Update Info

SUSE-PackageHub-16.0-648


Recommended update for mozilla-nss


Type: recommended
Severity: moderate
Issued: 2026-04-28
Description:
This update for mozilla-nss fixes the following issues:

Changes in mozilla-nss:

Update to NSS 3.112.5:

  * reject DTLS 1.3 Server Hello after HVR without capping ss->vrange.max.
  * update to version 2.84 of builtins module.

- Added "Suggests: p11-kit-nss-trust" to favor it over mozilla-nss-certs (Jira: PED-15633)

Update to NSS 3.112.4:

  * improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
  * Improving the allocation of S/MIME DecryptSymKey.
  * store email on subject cache_entry in NSS trust domain.
  * Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
  * Improve size calculations in CMS content buffering.
  * avoid integer overflow while escaping RFC822 Names.
  * Reject excessively large ASN.1 SEQUENCE OF in quickder.
  * Deep copy profile data in CERT_FindSMimeProfile.
  * Improve input validation in DSAU signature decoding.
  * avoid integer overflow in RSA_EMSAEncodePSS.
  * RSA_EMSAEncodePSS should validate the length of mHash.
  * Add a maximum cert uncompressed len and tests.
  * Clarify extension negotiation mechanism for TLS Handshakes.
  * ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
  * Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
  * Remove invalid PORT_Free().
  * free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
  * make ss->ssl3.hs.cookie an owned-copy of the cookie.

Update to NSS 3.112.3:

  * avoid integer overflow in platform-independent ghash

- Move NSS DB password hash away from SHA-1

Update to NSS 3.112.2:

  * Prevent leaks during pkcs12 decoding.
  * SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates

Update to NSS 3.112.1:

  * restore support for finding certificates by decoded serial number.


              

Packages


  • mozilla-nss-3.112.5-160000.1.1