head	1.2;
access;
symbols;
locks; strict;
comment	@// @;


1.2
date	2017.01.27.13.43.41;	author ryoon;	state dead;
branches;
next	1.1;
commitid	d6E7kYhTlYuCUBDz;

1.1
date	2017.01.20.15.03.37;	author ryoon;	state Exp;
branches;
next	;
commitid	76C6sFH8mxPWzICz;


desc
@@


1.2
log
@Update 45.7.0

Security fixes:
#CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
#CVE-2017-5376: Use-after-free in XSL
#CVE-2017-5378: Pointer and frame data leakage of Javascript objects
#CVE-2017-5380: Potential use-after-free during DOM manipulations
#CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
#CVE-2017-5396: Use-after-free with Media Decoder
#CVE-2017-5383: Location bar spoofing with unicode characters
#CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions
#CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7
@
text
@$NetBSD: patch-netwerk_protocol_http_Http2Session.cpp,v 1.1 2017/01/20 15:03:37 ryoon Exp $

--- netwerk/protocol/http/Http2Session.cpp.orig	2016-07-25 12:12:07.000000000 +0000
+++ netwerk/protocol/http/Http2Session.cpp
@@@@ -3521,8 +3521,8 @@@@ Http2Session::ConfirmTLSProfile()
       LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
             this, keybits));
       RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
-    } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
-      LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
+    } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
+      LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
             this, keybits));
       RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
     }
@


1.1
log
@Fix an insecure connection error in HTTP2 case with devel/nss-3.28 or later

Bump PKGREVISION
@
text
@d1 1
a1 1
$NetBSD$
@
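Review bot: The replacement comment on the first `+` line, `// see rfc7540 9.2.1.`, drops the rationale the removed line carried (`256 bits is "security level" of 128`), so a reader sees the ECDH floor lowered from 256 to 224 with no stated reason; suggest `// 224 bits is the RFC 7540 9.2.1 lower limit for ECDHE` so the relaxation is not mistaken for an arbitrary weakening. The new threshold does match the ECDHE lower limit that RFC 7540 section 9.2.1 allows before returning INADEQUATE_SECURITY, the DH branch in the leading context lines keeps the matching 2048-bit floor, and the LOG3 text on the second `+` line agrees with the comparison (both 224), so the behavioural change is confined to accepting ECDHE keys of 224 to 255 bits that the old check rejected, which is what the 1.1 log describes for nss-3.28 or later.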