.. _mozilla_projects_nss_nss_3_117_release_notes: NSS 3.117 release notes ======================== `Introduction <#introduction>`__ -------------------------------- .. container:: Network Security Services (NSS) 3.117 was released on *3 October 2025**. `Distribution Information <#distribution_information>`__ -------------------------------------------------------- .. container:: The HG tag is NSS_3_117_RTM. NSS 3.117 requires NSPR 4.37 or newer. NSS 3.117 source distributions are available on ftp.mozilla.org for secure HTTPS download: - Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_117_RTM/src/ Other releases are available :ref:`mozilla_projects_nss_releases`. .. _changes_in_nss_3.117: `Changes in NSS 3.117 <#changes_in_nss_3.117>`__ ------------------------------------------------------------------ .. container:: - Bug 1992218 - fix memory leak in secasn1decode_unittest.cc. - Bug 1988913 - Add OISTE roots. - Bug 1976051 - Add runbook for certdata.txt changes. - Bug 1991666 - dbtool: close databases before shutdown. - Bug 1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates. - Bug 1956754 - don't flush base64 when buffer is null. - Bug 1989541 - Set `use_pkcs5_pbkd2_params2_only=1` for fuzzing builds. - Bug 1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs. - Bug 1980465 - Fix a big-endian-problematic cast in zlib calls. - Bug 1962321 - Revert removing out/ directory after ossfuzz build. - Bug 1988524 - Add Cryptofuzz to OSS-Fuzz build. - Bug 1984704 - Add PKCS#11 trust tests. - Bug 1983308 - final disable dsa patch cert.sh. - Bug 1983320 - ml-dsa: move tls 1.3 to use streaming signatures. - Bug 1983320 - ml-dsa: Prep Create a FindOidTagByString function. - Bug 1983320 - ml-dsa: softoken changes. - Bug 1983320 - ml-dsa: der key decode. - Bug 1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi. - Bug 1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function.