Closed Bug 839141 Opened 11 years ago Closed 11 years ago

Upgrade Mozilla to NSS 3.14.3 (once it's ready)

Categories

(Core :: Security: PSM, defect)

20 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
firefox20 + fixed
firefox21 + fixed
firefox-esr17 20+ fixed
b2g18 20+ fixed
b2g18-v1.0.1 --- fixed

People

(Reporter: KaiE, Assigned: mayhemer)

References

(Blocks 1 open bug)

Details

(Whiteboard: [no-nag])

Attachments

(5 files, 1 obsolete file)

Mozilla should pick up the bugfix from NSS bug 822365, which requires upgrading to NSS 3.14.3, and I suggest using this bug to track upgrading the various Mozilla branches.

NSS 3.14.3 hasn't been released yet, but we have started testing it.
We just created the first beta tag, NSS_3_14_3_BETA1
Whiteboard: [keep open] → [leave open]
We must update mozilla-central and mozilla-aurora to the final RTM version.

The only changes that affect Mozilla's build are the version numbers.
Attachment #718510 - Flags: review?(bsmith)
Comment on attachment 718510 [details]
placeholder for approval

r=wtc.
Attachment #718510 - Flags: review?(bsmith) → review+
Whiteboard: [leave open] → [leave open][no-nag]
In order to pick up the lucky-13 fix for Firefox, we need to get this upgrade done.

Therefore I propose to migrate the flags from bug 822365 to this one, at least 20 and esr17.

I'm not involved in b2g, so I'm not touching those flags.
Attachment #718510 - Flags: approval-mozilla-esr17?
We're still discussing what to do about ESR17/B2G18 in email, but this can definitely land to FF20/21.
Assignee: nobody → honzab.moz
tracking-b2g18: --- → ?
Depends on: 848890
Comment on attachment 718510 [details]
placeholder for approval

[Triage Comment]
Please go ahead with landing this upgrade to Aurora/Beta branches today.
Attachment #718510 - Flags: approval-mozilla-beta+
Attachment #718510 - Flags: approval-mozilla-aurora+
Attached patch v1 (Splinter Review)
Command series, ran from mozilla-central root src dir:

$ python client.py update_nss NSS_3_14_3_RTM

$ patch < security/patches/bug-834091.patch
patching file security/nss/lib/pkcs7/p7decode.c
patching file security/nss/lib/pkcs7/secpkcs7.h
patching file security/nss/lib/smime/smime.def

$ hg addrem
removing dbm/include/moz.build
removing dbm/moz.build
removing dbm/src/moz.build
removing dbm/tests/moz.build
removing security/nss/tests/pkcs11/netscape/trivial/moz.build

$ hg stat
M security/nss/TAG-INFO
M security/nss/TAG-INFO-CKBI
M security/nss/cmd/certutil/certutil.c
M security/nss/lib/freebl/blapi.h
M security/nss/lib/freebl/hmacct.h
M security/nss/lib/nss/nss.h
M security/nss/lib/softoken/softkver.h
M security/nss/lib/util/nssutil.h
M security/nss/lib/util/pkcs11n.h
R dbm/include/moz.build
R dbm/moz.build
R dbm/src/moz.build
R dbm/tests/moz.build
R security/nss/tests/pkcs11/netscape/trivial/moz.build

$ hg qnew 834091-update-nss-to-NSS_3_14_3_RTM.patch
Attachment #724078 - Flags: review?(bsmith)
Attached patch v1 for m-a (Splinter Review)
$ python client.py update_nss NSS_3_14_3_RTM
$ patch -p0 < security/patches/bug-834091.patch
patching file security/nss/lib/pkcs7/p7decode.c
patching file security/nss/lib/pkcs7/secpkcs7.h
patching file security/nss/lib/smime/smime.def

$ hg stat
M security/nss/TAG-INFO
M security/nss/TAG-INFO-CKBI
M security/nss/cmd/certutil/certutil.c
M security/nss/lib/freebl/blapi.h
M security/nss/lib/freebl/hmacct.h
M security/nss/lib/nss/nss.h
M security/nss/lib/softoken/softkver.h
M security/nss/lib/util/nssutil.h
M security/nss/lib/util/pkcs11n.h

$ hg qnew 834091-update-nss-to-NSS_3_14_3_RTM-m-a.patch
Attachment #724083 - Flags: review?(bsmith)
Attached patch v1 for m-b (Splinter Review)
$ python client.py update_nss NSS_3_14_3_RTM
$ hg addrem
$ hg stat
M security/nss/TAG-INFO
M security/nss/TAG-INFO-CKBI
M security/nss/cmd/certutil/certutil.c
M security/nss/lib/freebl/blapi.h
M security/nss/lib/freebl/ecl/ecp_aff.c
M security/nss/lib/freebl/ldvector.c
M security/nss/lib/freebl/loader.c
M security/nss/lib/freebl/loader.h
M security/nss/lib/freebl/manifest.mn
M security/nss/lib/freebl/md5.c
M security/nss/lib/freebl/rawhash.c
M security/nss/lib/freebl/sha512.c
M security/nss/lib/freebl/sha_fast.c
M security/nss/lib/freebl/sha_fast.h
M security/nss/lib/nss/nss.def
M security/nss/lib/nss/nss.h
M security/nss/lib/pk11wrap/pk11obj.c
M security/nss/lib/pk11wrap/pk11pub.h
M security/nss/lib/softoken/manifest.mn
M security/nss/lib/softoken/pkcs11.c
M security/nss/lib/softoken/pkcs11c.c
M security/nss/lib/softoken/pkcs11i.h
M security/nss/lib/softoken/rsawrapr.c
M security/nss/lib/softoken/sdb.c
M security/nss/lib/softoken/softkver.h
M security/nss/lib/softoken/softoken.h
M security/nss/lib/softoken/softoknt.h
M security/nss/lib/ssl/ssl3con.c
M security/nss/lib/util/hasht.h
M security/nss/lib/util/nssutil.h
M security/nss/lib/util/pkcs11n.h
M security/nss/tests/ssl/ssl.sh
A security/nss/lib/freebl/hmacct.c
A security/nss/lib/freebl/hmacct.h
A security/nss/lib/softoken/sftkhmac.c

$ hg qnew 834091-update-nss-to-NSS_3_14_3_RTM-m-b.patch
Attachment #724085 - Flags: review?(bsmith)
Comment on attachment 724078 [details] [diff] [review]
v1

Review of attachment 724078 [details] [diff] [review]:
-----------------------------------------------------------------

::: dbm/include/moz.build
@@ -1,4 @@
> -# vim: set filetype=python:
> -# This Source Code Form is subject to the terms of the Mozilla Public
> -# License, v. 2.0. If a copy of the MPL was not distributed with this
> -# file, You can obtain one at http://mozilla.org/MPL/2.0/.
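Review bot: the hunk removes dbm/include/moz.build outright (all four lines go, nothing replaces them), yet a moz.build file is a Gecko build-system file and not part of the NSS snapshot that client.py refreshes, so the deletion looks like a side effect of the hg addremove step rather than an intended change; confirm that the file should go, or restore it before landing.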

Honza: What are these moz.build files in your patch?
Attachment #724091 - Flags: review?(bsmith) → review+
(In reply to Wan-Teh Chang from comment #13)
> Comment on attachment 724078 [details] [diff] [review]
> v1
> 
> Review of attachment 724078 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: dbm/include/moz.build
> @@ -1,4 @@
> > -# vim: set filetype=python:
> > -# This Source Code Form is subject to the terms of the Mozilla Public
> > -# License, v. 2.0. If a copy of the MPL was not distributed with this
> > -# file, You can obtain one at http://mozilla.org/MPL/2.0/.
> 
> Honza: What are these moz.build files in your patch?

They landed as part of updating the build system in bug 784841. I imagine they shouldn't be removed.
(In reply to Wan-Teh Chang from comment #13)
> Honza: What are these moz.build files in your patch?

Good question, those have been removed by the update.  Not sure whether they should be left in the tree or not.  Probably yes.. those seem to be the recent updates to the Mozilla build system.

Seems like that is something we will need to manage from now on every time we update NSS.

Probably worth a new bug and documentation update.
Attached patch v1.1 for m-c (obsolete) — Splinter Review
Attachment #724115 - Flags: review?(bsmith)
Comment on attachment 724078 [details] [diff] [review]
v1

> python client.py update_nss NSS_3_14_3_RTM
> hg addrem

I agree that this is the right thing to do. I did not review the actual patch, but instead just these steps. The hg addremove should be "hg addremove dbm security/coreconf security/dbm security/nss" but in Honza's trees that's equivalent.

I did notice the moz.build files were mentioned in the patch. I think the moz.build files shouldn't be in these NSS directories at all. I agree it seems good to remove these files.

The NSS 3.14.3 release notes say that NSS 3.14.3 requires NSPR 4.9.5 or later. I checked and all branches have NSPR 4.9.5 or later so NSPR doesn't need to be updated.
Attachment #724078 - Flags: review?(bsmith) → review+
Honza, also when you update each tree, make sure that the patch that lands either adds or removes a blank line from security/coreconf/coreconf.dep. This is a workaround to deal with the fact that the build dependencies for header files in NSS are not correct.
Comment on attachment 724083 [details] [diff] [review]
v1 for m-a

Honza, you don't need to post patches for review here. The comments you made with the "python client.py" "hg addremove" and "hg status" are sufficient for the review, and those work across branches.
Attachment #724083 - Flags: review?(bsmith)
(In reply to Brian Smith (:bsmith) from comment #19)
> Comment on attachment 724083 [details] [diff] [review]
> v1 for m-a
> 
> Honza, you don't need to post patches for review here. The comments you made
> with the "python client.py" "hg addremove" and "hg status" are sufficient
> for the review, and those work across branches.

OK, next time :)

(In reply to Brian Smith (:bsmith) from comment #18)
> Honza, also when you update each tree, make sure that the patch that lands
> either adds or removes a blank line from security/coreconf/coreconf.dep.
> This is a workaround to deal with the fact that the build dependencies for
> header files in NSS are not correct.

According to [1], no need for Gecko 17+, right?

[1] https://developer.mozilla.org/en-US/docs/Updating_NSPR_or_NSS_in_mozilla-central
Comment on attachment 724078 [details] [diff] [review]
v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): This is needed to pick up the fix for bug 822365.

User impact if declined: Exposure to bug 822365.

Testing completed (on m-c, etc.): This has been tested for a few weeks now on mozilla-central and in Google Chrome.

Risk to taking this patch (and alternatives if risky): The risk is that there will be some regressions. But, the regression risk looks low given the testing on mozilla-central and the fact that very few changes were made between NSS 3.14.2 and NSS 3.14.3:

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.14.3&product=NSS&list_id=5990497

String or UUID changes made by this patch: None
Attachment #724078 - Flags: approval-mozilla-beta?
Attachment #724078 - Flags: approval-mozilla-aurora?
(In reply to Honza Bambas (:mayhemer) from comment #20)
> According to [1], no need for Gecko 17+, right?
> 
> [1]
> https://developer.mozilla.org/en-US/docs/Updating_NSPR_or_NSS_in_mozilla-
> central

The client.py script *should* do the change for you automatically. However, I think there may be a bug in it, because I remember having to manually fix security/coreconf/coreconf.dep myself after the fact. As long as "hg diff security/coreconf/coreconf.dep" gives you a change to that file (whether done by client.py or done by yourself manually), you are good to go.
(In reply to Brian Smith (:bsmith) from comment #22)
> (In reply to Honza Bambas (:mayhemer) from comment #20)
> > According to [1], no need for Gecko 17+, right?
> > 
> > [1]
> > https://developer.mozilla.org/en-US/docs/Updating_NSPR_or_NSS_in_mozilla-
> > central
> 
> The client.py script *should* do the change for you automatically. However,
> I think there may be a bug in it, because I remember having to manually fix
> security/coreconf/coreconf.dep myself after the fact. As long as "hg diff
> security/coreconf/coreconf.dep" gives you a change to that file (whether
> done by client.py or done by yourself manually), you are good to go.

Hmm.. I thought it had been fixed in a smarter way.. OK, good point!
Also, in mozilla-central and mozilla-aurora, there are mozilla-specific patches in security/patches that must be re-applied after you run client.py.
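The update sequence that comments 18, 22 and 24 describe (run client.py, re-apply the Mozilla-local patches under security/patches, addremove the NSS directories, and make sure coreconf.dep ends up modified), as an added shell example that is not from this bug or from the Mozilla tree. The tree path and tag are caller-supplied assumptions, and applying every patch in security/patches with `patch -p0` is assumed from the commands shown in the thread.

```shell
#!/bin/sh
# Added example, not part of the bug or of the Mozilla tree. Wraps the steps
# discussed in the thread; tree path, tag and the `patch -p0` loop are assumptions.
set -eu

# Workaround from the bug: NSS header dependencies are not tracked correctly, so
# the landed patch must touch security/coreconf/coreconf.dep. Toggle a trailing
# blank line so the file is modified whether or not client.py already changed it.
touch_coreconf_dep() {
    dep="$1"
    if [ "$(tail -n 1 "$dep")" = "" ]; then
        sed '$d' "$dep" > "$dep.tmp" && mv "$dep.tmp" "$dep"   # drop the blank line
    else
        printf '\n' >> "$dep"                                   # add a blank line
    fi
}

# Returns 0 when the file differs from its pre-update copy. Inside a real
# checkout the equivalent check is: hg diff security/coreconf/coreconf.dep
coreconf_dep_changed() {
    ! cmp -s "$1" "$2"
}

# Full sequence; only meaningful inside a mozilla-central style checkout.
update_nss_tree() {
    tree="$1"; tag="$2"
    cd "$tree"
    cp security/coreconf/coreconf.dep /tmp/coreconf.dep.orig
    python client.py update_nss "$tag"
    for p in security/patches/*.patch; do           # re-apply Mozilla-local patches
        patch -p0 < "$p"
    done
    hg addremove dbm security/coreconf security/dbm security/nss
    if ! coreconf_dep_changed /tmp/coreconf.dep.orig security/coreconf/coreconf.dep; then
        touch_coreconf_dep security/coreconf/coreconf.dep
    fi
    # Final gate from comment 22: the diff for coreconf.dep must not be empty.
    hg diff security/coreconf/coreconf.dep | grep -q . || {
        echo "coreconf.dep was not modified; the rebuild workaround is missing" >&2
        exit 1
    }
}

if [ "$#" -eq 2 ]; then
    update_nss_tree "$1" "$2"
fi
```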
(In reply to Brian Smith (:bsmith) from comment #24)
> Also, in mozilla-central and mozilla-aurora, there are mozilla-specific
> patches in security/patches that must be re-applied after you run client.py.

I thought I did that, right?
Attachment #724115 - Attachment is obsolete: true
Attachment #724115 - Flags: review?(bsmith)
Attachment #724078 - Flags: approval-mozilla-beta?
Attachment #724078 - Flags: approval-mozilla-beta+
Attachment #724078 - Flags: approval-mozilla-aurora?
Attachment #724078 - Flags: approval-mozilla-aurora+
Comment on attachment 718510 [details]
placeholder for approval

After analysis by Brian in bug 848890, the risk here for uplifting NSS/NSPR is manageable and necessary. We're committed to providing ESR users with the latest critical security fixes, and these changes do qualify.

The only remaining step is to uplift to mozilla-b2g18
Attachment #718510 - Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
gps, FYI:

(In reply to Honza Bambas (:mayhemer) from comment #9)
> $ hg addrem
> removing dbm/include/moz.build
> removing dbm/moz.build
> removing dbm/src/moz.build
> removing dbm/tests/moz.build
> removing security/nss/tests/pkcs11/netscape/trivial/moz.build
We'll want to ask enterprises to test "SSL client authentication with smartcards" according to https://bugzilla.mozilla.org/show_bug.cgi?id=848890#c4

Setting the relnote flag to get this on a list we'll review closer to release.
relnote-firefox: --- → ?
Closing, because 3.14.3 RTM has landed on mozilla-central already (comment 26).
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [leave open][no-nag] → [no-nag]
Setting aurora 21 and beta 20 flags to fixed, based on comments 27 and 28.
(In reply to Kai Engert (:kaie) from comment #33)
> Landed NSPR 4.9.5 and NSS 3.14.3 RTM versions into mozilla-esr17 branch.
> https://hg.mozilla.org/releases/mozilla-esr17/rev/902b2c3f4d6b
> https://hg.mozilla.org/releases/mozilla-esr17/rev/747c40b60d2b

Thanks Kai for landing this, I didn't get to it.
Depends on: 855263
(In reply to Kai Engert (:kaie) from comment #33)
> Landed NSPR 4.9.5 and NSS 3.14.3 RTM versions into mozilla-esr17 branch.
> https://hg.mozilla.org/releases/mozilla-esr17/rev/902b2c3f4d6b
> https://hg.mozilla.org/releases/mozilla-esr17/rev/747c40b60d2b

Would you mind doing the same for mozilla-b2g18? a=akeybl
Flags: needinfo?(kaie)
(In reply to Alex Keybl [:akeybl] from comment #36)
> (In reply to Kai Engert (:kaie) from comment #33)
> > Landed NSPR 4.9.5 and NSS 3.14.3 RTM versions into mozilla-esr17 branch.
> > https://hg.mozilla.org/releases/mozilla-esr17/rev/902b2c3f4d6b
> > https://hg.mozilla.org/releases/mozilla-esr17/rev/747c40b60d2b
> 
> Would you mind doing the same for mozilla-b2g18? a=akeybl

I'm not working with b2g. I never checked out the tree, I never built it, I don't know how to test it. So, there is risk that I accidentally break things. Furthermore I think b2g18 uses a fork of NSS, and it would require me to reapply the local patches that Mozilla uses on top of regular NSS. I would prefer to not touch that branch.
Flags: needinfo?(kaie)