- Mozilla Firefox 95.0

* You can now move the Picture-in-Picture toggle button to the
    opposite side of the video. Simply look for the new context menu
    option Move Picture-in-Picture Toggle to Left (Right) Side.
  * To better protect Firefox users against side-channel attacks such
    as Spectre, Site Isolation is now enabled for all Firefox 95 users.
  * https://www.mozilla.org/en-US/firefox/95.0/releasenotes
  MFSA 2021-52 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * MOZ-2021-0010 (bmo#1735852)
    Use-after-free in fullscreen objects on MacOS
  * CVE-2021-43540 (bmo#1636629)
    WebExtensions could have installed persistent ServiceWorkers
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43544 (bmo#1739934)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=947

MozillaFirefox.changes

@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Sat Dec  4 12:07:21 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 95.0
+  * You can now move the Picture-in-Picture toggle button to the
+    opposite side of the video. Simply look for the new context menu
+    option Move Picture-in-Picture Toggle to Left (Right) Side.
+  * To better protect Firefox users against side-channel attacks such
+    as Spectre, Site Isolation is now enabled for all Firefox 95 users.
+  * https://www.mozilla.org/en-US/firefox/95.0/releasenotes
+  MFSA 2021-52 (bsc#1193485)
+  * CVE-2021-43536 (bmo#1730120)
+    URL leakage when navigating while executing asynchronous
+    function
+  * CVE-2021-43537 (bmo#1738237)
+    Heap buffer overflow when using structured clone
+  * CVE-2021-43538 (bmo#1739091)
+    Missing fullscreen and pointer lock notification when
+    requesting both
+  * CVE-2021-43539 (bmo#1739683)
+    GC rooting failure when calling wasm instance methods
+  * MOZ-2021-0010 (bmo#1735852)
+    Use-after-free in fullscreen objects on MacOS
+  * CVE-2021-43540 (bmo#1636629)
+    WebExtensions could have installed persistent ServiceWorkers
+  * CVE-2021-43541 (bmo#1696685)
+    External protocol handler parameters were unescaped
+  * CVE-2021-43542 (bmo#1723281)
+    XMLHttpRequest error codes could have leaked the existence of
+    an external protocol handler
+  * CVE-2021-43543 (bmo#1738418)
+    Bypass of CSP sandbox directive when embedding
+  * CVE-2021-43544 (bmo#1739934)
+    Receiving a malicious URL as text through a SEND intent could
+    have led to XSS
+  * CVE-2021-43545 (bmo#1720926)
+    Denial of Service when using the Location API in a loop
+  * CVE-2021-43546 (bmo#1737751)
+    Cursor spoofing could overlay user interface when native
+    cursor is zoomed
+  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
+    bmo#1737009, bmo#1739372, bmo#1739421)
+    Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
+- requires
+  NSS >= 3.72
+
 -------------------------------------------------------------------
 Thu Dec  2 20:32:42 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
 

MozillaFirefox.spec

@@ -28,9 +28,9 @@
 # orig_suffix b3
 # major 69
 # mainver %major.99
-%define major          94
+%define major          95
-%define mainver        %major.0.2
+%define mainver        %major.0
-%define orig_version   94.0.2
+%define orig_version   95.0
 %define orig_suffix    %{nil}
 %define update_channel release
 %define branding       1
@@ -492,6 +492,8 @@ ac_add_options --with-mozilla-api-keyfile=%{SOURCE18}
 ac_add_options --with-google-safebrowsing-api-keyfile=%{SOURCE19}
 ac_add_options --with-unsigned-addon-scopes=app
 ac_add_options --allow-addon-sideload
+# at least temporary until the "wasi-sysroot" issue is solved
+ac_add_options --without-wasm-sandboxed-libraries
 %if %branding
 ac_add_options --enable-official-branding
 %endif
@@ -548,6 +550,7 @@ mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/../obj_LANG
 ac_add_options --prefix=%{_prefix}
 ac_add_options --with-l10n-base=$RPM_BUILD_DIR/l10n
 ac_add_options --disable-updater
+ac_add_options --without-wasm-sandboxed-libraries
 %if %branding
 ac_add_options --enable-official-branding
 %endif

firefox-94.0.2.source.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:899ba1c806549034793d7e8ca53f4c845d783c810338f314f3d653d39649e575
-size 382896780

firefox-94.0.2.source.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmGX42UACgkQ6+QekPbx
-L20fTg/9GdNWBx4O/+pVOxbaWOWn4w+aD0XuBLdTge4+c2u7hxtaMqGKyWFYDVq1
-5/TkpO5miNj7yb+Jgj7KRA8Mo6FLhEQVnox3YjndYE9rseGxiDzVBFf/NCX6gJLU
-beCEZ0VPXgXu6iA1PtW8Hs0Npq3o8NtrDyw+RVxZWH7clRPTFxnibBauPTNC+H5U
-BIe+exHSD984s7535DnDvK+C6YBe/Y8E/mPlcQLnGbAUzexU+3mB79bEGNwdI5gv
-X/YJtcf6Kmo4MDxEdKnE/eTDSr6u9AEpG0CYRiu3k9QcwiFTN5wpYxj+G5HeL8rF
-p6Y4xXnGbloMWwA9hNoYGyr0Iq6tLDWdpJKR7w7v/sXGujdf++7svDvGdup4r8VL
-Avu5RVAli+gMhFwkNnwWMfOHukH/09xNBfGjaTcdliDNcUyVgL82ZQ2oF36demrh
-1mVtJnEE2R8HIM/klAuu3Hz+rEam8kXmBA64zfXrbmTdAiymBKtF1gf82dJFMa3/
-7fbzSHQVBSpy3mzOphifUYvyxjR9a2OgxS5uKe4Ere5E0b+CvLEMzOSsVgP4Ilnb
-hjnXKRdG1js0AKKT9RrleNXJamn1LBIom5zLcMKqRBnYqHZDuVzanPt7MbJB7SvW
-+DcDfQ0YRYJbnQ/XJg9+J4xhcIcjdUdj61rPd6HK3zESqU7hUyU=
-=8S/P
------END PGP SIGNATURE-----

firefox-95.0.source.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7fa3e43f6ec710b2ebba0e99db713a56d13d85f1f23c4a1399bb594fd74864de
+size 382853940

firefox-95.0.source.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmGk/KQACgkQ6+QekPbx
+L20H4A//eZmrO5kJF2ISDsZGF7tV+EjP0hlNqBLsUkZUXvcldpzG8Fo3d4wqe27y
+ROdFyvuMlvAKNS3ZFzS47Q5mTc7nZ3KoI68Q4RTN+mk0VrHjQ+nLXFdennp6NWLs
+WAbtsVUgRiV9R8hZlWm69hWa/p22duc0lz9D7gGHSycTGKWqaacKCisXBNmV5UD1
+0ooD/maOYgLnedaZu2K2OOPZArHchZnrsMz7NG0DBXEY2yaTXyjVBtnSoo8bBrkv
+95XFwEVGZCGuc/OK9iBzIynRlKHV4mg0dsIayb/JpNnHdEGWFRLd6PulELdGPcvq
+msPl9kcHZX8M07Ha6gB3WB31M0COsTDraBvIZrfSBm+7XOF8QtYKjKV7SrlG9hLz
+KjkKDRVZBZPrGbol7IPaZQ1MKMmR/ifc33Azd0S+6v8VNxOUVmK18AxORj4/hEAy
+0FGiUkYAQKI6o2WLbAV5WOZGnlT4YyHUjNXH/yQXMlMelJS/5NSeSgmpRWWX6uhr
+li45wabZg11TMZ0a17w3ZYZZLN56jOsKbaglKI/MznpJB8pQYs8yTblFj0FfWxbT
+qlLtsmwvLMQYNr5lcfu7DYZGsGD47Dq3/Uo5jKFS7TQ68wLKHbtHJAXuEZkPpp/v
+drysMCzF78fx0tg0Lw7J2wvkYavSdensHSfkb6A8bGvBRbN/Eds=
+=/gW4
+-----END PGP SIGNATURE-----

l10n-94.0.2.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7ea87cc125b67cd1802b5895ca64b9e71df6966c9c0ac13376545da4ca727626
-size 48450876

l10n-95.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c350d342122846ce53c4c07b594b93406829e77545a3911743587f7018328e33
+size 49001020

mozilla-kde.patch

@@ -3,7 +3,7 @@
 # Date 1559294891 -7200
 #      Fri May 31 11:28:11 2019 +0200
 # Node ID c2aa7198fb925e7fde96abf65b6f68b9b755f112
-# Parent  9eb4df0e07175ce38fc6699b2b8544b9eda7f0ad
+# Parent  d065e5213c971b1f80d4a13458c412a3a25f7c1c
 Description: Add KDE integration to Firefox (toolkit parts)
 Author: Wolfgang Rosenauer <wolfgang@rosenauer.org>
 Author: Lubos Lunak <lunak@suse.com>
@@ -31,7 +31,7 @@ diff --git a/modules/libpref/Preferences.cpp b/modules/libpref/Preferences.cpp
  #ifdef MOZ_MEMORY
  #  include "mozmemory.h"
  #endif
-@@ -4634,16 +4635,27 @@ nsresult Preferences::InitInitialObjects
+@@ -4635,16 +4636,27 @@ nsresult Preferences::InitInitialObjects
      "unix.js"
  #  if defined(_AIX)
      ,
@@ -59,7 +59,7 @@ diff --git a/modules/libpref/Preferences.cpp b/modules/libpref/Preferences.cpp
  
    // Load jar:$app/omni.jar!/defaults/preferences/*.js
    // or jar:$gre/omni.jar!/defaults/preferences/*.js.
-@@ -4708,17 +4720,17 @@ nsresult Preferences::InitInitialObjects
+@@ -4709,17 +4721,17 @@ nsresult Preferences::InitInitialObjects
        }
  
        nsCOMPtr<nsIFile> path = do_QueryInterface(elem);
@@ -346,7 +346,7 @@ diff --git a/toolkit/system/unixproxy/nsUnixSystemProxySettings.cpp b/toolkit/sy
 diff --git a/toolkit/xre/moz.build b/toolkit/xre/moz.build
 --- a/toolkit/xre/moz.build
 +++ b/toolkit/xre/moz.build
-@@ -91,17 +91,19 @@ elif CONFIG["MOZ_WIDGET_TOOLKIT"] == "co
+@@ -92,17 +92,19 @@ elif CONFIG["MOZ_WIDGET_TOOLKIT"] == "co
          "../components/printingui",
      ]
  elif CONFIG["MOZ_WIDGET_TOOLKIT"] == "uikit":
@@ -360,12 +360,12 @@ diff --git a/toolkit/xre/moz.build b/toolkit/xre/moz.build
 +        "nsKDEUtils.cpp",
          "nsNativeAppSupportUnix.cpp",
      ]
+     CXXFLAGS += CONFIG["MOZ_X11_SM_CFLAGS"]
  else:
      UNIFIED_SOURCES += [
          "nsNativeAppSupportDefault.cpp",
      ]
  
- if CONFIG["MOZ_HAS_REMOTE"]:
 diff --git a/toolkit/xre/nsKDEUtils.cpp b/toolkit/xre/nsKDEUtils.cpp
 new file mode 100644
 --- /dev/null

mozilla-pgo.patch

@@ -1,37 +1,48 @@
 # HG changeset patch
 # User Wolfgang Rosenauer <wr@rosenauer.org>
-# Parent  ed9681bd4359b83145247fb6b01a56a2c84879fd
+# Parent  066aba2f6d1fbc0fe31d1864d539714041404fe6
 
 diff --git a/build/moz.configure/lto-pgo.configure b/build/moz.configure/lto-pgo.configure
 --- a/build/moz.configure/lto-pgo.configure
 +++ b/build/moz.configure/lto-pgo.configure
-@@ -235,23 +235,23 @@ def lto(
+@@ -243,34 +243,34 @@ def lto(
-                 "configure."
+             "configure."
-             )
+         )
  
-         if c_compiler.type == "clang":
+     if c_compiler.type == "clang":
-             if len(value) and value[0].lower() == "full":
+         if value == "full":
-                 cflags.append("-flto")
+             cflags.append("-flto")
-                 ldflags.append("-flto")
+             ldflags.append("-flto")
-             else:
+         else:
--                cflags.append("-flto=thin")
+-            cflags.append("-flto=thin")
--                ldflags.append("-flto=thin")
+-            ldflags.append("-flto=thin")
-+                cflags.append("-flto")
++            cflags.append("-flto")
-+                ldflags.append("-flto")
++            ldflags.append("-flto")
-         elif c_compiler.type == "clang-cl":
-             if len(value) and value[0].lower() == "full":
-                 cflags.append("-flto")
-             else:
--                cflags.append("-flto=thin")
-+                cflags.append("-flto")
-             # With clang-cl, -flto can only be used with -c or -fuse-ld=lld.
-             # AC_TRY_LINKs during configure don't have -c, so pass -fuse-ld=lld.
-             cflags.append("-fuse-ld=lld")
  
-             # Explicitly set the CPU to optimize for so the linker doesn't
+         if target.os == "Android" and value == "cross":
-             # choose a poor default.  Rust compilation by default uses the
+             # Work around https://github.com/rust-lang/rust/issues/90088
-             # pentium4 CPU on x86:
+             # by enabling the highest level of SSE the rust targets default
-             #
+             # to.
+             # https://github.com/rust-lang/rust/blob/bdfcb88e8b6203ccb46a2fb6649979b773efc8ac/compiler/rustc_target/src/spec/i686_linux_android.rs#L13
+             # https://github.com/rust-lang/rust/blob/8d1083e319841624f64400e1524805a40d725439/compiler/rustc_target/src/spec/x86_64_linux_android.rs#L7
+             if target.cpu == "x86":
+                 ldflags.append("-Wl,-plugin-opt=-mattr=+ssse3")
+             elif target.cpu == "x86_64":
+                 ldflags.append("-Wl,-plugin-opt=-mattr=+sse4.2")
+     elif c_compiler.type == "clang-cl":
+         if value == "full":
+             cflags.append("-flto")
+         else:
+-            cflags.append("-flto=thin")
++            cflags.append("-flto")
+         # With clang-cl, -flto can only be used with -c or -fuse-ld=lld.
+         # AC_TRY_LINKs during configure don't have -c, so pass -fuse-ld=lld.
+         cflags.append("-fuse-ld=lld")
+ 
+         # Explicitly set the CPU to optimize for so the linker doesn't
+         # choose a poor default.  Rust compilation by default uses the
+         # pentium4 CPU on x86:
+         #
 diff --git a/build/pgo/profileserver.py b/build/pgo/profileserver.py
 --- a/build/pgo/profileserver.py
 +++ b/build/pgo/profileserver.py
@@ -155,7 +166,7 @@ diff --git a/extensions/spellcheck/src/moz.build b/extensions/spellcheck/src/moz
 diff --git a/toolkit/components/terminator/nsTerminator.cpp b/toolkit/components/terminator/nsTerminator.cpp
 --- a/toolkit/components/terminator/nsTerminator.cpp
 +++ b/toolkit/components/terminator/nsTerminator.cpp
-@@ -451,16 +451,21 @@ void nsTerminator::StartWatchdog() {
+@@ -461,16 +461,21 @@ void nsTerminator::StartWatchdog() {
        // Defend against overflow
        crashAfterMS = INT32_MAX;
      } else {

tar_stamps

@@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="94.0.2"
+VERSION="95.0"
 VERSION_SUFFIX=""
-PREV_VERSION="94.0.1"
+PREV_VERSION="94.0.2"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="f09593707108af9f9f4d580cf748c3537639ecd4"
+RELEASE_TAG="5a1a2f3b06c23a27532ba48f9999c59c643f3f36"
-RELEASE_TIMESTAMP="20211119140621"
+RELEASE_TIMESTAMP="20211129150630"