.. _mozilla_projects_nss_nss_3_108_release_notes:
NSS 3.108 release notes
========================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.108 was released on *4 February 2024**.
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_108_RTM. NSS 3.108 requires NSPR 4.35 or newer. The latest version of NSPR is 4.36.
NSS 3.108 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_108_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.108:
`Changes in NSS 3.108 <#changes_in_nss_3.108>`__
------------------------------------------------------------------
.. container::
- Bug 1923285 - libclang-16 -> libclang-19
- Bug 1939086 - Turn off Secure Email Trust Bit for Security Communication ECC RootCA1.
- Bug 1937332 - Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2.
- Bug 1915902 - Remove SwissSign Silver CA – G2.
- Bug 1938245 - Add D-Trust 2023 TLS Roots to NSS
- Bug 1942301 - fix fips test failure on windows.
- Bug 1935925 - change default sensitivity of KEM keys.
- Bug 1936001 - Part 1: Introduce frida hooks and script,
- Bug 1942350 - add missing arm_neon.h include to gcm.c.
- Bug 1831552 - ci: update windows workers to win2022 r=nss-reviewers,nkulatova NSS_3_108_BETA2
- Bug 1831552 - strip trailing carriage returns in tools tests r=nss-reviewers,nkulatova
- Bug 1880256 - work around unix/windows path translation issues in cert test script r=nss-reviewers,nkulatova
- Bug 1831552 - ci: let the windows setup script work without $m r=nss-reviewers,nkulatova
- Bug 1880255 - detect msys r=nss-reviewers,nkulatova
- Bug 1936680 - add a specialized CTR_Update variant for AES-GCM. r=nss-reviewers,keeler
- Bug 1930807 NSS policy updates - cavs NSS_3_108_BETA1
- Bug 1930806 FIPS changes need to be upstreamed: FIPS 140-3 RNG
- Bug 1930806 FIPS changes need to be upstreamed: Add SafeZero
- Bug 1930806 FIPS changes need to be upstreamed - updated POST
- Bug 1933031 Segmentation fault in SECITEM_Hash during pkcs12 processing
- Bug 1929922 - Extending NSS with LoadModuleFromFunction functionality r=keeler,nss-reviewers
- Bug 1935984 - Ensure zero-initialization of collectArgs.cert, r=djackson,nss-reviewers
- Bug 1934526 - pkcs7 fuzz target use CERT_DestroyCertificate, r=djackson,nss-reviewers
- Bug 1915898 - Fix actual underlying ODR violations issue, r=djackson,nss-reviewers
- Bug 1184059 - mozilla::pkix: allow reference ID labels to begin and/or end with hyphens r=jschanck
- Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set r=jschanck
- Bug 1934526 - Fix memory leak in pkcs7 fuzz target, r=djackson,nss-reviewers
- Bug 1934529 - Set -O2 for ASan builds in CI, r=djackson,nss-reviewers
- Bug 1934543 - Change branch of tlsfuzzer dependency, r=djackson,nss-reviewers
- Bug 1915898 - Run tests in CI for ASan builds with detect_odr_violation=1, r=djackson,nss-reviewers
- Bug 1934241 - Fix coverage failure in CI, r=djackson,nss-reviewers
- Bug 1934213 - Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch, r=djackson,nss-reviewers
- Bug 1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround, r=djackson,nss-reviewers
- Bug 1913677 - Part 3: Restructure fuzz/, r=djackson,nss-reviewers
- Bug 1931925 - Extract testcases from ssl gtests for fuzzing, r=djackson,nss-reviewers
- Bug 1923037 - Force Cryptofuzz to use NSS in CI, r=nss-reviewers,nkulatova
- Bug 1923037 - Fix Cryptofuzz on 32 bit in CI, r=nss-reviewers,nkulatova
- Bug 1933154 - Update Cryptofuzz repository link, r=nss-reviewers,nkulatova
- Bug 1926256 - fix build error from 9505f79d r=jschanck
- Bug 1926256 - simplify error handling in get_token_objects_for_cache. r=rrelyea
- Bug 1931973 - nss doc: fix a warning r=bbeurdouche
- Bug 1930797 pkcs12 fixes from RHEL need to be picked up.