Closed Bug 1339789 Opened 6 years ago Closed 6 years ago

Upgrade Firefox 52 (regular and ESR) to NSS 3.28.3 to fix binary compatibility issues


(Core :: Security: PSM, defect, P1)

52 Branch



Tracking Status
firefox51 --- wontfix
firefox52 + fixed
firefox-esr52 --- fixed
firefox53 --- unaffected
firefox54 --- unaffected


(Reporter: KaiE, Assigned: KaiE)



(Whiteboard: [psm-assigned])


(2 files)

The NSS version used by Firefox 51 and Firefox 52 contains an accidental change of an API data structure, which breaks binary compatibility with previous NSS versions.

Although this isn't an issue when NSS is built as part of Firefox, I would like to ask to get this fixed prior to the releases of Firefox 52.

The new Firefox ESR version will likely be a major driver to cause NSS consumers to upgrade, such as in enterprise deployments. We should avoid that they upgrade to the ABI-incompatible change. We can do so, by upgrading Firefox 52 to NSS 3.28.3, which contains the fix, and restores the old compatibility.

Also, there was a problem with the recent upgrade of Firefox to NSS 3.28.2.

The version number reported by NSS 3.28.2 is the incorrect 3.28.1, which may cause Linux distributions to accidentally consume the 3.28.1, and which would prevent them from picking up the important fixes from NSS 3.28.2.

If you agree to this fix, a single code patch will be added on top of what Firefox 52 is using today, see bug 1334108 attachment 8837341.

(For Firefox 53, because it uses NSS 3.29, I'll file a separate bug, which will request to upgrade to NSS 3.29.1)
See Also: → 1339790
We don't need to respin ff51.

Setting ff53 to unaffected, because it's handled in bug 1339790

ff54 will be fixed with the next nightly merge on m-c
I don't think this can cause any issues, but I've started a try build of the esr52 branch with the suggested change (I assume testing esr52 is sufficient to cover mozilla-beta 52, too):
Yeah, they're completely identical at this point. Thanks, Kai!
Tracking for 52 release.
Depends on: 1334108
We found an additional issue with NSS 3.28, bug 1340103.
We're trying to get this resolved ASAP.
Depends on: 1340103
Assignee: nobody → kaie
Priority: -- → P1
Whiteboard: [psm-assigned]
We identified another ABI breakage, and it has been fixed, too.

The 3.28.3 release has been created, so we're ready to proceed.

I've started another try build:

For comparison purposes, here's a try build on the same branch, but without any patches (so we know which try test failures are expected):
The try builds look good to me.

I think it's safe to pick up these two correctness fixes, which have been released as 3.28.3
Attached file update-to-3.28.3.txt
Approval Request Comment
[Feature/Bug causing the regression]:
nss 3.28 release, bug 957105

[User impact if declined]:
shipping ABI incompatible NSS into enterprise deployments

[Is this code covered by automated tests?]:

[Has the fix been verified in Nightly?]:
only in nightly NSS tests, not yet in nightly ff

[Needs manual test from QE? If yes, steps to reproduce]: 

[List of other uplifts needed for the feature/fix]:
nothing else

[Is the change risky?]:

[Why is the change risky/not risky?]:
Passes all tests of both NSS and Firefox.

[String changes made/needed]:
Attachment #8839152 - Flags: approval-mozilla-beta?
Comment on attachment 8839152

nss update to undo ABI breakage, let's get this in today for 52.0b8
Attachment #8839152 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Summary: Upgrade Firefox 52 (regular and ESR) to NSS 3.28.3 to fix a binary compatibility issue → Upgrade Firefox 52 (regular and ESR) to NSS 3.28.3 to fix binary compatibility issues

Should be auto-synced to esr52
Closed: 6 years ago
Resolution: --- → FIXED
Will be synced to esr52, but isn't yet, so leaving as affected for now. :)
Setting qe-verify- based on Kai's assessment on manual testing needs (Comment 9) and the fact that this fix has automated coverage.
Flags: qe-verify-
Target Milestone: --- → mozilla54