1463537 - Upgrade Firefox 60 ESR to use NSS 3.36.2

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Description

[J.C. Jones [:jcj] (he/him)]

We have two regression bugs in NSS that should get fixed for Firefox 60 ESR. These are included in NSS 3.36.2, which is tagged as NSS_3_36_2_RTM (but not yet released) [1].

To update, execute the following commands:

sed -i 's/3.36.1,/3.36.2,/' old-configure.in
python client.py update_nss NSS_3_36_2_RTM

[1] https://hg.mozilla.org/projects/nss/rev/6ccabc4b688f

Comment 1

[J.C. Jones [:jcj] (he/him)]

Attachment: NSS_3_36_2_RTM.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: 
NSS 3.36.2 fixes a TLS 1.3 connection issue that is being seen in the wild in Firefox 60+ (Bug 1462303). Also fixes a PKCS12 bug that affects some enterprise users (Bug 1460673).

User impact if declined:
Continued TLS 1.3 connection issues.

Fix Landed on Version: 
NSS 3.36.2, NSS 3.37.1, NSS 3.38

Risk to taking this patch (and alternatives if risky):
Low; there are only two small patches included in 3.36.2 versus the current 3.36.1.

String or UUID changes made by this patch:
n/a

Try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=6b27a281b03928a95b18a9f554bba1d52c133aae

Comment 2

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 8980069 [details] [diff] [review]
NSS_3_36_2_RTM.patch

Approved for ESR 60.1.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr60/rev/610e5c03c09c