Closed
Bug 1084005
Opened 10 years ago
Closed 10 years ago
Upgrade Firefox ESR 31.x to NSS 3.16.2.3
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
FIXED
mozilla34
| Tracking | Status | |
|---|---|---|
| firefox34 | --- | unaffected |
| firefox35 | --- | unaffected |
| firefox36 | --- | unaffected |
| firefox-esr31 | 34+ | fixed |
| b2g-v1.4 | --- | fixed |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.2 | --- | unaffected |
People
(Reporter: KaiE, Assigned: KaiE)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
19.29 KB,
patch
|
wtc
:
review+
bkerensa
:
approval-mozilla-esr31+
bajaj
:
approval-mozilla-b2g30+
|
Details | Diff | Splinter Review |
I suggest to upgrade the Firefox 31 Enterprise Support branch (ESR) to a newer NSS version, which implements support for the TLS_FALLBACK_SCSV. While Firefox 31.3 will probably disable SSL 3 by default (currently being discussed), there might be users that are required to re-enable SSL 3, because they have to work with legacy devices in their environment. Using a version of NSS that supports TLS_FALLBACK_SCSV and the patch from bug 1036737 might benefit those users.
|
Assignee | |
Comment 1•10 years ago
|
||
At this time, Firefox 31 ESR uses NSS 3.16.2.2 TLS_FALLBACK_SCSV was added in NSS 3.17.2, in bug 1036735 I suggest to backport the patch to the NSS 3.16.2.x branch, and use a new release from that branch for Firefox 31 ESR.
|
||
Comment 2•10 years ago
|
||
:kaie can this be marked as a duplicate of bug 1036735? I don't want to have the discussion in two places.
|
|
Assignee | |
Comment 3•10 years ago
|
||
Martin, this is a Firefox/PSM bug. We usually have a separate tracking bug (to carry approvals) for Firefox releases. Bug 1036735 is a NSS bug. IMHO, all discussions related to NSS and backporting to NSS branches should happen in bug 1036735. This bug is intended to discuss whether or not to upgrade Firefox 31.
|
|
||
Comment 4•10 years ago
|
||
My mistake. I always confuse the bugs on this. bug 1036737 is what I intended to ask about. That's where I landed the Firefox/PSM changes.
|
|
Assignee | |
Comment 5•10 years ago
|
||
Ok, maybe you're right, and using bug 1036737 is fine.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
|
|
Assignee | |
Comment 6•10 years ago
|
||
I'm reopening this as its own bug, because NSS 3.16.2.3 includes an additional bugfix. This bug is for tracking a potential upgrade of NSS on the Firefox 31 ESR branch. Landing the patch from bug 1036737, which enables the feature, is a separate decision. [Tracking Requested - why for this release]: Firefox ESR could benefit from the TLS_FALLBACK_SCSV feature after POODLE and from a 100% cpu fix which are available in NSS 3.16.2.3 This is a minimal NSS update, with these fixes backported.
Status: RESOLVED → REOPENED
tracking-firefox-esr31:
--- → ?
Resolution: DUPLICATE → ---
Summary: Upgrade Firefox ESR 31.x to a version of NSS that supports TLS_FALLBACK_SCSV → Upgrade Firefox ESR 31.x to NSS 3.16.2.3
|
|
Assignee | |
Comment 7•10 years ago
|
||
This patch illustrates the amount of changes between the currently used NSS 3.16.2.2 and the suggested upgrade to 3.16.2.3 Using this patch for requesting approval.
Assignee: nobody → kaie
Attachment #8511380 -
Flags: approval-mozilla-esr31?
|
|
Assignee | |
Comment 8•10 years ago
|
||
esr-31 try build, using the patch from this bug, plus the patch from bug 1036737: https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=f69e43df260f
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8511380 -
Attachment description: Illustrative patch → Illustrative patch
(for landing use: python client.py update_nss NSS_3_16_2_3_RTM)
|
||
Comment 9•10 years ago
|
||
Comment on attachment 8511380 [details] [diff] [review] Illustrative patch (for landing use: python client.py update_nss NSS_3_16_2_3_RTM) Review of attachment 8511380 [details] [diff] [review]: ----------------------------------------------------------------- r=wtc.
Attachment #8511380 -
Flags: review+
|
||
Comment 10•10 years ago
|
||
Paul, should we consider this for B2G v1.4/v2.0 as well?
Flags: needinfo?(ptheriault)
|
||
Comment 11•10 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #10) > Paul, should we consider this for B2G v1.4/v2.0 as well? Yes that sounds like a good idea to me (and 2.0m).
Flags: needinfo?(ptheriault)
|
|
||
Comment 12•10 years ago
|
||
Comment on attachment 8511380 [details] [diff] [review] Illustrative patch (for landing use: python client.py update_nss NSS_3_16_2_3_RTM) See comment 6 and comment 11.
Attachment #8511380 -
Flags: approval-mozilla-b2g32?
Attachment #8511380 -
Flags: approval-mozilla-b2g30?
|
||
Updated•10 years ago
|
Attachment #8511380 -
Flags: approval-mozilla-esr31? → approval-mozilla-esr31+
|
|
||
Updated•10 years ago
|
status-firefox-esr31:
--- → affected
|
|
Assignee | |
Comment 13•10 years ago
|
||
Thanks https://hg.mozilla.org/releases/mozilla-esr31/rev/2aad0b4e9a8d
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
|
|
||
Comment 14•10 years ago
|
||
Bump the minimum version in configure.in as well: https://hg.mozilla.org/releases/mozilla-esr31/rev/e70de1bbcf5f
status-b2g-v1.4:
--- → affected
status-b2g-v2.0:
--- → affected
status-b2g-v2.0M:
--- → affected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-firefox34:
--- → unaffected
status-firefox35:
--- → unaffected
status-firefox36:
--- → unaffected
|
||
Updated•10 years ago
|
Attachment #8511380 -
Flags: approval-mozilla-b2g32?
Attachment #8511380 -
Flags: approval-mozilla-b2g32+
Attachment #8511380 -
Flags: approval-mozilla-b2g30?
Attachment #8511380 -
Flags: approval-mozilla-b2g30+
|
|
||
Comment 15•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/6fa3af960fff B2G v2.0 (b2g32) is actually on NSS 3.16.5 at the moment. Kai, what should we do for that release?
Flags: needinfo?(kaie)
|
|
Assignee | |
Comment 16•10 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #15) > https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/6fa3af960fff > > B2G v2.0 (b2g32) is actually on NSS 3.16.5 at the moment. Kai, what should > we do for that release? It would be best if you could go to 3.17.2 The 3.16.2.x branch is primarily intended for those branches that still require the old set of root CA certs (which we don't want to change on FF 31 ESR). If you use 3.16.5, you already have the new root CA changes.
|
|
Assignee | |
Updated•10 years ago
|
Flags: needinfo?(kaie)
|
|
||
Comment 17•10 years ago
|
||
Thanks, I'll move it over to bug 1049435 then.
|
|
||
Updated•10 years ago
|
Attachment #8511380 -
Flags: approval-mozilla-b2g32+
|
|
||
Comment 18•10 years ago
|
||
I accidentally just pushed an empty to commit to Aurora under this bug number. It's completely safe to ignore. Sorry for any confusion it causes. https://hg.mozilla.org/releases/mozilla-aurora/rev/ee017c79f5a8
|
||
Updated•4 months ago
|
Blocks: nss-uplift
You need to log in
before you can comment on or make changes to this bug.
Description
•