Closed Bug 1511495 Opened 6 years ago Closed 6 years ago

Upgrade Firefox 60 ESR to use NSS 3.36.6

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr60 64+ fixed

People

(Reporter: jcj, Assigned: jcj)

References

(Blocks 1 open bug)

Attachments

(1 file)

Because of bug 1485864 a new NSS release (3.36.6) for uplift to Firefox 60 ESR was built from the NSS_3_36_BRANCH. The tag is NSS_3_36_6_RTM.

Artifacts are available at https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_36_6_RTM/src/

In addition to bug 1485864, this release includes ridealong fixes for 
* bug 1389967
* bug 1448748

as requested by :tjr.

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: Addresses CVE-2018-12404, a sec-moderate that is likely to get attention.

User impact if declined: It's unlikely for this side-channel to affect client-side Firefox sessions, but it could be doable, and we'd want to try and protect our ESR users from it.

Fix Landed on Version: 65

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Constrained changes to timing within NSS without affecting functionality.

String or UUID changes made by this patch: None

Assignee: nobody → jjones
Status: NEW → ASSIGNED
Attachment #9029061 - Flags: approval-mozilla-esr60?
Depends on: CVE-2018-12404

Comment on attachment 9029061
NOTE: 3.36.5 was tagged but never version-bumped, so this looks funky

Uplift for ESR60 as discussed in bug 1485864.

Attachment #9029061 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+

https://hg.mozilla.org/releases/mozilla-esr60/rev/d428d2b8f585

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED