nss_3_112_2.rst - mozsearch

.. _mozilla_projects_nss_nss_3_112_2_release_notes:

NSS 3.112.2 release notes

=========================

`Introduction <#introduction>`__

--------------------------------

.. container::

   Network Security Services (NSS) 3.112.2 was released on *3 October 2025**.

`Distribution Information <#distribution_information>`__

--------------------------------------------------------

.. container::

   The HG tag is NSS_3_112_2_RTM. NSS 3.112.2 requires NSPR 4.36 or newer.

   NSS 3.112.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:

   -  Source tarballs:

      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_112_2_RTM/src/

   Other releases are available :ref:`mozilla_projects_nss_releases`.

.. _changes_in_nss_3.112.2:

`Changes in NSS 3.112.2 <#changes_in_nss_3.112.2>`__

------------------------------------------------------------------

.. container::

   - Bug 1970079 - Prevent leaks during pkcs12 decoding.

   - Bug 1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates.

   - Bug 1992218 - fix memory leak in secasn1decode_unittest.cc.

   - Bug 1988913 - Add OISTE roots.

   - Bug 1976051 - Add runbook for certdata.txt changes.

   - Bug 1991666 - dbtool: close databases before shutdown.

   - Bug 1956754 - don't flush base64 when buffer is null.

   - Bug 1989541 - Set `use_pkcs5_pbkd2_params2_only=1` for fuzzing builds.

   - Bug 1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs.

   - Bug 1980465 - Fix a big-endian-problematic cast in zlib calls.

   - Bug 1962321 - Revert removing out/ directory after ossfuzz build.

   - Bug 1988524 - Add Cryptofuzz to OSS-Fuzz build.

   - Bug 1984704 - Add PKCS#11 trust tests.

   - Bug 1983308 - final disable dsa patch cert.sh.

   - Bug 1983320 - ml-dsa: move tls 1.3 to use streaming signatures.

   - Bug 1983320 - ml-dsa: Prep Create a FindOidTagByString function.

   - Bug 1983320 - ml-dsa: softoken changes.

   - Bug 1983320 - ml-dsa: der key decode.

   - Bug 1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi.

   - Bug 1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function.

   - Bug 1983308 - disable DSA in NSS script tests.

   - Bug 1983308 - Disabling of some algorithms: generic cert.sh.

   - Bug 1981046 - Need to update to new mechanisms.

   - Bug 1983320 - Add ML-DSA public key printing support in NSS command-line utilities.

   - Bug 1986802 - note embedded scts before revocation checks are performed.

   - Bug 1983320 - Add support for ML-DSA keys and mechanisms in PKCS#11 interface.

   - Bug 1983320 - Add support for ML-DSA key type and public key structure.

   - Bug 1983320 - Enable ML-DSA integration via OIDs support and SECMOD flag.

   - Bug 1983308 - disable kyber.

   - Bug 1965329 - Implement PKCS #11 v3.2 PQ functions (use verify signature).

   - Bug 1983308 - Disable dsa - gtests.

   - Bug 1983313 - make group and scheme support in test tools generic.

   - Bug 1983770 - Create GH workflow to automatically close PRs.

   - Bug 1983308 - Disable dsa - base code.

   - Bug 1983308 - Disabling of some algorithms: remove dsa from pk11_mode.

   - Bug 1983308 - Disable seed and RC2 bug fixes.

   - Bug 1982742 - restore support for finding certificates by decoded serial number.

   - Bug 1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups.