Last Comment Bug 728617 - Update Mozilla to NSS 3.13.3 (and mozilla-10 will need NSPR 4.9)
: Update Mozilla to NSS 3.13.3 (and mozilla-10 will need NSPR 4.9)
Product: Core
Classification: Components
Component: Security: PSM (show other bugs)
: 10 Branch
: All All
: -- normal (vote)
: mozilla13
Assigned To: Kai Engert (:kaie) (on vacation)
: David Keeler [:keeler] (use needinfo?)
Depends on: 727167
Blocks: 724929
  Show dependency treegraph
Reported: 2012-02-18 15:43 PST by Kai Engert (:kaie) (on vacation)
Modified: 2012-03-05 10:31 PST (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Kai Engert (:kaie) (on vacation) 2012-02-18 15:43:09 PST
Update Mozilla to NSS 3.13.3

The changes between .2 and .3 are minimal.

There are only correctness changes, a fix to active distrust, and a patch to actively distrust the MITM subCAs issued by TrustWave.

The changes can be seen here:

(ignore the generated code in certdata.c - only read certdata.txt)
Comment 1 Kai Engert (:kaie) (on vacation) 2012-02-18 15:43:29 PST
I have r=rrelyea for the plan to update to 3.13.3
Comment 2 Kai Engert (:kaie) (on vacation) 2012-02-19 04:54:11 PST
Try build for mozilla-central:

Try build for mozilla-aurora:

Try build for mozilla-beta:
Comment 3 Kai Engert (:kaie) (on vacation) 2012-02-19 04:56:00 PST
Try build for mozilla-beta:
Comment 4 Kai Engert (:kaie) (on vacation) 2012-02-22 02:06:34 PST
This updated NSS release actively distrusts the MITM subCA certificates that were issued by Trustwave.

Pushed to mozilla-inbound

Proposed for mozilla-beta (11) and mozilla-aurora (12).
Comment 5 Kai Engert (:kaie) (on vacation) 2012-02-22 02:35:48 PST
Proposing for the Firefox 10 / 10 esr.
If you do upgrade NSS to this newer release, you must also upgrade NSPR to 4.9.
Comment 6 Daniel Veditz [:dveditz] 2012-02-22 10:15:57 PST
No need to track already-shipped Fx10, but we should land this on ESR when we take it for release (fx11 I hope, if not Fx12). We can live without this on 3.6.x since this would be a bigger upgrade on that branch and it's practically EOL.
Comment 7 Alex Keybl [:akeybl] 2012-02-22 12:49:12 PST
Low risk and the security team recommends we take for FF11 and up (m-c, m-a, m-b). Also tracking for the  ESR - this should land ASAP. Please see for how to land on mozilla-esr10. a=akeybl
Comment 8 Ed Morley [:emorley] 2012-02-22 16:03:52 PST
Comment 10 Kai Engert (:kaie) (on vacation) 2012-02-23 06:44:18 PST

Note You need to log in before you can comment on or make changes to this bug.