MFSA 2021-28 (bsc#1188275)
* CVE-2021-29970 (bmo#1709976)
Use-after-free in accessibility features of a document
* CVE-2021-29971 (bmo#1713638)
Granted permissions only compared host; omitting scheme and
port on Android
* CVE-2021-30547 (bmo#1715766)
Out of bounds write in ANGLE
* CVE-2021-29972 (bmo#1696816)
Use of out-of-date library included use-after-free
vulnerability
* CVE-2021-29973 (bmo#1701932)
Password autofill on HTTP websites was enabled without user
interaction on Android
* CVE-2021-29974 (bmo#1704843)
HSTS errors could be overridden when network partitioning was
enabled
* CVE-2021-29975 (bmo#1713259)
Text message could be overlaid on top of another website
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
bmo#1711576, bmo#1714391)
Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316,
bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357,
bmo#1714066)
Memory safety bugs fixed in Firefox 90
- requires
NSPR 4.31
NSS 3.66
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=922
* The Event Timing API is now supported
* The CSS forced-colors media query is now supported
MFSA 2021-23 (bsc#1186696)
* CVE-2021-29965 (bmo#1709257)
Password Manager on Firefox for Android susceptible to domain
spoofing
* CVE-2021-29960 (bmo#1675965)
Filenames printed from private browsing mode incorrectly
retained in preferences
* CVE-2021-29961 (bmo#1700235)
Firefox UI spoof using `<select>` elements and CSS scaling
* CVE-2021-29963 (bmo#1705068)
Shared cookies for search suggestions in private browsing mode
* CVE-2021-29964 (bmo#1706501)
Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29959 (bmo#1395819)
Devices could be re-enabled without additional permission prompt
* CVE-2021-29962 (bmo#1701673)
No rate-limiting for popups on Firefox for Android
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
bmo#1704722, bmo#1706041)
Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
* CVE-2021-29966 (bmo#1660307, bmo#1686154, bmo#1702948, bmo#1708124)
Memory safety bugs fixed in Firefox 89
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=913
* New: PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features
* New: Print updates: Margin units are now localized
* New: Smooth pinch-zooming using a touchpad is now supported
on Linux
* New: To protect against cross-site privacy leaks, Firefox now
isolates window.name data to the website that created it.
Learn more
* Changed: Firefox will not prompt for access to your
microphone or camera if you’ve already granted access to the
same device on the same site in the same tab within the past
50 seconds. This new grace period reduces the number of times
you’re prompted to grant device access
* Changed: The ‘Take a Screenshot’ feature was removed from the
Page Actions menu in the url bar. To take a screenshot,
right-click to open the context menu. You can also add a
screenshots shortcut directly to your toolbar via the
Customize menu. Open the Firefox menu and select Customize…
* Changed: FTP support has been disabled, and its full removal
is planned for an upcoming release. Addressing this security
risk reduces the likelihood of an attack while also removing
support for a non-encrypted protocol
* Developer: Introduced a new toggle button in the Network
panel for switching between JSON formatted HTTP response and
raw data (as received over the wire).
!enter image description here
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. You can see
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=904
* requires NSS 3.62
* removed obsolete BigEndian ICU build workaround
* rebased patches
MFSA 2021-10 (bsc#1183942)
* CVE-2021-23981 (bmo#1692832)
Texture upload into an unbound backing buffer resulted in an
out-of-bound read
* CVE-2021-23982 (bmo#1677046)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2021-23983 (bmo#1692684)
Transitions for invalid ::marker properties resulted in memory
corruption
* CVE-2021-23984 (bmo#1693664)
Malicious extensions could have spoofed popup information
* CVE-2021-23985 (bmo#1659129)
Devtools remote debugging feature could have been enabled
without indication to the user
* CVE-2021-23986 (bmo#1692623)
A malicious extension could have performed credential-less
same origin policy violations
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
bmo#1690718)
Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
* CVE-2021-23988 (bmo#1684994, bmo#1686653)
Memory safety bugs fixed in Firefox 87
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=901
* requires NSS >= 3.61
* requires rust-cbindgen >= 0.16.0
* Firefox now supports simultaneously watching multiple videos in
Picture-in-Picture.
* Total Cookie Protection to Strict Mode
* https://www.mozilla.org/en-US/firefox/86.0/releasenotes
MSFA 2021-07 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23970 (bmo#1681724)
Multithreaded WASM triggered assertions validating separation
of script domains
* CVE-2021-23968 (bmo#1687342)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23974 (bmo#1528997, bmo#1683627)
noscript elements could have led to an HTML Sanitizer bypass
* CVE-2021-23971 (bmo#1678545)
A website's Referrer-Policy could have been be overridden,
potentially resulting in the full URL being sent as a Referrer
* CVE-2021-23976 (bmo#1684627)
Local spoofing of web manifests for arbitrary pages in
Firefox for Android
* CVE-2021-23977 (bmo#1684761)
Malicious application could read sensitive data from Firefox
for Android's application directories
* CVE-2021-23972 (bmo#1683536)
HTTP Auth phishing warning was omitted when a redirect is
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=895
* Adobe Flash is completely history
* supercookie protection
* new bookmark handling and features
MFSA 2021-03 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2021-23955 (bmo#1684837)
Clickjacking across tabs through misusing requestPointerLock
* CVE-2021-23956 (bmo#1338637)
File picker dialog could have been used to disclose a
complete directory
* CVE-2021-23957 (bmo#1584582)
Iframe sandbox could have been bypassed on Android via the
intent URL scheme
* CVE-2021-23958 (bmo#1642747)
Screen sharing permission leaked across tabs
* CVE-2021-23959 (bmo#1659035)
Cross-Site Scripting in error pages on Firefox for Android
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23962 (bmo#1677194)
Use-after-poison in
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=888
* Fixed problems loading secure websites and crashes for users
with certain third-party PKCS11 modules and smartcards installed
(bmo#1682881) (fixed in NSS 3.59.1)
* Fixed a bug causing some Unity JS games to not load on Apple
Silicon devices due to improper detection of the OS version
(bmo#1680516)
- requires NSS 3.59.1
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=882
* Firefox 84 is the final release to support Adobe Flash
* WebRender is enabled by default when run on GNOME-based X11
Linux desktops
MFSA 2020-54 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26972 (bmo#1671382)
Use-After-Free in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26975 (bmo#1661071)
Malicious applications on Android could have induced Firefox
for Android into sending arbitrary attacker-specified headers
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2020-26977 (bmo#1676311)
URL spoofing via unresponsive port in Firefox for Android
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-26979 (bmo#1641287, bmo#1673299)
When entering an address in the address or search bars, a
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=880
* major update for SpiderMonkey improving performance significantly
* optional HTTPS-Only mode
* more improvements
https://www.mozilla.org/en-US/firefox/83.0/releasenotes/
MFSA 2020-50 (bsc#1178824))
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-26952 (bmo#1667685)
Out of memory handling of JITed, inlined functions could lead
to a memory corruption
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security UI
* CVE-2020-26954 (bmo#1657026)
Local spoofing of web manifests for arbitrary pages in
Firefox for Android
* CVE-2020-26955 (bmo#1663261)
Cookies set during file downloads are shared between normal
and Private Browsing Mode in Firefox for Android
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26957 (bmo#1667179)
OneCRL was not working in Firefox for Android
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=871
MFSA 2020-45 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570)
Use-after-free in usersctp
* CVE-2020-15254 (bmo#1668514)
Undefined behavior in bounded channel of crossbeam rust crate
* CVE-2020-15680 (bmo#1658881)
Presence of external protocol handlers could be determined
through image tags
* CVE-2020-15681 (bmo#1666568)
Multiple WASM threads may have overwritten each others' stub
table entries
* CVE-2020-15682 (bmo#1636654)
The domain associated with the prompt to open an external
protocol could be spoofed to display the incorrect origin
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
bmo#1662760, bmo#1663439, bmo#1666140)
Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* CVE-2020-15684 (bmo#1653764, bmo#1661402, bmo#1662259,
bmo#1664257)
Memory safety bugs fixed in Firefox 82
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=864
* https://www.mozilla.org/en-US/firefox/81.0/releasenotes
MFSA 2020-42 (bsc#1176756)
* CVE-2020-15675 (bmo#1654211)
Use-After-Free in WebGL
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
* CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293)
Memory safety bugs fixed in Firefox 81
- requires
NSPR 4.28
NSS 3.56
- removed obsolete patches
* mozilla-system-nspr.patch
* mozilla-bmo1661715.patch
* mozilla-silence-no-return-type.patch
- skip post-build-checks for 15.0 and 15.1
- add revert-795c8762b16b.patch to fix LTO builds with gcc
(related to bmo#1644409)
- Use %limit_build macro again for aarch64 and armv7, instead of
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=858
MFSA 2020- (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-12401 (bmo#1631573)
Timing-attack on ECDSA signature generation
* CVE-2020-6829 (bmo#1631583)
P-384 and P-521 vulnerable to an electro-magnetic side
channel attack on signature generation
* CVE-2020-12400 (bmo#1623116)
P-384 and P-521 vulnerable to a side channel attack on
modular inversion
* CVE-2020-15665 (bmo#1651636)
Address bar not reset when choosing to stay on a page after
the beforeunload dialog is shown
* CVE-2020-15666 (bmo#1450853)
MediaError message property leaks cross-origin response
status
* CVE-2020-15667 (bmo#1653371)
Heap overflow when processing an update file
* CVE-2020-15668 (bmo#1651520)
Data Race when reading certificate information
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- requires
* NSPR 4.27
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=853
