* Fixed an issue which could cause installed search engines to not
be visible when upgrading from a previous release.
- enable MOZ_USE_XINPUT2 for TW (boo#1173320)
* Protections Dashboard (about:protections)
* WebRTC not interrupted by screensaver anymore
* disabled TLS 1.0 and 1.1 by default
MFSA 2020-24 (bsc#1173576)
* CVE-2020-12415 (bmo#1586630)
AppCache manifest poisoning due to url encoded character processing
* CVE-2020-12416 (bmo#1639734)
Use-after-free in WebRTC VideoBroadcaster
* CVE-2020-12417 (bmo#1640737)
Memory corruption due to missing sign-extension for ValueTags
on ARM64
* CVE-2020-12418 (bmo#1641303)
Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874)
Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437)
Use-After-Free when trying to connect to a STUN server
* CVE-2020-12402 (bmo#1631597)
RSA Key Generation vulnerable to side-channel attack
* CVE-2020-12421 (bmo#1308251)
Add-On updates did not respect the same certificate trust
rules as software updates
* CVE-2020-12422 (bmo#1450353)
Integer overflow in nsJPEGEncoder::emptyOutputBuffer
* CVE-2020-12423 (bmo#1642400)
DLL Hijacking due to searching %PATH% for a library
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=835
* startup notifications now using Gtk instead of libnotify
* PDF downloads now show an option to open the PDF directly in Firefox
- requires
* NSS >= 3.53.1
* nodejs >= 10.21
* Gtk+3 >= 3.14
- removed obsolete patch
* mozilla-s390-bigendian.patch
- Add mozilla-pipewire-0-3.patch for openSUSE >= 15.2 to build
WebRTC with pipewire support to enable screen sharing under
Wayland; also add BuildRequires: pkgconfig(libpipewire-0.3)
appropriately (boo#1172903).
- adding SLE12 compatibility in spec file
- add patches for s390x
* mozilla-bmo1602730.patch (bmo#1602730)
* mozilla-bmo1626236.patch (bmo#1626236)
* mozilla-bmo998749.patch (bmo#998749)
* mozilla-s390x-skia-gradient.patch
- update create-tar.sh
- Use same _constraints for ppc64 (BE) as ppc64le to avoid oom build failure
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=834
MFSA 2020-12 (bsc#1168874)
* CVE-2020-6821 (bmo#1625404)
Uninitialized memory could be read when using the WebGL
copyTexSubImage method
* CVE-2020-6822 (bmo#1544181)
Out of bounds write in GMPDecodeData when processing large images
* CVE-2020-6823 (bmo#1614919)
Malicious Extension could obtain auth codes from OAuth login flows
* CVE-2020-6824 (bmo#1621853)
Generated passwords may be identical on the same site between
separate private browsing sessions
* CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203)
Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
* CVE-2020-6826 (bmo#1613009,bmo#1613195,bmo#1616734,bmo#1617488,
bmo#1619229,bmo#1620719,bmo#1624897)
Memory safety bugs fixed in Firefox 75
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=822
* https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
MFSA 2020-08 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections against
state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6808 (bmo#1247968)
URL Spoofing via javascript: URL
* CVE-2020-6809 (bmo#1420296)
Web Extensions with the all-urls permission could access local
files
* CVE-2020-6810 (bmo#1432856)
Focusing a popup while in fullscreen could have obscured the
fullscreen notification
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6813 (bmo#1605814)
@import statements in CSS could bypass the Content Security
Policy nonce feature
* CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636,
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=809
* Resolved problems connecting to the RBC Royal Bank website
(bmo#1613943)
* Fixed Firefox unexpectedly exiting when leaving Print Preview mode
(bmo#1611133)
* Fixed crashes when playing encrypted content on some Linux systems
(bmo#1614535)
- start in wayland mode when running under wayland session
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=804
* Added support for setting a default zoom level applicable for all
web content
* High-contrast mode has been updated to allow background images
* Improved audio quality when playing back audio at a faster or
slower speed
* Added NextDNS as alternative option for DNS over HTTPS
MFSA 2020-05 (bsc#1163368)
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent process
* CVE-2020-6797 (bmo#1596668) (MacOS X only)
Extensions granted downloads.open permission could open arbitrary
applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6799 (bmo#1606596) (Windows only)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf reader
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
bmo#1608580,bmo#1608785,bmo#1605777)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* CVE-2020-6801 (bmo#1601024,bmo#1601712,bmo#1604836,bmo#1606492)
Memory safety bugs fixed in Firefox 73
- updated requirements
* rust >= 1.39
* NSS >= 3.49.2
* rust-cbindgen >= 0.12.0
- rebased patches
- removed obsolete patch
* mozilla-bmo1601707.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=802
* Various stability fixes
* Fixed issues opening files with spaces in their path (bmo#1601905)
* Fixed a hang opening about:logins when a master password is set
(bmo#1606992)
* Fixed a web compatibility issue with CSS Shadow Parts which
shipped in Firefox 72 (bmo#1604989)
* Fixed inconsistent playback performance for fullscreen 1080p
videos on some systems (bmo#1608485)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=798
- Mozilla Firefox 72.0
* block fingerprinting scripts by default
* new notification pop-ups
* Picture-in-picture video
MFSA 2020-01
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17020 (bmo#1597645)
Content Security Policy not applied to XSL stylesheets applied
to XML documents
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17023 (bmo#1590001) (fixed in NSS FIXME)
NSS may negotiate TLS 1.2 or below after a TLS 1.3
HelloRetryRequest had been sent
* CVE-2019-17024 (bmo#1507180,bmo#1595470,bmo#1598605,bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
* CVE-2019-17025 (bmo#1328295,bmo#1328300,bmo#1590447,bmo#1590965
bmo#1595692,bmo#1597321,bmo#1597481)
Memory safety bugs fixed in Firefox 72
- update create-tar.sh to skip compare-locales
- requires NSPR 4.24 and NSS 3.48
- removed usage of browser-plugins convention for NPAPI plugins
from start wrapper and changed the RPM macro to the
/usr/$LIB/mozilla/plugins location (boo#1160302)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=793
* Improvements to Lockwise, our integrated password manager
* More information about Enhanced Tracking Protection in action
* Native MP3 decoding on Windows, Linux, and macOS
* Configuration page (about:config) reimplemented in HTML
* New kiosk mode functionality, which allows maximum screen space
for customer-facing displays
MFSA 2019-36
* CVE-2019-11756 (bmo#1508776)
Use-after-free of SFTKSession object
* CVE-2019-17008 (bmo#1546331)
Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156) (Windows only)
Stack corruption due to incorrect number of arguments in WebRTC code
* CVE-2019-17014 (bmo#1322864)
Dragging and dropping a cross-origin resource, incorrectly loaded
as an image, could result in information disclosure
* CVE-2019-17010 (bmo#1581084)
Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170)
Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334)
Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209
bmo#1580288, bmo#1585760, bmo#1592502)
Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* CVE-2019-17013 (bmo#1298509, bmo#1472328, bmo#1577439, bmo#1577937
bmo#1580320, bmo#1584195, bmo#1585106, bmo#1586293, bmo#1593865
bmo#1594181)
Memory safety bugs fixed in Firefox 71
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=789
* Fix for an issue that caused some websites or page elements using
dynamic JavaScript to fail to load. (bmo#1592136)
* Title bar no longer shows in full screen view (bmo#1588747)
- added mozilla-bmo1504834-part4.patch to fix some visual issues on
big endian platforms
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=787
* more privacy protections from Enhanced Tracking Protection
* Firefox Lockwise passwordmanager
* Improvements to core engine components, for better browsing on more sites
* Improved privacy and security indicators
MFSA 2019-34
* CVE-2018-6156 (bmo#1480088)
Heap buffer overflow in FEC processing in WebRTC
* CVE-2019-15903 (bmo#1584907)
Heap overflow in expat library in XML_GetCurrentLineNumber
* CVE-2019-11757 (bmo#1577107)
Use-after-free when creating index updates in IndexedDB
* CVE-2019-11759 (bmo#1577953)
Stack buffer overflow in HKDF output
* CVE-2019-11760 (bmo#1577719)
Stack buffer overflow in WebRTC networking
* CVE-2019-11761 (bmo#1561502)
Unintended access to a privileged JSONView object
* CVE-2019-11762 (bmo#1582857)
document.domain-based origin isolation has same-origin-property violation
* CVE-2019-11763 (bmo#1584216)
Incorrect HTML parsing results in XSS bypass technique
* CVE-2019-11765 (bmo#1562582)
Incorrect permissions could be granted to a website
* CVE-2019-17000 (bmo#1441468)
CSP bypass using object tag with data: URI
* CVE-2019-17001 (bmo#1587976)
CSP bypass using object tag when script-src 'none' is specified
* CVE-2019-17002 (bmo#1561056)
upgrade-insecure-requests was not being honored for links dragged and dropped
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=786
* Fixed external programs launching in the background when clicking
a link from inside Firefox to launch them (bmo#1570845)
* Usability improvements to the Add-ons Manager for users with
screen readers (bmo#1567600)
* Fixed the Captive Portal notification bar not being dismissable
in some situations after login is complete (bmo#1578633)
* Fixed the maximum size of fonts in Reader Mode when zoomed (bmo#1578454)
* Fixed missing stacks in the Developer Tools Performance section
(bmo#1578354)
MFSA 2019-31
* CVE-2019-11754 (bmo#1580506)
Pointer Lock is enabled with no user notification
- disable DOH by default
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=768
* Enhanced Tracking Protection (ETP) for stronger privacy protections
* Block Autoplay feature is enhanced to give users the option to block
any video
* Users in the US or using the en-US browser, can get a new “New Tab”
page experience connecting to the best of Pocket's content.
* Support for the Web Authentication HmacSecret extension via
Windows Hello introduced.
* Support for receiving multiple video codecs with this release makes
it easier for WebRTC conferencing services to mix video from
different clients.
- requires
* rust/cargo >= 1.35
* rust-cbindgen >= 0.9.0
* mozilla-nss >= 3.45
- rebased patches
* mozilla-bmo1504834-part1.patch (currently unused as it breaks LE)
* mozilla-bmo1504834-part2.patch (currently unused as it breaks LE)
* mozilla-bmo1504834-part3.patch (currently unused as it breaks LE)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=765
MFSA 2019-26
* CVE-2019-11751 (bmo#1572838; Windows only)
Malicious code execution through command line parameters
* CVE-2019-11746 (bmo#1564449)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033)
XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715)
Same-origin policy violation with SVG filters and canvas to steal
cross-origin images
* CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only))
File manipulation and privilege escalation in Mozilla Maintenance Service
* CVE-2019-11753 (bmo#1574980; Windows only)
Privilege escalation with Mozilla Maintenance Service in custom
Firefox installation location
* CVE-2019-11752 (bmo#1501152)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-9812 (bmo#1538008, bmo#1538015)
Sandbox escape through Firefox Sync
* CVE-2019-11743 (bmo#1560495)
Cross-origin access to unload event attributes
* CVE-2019-11748 (bmo#1564588)
Persistence of WebRTC permissions in a third party context
* CVE-2019-11749 (bmo#1565374)
Camera information available without prompting using getUserMedia
* CVE-2019-11750 (bmo#1568397)
Type confusion in Spidermonkey
* CVE-2019-11738 (bmo#1452037)
Content security policy bypass through hash-based sources in directives
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=760