2022815 - Update NSS to new version 9028b604112bc4a797d9fa4824670bc686e3891a from 2026-03-10 20:52:43

Reporter

Description

•

9 days ago

This update covers 59 commits, including 13 new upstream commits I've never filed a bug on before. (They're the top 13.). Here are the overall diff statistics, and then the commit information.

9028b604112bc4a797d9fa4824670bc686e3891a by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/9028b604112bc4a797d9fa4824670bc686e3891a
Authored: 2026-03-10 20:52:43 +0000
Committed: 2026-03-10 20:52:43 +0000

Bug 1472747 - wrong alert for malformed TLS 1.3 Finished. r=nss-reviewers,keeler

tls13_VerifyFinished was sending illegal_parameter for Finished messages
with wrong-length payloads. RFC 8446 requires decode_error for length
errors.

The tlsfuzzer test-tls13-finished.py was marked exp_pass:false because it
expected decode_error but received illegal_parameter. This caused an
intermittent CI failure: when none of the wrong-length test cases were
sampled, all 42 tests passed and the exp_pass:false caused the CI runner
to mark the script as FAILED.

Padding test cases with total Finished body > MAX_HANDSHAKE_MSG_LEN (131071
bytes) are excluded because they hit a separate rejection path in
ssl3_HandleHandshake (ssl3con.c). NSS correctly sends decode_error for
those too, but the tlsfuzzer runner's generator error-handling skips the
ExpectAlert node and jumps to ExpectClose, which then unexpectedly reads
the buffered alert.

Differential Revision: https://phabricator.services.mozilla.com/D286329

Files Modified:

gtests/ssl_gtest/ssl_extension_unittest.cc
lib/ssl/tls13con.c
tests/tlsfuzzer/config.json.in

5056fdd3a2a5a537d6134e60f96f2763bfe37bb2 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/5056fdd3a2a5a537d6134e60f96f2763bfe37bb2
Authored: 2026-03-10 12:25:08 -0700
Committed: 2026-03-10 12:25:08 -0700

Bug 1472747 - Backed out changeset 683c49a0f7ed

--HG--
extra : amend_source : 35e281f30b27579d8ed6fd74a598aa080603bc80

Files Modified:

lib/ssl/tls13con.c
tests/tlsfuzzer/config.json.in

3d524ce9c57dd3553e61b877e0613e250b5cb6f3 by Dennis Jackson <djackson@mozilla.com>

https://github.com/nss-dev/nss/commit/3d524ce9c57dd3553e61b877e0613e250b5cb6f3
Authored: 2026-03-10 18:44:17 +0000
Committed: 2026-03-10 18:44:17 +0000

Bug 1916429 - Swap order of asserts and state check. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D286855

Files Modified:

lib/ssl/ssl3con.c

a9c6b49190d99be538bd711d262b033fe3ba79ca by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/a9c6b49190d99be538bd711d262b033fe3ba79ca
Authored: 2026-03-10 18:07:25 +0000
Committed: 2026-03-10 18:07:25 +0000

Bug 1472747 - wrong alert for malformed TLS 1.3 Finished. r=nss-reviewers,keeler

tls13_VerifyFinished was sending illegal_parameter for Finished messages
with wrong-length payloads. RFC 8446 requires decode_error for length
errors.

The tlsfuzzer test-tls13-finished.py was marked exp_pass:false because it
expected decode_error but received illegal_parameter. This caused an
intermittent CI failure: when none of the wrong-length test cases were
sampled, all 42 tests passed and the exp_pass:false caused the CI runner
to mark the script as FAILED.

Padding test cases with total Finished body > MAX_HANDSHAKE_MSG_LEN (131071
bytes) are excluded because they hit a separate rejection path in
ssl3_HandleHandshake (ssl3con.c). NSS correctly sends decode_error for
those too, but the tlsfuzzer runner's generator error-handling skips the
ExpectAlert node and jumps to ExpectClose, which then unexpectedly reads
the buffered alert.

Differential Revision: https://phabricator.services.mozilla.com/D286329

Files Modified:

lib/ssl/tls13con.c
tests/tlsfuzzer/config.json.in

9ab25974c96016dcee19069e36620ee44ac94212 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/9ab25974c96016dcee19069e36620ee44ac94212
Authored: 2026-03-10 18:06:55 +0000
Committed: 2026-03-10 18:06:55 +0000

Bug 2022149 - set correct value of unused curve parameters in tls13_HandleKeyShare. r=nss-reviewers,keeler

Differential Revision: https://phabricator.services.mozilla.com/D286924

Files Modified:

lib/ssl/tls13con.c

04d1cf50e3190b31ba734bdf828050a4973cfeee by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/04d1cf50e3190b31ba734bdf828050a4973cfeee
Authored: 2026-02-24 10:13:36 -0800
Committed: 2026-02-24 10:13:36 -0800

Bug 2017929 GCM needs to check for various limits in FIPS mode.

If we are in FIPS mode, GCM needs to turn off FIPS indicators if the IV generation doesn't meet the FIPS limits.

Differential Revision: https://phabricator.services.mozilla.com/D284777

--HG--
extra : rebase_source : 9eb5f67daff2ea414685e970279ca529fced5196

Files Modified:

lib/softoken/sftkmessage.c

f6d71c86e6c5cac37414a0a1c5870d2406347441 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/f6d71c86e6c5cac37414a0a1c5870d2406347441
Authored: 2026-02-23 12:58:00 -0800
Committed: 2026-02-23 12:58:00 -0800

Bug 2017938 Get Key Length not working form ED and Montgomery keys.

Differential Revision: https://phabricator.services.mozilla.com/D284705

Files Modified:

lib/softoken/pkcs11u.c

c0fd0eb79e3b17cf2731e56732fecd3a16f75f60 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/c0fd0eb79e3b17cf2731e56732fecd3a16f75f60
Authored: 2026-02-24 10:26:14 -0800
Committed: 2026-02-24 10:26:14 -0800

Bug 2017927 Not all ike modes are FIPS approved. Adjust the indicators when they aren't

ikev1 isn't approved. If we use ike_prf (only) in ikev1 mode then turn
off the FIPS indicator.

This case is bDataAsKey=PR_FALSE and bRekey=PR_FALSE;

Differential Revision: https://phabricator.services.mozilla.com/D284778

--HG--
extra : rebase_source : f975990ab2c83de94cf57f8a8704d0217fcf30e0

Files Modified:

lib/softoken/sftkike.c

4660c736d63815dd7888c0a9a4bb24069cf60a7e by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/4660c736d63815dd7888c0a9a4bb24069cf60a7e
Authored: 2026-03-07 00:58:49 +0000
Committed: 2026-03-07 00:58:49 +0000

Bug 2020721 - fix intermittent ssl.sh test failures on windows runners. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D286490

Files Modified:

tests/chains/chains.sh
tests/common/init.sh
tests/ssl/ssl.sh

3a3e819d2a1777ac3d68b0f3ead4ec94bc39a070 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/3a3e819d2a1777ac3d68b0f3ead4ec94bc39a070
Authored: 2026-02-24 14:36:57 -0800
Committed: 2026-02-24 14:36:57 -0800

Bug 2017918 FIPS indicators on HDKF needs to be restricted to TLS usage.

HKDF is only FIPS if it's used in a TLS use. We need to detect TLS type usage and turn off the indicator when it is used in another context. We do this by tracking the source of the key and making sure a given key came from a TLS expected context, and by checking if the parameters pass match with parameters we expect from a FIPS context.

Differential Revision: https://phabricator.services.mozilla.com/D284780

--HG--
extra : rebase_source : dbe57c1a609c90e4e0e0045165e75898cfd0137d

Files Modified:

lib/softoken/kem.c
lib/softoken/pkcs11c.c
lib/softoken/pkcs11i.h
lib/softoken/pkcs11u.c

4f79bb66bee9c56ff8a0e703e36b696f009695f6 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/4f79bb66bee9c56ff8a0e703e36b696f009695f6
Authored: 2026-02-24 11:30:59 -0800
Committed: 2026-02-24 11:30:59 -0800

Bug 2017920 Generate keys not getting indicators.

GenerateKey and GenerateKeyPair is not getting FIPS indicators.

Differential Revision: https://phabricator.services.mozilla.com/D284779

--HG--
extra : rebase_source : 67c92088bfe2b85bfba94fbf06f551322b81db50

Files Modified:

lib/softoken/pkcs11c.c
lib/softoken/pkcs11u.c
lib/util/pkcs11n.h

cce63d84426eb5721fed40329efc6fb66b9cd756 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/cce63d84426eb5721fed40329efc6fb66b9cd756
Authored: 2026-03-06 19:30:31 +0000
Committed: 2026-03-06 19:30:31 +0000

Bug 2020612 - improve error handling in smime_init_once. r=kaie

Differential Revision: https://phabricator.services.mozilla.com/D286349

Files Modified:

lib/smime/smimeutil.c

8b18086c71d2928259da966bc14f08428c8d1bee by Brad Smith <brad@comstyle.com>

https://github.com/nss-dev/nss/commit/8b18086c71d2928259da966bc14f08428c8d1bee
Authored: 2026-03-05 18:36:25 +0000
Committed: 2026-03-05 18:36:25 +0000

Bug 1987288 - Detect CPU features on OpenBSD using elf_aux_info. r=nss-reviewers,keeler

Also some fixes for the FreeBSD support. Simplify checking, as if
the header exists the API exists. FreeBSD 11.4 has elf_aux_info().

Differential Revision: https://phabricator.services.mozilla.com/D265579

Files Modified:

lib/freebl/blinit.c

e2230c2ffc0b69680f2ffc526fd8987f91abf77c by Dana Keeler <dkeeler@mozilla.com>

https://github.com/nss-dev/nss/commit/e2230c2ffc0b69680f2ffc526fd8987f91abf77c
Authored: 2026-03-05 00:24:17 +0000
Committed: 2026-03-05 00:24:17 +0000

Bug 2019357 - RSA_EMSAEncodePSS should validate the length of mHash r=nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D284886

Files Modified:

lib/freebl/blapii.h
lib/freebl/rsa_blind.c
lib/freebl/rsapkcs.c

e9e5c9e226a5feffce7046cd670771511f9d3cb9 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/e9e5c9e226a5feffce7046cd670771511f9d3cb9
Authored: 2026-03-04 19:01:06 +0000
Committed: 2026-03-04 19:01:06 +0000

Bug 2020442 - more robustly distinguish SFTKSessionObject and SFTKTokenObjects. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D285553

Files Modified:

lib/softoken/pkcs11.c
lib/softoken/pkcs11c.c
lib/softoken/pkcs11i.h
lib/softoken/pkcs11u.c

37109c5203b5058045ffd1b076f77099fe637d9f by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/37109c5203b5058045ffd1b076f77099fe637d9f
Authored: 2026-03-04 19:00:14 +0000
Committed: 2026-03-04 19:00:14 +0000

Bug 2019194 - fix missing .S file error in Solaris Makefile builds. r=nss-reviewers,keeler

Differential Revision: https://phabricator.services.mozilla.com/D286088

Files Modified:

lib/freebl/Makefile

f1324392f936aed4de790c0f77ef02134bb6aa00 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/f1324392f936aed4de790c0f77ef02134bb6aa00
Authored: 2026-03-04 18:59:50 +0000
Committed: 2026-03-04 18:59:50 +0000

Bug 2020188 - avoid null deref in mp_div_d sign normalization. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D286056

Files Modified:

gtests/freebl_gtest/mpi_unittest.cc
lib/freebl/mpi/mpi.c

f00bbec7671d1f879d55494f2d680d461f0e926e by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/f00bbec7671d1f879d55494f2d680d461f0e926e
Authored: 2026-03-04 09:58:00 -0800
Committed: 2026-03-04 09:58:00 -0800

Backed out changeset 93a0edbcf0a9 for build bustage

Files Modified:

gtests/freebl_gtest/mpi_unittest.cc
lib/freebl/mpi/mpi.c

bd09f3de1155d264d9388edca2517194572b156b by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/bd09f3de1155d264d9388edca2517194572b156b
Authored: 2026-03-04 17:40:36 +0000
Committed: 2026-03-04 17:40:36 +0000

Bug 2020486 - fix memory leak in NSC_GenerateKey error path. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D285587

Files Modified:

lib/softoken/pkcs11c.c

926cbc78b4ddb068b52d967782d2fbe7fa0956ea by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/926cbc78b4ddb068b52d967782d2fbe7fa0956ea
Authored: 2026-03-04 17:40:12 +0000
Committed: 2026-03-04 17:40:12 +0000

Bug 2020615 - Missing SECFailure return after FATAL_ERROR in tls13_HandleEncryptedExtensions. r=nss-reviewers,nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D285784

Files Modified:

lib/ssl/tls13con.c

255581d2e86b0e6866dd97e92ab99a77d8f2b08f by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/255581d2e86b0e6866dd97e92ab99a77d8f2b08f
Authored: 2026-03-04 17:39:44 +0000
Committed: 2026-03-04 17:39:44 +0000

Bug 2020613 - release xmit buf lock on dtls13_MaybeSendKeyUpdate error paths. r=nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D285887

Files Modified:

lib/ssl/dtls13con.c

85e537f1f76d22e64195e602ab28c81f0f2fb349 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/85e537f1f76d22e64195e602ab28c81f0f2fb349
Authored: 2026-03-04 17:39:17 +0000
Committed: 2026-03-04 17:39:17 +0000

Bug 2020849 - release 1stHandshakeLock on SSL_ResetHandshake error path. r=nss-reviewers,nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D285892

Files Modified:

lib/ssl/sslsecur.c

8432cfeaa46431911f10c5a5212890a4f9af4653 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/8432cfeaa46431911f10c5a5212890a4f9af4653
Authored: 2026-03-04 17:36:58 +0000
Committed: 2026-03-04 17:36:58 +0000

Bug 2020188 - avoid null deref in mp_div_d sign normalization. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D286056

Files Modified:

gtests/freebl_gtest/mpi_unittest.cc
lib/freebl/mpi/mpi.c

d2369dbdc3c3ad64ef8b340d4bb6ac3755d406a8 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/d2369dbdc3c3ad64ef8b340d4bb6ac3755d406a8
Authored: 2026-03-03 19:26:59 -0800
Committed: 2026-03-03 19:26:59 -0800

Bug 2017945 Temp private key lifecycle is broken. -- fix clangformat

You'd think I could do a 3 line testcase fix without messing up clang, clearly not.

Files Modified:

gtests/pk11_gtest/pk11_find_certs_unittest.cc

706827399eec119f44775d819a97a17daae8d54a by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/706827399eec119f44775d819a97a17daae8d54a
Authored: 2026-03-03 19:16:47 -0800
Committed: 2026-03-03 19:16:47 -0800

Bug 2017945 Temp private key lifecycle is broken.

Fix memory leak in new test case.

Files Modified:

gtests/pk11_gtest/pk11_find_certs_unittest.cc

242ffcd34a2a72409ee2a87a73f80cad98c0e7a5 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/242ffcd34a2a72409ee2a87a73f80cad98c0e7a5
Authored: 2026-02-23 08:43:14 -0800
Committed: 2026-02-23 08:43:14 -0800

Bug 2017945 Temp private key lifecycle is broken.

Temp Private keys typically 'own' their own handles, so when you free a temp key, you destroy the handle. However, when we search temp keys from Find, that handle we get is owned by a different temp key. Destroying that key will destroy the underlying key. We ran into this problem with the Certificate Server, where the server would start up SSL and create a temporary key from the perm key (for performance reasons. In another thread, the server had code that would look up the private key and do some queries. In some tokens, like softoken, the query would return the original perm key first, but it's perfectly acceptable for the token to return the session key first. In that case when the key is freed, that thread will delete the handle returned. This deletes the underlying key still used in SSL and all SSL sessions stop working because the private key is now gone. It's clearly wrong to delete the handles returned from a find, the keys should not be owned by the find. We need to separately track both isTemp and isOwned.

Because SECKEYPrivateKeys are public (sigh), we can't just add new fields to the structure. Fortunately if IsOwned is set, then isTemp must also be set, so we can overload the PRBool as bit flags. Old code testing for isTemp will still succeed.

Differential Revision: https://phabricator.services.mozilla.com/D284485

--HG--
extra : rebase_source : fab53e77f215a975b6fc2a02a749b1629dd7a88c

Files Modified:

gtests/pk11_gtest/pk11_find_certs_unittest.cc
lib/cryptohi/keythi.h
lib/cryptohi/seckey.c
lib/pk11wrap/pk11akey.c
lib/pk11wrap/pk11cert.c
lib/pk11wrap/pk11kea.c
lib/pk11wrap/pk11merge.c
lib/pk11wrap/pk11obj.c
lib/pk11wrap/pk11pk12.c
lib/pk11wrap/secmodi.h

7912ca7646f84b67393459fdcb5f038e4d9b619a by Dana Keeler <dkeeler@mozilla.com">

https://github.com/nss-dev/nss/commit/7912ca7646f84b67393459fdcb5f038e4d9b619a
Authored: 2026-03-02 20:05:55 +0000
Committed: 2026-03-02 20:05:55 +0000

Bug 1851073 - protect rwSessionCount with slotLock r=rrelyea

Previously, SFTKSlot.rwSessionCount was incremented and decremented atomically,
which meant that there was no way to synchronize reads from it in
NSC_GetTokenInfo. This patch removes the atomic operations but protects
rwSessionCount with SFTKSlot.slotLock. SFTKSlot.sessionCount is already
protected in this way, so this should have no performance impact.

Differential Revision: https://phabricator.services.mozilla.com/D285300

Files Modified:

lib/softoken/pkcs11.c
lib/softoken/pkcs11i.h

33ca4f409bb06f2c6b68e0300be70b17ef8d9814 by Maurice Dauer <mdauer@mozilla.com>

https://github.com/nss-dev/nss/commit/33ca4f409bb06f2c6b68e0300be70b17ef8d9814
Authored: 2026-03-02 10:37:18 +0000
Committed: 2026-03-02 10:37:18 +0000

Bug 2019224 - Remove invalid PORT_Free(), r=djackson,nss-reviewers

Differential Revision: https://phabricator.services.mozilla.com/D284822

Files Modified:

lib/smime/cmsdecode.c

ca66d0b88ca37855644e19d6e5d9fbeab87335f8 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/ca66d0b88ca37855644e19d6e5d9fbeab87335f8
Authored: 2026-02-27 22:51:15 +0000
Committed: 2026-02-27 22:51:15 +0000

Bug 1828713 - Fix intermittent ClientGreaseKeyShare test failure. r=nss-reviewers,djackson

countGreaseInBuffer scanned the entire raw key_share extension buffer, including
the random key_exchange bytes of real key shares (e.g., 32 bytes for x25519).
Any aligned 2-byte window in that random data matching a GREASE pattern caused a
spurious count of 2 instead of 1. Fix by parsing the extension structurally and
only checking the group ID fields.

Differential Revision: https://phabricator.services.mozilla.com/D285335

Files Modified:

gtests/ssl_gtest/tls_grease_unittest.cc

748154942ceda9ce2115f0a7f9aab141cf95e0cb by Maurice Dauer <mdauer@mozilla.com>

https://github.com/nss-dev/nss/commit/748154942ceda9ce2115f0a7f9aab141cf95e0cb
Authored: 2026-02-27 22:34:05 +0000
Committed: 2026-02-27 22:34:05 +0000

Bug 2018200 - Fix kCtxStr len passed to tls_SignOrVerifyUpdate, r=rrelyea,nss-reviewers,keeler

Differential Revision: https://phabricator.services.mozilla.com/D284263

Files Modified:

lib/ssl/tls13subcerts.c

591b95f52fd9b4f23b950671a87b3d2c95e366b0 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/591b95f52fd9b4f23b950671a87b3d2c95e366b0
Authored: 2026-02-27 17:35:57 +0000
Committed: 2026-02-27 17:35:57 +0000

Bug 2019760 - patch upstream acvp-rust during checkout to avoid build failures. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D285123

Files Added:

taskcluster/docker/acvp/acvp-rust.patch

Files Modified:

taskcluster/docker/acvp/bin/run.sh

aea877ccef513f9e666648141dfddc0c2cac33a3 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/aea877ccef513f9e666648141dfddc0c2cac33a3
Authored: 2026-02-27 17:35:57 +0000
Committed: 2026-02-27 17:35:57 +0000

Bug 2019760 - update acvp Dockerfile. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D285122

Files Modified:

taskcluster/docker/acvp/Dockerfile
taskcluster/docker/acvp/bin/run.sh

6507c5f30e5284af0af0314492941e90c6fc017b by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/6507c5f30e5284af0af0314492941e90c6fc017b
Authored: 2026-02-27 09:24:28 -0800
Committed: 2026-02-27 09:24:28 -0800

Bug 2017997 CKA_PARAM_SET missing from the CK_ULONG list in softoken.

Sigh, fix clangformat issue in previous patch.

Files Modified:

lib/softoken/sftkdb.c

37acda1bd5018f5c5d58dbd31172f6be2a2f232f by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/37acda1bd5018f5c5d58dbd31172f6be2a2f232f
Authored: 2025-11-07 11:01:32 -0800
Committed: 2025-11-07 11:01:32 -0800

Bug 2017997 CKA_PARAM_SET missing from the CK_ULONG list in softoken.

CKA_PARAMETER_SET is a CKA_ULONG, and should be stored in network order in the database, but it's missing from the list. It needs to be added to the list and we need to be able to read incorrectly stored versions (since the bad version has been shipped for a couple of releases now).

Differential Revision: https://phabricator.services.mozilla.com/D284189

--HG--
extra : rebase_source : 6227ac3d544851ed621bb19fb8c92d3bd8913a99

Files Modified:

lib/softoken/sftkdb.c

e9ac8c7c354303de99950982deaa69dfe30b9523 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/e9ac8c7c354303de99950982deaa69dfe30b9523
Authored: 2026-02-19 16:04:43 -0800
Committed: 2026-02-19 16:04:43 -0800

Bug 2018000 CKA_SEED missing from isPrivate in the database.

CKA_SEED is missing from 'isPrivate', which will cause the CKA_SEED value to become invalid if we try to change the password because it won't get updated. This will only affect exporting an ml_dsa private key (where it will loose the seed value on export), since the key only needs CKA_VALUE internally.

Note: the missing CKA_SEED was already fixed in bug 1981034, but we didn't include code to remove old seed integrity checks, so this patch only includes the former fix, not the latter.

Differential Revision: https://phabricator.services.mozilla.com/D284191

--HG--
extra : rebase_source : d76ad9734362df981311ae2d232ca321c9bc7d64

Files Modified:

lib/softoken/sftkdb.c

c1e9cfffc48ef801b309289f9dd7d8d055feef40 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/c1e9cfffc48ef801b309289f9dd7d8d055feef40
Authored: 2026-02-26 19:24:01 +0000
Committed: 2026-02-26 19:24:01 +0000

Bug 2019717 - update abicheck expectation for __nss_InitLock. r=rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D285095

Files Modified:

automation/abi-check/expected-report-libnss3.so.txt

790efeccea00ac2de228e11b03b4d9cb173f0450 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/790efeccea00ac2de228e11b03b4d9cb173f0450
Authored: 2026-02-26 17:59:39 +0000
Committed: 2026-02-26 17:59:39 +0000

Bug 2019327 - taskcluster: set NSS_DISABLE_LIBPKIX=1 in test env for static builds. r=nss-reviewers,rrelyea

Static GYP builds pass -Ddisable_libpkix=1, which compiles out LIBPKIX.
However the test environment did not set NSS_DISABLE_LIBPKIX, so the ssl
stapling tests (which call CERT_PKIXVerifyCert) still ran and always
returned exit code 1 (cert failed to verify, prior to revocation checking).

Set NSS_DISABLE_LIBPKIX=1 via the platforms transform for any task derived
from a static build, mirroring the existing fuzz-build convention. This
causes ssl_stapling() and other LIBPKIX-gated tests to be skipped.

Differential Revision: https://phabricator.services.mozilla.com/D284954

Files Modified:

taskcluster/nss_taskgraph/transforms/platforms.py

0748c9712eb8ffdef917763d8f84a66fa3de1c4d by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/0748c9712eb8ffdef917763d8f84a66fa3de1c4d
Authored: 2026-02-26 17:59:39 +0000
Committed: 2026-02-26 17:59:39 +0000

Bug 2019327 - tests: fix setup_policy to use ROOTCERTSFILE for root cert module path. r=nss-reviewers,rrelyea

setup_policy() in init.sh hard-coded 'libnssckbi.so' when writing the
root-certs module entry into pkcs11.txt. On Windows the file is named
'libnssckbi.dll', so NSS cannot load the module and external CA certs
(e.g. ISRG Root X1 / Let's Encrypt) are untrusted. The ssl_policy_pkix_ocsp
test therefore gets SEC_ERROR_UNKNOWN_ISSUER (-8179) instead of the expected
SSL_ERROR_BAD_CERT_DOMAIN (-12276), causing it to fail.

Use ${ROOTCERTSFILE} instead, which cert.sh already sets by globbing
nssckbi. in the lib directory and running it through native_path, giving
the correct platform-specific filename and Windows-native path.

Differential Revision: https://phabricator.services.mozilla.com/D284953

Files Modified:

tests/common/init.sh

a4e59cad4bc930e46c6f824ab30a2affcfafabd3 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/a4e59cad4bc930e46c6f824ab30a2affcfafabd3
Authored: 2026-02-26 17:59:38 +0000
Committed: 2026-02-26 17:59:38 +0000

Bug 2019327 - tests: fix selfserv/httpserv PID handling and wait exit code for MSYS_NT. r=nss-reviewers,rrelyea

Two related fixes for Windows CI (MSYS_NT) in the ssl and chains test suites:

Add MSYS_NT to the OS_NAME checks in is_selfserv_alive, kill_selfserv,
start_selfserv (ssl.sh) and the equivalent httpserv functions (chains.sh)
so that SHELL_SERVERPID / SHELL_HTTPPID are used instead of reading the
PID file. MSYS_NT behaves like CYGWIN_NT in this regard.
Change 'wait ${PID}' to 'wait ${PID} || [ "${OS_ARCH}" = "WINNT" ... ]' in
kill_selfserv and kill_httpserv. On Windows, kill sends SIGTERM so the
server exits with status 143 (128+SIGTERM); the non-zero wait return
would abort the test run in shells with set -e active.

Differential Revision: https://phabricator.services.mozilla.com/D284952

Files Modified:

tests/chains/chains.sh
tests/ssl/ssl.sh

f4baf9888df8ed6707567ba187a05bf00bb5c1e9 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/f4baf9888df8ed6707567ba187a05bf00bb5c1e9
Authored: 2026-02-26 17:59:38 +0000
Committed: 2026-02-26 17:59:38 +0000

Bug 2019327 - tests: add native_path helper for cross-platform path conversion. r=nss-reviewers,rrelyea

NSS tools (certutil, etc.) are native Windows binaries and cannot open
MSYS/Cygwin-style Unix paths. Replace the scattered cygpath/OS_NAME checks
with a single native_path() function defined in common/init.sh that:

on WINNT: calls pwd -W (no args) or cygpath -m (with arg)
elsewhere: calls pwd or echoes its argument unchanged

Also converts TESTDIR and QADIR to native paths at init time so that all
derived paths (SERVERDIR, etc.) are correct for native Windows binaries.
Removes the duplicate MINGW32_NT block that existed in init.sh.

Differential Revision: https://phabricator.services.mozilla.com/D284951

Files Modified:

tests/cert/cert.sh
tests/cipher/performance.sh
tests/common/init.sh
tests/fips/fips.sh
tests/iopr/cert_iopr.sh
tests/ssl_gtests/ssl_gtests.sh

fc53ecbe25a802cadf7bc8c3e24b2cfab054c56c by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/fc53ecbe25a802cadf7bc8c3e24b2cfab054c56c
Authored: 2026-02-26 17:59:38 +0000
Committed: 2026-02-26 17:59:38 +0000

Bug 2019327 - tstclnt, strsclnt: avoid DNS lookup for loopback addresses on Windows. r=nss-reviewers,rrelyea

Windows does not have localhost.localdomain in its hosts file by default,
causing PR_GetAddrInfoByName to fail. Add a loopback shortcut that uses
PR_GetPrefLoopbackAddrInfo (or a direct PR_StringToNetAddr call for the
single-address-family case) so that no DNS query is needed for localhost
or localhost.localdomain.

Differential Revision: https://phabricator.services.mozilla.com/D284939

Files Modified:

cmd/strsclnt/strsclnt.c
cmd/tstclnt/tstclnt.c

394c219857c3382925a4700c09fee166929e8b9e by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/394c219857c3382925a4700c09fee166929e8b9e
Authored: 2026-02-26 16:28:47 +0000
Committed: 2026-02-26 16:28:47 +0000

Bug 2019090 - avoid platform GCM for x64 iOS emulator builds. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D284873

Files Modified:

lib/freebl/gcm.gyp

6484fa3d19a68fb3b62b48af0462945e49a91928 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/6484fa3d19a68fb3b62b48af0462945e49a91928
Authored: 2026-02-25 17:29:34 +0000
Committed: 2026-02-25 17:29:34 +0000

Bug 2012002 - remove lock instrumentation feature. r=nss-reviewers,djackson,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D280175

Files Deleted:

cmd/tests/conflict.c
lib/util/nssilock.c

Files Modified:

cmd/httpserv/httpserv.c
cmd/selfserv/selfserv.c
cmd/tests/manifest.mn
cmd/tests/nonspr10.c
cmd/tests/tests.gyp
lib/base/baset.h
lib/base/hash.c
lib/base/list.c
lib/base/nssbaset.h
lib/base/tracker.c
lib/certdb/certdb.c
lib/certdb/certt.h
lib/certdb/genname.c
lib/certdb/stanpcertdb.c
lib/dev/devslot.c
lib/dev/devt.h
lib/dev/devtoken.c
lib/dev/devutil.c
lib/freebl/det_rng.c
lib/freebl/det_rng.h
lib/freebl/drbg.c
lib/freebl/dsa.c
lib/freebl/ml_dsa.c
lib/freebl/rsa.c
lib/nss/nssinit.c
lib/nss/utilwrap.c
lib/pk11wrap/dev3hack.c
lib/pk11wrap/pk11cxt.c
lib/pk11wrap/pk11kea.c
lib/pk11wrap/pk11list.c
lib/pk11wrap/pk11load.c
lib/pk11wrap/pk11pars.c
lib/pk11wrap/pk11skey.c
lib/pk11wrap/pk11slot.c
lib/pk11wrap/pk11util.c
lib/pk11wrap/secmodi.h
lib/pk11wrap/secmodt.h
lib/pk11wrap/secmodti.h
lib/pki/pkibase.c
lib/pki/pkistore.c
lib/pki/pkistore.h
lib/pki/pkit.h
lib/pki/tdcache.c
lib/smime/smimeutil.c
lib/softoken/legacydb/cdbhdl.h
lib/softoken/legacydb/keydb.c
lib/softoken/legacydb/lgdb.h
lib/softoken/legacydb/lowcert.c
lib/softoken/legacydb/pcertdb.c
lib/softoken/legacydb/pcertt.h
lib/softoken/lgglue.c
lib/softoken/lowpbe.c
lib/softoken/pkcs11.c
lib/softoken/pkcs11i.h
lib/softoken/pkcs11u.c
lib/softoken/sftkdb.c
lib/softoken/sftkdbti.h
lib/softoken/sftkpwd.c
lib/ssl/ssl3con.c
lib/ssl/sslimpl.h
lib/ssl/sslnonce.c
lib/ssl/sslsock.c
lib/ssl/tls13replay.c
lib/util/manifest.mn
lib/util/nssilckt.h
lib/util/nssilock.h
lib/util/nssrwlk.c
lib/util/nssrwlkt.h
lib/util/secport.c
lib/util/util.gyp
nss.gyp

9333ee0aa38ac44ac491aa6ae41f3e7d55bba816 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/9333ee0aa38ac44ac491aa6ae41f3e7d55bba816
Authored: 2026-02-23 10:25:31 -0800
Committed: 2026-02-23 10:25:31 -0800

Bug 2017923 Move FIPS indicator structures out of fips_algorithms.h

fips_algorithms.h is a vendor specific file that is based on each vendor's evaluation. Data structures in the file are used by the actual indicator code and need to be updated periodically moving the data structures out of fips_algorithms.h means vendors don't need to update their fips_algorithms.h when a new version of NSS is picked up, even if it supports more fine grain indicators, It only needs to be updated when the vendor does a new validation.

Differential Revision: https://phabricator.services.mozilla.com/D284554

--HG--
extra : rebase_source : 7ed799619fafac7b7f0246d9852955ad09c42780

Files Modified:

lib/softoken/fips_algorithms.h
lib/softoken/pkcs11u.c

7ca6aa71ae2c9a1be62bc1d88fa036603a58cbf1 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/7ca6aa71ae2c9a1be62bc1d88fa036603a58cbf1
Authored: 2026-02-20 13:23:58 -0800
Committed: 2026-02-20 13:23:58 -0800

Bug 2018064 all.sh is failing in FIPS SSL test in main tree

Differential Revision: https://phabricator.services.mozilla.com/D284488

If you run all.sh, the FIPS SSL tests are failing because of a typo in ssl/ssl.sh. selfserve fails to start because it does not recognize mx25519mlkem768 as a valid group.

--HG--
extra : rebase_source : 4d7100c997a04086747dff91a221e484a887aa4a

Files Modified:

tests/ssl/ssl.sh

d0505b201965617c5b5c0de808a589ffe139971a by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/d0505b201965617c5b5c0de808a589ffe139971a
Authored: 2026-02-23 17:05:41 +0000
Committed: 2026-02-23 17:05:41 +0000

Bug 1975973 - fix memory leaks in crmf tests. r=nss-reviewers,djackson

Differential Revision: https://phabricator.services.mozilla.com/D284323

Files Modified:

cmd/crmftest/testcrmf.c
lib/crmf/cmmfrec.c
lib/crmf/cmmfresp.c
lib/crmf/respcmn.c

1776e42d5683957370cae22cd11f78c2115c657a by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/1776e42d5683957370cae22cd11f78c2115c657a
Authored: 2026-02-21 00:14:13 +0000
Committed: 2026-02-21 00:14:13 +0000

Bug 2012547 - fix unsatisfiable condition in lg_getTrust. r=rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D280525

Files Modified:

lib/softoken/legacydb/lgattr.c

a7f4f5cc2d315f652954d837cabd157ece7952cc by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/a7f4f5cc2d315f652954d837cabd157ece7952cc
Authored: 2026-02-21 00:13:36 +0000
Committed: 2026-02-21 00:13:36 +0000

Bug 2006218 - allow selfserv makefile build to use system zlib. r=nss-reviewers,djackson

Differential Revision: https://phabricator.services.mozilla.com/D281668

Files Modified:

cmd/selfserv/manifest.mn

2a44f58d2735759a176bc0362e8246184b686f2d by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/2a44f58d2735759a176bc0362e8246184b686f2d
Authored: 2026-02-20 13:00:47 -0800
Committed: 2026-02-20 13:00:47 -0800

Set version numbers to 3.122 beta

Files Modified:

automation/abi-check/previous-nss-release
lib/nss/nss.h
lib/softoken/softkver.h
lib/util/nssutil.h

5afe957082721d3a50c67721bbdafa273292cf63 by Dennis Jackson <djackson@mozilla.com>

https://github.com/nss-dev/nss/commit/5afe957082721d3a50c67721bbdafa273292cf63
Authored: 2026-02-20 15:59:26 +0000
Committed: 2026-02-20 15:59:26 +0000

Bug 2002247: Add allocation limit to pkcs12 decoding. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D273990

Files Modified:

fuzz/targets/pkcs12.cc
lib/pkcs12/p12.h
lib/pkcs12/p12d.c

29173428dc341c8989d7d874537ffef2b9907636 by Kai Engert <kaie@kuix.de>

https://github.com/nss-dev/nss/commit/29173428dc341c8989d7d874537ffef2b9907636
Authored: 2026-02-20 13:45:57 +0000
Committed: 2026-02-20 13:45:57 +0000

Bug 2012406 - Add text/html single-line example emails to NSS S/SMIME CMS tests. r=nss-reviewers,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D280580

Files Modified:

tests/smime/smime.sh

32c217f646beddadebfd7fb6328ddfc5d37c7ae3 by Anna <anna.weine@mozilla.com>

https://github.com/nss-dev/nss/commit/32c217f646beddadebfd7fb6328ddfc5d37c7ae3
Authored: 2026-02-19 10:38:48 +0100
Committed: 2026-02-19 10:38:48 +0100

Release notes for NSS 3.121

--HG--
extra : source : cc4406475ddc8a334dc228b972d093958e787506

Files Added:

doc/rst/releases/nss_3_121.rst

Files Modified:

doc/rst/releases/index.rst

72ac8738b0b4886f4cc20e918141b6e2b18f086e by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/72ac8738b0b4886f4cc20e918141b6e2b18f086e
Authored: 2026-02-19 09:30:44 +0000
Committed: 2026-02-19 09:30:44 +0000

Bug 2017366 - update vendored zlib to v1.3.2. r=nss-reviewers,nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D283730

Files Modified:

lib/zlib/LICENSE
lib/zlib/README
lib/zlib/README.nss
lib/zlib/compress.c
lib/zlib/crc32.c
lib/zlib/deflate.c
lib/zlib/deflate.h
lib/zlib/gzguts.h
lib/zlib/gzlib.c
lib/zlib/gzread.c
lib/zlib/gzwrite.c
lib/zlib/infback.c
lib/zlib/inffast.c
lib/zlib/inffixed.h
lib/zlib/inflate.c
lib/zlib/inflate.h
lib/zlib/inftrees.c
lib/zlib/inftrees.h
lib/zlib/trees.c
lib/zlib/uncompr.c
lib/zlib/vendor.sh
lib/zlib/zconf.h
lib/zlib/zlib.h
lib/zlib/zutil.c
lib/zlib/zutil.h

181e90fa48fa18b8ca1c038f6436e40e45bb56e5 by Ryan VanderMeulen <rvandermeulen@mozilla.com>

https://github.com/nss-dev/nss/commit/181e90fa48fa18b8ca1c038f6436e40e45bb56e5
Authored: 2026-02-17 20:36:38 +0000
Committed: 2026-02-17 20:36:38 +0000

Bug 2012645 - Revert the unnecessary changes to intel-gcm-wrap.gyp. r=jschanck

These aren't needed because the guards in gcm.gyp prevent MinGW
builds from ever entering into that file in the first place.

Differential Revision: https://phabricator.services.mozilla.com/D283765

Files Modified:

lib/freebl/intel-gcm-wrap.gyp

2c242c6b4c9e791eb7190d10dcf3b2c41e36cd01 by Ryan VanderMeulen <rvandermeulen@mozilla.com>

https://github.com/nss-dev/nss/commit/2c242c6b4c9e791eb7190d10dcf3b2c41e36cd01
Authored: 2026-02-17 19:23:49 +0000
Committed: 2026-02-17 19:23:49 +0000

Bug 2012645 - Use C fallback for AES-GCM on MinGW builds. r=jschanck

MinGW builds cannot use the assembly optimizations:

32-bit: The GAS files only contain 64-bit code
64-bit: The GAS files contain ELF-specific directives incompatible with PE/COFF

This patch makes MinGW builds use the portable C implementation in gcm.c by:

Not including intel-gcm-wrap.c or assembly files for MinGW
Not defining HAVE_PLATFORM_GCM for MinGW, so gcm.c provides stub implementations

Other builds continue to use optimized assembly as before.

Differential Revision: https://phabricator.services.mozilla.com/D283753

Files Modified:

lib/freebl/gcm.gyp
lib/freebl/intel-gcm-wrap.gyp

820d711b4b5097cf02b3a93e5602e05cb8641887 by Robert Relyea <rrelyea@redhat.com>

https://github.com/nss-dev/nss/commit/820d711b4b5097cf02b3a93e5602e05cb8641887
Authored: 2026-02-16 13:43:32 -0800
Committed: 2026-02-16 13:43:32 -0800

Bug 2005669 - fix ML-KEM PCT. r=#nss-reviewers,rrelyea

patch by joachim

The ML-KEM PCT currently has two issues:

isKEM = sftk_isTrue(privateKey, CKA_ENCAPSULATE); is incorrect, as the private key in ML-KEM is used for decapsulation not encapsulation. Ref. FIPS 203 Section 2.1: "decapsulation key A cryptographic key produced by a KEM during key generation and used during the decapsulation process. The decapsulation key must be kept private and must be destroyed after it is no longer needed. (See Section 3.3.)"
The function must return CKR_GENERAL_ERROR if the PCT fails, however this is never done for the KEM PCT.

Differential Revision: https://phabricator.services.mozilla.com/D276127

Files Modified:

lib/softoken/kem.c
lib/softoken/pkcs11c.c

dade98440aceca4516f5fa259d4c537d9f2cf090 by Dennis Jackson <djackson@mozilla.com>

https://github.com/nss-dev/nss/commit/dade98440aceca4516f5fa259d4c537d9f2cf090
Authored: 2026-02-16 10:50:58 +0000
Committed: 2026-02-16 10:50:58 +0000

Bug 2017008 - Extend NSS Fuzzing docs. r=mdauer

Differential Revision: https://phabricator.services.mozilla.com/D283474

Files Added:

doc/rst/runbooks/fuzzing.rst

Files Modified:

doc/rst/runbooks/index.rst
fuzz/README.md

da6c1a879e0409002d24eddcf838602f74967acc by Anna <anna.weine@mozilla.com>

https://github.com/nss-dev/nss/commit/da6c1a879e0409002d24eddcf838602f74967acc
Authored: 2026-02-13 15:13:57 +0100
Committed: 2026-02-13 15:13:57 +0100

Release notes for NSS 3.112.3

--HG--
extra : source : ef262ca045c548ebb486baaba38fe5f1f4d81324

Files Added:

doc/rst/releases/nss_3_112_3.rst

Files Modified:

doc/rst/releases/index.rst

7dbff6ce7aace164b95676e48b91ec27ee415f73 by John Schanck <jschanck@mozilla.com>

https://github.com/nss-dev/nss/commit/7dbff6ce7aace164b95676e48b91ec27ee415f73
Authored: 2026-02-11 17:21:49 +0000
Committed: 2026-02-11 17:21:49 +0000

Bug 2009552 - avoid integer overflow in platform-independent ghash. r=nss-reviewers,nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D278681

Files Modified:

lib/freebl/gcm.c

Update Bot

Reporter

Comment 1

•

9 days ago

BGBjioxfQxyVHinfzfHdUA

I've submitted a try run for this commit: https://treeherder.mozilla.org/jobs?repo=try&revision=781ab66baae8f81bf27165dcabf99207fa3959d1

Update Bot

Reporter

Comment 2

•

9 days ago

Attached file Bug 2022815 - Update NSS to 9028b604112bc4a797d9fa4824670bc686e3891a. UPGRADE_NSS_RELEASE — Details

Update Bot

Reporter

Comment 3

•

9 days ago

P7FuNI6UQnGRI9KKAVjTmg

All the jobs in the try run succeeded. Like literally all of them, there weren't
even any intermittents. That is pretty surprising to me, so maybe you should double
check to make sure I didn't misinterpret things and that the correct tests ran...

Anyway, I've done all I can, so I'm passing to you to review and land the patch.
When reviewing, please note that this is external code, which needs a full and
careful inspection - not a rubberstamp.

Assignee: nobody → jschanck

Phabricator Automation

Updated

•

8 days ago

Attachment #9552222 - Attachment description: Bug 2022815 - Update NSS to 9028b604112bc4a797d9fa4824670bc686e3891a → Bug 2022815 - Update NSS to 9028b604112bc4a797d9fa4824670bc686e3891a. UPGRADE_NSS_RELEASE

Pulsebot

Comment 4

•

8 days ago

Pushed by jschanck@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/a48ef1b45f5e https://hg.mozilla.org/integration/autoland/rev/58454b7f5172 Update NSS to 9028b604112bc4a797d9fa4824670bc686e3891a. UPGRADE_NSS_RELEASE r=nss-reviewers,jschanck

Pulsebot

Comment 5

•

8 days ago

Pushed by abutkovits@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/1f7ae7c67795 https://hg.mozilla.org/integration/autoland/rev/cdfa11f2caf7 Revert "Bug 2022815 - Update NSS to 9028b604112bc4a797d9fa4824670bc686e3891a. UPGRADE_NSS_RELEASE r=nss-reviewers,jschanck" for causing documentation failures.

Atila Butkovits

Comment 6

•

8 days ago

Backed out for causing documentation failures.

Backout link: https://hg.mozilla.org/integration/autoland/rev/cdfa11f2caf7

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&revision=58454b7f51728d95669c18f29240f51995faed15

Failure log: https://treeherder.mozilla.org/logviewer?job_id=553598945&repo=autoland&task=S_OZXTh_RH6VMnqyz_j25w.0&lineNumber=5061

Flags: needinfo?(jschanck)

Silaghi Andreea

Comment 7

•

7 days ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/58454b7f5172

Status: NEW → RESOLVED

Closed: 7 days ago

status-firefox150: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 150 Branch

John Schanck [:jschanck]

Assignee

Updated

•

6 days ago

Updated

•

6 days ago

Flags: needinfo?(jschanck)

Bugzilla

Update NSS to new version 9028b604112bc4a797d9fa4824670bc686e3891a from 2026-03-10 20:52:43

Categories

(Core :: Security: PSM, enhancement)

Tracking

()

People

(Reporter: update-bot, Assigned: jschanck)

References

(Blocks 1 open bug)

Details

(Whiteboard: [3pl-filed][task_id: BGBjioxfQxyVHinfzfHdUA])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Comment 7

Updated

Updated

Attachment

General

Description

File Name

Content Type