diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes
index d75b3c0..33022c3 100644
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@@ -1,7 +1,21 @@
+-------------------------------------------------------------------
+Tue Oct 26 19:48:24 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
+- (re-)enable LTO on Tumbleweed
+
+-------------------------------------------------------------------
+Wed Oct 20 06:49:52 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- Rebase mozilla-sandbox-fips.patch to punch another hole in the
+  sandbox containment, to be able to open /proc/sys/crypto/fips_enabled
+  from within the newly introduced socket process sandbox.
+  This fixes bsc#1191815 and bsc#1190141
+
 -------------------------------------------------------------------
 Mon Oct 18 12:44:44 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 
-- Add patch to fix build on aarch64 - bmo#1729124 
+- Add patch to fix build on aarch64 (bmo#1729124)
   * mozilla-bmo1729124.patch
 
 -------------------------------------------------------------------
diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec
index 4a4e09d..449d38a 100644
--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@@ -145,7 +145,6 @@ BuildRequires:  clang6-devel
 %else
 BuildRequires:  clang-devel >= 5
 %endif
-BuildRequires:  pkgconfig(gdk-x11-2.0)
 BuildRequires:  pkgconfig(glib-2.0) >= 2.22
 BuildRequires:  pkgconfig(gobject-2.0)
 BuildRequires:  pkgconfig(gtk+-3.0) >= 3.14.0
@@ -522,7 +521,7 @@ ac_add_options --enable-optimize="-O1"
 %endif
 %ifarch x86_64
 # LTO needs newer toolchain stack only (at least GCC 8.2.1 (r268506)
-%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1550
+%if 0%{?suse_version} > 1500
 ac_add_options --enable-lto
 %if 0%{?do_profiling}
 ac_add_options MOZ_PGO=1
diff --git a/mozilla-sandbox-fips.patch b/mozilla-sandbox-fips.patch
index 8381299..fda8b55 100644
--- a/mozilla-sandbox-fips.patch
+++ b/mozilla-sandbox-fips.patch
@@ -4,15 +4,11 @@ References:
 http://bugzilla.suse.com/show_bug.cgi?id=1167132
 bsc#1174284 - Firefox tab just crashed in FIPS mode
 
-diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
---- a/security/sandbox/linux/Sandbox.cpp
-+++ b/security/sandbox/linux/Sandbox.cpp
-@@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a
-     SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
-                       strerror(errno));
-     MOZ_CRASH("failed while trying to open the plugin file ");
-   }
- 
+Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp
++++ firefox-93.0/security/sandbox/linux/Sandbox.cpp
+@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a
    auto files = new SandboxOpenedFiles();
    files->Add(std::move(plugin));
    files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
@@ -20,20 +16,11 @@ diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox
    files->Add("/etc/ld.so.cache");  // Needed for NSS in clearkey.
    files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
    files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
-   files->Add("/proc/cpuinfo");  // Info also available via CPUID instruction.
-   files->Add("/proc/sys/crypto/fips_enabled");  // Needed for NSS in clearkey.
- #ifdef __i386__
-   files->Add("/proc/self/auxv");  // Info also in process's address space.
- #endif
-diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
---- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-@@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon
-     policy->AddDir(rdwr, "/dev/dri");
-   }
- 
-   // Bug 1575985: WASM library sandbox needs RW access to /dev/null
-   policy->AddPath(rdwr, "/dev/null");
+Index: firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon
  
    // Read permissions
    policy->AddPath(rdonly, "/dev/urandom");
@@ -42,8 +29,12 @@ diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/secu
    policy->AddPath(rdonly, "/proc/cpuinfo");
    policy->AddPath(rdonly, "/proc/meminfo");
    policy->AddDir(rdonly, "/sys/devices/cpu");
-   policy->AddDir(rdonly, "/sys/devices/system/cpu");
-   policy->AddDir(rdonly, "/lib");
-   policy->AddDir(rdonly, "/lib64");
-   policy->AddDir(rdonly, "/usr/lib");
-   policy->AddDir(rdonly, "/usr/lib32");
+@@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro
+   auto policy = MakeUnique<SandboxBroker::Policy>();
+ 
+   policy->AddPath(rdonly, "/dev/urandom");
++  policy->AddPath(rdonly, "/dev/random");
++  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
+   policy->AddPath(rdonly, "/proc/cpuinfo");
+   policy->AddPath(rdonly, "/proc/meminfo");
+   policy->AddDir(rdonly, "/sys/devices/cpu");