Release Management/Chemspill

From MozillaWiki


"Chemspill" is a term used to describe a security-driven rapid release.

In a "chemspill" situation we release on whichever channels are necessary, with only the necessary patch(es), as fast as possible. This is usually reserved for situations where a critical security exploit is public.

Some documentation around chemspill process

Past chemspills

2019 Jun "Coinbase hack"

2 chemspills during all hands work week.

2019 May "Armagadd-on 2"

Not a security breach but a rapid and focused single-issue dot release, which we treated as a chemspill in some ways. Repaired certificate chain to re-enable web extensions that had been disabled.

pwn2own 2019

IonMonkey/JIT issues

pwn2own 2018 Mar 15

Out of bounds memory write while processing Vorbis audio data.

2018 Jan: Spectre/Meltdown

2017 Dec: tab crash issue

Not quite a chemspill, but it was treated as such. Fixed a crash reporting issue that inadvertently sent background tab crash reports to Mozilla without user opt-in.

2017 Mar, pwn2own

Integer overflow in createImageBitmap()

2016 Nov 30, SVG 0day

Firefox SVG Animation Remote Code Execution.

2016, "Armagadd-on"

Feb 2016 Service workers issue

  • Versions: 44.0.2
  • Bug(s): 1245724
  • Notes:

Aug 2015, Graphite2

  • Versions: ESR 38
  • Bug:
  • Notes:

Aug 2015, pdf.js issue

  • Versions: 39.0.3, 38.1.1
  • Bug(s): 1191284
  • Notes:

Apr 2015

  • Versions: 39.0.3
  • Bug(s):
  • Notes:

Mar 2015