* Dark mode in reader view
* Improved extension security and discovery
* Cryptomining and fingerprinting protections are added to strict
content blocking settings in Privacy & Security preferences
* Camera and microphone access now require an HTTPS connection
MFSA 2019-21 (bsc#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11714 (bmo#1542593)
NeckoChild can trigger crash when accessed off of main thread
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11716 (bmo#1552632)
globalThis not enumerable until accessed
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11718 (bmo#1408349)
Activity Stream writes unsanitized content to innerHTML
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=748
* Fixed: Fix JavaScript error ("TypeError: data is null in
PrivacyFilter.jsm") in console which may significantly degrade
sessionstore reliability and performance (bmo#1553413)
* Fixed: Proxy authentication dialog box repeatedly pops up
asking to authenticate after upgrading to Firefox 67 (bmo#1548804)
* Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's
implementation (bmo#1551282)
* Fixed: Starting in safe mode on Linux or macOS causes Firefox
to think on the subsequent launch that the profile is too
recent to be used with this version of Firefox (bmo#1556612)
* Fixed: Linux distribution users can't easily install/use
additional/different languages using the built-in preferences
UI (bmo#1554744)
* Fixed: Developer tools users can't copy the href/src content
from various HTML tags via the context menu in the Inspector
markup view (bmo#1552275)
* Fixed: Custom home page is broken with clearing data on shutdown
settings applied (bmo#1554167)
* Fixed: Performance-regression for eclipse RAP based applications
(bmo#1555962)
* Fixed: macOS 10.15 crash fix (bmo#1556076)
* Fixed: Can't start two downloads in parallel via <a download>
anymore (bmo#1542912)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=741
* Firefox 67 will be able to run different Firefox installs side by side
https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/
* Tabs can now be pinned from the Page Actions menu in the address bar
* Users can block known cryptominers and fingerprinters in the
Custom settings or their Content Blocking preferences
* The Import Data from Another Browser feature is now also available
from the File menu
* Firefox will now protect you against running older versions which
can lead to data corruption and stability issues
* Easier access to your list of saved logins from the main menu and
login autocomplete
* We’ve added a toolbar menu for your Firefox Account to provide more
transparency for when you are synced, sharing data across devices
and with Firefox. Personalize the appearance of the menu with your
own avatar
* Enable FIDO U2F API, and permit registrations for Google Accounts
* Enabled AV1 support on Linux
MFSA 2019-13
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=736
* Fixed: Address bar on tablets running Windows 10 now behaves
correctly (bmo#1498973)
* Fixed: Performance issues with some HTML5 games (bmo#1537609)
* Fixed a bug with keypress events in IBM cloud applications
(bmo#1538970)
* Fix for keypress events in some Microsoft cloud applications
(bmo#1539618)
* Changed: Updated Baidu search plugin
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=730
* CVE-2019-9790 (bmo#1525145)
Use-after-free when removing in-use DOM elements
* CVE-2019-9791 (bmo#1530958)
Type inference is incorrect for constructors entered through on-stack
replacement with IonMonkey
* CVE-2019-9792 (bmo#1532599)
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
* CVE-2019-9793 (bmo#1528829)
Improper bounds checks when Spectre mitigations are disabled
* CVE-2019-9794 (bmo#1530103) (Windows only)
Command line arguments not discarded during execution
* CVE-2019-9795 (bmo#1514682)
Type-confusion in IonMonkey JIT compiler
* CVE-2019-9796 (bmo#1531277)
Use-after-free with SMIL animation controller
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2019-9798 (bmo#1527534) (Android only)
Library is loaded from world writable APITRACE_LIB location
* CVE-2019-9799 (bmo#1505678)
Information disclosure via IPC channel messages
* CVE-2019-9801 (bmo#1527717) (Windows only)
Windows programs that are not 'URL Handlers' are exposed to web content
* CVE-2019-9802 (bmo#1415508)
Chrome process information leak
* CVE-2019-9803 (bmo#1515863, bmo#1437009)
Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation
* CVE-2019-9804 (bmo#1518026) (MacOS only)
Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=726
* Increased content processes to 8
* Added capability to search through open tabs from the tab overflow menu
* New backend for the storage.local WebExtensions API, providing
I/O performance improvements when the extension updates a small
subset of the stored data
* WebExtension keyboard shortcuts can now be managed or overridden
from about:addons
* Improved scrolling behavior: Firefox will now attempt to keep content
from jumping around while a page is loading by supporting scroll
anchoring
* New about:privatebrowsing with search
* A certificate error page now notifies the user of the name of the
certificate issuer that breaks HTTPs connections on intercepted
connections to help troubleshooting possible anti-virus software
issues.
* Fixed an performance issue some Linux users experienced with the
Downloads panel (bmo#1517101)
* Firefox now blocks all autoplay media with sound by default. Users
can add individual sites to an exceptions list or turn the blocking
off.
* System title bar is hidden by default to match Gnome guideline
MFSA 2019-07 (bsc#1129821)
* CVE-2019-9790 (bmo#1525145)
Use-after-free when removing in-use DOM elements
* CVE-2019-9791 (bmo#1530958)
Type inference is incorrect for constructors entered through on-stack
replacement with IonMonkey
* CVE-2019-9792 (bmo#1532599)
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=723
* Fixed accidental requests to addons.mozilla.org when an addon
recommendation doorhanger is shown (bmo#1526387)
* Improved playback of interactive Netflix videos (bmo#1524500)
* Fixed incorrect sizing of the "Clear Recent History" window in
some situations (bmo#1523696)
* Fixed audio & video delays while making WebRTC calls
(bmo#1521577, bmo#1523817)
* Fixed video sizing problems during some WebRTC calls (bmo#1520200)
* Fixed looping CONNECT requests when using WebSockets over HTTP/2
from behind a proxy server (bmo#1523427)
* Fixed the "Enter" key not working on password entry fields for
certain Linux distributions (bmo#1523635)
MFSA 2019-04
* CVE-2018-18356 bmo#1525817
Use-after-free in Skia
* CVE-2019-5785 bmo#1525433
Integer overflow in Skia
* CVE-2018-18511 bmo#1526218
Cross-origin theft of images with ImageBitmapRenderingContext
- Enable LTO only for latest new toolchain (boo#1125038) for x86_64
(with increased memory constraints)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=717
* Better recommendations: You may see suggestions in regular browsing
mode for new and relevant Firefox features, services, and extensions
based on how you use the web (for US users only)
* Enhanced tab management: You can now select multiple tabs from the
tab bar and close, move, bookmark, or pin them quickly and easily
* Easier performance management: The new Task Manager page found at
about:performance lets you see how much energy each open tab consumes
and provides access to close tabs to conserve power
* Improved performance for Mac and Linux users, by enabling link time
optimization (Clang LTO).
* Added option to remove add-ons using the context menu on their
toolbar buttons
* RSS feed preview and live bookmarks are available only via add-ons
* TLS certificates issued by Symantec are no longer trusted by Firefox.
Website operators are strongly encouraged to replace any remaining
Symantec TLS certificates as soon as possible
MFSA 2018-29 (bsc#1119105)
* CVE-2018-12407 bmo#1505973
Buffer overflow with ANGLE library when using VertexBuffer11 module
* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11
* CVE-2018-18492 bmo#1499861
Use-after-free with select element
* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=699
* Games using WebGL (created in Unity) get stuck after very short
time of gameplay (bmo#1502748)
* Slow page loading for some users with specific proxy configurations
(bmo#1495024)
* Disable HTTP response throttling by default for causing bugs with
videos in background tabs (bmo#1503354)
* Opening magnet links no longer works (bmo#1498934)
* Crash fixes (bmo#1498510, bmo#1503424)
- removed mozilla-newer-cbindgen.patch; no longer needed
- requires rust-cbindgen >= 0.6.2 to build
- requires nodejs >= 8.11 to build
- added mozilla-newer-cbindgen.patch to fix build with cbindgen 0.6.7
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=694
* Snippets are not loaded due to missing element (bmo#1503047)
* Print preview always shows 30& scale when it is actually
Shrink To Fit (bmo#1501952)
* Dialog displayed when closing multiple windows shows unreplaced
%1$S placeholder in Japanese and potentially other locales
(bmo#1500823)
MFSA 2018-26 (bsc#1112852)
* CVE-2018-12391 (bmo#1478843) (Android-only)
HTTP Live Stream audio data is accessible cross-origin
* CVE-2018-12392 (bmo#1492823)
Crash with nested event loops
* CVE-2018-12393 (bmo#1495011) (only affects non-64-bit archs)
Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12395 (bmo#1467523)
WebExtension bypass of domain restrictions through header rewriting
* CVE-2018-12396 (bmo#1483602)
WebExtension content scripts can execute in disallowed contexts
* CVE-2018-12397 (bmo#1487478)
Missing warning prompt when WebExtension requests local file access
* CVE-2018-12398 (bmo#1460538, bmo#1488061)
CSP bypass through stylesheet injection in resource URIs
* CVE-2018-12399 (bmo#1490276)
Spoofing of protocol registration notification bar
* CVE-2018-12400 (bmo#1448305) (Android only)
Favicons are cached in private browsing mode on Firefox for Android
* CVE-2018-12401 (bmo#1422456)
DOS attack through special resource URI parsing
* CVE-2018-12402 (bmo#1469916)
SameSite cookies leak when pages are explicitly saved
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=692
* WebExtensions now run in their own process on Linux
* The Ctrl+Tab shortcut now displays thumbnail previews of your
tabs and cycles through tabs in recently used order. This new
default behavior is activated only in new profiles and can be
changed in preferences.
* Added support for Web Components custom elements and shadow DOM
- requires NSPR 4.20, NSS 3.39 and Rust 1.28
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=691
* Firefox Home (the default New Tab) now allows users to display
up to 4 rows of top sites, Pocket stories, and highlights
* "Reopen in Container" tab menu option appears for users with
Containers that lets them choose to reopen a tab in a different
container
* In advance of removing all trust for Symantec-issued certificates
in Firefox 63, a preference was added that allows users to distrust
certificates issued by Symantec. To use this preference, go to
about:config in the address bar and set the preference
"security.pki.distrust_ca_policy" to 2.
* Support for CSS Shapes, allowing for richer web page layouts.
This goes hand in hand with a brand new Shape Path Editor in the
CSS inspector.
* CSS Variable Fonts (OpenType Font Variations) support, which makes
it possible to create beautiful typography with a single font file
* Added Canadian English (en-CA) locale
MFSA 2018-20 (bsc#1107343)
* CVE-2018-12377 (bmo#1470260)
Use-after-free in refresh driver timers
* CVE-2018-12378 (bmo#1459383)
Use-after-free in IndexedDB
* CVE-2018-12379 (bmo#1473113) (updater is disabled for us)
Out-of-bounds write with malicious MAR file
* CVE-2017-16541 (bmo#1412081)
Proxy bypass using automount and autofs
* CVE-2018-12381 (bmo#1435319)
Dragging and dropping Outlook email message results in page navigation
* CVE-2018-12382 (bmo#1479311) (Android only)
Addressbar spoofing with javascript URI on Firefox for Android
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=683
* Performance enhancements
* Various improvements for dark theme support will provide a more
consistent experience across the entire Firefox UI
* OpenSearch plugins offered by web pages can now be added from the
page action menu for easier installation
* Improved support for allowing WebExtensions to manage and hide tabs
- requires NSS 3.37.3
- requires python >= 3.5 to build
- removed obsolete patches
mozilla-i586-DecoderDoctorLogger.patch
mozilla-i586-domPrefs.patch
mozilla-fix-skia-aarch64.patch
mozilla-bmo1375074.patch
mozilla-enable-csd.patch
- patch for new no-return warnings (mozilla-no-return.patch)
- do not disable system installed locales (mozilla-bmo1464766.patch)
- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
conditional --disable-gconf to configure: no longer pull in
obsolete gconf2 for Tumbleweed.
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=673
* Avoid overly long cycle collector pauses with some add-ons installed
(bmo#1449033)
* After unckecking the "Sponsored Stories" option, the New Tab page
now immediately stops displaying "Sponsored content" cards (bmo#1458906)
* On touchscreen devices, fixed momentum scrolling on non-zoomable pages
(bmo#1457743)
* Use the right default background when opening tabs or windows in
high contrast mode (bmo#1458956)
* Restored translations of the Preferences panels when using a
language pack (bmo#1461590)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=661
* CVE-2018-5154 (bmo#1443092)
Use-after-free with SVG animations and clip paths
* CVE-2018-5155 (bmo#1448774)
Use-after-free with SVG animations and text paths
* CVE-2018-5157 (bmo#1449898)
Same-origin bypass of PDF Viewer to view protected PDF files
* CVE-2018-5158 (bmo#1452075)
Malicious PDF can inject JavaScript into PDF Viewer
* CVE-2018-5159 (bmo#1441941)
Integer overflow and out-of-bounds write in Skia
* CVE-2018-5160 (bmo#1436117)
Uninitialized memory use by WebRTC encoder
* CVE-2018-5152 (bmo#1415644, bmo#1427289)
WebExtensions information leak through webRequest API
* CVE-2018-5153 (bmo#1436809)
Out-of-bounds read in mixed content websocket messages
* CVE-2018-5163 (bmo#1426353)
Replacing cached data in JavaScript Start-up Bytecode Cache
* CVE-2018-5164 (bmo#1416045)
CSP not applied to all multipart content sent with
multipart/x-mixed-replace
* CVE-2018-5166 (bmo#1437325)
WebExtension host permission bypass through filterReponseData
* CVE-2018-5167 (bmo#1447969)
Improper linkification of chrome: and javascript: content in
web console and JavaScript debugger
* CVE-2018-5168 (bmo#1449548)
Lightweight themes can be installed without user interaction
* CVE-2018-5169 (bmo#1319157)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=658
* Added a policy engine that allows customized Firefox deployments
in enterprise environments, using Windows Group Policy or a
cross-platform JSON file
* Applied Quantum CSS to render browser UI
* Added support for Web Authentication, allowing the use of USB
tokens for authentication to web sites
* Locale added: Occitan (oc)
- removed obsolete patches
0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
- requires NSPR 4.19 and NSS 3.36.1
- requires rust 1.24 or higher
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=655
* Invalid page rendering with hardware acceleration enabled (bmo#1435472)
* Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites
that use those keys with resistFingerprinting enabled (bmo#1433592)
* High CPU / memory churn caused by third-party software on some
computers (bmo#1446280)
* Users who have configured an "automatic proxy configuration URL"
and want to reload their proxy settings from the URL will find
the Reload button disabled in the Connection Settings dialog when
they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
* URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
* User's trying to cancel a print around the time it completes will
continue to get intermittent crashes (bmo#1441598)
MFSA 2018-10 (bsc#1087059)
* CVE-2018-5148 (bmo#1440717)
Use-after-free in compositor
- removed obsolete patch mozilla-bmo1446062.patch
* mozilla-i586-domPrefs.patch - DOMPrefs.h
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=642
MFSA 2018-05
* Arbitrary code execution through unsanitized browser UI (bmo#1432966)
- fixed language packs (boo#1077590)
- readd mozilla-enable-csd.patch as it only lands for FF59 upstream
- allow larger number of nested elements (mozilla-bmo256180.patch)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=630
MFSA 2018-02
* CVE-2018-5091 (bmo#1423086)
Use-after-free with DTMF timers
* CVE-2018-5092 (bmo#1418074)
Use-after-free in Web Workers
* CVE-2018-5093 (bmo#1415291)
Buffer overflow in WebAssembly during Memory/Table resizing
* CVE-2018-5094 (bmo#1415883)
Buffer overflow in WebAssembly with garbage collection on
uninitialized memory
* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener
* CVE-2018-5100 (bmo#1417405)
Use-after-free when IsPotentiallyScrollable arguments are freed
from memory
* CVE-2018-5101 (bmo#1417661)
Use-after-free with floating first-letter style elements
* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=629
* Firefox Quantum
* Photon UI
* Unified address and search bar
* AMD VP9 hardware video decoder support
* Added support for Date/Time input
* stricter security sandbox blocking filesystem reading and
writing on Linux systems
* middle mouse paste in the content area no longer navigates to
URLs by default on Unix systems
MFSA 2017-24
* CVE-2017-7828 (bmo#1406750. bmo#1412252)
Use-after-free of PressShell while restyling layout
* CVE-2017-7830 (bmo#1408990)
Cross-origin URL information leak through Resource Timing API
* CVE-2017-7831 (bmo#1392026)
Information disclosure of exposed properties on JavaScript proxy
objects
* CVE-2017-7832 (bmo#1408782)
Domain spoofing through use of dotless 'i' character followed
by accent markers
* CVE-2017-7833 (bmo#1370497)
Domain spoofing with Arabic and Indic vowel marker characters
* CVE-2017-7834 (bmo#1358009)
data: URLs opened in new tabs bypass CSP protections
* CVE-2017-7835 (bmo#1402363)
Mixed content blocking incorrectly applies with redirects
* CVE-2017-7836 (bmo#1401339)
Pingsender dynamically loads libcurl on Linux and OS X
* CVE-2017-7837 (bmo#1325923)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=610
* Disable Form Autofill completely on user request (bmo#1404531)
* Fix for video-related crashes on Windows 7 (bmo#1409141)
* Correct detection for 64-bit GSSAPI authentication (bmo#1409275)
* Fix for shutdown crash (bmo#1404105)
- update to Firefox 56.0.1
* Block D3D11 when using Intel drivers on Windows 7 systems with
partial AVX support (bmo#1403353)
-> just to sync the version number
- enable stylo for TW (requires LLVM >= 3.9)
- queue KDE filepicker requests to avoid non-opening file dialogs
happening in certain situations (contributed by Ignaz Forster)
- the placeholder dot in KDE file dialog in case of empty filenames
was removed, apparently not required (anymore)
(contributed by Ignaz Forster)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=609
MFSA 2017-21
* CVE-2017-7793 (bmo#1371889)
Use-after-free with Fetch API
* CVE-2017-7817 (bmo#1356596) (Android-only)
Firefox for Android address bar spoofing through fullscreen mode
* CVE-2017-7818 (bmo#1363723)
Use-after-free during ARIA array manipulation
* CVE-2017-7819 (bmo#1380292)
Use-after-free while resizing images in design mode
* CVE-2017-7824 (bmo#1398381)
Buffer overflow when drawing and validating elements with ANGLE
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
Use-after-free in TLS 1.2 generating handshake hashes
* CVE-2017-7812 (bmo#1379842)
Drag and drop of malicious page content to the tab bar can open locally stored files
* CVE-2017-7814 (bmo#1376036)
Blob and data URLs bypass phishing and malware protection warnings
* CVE-2017-7813 (bmo#1383951)
Integer truncation in the JavaScript parser
* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
OS X fonts render some Tibetan and Arabic unicode characters as spaces
* CVE-2017-7815 (bmo#1368981)
Spoofing attack with modal dialogs on non-e10s installations
* CVE-2017-7816 (bmo#1380597)
WebExtensions can load about: URLs in extension UI
* CVE-2017-7821 (bmo#1346515)
WebExtensions can download and open non-executable files without user interaction
* CVE-2017-7823 (bmo#1396320)
CSP sandbox directive did not create a unique origin
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=604
* Fix an issue with addons when using a path containing non-ascii
characters (bmo#1389160)
* Fix file uploads to some websites, including YouTube (bmo#1383518)
- fix Google API key build integration
- add mozilla-ucontext.patch to fix Tumbleweed build
- do not enable XINPUT2 for now (boo#1053959)
- update to Firefox 55.0.1
* Fix a regression the tab restoration process (bmo#1388160)
* Fix a problem causing What's new pages not to be displayed (bmo#1386224)
* Fix a rendering issue with some PKCS#11 libraries (bmo#1388370)
* Disable the predictor prefetch (bmo#1388160)
- update to Firefox 55.0 (boo#1052829)
* Browsing sessions with a high number of tabs are now restored
in an instant
* Sidebar (bookmarks, history, synced tabs) can now be moved to
the right edge of the window
* Fine-tune your browser performance from the Preferences/Options page.
* Make screenshots of webpages, and save them locally or upload
them to the cloud. This feature will undergo A/B testing and
will not be visible for some users.
* Added Belarusian (be) locale
* Simplify print jobs from within print preview
* Use virtual reality devices with the web with the introduction
of WebVR
* Search suggestions are now enabled by default for users who
haven't explicitly opted-out
* Search with any installed search engine directly from the
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=601
MFSA 2017-19
* CVE-2017-7798 (bmo#1371586, bmo#1372112)
XUL injection in the style editor in devtools
* CVE-2017-7800 (bmo#1374047)
Use-after-free in WebSockets during disconnection
* CVE-2017-7801 (bmo#1371259)
Use-after-free with marquee during window resizing
* CVE-2017-7784 (bmo#1376087)
Use-after-free with image observers
* CVE-2017-7802 (bmo#1378147)
Use-after-free resizing image elements
* CVE-2017-7785 (bmo#1356985)
Buffer overflow manipulating ARIA attributes in DOM
* CVE-2017-7786 (bmo#1365189)
Buffer overflow while painting non-displayable SVG
* CVE-2017-7753 (bmo#1353312)
Out-of-bounds read with cached style data and pseudo-elements#
* CVE-2017-7787 (bmo#1322896)
Same-origin policy bypass with iframes through page reloads
* CVE-2017-7807 (bmo#1376459)
Domain hijacking through AppCache fallback
* CVE-2017-7792 (bmo#1368652)
Buffer overflow viewing certificates with an extremely long OID
* CVE-2017-7804 (bmo#1372849)
Memory protection bypass through WindowsDllDetourPatcher
* CVE-2017-7791 (bmo#1365875)
Spoofing following page navigation with data: protocol and modal alerts
* CVE-2017-7782 (bmo#1344034)
WindowsDllDetourPatcher allocates memory without DEP protections
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=598
MFSA 2017-16
* CVE-2017-5472 (bmo#1365602)
Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039)
Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558)
Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396)
Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547)
Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090)
Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7755 (bmo#1361326)
Privilege escalation through Firefox Installer with same
directory DLL files (Windows only)
* CVE-2017-7756 (bmo#1366595)
Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824)
Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
CVE-2017-7777
Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490)
Out-of-bounds read in Opus encoder
* CVE-2017-7760 (bmo#1348645)
File manipulation and privilege escalation via callback parameter
in Mozilla Windows Updater and Maintenance Service (Windows only)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=594
* Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
* Fix loading tab icons on session restore (bmo#1338009)
* Fix a crash on startup on Linux (bmo#1345413)
* Fix new installs erroneously not prompting to change the default
browser setting (bmo#1343938)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=581
* requires NSS >= 3.28.3
* Pages containing insecure password fields now display a warning
directly within username and password fields.
* Windows 8 touch screen support for multiprocess Firefox
* Send and open a tab from one device to another with Sync
* Removed NPAPI support for plugins other than Flash. Silverlight,
Java, Acrobat and the like are no longer supported.
* Removed Battery Status API to reduce fingerprinting of users by
trackers
- removed obsolete patches
* mozilla-binutils-visibility.patch
* mozilla-check_return.patch
* mozilla-disable-skia-be.patch
* mozilla-skia-overflow.patch
* mozilla-skia-ppc-endianess.patch
- rebased patches
- enable rust usage for Tumbleweed
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=572
* requires NSPR >= 4.13.1, NSS >= 3.28.1
* Added support for FLAC (Free Lossless Audio Codec) playback
* Added support for WebGL 2
* Added Georgian (ka) and Kabyle (kab) locales
* Support saving passwords for forms without 'submit' events
* Improved video performance for users without GPU acceleration
* Zoom indicator is shown in the URL bar if the zoom level is not
at default level
* View passwords from the prompt before saving them
* Remove Belarusian (be) locale
* Use Skia for content rendering (Linux)
* MFSA 2017-01
CVE-2017-5375: Excessive JIT code allocation allows bypass of
ASLR and DEP (bmo#1325200, boo#1021814)
CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
CVE-2017-5377: Memory corruption with transforms to create
gradients in Skia (bmo#1306883, boo#1021826)
CVE-2017-5378: Pointer and frame data leakage of Javascript objects
(bmo#1312001, bmo#1330769, boo#1021818)
CVE-2017-5379: Use-after-free in Web Animations
(bmo#1309198,boo#1021827)
CVE-2017-5380: Potential use-after-free during DOM manipulations
(bmo#1322107, boo#1021819)
CVE-2017-5390: Insecure communication methods in Developer Tools
JSON viewer (bmo#1297361, boo#1021820)
CVE-2017-5389: WebExtensions can install additional add-ons via
modified host requests (bmo#1308688, boo#1021828)
CVE-2017-5396: Use-after-free with Media Decoder
(bmo#1329403, boo#1021821)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=567
* MFSA 2016-94
CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
CVE-2016-9899: Use-after-free while manipulating DOM events and
audio elements (bmo#1317409)
CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
CVE-2016-9898: Use-after-free in Editor while manipulating
DOM subtrees (bmo#1314442)
CVE-2016-9900: Restricted external resources can be loaded by
SVG images through data URLs (bmo#1319122)
CVE-2016-9904: Cross-origin information leak in shared atoms
(bmo#1317936)
CVE-2016-9901: Data from Pocket server improperly sanitized
before execution (bmo#1320057)
CVE-2016-9902: Pocket extension does not validate the origin
of events (bmo#1320039)
CVE-2016-9903: XSS injection vulnerability in add-ons SDK
(bmo#1315435)
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
Firefox ESR 45.6
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=564
* requires NSS 3.26.2
new features
* Updates to keyboard shortcuts
Set a preference to have Ctrl+Tab cycle through tabs in recently
used order
View a page in Reader Mode by using Ctrl+Alt+R
* Added option to Find in page that allows users to limit search to
whole words only
* Added download protection for a large number of executable file
types on Windows, Mac and Linux
* Fixed rendering of dashed and dotted borders with rounded corners
(border-radius)
* Added a built-in Emoji set for operating systems without native
Emoji fonts (Windows 8.0 and lower and Linux)
* Blocked versions of libavcodec older than 54.35.1
* additional locale
security fixes:
* MFSA 2016-89
CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
(bmo#1292443)
CVE-2016-5292: URL parsing causes crash (bmo#1288482)
CVE-2016-5293: Write to arbitrary file with updater and moz
maintenance service using updater.log hardlink
(Windows only) (bmo#1246945)
CVE-2016-5294: Arbitrary target directory for result files of
update process (Windows only) (bmo#1246972)
CVE-2016-5297: Incorrect argument length checking in Javascript
(bmo#1303678)
CVE-2016-9064: Addons update must verify IDs match between
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=555
* Updated Firefox Login Manager to allow HTTPS pages to use saved
HTTP logins.
* Added features to Reader Mode that make it easier on the eyes and
the ears
* Improved video performance for users on systems that support
SSE3 without hardware acceleration
* Added context menu controls to HTML5 audio and video that let users
loops files or play files at 1.25x speed
* Improvements in about:memory reports for tracking font memory usage
security related
* MFSA 2016-85
CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
mozilla::net::IsValidReferrerPolicy
CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
nsCaseTransformTextRunFactory::TransformString
CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
PropertyProvider::GetSpacingInternal
CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
CVE-2016-5273 (bmo#1280387) - crash in
mozilla::a11y::HyperTextAccessible::GetChildOffset
CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
mozilla::a11y::DocAccessible::ProcessInvalidationList
CVE-2016-5274 (bmo#1282076) - use-after-free in
nsFrameManager::CaptureFrameState
CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
nsBMPEncoder::AddImageFrame
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=548
