Commit Graph

114 Commits

Author SHA256 Message Date
Wolfgang Rosenauer
20c3e10797 - Mozilla Firefox 126.0
https://www.mozilla.org/en-US/firefox/126.0/releasenotes
  MFSA 2024-21 (bsc#1224056)
  * CVE-2024-4764 (bmo#1879093)
    Use-after-free when audio input connected with multiple consumers
  * CVE-2024-4367 (bmo#1893645)
    Arbitrary JavaScript execution in PDF.js
  * CVE-2024-4765 (bmo#1871109)
    Web application manifests could have been overwritten via
    hash collision
  * CVE-2024-4766 (bmo#1871214, bmo#1871217)
    Fullscreen notification could have been obscured on Firefox
    for Android
  * CVE-2024-4767 (bmo#1878577)
    IndexedDB files retained in private browsing mode
  * CVE-2024-4768 (bmo#1886082)
    Potential permissions request bypass via clickjacking
  * CVE-2024-4769 (bmo#1886108)
    Cross-origin responses could be distinguished between script
    and non-script content-types
  * CVE-2024-4770 (bmo#1893270)
    Use-after-free could occur when printing to PDF
  * CVE-2024-4771 (bmo#1893891)
    Failed allocation could lead to use-after-free
  * CVE-2024-4772 (bmo#1870579)
    Use of insecure rand() function to generate nonce
  * CVE-2024-4773 (bmo#1875248)
    URL bar could be cleared after network error
  * CVE-2024-4774 (bmo#1886598)
    Undefined behavior in ShmemCharMapHashEntry()

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1150
2024-05-21 08:22:00 +00:00
Wolfgang Rosenauer
b2a3d76d10 Accepting request 1169748 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Firefox 125.0.2

OBS-URL: https://build.opensuse.org/request/show/1169748
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1145
2024-04-23 06:12:35 +00:00
Wolfgang Rosenauer
cb288b2474 - Mozilla Firefox 124.0.1
https://www.mozilla.org/en-US/firefox/124.0.1/releasenotes/
  MFSA 2024-15 (bsc#1221850)
  * CVE-2024-29943 (bmo#1886849)
    Out-of-bounds access via Range Analysis bypass
  * CVE-2024-29944 (bmo#1886852)
    Privileged JavaScript Execution via Event Handlers
  Mozilla Firefox 124.0
  https://www.mozilla.org/en-US/firefox/124.0/releasenotes/
  MFSA 2024-12 (bsc#1221327)
  * CVE-2024-2605 (bmo#1872920)
    Windows Error Reporter could be used as a Sandbox escape vector
  * CVE-2024-2606 (bmo#1879237)
    Mishandling of WASM register values
  * CVE-2024-2607 (bmo#1879939)
    JIT code failed to save return registers on Armv7-A
  * CVE-2024-2608 (bmo#1880692)
    Integer overflow could have led to out of bounds write
  * CVE-2023-5388 (bmo#1780432)
    NSS susceptible to timing attack against RSA decryption
  * CVE-2024-2609 (bmo#1866100)
    Permission prompt input delay could expire when not in focus
  * CVE-2024-2610 (bmo#1871112)
    Improper handling of html and body tags enabled CSP nonce leakage
  * CVE-2024-2611 (bmo#1876675)
    Clickjacking vulnerability could have led to a user accidentally
    granting permissions
  * CVE-2024-2612 (bmo#1879444)
    Self referencing object could have potentially led to a use-
    after-free

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1140
2024-03-22 16:21:08 +00:00
Wolfgang Rosenauer
d74579a369 - Mozilla Firefox 122.0
https://www.mozilla.org/en-US/firefox/122.0/releasenotes/
  MFSA 2024-01 (bsc#1218955)
  * CVE-2024-0741 (bmo#1864587)
    Out of bounds write in ANGLE
  * CVE-2024-0742 (bmo#1867152)
    Failure to update user input timestamp
  * CVE-2024-0743 (bmo#1867408)
    Crash in NSS TLS method
  * CVE-2024-0744 (bmo#1871089)
    Wild pointer dereference in JavaScript
  * CVE-2024-0745 (bmo#1871838)
    Stack buffer overflow in WebAudio
  * CVE-2024-0746 (bmo#1660223)
    Crash when listing printers on Linux
  * CVE-2024-0747 (bmo#1764343)
    Bypass of Content Security Policy when directive unsafe-inline was set
  * CVE-2024-0748 (bmo#1783504)
    Compromised content process could modify document URI
  * CVE-2024-0749 (bmo#1813463)
    Phishing site popup could show local origin in address bar
  * CVE-2024-0750 (bmo#1863083)
    Potential permissions request bypass via clickjacking
  * CVE-2024-0751 (bmo#1865689)
    Privilege escalation through devtools
  * CVE-2024-0752 (bmo#1866840)
    Use-after-free could occur when applying update on macOS
  * CVE-2024-0753 (bmo#1870262)
    HSTS policy on subdomain could bypass policy of upper domain
  * CVE-2024-0754 (bmo#1871605)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1128
2024-01-25 11:10:30 +00:00
Wolfgang Rosenauer
e72c8a0f77 - Mozilla Firefox 121.0
https://www.mozilla.org/en-US/firefox/121.0/releasenotes
  MFSA 2023-56 (bsc#1217974)
  * CVE-2023-6856 (bmo#1843782)
    Heap-buffer-overflow affecting WebGL DrawElementsInstanced
    method with Mesa VM driver
  * CVE-2023-6135 (bmo#1853908)
    NSS susceptible to "Minerva" attack
  * CVE-2023-6865 (bmo#1864123)
    Potential exposure of uninitialized data in EncryptingOutputStream
  * CVE-2023-6857 (bmo#1796023)
    Symlinks may resolve to smaller than expected buffers
  * CVE-2023-6858 (bmo#1826791)
    Heap buffer overflow in nsTextFragment
  * CVE-2023-6859 (bmo#1840144)
    Use-after-free in PR_GetIdentitiesLayer
  * CVE-2023-6866 (bmo#1849037)
    TypedArrays lack sufficient exception handling
  * CVE-2023-6860 (bmo#1854669)
    Potential sandbox escape due to VideoBridge lack of texture
    validation
  * CVE-2023-6867 (bmo#1863863)
    Clickjacking permission prompts using the popup transition
  * CVE-2023-6861 (bmo#1864118)
    Heap buffer overflow affected nsWindow::PickerOpen(void) in
    headless mode
  * CVE-2023-6868 (bmo#1865488)
    WebPush requests on Firefox for Android did not require VAPID key
  * CVE-2023-6869 (bmo#1799036)
    Content can paint outside of sandboxed iframe

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1124
2023-12-22 09:01:08 +00:00
Wolfgang Rosenauer
b904ee92a3 Accepting request 1114576 from home:Thaodan:branches:mozilla:Factory
- Active KDE integration again, included rebased and updated patches

OBS-URL: https://build.opensuse.org/request/show/1114576
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1112
2023-10-14 12:01:14 +00:00
Wolfgang Rosenauer
94f394d251 (removed mozilla-kde.patch and firefox-kde.patch for now)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1109
2023-09-29 08:34:10 +00:00
Wolfgang Rosenauer
899c5ab404 - Mozilla Firefox 116.0
- require NSS 3.91
- remove obsolete mozilla-fix-top-level-asm.patch
- re-enable LTO

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1079
2023-08-01 20:59:19 +00:00
Wolfgang Rosenauer
2bccc014af - Mozilla Firefox 115.0
* Support for importing payment methods saved in Chrome-based browser
  * Hardware video decoding is now enabled for Intel GPUs on Linux
  * The Tab Manager dropdown now features close buttons, so tabs
    can be closed more quickly
  * Streamlined the user interface for importing data in from other browsers
  * Users without platform support for H264 video decoding can now
    fallback to Cisco's OpenH264 plugin for playback.
  * Undo and redo are now available in Password fields
  * Changed: On Linux, middle clicks on the new tab button will
    now open the xclipboard contents in the new tab. If the
    xclipboard content is a URL then that URL is opened, any
    other text is opened with your default search provider.
  * Changed: For users with a Firefox Colorways built-in theme,
    the theme will be automatically migrated to the same theme
    hosted on addons.mozilla.org for Firefox profiles that have
    disabled add-ons auto-updates. This will allow users to keep
    their Colorways theme when they are later removed from
    Firefox installer files.
  * Changed: Certain Firefox users may come across a message in
    the extensions panel indicating that their add-ons are not
    allowed on the site currently open. We have introduced a new
    back-end feature to only allow some extensions monitored by
    Mozilla to run on specific websites for various reasons,
    including security concerns.
  * HTML5: The builtin editor now behaves similarly to other
    browsers with `contenteditable` and `designMode` when
    splitting a node, e.g. typing Enter to split a paragraph, and
    also when joining two nodes, e.g. typing Backspace at the
    start of a paragraph to join the paragraph and the previous

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1071
2023-07-05 21:06:07 +00:00
Wolfgang Rosenauer
5b26afc37a Accepting request 1092018 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Firefox 114.0.1

OBS-URL: https://build.opensuse.org/request/show/1092018
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1066
2023-06-10 15:11:56 +00:00
Wolfgang Rosenauer
f16518afb3 - Mozilla Firefox 113.0
* https://www.mozilla.org/en-US/firefox/113.0/releasenotes
  MFSA 2023-16 (bsc#1211175)
  * CVE-2023-32205 (bmo#1753339, bmo#1753341)
    Browser prompts could have been obscured by popups
  * CVE-2023-32206 (bmo#1824892)
    Crash in RLBox Expat driver
  * CVE-2023-32207 (bmo#1826116)
    Potential permissions request bypass via clickjacking
  * CVE-2023-32208 (bmo#1646034)
    Leak of script base URL in service workers via import()
  * CVE-2023-32209 (bmo#1767194)
    Persistent DoS via favicon image
  * CVE-2023-32210 (bmo#1776755)
    Incorrect principal object ordering
  * CVE-2023-32211 (bmo#1823379)
    Content process crash due to invalid wasm code
  * CVE-2023-32212 (bmo#1826622)
    Potential spoof due to obscured address bar
  * CVE-2023-32213 (bmo#1826666)
    Potential memory corruption in FileReader::DoReadData()
  * MFSA-TMP-2023-0002 (bmo#1814560, bmo#1814790, bmo#1819796)
    Race condition in dav1d decoding
  * CVE-2023-32214 (bmo#1828716)
    Potential DoS via exposed protocol handlers
  * CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856, bmo#1820210,
    bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144, bmo#1827359,
    bmo#1830186)
    Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
  * CVE-2023-32216 (bmo#1746479, bmo#1806852, bmo#1815987,

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1059
2023-05-10 06:26:50 +00:00
Wolfgang Rosenauer
03a9133f62 - Mozilla Firefox 112.0
* https://www.mozilla.org/en-US/firefox/112.0/releasenotes/
  MFSA 2023-13 (bsc#1210212)
  * CVE-2023-29531 (bmo#1794292)
    Out-of-bound memory access in WebGL on macOS
  * CVE-2023-29532 (bmo#1806394)
    Mozilla Maintenance Service Write-lock bypass
  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
    Fullscreen notification obscured
  * CVE-2023-29534 (bmo#1816007, bmo#1816059, bmo#1821155, bmo#1821576,
    bmo#1821906, bmo#1822298, bmo#1822305)
    Fullscreen notification could have been obscured on Firefox
    for Android
  * MFSA-TMP-2023-0001 (bmo#1819244)
    Double-free in libwebp
  * CVE-2023-29535 (bmo#1820543)
    Potential Memory Corruption following Garbage Collector compaction
  * CVE-2023-29536 (bmo#1821959)
    Invalid free from JavaScript code
  * CVE-2023-29537 (bmo#1823365, bmo#1824200, bmo#1825569)
    Data Races in font initialization code
  * CVE-2023-29538 (bmo#1685403)
    Directory information could have been leaked to WebExtensions
  * CVE-2023-29539 (bmo#1784348)
    Content-Disposition filename truncation leads to Reflected
    File Download
  * CVE-2023-29540 (bmo#1790542)
    Iframe sandbox bypass using redirects and sourceMappingUrls
  * CVE-2023-29541 (bmo#1810191)
    Files with malicious extensions could have been downloaded

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1051
2023-04-11 21:09:55 +00:00
Wolfgang Rosenauer
2b0fa44dce - Mozilla Firefox 110.0
* https://www.mozilla.org/en-US/firefox/110.0/releasenotes
  MFSA 2023-05 (bsc#1208144)
  * CVE-2023-25728 (bmo#1790345)
    Content security policy leak in violation reports using iframes
  * CVE-2023-25730 (bmo#1794622)
    Screen hijack via browser fullscreen mode
  * CVE-2023-25743 (bmo#1800203)
    Fullscreen notification not shown in Firefox Focus
  * CVE-2023-0767 (bmo#1804640)
    Arbitrary memory write via PKCS 12 in NSS
  * CVE-2023-25735 (bmo#1810711)
    Potential use-after-free from compartment mismatch in SpiderMonkey
  * CVE-2023-25737 (bmo#1811464)
    Invalid downcast in SVGUtils::SetupStrokeGeometry
  * CVE-2023-25738 (bmo#1811852)
    Printing on Windows could potentially crash Firefox with some
    device drivers
  * CVE-2023-25739 (bmo#1811939)
    Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
  * CVE-2023-25729 (bmo#1792138)
    Extensions could have opened external schemes without user knowledge
  * CVE-2023-25732 (bmo#1804564)
    Out of bounds memory write from EncodeInputStream
  * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
    Opening local .url files could cause unexpected network loads
  * CVE-2023-25740 (bmo#1812354)
    Opening local .scf files could cause unexpected network loads
  * CVE-2023-25731 (bmo#1801542)
    Prototype pollution when rendering URLPreview

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1037
2023-02-15 21:11:31 +00:00
Wolfgang Rosenauer
c94fb4dc8f - Mozilla Firefox 109.0
MFSA 2023-01 (bsc#1207119)
  * CVE-2023-23597 (bmo#1538028)
    Logic bug in process allocation allowed to read arbitrary
    files
  * CVE-2023-23598 (bmo#1800425)
    Arbitrary file read from GTK drag and drop on Linux
  * CVE-2023-23599 (bmo#1777800)
    Malicious command could be hidden in devtools output on
    Windows
  * CVE-2023-23600 (bmo#1787034)
    Notification permissions persisted between Normal and Private
    Browsing on Android
  * CVE-2023-23601 (bmo#1794268)
    URL being dragged from cross-origin iframe into same tab
    triggers navigation
  * CVE-2023-23602 (bmo#1800890)
    Content Security Policy wasn't being correctly applied to
    WebSockets in WebWorkers
  * CVE-2023-23603 (bmo#1800832)
    Calls to `console.log` allowed bypassing Content
    Security Policy via format directive
  * CVE-2023-23604 (bmo#1802346)
    Creation of duplicate `SystemPrincipal` from less
    secure contexts
  * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
    Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
  * CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201,
    bmo#1800446, bmo#1801248, bmo#1802100, bmo#1803393,
    bmo#1804626, bmo#1804971, bmo#1807004)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1033
2023-01-18 07:21:07 +00:00
Wolfgang Rosenauer
fe0c523658 - Mozilla Firefox 108.0
https://www.mozilla.org/en-US/firefox/108.0/releasenotes/
  MFSA 2022-51 (bsc#1206242)
  * CVE-2022-46871 (bmo#1795697)
    libusrsctp library out of date
  * CVE-2022-46872 (bmo#1799156)
    Arbitrary file read from a compromised content process
  * CVE-2022-46873 (bmo#1644790)
    Firefox did not implement the CSP directive unsafe-hashes
  * CVE-2022-46874 (bmo#1746139)
    Drag and Dropped Filenames could have been truncated to
    malicious extensions
  * CVE-2022-46875 (bmo#1786188)
    Download Protections were bypassed by .atloc and .ftploc
    files on Mac OS
  * CVE-2022-46877 (bmo#1795139)
    Fullscreen notification bypass
  * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
    bmo#1801102, bmo#1801315, bmo#1802395)
    Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
  * CVE-2022-46879 (bmo#1736224, bmo#1793407, bmo#1794249, bmo#1795845,
    bmo#1797682, bmo#1797720, bmo#1798494, bmo#1799479)
    Memory safety bugs fixed in Firefox 108
- requires
  NSS >= 3.85
  rustc/cargo 1.65

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1024
2022-12-13 21:48:56 +00:00
Wolfgang Rosenauer
2388254af0 - Mozilla Firefox 107.0
MFSA 2022-47 (bsc#1205270)
  * CVE-2022-45403 (bmo#1762078)
    Service Workers might have learned size of cross-origin media files
  * CVE-2022-45404 (bmo#1790815)
    Fullscreen notification bypass
  * CVE-2022-45405 (bmo#1791314)
    Use-after-free in InputStream implementation
  * CVE-2022-45406 (bmo#1791975)
    Use-after-free of a JavaScript Realm
  * CVE-2022-45407 (bmo#1793314)
    Loading fonts on workers was not thread-safe
  * CVE-2022-45408 (bmo#1793829)
    Fullscreen notification bypass via windowName
  * CVE-2022-45409 (bmo#1796901)
    Use-after-free in Garbage Collection
  * CVE-2022-45410 (bmo#1658869)
    ServiceWorker-intercepted requests bypassed SameSite cookie policy
  * CVE-2022-45411 (bmo#1790311)
    Cross-Site Tracing was possible via non-standard override headers
  * CVE-2022-45412 (bmo#1791029)
    Symlinks may resolve to partially uninitialized buffers
  * CVE-2022-45413 (bmo#1791201)
    SameSite=Strict cookies could have been sent cross-site via
    intent URLs
  * CVE-2022-40674 (bmo#1791598)
    Use-after-free vulnerability in expat
  * CVE-2022-45415 (bmo#1793551)
    Downloaded file may have been saved with malicious extension
  * CVE-2022-45416 (bmo#1793676)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1019
2022-11-16 13:36:59 +00:00
Wolfgang Rosenauer
599eded3ca Accepting request 1008280 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Firefox 105.0.2

OBS-URL: https://build.opensuse.org/request/show/1008280
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1004
2022-10-06 07:14:45 +00:00
Wolfgang Rosenauer
a3178d14f6 - Mozilla Firefox 104.0
* https://www.mozilla.org/en-US/firefox/104.0/releasenotes
  MFSA 2022-33 (bsc#1202645)
  * CVE-2022-38472 (bmo#1769155)
    Address bar spoofing via XSLT error handling
  * CVE-2022-38473 (bmo#1771685)
    Cross-origin XSLT Documents would have inherited the parent's
    permissions
  * CVE-2022-38474 (bmo#1719511)
    Recording notification not shown when microphone was
    recording on Android
  * CVE-2022-38475 (bmo#1773266)
    Attacker could write a value to a zero-length array
  * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
    Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
  * CVE-2022-38478 (bmo#1770630, bmo#1776658)
    Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
    and Firefox ESR 91.13
- requires
  NSPR 4.34.1
  NSS 3.81
  rust 1.62

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=997
2022-08-26 06:35:29 +00:00
Wolfgang Rosenauer
c8b0bfe0a9 - Mozilla Firefox 103.0
https://www.mozilla.org/en-US/firefox/103.0/releasenotes
  MFSA 2022-28 (bsc#1201758)
  * CVE-2022-36319 (bmo#1737722)
    Mouse Position spoofing with CSS transforms
  * CVE-2022-36317 (bmo#1759951)
    Long URL would hang Firefox for Android
  * CVE-2022-36318 (bmo#1771774)
    Directory indexes for bundled resources reflected URL
    parameters
  * CVE-2022-36314 (bmo#1773894)
    Opening local `.lnk` files could cause unexpected
    network loads
  * CVE-2022-36315 (bmo#1762520)
    Preload Cache Bypasses Subresource Integrity
  * CVE-2022-36316 (bmo#1768583)
    Performance API leaked whether a cross-site resource is
    redirecting
  * CVE-2022-36320 (bmo#1759794, bmo#1760998)
    Memory safety bugs fixed in Firefox 103
  * CVE-2022-2505 (bmo#1769739, bmo#1772824)
    Memory safety bugs fixed in Firefox 103 and 102.1
- requires
  NSS >= 3.80
  rust = 1.61
  rust-cbindgen >= 0.24.3

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=988
2022-07-27 12:29:45 +00:00
Wolfgang Rosenauer
aded881413 - Firefox 102.0
* You can now disable automatic opening of the download panel
    every time a new download starts
  * Firefox now mitigates query parameter tracking when navigating
    sites in ETP strict mode
  * Improved security by moving audio decoding into a separate
    process with stricter sandboxing, thus improving process isolation
  * https://www.mozilla.org/en-US/firefox/102.0/releasenotes
  MFSA 2022-24 (bsc#1200793)
  * CVE-2022-34479 (bmo#1745595)
    A popup window could be resized in a way to overlay the
    address bar with web content
  * CVE-2022-34470 (bmo#1765951)
    Use-after-free in nsSHistory
  * CVE-2022-34468 (bmo#1768537)
    CSP sandbox header without `allow-scripts` can be bypassed
    via retargeted javascript: URI
  * CVE-2022-34482 (bmo#845880)
    Drag and drop of malicious image could have led to malicious
    executable and potential code execution
  * CVE-2022-34483 (bmo#1335845)
    Drag and drop of malicious image could have led to malicious
    executable and potential code execution
  * CVE-2022-34476 (bmo#1387919)
    ASN.1 parser could have been tricked into accepting malformed ASN.1
  * CVE-2022-34481 (bmo#1483699, bmo#1497246)
    Potential integer overflow in ReplaceElementsAt
  * CVE-2022-34474 (bmo#1677138)
    Sandboxed iframes could redirect to external schemes
  * CVE-2022-34469 (bmo#1721220)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=983
2022-06-29 07:44:18 +00:00
Wolfgang Rosenauer
131bbef8e2 - Mozilla Firefox 101.0
* Reading is now easier with the prefers-contrast media query,
    which allows sites to detect if the user has requested that web
    content is presented with a higher (or lower) contrast
  * All non-configured MIME types can now be assigned a custom
    action upon download completion
  * allows users to use as many microphones as you want, at the
    same time, during video conferencing. The most exciting benefit
    is that you can easily switch your microphones at any time
    (if your conferencing service provider enables this flexibility)
  MFSA 2022-20 (bsc#1200027)
  * CVE-2022-31736 (bmo#1735923)
    Cross-Origin resource's length leaked
  * CVE-2022-31737 (bmo#1743767)
    Heap buffer overflow in WebGL
  * CVE-2022-31738 (bmo#1756388)
    Browser window spoof using fullscreen mode
  * CVE-2022-31739 (bmo#1765049)
    Attacker-influenced path traversal when saving downloaded files
  * CVE-2022-31740 (bmo#1766806)
    Register allocation problem in WASM on arm64
  * CVE-2022-31741 (bmo#1767590)
    Uninitialized variable leads to invalid memory read
  * CVE-2022-31742 (bmo#1730434)
    Querying a WebAuthn token with a large number of allowCredential
    entries may have leaked cross-origin information
  * CVE-2022-31743 (bmo#1747388)
    HTML Parsing incorrectly ended HTML comments prematurely
  * CVE-2022-31744 (bmo#1757604)
    CSP bypass enabling stylesheet injection

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=979
2022-05-31 21:18:50 +00:00
Wolfgang Rosenauer
afac21d49e Accepting request 964625 from home:DarkWav
Change mozilla-kde.patch to follow the GNOME registry behavior for new MIME types to avoid opening downloaded files without any inquiries (bsc#1197319)

In Firefox 98.0, improvements to the download panel have been made to just download files instead of asking the user what to do with them. Unfortunately this causes some unwanted behavior inside nsKDERegistry as its unconditional call to the function 

mimeInfo->SetPreferredAction(nsIMIMEInfo::useSystemDefault);

results in the browser opening many file types after download without any inquiries.
By replacing this unconditional call with the conditional one found in nsGNOMERegistry as of 98.0, this issue can be avoided:
3b6a1dc7fb/uriloader/exthandler/unix/nsGNOMERegistry.cpp (L98)

If you have any suggestions for improvement, please let me know!

OBS-URL: https://build.opensuse.org/request/show/964625
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=967
2022-03-24 22:11:50 +00:00
Wolfgang Rosenauer
203fccd935 - Mozilla Firefox 97.0
MFSA 2022-04 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435)
    Privilege Escalation to SYSTEM on Windows via Maintenance Service
  * CVE-2022-22754 (bmo#1750565)
    Extensions could have bypassed permission confirmation during update
  * CVE-2022-22755 (bmo#1309630)
    XSL could have allowed JavaScript execution after a tab was closed
  * CVE-2022-22756 (bmo#1317873)
    Drag and dropping an image could have resulted in the dropped
    object being an executable
  * CVE-2022-22757 (bmo#1720098)
    Remote Agent did not prevent local websites from connecting
  * CVE-2022-22758 (bmo#1728742)
    tel: links could have sent USSD codes to the dialer on
    Firefox for Android
  * CVE-2022-22759 (bmo#1739957)
    Sandboxed iframes could have executed script if the parent
    appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
    Cross-Origin responses could be distinguished between script
    and non-script content-types
  * CVE-2022-22761 (bmo#1745566)
    frame-ancestors Content Security Policy directive was not
    enforced for framed extension pages
  * CVE-2022-22762 (bmo#1743931)
    JavaScript Dialogs could have been displayed over other
    domains on Firefox for Android
  * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
    bmo#1748210, bmo#1748279)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=958
2022-02-08 14:33:04 +00:00
Wolfgang Rosenauer
3763e78265 - Mozilla Firefox 96.0
* https://www.mozilla.org/en-US/firefox/96.0/releasenotes
  MFSA 2022-01 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071)
    Calling into reportValidity could have led to fullscreen
    window spoof
  * CVE-2022-22743 (bmo#1739220)
    Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923)
    Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389)
    Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334)
    Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382)
    Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874)
    Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720)
    Iframe sandbox bypass with XSLT
  * CVE-2022-22750 (bmo#1566608)
    IPC passing of resource handles could have led to sandbox
    bypass
  * CVE-2022-22749 (bmo#1705094)
    Lack of URL restrictions when scanning QR codes
  * CVE-2022-22748 (bmo#1705211)
    Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856)
    Leaking cross-origin URLs through securitypolicyviolation
    event

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=951
2022-01-11 22:06:33 +00:00
Wolfgang Rosenauer
ddf1d009ef - Mozilla Firefox 95.0
* You can now move the Picture-in-Picture toggle button to the
    opposite side of the video. Simply look for the new context menu
    option Move Picture-in-Picture Toggle to Left (Right) Side.
  * To better protect Firefox users against side-channel attacks such
    as Spectre, Site Isolation is now enabled for all Firefox 95 users.
  * https://www.mozilla.org/en-US/firefox/95.0/releasenotes
  MFSA 2021-52 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * MOZ-2021-0010 (bmo#1735852)
    Use-after-free in fullscreen objects on MacOS
  * CVE-2021-43540 (bmo#1636629)
    WebExtensions could have installed persistent ServiceWorkers
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43544 (bmo#1739934)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=947
2021-12-07 21:12:25 +00:00
Wolfgang Rosenauer
5092066f6b - Mozilla Firefox 94.0
* https://www.mozilla.org/en-US/firefox/94.0/releasenotes
  MFSA 2021-48 (bsc#1192250)
  * CVE-2021-38503 (bmo#1729517)
    iframe sandbox rules did not apply to XSLT stylesheets
  * CVE-2021-38504 (bmo#1730156)
    Use-after-free in file picker dialog
  * CVE-2021-38505 (bmo#1730194)
    Windows 10 Cloud Clipboard may have recorded sensitive user data
  * CVE-2021-38506 (bmo#1730750)
    Firefox could be coaxed into going into fullscreen mode
    without notification or warning
  * CVE-2021-38507 (bmo#1730935)
    Opportunistic Encryption in HTTP2 could be used to bypass the
    Same-Origin-Policy on services hosted on other ports
  * MOZ-2021-0003 (bmo#1736886)
    Universal XSS in Firefox for Android via QR Code URLs
  * CVE-2021-38508 (bmo#1366818)
    Permission Prompt could be overlaid, resulting in user
    confusion and potential spoofing
  * MOZ-2021-0004 (bmo#1659155)
    Web Extensions could access pre-redirect URL when their
    context menu was triggered by a user
  * CVE-2021-38509 (bmo#1718571)
    Javascript alert box could have been spoofed onto an
    arbitrary domain
  * CVE-2021-38510 (bmo#1731779)
    Download Protections were bypassed by .inetloc files on Mac OS
  * MOZ-2021-0005 (bmo#1719203)
    'Copy Image Link' context menu action could have been abused

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=942
2021-11-02 13:51:34 +00:00
Wolfgang Rosenauer
cc0bc3d0e4 - Mozilla Firefox 93.0
* supports the new AVIF image format
  * PDF viewer now supports filling more forms (XFA-based forms)
  * now blocks downloads that rely on insecure connections,
    protecting against potentially malicious or unsafe downloads
  * Improved web compatibility for privacy protections with SmartBlock 3.0
  * Introducing a new referrer tracking protection in Strict Tracking
    Protection and Private Browsing
  * TLS ciphersuites that use 3DES have been disabled. Such
    ciphersuites can only be enabled when deprecated versions of
    TLS are also enabled
  * The download panel now follows the Firefox visual styles
  MFSA 2021-43 (bsc#1191332)
  * CVE-2021-38496 (bmo#1725335)
    Use-after-free in MessageTask
  * CVE-2021-38497 (bmo#1726621)
    Validation message could have been overlaid on another origin
  * CVE-2021-38498 (bmo#1729642)
    Use-after-free of nsLanguageAtomService object
  * CVE-2021-32810 (bmo#1729813)
    https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw
    Data race in crossbeam-deque
  * CVE-2021-38500 (bmo#1725854, bmo#1728321)
    Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
    and Firefox ESR 91.2
  * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
    Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
  * CVE-2021-38499 (bmo#1667102, bmo#1723170, bmo#1725356, bmo#1727364)
    Memory safety bugs fixed in Firefox 93
- removed obsolete mozilla-bmo1708709.patch

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=936
2021-10-06 07:02:07 +00:00
Wolfgang Rosenauer
56eac44e61 - Mozilla Firefox 90.0
MFSA 2021-28 (bsc#1188275)
  * CVE-2021-29970 (bmo#1709976)
    Use-after-free in accessibility features of a document
  * CVE-2021-29971 (bmo#1713638)
    Granted permissions only compared host; omitting scheme and
    port on Android
  * CVE-2021-30547 (bmo#1715766)
    Out of bounds write in ANGLE
  * CVE-2021-29972 (bmo#1696816)
    Use of out-of-date library included use-after-free
    vulnerability
  * CVE-2021-29973 (bmo#1701932)
    Password autofill on HTTP websites was enabled without user
    interaction on Android
  * CVE-2021-29974 (bmo#1704843)
    HSTS errors could be overridden when network partitioning was
    enabled
  * CVE-2021-29975 (bmo#1713259)
    Text message could be overlaid on top of another website
  * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
    bmo#1711576, bmo#1714391)
    Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
  * CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316,
    bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357,
    bmo#1714066)
    Memory safety bugs fixed in Firefox 90
- requires
  NSPR 4.31
  NSS 3.66

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=922
2021-07-15 21:12:05 +00:00
Wolfgang Rosenauer
80da81df8f - Mozilla Firefox 88.0
  * New: PDF forms now support JavaScript embedded in PDF files.
    Some PDF forms use JavaScript for validation and other
    interactive features
  * New: Print updates: Margin units are now localized
  * New: Smooth pinch-zooming using a touchpad is now supported
    on Linux
  * New: To protect against cross-site privacy leaks, Firefox now
    isolates window.name data to the website that created it.
  * Changed: Firefox will not prompt for access to your
    microphone or camera if you’ve already granted access to the
    same device on the same site in the same tab within the past
    50 seconds. This new grace period reduces the number of times
    you’re prompted to grant device access
  * Changed: The ‘Take a Screenshot’ feature was removed from the
    Page Actions menu in the url bar. To take a screenshot,
    right-click to open the context menu. You can also add a
    screenshots shortcut directly to your toolbar via the
    Customize menu. Open the Firefox menu and select Customize…
  * Changed: FTP support has been disabled, and its full removal
    is planned for an upcoming release. Addressing this security
    risk reduces the likelihood of an attack while also removing
    support for a non-encrypted protocol
  * Developer: Introduced a new toggle button in the Network
    panel for switching between JSON formatted HTTP response and
    raw data (as received over the wire).
  * Enterprise: Various bug fixes and new policies have been
    implemented in the latest version of Firefox. You can see

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=904
2021-04-20 07:57:25 +00:00
Wolfgang Rosenauer
9f49ed581d - Mozilla Firefox 87.0
  * requires NSS 3.62
  * removed obsolete BigEndian ICU build workaround
  * rebased patches
  MFSA 2021-10 (bsc#1183942)
  * CVE-2021-23981 (bmo#1692832)
    Texture upload into an unbound backing buffer resulted in an
    out-of-bound read
  * CVE-2021-23982 (bmo#1677046)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2021-23983 (bmo#1692684)
    Transitions for invalid ::marker properties resulted in memory
    corruption
  * CVE-2021-23984 (bmo#1693664)
    Malicious extensions could have spoofed popup information
  * CVE-2021-23985 (bmo#1659129)
    Devtools remote debugging feature could have been enabled
    without indication to the user
  * CVE-2021-23986 (bmo#1692623)
    A malicious extension could have performed credential-less
    same origin policy violations
  * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
    bmo#1690718)
    Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
  * CVE-2021-23988 (bmo#1684994, bmo#1686653)
    Memory safety bugs fixed in Firefox 87

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=901
2021-03-25 21:32:32 +00:00
Wolfgang Rosenauer
d78e635d11 - Mozilla Firefox 84.0
  * Firefox 84 is the final release to support Adobe Flash
  * WebRender is enabled by default when run on GNOME-based X11
    Linux desktops
  MFSA 2020-54 (bsc#1180039)
  * CVE-2020-16042 (bmo#1679003)
    Operations on a BigInt could have caused uninitialized memory
    to be exposed
  * CVE-2020-26971 (bmo#1663466)
    Heap buffer overflow in WebGL
  * CVE-2020-26972 (bmo#1671382)
    Use-After-Free in WebGL
  * CVE-2020-26973 (bmo#1680084)
    CSS Sanitizer performed incorrect sanitization
  * CVE-2020-26974 (bmo#1681022)
    Incorrect cast of StyleGenericFlexBasis resulted in a heap
    use-after-free
  * CVE-2020-26975 (bmo#1661071)
    Malicious applications on Android could have induced Firefox
    for Android into sending arbitrary attacker-specified headers
  * CVE-2020-26976 (bmo#1674343)
    HTTPS pages could have been intercepted by a registered
    service worker when they should not have been
  * CVE-2020-26977 (bmo#1676311)
    URL spoofing via unresponsive port in Firefox for Android
  * CVE-2020-26978 (bmo#1677047)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2020-26979 (bmo#1641287, bmo#1673299)
    When entering an address in the address or search bars, a

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=880
2020-12-16 22:40:17 +00:00
Wolfgang Rosenauer
3415bda243 - Mozilla Firefox 81.0
  * https://www.mozilla.org/en-US/firefox/81.0/releasenotes
  MFSA 2020-42 (bsc#1176756)
  * CVE-2020-15675 (bmo#1654211)
    Use-After-Free in WebGL
  * CVE-2020-15677 (bmo#1641487)
    Download origin spoofing via redirect
  * CVE-2020-15676 (bmo#1646140)
    XSS when pasting attacker-controlled data into a
    contenteditable element
  * CVE-2020-15678 (bmo#1660211)
    When recursing through layers while scrolling, an iterator
    may have become invalid, resulting in a potential use-after-
    free scenario
  * CVE-2020-15673 (bmo#1648493, bmo#1660800)
    Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
  * CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293)
    Memory safety bugs fixed in Firefox 81
- requires
  NSPR 4.28
  NSS 3.56
- removed obsolete patches
  * mozilla-system-nspr.patch
  * mozilla-bmo1661715.patch
  * mozilla-silence-no-return-type.patch
- skip post-build-checks for 15.0 and 15.1
- add revert-795c8762b16b.patch to fix LTO builds with gcc
  (related to bmo#1644409)
- Use %limit_build macro again for aarch64 and armv7, instead of

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=858
2020-09-22 14:04:54 +00:00
Wolfgang Rosenauer
46fca51d28 - Mozilla Firefox 80.0
  MFSA 2020- (bsc#1175686)
  * CVE-2020-15663 (bmo#1643199)
    Downgrade attack on the Mozilla Maintenance Service could
    have resulted in escalation of privilege
  * CVE-2020-15664 (bmo#1658214)
    Attacker-induced prompt for extension installation
  * CVE-2020-12401 (bmo#1631573)
    Timing-attack on ECDSA signature generation
  * CVE-2020-6829 (bmo#1631583)
    P-384 and P-521 vulnerable to an electro-magnetic side
    channel attack on signature generation
  * CVE-2020-12400 (bmo#1623116)
    P-384 and P-521 vulnerable to a side channel attack on
    modular inversion
  * CVE-2020-15665 (bmo#1651636)
    Address bar not reset when choosing to stay on a page after
    the beforeunload dialog is shown
  * CVE-2020-15666 (bmo#1450853)
    MediaError message property leaks cross-origin response
    status
  * CVE-2020-15667 (bmo#1653371)
    Heap overflow when processing an update file
  * CVE-2020-15668 (bmo#1651520)
    Data Race when reading certificate information
  * CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
    bmo#1656957)
    Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- requires
  * NSPR 4.27

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=853
2020-08-25 18:18:25 +00:00
Wolfgang Rosenauer
4e8a322133 - Mozilla Firefox 79.0
  MFSA 2020-30 (bsc#1174538)
  * CVE-2020-15652 (bmo#1634872)
    Potential leak of redirect targets when loading scripts in a worker
  * CVE-2020-6514 (bmo#1642792)
    WebRTC data channel leaks internal address to peer
  * CVE-2020-15655 (bmo#1645204)
    Extension APIs could be used to bypass Same-Origin Policy
  * CVE-2020-15653 (bmo#1521542)
    Bypassing iframe sandbox when allowing popups
  * CVE-2020-6463 (bmo#1635293)
    Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
  * CVE-2020-15656 (bmo#1647293)
    Type confusion for special arguments in IonMonkey
  * CVE-2020-15658 (bmo#1637745)
    Overriding file type when saving to disk
  * CVE-2020-15657 (bmo#1644954)
    DLL hijacking due to incorrect loading path
  * CVE-2020-15654 (bmo#1648333)
    Custom cursor can overlay user interface
  * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1638856,
    bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646220,
    bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678)
    Memory safety bugs fixed in Firefox 79
- updated dependency requirements:
  * mozilla-nspr >= 4.26
  * mozilla-nss >= 3.54
  * rust >= 1.43
  * rust-cbindgen >= 0.14.3
- removed obsolete patch

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=847
2020-07-29 07:07:58 +00:00
Wolfgang Rosenauer
d25f7ca79a - Mozilla Firefox 78.0
  * startup notifications now using Gtk instead of libnotify
  * PDF downloads now show an option to open the PDF directly in Firefox
- requires
  * NSS >= 3.53.1
  * nodejs >= 10.21
  * Gtk+3 >= 3.14
- removed obsolete patch
  * mozilla-s390-bigendian.patch
- Add mozilla-pipewire-0-3.patch for openSUSE >= 15.2 to build
  WebRTC with pipewire support to enable screen sharing under
  Wayland; also add BuildRequires: pkgconfig(libpipewire-0.3)
  appropriately (boo#1172903).
- adding SLE12 compatibility in spec file
- add patches for s390x
  * mozilla-bmo1602730.patch (bmo#1602730)
  * mozilla-bmo1626236.patch (bmo#1626236)
  * mozilla-bmo998749.patch (bmo#998749)
  * mozilla-s390x-skia-gradient.patch
- update create-tar.sh
- Use same _constraints for ppc64 (BE) as ppc64le to avoid oom build failure

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=834
2020-06-30 11:39:58 +00:00
Wolfgang Rosenauer
859ad6e039 - Mozilla Firefox 77.0
  * view and manage web certificates more easily on the new
    about:certificate page
  * improvements in accessibility
  * significant improvements to JavaScript debugging
  MFSA 2020-20 (bsc#1172402)
  * CVE-2020-12399 (bmo#1631576)
    Timing attack on DSA signatures in NSS library
    (fixed with external NSS >= 3.52.1)
  * CVE-2020-12405 (bmo#1631618)
    Use-after-free in SharedWorkerService
  * CVE-2020-12406 (bmo#1639590)
    JavaScript type confusion with NativeTypes
  * CVE-2020-12407 (bmo#1637112)
    WebRender leaking GPU memory when using border-image CSS
    directive
  * CVE-2020-12408 (bmo#1623888)
    URL spoofing when using IP addresses
  * CVE-2020-12409 (bmo#1619305, bmo#1632717)
    Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
  * CVE-2020-12411 (bmo#1620972, bmo#1625333)
    Memory safety bugs fixed in Firefox 77
- requires
  * NSS >= 3.52.1
  * rust-cbindgen >= 1.14.1
  * clang >= 5
- added mozilla-bmo1634646.patch as part of fixing PGO build
  (still not working)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=830
2020-06-02 14:55:49 +00:00
Wolfgang Rosenauer
4e8136b3b2 - Mozilla Firefox 76.0
  * Lockwise improvements
  * Improvements in Picture-in-Picture feature
  * Support Audio Worklets
  MFSA-2020-16 (bsc#1171186)
  * CVE-2020-12387 (bmo#1545345)
    Use-after-free during worker shutdown
  * CVE-2020-12388 (bmo#1618911)
    Sandbox escape with improperly guarded Access Tokens
  * CVE-2020-12389 (bmo#1554110)
    Sandbox escape with improperly separated process types
  * CVE-2020-6831 (bmo#1632241)
    Buffer overflow in SCTP chunk input validation
  * CVE-2020-12390 (bmo#1141959)
    Incorrect serialization of nsIPrincipal.origin for IPv6 addresses
  * CVE-2020-12391 (bmo#1457100)
    Content-Security-Policy bypass using object elements
  * CVE-2020-12392 (bmo#1614468)
    Arbitrary local file access with 'Copy as cURL'
  * CVE-2020-12393 (bmo#1615471)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2020-12394 (bmo#1628288)
    URL spoofing in location bar when unfocussed
  * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098,
    bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508)
    Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
  * CVE-2020-12396 (bmo#1339601, bmo#1611938, bmo#1620488,
    bmo#1622291, bmo#1627644)
    Memory safety bugs fixed in Firefox 76

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=825
2020-05-05 19:25:39 +00:00
Wolfgang Rosenauer
177bbb0bf1 - Mozilla Firefox 75.0
- removed obsolete patch
  mozilla-bmo1609538.patch
- requires
  * rust >= 1.41
  * rust-cbindgen >= 0.13.1
  * mozilla-nss >= 3.51
  * nodejs10 >= 10.19

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=821
2020-04-07 12:21:48 +00:00
Wolfgang Rosenauer
db2c7e2e1d - Mozilla Firefox 74.0
  * https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
  MFSA 2020-08 (bsc#1166238)
  * CVE-2020-6805 (bmo#1610880)
    Use-after-free when removing data about origins
  * CVE-2020-6806 (bmo#1612308)
    BodyStream::OnInputStreamReady was missing protections against
    state confusion
  * CVE-2020-6807 (bmo#1614971)
    Use-after-free in cubeb during stream destruction
  * CVE-2020-6808 (bmo#1247968)
    URL Spoofing via javascript: URL
  * CVE-2020-6809 (bmo#1420296)
    Web Extensions with the all-urls permission could access local
    files
  * CVE-2020-6810 (bmo#1432856)
    Focusing a popup while in fullscreen could have obscured the
    fullscreen notification
  * CVE-2020-6811 (bmo#1607742)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2019-20503 (bmo#1613765)
    Out of bounds reads in sctp_load_addresses_from_init
  * CVE-2020-6812 (bmo#1616661)
    The names of AirPods with personally identifiable information
    were exposed to websites with camera or microphone permission
  * CVE-2020-6813 (bmo#1605814)
    @import statements in CSS could bypass the Content Security
    Policy nonce feature
  * CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636,

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=809
2020-03-12 19:14:24 +00:00
Wolfgang Rosenauer
ee64c038d1 - Mozilla Firefox 73.0
  * Added support for setting a default zoom level applicable for all
    web content
  * High-contrast mode has been updated to allow background images
  * Improved audio quality when playing back audio at a faster or
    slower speed
  * Added NextDNS as alternative option for DNS over HTTPS
  MFSA 2020-05 (bsc#1163368)
  * CVE-2020-6796 (bmo#1610426)
    Missing bounds check on shared memory read in the parent process
  * CVE-2020-6797 (bmo#1596668) (MacOS X only)
    Extensions granted downloads.open permission could open arbitrary
    applications on Mac OSX
  * CVE-2020-6798 (bmo#1602944)
    Incorrect parsing of template tag could result in JavaScript injection
  * CVE-2020-6799 (bmo#1606596) (Windows only)
    Arbitrary code execution when opening pdf links from other
    applications, when Firefox is configured as default pdf reader
  * CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
    bmo#1608580,bmo#1608785,bmo#1605777)
    Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
  * CVE-2020-6801 (bmo#1601024,bmo#1601712,bmo#1604836,bmo#1606492)
    Memory safety bugs fixed in Firefox 73
- updated requirements
  * rust >= 1.39
  * NSS >= 3.49.2
  * rust-cbindgen >= 0.12.0
- rebased patches
- removed obsolete patch
  * mozilla-bmo1601707.patch

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=802
2020-02-12 14:14:39 +00:00
Wolfgang Rosenauer
214938d990 - Mozilla Firefox 72.0.1
- Mozilla Firefox 72.0
  * block fingerprinting scripts by default
  * new notification pop-ups
  * Picture-in-picture video
  MFSA 2020-01
  * CVE-2019-17016 (bmo#1599181)
    Bypass of @namespace CSS sanitization during pasting
  * CVE-2019-17017 (bmo#1603055)
    Type Confusion in XPCVariant.cpp
  * CVE-2019-17020 (bmo#1597645)
    Content Security Policy not applied to XSL stylesheets applied
    to XML documents
  * CVE-2019-17022 (bmo#1602843)
    CSS sanitization does not escape HTML tags
  * CVE-2019-17023 (bmo#1590001) (fixed in NSS FIXME)
    NSS may negotiate TLS 1.2 or below after a TLS 1.3
    HelloRetryRequest had been sent
  * CVE-2019-17024 (bmo#1507180,bmo#1595470,bmo#1598605,bmo#1601826)
    Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
  * CVE-2019-17025 (bmo#1328295,bmo#1328300,bmo#1590447,bmo#1590965,
    bmo#1595692,bmo#1597321,bmo#1597481)
    Memory safety bugs fixed in Firefox 72
- update create-tar.sh to skip compare-locales
- requires NSPR 4.24 and NSS 3.48
- removed usage of browser-plugins convention for NPAPI plugins
  from start wrapper and changed the RPM macro to the
  /usr/$LIB/mozilla/plugins location (boo#1160302)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=793
2020-01-08 11:59:18 +00:00
Wolfgang Rosenauer
4685228ce1 - Mozilla Firefox 70.0
  * more privacy protections from Enhanced Tracking Protection
  * Firefox Lockwise password manager
  * Improvements to core engine components, for better browsing on more sites
  * Improved privacy and security indicators
  MFSA 2019-34
  * CVE-2018-6156 (bmo#1480088)
    Heap buffer overflow in FEC processing in WebRTC
  * CVE-2019-15903 (bmo#1584907)
    Heap overflow in expat library in XML_GetCurrentLineNumber
  * CVE-2019-11757 (bmo#1577107)
    Use-after-free when creating index updates in IndexedDB
  * CVE-2019-11759 (bmo#1577953)
    Stack buffer overflow in HKDF output
  * CVE-2019-11760 (bmo#1577719)
    Stack buffer overflow in WebRTC networking
  * CVE-2019-11761 (bmo#1561502)
    Unintended access to a privileged JSONView object
  * CVE-2019-11762 (bmo#1582857)
    document.domain-based origin isolation has same-origin-property violation
  * CVE-2019-11763 (bmo#1584216)
    Incorrect HTML parsing results in XSS bypass technique
  * CVE-2019-11765 (bmo#1562582)
    Incorrect permissions could be granted to a website
  * CVE-2019-17000 (bmo#1441468)
    CSP bypass using object tag with data: URI
  * CVE-2019-17001 (bmo#1587976)
    CSP bypass using object tag when script-src 'none' is specified
  * CVE-2019-17002 (bmo#1561056)
    upgrade-insecure-requests was not being honored for links dragged and dropped

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=786
2019-10-25 09:13:30 +00:00
Wolfgang Rosenauer
c09b76bede - Mozilla Firefox 69.0
  * Enhanced Tracking Protection (ETP) for stronger privacy protections
  * Block Autoplay feature is enhanced to give users the option to block
    any video
  * Users in the US or using the en-US browser, can get a new “New Tab”
    page experience connecting to the best of Pocket's content.
  * Support for the Web Authentication HmacSecret extension via
    Windows Hello introduced.
  * Support for receiving multiple video codecs with this release makes
    it easier for WebRTC conferencing services to mix video from
    different clients.
- requires
  * rust/cargo >= 1.35
  * rust-cbindgen >= 0.9.0
  * mozilla-nss >= 3.45
- rebased patches
  * mozilla-bmo1504834-part1.patch (currently unused as it breaks LE)
  * mozilla-bmo1504834-part2.patch (currently unused as it breaks LE)
  * mozilla-bmo1504834-part3.patch (currently unused as it breaks LE)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=765
2019-09-09 06:28:12 +00:00
Wolfgang Rosenauer
f633f8cbba - Mozilla Firefox 68.1.0
  MFSA 2019-26
  * CVE-2019-11751 (bmo#1572838; Windows only)
    Malicious code execution through command line parameters
  * CVE-2019-11746 (bmo#1564449)
    Use-after-free while manipulating video
  * CVE-2019-11744 (bmo#1562033)
    XSS by breaking out of title and textarea elements using innerHTML
  * CVE-2019-11742 (bmo#1559715)
    Same-origin policy violation with SVG filters and canvas to steal
    cross-origin images
  * CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only)
    File manipulation and privilege escalation in Mozilla Maintenance Service
  * CVE-2019-11753 (bmo#1574980; Windows only)
    Privilege escalation with Mozilla Maintenance Service in custom
    Firefox installation location
  * CVE-2019-11752 (bmo#1501152)
    Use-after-free while extracting a key value in IndexedDB
  * CVE-2019-9812 (bmo#1538008, bmo#1538015)
    Sandbox escape through Firefox Sync
  * CVE-2019-11743 (bmo#1560495)
    Cross-origin access to unload event attributes
  * CVE-2019-11748 (bmo#1564588)
    Persistence of WebRTC permissions in a third party context
  * CVE-2019-11749 (bmo#1565374)
    Camera information available without prompting using getUserMedia
  * CVE-2019-11750 (bmo#1568397)
    Type confusion in Spidermonkey
  * CVE-2019-11738 (bmo#1452037)
    Content security policy bypass through hash-based sources in directives

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=760
2019-09-04 08:35:37 +00:00
Wolfgang Rosenauer
6dafe68fc5 - Mozilla Firefox 68.0
  * Dark mode in reader view
  * Improved extension security and discovery
  * Cryptomining and fingerprinting protections are added to strict
    content blocking settings in Privacy & Security preferences
  * Camera and microphone access now require an HTTPS connection
  MFSA 2019-21 (bsc#1140868)
  * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
    Sandbox escape via installation of malicious languagepack
  * CVE-2019-11711 (bmo#1552541)
    Script injection within domain through inner window reuse
  * CVE-2019-11712 (bmo#1543804)
    Cross-origin POST requests can be made with NPAPI plugins by
    following 308 redirects
  * CVE-2019-11713 (bmo#1528481)
    Use-after-free with HTTP/2 cached stream
  * CVE-2019-11714 (bmo#1542593)
    NeckoChild can trigger crash when accessed off of main thread
  * CVE-2019-11729 (bmo#1515342)
    Empty or malformed p256-ECDH public keys may trigger a segmentation fault
  * CVE-2019-11715 (bmo#1555523)
    HTML parsing error can contribute to content XSS
  * CVE-2019-11716 (bmo#1552632)
    globalThis not enumerable until accessed
  * CVE-2019-11717 (bmo#1548306)
    Caret character improperly escaped in origins
  * CVE-2019-11718 (bmo#1408349)
    Activity Stream writes unsanitized content to innerHTML
  * CVE-2019-11719 (bmo#1540541)
    Out-of-bounds read when importing curve25519 private key

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=748
2019-07-09 21:21:11 +00:00
Wolfgang Rosenauer
8cd65e5d45 - Mozilla Firefox 67.0
  * Firefox 67 will be able to run different Firefox installs side by side
    https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/
  * Tabs can now be pinned from the Page Actions menu in the address bar
  * Users can block known cryptominers and fingerprinters in the
    Custom settings or their Content Blocking preferences
  * The Import Data from Another Browser feature is now also available
    from the File menu
  * Firefox will now protect you against running older versions which
    can lead to data corruption and stability issues
  * Easier access to your list of saved logins from the main menu and
    login autocomplete
  * We’ve added a toolbar menu for your Firefox Account to provide more
    transparency for when you are synced, sharing data across devices
    and with Firefox. Personalize the appearance of the menu with your
    own avatar
  * Enable FIDO U2F API, and permit registrations for Google Accounts
  * Enabled AV1 support on Linux
  MFSA 2019-13
  * CVE-2019-9815 (bmo#1546544)
    Disable hyperthreading on content JavaScript threads on macOS
  * CVE-2019-9816 (bmo#1536768)
    Type confusion with object groups and UnboxedObjects
  * CVE-2019-9817 (bmo#1540221)
    Stealing of cross-domain images using canvas
  * CVE-2019-9818 (bmo#1542581) (Windows only)
    Use-after-free in crash generation server
  * CVE-2019-9819 (bmo#1532553)
    Compartment mismatch with fetch API
  * CVE-2019-9820 (bmo#1536405)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=736
2019-05-22 20:38:29 +00:00
Wolfgang Rosenauer
935818b21a - Mozilla Firefox 66.0
  * Increased content processes to 8
  * Added capability to search through open tabs from the tab overflow menu
  * New backend for the storage.local WebExtensions API, providing
    I/O performance improvements when the extension updates a small
    subset of the stored data
  * WebExtension keyboard shortcuts can now be managed or overridden
    from about:addons
  * Improved scrolling behavior: Firefox will now attempt to keep content
    from jumping around while a page is loading by supporting scroll
    anchoring
  * New about:privatebrowsing with search
  * A certificate error page now notifies the user of the name of the
    certificate issuer that breaks HTTPS connections on intercepted
    connections to help troubleshooting possible anti-virus software
    issues.
  * Fixed a performance issue some Linux users experienced with the
    Downloads panel (bmo#1517101)
  * Firefox now blocks all autoplay media with sound by default. Users
    can add individual sites to an exceptions list or turn the blocking
    off.
  * System title bar is hidden by default to match Gnome guideline
  MFSA 2019-07 (bsc#1129821)
  * CVE-2019-9790 (bmo#1525145)
    Use-after-free when removing in-use DOM elements
  * CVE-2019-9791 (bmo#1530958)
    Type inference is incorrect for constructors entered through on-stack
    replacement with IonMonkey
  * CVE-2019-9792 (bmo#1532599)
    IonMonkey leaks JS_OPTIMIZED_OUT magic value to script

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=723
2019-03-19 22:01:55 +00:00
Wolfgang Rosenauer
cd3a885859 missing proper changelog before Factory submission
- Mozilla Firefox 65.0
- requires
  NSS 3.41
  rust/cargo 1.30
  rust-cbindgen 0.6.7
- rebased patches

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=709
2019-01-29 18:07:12 +00:00
Wolfgang Rosenauer
7766ab4eee - update to Firefox 64.0
  * Better recommendations: You may see suggestions in regular browsing
    mode for new and relevant Firefox features, services, and extensions
    based on how you use the web (for US users only)
  * Enhanced tab management: You can now select multiple tabs from the
    tab bar and close, move, bookmark, or pin them quickly and easily
  * Easier performance management: The new Task Manager page found at
    about:performance lets you see how much energy each open tab consumes
    and provides access to close tabs to conserve power
  * Improved performance for Mac and Linux users, by enabling link time
    optimization (Clang LTO).
  * Added option to remove add-ons using the context menu on their
    toolbar buttons
  * RSS feed preview and live bookmarks are available only via add-ons
  * TLS certificates issued by Symantec are no longer trusted by Firefox.
    Website operators are strongly encouraged to replace any remaining
    Symantec TLS certificates as soon as possible
  MFSA 2018-29 (bsc#1119105)
  * CVE-2018-12407 bmo#1505973
    Buffer overflow with ANGLE library when using VertexBuffer11 module
  * CVE-2018-17466 bmo#1488295
    Buffer overflow and out-of-bounds read in ANGLE library with
    TextureStorage11
  * CVE-2018-18492 bmo#1499861
    Use-after-free with select element
  * CVE-2018-18493 bmo#1504452
    Buffer overflow in accelerated 2D canvas with Skia
  * CVE-2018-18494 bmo#1487964
    Same-origin policy violation using location attribute and
    performance.getEntries to steal cross-origin URLs

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=699
2018-12-12 11:35:28 +00:00
Wolfgang Rosenauer
297e7a3a3b - update to Firefox 63.0
  * WebExtensions now run in their own process on Linux
  * The Ctrl+Tab shortcut now displays thumbnail previews of your
    tabs and cycles through tabs in recently used order. This new
    default behavior is activated only in new profiles and can be
    changed in preferences.
  * Added support for Web Components custom elements and shadow DOM
- requires NSPR 4.20, NSS 3.39 and Rust 1.28

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=691
2018-10-29 15:21:53 +00:00