1
0
Commit Graph

9 Commits

Author SHA256 Message Date
Wolfgang Rosenauer
8c7db35439 - Mozilla Firefox 110.0
* https://www.mozilla.org/en-US/firefox/110.0/releasenotes
  MFSA 2023-05 (bsc#1208144)
  * CVE-2023-25728 (bmo#1790345)
    Content security policy leak in violation reports using iframes
  * CVE-2023-25730 (bmo#1794622)
    Screen hijack via browser fullscreen mode
  * CVE-2023-25743 (bmo#1800203)
    Fullscreen notification not shown in Firefox Focus
  * CVE-2023-0767 (bmo#1804640)
    Arbitrary memory write via PKCS 12 in NSS
  * CVE-2023-25735 (bmo#1810711)
    Potential use-after-free from compartment mismatch in SpiderMonkey
  * CVE-2023-25737 (bmo#1811464)
    Invalid downcast in SVGUtils::SetupStrokeGeometry
  * CVE-2023-25738 (bmo#1811852)
    Printing on Windows could potentially crash Firefox with some
    device drivers
  * CVE-2023-25739 (bmo#1811939)
    Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
  * CVE-2023-25729 (bmo#1792138)
    Extensions could have opened external schemes without user knowledge
  * CVE-2023-25732 (bmo#1804564)
    Out of bounds memory write from EncodeInputStream
  * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
    Opening local .url files could cause unexpected network loads
  * CVE-2023-25740 (bmo#1812354)
    Opening local .scf files could cause unexpected network loads
  * CVE-2023-25731 (bmo#1801542)
    Prototype pollution when rendering URLPreview

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1037
2023-02-15 21:11:31 +00:00
Wolfgang Rosenauer
b45fd771cd - Mozilla Firefox 109.0
MFSA 2023-01 (bsc#1207119)
  * CVE-2023-23597 (bmo#1538028)
    Logic bug in process allocation allowed to read arbitrary
    files
  * CVE-2023-23598 (bmo#1800425)
    Arbitrary file read from GTK drag and drop on Linux
  * CVE-2023-23599 (bmo#1777800)
    Malicious command could be hidden in devtools output on
    Windows
  * CVE-2023-23600 (bmo#1787034)
    Notification permissions persisted between Normal and Private
    Browsing on Android
  * CVE-2023-23601 (bmo#1794268)
    URL being dragged from cross-origin iframe into same tab
    triggers navigation
  * CVE-2023-23602 (bmo#1800890)
    Content Security Policy wasn't being correctly applied to
    WebSockets in WebWorkers
  * CVE-2023-23603 (bmo#1800832)
    Calls to <code>console.log</code> allowed bypasing Content
    Security Policy via format directive
  * CVE-2023-23604 (bmo#1802346)
    Creation of duplicate <code>SystemPrincipal</code> from less
    secure contexts
  * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
    Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
  * CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201,
    bmo#1800446, bmo#1801248, bmo#1802100, bmo#1803393,
    bmo#1804626, bmo#1804971, bmo#1807004)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1033
2023-01-18 07:21:07 +00:00
Wolfgang Rosenauer
da3e0c974f - Mozilla Firefox 99.0
* You can now toggle Narrate in ReaderMode with the keyboard
    shortcut "n."
  * You can find added support for search—with or without
    diacritics—in the PDF viewer.
  * The Linux sandbox has been strengthened: processes exposed to web
    content no longer have access to the X Window system (X11).
  * Firefox now supports credit card autofill and capture in
    Germany and France.
  MFSA 2022-13 (bsc#1197903)
  * CVE-2022-1097 (bmo#1745667)
    Use-after-free in NSSToken objects
  * CVE-2022-28281 (bmo#1755621)
    Out of bounds write due to unexpected WebAuthN Extensions
  * CVE-2022-28282 (bmo#1751609)
    Use-after-free in DocumentL10n::TranslateDocument
  * CVE-2022-28283 (bmo#1754066)
    Missing security checks for fetching sourceMapURL
  * CVE-2022-28284 (bmo#1754522)
    Script could be executed via svg's use element
  * CVE-2022-28285 (bmo#1756957)
    Incorrect AliasSet used in JIT Codegen
  * CVE-2022-28286 (bmo#1735265)
    iframe contents could be rendered outside the border
  * CVE-2022-28287 (bmo#1741515)
    Text Selection could crash Firefox
  * CVE-2022-24713 (bmo#1758509)
    Denial of Service via complex regular expressions
  * CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508,
    bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=970
2022-04-05 20:51:21 +00:00
Wolfgang Rosenauer
abe4d87b4e - Mozilla Firefox 96.0
* https://www.mozilla.org/en-US/firefox/96.0/releasenotes
  MFSA 2022-01 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071)
    Calling into reportValidity could have lead to fullscreen
    window spoof
  * CVE-2022-22743 (bmo#1739220)
    Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923)
    Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389)
    Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334)
    Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382)
    Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874)
    Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720)
    Iframe sandbox bypass with XSLT
  * CVE-2022-22750 (bmo#1566608)
    IPC passing of resource handles could have lead to sandbox
    bypass
  * CVE-2022-22749 (bmo#1705094)
    Lack of URL restrictions when scanning QR codes
  * CVE-2022-22748 (bmo#1705211)
    Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856)
    Leaking cross-origin URLs through securitypolicyviolation
    event

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=951
2022-01-11 22:06:33 +00:00
Wolfgang Rosenauer
79dbc14d01 - Mozilla Firefox 95.0
* You can now move the Picture-in-Picture toggle button to the
    opposite side of the video. Simply look for the new context menu
    option Move Picture-in-Picture Toggle to Left (Right) Side.
  * To better protect Firefox users against side-channel attacks such
    as Spectre, Site Isolation is now enabled for all Firefox 95 users.
  * https://www.mozilla.org/en-US/firefox/95.0/releasenotes
  MFSA 2021-52 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * MOZ-2021-0010 (bmo#1735852)
    Use-after-free in fullscreen objects on MacOS
  * CVE-2021-43540 (bmo#1636629)
    WebExtensions could have installed persistent ServiceWorkers
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43544 (bmo#1739934)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=947
2021-12-07 21:12:25 +00:00
Wolfgang Rosenauer
9b2c9b32ce - Mozilla Firefox 88.0
* New: PDF forms now support JavaScript embedded in PDF files.
    Some PDF forms use JavaScript for validation and other
    interactive features
  * New: Print updates: Margin units are now localized
  * New: Smooth pinch-zooming using a touchpad is now supported
    on Linux
  * New: To protect against cross-site privacy leaks, Firefox now
    isolates window.name data to the website that created it.
    Learn more
  * Changed: Firefox will not prompt for access to your
    microphone or camera if you’ve already granted access to the
    same device on the same site in the same tab within the past
    50 seconds. This new grace period reduces the number of times
    you’re prompted to grant device access
  * Changed: The ‘Take a Screenshot’ feature was removed from the
    Page Actions menu in the url bar. To take a screenshot,
    right-click to open the context menu. You can also add a
    screenshots shortcut directly to your toolbar via the
    Customize menu. Open the Firefox menu and select Customize…
  * Changed: FTP support has been disabled, and its full removal
    is planned for an upcoming release. Addressing this security
    risk reduces the likelihood of an attack while also removing
    support for a non-encrypted protocol
  * Developer: Introduced a new toggle button in the Network
    panel for switching between JSON formatted HTTP response and
    raw data (as received over the wire).
    !enter image description here
  * Enterprise: Various bug fixes and new policies have been
    implemented in the latest version of Firefox. You can see

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=904
2021-04-20 07:57:25 +00:00
Wolfgang Rosenauer
e8a1c7a40b - Mozilla Firefox 86.0
* requires NSS >= 3.61
  * requires rust-cbindgen >= 0.16.0
  * Firefox now supports simultaneously watching multiple videos in
    Picture-in-Picture.
  * Total Cookie Protection to Strict Mode
  * https://www.mozilla.org/en-US/firefox/86.0/releasenotes
  MSFA 2021-07 (bsc#1182614)
  * CVE-2021-23969 (bmo#1542194)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23970 (bmo#1681724)
    Multithreaded WASM triggered assertions validating separation
    of script domains
  * CVE-2021-23968 (bmo#1687342)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23974 (bmo#1528997, bmo#1683627)
    noscript elements could have led to an HTML Sanitizer bypass
  * CVE-2021-23971 (bmo#1678545)
    A website's Referrer-Policy could have been be overridden,
    potentially resulting in the full URL being sent as a Referrer
  * CVE-2021-23976 (bmo#1684627)
    Local spoofing of web manifests for arbitrary pages in
    Firefox for Android
  * CVE-2021-23977 (bmo#1684761)
    Malicious application could read sensitive data from Firefox
    for Android's application directories
  * CVE-2021-23972 (bmo#1683536)
    HTTP Auth phishing warning was omitted when a redirect is

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=895
2021-02-24 11:49:39 +00:00
Wolfgang Rosenauer
ee9c609811 - Mozilla Firefox 85.0
* Adobe Flash is completely history
  * supercookie protection
  * new bookmark handling and features
  MFSA 2021-03 (bsc#1181414)
  * CVE-2021-23953 (bmo#1683940)
    Cross-origin information leakage via redirected PDF requests
  * CVE-2021-23954 (bmo#1684020)
    Type confusion when using logical assignment operators in
    JavaScript switch statements
  * CVE-2021-23955 (bmo#1684837)
    Clickjacking across tabs through misusing requestPointerLock
  * CVE-2021-23956 (bmo#1338637)
    File picker dialog could have been used to disclose a
    complete directory
  * CVE-2021-23957 (bmo#1584582)
    Iframe sandbox could have been bypassed on Android via the
    intent URL scheme
  * CVE-2021-23958 (bmo#1642747)
    Screen sharing permission leaked across tabs
  * CVE-2021-23959 (bmo#1659035)
    Cross-Site Scripting in error pages on Firefox for Android
  * CVE-2021-23960 (bmo#1675755)
    Use-after-poison for incorrectly redeclared JavaScript
    variables during GC
  * CVE-2021-23961 (bmo#1677940)
    More internal network hosts could have been probed by a
    malicious webpage
  * CVE-2021-23962 (bmo#1677194)
    Use-after-poison in

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=888
2021-01-26 21:38:39 +00:00
Wolfgang Rosenauer
70fb53e62e - Mozilla Firefox 84.0
* Firefox 84 is the final release to support Adobe Flash
  * WebRender is enabled by default when run on GNOME-based X11
    Linux desktops
  MFSA 2020-54 (bsc#1180039))
  * CVE-2020-16042 (bmo#1679003)
    Operations on a BigInt could have caused uninitialized memory
    to be exposed
  * CVE-2020-26971 (bmo#1663466)
    Heap buffer overflow in WebGL
  * CVE-2020-26972 (bmo#1671382)
    Use-After-Free in WebGL
  * CVE-2020-26973 (bmo#1680084)
    CSS Sanitizer performed incorrect sanitization
  * CVE-2020-26974 (bmo#1681022)
    Incorrect cast of StyleGenericFlexBasis resulted in a heap
    use-after-free
  * CVE-2020-26975 (bmo#1661071)
    Malicious applications on Android could have induced Firefox
    for Android into sending arbitrary attacker-specified headers
  * CVE-2020-26976 (bmo#1674343)
    HTTPS pages could have been intercepted by a registered
    service worker when they should not have been
  * CVE-2020-26977 (bmo#1676311)
    URL spoofing via unresponsive port in Firefox for Android
  * CVE-2020-26978 (bmo#1677047)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2020-26979 (bmo#1641287, bmo#1673299)
    When entering an address in the address or search bars, a

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=880
2020-12-16 22:40:17 +00:00