upgrade-2020-05-19-31dcaa5eb67 #333

https://about.gitlab.com/releases/2020/03/11/critical-security-release-gitlab-12-dot-8-dot-6-released/ (cherry picked from commit ab3b836)

(cherry picked from commit 281bd03)

[19.09] gitlab 12.8.5 -> 12.8.6

[19.09] systemd: 243.3 -> 243.7

(cherry picked from commit 243cd9f)

(cherry picked from commit 8330317)

cherry-picked 4665c94 Closes NixOS#81868

(cherry picked from commit 773462c)

(cherry picked from commit 41d8bb1)

fix CVE-2019-14866, backport

(Older version finished on Hydra.)

Fixes CVE-2019-14889, issue NixOS#77264. Release notes: https://www.libssh.org/2019/12/10/libssh-0-9-3-and-libssh-0-8-8-security-release/ (cherry picked from commit 7ef8a42)

Fixes: https://nvd.nist.gov/vuln/detail/CVE-2019-17543 Release notes: https://github.com/lz4/lz4/releases/tag/v1.9.2 (cherry picked from commit 18ac6ba)

https://www.samba.org/samba/history/security.html Tested: $ nix build -f nixos/release.nix tests.samba.x86_64-linux

(cherry picked from commit 500375e)

Contains only the version update from 8be61f7, the module-changes are not needed on 19.09 since the database is always configured properly here.

x86_64-linux rebuilds have finished, so let's merge to get the security fixes early.

(cherry picked from commit 291c735) /cc roundup NixOS#79725

includes fix for nC-SA-2020-015. See nextcloud/server#19976, the SA currently has a typo - adressed in nextcloud/security-advisories#21.

[19.09] nextcloud: 16.0.8 -> 16.0.9

The substitition in smtpd/parse.y isn't necessary anymore. The hardcoded /usr/libexec/ has been replaced by a PATH_LIBEXEC #define, which will be set properly by the build system. (cherry picked from commit 9658850)

Fixes critical vulnerability: https://www.mail-archive.com/[email protected]/msg04850.html (cherry picked from commit 7b9bd59)

(cherry picked from commit 77da495)

Release notes aren't available at this time [1] it is likely to be related to a recent mail to oss-security (either [2] or [3]). [1] https://www.mail-archive.com/[email protected]/msg04888.html [2] https://www.openwall.com/lists/oss-security/2020/02/24/5 [3] https://www.openwall.com/lists/oss-security/2020/02/24/4 (cherry picked from commit 09725e5)

This reverts commit 4f69f2c. We backported the latest opensmtpd version.

This reverts commit f5c74e6. Already included in the opensmtpd version.

build fails against our local libressl version

opensmtpd: 6.4.2p1 -> 6.6.4p1 [backport 19.09]

a "Low severity" [0] security issue: > Fixed an overflow bug in the x64_64 Montgomery squaring procedure used > in exponentiation with 512-bit moduli (CVE-2019-1551) [0] https://www.openssl.org/news/vulnerabilities.html#y2019 (cherry picked from commit abecf82)

Since Go 1.13, `GOSUMDB` defaults to "sum.golang.org", to consult the checksum database of the main module's go.sum. We already use the default behavior when building `go-modules`, but Go tries to consult the checksum database again when building the module, and fails because since it requires `cacert` and `git` which are not propagated when building the package. (cherry picked from commit c5733e7)

Signed-off-by: Martin Baillie <[email protected]> (cherry picked from commit 6e055c9)

Fixes a severe bug with subnet routing. Signed-off-by: David Anderson <[email protected]> (cherry picked from commit f61f686)

[19.09] openssl: 1.1.1d -> 1.1.1e

keep brave up-to-date (cherry picked from commit 418e3e4) Reason: Browsers should be kept up-to-date for security reasons

…_1.4.96 [19 09] brave 1.4.95 to 1.5.112

(cherry picked from commit 09f55f8)

https://lists.zx2c4.com/pipermail/wireguard/2020-March/005188.html (cherry picked from commit e758e95)

This reverts commit 41f1484. openssl 1.1.1e introduces breaking changes in its EOF handling.

https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html This update includes 13 security fixes. CVEs: CVE-2020-6422 CVE-2020-6424 CVE-2020-6425 CVE-2020-6426 CVE-2020-6427 CVE-2020-6428 CVE-2020-6429 CVE-2019-20503 CVE-2020-6449 Note: The release of version 81 is currently on pause: https://chromereleases.googleblog.com/2020/03/upcoming-chrome-and-chrome-os-releases.html (cherry picked from commit fe60ff7)

https://lists.zx2c4.com/pipermail/wireguard/2020-March/005191.html (cherry picked from commit 19ceeb6)

[19.09] chromium: 80.0.3987.132 -> 80.0.3987.149 (backport)

Changelog: https://github.com/nodejs/node/releases/tag/v12.15.0

Changelog: https://github.com/nodejs/node/releases/tag/v12.16.0

Changelog: https://github.com/nodejs/node/releases/tag/v12.16.1

fetchpatch can't be used here and fetchurl from GitHub like in PR NixOS#82928 has the risk of breaking the hash later; fortunately the patches aren't too large.

This fixes the regressed python3Packages.pyopenssl build and should unblock both channels.

(cherry picked from commit 913e6b5)

(cherry picked from commit bf453da)

(cherry picked from commit 9e98d47)

@Frostman

@Frostman is not in maintainers-list.nix on 19.09. This fails the build of the `channel` and `tarball` jobs on the small jobset. Follow-up of NixOS#83102

[19.09 unblock] grafana: Drop Frostman from maintainers

(cherry picked from commit f9fcf29)

The tag points to the same commit hash, so the binary is unchanged. Signed-off-by: David Anderson <[email protected]> (cherry picked from commit 3fa813e)

Tailscale does not support Go 1.12. Signed-off-by: David Anderson <[email protected]>

Moved from nixos-homepage. (cherry picked from commit d6ec410)

(cherry picked from commit 4052f9b)

(cherry picked from commit e51c7f6)

Some changes were made after final review of the package. There was a missing runtime dependency that was discovered after merge of the backport (cherry picked from commit 9fe4a63) Reason: The dependency can make the package work or not

https://about.gitlab.com/releases/2020/03/16/gitlab-12-8-7-released/ (cherry picked from commit 3a173c1)

….2.0-with_fix [19.09] protonvpn ng 2.2.0 to 2.2.2

(cherry picked from commit 5c47359)

[19.09] signal-desktop: 1.32.1 -> 1.32.2 (backport)

(cherry picked from commit 0e5d457)

With quotes it doesn't match the Wire's screen, causing the window to not be grouped under its icon in Gnome. (cherry picked from commit da587da)

(cherry picked from commit 38aa1ca)

[19.09] signal-desktop: 1.32.2 -> 1.32.3 (backport)

(cherry picked from commit 8ab04fd)

(cherry picked from commit 425efa5)

tailscale: init at 0.97-0 [backport 19.09]

@devhell

While our ETag patch works pretty fine if it comes to serving data off store paths, it unfortunately broke something that might be a bit more common, namely when using regexes to extract path components of location directives for example. Recently, @devhell has reported a bug with a nginx location directive like this: location ~^/\~([a-z0-9_]+)(/.*)?$" { alias /home/$1/public_html$2; } While this might look harmless at first glance, it does however cause issues with our ETag patch. The alias directive gets broken up by nginx like this: *2 http script copy: "/home/" *2 http script capture: "foo" *2 http script copy: "/public_html/" *2 http script capture: "bar.txt" In our patch however, we use realpath(3) to get the canonicalised path from ngx_http_core_loc_conf_s.root, which returns the *configured* value from the root or alias directive. So in the example above, realpath(3) boils down to the following syscalls: lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat("/home/$1", 0x7ffd08da6f60) = -1 ENOENT (No such file or directory) During my review[1] of the initial patch, I didn't actually notice that what we're doing here is returning NGX_ERROR if the realpath(3) call fails, which in turn causes an HTTP 500 error. Since our patch actually made the canonicalisation (and thus additional syscalls) necessary, we really shouldn't introduce an additional error so let's - at least for now - silently skip return value if realpath(3) has failed. However since we're using the unaltered root from the config we have another issue, consider this root: /nix/store/...-abcde/$1 Calling realpath(3) on this path will fail (except if there's a file called "$1" of course), so even this fix is not enough because it results in the ETag not being set to the store path hash. While this is very ugly and we should fix this very soon, it's not as serious as getting HTTP 500 errors for serving static files. I added a small NixOS VM test, which uses the example above as a regression test. It seems that my memory is failing these days, since apparently I *knew* about this issue since digging for existing issues in nixpkgs, I found this similar pull request which I even reviewed: NixOS#66532 However, since the comments weren't addressed and the author hasn't responded to the pull request, I decided to keep this very commit and do a follow-up pull request. [1]: NixOS#48337 Signed-off-by: aszlig <[email protected]> Reported-by: @devhell Acked-by: @7c6f434c Acked-by: @yorickvP Merges: NixOS#80671 Fixes: NixOS#66532 (cherry picked from commit e1d63ad)

It seems the quoting breaks it just like in da587da (cherry picked from commit e50bb280cbf5339ed671b0a7208e6aba4002c713) (cherry picked from commit f8ccef5)

…-bin_release-19.09 [19.09] tor-browser-bundle-bin: 9.0.5 -> 9.0.7

(cherry picked from commit 6d28c18)

Update the checkum and the version (cherry picked from commit fa5fc49) Reason: Browser must be kept up-to-date

NixOS/nixos-homepage#372 (cherry picked from commit 4e554ad)

Co-authored-by: worldofpeace <[email protected]>

which was deprecated in 2018 and is now gone for good. I guess many won’t notice because the nix-cache kept the files around? (cherry picked from commit b872b8a and 29ca177)

Nodejs 12 backport from master

(cherry picked from commit 645a6fd)

(cherry picked from commit f41b8aa)

This reverts commit 36cbcdc. This reverts commit c3a9111. Rationale for revert: 6.7.0-beta1 introduced a breaking change[1] which seems to break at least one popular grafana integration. [1] https://github.com/grafana/grafana/blob/master/CHANGELOG.md#670-beta1-2020-03-12

[19.09] matrix-synapse: 1.11.1 -> 1.12.0

Changelog: https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/ (cherry picked from commit 99b09d6)

Changelog: https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/ (cherry picked from commit b312ecf)

The webrtc code suffered from a race condition when used with Pulseaudio. This lead to audio input breaking every couple of minutes during a webrtc session. (cherry picked from commit 81b18c3)

(cherry picked from commit b3c2908)

https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_31.html This update includes 8 security fixes. CVEs: CVE-2020-6450 CVE-2020-6451 CVE-2020-6452 (cherry picked from commit 6b7528c)

https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop.html Note: This update contains only two fixes [0]. The fix that reverts a feature which caused a crash spike on 80.0.3987.162 [1] seems important for us (though the commit doesn't provide any data on the crash spike). [0]: https://chromium.googlesource.com/chromium/src/+log/80.0.3987.162..80.0.3987.163?pretty=fuller [1]: https://chromium.googlesource.com/chromium/src/+/fc11c43603c05a9ef77430a6b4081a01969d2bf4 (cherry picked from commit cbd13f3)

[19.09] chromium: 80.0.3987.149 -> 80.0.3987.163 (backport)

https://lists.zx2c4.com/pipermail/wireguard/2020-April/005237.html Resolves NixOS#84009 (cherry picked from commit b503b2c)

(cherry picked from commit f26b2af)

[19.09] firefox{,-bin}: 74.0 -> 74.0.1, firefox-esr: 68.6.0esr -> 68.6.1esr

... into staging. Fixes CVE-2020-11501. (cherry picked from commit f91b34e) These bumps combined still seem quite safe in terms of regression likelihood.

(cherry picked from commit 39c5e1c)

[19.09] wire-desktop: mac 3.15.3621 -> 3.16.3630

Update the checksum and the version of Brave package. (cherry picked from commit 7a80ead) Reason: Browsers must be kept up-to-date

Adding this as a new attribute as software is likely going to break when we switch the default from the 1.7 branch to 1.8. (cherry picked from commit 1859b5a)

(cherry picked from commit 9de3c97)

(cherry picked from commit 4a41fd7)

(cherry picked from commit f56ea6c)

(cherry picked from commit bab82e7)

(cherry picked from commit 9d6a7fd)

(cherry picked from commit 79fb589)

[19.09] firefox: 74.0.1 -> 75.0

(cherry picked from commit fdedc5d)

This can e.g. save around 150k lines of unnecessary log messages which take up around 66% of the total lines (based on a log of 80.0.3987.100): 29527 warning: unknown warning option '-Wno-bitwise-conditional-parentheses'; did you mean '-Wno-bitwise-op-parentheses'? [-Wunknown-warning-option] 29527 warning: unknown warning option '-Wno-builtin-assume-aligned-alignment' [-Wunknown-warning-option] 29527 warning: unknown warning option '-Wno-deprecated-copy'; did you mean '-Wno-deprecated'? [-Wunknown-warning-option] 29527 warning: unknown warning option '-Wno-final-dtor-non-final-class'; did you mean '-Wno-abstract-final-class'? [-Wunknown-warning-option] 29527 warning: unknown warning option '-Wno-implicit-int-float-conversion'; did you mean '-Wno-implicit-float-conversion'? [-Wunknown-warning-option] (cherry picked from commit 9f39148)

This fixes the patch phase. I missed this problem in NixOS#83956. (cherry picked from commit 36c7123)

This patch was also backported to M81 [0][1]. [0]: https://chromium-review.googlesource.com/c/chromium/src/+/2091896 [1]: chromium/chromium@bbf0fad (cherry picked from commit ff3bc51)

https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html This update includes 32 security fixes. CVEs: CVE-2020-6454 CVE-2020-6423 CVE-2020-6455 CVE-2020-6430 CVE-2020-6456 CVE-2020-6431 CVE-2020-6432 CVE-2020-6433 CVE-2020-6434 CVE-2020-6435 CVE-2020-6436 CVE-2020-6437 CVE-2020-6438 CVE-2020-6439 CVE-2020-6440 CVE-2020-6441 CVE-2020-6442 CVE-2020-6443 CVE-2020-6444 CVE-2020-6445 CVE-2020-6446 CVE-2020-6447 CVE-2020-6448 (cherry picked from commit da832dd)

[19.09] signal-desktop: 1.32.3 -> 1.33.0 (backport)

[19.09] chromium: 80.0.3987.163 -> 81.0.4044.92 (backport)

otherwise https is disabled (cherry picked from commit b9b8388)

apacheHttpd: 2.4.41 -> 2.4.43 [19.09]

(cherry picked from commit 27ca6c2) Rationale for backport: it's explicitly supported to build a kernel with a custom tree. When using a 5.6 tree in a system configuration, eval will break since `wireguard` is still evaluated and throws an assertion-error on 5.6 or greater.

https://blog.torproject.org/new-release-tor-browser-909 https://blog.torproject.org/new-release-tor-browser-908 (cherry picked from commit 85e4f2d)

…9.0.9-release-19.09 [19.09] tor-browser-bundle-bin: 9.0.7 -> 9.0.9

https://www.thunderbird.net/en-US/thunderbird/68.7.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/ (cherry picked from commit f719350)

(cherry picked from commit e7ca19f)

…o_1.5.123 brave: 1.5.115 -> 1.5.123

(cherry picked from commit b233a19)

[19.09] aspell: 0.60.6.1 -> 0.60.8

It's only the security fix, nothing else. /cc roundup NixOS#75974. https://github.com/git/git/blob/v2.23.2/Documentation/RelNotes/2.23.2.txt https://github.com/git/git/blob/v2.23.2/Documentation/RelNotes/2.17.4.txt

(cherry picked from commit ac374d4) Backported 32.0.0.363 to release 19.09 for important bug fixes. Also needed because old upstream release is no longer available.

https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_15.html This update includes 1 security fix. CVEs: CVE-2020-6457 (cherry picked from commit ef2c3ab)

…ase-19.09 [19.09] flashplayer: 32.0.0.330 -> 32.0.0.363

[19.09] chromium: 81.0.4044.92 -> 81.0.4044.113 (backport)

(cherry picked from commit d9258d3)

(cherry picked from commit e341107)

[19.09] nexus: 3.18.1-01 -> 3.22.0-02 (backport)

Signed-off-by: Markus S. Wamser <[email protected]>

Backport of Yggdrasil, NixOS module, and tests.

(cherry picked from commit cb5c0a4) Note: Only M81 is supported on 19.09. This is mainly to cherry-pick stable channel updates and avoid an insecure chromiumBeta.

https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_21.html This update includes 8 security fixes. CVEs: CVE-2020-6459 CVE-2020-6460 CVE-2020-645 (cherry picked from commit a2df977)

[19.09] chromium: 81.0.4044.113 -> 81.0.4044.122 (backport)

See: https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.17.5.txt

(cherry picked from commit 83102fc)

(cherry picked from commit b98fa7c)

(cherry picked from commit f9ef2c1)

(cherry picked from commit 5858162)

(cherry picked from commit 7d1c2c0)

(cherry picked from commit 01de13a)

(cherry picked from commit 461843a)

(cherry picked from commit 86aab71)

(cherry picked from commit 4b7193b)

(cherry picked from commit e036261)

(cherry picked from commit 5f70a20)

(cherry picked from commit 2986699)

(cherry picked from commit 606a15d)

(cherry picked from commit 9f0dba1)

(cherry picked from commit affebc8)

(cherry picked from commit 22af8e8)

(cherry picked from commit 21d3ce5)

Wrap Qt program manually, remove makeWrapper from nativeBuildInputs. (cherry picked from commit 98f1266)

Wrap Qt program manually, remove makeWrapper from nativeBuildInputs. (cherry picked from commit a0a076b)

(cherry picked from commit 4ee9179)

(cherry picked from commit cc8d121)

(cherry picked from commit adae9f1)

(cherry picked from commit ec92227)

(cherry picked from commit 9384f48)

(cherry picked from commit 7dce1c5)

(cherry picked from commit 65050cd)

(cherry picked from commit 2e8962b)

(cherry picked from commit 1d8ea89)

(cherry picked from commit d5b14e5)

openssl/openssl@eb56324 openssl/openssl@64eef86

[19.09] openssl: patch CVE-2020-1967

Build security updates on release branch so *-small channel is updated as soon as possible.

https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/886

(cherry picked from commit d0419f9)

AP mode PMF disconnection protection bypass Published: September 11, 2019 Identifiers: - CVE-2019-16275 Latest version available from: https://w1.fi/security/2019-7/ Vulnerability hostapd (and wpa_supplicant when controlling AP mode) did not perform sufficient source address validation for some received Management frames and this could result in ending up sending a frame that caused associated stations to incorrectly believe they were disconnected from the network even if management frame protection (also known as PMF) was negotiated for the association. This could be considered to be a denial of service vulnerability since PMF is supposed to protect from this type of issues. It should be noted that if PMF is not enabled, there would be no protocol level protection against this type of denial service attacks. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Vulnerable versions/configurations All hostapd and wpa_supplicants versions with PMF support (CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with PMF being enabled (optional or required). In addition, this would be applicable only when using user space based MLME/SME in AP mode, i.e., when hostapd (or wpa_supplicant when controlling AP mode) would process authentication and association management frames. This condition would be applicable mainly with drivers that use mac80211. Possible mitigation steps - Merge the following commit to wpa_supplicant/hostapd and rebuild: AP: Silently ignore management frame from unexpected source address This patch is available from https://w1.fi/security/2019-7/ - Update to wpa_supplicant/hostapd v2.10 or newer, once available (cherry picked from commit 3e9f3a3)

…6275 [19.09] hostapd: apply patch for CVE-2019-16275

…9.09 [19.09] Use qt5's mkDerivation in packages that otherwise crash

Kyndig on IRC noticed that building `ninja` from source would fail due to a patch 404'ing (because the repo appears to no longer exist). Fetch from upstream instead. (cherry picked from commit 91d4e9a) cc NixOS#85742

'toString false' results in an empty string, which, in this context, is a syntax error. Use boolToString instead. Fixes NixOS#86160 (cherry picked from commit c0a838d)

nixos/gitlab: Fix services.gitlab.enableStartTLSAuto

See https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/ for details. (cherry picked from commit d190292)

While it's already possible to invoke `update-data` with the `--rev` argument, one still needs to run all later phases manually. Fix this, by having `update-all` also accept a `--rev` argument, and pass it down to `update-data`. Also, make the help text a bit more usable, by suggesting the usual versioning scheme used these times. (cherry picked from commit 191c2c6)

(cherry picked from commit f7ddd30)

(cherry picked from commit c86c77b)

`bundix -l` doesn't work, as it treats bundler's warning about upgrading the lockfile version as an error, so invoke `bundle lock` manually. (cherry picked from commit 4c26ab4)

https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html This update includes 2 security fixes. CVEs: CVE-2020-6462 CVE-2020-6461 (cherry picked from commit db4aece)

Fixes: CVE-2020-6061, CVE-2020-6062 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability. (cherry picked from commit 704a018)

…+6062 [19.09] coturn: apply patch for CVE-2020-6061/6062

(cherry picked from commit 4644776)

…l-19.09 monotone: openssl in botan is not needed, so drop to avoid old openssl

https://github.com/roundcube/roundcubemail/releases/tag/1.3.11 This contains some important security fixes, hence the package-bump.

[19.09] chromium: 81.0.4044.122 -> 81.0.4044.129 (backport)

(cherry picked from commit 9eb6dc7)

(cherry picked from commit fdd0d0d)

[19.09] gitlab: 12.8.9 -> 12.8.10

Fixes CVE-2020-11651 and CVE-2020-11652

[19.09] salt: 2019.2.0 -> 2019.2.4

(cherry picked from commit 324e40f)

(cherry picked from commit 3911336)

(cherry picked from commit f3cc8dc)

[19.09] firefox: 75.0 -> 76.0

https://chromereleases.googleblog.com/2020/05/stable-channel-update-for-desktop.html This update includes 3 security fixes. CVEs: CVE-2020-6831 CVE-2020-6464 (cherry picked from commit dec3d5f)

chromium: 81.0.4044.129 -> 81.0.4044.138

https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/ (cherry picked from commit 10134fc) Re-tested both briefly on 19.09.

According to https://monerodocs.org/interacting/monerod-reference/#node-rpc-api the correct option is restricted-rpc, not restrict-rpc. (cherry picked from commit e7ab236)

Regression introduced by bce5268. The bit size of the initialisation vector for AES GCM has been introduced in NSS version 3.52 in the CK_GCM_PARMS struct via the ulIvBits field. Unfortunately, Firefox 68.8.0 and 76.0 do not set this field and thus it gets initialised to zero, which in turn causes IV generation to fail. I found out about this because WebRTC stopped working after updating to NSS 3.52 and so I started bisecting. Since there wasn't an obvious error in Firefox hinting towards NSS but instead just the video stream ended up as a "null" stream, I didn't suspect the NSS update to be the culprit at first. So I verified a few times and then also started bisecting the actual commit in NSS that caused the issue. This turned out to be the problematic change: https://phabricator.services.mozilla.com/D63241 > One notable change was caused by an inconsistancy between the spec and > the released headers in PKCS#11 v2.40. CK_GCM_PARAMS had an extra > field in the header that was not in the spec. OASIS considers the > header file to be normative, so PKCS#11 v3.0 resolved the issue in > favor of the header file definition. Since the test I've used[1] was a bit flaky, I still didn't believe the result of the bisect to be accurate, but after running the test several times leading same results I dug through the above change line by line to get more clues. It fortunately didn't take that long to stumble upon the ulIvBits change (which is actually documented in the NSS 3.52 release notes[4], but I managed to blatantly ignore it for some reason) and started checking the Firefox source tree for changes regarding that field. Initialisation of that new field has been introduced[2] in preparation for the 76 release, but subsequently got reverted[3] prior to the release, because Firefox 76 is expected to be shipped with NSS 3.51, which didn't have the ulIvBits field. The patch I'm adding here is just a reintroduction of that change, because we're using NSS 3.52. Not initialising that field will break WebRTC and WebCrypto, which I think the former seems to gain in popularity these days ;-) Tested the change against the mentioned VM test[1] and also by testing manually using Jitsi Meet and Nextcloud Talk. [1]: https://github.com/aszlig/avonc/tree/884315838b6f0ebb32b/tests/talk [2]: https://hg.mozilla.org/mozilla-central/rev/3ed30e6b6de1 [3]: https://hg.mozilla.org/mozilla-central/rev/665137da70ee [4]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes Signed-off-by: aszlig <[email protected]> (cherry picked from commit 8fb4997 & moved to packages.nix)

(cherry picked from commit b70435e)

[19.09] firefox: Add patch to fix AES GCM IV bit size

upgrade-2020-05-19-31dcaa5eb67 #333

Are you sure you want to change the base?

upgrade-2020-05-19-31dcaa5eb67 #333

Commits on Mar 12, 2020

Commits on Mar 14, 2020

Commits on Mar 15, 2020

Commits on Mar 16, 2020

Commits on Mar 17, 2020

Commits on Mar 18, 2020

Commits on Mar 19, 2020

Commits on Mar 20, 2020

Commits on Mar 21, 2020

Commits on Mar 22, 2020

Commits on Mar 23, 2020

Commits on Mar 24, 2020

Commits on Mar 25, 2020

Commits on Mar 26, 2020

Commits on Mar 27, 2020

Commits on Mar 28, 2020

Commits on Mar 29, 2020

Commits on Mar 30, 2020

Commits on Mar 31, 2020

Commits on Apr 1, 2020

Commits on Apr 2, 2020

Commits on Apr 3, 2020

Commits on Apr 4, 2020

Commits on Apr 5, 2020

Commits on Apr 6, 2020

Commits on Apr 7, 2020

Commits on Apr 8, 2020

Commits on Apr 9, 2020

Commits on Apr 10, 2020

Commits on Apr 11, 2020

Commits on Apr 12, 2020

Commits on Apr 13, 2020

Commits on Apr 14, 2020

Commits on Apr 15, 2020

Commits on Apr 16, 2020

Commits on Apr 17, 2020

Commits on Apr 18, 2020

Commits on Apr 19, 2020

Commits on Apr 22, 2020

Commits on Apr 23, 2020

Commits on Apr 25, 2020

Commits on Apr 26, 2020

Commits on Apr 28, 2020

Commits on Apr 29, 2020

Commits on Apr 30, 2020

Commits on May 1, 2020

Commits on May 3, 2020

Commits on May 4, 2020

Commits on May 5, 2020

Commits on May 6, 2020

Commits on May 10, 2020

Commits on May 11, 2020

Commits on May 13, 2020

Commits on May 14, 2020