Closed Bug 669061 Opened 9 years ago Closed 9 years ago

Upgrade Mozilla to NSS 3.13.1

Categories

(Core :: Security: PSM, defect)

RESOLVED FIXED
mozilla9
Tracking Status
firefox8 + unaffected
firefox9 + affected

People

(Reporter: KaiE, Assigned: briansmith)

Details

(Keywords: compat, Whiteboard: [Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera][qa?])

Attachments

(2 files, 2 obsolete files)

NSS 3.13 is not yet released, but once it is, we want to upgrade mozilla-central to use it.
Blocks: 673381
Attached patch NSS_3_13_BETA1 (obsolete)
Wan-Teh, do you agree to upgrade mozilla-central to NSS_3_13_BETA1 ?

(I plan to do so after getting a successful tryserver build with this tag.)
Assignee: nobody → kaie
Attachment #554163 - Flags: review?(wtc)
Comment on attachment 554163
NSS_3_13_BETA1

r=wtc.  I agree.
Attachment #554163 - Flags: review?(wtc) → review+
Beta1 tryserver build looks good to me.
http://tbpl.allizom.org/?tree=Try&usebuildbot=1&rev=a1e17d3d08e8

I checked the Beta1 in to mozilla-inbound.
http://hg.mozilla.org/integration/mozilla-inbound/rev/33000157292b
http://hg.mozilla.org/mozilla-central/rev/33000157292b
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
This will stay open until we have checked in the final release of 3.13
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: keep open until 3.13 FINAL has been checked ing
Whiteboard: keep open until 3.13 FINAL has been checked ing → keep open until 3.13 FINAL has been checked in
Duplicate of this bug: 692698
We have to take this in mozilla-aurora because we committed 3.13 BETA 1 before the merge. If we decide we don't want to activate the safeguards against the BEAST attack in mozilla-aurora because of the compatibility risk, then I will write a one-line patch that uses the SSL_OptionSet API to disable it. But, I would prefer we try to avoid doing that if possible.

There is some tension between the known compatibility issues associated with the workaround for the TLS BEAST attack included in 3.13 and other browsers' schedules for releasing a workaround. Details of other browser makers' plans cannot be posted here, but I believe that it will be important for Firefox 8 or Firefox 9 to take up this release. I will schedule a private meeting to discuss the compatibility impact with release-drivers.
Keywords: compat
Whiteboard: keep open until 3.13 FINAL has been checked in → [keep open until 3.13 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]
Here is the tryserver run after running:
    python client.py update_nss NSS_3_13_RC0
    hg addremove

Here is the tryserver run for NSS_3_13_RC0:
https://tbpl.mozilla.org/?tree=Try&rev=ef941bca98fd

Once it completes, I will check it into mozilla-central.
Attached patch Upgrade to NSS 3.13.0 (obsolete)
Wan-Teh, I believe I am doing the import correctly, but could you please double-check?

I issued the commands:
    python client.py update_nss NSS_3_13_RC0
    hg addremove

I verified that coreconf.dep was already modified.

The tryserver run above looks as decent as a tryserver run gets (not very decent, but not the fault of this change.)
Assignee: kaie → bsmith
Attachment #554163 - Attachment is obsolete: true
Attachment #565639 - Flags: review?(wtc)
Comment on attachment 565639
Upgrade to NSS 3.13.0

r=wtc.
Attachment #565639 - Flags: review?(wtc) → review+
Depends on: 693925
Depends on: 693228
Because of regression bug 693228 introduced in NSS 3.13, we MUST update to the next NSS release (NSS 3.13.1) for mozilla-central.

Because we landed a pre-release of NSS 3.13 before mozilla-aurora branched, we MUST use that same NSS release (NSS 3.13.1) on mozilla-aurora.
Summary: Upgrade Mozilla to NSS 3.13 → Upgrade Mozilla to NSS 3.13.1
Whiteboard: [keep open until 3.13 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]
I don't understand why we need both this bug and the NSS bug 695833.
Anyway, I have created the NSS_3_13_1_BETA1 CVS tag and will push it
to mozilla-inbound when the tree opens.
---------------------------------[ Triage Comment ]---------------------------------

We definitely want to track this for 9aurora as we have the beta version there and should update to final.

What do we need to do for Firefox 8? I doubt we'll be taking this version into the tree as it is so close to release and Oracle has released an update for Java mitigating the BEAST attack (I think).

We'll track this for Firefox 8 as well until we get a definitive answer so this doesn't get lost.
Depends on: 698203
Why is target milestone Mozilla9? Atm this is only in Mozilla10.
Beta1 made mozilla9 in comment 4.
Kai, this patch is for mozilla-aurora only. It upgrades NSS to 3.13.1 RTM. I made the following changes:
* python client.py update_nss NSS_3_13_1_RTM
* verified security/coreconf/coreconf.dep was modified
* updated configure.in to require system NSS 3.13.1
Attachment #570614 - Flags: review?(kaie)
Kai, this patch updates mozilla-central to NSS 3.13.1 RTM. I made the following changes:
* python client.py update_nss NSS_3_13_1_RTM
* updated security/coreconf/coreconf.dep to remove a blank line, to cause NSS to fully rebuild
* updated configure.in to require NSS 3.13.1 or later.

I am not sure about the change to security/coreconf/coreconf.dep. Is that the right thing to do here?
Attachment #565639 - Attachment is obsolete: true
Attachment #570615 - Flags: review?(kaie)
Yes, to update security/coreconf/coreconf.dep, just add or delete a
blank line at the end of the file.
Comment on attachment 570615
Update mozilla-central to NSS 3.13.1

r=wtc.  This patch is correct.
Attachment #570615 - Flags: review?(kaie) → review+
Comment on attachment 570614
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

Review of attachment 570614:
-----------------------------------------------------------------

I think we should apply this patch before we apply the patch for bug 698753. Please r+ and a+ for aurora.
Attachment #570614 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/integration/mozilla-inbound/rev/07f01c6bfaa9
Whiteboard: [keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [inbound][keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]
Comment on attachment 570614
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

based on:
- the description in comment 17
- the change to configure.in in the attached patch:

r=kaie


Suggestion: I think it's unnecessary to attach such large diffs between release snapshots. It's impossible to review them. For next time, I recommend simply attaching your own changes (such as your change to configure.in). If you want a formal review on "upgrade NSS", then you could do what I usually did in the recent past. Create a small text file that contains the commands to upgrade NSS, i.e. "python update_nss TAG", attach it and ask for review on that.
Attachment #570614 - Flags: review?(kaie) → review+
https://hg.mozilla.org/mozilla-central/rev/07f01c6bfaa9

Please resolve the bug if this was the final version; RTM sounds like it was.
Whiteboard: [inbound][keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]
Comment on attachment 570614
[for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM

Review of attachment 570614:
-----------------------------------------------------------------

r=wtc.  The procedure in comment 17 is correct.  The changes to configure.in,
security/nss/TAG-INFO, and security/coreconf/coreconf.dep are correct.
Attachment #570614 - Flags: review+
Attachment #570614 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
I agree this can be resolved, per comment 22 / 24, because mozilla-central already uses NSS 3.13.1 RTM.

I'll land this one and 698753 into aurora now.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [keep open until 3.13.1 FINAL has been checked in][Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera]
Depends on: 702111
Is there anything specific QA can check to verify this fix (other than version info in source)?
Whiteboard: [Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera] → [Contains security fixes, including workaround for BEAST attack][soon parity-IE][parity-Chrome][parity-Opera][qa?]
Depends on: 724478
Depends on: 738028
Depends on: 723370
Depends on: 742694