- update to Firefox 40.0.3 (bnc#943550)
* Disable the asynchronous plugin initialization (bmo#1198590)
* Fix a segmentation fault in the GStreamer support (bmo#1145230)
* Fix a regression with some Japanese fonts used in the <input>
field (bmo#1194055)
* On some sites, the selection in a select combox box using the
mouse could be broken (bmo#1194733)
security fixes
* MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
Use-after-free when resizing canvas element during restyling
* MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
Add-on notification bypass through data URLs
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=460
* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
Miscellaneous memory safety hazards
* MFSA 2015-97/CVE-2015-4503 (bmo#994337)
Memory leak in mozTCPSocket to servers
* MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
Out of bounds read in QCMS library with ICC V4 profile attributes
* MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)
Site attribute spoofing on Android by pasting URL with unknown scheme
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
Arbitrary file manipulation by local user through Mozilla updater
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
Crash when using debugger with SavedStacks in JavaScript
* MFSA 2015-103/CVE-2015-4508 (bmo#1195976)
URL spoofing in reader mode
* MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
Use-after-free with shared workers and IndexedDB
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
Use-after-free while manipulating HTML media content
* MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
Out-of-bounds read during 2D canvas display on Linux 16-bit
color depth systems
* MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
Scripted proxies can access inner window
* MFSA 2015-109/CVE-2015-4516 (bmo#904886)
JavaScript immutable property enforcement can be bypassed
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=459
* Disable the asynchronous plugin initialization (bmo#1198590)
* Fix a segmentation fault in the GStreamer support (bmo#1145230)
* Fix a regression with some Japanese fonts used in the <input>
field (bmo#1194055)
* On some sites, the selection in a select combox box using the
mouse could be broken (bmo#1194733)
security fixes
* MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
Use-after-free when resizing canvas element during restyling
* MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
Add-on notification bypass through data URLs
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=456
* Added protection against unwanted software downloads
* Suggested Tiles show sites of interest, based on categories
from your recent browsing history
* Hello allows adding a link to conversations to provide context
on what the conversation will be about
* New style for add-on manager based on the in-content
preferences style
* Improved scrolling, graphics, and video playback performance
with off main thread compositing (GNU/Linux only)
* Graphic blocklist mechanism improved: Firefox version ranges
can be specified, limiting the number of devices blocked
security fixes:
* MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
Miscellaneous memory safety hazards
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
Out-of-bounds read with malformed MP3 file
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
Use-after-free in MediaStream playback
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
Overflow issues in libstagefright
* MFSA 2015-84/CVE-2015-4481 (bmo1171518)
Arbitrary file overwriting through Mozilla Maintenance Service
with hard links (only affected Windows)
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
Out-of-bounds write with Updater and malicious MAR file
(does not affect openSUSE RPM packages which do not ship the
updater)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=454
security fixes:
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
Miscellaneous memory safety hazards
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
Type confusion in Indexed Database Manager
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
Out-of-bound read while computing an oscillator rendering range in Web Audio
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
Use-after-free in Content Policy due to microtask execution error
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
ECDSA signature validation fails to handle some signatures correctly
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
Use-after-free in workers while using XMLHttpRequest
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
Vulnerabilities found through code inspection
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
Key pinning is ignored when overridable errors are encountered
* MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
OS X crash reports may contain entered key press information
(not relevant under Linux)
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
Privilege escalation in PDF.js
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
NSS accepts export-length DHE keys with regular DHE cipher suites
(this fix is shipped by NSS 3.19.1 externally)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=450
* Share Hello URLs with social networks
* Support for 'switch' role in ARIA 1.1 (web accessibility)
* SafeBrowsing malware detection lookups enabled for downloads
(Mac OS X and Linux)
* Support for new Unicode 8.0 skin tone emoji
* Removed support for insecure SSLv3 for network communications
* Disable use of RC4 except for temporarily whitelisted hosts
* NPAPI Plug-in performance improved via asynchronous initialization
- dropped mozilla-prefer_plugin_pref.patch as this feature is
likely not worth maintaining further
- rebased patches
- require NSS 3.19.2
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=449
stability and regression fixes
* Systems with first generation NVidia Optimus graphics cards
may crash on start-up
* Users who import cookies from Google Chrome can end up with
broken websites
* Large animated images may fail to play and may stop other
images from loading
- update to Firefox 38.0 (bnc#930622)
* New tab-based preferences
* Ruby annotation support
* more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
security fixes:
* MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
Miscellaneous memory safety hazards
* MFSA 2015-47/VE-2015-0797 (bmo#1080995)
Buffer overflow parsing H.264 video with Linux Gstreamer
* MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
Buffer overflow with SVG content and CSS
* MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
Referrer policy ignored when links opened by middle-click and
context menu
* MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
Out-of-bounds read and write in asm.js validation
* MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
Use-after-free during text processing with vertical text enabled
* MFSA 2015-53/CVE-2015-2715 (bmo#988698)
Use-after-free due to Media Decoder Thread creation during shutdown
* MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
Buffer overflow when parsing compressed XML
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=441
* Heartbeat user rating system
* Yandex set as default search provider for the Turkish locale
* Bing search now uses HTTPS for secure searching
* Improved protection against site impersonation via OneCRL
centralized certificate revocation
* Opportunistically encrypt HTTP traffic where the server supports
HTTP/2 AltSvc
* some more behaviour changes for TLS
security fixes:
* MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
Miscellaneous memory safety hazards
* MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
Use-after-free when using the Fluendo MP3 GStreamer plugin
* MFSA 2015-32/CVE-2015-0812 (bmo#1128126)
Add-on lightweight theme installation approval bypassed through
MITM attack
* MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
resource:// documents can load privileged pages
* MFSA-2015-34/CVE-2015-0811 (bmo#1132468)
Out of bounds read in QCMS library
* MFSA-2015-35/CVE-2015-0810 (bmo#1125013)
Cursor clickjacking with flash and images (OS X only)
* MFSA-2015-36/CVE-2015-0808 (bmo#1109552)
Incorrect memory management for simple-type arrays in WebRTC
* MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
CORS requests should not follow 30x redirections after preflight
* MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437)
Memory corruption crashes in Off Main Thread Compositing
* MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=433
Bugfixes:
* Disable the usage of the ANY DNS query type (bmo#1093983)
* Hello may become inactive until restart (bmo#1137469)
* Print preferences may not be preserved (bmo#1136855)
* Hello contact tabs may not be visible (bmo#1137141)
* Accept hostnames that include an underscore character ("_")
(bmo#1136616)
* WebGL may use significant memory with Canvas2d (bmo#1137251)
* Option -remote has been restored (bmo#1080319)
- added mozilla-skia-bmo1136958.patch to fix build issues for
ARM and PPC
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=425
* mozilla-xremote-client was removed
* added libclearkey.so media plugin
* Pinned tiles on the new tab page can be synced
* Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
more scalable, and more responsive web.
* Locale added: Uzbek (uz)
- rebased patches
- requires NSS 3.17.4
- update to Firefox 35.0.1
* With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
* Kerberos authentication did not work with alias (bmo#1108971)
* SVG / CSS animation had a regression causing rendering issues on
websites like openstreemap.org (bmo#1083079)
* On Godaddy webmail, Firefox could crash (bmo#1113121)
* document.baseURI did not get updated to document.location after
base tag was removed from DOM for site with a CSP (bmo#1121857)
* With a Right-to-left (RTL) version of Firefox, the text selection
could be broken (bmo#1104036)
* CSP had a change in behavior with regard to case sensitivity
resources loading (bmo#1122445)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=422
notable features:
* Firefox Hello with new rooms-based conversations model
* Implemented HTTP Public Key Pinning Extension (for enhanced
authentication of encrypted connections)
- rebased patches
- dropped explicit support for everything older than 12.3
(including SLES11)
* merge firefox-kde.patch and firefox-kde-114.patch
* dropped mozilla-sle11.patch
- reworked specfile to build conditionally based on release channel
either Firefox or Firefox Developer Edition
- added mozilla-openaes-decl.patch to fix implicit declarations
- obsolete tracker-miner-firefox < 0.15 because it leads to startup
crashes (bnc#908892)
- rebased patches
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=419
* Fix a startup crash with some combination of hardware and drivers
33.0.1
* Firefox displays a black screen at start-up with certain
graphics drivers
- adjusted _constraints for ARM
- added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=408
* just a version bump for our builds
* fixed the in application update process for certain environments
(in application update is not enabled in openSUSE and Linux
is unaffected in any case)
- build with --disable-optimize for 13.1 and above for i586 to
workaround miscompilations (bnc#896624)
- update to Firefox 32.0.1
* fixed stability issues for computers with multiple graphics cards
* mixed content icon may be incorrectly displayed instead of lock
icon for SSL sites in 32.0 (
* WebRTC: setRemoteDescription() silently fails if no success
callback is specified (bmo#1063971)
- update to Firefox 32.0 (bnc#894370)
* MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562
- rebased patches
- requires NSS 3.16.4
- removed upstreamed patch
* mozilla-aarch64-bmo-810631.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=396
