1511495 - Upgrade Firefox 60 ESR to use NSS 3.36.6

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[J.C. Jones [:jcj] (he/they)]

Because of bug 1485864 a new NSS release (3.36.6) for uplift to Firefox 60 ESR was built from the NSS_3_36_BRANCH. The tag is NSS_3_36_6_RTM.

Artifacts are available at https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_36_6_RTM/src/

In addition to bug 1485864, this release includes ridealong fixes for 
* bug 1389967
* bug 1448748

as requested by :tjr.

Comment 1

[J.C. Jones [:jcj] (he/they)]

Attachment: NOTE: 3.36.5 was tagged but never version-bumped, so this looks funky

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: Addresses CVE-2018-12404, a sec-moderate that is likely to get attention.

User impact if declined: It's unlikely for this side-channel to affect client-side Firefox sessions, but it could be doable, and we'd want to try and protect our ESR users from it.

Fix Landed on Version: 65

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Constrained changes to timing within NSS without affecting functionality.

String or UUID changes made by this patch: None

Comment 2

[Liz Henry (:lizzard) (relman/hg->git project)]

Comment on attachment 9029061 [details]
NOTE: 3.36.5 was tagged but never version-bumped, so this looks funky

Uplift for ESR60 as discussed in bug 1485864.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr60/rev/d428d2b8f585