Closed Bug 935959 Opened 11 years ago Closed 11 years ago

Update Mozilla to NSS 3.15.3 (new alternative NSS branch) to pick up a few fixes

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla27
Tracking Flags:
Tracking Status
firefox25 --- verified
firefox26 + verified
firefox27 + verified
firefox28 + verified
firefox-esr24 25+ fixed
b2g-v1.2 --- fixed

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

(Whiteboard: [patches for 24 / 25 / 26 differ in dos/unix line endings of meta files only])

Attachments

(4 files)

land 3.15.3 beta3 into aurora
23.65 KB, patch
briansmith
: review+
abillings
: approval-mozilla-aurora+
Details | Diff | Splinter Review
land NSS 3.15.3 RTM into mozilla-beta (26)
23.47 KB, patch
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
land NSS 3.15.3 RTM into mozilla-release (25)
23.48 KB, patch
akeybl
: approval-mozilla-release+
Details | Diff | Splinter Review
land NSS 3.15.3 RTM into mozilla-esr24
23.48 KB, patch
akeybl
: approval-mozilla-esr24+
Details | Diff | Splinter Review 
We are going to release an intermediate NSS version 3.15.3 that cherry picks a few patches, and stable Mozilla branches should get it.
What's the plan for b2g18?
Reason for this earlier release is: The false start and the OCSP GET feature work might need more time to stabilize, but we'd like to get out a few useful patches earlier.
I propose to land NSS_3_15_3_BETA3 into mozilla-aurora for testing.
(This is waiting for approval to temporarily cleanup in bug 930811, in order to remove local patches.)

All patches contained in that snapshot are currently being tested on mozilla-central as part of NSS_3_15_4_BETA1.

Brian, can you please give your agreement to this proposal?
(This patch was produced by applying the patch from bug 930811 and on top executing: python client.py update_nss NSS_3_15_3_BETA3.)
Attachment #828646 - Flags: review?(brian)
Attachment #828646 - Flags: approval-mozilla-aurora?
Whiteboard: [leave open]
Summary: Update Mozilla to NSS 3.15.3 (new alternative NSS branch) to pick up security fixes → Update Mozilla to NSS 3.15.3 (new alternative NSS branch)
Summary: Update Mozilla to NSS 3.15.3 (new alternative NSS branch) → Update Mozilla to NSS 3.15.3 (new alternative NSS branch) to pick up a few fixes
Comment on attachment 828646 [details] [diff] [review]
land 3.15.3 beta3 into aurora

Review of attachment 828646 [details] [diff] [review]:
-----------------------------------------------------------------

Please don't land this on m-c, but m-a, etc. are OK.
Attachment #828646 - Flags: review?(brian) → review+
(In reply to Brian Smith from comment #4)
> Please don't land this on m-c, but m-a, etc. are OK.

Yes, that's the intention, no m-c
Kai: half the patch for bug 925100 actually moved into bug 927687. You'd have to ask Wan Teh why, possibly because it was not necessary for the specific security bug but it still looks relevant.
Depends on: CVE-2013-5607
(In reply to Daniel Veditz [:dveditz] from comment #6)
> half the patch for bug 925100 actually moved into bug 927687. You'd
> have to ask Wan Teh why

Because that other code was NSPR code.
(In reply to Daniel Veditz [:dveditz] from comment #6)
> half the patch for bug 925100 actually moved into bug 927687.

Thanks for making me aware!
Comment on attachment 828646 [details] [diff] [review]
land 3.15.3 beta3 into aurora

Approving for Aurora based on email exchanges.
Attachment #828646 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to Daniel Veditz [:dveditz] from comment #6)
> Kai: half the patch for bug 925100 actually moved into bug 927687.

Wan-Teh said this patch is optional. Removing the dependency, because it's NSPR. However, if you'd like to pick up the NSPR patch, please refer to bug 935568.
No longer depends on: CVE-2013-5607
things look good, I'll have the patch for other branches ready soon (need to run some errants...)
We need to investigate if bug 936808 is related to landing this NSS update. So far it's a one time crash.
I've checked in an update to set the NSS version to NSS 3.15.3 RTM.
https://hg.mozilla.org/releases/mozilla-aurora/rev/7c876e9d50cb

I had created the release tag prior to learning about bug 936808.
I'm not convinced that bug is caused by this upgrade, it looks like a one time erratic failure.

Should it turn out that really another fix is required, we can handle that in a followup.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27

        Attachment #829913 -
        Flags: approval-mozilla-beta?

    
  

        Attachment #829914 -
        Flags: approval-mozilla-release?

    
    

    
  


  

        Attachment #829915 -
        Flags: approval-mozilla-esr24?

    
  
Assignee: nobody → kaie
Whiteboard: [leave open]

    
  
Whiteboard: [patches for 24 / 25 / 26 differ in line endings of meta files only]

    
  
Whiteboard: [patches for 24 / 25 / 26 differ in line endings of meta files only] → [patches for 24 / 25 / 26 differ in dos/unix line endings of meta files only]

    
  
See Also:  → 936951

    
    

    
  
see bug 936951 for ESR17

    
    

    
  
Shouldn't status-firefox28 be unaffected?

          status-firefox25:
          --- → affected

          status-firefox27:
          affectedfixed

    
    

    
  
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #19)
> Shouldn't status-firefox28 be unaffected?

firefox28 received the fixes using a more recent dev version, 3.15.4 beta

    
    

    
  
Exactly my point. It seems that "affected" doesn't really fit very well for this bug. I could see any of unaffected, wontfix, or fixed depending on your perspective.

        Attachment #829913 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #21)
> Exactly my point. It seems that "affected" doesn't really fit very well for
> this bug. I could see any of unaffected, wontfix, or fixed depending on your
> perspective.

Talked it over with kaie. Will just go with fixed for fx28 since m-c already has the superseding fix on it.

          status-firefox28:
          affectedfixed

    
  

        Attachment #829914 -
        Flags: approval-mozilla-release? → approval-mozilla-release+

    
  

        Attachment #829915 -
        Flags: approval-mozilla-esr24? → approval-mozilla-esr24+

    
    

    
  
Also pushed to GECKO2410esr_2013102201_RELBRANCH.
https://hg.mozilla.org/releases/mozilla-esr24/rev/0bbc7cd87aed

    
    

    
  
Flagging this for verification but please be advised that QA is just going to be doing some smoketesting of top-sites which utilize SSL. If there's something specific we need to test then please let us know.
Keywords: verifyme

    
    

    
  
Testing performed on Firefox 26 beta 4: https://etherpad.mozilla.org/firefox26b4-exploratory.
No regressions were found with the tested sites.

          status-firefox26:
          fixedverified

    
    

    
  
I'm calling this verified for Firefox 25 as well based on the testing here:
https://wiki.mozilla.org/Releases/Firefox_25/Test_Plan#Regression_Testing_12

          status-firefox25:
          fixedverified

    
    

    
  
Verified as fixed with Firefox 27 beta 2, based on the exploratory testing mentioned here: https://etherpad.mozilla.org/Fx27b2-TLS-SSL

          status-firefox27:
          fixedverified

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: