Release Management/Chemspill

From MozillaWiki


"Chemspill" is a term used to describe a security-driven rapid release.

In a "chemspill" situation we release on whichever channels necessary, with only the necessary patch(es), as fast as possible. This is usually reserved for situations where a critical security exploit is public.

Some documentation on the chemspill process

Past chemspills

2023 September - libwebp

2022 May Pwn2Own

2022 March "zero days before wellness days"

2020 Apr

2020 Jan "DarkHotel"

  • Versions with the fix
  • 8 Jan 2020: Firefox 72.0.1, 73.0b2, 74 Nightly; Firefox for Android 68.4.1, 68.5.1; ESR 68.4.1 (Sec-advisory)
  • Bug(s): 1607443
  • (Add geckoview based releases)
  • Notes: Incident doc; Retrospective

2019 Jun "Coinbase hack"

Two chemspills during the all-hands work week.

2019 May "Armagadd-on 2"

Not a security breach, but a rapid and focused single-issue dot release, which we treated as a chemspill in some ways. Repaired the certificate chain to re-enable web extensions that had been disabled.

pwn2own 2019

IonMonkey/JIT issues

pwn2own 2018 Mar 15

Out of bounds memory write while processing Vorbis audio data.

2018 Jan: Spectre/Meltdown

  • Versions: 58.0.1, 57.0.4
  • Bug(s): 1423225
  • Notes: incident doc

2017 Dec: tab crash issue

Not quite a chemspill, but treated as one. Fixed a crash-reporting issue that inadvertently sent background tab crash reports to Mozilla without user opt-in.

2017 Mar, pwn2own

Integer overflow in createImageBitmap()

2016 Nov 30, SVG 0day

Firefox SVG Animation Remote Code Execution.

2016, "Armagadd-on"

Feb 2016 Service workers issue

  • Versions: 44.0.2
  • Bug(s): 1245724
  • Notes:

Aug 2015, pdf.js issue

Apr 2015

  • Versions: 39.0.3.
  • Bug(s):
  • Notes:

Mar 2015