SCIENTIFIC-LINUX-DEVEL Archives

August 2008

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

From: Troy Dawson <[log in to unmask]>
Date: Thu, 14 Aug 2008 15:56:29 -0500

Hi Jon,
You are indeed correct now that I look at things.
We had the firefox and all its dependencies in the testing area for a while, 
and it looks like the nss and nspr were updated without the testing ones being 
updated.

I want to verify that this fixes the problem.  I am looking at the paypal site, 
but I don't know where the "run by" message is.

Troy

Jon Peatfield wrote:
> When firefox-3.0 was released for sl52 we saw the following security
> updates:
> 
>> SRPMS:
>>   devhelp-0.12-17.el5.src.rpm
>>   nss-3.12.0.3-1.el5.src.rpm
>>   firefox-3.0-2.el5.src.rpm
>>   xulrunner-1.9-1.el5.src.rpm
>>   nspr-4.7.1-1.el5.src.rpm
>>   yelp-2.16.0-19.el5.src.rpm
> ...
> 
> Later when firefox-3.0.1 was also pushed to sl51, sl50 the set of packages
> updated was:
> 
> ...
>>    SRPMS:
>> devhelp-0.12-18.el5.src.rpm
>> firefox-3.0.1-1.el5.src.rpm
>> xulrunner-1.9.0.1-1.el5.src.rpm
>> yelp-2.16.0-20.el5.src.rpm
> ...
> 
> So there were no security updates for nss, nspr at that point, and indeed
> I still seem to have nss-3.11.99.5-2.el5, nspr-4.7.0.99.2-1.el5 as the
> latest versions.
> 
> This may be intended, but I notice that on an sl51 box (updated to firefox
> 3.0.1) I don't get the "Extended Validation (EV) SSL" stuff appearing in
> the location bar, but I do on a test box running sl52 also using
> firefox-3.0.1
> 
> If I update just the nss* packages to the same version as in sl52 then it
> magically works.  I don't know if the nspr security update is also
> actually expected by firefox-3 or not but a trivial test suggests that it
> can be updated to without obvious problems on sl51...
> 
> Could/should the nss/nspr errata be pushed to sl51/sl50?
> 
> [ anyone who doesn't know about the EV stuff should look at (say)
> https://www.paypal.com/ and see if the box displays a 'run by' message. ]
> 
>   -- Jon


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
