Re: Important: NSS + Firefox + Thunderbird + Seamonkey + Icecat + Xulrunner

On Fri, 20 Jan 2017, Hubert Kario wrote:
On Friday, 20 January 2017 18:40:13 CET Alexander Bokovoy wrote:
On Fri, 20 Jan 2017, Kai Engert wrote:
>Hello,
>
>we are currently dealing with a tricky situation, that the NSS and Mozilla
>package maintainers have been discussing, and I'd like to publish our plan.
>
>The most recent NSS update, version 3.28.1, is required to ship to the
>Firefox 51 update planned for January 24.
>
>Unfortunately, NSS 3.28.1 is incompatible with Mozilla applications version
>50 and older.
>
>If Mozilla 50 or older is used together with NSS 3.28 or newer, and the
>application attempts to use HTTP v2, the connections to some servers may
>fail (including connections to Google servers).
>
>The fix is simple, it's possible to apply a small patch to the older
>Mozilla applications, to make it compatible with NSS 3.28.1
>
>The difficulty here is the timing, and it's a conflict between "don't break
>applications in Fedora" and "ship new Firefox security update as soon as
>possible".
>
>If we start by shipping NSS 3.28.1 first, without yet having fixed the
>Mozilla applications, then we allow Firefox 51 to be shipped, but we risk
>that the other applications aren't fixed in time, and that users might see
>regressions, caused by the upgrade to NSS 3.28.1
>
>Alternatively, if we wait until all affected Mozilla packages have been
>updated to fixed versions, it might delay the January 24 Firefox 51
>update.
>
>After discussing this, we have a preference to avoid the breakage in
>Fedora, and try to ship all required updates as soon as possible.
>
>In order to avoid the breakage, we want to add "Conflicts:" statements to
>the NSS 3.28.1 package, that makes it conflict with all known Mozilla
>packages that don't contain the required fix yet.
>
>The packages we have identified are:
>- firefox
>- thunderbird
>- seamonkey
>- xulrunner
>- icecat
>
>I see that for all the above packages, build attempts that include the fix
>are already ongoing in koji, so there's hope that we might be able to
>resolve the situation in time.

FreeIPA is broken when trying to install with nss 3.28.1. We reliably
reproduce this issue with
https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012

It seems that new nss also breaks 389-ds LDAP server's selection of
available ciphers. As a result, ldapsearch does not work against the
389-ds LDAP server configured as part of FreeIPA deployment.

openldap issue is different than Firefox issue, the former is caused by
combination of buggy code in openldap and draft version of TLSv1.3 being
available in NSS while the latter is caused by addition of X25519 curve for
ECDHE.

We've already discussed the issues in openldap with Christian Heimes, Marin
Babinsky and Matus Honek. We will also be temporarily disabling TLSv1.3 in
NSS. The particular bugs are:
https://bugzilla.redhat.com/show_bug.cgi?id=1243517
https://bugzilla.redhat.com/show_bug.cgi?id=1387868

Thanks, Hubert. I assume these fixes will be part of the 3.28.1 you are
preparing for Firefox 51?

--
/ Alexander Bokovoy