-------------------------------------------------------------------
Thu Aug 19 12:52:52 UTC 2021 - Tristan Miller

- add upstream patch seamonkey-packed_simd.patch which allows packed_simd to compile with Rust 1.54

-------------------------------------------------------------------
Tue Jul 27 06:57:05 UTC 2021 - Guillaume GARDET

- Remove --disable-elf-hack when not available: aarch64 and ppc64*

-------------------------------------------------------------------
Thu Jul 22 08:55:51 UTC 2021 - Tristan Miller

- update to SeaMonkey 2.53.8.1
  * Archive message action does not work bug 1718839.
  * Do not preserve offlineMsgSize parameter when moving/copying emails between folders bug 1720202 and bug 1430480.
  * Move thread code to threadPane.js and remove messengerdnd.js bug 515675.
  * SeaMonkey 2.53.8.1 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes.
  * SeaMonkey 2.53.8.1 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.
  * Additional important security fixes up to Current Firefox 78.12 ESR and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.
- requested inclusion in Leap 15.3 and Leap 15.2: https://bugzilla.opensuse.org/show_bug.cgi?id=1188614

-------------------------------------------------------------------
Thu Jul 08 06:50:25 UTC 2021 - Tristan Miller

- requested inclusion in Leap 15.3 and Leap 15.2: https://bugzilla.opensuse.org/show_bug.cgi?id=1188100

-------------------------------------------------------------------
Wed Jul 07 13:50:05 UTC 2021 - Tristan Miller

- update to SeaMonkey 2.53.8
  * Serious performance improvements and bug fixes tracked in bug 1633339 and bug 1711050.
  * Language attributes with country codes not recognized when building the Website Navigation Bar link toolbar bug 134436 and bug 1709443.
  * Optimize SeaMonkey icons for speed and optional higher quality for branding bug 1362210 and bug 1699322.
  * Support from= option when opening email compose window from the command line bug 1628671.
  * Update subject handling and GenericSendMessage function in compose window bug 1693994.
  * All message windows should update when view preferences are changed bug 1694765.
  * Improve marking of multiple messages as read / unread bug 1700530.
  * Show version numbers again in the add-on manager by the partial backout of bug 1161183.
  * Update available networks in chatZilla (including adding libera.chat) bug 1704392 and bug 1712505.
  * Change default port for IRC via TLS/SSL to 6697 bug 1704280.
  * Remove chatZilla and Lightning extension language packs and incorporate localisations within the main language pack bug 1604663.
  * Fix address drag and drop handling in compose window bug 1712002 and bug 1712227.
  * Further fixes for legacy generators and the deprecated for each statement in add-ons and the Add-on SDK bug 1702903.
  * For developers, fork DOMi repo into main SeaMonkey one which means no need to separately checkout the extension bug 1700003.
  * SeaMonkey 2.53.8 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes.
  * SeaMonkey 2.53.8 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.
  * Additional important security fixes up to Current Firefox 78.11 ESR and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.
- removed obsolete seamonkey-websocketloop.patch and seamonkey-rustc-bootstrap.patch (now integrated upstream)

-------------------------------------------------------------------
Tue May 18 07:04:59 UTC 2021 - Tristan Miller

- add patch seamonkey-rustc-bootstrap.patch adapted from https://bugzilla.mozilla.org/show_bug.cgi?id=1710154 to enable compilation with rust >= 1.50.0

-------------------------------------------------------------------
Tue May 05 18:36:24 UTC 2021 - Tristan Miller

- update GNU Makefile from upstream https://bugzilla.mozilla.org/show_bug.cgi?id=1692516#c8 -- besides some general improvements, this Makefile now allows the language packs for the bundled extensions to be split off again if desired (though our spec file does not yet take advantage of this)

-------------------------------------------------------------------
Tue May 04 08:19:42 UTC 2021 - Tristan Miller

- use system libraries for bz2, webp, and icu to reduce package size and because this is probably more secure (since our own libraries are probably updated more often than the ones bundled with SeaMonkey)

-------------------------------------------------------------------
Wed Apr 28 07:59:04 UTC 2021 - Tristan Miller

- add upstream patch seamonkey-websocketloop.patch from https://bugzilla.mozilla.org/attachment.cgi?id=9218795&action=diff to solve critical performance issue https://bugzilla.mozilla.org/show_bug.cgi?id=1633339

-------------------------------------------------------------------
Tue Apr 27 11:54:30 UTC 2021 - Tristan Miller

- requested inclusion in Leap 15.2: https://bugzilla.opensuse.org/show_bug.cgi?id=1185349

-------------------------------------------------------------------
Tue Apr 20 15:28:04 UTC 2021 - Tristan Miller

- remove check for .mkdir.done, as these files are no longer generated
- remove check for text files with the executable bit incorrectly set, as the only remaining files in the source tree with this problem are ones that don't get installed anyway:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1706019
- revise/improve spec file comments
- update package description to clarify compatibility with Firefox extensions
- update package description to reference bundled calendar

-------------------------------------------------------------------
Tue Apr 20 06:52:31 UTC 2021 - Tristan Miller

- re-enable elf-hack for x86_64 builds as this is no longer preventing compilation: https://bugzilla.mozilla.org/show_bug.cgi?id=1619776

-------------------------------------------------------------------
Mon Apr 19 20:40:37 UTC 2021 - Tristan Miller

- remove --disable-optimize flag (added on Sat Sep 20 14:53:01 UTC 2014 as a result of bnc#896624) as compilation on ix86 with the default optimizations seems to work fine now

-------------------------------------------------------------------
Mon Apr 19 07:40:51 UTC 2021 - Tristan Miller

- add patch to install SeaMonkey's new man page: seamonkey-man-page.patch

-------------------------------------------------------------------
Sun Apr 18 13:28:57 UTC 2021 - Tristan Miller

- update to SeaMonkey 2.53.7.1
  * Fix for legacy generators and the deprecated for each statement in add-ons and the Add-on SDK bug 1702903.
  * Fix for handling of dead keys in text input fields in GTK 3.24.26+ bug 1701288.
  * SeaMonkey 2.53.7.1 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes.
  * SeaMonkey 2.53.7.1 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.
  * Additional important security fixes up to Current Firefox 78.8 ESR and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.
-------------------------------------------------------------------
Sun Apr 18 12:57:14 UTC 2021 - Tristan Miller

- update to SeaMonkey 2.53.7
  * Remove Flash and NPAPI support bug 1688415.
  * Switch packaged extensions to be global bug 1659298.
  * Add Insert Forms to Composer bug 1684611.
  * Fix an issue with copying to IMAP sent folder and some reference count leaks in mailnews bug 1689890.
  * Tailing to delay tracker requests and enhance performance has been enabled bug 1358060.
  * Fix an issue with favorite and recent folders not showing in macOS bug 1695869.
  * Various security and general platform fixes.
  * The ChatZilla source has been integrated into SeaMonkey and no longer needs to be checked out separately if you build your own release bug 1551033.
  * SeaMonkey 2.53.7 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes.
  * SeaMonkey 2.53.7 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.
  * Additional important security fixes up to Current Firefox 78.8 ESR and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.
- update GNU Makefile per https://bugzilla.mozilla.org/show_bug.cgi?id=1692516#c6
  * provide a way to auto-select es-AR locale on any Spanish one but es-ES

-------------------------------------------------------------------
Sun Apr 18 12:22:54 UTC 2021 - Tristan Miller

- restore Chatzilla and DOM Inspector packages disabled in Revision 333; these extensions were long since re-enabled upstream but apparently we had forgotten to re-enable them in the spec file

-------------------------------------------------------------------
Fri Apr 16 15:18:27 UTC 2021 - Tristan Miller

- add --disable-install-strip to .mozconfig; fixes #1184851

-------------------------------------------------------------------
Fri Apr 16 07:20:09 UTC 2021 - Tristan Miller

- update to SeaMonkey 2.53.6
  * Improve usability of multiple mailboxes/folders selection bug 1600103.
  * Add Greek localisation (el).
  * Remove more RDF from mailnews code.
  * Switch to mozilla as topsrcdir and component for building is comm/suite now.
  * Rust support is now up to 1.48 and official build is now using 1.47.0
  * Various security and general platform fixes.
  * SeaMonkey 2.53.6 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes.
  * SeaMonkey 2.53.6 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.
  * Additional important security fixes up to Current Firefox 78.6 ESR and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.
- rewrote spec file to account for SeaMonkey's new build system, including a new Makefile from Dmitry Butskoy: #1181525#c3
- merged the translations-common and translations-other subpackages into the main package; it is no longer convenient/consistent to keep these separate because localizations for the integrated IRC and Calendar clients are already merged in the source. This also solves #1181525.
- enabled and bundled Calendar (Lightning) extension
- cleaned up spec file to remove conditions targeting long-obsolete openSUSE versions
- disabled elf-hack on i586 builds, as it was preventing compilation

-------------------------------------------------------------------
Tue Apr 13 07:58:48 UTC 2021 - Tristan Miller

- add patch to enable builds with Rust >= 1.48 on Tumbleweed https://bugzilla.mozilla.org/show_bug.cgi?id=1617782#c22

-------------------------------------------------------------------
Fri Nov 20 09:49:51 UTC 2020 - Tristan Miller

- requested inclusion in Leap 15.1 and 15.2: https://bugzilla.opensuse.org/show_bug.cgi?id=1179010

-------------------------------------------------------------------
Thu Nov 19 09:44:58 UTC 2020 - Tristan Miller

- update to SeaMonkey 2.53.5.1
  * Fix advertising of av1 support bug 1490877.
  * Fix some issues found with supporting new macOS.
  * Various security and general platform fixes.

-------------------------------------------------------------------
Sat Nov 14 20:17:43 UTC 2020 - Tristan Miller

- update to SeaMonkey 2.53.5
  * Provide WebP support bug 1653869.
  * Add startpage.com as a search engine available to all locales bug 1655283.
  * Added av1 support.
  * Included latest version of freetype2.
  * Added support for the resizeObserver web API.
  * Support for rust 1.47.0 on Linux and macOS platforms.
  * Dropped support for use of system sqlite.
  * Various security and general platform fixes.
  * SeaMonkey 2.53.5 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes
  * SeaMonkey 2.53.5 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.
  * Additional important security fixes up to Current Firefox 78.4 ESR and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.

-------------------------------------------------------------------
Wed Sep 23 08:19:00 UTC 2020 - Tristan Miller

- update to SeaMonkey 2.53.4
  * This version makes changes to your profile that can't be reverted in case you want to go back to a previous version of SeaMonkey. You MUST absolutely do a full backup of your profile before trying SeaMonkey 2.53.4.
  * Added translation for Bokmål (nb_NO)
  * Upgraded NSS to 3.53.1 bug 1643859.
  * Updated to Unicode 11 for SpiderMonkey bug 1466471.
  * Updated bundled Twemoji Mozilla font to v0.5.1 to support newer emojis bug 1644346.
  * Updated how photos are handled in the addressbook bug 1641705.
  * Removed outdated RSS feed handlers bug 1643716.
  * Fix initialisation of TodayPane mini-day, to show the right day bug 1479628.
  * Fixed sizing issue of HTML mail question (askSendFormat) dialog bug 1583415.
  * Update of help page content and links.
  * Various security and general platform fixes.
  * SeaMonkey 2.53.4 uses the same backend as Firefox and contains the relevant Firefox 60.6 security fixes.
  * SeaMonkey 2.53.4 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.
  * Additional important security fixes up to Current Firefox 78.1 ESR and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.
- Added patch seamonkey-lto.patch which corrects the LTO syntax when compiling with GCC

-------------------------------------------------------------------
Mon Jul 20 09:35:49 UTC 2020 - Tristan Miller

- requested inclusion in Leap 15.1 and 15.2: https://bugzilla.opensuse.org/show_bug.cgi?id=1174300

-------------------------------------------------------------------
Sat Jul 18 20:49:18 UTC 2020 - Tristan Miller

- update appdata files (Bug 1174192):
  * correct metadata licensing information (most of the application descriptions had been taken from https://www.seamonkey-project.org/doc/features which according to the page footer is licensed under CC-BY-SA-3.0)
  * update the metadata summary and the introduction in the metadata description to more accurately reflect what SeaMonkey is, giving less prominence to the long-discontinued Mozilla Application Suite that many users may no longer be familiar with
  * update the metadata name to more accurately reflect the name or purpose of the application
  * update the metadata URL with the current SeaMonkey website

-------------------------------------------------------------------
Wed Jul 15 12:09:03 UTC 2020 - Tristan Miller

- update to SeaMonkey 2.53.3
  * The LaTex tool TexZilla, used for inserting Math, has been upgraded to 1.0.2.
  * It is now possible to customize the toolbars in Composer and the formatting toolbar in Mailnews composition.
  * All folders of an account can now be marked as read.
  * There is now an option for not advertizing SeaMonkey at all in the user agent.
  * The preference for hiding the toolbar and menubar grippies can now be changed from "Preferences->Appearance".
  * The preference "browser.tabs.autoHide" which autohides the tab bar when there is only one tab in a browser window open has been flipped in bug 1634879. SeaMonkey will now show the tab bar as the default.
    You can change it back by checking "Hide the tab bar when only one tab is open" in "Preferences->Browser->Tabbed Browsing"
  * Update of help page content and links.
  * SeaMonkey language packs are now version specific and will be disabled as part of the profile upgrade following the installation of a later version.
  * Search Engines have been centralized and updated in bug 1300198.
  * Address book now has updated IM fields, improved layout for card view pane, improved multi-word search, ability to search across multiple address books, more granular prompts when deleting items, print on the context menus and print button on the toolbar.
  * Multimedia support has been updated in preparation of supporting more audio video formats in the next releases. For enhanced security the Rust multimedia parser is now used for this and the libstagefright package has been removed.
  * SeaMonkey 2.53.3 uses the same backend as Firefox and contains the relevant Firefox 60.4 security fixes.
  * SeaMonkey 2.53.3 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.
  * Additional important security fixes up to Current Firefox 77 and a few enhancements have been backported.
- Fix exclusion list syntax in create-tars.sh script
- Disable LTO on i586 builds as these are once again failing due to memory issues

-------------------------------------------------------------------
Tue Jun 02 13:00:57 UTC 2020 - Tristan Miller

- Re-enable LTO on Tumbleweed builds after increasing available memory in _constraints

-------------------------------------------------------------------
Sun May 10 20:24:22 UTC 2020 - Tristan Miller

- Disable LTO on Tumbleweed builds to work around issues on build.opensuse.org: https://bugzilla.opensuse.org/show_bug.cgi?id=1171414

-------------------------------------------------------------------
Thu May 08 09:55:00 UTC 2020 - Tristan Miller

- Update create-tars.sh script to more precisely exclude unwanted VCS files; the previous exclusion list would have eventually triggered the bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1621564

-------------------------------------------------------------------
Thu May 07 14:21:31 UTC 2020 - Tristan Miller

- update to SeaMonkey 2.53.2 https://www.seamonkey-project.org/releases/seamonkey2.53.2/
  * Scrollbars have been switched over to the native gtk3 theme in bug 1625754. If your theme does not show scrollbar buttons and you would like to see them try editing ~/.config/gtk-3.0/gtk.css and adding the following:
    { -GtkScrollbar-has-backward-stepper: 1; -GtkScrollbar-has-forward-stepper: 1; }
  * The download progress dialog has been fixed and is now showing the correct status for downloads. Some downloads may not show the transferred count. This problem is under investigation.
  * SeaMonkey is now translated and available in Finnish and Georgian.
  * Because of website compatibility issues and privacy concerns the Lightning version is no longer appended to the user agent string and has been removed from the preferences dialog.
  * Advanced Layers has been activated on Windows. This should boost performance on some websites.
    If you experience graphics problems please disable it by setting the pref "layers.mlgpu.enabled" to false.
  * Whether the native app chooser is used in Linux is now controlled via a preference setting in the Helper Applications preference pane.
  * In the Modern theme, popup notifications have improved styling and column headers now display sort direction arrows.
  * The column picker and folder view have been reinstated for the bookmarks panel.
  * Introduced the ability to close all tabs to the right of the current tab.
  * Whether mailnews tabs open in the background is controlled by a separate preference to browser tabs via General Settings section of main Mail & Newsgroups preference pane.
  * Fixed an issue with the recipient being missing when using Reply to Sender and Group button in Newsgroup discussions.
  * SeaMonkey now prevents address books from having duplicate names.
  * SeaMonkey 2.53.2 uses the same backend as Firefox and contains the relevant Firefox 60.3 security fixes.
  * SeaMonkey 2.53.2 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.
  * SeaMonkey now uses gtk3 on Linux. If you experience a problem because of this please file a bug and link it to bug 1367257. Please try another OS theme first. Some of them are buggy and cause problems with SeaMonkey, Thunderbird and Firefox.
- Remove obsolete upstream and local patches

-------------------------------------------------------------------
Thu Mar 05 12:37:11 UTC 2020 - Tristan Miller

- update to SeaMonkey 2.53.1 https://www.seamonkey-project.org/releases/seamonkey2.53.1/
  * The Bookmarks Manager has switched its name to Library, and now also includes the History list. When invoking History, the Library will be shown with the History list selected. The extensive modifications were needed because of Mozilla Gecko platform API changes.
  * Download Manager has been migrated to a new API.
    Although it looks pretty much the same as before, the search option is missing and some other minor details work differently. The previous downloads history is removed during the upgrade.
  * Added Layout panel to CSS Grid tools.
  * TLS 1.3 is the default version now.
  * Among the general platform and mail fixes this release contains backported fixes from Thunderbird for the EFAIL security vulnerability.
  * SeaMonkey now uses gtk3 on Linux. If you experience a problem because of this please file a bug and link it to Switch Linux builds to GTK3 with SeaMonkey 2.49. Please try another OS theme first. Some of them are buggy and cause problems with SeaMonkey, Thunderbird and Firefox.
  * The Lightning extension is now included.
- apply upstream patches for building with rust >= 1.40
- remove mozilla-systems-nss.patch (since merged upstream)
- remove mozilla-no-stdcxx-check.patch (no longer applicable as build checks have been moved to a Python script)
- adapt mozilla-nongnome-proxies.patch, mozilla-language.patch, and mozilla-ntlm-full-path.patch for SeaMonkey 2.53.1
- add upstream patch for better LTO detection
- disable elf-hacking on x86_64 builds to prevent build errors: https://bugzilla.mozilla.org/show_bug.cgi?id=1619776
- rewrite the create-tars.sh script according to the new source code checkout instructions: https://bugzilla.opensuse.org/show_bug.cgi?id=1165427 https://bugzilla.mozilla.org/show_bug.cgi?id=1618806

-------------------------------------------------------------------
Fri Jan 24 10:59:33 UTC 2020 - Tristan Miller

- remove obsolete locale patches mozilla-ua-locale.patch and seamonkey-ua-locale.patch, and update default preferences per https://bugzilla.mozilla.org/show_bug.cgi?id=542999#c23

-------------------------------------------------------------------
Mon Jan 20 12:22:30 UTC 2020 - Tristan Miller

- remove obsolete and unused custom search add-ons

-------------------------------------------------------------------
Tue Jan 14 13:28:47 UTC 2020 - Tristan Miller

- disable Rust, as it caused build errors and was apparently unused
- add patch unifying gettid() declarations to avoid GCC build errors
- add patch correcting the syntax of the linker flags

-------------------------------------------------------------------
Mon Jan 13 10:52:54 UTC 2020 - Wolfgang Rosenauer

- remove mozilla-reduce-files-per-UnifiedBindings.patch since it creates build errors in certain situations
- introduce limit_build instead

-------------------------------------------------------------------
Mon Oct 21 09:29:14 UTC 2019 - Wolfgang Rosenauer

- update to Seamonkey 2.49.5
  * https://www.seamonkey-project.org/releases/seamonkey2.49.5/
- removed obsolete patch mozilla-bmo1338655.patch
- fix build with system NSS (mozilla-system-nss.patch)

-------------------------------------------------------------------
Fri Jul 13 05:13:13 UTC 2018 - wr@rosenauer.org

- update to Seamonkey 2.49.4
  * Gecko 52.9.1esr (bsc#1098998)
    MFSA 2018-16 (bsc#1098998)
  * CVE-2018-12359 (bmo#1459162) Buffer overflow using computed size of canvas element
  * CVE-2018-12360 (bmo#1459693) Use-after-free when using focus()
  * CVE-2018-12362 (bmo#1452375) Integer overflow in SSSE3 scaler
  * CVE-2018-5156 (bmo#1453127) Media recorder segmentation fault when track type is changed during capture
  * CVE-2018-12363 (bmo#1464784) Use-after-free when appending DOM nodes
  * CVE-2018-12364 (bmo#1436241) CSRF attacks through 307 redirects and NPAPI plugins
  * CVE-2018-12365 (bmo#1459206) Compromised IPC child process can list local filenames
  * CVE-2018-12366 (bmo#1464039) Invalid data handling during QCMS transformations
  * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739, bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576, bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829, bmo#1464079,bmo#1463494,bmo#1458048) Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
- localizations finally included again (boo#1062195)
-------------------------------------------------------------------
Thu Jun 7 00:07:03 UTC 2018 - bjorn.lie@gmail.com

- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass conditional --disable-gconf to configure: no longer pull in obsolete gconf2 for Tumbleweed.

-------------------------------------------------------------------
Tue Jun 5 12:09:11 UTC 2018 - psychonaut@nothingisreal.com

- update spec file summary and description to more accurately reflect what SeaMonkey is, giving less prominence to the long-discontinued Mozilla Application Suite that many users may no longer be familiar with
- update project URL in spec file

-------------------------------------------------------------------
Sat Mar 3 16:57:24 UTC 2018 - wr@rosenauer.org

- update to Seamonkey 2.49.2
  * Gecko 52.6esr (including security relevant fixes) (bsc#1077291)
  * fix issue in Composer
  * With some themes, the menulist- and history-dropmarker didn't show
  * Scrollbars didn't show the buttons
  * WebRTC has been disabled by default. It needs an add-on to enable it per site
  * The active title bar was not visually emphasized
- correct requires and provides handling (boo#1076907)

-------------------------------------------------------------------
Tue Jan 9 07:53:08 UTC 2018 - wr@rosenauer.org

- Explicitly buildrequires python2-xml: The build system relies on it. We wrongly relied on other packages pulling it in for us.
- use parallel compression in create-tar if available
- use XZ instead of BZ2 for source archives
- import upstream patch mozilla-bmo1338655.patch to fix failing build

-------------------------------------------------------------------
Thu Dec 7 11:19:39 UTC 2017 - dimstar@opensuse.org

- Escape the usage of %{VERSION} when calling out to rpm. RPM 4.14 has %{VERSION} defined as 'the main packages version'.
-------------------------------------------------------------------
Fri Nov 10 22:30:10 UTC 2017 - zaitor@opensuse.org

- Drop obsolete libgnomeui-devel BuildRequires: No longer needed.
- Following the above, add explicit pkgconfig(gconf-2.0), pkgconfig(gobject-2.0), pkgconfig(gdk-x11-2.0), pkgconfig(gtk+-2.0) and pkgconfig(gtk+-unix-print-2.0) BuildRequires: previously pulled in by libgnomeui-devel, and is what configure really checks for.

-------------------------------------------------------------------
Fri Aug 4 15:02:38 UTC 2017 - wr@rosenauer.org

- update to Seamonkey 2.48
  * based on Gecko 51.0.3
  * requires NSPR 4.13.1 and NSS 3.28.5 (aligned with 52ESR)
- removed obsolete (upstreamed) patches
  * mozilla-http2-ecdh-keybits.patch
  * mozilla-sed43.patch
  * mozilla-flex_buffer_overrun.patch
  * mozilla-shared-nss-db.patch (feature dropped from SM due to maintenance costs vs. usefulness)
  * mozilla-binutils-visibility.patch
  * mozilla-check_return.patch
  * mozilla-skia-overflow.patch
- rebased patches

-------------------------------------------------------------------
Sun Feb 12 13:03:49 UTC 2017 - wr@rosenauer.org

- fix configure with for sed >= 4.3 (boo#1020631) (mozilla-sed43.patch)

-------------------------------------------------------------------
Tue Jan 24 21:08:19 UTC 2017 - wr@rosenauer.org

- improve recognition of LANGUAGE env variable (boo#1017174)
- update minimum keybits in H2 so it allows a smaller value (e.g.
  for curve25519 as supported with NSS 3.28) (bmo#1290037) (boo#1021636) (mozilla-http2-ecdh-keybits.patch)

-------------------------------------------------------------------
Fri Dec 23 22:13:00 UTC 2016 - wr@rosenauer.org

- update to Seamonkey 2.46
  * based on Gecko 49.0.2
  * Chatzilla and DOM Inspector were removed/disabled and therefore those subpackages are not available at this moment
- requires NSPR 4.12 and NSS 3.25
- removed obsolete patches
  * mozilla-libproxy.patch
  * mozilla-gcc6.patch
  * mozilla-openaes-decl.patch
- rebased patches
- added patches imported from Firefox 49:
  * mozilla-check_return.patch
  * mozilla-flex_buffer_overrun.patch
  * mozilla-skia-overflow.patch

-------------------------------------------------------------------
Mon Oct 17 11:30:39 UTC 2016 - wr@rosenauer.org

- mozilla-binutils-visibility.patch to fix build issues with gcc/binutils combination used in Leap 42.2 (boo#984637)

-------------------------------------------------------------------
Sun Aug 21 14:05:26 UTC 2016 - antoine.belvire@laposte.net

- Build also with fno-lifetime-dse and fno-schedule-insns2 for GCC6 (still boo#991027)
- Check compiler version instead of openSUSE version for this

-------------------------------------------------------------------
Mon Aug 8 09:19:46 UTC 2016 - wr@rosenauer.org

- build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6 as long as underlying issues have been addressed upstream (boo#991027)

-------------------------------------------------------------------
Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com

- Fix for possible buffer overrun (bsc#990856) CVE-2016-6354 (bmo#1292534) [mozilla-flex_buffer_overrun.patch]

-------------------------------------------------------------------
Tue Jul 26 04:44:49 UTC 2016 - badshah400@gmail.com

- Add appstream metainfo files as a tar.bz2 source (seamonkey-appdata.tar.bz2) and install these appdata.xml files to the appdata dir (/usr/share/appdata); with these appdata files installed, seamonkey shows up in
  appstores like GNOME software and KDE Discover.

-------------------------------------------------------------------
Sun Jul 17 02:55:00 UTC 2016 - badshah400@gmail.com

- Add mozilla-gcc6.patch to fix building with gcc >= 6.0.

-------------------------------------------------------------------
Sat Mar 5 09:20:24 UTC 2016 - wr@rosenauer.org

- fix build problems on i586, caused by too large unified compile units
- adding mozilla-reduce-files-per-UnifiedBindings.patch
- increased _constraints as required

-------------------------------------------------------------------
Tue Jan 19 16:15:28 UTC 2016 - wr@rosenauer.org

- update to Seamonkey 2.40 (bnc#959277)
  * requires NSS 3.20.2 to fix
    MFSA 2015-150/CVE-2015-7575 (bmo#1158489) MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
  * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 Miscellaneous memory safety hazards
  * MFSA 2015-135/CVE-2015-7204 (bmo#1216130) Crash with JavaScript variable assignment with unboxed objects
  * MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin policy violation using perfomance.getEntries and history navigation
  * MFSA 2015-137/CVE-2015-7208 (bmo#1191423) Firefox allows for control characters to be set in cookies
  * MFSA 2015-138/CVE-2015-7210 (bmo#1218326) Use-after-free in WebRTC when datachannel is used after being destroyed
  * MFSA 2015-139/CVE-2015-7212 (bmo#1222809) Integer overflow allocating extremely large textures
  * MFSA 2015-140/CVE-2015-7215 (bmo#1160890) Cross-origin information leak through web workers error events
  * MFSA 2015-141/CVE-2015-7211 (bmo#1221444) Hash in data URI is incorrectly parsed
  * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) DOS due to malformed frames in HTTP/2
  * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) Linux file chooser crashes on malformed images due to flaws in Jasper library
  * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221 (bmo#1201183, bmo#1178033, bmo#1199400) Buffer overflows
    found through code inspection
  * MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
    Underflow through code inspection
  * MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
    Integer overflow in MP4 playback in 64-bit versions
  * MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
    Integer underflow and buffer overflow processing MP4 metadata in
    libstagefright
  * MFSA 2015-148/CVE-2015-7223 (bmo#1226423)
    Privilege escalation vulnerabilities in WebExtension APIs
  * MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
    Cross-site reading attack through data and view-source URIs
- rebased patches
- buildrequire xcomposite now explicitly

-------------------------------------------------------------------
Thu Nov 5 08:01:22 UTC 2015 - wr@rosenauer.org

- update to Seamonkey 2.39 (bnc#952810)
  * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
    Miscellaneous memory safety hazards
  * MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
    Information disclosure through NTLM authentication
  * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
    CSP bypass due to permissive Reader mode whitelist
  * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
    Firefox for Android addressbar can be removed after fullscreen
    mode
  * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
    Reading sensitive profile files through local HTML file on
    Android
  * MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
    disabling scripts in Add-on SDK panels has no effect
  * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
    Trailing whitespace in IP address hostnames can bypass
    same-origin policy
  * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
    Buffer overflow during image interactions in canvas
  * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
    Android intents can be used on Firefox for Android to open
    privileged files
  * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
    XSS attack through intents on Firefox for Android
  * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
    Crash when accessing HTML tables with accessibility tools on
    OS X
  * MFSA 2015-127/CVE-2015-7193
    (bmo#1210302)
    CORS preflight is bypassed when non-standard Content-Type headers
    are received
  * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
    Memory corruption in libjar through zip files
  * MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
    Certain escaped characters in host of Location-header are being
    treated as non-escaped
  * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
    JavaScript garbage collection crash with Java applet
  * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
    (bmo#1188010, bmo#1204061, bmo#1204155)
    Vulnerabilities found through code inspection
  * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
    Mixed content WebSocket policy bypass through workers
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
    (bmo#1202868, bmo#1205157)
    NSS and NSPR memory corruption issues
    (fixed in mozilla-nspr and mozilla-nss packages)
- requires NSPR >= 4.10.10 and NSS >= 3.19.4
- removed obsolete patches
  * mozilla-icu-strncat.patch
- fixed build with enable-libproxy (bmo#1220399)
  * mozilla-libproxy.patch

-------------------------------------------------------------------
Thu Oct 1 09:42:28 UTC 2015 - wr@rosenauer.org

- update to SeaMonkey 2.38 (bnc#947003)
  * based on 41.0.1
  * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
    Miscellaneous memory safety hazards
  * MFSA 2015-97/CVE-2015-4503 (bmo#994337)
    Memory leak in mozTCPSocket to servers
  * MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
    Out of bounds read in QCMS library with ICC V4 profile attributes
  * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
    Arbitrary file manipulation by local user through Mozilla updater
  * MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
    Buffer overflow in libvpx while parsing vp9 format video
  * MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
    Crash when using debugger with SavedStacks in JavaScript
  * MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
    Use-after-free with shared workers and IndexedDB
  * MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
    Buffer overflow while decoding WebM video
  * MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
    Use-after-free while manipulating HTML media content
  * MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
    Out-of-bounds read during 2D canvas display on Linux 16-bit color
    depth systems
  * MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
    Scripted proxies can access inner window
  * MFSA 2015-109/CVE-2015-4516 (bmo#904886)
    JavaScript immutable property enforcement can be bypassed
  * MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
    Dragging and dropping images exposes final URL after redirects
  * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
    Errors in the handling of CORS preflight request headers
  * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
    CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
    CVE-2015-7180
    Vulnerabilities found through code inspection
  * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179
    (bmo#1189860, bmo#1190526) (Windows only)
    Memory safety errors in libGLES in the ANGLE graphics library
  * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)
    Information disclosure via the High Resolution Time API
- removed obsolete patch
  * mozilla-add-glibcxx_use_cxx11_abi.patch
- added mozilla-no-stdcxx-check.patch

-------------------------------------------------------------------
Sat Aug 29 20:09:34 UTC 2015 - wr@rosenauer.org

- update to SeaMonkey 2.35 (bnc#935979)
  * based on 38.1.1esr
  * requires NSPR 4.10.8 and NSS 3.19.2
- removed obsolete patches
  * mozilla-visitSubstr.patch
  * mozilla-undef-CONST.patch
  * mozilla-reintroduce-pixman-code-path.patch
  * mozilla-fix-prototype.patch
  * mozilla-disable-JEMALLOC_STATIC_SIZES-on-ppc.patch
- renamed mozilla-add-D_GLIBCXX_USE_CXX11_ABI-0-to-CXXFLAG.patch to
  mozilla-add-glibcxx_use_cxx11_abi.patch (sync with Firefox)
- dropped mozilla-prefer_plugin_pref.patch as this feature is
  likely not worth maintaining further

-------------------------------------------------------------------
Sat Jun 27 08:13:54 UTC 2015 - antoine.belvire@laposte.net

- Fix compilation issues:
  * Add mozilla-add-D_GLIBCXX_USE_CXX11_ABI-0-to-CXXFLAG.patch
    (bmo#1153109)
  * Add mozilla-reintroduce-pixman-code-path.patch (bmo#1136958)
  * Add mozilla-visitSubstr.patch (bmo#1108834)
  * Add mozilla-undef-CONST.patch (bmo#1111395)
  * Add mozilla-disable-JEMALLOC_STATIC_SIZES-on-ppc.patch

-------------------------------------------------------------------
Sun Mar 22 09:11:17 UTC 2015 - wr@rosenauer.org

- update to SeaMonkey 2.33.1 (bnc#923534)
  * MFSA 2015-28/CVE-2015-0818 (bmo#1144988)
    Privilege escalation through SVG navigation
  * MFSA 2015-29/CVE-2015-0817 (bmo#1145255)
    Code execution through incorrect JavaScript bounds checking
    elimination

-------------------------------------------------------------------
Mon Mar 16 08:48:08 UTC 2015 - wr@rosenauer.org

- update to SeaMonkey 2.33 (bnc#917597)
  * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836
    Miscellaneous memory safety hazards
  * MFSA 2015-12/CVE-2015-0833 (bmo#945192)
    Invoking Mozilla updater will load locally stored DLL files
    (Windows only)
  * MFSA 2015-13/CVE-2015-0832 (bmo#1065909)
    Appended period to hostnames can bypass HPKP and HSTS protections
  * MFSA 2015-14/CVE-2015-0830 (bmo#1110488)
    Malicious WebGL content crash when writing strings
  * MFSA 2015-15/CVE-2015-0834 (bmo#1098314)
    TLS TURN and STUN connections silently fail to simple TCP
    connections
  * MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
    Use-after-free in IndexedDB
  * MFSA 2015-17/CVE-2015-0829 (bmo#1128939)
    Buffer overflow in libstagefright during MP4 video playback
  * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675)
    Double-free when using non-default memory allocators with a
    zero-length XHR
  * MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
    Out-of-bounds read and write while rendering SVG content
  * MFSA 2015-20/CVE-2015-0826 (bmo#1092363)
    Buffer overflow during CSS restyling
  * MFSA 2015-21/CVE-2015-0825 (bmo#1092370)
    Buffer underflow during MP3 playback
  * MFSA 2015-22/CVE-2015-0824 (bmo#1095925)
    Crash using DrawTarget in Cairo graphics library
  * MFSA 2015-23/CVE-2015-0823 (bmo#1098497)
    Use-after-free in Developer Console date with
    OpenType Sanitiser
  * MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
    Reading of local files through manipulation of form autocomplete
  * MFSA 2015-25/CVE-2015-0821 (bmo#1111960)
    Local files or privileged URLs in pages can be opened into new
    tabs
  * MFSA 2015-26/CVE-2015-0819 (bmo#1079554)
    UI Tour whitelisted sites in background tab can spoof foreground
    tabs
  * MFSA 2015-27/CVE-2015-0820 (bmo#1125398)
    Caja Compiler JavaScript sandbox bypass
- rebased patches
- requires NSS 3.17.4
- removed obsolete seamonkey-fix-signed-char.patch
- mozilla-xremote-client was removed upstream

-------------------------------------------------------------------
Sat Feb 7 09:52:07 UTC 2015 - wr@rosenauer.org

- update to SeaMonkey 2.32.1
  * fixed MailNews feeds not updating
  * fixed selected profile in Profile Manager not remembered
  * fixed opening a bookmark folder in tabs on Linux
  * fixed Troubleshooting Information (about:support) with the
    Modern theme

-------------------------------------------------------------------
Sat Jan 17 17:59:50 UTC 2015 - wr@rosenauer.org

- update to SeaMonkey 2.32 (bnc#910669)
  * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
    Miscellaneous memory safety hazards
  * MFSA 2015-02/CVE-2014-8637 (bmo#1094536)
    Uninitialized memory use during bitmap rendering
  * MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
    sendBeacon requests lack an Origin header
  * MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
    Cookie injection through Proxy Authenticate responses
  * MFSA 2015-05/CVE-2014-8640 (bmo#1100409)
    Read of uninitialized memory in Web Audio
  * MFSA 2015-06/CVE-2014-8641 (bmo#1108455)
    Read-after-free in WebRTC
  * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only)
    Gecko Media Plugin sandbox escape
  * MFSA 2015-08/CVE-2014-8642 (bmo#1079658)
    Delegated OCSP responder certificates failure with
    id-pkix-ocsp-nocheck extension
  * MFSA 2015-09/CVE-2014-8636 (bmo#987794)
    XrayWrapper bypass through DOM objects
- rebased patches
- removed obsolete mozilla-seamonkey-sdk.patch
- added mozilla-openaes-decl.patch to
  fix implicit declarations

-------------------------------------------------------------------
Thu Jan 1 22:53:33 UTC 2015 - wr@rosenauer.org

- use GStreamer 1.0 from 13.2 on
- removed package support for distributions older than 12.3
  * removed mozilla-sle11.patch

-------------------------------------------------------------------
Mon Dec 8 10:49:06 UTC 2014 - meissner@suse.com

- seamonkey-fix-signed-char.patch: fix build on platforms where
  char is unsigned (power/arm). (bmo#1085151)
- mozilla-fix-prototype.patch: add string.h includes for memcpy
  prototype (as used on bigendian architectures).

-------------------------------------------------------------------
Thu Dec 4 23:52:37 UTC 2014 - pcerny@suse.com

- enable some extensions using the addons sdk (e.g. Ghostery)
  (mozilla-seamonkey-sdk.patch) (bmo#1071048)

-------------------------------------------------------------------
Wed Dec 3 06:53:08 UTC 2014 - wr@rosenauer.org

- update to SeaMonkey 2.31 (bnc#908009)
  * requires NSS 3.17.2
  * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588
    Miscellaneous memory safety hazards
  * MFSA 2014-84/CVE-2014-1589 (bmo#1043787)
    XBL bindings accessible via improper CSS declarations
  * MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
    XMLHttpRequest crashes with some input streams
  * MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
    CSP leaks redirect data via violation reports
  * MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
    Use-after-free during HTML5 parsing
  * MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
    Buffer overflow while parsing media content
  * MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
    Bad casting from the BasicThebesLayer to BasicContainerLayer
- rebased patches

-------------------------------------------------------------------
Fri Nov 21 10:43:11 UTC 2014 - wr@rosenauer.org

- use platform specific build flags as in Firefox
  (including _constraints)
- define /usr/share/myspell as additional dictionary location
  and remove add-plugins.sh finally (bnc#900639)
-------------------------------------------------------------------
Wed Nov 19 22:13:00 UTC 2014 - Led

- fix bashisms in mozilla.sh and add-plugins.sh scripts

-------------------------------------------------------------------
Tue Oct 14 21:06:22 UTC 2014 - wr@rosenauer.org

- update to SeaMonkey 2.30 (bnc#900941)
  * venkman debugger removed from application and therefore
    obsolete package seamonkey-venkman
  * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575
    Miscellaneous memory safety hazards
  * MFSA 2014-75/CVE-2014-1576 (bmo#1041512)
    Buffer overflow during CSS manipulation
  * MFSA 2014-76/CVE-2014-1577 (bmo#1012609)
    Web Audio memory corruption issues with custom waveforms
  * MFSA 2014-77/CVE-2014-1578 (bmo#1063327)
    Out-of-bounds write with WebM video
  * MFSA 2014-78/CVE-2014-1580 (bmo#1063733)
    Further uninitialized memory use during GIF rendering
  * MFSA 2014-79/CVE-2014-1581 (bmo#1068218)
    Use-after-free interacting with text directionality
  * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584
    (bmo#1049095, bmo#1066190)
    Key pinning bypasses
  * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586
    (bmo#1062876, bmo#1062981)
    Inconsistent video sharing within iframe
  * MFSA 2014-82/CVE-2014-1583 (bmo#1015540)
    Accessing cross-origin objects via the Alarms API
    (only relevant for installed web apps)
- requires NSPR 4.10.7
- requires NSS 3.17.1
- removed obsolete patches:
  * mozilla-ppc.patch
  * mozilla-libproxy-compat.patch

-------------------------------------------------------------------
Sat Sep 20 14:53:01 UTC 2014 - wr@rosenauer.org

- update to SeaMonkey 2.29 (bnc#894370)
  * based on Gecko 32.0 including all security fixes outlined here
    https://www.mozilla.org/security/known-vulnerabilities/
  * removed obsolete patches
    mozilla-aarch64-bmo-810631.patch, mozilla-aarch64-bmo-962488.patch,
    mozilla-aarch64-bmo-963023.patch, mozilla-aarch64-bmo-963024.patch,
    mozilla-aarch64-bmo-963027.patch
    mozilla-ppc64le-build.patch, mozilla-ppc64le-javascript.patch,
    mozilla-ppc64le-libffi.patch, mozilla-ppc64le-mfbt.patch,
    mozilla-ppc64le-webrtc.patch, mozilla-ppc64le-xpcom.patch
  * rebased patches
- requires NSS 3.16.4
- build with --disable-optimize for 13.1 and above for i586 to
  workaround miscompilations (bnc#896624)

-------------------------------------------------------------------
Mon Jun 16 09:04:38 UTC 2014 - wr@rosenauer.org

- update to SeaMonkey 2.26.1 (bnc#881874)
  * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534
    (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874,
    bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981,
    bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817,
    bmo#996536, bmo#996715, bmo#999651, bmo#1000598,
    bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223,
    bmo#1009952, bmo#1011007)
    Miscellaneous memory safety hazards (rv:30.0)
  * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538
    (bmo#989994, bmo#999274, bmo#1005584)
    Use-after-free and out of bounds issues found using Address
    Sanitizer
  * MFSA 2014-50/CVE-2014-1539 (bmo#995603)
    Clickjacking through cursor invisibility after Flash interaction
  * MFSA 2014-51/CVE-2014-1540 (bmo#978862)
    Use-after-free in Event Listener Manager
  * MFSA 2014-52/CVE-2014-1541 (bmo#1000185)
    Use-after-free with SMIL Animation Controller
  * MFSA 2014-53/CVE-2014-1542 (bmo#991533)
    Buffer overflow in Web Audio Speex resampler
  * MFSA 2014-54/CVE-2014-1543 (bmo#1011859)
    Buffer overflow in Gamepad API
  * MFSA 2014-55/CVE-2014-1545 (bmo#1018783)
    Out of bounds write in NSPR
- requires NSPR 4.10.6
- build require makeinfo

-------------------------------------------------------------------
Tue May 13 09:05:18 UTC 2014 - wr@rosenauer.org

- fix translations packaging (bnc#877263)

-------------------------------------------------------------------
Tue Apr 29 06:43:16 UTC 2014 - wr@rosenauer.org

- update to SeaMonkey 2.26 (bnc#875378)
  * MFSA 2014-34/CVE-2014-1518/CVE-2014-1519
    Miscellaneous memory safety hazards
  * MFSA 2014-36/CVE-2014-1522 (bmo#995289)
    Web Audio memory corruption issues
  * MFSA 2014-37/CVE-2014-1523 (bmo#969226)
    Out of
    bounds read while decoding JPG images
  * MFSA 2014-38/CVE-2014-1524 (bmo#989183)
    Buffer overflow when using non-XBL object as XBL
  * MFSA 2014-39/CVE-2014-1525 (bmo#989210)
    Use-after-free in the Text Track Manager for HTML video
  * MFSA 2014-41/CVE-2014-1528 (bmo#963962)
    Out-of-bounds write in Cairo
  * MFSA 2014-42/CVE-2014-1529 (bmo#987003)
    Privilege escalation through Web Notification API
  * MFSA 2014-43/CVE-2014-1530 (bmo#895557)
    Cross-site scripting (XSS) using history navigations
  * MFSA 2014-44/CVE-2014-1531 (bmo#987140)
    Use-after-free in imgLoader while resizing images
  * MFSA 2014-45/CVE-2014-1492 (bmo#903885)
    Incorrect IDNA domain name matching for wildcard certificates
    (fixed by NSS 3.16)
  * MFSA 2014-46/CVE-2014-1532 (bmo#966006)
    Use-after-free in nsHostResolver
  * MFSA 2014-47/CVE-2014-1526 (bmo#988106)
    Debugger can bypass XrayWrappers with JavaScript
- rebased patches
- added aarch64 porting patches
  * mozilla-aarch64-bmo-810631.patch
  * mozilla-aarch64-bmo-962488.patch
  * mozilla-aarch64-bmo-963023.patch
  * mozilla-aarch64-bmo-963024.patch
  * mozilla-aarch64-bmo-963027.patch
- requires NSPR 4.10.3 and NSS 3.16
- added mozilla-icu-strncat.patch to fix post build checks

-------------------------------------------------------------------
Wed Mar 19 13:31:58 UTC 2014 - wr@rosenauer.org

- update to SeaMonkey 2.25 (bnc#868603)
  * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
    Miscellaneous memory safety hazards
  * MFSA 2014-17/CVE-2014-1497 (bmo#966311)
    Out of bounds read during WAV file decoding
  * MFSA 2014-18/CVE-2014-1498 (bmo#935618)
    crypto.generateCRMFRequest does not validate type of key
  * MFSA 2014-19/CVE-2014-1499 (bmo#961512)
    Spoofing attack on WebRTC permission prompt
  * MFSA 2014-20/CVE-2014-1500 (bmo#956524)
    onbeforeunload and Javascript navigation DOS
  * MFSA 2014-22/CVE-2014-1502 (bmo#972622)
    WebGL content injection from one domain to rendering in another
  * MFSA 2014-23/CVE-2014-1504 (bmo#911547)
    Content Security Policy for data: documents not preserved by
    session
    restore
  * MFSA 2014-26/CVE-2014-1508 (bmo#963198)
    Information disclosure through polygon rendering in MathML
  * MFSA 2014-27/CVE-2014-1509 (bmo#966021)
    Memory corruption in Cairo during PDF font rendering
  * MFSA 2014-28/CVE-2014-1505 (bmo#941887)
    SVG filters information disclosure through feDisplacementMap
  * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511
    (bmo#982906, bmo#982909)
    Privilege escalation using WebIDL-implemented APIs
  * MFSA 2014-30/CVE-2014-1512 (bmo#982957)
    Use-after-free in TypeObject
  * MFSA 2014-31/CVE-2014-1513 (bmo#982974)
    Out-of-bounds read/write through neutering ArrayBuffer objects
  * MFSA 2014-32/CVE-2014-1514 (bmo#983344)
    Out-of-bounds write through TypedArrayObject after neutering
- requires NSPR 4.10.3 and NSS 3.15.5
- new build dependency (and recommends):
  * libpulse
- update of PowerPC 64 patches (bmo#976648) (pcerny@suse.com)
- rebased patches

-------------------------------------------------------------------
Sat Feb 8 08:21:01 UTC 2014 - wr@rosenauer.org

- replaced locale source archive because the old one was broken
  by wrong upstream tagging (bnc#862831)

-------------------------------------------------------------------
Tue Feb 4 10:18:33 UTC 2014 - wr@rosenauer.org

- update to SeaMonkey 2.24 (bnc#861847)
  * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478
    Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
  * MFSA 2014-02/CVE-2014-1479 (bmo#911864)
    Clone protected content with XBL scopes
  * MFSA 2014-03/CVE-2014-1480 (bmo#916726)
    UI selection timeout missing on download prompts
  * MFSA 2014-04/CVE-2014-1482 (bmo#943803)
    Incorrect use of discarded images by RasterImage
  * MFSA 2014-05/CVE-2014-1483 (bmo#950427)
    Information disclosure with *FromPoint on iframes
  * MFSA 2014-07/CVE-2014-1485 (bmo#910139)
    XSLT stylesheets treated as styles in Content Security Policy
  * MFSA 2014-08/CVE-2014-1486 (bmo#942164)
    Use-after-free with imgRequestProxy and image processing
  * MFSA 2014-09/CVE-2014-1487 (bmo#947592)
    Cross-origin information leak through web workers
  * MFSA 2014-11/CVE-2014-1488 (bmo#950604)
    Crash when using web workers with asm.js
  * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
    (bmo#934545, bmo#930874, bmo#930857)
    NSS ticket handling issues
  * MFSA 2014-13/CVE-2014-1481 (bmo#936056)
    Inconsistent JavaScript handling of access to Window objects
- requires NSS 3.15.4
- removed obsolete mozilla-bug929439.patch

-------------------------------------------------------------------
Fri Dec 13 21:30:38 UTC 2013 - uweigand@de.ibm.com

- Add support for powerpc64le-linux.
  * ppc64le-support.patch: general support
  * libffi-ppc64le.patch: libffi backport
  * xpcom-ppc64le.patch: port xpcom
- Add build fix from mainline.
  * mozilla-bug929439.patch

-------------------------------------------------------------------
Wed Dec 11 11:13:16 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.23 (bnc#854367, bnc#854370)
  * requires NSPR 4.10.2 and NSS 3.15.3.1
  * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610
    Miscellaneous memory safety hazards
  * MFSA 2013-105/CVE-2013-5611 (bmo#771294)
    Application Installation doorhanger persists on navigation
  * MFSA 2013-106/CVE-2013-5612 (bmo#871161)
    Character encoding cross-origin XSS attack
  * MFSA 2013-107/CVE-2013-5614 (bmo#886262)
    Sandbox restrictions not applied to nested object elements
  * MFSA 2013-108/CVE-2013-5616 (bmo#938341)
    Use-after-free in event listeners
  * MFSA 2013-109/CVE-2013-5618 (bmo#926361)
    Use-after-free during Table Editing
  * MFSA 2013-110/CVE-2013-5619 (bmo#917841)
    Potential overflow in JavaScript binary search algorithms
  * MFSA 2013-111/CVE-2013-6671 (bmo#930281)
    Segmentation violation when replacing ordered list elements
  * MFSA 2013-112/CVE-2013-6672 (bmo#894736)
    Linux clipboard information disclosure through selection paste
  * MFSA 2013-113/CVE-2013-6673 (bmo#970380)
    Trust settings for built-in roots ignored during EV certificate
    validation
  * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449)
    Use-after-free in synthetic mouse movement
  * MFSA 2013-115/CVE-2013-5615 (bmo#929261)
    GetElementIC typed array stubs can be generated outside observed
    typesets
  * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693)
    JPEG information leak
  * MFSA 2013-117 (bmo#946351)
    Mis-issued ANSSI/DCSSI certificate
    (fixed via NSS 3.15.3.1)
- rebased patches:
  * mozilla-nongnome-proxies.patch
  * mozilla-shared-nss-db.patch

-------------------------------------------------------------------
Wed Oct 30 18:07:33 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.22 (bnc#847708)
  * rebased patches
  * requires NSS 3.15.2 or higher
  * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592
    Miscellaneous memory safety hazards
  * MFSA 2013-94/CVE-2013-5593 (bmo#868327)
    Spoofing addressbar through SELECT element
  * MFSA 2013-95/CVE-2013-5604 (bmo#914017)
    Access violation with XSLT and uninitialized data
  * MFSA 2013-96/CVE-2013-5595 (bmo#916580)
    Improperly initialized memory and overflows in some JavaScript
    functions
  * MFSA 2013-97/CVE-2013-5596 (bmo#910881)
    Writing to cycle collected object during image decoding
  * MFSA 2013-98/CVE-2013-5597 (bmo#918864)
    Use-after-free when updating offline cache
  * MFSA 2013-99/CVE-2013-5598 (bmo#920515)
    Security bypass of PDF.js checks using iframes
  * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601
    (bmo#915210, bmo#915576, bmo#916685)
    Miscellaneous use-after-free issues found through ASAN fuzzing
  * MFSA 2013-101/CVE-2013-5602 (bmo#897678)
    Memory corruption in workers
  * MFSA 2013-102/CVE-2013-5603 (bmo#916404)
    Use-after-free in HTML document templates

-------------------------------------------------------------------
Tue Sep 17 15:51:02 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.21 (bnc#840485)
  * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719
    Miscellaneous memory safety hazards
  * MFSA 2013-77/CVE-2013-1720 (bmo#888820)
    Improper state in HTML5 Tree Builder with templates
  * MFSA 2013-78/CVE-2013-1721 (bmo#890277)
    Integer overflow in ANGLE library
  * MFSA 2013-79/CVE-2013-1722 (bmo#893308)
    Use-after-free in Animation Manager during
    stylesheet cloning
  * MFSA 2013-80/CVE-2013-1723 (bmo#891292)
    NativeKey continues handling key messages after widget is
    destroyed
  * MFSA 2013-81/CVE-2013-1724 (bmo#894137)
    Use-after-free with select element
  * MFSA 2013-82/CVE-2013-1725 (bmo#876762)
    Calling scope for new Javascript objects can lead to memory
    corruption
  * MFSA 2013-85/CVE-2013-1728 (bmo#883686)
    Uninitialized data in IonMonkey
  * MFSA 2013-88/CVE-2013-1730 (bmo#851353)
    Compartment mismatch re-attaching XBL-backed nodes
  * MFSA 2013-89/CVE-2013-1732 (bmo#883514)
    Buffer overflow with multi-column, lists, and floats
  * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736
    (bmo#898871, bmo#906301)
    Memory corruption involving scrolling
  * MFSA 2013-91/CVE-2013-1737 (bmo#907727)
    User-defined properties on DOM proxies get the wrong "this"
    object
  * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897)
    GC hazard with default compartments and frame chain restoration
- requires NSS 3.15.1

-------------------------------------------------------------------
Mon Aug 5 17:26:03 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.20 (bnc#833389)
  * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702
    Miscellaneous memory safety hazards
  * MFSA 2013-64/CVE-2013-1704 (bmo#883313)
    Use after free mutating DOM during SetBody
  * MFSA 2013-65/CVE-2013-1705 (bmo#882865)
    Buffer underflow when generating CRMF requests
  * MFSA 2013-67/CVE-2013-1708 (bmo#879924)
    Crash during WAV audio file decoding
  * MFSA 2013-68/CVE-2013-1709 (bmo#838253)
    Document URI misrepresentation and masquerading
  * MFSA 2013-69/CVE-2013-1710 (bmo#871368)
    CRMF requests allow for code execution and XSS attacks
  * MFSA 2013-70/CVE-2013-1711 (bmo#843829)
    Bypass of XrayWrappers using XBL Scopes
  * MFSA 2013-72/CVE-2013-1713 (bmo#887098)
    Wrong principal used for validating URI for some Javascript
    components
  * MFSA 2013-73/CVE-2013-1714 (bmo#879787)
    Same-origin bypass with web workers and XMLHttpRequest
  * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
    Local Java applets may read contents of
    local file system
- requires NSPR 4.10 and NSS 3.15
- removed obsolete seamonkey-shared-nss-db.patch

-------------------------------------------------------------------
Sat Jun 29 14:22:45 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.19 (bnc#825935)
  * removed obsolete patches
    + mozilla-gstreamer-760140.patch
  * GStreamer support does not build on 12.1 anymore (build only
    on 12.2 and later)
  * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683
    Miscellaneous memory safety hazards
  * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
    Memory corruption found using Address Sanitizer
  * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
    Privileged content access and execution via XBL
  * MFSA 2013-52/CVE-2013-1688 (bmo#873966)
    Arbitrary code execution within Profiler
  * MFSA 2013-53/CVE-2013-1690 (bmo#857883)
    Execution of unmapped memory through onreadystatechange event
  * MFSA 2013-54/CVE-2013-1692 (bmo#866915)
    Data in the body of XHR HEAD requests leads to CSRF attacks
  * MFSA 2013-55/CVE-2013-1693 (bmo#711043)
    SVG filters can lead to information disclosure
  * MFSA 2013-56/CVE-2013-1694 (bmo#848535)
    PreserveWrapper has inconsistent behavior
  * MFSA 2013-57/CVE-2013-1695 (bmo#849791)
    Sandbox restrictions not applied to nested frame elements
  * MFSA 2013-58/CVE-2013-1696 (bmo#761667)
    X-Frame-Options ignored when using server push with multi-part
    responses
  * MFSA 2013-59/CVE-2013-1697 (bmo#858101)
    XrayWrappers can be bypassed to run user defined methods in a
    privileged context
  * MFSA 2013-60/CVE-2013-1698 (bmo#876044)
    getUserMedia permission dialog incorrectly displays location
  * MFSA 2013-61/CVE-2013-1699 (bmo#840882)
    Homograph domain spoofing in .com, .net and .name

-------------------------------------------------------------------
Tue May 28 20:52:21 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.17.1

-------------------------------------------------------------------
Tue Apr 9 06:45:05 UTC 2013 - wr@rosenauer.org

- revert to use GStreamer 0.10 on 12.3 (bnc#814101)
-------------------------------------------------------------------
Tue Apr 2 14:18:30 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.17 (bnc#813026)
  * requires NSPR 4.9.5 and NSS 3.14.3
  * mozilla-webrtc-ppc.patch included upstream
  * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789
    Miscellaneous memory safety hazards
  * MFSA 2013-31/CVE-2013-0800 (bmo#825721)
    Out-of-bounds write in Cairo library
  * MFSA 2013-35/CVE-2013-0796 (bmo#827106)
    WebGL crash with Mesa graphics driver on Linux
  * MFSA 2013-36/CVE-2013-0795 (bmo#825697)
    Bypass of SOW protections allows cloning of protected nodes
  * MFSA 2013-37/CVE-2013-0794 (bmo#626775)
    Bypass of tab-modal dialog origin disclosure
  * MFSA 2013-38/CVE-2013-0793 (bmo#803870)
    Cross-site scripting (XSS) using timed history navigations
  * MFSA 2013-39/CVE-2013-0792 (bmo#722831)
    Memory corruption while rendering grayscale PNG images
- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)

-------------------------------------------------------------------
Fri Mar 15 17:34:54 UTC 2013 - pcerny@suse.com

- update to SeaMonkey 2.16.2

-------------------------------------------------------------------
Sat Mar 9 09:15:53 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.16.1 (bnc#808243)
  * MFSA 2013-29/CVE-2013-0787 (bmo#848644)
    Use-after-free in HTML Editor

-------------------------------------------------------------------
Mon Feb 18 07:41:44 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.16 (bnc#804248)
  * MFSA 2013-21/CVE-2013-0783/2013-0784
    Miscellaneous memory safety hazards
  * MFSA 2013-22/CVE-2013-0772 (bmo#801366)
    Out-of-bounds read in image rendering
  * MFSA 2013-23/CVE-2013-0765 (bmo#830614)
    Wrapped WebIDL objects can be wrapped again
  * MFSA 2013-24/CVE-2013-0773 (bmo#809652)
    Web content bypass of COW and SOW security wrappers
  * MFSA 2013-25/CVE-2013-0774 (bmo#827193)
    Privacy leak in JavaScript Workers
  * MFSA 2013-26/CVE-2013-0775 (bmo#831095)
    Use-after-free in nsImageLoadingContent
  * MFSA 2013-27/CVE-2013-0776
    (bmo#796475)
    Phishing on HTTPS connection through malicious proxy
  * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/
    CVE-2013-0778/CVE-2013-0779/CVE-2013-0781
    Use-after-free, out of bounds read, and buffer overflow issues
    found using Address Sanitizer
- removed obsolete patches
  * mozilla-webrtc.patch
  * mozilla-gstreamer-803287.patch

-------------------------------------------------------------------
Mon Feb 4 12:27:38 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.15.2
  * Applications could not be removed from the "Application details"
    dialog under Preferences, Helper Applications (bmo#826771).
  * View / Message Body As could show menu items out of context
    (bmo#831348)

-------------------------------------------------------------------
Sun Jan 20 09:15:53 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.15.1
  * backed out bmo#677092 (removed patch)
  * fixed problems involving HTTP proxy transactions

-------------------------------------------------------------------
Sun Jan 13 16:38:35 UTC 2013 - wr@rosenauer.org

- backed out restartless language packs as it broke multi-locale
  setup (bmo#677092, bmo#818468)

-------------------------------------------------------------------
Tue Jan 8 18:32:43 UTC 2013 - wr@rosenauer.org

- update to SeaMonkey 2.15 (bnc#796895)
  * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770
    Miscellaneous memory safety hazards
  * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767
    CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829
    Use-after-free and buffer overflow issues found using Address
    Sanitizer
  * MFSA 2013-03/CVE-2013-0768 (bmo#815795)
    Buffer Overflow in Canvas
  * MFSA 2013-04/CVE-2012-0759 (bmo#802026)
    URL spoofing in addressbar during page loads
  * MFSA 2013-05/CVE-2013-0744 (bmo#814713)
    Use-after-free when displaying table with many columns and
    column groups
  * MFSA 2013-06/CVE-2013-0751 (bmo#790454)
    Touch events are shared across iframes
  * MFSA 2013-07/CVE-2013-0764 (bmo#804237)
    Crash due to handling
    of SSL on threads
  * MFSA 2013-08/CVE-2013-0745 (bmo#794158)
    AutoWrapperChanger fails to keep objects alive during garbage
    collection
  * MFSA 2013-09/CVE-2013-0746 (bmo#816842)
    Compartment mismatch with quickstubs returned values
  * MFSA 2013-10/CVE-2013-0747 (bmo#733305)
    Event manipulation in plugin handler to bypass same-origin policy
  * MFSA 2013-11/CVE-2013-0748 (bmo#806031)
    Address space layout leaked in XBL objects
  * MFSA 2013-12/CVE-2013-0750 (bmo#805121)
    Buffer overflow in Javascript string concatenation
  * MFSA 2013-13/CVE-2013-0752 (bmo#805024)
    Memory corruption in XBL with XML bindings containing SVG
  * MFSA 2013-14/CVE-2013-0757 (bmo#813901)
    Chrome Object Wrapper (COW) bypass through changing prototype
  * MFSA 2013-15/CVE-2013-0758 (bmo#813906)
    Privilege escalation through plugin objects
  * MFSA 2013-16/CVE-2013-0753 (bmo#814001)
    Use-after-free in serializeToStream
  * MFSA 2013-17/CVE-2013-0754 (bmo#814026)
    Use-after-free in ListenerManager
  * MFSA 2013-18/CVE-2013-0755 (bmo#814027)
    Use-after-free in Vibrate
  * MFSA 2013-19/CVE-2013-0756 (bmo#814029)
    Use-after-free in Javascript Proxy objects
- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743)
- reenable WebRTC
- added mozilla-libproxy-compat.patch for libproxy API compat
  on openSUSE 11.2 and earlier

-------------------------------------------------------------------
Tue Dec 18 13:08:40 UTC 2012 - wr@rosenauer.org

- update to SeaMonkey 2.14.1
  * fix regressions from 2.14 release

-------------------------------------------------------------------
Tue Nov 20 20:44:06 UTC 2012 - wr@rosenauer.org

- update to SeaMonkey 2.14 (bnc#790140)
  * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843
    Miscellaneous memory safety hazards
  * MFSA 2012-92/CVE-2012-4202 (bmo#758200)
    Buffer overflow while rendering GIF images
  * MFSA 2012-93/CVE-2012-4201 (bmo#747607)
    evalInSandbox location context incorrectly applied
  * MFSA 2012-94/CVE-2012-5836 (bmo#792857)
    Crash when combining SVG text on path with CSS
  * MFSA 2012-96/CVE-2012-4204 (bmo#778603)
Memory corruption in str_unescape * MFSA 2012-97/CVE-2012-4205 (bmo#779821) XMLHttpRequest inherits incorrect principal within sandbox * MFSA 2012-99/CVE-2012-4208 (bmo#798264) XrayWrappers exposes chrome-only properties when not in chrome compartment * MFSA 2012-100/CVE-2012-5841 (bmo#805807) Improper security filtering for cross-origin wrappers * MFSA 2012-101/CVE-2012-4207 (bmo#801681) Improper character decoding in HZ-GB-2312 charset * MFSA 2012-103/CVE-2012-4209 (bmo#792405) Frames can shadow top.location * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/ CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/ CVE-2012-4213/CVE-2012-4217/CVE-2012-4218 Use-after-free and buffer overflow issues found using Address Sanitizer * MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer - rebased patches - disabled WebRTC since build is broken (bmo#776877) ------------------------------------------------------------------- Sat Oct 27 08:59:58 UTC 2012 - wr@rosenauer.org - update to SeaMonkey 2.13.2 (bnc#786522) * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196 (bmo#800666, bmo#793121, bmo#802557) Fixes for Location object issues ------------------------------------------------------------------- Fri Oct 12 07:33:18 UTC 2012 - wr@rosenauer.org - update to SeaMonkey 2.13.1 (bnc#783533) * MFSA 2012-88/CVE-2012-4191 (bmo#798045) Miscellaneous memory safety hazards * MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619) defaultValue security checks not applied ------------------------------------------------------------------- Mon Oct 8 20:32:50 UTC 2012 - wr@rosenauer.org - update to SeaMonkey 2.13 (bnc#783533) * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983 Miscellaneous memory safety hazards * MFSA 2012-75/CVE-2012-3984 (bmo#575294) select element persistance allows for attacks * MFSA 2012-76/CVE-2012-3985 (bmo#655649) Continued access to 
initial origin after setting document.domain * MFSA 2012-77/CVE-2012-3986 (bmo#775868) Some DOMWindowUtils methods bypass security checks * MFSA 2012-79/CVE-2012-3988 (bmo#725770) DOS and crash with full screen and history navigation * MFSA 2012-80/CVE-2012-3989 (bmo#783867) Crash with invalid cast when using instanceof operator * MFSA 2012-81/CVE-2012-3991 (bmo#783260) GetProperty function can bypass security checks * MFSA 2012-82/CVE-2012-3994 (bmo#765527) top object and location property accessible by plugins * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370) Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties * MFSA 2012-84/CVE-2012-3992 (bmo#775009) Spoofing and script injection through location.hash * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/ CVE-2012-4181/CVE-2012-4182/CVE-2012-4183 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/ CVE-2012-4188 Heap memory corruption issues found using Address Sanitizer * MFSA 2012-87/CVE-2012-3990 (bmo#787704) Use-after-free in the IME State Manager - requires NSPR 4.9.2 - improve GStreamer integration (bmo#760140) ------------------------------------------------------------------- Mon Sep 10 20:18:35 UTC 2012 - wr@rosenauer.org - update to SeaMonkey 2.12.1 (bnc#779936) * Sites visited while in Private Browsing mode could be found through manual browser cache inspection (bmo#787743) ------------------------------------------------------------------- Mon Aug 27 12:26:38 UTC 2012 - wr@rosenauer.org - update to SeaMonkey 2.12 (bnc#777588) * MFSA 2012-57/CVE-2012-1970 Miscellaneous memory safety hazards * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975 CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959 CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964 Use-after-free issues found using Address 
Sanitizer * MFSA 2012-59/CVE-2012-1956 (bmo#756719) Location object can be shadowed using Object.defineProperty * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793) Memory corruption with bitmap format images with negative height * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968 WebGL use-after-free and memory corruption * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970 SVG buffer overflow and use-after-free issues * MFSA 2012-64/CVE-2012-3971 Graphite 2 memory corruption * MFSA 2012-65/CVE-2012-3972 (bmo#746855) Out-of-bounds read in format-number in XSLT * MFSA 2012-68/CVE-2012-3975 (bmo#770684) DOMParser loads linked resources in extensions when parsing text/html * MFSA 2012-69/CVE-2012-3976 (bmo#768568) Incorrect site SSL certificate data display * MFSA 2012-70/CVE-2012-3978 (bmo#770429) Location object security checks bypassed by chrome code - enable GStreamer for 12.1 and higher - use internal libjpeg ------------------------------------------------------------------- Sun Jul 29 16:59:17 UTC 2012 - wr@rosenauer.org - import PPC patch from Firefox: * add patches for bmo#750620 and bmo#746112 * fix xpcshell segfault on ppc ------------------------------------------------------------------- Mon Jul 16 09:35:54 UTC 2012 - wr@rosenauer.org - update to Seamonkey 2.11 (bnc#771583) * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 Miscellaneous memory safety hazards * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952 Gecko memory corruption * MFSA 2012-45/CVE-2012-1955 (bmo#757376) Spoofing issue with location * MFSA 2012-47/CVE-2012-1957 (bmo#750096) Improper filtering of javascript in HTML feed-view * MFSA 2012-48/CVE-2012-1958 (bmo#750820) use-after-free in nsGlobalWindow::PageHidden * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559) Same-compartment Security Wrappers can be bypassed * MFSA 2012-50/CVE-2012-1960 (bmo#761014) Out of bounds read in QCMS * MFSA 2012-51/CVE-2012-1961 (bmo#761655) X-Frame-Options header ignored when duplicated * MFSA 
2012-52/CVE-2012-1962 (bmo#764296) JSDependentString::undepend string conversion results in memory corruption * MFSA 2012-53/CVE-2012-1963 (bmo#767778) Content Security Policy 1.0 implementation errors cause data leakage * MFSA 2012-56/CVE-2012-1967 (bmo#758344) Code execution through javascript: URLs * relicensed to MPL-2.0 - updated/removed patches - requires NSS 3.13.5 ------------------------------------------------------------------- Fri Jun 15 07:50:18 UTC 2012 - wr@rosenauer.org - update to Seamonkey 2.10.1 ------------------------------------------------------------------- Mon Jun 4 06:03:00 UTC 2012 - wr@rosenauer.org - update to Seamonkey 2.10 (bnc#765204) * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101 Miscellaneous memory safety hazards * MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content Security Policy inline-script bypass * MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information disclosure though Windows file shares and shortcut files * MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free while replacing/inserting a node in a document * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941 Buffer overflow and use-after-free issues found using Address Sanitizer - requires NSS 3.13.4 * MFSA 2012-39/CVE-2012-0441 (bmo#715073) ------------------------------------------------------------------- Mon Apr 30 07:30:14 UTC 2012 - wr@rosenauer.org - update to Seamonkey 2.9.1 * fix regressions - POP3 filters (bmo#748090) - Message Body not loaded when using "Fetch Headers Only" (bmo#748865) - Received messages contain parts of other messages with movemail account (bmo#748726) - New mail notification issue (bmo#748997) - crash in nsMsgDatabase::MatchDbName (bmo#748432) ------------------------------------------------------------------- Fri Apr 27 10:21:24 UTC 2012 - wr@rosenauer.org - fixed build with gcc 4.7 ------------------------------------------------------------------- Mon Apr 23 14:28:50 UTC 2012 - wr@rosenauer.org - update to Seamonkey 2.9 
(bnc#758408) * MFSA 2012-20/CVE-2012-0467/CVE-2012-0468 Miscellaneous memory safety hazards * MFSA 2012-22/CVE-2012-0469 (bmo#738985) use-after-free in IDBKeyRange * MFSA 2012-23/CVE-2012-0470 (bmo#734288) Invalid frees causes heap corruption in gfxImageSurface * MFSA 2012-24/CVE-2012-0471 (bmo#715319) Potential XSS via multibyte content processing errors * MFSA 2012-25/CVE-2012-0472 (bmo#744480) Potential memory corruption during font rendering using cairo-dwrite * MFSA 2012-26/CVE-2012-0473 (bmo#743475) WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error * MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) Page load short-circuit can lead to XSS * MFSA 2012-28/CVE-2012-0475 (bmo#694576) Ambiguous IPv6 in Origin headers may bypass webserver access restrictions * MFSA 2012-29/CVE-2012-0477 (bmo#718573) Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues * MFSA 2012-30/CVE-2012-0478 (bmo#727547) Crash with WebGL content using textImage2D * MFSA 2012-31/CVE-2011-3062 (bmo#739925) Off-by-one error in OpenType Sanitizer * MFSA 2012-32/CVE-2011-1187 (bmo#624621) HTTP Redirections and remote content can be read by javascript errors * MFSA 2012-33/CVE-2012-0479 (bmo#714631) Potential site identity spoofing when loading RSS and Atom feeds ------------------------------------------------------------------- Sat Apr 21 12:29:55 UTC 2012 - wr@rosenauer.org - update to 2.9b4 - added mozilla-sle11.patch and add exceptions to be able to build for SLE11/11.1 - exclude broken gl locale from build - fixed build on 11.2-x86_64 by adding mozilla-revert_621446.patch - added mozilla-gcc47.patch and mailnews-literals.patch to fix compilation issues with recent gcc 4.7 ------------------------------------------------------------------- Tue Mar 13 15:19:56 UTC 2012 - wr@rosenauer.org - update to Seamonkey 2.8 (bnc#750044) * MFSA 2012-13/CVE-2012-0455 (bmo#704354) XSS with Drag and Drop and Javascript: URL * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 
(bmo#711653, #720103) SVG issues found with Address Sanitizer * MFSA 2012-15/CVE-2012-0451 (bmo#717511) XSS with multiple Content Security Policy headers * MFSA 2012-16/CVE-2012-0458 Escalation of privilege with Javascript: URL as home page * MFSA 2012-17/CVE-2012-0459 (bmo#723446) Crash when accessing keyframe cssText after dynamic modification * MFSA 2012-18/CVE-2012-0460 (bmo#727303) window.fullScreen writeable by untrusted content * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/ CVE-2012-0463 Miscellaneous memory safety hazards - explicitely build-require X libs ------------------------------------------------------------------- Thu Feb 16 15:55:03 UTC 2012 - wr@rosenauer.org - update to Seamonkey 2.7.2 (bnc#747328) * CVE-2011-3026 (bmo#727401) libpng: integer overflow leading to heap-buffer overflow ------------------------------------------------------------------- Thu Feb 9 12:36:02 UTC 2012 - wr@rosenauer.org - update to Seamonkey 2.7.1 (bnc#746616) * MFSA 2012-10/CVE-2012-0452 (bmo#724284) use after free in nsXBLDocumentInfo::ReadPrototypeBindings - Use YARR interpreter instead of PCRE on platforms where YARR JIT is not supported, since PCRE doesnt build (bmo#691898) - fix ppc64 build (bmo#703534) ------------------------------------------------------------------- Tue Jan 31 22:16:33 UTC 2012 - wr@rosenauer.org - update to Seamonkey 2.7 (bnc#744275) * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443 Miscellaneous memory safety hazards * MFSA 2012-03/CVE-2012-0445 (bmo#701071)