Closed Bug 595300 Opened 14 years ago Closed 14 years ago

Update to NSS_3_12_8_RTM in mozilla-central

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla2.0b7
Tracking Status
blocking2.0 --- betaN+
blocking1.9.2 --- .11+
status1.9.2 --- .11-fixed
blocking1.9.1 --- .14+
status1.9.1 --- .14-fixed

People

(Reporter: wtc, Assigned: wtc)

References

Details

(Whiteboard: [sg:nse meta])

Attachments

(3 files)

mozilla-central is using NSS_3_12_8_BETA2.  I'd like to
update to NSS_3_12_8_BETA3.  I summarize the changes between
Beta 2 and Beta 3 below for Mozilla drivers.

Bug fixes of interest to Mozilla:
- Bug 578697: (CVE-2010-3170) Browser Wildcard Certificate Validation Issue
- Bug 582575: Add July 2010 batch of roots to NSS
- Bug 536640: valgrind warning in DecodeItem (about uninitialized local from
  nsslowkey_DecodePW)
- Bug 588698: SSL deadlock (seen in Thunderbird)
- Bug 567134: Use ASLR in NSS if it's available

Other important bug fixes:
- Bug 587234: Better error reporting and checks for weak server keys in libSSL
- Bug 585842: CERT_MakeCANickname returns static string in error case
- Bug 586953: CERT_FormatName leaks everything if it can't PORT_Alloc for buf
- Bug 586957: CERT_FormatName leaks things if properties exist multiple times
- Bug 586967: CERT_CreateCertificate leaks arena if PORT_ArenaZAlloc fails
- Bug 587399: crmf_copy_cert_req_msg leaks poolp if newReqMsg = PORT_ArenaZNew
  fails
- Bug 588052: nsslowhash.h missing from dist/public/nss
- Bug 587622: print_attr_value calls get_obj_class instead of get_key_type for
  CKA_KEY_TYPE
- Bug 584871: calling SEC_PKCS12DecoderStart with NULL dOpen, dClose, dRead,
  dWrite, dArg leads to leaks
- Bug 584875: Contents of sec_PKCS12EncoderContext are only freed on error
  handling case.
- Bug 587432: NSS_CMSSignerInfo_Sign leaks tmppoolp when things fail
- Bug 586697: ssl3_DeriveMasterSecret must not request pVersion when it does
  Master key derivation for Diffie-Hellman through pkcs11
- Bug 525092: Allow one more SSL function to be called early

Minor bug fixes:
- Bug 585247: NSS coreconf: Add -rpath-link to LDFLAGS for Maemo/Scratchbox
- Bug 586857: Mark SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME as an unsupported
  certificate extension
- Bug 587393: remove JAR_cert_attribute declaration
Group: core-security
blocking2.0: --- → ?
Attached patch: Patch
The changes in this patch have been individually reviewed in the
bugs I listed in comment 0.

This is likely to be the last Beta of NSS 3.12.8.
Attachment #474164 - Flags: approval2.0?
We definitely want the fix for now-public CVE-2010-3170 (bug 578697) on the branches, and should pick up the new roots too.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Whiteboard: [sg:nse meta]
Group: core-security
Blocks: 582579
Not blocking branches (yet): on the stable branches we'll wait for the actual NSS 3.12.8 release rather than BETA3 (though no changes are expected).
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
blocking2.0: ? → betaN+
Comment on attachment 474164
Patch

Pushed to mozilla-central in changeset d9a8b06248be:
http://hg.mozilla.org/mozilla-central/rev/d9a8b06248be
Attachment #474164 - Flags: approval2.0?
Since the NSS_3_12_8_RC0 tag has been created, I pushed
it to mozilla-central in changeset 79b569b64111:
http://hg.mozilla.org/mozilla-central/rev/79b569b64111

In addition to removing "Beta" from the version strings,
it contains only one bug fix:
- Bug 595264: libpkix thrown into infinite loop by % in certificate
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Summary: Update to NSS_3_12_8_BETA3 in mozilla-central → Update to NSS_3_12_8_BETA3 and NSS_3_12_8_RC0 in mozilla-central
Target Milestone: --- → mozilla2.0
Target Milestone: mozilla2.0 → mozilla2.0b7
For the record, RC0 was released as RTM today, without changes.
We want this on the 1.9.2 and 1.9.1 branches.

In order to land on the 1.9.1 branch we will also have to apply the fix for bug 583337 to unbreak sites using DHE with stupidly small keys.
blocking1.9.1: --- → .14+
blocking1.9.2: --- → .11+
Depends on: 583337
Summary: Update to NSS_3_12_8_BETA3 and NSS_3_12_8_RC0 in mozilla-central → Update to NSS_3_12_8_RTM in mozilla-central
Is this able to land on 1.9.2 and 1.9.1 today?
Need to bump the NSS requirement in configure.in...
Depends on: 600104
Pushed to mozilla-1.9.2 in changeset e8ca667960b1:
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e8ca667960b1

Pushed to mozilla-1.9.1 in changeset 8ee042940966:
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/8ee042940966
Thanks!
mozilla-1.9.1 installs its sqlite3.h in dist/include/sqlite3, so we
need to pass that to NSS 3.12.8's build system this way.
Attachment #479249 - Flags: review?(khuey)
Attachment #479249 - Flags: approval1.9.1.14?
Attachment #479249 - Flags: approval1.9.1.14? → approval1.9.1.14+
Comment on attachment 479249
mozilla-1.9.1 patch for security/manager/Makefile.in

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/95101ee982a6
No longer depends on: 614565