* Improved security of the JavaScript Just In Time (JIT) Compiler
* WebRTC fixes to improve performance and stability
* Added support for document.elementsFromPoint
* Added HKDF support for Web Crypto API
* requires NSPR 4.12 and NSS 3.22.3
* added patch to fix unchecked return value
mozilla-check_return.patch
* Gtk3 builds not supported at the moment
security fixes:
* MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807
Miscellaneous memory safety hazards
* MFSA 2016-40/CVE-2016-2809 (bmo#1212939)
Privilege escalation through file deletion by Maintenance Service updater
(Windows only)
* MFSA 2016-41/CVE-2016-2810 (bmo#1229681)
Content provider permission bypass allows malicious application
to access data (Android only)
* MFSA 2016-42/CVE-2016-2811/CVE-2016-2812 (bmo#1252330, bmo#1261776)
Use-after-free and buffer overflow in Service Workers
* MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650)
Disclosure of user actions through JavaScript with motion and
orientation sensors (only affects mobile variants)
* MFSA 2016-44/CVE-2016-2814 (bmo#1254721)
Buffer overflow in libstagefright with CENC offsets
* MFSA 2016-45/CVE-2016-2816 (bmo#1223743)
CSP not applied to pages sent with multipart/x-mixed-replace
* MFSA 2016-46/CVE-2016-2817 (bmo#1227462)
Elevation of privilege with chrome.tabs.update API in web extensions
* MFSA 2016-47/CVE-2016-2808 (bmo#1246061)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=500
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
Miscellaneous memory safety hazards
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
Local file overwriting and potential privilege escalation through
CSP reports
* MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
CSP reports fail to strip location information for embedded iframe pages
* MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
Linux video memory DOS with Intel drivers
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
Memory leak in libstagefright when deleting an array during MP4
processing
* MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
Displayed page address can be overridden
* MFSA 2016-22/CVE-2016-1959 (bmo#1234949)
Service Worker Manager out-of-bounds read in Service Worker Manager
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
Use-after-free when using multiple WebRTC data channels
* MFSA 2016-26/CVE-2016-1963 (bmo#1238440)
Memory corruption when modifying a file being read by FileReader
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
Addressbar spoofing though history navigation and Location protocol
property
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=491
* requires NSPR 4.12 / NSS 3.21.1
* Instant browser tab sharing through Hello
* Synced Tabs button in button bar
* Tabs synced via Firefox Accounts from other devices are now shown
in dropdown area of Awesome Bar when searching
* Introduce a new preference (network.dns.blockDotOnion) to allow
blocking .onion at the DNS level
* Tab Groups (Panorama) feature removed
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=490
* Improved API support for m4v video playback
* Users can opt-in to receive search suggestions from the Awesome Bar
* WebRTC streaming on multiple monitors
* User selectable second block list for Private Browsing's Tracking
Protection
security fixes:
* MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
Miscellaneous memory safety hazards
* MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
Crash with JavaScript variable assignment with unboxed objects
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
Same-origin policy violation using perfomance.getEntries and
history navigation
* MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
Firefox allows for control characters to be set in cookies
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
Use-after-free in WebRTC when datachannel is used after being
destroyed
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
Integer overflow allocating extremely large textures
* MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
Cross-origin information leak through web workers error events
* MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
Hash in data URI is incorrectly parsed
* MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
DOS due to malformed frames in HTTP/2
* MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
Linux file chooser crashes on malformed images due to flaws in
Jasper library
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=473
* Private Browsing with Tracking Protection blocks certain Web
elements that could be used to record your behavior across sites
* Control Center that contains site security and privacy controls
* Login Manager improvements
* WebRTC improvements
* Indicator added to tabs that play audio with one-click muting
* Media Source Extension for HTML5 video available for all sites
- requires NSPR 4.10.10 and NSS 3.19.4
- removed obsolete patches
* mozilla-arm-disable-edsp.patch
* mozilla-icu-strncat.patch
* mozilla-skia-be-le.patch
* toolkit-download-folder.patch
- fixed build with enable-libproxy (bmo#1220399)
* mozilla-libproxy.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=467
* Added protection against unwanted software downloads
* Suggested Tiles show sites of interest, based on categories
from your recent browsing history
* Hello allows adding a link to conversations to provide context
on what the conversation will be about
* New style for add-on manager based on the in-content
preferences style
* Improved scrolling, graphics, and video playback performance
with off main thread compositing (GNU/Linux only)
* Graphic blocklist mechanism improved: Firefox version ranges
can be specified, limiting the number of devices blocked
security fixes:
* MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
Miscellaneous memory safety hazards
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
Out-of-bounds read with malformed MP3 file
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
Use-after-free in MediaStream playback
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
Overflow issues in libstagefright
* MFSA 2015-84/CVE-2015-4481 (bmo1171518)
Arbitrary file overwriting through Mozilla Maintenance Service
with hard links (only affected Windows)
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
Out-of-bounds write with Updater and malicious MAR file
(does not affect openSUSE RPM packages which do not ship the
updater)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=454
* Share Hello URLs with social networks
* Support for 'switch' role in ARIA 1.1 (web accessibility)
* SafeBrowsing malware detection lookups enabled for downloads
(Mac OS X and Linux)
* Support for new Unicode 8.0 skin tone emoji
* Removed support for insecure SSLv3 for network communications
* Disable use of RC4 except for temporarily whitelisted hosts
* NPAPI Plug-in performance improved via asynchronous initialization
- dropped mozilla-prefer_plugin_pref.patch as this feature is
likely not worth maintaining further
- rebased patches
- require NSS 3.19.2
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=449
* mozilla-xremote-client was removed
* added libclearkey.so media plugin
* Pinned tiles on the new tab page can be synced
* Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
more scalable, and more responsive web.
* Locale added: Uzbek (uz)
- rebased patches
- requires NSS 3.17.4
- update to Firefox 35.0.1
* With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
* Kerberos authentication did not work with alias (bmo#1108971)
* SVG / CSS animation had a regression causing rendering issues on
websites like openstreemap.org (bmo#1083079)
* On Godaddy webmail, Firefox could crash (bmo#1113121)
* document.baseURI did not get updated to document.location after
base tag was removed from DOM for site with a CSP (bmo#1121857)
* With a Right-to-left (RTL) version of Firefox, the text selection
could be broken (bmo#1104036)
* CSP had a change in behavior with regard to case sensitivity
resources loading (bmo#1122445)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=422
notable features:
* Firefox Hello with new rooms-based conversations model
* Implemented HTTP Public Key Pinning Extension (for enhanced
authentication of encrypted connections)
- rebased patches
- dropped explicit support for everything older than 12.3
(including SLES11)
* merge firefox-kde.patch and firefox-kde-114.patch
* dropped mozilla-sle11.patch
- reworked specfile to build conditionally based on release channel
either Firefox or Firefox Developer Edition
- added mozilla-openaes-decl.patch to fix implicit declarations
- obsolete tracker-miner-firefox < 0.15 because it leads to startup
crashes (bnc#908892)
- rebased patches
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=419
* just a version bump for our builds
* fixed the in application update process for certain environments
(in application update is not enabled in openSUSE and Linux
is unaffected in any case)
- build with --disable-optimize for 13.1 and above for i586 to
workaround miscompilations (bnc#896624)
- update to Firefox 32.0.1
* fixed stability issues for computers with multiple graphics cards
* mixed content icon may be incorrectly displayed instead of lock
icon for SSL sites in 32.0 (
* WebRTC: setRemoteDescription() silently fails if no success
callback is specified (bmo#1063971)
- update to Firefox 32.0 (bnc#894370)
* MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562
- rebased patches
- requires NSS 3.16.4
- removed upstreamed patch
* mozilla-aarch64-bmo-810631.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=396
* MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
Miscellaneous memory safety hazards
* MFSA 2014-17/CVE-2014-1497 (bmo#966311)
Out of bounds read during WAV file decoding
* MFSA 2014-18/CVE-2014-1498 (bmo#935618)
crypto.generateCRMFRequest does not validate type of key
* MFSA 2014-19/CVE-2014-1499 (bmo#961512)
Spoofing attack on WebRTC permission prompt
* MFSA 2014-20/CVE-2014-1500 (bmo#956524)
onbeforeunload and Javascript navigation DOS
* MFSA 2014-22/CVE-2014-1502 (bmo#972622)
WebGL content injection from one domain to rendering in another
* MFSA 2014-23/CVE-2014-1504 (bmo#911547)
Content Security Policy for data: documents not preserved by
session restore
* MFSA 2014-26/CVE-2014-1508 (bmo#963198)
Information disclosure through polygon rendering in MathML
* MFSA 2014-27/CVE-2014-1509 (bmo#966021)
Memory corruption in Cairo during PDF font rendering
* MFSA 2014-28/CVE-2014-1505 (bmo#941887)
SVG filters information disclosure through feDisplacementMap
* MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909)
Privilege escalation using WebIDL-implemented APIs
* MFSA 2014-30/CVE-2014-1512 (bmo#982957)
Use-after-free in TypeObject
* MFSA 2014-31/CVE-2014-1513 (bmo#982974)
Out-of-bounds read/write through neutering ArrayBuffer objects
* MFSA 2014-32/CVE-2014-1514 (bmo#983344)
Out-of-bounds write through TypedArrayObject after neutering
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=370
* MFSA 2013-63/CVE-2013-1701/CVE-2013-1702
Miscellaneous memory safety hazards
* MFSA 2013-64/CVE-2013-1704 (bmo#883313)
Use after free mutating DOM during SetBody
* MFSA 2013-65/CVE-2013-1705 (bmo#882865)
Buffer underflow when generating CRMF requests
* MFSA 2013-67/CVE-2013-1708 (bmo#879924)
Crash during WAV audio file decoding
* MFSA 2013-68/CVE-2013-1709 (bmo#838253)
Document URI misrepresentation and masquerading
* MFSA 2013-69/CVE-2013-1710 (bmo#871368)
CRMF requests allow for code execution and XSS attacks
* MFSA 2013-70/CVE-2013-1711 (bmo#843829)
Bypass of XrayWrappers using XBL Scopes
* MFSA 2013-72/CVE-2013-1713 (bmo#887098)
Wrong principal used for validating URI for some Javascript
components
* MFSA 2013-73/CVE-2013-1714 (bmo#879787)
Same-origin bypass with web workers and XMLHttpRequest
* MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file system
- requires NSPR 4.10 and NSS 3.15
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=345
- license change from tri license to MPL-2.0
- fix crashreporter restart option (bmo#762780)
- reenabled mozilla-yarr-pcre.patch to fix build for PPC
- require NSS 3.13.5
- remove mozjs pacrunner obsoletes again for now
- adopted mozilla-prefer_plugin_pref.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=284
* rebased patches
- added mozilla-libnotify.patch to allow fallback from libnotify
to xul based events if no notification-daemon is running
- gcc 4.7 fixes
* mozilla-gcc47.patch
* disabled crashreporter temporarily for Factory
- recommend libcanberra0 for proper sound notifications
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=270
* MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
Miscellaneous memory safety hazards
* MFSA 2012-03/CVE-2012-0445 (bmo#701071)
<iframe> element exposed across domains via name attribute
* MFSA 2012-04/CVE-2011-3659 (bmo#708198)
Child nodes from nsDOMAttribute still accessible after removal
of nodes
* MFSA 2012-05/CVE-2012-0446 (bmo#705651)
Frame scripts calling into untrusted objects bypass security
checks
* MFSA 2012-06/CVE-2012-0447 (bmo#710079)
Uninitialized memory appended when encoding icon images may
cause information disclosure
* MFSA 2012-07/CVE-2012-0444 (bmo#719612)
Potential Memory Corruption When Decoding Ogg Vorbis files
* MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
Crash with malformed embedded XSLT stylesheets
- KDE integration has been disabled since it needs refactoring
- removed obsolete ppc64 patch
- Disable neon for arm as it doesn't build correctly
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=252
* MFSA 2011-47/CVE-2011-3648 (bmo#690225)
Potential XSS against sites using Shift-JIS
* MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
Miscellaneous memory safety hazards
* MFSA 2011-49/CVE-2011-3650 (bmo#674776)
Memory corruption while profiling using Firebug
* MFSA 2011-52/CVE-2011-3655 (bmo#672182)
Code execution via NoWaiverWrapper
- rebased patches
- enable telemetry prompt
- set intl.locale.matchOS=true in the base package as it causes
too much confusion when it's only available with branding-openSUSE
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=237