- MozillaFirefox 98.0.2:
* Fixed: Fixed an issue preventing users from typing in Address
Bar after opening new tab and pressing cmd + enter
(bmo#1757376)
* Fixed: Fixed an issue causing some users to crash in out-of-
memory conditions (bmo#1757618)
* Fixed: Fixed an issue in session history which caused some
sites to fail to load (bmo#1758664)
* Fixed: Fixed an add-on specific compatibility issue
(bmo#1759162)
- Change mozilla-kde.patch to follow the GNOME registry
behavior for new MIME types to avoid opening downloaded files
without any inquiries (bsc#1197319)
- Add patch to fix start-up on aarch64:
* mozilla-bmo1757571.patch
- exclude slow cpus for building
- Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer,
faster buildhosts, as the others struggle to build FF.
- Mozilla Firefox 98.0.1:
* Yandex and Mail.ru have been removed as optional search
providers in the drop-down search menu in Firefox
OBS-URL: https://build.opensuse.org/request/show/964778
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=362
Change mozilla-kde.patch to follow the GNOME registry behavior for new MIME types to avoid opening downloaded files without any inquiries (bsc#1197319)
In Firefox 98.0, improvements to the download panel have been made to just download files instead of asking the user what to do with them. Unfortunately this causes some unwanted behavior inside nsKDERegistry as its unconditional call to the function
mimeInfo->SetPreferredAction(nsIMIMEInfo::useSystemDefault);
results in the browser opening many file types after download without any inquiries.
By replacing this unconditional call with the conditional one found in nsGNOMERegistry as of 98.0, this issue can be avoided:
3b6a1dc7fb/uriloader/exthandler/unix/nsGNOMERegistry.cpp (L98)
If you have any suggestions for improvement, please let me know!
OBS-URL: https://build.opensuse.org/request/show/964625
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=967
- Mozilla Firefox 98.0
* Firefox has a new optimized download flow
* other changes as documented here
https://www.mozilla.org/en-US/firefox/98.0/releasenotes
MFSA 2022-10 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421)
Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352)
iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979)
Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243)
Use-after-free in text reflows
* CVE-2022-26382 (bmo#1741888)
Autofill Text could be exfiltrated via side-channel attacks
* CVE-2022-26385 (bmo#1747526)
Use-after-free in thread shutdown
* CVE-2022-0843 (bmo#1746523, bmo#1749062, bmo#1749164, bmo#1749214,
bmo#1749610, bmo#1750032, bmo#1752100, bmo#1752405, bmo#1753612,
bmo#1754508)
Memory safety bugs fixed in Firefox 98
- requires NSS 3.75
- add mozilla-bmo1756347.patch to fix i586 build
- Remove bashisms ("source" and "function" keywords) from
mozilla.sh.in to ally with the #!/bin/sh shebang. If the end user
has either dash-sh package or busybox-sh to handle Bourn Shell
scripts rather than having bash-sh package, the script would
fail. Using "." instead of "source" and "create_langpack_link()"
function definition is enough to keep both sides sane,
OBS-URL: https://build.opensuse.org/request/show/960656
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=361
- Mozilla Firefox 97.0
MFSA 2022-04 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during update
* CVE-2022-22755 (bmo#1309630)
XSL could have allowed JavaScript execution after a tab was closed
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22757 (bmo#1720098)
Remote Agent did not prevent local websites from connecting
* CVE-2022-22758 (bmo#1728742)
tel: links could have sent USSD codes to the dialer on
Firefox for Android
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22762 (bmo#1743931)
JavaScript Dialogs could have been displayed over other
domains on Firefox for Android
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
bmo#1748210, bmo#1748279)
OBS-URL: https://build.opensuse.org/request/show/952887
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=359
MFSA 2022-04 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during update
* CVE-2022-22755 (bmo#1309630)
XSL could have allowed JavaScript execution after a tab was closed
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22757 (bmo#1720098)
Remote Agent did not prevent local websites from connecting
* CVE-2022-22758 (bmo#1728742)
tel: links could have sent USSD codes to the dialer on
Firefox for Android
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22762 (bmo#1743931)
JavaScript Dialogs could have been displayed over other
domains on Firefox for Android
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
bmo#1748210, bmo#1748279)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=958
- disable ccache, this adds about 1 minute of build time and
over 2 GB of disk space usage without benefit on OBS builds
- build with rust-simd like upstream does
- use -g1 for debuginfo generation as this is what upstream
does as well and it saves ~ 2GB of writes
- use %limit on x86_64 to scale down to less capable workers
- disable install stripping so that debuginfo is useful
- use autopatch
- cleanup constraints to specify only jobs, physicalmemory
and memoryperjob to be more flexible on which host to build
on
OBS-URL: https://build.opensuse.org/request/show/951346
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=956
- Mozilla Firefox 96.0
* https://www.mozilla.org/en-US/firefox/96.0/releasenotes
MFSA 2022-01 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071)
Calling into reportValidity could have lead to fullscreen
window spoof
* CVE-2022-22743 (bmo#1739220)
Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923)
Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389)
Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334)
Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382)
Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874)
Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720)
Iframe sandbox bypass with XSLT
* CVE-2022-22750 (bmo#1566608)
IPC passing of resource handles could have lead to sandbox
bypass
* CVE-2022-22749 (bmo#1705094)
Lack of URL restrictions when scanning QR codes
* CVE-2022-22748 (bmo#1705211)
Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856)
Leaking cross-origin URLs through securitypolicyviolation
event
OBS-URL: https://build.opensuse.org/request/show/945699
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=354
* https://www.mozilla.org/en-US/firefox/96.0/releasenotes
MFSA 2022-01 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071)
Calling into reportValidity could have lead to fullscreen
window spoof
* CVE-2022-22743 (bmo#1739220)
Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923)
Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389)
Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334)
Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382)
Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874)
Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720)
Iframe sandbox bypass with XSLT
* CVE-2022-22750 (bmo#1566608)
IPC passing of resource handles could have lead to sandbox
bypass
* CVE-2022-22749 (bmo#1705094)
Lack of URL restrictions when scanning QR codes
* CVE-2022-22748 (bmo#1705211)
Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856)
Leaking cross-origin URLs through securitypolicyviolation
event
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=951
- Mozilla Firefox 95.0.1 (bsc#1193845)
* Fixed frequent
MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error
messages when trying to connect to various microsoft.com
domains (bmo#1745600)
* Fix for a WebRender crash on some Linux/X11 systems (bmo#1741956)
* Fix for a frequent Windows shutdown crash (bmo#1738984)
* Fix websites contrast issues for some Linux users with
Dark mode set at OS level (bmo#1740518)
OBS-URL: https://build.opensuse.org/request/show/941230
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=352
* Fixed frequent
MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error
messages when trying to connect to various microsoft.com
domains (bmo#1745600)
* Fix for a WebRender crash on some Linux/X11 systems (bmo#1741956)
* Fix for a frequent Windows shutdown crash (bmo#1738984)
* Fix websites contrast issues for some Linux users with
Dark mode set at OS level (bmo#1740518)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=948
- Mozilla Firefox 95.0
* You can now move the Picture-in-Picture toggle button to the
opposite side of the video. Simply look for the new context menu
option Move Picture-in-Picture Toggle to Left (Right) Side.
* To better protect Firefox users against side-channel attacks such
as Spectre, Site Isolation is now enabled for all Firefox 95 users.
* https://www.mozilla.org/en-US/firefox/95.0/releasenotes
MFSA 2021-52 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* MOZ-2021-0010 (bmo#1735852)
Use-after-free in fullscreen objects on MacOS
* CVE-2021-43540 (bmo#1636629)
WebExtensions could have installed persistent ServiceWorkers
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43544 (bmo#1739934)
OBS-URL: https://build.opensuse.org/request/show/936364
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=351
* You can now move the Picture-in-Picture toggle button to the
opposite side of the video. Simply look for the new context menu
option Move Picture-in-Picture Toggle to Left (Right) Side.
* To better protect Firefox users against side-channel attacks such
as Spectre, Site Isolation is now enabled for all Firefox 95 users.
* https://www.mozilla.org/en-US/firefox/95.0/releasenotes
MFSA 2021-52 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* MOZ-2021-0010 (bmo#1735852)
Use-after-free in fullscreen objects on MacOS
* CVE-2021-43540 (bmo#1636629)
WebExtensions could have installed persistent ServiceWorkers
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43544 (bmo#1739934)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=947
* https://www.mozilla.org/en-US/firefox/94.0/releasenotes
MFSA 2021-48 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517)
iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156)
Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194)
Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750)
Firefox could be coaxed into going into fullscreen mode
without notification or warning
* CVE-2021-38507 (bmo#1730935)
Opportunistic Encryption in HTTP2 could be used to bypass the
Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0003 (bmo#1736886)
Universal XSS in Firefox for Android via QR Code URLs
* CVE-2021-38508 (bmo#1366818)
Permission Prompt could be overlaid, resulting in user
confusion and potential spoofing
* MOZ-2021-0004 (bmo#1659155)
Web Extensions could access pre-redirect URL when their
context menu was triggered by a user
* CVE-2021-38509 (bmo#1718571)
Javascript alert box could have been spoofed onto an
arbitrary domain
* CVE-2021-38510 (bmo#1731779)
Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0005 (bmo#1719203)
'Copy Image Link' context menu action could have been abused
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=942
- Mozilla Firefox 93.0
* supports the new AVIF image format
* PDF viewer now supports filling more forms (XFA-based forms)
* now blocks downloads that rely on insecure connections,
protecting against potentially malicious or unsafe downloads
* Improved web compatibility for privacy protections with SmartBlock 3.0
* Introducing a new referrer tracking protection in Strict Tracking
Protection and Private Browsing
* TLS ciphersuites that use 3DES have been disabled. Such
ciphersuites can only be enabled when deprecated versions of
TLS are also enabled
* The download panel now follows the Firefox visual styles
MFSA 2021-43 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335)
Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621)
Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642)
Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813)
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321)
Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* CVE-2021-38499 (bmo#1667102, bmo#1723170, bmo#1725356, bmo#1727364)
Memory safety bugs fixed in Firefox 93
- removed obsolete mozilla-bmo1708709.patch
OBS-URL: https://build.opensuse.org/request/show/923417
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=346
* supports the new AVIF image format
* PDF viewer now supports filling more forms (XFA-based forms)
* now blocks downloads that rely on insecure connections,
protecting against potentially malicious or unsafe downloads
* Improved web compatibility for privacy protections with SmartBlock 3.0
* Introducing a new referrer tracking protection in Strict Tracking
Protection and Private Browsing
* TLS ciphersuites that use 3DES have been disabled. Such
ciphersuites can only be enabled when deprecated versions of
TLS are also enabled
* The download panel now follows the Firefox visual styles
MFSA 2021-43 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335)
Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621)
Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642)
Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813)
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321)
Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* CVE-2021-38499 (bmo#1667102, bmo#1723170, bmo#1725356, bmo#1727364)
Memory safety bugs fixed in Firefox 93
- removed obsolete mozilla-bmo1708709.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=936