Bug 595300 - Update to NSS_3_12_8_RTM in mozilla-central
[sg:nse meta]
Product: Core
Classification: Components
Component: Security: PSM
: Trunk
: All All
-- normal
: mozilla2.0b7
Assigned To: Wan-Teh Chang
: David Keeler [:keeler] (use needinfo?)
: 582580
Depends on: 583337 600104
Blocks: CVE-2010-3170 582579
Reported: 2010-09-10 12:53 PDT by Wan-Teh Chang
Modified: 2010-11-24 10:51 PST

Patch (129.63 KB, patch)
2010-09-10 13:10 PDT, Wan-Teh Chang
Update to NSS_3_12_8_RC0 (5.76 KB, patch)
2010-09-18 09:35 PDT, Wan-Teh Chang
mozilla-1.9.1 patch for security/manager/ (915 bytes, patch)
2010-09-28 17:50 PDT, Wan-Teh Chang
khuey: review+
christian: approval1.9.1.14+

Description Wan-Teh Chang 2010-09-10 12:53:15 PDT
mozilla-central is using NSS_3_12_8_BETA2.  I'd like to
update to NSS_3_12_8_BETA3.  I summarize the changes between
Beta 2 and Beta 3 below for Mozilla drivers.

Bug fixes of interest to Mozilla:
- Bug 578697: (CVE-2010-3170) Browser Wildcard Certificate Validation Issue
- Bug 582575: Add July 2010 batch of roots to NSS
- Bug 536640: valgrind warning in DecodeItem (about uninitialized local from
- Bug 588698: SSL deadlock (seen in Thunderbird)
- Bug 567134: Use ASLR in NSS if it's available

Other important bug fixes:
- Bug 587234: Better error reporting and checks for weak server keys in libSSL
- Bug 585842: CERT_MakeCANickname returns static string in error case
- Bug 586953: CERT_FormatName leaks everything if it can't PORT_Alloc for buf
- Bug 586957: CERT_FormatName leaks things if properties exist multiple times
- Bug 586967: CERT_CreateCertificate leaks arena if PORT_ArenaZAlloc fails
- Bug 587399: crmf_copy_cert_req_msg leaks poolp if newReqMsg = PORT_ArenaZNew
- Bug 588052: nsslowhash.h missing from dist/public/nss
- Bug 587622: print_attr_value calls get_obj_class instead of get_key_type for
- Bug 584871: calling SEC_PKCS12DecoderStart with NULL dOpen, dClose, dRead,
  dWrite, dArg leads to leaks
- Bug 584875: Contents of sec_PKCS12EncoderContext are only freed on error
  handling case.
- Bug 587432: NSS_CMSSignerInfo_Sign leaks tmppoolp when things fail
- Bug 586697: ssl3_DeriveMasterSecret must not request pVersion when it does
  Master key derivation for Diffie-Hellman through pkcs11
- Bug 525092: Allow one more SSL function to be called early

Minor bug fixes:
- Bug 585247: NSS coreconf: Add -rpath-link to LDFLAGS for Maemo/Scratchbox
- Bug 586857: Mark SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME as an unsupported
  certificate extension
- Bug 587393: remove JAR_cert_attribute declaration
Comment 1 Wan-Teh Chang 2010-09-10 13:10:50 PDT
Created attachment 474164

The changes in this patch have been individually reviewed in the
bugs I listed in comment 0.

This is likely to be the last Beta of NSS 3.12.8.
Comment 2 Daniel Veditz [:dveditz] 2010-09-13 16:08:52 PDT
We definitely want the fix for now-public CVE-2010-3170 (bug 578697) on the branches, and should pick up the new roots too.
Comment 3 Daniel Veditz [:dveditz] 2010-09-16 09:49:38 PDT
Not blocking branches (yet): on the stable branches we'll wait for the actual NSS 3.12.8 release rather than BETA3 (though no changes are expected).
Comment 4 Wan-Teh Chang 2010-09-16 09:57:13 PDT
*** Bug 582580 has been marked as a duplicate of this bug. ***
Comment 5 Wan-Teh Chang 2010-09-18 06:44:56 PDT
Comment on attachment 474164

Pushed to mozilla-central in changeset d9a8b06248be:
Comment 6 Wan-Teh Chang 2010-09-18 09:35:12 PDT
Created attachment 476537
Update to NSS_3_12_8_RC0

Since the NSS_3_12_8_RC0 tag has been created, I pushed
it to mozilla-central in changeset 79b569b64111:

In addition to removing "Beta" from the version strings,
it contains only one bug fix:
- Bug 595264: libpkix thrown into infinite loop by % in certificate
Comment 7 Kai Engert (:kaie) 2010-09-23 12:15:22 PDT
For the record, RC0 was released as RTM today, without changes.
Comment 8 Daniel Veditz [:dveditz] 2010-09-27 16:29:58 PDT
We want this on the 1.9.2 and 1.9.1 branches.

In order to land on the 1.9.1 branch we will also have to apply the fix for bug 583337 to unbreak sites using DHE with stupidly small keys.
Comment 9 christian 2010-09-28 14:26:10 PDT
Is this able to land on 1.9.2 and 1.9.1 today?
Comment 10 Reed Loden [:reed] (use needinfo?) 2010-09-28 15:32:26 PDT
Need to bump the NSS requirement in
Comment 11 Wan-Teh Chang 2010-09-28 15:40:22 PDT
Pushed to mozilla-1.9.2 in changeset e8ca667960b1:

Pushed to mozilla-1.9.1 in changeset 8ee042940966:
Comment 12 christian 2010-09-28 15:43:11 PDT
Comment 13 Wan-Teh Chang 2010-09-28 17:50:53 PDT
Created attachment 479249
mozilla-1.9.1 patch for security/manager/

mozilla-1.9.1 installs its sqlite3.h in dist/include/sqlite3, so we
need to pass that to NSS 3.12.8's build system this way.
Comment 14 Wan-Teh Chang 2010-09-28 17:59:29 PDT
Comment on attachment 479249
mozilla-1.9.1 patch for security/manager/
