* requires NSS 3.26.2
new features
* Updates to keyboard shortcuts
Set a preference to have Ctrl+Tab cycle through tabs in recently
used order
View a page in Reader Mode by using Ctrl+Alt+R
* Added option to Find in page that allows users to limit search to
whole words only
* Added download protection for a large number of executable file
types on Windows, Mac and Linux
* Fixed rendering of dashed and dotted borders with rounded corners
(border-radius)
* Added a built-in Emoji set for operating systems without native
Emoji fonts (Windows 8.0 and lower and Linux)
* Blocked versions of libavcodec older than 54.35.1
* additional locale
security fixes:
* MFSA 2016-89
CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
(bmo#1292443)
CVE-2016-5292: URL parsing causes crash (bmo#1288482)
CVE-2016-5293: Write to arbitrary file with updater and moz
maintenance service using updater.log hardlink
(Windows only) (bmo#1246945)
CVE-2016-5294: Arbitrary target directory for result files of
update process (Windows only) (bmo#1246972)
CVE-2016-5297: Incorrect argument length checking in Javascript
(bmo#1303678)
CVE-2016-9064: Addons update must verify IDs match between
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=555
* Updated Firefox Login Manager to allow HTTPS pages to use saved
HTTP logins.
* Added features to Reader Mode that make it easier on the eyes and
the ears
* Improved video performance for users on systems that support
SSE3 without hardware acceleration
* Added context menu controls to HTML5 audio and video that let users
loops files or play files at 1.25x speed
* Improvements in about:memory reports for tracking font memory usage
security related
* MFSA 2016-85
CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
mozilla::net::IsValidReferrerPolicy
CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
nsCaseTransformTextRunFactory::TransformString
CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
PropertyProvider::GetSpacingInternal
CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
CVE-2016-5273 (bmo#1280387) - crash in
mozilla::a11y::HyperTextAccessible::GetChildOffset
CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
mozilla::a11y::DocAccessible::ProcessInvalidationList
CVE-2016-5274 (bmo#1282076) - use-after-free in
nsFrameManager::CaptureFrameState
CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
nsBMPEncoder::AddImageFrame
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=548
* MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
Miscellaneous memory safety hazards
* MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
Favicon network connection can persist when page is closed
* MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
Buffer overflow rendering SVG with bidirectional content
* MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
* MFSA 2016-66/CVE-2016-5251 (bmo#1255570)
Location bar spoofing via data URLs with malformed/invalid mediatypes
* MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
Stack underflow during 2D graphics rendering
* MFSA 2016-68/CVE-2016-0718 (bmo#1236923)
Out-of-bounds read during XML parsing in Expat library
* MFSA 2016-69/CVE-2016-5253 (bmo#1246944)
Arbitrary file manipulation by local user through Mozilla updater
and callback application path parameter (Windows-only)
* MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
Use-after-free when using alt key and toplevel menus
* MFSA 2016-71/CVE-2016-5255 (bmo#1212356)
Crash in incremental garbage collection in JavaScript
* MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
Use-after-free in DTLS during WebRTC session shutdown
* MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
Use-after-free in service workers with nested sync events
* MFSA 2016-74/CVE-2016-5260 (bmo#1280294)
Form input type change from password to text can store plain
text password in session restore file
* MFSA 2016-75/CVE-2016-5261 (bmo#1287266)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=537
* requires NSS 3.24
* Process separation (e10s) is enabled for some of you
* Add-ons that have not been verified and signed by Mozilla will not load
* WebRTC embetterments
* The media parser has been redeveloped using the Rust programming
language
* better Canvas performance with speedy Skia support
- removed obsolete mozilla-gcc6.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=536
* Enable VP9 video codec for users with fast machines
* Embedded YouTube videos now play with HTML5 video if Flash is
not installed
* View and search open tabs from your smartphone or another
computer in a sidebar
* Allow no-cache on back/forward navigations for https resources
security fixes:
* MFSA 2016-49/CVE-2016-2815/CVE-2016-2818
(boo#983638)
(bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743,
bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493,
bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752,
bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130,
bmo#1269729, bmo#1273202, bmo#1273701)
Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
* MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381)
Buffer overflow parsing HTML5 fragments
* MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460)
Use-after-free deleting tables from a contenteditable document
* MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129)
Addressbar spoofing though the SELECT element
* MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580)
Out-of-bounds write with WebGL shader
* MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093)
Partial same-origin-policy through setting location.host
through data URI
* MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810)
Use-after-free when textures are used in WebGL operations
after recycle pool destruction
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=518
* Improved security of the JavaScript Just In Time (JIT) Compiler
* WebRTC fixes to improve performance and stability
* Added support for document.elementsFromPoint
* Added HKDF support for Web Crypto API
* requires NSPR 4.12 and NSS 3.22.3
* added patch to fix unchecked return value
mozilla-check_return.patch
* Gtk3 builds not supported at the moment
security fixes:
* MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807
Miscellaneous memory safety hazards
* MFSA 2016-40/CVE-2016-2809 (bmo#1212939)
Privilege escalation through file deletion by Maintenance Service updater
(Windows only)
* MFSA 2016-41/CVE-2016-2810 (bmo#1229681)
Content provider permission bypass allows malicious application
to access data (Android only)
* MFSA 2016-42/CVE-2016-2811/CVE-2016-2812 (bmo#1252330, bmo#1261776)
Use-after-free and buffer overflow in Service Workers
* MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650)
Disclosure of user actions through JavaScript with motion and
orientation sensors (only affects mobile variants)
* MFSA 2016-44/CVE-2016-2814 (bmo#1254721)
Buffer overflow in libstagefright with CENC offsets
* MFSA 2016-45/CVE-2016-2816 (bmo#1223743)
CSP not applied to pages sent with multipart/x-mixed-replace
* MFSA 2016-46/CVE-2016-2817 (bmo#1227462)
Elevation of privilege with chrome.tabs.update API in web extensions
* MFSA 2016-47/CVE-2016-2808 (bmo#1246061)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=500
%firefox_use_gtk3 is defined or not (e.g., at the prjconf
level); macro is undefined by default and so gtk2 is used as the
default toolkit.
- Add BuildRequires for additional packages needed when building
against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0),
pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).
- Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20;
patch taken from Fedora (bmo#1230955).
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=496
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
Miscellaneous memory safety hazards
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
Local file overwriting and potential privilege escalation through
CSP reports
* MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
CSP reports fail to strip location information for embedded iframe pages
* MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
Linux video memory DOS with Intel drivers
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
Memory leak in libstagefright when deleting an array during MP4
processing
* MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
Displayed page address can be overridden
* MFSA 2016-22/CVE-2016-1959 (bmo#1234949)
Service Worker Manager out-of-bounds read in Service Worker Manager
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
Use-after-free when using multiple WebRTC data channels
* MFSA 2016-26/CVE-2016-1963 (bmo#1238440)
Memory corruption when modifying a file being read by FileReader
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
Addressbar spoofing though history navigation and Location protocol
property
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=491
* requires NSPR 4.12 / NSS 3.21.1
* Instant browser tab sharing through Hello
* Synced Tabs button in button bar
* Tabs synced via Firefox Accounts from other devices are now shown
in dropdown area of Awesome Bar when searching
* Introduce a new preference (network.dns.blockDotOnion) to allow
blocking .onion at the DNS level
* Tab Groups (Panorama) feature removed
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=490
* MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438)
Same-origin-policy violation using Service Workers with plugins
* Fix issue which could lead to the removal of stored passwords
under certain circumstances (bmo#1242176)
* Allows spaces in cookie names (bmo#1244505)
* Disable opus/vorbis audio with H.264 (bmo#1245696)
* Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
* Fix a crash in cache networking (bmo#1244076)
* Fix using WebSockets in service worker controlled pages (bmo#1243942)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=484
* requires NSS 3.20.2 to fix
MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
server signature
* various changes to support Windows update (SHA-1 vs. SHA-2)
* workaround Youtube user agent detection issue (bmo#1233970)
- fix file download regression for multi user systems
(bmo#1233434) (mozilla-bmo1233434.patch)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=475
* Improved API support for m4v video playback
* Users can opt-in to receive search suggestions from the Awesome Bar
* WebRTC streaming on multiple monitors
* User selectable second block list for Private Browsing's Tracking
Protection
security fixes:
* MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
Miscellaneous memory safety hazards
* MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
Crash with JavaScript variable assignment with unboxed objects
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
Same-origin policy violation using perfomance.getEntries and
history navigation
* MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
Firefox allows for control characters to be set in cookies
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
Use-after-free in WebRTC when datachannel is used after being
destroyed
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
Integer overflow allocating extremely large textures
* MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
Cross-origin information leak through web workers error events
* MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
Hash in data URI is incorrectly parsed
* MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
DOS due to malformed frames in HTTP/2
* MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
Linux file chooser crashes on malformed images due to flaws in
Jasper library
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=473
* MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
Miscellaneous memory safety hazards
* MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
Information disclosure through NTLM authentication
* MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
CSP bypass due to permissive Reader mode whitelist
* MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
Firefox for Android addressbar can be removed after fullscreen mode
* MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
Reading sensitive profile files through local HTML file on Android
* MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
disabling scripts in Add-on SDK panels has no effect
* MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
Trailing whitespace in IP address hostnames can bypass same-origin policy
* MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
Buffer overflow during image interactions in canvas
* MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
Android intents can be used on Firefox for Android to open privileged files
* MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
XSS attack through intents on Firefox for Android
* MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
Crash when accessing HTML tables with accessibility tools on OS X
* MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
CORS preflight is bypassed when non-standard Content-Type headers
are received
* MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
Memory corruption in libjar through zip files
* MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
Certain escaped characters in host of Location-header are being
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=468
* Private Browsing with Tracking Protection blocks certain Web
elements that could be used to record your behavior across sites
* Control Center that contains site security and privacy controls
* Login Manager improvements
* WebRTC improvements
* Indicator added to tabs that play audio with one-click muting
* Media Source Extension for HTML5 video available for all sites
- requires NSPR 4.10.10 and NSS 3.19.4
- removed obsolete patches
* mozilla-arm-disable-edsp.patch
* mozilla-icu-strncat.patch
* mozilla-skia-be-le.patch
* toolkit-download-folder.patch
- fixed build with enable-libproxy (bmo#1220399)
* mozilla-libproxy.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=467
* Fix a startup crash related to Yandex toolbar and Adblock Plus
(bmo#1209124)
* Fix potential hangs with Flash plugins (bmo#1185639)
* Fix a regression in the bookmark creation (bmo#1206376)
* Fix a startup crash with some Intel Media Accelerator 3150
graphic cards (bmo#1207665)
* Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=462
- update to Firefox 40.0.3 (bnc#943550)
* Disable the asynchronous plugin initialization (bmo#1198590)
* Fix a segmentation fault in the GStreamer support (bmo#1145230)
* Fix a regression with some Japanese fonts used in the <input>
field (bmo#1194055)
* On some sites, the selection in a select combox box using the
mouse could be broken (bmo#1194733)
security fixes
* MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
Use-after-free when resizing canvas element during restyling
* MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
Add-on notification bypass through data URLs
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=460
* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
Miscellaneous memory safety hazards
* MFSA 2015-97/CVE-2015-4503 (bmo#994337)
Memory leak in mozTCPSocket to servers
* MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
Out of bounds read in QCMS library with ICC V4 profile attributes
* MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)
Site attribute spoofing on Android by pasting URL with unknown scheme
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
Arbitrary file manipulation by local user through Mozilla updater
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
Crash when using debugger with SavedStacks in JavaScript
* MFSA 2015-103/CVE-2015-4508 (bmo#1195976)
URL spoofing in reader mode
* MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
Use-after-free with shared workers and IndexedDB
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
Use-after-free while manipulating HTML media content
* MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
Out-of-bounds read during 2D canvas display on Linux 16-bit
color depth systems
* MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
Scripted proxies can access inner window
* MFSA 2015-109/CVE-2015-4516 (bmo#904886)
JavaScript immutable property enforcement can be bypassed
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=459
* Disable the asynchronous plugin initialization (bmo#1198590)
* Fix a segmentation fault in the GStreamer support (bmo#1145230)
* Fix a regression with some Japanese fonts used in the <input>
field (bmo#1194055)
* On some sites, the selection in a select combox box using the
mouse could be broken (bmo#1194733)
security fixes
* MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
Use-after-free when resizing canvas element during restyling
* MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
Add-on notification bypass through data URLs
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=456
* Added protection against unwanted software downloads
* Suggested Tiles show sites of interest, based on categories
from your recent browsing history
* Hello allows adding a link to conversations to provide context
on what the conversation will be about
* New style for add-on manager based on the in-content
preferences style
* Improved scrolling, graphics, and video playback performance
with off main thread compositing (GNU/Linux only)
* Graphic blocklist mechanism improved: Firefox version ranges
can be specified, limiting the number of devices blocked
security fixes:
* MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
Miscellaneous memory safety hazards
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
Out-of-bounds read with malformed MP3 file
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
Use-after-free in MediaStream playback
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
Overflow issues in libstagefright
* MFSA 2015-84/CVE-2015-4481 (bmo1171518)
Arbitrary file overwriting through Mozilla Maintenance Service
with hard links (only affected Windows)
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
Out-of-bounds write with Updater and malicious MAR file
(does not affect openSUSE RPM packages which do not ship the
updater)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=454
security fixes:
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
Miscellaneous memory safety hazards
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
Type confusion in Indexed Database Manager
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
Out-of-bound read while computing an oscillator rendering range in Web Audio
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
Use-after-free in Content Policy due to microtask execution error
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
ECDSA signature validation fails to handle some signatures correctly
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
Use-after-free in workers while using XMLHttpRequest
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
Vulnerabilities found through code inspection
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
Key pinning is ignored when overridable errors are encountered
* MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
OS X crash reports may contain entered key press information
(not relevant under Linux)
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
Privilege escalation in PDF.js
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
NSS accepts export-length DHE keys with regular DHE cipher suites
(this fix is shipped by NSS 3.19.1 externally)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=450
* Share Hello URLs with social networks
* Support for 'switch' role in ARIA 1.1 (web accessibility)
* SafeBrowsing malware detection lookups enabled for downloads
(Mac OS X and Linux)
* Support for new Unicode 8.0 skin tone emoji
* Removed support for insecure SSLv3 for network communications
* Disable use of RC4 except for temporarily whitelisted hosts
* NPAPI Plug-in performance improved via asynchronous initialization
- dropped mozilla-prefer_plugin_pref.patch as this feature is
likely not worth maintaining further
- rebased patches
- require NSS 3.19.2
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=449
stability and regression fixes
* Systems with first generation NVidia Optimus graphics cards
may crash on start-up
* Users who import cookies from Google Chrome can end up with
broken websites
* Large animated images may fail to play and may stop other
images from loading
- update to Firefox 38.0 (bnc#930622)
* New tab-based preferences
* Ruby annotation support
* more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
security fixes:
* MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
Miscellaneous memory safety hazards
* MFSA 2015-47/VE-2015-0797 (bmo#1080995)
Buffer overflow parsing H.264 video with Linux Gstreamer
* MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
Buffer overflow with SVG content and CSS
* MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
Referrer policy ignored when links opened by middle-click and
context menu
* MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
Out-of-bounds read and write in asm.js validation
* MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
Use-after-free during text processing with vertical text enabled
* MFSA 2015-53/CVE-2015-2715 (bmo#988698)
Use-after-free due to Media Decoder Thread creation during shutdown
* MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
Buffer overflow when parsing compressed XML
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=441
* Heartbeat user rating system
* Yandex set as default search provider for the Turkish locale
* Bing search now uses HTTPS for secure searching
* Improved protection against site impersonation via OneCRL
centralized certificate revocation
* Opportunistically encrypt HTTP traffic where the server supports
HTTP/2 AltSvc
* some more behaviour changes for TLS
security fixes:
* MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
Miscellaneous memory safety hazards
* MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
Use-after-free when using the Fluendo MP3 GStreamer plugin
* MFSA 2015-32/CVE-2015-0812 (bmo#1128126)
Add-on lightweight theme installation approval bypassed through
MITM attack
* MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
resource:// documents can load privileged pages
* MFSA-2015-34/CVE-2015-0811 (bmo#1132468)
Out of bounds read in QCMS library
* MFSA-2015-35/CVE-2015-0810 (bmo#1125013)
Cursor clickjacking with flash and images (OS X only)
* MFSA-2015-36/CVE-2015-0808 (bmo#1109552)
Incorrect memory management for simple-type arrays in WebRTC
* MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
CORS requests should not follow 30x redirections after preflight
* MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437)
Memory corruption crashes in Off Main Thread Compositing
* MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=433
Bugfixes:
* Disable the usage of the ANY DNS query type (bmo#1093983)
* Hello may become inactive until restart (bmo#1137469)
* Print preferences may not be preserved (bmo#1136855)
* Hello contact tabs may not be visible (bmo#1137141)
* Accept hostnames that include an underscore character ("_")
(bmo#1136616)
* WebGL may use significant memory with Canvas2d (bmo#1137251)
* Option -remote has been restored (bmo#1080319)
- added mozilla-skia-bmo1136958.patch to fix build issues for
ARM and PPC
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=425
* mozilla-xremote-client was removed
* added libclearkey.so media plugin
* Pinned tiles on the new tab page can be synced
* Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
more scalable, and more responsive web.
* Locale added: Uzbek (uz)
- rebased patches
- requires NSS 3.17.4
- update to Firefox 35.0.1
* With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
* Kerberos authentication did not work with alias (bmo#1108971)
* SVG / CSS animation had a regression causing rendering issues on
websites like openstreemap.org (bmo#1083079)
* On Godaddy webmail, Firefox could crash (bmo#1113121)
* document.baseURI did not get updated to document.location after
base tag was removed from DOM for site with a CSP (bmo#1121857)
* With a Right-to-left (RTL) version of Firefox, the text selection
could be broken (bmo#1104036)
* CSP had a change in behavior with regard to case sensitivity
resources loading (bmo#1122445)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=422
notable features:
* Firefox Hello with new rooms-based conversations model
* Implemented HTTP Public Key Pinning Extension (for enhanced
authentication of encrypted connections)
- rebased patches
- dropped explicit support for everything older than 12.3
(including SLES11)
* merge firefox-kde.patch and firefox-kde-114.patch
* dropped mozilla-sle11.patch
- reworked specfile to build conditionally based on release channel
either Firefox or Firefox Developer Edition
- added mozilla-openaes-decl.patch to fix implicit declarations
- obsolete tracker-miner-firefox < 0.15 because it leads to startup
crashes (bnc#908892)
- rebased patches
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=419
* Fix a startup crash with some combination of hardware and drivers
33.0.1
* Firefox displays a black screen at start-up with certain
graphics drivers
- adjusted _constraints for ARM
- added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=408
* just a version bump for our builds
* fixed the in application update process for certain environments
(in application update is not enabled in openSUSE and Linux
is unaffected in any case)
- build with --disable-optimize for 13.1 and above for i586 to
workaround miscompilations (bnc#896624)
- update to Firefox 32.0.1
* fixed stability issues for computers with multiple graphics cards
* mixed content icon may be incorrectly displayed instead of lock
icon for SSL sites in 32.0 (
* WebRTC: setRemoteDescription() silently fails if no success
callback is specified (bmo#1063971)
- update to Firefox 32.0 (bnc#894370)
* MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562
- rebased patches
- requires NSS 3.16.4
- removed upstreamed patch
* mozilla-aarch64-bmo-810631.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=396
* Seer disabled by default (bmo#1005958)
* Session Restore failed with a corrupted sessionstore.js file
(bmo#1001167)
* pdf.js printing white page (bmo#1003707, bnc#876833)
- general.useragent.locale gets overwritten with en-US while it
should be using the active langpack's setting
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=382
Miscellaneous memory safety hazards
* MFSA 2014-36/CVE-2014-1522 (bmo#995289)
Web Audio memory corruption issues
* MFSA 2014-37/CVE-2014-1523 (bmo#969226)
Out of bounds read while decoding JPG images
* MFSA 2014-38/CVE-2014-1524 (bmo#989183)
Buffer overflow when using non-XBL object as XBL
* MFSA 2014-39/CVE-2014-1525 (bmo#989210)
Use-after-free in the Text Track Manager for HTML video
* MFSA 2014-41/CVE-2014-1528 (bmo#963962)
Out-of-bounds write in Cairo
* MFSA 2014-42/CVE-2014-1529 (bmo#987003)
Privilege escalation through Web Notification API
* MFSA 2014-43/CVE-2014-1530 (bmo#895557)
Cross-site scripting (XSS) using history navigations
* MFSA 2014-44/CVE-2014-1531 (bmo#987140)
Use-after-free in imgLoader while resizing images
* MFSA 2014-45/CVE-2014-1492 (bmo#903885)
Incorrect IDNA domain name matching for wildcard certificates
(fixed by NSS 3.16)
* MFSA 2014-46/CVE-2014-1532 (bmo#966006)
Use-after-free in nsHostResolver
* MFSA 2014-47/CVE-2014-1526 (bmo#988106)
Debugger can bypass XrayWrappers with JavaScript
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=379
* MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
Miscellaneous memory safety hazards
* MFSA 2014-17/CVE-2014-1497 (bmo#966311)
Out of bounds read during WAV file decoding
* MFSA 2014-18/CVE-2014-1498 (bmo#935618)
crypto.generateCRMFRequest does not validate type of key
* MFSA 2014-19/CVE-2014-1499 (bmo#961512)
Spoofing attack on WebRTC permission prompt
* MFSA 2014-20/CVE-2014-1500 (bmo#956524)
onbeforeunload and Javascript navigation DOS
* MFSA 2014-22/CVE-2014-1502 (bmo#972622)
WebGL content injection from one domain to rendering in another
* MFSA 2014-23/CVE-2014-1504 (bmo#911547)
Content Security Policy for data: documents not preserved by
session restore
* MFSA 2014-26/CVE-2014-1508 (bmo#963198)
Information disclosure through polygon rendering in MathML
* MFSA 2014-27/CVE-2014-1509 (bmo#966021)
Memory corruption in Cairo during PDF font rendering
* MFSA 2014-28/CVE-2014-1505 (bmo#941887)
SVG filters information disclosure through feDisplacementMap
* MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909)
Privilege escalation using WebIDL-implemented APIs
* MFSA 2014-30/CVE-2014-1512 (bmo#982957)
Use-after-free in TypeObject
* MFSA 2014-31/CVE-2014-1513 (bmo#982974)
Out-of-bounds read/write through neutering ArrayBuffer objects
* MFSA 2014-32/CVE-2014-1514 (bmo#983344)
Out-of-bounds write through TypedArrayObject after neutering
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=370
* MFSA 2013-63/CVE-2013-1701/CVE-2013-1702
Miscellaneous memory safety hazards
* MFSA 2013-64/CVE-2013-1704 (bmo#883313)
Use after free mutating DOM during SetBody
* MFSA 2013-65/CVE-2013-1705 (bmo#882865)
Buffer underflow when generating CRMF requests
* MFSA 2013-67/CVE-2013-1708 (bmo#879924)
Crash during WAV audio file decoding
* MFSA 2013-68/CVE-2013-1709 (bmo#838253)
Document URI misrepresentation and masquerading
* MFSA 2013-69/CVE-2013-1710 (bmo#871368)
CRMF requests allow for code execution and XSS attacks
* MFSA 2013-70/CVE-2013-1711 (bmo#843829)
Bypass of XrayWrappers using XBL Scopes
* MFSA 2013-72/CVE-2013-1713 (bmo#887098)
Wrong principal used for validating URI for some Javascript
components
* MFSA 2013-73/CVE-2013-1714 (bmo#879787)
Same-origin bypass with web workers and XMLHttpRequest
* MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file system
- requires NSPR 4.10 and NSS 3.15
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=345
Miscellaneous memory safety hazards
* MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
Memory corruption found using Address Sanitizer
* MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
Privileged content access and execution via XBL
* MFSA 2013-52/CVE-2013-1688 (bmo#873966)
Arbitrary code execution within Profiler
* MFSA 2013-53/CVE-2013-1690 (bmo#857883)
Execution of unmapped memory through onreadystatechange event
* MFSA 2013-54/CVE-2013-1692 (bmo#866915)
Data in the body of XHR HEAD requests leads to CSRF attacks
* MFSA 2013-55/CVE-2013-1693 (bmo#711043)
SVG filters can lead to information disclosure
* MFSA 2013-56/CVE-2013-1694 (bmo#848535)
PreserveWrapper has inconsistent behavior
* MFSA 2013-57/CVE-2013-1695 (bmo#849791)
Sandbox restrictions not applied to nested frame elements
* MFSA 2013-58/CVE-2013-1696 (bmo#761667)
X-Frame-Options ignored when using server push with multi-part
responses
* MFSA 2013-59/CVE-2013-1697 (bmo#858101)
XrayWrappers can be bypassed to run user defined methods in a
privileged context
* MFSA 2013-60/CVE-2013-1698 (bmo#876044)
getUserMedia permission dialog incorrectly displays location
* MFSA 2013-61/CVE-2013-1699 (bmo#840882)
Homograph domain spoofing in .com, .net and .name
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=341
Miscellaneous memory safety hazards
* MFSA 2012-75/CVE-2012-3984 (bmo#575294)
select element persistance allows for attacks
* MFSA 2012-76/CVE-2012-3985 (bmo#655649)
Continued access to initial origin after setting document.domain
* MFSA 2012-77/CVE-2012-3986 (bmo#775868)
Some DOMWindowUtils methods bypass security checks
* MFSA 2012-79/CVE-2012-3988 (bmo#725770)
DOS and crash with full screen and history navigation
* MFSA 2012-80/CVE-2012-3989 (bmo#783867)
Crash with invalid cast when using instanceof operator
* MFSA 2012-81/CVE-2012-3991 (bmo#783260)
GetProperty function can bypass security checks
* MFSA 2012-82/CVE-2012-3994 (bmo#765527)
top object and location property accessible by plugins
* MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370)
Chrome Object Wrapper (COW) does not disallow acces to privileged
functions or properties
* MFSA 2012-84/CVE-2012-3992 (bmo#775009)
Spoofing and script injection through location.hash
* MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/
CVE-2012-4181/CVE-2012-4182/CVE-2012-4183
Use-after-free, buffer overflow, and out of bounds read issues
found using Address Sanitizer
* MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/
CVE-2012-4188
Heap memory corruption issues found using Address Sanitizer
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=296
- license change from tri license to MPL-2.0
- fix crashreporter restart option (bmo#762780)
- reenabled mozilla-yarr-pcre.patch to fix build for PPC
- require NSS 3.13.5
- remove mozjs pacrunner obsoletes again for now
- adopted mozilla-prefer_plugin_pref.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=284
* rebased patches
- added mozilla-libnotify.patch to allow fallback from libnotify
to xul based events if no notification-daemon is running
- gcc 4.7 fixes
* mozilla-gcc47.patch
* disabled crashreporter temporarily for Factory
- recommend libcanberra0 for proper sound notifications
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=270
* MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
Miscellaneous memory safety hazards
* MFSA 2012-03/CVE-2012-0445 (bmo#701071)
<iframe> element exposed across domains via name attribute
* MFSA 2012-04/CVE-2011-3659 (bmo#708198)
Child nodes from nsDOMAttribute still accessible after removal
of nodes
* MFSA 2012-05/CVE-2012-0446 (bmo#705651)
Frame scripts calling into untrusted objects bypass security
checks
* MFSA 2012-06/CVE-2012-0447 (bmo#710079)
Uninitialized memory appended when encoding icon images may
cause information disclosure
* MFSA 2012-07/CVE-2012-0444 (bmo#719612)
Potential Memory Corruption When Decoding Ogg Vorbis files
* MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
Crash with malformed embedded XSLT stylesheets
- KDE integration has been disabled since it needs refactoring
- removed obsolete ppc64 patch
- Disable neon for arm as it doesn't build correctly
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=252
* MFSA 2011-47/CVE-2011-3648 (bmo#690225)
Potential XSS against sites using Shift-JIS
* MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
Miscellaneous memory safety hazards
* MFSA 2011-49/CVE-2011-3650 (bmo#674776)
Memory corruption while profiling using Firebug
* MFSA 2011-52/CVE-2011-3655 (bmo#672182)
Code execution via NoWaiverWrapper
- rebased patches
- enable telemetry prompt
- set intl.locale.matchOS=true in the base package as it causes
too much confusion when it's only available with branding-openSUSE
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=237