From 9f194c073779182d6535f8620429acc8c762a9cc7faa1ae6827c17e6d974f5af Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Wed, 1 Apr 2015 11:31:46 +0000 Subject: [PATCH] - update to Firefox 37.0 (bnc#925368) * Heartbeat user rating system * Yandex set as default search provider for the Turkish locale * Bing search now uses HTTPS for secure searching * Improved protection against site impersonation via OneCRL centralized certificate revocation * Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc * some more behaviour changes for TLS security fixes: * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 Miscellaneous memory safety hazards * MFSA 2015-31/CVE-2015-0813 (bmo#1106596)) Use-after-free when using the Fluendo MP3 GStreamer plugin * MFSA 2015-32/CVE-2015-0812 (bmo#1128126) Add-on lightweight theme installation approval bypassed through MITM attack * MFSA 2015-33/CVE-2015-0816 (bmo#1144991) resource:// documents can load privileged pages * MFSA-2015-34/CVE-2015-0811 (bmo#1132468) Out of bounds read in QCMS library * MFSA-2015-35/CVE-2015-0810 (bmo#1125013) Cursor clickjacking with flash and images (OS X only) * MFSA-2015-36/CVE-2015-0808 (bmo#1109552) Incorrect memory management for simple-type arrays in WebRTC * MFSA-2015-37/CVE-2015-0807 (bmo#1111834) CORS requests should not follow 30x redirections after preflight * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437) Memory corruption crashes in Off Main Thread Compositing * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560) OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=433 --- MozillaFirefox.changes | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index 9ad468b1..ded76c69 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes 
@@ -1,7 +1,44 @@ ------------------------------------------------------------------- Sat Mar 28 09:46:48 UTC 2015 - wr@rosenauer.org -- update to Firefox 37.0 +- update to Firefox 37.0 (bnc#925368) + * Heartbeat user rating system + * Yandex set as default search provider for the Turkish locale + * Bing search now uses HTTPS for secure searching + * Improved protection against site impersonation via OneCRL + centralized certificate revocation + * Opportunistically encrypt HTTP traffic where the server supports + HTTP/2 AltSvc + * some more behaviour changes for TLS + security fixes: + * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 + Miscellaneous memory safety hazards + * MFSA 2015-31/CVE-2015-0813 (bmo#1106596)) + Use-after-free when using the Fluendo MP3 GStreamer plugin + * MFSA 2015-32/CVE-2015-0812 (bmo#1128126) + Add-on lightweight theme installation approval bypassed through + MITM attack + * MFSA 2015-33/CVE-2015-0816 (bmo#1144991) + resource:// documents can load privileged pages + * MFSA-2015-34/CVE-2015-0811 (bmo#1132468) + Out of bounds read in QCMS library + * MFSA-2015-35/CVE-2015-0810 (bmo#1125013) + Cursor clickjacking with flash and images (OS X only) + * MFSA-2015-36/CVE-2015-0808 (bmo#1109552) + Incorrect memory management for simple-type arrays in WebRTC + * MFSA-2015-37/CVE-2015-0807 (bmo#1111834) + CORS requests should not follow 30x redirections after preflight + * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437) + Memory corruption crashes in Off Main Thread Compositing + * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560) + Use-after-free due to type confusion flaws + * MFSA-2015-40/CVE-2015-0801 (bmo#1146339) + Same-origin bypass through anchor navigation + * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808 + PRNG weakness allows for DNS poisoning on Android (only) + * MFSA-2015-42/CVE-2015-0802 (bmo#1124898) + Windows can retain access to privileged content on navigation + to unprivileged pages - removed obsolete patches * 
mozilla-bmo1088588.patch * mozilla-bmo1108834.patch
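Review bot: The MFSA 2015-31 entry in the added security-fixes list ends with a stray closing parenthesis, `(bmo#1106596))`, and the advisory identifiers are written two ways within the same list: `MFSA 2015-30` through `MFSA 2015-33` use a space after MFSA, while `MFSA-2015-34` through `MFSA-2015-42` use a hyphen. Suggest dropping the extra parenthesis and settling on one identifier form so the changelog can be searched for an advisory reliably. The line "some more behaviour changes for TLS" does not say which behaviours changed; for a packager deciding whether the update affects TLS-dependent deployments, naming them or pointing to the release notes would be more useful. The MFSA 2015-30 and MFSA-2015-41 entries carry no bmo reference, unlike the other entries; if that is intentional, no change is needed.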