Closed Bug 1581998 Opened 5 years ago Closed 5 years ago

Upgrade Firefox 70 to use NSS 3.46.1


(Core :: Security: PSM, task, P1)




Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox69 --- unaffected
firefox70 + fixed
firefox71 --- unaffected


(Reporter: jcj, Assigned: jcj)


(Blocks 1 open bug, )


(Keywords: sec-other, Whiteboard: [post-critsmash-triage])


(1 file)

[Tracking Requested - why for this release]:

This is a cumulative security update for NSS 3.46 for Firefox 70. When ready, the tag will be NSS_3_46_1_RTM.

Depends on: 1582343
Depends on: 1576307

We're proposing releasing this on 9 October, the day before 70.0b14. Would that be OK date for uplift to beta 70, or would you want it a different day?

Flags: needinfo?(jcristau)
Flags: needinfo?(jcristau) → needinfo?(lhenry)

That timing would mean it would release on Friday in beta 14, and we'd have only the weekend to detect and fix any regressions before building the 70 release candidate on Monday. So, if it's possible to do this a week earlier that would be better, to give us some time to find and fix any release-blocking problems.

Flags: needinfo?(lhenry) → needinfo?(jjones)

OK, 2 October it is then. Noting that for the sec-approvals.

Flags: needinfo?(jjones)
No longer depends on: 1576307

2019-10-02 J.C. Jones <>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.46.1 final
[42682c941fd6] [NSS_3_46_1_RTM] <NSS_3_46_BRANCH>

2019-10-01 Kevin Jacobs <>

* lib/softoken/pkcs11c.c:
Bug 1577953 - Support longer (up to RFC maximum) HKDF outputs r=jcj

HKDF-Expand enforces a maximum output length much shorter than
stated in the RFC. This patch aligns the implementation with the RFC
by allocating more output space when necessary.

[f8dc0ce54c16] <NSS_3_46_BRANCH>

2019-09-26 Deian Stefan <>

* lib/softoken/pkcs11c.c, lib/softoken/tlsprf.c:
Bug 1582343 - Use constant time memcmp in more places r=kjacobs,jcj
[e2945c434286] <NSS_3_46_BRANCH>

2019-08-30 J.C. Jones <>

* .hgtags:
Added tag NSS_3_46_RTM for changeset decbf7bd40fd
[a75ea4cdacd9] <NSS_3_46_BRANCH>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.46 final
[decbf7bd40fd] [NSS_3_46_RTM]

Comment on attachment 9098413 [details]
Bug 1581998 - land NSS NSS_3_46_1_RTM UPGRADE_NSS_RELEASE, r=kjacobs

Beta/Release Uplift Approval Request

  • User impact if declined: One sec-high, one sec-audit.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: n/a
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The functionality fixes are straightforward and limited to specific crypto operaitons' correctness. See Bug 1566873 for the same patch against ESR.
  • String changes made/needed: n/a
Attachment #9098413 - Flags: approval-mozilla-beta?

Comment on attachment 9098413 [details]
Bug 1581998 - land NSS NSS_3_46_1_RTM UPGRADE_NSS_RELEASE, r=kjacobs

NSS update, let's uplift for beta 13 (this just barely missed beta 12)

Attachment #9098413 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

So, when this lands on beta it will fix bug 1577953 and bug 1582343, right?

Flags: needinfo?(jjones)

That's correct.

Flags: needinfo?(jjones)
Group: crypto-core-security → core-security-release
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.