gecko-dev/security
Benjamin Beurdouche dde8b5dd22 Bug 1720464 - land NSS 8f41147c2192 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-22  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* doc/rst/index.rst:
	Display warning on the new NSS documentation
	[8f41147c2192] [tip]

2021-07-20  Robert Relyea  <rrelyea@redhat.com>

	* lib/softoken/sdb.c:
	Bug 1721476 sqlite 3.34 changed its open semantics, causing nss
	failures.

	https://sqlite.org/forum/info/42cf8e985bb051a2

	sqlite is now permissive on opening a readonly file even if you ask
	for the file to be opened R/W.

	Normally sqlite is very conservative in changing its underlying
	semantics, but evidently they chose convenience over compatibility.
	NSS now needs to check the file permissions itself to preserve nss
	semantics.

	[f2d34a957599]

2021-07-15  Robert Relyea  <rrelyea@redhat.com>

	* tests/common/init.sh, tests/common/parsegtestreport.sed,
	tests/common/parsegtestreport.sh, tests/gtests/gtests.sh,
	tests/ssl_gtests/ssl_gtests.sh:
	Bug 1720230 Gtest update changed the gtest reports, losing gtest
	details in all.sh reports.

	This patch includes the updated .sed script, and an experiment using
	bash instead to see how hard it would be to make a more robust
	parser.

	The robust parser generates identical output as sed, but takes about
	30x longer, so instead of subsecond operations, it takes almost half
	a minute. With that result, I think we can stay with sed and
	continue to update when we get new versions of gtests. (sigh).

	time cat report.xml.0 | sed -f parsegtestreport.sed > r1

	real 0m0.710s
	user 0m0.705s
	sys 0m0.008s

	time cat report.xml.0 | sh parsegtestreport.sh > r2

	real 0m25.066s
	user 0m17.759s
	sys 0m9.506s
	[rrelyea@localhost common]$ diff r1 r2

	updated: with review comments from Martin and move the report
	parsing to the common code so it can be shared with both ssl_gtests
	and gtests shell scripts.

	[f12856d5d2c2]

2021-07-13  Robert Relyea  <rrelyea@redhat.com>

	* gtests/softoken_gtest/softoken_dh_vectors.h, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkdhverify.c:
	Bug 1720228 NSS incorrectly accepting 1536 bit DH primes in FIPS
	mode

	When NSS is in FIPS mode, it should reject all primes smaller than
	2048. The ike 1536 prime is in the accepted primes table. In FIPS
	mode it should be rejected.

	[d2ec946e601a]

2021-07-15  Robert Relyea  <rrelyea@redhat.com>

	* cmd/manifest.mn, cmd/sdbthreadtst/Makefile,
	cmd/sdbthreadtst/manifest.mn, cmd/sdbthreadtst/sdbthreadtst.c,
	cmd/sdbthreadtst/sdbthreadtst.gyp, lib/softoken/sdb.c,
	lib/softoken/sftkdb.c, nss.gyp, tests/dbtests/dbtests.sh:
	Bug 1720232 SQLite calls could timeout in starvation situations.

	Some of our servers could cause random failures when trying to
	generate many key pairs from multiple threads. This is caused
	because some threads would starve long enough for them to give up on
	getting a begin transaction on sqlite. sqlite only allows one
	transaction at a time.

	Also, there were some bugs in error handling of the broken
	transaction case where NSS would try to cancel a transaction after
	the begin failed (most cases were correct, but one case in
	particular was problematic).

	[b54b0d41e51b]

2021-07-13  Robert Relyea  <rrelyea@redhat.com>

	* lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11hpke.c,
	lib/softoken/kbkdf.c, lib/softoken/sftkhmac.c,
	lib/softoken/sftkike.c:
	Bug 1720225 Coverity/cpp scanner errors found in nss 3.67

	A number of coverity/scanner issues were found in the kdf code which
	was added in nss 3.44 and the fixes never upstreamed, as well as
	coverity/scanner errors in nss 3.66. Not all errors were fixed;
	those errors which were determined to be false positives were just
	recorded. No attempt has been made to fix coverity/scanner errors in
	gtests.

	[d1b9709d8861]
```

Differential Revision: https://phabricator.services.mozilla.com/D120624
2021-07-23 09:23:50 +00:00
apps Bug 1713628 - Treat notBefore in the future of signed XPI files as valid + tests r=keeler 2021-07-14 20:24:56 +00:00
certverifier Bug 1715142 - convert pinning to use a static pref r=rmf 2021-06-12 01:12:25 +00:00
ct Bug 1699294 - add 'mach generate-test-certs' command to generate test certificate and key artifacts r=glandium 2021-04-14 22:24:11 +00:00
mac/hardenedruntime
manager No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau 2021-07-22 11:55:25 +00:00
nss Bug 1720464 - land NSS 8f41147c2192 UPGRADE_NSS_RELEASE, r=beurdouche 2021-07-23 09:23:50 +00:00
rlbox Bug 1713735 - Add the bits necessary to build wasm sandbox libs with wasm2c. r=firefox-build-system-reviewers,mhentges 2021-07-16 02:38:41 +00:00
sandbox Bug 1719279 - Properly add $HOME/.cache/fontconfig allowance r=gcp 2021-07-20 12:24:56 +00:00
.eslintrc.js
generate_certdata.py Bug 1654103: Standardize on Black for Python code in mozilla-central. 2020-10-26 18:34:53 +00:00
generate_mapfile.py Bug 1654103: Standardize on Black for Python code in mozilla-central. 2020-10-26 18:34:53 +00:00
moz.build Bug 1709817 - Enable NSS documentation in firefox-src-tree. r=beurdouche 2021-07-22 12:10:19 +00:00
nss.symbols Bug 1710185 - export SECKEY_EncryptedPrivateKeyInfoTemplate r=bbeurdouche 2021-05-08 15:21:50 +00:00