The bug is private still, but according to the release notes: "- Bug 1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS." Please stabilize nss-3.98 when ready.
Uh oh, we only stabilize NSS ESR which 3.98 is not. Then again ESR and release (3.98) should be API/ABI compatible, so I'm not sure if there's any reason to keep these releases split in Gentoo. Maybe there's some historical reason. Will ask upstream about their intentions with ESR if a parallel release isn't made in the near future.
Hm, there *was* a parallel release on an earlier branch, nss-3.90.2, but since that's less than our stable (3.91), I assumed we were already on "rapid" NSS? https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_90_2.html Now that I look, I don't even see a 3.91 on the sidebar at https://firefox-source-docs.mozilla.org/security/nss/releases/index.html#mozilla-projects-nss-releases?
3.90 was utterly broken and I wasn't sure whether they'd ESR 3.91 or 3.92 instead of the originally planned 3.90. I'll see whether 3.90.2 holds all fixes from 3.91.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=629b39c4e1723ce530653175269fd679985df9ff
commit 629b39c4e1723ce530653175269fd679985df9ff
Author: Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2024-02-21 08:29:55 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-02-21 08:29:55 +0000
    dev-libs/nss: add 3.90.2
    - bring back the intended ESR version, with fixes to the original broken 3.90.
    Bug: https://bugs.gentoo.org/925027
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>
 dev-libs/nss/Manifest          |   1 +
 dev-libs/nss/nss-3.90.2.ebuild | 418 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 419 insertions(+)
Ok, *now* please stabilize when ready! :)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b1a888864fa17c7be604b8b4a2f28f68d134c5f
commit 5b1a888864fa17c7be604b8b4a2f28f68d134c5f
Author: Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2024-04-01 06:38:35 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-04-01 06:47:34 +0000
    dev-libs/nss: drop 3.91
    - returning to the true ESR -> 3.90.2.
    Bug: https://bugs.gentoo.org/925027
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>
 dev-libs/nss/Manifest        |   2 -
 dev-libs/nss/nss-3.91.ebuild | 423 -------------------------------------------
 2 files changed, 425 deletions(-)
On my old Intel Core 4xxx generation the downgrade to nss 3.90.2 may have triggered bug https://bugs.gentoo.org/907932 on firefox. On start, firefox crashes with a channel error. No problem on a newer CPU.
(In reply to Stephan Karacson from comment #7)
> On my old Intel Core 4xxx generation the downgrade to nss 3.90.2 may
> have triggered bug https://bugs.gentoo.org/907932 on firefox.
> On start, firefox crashes with a channel error.
> No problem on a newer CPU.
"does" or "may"? I'm pretty sure I checked that those CPU fixes were in 3.90.2.
I can reproduce it on an Intel i7 47xx, and there is no problem on a 7900. As there was a profile change last week, I recompiled rust, clang and llvm just to be sure. But I have to admit that these "CPU fixes" are over my level. This should just be a hint in case it keeps happening.
Could you add nss to package.accept_keywords and use an unstable version (3.99) where it's broken? Due to this security bug we can't keep 3.91 in tree forever. Also I'd ask you to file an upstream bug so the issues can be fixed in 3.90.3 - you can reproduce, you can provide output straight to the maintainers. 3.99 should work fine in an otherwise stable system.
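As an added illustration of the workaround suggested above (example code, not from the bug thread or from Gentoo's own tooling): a small POSIX shell helper that records a package atom in a package.accept_keywords file only once, plus a check that the entry is present. The file path is a parameter so the helpers can be tried on a scratch file; on a real system the file would live under /etc/portage/package.accept_keywords/ (assumed path), and the atom and keyword used in the demonstration (dev-libs/nss, ~amd64) are the usual form for taking the testing version of a package, chosen here as an assumption.

```shell
#!/bin/sh
# Added example, not from the bug thread: idempotently add an entry to a
# Portage package.accept_keywords file and check for it afterwards.
# FILE is passed in so the helpers can be exercised on a scratch file;
# on a real system it would be e.g. /etc/portage/package.accept_keywords/nss
# (assumed location).

# has_entry FILE ATOM -> exit 0 if some line's first field equals ATOM, else 1
has_entry() {
    [ -f "$1" ] || return 1
    awk -v a="$2" '$1 == a { found = 1 } END { exit !found }' "$1"
}

# add_accept_keyword FILE ATOM [KEYWORD]
# Appends "ATOM KEYWORD" unless ATOM is already listed.
# Returns 0 when a line was added, 1 when it was already present.
add_accept_keyword() {
    file=$1
    atom=$2
    keyword=${3:-"~amd64"}   # assumption: testing keyword for the amd64 arch
    if has_entry "$file" "$atom"; then
        return 1
    fi
    printf '%s %s\n' "$atom" "$keyword" >> "$file"
}

# entry_count FILE -> number of lines that are neither comments nor blank
entry_count() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Stand-alone demonstration on a temporary scratch file (constructed input).
tmp=$(mktemp)
add_accept_keyword "$tmp" dev-libs/nss && echo "added: dev-libs/nss ~amd64"
add_accept_keyword "$tmp" dev-libs/nss || echo "dev-libs/nss already listed"
echo "entries in scratch file: $(entry_count "$tmp")"
rm -f "$tmp"
```

Running the script prints that the atom was added, then that the second call found it already listed, and an entry count of 1; the same helpers pointed at the real file give a repeatable way to apply the keyword and verify it before re-emerging the package.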
Upgrade to nss 3.99 works for me on an Intel 47xx with firefox 115.9.1esr (just to admit, the no-problem CPU is a Ryzen 7900). Thank you for the help.
Intel Sandy Bridge and AMD Barcelona seem to be affected too, according to the forum: https://forums.gentoo.org/viewtopic-t-1168203.html
Hi, I also got this regression with my AMD X2 64 Windsor. I will try to upgrade to 3.99.
I don't know what the best course of action here is. Maybe we skip this *utterly* broken 3.90 ESR series and just stabilize the "rapid" releases instead until next ESR.
3.99 also solved the issue. It looks like 3.91 was planned as ESR: https://wiki.mozilla.org/NSS:Release_Versions
#914752
> Needed for firefox-115 ESR.
>
> juippis explained there's kind of a mess with this because NSS 3.90 was pretty broken and it's not clear if NSS 3.91 or NSS 3.92 is ESR..
> https://firefox-source-docs.mozilla.org/security/nss/releases/index.html#mozilla-projects-nss-releases says 3.90 still, but https://wiki.mozilla.org/NSS:Release_Versions says 3.91.
>
> Let's go for the conservative option of 3.91 for now given 3.90 was hopelessly bad.
3.90.2 should be compatible according to https://bugzilla.mozilla.org/show_bug.cgi?id=1880562 (my version is 115.9.1esr)
Bug 928403
Would be great if someone reported this issue with 3.90.2 to upstream including the exact error messages, also mentioning that 3.99 works. We could still drop stable from 3.99 to 3.90.3 if it works. Apparently nss-100 will have bigger changes so I fear going from 100 -> 3.90* will not be feasible anymore.
(In reply to Joonas Niilola from comment #16)
> Would be great if someone reported this issue with 3.90.2 to upstream
> including the exact error messages, also mentioning that 3.99 works.
>
> We could still drop stable from 3.99 to 3.90.3 if it works. Apparently
> nss-100 will have bigger changes so I fear going from 100 -> 3.90* will not
> be feasible anymore.
Hi Joonas, I created https://bugs.gentoo.org/928901 about the crash. It contains all the needed information. Please take a look and add the link in "see also". This bug should be closed: it is related to a security bug that is now fixed. Let's continue in https://bugs.gentoo.org/928901.