summaryrefslogtreecommitdiffstats
path: root/security/nss/doc/rst/legacy/nss_releases
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
commit0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d (patch)
treea31f07c9bcca9d56ce61e9a1ffd30ef350d513aa /security/nss/doc/rst/legacy/nss_releases
parentInitial commit. (diff)
downloadfirefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.tar.xz
firefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.zip
Adding upstream version 115.8.0esr.upstream/115.8.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/doc/rst/legacy/nss_releases')
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/index.rst161
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst109
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst432
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst327
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst285
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst318
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst144
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst127
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst103
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst132
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst82
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst82
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst174
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst131
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst126
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst89
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst94
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst137
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst93
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst157
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst97
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst99
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst81
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst110
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst114
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst171
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst75
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst98
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst81
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst98
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst132
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst88
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst134
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst90
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst72
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst105
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst169
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst113
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst88
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst84
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst84
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst82
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst94
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst117
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst88
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst119
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst88
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst80
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst140
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst80
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst70
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst78
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst75
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst277
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst69
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst90
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst70
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst194
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst192
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst201
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst80
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst140
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst80
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst91
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst92
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst84
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst149
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst148
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst79
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst95
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst77
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst116
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst170
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst94
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst71
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst73
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst75
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst68
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst73
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst115
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst125
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst71
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst129
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst143
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst115
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst94
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst215
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst273
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst84
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst75
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst68
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst69
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst73
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst74
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst90
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst78
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst75
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst112
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst106
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst149
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst81
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst102
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst76
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst163
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst65
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst143
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst151
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst140
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst72
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst76
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst69
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst146
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst224
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst72
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst219
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst78
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst179
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst71
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst178
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst71
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst76
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst103
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst120
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst79
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst103
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst69
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst158
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst69
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst128
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst184
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst135
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst98
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst151
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst76
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst57
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst108
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst58
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst144
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst65
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst84
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst66
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst90
-rw-r--r--security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst69
143 files changed, 16544 insertions, 0 deletions
diff --git a/security/nss/doc/rst/legacy/nss_releases/index.rst b/security/nss/doc/rst/legacy/nss_releases/index.rst
new file mode 100644
index 0000000000..74858e969d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/index.rst
@@ -0,0 +1,161 @@
+.. _mozilla_projects_nss_nss_releases:
+
+Release notes for recent versions of NSS
+========================================
+
+.. container::
+
+ The current **Stable** release of NSS is 3.64, which was released on **15 April 2021**.
+ (:ref:`mozilla_projects_nss_nss_3_64_release_notes`)
+
+ The current **ESR** releases of NSS are 3.44.4
+ (:ref:`mozilla_projects_nss_nss_3_44_4_release_notes`), intended for Firefox ESR 68, which was
+ released on **19 May 2020**, and 3.53.1 :ref:`mozilla_projects_nss_nss_3_53_1_release_notes`,
+ intended for Firefox ESR 78, which was released on **16 June 2020**.
+
+.. _past_releases:
+
+`Past releases <#past_releases>`__
+----------------------------------
+
+.. container::
+
+ - :ref:`mozilla_projects_nss_nss_3_63_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_63_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_62_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_61_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_60_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_60_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_59_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_59_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_58_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_57_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_56_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_55_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_54_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_53_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_53_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_52_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_52_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_51_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_51_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_50_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_49_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_49_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_49_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_48_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_48_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_47_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_47_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_46_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_46_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_45_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_43_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_42_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_42_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_8_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_7_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_41_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_40_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_6_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_40_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_39_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_38_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_37_3release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_37_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_37_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_35_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_34_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_34_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_33_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_32_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_31_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_31_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_30_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_30_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_30_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_27_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_27_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_27_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_26_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_26_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_25_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_25_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_24_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_23_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_22_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_22_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_22_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_20_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_20_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_19_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_19_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_19_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_19_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_18_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_18_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_6_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_2_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_2_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_2_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_3_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_release_notes`
+ - :ref:`mozilla_projects_nss_release_notes`
+
+.. _future_releases:
+
+`Future releases <#future_releases>`__
+--------------------------------------
+
+.. container::
+
+ Release planning is done on the Mozilla wiki: `NSS:Release
+ Versions <https://wiki.mozilla.org/NSS:Release_Versions>`__. \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst
new file mode 100644
index 0000000000..9be1956bde
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst
@@ -0,0 +1,109 @@
+.. _mozilla_projects_nss_jss_4_4_0_release_notes:
+
+JSS 4.4.0 Release Notes
+=======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Java Security Services (JSS) team has released JSS 4.4.0, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is JSS_4_4\ **\_20170313**. JSS 4.4.0 requires Netswork Security Services (NSS) 3.29.1
+ and Netscape Portable Runtime (NSPR) 4.13.1 or newer.
+
+ JSS 4.4.0 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ `https://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_4_0_RTM/src/ <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_RTM/src/>`__
+
+.. _new_in_jss_4.40:
+
+`New in JSS 4.40 <#new_in_jss_4.40>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ New Macros
+
+.. _notable_changes_in_jss_4.40:
+
+`Notable Changes in JSS 4.40 <#notable_changes_in_jss_4.40>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Picks up work done downstream for Fedora and RHEL and used by various Linux distributions with
+ includes:.
+ - Support for IPv6.
+ - Support for TLS v1.1 and TLS v1.2 via NSS though JSS.
+
+.. _bugs_fixed_in_jss_4.4.0:
+
+`Bugs fixed in JSS 4.4.0 <#bugs_fixed_in_jss_4.4.0>`__
+------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 4.4.0:
+
+ https://bugzilla.mozilla.org/buglist.cgi?product=JSS&target_milestone=4.4&target_milestone=4.4&bug_status=RESOLVED&resolution=FIXED
+
+`Documentation <#documentation>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Build instructions for JSS at https://hg.mozilla.org/projects/jss/file/tip/README
+
+.. _platform_information:
+
+`Platform Information <#platform_information>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - You can check out the source from mercurial via hg clone -r 055aa3ce8a61
+ https://hg.mozilla.org/projects/jss
+
+ - JSS 4.4.0 works with OpenJDK versions 1.7 or higher we suggest the latest - OpenJDK 1.8.
+ - JSS 4.4.0 requires :ref:`mozilla_projects_nss_nss_3_12_5_release_notes` or higher though NSS
+ 3.28.3 is recommended.
+ - JSS 4.3.1 requires `NSPR 4.7.1 <https://www.mozilla.org/projects/nspr/release-notes/>`__ or
+ higher though NSPR 3.13 is recommended.
+ - JSS only supports the native threading model (no green threads).
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ JSS 3.30 shared libraries are not backward compatible with all older JSS 4.3.2 shared libraries.
+ A program linked with older jSS 4.3.2 shared libraries will not work with JSS 4.4.0 shared
+ libraries without recompiling or relinking. Furthermore, applications that restrict their use of
+ jSS APIs to the functions listed in JSS Public Functions will remain compatible with future
+ versions of the JSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product JSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst
new file mode 100644
index 0000000000..8cb7d7a64b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst
@@ -0,0 +1,432 @@
+.. _mozilla_projects_nss_nss_3_12_3_release_notes:
+
+NSS_3.12.3_release_notes.html
+=============================
+
+.. _nss_3.12.3_release_notes:
+
+`NSS 3.12.3 Release Notes <#nss_3.12.3_release_notes>`__
+--------------------------------------------------------
+
+.. _2009-04-01:
+
+`2009-04-01 <#2009-04-01>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Newsgroup: `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__
+
+`Contents <#contents>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Introduction <#introduction>`__
+ - `Distribution Information <#distribution_information>`__
+ - `New in NSS 3.12.3 <#new_in_nss_3.12.3>`__
+ - `Bugs Fixed <#bugs_fixed>`__
+ - `Documentation <#documentation>`__
+ - `Compatibility <#compatibility>`__
+ - `Feedback <#feedback>`__
+
+ --------------
+
+`Introduction <#introduction>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Network Security Services (NSS) 3.12.3 is a patch release for NSS 3.12. The bug fixes in NSS
+ 3.12.3 are described in the "`Bugs Fixed <#bugs_fixed>`__" section below.
+
+ NSS 3.12.3 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
+
+ --------------
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ | The CVS tag for the NSS 3.12.3 release is NSS_3_12_3_RTM. NSS 3.12.3 requires `NSPR
+ 4.7.4 <https://www.mozilla.org/projects/nspr/release-notes/nspr474.html>`__.
+ | See the `Documentation <#documentation>`__ section for the build instructions.
+
+ NSS 3.12.3 source and binary distributions are also available on ftp.mozilla.org for secure HTTPS
+ download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_3_RTM/src/.
+ - Binary distributions:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_3_RTM/. Both debug and
+ optimized builds are provided. Go to the subdirectory for your platform, DBG (debug) or OPT
+ (optimized), to get the tar.gz or zip file. The tar.gz or zip file expands to an nss-3.12.3
+ directory containing three subdirectories:
+
+ - include - NSS header files
+ - lib - NSS shared libraries
+ - bin - `NSS Tools <https://www.mozilla.org/projects/security/pki/nss/tools/>`__ and test
+ programs
+
+ You also need to download the NSPR 4.7.4 binary distributions to get the NSPR 4.7.4 header files
+ and shared libraries, which NSS 3.12.3 requires. NSPR 4.7.4 binary distributions are in
+ https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.7.4/.
+
+ --------------
+
+.. _new_in_nss_3.12.3:
+
+`New in NSS 3.12.3 <#new_in_nss_3.12.3>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Changes in behavior:
+ - In the development of NSS 3.12.3, it became necessary to change some old library behaviors due
+ to the discovery of certain vulnerabilities in the old behaviors, and to correct some errors
+ that had limited NSS's ability to interoperate with cryptographic hardware and software from
+ other sources.
+ Most of these changes should cause NO problems for NSS users, but in some cases, some
+ customers' software, hardware and/or certificates may be dependent on the old behaviors, and
+ may have difficulty with the new behaviors. In anticipation of that, the NSS team has provided
+ ways to easily cause NSS to revert to its previous behavior through the use of environment
+ variables.
+ Here is a table of the new environment variables introduced in NSS 3.12.3 and information
+ about how they affect these new behaviors. The information in this table is excerpted from
+ :ref:`mozilla_projects_nss_reference_nss_environment_variables`
+
+ +--------------------------------+--------------------------------+--------------------------------+
+ | **Environment Variable** | **Value Type** | **Description** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | NSRANDCOUNT | Integer | Sets the maximum number of |
+ | | (byte count) | bytes to read from the file |
+ | | | named in the environment |
+ | | | variable NSRANDFILE (see |
+ | | | below). Makes NSRANDFILE |
+ | | | usable with /dev/urandom. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | NSS_ALLOW_WEAK_SIGNATURE_ALG | Boolean | Enables the use of MD2 and MD4 |
+ | | (any non-empty value to | hash algorithms inside |
+ | | enable) | signatures. This was allowed |
+ | | | by default before NSS 3.12.3. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | NSS_HASH_ALG_SUPPORT | String | Specifies algorithms allowed |
+ | | | to be used in certain |
+ | | | applications, such as in |
+ | | | signatures on certificates and |
+ | | | CRLs. See documentation at |
+ | | | `this |
+ | | | link |
+ | | | <https://bugzilla.mozilla.org/ |
+ | | | show_bug.cgi?id=483113#c0>`__. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | NSS_STRICT_NOFORK | String | It is an error to try to use a |
+ | | ("1", | PKCS#11 crypto module in a |
+ | | "DISABLED", | process before it has been |
+ | | or any other non-empty value) | initialized in that process, |
+ | | | even if the module was |
+ | | | initialized in the parent |
+ | | | process. Beginning in NSS |
+ | | | 3.12.3, Softoken will detect |
+ | | | this error. This environment |
+ | | | variable controls Softoken's |
+ | | | response to that error. |
+ | | | |
+ | | | - If set to "1" or unset, |
+ | | | Softoken will trigger an |
+ | | | assertion failure in debug |
+ | | | builds, and will report an |
+ | | | error in non-DEBUG builds. |
+ | | | - If set to "DISABLED", |
+ | | | Softoken will ignore forks, |
+ | | | and behave as it did in |
+ | | | older versions. |
+ | | | - If set to any other |
+ | | | non-empty value, Softoken |
+ | | | will report an error in |
+ | | | both DEBUG and non-DEBUG |
+ | | | builds. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | NSS_USE_DECODED_CKA_EC_POINT | Boolean | Tells NSS to send EC key |
+ | | (any non-empty value to | points across the PKCS#11 |
+ | | enable) | interface in the non-standard |
+ | | | unencoded format that was used |
+ | | | by default before NSS 3.12.3. |
+ | | | The new key point format is a |
+ | | | DER encoded ASN.1 OCTET |
+ | | | STRING. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | NSS_USE_SHEXP_IN_CERT_NAME | Boolean | Tells NSS to allow shell-style |
+ | | (any non-empty value to | wildcard patterns in |
+ | | enable) | certificates to match SSL |
+ | | | server host names. This |
+ | | | behavior was the default |
+ | | | before NSS 3.12.3. The new |
+ | | | behavior conforms to RFC 2818. |
+ +--------------------------------+--------------------------------+--------------------------------+
+
+ - New Korean SEED cipher:
+
+ - New macros for SEED support:
+
+ - *in blapit.h:*
+ NSS_SEED
+ NSS_SEED_CBC
+ SEED_BLOCK_SIZE
+ SEED_KEY_LENGTH
+ *in pkcs11t.h:*
+ CKK_SEED
+ CKM_SEED_KEY_GEN
+ CKM_SEED_ECB
+ CKM_SEED_CBC
+ CKM_SEED_MAC
+ CKM_SEED_MAC_GENERAL
+ CKM_SEED_CBC_PAD
+ CKM_SEED_ECB_ENCRYPT_DATA
+ CKM_SEED_CBC_ENCRYPT_DATA
+ *in secmod.h:*
+ PUBLIC_MECH_SEED_FLAG
+ *in secmodt.h:*
+ SECMOD_SEED_FLAG
+ *in secoidt.h:*
+ SEC_OID_SEED_CBC
+ *in sslproto.h:*
+ TLS_RSA_WITH_SEED_CBC_SHA
+ *in sslt.h:*
+ ssl_calg_seed
+
+ - New structure for SEED support:
+
+ - (see blapit.h)
+ SEEDContextStr
+ SEEDContext
+
+ - New functions in the nss shared library:
+
+ - CERT_RFC1485_EscapeAndQuote (see cert.h)
+ CERT_CompareCerts (see cert.h)
+ CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
+ PK11_GetSymKeyHandle (see pk11pqg.h)
+ UTIL_SetForkState (see secoid.h)
+ NSS_GetAlgorithmPolicy (see secoid.h)
+ NSS_SetAlgorithmPolicy (see secoid.h)
+
+ - For the 2 functions above see also (in secoidt.h):
+ NSS_USE_ALG_IN_CERT_SIGNATURE
+ NSS_USE_ALG_IN_CMS_SIGNATURE
+ NSS_USE_ALG_RESERVED
+
+ - Support for the Watcom C compiler is removed
+
+ - The file watcomfx.h is removed.
+
+ --------------
+
+.. _bugs_fixed:
+
+`Bugs Fixed <#bugs_fixed>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ The following bugs have been fixed in NSS 3.12.3.
+
+ - `Bug 159483 <https://bugzilla.mozilla.org/show_bug.cgi?id=159483>`__: cert name matching: RFC
+ 2818 vs. backwards compatibility (wildcards)
+ - `Bug 334678 <https://bugzilla.mozilla.org/show_bug.cgi?id=334678>`__: prng_fips1861.c
+ redefines the macro BSIZE on HP-UX
+ - `Bug 335016 <https://bugzilla.mozilla.org/show_bug.cgi?id=335016>`__: mpp_pprime (Miller-Rabin
+ probabilistic primality test) may choose 0 or 1 as the random integer
+ - `Bug 347037 <https://bugzilla.mozilla.org/show_bug.cgi?id=347037>`__: Make shlibsign depend on
+ the softoken only
+ - `Bug 371522 <https://bugzilla.mozilla.org/show_bug.cgi?id=371522>`__: Auto-Update of CRLs
+ stops after first update
+ - `Bug 380784 <https://bugzilla.mozilla.org/show_bug.cgi?id=380784>`__: PK11MODE in non FIPS
+ mode failed.
+ - `Bug 394077 <https://bugzilla.mozilla.org/show_bug.cgi?id=394077>`__: libpkix need to return
+ revocation status of a cert
+ - `Bug 412468 <https://bugzilla.mozilla.org/show_bug.cgi?id=412468>`__: modify certutil
+ - `Bug 417092 <https://bugzilla.mozilla.org/show_bug.cgi?id=417092>`__: Modify pkix_CertSelector
+ API to return an error if cert was rejected.
+ - `Bug 426413 <https://bugzilla.mozilla.org/show_bug.cgi?id=426413>`__: Audit messages need
+ distinct types
+ - `Bug 438870 <https://bugzilla.mozilla.org/show_bug.cgi?id=438870>`__: Free Freebl hashing code
+ of dependencies on NSPR and libUtil
+ - `Bug 439115 <https://bugzilla.mozilla.org/show_bug.cgi?id=439115>`__: DB merge allows nickname
+ conflicts in merged DB
+ - `Bug 439199 <https://bugzilla.mozilla.org/show_bug.cgi?id=439199>`__: SSE2 instructions for
+ bignum are not implemented on Windows 32-bit
+ - `Bug 441321 <https://bugzilla.mozilla.org/show_bug.cgi?id=441321>`__: Tolerate incorrect
+ encoding of DSA signatures in SSL 3.0 handshakes
+ - `Bug 444404 <https://bugzilla.mozilla.org/show_bug.cgi?id=444404>`__: libpkix reports unknown
+ issuer for nearly all certificate errors
+ - `Bug 452391 <https://bugzilla.mozilla.org/show_bug.cgi?id=452391>`__: certutil -K incorrectly
+ reports ec private key as an orphan
+ - `Bug 453234 <https://bugzilla.mozilla.org/show_bug.cgi?id=453234>`__: Support for SEED Cipher
+ Suites to TLS RFC4010
+ - `Bug 453364 <https://bugzilla.mozilla.org/show_bug.cgi?id=453364>`__: Improve PK11_CipherOp
+ error reporting (was: PK11_CreateContextBySymKey returns NULL
+ - `Bug 456406 <https://bugzilla.mozilla.org/show_bug.cgi?id=456406>`__: Slot list leaks in
+ symkeyutil
+ - `Bug 461085 <https://bugzilla.mozilla.org/show_bug.cgi?id=461085>`__: RFE: export function
+ CERT_CompareCerts
+ - `Bug 462293 <https://bugzilla.mozilla.org/show_bug.cgi?id=462293>`__: Crash on fork after
+ Softoken is dlClose'd on some Unix platforms in NSS 3.12
+ - `Bug 463342 <https://bugzilla.mozilla.org/show_bug.cgi?id=463342>`__: move some headers to
+ freebl/softoken
+ - `Bug 463452 <https://bugzilla.mozilla.org/show_bug.cgi?id=463452>`__: SQL DB creation does not
+ set files protections to 0600
+ - `Bug 463678 <https://bugzilla.mozilla.org/show_bug.cgi?id=463678>`__: Need to add RPATH to
+ 64-bit libraries on HP-UX
+ - `Bug 464088 <https://bugzilla.mozilla.org/show_bug.cgi?id=464088>`__: Option to build NSS
+ without dbm (handy for WinCE)
+ - `Bug 464223 <https://bugzilla.mozilla.org/show_bug.cgi?id=464223>`__: Certutil didn't accept
+ certificate request to sign.
+ - `Bug 464406 <https://bugzilla.mozilla.org/show_bug.cgi?id=464406>`__: Fix signtool regressions
+ - `Bug 465270 <https://bugzilla.mozilla.org/show_bug.cgi?id=465270>`__: uninitialised value in
+ devutil.c::create_object()
+ - `Bug 465273 <https://bugzilla.mozilla.org/show_bug.cgi?id=465273>`__: dead assignment in
+ devutil.c::nssSlotArray_Clone()
+ - `Bug 465926 <https://bugzilla.mozilla.org/show_bug.cgi?id=465926>`__: During import of PKCS
+ #12 files
+ - `Bug 466180 <https://bugzilla.mozilla.org/show_bug.cgi?id=466180>`__:
+ SSL_ConfigMPServerSIDCache with default parameters fails on {Net
+ - `Bug 466194 <https://bugzilla.mozilla.org/show_bug.cgi?id=466194>`__: CERT_DecodeTrustString
+ should take a const char \* input trusts string.
+ - `Bug 466736 <https://bugzilla.mozilla.org/show_bug.cgi?id=466736>`__: Incorrect use of
+ NSS_USE_64 in lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
+ - `Bug 466745 <https://bugzilla.mozilla.org/show_bug.cgi?id=466745>`__: random number generator
+ fails on windows ce
+ - `Bug 467298 <https://bugzilla.mozilla.org/show_bug.cgi?id=467298>`__: SQL DB code uses local
+ cache on local file system
+ - `Bug 468279 <https://bugzilla.mozilla.org/show_bug.cgi?id=468279>`__: softoken crash importing
+ email cert into newly upgraded DB
+ - `Bug 468532 <https://bugzilla.mozilla.org/show_bug.cgi?id=468532>`__: Trusted CA trust flags
+ not being honored in CERT_VerifyCert
+ - `Bug 469583 <https://bugzilla.mozilla.org/show_bug.cgi?id=469583>`__: Coverity: uninitialized
+ variable used in sec_pkcs5CreateAlgorithmID
+ - `Bug 469944 <https://bugzilla.mozilla.org/show_bug.cgi?id=469944>`__: when built with
+ Microsoft compilers
+ - `Bug 470351 <https://bugzilla.mozilla.org/show_bug.cgi?id=470351>`__: crlutil build fails on
+ Windows because it calls undeclared isatty
+ - `Bug 471539 <https://bugzilla.mozilla.org/show_bug.cgi?id=471539>`__: Stop honoring digital
+ signatures in certificates and CRLs based on weak hashes
+ - `Bug 471665 <https://bugzilla.mozilla.org/show_bug.cgi?id=471665>`__: NSS reports incorrect
+ sizes for (AES) symmetric keys
+ - `Bug 471715 <https://bugzilla.mozilla.org/show_bug.cgi?id=471715>`__: Add cert to nssckbi to
+ override rogue md5-collision CA cert
+ - `Bug 472291 <https://bugzilla.mozilla.org/show_bug.cgi?id=472291>`__: crash in libpkix object
+ leak tests due to null pointer dereferencing in pkix_build.c:3218.
+ - `Bug 472319 <https://bugzilla.mozilla.org/show_bug.cgi?id=472319>`__: Vfychain validates chain
+ even if revoked certificate.
+ - `Bug 472749 <https://bugzilla.mozilla.org/show_bug.cgi?id=472749>`__: Softoken permits AES
+ keys of ANY LENGTH to be created
+ - `Bug 473147 <https://bugzilla.mozilla.org/show_bug.cgi?id=473147>`__: pk11mode tests fails on
+ AIX when using shareable DBs.
+ - `Bug 473357 <https://bugzilla.mozilla.org/show_bug.cgi?id=473357>`__: ssltap incorrectly
+ parses handshake messages that span record boundaries
+ - `Bug 473365 <https://bugzilla.mozilla.org/show_bug.cgi?id=473365>`__: Incompatible argument in
+ pkix_validate.c.
+ - `Bug 473505 <https://bugzilla.mozilla.org/show_bug.cgi?id=473505>`__: softoken's C_Initialize
+ and C_Finalize should succeed after a fork in a child process
+ - `Bug 473944 <https://bugzilla.mozilla.org/show_bug.cgi?id=473944>`__: Trust anchor is not
+ trusted when requireFreshInfo flag is set.
+ - `Bug 474532 <https://bugzilla.mozilla.org/show_bug.cgi?id=474532>`__: Softoken cannot import
+ certs with empty subjects and non-empty nicknames
+ - `Bug 474777 <https://bugzilla.mozilla.org/show_bug.cgi?id=474777>`__: Wrong deallocation when
+ modifying CRL.
+ - `Bug 476126 <https://bugzilla.mozilla.org/show_bug.cgi?id=476126>`__: CERT_AsciiToName fails
+ when AVAs in an RDN are separated by '+'
+ - `Bug 477186 <https://bugzilla.mozilla.org/show_bug.cgi?id=477186>`__: Infinite loop in
+ CERT_GetCertChainFromCert
+ - `Bug 477777 <https://bugzilla.mozilla.org/show_bug.cgi?id=477777>`__: Selfserv crashed in
+ client/server tests.
+ - `Bug 478171 <https://bugzilla.mozilla.org/show_bug.cgi?id=478171>`__: Consolidate the
+ coreconf/XXX.mk files for Windows
+ - `Bug 478563 <https://bugzilla.mozilla.org/show_bug.cgi?id=478563>`__: Add \_MSC_VER (the cl
+ version) to coreconf.
+ - `Bug 478724 <https://bugzilla.mozilla.org/show_bug.cgi?id=478724>`__: NSS build fails on
+ Windows since 20090213.1 nightly build.
+ - `Bug 478931 <https://bugzilla.mozilla.org/show_bug.cgi?id=478931>`__: object leak in
+ pkix_List_MergeLists function
+ - `Bug 478994 <https://bugzilla.mozilla.org/show_bug.cgi?id=478994>`__: Allow Softoken's fork
+ check to be disabled
+ - `Bug 479029 <https://bugzilla.mozilla.org/show_bug.cgi?id=479029>`__: OCSP Response signature
+ cert found invalid if issuer is trusted only for SSL
+ - `Bug 479601 <https://bugzilla.mozilla.org/show_bug.cgi?id=479601>`__: Wrong type (UTF8 String)
+ for email addresses in subject by CERT_AsciiToName
+ - `Bug 480142 <https://bugzilla.mozilla.org/show_bug.cgi?id=480142>`__: Use sizeof on the
+ correct type of ckc_x509 in lib/ckfw
+ - `Bug 480257 <https://bugzilla.mozilla.org/show_bug.cgi?id=480257>`__: OCSP fails when response
+ > 1K Byte
+ - `Bug 480280 <https://bugzilla.mozilla.org/show_bug.cgi?id=480280>`__: The CKA_EC_POINT PKCS#11
+ attribute is encoded in the wrong way: missing encapsulating octet string
+ - `Bug 480442 <https://bugzilla.mozilla.org/show_bug.cgi?id=480442>`__: Remove (empty)
+ watcomfx.h from nss
+ - `Bug 481216 <https://bugzilla.mozilla.org/show_bug.cgi?id=481216>`__: Fix specific spelling
+ errors in NSS
+ - `Bug 482702 <https://bugzilla.mozilla.org/show_bug.cgi?id=482702>`__: OCSP test with revoked
+ CA cert validated as good.
+ - `Bug 483113 <https://bugzilla.mozilla.org/show_bug.cgi?id=483113>`__: add environment variable
+ to disable/enable hash algorithms in cert/CRL signatures
+ - `Bug 483168 <https://bugzilla.mozilla.org/show_bug.cgi?id=483168>`__: NSS Callback API for
+ looking up a default OCSP Responder URL
+ - `Bug 483963 <https://bugzilla.mozilla.org/show_bug.cgi?id=483963>`__: Assertion failure in
+ OCSP tests.
+ - `Bug 484425 <https://bugzilla.mozilla.org/show_bug.cgi?id=484425>`__: Need accessor function
+ to retrieve SymKey handle
+ - `Bug 484466 <https://bugzilla.mozilla.org/show_bug.cgi?id=484466>`__: sec_error_invalid_args
+ with NSS_ENABLE_PKIX_VERIFY=1
+ - `Bug 485127 <https://bugzilla.mozilla.org/show_bug.cgi?id=485127>`__: bltest crashes when
+ attempting rc5_cbc or rc5_ecb
+ - `Bug 485140 <https://bugzilla.mozilla.org/show_bug.cgi?id=485140>`__: Wrong command line flags
+ used to build intel-aes.s with Solaris gas for x86_64
+ - `Bug 485370 <https://bugzilla.mozilla.org/show_bug.cgi?id=485370>`__: crash
+ - `Bug 485713 <https://bugzilla.mozilla.org/show_bug.cgi?id=485713>`__: Files added by Red Hat
+ recently have missing texts in license headers.
+ - `Bug 485729 <https://bugzilla.mozilla.org/show_bug.cgi?id=485729>`__: Remove
+ lib/freebl/mapfile.Solaris
+ - `Bug 485837 <https://bugzilla.mozilla.org/show_bug.cgi?id=485837>`__: vc90.pdb files are
+ output in source directory instead of OBJDIR
+ - `Bug 486060 <https://bugzilla.mozilla.org/show_bug.cgi?id=486060>`__: sec_asn1d_parse_leaf
+ uses argument uninitialized by caller pbe_PK11AlgidToParam
+
+ --------------
+
+`Documentation <#documentation>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ For a list of the primary NSS documentation pages on mozilla.org, see `NSS
+ Documentation <../index.html#Documentation>`__. New and revised documents available since the
+ release of NSS 3.11 include the following:
+
+ - `Build Instructions for NSS 3.11.4 and above <../nss-3.11.4/nss-3.11.4-build.html>`__
+ - `NSS Shared DB <http://wiki.mozilla.org/NSS_Shared_DB>`__
+
+ --------------
+
+`Compatibility <#compatibility>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ NSS 3.12.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.12.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain
+ compatible with future versions of the NSS shared libraries.
+
+ --------------
+
+`Feedback <#feedback>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ | Bugs discovered should be reported by filing a bug report with `mozilla.org
+ Bugzilla <https://bugzilla.mozilla.org/>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst
new file mode 100644
index 0000000000..400ff005c9
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst
@@ -0,0 +1,327 @@
+.. _mozilla_projects_nss_nss_3_12_4_release_notes:
+
+NSS 3.12.4 release notes
+========================
+
+.. container::
+
+ .. code::
+
+ 2009-08-20
+
+ *Newsgroup:*\ `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__
+ .. rubric:: Introduction
+ :name: Introduction
+
+ Network Security Services (NSS) 3.12.4 is a patch release for NSS 3.12. The bug fixes in NSS
+ 3.12.4 are described in the "`Bugs Fixed <#bugsfixed>`__" section below.
+
+ NSS 3.12.4 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
+
+ .. rubric:: Distribution Information
+ :name: Distribution_Information
+
+ This release is built from the source, at the CVS repository rooted at cvs.mozilla.org:/cvsroot,
+ with the CVS tag ``NSS_3_12_4_RTM``.
+
+ NSS 3.12.4 requires `NSPR 4.8 <https://www.mozilla.org/projects/nspr/release-notes/>`__. This is
+ not a hard requirement. Our QA tested NSS 3.12.4 with NSPR 4.8, but it should work with NSPR
+ 4.7.1 or later.
+
+ You can check out the source from CVS by
+
+ .. note::
+
+ cvs co -r NSPR_4_8_RTM NSPR
+ cvs co -r NSS_3_12_4_RTM NSS
+
+ See the `Documentation <#docs>`__ section for the build instructions.
+
+ NSS 3.12.4 source is also available on ``ftp.mozilla.org`` for secure HTTPS download:
+
+ - Source tarball:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/src/.
+
+ .. rubric:: Major changes in NSS 3.12.4
+ :name: Major_changes_in_NSS_3.12.4
+
+ - NSS 3.12.4 is the version that we submitted to NIST for FIPS 140-2 validation.
+ Currently NSS 3.12.4 is in the "Review Pending" state in the FIPS 140-2 pre-validation
+ list at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
+ - Added CRL Distribution Point support (see cert.h).
+ **CERT_DecodeCRLIssuingDistributionPoint**
+ **CERT_FindCRLIssuingDistPointExten**
+ - The old documentation of the expression matching syntax rules was
+ incorrect, and the new corrected documentation is as follows for
+ public nssutil functions (see portreq.h):
+
+ - **PORT_RegExpValid**
+ - **PORT_RegExpSearch**
+ - **PORT_RegExpCaseSearch**
+
+ - These functions will match a string with a shell expression. The expressions
+ accepted are based loosely on the expressions accepted by zsh.
+ Expected return values:
+
+ - NON_SXP if exp is a standard string
+ - INVALID_SXP if exp is a shell expression, but invalid
+ - VALID_SXP if exp is a valid shell expression
+
+ Expression matching rules:
+
+ - \* matches anything
+ - ? matches one character
+ - \\ will escape a special character
+ - $ matches the end of the string
+ - Bracketed expressions:
+ [abc] matches one occurrence of a, b, or c.
+ [^abc] matches any character except a, b, or c.
+ To be matched between [ and ], these characters must be escaped: \\ ]
+ No other characters need be escaped between brackets.
+ Unnecessary escaping is permitted.
+ - [a-z] matches any character between a and z, inclusive.
+ The two range-definition characters must be alphanumeric ASCII.
+ If one is upper case and the other is lower case, then the ASCII
+ non-alphanumeric characters between Z and a will also be in range.
+ - [^a-z] matches any character except those between a and z, inclusive.
+ These forms cannot be combined, e.g [a-gp-z] does not work.
+ - Exclusions:
+ As a top level, outter-most expression only, the expression
+ foo~bar will match the expression foo, provided it does not also
+ match the expression bar. Either expression or both may be a union.
+ Except between brackets, any unescaped ~ is an exclusion.
+ At most one exclusion is permitted.
+ Exclusions cannot be nested (contain other exclusions).
+ example: \*~abc will match any string except abc
+ - Unions:
+ (foo|bar) will match either the expression foo, or the expression bar.
+ At least one '|' separator is required. More are permitted.
+ Expressions inside unions may not include unions or exclusions.
+ Inside a union, to be matched and not treated as a special character,
+ these characters must be escaped: \\ ( \| ) [ ~ except when they occur
+ inside a bracketed expression, where only \\ and ] require escaping.
+
+ - New functions in the nss shared library:
+
+ - PK11_IsInternalKeySlot (see pk11pub.h)
+ - SECMOD_OpenNewSlot (see pk11pub.h)
+
+ - New error codes (see secerr.h):
+
+ - SEC_ERROR_BAD_INFO_ACCESS_METHOD
+ - SEC_ERROR_CRL_IMPORT_FAILED
+
+ - New OIDs (see secoidt.h)
+
+ - SEC_OID_X509_ANY_POLICY
+
+ - The nssckbi PKCS #11 module's version changed to 1.75.
+ - Obsolete code for Win16 has been removed.
+ - Support for OpenVMS has been removed.
+
+ .. rubric:: Bugs Fixed
+ :name: Bugs_Fixed
+
+ The following bugs have been fixed in NSS 3.12.4.
+
+ - `Bug 321755 <https://bugzilla.mozilla.org/show_bug.cgi?id=321755>`__: implement
+ crlDistributionPoint extension in libPKIX
+ - `Bug 391434 <https://bugzilla.mozilla.org/show_bug.cgi?id=391434>`__: avoid multiple
+ encoding/decoding of PKIX_PL_OID to and from ascii string
+ - `Bug 405297 <https://bugzilla.mozilla.org/show_bug.cgi?id=405297>`__: Problems building
+ nss/lib/ckfw/capi/ with MingW GCC
+ - `Bug 420991 <https://bugzilla.mozilla.org/show_bug.cgi?id=420991>`__: libPKIX returns wrong
+ NSS error code
+ - `Bug 427135 <https://bugzilla.mozilla.org/show_bug.cgi?id=427135>`__: Add super-H (sh3,4)
+ architecture support
+ - `Bug 431958 <https://bugzilla.mozilla.org/show_bug.cgi?id=431958>`__: Improve DES and SHA512
+ for x86_64 platform
+ - `Bug 433791 <https://bugzilla.mozilla.org/show_bug.cgi?id=433791>`__: Win16 support should be
+ deleted from NSS
+ - `Bug 449332 <https://bugzilla.mozilla.org/show_bug.cgi?id=449332>`__: SECU_ParseCommandLine
+ does not validate its inputs
+ - `Bug 453735 <https://bugzilla.mozilla.org/show_bug.cgi?id=453735>`__: When using cert9
+ (SQLite3) DB, set or change master password fails
+ - `Bug 463544 <https://bugzilla.mozilla.org/show_bug.cgi?id=463544>`__: warning: passing enum\*
+ for an int\* argument in pkix_validate.c
+ - `Bug 469588 <https://bugzilla.mozilla.org/show_bug.cgi?id=469588>`__: Coverity errors reported
+ for softoken
+ - `Bug 470055 <https://bugzilla.mozilla.org/show_bug.cgi?id=470055>`__:
+ pkix_HttpCertStore_FindSocketConnection reuses closed socket
+ - `Bug 470070 <https://bugzilla.mozilla.org/show_bug.cgi?id=470070>`__: Multiple object leaks
+ reported by tinderbox
+ - `Bug 470479 <https://bugzilla.mozilla.org/show_bug.cgi?id=470479>`__: IO timeout during cert
+ fetching makes libpkix abort validation.
+ - `Bug 470500 <https://bugzilla.mozilla.org/show_bug.cgi?id=470500>`__: Firefox 3.1b2 Crash
+ Report [[@ nssutil3.dll@0x34c0 ]
+ - `Bug 482742 <https://bugzilla.mozilla.org/show_bug.cgi?id=482742>`__: Enable building util
+ independently of the rest of nss
+ - `Bug 483653 <https://bugzilla.mozilla.org/show_bug.cgi?id=483653>`__: unable to build
+ certutil.exe for fennec/wince
+ - `Bug 485145 <https://bugzilla.mozilla.org/show_bug.cgi?id=485145>`__: Miscellaneous crashes in
+ signtool on Windows
+ - `Bug 485155 <https://bugzilla.mozilla.org/show_bug.cgi?id=485155>`__: NSS_ENABLE_PKIX_VERIFY=1
+ causes sec_error_unknown_issuer errors
+ - `Bug 485527 <https://bugzilla.mozilla.org/show_bug.cgi?id=485527>`__: Rename the \_X86\_ macro
+ in lib/freebl
+ - `Bug 485658 <https://bugzilla.mozilla.org/show_bug.cgi?id=485658>`__: vfychain -p reports
+ revoked cert
+ - `Bug 485745 <https://bugzilla.mozilla.org/show_bug.cgi?id=485745>`__: modify fipstest.c to
+ support CAVS 7.1 DRBG testing
+ - `Bug 486304 <https://bugzilla.mozilla.org/show_bug.cgi?id=486304>`__: cert7.db/cert8.db
+ corruption when importing a large certificate (>64K)
+ - `Bug 486405 <https://bugzilla.mozilla.org/show_bug.cgi?id=486405>`__: Allocator mismatches in
+ pk12util.c
+ - `Bug 486537 <https://bugzilla.mozilla.org/show_bug.cgi?id=486537>`__: Disable execstack in
+ freebl x86_64 builds on Linux
+ - `Bug 486698 <https://bugzilla.mozilla.org/show_bug.cgi?id=486698>`__: Facilitate the building
+ of major components independently and in a chain manner by downstream distributions
+ - `Bug 486999 <https://bugzilla.mozilla.org/show_bug.cgi?id=486999>`__: Calling
+ SSL_SetSockPeerID a second time leaks the previous value
+ - `Bug 487007 <https://bugzilla.mozilla.org/show_bug.cgi?id=487007>`__: Make lib/jar conform to
+ NSS coding style
+ - `Bug 487162 <https://bugzilla.mozilla.org/show_bug.cgi?id=487162>`__: ckfw/capi build failure
+ on windows
+ - `Bug 487239 <https://bugzilla.mozilla.org/show_bug.cgi?id=487239>`__: nssutil.rc doesn't
+ compile on WinCE
+ - `Bug 487254 <https://bugzilla.mozilla.org/show_bug.cgi?id=487254>`__: sftkmod.c uses POSIX
+ file IO Functions on WinCE
+ - `Bug 487255 <https://bugzilla.mozilla.org/show_bug.cgi?id=487255>`__: sdb.c uses POSIX file IO
+ Functions on WinCE
+ - `Bug 487487 <https://bugzilla.mozilla.org/show_bug.cgi?id=487487>`__: CERT_NameToAscii reports
+ !Invalid AVA! whenever value exceeds 384 bytes
+ - `Bug 487736 <https://bugzilla.mozilla.org/show_bug.cgi?id=487736>`__: libpkix passes wrong
+ argument to DER_DecodeTimeChoice and crashes
+ - `Bug 487858 <https://bugzilla.mozilla.org/show_bug.cgi?id=487858>`__: Remove obsolete build
+ options MOZILLA_SECURITY_BUILD and MOZILLA_BSAFE_BUILD
+ - `Bug 487884 <https://bugzilla.mozilla.org/show_bug.cgi?id=487884>`__: object leak in libpkix
+ library upon error
+ - `Bug 488067 <https://bugzilla.mozilla.org/show_bug.cgi?id=488067>`__: PK11_ImportCRL reports
+ SEC_ERROR_CRL_NOT_FOUND when it fails to import a CRL
+ - `Bug 488350 <https://bugzilla.mozilla.org/show_bug.cgi?id=488350>`__: NSPR-free freebl
+ interface need to do post tests only in fips mode.
+ - `Bug 488396 <https://bugzilla.mozilla.org/show_bug.cgi?id=488396>`__: DBM needs to be FIPS
+ certifiable.
+ - `Bug 488550 <https://bugzilla.mozilla.org/show_bug.cgi?id=488550>`__: crash in certutil or pp
+ when printing cert with empty subject name
+ - `Bug 488992 <https://bugzilla.mozilla.org/show_bug.cgi?id=488992>`__: Fix
+ lib/freebl/win_rand.c warnings
+ - `Bug 489010 <https://bugzilla.mozilla.org/show_bug.cgi?id=489010>`__: stop exporting mktemp
+ and dbopen (again)
+ - `Bug 489287 <https://bugzilla.mozilla.org/show_bug.cgi?id=489287>`__: Resolve a few remaining
+ issues with NSS's new revocation flags
+ - `Bug 489710 <https://bugzilla.mozilla.org/show_bug.cgi?id=489710>`__: byteswap optimize for
+ MSVC++
+ - `Bug 490154 <https://bugzilla.mozilla.org/show_bug.cgi?id=490154>`__: Cryptokey framework
+ requires module to implement GenerateKey when they support KeyPairGeneration
+ - `Bug 491044 <https://bugzilla.mozilla.org/show_bug.cgi?id=491044>`__: Remove support for VMS
+ (a.k.a., OpenVMS) from NSS
+ - `Bug 491174 <https://bugzilla.mozilla.org/show_bug.cgi?id=491174>`__: CERT_PKIXVerifyCert
+ reports wrong error code when EE cert is expired
+ - `Bug 491919 <https://bugzilla.mozilla.org/show_bug.cgi?id=491919>`__: cert.h doesn't have
+ valid functions prototypes
+ - `Bug 492131 <https://bugzilla.mozilla.org/show_bug.cgi?id=492131>`__: A failure to import a
+ cert from a P12 file leaves error code set to zero
+ - `Bug 492385 <https://bugzilla.mozilla.org/show_bug.cgi?id=492385>`__: crash freeing named CRL
+ entry on shutdown
+ - `Bug 493135 <https://bugzilla.mozilla.org/show_bug.cgi?id=493135>`__: bltest crashes if it
+ can't open the input file
+ - `Bug 493364 <https://bugzilla.mozilla.org/show_bug.cgi?id=493364>`__: can't build with
+ --disable-dbm option when not cross-compiling
+ - `Bug 493693 <https://bugzilla.mozilla.org/show_bug.cgi?id=493693>`__: SSE2 instructions for
+ bignum are not implemented on OS/2
+ - `Bug 493912 <https://bugzilla.mozilla.org/show_bug.cgi?id=493912>`__: sqlite3_reset should be
+ invoked in sdb_FindObjectsInit when error occurs
+ - `Bug 494073 <https://bugzilla.mozilla.org/show_bug.cgi?id=494073>`__: update RSA/DSA
+ powerupself tests to be compliant for 2011
+ - `Bug 494087 <https://bugzilla.mozilla.org/show_bug.cgi?id=494087>`__: Passing NULL as the
+ value of cert_pi_trustAnchors causes a crash in cert_pkixSetParam
+ - `Bug 494107 <https://bugzilla.mozilla.org/show_bug.cgi?id=494107>`__: During NSS_NoDB_Init(),
+ softoken tries but fails to load libsqlite3.so crash [@ @0x0 ]
+ - `Bug 495097 <https://bugzilla.mozilla.org/show_bug.cgi?id=495097>`__: sdb_mapSQLError returns
+ signed int
+ - `Bug 495103 <https://bugzilla.mozilla.org/show_bug.cgi?id=495103>`__:
+ NSS_InitReadWrite(sql:<dbdir>) causes NSS to look for sql:<dbdir>/libnssckbi.so
+ - `Bug 495365 <https://bugzilla.mozilla.org/show_bug.cgi?id=495365>`__: Add const to the
+ 'nickname' parameter of SEC_CertNicknameConflict
+ - `Bug 495656 <https://bugzilla.mozilla.org/show_bug.cgi?id=495656>`__:
+ NSS_InitReadWrite(sql:<configdir>) leaves behind a pkcs11.txu file if libnssckbi.so is in
+ <configdir>.
+ - `Bug 495717 <https://bugzilla.mozilla.org/show_bug.cgi?id=495717>`__: Unable to compile
+ nss/cmd/certutil/keystuff.c on WinCE
+ - `Bug 496961 <https://bugzilla.mozilla.org/show_bug.cgi?id=496961>`__: provide truncated HMAC
+ support for testing tool fipstest
+ - `Bug 497002 <https://bugzilla.mozilla.org/show_bug.cgi?id=497002>`__: Lab required nspr-free
+ freebl changes.
+ - `Bug 497217 <https://bugzilla.mozilla.org/show_bug.cgi?id=497217>`__: The first random value
+ ever generated by the RNG should be discarded
+ - `Bug 498163 <https://bugzilla.mozilla.org/show_bug.cgi?id=498163>`__: assert if profile path
+ contains cyrillic chars. [[@isspace - secmod_argIsBlank - secmod_argHasBlanks -
+ secmod_formatPair - secmod_mkNewModuleSpec]
+ - `Bug 498509 <https://bugzilla.mozilla.org/show_bug.cgi?id=498509>`__: Produce debuggable
+ optimized builds for Mozilla on MacOSX
+ - `Bug 498511 <https://bugzilla.mozilla.org/show_bug.cgi?id=498511>`__: Produce debuggable
+ optimized NSS builds for Mozilla on Linux
+ - `Bug 499385 <https://bugzilla.mozilla.org/show_bug.cgi?id=499385>`__: DRBG Reseed function
+ needs to be tested on POST
+ - `Bug 499825 <https://bugzilla.mozilla.org/show_bug.cgi?id=499825>`__: utilrename.h is missing
+ from Solaris packages
+ - `Bug 502961 <https://bugzilla.mozilla.org/show_bug.cgi?id=502961>`__: Allocator mismatch in
+ pk11mode
+ - `Bug 502965 <https://bugzilla.mozilla.org/show_bug.cgi?id=502965>`__: Allocator mismatch in
+ sdrtest
+ - `Bug 502972 <https://bugzilla.mozilla.org/show_bug.cgi?id=502972>`__: Another allocator
+ mismatch in sdrtest
+ - `Bug 504398 <https://bugzilla.mozilla.org/show_bug.cgi?id=504398>`__:
+ pkix_pl_AIAMgr_GetHTTPCerts could crash if SEC_GetRegisteredHttpClient fails
+ - `Bug 504405 <https://bugzilla.mozilla.org/show_bug.cgi?id=504405>`__: pkix_pl_CrlDp_Create
+ will fail on alloc success because of a missing !
+ - `Bug 504408 <https://bugzilla.mozilla.org/show_bug.cgi?id=504408>`__: pkix_pl_CrlDp_Create
+ will always fail if dp->distPointType != generalName
+ - `Bug 504456 <https://bugzilla.mozilla.org/show_bug.cgi?id=504456>`__: Exploitable heap
+ overflow in NSS shell expression (filename globbing) parsing
+ - `Bug 505559 <https://bugzilla.mozilla.org/show_bug.cgi?id=505559>`__: Need function to
+ identify the one and only default internal private key slot.
+ - `Bug 505561 <https://bugzilla.mozilla.org/show_bug.cgi?id=505561>`__: Need a generic function
+ a la SECMOD_OpenUserDB() that can be used on non-softoken modules.
+ - `Bug 505858 <https://bugzilla.mozilla.org/show_bug.cgi?id=505858>`__: NSS_RegisterShutdown can
+ return without unlocking nssShutdownList.lock
+ - `Bug 507041 <https://bugzilla.mozilla.org/show_bug.cgi?id=507041>`__: Invalid build options
+ for VC6
+ - `Bug 507228 <https://bugzilla.mozilla.org/show_bug.cgi?id=507228>`__: coreconf.dep doesn't
+ need to contain the NSS version number
+ - `Bug 507422 <https://bugzilla.mozilla.org/show_bug.cgi?id=507422>`__: crash [[@ PORT_FreeArena
+ - lg_mkSecretKeyRep] when PORT_NewArena fails
+ - `Bug 507482 <https://bugzilla.mozilla.org/show_bug.cgi?id=507482>`__: NSS 3.12.3 (and later)
+ doesn't build on AIX 5.1
+ - `Bug 507937 <https://bugzilla.mozilla.org/show_bug.cgi?id=507937>`__: pwdecrypt program
+ problems
+ - `Bug 508259 <https://bugzilla.mozilla.org/show_bug.cgi?id=508259>`__: Pk11mode crashed on
+ Linux2.4
+ - `Bug 508467 <https://bugzilla.mozilla.org/show_bug.cgi?id=508467>`__: libpkix ocsp checker
+ should use date argument to obtain the time for cert validity verification
+ - `Bug 510367 <https://bugzilla.mozilla.org/show_bug.cgi?id=510367>`__: Fix the UTF8 characters
+ in the nickname string for AC Raíz Certicamara S.A.
+
+ .. rubric:: Documentation
+ :name: Documentation
+
+ For a list of the primary NSS documentation pages on developer.mozilla.org, see NSS. New and
+ revised documents available since the release of NSS 3.12 include the following:
+
+ - :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`
+
+ .. rubric:: Compatibility
+ :name: Compatibility
+
+ NSS 3.12.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.12.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in `NSS Public Functions </ref/nssfunctions.html>`__ will remain
+ compatible with future versions of the NSS shared libraries.
+
+ .. rubric:: Feedback
+ :name: Feedback
+
+ Bugs discovered should be reported by filing a bug report with `mozilla.org
+ Bugzilla <https://bugzilla.mozilla.org/>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst
new file mode 100644
index 0000000000..b36b631e5d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst
@@ -0,0 +1,285 @@
+.. _mozilla_projects_nss_nss_3_12_5_release_notes:
+
+NSS 3.12.5 release_notes
+========================
+
+.. _nss_3.12.5_release_notes:
+
+`NSS 3.12.5 release notes <#nss_3.12.5_release_notes>`__
+--------------------------------------------------------
+
+.. container::
+
+ .. container::
+
+ 2009-12-02
+ *Newsgroup:*\ `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__
+
+ --------------
+
+ .. container::
+ :name: section_1
+
+ .. rubric:: Introduction
+ :name: Introduction
+
+ Network Security Services (NSS) 3.12.5 is a patch release for NSS 3.12. The bug fixes in
+ NSS 3.12.5 are described in the "`Bugs
+ Fixed <https://dev.mozilla.jp/localmdc/localmdc_5125.html#bugsfixed>`__" section below.
+
+ NSS 3.12.5 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
+
+ .. container::
+ :name: section_2
+
+ .. rubric:: Distribution Information
+ :name: Distribution_Information
+
+ The CVS tag for the NSS 3.12.5 release is ``NSS_3_12_5_RTM``.
+
+ NSS 3.12.5 requires `NSPR 4.8 <https://www.mozilla.org/projects/nspr/release-notes/>`__.
+
+ You can check out the source from CVS by
+
+ .. note::
+
+ cvs co -r NSPR_4_8_RTM NSPR
+ cvs co -r NSS_3_12_5_RTM NSS
+
+ See the `Documentation <https://dev.mozilla.jp/localmdc/localmdc_5125.html#docs>`__ section
+ for the build instructions.
+
+ NSS 3.12.5 source is also available on ``ftp.mozilla.org`` for secure HTTPS download:
+
+ - Source tarball:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_5_RTM/src/.
+
+ .. container::
+ :name: section_3
+
+ .. rubric:: New in NSS 3.12.5
+ :name: New_in_NSS_3.12.5
+
+ .. container::
+ :name: section_4
+
+ .. rubric:: SSL3 & TLS Renegotiation Vulnerability
+ :name: SSL3_TLS_Renegotiation_Vulnerability
+
+ See `CVE-2009-3555 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555>`__ and
+ `US-CERT VU#120541 <http://www.kb.cert.org/vuls/id/120541>`__ for more information about
+ this security vulnerability.
+
+ All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs
+ that attempt to perform renegotiation to experience failures where they formerly
+ experienced successes, and is necessary for them to not be vulnerable, until such time
+ as a new safe renegotiation scheme is standardized by the IETF.
+
+ If an application depends on renegotiation feature, it can be enabled by setting the
+ environment variable NSS_SSL_ENABLE_RENEGOTIATION to 1. By setting this environmental
+ variable, the fix provided by these patches will have no effect and the application may
+ become vulnerable to the issue.
+
+ This default setting can also be changed within the application by using the following
+ existing API functions:
+
+ -
+
+ - SECStatus SSL_OptionSet(PRFileDesc \*fd, PRInt32 option, PRBool on)
+ - SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on)
+
+ - There is now a new value for "option", which is:
+
+ - SSL_ENABLE_RENEGOTIATION
+
+ The corresponding new values for SSL_ENABLE_RENEGOTIATION are:
+
+ - SSL_RENEGOTIATE_NEVER: Never renegotiate at all (default).
+ - SSL_RENEGOTIATE_UNRESTRICTED: Renegotiate without restriction, whether or not the
+ peer's client hello bears the renegotiation info extension (as we always did in
+ the past). **UNSAFE**.
+
+ .. container::
+ :name: section_5
+
+ .. rubric:: TLS compression
+ :name: TLS_compression
+
+ - Enable TLS compression with:
+
+ - SSL_ENABLE_DEFLATE: Enable TLS compression with DEFLATE. Off by default. (See
+ ssl.h)
+
+ Error codes:
+
+ - SSL_ERROR_DECOMPRESSION_FAILURE (see sslerr.h)
+ - SSL_ERROR_RENEGOTIATION_NOT_ALLOWED (see sslerr.h)
+
+ .. container::
+ :name: section_6
+
+ .. rubric:: New context initialization and shutdown functions
+ :name: New_context_initialization_and_shutdown_functions
+
+ - See nss.h for details. The 2 new functions are:
+
+ - NSS_InitContext
+ - NSS_ShutdownContext
+
+ Parameters for these functions are used to initialize softoken. These are mostly
+ strings used to internationalize softoken. Memory for the strings are owned by the
+ caller, who is free to free them once NSS_ContextInit returns. If the string
+ parameter is NULL (as opposed to empty, zero length), then the softoken default is
+ used. These are equivalent to the parameters for PK11_ConfigurePKCS11().
+
+ See the following struct in nss.h for details:
+
+ - NSSInitParametersStr
+
+ .. container::
+ :name: section_7
+
+ .. rubric:: Other new functions
+ :name: Other_new_functions
+
+ - *In secmod.h:*
+
+ - SECMOD_GetSkipFirstFlag
+ - SECMOD_GetDefaultModDBFlag
+
+ *In prlink.h*
+
+ - NSS_SecureMemcmp
+ - PORT_LoadLibraryFromOrigin
+
+ .. container::
+ :name: section_8
+
+ .. rubric:: Modified functions
+ :name: Modified_functions
+
+ - SGN_Update (see cryptohi.h)
+
+ - The parameter "input" of this function is changed from *unsigned char \** to
+ *const unsigned char \**.
+
+ - PK11_ConfigurePKCS11 (see nss.h)
+
+ - The name of some parameters have been slightly changed ("des" became "desc").
+
+ .. container::
+ :name: section_9
+
+ .. rubric:: Deprecated headers
+ :name: Deprecated_headers
+
+ - The header file key.h is deprecated. Please use keyhi.h instead.
+
+ .. container::
+ :name: section_10
+
+ .. rubric:: Additional documentation
+ :name: Additional_documentation
+
+ - *In pk11pub.h:*
+
+ - The caller of PK11_DEREncodePublicKey should free the returned SECItem with a
+ SECITEM_FreeItem(..., PR_TRUE) call.
+ - PK11_ReadRawAttribute allocates the buffer for returning the attribute value. The
+ caller of PK11_ReadRawAttribute should free the data buffer pointed to by item
+ using a SECITEM_FreeItem(item, PR_FALSE) or PORT_Free(item->data) call.
+
+ *In secasn1.h:*
+
+ - If both pool and dest are NULL, the caller should free the returned SECItem with a
+ SECITEM_FreeItem(..., PR_TRUE) call. If pool is NULL but dest is not NULL, the
+ caller should free the data buffer pointed to by dest with a
+ SECITEM_FreeItem(dest, PR_FALSE) or PORT_Free(dest->data) call.
+
+ .. container::
+ :name: section_11
+
+ .. rubric:: Environment variables
+ :name: Environment_variables
+
+ - NSS_FIPS
+
+ - Will start NSS in FIPS mode.
+
+ - NSS_SSL_ENABLE_RENEGOTIATION
+ - NSS_SSL_REQUIRE_SAFE_NEGOTIATION
+
+ - See SSL3 & TLS Renegotiation Vulnerability.
+
+ .. container::
+ :name: section_12
+
+ .. rubric:: Bugs Fixed
+ :name: Bugs_Fixed
+
+ The following bugs have been fixed in NSS 3.12.5.
+
+ - `Bug 510435 <https://bugzilla.mozilla.org/show_bug.cgi?id=510435>`__: Remove unused make
+ variable DSO_LDFLAGS
+ - `Bug 510436 <https://bugzilla.mozilla.org/show_bug.cgi?id=510436>`__: Add macros for
+ build numbers (4th component of version number) to nssutil.h
+ - `Bug 511227 <https://bugzilla.mozilla.org/show_bug.cgi?id=511227>`__: Firefox 3.0.13
+ fails to compile on FreeBSD/powerpc
+ - `Bug 511312 <https://bugzilla.mozilla.org/show_bug.cgi?id=511312>`__: NSS fails to load
+ softoken, looking for sqlite3.dll
+ - `Bug 511781 <https://bugzilla.mozilla.org/show_bug.cgi?id=511781>`__: Add new TLS 1.2
+ cipher suites implemented in Windows 7 to ssltap
+ - `Bug 516101 <https://bugzilla.mozilla.org/show_bug.cgi?id=516101>`__: If PK11_ImportCert
+ fails, it leaves the certificate undiscoverable by CERT_PKIXVerifyCert
+ - `Bug 518443 <https://bugzilla.mozilla.org/show_bug.cgi?id=518443>`__:
+ PK11_ImportAndReturnPrivateKey leaks an arena
+ - `Bug 518446 <https://bugzilla.mozilla.org/show_bug.cgi?id=518446>`__:
+ PK11_DEREncodePublicKey leaks a CERTSubjectPublicKeyInfo
+ - `Bug 518457 <https://bugzilla.mozilla.org/show_bug.cgi?id=518457>`__:
+ SECKEY_EncodeDERSubjectPublicKeyInfo and PK11_DEREncodePublicKey are duplicate
+ - `Bug 522510 <https://bugzilla.mozilla.org/show_bug.cgi?id=522510>`__: Add deprecated
+ comments to key.h and pk11func.h
+ - `Bug 522580 <https://bugzilla.mozilla.org/show_bug.cgi?id=522580>`__: NSS uses
+ PORT_Memcmp for comparing secret data.
+ - `Bug 525056 <https://bugzilla.mozilla.org/show_bug.cgi?id=525056>`__: Timing attack
+ against ssl3ext.c:ssl3_ServerHandleSessionTicketXtn()
+ - `Bug 526689 <https://bugzilla.mozilla.org/show_bug.cgi?id=526689>`__: SSL3 & TLS
+ Renegotiation Vulnerability
+
+ .. container::
+ :name: section_13
+
+ .. rubric:: Documentation
+ :name: Documentation
+
+ For a list of the primary NSS documentation pages on mozilla.org, see `NSS
+ Documentation <https://www.mozilla.org/projects/security/pki/nss/#documentation>`__. New
+ and revised documents available since the release of NSS 3.11 include the following:
+
+ - `Build Instructions <https://dev.mozilla.jp/localmdc/localmdc_5142.html>`__
+ - `NSS Shared DB <http://wiki.mozilla.org/NSS_Shared_DB>`__
+
+ .. container::
+ :name: section_14
+
+ .. rubric:: Compatibility
+ :name: Compatibility
+
+ NSS 3.12.5 shared libraries are backward compatible with all older NSS 3.x shared
+ libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.5
+ shared libraries without recompiling or relinking. Furthermore, applications that restrict
+ their use of NSS APIs to the functions listed in `NSS Public
+ Functions <https://www.mozilla.org/projects/security/pki/nss/ref/nssfunctions.html>`__ will
+ remain compatible with future versions of the NSS shared libraries.
+
+ .. container::
+ :name: section_15
+
+ .. rubric:: Feedback
+ :name: Feedback
+
+ Bugs discovered should be reported by filing a bug report with `mozilla.org
+ Bugzilla <https://bugzilla.mozilla.org/>`__ (product NSS).
+
+ This document was generated by *genma teruaki* on *November 28, 2010* using `texi2html
+ 1.82 <http://www.nongnu.org/texi2html/>`__. \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst
new file mode 100644
index 0000000000..19087bb9eb
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst
@@ -0,0 +1,318 @@
+.. _mozilla_projects_nss_nss_3_12_6_release_notes:
+
+NSS 3.12.6 release notes
+========================
+
+.. _nss_3.12.6_release_notes:
+
+`NSS 3.12.6 release notes <#nss_3.12.6_release_notes>`__
+--------------------------------------------------------
+
+.. container::
+
+ .. container::
+
+ 2010-03-03
+ *Newsgroup:*\ `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__
+
+ .. container::
+ :name: section_1
+
+ .. rubric:: Introduction
+ :name: Introduction
+
+ Network Security Services (NSS) 3.12.6 is a patch release for NSS 3.12. The bug fixes in
+ NSS 3.12.6 are described in the "`Bugs
+ Fixed <http://mdn.beonex.com/en/NSS_3.12.6_release_notes.html#bugsfixed>`__" section below.
+
+ NSS 3.12.6 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
+
+ .. container::
+ :name: section_2
+
+ .. rubric:: Distribution Information
+ :name: Distribution_Information
+
+ | The CVS tag for the NSS 3.12.6 release is ``NSS_3_12_6_RTM``. NSS 3.12.6 requires `NSPR
+ 4.8.4 <https://www.mozilla.org/projects/nspr/release-notes/>`__.
+ | See the `Documentation <http://mdn.beonex.com/en/NSS_3.12.6_release_notes.html#docs>`__
+ section for the build instructions.
+
+ NSS 3.12.6 source and binary distributions are also available on ``ftp.mozilla.org`` for
+ secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_6_RTM/src/.
+
+ | You also need to download the NSPR 4.8.4 binary distributions to get the NSPR 4.8.4
+ header files and shared libraries, which NSS 3.12.6 requires. NSPR 4.8.4 binary
+ distributions are in https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.4/.
+ |
+
+ .. container::
+ :name: section_3
+
+ .. rubric:: New in NSS 3.12.6
+ :name: New_in_NSS_3.12.6
+
+ .. container::
+ :name: section_4
+
+ .. rubric:: SSL3 & TLS Renegotiation Indication Extension (RFC 5746)
+ :name: SSL3_TLS_Renegotiation_Indication_Extension_(RFC_5746)
+
+ - By default, NSS 3.12.6 uses the new TLS Renegotiation Indication Extension for TLS
+ renegotiation but allows simple SSL/TLS connections (without renegotiation) with
+ peers that don't support the TLS Renegotiation Indication Extension.
+
+ The behavior of NSS for renegotiation can be changed through API function calls, or
+ with the following environment variables:
+
+ - NSS_SSL_ENABLE_RENEGOTIATION
+
+ - values:
+
+ - [0|n|N]: SSL_RENEGOTIATE_NEVER
+
+ - Never allow renegotiation - That was the default for 3.12.5 release.
+
+ - [1|u|U]: SSL_RENEGOTIATE_UNRESTRICTED
+
+ - Server and client are allowed to renegotiate without any restrictions.
+ This setting was the default prior 3.12.5 and makes products vulnerable.
+
+ - [2|r|R]: SSL_RENEGOTIATE_REQUIRES_XTN (default)
+
+ - Only allows renegotiation if the peer's hello bears the TLS
+ renegotiation_info extension. This is the safe renegotiation.
+
+ - [3|t|T]: SSL_RENEGOTIATE_TRANSITIONAL
+
+ - Disallows unsafe renegotiation in server sockets only, but allows clients
+ to continue to renegotiate with vulnerable servers. This value should
+ only be used during the transition period when few servers have been
+ upgraded.
+
+ - NSS_SSL_REQUIRE_SAFE_NEGOTIATION
+
+ - values:
+
+ - 1: requireSafeNegotiation = TRUE
+ - unset: requireSafeNegotiation = FALSE
+
+ Controls whether safe renegotiation indication is required for initial
+ handshake. If TRUE, a connection will be dropped at initial handshake if the
+ peer server or client does not support safe renegotiation. The default setting
+ for this option is FALSE.
+
+ These options can also be set with the following SSL options:
+
+ - sslOptions.enableRenegotiation
+ - sslOptions.requireSafeNegotiation
+ - New pseudo cipher suite value: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (cannot be
+ negotiated)
+
+ .. container::
+ :name: section_5
+
+ .. rubric:: TLS Server Name Indication for servers
+ :name: TLS_Server_Name_Indication_for_servers
+
+ - | TLS Server Name Indication (SNI) for servers is almost fully implemented in NSS
+ 3.12.6.
+ | See `bug 360421 <https://bugzilla.mozilla.org/show_bug.cgi?id=360421>`__ for
+ details.
+
+ Note: The TLS Server Name Indication for clients is already fully implemented in NSS.
+
+ - New functions for SNI *(see ssl.h for more information)*:
+
+ - SSLSNISocketConfig
+
+ - Return values:
+
+ - SSL_SNI_CURRENT_CONFIG_IS_USED: libSSL must use the default cert and key.
+ - SSL_SNI_SEND_ALERT: libSSL must send the "unrecognized_name" alert.
+
+ - SSL_SNISocketConfigHook
+ - SSL_ReconfigFD
+ - SSL_ConfigServerSessionIDCacheWithOpt
+ - SSL_SetTrustAnchors
+ - SSL_GetNegotiatedHostInfo
+
+ - New enum for SNI:
+
+ - SSLSniNameType *(see sslt.h)*
+
+ .. container::
+ :name: section_6
+
+ .. rubric:: New functions
+ :name: New_functions
+
+ - *in cert.h*
+
+ - CERTDistNames: Duplicate distinguished name array.
+ - CERT_DistNamesFromCertList: Generate an array of Distinguished names from a list
+ of certs.
+
+ *in ocsp.h*
+
+ - CERT_CacheOCSPResponseFromSideChannel:
+
+ - This function is intended for use when OCSP responses are provided via a
+ side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension).
+
+ *in ssl.h*
+
+ - SSL_GetImplementedCiphers
+ - SSL_GetNumImplementedCiphers
+ - SSL_HandshakeNegotiatedExtension
+
+ .. container::
+ :name: section_7
+
+ .. rubric:: New error codes
+ :name: New_error_codes
+
+ - *in sslerr.h*
+
+ - SSL_ERROR_UNSAFE_NEGOTIATION
+ - SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD
+
+ .. container::
+ :name: section_8
+
+ .. rubric:: New types
+ :name: New_types
+
+ - *in sslt.h*
+
+ - SSLExtensionType
+
+ .. container::
+ :name: section_9
+
+ .. rubric:: New environment variables
+ :name: New_environment_variables
+
+ - SQLITE_FORCE_PROXY_LOCKING
+
+ - 1 means force always use proxy, 0 means never use proxy, NULL means use proxy for
+ non-local files only.
+
+ - SSLKEYLOGFILE
+
+ - Key log file. If set, NSS logs RSA pre-master secrets to this file. This allows
+ packet sniffers to decrypt TLS connections.
+ See `documentation <http://mdn.beonex.com/en/NSS_Key_Log_Format.html>`__.
+ Note: The code must be built with TRACE defined to use this functionality.
+
+ .. container::
+ :name: section_10
+
+ .. rubric:: Bugs Fixed
+ :name: Bugs_Fixed
+
+ The following bugs have been fixed in NSS 3.12.6.
+
+ - `Bug 275744 <https://bugzilla.mozilla.org/show_bug.cgi?id=275744>`__: Support for TLS
+ compression RFC 3749
+ - `Bug 494603 <https://bugzilla.mozilla.org/show_bug.cgi?id=494603>`__: Update NSS's copy
+ of sqlite3 to 3.6.22 to get numerous bug fixes
+ - `Bug 496993 <https://bugzilla.mozilla.org/show_bug.cgi?id=496993>`__: Add accessor
+ functions for SSL_ImplementedCiphers
+ - `Bug 515279 <https://bugzilla.mozilla.org/show_bug.cgi?id=515279>`__:
+ CERT_PKIXVerifyCert considers a certificate revoked if cert_ProcessOCSPResponse fails
+ for any reason
+ - `Bug 515870 <https://bugzilla.mozilla.org/show_bug.cgi?id=515870>`__: GCC compiler
+ warnings in NSS 3.12.4
+ - `Bug 518255 <https://bugzilla.mozilla.org/show_bug.cgi?id=518255>`__: The input buffer
+ for SGN_Update should be declared const
+ - `Bug 519550 <https://bugzilla.mozilla.org/show_bug.cgi?id=519550>`__: Allow the
+ specification of an alternate library for SQLite
+ - `Bug 524167 <https://bugzilla.mozilla.org/show_bug.cgi?id=524167>`__: Crash in [[@
+ find_objects_by_template - nssToken_FindCertificateByIssuerAndSerialNumber]
+ - `Bug 526910 <https://bugzilla.mozilla.org/show_bug.cgi?id=526910>`__: maxResponseLength
+ (initialized to PKIX_DEFAULT_MAX_RESPONSE_LENGTH) is too small for downloading some
+ CRLs.
+ - `Bug 527759 <https://bugzilla.mozilla.org/show_bug.cgi?id=527759>`__: Add multiple roots
+ to NSS (single patch)
+ - `Bug 528741 <https://bugzilla.mozilla.org/show_bug.cgi?id=528741>`__: pkix_hash throws a
+ null-argument exception on empty strings
+ - `Bug 530907 <https://bugzilla.mozilla.org/show_bug.cgi?id=530907>`__: The peerID
+ argument to SSL_SetSockPeerID should be declared const
+ - `Bug 531188 <https://bugzilla.mozilla.org/show_bug.cgi?id=531188>`__: Decompression
+ failure with https://livechat.merlin.pl/
+ - `Bug 532417 <https://bugzilla.mozilla.org/show_bug.cgi?id=532417>`__: Build problem with
+ spaces in path names
+ - `Bug 534943 <https://bugzilla.mozilla.org/show_bug.cgi?id=534943>`__: Clean up the
+ makefiles in lib/ckfw/builtins
+ - `Bug 534945 <https://bugzilla.mozilla.org/show_bug.cgi?id=534945>`__: lib/dev does not
+ need to include headers from lib/ckfw
+ - `Bug 535669 <https://bugzilla.mozilla.org/show_bug.cgi?id=535669>`__: Move common
+ makefile code in if and else to the outside
+ - `Bug 536023 <https://bugzilla.mozilla.org/show_bug.cgi?id=536023>`__: DER_UTCTimeToTime
+ and DER_GeneralizedTimeToTime ignore all bytes after an embedded null
+ - `Bug 536474 <https://bugzilla.mozilla.org/show_bug.cgi?id=536474>`__: Add support for
+ logging pre-master secrets
+ - `Bug 537356 <https://bugzilla.mozilla.org/show_bug.cgi?id=537356>`__: Implement new safe
+ SSL3 & TLS renegotiation
+ - `Bug 537795 <https://bugzilla.mozilla.org/show_bug.cgi?id=537795>`__: NSS_InitContext
+ does not work with NSS_RegisterShutdown
+ - `Bug 537829 <https://bugzilla.mozilla.org/show_bug.cgi?id=537829>`__: Allow NSS to build
+ for Android
+ - `Bug 540304 <https://bugzilla.mozilla.org/show_bug.cgi?id=540304>`__: Implement
+ SSL_HandshakeNegotiatedExtension
+ - `Bug 541228 <https://bugzilla.mozilla.org/show_bug.cgi?id=541228>`__: Remove an obsolete
+ NSPR version check in lib/util/secport.c
+ - `Bug 541231 <https://bugzilla.mozilla.org/show_bug.cgi?id=541231>`__: nssinit.c doesn't
+ need to include ssl.h and sslproto.h.
+ - `Bug 542538 <https://bugzilla.mozilla.org/show_bug.cgi?id=542538>`__: NSS: Add function
+ for recording OCSP stapled replies
+ - `Bug 544191 <https://bugzilla.mozilla.org/show_bug.cgi?id=544191>`__: Use system zlib on
+ Mac OS X
+ - `Bug 544584 <https://bugzilla.mozilla.org/show_bug.cgi?id=544584>`__: segmentation fault
+ when enumerating the nss database
+ - `Bug 544586 <https://bugzilla.mozilla.org/show_bug.cgi?id=544586>`__: Various
+ nss-sys-init patches from Fedora
+ - `Bug 545273 <https://bugzilla.mozilla.org/show_bug.cgi?id=545273>`__: Remove unused
+ function SEC_Init
+ - `Bug 546389 <https://bugzilla.mozilla.org/show_bug.cgi?id=546389>`__: nsssysinit binary
+ built inside source tree
+
+ .. container::
+ :name: section_11
+
+ .. rubric:: Documentation
+ :name: Documentation
+
+ For a list of the primary NSS documentation pages on mozilla.org, see `NSS
+ Documentation <https://www.mozilla.org/projects/security/pki/nss/#documentation>`__. New
+ and revised documents available since the release of NSS 3.11 include the following:
+
+ - `Build
+ Instructions <http://mdn.beonex.com/en/NSS_reference/Building_and_installing_NSS/Build_instructions.html>`__
+ - `NSS Shared DB <http://wiki.mozilla.org/NSS_Shared_DB>`__
+
+ .. container::
+ :name: section_12
+
+ .. rubric:: Compatibility
+ :name: Compatibility
+
+ NSS 3.12.6 shared libraries are backward compatible with all older NSS 3.x shared
+ libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.6
+ shared libraries without recompiling or relinking. Furthermore, applications that restrict
+ their use of NSS APIs to the functions listed in `NSS Public
+ Functions <https://www.mozilla.org/projects/security/pki/nss/ref/nssfunctions.html>`__ will
+ remain compatible with future versions of the NSS shared libraries.
+
+ .. container::
+ :name: section_13
+
+ .. rubric:: Feedback
+ :name: Feedback
+
+ Bugs discovered should be reported by filing a bug report with `mozilla.org
+ Bugzilla <https://bugzilla.mozilla.org/>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst
new file mode 100644
index 0000000000..2f534fd0ad
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst
@@ -0,0 +1,144 @@
+.. _:
+
+NSS 3.12.9 release notes
+========================
+
+.. _removed_functions:
+
+`Removed functions <#removed_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ 2010-09-23
+ *Newsgroup:*\ `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__
+
+ .. container::
+ :name: section_1
+
+ .. rubric:: Introduction
+ :name: Introduction_2
+
+ Network Security Services (NSS) 3.12.9 is a patch release for NSS 3.12. The bug fixes in NSS
+ 3.12.9 are described in the "\ `Bugs Fixed <#bugsfixed>`__" section below.
+
+ NSS 3.12.9 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
+
+ .. container::
+ :name: section_2
+
+ .. rubric:: Distribution Information
+ :name: Distribution_Information
+
+ | The CVS tag for the NSS 3.12.9 release is ``NSS_3.12.9_RTM``. NSS 3.12.9 requires `NSPR
+ 4.8.7 <https://www.mozilla.org/projects/nspr/release-notes/nspr486.html>`__.
+ | See the `Documentation <#docs>`__ section for the build instructions.
+
+ NSS 3.12.9 source distribution is also available on ``ftp.mozilla.org`` for secure HTTPS
+ download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3.12.9_RTM/src/.
+
+ You also need to download the NSPR 4.8.7 binary distributions to get the NSPR 4.8.7 header
+ files and shared libraries, which NSS 3.12.9 requires. NSPR 4.8.7 binary distributions are in
+ https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.7/.
+
+ .. container::
+ :name: section_3
+
+ .. rubric:: New in NSS 3.12.9
+ :name: New_in_NSS_3.12.9
+
+ .. container::
+ :name: section_5
+
+ .. container::
+ :name: section_6
+
+ .. rubric:: New SSL options
+ :name: New_SSL_options
+
+ .. container::
+ :name: section_7
+
+ .. rubric:: New error codes
+ :name: New_error_codes
+
+ .. container::
+ :name: section_8
+
+ .. rubric:: Bugs Fixed
+ :name: Bugs_Fixed
+
+ The following bugs have been fixed in NSS 3.12.9.
+
+ - `Bug 609068 <https://bugzilla.mozilla.org/show_bug.cgi?id=609068>`__: Implement J-PAKE in
+ FreeBL
+ - `Bug 607058 <https://bugzilla.mozilla.org/show_bug.cgi?id=607058>`__: crash [@
+ nss_cms_decoder_work_data]
+ - `Bug 613394 <https://bugzilla.mozilla.org/show_bug.cgi?id=613394>`__: November/December
+ 2010 batch of NSS root CA changes
+ - `Bug 610843 <https://bugzilla.mozilla.org/show_bug.cgi?id=610843>`__: Need way to recover
+ softoken in child after fork()
+ - `Bug 617492 <https://bugzilla.mozilla.org/show_bug.cgi?id=617492>`__: Add
+ PK11_KeyGenWithTemplate function to pk11wrap (for Firefox Sync)
+ - `Bug 610162 <https://bugzilla.mozilla.org/show_bug.cgi?id=610162>`__: SHA-512 and SHA-384
+ hashes are incorrect for inputs of 512MB or larger when running under Windows and other
+ 32-bit platforms (Fx 3.6.12 and 4.0b6)
+ - `Bug 518551 <https://bugzilla.mozilla.org/show_bug.cgi?id=518551>`__: Vfychain crashes in
+ PKITS tests.
+ - `Bug 536485 <https://bugzilla.mozilla.org/show_bug.cgi?id=536485>`__: crash during ssl
+ handshake in [@ intel_aes_decrypt_cbc_256]
+ - `Bug 444367 <https://bugzilla.mozilla.org/show_bug.cgi?id=444367>`__: NSS 3.12 softoken
+ returns the certificate type of a certificate object as CKC_X_509_ATTR_CERT.
+ - `Bug 620908 <https://bugzilla.mozilla.org/show_bug.cgi?id=620908>`__: certutil -T -d
+ "sql:." dumps core
+ - `Bug 584257 <https://bugzilla.mozilla.org/show_bug.cgi?id=584257>`__: Need a way to expand
+ partial private keys.
+ - `Bug 596798 <https://bugzilla.mozilla.org/show_bug.cgi?id=596798>`__: win_rand.c (among
+ others) uses unsafe \_snwprintf
+ - `Bug 597622 <https://bugzilla.mozilla.org/show_bug.cgi?id=597622>`__: Do not use the
+ SEC_ERROR_BAD_INFO_ACCESS_LOCATION error code for bad CRL distribution point URLs
+ - `Bug 619268 <https://bugzilla.mozilla.org/show_bug.cgi?id=619268>`__: Memory leaks in
+ CERT_ChangeCertTrust and CERT_SaveSMimeProfile
+ - `Bug 585518 <https://bugzilla.mozilla.org/show_bug.cgi?id=585518>`__: AddTrust Qualified CA
+ Root serial wrong in certdata.txt trust entry
+ - `Bug 337433 <https://bugzilla.mozilla.org/show_bug.cgi?id=337433>`__: Need
+ CERT_FindCertByNicknameOrEmailAddrByUsage
+ - `Bug 592939 <https://bugzilla.mozilla.org/show_bug.cgi?id=592939>`__: Expired CAs in
+ certdata.txt
+
+ .. container::
+ :name: section_9
+
+ .. rubric:: Documentation
+ :name: Documentation
+
+ NSS Documentation. New and revised documents available since the release of NSS 3.11 include
+ the following:
+
+ - `Build Instructions for NSS 3.11.4 and
+ above <https://www-archive.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build>`__
+ - `NSS Shared DB <http://wiki.mozilla.org/NSS_Shared_DB>`__
+
+ .. container::
+ :name: section_10
+
+ .. rubric:: Compatibility
+ :name: Compatibility
+
+ NSS 3.12.9 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.12.9 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS
+ APIs to the functions listed in `NSS Public Functions </en-US/ref/nssfunctions.html>`__ will
+ remain compatible with future versions of the NSS shared libraries.
+
+ .. container::
+ :name: section_11
+
+ .. rubric:: Feedback
+ :name: Feedback
+
+ Bugs discovered should be reported by filing a bug report with `mozilla.org
+ Bugzilla <https://bugzilla.mozilla.org/>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst
new file mode 100644
index 0000000000..658f9a8f3a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst
@@ -0,0 +1,127 @@
+.. _mozilla_projects_nss_nss_3_14_1_release_notes:
+
+NSS 3.14.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.14.1 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.1 are described in the "Bugs Fixed" section below.
+
+ NSS 3.14.1 is licensed under the MPL 2.0.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The CVS tag is NSS_3_14_1_RTM. NSS 3.14.1 requires NSPR 4.9.4 or newer.
+
+ NSS 3.14.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_1_RTM/src/
+
+.. _new_in_nss_3.14.1:
+
+`New in NSS 3.14.1 <#new_in_nss_3.14.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - NSS now has the ability to create signed OCSP responses.
+
+ - The ability to create signed OCSP responses has been added in NSS 3.14.1. Note that this
+ code is used primarily for purposes of testing.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in ocspt.h*
+
+ - CERT_CreateOCSPSingleResponseGood
+ - CERT_CreateOCSPSingleResponseUnknown
+ - CERT_CreateOCSPSingleResponseRevoked
+ - CERT_CreateEncodedOCSPSuccessResponse
+ - CERT_CreateEncodedOCSPErrorResponse
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in ocspt.h*
+
+ - CERTOCSPResponderIDType
+
+.. _notable_changes_in_nss_3.14.1:
+
+`Notable Changes in NSS 3.14.1 <#notable_changes_in_nss_3.14.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Windows CE support has been removed from the code base.
+ - `Bug 812399 <https://bugzilla.mozilla.org/show_bug.cgi?id=812399>`__ - In NSS 3.14, a
+ regression caused `Bug 641052 <https://bugzilla.mozilla.org/show_bug.cgi?id=641052>`__ /
+ CVE-2011-3640 to be re-introduced under certain situations. This regression only affected
+ applications that initialize NSS via the NSS_NoDB_Init function. NSS 3.14.1 includes the
+ complete fix for this issue.
+ - `Bug 357025 <https://bugzilla.mozilla.org/show_bug.cgi?id=357025>`__ - NSS 3.14 added support
+ for tokens that make use of CKA_ALWAYS_AUTHENTICATE. However, when authenticating with such
+ tokens, it was possible for an internal lock to be acquired twice, causing a hang. This hang
+ has been fixed in NSS 3.14.1.
+ - `Bug 802429 <https://bugzilla.mozilla.org/show_bug.cgi?id=802429>`__ - In previous versions of
+ NSS, the "cipherOrder" slot configuration flag was not respected, causing the most recently
+ added slot that supported the requested PKCS#11 mechanism to be used instead. NSS now
+ correctly respects the supplied cipherOrder.
+ Applications which use multiple PKCS#11 modules, which do not indicate which tokens should be
+ used by default for particular algorithms, and which do make use of cipherOrder may now find
+ that cryptographic operations occur on a different PKCS#11 token.
+ - `Bug 802429 <https://bugzilla.mozilla.org/show_bug.cgi?id=802429>`__ - The NSS softoken is now
+ the default token for SHA-256 and SHA-512. In previous versions of NSS, these algorithms would
+ be handled by the most recently added PKCS#11 token that supported them.
+ - `Bug 611451 <https://bugzilla.mozilla.org/show_bug.cgi?id=611451>`__ - When built with the
+ current version of Apple XCode on Mac OS X, the NSS shared libraries will now only export the
+ public NSS functions.
+ - `Bug 810582 <https://bugzilla.mozilla.org/show_bug.cgi?id=810582>`__ - TLS False Start is now
+ only used with servers that negotiate a cipher suite that supports forward secrecy.
+ **Note**: The criteria for False Start may change again in future NSS releases.
+
+.. _bugs_fixed_in_nss_3.14.1:
+
+`Bugs fixed in NSS 3.14.1 <#bugs_fixed_in_nss_3.14.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ The following Bugzilla query returns all of the bugs fixed in NSS 3.14.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?list_id=5216669;resolution=FIXED;query_format=advanced;bug_status=RESOLVED;bug_status=VERIFIED;target_milestone=3.14.1;product=NSS
+
+`Compatability <#compatability>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.14.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered in this release should be reported by filing a bug report at
+ https://bugzilla.mozilla.org with the Product of NSS. \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst
new file mode 100644
index 0000000000..b0b6420aab
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst
@@ -0,0 +1,103 @@
+.. _mozilla_projects_nss_nss_3_14_2_release_notes:
+
+NSS 3.14.2 release notes
+========================
+
+.. container::
+
+ Network Security Services (NSS) 3.14.2 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.2 are described in the "Bugs Fixed" section below. NSS 3.14.2 should be used with NSPR 4.9.5
+ or newer.
+
+ The release is available for download from
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_2_RTM/src/
+
+ For the primary NSS documentation pages please visit :ref:`mozilla_projects_nss`
+
+.. _new_in_nss_3.14.2:
+
+`New in NSS 3.14.2 <#new_in_nss_3.14.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - NSS will now make use of the Intel AES-NI and AVX instruction sets for hardware-accelerated
+ AES-GCM on 64-bit Linux systems. Note: the new assembly code requires GNU as version 2.19 or
+ newer. On Red Hat Enterprise Linux 5.x systems, install the binutils220 package and add
+ /usr/libexec/binutils220 to the beginning of your PATH environment variable.
+ - Initial manual pages for some NSS command line tools have been added. They are still under
+ review, and contributions are welcome. The documentation is in the docbook format and can be
+ rendered as HTML and UNIX-style manual pages using an optional build target.
+
+ .. rubric:: New Types:
+ :name: new_types
+
+ - in certt.h
+
+ - ``cert_pi_useOnlyTrustAnchors``
+
+ - in secoidt.h
+
+ - ``SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING``
+
+.. _notable_changes_in_nss_3.14.2:
+
+`Notable Changes in NSS 3.14.2 <#notable_changes_in_nss_3.14.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Bug 805604 - Support for AES-NI and AVX accelerated AES-GCM was contributed by Shay Gueron of
+ Intel. If compiled on Linux systems in 64-bit mode, NSS will include runtime detection to
+ check if the platform supports AES-NI and PCLMULQDQ. If so, NSS uses the optimized code path,
+ reducing the CPU cycles per byte to 1/20 of what was required before the patch
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=805604 and
+ https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf). Support for other platforms,
+ such as Windows, will follow in a future NSS release.
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=540986)
+ - SQLite has been updated to 3.7.15. Note: please apply the patch in
+ https://bugzilla.mozilla.org/show_bug.cgi?id=837799 if you build NSS with the system SQLite
+ library and your system SQLite library is older than 3.7.15.
+ - Bug 816853 - When using libpkix for certificate validation, applications may now supply
+ additional application-defined trust anchors to be used in addition to those from loaded
+ security tokens, rather than as an alternative to.
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=816853)
+ - Bug 772144 - Basic support for running NSS test suites on Android devices.This is currently
+ limited to running tests from a Linux host machine using an SSH connection. Only the SSHDroid
+ app has been tested.
+ - Bug 373108 - Fixed a bug where, under certain circumstances, when applications supplied
+ invalid/out-of-bounds parameters for AES encryption, a double free may occur.
+ - Bug 813857 - Modification of certificate trust flags from multiple threads is now a
+ thread-safe operation.
+ - Bug 618418 - C_Decrypt/C_DecryptFinal now correctly validate the PKCS #7 padding when present.
+ - Bug 807890 - Added support for Microsoft Trust List Signing EKU.
+ - Bug 822433 - Fixed a crash in dtls_FreeHandshakeMessages.
+ - Bug 823336 - Reject invalid LDAP AIA URIs sooner.
+
+.. _bugs_fixed_in_nss_3.14.2:
+
+`Bugs Fixed in NSS 3.14.2 <#bugs_fixed_in_nss_3.14.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?list_id=5502456;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.14.2;product=NSS
+
+`Compatibility <#compatibility>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ NSS 3.14.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <http://bugzilla.mozilla.org/>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst
new file mode 100644
index 0000000000..8844bfec82
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst
@@ -0,0 +1,132 @@
+.. _mozilla_projects_nss_nss_3_14_3_release_notes:
+
+NSS 3.14.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.14.3 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The CVS tag is NSS_3_14_3_RTM. NSS 3.14.3 requires NSPR 4.9.5 or newer.
+
+ NSS 3.14.3 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_3_RTM/src/
+
+.. _new_in_nss_3.14.3:
+
+`New in NSS 3.14.3 <#new_in_nss_3.14.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - No new major functionality is introduced in this release. This release is a patch release to
+ address `CVE-2013-1620 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620>`__.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in pk11pub.h*
+
+ - **PK11_SignWithSymKey** - Similar to PK11_Sign, performs a signing operation in a single
+ operation. However, unlike PK11_Sign, which uses a *SECKEYPrivateKey*, PK11_SignWithSymKey
+ performs the signature using a symmetric key, such as commonly used for generating MACs.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *CK_NSS_MAC_CONSTANT_TIME_PARAMS* - Parameters for use with *CKM_NSS_HMAC_CONSTANT_TIME* and
+ *CKM_NSS_SSL3_MAC_CONSTANT_TIME*.
+
+ .. rubric:: New PKCS #11 Mechanisms
+ :name: new_pkcs_11_mechanisms
+
+ - *CKM_NSS_HMAC_CONSTANT_TIME* - Constant-time HMAC operation for use when verifying a padded,
+ MAC-then-encrypted block of data.
+ - *CKM_NSS_SSL3_MAC_CONSTANT_TIME* - Constant-time MAC operation for use when verifying a
+ padded, MAC-then-encrypted block of data using the SSLv3 MAC.
+
+.. _notable_changes_in_nss_3.14.3:
+
+`Notable Changes in NSS 3.14.3 <#notable_changes_in_nss_3.14.3>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `CVE-2013-1620 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620>`__
+
+ Recent research by Nadhem AlFardan and Kenny Patterson has highlighted a weakness in the
+ handling of CBC padding as used in SSL, TLS, and DTLS that allows an attacker to exploit
+ timing differences in MAC processing. The details of their research and the attack can be
+ found at http://www.isg.rhul.ac.uk/tls/, and has been referred to as "Lucky Thirteen".
+
+ NSS 3.14.3 includes changes to the *softoken* and *ssl* libraries to address and mitigate
+ these attacks, contributed by Adam Langley of Google. This attack is mitigated when using NSS
+ 3.14.3 with an NSS Cryptographic Module ("softoken") version 3.14.3 or later. However, this
+ attack is only partially mitigated if NSS 3.14.3 is used with the current FIPS validated `NSS
+ Cryptographic
+ Module <http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1837>`__, version
+ 3.12.9.1.
+
+ - `Bug 840714 <https://bugzilla.mozilla.org/show_bug.cgi?id=840714>`__ - "certutil -a" was not
+ correctly producing ASCII output as requested.
+
+ - `Bug 837799 <https://bugzilla.mozilla.org/show_bug.cgi?id=837799>`__ - NSS 3.14.2 broke
+ compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file
+ control. NSS 3.14.3 now properly compiles when used with older versions of sqlite.
+
+`Acknowledgements <#acknowledgements>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ The NSS development team would like to thank Nadhem AlFardan and Kenny Patterson (Royal Holloway,
+ University of London) for responsibly disclosing the issue by providing advance copies of their
+ research. In addition, thanks to Adam Langley (Google) for the development of a mitigation for
+ the issues raised in the paper, along with Emilia Kasper and Bodo Möller (Google) for assisting
+ in the review and improvements to the initial patches.
+
+.. _bugs_fixed_in_nss_3.14.3:
+
+`Bugs fixed in NSS 3.14.3 <#bugs_fixed_in_nss_3.14.3>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.14.3;product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.14.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst
new file mode 100644
index 0000000000..4177d62377
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst
@@ -0,0 +1,82 @@
+.. _mozilla_projects_nss_nss_3_14_4_release_notes:
+
+NSS 3.14.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.14.4 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The CVS tag is NSS_3_14_4_RTM. NSS 3.14.4 requires NSPR 4.9.5 or newer.
+
+ NSS 3.14.4 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_4_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.14.4. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 894370 <https://bugzilla.mozilla.org/show_bug.cgi?id=894370>`__ - (CVE-2013-1739) Avoid
+ uninitialized data read in the event of a decryption failure.
+
+.. _new_in_nss_3.14.4:
+
+`New in NSS 3.14.4 <#new_in_nss_3.14.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - No new major functionality is introduced in this release. This release is a patch release to
+ address `CVE-2013-1739 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739>`__.
+
+.. _bugs_fixed_in_nss_3.14.4:
+
+`Bugs fixed in NSS 3.14.4 <#bugs_fixed_in_nss_3.14.4>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?bug_id=894370%2C832942%2C863947&bug_id_type=anyexact&list_id=8338081&resolution=FIXED&classification=Components&query_format=advanced&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.14.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst
new file mode 100644
index 0000000000..ef32dabec6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst
@@ -0,0 +1,82 @@
+.. _mozilla_projects_nss_nss_3_14_5_release_notes:
+
+NSS 3.14.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.14.5 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The CVS tag is NSS_3_14_5_RTM. NSS 3.14.5 requires NSPR 4.9.5 or newer.
+
+ NSS 3.14.5 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_5_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.14.5. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 934016 <https://bugzilla.mozilla.org/show_bug.cgi?id=934016>`__ - (CVE-2013-5605) Handle
+ invalid handshake packets
+
+.. _new_in_nss_3.14.5:
+
+`New in NSS 3.14.5 <#new_in_nss_3.14.5>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - No new major functionality is introduced in this release. This release is a patch release to
+ address `CVE-2013-5605 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605>`__.
+
+.. _bugs_fixed_in_nss_3.14.5:
+
+`Bugs fixed in NSS 3.14.5 <#bugs_fixed_in_nss_3.14.5>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?bug_id=934016&bug_id_type=anyexact&resolution=FIXED&classification=Components&query_format=advanced&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.14.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst
new file mode 100644
index 0000000000..a1974d1562
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst
@@ -0,0 +1,174 @@
+.. _mozilla_projects_nss_nss_3_14_release_notes:
+
+NSS 3.14 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.14, which is a minor release with the
+ following new features:
+
+ - Support for TLS 1.1 (RFC 4346)
+ - Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
+ - Support for AES-CTR, AES-CTS, and AES-GCM
+ - Support for Keying Material Exporters for TLS (RFC 5705)
+
+ In addition to the above new features, the following major changes have been introduced:
+
+ - Support for certificate signatures using the MD5 hash algorithm is now disabled by default.
+ - The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL
+ 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see
+ http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explantation on GPL/LGPL
+ compatibility, see security/nss/COPYING in the source code.
+ - Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites
+ are enabled by default.
+
+ NSS 3.14 source tarballs can be downloaded from
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_RTM/src/. The CVS tag is
+ NSS_3_14_RTM.
+
+.. _new_in_nss_3.14:
+
+`New in NSS 3.14 <#new_in_nss_3.14>`__
+--------------------------------------
+
+.. container::
+
+ The sections that follow discuss specific changes in NSS 3.14 in more detail.
+
+ - Support for TLS 1.1 (RFC 4346) has been added
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=565047).
+
+ .. container::
+
+ To better support TLS 1.1 and future versions of TLS, a new version range API was
+ introduced to allow applications to specify the desired minimum and maximum versions. These
+ functions are intended to replace the now-deprecated use of the SSL_ENABLE_SSL3 and
+ SSL_ENABLE_TLS socket options. The following functions have been added to the libssl
+ library included in NSS 3.14
+
+ - SSL_VersionRangeGet (in ssl.h)
+ - SSL_VersionRangeGetDefault (in ssl.h)
+ - SSL_VersionRangeGetSupported (in ssl.h)
+ - SSL_VersionRangeSet (in ssl.h)
+ - SSL_VersionRangeSetDefault (in ssl.h)
+
+ - To better ensure interoperability with peers that support TLS 1.1, NSS has altered how it
+ handles certain SSL protocol layer events. Such changes may present interoperability concerns
+ when enabling TLS 1.1.
+
+ .. container::
+
+ - When connecting to a server, the record layer version of the initial ClientHello will be
+ at most { 3, 1 } (TLS 1.0), even when attempting to negotiate TLS 1.1
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=774547)
+ - The choice of client_version sent during renegotiations has changed. See the
+ "`Changes <#changes>`__" section below.
+
+ - Experimental Support for DTLS (RFC 4347) and DTLS-SRTP (RFC 5764)
+
+ DTLS client and server support has been added in NSS 3.14. Because the test coverage and
+ interoperability testing is not yet at the same level as other NSS code, this feature should
+ be considered "experimental" and may contain bugs.
+
+ The following functions have been added to the libssl library included in NSS 3.14:
+
+ - DTLS_ImportFD (in ssl.h)
+ - DTLS_GetHandshakeTimeout (in ssl.h)
+ - SSL_GetSRTPCipher (in ssl.h)
+ - SSL_SetRTPCiphers (in ssl.h)
+
+ - Support for AES-GCM
+
+ .. container::
+
+ Support for AES-GCM has been added to the NSS PKCS #11 module (softoken), based upon the
+ draft 7 of PKCS #11 v2.30.
+
+ **WARNING**: Because of ambiguity in the current draft text, applications should ONLY use
+ GCM in single-part mode (C_Encrypt/C_Decrypt). They should NOT use multi-part APIs
+ (C_EncryptUpdate/C_DecryptUpdate).
+
+ - Support for application-defined certificate chain validation callback when using libpkix
+
+ .. container::
+
+ To better support per-application security policies, a new callback has been added for
+ applications that use libpkix to verify certificates. Applications may use this callback to
+ inform libpkix whether or not candidate certificate chains meet application-specific
+ security policies, allowing libpkix to continue discovering certificate paths until it can
+ find a chain that satisfies the policies.
+
+ The following types have been added in NSS 3.14
+
+ - CERTChainVerifyCallback (in certt.h)
+ - CERTChainVerifyCallbackFunc (in certt.h)
+ - cert_pi_chainVerifyCallback, a new option for CERTValParamInType (in certt.h)
+ - A new error code: SEC_ERROR_APPLICATION_CALLBACK_ERROR (in secerr.h)
+
+ - New for PKCS #11
+
+ .. container::
+
+ PKCS #11 mechanisms:
+
+ - CKM_AES_CTS
+ - CKM_AES_CTR
+ - CKM_AES_GCM (see warnings against using C_EncryptUpdate/C_DecryptUpdate above)
+ - CKM_SHA224_KEY_DERIVATION
+ - CKM_SHA256_KEY_DERIVATION
+ - CKM_SHA384_KEY_DERIVATION
+ - CKM_SHA512_KEY_DERIVATION
+
+ Changes in NSS 3.14
+
+.. _changes_in_nss_3.14:
+
+`Changes in NSS 3.14 <#changes_in_nss_3.14>`__
+----------------------------------------------
+
+.. container::
+
+ - `Bug 333601 <https://bugzilla.mozilla.org/show_bug.cgi?id=333601>`__ - Performance
+ enhancements for Intel Macs
+
+ When building for Intel Macs, NSS will now take advantage of optimized assembly code for
+ common operations. These changes have the observed effect of doubling RSA performance.
+
+ - `Bug 792681 <https://bugzilla.mozilla.org/show_bug.cgi?id=792681>`__ - New default cipher
+ suites
+
+ The default cipher suites in NSS 3.14 have been changed to better reflect the current security
+ landscape. The defaults now better match the set that most major Web browsers enable by
+ default.
+
+ - `Bug 783448 <https://bugzilla.mozilla.org/show_bug.cgi?id=783448>`__ - When performing an SSL
+ renegotiation, the client_version that is sent in the renegotiation ClientHello will be set to
+ match the client_version that was sent in the initial ClientHello. This is needed for
+ compatibility with IIS.
+
+ - Certificate signatures that make use of the MD5 hash algorithm will now be rejected by
+ default. Support for MD5 may be manually enabled (but is discouraged) by setting the
+ environment variable of "NSS_HASH_ALG_SUPPORT=+MD5" or by using the NSS_SetAlgorithmPolicy
+ function. Note that SSL cipher suites with "MD5" in their names are NOT disabled by this
+ change; those cipher suites use HMAC-MD5, not plain MD5, and are still considered safe.
+
+ - Maximum key sizes for RSA and Diffie-Hellman keys have been increased to 16K bits.
+
+ - Command line utilities tstclnt, strsclnt, and selfserv have changed. The old options to
+ disable SSL 2, SSL 3 and TLS 1.0 have been removed and replaced with a new -V option that
+ specifies the enabled range of protocol versions (see usage output of those tools).
+
+.. _bugs_fixed_in_nss_3.14:
+
+`Bugs fixed in NSS 3.14 <#bugs_fixed_in_nss_3.14>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.14:
+
+ https://bugzilla.mozilla.org/buglist.cgi?list_id=4643675;resolution=FIXED;classification=Components;query_format=advanced;product=NSS;target_milestone=3.14 \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst
new file mode 100644
index 0000000000..b78f326a85
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst
@@ -0,0 +1,131 @@
+.. _mozilla_projects_nss_nss_3_15_1_release_notes:
+
+NSS 3.15.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/
+
+.. _new_in_nss_3.15.1:
+
+`New in NSS 3.15.1 <#new_in_nss_3.15.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - TLS 1.2: TLS 1.2 (`RFC 5246 <https://datatracker.ietf.org/doc/html/rfc5246>`__) is supported.
+ HMAC-SHA256 cipher suites (`RFC 5246 <https://datatracker.ietf.org/doc/html/rfc5246>`__ and
+ `RFC 5289 <https://datatracker.ietf.org/doc/html/rfc5289>`__) are supported, allowing TLS to
+ be used without MD5 and SHA-1. Note the following limitations.
+
+ - The hash function used in the signature for TLS 1.2 client authentication must be the hash
+ function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1.
+ - AES GCM cipher suites are not yet supported.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ None.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in sslprot.h*
+
+ - **SSL_LIBRARY_VERSION_TLS_1_2** - The protocol version of TLS 1.2 on the wire, value
+ 0x0303.
+ - **TLS_DHE_RSA_WITH_AES_256_CBC_SHA256**, **TLS_RSA_WITH_AES_256_CBC_SHA256**,
+ **TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256**, **TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256**,
+ **TLS_DHE_RSA_WITH_AES_128_CBC_SHA256**, **TLS_RSA_WITH_AES_128_CBC_SHA256**,
+ **TLS_RSA_WITH_NULL_SHA256** - New TLS 1.2 only HMAC-SHA256 cipher suites.
+
+ - *in sslerr.h*
+
+ - **SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM**, **SSL_ERROR_DIGEST_FAILURE**,
+ **SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM** - New error codes for TLS 1.2.
+
+ - *in sslt.h*
+
+ - **ssl_hmac_sha256** - A new value in the SSLMACAlgorithm enum type.
+ - **ssl_signature_algorithms_xtn** - A new value in the SSLExtensionType enum type.
+
+ .. rubric:: New PKCS #11 Mechanisms
+ :name: new_pkcs_11_mechanisms
+
+ None.
+
+.. _notable_changes_in_nss_3.15.1:
+
+`Notable Changes in NSS 3.15.1 <#notable_changes_in_nss_3.15.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 856060 <https://bugzilla.mozilla.org/show_bug.cgi?id=856060>`__ - Enforce name
+ constraints on the common name in libpkix when no subjectAltName is present.
+ - `Bug 875156 <https://bugzilla.mozilla.org/show_bug.cgi?id=875156>`__ - Add const to the
+ function arguments of SEC_CertNicknameConflict.
+ - `Bug 877798 <https://bugzilla.mozilla.org/show_bug.cgi?id=877798>`__ - Fix ssltap to print the
+ certificate_status handshake message correctly.
+ - `Bug 882829 <https://bugzilla.mozilla.org/show_bug.cgi?id=882829>`__ - On Windows, NSS
+ initialization fails if NSS cannot call the RtlGenRandom function.
+ - `Bug 875601 <https://bugzilla.mozilla.org/show_bug.cgi?id=875601>`__ -
+ SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token delay, leading to spurious
+ failures.
+ - `Bug 884072 <https://bugzilla.mozilla.org/show_bug.cgi?id=884072>`__ - Fix a typo in the
+ header include guard macro of secmod.h.
+ - `Bug 876352 <https://bugzilla.mozilla.org/show_bug.cgi?id=876352>`__ - certutil now warns if
+ importing a PEM file that contains a private key.
+ - `Bug 565296 <https://bugzilla.mozilla.org/show_bug.cgi?id=565296>`__ - Fix the bug that
+ shlibsign exited with status 0 even though it failed.
+ - The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed.
+
+.. _bugs_fixed_in_nss_3.15.1:
+
+`Bugs fixed in NSS 3.15.1 <#bugs_fixed_in_nss_3.15.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst
new file mode 100644
index 0000000000..9f623daff4
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst
@@ -0,0 +1,126 @@
+.. _mozilla_projects_nss_nss_3_15_2_release_notes:
+
+NSS 3.15.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.2 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS 3.15.2 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_2_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.15.2. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 894370 <https://bugzilla.mozilla.org/show_bug.cgi?id=894370>`__ - (CVE-2013-1739) Avoid
+ uninitialized data read in the event of a decryption failure.
+
+.. _new_in_nss_3.15.2:
+
+`New in NSS 3.15.2 <#new_in_nss_3.15.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - AES-GCM Ciphersuites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when
+ TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported:
+
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_RSA_WITH_AES_128_GCM_SHA256
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ PK11_CipherFinal has been introduced, which is a simple alias for PK11_DigestFinal.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ No new types have been introduced.
+
+ .. rubric:: New PKCS #11 Mechanisms
+ :name: new_pkcs_11_mechanisms
+
+ No new PKCS#11 mechanisms have been introduced
+
+.. _notable_changes_in_nss_3.15.2:
+
+`Notable Changes in NSS 3.15.2 <#notable_changes_in_nss_3.15.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 880543 <https://bugzilla.mozilla.org/show_bug.cgi?id=880543>`__ - Support for AES-GCM
+ ciphersuites that use the SHA-256 PRF
+ - `Bug 663313 <https://bugzilla.mozilla.org/show_bug.cgi?id=663313>`__ - MD2, MD4, and MD5
+ signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general
+ certificate signatures.
+ - `Bug 884178 <https://bugzilla.mozilla.org/show_bug.cgi?id=884178>`__ - Add PK11_CipherFinal
+ macro
+
+.. _bugs_fixed_in_nss_3.15.2:
+
+`Bugs fixed in NSS 3.15.2 <#bugs_fixed_in_nss_3.15.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 734007 <https://bugzilla.mozilla.org/show_bug.cgi?id=734007>`__ - sizeof() used
+ incorrectly
+ - `Bug 900971 <https://bugzilla.mozilla.org/show_bug.cgi?id=900971>`__ - nssutil_ReadSecmodDB()
+ leaks memory
+ - `Bug 681839 <https://bugzilla.mozilla.org/show_bug.cgi?id=681839>`__ - Allow
+ SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.
+ - `Bug 848384 <https://bugzilla.mozilla.org/show_bug.cgi?id=848384>`__ - Deprecate the SSL
+ cipher policy code, as it's no longer relevant. It is no longer necessary to call
+ NSS_SetDomesticPolicy because all cipher suites are now allowed by default.
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.2&product=NSS&list_id=7982238
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst
new file mode 100644
index 0000000000..bb80e44e51
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst
@@ -0,0 +1,89 @@
+.. _mozilla_projects_nss_nss_3_15_3_1_release_notes:
+
+NSS 3.15.3.1 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.3.1 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.3.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_3_1_RTM. NSS 3.15.3.1 requires NSPR 4.10.2 or newer.
+
+ NSS 3.15.3.1 source distributions are also available on ftp.mozilla.org for secure HTTPS
+ download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_3_1_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.15.3.1. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 946351 <https://bugzilla.mozilla.org/show_bug.cgi?id=946351>`__ - Misissued Google
+ certificates from DCSSI
+
+.. _new_in_nss_3.15.3.1:
+
+`New in NSS 3.15.3.1 <#new_in_nss_3.15.3.1>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new major functionality is introduced in this release. This is a patch release to `revoke
+ trust of a subordinate CA
+ certificate <https://blog.mozilla.org/security/2013/12/09/revoking-trust-in-one-anssi-certificate/>`__
+ that was mis-used to generate a certificate used by a network appliance.
+
+.. _bugs_fixed_in_nss_3.15.3.1:
+
+`Bugs fixed in NSS 3.15.3.1 <#bugs_fixed_in_nss_3.15.3.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 946351 <https://bugzilla.mozilla.org/show_bug.cgi?id=946351>`__ - Misissued Google
+ certificates from DCSSI
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3.1&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.3.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.3.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst
new file mode 100644
index 0000000000..5a28baf7b0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst
@@ -0,0 +1,94 @@
+.. _mozilla_projects_nss_nss_3_15_3_release_notes:
+
+NSS 3.15.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.3 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_3_RTM. NSS 3.15.3 requires NSPR 4.10.2 or newer.
+
+ NSS 3.15.3 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_3_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.15.3. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 925100 <https://bugzilla.mozilla.org/show_bug.cgi?id=925100>`__ - (CVE-2013-1741) Ensure
+ a size is <= half of the maximum PRUint32 value
+ - `Bug 934016 <https://bugzilla.mozilla.org/show_bug.cgi?id=934016>`__ - (CVE-2013-5605) Handle
+ invalid handshake packets
+ - `Bug 910438 <https://bugzilla.mozilla.org/show_bug.cgi?id=910438>`__ - (CVE-2013-5606) Return
+ the correct result in CERT_VerifyCert on failure, if a verifyLog isn't used
+
+.. _new_in_nss_3.15.3:
+
+`New in NSS 3.15.3 <#new_in_nss_3.15.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new major functionality is introduced in this release. This release is a patch release to
+ address `CVE-2013-1741 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741>`__,
+ `CVE- <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605>`__\ `2013-5605 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605>`__
+ and `CVE-2013-5606 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606>`__.
+
+.. _bugs_fixed_in_nss_3.15.3:
+
+`Bugs fixed in NSS 3.15.3 <#bugs_fixed_in_nss_3.15.3>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 850478 <https://bugzilla.mozilla.org/show_bug.cgi?id=850478>`__ - List RC4_128 cipher
+ suites after AES_128 cipher suites
+ - `Bug 919677 <https://bugzilla.mozilla.org/show_bug.cgi?id=919677>`__ - Don't advertise TLS
+ 1.2-only ciphersuites in a TLS 1.1 ClientHello
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst
new file mode 100644
index 0000000000..50f47b4226
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst
@@ -0,0 +1,137 @@
+.. _mozilla_projects_nss_nss_3_15_4_release_notes:
+
+NSS 3.15.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.4 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_4_RTM. NSS 3.15.4 requires NSPR 4.10.2 or newer.
+
+ NSS 3.15.4 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_4_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.15.4. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 919877 <https://bugzilla.mozilla.org/show_bug.cgi?id=919877>`__ - (CVE-2013-1740) When
+ false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from
+ PR_Recv
+
+.. _new_in_nss_3.15.4:
+
+`New in NSS 3.15.4 <#new_in_nss_3.15.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall
+ back to the HTTP POST method.
+ - Implemented OCSP server functionality for testing purposes (httpserv utility).
+ - Support SHA-1 signatures with TLS 1.2 client authentication.
+ - Added the --empty-password command-line option to certutil, to be used with -N: use an empty
+ password when creating a new database.
+ - Added the -w command-line option to pp: don't wrap long output lines.
+
+.. _new_functions:
+
+`New Functions <#new_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - CERT_ForcePostMethodForOCSP
+ - CERT_GetSubjectNameDigest
+ - CERT_GetSubjectPublicKeyDigest
+ - SSL_PeerCertificateChain
+ - SSL_RecommendedCanFalseStart
+ - SSL_SetCanFalseStartCallback
+
+.. _new_types:
+
+`New Types <#new_types>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to
+ use the HTTP GET method for OCSP requests; it will always use POST.
+
+.. _new_pkcs_11_mechanisms:
+
+`New PKCS #11 Mechanisms <#new_pkcs_11_mechanisms>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ None.
+
+.. _notable_changes_in_nss_3.15.4:
+
+`Notable Changes in NSS 3.15.4 <#notable_changes_in_nss_3.15.4>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best
+ practices.
+ - Updated the set of root CA certificates (version 1.96).
+ - Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an
+ application must now register a callback using the SSL_SetCanFalseStartCallback function.
+ - When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build
+ configuration, specify OS_TARGET=WINNT.
+
+.. _bugs_fixed_in_nss_3.15.4:
+
+`Bugs fixed in NSS 3.15.4 <#bugs_fixed_in_nss_3.15.4>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst
new file mode 100644
index 0000000000..8bff77b0ef
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst
@@ -0,0 +1,93 @@
+.. _mozilla_projects_nss_nss_3_15_5_release_notes:
+
+NSS 3.15.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.5 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_5_RTM. NSS 3.15.5 requires NSPR 4.10.2 or newer.
+
+ NSS 3.15.5 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_5_RTM/src/
+
+.. _new_in_nss_3.15.5:
+
+`New in NSS 3.15.5 <#new_in_nss_3.15.5>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Added support for the TLS `application layer protocol negotiation (ALPN)
+ extension <http://www.iana.org/go/draft-friedl-tls-applayerprotoneg>`__. Two SSL socket
+ options, ``SSL_ENABLE_NPN`` and ``SSL_ENABLE_ALPN``, can be used to control whether NPN or
+ ALPN (or both) should be used for application layer protocol negotiation.
+ - Added the TLS `padding
+ extension <https://datatracker.ietf.org/doc/html/draft-agl-tls-padding>`__. The extension type
+ value is 35655, which may change when an official extension type value is assigned by IANA.
+ NSS automatically adds the padding extension to ClientHello when necessary.
+ - Added a new macro ``CERT_LIST_TAIL``, defined in ``certt.h``, for getting the tail of a
+ ``CERTCertList``.
+
+.. _notable_changes_in_nss_3.15.5:
+
+`Notable Changes in NSS 3.15.5 <#notable_changes_in_nss_3.15.5>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 950129 <https://bugzilla.mozilla.org/show_bug.cgi?id=950129>`__: Improve the OCSP
+ fetching policy when verifying OCSP responses
+ - `Bug 949060 <https://bugzilla.mozilla.org/show_bug.cgi?id=949060>`__: Validate the ``iov``
+ input argument (an array of ``PRIOVec`` structures) of ``ssl_WriteV`` (called via
+ ``PR_Writev``). Applications should still take care when converting ``struct iov`` to
+ ``PRIOVec`` because the ``iov_len`` members of the two structures have different types
+ (``size_t`` vs. ``int``). ``size_t`` is unsigned and may be larger than ``int``.
+
+.. _bugs_fixed_in_nss_3.15.5:
+
+`Bugs fixed in NSS 3.15.5 <#bugs_fixed_in_nss_3.15.5>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.5&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst
new file mode 100644
index 0000000000..2c5353f485
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst
@@ -0,0 +1,157 @@
+.. _mozilla_projects_nss_nss_3_15_release_notes:
+
+NSS 3.15 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.15, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer.
+
+ NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/
+
+.. _new_in_nss_3.15:
+
+`New in NSS 3.15 <#new_in_nss_3.15>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Support for OCSP Stapling (`RFC 6066 <https://datatracker.ietf.org/doc/html/rfc6066>`__,
+ Certificate Status Request) has been added for both client and server sockets. TLS client
+ applications may enable this via a call to
+ ``SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);``
+ - Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now
+ declared as obsolete.
+ - Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via
+ *PK11_Encrypt* and *PK11_Decrypt*.
+ - certutil has been updated to support creating name constraints extensions.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in ssl.h*
+
+ - **SSL_PeerStapledOCSPResponse** - Returns the server's stapled OCSP response, when used
+ with a TLS client socket that negotiated the *status_request* extension.
+ - **SSL_SetStapledOCSPResponses** - Set's a stapled OCSP response for a TLS server socket to
+ return when clients send the *status_request* extension.
+
+ - *in ocsp.h*
+
+ - **CERT_PostOCSPRequest** - Primarily intended for testing, permits the sending and
+ receiving of raw OCSP request/responses.
+
+ - *in secpkcs7.h*
+
+ - **SEC_PKCS7VerifyDetachedSignatureAtTime** - Verifies a PKCS#7 signature at a specific time
+ other than the present time.
+
+ - *in xconst.h*
+
+ - **CERT_EncodeNameConstraintsExtension** - Matching function for
+ CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
+
+ - *in secitem.h*
+
+ - **SECITEM_AllocArray**
+ - **SECITEM_DupArray**
+ - **SECITEM_FreeArray**
+ - **SECITEM_ZfreeArray** - Utility functions to handle the allocation and deallocation of
+ *SECItemArray*\ s
+ - **SECITEM_ReallocItemV2** - Replaces *SECITEM_ReallocItem*, which is now obsolete.
+ *SECITEM_ReallocItemV2* better matches caller expectations, in that it updates
+ ``item->len`` on allocation. For more details of the issues with SECITEM_ReallocItem, see
+ `Bug 298649 <http://bugzil.la/298649>`__ and `Bug 298938 <http://bugzil.la/298938>`__.
+
+ - *in pk11pub.h*
+
+ - **PK11_Decrypt** - Performs decryption as a single PKCS#11 operation (eg: not multi-part).
+ This is necessary for AES-GCM.
+ - **PK11_Encrypt** - Performs encryption as a single PKCS#11 operation (eg: not multi-part).
+ This is necessary for AES-GCM.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in secitem.h*
+
+ - **SECItemArray** - Represents a variable-length array of *SECItem*\ s.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in ssl.h*
+
+ - **SSL_ENABLE_OCSP_STAPLING** - Used with *SSL_OptionSet* to configure TLS client sockets to
+ request the *certificate_status* extension (eg: OCSP stapling) when set to **PR_TRUE**
+
+.. _notable_changes_in_nss_3.15:
+
+`Notable Changes in NSS 3.15 <#notable_changes_in_nss_3.15>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - *SECITEM_ReallocItem* is now deprecated. Please consider using *SECITEM_ReallocItemV2* in all
+ future code.
+
+ - NSS has migrated from CVS to the Mercurial source control management system.
+
+ Updated build instructions are available at
+ :ref:`mozilla_projects_nss_reference_building_and_installing_nss_migration_to_hg`
+
+ As part of this migration, the source code directory layout has been re-organized.
+
+ - The list of root CA certificates in the *nssckbi* module has been updated.
+
+ - The default implementation of SSL_AuthCertificate has been updated to add certificate status
+ responses stapled by the TLS server to the OCSP cache.
+
+ Applications that use SSL_AuthCertificateHook to override the default handler should add
+ appropriate calls to *SSL_PeerStapledOCSPResponse* and
+ *CERT_CacheOCSPResponseFromSideChannel*.
+
+ - `Bug 554369 <https://bugzilla.mozilla.org/show_bug.cgi?id=554369>`__: Fixed correctness of
+ CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour.
+
+ - `Bug 853285 <https://bugzilla.mozilla.org/show_bug.cgi?id=853285>`__: Fixed bugs in AES GCM.
+
+ - `Bug 341127 <https://bugzilla.mozilla.org/show_bug.cgi?id=341127>`__: Fix the invalid read in
+ rc4_wordconv.
+
+ - `Faster NIST curve P-256
+ implementation <https://bugzilla.mozilla.org/show_bug.cgi?id=831006>`__.
+
+ - Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library
+ ``libfreebl_32int_3.so`` is no longer produced.
+
+.. _bugs_fixed_in_nss_3.15:
+
+`Bugs fixed in NSS 3.15 <#bugs_fixed_in_nss_3.15>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.15:
+
+ https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15 \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst
new file mode 100644
index 0000000000..7362895fe0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst
@@ -0,0 +1,97 @@
+.. _mozilla_projects_nss_nss_3_16_1_release_notes:
+
+NSS 3.16.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.1 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_1_RTM. NSS 3.16.1 requires NSPR 4.10.5 or newer.
+
+ NSS 3.16.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_1_RTM/src/
+
+.. _new_in_nss_3.16.1:
+
+`New in NSS 3.16.1 <#new_in_nss_3.16.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Added the "ECC" flag for modutil to select the module used for elliptic curve cryptography
+ (ECC) operations.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in pk11pub.h*
+
+ - **PK11_ExportDERPrivateKeyInfo and PK11_ExportPrivKeyInfo** - exports a private key in a
+ DER-encoded ASN.1 PrivateKeyInfo type or a SECKEYPrivateKeyInfo structure. Only RSA private
+ keys are supported now.
+
+ - *in secmod.h*
+
+ - **SECMOD_InternalToPubMechFlags** - converts from NSS-internal to public representation of
+ mechanism flags.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in sslt.h*
+
+ - **ssl_padding_xtn** - the value of this enum constant changed from the experimental value
+ 35655 to the IANA-assigned value 21. .
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in secmod.h*
+
+ - **PUBLIC_MECH_ECC_FLAG** - a public mechanism flag for elliptic curve cryptography (ECC)
+ operations.
+
+ - *in utilmodt.h*
+
+ - **SECMOD_ECC_FLAG** - an NSS-internal mechanism flag for elliptic curve cryptography (ECC)
+ operations. This macro has the same numeric value as **PUBLIC_MECH_ECC_FLAG.**
+
+.. _notable_changes_in_nss_3.16.1:
+
+`Notable Changes in NSS 3.16.1 <#notable_changes_in_nss_3.16.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - Imposed `name constraints <https://hg.mozilla.org/projects/nss/rev/742307da0792>`__ on the
+ French government root CA ANSSI (DCISS).
+
+.. _bugs_fixed_in_nss_3.16.1:
+
+`Bugs fixed in NSS 3.16.1 <#bugs_fixed_in_nss_3.16.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.1 \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst
new file mode 100644
index 0000000000..f7c10ccb22
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst
@@ -0,0 +1,99 @@
+.. _mozilla_projects_nss_nss_3_16_2_1_release_notes:
+
+NSS 3.16.2.1 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.2.1 is a patch release for NSS 3.16, based on the NSS 3.16.2
+ release. The bug fixes in NSS 3.16.2.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_2_1_RTM. NSS 3.16.2.1 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.2.1 source distributions are also available on ftp.mozilla.org for secure HTTPS
+ download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_2_1_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.16.2.1. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1064636 <https://bugzilla.mozilla.org/show_bug.cgi?id=1064636>`__ - (CVE-2014-1568) RSA
+ Signature Forgery in NSS. See also `MFSA
+ 2014-73 <https://www.mozilla.org/security/announce/2014/mfsa2014-73.html>`__ for details.
+
+.. _new_in_nss_3.16.2.1:
+
+`New in NSS 3.16.2.1 <#new_in_nss_3.16.2.1>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix a bug that
+ caused NSS to accept forged RSA signatures.
+
+ A new symbol, \_SGN_VerifyPKCS1DigestInfo is exported in this release. As with all exported NSS
+ symbols that have a leading underscore '_', this is an internal symbol for NSS use only.
+ Applications that use or depend on these symbols can and will break in future NSS releases.
+
+.. _bugs_fixed_in_nss_3.16.2.1:
+
+`Bugs fixed in NSS 3.16.2.1 <#bugs_fixed_in_nss_3.16.2.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 1064636 <https://bugzilla.mozilla.org/show_bug.cgi?id=1064636>`__ - (CVE-2014-1568) RSA
+ Signature Forgery in NSS
+
+`Acknowledgements <#acknowledgements>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ The NSS development team would like to thank Antoine Delignat-Lavaud, security researcher at
+ Inria Paris in team Prosecco, and the Advanced Threat Research team at Intel Security, who both
+ independently discovered and reported this issue, for responsibly disclosing the issue by
+ providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.16.2.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.2.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst
new file mode 100644
index 0000000000..0a5f766f94
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst
@@ -0,0 +1,81 @@
+.. _mozilla_projects_nss_nss_3_16_2_2_release_notes:
+
+NSS 3.16.2.2 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.2.2 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.2.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_2_2_RTM. NSS 3.16.2.2 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.2.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_2_2_RTM/src/
+
+.. _new_in_nss_3.16.2.2:
+
+`New in NSS 3.16.2.2 <#new_in_nss_3.16.2.2>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix a regression.
+
+.. _notable_changes_in_nss_3.16.2.2:
+
+`Notable Changes in NSS 3.16.2.2 <#notable_changes_in_nss_3.16.2.2>`__
+----------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1049435 <https://bugzilla.mozilla.org/show_bug.cgi?id=1049435>`__: Change
+ RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2
+ that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated
+ by other crypto libraries.
+
+.. _bugs_fixed_in_nss_3.16.2.2:
+
+`Bugs fixed in NSS 3.16.2.2 <#bugs_fixed_in_nss_3.16.2.2>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1049435 <https://bugzilla.mozilla.org/show_bug.cgi?id=1049435>`__ - Importing an RSA
+ private key fails if p < q
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.16.2.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.2.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst
new file mode 100644
index 0000000000..1b834338e3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst
@@ -0,0 +1,110 @@
+.. _mozilla_projects_nss_nss_3_16_2_3_release_notes:
+
+NSS 3.16.2.3 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.2.3 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.2.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_2_3_RTM. NSS 3.16.2.3 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.2.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_2_3_RTM/src/
+
+.. _new_in_nss_3.16.2.3:
+
+`New in NSS 3.16.2.3 <#new_in_nss_3.16.2.3>`__
+----------------------------------------------
+
+.. container::
+
+ This patch release fixes a bug and contains a backport of the TLS_FALLBACK_SCSV feature, which
+ was originally made available in NSS 3.17.1.
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `TLS_FALLBACK_SCSV <https://datatracker.ietf.org/doc/html/draft-ietf-tls-downgrade-scsv-00>`__
+ is a signaling cipher suite value that indicates a handshake is the result of TLS version
+ fallback.
+
+.. _new_macros:
+
+`New Macros <#new_macros>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - *in ssl.h*
+
+ - **SSL_ENABLE_FALLBACK_SCSV** - an SSL socket option that enables TLS_FALLBACK_SCSV. Off by
+ default.
+
+ - *in sslerr.h*
+
+ - **SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT** - a new SSL error code.
+
+ - *in sslproto.h*
+
+ - **TLS_FALLBACK_SCSV** - a signaling cipher suite value that indicates a handshake is the
+ result of TLS version fallback.
+
+.. _notable_changes_in_nss_3.16.2.3:
+
+`Notable Changes in NSS 3.16.2.3 <#notable_changes_in_nss_3.16.2.3>`__
+----------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1057161 <https://bugzilla.mozilla.org/show_bug.cgi?id=1057161>`__: Check that an imported
+ elliptic curve public key is valid. Previously NSS would only validate the peer's public key
+ before performing ECDH key agreement. Now EC public keys are validated at import time.
+
+.. _bugs_fixed_in_nss_3.16.2.3:
+
+`Bugs fixed in NSS 3.16.2.3 <#bugs_fixed_in_nss_3.16.2.3>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1057161 <https://bugzilla.mozilla.org/show_bug.cgi?id=1057161>`__ - NSS hangs with 100%
+ CPU on invalid EC key
+ - `Bug 1036735 <https://bugzilla.mozilla.org/show_bug.cgi?id=1036735>`__ - Add support for
+ draft-ietf-tls-downgrade-scsv to NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.16.2.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.2.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst
new file mode 100644
index 0000000000..e4b56a4f64
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst
@@ -0,0 +1,114 @@
+.. _mozilla_projects_nss_nss_3_16_2_release_notes:
+
+NSS 3.16.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_2_RTM. NSS 3.16.2 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_2_RTM/src/
+
+.. _new_in_nss_3.16.2:
+
+`New in NSS 3.16.2 <#new_in_nss_3.16.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - DTLS 1.2 is supported.
+ - The TLS application layer protocol negotiation (ALPN) extension is also supported on the
+ server side.
+ - RSA-OEAP is supported. Use the new PK11_PrivDecrypt and PK11_PubEncrypt functions with the
+ CKM_RSA_PKCS_OAEP mechanism.
+ - New Intel AES assembly code for 32-bit and 64-bit Windows, contributed by Shay Gueron and Vlad
+ Krasnov of Intel.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_AddExtensionByOID** - adds an extension to a certificate. It is the same as
+ CERT_AddExtension except that the OID is represented by a SECItem instead of a SECOidTag.
+
+ - *in pk11pub.h*
+
+ - **PK11_PrivDecrypt** - decrypts with a private key. The algorithm is specified with a
+ CK_MECHANISM_TYPE.
+ - **PK11_PubEncrypt** - encrypts with a public key. The algorithm is specified with a
+ CK_MECHANISM_TYPE.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in sslerr.h*
+
+ - **SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK** - An SSL error code that means the next protcol
+ negotiation extension was enabled, but the callback was cleared prior to being needed.
+ - **SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL** - An SSL error code that means the server supports
+ no protocols that the client advertises in the ALPN extension.
+
+.. _notable_changes_in_nss_3.16.2:
+
+`Notable Changes in NSS 3.16.2 <#notable_changes_in_nss_3.16.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The btoa command has a new command-line option -w *suffix*, which causes the output to be
+ wrapped in BEGIN/END lines with the given suffix. Use "c" as a shorthand for the suffix
+ CERTIFICATE.
+ - The certutil commands supports additionals types of subject alt name extensions:
+
+ - --extSAN *type:name[,type:name]...*
+
+ - The certutil commands supports generic certificate extensions, by loading binary data from
+ files, which have been prepared using external tools, or which have been extracted and dumped
+ to file from other existing certificates:
+
+ - --dump-ext-val *OID*
+ - --extGeneric *OID:critical-flag:filename[,OID:critical-flag:filename]...*
+
+ - The certutil command has three new certificate usage specifiers:
+
+ - L: certificateUsageSSLCA
+ - A: certificateUsageAnyCA
+ - Y: certificateUsageVerifyCA
+
+ - The pp command has a new command-line option -u, which means "use UTF-8". The default is to
+ show a non-ASCII character as ".".
+ - On Linux, NSS is built with the -ffunction-sections -fdata-sections compiler flags and the
+ --gc-sections linker flag to allow unused functions to be discarded.
+
+.. _bugs_fixed_in_nss_3.16.2:
+
+`Bugs fixed in NSS 3.16.2 <#bugs_fixed_in_nss_3.16.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16.2:
+
+ | https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.2 \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst
new file mode 100644
index 0000000000..4bbf16cc45
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst
@@ -0,0 +1,171 @@
+.. _mozilla_projects_nss_nss_3_16_3_release_notes:
+
+NSS 3.16.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.3 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_3_RTM. NSS 3.16.3 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_3_RTM/src/
+
+.. _new_in_nss_3.16.3:
+
+`New in NSS 3.16.3 <#new_in_nss_3.16.3>`__
+------------------------------------------
+
+.. container::
+
+ This release consists primarily of CA certificate changes as listed below, and fixes an issue
+ with a recently added utility function.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_GetGeneralNameTypeFromString** - An utlity function to lookup a value of type
+ CERTGeneralNameType given a human readable string. This function was already added in NSS
+ 3.16.2, however, it wasn't declared in a public header file.
+
+.. _notable_changes_in_nss_3.16.3:
+
+`Notable Changes in NSS 3.16.3 <#notable_changes_in_nss_3.16.3>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following **1024-bit** CA certificates were **Removed**
+
+ - CN = Entrust.net Secure Server Certification Authority
+
+ - SHA1 Fingerprint: 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
+
+ - CN = GTE CyberTrust Global Root
+
+ - SHA1 Fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+
+ - OU = ValiCert Class 1 Policy Validation Authority
+
+ - SHA1 Fingerprint: E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
+
+ - OU = ValiCert Class 2 Policy Validation Authority
+
+ - SHA1 Fingerprint: 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
+
+ - OU = ValiCert Class 3 Policy Validation Authority
+
+ - SHA1 Fingerprint: 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
+
+ - Additionally, the following CA certificate was **Removed** as requested by the CA
+
+ - OU = TDC Internet Root CA
+
+ - SHA1 Fingerprint: 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A
+
+ - The following CA certificates were **Added**
+
+ - CN = Certification Authority of WoSign
+
+ - SHA1 Fingerprint: B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB
+
+ - CN = CA 沃通根证书
+
+ - SHA1 Fingerprint: 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6
+
+ - CN = DigiCert Assured ID Root G2
+
+ - SHA1 Fingerprint: A1:4B:48:D9:43:EE:0A:0E:40:90:4F:3C:E0:A4:C0:91:93:51:5D:3F
+
+ - CN = DigiCert Assured ID Root G3
+
+ - SHA1 Fingerprint: F5:17:A2:4F:9A:48:C6:C9:F8:A2:00:26:9F:DC:0F:48:2C:AB:30:89
+
+ - CN = DigiCert Global Root G2
+
+ - SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
+
+ - CN = DigiCert Global Root G3
+
+ - SHA1 Fingerprint: 7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E
+
+ - CN = DigiCert Trusted Root G4
+
+ - SHA1 Fingerprint: DD:FB:16:CD:49:31:C9:73:A2:03:7D:3F:C8:3A:4D:7D:77:5D:05:E4
+
+ - CN = QuoVadis Root CA 1 G3
+
+ - SHA1 Fingerprint: 1B:8E:EA:57:96:29:1A:C9:39:EA:B8:0A:81:1A:73:73:C0:93:79:67
+
+ - CN = QuoVadis Root CA 2 G3
+
+ - SHA1 Fingerprint: 09:3C:61:F3:8B:8B:DC:7D:55:DF:75:38:02:05:00:E1:25:F5:C8:36
+
+ - CN = QuoVadis Root CA 3 G3
+
+ - SHA1 Fingerprint: 48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D
+
+ - The **Trust Bits were changed** for the following CA certificates
+
+ - OU = Class 3 Public Primary Certification Authority
+
+ - SHA1 Fingerprint: A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
+ - Turned off websites and code signing trust bits (1024-bit root)
+
+ - OU = Class 3 Public Primary Certification Authority
+
+ - SHA1 Fingerprint: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
+ - Turned off websites and code signing trust bits (1024-bit root)
+
+ - OU = Class 2 Public Primary Certification Authority - G2
+
+ - SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
+ - Turned off code signing trust bit (change requested by CA)
+
+ - CN = VeriSign Class 2 Public Primary Certification Authority - G3
+
+ - SHA-1 Fingerprint: 61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11
+ - Turned off code signing trust bit (change requested by CA)
+
+ - CN = AC Raíz Certicámara S.A.
+
+ - SHA1 Fingerprint: CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36
+ - Turned off websites trust bit (change requested by CA)
+
+ - CN = NetLock Uzleti (Class B) Tanusitvanykiado
+
+ - SHA1 Fingerprint: 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF
+ - Turned off websites and code signing trust bits (1024-bit root)
+
+ - CN = NetLock Expressz (Class C) Tanusitvanykiado
+
+ - SHA1 Fingerprint: E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B
+ - Turned off websites and code signing trust bits (1024-bit root)
+
+.. _bugs_fixed_in_nss_3.16.3:
+
+`Bugs fixed in NSS 3.16.3 <#bugs_fixed_in_nss_3.16.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16.3:
+
+ | https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.3
+ | \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst
new file mode 100644
index 0000000000..697966fbab
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_nss_3_16_4_release_notes:
+
+NSS 3.16.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.4 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_4_RTM. NSS 3.16.4 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_4_RTM/src/
+
+.. _new_in_nss_3.16.4:
+
+`New in NSS 3.16.4 <#new_in_nss_3.16.4>`__
+------------------------------------------
+
+.. container::
+
+ This release consists primarily of CA certificate changes as listed below, and includes a small
+ number of bug fixes.
+
+.. _notable_changes_in_nss_3.16.4:
+
+`Notable Changes in NSS 3.16.4 <#notable_changes_in_nss_3.16.4>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following **1024-bit** root CA certificate was **restored** to allow more time to develop
+ a better transition strategy for affected sites. It was removed in
+ :ref:`mozilla_projects_nss_nss_3_16_3_release_notes`, but discussion in the
+ mozilla.dev.security.policy forum led to the decision to keep this root included longer in
+ order to give website administrators more time to update their web servers.
+
+ - CN = GTE CyberTrust Global Root
+
+ - SHA1 Fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+
+ - In :ref:`mozilla_projects_nss_nss_3_16_3_release_notes`, the **1024-bit** "Entrust.net Secure
+ Server Certification Authority" root CA certificate (SHA1 Fingerprint:
+ 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39) was removed. In NSS 3.16.4, a
+ **2048-bit** intermediate CA certificate has been included, without explicit trust. The
+ intention is to mitigate the effects of the previous removal of the 1024-bit Entrust.net root
+ certificate, because many public Internet sites still use the "USERTrust Legacy Secure Server
+ CA" intermediate certificate that is signed by the 1024-bit Entrust.net root certificate. The
+ inclusion of the intermediate certificate is a temporary measure to allow those sites to
+ function, by allowing them to find a trust path to another **2048-bit** root CA certificate.
+ The temporarily included intermediate certificate expires November 1, 2015.
+
+.. _bugs_fixed_in_nss_3.16.4:
+
+`Bugs fixed in NSS 3.16.4 <#bugs_fixed_in_nss_3.16.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16.4:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.4 \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst
new file mode 100644
index 0000000000..0814f7f2bf
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst
@@ -0,0 +1,98 @@
+.. _mozilla_projects_nss_nss_3_16_5_release_notes:
+
+NSS 3.16.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.5 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_5_RTM. NSS 3.16.5 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.5 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_5_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.16.5. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1064636 <https://bugzilla.mozilla.org/show_bug.cgi?id=1064636>`__ - (CVE-2014-1568) RSA
+ Signature Forgery in NSS. See also `MFSA
+ 2014-73 <https://www.mozilla.org/security/announce/2014/mfsa2014-73.html>`__ for details.
+
+.. _new_in_nss_3.16.5:
+
+`New in NSS 3.16.5 <#new_in_nss_3.16.5>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix a bug that
+ caused NSS to accept forged RSA signatures.
+
+ A new symbol, \_SGN_VerifyPKCS1DigestInfo is exported in this release. As with all exported NSS
+ symbols that have a leading underscore '_', this is an internal symbol for NSS use only.
+ Applications that use or depend on these symbols can and will break in future NSS releases.
+
+.. _bugs_fixed_in_nss_3.16.5:
+
+`Bugs fixed in NSS 3.16.5 <#bugs_fixed_in_nss_3.16.5>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 1064636 <https://bugzilla.mozilla.org/show_bug.cgi?id=1064636>`__ - (CVE-2014-1568) RSA
+ Signature Forgery in NSS
+
+`Acknowledgements <#acknowledgements>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ The NSS development team would like to thank Antoine Delignat-Lavaud, security researcher at
+ Inria Paris in team Prosecco, and the Advanced Threat Research team at Intel Security, who both
+ independently discovered and reported this issue, for responsibly disclosing the issue by
+ providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.16.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst
new file mode 100644
index 0000000000..0dd9ff3ada
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst
@@ -0,0 +1,81 @@
+.. _mozilla_projects_nss_nss_3_16_6_release_notes:
+
+NSS 3.16.6 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.6 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.6 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_6_RTM. NSS 3.16.6 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.6 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_6_RTM/src/
+
+.. _new_in_nss_3.16.6:
+
+`New in NSS 3.16.6 <#new_in_nss_3.16.6>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix a regression.
+
+.. _notable_changes_in_nss_3.16.6:
+
+`Notable Changes in NSS 3.16.6 <#notable_changes_in_nss_3.16.6>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1049435 <https://bugzilla.mozilla.org/show_bug.cgi?id=1049435>`__: Change
+ RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2
+ that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated
+ by other crypto libraries.
+
+.. _bugs_fixed_in_nss_3.16.6:
+
+`Bugs fixed in NSS 3.16.6 <#bugs_fixed_in_nss_3.16.6>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1049435 <https://bugzilla.mozilla.org/show_bug.cgi?id=1049435>`__ - Importing an RSA
+ private key fails if p < q
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.16.6 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.6 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst
new file mode 100644
index 0000000000..212a599e92
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst
@@ -0,0 +1,98 @@
+.. _mozilla_projects_nss_nss_3_16_release_notes:
+
+NSS 3.16 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.16, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_RTM. NSS 3.16 requires NSPR 4.10.3 or newer.
+
+ NSS 3.16 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_RTM/src/
+
+.. _new_in_nss_3.16:
+
+`New in NSS 3.16 <#new_in_nss_3.16>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Supports the Linux x32 ABI. (This requires NSPR 4.10.4.) To build for the Linux x32 target,
+ set the environment variable USE_X32=1 when building NSS.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cms.h*
+
+ - **NSS_CMSSignerInfo_Verify** - verify the signature of a single SignerInfo. It just
+ verifies the signature, assuming that the certificate has been verified already.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in sslproto.h*
+
+ - **TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.** - cipher suites that were
+ first defined in SSL 3.0 can now be referred to with their official IANA names in TLS, with
+ the TLS\_ prefix. Previously, they had to be referred to with their names in SSL 3.0, with
+ the SSL\_ prefix.
+
+.. _notable_changes_in_nss_3.16:
+
+`Notable Changes in NSS 3.16 <#notable_changes_in_nss_3.16>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - ECC is enabled by default. It is no longer necessary to set the environment variable
+ NSS_ENABLE_ECC=1 when building NSS. To disable ECC, set the environment variable
+ NSS_DISABLE_ECC=1 when building NSS.
+ - `Bug 903885 <https://bugzilla.mozilla.org/show_bug.cgi?id=903885>`__: (CVE-2014-1492) In a
+ wildcard certificate, the wildcard character should not be embedded within the U-label of an
+ internationalized domain name. See the last bullet point in `RFC 6125, Section
+ 7.2 <https://datatracker.ietf.org/doc/html/rfc6125#section-7.2>`__.
+ - `Bug 962760 <https://bugzilla.mozilla.org/show_bug.cgi?id=962760>`__: libpkix should not
+ include the common name of CA as DNS names when evaluating name constraints.
+ - `Bug 981170 <https://bugzilla.mozilla.org/show_bug.cgi?id=981170>`__: AESKeyWrap_Decrypt
+ should not return SECSuccess for invalid keys.
+ - `Bug 974693 <https://bugzilla.mozilla.org/show_bug.cgi?id=974693>`__: Fix a memory corruption
+ in sec_pkcs12_new_asafe.
+ - `Bug 956082 <https://bugzilla.mozilla.org/show_bug.cgi?id=956082>`__: If the NSS_SDB_USE_CACHE
+ environment variable is set, skip the runtime test sdb_measureAccess.
+ - The built-in roots module has been updated to version 1.97, which adds, removes, and distrusts
+ several certificates.
+ - The atob utility has been improved to automatically ignore lines of text that aren't in base64
+ format.
+ - The certutil utility has been improved to support creation of version 1 and version 2
+ certificates, in addition to the existing version 3 support.
+
+.. _bugs_fixed_in_nss_3.16:
+
+`Bugs fixed in NSS 3.16 <#bugs_fixed_in_nss_3.16>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16 \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst
new file mode 100644
index 0000000000..cc1f7a711a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst
@@ -0,0 +1,132 @@
+.. _mozilla_projects_nss_nss_3_17_1_release_notes:
+
+NSS 3.17.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.17.1 is a patch release for NSS 3.17. The bug fixes in NSS
+ 3.17.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_17_1_RTM. NSS 3.17.1 requires NSPR 4.10.7 or newer.
+
+ NSS 3.17.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_1_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.17.1. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1064636 <https://bugzilla.mozilla.org/show_bug.cgi?id=1064636>`__ - (CVE-2014-1568) RSA
+ Signature Forgery in NSS. See also `MFSA
+ 2014-73 <https://www.mozilla.org/security/announce/2014/mfsa2014-73.html>`__ for details.
+
+.. _new_in_nss_3.17.1:
+
+`New in NSS 3.17.1 <#new_in_nss_3.17.1>`__
+------------------------------------------
+
+.. container::
+
+ This patch release adds new functionality and fixes a bug that caused NSS to accept forged RSA
+ signatures.
+
+ A new symbol, \_SGN_VerifyPKCS1DigestInfo is exported in this release. As with all exported NSS
+ symbols that have a leading underscore '_', this is an internal symbol for NSS use only.
+ Applications that use or depend on these symbols can and will break in future NSS releases.
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `TLS_FALLBACK_SCSV <https://datatracker.ietf.org/doc/html/draft-ietf-tls-downgrade-scsv-00>`__
+ is a signaling cipher suite value that indicates a handshake is the result of TLS version
+ fallback.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in ssl.h*
+
+ - **SSL_ENABLE_FALLBACK_SCSV** - an SSL socket option that enables TLS_FALLBACK_SCSV. Off by
+ default.
+
+ - *in sslerr.h*
+
+ - **SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT** - a new SSL error code.
+
+ - *in sslproto.h*
+
+ - **TLS_FALLBACK_SCSV** - a signaling cipher suite value that indicates a handshake is the
+ result of TLS version fallback.
+
+.. _notable_changes_in_nss_3.17.1:
+
+`Notable Changes in NSS 3.17.1 <#notable_changes_in_nss_3.17.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Signature algorithms now use SHA-256 instead of SHA-1 by
+ default <https://bugzilla.mozilla.org/show_bug.cgi?id=1058933>`__.
+ - Added support for Linux on little-endian powerpc64.
+
+.. _bugs_fixed_in_nss_3.17.1:
+
+`Bugs fixed in NSS 3.17.1 <#bugs_fixed_in_nss_3.17.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ | This Bugzilla query returns all the bugs fixed in NSS 3.17.1:
+ | https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.1
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Antoine Delignat-Lavaud, security researcher at
+ Inria Paris in team Prosecco, and the Advanced Threat Research team at Intel Security, who both
+ independently discovered and reported this issue, for responsibly disclosing the issue by
+ providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.17.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.17.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst
new file mode 100644
index 0000000000..38a4fc9047
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_nss_3_17_2_release_notes:
+
+NSS 3.17.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.17.2 is a patch release for NSS 3.17. The bug fixes in NSS
+ 3.17.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_17_2_RTM. NSS 3.17.2 requires NSPR 4.10.7 or newer.
+
+ NSS 3.17.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_2_RTM/src/
+
+.. _new_in_nss_3.17.2:
+
+`New in NSS 3.17.2 <#new_in_nss_3.17.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix a regression
+ and other bugs.
+
+.. _notable_changes_in_nss_3.17.2:
+
+`Notable Changes in NSS 3.17.2 <#notable_changes_in_nss_3.17.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1049435 <https://bugzilla.mozilla.org/show_bug.cgi?id=1049435>`__: Change
+ RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2
+ that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated
+ by other crypto libraries.
+ - `Bug 1057161 <https://bugzilla.mozilla.org/show_bug.cgi?id=1057161>`__: Check that an imported
+ elliptic curve public key is valid. Previously NSS would only validate the peer's public key
+ before performing ECDH key agreement. Now EC public keys are validated at import time.
+ - `Bug 1078669 <https://bugzilla.mozilla.org/show_bug.cgi?id=1078669>`__: certutil crashes when
+ an argument is passed to the --certVersion option.
+
+.. _bugs_fixed_in_nss_3.17.2:
+
+`Bugs fixed in NSS 3.17.2 <#bugs_fixed_in_nss_3.17.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.17.2:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.2
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.17.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.17.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst
new file mode 100644
index 0000000000..f4ee1ca11f
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst
@@ -0,0 +1,134 @@
+.. _mozilla_projects_nss_nss_3_17_3_release_notes:
+
+NSS 3.17.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.17.3 is a patch release for NSS 3.17. The bug fixes in NSS
+ 3.17.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_17_3_RTM. NSS 3.17.3 requires NSPR 4.10.7 or newer.
+
+ NSS 3.17.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_3_RTM/src/
+
+.. _new_in_nss_3.17.3:
+
+`New in NSS 3.17.3 <#new_in_nss_3.17.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Support for TLS_FALLBACK_SCSV has been added to the ssltap and tstclnt utilities.
+
+.. _notable_changes_in_nss_3.17.3:
+
+`Notable Changes in NSS 3.17.3 <#notable_changes_in_nss_3.17.3>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The QuickDER decoder now decodes lengths robustly (CVE-2014-1569).
+ - The following CA certificates were **Removed**
+
+ - CN = GTE CyberTrust Global Root
+
+ - SHA1 Fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+
+ - CN = Thawte Server CA
+
+ - SHA1 Fingerprint: 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
+
+ - CN = Thawte Premium Server CA
+
+ - SHA1 Fingerprint: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
+
+ - CN = America Online Root Certification Authority 1
+
+ - SHA-1 Fingerprint: 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
+
+ - CN = America Online Root Certification Authority 2
+
+ - SHA-1 Fingerprint: 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
+
+ - The following CA certificates had the Websites and Code Signing **trust bits turned off**
+
+ - OU = Class 3 Public Primary Certification Authority - G2
+
+ - SHA1 Fingerprint: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
+
+ - CN = Equifax Secure eBusiness CA-1
+
+ - SHA1 Fingerprint: DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
+
+ - The following CA certificates were **Added**
+
+ - CN = COMODO RSA Certification Authority
+
+ - SHA1 Fingerprint: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
+
+ - CN = USERTrust RSA Certification Authority
+
+ - SHA1 Fingerprint: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
+
+ - CN = USERTrust ECC Certification Authority
+
+ - SHA1 Fingerprint: D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0
+
+ - CN = GlobalSign ECC Root CA - R4
+
+ - SHA1 Fingerprint: 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
+
+ - CN = GlobalSign ECC Root CA - R5
+
+ - SHA1 Fingerprint: 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA
+
+ - The version number of the updated root CA list has been set to 2.2
+
+.. _bugs_fixed_in_nss_3.17.3:
+
+`Bugs fixed in NSS 3.17.3 <#bugs_fixed_in_nss_3.17.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.17.3:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.3
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.17.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.17.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst
new file mode 100644
index 0000000000..ce46881724
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst
@@ -0,0 +1,90 @@
+.. _mozilla_projects_nss_nss_3_17_4_release_notes:
+
+NSS 3.17.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.17.4 is a patch release for NSS 3.17. The bug fixes in NSS
+ 3.17.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_17_4_RTM. NSS 3.17.4 requires NSPR 4.10.7 or newer.
+
+ NSS 3.17.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_4_RTM/src/
+
+.. _new_in_nss_3.17.4:
+
+`New in NSS 3.17.4 <#new_in_nss_3.17.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix multiple bugs.
+
+.. _notable_changes_in_nss_3.17.4:
+
+`Notable Changes in NSS 3.17.4 <#notable_changes_in_nss_3.17.4>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1084986 <https://bugzilla.mozilla.org/show_bug.cgi?id=1084986>`__: If an SSL/TLS
+ connection fails, because client and server don't have any common protocol version enabled,
+ NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
+ SSL_ERROR_NO_CYPHER_OVERLAP).
+ - `Bug 1112461 <https://bugzilla.mozilla.org/show_bug.cgi?id=1112461>`__: libpkix was fixed to
+ prefer the newest certificate, if multiple certificates match.
+ - `Bug 1094492 <https://bugzilla.mozilla.org/show_bug.cgi?id=1094492>`__: fixed a memory
+ corruption issue during failure of keypair generation.
+ - `Bug 1113632 <https://bugzilla.mozilla.org/show_bug.cgi?id=1113632>`__: fixed a failure to
+ reload a PKCS#11 module in FIPS mode.
+ - `Bug 1119983 <https://bugzilla.mozilla.org/show_bug.cgi?id=1119983>`__: fixed interoperability
+ of NSS server code with a LibreSSL client.
+
+.. _bugs_fixed_in_nss_3.17.4:
+
+`Bugs fixed in NSS 3.17.4 <#bugs_fixed_in_nss_3.17.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.17.4:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.4
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.17.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.17.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst
new file mode 100644
index 0000000000..8dff4484ea
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst
@@ -0,0 +1,72 @@
+.. _mozilla_projects_nss_nss_3_17_release_notes:
+
+NSS 3.17 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.17, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_17_RTM. NSS 3.17 requires NSPR 4.10.7 or newer.
+
+ NSS 3.17 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_RTM/src/
+
+.. _new_in_nss_3.17:
+
+`New in NSS 3.17 <#new_in_nss_3.17>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - When using ECDHE, the TLS server code may be configured to generate a fresh ephemeral ECDH key
+ for each handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
+ SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the server's ephemeral ECDH
+ key is reused for multiple handshakes. This option does not affect the TLS client code, which
+ always generates a fresh ephemeral ECDH key for each handshake.
+
+ New Macros
+
+ - *in ssl.h*
+
+ - **SSL_REUSE_SERVER_ECDHE_KEY**
+
+.. _notable_changes_in_nss_3.17:
+
+`Notable Changes in NSS 3.17 <#notable_changes_in_nss_3.17>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The manual pages for the certutil and pp tools have been updated to document the new
+ parameters that had been added in NSS 3.16.2.
+ - On Windows, the new build variable USE_STATIC_RTL can be used to specify the static C runtime
+ library should be used. By default the dynamic C runtime library is used.
+
+.. _bugs_fixed_in_nss_3.17:
+
+`Bugs fixed in NSS 3.17 <#bugs_fixed_in_nss_3.17>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.17:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17 \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst
new file mode 100644
index 0000000000..33d2dae71e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst
@@ -0,0 +1,105 @@
+.. _mozilla_projects_nss_nss_3_18_1_release_notes:
+
+NSS 3.18.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.18.1 is a patch release for NSS 3.18. The bug fixes in NSS
+ 3.18.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_18_1_RTM. NSS 3.18.1 requires NSPR 4.10.8 or newer.
+
+ NSS 3.18.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_18_1_RTM/src/
+
+.. _new_in_nss_3.18.1:
+
+`New in NSS 3.18.1 <#new_in_nss_3.18.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates.
+
+.. _notable_changes_in_nss_3.18.1:
+
+`Notable Changes in NSS 3.18.1 <#notable_changes_in_nss_3.18.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificate had the Websites and Code Signing trust **bits restored to their
+ original state** to allow more time to develop a better transition strategy for affected
+ sites. The Websites and Code Signing trust bits were turned off in
+ :ref:`mozilla_projects_nss_nss_3_18_release_notes`. But when Firefox 38 went into Beta, there
+ was a huge spike in the number of certificate verification errors attributed to this change.
+ So, to give website administrators more time to update their web servers, we reverted the
+ trust bits back to being enabled.
+
+ - OU = Equifax Secure Certificate Authority
+
+ - SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+
+ - The following CA certificate was **removed** after `discussion about
+ it <https://groups.google.com/d/msg/mozilla.dev.security.policy/LKJO9W5dkSY/9VjSJhRfraIJ>`__
+ in the mozilla.dev.security.policy forum\ **.**
+
+ - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
+
+ - SHA1 Fingerprint: DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
+
+ - The following intermediate CA certificate has been added as `actively
+ distrusted <https://wiki.mozilla.org/CA:MaintenanceAndEnforcement#Actively_Distrusting_a_Certificate>`__
+ because it was
+ `misused <https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/>`__ to
+ issue certificates for domain names the holder did not own or control.
+
+ - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG
+
+ - SHA1 Fingerprint: E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76
+
+ - The version number of the updated root CA list has been set to 2.4
+
+.. _bugs_fixed_in_nss_3.18.1:
+
+`Bugs fixed in NSS 3.18.1 <#bugs_fixed_in_nss_3.18.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.18.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.18.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.18.1 shared libraries are backward compatible with all older NSS 3.18 shared libraries. A
+ program linked with older NSS 3.18 shared libraries will work with NSS 3.18.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst
new file mode 100644
index 0000000000..8be06abbbe
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst
@@ -0,0 +1,169 @@
+.. _mozilla_projects_nss_nss_3_18_release_notes:
+
+NSS 3.18 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.18, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_18_RTM. NSS 3.18 requires NSPR 4.10.8 or newer.
+
+ NSS 3.18 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_18_RTM/src/
+
+.. _new_in_nss_3.18:
+
+`New in NSS 3.18 <#new_in_nss_3.18>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - When importing certificates and keys from a PKCS#12 source, it's now possible to override the
+ nicknames, prior to importing them into the NSS database, using new API
+ SEC_PKCS12DecoderRenameCertNicknames.
+ - The tstclnt test utility program has new command-line options -C, -D, -b and -R.
+ Use -C one, two or three times to print information about the certificates received from a
+ server, and information about the locally found and trusted issuer certificates, to diagnose
+ server side configuration issues. It is possible to run tstclnt without providing a database
+ (-D). A PKCS#11 library that contains root CA certificates can be loaded by tstclnt, which may
+ either be the nssckbi library provided by NSS (-b) or another compatible library (-R).
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in certdb.h*
+
+ - **SEC_CheckCrlTimes** - Check the validity of a CRL at the given time.
+ - **SEC_GetCrlTimes** - Extract the validity times from a CRL.
+
+ - *in p12.h*
+
+ - **SEC_PKCS12DecoderRenameCertNicknames** - call an application provided callback for each
+ certificate found in a SEC_PKCS12DecoderContext.
+
+ - *in pk11pub.h*
+
+ - **\__PK11_SetCertificateNickname** - this is an internal symbol for NSS use only, as with
+ all exported NSS symbols that have a leading underscore '_'. Applications that use or
+ depend on these symbols can and will break in future NSS releases.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in p12.h*
+
+ - **SEC_PKCS12NicknameRenameCallback** - a function pointer definition. An application that
+ uses SEC_PKCS12DecoderRenameCertNicknames must implement a callback function that
+ implements this function interface.
+
+.. _notable_changes_in_nss_3.18:
+
+`Notable Changes in NSS 3.18 <#notable_changes_in_nss_3.18>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The highest TLS protocol version enabled by default has been increased from TLS 1.0 to TLS
+ 1.2. Similarly, the highest DTLS protocol version enabled by default has been increased from
+ DTLS 1.0 to DTLS 1.2.
+ - The default key size used by certutil when creating an RSA key pair has been increased from
+ 1024 bits to 2048 bits.
+ - On Mac OS X, by default the softokn shared library will link with the sqlite library installed
+ by the operating system, if it is version 3.5 or newer.
+ - The following CA certificates had the Websites and Code Signing **trust bits turned off**
+
+ - OU = Equifax Secure Certificate Authority
+
+ - SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+
+ - CN = Equifax Secure Global eBusiness CA-1
+
+ - SHA1 Fingerprint: 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
+
+ - CN = TC TrustCenter Class 3 CA II
+
+ - SHA1 Fingerprint: 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
+
+ - The following CA certificates were **Added**
+
+ - CN = Staat der Nederlanden Root CA - G3
+
+ - SHA1 Fingerprint: D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC
+
+ - CN = Staat der Nederlanden EV Root CA
+
+ - SHA1 Fingerprint: 76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
+
+ - CN = IdenTrust Commercial Root CA 1
+
+ - SHA1 Fingerprint: DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
+
+ - CN = IdenTrust Public Sector Root CA 1
+
+ - SHA1 Fingerprint: BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD
+
+ - CN = S-TRUST Universal Root CA
+
+ - SHA1 Fingerprint: 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
+
+ - CN = Entrust Root Certification Authority - G2
+
+ - SHA1 Fingerprint: 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4
+
+ - CN = Entrust Root Certification Authority - EC1
+
+ - SHA1 Fingerprint: 20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47
+
+ - CN = CFCA EV ROOT
+
+ - SHA1 Fingerprint: E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83
+
+ - The version number of the updated root CA list has been set to 2.3
+
+.. _bugs_fixed_in_nss_3.18:
+
+`Bugs fixed in NSS 3.18 <#bugs_fixed_in_nss_3.18>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.18:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.18
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.18 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.18 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst
new file mode 100644
index 0000000000..c8ddaeb613
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst
@@ -0,0 +1,113 @@
+.. _mozilla_projects_nss_nss_3_19_1_release_notes:
+
+NSS 3.19.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.1 is a security release for NSS 3.19. The bug fixes in NSS
+ 3.19.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_1_RTM. NSS 3.19.1 requires NSPR 4.10.8 or newer.
+
+ NSS 3.19.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_1_RTM/src/
+
+.. _security_fixes_in_nss_3.19.1:
+
+`Security Fixes in NSS 3.19.1 <#security_fixes_in_nss_3.19.1>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug
+ 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ / `CVE-2015-4000 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000>`__ -
+ The minimum strength of keys that libssl will accept for finite field algorithms (RSA,
+ Diffie-Hellman, and DSA) have been increased to 1023 bits.
+
+.. _new_in_nss_3.19.1:
+
+`New in NSS 3.19.1 <#new_in_nss_3.19.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This patch release includes a fix for the
+ recently published `logjam attack <https://weakdh.org/>`__.
+
+.. _notable_changes_in_nss_3.19.1:
+
+`Notable Changes in NSS 3.19.1 <#notable_changes_in_nss_3.19.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - NSS reports the bit length of keys more accurately. Thus, the SECKEY_PublicKeyStrength and
+ SECKEY_PublicKeyStrengthInBits functions could report smaller values for values that have
+ leading zero values. This affects the key strength values that are reported by
+ SSL_GetChannelInfo.
+ - The minimum size of keys that NSS will generate, import, or use has been raised:
+
+ - The minimum modulus size for RSA keys is now 512 bits
+ - The minimum modulus size for DSA keys is now 1023 bits
+ - The minimum modulus size for Diffie-Hellman keys is now 1023 bits
+
+.. _bugs_fixed_in_nss_3.19.1:
+
+`Bugs fixed in NSS 3.19.1 <#bugs_fixed_in_nss_3.19.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.19.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.19.1
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Matthew Green and Karthikeyan Bhargavan for
+ responsibly disclosing the issue in `bug
+ 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+ **Note:** NSS 3.19.1 increases the minimum size of keys it is willing to use. This has been shown
+ to break some applications. :ref:`mozilla_projects_nss_nss_3_19_2_release_notes` reverts the
+ behaviour to the NSS 3.19 and earlier limits.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst
new file mode 100644
index 0000000000..1e0c918e40
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_nss_3_19_2_1_release_notes:
+
+NSS 3.19.2.1 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2.1 is a patch release for NSS 3.19.2. The bug fixes in NSS
+ 3.19.2.1 are described in the "Security Advisories" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_1_RTM. NSS 3.19.2.1 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.2.1 and NSPR 4.10.10 source distributions are available on ftp.mozilla.org for secure
+ HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_1_RTM/src/
+ https://ftp.mozilla.org/pub/nspr/releases/v4.10.10/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.19.2.1. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1192028 <https://bugzilla.mozilla.org/show_bug.cgi?id=1192028>`__ (CVE-2015-7181) and
+ `Bug 1202868 <https://bugzilla.mozilla.org/show_bug.cgi?id=1202868>`__ (CVE-2015-7182):
+ Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data.
+ While the majority of NSS uses a separate, unaffected DER decoder, several public routines
+ also accept BER data, and thus are affected. An attacker that successfully exploited these
+ issues can overflow the heap and may be able to obtain remote code execution.
+
+ | The following security-relevant bugs have been resolved in NSPR 4.10.10, which affect NSS.
+ | Because NSS includes portions of the affected NSPR code at build time, it is necessary to use
+ NSPR 4.10.10 when building NSS.
+
+ - `Bug 1205157 <https://bugzilla.mozilla.org/show_bug.cgi?id=1205157>`__ (NSPR, CVE-2015-7183):
+ A logic bug in the handling of large allocations would allow exceptionally large allocations
+ to be reported as successful, without actually allocating the requested memory. This may allow
+ attackers to bypass security checks and obtain control of arbitrary memory.
+
+.. _new_in_nss_3.19.2.1:
+
+`New in NSS 3.19.2.1 <#new_in_nss_3.19.2.1>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix
+ security-relevant bugs.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst
new file mode 100644
index 0000000000..847ad06446
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_19_2_2_release_notes:
+
+NSS 3.19.2.2 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2.2 is a security patch release for NSS 3.19.2. The bug
+ fixes in NSS 3.19.2.2 are described in the "Security Fixes" section below.
+
+ (Current users of NSS 3.19.3 or NSS 3.19.4 are advised to update to
+ :ref:`mozilla_projects_nss_nss_3_20_2_release_notes`,
+ :ref:`mozilla_projects_nss_nss_3_21_release_notes`, or a later release.)
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_2_RTM. NSS 3.19.2.2 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.2.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_2_RTM/src/
+
+.. _security_fixes_in_nss_3.19.2.2:
+
+`Security Fixes in NSS 3.19.2.2 <#security_fixes_in_nss_3.19.2.2>`__
+--------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1158489 <https://bugzilla.mozilla.org/show_bug.cgi?id=1158489>`__
+ ` <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ /
+ `CVE-2015-7575 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>`__ - Prevent
+ MD5 Downgrade in TLS 1.2 Signatures.
+
+.. _new_in_nss_3.19.2.2:
+
+`New in NSS 3.19.2.2 <#new_in_nss_3.19.2.2>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Karthikeyan Bhargavan from
+ `INRIA <http://inria.fr/>`__ for responsibly disclosing the issue in `Bug
+ 1158489 <https://bugzilla.mozilla.org/show_bug.cgi?id=1158489>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst
new file mode 100644
index 0000000000..317f0cdd1a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_19_2_3_release_notes:
+
+NSS 3.19.2.3 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2.3 is a security patch release for NSS 3.19.2. The bug
+ fixes in NSS 3.19.2.3 are described in the "Security Fixes" section below.
+
+ (Current users of NSS 3.19.3, NSS 3.19.4 or NSS 3.20.x are advised to update to
+ :ref:`mozilla_projects_nss_nss_3_21_1_release_notes`,
+ :ref:`mozilla_projects_nss_nss_3_22_2_release_notes`, or a later release.)
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_3_RTM. NSS 3.19.2.3 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.2.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_3_RTM/src/
+
+.. _new_in_nss_3.19.2.3:
+
+`New in NSS 3.19.2.3 <#new_in_nss_3.19.2.3>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.19.2.3:
+
+`Security Fixes in NSS 3.19.2.3 <#security_fixes_in_nss_3.19.2.3>`__
+--------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1245528 <https://bugzilla.mozilla.org/show_bug.cgi?id=1245528>`__ /
+ `CVE-2016-1950 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950>`__ - Fixed a
+ heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker
+ could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or
+ execution of arbitrary code with the permissions of the user.
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank security researcher Francis Gabriel for responsibly
+ disclosing the issue in `Bug 1245528 <https://bugzilla.mozilla.org/show_bug.cgi?id=1245528>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst
new file mode 100644
index 0000000000..ffb6c2b177
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst
@@ -0,0 +1,82 @@
+.. _mozilla_projects_nss_nss_3_19_2_4_release_notes:
+
+NSS 3.19.2.4 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2.4 is a security patch release for NSS 3.19.2. The bug
+ fixed in NSS 3.19.2.4 have been described in the "Security Fixes" section below.
+
+ (Current users of NSS 3.19.3, NSS 3.19.4 or NSS 3.20.x are advised to update to
+ :ref:`mozilla_projects_nss_nss_3_21_1_release_notes`,
+ :ref:`mozilla_projects_nss_nss_3_22_2_release_notes` or a later release.)
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_4_RTM. NSS 3.19.2.4 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.2.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_4_RTM/src/
+
+.. _new_in_nss_3.19.2.4:
+
+`New in NSS 3.19.2.4 <#new_in_nss_3.19.2.4>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality has been introduced in this release.
+
+.. _security_fixes_in_nss_3.19.2.4:
+
+`Security Fixes in NSS 3.19.2.4 <#security_fixes_in_nss_3.19.2.4>`__
+--------------------------------------------------------------------
+
+.. container::
+
+ The following security fixes from NSS 3.21 have been backported to NSS 3.19.2.4:
+
+ - `Bug 1185033 <https://bugzilla.mozilla.org/show_bug.cgi?id=1185033>`__ /
+ `CVE-2016-1979 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1979>`__ -
+ Use-after-free during processing of DER encoded keys in NSS
+ - `Bug 1209546 <https://bugzilla.mozilla.org/show_bug.cgi?id=1209546>`__ /
+ `CVE-2016-1978 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1978>`__ -
+ Use-after-free in NSS during SSL connections in low memory
+ - `Bug 1190248 <https://bugzilla.mozilla.org/show_bug.cgi?id=1190248>`__ /
+ `CVE-2016-1938 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1938>`__ - Errors in
+ mp_div and mp_exptmod cryptographic functions in NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict the use of NSS APIs to
+ the functions listed in NSS Public Functions will remain compatible with future versions of the
+ NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst
new file mode 100644
index 0000000000..be8643aac9
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst
@@ -0,0 +1,94 @@
+.. _mozilla_projects_nss_nss_3_19_2_release_notes:
+
+NSS 3.19.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2 is a patch release for NSS 3.19 that addresses
+ compatibility issues in NSS 3.19.1.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_RTM. NSS 3.19.2 requires NSPR 4.10.8 or newer.
+
+ NSS 3.19.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_RTM/src/
+
+.. _new_in_nss_3.19.2:
+
+`New in NSS 3.19.2 <#new_in_nss_3.19.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _notable_changes_in_nss_3.19.2:
+
+`Notable Changes in NSS 3.19.2 <#notable_changes_in_nss_3.19.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1172128 <https://bugzilla.mozilla.org/show_bug.cgi?id=1172128>`__ - In NSS 3.19.1, the
+ minimum key sizes that the freebl cryptographic implementation (part of the softoken
+ cryptographic module used by default by NSS) was willing to generate or use was increased -
+ for RSA keys, to 512 bits, and for DH keys, 1023 bits. This was done as part of a security fix
+ for `Bug 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ /
+ `CVE-2015-4000 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000>`__.
+ Applications that requested or attempted to use keys smaller then the minimum size would fail.
+ However, this change in behaviour unintentionally broke existing NSS applications that need to
+ generate or use such keys, via APIs such as SECKEY_CreateRSAPrivateKey or
+ SECKEY_CreateDHPrivateKey.
+ In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix for `Bug
+ 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ has been moved to libssl,
+ and will now only affect the minimum keystrengths used in SSL/TLS.
+ **Note:** Future versions of NSS *may* increase the minimum keysizes required by the freebl
+ module. Consumers of NSS are **strongly** encouraged to migrate to stronger cryptographic
+ strengths as soon as possible.
+
+.. _bugs_fixed_in_nss_3.19.2:
+
+`Bugs fixed in NSS 3.19.2 <#bugs_fixed_in_nss_3.19.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.19.2:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.19.2
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst
new file mode 100644
index 0000000000..40cd773736
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst
@@ -0,0 +1,117 @@
+.. _mozilla_projects_nss_nss_3_19_3_release_notes:
+
+NSS 3.19.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.3 is a patch release for NSS 3.19. The bug fixes in NSS
+ 3.19.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_3_RTM. NSS 3.19.3 requires NSPR 4.10.8 or newer.
+
+ NSS 3.19.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_3_RTM/src/
+
+.. _new_in_nss_3.19.3:
+
+`New in NSS 3.19.3 <#new_in_nss_3.19.3>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates.
+
+.. _notable_changes_in_nss_3.19.3:
+
+`Notable Changes in NSS 3.19.3 <#notable_changes_in_nss_3.19.3>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Removed**
+
+ - CN = Buypass Class 3 CA 1
+
+ - SHA1 Fingerprint: 61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71
+
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+
+ - SHA1 Fingerprint: 79:98:A3:08:E1:4D:65:85:E6:C2:1E:15:3A:71:9F:BA:5A:D3:4A:D9
+
+ - CN = SG TRUST SERVICES RACINE
+
+ - SHA1 Fingerprint: 0C:62:8F:5C:55:70:B1:C9:57:FA:FD:38:3F:B0:3D:7B:7D:D7:B9:C6
+
+ - CN = TC TrustCenter Universal CA I
+
+ - SHA-1 Fingerprint: 6B:2F:34:AD:89:58:BE:62:FD:B0:6B:5C:CE:BB:9D:D9:4F:4E:39:F3
+
+ - CN = TC TrustCenter Class 2 CA II
+
+ - SHA-1 Fingerprint: AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
+
+ - The following CA certificate had the Websites **trust bit turned off**
+
+ - CN = ComSign Secured CA
+
+ - SHA1 Fingerprint: F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
+
+ - The following CA certificates were **Added**
+
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
+
+ - SHA1 Fingerprint: C4:18:F6:4D:46:D1:DF:00:3D:27:30:13:72:43:A9:12:11:C6:75:FB
+
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+
+ - SHA1 Fingerprint: 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
+
+ - CN = Certinomis - Root CA
+
+ - SHA1 Fingerprint: 9D:70:BB:01:A5:A4:A0:18:11:2E:F7:1C:01:B9:32:C5:34:E7:88:A8
+
+ - The version number of the updated root CA list has been set to 2.5
+
+.. _bugs_fixed_in_nss_3.19.3:
+
+`Bugs fixed in NSS 3.19.3 <#bugs_fixed_in_nss_3.19.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.19.3:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.19.3
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.3 shared libraries are backward compatible with all older NSS 3.19 shared libraries. A
+ program linked with older NSS 3.19 shared libraries will work with NSS 3.19.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst
new file mode 100644
index 0000000000..9f778190b1
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_nss_3_19_4_release_notes:
+
+NSS 3.19.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.4 is a patch release for NSS 3.19. The bug fixes in NSS
+ 3.19.4 are described in the "Security Advisories" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_4_RTM. NSS 3.19.4 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.4 and NSPR 4.10.10 source distributions are available on ftp.mozilla.org for secure
+ HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_4_RTM/src/
+ https://ftp.mozilla.org/pub/nspr/releases/v4.10.10/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.19.4. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1192028 <https://bugzilla.mozilla.org/show_bug.cgi?id=1192028>`__ (CVE-2015-7181) and
+ `Bug 1202868 <https://bugzilla.mozilla.org/show_bug.cgi?id=1202868>`__ (CVE-2015-7182):
+ Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data.
+ While the majority of NSS uses a separate, unaffected DER decoder, several public routines
+ also accept BER data, and thus are affected. An attacker that successfully exploited these
+ issues can overflow the heap and may be able to obtain remote code execution.
+
+ | The following security-relevant bugs have been resolved in NSPR 4.10.10, which affect NSS.
+ | Because NSS includes portions of the affected NSPR code at build time, it is necessary to use
+ NSPR 4.10.10 when building NSS.
+
+ - `Bug 1205157 <https://bugzilla.mozilla.org/show_bug.cgi?id=1205157>`__ (NSPR, CVE-2015-7183):
+ A logic bug in the handling of large allocations would allow exceptionally large allocations
+ to be reported as successful, without actually allocating the requested memory. This may allow
+ attackers to bypass security checks and obtain control of arbitrary memory.
+
+.. _new_in_nss_3.19.4:
+
+`New in NSS 3.19.4 <#new_in_nss_3.19.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix
+ security-relevant bugs.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst
new file mode 100644
index 0000000000..f0da35b220
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst
@@ -0,0 +1,119 @@
+.. _mozilla_projects_nss_nss_3_19_release_notes:
+
+NSS 3.19 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.19, which is a minor
+ security release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_RTM. NSS 3.19 requires NSPR 4.10.8 or newer.
+
+ NSS 3.19 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_RTM/src/
+
+.. _security_fixes_in_nss_3.19:
+
+`Security Fixes in NSS 3.19 <#security_fixes_in_nss_3.19>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1086145 <https://bugzilla.mozilla.org/show_bug.cgi?id=1086145>`__ /
+ `CVE-2015-2721 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2721>`__ - Fixed a
+ bug related to the ordering of TLS handshake messages. This was also known
+ as `SMACK <https://www.smacktls.com/>`__.
+
+.. _new_in_nss_3.19:
+
+`New in NSS 3.19 <#new_in_nss_3.19>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - For some certificates, such as root CA certificates that don't embed any constraints, NSS
+ might impose additional constraints such as name constraints. A new API
+ (`CERT_GetImposedNameConstraints <http://mxr.mozilla.org/nss/ident?i=CERT_GetImposedNameConstraints>`__) has
+ been added that allows one to lookup imposed constraints.
+ - It is possible to override the directory
+ (`SQLITE_LIB_DIR <https://bugzilla.mozilla.org/show_bug.cgi?id=1138820>`__) in which the NSS
+ build system will look for the sqlite library.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_GetImposedNameConstraints** - Check if any imposed constraints exist for the given
+ certificate, and if found, return the constraints as encoded certificate extensions.
+
+.. _notable_changes_in_nss_3.19:
+
+`Notable Changes in NSS 3.19 <#notable_changes_in_nss_3.19>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The SSL 3 protocol has been disabled by default.
+ - NSS now more strictly validates TLS extensions and will fail a handshake that contains
+ malformed extensions (`bug 753136 <https://bugzilla.mozilla.org/show_bug.cgi?id=753136>`__).
+ - In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm in order to be
+ compatible with TLS servers that use certificates with a SHA512 signature (`bug
+ 1155922 <https://bugzilla.mozilla.org/show_bug.cgi?id=1155922>`__).
+
+.. _bugs_fixed_in_nss_3.19:
+
+`Bugs fixed in NSS 3.19 <#bugs_fixed_in_nss_3.19>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.19:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.19
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Karthikeyan Bhargavan from
+ `INRIA <http://inria.fr/>`__ for responsibly disclosing the issue in `bug
+ 1086145 <https://bugzilla.mozilla.org/show_bug.cgi?id=1086145>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst
new file mode 100644
index 0000000000..3ea1c845f2
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_nss_3_20_1_release_notes:
+
+NSS 3.20.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.20.1 is a patch release for NSS 3.20. The bug fixes in NSS
+ 3.20.1 are described in the "Security Advisories" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_20_1_RTM. NSS 3.20.1 requires NSPR 4.10.10 or newer.
+
+ NSS 3.20.1 and NSPR 4.10.10 source distributions are available on ftp.mozilla.org for secure
+ HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_1_RTM/src/
+ https://ftp.mozilla.org/pub/nspr/releases/v4.10.10/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.20.1. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1192028 <https://bugzilla.mozilla.org/show_bug.cgi?id=1192028>`__ (CVE-2015-7181) and
+ `Bug 1202868 <https://bugzilla.mozilla.org/show_bug.cgi?id=1202868>`__ (CVE-2015-7182):
+ Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data.
+ While the majority of NSS uses a separate, unaffected DER decoder, several public routines
+ also accept BER data, and thus are affected. An attacker that successfully exploited these
+ issues can overflow the heap and may be able to obtain remote code execution.
+
+ | The following security-relevant bugs have been resolved in NSPR 4.10.10, which affect NSS.
+ | Because NSS includes portions of the affected NSPR code at build time, it is necessary to use
+ NSPR 4.10.10 when building NSS.
+
+ - `Bug 1205157 <https://bugzilla.mozilla.org/show_bug.cgi?id=1205157>`__ (NSPR, CVE-2015-7183):
+ A logic bug in the handling of large allocations would allow exceptionally large allocations
+ to be reported as successful, without actually allocating the requested memory. This may allow
+ attackers to bypass security checks and obtain control of arbitrary memory.
+
+.. _new_in_nss_3.20.1:
+
+`New in NSS 3.20.1 <#new_in_nss_3.20.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix
+ security-relevant bugs.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.20.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.20.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst
new file mode 100644
index 0000000000..feb8de594e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst
@@ -0,0 +1,80 @@
+.. _mozilla_projects_nss_nss_3_20_2_release_notes:
+
+NSS 3.20.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.20.2 is a security patch release for NSS 3.20. The bug fixes in
+ NSS 3.20.2 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_20_2_RTM. NSS 3.20.2 requires NSPR 4.10.10 or newer.
+
+ NSS 3.20.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_2_RTM/src/
+
+.. _security_fixes_in_nss_3.20.2:
+
+`Security Fixes in NSS 3.20.2 <#security_fixes_in_nss_3.20.2>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1158489 <https://bugzilla.mozilla.org/show_bug.cgi?id=1158489>`__
+ ` <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ /
+ `CVE-2015-7575 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>`__ - Prevent
+ MD5 Downgrade in TLS 1.2 Signatures.
+
+.. _new_in_nss_3.20.2:
+
+`New in NSS 3.20.2 <#new_in_nss_3.20.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Karthikeyan Bhargavan from
+ `INRIA <http://inria.fr/>`__ for responsibly disclosing the issue in `Bug
+ 1158489 <https://bugzilla.mozilla.org/show_bug.cgi?id=1158489>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.20.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.20.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst
new file mode 100644
index 0000000000..49e0f41648
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst
@@ -0,0 +1,140 @@
+.. _mozilla_projects_nss_nss_3_20_release_notes:
+
+NSS 3.20 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.20, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_20_RTM. NSS 3.20 requires NSPR 4.10.8 or newer.
+
+ NSS 3.20 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_RTM/src/
+
+.. _new_in_nss_3.20:
+
+`New in NSS 3.20 <#new_in_nss_3.20>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The TLS library has been extended to support DHE ciphersuites in server applications.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in ssl.h*
+
+ - **SSL_DHEGroupPrefSet** - Configure the set of allowed/enabled DHE group parameters that
+ can be used by NSS for a server socket.
+ - **SSL_EnableWeakDHEPrimeGroup** - Enable the use of weak DHE group parameters that are
+ smaller than default minimum size of the library.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in sslt.h*
+
+ - **SSLDHEGroupType** - Enumerates the set of DHE parameters embedded in NSS that can be used
+ with function SSL_DHEGroupPrefSet
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in ssl.h*
+
+ - **SSL_ENABLE_SERVER_DHE** - A socket option user to enable or disable DHE ciphersuites for
+ a server socket
+
+.. _notable_changes_in_nss_3.20:
+
+`Notable Changes in NSS 3.20 <#notable_changes_in_nss_3.20>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The TLS library has been extended to support DHE ciphersuites in server applications.
+ - For backward compatibility reasons, the server side implementation of the TLS library keeps
+ all DHE ciphersuites disabled by default. They can be enabled with the new socket option
+ SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the SSL_OptionSetDefault API.
+ - The server side implementation of the TLS does not support session tickets while using a DHE
+ ciphersuite (see `bug 1174677 <https://bugzilla.mozilla.org/show_bug.cgi?id=1174677>`__).
+ - Support for the following ciphersuites has been added:
+
+ - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
+ - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+ - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+
+ - By default, the server side TLS implementation will use DHE parameters with a size of 2048
+ bits when using DHE ciphersuites.
+ - NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and 8192 bits, which were copied
+ from version 08 of the Internet-Draft `"Negotiated Finite Field Diffie-Hellman Ephemeral
+ Parameters for
+ TLS" <https://datatracker.ietf.org/doc/html/draft-ietf-tls-negotiated-ff-dhe-08>`__, Appendix
+ A.
+ - A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a server application to
+ select one or multiple of the embedded DHE parameters as the preferred parameters. The current
+ implementation of NSS will always use the first entry in the array that is passed as a
+ parameter to the SSL_DHEGroupPrefSet API. In future versions of the TLS implementation, a TLS
+ client might show a preference for certain DHE parameters, and the NSS TLS server side
+ implementation might select a matching entry from the set of parameters that have been
+ configured as preferred on the server side.
+ - NSS optionally supports the use of weak DHE parameters with DHE ciphersuites in order to
+ support legacy clients. To enable this support, the new API SSL_EnableWeakDHEPrimeGroup must
+ be used. Each time this API is called for the first time in a process, a fresh set of weak DHE
+ parameters will be randomly created, which may take a long amount of time. Please refer to the
+ comments in the header file that declares the SSL_EnableWeakDHEPrimeGroup API for additional
+ details.
+ - The size of the default PQG parameters used by certutil when creating DSA keys has been
+ increased to use 2048 bit parameters.
+ - The selfserv utility has been enhanced to support the new DHE features.
+ - NSS no longer supports C compilers that predate the ANSI C standard (C89).
+
+.. _bugs_fixed_in_nss_3.20:
+
+`Bugs fixed in NSS 3.20 <#bugs_fixed_in_nss_3.20>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.20:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.20
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.20 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.20 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report
+ at ` bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product
+ NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst
new file mode 100644
index 0000000000..10f0016420
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst
@@ -0,0 +1,80 @@
+.. _mozilla_projects_nss_nss_3_21_1_release_notes:
+
+NSS 3.21.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.21.1 is a security patch release for NSS 3.21. The bug fixes in
+ NSS 3.21.1 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_1_RTM. NSS 3.21.1 requires NSPR 4.10.10 or newer.
+
+ NSS 3.21.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_1_RTM/src/
+
+.. _new_in_nss_3.21.1:
+
+`New in NSS 3.21.1 <#new_in_nss_3.21.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.21.1:
+
+`Security Fixes in NSS 3.21.1 <#security_fixes_in_nss_3.21.1>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1245528 <https://bugzilla.mozilla.org/show_bug.cgi?id=1245528>`__ /
+ `CVE-2016-1950 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950>`__ - Fixed a
+ heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker
+ could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or
+ execution of arbitrary code with the permissions of the user.
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank security researcher Francis Gabriel for responsibly
+ disclosing the issue in `Bug 1245528 <https://bugzilla.mozilla.org/show_bug.cgi?id=1245528>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.21.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst
new file mode 100644
index 0000000000..f1db6bbd4e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_nss_3_21_2_release_notes:
+
+NSS 3.21.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.21.2 is a security patch release for NSS 3.21.1. The bug fixes
+ in NSS 3.21.2 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_2_RTM. NSS 3.21.2 requires NSPR 4.10.10 or newer.
+
+ NSS 3.21.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_2_RTM/src/
+
+.. _new_in_nss_3.21.2:
+
+`New in NSS 3.21.2 <#new_in_nss_3.21.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.21.2:
+
+`Security Fixes in NSS 3.21.2 <#security_fixes_in_nss_3.21.2>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1293334 <https://bugzilla.mozilla.org/show_bug.cgi?id=1293334>`__ /
+ `CVE-2016-9074 <https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9074>`__ - Fixed
+ a timing side channel in the TLS CBC code.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.21.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst
new file mode 100644
index 0000000000..cccdd61aa0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst
@@ -0,0 +1,78 @@
+.. _mozilla_projects_nss_nss_3_21_3_release_notes:
+
+NSS 3.21.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.21.3 is a security patch release for NSS 3.21.2. The bug fixes
+ in NSS 3.21.3 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_3_RTM. NSS 3.21.3 requires NSPR 4.10.10 or newer.
+
+ NSS 3.21.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_3_RTM/src/
+
+.. _new_in_nss_3.21.3:
+
+`New in NSS 3.21.3 <#new_in_nss_3.21.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.21.3:
+
+`Security Fixes in NSS 3.21.3 <#security_fixes_in_nss_3.21.3>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1306103 <https://bugzilla.mozilla.org/show_bug.cgi?id=1306103>`__ /
+ `CVE-2016-5285 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5285>`__ - Fixed a
+ possible DOS on NSS servers due to a missing NULL check.
+ - `Bug 1221620 <https://bugzil.la/1221620>`__ - Fixed a possible left-shift of a negative
+ integer value when parsing DER.
+ - `Bug 1206283 <https://bugzilla.mozilla.org/show_bug.cgi?id=1206283>`__ - Fixed an out-of-bound
+ read when parsing invalid UTF-16.
+ - `Bug 1241034 <https://bugzilla.mozilla.org/show_bug.cgi?id=1241034>`__ - Fixed an
+ out-of-bounds write when parsing invalid UTF-16.
+ - `Bug 1241037 <https://bugzilla.mozilla.org/show_bug.cgi?id=1241037>`__ - Fixed bogus surrogate
+ detection when parsing invalid UTF-16.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.21.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst
new file mode 100644
index 0000000000..194e39c6d8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_nss_3_21_4_release_notes:
+
+NSS 3.21.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.21.4 is a security patch release for NSS 3.21. The bug fixes in
+ NSS 3.21.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_4_RTM. NSS 3.21.4 requires NSPR 4.12 or newer.
+
+ NSS 3.21.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_4_RTM/src/
+
+.. _new_in_nss_3.21.4:
+
+`New in NSS 3.21.4 <#new_in_nss_3.21.4>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.21.4:
+
+`Bugs fixed in NSS 3.21.4 <#bugs_fixed_in_nss_3.21.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
+ in Base64 encoding in NSS
+ (`CVE-2017-5461 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461>`__)
+ - `Bug 1345089 <https://bugzilla.mozilla.org/show_bug.cgi?id=1345089>`__ / DRBG flaw in NSS
+ (`CVE-2017-5462 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5462>`__)
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Ronald Crane and Vladimir Klebanov for responsibly
+ disclosing the issues by providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.21.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst
new file mode 100644
index 0000000000..9bd12981ab
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst
@@ -0,0 +1,277 @@
+.. _mozilla_projects_nss_nss_3_21_release_notes:
+
+NSS 3.21 release notes
+======================
+
+.. container::
+
+ 2016-01-07, this page has been updated to include additional information about the release. The
+ sections "Security Fixes" and "Acknowledgements" have been added.
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.21, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_RTM. NSS 3.21 requires NSPR 4.10.10 or newer.
+
+ NSS 3.21 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_RTM/src/
+
+.. _security_fixes_in_nss_3.21:
+
+`Security Fixes in NSS 3.21 <#security_fixes_in_nss_3.21>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1158489 <https://bugzilla.mozilla.org/show_bug.cgi?id=1158489>`__
+ ` <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ /
+ `CVE-2015-7575 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575>`__ - Prevent
+ MD5 Downgrade in TLS 1.2 Signatures.
+
+.. _new_in_nss_3.21:
+
+`New in NSS 3.21 <#new_in_nss_3.21>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - ``certutil`` now supports a ``--rename`` option to change a nickname (`bug
+ 1142209 <https://bugzilla.mozilla.org/show_bug.cgi?id=1142209>`__)
+ - TLS extended master secret extension (`RFC
+ 7627 <https://datatracker.ietf.org/doc/html/rfc7627>`__) is supported (`bug
+ 1117022 <https://bugzilla.mozilla.org/show_bug.cgi?id=1117022>`__)
+ - New info functions added for use during mid-handshake callbacks (`bug
+ 1084669 <https://bugzilla.mozilla.org/show_bug.cgi?id=1084669>`__)
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in nss.h*
+
+ - **NSS_OptionSet** - sets NSS global options
+ - **NSS_OptionGet** - gets the current value of NSS global options
+
+ - *in secmod.h*
+
+ - **SECMOD_CreateModuleEx** - Create a new SECMODModule structure from module name string,
+ module parameters string, NSS specific parameters string, and NSS configuration parameter
+ string. The module represented by the module structure is not loaded. The difference with
+ **SECMOD_CreateModule** is the new function handles NSS configuration parameter strings.
+
+ - *in ssl.h*
+
+ - **SSL_GetPreliminaryChannelInfo** - obtains information about a TLS channel prior to the
+ handshake being completed, for use with the callbacks that are invoked during the handshake
+ - **SSL_SignaturePrefSet** - configures the enabled signature and hash algorithms for TLS
+ - **SSL_SignaturePrefGet** - retrieves the currently configured signature and hash algorithms
+ - **SSL_SignatureMaxCount** - obtains the maximum number signature algorithms that can be
+ configured with **SSL_SignaturePrefSet**
+
+ - *in utilpars.h*
+
+ - **NSSUTIL_ArgParseModuleSpecEx** - takes a module spec and breaks it into shared library
+ string, module name string, module parameters string, NSS specific parameters string, and
+ NSS configuration parameter strings. The returned strings must be freed by the caller. The
+ difference with **NSS_ArgParseModuleSpec** is the new function handles NSS configuration
+ parameter strings.
+ - **NSSUTIL_MkModuleSpecEx** - take a shared library string, module name string, module
+ parameters string, NSS specific parameters string, and NSS configuration parameter string
+ and returns a module string which the caller must free when it is done. The difference with
+ **NSS_MkModuleSpec** is the new function handles NSS configuration parameter strings.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in pkcs11t.h*
+
+ - **CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR}** - parameters {or pointer} for
+ **CKM_TLS12_MASTER_KEY_DERIVE**
+ - **CK_TLS12_KEY_MAT_PARAMS{_PTR}** - parameters {or pointer} for
+ **CKM_TLS12_KEY_AND_MAC_DERIVE**
+ - **CK_TLS_KDF_PARAMS{_PTR}** - parameters {or pointer} for **CKM_TLS_KDF**
+ - **CK_TLS_MAC_PARAMS{_PTR}** - parameters {or pointer} for **CKM_TLS_MAC**
+
+ - *in sslt.h*
+
+ - **SSLHashType** - identifies a hash function
+ - **SSLSignatureAndHashAlg** - identifies a signature and hash function
+ - **SSLPreliminaryChannelInfo** - provides information about the session state prior to
+ handshake completion
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in nss.h*
+
+ - **NSS_RSA_MIN_KEY_SIZE** - used with NSS_OptionSet and NSS_OptionGet to set or get the
+ minimum RSA key size
+ - **NSS_DH_MIN_KEY_SIZE** - used with NSS_OptionSet and NSS_OptionGet to set or get the
+ minimum DH key size
+ - **NSS_DSA_MIN_KEY_SIZE** - used with NSS_OptionSet and NSS_OptionGet to set or get the
+ minimum DSA key size
+
+ - *in pkcs11t.h*
+
+ - **CKM_TLS12_MASTER_KEY_DERIVE** - derives TLS 1.2 master secret
+ - **CKM_TLS12_KEY_AND_MAC_DERIVE** - derives TLS 1.2 traffic key and IV
+ - **CKM_TLS12_MASTER_KEY_DERIVE_DH** - derives TLS 1.2 master secret for DH (and ECDH) cipher
+ suites
+ - **CKM_TLS12_KEY_SAFE_DERIVE** and **CKM_TLS_KDF** are identifiers for additional PKCS#12
+ mechanisms for TLS 1.2 that are currently unused in NSS.
+ - **CKM_TLS_MAC** - computes TLS Finished MAC
+
+ - *in secoidt.h*
+
+ - **NSS_USE_ALG_IN_SSL_KX** - policy flag indicating that keys are used in TLS key exchange
+
+ - *in sslerr.h*
+
+ - **SSL_ERROR_RX_SHORT_DTLS_READ** - error code for failure to include a complete DTLS record
+ in a UDP packet
+ - **SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM** - error code for when no valid signature and
+ hash algorithm is available
+ - **SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM** - error code for when an unsupported
+ signature and hash algorithm is configured
+ - **SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET** - error code for when the extended master
+ secret is missing after having been negotiated
+ - **SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET** - error code for receiving an extended
+ master secret when previously not negotiated
+
+ - *in sslt.h*
+
+ - **SSL_ENABLE_EXTENDED_MASTER_SECRET** - configuration to enable the TLS extended master
+ secret extension (`RFC 7627 <https://datatracker.ietf.org/doc/html/rfc7627>`__)
+ - **ssl_preinfo_version** - used with **SSLPreliminaryChannelInfo** to indicate that a TLS
+ version has been selected
+ - **ssl_preinfo_cipher_suite** - used with **SSLPreliminaryChannelInfo** to indicate that a
+ TLS cipher suite has been selected
+ - **ssl_preinfo_all** - used with **SSLPreliminaryChannelInfo** to indicate that all
+ preliminary information has been set
+
+.. _notable_changes_in_nss_3.21:
+
+`Notable Changes in NSS 3.21 <#notable_changes_in_nss_3.21>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - NSS now builds with elliptic curve ciphers enabled by default (`bug
+ 1205688 <https://bugzilla.mozilla.org/show_bug.cgi?id=1205688>`__)
+ - NSS now builds with warnings as errors (`bug
+ 1182667 <https://bugzilla.mozilla.org/show_bug.cgi?id=1182667>`__)
+ - The following CA certificates were **Removed**
+
+ - CN = VeriSign Class 4 Public Primary Certification Authority - G3
+
+ - SHA1 Fingerprint: C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D
+
+ - CN = UTN-USERFirst-Network Applications
+
+ - SHA1 Fingerprint: 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
+
+ - CN = TC TrustCenter Universal CA III
+
+ - SHA1 Fingerprint: 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
+
+ - CN = A-Trust-nQual-03
+
+ - SHA-1 Fingerprint: D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
+
+ - CN = USERTrust Legacy Secure Server CA
+
+ - SHA-1 Fingerprint: 7C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48
+
+ - Friendly Name: Digital Signature Trust Co. Global CA 1
+
+ - SHA-1 Fingerprint: 81:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3
+
+ - Friendly Name: Digital Signature Trust Co. Global CA 3
+
+ - SHA-1 Fingerprint: AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46
+
+ - CN = UTN - DATACorp SGC
+
+ - SHA-1 Fingerprint: 58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4
+
+ - O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
+
+ - SHA-1 Fingerprint: B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7
+
+ - The following CA certificate had the Websites **trust bit turned off**
+
+ - OU = Equifax Secure Certificate Authority
+
+ - SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+
+ - The following CA certificates were **Added**
+
+ - CN = Certification Authority of WoSign G2
+
+ - SHA1 Fingerprint: FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
+
+ - CN = CA WoSign ECC Root
+
+ - SHA1 Fingerprint: D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
+
+ - CN = OISTE WISeKey Global Root GB CA
+
+ - SHA1 Fingerprint: 0F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED
+
+ - The version number of the updated root CA list has been set to 2.6
+
+.. _bugs_fixed_in_nss_3.21:
+
+`Bugs fixed in NSS 3.21 <#bugs_fixed_in_nss_3.21>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.21:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.21
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Karthikeyan Bhargavan from
+ `INRIA <http://inria.fr/>`__ for responsibly disclosing the issue in `Bug
+ 1158489 <https://bugzilla.mozilla.org/show_bug.cgi?id=1158489>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.21 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst
new file mode 100644
index 0000000000..45efc4f22d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_22_1_release_notes:
+
+NSS 3.22.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.22.1 is a patch release for NSS 3.22. The bug fixes in NSS
+ 3.22.1 are described in the "Notable Changes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_22_1_RTM. NSS 3.22.1 requires NSPR 4.12 or newer.
+
+ NSS 3.22.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_1_RTM/src/
+
+.. _new_in_nss_3.22.1:
+
+`New in NSS 3.22.1 <#new_in_nss_3.22.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _notable_changes_in_nss_3.22.1:
+
+`Notable Changes in NSS 3.22.1 <#notable_changes_in_nss_3.22.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `bug 1194680 <https://bugzilla.mozilla.org/show_bug.cgi?id=1194680>`__: NSS has been changed
+ to use the PR_GetEnvSecure function that was made available in NSPR 4.12
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.22.1 shared libraries are backward compatible with all older NSS 3.22 shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.22.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst
new file mode 100644
index 0000000000..598dfdde3b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst
@@ -0,0 +1,90 @@
+.. _mozilla_projects_nss_nss_3_22_2_release_notes:
+
+NSS 3.22.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.22.2 is a security patch release for NSS 3.22. The bug fixes in
+ NSS 3.22.2 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_22_2_RTM. NSS 3.22.2 requires NSPR 4.12 or newer.
+
+ NSS 3.22.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_2_RTM/src/
+
+.. _new_in_nss_3.22.2:
+
+`New in NSS 3.22.2 <#new_in_nss_3.22.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.22.2:
+
+`Security Fixes in NSS 3.22.2 <#security_fixes_in_nss_3.22.2>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1245528 <https://bugzilla.mozilla.org/show_bug.cgi?id=1245528>`__ /
+ `CVE-2016-1950 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950>`__ - Fixed a
+ heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker
+ could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or
+ execution of arbitrary code with the permissions of the user.
+
+.. _notable_changes_in_nss_3.22.2:
+
+`Notable Changes in NSS 3.22.2 <#notable_changes_in_nss_3.22.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1247990 <https://bugzilla.mozilla.org/show_bug.cgi?id=1247990>`__ - The root CA changes
+ from :ref:`mozilla_projects_nss_nss_3_23_release_notes` have been backported.
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank security researcher Francis Gabriel for responsibly
+ disclosing the issue in `Bug 1245528 <https://bugzilla.mozilla.org/show_bug.cgi?id=1245528>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.22.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.22.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst
new file mode 100644
index 0000000000..c31cb417e2
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_nss_3_22_3_release_notes:
+
+NSS 3.22.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.22.3 is a patch release for NSS 3.22. The bug fixes in NSS
+ 3.22.3 are described in the "Bugs fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_22_3_RTM. NSS 3.22.3 requires NSPR 4.12 or newer.
+
+ NSS 3.22.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_3_RTM/src/
+
+.. _new_in_nss_3.22.3:
+
+`New in NSS 3.22.3 <#new_in_nss_3.22.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.22.3:
+
+`Bugs fixed in NSS 3.22.3 <#bugs_fixed_in_nss_3.22.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1243641 <https://bugzilla.mozilla.org/show_bug.cgi?id=1243641>`__ - Increase
+ compatibility of TLS extended master secret, don't send an empty TLS extension last in the
+ handshake
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.22.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.22.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst
new file mode 100644
index 0000000000..2f57e2715c
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst
@@ -0,0 +1,194 @@
+.. _mozilla_projects_nss_nss_3_22_release_notes:
+
+NSS 3.22 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.22, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.
+
+ NSS 3.22 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_RTM/src/
+
+.. _new_in_nss_3.22:
+
+`New in NSS 3.22 <#new_in_nss_3.22>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - RSA-PSS signatures are now supported (`bug
+ 1215295 <https://bugzilla.mozilla.org/show_bug.cgi?id=1215295>`__)
+
+ - New functions ``PK11_SignWithMechanism()`` and ``PK11_SignWithMechanism()`` are provided to
+ allow RSA keys to be used with PSS.
+
+ - Pseudorandom functions based on hashes other than SHA-1 are now supported with PBKDF (`bug
+ 554827 <https://bugzilla.mozilla.org/show_bug.cgi?id=554827>`__).
+
+ - ``PK11_CreatePBEV2AlgorithmID()`` now supports ``SEC_OID_PKCS5_PBKDF2`` with
+ ``cipherAlgTag`` and ``prfAlgTag`` set to ``SEC_OID_HMAC_SHA256``, ``SEC_OID_HMAC_SHA224``,
+ ``SEC_OID_HMAC_SHA384``, or ``SEC_OID_HMAC_SHA512``.
+
+ - Enforce an External Policy on NSS from a config file (`bug
+ 1009429 <https://bugzilla.mozilla.org/show_bug.cgi?id=1009429>`__)
+
+ - you can now add a config= line to pkcs11.txt (assuming you are using sql databases), which
+ will force NSS to restrict the application to certain cryptographic algorithms and
+ protocols. A complete list can be found in :ref:`mozilla_projects_nss_nss_config_options`.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in pk11pub.h*
+
+ - **PK11_SignWithMechanism** - This function is an extended version ``PK11_Sign()``.
+ - **PK11_VerifyWithMechanism** - This function is an extended version of ``PK11_Verify()``.
+
+ - These functions take an explicit mechanism and parameters as arguments rather than
+ inferring it from the key type using ``PK11_MapSignKeyType()``. The mechanism type
+ CKM_RSA_PKCS_PSS is now supported for RSA in addition to CKM_RSA_PKCS. The
+ CK_RSA_PKCS_PSS mechanism takes a parameter of type CK_RSA_PKCS_PSS_PARAMS.
+
+ - *in ssl.h*
+
+ - **SSL_PeerSignedCertTimestamps** - Get signed_certificate_timestamp TLS extension data
+ - **SSL_SetSignedCertTimestamps** - Set signed_certificate_timestamp TLS extension data
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in secoidt.h*
+
+ - The following are added to SECOidTag:
+
+ - SEC_OID_AES_128_GCM
+ - SEC_OID_AES_192_GCM
+ - SEC_OID_AES_256_GCM
+ - SEC_OID_IDEA_CBC
+ - SEC_OID_RC2_40_CBC
+ - SEC_OID_DES_40_CBC
+ - SEC_OID_RC4_40
+ - SEC_OID_RC4_56
+ - SEC_OID_NULL_CIPHER
+ - SEC_OID_HMAC_MD5
+ - SEC_OID_TLS_RSA
+ - SEC_OID_TLS_DHE_RSA
+ - SEC_OID_TLS_DHE_DSS
+ - SEC_OID_TLS_DH_RSA
+ - SEC_OID_TLS_DH_DSS
+ - SEC_OID_TLS_DH_ANON
+ - SEC_OID_TLS_ECDHE_ECDSA
+ - SEC_OID_TLS_ECDHE_RSA
+ - SEC_OID_TLS_ECDH_ECDSA
+ - SEC_OID_TLS_ECDH_RSA
+ - SEC_OID_TLS_ECDH_ANON
+ - SEC_OID_TLS_RSA_EXPORT
+ - SEC_OID_TLS_DHE_RSA_EXPORT
+ - SEC_OID_TLS_DHE_DSS_EXPORT
+ - SEC_OID_TLS_DH_RSA_EXPORT
+ - SEC_OID_TLS_DH_DSS_EXPORT
+ - SEC_OID_TLS_DH_ANON_EXPORT
+ - SEC_OID_APPLY_SSL_POLICY
+
+ - in sslt.h
+
+ - **ssl_signed_cert_timestamp_xtn** is added to ``SSLExtensionType``.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - in nss.h
+
+ - NSS_RSA_MIN_KEY_SIZE
+ - NSS_DH_MIN_KEY_SIZE
+ - NSS_DSA_MIN_KEY_SIZE
+ - NSS_TLS_VERSION_MIN_POLICY
+ - NSS_TLS_VERSION_MAX_POLICY
+ - NSS_DTLS_VERSION_MIN_POLICY
+ - NSS_DTLS_VERSION_MAX_POLICY
+
+ - *in pkcs11t.h*
+
+ - **CKP_PKCS5_PBKD2_HMAC_GOSTR3411** - PRF based on HMAC with GOSTR3411 for PBKDF (not
+ supported)
+ - **CKP_PKCS5_PBKD2_HMAC_SHA224** - PRF based on HMAC with SHA-224 for PBKDF
+ - **CKP_PKCS5_PBKD2_HMAC_SHA256** - PRF based on HMAC with SHA-256 for PBKDF
+ - **CKP_PKCS5_PBKD2_HMAC_SHA384** - PRF based on HMAC with SHA-256 for PBKDF
+ - **CKP_PKCS5_PBKD2_HMAC_SHA512** - PRF based on HMAC with SHA-256 for PBKDF
+ - **CKP_PKCS5_PBKD2_HMAC_SHA512_224** - PRF based on HMAC with SHA-512 truncated to 224 bits
+ for PBKDF (not supported)
+ - **CKP_PKCS5_PBKD2_HMAC_SHA512_256** - PRF based on HMAC with SHA-512 truncated to 256 bits
+ for PBKDF (not supported)
+
+ - *in secoidt.h*
+
+ - NSS_USE_ALG_IN_SSL
+ - NSS_USE_POLICY_IN_SSL
+
+ - *in ssl.h*
+
+ - **SSL_ENABLE_SIGNED_CERT_TIMESTAMPS**
+
+ - *in sslt.h*
+
+ - **SSL_MAX_EXTENSIONS** is updated to 13
+
+.. _notable_changes_in_nss_3.22:
+
+`Notable Changes in NSS 3.22 <#notable_changes_in_nss_3.22>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS
+ variable to 1 to disable building these tests.
+
+.. _bugs_fixed_in_nss_3.22:
+
+`Bugs fixed in NSS 3.22 <#bugs_fixed_in_nss_3.22>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.22:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.22
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.22 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.22 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst
new file mode 100644
index 0000000000..78cd188db3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst
@@ -0,0 +1,192 @@
+.. _mozilla_projects_nss_nss_3_23_release_notes:
+
+NSS 3.23 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.23, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_23_RTM. NSS 3.23 requires NSPR 4.12 or newer.
+
+ NSS 3.23 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/
+
+.. _new_in_nss_3.23:
+
+`New in NSS 3.23 <#new_in_nss_3.23>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - ChaCha20/Poly1305 cipher and TLS cipher suites now supported (`bug
+ 917571 <https://bugzilla.mozilla.org/show_bug.cgi?id=917571>`__, `bug
+ 1227905 <https://bugzilla.mozilla.org/show_bug.cgi?id=1227905>`__)
+
+ -
+
+ .. container::
+
+ Experimental-only support TLS 1.3 1-RTT mode (draft-11). This code is not ready for
+ production use.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in ssl.h*
+
+ - **SSL_SetDowngradeCheckVersion** - Set maximum version for new ServerRandom anti-downgrade
+ mechanism. Clients that perform a version downgrade (which is a dangerous practice) call
+ this with the highest version number that they possibly support. This gives them access to
+ the `version downgrade protection from TLS
+ 1.3 <https://tlswg.github.io/tls13-spec/#client-hello>`__.
+
+.. _notable_changes_in_nss_3.23:
+
+`Notable Changes in NSS 3.23 <#notable_changes_in_nss_3.23>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The copy of SQLite shipped with NSS has been updated to version 3.10.2 (`bug
+ 1234698 <https://bugzilla.mozilla.org/show_bug.cgi?id=1234698>`__)
+ - The list of TLS extensions sent in the TLS handshake has been reordered to increase
+ compatibility of the Extended Master Secret with servers (`bug
+ 1243641 <https://bugzilla.mozilla.org/show_bug.cgi?id=1243641>`__)
+ - The build time environment variable NSS_ENABLE_ZLIB has been renamed to NSS_SSL_ENABLE_ZLIB
+ (`Bug 1243872 <https://bugzilla.mozilla.org/show_bug.cgi?id=1243872>`__).
+ - The build time environment variable NSS_DISABLE_CHACHAPOLY was added, which can be used to
+ prevent compilation of the ChaCha20/Poly1305 code.
+ - The following CA certificates were **Removed**
+
+ - CN = Staat der Nederlanden Root CA
+
+ - SHA-256 Fingerprint:
+ D4:1D:82:9E:8C:16:59:82:2A:F9:3F:CE:62:BF:FC:DE:26:4F:C8:4E:8B:95:0C:5F:F2:75:D0:52:35:46:95:A3
+
+ - CN = NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
+
+ - SHA-256 Fingerprint:
+ E6:06:DD:EE:E2:EE:7F:5C:DE:F5:D9:05:8F:F8:B7:D0:A9:F0:42:87:7F:6A:17:1E:D8:FF:69:60:E4:CC:5E:A5
+
+ - CN = NetLock Kozjegyzoi (Class A) Tanusitvanykiado
+
+ - SHA-256 Fingerprint:
+ 7F:12:CD:5F:7E:5E:29:0E:C7:D8:51:79:D5:B7:2C:20:A5:BE:75:08:FF:DB:5B:F8:1A:B9:68:4A:7F:C9:F6:67
+
+ - CN = NetLock Uzleti (Class B) Tanusitvanykiado
+
+ - SHA-256 Fingerprint:
+ 39:DF:7B:68:2B:7B:93:8F:84:71:54:81:CC:DE:8D:60:D8:F2:2E:C5:98:87:7D:0A:AA:C1:2B:59:18:2B:03:12
+
+ - CN = NetLock Expressz (Class C) Tanusitvanykiado
+
+ - SHA-256 Fingerprint:
+ 0B:5E:ED:4E:84:64:03:CF:55:E0:65:84:84:40:ED:2A:82:75:8B:F5:B9:AA:1F:25:3D:46:13:CF:A0:80:FF:3F
+
+ - Friendly Name: VeriSign Class 1 Public PCA – G2
+
+ - SHA-256 Fingerprint:
+ 34:1D:E9:8B:13:92:AB:F7:F4:AB:90:A9:60:CF:25:D4:BD:6E:C6:5B:9A:51:CE:6E:D0:67:D0:0E:C7:CE:9B:7F
+
+ - Friendly Name: VeriSign Class 3 Public PCA
+
+ - SHA-256 Fingerprint:
+ A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05
+
+ - Friendly Name: VeriSign Class 3 Public PCA – G2
+
+ - SHA-256 Fingerprint:
+ 83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E:DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B
+
+ - CN = CA Disig
+
+ - SHA-256 Fingerprint:
+ 92:BF:51:19:AB:EC:CA:D0:B1:33:2D:C4:E1:D0:5F:BA:75:B5:67:90:44:EE:0C:A2:6E:93:1F:74:4F:2F:33:CF
+
+ - The following CA certificates were **Added**
+
+ - CN = SZAFIR ROOT CA2
+
+ - SHA-256 Fingerprint:
+ A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE
+
+ - CN = Certum Trusted Network CA 2
+
+ - SHA-256 Fingerprint:
+ B6:76:F2:ED:DA:E8:77:5C:D3:6C:B0:F6:3C:D1:D4:60:39:61:F4:9E:62:65:BA:01:3A:2F:03:07:B6:D0:B8:04
+
+ - The following CA certificate had the Email **trust bit turned on**
+
+ - CN = Actalis Authentication Root CA
+
+ - SHA-256 Fingerprint:
+ 55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66
+
+.. _security_fixes_in_nss_3.23:
+
+`Security Fixes in NSS 3.23 <#security_fixes_in_nss_3.23>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1245528 <https://bugzilla.mozilla.org/show_bug.cgi?id=1245528>`__ /
+ `CVE-2016-1950 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950>`__ - Fixed a
+ heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker
+ could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or
+ execution of arbitrary code with the permissions of the user.
+
+.. _bugs_fixed_in_nss_3.23:
+
+`Bugs fixed in NSS 3.23 <#bugs_fixed_in_nss_3.23>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.23:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.23
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank security researcher Francis Gabriel for responsibly
+ disclosing the issue in `Bug 1245528 <https://bugzilla.mozilla.org/show_bug.cgi?id=1245528>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.23 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.23 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst
new file mode 100644
index 0000000000..ac7bd6ef7a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst
@@ -0,0 +1,201 @@
+.. _mozilla_projects_nss_nss_3_24_release_notes:
+
+NSS 3.24 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.24, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_24_RTM. NSS 3.24 requires Netscape Portable Runtime(NSPR) 4.12 or newer.
+
+ NSS 3.24 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/
+
+.. _new_in_nss_3.24:
+
+`New in NSS 3.24 <#new_in_nss_3.24>`__
+--------------------------------------
+
+.. container::
+
+ NSS 3.24 includes two NSS softoken updates, a new function to configure SSL/TLS server sockets,
+ and two functions to improve the use of temporary arenas.
+
+.. _new_functionality:
+
+`New functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - NSS softoken has been updated with the latest National Institute of Standards and Technology
+ (NIST) guidance (as of 2015):
+
+ - Software integrity checks and POST functions are executed on shared library load. These
+ checks have been disabled by default, as they can cause a performance regression. To enable
+ these checks, you must define symbol NSS_FORCE_FIPS when building NSS.
+ - Counter mode and Galois/Counter Mode (GCM) have checks to prevent counter overflow.
+ - Additional CSPs are zeroed in the code.
+ - NSS softoken uses new guidance for how many Rabin-Miller tests are needed to verify a prime
+ based on prime size.
+
+ - NSS softoken has also been updated to allow NSS to run in FIPS Level 1 (no password). This
+ mode is triggered by setting the database password to the empty string. In FIPS mode, you may
+ move from Level 1 to Level 2 (by setting an appropriate password), but not the reverse.
+ - A SSL_ConfigServerCert function has been added for configuring SSL/TLS server sockets with a
+ certificate and private key. Use this new function in place of SSL_ConfigSecureServer,
+ SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and
+ SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically determines the certificate
+ type from the certificate and private key. The caller is no longer required to use SSLKEAType
+ explicitly to select a "slot" into which the certificate is configured (which incorrectly
+ identifies a key agreement type rather than a certificate). Separate functions for configuring
+ Online Certificate Status Protocol (OCSP) responses or Signed Certificate Timestamps are not
+ needed, since these can be added to the optional SSLExtraServerCertData struct provided to
+ SSL_ConfigServerCert. Also, partial support for RSA Probabilistic Signature Scheme (RSA-PSS)
+ certificates has been added. Although these certificates can be configured, they will not be
+ used by NSS in this version.
+ - For functions that use temporary arenas, allocating a PORTCheapArena on the stack is more
+ performant than allocating a PLArenaPool on the heap. Rather than declaring a PLArenaPool
+ pointer and calling PORT_NewArena/PORT_FreeArena to allocate or free an instance on the heap,
+ declare a PORTCheapArenaPool on the stack and use PORT_InitCheapArena/PORT_DestroyCheapArena
+ to initialize and destroy it. Items allocated from the arena are still created on the heap,
+ only the arena itself is stack-allocated. Note: This approach is only useful when the arena
+ use is tightly bounded, for example, if it is only used in a single function.
+
+.. _new_elements:
+
+`New elements <#new_elements>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ This section lists and briefly describes the new functions, types, and macros in NSS 3.24.
+
+ .. rubric:: New functions
+ :name: new_functions
+
+ - *In ssl.h*
+
+ - SSL_ConfigServerCert - Configures an SSL/TLS socket with a certificate, private key, and
+ other information.
+
+ - *In secport.h*
+
+ - PORT_InitCheapArena - Initializes an arena that was created on the stack. (See
+ PORTCheapArenaPool.)
+ - PORT_DestroyCheapArena - Destroys an arena that was created on the stack. (See
+ PORTCheapArenaPool.)
+
+ .. rubric:: New types
+ :name: new_types
+
+ - *In sslt.h*
+
+ - SSLExtraServerCertData - Optionally passed as an argument to SSL_ConfigServerCert. This
+ struct contains supplementary information about a certificate, such as the intended type of
+ the certificate, stapled OCSP responses, or Signed Certificate Timestamps (used for
+ `certificate transparency <https://datatracker.ietf.org/doc/html/rfc6962>`__).
+
+ - *In secport.h*
+
+ - PORTCheapArenaPool - A stack-allocated arena pool, to be used for temporary arena
+ allocations.
+
+ .. rubric:: New macros
+ :name: new_macros
+
+ - *In pkcs11t.h*
+
+ - CKM_TLS12_MAC
+
+ - *In secoidt.h*
+
+ - SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the
+ TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used only for session
+ resumption in TLS 1.3.
+
+.. _notable_changes_in_nss_3.24:
+
+`Notable changes in NSS 3.24 <#notable_changes_in_nss_3.24>`__
+--------------------------------------------------------------
+
+.. container::
+
+ Additions, deprecations, and other changes in NSS 3.24 are listed below.
+
+ - Deprecate the following functions. (Applications should instead use the new
+ SSL_ConfigServerCert function.)
+
+ - SSL_SetStapledOCSPResponses
+ - SSL_SetSignedCertTimestamps
+ - SSL_ConfigSecureServer
+ - SSL_ConfigSecureServerWithCertChain
+
+ - Deprecate the NSS_FindCertKEAType function, as it reports a misleading value for certificates
+ that might be used for signing rather than key exchange.
+ - Update SSLAuthType to define a larger number of authentication key types.
+ - Deprecate the member attribute **authAlgorithm** of type SSLCipherSuiteInfo. Instead,
+ applications should use the newly added attribute **authType**.
+ - Rename ssl_auth_rsa to ssl_auth_rsa_decrypt.
+ - Add a shared library (libfreeblpriv3) on Linux platforms that define FREEBL_LOWHASH.
+ - Remove most code related to SSL v2, including the ability to actively send a SSLv2-compatible
+ client hello. However, the server-side implementation of the SSL/TLS protocol still supports
+ processing of received v2-compatible client hello messages.
+ - Disable (by default) NSS support in optimized builds for logging SSL/TLS key material to a
+ logfile if the SSLKEYLOGFILE environment variable is set. To enable the functionality in
+ optimized builds, you must define the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
+ - Update NSS to protect it against the Cachebleed attack.
+ - Disable support for DTLS compression.
+ - Improve support for TLS 1.3. This includes support for DTLS 1.3. Note that TLS 1.3 support is
+ experimental and not suitable for production use.
+
+.. _bugs_fixed_in_nss_3.24:
+
+`Bugs fixed in NSS 3.24 <#bugs_fixed_in_nss_3.24>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.24:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.24
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Yuval Yarom for responsibly disclosing the
+ Cachebleed attack by providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.24 shared libraries are backward-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.24 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst
new file mode 100644
index 0000000000..213e02169b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst
@@ -0,0 +1,80 @@
+.. _mozilla_projects_nss_nss_3_25_1_release_notes:
+
+NSS 3.25.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.25.1 is a patch release for NSS 3.25.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_25_1_RTM. NSS 3.25.1 requires NSPR 4.12 or newer.
+
+ NSS 3.25.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_25_1_RTM/src/
+
+.. _new_in_nss_3.25.1:
+
+`New in NSS 3.25.1 <#new_in_nss_3.25.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to address a TLS
+ compatibility issue that some client applications experienced with NSS 3.25.
+
+.. _notable_changes_in_nss_3.25.1:
+
+`Notable Changes in NSS 3.25.1 <#notable_changes_in_nss_3.25.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ MD5 signature algorithms sent by the server in CertificateRequest messages are now properly
+ ignored. Previously, with rare server configurations, an MD5 signature algorithm might have been
+ selected for client authentication and caused the client to abort the connection soon after.
+
+.. _bugs_fixed_in_nss_3.25.1:
+
+`Bugs fixed in NSS 3.25.1 <#bugs_fixed_in_nss_3.25.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - The following bug has been fixed in NSS 3.25.1: `Ignore MD5 signature algorithms in
+ certificate requests <https://bugzilla.mozilla.org/show_bug.cgi?id=1304407>`__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.25.1 shared libraries are backwards compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.25.1 shared libraries
+ without recompiling or relinking. Applications that restrict their use of NSS APIs to the
+ functions listed in NSS Public Functions will remain compatible with future versions of the NSS
+ shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst
new file mode 100644
index 0000000000..a65360f257
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst
@@ -0,0 +1,140 @@
+.. _mozilla_projects_nss_nss_3_25_release_notes:
+
+NSS 3.25 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.25, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_25_RTM. NSS 3.25 requires Netscape Portable Runtime(NSPR) 4.12 or newer.
+
+ NSS 3.25 source distributions are available on ftp.mozilla.org for secure HTTPS download at the
+ following location.
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_25_RTM/src/
+
+.. _new_in_nss_3.25:
+
+`New in NSS 3.25 <#new_in_nss_3.25>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Implemented DHE key agreement for TLS 1.3.
+ - Added support for ChaCha with TLS 1.3.
+ - Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF.
+ - Removed the limitation that allowed NSS to only support certificate_verify messages that used
+ the same signature hash algorithm as the PRF when using TLS 1.2 client authentication.
+ - Several functions have been added to the public API of the NSS Cryptoki Framework.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in nssckfw.h*
+
+ - **NSSCKFWSlot_GetSlotID**
+ - **NSSCKFWSession_GetFWSlot**
+ - **NSSCKFWInstance_DestroySessionHandle**
+ - **NSSCKFWInstance_FindSessionHandle**
+
+.. _notable_changes_in_nss_3.25:
+
+`Notable Changes in NSS 3.25 <#notable_changes_in_nss_3.25>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - An SSL socket can no longer be configured to allow both TLS 1.3 and SSL v3.
+ - Regression fix: NSS no longer reports a failure if an application attempts to disable the SSL
+ v2 protocol.
+ - The trusted CA certificate list has been updated to version 2.8.
+ - The following CA certificate was **Removed**
+
+ - CN = Sonera Class1 CA
+
+ - SHA-256 Fingerprint:
+ CD:80:82:84:CF:74:6F:F2:FD:6E:B5:8A:A1:D5:9C:4A:D4:B3:CA:56:FD:C6:27:4A:89:26:A7:83:5F:32:31:3D
+
+ - The following CA certificates were **Added**
+
+ - CN = Hellenic Academic and Research Institutions RootCA 2015
+
+ - SHA-256 Fingerprint:
+ A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36
+
+ - CN = Hellenic Academic and Research Institutions ECC RootCA 2015
+
+ - SHA-256 Fingerprint:
+ 44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33
+
+ - CN = Certplus Root CA G1
+
+ - SHA-256 Fingerprint:
+ 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
+
+ - CN = Certplus Root CA G2
+
+ - SHA-256 Fingerprint:
+ 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
+
+ - CN = OpenTrust Root CA G1
+
+ - SHA-256 Fingerprint:
+ 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
+
+ - CN = OpenTrust Root CA G2
+
+ - SHA-256 Fingerprint:
+ 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
+
+ - CN = OpenTrust Root CA G3
+
+ - SHA-256 Fingerprint:
+ B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
+
+.. _bugs_fixed_in_nss_3.25:
+
+`Bugs fixed in NSS 3.25 <#bugs_fixed_in_nss_3.25>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.25:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.25
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.25 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.25 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst
new file mode 100644
index 0000000000..485527b6c8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst
@@ -0,0 +1,80 @@
+.. _mozilla_projects_nss_nss_3_26_2_release_notes:
+
+NSS 3.26.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.26.2 is a patch release for NSS 3.26.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_26_2_RTM. NSS 3.26.2 requires NSPR 4.12 or newer.
+
+ NSS 3.26.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_26_2_RTM/src/
+
+.. _new_in_nss_3.26.2:
+
+`New in NSS 3.26.2 <#new_in_nss_3.26.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to address a TLS
+ compatibility issue that some client applications experienced with NSS 3.26.1.
+
+.. _notable_changes_in_nss_3.26.2:
+
+`Notable Changes in NSS 3.26.2 <#notable_changes_in_nss_3.26.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ MD5 signature algorithms sent by the server in CertificateRequest messages are now properly
+ ignored. Previously, with rare server configurations, an MD5 signature algorithm might have been
+ selected for client authentication and caused the client to abort the connection soon after.
+
+.. _bugs_fixed_in_nss_3.26.2:
+
+`Bugs fixed in NSS 3.26.2 <#bugs_fixed_in_nss_3.26.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - The following bug has been fixed in NSS 3.26.2: `Ignore MD5 signature algorithms in
+ certificate requests <https://bugzilla.mozilla.org/show_bug.cgi?id=1304407>`__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.26.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.26.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst
new file mode 100644
index 0000000000..9c47dcf087
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst
@@ -0,0 +1,91 @@
+.. _mozilla_projects_nss_nss_3_26_release_notes:
+
+NSS 3.26 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.26, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_26_RTM. NSS 3.26 requires Netscape Portable Runtime(NSPR) 4.12 or newer.
+
+ NSS 3.26 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_26_RTM/src/
+
+.. _new_in_nss_3.26:
+
+`New in NSS 3.26 <#new_in_nss_3.26>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - the selfserv test utility has been enhanced to support ALPN (HTTP/1.1) and 0-RTT
+ - added support for the System-wide crypto policy available on Fedora Linux, see
+ http://fedoraproject.org/wiki/Changes/CryptoPolicy
+ - introduced build flag NSS_DISABLE_LIBPKIX which allows compilation of NSS without the libpkix
+ library
+
+.. _notable_changes_in_nss_3.26:
+
+`Notable Changes in NSS 3.26 <#notable_changes_in_nss_3.26>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificate was **Added**
+
+ - CN = ISRG Root X1
+
+ - SHA-256 Fingerprint:
+ 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
+
+ - NPN is disabled, and ALPN is enabled by default
+ - the NSS test suite now completes with the experimental TLS 1.3 code enabled
+ - several test improvements and additions, including a NIST known answer test
+
+.. _bugs_fixed_in_nss_3.26:
+
+`Bugs fixed in NSS 3.26 <#bugs_fixed_in_nss_3.26>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.26:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.26
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.26 shared libraries are backwards compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.26 shared libraries
+ without recompiling or relinking. Applications that restrict their use of NSS APIs, to the
+ functions listed in NSS Public Functions, will remain compatible with future versions of the NSS
+ shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst
new file mode 100644
index 0000000000..bebbb52ef2
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst
@@ -0,0 +1,92 @@
+.. _mozilla_projects_nss_nss_3_27_1_release_notes:
+
+NSS 3.27.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.27.1 is a patch release for NSS 3.27.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_27_1_RTM. NSS 3.27.1 requires NSPR 4.13 or newer.
+
+ NSS 3.27.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_27_1_RTM/src/
+
+.. _new_in_nss_3.27.1:
+
+`New in NSS 3.27.1 <#new_in_nss_3.27.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to address a TLS
+ compatibility issue which some applications experienced with NSS 3.27.
+
+.. _notable_changes_in_nss_3.27.1:
+
+`Notable Changes in NSS 3.27.1 <#notable_changes_in_nss_3.27.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ Availability of the TLS 1.3 (draft) implementation has been re-disabled in the default build.
+
+ Previous versions of NSS made TLS 1.3 (draft) available only when compiled with
+ NSS_ENABLE_TLS_1_3. NSS 3.27 set this value on by default, allowing TLS 1.3 (draft) to be
+ disabled using NSS_DISABLE_TLS_1_3, although the maximum version used by default remained TLS
+ 1.2.
+
+ However, some applications query the list of protocol versions that are supported by the NSS
+ library, enabling all supported TLS protocol versions. Because NSS 3.27 enabled compilation of
+ TLS 1.3 (draft) by default, it caused those applications to enable TLS 1.3 (draft). This resulted
+ in connectivity failures, as some TLS servers are version 1.3 intolerant, and failed to negotiate
+ an earlier TLS version with NSS 3.27 clients.
+
+ NSS 3.27.1 once again requires NSS_ENABLE_TLS_1_3 to be deliberately set to enable TLS 1.3
+ (draft).
+
+.. _bugs_fixed_in_nss_3.27.1:
+
+`Bugs fixed in NSS 3.27.1 <#bugs_fixed_in_nss_3.27.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - The following bug has been fixed in NSS 3.27.1: `Re-disable TLS 1.3 by
+ default <https://bugzilla.mozilla.org/show_bug.cgi?id=1306985>`__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.27.1 shared libraries are backwards compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.27.1 shared libraries
+ without recompiling or relinking. Applications that restrict their use of NSS APIs to the
+ functions listed in NSS Public Functions will remain compatible with future versions of the NSS
+ shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst
new file mode 100644
index 0000000000..06c03b0644
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_27_2_release_notes:
+
+NSS 3.27.2 Release Notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.27.2 is a patch release for NSS 3.27.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_27_2_RTM. NSS 3.27.2 requires NSPR 4.13 or newer.
+
+ NSS 3.27.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ `https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_27_2_RTM/src/ <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_27_1_RTM/src/>`__
+
+.. _new_in_nss_3.27.2:
+
+`New in NSS 3.27.2 <#new_in_nss_3.27.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to address a memory
+ leak in the ``SSL_SetTrustAnchors()`` function.
+
+.. _notable_changes_in_nss_3.27.2:
+
+`Notable Changes in NSS 3.27.2 <#notable_changes_in_nss_3.27.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ The ``SSL_SetTrustAnchors()`` function is used to set the distinguished names that an NSS server
+ includes in its TLS CertificateRequest message. If this function is not used, NSS will include
+ the distinguished names for all trust anchors installed in the database. This can be a lengthy
+ list.
+
+ Previous versions of NSS leaked the memory used to store distinguished names when
+ ``SSL_SetTrustAnchors()`` was used. This release fixes that error.
+
+.. _bugs_fixed_in_nss_3.27.2:
+
+`Bugs fixed in NSS 3.27.2 <#bugs_fixed_in_nss_3.27.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - The following bug has been fixed in NSS 3.27.2: `Bug 1318561 - SSL_SetTrustAnchors
+ leaks <https://bugzilla.mozilla.org/show_bug.cgi?id=1318561>`__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.27.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.27.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst
new file mode 100644
index 0000000000..5fd0b1bfff
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst
@@ -0,0 +1,149 @@
+.. _mozilla_projects_nss_nss_3_27_release_notes:
+
+NSS 3.27 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.27, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_27_RTM. NSS 3.27 requires Netscape Portable Runtime(NSPR) 4.13 or newer.
+
+ NSS 3.27 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_27_RTM/src/
+
+.. _new_in_nss_3.27:
+
+`New in NSS 3.27 <#new_in_nss_3.27>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Allow custom named group priorities for TLS key exchange handshake (SSL_NamedGroupConfig).
+ - Added support for RSA-PSS signatures in TLS 1.2 and TLS 1.3
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - in ssl.h
+
+ - SSL_NamedGroupConfig
+
+.. _notable_changes_in_nss_3.27:
+
+`Notable Changes in NSS 3.27 <#notable_changes_in_nss_3.27>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - *UPDATE 2016-10-02:*
+
+ - The maximum TLS version supported has been increased to TLS 1.3 (draft).
+ - Although the maximum TLS version enabled by default is still TLS 1.2, there are
+ applications that query the list of TLS protocol versions supported by NSS, and enable all
+ supported versions. For those applications, updating to NSS 3.27 may result in TLS 1.3
+ (draft) to be enabled.
+ - The TLS 1.3 (draft) protocol can be disabled, by defining symbol NSS_DISABLE_TLS_1_3 when
+ building NSS.
+
+ - NPN can not be enabled anymore.
+ - Hard limits on the maximum number of TLS records encrypted with the same key are enforced.
+ - Disabled renegotiation in DTLS.
+ - The following CA certificates were **Removed**
+
+ - CN = IGC/A, O = PM/SGDN, OU = DCSSI
+
+ - SHA256 Fingerprint:
+ B9:BE:A7:86:0A:96:2E:A3:61:1D:AB:97:AB:6D:A3:E2:1C:10:68:B9:7D:55:57:5E:D0:E1:12:79:C1:1C:89:32
+
+ - CN = Juur-SK, O = AS Sertifitseerimiskeskus
+
+ - SHA256 Fingerprint:
+ EC:C3:E9:C3:40:75:03:BE:E0:91:AA:95:2F:41:34:8F:F8:8B:AA:86:3B:22:64:BE:FA:C8:07:90:15:74:E9:39
+
+ - CN = EBG Elektronik Sertifika Hizmet Sağlayıcısı
+
+ - SHA-256 Fingerprint:
+ 35:AE:5B:DD:D8:F7:AE:63:5C:FF:BA:56:82:A8:F0:0B:95:F4:84:62:C7:10:8E:E9:A0:E5:29:2B:07:4A:AF:B2
+
+ - CN = S-TRUST Authentication and Encryption Root CA 2005:PN
+
+ - SHA-256 Fingerprint:
+ 37:D8:DC:8A:F7:86:78:45:DA:33:44:A6:B1:BA:DE:44:8D:8A:80:E4:7B:55:79:F9:6B:F6:31:76:8F:9F:30:F6
+
+ - O = VeriSign, Inc., OU = Class 1 Public Primary Certification Authority
+
+ - SHA-256 Fingerprint:
+ 51:84:7C:8C:BD:2E:9A:72:C9:1E:29:2D:2A:E2:47:D7:DE:1E:3F:D2:70:54:7A:20:EF:7D:61:0F:38:B8:84:2C
+
+ - O = VeriSign, Inc., OU = Class 2 Public Primary Certification Authority - G2
+
+ - SHA-256 Fingerprint:
+ 3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1
+
+ - O = VeriSign, Inc., OU = Class 3 Public Primary Certification Authority
+
+ - SHA-256 Fingerprint:
+ E7:68:56:34:EF:AC:F6:9A:CE:93:9A:6B:25:5B:7B:4F:AB:EF:42:93:5B:50:A2:65:AC:B5:CB:60:27:E4:4E:70
+
+ - O = Equifax, OU = Equifax Secure Certificate Authority
+
+ - SHA-256 Fingerprint:
+ 08:29:7A:40:47:DB:A2:36:80:C7:31:DB:6E:31:76:53:CA:78:48:E1:BE:BD:3A:0B:01:79:A7:07:F9:2C:F1:78
+
+ - CN = Equifax Secure eBusiness CA-1
+
+ - SHA-256 Fingerprint:
+ CF:56:FF:46:A4:A1:86:10:9D:D9:65:84:B5:EE:B5:8A:51:0C:42:75:B0:E5:F9:4F:40:BB:AE:86:5E:19:F6:73
+
+ - CN = Equifax Secure Global eBusiness CA-1
+
+ - SHA-256 Fingerprint:
+ 5F:0B:62:EA:B5:E3:53:EA:65:21:65:16:58:FB:B6:53:59:F4:43:28:0A:4A:FB:D1:04:D7:7D:10:F9:F0:4C:07
+
+.. _bugs_fixed_in_nss_3.27:
+
+`Bugs fixed in NSS 3.27 <#bugs_fixed_in_nss_3.27>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.27:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.27
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.27 shared libraries are backwards compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.27 shared libraries
+ without recompiling or relinking. Applications that restrict their use of NSS APIs to the
+ functions listed in NSS Public Functions will remain compatible with future versions of the NSS
+ shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst
new file mode 100644
index 0000000000..3a8f749afc
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst
@@ -0,0 +1,148 @@
+.. _mozilla_projects_nss_nss_3_28_1_release_notes:
+
+NSS 3.28.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.1 is a patch release for NSS 3.28. The bug fixes in NSS
+ 3.28.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_1_RTM. NSS 3.28.1 requires NSPR 4.13.1 or newer.
+
+ NSS 3.28.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_1_RTM/src/
+
+.. _new_in_nss_3.28.1:
+
+`New in NSS 3.28.1 <#new_in_nss_3.28.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates, and address a minor TLS compatibility issue, that some applications
+ experienced with NSS 3.28.
+
+.. _notable_changes_in_nss_3.28.1:
+
+`Notable Changes in NSS 3.28.1 <#notable_changes_in_nss_3.28.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Removed**
+
+ - CN = Buypass Class 2 CA 1
+
+ - SHA-256 Fingerprint:
+ 0F:4E:9C:DD:26:4B:02:55:50:D1:70:80:63:40:21:4F:E9:44:34:C9:B0:2F:69:7E:C7:10:FC:5F:EA:FB:5E:38
+
+ - CN = Root CA Generalitat Valenciana
+
+ - SHA-256 Fingerprint:
+ 8C:4E:DF:D0:43:48:F3:22:96:9E:7E:29:A4:CD:4D:CA:00:46:55:06:1C:16:E1:B0:76:42:2E:F3:42:AD:63:0E
+
+ - OU = RSA Security 2048 V3
+
+ - SHA-256 Fingerprint:
+ AF:8B:67:62:A1:E5:28:22:81:61:A9:5D:5C:55:9E:E2:66:27:8F:75:D7:9E:83:01:89:A5:03:50:6A:BD:6B:4C
+
+ - The following CA certificates were **Added**
+
+ - OU = AC RAIZ FNMT-RCM
+
+ - SHA-256 Fingerprint:
+ EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
+
+ - CN = Amazon Root CA 1
+
+ - SHA-256 Fingerprint:
+ 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
+
+ - CN = Amazon Root CA 2
+
+ - SHA-256 Fingerprint:
+ 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
+
+ - CN = Amazon Root CA 3
+
+ - SHA-256 Fingerprint:
+ 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
+
+ - CN = Amazon Root CA 4
+
+ - SHA-256 Fingerprint:
+ E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
+
+ - CN = LuxTrust Global Root 2
+
+ - SHA-256 Fingerprint:
+ 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5
+
+ - CN = Symantec Class 1 Public Primary Certification Authority - G4
+
+ - SHA-256 Fingerprint:
+ 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF
+
+ - CN = Symantec Class 1 Public Primary Certification Authority - G6
+
+ - SHA-256 Fingerprint:
+ 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9
+
+ - CN = Symantec Class 2 Public Primary Certification Authority - G4
+
+ - SHA-256 Fingerprint:
+ FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92
+
+ - CN = Symantec Class 2 Public Primary Certification Authority - G6
+
+ - SHA-256 Fingerprint:
+ CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0
+
+ - The version number of the updated root CA list has been set to 2.11
+ - A misleading assertion/alert has been removed, when NSS tries to flush data to the peer but
+ the connection was already reset.
+
+.. _bugs_fixed_in_nss_3.28.1:
+
+`Bugs fixed in NSS 3.28.1 <#bugs_fixed_in_nss_3.28.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ | `Bug 1296697 - December 2016 batch of root CA
+ changes <https://bugzilla.mozilla.org/show_bug.cgi?id=1296697>`__
+ | `Bug 1322496 - Internal error assert when the other side closes connection before reading
+ EOED <https://bugzilla.mozilla.org/show_bug.cgi?id=1322496>`__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst
new file mode 100644
index 0000000000..6bfa1fe610
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst
@@ -0,0 +1,79 @@
+.. _mozilla_projects_nss_nss_3_28_2_release_notes:
+
+NSS 3.28.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.2 is a patch release for NSS 3.28.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_2_RTM. NSS 3.28.2 requires NSPR 4.13.1 or newer.
+
+ NSS 3.28.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_2_RTM/src/
+
+.. _incorrect_version_number:
+
+`Incorrect version number <#incorrect_version_number>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Note the version numbers embedded in the NSS 3.28.2 are wrong (it reports itself as version
+ 3.28.1).
+
+.. _new_in_nss_3.28.2:
+
+`New in NSS 3.28.2 <#new_in_nss_3.28.2>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release includes bug fixes
+ and addresses some compatibility issues with TLS.
+
+.. _bugs_fixed_in_nss_3.28.2:
+
+`Bugs fixed in NSS 3.28.2 <#bugs_fixed_in_nss_3.28.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1334114 - NSS 3.28 regression in signature scheme flexibility, causes connectivity issue
+ between iOS 8 clients and NSS servers with ECDSA
+ certificates <https://bugzilla.mozilla.org/show_bug.cgi?id=1334114>`__
+ - `Bug 1330612 - X25519 is the default curve for ECDHE in
+ NSS <https://bugzilla.mozilla.org/show_bug.cgi?id=1330612>`__
+ - `Bug 1323150 - Crash [@ ReadDBEntry
+ ] <https://bugzilla.mozilla.org/show_bug.cgi?id=1323150>`__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst
new file mode 100644
index 0000000000..272516d5a6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst
@@ -0,0 +1,95 @@
+.. _mozilla_projects_nss_nss_3_28_3_release_notes:
+
+NSS 3.28.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.3 is a patch release for NSS 3.28. The bug fixes in NSS
+ 3.28.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_3_RTM. NSS 3.28.3 requires Netscape Portable Runtime(NSPR) 4.13.1 or
+ newer.
+
+ NSS 3.28.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_28_3_RTM/src/
+
+.. _new_in_nss_3.28.3:
+
+`New in NSS 3.28.3 <#new_in_nss_3.28.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix binary
+ compatibility issues.
+
+.. _bugs_fixed_in_nss_3.28.3:
+
+`Bugs fixed in NSS 3.28.3 <#bugs_fixed_in_nss_3.28.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS version 3.28, 3.28.1 and 3.28.2 contained changes that were in violation with the NSS
+ compatibility promise.
+
+ ECParams, which is part of the public API of the freebl/softokn parts of NSS, had been changed to
+ include an additional attribute. That size increase caused crashes or malfunctioning with
+ applications that use that data structure directly, or indirectly through ECPublicKey,
+ ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially other data structures that
+ reference ECParams. The change has been reverted to the original state in `bug
+ 1334108 <https://bugzilla.mozilla.org/show_bug.cgi?id=1334108>`__.
+
+ SECKEYECPublicKey had been extended with a new attribute, named "encoding". If an application
+ passed type SECKEYECPublicKey to NSS (as part of SECKEYPublicKey), the NSS library read the
+ uninitialized attribute. With this NSS release SECKEYECPublicKey.encoding is deprecated. NSS no
+ longer reads the attribute, and will always set it to ECPoint_Undefined. See `bug
+ 1340103 <https://bugzilla.mozilla.org/show_bug.cgi?id=1340103>`__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.3 shared libraries are backward compatible with most older NSS 3.x shared libraries, but
+ depending on your application, may be incompatible, if you application has been compiled against
+ header files of versions 3.28, 3.28.1, or 3.28.2.
+
+ A program linked with most older NSS 3.x shared libraries (excluding the exceptions mentioned
+ above), will work with NSS 3.28.3 shared libraries without recompiling or relinking. Furthermore,
+ applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions
+ will remain compatible with future versions of the NSS shared libraries.
+
+ If you had compiled your application against header files of NSS 3.28, NSS 3.28.1 or NSS 3.28.2,
+ it is recommended that you recompile your application against NSS 3.28.3, at the time you upgrade
+ to NSS 3.28.3.
+
+ Please note that NSS 3.29 also contained the incorrect change. You should avoid using NSS 3.29,
+ and rather use NSS 3.29.1 or a newer version. See also the
+ :ref:`mozilla_projects_nss_nss_3_29_1_release_notes`
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst
new file mode 100644
index 0000000000..9b213e5456
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst
@@ -0,0 +1,77 @@
+.. _mozilla_projects_nss_nss_3_28_4_release_notes:
+
+NSS 3.28.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.4 is a security patch release for NSS 3.28. The bug fixes in
+ NSS 3.28.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_4_RTM. NSS 3.28.4 requires NSPR 4.13.1 or newer.
+
+ NSS 3.28.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_4_RTM/src/
+
+.. _new_in_nss_3.28.4:
+
+`New in NSS 3.28.4 <#new_in_nss_3.28.4>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.28.4:
+
+`Bugs fixed in NSS 3.28.4 <#bugs_fixed_in_nss_3.28.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
+ in Base64 encoding in NSS
+ (`CVE-2017-5461 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461>`__)
+ - `Bug 1345089 <https://bugzilla.mozilla.org/show_bug.cgi?id=1345089>`__ / DRBG flaw in NSS
+ (`CVE-2017-5462 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5462>`__)
+ - `Bug 1342358 - Crash in
+ tls13_DestroyKeyShares <https://bugzilla.mozilla.org/show_bug.cgi?id=1342358>`__
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Ronald Crane and Vladimir Klebanov for responsibly
+ disclosing the issues by providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst
new file mode 100644
index 0000000000..224649d596
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst
@@ -0,0 +1,116 @@
+.. _mozilla_projects_nss_nss_3_28_5_release_notes:
+
+NSS 3.28.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.5 is a patch release for NSS 3.28. The bug fixes in NSS
+ 3.28.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_5_RTM. NSS 3.28.5 requires NSPR 4.13.1 or newer.
+
+ NSS 3.28.5 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_5_RTM/src/
+
+.. _new_in_nss_3.28.5:
+
+`New in NSS 3.28.5 <#new_in_nss_3.28.5>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates. It backports the changes that were initially released in
+ :ref:`mozilla_projects_nss_nss_3_30_2_release_notes`.
+
+.. _notable_changes_in_nss_3.28.5:
+
+`Notable Changes in NSS 3.28.5 <#notable_changes_in_nss_3.28.5>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Removed:**
+
+ - O = Japanese Government, OU = ApplicationCA
+
+ - SHA-256 Fingerprint:
+ 2D:47:43:7D:E1:79:51:21:5A:12:F3:C5:8E:51:C7:29:A5:80:26:EF:1F:CC:0A:5F:B3:D9:DC:01:2F:60:0D:19
+
+ - CN = WellsSecure Public Root Certificate Authority
+
+ - SHA-256 Fingerprint:
+ A7:12:72:AE:AA:A3:CF:E8:72:7F:7F:B3:9F:0F:B3:D1:E5:42:6E:90:60:B0:6E:E6:F1:3E:9A:3C:58:33:CD:43
+
+ - CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+
+ - SHA-256 Fingerprint:
+ 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
+
+ - CN=Microsec e-Szigno Root
+
+ - SHA-256 Fingerprint:
+ 32:7A:3D:76:1A:BA:DE:A0:34:EB:99:84:06:27:5C:B1:A4:77:6E:FD:AE:2F:DF:6D:01:68:EA:1C:4F:55:67:D0
+
+ - The following CA certificates were **Added:**
+
+ - CN = D-TRUST Root CA 3 2013
+
+ - SHA-256 Fingerprint:
+ A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
+ - Trust Flags: Email
+
+ - CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+
+ - SHA-256 Fingerprint:
+ 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
+ - Trust Flags: Websites
+ - Technically constrained to: gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr,
+ edu.tr, org.tr
+
+ - The version number of the updated root CA list has been set to 2.14.
+ (The version numbers 2.12 and 2.13 for the root CA list have been skipped.)
+
+.. _bugs_fixed_in_nss_3.28.5:
+
+`Bugs fixed in NSS 3.28.5 <#bugs_fixed_in_nss_3.28.5>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1350859 <https://bugzilla.mozilla.org/show_bug.cgi?id=1350859>`__ - March 2017 batch of
+ root CA changes.
+ - `Bug 1349705 <https://bugzilla.mozilla.org/show_bug.cgi?id=1349705>`__ - Implemented domain
+ name constraints for CA: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst
new file mode 100644
index 0000000000..6e5f14573a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst
@@ -0,0 +1,170 @@
+.. _mozilla_projects_nss_nss_3_28_release_notes:
+
+NSS 3.28 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.28, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_28_RTM. NSS 3.28 requires Netscape Portable Runtime(NSPR) 4.13.1 or newer.
+
+ NSS 3.28 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_RTM/src/
+
+.. _new_in_nss_3.28:
+
+`New in NSS 3.28 <#new_in_nss_3.28>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - NSS includes support for `TLS 1.3 draft
+ -18 <https://datatracker.ietf.org/doc/html/draft-ietf-tls-tls13-18>`__. This includes a
+ number of improvements to TLS 1.3:
+
+ - The signed certificate timestamp, used in certificate transparency, is supported in TLS 1.3
+ (`bug 1252745 <https://bugzilla.mozilla.org/show_bug.cgi?id=1252745>`__).
+ - Key exporters for TLS 1.3 are supported (`bug
+ 1310610 <https://bugzilla.mozilla.org/show_bug.cgi?id=1310610>`__). This includes the
+ early key exporter, which can be used if 0-RTT is enabled. Note that there is a difference
+ between TLS 1.3 and key exporters in older versions of TLS. TLS 1.3 does not distinguish
+ between an empty context and no context.
+ - The TLS 1.3 (draft) protocol can be enabled, by defining NSS_ENABLE_TLS_1_3=1 when building
+ NSS.
+
+ - NSS includes support for `the X25519 key exchange
+ algorithm <https://datatracker.ietf.org/doc/html/rfc7748>`__ (`bug
+ 957105 <https://bugzilla.mozilla.org/show_bug.cgi?id=957105>`__), which is supported and
+ enabled by default in all versions of TLS.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - in ssl.h
+
+ - **SSL_ExportEarlyKeyingMaterial** implements a key exporter based on the TLS 1.3 early
+ exporter secret. This API is equivalent in function to SSL_ExportKeyingMaterial, but it
+ can only succeed if 0-RTT was attempted (on the client) or accepted (on the server).
+
+ - **SSL_SendAdditionalKeyShares** configures a TLS 1.3 client so that it generates additional
+ key shares when sending a ClientHello.
+
+ - **SSL_SignatureSchemePrefSet** allows an application to set which signature schemes should
+ be supported in TLS and to specify the preference order of those schemes.
+
+ - **SSL_SignatureSchemePrefGet** allows an application to learn the currently supported and
+ enabled signature schemes for a socket.
+
+.. _request_to_test_and_prepare_for_tls_1.3:
+
+`Request to test and prepare for TLS 1.3 <#request_to_test_and_prepare_for_tls_1.3>`__
+--------------------------------------------------------------------------------------
+
+.. container::
+
+ This release contains improved support for TLS 1.3, however, the code that supports TLS 1.3 is
+ still disabled by default (not built).
+
+ For the future NSS 3.29 release, it is planned that standard builds of NSS will support the TLS
+ 1.3 protocol (although the maximum TLS protocol version enabled by default will remain at TLS
+ 1.2).
+
+ We know that some applications which use NSS, query NSS for the supported range of SSL/TLS
+ protocols, and will enable the maximum enabled protocol version. In NSS 3.29, those applications
+ will therefore enable support for the TLS 1.3 protocol.
+
+ In order to prepare for this future change, we'd like to encourage all users of NSS to override
+ the standard NSS 3.28 build configuration, by defining NSS_ENABLE_TLS_1_3=1 at build time. This
+ will enable support for TLS 1.3. Please give feedback to the NSS developers for any compatibility
+ issues that you encounter in your tests.
+
+.. _notable_changes_in_nss_3.28:
+
+`Notable Changes in NSS 3.28 <#notable_changes_in_nss_3.28>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - NSS can no longer be compiled with support for additional elliptic curves (the
+ NSS_ECC_MORE_THAN_SUITE_B option, `bug
+ 1253912 <https://bugzilla.mozilla.org/show_bug.cgi?id=1253912>`__). This was previously
+ possible by replacing certain NSS source files.
+ - NSS will now detect the presence of tokens that support additional elliptic curves and enable
+ those curves for use in TLS (`bug
+ 1303648 <https://bugzilla.mozilla.org/show_bug.cgi?id=1303648>`__). Note that this detection
+ has a one-off performance cost, which can be avoided by using the SSL_NamedGroupConfig
+ function, to limit supported groups to those that NSS provides.
+ - PKCS#11 bypass for TLS is no longer supported and has been removed (`bug
+ 1303224 <https://bugzilla.mozilla.org/show_bug.cgi?id=1303224>`__).
+ - Support for "export" grade SSL/TLS cipher suites has been removed (`bug
+ 1252849 <https://bugzilla.mozilla.org/show_bug.cgi?id=1252849>`__).
+ - NSS now uses the signature schemes definition in TLS 1.3 (`bug
+ 1309446 <https://bugzilla.mozilla.org/show_bug.cgi?id=1309446>`__). This also affects TLS
+ 1.2. NSS will now only generate signatures with the combinations of hash and signature scheme
+ that are defined in TLS 1.3, even when negotiating TLS 1.2.
+
+ - This means that SHA-256 will only be used with P-256 ECDSA certificates, SHA-384 with P-384
+ certificates, and SHA-512 with P-521 certificates. SHA-1 is permitted (in TLS 1.2 only)
+ with any certificate for backward compatibility reasons.
+ - New functions to configure signature schemes are provided: **SSL_SignatureSchemePrefSet,
+ SSL_SignatureSchemePrefGet**. The old SSL_SignaturePrefSet and SSL_SignaturePrefSet
+ functions are now deprecated.
+ - NSS will now no longer assume that default signature schemes are supported by a peer if
+ there was no commonly supported signature scheme.
+
+ - NSS will now check if RSA-PSS signing is supported by the token that holds the private key
+ prior to using it for TLS (`bug
+ 1311950 <https://bugzilla.mozilla.org/show_bug.cgi?id=1311950>`__).
+ - The certificate validation code contains checks to no longer trust certificates that are
+ issued by old WoSign and StartCom CAs, after October 21, 2016. This is equivalent to the
+ behavior that Mozilla will release with Firefox 51. Background information can be found in
+ `Mozilla's blog
+ post <https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/>`__.
+
+.. _bugs_fixed_in_nss_3.28:
+
+`Bugs fixed in NSS 3.28 <#bugs_fixed_in_nss_3.28>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.28:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.28
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst
new file mode 100644
index 0000000000..7bd3ccee49
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst
@@ -0,0 +1,94 @@
+.. _mozilla_projects_nss_nss_3_29_1_release_notes:
+
+NSS 3.29.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.29.1 is a patch release for NSS 3.29. The bug fixes in NSS
+ 3.29.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_29_1_RTM. NSS 3.29.1 requires Netscape Portable Runtime(NSPR) 4.13.1 or
+ newer.
+
+ NSS 3.29.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_29_1_RTM/src/
+
+.. _new_in_nss_3.29.1:
+
+`New in NSS 3.29.1 <#new_in_nss_3.29.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix binary
+ compatibility issues.
+
+.. _bugs_fixed_in_nss_3.29.1:
+
+`Bugs fixed in NSS 3.29.1 <#bugs_fixed_in_nss_3.29.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS version 3.28, 3.28.1, 3.28.2 and 3.29 contained changes that were in violation with the NSS
+ compatibility promise.
+
+ ECParams, which is part of the public API of the freebl/softokn parts of NSS, had been changed to
+ include an additional attribute. That size increase caused crashes or malfunctioning with
+ applications that use that data structure directly, or indirectly through ECPublicKey,
+ ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially other data structures that
+ reference ECParams. The change has been reverted to the original state in `bug
+ 1334108 <https://bugzilla.mozilla.org/show_bug.cgi?id=1334108>`__.
+
+ SECKEYECPublicKey had been extended with a new attribute, named "encoding". If an application
+ passed type SECKEYECPublicKey to NSS (as part of SECKEYPublicKey), the NSS library read the
+ uninitialized attribute. With this NSS release SECKEYECPublicKey.encoding is deprecated. NSS no
+ longer reads the attribute, and will always set it to ECPoint_Undefined. See `bug
+ 1340103 <https://bugzilla.mozilla.org/show_bug.cgi?id=1340103>`__.
+
+ Note that NSS 3.28.3 from the older NSS 3.28.x branch
+ :ref:`mozilla_projects_nss_nss_3_28_3_release_notes` with the identical fixes.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29.1 shared libraries are backward compatible with most older NSS 3.x shared libraries, but
+ depending on your application, may be incompatible, if you application has been compiled against
+ header files of versions 3.28, 3.28.1, 3.28.2 NSS 3.29.1.
+
+ A program linked with most older NSS 3.x shared libraries (excluding the exceptions mentioned
+ above), will work with NSS 3.29.1 shared libraries without recompiling or relinking. Furthermore,
+ applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions
+ will remain compatible with future versions of the NSS shared libraries.
+
+ If you had compiled your application against header files of NSS 3.28, NSS 3.28.1, NSS 3.28.2 or
+ NSS 3.29, it is recommended that you recompile your application against NSS 3.29.1 (or NSS
+ 3.28.3), at the time you upgrade to NSS 3.29.1 (or NSS 3.28.3).
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst
new file mode 100644
index 0000000000..330728d9e7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_nss_3_29_2_release_notes:
+
+NSS 3.29.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.29.2 is a patch release for NSS 3.29. The bug fixes in NSS
+ 3.29.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_29_2_RTM. NSS 3.29.2 requires Netscape Portable Runtime(NSPR) 4.13.1 or
+ newer.
+
+ NSS 3.29.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_29_2_RTM/src/
+
+.. _new_in_nss_3.29.2:
+
+`New in NSS 3.29.2 <#new_in_nss_3.29.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.29.2:
+
+`Bugs fixed in NSS 3.29.2 <#bugs_fixed_in_nss_3.29.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS 3.29 and 3.29.1 included a change that reduced the time that NSS considered a TLS session
+ ticket to be valid. This release restores the session ticket lifetime to the intended value. See
+ `Bug 1340841 <https://bugzilla.mozilla.org/show_bug.cgi?id=1340841>`__ for details.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.29.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst
new file mode 100644
index 0000000000..bae366b96e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst
@@ -0,0 +1,73 @@
+.. _mozilla_projects_nss_nss_3_29_3_release_notes:
+
+NSS 3.29.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.29.3 is a patch release for NSS 3.29. The bug fixes in NSS
+ 3.29.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_29_3_RTM. NSS 3.29.3 requires NSPR 4.13.1 or newer.
+
+ NSS 3.29.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_3_RTM/src/
+
+.. _new_in_nss_3.29.3:
+
+`New in NSS 3.29.3 <#new_in_nss_3.29.3>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _notable_changes_in_nss_3.29.3:
+
+`Notable Changes in NSS 3.29.3 <#notable_changes_in_nss_3.29.3>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - A rare crash when initializing an SSL socket fails has been fixed.
+
+.. _bugs_fixed_in_nss_3.29.3:
+
+`Bugs fixed in NSS 3.29.3 <#bugs_fixed_in_nss_3.29.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ `Bug 1342358 - Crash in
+ tls13_DestroyKeyShares <https://bugzilla.mozilla.org/show_bug.cgi?id=1342358>`__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.29.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst
new file mode 100644
index 0000000000..d4dd1eafd7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_nss_3_29_5_release_notes:
+
+NSS 3.29.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.29.5 is a security patch release for NSS 3.29. The bug fixes in
+ NSS 3.29.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_29_5_RTM. NSS 3.29.5 requires NSPR 4.13.1 or newer.
+
+ NSS 3.29.5 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_5_RTM/src/
+
+.. _new_in_nss_3.29.5:
+
+`New in NSS 3.29.5 <#new_in_nss_3.29.5>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.29.5:
+
+`Bugs fixed in NSS 3.29.5 <#bugs_fixed_in_nss_3.29.5>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
+ in Base64 encoding in NSS
+ (`CVE-2017-5461 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461>`__)
+ - `Bug 1345089 <https://bugzilla.mozilla.org/show_bug.cgi?id=1345089>`__ / DRBG flaw in NSS
+ (`CVE-2017-5462 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5462>`__)
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Ronald Crane and Vladimir Klebanov for responsibly
+ disclosing the issues by providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.29.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst
new file mode 100644
index 0000000000..d43a743c70
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_nss_3_29_release_notes:
+
+NSS 3.29 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.29, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_29_RTM. NSS 3.29 requires Netscape Portable Runtime(NSPR) 4.13.1 or newer.
+
+ NSS 3.29 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_RTM/src/
+
+.. _notable_changes_in_nss_3.29:
+
+`Notable Changes in NSS 3.29 <#notable_changes_in_nss_3.29>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Fixed a NSS 3.28 regression in the signature scheme flexibility that causes connectivity
+ issues between iOS 8 clients and NSS servers with ECDSA certificates
+ (`bug1334114 <https://bugzilla.mozilla.org/show_bug.cgi?id=1334114>`__).
+ - TLS 1.3 is now enabled by default in
+ (`bug1311296 <https://bugzilla.mozilla.org/show_bug.cgi?id=1311296>`__).
+
+.. _bugs_fixed_in_nss_3.29:
+
+`Bugs fixed in NSS 3.29 <#bugs_fixed_in_nss_3.29>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.29:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.29
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.29 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst
new file mode 100644
index 0000000000..cafb0f58b8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst
@@ -0,0 +1,73 @@
+.. _mozilla_projects_nss_nss_3_30_1_release_notes:
+
+NSS 3.30.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.30.1 is a security patch release for NSS 3.30. The bug fixes in
+ NSS 3.30.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_30_1_RTM. NSS 3.30.1 requires NSPR 4.14 or newer.
+
+ NSS 3.30.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_1_RTM/src/
+
+.. _new_in_nss_3.30.1:
+
+`New in NSS 3.30.1 <#new_in_nss_3.30.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.30.1:
+
+`Bugs fixed in NSS 3.30.1 <#bugs_fixed_in_nss_3.30.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
+ in Base64 encoding in NSS
+ (`CVE-2017-5461 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461>`__)
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Ronald Crane for responsibly disclosing the issue by
+ providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.30.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.30.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst
new file mode 100644
index 0000000000..cd3c9edf05
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst
@@ -0,0 +1,115 @@
+.. _mozilla_projects_nss_nss_3_30_2_release_notes:
+
+NSS 3.30.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.30.2 is a patch release for NSS 3.30. The bug fixes in NSS
+ 3.30.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_30_2_RTM. NSS 3.30.2 requires NSPR 4.14 or newer.
+
+ NSS 3.30.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_2_RTM/src/
+
+.. _new_in_nss_3.30.2:
+
+`New in NSS 3.30.2 <#new_in_nss_3.30.2>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates.
+
+.. _notable_changes_in_nss_3.30.2:
+
+`Notable Changes in NSS 3.30.2 <#notable_changes_in_nss_3.30.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Removed**:
+
+ - O = Japanese Government, OU = ApplicationCA
+
+ - SHA-256 Fingerprint:
+ 2D:47:43:7D:E1:79:51:21:5A:12:F3:C5:8E:51:C7:29:A5:80:26:EF:1F:CC:0A:5F:B3:D9:DC:01:2F:60:0D:19
+
+ - CN = WellsSecure Public Root Certificate Authority
+
+ - SHA-256 Fingerprint:
+ A7:12:72:AE:AA:A3:CF:E8:72:7F:7F:B3:9F:0F:B3:D1:E5:42:6E:90:60:B0:6E:E6:F1:3E:9A:3C:58:33:CD:43
+
+ - CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+
+ - SHA-256 Fingerprint:
+ 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
+
+ - CN=Microsec e-Szigno Root
+
+ - SHA-256 Fingerprint:
+ 32:7A:3D:76:1A:BA:DE:A0:34:EB:99:84:06:27:5C:B1:A4:77:6E:FD:AE:2F:DF:6D:01:68:EA:1C:4F:55:67:D0
+
+ - The following CA certificates were **Added**:
+
+ - CN = D-TRUST Root CA 3 2013
+
+ - SHA-256 Fingerprint:
+ A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
+ - Trust Flags: Email
+
+ - CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+
+ - SHA-256 Fingerprint:
+ 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
+ - Trust Flags: Websites
+ - Technically constrained to: gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr,
+ edu.tr, org.tr
+
+ - The version number of the updated root CA list has been set to 2.14
+ (The version numbers 2.12 and 2.13 for the root CA list have been skipped.)
+
+.. _bugs_fixed_in_nss_3.30.2:
+
+`Bugs fixed in NSS 3.30.2 <#bugs_fixed_in_nss_3.30.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1350859 <https://bugzilla.mozilla.org/show_bug.cgi?id=1350859>`__ - March 2017 batch of
+ root CA changes
+ - `Bug 1349705 <https://bugzilla.mozilla.org/show_bug.cgi?id=1349705>`__ - Implemented domain
+ name constraints for CA: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.30.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.30.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst
new file mode 100644
index 0000000000..3a2a0e0e12
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst
@@ -0,0 +1,125 @@
+.. _mozilla_projects_nss_nss_3_30_release_notes:
+
+NSS 3.30 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.30, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_30_RTM. NSS 3.30 requires Netscape Portable Runtime (NSPR); 4.13.1 or newer.
+
+ NSS 3.30 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_RTM/src/
+
+.. _new_in_nss_3.30:
+
+`New in NSS 3.30 <#new_in_nss_3.30>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - In the PKCS#11 root CA module (nssckbi), CAs with positive trust are marked with a new boolean
+ attribute, CKA_NSS_MOZILLA_CA_POLICY, set to true. Applications that need to distinguish them
+ from other root CAs, may use the exported function PK11_HasAttributeSet.
+ - Support for callback functions that can be used to monitor SSL/TLS alerts that are sent or
+ received.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_CompareAVA** - performs a comparison of two CERTAVA structures, and returns a
+ SECComparison result.
+
+ - *in pk11pub.h*
+
+ - **PK11_HasAttributeSet** - allows to check if a PKCS#11 object in a given slot has a
+ specific boolean attribute set.
+
+ - *in ssl.h*
+
+ - **SSL_AlertReceivedCallback** - register a callback function, that will be called whenever
+ an SSL/TLS alert is received
+ - **SSL_AlertSentCallback** - register a callback function, that will be called whenever an
+ SSL/TLS alert is sent
+ - **SSL_SetSessionTicketKeyPair** - configures an asymmetric key pair, for use in wrapping
+ session ticket keys, used by the server. This function currently only accepts an RSA
+ public/private key pair.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in ciferfam.h*
+
+ - **PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256** - cipher family identifiers
+ corresponding to the PKCS#5 v2.1 AES based encryption schemes used in the PKCS#12 support
+ in NSS
+
+ - *in pkcs11n.h*
+
+ - **CKA_NSS_MOZILLA_CA_POLICY** - identifier for a boolean PKCS#11 attribute, that should be
+ set to true, if a CA is present because of it's acceptance according to the Mozilla CA
+ Policy
+
+.. _notable_changes_in_nss_3.30:
+
+`Notable Changes in NSS 3.30 <#notable_changes_in_nss_3.30>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The TLS server code has been enhanced to support session tickets when no RSA certificate (e.g.
+ only an ECDSA certificate) is configured.
+ - RSA-PSS signatures produced by key pairs with a modulus bit length that is not a multiple of 8
+ are now supported.
+ - The pk12util tool now supports importing and exporting data encrypted in the AES based schemes
+ defined in PKCS#5 v2.1.
+
+.. _bugs_fixed_in_nss_3.30:
+
+`Bugs fixed in NSS 3.30 <#bugs_fixed_in_nss_3.30>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.30:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.30
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.30 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.30 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst
new file mode 100644
index 0000000000..19f938d942
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_nss_3_31_1_release_notes:
+
+NSS 3.31.1 release notes
+========================
+
+.. container::
+
+ .. note::
+
+ **This is a DRAFT document.** This notice will be removed when completed.
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.31.1, which is a patch release for
+ NSS 3.31.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_31_1_RTM. NSS 3.31.1 requires Netscape Portable Runtime (NSPR) 4.15, or
+ newer.
+
+ NSS 3.31.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_31_1_RTM/src/
+
+.. _new_in_nss_3.31.1:
+
+`New in NSS 3.31.1 <#new_in_nss_3.31.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.31.1:
+
+`Bugs fixed in NSS 3.31.1 <#bugs_fixed_in_nss_3.31.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1381784 <https://bugzilla.mozilla.org/show_bug.cgi?id=1381784>`__ - Potential deadlock
+ when using an external PKCS#11 token.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.31.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.31.1 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst
new file mode 100644
index 0000000000..105ac86f1d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst
@@ -0,0 +1,129 @@
+.. _mozilla_projects_nss_nss_3_31_release_notes:
+
+NSS 3.31 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.31, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_31_RTM. NSS 3.31 requires Netscape Portable Runtime (NSPR) 4.15 or newer.
+
+ NSS 3.31 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_31_RTM/src/
+
+.. _new_in_nss_3.31:
+
+`New in NSS 3.31 <#new_in_nss_3.31>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Allow certificates to be specified by RFC7512 PKCS#11 URIs.
+ - Allow querying a certificate object for its temporary or permanent storage status in a thread
+ safe way.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_GetCertIsPerm** - retrieve the permanent storage status attribute of a certificate
+ in a thread safe way.
+ - **CERT_GetCertIsTemp** - retrieve the temporary storage status attribute of a certificate
+ in a thread safe way.
+
+ - *in pk11pub.h*
+
+ - **PK11_FindCertFromURI** - find a certificate identified by the given URI.
+ - **PK11_FindCertsFromURI** - find a list of certificates identified by the given URI.
+ - **PK11_GetModuleURI** - retrieve the URI of the given module.
+ - **PK11_GetTokenURI** - retrieve the URI of a token based on the given slot information.
+
+ - *in pkcs11uri.h*
+
+ - **PK11URI_CreateURI** - create a new PK11URI object from a set of attributes.
+ - **PK11URI_DestroyURI** - destroy a PK11URI object.
+ - **PK11URI_FormatURI** - format a PK11URI object to a string.
+ - **PK11URI_GetPathAttribute** - retrieve a path attribute with the given name.
+ - **PK11URI_GetQueryAttribute** - retrieve a query attribute with the given name.
+ - **PK11URI_ParseURI** - parse PKCS#11 URI and return a new PK11URI object.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in pkcs11uri.h*
+
+ - Several new macros that start with **PK11URI_PATTR\_** for path attributes defined in
+ RFC7512.
+ - Several new macros that start with **PK11URI_QATTR\_** for query attributes defined in
+ RFC7512.
+
+.. _notable_changes_in_nss_3.31:
+
+`Notable Changes in NSS 3.31 <#notable_changes_in_nss_3.31>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The APIs that set a TLS version range have been changed to trim the requested range to the
+ overlap with a systemwide crypto policy, if configured. **SSL_VersionRangeGetSupported** can
+ be used to query the overlap between the library's supported range of TLS versions and the
+ systemwide policy.
+ - Previously, **SSL_VersionRangeSet** and **SSL_VersionRangeSetDefault** returned a failure if
+ the requested version range wasn't fully allowed by the systemwide crypto policy. They have
+ been changed to return success, if at least one TLS version overlaps between the requested
+ range and the systemwide policy. An application may call **SSL_VersionRangeGet**
+ and **SSL_VersionRangeGetDefault** to query the TLS version range that was effectively
+ activated.
+ - Corrected the encoding of Domain Name Constraints extensions created by certutil
+ - NSS supports a clean seeding mechanism for \*NIX systems now using only /dev/urandom. This is
+ used only when SEED_ONLY_DEV_URANDOM is set at compile time.
+ - CERT_AsciiToName can handle OIDs in dotted decimal form now.
+
+.. _bugs_fixed_in_nss_3.31:
+
+`Bugs fixed in NSS 3.31 <#bugs_fixed_in_nss_3.31>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.31:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.31
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.31 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.31 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst
new file mode 100644
index 0000000000..3fe3beaf2b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst
@@ -0,0 +1,143 @@
+.. _mozilla_projects_nss_nss_3_32_release_notes:
+
+NSS 3.32 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.32, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_32_RTM. NSS 3.32 requires Netscape Portable Runtime (NSPR) 4.16, or newer.
+
+ NSS 3.32 source distributions are available on ftp.mozilla.org, for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_32_RTM/src/
+
+.. _notable_changes_in_nss_3.32:
+
+`Notable Changes in NSS 3.32 <#notable_changes_in_nss_3.32>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Various minor improvements and correctness fixes.
+ - The Code Signing trust bit was **turned off** for all, included root certificates.
+ - The Websites (TLS/SSL) trust bit was **turned off** for the following root certificates.
+
+ - CN = AddTrust Class 1 CA Root
+
+ - SHA-256 Fingerprint:
+ 8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7
+
+ - CN = Swisscom Root CA 2
+
+ - SHA-256 Fingerprint:
+ F0:9B:12:2C:71:14:F4:A0:9B:D4:EA:4F:4A:99:D5:58:B4:6E:4C:25:CD:81:14:0D:29:C0:56:13:91:4C:38:41
+
+ - The following CA certificates were **Removed**:
+
+ - CN = AddTrust Public CA Root
+
+ - SHA-256 Fingerprint:
+ 07:91:CA:07:49:B2:07:82:AA:D3:C7:D7:BD:0C:DF:C9:48:58:35:84:3E:B2:D7:99:60:09:CE:43:AB:6C:69:27
+
+ - CN = AddTrust Qualified CA Root
+
+ - SHA-256 Fingerprint:
+ 80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16
+
+ - CN = China Internet Network Information Center EV Certificates Root
+
+ - SHA-256 Fingerprint:
+ 1C:01:C6:F4:DB:B2:FE:FC:22:55:8B:2B:CA:32:56:3F:49:84:4A:CF:C3:2B:7B:E4:B0:FF:59:9F:9E:8C:7A:F7
+
+ - CN = CNNIC ROOT
+
+ - SHA-256 Fingerprint:
+ E2:83:93:77:3D:A8:45:A6:79:F2:08:0C:C7:FB:44:A3:B7:A1:C3:79:2C:B7:EB:77:29:FD:CB:6A:8D:99:AE:A7
+
+ - CN = ComSign Secured CA
+
+ - SHA-256 Fingerprint:
+ 50:79:41:C7:44:60:A0:B4:70:86:22:0D:4E:99:32:57:2A:B5:D1:B5:BB:CB:89:80:AB:1C:B1:76:51:A8:44:D2
+
+ - CN = GeoTrust Global CA 2
+
+ - SHA-256 Fingerprint:
+ CA:2D:82:A0:86:77:07:2F:8A:B6:76:4F:F0:35:67:6C:FE:3E:5E:32:5E:01:21:72:DF:3F:92:09:6D:B7:9B:85
+
+ - CN = Secure Certificate Services
+
+ - SHA-256 Fingerprint:
+ BD:81:CE:3B:4F:65:91:D1:1A:67:B5:FC:7A:47:FD:EF:25:52:1B:F9:AA:4E:18:B9:E3:DF:2E:34:A7:80:3B:E8
+
+ - CN = Swisscom Root CA 1
+
+ - SHA-256 Fingerprint:
+ 21:DB:20:12:36:60:BB:2E:D4:18:20:5D:A1:1E:E7:A8:5A:65:E2:BC:6E:55:B5:AF:7E:78:99:C8:A2:66:D9:2E
+
+ - CN = Swisscom Root EV CA 2
+
+ - SHA-256 Fingerprint:
+ D9:5F:EA:3C:A4:EE:DC:E7:4C:D7:6E:75:FC:6D:1F:F6:2C:44:1F:0F:A8:BC:77:F0:34:B1:9E:5D:B2:58:01:5D
+
+ - CN = Trusted Certificate Services
+
+ - SHA-256 Fingerprint:
+ 3F:06:E5:56:81:D4:96:F5:BE:16:9E:B5:38:9F:9F:2B:8F:F6:1E:17:08:DF:68:81:72:48:49:CD:5D:27:CB:69
+
+ - CN = UTN-USERFirst-Hardware
+
+ - SHA-256 Fingerprint:
+ 6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37
+
+ - CN = UTN-USERFirst-Object
+
+ - SHA-256 Fingerprint:
+ 6F:FF:78:E4:00:A7:0C:11:01:1C:D8:59:77:C4:59:FB:5A:F9:6A:3D:F0:54:08:20:D0:F4:B8:60:78:75:E5:8F
+
+.. _bugs_fixed_in_nss_3.32:
+
+`Bugs fixed in NSS 3.32 <#bugs_fixed_in_nss_3.32>`__
+----------------------------------------------------
+
+.. container::
+
+ NSS versions 3.28.x, 3.29.x. 3.30.x and 3.31.x contained a bug in function CERT_CompareName,
+ which caused the first RDN to be ignored. NSS version 3.32 fixed this bug. (CVE-2018-5149, `Bug
+ 1361197 <https://bugzilla.mozilla.org/show_bug.cgi?id=1361197>`__)
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.32:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.32
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.32 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.32 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (select the
+ product 'NSS'). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst
new file mode 100644
index 0000000000..aad5033f95
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst
@@ -0,0 +1,115 @@
+.. _mozilla_projects_nss_nss_3_33_release_notes:
+
+NSS 3.33 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.33, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_33_RTM. NSS 3.33 requires Netscape Portable Runtime (NSPR) 4.17, or newer.
+
+ NSS 3.33 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_33_RTM/src/
+
+.. _notable_changes_in_nss_3.33:
+
+`Notable Changes in NSS 3.33 <#notable_changes_in_nss_3.33>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - TLS compression is no longer supported. API calls that attempt to enable compression are
+ accepted without failure. However, TLS compression will remain disabled.
+ - This version of NSS uses a `formally verified
+ implementation <https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/>`__
+ of Curve25519 on 64-bit systems.
+ - The compile time flag DISABLE_ECC has been removed.
+ - When NSS is compiled without NSS_FORCE_FIPS=1 startup checks are no longer performed.
+ - Fixes CVE-2017-7805, a potential use-after-free in TLS 1.2 server, when verifying client
+ authentication.
+ - Various minor improvements and correctness fixes.
+
+.. _new_in_nss_3.33:
+
+`New in NSS 3.33 <#new_in_nss_3.33>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - When listing an NSS database, using certutil -L, and the database hasn't yet been initialized
+ with any non-empty or empty password, the text "Database needs user init" will be included in
+ the listing.
+ - When using certutil to set an inacceptable password in FIPS mode, a correct explanation of
+ acceptable passwords will be printed.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_FindCertByIssuerAndSNCX** - a variation of existing function
+ CERT_FindCertByIssuerAndSN that accepts an additional password context parameter.
+ - **CERT_FindCertByNicknameOrEmailAddrCX** - a variation of existing function
+ CERT_FindCertByNicknameOrEmailAddr that accepts an additional password context parameter.
+ - **CERT_FindCertByNicknameOrEmailAddrForUsageCX** - a variation of existing function
+ CERT_FindCertByNicknameOrEmailAddrForUsage that accepts an additional password context
+ parameter.
+
+ - *in secport.h*
+
+ - **NSS_SecureMemcmpZero** - check if a memory region is all zero in constant time.
+ - **PORT_ZAllocAligned** - allocate aligned memory.
+ - **PORT_ZAllocAlignedOffset** - allocate aligned memory for structs.
+
+ - *in ssl.h*
+
+ - **SSL_GetExperimentalAPI** - access experimental APIs in libssl.
+
+.. _bugs_fixed_in_nss_3.33:
+
+`Bugs fixed in NSS 3.33 <#bugs_fixed_in_nss_3.33>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.33:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.33
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.33 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.33 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (select product
+ 'NSS'). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst
new file mode 100644
index 0000000000..41eefa1489
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst
@@ -0,0 +1,94 @@
+.. _mozilla_projects_nss_nss_3_34_1_release_notes:
+
+NSS 3.34.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.34.1, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_34.1_RTM. NSS 3.34.1 requires Netscape Portable Runtime (NSPR) 4.17, or
+ newer.
+
+ NSS 3.34.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_34_1_RTM/src/
+
+.. _notable_changes_in_nss_3.34.1:
+
+`Notable Changes in NSS 3.34.1 <#notable_changes_in_nss_3.34.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificate was **Re-Added**. It was previously removed in NSS 3.34, but now
+ re-added with only the Email trust bit set. (`bug
+ 1418678 <https://bugzilla.mozilla.org/show_bug.cgi?id=1418678>`__)
+
+ - CN = Certum CA, O=Unizeto Sp. z o.o.
+
+ - SHA-256 Fingerprint:
+ D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24
+
+ - Removed entries from certdata.txt for actively distrusted certificates that have expired (`bug
+ 1409872 <https://bugzilla.mozilla.org/show_bug.cgi?id=1409872>`__).
+ - The version of the CA list was set to 2.20.
+
+.. _new_in_nss_3.34:
+
+`New in NSS 3.34 <#new_in_nss_3.34>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - None
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+.. _bugs_fixed_in_nss_3.34.1:
+
+`Bugs fixed in NSS 3.34.1 <#bugs_fixed_in_nss_3.34.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.34.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.34.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.34.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.34 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (select product
+ 'NSS'). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst
new file mode 100644
index 0000000000..faa36b9f3e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst
@@ -0,0 +1,215 @@
+.. _mozilla_projects_nss_nss_3_34_release_notes:
+
+NSS 3.34 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.34, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_34_RTM. NSS 3.34 requires Netscape Portable Runtime (NSPR) 4.17, or newer.
+
+ NSS 3.34 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_34_RTM/src/
+
+.. _notable_changes_in_nss_3.34:
+
+`Notable Changes in NSS 3.34 <#notable_changes_in_nss_3.34>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Added**:
+
+ - CN = GDCA TrustAUTH R5 ROOT
+
+ - SHA-256 Fingerprint:
+ BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93
+ - Trust Flags: Websites
+
+ - CN = SSL.com Root Certification Authority RSA
+
+ - SHA-256 Fingerprint:
+ 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69
+ - Trust Flags: Websites, Email
+
+ - CN = SSL.com Root Certification Authority ECC
+
+ - SHA-256 Fingerprint:
+ 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65
+ - Trust Flags: Websites, Email
+
+ - CN = SSL.com EV Root Certification Authority RSA R2
+
+ - SHA-256 Fingerprint:
+ 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C
+ - Trust Flags: Websites
+
+ - CN = SSL.com EV Root Certification Authority ECC
+
+ - SHA-256 Fingerprint:
+ 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8
+ - Trust Flags: Websites
+
+ - CN = TrustCor RootCert CA-1
+
+ - SHA-256 Fingerprint:
+ D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C
+ - Trust Flags: Websites, Email
+
+ - CN = TrustCor RootCert CA-2
+
+ - SHA-256 Fingerprint:
+ 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65
+ - Trust Flags: Websites, Email
+
+ - CN = TrustCor ECA-1
+
+ - SHA-256 Fingerprint:
+ 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C
+ - Trust Flags: Websites, Email
+
+ - The following CA certificates were **Removed**:
+
+ - CN = Certum CA, O=Unizeto Sp. z o.o.
+
+ - SHA-256 Fingerprint:
+ D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24
+
+ - CN = StartCom Certification Authority
+
+ - SHA-256 Fingerprint:
+ C7:66:A9:BE:F2:D4:07:1C:86:3A:31:AA:49:20:E8:13:B2:D1:98:60:8C:B7:B7:CF:E2:11:43:B8:36:DF:09:EA
+
+ - CN = StartCom Certification Authority
+
+ - SHA-256 Fingerprint:
+ E1:78:90:EE:09:A3:FB:F4:F4:8B:9C:41:4A:17:D6:37:B7:A5:06:47:E9:BC:75:23:22:72:7F:CC:17:42:A9:11
+
+ - CN = StartCom Certification Authority G2
+
+ - SHA-256 Fingerprint:
+ C7:BA:65:67:DE:93:A7:98:AE:1F:AA:79:1E:71:2D:37:8F:AE:1F:93:C4:39:7F:EA:44:1B:B7:CB:E6:FD:59:95
+
+ - CN = TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
+
+ - SHA-256 Fingerprint:
+ E4:C7:34:30:D7:A5:B5:09:25:DF:43:37:0A:0D:21:6E:9A:79:B9:D6:DB:83:73:A0:C6:9E:B1:CC:31:C7:C5:2A
+
+ - CN = ACEDICOM Root
+
+ - SHA-256 Fingerprint:
+ 03:95:0F:B4:9A:53:1F:3E:19:91:94:23:98:DF:A9:E0:EA:32:D7:BA:1C:DD:9B:C8:5D:B5:7E:D9:40:0B:43:4A
+
+ - CN = Certinomis - Autorité Racine
+
+ - SHA-256 Fingerprint:
+ FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17
+
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+
+ - SHA-256 Fingerprint:
+ 97:8C:D9:66:F2:FA:A0:7B:A7:AA:95:00:D9:C0:2E:9D:77:F2:CD:AD:A6:AD:6B:A7:4A:F4:B9:1C:66:59:3C:50
+
+ - CN = PSCProcert
+
+ - SHA-256 Fingerprint:
+ 3C:FC:3C:14:D1:F6:84:FF:17:E3:8C:43:CA:44:0C:00:B9:67:EC:93:3E:8B:FE:06:4C:A1:D7:2C:90:F2:AD:B0
+
+ - CN = CA 沃通根证书, O=WoSign CA Limited
+
+ - SHA-256 Fingerprint:
+ D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
+
+ - CN = Certification Authority of WoSign
+
+ - SHA-256 Fingerprint:
+ 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
+
+ - CN = Certification Authority of WoSign G2
+
+ - SHA-256 Fingerprint:
+ D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16
+
+ - CN = CA WoSign ECC Root
+
+ - SHA-256 Fingerprint:
+ 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02
+
+ - libfreebl no longer requires SSE2 instructions.
+
+.. _new_in_nss_3.34:
+
+`New in NSS 3.34 <#new_in_nss_3.34>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - When listing an NSS database. using ``certutil -L``, and the database hasn't yet been
+ initialized with any non-empty or empty password, the text "Database needs user init" will be
+ included in the listing.
+ - When using certutil, to set an inacceptable password in FIPS mode, a correct explanation of
+ acceptable passwords will be printed.
+ - SSLKEYLOGFILE is now supported with TLS 1.3, see `Bug
+ 1287711 <https://bugzilla.mozilla.org/show_bug.cgi?id=1287711>`__ for details.
+ - ``SSLChannelInfo`` has two new fields (Bug
+ `1396525 <https://bugzilla.mozilla.org/show_bug.cgi?id=1396525>`__)
+
+ - ``SSLNamedGroup originalKeaGroup`` holds the key exchange group of the original handshake,
+ when the session was resumed.
+ - ``PRBool resumed`` is ``PR_TRUE`` when the session is resumed, and ``PR_FALSE`` otherwise.
+
+ - RSA-PSS signatures are now supported on certificates. Certificates with RSA-PSS or
+ RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS signature on a certificate, using the
+ ``--pss-sign`` argument to ``certutil``.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+.. _bugs_fixed_in_nss_3.34:
+
+`Bugs fixed in NSS 3.34 <#bugs_fixed_in_nss_3.34>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.34:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.34
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.34 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.34 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (select product
+ 'NSS'). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst
new file mode 100644
index 0000000000..08ee8643da
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst
@@ -0,0 +1,273 @@
+.. _mozilla_projects_nss_nss_3_35_release_notes:
+
+NSS 3.35 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.35, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_35_RTM. NSS 3.35 requires NSPR 4.18, or newer.
+
+ NSS 3.35 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_35_RTM/src/
+
+.. _new_in_nss_3.35:
+
+`New in NSS 3.35 <#new_in_nss_3.35>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - TLS 1.3 support has been updated to draft -23. This includes a large number of changes since
+ 3.34, which supported only draft -18. See below for details.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in sslt.h*
+
+ - **SSLHandshakeType** - The type of a TLS handshake message.
+ - For the **SSLSignatureScheme** enum, the enumerated values ssl_sig_rsa_pss_sha\* are
+ deprecated in response to a change in TLS 1.3. Please use the equivalent
+ ssl_sig_rsa_pss_rsae_sha\* for rsaEncryption keys, or ssl_sig_rsa_pss_pss_sha\* for PSS
+ keys. Note that this release does not include support for the latter.
+
+.. _notable_changes_in_nss_3.35:
+
+`Notable Changes in NSS 3.35 <#notable_changes_in_nss_3.35>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Previously, NSS used the DBM file format by default. Starting with version 3.35, NSS uses the
+ SQL file format by default. Below, are explanations that could be helpful for environments
+ that need to adopt to the new default.
+
+ - If NSS is initialized, in read-write mode with a database directory provided, it uses
+ database files to store certificates, key, trust, and other information. NSS supports two
+ different database file formats:
+
+ - DBM: The legacy file format, based on Berkeley DB, using filenames cert8.db, key3.db and
+ secmod.db. Parallel database access, by multiple applications, is forbidden as it will
+ likely result in data corruption.
+ - SQL: The newer file format, based on SQLite, using filenames cert9.db, key4.db and
+ pkcs11.txt. Parallel database access, by multiple applications, is supported.
+
+ - Applications using NSS may explicitly request to use a specific database format, by adding
+ a type prefix to the database directory, provided at NSS initialization time. Without a
+ prefix, the default database type will be used (DBM in versions prior to 3.35, and SQL in
+ version 3.35 and later.)
+ - When using the SQL type (either explicitly, or because of the new default), with a database
+ directory which already contains a DBM type database, NSS will automatically perform a one
+ time migration of the information contained in the DBM files to the newer SQL files. If a
+ master password was set on the DBM database, then the initial migration may be partial, and
+ migration of keys from DBM to SQL will be delayed, until this master password is provided
+ to NSS. (Conversely, NSS will never synchronize data from SQL to DBM format.)
+ - Additional information can be found on this Fedora Linux project page:
+ https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
+
+ - Added formally verified implementations of non-vectorized Chacha20 and non-vectorized Poly1305
+ 64-bit.
+ - For stronger security, when creating encrypted PKCS#7 or PKCS#12 data, the iteration count for
+ the password based encryption algorithm has been increased to one million iterations. Note
+ that debug builds will use a lower count, for better performance in test environments. As a
+ reminder, debug builds should not be used for production purposes.
+ - NSS 3.30 had introduced a regression, preventing NSS from reading some AES encrypted data,
+ produced by older versions of NSS. NSS 3.35 fixes this regression and restores the ability to
+ read affected data.
+ - The following CA certificates were **Removed**:
+
+ - OU = Security Communication EV RootCA1
+
+ - SHA-256 Fingerprint:
+ A2:2D:BA:68:1E:97:37:6E:2D:39:7D:72:8A:AE:3A:9B:62:96:B9:FD:BA:60:BC:2E:11:F6:47:F2:C6:75:FB:37
+
+ - CN = CA Disig Root R1
+
+ - SHA-256 Fingerprint:
+ F9:6F:23:F4:C3:E7:9C:07:7A:46:98:8D:5A:F5:90:06:76:A0:F0:39:CB:64:5D:D1:75:49:B2:16:C8:24:40:CE
+
+ - CN = DST ACES CA X6
+
+ - SHA-256 Fingerprint:
+ 76:7C:95:5A:76:41:2C:89:AF:68:8E:90:A1:C7:0F:55:6C:FD:6B:60:25:DB:EA:10:41:6D:7E:B6:83:1F:8C:40
+
+ - Subject CN = VeriSign Class 3 Secure Server CA - G2
+
+ - SHA-256 Fingerprint:
+ 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
+ - This intermediate cert had been directly included to help with transition from 1024-bit
+ roots per `Bug #1045189 <https://bugzilla.mozilla.org/show_bug.cgi?id=1045189>`__.
+
+ - The Websites (TLS/SSL) trust bit was turned **off** for the following CA certificates:
+
+ - CN = Chambers of Commerce Root
+
+ - SHA-256 Fingerprint:
+ 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
+
+ - CN = Global Chambersign Root
+
+ - SHA-256 Fingerprint:
+ EF:3C:B4:17:FC:8E:BF:6F:97:87:6C:9E:4E:CE:39:DE:1E:A5:FE:64:91:41:D1:02:8B:7D:11:C0:B2:29:8C:ED
+
+ - Significant changes to TLS 1.3 were made, along with the update from draft -18 to draft -23:
+
+ - Support for KeyUpdate was added. KeyUpdate will be used automatically, if a cipher is used
+ for a sufficient number of records.
+ - SSL_KEYLOGFILE support was updated for TLS 1.3.
+ - An option to enable TLS 1.3 compatibility mode, SSL_ENABLE_TLS13_COMPAT_MODE, was added.
+ - Note: In this release, support for new rsa_pss_pss_shaX signature schemes have been
+ disabled; end-entity certificates with RSA-PSS keys will still be used to produce
+ signatures, but they will use the rsa_pss_rsae_shaX codepoints.
+ - Note: The value of ssl_tls13_key_share_xtn value, from the SSLExtensionType, has been
+ renumbered to match changes in TLS 1.3. This is not expected to cause problems; code
+ compiled against previous versions of TLS will now refer to an unsupported codepoint, if
+ this value was used. Recompilation should correct any mismatches.
+ - Note: DTLS support is promoted in draft -23, but this is currently not compliant with the
+ DTLS 1.3 draft -23 specification.
+
+ - TLS servers are able to handle a ClientHello statelessly, if the client supports TLS 1.3. If
+ the server sends a HelloRetryRequest, it is possible to discard the server socket, and make a
+ new socket to handle any subsequent ClientHello. This better enables stateless server
+ operation. (This feature is added in support of QUIC, but it also has utility for DTLS 1.3
+ servers.)
+ - The tstclnt utility now supports DTLS, using the -P option. Note that a DTLS server is also
+ provided in tstclnt.
+ - TLS compression is no longer possible with NSS. The option can be enabled, but NSS will no
+ longer negotiate compression.
+ - The signatures of functions SSL_OptionSet, SSL_OptionGet, SSL_OptionSetDefault and
+ SSL_OptionGetDefault have been modified, to take a PRIntn argument rather than PRBool. This
+ makes it clearer, that options can have values other than 0 or 1. Note this does not affect
+ ABI compatibility, because PRBool is a typedef for PRIntn.
+
+.. _experimental_apis_and_functionality:
+
+`Experimental APIs and Functionality <#experimental_apis_and_functionality>`__
+------------------------------------------------------------------------------
+
+.. container::
+
+ The functionality and the APIs listed in this section are experimental. Any of these APIs may be
+ removed from future NSS versions. Applications *must not* rely on these APIs to be present. If an
+ application is linked at runtime to a later version of NSS, which no longer provides any of these
+ APIs, the application *must* handle the scenario gracefully.
+
+ In order to ease transitions, experimental functions return SECFailure and set the
+ SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API code if the selected API is not available. Experimental
+ functions will always return this result if they are disabled or removed from a later NSS
+ release. If these experimental functions are made permanent in a later NSS release, no change to
+ code is necessary.
+
+ (Only APIs exported in \*.def files are stable APIs.)
+
+.. _new_experimental_functionality_provided:
+
+`New experimental functionality provided <#new_experimental_functionality_provided>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Below are descriptions of experimental functionality, which might not be available in future
+ releases of NSS.
+
+ - Users of TLS are now able to provide implementations of TLS extensions, through an
+ experimental custom extension API. See the documentation in sslexp.h for
+ SSL_InstallExtensionHooks for more information on this feature.
+ - Several experimental APIs were added in support of TLS 1.3 features:
+
+ - TLS servers are able to send session tickets to clients on demand, using the experimental
+ SSL_SendSessionTicket function. This ticket can include arbitrary application-chosen
+ content.
+ - An anti-replay mechanism was added for 0-RTT, through the experimental SSL_SetupAntiReplay
+ function. *This mechanism must be enabled for 0-RTT to be accepted when NSS is being used
+ as a server.*
+ - KeyUpdate can be triggered by the experimental SSL_KeyUpdate() function.
+ - TLS servers can screen new TLS 1.3 connections, as they are made using the experimental
+ SSL_HelloRetryRequestCallback function. This function allows for callbacks to be
+ installed, which are called when a server receives a new TLS ClientHello. The application
+ is then able to examine application-chosen content from the session tickets, or
+ HelloRetryRequest cookie, and decide whether to proceed with the connection. For an
+ initial ClientHello, an application can control whether NSS sends a HelloRetryRequest, and
+ include application-chosen content in the cookie.
+
+.. _new_experimental_apis:
+
+`New experimental APIs <#new_experimental_apis>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Below is a list of experimental functions, which might not be available in future releases of
+ NSS.
+
+ - *in sslexp.h*
+
+ - *experimental:* **SSL_KeyUpdate** - prompt NSS to update traffic keys (TLS 1.3 only).
+ - *experimental:* **SSL_GetExtensionSupport** - query NSS support for a TLS extension.
+ - *experimental:* **SSL_InstallExtensionHooks** - install custom handlers for a TLS
+ extension.
+ - *experimental:* **SSL_SetupAntiReplay** - configure a TLS server for 0-RTT anti-replay (TLS
+ 1.3 server only).
+ - *experimental:* **SSL_SendSessionTicket** - send a session ticket (TLS 1.3 server only).
+
+.. _removed_experimental_apis:
+
+`Removed experimental APIs <#removed_experimental_apis>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Note that experimental APIs might get removed from NSS without announcing removals in the release
+ notes. This section might be incomplete.
+
+ - The experimental API SSL_UseAltServerHelloType has been disabled.
+
+.. _bugs_fixed_in_nss_3.35:
+
+`Bugs fixed in NSS 3.35 <#bugs_fixed_in_nss_3.35>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.35:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.35
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.35 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.35 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (select product
+ 'NSS'). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst
new file mode 100644
index 0000000000..24110acdd6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_36_1_release_notes:
+
+NSS 3.36.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.1 is a patch release for NSS 3.36.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_1_RTM. NSS 3.36.1 requires NSPR 4.19 or newer.
+
+ NSS 3.36.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_36_1_RTM/src/
+
+.. _new_in_nss_3.xx:
+
+`New in NSS 3.XX <#new_in_nss_3.xx>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix regression
+ bugs.
+
+.. _notable_changes_in_nss_3.36.1:
+
+`Notable Changes in NSS 3.36.1 <#notable_changes_in_nss_3.36.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - In NSS version 3.35 the iteration count in optimized builds, which is used for password based
+ encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million
+ iterations. That change had caused an interoperability regression with operating systems that
+ are limited to 600 K iterations. NSS 3.36.1 has been changed to use the same 600 K limit.
+
+.. _bugs_fixed_in_nss_3.36.1:
+
+`Bugs fixed in NSS 3.36.1 <#bugs_fixed_in_nss_3.36.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Certain smartcard operations could result in a deadlock.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.36.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst
new file mode 100644
index 0000000000..3f7b458576
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_nss_3_36_2_release_notes:
+
+NSS 3.36.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.2 is a patch release for NSS 3.36.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_2_RTM. NSS 3.36.2 requires NSPR 4.19 or newer.
+
+ NSS 3.36.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_36_2_RTM/src/
+
+.. _new_in_nss_3.36.2:
+
+`New in NSS 3.36.2 <#new_in_nss_3.36.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix regression
+ bugs.
+
+.. _bugs_fixed_in_nss_3.36.2:
+
+`Bugs fixed in NSS 3.36.2 <#bugs_fixed_in_nss_3.36.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Bug 1462303 - Connecting to a server that was recently upgraded to TLS 1.3 would result in a
+ SSL_RX_MALFORMED_SERVER_HELLO error.
+
+ - Bug 1460673 - Fix a rare bug with PKCS#12 files.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.36.2:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.2
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst
new file mode 100644
index 0000000000..6067a87db8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_nss_3_36_4_release_notes:
+
+NSS 3.36.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.4 is a patch release for NSS 3.36.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_4_RTM. NSS 3.36.4 requires NSPR 4.19 or newer.
+
+ NSS 3.36.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_36_4_RTM/src/
+
+.. _new_in_nss_3.36.4:
+
+`New in NSS 3.36.4 <#new_in_nss_3.36.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix regression
+ bugs.
+
+.. _bugs_fixed_in_nss_3.36.4:
+
+`Bugs fixed in NSS 3.36.4 <#bugs_fixed_in_nss_3.36.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Bug 1461731 - Fix crash on macOS related to authentication tokens, e.g. PK11or WebAuthn.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst
new file mode 100644
index 0000000000..95b6928aa5
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_36_5_release_notes:
+
+NSS 3.36.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.5 is a patch release for NSS 3.36. The bug fixes in NSS
+ 3.36.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_5_RTM. NSS 3.36.5 requires NSPR 4.19 or newer.
+
+ NSS 3.36.5 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_5_RTM/src/
+
+.. _new_in_nss_3.36.5:
+
+`New in NSS 3.36.5 <#new_in_nss_3.36.5>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix CVE-2018-12384
+
+.. _bugs_fixed_in_nss_3.36.5:
+
+`Bugs fixed in NSS 3.36.5 <#bugs_fixed_in_nss_3.36.5>`__
+--------------------------------------------------------
+
+.. container::
+
+ `Bug 1483128 <https://bugzilla.mozilla.org/show_bug.cgi?id=1483128>`__ - NSS responded to an
+ SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384)
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst
new file mode 100644
index 0000000000..eb66bbf0f1
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst
@@ -0,0 +1,73 @@
+.. _mozilla_projects_nss_nss_3_36_6_release_notes:
+
+NSS 3.36.6 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.6 is a patch release for NSS 3.36. The bug fixes in NSS
+ 3.36.6 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_6_RTM. NSS 3.36.6 requires NSPR 4.19 or newer.
+
+ NSS 3.36.6 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_6_RTM/src/
+
+.. _new_in_nss_3.36.6:
+
+`New in NSS 3.36.6 <#new_in_nss_3.36.6>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix CVE-2018-12404
+
+.. _bugs_fixed_in_nss_3.36.6:
+
+`Bugs fixed in NSS 3.36.6 <#bugs_fixed_in_nss_3.36.6>`__
+--------------------------------------------------------
+
+.. container::
+
+ `Bug 1485864 <https://bugzilla.mozilla.org/show_bug.cgi?id=1485864>`__ - Cache side-channel
+ variant of the Bleichenbacher attack (CVE-2018-12404)
+
+ `Bug 1389967 <https://bugzilla.mozilla.org/show_bug.cgi?id=1389967>`__ and `Bug
+ 1448748 <https://bugzilla.mozilla.org/show_bug.cgi?id=1448748>`__ - Fixes for MinGW on x64
+ platforms.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.6 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.6 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst
new file mode 100644
index 0000000000..415f608d49
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst
@@ -0,0 +1,74 @@
+.. _mozilla_projects_nss_nss_3_36_7_release_notes:
+
+NSS 3.36.7 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.7 is a patch release for NSS 3.36. The bug fixes in NSS
+ 3.36.7 are described in the "Bugs Fixed" section below. It was released on 19 January 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_7_RTM. NSS 3.36.7 requires NSPR 4.19 or newer.
+
+ NSS 3.36.7 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_7_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.36.7:
+
+`New in NSS 3.36.7 <#new_in_nss_3.36.7>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix bugs.
+
+.. _bugs_fixed_in_nss_3.36.7:
+
+`Bugs fixed in NSS 3.36.7 <#bugs_fixed_in_nss_3.36.7>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1507135 <https://bugzilla.mozilla.org/show_bug.cgi?id=1507135>`__ and `Bug
+ 1507174 <https://bugzilla.mozilla.org/show_bug.cgi?id=1507174>`__ - Add additional null checks
+ to several CMS functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak
+ for the discovery and fixes.
+ (`CVE-2018-18508 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-18508>`__)
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.7 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.7 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst
new file mode 100644
index 0000000000..d5996b8ff0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst
@@ -0,0 +1,90 @@
+.. _mozilla_projects_nss_nss_3_36_8_release_notes:
+
+NSS 3.36.8 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.8 is a patch release for NSS 3.36. The bug fixes in NSS
+ 3.36.8 are described in the "Bugs Fixed" section below. It was released on 21 June 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_8_RTM. NSS 3.36.8 requires NSPR 4.19 or newer.
+
+ NSS 3.36.8 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_8_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.36.8:
+
+`New in NSS 3.36.8 <#new_in_nss_3.36.8>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix bugs.
+
+.. _bugs_fixed_in_nss_3.36.8:
+
+`Bugs fixed in NSS 3.36.8 <#bugs_fixed_in_nss_3.36.8>`__
+--------------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container::
+
+ `1554336 <https://bugzilla.mozilla.org/show_bug.cgi?id=1554336>`__ - Optimize away unneeded
+ loop in mpi.c
+
+ -
+
+ .. container::
+
+ `1515342 <https://bugzilla.mozilla.org/show_bug.cgi?id=1515342>`__ - More thorough input
+ checking (`CVE-2019-11729) <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11729>`__
+
+ -
+
+ .. container::
+
+ `1540541 <https://bugzilla.mozilla.org/show_bug.cgi?id=1540541>`__ - Don't unnecessarily
+ strip leading 0's from key material during PKCS11 import
+ (`CVE-2019-11719 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11719>`__)
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.8 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.8 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst
new file mode 100644
index 0000000000..6efeeb38f4
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst
@@ -0,0 +1,78 @@
+.. _mozilla_projects_nss_nss_3_36_release_notes:
+
+NSS 3.36 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.36, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_RTM. NSS 3.36 requires NSPR 4.19 or newer.
+
+ NSS 3.36 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_RTM/src/ (make a link)
+
+.. _new_in_nss_3.36:
+
+`New in NSS 3.36 <#new_in_nss_3.36>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Experimental APIs for TLS session cache handling.
+
+.. _notable_changes_in_nss_3.36:
+
+`Notable Changes in NSS 3.36 <#notable_changes_in_nss_3.36>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Replaced existing vectorized ChaCha20 code with verified HACL\* implementation.
+
+.. _bugs_fixed_in_nss_3.36:
+
+`Bugs fixed in NSS 3.36 <#bugs_fixed_in_nss_3.36>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.36:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst
new file mode 100644
index 0000000000..46d06be579
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_nss_3_37_1_release_notes:
+
+NSS 3.37.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.37.1 is a patch release for NSS 3.37.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_37_1_RTM. NSS 3.37.1 requires NSPR 4.19 or newer.
+
+ NSS 3.37.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_37_1_RTM/src/
+
+.. _new_in_nss_3.37.1:
+
+`New in NSS 3.37.1 <#new_in_nss_3.37.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix regression
+ bugs.
+
+.. _bugs_fixed_in_nss_3.37.1:
+
+`Bugs fixed in NSS 3.37.1 <#bugs_fixed_in_nss_3.37.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Bug 1462303 - Connecting to a server that was recently upgraded to TLS 1.3 would result in a
+ SSL_RX_MALFORMED_SERVER_HELLO error.
+
+ - Bug 1460673 - Fix a rare bug with PKCS#12 files.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.37.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.37.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.37.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.37.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst
new file mode 100644
index 0000000000..9d3e3fd1fa
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst
@@ -0,0 +1,112 @@
+.. _mozilla_projects_nss_nss_3_37_release_notes:
+
+NSS 3.37 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.37, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_37_RTM. NSS 3.37 requires NSPR 4.19 or newer.
+
+ NSS 3.37 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_37_RTM/src/
+
+.. _notable_changes_in_nss_3.37:
+
+`Notable Changes in NSS 3.37 <#notable_changes_in_nss_3.37>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The TLS 1.3 implementation was updated to Draft 28.
+
+ - An issue where NSS erroneously accepted HRR requests was resolved. This issue was found by
+ `OSS fuzz <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7159>`__.
+
+ - Added HACL\* Poly1305 32-bit
+
+ - The code to support the NPN protocol, which had already been disabled in a previous release,
+ has been fully removed.
+
+ - NSS allows servers now to register ALPN handling callbacks to select a protocol.
+
+ - NSS supports opening SQL databases in read-only mode. NSS now requires the SQLite APIs of
+ version 3.5.0 or newer.
+
+ - Starting with NSS version 3.31, an alternative implementation for RNG seeding on the
+ Linux/UNIX platform was available (bug 1346735), which performed seeding exclusively based on
+ /dev/urandom. This alternative implementation is selected at build time by defining the
+ SEED_ONLY_DEV_URANDOM symbol.
+
+ (The classic implementation for RNG seeding on the Linux/Unix platform, which may use
+ additional sources for the default seeding, is still available and will be used if
+ SEED_ONLY_DEV_URANDOM is undefined.)
+
+ With NSS 3.37, this alternative implementation for Linux/Unix can be selected in "make" builds
+ by defining the environment variable NSS_SEED_ONLY_DEV_URANDOM.
+
+ With NSS 3.37, this alternative implementation for Linux has been enhanced to use the glibc
+ function getentropy(), instead of reading from /dev/urandom directly, if the build and runtime
+ Linux platform supports it.
+
+ - The CA certificates list was updated to version 2.24.
+
+ - The following CA certificates were **Removed**:
+
+ - CN = S-TRUST Universal Root CA
+
+ - SHA-256 Fingerprint:
+ D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
+
+ - CN = TC TrustCenter Class 3 CA II
+
+ - SHA-256 Fingerprint:
+ 8D:A0:84:FC:F9:9C:E0:77:22:F8:9B:32:05:93:98:06:FA:5C:B8:11:E1:C8:13:F6:A1:08:C7:D3:36:B3:40:8E
+
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
+
+ - SHA-256 Fingerprint:
+ 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
+
+.. _bugs_fixed_in_nss_3.37:
+
+`Bugs fixed in NSS 3.37 <#bugs_fixed_in_nss_3.37>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.37:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.37
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.37 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.37 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst
new file mode 100644
index 0000000000..6b962ab560
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst
@@ -0,0 +1,106 @@
+.. _mozilla_projects_nss_nss_3_38_release_notes:
+
+NSS 3.38 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.38, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_38_RTM. NSS 3.38 requires NSPR 4.19 or newer.
+
+ NSS 3.38 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_38_RTM/src/
+
+.. _new_in_nss_3.38:
+
+`New in NSS 3.38 <#new_in_nss_3.38>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Added support for the TLS Record Size Limit Extension.
+ - When creating a certificate request (CSR) using certutil -R, an existing orphan private key
+ can be reused. Parameter -k may be used to specify the ID of an existing orphan key. The
+ available orphan key IDs can be displayed using command certutil -K.
+ - When using certutil -O to print the chain for a given certificate nickname, the new parameter
+ --simple-self-signed may be provided, which can avoid ambiguous output in some scenarios.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in secitem.h*
+
+ - **SECITEM_MakeItem** - Allocate and make an item with the requested contents
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in ssl.h*
+
+ - **SSL_RECORD_SIZE_LIMIT** - used to control the TLS Record Size Limit Extension
+
+.. _notable_changes_in_nss_3.38:
+
+`Notable Changes in NSS 3.38 <#notable_changes_in_nss_3.38>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Fixed `CVE-2018-0495 <https://nvd.nist.gov/vuln/detail/CVE-2018-0495>`__ in `bug
+ 1464971 <https://bugzilla.mozilla.org/show_bug.cgi?id=1464971>`__.
+
+ - Various security fixes in the ASN.1 code.
+
+ - NSS automatically enables caching for SQL database storage on Linux, if it is located on a
+ network filesystem that's known to benefit from caching.
+
+ - When repeatedly importing the same certificate into an SQL database, the existing nickname
+ will be kept.
+
+.. _bugs_fixed_in_nss_3.38:
+
+`Bugs fixed in NSS 3.38 <#bugs_fixed_in_nss_3.38>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.38:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.38
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.38 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.38 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst
new file mode 100644
index 0000000000..5c6347e2fe
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst
@@ -0,0 +1,149 @@
+.. _mozilla_projects_nss_nss_3_39_release_notes:
+
+NSS 3.39 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.39, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_39_RTM. NSS 3.39 requires NSPR 4.20 or newer.
+
+ NSS 3.39 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_39_RTM/src/
+
+.. _new_in_nss_3.39:
+
+`New in NSS 3.39 <#new_in_nss_3.39>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The ``tstclnt`` and ``selfserv`` utilities added support for configuring the enabled TLS
+ signature schemes using the ``-J`` parameter.
+
+ - NSS will use RSA-PSS keys to authenticate in TLS. Support for these keys is disabled by
+ default but can be enabled using ``SSL_SignatureSchemePrefSet()``.
+
+ - ``certutil`` added the ability to delete an orphan private key from an NSS key database.
+
+ - Added the ``nss-policy-check`` utility, which can be used to check an NSS policy configuration
+ for problems.
+
+ - A PKCS#11 URI can be used as an identifier for a PKCS#11 token.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - in cert.h
+
+ - **CERT_GetCertKeyType** - Query the Key Type associated with the given certificate.
+
+ - utilpars.h
+
+ - **NSSUTIL_AddNSSFlagToModuleSpec** - A helper function for modifying the PKCS#11 module
+ configuration. It can be used to add a single flag to the Flags= section inside the spec's
+ NSS= section.
+
+.. _notable_changes_in_nss_3.39:
+
+`Notable Changes in NSS 3.39 <#notable_changes_in_nss_3.39>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The TLS 1.3 implementation uses the final version number from `RFC
+ 8446 <https://datatracker.ietf.org/doc/html/rfc8446>`__.
+ - Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature where the DigestInfo structure
+ was missing the NULL parameter.
+ Starting with version 3.39, NSS requires the encoding to contain the NULL parameter.
+ - The ``tstclnt`` and ``selfserv`` test utilities no longer accept the -z parameter, as support
+ for TLS compression was removed in a previous NSS version.
+ - The CA certificates list was updated to version 2.26.
+ - The following CA certificates were **Added**:
+
+ - OU = GlobalSign Root CA - R6
+
+ - SHA-256 Fingerprint: 2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69
+
+ - CN = OISTE WISeKey Global Root GC CA
+
+ - SHA-256 Fingerprint: 8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D
+
+ - The following CA certificate was **Removed**:
+
+ - CN = ComSign
+
+ - SHA-256 Fingerprint: AE4457B40D9EDA96677B0D3C92D57B5177ABD7AC1037958356D1E094518BE5F2
+
+ - The following CA certificates had the **Websites trust bit disabled**:
+
+ - CN = Certplus Root CA G1
+
+ - SHA-256 Fingerprint: 152A402BFCDF2CD548054D2275B39C7FCA3EC0978078B0F0EA76E561A6C7433E
+
+ - CN = Certplus Root CA G2
+
+ - SHA-256 Fingerprint: 6CC05041E6445E74696C4CFBC9F80F543B7EABBB44B4CE6F787C6A9971C42F17
+
+ - CN = OpenTrust Root CA G1
+
+ - SHA-256 Fingerprint: 56C77128D98C18D91B4CFDFFBC25EE9103D4758EA2ABAD826A90F3457D460EB4
+
+ - CN = OpenTrust Root CA G2
+
+ - SHA-256 Fingerprint: 27995829FE6A7515C1BFE848F9C4761DB16C225929257BF40D0894F29EA8BAF2
+
+ - CN = OpenTrust Root CA G3
+
+ - SHA-256 Fingerprint: B7C36231706E81078C367CB896198F1E3208DD926949DD8F5709A410F75B6292
+
+.. _bugs_fixed_in_nss_3.39:
+
+`Bugs fixed in NSS 3.39 <#bugs_fixed_in_nss_3.39>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1483128 <https://bugzilla.mozilla.org/show_bug.cgi?id=1483128>`__ - NSS responded to an
+ SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384)
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.39:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.39
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.39 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.39 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst
new file mode 100644
index 0000000000..6b8c40bd56
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst
@@ -0,0 +1,81 @@
+.. _mozilla_projects_nss_nss_3_40_1_release_notes:
+
+NSS 3.40.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.40.1, which is a patch release for
+ NSS 3.40
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_40_1_RTM. NSS 3.40.1 requires NSPR 4.20 or newer.
+
+ NSS 3.40 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_40_1_RTM/src/
+
+.. _new_in_nss_3.40.1:
+
+`New in NSS 3.40.1 <#new_in_nss_3.40.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - No new functionality is introduced in this release. This is a patch release to fix
+ CVE-2018-12404
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - none
+
+.. _bugs_fixed_in_nss_3.40.1:
+
+`Bugs fixed in NSS 3.40.1 <#bugs_fixed_in_nss_3.40.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ `Bug 1485864 <https://bugzilla.mozilla.org/show_bug.cgi?id=1485864>`__ - Cache
+ side-channel variant of the Bleichenbacher attack (CVE-2018-12404)
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.40.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.40.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst
new file mode 100644
index 0000000000..c63a6ab56a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst
@@ -0,0 +1,102 @@
+.. _mozilla_projects_nss_nss_3_40_release_notes:
+
+NSS 3.40 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.40, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_40_RTM. NSS 3.40 requires NSPR 4.20 or newer.
+
+ NSS 3.40 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_40_RTM/src/
+
+.. _new_in_nss_3.40:
+
+`New in NSS 3.40 <#new_in_nss_3.40>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The draft-00 version of encrypted SNI support is implemented
+
+ - ``tstclnt`` now takes ``-N`` option to specify encrypted SNI key
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - none
+
+.. _notable_changes_in_nss_3.40:
+
+`Notable Changes in NSS 3.40 <#notable_changes_in_nss_3.40>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The mozilla::pkix library has been ported from Mozilla PSM to NSS. This is a C++ library for
+ building certification paths. mozilla::pkix APIs are not exposed in the libraries NSS builds.
+ - It is easier to build NSS on Windows in
+ `mozilla-build <https://wiki.mozilla.org/MozillaBuild>`__ environments.
+ - The following CA certificates were **Removed**:
+
+ - CN = Visa eCommerce Root
+
+ - SHA-256 Fingerprint: 69FAC9BD55FB0AC78D53BBEE5CF1D597989FD0AAAB20A25151BDF1733EE7D122
+
+.. _bugs_fixed_in_nss_3.40:
+
+`Bugs fixed in NSS 3.40 <#bugs_fixed_in_nss_3.40>`__
+----------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ `Bug 1478698 <https://bugzilla.mozilla.org/show_bug.cgi?id=1478698>`__ - FFDHE key
+ exchange sometimes fails with decryption failure
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.40:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.40
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.40 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.40 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst
new file mode 100644
index 0000000000..83a2f66301
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_nss_3_41_1_release_notes:
+
+NSS 3.41.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.41.1 is a patch release for NSS 3.41. The bug fixes in NSS
+ 3.41.1 are described in the "Bugs Fixed" section below. It was released on 22 January 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_41_1_RTM. NSS 3.41.1 requires NSPR 4.20 or newer.
+
+ NSS 3.41.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_41_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.41.1:
+
+`New in NSS 3.41.1 <#new_in_nss_3.41.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix bugs.
+
+.. _bugs_fixed_in_nss_3.41.1:
+
+`Bugs fixed in NSS 3.41.1 <#bugs_fixed_in_nss_3.41.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Bug 1507135 and Bug 1507174 - Add additional null checks to several CMS functions to fix a
+ rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak for the discovery and fixes.
+ (CVE-2018-18508)
+
+ This bugzilla query returns all bugs fixed in 3.41.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.41.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.41.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.41.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst
new file mode 100644
index 0000000000..617a6c40cf
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst
@@ -0,0 +1,163 @@
+.. _mozilla_projects_nss_nss_3_41_release_notes:
+
+NSS 3.41 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.41 on 7 December 2018, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_41_RTM. NSS 3.41 requires NSPR 4.20 or newer.
+
+ NSS 3.41 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_41_RTM/src/
+
+.. _new_in_nss_3.41:
+
+`New in NSS 3.41 <#new_in_nss_3.41>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 1252891 <https://bugzilla.mozilla.org/show_bug.cgi?id=1252891>`__ - Implemented EKU
+ handling for IPsec IKE.
+ - `Bug 1423043 <https://bugzilla.mozilla.org/show_bug.cgi?id=1423043>`__ - Enable half-closed
+ states for TLS.
+ - `Bug 1493215 <https://bugzilla.mozilla.org/show_bug.cgi?id=1493215>`__ - Enabled the following
+ ciphersuites by default:
+
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_RSA_WITH_AES_256_GCM_SHA384
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - none
+
+.. _notable_changes_in_nss_3.41:
+
+`Notable Changes in NSS 3.41 <#notable_changes_in_nss_3.41>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Added**:
+
+ - CN = Certigna Root CA
+
+ - SHA-256 Fingerprint: D48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168
+
+ - CN = GTS Root R1
+
+ - SHA-256 Fingerprint: 2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472
+
+ - CN = GTS Root R2
+
+ - SHA-256 Fingerprint: C45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60
+
+ - CN = GTS Root R3
+
+ - SHA-256 Fingerprint: 15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5
+
+ - CN = GTS Root R4
+
+ - SHA-256 Fingerprint: 71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD
+
+ - CN = UCA Global G2 Root
+
+ - SHA-256 Fingerprint: 9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C
+
+ - CN = UCA Extended Validation Root
+
+ - SHA-256 Fingerprint: D43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24
+
+ - The following CA certificates were **Removed**:
+
+ - CN = AC Raíz Certicámara S.A.
+
+ - SHA-256 Fingerprint: A6C51E0DA5CA0A9309D2E4C0E40C2AF9107AAE8203857FE198E3E769E343085C
+
+ - CN = Certplus Root CA G1
+
+ - SHA-256 Fingerprint: 152A402BFCDF2CD548054D2275B39C7FCA3EC0978078B0F0EA76E561A6C7433E
+
+ - CN = Certplus Root CA G2
+
+ - SHA-256 Fingerprint: 6CC05041E6445E74696C4CFBC9F80F543B7EABBB44B4CE6F787C6A9971C42F17
+
+ - CN = OpenTrust Root CA G1
+
+ - SHA-256 Fingerprint: 56C77128D98C18D91B4CFDFFBC25EE9103D4758EA2ABAD826A90F3457D460EB4
+
+ - CN = OpenTrust Root CA G2
+
+ - SHA-256 Fingerprint: 27995829FE6A7515C1BFE848F9C4761DB16C225929257BF40D0894F29EA8BAF2
+
+ - CN = OpenTrust Root CA G3
+
+ - SHA-256 Fingerprint: B7C36231706E81078C367CB896198F1E3208DD926949DD8F5709A410F75B6292
+
+.. _bugs_fixed_in_nss_3.41:
+
+`Bugs fixed in NSS 3.41 <#bugs_fixed_in_nss_3.41>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1412829 <https://bugzilla.mozilla.org/show_bug.cgi?id=1412829>`__, Reject empty
+ supported_signature_algorithms in Certificate Request in TLS 1.2
+
+ - `Bug 1485864 <https://bugzilla.mozilla.org/show_bug.cgi?id=1485864>`__ - Cache side-channel
+ variant of the Bleichenbacher attack (CVE-2018-12404)
+
+ - `Bug 1481271 <https://bugzilla.mozilla.org/show_bug.cgi?id=1481271>`__ - Resend the same
+ ticket in ClientHello after HelloRetryRequest
+
+ - `Bug 1493769 <https://bugzilla.mozilla.org/show_bug.cgi?id=1493769>`__ - Set session_id for
+ external resumption tokens
+
+ - `Bug 1507179 <https://bugzilla.mozilla.org/show_bug.cgi?id=1507179>`__ - Reject CCS after
+ handshake is complete in TLS 1.3
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.41:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.41
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.41 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.41 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst
new file mode 100644
index 0000000000..4840c8cb9f
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst
@@ -0,0 +1,65 @@
+.. _mozilla_projects_nss_nss_3_42_1_release_notes:
+
+NSS 3.42.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.42.1 on 31 January 2019, which is a
+ patch release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_42_1_RTM. NSS 3.42.1 requires NSPR 4.20 or newer.
+
+ NSS 3.42.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_42_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.42.1:
+
+`Bugs fixed in NSS 3.42.1 <#bugs_fixed_in_nss_3.42.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1507135 <https://bugzilla.mozilla.org/show_bug.cgi?id=1507135>`__ and `Bug
+ 1507174 <https://bugzilla.mozilla.org/show_bug.cgi?id=1507174>`__ - Add additional null checks
+ to several CMS functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak
+ for the discovery and fixes. This was originally announced in
+ :ref:`mozilla_projects_nss_nss_3_42_release_notes`, but was mistakenly not included in the
+ release. (`CVE-2018-18508 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-18508>`__)
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.42.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.42.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.42.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.42.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst
new file mode 100644
index 0000000000..bc8596affd
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst
@@ -0,0 +1,143 @@
+.. _mozilla_projects_nss_nss_3_42_release_notes:
+
+NSS 3.42 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.42 on 25 January 2019, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_42_RTM. NSS 3.42 requires NSPR 4.20 or newer.
+
+ NSS 3.42 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_42_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.42:
+
+`New in NSS 3.42 <#new_in_nss_3.42>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 818686 <https://bugzilla.mozilla.org/show_bug.cgi?id=818686>`__ - Support XDG basedir
+ specification
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - none
+
+.. _notable_changes_in_nss_3.42:
+
+`Notable Changes in NSS 3.42 <#notable_changes_in_nss_3.42>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Added**:
+
+ - None
+
+ - The following CA certificates were **Removed**:
+
+ - None
+
+ - Added support for some of the test cases from the `Wycheproof
+ project <https://github.com/google/wycheproof>`__:
+
+ - `Bug 1508666 <https://bugzilla.mozilla.org/show_bug.cgi?id=1508666>`__ - Added AES-GCM test
+ cases
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ .. container::
+
+ `Bug 1508673 <https://bugzilla.mozilla.org/show_bug.cgi?id=1508673>`__ - Added
+ ChaCha20-Poly1305 test cases
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ .. container::
+
+ `Bug 1514999 <https://bugzilla.mozilla.org/show_bug.cgi?id=1514999>`__ - Added the
+ Curve25519 test cases
+
+ - Thanks to Jonas Allmann for adapting these tests.
+
+.. _bugs_fixed_in_nss_3.42:
+
+`Bugs fixed in NSS 3.42 <#bugs_fixed_in_nss_3.42>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1490006 <https://bugzilla.mozilla.org/show_bug.cgi?id=1490006>`__ - Reject invalid
+ CH.legacy_version in TLS 1.3
+
+ - `Bug 1507135 <https://bugzilla.mozilla.org/show_bug.cgi?id=1507135>`__\ [STRIKEOUT:and]\ `Bug
+ 1507174 <https://bugzilla.mozilla.org/show_bug.cgi?id=1507174>`__\ [STRIKEOUT:- Add additional
+ null checks to several CMS functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian
+ Poddebniak for the discovery and fixes.] Note: This was mistakenly not in release 3.42, and is
+ instead in :ref:`mozilla_projects_nss_nss_3_42_1_release_notes`.
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ .. container::
+
+ `Bug 1513913 <https://bugzilla.mozilla.org/show_bug.cgi?id=1513913>`__ - A fix for
+ Solaris where Firefox 60 core dumps during start when using profile from version 52
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.42:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.42
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.42 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.42 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst
new file mode 100644
index 0000000000..f4e82bc29d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst
@@ -0,0 +1,151 @@
+.. _mozilla_projects_nss_nss_3_43_release_notes:
+
+NSS 3.43 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.43 on 16 March 2019, which is a minor
+ release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_43_RTM. NSS 3.43 requires NSPR 4.21 or newer.
+
+ NSS 3.43 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_43_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.43:
+
+`New in NSS 3.43 <#new_in_nss_3.43>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in sechash.h*
+
+ - **HASH_GetHashOidTagByHashType** - convert type HASH_HashType to type SECOidTag
+
+ - *in sslexp.h*
+
+ - **SSL_SendCertificateRequest** - allow server to request post-handshake client
+ authentication. To use this both peers need to enable the
+ **SSL_ENABLE_POST_HANDSHAKE_AUTH** option. Note that while the mechanism is present,
+ post-handshake authentication is currently not TLS 1.3 compliant due to `Bug
+ 1532312 <https://bugzilla.mozilla.org/show_bug.cgi?id=1532312>`__
+
+.. _notable_changes_in_nss_3.43:
+
+`Notable Changes in NSS 3.43 <#notable_changes_in_nss_3.43>`__
+--------------------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ .. container::
+
+ The following CA certificates were **Added**:
+
+ - CN = emSign Root CA - G1
+
+ - SHA-256 Fingerprint: 40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367
+
+ - CN = emSign ECC Root CA - G3
+
+ - SHA-256 Fingerprint: 86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B
+
+ - CN = emSign Root CA - C1
+
+ - SHA-256 Fingerprint: 125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F
+
+ - CN = emSign ECC Root CA - C3
+
+ - SHA-256 Fingerprint: BC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3
+
+ - CN = Hongkong Post Root CA 3
+
+ - SHA-256 Fingerprint: 5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6
+
+ - The following CA certificates were **Removed**:
+
+ - None
+
+.. _bugs_fixed_in_nss_3.43:
+
+`Bugs fixed in NSS 3.43 <#bugs_fixed_in_nss_3.43>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1528669 <https://bugzilla.mozilla.org/show_bug.cgi?id=1528669>`__ and `Bug
+ 1529308 <https://bugzilla.mozilla.org/show_bug.cgi?id=1529308>`__ - Improve Gyp build system
+ handling
+ - `Bug 1529950 <https://bugzilla.mozilla.org/show_bug.cgi?id=1529950>`__ and `Bug
+ 1521174 <https://bugzilla.mozilla.org/show_bug.cgi?id=1521174>`__ - Improve NSS S/MIME tests
+ for Thunderbird
+ - `Bug 1530134 <https://bugzilla.mozilla.org/show_bug.cgi?id=1530134>`__ - If Docker isn't
+ installed, try running a local clang-format as a fallback
+ - `Bug 1531267 <https://bugzilla.mozilla.org/show_bug.cgi?id=1531267>`__ - Enable FIPS mode
+ automatically if the system FIPS mode flag is set
+ - `Bug 1528262 <https://bugzilla.mozilla.org/show_bug.cgi?id=1528262>`__ - Add a -J option to
+ the strsclnt command to specify sigschemes
+ - `Bug 1513909 <https://bugzilla.mozilla.org/show_bug.cgi?id=1513909>`__ - Add manual for
+ nss-policy-check
+ - `Bug 1531074 <https://bugzilla.mozilla.org/show_bug.cgi?id=1531074>`__ - Fix a deref after a
+ null check in SECKEY_SetPublicValue
+ - `Bug 1517714 <https://bugzilla.mozilla.org/show_bug.cgi?id=1517714>`__ - Properly handle ESNI
+ with HRR
+ - `Bug 1529813 <https://bugzilla.mozilla.org/show_bug.cgi?id=1529813>`__ - Expose
+ HKDF-Expand-Label with mechanism
+ - `Bug 1535122 <https://bugzilla.mozilla.org/show_bug.cgi?id=1535122>`__ - Align TLS 1.3 HKDF
+ trace levels
+ - `Bug 1530102 <https://bugzilla.mozilla.org/show_bug.cgi?id=1530102>`__ - Use getentropy on
+ compatible versions of FreeBSD.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.43:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.43
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.43 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.43 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst
new file mode 100644
index 0000000000..2500f55c57
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst
@@ -0,0 +1,140 @@
+.. _mozilla_projects_nss_nss_3_44_1_release_notes:
+
+NSS 3.44.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.44.1 is a patch release for NSS 3.44. The bug fixes in NSS
+ 3.44.1 are described in the "Bugs Fixed" section below. It was released on 21 June 2019.
+
+ The NSS team would like to recognize first-time contributors: Greg Rubin
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_1_RTM. NSS 3.44.1 requires NSPR 4.21 or newer.
+
+ NSS 3.44.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.44.1:
+
+`New in NSS 3.44.1 <#new_in_nss_3.44.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ -
+
+ .. container::
+
+ `1546229 <https://bugzilla.mozilla.org/show_bug.cgi?id=1546229>`__ - Add IPSEC IKE support
+ to softoken
+
+ -
+
+ .. container::
+
+ Many new FIPS test cases (Note: This has increased the source archive by approximately 50
+ megabytes for this release.)
+
+.. _bugs_fixed_in_nss_3.44.1:
+
+`Bugs fixed in NSS 3.44.1 <#bugs_fixed_in_nss_3.44.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container::
+
+ `1554336 <https://bugzilla.mozilla.org/show_bug.cgi?id=1554336>`__ - Optimize away unneeded
+ loop in mpi.c
+
+ -
+
+ .. container::
+
+ `1515342 <https://bugzilla.mozilla.org/show_bug.cgi?id=1515342>`__ - More thorough input
+ checking (`CVE-2019-11729) <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11729>`__
+
+ -
+
+ .. container::
+
+ `1540541 <https://bugzilla.mozilla.org/show_bug.cgi?id=1540541>`__ - Don't unnecessarily
+ strip leading 0's from key material during PKCS11 import
+ (`CVE-2019-11719 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11719>`__)
+
+ -
+
+ .. container::
+
+ `1515236 <https://bugzilla.mozilla.org/show_bug.cgi?id=1515236>`__ - Add a SSLKEYLOGFILE
+ enable/disable flag at `build.sh <http://build.sh>`__
+
+ -
+
+ .. container::
+
+ `1473806 <https://bugzilla.mozilla.org/show_bug.cgi?id=1473806>`__ - Fix
+ SECKEY_ConvertToPublicKey handling of non-RSA keys
+
+ -
+
+ .. container::
+
+ `1546477 <https://bugzilla.mozilla.org/show_bug.cgi?id=1546477>`__ - Updates to testing for
+ FIPS validation
+
+ -
+
+ .. container::
+
+ `1552208 <https://bugzilla.mozilla.org/show_bug.cgi?id=1552208>`__ - Prohibit use of
+ RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
+ (`CVE-2019-11727 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11727>`__)
+
+ -
+
+ .. container::
+
+ `1551041 <https://bugzilla.mozilla.org/show_bug.cgi?id=1551041>`__ - Unbreak build on GCC <
+ 4.3 big-endian
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst
new file mode 100644
index 0000000000..98a1c18ca8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst
@@ -0,0 +1,72 @@
+.. _mozilla_projects_nss_nss_3_44_2_release_notes:
+
+NSS 3.44.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.44.2 is a patch release for NSS 3.44. The bug fixes in NSS
+ 3.44.2 are described in the "Bugs Fixed" section below. It was released on 2 October 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_2_RTM. NSS 3.44.2 requires NSPR 4.21 or newer.
+
+ NSS 3.44.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_2_RTM/src/
+
+ Other releases are available in NSS Releases.
+
+.. _new_in_nss_3.44.2:
+
+`New in NSS 3.44.2 <#new_in_nss_3.44.2>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.44.2:
+
+`Bugs fixed in NSS 3.44.2 <#bugs_fixed_in_nss_3.44.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1582343 <https://bugzilla.mozilla.org/show_bug.cgi?id=1582343>`__\ - Soft token MAC
+ verification not constant time
+ - `Bug 1577953 <https://bugzilla.mozilla.org/show_bug.cgi?id=1577953>`__\ - Remove arbitrary
+ HKDF output limit by allocating space as needed
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.44.2:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.44.2
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__\ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst
new file mode 100644
index 0000000000..7417c17d08
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_nss_3_44_3_release_notes:
+
+NSS 3.44.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.44.3 is a patch release for NSS 3.44. The bug fixes in NSS
+ 3.44.3 are described in the "Bugs Fixed" section below. It was released on 19 November 2019.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Craig Disselkoen
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_3_RTM. NSS 3.44.3 requires NSPR 4.21 or newer.
+
+ NSS 3.44.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_3_RTM/src/
+
+ Other releases are available in NSS Releases.
+
+.. _new_in_nss_3.44.3:
+
+`New in NSS 3.44.3 <#new_in_nss_3.44.3>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.44.3:
+
+`Bugs fixed in NSS 3.44.3 <#bugs_fixed_in_nss_3.44.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1579060 <https://bugzilla.mozilla.org/show_bug.cgi?id=1579060>`__ - Don't set the
+ CONSTRUCTED bit for issuerUniqueID and subjectUniqueID in mozilla::pkix
+ - `CVE-2019-11745 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11745>`__ -
+ EncryptUpdate should use maxout, not block size
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.44:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.44
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst
new file mode 100644
index 0000000000..6828d3941a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_44_4_release_notes:
+
+NSS 3.44.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.44.4 on **19 May 2020**. This is a
+ security patch release.
+
+ Thank you to Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at
+ Tampere University for reporting this issue.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_4_RTM. NSS 3.44.4 requires NSPR 4.21 or newer.
+
+ NSS 3.44.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_4_RTM/src/
+
+ Other releases are available in :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.44.4:
+
+`New in NSS 3.44.4 <#new_in_nss_3.44.4>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.44.4:
+
+`Bugs fixed in NSS 3.44.4 <#bugs_fixed_in_nss_3.44.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `CVE-2020-12399 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2020-12399>`__ - Force a
+ fixed length for DSA exponentiation
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst
new file mode 100644
index 0000000000..d23d48e5fe
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst
@@ -0,0 +1,146 @@
+.. _mozilla_projects_nss_nss_3_44_release_notes:
+
+NSS 3.44 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.44 on 10 May 2019, which is a minor
+ release.
+
+ The NSS team would like to recognize first-time contributors: Kevin Jacobs, David Carlier,
+ Alexander Scheel, and Edouard Oger.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_RTM. NSS 3.44 requires NSPR 4.21 or newer.
+
+ NSS 3.44 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.44:
+
+`New in NSS 3.44 <#new_in_nss_3.44>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in lib/certdb/cert.h*
+
+ - **CERT_GetCertificateDer** - Access the DER-encoded form of a CERTCertificate.
+
+.. _notable_changes_in_nss_3.44:
+
+`Notable Changes in NSS 3.44 <#notable_changes_in_nss_3.44>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - It is now possible to build NSS as a static library (Bug
+ `1543545 <https://bugzilla.mozilla.org/show_bug.cgi?id=1543545>`__)
+ - Initial support for building for iOS.
+
+.. _bugs_fixed_in_nss_3.44:
+
+`Bugs fixed in NSS 3.44 <#bugs_fixed_in_nss_3.44>`__
+----------------------------------------------------
+
+.. container::
+
+ - `1501542 <https://bugzilla.mozilla.org/show_bug.cgi?id=1501542>`__ - Implement CheckARMSupport
+ for Android
+ - `1531244 <https://bugzilla.mozilla.org/show_bug.cgi?id=1531244>`__ - Use \__builtin_bswap64 in
+ crypto_primitives.h
+ - `1533216 <https://bugzilla.mozilla.org/show_bug.cgi?id=1533216>`__ - CERT_DecodeCertPackage()
+ crash with Netscape Certificate Sequences
+ - `1533616 <https://bugzilla.mozilla.org/show_bug.cgi?id=1533616>`__ -
+ sdb_GetAttributeValueNoLock should make at most one sql query, rather than one for each
+ attribute
+ - `1531236 <https://bugzilla.mozilla.org/show_bug.cgi?id=1531236>`__ - Provide accessor for
+ CERTCertificate.derCert
+ - `1536734 <https://bugzilla.mozilla.org/show_bug.cgi?id=1536734>`__ -
+ lib/freebl/crypto_primitives.c assumes a big endian machine
+ - `1532384 <https://bugzilla.mozilla.org/show_bug.cgi?id=1532384>`__ - In NSS test certificates,
+ use @example.com (not @bogus.com)
+ - `1538479 <https://bugzilla.mozilla.org/show_bug.cgi?id=1538479>`__ - Post-Handshake messages
+ after async server authentication break when using record layer separation
+ - `1521578 <https://bugzilla.mozilla.org/show_bug.cgi?id=1521578>`__ - x25519 support in
+ pk11pars.c
+ - `1540205 <https://bugzilla.mozilla.org/show_bug.cgi?id=1540205>`__ - freebl build fails with
+ -DNSS_DISABLE_CHACHAPOLY
+ - `1532312 <https://bugzilla.mozilla.org/show_bug.cgi?id=1532312>`__ - post-handshake auth
+ doesn't interoperate with OpenSSL
+ - `1542741 <https://bugzilla.mozilla.org/show_bug.cgi?id=1542741>`__ - certutil -F crashes with
+ segmentation fault
+ - `1546925 <https://bugzilla.mozilla.org/show_bug.cgi?id=1546925>`__ - Allow preceding text in
+ try comment
+ - `1534468 <https://bugzilla.mozilla.org/show_bug.cgi?id=1534468>`__ - Expose ChaCha20 primitive
+ - `1418944 <https://bugzilla.mozilla.org/show_bug.cgi?id=1418944>`__ - Quote CC/CXX variables
+ passed to nspr
+ - `1543545 <https://bugzilla.mozilla.org/show_bug.cgi?id=1543545>`__ - Allow to build NSS as a
+ static library
+ - `1487597 <https://bugzilla.mozilla.org/show_bug.cgi?id=1487597>`__ - Early data that arrives
+ before the handshake completes can be read afterwards
+ - `1548398 <https://bugzilla.mozilla.org/show_bug.cgi?id=1548398>`__ - freebl_gtest not building
+ on Linux/Mac
+ - `1548722 <https://bugzilla.mozilla.org/show_bug.cgi?id=1548722>`__ - Fix some Coverity
+ warnings
+ - `1540652 <https://bugzilla.mozilla.org/show_bug.cgi?id=1540652>`__ - softoken/sdb.c: Logically
+ dead code
+ - `1549413 <https://bugzilla.mozilla.org/show_bug.cgi?id=1549413>`__ - Android log lib is not
+ included in build
+ - `1537927 <https://bugzilla.mozilla.org/show_bug.cgi?id=1537927>`__ - IPsec usage is too
+ restrictive for existing deployments
+ - `1549608 <https://bugzilla.mozilla.org/show_bug.cgi?id=1549608>`__ - Signature fails with dbm
+ disabled
+ - `1549848 <https://bugzilla.mozilla.org/show_bug.cgi?id=1549848>`__ - Allow building NSS for
+ iOS using gyp
+ - `1549847 <https://bugzilla.mozilla.org/show_bug.cgi?id=1549847>`__ - NSS's SQLite compilation
+ warnings make the build fail on iOS
+ - `1550041 <https://bugzilla.mozilla.org/show_bug.cgi?id=1550041>`__ - freebl not building on
+ iOS simulator
+ - `1542950 <https://bugzilla.mozilla.org/show_bug.cgi?id=1542950>`__ - MacOS cipher test
+ timeouts
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.44:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.44
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst
new file mode 100644
index 0000000000..8b3e37b3a3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst
@@ -0,0 +1,224 @@
+.. _mozilla_projects_nss_nss_3_45_release_notes:
+
+NSS 3.45 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.45 on **5 July 2019**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Bastien Abadie
+ - Christopher Patton
+ - Jeremie Courreges-Anglas
+ - Marcus Burghardt
+ - Michael Shigorin
+ - Tomas Mraz
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_45_RTM. NSS 3.45 requires NSPR 4.21 or newer.
+
+ NSS 3.45 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_45_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.45:
+
+`New in NSS 3.45 <#new_in_nss_3.45>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - in *pk11pub.h*:
+
+ - **PK11_FindRawCertsWithSubject** - Finds all certificates on the given slot with the given
+ subject distinguished name and returns them as DER bytes. If no such certificates can be
+ found, returns SECSuccess and sets ``*results`` to NULL. If a failure is encountered while
+ fetching any of the matching certificates, SECFailure is returned and ``*results`` will be
+ NULL.
+
+.. _notable_changes_in_nss_3.45:
+
+`Notable Changes in NSS 3.45 <#notable_changes_in_nss_3.45>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1540403 <https://bugzilla.mozilla.org/show_bug.cgi?id=1540403>`__ - Implement Delegated
+ Credentials
+ (`draft-ietf-tls-subcerts <https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/>`__)
+
+ - This adds a new experimental function: **SSL_DelegateCredential**
+ - **Note**: In 3.45, ``selfserv`` does not yet support delegated credentials. See `Bug
+ 1548360 <https://bugzilla.mozilla.org/show_bug.cgi?id=1548360>`__.
+ - **Note**: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46
+ will set ``SSLChannelInfo.authKeyBits`` to that of the delegated credential for better
+ policy enforcement. See `Bug
+ 1563078 <https://bugzilla.mozilla.org/show_bug.cgi?id=1563078>`__.
+
+ - `Bug 1550579 <https://bugzilla.mozilla.org/show_bug.cgi?id=1550579>`__ - Replace ARM32
+ Curve25519 implementation with one from
+ `fiat-crypto <https://github.com/mit-plv/fiat-crypto>`__
+ - `Bug 1551129 <https://bugzilla.mozilla.org/show_bug.cgi?id=1551129>`__ - Support static
+ linking on Windows
+ - `Bug 1552262 <https://bugzilla.mozilla.org/show_bug.cgi?id=1552262>`__ - Expose a function
+ **PK11_FindRawCertsWithSubject** for finding certificates with a given subject on a given slot
+ - `Bug 1546229 <https://bugzilla.mozilla.org/show_bug.cgi?id=1546229>`__ - Add IPSEC IKE support
+ to softoken
+ - `Bug 1554616 <https://bugzilla.mozilla.org/show_bug.cgi?id=1554616>`__ - Add support for the
+ Elbrus lcc compiler (<=1.23)
+ - `Bug 1543874 <https://bugzilla.mozilla.org/show_bug.cgi?id=1543874>`__ - Expose an external
+ clock for SSL
+
+ - This adds new experimental functions: **SSL_SetTimeFunc**, **SSL_CreateAntiReplayContext**,
+ **SSL_SetAntiReplayContext**, and **SSL_ReleaseAntiReplayContext**.
+ - The experimental function **SSL_InitAntiReplay** is removed.
+
+ - `Bug 1546477 <https://bugzilla.mozilla.org/show_bug.cgi?id=1546477>`__ - Various changes in
+ response to the ongoing FIPS review
+
+ - Note: The source package size has increased substantially due to the new FIPS test vectors.
+ This will likely prompt follow-on work, but please accept our apologies in the meantime.
+
+.. _certificate_authority_changes:
+
+`Certificate Authority Changes <#certificate_authority_changes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The following CA certificates were **Removed**:
+
+ - `Bug 1552374 <https://bugzilla.mozilla.org/show_bug.cgi?id=1552374>`__ - CN = Certinomis -
+ Root CA
+
+ - SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158
+
+.. _bugs_fixed_in_nss_3.45:
+
+`Bugs fixed in NSS 3.45 <#bugs_fixed_in_nss_3.45>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1540541 <https://bugzilla.mozilla.org/show_bug.cgi?id=1540541>`__ - Don't unnecessarily
+ strip leading 0's from key material during PKCS11 import
+ (`CVE-2019-11719 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11719>`__)
+
+ - `Bug 1515342 <https://bugzilla.mozilla.org/show_bug.cgi?id=1515342>`__ - More thorough input
+ checking (`CVE-2019-11729) <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11729>`__
+
+ -
+
+ .. container::
+
+ `Bug 1552208 <https://bugzilla.mozilla.org/show_bug.cgi?id=1552208>`__ - Prohibit use of
+ RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
+ (`CVE-2019-11727 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11727>`__)
+
+ - `Bug 1227090 <https://bugzilla.mozilla.org/show_bug.cgi?id=1227090>`__ - Fix a potential
+ divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
+
+ - `Bug 1227096 <https://bugzilla.mozilla.org/show_bug.cgi?id=1227096>`__ - Fix a potential
+ divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis)
+
+ - `Bug 1509432 <https://bugzilla.mozilla.org/show_bug.cgi?id=1509432>`__ - De-duplicate code
+ between mp_set_long and mp_set_ulong
+
+ - `Bug 1515011 <https://bugzilla.mozilla.org/show_bug.cgi?id=1515011>`__ - Fix a mistake with
+ ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might
+ have copied the unit test code verbatim
+
+ - `Bug 1550022 <https://bugzilla.mozilla.org/show_bug.cgi?id=1550022>`__ - Ensure nssutil3 gets
+ built on Android
+
+ - `Bug 1528174 <https://bugzilla.mozilla.org/show_bug.cgi?id=1528174>`__ - ChaCha20Poly1305
+ should no longer modify output length on failure
+
+ - `Bug 1549382 <https://bugzilla.mozilla.org/show_bug.cgi?id=1549382>`__ - Don't leak in PKCS#11
+ modules if C_GetSlotInfo() returns error
+
+ - `Bug 1551041 <https://bugzilla.mozilla.org/show_bug.cgi?id=1551041>`__ - Fix builds using GCC
+ < 4.3 on big-endian architectures
+
+ -
+
+ .. container::
+
+ `Bug 1554659 <https://bugzilla.mozilla.org/show_bug.cgi?id=1554659>`__ - Add versioning to
+ OpenBSD builds to fix link time errors using NSS
+
+ - `Bug 1553443 <https://bugzilla.mozilla.org/show_bug.cgi?id=1553443>`__ - Send session ticket
+ only after handshake is marked as finished
+
+ - `Bug 1550708 <https://bugzilla.mozilla.org/show_bug.cgi?id=1550708>`__ - Fix gyp scripts on
+ Solaris SPARC so that libfreebl_64fpu_3.so builds
+
+ - `Bug 1554336 <https://bugzilla.mozilla.org/show_bug.cgi?id=1554336>`__ - Optimize away
+ unneeded loop in mpi.c
+
+ - `Bug 1559906 <https://bugzilla.mozilla.org/show_bug.cgi?id=1559906>`__ - fipstest: use
+ CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
+
+ - `Bug 1558126 <https://bugzilla.mozilla.org/show_bug.cgi?id=1558126>`__ -
+ TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
+
+ - `Bug 1555207 <https://bugzilla.mozilla.org/show_bug.cgi?id=1555207>`__ -
+ HelloRetryRequestCallback return code for rejecting 0-RTT
+
+ - `Bug 1556591 <https://bugzilla.mozilla.org/show_bug.cgi?id=1556591>`__ - Eliminate races in
+ uses of PK11_SetWrapKey
+
+ - `Bug 1558681 <https://bugzilla.mozilla.org/show_bug.cgi?id=1558681>`__ - Stop using a global
+ for anti-replay of TLS 1.3 early data
+
+ - `Bug 1561510 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561510>`__ - Fix a bug where
+ removing -arch XXX args from CC didn't work
+
+ - `Bug 1561523 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561523>`__ - Add a string for the
+ new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.45:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.45
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.45 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.45 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst
new file mode 100644
index 0000000000..a7a3c1e09e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst
@@ -0,0 +1,72 @@
+.. _mozilla_projects_nss_nss_3_46_1_release_notes:
+
+NSS 3.46.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.46.1 is a patch release for NSS 3.46. The bug fixes in NSS
+ 3.46.1 are described in the "Bugs Fixed" section below. It was released on 2 October 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_46_1_RTM. NSS 3.46.1 requires NSPR 4.22 or newer.
+
+ NSS 3.46.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_46_1_RTM/src/
+
+ Other releases are available in NSS Releases.
+
+.. _new_in_nss_3.46.1:
+
+`New in NSS 3.46.1 <#new_in_nss_3.46.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.46.1:
+
+`Bugs fixed in NSS 3.46.1 <#bugs_fixed_in_nss_3.46.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1582343 <https://bugzilla.mozilla.org/show_bug.cgi?id=1582343>`__\ - Soft token MAC
+ verification not constant time
+ - `Bug 1577953 <https://bugzilla.mozilla.org/show_bug.cgi?id=1577953>`__\ - Remove arbitrary
+ HKDF output limit by allocating space as needed
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.46.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.46.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.46.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.46.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__\ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst
new file mode 100644
index 0000000000..f1a13d7c54
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst
@@ -0,0 +1,219 @@
+.. _mozilla_projects_nss_nss_3_46_release_notes:
+
+NSS 3.46 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.46 on **30 August 2019**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Giulio Benetti
+ - Louis Dassy
+ - Mike Kaganski
+ - xhimanshuz
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_46_RTM. NSS 3.46 requires NSPR 4.22 or newer.
+
+ NSS 3.46 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_46_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.46:
+
+`New in NSS 3.46 <#new_in_nss_3.46>`__
+--------------------------------------
+
+.. container::
+
+ This release contains no significant new functionality, but concentrates on providing improved
+ performance, stability, and security. Of particular note are significant improvements to AES-GCM
+ performance on ARM.
+
+.. _notable_changes_in_nss_3.46:
+
+`Notable Changes in NSS 3.46 <#notable_changes_in_nss_3.46>`__
+--------------------------------------------------------------
+
+.. container::
+
+.. _certificate_authority_changes:
+
+`Certificate Authority Changes <#certificate_authority_changes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The following CA certificates were **Removed**:
+
+ - `Bug 1574670 <https://bugzilla.mozilla.org/show_bug.cgi?id=1574670>`__ - Remove expired
+ Class 2 Primary root certificate
+
+ - SHA-256 Fingerprint: 0F993C8AEF97BAAF5687140ED59AD1821BB4AFACF0AA9A58B5D57A338A3AFBCB
+
+ - `Bug 1574670 <https://bugzilla.mozilla.org/show_bug.cgi?id=1574670>`__ - Remove expired
+ UTN-USERFirst-Client root certificate
+
+ - SHA-256 Fingerprint: 43F257412D440D627476974F877DA8F1FC2444565A367AE60EDDC27A412531AE
+
+ - `Bug 1574670 <https://bugzilla.mozilla.org/show_bug.cgi?id=1574670>`__ - Remove expired
+ Deutsche Telekom Root CA 2 root certificate
+
+ - SHA-256 Fingerprint: B6191A50D0C3977F7DA99BCDAAC86A227DAEB9679EC70BA3B0C9D92271C170D3
+
+ - `Bug 1566569 <https://bugzilla.mozilla.org/show_bug.cgi?id=1566569>`__ - Remove Swisscom
+ Root CA 2 root certificate
+
+ - SHA-256 Fingerprint: F09B122C7114F4A09BD4EA4F4A99D558B46E4C25CD81140D29C05613914C3841
+
+.. _upcoming_changes_to_default_tls_configuration:
+
+`Upcoming changes to default TLS configuration <#upcoming_changes_to_default_tls_configuration>`__
+--------------------------------------------------------------------------------------------------
+
+.. container::
+
+ The next NSS team plans to make two changes to the default TLS configuration in NSS 3.47, which
+ will be released in October:
+
+ - `TLS 1.3 <https://datatracker.ietf.org/doc/html/rfc8446>`__ will be the default maximum TLS
+ version. See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
+ details.
+ - `TLS extended master secret <https://datatracker.ietf.org/doc/html/rfc7627>`__ will be enabled
+ by default, where possible. See `Bug
+ 1575411 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575411>`__ for details.
+
+.. _bugs_fixed_in_nss_3.46:
+
+`Bugs fixed in NSS 3.46 <#bugs_fixed_in_nss_3.46>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1572164 <https://bugzilla.mozilla.org/show_bug.cgi?id=1572164>`__ - Don't unnecessarily
+ free session in NSC_WrapKey
+ - `Bug 1574220 <https://bugzilla.mozilla.org/show_bug.cgi?id=1574220>`__ - Improve controls
+ after errors in tstcln, selfserv and vfyserv cmds
+ - `Bug 1550636 <https://bugzilla.mozilla.org/show_bug.cgi?id=1550636>`__ - Upgrade SQLite in NSS
+ to a 2019 version
+ - `Bug 1572593 <https://bugzilla.mozilla.org/show_bug.cgi?id=1572593>`__ - Reset advertised
+ extensions in ssl_ConstructExtensions
+ - `Bug 1415118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1415118>`__ - NSS build with
+ ./build.sh --enable-libpkix fails
+ - `Bug 1539788 <https://bugzilla.mozilla.org/show_bug.cgi?id=1539788>`__ - Add length checks for
+ cryptographic primitives
+ (`CVE-2019-17006 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-17006>`__)
+ - `Bug 1542077 <https://bugzilla.mozilla.org/show_bug.cgi?id=1542077>`__ - mp_set_ulong and
+ mp_set_int should return errors on bad values
+ - `Bug 1572791 <https://bugzilla.mozilla.org/show_bug.cgi?id=1572791>`__ - Read out-of-bounds in
+ DER_DecodeTimeChoice_Util from SSLExp_DelegateCredential
+ - `Bug 1560593 <https://bugzilla.mozilla.org/show_bug.cgi?id=1560593>`__ - Cleanup.sh script
+ does not set error exit code for tests that "Failed with core"
+ - `Bug 1566601 <https://bugzilla.mozilla.org/show_bug.cgi?id=1566601>`__ - Add Wycheproof test
+ vectors for AES-KW
+ - `Bug 1571316 <https://bugzilla.mozilla.org/show_bug.cgi?id=1571316>`__ - curve25519_32.c:280:
+ undefined reference to \`PR_Assert' when building NSS 3.45 on armhf-linux
+ - `Bug 1516593 <https://bugzilla.mozilla.org/show_bug.cgi?id=1516593>`__ - Client to generate
+ new random during renegotiation
+ - `Bug 1563258 <https://bugzilla.mozilla.org/show_bug.cgi?id=1563258>`__ - fips.sh fails due to
+ non-existent "resp" directories
+ - `Bug 1561598 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561598>`__ - Remove
+ -Wmaybe-uninitialized warning in pqg.c
+ - `Bug 1560806 <https://bugzilla.mozilla.org/show_bug.cgi?id=1560806>`__ - Increase softoken
+ password max size to 500 characters
+ - `Bug 1568776 <https://bugzilla.mozilla.org/show_bug.cgi?id=1568776>`__ - Output paths relative
+ to repository in NSS coverity
+ - `Bug 1453408 <https://bugzilla.mozilla.org/show_bug.cgi?id=1453408>`__ - modutil -changepw
+ fails in FIPS mode if password is an empty string
+ - `Bug 1564727 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564727>`__ - Use a PSS SPKI when
+ possible for delegated credentials
+ - `Bug 1493916 <https://bugzilla.mozilla.org/show_bug.cgi?id=1493916>`__ - fix ppc64 inline
+ assembler for clang
+ - `Bug 1561588 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561588>`__ - Remove
+ -Wmaybe-uninitialized warning in p7env.c
+ - `Bug 1561548 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561548>`__ - Remove
+ -Wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c
+ - `Bug 1512605 <https://bugzilla.mozilla.org/show_bug.cgi?id=1512605>`__ - Incorrect alert
+ description after unencrypted Finished msg
+ - `Bug 1564715 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564715>`__ - Read /proc/cpuinfo
+ when AT_HWCAP2 returns 0
+ - `Bug 1532194 <https://bugzilla.mozilla.org/show_bug.cgi?id=1532194>`__ - Remove or fix
+ -DDEBUG_$USER from make builds
+ - `Bug 1565577 <https://bugzilla.mozilla.org/show_bug.cgi?id=1565577>`__ - Visual Studio's
+ cl.exe -? hangs on Windows x64 when building nss since changeset
+ 9162c654d06915f0f15948fbf67d4103a229226f
+ - `Bug 1564875 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564875>`__ - Improve rebuilding
+ with build.sh
+ - `Bug 1565243 <https://bugzilla.mozilla.org/show_bug.cgi?id=1565243>`__ - Support TC_OWNER
+ without email address in nss taskgraph
+ - `Bug 1563778 <https://bugzilla.mozilla.org/show_bug.cgi?id=1563778>`__ - Increase maxRunTime
+ on Mac taskcluster Tools, SSL tests
+ - `Bug 1561591 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561591>`__ - Remove
+ -Wmaybe-uninitialized warning in tstclnt.c
+ - `Bug 1561587 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561587>`__ - Remove
+ -Wmaybe-uninitialized warning in lgattr.c
+ - `Bug 1561558 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561558>`__ - Remove
+ -Wmaybe-uninitialized warning in httpserv.c
+ - `Bug 1561556 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561556>`__ - Remove
+ -Wmaybe-uninitialized warning in tls13esni.c
+ - `Bug 1561332 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561332>`__ - ec.c:28 warning:
+ comparison of integers of different signs: 'int' and 'unsigned long'
+ - `Bug 1564714 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564714>`__ - Print certutil
+ commands during setup
+ - `Bug 1565013 <https://bugzilla.mozilla.org/show_bug.cgi?id=1565013>`__ - HACL image builder
+ times out while fetching gpg key
+ - `Bug 1563786 <https://bugzilla.mozilla.org/show_bug.cgi?id=1563786>`__ - Update hacl-star
+ docker image to pull specific commit
+ - `Bug 1559012 <https://bugzilla.mozilla.org/show_bug.cgi?id=1559012>`__ - Improve GCM
+ perfomance using PMULL2
+ - `Bug 1528666 <https://bugzilla.mozilla.org/show_bug.cgi?id=1528666>`__ - Correct resumption
+ validation checks
+ - `Bug 1568803 <https://bugzilla.mozilla.org/show_bug.cgi?id=1568803>`__ - More tests for client
+ certificate authentication
+ - `Bug 1564284 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564284>`__ - Support profile
+ mobility across Windows and Linux
+ - `Bug 1573942 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573942>`__ - Gtest for pkcs11.txt
+ with different breaking line formats
+ - `Bug 1575968 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575968>`__ - Add strsclnt option
+ to enforce the use of either IPv4 or IPv6
+ - `Bug 1549847 <https://bugzilla.mozilla.org/show_bug.cgi?id=1549847>`__ - Fix NSS builds on iOS
+ - `Bug 1485533 <https://bugzilla.mozilla.org/show_bug.cgi?id=1485533>`__ - Enable NSS_SSL_TESTS
+ on taskcluster
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.46:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.46
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.46 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.46 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst
new file mode 100644
index 0000000000..93c78b5261
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst
@@ -0,0 +1,78 @@
+.. _mozilla_projects_nss_nss_3_47_1_release_notes:
+
+NSS 3.47.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.47.1 is a patch release for NSS 3.47. The bug fixes in NSS
+ 3.47.1 are described in the "Bugs Fixed" section below. It was released on 19 November 2019.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Craig Disselkoen
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_47_1_RTM. NSS 3.47.1 requires NSPR 4.23 or newer.
+
+ NSS 3.47.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_47_1_RTM/src/
+
+ Other releases are available in NSS Releases.
+
+.. _new_in_nss_3.47.1:
+
+`New in NSS 3.47.1 <#new_in_nss_3.47.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.47.1:
+
+`Bugs fixed in NSS 3.47.1 <#bugs_fixed_in_nss_3.47.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `CVE-2019-11745 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-11745>`__ -
+ EncryptUpdate should use maxout, not block size
+ - `Bug 1590495 <https://bugzilla.mozilla.org/show_bug.cgi?id=1590495>`__ - Fix a crash that
+ could be caused by client certificates during startup
+ - `Bug 1589810 <https://bugzilla.mozilla.org/show_bug.cgi?id=1589810>`__ - Fix compile-time
+ warnings from uninitialized variables in a perl script
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.47:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.47
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.47.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.47.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst
new file mode 100644
index 0000000000..57ffce14a3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst
@@ -0,0 +1,179 @@
+.. _mozilla_projects_nss_nss_3_47_release_notes:
+
+NSS 3.47 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.47 on **18 October 2019**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Christian Weisgerber
+ - Deian Stefan
+ - Jenine
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_47_RTM. NSS 3.47 requires NSPR 4.23 or newer.
+
+ NSS 3.47 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_47_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _upcoming_changes_to_default_tls_configuration:
+
+`Upcoming changes to default TLS configuration <#upcoming_changes_to_default_tls_configuration>`__
+--------------------------------------------------------------------------------------------------
+
+.. container::
+
+ The next NSS team plans to make two changes to the default TLS configuration in NSS 3.48, which
+ will be released in early December:
+
+ - `TLS 1.3 <https://datatracker.ietf.org/doc/html/rfc8446>`__ will be the default maximum TLS
+ version. See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
+ details.
+ - `TLS extended master secret <https://datatracker.ietf.org/doc/html/rfc7627>`__ will be enabled
+ by default, where possible. See `Bug
+ 1575411 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575411>`__ for details.
+
+.. _notable_changes_in_nss_3.47:
+
+`Notable Changes in NSS 3.47 <#notable_changes_in_nss_3.47>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1152625 <https://bugzilla.mozilla.org/show_bug.cgi?id=1152625>`__ - Support AES HW
+ acceleration on ARMv8
+ - `Bug 1267894 <https://bugzilla.mozilla.org/show_bug.cgi?id=1267894>`__ - Allow per-socket
+ run-time ordering of the cipher suites presented in ClientHello
+ - `Bug 1570501 <https://bugzilla.mozilla.org/show_bug.cgi?id=1570501>`__ - Add CMAC to FreeBL
+ and PKCS #11 libraries
+
+.. _bugs_fixed_in_nss_3.47:
+
+`Bugs fixed in NSS 3.47 <#bugs_fixed_in_nss_3.47>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1459141 <https://bugzilla.mozilla.org/show_bug.cgi?id=1459141>`__ - Make softoken CBC
+ padding removal constant time
+ - `Bug 1589120 <https://bugzilla.mozilla.org/show_bug.cgi?id=1589120>`__ - More CBC padding
+ tests
+ - `Bug 1465613 <https://bugzilla.mozilla.org/show_bug.cgi?id=1465613>`__ - Add ability to
+ distrust certificates issued after a certain date for a specified root cert
+ - `Bug 1588557 <https://bugzilla.mozilla.org/show_bug.cgi?id=1588557>`__ - Bad debug statement
+ in tls13con.c
+ - `Bug 1579060 <https://bugzilla.mozilla.org/show_bug.cgi?id=1579060>`__ - mozilla::pkix tag
+ definitions for issuerUniqueID and subjectUniqueID shouldn't have the CONSTRUCTED bit set
+ - `Bug 1583068 <https://bugzilla.mozilla.org/show_bug.cgi?id=1583068>`__ - NSS 3.47 should pick
+ up fix from bug 1575821 (NSPR 4.23)
+ - `Bug 1152625 <https://bugzilla.mozilla.org/show_bug.cgi?id=1152625>`__ - Support AES HW
+ acceleration on ARMv8
+ - `Bug 1549225 <https://bugzilla.mozilla.org/show_bug.cgi?id=1549225>`__ - Disable DSA signature
+ schemes for TLS 1.3
+ - `Bug 1586947 <https://bugzilla.mozilla.org/show_bug.cgi?id=1586947>`__ -
+ PK11_ImportAndReturnPrivateKey does not store nickname for EC keys
+ - `Bug 1586456 <https://bugzilla.mozilla.org/show_bug.cgi?id=1586456>`__ - Unnecessary
+ conditional in pki3hack, pk11load and stanpcertdb
+ - `Bug 1576307 <https://bugzilla.mozilla.org/show_bug.cgi?id=1576307>`__ - Check mechanism param
+ and param length before casting to mechanism-specific structs
+ - `Bug 1577953 <https://bugzilla.mozilla.org/show_bug.cgi?id=1577953>`__ - Support longer (up to
+ RFC maximum) HKDF outputs
+ - `Bug 1508776 <https://bugzilla.mozilla.org/show_bug.cgi?id=1508776>`__ - Remove refcounting
+ from sftk_FreeSession (CVE-2019-11756)
+ - `Bug 1494063 <https://bugzilla.mozilla.org/show_bug.cgi?id=1494063>`__ - Support TLS Exporter
+ in tstclnt and selfserv
+ - `Bug 1581024 <https://bugzilla.mozilla.org/show_bug.cgi?id=1581024>`__ - Heap overflow in NSS
+ utility "derdump"
+ - `Bug 1582343 <https://bugzilla.mozilla.org/show_bug.cgi?id=1582343>`__ - Soft token MAC
+ verification not constant time
+ - `Bug 1578238 <https://bugzilla.mozilla.org/show_bug.cgi?id=1578238>`__ - Handle invald tag
+ sizes for CKM_AES_GCM
+ - `Bug 1576295 <https://bugzilla.mozilla.org/show_bug.cgi?id=1576295>`__ - Check all bounds when
+ encrypting with SEED_CBC
+ - `Bug 1580286 <https://bugzilla.mozilla.org/show_bug.cgi?id=1580286>`__ - NSS rejects TLS 1.2
+ records with large padding with SHA384 HMAC
+ - `Bug 1577448 <https://bugzilla.mozilla.org/show_bug.cgi?id=1577448>`__ - Create additional
+ nested S/MIME test messages for Thunderbird
+ - `Bug 1399095 <https://bugzilla.mozilla.org/show_bug.cgi?id=1399095>`__ - Allow nss-try to be
+ used to test NSPR changes
+ - `Bug 1267894 <https://bugzilla.mozilla.org/show_bug.cgi?id=1267894>`__ - libSSL should allow
+ selecting the order of cipher suites in ClientHello
+ - `Bug 1581507 <https://bugzilla.mozilla.org/show_bug.cgi?id=1581507>`__ - Fix unportable grep
+ expression in test scripts
+ - `Bug 1234830 <https://bugzilla.mozilla.org/show_bug.cgi?id=1234830>`__ - [CID 1242894][CID
+ 1242852] unused values
+ - `Bug 1580126 <https://bugzilla.mozilla.org/show_bug.cgi?id=1580126>`__ - Fix build failure on
+ aarch64_be while building freebl/gcm
+ - `Bug 1385039 <https://bugzilla.mozilla.org/show_bug.cgi?id=1385039>`__ - Build NSPR tests as
+ part of NSS continuous integration
+ - `Bug 1581391 <https://bugzilla.mozilla.org/show_bug.cgi?id=1581391>`__ - Fix build on
+ OpenBSD/arm64 after bug #1559012
+ - `Bug 1581041 <https://bugzilla.mozilla.org/show_bug.cgi?id=1581041>`__ - mach-commands ->
+ mach-completion
+ - `Bug 1558313 <https://bugzilla.mozilla.org/show_bug.cgi?id=1558313>`__ - Code bugs found by
+ clang scanners.
+ - `Bug 1542207 <https://bugzilla.mozilla.org/show_bug.cgi?id=1542207>`__ - Limit policy check on
+ signature algorithms to known algorithms
+ - `Bug 1560329 <https://bugzilla.mozilla.org/show_bug.cgi?id=1560329>`__ - drbg: add continuous
+ self-test on entropy source
+ - `Bug 1579290 <https://bugzilla.mozilla.org/show_bug.cgi?id=1579290>`__ - ASAN builds should
+ disable LSAN while building
+ - `Bug 1385061 <https://bugzilla.mozilla.org/show_bug.cgi?id=1385061>`__ - Build NSPR tests with
+ NSS make; Add gyp parameters to build/run NSPR tests
+ - `Bug 1577359 <https://bugzilla.mozilla.org/show_bug.cgi?id=1577359>`__ - Build atob and btoa
+ for Thunderbird
+ - `Bug 1579036 <https://bugzilla.mozilla.org/show_bug.cgi?id=1579036>`__ - Confusing error when
+ trying to export non-existent cert with pk12util
+ - `Bug 1578626 <https://bugzilla.mozilla.org/show_bug.cgi?id=1578626>`__ - [CID 1453375] UB:
+ decrement nullptr.
+ - `Bug 1578751 <https://bugzilla.mozilla.org/show_bug.cgi?id=1578751>`__ - Ensure a consistent
+ style for pk11_find_certs_unittest.cc
+ - `Bug 1570501 <https://bugzilla.mozilla.org/show_bug.cgi?id=1570501>`__ - Add CMAC to FreeBL
+ and PKCS #11 libraries
+ - `Bug 657379 <https://bugzilla.mozilla.org/show_bug.cgi?id=657379>`__ - NSS uses the wrong OID
+ for signatureAlgorithm field of signerInfo in CMS for DSA and ECDSA
+ - `Bug 1576664 <https://bugzilla.mozilla.org/show_bug.cgi?id=1576664>`__ - Remove -mms-bitfields
+ from mingw NSS build.
+ - `Bug 1577038 <https://bugzilla.mozilla.org/show_bug.cgi?id=1577038>`__ - add
+ PK11_GetCertsFromPrivateKey to return all certificates with public keys matching a particular
+ private key
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.47:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.47
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.47 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.47 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst
new file mode 100644
index 0000000000..220abe8586
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_nss_3_48_1_release_notes:
+
+NSS 3.48.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.48.1 is a patch release for NSS 3.48. The bug fixes in NSS
+ 3.48.1 are described in the "Bugs Fixed" section below. It was released on **13 January 2020**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_48_1_RTM. NSS 3.48.1 requires NSPR 4.23 or newer.
+
+ NSS 3.48.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_48_1_RTM/src/
+
+ Other releases are available in :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.48.1:
+
+`New in NSS 3.48.1 <#new_in_nss_3.48.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.48.1:
+
+`Bugs fixed in NSS 3.48.1 <#bugs_fixed_in_nss_3.48.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1606992 <https://bugzilla.mozilla.org/show_bug.cgi?id=1606992>`__ - Cache the most recent
+ PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF
+ iteration counts.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.48:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.48
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.48.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.48.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst
new file mode 100644
index 0000000000..fb1b02370e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst
@@ -0,0 +1,178 @@
+.. _mozilla_projects_nss_nss_3_48_release_notes:
+
+NSS 3.48 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.48 on **5 December 2019**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Craig Disselkoen
+ - Giulio Benetti
+ - Lauri Kasanen
+ - Tom Prince
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_48_RTM. NSS 3.48 requires NSPR 4.24 or newer.
+
+ NSS 3.48 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_48_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.48:
+
+`Notable Changes in NSS 3.48 <#notable_changes_in_nss_3.48>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - `TLS 1.3 <https://datatracker.ietf.org/doc/html/rfc8446>`__ is the default maximum TLS
+ version. See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
+ details.
+ - `TLS extended master secret <https://datatracker.ietf.org/doc/html/rfc7627>`__ is enabled by
+ default, where possible. See `Bug
+ 1575411 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575411>`__ for details.
+ - The master password PBE now uses 10,000 iterations by default when using the default sql
+ (key4.db) storage. Because using an iteration count higher than 1 with the legacy dbm
+ (key3.db) storage creates files that are incompatible with previous versions of NSS,
+ applications that wish to enable it for key3.db are required to set environment variable
+ NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1. Applications may set environment variable
+ NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count than the library's default,
+ or NSS_MAX_MP_PBE_ITERATION_COUNT to request a lower iteration count for test environments.
+ See `Bug 1562671 <https://bugzilla.mozilla.org/show_bug.cgi?id=1562671>`__ for details.
+
+.. _certificate_authority_changes:
+
+`Certificate Authority Changes <#certificate_authority_changes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The following CA certificates were Added:
+
+ - `Bug 1591178 <https://bugzilla.mozilla.org/show_bug.cgi?id=1591178>`__ - Entrust Root
+ Certification Authority - G4 Cert
+
+ - SHA-256 Fingerprint: DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88
+
+.. _upcoming_changes_in_nss_3.49:
+
+`Upcoming Changes in NSS 3.49 <#upcoming_changes_in_nss_3.49>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - The legacy DBM database, **libnssdbm**, will no longer be built by default. See `Bug
+ 1594933 <https://bugzilla.mozilla.org/show_bug.cgi?id=1594933>`__ for details.
+
+.. _bugs_fixed_in_nss_3.48:
+
+`Bugs fixed in NSS 3.48 <#bugs_fixed_in_nss_3.48>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1600775 <https://bugzilla.mozilla.org/show_bug.cgi?id=1600775>`__ - Require NSPR 4.24 for
+ NSS 3.48
+ - `Bug 1593401 <https://bugzilla.mozilla.org/show_bug.cgi?id=1593401>`__ - Fix race condition in
+ self-encrypt functions
+ - `Bug 1599545 <https://bugzilla.mozilla.org/show_bug.cgi?id=1599545>`__ - Fix assertion and add
+ test for early Key Update
+ - `Bug 1597799 <https://bugzilla.mozilla.org/show_bug.cgi?id=1597799>`__ - Fix a crash in
+ nssCKFWObject_GetAttributeSize
+ - `Bug 1591178 <https://bugzilla.mozilla.org/show_bug.cgi?id=1591178>`__ - Add Entrust Root
+ Certification Authority - G4 certificate to NSS
+ - `Bug 1590001 <https://bugzilla.mozilla.org/show_bug.cgi?id=1590001>`__ - Prevent negotiation
+ of versions lower than 1.3 after HelloRetryRequest
+ - `Bug 1596450 <https://bugzilla.mozilla.org/show_bug.cgi?id=1596450>`__ - Added a simplified
+ and unified MAC implementation for HMAC and CMAC behind PKCS#11
+ - `Bug 1522203 <https://bugzilla.mozilla.org/show_bug.cgi?id=1522203>`__ - Remove an old Pentium
+ Pro performance workaround
+ - `Bug 1592557 <https://bugzilla.mozilla.org/show_bug.cgi?id=1592557>`__ - Fix PRNG
+ known-answer-test scripts
+ - `Bug 1586176 <https://bugzilla.mozilla.org/show_bug.cgi?id=1586176>`__ - EncryptUpdate should
+ use maxout not block size (CVE-2019-11745)
+ - `Bug 1593141 <https://bugzilla.mozilla.org/show_bug.cgi?id=1593141>`__ - add \`notBefore\` or
+ similar "beginning-of-validity-period" parameter to
+ mozilla::pkix::TrustDomain::CheckRevocation
+ - `Bug 1591363 <https://bugzilla.mozilla.org/show_bug.cgi?id=1591363>`__ - Fix a PBKDF2 memory
+ leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256)
+ - `Bug 1592869 <https://bugzilla.mozilla.org/show_bug.cgi?id=1592869>`__ - Use ARM NEON for
+ ctr_xor
+ - `Bug 1566131 <https://bugzilla.mozilla.org/show_bug.cgi?id=1566131>`__ - Ensure SHA-1 fallback
+ disabled in TLS 1.2
+ - `Bug 1577803 <https://bugzilla.mozilla.org/show_bug.cgi?id=1577803>`__ - Mark PKCS#11 token as
+ friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN
+ - `Bug 1566126 <https://bugzilla.mozilla.org/show_bug.cgi?id=1566126>`__ - POWER GHASH Vector
+ Acceleration
+ - `Bug 1589073 <https://bugzilla.mozilla.org/show_bug.cgi?id=1589073>`__ - Use of new
+ PR_ASSERT_ARG in certdb.c
+ - `Bug 1590495 <https://bugzilla.mozilla.org/show_bug.cgi?id=1590495>`__ - Fix a crash in
+ PK11_MakeCertFromHandle
+ - `Bug 1591742 <https://bugzilla.mozilla.org/show_bug.cgi?id=1591742>`__ - Ensure DES IV length
+ is valid before usage from PKCS#11
+ - `Bug 1588567 <https://bugzilla.mozilla.org/show_bug.cgi?id=1588567>`__ - Enable mozilla::pkix
+ gtests in NSS CI
+ - `Bug 1591315 <https://bugzilla.mozilla.org/show_bug.cgi?id=1591315>`__ - Update NSC_Decrypt
+ length in constant time
+ - `Bug 1562671 <https://bugzilla.mozilla.org/show_bug.cgi?id=1562671>`__ - Increase NSS MP KDF
+ default iteration count, by default for modern key4 storage, optionally for legacy key3.db
+ storage
+ - `Bug 1590972 <https://bugzilla.mozilla.org/show_bug.cgi?id=1590972>`__ - Use -std=c99 rather
+ than -std=gnu99
+ - `Bug 1590676 <https://bugzilla.mozilla.org/show_bug.cgi?id=1590676>`__ - Fix build if ARM
+ doesn't support NEON
+ - `Bug 1575411 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575411>`__ - Enable TLS extended
+ master secret by default
+ - `Bug 1590970 <https://bugzilla.mozilla.org/show_bug.cgi?id=1590970>`__ - SSL_SetTimeFunc has
+ incomplete coverage
+ - `Bug 1590678 <https://bugzilla.mozilla.org/show_bug.cgi?id=1590678>`__ - Remove
+ -Wmaybe-uninitialized warning in tls13esni.c
+ - `Bug 1588244 <https://bugzilla.mozilla.org/show_bug.cgi?id=1588244>`__ - NSS changes for
+ Delegated Credential key strength checks
+ - `Bug 1459141 <https://bugzilla.mozilla.org/show_bug.cgi?id=1459141>`__ - Add more CBC padding
+ tests that missed NSS 3.47
+ - `Bug 1590339 <https://bugzilla.mozilla.org/show_bug.cgi?id=1590339>`__ - Fix a memory leak in
+ btoa.c
+ - `Bug 1589810 <https://bugzilla.mozilla.org/show_bug.cgi?id=1589810>`__ - fix uninitialized
+ variable warnings from certdata.perl
+ - `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ - Enable TLS 1.3 by
+ default in NSS
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.48:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.48
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.48 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.48 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst
new file mode 100644
index 0000000000..a76dbf274a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_nss_3_49_1_release_notes:
+
+NSS 3.49.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.49.1 is a patch release for NSS 3.49. The bug fixes in NSS
+ 3.49.1 are described in the "Bugs Fixed" section below. It was released on **13 January 2020**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_49_1_RTM. NSS 3.49.1 requires NSPR 4.24 or newer.
+
+ NSS 3.49.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_49_1_RTM/src/
+
+ Other releases are available in :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.49.1:
+
+`New in NSS 3.49.1 <#new_in_nss_3.49.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.49.1:
+
+`Bugs fixed in NSS 3.49.1 <#bugs_fixed_in_nss_3.49.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1606992 <https://bugzilla.mozilla.org/show_bug.cgi?id=1606992>`__ - Cache the most recent
+ PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF
+ iteration counts.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.49:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.49
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.49.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.49.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst
new file mode 100644
index 0000000000..70e3627438
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_nss_3_49_2_release_notes:
+
+NSS 3.49.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.49.2 is a patch release for NSS 3.49. The bug fixes in NSS
+ 3.49.2 are described in the "Bugs Fixed" section below. It was released on **23 January 2020**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_49_2_RTM. NSS 3.49.2 requires NSPR 4.24 or newer.
+
+ NSS 3.49.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_49_2_RTM/src/
+
+ Other releases are available in :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.49.2:
+
+`New in NSS 3.49.2 <#new_in_nss_3.49.2>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.49.2:
+
+`Bugs fixed in NSS 3.49.2 <#bugs_fixed_in_nss_3.49.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1606992 <https://bugzilla.mozilla.org/show_bug.cgi?id=1606992>`__ - Cache the most
+ recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased
+ KDF iteration counts. NSS 3.49.1 sped up PBKDF2 operations, though PBKDF1 operations are also
+ relevant for older NSS databases.
+ - `Bug 1608327 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608327>`__ - Fix compilation
+ problems with NEON-specific code in freebl
+ - `Bug 1608895 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608895>`__ - Fix a taskcluster
+ issue with Python 2 / Python 3
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.49:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.49
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.49.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.49.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst
new file mode 100644
index 0000000000..b1679fdcd1
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst
@@ -0,0 +1,103 @@
+.. _mozilla_projects_nss_nss_3_49_release_notes:
+
+NSS 3.49 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.49 on **3 January 2020**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Alex Henrie
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_49_RTM. NSS 3.49 requires NSPR 4.24 or newer.
+
+ NSS 3.49 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_49_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.49:
+
+`Notable Changes in NSS 3.49 <#notable_changes_in_nss_3.49>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The legacy DBM database, **libnssdbm**, is no longer built by default when using gyp builds.
+ See `Bug 1594933 <https://bugzilla.mozilla.org/show_bug.cgi?id=1594933>`__ for details.
+
+.. _bugs_fixed_in_nss_3.49:
+
+`Bugs fixed in NSS 3.49 <#bugs_fixed_in_nss_3.49>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1513586 <https://bugzilla.mozilla.org/show_bug.cgi?id=1513586>`__ - Set downgrade
+ sentinel for client TLS versions lower than 1.2.
+ - `Bug 1606025 <https://bugzilla.mozilla.org/show_bug.cgi?id=1606025>`__ - Remove
+ -Wmaybe-uninitialized warning in sslsnce.c
+ - `Bug 1606119 <https://bugzilla.mozilla.org/show_bug.cgi?id=1606119>`__ - Fix PPC HW Crypto
+ build failure
+ - `Bug 1605545 <https://bugzilla.mozilla.org/show_bug.cgi?id=1605545>`__ - Memory leak in
+ Pk11Install_Platform_Generate
+ - `Bug 1602288 <https://bugzilla.mozilla.org/show_bug.cgi?id=1602288>`__ - Fix build failure due
+ to missing posix signal.h
+ - `Bug 1588714 <https://bugzilla.mozilla.org/show_bug.cgi?id=1588714>`__ - Implement
+ CheckARMSupport for Win64/aarch64
+ - `Bug 1585189 <https://bugzilla.mozilla.org/show_bug.cgi?id=1585189>`__ - NSS database uses
+ 3DES instead of AES to encrypt DB entries
+ - `Bug 1603257 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603257>`__ - Fix UBSAN issue in
+ softoken CKM_NSS_CHACHA20_CTR initialization
+ - `Bug 1590001 <https://bugzilla.mozilla.org/show_bug.cgi?id=1590001>`__ - Additional HRR Tests
+ (CVE-2019-17023)
+ - `Bug 1600144 <https://bugzilla.mozilla.org/show_bug.cgi?id=1600144>`__ - Treat ClientHello
+ with message_seq of 1 as a second ClientHello
+ - `Bug 1603027 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603027>`__ - Test that ESNI is
+ regenerated after HelloRetryRequest
+ - `Bug 1593167 <https://bugzilla.mozilla.org/show_bug.cgi?id=1593167>`__ - Intermittent
+ mis-reporting potential security risk SEC_ERROR_UNKNOWN_ISSUER
+ - `Bug 1535787 <https://bugzilla.mozilla.org/show_bug.cgi?id=1535787>`__ - Fix
+ automation/release/nss-release-helper.py on MacOS
+ - `Bug 1594933 <https://bugzilla.mozilla.org/show_bug.cgi?id=1594933>`__ - Disable building DBM
+ by default
+ - `Bug 1562548 <https://bugzilla.mozilla.org/show_bug.cgi?id=1562548>`__ - Improve GCM
+ perfomance on aarch32
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.49:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.49
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.49 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.49 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst
new file mode 100644
index 0000000000..bc910ee41b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst
@@ -0,0 +1,120 @@
+.. _mozilla_projects_nss_nss_3_50_release_notes:
+
+NSS 3.50 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.50 on **7 February 2020**, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_50_RTM. NSS 3.50 requires NSPR 4.25 or newer.
+
+ NSS 3.50 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_50_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.50:
+
+`Notable Changes in NSS 3.50 <#notable_changes_in_nss_3.50>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Verified primitives from HACL\* were updated, bringing performance improvements for several
+ platforms.
+
+ - Note that Intel processors with SSE4 but without AVX are currently unable to use the
+ improved ChaCha20/Poly1305 due to a build issue; such platforms will fall-back to less
+ optimized algorithms. See `Bug 1609569 for
+ details. <https://bugzilla.mozilla.org/show_bug.cgi?id=1609569>`__
+
+ - Updated DTLS 1.3 implementation to Draft-30. See `Bug 1599514 for
+ details. <https://bugzilla.mozilla.org/show_bug.cgi?id=1599514>`__
+ - Added NIST SP800-108 KBKDF - PKCS#11 implementation. See `Bug 1599603 for
+ details. <https://bugzilla.mozilla.org/show_bug.cgi?id=1599603>`__
+
+.. _bugs_fixed_in_nss_3.50:
+
+`Bugs fixed in NSS 3.50 <#bugs_fixed_in_nss_3.50>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1599514 <https://bugzilla.mozilla.org/show_bug.cgi?id=1599514>`__ - Update DTLS 1.3
+ implementation to Draft-30
+ - `Bug 1603438 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603438>`__ - Fix native tools
+ build failure due to lack of zlib include dir if external
+ - `Bug 1599603 <https://bugzilla.mozilla.org/show_bug.cgi?id=1599603>`__ - NIST SP800-108 KBKDF
+ - PKCS#11 implementation
+ - `Bug 1606992 <https://bugzilla.mozilla.org/show_bug.cgi?id=1606992>`__ - Cache the most
+ recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased
+ KDF iteration counts. NSS 3.49.1 sped up PBKDF2 operations, though PBKDF1 operations are also
+ relevant for older NSS databases (also included in NSS 3.49.2)
+ - `Bug 1608895 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608895>`__ - Gyp builds on
+ taskcluster broken by Setuptools v45.0.0 (for lacking Python3)
+ - `Bug 1574643 <https://bugzilla.mozilla.org/show_bug.cgi?id=1574643>`__ - Upgrade HACL\*
+ verified implementations of ChaCha20, Poly1305, and 64-bit Curve25519
+ - `Bug 1608327 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608327>`__ - Two problems with
+ NEON-specific code in freebl
+ - `Bug 1575843 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575843>`__ - Detect AArch64 CPU
+ features on FreeBSD
+ - `Bug 1607099 <https://bugzilla.mozilla.org/show_bug.cgi?id=1607099>`__ - Remove the buildbot
+ configuration
+ - `Bug 1585429 <https://bugzilla.mozilla.org/show_bug.cgi?id=1585429>`__ - Add more HKDF test
+ vectors
+ - `Bug 1573911 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573911>`__ - Add more RSA test
+ vectors
+ - `Bug 1605314 <https://bugzilla.mozilla.org/show_bug.cgi?id=1605314>`__ - Compare all 8 bytes
+ of an mp_digit when clamping in Windows assembly/mp_comba
+ - `Bug 1604596 <https://bugzilla.mozilla.org/show_bug.cgi?id=1604596>`__ - Update Wycheproof
+ vectors and add support for CBC, P256-ECDH, and CMAC tests
+ - `Bug 1608493 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608493>`__ - Use AES-NI for
+ non-GCM AES ciphers on platforms with no assembly-optimized implementation, such as macOS.
+ - `Bug 1547639 <https://bugzilla.mozilla.org/show_bug.cgi?id=1547639>`__ - Update zlib in NSS to
+ 1.2.11
+ - `Bug 1609181 <https://bugzilla.mozilla.org/show_bug.cgi?id=1609181>`__ - Detect ARM (32-bit)
+ CPU features on FreeBSD
+ - `Bug 1602386 <https://bugzilla.mozilla.org/show_bug.cgi?id=1602386>`__ - Fix build on
+ FreeBSD/powerpc\*
+ - `Bug 1608151 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608151>`__ - Introduce
+ NSS_DISABLE_ALTIVEC
+ - `Bug 1612623 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612623>`__ - Depend on NSPR 4.25
+ - `Bug 1609673 <https://bugzilla.mozilla.org/show_bug.cgi?id=1609673>`__ - Fix a crash when NSS
+ is compiled without libnssdbm support, but the nssdbm shared object is available anyway.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.50:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.50
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.50 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.50 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst
new file mode 100644
index 0000000000..5ac0fedc33
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst
@@ -0,0 +1,79 @@
+.. _mozilla_projects_nss_nss_3_51_1_release_notes:
+
+NSS 3.51.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.51.1 on **3 April 2020**. This is a
+ minor release focusing on functional bug fixes and low-risk patches only.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_51_1_RTM. NSS 3.51.1 requires NSPR 4.25 or newer.
+
+ NSS 3.51.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_51_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.51.1:
+
+`Notable Changes in NSS 3.51.1 <#notable_changes_in_nss_3.51.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1617968 <https://bugzilla.mozilla.org/show_bug.cgi?id=1617968>`__ - Update Delegated
+ Credentials implementation to draft-07.
+
+.. _bugs_fixed_in_nss_3.51.1:
+
+`Bugs fixed in NSS 3.51.1 <#bugs_fixed_in_nss_3.51.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1619102 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619102>`__ - Add workaround option
+ to include both DTLS and TLS versions in DTLS supported_versions.
+ - `Bug 1619056 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619056>`__ - Update README: TLS
+ 1.3 is not experimental anymore.
+ - `Bug 1618739 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618739>`__ - Don't assert fuzzer
+ behavior in SSL_ParseSessionTicket.
+ - `Bug 1618915 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618915>`__ - Fix UBSAN issue in
+ ssl_ParseSessionTicket.
+ - `Bug 1608245 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608245>`__ - Consistently handle
+ NULL slot/session.
+ - `Bug 1608250 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608250>`__ - broken fipstest
+ handling of KI_len.
+ - `Bug 1617968 <https://bugzilla.mozilla.org/show_bug.cgi?id=1617968>`__ - Update Delegated
+ Credentials implementation to draft-07.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.51.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.51.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst
new file mode 100644
index 0000000000..4eb0a40166
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst
@@ -0,0 +1,103 @@
+.. _mozilla_projects_nss_nss_3_51_release_notes:
+
+NSS 3.51 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.51 on **6 March 2020**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Dmitry Baryshkov
+ - Victor Tapia
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_51_RTM. NSS 3.51 requires NSPR 4.25 or newer.
+
+ NSS 3.51 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_51_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.51:
+
+`Notable Changes in NSS 3.51 <#notable_changes_in_nss_3.51>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Updated DTLS 1.3 implementation to Draft-34. See `Bug
+ 1608892 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608892>`__ for details.
+
+.. _bugs_fixed_in_nss_3.51:
+
+`Bugs fixed in NSS 3.51 <#bugs_fixed_in_nss_3.51>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1608892 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608892>`__ - Update DTLS 1.3
+ implementation to draft-34.
+ - `Bug 1611209 <https://bugzilla.mozilla.org/show_bug.cgi?id=1611209>`__ - Correct swapped
+ PKCS11 values of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL
+ - `Bug 1612259 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612259>`__ - Complete integration
+ of Wycheproof ECDH test cases
+ - `Bug 1614183 <https://bugzilla.mozilla.org/show_bug.cgi?id=1614183>`__ - Check if PPC
+ \__has_include(<sys/auxv.h>)
+ - `Bug 1614786 <https://bugzilla.mozilla.org/show_bug.cgi?id=1614786>`__ - Fix a compilation
+ error for ‘getFIPSEnv’ "defined but not used"
+ - `Bug 1615208 <https://bugzilla.mozilla.org/show_bug.cgi?id=1615208>`__ - Send DTLS version
+ numbers in DTLS 1.3 supported_versions extension to avoid an incompatibility.
+ - `Bug 1538980 <https://bugzilla.mozilla.org/show_bug.cgi?id=1538980>`__ - SECU_ReadDERFromFile
+ calls strstr on a string that isn't guaranteed to be null-terminated
+ - `Bug 1561337 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561337>`__ - Correct a warning for
+ comparison of integers of different signs: 'int' and 'unsigned long' in
+ security/nss/lib/freebl/ecl/ecp_25519.c:88
+ - `Bug 1609751 <https://bugzilla.mozilla.org/show_bug.cgi?id=1609751>`__ - Add test for mp_int
+ clamping
+ - `Bug 1582169 <https://bugzilla.mozilla.org/show_bug.cgi?id=1582169>`__ - Don't attempt to read
+ the fips_enabled flag on the machine unless NSS was built with FIPS enabled
+ - `Bug 1431940 <https://bugzilla.mozilla.org/show_bug.cgi?id=1431940>`__ - Fix a null pointer
+ dereference in BLAKE2B_Update
+ - `Bug 1617387 <https://bugzilla.mozilla.org/show_bug.cgi?id=1617387>`__ - Fix compiler warning
+ in secsign.c
+ - `Bug 1618400 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618400>`__ - Fix a OpenBSD/arm64
+ compilation error: unused variable 'getauxval'
+ - `Bug 1610687 <https://bugzilla.mozilla.org/show_bug.cgi?id=1610687>`__ - Fix a crash on
+ unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.51:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.51
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.51 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.51 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst
new file mode 100644
index 0000000000..8c2670a328
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_52_1_release_notes:
+
+NSS 3.52.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.52.1 on **19 May 2020**. This is a
+ security patch release.
+
+ Thank you to Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at
+ Tampere University for reporting this issue.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_52_1_RTM. NSS 3.52.1 requires NSPR 4.25 or newer.
+
+ NSS 3.52.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_52_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.52.1:
+
+`New in NSS 3.52.1 <#new_in_nss_3.52.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.52.1:
+
+`Bugs fixed in NSS 3.52.1 <#bugs_fixed_in_nss_3.52.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `CVE-2020-12399 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2020-12399>`__ - Force a
+ fixed length for DSA exponentiation
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.52.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.52.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst
new file mode 100644
index 0000000000..0936a87b4d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst
@@ -0,0 +1,158 @@
+.. _mozilla_projects_nss_nss_3_52_release_notes:
+
+NSS 3.52 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.52 on **1 May 2020**.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - zhujianwei7
+ - Hans Petter Jansson
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_52_RTM. NSS 3.52 requires NSPR 4.25 or newer.
+
+ NSS 3.52 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_52_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.52:
+
+`Notable Changes in NSS 3.52 <#notable_changes_in_nss_3.52>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1603628 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603628>`__ - Update NSS to support
+ PKCS #11 v3.0.
+
+ - Note: This change modifies the CK_GCM_PARAMS struct to include the ulIvBits field which,
+ prior to PKCS #11 v3.0, was ambiguously defined and not included in the NSS definition. If
+ an application is recompiled with NSS 3.52+, this field must be initialized to a value
+ corresponding to ulIvLen. Alternatively, defining NSS_PKCS11_2_0_COMPAT will yield the old
+ definition. See the bug for more information.
+
+ - `Bug 1623374 <https://bugzilla.mozilla.org/show_bug.cgi?id=1623374>`__ - Support new PKCS #11
+ v3.0 Message Interface for AES-GCM and ChaChaPoly.
+ - `Bug 1612493 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612493>`__ - Integrate AVX2
+ ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*.
+
+.. _bugs_fixed_in_nss_3.52:
+
+`Bugs fixed in NSS 3.52 <#bugs_fixed_in_nss_3.52>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1633498 <https://bugzilla.mozilla.org/show_bug.cgi?id=1633498>`__ - Fix unused variable
+ 'getauxval' error on iOS compilation.
+ - `Bug 1630721 <https://bugzilla.mozilla.org/show_bug.cgi?id=1630721>`__ - Add Softoken
+ functions for FIPS.
+ - `Bug 1630458 <https://bugzilla.mozilla.org/show_bug.cgi?id=1630458>`__ - Fix problem of GYP
+ MSVC builds not producing debug symbol files.
+ - `Bug 1629663 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629663>`__ - Add IKEv1 Quick Mode
+ KDF.
+ - `Bug 1629661 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629661>`__ - MPConfig calls in SSL
+ initialize policy before NSS is initialized.
+ - `Bug 1629655 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629655>`__ - Support temporary
+ session objects in ckfw.
+ - `Bug 1629105 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629105>`__ - Add PKCS11 v3.0
+ functions to module debug logger.
+ - `Bug 1626751 <https://bugzilla.mozilla.org/show_bug.cgi?id=1626751>`__ - Fix error in
+ generation of fuzz32 docker image after updates.
+ - `Bug 1625133 <https://bugzilla.mozilla.org/show_bug.cgi?id=1625133>`__ - Fix implicit
+ declaration of function 'getopt' error.
+ - `Bug 1624864 <https://bugzilla.mozilla.org/show_bug.cgi?id=1624864>`__ - Allow building of
+ gcm-arm32-neon on non-armv7 architectures.
+ - `Bug 1624402 <https://bugzilla.mozilla.org/show_bug.cgi?id=1624402>`__ - Fix compilation error
+ in Firefox Android.
+ - `Bug 1624130 <https://bugzilla.mozilla.org/show_bug.cgi?id=1624130>`__ - Require
+ CK_FUNCTION_LIST structs to be packed.
+ - `Bug 1624377 <https://bugzilla.mozilla.org/show_bug.cgi?id=1624377>`__ - Fix clang warning for
+ unknown argument '-msse4'.
+ - `Bug 1623374 <https://bugzilla.mozilla.org/show_bug.cgi?id=1623374>`__ - Support new PKCS #11
+ v3.0 Message Interface for AES-GCM and ChaChaPoly.
+ - `Bug 1623184 <https://bugzilla.mozilla.org/show_bug.cgi?id=1623184>`__ - Fix freebl_cpuid for
+ querying Extended Features.
+ - `Bug 1622555 <https://bugzilla.mozilla.org/show_bug.cgi?id=1622555>`__ - Fix argument parsing
+ in lowhashtest.
+ - `Bug 1620799 <https://bugzilla.mozilla.org/show_bug.cgi?id=1620799>`__ - Introduce
+ NSS_DISABLE_GCM_ARM32_NEON to build on arm32 without NEON support.
+ - `Bug 1619102 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619102>`__ - Add workaround option
+ to include both DTLS and TLS versions in DTLS supported_versions.
+ - `Bug 1619056 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619056>`__ - Update README: TLS
+ 1.3 is not experimental anymore.
+ - `Bug 1618915 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618915>`__ - Fix UBSAN issue in
+ ssl_ParseSessionTicket.
+ - `Bug 1618739 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618739>`__ - Don't assert fuzzer
+ behavior in SSL_ParseSessionTicket.
+ - `Bug 1617968 <https://bugzilla.mozilla.org/show_bug.cgi?id=1617968>`__ - Update Delegated
+ Credentials implementation to draft-07.
+ - `Bug 1617533 <https://bugzilla.mozilla.org/show_bug.cgi?id=1617533>`__ - Update HACL\*
+ dependencies for libintvector.h
+ - `Bug 1613238 <https://bugzilla.mozilla.org/show_bug.cgi?id=1613238>`__ - Add vector
+ accelerated SHA2 for POWER 8+.
+ - `Bug 1612493 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612493>`__ - Integrate AVX2
+ ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*.
+ - `Bug 1612281 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612281>`__ - Maintain PKCS11
+ C_GetAttributeValue semantics on attributes that lack NSS database columns.
+ - `Bug 1612260 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612260>`__ - Add Wycheproof RSA
+ test vectors.
+ - `Bug 1608250 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608250>`__ - broken fipstest
+ handling of KI_len.
+ - `Bug 1608245 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608245>`__ - Consistently handle
+ NULL slot/session.
+ - `Bug 1603801 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603801>`__ - Avoid dcache
+ pollution from sdb_measureAccess().
+ - `Bug 1603628 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603628>`__ - Update NSS to support
+ PKCS #11 v3.0.
+ - `Bug 1561637 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561637>`__ - TLS 1.3 does not work
+ in FIPS mode.
+ - `Bug 1531906 <https://bugzilla.mozilla.org/show_bug.cgi?id=1531906>`__ - Fix overzealous
+ assertion when evicting a cached sessionID or using external cache.
+ - `Bug 1465613 <https://bugzilla.mozilla.org/show_bug.cgi?id=1465613>`__ - Fix issue where
+ testlib makefile build produced extraneous object files.
+ - `Bug 1619959 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619959>`__ - Properly handle
+ multi-block SEED ECB inputs.
+ - `Bug 1630925 <https://bugzilla.mozilla.org/show_bug.cgi?id=1630925>`__ - Guard all instances
+ of NSSCMSSignedData.signerInfo to avoid a CMS crash
+ - `Bug 1571677 <https://bugzilla.mozilla.org/show_bug.cgi?id=1571677>`__ - Name Constraints
+ validation: CN treated as DNS name even when syntactically invalid as DNS name
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.52:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.52
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.52 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.52 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst
new file mode 100644
index 0000000000..1c9c93ca7b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_53_1_release_notes:
+
+NSS 3.53.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.53.1 on **16 June 2020**. This is a
+ security patch release.
+
+ Thank you to Sohaib ul Hassan, Billy Bob Brumley, and the Network and Information Security Group
+ (NISEC) at Tampere University for reporting this issue and providing a patch.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_53_1_RTM. NSS 3.53.1 requires NSPR 4.25 or newer.
+
+ NSS 3.53.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_53_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.53.1:
+
+`New in NSS 3.53.1 <#new_in_nss_3.53.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.53.1:
+
+`Bugs fixed in NSS 3.53.1 <#bugs_fixed_in_nss_3.53.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `CVE-2020-12402 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2020-12402>`__ - Use
+ constant-time GCD and modular inversion in MPI.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.53.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.53.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst
new file mode 100644
index 0000000000..d9605ca312
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst
@@ -0,0 +1,128 @@
+.. _mozilla_projects_nss_nss_3_53_release_notes:
+
+NSS 3.53 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team released Network Security Services (NSS) 3.53 on **29 May 2020**. NSS 3.53 will be a
+ long-term support release, supporting Firefox 78 ESR.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Jan-Marek Glogowski
+ - Jeff Walden
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_53_RTM. NSS 3.53 requires NSPR 4.25 or newer.
+
+ NSS 3.53 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_53_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.53:
+
+`Notable Changes in NSS 3.53 <#notable_changes_in_nss_3.53>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - When using the Makefiles, NSS can be built in parallel, speeding up those builds to more
+ similar performance as the build.sh/ninja/gyp system. (`Bug
+ 290526 <https://bugzilla.mozilla.org/show_bug.cgi?id=290526>`__)
+ - SEED is now moved into a new freebl directory freebl/deprecated (`Bug
+ 1636389 <https://bugzilla.mozilla.org/show_bug.cgi?id=1636389>`__).
+
+ - SEED will be disabled by default in a future release of NSS. At that time, users will need
+ to set the compile-time flag (`Bug
+ 1622033 <https://bugzilla.mozilla.org/show_bug.cgi?id=1622033>`__) to disable that
+ deprecation in order to use the algorithm.
+ - Algorithms marked as deprecated will ultimately be removed.
+
+ - Several root certificates in the Mozilla program now set the CKA_NSS_SERVER_DISTRUST_AFTER
+ attribute, which NSS consumers can query to further refine trust decisions. (`Bug
+ 1618404, <https://bugzilla.mozilla.org/show_bug.cgi?id=1618404>`__ `Bug
+ 1621159 <https://bugzilla.mozilla.org/show_bug.cgi?id=1621159>`__) If a builtin certificate
+ has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a
+ certificate that builtin issued, then clients can elect not to trust it.
+
+ - This attribute provides a more graceful phase-out for certificate authorities than complete
+ removal from the root certificate builtin store.
+
+.. _bugs_fixed_in_nss_3.53:
+
+`Bugs fixed in NSS 3.53 <#bugs_fixed_in_nss_3.53>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1640260 <https://bugzilla.mozilla.org/show_bug.cgi?id=1640260>`__ - Initialize PBE params
+ (ASAN fix)
+ - `Bug 1618404 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618404>`__ - Set
+ CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root certs
+ - `Bug 1621159 <https://bugzilla.mozilla.org/show_bug.cgi?id=1621159>`__ - Set
+ CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC, GRCA, and SK ID root certs
+ - `Bug 1629414 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629414>`__ - PPC64: Correct
+ compilation error between VMX vs. VSX vector instructions
+ - `Bug 1639033 <https://bugzilla.mozilla.org/show_bug.cgi?id=1639033>`__ - Fix various compile
+ warnings in NSS
+ - `Bug 1640041 <https://bugzilla.mozilla.org/show_bug.cgi?id=1640041>`__ - Fix a null pointer in
+ security/nss/lib/ssl/sslencode.c:67
+ - `Bug 1640042 <https://bugzilla.mozilla.org/show_bug.cgi?id=1640042>`__ - Fix a null pointer in
+ security/nss/lib/ssl/sslsock.c:4460
+ - `Bug 1638289 <https://bugzilla.mozilla.org/show_bug.cgi?id=1638289>`__ - Avoid multiple
+ definitions of SHA{256,384,512}_\* symbols when linking libfreeblpriv3.so in Firefox on
+ ppc64le
+ - `Bug 1636389 <https://bugzilla.mozilla.org/show_bug.cgi?id=1636389>`__ - Relocate deprecated
+ SEED algorithm
+ - `Bug 1637083 <https://bugzilla.mozilla.org/show_bug.cgi?id=1637083>`__ - lib/ckfw: No such
+ file or directory. Stop.
+ - `Bug 1561331 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561331>`__ - Additional modular
+ inverse test
+ - `Bug 1629553 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629553>`__ - Rework and cleanup
+ gmake builds
+ - `Bug 1438431 <https://bugzilla.mozilla.org/show_bug.cgi?id=1438431>`__ - Remove mkdepend and
+ "depend" make target
+ - `Bug 290526 <https://bugzilla.mozilla.org/show_bug.cgi?id=290526>`__ - Support parallel
+ building of NSS when using the Makefiles
+ - `Bug 1636206 <https://bugzilla.mozilla.org/show_bug.cgi?id=1636206>`__ - HACL\* update after
+ changes in libintvector.h
+ - `Bug 1636058 <https://bugzilla.mozilla.org/show_bug.cgi?id=1636058>`__ - Fix building NSS on
+ Debian s390x, mips64el, and riscv64
+ - `Bug 1622033 <https://bugzilla.mozilla.org/show_bug.cgi?id=1622033>`__ - Add option to build
+ without SEED
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.53:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.53
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.53 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.53 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst
new file mode 100644
index 0000000000..3013238b22
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst
@@ -0,0 +1,184 @@
+.. _mozilla_projects_nss_nss_3_54_release_notes:
+
+NSS 3.54 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.54 on **26 June 2020**, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_54_RTM. NSS 3.54 requires NSPR 4.26 or newer.
+
+ NSS 3.54 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_54_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.54:
+
+`Notable Changes in NSS 3.54 <#notable_changes_in_nss_3.54>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Support for TLS 1.3 external pre-shared keys (`Bug
+ 1603042 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603042>`__).
+ - Use ARM Cryptography Extension for SHA256, when available. (`Bug
+ 1528113 <https://bugzilla.mozilla.org/show_bug.cgi?id=1528113>`__).
+
+.. _certificate_authority_changes:
+
+`Certificate Authority Changes <#certificate_authority_changes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The following CA certificates were Added:
+
+ - `Bug 1645186 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645186>`__ - certSIGN Root CA
+ G2
+
+ - SHA-256 Fingerprint: 657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305
+
+ - `Bug 1645174 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645174>`__ - e-Szigno Root CA
+ 2017
+
+ - SHA-256 Fingerprint: BEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99
+
+ - `Bug 1641716 <https://bugzilla.mozilla.org/show_bug.cgi?id=1641716>`__ - Microsoft ECC Root
+ Certificate Authority 2017
+
+ - SHA-256 Fingerprint: 358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02
+
+ - `Bug 1641716 <https://bugzilla.mozilla.org/show_bug.cgi?id=1641716>`__ - Microsoft RSA Root
+ Certificate Authority 2017
+
+ - SHA-256 Fingerprint: C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0
+
+ - The following CA certificates were Removed:
+
+ - `Bug 1645199 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645199>`__ - AddTrust Class 1
+ CA Root
+
+ - SHA-256 Fingerprint:
+ 8C7209279AC04E275E16D07FD3B775E80154B5968046E31F52DD25766324E9A7
+
+ - `Bug 1645199 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645199>`__ - AddTrust External
+ CA Root
+
+ - SHA-256 Fingerprint:
+ 687FA451382278FFF0C8B11F8D43D576671C6EB2BCEAB413FB83D965D06D2FF2
+
+ - `Bug 1641718 <https://bugzilla.mozilla.org/show_bug.cgi?id=1641718>`__ - LuxTrust Global
+ Root 2
+
+ - SHA-256 Fingerprint: 54455F7129C20B1447C418F997168F24C58FC5023BF5DA5BE2EB6E1DD8902ED5
+
+ - `Bug 1639987 <https://bugzilla.mozilla.org/show_bug.cgi?id=1639987>`__ - Staat der
+ Nederlanden Root CA - G2
+
+ - SHA-256 Fingerprint: 668C83947DA63B724BECE1743C31A0E6AED0DB8EC5B31BE377BB784F91B6716F
+
+ - `Bug 1618402 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618402>`__ - Symantec Class 2
+ Public Primary Certification Authority - G4
+
+ - SHA-256 Fingerprint: FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592
+
+ - `Bug 1618402 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618402>`__ - Symantec Class 1
+ Public Primary Certification Authority - G4
+
+ - SHA-256 Fingerprint: 363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF
+
+ - `Bug 1618402 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618402>`__ - VeriSign Class 3
+ Public Primary Certification Authority - G3
+
+ - SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244
+
+ - A number of certificates had their Email trust bit disabled. See `Bug
+ 1618402 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618402#c0>`__ for a complete list.
+
+.. _bugs_fixed_in_nss_3.54:
+
+`Bugs fixed in NSS 3.54 <#bugs_fixed_in_nss_3.54>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1528113 <https://bugzilla.mozilla.org/show_bug.cgi?id=1528113>`__ - Use ARM Cryptography
+ Extension for SHA256.
+ - `Bug 1603042 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603042>`__ - Add TLS 1.3 external
+ PSK support.
+ - `Bug 1642802 <https://bugzilla.mozilla.org/show_bug.cgi?id=1642802>`__ - Add uint128 support
+ for HACL\* curve25519 on Windows.
+ - `Bug 1645186 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645186>`__ - Add "certSIGN Root CA
+ G2" root certificate.
+ - `Bug 1645174 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645174>`__ - Add Microsec's
+ "e-Szigno Root CA 2017" root certificate.
+ - `Bug 1641716 <https://bugzilla.mozilla.org/show_bug.cgi?id=1641716>`__ - Add Microsoft's
+ non-EV root certificates.
+ - `Bug 1621151 <https://bugzilla.mozilla.org/show_bug.cgi?id=1621151>`__ - Disable email trust
+ bit for "O=Government Root Certification Authority; C=TW" root.
+ - `Bug 1645199 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645199>`__ - Remove AddTrust root
+ certificates.
+ - `Bug 1641718 <https://bugzilla.mozilla.org/show_bug.cgi?id=1641718>`__ - Remove "LuxTrust
+ Global Root 2" root certificate.
+ - `Bug 1639987 <https://bugzilla.mozilla.org/show_bug.cgi?id=1639987>`__ - Remove "Staat der
+ Nederlanden Root CA - G2" root certificate.
+ - `Bug 1618402 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618402>`__ - Remove Symantec root
+ certificates and disable email trust bit.
+ - `Bug 1640516 <https://bugzilla.mozilla.org/show_bug.cgi?id=1640516>`__ - NSS 3.54 should
+ depend on NSPR 4.26.
+ - `Bug 1642146 <https://bugzilla.mozilla.org/show_bug.cgi?id=1642146>`__ - Fix undefined
+ reference to \`PORT_ZAlloc_stub' in seed.c.
+ - `Bug 1642153 <https://bugzilla.mozilla.org/show_bug.cgi?id=1642153>`__ - Fix infinite
+ recursion building NSS.
+ - `Bug 1642638 <https://bugzilla.mozilla.org/show_bug.cgi?id=1642638>`__ - Fix fuzzing assertion
+ crash.
+ - `Bug 1642871 <https://bugzilla.mozilla.org/show_bug.cgi?id=1642871>`__ - Enable
+ SSL_SendSessionTicket after resumption.
+ - `Bug 1643123 <https://bugzilla.mozilla.org/show_bug.cgi?id=1643123>`__ - Support
+ SSL_ExportEarlyKeyingMaterial with External PSKs.
+ - `Bug 1643557 <https://bugzilla.mozilla.org/show_bug.cgi?id=1643557>`__ - Fix numerous compile
+ warnings in NSS.
+ - `Bug 1644774 <https://bugzilla.mozilla.org/show_bug.cgi?id=1644774>`__ - SSL gtests to use
+ ClearServerCache when resetting self-encrypt keys.
+ - `Bug 1645479 <https://bugzilla.mozilla.org/show_bug.cgi?id=1645479>`__ - Don't use
+ SECITEM_MakeItem in secutil.c.
+ - `Bug 1646520 <https://bugzilla.mozilla.org/show_bug.cgi?id=1646520>`__ - Stricter enforcement
+ of ASN.1 INTEGER encoding.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.54:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.54
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.54 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.54 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst
new file mode 100644
index 0000000000..4da2a6b20a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst
@@ -0,0 +1,135 @@
+.. _mozilla_projects_nss_nss_3_55_release_notes:
+
+NSS 3.55 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.55 on **24 July 2020**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Danh
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_55_RTM. NSS 3.55 requires NSPR 4.27 or newer.
+
+ NSS 3.55 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_55_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.55:
+
+`Notable Changes in NSS 3.55 <#notable_changes_in_nss_3.55>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - P384 and P521 elliptic curve implementations are replaced with verifiable implementations from
+ `Fiat-Crypto <https://github.com/mit-plv/fiat-crypto>`__ and
+ `ECCKiila <https://gitlab.com/nisec/ecckiila/>`__. Special thanks to the Network and
+ Information Security Group (NISEC) at Tampere University.
+ - PK11_FindCertInSlot is added. With this function, a given slot can be queried with a
+ DER-Encoded certificate, providing performance and usability improvements over other
+ mechanisms. See `Bug 1649633 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649633>`__ for
+ more details.
+ - DTLS 1.3 implementation is updated to draft-38. See `Bug
+ 1647752 <https://bugzilla.mozilla.org/show_bug.cgi?id=1647752>`__ for details.
+ - NSPR dependency updated to 4.27.
+
+.. _known_issues:
+
+`Known Issues <#known_issues>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - On some platforms, using the Makefile builds fails to locate seccomon.h; ensure you are using
+ make all rather than just make. Another potential workaround is to use the gyp-based build.sh
+ script. If this affects you, please help us narrow down the cause in `Bug
+ 1653975. <https://bugzilla.mozilla.org/show_bug.cgi?id=1653975>`__
+
+.. _bugs_fixed_in_nss_3.55:
+
+`Bugs fixed in NSS 3.55 <#bugs_fixed_in_nss_3.55>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1631583 <https://bugzilla.mozilla.org/show_bug.cgi?id=1631583>`__ (CVE-2020-6829,
+ CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from
+ `Fiat-Crypto <https://github.com/mit-plv/fiat-crypto>`__ and
+ `ECCKiila <https://gitlab.com/nisec/ecckiila/>`__.
+ - `Bug 1649487 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649487>`__ - Move overzealous
+ assertion in VFY_EndWithSignature.
+ - `Bug 1631573 <https://bugzilla.mozilla.org/show_bug.cgi?id=1631573>`__ (CVE-2020-12401) -
+ Remove unnecessary scalar padding.
+ - `Bug 1636771 <https://bugzilla.mozilla.org/show_bug.cgi?id=1636771>`__ (CVE-2020-12403) -
+ Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly
+ enforce tag length.
+ - `Bug 1649648 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649648>`__ - Don't memcpy zero
+ bytes (sanitizer fix).
+ - `Bug 1649316 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649316>`__ - Don't memcpy zero
+ bytes (sanitizer fix).
+ - `Bug 1649322 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649322>`__ - Don't memcpy zero
+ bytes (sanitizer fix).
+ - `Bug 1653202 <https://bugzilla.mozilla.org/show_bug.cgi?id=1653202>`__ - Fix initialization
+ bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
+ - `Bug 1646594 <https://bugzilla.mozilla.org/show_bug.cgi?id=1646594>`__ - Fix AVX2 detection in
+ makefile builds.
+ - `Bug 1649633 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649633>`__ - Add
+ PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
+ - `Bug 1651520 <https://bugzilla.mozilla.org/show_bug.cgi?id=1651520>`__ - Fix slotLock race in
+ NSC_GetTokenInfo.
+ - `Bug 1647752 <https://bugzilla.mozilla.org/show_bug.cgi?id=1647752>`__ - Update DTLS 1.3
+ implementation to draft-38.
+ - `Bug 1649190 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649190>`__ - Run cipher, sdr, and
+ ocsp tests under standard test cycle in CI.
+ - `Bug 1649226 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649226>`__ - Add Wycheproof ECDSA
+ tests.
+ - `Bug 1637222 <https://bugzilla.mozilla.org/show_bug.cgi?id=1637222>`__ - Consistently enforce
+ IV requirements for DES and 3DES.
+ - `Bug 1067214 <https://bugzilla.mozilla.org/show_bug.cgi?id=1067214>`__ - Enforce minimum
+ PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
+ - `Bug 1643528 <https://bugzilla.mozilla.org/show_bug.cgi?id=1643528>`__ - Fix compilation error
+ with -Werror=strict-prototypes.
+ - `Bug 1646324 <https://bugzilla.mozilla.org/show_bug.cgi?id=1646324>`__ - Advertise PKCS#1
+ schemes for certificates in the signature_algorithms extension.
+ - `Bug 1652331 <https://bugzilla.mozilla.org/show_bug.cgi?id=1652331>`__ - Update NSS 3.55 NSPR
+ version to 4.27.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.55:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.55
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.55 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.55 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst
new file mode 100644
index 0000000000..3f00a41cc8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst
@@ -0,0 +1,98 @@
+.. _mozilla_projects_nss_nss_3_56_release_notes:
+
+NSS 3.56 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.56 on **21 August 2020**, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_56_RTM. NSS 3.56 requires NSPR 4.28 or newer.
+
+ NSS 3.56 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_56_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.56:
+
+`Notable Changes in NSS 3.56 <#notable_changes_in_nss_3.56>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - NSPR dependency updated to 4.28.
+ - The known issue where Makefile builds failed to locate seccomon.h was fixed in `Bug
+ 1653975 <https://bugzilla.mozilla.org/show_bug.cgi?id=1653975>`__.
+
+.. _bugs_fixed_in_nss_3.56:
+
+`Bugs fixed in NSS 3.56 <#bugs_fixed_in_nss_3.56>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1650702 <https://bugzilla.mozilla.org/show_bug.cgi?id=1650702>`__ - Support SHA-1 HW
+ acceleration on ARMv8
+ - `Bug 1656981 <https://bugzilla.mozilla.org/show_bug.cgi?id=1656981>`__ - Use MPI comba and
+ mulq optimizations on x86-64 MacOS.
+ - `Bug 1654142 <https://bugzilla.mozilla.org/show_bug.cgi?id=1654142>`__ - Add CPU feature
+ detection for Intel SHA extension.
+ - `Bug 1648822 <https://bugzilla.mozilla.org/show_bug.cgi?id=1648822>`__ - Add stricter
+ validation of DH keys in FIPS mode.
+ - `Bug 1656986 <https://bugzilla.mozilla.org/show_bug.cgi?id=1656986>`__ - Properly detect arm64
+ during GYP build architecture detection.
+ - `Bug 1652729 <https://bugzilla.mozilla.org/show_bug.cgi?id=1652729>`__ - Add build flag to
+ disable RC2 and relocate to lib/freebl/deprecated.
+ - `Bug 1656429 <https://bugzilla.mozilla.org/show_bug.cgi?id=1656429>`__ - Correct RTT estimate
+ used in 0-RTT anti-replay.
+ - `Bug 1588941 <https://bugzilla.mozilla.org/show_bug.cgi?id=1588941>`__ - Send empty
+ certificate message when scheme selection fails.
+ - `Bug 1652032 <https://bugzilla.mozilla.org/show_bug.cgi?id=1652032>`__ - Fix failure to build
+ in Windows arm64 makefile cross-compilation.
+ - `Bug 1625791 <https://bugzilla.mozilla.org/show_bug.cgi?id=1625791>`__ - Fix deadlock issue in
+ nssSlot_IsTokenPresent.
+ - `Bug 1653975 <https://bugzilla.mozilla.org/show_bug.cgi?id=1653975>`__ - Fix 3.53 regression
+ by setting "all" as the default makefile target.
+ - `Bug 1659792 <https://bugzilla.mozilla.org/show_bug.cgi?id=1659792>`__ - Fix broken libpkix
+ tests with unexpired PayPal cert.
+ - `Bug 1659814 <https://bugzilla.mozilla.org/show_bug.cgi?id=1659814>`__ - Fix interop.sh
+ failures with newer tls-interop commit and dependencies.
+ - `Bug 1656519 <https://bugzilla.mozilla.org/show_bug.cgi?id=1656519>`__ - Update NSPR
+ dependency to 4.28.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.56:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.56
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.56 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.56 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst
new file mode 100644
index 0000000000..685f83cb4a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst
@@ -0,0 +1,151 @@
+.. _mozilla_projects_nss_nss_3_57_release_notes:
+
+NSS 3.57 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.57 on **18 September 2020**, which is
+ a minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Khem Raj
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_57_RTM. NSS 3.57 requires NSPR 4.29 or newer.
+
+ NSS 3.57 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_57_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.57:
+
+`Notable Changes in NSS 3.57 <#notable_changes_in_nss_3.57>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - NSPR dependency updated to 4.29.
+
+.. _certificate_authority_changes:
+
+`Certificate Authority Changes <#certificate_authority_changes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The following CA certificates were Added:
+
+ - `Bug 1663049 <https://bugzilla.mozilla.org/show_bug.cgi?id=1663049>`__ - CN=Trustwave
+ Global Certification Authority
+
+ - SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
+
+ - `Bug 1663049 <https://bugzilla.mozilla.org/show_bug.cgi?id=1663049>`__ - CN=Trustwave
+ Global ECC P256 Certification Authority
+
+ - SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
+
+ - `Bug 1663049 <https://bugzilla.mozilla.org/show_bug.cgi?id=1663049>`__ - CN=Trustwave
+ Global ECC P384 Certification Authority
+
+ - SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
+
+ - The following CA certificates were Removed:
+
+ - `Bug 1651211 <https://bugzilla.mozilla.org/show_bug.cgi?id=1651211>`__ - CN=EE
+ Certification Centre Root CA
+
+ - SHA-256 Fingerprint:
+ 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
+
+ - `Bug 1656077 <https://bugzilla.mozilla.org/show_bug.cgi?id=1656077>`__ - O=Government Root
+ Certification Authority; C=TW
+
+ - SHA-256 Fingerprint:
+ 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
+
+ - Trust settings for the following CA certificates were Modified:
+
+ - `Bug 1653092 <https://bugzilla.mozilla.org/show_bug.cgi?id=1653092>`__ - CN=OISTE WISeKey
+ Global Root GA CA
+
+ - Websites (server authentication) trust bit removed.
+
+.. _bugs_fixed_in_nss_3.57:
+
+`Bugs fixed in NSS 3.57 <#bugs_fixed_in_nss_3.57>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1651211 <https://bugzilla.mozilla.org/show_bug.cgi?id=1651211>`__ - Remove EE
+ Certification Centre Root CA certificate.
+ - `Bug 1653092 <https://bugzilla.mozilla.org/show_bug.cgi?id=1653092>`__ - Turn off Websites
+ Trust Bit for OISTE WISeKey Global Root GA CA.
+ - `Bug 1656077 <https://bugzilla.mozilla.org/show_bug.cgi?id=1656077>`__ - Remove Taiwan
+ Government Root Certification Authority certificate.
+ - `Bug 1663049 <https://bugzilla.mozilla.org/show_bug.cgi?id=1663049>`__ - Add SecureTrust's
+ Trustwave Global root certificates to NSS.
+ - `Bug 1659256 <https://bugzilla.mozilla.org/show_bug.cgi?id=1659256>`__ - AArch64 AES
+ optimization shouldn't be enabled with gcc 4.8.
+ - `Bug 1651834 <https://bugzilla.mozilla.org/show_bug.cgi?id=1651834>`__ - Fix Clang static
+ analyzer warnings.
+ - `Bug 1661378 <https://bugzilla.mozilla.org/show_bug.cgi?id=1661378>`__ - Fix Build failure
+ with Clang 11.
+ - `Bug 1659727 <https://bugzilla.mozilla.org/show_bug.cgi?id=1659727>`__ - Fix mpcpucache.c
+ invalid output constraint on Linux/ARM.
+ - `Bug 1662738 <https://bugzilla.mozilla.org/show_bug.cgi?id=1662738>`__ - Only run
+ freebl_fips_RNG_PowerUpSelfTest when linked with NSPR.
+ - `Bug 1661810 <https://bugzilla.mozilla.org/show_bug.cgi?id=1661810>`__ - Fix Crash @
+ arm_aes_encrypt_ecb_128 when building with Clang 11.
+ - `Bug 1659252 <https://bugzilla.mozilla.org/show_bug.cgi?id=1659252>`__ - Fix Make build with
+ NSS_DISABLE_DBM=1.
+ - `Bug 1660304 <https://bugzilla.mozilla.org/show_bug.cgi?id=1660304>`__ - Add POST tests for
+ KDFs as required by FIPS.
+ - `Bug 1663346 <https://bugzilla.mozilla.org/show_bug.cgi?id=1663346>`__ - Use 64-bit
+ compilation on e2k architecture.
+ - `Bug 1605922 <https://bugzilla.mozilla.org/show_bug.cgi?id=1605922>`__ - Account for negative
+ sign in mp_radix_size.
+ - `Bug 1653641 <https://bugzilla.mozilla.org/show_bug.cgi?id=1653641>`__ - Cleanup inaccurate
+ DTLS comments, code review fixes.
+ - `Bug 1660372 <https://bugzilla.mozilla.org/show_bug.cgi?id=1660372>`__ - NSS 3.57 should
+ depend on NSPR 4.29
+ - `Bug 1660734 <https://bugzilla.mozilla.org/show_bug.cgi?id=1660734>`__ - Fix Makefile typos.
+ - `Bug 1660735 <https://bugzilla.mozilla.org/show_bug.cgi?id=1660735>`__ - Fix Makefile typos.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.57:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.57
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.57 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.57 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst
new file mode 100644
index 0000000000..0dda20b4af
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_nss_3_58_release_notes:
+
+NSS 3.58 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.58 on **16 October 2020**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Ricky Stewart
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_58_RTM. NSS 3.58 requires NSPR 4.29 or newer.
+
+ NSS 3.58 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_58_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.58:
+
+`Bugs fixed in NSS 3.58 <#bugs_fixed_in_nss_3.58>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1641480 <https://bugzilla.mozilla.org/show_bug.cgi?id=1641480>`__ (CVE-2020-25648) -
+ Tighten CCS handling for middlebox compatibility mode.
+ - `Bug 1631890 <https://bugzilla.mozilla.org/show_bug.cgi?id=1631890>`__ - Add support for
+ Hybrid Public Key Encryption
+ (`draft-irtf-cfrg-hpke <https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/>`__) support.
+ - `Bug 1657255 <https://bugzilla.mozilla.org/show_bug.cgi?id=1657255>`__ - Add CI tests that
+ disable SHA1/SHA2 ARM crypto extensions.
+ - `Bug 1668328 <https://bugzilla.mozilla.org/show_bug.cgi?id=1668328>`__ - Handle spaces in the
+ Python path name when using gyp on Windows.
+ - `Bug 1667153 <https://bugzilla.mozilla.org/show_bug.cgi?id=1667153>`__ - Add
+ PK11_ImportDataKey for data object import.
+ - `Bug 1665715 <https://bugzilla.mozilla.org/show_bug.cgi?id=1665715>`__ - Pass the embedded SCT
+ list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.58:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.58
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.58 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.58 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst
new file mode 100644
index 0000000000..7434379560
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst
@@ -0,0 +1,57 @@
+.. _mozilla_projects_nss_nss_3_59_1_release_notes:
+
+NSS 3.59.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.59.1 on **18 December 2020**, which
+ is a patch release for NSS 3.59.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_59_1_RTM. NSS 3.59.1 requires NSPR 4.29 or newer.
+
+ NSS 3.59.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_59_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.59.1:
+
+`Bugs fixed in NSS 3.59.1 <#bugs_fixed_in_nss_3.59.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1679290 <https://bugzilla.mozilla.org/show_bug.cgi?id=1679290>`__ - Fix potential
+ deadlock with certain third-party PKCS11 modules.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.59.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.59.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst
new file mode 100644
index 0000000000..96490dda30
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst
@@ -0,0 +1,108 @@
+.. _mozilla_projects_nss_nss_3_59_release_notes:
+
+NSS 3.59 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.59 on **13 November 2020**, which is
+ a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_59_RTM. NSS 3.59 requires NSPR 4.29 or newer.
+
+ NSS 3.59 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_59_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.59:
+
+`Notable Changes in NSS 3.59 <#notable_changes_in_nss_3.59>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Exported two existing functions from libnss, CERT_AddCertToListHeadWithData and
+ CERT_AddCertToListTailWithData
+
+.. _build_requirements:
+
+`Build Requirements <#build_requirements>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - NSS will soon require GCC 4.8 or newer. Gyp-based builds will stop supporting older GCC
+ versions in the next release, NSS 3.60 planned for December, followed later by the make-based
+ builds. Users of older GCC versions can continue to use the make-based build system while they
+ upgrade to newer versions of GCC.
+
+.. _bugs_fixed_in_nss_3.59:
+
+`Bugs fixed in NSS 3.59 <#bugs_fixed_in_nss_3.59>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1607449 <https://bugzilla.mozilla.org/show_bug.cgi?id=1607449>`__ - Lock
+ cert->nssCertificate to prevent a potential data race
+ - `Bug 1672823 <https://bugzilla.mozilla.org/show_bug.cgi?id=1672823>`__ - Add Wycheproof test
+ cases for HMAC, HKDF, and DSA
+ - `Bug 1663661 <https://bugzilla.mozilla.org/show_bug.cgi?id=1663661>`__ - Guard against NULL
+ token in nssSlot_IsTokenPresent
+ - `Bug 1670835 <https://bugzilla.mozilla.org/show_bug.cgi?id=1670835>`__ - Support enabling and
+ disabling signatures via Crypto Policy
+ - `Bug 1672291 <https://bugzilla.mozilla.org/show_bug.cgi?id=1672291>`__ - Resolve libpkix OCSP
+ failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
+ - `Bug 1644209 <https://bugzilla.mozilla.org/show_bug.cgi?id=1644209>`__ - Fix broken
+ SelectedCipherSuiteReplacer filter to solve some test intermittents
+ - `Bug 1672703 <https://bugzilla.mozilla.org/show_bug.cgi?id=1672703>`__ - Tolerate the first
+ CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord
+ - `Bug 1666891 <https://bugzilla.mozilla.org/show_bug.cgi?id=1666891>`__ - Support key
+ wrap/unwrap with RSA-OAEP
+ - `Bug 1667989 <https://bugzilla.mozilla.org/show_bug.cgi?id=1667989>`__ - Fix gyp linking on
+ Solaris
+ - `Bug 1668123 <https://bugzilla.mozilla.org/show_bug.cgi?id=1668123>`__ - Export
+ CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss
+ - `Bug 1634584 <https://bugzilla.mozilla.org/show_bug.cgi?id=1634584>`__ - Set
+ CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
+ - `Bug 1663091 <https://bugzilla.mozilla.org/show_bug.cgi?id=1663091>`__ - Remove unnecessary
+ assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys
+ when using NSS debug builds
+ - `Bug 1670839 <https://bugzilla.mozilla.org/show_bug.cgi?id=1670839>`__ - Use ARM crypto
+ extension for AES, SHA1 and SHA2 on MacOS.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.59:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.59
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.59 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.59 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst
new file mode 100644
index 0000000000..a524dba2df
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst
@@ -0,0 +1,58 @@
+.. _mozilla_projects_nss_nss_3_60_1_release_notes:
+
+NSS 3.60.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team released Network Security Services (NSS) 3.60.1 on **4 January 2021**, which is a
+ patch release for NSS 3.60.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_60_1_RTM. NSS 3.60.1 requires NSPR 4.29 or newer.
+
+ NSS 3.60.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_60_1_RTM/src/
+
+ Other releases are available at :ref:`mozilla_projects_nss_nss_releases#past_releases`.
+
+.. _bugs_fixed_in_nss_3.60.1:
+
+`Bugs fixed in NSS 3.60.1 <#bugs_fixed_in_nss_3.60.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1682863 <https://bugzilla.mozilla.org/show_bug.cgi?id=1682863>`__ - Fix remaining hang
+ issues with slow third-party PKCS #11 tokens.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.60.1 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.60.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report at
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ under the NSS
+ product. \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst
new file mode 100644
index 0000000000..579124030a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst
@@ -0,0 +1,144 @@
+.. _mozilla_projects_nss_nss_3_60_release_notes:
+
+NSS 3.60 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.60 on **11 December 2020**, which is
+ a minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - yogesh
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_60_RTM. NSS 3.60 requires NSPR 4.29 or newer.
+
+ NSS 3.60 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_60_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.60:
+
+`Notable Changes in NSS 3.60 <#notable_changes_in_nss_3.60>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the
+ ESNI (draft-ietf-tls-esni-01). See `bug
+ 1654332 <https://bugzilla.mozilla.org/show_bug.cgi?id=1654332>`__ for more information.
+
+.. _certificate_authority_changes:
+
+`Certificate Authority Changes <#certificate_authority_changes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The following CA certificates were added:
+
+ - `Bug 1678166 <https://bugzilla.mozilla.org/show_bug.cgi?id=1678166>`__ - NAVER Global Root
+ Certification Authority
+
+ - SHA-256 Fingerprint: 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265
+
+ - The following CA certificates were removed in `bug
+ 1670769 <https://bugzilla.mozilla.org/show_bug.cgi?id=1670769>`__:
+
+ - GeoTrust Global CA
+
+ - SHA-256 Fingerprint:
+ FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A
+
+ - GeoTrust Primary Certification Authority
+
+ - SHA-256 Fingerprint: 37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C
+
+ - GeoTrust Primary Certification Authority - G3
+
+ - SHA-256 Fingerprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4
+
+ - thawte Primary Root CA
+
+ - SHA-256 Fingerprint: 8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F
+
+ - thawte Primary Root CA - G3
+
+ - SHA-256 Fingerprint: 4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C
+
+ - VeriSign Class 3 Public Primary Certification Authority - G4
+
+ - SHA-256 Fingerprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79
+
+ - VeriSign Class 3 Public Primary Certification Authority - G5
+
+ - SHA-256 Fingerprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF
+
+ - thawte Primary Root CA - G2
+
+ - SHA-256 Fingerprint: A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557
+
+ - GeoTrust Universal CA
+
+ - SHA-256 Fingerprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912
+
+ - GeoTrust Universal CA 2
+
+ - SHA-256 Fingerprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B
+
+.. _bugs_fixed_in_nss_3.60:
+
+`Bugs fixed in NSS 3.60 <#bugs_fixed_in_nss_3.60>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1654332 - Implement Encrypted Client Hello (draft-ietf-tls-esni-08) in NSS.
+ - Bug 1678189 - Update CA list version to 2.46.
+ - Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS.
+ - Bug 1678166 - Add NAVER Global Root Certification Authority root cert to NSS.
+ - Bug 1678384 - Add a build flag to allow building nssckbi-testlib in m-c.
+ - Bug 1570539 - Remove -X alt-server-hello option from tstclnt.
+ - Bug 1675523 - Fix incorrect pkcs11t.h value CKR_PUBLIC_KEY_INVALID.
+ - Bug 1642174 - Fix PowerPC ABI version 1 build failure.
+ - Bug 1674819 - Fix undefined shift in fuzzer mode.
+ - Bug 1678990 - Fix ARM crypto extensions detection on macOS.
+ - Bug 1679290 - Fix lock order inversion and potential deadlock with libnsspem.
+ - Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.60:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.60
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.60 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.60 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst
new file mode 100644
index 0000000000..1fa1e7c44a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst
@@ -0,0 +1,65 @@
+.. _mozilla_projects_nss_nss_3_61_release_notes:
+
+NSS 3.61 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team released Network Security Services (NSS) 3.61 on **22 January 2021**, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_61_RTM. NSS 3.61 requires NSPR 4.29 or newer.
+
+ NSS 3.61 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_61_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.61:
+
+`Bugs fixed in NSS 3.61 <#bugs_fixed_in_nss_3.61>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain
+ conditions.
+ - Bug 1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM.
+ - Bug 1651411 - Improve constant-timeness in RSA operations.
+ - Bug 1677207 - Upgrade Google Test version to latest release.
+ - Bug 1654332 - Add aarch64-make target to nss-try.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.61:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.61
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.61 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.61 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS). \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst
new file mode 100644
index 0000000000..c5296c1de0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_62_release_notes:
+
+NSS 3.62 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team released Network Security Services (NSS) 3.62 on **19 February 2021**, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_62_RTM. NSS 3.62 requires NSPR 4.29 or newer.
+
+ NSS 3.62 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_62_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.62:
+
+`Bugs fixed in NSS 3.62 <#bugs_fixed_in_nss_3.62>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1688374 - Fix parallel build NSS-3.61 with make.
+ - Bug 1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable".
+ - Bug 1690583 - Fix CH padding extension size calculation.
+ - Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail.
+ - Bug 1690421 - Install packaged libabigail in docker-builds image.
+ - Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing.
+ - Bug 1674819 - Fixup a51fae403328, enum type may be signed.
+ - Bug 1681585 - Add ECH support to selfserv.
+ - Bug 1681585 - Update ECH to Draft-09.
+ - Bug 1678398 - Add Export/Import functions for HPKE context.
+ - Bug 1678398 - Update HPKE to draft-07.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.62:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.62
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.62 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.62 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+ Due to changes to MDN, we have been notified that the NSS documentation will have to move off of
+ MDN. It is not fully clear yet, but the proposed solution is to move the documentation in-tree
+ (nss/docs), to the md/sphinx format, and have it either rendered as a sub-section of the Firefox
+ source docs or as a standalone website. More information will follow in the NSS 3.63 notes.
+
+ Regarding the Release day, in order to organize release process better and avoid issues, we will
+ likely move the release day to Thursdays. Please take a look at the release calendar for the
+ exact dates. \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst
new file mode 100644
index 0000000000..a7a32b7e03
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst
@@ -0,0 +1,66 @@
+.. _mozilla_projects_nss_nss_3_63_1_release_notes:
+
+NSS 3.63.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.63.1 was released on **6 April 2021**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_63_1_RTM. NSS 3.63.1 requires NSPR 4.30 or newer.
+
+ NSS 3.63.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_63_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.63.1:
+
+`Bugs fixed in NSS 3.63.1 <#bugs_fixed_in_nss_3.63.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - REVERTING Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and
+ 'Global Chambersign Root - 2008’.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.63.1 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.63.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+ This version of NSS contains a minor update to the root CAs due to a delay in deprecation.
+
+ This revert is temporary in order to prevent breaking websites with Firefox 88 and the change has
+ been reinstated in NSS 3.64 for Firefox 89. \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst
new file mode 100644
index 0000000000..e1f157409d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst
@@ -0,0 +1,90 @@
+.. _mozilla_projects_nss_nss_3_63_release_notes:
+
+NSS 3.63 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.63 was released on **18 March 2021**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_63_RTM. NSS 3.63 requires NSPR 4.30 or newer.
+
+ NSS 3.63 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_63_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.63:
+
+`Bugs fixed in NSS 3.63 <#bugs_fixed_in_nss_3.63>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1688374 - Fix parallel build NSS-3.61 with make.
+ - Bug 1697380 - Make a clang-format run on top of helpful contributions.
+ - Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build
+ isses with GCC 4.8.
+ - Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication.
+ - Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build
+ isses with GCC 4.8.
+ - Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication.
+ - Bug 1696800 - HACL\* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
+ - Bug 1694214 - tstclnt can't enable middlebox compat mode.
+ - Bug 1694392 - NSS does not work with PKCS #11 modules not supporting profiles.
+ - Bug 1685880 - Minor fix to prevent unused variable on early return.
+ - Bug 1685880 - Fix for the gcc compiler version 7 to support setenv with nss build.
+ - Bug 1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA
+ list version 2.48.
+ - Bug 1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and
+ 'Global Chambersign' roots.
+ - Bug 1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
+ - Bug 1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
+ - Bug 1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
+ - Bug 1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS.
+ - Bug 1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root
+ cert in NSS.
+ - Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global
+ Chambersign Root - 2008’.
+ - Bug 1694291 - Tracing fixes for ECH.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.63 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.63 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+ This version of NSS contains a significant update to the root CAs.
+
+ Discussions about moving the documentation are still ongoing. (See discussion in the 3.62 release
+ notes.) \ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst
new file mode 100644
index 0000000000..a3c605e4cc
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_64_release_notes:
+
+NSS 3.64 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.64 was released on **15 April 2021**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_64_RTM. NSS 3.64 requires NSPR 4.30 or newer.
+
+ NSS 3.64 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_64_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.64:
+
+`Bugs fixed in NSS 3.64 <#bugs_fixed_in_nss_3.64>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1705286 - Properly detect mips64.
+ - Bug 1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
+ - Bug 1698320 - replace \__builtin_cpu_supports("vsx") with ppc_crypto_support() for clang.
+ - Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.64 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.64 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+ This version of NSS contains a number of contributions for "unsupported platforms". We would like
+ to thank the authors and the reviewers for their contributions to NSS.
+
+ Discussions about moving the documentation are still ongoing. (See discussion in the 3.62 release
+ notes.) \ No newline at end of file