Update Mozilla to NSS 3.15.3 (new alternative NSS branch) to pick up a few fixes

RESOLVED FIXED in Firefox 25

Status

()

defect
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

Trunk
mozilla27
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox25 verified, firefox26+ verified, firefox27+ verified, firefox28+ verified, firefox-esr2425+ fixed, b2g-v1.2 fixed)

Details

(Whiteboard: [patches for 24 / 25 / 26 differ in dos/unix line endings of meta files only])

Attachments

(4 attachments)

Assignee

Description

6 years ago
We are going to release an intermediate NSS version 3.15.3 that cherry picks a few patches, and stable Mozilla branches should get it.
What's the plan for b2g18?
Assignee

Comment 2

6 years ago
Reason for this earlier release is: The false start and the OCSP GET feature work might need more time to stabilize, but we'd like to get out a few useful patches earlier.
Assignee

Comment 3

6 years ago
I propose to land NSS_3_15_3_BETA3 into mozilla-aurora for testing.
(This is waiting for approval to temporarily cleanup in bug 930811, in order to remove local patches.)

All patches contained in that snapshot are currently being tested on mozilla-central as part of NSS_3_15_4_BETA1.

Brian, can you please give your agreement to this proposal?
(This patch was produced by applying the patch from bug 930811 and on top executing: python client.py update_nss NSS_3_15_3_BETA3.)
Attachment #828646 - Flags: review?(brian)
Attachment #828646 - Flags: approval-mozilla-aurora?
Assignee

Updated

6 years ago
Whiteboard: [leave open]
Assignee

Updated

6 years ago
Summary: Update Mozilla to NSS 3.15.3 (new alternative NSS branch) to pick up security fixes → Update Mozilla to NSS 3.15.3 (new alternative NSS branch)
Assignee

Updated

6 years ago
Summary: Update Mozilla to NSS 3.15.3 (new alternative NSS branch) → Update Mozilla to NSS 3.15.3 (new alternative NSS branch) to pick up a few fixes
Comment on attachment 828646 [details] [diff] [review]
land 3.15.3 beta3 into aurora

Review of attachment 828646 [details] [diff] [review]:
-----------------------------------------------------------------

Please don't land this on m-c, but m-a, etc. are OK.
Attachment #828646 - Flags: review?(brian) → review+
Assignee

Comment 5

6 years ago
(In reply to Brian Smith from comment #4)
> Please don't land this on m-c, but m-a, etc. are OK.

Yes, that's the intention, no m-c
Kai: half the patch for bug 925100 actually moved into bug 927687. You'd have to ask Wan Teh why, possibly because it was not necessary for the specific security bug but it still looks relevant.
Depends on: CVE-2013-5607
Assignee

Comment 7

6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #6)
> half the patch for bug 925100 actually moved into bug 927687. You'd
> have to ask Wan Teh why

Because that other code was NSPR code.
Assignee

Comment 8

6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #6)
> half the patch for bug 925100 actually moved into bug 927687.

Thanks for making me aware!
Comment on attachment 828646 [details] [diff] [review]
land 3.15.3 beta3 into aurora

Approving for Aurora based on email exchanges.
Attachment #828646 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee

Comment 11

6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #6)
> Kai: half the patch for bug 925100 actually moved into bug 927687.

Wan-Teh said this patch is optional. Removing the dependency, because it's NSPR. However, if you'd like to pick up the NSPR patch, please refer to bug 935568.
No longer depends on: CVE-2013-5607
Assignee

Comment 12

6 years ago
things look good, I'll have the patch for other branches ready soon (need to run some errants...)
Assignee

Comment 13

6 years ago
We need to investigate if bug 936808 is related to landing this NSS update. So far it's a one time crash.
Assignee

Comment 14

6 years ago
I've checked in an update to set the NSS version to NSS 3.15.3 RTM.
https://hg.mozilla.org/releases/mozilla-aurora/rev/7c876e9d50cb

I had created the release tag prior to learning about bug 936808.
I'm not convinced that bug is caused by this upgrade, it looks like a one time erratic failure.

Should it turn out that really another fix is required, we can handle that in a followup.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Assignee

Comment 15

6 years ago
Attachment #829913 - Flags: approval-mozilla-beta?
Assignee

Updated

6 years ago
Attachment #829914 - Flags: approval-mozilla-release?
Assignee

Comment 17

6 years ago
Attachment #829915 - Flags: approval-mozilla-esr24?
Assignee

Updated

6 years ago
Assignee: nobody → kaie
Whiteboard: [leave open]
Assignee

Updated

6 years ago
Whiteboard: [patches for 24 / 25 / 26 differ in line endings of meta files only]
Assignee

Updated

6 years ago
Whiteboard: [patches for 24 / 25 / 26 differ in line endings of meta files only] → [patches for 24 / 25 / 26 differ in dos/unix line endings of meta files only]
Assignee

Updated

6 years ago
See Also: → 936951
Assignee

Comment 18

6 years ago
see bug 936951 for ESR17
Shouldn't status-firefox28 be unaffected?
Assignee

Comment 20

6 years ago
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #19)
> Shouldn't status-firefox28 be unaffected?

firefox28 received the fixes using a more recent dev version, 3.15.4 beta
Exactly my point. It seems that "affected" doesn't really fit very well for this bug. I could see any of unaffected, wontfix, or fixed depending on your perspective.
Attachment #829913 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #21)
> Exactly my point. It seems that "affected" doesn't really fit very well for
> this bug. I could see any of unaffected, wontfix, or fixed depending on your
> perspective.

Talked it over with kaie. Will just go with fixed for fx28 since m-c already has the superseding fix on it.
Attachment #829914 - Flags: approval-mozilla-release? → approval-mozilla-release+
Attachment #829915 - Flags: approval-mozilla-esr24? → approval-mozilla-esr24+
Also pushed to GECKO2410esr_2013102201_RELBRANCH.
https://hg.mozilla.org/releases/mozilla-esr24/rev/0bbc7cd87aed
Flagging this for verification but please be advised that QA is just going to be doing some smoketesting of top-sites which utilize SSL. If there's something specific we need to test then please let us know.
Keywords: verifyme

Comment 28

6 years ago
Testing performed on Firefox 26 beta 4: https://etherpad.mozilla.org/firefox26b4-exploratory.
No regressions were found with the tested sites.
I'm calling this verified for Firefox 25 as well based on the testing here:
https://wiki.mozilla.org/Releases/Firefox_25/Test_Plan#Regression_Testing_12
Verified as fixed with Firefox 27 beta 2, based on the exploratory testing mentioned here: https://etherpad.mozilla.org/Fx27b2-TLS-SSL
You need to log in before you can comment on or make changes to this bug.