9263 lines
375 KiB
Plaintext
9263 lines
375 KiB
Plaintext
-------------------------------------------------------------------
|
||
Wed Sep 25 11:30:58 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 128.3.0 ESR
|
||
Placeholder changelog-entry (bsc#1230979)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 9 20:57:49 UTC 2024 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 128.2.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2024-40 (bsc#1229821)
|
||
* CVE-2024-8385 (bmo#1911909)
|
||
WASM type confusion involving ArrayTypes
|
||
* CVE-2024-8381 (bmo#1912715)
|
||
Type confusion when looking up a property name in a "with"
|
||
block
|
||
* CVE-2024-8382 (bmo#1906744)
|
||
Internal event interfaces were exposed to web content when
|
||
browser EventHandler listener callbacks ran
|
||
* CVE-2024-8383 (bmo#1908496)
|
||
Firefox did not ask before openings news: links in an
|
||
external application
|
||
* CVE-2024-8384 (bmo#1911288)
|
||
Garbage collection could mis-color cross-compartment objects
|
||
in OOM conditions
|
||
* CVE-2024-8386 (bmo#1907032, bmo#1909163, bmo#1909529)
|
||
SelectElements could be shown over another site if popups are
|
||
allowed
|
||
* CVE-2024-8387 (bmo#1857607, bmo#1911858, bmo#1914009)
|
||
Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2,
|
||
and Thunderbird 128.2
|
||
- Removed upstreamed patches mozilla-bmo1907511.patch mozilla-bmo1898476.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 31 11:59:32 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 128.1.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2024-35 (bsc#1228648)
|
||
* CVE-2024-7518 (bmo#1875354)
|
||
Fullscreen notification dialog can be obscured by document
|
||
content
|
||
* CVE-2024-7519 (bmo#1902307)
|
||
Out of bounds memory access in graphics shared memory
|
||
handling
|
||
* CVE-2024-7520 (bmo#1903041)
|
||
Type confusion in WebAssembly
|
||
* CVE-2024-7521 (bmo#1904644)
|
||
Incomplete WebAssembly exception handing
|
||
* CVE-2024-7522 (bmo#1906727)
|
||
Out of bounds read in editor component
|
||
* CVE-2024-7524 (bmo#1909241)
|
||
CSP strict-dynamic bypass using web-compatibility shims
|
||
* CVE-2024-7525 (bmo#1909298)
|
||
Missing permission check when creating a StreamFilter
|
||
* CVE-2024-7526 (bmo#1910306)
|
||
Uninitialized memory used by WebGL
|
||
* CVE-2024-7527 (bmo#1871303)
|
||
Use-after-free in JavaScript garbage collection
|
||
* CVE-2024-7528 (bmo#1895951)
|
||
Use-after-free in IndexedDB
|
||
* CVE-2024-7529 (bmo#1903187)
|
||
Document content could partially obscure security prompts
|
||
* CVE-2024-7531 (bmo#1905691)
|
||
PK11_Encrypt using CKM_CHACHA20 can reveal plaintext on Intel
|
||
Sandy Bridge machines
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 10 13:00:49 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 128.0esr ESR
|
||
* ### General
|
||
* Windows 7-8.1 and macOS 10.12-10.14 are no longer supported
|
||
operating systems.
|
||
* Firefox now supports automated translation of web content.
|
||
Also, unlike cloud-based alternatives, translation is done
|
||
locally so that the text being translated never leaves the
|
||
machine.
|
||
* The line breaking rules of web content now match the
|
||
Unicode standard, improving cross-browser compatibility.
|
||
Additionally, for East Asian and South East Asian end users,
|
||
Firefox now supports proper language-aware word selection
|
||
when double-clicking on text for languages including Chinese,
|
||
Japanese, Burmese, Lao, Khmer, and Thai.
|
||
* Video effects and background blur are now available to
|
||
Firefox users on Google Meet.
|
||
Firefox now displays images and descriptions for search
|
||
suggestions when provided by the search engine.
|
||
* It is now possible to copy and paste any file from the
|
||
operating system into Firefox.
|
||
* Having any issues with a website on Firefox, yet the site
|
||
seems to be working as expected on another browser? You can
|
||
now let us know via the Web Compatibility Reporting Tool! By
|
||
filing a web compatibility issue, you’re directly helping us
|
||
detect, target, and fix the most impacted sites to make your
|
||
browsing experience on Firefox smoother.
|
||
* Firefox now prompts users in the US and Canada to save
|
||
their addresses upon submitting an address form, allowing
|
||
Firefox to autofill stored address information in the future.
|
||
* Support for credit card autofill has been extended to users
|
||
running Firefox in the IT, ES, AT, BE, and PL locales.
|
||
* Recently closed tabs now persist between sessions that
|
||
don't have automatic session restore enabled. Manually
|
||
restoring a previous session will continue to reopen any
|
||
previously open tabs or windows.
|
||
* When migrating data from Chrome, Firefox now offers the
|
||
ability to import certain extensions as well.
|
||
* The Screenshots feature in Firefox has been updated. It now
|
||
supports taking screenshots of file types like SVG, XML, and
|
||
more as well as various about: pages within Firefox. The
|
||
screenshot tool was also made more accessible to everyone by
|
||
implementing new keyboard shortcuts and adding theme
|
||
compatibility and High Contrast Mode (HCM) support. And
|
||
finally, performance for capturing large screenshots has been
|
||
improved.
|
||
* ### PDF Viewer
|
||
* The Firefox PDF viewer has expanded PDF editing
|
||
capabilities:
|
||
* Text highlighting is now supported.
|
||
* Editing already-existing text annotations is now
|
||
supported.
|
||
* Images and alt text can be added in addition to text
|
||
and drawings.
|
||
* A floating button is now included to simplify deleting
|
||
drawings, text, and images added in PDFs.
|
||
* Caret browsing mode now also works in the PDF viewer.
|
||
(Learn more)
|
||
* ### Firefox View
|
||
* Firefox View includes more content. You can now see all
|
||
open tabs from all windows. If you sync open tabs, you’ll see
|
||
all tabs from other devices. Browsing history is now listed
|
||
and you can sort by date or by site. As before, recently
|
||
closed tabs are also listed on Firefox View.
|
||
To access Firefox View, select the file folder icon at the
|
||
top left of your tab strip.
|
||
* We’ve integrated search into Firefox View. You can now
|
||
search through all of the tabs on each of the section
|
||
subpages - Recent Browsing, Open Tabs, Recently Closed Tabs,
|
||
Tabs from other devices, or History.
|
||
* In Firefox View, open tabs can now be sorted by either
|
||
recent activity or tab order. Recent activity is the default
|
||
setting.
|
||
* Firefox View now displays pinned tabs in the Open tabs
|
||
section. Tab indicators have also been added to Open tabs, so
|
||
users can do things like see which tabs are playing media and
|
||
quickly mute or unmute across windows. Indicators were also
|
||
added for bookmarks, tabs with notifications, and more!
|
||
* It is now possible to close all duplicate tabs in a window
|
||
with the `Close duplicate tabs` command available from the
|
||
`List all tabs` widget in the tab bar or a tab context menu.
|
||
* ### Security & Privacy
|
||
* For added protection on macOS and Windows, a device sign in
|
||
(e.g. operating system password, fingerprint, face or voice
|
||
login if enabled) can be required when accessing and filling
|
||
stored passwords in the Firefox Password Manager about:logins
|
||
page.
|
||
* Firefox now supports creating and using passkeys stored in
|
||
the iCloud Keychain on macOS.
|
||
* Firefox now imports user-added TLS trust anchors (e.g.,
|
||
certificates) from the operating system root store. This will
|
||
be enabled by default on Windows, macOS, and Android, and if
|
||
needed, can be turned off in settings (Settings → Privacy &
|
||
Security → Certificates).
|
||
* The Storage Access API web standard was updated to improve
|
||
security while mitigating website breakages and further
|
||
enabling the phase out of third-party cookies in Firefox.
|
||
* Encrypted Client Hello (ECH) is now available to Firefox
|
||
users, delivering a more private browsing experience. ECH
|
||
extends the encryption used in TLS connections to cover more
|
||
of the handshake and better protect sensitive fields. Read
|
||
more about the launch of ECH on Mozilla Distilled.
|
||
* Firefox supports a new “Copy Link Without Site Tracking”
|
||
feature in the context menu which ensures that copied links
|
||
no longer contain tracking information.
|
||
* Firefox now supports a setting (in Preferences → Privacy &
|
||
Security) to enable Global Privacy Control. With this opt-in
|
||
feature, Firefox informs the websites that the user doesn’t
|
||
want their data to be shared or sold. This feature is enabled
|
||
in private browsing mode by default.
|
||
* Firefox now more proactively blocks downloads from URLs
|
||
that are considered to be potentially untrustworthy.
|
||
* ### Anti-Fingerprinting
|
||
* Web Audio in Firefox now uses the FDLIBM math library on
|
||
all systems to improve anonymity with Fingerprint Protection.
|
||
* As part of Total Cookie Protection, Firefox now supports
|
||
the partitioning of Blob URLs, this mitigates a potential
|
||
tracking vector that third-party agents could use to track an
|
||
individual.
|
||
* To mitigate font fingerprinting, the visibility of fonts to
|
||
websites has been restricted to system fonts and language
|
||
pack fonts when in Private Browsing Mode or with Enhanced
|
||
Tracking Protection set to strict mode.
|
||
* Firefox’s private windows and ETP-Strict privacy
|
||
configuration now enhance the Canvas APIs with Fingerprinting
|
||
Protection.
|
||
* To reduce user fingerprinting information and the risk of
|
||
some website compatibility issues, the CPU architecture for
|
||
32-bit x86 Linux will now be reported as x86_64 in Firefox's
|
||
User-Agent string and `navigator.platform` and
|
||
`navigator.oscpu` Web APIs.
|
||
* ### Windows
|
||
* Firefox can now be set to automatically launch whenever the
|
||
computer starts up. (Learn more)
|
||
* The background updater now updates properly when there are
|
||
multiple user accounts on a system.
|
||
* Firefox now populates the Windows taskbar jump list more
|
||
efficiently, which should allow for a smoother overall
|
||
browsing experience.
|
||
* ### macOS
|
||
* Firefox now supports Voice Control commands on macOS
|
||
systems.
|
||
* Links and other focusable elements are now tab-navigable by
|
||
default on macOS, instead of following macOS' "Keyboard
|
||
navigation" setting. This is a more accessible default and
|
||
matches the default in all other platforms. A checkbox in the
|
||
settings page still allows users to restore the old behavior.
|
||
* Firefox on Mac now uses the macOS fullscreen API for all
|
||
types of fullscreen windows. This should better match the
|
||
expected macOS user experience for fullscreen spaces, menubar
|
||
and the Dock.
|
||
* ### Linux
|
||
* Firefox now defaults to the Wayland compositor when
|
||
available instead of XWayland. This brings support for
|
||
touchpad & touchscreen gestures, swipe-to-nav, per-monitor
|
||
DPI settings, better graphics performance, and more.
|
||
* Firefox now ships with a new .deb package for Linux users
|
||
on Ubuntu, Debian, and Linux Mint.
|
||
* ### Video Playback
|
||
* Enabled AV1 hardware decode acceleration on macOS for M3
|
||
Macs.
|
||
* Firefox now supports the AV1 codec for Encrypted Media
|
||
Extensions (EME), enabling higher-quality playback from video
|
||
streaming providers.
|
||
* NVIDIA RTX Video Super Resolution (“VSR”) is now available
|
||
in Firefox. RTX VSR enhances and sharpens lower resolution
|
||
video when upscaled to higher resolutions and also removes
|
||
blocky artifacts commonly visible on low bitrate streamed
|
||
video. VSR requires at least a 20-series or higher NVIDIA RTX
|
||
GPU, Microsoft Windows 10/11 64-bit, and NVIDIA driver
|
||
version R530 or higher. The feature can be enabled in the
|
||
NVIDIA control panel.
|
||
* NVIDIA RTX Video HDR is now available in Firefox. RTX Video
|
||
HDR automatically converts SDR video to vibrant HDR10 in real
|
||
time, letting you enjoy video with improved clarity on your
|
||
HDR10 panel. It requires at least a 20-series NVIDIA RTX GPU,
|
||
Microsoft Windows 10/11 64-bit, and NVIDIA driver version 550
|
||
or higher. The feature can be enabled in the NVIDIA control
|
||
panel.
|
||
* Developer: * Firefox now supports DNS prefetching for HTTPS
|
||
documents via the `rel="dns-prefetch"` link hint. This
|
||
standard allows web developers to specify domain names for
|
||
important assets that should be resolved preemptively.
|
||
* Firefox will now automatically try to upgrade <img>,
|
||
<audio>, and <video> elements from HTTP to HTTPS
|
||
if they are embedded within an HTTPS page. If these so-called
|
||
mixed content elements do not support HTTPS, they will no
|
||
longer load.
|
||
* Firefox now supports Content-encoding: zstd (zstandard
|
||
compression). This is an alternative to brotli and gzip
|
||
compression for web content, and can provide higher
|
||
compression levels for the same CPU used, or conversely lower
|
||
server CPU use to get the same compression.
|
||
[2]: http://facebook.github.io/zstd/
|
||
* Enterprise: * The FirefoxHome policy has been updated to
|
||
reflect that the Snippets option is now deprecated.
|
||
* The DNSOverHTTPS policy has been updated to support setting
|
||
a `Fallback` value to prevent falling back to your default
|
||
DNS Provider.
|
||
* The AllowFileSelectionDialogs policy has been added for
|
||
controlling file selection dialogs.
|
||
* The TranslateEnabled policy has been added.
|
||
* The DisableEncryptedClientHello policy has been added to
|
||
control Encrypted Client Hello.
|
||
* The PostQuantumKeyAgreementEnabled policy has been added to
|
||
control post-quantum key agreement for TLS.
|
||
* The HttpsOnlyMode policy has been added to control HTTPS-
|
||
Only Mode.
|
||
* The HttpAllowlist policy has been added to add exceptions
|
||
to HTTPS-Only Mode.
|
||
* The Preferences policy has been updated to allow setting
|
||
the preferences
|
||
`security.mixed_content.block_display_content` and
|
||
`security.mixed_content.upgrade_display_content`.
|
||
* The UserMessaging policy has been updated to remove the
|
||
WhatsNew option.
|
||
* The ExtensionSettings policy has been updated to add
|
||
`temporarily_allow_weak_signatures` to allow installing
|
||
extensions signed using deprecated signature algorithms.
|
||
* Fixed: Various security fixes.
|
||
MFSA 2024-29 (bsc#1226316)
|
||
* CVE-2024-6605 (bmo#1836786)
|
||
Firefox Android missed activation delay to prevent tapjacking
|
||
* CVE-2024-6606 (bmo#1902305)
|
||
Out-of-bounds read in clipboard component
|
||
* CVE-2024-6607 (bmo#1694513)
|
||
Leaving pointerlock by pressing the escape key could be
|
||
prevented
|
||
* CVE-2024-6608 (bmo#1743329)
|
||
Cursor could be moved out of the viewport using pointerlock.
|
||
* CVE-2024-6609 (bmo#1839258)
|
||
Memory corruption in NSS
|
||
* CVE-2024-6610 (bmo#1883396)
|
||
Form validation popups could block exiting full-screen mode
|
||
* CVE-2024-6600 (bmo#1888340)
|
||
Memory corruption in WebGL API
|
||
* CVE-2024-6601 (bmo#1890748)
|
||
Race condition in permission assignment
|
||
* CVE-2024-6602 (bmo#1895032)
|
||
Memory corruption in NSS
|
||
* CVE-2024-6603 (bmo#1895081)
|
||
Memory corruption in thread creation
|
||
* CVE-2024-6611 (bmo#1844827)
|
||
Incorrect handling of SameSite cookies
|
||
* CVE-2024-6612 (bmo#1880374)
|
||
CSP violation leakage when using devtools
|
||
* CVE-2024-6613 (bmo#1900523)
|
||
Incorrect listing of stack frames
|
||
* CVE-2024-6614 (bmo#1902983)
|
||
Incorrect listing of stack frames
|
||
* CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
|
||
Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
|
||
and Thunderbird 115.13
|
||
* CVE-2024-6615 (bmo#1892875, bmo#1894428, bmo#1898364)
|
||
Memory safety bugs fixed in Firefox 128
|
||
- remove unneeded patches mozilla-fix-aarch64-libopus.patch
|
||
mozilla-bmo1504834-part3.patch mozilla-bmo1512162.patch
|
||
mozilla-fix-top-level-asm.patch mozilla-bmo531915.patch
|
||
mozilla-partial-revert-1768632.patch
|
||
- added patches mozilla-rust-disable-future-incompat.patch
|
||
fix-sle12-build-errors.patch
|
||
- added patches mozilla-bmo1898476.patch and mozilla-bmo1907511.patch
|
||
to fix Wayland-crashes
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 3 07:12:36 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.13.0 ESR
|
||
* Changed: The root certificate used to verify add-ons and
|
||
signed content has been renewed to avoid upcoming expiration.
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2024-30 (bsc#1226316)
|
||
* CVE-2024-6600 (bmo#1888340)
|
||
Memory corruption in WebGL API
|
||
* CVE-2024-6601 (bmo#1890748)
|
||
Race condition in permission assignment
|
||
* CVE-2024-6602 (bmo#1895032)
|
||
Memory corruption in NSS
|
||
* CVE-2024-6603 (bmo#1895081)
|
||
Memory corruption in thread creation
|
||
* CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
|
||
Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
|
||
and Thunderbird 115.13
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jul 1 14:01:17 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Fix GNOME search provider (boo#1225278)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 6 07:52:51 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.12.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2024-26 (bsc#1226027)
|
||
* CVE-2024-5702 (bmo#1193389)
|
||
Use-after-free in networking
|
||
* CVE-2024-5688 (bmo#1895086)
|
||
Use-after-free in JavaScript object transplant
|
||
* CVE-2024-5690 (bmo#1883693)
|
||
External protocol handlers leaked by timing attack
|
||
* CVE-2024-5691 (bmo#1888695)
|
||
Sandboxed iframes were able to bypass sandbox restrictions to
|
||
open a new window
|
||
* CVE-2024-5692 (bmo#1891234)
|
||
Bypass of file name restrictions during saving
|
||
* CVE-2024-5693 (bmo#1891319)
|
||
Cross-Origin Image leak via Offscreen Canvas
|
||
* CVE-2024-5696 (bmo#1896555)
|
||
Memory Corruption in Text Fragments
|
||
* CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388,
|
||
bmo#1895123)
|
||
Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12,
|
||
and Thunderbird 115.12
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 8 13:34:00 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.11.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2024-22 (bsc#1224056)
|
||
* CVE-2024-4367 (bmo#1893645)
|
||
Arbitrary JavaScript execution in PDF.js
|
||
* CVE-2024-4767 (bmo#1878577)
|
||
IndexedDB files retained in private browsing mode
|
||
* CVE-2024-4768 (bmo#1886082)
|
||
Potential permissions request bypass via clickjacking
|
||
* CVE-2024-4769 (bmo#1886108)
|
||
Cross-origin responses could be distinguished between script
|
||
and non-script content-types
|
||
* CVE-2024-4770 (bmo#1893270)
|
||
Use-after-free could occur when printing to PDF
|
||
* CVE-2024-4777 (bmo#1878199, bmo#1893340)
|
||
Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
|
||
and Thunderbird 115.11
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 9 10:34:07 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.10.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2024-19 (bsc#1222535)
|
||
* CVE-2024-3852 (bmo#1883542)
|
||
GetBoundName in the JIT returned the wrong object
|
||
* CVE-2024-3854 (bmo#1884552)
|
||
Out-of-bounds-read after mis-optimized switch statement
|
||
* CVE-2024-3857 (bmo#1886683)
|
||
Incorrect JITting of arguments led to use-after-free during
|
||
garbage collection
|
||
* CVE-2024-2609 (bmo#1866100)
|
||
Permission prompt input delay could expire when not in focus
|
||
* CVE-2024-3859 (bmo#1874489)
|
||
Integer-overflow led to out-of-bounds-read in the OpenType
|
||
sanitizer
|
||
* CVE-2024-3861 (bmo#1883158)
|
||
Potential use-after-free due to AlignedBuffer self-move
|
||
* CVE-2024-3863 (bmo#1885855)
|
||
Download Protections were bypassed by .xrm-ms files on
|
||
Windows
|
||
* CVE-2024-3302 (bmo#1881183, https://kb.cert.org/vuls/id/421644)
|
||
Denial of Service using HTTP/2 CONTINUATION frames
|
||
* CVE-2024-3864 (bmo#1888333)
|
||
Memory safety bug fixed in Firefox 125, Firefox ESR 115.10,
|
||
and Thunderbird 115.10
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 22 08:11:15 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.9.1esr ESR
|
||
* Fixed: Security fix.
|
||
MFSA 2024-16 (bsc#1221850)
|
||
* CVE-2024-29944 (bmo#1886852)
|
||
Privileged JavaScript Execution via Event Handlers
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 13 08:25:10 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.9.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2024-13 (bsc#1221327)
|
||
* CVE-2024-0743 (bmo#1867408)
|
||
Crash in NSS TLS method
|
||
* CVE-2024-2605 (bmo#1872920)
|
||
Windows Error Reporter could be used as a Sandbox escape
|
||
vector
|
||
* CVE-2024-2607 (bmo#1879939)
|
||
JIT code failed to save return registers on Armv7-A
|
||
* CVE-2024-2608 (bmo#1880692)
|
||
Integer overflow could have led to out of bounds write
|
||
* CVE-2024-2616 (bmo#1846197)
|
||
Improve handling of out-of-memory conditions in ICU
|
||
* CVE-2023-5388 (bmo#1780432)
|
||
NSS susceptible to timing attack against RSA decryption
|
||
* CVE-2024-2610 (bmo#1871112)
|
||
Improper handling of html and body tags enabled CSP nonce
|
||
leakage
|
||
* CVE-2024-2611 (bmo#1876675)
|
||
Clickjacking vulnerability could have led to a user
|
||
accidentally granting permissions
|
||
* CVE-2024-2612 (bmo#1879444)
|
||
Self referencing object could have potentially led to a use-
|
||
after-free
|
||
* CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405,
|
||
bmo#1881093)
|
||
Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
|
||
and Thunderbird 115.9
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 19 07:18:16 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.8.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2024-06 (bsc#1220048)
|
||
* CVE-2024-1546 (bmo#1843752)
|
||
Out-of-bounds memory read in networking channels
|
||
* CVE-2024-1547 (bmo#1877879)
|
||
Alert dialog could have been spoofed on another site
|
||
* CVE-2024-1548 (bmo#1832627)
|
||
Fullscreen Notification could have been hidden by select
|
||
element
|
||
* CVE-2024-1549 (bmo#1833814)
|
||
Custom cursor could obscure the permission dialog
|
||
* CVE-2024-1550 (bmo#1860065)
|
||
Mouse cursor re-positioned unexpectedly could have led to
|
||
unintended permission grants
|
||
* CVE-2024-1551 (bmo#1864385)
|
||
Multipart HTTP Responses would accept the Set-Cookie header
|
||
in response parts
|
||
* CVE-2024-1552 (bmo#1874502)
|
||
Incorrect code generation on 32-bit ARM devices
|
||
* CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498,
|
||
bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597,
|
||
bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795,
|
||
bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286)
|
||
Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8,
|
||
and Thunderbird 115.8
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 30 13:51:25 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Recommend libfido2-udev on codestreams that exist, in order to try
|
||
to get security keys (e.g. Yubikeys) work out of the box. (bsc#1184272)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 18 15:24:40 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.7.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
- Mozilla Firefox ESR 115.7
|
||
MFSA 2024-02 (bsc#1218955)
|
||
* CVE-2024-0741 (bmo#1864587)
|
||
Out of bounds write in ANGLE
|
||
* CVE-2024-0742 (bmo#1867152)
|
||
Failure to update user input timestamp
|
||
* CVE-2024-0746 (bmo#1660223)
|
||
Crash when listing printers on Linux
|
||
* CVE-2024-0747 (bmo#1764343)
|
||
Bypass of Content Security Policy when directive unsafe-
|
||
inline was set
|
||
* CVE-2024-0749 (bmo#1813463)
|
||
Phishing site popup could show local origin in address bar
|
||
* CVE-2024-0750 (bmo#1863083)
|
||
Potential permissions request bypass via clickjacking
|
||
* CVE-2024-0751 (bmo#1865689)
|
||
Privilege escalation through devtools
|
||
* CVE-2024-0753 (bmo#1870262)
|
||
HSTS policy on subdomain could bypass policy of upper domain
|
||
* CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
|
||
Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
|
||
and Thunderbird 115.7
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Dec 12 08:05:10 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.6.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2023-54 (bsc#1217974)
|
||
* CVE-2023-6856 (bmo#1843782)
|
||
Heap-buffer-overflow affecting WebGL DrawElementsInstanced
|
||
method with Mesa VM driver
|
||
* CVE-2023-6865 (bmo#1864123)
|
||
Potential exposure of uninitialized data in
|
||
EncryptingOutputStream
|
||
* CVE-2023-6857 (bmo#1796023)
|
||
Symlinks may resolve to smaller than expected buffers
|
||
* CVE-2023-6858 (bmo#1826791)
|
||
Heap buffer overflow in nsTextFragment
|
||
* CVE-2023-6859 (bmo#1840144)
|
||
Use-after-free in PR_GetIdentitiesLayer
|
||
* CVE-2023-6860 (bmo#1854669)
|
||
Potential sandbox escape due to VideoBridge lack of texture
|
||
validation
|
||
* CVE-2023-6867 (bmo#1863863)
|
||
Clickjacking permission prompts using the popup transition
|
||
* CVE-2023-6861 (bmo#1864118)
|
||
Heap buffer overflow affected nsWindow::PickerOpen(void) in
|
||
headless mode
|
||
* CVE-2023-6862 (bmo#1868042)
|
||
Use-after-free in nsDNSService
|
||
* CVE-2023-6863 (bmo#1868901)
|
||
Undefined behavior in ShutdownObserver()
|
||
* CVE-2023-6864 (bmo#1736385, bmo#1810805, bmo#1846328,
|
||
bmo#1856090, bmo#1858033, bmo#1858509, bmo#1862089,
|
||
bmo#1862777, bmo#1864015)
|
||
Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6,
|
||
and Thunderbird 115.6
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 16 12:37:04 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.5.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2023-50 (bsc#1217230)
|
||
* CVE-2023-6204 (bmo#1841050)
|
||
Out-of-bound memory access in WebGL2 blitFramebuffer
|
||
* CVE-2023-6205 (bmo#1854076)
|
||
Use-after-free in MessagePort::Entangled
|
||
* CVE-2023-6206 (bmo#1857430)
|
||
Clickjacking permission prompts using the fullscreen
|
||
transition
|
||
* CVE-2023-6207 (bmo#1861344)
|
||
Use-after-free in ReadableByteStreamQueueEntry::Buffer
|
||
* CVE-2023-6208 (bmo#1855345)
|
||
Using Selection API would copy contents into X11 primary
|
||
selection.
|
||
* CVE-2023-6209 (bmo#1858570)
|
||
Incorrect parsing of relative URLs starting with "///"
|
||
* CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252,
|
||
bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943,
|
||
bmo#1862782)
|
||
Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
|
||
and Thunderbird 115.5
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 17 12:16:23 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.4.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2023-46 (bsc#1216338)
|
||
* CVE-2023-5721 (bmo#1830820)
|
||
Queued up rendering could have allowed websites to clickjack
|
||
* CVE-2023-5732 (bmo#1690979, bmo#1836962)
|
||
Address bar spoofing via bidirectional characters
|
||
* CVE-2023-5724 (bmo#1836705)
|
||
Large WebGL draw could have led to a crash
|
||
* CVE-2023-5725 (bmo#1845739)
|
||
WebExtensions could open arbitrary URLs
|
||
* CVE-2023-5726 (bmo#1846205)
|
||
Full screen notification obscured by file open dialog on
|
||
macOS
|
||
* CVE-2023-5727 (bmo#1847180)
|
||
Download Protections were bypassed by .msix, .msixbundle,
|
||
.appx, and .appxbundle files on Windows
|
||
* CVE-2023-5728 (bmo#1852729)
|
||
Improper object tracking during GC in the JavaScript engine
|
||
could have led to a crash.
|
||
* CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694,
|
||
bmo#1848833, bmo#1850191, bmo#1850259, bmo#1852596,
|
||
bmo#1853201, bmo#1854002, bmo#1855306, bmo#1855640,
|
||
bmo#1856695)
|
||
Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4,
|
||
and Thunderbird 115.4.1
|
||
- Removed upstreamed patch mozilla-fix-broken-ffmpeg.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 29 13:02:44 UTC 2023 - Marcus Meissner <meissner@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.3.1 ESR
|
||
* Fixed: Security fix.
|
||
MFSA 2023-44 (bsc#1215814)
|
||
* CVE-2023-5217 (bmo#1855550)
|
||
Heap buffer overflow in libvpx
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 21 12:57:28 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.3.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2023-42 (bsc#1215575)
|
||
* CVE-2023-5168 (bmo#1846683)
|
||
Out-of-bounds write in FilterNodeD2D1
|
||
* CVE-2023-5169 (bmo#1846685)
|
||
Out-of-bounds write in PathOps
|
||
* CVE-2023-5171 (bmo#1851599)
|
||
Use-after-free in Ion Compiler
|
||
* CVE-2023-5174 (bmo#1848454)
|
||
Double-free in process spawning on Windows
|
||
* CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824,
|
||
bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983,
|
||
bmo#1851195)
|
||
Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3,
|
||
and Thunderbird 115.3
|
||
- Add patch mozilla-fix-broken-ffmpeg.patch to fix broken build
|
||
with newer binutils (bsc#1215309)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 12 21:45:11 UTC 2023 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.2.1 ESR
|
||
* Fixed: Security fix
|
||
MFSA 2023-40 (bsc#1215245)
|
||
* CVE-2023-4863 (bmo#1852649)
|
||
Heap buffer overflow in libwebp
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 8 09:31:41 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Fix i586 build by reducing debug info to -g1. (boo#1210168)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 25 09:36:23 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.2.0 ESR
|
||
* Fixed: Various security fixes and other quality
|
||
improvements.
|
||
MFSA 2023-36 (bsc#1214606)
|
||
* CVE-2023-4574: (bmo#1846688)
|
||
Memory corruption in IPC ColorPickerShownCallback
|
||
* CVE-2023-4575: (bmo#1846689)
|
||
Memory corruption in IPC FilePickerShownCallback
|
||
* CVE-2023-4576: (bmo#1846694)
|
||
Integer Overflow in RecordedSourceSurfaceCreation
|
||
* CVE-2023-4577: (bmo#1847397)
|
||
Memory corruption in JIT UpdateRegExpStatics
|
||
* CVE-2023-4051: (bmo#1821884)
|
||
Full screen notification obscured by file open dialog
|
||
* CVE-2023-4578: (bmo#1839007)
|
||
Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception
|
||
* CVE-2023-4053: (bmo#1839079)
|
||
Full screen notification obscured by external program
|
||
* CVE-2023-4580: (bmo#1843046)
|
||
Push notifications saved to disk unencrypted
|
||
* CVE-2023-4581: (bmo#1843758)
|
||
XLL file extensions were downloadable without warnings
|
||
* CVE-2023-4582: (bmo#1773874)
|
||
Buffer Overflow in WebGL glGetProgramiv
|
||
* CVE-2023-4583: (bmo#1842030)
|
||
Browsing Context potentially not cleared when closing Private Window
|
||
* CVE-2023-4584: (bmo#1843968, bmo#1845205, bmo#1846080, bmo#1846526, bmo#1847529)
|
||
Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15,
|
||
Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
|
||
* CVE-2023-4585: (bmo#1751583, bmo#1833504, bmo#1841082, bmo#1847904, bmo#1848999)
|
||
Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2,
|
||
and Thunderbird 115.2
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 27 10:18:01 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.1.0 ESR
|
||
* Fixed: Various security fixes.
|
||
MFSA 2023-30 (bsc#1213746)
|
||
* CVE-2023-4045 (bmo#1833876)
|
||
Offscreen Canvas could have bypassed cross-origin
|
||
restrictions
|
||
* CVE-2023-4046 (bmo#1837686)
|
||
Incorrect value used during WASM compilation
|
||
* CVE-2023-4047 (bmo#1839073)
|
||
Potential permissions request bypass via clickjacking
|
||
* CVE-2023-4048 (bmo#1841368)
|
||
Crash in DOMParser due to out-of-memory conditions
|
||
* CVE-2023-4049 (bmo#1842658)
|
||
Fix potential race conditions when releasing platform objects
|
||
* CVE-2023-4050 (bmo#1843038)
|
||
Stack buffer overflow in StorageManager
|
||
* CVE-2023-4054 (bmo#1840777)
|
||
Lack of warning when opening appref-ms files
|
||
* CVE-2023-4055 (bmo#1782561)
|
||
Cookie jar overflow caused unexpected cookie jar state
|
||
* CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235,
|
||
bmo#1842325, bmo#1843847)
|
||
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
|
||
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
|
||
- Remove now upstreamed patch mozilla-bmo1838323.patch and mozilla-bmo1775202.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 26 11:50:51 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Remove bashisms from startup-script (bsc#1213657)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 11 22:37:54 UTC 2023 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.0.2 ESR
|
||
MFSA 2023-26 (bsc#1213230)
|
||
* CVE-2023-3600 (bmo#1839703)
|
||
Use-after-free in workers
|
||
-
|
||
* Fixed: Fixed a startup crash experienced by some Windows
|
||
users by blocking instances of a malicious injected DLL
|
||
(bmo#1841751)
|
||
* Fixed: Fixed a bug with displaying a caret in the text editor
|
||
on some websites (bmo#1840804)
|
||
* Fixed: Fixed a bug with broken audio rendering on some
|
||
websites (bmo#1841982)
|
||
* Fixed: Fixed a bug with patternTransform translate using the
|
||
wrong units (bmo#1840746)
|
||
* Fixed: A security fix.
|
||
* Fixed: Fixed a crash affecting Windows 7 users related to the
|
||
DLL blocklist.
|
||
- Firefox Extended Support Release 115.0.1 ESR
|
||
* Fixed: Fixed a startup crash for Windows users with Kingsoft
|
||
Antivirus software installed (bmo#1837242)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 27 08:06:01 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 115.0 ESR
|
||
* New:
|
||
- Required fields are now highlighted in PDF forms.
|
||
- Improved performance on high-refresh rate monitors
|
||
(120Hz+).
|
||
- Buttons in the Tabs toolbar can now be reached with Tab,
|
||
Shift+Tab, and Arrow keys. View this article for additional
|
||
details.
|
||
- Windows' "Make text bigger" accessibility setting now
|
||
affects all the UI and content pages, rather than only
|
||
applying to system font sizes.
|
||
- Non-breaking spaces are now preserved—preventing automatic
|
||
line breaks—when copying text from a form control.
|
||
- Fixed WebGL performance issues on NVIDIA binary drivers via
|
||
DMA-Buf on Linux.
|
||
- Fixed an issue in which Firefox startup could be
|
||
significantly slowed down by the processing of Web content
|
||
local storage. This had the greatest impact on users with
|
||
platter hard drives and significant local storage.
|
||
- Removed a configuration option to allow SHA-1 signatures in
|
||
certificates: SHA-1 signatures in certificates—long since
|
||
determined to no longer be secure enough—are now not
|
||
supported.
|
||
- Highlight color is preserved correctly after typing `Enter`
|
||
in the mail composer of Yahoo Mail and Outlook.
|
||
After bypassing the https only error page navigating back
|
||
would take you to the error page that was previously
|
||
dismissed. Back now takes you to the previous site that was
|
||
visited.
|
||
- Paste unformatted shortcut (shift+ctrl/cmd+v) now works in
|
||
plain text contexts, such as input and text area.
|
||
- Added an option to print only the current page from the
|
||
print preview dialog.
|
||
- Swipe to navigate (two fingers on a touchpad swiped left or
|
||
right to perform history back or forward) on Windows is now
|
||
enabled.
|
||
- Stability on Windows is significantly improved as Firefox
|
||
handles low-memory situations much better.
|
||
- Touchpad scrolling on macOS was made more accessible by
|
||
reducing unintended diagonal scrolling opposite of the
|
||
intended scroll axis.
|
||
- Firefox is less likely to run out of memory on Linux and
|
||
performs more efficiently for the rest of the system when
|
||
memory runs low.
|
||
- It is now possible to edit PDFs: including writing text,
|
||
drawing, and adding signatures.
|
||
- Setting Firefox as your default browser now also makes it
|
||
the default PDF application on Windows systems.
|
||
- Swipe-to-navigate (two fingers on a touchpad swiped left or
|
||
right to perform history back or forward) now works for Linux
|
||
users on Wayland.
|
||
- Text Recognition in images allows users on macOS 10.15 and
|
||
higher to extract text from the selected image (such as a
|
||
meme or screenshot).
|
||
- Firefox View helps you get back to content you previously
|
||
discovered. A pinned tab allows you to find and open recently
|
||
closed tabs on your current device and access tabs from other
|
||
devices (via our “Tab Pickup” feature).
|
||
- Import maps, which allow web pages to control the behavior
|
||
of JavaScript imports, are now enabled by default.
|
||
- Processes used for background tabs now use efficiency mode
|
||
on Windows 11 to limit resource use.
|
||
- The shift+esc keyboard shortcut now opens the Process
|
||
Manager, offering a way to quickly identify processes that
|
||
are using too many resources.
|
||
- Firefox now supports properly color correcting images
|
||
tagged with ICCv4 profiles.
|
||
- Support for non-English characters when saving and printing
|
||
PDF forms.
|
||
- The bookmarks toolbar's default "Only show on New Tab"
|
||
state works correctly for blank new tabs. As before, you can
|
||
change the bookmark toolbar's behavior using the toolbar
|
||
context menu.
|
||
- Manifest Version 3 (MV3) extension support is now enabled
|
||
by default (MV2 remains enabled/supported). This major update
|
||
also ushers an exciting user interface change in the form of
|
||
the new extensions button.
|
||
- The Arbitrary Code Guard exploit protection has been
|
||
enabled in the media playback utility processes, improving
|
||
security for Windows users.
|
||
- The native HTML date picker for date and datetime inputs
|
||
can now be used with a keyboard alone, improving its
|
||
accessibility for screen reader users. Users with limited
|
||
mobility can also now use common keyboard shortcuts to
|
||
navigate the calendar grid and month selection spinners.
|
||
- Firefox builds in the Spanish from Spain (es-ES) and
|
||
Spanish from Argentina (es-AR) locales now come with a built-
|
||
in dictionary for the Firefox spellchecker.
|
||
- On macOS, Ctrl or Cmd + trackpad or mouse wheel now scrolls
|
||
the page instead of zooming. This avoids accidental zooming
|
||
and matches the behavior of other web browsers on macOS.
|
||
- It's now possible to import bookmarks, history and
|
||
passwords not only from Edge, Chrome or Safari but also from
|
||
Opera, Opera GX, and Vivaldi.
|
||
- GPU sandboxing has been enabled on Windows.
|
||
- On Windows, third-party modules can now be blocked from
|
||
injecting themselves into Firefox, which can be helpful if
|
||
they are causing crashes or other undesirable behavior.
|
||
- Date, time, and datetime-local input fields can now be
|
||
cleared with `Cmd+Backspace` and `Cmd+Delete` shortcut on
|
||
macOS and `Ctrl+Backspace` and `Ctrl+Delete` on Windows and
|
||
Linux.
|
||
- GPU-accelerated Canvas2D is enabled by default on macOS and
|
||
Linux.
|
||
- WebGL performance improvement on Windows, MacOS and Linux.
|
||
- Enables overlay of hardware-decoded video with non-Intel
|
||
GPUs on Windows 10/11, improving video playback performance
|
||
and video scaling quality.
|
||
- Windows native notifications are now enabled.
|
||
- Firefox Relay users can now opt-in to create Relay email
|
||
masks directly from the Firefox credential manager. You must
|
||
be signed in with your Firefox Account.
|
||
- We’ve added two new locales: Silhe Friulian (fur) and
|
||
Sardinian (sc).
|
||
- Right-clicking on password fields now shows an option to
|
||
reveal the password.
|
||
- Private windows and ETP set to strict will now include
|
||
email tracking protection. This will make it harder for email
|
||
trackers to learn the browsing habits of Firefox users. You
|
||
can check the Tracking Content in the sub-panel on the shield
|
||
icon panel.
|
||
- The deprecated U2F Javascript API is now disabled by
|
||
default. The U2F protocol remains usable through the WebAuthn
|
||
API. The U2F API can be re-enabled using the
|
||
`security.webauth.u2f` preference.
|
||
- Say hello to enhanced Picture-in-Picture! Rewind, check
|
||
video duration, and effortlessly switch to full-screen mode
|
||
on the web's most popular video websites.
|
||
- Firefox's address bar is already a great place to search
|
||
for what you're looking for. Now you'll always be able to see
|
||
your web search terms and refine them while viewing your
|
||
search's results - no additional scrolling needed! Also, a
|
||
new result menu has been added making it easier to remove
|
||
history results and dismiss sponsored Firefox Suggest
|
||
entries.
|
||
- Private windows now protect users even better by blocking
|
||
third-party cookies and storage of content trackers.
|
||
- Passwords automatically generated by Firefox now include
|
||
special characters, giving users more secure passwords by
|
||
default.
|
||
- Firefox 115 introduces a redesigned accessibility engine
|
||
which significantly improves the speed, responsiveness, and
|
||
stability of Firefox when used with:
|
||
- Screen readers, as well as certain other accessibility
|
||
software;
|
||
- East Asian input methods;
|
||
- Enterprise single sign-on software; and
|
||
- Other applications which use accessibility frameworks to
|
||
access information.
|
||
- Firefox 115 now supports AV1 Image Format files containing
|
||
animations (AVIS), improving support for AVIF images across
|
||
the web.
|
||
- The Windows GPU sandbox first shipped in the Firefox 110
|
||
release has been tightened to enhance the security benefits
|
||
it provides.
|
||
- A 13-year-old feature request was fulfilled and Firefox now
|
||
supports files being drag-and-dropped directly from Microsoft
|
||
Outlook. A special thanks to volunteer contributor Marco
|
||
Spiess for helping to get this across the finish line!
|
||
- Users on macOS can now access the Services sub-menu
|
||
directly from Firefox context menus.
|
||
- On Windows, the elastic overscroll effect has been enabled
|
||
by default. When two-finger scrolling on the touchpad or
|
||
scrolling on the touchscreen, you will now see a bouncing
|
||
animation when scrolling past the edge of a scroll container.
|
||
- Firefox is now available in the Tajik (tg) language.
|
||
- Added UI to manage the DNS over HTTPS exception list.
|
||
- Bookmarks can now be searched from the Bookmarks menu. The
|
||
Bookmarks menu is accessible by adding the Bookmarks menu
|
||
button to the toolbar.
|
||
- Restrict searches to your local browsing history by
|
||
selecting Search history from the History, Library or
|
||
Application menu buttons.
|
||
- Mac users can now capture video from their cameras in all
|
||
supported native resolutions. This enables resolutions higher
|
||
than 1280x720.
|
||
- It is now possible to reorder the extensions listed in the
|
||
extensions panel.
|
||
- Users on macOS, Linux, and Windows 7 can now use FIDO2 /
|
||
WebAuthn authenticators over USB. Some advanced features,
|
||
such as fully passwordless logins, require a PIN to be set on
|
||
the authenticator.
|
||
- Pocket Recommended content can now be seen in France,
|
||
Italy, and Spain.
|
||
- DNS over HTTPS settings are now part of the Privacy &
|
||
Security section of the Settings page and allow the user to
|
||
choose from all the supported modes.
|
||
- Migrating from another browser? Now you can bring over
|
||
payment methods you've saved in Chrome-based browsers to
|
||
Firefox.
|
||
- Hardware video decoding enabled for Intel GPUs on Linux.
|
||
- The Tab Manager dropdown now features close buttons, so you
|
||
can close tabs more quickly.
|
||
- Windows Magnifier now follows the text cursor correctly
|
||
when the Firefox title bar is visible.
|
||
- Undo and redo are now available in Password fields.
|
||
[1]:https://support.mozilla.org/kb/access-toolbar-functions-
|
||
using-keyboard?_gl=1*16it7nj*_ga*MTEzNjg4MjY5NC4xNjQ1MjAxMDU3
|
||
*_ga_MQ7767QQQW*MTY1Njk2MzExMS43LjEuMTY1Njk2MzIzMy4w
|
||
[2]:https://support.mozilla.org/kb/how-set-tab-pickup-
|
||
firefox-view
|
||
[3]:https://support.mozilla.org/kb/task-manager-tabs-or-
|
||
extensions-are-slowing-firefox
|
||
[4]:https://blog.mozilla.org/addons/2022/11/17/manifest-v3-
|
||
signing-available-november-21-on-firefox-nightly/
|
||
[5]:https://blog.mozilla.org/addons/2022/05/18/manifest-v3-
|
||
in-firefox-recap-next-steps/
|
||
[6]:https://support.mozilla.org/kb/unified-extensions
|
||
[7]:https://support.mozilla.org/kb/import-data-another-
|
||
browser
|
||
[8]:https://support.mozilla.org/kb/identify-problems-third-
|
||
party-modules-firefox-windows
|
||
[9]:https://support.mozilla.org/kb/how-generate-secure-
|
||
password-firefox
|
||
[10]:https://blog.mozilla.org/accessibility/firefox-113-
|
||
accessibility-performance/
|
||
* Fixed: Various security fixes.
|
||
MFSA 2023-22 (bsc#1212438)
|
||
* CVE-2023-3482 (bmo#1839464)
|
||
Block all cookies bypass for localstorage
|
||
* CVE-2023-37201 (bmo#1826002)
|
||
Use-after-free in WebRTC certificate generation
|
||
* CVE-2023-37202 (bmo#1834711)
|
||
Potential use-after-free from compartment mismatch in
|
||
SpiderMonkey
|
||
* CVE-2023-37203 (bmo#291640)
|
||
Drag and Drop API may provide access to local system files
|
||
* CVE-2023-37204 (bmo#1832195)
|
||
Fullscreen notification obscured via option element
|
||
* CVE-2023-37205 (bmo#1704420)
|
||
URL spoofing in address bar using RTL characters
|
||
* CVE-2023-37206 (bmo#1813299)
|
||
Insufficient validation of symlinks in the FileSystem API
|
||
* CVE-2023-37207 (bmo#1816287)
|
||
Fullscreen notification obscured
|
||
* CVE-2023-37208 (bmo#1837675)
|
||
Lack of warning when opening Diagcab files
|
||
* CVE-2023-37209 (bmo#1837993)
|
||
Use-after-free in `NotifyOnHistoryReload`
|
||
* CVE-2023-37210 (bmo#1821886)
|
||
Full-screen mode exit prevention
|
||
* CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886,
|
||
bmo#1836550, bmo#1837450)
|
||
Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
|
||
and Thunderbird 102.13
|
||
* CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206,
|
||
bmo#1827076, bmo#1828690, bmo#1833503, bmo#1835710,
|
||
bmo#1838587)
|
||
Memory safety bugs fixed in Firefox 115
|
||
- Remove obsolete patches mozilla-bmo1568145.patch, mozilla-bmo1005535.patch,
|
||
mozilla-s390x-skia-gradient.patch
|
||
- Add mozilla-bmo1838323.patch to fix potential SIGILL on old CPUs
|
||
(bsc#1212101)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 1 14:17:20 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.12.0 ESR
|
||
* Fixed: Various security fixes and other quality
|
||
improvements.
|
||
MFSA 2023-19 (bsc#1211922)
|
||
* CVE-2023-34414 (bmo#1695986)
|
||
Click-jacking certificate exceptions through rendering lag
|
||
* CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875,
|
||
bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190,
|
||
bmo#1830206, bmo#1830795, bmo#1833339)
|
||
Memory safety bugs fixed in Firefox 114 and Firefox ESR
|
||
102.12
|
||
- update keyring
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 8 06:47:28 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.11.0 ESR
|
||
* Fixed: Various security fixes and other quality improvements.
|
||
MFSA 2023-17 (bsc#1211175)
|
||
* CVE-2023-32205 (bmo#1753339, bmo#1753341)
|
||
Browser prompts could have been obscured by popups
|
||
* CVE-2023-32206 (bmo#1824892)
|
||
Crash in RLBox Expat driver
|
||
* CVE-2023-32207 (bmo#1826116)
|
||
Potential permissions request bypass via clickjacking
|
||
* CVE-2023-32211 (bmo#1823379)
|
||
Content process crash due to invalid wasm code
|
||
* CVE-2023-32212 (bmo#1826622)
|
||
Potential spoof due to obscured address bar
|
||
* CVE-2023-32213 (bmo#1826666)
|
||
Potential memory corruption in FileReader::DoReadData()
|
||
* CVE-2023-32214 (bmo#1828716)
|
||
Potential DoS via exposed protocol handlers
|
||
* CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856,
|
||
bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024,
|
||
bmo#1827144, bmo#1827359, bmo#1830186)
|
||
Memory safety bugs fixed in Firefox 113 and Firefox ESR
|
||
102.11
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Apr 6 09:43:24 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.10.0 ESR
|
||
* Fixed: Various security fixes.
|
||
MFSA 2023-14 (bsc#1210212)
|
||
* CVE-2023-29531 (bmo#1794292)
|
||
Out-of-bound memory access in WebGL on macOS
|
||
* CVE-2023-29532 (bmo#1806394)
|
||
Mozilla Maintenance Service Write-lock bypass
|
||
* CVE-2023-29533 (bmo#1798219, bmo#1814597)
|
||
Fullscreen notification obscured
|
||
* CVE-2023-1999 (bmo#1819244)
|
||
Double-free in libwebp
|
||
* CVE-2023-29535 (bmo#1820543)
|
||
Potential Memory Corruption following Garbage Collector
|
||
compaction
|
||
* CVE-2023-29536 (bmo#1821959)
|
||
Invalid free from JavaScript code
|
||
* CVE-2023-29539 (bmo#1784348)
|
||
Content-Disposition filename truncation leads to Reflected
|
||
File Download
|
||
* CVE-2023-29541 (bmo#1810191)
|
||
Files with malicious extensions could have been downloaded
|
||
unsafely on Linux
|
||
* CVE-2023-29542 (bmo#1810793, bmo#1815062)
|
||
Bypass of file download extension restrictions
|
||
* CVE-2023-29545 (bmo#1823077)
|
||
Windows Save As dialog resolved environment variables
|
||
* CVE-2023-1945 (bmo#1777588)
|
||
Memory Corruption in Safe Browsing Code
|
||
* CVE-2023-29548 (bmo#1822754)
|
||
Incorrect optimization result on ARM64
|
||
* CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498,
|
||
bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493,
|
||
bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413,
|
||
bmo#1824828)
|
||
Memory safety bugs fixed in Firefox 112 and Firefox ESR
|
||
102.10
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Mar 12 09:53:24 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.9.0 ESR
|
||
* Fixed: Various security fixes.
|
||
MFSA 2023-10 (bsc#1209173)
|
||
* CVE-2023-25751 (bmo#1814899)
|
||
Incorrect code generation during JIT compilation
|
||
* CVE-2023-28164 (bmo#1809122)
|
||
URL being dragged from a removed cross-origin iframe into the
|
||
same tab triggered navigation
|
||
* CVE-2023-28162 (bmo#1811327)
|
||
Invalid downcast in Worklets
|
||
* CVE-2023-25752 (bmo#1811627)
|
||
Potential out-of-bounds when accessing throttled streams
|
||
* CVE-2023-28163 (bmo#1817768)
|
||
Windows Save As dialog resolved environment variables
|
||
* CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904,
|
||
bmo#1817442, bmo#1818674)
|
||
Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 10 13:25:10 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.8.0 ESR
|
||
* Fixed: Various security fixes.
|
||
MFSA 2023-06 (bsc#1208144)
|
||
* CVE-2023-25728 (bmo#1790345)
|
||
Content security policy leak in violation reports using
|
||
iframes
|
||
* CVE-2023-25730 (bmo#1794622)
|
||
Screen hijack via browser fullscreen mode
|
||
* CVE-2023-25743 (bmo#1800203)
|
||
Fullscreen notification not shown in Firefox Focus
|
||
* CVE-2023-0767 (bmo#1804640)
|
||
Arbitrary memory write via PKCS 12 in NSS
|
||
* CVE-2023-25735 (bmo#1810711)
|
||
Potential use-after-free from compartment mismatch in
|
||
SpiderMonkey
|
||
* CVE-2023-25737 (bmo#1811464)
|
||
Invalid downcast in SVGUtils::SetupStrokeGeometry
|
||
* CVE-2023-25738 (bmo#1811852)
|
||
Printing on Windows could potentially crash Firefox with some
|
||
device drivers
|
||
* CVE-2023-25739 (bmo#1811939)
|
||
Use-after-free in
|
||
mozilla::dom::ScriptLoadContext::~ScriptLoadContext
|
||
* CVE-2023-25729 (bmo#1792138)
|
||
Extensions could have opened external schemes without user
|
||
knowledge
|
||
* CVE-2023-25732 (bmo#1804564)
|
||
Out of bounds memory write from EncodeInputStream
|
||
* CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143,
|
||
bmo#1812338)
|
||
Opening local .url files could cause unexpected network loads
|
||
* CVE-2023-25742 (bmo#1813424)
|
||
Web Crypto ImportKey crashes tab
|
||
* CVE-2023-25744 (bmo#1789449, bmo#1803628, bmo#1810536)
|
||
Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8
|
||
* CVE-2023-25746 (bmo#1544127, bmo#1762368)
|
||
Memory safety bugs fixed in Firefox ESR 102.8
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 13 08:16:03 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.7.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2023-02 (bsc#1207119)
|
||
* CVE-2022-46871 (bmo#1795697)
|
||
libusrsctp library out of date
|
||
* CVE-2023-23598 (bmo#1800425)
|
||
Arbitrary file read from GTK drag and drop on Linux
|
||
* CVE-2023-23599 (bmo#1777800)
|
||
Malicious command could be hidden in devtools output on
|
||
Windows
|
||
* CVE-2023-23601 (bmo#1794268)
|
||
URL being dragged from cross-origin iframe into same tab
|
||
triggers navigation
|
||
* CVE-2023-23602 (bmo#1800890)
|
||
Content Security Policy wasn't being correctly applied to
|
||
WebSockets in WebWorkers
|
||
* CVE-2022-46877 (bmo#1795139)
|
||
Fullscreen notification bypass
|
||
* CVE-2023-23603 (bmo#1800832)
|
||
Calls to <code>console.log</code> allowed bypasing Content
|
||
Security Policy via format directive
|
||
* CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
|
||
Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 8 15:54:04 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.6.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-52 (bsc#1206242)
|
||
* CVE-2022-46880 (bmo#1749292)
|
||
Use-after-free in WebGL
|
||
* CVE-2022-46872 (bmo#1799156)
|
||
Arbitrary file read from a compromised content process
|
||
* CVE-2022-46881 (bmo#1770930)
|
||
Memory corruption in WebGL
|
||
* CVE-2022-46874 (bmo#1746139)
|
||
Drag and Dropped Filenames could have been truncated to
|
||
malicious extensions
|
||
* CVE-2022-46875 (bmo#1786188)
|
||
Download Protections were bypassed by .atloc and .ftploc
|
||
files on Mac OS
|
||
* CVE-2022-46882 (bmo#1789371)
|
||
Use-after-free in WebGL
|
||
* CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
|
||
bmo#1801102, bmo#1801315, bmo#1802395)
|
||
Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 10 07:30:37 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.5.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-48 (bsc#1205270)
|
||
* CVE-2022-45403 (bmo#1762078)
|
||
Service Workers might have learned size of cross-origin media
|
||
files
|
||
* CVE-2022-45404 (bmo#1790815)
|
||
Fullscreen notification bypass
|
||
* CVE-2022-45405 (bmo#1791314)
|
||
Use-after-free in InputStream implementation
|
||
* CVE-2022-45406 (bmo#1791975)
|
||
Use-after-free of a JavaScript Realm
|
||
* CVE-2022-45408 (bmo#1793829)
|
||
Fullscreen notification bypass via windowName
|
||
* CVE-2022-45409 (bmo#1796901)
|
||
Use-after-free in Garbage Collection
|
||
* CVE-2022-45410 (bmo#1658869)
|
||
ServiceWorker-intercepted requests bypassed SameSite cookie
|
||
policy
|
||
* CVE-2022-45411 (bmo#1790311)
|
||
Cross-Site Tracing was possible via non-standard override
|
||
headers
|
||
* CVE-2022-45412 (bmo#1791029)
|
||
Symlinks may resolve to partially uninitialized buffers
|
||
* CVE-2022-45416 (bmo#1793676)
|
||
Keystroke Side-Channel Leakage
|
||
* CVE-2022-45418 (bmo#1795815)
|
||
Custom mouse cursor could have been drawn over browser UI
|
||
* CVE-2022-45420 (bmo#1792643)
|
||
Iframe contents could be rendered outside the iframe
|
||
* CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
|
||
Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 18 09:00:08 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.4.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-45 (bsc#1204421)
|
||
* CVE-2022-42927 (bmo#1789128)
|
||
Same-origin policy violation could have leaked cross-origin
|
||
URLs
|
||
* CVE-2022-42928 (bmo#1791520)
|
||
Memory Corruption in JS Engine
|
||
* CVE-2022-42929 (bmo#1789439)
|
||
Denial of Service via window.print
|
||
* CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)
|
||
Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4
|
||
- Added mozilla-partial-revert-1768632.patch to fix build on i586
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 16 07:47:11 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 102.3.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-40 (bsc#1203477)
|
||
* CVE-2022-3266 (bmo#1767360)
|
||
Out of bounds read when decoding H264
|
||
* CVE-2022-40959 (bmo#1782211)
|
||
Bypassing FeaturePolicy restrictions on transient pages
|
||
* CVE-2022-40960 (bmo#1787633)
|
||
Data-race when parsing non-UTF-8 URLs in threads
|
||
* CVE-2022-40958 (bmo#1779993)
|
||
Bypassing Secure Context restriction for cookies with __Host
|
||
and __Secure prefix
|
||
* CVE-2022-40956 (bmo#1770094)
|
||
Content-Security-Policy base-uri bypass
|
||
* CVE-2022-40957 (bmo#1777604)
|
||
Incoherent instruction cache when building WASM on ARM64
|
||
* CVE-2022-40962 (bmo#1776655, bmo#1777574, bmo#1784835,
|
||
bmo#1785109, bmo#1786502, bmo#1789440)
|
||
Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3
|
||
- Rebase mozilla-silence-no-return-type.patch to apply with fuzz=0
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 24 11:52:13 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox 102.2.0esr ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-34 (bsc#1202645)
|
||
* CVE-2022-38472 (bmo#1769155)
|
||
Address bar spoofing via XSLT error handling
|
||
* CVE-2022-38473 (bmo#1771685)
|
||
Cross-origin XSLT Documents would have inherited the parent's
|
||
permissions
|
||
* CVE-2022-38476 (bmo#1760998)
|
||
Data race and potential use-after-free in PK11_ChangePW
|
||
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159,
|
||
bmo#1773363)
|
||
Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
|
||
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
|
||
Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
|
||
and Firefox ESR 91.13
|
||
|
||
- Add mozilla-bmo1775202.patch to fix build on ppc64le
|
||
|
||
- Firefox Extended Support Release 102.1 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-30 (bsc#1201758)
|
||
* CVE-2022-36319 (bmo#1737722)
|
||
Mouse Position spoofing with CSS transforms
|
||
* CVE-2022-36318 (bmo#1771774)
|
||
Directory indexes for bundled resources reflected URL
|
||
parameters
|
||
* CVE-2022-36314 (bmo#1773894)
|
||
Opening local <code>.lnk</code> files could cause unexpected
|
||
network loads
|
||
* CVE-2022-2505 (bmo#1769739, bmo#1772824)
|
||
Memory safety bugs fixed in Firefox 103 and 102.1
|
||
|
||
- Firefox Extended Support Release 102.0.1 ESR
|
||
* Fixed: Fixed bookmark shortcut creation by dragging to
|
||
Windows File Explorer and dropping partially broken
|
||
(bmo#1774683)
|
||
* Fixed: Fixed bookmarks sidebar flashing white when opened in
|
||
dark mode (bmo#1776157)
|
||
* Fixed: Fixed multilingual spell checking not working with
|
||
content in both English and a non-Latin alphabet
|
||
(bmo#1773802)
|
||
* Fixed: Developer tools: Fixed an issue where the console
|
||
output keep getting scrolled to the bottom when the last
|
||
visible message is an evaluation result (bmo#1776262)
|
||
* Fixed: Fixed *Delete cookies and site data when Firefox is
|
||
closed* checkbox getting disabled on startup (bmo#1777419)
|
||
* Fixed: Various stability fixes
|
||
|
||
- Firefox 102.0 ESR
|
||
* New:
|
||
- We now provide more secure connections: Firefox can
|
||
now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc
|
||
headers.
|
||
- For added viewing pleasure, full-range color levels are now
|
||
supported for video playback on many systems.
|
||
- Find it easier now! Mac users can now access the macOS
|
||
share options from the Firefox File menu.
|
||
- Voilà! Support for images containing ICC v4 profiles is
|
||
enabled on macOS.
|
||
- Firefox now supports the new AVIF image format, which is
|
||
based on the modern and royalty-free AV1 video codec. It
|
||
offers significant bandwidth savings for sites compared to
|
||
existing image formats. It also supports transparency and
|
||
other advanced features.
|
||
- Firefox PDF viewer now supports filling more forms (e.g.,
|
||
XFA-based forms, used by multiple governments and banks).
|
||
Learn more.
|
||
- When available system memory is critically low, Firefox on
|
||
Windows will automatically unload tabs based on their last
|
||
access time, memory usage, and other attributes. This helps
|
||
to reduce Firefox out-of-memory crashes. Forgot something?
|
||
Switching to an unloaded tab automatically reloads it.
|
||
- To prevent session loss for macOS users who are running
|
||
Firefox from a mounted .dmg file, they’ll now be prompted to
|
||
finish installation. Bear in mind, this permission prompt
|
||
only appears the first time these users run Firefox on their
|
||
computer.
|
||
- For your safety, Firefox now blocks downloads that rely on
|
||
insecure connections, protecting against potentially
|
||
malicious or unsafe downloads. Learn more and see where to
|
||
find downloads in Firefox.
|
||
- Improved web compatibility for privacy protections with
|
||
SmartBlock 3.0: In Private Browsing and Strict Tracking
|
||
Protection, Firefox goes to great lengths to protect your web
|
||
browsing activity from trackers. As part of this, the built-
|
||
in content blocking will automatically block third-party
|
||
scripts, images, and other content from being loaded from
|
||
cross-site tracking companies reported by Disconnect. Learn
|
||
more.
|
||
- Introducing a new referrer tracking protection in Strict
|
||
Tracking Protection and Private Browsing. This feature
|
||
prevents sites from unknowingly leaking private information
|
||
to trackers. Learn more.
|
||
- Introducing Firefox Suggest, a feature that provides
|
||
website suggestions as you type into the address bar. Learn
|
||
more about this faster way to navigate the web and locale-
|
||
specific features.
|
||
- Firefox macOS now uses Apple's low-power mode for
|
||
fullscreen video on sites such as YouTube and Twitch. This
|
||
meaningfully extends battery life in long viewing sessions.
|
||
Now your kids can find out what the fox says on a loop
|
||
without you ever missing a beat…
|
||
- With this release, power users can use about:unloads to
|
||
release system resources by manually unloading tabs without
|
||
closing them.
|
||
- On Windows, there will now be fewer interruptions because
|
||
Firefox won’t prompt you for updates. Instead, a background
|
||
agent will download and install updates even if Firefox is
|
||
closed.
|
||
- On Linux, we’ve improved WebGL performance and reduced
|
||
power consumption for many users.
|
||
- To better protect all Firefox users against side-channel
|
||
attacks, such as Spectre, we introduced Site Isolation.
|
||
- Firefox no longer warns you by default when you exit the
|
||
browser or close a window using a menu, button, or three-key
|
||
command. This should cut back on unwelcome notifications,
|
||
which is always nice—however, if you prefer a bit of notice,
|
||
you’ll still have full control over the quit/close modal
|
||
behavior. All warnings can be managed within Firefox
|
||
Settings. No worries! More details here.
|
||
- Firefox supports the new Snap Layouts menus when running on
|
||
Windows 11.
|
||
- RLBox—a new technology that hardens Firefox against
|
||
potential security vulnerabilities in third-party
|
||
libraries—is now enabled on all platforms.
|
||
- We’ve reduced CPU usage on macOS in Firefox and
|
||
WindowServer during event processing.
|
||
- We’ve also reduced the power usage of software decoded
|
||
video on macOS, especially in fullscreen. This includes
|
||
streaming sites such as Netflix and Amazon Prime Video.
|
||
- You can now move the Picture-in-Picture toggle button to
|
||
the opposite side of the video. Simply look for the new
|
||
context menu option Move Picture-in-Picture Toggle to Left
|
||
(Right) Side.
|
||
- We’ve made significant improvements in noise suppression
|
||
and auto-gain-control, as well as slight improvements in
|
||
echo-cancellation to provide you with a better overall
|
||
experience.
|
||
- We’ve also significantly reduced main-thread load.
|
||
- When printing, you can now choose to print only the
|
||
odd/even pages.
|
||
- Firefox now supports and displays the new style of
|
||
scrollbars on Windows 11.
|
||
- Firefox has a new optimized download flow. Instead of
|
||
prompting every time, files will download automatically.
|
||
However, they can still be opened from the downloads panel
|
||
with just one click. Easy! More information
|
||
- Firefox no longer asks what to do for each file by default.
|
||
You won’t be prompted to choose a helper application or save
|
||
to disk before downloading a file unless you have changed
|
||
your download action setting for that type of file.
|
||
- Any files you download will be immediately saved on your
|
||
disk. Depending on the current configuration, they’ll be
|
||
saved in your preferred download folder, or you’ll be asked
|
||
to select a location for each download. Windows and Linux
|
||
users will find their downloaded files in the destination
|
||
folder. They’ll no longer be put in the Temp folder.
|
||
- Firefox allows users to choose from a number of built-in
|
||
search engines to set as their default. In this release, some
|
||
users who had previously configured a default engine might
|
||
notice their default search engine has changed since Mozilla
|
||
was unable to secure formal permission to continue including
|
||
certain search engines in Firefox.
|
||
- You can now toggle Narrate in ReaderMode with the keyboard
|
||
shortcut "n."
|
||
- You can find added support for search—with or without
|
||
diacritics—in the PDF viewer.
|
||
- The Linux sandbox has been strengthened: processes exposed
|
||
to web content no longer have access to the X Window system
|
||
(X11).
|
||
- Firefox now supports credit card autofill and capture in
|
||
Germany, France, and the United Kingdom.
|
||
- We now support captions/subtitles display on YouTube, Prime
|
||
Video, and Netflix videos you watch in Picture-in-Picture.
|
||
Just turn on the subtitles on the in-page video player, and
|
||
they will appear in PiP.
|
||
- Picture-in-Picture now also supports video captions on
|
||
websites that use Web Video Text Track (WebVTT) format (e.g.,
|
||
Coursera.org, Canadian Broadcasting Corporation, and many
|
||
more).
|
||
- On the first run after install, Firefox detects when its
|
||
language does not match the operating system language and
|
||
offers the user a choice between the two languages.
|
||
- Firefox spell checking now checks spelling in multiple
|
||
languages. To enable additional languages, select them in the
|
||
text field’s context menu.
|
||
- HDR video is now supported in Firefox on Mac—starting with
|
||
YouTube! Firefox users on macOS 11+ (with HDR-compatible
|
||
screens) can enjoy higher-fidelity video content. No need to
|
||
manually flip any preferences to turn HDR video support
|
||
on—just make sure battery preferences are NOT set to
|
||
“optimize video streaming while on battery”.
|
||
- Hardware-accelerated AV1 video decoding is enabled on
|
||
Windows with supported GPUs (Intel Gen 11+, AMD RDNA 2
|
||
Excluding Navi 24, GeForce 30). Installing the AV1 Video
|
||
Extension from the Microsoft Store may also be required.
|
||
- Video overlay is enabled on Windows for Intel GPUs,
|
||
reducing power usage during video playback.
|
||
- Improved fairness between painting and handling other
|
||
events. This noticeably improves the performance of the
|
||
volume slider on Twitch.
|
||
- Scrollbars on Linux and Windows 11 won't take space by
|
||
default. On Linux, users can change this in Settings. On
|
||
Windows, Firefox follows the system setting (System Settings
|
||
> Accessibility > Visual Effects > Always show scrollbars).
|
||
- Firefox now ignores less restricted referrer
|
||
policies—including unsafe-url, no-referrer-when-downgrade,
|
||
and origin-when-cross-origin—for cross-site
|
||
subresource/iframe requests to prevent privacy leaks from the
|
||
referrer.
|
||
- Reading is now easier with the prefers-contrast media
|
||
query, which allows sites to detect if the user has requested
|
||
that web content is presented with a higher (or lower)
|
||
contrast.
|
||
- All non-configured MIME types can now be assigned a custom
|
||
action upon download completion.
|
||
- Firefox now allows users to use as many microphones as they
|
||
want, at the same time, during video conferencing. The most
|
||
exciting benefit is that you can easily switch your
|
||
microphones at any time (if your conferencing service
|
||
provider enables this flexibility).
|
||
- Print preview has been updated.
|
||
* Fixed: Various security fixes.
|
||
MFSA 2022-24 (bsc#1200793)
|
||
* CVE-2022-34479 (bmo#1745595)
|
||
A popup window could be resized in a way to overlay the
|
||
address bar with web content
|
||
* CVE-2022-34470 (bmo#1765951)
|
||
Use-after-free in nsSHistory
|
||
* CVE-2022-34468 (bmo#1768537)
|
||
CSP sandbox header without `allow-scripts` can be bypassed
|
||
via retargeted javascript: URI
|
||
* CVE-2022-34482 (bmo#845880)
|
||
Drag and drop of malicious image could have led to malicious
|
||
executable and potential code execution
|
||
* CVE-2022-34483 (bmo#1335845)
|
||
Drag and drop of malicious image could have led to malicious
|
||
executable and potential code execution
|
||
* CVE-2022-34476 (bmo#1387919)
|
||
ASN.1 parser could have been tricked into accepting malformed
|
||
ASN.1
|
||
* CVE-2022-34481 (bmo#1483699, bmo#1497246)
|
||
Potential integer overflow in ReplaceElementsAt
|
||
* CVE-2022-34474 (bmo#1677138)
|
||
Sandboxed iframes could redirect to external schemes
|
||
* CVE-2022-34469 (bmo#1721220)
|
||
TLS certificate errors on HSTS-protected domains could be
|
||
bypassed by the user on Firefox for Android
|
||
* CVE-2022-34471 (bmo#1766047)
|
||
Compromised server could trick a browser into an addon
|
||
downgrade
|
||
* CVE-2022-34472 (bmo#1770123)
|
||
Unavailable PAC file resulted in OCSP requests being blocked
|
||
* CVE-2022-34478 (bmo#1773717)
|
||
Microsoft protocols can be attacked if a user accepts a
|
||
prompt
|
||
* CVE-2022-2200 (bmo#1771381)
|
||
Undesired attributes could be set as part of prototype
|
||
pollution
|
||
* CVE-2022-34480 (bmo#1454072)
|
||
Free of uninitialized pointer in lg_init
|
||
* CVE-2022-34477 (bmo#1731614)
|
||
MediaError message property leaked information on cross-
|
||
origin same-site pages
|
||
* CVE-2022-34475 (bmo#1757210)
|
||
HTML Sanitizer could have been bypassed via same-origin
|
||
script via use tags
|
||
* CVE-2022-34473 (bmo#1770888)
|
||
HTML Sanitizer could have been bypassed via use tags
|
||
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
|
||
Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
|
||
* CVE-2022-34485 (bmo#1768409, bmo#1768578)
|
||
Memory safety bugs fixed in Firefox 102
|
||
- Add patch one_swizzle_to_rule_them_all.patch to fix big endian
|
||
platforms and remove old patches for this:
|
||
mozilla-bmo1626236.patch, mozilla-bmo1602730.patch,
|
||
mozilla-bmo1504834-part2.patch, mozilla-bmo1504834-part4.patch
|
||
- Rename and rebase firefox-i586-conflict-typedef-error.patch
|
||
to mozilla-bmo531915.patch
|
||
- Remove upstreamed mozilla-sandbox-fips.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 23 17:58:50 UTC 2022 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.13.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-35 (bsc#1202645)
|
||
* CVE-2022-38472 (bmo#1769155)
|
||
Address bar spoofing via XSLT error handling
|
||
* CVE-2022-38473 (bmo#1771685)
|
||
Cross-origin XSLT Documents would have inherited the parent's
|
||
permissions
|
||
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
|
||
Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
|
||
and Firefox ESR 91.13
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 21 12:01:56 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.12.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-29 (bsc#1201758)
|
||
* CVE-2022-36319 (bmo#1737722)
|
||
Mouse Position spoofing with CSS transforms
|
||
* CVE-2022-36318 (bmo#1771774)
|
||
Directory indexes for bundled resources reflected URL
|
||
parameters
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 22 08:37:51 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.11.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-25 (bsc#1200793)
|
||
* CVE-2022-34479 (bmo#1745595)
|
||
A popup window could be resized in a way to overlay the
|
||
address bar with web content
|
||
* CVE-2022-34470 (bmo#1765951)
|
||
Use-after-free in nsSHistory
|
||
* CVE-2022-34468 (bmo#1768537)
|
||
CSP sandbox header without `allow-scripts` can be bypassed
|
||
via retargeted javascript: URI
|
||
* CVE-2022-34481 (bmo#1497246)
|
||
Potential integer overflow in ReplaceElementsAt
|
||
* CVE-2022-31744 (bmo#1757604)
|
||
CSP bypass enabling stylesheet injection
|
||
* CVE-2022-34472 (bmo#1770123)
|
||
Unavailable PAC file resulted in OCSP requests being blocked
|
||
* CVE-2022-34478 (bmo#1773717)
|
||
Microsoft protocols can be attacked if a user accepts a
|
||
prompt
|
||
* CVE-2022-2200 (bmo#1771381)
|
||
Undesired attributes could be set as part of prototype
|
||
pollution
|
||
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
|
||
Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 30 12:04:13 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.10.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes.
|
||
MFSA 2022-21 (bsc#1200027)
|
||
* CVE-2022-31736 (bmo#1735923)
|
||
Cross-Origin resource's length leaked
|
||
* CVE-2022-31737 (bmo#1743767)
|
||
Heap buffer overflow in WebGL
|
||
* CVE-2022-31738 (bmo#1756388)
|
||
Browser window spoof using fullscreen mode
|
||
* CVE-2022-31739 (bmo#1765049)
|
||
Attacker-influenced path traversal when saving downloaded
|
||
files
|
||
* CVE-2022-31740 (bmo#1766806)
|
||
Register allocation problem in WASM on arm64
|
||
* CVE-2022-31741 (bmo#1767590)
|
||
Uninitialized variable leads to invalid memory read
|
||
* CVE-2022-31742 (bmo#1730434)
|
||
Querying a WebAuthn token with a large number of
|
||
allowCredential entries may have leaked cross-origin
|
||
information
|
||
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
|
||
bmo#1767365, bmo#1768559, bmo#1768734)
|
||
Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 20 11:38:20 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.9.1 ESR
|
||
* Fixed: Security fix
|
||
MFSA 2022-19 (bsc#1199768)
|
||
* CVE-2022-1802 (bmo#1770137)
|
||
Prototype pollution in Top-Level Await implementation
|
||
* CVE-2022-1529 (bmo#1770048)
|
||
Untrusted input used in JavaScript object indexing, leading
|
||
to prototype pollution
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 27 14:58:19 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.9.0 ESR
|
||
MFSA 2022-17 (bsc#1198970)
|
||
* CVE-2022-29914 (bmo#1746448)
|
||
Fullscreen notification bypass using popups
|
||
* CVE-2022-29909 (bmo#1755081)
|
||
Bypassing permission prompt in nested browsing contexts
|
||
* CVE-2022-29916 (bmo#1760674)
|
||
Leaking browser history with CSS variables
|
||
* CVE-2022-29911 (bmo#1761981)
|
||
iframe Sandbox bypass
|
||
* CVE-2022-29912 (bmo#1692655)
|
||
Reader mode bypassed SameSite cookies
|
||
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
|
||
bmo#1762614, bmo#1762620, bmo#1764778)
|
||
Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 5 14:00:59 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.8.0 ESR
|
||
MFSA 2022-14 (bsc#1197903)
|
||
* CVE-2022-1097 (bmo#1745667)
|
||
Use-after-free in NSSToken objects
|
||
* CVE-2022-28281 (bmo#1755621)
|
||
Out of bounds write due to unexpected WebAuthN Extensions
|
||
* CVE-2022-1196 (bmo#1750679)
|
||
Use-after-free after VR Process destruction
|
||
* CVE-2022-28282 (bmo#1751609)
|
||
Use-after-free in DocumentL10n::TranslateDocument
|
||
* CVE-2022-28285 (bmo#1756957)
|
||
Incorrect AliasSet used in JIT Codegen
|
||
* CVE-2022-28286 (bmo#1735265)
|
||
iframe contents could be rendered outside the border
|
||
* CVE-2022-24713 (bmo#1758509)
|
||
Denial of Service via complex regular expressions
|
||
* CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508,
|
||
bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776)
|
||
Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 30 13:00:06 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Adjust rust dependency for SP3 and later. TW uses always the
|
||
newest version of rust, but we don't, so we can't use the
|
||
rust+cargo notation, which would need both < and >= requirements.
|
||
(bsc#1197698)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 17 09:18:01 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer,
|
||
faster buildhosts, as the others struggle to build FF.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 15 10:23:40 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.7.1 ESR
|
||
* Changed: Yandex and Mail.ru have been removed as optional
|
||
search providers in the drop-down search menu in Firefox.
|
||
If you previously installed a customized version of Firefox
|
||
with Yandex or Mail.ru, offered through partner distribution
|
||
channels, this release removes those customizations,
|
||
including add-ons and default bookmarks. Where applicable,
|
||
your browser will revert back to default settings, as offered
|
||
by Mozilla. All other releases of Firefox remain unaffected
|
||
by the change.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 9 11:35:23 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.7.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2022-10 (bsc#1196900)
|
||
* CVE-2022-26383 (bmo#1742421)
|
||
Browser window spoof using fullscreen mode
|
||
* CVE-2022-26384 (bmo#1744352)
|
||
iframe allow-scripts sandbox bypass
|
||
* CVE-2022-26387 (bmo#1752979)
|
||
Time-of-check time-of-use bug when verifying add-on
|
||
signatures
|
||
* CVE-2022-26381 (bmo#1736243)
|
||
Use-after-free in text reflows
|
||
* CVE-2022-26386 (bmo#1752396)
|
||
Temporary files downloaded to /tmp and accessible by other
|
||
local users
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 7 16:32:11 UTC 2022 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.6.1 ESR
|
||
* Fixed: Security fix
|
||
- Mozilla Firefox ESR 91.6.1
|
||
MFSA 2022-09 (bsc#1196809)
|
||
* CVE-2022-26485 (bmo#1758062)
|
||
Use-after-free in XSLT parameter processing
|
||
* CVE-2022-26486 (bmo#1758070)
|
||
Use-after-free in WebGPU IPC Framework
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 8 14:23:12 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.6.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2022-05 (bsc#1195682)
|
||
* CVE-2022-22753 (bmo#1732435)
|
||
Privilege Escalation to SYSTEM on Windows via Maintenance
|
||
Service
|
||
* CVE-2022-22754 (bmo#1750565)
|
||
Extensions could have bypassed permission confirmation during
|
||
update
|
||
* CVE-2022-22756 (bmo#1317873)
|
||
Drag and dropping an image could have resulted in the dropped
|
||
object being an executable
|
||
* CVE-2022-22759 (bmo#1739957)
|
||
Sandboxed iframes could have executed script if the parent
|
||
appended elements
|
||
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
|
||
Cross-Origin responses could be distinguished between script
|
||
and non-script content-types
|
||
* CVE-2022-22761 (bmo#1745566)
|
||
frame-ancestors Content Security Policy directive was not
|
||
enforced for framed extension pages
|
||
* CVE-2022-22763 (bmo#1740534)
|
||
Script Execution during invalid object state
|
||
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
|
||
bmo#1748210, bmo#1748279)
|
||
Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 27 15:04:55 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.5.1 ESR (bsc#1195230)
|
||
* Fixed: Fixed an issue that allowed unexpected data to be
|
||
submitted in some of our search telemetry (bmo#1752317)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 11 14:46:37 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.5.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2022-03 (bsc#1194547)
|
||
* CVE-2022-22746 (bmo#1735071)
|
||
Calling into reportValidity could have lead to fullscreen
|
||
window spoof
|
||
* CVE-2022-22743 (bmo#1739220)
|
||
Browser window spoof using fullscreen mode
|
||
* CVE-2022-22742 (bmo#1739923)
|
||
Out-of-bounds memory access when inserting text in edit mode
|
||
* CVE-2022-22741 (bmo#1740389)
|
||
Browser window spoof using fullscreen mode
|
||
* CVE-2022-22740 (bmo#1742334)
|
||
Use-after-free of ChannelEventQueue::mOwner
|
||
* CVE-2022-22738 (bmo#1742382)
|
||
Heap-buffer-overflow in blendGaussianBlur
|
||
* CVE-2022-22737 (bmo#1745874)
|
||
Race condition when playing audio files
|
||
* CVE-2021-4140 (bmo#1746720)
|
||
Iframe sandbox bypass with XSLT
|
||
* CVE-2022-22748 (bmo#1705211)
|
||
Spoofed origin on external protocol launch dialog
|
||
* CVE-2022-22745 (bmo#1735856)
|
||
Leaking cross-origin URLs through securitypolicyviolation
|
||
event
|
||
* CVE-2022-22744 (bmo#1737252)
|
||
The 'Copy as curl' feature in DevTools did not fully escape
|
||
website-controlled data, potentially leading to command
|
||
injection
|
||
* CVE-2022-22747 (bmo#1735028)
|
||
Crash when handling empty pkcs7 sequence
|
||
* CVE-2022-22739 (bmo#1744158)
|
||
Missing throttling on external protocol launch dialog
|
||
* CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366,
|
||
bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869,
|
||
bmo#1743221, bmo#1743515, bmo#1745373, bmo#1746011)
|
||
Memory safety bugs fixed in Thunderbird 91.5
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 16 12:43:15 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.4.1 ESR (bsc#1193845)
|
||
* Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING
|
||
error messages when trying to connect to various microsoft.com
|
||
domains (bmo#1745600)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Dec 7 13:37:45 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.4.0 ESR
|
||
* Fixed: Various security fixes
|
||
- Mozilla Firefox ESR 91.4.0
|
||
MFSA 2021-53 (bsc#1193485)
|
||
* CVE-2021-43536 (bmo#1730120)
|
||
URL leakage when navigating while executing asynchronous
|
||
function
|
||
* CVE-2021-43537 (bmo#1738237)
|
||
Heap buffer overflow when using structured clone
|
||
* CVE-2021-43538 (bmo#1739091)
|
||
Missing fullscreen and pointer lock notification when
|
||
requesting both
|
||
* CVE-2021-43539 (bmo#1739683)
|
||
GC rooting failure when calling wasm instance methods
|
||
* CVE-2021-43541 (bmo#1696685)
|
||
External protocol handler parameters were unescaped
|
||
* CVE-2021-43542 (bmo#1723281)
|
||
XMLHttpRequest error codes could have leaked the existence of
|
||
an external protocol handler
|
||
* CVE-2021-43543 (bmo#1738418)
|
||
Bypass of CSP sandbox directive when embedding
|
||
* CVE-2021-43545 (bmo#1720926)
|
||
Denial of Service when using the Location API in a loop
|
||
* CVE-2021-43546 (bmo#1737751)
|
||
Cursor spoofing could overlay user interface when native
|
||
cursor is zoomed
|
||
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
|
||
bmo#1737009, bmo#1739372, bmo#1739421)
|
||
Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 2 20:32:42 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
|
||
|
||
- remove x-scheme-handler/ftp from MozillaFirefox.desktop boo#1193321
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 2 11:48:18 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.3.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2021-49 (bsc#1192250)
|
||
* CVE-2021-38503 (bmo#1729517)
|
||
iframe sandbox rules did not apply to XSLT stylesheets
|
||
* CVE-2021-38504 (bmo#1730156)
|
||
Use-after-free in file picker dialog
|
||
* CVE-2021-38505 (bmo#1730194)
|
||
Windows 10 Cloud Clipboard may have recorded sensitive user
|
||
data
|
||
* CVE-2021-38506 (bmo#1730750)
|
||
Firefox could be coaxed into going into fullscreen mode
|
||
without notification or warning
|
||
* CVE-2021-38507 (bmo#1730935)
|
||
Opportunistic Encryption in HTTP2 could be used to bypass the
|
||
Same-Origin-Policy on services hosted on other ports
|
||
* MOZ-2021-0008 (bmo#1667102)
|
||
Use-after-free in HTTP2 Session object
|
||
* CVE-2021-38508 (bmo#1366818)
|
||
Permission Prompt could be overlaid, resulting in user
|
||
confusion and potential spoofing
|
||
* CVE-2021-38509 (bmo#1718571)
|
||
Javascript alert box could have been spoofed onto an
|
||
arbitrary domain
|
||
* CVE-2021-38510 (bmo#1731779)
|
||
Download Protections were bypassed by .inetloc files on Mac
|
||
OS
|
||
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
|
||
bmo#1735152)
|
||
Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
|
||
- Removed mozilla-bmo1735309.patch which is now upstream
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 20 06:59:40 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Rebase mozilla-sandbox-fips.patch to punch another hole in the
|
||
sandbox containment, to be able to open /proc/sys/crypto/fips_enabled
|
||
from within the newly introduced socket process sandbox.
|
||
This fixes bsc#1191815 and bsc#1190141
|
||
- Add a way to let users overwrite MOZ_ENABLE_WAYLAND
|
||
- Rename mozilla-neqo-fix-fips-crash.patch to mozilla-bmo1735309.patch
|
||
and rebase to the official upstream patch
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 5 12:47:06 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.2.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2021-45 (bsc#1191332)
|
||
* CVE-2021-38496 (bmo#1725335)
|
||
Use-after-free in MessageTask
|
||
* CVE-2021-38497 (bmo#1726621)
|
||
Validation message could have been overlaid on another origin
|
||
* CVE-2021-38498 (bmo#1729642)
|
||
Use-after-free of nsLanguageAtomService object
|
||
* CVE-2021-32810 (bmo#1729813,
|
||
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
|
||
Data race in crossbeam-deque
|
||
* CVE-2021-38500 (bmo#1725854, bmo#1728321)
|
||
Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
|
||
and Firefox ESR 91.2
|
||
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
|
||
Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 1 09:28:03 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Add mozilla-neqo-fix-fips-crash.patch to fix crash in FIPS mode
|
||
(bsc#1190710)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 9 23:27:28 UTC 2021 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Added firefox-i586-conflict-typedef-error.patch
|
||
to fix 32bit i586 compile error
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 8 17:17:15 UTC 2021 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.1.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2021-40 (bsc#1190269, bsc#1190274)
|
||
* CVE-2021-38492 (bmo#1721107)
|
||
Navigating to `mk:` URL scheme could load Internet Explorer
|
||
* CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101,
|
||
bmo#1724107)
|
||
Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
|
||
- Removed mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
|
||
made obsolete by upstream changes.
|
||
- Rebased patches:
|
||
firefox-branded-icons.patch
|
||
firefox-kde.patch
|
||
mozilla-aarch64-startup-crash.patch
|
||
mozilla-bmo1504834-part1.patch
|
||
mozilla-bmo1504834-part4.patch
|
||
mozilla-bmo1512162.patch
|
||
mozilla-bmo1626236.patch
|
||
mozilla-bmo849632.patch
|
||
mozilla-kde.patch
|
||
mozilla-ntlm-full-path.patch
|
||
mozilla-s390-context.patch
|
||
mozilla-sandbox-fips.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 18 06:47:31 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox 91.0.1esr ESR
|
||
* Fixed: Fixed an issue causing buttons on the tab bar to be
|
||
resized when loading certain websites (bug 1704404)
|
||
(bmo#1704404)
|
||
* Fixed: Fixed an issue which caused tabs from private windows
|
||
to be visible in non-private windows when viewing switch-to-
|
||
tab results in the address bar panel (bug 1720369)
|
||
(bmo#1720369)
|
||
* Fixed: Various stability fixes
|
||
* Fixed: Security fix
|
||
MFSA 2021-37 (bsc#1189547)
|
||
* CVE-2021-29991 (bmo#1724896)
|
||
Header Splitting possible with HTTP/3 Responses
|
||
- Re-add mozilla-silence-no-return-type.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 11 02:31:55 UTC 2021 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 91.0 ESR
|
||
* New: Some of the highlights of the new Extended Support
|
||
Release are:
|
||
- A number of user interface changes. For more information,
|
||
see the Firefox 89 release notes.
|
||
- Firefox now supports logging into Microsoft, work, and
|
||
school accounts using Windows single sign-on. Learn more
|
||
- On Windows, updates can now be applied in the background
|
||
while Firefox is not running.
|
||
- Firefox for Windows now offers a new page about:third-party
|
||
to help identify compatibility issues caused by third-party
|
||
applications
|
||
- Version 2 of Firefox's SmartBlock feature further improves
|
||
private browsing. Third party Facebook scripts are blocked to
|
||
prevent you from being tracked, but are now automatically
|
||
loaded "just in time" if you decide to "Log in with Facebook"
|
||
on any website.
|
||
- Enhanced the privacy of the Firefox Browser's Private
|
||
Browsing mode with Total Cookie Protection, which confines
|
||
cookies to the site where they were created, preventing
|
||
companis from using cookies to track your browsing across
|
||
sites. This feature was originally launched in Firefox's ETP
|
||
Strict mode.
|
||
- PDF forms now support JavaScript embedded in PDF files.
|
||
Some PDF forms use JavaScript for validation and other
|
||
interactive features.
|
||
- You'll encounter less website breakage in Private Browsing
|
||
and Strict Enhanced Tracking Protection with SmartBlock,
|
||
which provides stand-in scripts so that websites load
|
||
properly.
|
||
- Improved Print functionality with a cleaner design and
|
||
better integration with your computer's printer settings.
|
||
- Firefox now protects you from supercookies, a type of
|
||
tracker that can stay hidden in your browser and track you
|
||
online, even after you clear cookies. By isolating
|
||
supercookies, Firefox prevents them from tracking your web
|
||
browsing from one site to the next.
|
||
- Firefox now remembers your preferred location for saved
|
||
bookmarks, displays the bookmarks toolbar by default on new
|
||
tabs, and gives you easy access to all of your bookmarks via
|
||
a toolbar folder.
|
||
- Native support for macOS devices built with Apple Silicon
|
||
CPUs brings dramatic performance improvements over the non-
|
||
native build that was shipped in Firefox 83: Firefox launches
|
||
over 2.5 times faster and web apps are now twice as
|
||
responsive (per the SpeedoMeter 2.0 test). If you are on a
|
||
new Apple device, follow these steps to upgrade to the latest
|
||
Firefox.
|
||
- Pinch zooming will now be supported for our users with
|
||
Windows touchscreen devices and touchpads on Mac devices.
|
||
Firefox users may now use pinch to zoom on touch-capable
|
||
devices to zoom in and out of webpages.
|
||
- We’ve improved functionality and design for a number of
|
||
Firefox search features:
|
||
* Selecting a search engine at the bottom of the search
|
||
panel now enters search mode for that engine, allowing you to
|
||
see suggestions (if available) for your search terms. The old
|
||
behavior (immediately performing a search) is available with
|
||
a shift-click.
|
||
* When Firefox autocompletes the URL of one of your search
|
||
engines, you can now search with that engine directly in the
|
||
address bar by selecting the shortcut in the address bar
|
||
results.
|
||
* We’ve added buttons at the bottom of the search panel to
|
||
allow you to search your bookmarks, open tabs, and history.
|
||
- Firefox supports AcroForm, which will allow you to fill in,
|
||
print, and save supported PDF forms and the PDF viewer also
|
||
has a new fresh look.
|
||
- For our users in the US and Canada, Firefox can now save,
|
||
manage, and auto-fill credit card information for you, making
|
||
shopping on Firefox ever more convenient.
|
||
- In addition to our default, dark and light themes, with
|
||
this release, Firefox introduces the Alpenglow theme: a
|
||
colorful appearance for buttons, menus, and windows. You can
|
||
update your Firefox themes under settings or preferences.
|
||
* Changed: Firefox no longer supports Adobe Flash. There is no
|
||
setting available to re-enable Flash support.
|
||
* Enterprise: Various bug fixes and new policies have been
|
||
implemented in the latest version of Firefox. See more
|
||
details in the Firefox for Enterprise 91 Release Notes.
|
||
MFSA 2021-33 (bsc#1188891)
|
||
* CVE-2021-29986 (bmo#1696138)
|
||
Race condition when resolving DNS names could have led to
|
||
memory corruption
|
||
* CVE-2021-29981 (bmo#1707774)
|
||
Live range splitting could have led to conflicting
|
||
assignments in the JIT
|
||
* CVE-2021-29988 (bmo#1717922)
|
||
Memory corruption as a result of incorrect style treatment
|
||
* CVE-2021-29983 (bmo#1719088)
|
||
Firefox for Android could get stuck in fullscreen mode
|
||
* CVE-2021-29984 (bmo#1720031)
|
||
Incorrect instruction reordering during JIT optimization
|
||
* CVE-2021-29980 (bmo#1722204)
|
||
Uninitialized memory in a canvas object could have led to
|
||
memory corruption
|
||
* CVE-2021-29987 (bmo#1716129)
|
||
Users could have been tricked into accepting unwanted
|
||
permissions on Linux
|
||
* CVE-2021-29985 (bmo#1722083)
|
||
Use-after-free media channels
|
||
* CVE-2021-29982 (bmo#1715318)
|
||
Single bit data leak due to incorrect JIT optimization and
|
||
type confusion
|
||
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
|
||
bmo#1719998, bmo#1720568)
|
||
Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
|
||
* CVE-2021-29990 (bmo#1544190, bmo#1716481, bmo#1717778,
|
||
bmo#1719319, bmo#1722073)
|
||
Memory safety bugs fixed in Firefox 91
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 10 12:51:02 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.13.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2021-34 (bsc#1188891)
|
||
* CVE-2021-29986 (bmo#1696138)
|
||
Race condition when resolving DNS names could have led to
|
||
memory corruption
|
||
* CVE-2021-29988 (bmo#1717922)
|
||
Memory corruption as a result of incorrect style treatment
|
||
* CVE-2021-29984 (bmo#1720031)
|
||
Incorrect instruction reordering during JIT optimization
|
||
* CVE-2021-29980 (bmo#1722204)
|
||
Uninitialized memory in a canvas object could have led to
|
||
memory corruption
|
||
* CVE-2021-29985 (bmo#1722083)
|
||
Use-after-free media channels
|
||
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
|
||
bmo#1719998, bmo#1720568)
|
||
Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 15 00:39:52 UTC 2021 - William Brown <william.brown@suse.com>
|
||
|
||
- jsc#SLE-18626 - Migrate rust to parallel versioned packages allowing
|
||
more flexible build requirements to be expressed.
|
||
- Update Firefox to use the 1.43 version of Rust.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 13 13:47:45 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.12.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2021-29 (bsc#1188275)
|
||
* CVE-2021-29970 (bmo#1709976)
|
||
Use-after-free in accessibility features of a document
|
||
* CVE-2021-30547 (bmo#1715766)
|
||
Out of bounds write in ANGLE
|
||
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
|
||
bmo#1711576, bmo#1714391)
|
||
Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 1 12:56:04 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.11.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
- Mozilla Firefox ESR 78.11
|
||
MFSA 2021-24 (bsc#1186696)
|
||
* CVE-2021-29964 (bmo#1706501)
|
||
Out of bounds-read when parsing a `WM_COPYDATA` message
|
||
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
|
||
bmo#1704722, bmo#1706041)
|
||
Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
|
||
- Added the new Mozilla's GPG key, expiring on 2023-05-17 to the
|
||
mozilla.keyring file
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 5 07:27:47 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.10.1 ESR
|
||
* Fixed: Resolved an issue caused by a recent Widevine plugin
|
||
update which prevented some purchased video content from
|
||
playing correctly (bmo#1705138)
|
||
* Fixed: Security fix
|
||
MFSA 2021-18 (bsc#1185633)
|
||
* CVE-2021-29951 (bmo#1690062)
|
||
Mozilla Maintenance Service could have been started or
|
||
stopped by domain users
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 19 13:16:14 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.10.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
- Mozilla Firefox ESR 78.10
|
||
MFSA 2021-15 (bsc#1184960)
|
||
* CVE-2021-23994 (bmo#1699077)
|
||
Out of bound write due to lazy initialization
|
||
* CVE-2021-23995 (bmo#1699835)
|
||
Use-after-free in Responsive Design Mode
|
||
* CVE-2021-23998 (bmo#1667456)
|
||
Secure Lock icon could have been spoofed
|
||
* CVE-2021-23961 (bmo#1677940)
|
||
More internal network hosts could have been probed by a
|
||
malicious webpage
|
||
* CVE-2021-23999 (bmo#1691153)
|
||
Blob URLs may have been granted additional privileges
|
||
* CVE-2021-24002 (bmo#1702374)
|
||
Arbitrary FTP command execution on FTP servers using an
|
||
encoded URL
|
||
* CVE-2021-29945 (bmo#1700690)
|
||
Incorrect size computation in WebAssembly JIT could lead to
|
||
null-reads
|
||
* CVE-2021-29946 (bmo#1698503)
|
||
Port blocking could be bypassed
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 24 07:07:10 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.9.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2021-11 (bsc#1183942)
|
||
* CVE-2021-23981 (bmo#1692832)
|
||
Texture upload into an unbound backing buffer resulted in an
|
||
out-of-bound read
|
||
* CVE-2021-23982 (bmo#1677046)
|
||
Internal network hosts could have been probed by a malicious
|
||
webpage
|
||
* CVE-2021-23984 (bmo#1693664)
|
||
Malicious extensions could have spoofed popup information
|
||
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
|
||
bmo#1690718)
|
||
Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 23 13:34:35 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.8.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2021-08 (bsc#1182614)
|
||
* CVE-2021-23969 (bmo#1542194)
|
||
Content Security Policy violation report could have contained
|
||
the destination of a redirect
|
||
* CVE-2021-23968 (bmo#1687342)
|
||
Content Security Policy violation report could have contained
|
||
the destination of a redirect
|
||
* CVE-2021-23973 (bmo#1690976)
|
||
MediaError message property could have leaked information
|
||
about cross-origin resources
|
||
* CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597,
|
||
bmo#786797)
|
||
Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
|
||
- Update create-tar.sh to use https instead of http (bsc#1182357)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 8 08:01:54 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.7.1 ESR
|
||
* Fixed: Prevent access to NTFS special paths that could lead
|
||
to filesystem corruption. (bmo#1689598)
|
||
* Fixed: Security fix
|
||
MFSA 2021-06 (bsc#1181848)
|
||
* MOZ-2021-0001 (bmo#1676636)
|
||
Buffer overflow in depth pitch calculations for compressed
|
||
textures
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 26 14:43:01 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.7.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2021-04 (bsc#1181414)
|
||
* CVE-2021-23953 (bmo#1683940)
|
||
Cross-origin information leakage via redirected PDF requests
|
||
* CVE-2021-23954 (bmo#1684020)
|
||
Type confusion when using logical assignment operators in
|
||
JavaScript switch statements
|
||
* CVE-2020-26976 (bmo#1674343)
|
||
HTTPS pages could have been intercepted by a registered
|
||
service worker when they should not have been
|
||
* CVE-2021-23960 (bmo#1675755)
|
||
Use-after-poison for incorrectly redeclared JavaScript
|
||
variables during GC
|
||
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
|
||
bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
|
||
bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
|
||
bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
|
||
bmo#1685260, bmo#1685925)
|
||
Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 7 06:45:39 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.6.1 ESR
|
||
* Fixed: Security fix
|
||
* Fixed: Fixed a crash during video playback on Apple Silicon
|
||
devices (bmo#1683579)
|
||
MFSA 2021-01 (bsc#1180623)
|
||
* CVE-2020-16044 (bmo#1683964)
|
||
Use-after-free write when handling a malicious COOKIE-ECHO
|
||
SCTP chunk
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Dec 15 13:41:58 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.6.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2020-55 (bsc#1180039)
|
||
* CVE-2020-16042 (bmo#1679003)
|
||
Operations on a BigInt could have caused uninitialized memory
|
||
to be exposed
|
||
* CVE-2020-26971 (bmo#1663466)
|
||
Heap buffer overflow in WebGL
|
||
* CVE-2020-26973 (bmo#1680084)
|
||
CSS Sanitizer performed incorrect sanitization
|
||
* CVE-2020-26974 (bmo#1681022)
|
||
Incorrect cast of StyleGenericFlexBasis resulted in a heap
|
||
use-after-free
|
||
* CVE-2020-26978 (bmo#1677047)
|
||
Internal network hosts could have been probed by a malicious
|
||
webpage
|
||
* CVE-2020-35111 (bmo#1657916)
|
||
The proxy.onRequest API did not catch view-source URLs
|
||
* CVE-2020-35112 (bmo#1661365)
|
||
Opening an extension-less download may have inadvertently
|
||
launched an executable instead
|
||
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
|
||
Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 17 14:10:17 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.5.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2020-51 (bsc#1178824)
|
||
* CVE-2020-26951 (bmo#1667113)
|
||
Parsing mismatches could confuse and bypass security
|
||
sanitizer for chrome privileged code
|
||
* CVE-2020-16012 (bmo#1642028)
|
||
Variable time processing of cross-origin images during
|
||
drawImage calls
|
||
* CVE-2020-26953 (bmo#1656741)
|
||
Fullscreen could be enabled without displaying the security
|
||
UI
|
||
* CVE-2020-26956 (bmo#1666300)
|
||
XSS through paste (manual and clipboard API)
|
||
* CVE-2020-26958 (bmo#1669355)
|
||
Requests intercepted through ServiceWorkers lacked MIME type
|
||
restrictions
|
||
* CVE-2020-26959 (bmo#1669466)
|
||
Use-after-free in WebRequestService
|
||
* CVE-2020-26960 (bmo#1670358)
|
||
Potential use-after-free in uses of nsTArray
|
||
* CVE-2020-15999 (bmo#1672223)
|
||
Heap buffer overflow in freetype
|
||
* CVE-2020-26961 (bmo#1672528)
|
||
DoH did not filter IPv4 mapped IP Addresses
|
||
* CVE-2020-26965 (bmo#1661617)
|
||
Software keyboards may have remembered typed passwords
|
||
* CVE-2020-26966 (bmo#1663571)
|
||
Single-word search queries were also broadcast to local
|
||
network
|
||
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
|
||
bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
|
||
bmo#1671923)
|
||
Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 9 17:14:52 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.4.1 ESR
|
||
* Fixed: Security fix
|
||
MFSA 2020-49 (bsc#1178588)
|
||
* CVE-2020-26950 (bmo#1675905)
|
||
Write side effects in MCallGetProperty opcode not accounted
|
||
for
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 20 15:45:22 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.4.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2020-46 (bsc#1177872)
|
||
* CVE-2020-15969 (bmo#1666570, bmo#https://github.com/sctplab/u
|
||
srsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019)
|
||
Use-after-free in usersctp
|
||
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
|
||
bmo#1662760, bmo#1663439, bmo#1666140)
|
||
Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 1 17:37:54 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.3.1 ESR (bsc#1176756)
|
||
* Fixed: Fixed legacy preferences not being properly applied
|
||
when set via GPO (bmo#1666836)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 22 13:35:26 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.3.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2020-43 (bsc#1176756)
|
||
* CVE-2020-15677 (bmo#1641487)
|
||
Download origin spoofing via redirect
|
||
* CVE-2020-15676 (bmo#1646140)
|
||
XSS when pasting attacker-controlled data into a
|
||
contenteditable element
|
||
* CVE-2020-15678 (bmo#1660211)
|
||
When recursing through layers while scrolling, an iterator
|
||
may have become invalid, resulting in a potential use-after-
|
||
free scenario
|
||
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
|
||
Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 16 13:55:06 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Enhance fix for wayland-detection (bsc#1174420)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 16 10:47:33 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Try to fix langpack-parallelization by introducing separate
|
||
obj-dirs for each lang (boo#1173986, boo#1167976)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 25 17:09:36 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.2.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
- Mozilla Firefox ESR 78.2
|
||
MFSA 2020-38 (bsc#1175686)
|
||
* CVE-2020-15663 (bmo#1643199)
|
||
Downgrade attack on the Mozilla Maintenance Service could
|
||
have resulted in escalation of privilege
|
||
* CVE-2020-15664 (bmo#1658214)
|
||
Attacker-induced prompt for extension installation
|
||
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
|
||
bmo#1656957)
|
||
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 24 23:15:34 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Added patch: firefox-dev-random-sandbox.patch (bsc#1174284)
|
||
* Firefox tab crash in FIPS mode
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 14 22:51:32 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Fix: Do not allow Firefox to use wayland on SLED15-SP0/1
|
||
(bsc#1174420)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 5 11:49:05 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Activate ccache
|
||
- Parallelize langpack build
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 3 11:06:17 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Fix broken translation-loading (boo#1173991)
|
||
* allow addon sideloading
|
||
* mark signatures for langpacks non-mandatory
|
||
* do not autodisable user profile scopes
|
||
- Google API key is not usable for geolocation service any more
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 28 13:33:39 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.1.0 ESR
|
||
* Fixed: Various stability, functionality, and security fixes
|
||
MFSA 2020-32 (bsc#1174538)
|
||
* CVE-2020-15652 (bmo#1634872)
|
||
Potential leak of redirect targets when loading scripts in a
|
||
worker
|
||
* CVE-2020-6514 (bmo#1642792)
|
||
WebRTC data channel leaks internal address to peer
|
||
* CVE-2020-15655 (bmo#1645204)
|
||
Extension APIs could be used to bypass Same-Origin Policy
|
||
* CVE-2020-15653 (bmo#1521542)
|
||
Bypassing iframe sandbox when allowing popups
|
||
* CVE-2020-6463 (bmo#1635293)
|
||
Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
|
||
* CVE-2020-15656 (bmo#1647293)
|
||
Type confusion for special arguments in IonMonkey
|
||
* CVE-2020-15658 (bmo#1637745)
|
||
Overriding file type when saving to disk
|
||
* CVE-2020-15657 (bmo#1644954)
|
||
DLL hijacking due to incorrect loading path
|
||
* CVE-2020-15654 (bmo#1648333)
|
||
Custom cursor can overlay user interface
|
||
* CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1643613,
|
||
bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646787,
|
||
bmo#1649347, bmo#1650811, bmo#1651678)
|
||
Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 9 17:14:55 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Mozilla Firefox 78.0.2
|
||
MFSA 2020-28 (bsc#1173948)
|
||
* MFSA-2020-0003 (bmo#1644076)
|
||
X-Frame-Options bypass using object or embed tags
|
||
- Firefox Extended Support Release 78.0.2esr ESR
|
||
* Fixed: Security fix
|
||
* Fixed: Fixed an accessibility regression in reader mode
|
||
(bmo#1650922)
|
||
* Fixed: Made the address bar more resilient to data corruption
|
||
in the user profile (bmo#1649981)
|
||
* Fixed: Fixed a regression opening certain external
|
||
applications (bmo#1650162)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 2 09:04:19 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Add specific requirement for libfreetype6 (bsc#1173613)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 1 18:20:53 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.0.1 ESR
|
||
* Fixed: Fixed an issue which could cause installed search
|
||
engines to not be visible when upgrading from a previous
|
||
release. (bmo#1649558)
|
||
- Mozilla Firefox 78
|
||
MFSA 2020-24 (bsc#1173576)
|
||
* CVE-2020-12415 (bmo#1586630)
|
||
AppCache manifest poisoning due to url encoded character
|
||
processing
|
||
* CVE-2020-12416 (bmo#1639734)
|
||
Use-after-free in WebRTC VideoBroadcaster
|
||
* CVE-2020-12417 (bmo#1640737)
|
||
Memory corruption due to missing sign-extension for ValueTags
|
||
on ARM64
|
||
* CVE-2020-12418 (bmo#1641303)
|
||
Information disclosure due to manipulated URL object
|
||
* CVE-2020-12419 (bmo#1643874)
|
||
Use-after-free in nsGlobalWindowInner
|
||
* CVE-2020-12420 (bmo#1643437)
|
||
Use-After-Free when trying to connect to a STUN server
|
||
* CVE-2020-12402 (bmo#1631597)
|
||
RSA Key Generation vulnerable to side-channel attack
|
||
* CVE-2020-12421 (bmo#1308251)
|
||
Add-On updates did not respect the same certificate trust
|
||
rules as software updates
|
||
* CVE-2020-12422 (bmo#1450353)
|
||
Integer overflow in nsJPEGEncoder::emptyOutputBuffer
|
||
* CVE-2020-12423 (bmo#1642400)
|
||
DLL Hijacking due to searching %PATH% for a library
|
||
* CVE-2020-12424 (bmo#1562600)
|
||
WebRTC permission prompt could have been bypassed by a
|
||
compromised content process
|
||
* CVE-2020-12425 (bmo#1634738)
|
||
Out of bound read in Date.parse()
|
||
* CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187,
|
||
bmo#1637682)
|
||
Memory safety bugs fixed in Firefox 78
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 30 22:24:48 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 78.0esr ESR
|
||
* New: Some of the highlights of the new Extended Support
|
||
Release are:
|
||
- Kiosk mode
|
||
- Client certificates
|
||
- Service Worker and Push APIs are now enabled
|
||
- The Block Autoplay feature is enabled
|
||
- Picture-in-picture support
|
||
- View and manage web certificates in about:certificate
|
||
For more information about what's new in the Firefox 78 ESR
|
||
release, see the more detailed release notes at
|
||
support.mozilla.org.
|
||
- Add patches to fix big endian problems:
|
||
* mozilla-s390x-skia-gradient.patch
|
||
* mozilla-bmo998749.patch
|
||
* mozilla-bmo1626236.patch
|
||
- Add patch to fix broken build on ppc64le
|
||
* mozilla-bmo1512162.patch
|
||
- Add patch to add screensharing capability on wayland
|
||
* mozilla-pipewire-0-3.patch
|
||
- Rename firefox-fips.patch to mozilla-sandbox-fips.patch
|
||
|
||
- Removed upstreamed patches:
|
||
* mozilla-cubeb-noreturn.patch
|
||
* mozilla-nestegg-big-endian.patch
|
||
* mozilla-openaes-decl.patch
|
||
* mozilla-s390x-bigendian.patch
|
||
* mozilla-sle12-lower-python-requirement.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 2 13:18:48 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.9.0 ESR
|
||
* Fixed: Various stability and security fixes
|
||
MFSA 2020-21 (bsc#1172402)
|
||
* CVE-2020-12405 (bmo#1619305, bmo#1632717)
|
||
Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
|
||
* CVE-2020-12406 (bmo#1639590)
|
||
* CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 27 15:14:08 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Removed %is_opensuse macro from spec file to align builds with
|
||
openSUSE Leap.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 5 13:10:26 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.8.0 ESR
|
||
MFSA 2020-17 (bsc#1171186)
|
||
* CVE-2020-12387 (bmo#1545345)
|
||
Use-after-free during worker shutdown
|
||
* CVE-2020-12388 (bmo#1618911)
|
||
Sandbox escape with improperly guarded Access Tokens
|
||
* CVE-2020-12389 (bmo#1554110)
|
||
Sandbox escape with improperly separated process types
|
||
* CVE-2020-6831 (bmo#1632241)
|
||
Buffer overflow in SCTP chunk input validation
|
||
* CVE-2020-12392 (bmo#1614468)
|
||
Arbitrary local file access with 'Copy as cURL'
|
||
* CVE-2020-12393 (bmo#1615471)
|
||
Devtools' 'Copy as cURL' feature did not fully escape
|
||
website-controlled data, potentially leading to command
|
||
injection
|
||
* CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704,
|
||
bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076,
|
||
bmo#1631508)
|
||
Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 7 13:45:36 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.7.0 ESR
|
||
MFSA 2020-13 (bsc#1168874)
|
||
* CVE-2020-6828 (bmo#1617928)
|
||
Preference overwrite via crafted Intent from malicious
|
||
Android application
|
||
* CVE-2020-6827 (bmo#1622278)
|
||
Custom Tabs in Firefox for Android could have the URI spoofed
|
||
* CVE-2020-6821 (bmo#1625404)
|
||
Uninitialized memory could be read when using the WebGL
|
||
copyTexSubImage method
|
||
* CVE-2020-6822 (bmo#1544181)
|
||
Out of bounds write in GMPDecodeData when processing large
|
||
images
|
||
* CVE-2020-6825 (bmo#1572541, bmo#1620193, bmo#1620203)
|
||
Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Apr 4 08:24:21 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
|
||
|
||
- Mozilla Firefox 68.6.1esr
|
||
MFSA 2020-11 (boo#1168630)
|
||
* CVE-2020-6819 (bmo#1620818)
|
||
Use-after-free while running the nsDocShell destructor
|
||
* CVE-2020-6820 (bmo#1626728)
|
||
Use-after-free when handling a ReadableStream
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 20 18:20:58 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Added patch: firefox-fips.patch (bsc#1167231)
|
||
* FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 10 12:36:01 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.6.0 ESR (bsc#1166238)
|
||
* Fixed: Various stability and security fixes
|
||
MFSA 2020-09 (bsc#1132665)
|
||
* CVE-2020-6805 (bmo#1610880)
|
||
Use-after-free when removing data about origins
|
||
* CVE-2020-6806 (bmo#1612308)
|
||
BodyStream::OnInputStreamReady was missing protections
|
||
against state confusion
|
||
* CVE-2020-6807 (bmo#1614971)
|
||
Use-after-free in cubeb during stream destruction
|
||
* CVE-2020-6811 (bmo#1607742)
|
||
Devtools' 'Copy as cURL' feature did not fully escape
|
||
website-controlled data, potentially leading to command
|
||
injection
|
||
* CVE-2019-20503 (bmo#1613765)
|
||
Out of bounds reads in sctp_load_addresses_from_init
|
||
* CVE-2020-6812 (bmo#1616661)
|
||
The names of AirPods with personally identifiable information
|
||
were exposed to websites with camera or microphone permission
|
||
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256,
|
||
bmo#1612636, bmo#1614339)
|
||
Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 11 18:43:03 UTC 2020 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.5.0 ESR
|
||
* Fixed: Various stability and security fixes
|
||
- Mozilla Firefox ESR68.5
|
||
MFSA 2020-06 (bsc#1163368)
|
||
* CVE-2020-6796 (bmo#1610426)
|
||
Missing bounds check on shared memory read in the parent
|
||
process
|
||
* CVE-2020-6797 (bmo#1596668)
|
||
Extensions granted downloads.open permission could open
|
||
arbitrary applications on Mac OSX
|
||
* CVE-2020-6798 (bmo#1602944)
|
||
Incorrect parsing of template tag could result in JavaScript
|
||
injection
|
||
* CVE-2020-6799 (bmo#1606596)
|
||
Arbitrary code execution when opening pdf links from other
|
||
applications, when Firefox is configured as default pdf
|
||
reader
|
||
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
|
||
bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
|
||
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 21 11:49:52 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.4.2 ESR
|
||
* Fixed: Fixed various issues opening files with spaces in
|
||
their path (bmo#1601905, bmo#1602726)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 9 06:37:13 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.4.1 ESR
|
||
* Fixed: Security fix
|
||
MFSA 2020-03 (bsc#1160498)
|
||
* CVE-2019-17026 (bmo#1607443)
|
||
IonMonkey type confusion with StoreElementHole and
|
||
FallibleStoreElement
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 7 14:28:41 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.4.0 ESR
|
||
* Fixed: Various security fixes
|
||
MFSA 2020-02 (bsc#1160305)
|
||
* CVE-2019-17015 (bmo#1599005)
|
||
Memory corruption in parent process during new content
|
||
process initialization on Windows
|
||
* CVE-2019-17016 (bmo#1599181)
|
||
Bypass of @namespace CSS sanitization during pasting
|
||
* CVE-2019-17017 (bmo#1603055)
|
||
Type Confusion in XPCVariant.cpp
|
||
* CVE-2019-17021 (bmo#1599008)
|
||
Heap address disclosure in parent process during content
|
||
process initialization on Windows
|
||
* CVE-2019-17022 (bmo#1602843)
|
||
CSS sanitization does not escape HTML tags
|
||
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
|
||
bmo#1601826)
|
||
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
|
||
- Removed patch that is now upstream: mozilla-bmo1511604.patch
|
||
- Added patch to fix broken URL-bar on s390x:
|
||
mozilla-bmo1602730.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Dec 3 14:00:28 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.3.0 ESR
|
||
* Changed: Updates to improve performance and stability
|
||
MFSA 2019-37 (bsc#1158328)
|
||
* CVE-2019-17008 (bmo#1546331)
|
||
Use-after-free in worker destruction
|
||
* CVE-2019-13722 (bmo#1580156)
|
||
Stack corruption due to incorrect number of arguments in
|
||
WebRTC code
|
||
* CVE-2019-11745 (bmo#1586176)
|
||
Out of bounds write in NSS when encrypting with a block
|
||
cipher
|
||
* CVE-2019-17009 (bmo#1510494)
|
||
Updater temporary files accessible to unprivileged processes
|
||
* CVE-2019-17010 (bmo#1581084)
|
||
Use-after-free when performing device orientation checks
|
||
* CVE-2019-17005 (bmo#1584170)
|
||
Buffer overflow in plain text serializer
|
||
* CVE-2019-17011 (bmo#1591334)
|
||
Use-after-free when retrieving a document in antitracking
|
||
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667,
|
||
bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502)
|
||
Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 26 22:30:03 UTC 2019 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Fix _constraints for ppc64le (bsc#1157652)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 19 12:41:44 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Add patch mozilla-bmo849632.patch to partially fix broken webGL
|
||
sites on big endian machines (wrong colors)
|
||
- Replace source-stamp.txt with tar_stamps
|
||
- Reference create-tar.sh by direct commit-hash in the spec-file
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 5 14:37:37 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Reactivate webRTC for all architectures
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 31 11:10:35 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Add patch mozilla-bmo1504834-part4.patch to fix broken
|
||
tab-titles on s390x
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 24 17:25:44 UTC 2019 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Resolved issues fixed earlier:
|
||
* [bsc#1104841] Newer versions of firefox have a dependency on GLIBCXX_3.4.20
|
||
* [bsc#1129528] SLES15 - IBM s390-tools-2.1.0 Maintenance Patches (#6)
|
||
* [bsc#1137990] Firefox 60.7 ESR changed the user interface language
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 21 12:34:34 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Firefox Extended Support Release 68.2.0 ESR
|
||
* Enterprise: New administrative policies were added. More
|
||
information and templates are available at the Policy
|
||
Templates page.
|
||
* Fixed: Various security fixes
|
||
MFSA 2019-33 (bsc#1154738)
|
||
* CVE-2019-15903 (bmo#1584907)
|
||
Heap overflow in expat library in XML_GetCurrentLineNumber
|
||
* CVE-2019-11757 (bmo#1577107)
|
||
Use-after-free when creating index updates in IndexedDB
|
||
* CVE-2019-11758 (bmo#1536227)
|
||
Potentially exploitable crash due to 360 Total Security
|
||
* CVE-2019-11759 (bmo#1577953)
|
||
Stack buffer overflow in HKDF output
|
||
* CVE-2019-11760 (bmo#1577719)
|
||
Stack buffer overflow in WebRTC networking
|
||
* CVE-2019-11761 (bmo#1561502)
|
||
Unintended access to a privileged JSONView object
|
||
* CVE-2019-11762 (bmo#1582857)
|
||
document.domain-based origin isolation has same-origin-
|
||
property violation
|
||
* CVE-2019-11763 (bmo#1584216)
|
||
Incorrect HTML parsing results in XSS bypass technique
|
||
* CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223,
|
||
bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933,
|
||
bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599,
|
||
bmo#1586845)
|
||
Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
|
||
- removed now upstream patches:
|
||
* mozilla-bmo1573381.patch
|
||
* mozilla-bmo1512162.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 11 12:18:38 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Add patch to lower python requirement to 3.4 in order to
|
||
build on SLE-12:
|
||
* mozilla-sle12-lower-python-requirement.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 10 11:44:21 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Add Provides-line for translations-common (bsc#1153423)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 8 12:26:41 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Moved some settings from branding-package here (bsc#1153869)
|
||
- add patch to fix LTO build (w/o PGO):
|
||
* mozilla-fix-top-level-asm.patch
|
||
- remove obsolete kde.js setting (boo#1151186) and related patch:
|
||
* firefox-add-kde.js-in-order-to-survive-PGO-build.patch
|
||
* modified firefox-kde.patch for the removal of kde.js
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 24 13:07:00 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Update mozilla-bmo1512162.patch to the patch now commited upstream
|
||
* No more -O1 builds for ppc64le necessary
|
||
- Disable DoH by default
|
||
* Not yet officially active in ESR, but just to make sure
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 9 22:06:54 UTC 2019 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Mozilla Firefox ESR 68.1
|
||
Resolves the following bigendian s390x issues:
|
||
* [bsc#1109465] Latest Firefox update not released for s390x
|
||
* [bsc#1117473] Firefox segmentation fault on s390vsl082
|
||
* [bsc#1123482] openQA test fails in firefox - firefox doesn't start
|
||
* [bsc#1124525] Firefox is core dumping on SLES15 s390x
|
||
* [bsc#1133810] Firefox: Segmentation fault (core dumped)
|
||
|
||
MFSA 2019-26 (bsc#1149323)
|
||
* CVE-2019-11751 (bmo#1572838)
|
||
Malicious code execution through command line parameters
|
||
* CVE-2019-11746 (bmo#1564449)
|
||
Use-after-free while manipulating video
|
||
* CVE-2019-11744 (bmo#1562033)
|
||
XSS by breaking out of title and textarea elements using
|
||
innerHTML
|
||
* CVE-2019-11742 (bmo#1559715)
|
||
Same-origin policy violation with SVG filters and canvas to
|
||
steal cross-origin images
|
||
* CVE-2019-11736 (bmo#1551913, bmo#1552206)
|
||
File manipulation and privilege escalation in Mozilla
|
||
Maintenance Service
|
||
* CVE-2019-11753 (bmo#1574980)
|
||
Privilege escalation with Mozilla Maintenance Service in
|
||
custom Firefox installation location
|
||
* CVE-2019-11752 (bmo#1501152)
|
||
Use-after-free while extracting a key value in IndexedDB
|
||
* CVE-2019-9812 (bmo#1538008, bmo#1538015)
|
||
Sandbox escape through Firefox Sync
|
||
* CVE-2019-11743 (bmo#1560495,
|
||
bmo#https://w3c.github.io/navigation-timing)
|
||
Cross-origin access to unload event attributes
|
||
* CVE-2019-11748 (bmo#1564588)
|
||
Persistence of WebRTC permissions in a third party context
|
||
* CVE-2019-11749 (bmo#1565374)
|
||
Camera information available without prompting using
|
||
getUserMedia
|
||
* CVE-2019-11750 (bmo#1568397)
|
||
Type confusion in Spidermonkey
|
||
* CVE-2019-11738 (bmo#1452037)
|
||
Content security policy bypass through hash-based sources in
|
||
directives
|
||
* CVE-2019-11747 (bmo#1564481)
|
||
'Forget about this site' removes sites from pre-loaded HSTS
|
||
list
|
||
* CVE-2019-11735 (bmo#1561404, bmo#1561484, bmo#1561912,
|
||
bmo#1565744, bmo#1568047, bmo#1568858, bmo#1570358)
|
||
Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
|
||
* CVE-2019-11740 (bmo#1563133, bmo#1573160)
|
||
Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and
|
||
Firefox ESR 60.9
|
||
|
||
- Mozilla Firefox ESR 68.0.2
|
||
* Fixed: Fixed a bug causing some special characters to be cut
|
||
off from the end of the search terms when searching from the
|
||
URL bar (bmo#1560228)
|
||
* Fixed: Allow fonts to be loaded via file:// URLs when opening
|
||
a page locally (bmo#1565942)
|
||
* Fixed: Printing emails from the Outlook web app no longer
|
||
prints only the header and footer (bmo#1567105)
|
||
* Fixed: Fixed a bug causing some images not to be displayed on
|
||
reload, including on Google Maps (bmo#1565542)
|
||
* Fixed: Fixed an error when starting external applications
|
||
configured as URI handlers (bmo#1567614)
|
||
* Fixed: Security fixes
|
||
- MFSA 2019-24 (bsc#1145665)
|
||
* CVE-2019-11733 (bmo#1565780)
|
||
Stored passwords in 'Saved Logins' can be copied without
|
||
master password entry
|
||
|
||
- Mozilla Firefox ESR 68.0.1
|
||
* macOS releases are now signed by the Apple notary service,
|
||
allowing Firefox to properly run on macOS 10.15 Beta releases
|
||
* Fixed missing Full Screen button when watching videos in full
|
||
screen mode on HBO GO (bmo#1562837)
|
||
* Fixed a bug causing incorrect messages to appear for some
|
||
locales when sites try to request the use of the Storage
|
||
Access API (bmo#1558503)
|
||
* Users in Russian regions may have their default search engine
|
||
changed (bmo#1565315)
|
||
* Built-in search engines in some locales do not function
|
||
correctly (bmo#1565779)
|
||
* SupportMenu policy doesn't always work (bmo#1553290)
|
||
* Allow the new ExtensionSettings policy to work with GPO on
|
||
Windows (bmo#1553586)
|
||
* Allow the privacy.file_unique_origin pref to be controlled by
|
||
policy (bmo#1563759)
|
||
|
||
- Mozilla Firefox ESR 68.0
|
||
* Dark mode in reader view
|
||
* Improved extension security and discovery
|
||
* Cryptomining and fingerprinting protections are added to strict
|
||
content blocking settings in Privacy & Security preferences
|
||
* Camera and microphone access now require an HTTPS connection
|
||
MFSA 2019-21 (bsc#1140868)
|
||
* CVE-2019-9811 (bmo#1523741, bmo#1538007, bmo#1539598,
|
||
bmo#1539759, bmo#1563327)
|
||
Sandbox escape via installation of malicious language pack
|
||
* CVE-2019-11711 (bmo#1552541)
|
||
Script injection within domain through inner window reuse
|
||
* CVE-2019-11712 (bmo#1543804)
|
||
Cross-origin POST requests can be made with NPAPI plugins by
|
||
following 308 redirects
|
||
* CVE-2019-11713 (bmo#1528481)
|
||
Use-after-free with HTTP/2 cached stream
|
||
* CVE-2019-11714 (bmo#1542593)
|
||
NeckoChild can trigger crash when accessed off of main thread
|
||
* CVE-2019-11729 (bmo#1515342)
|
||
Empty or malformed p256-ECDH public keys may trigger a
|
||
segmentation fault
|
||
* CVE-2019-11715 (bmo#1555523)
|
||
HTML parsing error can contribute to content XSS
|
||
* CVE-2019-11716 (bmo#1552632)
|
||
globalThis not enumerable until accessed
|
||
* CVE-2019-11717 (bmo#1548306)
|
||
Caret character improperly escaped in origins
|
||
* CVE-2019-11718 (bmo#1408349)
|
||
Activity Stream writes unsanitized content to innerHTML
|
||
* CVE-2019-11719 (bmo#1540541)
|
||
Out-of-bounds read when importing curve25519 private key
|
||
* CVE-2019-11720 (bmo#1556230)
|
||
Character encoding XSS vulnerability
|
||
* CVE-2019-11721 (bmo#1256009)
|
||
Domain spoofing through unicode latin 'kra' character
|
||
* CVE-2019-11730 (bmo#1558299)
|
||
Same-origin policy treats all files in a directory as having
|
||
the same-origin
|
||
* CVE-2019-11723 (bmo#1528335)
|
||
Cookie leakage during add-on fetching across private browsing
|
||
boundaries
|
||
* CVE-2019-11724 (bmo#1512511)
|
||
Retired site input.mozilla.org has remote troubleshooting
|
||
permissions
|
||
* CVE-2019-11725 (bmo#1483510)
|
||
Websocket resources bypass safebrowsing protections
|
||
* CVE-2019-11727 (bmo#1552208)
|
||
PKCS#1 v1.5 signatures can be used for TLS 1.3
|
||
* CVE-2019-11728 (bmo#1552993)
|
||
Port scanning through Alt-Svc header
|
||
* CVE-2019-11710 (bmo#1507696, bmo#1510345, bmo#1533842,
|
||
bmo#1535482, bmo#1535848, bmo#1537692, bmo#1540590,
|
||
bmo#1544180, bmo#1547472, bmo#1547760, bmo#1548611,
|
||
bmo#1549768, bmo#1551907)
|
||
Memory safety bugs fixed in Firefox 68
|
||
* CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219,
|
||
bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822,
|
||
bmo#1550498, bmo#1550498)
|
||
Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
|
||
|
||
- removed patches that are now upstream
|
||
* mozilla-bmo1375074.patch
|
||
* mozilla-bmo1436242.patch
|
||
* mozilla-bmo256180.patch
|
||
* mozilla-i586-DecoderDoctorLogger.patch
|
||
* mozilla-i586-domPrefs.patch
|
||
* mozilla-bmo1464766.patch
|
||
* mozilla-bigendian_bit_flags_alias.patch
|
||
- removed workaround-patch for build memory consumption on i586;
|
||
other mitigations meanwhile introduced (mainly parallelity)
|
||
will be sufficient
|
||
* mozilla-reduce-files-per-UnifiedBindings.patch
|
||
- added patch to make builds reproducible
|
||
* mozilla-bmo1568145.patch
|
||
- added a bunch of patches mainly for big endian platforms
|
||
* mozilla-bmo1504834-part1.patch
|
||
* mozilla-bmo1504834-part2.patch
|
||
* mozilla-bmo1504834-part3.patch
|
||
* mozilla-bmo1511604.patch
|
||
* mozilla-bmo1512162.patch
|
||
* mozilla-bmo1554971.patch
|
||
* mozilla-bmo1573381.patch
|
||
* mozilla-nestegg-big-endian.patch
|
||
- added patches to fix build on armv7:
|
||
* mozilla-bmo1463035.patch
|
||
* mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
|
||
- added patch to fix non-return function
|
||
* mozilla-cubeb-noreturn.patch
|
||
- added patch to fix aarch64 build:
|
||
* mozilla-fix-aarch64-libopus.patch (bmo#1539737)
|
||
- added patch to enable PGO for x86_64.
|
||
* firefox-add-kde.js-in-order-to-survive-PGO-build.patch
|
||
- added patch to reduce build-load
|
||
* mozilla-reduce-rust-debuginfo.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jun 21 06:01:18 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Mozilla Firefox Firefox 60.7.2
|
||
MFSA 2019-19 (bsc#1138872)
|
||
* CVE-2019-11708 (bmo#1559858)
|
||
sandbox escape using Prompt:Open
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 19 12:35:12 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Build Firefox with gcc instead of clang (bsc#1138688)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 19 06:17:40 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Mozilla Firefox Firefox 60.7.1
|
||
MFSA 2019-18 (bsc#1138614)
|
||
* CVE-2019-11707 (bmo#1544386)
|
||
Type confusion in Array.pop
|
||
- Added the new Mozilla's GPG key with subkey fingerprint
|
||
097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D 572E, expiring on
|
||
2021-05-29 to the mozilla.keyring file
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 11 09:19:32 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Fix broken language plugins (bsc#1137792)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 21 17:54:12 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- update to Firefox ESR 60.7 (bsc#1135824)
|
||
* Font and date adjustments to accommodate the new Reiwa era
|
||
in Japan
|
||
* MFSA 2019-14/CVE-2019-9817
|
||
(bmo#1540221)
|
||
Stealing of cross-domain images using canvas
|
||
* MFSA 2019-14/CVE-2019-9800
|
||
(bmo#1499108, bmo#1499719, bmo#1516325, bmo#1532465,
|
||
bmo#1533554, bmo#1534593, bmo#1535194, bmo#1535612,
|
||
bmo#1538042, bmo#1538619, bmo#1538736, bmo#1540136,
|
||
bmo#1540166, bmo#1541580, bmo#1542097, bmo#1542324,
|
||
bmo#1546327)
|
||
Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
|
||
* MFSA 2019-14/CVE-2019-9816
|
||
(bmo#1536768)
|
||
Type confusion with object groups and UnboxedObjects
|
||
* MFSA 2019-14/CVE-2019-9815
|
||
(bmo#1546544, bmo#https://mdsattacks.com/)
|
||
Disable hyperthreading on content JavaScript threads on macOS
|
||
* MFSA 2019-14/CVE-2019-11698
|
||
(bmo#1543191)
|
||
Theft of user history data through drag and drop of
|
||
hyperlinks to and from bookmarks
|
||
* MFSA 2019-14/CVE-2019-11692
|
||
(bmo#1544670)
|
||
Use-after-free removing listeners in the event listener
|
||
manager
|
||
* MFSA 2019-14/CVE-2019-11693
|
||
(bmo#1532525)
|
||
Buffer overflow in WebGL bufferdata on Linux
|
||
* MFSA 2019-14/CVE-2019-7317
|
||
(bmo#1542829)
|
||
Use-after-free in png_image_free of libpng library
|
||
* MFSA 2019-14/CVE-2019-9820
|
||
(bmo#1536405)
|
||
Use-after-free of ChromeEventHandler by DocShell
|
||
* MFSA 2019-14/CVE-2019-9818
|
||
(bmo#1542581)
|
||
Use-after-free in crash generation server
|
||
* MFSA 2019-14/CVE-2019-11691
|
||
(bmo#1542465)
|
||
Use-after-free in XMLHttpRequest
|
||
* MFSA 2019-14/CVE-2019-9819
|
||
(bmo#1532553)
|
||
Compartment mismatch with fetch API
|
||
* MFSA 2019-14/CVE-2019-11694
|
||
(bmo#1534196)
|
||
Uninitialized memory memory leakage in Windows sandbox
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 17 08:34:38 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||
|
||
- Sync with Devel:Desktop:Mozilla:*:next
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 14 17:23:34 UTC 2019 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- Enable Firefox to build with Rust >= 1.30 with fix. See below.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 9 22:26:20 UTC 2019 - Charles Robertson <cgrobertson@suse.com>
|
||
|
||
- update to 60.6.3 (bmo#1549249)
|
||
* Further improvements to re-enable web extensions which had been
|
||
disabled for users with a master password set.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 6 07:26:43 UTC 2019 - Peter Simons <psimons@suse.com>
|
||
|
||
- update to 60.6.2 (bsc#1134126)
|
||
* Repaired certificate chain to re-enable web extensions that
|
||
had been disabled.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 18 19:59:46 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
||
|
||
- Update BuildRequires rust >= 1.30 from 1.24
|
||
* Upstream Firefox ESR presumes rust version stable at release (1.24).
|
||
SUSE currently uses improved packaging for rust >= 1.30.
|
||
* boo#1130694 rust 1.33.0 breaks Firefox and Thunderbird
|
||
due to missing macro comment docs in Firefox rust sources
|
||
bmo#1539901 ESR 60 build fails with Rust 1.33 due to missing documentation on macros in stylo
|
||
bmo#1519629 Stylo fails with --enable-warnings-as-errors using Rust 1.33
|
||
* Fix build using RUSTFLAGS="--cap-lints allow"
|
||
Preferred alternative to patching and revendoring stylo rust crates
|
||
Revisit with intent to remove in next Firefox ESR 68.0 2019-07-09
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 27 11:32:18 UTC 2019 - cgrobertson@suse.com
|
||
|
||
- Fixed translations provides
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 22 17:24:25 UTC 2019 - cgrobertson@suse.com
|
||
|
||
- update to Firefox ESR 60.6.1 (bsc#1130262)
|
||
* MFSA 2019-10/CVE-2019-9813
|
||
(bmo#1538006)
|
||
Ionmonkey type confusion with __proto__ mutations
|
||
* MFSA 2019-10/CVE-2019-9810
|
||
(bmo#1537924)
|
||
IonMonkey MArraySlice has incorrect alias information
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 19 13:17:46 UTC 2019 - cgrobertson@suse.com
|
||
|
||
- update to Firefox ESR 60.6 (bsc#1129821)
|
||
* MFSA 2019-08/CVE-2018-18506
|
||
(bmo#1503393)
|
||
Proxy Auto-Configuration file can define localhost access to
|
||
be proxied
|
||
* MFSA 2019-08/CVE-2019-9801
|
||
(bmo#1527717)
|
||
Windows programs that are not 'URL Handlers' are exposed to
|
||
web content
|
||
* MFSA 2019-08/CVE-2019-9788
|
||
(bmo#1506665, bmo#1516834, bmo#1518001, bmo#1518774,
|
||
bmo#1521214, bmo#1521304, bmo#1523362, bmo#1524214,
|
||
bmo#1524755, bmo#1529203)
|
||
Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
|
||
* MFSA 2019-08/CVE-2019-9790
|
||
(bmo#1525145)
|
||
Use-after-free when removing in-use DOM elements
|
||
* MFSA 2019-08/CVE-2019-9791
|
||
(bmo#1530958)
|
||
Type inference is incorrect for constructors entered through
|
||
on-stack replacement with IonMonkey
|
||
* MFSA 2019-08/CVE-2019-9792
|
||
(bmo#1532599)
|
||
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
|
||
* MFSA 2019-08/CVE-2019-9793
|
||
(bmo#1528829)
|
||
Improper bounds checks when Spectre mitigations are disabled
|
||
* MFSA 2019-08/CVE-2019-9794
|
||
(bmo#1530103)
|
||
Command line arguments not discarded during execution
|
||
* MFSA 2019-08/CVE-2019-9795
|
||
(bmo#1514682)
|
||
Type-confusion in IonMonkey JIT compiler
|
||
* MFSA 2019-08/CVE-2019-9796
|
||
(bmo#1531277)
|
||
Use-after-free with SMIL animation controller
|
||
|
||
- Fix for [bsc#1127987] MozillaFirefox-translations-common causing
|
||
error on update
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 26 17:14:33 UTC 2019 - cgrobertson@suse.com
|
||
|
||
- Mozilla Firefox 60.5.2esr:
|
||
* Fix a frequent crash when reading various Reuters news articles
|
||
(bmo#1505844)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Feb 13 09:09:18 UTC 2019 - alarrosa@suse.com
|
||
|
||
- Update to Firefox ESR 60.5.1
|
||
MFSA-2019-05 (bsc#1125330)
|
||
* CVE-2018-18356 (bmo#1525817)
|
||
A use-after-free vulnerability in the Skia library can occur when
|
||
creating a path, leading to a potentially exploitable crash.
|
||
* CVE-2019-5785 (bmo#1525433)
|
||
An integer overflow vulnerability in the Skia library can occur
|
||
after specific transform operations, leading to a potentially
|
||
exploitable crash.
|
||
* CVE-2018-18335 (bmo#1525815)
|
||
A buffer overflow vulnerability in the Skia library can occur with
|
||
Canvas 2D acceleration on macOS. This issue was addressed by
|
||
disabling Canvas 2D acceleration in Firefox ESR. Note: this does
|
||
not affect other versions and platforms where Canvas 2D
|
||
acceleration is already disabled by default.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 30 12:53:24 UTC 2019 - cgrobertson@suse.com
|
||
|
||
- Update to Firefox ESR 60.5
|
||
MFSA 2019-02 (bsc#1122983)
|
||
* CVE-2018-18501 (bmo#1460619, bmo#1502871, bmo#1512450,
|
||
bmo#1513201, bmo#1516514, bmo#1516738, bmo#1517542)
|
||
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
|
||
* CVE-2018-18500 (bmo#1510114)
|
||
Use-after-free parsing HTML5 stream
|
||
* CVE-2018-18505 (bmo#1087565, bmo#1497749)
|
||
Privilege escalation through IPC channel messages
|
||
|
||
- Removed obsolete patches:
|
||
[mozilla-no-stdcxx-check.patch] Applied upstream
|
||
[mozilla-s390-nojit.patch] Applied upstream
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 17 17:27:06 UTC 2019 - cgrobertson@suse.com
|
||
|
||
- Fix for language pack build error (bsc#1120374)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 20 12:32:17 UTC 2018 - Karol Babioch <kbabioch@suse.de>
|
||
|
||
- Revert dependency for branding package back to >= 60 due to dependency
|
||
issues.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 14 19:05:21 UTC 2018 - cgrobertson@suse.com
|
||
|
||
- Depend on branding package version >= 60.0
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 12 19:20:33 UTC 2018 - cgrobertson@suse.com
|
||
|
||
- Mozilla Firefox 60.4.0esr:
|
||
* Updated list of currency codes to include Unidad Previsional (UYW)
|
||
(bmo#1499028)
|
||
MFSA 2018-30 (bsc#1119105)
|
||
* CVE-2018-17466 bmo#1488295
|
||
Buffer overflow and out-of-bounds read in ANGLE library with
|
||
TextureStorage11
|
||
* CVE-2018-18492 bmo#1499861
|
||
Use-after-free with select element
|
||
* CVE-2018-18493 bmo#1504452
|
||
Buffer overflow in accelerated 2D canvas with Skia
|
||
* CVE-2018-18494 bmo#1487964
|
||
Same-origin policy violation using location attribute and
|
||
performance.getEntries to steal cross-origin URLs
|
||
* CVE-2018-18498 bmo#1500011
|
||
Integer overflow when calculating buffer sizes for images
|
||
* CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
|
||
bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
|
||
Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4
|
||
- requires NSS >= 3.36.6
|
||
|
||
- Removed obsolete patch:
|
||
[mozilla-update-cc-crate.patch] Applied upstream
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 23 20:35:31 UTC 2018 - alarrosa@suse.com
|
||
|
||
- Mozilla Firefox 60.3.0esr:
|
||
* Various stability and regression fixes
|
||
MFSA 2018-27 bsc#1112852
|
||
* CVE-2018-12392 bmo#1492823
|
||
Crash with nested event loops
|
||
* CVE-2018-12393 bmo#1495011
|
||
Integer overflow during Unicode conversion while loading
|
||
JavaScript
|
||
* CVE-2018-12395 bmo#1467523
|
||
WebExtension bypass of domain restrictions through header
|
||
rewriting
|
||
* CVE-2018-12396 bmo#1483602
|
||
WebExtension content scripts can execute in disallowed
|
||
contexts
|
||
* CVE-2018-12397 bmo#1487478
|
||
WebExtension local file access vulnerability
|
||
* CVE-2018-12389 bmo#1498460, bmo#1499198
|
||
Memory safety bugs fixed in Firefox ESR 60.3
|
||
* CVE-2018-12390 bmo#1487098 bmo#1487660 bmo#1490234 bmo#1496159
|
||
bmo#1443748 bmo#1496340 bmo#1483905 bmo#1493347 bmo#1488803
|
||
bmo#1498701 bmo#1498482 bmo#1442010 bmo#1495245 bmo#1483699
|
||
bmo#1469486 bmo#1484905 bmo#1490561 bmo#1492524 bmo#1481844
|
||
Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
|
||
|
||
- Drop mozilla-bmo1472538-update-bindgen.patch which was already
|
||
merged upstream
|
||
|
||
- Update mozilla-update-cc-crate.patch, since cc was updated to 1.0.9
|
||
upstream, but this patch still updates it to a newer version
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 11 15:42:40 UTC 2018 - alarrosa@suse.com
|
||
|
||
- Update create-tar.sh and source-stamp.txt as should be done
|
||
with every version update.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 9 08:00:29 UTC 2018 - alarrosa@suse.com
|
||
|
||
- Mozilla Firefox 60.2.2esr:
|
||
MFSA 2018-24
|
||
* CVE-2018-12386 (bsc#1110506, bmo#1493900)
|
||
Type confusion in JavaScript allowed remote code execution
|
||
* CVE-2018-12387 (bsc#1110507, bmo#1493903)
|
||
Array.prototype.push stack pointer vulnerability may enable
|
||
exploits in the sandboxed content process
|
||
|
||
- Avoid undefined behavior in IPC fd-passing code with
|
||
mozilla-bmo1436242.patch (boo#1094767, bmo#1436242)
|
||
|
||
- Mozilla Firefox 60.2.1esr:
|
||
MFSA 2018-23
|
||
* CVE-2018-12385 (boo#1109363, bmo#1490585)
|
||
Crash in TransportSecurityInfo due to cached data
|
||
* CVE-2018-12383 (boo#1107343, bmo#1475775)
|
||
Setting a master password did not delete unencrypted
|
||
previously stored passwords
|
||
* Fixed a startup crash affecting users migrating from older ESR
|
||
releases
|
||
* Clean up old NSS DB files after upgrading
|
||
|
||
- Fix typo in an old changelog entry which mentioned a wrong patch file
|
||
and really remove mozilla-glibc-getrandom.patch as should have
|
||
been done some weeks ago.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 3 23:35:43 UTC 2018 - cgrobertson@suse.com
|
||
|
||
- bsc#1109465 - Add mozilla-bmo1472538-update-bindgen.patch and
|
||
mozilla-update-cc-crate.patch. This fixes an endianness problem in
|
||
bindgen's handling of bitfields, which was causing Firefox to crash
|
||
on startup on big-endian machines. Also, updates the cc crate,
|
||
which was buggy in the version that was originally vendored in.
|
||
|
||
- added patch
|
||
[mozilla-bigendian_bit_flags_alias.patch] (bmo#1488552)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 7 01:01:19 UTC 2018 - pcerny@suse.com
|
||
|
||
- update to Firefox ESR 60.2 (bsc#1107343)
|
||
* MFSA 2018-20/CVE-2018-12381
|
||
(bmo#1435319)
|
||
Dragging and dropping Outlook email message results in page
|
||
navigation
|
||
* MFSA 2018-20/CVE-2017-16541
|
||
(bmo#1412081)
|
||
Proxy bypass using automount and autofs
|
||
* MFSA 2018-20/CVE-2018-12376
|
||
(bmo#1450989, bmo#1466577, bmo#1466991, bmo#1467363,
|
||
bmo#1467889, bmo#1468738, bmo#1469309, bmo#1469914,
|
||
bmo#1471953, bmo#1472925, bmo#1473161, bmo#1478575,
|
||
bmo#1478849, bmo#1480092, bmo#1480517, bmo#1480521,
|
||
bmo#1481093, bmo#1483120)
|
||
Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
|
||
* MFSA 2018-20/CVE-2018-12377
|
||
(bmo#1470260)
|
||
Use-after-free in refresh driver timers
|
||
* MFSA 2018-20/CVE-2018-12378
|
||
(bmo#1459383)
|
||
Use-after-free in IndexedDB
|
||
* MFSA 2018-20/CVE-2018-12379
|
||
(bmo#1473113)
|
||
Out-of-bounds write with malicious MAR file
|
||
- removed obsolete patches:
|
||
[mozilla-glibc-getrandom.patch]
|
||
[firefox-no-default-ualocale.patch]
|
||
[mozilla-bmo1005640.patch]
|
||
[mozilla-language.patch]
|
||
[mozilla-shared-nss-db.patch]
|
||
- added patches
|
||
sync with openSUSE:
|
||
[mozilla-bmo1005535.patch]
|
||
[mozilla-bmo1375074.patch]
|
||
[mozilla-bmo1464766.patch]
|
||
[mozilla-bmo256180.patch]
|
||
[mozilla-i586-DecoderDoctorLogger.patch]
|
||
[mozilla-i586-domPrefs.patch]
|
||
additional architecture enablement:
|
||
[mozilla-ppc-altivec_static_inline.patch]
|
||
[mozilla-s390-context.patch]
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 27 13:26:39 UTC 2018 - pcerny@suse.com
|
||
|
||
- update to Firefox ESR 52.9 (bsc#1098998)
|
||
* MFSA 2018-17/CVE-2018-5188
|
||
(bmo#1392739, bmo#1437842, bmo#1442722, bmo#1450688,
|
||
bmo#1451297, bmo#1452576, bmo#1456189, bmo#1456975,
|
||
bmo#1458048, bmo#1458264, bmo#1458270, bmo#1463494,
|
||
bmo#1464063, bmo#1464079, bmo#1464829, bmo#1465108,
|
||
bmo#1465898)
|
||
Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and
|
||
Firefox ESR 52.9
|
||
* MFSA 2018-17/CVE-2018-12368
|
||
(bmo#1468217, bmo#https://posts.specterops.io/the-tale-of-
|
||
settingcontent-ms-files-f1ea253e4d39)
|
||
No warning when opening executable SettingContent-ms files
|
||
* MFSA 2018-17/CVE-2018-12366
|
||
(bmo#1464039)
|
||
Invalid data handling during QCMS transformations
|
||
* MFSA 2018-17/CVE-2018-12365
|
||
(bmo#1459206)
|
||
Compromised IPC child process can list local filenames
|
||
* MFSA 2018-17/CVE-2018-12364
|
||
(bmo#1436241)
|
||
CSRF attacks through 307 redirects and NPAPI plugins
|
||
* MFSA 2018-17/CVE-2018-12363
|
||
(bmo#1464784)
|
||
Use-after-free when appending DOM nodes
|
||
* MFSA 2018-17/CVE-2018-12362
|
||
(bmo#1452375)
|
||
Integer overflow in SSSE3 scaler
|
||
* MFSA 2018-17/CVE-2018-12360
|
||
(bmo#1459693)
|
||
Use-after-free when using focus()
|
||
* MFSA 2018-17/CVE-2018-5156
|
||
(bmo#1453127)
|
||
Media recorder segmentation fault when track type is changed
|
||
during capture
|
||
* MFSA 2018-17/CVE-2018-12359
|
||
(bmo#1459162)
|
||
Buffer overflow using computed size of canvas element
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 7 12:42:46 UTC 2018 - pcerny@suse.com
|
||
|
||
- update to Firefox 52.8.1 (bsc#1096449)
|
||
* MFSA 2018-14/CVE-2018-6126
|
||
(bmo#1462682)
|
||
Heap buffer overflow rasterizing paths in SVG with Skia
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 9 11:36:33 UTC 2018 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.8.0:
|
||
* Various stability and regression fixes
|
||
* Performance improvements to the Safe Browsing service to avoid
|
||
slowdowns while updating site classification data
|
||
- Security fixes (bsc#1092548, MFSA 2018-12):
|
||
* CVE-2018-5183 (bmo#1454692)
|
||
Backport critical security fixes in Skia
|
||
* CVE-2018-5154 (bmo#1443092)
|
||
Use-after-free with SVG animations and clip paths
|
||
* CVE-2018-5155 (bmo#1448774)
|
||
Use-after-free with SVG animations and text paths
|
||
* CVE-2018-5157 (bmo#1449898)
|
||
Same-origin bypass of PDF Viewer to view protected PDF files
|
||
* CVE-2018-5158 (bmo#1452075)
|
||
Malicious PDF can inject JavaScript into PDF Viewer
|
||
* CVE-2018-5159 (bmo#1441941)
|
||
Integer overflow and out-of-bounds write in Skia
|
||
* CVE-2018-5168 (bmo#1449548)
|
||
Lightweight themes can be installed without user interaction
|
||
* CVE-2018-5178 (bmo#1443891)
|
||
Buffer overflow during UTF-8 to Unicode string conversion
|
||
through legacy extension
|
||
* CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705,
|
||
bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415,
|
||
bmo#1426129)
|
||
Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 28 19:27:16 UTC 2018 - astieger@suse.com
|
||
|
||
- fix release tag and tarball to correctly identify 52.7.3esr
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 27 05:53:14 UTC 2018 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.7.3
|
||
MFSA 2018-10 (bsc#1087059)
|
||
* CVE-2018-5148 (bmo#1440717)
|
||
Use-after-free in compositor
|
||
- removed obsolete patch mozilla-bmo1446062.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 16 11:27:21 UTC 2018 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.7.2 (bsc#1085671)
|
||
MFSA 2018-08
|
||
* CVE-2018-5146 (bmo#1446062)
|
||
Out of bounds memory write in libvorbis
|
||
* CVE-2018-5147 (bmo#1446365)
|
||
Out of bounds memory write in libtremor
|
||
(in mozilla-bmo1446062.patch)
|
||
- Firefox 52.7.1 fixes
|
||
- issues with the IT locale (bmo#1445278)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 13 18:30:52 UTC 2018 - astieger@suse.com
|
||
|
||
- update to Firefox 52.7esr (bsc#1085130, MFSA 2018-07):
|
||
* CVE-2018-5127 (bmo#1430557)
|
||
Buffer overflow manipulating SVG animatedPathSegList
|
||
* CVE-2018-5129 (bmo#1428947)
|
||
Out-of-bounds write with malformed IPC messages
|
||
* CVE-2018-5130 (bmo#1433005)
|
||
Mismatched RTP payload type can trigger memory corruption
|
||
* CVE-2018-5131 (bmo#1440775)
|
||
Fetch API improperly returns cached copies of no-store/no-cache
|
||
resources
|
||
* CVE-2018-5144 (bmo#1440926)
|
||
Integer overflow during Unicode conversion
|
||
* CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450,
|
||
bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087,
|
||
bmo#1443865,bmo#1425520)
|
||
Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
|
||
* CVE-2018-5145 (bmo#1261175,bmo#1348955)
|
||
Memory safety bugs fixed in Firefox ESR 52.7
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 9 12:12:08 UTC 2018 - wr@rosenauer.org
|
||
|
||
- correct requires and provides handling (boo#1076907)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 23 19:04:46 UTC 2018 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.6esr (bsc#1077291)
|
||
MFSA 2018-01
|
||
* Speculative execution side-channel attack ("Spectre")
|
||
MFSA 2018-03
|
||
* CVE-2018-5091 (bmo#1423086)
|
||
Use-after-free with DTMF timers
|
||
* CVE-2018-5095 (bmo#1418447)
|
||
Integer overflow in Skia library during edge builder allocation
|
||
* CVE-2018-5096 (bmo#1418922)
|
||
Use-after-free while editing form elements
|
||
* CVE-2018-5097 (bmo#1387427)
|
||
Use-after-free when source document is manipulated during XSLT
|
||
* CVE-2018-5098 (bmo#1399400)
|
||
Use-after-free while manipulating form input elements
|
||
* CVE-2018-5099 (bmo#1416878)
|
||
Use-after-free with widget listener
|
||
* CVE-2018-5102 (bmo#1419363)
|
||
Use-after-free in HTML media elements
|
||
* CVE-2018-5103 (bmo#1423159)
|
||
Use-after-free during mouse event handling
|
||
* CVE-2018-5104 (bmo#1425000)
|
||
Use-after-free during font face manipulation
|
||
* CVE-2018-5117 (bmo#1395508)
|
||
URL spoofing with right-to-left text aligned left-to-right
|
||
* CVE-2018-5089
|
||
Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
|
||
- remove obsolete patch mozilla-ucontext.patch
|
||
- official NSS requirement is >= 3.28.6 therefore putting 3.29.5
|
||
into an ifarch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 17 17:07:25 UTC 2018 - wbauer@tmo.at
|
||
|
||
- Escape the usage of %{VERSION} when calling out to rpm.
|
||
RPM 4.14 has %{VERSION} defined as 'the main package's version'.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 16 17:03:01 UTC 2018 - cgrobertson@suse.com
|
||
|
||
- Added additional patches and configurations to fix
|
||
builds on s390 and PowerPC.
|
||
* Added firefox-glibc-getrandom.patch effecting builds on
|
||
s390 and PowerPC
|
||
* Added mozilla-s390-bigendian.patch along with icudt58b.dat
|
||
bigendian ICU data file for running Firefox on bigendian
|
||
architectures (bmo#1322212 and bmo#1264836)
|
||
* Added mozilla-s390-nojit.patch to enable atomic operations
|
||
used by the JS engine when JIT is disabled on s390
|
||
* Build configuration options specific to s390
|
||
* Requires NSS >= 3.29.5
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 29 19:52:34 UTC 2017 - astieger@suse.com
|
||
|
||
- Update to Firefox 52.5.3esr:
|
||
* Fix a crash reporting issue that inadvertently sends background
|
||
tab crash reports to Mozilla without user opt-in (bmo#1427111,
|
||
bsc#1074235)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 15 09:00:55 UTC 2017 - fcrozat@suse.com
|
||
|
||
- Add BuildRequires python-xml to fix build on TW/SLE15.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Dec 9 20:49:28 UTC 2017 - security@suse.com
|
||
|
||
- update to Firefox 52.5.2esr (MFSA 2017-28):
|
||
* CVE-2017-7843 (bsc#1072034, bmo#1410106)
|
||
Web worker in Private Browsing mode can write IndexedDB data
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 14 21:22:11 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.5.0esr (boo#1068101)
|
||
MFSA 2017-25
|
||
* CVE-2017-7828 (bmo#1406750. bmo#1412252)
|
||
Use-after-free of PressShell while restyling layout
|
||
* CVE-2017-7830 (bmo#1408990)
|
||
Cross-origin URL information leak through Resource Timing API
|
||
* CVE-2017-7826
|
||
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Oct 1 18:25:16 UTC 2017 - stefan.bruens@rwth-aachen.de
|
||
|
||
- Correct plugin directory for aarch64 (boo#1061207). The wrapper
|
||
script was not detecting aarch64 as a 64 bit architecture, thus
|
||
used /usr/lib/browser-plugins/.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Sep 30 20:10:50 UTC 2017 - zaitor@opensuse.org
|
||
|
||
- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
|
||
pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
|
||
pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
|
||
pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
|
||
looks for.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 29 08:56:27 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.4esr (boo#1060445)
|
||
* requires NSS >= 3.28.6
|
||
MFSA 2017-22
|
||
* CVE-2017-7793 (bmo#1371889)
|
||
Use-after-free with Fetch API
|
||
* CVE-2017-7818 (bmo#1363723)
|
||
Use-after-free during ARIA array manipulation
|
||
* CVE-2017-7819 (bmo#1380292)
|
||
Use-after-free while resizing images in design mode
|
||
* CVE-2017-7824 (bmo#1398381)
|
||
Buffer overflow when drawing and validating elements with ANGLE
|
||
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
|
||
Use-after-free in TLS 1.2 generating handshake hashes
|
||
* CVE-2017-7814 (bmo#1376036)
|
||
Blob and data URLs bypass phishing and malware protection warnings
|
||
* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
|
||
OS X fonts render some Tibetan and Arabic unicode characters as spaces
|
||
* CVE-2017-7823 (bmo#1396320)
|
||
CSP sandbox directive did not create a unique origin
|
||
* CVE-2017-7810
|
||
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
|
||
- fixed language accept header to use correct locale
|
||
(mozilla-bmo1005640.patch, boo#1029917)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 28 07:53:13 UTC 2017 - dimstar@opensuse.org
|
||
|
||
- Add alsa-devel BuildRequires: we care for ALSA support to be
|
||
built and thus need to ensure we get the dependencies in place.
|
||
In the past, alsa-devel was pulled in by accident: we
|
||
buildrequire libgnome-devel. This required esound-devel and that
|
||
in turn pulled in alsa-devel for us. libgnome is being fixed to
|
||
no longer require esound-devel.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 9 09:47:39 UTC 2017 - schwab@suse.de
|
||
|
||
- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 8 18:13:34 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.3esr (boo#1052829)
|
||
MFSA 2017-19
|
||
* CVE-2017-7798 (bmo#1371586, bmo#1372112)
|
||
XUL injection in the style editor in devtools
|
||
* CVE-2017-7800 (bmo#1374047)
|
||
Use-after-free in WebSockets during disconnection
|
||
* CVE-2017-7801 (bmo#1371259)
|
||
Use-after-free with marquee during window resizing
|
||
* CVE-2017-7784 (bmo#1376087)
|
||
Use-after-free with image observers
|
||
* CVE-2017-7802 (bmo#1378147)
|
||
Use-after-free resizing image elements
|
||
* CVE-2017-7785 (bmo#1356985)
|
||
Buffer overflow manipulating ARIA attributes in DOM
|
||
* CVE-2017-7786 (bmo#1365189)
|
||
Buffer overflow while painting non-displayable SVG
|
||
* CVE-2017-7753 (bmo#1353312)
|
||
Out-of-bounds read with cached style data and pseudo-elements#
|
||
* CVE-2017-7787 (bmo#1322896)
|
||
Same-origin policy bypass with iframes through page reloads
|
||
* CVE-2017-7807 (bmo#1376459)
|
||
Domain hijacking through AppCache fallback
|
||
* CVE-2017-7792 (bmo#1368652)
|
||
Buffer overflow viewing certificates with an extremely long OID
|
||
* CVE-2017-7804 (bmo#1372849)
|
||
Memory protection bypass through WindowsDllDetourPatcher
|
||
* CVE-2017-7791 (bmo#1365875)
|
||
Spoofing following page navigation with data: protocol and modal alerts
|
||
* CVE-2017-7782 (bmo#1344034)
|
||
WindowsDllDetourPatcher allocates memory without DEP protections
|
||
* CVE-2017-7803 (bmo#1377426)
|
||
CSP containing 'sandbox' improperly applied
|
||
* CVE-2017-7779
|
||
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 5 07:26:32 UTC 2017 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 52.2.1esr:
|
||
* Printing text does not work on Windows when Direct2D is
|
||
disabled (bmo#1318845)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 14 07:08:29 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.2esr (boo#1043960)
|
||
MFSA 2017-16
|
||
* CVE-2017-5472 (bmo#1365602)
|
||
Use-after-free using destroyed node when regenerating trees
|
||
* CVE-2017-7749 (bmo#1355039)
|
||
Use-after-free during docshell reloading
|
||
* CVE-2017-7750 (bmo#1356558)
|
||
Use-after-free with track elements
|
||
* CVE-2017-7751 (bmo#1363396)
|
||
Use-after-free with content viewer listeners
|
||
* CVE-2017-7752 (bmo#1359547)
|
||
Use-after-free with IME input
|
||
* CVE-2017-7754 (bmo#1357090)
|
||
Out-of-bounds read in WebGL with ImageInfo object
|
||
* CVE-2017-7755 (bmo#1361326)
|
||
Privilege escalation through Firefox Installer with same
|
||
directory DLL files (Windows only)
|
||
* CVE-2017-7756 (bmo#1366595)
|
||
Use-after-free and use-after-scope logging XHR header errors
|
||
* CVE-2017-7757 (bmo#1356824)
|
||
Use-after-free in IndexedDB
|
||
* CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
|
||
CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
|
||
CVE-2017-7777
|
||
Vulnerabilities in the Graphite 2 library
|
||
* CVE-2017-7758 (bmo#1368490)
|
||
Out-of-bounds read in Opus encoder
|
||
* CVE-2017-7760 (bmo#1348645)
|
||
File manipulation and privilege escalation via callback parameter
|
||
in Mozilla Windows Updater and Maintenance Service (Windows only)
|
||
* CVE-2017-7761 (bmo#1215648)
|
||
File deletion and privilege escalation through Mozilla Maintenance
|
||
Service helper.exe application (Windows only)
|
||
* CVE-2017-7764 (bmo#1364283)
|
||
Domain spoofing with combination of Canadian Syllabics and other
|
||
unicode blocks
|
||
* CVE-2017-7765 (bmo#1273265)
|
||
Mark of the Web bypass when saving executable files (Windows only)
|
||
* CVE-2017-7766 (bmo#1342742)
|
||
File execution and privilege escalation through updater.ini,
|
||
Mozilla Windows Updater, and Mozilla Maintenance Service
|
||
(Windows only)
|
||
* CVE-2017-7767 (bmo#1336964)
|
||
Privilege escalation and arbitrary file overwrites through Mozilla
|
||
Windows Updater and Mozilla Maintenance Service (Windows only)
|
||
* CVE-2017-7768 (bmo#1336979)
|
||
32 byte arbitrary file read through Mozilla Maintenance Service
|
||
(Windows only)
|
||
* CVE-2017-5470
|
||
Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
|
||
- requires NSS 3.28.5
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 23 14:00:40 UTC 2017 - wr@rosenauer.org
|
||
|
||
- remove -fno-inline-small-functions and explicitely optimize with
|
||
-O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 8 08:28:17 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.1.1
|
||
MFSA 2017-14
|
||
* CVE-2017-5031: Use after free in ANGLE (bmo#1328762)
|
||
(Windows only, Linux not affected)
|
||
- switch to Mozilla's geolocation service (boo#1026989)
|
||
- removed mozilla-preferences.patch obsoleted by overriding via
|
||
firefox.js
|
||
- fixed KDE integration to avoid crash caused by filepicker
|
||
(boo#1015998)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 12 21:43:16 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.1.0esr (boo#1035082)
|
||
MFSA 2017-12
|
||
* CVE-2017-5443 (bmo#1342661)
|
||
Out-of-bounds write during BinHex decoding
|
||
* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
|
||
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
|
||
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
|
||
Firefox ESR 52.1
|
||
* CVE-2017-5464 (bmo#1347075)
|
||
Memory corruption with accessibility and DOM manipulation
|
||
* CVE-2017-5465 (bmo#1347617)
|
||
Out-of-bounds read in ConvolvePixel
|
||
* CVE-2017-5466 (bmo#1353975)
|
||
Origin confusion when reloading isolated data:text/html URL
|
||
* CVE-2017-5467 (bmo#1347262)
|
||
Memory corruption when drawing Skia content
|
||
* CVE-2017-5460 (bmo#1343642)
|
||
Use-after-free in frame selection
|
||
* CVE-2017-5461 (bmo#1344380)
|
||
Out-of-bounds write in Base64 encoding in NSS
|
||
* CVE-2017-5448 (bmo#1346648)
|
||
Out-of-bounds write in ClearKeyDecryptor
|
||
* CVE-2017-5449 (bmo#1340127)
|
||
Crash during bidirectional unicode manipulation with animation
|
||
* CVE-2017-5446 (bmo#1343505)
|
||
Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
|
||
* CVE-2017-5447 (bmo#1343552)
|
||
Out-of-bounds read during glyph processing
|
||
* CVE-2017-5444 (bmo#1344461)
|
||
Buffer overflow while parsing application/http-index-format content
|
||
* CVE-2017-5445 (bmo#1344467)
|
||
Uninitialized values used while parsing application/http-index-format
|
||
content
|
||
* CVE-2017-5442 (bmo#1347979)
|
||
Use-after-free during style changes
|
||
* CVE-2017-5469 (bmo#1292534)
|
||
Potential Buffer overflow in flex-generated code
|
||
* CVE-2017-5440 (bmo#1336832)
|
||
Use-after-free in txExecutionState destructor during XSLT processing
|
||
* CVE-2017-5441 (bmo#1343795)
|
||
Use-after-free with selection during scroll events
|
||
* CVE-2017-5439 (bmo#1336830)
|
||
Use-after-free in nsTArray Length() during XSLT processing
|
||
* CVE-2017-5438 (bmo#1336828)
|
||
Use-after-free in nsAutoPtr during XSLT processing
|
||
* CVE-2017-5437 (bmo#1343453)
|
||
Vulnerabilities in Libevent library
|
||
* CVE-2017-5436 (bmo#1345461)
|
||
Out-of-bounds write with malicious font in Graphite 2
|
||
* CVE-2017-5435 (bmo#1350683)
|
||
Use-after-free during transaction processing in the editor
|
||
* CVE-2017-5434 (bmo#1349946)
|
||
Use-after-free during focus handling
|
||
* CVE-2017-5433 (bmo#1347168)
|
||
Use-after-free in SMIL animation functions
|
||
* CVE-2017-5432 (bmo#1346654)
|
||
Use-after-free in text input selection
|
||
* CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
|
||
bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
|
||
bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
|
||
Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
|
||
* CVE-2017-5459 (bmo#1333858)
|
||
Buffer overflow in WebGL
|
||
* CVE-2017-5462 (bmo#1345089)
|
||
DRBG flaw in NSS
|
||
* CVE-2017-5455 (bmo#1341191)
|
||
Sandbox escape through internal feed reader APIs
|
||
* CVE-2017-5454 (bmo#1349276)
|
||
Sandbox escape allowing file system read access through file
|
||
picker
|
||
* CVE-2017-5456 (bmo#1344415)
|
||
Sandbox escape allowing local file system access
|
||
* CVE-2017-5451 (bmo#1273537)
|
||
Addressbar spoofing with onblur event
|
||
- requires NSS 3.28.4
|
||
- rebased patches
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 3 06:28:34 UTC 2017 - wr@rosenauer.org
|
||
|
||
- switch package to use ESR52 branch
|
||
* enables plugin support by default
|
||
* service workers are disabled by default
|
||
* push notifications are disabled by default
|
||
* WebAssembly (wasm) is disabled
|
||
* Less use of multiprocess architecture Electrolysis (e10s)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 3 06:16:26 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.0.2
|
||
* Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
|
||
* Fix loading tab icons on session restore (bmo#1338009)
|
||
* Fix a crash on startup on Linux (bmo#1345413)
|
||
* Fix new installs erroneously not prompting to change the default
|
||
browser setting (bmo#1343938)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 20 15:35:57 UTC 2017 - wr@rosenauer.org
|
||
|
||
- disable rust usage for everything but x86(-64)
|
||
- explicitely add libffi build requirement
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 17 15:43:29 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.0.1 (boo#1029822)
|
||
MFSA 2017-08
|
||
CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 9 12:30:14 UTC 2017 - wr@rosenauer.org
|
||
|
||
- reenable ALSA support which was removed by default upstream
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Mar 4 16:57:45 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 52.0 (boo#1028391)
|
||
* requires NSS >= 3.28.3
|
||
* Pages containing insecure password fields now display a warning
|
||
directly within username and password fields.
|
||
* Send and open a tab from one device to another with Sync
|
||
* Removed NPAPI support for plugins other than Flash. Silverlight,
|
||
Java, Acrobat and the like are no longer supported.
|
||
* Removed Battery Status API to reduce fingerprinting of users by
|
||
trackers
|
||
* MFSA 2017-05
|
||
CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
|
||
(bmo#1334933)
|
||
CVE-2017-5401: Memory Corruption when handling ErrorResult
|
||
(bmo#1328861)
|
||
CVE-2017-5402: Use-after-free working with events in FontFace
|
||
objects (bmo#1334876)
|
||
CVE-2017-5403: Use-after-free using addRange to add range to an
|
||
incorrect root object (bmo#1340186)
|
||
CVE-2017-5404: Use-after-free working with ranges in selections
|
||
(bmo#1340138)
|
||
CVE-2017-5406: Segmentation fault in Skia with canvas operations
|
||
(bmo#1306890)
|
||
CVE-2017-5407: Pixel and history stealing via floating-point
|
||
timing side channel with SVG filters (bmo#1336622)
|
||
CVE-2017-5410: Memory corruption during JavaScript garbage
|
||
collection incremental sweeping (bmo#1330687)
|
||
CVE-2017-5408: Cross-origin reading of video captions in violation
|
||
of CORS (bmo#1313711)
|
||
CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
|
||
CVE-2017-5413: Segmentation fault during bidirectional operations
|
||
(bmo#1337504)
|
||
CVE-2017-5414: File picker can choose incorrect default directory
|
||
(bmo#1319370)
|
||
CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
|
||
CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
|
||
CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
|
||
(bmo#791597)
|
||
CVE-2017-5426: Gecko Media Plugin sandbox is not started if
|
||
seccomp-bpf filter is running (bmo#1257361)
|
||
CVE-2017-5427: Non-existent chrome.manifest file loaded during
|
||
startup (bmo#1295542)
|
||
CVE-2017-5418: Out of bounds read when parsing HTTP digest
|
||
authorization responses (bmo#1338876)
|
||
CVE-2017-5419: Repeated authentication prompts lead to DOS
|
||
attack (bmo#1312243)
|
||
CVE-2017-5420: Javascript: URLs can obfuscate addressbar
|
||
location (bmo#1284395)
|
||
CVE-2017-5405: FTP response codes can cause use of
|
||
uninitialized values for ports (bmo#1336699)
|
||
CVE-2017-5421: Print preview spoofing (bmo#1301876)
|
||
CVE-2017-5422: DOS attack by using view-source: protocol
|
||
repeatedly in one hyperlink (bmo#1295002)
|
||
CVE-2017-5399: Memory safety bugs fixed in Firefox 52
|
||
CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
|
||
Firefox ESR 45.8
|
||
- removed obsolete patches
|
||
* mozilla-binutils-visibility.patch
|
||
* mozilla-check_return.patch
|
||
* mozilla-disable-skia-be.patch
|
||
* mozilla-skia-overflow.patch
|
||
* mozilla-skia-ppc-endianess.patch
|
||
- rebased patches
|
||
- enable rust usage for Tumbleweed
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 27 20:25:59 UTC 2017 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 51.0.1:
|
||
- Multiprocess incompatibility did not correctly register with
|
||
some add-ons (bmo#1333423)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 20 13:57:56 UTC 2017 - wr@rosenauer.org
|
||
|
||
- update to Firefox 51.0
|
||
* requires NSPR >= 4.13.1, NSS >= 3.28.1
|
||
* Added support for FLAC (Free Lossless Audio Codec) playback
|
||
* Added support for WebGL 2
|
||
* Added Georgian (ka) and Kabyle (kab) locales
|
||
* Support saving passwords for forms without 'submit' events
|
||
* Improved video performance for users without GPU acceleration
|
||
* Zoom indicator is shown in the URL bar if the zoom level is not
|
||
at default level
|
||
* View passwords from the prompt before saving them
|
||
* Remove Belarusian (be) locale
|
||
* Use Skia for content rendering (Linux)
|
||
* MFSA 2017-01
|
||
CVE-2017-5375: Excessive JIT code allocation allows bypass of
|
||
ASLR and DEP (bmo#1325200, boo#1021814)
|
||
CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
|
||
CVE-2017-5377: Memory corruption with transforms to create
|
||
gradients in Skia (bmo#1306883, boo#1021826)
|
||
CVE-2017-5378: Pointer and frame data leakage of Javascript objects
|
||
(bmo#1312001, bmo#1330769, boo#1021818)
|
||
CVE-2017-5379: Use-after-free in Web Animations
|
||
(bmo#1309198,boo#1021827)
|
||
CVE-2017-5380: Potential use-after-free during DOM manipulations
|
||
(bmo#1322107, boo#1021819)
|
||
CVE-2017-5390: Insecure communication methods in Developer Tools
|
||
JSON viewer (bmo#1297361, boo#1021820)
|
||
CVE-2017-5389: WebExtensions can install additional add-ons via
|
||
modified host requests (bmo#1308688, boo#1021828)
|
||
CVE-2017-5396: Use-after-free with Media Decoder
|
||
(bmo#1329403, boo#1021821)
|
||
CVE-2017-5381: Certificate Viewer exporting can be used to navigate
|
||
and save to arbitrary filesystem locations
|
||
(bmo#1017616, boo#1021830)
|
||
CVE-2017-5382: Feed preview can expose privileged content errors
|
||
and exceptions (bmo#1295322, boo#1021831)
|
||
CVE-2017-5383: Location bar spoofing with unicode characters
|
||
(bmo#1323338, bmo#1324716, boo#1021822)
|
||
CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
|
||
(bmo#1255474, boo#1021832)
|
||
CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
|
||
response headers (bmo#1295945, boo#1021833)
|
||
CVE-2017-5386: WebExtensions can use data: protocol to affect other
|
||
extensions (bmo#1319070, boo#1021823)
|
||
CVE-2017-5394: Android location bar spoofing using fullscreen and
|
||
JavaScript events (bmo#1222798)
|
||
CVE-2017-5391: Content about: pages can load privileged about: pages
|
||
(bmo#1309310, boo#1021835)
|
||
CVE-2017-5392: Weak references using multiple threads on weak proxy
|
||
objects lead to unsafe memory usage (bmo#1293709)
|
||
(Android only)
|
||
CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for
|
||
mozAddonManager (bmo#1309282, boo#1021837)
|
||
CVE-2017-5395: Android location bar spoofing during scrolling
|
||
(bmo#1293463) (Android only)
|
||
CVE-2017-5387: Disclosure of local file existence through TRACK
|
||
tag error messages (bmo#1295023, boo#1021839)
|
||
CVE-2017-5388: WebRTC can be used to generate a large amount of
|
||
UDP traffic for DDOS attacks
|
||
(bmo#1281482, boo#1021840)
|
||
CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841)
|
||
CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and
|
||
Firefox ESR 45.7 (boo#1021824)
|
||
- switch Firefox to Gtk3 for Tumbleweed
|
||
- removed obsolete patches
|
||
* mozilla-flex_buffer_overrun.patch
|
||
- updated RPM locale support tag
|
||
- improve recognition of LANGUAGE env variable (boo#1017174)
|
||
- add upstream patch to fix PPC64LE (bmo#1319389)
|
||
(mozilla-skia-ppc-endianess.patch)
|
||
- fix build without skia (big endian archs) (bmo#1319374)
|
||
(mozilla-disable-skia-be.patch)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 50.1.0 (boo#1015422)
|
||
* MFSA 2016-94
|
||
CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
|
||
CVE-2016-9899: Use-after-free while manipulating DOM events and
|
||
audio elements (bmo#1317409)
|
||
CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
|
||
CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
|
||
CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
|
||
CVE-2016-9898: Use-after-free in Editor while manipulating
|
||
DOM subtrees (bmo#1314442)
|
||
CVE-2016-9900: Restricted external resources can be loaded by
|
||
SVG images through data URLs (bmo#1319122)
|
||
CVE-2016-9904: Cross-origin information leak in shared atoms
|
||
(bmo#1317936)
|
||
CVE-2016-9901: Data from Pocket server improperly sanitized
|
||
before execution (bmo#1320057)
|
||
CVE-2016-9902: Pocket extension does not validate the origin
|
||
of events (bmo#1320039)
|
||
CVE-2016-9903: XSS injection vulnerability in add-ons SDK
|
||
(bmo#1315435)
|
||
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
|
||
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
|
||
Firefox ESR 45.6
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 9 17:57:22 UTC 2016 - cgrobertson@novell.com
|
||
|
||
- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 1 02:49:45 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 50.0.2
|
||
* Firefox crashes with 3rd party Chinese IME when using IME text
|
||
(50.0.1)
|
||
security fixes (in 50.0.1): (boo#1012807)
|
||
* MFSA 2016-91
|
||
CVE-2016-9078: data: URL can inherit wrong origin after an
|
||
HTTP redirect (bmo#1317641)
|
||
security fixes (in 50.0.2) (boo#1012964)
|
||
* MFSA 2016-92
|
||
CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 50.0 (boo#1009026)
|
||
* requires NSS 3.26.2
|
||
new features
|
||
* Updates to keyboard shortcuts
|
||
Set a preference to have Ctrl+Tab cycle through tabs in recently
|
||
used order
|
||
View a page in Reader Mode by using Ctrl+Alt+R
|
||
* Added option to Find in page that allows users to limit search to
|
||
whole words only
|
||
* Added download protection for a large number of executable file
|
||
types on Windows, Mac and Linux
|
||
* Fixed rendering of dashed and dotted borders with rounded corners
|
||
(border-radius)
|
||
* Added a built-in Emoji set for operating systems without native
|
||
Emoji fonts (Windows 8.0 and lower and Linux)
|
||
* Blocked versions of libavcodec older than 54.35.1
|
||
* additional locale
|
||
security fixes:
|
||
* MFSA 2016-89
|
||
CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
|
||
(bmo#1292443)
|
||
CVE-2016-5292: URL parsing causes crash (bmo#1288482)
|
||
CVE-2016-5293: Write to arbitrary file with updater and moz
|
||
maintenance service using updater.log hardlink
|
||
(Windows only) (bmo#1246945)
|
||
CVE-2016-5294: Arbitrary target directory for result files of
|
||
update process (Windows only) (bmo#1246972)
|
||
CVE-2016-5297: Incorrect argument length checking in Javascript
|
||
(bmo#1303678)
|
||
CVE-2016-9064: Addons update must verify IDs match between
|
||
current and new versions (bmo#1303418)
|
||
CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen
|
||
(Android only) (bmo#1306696)
|
||
CVE-2016-9066: Integer overflow leading to a buffer overflow in
|
||
nsScriptLoadHandler (bmo#1299686)
|
||
CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
|
||
(bmo#1301777, bmo#1308922 (CVE-2016-9069))
|
||
CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
|
||
CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
|
||
(bmo#1300083) (Windows only)
|
||
CVE-2016-9075: WebExtensions can access the mozAddonManager API
|
||
and use it to gain elevated privileges (bmo#1295324)
|
||
CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
|
||
to cross-origin images, allowing timing attacks on them
|
||
(bmo#1298552)
|
||
CVE-2016-5291: Same-origin policy violation using local HTML file
|
||
and saved shortcut file (bmo#1292159)
|
||
CVE-2016-5295: Mozilla Maintenance Service: Ability to read
|
||
arbitrary files as SYSTEM (Windows only) (bmo#1247239)
|
||
CVE-2016-5298: SSL indicator can mislead the user about the real
|
||
URL visited (bmo#1227538) (Android only)
|
||
CVE-2016-5299: Firefox AuthToken in broadcast protected with
|
||
signature-level permission can be accessed by an
|
||
application installed beforehand that defines the
|
||
same permissions (bmo#1245791) (Android only)
|
||
CVE-2016-9061: API Key (glocation) in broadcast protected with
|
||
signature-level permission can be accessed by an
|
||
application installed beforehand that defines the
|
||
same permissions (Android only) (bmo#1245795)
|
||
CVE-2016-9062: Private browsing browser traces (android) in
|
||
browser.db and wal file (Android only) (bmo#1294438)
|
||
CVE-2016-9070: Sidebar bookmark can have reference to chrome window
|
||
(bmo#1281071)
|
||
CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
|
||
(bmo#1289273)
|
||
CVE-2016-9074: Insufficient timing side-channel resistance in
|
||
divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
|
||
CVE-2016-9076: select dropdown menu can be used for URL bar
|
||
spoofing on e10s (bmo#1276976)
|
||
CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
|
||
in expat (bmo#1274777)
|
||
CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
|
||
(bmo#1285003)
|
||
CVE-2016-5289: Memory safety bugs fixed in Firefox 50
|
||
CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
|
||
- make aarch64 build more similar to x86_64 build (remove conditionals
|
||
that don't seem to be necessary anymore)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 49.0.2:
|
||
* CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
|
||
* CVE-2016-5288: Web content can read cache entries (bsc#1006476)
|
||
* Asynchronous rendering of the Flash plugins is now enabled by
|
||
default
|
||
* Change D3D9 default fallback preference to prevent graphical
|
||
artifacts
|
||
* Network issue prevents some users from seeing the Firefox UI on
|
||
startup
|
||
* Web compatibility issue with file uploads
|
||
* Web compatibility issue with Array.prototype.values
|
||
* Diagnostic information on timing for tab switching
|
||
* Fix a Canvas filters graphics issue affecting HTML5 apps
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 12 20:42:28 UTC 2016 - badshah400@gmail.com
|
||
|
||
- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
|
||
and fixes have been incorporated by upstream.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 23 20:36:39 UTC 2016 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 49.0.1:
|
||
* Mitigate a startup crash issue caused by Websense - bmo#1304783
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 49.0 (boo#999701)
|
||
new features
|
||
* Updated Firefox Login Manager to allow HTTPS pages to use saved
|
||
HTTP logins.
|
||
* Added features to Reader Mode that make it easier on the eyes and
|
||
the ears
|
||
* Improved video performance for users on systems that support
|
||
SSE3 without hardware acceleration
|
||
* Added context menu controls to HTML5 audio and video that let users
|
||
loops files or play files at 1.25x speed
|
||
* Improvements in about:memory reports for tracking font memory usage
|
||
security related
|
||
* MFSA 2016-85
|
||
CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
|
||
mozilla::net::IsValidReferrerPolicy
|
||
CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
|
||
nsCaseTransformTextRunFactory::TransformString
|
||
CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
|
||
PropertyProvider::GetSpacingInternal
|
||
CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
|
||
CVE-2016-5273 (bmo#1280387) - crash in
|
||
mozilla::a11y::HyperTextAccessible::GetChildOffset
|
||
CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
|
||
mozilla::a11y::DocAccessible::ProcessInvalidationList
|
||
CVE-2016-5274 (bmo#1282076) - use-after-free in
|
||
nsFrameManager::CaptureFrameState
|
||
CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
|
||
CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
|
||
mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
|
||
CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
|
||
nsBMPEncoder::AddImageFrame
|
||
CVE-2016-5279 (bmo#1249522) - Full local path of files is available
|
||
to web pages after drag and drop
|
||
CVE-2016-5280 (bmo#1289970) - Use-after-free in
|
||
mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
|
||
CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
|
||
CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
|
||
from non-whitelisted schemes
|
||
CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can
|
||
reveal cross-origin data
|
||
CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
|
||
CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
|
||
CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
|
||
- removed obsolete patches:
|
||
* mozilla-aarch64-48bit-va.patch
|
||
* mozilla-exclude-nametablecpp.patch
|
||
* mozilla-old_configure-bmo1282843.patch
|
||
- added patch mozilla-skia-overflow.patch (bmo#1304114)
|
||
- requires NSS 3.25
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 30 20:25:38 UTC 2016 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 48.0.2:
|
||
* Mitigate a startup crash issue caused on Windows (bmo#1291738)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Aug 20 10:58:26 UTC 2016 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 48.0.1:
|
||
* Fix an audio regression impacting some major websites
|
||
(bmo#1295296)
|
||
* Fix a top crash in the JavaScript engine (bmo#1290469)
|
||
* Fix a startup crash issue caused by Websense (bmo#1291738)
|
||
* Fix a different behavior with e10s / non-e10s on <select> and
|
||
mouse events (bmo#1291078)
|
||
* Fix a top crash caused by plugin issues (bmo#1264530)
|
||
* Fix a shutdown issue (bmo#1276920)
|
||
* Fix a crash in WebRTC
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 15 11:24:00 UTC 2016 - wr@rosenauer.org
|
||
|
||
- added upstream patch so system plugins/extensions are correctly
|
||
loaded again on x86-64 (bmo#1282843)
|
||
(mozilla-old_configure-bmo1282843.patch)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com
|
||
|
||
- Fix for possible buffer overrun (bsc#990856)
|
||
CVE-2016-6354 (bmo#1292534)
|
||
[mozilla-flex_buffer_overrun.patch]
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 3 03:38:47 UTC 2016 - badshah400@gmail.com
|
||
|
||
- Update mozilla-gtk3_20.patch to latest version from Fedora.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 1 12:37:05 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 48.0 (boo#991809)
|
||
* requires NSS 3.24
|
||
* Process separation (e10s) is enabled for some of you
|
||
* Add-ons that have not been verified and signed by Mozilla will not load
|
||
* WebRTC embetterments
|
||
* The media parser has been redeveloped using the Rust programming
|
||
language
|
||
* better Canvas performance with speedy Skia support
|
||
security fixes:
|
||
* MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
|
||
Favicon network connection can persist when page is closed
|
||
* MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
|
||
Buffer overflow rendering SVG with bidirectional content
|
||
* MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
|
||
Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
|
||
* MFSA 2016-66/CVE-2016-5251 (bmo#1255570)
|
||
Location bar spoofing via data URLs with malformed/invalid mediatypes
|
||
* MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
|
||
Stack underflow during 2D graphics rendering
|
||
* MFSA 2016-68/CVE-2016-0718 (bmo#1236923)
|
||
Out-of-bounds read during XML parsing in Expat library
|
||
* MFSA 2016-69/CVE-2016-5253 (bmo#1246944)
|
||
Arbitrary file manipulation by local user through Mozilla updater
|
||
and callback application path parameter (Windows-only)
|
||
* MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
|
||
Use-after-free when using alt key and toplevel menus
|
||
* MFSA 2016-71/CVE-2016-5255 (bmo#1212356)
|
||
Crash in incremental garbage collection in JavaScript
|
||
* MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
|
||
Use-after-free in DTLS during WebRTC session shutdown
|
||
* MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
|
||
Use-after-free in service workers with nested sync events
|
||
* MFSA 2016-74/CVE-2016-5260 (bmo#1280294)
|
||
Form input type change from password to text can store plain
|
||
text password in session restore file
|
||
* MFSA 2016-75/CVE-2016-5261 (bmo#1287266)
|
||
Integer overflow in WebSockets during data buffering
|
||
* MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
|
||
Scripts on marquee tag can execute in sandboxed iframes
|
||
* MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
|
||
Buffer overflow in ClearKey Content Decryption Module (CDM)
|
||
during video playback
|
||
* MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
|
||
Type confusion in display transformation
|
||
* MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
|
||
Use-after-free when applying SVG effects
|
||
* MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
|
||
Same-origin policy violation using local HTML file and saved shortcut file
|
||
* MFSA 2016-81/CVE-2016-5266 (bmo#1226977)
|
||
Information disclosure and local file manipulation through drag and drop
|
||
* MFSA 2016-82/CVE-2016-5267 (bmo#1284372)
|
||
Addressbar spoofing with right-to-left characters on Firefox for Android
|
||
(Android only)
|
||
* MFSA 2016-83/CVE-2016-5268 (bmo#1253673)
|
||
Spoofing attack through text injection into internal error pages
|
||
* MFSA 2016-84/CVE-2016-5250 (bmo#1254688)
|
||
Information disclosure through Resource Timing API during page navigation
|
||
- removed obsolete mozilla-gcc6.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 29 01:26:13 UTC 2016 - badshah400@gmail.com
|
||
|
||
- Update description and screenshots in appdata.xml file.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jul 23 20:13:08 UTC 2016 - antoine.belvire@laposte.net
|
||
|
||
- Fix Firefox crash on startup on i586 (boo#986541):
|
||
* Add -fno-delete-null-pointer-checks and
|
||
-fno-inline-small-functions to CFLAGS
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 19 20:12:11 UTC 2016 - mailaender@opensuse.org
|
||
|
||
- Update the appdata.xml file (replace Windows XP screenshot)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 29 09:25:41 UTC 2016 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 47.0.1:
|
||
* Selenium WebDriver may cause Firefox to crash at startup
|
||
(bmo#1280854)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 15 07:52:18 UTC 2016 - wr@rosenauer.org
|
||
|
||
- mozilla-binutils-visibility.patch to fix build issues with
|
||
gcc/binutils combination used in Leap 42.2 (boo#984637)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 14 08:35:03 UTC 2016 - badshah400@gmail.com
|
||
|
||
- Update mozilla-gtk3_20.patch to latest version from Fedora.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 13 20:28:01 UTC 2016 - agraf@suse.com
|
||
|
||
- Fix running on 48bit va aarch64 (bsc#984126)
|
||
* add patch mozilla-aarch64-48bit-va.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 13 15:27:13 UTC 2016 - wr@rosenauer.org
|
||
|
||
- fix XUL dialog button order under KDE session (boo#984403)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 7 19:47:25 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 47.0 (boo#983549)
|
||
* Enable VP9 video codec for users with fast machines
|
||
* Embedded YouTube videos now play with HTML5 video if Flash is
|
||
not installed
|
||
* View and search open tabs from your smartphone or another
|
||
computer in a sidebar
|
||
* Allow no-cache on back/forward navigations for https resources
|
||
security fixes:
|
||
* MFSA 2016-49/CVE-2016-2815/CVE-2016-2818
|
||
(boo#983638)
|
||
(bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743,
|
||
bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493,
|
||
bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752,
|
||
bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130,
|
||
bmo#1269729, bmo#1273202, bmo#1273701)
|
||
Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
|
||
* MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381)
|
||
Buffer overflow parsing HTML5 fragments
|
||
* MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460)
|
||
Use-after-free deleting tables from a contenteditable document
|
||
* MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129)
|
||
Addressbar spoofing though the SELECT element
|
||
* MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580)
|
||
Out-of-bounds write with WebGL shader
|
||
* MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093)
|
||
Partial same-origin-policy through setting location.host
|
||
through data URI
|
||
* MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810)
|
||
Use-after-free when textures are used in WebGL operations
|
||
after recycle pool destruction
|
||
* MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329)
|
||
Incorrect icon displayed on permissions notifications
|
||
* MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933)
|
||
Entering fullscreen and persistent pointerlock without user
|
||
permission
|
||
* MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267)
|
||
Information disclosure of disabled plugins through CSS
|
||
pseudo-classes
|
||
* MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933)
|
||
Java applets bypass CSP protections
|
||
* MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283,
|
||
bmo#1221620, bmo#1241034, bmo#1241037)
|
||
Network Security Services (NSS) vulnerabilities
|
||
fixed by requiring NSS 3.23
|
||
packaging changes:
|
||
* cleanup configure options (boo#981695):
|
||
- notably remove GStreamer support which is gone from FF
|
||
* remove obsolete patches
|
||
- mozilla-libproxy.patch
|
||
- mozilla-repo.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 25 16:36:23 UTC 2016 - badshah400@gmail.com
|
||
|
||
- The conditional testing for gcc was failing for different
|
||
openSUSE versions, drop it and apply patches unconditionally.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 23 15:30:27 UTC 2016 - badshah400@gmail.com
|
||
|
||
- Add patches to fix building with gcc6:
|
||
+ mozilla-gcc6.patch: fix building with gcc >= 6.1; patch
|
||
taken from upstream:
|
||
https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
|
||
+ mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp
|
||
from unified compilation because #include <cmath> in other
|
||
source files causes gcc6 compilation failure; patch taken from
|
||
upstream:
|
||
https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 13 00:00:00 CEST 2016 - dsterba@suse.cz
|
||
|
||
- enable build with PIE and full relro on x86_64 (boo#980384)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 4 10:27:43 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 46.0.1
|
||
Fixed:
|
||
* Search plugin issue for various locales
|
||
* Add-on signing certificate expiration
|
||
* Service worker update issue
|
||
* Build issue when jit is disabled
|
||
* Limit Sync registration updates
|
||
- removed now obsolete mozilla-jit_branch64.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 3 15:47:18 UTC 2016 - normand@linux.vnet.ibm.com
|
||
|
||
- add mozilla-jit_branch64.patch to avoid PowerPC build failure
|
||
(from bmo#1266366)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 27 08:39:28 UTC 2016 - badshah400@gmail.com
|
||
|
||
- Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest
|
||
version from Fedora).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 27 06:09:30 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 46.0 (boo#977333)
|
||
* Improved security of the JavaScript Just In Time (JIT) Compiler
|
||
* WebRTC fixes to improve performance and stability
|
||
* Added support for document.elementsFromPoint
|
||
* Added HKDF support for Web Crypto API
|
||
* requires NSPR 4.12 and NSS 3.22.3
|
||
* added patch to fix unchecked return value
|
||
mozilla-check_return.patch
|
||
* Gtk3 builds not supported at the moment
|
||
security fixes:
|
||
* MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807
|
||
(boo#977373, boo#977375, boo#977376)
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377)
|
||
Privilege escalation through file deletion by Maintenance Service updater
|
||
(Windows only)
|
||
* MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378)
|
||
Content provider permission bypass allows malicious application
|
||
to access data (Android only)
|
||
* MFSA 2016-42/CVE-2016-2811/CVE-2016-2812
|
||
(bmo#1252330, bmo#1261776, boo#977379)
|
||
Use-after-free and buffer overflow in Service Workers
|
||
* MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380)
|
||
Disclosure of user actions through JavaScript with motion and
|
||
orientation sensors (only affects mobile variants)
|
||
* MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381)
|
||
Buffer overflow in libstagefright with CENC offsets
|
||
* MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382)
|
||
CSP not applied to pages sent with multipart/x-mixed-replace
|
||
* MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384)
|
||
Elevation of privilege with chrome.tabs.update API in web extensions
|
||
* MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386)
|
||
Write to invalid HashMap entry through JavaScript.watch()
|
||
* MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388)
|
||
Firefox Health Reports could accept events from untrusted domains
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Apr 21 12:00:28 UTC 2016 - badshah400@gmail.com
|
||
|
||
- Update mozilla-gtk3_20.patch to fix scrollbar appearance under
|
||
gtk >= 3.20 (patch synced to Fedora's version).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 12 19:11:30 UTC 2016 - badshah400@gmail.com
|
||
|
||
- Compile against gtk3 depending on whether the macro
|
||
%firefox_use_gtk3 is defined or not (e.g., at the prjconf
|
||
level); macro is undefined by default and so gtk2 is used as the
|
||
default toolkit.
|
||
- Add BuildRequires for additional packages needed when building
|
||
against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0),
|
||
pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).
|
||
- Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20;
|
||
patch taken from Fedora (bmo#1230955).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 11 22:49:24 UTC 2016 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 45.0.2:
|
||
* Fix an issue impacting the cookie header when third-party
|
||
cookies are blocked (bmo#1257861)
|
||
* Fix a web compatibility regression impacting the srcset
|
||
attribute of the image tag (bmo#1259482)
|
||
* Fix a crash impacting the video playback with Media Source
|
||
Extension (bmo#1258562)
|
||
* Fix a regression impacting some specific uploads (bmo#1255735)
|
||
* Fix a regression with the copy and paste with some old versions
|
||
of some Gecko applications like Thunderbird (bmo#1254980)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 18 08:52:58 UTC 2016 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 45.0.1:
|
||
* Fix a regression causing search engine settings to be lost in
|
||
some context (bmo#1254694)
|
||
* Bring back non-standard jar: URIs to fix a regression in IBM
|
||
iNotes (bmo#1255139)
|
||
* XSLTProcessor.importStylesheet was failing when <import> was
|
||
used (bmo#1249572)
|
||
* Fix an issue which could cause the list of search provider to
|
||
be empty (bmo#1255605)
|
||
* Fix a regression when using the location bar (bmo#1254503)
|
||
* Fix some loading issues when Accept third-party cookies: was
|
||
set to Never (bmo#1254856)
|
||
* Disabled Graphite font shaping library
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Mar 6 19:52:13 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 45.0 (boo#969894)
|
||
* requires NSPR 4.12 / NSS 3.21.1
|
||
* Instant browser tab sharing through Hello
|
||
* Synced Tabs button in button bar
|
||
* Tabs synced via Firefox Accounts from other devices are now shown
|
||
in dropdown area of Awesome Bar when searching
|
||
* Introduce a new preference (network.dns.blockDotOnion) to allow
|
||
blocking .onion at the DNS level
|
||
* Tab Groups (Panorama) feature removed
|
||
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
|
||
Local file overwriting and potential privilege escalation through
|
||
CSP reports
|
||
* MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
|
||
CSP reports fail to strip location information for embedded iframe pages
|
||
* MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
|
||
Linux video memory DOS with Intel drivers
|
||
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
|
||
Memory leak in libstagefright when deleting an array during MP4
|
||
processing
|
||
* MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
|
||
Displayed page address can be overridden
|
||
* MFSA 2016-22/CVE-2016-1959 (bmo#1234949)
|
||
Service Worker Manager out-of-bounds read in Service Worker Manager
|
||
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
|
||
Use-after-free in HTML5 string parser
|
||
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
|
||
Use-after-free in SetBody
|
||
* MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
|
||
Use-after-free when using multiple WebRTC data channels
|
||
* MFSA 2016-26/CVE-2016-1963 (bmo#1238440)
|
||
Memory corruption when modifying a file being read by FileReader
|
||
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
|
||
Use-after-free during XML transformations
|
||
* MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
|
||
Addressbar spoofing though history navigation and Location protocol
|
||
property
|
||
* MFSA 2016-29/CVE-2016-1967 (bmo#1246956)
|
||
Same-origin policy violation using perfomance.getEntries and
|
||
history navigation with session restore
|
||
* MFSA 2016-30/CVE-2016-1968 (bmo#1246742)
|
||
Buffer overflow in Brotli decompression
|
||
* MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
|
||
Memory corruption with malicious NPAPI plugin
|
||
* MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/
|
||
CVE-2016-1976/CVE-2016-1972
|
||
WebRTC and LibVPX vulnerabilities found through code inspection
|
||
* MFSA 2016-33/CVE-2016-1973 (bmo#1219339)
|
||
Use-after-free in GetStaticInstance in WebRTC
|
||
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
|
||
Out-of-bounds read in HTML parser following a failed allocation
|
||
* MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
|
||
Buffer overflow during ASN.1 decoding in NSS
|
||
(fixed by requiring 3.21.1)
|
||
* MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
|
||
Use-after-free during processing of DER encoded keys in NSS
|
||
(fixed by requiring 3.21.1)
|
||
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
|
||
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
|
||
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
|
||
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
|
||
Font vulnerabilities in the Graphite 2 library
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Mar 5 15:27:00 UTC 2016 - olaf@aepfle.de
|
||
|
||
- Remove B_CNT from symbols.zip filename to reduce build-compare noise
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 26 16:22:52 UTC 2016 - astieger@suse.com
|
||
|
||
- fix build problems on i586, caused by too large unified compile
|
||
units - adding mozilla-reduce-files-per-UnifiedBindings.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 11 07:51:34 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 44.0.2
|
||
* MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438)
|
||
Same-origin-policy violation using Service Workers with plugins
|
||
* Fix issue which could lead to the removal of stored passwords
|
||
under certain circumstances (bmo#1242176)
|
||
* Allows spaces in cookie names (bmo#1244505)
|
||
* Disable opus/vorbis audio with H.264 (bmo#1245696)
|
||
* Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
|
||
* Fix a crash in cache networking (bmo#1244076)
|
||
* Fix using WebSockets in service worker controlled pages (bmo#1243942)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jan 30 08:28:17 UTC 2016 - dmueller@suse.com
|
||
|
||
- build fixes for arm/aarch64:
|
||
* disable webrtc for arm/aarch64
|
||
* switch away from openGL-ES backend to default for arm/aarch64
|
||
since it almost never builds
|
||
* reenable neon
|
||
- reenable webrtc for powerpc as it seems to build
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jan 24 09:33:15 UTC 2016 - wr@rosenauer.org
|
||
|
||
- update to Firefox 44.0
|
||
* MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634
|
||
Out of Memory crash when parsing GIF format images
|
||
* MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635
|
||
Buffer overflow in WebGL after out of memory allocation
|
||
* MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637
|
||
Firefox allows for control characters to be set in cookie names
|
||
* MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641
|
||
Missing delay following user click events in protocol handler dialog
|
||
* MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731
|
||
Errors in mp_div and mp_exptmod cryptographic functions in NSS
|
||
(fixed by requiring NSS 3.21)
|
||
* MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590)
|
||
Addressbar spoofing attacks boo#963643
|
||
* MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946
|
||
(bmo#1186621, bmo#1214782, bmo#1232096) boo#963644
|
||
Unsafe memory manipulation found through code inspection
|
||
* MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645
|
||
Application Reputation service disabled in Firefox 43
|
||
* requires NSPR 4.11
|
||
* requires NSS 3.21
|
||
- prepare mozilla-kde.patch for Gtk3 builds
|
||
- rebased patches
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 11 08:04:24 UTC 2016 - astieger@suse.com
|
||
|
||
- Mozilla Firefox 43.0.4:
|
||
* Re-enable SHA-1 certificates to prevent outdated
|
||
man-in-the-middle security devices from interfering with
|
||
properly secured SSL/TLS connections (bmo#1236975)
|
||
* Fix for startup crash for users of a third party antivirus tool
|
||
(bmo#1235537)
|
||
- The following change was previously in the package as a patch:
|
||
* Multi-user GNU/Linux download folders can be created
|
||
(bmo#1233434), removed mozilla-bmo1233434.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Dec 29 20:29:35 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 43.0.3
|
||
* requires NSS 3.20.2 to fix
|
||
MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
|
||
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
|
||
server signature
|
||
* various changes to support Windows update (SHA-1 vs. SHA-2)
|
||
* workaround Youtube user agent detection issue (bmo#1233970)
|
||
- fix file download regression for multi user systems
|
||
(bmo#1233434) (mozilla-bmo1233434.patch)
|
||
- explicitely requires libXcomposite-devel
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Dec 13 23:07:56 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 43.0 (bnc#959277)
|
||
* Improved API support for m4v video playback
|
||
* Users can opt-in to receive search suggestions from the Awesome Bar
|
||
* WebRTC streaming on multiple monitors
|
||
* User selectable second block list for Private Browsing's Tracking
|
||
Protection
|
||
security fixes:
|
||
* MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
|
||
Crash with JavaScript variable assignment with unboxed objects
|
||
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
|
||
Same-origin policy violation using perfomance.getEntries and
|
||
history navigation
|
||
* MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
|
||
Firefox allows for control characters to be set in cookies
|
||
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
|
||
Use-after-free in WebRTC when datachannel is used after being
|
||
destroyed
|
||
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
|
||
Integer overflow allocating extremely large textures
|
||
* MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
|
||
Cross-origin information leak through web workers error events
|
||
* MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
|
||
Hash in data URI is incorrectly parsed
|
||
* MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
|
||
DOS due to malformed frames in HTTP/2
|
||
* MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
|
||
Linux file chooser crashes on malformed images due to flaws in
|
||
Jasper library
|
||
* MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221
|
||
(bmo#1201183, bmo#1178033, bmo#1199400)
|
||
Buffer overflows found through code inspection
|
||
* MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
|
||
Underflow through code inspection
|
||
* MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
|
||
Integer overflow in MP4 playback in 64-bit versions
|
||
* MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
|
||
Integer underflow and buffer overflow processing MP4 metadata in
|
||
libstagefright
|
||
* MFSA 2015-148/CVE-2015-7223 (bmo#1226423)
|
||
Privilege escalation vulnerabilities in WebExtension APIs
|
||
* MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
|
||
Cross-site reading attack through data and view-source URIs
|
||
- rebased patches
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Nov 15 19:52:20 UTC 2015 - wr@rosenauer.org
|
||
|
||
- Add desktop menu action for private browsing window to desktop
|
||
file (boo#954747)
|
||
- remove obsolete patch mozilla-bmo1005535.patch completely from
|
||
source package to avoid automatic check failures
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 31 19:50:03 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 42.0 (bnc#952810)
|
||
* Private Browsing with Tracking Protection blocks certain Web
|
||
elements that could be used to record your behavior across sites
|
||
* Control Center that contains site security and privacy controls
|
||
* Login Manager improvements
|
||
* WebRTC improvements
|
||
* Indicator added to tabs that play audio with one-click muting
|
||
* Media Source Extension for HTML5 video available for all sites
|
||
security fixes:
|
||
* MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
|
||
Information disclosure through NTLM authentication
|
||
* MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
|
||
CSP bypass due to permissive Reader mode whitelist
|
||
* MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
|
||
Firefox for Android addressbar can be removed after fullscreen mode
|
||
* MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
|
||
Reading sensitive profile files through local HTML file on Android
|
||
* MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
|
||
disabling scripts in Add-on SDK panels has no effect
|
||
* MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
|
||
Trailing whitespace in IP address hostnames can bypass same-origin policy
|
||
* MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
|
||
Buffer overflow during image interactions in canvas
|
||
* MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
|
||
Android intents can be used on Firefox for Android to open privileged files
|
||
* MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
|
||
XSS attack through intents on Firefox for Android
|
||
* MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
|
||
Crash when accessing HTML tables with accessibility tools on OS X
|
||
* MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
|
||
CORS preflight is bypassed when non-standard Content-Type headers
|
||
are received
|
||
* MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
|
||
Memory corruption in libjar through zip files
|
||
* MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
|
||
Certain escaped characters in host of Location-header are being
|
||
treated as non-escaped
|
||
* MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
|
||
JavaScript garbage collection crash with Java applet
|
||
* MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
|
||
(bmo#1188010, bmo#1204061, bmo#1204155)
|
||
Vulnerabilities found through code inspection
|
||
* MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
|
||
Mixed content WebSocket policy bypass through workers
|
||
* MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
|
||
(bmo#1202868, bmo#1205157)
|
||
NSS and NSPR memory corruption issues
|
||
(fixed in mozilla-nspr and mozilla-nss packages)
|
||
- requires NSPR >= 4.10.10 and NSS >= 3.19.4
|
||
- removed obsolete patches
|
||
* mozilla-arm-disable-edsp.patch
|
||
* mozilla-icu-strncat.patch
|
||
* mozilla-skia-be-le.patch
|
||
* toolkit-download-folder.patch
|
||
- fixed build with enable-libproxy (bmo#1220399)
|
||
* mozilla-libproxy.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 15 08:25:54 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 41.0.2 (bnc#950686)
|
||
* MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669)
|
||
Cross-origin restriction bypass using Fetch
|
||
- added explicit appdata provides (bnc#949983)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Oct 4 09:20:56 UTC 2015 - wr@rosenauer.org
|
||
|
||
- do not build with --enable-stdcxx-compat
|
||
(this starts to fail build on various toolchain combinations
|
||
and is not required for openSUSE builds in general
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 1 09:49:57 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 41.0.1
|
||
* Fix a startup crash related to Yandex toolbar and Adblock Plus
|
||
(bmo#1209124)
|
||
* Fix potential hangs with Flash plugins (bmo#1185639)
|
||
* Fix a regression in the bookmark creation (bmo#1206376)
|
||
* Fix a startup crash with some Intel Media Accelerator 3150
|
||
graphic cards (bmo#1207665)
|
||
* Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Sep 19 20:23:29 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 41.0 (bnc#947003)
|
||
* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2015-97/CVE-2015-4503 (bmo#994337)
|
||
Memory leak in mozTCPSocket to servers
|
||
* MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
|
||
Out of bounds read in QCMS library with ICC V4 profile attributes
|
||
* MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)
|
||
Site attribute spoofing on Android by pasting URL with unknown scheme
|
||
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
|
||
Arbitrary file manipulation by local user through Mozilla updater
|
||
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
|
||
Buffer overflow in libvpx while parsing vp9 format video
|
||
* MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
|
||
Crash when using debugger with SavedStacks in JavaScript
|
||
* MFSA 2015-103/CVE-2015-4508 (bmo#1195976)
|
||
URL spoofing in reader mode
|
||
* MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
|
||
Use-after-free with shared workers and IndexedDB
|
||
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
|
||
Buffer overflow while decoding WebM video
|
||
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
|
||
Use-after-free while manipulating HTML media content
|
||
* MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
|
||
Out-of-bounds read during 2D canvas display on Linux 16-bit
|
||
color depth systems
|
||
* MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
|
||
Scripted proxies can access inner window
|
||
* MFSA 2015-109/CVE-2015-4516 (bmo#904886)
|
||
JavaScript immutable property enforcement can be bypassed
|
||
* MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
|
||
Dragging and dropping images exposes final URL after redirects
|
||
* MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
|
||
Errors in the handling of CORS preflight request headers
|
||
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
|
||
CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
|
||
CVE-2015-7180
|
||
Vulnerabilities found through code inspection
|
||
* MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
|
||
bmo#1190526) (Windows only)
|
||
Memory safety errors in libGLES in the ANGLE graphics library
|
||
* MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)
|
||
Information disclosure via the High Resolution Time API
|
||
- rebased patches
|
||
- removed obsolete patches
|
||
* mozilla-arm64-libjpeg-turbo.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 27 06:03:51 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 40.0.3 (bnc#943550)
|
||
* Disable the asynchronous plugin initialization (bmo#1198590)
|
||
* Fix a segmentation fault in the GStreamer support (bmo#1145230)
|
||
* Fix a regression with some Japanese fonts used in the <input>
|
||
field (bmo#1194055)
|
||
* On some sites, the selection in a select combox box using the
|
||
mouse could be broken (bmo#1194733)
|
||
security fixes
|
||
* MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
|
||
Use-after-free when resizing canvas element during restyling
|
||
* MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
|
||
Add-on notification bypass through data URLs
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 7 07:49:49 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 40.0 (bnc#940806)
|
||
* Added protection against unwanted software downloads
|
||
* Suggested Tiles show sites of interest, based on categories
|
||
from your recent browsing history
|
||
* Hello allows adding a link to conversations to provide context
|
||
on what the conversation will be about
|
||
* New style for add-on manager based on the in-content
|
||
preferences style
|
||
* Improved scrolling, graphics, and video playback performance
|
||
with off main thread compositing (GNU/Linux only)
|
||
* Graphic blocklist mechanism improved: Firefox version ranges
|
||
can be specified, limiting the number of devices blocked
|
||
security fixes:
|
||
* MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
|
||
Out-of-bounds read with malformed MP3 file
|
||
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
|
||
Use-after-free in MediaStream playback
|
||
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
|
||
Redefinition of non-configurable JavaScript object properties
|
||
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
|
||
Overflow issues in libstagefright
|
||
* MFSA 2015-84/CVE-2015-4481 (bmo1171518)
|
||
Arbitrary file overwriting through Mozilla Maintenance Service
|
||
with hard links (only affected Windows)
|
||
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
|
||
Out-of-bounds write with Updater and malicious MAR file
|
||
(does not affect openSUSE RPM packages which do not ship the
|
||
updater)
|
||
* MFSA 2015-86/CVE-2015-4483 (bmo#1148732)
|
||
Feed protocol with POST bypasses mixed content protections
|
||
* MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
|
||
Crash when using shared memory in JavaScript
|
||
* MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
|
||
Heap overflow in gdk-pixbuf when scaling bitmap images
|
||
* MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
|
||
Buffer overflows on Libvpx when decoding WebM video
|
||
* MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
|
||
Vulnerabilities found through code inspection
|
||
* MFSA 2015-91/CVE-2015-4490 (bmo#1086999)
|
||
Mozilla Content Security Policy allows for asterisk wildcards
|
||
in violation of CSP specification
|
||
* MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
|
||
Use-after-free in XMLHttpRequest with shared workers
|
||
- added mozilla-no-stdcxx-check.patch
|
||
- removed obsolete patches
|
||
* mozilla-add-glibcxx_use_cxx11_abi.patch
|
||
* firefox-multilocale-chrome.patch
|
||
- rebased patches
|
||
- requires version 40 of the branding package
|
||
- removed browser/searchplugins/ location as it's not valid anymore
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 7 07:09:39 UTC 2015 - wr@rosenauer.org
|
||
|
||
- security update to Firefox 39.0.3 (bnc#940918)
|
||
* MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)
|
||
Same origin violation and local file stealing via PDF reader
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 1 06:43:02 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 39.0 (bnc#935979)
|
||
* Share Hello URLs with social networks
|
||
* Support for 'switch' role in ARIA 1.1 (web accessibility)
|
||
* SafeBrowsing malware detection lookups enabled for downloads
|
||
(Mac OS X and Linux)
|
||
* Support for new Unicode 8.0 skin tone emoji
|
||
* Removed support for insecure SSLv3 for network communications
|
||
* Disable use of RC4 except for temporarily whitelisted hosts
|
||
* NPAPI Plug-in performance improved via asynchronous initialization
|
||
security fixes:
|
||
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
|
||
Local files or privileged URLs in pages can be opened into new tabs
|
||
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
|
||
Type confusion in Indexed Database Manager
|
||
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
|
||
Out-of-bound read while computing an oscillator rendering range in Web Audio
|
||
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
|
||
Use-after-free in Content Policy due to microtask execution error
|
||
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
|
||
ECDSA signature validation fails to handle some signatures correctly
|
||
(this fix is shipped by NSS 3.19.1 externally)
|
||
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
|
||
Use-after-free in workers while using XMLHttpRequest
|
||
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
|
||
CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
|
||
Vulnerabilities found through code inspection
|
||
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
|
||
Key pinning is ignored when overridable errors are encountered
|
||
* MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
|
||
OS X crash reports may contain entered key press information
|
||
(not relevant under Linux)
|
||
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
|
||
Privilege escalation in PDF.js
|
||
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
|
||
NSS accepts export-length DHE keys with regular DHE cipher suites
|
||
(this fix is shipped by NSS 3.19.1 externally)
|
||
* MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
|
||
NSS incorrectly permits skipping of ServerKeyExchange
|
||
(this fix is shipped by NSS 3.19.1 externally)
|
||
- dropped mozilla-prefer_plugin_pref.patch as this feature is
|
||
likely not worth maintaining further
|
||
- rebased patches
|
||
- require NSS 3.19.2
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 18 10:30:18 UTC 2015 - schwab@suse.de
|
||
|
||
- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jun 7 07:09:12 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 38.0.6
|
||
* fixes bmo#1171730 which is not really relevant to oS builds
|
||
- fix KDE regression from 38.0.5 builds (bsc#933439)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat May 23 21:13:49 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 38.0.5
|
||
* Keep track of articles and videos with Pocket
|
||
* Clean formatting for articles and blog posts with Reader View
|
||
* Share the active tab or window in a Hello conversation
|
||
- add changes file as source for SRPM (bsc#932142)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 15 10:40:19 UTC 2015 - normand@linux.vnet.ibm.com
|
||
|
||
- add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1153109
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 15 07:37:46 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 38.0.1
|
||
stability and regression fixes
|
||
* Systems with first generation NVidia Optimus graphics cards
|
||
may crash on start-up
|
||
* Users who import cookies from Google Chrome can end up with
|
||
broken websites
|
||
* Large animated images may fail to play and may stop other
|
||
images from loading
|
||
|
||
-------------------------------------------------------------------
|
||
Sun May 10 07:07:49 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 38.0 (bnc#930622)
|
||
* New tab-based preferences
|
||
* Ruby annotation support
|
||
* more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
|
||
security fixes:
|
||
* MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2015-47/VE-2015-0797 (bmo#1080995)
|
||
Buffer overflow parsing H.264 video with Linux Gstreamer
|
||
* MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
|
||
Buffer overflow with SVG content and CSS
|
||
* MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
|
||
Referrer policy ignored when links opened by middle-click and
|
||
context menu
|
||
* MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
|
||
Out-of-bounds read and write in asm.js validation
|
||
* MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
|
||
Use-after-free during text processing with vertical text enabled
|
||
* MFSA 2015-53/CVE-2015-2715 (bmo#988698)
|
||
Use-after-free due to Media Decoder Thread creation during shutdown
|
||
* MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
|
||
Buffer overflow when parsing compressed XML
|
||
* MFSA 2015-55/CVE-2015-2717 (bmo#1154683)
|
||
Buffer overflow and out-of-bounds read while parsing MP4 video
|
||
metadata
|
||
* MFSA 2015-56/CVE-2015-2718 (bmo#1146724)
|
||
Untrusted site hosting trusted page can intercept webchannel
|
||
responses
|
||
* MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
|
||
Privilege escalation through IPC channel messages
|
||
- requires NSS 3.18.1
|
||
- removed obsolete patches:
|
||
* mozilla-skia-bmo1136958.patch
|
||
- remove gnomevfs build options as it is removed from sources
|
||
- rebased patches
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 17 16:39:20 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 37.0.2 (bnc#928116)
|
||
* MFSA 2015-45/CVE-2015-2706 (bmo#1141081)
|
||
Memory corruption during failed plugin initialization
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 3 08:27:24 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 37.0.1 (bnc#926166)
|
||
* MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only)
|
||
Loading privileged content through Reader mode
|
||
* MFSA 2015-44/CVE-2015-0799 (bmo#1148328)
|
||
Certificate verification bypass through the HTTP/2 Alt-Svc header
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Mar 28 09:46:48 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 37.0 (bnc#925368)
|
||
* Heartbeat user rating system
|
||
* Yandex set as default search provider for the Turkish locale
|
||
* Bing search now uses HTTPS for secure searching
|
||
* Improved protection against site impersonation via OneCRL
|
||
centralized certificate revocation
|
||
* Opportunistically encrypt HTTP traffic where the server supports
|
||
HTTP/2 AltSvc
|
||
* some more behaviour changes for TLS
|
||
security fixes:
|
||
* MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
|
||
Use-after-free when using the Fluendo MP3 GStreamer plugin
|
||
* MFSA 2015-32/CVE-2015-0812 (bmo#1128126)
|
||
Add-on lightweight theme installation approval bypassed through
|
||
MITM attack
|
||
* MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
|
||
resource:// documents can load privileged pages
|
||
* MFSA-2015-34/CVE-2015-0811 (bmo#1132468)
|
||
Out of bounds read in QCMS library
|
||
* MFSA-2015-35/CVE-2015-0810 (bmo#1125013)
|
||
Cursor clickjacking with flash and images (OS X only)
|
||
* MFSA-2015-36/CVE-2015-0808 (bmo#1109552)
|
||
Incorrect memory management for simple-type arrays in WebRTC
|
||
* MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
|
||
CORS requests should not follow 30x redirections after preflight
|
||
* MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437)
|
||
Memory corruption crashes in Off Main Thread Compositing
|
||
* MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560)
|
||
Use-after-free due to type confusion flaws
|
||
* MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
|
||
Same-origin bypass through anchor navigation
|
||
* MFSA-2015-41/CVE-2015-0800/CVE-2012-2808
|
||
PRNG weakness allows for DNS poisoning on Android (only)
|
||
* MFSA-2015-42/CVE-2015-0802 (bmo#1124898)
|
||
Windows can retain access to privileged content on navigation
|
||
to unprivileged pages
|
||
- removed obsolete patches
|
||
* mozilla-bmo1088588.patch
|
||
* mozilla-bmo1108834.patch
|
||
- requires NSPR 4.10.8
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 24 15:35:24 UTC 2015 - dvaleev@suse.com
|
||
|
||
- Fix builds with skia on Power
|
||
mozilla-skia-be-le.patch (patch from #bmo1136958)
|
||
mozilla-bmo1108834.patch
|
||
mozilla-bmo1005535.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Mar 21 09:03:12 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 36.0.4 (bnc#923534)
|
||
* MFSA 2015-28/CVE-2015-0818 (bmo#1144988)
|
||
Privilege escalation through SVG navigation
|
||
* MFSA 2015-29/CVE-2015-0817 (bmo#1145255)
|
||
Code execution through incorrect JavaScript bounds checking
|
||
elimination
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 20 15:02:33 UTC 2015 - dimstar@opensuse.org
|
||
|
||
- Copy the icons to /usr/share/icons instead of symlinking them:
|
||
in preparation for containerized apps (e.g. xdg-app) as well as
|
||
AppStream metadata extraction, there are a couple locations that
|
||
need to be real files for system integration (.desktop files,
|
||
icons, mime-type info).
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Mar 7 07:40:56 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 36.0.1
|
||
Bugfixes:
|
||
* Disable the usage of the ANY DNS query type (bmo#1093983)
|
||
* Hello may become inactive until restart (bmo#1137469)
|
||
* Print preferences may not be preserved (bmo#1136855)
|
||
* Hello contact tabs may not be visible (bmo#1137141)
|
||
* Accept hostnames that include an underscore character ("_")
|
||
(bmo#1136616)
|
||
* WebGL may use significant memory with Canvas2d (bmo#1137251)
|
||
* Option -remote has been restored (bmo#1080319)
|
||
- added mozilla-skia-bmo1136958.patch to fix build issues for
|
||
ARM and PPC
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 20 22:53:39 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 36.0 (bnc#917597)
|
||
* mozilla-xremote-client was removed
|
||
* added libclearkey.so media plugin
|
||
* Pinned tiles on the new tab page can be synced
|
||
* Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
|
||
more scalable, and more responsive web.
|
||
* Locale added: Uzbek (uz)
|
||
security fixes:
|
||
* MFSA 2015-11/CVE-2015-0835/CVE-2015-0836
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2015-12/CVE-2015-0833 (bmo#945192)
|
||
Invoking Mozilla updater will load locally stored DLL files
|
||
(Windows only)
|
||
* MFSA 2015-13/CVE-2015-0832 (bmo#1065909)
|
||
Appended period to hostnames can bypass HPKP and HSTS protections
|
||
* MFSA 2015-14/CVE-2015-0830 (bmo#1110488)
|
||
Malicious WebGL content crash when writing strings
|
||
* MFSA 2015-15/CVE-2015-0834 (bmo#1098314)
|
||
TLS TURN and STUN connections silently fail to simple TCP connections
|
||
* MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
|
||
Use-after-free in IndexedDB
|
||
* MFSA 2015-17/CVE-2015-0829 (bmo#1128939)
|
||
Buffer overflow in libstagefright during MP4 video playback
|
||
* MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675)
|
||
Double-free when using non-default memory allocators with a
|
||
zero-length XHR
|
||
* MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
|
||
Out-of-bounds read and write while rendering SVG content
|
||
* MFSA 2015-20/CVE-2015-0826 (bmo#1092363)
|
||
Buffer overflow during CSS restyling
|
||
* MFSA 2015-21/CVE-2015-0825 (bmo#1092370)
|
||
Buffer underflow during MP3 playback
|
||
* MFSA 2015-22/CVE-2015-0824 (bmo#1095925)
|
||
Crash using DrawTarget in Cairo graphics library
|
||
* MFSA 2015-23/CVE-2015-0823 (bmo#1098497)
|
||
Use-after-free in Developer Console date with OpenType Sanitiser
|
||
* MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
|
||
Reading of local files through manipulation of form autocomplete
|
||
* MFSA 2015-25/CVE-2015-0821 (bmo#1111960)
|
||
Local files or privileged URLs in pages can be opened into new tabs
|
||
* MFSA 2015-26/CVE-2015-0819 (bmo#1079554)
|
||
UI Tour whitelisted sites in background tab can spoof foreground
|
||
tabs
|
||
* MFSA 2015-27CVE-2015-0820 (bmo#1125398)
|
||
Caja Compiler JavaScript sandbox bypass
|
||
- rebased patches
|
||
- requires NSS 3.17.4
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jan 31 18:37:38 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 35.0.1
|
||
* With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
|
||
* Kerberos authentication did not work with alias (bmo#1108971)
|
||
* SVG / CSS animation had a regression causing rendering issues on
|
||
websites like openstreemap.org (bmo#1083079)
|
||
* On Godaddy webmail, Firefox could crash (bmo#1113121)
|
||
* document.baseURI did not get updated to document.location after
|
||
base tag was removed from DOM for site with a CSP (bmo#1121857)
|
||
* With a Right-to-left (RTL) version of Firefox, the text selection
|
||
could be broken (bmo#1104036)
|
||
* CSP had a change in behavior with regard to case sensitivity
|
||
resources loading (bmo#1122445)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jan 10 18:36:37 UTC 2015 - wr@rosenauer.org
|
||
|
||
- update to Firefox 35.0 (bnc#910669)
|
||
notable features:
|
||
* Firefox Hello with new rooms-based conversations model
|
||
* Implemented HTTP Public Key Pinning Extension (for enhanced
|
||
authentication of encrypted connections)
|
||
security fixes:
|
||
* MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2015-02/CVE-2014-8637 (bmo#1094536)
|
||
Uninitialized memory use during bitmap rendering
|
||
* MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
|
||
sendBeacon requests lack an Origin header
|
||
* MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
|
||
Cookie injection through Proxy Authenticate responses
|
||
* MFSA 2015-05/CVE-2014-8640 (bmo#1100409)
|
||
Read of uninitialized memory in Web Audio
|
||
* MFSA 2015-06/CVE-2014-8641 (bmo#1108455)
|
||
Read-after-free in WebRTC
|
||
* MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only)
|
||
Gecko Media Plugin sandbox escape
|
||
* MFSA 2015-08/CVE-2014-8642 (bmo#1079658)
|
||
Delegated OCSP responder certificates failure with
|
||
id-pkix-ocsp-nocheck extension
|
||
* MFSA 2015-09/CVE-2014-8636 (bmo#987794)
|
||
XrayWrapper bypass through DOM objects
|
||
- rebased patches
|
||
- dropped explicit support for everything older than 12.3
|
||
(including SLES11)
|
||
* merge firefox-kde.patch and firefox-kde-114.patch
|
||
* dropped mozilla-sle11.patch
|
||
- reworked specfile to build conditionally based on release channel
|
||
either Firefox or Firefox Developer Edition
|
||
- added mozilla-openaes-decl.patch to fix implicit declarations
|
||
- obsolete tracker-miner-firefox < 0.15 because it leads to startup
|
||
crashes (bnc#908892)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Dec 13 22:13:00 UTC 2014 - Led <ledest@gmail.com>
|
||
|
||
- fix bashism in mozilla.sh script
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Nov 29 21:23:03 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 34.0.5 (bnc#908009)
|
||
* Default search engine changed to Yahoo! for North America
|
||
* Default search engine changed to Yandex for Belarusian, Kazakh,
|
||
and Russian locales
|
||
* Improved search bar (en-US only)
|
||
* Firefox Hello real-time communication client
|
||
* Easily switch themes/personas directly in the Customizing mode
|
||
* Implementation of HTTP/2 (draft14) and ALPN
|
||
* Disabled SSLv3
|
||
* MFSA 2014-83/CVE-2014-1587/CVE-2014-1588
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2014-84/CVE-2014-1589 (bmo#1043787)
|
||
XBL bindings accessible via improper CSS declarations
|
||
* MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
|
||
XMLHttpRequest crashes with some input streams
|
||
* MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
|
||
CSP leaks redirect data via violation reports
|
||
* MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
|
||
Use-after-free during HTML5 parsing
|
||
* MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
|
||
Buffer overflow while parsing media content
|
||
* MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
|
||
Bad casting from the BasicThebesLayer to BasicContainerLayer
|
||
- rebased patches
|
||
- limit linker memory usage for %ix86
|
||
- rebased patches
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Nov 7 20:14:32 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 33.1
|
||
* Adding DuckDuckGo as a search option (upstream)
|
||
* Forget Button added
|
||
* Enhanced Tiles
|
||
* Privacy tour introduced
|
||
- fix typo in GStreamer Recommends
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 4 18:00:35 UTC 2014 - guillaume@opensuse.org
|
||
|
||
- Disable elf-hack for aarch64
|
||
- Enable EGL for aarch64
|
||
- Limit RAM usage during link for %arm
|
||
- Fix _constraints for ARM
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 3 11:36:04 UTC 2014 - dmueller@suse.com
|
||
|
||
- use proper macros for ARM
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 3 11:26:23 UTC 2014 - josua.mayer97@gmail.com
|
||
|
||
- use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too
|
||
to fix compiling.
|
||
- pass '-Wl,--no-keep-memory' to linker to reduce required memory during
|
||
linking on arm.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 30 11:31:05 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 33.0.2
|
||
* Fix a startup crash with some combination of hardware and drivers
|
||
33.0.1
|
||
* Firefox displays a black screen at start-up with certain
|
||
graphics drivers
|
||
- adjusted _constraints for ARM
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 28 15:23:09 UTC 2014 - josua.mayer97@gmail.com
|
||
|
||
- added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 25 08:45:43 UTC 2014 - wr@rosenauer.org
|
||
|
||
- define /usr/share/myspell as additional dictionary location
|
||
and remove add-plugins.sh finally (bnc#900639)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Oct 19 12:59:28 UTC 2014 - vindex17@outlook.it
|
||
|
||
- use Firefox default optimization flags instead of -Os
|
||
- specfile cleanup
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 15 08:05:33 UTC 2014 - wr@rosenauer.org
|
||
|
||
- fix build for all ppc by not enabling elf-hack
|
||
(bnc#901213)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 11 08:48:24 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 33.0 (bnc#900941)
|
||
New features:
|
||
* OpenH264 support (sandboxed)
|
||
* Enhanced Tiles
|
||
* Improved search experience through the location bar
|
||
* Slimmer and faster JavaScript strings
|
||
* New CSP (Content Security Policy) backend
|
||
* Support for connecting to HTTP proxy over HTTPS
|
||
* Improved reliability of the session restoration
|
||
* Proprietary window.crypto properties/functions removed
|
||
Security:
|
||
* MFSA 2014-74/CVE-2014-1574/CVE-2014-1575
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2014-75/CVE-2014-1576 (bmo#1041512)
|
||
Buffer overflow during CSS manipulation
|
||
* MFSA 2014-76/CVE-2014-1577 (bmo#1012609)
|
||
Web Audio memory corruption issues with custom waveforms
|
||
* MFSA 2014-77/CVE-2014-1578 (bmo#1063327)
|
||
Out-of-bounds write with WebM video
|
||
* MFSA 2014-78/CVE-2014-1580 (bmo#1063733)
|
||
Further uninitialized memory use during GIF rendering
|
||
* MFSA 2014-79/CVE-2014-1581 (bmo#1068218)
|
||
Use-after-free interacting with text directionality
|
||
* MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
|
||
Key pinning bypasses
|
||
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
|
||
Inconsistent video sharing within iframe
|
||
* MFSA 2014-82/CVE-2014-1583 (bmo#1015540)
|
||
Accessing cross-origin objects via the Alarms API
|
||
(only relevant for installed web apps)
|
||
- requires NSPR 4.10.7
|
||
- requires NSS 3.17.1
|
||
- removed obsolete patches:
|
||
* mozilla-ppc.patch
|
||
* mozilla-libproxy-compat.patch
|
||
- added basic appdata information
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Sep 20 13:33:51 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 32.0.2
|
||
* just a version bump for our builds
|
||
* fixed the in application update process for certain environments
|
||
(in application update is not enabled in openSUSE and Linux
|
||
is unaffected in any case)
|
||
- build with --disable-optimize for 13.1 and above for i586 to
|
||
workaround miscompilations (bnc#896624)
|
||
- use some more build flags to align with upstream
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Sep 13 16:58:16 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 32.0.1
|
||
* fixed stability issues for computers with multiple graphics cards
|
||
* mixed content icon may be incorrectly displayed instead of lock
|
||
icon for SSL sites in 32.0 (
|
||
* WebRTC: setRemoteDescription() silently fails if no success
|
||
callback is specified (bmo#1063971)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Aug 31 07:44:54 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 32.0 (bnc#894370)
|
||
* MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2014-68/CVE-2014-1563 (bmo#1018524)
|
||
Use-after-free during DOM interactions with SVG
|
||
* MFSA 2014-69/CVE-2014-1564 (bmo#1045977)
|
||
Uninitialized memory use during GIF rendering
|
||
* MFSA 2014-70/CVE-2014-1565 (bmo#1047831)
|
||
Out-of-bounds read in Web Audio audio timeline
|
||
* MFSA 2014-72/CVE-2014-1567 (bmo#1037641)
|
||
Use-after-free setting text directionality
|
||
- rebased patches
|
||
- requires NSS 3.16.4
|
||
- removed upstreamed patch
|
||
* mozilla-aarch64-bmo-810631.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 20 13:50:58 CEST 2014 - behlert@suse.de
|
||
|
||
- adapted _constraints, used more than 3900MB on s390x during
|
||
last build
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jul 20 18:11:44 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 31.0 (bnc#887746)
|
||
* MFSA 2014-56/CVE-2014-1547/CVE-2014-1548
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2014-57/CVE-2014-1549 (bmo#1020205)
|
||
Buffer overflow during Web Audio buffering for playback
|
||
* MFSA 2014-58/CVE-2014-1550 (bmo#1020411)
|
||
Use-after-free in Web Audio due to incorrect control message ordering
|
||
* MFSA 2014-60/CVE-2014-1561 (bmo#1000514, bmo#910375)
|
||
Toolbar dialog customization event spoofing
|
||
* MFSA 2014-61/CVE-2014-1555 (bmo#1023121)
|
||
Use-after-free with FireOnStateChange event
|
||
* MFSA 2014-62/CVE-2014-1556 (bmo#1028891)
|
||
Exploitable WebGL crash with Cesium JavaScript library
|
||
* MFSA 2014-63/CVE-2014-1544 (bmo#963150)
|
||
Use-after-free while when manipulating certificates in the trusted cache
|
||
(solved with NSS 3.16.2 requirement)
|
||
* MFSA 2014-64/CVE-2014-1557 (bmo#913805)
|
||
Crash in Skia library when scaling high quality images
|
||
* MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560
|
||
(bmo#1015973, bmo#1026022, bmo#997795)
|
||
Certificate parsing broken by non-standard character encoding
|
||
* MFSA 2014-66/CVE-2014-1552 (bmo#985135)
|
||
IFRAME sandbox same-origin access through redirect
|
||
- use EGL on ARM
|
||
- rebased patches
|
||
- requires NSS 3.16.2
|
||
- requires python-devel (not only python)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 9 08:28:17 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 30.0 (bnc#881874)
|
||
* MFSA 2014-48/CVE-2014-1533/CVE-2014-1534
|
||
(bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874,
|
||
bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981,
|
||
bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817,
|
||
bmo#996536, bmo#996715, bmo#999651, bmo#1000598,
|
||
bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223,
|
||
bmo#1009952, bmo#1011007)
|
||
Miscellaneous memory safety hazards (rv:30.0)
|
||
* MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538
|
||
(bmo#989994, bmo#999274, bmo#1005584)
|
||
Use-after-free and out of bounds issues found using Address
|
||
Sanitizer
|
||
* MFSA 2014-50/CVE-2014-1539 (bmo#995603)
|
||
Clickjacking through cursor invisability after Flash interaction
|
||
* MFSA 2014-51/CVE-2014-1540 (bmo#978862)
|
||
Use-after-free in Event Listener Manager
|
||
* MFSA 2014-52/CVE-2014-1541 (bmo#1000185)
|
||
Use-after-free with SMIL Animation Controller
|
||
* MFSA 2014-53/CVE-2014-1542 (bmo#991533)
|
||
Buffer overflow in Web Audio Speex resampler
|
||
* MFSA 2014-54/CVE-2014-1543 (bmo#1011859)
|
||
Buffer overflow in Gamepad API
|
||
* MFSA 2014-55/CVE-2014-1545 (bmo#1018783)
|
||
Out of bounds write in NSPR
|
||
- rebased patches
|
||
- removed obsolete patches
|
||
* firefox-browser-css.patch
|
||
* mozilla-aarch64-bmo-962488.patch
|
||
* mozilla-aarch64-bmo-963023.patch
|
||
* mozilla-aarch64-bmo-963024.patch
|
||
* mozilla-aarch64-bmo-963027.patch
|
||
* mozilla-ppc64-xpcom.patch
|
||
* mozilla-ppc64le-javascript.patch
|
||
* mozilla-ppc64le-libffi.patch
|
||
* mozilla-ppc64le-mfbt.patch
|
||
* mozilla-ppc64le-webrtc.patch
|
||
* mozilla-ppc64le-xpcom.patch
|
||
* mozilla-ppc64le-build.patch
|
||
- requires NSPR 4.10.6
|
||
- enabled GStreamer 1.0 usage for 13.2 and above
|
||
|
||
-------------------------------------------------------------------
|
||
Sat May 10 06:09:37 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 29.0.1
|
||
* Seer disabled by default (bmo#1005958)
|
||
* Session Restore failed with a corrupted sessionstore.js file
|
||
(bmo#1001167)
|
||
* pdf.js printing white page (bmo#1003707, bnc#876833)
|
||
- general.useragent.locale gets overwritten with en-US while it
|
||
should be using the active langpack's setting
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Apr 26 12:18:07 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 29.0 (bnc#875378)
|
||
* MFSA 2014-34/CVE-2014-1518/CVE-2014-1519
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2014-36/CVE-2014-1522 (bmo#995289)
|
||
Web Audio memory corruption issues
|
||
* MFSA 2014-37/CVE-2014-1523 (bmo#969226)
|
||
Out of bounds read while decoding JPG images
|
||
* MFSA 2014-38/CVE-2014-1524 (bmo#989183)
|
||
Buffer overflow when using non-XBL object as XBL
|
||
* MFSA 2014-39/CVE-2014-1525 (bmo#989210)
|
||
Use-after-free in the Text Track Manager for HTML video
|
||
* MFSA 2014-41/CVE-2014-1528 (bmo#963962)
|
||
Out-of-bounds write in Cairo
|
||
* MFSA 2014-42/CVE-2014-1529 (bmo#987003)
|
||
Privilege escalation through Web Notification API
|
||
* MFSA 2014-43/CVE-2014-1530 (bmo#895557)
|
||
Cross-site scripting (XSS) using history navigations
|
||
* MFSA 2014-44/CVE-2014-1531 (bmo#987140)
|
||
Use-after-free in imgLoader while resizing images
|
||
* MFSA 2014-45/CVE-2014-1492 (bmo#903885)
|
||
Incorrect IDNA domain name matching for wildcard certificates
|
||
(fixed by NSS 3.16)
|
||
* MFSA 2014-46/CVE-2014-1532 (bmo#966006)
|
||
Use-after-free in nsHostResolver
|
||
* MFSA 2014-47/CVE-2014-1526 (bmo#988106)
|
||
Debugger can bypass XrayWrappers with JavaScript
|
||
- rebased patches
|
||
- removed obsolete patches
|
||
* firefox-browser-css.patch
|
||
* mozilla-aarch64-599882cfb998.diff
|
||
* mozilla-aarch64-bmo-963028.patch
|
||
* mozilla-aarch64-bmo-963029.patch
|
||
* mozilla-aarch64-bmo-963030.patch
|
||
* mozilla-aarch64-bmo-963031.patch
|
||
- requires NSS 3.16
|
||
- added mozilla-icu-strncat.patch to fix post build checks
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 7 15:34:31 UTC 2014 - dmueller@suse.com
|
||
|
||
- add mozilla-aarch64-599882cfb998.patch,
|
||
mozilla-aarch64-bmo-810631.patch,
|
||
mozilla-aarch64-bmo-962488.patch,
|
||
mozilla-aarch64-bmo-963030.patch,
|
||
mozilla-aarch64-bmo-963027.patch,
|
||
mozilla-aarch64-bmo-963028.patch,
|
||
mozilla-aarch64-bmo-963029.patch,
|
||
mozilla-aarch64-bmo-963023.patch,
|
||
mozilla-aarch64-bmo-963024.patch,
|
||
mozilla-aarch64-bmo-963031.patch: AArch64 porting
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 24 16:18:44 UTC 2014 - dvaleev@suse.com
|
||
|
||
- Add patch for bmo#973977
|
||
* mozilla-ppc64-xpcom.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 24 14:29:12 UTC 2014 - dvaleev@suse.com
|
||
|
||
- Refresh mozilla-ppc64le-xpcom.patch patch
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 21 19:01:42 UTC 2014 - dvaleev@suse.com
|
||
|
||
- Adapt mozilla-ppc64le-xpcom.patch to Mozilla > 24.0 build system
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Mar 16 13:39:15 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 28.0 (bnc#868603)
|
||
* MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2014-17/CVE-2014-1497 (bmo#966311)
|
||
Out of bounds read during WAV file decoding
|
||
* MFSA 2014-18/CVE-2014-1498 (bmo#935618)
|
||
crypto.generateCRMFRequest does not validate type of key
|
||
* MFSA 2014-19/CVE-2014-1499 (bmo#961512)
|
||
Spoofing attack on WebRTC permission prompt
|
||
* MFSA 2014-20/CVE-2014-1500 (bmo#956524)
|
||
onbeforeunload and Javascript navigation DOS
|
||
* MFSA 2014-22/CVE-2014-1502 (bmo#972622)
|
||
WebGL content injection from one domain to rendering in another
|
||
* MFSA 2014-23/CVE-2014-1504 (bmo#911547)
|
||
Content Security Policy for data: documents not preserved by
|
||
session restore
|
||
* MFSA 2014-26/CVE-2014-1508 (bmo#963198)
|
||
Information disclosure through polygon rendering in MathML
|
||
* MFSA 2014-27/CVE-2014-1509 (bmo#966021)
|
||
Memory corruption in Cairo during PDF font rendering
|
||
* MFSA 2014-28/CVE-2014-1505 (bmo#941887)
|
||
SVG filters information disclosure through feDisplacementMap
|
||
* MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909)
|
||
Privilege escalation using WebIDL-implemented APIs
|
||
* MFSA 2014-30/CVE-2014-1512 (bmo#982957)
|
||
Use-after-free in TypeObject
|
||
* MFSA 2014-31/CVE-2014-1513 (bmo#982974)
|
||
Out-of-bounds read/write through neutering ArrayBuffer objects
|
||
* MFSA 2014-32/CVE-2014-1514 (bmo#983344)
|
||
Out-of-bounds write through TypedArrayObject after neutering
|
||
- requires NSPR 4.10.3 and NSS 3.15.5
|
||
- new build dependency (and recommends):
|
||
* libpulse
|
||
- update of PowerPC 64 patches (bmo#976648) (pcerny@suse.com)
|
||
- rebased patches
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 17 11:59:28 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 27.0.1
|
||
* Fixed stability issues with Greasemonkey and other JS that used
|
||
ClearTimeoutOrInterval
|
||
* JS math correctness issue (bmo#941381)
|
||
- incorporate Google API key for geolocation (bnc#864170)
|
||
- updated list of "other" locales in RPM requirements
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 28 15:45:41 UTC 2014 - wr@rosenauer.org
|
||
|
||
- update to Firefox 27.0 (bnc#861847)
|
||
* MFSA 2014-01/CVE-2014-1477/CVE-2014-1478
|
||
Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
|
||
* MFSA 2014-02/CVE-2014-1479 (bmo#911864)
|
||
Clone protected content with XBL scopes
|
||
* MFSA 2014-03/CVE-2014-1480 (bmo#916726)
|
||
UI selection timeout missing on download prompts
|
||
* MFSA 2014-04/CVE-2014-1482 (bmo#943803)
|
||
Incorrect use of discarded images by RasterImage
|
||
* MFSA 2014-05/CVE-2014-1483 (bmo#950427)
|
||
Information disclosure with *FromPoint on iframes
|
||
* MFSA 2014-06/CVE-2014-1484 (bmo#953993)
|
||
Profile path leaks to Android system log
|
||
* MFSA 2014-07/CVE-2014-1485 (bmo#910139)
|
||
XSLT stylesheets treated as styles in Content Security Policy
|
||
* MFSA 2014-08/CVE-2014-1486 (bmo#942164)
|
||
Use-after-free with imgRequestProxy and image proccessing
|
||
* MFSA 2014-09/CVE-2014-1487 (bmo#947592)
|
||
Cross-origin information leak through web workers
|
||
* MFSA 2014-10/CVE-2014-1489 (bmo#959531)
|
||
Firefox default start page UI content invokable by script
|
||
* MFSA 2014-11/CVE-2014-1488 (bmo#950604)
|
||
Crash when using web workers with asm.js
|
||
* MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
|
||
(bmo#934545, bmo#930874, bmo#930857)
|
||
NSS ticket handling issues
|
||
* MFSA 2014-13/CVE-2014-1481(bmo#936056)
|
||
Inconsistent JavaScript handling of access to Window objects
|
||
- requires NSS 3.15.4 or higher
|
||
- rebased/reworked patches
|
||
- removed obsolete mozilla-bug929439.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 12 21:19:54 UTC 2013 - uweigand@de.ibm.com
|
||
|
||
- Add support for powerpc64le-linux.
|
||
* mozilla-ppc64le.patch: general support
|
||
* mozilla-libffi-ppc64le.patch: libffi backport
|
||
* mozilla-xpcom-ppc64le.patch: port xpcom
|
||
- Add build fix from mainline.
|
||
* mozilla-bug929439.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Dec 8 20:26:23 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 26.0 (bnc#854367, bnc#854370)
|
||
* rebased patches
|
||
* requires NSPR 4.10.2 and NSS 3.15.3.1
|
||
* MFSA 2013-104/CVE-2013-5609/CVE-2013-5610
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2013-105/CVE-2013-5611 (bmo#771294)
|
||
Application Installation doorhanger persists on navigation
|
||
* MFSA 2013-106/CVE-2013-5612 (bmo#871161)
|
||
Character encoding cross-origin XSS attack
|
||
* MFSA 2013-107/CVE-2013-5614 (bmo#886262)
|
||
Sandbox restrictions not applied to nested object elements
|
||
* MFSA 2013-108/CVE-2013-5616 (bmo#938341)
|
||
Use-after-free in event listeners
|
||
* MFSA 2013-109/CVE-2013-5618 (bmo#926361)
|
||
Use-after-free during Table Editing
|
||
* MFSA 2013-110/CVE-2013-5619 (bmo#917841)
|
||
Potential overflow in JavaScript binary search algorithms
|
||
* MFSA 2013-111/CVE-2013-6671 (bmo#930281)
|
||
Segmentation violation when replacing ordered list elements
|
||
* MFSA 2013-112/CVE-2013-6672 (bmo#894736)
|
||
Linux clipboard information disclosure though selection paste
|
||
* MFSA 2013-113/CVE-2013-6673 (bmo#970380)
|
||
Trust settings for built-in roots ignored during EV certificate
|
||
validation
|
||
* MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449)
|
||
Use-after-free in synthetic mouse movement
|
||
* MFSA 2013-115/CVE-2013-5615 (bmo#929261)
|
||
GetElementIC typed array stubs can be generated outside observed
|
||
typesets
|
||
* MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693)
|
||
JPEG information leak
|
||
* MFSA 2013-117 (bmo#946351)
|
||
Mis-issued ANSSI/DCSSI certificate
|
||
(fixed via NSS 3.15.3.1)
|
||
- removed gecko.js preference file as GStreamer is enabled by
|
||
default now
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 24 18:16:19 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 25.0 (bnc#847708)
|
||
* rebased patches
|
||
* requires NSS 3.15.2 or above
|
||
* MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2013-94/CVE-2013-5593 (bmo#868327)
|
||
Spoofing addressbar through SELECT element
|
||
* MFSA 2013-95/CVE-2013-5604 (bmo#914017)
|
||
Access violation with XSLT and uninitialized data
|
||
* MFSA 2013-96/CVE-2013-5595 (bmo#916580)
|
||
Improperly initialized memory and overflows in some JavaScript
|
||
functions
|
||
* MFSA 2013-97/CVE-2013-5596 (bmo#910881)
|
||
Writing to cycle collected object during image decoding
|
||
* MFSA 2013-98/CVE-2013-5597 (bmo#918864)
|
||
Use-after-free when updating offline cache
|
||
* MFSA 2013-99/CVE-2013-5598 (bmo#920515)
|
||
Security bypass of PDF.js checks using iframes
|
||
* MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601
|
||
(bmo#915210, bmo#915576, bmo#916685)
|
||
Miscellaneous use-after-free issues found through ASAN fuzzing
|
||
* MFSA 2013-101/CVE-2013-5602 (bmo#897678)
|
||
Memory corruption in workers
|
||
* MFSA 2013-102/CVE-2013-5603 (bmo#916404)
|
||
Use-after-free in HTML document templates
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 24 07:31:30 UTC 2013 - wr@rosenauer.org
|
||
|
||
- as GStreamer is not automatically required anymore but loaded
|
||
dynamically if available, require it explicitely
|
||
- recommend optional GStreamer plugins for comprehensive media
|
||
support
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 16 11:59:18 UTC 2013 - lnussel@suse.de
|
||
|
||
- move greek to the translations-common package (bnc#840551)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Sep 14 14:39:58 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 24.0 (bnc#840485)
|
||
* MFSA 2013-76/CVE-2013-1718/CVE-2013-1719
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2013-77/CVE-2013-1720 (bmo#888820)
|
||
Improper state in HTML5 Tree Builder with templates
|
||
* MFSA 2013-78/CVE-2013-1721 (bmo#890277)
|
||
Integer overflow in ANGLE library
|
||
* MFSA 2013-79/CVE-2013-1722 (bmo#893308)
|
||
Use-after-free in Animation Manager during stylesheet cloning
|
||
* MFSA 2013-80/CVE-2013-1723 (bmo#891292)
|
||
NativeKey continues handling key messages after widget is destroyed
|
||
* MFSA 2013-81/CVE-2013-1724 (bmo#894137)
|
||
Use-after-free with select element
|
||
* MFSA 2013-82/CVE-2013-1725 (bmo#876762)
|
||
Calling scope for new Javascript objects can lead to memory corruption
|
||
* MFSA 2013-85/CVE-2013-1728 (bmo#883686)
|
||
Uninitialized data in IonMonkey
|
||
* MFSA 2013-88/CVE-2013-1730 (bmo#851353)
|
||
Compartment mismatch re-attaching XBL-backed nodes
|
||
* MFSA 2013-89/CVE-2013-1732 (bmo#883514)
|
||
Buffer overflow with multi-column, lists, and floats
|
||
* MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301)
|
||
Memory corruption involving scrolling
|
||
* MFSA 2013-91/CVE-2013-1737 (bmo#907727)
|
||
User-defined properties on DOM proxies get the wrong "this" object
|
||
* MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897)
|
||
GC hazard with default compartments and frame chain restoration
|
||
- enable gstreamer explicitely via pref (gecko.js)
|
||
- require NSS 3.15.1
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 26 07:35:36 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 23.0.1
|
||
* Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls
|
||
(bmo#901527)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Aug 4 18:30:11 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 23.0 (bnc#833389)
|
||
* MFSA 2013-63/CVE-2013-1701/CVE-2013-1702
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2013-64/CVE-2013-1704 (bmo#883313)
|
||
Use after free mutating DOM during SetBody
|
||
* MFSA 2013-65/CVE-2013-1705 (bmo#882865)
|
||
Buffer underflow when generating CRMF requests
|
||
* MFSA 2013-67/CVE-2013-1708 (bmo#879924)
|
||
Crash during WAV audio file decoding
|
||
* MFSA 2013-68/CVE-2013-1709 (bmo#838253)
|
||
Document URI misrepresentation and masquerading
|
||
* MFSA 2013-69/CVE-2013-1710 (bmo#871368)
|
||
CRMF requests allow for code execution and XSS attacks
|
||
* MFSA 2013-70/CVE-2013-1711 (bmo#843829)
|
||
Bypass of XrayWrappers using XBL Scopes
|
||
* MFSA 2013-72/CVE-2013-1713 (bmo#887098)
|
||
Wrong principal used for validating URI for some Javascript
|
||
components
|
||
* MFSA 2013-73/CVE-2013-1714 (bmo#879787)
|
||
Same-origin bypass with web workers and XMLHttpRequest
|
||
* MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
|
||
Local Java applets may read contents of local file system
|
||
- requires NSPR 4.10 and NSS 3.15
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 3 17:14:35 UTC 2013 - dmueller@suse.com
|
||
|
||
- fix build on ARM (/-g/ matches /-grecord-switches/)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jun 22 17:48:06 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 22.0 (bnc#825935)
|
||
* removed obsolete patches
|
||
+ mozilla-qcms-ppc.patch
|
||
+ mozilla-gstreamer-760140.patch
|
||
* GStreamer support does not build on 12.1 anymore (build only
|
||
on 12.2 and later)
|
||
* MFSA 2013-49/CVE-2013-1682/CVE-2013-1683
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
|
||
Memory corruption found using Address Sanitizer
|
||
* MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
|
||
Privileged content access and execution via XBL
|
||
* MFSA 2013-52/CVE-2013-1688 (bmo#873966)
|
||
Arbitrary code execution within Profiler
|
||
* MFSA 2013-53/CVE-2013-1690 (bmo#857883)
|
||
Execution of unmapped memory through onreadystatechange event
|
||
* MFSA 2013-54/CVE-2013-1692 (bmo#866915)
|
||
Data in the body of XHR HEAD requests leads to CSRF attacks
|
||
* MFSA 2013-55/CVE-2013-1693 (bmo#711043)
|
||
SVG filters can lead to information disclosure
|
||
* MFSA 2013-56/CVE-2013-1694 (bmo#848535)
|
||
PreserveWrapper has inconsistent behavior
|
||
* MFSA 2013-57/CVE-2013-1695 (bmo#849791)
|
||
Sandbox restrictions not applied to nested frame elements
|
||
* MFSA 2013-58/CVE-2013-1696 (bmo#761667)
|
||
X-Frame-Options ignored when using server push with multi-part
|
||
responses
|
||
* MFSA 2013-59/CVE-2013-1697 (bmo#858101)
|
||
XrayWrappers can be bypassed to run user defined methods in a
|
||
privileged context
|
||
* MFSA 2013-60/CVE-2013-1698 (bmo#876044)
|
||
getUserMedia permission dialog incorrectly displays location
|
||
* MFSA 2013-61/CVE-2013-1699 (bmo#840882)
|
||
Homograph domain spoofing in .com, .net and .name
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 11 21:06:58 UTC 2013 - dvaleev@suse.com
|
||
|
||
- Fix qcms altivec include (mozilla-qcms-ppc.patch)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 10 05:25:39 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 21.0 (bnc#819204)
|
||
* removed upstreamed patch firefox-712763.patch
|
||
* removed disabled mozilla-disable-neon-option.patch
|
||
* MFSA 2013-41/CVE-2013-0801/CVE-2013-1669
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2013-42/CVE-2013-1670 (bmo#853709)
|
||
Privileged access for content level constructor
|
||
* MFSA 2013-43/CVE-2013-1671 (bmo#842255)
|
||
File input control has access to full path
|
||
* MFSA 2013-46/CVE-2013-1674 (bmo#860971)
|
||
Use-after-free with video and onresize event
|
||
* MFSA 2013-47/CVE-2013-1675 (bmo#866825)
|
||
Uninitialized functions in DOMSVGZoomEvent
|
||
* MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/
|
||
CVE-2013-1679/CVE-2013-1680/CVE-2013-1681
|
||
Memory corruption found using Address Sanitizer
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 9 06:41:31 UTC 2013 - wr@rosenauer.org
|
||
|
||
- revert to use GStreamer 0.10 on 12.3 (bnc#814101)
|
||
(remove mozilla-gstreamer-1.patch)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 5 17:04:11 UTC 2013 - schwab@linux-m68k.org
|
||
|
||
- Explicitly disable WebRTC support on non-x86, the configure script
|
||
disables it only half-heartedly
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 29 22:15:21 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 20.0 (bnc#813026)
|
||
* requires NSPR 4.9.5 and NSS 3.14.3
|
||
* mozilla-webrtc-ppc.patch included upstream
|
||
* MFSA 2013-30/CVE-2013-0788/CVE-2013-0789
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2013-31/CVE-2013-0800 (bmo#825721)
|
||
Out-of-bounds write in Cairo library
|
||
* MFSA 2013-35/CVE-2013-0796 (bmo#827106)
|
||
WebGL crash with Mesa graphics driver on Linux
|
||
* MFSA 2013-36/CVE-2013-0795 (bmo#825697)
|
||
Bypass of SOW protections allows cloning of protected nodes
|
||
* MFSA 2013-37/CVE-2013-0794 (bmo#626775)
|
||
Bypass of tab-modal dialog origin disclosure
|
||
* MFSA 2013-38/CVE-2013-0793 (bmo#803870)
|
||
Cross-site scripting (XSS) using timed history navigations
|
||
* MFSA 2013-39/CVE-2013-0792 (bmo#722831)
|
||
Memory corruption while rendering grayscale PNG images
|
||
- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 12 23:08:15 UTC 2013 - dmueller@suse.com
|
||
|
||
- build fixes for armv7hl:
|
||
* disable debug build as armv7hl does not have enough memory
|
||
* disable webrtc on armv7hl as it is non-compiling
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 7 19:03:32 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 19.0.2 (bnc#808243)
|
||
* MFSA 2013-29/CVE-2013-0787 (bmo#848644)
|
||
Use-after-free in HTML Editor
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 28 22:06:36 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 19.0.1
|
||
* blocklist updates
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Feb 16 07:08:55 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 19.0 (bnc#804248)
|
||
* MFSA 2013-21/CVE-2013-0783/2013-0784
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2013-22/CVE-2013-0772 (bmo#801366)
|
||
Out-of-bounds read in image rendering
|
||
* MFSA 2013-23/CVE-2013-0765 (bmo#830614)
|
||
Wrapped WebIDL objects can be wrapped again
|
||
* MFSA 2013-24/CVE-2013-0773 (bmo#809652)
|
||
Web content bypass of COW and SOW security wrappers
|
||
* MFSA 2013-25/CVE-2013-0774 (bmo#827193)
|
||
Privacy leak in JavaScript Workers
|
||
* MFSA 2013-26/CVE-2013-0775 (bmo#831095)
|
||
Use-after-free in nsImageLoadingContent
|
||
* MFSA 2013-27/CVE-2013-0776 (bmo#796475)
|
||
Phishing on HTTPS connection through malicious proxy
|
||
* MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/
|
||
CVE-2013-0778/CVE-2013-0779/CVE-2013-0781
|
||
Use-after-free, out of bounds read, and buffer overflow issues
|
||
found using Address Sanitizer
|
||
- removed obsolete patches
|
||
* mozilla-webrtc.patch
|
||
* mozilla-gstreamer-803287.patch
|
||
- added patch to fix session restore window order (bmo#712763)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Feb 2 08:40:52 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 18.0.2
|
||
* blocklist and CTP updates
|
||
* fixes in JS engine
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 16 20:51:55 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 18.0.1
|
||
* blocklist updates
|
||
* backed out bmo#677092 (removed patch)
|
||
* fixed problems involving HTTP proxy transactions
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jan 12 17:25:11 UTC 2013 - schwab@linux-m68k.org
|
||
|
||
- Fix WebRTC to build on powerpc
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jan 6 21:54:18 UTC 2013 - wr@rosenauer.org
|
||
|
||
- update to Firefox 18.0 (bnc#796895)
|
||
* MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767
|
||
CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829
|
||
Use-after-free and buffer overflow issues found using Address Sanitizer
|
||
* MFSA 2013-03/CVE-2013-0768 (bmo#815795)
|
||
Buffer Overflow in Canvas
|
||
* MFSA 2013-04/CVE-2012-0759 (bmo#802026)
|
||
URL spoofing in addressbar during page loads
|
||
* MFSA 2013-05/CVE-2013-0744 (bmo#814713)
|
||
Use-after-free when displaying table with many columns and column groups
|
||
* MFSA 2013-06/CVE-2013-0751 (bmo#790454)
|
||
Touch events are shared across iframes
|
||
* MFSA 2013-07/CVE-2013-0764 (bmo#804237)
|
||
Crash due to handling of SSL on threads
|
||
* MFSA 2013-08/CVE-2013-0745 (bmo#794158)
|
||
AutoWrapperChanger fails to keep objects alive during garbage collection
|
||
* MFSA 2013-09/CVE-2013-0746 (bmo#816842)
|
||
Compartment mismatch with quickstubs returned values
|
||
* MFSA 2013-10/CVE-2013-0747 (bmo#733305)
|
||
Event manipulation in plugin handler to bypass same-origin policy
|
||
* MFSA 2013-11/CVE-2013-0748 (bmo#806031)
|
||
Address space layout leaked in XBL objects
|
||
* MFSA 2013-12/CVE-2013-0750 (bmo#805121)
|
||
Buffer overflow in Javascript string concatenation
|
||
* MFSA 2013-13/CVE-2013-0752 (bmo#805024)
|
||
Memory corruption in XBL with XML bindings containing SVG
|
||
* MFSA 2013-14/CVE-2013-0757 (bmo#813901)
|
||
Chrome Object Wrapper (COW) bypass through changing prototype
|
||
* MFSA 2013-15/CVE-2013-0758 (bmo#813906)
|
||
Privilege escalation through plugin objects
|
||
* MFSA 2013-16/CVE-2013-0753 (bmo#814001)
|
||
Use-after-free in serializeToStream
|
||
* MFSA 2013-17/CVE-2013-0754 (bmo#814026)
|
||
Use-after-free in ListenerManager
|
||
* MFSA 2013-18/CVE-2013-0755 (bmo#814027)
|
||
Use-after-free in Vibrate
|
||
* MFSA 2013-19/CVE-2013-0756 (bmo#814029)
|
||
Use-after-free in Javascript Proxy objects
|
||
- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743)
|
||
- removed obsolete SLE11 patches (mozilla-gcc43*)
|
||
- reenable WebRTC
|
||
- added mozilla-libproxy-compat.patch for libproxy API compat
|
||
on openSUSE 11.2 and earlier
|
||
- backed out restartless language packs as it broke multi-locale
|
||
setup (bmo#677092, bmo#818468)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 29 19:56:51 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 17.0.1
|
||
* revert some useragent changes introduced in 17.0
|
||
* leaving private browsing with social enabled doesn't reset all
|
||
social components (bmo#815042)
|
||
- fix KDE integration for file dialogs
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 20 19:52:02 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 17.0 (bnc#790140)
|
||
* MFSA 2012-91/CVE-2012-5842/CVE-2012-5843
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2012-92/CVE-2012-4202 (bmo#758200)
|
||
Buffer overflow while rendering GIF images
|
||
* MFSA 2012-93/CVE-2012-4201 (bmo#747607)
|
||
evalInSanbox location context incorrectly applied
|
||
* MFSA 2012-94/CVE-2012-5836 (bmo#792857)
|
||
Crash when combining SVG text on path with CSS
|
||
* MFSA 2012-95/CVE-2012-4203 (bmo#765628)
|
||
Javascript: URLs run in privileged context on New Tab page
|
||
* MFSA 2012-96/CVE-2012-4204 (bmo#778603)
|
||
Memory corruption in str_unescape
|
||
* MFSA 2012-97/CVE-2012-4205 (bmo#779821)
|
||
XMLHttpRequest inherits incorrect principal within sandbox
|
||
* MFSA 2012-99/CVE-2012-4208 (bmo#798264)
|
||
XrayWrappers exposes chrome-only properties when not in chrome
|
||
compartment
|
||
* MFSA 2012-100/CVE-2012-5841 (bmo#805807)
|
||
Improper security filtering for cross-origin wrappers
|
||
* MFSA 2012-101/CVE-2012-4207 (bmo#801681)
|
||
Improper character decoding in HZ-GB-2312 charset
|
||
* MFSA 2012-102/CVE-2012-5837 (bmo#800363)
|
||
Script entered into Developer Toolbar runs with chrome privileges
|
||
* MFSA 2012-103/CVE-2012-4209 (bmo#792405)
|
||
Frames can shadow top.location
|
||
* MFSA 2012-104/CVE-2012-4210 (bmo#796866)
|
||
CSS and HTML injection through Style Inspector
|
||
* MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/
|
||
CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/
|
||
CVE-2012-4213/CVE-2012-4217/CVE-2012-4218
|
||
Use-after-free and buffer overflow issues found using Address
|
||
Sanitizer
|
||
* MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838
|
||
Use-after-free, buffer overflow, and memory corruption issues
|
||
found using Address Sanitizer
|
||
- rebased patches
|
||
- disabled WebRTC since build is broken (bmo#776877)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 20 15:42:55 UTC 2012 - pcerny@suse.com
|
||
|
||
- build on SLE11
|
||
* mozilla-gcc43-enums.patch
|
||
* mozilla-gcc43-template_hacks.patch
|
||
* mozilla-gcc43-templates_instantiation.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 24 08:27:29 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 16.0.2 (bnc#786522)
|
||
* MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196
|
||
(bmo#800666, bmo#793121, bmo#802557)
|
||
Fixes for Location object issues
|
||
- bring back Obsoletes for libproxy's mozjs plugin for distributions
|
||
before 12.2 to avoid crashes
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 11 01:51:16 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 16.0.1 (bnc#783533)
|
||
* MFSA 2012-88/CVE-2012-4191 (bmo#798045)
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619)
|
||
defaultValue security checks not applied
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Oct 7 21:40:14 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 16.0 (bnc#783533)
|
||
* MFSA 2012-74/CVE-2012-3982/CVE-2012-3983
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2012-75/CVE-2012-3984 (bmo#575294)
|
||
select element persistance allows for attacks
|
||
* MFSA 2012-76/CVE-2012-3985 (bmo#655649)
|
||
Continued access to initial origin after setting document.domain
|
||
* MFSA 2012-77/CVE-2012-3986 (bmo#775868)
|
||
Some DOMWindowUtils methods bypass security checks
|
||
* MFSA 2012-79/CVE-2012-3988 (bmo#725770)
|
||
DOS and crash with full screen and history navigation
|
||
* MFSA 2012-80/CVE-2012-3989 (bmo#783867)
|
||
Crash with invalid cast when using instanceof operator
|
||
* MFSA 2012-81/CVE-2012-3991 (bmo#783260)
|
||
GetProperty function can bypass security checks
|
||
* MFSA 2012-82/CVE-2012-3994 (bmo#765527)
|
||
top object and location property accessible by plugins
|
||
* MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370)
|
||
Chrome Object Wrapper (COW) does not disallow acces to privileged
|
||
functions or properties
|
||
* MFSA 2012-84/CVE-2012-3992 (bmo#775009)
|
||
Spoofing and script injection through location.hash
|
||
* MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/
|
||
CVE-2012-4181/CVE-2012-4182/CVE-2012-4183
|
||
Use-after-free, buffer overflow, and out of bounds read issues
|
||
found using Address Sanitizer
|
||
* MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/
|
||
CVE-2012-4188
|
||
Heap memory corruption issues found using Address Sanitizer
|
||
* MFSA 2012-87/CVE-2012-3990 (bmo#787704)
|
||
Use-after-free in the IME State Manager
|
||
- requires NSPR 4.9.2
|
||
- improve GStreamer integration (bmo#760140)
|
||
- removed upstreamed mozilla-crashreporter-restart-args.patch
|
||
- webapprt now included
|
||
- use kmozillahelper's new REVEAL command (bnc#777415)
|
||
(requires mozilla-kde4-integration >= 0.6.4)
|
||
- updated translations-other with new languages
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 10 19:37:56 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 15.0.1 (bnc#779936)
|
||
* Sites visited while in Private Browsing mode could be found
|
||
through manual browser cache inspection (bmo#787743)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Aug 26 13:47:43 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 15.0 (bnc#777588)
|
||
* MFSA 2012-57/CVE-2012-1970
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975
|
||
CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959
|
||
CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964
|
||
Use-after-free issues found using Address Sanitizer
|
||
* MFSA 2012-59/CVE-2012-1956 (bmo#756719)
|
||
Location object can be shadowed using Object.defineProperty
|
||
* MFSA 2012-60/CVE-2012-3965 (bmo#769108)
|
||
Escalation of privilege through about:newtab
|
||
* MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793)
|
||
Memory corruption with bitmap format images with negative height
|
||
* MFSA 2012-62/CVE-2012-3967/CVE-2012-3968
|
||
WebGL use-after-free and memory corruption
|
||
* MFSA 2012-63/CVE-2012-3969/CVE-2012-3970
|
||
SVG buffer overflow and use-after-free issues
|
||
* MFSA 2012-64/CVE-2012-3971
|
||
Graphite 2 memory corruption
|
||
* MFSA 2012-65/CVE-2012-3972 (bmo#746855)
|
||
Out-of-bounds read in format-number in XSLT
|
||
* MFSA 2012-66/CVE-2012-3973 (bmo#757128)
|
||
HTTPMonitor extension allows for remote debugging without explicit
|
||
activation
|
||
* MFSA 2012-68/CVE-2012-3975 (bmo#770684)
|
||
DOMParser loads linked resources in extensions when parsing
|
||
text/html
|
||
* MFSA 2012-69/CVE-2012-3976 (bmo#768568)
|
||
Incorrect site SSL certificate data display
|
||
* MFSA 2012-70/CVE-2012-3978 (bmo#770429)
|
||
Location object security checks bypassed by chrome code
|
||
* MFSA 2012-72/CVE-2012-3980 (bmo#771859)
|
||
Web console eval capable of executing chrome-privileged code
|
||
- fix HTML5 video crash with GStreamer enabled (bmo#761030)
|
||
- GStreamer is only used for MP4 (no WebM, OGG)
|
||
- updated filelist
|
||
- moved browser specific preferences to correct location
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jul 29 08:34:39 UTC 2012 - aj@suse.de
|
||
|
||
- Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jul 14 19:31:51 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to 14.0.1 (bnc#771583)
|
||
* MFSA 2012-42/CVE-2012-1949/CVE-2012-1948
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2012-43/CVE-2012-1950
|
||
Incorrect URL displayed in addressbar through drag and drop
|
||
* MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952
|
||
Gecko memory corruption
|
||
* MFSA 2012-45/CVE-2012-1955 (bmo#757376)
|
||
Spoofing issue with location
|
||
* MFSA 2012-46/CVE-2012-1966 (bmo#734076)
|
||
XSS through data: URLs
|
||
* MFSA 2012-47/CVE-2012-1957 (bmo#750096)
|
||
Improper filtering of javascript in HTML feed-view
|
||
* MFSA 2012-48/CVE-2012-1958 (bmo#750820)
|
||
use-after-free in nsGlobalWindow::PageHidden
|
||
* MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559)
|
||
Same-compartment Security Wrappers can be bypassed
|
||
* MFSA 2012-50/CVE-2012-1960 (bmo#761014)
|
||
Out of bounds read in QCMS
|
||
* MFSA 2012-51/CVE-2012-1961 (bmo#761655)
|
||
X-Frame-Options header ignored when duplicated
|
||
* MFSA 2012-52/CVE-2012-1962 (bmo#764296)
|
||
JSDependentString::undepend string conversion results in memory
|
||
corruption
|
||
* MFSA 2012-53/CVE-2012-1963 (bmo#767778)
|
||
Content Security Policy 1.0 implementation errors cause data
|
||
leakage
|
||
* MFSA 2012-55/CVE-2012-1965 (bmo#758990)
|
||
feed: URLs with an innerURI inherit security context of page
|
||
* MFSA 2012-56/CVE-2012-1967 (bmo#758344)
|
||
Code execution through javascript: URLs
|
||
- license change from tri license to MPL-2.0
|
||
- fix crashreporter restart option (bmo#762780)
|
||
- require NSS 3.13.5
|
||
- remove mozjs pacrunner obsoletes again for now
|
||
- adopted mozilla-prefer_plugin_pref.patch
|
||
- PPC fixes:
|
||
* reenabled mozilla-yarr-pcre.patch to fix build for PPC
|
||
* add patches for bmo#750620 and bmo#746112
|
||
* fix xpcshell segfault on ppc
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jun 15 12:37:09 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 13.0.1
|
||
* bugfix release
|
||
- obsolete libproxy's mozjs pacrunner (bnc#759123)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jun 2 08:22:51 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 13.0 (bnc#765204)
|
||
* MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2012-36/CVE-2012-1944 (bmo#751422)
|
||
Content Security Policy inline-script bypass
|
||
* MFSA 2012-37/CVE-2012-1945 (bmo#670514)
|
||
Information disclosure though Windows file shares and shortcut
|
||
files
|
||
* MFSA 2012-38/CVE-2012-1946 (bmo#750109)
|
||
Use-after-free while replacing/inserting a node in a document
|
||
* MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
|
||
Buffer overflow and use-after-free issues found using Address
|
||
Sanitizer
|
||
- require NSS 3.13.4
|
||
* MFSA 2012-39/CVE-2012-0441 (bmo#715073)
|
||
- fix sound notifications when filename/path contains a whitespace
|
||
(bmo#749739)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 23 14:40:16 UTC 2012 - adrian@suse.de
|
||
|
||
- fix build on arm
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 16 05:34:01 UTC 2012 - wr@rosenauer.org
|
||
|
||
- reenabled crashreporter for Factory/12.2
|
||
(fix in mozilla-gcc47.patch)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Apr 21 10:02:37 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 12.0 (bnc#758408)
|
||
* rebased patches
|
||
* MFSA 2012-20/CVE-2012-0467/CVE-2012-0468
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2012-22/CVE-2012-0469 (bmo#738985)
|
||
use-after-free in IDBKeyRange
|
||
* MFSA 2012-23/CVE-2012-0470 (bmo#734288)
|
||
Invalid frees causes heap corruption in gfxImageSurface
|
||
* MFSA 2012-24/CVE-2012-0471 (bmo#715319)
|
||
Potential XSS via multibyte content processing errors
|
||
* MFSA 2012-25/CVE-2012-0472 (bmo#744480)
|
||
Potential memory corruption during font rendering using cairo-dwrite
|
||
* MFSA 2012-26/CVE-2012-0473 (bmo#743475)
|
||
WebGL.drawElements may read illegal video memory due to
|
||
FindMaxUshortElement error
|
||
* MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307)
|
||
Page load short-circuit can lead to XSS
|
||
* MFSA 2012-28/CVE-2012-0475 (bmo#694576)
|
||
Ambiguous IPv6 in Origin headers may bypass webserver access
|
||
restrictions
|
||
* MFSA 2012-29/CVE-2012-0477 (bmo#718573)
|
||
Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
|
||
* MFSA 2012-30/CVE-2012-0478 (bmo#727547)
|
||
Crash with WebGL content using textImage2D
|
||
* MFSA 2012-31/CVE-2011-3062 (bmo#739925)
|
||
Off-by-one error in OpenType Sanitizer
|
||
* MFSA 2012-32/CVE-2011-1187 (bmo#624621)
|
||
HTTP Redirections and remote content can be read by javascript errors
|
||
* MFSA 2012-33/CVE-2012-0479 (bmo#714631)
|
||
Potential site identity spoofing when loading RSS and Atom feeds
|
||
- added mozilla-libnotify.patch to allow fallback from libnotify
|
||
to xul based events if no notification-daemon is running
|
||
- gcc 4.7 fixes
|
||
* mozilla-gcc47.patch
|
||
* disabled crashreporter temporarily for Factory
|
||
- recommend libcanberra0 for proper sound notifications
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 9 21:47:07 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 11.0 (bnc#750044)
|
||
* MFSA 2012-13/CVE-2012-0455 (bmo#704354)
|
||
XSS with Drag and Drop and Javascript: URL
|
||
* MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103)
|
||
SVG issues found with Address Sanitizer
|
||
* MFSA 2012-15/CVE-2012-0451 (bmo#717511)
|
||
XSS with multiple Content Security Policy headers
|
||
* MFSA 2012-16/CVE-2012-0458
|
||
Escalation of privilege with Javascript: URL as home page
|
||
* MFSA 2012-17/CVE-2012-0459 (bmo#723446)
|
||
Crash when accessing keyframe cssText after dynamic modification
|
||
* MFSA 2012-18/CVE-2012-0460 (bmo#727303)
|
||
window.fullScreen writeable by untrusted content
|
||
* MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/
|
||
CVE-2012-0463
|
||
Miscellaneous memory safety hazards
|
||
- ported and reenabled KDE integration (bnc#746591)
|
||
- explicitely build-require X libs
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 5 13:31:48 UTC 2012 - vdziewiecki@suse.com
|
||
|
||
- add Provides: browser(npapi) FATE#313084
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 17 17:41:11 UTC 2012 - pcerny@suse.com
|
||
|
||
- better plugin directory resolution (bnc#747320)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 16 08:47:31 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 10.0.2 (bnc#747328)
|
||
* CVE-2011-3026 (bmo#727401)
|
||
libpng: integer overflow leading to heap-buffer overflow
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 9 09:26:11 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 10.0.1 (bnc#746616)
|
||
* MFSA 2012-10/CVE-2012-0452 (bmo#724284)
|
||
use after free in nsXBLDocumentInfo::ReadPrototypeBindings
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 7 10:40:58 UTC 2012 - dvaleev@suse.com
|
||
|
||
- Use YARR interpreter instead of PCRE on platforms where YARR JIT
|
||
is not supported, since PCRE doesnt build (bmo#691898)
|
||
- fix ppc64 build (bmo#703534)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 30 09:41:59 UTC 2012 - wr@rosenauer.org
|
||
|
||
- update to Firefox 10.0 (bnc#744275)
|
||
* MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2012-03/CVE-2012-0445 (bmo#701071)
|
||
<iframe> element exposed across domains via name attribute
|
||
* MFSA 2012-04/CVE-2011-3659 (bmo#708198)
|
||
Child nodes from nsDOMAttribute still accessible after removal
|
||
of nodes
|
||
* MFSA 2012-05/CVE-2012-0446 (bmo#705651)
|
||
Frame scripts calling into untrusted objects bypass security
|
||
checks
|
||
* MFSA 2012-06/CVE-2012-0447 (bmo#710079)
|
||
Uninitialized memory appended when encoding icon images may
|
||
cause information disclosure
|
||
* MFSA 2012-07/CVE-2012-0444 (bmo#719612)
|
||
Potential Memory Corruption When Decoding Ogg Vorbis files
|
||
* MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
|
||
Crash with malformed embedded XSLT stylesheets
|
||
- KDE integration has been disabled since it needs refactoring
|
||
- removed obsolete ppc64 patch
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jan 22 12:08:07 UTC 2012 - joop.boonen@opensuse.org
|
||
|
||
- Disable neon for arm as it doesn't build correctly
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 23 17:02:01 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to Firefox 9.0.1
|
||
* (strongparent) parentNode of element gets lost (bmo#335998)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Dec 18 09:58:52 UTC 2011 - adrian@suse.de
|
||
|
||
- fix arm build, don't package crashreporter there
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Dec 18 09:52:08 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to Firefox 9 (bnc#737533)
|
||
* MFSA 2011-53/CVE-2011-3660
|
||
Miscellaneous memory safety hazards (rv:9.0)
|
||
* MFSA 2011-54/CVE-2011-3661 (bmo#691299)
|
||
Potentially exploitable crash in the YARR regular expression
|
||
library
|
||
* MFSA 2011-55/CVE-2011-3658 (bmo#708186)
|
||
nsSVGValue out-of-bounds access
|
||
* MFSA 2011-56/CVE-2011-3663 (bmo#704482)
|
||
Key detection without JavaScript via SVG animation
|
||
* MFSA 2011-58/VE-2011-3665 (bmo#701259)
|
||
Crash scaling <video> to extreme sizes
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Nov 27 03:51:54 UTC 2011 - mgorse@suse.com
|
||
|
||
- Fix accessibility under GNOME 3 (bnc#732898)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Nov 12 15:16:38 UTC 2011 - dvaleev@suse.com
|
||
|
||
- fix ppc64 build
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Nov 6 08:20:59 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to Firefox 8 (bnc#728520)
|
||
* MFSA 2011-47/CVE-2011-3648 (bmo#690225)
|
||
Potential XSS against sites using Shift-JIS
|
||
* MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2011-49/CVE-2011-3650 (bmo#674776)
|
||
Memory corruption while profiling using Firebug
|
||
* MFSA 2011-52/CVE-2011-3655 (bmo#672182)
|
||
Code execution via NoWaiverWrapper
|
||
- rebased patches
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 20 12:34:47 UTC 2011 - wr@rosenauer.org
|
||
|
||
- enable telemetry prompt
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 30 10:52:36 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to minor release 7.0.1
|
||
* fixed staged addon updates
|
||
- set intl.locale.matchOS=true in the base package as it causes
|
||
too much confusion when it's only available with branding-openSUSE
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 23 11:22:22 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to Firefox 7 (bnc#720264)
|
||
including
|
||
* Improve Responsiveness with Memory Reductions
|
||
* Instant Sync
|
||
* WebSocket protocol 8
|
||
* MFSA 2011-36/CVE-2011-2995/CVE-2011-2996/CVE-2011-2997
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2011-39/CVE-2011-3000 (bmo#655389)
|
||
Defense against multiple Location headers due to CRLF Injection
|
||
* MFSA 2011-40/CVE-2011-2372/CVE-2011-3001
|
||
Code installation through holding down Enter
|
||
* MFSA 2011-41/CVE-2011-3002/CVE-2011-3003 (bmo#680840, bmo#682335)
|
||
Potentially exploitable WebGL crashes
|
||
* MFSA 2011-42/CVE-2011-3232 (bmo#653672)
|
||
Potentially exploitable crash in the YARR regular expression
|
||
library
|
||
* MFSA 2011-43/CVE-2011-3004 (bmo#653926)
|
||
loadSubScript unwraps XPCNativeWrapper scope parameter
|
||
* MFSA 2011-44/CVE-2011-3005 (bmo#675747)
|
||
Use after free reading OGG headers
|
||
* MFSA 2011-45
|
||
Inferring keystrokes from motion data
|
||
- removed obsolete mozilla-cairo-lcd.patch
|
||
- rebased patches
|
||
- removed XLIB_SKIP_ARGB_VISUALS=1 from environment in
|
||
mozilla.sh.in (bnc#680758)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 16 06:57:38 UTC 2011 - wr@rosenauer.org
|
||
|
||
- fixed loading of kde.js under KDE (bnc#718311)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 14 07:02:04 UTC 2011 - wr@rosenauer.org
|
||
|
||
- add dbus-1-glib-devel to BuildRequires (not pulled in
|
||
automatically anymore on 12.1)
|
||
- increase minversions for NSPR and NSS
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 9 20:44:15 UTC 2011 - wr@rosenauer.org
|
||
|
||
- recreated source archive to get correct source-stamp.txt
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 7 14:30:34 UTC 2011 - pcerny@suse.com
|
||
|
||
- security update to 6.0.2 (bnc#714931)
|
||
* Complete blocking of certificates issued by DigiNotar
|
||
(bmo#683449)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 2 14:40:07 UTC 2011 - pcerny@suse.com
|
||
|
||
- security update to 6.0.1 (bnc#714931)
|
||
* MFSA 2011-34
|
||
Protection against fraudulent DigiNotar certificates
|
||
(bmo#682927)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 12 21:16:19 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to 6.0 (bnc#712224)
|
||
included security fixes MFSA 2011-29
|
||
* CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985
|
||
Miscellaneous memory safety hazards
|
||
* CVE-2011-2993 (bmo#657267)
|
||
Unsigned scripts can call script inside signed JAR
|
||
* CVE-2011-2988 (bmo#665934)
|
||
Heap overflow in ANGLE library
|
||
* CVE-2011-0084 (bmo#648094)
|
||
Crash in SVGTextElement.getCharNumAtPosition()
|
||
* CVE-2011-2990
|
||
Credential leakage using Content Security Policy reports
|
||
* CVE-2011-2986 (bmo#655836)
|
||
Cross-origin data theft using canvas and Windows D2D
|
||
- removed obsolete curl header dependency (mozilla-curl.patch)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 22 13:34:12 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to 6.0b3
|
||
* removed obsolete patches
|
||
- firefox-shellservice.patch
|
||
- mozilla-gio.patch
|
||
- mozilla-ppc-ipc.patch
|
||
- firefox-linkorder.patch
|
||
- firefox-no-sync-l10n.patch
|
||
- recognize linux3 as platform for symbolstore.py
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 1 19:53:18 CEST 2011 - vuntz@opensuse.org
|
||
|
||
- Add x-scheme-handler/ftp to the MimeType key in the .desktop, to
|
||
let desktops know that Firefox can deal with ftp: URIs.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 1 06:45:08 UTC 2011 - wr@rosenauer.org
|
||
|
||
- create upstream branding package again (supposedly empty)
|
||
(bnc#703401)
|
||
- fix build on SLE11 (changes do not affect/are not applied for
|
||
later versions)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 22 06:41:17 UTC 2011 - wr@rosenauer.org
|
||
|
||
- enable startup notification (bnc#701465)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 20 19:37:01 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to 5.0 final
|
||
- included fixes for security issues: (bnc#701296, bnc#700578)
|
||
* MFSA 2011-19/CVE-2011-2374 CVE-2011-2375
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2011-20/CVE-2011-2373 (bmo#617247)
|
||
Use-after-free vulnerability when viewing XUL document with
|
||
script disabled
|
||
* MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303)
|
||
Memory corruption due to multipart/x-mixed-replace images
|
||
* MFSA 2011-22/CVE-2011-2371 (bmo#664009)
|
||
Integer overflow and arbitrary code execution in
|
||
Array.reduceRight()
|
||
* MFSA 2011-25/CVE-2011-2366
|
||
Stealing of cross-domain images using WebGL textures
|
||
* MFSA 2011-26/CVE-2011-2367 CVE-2011-2368
|
||
Multiple WebGL crashes
|
||
* MFSA 2011-27/CVE-2011-2369 (bmo#650001)
|
||
XSS encoding hazard with inline SVG
|
||
* MFSA 2011-28/CVE-2011-2370 (bmo#645699)
|
||
Non-whitelisted site can trigger xpinstall
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 20 09:17:42 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to 5.0b7
|
||
* updated supported locales
|
||
- do not build dump_syms static (not needed for us)
|
||
-> fix build for openSUSE 12.1 and above
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 15 14:59:32 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to 5.0b6
|
||
- include proper revision information into the build
|
||
- speedier find-external-requires.sh
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 31 06:53:55 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to 5.0b3
|
||
- transformed to standalone Firefox (not xulrunner based)
|
||
(with new Firefox rapid release cycle it makes no sense anymore)
|
||
* imported all relevant xulrunner patches
|
||
- do not compile in build timestamp
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 15 07:08:53 UTC 2011 - wr@rosenauer.org
|
||
|
||
- security update to 4.0.1 (bnc#689281)
|
||
* MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0079
|
||
CVE-2011-0080 CVE-2011-0081
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2011-17/CVE-2011-0068 (bmo#623791)
|
||
WebGLES vulnerabilities
|
||
* MFSA 2011-18/CVE-2011-1202 (bmo#640339)
|
||
XSLT generate-id() function heap address leak
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 30 11:24:36 UTC 2011 - wr@rosenauer.org
|
||
|
||
- add all available icon sizes
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 29 11:55:53 UTC 2011 - cfarrell@novell.com
|
||
|
||
- license update: MPLv1.1 or GPLv2+ or LGPLv2+
|
||
Sync licenses with Fedora. MPL does not state ^or later^
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 18 08:49:15 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to version 4.0rc2
|
||
- fixed rpm macros delivered with devel package (bnc#679950)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Feb 23 07:52:04 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to version 4.0b12
|
||
- rebased patches
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 4 09:32:50 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to version 4.0b11
|
||
* loads of bugfixes compared to last beta
|
||
* added "Do Not Track" option
|
||
- rebased patches
|
||
- disable testpilot
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 28 08:56:12 UTC 2011 - wr@rosenauer.org
|
||
|
||
- set correct desktop file name within KDE for 11.4 and up
|
||
- add devel package with macros for extensions (from lnussel@suse.de)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jan 22 22:21:52 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to version 4.0b10
|
||
- removed obsolete firefox-shell-bmo624267.patch
|
||
- testpilot moved to distribution/extensions
|
||
- updated locale provides and removed bn-IN from locales
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jan 11 06:13:40 UTC 2011 - wr@rosenauer.org
|
||
|
||
- update to version 4.0b9
|
||
- added x-scheme-handler for http and https to desktop file for
|
||
newer Gnome environments
|
||
- fixed default browser check/set for GIO (bmo#611953)
|
||
(mozilla-shellservice.patch)
|
||
- removed obsolete firefox-appname.patch (integrated into
|
||
shellservice patch)
|
||
- renamed desktop file to firefox.desktop for 11.4 and newer
|
||
(bnc#664211)
|
||
- removed support for 10.3 and older from the spec file
|
||
- removed obsolete "Ximian" categories from desktop file
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 3 17:35:46 CET 2011 - meissner@suse.de
|
||
|
||
- Mirror ac_add_options --disable-ipc from xulrunner for PowerPC.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 15 07:49:45 UTC 2010 - wr@rosenauer.org
|
||
|
||
- update to version 4.0beta8
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 30 14:19:59 UTC 2010 - wr@rosenauer.org
|
||
|
||
- major update to version 4.0beta7
|
||
* based on mozilla-xulrunner20
|
||
* far too many internal changes to list
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 27 07:12:14 CEST 2010 - wr@rosenauer.org
|
||
|
||
- security update to 3.6.12 (bnc#649492)
|
||
* MFSA 2010-73/CVE-2010-3765 (bmo#607222)
|
||
Heap buffer overflow mixing document.write and DOM insertion
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 6 07:13:52 CEST 2010 - wr@rosenauer.org
|
||
|
||
- security update to 3.6.11 (bnc#645315)
|
||
* MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2010-65/CVE-2010-3179 (bmo#583077)
|
||
Buffer overflow and memory corruption using document.write
|
||
* MFSA 2010-66/CVE-2010-3180 (bmo#588929)
|
||
Use-after-free error in nsBarProp
|
||
* MFSA 2010-67/CVE-2010-3183 (bmo#598669)
|
||
Dangling pointer vulnerability in LookupGetterOrSetter
|
||
* MFSA 2010-68/CVE-2010-3177 (bmo#556734)
|
||
XSS in gopher parser when parsing hrefs
|
||
* MFSA 2010-69/CVE-2010-3178 (bmo#576616)
|
||
Cross-site information disclosure via modal calls
|
||
* MFSA 2010-70/CVE-2010-3170 (bmo#578697)
|
||
SSL wildcard certificate matching IP addresses
|
||
* MFSA 2010-71/CVE-2010-3182 (bmo#590753)
|
||
Unsafe library loading vulnerabilities
|
||
* MFSA 2010-72/CVE-2010-3173
|
||
Insecure Diffie-Hellman key exchange
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 15 07:39:22 CEST 2010 - wr@rosenauer.org
|
||
|
||
- update to 3.6.10
|
||
* fixing startup topcrash (bmo#594699)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 26 07:40:28 CEST 2010 - wr@rosenauer.org
|
||
|
||
- security update to 3.6.9 (bnc#637303)
|
||
* MFSA 2010-49/CVE-2010-3169
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2010-50/CVE-2010-2765 (bmo#576447)
|
||
Frameset integer overflow vulnerability
|
||
* MFSA 2010-51/CVE-2010-2767 (bmo#584512)
|
||
Dangling pointer vulnerability using DOM plugin array
|
||
* MFSA 2010-53/CVE-2010-3166 (bmo#579655)
|
||
Heap buffer overflow in nsTextFrameUtils::TransformText
|
||
* MFSA 2010-54/CVE-2010-2760 (bmo#585815)
|
||
Dangling pointer vulnerability in nsTreeSelection
|
||
* MFSA 2010-55/CVE-2010-3168 (bmo#576075)
|
||
XUL tree removal crash and remote code execution
|
||
* MFSA 2010-56/CVE-2010-3167 (bmo#576070)
|
||
Dangling pointer vulnerability in nsTreeContentView
|
||
* MFSA 2010-57/CVE-2010-2766 (bmo#580445)
|
||
Crash and remote code execution in normalizeDocument
|
||
* MFSA 2010-59/CVE-2010-2762 (bmo#584180)
|
||
SJOW creates scope chains ending in outer object
|
||
* MFSA 2010-61/CVE-2010-2768 (bmo#579744)
|
||
UTF-7 XSS by overriding document charset using <object> type
|
||
attribute
|
||
* MFSA 2010-62/CVE-2010-2769 (bmo#520189)
|
||
Copy-and-paste or drag-and-drop into designMode document allows
|
||
XSS
|
||
* MFSA 2010-63/CVE-2010-2764 (bmo#552090)
|
||
Information leak via XMLHttpRequest statusText
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 28 08:33:14 CEST 2010 - meissner@suse.de
|
||
|
||
- disable crash reporter for non x86/x86_64 to make it build.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jul 24 12:42:58 CEST 2010 - wr@rosenauer.org
|
||
|
||
- security update to 3.6.8 (bnc#622506)
|
||
* MFSA 2010-48/CVE-2010-2755 (bmo#575836)
|
||
Dangling pointer crash regression from plugin parameter array
|
||
fix
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 16 06:48:44 CEST 2010 - wr@rosenauer.org
|
||
|
||
- security update to 3.6.7 (bnc#622506)
|
||
* MFSA 2010-34/CVE-2010-1211/CVE-2010-1212
|
||
Miscellaneous memory safety hazards
|
||
* MFSA 2010-35/CVE-2010-1208 (bmo#572986)
|
||
DOM attribute cloning remote code execution vulnerability
|
||
* MFSA 2010-36/CVE-2010-1209 (bmo#552110)
|
||
Use-after-free error in NodeIterator
|
||
* MFSA 2010-37/CVE-2010-1214 (bmo#572985)
|
||
Plugin parameter EnsureCachedAttrParamArrays remote code
|
||
execution vulnerability
|
||
* MFSA 2010-38/CVE-2010-1215 (bmo#567069)
|
||
Arbitrary code execution using SJOW and fast native function
|
||
* MFSA 2010-39/CVE-2010-2752 (bmo#574059)
|
||
nsCSSValue::Array index integer overflow
|
||
* MFSA 2010-40/CVE-2010-2753 (bmo#571106)
|
||
nsTreeSelection dangling pointer remote code execution
|
||
vulnerability
|
||
* MFSA 2010-41/CVE-2010-1205 (bmo#570451)
|
||
Remote code execution using malformed PNG image
|
||
* MFSA 2010-42/CVE-2010-1213 (bmo#568148)
|
||
Cross-origin data disclosure via Web Workers and importScripts
|
||
* MFSA 2010-43/CVE-2010-1207 (bmo#571287)
|
||
Same-origin bypass using canvas context
|
||
* MFSA 2010-44/CVE-2010-1210 (bmo#564679)
|
||
Characters mapped to U+FFFD in 8 bit encodings cause subsequent
|
||
character to vanish
|
||
* MFSA 2010-45/CVE-2010-1206/CVE-2010-2751 (bmo#536466,556957)
|
||
Multiple location bar spoofing vulnerabilities
|
||
* MFSA 2010-46/CVE-2010-0654 (bmo#524223)
|
||
Cross-domain data theft using CSS
|
||
* MFSA 2010-47/CVE-2010-2754 (bmo#568564)
|
||
Cross-origin data leakage from script filename in error messages
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jun 27 20:24:31 CEST 2010 - wr@rosenauer.org
|
||
|
||
- update to 3.6.6 release
|
||
* modifies the crash protection feature to increase the amount
|
||
of time that plugins are allowed to be non-responsive before
|
||
being terminated.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 23 14:40:35 CEST 2010 - wr@rosenauer.org
|
||
|
||
- update to final 3.6.4 release (bnc#603356)
|
||
* MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/
|
||
CVE-2010-1203
|
||
Crashes with evidence of memory corruption (rv:1.9.2.4)
|
||
* MFSA 2010-28/CVE-2010-1198 (bmo#532246)
|
||
Freed object reuse across plugin instances
|
||
* MFSA 2010-29/CVE-2010-1196 (bmo#534666)
|
||
Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
|
||
* MFSA 2010-30/CVE-2010-1199 (bmo#554255)
|
||
Integer Overflow in XSLT Node Sorting
|
||
* MFSA 2010-31/CVE-2010-1125 (bmo#552255)
|
||
focus() behavior can be used to inject or steal keystrokes
|
||
* MFSA 2010-32/CVE-2010-1197 (bmo#537120)
|
||
Content-Disposition: attachment ignored if
|
||
Content-Type: multipart also present
|
||
* MFSA 2010-33/CVE-2008-5913 (bmo#475585)
|
||
User tracking across sites using Math.random()
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 7 07:07:33 CEST 2010 - wr@rosenauer.org
|
||
|
||
- update to 3.6.4(build6)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Apr 18 09:42:40 CEST 2010 - wr@rosenauer.org
|
||
|
||
- security update to 3.6.4 (Lorentz)
|
||
* enable crashreporter also for x86-64
|
||
* Flash runs in a separate process to avoid crashing Firefox
|
||
(ix86 only; x86-64 still uses nspluginwrapper)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Apr 1 11:15:38 UTC 2010 - wr@rosenauer.org
|
||
|
||
- security update to 3.6.3
|
||
* MFSA 2010-25/CVE-2010-1121 (bmo#555109)
|
||
Re-use of freed object due to scope confusion
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 18 06:43:33 CET 2010 - wr@rosenauer.org
|
||
|
||
- security update to version 3.6.2 (bnc#586567)
|
||
* MFSA 2010-08/CVE-2010-1028
|
||
WOFF heap corruption due to integer overflow
|
||
* MFSA 2010-09/CVE-2010-0164 (bmo#547143)
|
||
Deleted frame reuse in multipart/x-mixed-replace image
|
||
* MFSA 2010-10/CVE-2010-0170 (bmo#541530)
|
||
XSS via plugins and unprotected Location object
|
||
* MFSA 2010-11/CVE-2010-0165/CVE-2010-0166/CVE-2010-0167
|
||
Crashes with evidence of memory corruption
|
||
* MFSA 2010-12/CVE-2010-0171 (bmo#531364)
|
||
XSS using addEventListener and setTimeout on a wrapped object
|
||
* MFSA 2010-13/CVE-2010-0168 (bmo#540642)
|
||
Content policy bypass with image preloading
|
||
* MFSA 2010-14/CVE-2010-0169 (bmo#535806)
|
||
Browser chrome defacement via cached XUL stylesheets
|
||
* MFSA 2010-15/CVE-2010-0172 (bmo#537862)
|
||
Asynchronous Auth Prompt attaches to wrong window
|
||
* MFSA 2010-16/CVE-2010-0173/CVE-2010-0174
|
||
Crashes with evidence of memory corruption
|
||
* MFSA 2010-18/CVE-2010-0176 (bmo#538308)
|
||
Dangling pointer vulnerability in nsTreeContentView
|
||
* MFSA 2010-19/CVE-2010-0177 (bmo#538310)
|
||
Dangling pointer vulnerability in nsPluginArray
|
||
* MFSA 2010-20/CVE-2010-0178 (bmo#546909)
|
||
Chrome privilege escalation via forced URL drag and drop
|
||
* MFSA 2010-22/CVE-2009-3555 (bmo#545755)
|
||
Update NSS to support TLS renegotiation indication
|
||
* MFSA 2010-23/CVE-2010-0181 (bmo#452093)
|
||
Image src redirect to mailto: URL opens email editor
|
||
* MFSA 2010-24/CVE-2010-0182 (bmo#490790)
|
||
XMLDocument::load() doesn't check nsIContentPolicy
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 18 09:42:50 CET 2010 - wr@rosenauer.org
|
||
|
||
- update to 3.6rc2 (already named 3.6.0)
|
||
- removed obsolete orbit-devel build requirement
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 6 17:15:40 CET 2010 - wr@rosenauer.org
|
||
|
||
- major update to 3.6rc1
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 25 09:39:42 CET 2009 - wr@rosenauer.org
|
||
|
||
- update to version 3.5.7 (bnc#568011)
|
||
* DNS resolution in MakeSN of nsAuthSSPI causing issues for
|
||
proxy servers that support NTLM auth (bmo#535193)
|
||
- added missing lockdown preferences (bnc#567131)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 17 20:06:38 CET 2009 - wr@rosenauer.org
|
||
|
||
- readded firefox-ui-lockdown.patch (bnc#546158)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 3 21:53:59 CET 2009 - wr@rosenauer.org
|
||
|
||
- security update to version 3.5.6 (bnc#559807)
|
||
* MFSA 2009-65/CVE-2009-3979/CVE-2009-3980/CVE-2009-3982
|
||
Crashes with evidence of memory corruption (rv:1.9.1.6)
|
||
* MFSA 2009-66/CVE-2009-3388 (bmo#504843,bmo#523816)
|
||
Memory safety fixes in liboggplay media library
|
||
* MFSA 2009-67/CVE-2009-3389 (bmo#515882,bmo#504613)
|
||
Integer overflow, crash in libtheora video library
|
||
* MFSA 2009-68/CVE-2009-3983 (bmo#487872)
|
||
NTLM reflection vulnerability
|
||
* MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232)
|
||
Location bar spoofing vulnerabilities
|
||
* MFSA 2009-70/VE-2009-3986 (bmo#522430)
|
||
Privilege escalation via chrome window.opener
|
||
- fixed firefox-browser-css.patch (bnc#561027)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 23 22:31:21 CET 2009 - wr@rosenauer.org
|
||
|
||
- rebased patches for fuzz=0
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 5 19:49:33 UTC 2009 - wr@rosenauer.org
|
||
|
||
- update to version 3.5.5 (bnc#553172)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 17 23:19:23 CEST 2009 - wr@rosenauer.org
|
||
|
||
- security update to version 3.5.4 (bnc#545277)
|
||
* MFSA 2009-52/CVE-2009-3370 (bmo#511615)
|
||
Form history vulnerable to stealing
|
||
* MFSA 2009-53/CVE-2009-3274 (bmo#514823)
|
||
Local downloaded file tampering
|
||
* MFSA 2009-54/CVE-2009-3371 (bmo#514554)
|
||
Crash with recursive web-worker calls
|
||
* MFSA 2009-55/CVE-2009-3372 (bmo#500644)
|
||
Crash in proxy auto-configuration regexp parsing
|
||
* MFSA 2009-56/CVE-2009-3373 (bmo#511689)
|
||
Heap buffer overflow in GIF color map parser
|
||
* MFSA 2009-57/CVE-2009-3374 (bmo#505988)
|
||
Chrome privilege escalation in XPCVariant::VariantDataToJS()
|
||
* MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862)
|
||
Heap buffer overflow in string to number conversion
|
||
* MFSA 2009-61/CVE-2009-3375 (bmo#503226)
|
||
Cross-origin data theft through document.getSelection()
|
||
* MFSA 2009-62/CVE-2009-3376 (bmo#511521)
|
||
Download filename spoofing with RTL override
|
||
* MFSA 2009-63/CVE-2009-3377/CVE-2009-3379/CVE-2009-3378
|
||
Upgrade media libraries to fix memory safety bugs
|
||
* MFSA 2009-64/CVE-2009-3380/CVE-2009-3381/CVE-2009-3383
|
||
Crashes with evidence of memory corruption
|
||
- removed upstreamed patch
|
||
* firefox-bug506901.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 7 20:11:24 CEST 2009 - llunak@novell.com
|
||
|
||
- fix KDE button order in one more place (bnc#170055)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 2 20:26:49 CEST 2009 - wr@rosenauer.org
|
||
|
||
- improve UI colors to be usable with dark themes at all
|
||
(firefox-browser-css.patch) (bnc#503351)
|
||
- extend list of supported architectures as ABI identifier
|
||
(mozilla-abi.patch) (bnc#543460)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 14 00:07:55 CEST 2009 - wr@rosenauer.org
|
||
|
||
- added KDE integration patch from llunak@novell.com
|
||
(firefox-kde.patch)
|
||
* support for knotify, making -kde4-addon obsolete
|
||
* KDE-specific support functional (bnc#170055)
|
||
- do not build libnkgnomevfs (bmo#512671) (firefox-no-gnomevfs)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 10 09:34:26 CEST 2009 - wr@rosenauer.org
|
||
|
||
- security update to version 3.5.3 (bnc#534458)
|
||
* MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/
|
||
CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075
|
||
Crashes with evidence of memory corruption
|
||
* MFSA 2009-49/CVE-2009-3077 (bmo#506871)
|
||
TreeColumns dangling pointer vulnerability
|
||
* MFSA 2009-50/CVE-2009-3078 (bmo#453827)
|
||
Location bar spoofing via tall line-height Unicode characters
|
||
* MFSA 2009-51/CVE-2009-3079 (bmo#454363)
|
||
Chrome privilege escalation with FeedWriter
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 19 22:14:07 CEST 2009 - wr@rosenauer.org
|
||
|
||
- renamed patch firefox-contextmenu-gnome to firefox-cross-desktop
|
||
as it contains more tweaks to handle non-Gnome environments and
|
||
especially KDE integration:
|
||
* added the ability to set the KDE default browser
|
||
(still part of bnc#170055)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Aug 8 00:14:18 CEST 2009 - wr@rosenauer.org
|
||
|
||
- split -translations package into -common and -other
|
||
(bnc#529180)
|
||
- remove "set as background" from context menu if not running in
|
||
Gnome (part of bnc#170055)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 31 09:01:57 CEST 2009 - wr@rosenauer.org
|
||
|
||
- security update to version 3.5.2
|
||
* MFSA 2009-38/CVE-2009-2470 (bmo#459524)
|
||
Data corruption with SOCKS5 reply containing DNS name longer
|
||
than 15 characters
|
||
* MFSA 2009-44/CVE-2009-2654 (bmo#451898)
|
||
Location bar and SSL indicator spoofing via window.open() on
|
||
invalid URL
|
||
* MFSA 2009-45
|
||
Crashes with evidence of memory corruption
|
||
* MFSA 2009-46 (bmo#498897)
|
||
Chrome privilege escalation due to incorrectly cached wrapper
|
||
* various other stability fixes
|
||
- export MOZ_APP_LAUNCHER in the startscript (bmo#453689)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 28 14:54:46 CEST 2009 - wr@rosenauer.org
|
||
|
||
- fixed %exclude usage
|
||
- fixed preferences' advanced pane for fresh profiles (bmo#506901)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 15 20:13:19 CEST 2009 - wr@rosenauer.org
|
||
|
||
- security update to version 3.5.1
|
||
* MFSA 2009-41
|
||
Corrupt JIT state after deep return from native function
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jul 6 12:33:47 CEST 2009 - wr@rosenauer.org
|
||
|
||
- added mozilla-linkorder.patch to fix build with --as-needed
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 30 08:52:00 CEST 2009 - wr@rosenauer.org
|
||
|
||
- update to final version 3.5 (20090623)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 23 09:39:50 CEST 2009 - wr@rosenauer.org
|
||
|
||
- fixed build by linking to a real file
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 18 10:19:40 CEST 2009 - wr@rosenauer.org
|
||
|
||
- update to version 3.5rc2 (20090617)
|
||
- BuildRequire mozilla-xulrunner191 = 1.9.1.0
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jun 6 15:59:02 CEST 2009 - wr@rosenauer.org
|
||
|
||
- update to version 3.5b99 (20090604)
|
||
- BuildRequire mozilla-xulrunner191 = 1.9.1b99
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 27 08:03:16 CEST 2009 - wr@rosenauer.org
|
||
|
||
- fixed typos in improved xulrunner dependencies
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 11 18:25:12 CEST 2009 - wr@rosenauer.org
|
||
|
||
- use non-localized Downloads folder (bnc#501724)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 4 07:57:50 CEST 2009 - wr@rosenauer.org
|
||
|
||
- update to new major version 3.5b4
|
||
* based on Gecko 1.9.1 (mozilla-xulrunner191)
|
||
* Private Browsing Mode
|
||
* TraceMonkey JavaScript engine
|
||
* Geolocation support
|
||
* native JSON and web worker threads support
|
||
* speculative parsing for faster content rendering
|
||
* Some HTML5 support
|
||
- updated firefox.schemas
|
||
- improved firefox-no-update.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 28 10:47:54 CEST 2009 - wr@rosenauer.org
|
||
|
||
- security update to 3.0.10
|
||
* MFSA 2009-23/CVE-2009-1313 (bmo#489647)
|
||
Crash in nsTextFrame::ClearTextRun()
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Apr 16 13:52:21 CEST 2009 - wr@rosenauer.org
|
||
|
||
- security update to 3.0.9 (bnc#495473)
|
||
* MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305
|
||
Crashes with evidence of memory corruption (rv:1.9.0.9)
|
||
* MFSA 2009-15/CVE-2009-0652 (bmo#479336)
|
||
URL spoofing with box drawing character
|
||
* MFSA 2009-16/CVE-2009-1306 (bmo#474536)
|
||
jar: scheme ignores the content-disposition: header on the
|
||
inner URI
|
||
* MFSA 2009-17/CVE-2009-1307 (bmo#481342)
|
||
Same-origin violations when Adobe Flash loaded via
|
||
view-source: scheme
|
||
* MFSA 2009-18/CVE-2009-1308 (bmo#481558)
|
||
XSS hazard using third-party stylesheets and XBL bindings
|
||
* MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433)
|
||
Same-origin violations in XMLHttpRequest and
|
||
XPCNativeWrapper.toString
|
||
* MFSA 2009-20/CVE-2009-1310 (bmo#483086)
|
||
Malicious search plugins can inject code into arbitrary sites
|
||
* MFSA 2009-21/CVE-2009-1311 (bmo#471962)
|
||
POST data sent to wrong site when saving web page with
|
||
embedded frame
|
||
* MFSA 2009-22/CVE-2009-1312 (bmo#475636)
|
||
Firefox allows Refresh header to redirect to javascript: URIs
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 27 09:43:43 CET 2009 - wr@rosenauer.org
|
||
|
||
- security update to 1.9.0.8 (bnc#488955,489411)
|
||
* MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217)
|
||
Crash and remote code execution in XSL transformation
|
||
* MFSA 2009-13/CVE-2009-1044 (bmo#484320)
|
||
Arbitrary code execution via XUL tree moveToEdgeShift
|
||
- allow RPM provides for stuff besides shared libraries
|
||
(e.g. mime-types)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Mar 1 11:08:58 CET 2009 - wr@rosenauer.org
|
||
|
||
- security update to 3.0.7 (bnc#478625)
|
||
* MFSA 2009-07 - Crashes with evidence of memory corruption
|
||
CVE-2009-0771 - Layout Engine Crashes
|
||
CVE-2009-0772 - Layout Engine Crashes
|
||
CVE-2009-0773 - crashes in the JavaScript engine
|
||
CVE-2009-0774 - Layout Engine Crashes
|
||
* MFSA 2009-08/CVE-2009-0775 - (bmo#474456)
|
||
Mozilla Firefox XUL Linked Clones Double Free Vulnerability
|
||
* MFSA 2009-09/CVE-2009-0776 (bmo#414540)
|
||
XML data theft via RDFXMLDataSource and cross-domain redirect
|
||
* MFSA 2009-10/CVE-2009-0040 (bmo#478901)
|
||
Upgrade PNG library to fix memory safety hazards
|
||
* MFSA 2009-11/CVE-2009-0777 (bmo#452979)
|
||
URL spoofing with invisible control characters
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Feb 4 18:58:59 EST 2009 - hfiguiere@suse.de
|
||
|
||
- Review and approve changes.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 28 13:48:00 CET 2009 - wr@rosenauer.org
|
||
|
||
- security update to 3.0.6 (bnc#470074)
|
||
* MFSA 2009-06/CVE-2009-0358: Directives to not cache pages ignored
|
||
(bmo#441751)
|
||
* MFSA 2009-05/CVE-2009-0357: XMLHttpRequest allows reading
|
||
HTTPOnly cookies (bmo#380418)
|
||
* MFSA 2009-04/CVE-2009-0356: Chrome privilege escalation via
|
||
local .desktop files (bmo#460425)
|
||
* MFSA 2009-03/CVE-2009-0355: Local file stealing with SessionStore
|
||
(bmo#466937)
|
||
* MFSA 2009-02/CVE-2009-0354: XSS using a chrome XBL method
|
||
and window.eval (bmo#468581)
|
||
* MFSA 2009-01/CVE-2009-0352 - CVE-2009-0353: Crashes with
|
||
evidence of memory corruption (rv:1.9.0.6) (bmo#452913,
|
||
bmo#449006, bmo#331088, bmo#401042, bmo#416461, bmo#422283,
|
||
bmo#422301, bmo#431705, bmo#437142, bmo#421839, bmo#420697,
|
||
bmo#461027)
|
||
* (non security) added lv locale
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 22 11:09:42 EST 2009 - hfiguiere@suse.de
|
||
|
||
- Fix the wrapper script for PowerPC 64-bits (bnc#464753)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 17 13:13:25 EST 2008 - hfiguiere@suse.de
|
||
|
||
- Review and approve changes.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Dec 15 16:41:57 CET 2008 - wr@rosenauer.org
|
||
|
||
- security update to 1.9.0.5 (bnc#455804)
|
||
for details
|
||
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
|
||
* removed aboutRights workaround again
|
||
* added et locale
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 25 10:14:45 EST 2008 - hfiguiere@suse.de
|
||
|
||
- Review and approve changes.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Nov 22 13:26:03 CET 2008 - wr@rosenauer.org
|
||
|
||
- replace license agreement with about:rights toolbar
|
||
(backported from upcoming FF 3.0.5) (bnc#436054, bmo#456439)
|
||
(it's always displayed in en-US)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Nov 21 03:11:41 EST 2008 - hfiguiere@suse.de
|
||
|
||
- Update firefox-lockdown-ui.patch
|
||
* Print Setup is now properly locked down. bnc#431028
|
||
* Bookmark editing it now properly locked down. bnc#439335
|
||
* Bookmars are properly hidden.
|
||
* History is properly locked down. bnc#439343
|
||
* Make sure the search bar is not put back when resetting the
|
||
toolbar. bnc#439358
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 20 18:49:19 CST 2008 - maw@suse.de
|
||
|
||
- Review and approve changes.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 13 08:22:13 CET 2008 - wr@rosenauer.org
|
||
|
||
- lockdown cleanup
|
||
* removed gecko-lockdown.patch from Firefox (it's in xulrunner)
|
||
* stripped out some toolkit stuff from firefox-ui-lockdown
|
||
* added extra default preferences for lockdown
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Nov 12 17:55:19 CST 2008 - maw@suse.de
|
||
|
||
- Review and approve changes.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 11 09:15:59 CET 2008 - wr@rosenauer.org
|
||
|
||
- update to security/maintenance release 3.0.4 (bnc#439841)
|
||
* support additional locales (bg, cy, eo, oc)
|
||
- removed obsolete configure option (enable-gconf)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Nov 7 15:39:54 CST 2008 - maw@suse.de
|
||
|
||
- Review and approve changes.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 4 23:27:03 CET 2008 - wr@rosenauer.org
|
||
|
||
- moved gconf schema into branding packages (bnc#441646)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 28 16:16:14 EDT 2008 - hfiguiere@suse.de
|
||
|
||
- Fix missing %endif (for fix for bnc#434283)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 27 17:05:02 EDT 2008 - hfiguiere@suse.de
|
||
|
||
- Add disable_show_passwords to firefox.schemas. (FATE #301534)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 27 11:57:29 CET 2008 - wr@rosenauer.org
|
||
|
||
- make biarch dependencies work correctly (bnc#434283)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de
|
||
|
||
- Added firefox-ui-lockdown.patch and gecko-lockdown.patch
|
||
* Lockdown: FATE#302023, FATE#302024
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 6 14:55:48 CEST 2008 - sbrabec@suse.cz
|
||
|
||
- Conflict with other branding providers (FATE#304881).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 29 12:27:43 CDT 2008 - maw@suse.de
|
||
|
||
- Review and approve changes.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 29 11:36:30 CDT 2008 - maw@suse.de
|
||
|
||
- Remove a reference to a stale patch.
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Sep 28 18:19:26 CEST 2008 - wr@rosenauer.org
|
||
|
||
- update to regression fix release 3.0.3
|
||
* Fixed a problem where users were unable to retrieve saved
|
||
passwords or save new passwords (bmo#454708, bnc#429179#c20,
|
||
CVE-2008-4063, CVE-2008-4064, CVE-2008-3836, andCVE-2008-4070)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 25 14:47:13 CDT 2008 - maw@suse.de
|
||
|
||
- Review and approve changes.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 15 13:45:16 CEST 2008 - wr@rosenauer.org
|
||
|
||
- update to security/maintenance release 3.0.2 (bnc#429179)
|
||
- removed unused files from sources
|
||
- fix more rpmlint complaints and provide a config file to filter
|
||
false positives
|
||
- disable Gnome crashreporter as it has no value
|
||
- brought man-page up to date for the firefox stub
|
||
(removing firefox-bin reference)
|
||
- en-US locale not longer packaged in translations subpackage
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 15 18:56:26 CDT 2008 - maw@novell.com
|
||
|
||
- Review and approve changes.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 4 09:26:05 CEST 2008 - wr@rosenauer.org
|
||
|
||
- Tweak branding split
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 29 15:02:47 CEST 2008 - vuntz@novell.com
|
||
|
||
- Create branding package (bnc#390752):
|
||
+ search-addons.tar.bz2, bookmarks.html.suse and
|
||
firefox-suse-default-prefs.js will be moved to
|
||
MozillaFirefox-branding-openSUSE
|
||
+ create a MozillaFirefox-branding-upstream package
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jul 28 20:54:22 CEST 2008 - mauro@suse.de
|
||
|
||
- Update to stability/security release 3.0.1 (bnc#407573)
|
||
(thanks, Wolfgang)
|
||
+ MFSA 2008-36 Crash with malformed GIF file on Mac OS X
|
||
+ MFSA 2008-35 Command-line URLs launch multiple tabs when
|
||
Firefox not running
|
||
+ MFSA 2008-34 Remote code execution by overflowing CSS reference counter
|
||
- Set browser.shell.checkDefaultBrowser to true (bnc#404119)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 17 18:49:33 CEST 2008 - maw@suse.de
|
||
|
||
- Merge changes from the build service (thanks, Wolfgang)
|
||
(bnc#400001 and SWAMP#18164).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 17 14:40:04 CEST 2008 - wr@rosenauer.org
|
||
|
||
- update to version 3.0
|
||
- fixed double entry in bookmarks for www.opensuse.org (bnc#396980
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 15 13:45:51 CEST 2008 - aj@suse.de
|
||
|
||
- Add Planet SUSE, forums.o.o and How to participate to default
|
||
URLs.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 2 16:25:24 CEST 2008 - maw@suse.de
|
||
|
||
- network.protocol-handler.app.* prefs are no longer supported;
|
||
remove references to them from firefox-suse-default-prefs.js
|
||
(bnc#383697).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Apr 3 01:42:34 CEST 2008 - maw@suse.de
|
||
|
||
- Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 26 01:05:18 CET 2008 - maw@suse.de
|
||
|
||
- Merge changes from the build service (thanks, Wolfgang)
|
||
- Update to the fourth Firefox 3.0 Beta (2.9.94):
|
||
+ Based upon the Gecko 1.9 Web rendering platform, which improves
|
||
performance, stability, and rendering correctness; it also
|
||
boasts a considerable simplification in its code
|
||
+ Security improvements:
|
||
* One-click site info
|
||
* Malware Protection
|
||
* New Web Forgery Protection page
|
||
* New SSL error pages
|
||
* Add-ons and Plugin version check
|
||
* Secure add-on updates
|
||
* Effective top-level domain (eTLD) service to better restrict
|
||
cookies and other restricted content to a single domain
|
||
* Better protection against cross-site JSON data leaks
|
||
+ Usability improvements:
|
||
* Easier password management
|
||
* Simplified add-on installation
|
||
* New Download Manager
|
||
* Resumable downloading
|
||
* Full page zoom
|
||
* Podcasts and Videocasts can be associated with your media
|
||
playback tools
|
||
* Tab scrolling and quickmenu
|
||
* Save what you were doing: Firefox will prompt users to save
|
||
tabs on exit
|
||
* Optimized Open in Tabs behavior
|
||
* Location and Search bar size can now be customized with a
|
||
simple resizer item
|
||
* Text selection improvements
|
||
* Find toolbar
|
||
* Improved integration with Linux: Firefox's default icons,
|
||
buttons, and menu styles now use the native GTK theme
|
||
+ Personalization improvements:
|
||
* Star button: quickly add bookmarks from the location bar
|
||
with a single click; a second click lets you file and tag them
|
||
* Tags: associate keywords with your bookmarks to sort them
|
||
by topic
|
||
* Location bar & auto-complete
|
||
* Smart Bookmarks Folder
|
||
* Places Organizer: view, organize and search through all
|
||
of your bookmarks, tags, and browsing history with multiple
|
||
views and smart folders to store your frequent searches
|
||
* Web-based protocol handlers
|
||
* Download & Install Add-ons
|
||
* Easy to use Download Actions
|
||
+ Improved platform for web developers:
|
||
* New graphics and font handling: new graphics and text
|
||
rendering architectures in Gecko 1.9 provides rendering
|
||
improvements in CSS, SVG as well as improved display of
|
||
fonts with ligatures and complex scripts
|
||
* Color management: (set gfx.color_management.enabled on
|
||
in about:config and restart the browser to enable.);
|
||
Firefox can now adjust images with embedded color profiles
|
||
* Offline support: enables web applications to provide
|
||
offline functionality (website authors must add support
|
||
for offline browsing to their site for this feature
|
||
to be available to users)
|
||
+ Improved performance:
|
||
* Speed: improvements to the JavaScript engine as well as
|
||
profile guided optimizations have resulted in significant
|
||
improvements in performance; compared to Firefox 2,
|
||
web applications like Google Mail and Zoho Office run
|
||
twice as fast in Firefox 3 Beta 4, and the popular
|
||
SunSpider test from Apple shows improvements over
|
||
previous releases
|
||
* Memory usage: Several new technologies work together to
|
||
reduce the amount of memory used by Firefox 3 Beta 4
|
||
over a web browsing session; memory cycles are broken
|
||
and collected by an automated cycle collector, a new
|
||
memory allocator reduces fragmentation, hundreds of leaks
|
||
have been fixed, and caching strategies have been tuned
|
||
* Reliability: A user's bookmarks, history, cookies, and
|
||
preferences are now stored in a transactionally secure
|
||
database format which will prevent data loss even if their
|
||
system crashes
|
||
- This version depends upon the mozilla-xulrunner190 package
|
||
- Drop various stale packages, respin several that have been
|
||
kept around, and add a few new ones.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 11 18:18:14 CET 2008 - maw@suse.de
|
||
|
||
- Security update to version 2.0.0.12 (bnc#354469):
|
||
+ MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div
|
||
overlay
|
||
+ MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet
|
||
redirect
|
||
+ MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain
|
||
text files
|
||
+ MFSA 2008-08/CVE-2008-0591 File action dialog tampering
|
||
+ MFSA 2008-06/CVE-2008-0419 Web browsing history and forward
|
||
navigation stealing
|
||
+ MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI
|
||
+ MFSA 2008-04/CVE-2008-0417 Stored password corruption
|
||
+ MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote
|
||
Code Execution
|
||
+ MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing
|
||
vulnerabilities
|
||
+ MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory
|
||
corruption (rv:1.8.1.12)
|
||
- Reference libaoss.so in start script (bnc#117079)
|
||
- Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed
|
||
- Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and
|
||
FATE#302024)
|
||
- Add application/x-xpinstall mime type to MozillaFirefox.desktop
|
||
- Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall
|
||
in desktop.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 17 17:52:47 CET 2008 - maw@suse.de
|
||
|
||
- Add mozilla-maxpathlen.patch (#354150 and bmo #412610).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 21 18:46:50 CET 2007 - maw@suse.de
|
||
|
||
- Add firefox-348446-empty-lists.patch (bnc#348446).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 5 02:21:26 CET 2007 - maw@suse.de
|
||
|
||
- Respin proxy-dev.patch (bnc#340678) -- thanks, Anders!
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 27 18:25:25 CET 2007 - maw@suse.de
|
||
|
||
- Security update to version 2.0.0.10 (#341905, #341591):
|
||
+ MFSA 2007-39 Referer-spoofing via window.location race condition
|
||
+ MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
|
||
+ MFSA 2007-37 jar: URI scheme XSS hazard
|
||
+ Fixes for regressions introduced in 2.0.0.8
|
||
+ Updated dbus.patch, startup.patch, misc.dif, and configure.patch
|
||
- Add mozilla-gcc4.3-fixes.patch
|
||
- Add mozilla-canvas-1.8.1.10.patch (#341591#c10).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 26 18:27:25 CET 2007 - maw@suse.de
|
||
|
||
- Build with -ftree-vrp -fwrapv, per advice in #342603#c17.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 13 17:49:01 CET 2007 - maw@suse.de
|
||
|
||
- Add firefox-gcc4.3-fixes.patch.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 19 02:04:45 CEST 2007 - maw@suse.de
|
||
|
||
- Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang)
|
||
* MFSA 2007-29 Crashes with evidence of memory corruption
|
||
* MFSA 2007-30 onUnload Tailgating
|
||
* MFSA 2007-31 Digest authentication request splitting
|
||
* MFSA 2007-32 File input focus stealing vulnerability
|
||
* MFSA 2007-33 XUL pages can hide the window titlebar
|
||
* MFSA 2007-34 Possible file stealing through sftp protocol
|
||
* MFSA 2007-35 XPCNativeWraper pollution using Script object
|
||
complete advisories on
|
||
http://www.mozilla.org/projects/security/known-vulnerabilities.html
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Sep 23 19:49:12 CEST 2007 - maw@suse.de
|
||
|
||
- Don't explicitly require libaoss.so (#326751).
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 14 23:13:06 CEST 2007 - maw@suse.de
|
||
|
||
- Update the Novell Support search plugin in search-addons.tar.bz2
|
||
(#297261)
|
||
- Set the browser.tabs.loadFolderAndReplace preference to false
|
||
by default (#230759).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 12 15:21:06 CEST 2007 - dmueller@suse.de
|
||
|
||
- fix hardlinks accross partitions
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 6 16:07:12 CEST 2007 - maw@suse.de
|
||
|
||
- Add http://software.opensuse.org/search?baseproject=openSUSE:10.3
|
||
to the default bookmarks (#308223).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 3 22:33:09 CEST 2007 - ro@suse.de
|
||
|
||
- move last change a bit further in specfile
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 31 18:36:16 CEST 2007 - maw@suse.de
|
||
|
||
- Mark a .png file as nonexecutable.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 28 16:44:08 CEST 2007 - maw@suse.de
|
||
|
||
- Minor .spec update (#305193)
|
||
+ Remove two obsolete patches
|
||
+ Correct releasedate
|
||
+ Include only the officially supported locales.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 22 17:53:03 CEST 2007 - maw@suse.de
|
||
|
||
- Merge changes from the build service (thanks, Wolfgang):
|
||
+ Provide locale dependency information (#302288)
|
||
+ Add x11-session.patch, supporting X11 session management
|
||
(#227047)
|
||
+ Update to version 2.0.0.6
|
||
* MFSA 2007-26 Privilege escalation through chrome-loaded
|
||
about:blank windows
|
||
* MFSA 2007-27 Unescaped URIs passed to external programs
|
||
(only relevant on Windows)
|
||
- Use %fdupes.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 21 09:45:35 CEST 2007 - aj@suse.de
|
||
|
||
- Adjust bookmarks: Add news.opensuse.org, use new software.o.o
|
||
page.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 16 14:57:27 CEST 2007 - mauro@suse.de
|
||
|
||
- Revert previous change.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 14 11:58:23 CEST 2007 - mauro@suse.de
|
||
|
||
- Added support for ymp in the mimetypes.rdf
|
||
- Added OneClickInstallUrlHandler for handing the actual call from firefox.
|
||
- Fixes bnc #295677
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jul 23 18:57:07 CEST 2007 - maw@suse.de
|
||
|
||
- Security update to version 2.0.0.5 (#288115) which has fixes for:
|
||
MFSA 2007-18
|
||
CVE-2007-3734 - Browser flaws
|
||
CVE-2007-3735 - Javascript flaws
|
||
|
||
MFSA 2007-19
|
||
CVE-2007-3736
|
||
|
||
MFSA 2007-20
|
||
CVE-2007-3089
|
||
|
||
MFSA 2007-21
|
||
CVE-2007-3737
|
||
|
||
MFSA 2007-22
|
||
CVE-2007-3285
|
||
|
||
MFSA 2007-23
|
||
CVE-2007-3670
|
||
|
||
MFSA 2007-24
|
||
CVE-2007-3656
|
||
|
||
MFSA 2007-25
|
||
CVE-2007-3738
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 21 15:59:01 CEST 2007 - adrian@suse.de
|
||
|
||
- fix changelog entry order
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 18 13:22:42 CDT 2007 - maw@suse.de
|
||
|
||
- Use mozilla.sh.in from the build service (#230681).
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 5 15:55:08 CEST 2007 - sbrabec@suse.cz
|
||
|
||
- Removed invalid desktop category "Application" (#254654).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 4 19:53:35 CDT 2007 - maw@suse.de
|
||
|
||
- Security update to version 2.0.0.4
|
||
- Refresh configure.patch, startup.patch, and visibility.patch
|
||
- Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 30 16:49:55 CEST 2007 - ro@suse.de
|
||
|
||
- added unzip to BuildRequires
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 18 14:16:44 CEST 2007 - mfabian@suse.de
|
||
|
||
- add Japanese to the languages which get PANGO enabled in the
|
||
start script to support the Japanese combining characters
|
||
U+3099 U+309A (see bugzilla #262718 comment #29).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 12 11:06:10 CST 2007 - maw@suse.de
|
||
|
||
- Package gconf stuff.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Feb 21 16:37:25 CST 2007 - maw@suse.de
|
||
|
||
- Security update to 2.0.0.2 (#244923), which covers:
|
||
+ mfsa2007-01
|
||
* CVE-2007-0775 - layout engine crashes
|
||
* CVE-2007-0776 - SVG
|
||
* CVE-2007-0777 - javascript engine corruption
|
||
+ mfsa2007-02
|
||
* CVE-2007-0995 - Invalid trailing characters in HTML tag attributes
|
||
* CVE-2007-0996 - Child frame character set inheritance
|
||
* CVE-2006-6077 - Injected password forms
|
||
+ mfsa2007-02
|
||
+ mfsa2007-03
|
||
* CVE-2007-0078
|
||
+ mfsa2007-04
|
||
* CVE-2007-0079
|
||
+ mfsa2007-05
|
||
* CVE-2007-0780
|
||
* CVE-2007-0800
|
||
+ mfsa2007-06
|
||
* CVE-2007-0008 - client flaw
|
||
* CVE-2007-0009 - server flaw
|
||
+ mfsa2007-07
|
||
* CVE-2007-0981
|
||
- Updates mozilla.sh.in (#230681)
|
||
- Fixes #232209
|
||
- Updates the man page (#243037)
|
||
- Properly propagates exit codes (#241492)
|
||
- Adds em-356370.patch (#217374)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 25 10:16:56 CST 2007 - maw@suse.de
|
||
|
||
- Fixup the Gnome paths, keeping in closer sync with the
|
||
buildservice.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 18 09:27:54 CST 2007 - maw@suse.de
|
||
|
||
- Gnome is now in /usr, so remove references to /opt/gnome
|
||
- Install firefox.png with the executable bit not set.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 10 12:57:39 CET 2007 - meissner@suse.de
|
||
|
||
- readd MozillaFirebird provides (was incorrect in removing it).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 8 11:16:08 CET 2007 - meissner@suse.de
|
||
|
||
- Do not provide MozillaFirebird, just obsolete it.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 1 02:22:49 CET 2006 - maw@suse.de
|
||
|
||
- Update gecko-lockdown.patch (#220616).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 30 19:02:54 CET 2006 - maw@suse.de
|
||
|
||
- Update firefox-suse-default-prefs.js, adding
|
||
'pref("browser.backspace_action", 2);' (#217374)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 30 08:17:28 CET 2006 - aj@suse.de
|
||
|
||
- Fix last change (#224431).
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Nov 29 11:45:47 CET 2006 - aj@suse.de
|
||
|
||
- Change download bookmark (#224431).
|
||
- Rename bookmark folder to openSUSE.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 28 08:09:48 CET 2006 - aj@suse.de
|
||
|
||
- Sync from Buildservice with following critical fixes (thanks
|
||
Wolfgang Rosenauer!):
|
||
* fixed system-proxies.patch to actually work (#223881).
|
||
* Rearrange Bookmarks to pass trademark review.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 27 19:40:44 CET 2006 - aj@suse.de
|
||
|
||
- Fix tango theme (#223796).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 27 17:40:50 CET 2006 - aj@suse.de
|
||
|
||
- Use www.opensuse.org as home page.
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Nov 12 11:28:00 CET 2006 - aj@suse.de
|
||
|
||
- Set novell.com as home page.
|
||
- Update from BuildService (thanks Wolfgang!):
|
||
- fixed crash in htmlparser (#217257, bmo #358797)
|
||
- added gconf2 as PreReq (#212505)
|
||
- added 32bit libaoss.so as requirement (#216266)
|
||
- Removed SUSE searchplugin (Portal not available anymore)
|
||
(#216054)
|
||
- Removed obsolete xul-picker.patch and system-nspr.patch
|
||
- Fixed building on 10.1 and 10.0 (dbus)
|
||
- Removed obsolete throbber preference
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 9 19:09:46 CET 2006 - jhargadon@suse.de
|
||
|
||
- updated tango theme
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Oct 29 12:05:46 CET 2006 - aj@suse.de
|
||
|
||
- Another fix for 214125, patch by Wolfgang Rosenauer.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 26 06:58:59 CEST 2006 - aj@suse.de
|
||
|
||
- Fix gcc warnings about undefined operations, patch by
|
||
Robert O'Callahan.
|
||
- Update system-proxies.patch to fix error box (214125), patch by
|
||
Robert O'Callahan.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 23 21:54:54 CEST 2006 - aj@suse.de
|
||
|
||
- Update to current CVS version of 2.0.
|
||
- Use www.opensuse.org as default home page for now (#203547).
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 21 08:53:50 CEST 2006 - aj@suse.de
|
||
|
||
- Disable non-working plasticfox and tango themes.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 20 20:16:29 CEST 2006 - aj@suse.de
|
||
|
||
- Fix building of locales.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 20 11:27:23 CEST 2006 - mkoenig@suse.de
|
||
|
||
- update to version 2.0rc3:
|
||
* New features: Visual Refresh, Built-in phishing protection,
|
||
Enhanced search capabilities, Improved tabbed browsing,
|
||
Resuming your browsing session, Previewing and subscribing
|
||
to Web feeds, Inline spell checking, Live Titles,
|
||
Improved Add-ons manager, JavaScript 1.7, Extended search
|
||
plugin format, Updates to the extension system,
|
||
Client-side session and persistent storage, SVG text
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 17 11:26:44 CEST 2006 - meissner@suse.de
|
||
|
||
- disabled debugging.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 12 20:27:02 CEST 2006 - stark@suse.de
|
||
|
||
- security update to version 1.5.0.7
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 21 12:53:50 CEST 2006 - stark@suse.de
|
||
|
||
- added greasemonkey helper change (#199920)
|
||
- fixed packager.mk for new make version
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 11 20:51:48 CEST 2006 - stark@suse.de
|
||
|
||
- fixed crash in dbus component (patch by thoenig #197928)
|
||
- use external adresses for PAC configuration (#196506)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 7 09:26:58 CEST 2006 - stark@suse.de
|
||
|
||
- added symlink for Firefox 1.0.x compatibility
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jul 29 08:48:53 CEST 2006 - stark@suse.de
|
||
|
||
- update to regression release 1.5.0.6 (#195043)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 27 06:20:36 CEST 2006 - stark@suse.de
|
||
|
||
- security update to version 1.5.0.5 (#195043)
|
||
* observer-lock.patch integrated now
|
||
- fixed leak in JS' liveconnect (#186066)
|
||
- fixed desktop file for old distributions
|
||
(StartupNotify=false)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 29 20:13:28 CEST 2006 - stark@suse.de
|
||
|
||
- fixed printing crash if the last used printer is not available
|
||
anymore (#187013)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jun 16 22:11:22 CEST 2006 - stark@suse.de
|
||
|
||
- added 48x48 icon (#185777)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 12 20:20:02 CEST 2006 - stark@suse.de
|
||
|
||
- fix overwrite confirmation for GTK filesaver (#179531)
|
||
- get network.negotiate-auth.trusted-uris and
|
||
network.negotiate-auth.delegation-uris from gconf if
|
||
system-settings are enabled (#184489)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 1 20:34:43 CEST 2006 - stark@suse.de
|
||
|
||
- update to security/stability release 1.5.0.4 (#179011)
|
||
- moved locale-global prefs to browserconfig.properties (#177881)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 23 21:11:11 CEST 2006 - stark@suse.de
|
||
|
||
- complete implementation of startup-notification (#115417)
|
||
(including autoconf and remote support)
|
||
- different home-pages for SLE10 and SL (#177881)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 16 06:27:26 CEST 2006 - stark@suse.de
|
||
|
||
- fixed potential deadlock in nsObserverList::RemoveObserver
|
||
(#173986, bmo #338069)
|
||
- base startup notification on libstartup-notification (#115417)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 11 09:39:27 CEST 2006 - stark@suse.de
|
||
|
||
- save printer settings properly (#174082, bmo #324072)
|
||
- added startup notification support for showing load activity
|
||
in Gnome and to avoid focus stealing prevention (#115417)
|
||
- added StartupNotify=true to desktop file (#115417)
|
||
- provide legacy symlink for NLD9 update compatibility (#173138)
|
||
- fixed system-proxies patch to avoid unwanted wpad requests
|
||
(#171743, #167613)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 8 14:55:52 CEST 2006 - stark@suse.de
|
||
|
||
- preconfigure the theme according to the used desktop (#151163)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Apr 27 10:24:07 CEST 2006 - stark@suse.de
|
||
|
||
- last minute change for 1.5.0.3
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 26 14:23:33 CEST 2006 - stark@suse.de
|
||
|
||
- security update to 1.5.0.3
|
||
- fix for typo in postscript.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 25 14:14:51 CEST 2006 - stark@suse.de
|
||
|
||
- fixed iframe crash (#169039, bmo #334515)
|
||
- fixed img tag misuse (#168710, bmo #334341)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 24 08:04:16 CEST 2006 - stark@suse.de
|
||
|
||
- improved postscript output (bmo #334485)
|
||
- changed defaults for printer properties (#6534)
|
||
- overwrite gnome-vfs' file protocol by providing "desktop-launch"
|
||
(#131501)
|
||
- get available paper sizes from CUPS (#65482)
|
||
- replaced/removed complicated gconfd reload in %post (#167989)
|
||
- fixed memory leak in clipboard caching (bmo #289897)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 11 08:35:53 CEST 2006 - stark@suse.de
|
||
|
||
- added (optional) plastikfox theme (#151163)
|
||
- get some more security related patches (#148876)
|
||
- finally fixed the default proxy configuration by adding a new
|
||
UI option (#132398)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 3 11:41:13 CEST 2006 - stark@suse.de
|
||
|
||
- fixed keyword fixup patch (#162532)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 28 07:17:04 CEST 2006 - stark@suse.de
|
||
|
||
- don't use keyword fixup for pasted text (#160034, bmo #331522)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 20 09:28:58 CET 2006 - stark@suse.de
|
||
|
||
- added Tango theme
|
||
- fixed reading proxies from gconf (#132398)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Mar 12 09:04:05 CET 2006 - stark@suse.de
|
||
|
||
- tweaked bookmarks (fixed URLs)
|
||
- added Khmer (km-*) to pango locales (#157397)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Mar 4 21:08:45 CET 2006 - stark@suse.de
|
||
|
||
- fixed crash with multipart JPEGs (bmo #328684) (#140416)
|
||
- got latest security fixes from upstream (#148876)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Feb 22 13:24:58 CET 2006 - stark@suse.de
|
||
|
||
- fixed plugin loading when launched from Thunderbird (#151614)
|
||
- merged dbus reconnection patch (#150042)
|
||
- default to autodetect proxy (network.proxy.type=4) (#151811)
|
||
- added GTK category to desktop file
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 14 06:45:24 CET 2006 - stark@suse.de
|
||
|
||
- modified lockdown patches (#67281, #67282)
|
||
- applied set of security patches (#148876)
|
||
bmo bugs: 282105, 307989, 315625, 320459, 323634, 325403, 325947
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 7 20:09:43 CET 2006 - stark@suse.de
|
||
|
||
- fixed disabling of Pango (#148788)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 2 21:51:30 CET 2006 - stark@suse.de
|
||
|
||
- define gssapi lib explicitely (#147670)
|
||
- use only official Firefox-Icon
|
||
- changed home-download patch
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jan 29 09:54:49 CET 2006 - stark@suse.de
|
||
|
||
- throbber URL is default again
|
||
- removed firefox-showpass patch
|
||
- removed additional CA certs from builtin NSS
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 27 17:55:21 CET 2006 - stark@suse.de
|
||
|
||
- got some l10n changes from 1.8.0 branch
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 27 08:15:09 CET 2006 - stark@suse.de
|
||
|
||
- final 1.5.0.1 version
|
||
- make it possible to choose $HOME as download directory
|
||
(#144894, bmo #300856)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 25 21:33:43 CET 2006 - mls@suse.de
|
||
|
||
- converted neededforbuild to BuildRequires
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jan 22 17:06:57 CET 2006 - stark@suse.de
|
||
|
||
- disable Pango if MOZ_ENABLE_PANGO is not set
|
||
and no typical language which needs Pango is used (#143428)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 18 10:27:30 CET 2006 - stark@suse.de
|
||
|
||
- fixed DumpStackToFile() for glibc 2.4
|
||
- added default (font) settings
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 12 10:23:58 CET 2006 - stark@suse.de
|
||
|
||
- update to 1.5.0.1pre (20060111)
|
||
- updated man-page
|
||
- fixed hovered tab close button
|
||
- only Requires mozilla-nspr instead of PreReq since
|
||
there is no postinstall registration necessary anymore
|
||
- use system NSS from CODE10 on
|
||
- use -fstack-protector where available
|
||
- changed unixproxy component to work on older distributions
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 2 13:39:09 CET 2006 - stark@suse.de
|
||
|
||
- added unixproxy component written by Robert O'Callahan (#132398)
|
||
(bmo #66057)
|
||
- added official translations
|
||
- preload libaoss for plugin sound (#117079)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 28 08:16:03 CET 2005 - stark@suse.de
|
||
|
||
- get some patches from 1.8.0 branch
|
||
- readded modification to gconf-backend (bmo #321315)
|
||
- readded lockdown stuff
|
||
- enable additional extension install directory (#120329)
|
||
(/usr/lib/browser-extensions/firefox)
|
||
- added patch to make the XUL filechooser optional
|
||
(MOZ_XUL_PICKER)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 14 16:08:12 CET 2005 - stark@suse.de
|
||
|
||
- fixed patch for parsing -remote parameter
|
||
- removed default-plugin patch (not needed anymore)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 9 17:21:29 CET 2005 - stark@suse.de
|
||
|
||
- fix to ignore X composite extension (#135373)
|
||
- fixed parsing of -remote parameters (#134396)
|
||
- activated locales as released
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 29 21:33:13 CET 2005 - stark@suse.de
|
||
|
||
- update to 1.5 (20051128)
|
||
- don't override startup URL when changing Gecko versions (#135314)
|
||
- added patch for GTK2 handling (#134831)
|
||
- readded add-plugins stuff for compatibility
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Nov 18 07:41:41 CET 2005 - stark@suse.de
|
||
|
||
- update to 1.5rc3 (20051117)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 31 08:58:14 CET 2005 - stark@suse.de
|
||
|
||
- updated l10n archive (20051030)
|
||
- fixed postinstall script to copy plugin links instead of files
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 28 06:43:27 CEST 2005 - stark@suse.de
|
||
|
||
- update to 1.5rc1 (20051027)
|
||
- fixed profile locking on FAT partitions (bmo #313360)
|
||
- introduced an rpath again
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 19 20:03:48 CEST 2005 - stark@suse.de
|
||
|
||
- update to snapshot 1.5 (20051019)
|
||
- moved installation to /usr/%{_lib}/firefox
|
||
- added dbus component to be able to get network status from
|
||
NetworkManager (bmo #312793)
|
||
- remove all update UI for application
|
||
- removed diable-gconf (no registration at build time anymore)
|
||
- removed rebuild-databases.sh (no system registration anymore)
|
||
- open links in new windows (#128087)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 6 20:44:53 CEST 2005 - stark@suse.de
|
||
|
||
- update to Firefox 1.5b2 (20051005)
|
||
- added supported translations
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 1 15:09:18 CEST 2005 - stark@suse.de
|
||
|
||
- update to Firefox 1.5b1 (20050930) RPM version 1.4.1
|
||
- removed rebuild-databases.sh calls
|
||
- removed add-plugins.sh calls and corresponding triggers
|
||
- enabled SVG and Canvas support
|
||
- fixed gconf urlhandler registration
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 20 10:24:16 CEST 2005 - stark@suse.de
|
||
|
||
- security update to 1.0.7 (#117619)
|
||
* MFSA 2005-57: IDN heap overrun using soft-hyphens (bmo #307259)
|
||
(enabled IDN pref again)
|
||
* MFSA 2005-58:
|
||
CAN-2005-2701 Heap overrun in XBM image processing
|
||
CAN-2005-2702 Crash on "zero-width non-joiner" sequence
|
||
CAN-2005-2703 XMLHttpRequest header spoofing
|
||
CAN-2005-2704 Object spoofing using XBL <implements>
|
||
CAN-2005-2705 JavaScript integer overflow
|
||
CAN-2005-2706 Privilege escalation using about: scheme
|
||
CAN-2005-2707 Chrome window spoofing
|
||
Regression fixes
|
||
- register beagle extension if it gets installed (#116787)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 13 15:41:37 CEST 2005 - aj@suse.de
|
||
|
||
- Change SUSE bookmarks.
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Sep 11 17:05:07 CEST 2005 - stark@suse.de
|
||
|
||
- disable IDN per default (#116070)
|
||
- unlocalize bookmarks (#114279)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 8 08:52:13 CEST 2005 - stark@suse.de
|
||
|
||
- fixed some filemodes (#114849)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Sep 4 00:03:53 CEST 2005 - stark@suse.de
|
||
|
||
- fixed gconf-backend patch to be able to use
|
||
system prefs (#114054)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 1 13:22:17 CEST 2005 - stark@suse.de
|
||
|
||
- changed default font to sans-serif (#114464)
|
||
- removed de-de parts of the bookmark-links (#114279)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 22 06:10:12 CEST 2005 - stark@suse.de
|
||
|
||
- install gconf schema for lockdown also on non-NLD
|
||
- added backports (firefox-backports.patch)
|
||
* gtk_im_context_set_cursor_location() is not used (bmo #281339)
|
||
* fixed crash in imgCacheValidator::OnStartRequest()
|
||
(bmo #293307)
|
||
- workaround for linking with pangoxft and pangox
|
||
(broken by gtk 2.8 update) (#105764)
|
||
- remove extensions on deinstallation
|
||
- include dragonegg (kparts) plugin (#105468)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 18 13:08:55 CEST 2005 - stark@suse.de
|
||
|
||
- fixed regression in profile locking change (bmo #303633)
|
||
- added rtsp handler to global config (#104434)
|
||
- don't blacklist help: protocol (bmo #304833)
|
||
- fixed Gdk-WARNING at startup (gtk.patch)
|
||
- fixed crash with gtk 2.7 (bmo #300226, bnc #104586)
|
||
- fixed installation of the beagle plugin
|
||
- update industrial theme to 1.0.11 (#104564)
|
||
- included lockdownV2 (removed obsolete gconf.diff)
|
||
- linked firefox-bin with rpath to progdir
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 5 09:51:26 CEST 2005 - stark@suse.de
|
||
|
||
- fixed profile locking (bmo #151188)
|
||
- install beagle extension globally
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 29 06:58:24 CEST 2005 - stark@suse.de
|
||
|
||
- don't require and provide NSS libs (#98002)
|
||
- fixed printing error 'You cannot print while in print preview'
|
||
(#96991, bmo #302445)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 27 09:34:12 CEST 2005 - stark@suse.de
|
||
|
||
- fixed Firefox on ppc (stack-direction.patch) (#97359)
|
||
- removed open-pref from startscript as it is done
|
||
automatically now (#73042)
|
||
- updated Novell searchplugins
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jul 25 12:32:13 CEST 2005 - stark@suse.de
|
||
|
||
- GTK filechooser is now modal (#8533)
|
||
- backed out patch to add tooltips to print-preview
|
||
because it breaks localization
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 22 10:54:39 CEST 2005 - stark@suse.de
|
||
|
||
- fixed another problem in printing patch
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 19 10:44:59 CEST 2005 - stark@suse.de
|
||
|
||
- fixed error in ft-xft-ps2.patch
|
||
- disabled stripping in spec instead of patch
|
||
- added NSPR to PreReq
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jul 18 08:43:24 CEST 2005 - stark@suse.de
|
||
|
||
- fixed some more regressions with final 1.0.6
|
||
- fixed width calculation in Postscript module (bmo #290292)
|
||
- fixed plugin event starvation (bnc #94749, #94751, bmo #301161)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 15 11:24:47 CEST 2005 - stark@suse.de
|
||
|
||
- searchplugins can now be installed per profile (#8176)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 15 06:54:02 CEST 2005 - stark@suse.de
|
||
|
||
- update to 1.0.6 which restores API compatibility
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 12 06:20:37 CEST 2005 - stark@suse.de
|
||
|
||
- update to 1.0.5 final (#88509)
|
||
- don't strip explicitely
|
||
- don't ship beagle.xpi
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 6 14:13:09 CEST 2005 - stark@suse.de
|
||
|
||
- update to 1.0.5-pre (20050705)
|
||
- use RPM_OPT_FLAGS for NSS component
|
||
- fixed implicit declarations and uninitialized used variables
|
||
- added patch for bmo #87969
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jul 5 10:17:16 CEST 2005 - stark@suse.de
|
||
|
||
- fixed regression from security update (#95069, bmo #298478)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 27 21:46:58 CEST 2005 - stark@suse.de
|
||
|
||
- don't use system-prefs by default on NLD
|
||
- removed basic lockdown stuff for SUSE Linux
|
||
(it's not needed and caused problems: bnc #75418)
|
||
- fixed NLD lockdown patch (bnc #75418)
|
||
- don't write prefs back to gconf for now
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 22 07:32:42 CEST 2005 - stark@suse.de
|
||
|
||
- new NLD lockdown patch which is syncing user prefs to gconf
|
||
- update to 1.0.5pre security-release
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 9 06:56:02 CEST 2005 - stark@suse.de
|
||
|
||
- new revision of NLD lockdown patch
|
||
- fixed remote usage behaviour in start script (bnc #41903)
|
||
- got more bugfixes from the branch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 2 10:31:48 CEST 2005 - stark@suse.de
|
||
|
||
- fixed neededforbuild
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 1 20:15:25 CEST 2005 - stark@suse.de
|
||
|
||
- fixed IDN for 64bit platforms (bmo #236425, bnc #46268)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 20 15:12:06 CEST 2005 - stark@suse.de
|
||
|
||
- fixed keybinding for KP separator (bnc #84147)
|
||
- pulled security related patch from upstream branch
|
||
- update plastikfox theme to version 1.6
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 12 06:16:25 CEST 2005 - stark@suse.de
|
||
|
||
- update to final 1.0.4 release
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 10 06:38:05 CEST 2005 - stark@suse.de
|
||
|
||
- update to 1.0.4 security release
|
||
- removed s390(x) patches (upstream)
|
||
- made two more files %verify (81692)
|
||
- updated NLD lockdown patch (81304)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Apr 28 09:45:53 CEST 2005 - stark@suse.de
|
||
|
||
- use static NSPR libs from new location
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Apr 23 15:56:08 CEST 2005 - stark@suse.de
|
||
|
||
- activate usage of system NSPR for distributions after 9.3
|
||
- add patch to be able to use systen NSPR at all
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 22 02:06:06 CEST 2005 - ro@suse.de
|
||
|
||
- use mozilla-gcc4.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Apr 21 12:51:19 CEST 2005 - stark@suse.de
|
||
|
||
- don't execute gconf magic within build environment
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Apr 16 13:05:37 CEST 2005 - stark@suse.de
|
||
|
||
- update to final 1.0.3 release
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 15 00:10:54 CEST 2005 - ro@suse.de
|
||
|
||
- fix problem in postinstall script
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 14 09:20:02 CEST 2005 - stark@suse.de
|
||
|
||
- included fixed lockdown patch for NLD
|
||
- linked proxies within Firefox with gnome settings (NLD)
|
||
- added gconfd restart procedure to install script
|
||
(only needed if gconf changes are done) (#76852)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Apr 2 21:03:11 CEST 2005 - stark@suse.de
|
||
|
||
- update to security pre-release 1.0.3 (#75692)
|
||
* Manual plug-in install, javascript vulnerability (bmo #288556)
|
||
* Access memory vulnerability (bmo #288688)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 1 11:32:44 CEST 2005 - stark@suse.de
|
||
|
||
- added advanced lockdown features for ZLM integration (NLD-only)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 22 12:33:15 CET 2005 - stark@suse.de
|
||
|
||
- update to final 1.0.2
|
||
- use new theme handling on NLD
|
||
- added default-plugin-less-annoying from mozilla
|
||
- use GTK2 for Flash
|
||
- use system NSPR on SUSE releases after 9.3
|
||
- made startscript PIS aware
|
||
- set g-application-name correctly (bmo #281979)
|
||
- added man-page
|
||
- use GTK system colors
|
||
- modify useragent string and add vendor id
|
||
- activate smooth-scrolling by default (#74310)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Mar 22 08:59:06 CET 2005 - stark@suse.de
|
||
|
||
- don't register beagle automatically (#74062)
|
||
- added default bookmarks for SUSE LINUX
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 21 18:20:39 CET 2005 - max@suse.de
|
||
|
||
- Fixed a typo in the shell code that handles inclusion of the
|
||
Acrobat Reader plugin (#70861).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Mar 17 21:01:11 CET 2005 - stark@suse.de
|
||
|
||
- updates from upcoming 1.0.2
|
||
- added again logic to use Adobe Reader 7 (#70861)
|
||
- fixed crash in ICO decoding (#67142, bmo #245631)
|
||
- preinstall beagle extension (#72920)
|
||
- bugfixes in trigger scripts
|
||
- fixed industrial theming for Gnome (#72918)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Mar 12 12:42:16 CET 2005 - stark@suse.de
|
||
|
||
- fixed more security related bugs
|
||
(bmo #284551, #284627, #285595)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 9 21:42:05 CET 2005 - stark@suse.de
|
||
|
||
- update also GNOME desktop file (#71810)
|
||
- added firefox-gnome.png to filelist
|
||
- use correct Firefox icon
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 7 20:47:00 CET 2005 - stark@suse.de
|
||
|
||
- disable inclusion of acrobat plugin again (#70861)
|
||
- don't use gconfd in registration phase (#66381)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 7 16:13:29 CET 2005 - adrian@suse.de
|
||
|
||
- use standard icon again for the default desktop file and
|
||
add a Gnome-only desktop file for the Gnome icon
|
||
- add plastikfox chrome theme to fix button order within KDE
|
||
- add patch for automatic theme selection for KDE and Gnome
|
||
- do register extensions in rebuild-databases.sh instead of %install,
|
||
to fix needed timestamps
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 4 07:54:47 CET 2005 - stark@suse.de
|
||
|
||
- extend add-plugins to recognize Java 1.5 (#66909)
|
||
- changed comment in desktop-file (#66867)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 22 09:33:44 CET 2005 - stark@suse.de
|
||
|
||
- make --display parameter working in all cases (bnc #66043)
|
||
- revised postscript patch
|
||
- final 1.0.1 codebase
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 21 13:09:30 CET 2005 - stark@suse.de
|
||
|
||
- added patch to create Postscript level 2 (instead of 3)
|
||
(special thanks to Jungshik Shin)
|
||
- disabled freetype explicitly to be able to use the above patch
|
||
(freetype wasn't used anymore since some time anyway)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 18 09:10:10 CET 2005 - stark@suse.de
|
||
|
||
- got more patches from branch to get another IDN fix and to
|
||
fix bug #51019
|
||
- enabled IDN again
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Feb 16 09:20:39 CET 2005 - stark@suse.de
|
||
|
||
- bumped version number to 1.0.1
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 15 10:26:04 CET 2005 - stark@suse.de
|
||
|
||
- got updates from 1.0.1 branch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 10 06:57:33 CET 2005 - stark@suse.de
|
||
|
||
- additional fireflashing fix (#50635, bmo #280664)
|
||
- some more security related fixes
|
||
(bmo #268483, #273498, #277322)
|
||
- fire up GTK2 filepicker if GNOME is running
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 8 07:51:13 CET 2005 - stark@suse.de
|
||
|
||
- some prefs are ignored (bmo #261934)
|
||
- disabled default IDN (#50566)
|
||
- fixed some more bugzilla.mozilla.org bugs:
|
||
#276482, #280056, #280603
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Feb 6 13:10:12 CET 2005 - stark@suse.de
|
||
|
||
- use same desktop categories for Professional and NLD
|
||
- added some lockdown stuff for printing and page saving
|
||
(bmo #280488)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Feb 2 13:58:53 CET 2005 - stark@suse.de
|
||
|
||
- modified gconf.diff to honor ignore_hosts (bmo #280742)
|
||
- added a JS crasher fix (bmo #268535)
|
||
- added more fixes (bmo #255441, #273024, #275405, #275634)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 28 12:39:37 CET 2005 - stark@suse.de
|
||
|
||
- added gplflash inclusion
|
||
- improved JRE inclusion
|
||
- reactivated usage of Acrobat Reader plugin
|
||
(ready for acroread 7)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jan 22 13:16:47 CET 2005 - stark@suse.de
|
||
|
||
- added some backported bugfixes
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Dec 18 10:30:11 CET 2004 - stark@suse.de
|
||
|
||
- updated industrial theme to 1.0.9
|
||
- use slightly changed icon for menu-entry (bnc #275)
|
||
- use original desktop file for NLD again
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 16 19:37:48 CET 2004 - stark@suse.de
|
||
|
||
- newer patch for GNOME associations (bnc #362)
|
||
- fix overwriting of files with GTK picker (Ximian #65068)
|
||
- readded the industrial default theme patch for NLD
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 15 11:50:56 CET 2004 - stark@suse.de
|
||
|
||
- activate GTK filepicker for NLD again
|
||
- fix for GNOME helper applications with parameters
|
||
- make GNOME associations the default on NLD
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Dec 4 16:11:01 CET 2004 - stark@suse.de
|
||
|
||
- fixed build on s390/s390x
|
||
- added patch to be able to install-global without running X
|
||
(bmo #265859)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 18 21:48:05 CET 2004 - stark@suse.de
|
||
|
||
- update industrial theme to 1.0.8 (still not activated)
|
||
- added patch to make home-directory the default download dir
|
||
(on NLD is still used Desktop)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 11 09:01:58 CET 2004 - stark@suse.de
|
||
|
||
- made initial window height smaller again
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 9 09:09:06 CET 2004 - stark@suse.de
|
||
|
||
- update to final 1.0 release (20041109)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 4 08:22:36 CET 2004 - stark@suse.de
|
||
|
||
- update to 1.0rc2
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 30 21:27:29 CEST 2004 - stark@suse.de
|
||
|
||
- added missing s390(x) patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 27 07:26:25 CEST 2004 - stark@suse.de
|
||
|
||
- update to 1.0rc1 codebase
|
||
- printing via XFT/fontconfig
|
||
- freetype changes to avoid API conflicts with newer freetype2
|
||
- fixed build for s390/s390x
|
||
- removed AMD64 patch (included upstream)
|
||
- added translations sub-package
|
||
- removed "Show folder" patch for NLD (resolved upstream)
|
||
- don't use gnome-filepicker patch for NLD for now
|
||
- removed hppa buildfix (included upstream)
|
||
- removed untitled.patch (bmo #24068) resolved by (bmo #262478)
|
||
- use make -C browser/installer now to prepare installation
|
||
- don't check for default browser at startup (#47587)
|
||
- updated industrial.jar (0.99.13) (disabled)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 15 13:51:54 CEST 2004 - stark@suse.de
|
||
|
||
- inherit locale from system
|
||
- fixed chrome registration
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 6 23:11:01 CEST 2004 - joeshaw@suse.de
|
||
|
||
- disable gconf settings as default (Ximian #67718)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 6 07:04:05 CEST 2004 - stark@suse.de
|
||
|
||
- fixed inclusion of RealPlayer plugin again
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 5 10:09:04 CEST 2004 - stark@suse.de
|
||
|
||
- small important fix in firefox-download.patch (Ximian #65472)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Oct 3 00:02:09 CEST 2004 - stark@suse.de
|
||
|
||
- added security-fix from 0.10.1 (mozilla.org #259708) (#46687)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Oct 1 12:49:38 CEST 2004 - stark@suse.de
|
||
|
||
- final fix for downloading to Desktop folder (Ximian #65756)
|
||
- remove Postscript from printer names (Ximian #65560)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 30 16:14:10 CEST 2004 - shprasad@suse.de
|
||
|
||
- Modified the MozillaFirefox.desktop file.
|
||
Changed the name 'Firefox' to 'Firefox Web Browser'.
|
||
Also changed it for all languages.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 29 15:54:46 CEST 2004 - stark@suse.de
|
||
|
||
- fix inclusion of RealPlayer plugin (Ximian #65711)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 27 17:51:24 CEST 2004 - joeshaw@suse.de
|
||
|
||
- Update the industrial default patch, for some reason it didn't
|
||
take before.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 24 07:34:48 CEST 2004 - stark@suse.de
|
||
|
||
- fix for Ximian #65176 (mozilla.org #240068)
|
||
- revised patch for update function (Ximian #65615)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 23 20:21:39 CEST 2004 - joeshaw@suse.de
|
||
|
||
- Uncomment the patch which tells the UI that industrial is the
|
||
default.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 23 12:38:06 CEST 2004 - stark@suse.de
|
||
|
||
- open Nautilus on NLD for 'Show folder' in download settings
|
||
(Ximian #65472) by sragavan@novell.com
|
||
- save to Desktop folder if selected (Ximian #65756)
|
||
by sragavan@novell.com
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 22 10:23:01 CEST 2004 - stark@suse.de
|
||
|
||
- synced NLD package with 9.2 version
|
||
- GTK2 filepicker does now ask for confirmation when overwriting
|
||
files (Ximian #65068) by sagarwala@novell.com
|
||
- no direct update function (Ximian #65615) by rganesan@novell.com
|
||
- throbber linked to Novell (Ximian #66283) by rganesan@novell.com
|
||
- make industrial the default theme for NLD
|
||
(Ximian #65542) by joeshaw@suse.de
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 20 22:00:55 CEST 2004 - joeshaw@suse.de
|
||
|
||
- Add default bookmarks. Ximian #65546.
|
||
- Add the industrial theme, but it's not the default yet.
|
||
- Remove acroread from add-plugins because it's badly behaved.
|
||
Ximian #65499.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 20 17:57:38 CEST 2004 - federico@ximian.com
|
||
|
||
- Added MozillaFirefox-toplevel-window-height.diff for
|
||
http://bugzilla.ximian.com/show_bug.cgi?id=65543
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Sep 19 15:42:30 CEST 2004 - stark@suse.de
|
||
|
||
- use GNOME system prefs only for NLD by default
|
||
(fixes bug #45575)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 17 08:59:32 CEST 2004 - stark@suse.de
|
||
|
||
- joeshaw@suse.de: Update GConf patch so that proxy settings work
|
||
correctly (Ximian #64461)
|
||
- don't search Java on every path (Ximian #65383)
|
||
- added some missing fixes for official release
|
||
- added new java package name for triggers (#45257)
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Sep 11 13:25:41 CEST 2004 - stark@suse.de
|
||
|
||
- update to official 1.0PR (0.10)
|
||
- adopted gnome-filepicker patch
|
||
- removed obsolete CUPS hack from start-script
|
||
(Ximian #65635, #65560)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 9 21:35:42 CEST 2004 - stark@suse.de
|
||
|
||
- fixed endianess on AMD64 in JS component (#34743)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 6 17:33:07 CEST 2004 - stark@suse.de
|
||
|
||
- fixed filelist
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 6 13:48:03 CEST 2004 - stark@suse.de
|
||
|
||
- update to 1.0PR (aka 0.10)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 3 21:35:47 CEST 2004 - stark@suse.de
|
||
|
||
- added ppc64 patch
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 2 03:08:59 CEST 2004 - dave@suse.de
|
||
|
||
- Fixed up the .desktop installation on nld
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 1 15:05:48 CEST 2004 - shprasad@suse.de
|
||
|
||
- Doesn't ask to set Firefox as default web-browser.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 31 14:01:18 CEST 2004 - stark@suse.de
|
||
|
||
- next new version for filepicker stuff
|
||
- deactivated native filepicker for NLD
|
||
- update to snapshot (20040831)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 24 17:35:52 CEST 2004 - stark@suse.de
|
||
|
||
- new version of gnome-filepicker patch
|
||
- added patch for config
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 20 17:12:48 CEST 2004 - stark@suse.de
|
||
|
||
- update to snapshot (20040820)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 19 08:46:42 CEST 2004 - stark@suse.de
|
||
|
||
- added workaround for mozilla bug #246313
|
||
(Firefox does not start: getting "cannot open display" error)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 18 15:07:22 CEST 2004 - stark@suse.de
|
||
|
||
- added some patches from Ximian
|
||
- use GNOME filepicker
|
||
- use more gconf settings
|
||
- set startup homepage to Novell
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 17 13:12:35 CEST 2004 - stark@suse.de
|
||
|
||
- update to pre-1.0.0 (20040817)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 5 06:27:41 CEST 2004 - stark@suse.de
|
||
|
||
- security update to 0.9.3
|
||
(including #43312 and others)
|
||
- handle RealPlayer 9 plugin
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 2 15:11:51 CEST 2004 - ro@suse.de
|
||
|
||
- recode desktop file to utf-8
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 28 08:46:31 CEST 2004 - stark@suse.de
|
||
|
||
- added fix against certificate spoofing (#43312)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 23 06:31:41 CEST 2004 - stark@suse.de
|
||
|
||
- update to 0.9.2
|
||
- added workaround for extension registry
|
||
- removed old (incompatible) mozex extension
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 29 06:27:59 CEST 2004 - stark@suse.de
|
||
|
||
- update to 0.9.1
|
||
- added hint to run as root first
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 15 12:42:28 CEST 2004 - stark@suse.de
|
||
|
||
- update to 0.9
|
||
- added patch for newer freetype
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 2 10:31:45 CEST 2004 - stark@suse.de
|
||
|
||
- removing relocation of TEMP directory (#34391)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 29 11:43:51 CEST 2004 - stark@suse.de
|
||
|
||
- update to 0.8.0+ (20040503)
|
||
- removed firefox logos and activate official branding for
|
||
milestone builds
|
||
- changed profile-dir to .firefox
|
||
- added some needed files
|
||
- enabled gnomevfs extension
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Mar 26 18:09:34 CET 2004 - uli@suse.de
|
||
|
||
- fixed hang during build on s390* (bug #35440)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 3 06:52:00 CET 2004 - stark@suse.de
|
||
|
||
- removed unused patches for GTK2 build
|
||
- more fixes for (#35179)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 1 07:32:52 CET 2004 - stark@suse.de
|
||
|
||
- improved start-script to interact with thunderbird (#35179)
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 26 06:57:05 CET 2004 - stark@suse.de
|
||
|
||
- use official releasedate
|
||
- added official (trademarked) artwork
|
||
- added firefox icon to /usr/share/pixmaps
|
||
- cleaned up spec-file (there will be no GTK1 version)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 24 16:43:17 CET 2004 - stark@suse.de
|
||
|
||
- fixed optimization for non-x86 archs
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 24 07:43:35 CET 2004 - stark@suse.de
|
||
|
||
- adopted file-list and build options to original distribution
|
||
- added prdtoa fix (#32963)
|
||
- added hook for static firefox build to rebuild-databases.sh
|
||
- added compiler flags for security/ (nss-opt.patch)
|
||
- included mozex (mozex.mozdev.org)
|
||
- added -Os as optimization flag
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 9 21:59:37 CET 2004 - stark@suse.de
|
||
|
||
- renamed to MozillaFirefox
|
||
- update to final version 0.8
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 6 08:39:15 CET 2004 - stark@suse.de
|
||
|
||
- update to Firebird 0.8 (20040205)
|
||
- added mips build fix
|
||
- set PS printer list in MozillaFirebird.sh
|
||
- use lib64 again for biarch platforms
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jan 10 10:33:54 CET 2004 - adrian@suse.de
|
||
|
||
- build as user
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 22 11:32:07 CEST 2003 - stark@suse.de
|
||
|
||
- upstream sync for 0.6.1post
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Aug 10 22:01:12 CEST 2003 - stark@suse.de
|
||
|
||
- removed dmoz from searchplugins-filelist
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 8 10:30:50 CEST 2003 - stark@suse.de
|
||
|
||
- update to 0.6.1post (TRUNK)
|
||
- use -fno-strict-aliasing
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 31 11:25:39 CEST 2003 - stark@suse.de
|
||
|
||
- update to 0.6.1 (MOZILLA_1_4_BRANCH)
|
||
- synchronized with mozilla-source
|
||
- created file-list
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 10 09:45:49 CEST 2003 - stark@suse.de
|
||
|
||
- update to snapshot 20030709
|
||
- fixed generation of symlink MozillaFirebird-xremote-client
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jun 20 06:53:08 CEST 2003 - stark@suse.de
|
||
|
||
- update to snapshot 20030622 (0.7pre)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon May 19 08:54:46 CEST 2003 - stark@suse.de
|
||
|
||
- update to snapshot 20030518 (0.6)
|
||
|
||
-------------------------------------------------------------------
|
||
Sun May 7 10:11:16 CEST 2003 - stark@suse.de
|
||
|
||
- update to snapshot 20030507
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 30 13:26:43 CEST 2003 - stark@suse.de
|
||
|
||
- initial SuSE package
|
||
|