Closed
Bug 891659
Opened 11 years ago
Closed 10 years ago
Update VC++2010 runtime to MS11-025 updated version
Categories
(Infrastructure & Operations :: RelOps: General, task, P2)
Infrastructure & Operations
RelOps: General
x86_64
Windows Server 2008
Tracking
(firefox25-)
RESOLVED
WONTFIX
| Tracking | Status | |
|---|---|---|
| firefox25 | - | --- |
People
(Reporter: masa141421356, Assigned: markco)
References
()
Details
(Keywords: sec-low)
Now Firefox and Thunderbird installer installs msvcr100.dll Version 10.0.30319.1 But it contains security problem. Update of MS11-025 contains Version 10.0.30319.460
|
Reporter | |
Updated•11 years ago
|
|
||
Comment 1•11 years ago
|
||
Adding some folks.
|
||
Comment 2•11 years ago
|
||
Are there any vulnerabilities this fixes that we'd actually be subject to? In any event, this is a matter of updating the build slaves, not any build config issue.
Group: mozilla-corporation-confidential
Component: Build Config → Release Engineering: Machine Management
Product: Core → mozilla.org
QA Contact: armenzg
Version: Trunk → other
|
|
||
Comment 3•11 years ago
|
||
Ah, here's the security bulletin: http://technet.microsoft.com/en-us/security/bulletin/ms11-025 Sounds like this is just an MFC fix. I don't think this concerns us, honestly. I also don't think this bug needs to remain hidden.
|
|
Reporter | |
Comment 4•11 years ago
|
||
Is add-on that uses MFC DLL as binary components affected ?
|
|
||
Comment 5•11 years ago
|
||
Possibly, I don't know. I would have hoped we would have dissuaded add-ons from relying on our CRT when we were shipping a custom one for many releases, but it's possible that they are doing that nowadays.
|
||
Comment 6•11 years ago
|
||
A plugin might, but I can't see an addon using this. Not too much risk in practice but completely embarrassing. John: who would upgrade the build slaves to get the right version of msvc installed?
Group: mozilla-corporation-confidential, core-security
tracking-firefox25:
--- → ?
Flags: needinfo?(joduinn)
Keywords: sec-low
|
||
Comment 7•11 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #6) > A plugin might, but I can't see an addon using this. > > Not too much risk in practice but completely embarrassing. > > John: who would upgrade the build slaves to get the right version of msvc > installed? dveditz: getting the MSVC upgraded on production systems would be a RelEng project. After reading this bug, can you clarify: a) are there any binary compat issues to worry about with this proposed compiler change? (If so, we'll need to run with both compilers installed for a while, and have this use-new-compiler change ride the release trains for test coverage and user notifications.) b) urgency of this work, as a few comments seem to indicate its c) where this fits in with other (some completed, some ongoing) bugs for upgrading to VS2010 and VS2012 on production systems? (In reply to Ted Mielczarek [:ted.mielczarek] from comment #5) > Possibly, I don't know. I would have hoped we would have dissuaded add-ons > from relying on our CRT when we were shipping a custom one for many > releases, but it's possible that they are doing that nowadays. ted/dveditz: Is the request to upgrade the compiler we use in production? Or to update the dll which we include as part of the build? Or both?
Flags: needinfo?(joduinn) → needinfo?(dveditz)
|
|
||
Updated•11 years ago
|
Flags: needinfo?(ted)
|
|
||
Comment 8•11 years ago
|
||
The DLL we use comes from the redistributable package that ships as part of the compiler. This update is just a security update that only updates the CRT (you can look at the list of files it changes, it's large but they're all CRT-related), so it shouldn't have any impact on the actual compiler. You'd update the DLL we ship by installing this update, which would change the redistributable files provided by the compiler. Given that Firefox itself shouldn't be impacted by this change I personally wouldn't worry about it breaking anything. To answer your points more concisely: a) No b) Doesn't seem urgent, but we could get surprised by an add-on or plugin being vulnerable. c) Seems unrelated? We're already using VS2010, this is a security update for the compiler.
Flags: needinfo?(ted)
|
||
Comment 9•11 years ago
|
||
Not clear to me why we'd track a sec-low, I think this may belong on a separate list.
|
|
||
Comment 10•11 years ago
|
||
Ted's answers seem to cover it.
|
||
Updated•11 years ago
|
Component: Release Engineering: Machine Management → Release Engineering: Platform Support
OS: Windows XP → Windows Server 2008
QA Contact: armenzg → coop
Hardware: x86 → x86_64
|
|
||
Updated•11 years ago
|
Flags: needinfo?(dveditz)
|
||
Updated•11 years ago
|
Product: mozilla.org → Release Engineering
|
|
||
Comment 11•11 years ago
|
||
Sounds like we want this, but it's low priority. Process should be: * install the update from comment #1 on a machine in staging and verify we can still build everything we need to * re-assign bug over to relops to generate a GPO package for the update to push out to all the rev2 Windows builders * manually install the update on any lingering rev1 Windows builders
|
|
||
Updated•10 years ago
|
Assignee: nobody → coop
Priority: -- → P3
|
|
||
Comment 12•10 years ago
|
||
Download link is here: http://www.microsoft.com/en-us/download/confirmation.aspx?id=26351 I'm trying this out in staging now.
Status: NEW → ASSIGNED
Priority: P3 → P2
|
|
||
Comment 13•10 years ago
|
||
Pretty satisfied with results on m-c and comm-central. I'm trying a bunch of other branches now: mozilla-beta, mozilla-release, and mozilla-esr24.
|
|
||
Comment 14•10 years ago
|
||
OK, no showstoppers that I've found on any of the branches. Moving over to relops to add to the rev2 GPO deployment process. Download link is in comment #12. Install package seems to respect the standard silent install options.
Assignee: coop → relops
Status: ASSIGNED → NEW
Component: Platform Support → RelOps
Product: Release Engineering → Infrastructure & Operations
QA Contact: coop → arich
|
Assignee | |
Updated•10 years ago
|
Assignee: relops → mcornmesser
|
|
Assignee | |
Comment 15•10 years ago
|
||
We are planning on rolling this update into our WSUS configuration for win 64 group, and reactivating the GPO that will have the machines check in with our WSUS server for needed updates. This afternoon will be the earliest this will be ready to go. When would we want to roll this out?
|
|
Assignee | |
Comment 16•10 years ago
|
||
Is there any update on when we want to roll this out?
|
||
Comment 17•10 years ago
|
||
I don't think we should do this. We're planning on upgrading to MSVC2013 update 2 when it is released and this would just be unnecessary churn. The current version doesn't represent real risk to our users, and any CRT upgrades are potentially risky and would require a QA cycle. WONTFIXing with Callek's agreement on IRC.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•