* Added a policy engine that allows customized Firefox deployments
in enterprise environments, using Windows Group Policy or a
cross-platform JSON file
* Applied Quantum CSS to render browser UI
* Added support for Web Authentication, allowing the use of USB
tokens for authentication to web sites
* Locale added: Occitan (oc)
- removed obsolete patches
0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
- requires NSPR 4.19 and NSS 3.36.1
- requires rust 1.24 or higher
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=655
* Invalid page rendering with hardware acceleration enabled (bmo#1435472)
* Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites
that use those keys with resistFingerprinting enabled (bmo#1433592)
* High CPU / memory churn caused by third-party software on some
computers (bmo#1446280)
* Users who have configured an "automatic proxy configuration URL"
and want to reload their proxy settings from the URL will find
the Reload button disabled in the Connection Settings dialog when
they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
* URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
* User's trying to cancel a print around the time it completes will
continue to get intermittent crashes (bmo#1441598)
MFSA 2018-10 (bsc#1087059)
* CVE-2018-5148 (bmo#1440717)
Use-after-free in compositor
- removed obsolete patch mozilla-bmo1446062.patch
* mozilla-i586-domPrefs.patch - DOMPrefs.h
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=642
yet another small tweak to have really all fixes in place also for ARM (libtremor) which was left out from the upstream Firefox tag (and only applied to the Fennec one)
- update to Firefox 59.0.1 (bsc#1085671)
MFSA 2018-08
* CVE-2018-5146 (bmo#1446062)
Vorbis audio processing out of bounds write
* CVE-2018-5147 (bmo#1446365)
Out of bounds memory write in libtremor
(mozilla-bmo1446062.patch)
- Added patch:
* mozilla-bmo1005535.patch:
Enable skia_gpu on big endian platforms.
- update to Firefox 59.0
* Performance enhancements
* Drag-and-drop to rearrange Top Sites on the Firefox Home page
* added features for Firefox Screenshots
* Enhanced WebExtensions API
* Improved RTC capabilities
MFSA 2018-06 (bsc#1085130)
* CVE-2018-5127 (bmo#1430557)
Buffer overflow manipulating SVG animatedPathSegList
* CVE-2018-5128 (bmo#1431336)
Use-after-free manipulating editor selection ranges
* CVE-2018-5129 (bmo#1428947)
Out-of-bounds write with malformed IPC messages
* CVE-2018-5130 (bmo#1433005)
Mismatched RTP payload type can trigger memory corruption
* CVE-2018-5131 (bmo#1440775)
Fetch API improperly returns cached copies of no-store/no-cache resources
* CVE-2018-5132 (bmo#1408194)
OBS-URL: https://build.opensuse.org/request/show/588116
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=267
MFSA 2018-05
* Arbitrary code execution through unsanitized browser UI (bmo#1432966)
- fixed language packs (boo#1077590)
- readd mozilla-enable-csd.patch as it only lands for FF59 upstream
- allow larger number of nested elements (mozilla-bmo256180.patch)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=630
MFSA 2018-02
* CVE-2018-5091 (bmo#1423086)
Use-after-free with DTMF timers
* CVE-2018-5092 (bmo#1418074)
Use-after-free in Web Workers
* CVE-2018-5093 (bmo#1415291)
Buffer overflow in WebAssembly during Memory/Table resizing
* CVE-2018-5094 (bmo#1415883)
Buffer overflow in WebAssembly with garbage collection on
uninitialized memory
* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener
* CVE-2018-5100 (bmo#1417405)
Use-after-free when IsPotentiallyScrollable arguments are freed
from memory
* CVE-2018-5101 (bmo#1417661)
Use-after-free with floating first-letter style elements
* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=629
- update to Firefox 57.0.4
MFSA 2018-1: Speculative execution side-channel attack ("Spectre")
(boo#1074723)
- fixed regression introduced Oct 10th which made Firefox crash
when cancelling the KDE file dialog (boo#1069962)
- Mozilla Firefox 57.0.3:
* Fix a crash reporting issue that inadvertently sends background
tab crash reports to Mozilla without user opt-in (bmo#1427111,
bsc#1074235)
- Includes changes from 57.0.2:
* fixes for platforms other than GNU/Linux
OBS-URL: https://build.opensuse.org/request/show/561754
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=263
- Explicitly buildrequires python2-xml: The build system relies on
it. We wrongly relied on other packages pulling it in for us.
- Escape the usage of %{VERSION} when calling out to rpm.
RPM 4.14 has %{VERSION} defined as 'the main packages version'.
* CVE-2017-7843: Web worker in Private Browsing mode can write
IndexedDB data (bsc#1072034, bmo#1410106)
* CVE-2017-7844: Visited history information leak through SVG
image (bsc#1072036, bmo#1420001)
OBS-URL: https://build.opensuse.org/request/show/555866
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=262
- Add mozilla-bmo1360278.patch
Starting with Firefox 57, the context menu appears on key press.
This patch creates a config entry to restore the
old behaviour. Without the patch, the mouse gesture extensions
require 2 clicks to work (bmo#1360278).
The new config entry is named ui.context_menus.after_mouseup
(default : false).
- Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled
widget.allow-client-side-decoration=true
(mozilla-bmo1399611-csd.patch)
OBS-URL: https://build.opensuse.org/request/show/545695
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=260
- update to Firefox 57.0 (boo#1068101)
* Firefox Quantum
* Photon UI
* Unified address and search bar
* AMD VP9 hardware video decoder support
* Added support for Date/Time input
* stricter security sandbox blocking filesystem reading and
writing on Linux systems
* middle mouse paste in the content area no longer navigates to
URLs by default on Unix systems
MFSA 2017-24
* CVE-2017-7828 (bmo#1406750. bmo#1412252)
Use-after-free of PressShell while restyling layout
* CVE-2017-7830 (bmo#1408990)
Cross-origin URL information leak through Resource Timing API
* CVE-2017-7831 (bmo#1392026)
Information disclosure of exposed properties on JavaScript proxy
objects
* CVE-2017-7832 (bmo#1408782)
Domain spoofing through use of dotless 'i' character followed
by accent markers
* CVE-2017-7833 (bmo#1370497)
Domain spoofing with Arabic and Indic vowel marker characters
* CVE-2017-7834 (bmo#1358009)
data: URLs opened in new tabs bypass CSP protections
* CVE-2017-7835 (bmo#1402363)
Mixed content blocking incorrectly applies with redirects
* CVE-2017-7836 (bmo#1401339)
Pingsender dynamically loads libcurl on Linux and OS X
* CVE-2017-7837 (bmo#1325923)
OBS-URL: https://build.opensuse.org/request/show/541950
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=259
* Firefox Quantum
* Photon UI
* Unified address and search bar
* AMD VP9 hardware video decoder support
* Added support for Date/Time input
* stricter security sandbox blocking filesystem reading and
writing on Linux systems
* middle mouse paste in the content area no longer navigates to
URLs by default on Unix systems
MFSA 2017-24
* CVE-2017-7828 (bmo#1406750. bmo#1412252)
Use-after-free of PressShell while restyling layout
* CVE-2017-7830 (bmo#1408990)
Cross-origin URL information leak through Resource Timing API
* CVE-2017-7831 (bmo#1392026)
Information disclosure of exposed properties on JavaScript proxy
objects
* CVE-2017-7832 (bmo#1408782)
Domain spoofing through use of dotless 'i' character followed
by accent markers
* CVE-2017-7833 (bmo#1370497)
Domain spoofing with Arabic and Indic vowel marker characters
* CVE-2017-7834 (bmo#1358009)
data: URLs opened in new tabs bypass CSP protections
* CVE-2017-7835 (bmo#1402363)
Mixed content blocking incorrectly applies with redirects
* CVE-2017-7836 (bmo#1401339)
Pingsender dynamically loads libcurl on Linux and OS X
* CVE-2017-7837 (bmo#1325923)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=610
* Disable Form Autofill completely on user request (bmo#1404531)
* Fix for video-related crashes on Windows 7 (bmo#1409141)
* Correct detection for 64-bit GSSAPI authentication (bmo#1409275)
* Fix for shutdown crash (bmo#1404105)
- update to Firefox 56.0.1
* Block D3D11 when using Intel drivers on Windows 7 systems with
partial AVX support (bmo#1403353)
-> just to sync the version number
- enable stylo for TW (requires LLVM >= 3.9)
- queue KDE filepicker requests to avoid non-opening file dialogs
happening in certain situations (contributed by Ignaz Forster)
- the placeholder dot in KDE file dialog in case of empty filenames
was removed, apparently not required (anymore)
(contributed by Ignaz Forster)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=609
- Correct plugin directory for aarch64 (boo#1061207). The wrapper
script was not detecting aarch64 as a 64 bit architecture, thus
used /usr/lib/browser-plugins/.
- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
looks for.
- update to Firefox 56.0 (boo#1060445)
* Firefox Screenshots
* Find Options/Preferences more quickly with new search function
* Media is no longer auto-played when opened in a background tab
* Enable CSS Grid Layout View
MFSA 2017-21
* CVE-2017-7793 (bmo#1371889)
Use-after-free with Fetch API
* CVE-2017-7817 (bmo#1356596) (Android-only)
Firefox for Android address bar spoofing through fullscreen mode
* CVE-2017-7818 (bmo#1363723)
Use-after-free during ARIA array manipulation
* CVE-2017-7819 (bmo#1380292)
Use-after-free while resizing images in design mode
* CVE-2017-7824 (bmo#1398381)
Buffer overflow when drawing and validating elements with ANGLE
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
Use-after-free in TLS 1.2 generating handshake hashes
* CVE-2017-7812 (bmo#1379842)
Drag and drop of malicious page content to the tab bar can open locally stored files
* CVE-2017-7814 (bmo#1376036)
OBS-URL: https://build.opensuse.org/request/show/530307
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=258
