Upgrade Mozilla to NSS 3.13.1

RESOLVED FIXED in mozilla9

Status

Core
Security: PSM
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: kaie, Assigned: briansmith)

Tracking

({compat})

Trunk
mozilla9
compat
Points: ---

Firefox Tracking Flags

(firefox8+ unaffected, firefox9+ affected)

Details

(Whiteboard: [Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera][qa?])

Attachments

(2 attachments, 2 obsolete attachments)

(Reporter)

Description

6 years ago
NSS 3.13 is not yet released, but once it is, we want to upgrade mozilla-central to use it.
(Reporter)

Updated

6 years ago
Blocks: 673381
(Reporter)

Comment 1

6 years ago
Created attachment 554163 [details] [diff] [review]
NSS_3_13_BETA1

Wan-Teh, do you agree to upgrade mozilla-central to NSS_3_13_BETA1 ?

(I plan to do so after getting a successful tryserver build with this tag.)
Assignee: nobody → kaie
Attachment #554163 - Flags: review?(wtc)

Comment 2

6 years ago
Comment on attachment 554163 [details] [diff] [review]
NSS_3_13_BETA1

r=wtc.  I agree.
Attachment #554163 - Flags: review?(wtc) → review+
(Reporter)

Comment 3

6 years ago
Beta1 tryserver build looks good to me.
http://tbpl.allizom.org/?tree=Try&usebuildbot=1&rev=a1e17d3d08e8

I checked the Beta1 in to mozilla-inbound.
http://hg.mozilla.org/integration/mozilla-inbound/rev/33000157292b
http://hg.mozilla.org/mozilla-central/rev/33000157292b
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
(Reporter)

Comment 5

6 years ago
This will stay open until we have checked in the final release of 3.13
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: keep open until 3.13 FINAL has been checked ing
(Reporter)

Updated

6 years ago
Whiteboard: keep open until 3.13 FINAL has been checked ing → keep open until 3.13 FINAL has been checked in
Duplicate of this bug: 692698
We have to take this in mozilla-aurora because we committed 3.13 BETA 1 before the merge. If we decide we don't want to activate the safeguards against the BEAST attack in mozilla-aurora because of the compatibility risk, then I will write a one-line patch that uses the SSL_OptionSet API to disable it. But, I would prefer we try to avoid doing that if possible.

There is some tension between the known compatibility issues associated with the workaround for the TLS BEAST attack included in 3.13 and other browsers' schedules for releasing a workaround. Details of other browser makers' plans cannot be posted here, but I believe that it will be important for Firefox 8 or Firefox 9 to take up this release. I will schedule a private meeting to discuss the compatibility impact with release-drivers.
status-firefox9: --- → affected
tracking-firefox8: --- → ?
tracking-firefox9: --- → ?
Keywords: compat
Whiteboard: keep open until 3.13 FINAL has been checked in → [keep open until 3.13 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]
Here is the tryserver run after running:
    python client.py update_nss NSS_3_13_RC0
    hg addremove

Here is the tryserver run for NSS_3_13_RC0:
https://tbpl.mozilla.org/?tree=Try&rev=ef941bca98fd

Once it completes, I will check it into mozilla-central.
Created attachment 565639 [details] [diff] [review]
Upgrade to NSS 3.13.0

Wan-Teh, I believe I am doing the import correctly, but could you please double-check?

I issued the commands:
    python client.py update_nss NSS_3_13_RC0
    hg addremove

I verified that coreconf.dep was already modified.

The tryserver run above looks as decent as a tryserver run gets (not very decent, but not the fault of this change.)
Assignee: kaie → bsmith
Attachment #554163 - Attachment is obsolete: true
Attachment #565639 - Flags: review?(wtc)

Comment 10

6 years ago
Comment on attachment 565639 [details] [diff] [review]
Upgrade to NSS 3.13.0

r=wtc.
Attachment #565639 - Flags: review?(wtc) → review+
Comment on attachment 565639 [details] [diff] [review]
Upgrade to NSS 3.13.0

https://hg.mozilla.org/mozilla-central/rev/8f011395145e
Attachment #565639 - Flags: checkin+
Depends on: 693925

Updated

6 years ago
Depends on: 693228
Because of regression bug 693228 introduced in NSS 3.13, we MUST update to the next NSS release (NSS 3.13.1) for mozilla-central.

Because we landed a pre-release of NSS 3.13 before mozilla-aurora branched, we MUST use that same NSS release (NSS 3.13.1) on mozilla-aurora.
Summary: Upgrade Mozilla to NSS 3.13 → Upgrade Mozilla to NSS 3.13.1
Whiteboard: [keep open until 3.13 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]
Depends on: 695833

Comment 13

6 years ago
I don't understand why we need both this bug and the NSS bug 695833.
Anyway, I have created the NSS_3_13_1_BETA1 CVS tag and will push it
to mozilla-inbound when the tree opens.

Comment 14

6 years ago
---------------------------------[ Triage Comment ]---------------------------------

We definitely want to track this for 9aurora as we have the beta version there and should update to final.

What do we need to do for Firefox 8? I doubt we'll be taking this version into the tree as it is so close to release and Oracle has released an update for Java mitigating the BEAST attack (I think).

We'll track this for Firefox 8 as well until we get a definitive answer so this doesn't get lost.
tracking-firefox8: ? → +
tracking-firefox9: ? → +
Depends on: 698203
Why is target milestone Mozilla9? Atm this is only in Mozilla10.
Beta1 made mozilla9 in comment 4.
Depends on: 698222
Created attachment 570614 [details] [diff] [review]
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

Kai, this patch is for mozilla-aurora only. It upgrades NSS to 3.13.1 RTM. I made the following changes:
* python client.py update_nss NSS_3_13_1_RTM
* verified security/coreconf/coreconf.dep was modified
* updated configure.in to require system NSS 3.13.1
Attachment #570614 - Flags: review?(kaie)
Created attachment 570615 [details] [diff] [review]
Update mozilla-central to NSS 3.13.1

Kai, this patch updates mozilla-central to NSS 3.13.1 RTM. I made the following changes:
* python client.py update_nss NSS_3_13_1_RTM
* updated security/coreconf/coreconf.dep to remove a blank line, to cause NSS to fully rebuild
* updated configure.in to require NSS 3.13.1 or later.

I am not sure about the change to security/coreconf/coreconf.dep. Is that the right thing to do here?
Attachment #565639 - Attachment is obsolete: true
Attachment #570615 - Flags: review?(kaie)

Comment 19

6 years ago
Yes, to update security/coreconf/coreconf.dep, just add or delete a
blank line at the end of the file.

Comment 20

6 years ago
Comment on attachment 570615 [details] [diff] [review]
Update mozilla-central to NSS 3.13.1

r=wtc.  This patch is correct.
Attachment #570615 - Flags: review?(kaie) → review+

Updated

6 years ago
status-firefox8: --- → unaffected
Comment on attachment 570614 [details] [diff] [review]
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

Review of attachment 570614 [details] [diff] [review]:
-----------------------------------------------------------------

I think we should apply this patch before we apply the patch for bug 698753. Please r+ and a+ for aurora.
Attachment #570614 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/integration/mozilla-inbound/rev/07f01c6bfaa9
Whiteboard: [keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [inbound][keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]
(Reporter)

Comment 23

6 years ago
Comment on attachment 570614 [details] [diff] [review]
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

based on:
- the description in comment 17
- the change to configure.in in the attached patch:

r=kaie


Suggestion: I think it's unnecessary to attach such large diffs between release snapshots. It's impossible to review them. For the next time, I recommend to simply attach your own changes (such as your change to configure.in). If you want a formal review on "upgrade NSS", then you could do what I usually did in the recent past. Create a small text file that contains the commands to upgrade NSS, i.e. "python update_nss TAG", attach it and ask for review on that.
Attachment #570614 - Flags: review?(kaie) → review+
https://hg.mozilla.org/mozilla-central/rev/07f01c6bfaa9

Please resolve the bug if this was the final version; RTM sounds like it was.
Whiteboard: [inbound][keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]

Comment 25

6 years ago
Comment on attachment 570614 [details] [diff] [review]
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

Review of attachment 570614 [details] [diff] [review]:
-----------------------------------------------------------------

r=wtc.  The procedure in comment 17 is correct.  The changes to configure.in,
security/nss/TAG-INFO, and security/coreconf/coreconf.dep are correct.
Attachment #570614 - Flags: review+

Updated

6 years ago
Attachment #570614 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Reporter)

Comment 26

6 years ago
I agree this can be resolved, per comment 22 / 24, because mozilla-central already uses NSS 3.13.1 RTM.

I'll land this one and 698753 into aurora now.
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 27

6 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/bf9edc46e39f
(Reporter)

Updated

6 years ago
Whiteboard: [keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]

Updated

5 years ago
Depends on: 702111
Is there anything specific QA can check to verify this fix (other than version info in source)?
Whiteboard: [Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera][qa?]

Updated

5 years ago
Depends on: 724478

Updated

5 years ago
Depends on: 738028

Updated

5 years ago
Depends on: 723370

Updated

5 years ago
Depends on: 742694