head 1.5; access; symbols pkgsrc-2017Q2:1.4.0.4 pkgsrc-2017Q2-base:1.4 pkgsrc-2017Q1:1.4.0.2 pkgsrc-2017Q1-base:1.4 pkgsrc-2016Q4:1.2.0.10 pkgsrc-2016Q4-base:1.2 pkgsrc-2016Q3:1.2.0.8 pkgsrc-2016Q3-base:1.2 pkgsrc-2016Q2:1.2.0.6 pkgsrc-2016Q2-base:1.2 pkgsrc-2016Q1:1.2.0.4 pkgsrc-2016Q1-base:1.2 pkgsrc-2015Q4:1.2.0.2 pkgsrc-2015Q4-base:1.2 pkgsrc-2015Q3:1.1.0.6 pkgsrc-2015Q3-base:1.1 pkgsrc-2015Q2:1.1.0.4 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.2 pkgsrc-2015Q1-base:1.1; locks; strict; comment @// @; 1.5 date 2017.08.18.23.55.07; author ryoon; state dead; branches; next 1.4; commitid wpPxDKLU9TeNLK3A; 1.4 date 2017.01.24.13.31.37; author ryoon; state Exp; branches; next 1.3; commitid kbhiOEmzPRusWdDz; 1.3 date 2017.01.01.16.14.08; author ryoon; state dead; branches; next 1.2; commitid CdW2yhHz1uP1AhAz; 1.2 date 2015.10.02.22.49.36; author ryoon; state Exp; branches; next 1.1; commitid 4NPwQdOyvYkssADy; 1.1 date 2015.03.17.19.50.42; author ryoon; state Exp; branches; next ; commitid oBEz3dg2AY8FRZdy; desc @@ 1.5 log @Update to 2.48 * Based on Gecko 51.0.2 @ text @$NetBSD: patch-mozilla_netwerk_protocol_http_Http2Session.cpp,v 1.4 2017/01/24 13:31:37 ryoon Exp $ Fix an insecure connection error with NSS 3.28 or later in HTTP2 case https://hg.mozilla.org/mozilla-central/rev/361ac226da2a --- mozilla/netwerk/protocol/http/Http2Session.cpp.orig 2016-12-14 02:10:00.000000000 +0000 +++ mozilla/netwerk/protocol/http/Http2Session.cpp @@@@ -3542,8 +3542,8 @@@@ Http2Session::ConfirmTLSProfile() LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n", this, keybits)); RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY); - } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128 - LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n", + } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1. 
+ LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n", this, keybits)); RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY); } @ 1.4 log @Fix an insecure connection error with nss 3.28 or later. Bump PKGREVISION @ text @d1 1 a1 1 $NetBSD$ @ 1.3 log @Update to 2.46 Changelog: What's New in SeaMonkey 2.46 SeaMonkey 2.46 contains (among other changes) the following major changes relative to SeaMonkey 2.40: SeaMonkey-specific changes HTML5 fullscreen video (e.g. on YouTube) now works fine. @ text @d1 1 a1 1 $NetBSD: patch-mozilla_netwerk_protocol_http_Http2Session.cpp,v 1.2 2015/10/02 22:49:36 ryoon Exp $ d3 4 a6 1 --- mozilla/netwerk/protocol/http/Http2Session.cpp.orig 2015-09-25 07:36:06.000000000 +0000 d8 11 a18 8 @@@@ -33,7 +33,6 @@@@ #include "nsStandardURL.h" #include "nsURLHelper.h" #include "prprf.h" -#include "prnetdb.h" #include "sslt.h" #ifdef DEBUG @ 1.2 log @Update to 2.38 Changelog: Based on xulrunner 41.0 Security fixes: 2015-114 Information disclosure via the High Resolution Time API 2015-113 Memory safety errors in libGLES in the ANGLE graphics library 2015-112 Vulnerabilities found through code inspection 2015-111 Errors in the handling of CORS preflight request headers 2015-110 Dragging and dropping images exposes final URL after redirects 2015-109 JavaScript immutable property enforcement can be bypassed 2015-108 Scripted proxies can access inner window 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems 2015-106 Use-after-free while manipulating HTML media content 2015-105 Buffer overflow while decoding WebM video 2015-104 Use-after-free with shared workers and IndexedDB 2015-103 URL spoofing in reader mode 2015-102 Crash when using debugger with SavedStacks in JavaScript 2015-101 Buffer overflow in libvpx while parsing vp9 format video 2015-100 Arbitrary file manipulation by local user through Mozilla updater 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme 2015-98 
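Review bot: The replacement comment on the ECDH branch of ConfirmTLSProfile, `// see rfc7540 9.2.1.`, names the section but drops the rationale the old comment carried, so a reader cannot tell why the floor moved from 256 to 224. RFC 7540 section 9.2.1 sets the ECDHE minimum at 224 bits, and the patch header ties the failure to NSS 3.28 or later, presumably because a curve is then reported with a key size just under 256 (X25519 is a 255-bit curve); a comment such as `// RFC 7540 9.2.1: ECDHE minimum is 224 bits; a 256 floor rejected curves NSS reports as 255 bits` would record that. With 224 as the floor, this check on its own also admits curves near the 112-bit security level, so which curves can actually be negotiated depends on the NSS configuration rather than on this branch. ConfirmTLSProfile starts and ends outside the hunk, so the cipher-suite and protocol-version checks that complete the profile are not visible here.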
Out of bounds read in QCMS library with ICC V4 profile attributes 2015-97 Memory leak in mozTCPSocket to servers 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) @ text @d1 1 a1 1 $NetBSD: patch-mozilla_netwerk_protocol_http_Http2Session.cpp,v 1.1 2015/03/17 19:50:42 ryoon Exp $ @ 1.1 log @Update to 2.33 * gnome option is broken. Disable it. Changelog: What's New in SeaMonkey 2.33 SeaMonkey 2.33 contains the following major changes relative to SeaMonkey 2.32.1: SeaMonkey-specific changes Security notification bars now feature tracking controls. The tracking/privacy preferences pane has been updated. Mozilla platform changes The Flash protected-mode sandbox has been disabled on Windows in order to evaluate the stability impact of protected mode. Insecure RC4 ciphers are no longer accepted whenever possible. Certificates with 1024-bit RSA keys have been phased out. A subset of the Media Source Extensions (MSE) API has been implemented in order to allow native HTML5 playback on YouTube. Full support is on the way. The performance of the new ES6 generator functions has been improved. Also see Firefox 36 for Developers. Fixed several stability issues. Bugs fixed in this release SeaMonkey bugs Thunderbird bugs (including both shared MailNews- and Thunderbird-only bugs) Relevant security fixes are listed on Security Advisories for SeaMonkey. * Security advisories are not available yet. 
@ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- mozilla/netwerk/protocol/http/Http2Session.cpp.orig 2015-03-09 05:34:55.000000000 +0000 d5 1 a5 1 @@@@ -32,7 +32,6 @@@@ a12 79 @@@@ -1295,7 +1294,7 @@@@ Http2Session::RecvPriority(Http2Session return rv; uint32_t newPriorityDependency = - PR_ntohl(*reinterpret_cast(self->mInputFrameBuffer.get() + kFrameHeaderBytes)); + NS_decodeN32(self->mInputFrameBuffer.get() + kFrameHeaderBytes); bool exclusive = !!(newPriorityDependency & 0x80000000); newPriorityDependency &= 0x7fffffff; uint8_t newPriorityWeight = *(self->mInputFrameBuffer.get() + kFrameHeaderBytes + 4); @@@@ -1326,7 +1325,7 @@@@ Http2Session::RecvRstStream(Http2Session } self->mDownstreamRstReason = - PR_ntohl(*reinterpret_cast(self->mInputFrameBuffer.get() + kFrameHeaderBytes)); + NS_decodeN32(self->mInputFrameBuffer.get() + kFrameHeaderBytes); LOG3(("Http2Session::RecvRstStream %p RST_STREAM Reason Code %u ID %x\n", self, self->mDownstreamRstReason, self->mInputFrameID)); @@@@ -1387,8 +1386,8 @@@@ Http2Session::RecvSettings(Http2Session uint8_t *setting = reinterpret_cast (self->mInputFrameBuffer.get()) + kFrameHeaderBytes + index * 6; - uint16_t id = PR_ntohs(*reinterpret_cast(setting)); - uint32_t value = PR_ntohl(*reinterpret_cast(setting + 2)); + uint16_t id = NS_decodeN16(setting); + uint32_t value = NS_decodeN32(setting + 2); LOG3(("Settings ID %u, Value %u", id, value)); switch (id) @@@@ -1473,7 +1472,7 @@@@ Http2Session::RecvPushPromise(Http2Sessi } promiseLen = 4; promisedID = - PR_ntohl(*reinterpret_cast(self->mInputFrameBuffer.get() + kFrameHeaderBytes + paddingControlBytes)); + NS_decodeN32(self->mInputFrameBuffer.get() + kFrameHeaderBytes + paddingControlBytes); promisedID &= 0x7fffffff; } @@@@ -1733,11 +1732,11 @@@@ Http2Session::RecvGoAway(Http2Session *s self->mShouldGoAway = true; self->mGoAwayID = - PR_ntohl(*reinterpret_cast(self->mInputFrameBuffer.get() + kFrameHeaderBytes)); + NS_decodeN32(self->mInputFrameBuffer.get() + kFrameHeaderBytes); 
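Review bot: None of the `NS_decodeN32` / `NS_decodeN16` call sites added from the RecvPriority hunk onward says why the `PR_ntohl(*reinterpret_cast...)` form was dropped, and the helper's definition is not part of this patch. The removed form dereferenced a wider integer pointer into the byte-oriented `mInputFrameBuffer` at offsets such as `kFrameHeaderBytes + index * 6 + 2`, which are not guaranteed to be aligned for a 16- or 32-bit load. If that is the motivation, state it once at the first site, e.g. `// byte-wise network-order decode: frame offsets are not naturally aligned`. The same applies to the RecvRstStream, RecvSettings, RecvPushPromise, RecvGoAway, RecvWindowUpdate and WriteSegments hunks. These values come straight from peer-supplied frames and every enclosing function starts and ends outside its hunk, so it is worth confirming that the frame-length checks which bound each offset run before the decode.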
self->mGoAwayID &= 0x7fffffff; self->mCleanShutdown = true; uint32_t statusCode = - PR_ntohl(*reinterpret_cast(self->mInputFrameBuffer.get() + kFrameHeaderBytes + 4)); + NS_decodeN32(self->mInputFrameBuffer.get() + kFrameHeaderBytes + 4); // Find streams greater than the last-good ID and mark them for deletion // in the mGoAwayStreamsToRestart queue with the GoAwayEnumerator. The @@@@ -1809,7 +1808,7 @@@@ Http2Session::RecvWindowUpdate(Http2Sess } uint32_t delta = - PR_ntohl(*reinterpret_cast(self->mInputFrameBuffer.get() + kFrameHeaderBytes)); + NS_decodeN32(self->mInputFrameBuffer.get() + kFrameHeaderBytes); delta &= 0x7fffffff; LOG3(("Http2Session::RecvWindowUpdate %p len=%d Stream 0x%X.\n", @@@@ -2453,7 +2452,7 @@@@ Http2Session::WriteSegments(nsAHttpSegme // 3 bytes of length, 1 type byte, 1 flag byte, 1 unused bit, 31 bits of ID uint8_t totallyWastedByte = mInputFrameBuffer.get()[0]; - mInputFrameDataSize = PR_ntohs(*reinterpret_cast(mInputFrameBuffer.get() + 1)); + mInputFrameDataSize = NS_decodeN16(mInputFrameBuffer.get() + 1); if (totallyWastedByte || (mInputFrameDataSize > kMaxFrameData)) { LOG3(("Got frame too large 0x%02X%04X", totallyWastedByte, mInputFrameDataSize)); RETURN_SESSION_ERROR(this, PROTOCOL_ERROR); @@@@ -2461,7 +2460,7 @@@@ Http2Session::WriteSegments(nsAHttpSegme mInputFrameType = *reinterpret_cast(mInputFrameBuffer.get() + kFrameLengthBytes); mInputFrameFlags = *reinterpret_cast(mInputFrameBuffer.get() + kFrameLengthBytes + kFrameTypeBytes); mInputFrameID = - PR_ntohl(*reinterpret_cast(mInputFrameBuffer.get() + kFrameLengthBytes + kFrameTypeBytes + kFrameFlagBytes)); + NS_decodeN32(mInputFrameBuffer.get() + kFrameLengthBytes + kFrameTypeBytes + kFrameFlagBytes); mInputFrameID &= 0x7fffffff; mInputFrameDataRead = 0; @