Determine what changes need to be disabled, or may prevent uplift of NSS 3.14.3 on ESR17

Status: RESOLVED FIXED

People

(Reporter: akeybl, Assigned: briansmith)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
We're considering uplifting NSS 3.14.3 to ESR17 (currently 3.13.6) and B2G18 for bug 822365. Brian has offered to review the changes and suggest disabling major changes, or call out risk about those changes.
(Reporter)

Comment 1

6 years ago
Bug 650355 means we don't have to worry about changing the NSS default around md5 certs for ESR17/B2G18.
I reviewed the changes between NSS 3.13.6 and NSS 3.14.3:

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&query_format=advanced&bug_status=RESOLVED&bug_status=VERIFIED&target_milestone=3.14.1&product=NSS&list_id=5990542

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&query_format=advanced&bug_status=RESOLVED&bug_status=VERIFIED&target_milestone=3.14.2&product=NSS&list_id=5990542

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.14.3&product=NSS&list_id=5990497

Although it looks like a lot of changes, many of those changes are just code cleanup and/or fixing the tests and/or fixing the NSS tools, which means that Firefox won't be affected by most of them.

The most risky changes from NSS 3.14.1, which has *already shipped in at least one Firefox non-ESR final release*:

Bug 357025: potentially affects client authentication because of the CKA_ALWAYS_AUTHENTICATE attribute. 

Bug 611451: On MacOS X only, we were exporting some symbols from NSS libraries that we never intended to support. There is some small chance that a MacOS-only addon that is for ESR only is using these functions.

And these are the risky bugs that haven't shipped in a final release, but have shipped in the latest set of betas:

Bug 629816: This affects certificate parsing. However, it is a security fix that is driving the updating of NSS in ESR anyway.

Bug 813857: Seems like a potentially security-sensitive fix and so seems like a good idea to take for ESR anyway.

These haven't yet landed in beta but have been tested on mozilla-central:

Bug 822365: Lucky 13 fix that is motivating the update of NSS in ESR in the first place.

Bug 836562: ECC performance improvement. This code is (AFAICT) heavily tested in everyday use of Firefox and Chrome though.

The NSS release notes say that NSS 3.14.3 requires NSPR 4.9.5. ESR17 is currently using NSPR 4.9.2. Here are the differences between NSPR 4.9.2 and NSPR 4.9.5:

https://bugzilla.mozilla.org/buglist.cgi?list_id=5990677&resolution=FIXED&query_format=advanced&target_milestone=4.9.3&target_milestone=4.9.4&target_milestone=4.9.5&product=NSPR

These changes all seem like they are very low risk.

So, I would say that there is pretty low risk in upgrading ESR to NSPR 4.9.5 and NSS 3.14.3.

Alex, is there anything else I can investigate for you? Any questions?
Flags: needinfo?(akeybl)
(Reporter)

Comment 3

6 years ago
Thanks Brian!

(In reply to Brian Smith (:bsmith) from comment #2)
> The most risky changes from NSS 3.14.1, which has *already shipped in at
> least one Firefox non-ESR final release*:
> 
> Bug 357025: potentially affects client authentication because of the
> CKA_ALWAYS_AUTHENTICATE attribute. 

What auth could be impacted - proxy auth, web auth, etc.? We could ask enterprise IT to test whether they're impacted.

> Bug 611451: On MacOS X only, we were exporting some symbols from NSS
> libraries that we never intended to support. There is some small chance that
> a MacOS-only addon that is for ESR only is using these functions.

We don't feel this is concerning given your description.

The rest of the risk feels manageable.
Flags: needinfo?(akeybl)
(Reporter)

Updated

6 years ago
tracking-b2g18: 20+ → ?
tracking-firefox-esr17: --- → ?
(In reply to Alex Keybl [:akeybl] from comment #3)
> Thanks Brian!
> 
> (In reply to Brian Smith (:bsmith) from comment #2)
> > The most risky changes from NSS 3.14.1, which has *already shipped in at
> > least one Firefox non-ESR final release*:
> > 
> > Bug 357025: potentially affects client authentication because of the
> > CKA_ALWAYS_AUTHENTICATE attribute. 
> 
> What auth could be impacted - proxy auth, web auth, etc.? We could ask
> enterprise IT to test whether they're impacted.

SSL client authentication with smartcards.
(Reporter)

Comment 5

6 years ago
Thanks Brian - calling this resolved.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
tracking-b2g18: ? → ---
tracking-firefox-esr17: ? → ---
Resolution: --- → FIXED