You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

NSS 3.11.3 Release Notes

10 September 2006




Network Security Services (NSS) 3.11.3 is a patch release for NSS 3.11. The bug fixes in NSS 3.11.3 are described in the "Bugs Fixed" section below.

Distribution Information

The CVS tag for the NSS 3.11.3 release is NSS_3_11_3_RTM.  NSS 3.11.3 requires NSPR 4.6.3.

See the Documentation section for the build instructions.

NSS 3.11.3 source and binary distributions are also available on for secure HTTPS download:

You also need to download the NSPR 4.6.3 binary distributions to get the NSPR 4.6.3 header files and shared libraries, which NSS 3.11.3 requires. NSPR 4.6.3 binary distributions are in

Bugs Fixed

The following bugs have been fixed in NSS 3.11.3.
  • Bug 53427: PORT_FreeArena NEVER zeros memory before freeing it
  • Bug 182758: freebl PRNG hashes netstat and /dev/urandom data rather than just using /dev/urandom
  • Bug 225525: race assigning NSSCertificate fields leaks memory and slot reference
  • Bug 265003: Add CRL generation to crlutil
  • Bug 287850: chain validation returns ambiguous error codes when OCSP enabled
  • Bug 294537: ssltap should display ASCII CA names from cert request message
  • Bug 304361: smime: possible memory corruption when encoding/decoding smime_encryptionkeypref_template
  • Bug 325148: perl syntax error from make 3.81 changes backslash-newline behavior inside single-quoted strings
  • Bug 330056: seckey_put_private_key leaks memory
  • Bug 331279: intermittent reference leak in strsclnt caused by race in importing temp cert from server
  • Bug 334458: Variable (cache)->sharedCache tracked as NULL was passed to a function that dereferences it. [[@ CloseCache - InitCache]
  • Bug 336509: Continuous RNG test failure does not immediately put the FIPS module in the error state
  • Bug 336813: NSC_GetTokenInfo does not return some applicable token information flags
  • Bug 337013: OOM crash [[@ nssArena_Destroy - nssTrustDomain_TraverseCertificatesBySubject][[@ nssArena_Destroy - nssTrustDomain_TraverseCertificatesByNickname] Dereferencing possibly NULL tmpArena
  • Bug 337081: Coverity 516
  • Bug 337486: mismatch between PK11_FindCertFromNickname and FindCerts
  • Bug 339915: Coverity 874
  • Bug 340040: certutil does not have an option for verifying OCSP status responder certs
  • Bug 340217: Coverity 543
  • Bug 341114: Coverity 517 SECU_ParseCommandLine leaks optstate
  • Bug 341115: Multiple NULL ptr dereferences in nss/lib/base/arena.c
  • Bug 341117: PK11_DestroyPBEParams doesn't destroy (free) its argument
  • Bug 341118: Coverity 544 sec_pkcs12_decoder_verify_mac leaks allocated SECItem
  • Bug 341120: Coverity 541 nss_cms_recipients_traverse leaks rle
  • Bug 341323: Race condition in Stan import cert code called from __CERT_NewTempCertificate
  • Bug 341707: curve-limited clients must not negotiate ECC ciphersuites unless they send the supported curve extension
  • Bug 341708: selfserv is sometimes silent when client aborts handshake in client key exchange
  • Bug 343682: crash in libcrmf with ecc
  • Bug 345502: PRNG Power up Self test required
  • Bug 347024: Move the software integrity test into sftk_fipsPowerUpSelfTest
  • Bug 347409: Initiate the power-up self-tests on demand by restarting the NSS cryptographic module
  • Bug 347450: FIPS 140-2 requirements on key zeroization
  • Bug 348359: handshake failure using TLS/DHE-DSS/AES128-CBC/SHA suite
  • Bug 349609: C_SignUpdate does not work for DSA key
  • Bug 349632: C_VerifyUpdate fails for hmac
  • Bug 349920: freebl libraries are always optimized on Sparc
  • Bug 349965: Implement a power-up self-test for ECDSA key pair generation
  • Bug 349966: re-enable SSLTRACE for keys and (pre)master secrets
  • Bug 351270: Regression Assertion failure: 0
  • Bug 351482: audit_log_user_message doesn't exist in all versions of
  • Bug 351848: DecryptSigBlock does not check the message digest's length is correct
  • Bug 351872: Memory leak in FIPS power up self test
  • Bug 351890: Update misc version strings for NSS 3.11.3 release
  • Bug 351893: Differentiate Basic and Extended ECC for NSS version string
  • Bug 356215: FF1507 RSA signature forgery: unchecked padding length (CVE-2006-5462)


For a list of the primary NSS documentation pages on, see NSS Documentation.


NSS 3.11.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.11.3 shared libraries without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.


Bugs discovered should be reported by filing a bug report with Bugzilla (product NSS).