Bug 967153: Update NSS to NSS 3.16
Status: Closed (RESOLVED FIXED, mozilla30)
Opened 10 years ago, closed 10 years ago
Categories: Core :: Security: PSM, defect, P1
People: Reporter: briansmith, Assigned: cviecco
Attachments (1 file): 267 bytes, text/plain (Sylvestre: approval-mozilla-aurora+, lsblakk: approval-mozilla-beta+)

No description provided.
Comment 1 • 10 years ago (Reporter)
NSS 3.16 removes some root certificate authority certificates that have weak keys. We had previously committed ourselves to remove these roots in Firefox 29. So, we should uplift this change to Firefox 29. My plan is to let NSS 3.15.5 beta 3 live on Nightly for at least one day, then land NSS 3.16 beta 1 to mozilla-inbound later this week, and then uplift NSS 3.16 beta 1 to Mozilla-Aurora later this week or early next week.
tracking-firefox29: --- → ?
Updated • 10 years ago (Reporter)
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla30
Comment 2 • 10 years ago (Reporter)
https://hg.mozilla.org/integration/mozilla-inbound/rev/9e5d07c8c87b
https://hg.mozilla.org/integration/mozilla-inbound/rev/5b5e7559cda5
https://hg.mozilla.org/integration/mozilla-inbound/rev/81e6988807de
The second commit makes NSS 3.16 the minimum acceptable version of NSS for system NSS. The third commit adds the NSS name constraint test cases that should have been added in the first commit (I forgot to "hg addremove").
Comment 3 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/9e5d07c8c87b
https://hg.mozilla.org/mozilla-central/rev/5b5e7559cda5
https://hg.mozilla.org/mozilla-central/rev/81e6988807de
Comment 4 • 10 years ago (Reporter)
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Kathleen Wilson (Mozilla CA Policy Module Owner) needs to have NSS updated to NSS 3.16 in Firefox 29 in order to remove some root certificates that are using weak (1024-bit) keys.
User impact if declined: More susceptibility to crypto, broken promises, crushed dreams.
Testing completed (on m-c, etc.): This has been on m-c since yesterday. We are doing these root removals in coordination with the CAs, who already have other roots with stronger keys in NSS.
Risk to taking this patch (and alternatives if risky): Some compatibility risk if there are any websites that require these removed roots.
String or IDL/UUID changes made by this patch: None.
Attachment #8374644 - Flags: approval-mozilla-aurora?
Updated • 10 years ago
Attachment #8374644 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 5 • 10 years ago (Reporter)
https://hg.mozilla.org/releases/mozilla-aurora/rev/51497c942865
https://hg.mozilla.org/releases/mozilla-aurora/rev/a7b083b7ddaa
Updated • 10 years ago
status-firefox29: --- → fixed
status-firefox30: --- → fixed
Comment 6 • 10 years ago (Reporter)
https://hg.mozilla.org/mozilla-central/rev/5d8fc2d51ec2
Comment 7 • 10 years ago (Reporter)
https://hg.mozilla.org/releases/mozilla-aurora/rev/b0b52ea69cec
Comment 8 • 10 years ago (Reporter)
python client.py --repo=/c/p/nss/nss update_nss NSS_3_16_BETA3
https://hg.mozilla.org/integration/mozilla-inbound/rev/826695253218
https://hg.mozilla.org/releases/mozilla-aurora/rev/4bc0ff092aca
Comment 9 • 10 years ago (Reporter)
NSS 3.16 beta3 undoes the 1024-bit root removals that were causing the compatibility problems, so removing the dependencies on bug 974500, bug 973592, and bug 974262.
Comment 10 • 10 years ago (Reporter)
Bug 968567 isn't needed in the NSS 3.16 timeframe so removing that bug's dependency on this bug.
No longer blocks: 968567
Comment 12 • 10 years ago (Reporter)
beta 4: https://hg.mozilla.org/integration/mozilla-inbound/rev/85a239cf7dac
Comment 14 • 10 years ago (Reporter)
beta 5: https://hg.mozilla.org/integration/mozilla-inbound/rev/1624c45df0d9
Comment 15 • 10 years ago (Reporter)
beta 5 (mozilla-aurora): https://hg.mozilla.org/releases/mozilla-aurora/rev/bf60b72ca035
Comment 17 • 10 years ago
NSS 3.16 (NSS_3_16_RTM) pushed to mozilla-inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8ff12456c32b
Priority: -- → P1
Whiteboard: [leave open]
Comment 18 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/8ff12456c32b
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 19 • 10 years ago
status-firefox29 ISN'T yet fixed, because the RTM version still needs to land into the 29 branch (today still aurora). Camilo, can you please help to get this done?
Assignee: brian → cviecco
Comment 20 • 10 years ago (Assignee)
Will do.
Comment 21 • 10 years ago (Assignee)
Comment on attachment 8374644 [details]
Update NSS to NSS 3.16
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Kathleen Wilson (Mozilla CA Policy Module Owner) needs to have NSS updated to NSS 3.16 in Firefox 29 in order to remove some root certificates that are using weak (1024-bit) keys. There was some confusion and the RTM version did not land in aurora before the merge (just the beta 5).
User impact if declined: More susceptibility to crypto, broken promises, crushed dreams.
Testing completed (on m-c, etc.): The latest version has been on m-c since Friday (beta 5 since 2 weeks ago). We are doing these root removals in coordination with the CAs, who already have other roots with stronger keys in NSS.
Risk to taking this patch (and alternatives if risky): Some compatibility risk if there are any websites that require these removed roots.
String or IDL/UUID changes made by this patch: None.
Attachment #8374644 - Flags: approval-mozilla-beta?
Updated • 10 years ago (Reporter)
Attachment #8374644 - Attachment mime type: application/x-shellscript → text/plain
Comment 22 • 10 years ago (Reporter)
(In reply to Camilo Viecco (:cviecco) from comment #21)
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): Kathleen Wilson (Mozilla CA Policy
> Module Owner) needs to have NSS updated to NSS 3.16 in Firefox 29 in order
> to remove some root certificates that are using weak (1024-bit) keys. There
> was some confusion and the RTM version did not land in aurora before the
> merge (just the beta 5).

The root removals in NSS 3.16 were reverted a few weeks ago. Firefox 29 Aurora already had NSS 3.16 beta 5. The changes between beta 5 and RTM were very small bug fixes that are very low risk.

> Testing completed (on m-c, etc.): The latest version has been on m-c since
> Friday (beta 5 since 2 weeks ago). We are doing these root removals in
> coordination with the CAs, who already have other roots with stronger keys
> in NSS.

This also applies to mozilla-aurora, which has been using beta 5.

> Risk to taking this patch (and alternatives if risky): Some compatibility
> risk if there are any websites that require these removed roots.

There is basically no risk to taking this patch since the root removals were reversed.
Updated • 10 years ago
Attachment #8374644 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 23 • 10 years ago
This was landed by cviecco.
https://hg.mozilla.org/releases/mozilla-beta/rev/653b34f9a889
Comment 24 • 10 years ago
http://hg.mozilla.org/releases/mozilla-beta/rev/a7b083b7ddaa since I was confused not seeing 3.16 required in 29.0b3..
Comment 25 • 10 years ago
Should update to 3.16.1 before 30.0 gold.