1
0
Commit Graph

7 Commits

Author SHA256 Message Date
Wolfgang Rosenauer
4da575923b - Mozilla Firefox 91.0
MFSA 2021-?? (boo#1188891)
- requires
  * rustc/cargo >= 1.51
  * NSPR >= 4.32
  * NSS >= 3.68
- force-disable webrender on BE platforms

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=926
2021-08-11 20:19:19 +00:00
Wolfgang Rosenauer
1ef79265b6 - Mozilla Firefox 90.0
MFSA 2021-28 (bsc#1188275)
  * CVE-2021-29970 (bmo#1709976)
    Use-after-free in accessibility features of a document
  * CVE-2021-29971 (bmo#1713638)
    Granted permissions only compared host; omitting scheme and
    port on Android
  * CVE-2021-30547 (bmo#1715766)
    Out of bounds write in ANGLE
  * CVE-2021-29972 (bmo#1696816)
    Use of out-of-date library included use-after-free
    vulnerability
  * CVE-2021-29973 (bmo#1701932)
    Password autofill on HTTP websites was enabled without user
    interaction on Android
  * CVE-2021-29974 (bmo#1704843)
    HSTS errors could be overridden when network partitioning was
    enabled
  * CVE-2021-29975 (bmo#1713259)
    Text message could be overlaid on top of another website
  * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
    bmo#1711576, bmo#1714391)
    Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
  * CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316,
    bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357,
    bmo#1714066)
    Memory safety bugs fixed in Firefox 90
- requires
  NSPR 4.31
  NSS 3.66

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=922
2021-07-15 21:12:05 +00:00
Wolfgang Rosenauer
ee9c609811 - Mozilla Firefox 85.0
* Adobe Flash is completely history
  * supercookie protection
  * new bookmark handling and features
  MFSA 2021-03 (bsc#1181414)
  * CVE-2021-23953 (bmo#1683940)
    Cross-origin information leakage via redirected PDF requests
  * CVE-2021-23954 (bmo#1684020)
    Type confusion when using logical assignment operators in
    JavaScript switch statements
  * CVE-2021-23955 (bmo#1684837)
    Clickjacking across tabs through misusing requestPointerLock
  * CVE-2021-23956 (bmo#1338637)
    File picker dialog could have been used to disclose a
    complete directory
  * CVE-2021-23957 (bmo#1584582)
    Iframe sandbox could have been bypassed on Android via the
    intent URL scheme
  * CVE-2021-23958 (bmo#1642747)
    Screen sharing permission leaked across tabs
  * CVE-2021-23959 (bmo#1659035)
    Cross-Site Scripting in error pages on Firefox for Android
  * CVE-2021-23960 (bmo#1675755)
    Use-after-poison for incorrectly redeclared JavaScript
    variables during GC
  * CVE-2021-23961 (bmo#1677940)
    More internal network hosts could have been probed by a
    malicious webpage
  * CVE-2021-23962 (bmo#1677194)
    Use-after-poison in

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=888
2021-01-26 21:38:39 +00:00
Wolfgang Rosenauer
70fb53e62e - Mozilla Firefox 84.0
* Firefox 84 is the final release to support Adobe Flash
  * WebRender is enabled by default when run on GNOME-based X11
    Linux desktops
  MFSA 2020-54 (bsc#1180039))
  * CVE-2020-16042 (bmo#1679003)
    Operations on a BigInt could have caused uninitialized memory
    to be exposed
  * CVE-2020-26971 (bmo#1663466)
    Heap buffer overflow in WebGL
  * CVE-2020-26972 (bmo#1671382)
    Use-After-Free in WebGL
  * CVE-2020-26973 (bmo#1680084)
    CSS Sanitizer performed incorrect sanitization
  * CVE-2020-26974 (bmo#1681022)
    Incorrect cast of StyleGenericFlexBasis resulted in a heap
    use-after-free
  * CVE-2020-26975 (bmo#1661071)
    Malicious applications on Android could have induced Firefox
    for Android into sending arbitrary attacker-specified headers
  * CVE-2020-26976 (bmo#1674343)
    HTTPS pages could have been intercepted by a registered
    service worker when they should not have been
  * CVE-2020-26977 (bmo#1676311)
    URL spoofing via unresponsive port in Firefox for Android
  * CVE-2020-26978 (bmo#1677047)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2020-26979 (bmo#1641287, bmo#1673299)
    When entering an address in the address or search bars, a

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=880
2020-12-16 22:40:17 +00:00
Wolfgang Rosenauer
a9628fa6ae - Mozilla Firefox 74.0
* https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
  MFSA 2020-08 (bsc#1166238)
  * CVE-2020-6805 (bmo#1610880)
    Use-after-free when removing data about origins
  * CVE-2020-6806 (bmo#1612308)
    BodyStream::OnInputStreamReady was missing protections against
    state confusion
  * CVE-2020-6807 (bmo#1614971)
    Use-after-free in cubeb during stream destruction
  * CVE-2020-6808 (bmo#1247968)
    URL Spoofing via javascript: URL
  * CVE-2020-6809 (bmo#1420296)
    Web Extensions with the all-urls permission could access local
    files
  * CVE-2020-6810 (bmo#1432856)
    Focusing a popup while in fullscreen could have obscured the
    fullscreen notification
  * CVE-2020-6811 (bmo#1607742)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2019-20503 (bmo#1613765)
    Out of bounds reads in sctp_load_addresses_from_init
  * CVE-2020-6812 (bmo#1616661)
    The names of AirPods with personally identifiable information
    were exposed to websites with camera or microphone permission
  * CVE-2020-6813 (bmo#1605814)
    @import statements in CSS could bypass the Content Security
    Policy nonce feature
  * CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636,

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=809
2020-03-12 19:14:24 +00:00
Wolfgang Rosenauer
9b8d4398e7 - Mozilla Firefox 70.0
* more privacy protections from Enhanced Tracking Protection
  * Firefox Lockwise passwordmanager
  * Improvements to core engine components, for better browsing on more sites
  * Improved privacy and security indicators
  MFSA 2019-34
  * CVE-2018-6156 (bmo#1480088)
    Heap buffer overflow in FEC processing in WebRTC
  * CVE-2019-15903 (bmo#1584907)
    Heap overflow in expat library in XML_GetCurrentLineNumber
  * CVE-2019-11757 (bmo#1577107)
    Use-after-free when creating index updates in IndexedDB
  * CVE-2019-11759 (bmo#1577953)
    Stack buffer overflow in HKDF output
  * CVE-2019-11760 (bmo#1577719)
    Stack buffer overflow in WebRTC networking
  * CVE-2019-11761 (bmo#1561502)
    Unintended access to a privileged JSONView object
  * CVE-2019-11762 (bmo#1582857)
    document.domain-based origin isolation has same-origin-property violation
  * CVE-2019-11763 (bmo#1584216)
    Incorrect HTML parsing results in XSS bypass technique
  * CVE-2019-11765 (bmo#1562582)
    Incorrect permissions could be granted to a website
  * CVE-2019-17000 (bmo#1441468)
    CSP bypass using object tag with data: URI
  * CVE-2019-17001 (bmo#1587976)
    CSP bypass using object tag when script-src 'none' is specified
  * CVE-2019-17002 (bmo#1561056)
    upgrade-insecure-requests was not being honored for links dragged and dropped

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=786
2019-10-25 09:13:30 +00:00
Wolfgang Rosenauer
c4b62217a3 - Mozilla Firefox 68.0
* Dark mode in reader view
  * Improved extension security and discovery
  * Cryptomining and fingerprinting protections are added to strict
    content blocking settings in Privacy & Security preferences
  * Camera and microphone access now require an HTTPS connection
  MFSA 2019-21 (bsc#1140868)
  * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
    Sandbox escape via installation of malicious languagepack
  * CVE-2019-11711 (bmo#1552541)
    Script injection within domain through inner window reuse
  * CVE-2019-11712 (bmo#1543804)
    Cross-origin POST requests can be made with NPAPI plugins by
    following 308 redirects
  * CVE-2019-11713 (bmo#1528481)
    Use-after-free with HTTP/2 cached stream
  * CVE-2019-11714 (bmo#1542593)
    NeckoChild can trigger crash when accessed off of main thread
  * CVE-2019-11729 (bmo#1515342)
    Empty or malformed p256-ECDH public keys may trigger a segmentation fault
  * CVE-2019-11715 (bmo#1555523)
    HTML parsing error can contribute to content XSS
  * CVE-2019-11716 (bmo#1552632)
    globalThis not enumerable until accessed
  * CVE-2019-11717 (bmo#1548306)
    Caret character improperly escaped in origins
  * CVE-2019-11718 (bmo#1408349)
    Activity Stream writes unsanitized content to innerHTML
  * CVE-2019-11719 (bmo#1540541)
    Out-of-bounds read when importing curve25519 private key

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=748
2019-07-09 21:21:11 +00:00