Closed Bug 1677548 Opened 6 months ago Closed 5 months ago

Upgrade Firefox 85 to use NSS 3.60

Categories

(Core :: Security: PSM, enhancement, P1)

Firefox 85
enhancement

Tracking


RESOLVED FIXED
85 Branch
Tracking Status
firefox85 --- fixed

People

(Reporter: kjacobs, Assigned: kjacobs)

Attachments

(5 files)

+++ This bug was initially created as a clone of Bug #1671713 +++

Tracking NSS 3.60 for Firefox 85. Ultimate tag will be NSS_3_60_RTM.

Keywords: leave-open
Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/39c31ec31cbd
land NSS 3eacb92e9adf UPGRADE_NSS_RELEASE, r=jcj
Depends on: 1680154

2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>

* lib/ckfw/builtins/nssckbi.h:
Bug 1678189 - December 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche

[f8c49b334e51] [tip]

* lib/ckfw/builtins/certdata.txt:
Bug 1678166 - Add NAVER Global Root Certification Authority root
cert to NSS. r=bbeurdouche,KathleenWilson

[b9742b439a81]

2020-12-01 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>

* lib/ckfw/builtins/certdata.txt:
Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs
from NSS. r=kjacobs,KathleenWilson

[4c69d6d0cf21]

2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>

* lib/ssl/ssl3exthandle.c:
Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche

In fuzzer mode, session tickets are serialized without any
encryption or integrity protection. This leads to a post-deserialize
UBSAN error when shifting by a fuzzed (large) authType value. A real
NSS server will not produce these values.

[a51fae403328]

2020-11-30 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>

* build.sh, coreconf/config.gypi,
lib/ckfw/builtins/testlib/builtins-testlib.gyp,
lib/ckfw/builtins/testlib/nssckbi-testlib.def, nss.gyp:
Bug 1678384 - Add a build flag to allow building nssckbi-testlib in
m-c r=kjacobs

[22bf7c680b60]

2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>

* lib/dev/devslot.c:
Bug 1679290 - Don't hold slot lock when taking session lock
r=bbeurdouche

[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed
a number of race conditions related to NSSSlot member accesses.
Unfortunately the locking order that was imposed by that patch has
been found to cause problems for at least one PKCS11 module,
libnsspem.

This patch drops nested locking in favor of unlocking/re-locking.
While this isn't perfect, the original problem in bug 1663661 was
that `slot->token` could become NULL, which we can easily check
after reacquiring.

[19585ccc7a1f]

2020-11-25 Makoto Kato <m_kato@ga2.so-net.ne.jp>

* lib/freebl/blinit.c:
Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection.
r=bbeurdouche

Actually, we have CPU feature detection for Linux and FreeBSD on
aarch64 platform. But others don't.

macOS doesn't have any CPU feature detection for ARM Crypto
Extension, but toolchain default is turned on. So we should respect
__ARM_FEATURE_CRYPTO.

[f1e48fbead3d]

2020-11-19 Lauri Kasanen <cand@gmx.com>

* lib/freebl/Makefile:
Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible
with ABI version 1 output. r=jcj

Don't try to build the SHA-2 accelerated asm on old-ABI ppc.

Currently make only, I don't have enough gyp-fu to do that side.
However, the reporters of 1642174 and 1635625 both used make, not
gyp.

Signed-off-by: Lauri Kasanen <cand@gmx.com>
[d806f7992b10]
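
The unlock/re-lock approach described in the Bug 1679290 entry above, as an added example that is not NSS code and not part of the original comment: the slot lock is released before the session lock is taken, and the token pointer is re-checked once the slot lock is reacquired. The types `slot_t` and `token_t`, both function names and the `between` hook are hypothetical stand-ins built on plain pthread mutexes.

```c
#include <pthread.h>
#include <stddef.h>

/* Hypothetical stand-ins; not NSS's NSSSlot or its lock types. */
typedef struct { int id; } token_t;
typedef struct {
    pthread_mutex_t slot_lock;    /* guards `token` */
    pthread_mutex_t session_lock; /* guards `session_uses` */
    token_t *token;               /* may be cleared by another thread */
    int session_uses;
} slot_t;

/* Returns the token id on success, or -1 if the token was absent at
 * entry or went away while the slot lock was released. */
int slot_use_session(slot_t *s, void (*between)(slot_t *))
{
    int id;

    pthread_mutex_lock(&s->slot_lock);
    if (s->token == NULL) {
        pthread_mutex_unlock(&s->slot_lock);
        return -1;
    }
    pthread_mutex_unlock(&s->slot_lock);  /* drop before the session lock */

    pthread_mutex_lock(&s->session_lock); /* never nested inside slot_lock */
    s->session_uses++;
    pthread_mutex_unlock(&s->session_lock);

    if (between != NULL)
        between(s); /* hook: deterministically simulates a concurrent removal */

    pthread_mutex_lock(&s->slot_lock);
    /* State may have changed while unlocked: re-validate before use. */
    id = (s->token != NULL) ? s->token->id : -1;
    pthread_mutex_unlock(&s->slot_lock);
    return id;
}

/* Constructed "other thread" behaviour for the demonstration. */
void remove_token(slot_t *s)
{
    pthread_mutex_lock(&s->slot_lock);
    s->token = NULL;
    pthread_mutex_unlock(&s->slot_lock);
}
```

Because no thread ever holds both locks at once, no lock order is imposed on callers or on the PKCS#11 module; the cost is that anything read under the slot lock must be treated as stale after reacquiring it.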
Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bc61343b5d68
land NSS f8c49b334e51 UPGRADE_NSS_RELEASE, r=bbeurdouche
Regressions: 1681071

2020-12-04 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc,
lib/pk11wrap/pk11obj.c:
Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey. r=bbeurdouche

[f84fb229842a] [tip]

2020-12-03 yogesh <yoyogesh01@gmail.com>

* cmd/tstclnt/tstclnt.c:
Bug 1570539 - Removed -X alt-server-hello option from tstclnt
r=kjacobs

[ef9198eb2895]

2020-12-03 J.C. Jones <jjones@mozilla.com>

* lib/util/pkcs11t.h:
Bug 1675523 - CKR_PUBLIC_KEY_INVALID has an incorrect value
r=bbeurdouche

PKCS#11 v2.40:
https://www.cryptsoft.com/pkcs11doc/STANDARD/include/v240/pkcs11t.h
line 1150

jdk8u: https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/eb7f437285a1/src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h#l1155

[f9bcf45ca3bf]
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d3f53a315e15
land NSS f84fb229842a UPGRADE_NSS_RELEASE, r=bbeurdouche
Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d30361659e2a
land NSS NSS_3_60_BETA1 UPGRADE_NSS_RELEASE, r=keeler

2020-12-11 Kevin Jacobs <kjacobs@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.60 final
[2015cf6ca323] [NSS_3_60_RTM] <NSS_3_60_BRANCH>

2020-12-08 Kevin Jacobs <kjacobs@mozilla.com>

* .hgtags:
Added tag NSS_3_60_BETA1 for changeset f84fb229842a
[1fe6cb3c3874]
Keywords: leave-open
Pushed by rmaries@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8ade6a20744e
land NSS NSS_3_60_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
Regressions: 1696840
No longer regressions: 1696840