Sync from SUSE:SLFO:Main MozillaFirefox revision cccd1689d9232f4fd17cd6436e916bbf

MozillaFirefox.changes

@@ -1,8 +1,118 @@
+-------------------------------------------------------------------
+Mon Dec  2 11:14:39 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- Firefox Extended Support Release 128.5.1 ESR
+  * Fixed: Fixed an issue that prevented some websites from
+    loading when using SSL Inspection. (bmo#1933747)
+
+-------------------------------------------------------------------
+Mon Nov 25 07:35:12 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- Firefox Extended Support Release 128.5.0 ESR
+  * Fixed: Various security fixes and other quality improvements.
+  MFSA 2024-64 (bsc#1233695)
+  * CVE-2024-11691 (bmo#1914707, bmo#1924184)
+    Out-of-bounds write in Apple GPU drivers via WebGL
+  * CVE-2024-11692 (bmo#1909535)
+    Select list elements could be shown over another site
+  * CVE-2024-11693 (bmo#1921458)
+    Download Protections were bypassed by .library-ms files on
+    Windows
+  * CVE-2024-11694 (bmo#1924167)
+    CSP Bypass and XSS Exposure via Web Compatibility Shims
+  * CVE-2024-11695 (bmo#1925496)
+    URL Bar Spoofing via Manipulated Punycode and Whitespace
+    Characters
+  * CVE-2024-11696 (bmo#1929600)
+    Unhandled Exception in Add-on Signature Verification
+  * CVE-2024-11697 (bmo#1842187)
+    Improper Keypress Handling in Executable File Confirmation
+    Dialog
+  * CVE-2024-11698 (bmo#1916152)
+    Fullscreen Lock-Up When Modal Dialog Interrupts Transition on
+    macOS
+  * CVE-2024-11699 (bmo#1880582, bmo#1929911)
+    Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5,
+    and Thunderbird 128.5
+
+-------------------------------------------------------------------
+Tue Oct 22 06:30:36 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- Firefox Extended Support Release 128.4.0 ESR
+  * Fixed: Various security fixes and other quality improvements.
+  MFSA 2024-56 (bsc#1231879)
+  * CVE-2024-10458 (bmo#1921733)
+    Permission leak via embed or object elements
+  * CVE-2024-10459 (bmo#1919087)
+    Use-after-free in layout with accessibility
+  * CVE-2024-10460 (bmo#1912537)
+    Confusing display of origin for external protocol handler
+    prompt
+  * CVE-2024-10461 (bmo#1914521)
+    XSS due to Content-Disposition being ignored in
+    multipart/x-mixed-replace response
+  * CVE-2024-10462 (bmo#1920423)
+    Origin of permission prompt could be spoofed by long URL
+  * CVE-2024-10463 (bmo#1920800)
+    Cross origin video frame leak
+  * CVE-2024-10464 (bmo#1913000)
+    History interface could have been used to cause a Denial of
+    Service condition in the browser
+  * CVE-2024-10465 (bmo#1918853)
+    Clipboard "paste" button persisted across tabs
+  * CVE-2024-10466 (bmo#1924154)
+    DOM push subscription message could hang Firefox
+  * CVE-2024-10467 (bmo#1829029, bmo#1888538, bmo#1900394,
+    bmo#1904059, bmo#1917742, bmo#1919809, bmo#1923706)
+    Memory safety bugs fixed in Firefox 132, Thunderbird 132,
+    Firefox ESR 128.4, and Thunderbird 128.4
+- Rebase mozilla-rust-disable-future-incompat.patch
+
+-------------------------------------------------------------------
+Wed Oct  9 07:11:07 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- Firefox Extended Support Release 128.3.1 ESR
+  MFSA 2024-51 (bsc#1231413)
+  * CVE-2024-9680 (bmo#1923344)
+    Use-after-free in Animation timeline
+
 -------------------------------------------------------------------
 Wed Sep 25 11:30:58 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
 
 - Firefox Extended Support Release 128.3.0 ESR
-  Placeholder changelog-entry (bsc#1230979)
+  * Fixed: Various security fixes and other quality improvements.
+  MFSA 2024-47 (bsc#1230979)
+  * CVE-2024-9392 (bmo#1899154, bmo#1905843)
+    Compromised content process can bypass site isolation
+  * CVE-2024-9393 (bmo#1918301)
+    Cross-origin access to PDF contents through multipart
+    responses
+  * CVE-2024-9394 (bmo#1918874)
+    Cross-origin access to JSON contents through multipart
+    responses
+  * CVE-2024-8900 (bmo#1872841)
+    Clipboard write permission bypass
+  * CVE-2024-9396 (bmo#1912471)
+    Potential memory corruption may occur when cloning certain
+    objects
+  * CVE-2024-9397 (bmo#1916659)
+    Potential directory upload bypass via clickjacking
+  * CVE-2024-9398 (bmo#1881037)
+    External protocol handlers could be enumerated via popups
+  * CVE-2024-9399 (bmo#1907726)
+    Specially crafted WebTransport requests could lead to denial
+    of service
+  * CVE-2024-9400 (bmo#1915249)
+    Potential memory corruption during JIT compilation
+  * CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317,
+    bmo#1916476)
+    Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
+    Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
+  * CVE-2024-9402 (bmo#1872744, bmo#1897792, bmo#1911317,
+    bmo#1913445, bmo#1914106, bmo#1914475, bmo#1914963,
+    bmo#1915008, bmo#1916476)
+    Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
+    Thunderbird 131, and Thunderbird 128.3
 
 -------------------------------------------------------------------
 Mon Sep  9 20:57:49 UTC 2024 - Charles Robertson <cgrobertson@suse.com>

MozillaFirefox.spec

@@ -29,8 +29,8 @@
 # major 69
 # mainver %%major.99
 %define major          128
-%define mainver        %major.3.0
+%define mainver        %major.5.1
-%define orig_version   128.3.0
+%define orig_version   128.5.1
 %define orig_suffix    esr
 %define update_channel release
 %define branding       1

firefox-128.3.0esr.source.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmbxkrMACgkQ4207E/PZ
-MnQ8khAA0WUg/6Ykv2Mbxq1840nUwoTqBy2OMyqCR4kuqHVJlKIbTn8U1Fqde4RS
-qwgqkQ+eJUk6IAG/32KBZWJHsTFTUs+D0GYB+xqJnFGHDBcaK9IdvQz7SIIqzJUu
-MlAqqbQm/vXfrVqjyIEvvG9dIaYVe85L3/KKGDcHQOSMGZxsTX/MvqOMMjGH7J6w
-/kTFVjMcbrpjs1w1ovDtanNe66JNvuEnR5mdLvXa9o7Dg90ujJxq1jC/Z6h7A17f
-lsey0v+7nbUBINhdiFNgg3HBlm6aj4axghd4SkEKB1Vb4eCZmlzqY0JgKY6Xw8FM
-w9kKPAntGMaUXlSn0yR+XFlrwngTpi48+Ljgi/SxnKEGGOnWOj8XPpx0uxiRrIfp
-xNpK/rDUT+5EEFkap7Prr0huIBzYE50H/JKx8hVIwHQFbPe/oLZE1IAwepG8wcxv
-HQuYcYh+L+LG1uKqdLSlMi5EmLizobU0JWw+t989eR6wEPAyp5w+FZmYdNt9dgrk
-33nc72RdaCFmkDOpF++uLf8I/s4hrpIEQ4DU5XHnaHdUFg0W7B6/BR7d1YACljHs
-CkNm3XKcgYJJBeKHEskU5NozMpBbDC0OoXNzgGwpT1z2AmvsCI7JdAHTgSflTXe7
-wX/7t30hbGGzFdC9fJ6ZqUsC7EmZzPtpDmY5XI50yx9uZL32rhk=
-=1kCT
------END PGP SIGNATURE-----

firefox-128.5.1esr.source.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmdIvLkACgkQ4207E/PZ
+MnTntg//WWqNvoivQlg1oQTnYMfYp670oB3DkJvC0LnsGGLrPCqvlgQQxUBgFP2R
+fP7PIoZWUZR5yFBuX/81uYrIL2svM5BVIqEec5swXe32gmuK14R3jG0IIeh5d3hu
+oSVRL9/j+jQXe/sFIwqutCcr3WABhOPjEmCfjcDOO6SqKChe3XfTo7y0IEBq+pHI
+acuhw6RwfBZr8smMMWSPvolKJaGs/Nl2ZEAvgjPwfgTVwZt8+2lVg831kzxd/iXf
+1tsikXtslJsUVj7Yx1L8opnG51QBwIUxGGcoJUGFkY8ce9zM+z5OgEIwWqqFMjtA
+gfrvH0iy659q960Y/wF00EzH6vno3LFH4/CMQG04IURViyFqEGOgQi7lD2+Q4EMp
+CN08V5GOQ1n6CukSHx3CF8ujQavhdUrFlfB+pNsc6zJSsr/FTV2CD6HEgclh0bBc
+tMDCICV4A/eVQ8vG3fZIzV/vNv0qZsY+dvJ7RHE6qbTaL3VmrmF4iyrm+avPcZQG
+Aee3dKmD6uhzEKNNxvPkbvHVkwuffS9RX6Dc75vp3Sw2cgba8lW5URRk+NtpiWHQ
+pq7rRSPgCAtt+k0FtryGVeckGjvz/K11azGxOU0EoD/SM6hX0keoDrqalrxgDDtk
+FJmkIu6Po3W0EyexaFBYbFxxTg1MVCT+TbJdY0woxcBc2WttapQ=
+=MRPV
+-----END PGP SIGNATURE-----

mozilla-rust-disable-future-incompat.patch

@@ -1,14 +1,14 @@
 # HG changeset patch
 # Parent  83a5e219b271976ee9dfa46b74ecc1c1c6d49f94
 
-Index: firefox-128.0/Cargo.toml
+Index: firefox-128.4.0/Cargo.toml
 ===================================================================
---- firefox-128.0.orig/Cargo.toml
+--- firefox-128.4.0.orig/Cargo.toml
-+++ firefox-128.0/Cargo.toml
++++ firefox-128.4.0/Cargo.toml
-@@ -236,3 +236,8 @@ mio_0_8 = { package = "mio", git = "http
+@@ -244,3 +244,8 @@ neqo-crypto = { path = "third_party/rust
- # Patch `gpu-descriptor` 0.3.0 to remove unnecessary `allocator-api2` dep.:
+ neqo-http3 = { path = "third_party/rust/neqo-http3" }
- # Still waiting for the now-merged <https://github.com/zakarumych/gpu-descriptor/pull/40> to be released.
+ neqo-qpack = { path = "third_party/rust/neqo-qpack" }
- gpu-descriptor = { git = "https://github.com/zakarumych/gpu-descriptor", rev = "7b71a4e47c81903ad75e2c53deb5ab1310f6ff4d" }
+ neqo-transport = { path = "third_party/rust/neqo-transport" }
 +
 +# Package code v0.1.4 uses code "that will be rejected by a future version of Rust"
 +# Shut up such messages for now to make the build succeed

tar_stamps

@@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="128.3.0"
+VERSION="128.5.1"
 VERSION_SUFFIX="esr"
-PREV_VERSION="128.2.0"
+PREV_VERSION="128.5.0"
 PREV_VERSION_SUFFIX="esr"
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-esr128"
-RELEASE_TAG="e2cb3d9c8cfc18acad7f77add351416dc95b67c4"
+RELEASE_TAG="a6cdcd2ed9ec3e256f358010672bafd1674b0b8b"
-RELEASE_TIMESTAMP="20240923123820"
+RELEASE_TIMESTAMP="20241128151741"