Bugzilla@Mozilla – Bug 595300
Update to NSS_3_12_8_RTM in mozilla-central
Last modified: 2010-11-24 10:51:45 PST
mozilla-central is using NSS_3_12_8_BETA2. I'd like to update to NSS_3_12_8_BETA3. I summarize the changes between Beta 2 and Beta 3 below for Mozilla drivers.

Bug fixes of interest to Mozilla:
- Bug 578697: (CVE-2010-3170) Browser Wildcard Certificate Validation Issue
- Bug 582575: Add July 2010 batch of roots to NSS
- Bug 536640: valgrind warning in DecodeItem (about uninitialized local from nsslowkey_DecodePW)
- Bug 588698: SSL deadlock (seen in Thunderbird)
- Bug 567134: Use ASLR in NSS if it's available

Other important bug fixes:
- Bug 587234: Better error reporting and checks for weak server keys in libSSL
- Bug 585842: CERT_MakeCANickname returns static string in error case
- Bug 586953: CERT_FormatName leaks everything if it can't PORT_Alloc for buf
- Bug 586957: CERT_FormatName leaks things if properties exist multiple times
- Bug 586967: CERT_CreateCertificate leaks arena if PORT_ArenaZAlloc fails
- Bug 587399: crmf_copy_cert_req_msg leaks poolp if newReqMsg = PORT_ArenaZNew fails
- Bug 588052: nsslowhash.h missing from dist/public/nss
- Bug 587622: print_attr_value calls get_obj_class instead of get_key_type for CKA_KEY_TYPE
- Bug 584871: calling SEC_PKCS12DecoderStart with NULL dOpen, dClose, dRead, dWrite, dArg leads to leaks
- Bug 584875: Contents of sec_PKCS12EncoderContext are only freed on error handling case
- Bug 587432: NSS_CMSSignerInfo_Sign leaks tmppoolp when things fail
- Bug 586697: ssl3_DeriveMasterSecret must not request pVersion when it does Master key derivation for Diffie-Hellman through pkcs11
- Bug 525092: Allow one more SSL function to be called early

Minor bug fixes:
- Bug 585247: NSS coreconf: Add -rpath-link to LDFLAGS for Maemo/Scratchbox
- Bug 586857: Mark SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME as an unsupported certificate extension
- Bug 587393: remove JAR_cert_attribute declaration
Created attachment 474164 [details] [review] Patch

The changes in this patch have been individually reviewed in the bugs I listed in comment 0. This is likely to be the last Beta of NSS 3.12.8.
We definitely want the fix for now-public CVE-2010-3170 (bug 578697) on the branches, and should pick up the new roots too.
Not blocking branches (yet): on the stable branches we'll wait for the actual NSS 3.12.8 release rather than BETA3 (though no changes are expected).
*** Bug 582580 has been marked as a duplicate of this bug. ***
Comment on attachment 474164 [details] [review] Patch

Pushed to mozilla-central in changeset d9a8b06248be: http://hg.mozilla.org/mozilla-central/rev/d9a8b06248be
Created attachment 476537 [details] [review] Update to NSS_3_12_8_RC0

Since the NSS_3_12_8_RC0 tag has been created, I pushed it to mozilla-central in changeset 79b569b64111: http://hg.mozilla.org/mozilla-central/rev/79b569b64111

In addition to removing "Beta" from the version strings, it contains only one bug fix:
- Bug 595264: libpkix thrown into infinite loop by % in certificate
For the record, RC0 was released as RTM today, without changes.
We want this on the 1.9.2 and 1.9.1 branches. In order to land on the 1.9.1 branch we will also have to apply the fix for bug 583337 to unbreak sites using DHE with stupidly small keys.
Is this able to land on 1.9.2 and 1.9.1 today?
Need to bump the NSS requirement in configure.in...
Pushed to mozilla-1.9.2 in changeset e8ca667960b1: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e8ca667960b1

Pushed to mozilla-1.9.1 in changeset 8ee042940966: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/8ee042940966
Thanks!
Created attachment 479249 [details] [review] mozilla-1.9.1 patch for security/manager/Makefile.in

mozilla-1.9.1 installs its sqlite3.h in dist/include/sqlite3, so we need to pass that to NSS 3.12.8's build system this way.
Comment on attachment 479249 [details] [review] mozilla-1.9.1 patch for security/manager/Makefile.in

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/95101ee982a6