1463539 - Upgrade Firefox 61 to use NSS 3.37.1

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Description

[J.C. Jones [:jcj] (he/they)]

We have two regression bugs in NSS that should get fixed for Firefox 61 Beta. These are included in NSS 3.37.1, which is tagged as NSS_3_37_1_RTM (but not yet released) [1].

To update, execute the following commands:

sed -i 's/3.37,/3.37.1,/' old-configure.in
python client.py update_nss NSS_3_37_1_RTM

[1] https://hg.mozilla.org/projects/nss/rev/aca2bdbd8823

Comment 1

[J.C. Jones [:jcj] (he/they)]

Attachment: NSS_3_37_1_RTM.patch

Approval Request Comment
[Feature/Bug causing the regression]:
NSS 3.37.1 fixes a TLS 1.3 connection issue that is being seen in the wild in Firefox 60+ (Bug 1462303). Also fixes a PKCS12 bug that affects some enterprise users (Bug 1460673).

[User impact if declined]:
Continued increased TLS 1.3 connection errors. Also continued issues with the PKCS12 bug, but that mostly affects ESR users (and uplifted earlier).

[Is this code covered by automated tests?]:
Yes, both changes added tests.

[Has the fix been verified in Nightly?]:
Yes, for 24 hours. 

[Needs manual test from QE? If yes, steps to reproduce]: 
No.

[List of other uplifts needed for the feature/fix]:
None.

[Is the change risky?]:
[Why is the change risky/not risky?]:
Both changes are very small and self-contained. 

[String changes made/needed]:
n/a, NSS uplift

Comment 2

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 8980100 [details] [diff] [review]
NSS_3_37_1_RTM.patch

Fix for a TLS 1.3 issue and a crash. Approved for 61.0b8.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/4fa86932be2d