- update to Firefox 39.0 (bnc#935979)

security fixes:
  * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
    Miscellaneous memory safety hazards
  * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
    Local files or privileged URLs in pages can be opened into new tabs
  * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
    Type confusion in Indexed Database Manager
  * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
    Out-of-bound read while computing an oscillator rendering range in Web Audio
  * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
    Use-after-free in Content Policy due to microtask execution error
  * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
    ECDSA signature validation fails to handle some signatures correctly
    (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
    Use-after-free in workers while using XMLHttpRequest
  * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
    CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
    Vulnerabilities found through code inspection
  * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
    Key pinning is ignored when overridable errors are encountered
  * MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
    OS X crash reports may contain entered key press information
    (not relevant under Linux)
  * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
    Privilege escalation in PDF.js
  * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
    NSS accepts export-length DHE keys with regular DHE cipher suites
    (this fix is shipped by NSS 3.19.1 externally)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=450

MozillaFirefox.changes

@@ -1,7 +1,7 @@
 -------------------------------------------------------------------
-Tue Jun 23 06:12:45 UTC 2015 - wr@rosenauer.org
+Wed Jul  1 06:43:02 UTC 2015 - wr@rosenauer.org
 
-- update to Firefox 39.0
+- update to Firefox 39.0 (bnc#935979)
   * Share Hello URLs with social networks
   * Support for 'switch' role in ARIA 1.1 (web accessibility)
   * SafeBrowsing malware detection lookups enabled for downloads
@@ -10,6 +10,38 @@ Tue Jun 23 06:12:45 UTC 2015 - wr@rosenauer.org
   * Removed support for insecure SSLv3 for network communications
   * Disable use of RC4 except for temporarily whitelisted hosts
   * NPAPI Plug-in performance improved via asynchronous initialization
+  security fixes:
+  * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
+    Miscellaneous memory safety hazards
+  * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
+    Local files or privileged URLs in pages can be opened into new tabs
+  * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
+    Type confusion in Indexed Database Manager
+  * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
+    Out-of-bound read while computing an oscillator rendering range in Web Audio
+  * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
+    Use-after-free in Content Policy due to microtask execution error
+  * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
+    ECDSA signature validation fails to handle some signatures correctly
+    (this fix is shipped by NSS 3.19.1 externally)
+  * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
+    Use-after-free in workers while using XMLHttpRequest
+  * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
+    CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
+    Vulnerabilities found through code inspection
+  * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
+    Key pinning is ignored when overridable errors are encountered
+  * MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
+    OS X crash reports may contain entered key press information
+    (not relevant under Linux)
+  * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
+    Privilege escalation in PDF.js
+  * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
+    NSS accepts export-length DHE keys with regular DHE cipher suites
+    (this fix is shipped by NSS 3.19.1 externally)
+  * MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
+    NSS incorrectly permits skipping of ServerKeyExchange
+    (this fix is shipped by NSS 3.19.1 externally)
 - dropped mozilla-prefer_plugin_pref.patch as this feature is
   likely not worth maintaining further
 - rebased patches

MozillaFirefox.spec

@@ -21,7 +21,7 @@
 %define major 39
 %define mainver %major.0
 %define update_channel release
-%define releasedate 2015062300
+%define releasedate 2015063000
 
 # general build definitions
 %if "%{update_channel}" != "aurora"

compare-locales.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:3e0a748e563c83db835bda01d5bb1627b5571d8957068b0c91110baf8fc9c310
-size 28428
+oid sha256:7d81026bcb6180f233d685249992000512792b599de71e85b15f2a4319706b7e
+size 28448

firefox-39.0-source.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:980c9a66aff87ad6c7bd2c8b5cb87914941c87075c6122f9fc586418a62aa601
-size 156257540
+oid sha256:b0c4457706a43832e166902a53cb61531fc446a5039c41d051e4b989817da101
+size 156760208

l10n-39.0.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0e2338d351444db95bb3c9abfaa7799f533f9157b65c011fc5b82373ce68b73e
-size 42206764
+oid sha256:00ffedb90fe76f706bef76208716a5350c3f10e4c8aa5a1608e5f43fb361c69b
+size 42221112

source-stamp.txt

@@ -1,2 +1,2 @@
-REV=034c406f342b
+REV=d3b3e57e8088
 REPO=http://hg.mozilla.org/releases/mozilla-release