Closed Bug 1588558 Opened 5 years ago Closed 5 years ago

Upgrade Firefox ESR 68 to use NSS 3.44.3

Categories

(Core :: Security: PSM, task, P1)

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr68 71+ fixed

People

(Reporter: jcj, Assigned: jcj)

References

(Blocks 1 open bug)

Details

(Keywords: sec-other)

Attachments

(1 file)

[Tracking Requested - why for this release]:

This is a cumulative security update for NSS 3.44 for Firefox 68 ESR. When ready, the tag will be NSS_3_44_3_RTM.

Tracking 71+ so this is on the radar for the 68.3esr release shipping alongside Fx71 in early December.

Group: core-security-release → crypto-core-security
Depends on: 1579060
Depends on: 1588559
Depends on: 1589810
No longer depends on: 1588559
No longer depends on: 1589810
Group: core-security-release

2019-11-19 J.C. Jones <jjones@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.44.3 final
[d871fc63531d] [NSS_3_44_3_RTM] <NSS_3_44_BRANCH>

2019-11-19 Craig Disselkoen <cdisselk@cs.ucsd.edu>

* lib/softoken/pkcs11c.c:
Bug 1586176 - EncryptUpdate should use maxout not block size.
r=franziskus
[60bca7c6dc6d] <NSS_3_44_BRANCH>

2019-10-15 Dana Keeler <dkeeler@mozilla.com>

* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
mozilla::pkix::BackCert r=jcj

According to RFC 5280, the definitions of issuerUniqueID and
subjectUniqueID in TBSCertificate are as follows:

    issuerUniqueID  [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,

where UniqueIdentifier is a BIT STRING.

IMPLICIT tags replace the tag of the underlying type. For these
fields, there is no specified class (just a tag number within the
class), and the underlying type of BIT STRING is "primitive" (i.e.
not constructed). Thus, the tags should be of the form CONTEXT
SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
respectively.

When originally implemented, mozilla::pkix incorrectly required that
the CONSTRUCTED bit also be set for these fields. Consequently, the
library would reject any certificate that actually contained these
fields. Evidently such certificates are rare.

[64e55c9f658e] <NSS_3_44_BRANCH>

2019-11-11 Tom Prince <mozilla@hocat.ca>

* automation/taskcluster/graph/src/extend.js,
automation/taskcluster/windows/setup.sh:
Bug 1594891 - Use tc-proxy for nss tooltool; r=dustin,jcj

[d0f80763697f] <NSS_3_44_BRANCH>

2019-11-08 Dustin J. Mitchell <dustin@mozilla.com>

* automation/taskcluster/graph/npm-shrinkwrap.json,
automation/taskcluster/graph/package.json,
automation/taskcluster/graph/src/image_builder.js,
automation/taskcluster/graph/src/queue.js,
automation/taskcluster/scripts/tools.sh,
automation/taskcluster/windows/gen_certs.sh,
automation/taskcluster/windows/run_tests.sh:
Bug 1594891 - Updates to run correctly on the new TC deployment
r=jcj

* Update the Taskcluster client used in the decision task to one
that understands Taskcluster rootUrls.
* Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL
  * the absence of this variable signals an "old" worker so we use an
"old" URL

[f2604281fdcd] <NSS_3_44_BRANCH>

2019-11-07 Tom Prince <mozilla@hocat.ca>

* .taskcluster.yml, automation/taskcluster/graph/src/extend.js,
automation/taskcluster/graph/src/queue.js:
Bug 1591275: Switch workers to use AWS Provider; r=kjacobs

[11b2065c9197] <NSS_3_44_BRANCH>

2019-10-02 J.C. Jones <jjones@mozilla.com>

* .hgtags:
Added tag NSS_3_44_2_RTM for changeset 927b49b0d5cf
[65da61024980] <NSS_3_44_BRANCH>
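
The tag arithmetic from the bug 1579060 commit message above, as an added C++ example (not code from NSS or mozilla::pkix): the identifier octets for `[1]` and `[2]` IMPLICIT BIT STRING are 0x81 and 0x82, and a parser that also demands the CONSTRUCTED bit fails on input that carries them. `Reader`, `SkipOptional`, `ParseUniqueIDs`, `SampleTail` and the sample bytes are constructed for illustration, and only short-form DER lengths are handled.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// DER identifier octet: bits 8-7 = class, bit 6 = constructed, bits 5-1 = tag number.
constexpr uint8_t CONSTRUCTED = 0x20;
constexpr uint8_t CONTEXT_SPECIFIC = 0x80;

struct Reader { const uint8_t* p; const uint8_t* end; };  // hypothetical cursor
enum class Result { Absent, Present, Malformed };

// Consume one OPTIONAL element if the next identifier octet equals expectedTag.
Result SkipOptional(Reader& r, uint8_t expectedTag) {
  if (r.p == r.end || *r.p != expectedTag) return Result::Absent;
  if (r.end - r.p < 2) return Result::Malformed;
  uint8_t len = r.p[1];
  if (len & 0x80) return Result::Malformed;            // long-form length: out of scope
  if (r.end - r.p - 2 < len) return Result::Malformed; // value runs past the buffer
  r.p += 2 + len;
  return Result::Present;
}

// Simplified model of the TBSCertificate tail: optional [1] issuerUniqueID, then
// optional [2] subjectUniqueID, then end of input. requireConstructed=true models
// the original behaviour described in the commit message (CONSTRUCTED bit demanded).
bool ParseUniqueIDs(const std::vector<uint8_t>& der, bool requireConstructed) {
  const uint8_t extra = requireConstructed ? CONSTRUCTED : 0;
  Reader r{der.data(), der.data() + der.size()};
  for (uint8_t n = 1; n <= 2; ++n) {
    const uint8_t tag = static_cast<uint8_t>(CONTEXT_SPECIFIC | extra | n);
    if (SkipOptional(r, tag) == Result::Malformed) return false;
  }
  return r.p == r.end;  // bytes left over: a field the parser did not recognise
}

// Constructed sample: both fields as primitive BIT STRINGs (0 unused bits, 1 byte).
std::vector<uint8_t> SampleTail() {
  return {0x81, 0x02, 0x00, 0x5A,   // [1] IMPLICIT BIT STRING
          0x82, 0x02, 0x00, 0xA5};  // [2] IMPLICIT BIT STRING
}

int main() {
  std::printf("expects 0x81/0x82: %s\n",
              ParseUniqueIDs(SampleTail(), false) ? "accepted" : "rejected");
  std::printf("expects 0xA1/0xA2: %s\n",
              ParseUniqueIDs(SampleTail(), true) ? "accepted" : "rejected");
  return 0;
}
```

Input without either field parses in both modes, which matches the commit message's observation that the defect only surfaced for the rare certificates that contain these fields.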
Attachment #9110087 - Attachment description: Bug 1588558 - land NSS NSS_3_44_3_RTM UPGRADE_NSS_RELEASE, r=kjacobs → Bug 1588558 - land NSS NSS_3_44_3_RTM UPGRADE_NSS_RELEASE (ESR 68), r=kjacobs
Attachment #9110087 - Attachment description: Bug 1588558 - land NSS NSS_3_44_3_RTM UPGRADE_NSS_RELEASE (ESR 68), r=kjacobs → Bug 1588558 - land NSS NSS_3_44_3_RTM UPGRADE_NSS_RELEASE, r=kjacobs

Comment on attachment 9110087 [details]
Bug 1588558 - land NSS NSS_3_44_3_RTM UPGRADE_NSS_RELEASE, r=kjacobs

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
  • User impact if declined: sec-high
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Minimal patch to avoid CVE-2019-11745 and a cert viewer flaw
  • String or UUID changes made by this patch:
Attachment #9110087 - Flags: approval-mozilla-esr68?

Comment on attachment 9110087 [details]
Bug 1588558 - land NSS NSS_3_44_3_RTM UPGRADE_NSS_RELEASE, r=kjacobs

Approved for 68.3esr.

Attachment #9110087 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Group: crypto-core-security
Group: core-security-release