The Mozilla 42 should get the CA certificates update to version 2.5. The NSS 3.19.3 release will include this CA update.

I've checked in NSS_3_19_3_RC0. If everything looks good, I'll tag and land a 3.19.3 RTM around Thursday.

RE: Depends on: 1164609 Thanks for paying attention to this! I also appreciate your comment here: https://bugzilla.mozilla.org/show_bug.cgi?id=1164609#c2 "Due to the commented out assert, this is just a soft-blocker to Bug 1190794, but it doesn't hurt to add the relation I guess." I did check with Keeler about this, and he had also checked the code to confirm that the root may be removed before the EV treatment is turned off. So, Bug #1164609 will be done later as a batch of EV changes that is forthcoming.

I haven't seen any problem reports, so I've tagged the RTM version with NSS_3_19_3_RTM and have pushed it to mozilla-inbound (only change is the final tag information). https://hg.mozilla.org/integration/mozilla-inbound/rev/f7e37a2d7a7e