From 6156a55b00c784127a9081a6a7f6c20b5760a9fc70c0a9f142630e16f09c9f9e Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer
Date: Tue, 23 Jan 2018 20:56:02 +0000
Subject: [PATCH] - update to Firefox 58.0 (bsc#1077291)
 MFSA 2018-02
 * CVE-2018-5091 (bmo#1423086) Use-after-free with DTMF timers
 * CVE-2018-5092 (bmo#1418074) Use-after-free in Web Workers
 * CVE-2018-5093 (bmo#1415291) Buffer overflow in WebAssembly during Memory/Table resizing
 * CVE-2018-5094 (bmo#1415883) Buffer overflow in WebAssembly with garbage collection on uninitialized memory
 * CVE-2018-5095 (bmo#1418447) Integer overflow in Skia library during edge builder allocation
 * CVE-2018-5097 (bmo#1387427) Use-after-free when source document is manipulated during XSLT
 * CVE-2018-5098 (bmo#1399400) Use-after-free while manipulating form input elements
 * CVE-2018-5099 (bmo#1416878) Use-after-free with widget listener
 * CVE-2018-5100 (bmo#1417405) Use-after-free when IsPotentiallyScrollable arguments are freed from memory
 * CVE-2018-5101 (bmo#1417661) Use-after-free with floating first-letter style elements
 * CVE-2018-5102 (bmo#1419363) Use-after-free in HTML media elements
 * CVE-2018-5103 (bmo#1423159) Use-after-free during mouse event handling
 * CVE-2018-5104 (bmo#1425000) Use-after-free during font face manipulation

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=629
---
 MozillaFirefox.changes | 73 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 71 insertions(+), 2 deletions(-)

diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index c0e8cb60..56b436a1 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes 
@@ -1,10 +1,79 @@ ------------------------------------------------------------------- -Sat Jan 20 22:05:35 UTC 2018 - wr@rosenauer.org +Tue Jan 23 20:40:57 UTC 2018 - wr@rosenauer.org -- update to Firefox 58.0 +- update to Firefox 58.0 (bsc#1077291) * Added Nepali (ne-NP) locale * Added support for form autofill for credit card * Optimize page load by caching JavaScript internal representation + MFSA 2018-02 + * CVE-2018-5091 (bmo#1423086) + Use-after-free with DTMF timers + * CVE-2018-5092 (bmo#1418074) + Use-after-free in Web Workers + * CVE-2018-5093 (bmo#1415291) + Buffer overflow in WebAssembly during Memory/Table resizing + * CVE-2018-5094 (bmo#1415883) + Buffer overflow in WebAssembly with garbage collection on + uninitialized memory + * CVE-2018-5095 (bmo#1418447) + Integer overflow in Skia library during edge builder allocation + * CVE-2018-5097 (bmo#1387427) + Use-after-free when source document is manipulated during XSLT + * CVE-2018-5098 (bmo#1399400) + Use-after-free while manipulating form input elements + * CVE-2018-5099 (bmo#1416878) + Use-after-free with widget listener + * CVE-2018-5100 (bmo#1417405) + Use-after-free when IsPotentiallyScrollable arguments are freed + from memory + * CVE-2018-5101 (bmo#1417661) + Use-after-free with floating first-letter style elements + * CVE-2018-5102 (bmo#1419363) + Use-after-free in HTML media elements + * CVE-2018-5103 (bmo#1423159) + Use-after-free during mouse event handling + * CVE-2018-5104 (bmo#1425000) + Use-after-free during font face manipulation + * CVE-2018-5105 (bmo#1390882) + WebExtensions can save and execute files on local file system + without user prompts + * CVE-2018-5106 (bmo#1408708) + Developer Tools can expose style editor information cross-origin + through service worker + * CVE-2018-5107 (bmo#1379276) + Printing process will follow symlinks for local file access + * CVE-2018-5108 (bmo#1421099) + Manually entered blob URL can be accessed by subsequent private browsing tabs + * 
CVE-2018-5109 (bmo#1405599) + Audio capture prompts and starts with incorrect origin attribution + * CVE-2018-5110 (bmo#1423275) (affects only OS X) + Cursor can be made invisible on OS X + * CVE-2018-5111 (bmo#1321619) + URL spoofing in addressbar through drag and drop + * CVE-2018-5112 (bmo#1425224) + Extension development tools panel can open a non-relative URL in the panel + * CVE-2018-5113 (bmo#1425267) + WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow + * CVE-2018-5114 (bmo#1421324) + The old value of a cookie changed to HttpOnly remains accessible to scripts + * CVE-2018-5115 (bmo#1409449) + Background network requests can open HTTP authentication in unrelated foreground tabs + * CVE-2018-5116 (bmo#1396399) + WebExtension ActiveTab permission allows cross-origin frame content access + * CVE-2018-5117 (bmo#1395508) + URL spoofing with right-to-left text aligned left-to-right + * CVE-2018-5118 (bmo#1420049) + Activity Stream images can attempt to load local content through file: + * CVE-2018-5119 (bmo#1420507) + Reader view will load cross-origin content in violation of CORS headers + * CVE-2018-5121 (bmo#1402368) (affects only OS X) + OS X Tibetan characters render incompletely in the addressbar + * CVE-2018-5122 (bmo#1413841) + Potential integer overflow in DoCrypt + * CVE-2018-5090 + Memory safety bugs fixed in Firefox 58 + * CVE-2018-5089 + Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6 - requires NSS 3.34.1 - requires rust 1.21 - removed obsolete patches:
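
Review bot: The MFSA 2018-02 list added under "update to Firefox 58.0 (bsc#1077291)" skips CVE-2018-5096 (between CVE-2018-5095 and CVE-2018-5097) and CVE-2018-5120 (between CVE-2018-5119 and CVE-2018-5121); please confirm against the advisory that both gaps are intentional, because this entry is the package's record of which CVEs the update covers. The commit message also stops at CVE-2018-5104 while the changelog continues through CVE-2018-5122, CVE-2018-5090 and CVE-2018-5089, so the two should be brought in line. As a style point, several descriptions from CVE-2018-5108 onward (for example "Manually entered blob URL can be accessed by subsequent private browsing tabs") are left on one long line, while earlier ones such as CVE-2018-5094 and CVE-2018-5100 are wrapped; wrapping them the same way would keep the entry consistent.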