Closed Bug 848890 Opened 12 years ago Closed 12 years ago

Determine what changes need to be disabled, or may prevent uplift of NSS 3.14.3 on ESR17

Component: Core :: Security: PSM
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Reporter: akeybl
Assigned: briansmith

We're considering uplifting NSS 3.14.3 to ESR17 (currently 3.13.6) and B2G18 for bug 822365. Brian has offered to review the changes and suggest disabling major changes, or call out risk about those changes.
Bug 650355 means we don't have to worry about changing the NSS default around md5 certs for ESR17/B2G18.
I reviewed the changes between NSS 3.13.6 and NSS 3.14.3:

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&query_format=advanced&bug_status=RESOLVED&bug_status=VERIFIED&target_milestone=3.14.1&product=NSS&list_id=5990542
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&query_format=advanced&bug_status=RESOLVED&bug_status=VERIFIED&target_milestone=3.14.2&product=NSS&list_id=5990542
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.14.3&product=NSS&list_id=5990497

Although it looks like a lot of changes, many of those changes are just code cleanup and/or fixing the tests and/or fixing the NSS tools, which means that Firefox won't be affected by most of them.

The most risky changes from NSS 3.14.1, which has *already shipped in at least one Firefox non-ESR final release*:

Bug 357025: potentially affects client authentication because of the CKA_ALWAYS_AUTHENTICATE attribute.

Bug 611451: On MacOS X only, we were exporting some symbols from NSS libraries that we never intended to support. There is some small chance that a MacOS-only addon that is for ESR only is using these functions.

And these are the risky bugs that haven't shipped in a final release, but have shipped in the latest set of betas:

Bug 629816: This affects certificate parsing. However, it is a security fix that is driving the updating of NSS in ESR anyway.

Bug 813857: Seems like a potentially security-sensitive fix and so seems like a good idea to take for ESR anyway.

These haven't yet landed in beta but have been tested on mozilla-central:

Bug 822365: Lucky 13 fix that is motivating the update of NSS in ESR in the first place.

Bug 836562: ECC performance improvement. This code is (AFAICT) heavily tested in everyday use of Firefox and Chrome though.

The NSS release notes say that NSS 3.14.3 requires NSPR 4.9.5. ESR17 is currently using NSPR 4.9.2. Here are the differences between NSPR 4.9.2 and NSPR 4.9.5:

https://bugzilla.mozilla.org/buglist.cgi?list_id=5990677&resolution=FIXED&query_format=advanced&target_milestone=4.9.3&target_milestone=4.9.4&target_milestone=4.9.5&product=NSPR

These changes all seem like they are very low risk. So, I would say that there is pretty low risk in upgrading ESR to NSPR 4.9.5 and NSS 3.14.3.

Alex, is there anything else I can investigate for you? Any questions?
Flags: needinfo?(akeybl)
Thanks Brian!

(In reply to Brian Smith (:bsmith) from comment #2)
> The most risky changes from NSS 3.14.1, which has *already shipped in at
> least one Firefox non-ESR final release*:
>
> Bug 357025: potentially affects client authentication because of the
> CKA_ALWAYS_AUTHENTICATE attribute.

What auth could be impacted - proxy auth, web auth, etc.? We could ask enterprise IT to test whether they're impacted.

> Bug 611451: On MacOS X only, we were exporting some symbols from NSS
> libraries that we never intended to support. There is some small chance that
> a MacOS-only addon that is for ESR only is using these functions.

We don't feel this is concerning given your description.

The rest of the risk feels manageable.
Flags: needinfo?(akeybl)
(In reply to Alex Keybl [:akeybl] from comment #3)
> Thanks Brian!
>
> (In reply to Brian Smith (:bsmith) from comment #2)
> > The most risky changes from NSS 3.14.1, which has *already shipped in at
> > least one Firefox non-ESR final release*:
> >
> > Bug 357025: potentially affects client authentication because of the
> > CKA_ALWAYS_AUTHENTICATE attribute.
>
> What auth could be impacted - proxy auth, web auth, etc.? We could ask
> enterprise IT to test whether they're impacted.

SSL client authentication with smartcards.
Thanks Brian - calling this resolved.
Status: NEW → RESOLVED
Closed: 12 years ago
tracking-b2g18: ? → ---
Resolution: --- → FIXED