MFSA 2022-04 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during update
* CVE-2022-22755 (bmo#1309630)
XSL could have allowed JavaScript execution after a tab was closed
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22757 (bmo#1720098)
Remote Agent did not prevent local websites from connecting
* CVE-2022-22758 (bmo#1728742)
tel: links could have sent USSD codes to the dialer on
Firefox for Android
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22762 (bmo#1743931)
JavaScript Dialogs could have been displayed over other
domains on Firefox for Android
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
bmo#1748210, bmo#1748279)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=958
- disable ccache, this adds about 1 minute of build time and
over 2 GB of disk space usage without benefit on OBS builds
- build with rust-simd like upstream does
- use -g1 for debuginfo generation as this is what upstream
does as well and it saves ~ 2GB of writes
- use %limit on x86_64 to scale down to less capable workers
- disable install stripping so that debuginfo is useful
- use autopatch
- cleanup constraints to specify only jobs, physicalmemory
and memoryperjob to be more flexible on which host to build
on
OBS-URL: https://build.opensuse.org/request/show/951346
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=956
* https://www.mozilla.org/en-US/firefox/96.0/releasenotes
MFSA 2022-01 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071)
Calling into reportValidity could have lead to fullscreen
window spoof
* CVE-2022-22743 (bmo#1739220)
Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923)
Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389)
Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334)
Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382)
Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874)
Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720)
Iframe sandbox bypass with XSLT
* CVE-2022-22750 (bmo#1566608)
IPC passing of resource handles could have lead to sandbox
bypass
* CVE-2022-22749 (bmo#1705094)
Lack of URL restrictions when scanning QR codes
* CVE-2022-22748 (bmo#1705211)
Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856)
Leaking cross-origin URLs through securitypolicyviolation
event
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=951
* Fixed frequent
MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error
messages when trying to connect to various microsoft.com
domains (bmo#1745600)
* Fix for a WebRender crash on some Linux/X11 systems (bmo#1741956)
* Fix for a frequent Windows shutdown crash (bmo#1738984)
* Fix websites contrast issues for some Linux users with
Dark mode set at OS level (bmo#1740518)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=948
* You can now move the Picture-in-Picture toggle button to the
opposite side of the video. Simply look for the new context menu
option Move Picture-in-Picture Toggle to Left (Right) Side.
* To better protect Firefox users against side-channel attacks such
as Spectre, Site Isolation is now enabled for all Firefox 95 users.
* https://www.mozilla.org/en-US/firefox/95.0/releasenotes
MFSA 2021-52 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* MOZ-2021-0010 (bmo#1735852)
Use-after-free in fullscreen objects on MacOS
* CVE-2021-43540 (bmo#1636629)
WebExtensions could have installed persistent ServiceWorkers
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43544 (bmo#1739934)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=947
* https://www.mozilla.org/en-US/firefox/94.0/releasenotes
MFSA 2021-48 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517)
iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156)
Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194)
Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750)
Firefox could be coaxed into going into fullscreen mode
without notification or warning
* CVE-2021-38507 (bmo#1730935)
Opportunistic Encryption in HTTP2 could be used to bypass the
Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0003 (bmo#1736886)
Universal XSS in Firefox for Android via QR Code URLs
* CVE-2021-38508 (bmo#1366818)
Permission Prompt could be overlaid, resulting in user
confusion and potential spoofing
* MOZ-2021-0004 (bmo#1659155)
Web Extensions could access pre-redirect URL when their
context menu was triggered by a user
* CVE-2021-38509 (bmo#1718571)
Javascript alert box could have been spoofed onto an
arbitrary domain
* CVE-2021-38510 (bmo#1731779)
Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0005 (bmo#1719203)
'Copy Image Link' context menu action could have been abused
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=942
* supports the new AVIF image format
* PDF viewer now supports filling more forms (XFA-based forms)
* now blocks downloads that rely on insecure connections,
protecting against potentially malicious or unsafe downloads
* Improved web compatibility for privacy protections with SmartBlock 3.0
* Introducing a new referrer tracking protection in Strict Tracking
Protection and Private Browsing
* TLS ciphersuites that use 3DES have been disabled. Such
ciphersuites can only be enabled when deprecated versions of
TLS are also enabled
* The download panel now follows the Firefox visual styles
MFSA 2021-43 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335)
Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621)
Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642)
Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813)
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321)
Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* CVE-2021-38499 (bmo#1667102, bmo#1723170, bmo#1725356, bmo#1727364)
Memory safety bugs fixed in Firefox 93
- removed obsolete mozilla-bmo1708709.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=936
* More secure connections: Firefox can now automatically upgrade to
HTTPS using HTTPS RR as Alt-Svc headers
* Full-range color levels are now supported for video playback on
many systems
MFSA 2021-38 (bsc#1190269)
* CVE-2021-29993 (bmo#1708544, bmo#1708767, bmo#1712240,
bmo#1712242, bmo#1729259)
Handling custom intents could lead to crashes and UI spoofs
* CVE-2021-38491 (bmo#1551886)
Mixed-Content-Blocking was unable to check opaque origins
* CVE-2021-38492 (bmo#1721107)
Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38493 (bmo#1723391, bmo#1724101, bmo#1724107)
Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and
Firefox ESR 91.1
* CVE-2021-38494 (bmo#1723920, bmo#1725638)
Memory safety bugs fixed in Firefox 92
- updated appdata
- remove mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
(does not apply anymore; unclear if obsolete)
- bring back mozilla-silence-no-return-type.patch and
run post-build-checks everywhere again
- requires NSS 3.69.1
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=934
MFSA 2021-28 (bsc#1188275)
* CVE-2021-29970 (bmo#1709976)
Use-after-free in accessibility features of a document
* CVE-2021-29971 (bmo#1713638)
Granted permissions only compared host; omitting scheme and
port on Android
* CVE-2021-30547 (bmo#1715766)
Out of bounds write in ANGLE
* CVE-2021-29972 (bmo#1696816)
Use of out-of-date library included use-after-free
vulnerability
* CVE-2021-29973 (bmo#1701932)
Password autofill on HTTP websites was enabled without user
interaction on Android
* CVE-2021-29974 (bmo#1704843)
HSTS errors could be overridden when network partitioning was
enabled
* CVE-2021-29975 (bmo#1713259)
Text message could be overlaid on top of another website
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
bmo#1711576, bmo#1714391)
Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316,
bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357,
bmo#1714066)
Memory safety bugs fixed in Firefox 90
- requires
NSPR 4.31
NSS 3.66
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=922
* New: PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features
* New: Print updates: Margin units are now localized
* New: Smooth pinch-zooming using a touchpad is now supported
on Linux
* New: To protect against cross-site privacy leaks, Firefox now
isolates window.name data to the website that created it.
Learn more
* Changed: Firefox will not prompt for access to your
microphone or camera if you’ve already granted access to the
same device on the same site in the same tab within the past
50 seconds. This new grace period reduces the number of times
you’re prompted to grant device access
* Changed: The ‘Take a Screenshot’ feature was removed from the
Page Actions menu in the url bar. To take a screenshot,
right-click to open the context menu. You can also add a
screenshots shortcut directly to your toolbar via the
Customize menu. Open the Firefox menu and select Customize…
* Changed: FTP support has been disabled, and its full removal
is planned for an upcoming release. Addressing this security
risk reduces the likelihood of an attack while also removing
support for a non-encrypted protocol
* Developer: Introduced a new toggle button in the Network
panel for switching between JSON formatted HTTP response and
raw data (as received over the wire).
!enter image description here
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. You can see
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=904
* requires NSS 3.62
* removed obsolete BigEndian ICU build workaround
* rebased patches
MFSA 2021-10 (bsc#1183942)
* CVE-2021-23981 (bmo#1692832)
Texture upload into an unbound backing buffer resulted in an
out-of-bound read
* CVE-2021-23982 (bmo#1677046)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2021-23983 (bmo#1692684)
Transitions for invalid ::marker properties resulted in memory
corruption
* CVE-2021-23984 (bmo#1693664)
Malicious extensions could have spoofed popup information
* CVE-2021-23985 (bmo#1659129)
Devtools remote debugging feature could have been enabled
without indication to the user
* CVE-2021-23986 (bmo#1692623)
A malicious extension could have performed credential-less
same origin policy violations
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
bmo#1690718)
Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
* CVE-2021-23988 (bmo#1684994, bmo#1686653)
Memory safety bugs fixed in Firefox 87
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=901
* requires NSS >= 3.61
* requires rust-cbindgen >= 0.16.0
* Firefox now supports simultaneously watching multiple videos in
Picture-in-Picture.
* Total Cookie Protection to Strict Mode
* https://www.mozilla.org/en-US/firefox/86.0/releasenotes
MSFA 2021-07 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23970 (bmo#1681724)
Multithreaded WASM triggered assertions validating separation
of script domains
* CVE-2021-23968 (bmo#1687342)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23974 (bmo#1528997, bmo#1683627)
noscript elements could have led to an HTML Sanitizer bypass
* CVE-2021-23971 (bmo#1678545)
A website's Referrer-Policy could have been be overridden,
potentially resulting in the full URL being sent as a Referrer
* CVE-2021-23976 (bmo#1684627)
Local spoofing of web manifests for arbitrary pages in
Firefox for Android
* CVE-2021-23977 (bmo#1684761)
Malicious application could read sensitive data from Firefox
for Android's application directories
* CVE-2021-23972 (bmo#1683536)
HTTP Auth phishing warning was omitted when a redirect is
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=895
* Adobe Flash is completely history
* supercookie protection
* new bookmark handling and features
MFSA 2021-03 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2021-23955 (bmo#1684837)
Clickjacking across tabs through misusing requestPointerLock
* CVE-2021-23956 (bmo#1338637)
File picker dialog could have been used to disclose a
complete directory
* CVE-2021-23957 (bmo#1584582)
Iframe sandbox could have been bypassed on Android via the
intent URL scheme
* CVE-2021-23958 (bmo#1642747)
Screen sharing permission leaked across tabs
* CVE-2021-23959 (bmo#1659035)
Cross-Site Scripting in error pages on Firefox for Android
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23962 (bmo#1677194)
Use-after-poison in
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=888
* Fixed problems loading secure websites and crashes for users
with certain third-party PKCS11 modules and smartcards installed
(bmo#1682881) (fixed in NSS 3.59.1)
* Fixed a bug causing some Unity JS games to not load on Apple
Silicon devices due to improper detection of the OS version
(bmo#1680516)
- requires NSS 3.59.1
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=882
* Firefox 84 is the final release to support Adobe Flash
* WebRender is enabled by default when run on GNOME-based X11
Linux desktops
MFSA 2020-54 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26972 (bmo#1671382)
Use-After-Free in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26975 (bmo#1661071)
Malicious applications on Android could have induced Firefox
for Android into sending arbitrary attacker-specified headers
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2020-26977 (bmo#1676311)
URL spoofing via unresponsive port in Firefox for Android
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-26979 (bmo#1641287, bmo#1673299)
When entering an address in the address or search bars, a
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=880
* major update for SpiderMonkey improving performance significantly
* optional HTTPS-Only mode
* more improvements
https://www.mozilla.org/en-US/firefox/83.0/releasenotes/
MFSA 2020-50 (bsc#1178824))
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-26952 (bmo#1667685)
Out of memory handling of JITed, inlined functions could lead
to a memory corruption
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security UI
* CVE-2020-26954 (bmo#1657026)
Local spoofing of web manifests for arbitrary pages in
Firefox for Android
* CVE-2020-26955 (bmo#1663261)
Cookies set during file downloads are shared between normal
and Private Browsing Mode in Firefox for Android
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26957 (bmo#1667179)
OneCRL was not working in Firefox for Android
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=871
MFSA 2020-45 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570)
Use-after-free in usersctp
* CVE-2020-15254 (bmo#1668514)
Undefined behavior in bounded channel of crossbeam rust crate
* CVE-2020-15680 (bmo#1658881)
Presence of external protocol handlers could be determined
through image tags
* CVE-2020-15681 (bmo#1666568)
Multiple WASM threads may have overwritten each others' stub
table entries
* CVE-2020-15682 (bmo#1636654)
The domain associated with the prompt to open an external
protocol could be spoofed to display the incorrect origin
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
bmo#1662760, bmo#1663439, bmo#1666140)
Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* CVE-2020-15684 (bmo#1653764, bmo#1661402, bmo#1662259,
bmo#1664257)
Memory safety bugs fixed in Firefox 82
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=864
* https://www.mozilla.org/en-US/firefox/81.0/releasenotes
MFSA 2020-42 (bsc#1176756)
* CVE-2020-15675 (bmo#1654211)
Use-After-Free in WebGL
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
* CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293)
Memory safety bugs fixed in Firefox 81
- requires
NSPR 4.28
NSS 3.56
- removed obsolete patches
* mozilla-system-nspr.patch
* mozilla-bmo1661715.patch
* mozilla-silence-no-return-type.patch
- skip post-build-checks for 15.0 and 15.1
- add revert-795c8762b16b.patch to fix LTO builds with gcc
(related to bmo#1644409)
- Use %limit_build macro again for aarch64 and armv7, instead of
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=858
MFSA 2020- (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-12401 (bmo#1631573)
Timing-attack on ECDSA signature generation
* CVE-2020-6829 (bmo#1631583)
P-384 and P-521 vulnerable to an electro-magnetic side
channel attack on signature generation
* CVE-2020-12400 (bmo#1623116)
P-384 and P-521 vulnerable to a side channel attack on
modular inversion
* CVE-2020-15665 (bmo#1651636)
Address bar not reset when choosing to stay on a page after
the beforeunload dialog is shown
* CVE-2020-15666 (bmo#1450853)
MediaError message property leaks cross-origin response
status
* CVE-2020-15667 (bmo#1653371)
Heap overflow when processing an update file
* CVE-2020-15668 (bmo#1651520)
Data Race when reading certificate information
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- requires
* NSPR 4.27
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=853
- do not use XINPUT2 for the moment until Plasma 5.19.3 has landed
(boo#1173993)
- rework langpack integration (boo#1173991)
* ship XPIs instead of directories
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
* Google API key is not usable for geolocation service
- Mozilla Firefox 78.0.2
* Fixed an accessibility regression in reader mode (bmo#1650922)
* Made the address bar more resilient to data corruption in the
user profile (bmo#1649981)
* Fixed a regression opening certain external applications (bmo#1650162)
MFSA 2020-28
* CVE pending (bmo#1644076)
X-Frame-Options bypass using object or embed tags
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=839
* Fixed an issue which could cause installed search engines to not
be visible when upgrading from a previous release.
- enable MOZ_USE_XINPUT2 for TW (boo#1173320)
* Protections Dashboard (about:protections)
* WebRTC not interrupted by screensaver anymore
* disabled TLS 1.0 and 1.1 by default
MFSA 2020-24 (bsc#1173576)
* CVE-2020-12415 (bmo#1586630)
AppCache manifest poisoning due to url encoded character processing
* CVE-2020-12416 (bmo#1639734)
Use-after-free in WebRTC VideoBroadcaster
* CVE-2020-12417 (bmo#1640737)
Memory corruption due to missing sign-extension for ValueTags
on ARM64
* CVE-2020-12418 (bmo#1641303)
Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874)
Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437)
Use-After-Free when trying to connect to a STUN server
* CVE-2020-12402 (bmo#1631597)
RSA Key Generation vulnerable to side-channel attack
* CVE-2020-12421 (bmo#1308251)
Add-On updates did not respect the same certificate trust
rules as software updates
* CVE-2020-12422 (bmo#1450353)
Integer overflow in nsJPEGEncoder::emptyOutputBuffer
* CVE-2020-12423 (bmo#1642400)
DLL Hijacking due to searching %PATH% for a library
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=835
* startup notifications now using Gtk instead of libnotify
* PDF downloads now show an option to open the PDF directly in Firefox
- requires
* NSS >= 3.53.1
* nodejs >= 10.21
* Gtk+3 >= 3.14
- removed obsolete patch
* mozilla-s390-bigendian.patch
- Add mozilla-pipewire-0-3.patch for openSUSE >= 15.2 to build
WebRTC with pipewire support to enable screen sharing under
Wayland; also add BuildRequires: pkgconfig(libpipewire-0.3)
appropriately (boo#1172903).
- adding SLE12 compatibility in spec file
- add patches for s390x
* mozilla-bmo1602730.patch (bmo#1602730)
* mozilla-bmo1626236.patch (bmo#1626236)
* mozilla-bmo998749.patch (bmo#998749)
* mozilla-s390x-skia-gradient.patch
- update create-tar.sh
- Use same _constraints for ppc64 (BE) as ppc64le to avoid oom build failure
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=834
* https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
MFSA 2020-08 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections against
state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6808 (bmo#1247968)
URL Spoofing via javascript: URL
* CVE-2020-6809 (bmo#1420296)
Web Extensions with the all-urls permission could access local
files
* CVE-2020-6810 (bmo#1432856)
Focusing a popup while in fullscreen could have obscured the
fullscreen notification
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6813 (bmo#1605814)
@import statements in CSS could bypass the Content Security
Policy nonce feature
* CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636,
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=809
* Resolved problems connecting to the RBC Royal Bank website
(bmo#1613943)
* Fixed Firefox unexpectedly exiting when leaving Print Preview mode
(bmo#1611133)
* Fixed crashes when playing encrypted content on some Linux systems
(bmo#1614535)
- start in wayland mode when running under wayland session
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=804
* Added support for setting a default zoom level applicable for all
web content
* High-contrast mode has been updated to allow background images
* Improved audio quality when playing back audio at a faster or
slower speed
* Added NextDNS as alternative option for DNS over HTTPS
MFSA 2020-05 (bsc#1163368)
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent process
* CVE-2020-6797 (bmo#1596668) (MacOS X only)
Extensions granted downloads.open permission could open arbitrary
applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6799 (bmo#1606596) (Windows only)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf reader
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
bmo#1608580,bmo#1608785,bmo#1605777)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* CVE-2020-6801 (bmo#1601024,bmo#1601712,bmo#1604836,bmo#1606492)
Memory safety bugs fixed in Firefox 73
- updated requirements
* rust >= 1.39
* NSS >= 3.49.2
* rust-cbindgen >= 0.12.0
- rebased patches
- removed obsolete patch
* mozilla-bmo1601707.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=802
* Various stability fixes
* Fixed issues opening files with spaces in their path (bmo#1601905)
* Fixed a hang opening about:logins when a master password is set
(bmo#1606992)
* Fixed a web compatibility issue with CSS Shadow Parts which
shipped in Firefox 72 (bmo#1604989)
* Fixed inconsistent playback performance for fullscreen 1080p
videos on some systems (bmo#1608485)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=798
- Mozilla Firefox 72.0
* block fingerprinting scripts by default
* new notification pop-ups
* Picture-in-picture video
MFSA 2020-01
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17020 (bmo#1597645)
Content Security Policy not applied to XSL stylesheets applied
to XML documents
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17023 (bmo#1590001) (fixed in NSS FIXME)
NSS may negotiate TLS 1.2 or below after a TLS 1.3
HelloRetryRequest had been sent
* CVE-2019-17024 (bmo#1507180,bmo#1595470,bmo#1598605,bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
* CVE-2019-17025 (bmo#1328295,bmo#1328300,bmo#1590447,bmo#1590965
bmo#1595692,bmo#1597321,bmo#1597481)
Memory safety bugs fixed in Firefox 72
- update create-tar.sh to skip compare-locales
- requires NSPR 4.24 and NSS 3.48
- removed usage of browser-plugins convention for NPAPI plugins
from start wrapper and changed the RPM macro to the
/usr/$LIB/mozilla/plugins location (boo#1160302)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=793
* Improvements to Lockwise, our integrated password manager
* More information about Enhanced Tracking Protection in action
* Native MP3 decoding on Windows, Linux, and macOS
* Configuration page (about:config) reimplemented in HTML
* New kiosk mode functionality, which allows maximum screen space
for customer-facing displays
MFSA 2019-36
* CVE-2019-11756 (bmo#1508776)
Use-after-free of SFTKSession object
* CVE-2019-17008 (bmo#1546331)
Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156) (Windows only)
Stack corruption due to incorrect number of arguments in WebRTC code
* CVE-2019-17014 (bmo#1322864)
Dragging and dropping a cross-origin resource, incorrectly loaded
as an image, could result in information disclosure
* CVE-2019-17010 (bmo#1581084)
Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170)
Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334)
Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209
bmo#1580288, bmo#1585760, bmo#1592502)
Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* CVE-2019-17013 (bmo#1298509, bmo#1472328, bmo#1577439, bmo#1577937
bmo#1580320, bmo#1584195, bmo#1585106, bmo#1586293, bmo#1593865
bmo#1594181)
Memory safety bugs fixed in Firefox 71
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=789
