Security and patch rollup for FPR1 from ESR52 #402

@classilla

From esr52

Not relevant:
M1366140 (Windows only)
M1366595 (not vulnerable)
M1357090 (not vulnerable, and not possible to enable)
M1355520 (not in our version of libcubeb)
M1361326 (Windows only)
M1334097 (no plugins, not in code)
M1356179 (not in code)
M1343256 (regression from M1150678)
M1359697 (not in code)
M1304566 (requires DLL and some later changes to trigger)
M1342057 (we don't have this support yet)
M1362590 (not in code)
M1358776 (not ARM, no Skia)
M1355340 (we don't run on Sierra)
M1354308 (not vulnerable)
M1352348 (not in code)
M1343172 (not affected, not shipped)
M1345893 (not in code)
M1152353 (Windows only)
M1313977 (we don't run on El Crapitan neither)
M1351340 (not vulnerable)
M1345355 (Windows only)
M1347748 (we don't have this support yet)
M1324140 (we don't have this support yet)
M1346012 (not vulnerable)
M1347835 (Windows only)
M1028195 (Windows only)
M1273265 (Windows only)
M1354810 (we don't have this support yet)
M1346499 (Windows only)
M1357462 (not vulnerable)
M1351278 (Windows only)
M1348424 (we use different widget code here and we don't run on El Crap)
M1343818 (Windows only)

Not taking:
M1349266 (no WorkerHolder, not shipped)
M1237868 (not clear if the security issue is relevant to 45 due to different handlers)
M1345910 (too many regressions in related NTLM code, such as M1360574 and M1346392)
M1356025 (requires M1349719, unlikely to be triggered, has performance impact)
M1349310 (not shipped)
M1325513 (not shipped)
M1359859 (would apply and does fix known though rare issue but M1356558 is more targeted and has little risk of hitting addons)
M1338574 (we don't care)
M1355414 (we don't build Thunderbird) - also M1357366, M1056322, M1353204
M1337810 (not shipped)
M1241066 (not shipped)
M1334443 (regression risk, likely not affected)
M1352566 (not shipped) - also M1349595
M1352093 (not vulnerable in 32-bit builds, we'd run out of memory first)
M1342366 (not e10s)
M1354294 (we don't like LastPass and they don't like us, so screw 'em) - but see below

Defer to separate of rollup:
M1353649 (see intl/icu/source/tools/tzcode/readme.txt) - not a security issue
M1342552 if we think we're actually affected or this is a frequent crash. I'm not sure we are, and printing/IME code is very fragile on our end. Defer.
M1355873 (big and risky but we probably need it -- however, see deps)
M1297111 (big and risky but we probably need it)

Candidates:
M1364283 https://hg.mozilla.org/releases/mozilla-esr52/rev/a6caa7628e365ac53d12fef9146ff09094b33e41
M1359639 https://hg.mozilla.org/releases/mozilla-esr52/rev/a4f8d8a12afa
M1365602 (because of #387) https://hg.mozilla.org/releases/mozilla-esr52/rev/aad883966edd
M1356601 (also fixes M1353312) https://hg.mozilla.org/releases/mozilla-esr52/rev/8191e403fedf
M1356558 https://hg.mozilla.org/releases/mozilla-esr52/rev/89c7fb6c5be3
M1357599 https://hg.mozilla.org/releases/mozilla-esr52/rev/e0e348f79006 (just genname)
M1335904 (make sure to get the right OID!) https://hg.mozilla.org/releases/mozilla-esr52/rev/366cdd623cfb
M1363396 https://hg.mozilla.org/releases/mozilla-esr52/rev/24cbb7f2e0ff
M1355039 https://hg.mozilla.org/releases/mozilla-esr52/rev/4ae71415fecf
M1356755 https://hg.mozilla.org/releases/mozilla-esr52/rev/4a3fce67b52d but throw a MOZ_UNLIKELY in there
M1359547 https://hg.mozilla.org/releases/mozilla-esr52/rev/43d7b98d8743
M1360309 https://hg.mozilla.org/releases/mozilla-esr52/rev/c7fca0c66eac
M1348454 https://hg.mozilla.org/releases/mozilla-esr52/rev/c1cd8a02669f
take the proxy portion M1354294 https://hg.mozilla.org/releases/mozilla-esr52/rev/9e17e0266d21

refresh security/nss/lib/ckfw/builtins/certdata.txt from esr52
finish #400 as a prerequisite
finish #401 as a prerequisite
