From ea519de4149fdcef70bd8978da56ffe47190204bfe8759c91bd5dfdc27bac4cc Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer
Date: Fri, 3 Jul 2015 06:21:15 +0000
Subject: [PATCH] - update to Firefox 39.0 (bnc#935979)

  security fixes:
  * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
    Miscellaneous memory safety hazards
  * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
    Local files or privileged URLs in pages can be opened into new tabs
  * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
    Type confusion in Indexed Database Manager
  * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
    Out-of-bound read while computing an oscillator rendering range in Web Audio
  * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
    Use-after-free in Content Policy due to microtask execution error
  * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
    ECDSA signature validation fails to handle some signatures correctly
    (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
    Use-after-free in workers while using XMLHttpRequest
  * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
    CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
    Vulnerabilities found through code inspection
  * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
    Key pinning is ignored when overridable errors are encountered
  * MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
    OS X crash reports may contain entered key press information
    (not relevant under Linux)
  * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
    Privilege escalation in PDF.js
  * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
    NSS accepts export-length DHE keys with regular DHE cipher suites
    (this fix is shipped by NSS 3.19.1 externally)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=450
---
 MozillaFirefox.changes     | 36 ++++++++++++++++++++++++++++++++++--
 MozillaFirefox.spec        | 2 +-
 compare-locales.tar.xz     | 4 ++--
 firefox-39.0-source.tar.xz | 4 ++--
 l10n-39.0.tar.xz           | 4 ++--
 source-stamp.txt           | 2 +-
 6 files changed, 42 insertions(+), 10 deletions(-)
diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index b709ebf..ddc63e0 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes @@ -1,7 +1,7 @@ ------------------------------------------------------------------- -Tue Jun 23 06:12:45 UTC 2015 - wr@rosenauer.org +Wed Jul 1 06:43:02 UTC 2015 - wr@rosenauer.org -- update to Firefox 39.0 +- update to Firefox 39.0 (bnc#935979) * Share Hello URLs with social networks * Support for 'switch' role in ARIA 1.1 (web accessibility) * SafeBrowsing malware detection lookups enabled for downloads 
@@ -10,6 +10,38 @@ Tue Jun 23 06:12:45 UTC 2015 - wr@rosenauer.org * Removed support for insecure SSLv3 for network communications * Disable use of RC4 except for temporarily whitelisted hosts * NPAPI Plug-in performance improved via asynchronous initialization + security fixes: + * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726 + Miscellaneous memory safety hazards + * MFSA 2015-60/CVE-2015-2727 (bmo#1163422) + Local files or privileged URLs in pages can be opened into new tabs + * MFSA 2015-61/CVE-2015-2728 (bmo#1142210) + Type confusion in Indexed Database Manager + * MFSA 2015-62/CVE-2015-2729 (bmo#1122218) + Out-of-bound read while computing an oscillator rendering range in Web Audio + * MFSA 2015-63/CVE-2015-2731 (bmo#1149891) + Use-after-free in Content Policy due to microtask execution error + * MFSA 2015-64/CVE-2015-2730 (bmo#1125025) + ECDSA signature validation fails to handle some signatures correctly + (this fix is shipped by NSS 3.19.1 externally) + * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867) + Use-after-free in workers while using XMLHttpRequest + * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737 + CVE-2015-2738/CVE-2015-2739/CVE-2015-2740 + Vulnerabilities found through code inspection + * MFSA 2015-67/CVE-2015-2741 (bmo#1147497) + Key pinning is ignored when overridable errors are encountered + * MFSA 2015-68/CVE-2015-2742 (bmo#1138669) + OS X crash reports may contain entered key press information + (not relevant under Linux) + * MFSA 2015-69/CVE-2015-2743 (bmo#1163109) + Privilege escalation in PDF.js + * MFSA 2015-70/CVE-2015-4000 (bmo#1138554) + NSS accepts export-length DHE keys with regular DHE cipher suites + (this fix is shipped by NSS 3.19.1 externally) + * MFSA 2015-71/CVE-2015-2721 (bmo#1086145) + NSS incorrectly permits skipping of ServerKeyExchange + (this fix is shipped by NSS 3.19.1 externally) - dropped mozilla-prefer_plugin_pref.patch as this feature is likely not worth 
maintaining further - rebased patches diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec index 150181f..f7d38a5 100644 --- a/MozillaFirefox.spec +++ b/MozillaFirefox.spec @@ -21,7 +21,7 @@ %define major 39 %define mainver %major.0 %define update_channel release -%define releasedate 2015062300 +%define releasedate 2015063000 # general build definitions %if "%{update_channel}" != "aurora" diff --git a/compare-locales.tar.xz b/compare-locales.tar.xz index 9afff73..c37b499 100644 --- a/compare-locales.tar.xz +++ b/compare-locales.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:3e0a748e563c83db835bda01d5bb1627b5571d8957068b0c91110baf8fc9c310 -size 28428 +oid sha256:7d81026bcb6180f233d685249992000512792b599de71e85b15f2a4319706b7e +size 28448 diff --git a/firefox-39.0-source.tar.xz b/firefox-39.0-source.tar.xz index 7de479b..7863f79 100644 --- a/firefox-39.0-source.tar.xz +++ b/firefox-39.0-source.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:980c9a66aff87ad6c7bd2c8b5cb87914941c87075c6122f9fc586418a62aa601 -size 156257540 +oid sha256:b0c4457706a43832e166902a53cb61531fc446a5039c41d051e4b989817da101 +size 156760208 diff --git a/l10n-39.0.tar.xz b/l10n-39.0.tar.xz index 1e3bc4f..996e305 100644 --- a/l10n-39.0.tar.xz +++ b/l10n-39.0.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0e2338d351444db95bb3c9abfaa7799f533f9157b65c011fc5b82373ce68b73e -size 42206764 +oid sha256:00ffedb90fe76f706bef76208716a5350c3f10e4c8aa5a1608e5f43fb361c69b +size 42221112 diff --git a/source-stamp.txt b/source-stamp.txt index 2b624b6..20bdb48 100644 --- a/source-stamp.txt +++ b/source-stamp.txt @@ -1,2 +1,2 @@ -REV=034c406f342b +REV=d3b3e57e8088 REPO=http://hg.mozilla.org/releases/mozilla-release
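Review bot: In the MozillaFirefox.changes hunk at @@ -10,6 +10,38 @@, the added list ends with MFSA 2015-71/CVE-2015-2721 (bmo#1086145), but the commit message stops at MFSA 2015-70, so the two records of this update disagree on which CVEs it covers. Add the 2015-71 entry to the commit message, or drop it from the changelog if it does not apply, so that anything reading either record for patch tracking sees the same CVE set.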
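Review bot: The MozillaFirefox.spec hunk at @@ -21,7 +21,7 @@ changes only `%define releasedate`, while the changelog in this same patch attributes three fixes (MFSA 2015-64, MFSA 2015-70, MFSA 2015-71) to "NSS 3.19.1 externally", and nothing in the patch ties the package to that NSS version. Confirm that the spec's NSS build and runtime requirement is at least 3.19.1; otherwise a system with an older NSS installs Firefox 39.0 and the changelog claims fixes that are not present.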
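Review bot: In the firefox-39.0-source.tar.xz hunk the `oid sha256:` and `size` lines change while the file name and version stay at 39.0, so the source archive was replaced under an unchanged name, and the same is true of l10n-39.0.tar.xz. The changelog should say that the tarballs were regenerated from a newer revision (source-stamp.txt moves REV from 034c406f342b to d3b3e57e8088), and the new sha256 values should be checked against the upstream release before the request is accepted, because a same-name content swap gives a reviewer nothing else to distinguish it from an unintended change.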
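Review bot: In the source-stamp.txt hunk the unchanged context line `REPO=http://hg.mozilla.org/releases/mozilla-release` still names the repository over plain HTTP. If the tarball creation step clones from this value, switch it to https so that the revision recorded in REV is fetched over an authenticated channel and the resulting archive hash is meaningful.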