Sync from SUSE:SLFO:Main MozillaFirefox revision cccd1689d9232f4fd17cd6436e916bbf

Adrian Schröter 2024-12-05 10:53:22 +01:00
parent 3e6a22a862
commit 978a389e82
10 changed files with 146 additions and 36 deletions

@ -1,8 +1,118 @@
-------------------------------------------------------------------
Mon Dec 2 11:14:39 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- Firefox Extended Support Release 128.5.1 ESR
* Fixed: Fixed an issue that prevented some websites from
loading when using SSL Inspection. (bmo#1933747)
-------------------------------------------------------------------
Mon Nov 25 07:35:12 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- Firefox Extended Support Release 128.5.0 ESR
* Fixed: Various security fixes and other quality improvements.
MFSA 2024-64 (bsc#1233695)
* CVE-2024-11691 (bmo#1914707, bmo#1924184)
Out-of-bounds write in Apple GPU drivers via WebGL
* CVE-2024-11692 (bmo#1909535)
Select list elements could be shown over another site
* CVE-2024-11693 (bmo#1921458)
Download Protections were bypassed by .library-ms files on
Windows
* CVE-2024-11694 (bmo#1924167)
CSP Bypass and XSS Exposure via Web Compatibility Shims
* CVE-2024-11695 (bmo#1925496)
URL Bar Spoofing via Manipulated Punycode and Whitespace
Characters
* CVE-2024-11696 (bmo#1929600)
Unhandled Exception in Add-on Signature Verification
* CVE-2024-11697 (bmo#1842187)
Improper Keypress Handling in Executable File Confirmation
Dialog
* CVE-2024-11698 (bmo#1916152)
Fullscreen Lock-Up When Modal Dialog Interrupts Transition on
macOS
* CVE-2024-11699 (bmo#1880582, bmo#1929911)
Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5,
and Thunderbird 128.5
-------------------------------------------------------------------
Tue Oct 22 06:30:36 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- Firefox Extended Support Release 128.4.0 ESR
* Fixed: Various security fixes and other quality improvements.
MFSA 2024-56 (bsc#1231879)
* CVE-2024-10458 (bmo#1921733)
Permission leak via embed or object elements
* CVE-2024-10459 (bmo#1919087)
Use-after-free in layout with accessibility
* CVE-2024-10460 (bmo#1912537)
Confusing display of origin for external protocol handler
prompt
* CVE-2024-10461 (bmo#1914521)
XSS due to Content-Disposition being ignored in
multipart/x-mixed-replace response
* CVE-2024-10462 (bmo#1920423)
Origin of permission prompt could be spoofed by long URL
* CVE-2024-10463 (bmo#1920800)
Cross origin video frame leak
* CVE-2024-10464 (bmo#1913000)
History interface could have been used to cause a Denial of
Service condition in the browser
* CVE-2024-10465 (bmo#1918853)
Clipboard "paste" button persisted across tabs
* CVE-2024-10466 (bmo#1924154)
DOM push subscription message could hang Firefox
* CVE-2024-10467 (bmo#1829029, bmo#1888538, bmo#1900394,
bmo#1904059, bmo#1917742, bmo#1919809, bmo#1923706)
Memory safety bugs fixed in Firefox 132, Thunderbird 132,
Firefox ESR 128.4, and Thunderbird 128.4
- Rebase mozilla-rust-disable-future-incompat.patch
-------------------------------------------------------------------
Wed Oct 9 07:11:07 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- Firefox Extended Support Release 128.3.1 ESR
MFSA 2024-51 (bsc#1231413)
* CVE-2024-9680 (bmo#1923344)
Use-after-free in Animation timeline
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 25 11:30:58 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com> Wed Sep 25 11:30:58 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- Firefox Extended Support Release 128.3.0 ESR - Firefox Extended Support Release 128.3.0 ESR
Placeholder changelog-entry (bsc#1230979) * Fixed: Various security fixes and other quality improvements.
MFSA 2024-47 (bsc#1230979)
* CVE-2024-9392 (bmo#1899154, bmo#1905843)
Compromised content process can bypass site isolation
* CVE-2024-9393 (bmo#1918301)
Cross-origin access to PDF contents through multipart
responses
* CVE-2024-9394 (bmo#1918874)
Cross-origin access to JSON contents through multipart
responses
* CVE-2024-8900 (bmo#1872841)
Clipboard write permission bypass
* CVE-2024-9396 (bmo#1912471)
Potential memory corruption may occur when cloning certain
objects
* CVE-2024-9397 (bmo#1916659)
Potential directory upload bypass via clickjacking
* CVE-2024-9398 (bmo#1881037)
External protocol handlers could be enumerated via popups
* CVE-2024-9399 (bmo#1907726)
Specially crafted WebTransport requests could lead to denial
of service
* CVE-2024-9400 (bmo#1915249)
Potential memory corruption during JIT compilation
* CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317,
bmo#1916476)
Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
* CVE-2024-9402 (bmo#1872744, bmo#1897792, bmo#1911317,
bmo#1913445, bmo#1914106, bmo#1914475, bmo#1914963,
bmo#1915008, bmo#1916476)
Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
Thunderbird 131, and Thunderbird 128.3
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Sep 9 20:57:49 UTC 2024 - Charles Robertson <cgrobertson@suse.com> Mon Sep 9 20:57:49 UTC 2024 - Charles Robertson <cgrobertson@suse.com>
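Review bot: In the 128.5.1 entry the bullet reads `* Fixed: Fixed an issue that prevented some websites from`, so the word is doubled; drop the second "Fixed". That entry is also the only one in this hunk without a bsc# reference, and the 128.3.1 entry goes straight to `MFSA 2024-51 (bsc#1231413)` without the `* Fixed: Various security fixes and other quality improvements.` line that the 128.3.0, 128.4.0 and 128.5.0 entries carry. If a SUSE bug tracks 128.5.1, reference it, and align the 128.3.1 entry with the others so the layout stays uniform for anyone scanning the changelog for bsc# and CVE references.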

@ -29,8 +29,8 @@
# major 69 # major 69
# mainver %%major.99 # mainver %%major.99
%define major 128 %define major 128
%define mainver %major.3.0 %define mainver %major.5.1
%define orig_version 128.3.0 %define orig_version 128.5.1
%define orig_suffix esr %define orig_suffix esr
%define update_channel release %define update_channel release
%define branding 1 %define branding 1

BIN
firefox-128.3.0esr.source.tar.xz (Stored with Git LFS)

Binary file not shown.

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=1kCT
-----END PGP SIGNATURE-----

BIN
firefox-128.5.1esr.source.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=MRPV
-----END PGP SIGNATURE-----
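Review bot: The new detached signature cannot be checked from this diff, because firefox-128.5.1esr.source.tar.xz is a Git LFS object shown only as "Binary file not shown"; before accepting, confirm that the tarball verifies against this signature with the upstream signing key. l10n-128.5.1esr.tar.xz is swapped in the same commit with no signature file changing alongside it, so state in the changelog or commit message how that archive was produced and how its content can be reproduced.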

BIN
l10n-128.3.0esr.tar.xz (Stored with Git LFS)

Binary file not shown.

BIN
l10n-128.5.1esr.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

@ -1,14 +1,14 @@
# HG changeset patch # HG changeset patch
# Parent 83a5e219b271976ee9dfa46b74ecc1c1c6d49f94 # Parent 83a5e219b271976ee9dfa46b74ecc1c1c6d49f94
Index: firefox-128.0/Cargo.toml Index: firefox-128.4.0/Cargo.toml
=================================================================== ===================================================================
--- firefox-128.0.orig/Cargo.toml --- firefox-128.4.0.orig/Cargo.toml
+++ firefox-128.0/Cargo.toml +++ firefox-128.4.0/Cargo.toml
@@ -236,3 +236,8 @@ mio_0_8 = { package = "mio", git = "http @@ -244,3 +244,8 @@ neqo-crypto = { path = "third_party/rust
# Patch `gpu-descriptor` 0.3.0 to remove unnecessary `allocator-api2` dep.: neqo-http3 = { path = "third_party/rust/neqo-http3" }
# Still waiting for the now-merged <https://github.com/zakarumych/gpu-descriptor/pull/40> to be released. neqo-qpack = { path = "third_party/rust/neqo-qpack" }
gpu-descriptor = { git = "https://github.com/zakarumych/gpu-descriptor", rev = "7b71a4e47c81903ad75e2c53deb5ab1310f6ff4d" } neqo-transport = { path = "third_party/rust/neqo-transport" }
+ +
+# Package code v0.1.4 uses code "that will be rejected by a future version of Rust" +# Package code v0.1.4 uses code "that will be rejected by a future version of Rust"
+# Shut up such messages for now to make the build succeed +# Shut up such messages for now to make the build succeed
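Review bot: The rebased header now reads `Index: firefox-128.4.0/Cargo.toml` while this commit ships 128.5.1, so confirm the patch was checked against the 128.5.1 tree and not only the 128.4.0 one it was rebased for (the changelog lists the rebase under 128.4.0). The carried comment `# Shut up such messages for now to make the build succeed` has no bug reference or removal condition; add one so the warning suppression gets revisited instead of being carried indefinitely.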

@ -1,10 +1,10 @@
PRODUCT="firefox" PRODUCT="firefox"
CHANNEL="release" CHANNEL="release"
VERSION="128.3.0" VERSION="128.5.1"
VERSION_SUFFIX="esr" VERSION_SUFFIX="esr"
PREV_VERSION="128.2.0" PREV_VERSION="128.5.0"
PREV_VERSION_SUFFIX="esr" PREV_VERSION_SUFFIX="esr"
#SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-esr128" RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-esr128"
RELEASE_TAG="e2cb3d9c8cfc18acad7f77add351416dc95b67c4" RELEASE_TAG="a6cdcd2ed9ec3e256f358010672bafd1674b0b8b"
RELEASE_TIMESTAMP="20240923123820" RELEASE_TIMESTAMP="20241128151741"
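Review bot: `RELEASE_TAG` changes to a bare changeset hash, which pins the source, but nothing in the file says which upstream release that hash names. Add a trailing comment with the tag or build it corresponds to, so the pin can be checked against `RELEASE_REPO` and against `VERSION="128.5.1"` at review time.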