All: Firefox 3.6.7's code freeze was last Friday (https://wiki.mozilla.org/Releases/Firefox_3.6.7). We are trying to get ASLR turned on for nspr (bug 559133) and nss (bug 567134) to harden Firefox before BlackHat.
It looks like there hasn't really been movement on bug 559133. Because of this and because 3.6.7 is closing/closed, we would like to land a patch on top of our current NSS that turns the DYNAMICBASE linker flag on. Official windows builds use a linker that supports the DYNAMICBASE flag, so the change should have the desired behavior. Others building the source may see a warning (or potentially a failed build), depending on how we implement the patch and the version of VS they are using. The downstream impact isn't too great as most distributers rebuilding from source are Linux vendors who would be unaffected by this change. I'm sending this email to: 1) Call attention to bug 567134 (https://bugzilla.mozilla.org/show_bug.cgi?id=567134), perhaps getting a nss-blessed fix 2) Notify the NSS community of what we would like to do and the reasons for doing so 3) Give people an opportunity to point out concerns or risks we may have missed Thanks, Christian Legnitto Firefox Stability and Security Release Manager -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
