Merge branch 'c8' into a8

2023-07-14 11:25:13 +03:00 · 2023-07-14 11:25:13 +03:00 · 9aa9900f52
commit 9aa9900f52
parent fd99a5867f a5e0937424
7 changed files with 689 additions and 20 deletions
--- a/.firefox.metadata
+++ b/.firefox.metadata
@ -1,7 +1,5 @@
 52f2d51d0e17d137571bf3a766f514d34e28e556 SOURCES/cbindgen-vendor.tar.xz
-6aa448bcbabf2b9410b916e8290b0f58ee725186 SOURCES/firefox-102.11.0esr.b2.processed-source.tar.xz
+c4754e71b61165ea4c3c0631875d57cd5533cde7 SOURCES/firefox-102.13.0esr.b2.processed-source.tar.xz
-a26fce6c1a21e026f550ee9e4431200ddd041e36 SOURCES/firefox-langpacks-102.11.0esr-20230504.tar.xz
+47c2292880afb9c3ebd9a5d1b1c00717d021a36c SOURCES/firefox-langpacks-102.13.0esr-20230630.tar.xz
 2dbf669fa4742e7065cc54cec19f96423032658b SOURCES/firefox-symbolic.svg
 da39a3ee5e6b4b0d3255bfef95601890afd80709 SOURCES/mochitest-python.tar.gz
 af58b3c87a8b5491dde63b07efaeb3d7f1ec56c1 SOURCES/nspr-4.34.0-3.el8_1.src.rpm
 a9dd43799ab2ccbc248cfbba1cc5639c1ab18769 SOURCES/nss-3.79.0-11.el8_1.src.rpm
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,5 @@
 SOURCES/cbindgen-vendor.tar.xz
-SOURCES/firefox-102.11.0esr.b2.processed-source.tar.xz
+SOURCES/firefox-102.13.0esr.b2.processed-source.tar.xz
-SOURCES/firefox-langpacks-102.11.0esr-20230504.tar.xz
+SOURCES/firefox-langpacks-102.13.0esr-20230630.tar.xz
 SOURCES/firefox-symbolic.svg
 SOURCES/mochitest-python.tar.gz
 SOURCES/nspr-4.34.0-3.el8_1.src.rpm
 SOURCES/nss-3.79.0-11.el8_1.src.rpm
--- a/SOURCES/firefox-almalinux-default-prefs.js
+++ b/SOURCES/firefox-almalinux-default-prefs.js
@ -36,3 +36,6 @@ pref("browser.gnome-search-provider.enabled",true);
 pref("media.navigator.mediadatadecoder_vpx_enabled", true);
 /* See https://bugzilla.redhat.com/show_bug.cgi?id=1672424 */
 pref("storage.nfs_filesystem", true);
 pref("datareporting.healthreport.uploadEnabled", false);
 pref("datareporting.policy.dataSubmissionEnabled", false);
 pref("toolkit.telemetry.archive.enabled", false);
--- a/SOURCES/firefox-symbolic.svg
+++ b/SOURCES/firefox-symbolic.svg
@ -0,0 +1,3 @@
 <svg id="Assets" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
  <path d="M190.368 150.591c0.157 0.009 0.079 0.003 0 0zm-57.874-28.933c0.158 0.008 0.079 0.003 0 0zm346.228 44.674c-10.445-25.123-31.6-52.248-48.211-60.82 13.52 26.5 21.345 53.093 24.335 72.935 0 0.04 0.015 0.136 0.047 0.4-27.175-67.732-73.254-95.047-110.886-154.512-1.9-3.008-3.805-6.022-5.661-9.2a73.237 73.237 0 0 1-2.646-4.972 43.757 43.757 0 0 1-3.585-9.5 0.625 0.625 0 0 0-0.546-0.644 0.8 0.8 0 0 0-0.451 0c-0.033 0.011-0.084 0.051-0.119 0.065-0.053 0.02-0.12 0.069-0.176 0.095 0.026-0.036 0.083-0.117 0.1-0.135-53.437 31.3-75.587 86.093-81.282 120.97a128.057 128.057 0 0 0-47.624 12.153 6.144 6.144 0 0 0-3.041 7.63 6.034 6.034 0 0 0 8.192 3.525 116.175 116.175 0 0 1 41.481-10.826c0.468-0.033 0.937-0.062 1.405-0.1a117.624 117.624 0 0 1 5.932-0.211 120.831 120.831 0 0 1 34.491 4.777c0.654 0.192 1.295 0.414 1.946 0.616a120.15 120.15 0 0 1 5.539 1.842 121.852 121.852 0 0 1 3.992 1.564c1.074 0.434 2.148 0.868 3.206 1.331a118.453 118.453 0 0 1 4.9 2.307c0.743 0.368 1.485 0.735 2.217 1.117a120.535 120.535 0 0 1 4.675 2.587 107.785 107.785 0 0 1 2.952 1.776 123.018 123.018 0 0 1 42.028 43.477c-12.833-9.015-35.81-17.918-57.947-14.068 86.441 43.214 63.234 192.027-56.545 186.408a106.7 106.7 0 0 1-31.271-6.031 132.461 132.461 0 0 1-7.059-2.886c-1.356-0.618-2.711-1.243-4.051-1.935-29.349-15.168-53.583-43.833-56.611-78.643 0 0 11.093-41.335 79.433-41.335 7.388 0 28.508-20.614 28.9-26.593-0.09-1.953-41.917-18.59-58.223-34.656-8.714-8.585-12.851-12.723-16.514-15.829a71.7 71.7 0 0 0-6.225-4.7 111.335 111.335 0 0 1-0.675-58.733c-24.687 11.242-43.89 29.011-57.849 44.7h-0.111c-9.528-12.067-8.855-51.873-8.312-60.184-0.114-0.516-7.107 3.63-8.024 4.254a175.21 175.21 0 0 0-23.486 20.12 210.5 210.5 0 0 0-22.443 26.913c0 0.012-0.007 0.025-0.011 0.037 0-0.012 0.007-0.025 0.011-0.038a202.837 202.837 0 0 0-32.244 72.81c-0.058 0.265-2.29 10.054-3.92 22.147a265.794 265.794 0 0 0-0.769 5.651c-0.558 3.636-0.992 7.6-1.42 13.767-0.019 0.239-0.031 0.474-0.048 0.712a591.152 591.152 0 0 0-0.481 7.995c0 0.411-0.025 0.816-0.025 1.227 0 132.709 107.6 240.29 240.324 240.29 118.865 0 217.559-86.288 236.882-199.63 0.407-3.075 0.732-6.168 1.092-9.27 4.777-41.21-0.53-84.525-15.588-120.747zm-164.068 72.1z" fill="#fff"/>
 </svg>
--- a/SOURCES/mochitest-python.tar.gz
+++ b/SOURCES/mochitest-python.tar.gz
--- a/SOURCES/mozilla-1833330.patch
+++ b/SOURCES/mozilla-1833330.patch
@ -0,0 +1,632 @@
 diff --git a/security/manager/locales/en-US/security/certificates/certManager.ftl b/security/manager/locales/en-US/security/certificates/certManager.ftl
 --- a/security/manager/locales/en-US/security/certificates/certManager.ftl
 +++ b/security/manager/locales/en-US/security/certificates/certManager.ftl
@@ -51,9 +51,6 @@ certmgr-cert-name =
 certmgr-cert-server =
     .label = Server
 -certmgr-override-lifetime =
 -    .label = Lifetime
 -
 certmgr-token-name =
     .label = Security Device
@@ -69,6 +66,9 @@ certmgr-email =
 certmgr-serial =
     .label = Serial Number
 +certmgr-fingerprint-sha-256 =
 +    .label = SHA-256 Fingerprint
 +
 certmgr-view =
     .label = View…
     .accesskey = V
 diff --git a/security/manager/pki/resources/content/certManager.js b/security/manager/pki/resources/content/certManager.js
 --- a/security/manager/pki/resources/content/certManager.js
 +++ b/security/manager/pki/resources/content/certManager.js
@@ -64,22 +64,16 @@ var serverRichList = {
   buildRichList() {
     let overrides = overrideService.getOverrides().map(item => {
 -      let cert = null;
 -      if (item.dbKey !== "") {
 -        cert = certdb.findCertByDBKey(item.dbKey);
 -      }
       return {
         hostPort: item.hostPort,
 -        dbKey: item.dbKey,
         asciiHost: item.asciiHost,
         port: item.port,
         originAttributes: item.originAttributes,
 -        isTemporary: item.isTemporary,
 -        displayName: cert !== null ? cert.displayName : "",
 +        fingerprint: item.fingerprint,
       };
     });
     overrides.sort((a, b) => {
 -      let criteria = ["hostPort", "displayName"];
 +      let criteria = ["hostPort", "fingerprint"];
       for (let c of criteria) {
         let res = a[c].localeCompare(b[c]);
         if (res !== 0) {
@@ -106,10 +100,10 @@ var serverRichList = {
   _richBoxAddItem(item) {
     let richlistitem = document.createXULElement("richlistitem");
 -    richlistitem.setAttribute("dbKey", item.dbKey);
     richlistitem.setAttribute("host", item.asciiHost);
     richlistitem.setAttribute("port", item.port);
     richlistitem.setAttribute("hostPort", item.hostPort);
 +    richlistitem.setAttribute("fingerprint", item.fingerprint);
     richlistitem.setAttribute(
       "originAttributes",
       JSON.stringify(item.originAttributes)
@@ -120,18 +114,7 @@ var serverRichList = {
     hbox.setAttribute("equalsize", "always");
     hbox.appendChild(createRichlistItem({ raw: item.hostPort }));
 -    hbox.appendChild(
 -      createRichlistItem(
 -        item.displayName !== ""
 -          ? { raw: item.displayName }
 -          : { l10nid: "no-cert-stored-for-override" }
 -      )
 -    );
 -    hbox.appendChild(
 -      createRichlistItem({
 -        l10nid: item.isTemporary ? "temporary-override" : "permanent-override",
 -      })
 -    );
 +    hbox.appendChild(createRichlistItem({ raw: item.fingerprint }));
     richlistitem.appendChild(hbox);
@@ -170,32 +153,6 @@ var serverRichList = {
     }
   },
 -  viewSelectedRichListItem() {
 -    let selectedItem = this.richlist.selectedItem;
 -    if (!selectedItem) {
 -      return;
 -    }
 -
 -    let dbKey = selectedItem.getAttribute("dbKey");
 -    if (dbKey) {
 -      let cert = certdb.findCertByDBKey(dbKey);
 -      viewCertHelper(window, cert);
 -    }
 -  },
 -
 -  exportSelectedRichListItem() {
 -    let selectedItem = this.richlist.selectedItem;
 -    if (!selectedItem) {
 -      return;
 -    }
 -
 -    let dbKey = selectedItem.getAttribute("dbKey");
 -    if (dbKey) {
 -      let cert = certdb.findCertByDBKey(dbKey);
 -      exportToFile(window, cert);
 -    }
 -  },
 -
   addException() {
     let retval = {
       exceptionAdded: false,
@@ -212,16 +169,8 @@ var serverRichList = {
   },
   _setButtonState() {
 -    let websiteViewButton = document.getElementById("websites_viewButton");
 -    let websiteExportButton = document.getElementById("websites_exportButton");
     let websiteDeleteButton = document.getElementById("websites_deleteButton");
 -
 -    let certKey = this.richlist.selectedItem?.getAttribute("dbKey");
 -    let cert = certKey && certdb.findCertByDBKey(certKey);
 -
     websiteDeleteButton.disabled = this.richlist.selectedIndex < 0;
 -    websiteExportButton.disabled = !cert;
 -    websiteViewButton.disabled = websiteExportButton.disabled;
   },
 };
 /**
 diff --git a/security/manager/pki/resources/content/certManager.xhtml b/security/manager/pki/resources/content/certManager.xhtml
 --- a/security/manager/pki/resources/content/certManager.xhtml
 +++ b/security/manager/pki/resources/content/certManager.xhtml
@@ -157,18 +157,13 @@
            <listheader equalsize="always">
              <treecol id="sitecol" data-l10n-id="certmgr-cert-server" primary="true" flex="1"/>
 -             <treecol id="certcol" data-l10n-id="certmgr-cert-name" flex="1"/>
 -             <treecol id="lifetimecol" data-l10n-id="certmgr-override-lifetime" flex="1"/>
 +            <treecol id="sha256col" data-l10n-id="certmgr-fingerprint-sha-256" flex="1"/>
            </listheader>
            <richlistbox ondblclick="serverRichList.viewSelectedRichListItem();" class="certManagerRichlistBox" id="serverList" flex="1" selected="false"/>
           <separator class="thin"/>
           <hbox>
 -            <button id="websites_viewButton"
 -                    data-l10n-id="certmgr-view" oncommand="serverRichList.viewSelectedRichListItem();"/>
 -            <button id="websites_exportButton"
 -                    data-l10n-id="certmgr-export" oncommand="serverRichList.exportSelectedRichListItem();"/>
             <button id="websites_deleteButton"
                     data-l10n-id="certmgr-delete" oncommand="serverRichList.deleteSelectedRichListItem();"/>
             <button id="websites_exceptionButton"
 diff --git a/security/manager/ssl/nsCertOverrideService.cpp b/security/manager/ssl/nsCertOverrideService.cpp
 --- a/security/manager/ssl/nsCertOverrideService.cpp
 +++ b/security/manager/ssl/nsCertOverrideService.cpp
@@ -106,8 +106,8 @@ nsCertOverride::GetAsciiHost(/*out*/ nsA
 }
 NS_IMETHODIMP
 -nsCertOverride::GetDbKey(/*out*/ nsACString& aDBKey) {
 -  aDBKey = mDBKey;
 +nsCertOverride::GetFingerprint(/*out*/ nsACString& aFingerprint) {
 +  aFingerprint = mFingerprint;
   return NS_OK;
 }
@@ -118,12 +118,6 @@ nsCertOverride::GetPort(/*out*/ int32_t*
 }
 NS_IMETHODIMP
 -nsCertOverride::GetIsTemporary(/*out*/ bool* aIsTemporary) {
 -  *aIsTemporary = mIsTemporary;
 -  return NS_OK;
 -}
 -
 -NS_IMETHODIMP
 nsCertOverride::GetHostPort(/*out*/ nsACString& aHostPort) {
   nsCertOverrideService::GetHostWithPort(mAsciiHost, mPort, aHostPort);
   return NS_OK;
@@ -274,7 +268,6 @@ void nsCertOverrideService::RemoveAllTem
   for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) {
     nsCertOverrideEntry* entry = iter.Get();
     if (entry->mSettings->mIsTemporary) {
 -      entry->mSettings->mCert = nullptr;
       iter.Remove();
     }
   }
@@ -297,18 +297,11 @@
   nsAutoCString buffer;
   bool isMore = true;
 -  /* file format is:
 -   *
 -   * host:port:originattributes \t fingerprint-algorithm \t fingerprint \t
 -   * override-mask \t dbKey
 -   *
 -   *   where override-mask is a sequence of characters,
 -   *     M meaning hostname-Mismatch-override
 -   *     U meaning Untrusted-override
 -   *     T meaning Time-error-override (expired/not yet valid)
 -   *
 -   * if this format isn't respected we move onto the next line in the file.
 -   */
 +  // Each line is of the form:
 +  // host:port:originAttributes \t sSHA256OIDString \t fingerprint \t
 +  // There may be some "bits" identifiers and "dbKey" after the `fingerprint`
 +  // field in 'fingerprint \t \t dbKey' format, but these are now ignored.
 +  // Lines that don't match this form are silently dropped.
   while (isMore && NS_SUCCEEDED(lineInputStream->ReadLine(buffer, &isMore))) {
     if (buffer.IsEmpty() || buffer.First() == '#') {
@@ -350,23 +343,10 @@
         fingerprint.Length() == 0) {
       continue;
     }
 -    nsDependentCSubstring bitsString;
 -    if (!parser.ReadUntil(Tokenizer::Token::Whitespace(), bitsString) ||
 -        bitsString.Length() == 0) {
 -      continue;
 -    }
 -    nsDependentCSubstring dbKey;
 -    if (!parser.ReadUntil(Tokenizer::Token::EndOfFile(), dbKey) ||
 -        dbKey.Length() == 0) {
 -      continue;
 -    }
 -    nsCertOverride::OverrideBits bits;
 -    nsCertOverride::convertStringToBits(bitsString, bits);
     AddEntryToList(host, port, attributes,
 -                   nullptr,  // don't have the cert
 -                   false,    // not temporary
 -                   fingerprint, bits, dbKey, aProofOfLock);
 +                   false,  // not temporary
 +                   fingerprint, aProofOfLock);
   }
   return NS_OK;
@@ -412,9 +392,8 @@
     output.Append(kTab);
     output.Append(settings->mFingerprint);
     output.Append(kTab);
 -    output.Append(bitsString);
 -    output.Append(kTab);
 -    output.Append(settings->mDBKey);
 +    // the "bits" string used to go here, but it no longer exists
 +    // the "\t dbKey" string used to go here, but it no longer exists
     output.Append(NS_LINEBREAK);
   }
@@ -462,42 +441,16 @@
     return NS_ERROR_FAILURE;
   }
 -  nsAutoCString nickname;
 -  nsresult rv = DefaultServerNicknameForCert(nsscert.get(), nickname);
 -  if (!aTemporary && NS_SUCCEEDED(rv)) {
 -    UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
 -    if (!slot) {
 -      return NS_ERROR_FAILURE;
 -    }
 -
 -    // This can fail (for example, if we're in read-only mode). Luckily, we
 -    // don't even need it to succeed - we always match on the stored hash of the
 -    // certificate rather than the full certificate. It makes the display a bit
 -    // less informative (since we won't have a certificate to display), but it's
 -    // better than failing the entire operation.
 -    Unused << PK11_ImportCert(slot.get(), nsscert.get(), CK_INVALID_HANDLE,
 -                              nickname.get(), false);
 -  }
 -
   nsAutoCString fpStr;
 -  rv = GetCertSha256Fingerprint(aCert, fpStr);
 -  if (NS_FAILED(rv)) {
 -    return rv;
 -  }
 -
 -  nsAutoCString dbkey;
 -  rv = aCert->GetDbKey(dbkey);
 +  nsresult rv = GetCertSha256Fingerprint(aCert, fpStr);
   if (NS_FAILED(rv)) {
     return rv;
   }
   {
     MutexAutoLock lock(mMutex);
 -    AddEntryToList(aHostName, aPort, aOriginAttributes,
 -                   aTemporary ? aCert : nullptr,
 -                   // keep a reference to the cert for temporary overrides
 -                   aTemporary, fpStr,
 -                   (nsCertOverride::OverrideBits)aOverrideBits, dbkey, lock);
 +    AddEntryToList(aHostName, aPort, aOriginAttributes, aTemporary, fpStr,
 +                   lock);
     if (!aTemporary) {
       Write(lock);
     }
@@ -532,10 +485,8 @@
   MutexAutoLock lock(mMutex);
   AddEntryToList(aHostName, aPort, aOriginAttributes,
 -                 nullptr,  // No cert to keep alive
                  true,     // temporary
 -                 aCertFingerprint, (nsCertOverride::OverrideBits)aOverrideBits,
 -                 ""_ns,  // dbkey
 +                 aCertFingerprint,
                  lock);
   return NS_OK;
@@ -632,10 +583,8 @@
 nsresult nsCertOverrideService::AddEntryToList(
     const nsACString& aHostName, int32_t aPort,
 -    const OriginAttributes& aOriginAttributes, nsIX509Cert* aCert,
 -    const bool aIsTemporary, const nsACString& fingerprint,
 -    nsCertOverride::OverrideBits ob, const nsACString& dbKey,
 -    const MutexAutoLock& aProofOfLock) {
 +    const OriginAttributes& aOriginAttributes, const bool aIsTemporary,
 +    const nsACString& fingerprint, const MutexAutoLock& aProofOfLock) {
   mMutex.AssertCurrentThreadOwns();
   nsAutoCString keyString;
   GetKeyString(aHostName, aPort, aOriginAttributes, keyString);
@@ -656,11 +605,6 @@
   settings->mOriginAttributes = aOriginAttributes;
   settings->mIsTemporary = aIsTemporary;
   settings->mFingerprint = fingerprint;
 -  settings->mOverrideBits = ob;
 -  settings->mDBKey = dbKey;
 -  // remove whitespace from stored dbKey for backwards compatibility
 -  settings->mDBKey.StripWhitespace();
 -  settings->mCert = aCert;
   entry->mSettings = settings;
   return NS_OK;
 diff --git a/security/manager/ssl/nsCertOverrideService.h b/security/manager/ssl/nsCertOverrideService.h
 --- a/security/manager/ssl/nsCertOverrideService.h
 +++ b/security/manager/ssl/nsCertOverrideService.h
@@ -43,8 +43,6 @@
   bool mIsTemporary;  // true: session only, false: stored on disk
   nsCString mFingerprint;
   OverrideBits mOverrideBits;
 -  nsCString mDBKey;
 -  nsCOMPtr<nsIX509Cert> mCert;
   static void convertBitsToString(OverrideBits ob, nsACString& str);
   static void convertStringToBits(const nsACString& str, OverrideBits& ob);
@@ -145,10 +143,8 @@
   nsresult Write(const mozilla::MutexAutoLock& aProofOfLock);
   nsresult AddEntryToList(const nsACString& host, int32_t port,
                           const OriginAttributes& aOriginAttributes,
 -                          nsIX509Cert* aCert, const bool aIsTemporary,
 +                          const bool aIsTemporary,
                           const nsACString& fingerprint,
 -                          nsCertOverride::OverrideBits ob,
 -                          const nsACString& dbKey,
                           const mozilla::MutexAutoLock& aProofOfLock);
   // Set in constructor only
 diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp
 --- a/security/manager/ssl/SSLServerCertVerification.cpp
 +++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -791,8 +791,8 @@
           aHostName, aPort, aOriginAttributes, aCert, &overrideBits,
           &isTemporaryOverride, &haveOverride);
       if (NS_SUCCEEDED(rv) && haveOverride) {
 -        // remove the errors that are already overriden
 -        remainingDisplayErrors &= ~overrideBits;
 +        // remove all the errors
 +        remainingDisplayErrors = 0;
       }
     }
 diff --git a/security/manager/ssl/nsICertOverrideService.idl b/security/manager/ssl/nsICertOverrideService.idl
 --- a/security/manager/ssl/nsICertOverrideService.idl
 +++ b/security/manager/ssl/nsICertOverrideService.idl
@@ -33,17 +33,6 @@ interface nsICertOverride : nsISupports 
   readonly attribute int32_t port;
   /**
 -  *   Whether or not the override is only used for this
 -  *   session (true) or stored persistently (false)
 -  */
 -  readonly attribute boolean isTemporary;
 -
 -  /**
 -  *   The database key for the associated certificate.
 -  */
 -  readonly attribute ACString dbKey;
 -
 -  /**
   *   A combination of hostname and port in the form host:port.
   *   Since the port can be -1 which is equivalent to port 433 we use an
   *   existing function of nsCertOverrideService to create this property.
@@ -51,6 +40,11 @@ interface nsICertOverride : nsISupports 
   readonly attribute ACString hostPort;
   /**
 +  *   The fingerprint for the associated certificate.
 +  */
 +  readonly attribute ACString fingerprint;
 +
 +  /**
   *   The origin attributes associated with this override.
   */
   [implicit_jscontext]
 diff --git a/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
 --- a/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
 +++ b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
@@ -27,9 +27,7 @@ async function checkServerCertificates(w
   expectedValues.forEach((item, i) => {
     let hostPort = labels[i * 3].value;
 -    let certString = labels[i * 3 + 1].value || labels[i * 3 + 1].textContent;
 -    let isTemporaryString =
 -      labels[i * 3 + 2].value || labels[i * 3 + 2].textContent;
 +    let fingerprint = labels[i * 3 + 1].value || labels[i * 3 + 1].textContent;
     Assert.equal(
       hostPort,
@@ -38,15 +36,9 @@ async function checkServerCertificates(w
     );
     Assert.equal(
 -      certString,
 -      item.certName,
 -      `Expected override to have field ${item.certName}`
 -    );
 -
 -    Assert.equal(
 -      isTemporaryString,
 -      item.isTemporary ? "Temporary" : "Permanent",
 -      `Expected override to be ${item.isTemporary ? "Temporary" : "Permanent"}`
 +      fingerprint,
 +      item.fingerprint,
 +      `Expected override to have field ${item.fingerprint}`
     );
   });
 }
@@ -73,41 +73,6 @@
   );
 }
 -async function testViewButton(win) {
 -  win.document.getElementById("serverList").selectedIndex = 1;
 -
 -  Assert.ok(
 -    win.document.getElementById("websites_viewButton").disabled,
 -    "View button should be disabled for override without cert"
 -  );
 -
 -  win.document.getElementById("serverList").selectedIndex = 0;
 -
 -  Assert.ok(
 -    !win.document.getElementById("websites_viewButton").disabled,
 -    "View button should be enabled for override with cert"
 -  );
 -
 -  let loaded = BrowserTestUtils.waitForNewTab(gBrowser, null, true);
 -
 -  win.document.getElementById("websites_viewButton").click();
 -
 -  let newTab = await loaded;
 -  let spec = newTab.linkedBrowser.documentURI.spec;
 -
 -  Assert.ok(
 -    spec.startsWith("about:certificate"),
 -    "about:certificate should habe been opened"
 -  );
 -
 -  let newUrl = new URL(spec);
 -  let certEncoded = newUrl.searchParams.get("cert");
 -  let certDecoded = decodeURIComponent(certEncoded);
 -  Assert.ok(certDecoded, "should have some certificate as cert url param");
 -
 -  gBrowser.removeCurrentTab();
 -}
 -
 add_task(async function test_cert_manager_server_tab() {
   let win = await openCertManager();
@@ -134,48 +99,13 @@
   await checkServerCertificates(win, [
     {
       hostPort: "example.com:443",
 -      certName: "md5-ee",
 -      isTemporary: false,
 -    },
 -  ]);
 -
 -  win.document.getElementById("certmanager").acceptDialog();
 -  await BrowserTestUtils.windowClosed(win);
 -
 -  certOverrideService.rememberTemporaryValidityOverrideUsingFingerprint(
 -    "example.com",
 -    9999,
 -    {},
 -    "40:20:3E:57:FB:82:95:0D:3F:62:D7:04:39:F6:32:CC:B2:2F:70:9F:3E:66:C5:35:64:6E:49:2A:F1:02:75:9F",
 -    Ci.nsICertOverrideService.ERROR_UNTRUSTED
 -  );
 -
 -  win = await openCertManager();
 -
 -  await checkServerCertificates(win, [
 -    {
 -      hostPort: "example.com:443",
 -      certName: "md5-ee",
 -      isTemporary: false,
 -    },
 -    {
 -      hostPort: "example.com:9999",
 -      certName: "(Not Stored)",
 -      isTemporary: true,
 +      fingerprint: cert.sha256Fingerprint,
     },
   ]);
 -  await testViewButton(win);
 -
 -  await deleteOverride(win, 2);
 +  await deleteOverride(win, 1);
 -  await checkServerCertificates(win, [
 -    {
 -      hostPort: "example.com:9999",
 -      certName: "(Not Stored)",
 -      isTemporary: true,
 -    },
 -  ]);
 +  await checkServerCertificates(win, []);
   win.document.getElementById("certmanager").acceptDialog();
   await BrowserTestUtils.windowClosed(win);
 diff --git a/security/manager/ssl/tests/unit/test_cert_override_read.js b/security/manager/ssl/tests/unit/test_cert_override_read.js
 --- a/security/manager/ssl/tests/unit/test_cert_override_read.js
 +++ b/security/manager/ssl/tests/unit/test_cert_override_read.js
@@ -11,19 +11,16 @@ function run_test() {
   let cert1 = {
     sha256Fingerprint:
       "E9:3A:91:F6:15:11:FB:DD:02:76:DD:45:8C:4B:F4:9B:D1:14:13:91:2E:96:4B:EC:D2:4F:90:D5:F4:BB:29:5C",
 -    dbKey: "This isn't relevant for this test.",
   };
   // bad_certs/selfsigned.pem
   let cert2 = {
     sha256Fingerprint:
       "51:BC:41:90:C1:FD:6E:73:18:19:B0:60:08:DD:A3:3D:59:B2:5B:FB:D0:3D:DD:89:19:A5:BB:C6:2B:5A:72:A7",
 -    dbKey: "This isn't relevant for this test.",
   };
   // bad_certs/noValidNames.pem
   let cert3 = {
     sha256Fingerprint:
       "C3:A3:61:02:CA:64:CC:EC:45:1D:24:B6:A0:69:DB:DB:F0:D8:58:76:FC:50:36:52:5A:E8:40:4C:55:72:08:F4",
 -    dbKey: "This isn't relevant for this test.",
   };
   let profileDir = do_get_profile();
@@ -35,58 +35,42 @@
     "# This is a generated file!  Do not edit.",
     "test.example.com:443:^privateBrowsingId=1\tOID.2.16.840.1.101.3.4.2.1\t" +
       cert1.sha256Fingerprint +
 -      "\tM\t" +
 -      cert1.dbKey,
 +      "\t",
     "test.example.com:443:^privateBrowsingId=2\tOID.2.16.840.1.101.3.4.2.1\t" +
       cert1.sha256Fingerprint +
 +      "\t",
 +    "test.example.com:443:^privateBrowsingId=3\tOID.2.16.840.1.101.3.4.2.1\t" + // includes bits and dbKey (now obsolete)
 +      cert1.sha256Fingerprint +
       "\tM\t" +
 -      cert1.dbKey,
 +      "AAAAAAAAAAAAAAACAAAAFjA5MBQxEjAQBgNVBAMMCWxvY2FsaG9zdA==",
     "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" +
       cert2.sha256Fingerprint +
 -      "\tU\t" +
 -      cert2.dbKey,
 +      "\t",
     "[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6
       cert2.sha256Fingerprint +
 -      "\tM\t" +
 -      cert2.dbKey,
 +      "\t",
     "old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted)
       cert1.sha256Fingerprint +
 -      "\tM\t" +
 -      cert1.dbKey,
 +      "\t",
     ":443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing host name
       cert3.sha256Fingerprint +
 -      "\tU\t" +
 -      cert3.dbKey,
 +      "\t",
     "example.com::\tOID.2.16.840.1.101.3.4.2.1\t" + // missing port
       cert3.sha256Fingerprint +
 -      "\tU\t" +
 -      cert3.dbKey,
 -    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint/dbkey
 +      "\t",
 +    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint
       cert2.sha256Fingerprint +
 -      "\tU\t" +
 -      cert3.dbKey,
 +      "\t",
     "example.com:443:\tOID.0.00.000.0.000.0.0.0.0\t" + // bad OID
       cert3.sha256Fingerprint +
 -      "\tU\t" +
 -      cert3.dbKey,
 +      "\t",
     "example.com:443:\t.0.0.0.0\t" + // malformed OID
       cert3.sha256Fingerprint +
 -      "\tU\t" +
 -      cert3.dbKey,
 +      "\t",
     "example.com:443:\t\t" + // missing OID
       cert3.sha256Fingerprint +
 -      "\tU\t" +
 -      cert3.dbKey,
 -    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing fingerprint
 -      "\tU\t" +
 -      cert3.dbKey,
 -    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing override bits
 -      cert3.sha256Fingerprint +
 -      "\t\t" +
 -      cert3.dbKey,
 -    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing dbkey
 -      cert3.sha256Fingerprint +
 -      "\tU\t",
 +      "\t",
 +    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t", // missing fingerprint
   ];
   writeLinesAndClose(lines, outputStream);
   let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
--- a/SPECS/firefox.spec
+++ b/SPECS/firefox.spec
@ -15,7 +15,7 @@
 %global create_debuginfo  1
 %{lua:
-function dist_to_rhel_minor(str, start)
+function dist_to_rhel8_minor(str, start)
  match = string.match(str, ".module%+el8.%d+")
  if match then
     return string.sub(match, 13)
@ -31,7 +31,25 @@ function dist_to_rhel_minor(str, start)
  return -1
 end}
-%global rhel_minor_version %{lua:print(dist_to_rhel_minor(rpm.expand("%dist")))}
+%{lua:
 function dist_to_rhel9_minor(str, start)
  match = string.match(str, ".module%+el9.%d+")
  if match then
     return string.sub(match, 13)
  end
  match = string.match(str, ".el9_%d+")
  if match then
     return string.sub(match, 6)
  end
  match = string.match(str, ".el9")
  if match then
     return 3
  end
  return -1
 end}
 %global rhel8_minor_version %{lua:print(dist_to_rhel8_minor(rpm.expand("%dist")))}
 %global rhel9_minor_version %{lua:print(dist_to_rhel9_minor(rpm.expand("%dist")))}
 # Produce debug (non-optimized) package build. Suitable for debugging only
 # as the build is *very* slow.
@ -42,7 +60,7 @@ end}
 %global bundle_nss        0
 %if 0%{?rhel} == 8
-  %if %{rhel_minor_version} <= 4
+  %if %{rhel8_minor_version} <= 4
    %global bundle_nss        1
    %global system_nss        1
  %endif
@ -201,7 +219,7 @@ end}
 Summary:        Mozilla Firefox Web browser
 Name:           firefox
-Version:        102.11.0
+Version:        102.13.0
 Release:        2%{?dist}.alma
 URL:            https://www.mozilla.org/firefox/
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
@ -216,7 +234,7 @@ License:        MPLv1.1 or GPLv2+ or LGPLv2+
 ExcludeArch:    %{ix86}
 %endif
 %if 0%{?rhel} == 8
-  %if %{rhel_minor_version} == 1
+  %if %{rhel8_minor_version} == 1
 ExcludeArch:    %{ix86} aarch64 s390x
  %else
 ExcludeArch:    %{ix86}
@ -232,7 +250,7 @@ ExcludeArch:    aarch64 s390 ppc
 # Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%{version}%{?pre_version}/source/firefox-%{version}%{?pre_version}.source.tar.xz
 Source0:        firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
 %if %{with langpacks}
-Source1:        firefox-langpacks-%{version}%{?pre_version}-20230504.tar.xz
+Source1:        firefox-langpacks-%{version}%{?pre_version}-20230630.tar.xz
 %endif
 Source2:        cbindgen-vendor.tar.xz
 Source3:        process-official-tarball
@ -313,6 +331,7 @@ Patch421:        mozilla-s390x-skia-gradient.patch
 Patch422:        one_swizzle_to_rule_them_all.patch
 Patch423:        svg-rendering.patch
 Patch424:        D158770.diff
 Patch425:        mozilla-1833330.patch
 # PGO/LTO patches
 Patch600:        pgo.patch
@ -517,7 +536,7 @@ BuildRequires:  pciutils-libs
 Obsoletes:      mozilla <= 37:1.7.13
 Provides:       webclient
-%if 0%{?rhel} == 8 && %{rhel_minor_version} < 6
+%if 0%{?rhel} == 8 && %{rhel8_minor_version} < 6
 %ifarch aarch64
 BuildRequires: gcc-toolset-12-annobin-plugin-gcc
 %endif
@ -624,7 +643,8 @@ to run Firefox explicitly on X11.
 %prep
 echo "Build environment"
 echo "dist                  %{?dist}"
-echo "RHEL 8 minor version: %{?rhel_minor_version}"
+echo "RHEL 8 minor version: %{?rhel8_minor_version}"
 echo "RHEL 9 minor version: %{?rhel9_minor_version}"
 echo "use_bundled_ffi       %{?use_bundled_ffi}"
 echo "bundle_nss            %{?bundle_nss}"
 echo "system_nss            %{?system_nss}"
@ -658,7 +678,8 @@ echo "use_rustts            %{?use_rustts}"
 %patch77 -p1 -b .mozilla-1775202
 %patch73 -p1 -b .build-ascii-decode-fail-rhel7
-%if 0%{?rhel} == 7
+%if 0%{?rhel} == 7 || (0%{?rhel} == 8 && %{rhel8_minor_version} >= 9)
 # Also c8s/rhel-8.9.0 has only node 10.24.0, this is build-only.
 %patch78 -p1 -b .build-rhel7-lower-node-min-version
 %endif
@ -688,6 +709,7 @@ echo "use_rustts            %{?use_rustts}"
 %patch422 -p1 -b .one_swizzle_to_rule_them_all
 %patch423 -p1 -b .svg-rendering
 %patch424 -p1 -b .D158770.diff
 %patch425 -p1 -b .mozilla-1833330
 # PGO patches
 %if %{build_with_pgo}
@ -791,7 +813,7 @@ echo "ac_add_options --disable-crashreporter" >> .mozconfig
 %endif
 # AV1 requires newer nasm that was rebased in 8.4
-%if 0%{?rhel} == 7 || (0%{?rhel} == 8 && %{rhel_minor_version} < 4)
+%if 0%{?rhel} == 7 || (0%{?rhel} == 8 && %{rhel8_minor_version} < 4)
 echo "ac_add_options --disable-av1" >> .mozconfig
 %endif
@ -886,7 +908,7 @@ function install_rpms_to_current_dir() {
 %endif
 set +e
-%if 0%{?rhel} == 8 && %{rhel_minor_version} < 6
+%if 0%{?rhel} == 8 && %{rhel8_minor_version} < 6
 %ifarch aarch64
 source scl_source enable gcc-toolset-12
 %endif
@ -1452,9 +1474,22 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 #---------------------------------------------------------------------
 %changelog
-* Thu May 18 2023 Eduard Abdullin <eabdullin@almalinux.org> - 102.11.0-2.alma
+* Fri Jul 14 2023 Eduard Abdullin <eabdullin@almalinux.org> - 102.13.0-2.alma
 - Debrand for AlmaLinux
 * Fri Jun 30 2023 Eike Rathke <erack@redhat.com> - 102.13.0-2
 - Update to 102.13.0 build2
 * Thu Jun 29 2023 Eike Rathke <erack@redhat.com> - 102.13.0-1
 - Update to 102.13.0 build1
 * Wed May 31 2023 Eike Rathke <erack@redhat.com> - 102.12.0-1
 - Update to 102.12.0 build1
 * Tue May 23 2023 Anton Bobrov <abobrov@redhat.com> 102.11.0-2
 - Do not import cert to certdb on override exception:
  rhbz#2118991
  mzbz@1833330
 * Thu May 04 2023 Eike Rathke <erack@redhat.com> - 102.11.0-2
 - Update to 102.11.0 build2
 * Tue May 02 2023 Eike Rathke <erack@redhat.com> - 102.11.0-1