Increase libnss3 dependency requirement to 3.26
Reported by
vanantwe...@gmail.com,
Feb 11 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Steps to reproduce the problem:
Reported on https://productforums.google.com/forum/#!topic/chrome/iGCFIoCprO4
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM is given on visiting google.com ...
What is the expected behavior?
What went wrong?
Installing libnss2-1d has been reported to fix the issue. Would it be possible to add this to the installation dependencies?
Did this work before? N/A
Chrome version: 56
Channel: stable
OS Version:
Flash Version: N/A
,
Feb 14 2017
,
Feb 14 2017
,
Feb 14 2017
Libnss3 is already part of the dependencies. NSS 3.14.3 is the minimum required version at present due to distribution requirements. NSS 3.17.4 includes the fix for preferring SHA-256 vs SHA-1.
On Jessie, we require NSS 3.26 - https://cs.chromium.org/chromium/src/build/linux/sysroot_scripts/packagelist.jessie.arm?rcl=ea69b8739b1bf1a220ea541cca7886597c04bf0b&l=160
On Wheezy, we require NSS 3.14.5 - https://cs.chromium.org/chromium/src/build/linux/sysroot_scripts/packagelist.wheezy.i386?rcl=ea69b8739b1bf1a220ea541cca7886597c04bf0b&l=138
On Precise, we require NSS 3.26.2 - https://cs.chromium.org/chromium/src/build/linux/sysroot_scripts/packagelist.precise.amd64?rcl=ea69b8739b1bf1a220ea541cca7886597c04bf0b&l=138
On Trusty, we require NSS 3.26.2 - https://cs.chromium.org/chromium/src/build/linux/sysroot_scripts/packagelist.trusty.arm?rcl=ea69b8739b1bf1a220ea541cca7886597c04bf0b&l=123
Lei, Pawel, Dirk: What's the dance needed to bump NSS revisions? Can we?
,
Feb 14 2017
Note: NSS 3.17.4 was released 1/28/2015 - https://groups.google.com/d/msg/mozilla.dev.tech.crypto/GglnJ6-HwYw/Bre-vMecC8wJ
,
Feb 21 2017
This looks like out of scope for TE, hence adding the respective label for it to triage further.
,
Mar 1 2017
In chrome/installer/linux/debian/build.sh, the dependency entry is set to:
libnss3 (>= 3.17.2)
But we don't support Wheezy, so you should be able to bump it up to 3.26.
,
Mar 1 2017
Bumping to 3.26 sgtm.
,
Mar 1 2017
We don't support Wheezy, but we do still kinda support Precise (not in the wild, but we still have builders on it), and so dropping this isn't completely straightforward. See also my comments on bug 697494.
,
Mar 1 2017
It seems this discussion has gotten a bit off topic, isn't this bug about adding a dependency on libnss3-1d (which is different from libnss3)? Also, while bumping the dependency requirements to 3.26 would be easy enough to do, I don't think it would solve the issue. Systems that are able to have 3.26 (ie, all systems that we actually support) will already have 3.26 installed.
,
Mar 1 2017
re Comment 10: There's no actual runtime dependency on libnss3-1d. I think the reason this manifests is simply because the act of installing this new package forces the libnss3 package to be upgraded from the security tree of the distribution, which is effectively what resolves the issue.
I've got a CL out to bump the dependency to 3.26, both in build scripts and runtime.
The issue here is NSS maintains a strict ABI compatibility guarantee, and unless we use the API symbols from NSS 3.26, there's nothing runtime that actually requires it - despite compiling with 3.26 in the sysroot. The effect is that distros running the 'rtm' version (e.g. without any security updates applied) end up running a woefully out of date NSS version. If we actually used the symbols from 3.26 that are available in the sysroot (... mod Precise/Wheezy), I think our users wouldn't have encountered this.
,
Mar 1 2017
There is a thread with the valgrind team discussing the ASAN/MSAN challenges, but just for documentation:
http://packages.ubuntu.com/precise/libnss3
http://packages.ubuntu.com/trusty/libs/libnss3
Are both 3.26.2 as well.
,
Mar 1 2017
,
Mar 2 2017
Hi! I have been facing this issue; have attached 3 screenshots. Please have a look. Thanks.
,
Mar 2 2017
@Comment 14: It would appear you may have disabled one or more critical security updates. You can see https://help.ubuntu.com/community/AutomaticSecurityUpdates on how to ensure critical security updates are automatically installed.
,
Mar 2 2017
No critical updates pending. Also, this issue (as in previous screenshots) is only for Google websites. All other websites opening normally.
,
Mar 2 2017
Note: the unattended-upgrade package is just one part of getting to updates. https://help.ubuntu.com/community/AutomaticSecurityUpdates#Using_GNOME_Update_Manager should show that "libnss3" is version 3.26.2 or later.
,
Mar 2 2017
Thank you very very much :). Special thanks for specific "libnss3" guidance. The issue is completely resolved. I would never have been able to sort it out. Thanks a lot :)
,
May 27 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c61e0b14d96fcb5c4592d2c12551994f879e5490

commit c61e0b14d96fcb5c4592d2c12551994f879e5490
Author: thomasanderson <thomasanderson@chromium.org>
Date: Sat May 27 01:31:22 2017

Add jessie-security repo to sysroot scripts

This CL adds a more general syntax for specifying apt sources for sysroot-creator.sh, similar to /etc/apt/sources.list. Whereas previously there was only APT_REPO, this CL allows specifying multiple repos so that we can get "security.debian.org" in addition to "ftp.us.debian.org".

BUG=691261
R=thestig@chromium.org

Review-Url: https://codereview.chromium.org/2912533002
Cr-Commit-Position: refs/heads/master@{#475209}

[modify] https://crrev.com/c61e0b14d96fcb5c4592d2c12551994f879e5490/build/linux/sysroot_scripts/debian-archive-jessie-stable.gpg
[modify] https://crrev.com/c61e0b14d96fcb5c4592d2c12551994f879e5490/build/linux/sysroot_scripts/sysroot-creator-jessie.sh
[modify] https://crrev.com/c61e0b14d96fcb5c4592d2c12551994f879e5490/build/linux/sysroot_scripts/sysroot-creator.sh
,
May 27 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1c02ea390c65d2292b64ffbb57c4a4d4873c34b4

commit 1c02ea390c65d2292b64ffbb57c4a4d4873c34b4
Author: thestig <thestig@chromium.org>
Date: Sat May 27 01:36:57 2017

Linux: Make manual libnss3 version dependency work again.

When libnss3 is specified as a dependency both manually and via dpkg-shlibdeps, only the dpkg-shlibdeps dependency actually makes it into the .deb file's Depends section. To work around this, remove the entry generated by dpkg-shlibdeps, after comparing it to expectations.

This used to work, but something changed during the Jessie sysroot update.

BUG=691261, 726858

Review-Url: https://codereview.chromium.org/2903253005
Cr-Commit-Position: refs/heads/master@{#475215}

[modify] https://crrev.com/1c02ea390c65d2292b64ffbb57c4a4d4873c34b4/chrome/installer/linux/debian/build.sh
,
May 27 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/78f649de4a2e25c585115ed7127416c07f557655

commit 78f649de4a2e25c585115ed7127416c07f557655
Author: thomasanderson <thomasanderson@chromium.org>
Date: Sat May 27 05:12:37 2017

Roll sysroots

This CL rolls the sysroots after: https://codereview.chromium.org/2912533002/

BUG=691261
R=thestig@chromium.org

Review-Url: https://codereview.chromium.org/2911763002
Cr-Commit-Position: refs/heads/master@{#475239}

[modify] https://crrev.com/78f649de4a2e25c585115ed7127416c07f557655/build/linux/sysroot_scripts/packagelist.jessie.amd64
[modify] https://crrev.com/78f649de4a2e25c585115ed7127416c07f557655/build/linux/sysroot_scripts/packagelist.jessie.arm
[modify] https://crrev.com/78f649de4a2e25c585115ed7127416c07f557655/build/linux/sysroot_scripts/packagelist.jessie.arm64
[modify] https://crrev.com/78f649de4a2e25c585115ed7127416c07f557655/build/linux/sysroot_scripts/packagelist.jessie.i386
[modify] https://crrev.com/78f649de4a2e25c585115ed7127416c07f557655/build/linux/sysroot_scripts/packagelist.jessie.mipsel
[modify] https://crrev.com/78f649de4a2e25c585115ed7127416c07f557655/build/linux/sysroot_scripts/sysroots.json
,
May 30 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ce1be06c2ea023c7a41852a9002fdb5cc690bc80

commit ce1be06c2ea023c7a41852a9002fdb5cc690bc80
Author: Lei Zhang <thestig@chromium.org>
Date: Tue May 30 19:09:17 2017

M59: Linux: Make manual libnss3 version dependency work again.

When libnss3 is specified as a dependency both manually and via dpkg-shlibdeps, only the dpkg-shlibdeps dependency actually makes it into the .deb file's Depends section. To work around this, remove the entry generated by dpkg-shlibdeps, after comparing it to expectations.

This used to work, but something changed during the Jessie sysroot update.

BUG=691261, 726858

Review-Url: https://codereview.chromium.org/2903253005
Cr-Original-Commit-Position: refs/heads/master@{#475215}
Review-Url: https://codereview.chromium.org/2910253002 .
Cr-Commit-Position: refs/branch-heads/3071@{#722}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/ce1be06c2ea023c7a41852a9002fdb5cc690bc80/chrome/installer/linux/debian/build.sh
,
May 31 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1c22d9bc4c094b6c20e096d4b1fd6bc906f066e9

commit 1c22d9bc4c094b6c20e096d4b1fd6bc906f066e9
Author: tyoshino <tyoshino@chromium.org>
Date: Wed May 31 05:18:29 2017

Revert of M59: Linux: Make manual libnss3 version dependency work again. (patchset #1 id:1 of https://codereview.chromium.org/2910253002/ )

Reason for revert:
Looks like this broke the stable builder.
https://bugs.chromium.org/p/chromium/issues/detail?id=727996

Original issue's description:
> M59: Linux: Make manual libnss3 version dependency work again.
>
> When libnss3 is specified as a dependency both manually and via
> dpkg-shlibdeps, only the dpkg-shlibdeps dependency actually makes it
> into the .deb file's Depends section. To work around this, remove the
> entry generated by dpkg-shlibdeps, after comparing it to expectations.
>
> This used to work, but something changed during the Jessie sysroot
> update.
>
> BUG= 691261 , 726858
>
> Review-Url: https://codereview.chromium.org/2903253005
> Cr-Original-Commit-Position: refs/heads/master@{#475215}
> Review-Url: https://codereview.chromium.org/2910253002 .
> Cr-Commit-Position: refs/branch-heads/3071@{#722}
> Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}
> Committed: https://chromium.googlesource.com/chromium/src/+/ce1be06c2ea023c7a41852a9002fdb5cc690bc80

TBR=thestig@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=691261, 726858

Review-Url: https://codereview.chromium.org/2913103003
Cr-Commit-Position: refs/branch-heads/3071@{#728}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/1c22d9bc4c094b6c20e096d4b1fd6bc906f066e9/chrome/installer/linux/debian/build.sh
,
May 31 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c73405cbac5a361a4129200066007e1fde882484

commit c73405cbac5a361a4129200066007e1fde882484
Author: Lei Zhang <thestig@chromium.org>
Date: Wed May 31 08:11:36 2017

M59: Linux: Make manual libnss3 version dependency work again. (try 2)

When libnss3 is specified as a dependency both manually and via dpkg-shlibdeps, only the dpkg-shlibdeps dependency actually makes it into the .deb file's Depends section. To work around this, remove the entry generated by dpkg-shlibdeps, after comparing it to expectations.

This used to work, but something changed during the Jessie sysroot update.

BUG=691261, 726858

Review-Url: https://codereview.chromium.org/2903253005
Cr-Original-Original-Commit-Position: refs/heads/master@{#475215}
Review-Url: https://codereview.chromium.org/2914763002 .
Cr-Commit-Position: refs/branch-heads/3071@{#730}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/c73405cbac5a361a4129200066007e1fde882484/chrome/installer/linux/debian/build.sh
,
Jun 1 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e07fdaea3823ca6e88ab2dff92adbe9af1a6b31d

commit e07fdaea3823ca6e88ab2dff92adbe9af1a6b31d
Author: Lei Zhang <thestig@chromium.org>
Date: Thu Jun 01 05:56:03 2017

M60: Linux: Make manual libnss3 version dependency work again.

When libnss3 is specified as a dependency both manually and via dpkg-shlibdeps, only the dpkg-shlibdeps dependency actually makes it into the .deb file's Depends section. To work around this, remove the entry generated by dpkg-shlibdeps, after comparing it to expectations.

This used to work, but something changed during the Jessie sysroot update.

BUG=691261, 726858

Review-Url: https://codereview.chromium.org/2903253005
Cr-Original-Commit-Position: refs/heads/master@{#475215}
Review-Url: https://codereview.chromium.org/2921593002 .
Cr-Commit-Position: refs/branch-heads/3112@{#80}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

[modify] https://crrev.com/e07fdaea3823ca6e88ab2dff92adbe9af1a6b31d/chrome/installer/linux/debian/build.sh
,
Jun 5 2017
Could someone please help us with the steps to verify it? We tried installing a deb package on Ubuntu 14.04 and on Debian OS, but were unable to find the line "Depends:" with an entry for "libnss3". Should this be seen if we have libnss3 version less than 3.17.2? Tried using chrome version 59.0.3071.86 build. Thanks!
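One way to run the check asked about above, as an added example that is not part of the original thread and not Chromium's build.sh: it extracts the libnss3 constraint from a package's Depends field and tests whether it forces NSS 3.26 or later. The function names and both sample Depends strings are constructed, and the comparison looks only at the upstream version (epoch and Debian revision are dropped).

```shell
#!/bin/sh
# Added example, not Chromium's build.sh. Function names and both sample
# Depends strings are constructed for illustration.
# Real input: dpkg-deb -f package.deb Depends
#             dpkg-query -W -f='${Version}' libnss3

# Reduce a Debian version to the upstream NSS version:
# "2:3.26.2-0ubuntu0.14.04.3" -> "3.26.2" (epoch and revision dropped).
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# Succeeds when upstream version $1 >= $2 (numeric dotted components only).
version_ge() {
    a=$(upstream_version "$1"); b=$(upstream_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print the version of every "libnss3 (>= V)" entry in a Depends field.
# The package name must match exactly, so libnss3-1d is not picked up.
nss_constraints() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^ *libnss3 *(>= *\([^) ]*\) *) *$/\1/p'
}

# Succeeds when the Depends field $2 forces libnss3 >= $1.
depends_enforces_nss() {
    for c in $(nss_constraints "$2"); do
        version_ge "$c" "$1" && return 0
    done
    return 1
}

# Constructed samples: only a shlibdeps-style entry vs. the manual one.
WEAK='libc6 (>= 2.17), libnspr4 (>= 2:4.9-2~), libnss3 (>= 2:3.13.4-2~)'
FIXED='libc6 (>= 2.17), libnspr4 (>= 2:4.9-2~), libnss3 (>= 3.26)'
for d in "$WEAK" "$FIXED"; do
    if depends_enforces_nss 3.26 "$d"; then r=enforced; else r=NOT-enforced; fi
    echo "$r: $d"
done
```

`dpkg --compare-versions` is the authoritative comparison and, unlike the upstream-only comparison here, also takes the epoch into account.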
,
Jun 5 2017
As the same CL in comment is applicable for issue#726858 which I have verified based on steps provided by Lei, I am marking this bug as verified as well as both bugs are dependent on libnss3 which is not listed under "Depends:"
,
Jun 5 2017
,
Jun 5 2017
Tom: New RPMs updated for your sanity checking. If all looks good, I'll land https://codereview.chromium.org/2721373002 for M-61 (although would <3 to merge it for M-60)
,
Jun 6 2017
,
Jun 8 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b52a2dfadb3158e39a3848d3631a2deffd4b2ac8

commit b52a2dfadb3158e39a3848d3631a2deffd4b2ac8
Author: rsleevi <rsleevi@chromium.org>
Date: Thu Jun 08 18:28:11 2017

Uprev NSS requirement on Linux to 3.26

BUG=691261

Review-Url: https://codereview.chromium.org/2721373002
Cr-Commit-Position: refs/heads/master@{#478030}

[modify] https://crrev.com/b52a2dfadb3158e39a3848d3631a2deffd4b2ac8/chrome/installer/linux/debian/build.sh
[modify] https://crrev.com/b52a2dfadb3158e39a3848d3631a2deffd4b2ac8/chrome/installer/linux/rpm/build.sh
[modify] https://crrev.com/b52a2dfadb3158e39a3848d3631a2deffd4b2ac8/crypto/nss_util.cc
[modify] https://crrev.com/b52a2dfadb3158e39a3848d3631a2deffd4b2ac8/crypto/scoped_test_nss_db.cc
,
Jun 12 2017
Comment 1 by vanantwe...@gmail.com
, Feb 11 2017