Update to NSS_3_12_8_RTM in mozilla-central

RESOLVED FIXED in mozilla2.0b7



Security: PSM
7 years ago


(Reporter: Wan-Teh Chang, Assigned: Wan-Teh Chang)



Firefox Tracking Flags

(blocking2.0 betaN+, blocking1.9.2 .11+, status1.9.2 .11-fixed, blocking1.9.1 .14+, status1.9.1 .14-fixed)


(Whiteboard: [sg:nse meta])


(3 attachments)



7 years ago
mozilla-central is using NSS_3_12_8_BETA2.  I'd like to
update to NSS_3_12_8_BETA3.  I summarize the changes between
Beta 2 and Beta 3 below for Mozilla drivers.

Bug fixes of interest to Mozilla:
- Bug 578697: (CVE-2010-3170) Browser Wildcard Certificate Validation Issue
- Bug 582575: Add July 2010 batch of roots to NSS
- Bug 536640: valgrind warning in DecodeItem (about uninitialized local from
- Bug 588698: SSL deadlock (seen in Thunderbird)
- Bug 567134: Use ASLR in NSS if it's available

Other important bug fixes:
- Bug 587234: Better error reporting and checks for weak server keys in libSSL
- Bug 585842: CERT_MakeCANickname returns static string in error case
- Bug 586953: CERT_FormatName leaks everything if it can't PORT_Alloc for buf
- Bug 586957: CERT_FormatName leaks things if properties exist multiple times
- Bug 586967: CERT_CreateCertificate leaks arena if PORT_ArenaZAlloc fails
- Bug 587399: crmf_copy_cert_req_msg leaks poolp if newReqMsg = PORT_ArenaZNew
- Bug 588052: nsslowhash.h missing from dist/public/nss
- Bug 587622: print_attr_value calls get_obj_class instead of get_key_type for
- Bug 584871: calling SEC_PKCS12DecoderStart with NULL dOpen, dClose, dRead,
  dWrite, dArg leads to leaks
- Bug 584875: Contents of sec_PKCS12EncoderContext are only freed on error
  handling case.
- Bug 587432: NSS_CMSSignerInfo_Sign leaks tmppoolp when things fail
- Bug 586697: ssl3_DeriveMasterSecret must not request pVersion when it does
  Master key derivation for Diffie-Hellman through pkcs11
- Bug 525092: Allow one more SSL function to be called early

Minor bug fixes:
- Bug 585247: NSS coreconf: Add -rpath-link to LDFLAGS for Maemo/Scratchbox
- Bug 586857: Mark SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME as an unsupported
  certificate extension
- Bug 587393: remove JAR_cert_attribute declaration


7 years ago
Group: core-security
blocking2.0: --- → ?

Comment 1

7 years ago
Created attachment 474164

The changes in this patch have been individually reviewed in the
bugs I listed in comment 0.

This is likely to be the last Beta of NSS 3.12.8.
Attachment #474164 - Flags: approval2.0?
We definitely want the fix for now-public CVE-2010-3170 (bug 578697) on the branches, and should pick up the new roots too.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted


7 years ago
Whiteboard: [sg:nse meta]
Group: core-security


7 years ago
Blocks: 582579
Not blocking branches (yet): on the stable branches we'll wait for the actual NSS 3.12.8 release rather than BETA3 (though no changes are expected).
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---


7 years ago
Duplicate of this bug: 582580


7 years ago
blocking2.0: ? → betaN+

Comment 5

7 years ago
Comment on attachment 474164

Pushed to mozilla-central in changeset d9a8b06248be:
Attachment #474164 - Flags: approval2.0?

Comment 6

7 years ago
Created attachment 476537
Update to NSS_3_12_8_RC0

Since the NSS_3_12_8_RC0 tag has been created, I pushed
it to mozilla-central in changeset 79b569b64111:

In addition to removing "Beta" from the version strings,
it contains only one bug fix:
- Bug 595264: libpkix thrown into infinite loop by % in certificate


7 years ago
Last Resolved: 7 years ago
Resolution: --- → FIXED
Summary: Update to NSS_3_12_8_BETA3 in mozilla-central → Update to NSS_3_12_8_BETA3 and NSS_3_12_8_RC0 in mozilla-central
Target Milestone: --- → mozilla2.0


7 years ago
Target Milestone: mozilla2.0 → mozilla2.0b7

Comment 7

7 years ago
For the record, RC0 was released as RTM today, without changes.
We want this on the 1.9.2 and 1.9.1 branches.

In order to land on the 1.9.1 branch we will also have to apply the fix for bug 583337 to unbreak sites using DHE with stupidly small keys.
blocking1.9.1: --- → .14+
blocking1.9.2: --- → .11+
Depends on: 583337
Summary: Update to NSS_3_12_8_BETA3 and NSS_3_12_8_RC0 in mozilla-central → Update to NSS_3_12_8_RTM in mozilla-central

Comment 9

7 years ago
Is this able to land on 1.9.2 and 1.9.1 today?
Need to bump the NSS requirement in configure.in...
Depends on: 600104

Comment 11

7 years ago
Pushed to mozilla-1.9.2 in changeset e8ca667960b1:

Pushed to mozilla-1.9.1 in changeset 8ee042940966:
status1.9.1: wanted → .14-fixed
status1.9.2: wanted → .11-fixed

Comment 12

7 years ago
Blocks: 578697

Comment 13

7 years ago
Created attachment 479249
mozilla-1.9.1 patch for security/manager/Makefile.in

mozilla-1.9.1 installs its sqlite3.h in dist/include/sqlite3, so we
need to pass that to NSS 3.12.8's build system this way.
Attachment #479249 - Flags: review?(khuey)
Attachment #479249 - Flags: approval1.9.1.14?
Attachment #479249 - Flags: review?(khuey) → review+


7 years ago
Attachment #479249 - Flags: approval1.9.1.14? → approval1.9.1.14+

Comment 14

7 years ago
Comment on attachment 479249
mozilla-1.9.1 patch for security/manager/Makefile.in

Depends on: 614565
No longer depends on: 614565