- Mozilla Firefox 68.0.1
* Fixed missing Full Screen button when watching videos in full
screen mode on HBO GO (bmo#1562837)
* Fixed a bug causing incorrect messages to appear for some
locales when sites try to request the use of the Storage
Access API (bmo#1558503)
* Users in Russian regions may have their default search engine
changed (bmo#1565315)
* Built-in search engines in some locales do not function
correctly (bmo#1565779)
* SupportMenu policy doesn't always work (bmo#1553290)
* Allow the privacy.file_unique_origin pref to be controlled by
policy (bmo#1563759)
- add fix-build-after-y2038-changes-in-glibc.patch
- Generate langpacks sequentially to avoid file corruption
from racy file writes (boo#1137970)
- Mozilla Firefox 68.0
* Dark mode in reader view
* Improved extension security and discovery
* Cryptomining and fingerprinting protections are added to strict
content blocking settings in Privacy & Security preferences
* Camera and microphone access now require an HTTPS connection
MFSA 2019-21 (bsc#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
OBS-URL: https://build.opensuse.org/request/show/717184
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=291
* Fixed missing Full Screen button when watching videos in full
screen mode on HBO GO (bmo#1562837)
* Fixed a bug causing incorrect messages to appear for some
locales when sites try to request the use of the Storage
Access API (bmo#1558503)
* Users in Russian regions may have their default search engine
changed (bmo#1565315)
* Built-in search engines in some locales do not function
correctly (bmo#1565779)
* SupportMenu policy doesn't always work (bmo#1553290)
* Allow the privacy.file_unique_origin pref to be controlled by
policy (bmo#1563759)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=753
* Dark mode in reader view
* Improved extension security and discovery
* Cryptomining and fingerprinting protections are added to strict
content blocking settings in Privacy & Security preferences
* Camera and microphone access now require an HTTPS connection
MFSA 2019-21 (bsc#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11714 (bmo#1542593)
NeckoChild can trigger crash when accessed off of main thread
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11716 (bmo#1552632)
globalThis not enumerable until accessed
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11718 (bmo#1408349)
Activity Stream writes unsanitized content to innerHTML
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=748
- Mozilla Firefox 67.0.4
MFSA 2019-19 (boo#1138872)
* CVE-2019-11708 (bmo#1559858)
sandbox escape using Prompt:Open
- Mozilla Firefox 67.0.3
MFSA 2019-18 (boo#1138614)
* CVE-2019-11707 (bmo#1544386)
Type confusion in Array.pop
- Mozilla Firefox 67.0.2
* Fixed: Fix JavaScript error ("TypeError: data is null in
PrivacyFilter.jsm") in console which may significantly degrade
sessionstore reliability and performance (bmo#1553413)
* Fixed: Proxy authentication dialog box repeatedly pops up
asking to authenticate after upgrading to Firefox 67 (bmo#1548804)
* Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's
implementation (bmo#1551282)
* Fixed: Starting in safe mode on Linux or macOS causes Firefox
to think on the subsequent launch that the profile is too
recent to be used with this version of Firefox (bmo#1556612)
* Fixed: Linux distribution users can't easily install/use
additional/different languages using the built-in preferences
UI (bmo#1554744)
* Fixed: Developer tools users can't copy the href/src content
from various HTML tags via the context menu in the Inspector
markup view (bmo#1552275)
* Fixed: Custom home page is broken with clearing data on shutdown
settings applied (bmo#1554167)
* Fixed: Performance-regression for eclipse RAP based applications
OBS-URL: https://build.opensuse.org/request/show/711215
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=290
* Fixed: Fix JavaScript error ("TypeError: data is null in
PrivacyFilter.jsm") in console which may significantly degrade
sessionstore reliability and performance (bmo#1553413)
* Fixed: Proxy authentication dialog box repeatedly pops up
asking to authenticate after upgrading to Firefox 67 (bmo#1548804)
* Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's
implementation (bmo#1551282)
* Fixed: Starting in safe mode on Linux or macOS causes Firefox
to think on the subsequent launch that the profile is too
recent to be used with this version of Firefox (bmo#1556612)
* Fixed: Linux distribution users can't easily install/use
additional/different languages using the built-in preferences
UI (bmo#1554744)
* Fixed: Developer tools users can't copy the href/src content
from various HTML tags via the context menu in the Inspector
markup view (bmo#1552275)
* Fixed: Custom home page is broken with clearing data on shutdown
settings applied (bmo#1554167)
* Fixed: Performance-regression for eclipse RAP based applications
(bmo#1555962)
* Fixed: macOS 10.15 crash fix (bmo#1556076)
* Fixed: Can't start two downloads in parallel via <a download>
anymore (bmo#1542912)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=741
fixed a missing syntax error (missing closing bracket); no extra changelog addition since it's not yet accepted afaik
- Mozilla Firefox 67.0
* Firefox 67 will be able to run different Firefox installs side by side
https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/
* Tabs can now be pinned from the Page Actions menu in the address bar
* Users can block known cryptominers and fingerprinters in the
Custom settings or their Content Blocking preferences
* The Import Data from Another Browser feature is now also available
from the File menu
* Firefox will now protect you against running older versions which
can lead to data corruption and stability issues
* Easier access to your list of saved logins from the main menu and
login autocomplete
* We’ve added a toolbar menu for your Firefox Account to provide more
transparency for when you are synced, sharing data across devices
and with Firefox. Personalize the appearance of the menu with your
own avatar
* Enable FIDO U2F API, and permit registrations for Google Accounts
* Enabled AV1 support on Linux
MFSA 2019-13 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
OBS-URL: https://build.opensuse.org/request/show/705211
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=289
* Firefox 67 will be able to run different Firefox installs side by side
https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/
* Tabs can now be pinned from the Page Actions menu in the address bar
* Users can block known cryptominers and fingerprinters in the
Custom settings or their Content Blocking preferences
* The Import Data from Another Browser feature is now also available
from the File menu
* Firefox will now protect you against running older versions which
can lead to data corruption and stability issues
* Easier access to your list of saved logins from the main menu and
login autocomplete
* We’ve added a toolbar menu for your Firefox Account to provide more
transparency for when you are synced, sharing data across devices
and with Firefox. Personalize the appearance of the menu with your
own avatar
* Enable FIDO U2F API, and permit registrations for Google Accounts
* Enabled AV1 support on Linux
MFSA 2019-13
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=736
* Fixed: Address bar on tablets running Windows 10 now behaves
correctly (bmo#1498973)
* Fixed: Performance issues with some HTML5 games (bmo#1537609)
* Fixed a bug with keypress events in IBM cloud applications
(bmo#1538970)
* Fix for keypress events in some Microsoft cloud applications
(bmo#1539618)
* Changed: Updated Baidu search plugin
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=730
- Mozilla Firefox 66.0.2
* Fixed Web compatibility issues with Office 365, iCloud and
IBM WebMail caused by recent changes to the handling of
keyboard events (bmo#1538966)
* Crash fixes (bmo#1521370, bmo#1539118)
- Add patch to fix aarch64 build:
* mozilla-fix-aarch64-libopus.patch (bmo#1539737)
- Mozilla Firefox 66.0.1
MFSA 2019-09 (bsc#1130262)
* CVE-2019-9810 (bmo#1537924)
IonMonkey MArraySlice has incorrect alias information
* CVE-2019-9813 (bmo#1538006)
Ionmonkey type confusion with __proto__ mutations
OBS-URL: https://build.opensuse.org/request/show/690057
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=285
* CVE-2019-9790 (bmo#1525145)
Use-after-free when removing in-use DOM elements
* CVE-2019-9791 (bmo#1530958)
Type inference is incorrect for constructors entered through on-stack
replacement with IonMonkey
* CVE-2019-9792 (bmo#1532599)
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
* CVE-2019-9793 (bmo#1528829)
Improper bounds checks when Spectre mitigations are disabled
* CVE-2019-9794 (bmo#1530103) (Windows only)
Command line arguments not discarded during execution
* CVE-2019-9795 (bmo#1514682)
Type-confusion in IonMonkey JIT compiler
* CVE-2019-9796 (bmo#1531277)
Use-after-free with SMIL animation controller
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2019-9798 (bmo#1527534) (Android only)
Library is loaded from world writable APITRACE_LIB location
* CVE-2019-9799 (bmo#1505678)
Information disclosure via IPC channel messages
* CVE-2019-9801 (bmo#1527717) (Windows only)
Windows programs that are not 'URL Handlers' are exposed to web content
* CVE-2019-9802 (bmo#1415508)
Chrome process information leak
* CVE-2019-9803 (bmo#1515863, bmo#1437009)
Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation
* CVE-2019-9804 (bmo#1518026) (MacOS only)
Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=726
- Mozilla Firefox 66.0
* Increased content processes to 8
* Added capability to search through open tabs from the tab overflow menu
* New backend for the storage.local WebExtensions API, providing
I/O performance improvements when the extension updates a small
subset of the stored data
* WebExtension keyboard shortcuts can now be managed or overridden
from about:addons
* Improved scrolling behavior: Firefox will now attempt to keep content
from jumping around while a page is loading by supporting scroll
anchoring
* New about:privatebrowsing with search
* A certificate error page now notifies the user of the name of the
certificate issuer that breaks HTTPs connections on intercepted
connections to help troubleshooting possible anti-virus software
issues.
* Fixed an performance issue some Linux users experienced with the
Downloads panel (bmo#1517101)
* Firefox now blocks all autoplay media with sound by default. Users
can add individual sites to an exceptions list or turn the blocking
off.
* System title bar is hidden by default to match Gnome guideline
MFSA 2019-07 (bsc#1129821)
* CVE-2019-9790 (bmo#1525145)
Use-after-free when removing in-use DOM elements
* CVE-2019-9791 (bmo#1530958)
Type inference is incorrect for constructors entered through on-stack
replacement with IonMonkey
* CVE-2019-9792 (bmo#1532599)
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
OBS-URL: https://build.opensuse.org/request/show/686793
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=284
* Increased content processes to 8
* Added capability to search through open tabs from the tab overflow menu
* New backend for the storage.local WebExtensions API, providing
I/O performance improvements when the extension updates a small
subset of the stored data
* WebExtension keyboard shortcuts can now be managed or overridden
from about:addons
* Improved scrolling behavior: Firefox will now attempt to keep content
from jumping around while a page is loading by supporting scroll
anchoring
* New about:privatebrowsing with search
* A certificate error page now notifies the user of the name of the
certificate issuer that breaks HTTPs connections on intercepted
connections to help troubleshooting possible anti-virus software
issues.
* Fixed an performance issue some Linux users experienced with the
Downloads panel (bmo#1517101)
* Firefox now blocks all autoplay media with sound by default. Users
can add individual sites to an exceptions list or turn the blocking
off.
* System title bar is hidden by default to match Gnome guideline
MFSA 2019-07 (bsc#1129821)
* CVE-2019-9790 (bmo#1525145)
Use-after-free when removing in-use DOM elements
* CVE-2019-9791 (bmo#1530958)
Type inference is incorrect for constructors entered through on-stack
replacement with IonMonkey
* CVE-2019-9792 (bmo#1532599)
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=723
* Fixed accidental requests to addons.mozilla.org when an addon
recommendation doorhanger is shown (bmo#1526387)
* Improved playback of interactive Netflix videos (bmo#1524500)
* Fixed incorrect sizing of the "Clear Recent History" window in
some situations (bmo#1523696)
* Fixed audio & video delays while making WebRTC calls
(bmo#1521577, bmo#1523817)
* Fixed video sizing problems during some WebRTC calls (bmo#1520200)
* Fixed looping CONNECT requests when using WebSockets over HTTP/2
from behind a proxy server (bmo#1523427)
* Fixed the "Enter" key not working on password entry fields for
certain Linux distributions (bmo#1523635)
MFSA 2019-04
* CVE-2018-18356 bmo#1525817
Use-after-free in Skia
* CVE-2019-5785 bmo#1525433
Integer overflow in Skia
* CVE-2018-18511 bmo#1526218
Cross-origin theft of images with ImageBitmapRenderingContext
- Enable LTO only for latest new toolchain (boo#1125038) for x86_64
(with increased memory constraints)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=717
Hope that the i586 build issue is fixed. It worked in my OBS project but not sure if it occasionally still could fail.
- Mozilla Firefox 65.0
* Enhanced tracking protection
* allow switching of UI locales within preferences
* support for the WebP image format
* "top"-like about:performance
MFSA 2019-01 (bsc#1122983)
* CVE-2018-18500 bmo#1510114
Use-after-free parsing HTML5 stream
* CVE-2018-18503 bmo#1509442
Memory corruption with Audio Buffer
* CVE-2018-18504 bmo#1496413
Memory corruption and out-of-bounds read of texture client
* CVE-2018-18505 bmo#1497749
Privilege escalation through IPC channel messages
* CVE-2018-18506 bmo#1503393
Proxy Auto-Configuration file can define localhost access to be proxied
* CVE-2018-18502 bmo#1499426 bmo#1480090 bmo#1472990 bmo#1514762
bmo#1501482 bmo#1505887 bmo#1508102 bmo#1508618 bmo#1511580
bmo#1493497 bmo#1510145 bmo#1516289 bmo#1506798 bmo#1512758
Memory safety bugs fixed in Firefox 65
* CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
bmo#1502871 bmo#1516738 bmo#1516514
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
- requires
NSS 3.41
rust/carge 1.30
rust-cbindgen 0.6.7
- rebased patches
- remove workaround for build memory consumption on i586; other
mitigations meanwhile introduced (mainly parallelity) will be
OBS-URL: https://build.opensuse.org/request/show/670835
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=281
