#983504 firefox-esr: depends on wrong libnss3 version, TLS hangs with 2:3.58-1

Package:
firefox-esr
Source:
firefox-esr
Description:
Mozilla Firefox web browser - Extended Support Release (ESR)
Submitter:
"Adam M. Costello"
Date:
2021-02-25 09:06:25 UTC
Severity:
important
#983504#5
Date:
2021-02-25 08:28:22 UTC
From:
To:
Dear Maintainer,

firefox-esr (both the latest version 78.8.0esr-1 and the latest testing
version 78.7.0esr-1) depends on libnss3 (>= 2:3.53.1~), but that is not
sufficient. https fails completely with libnss3 2:3.58-1.  It works with
2:3.61-1 (the current testing version).  I didn't try any other versions
of libnss3.

Evidence:

When I updated firefox-esr from 78.3.0esr-2 to 78.7.0esr-1, https
stopped working.  The firefox developer console showed that it was
making the TCP connection but not getting past the TLS setup.  I tried
several versions of firefox-esr:

78.8.0esr-1 broken
78.7.0esr-1 broken
78.6.1esr-1 broken
78.5.0esr-1 worked
78.3.0esr-2 worked

Eventually I suspected libnss3, which was at version 2:3.58-1 this whole
time.  I updated it to 2:3.61-1 (the current testing version), then
retried firefox-esr 78.7.0esr-1 (the current testing version), and that
worked.