1588559 - Upgrade Firefox 71 to use NSS 3.47.1

Status: RESOLVED FIXED

(Core :: Security: PSM, task, P1)

Description

[J.C. Jones [:jcj] (he/him)]

[Tracking Requested - why for this release]:

This is a cumulative security update for NSS 3.47 for Firefox 71 . When ready, the tag will be NSS_3_47_1_RTM.

Comment 1

[J.C. Jones [:jcj] (he/him)]

Attachment: Bug 1588559 - land NSS NSS_3_47_1_RTM UPGRADE_NSS_RELEASE, r=kjacobs

2019-11-19 J.C. Jones <jjones@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.47.1 final
[6339a6f350c9] [NSS_3_47_1_RTM] <NSS_3_47_BRANCH>

2019-11-19 Craig Disselkoen <cdisselk@cs.ucsd.edu>

* lib/softoken/pkcs11c.c:
Bug 1586176 - EncryptUpdate should use maxout not block size.
r=franziskus
[4c20de402b39] <NSS_3_47_BRANCH>

2019-10-21 Marcus Burghardt <mburghardt@mozilla.com>

* lib/ckfw/builtins/testlib/certdata-testlib.txt:
Bug 1589810 - Uninitialized variable warnings from certdata.perl.
r=mt

[86f505b65576] <NSS_3_47_BRANCH>

2019-11-04 Marcus Burghardt <mburghardt@mozilla.com>

* lib/pk11wrap/pk11cert.c:
Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj

Fixed controls to avoid crashes caused by slots possibly without a
token in pk11_fastCert. Also, improved arguments controls in
PK11_MakeCertFromHandle.

[54ce0e2caeb8] <NSS_3_47_BRANCH>

2019-11-11 Tom Prince <mozilla@hocat.ca>

* automation/taskcluster/graph/src/extend.js,
automation/taskcluster/windows/setup.sh:
Bug 1594891 - Use tc-proxy for nss tooltool; r=dustin,jcj

[15b525236995] <NSS_3_47_BRANCH>

2019-11-08 Dustin J. Mitchell <dustin@mozilla.com>

* automation/taskcluster/graph/npm-shrinkwrap.json,
automation/taskcluster/graph/package.json,
automation/taskcluster/graph/src/image_builder.js,
automation/taskcluster/graph/src/queue.js,
automation/taskcluster/scripts/tools.sh,
automation/taskcluster/windows/gen_certs.sh,
automation/taskcluster/windows/run_tests.sh:
Bug 1594891 - Updates to run correctly on the new TC deployment
r=jcj

* Update the Taskcluster client used in the decision task to one
that understands Taskcluster rootUrls.
* Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL
  * the absence of this variale signals an "old" worker so we use an
"old" URL

[054c57351ca0] <NSS_3_47_BRANCH>

2019-11-07 Tom Prince <mozilla@hocat.ca>

* .taskcluster.yml, automation/taskcluster/graph/src/extend.js,
automation/taskcluster/graph/src/queue.js:
Bug 1591275: Switch workers to use AWS Provder; r=kjacobs

[af55d9185ec5] <NSS_3_47_BRANCH>

2019-10-18 J.C. Jones <jjones@mozilla.com>

* .hgtags:
Added tag NSS_3_47_RTM for changeset 7ccb4ade5577
[dcadb95b9d77] <NSS_3_47_BRANCH>

Comment 2

[J.C. Jones [:jcj] (he/him)]

Comment on attachment 9110098 [details]
Bug 1588559 - land NSS NSS_3_47_1_RTM UPGRADE_NSS_RELEASE, r=kjacobs

Beta/Release Uplift Approval Request

• User impact if declined: sec-high CVE-2019-11745
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Minimal fix for CVE-2019-11745, and a backported crash fix that effects some enterprise profiles which had two weeks to bake in nightly
• String changes made/needed: none

Comment 3

[Pascal Chevrel:pascalc (PTO until April 26)]

Comment on attachment 9110098 [details]
Bug 1588559 - land NSS NSS_3_47_1_RTM UPGRADE_NSS_RELEASE, r=kjacobs

Uplift approved for 71 beta 12, thanks.

Comment 4

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/releases/mozilla-beta/rev/4b6cb17b74d9