Last Comment Bug 669061 - Upgrade Mozilla to NSS 3.13.1
: Upgrade Mozilla to NSS 3.13.1
Status: RESOLVED FIXED
[Contains security fixes, including w...
: compat
Product: Core
Classification: Components
Component: Security: PSM (show other bugs)
: Trunk
: All All
: -- normal (vote)
: mozilla9
Assigned To: Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
:
Mentors:
: 692698 (view as bug list)
Depends on: 669060 693228 693925 695833 698203 698222 702111 723370 724478 738028 742694
Blocks: 673381
  Show dependency treegraph
 
Reported: 2011-07-03 05:33 PDT by Kai Engert (:kaie)
Modified: 2012-04-05 07:10 PDT (History)
12 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
unaffected
+
affected


Attachments
NSS_3_13_BETA1 (15 bytes, patch)
2011-08-18 11:52 PDT, Kai Engert (:kaie)
wtc: review+
Details | Diff | Review
Upgrade to NSS 3.13.0 (228.21 KB, patch)
2011-10-07 13:41 PDT, Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
wtc: review+
brian: checkin+
Details | Diff | Review
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM (254.13 KB, patch)
2011-10-30 23:33 PDT, Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
kaie: review+
wtc: review+
christian: approval‑mozilla‑aurora+
Details | Diff | Review
Update mozilla-central to NSS 3.13.1 (4.80 KB, patch)
2011-10-30 23:40 PDT, Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
wtc: review+
Details | Diff | Review

Description Kai Engert (:kaie) 2011-07-03 05:33:11 PDT
NSS 3.13 is not yet released, but once it is, we want to upgrade mozilla-central to use it.
Comment 1 Kai Engert (:kaie) 2011-08-18 11:52:16 PDT
Created attachment 554163 [details] [diff] [review]
NSS_3_13_BETA1

Wan-Teh, do you agree to upgrade mozilla-central to NSS_3_13_BETA1 ?

(I plan do so after getting a successful tryserver build with this tag.)
Comment 2 Wan-Teh Chang 2011-08-18 11:58:15 PDT
Comment on attachment 554163 [details] [diff] [review]
NSS_3_13_BETA1

r=wtc.  I agree.
Comment 3 Kai Engert (:kaie) 2011-08-19 08:31:34 PDT
Beta1 tryserver build looks good to me.
http://tbpl.allizom.org/?tree=Try&usebuildbot=1&rev=a1e17d3d08e8

I checked the Beta1 in to mozilla-inbound.
http://hg.mozilla.org/integration/mozilla-inbound/rev/33000157292b
Comment 4 Ed Morley [:emorley] 2011-08-21 11:38:07 PDT
http://hg.mozilla.org/mozilla-central/rev/33000157292b
Comment 5 Kai Engert (:kaie) 2011-08-21 11:43:23 PDT
This will stay open until we have checked in the final release of 3.13
Comment 6 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-10-06 23:21:09 PDT
*** Bug 692698 has been marked as a duplicate of this bug. ***
Comment 7 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-10-06 23:26:57 PDT
We have to take this in mozilla-aurora because we committed 3.13 BETA 1 before the merge. If we decide we don't want to activate the safeguards against the BEAST attack in mozilla-aurora because of the compatibility risk, then I will write a one-line patch that uses the SSL_OptionSet API to disable it. But, I would prefer we try to avoid doing that if possible.

There is some tension between the known compatibility issues associated with the workaround for the TLS BEAST attack included in 3.13 and other browsers' schedules for releasing a workaround. Details of other browser makers' plans cannot be posted here, but I believe that it will be important for Firefox 8 or Firefox 9 to take up this release. I will schedule a private meeting to discuss the compatibility impact with release-drivers.
Comment 8 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-10-07 00:41:14 PDT
Here is the tryserver run after running:
    python client.py update_nss NSS_3_13_RC0
    hg addremove

Here is the tryserver run for NSS_3_13_RC0:
https://tbpl.mozilla.org/?tree=Try&rev=ef941bca98fd

Once it completes, I will check it into mozilla-central.
Comment 9 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-10-07 13:41:47 PDT
Created attachment 565639 [details] [diff] [review]
Upgrade to NSS 3.13.0

Wan-Teh, I believe I am doing the import correctly, but could you please double-check?

I issued the commands:
    python client.py update_nss NSS_3_13_RC0
    hg addremove

I verified that coreconf.dep was already modified

The tryserver run above looks as decent as a tryserver run gets (not very decent, but not the fault of this change.)
Comment 10 Wan-Teh Chang 2011-10-07 13:47:03 PDT
Comment on attachment 565639 [details] [diff] [review]
Upgrade to NSS 3.13.0

r=wtc.
Comment 11 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-10-07 14:43:20 PDT
Comment on attachment 565639 [details] [diff] [review]
Upgrade to NSS 3.13.0

https://hg.mozilla.org/mozilla-central/rev/8f011395145e
Comment 12 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-10-19 13:22:16 PDT
Because of regression bug 693228 introduced in NSS 3.13, we MUST update to the next NSS release (NSS 3.13.1) for mozilla-central.

Because we landed a pre-release of NSS 3.13 before mozilla-aurora branched, we MUST that same NSS release (NSS 3.13.1) on mozilla-aurora.
Comment 13 Wan-Teh Chang 2011-10-19 13:45:43 PDT
I don't understand why we need both this bug and the NSS bug 695833.
Anyway, I have created the NSS_3_13_1_BETA1 CVS tag and will push it
to mozilla-inbound when the tree opens.
Comment 14 christian 2011-10-25 21:12:00 PDT
---------------------------------[ Triage Comment ]---------------------------------

We definitely want to track this for 9aurora as we have the beta version there and should update to final.

What do we need to do for Firefox 8? I doubt we'll be taking this version into the tree as it is so close to release and Oracle has released an update for Java mitigating the BEAST attack (I think).

We'll track this for Firefox 8 as well until we get a definitive answer so this doesn't get lost.
Comment 15 Olli Pettay [:smaug] 2011-10-29 10:17:32 PDT
Why is target milestone Mozilla9? Atm this is only in Mozilla10.
Comment 16 Ed Morley [:emorley] 2011-10-29 10:18:50 PDT
Beta1 made mozilla9 in comment 4.
Comment 17 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-10-30 23:33:20 PDT
Created attachment 570614 [details] [diff] [review]
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

Kai, this patch is for mozilla-aurora only. It upgrades NSS to 3.13.1 RTM. I made the following changes:
* python client.py update_nss NSS_3_13_1_RTM
* verified security/coreconf/coreconf.dep was modified
* updated configure.in to require system NSS 3.13.1
Comment 18 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-10-30 23:40:45 PDT
Created attachment 570615 [details] [diff] [review]
Update mozilla-central to NSS 3.13.1

Kai, this patch updates mozilla-central to NSS 3.13.1 RTM. I made the following changes:
* python client.py update_nss NSS_3_13_1_RTM
* updated security/coreconf/coreconf.dep to remove a blank line, to cause NSS to fully rebuild
* updated configure.in to require NSS 3.13.1 or later.

I am not sure about the change to security/coreconf/coreconf.dep. Is that the right thing to do here?
Comment 19 Wan-Teh Chang 2011-10-31 11:09:41 PDT
Yes, to update security/coreconf/coreconf.dep, just add or delete a
blank line at the end of the file.
Comment 20 Wan-Teh Chang 2011-10-31 11:13:33 PDT
Comment on attachment 570615 [details] [diff] [review]
Update mozilla-central to NSS 3.13.1

r=wtc.  This patch is correct.
Comment 21 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-11-02 19:12:46 PDT
Comment on attachment 570614 [details] [diff] [review]
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

Review of attachment 570614 [details] [diff] [review]:
-----------------------------------------------------------------

I think we should apply this patch before we apply the patch for bug 698753. Please r+ and a+ for aurora.
Comment 22 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-11-02 21:23:06 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/07f01c6bfaa9
Comment 23 Kai Engert (:kaie) 2011-11-03 08:05:29 PDT
Comment on attachment 570614 [details] [diff] [review]
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

based on:
- the description in comment 17
- the change to configure.in in the attached patch:

r=kaie


Suggestion: I think it's unnecessary to attach such large diffs between release snapshots. It's impossible to review them. For the next time, I recommend to simply attach your own changes (such as your change to configure.in). If you want a formal review on "upgrade NSS", then you could do what I usually did in the recent past. Create a small text file that contains the commands to upgrade NSS, i.e. "python update_nss TAG", attach it and ask for review on that.
Comment 24 Marco Bonardo [::mak] 2011-11-03 08:56:02 PDT
https://hg.mozilla.org/mozilla-central/rev/07f01c6bfaa9

please, resolve the bug if this was the final version, RTM sounds like it was.
Comment 25 Wan-Teh Chang 2011-11-03 10:00:26 PDT
Comment on attachment 570614 [details] [diff] [review]
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

Review of attachment 570614 [details] [diff] [review]:
-----------------------------------------------------------------

r=wtc.  The procedure in comment 17 is correct.  The changes to configure.in,
security/nss/TAG-INFO, and security/coreconf/coreconf.dep are correct.
Comment 26 Kai Engert (:kaie) 2011-11-04 12:45:36 PDT
I agree this can be resolved, per comment 22 / 24, because mozilla-central already uses NSS 3.13.1 RTM.

I'll land this one and 698753 into aurora now.
Comment 28 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-12-07 13:08:44 PST
Is there anything specific QA can check to verify this fix (other than version info in source)?

Note You need to log in before you can comment on or make changes to this bug.