- Mozilla Firefox 126.0.1
* Fixed an issue with reading tagged PDF documents in a screen reader
bmo#1894849
* Fixed not displaying localized text for non-en-US locales in the
Crash Reporter dialog box on macOS. (bmo#1896097)
* Fixed issues with drag-and-drop functionality on Linux. (bmo#1897115)
* Fixed an issue causing high GPU memory usage on certain versions
of AMD cards. (bmo#1897006)
- Backport upstream patches to fix build on aarch64 - boo#1225460
* mozilla-bmo1886378.patch
OBS-URL: https://build.opensuse.org/request/show/1177453
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=428
* Fixed an issue with reading tagged PDF documents in a screen reader
bmo#1894849
* Fixed not displaying localized text for non-en-US locales in the
Crash Reporter dialog box on macOS. (bmo#1896097)
* Fixed issues with drag-and-drop functionality on Linux. (bmo#1897115)
* Fixed an issue causing high GPU memory usage on certain versions
of AMD cards. (bmo#1897006)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1153
- Mozilla Firefox 126.0
https://www.mozilla.org/en-US/firefox/126.0/releasenotes
MFSA 2024-21 (bsc#1224056)
* CVE-2024-4764 (bmo#1879093)
Use-after-free when audio input connected with multiple consumers
* CVE-2024-4367 (bmo#1893645)
Arbitrary JavaScript execution in PDF.js
* CVE-2024-4765 (bmo#1871109)
Web application manifests could have been overwritten via
hash collision
* CVE-2024-4766 (bmo#1871214, bmo#1871217)
Fullscreen notification could have been obscured on Firefox
for Android
* CVE-2024-4767 (bmo#1878577)
IndexedDB files retained in private browsing mode
* CVE-2024-4768 (bmo#1886082)
Potential permissions request bypass via clickjacking
* CVE-2024-4769 (bmo#1886108)
Cross-origin responses could be distinguished between script
and non-script content-types
* CVE-2024-4770 (bmo#1893270)
Use-after-free could occur when printing to PDF
* CVE-2024-4771 (bmo#1893891)
Failed allocation could lead to use-after-free
* CVE-2024-4772 (bmo#1870579)
Use of insecure rand() function to generate nonce
* CVE-2024-4773 (bmo#1875248)
URL bar could be cleared after network error
* CVE-2024-4774 (bmo#1886598)
Undefined behavior in ShmemCharMapHashEntry()
OBS-URL: https://build.opensuse.org/request/show/1175472
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=427
https://www.mozilla.org/en-US/firefox/126.0/releasenotes
MFSA 2024-21 (bsc#1224056)
* CVE-2024-4764 (bmo#1879093)
Use-after-free when audio input connected with multiple consumers
* CVE-2024-4367 (bmo#1893645)
Arbitrary JavaScript execution in PDF.js
* CVE-2024-4765 (bmo#1871109)
Web application manifests could have been overwritten via
hash collision
* CVE-2024-4766 (bmo#1871214, bmo#1871217)
Fullscreen notification could have been obscured on Firefox
for Android
* CVE-2024-4767 (bmo#1878577)
IndexedDB files retained in private browsing mode
* CVE-2024-4768 (bmo#1886082)
Potential permissions request bypass via clickjacking
* CVE-2024-4769 (bmo#1886108)
Cross-origin responses could be distinguished between script
and non-script content-types
* CVE-2024-4770 (bmo#1893270)
Use-after-free could occur when printing to PDF
* CVE-2024-4771 (bmo#1893891)
Failed allocation could lead to use-after-free
* CVE-2024-4772 (bmo#1870579)
Use of insecure rand() function to generate nonce
* CVE-2024-4773 (bmo#1875248)
URL bar could be cleared after network error
* CVE-2024-4774 (bmo#1886598)
Undefined behavior in ShmemCharMapHashEntry()
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1150
- Mozilla Firefox 125.0.2
* The 125.0 and 125.0.1 releases were skipped due to problems with a
feature that proactively blocked downloads from potentially
untrustworthy URLs
* New: Firefox now supports the AV1 codec for Encrypted Media
Extensions (EME), enabling higher-quality playback from video
streaming providers
* New: The Firefox PDF viewer now supports text highlighting.
* New: Firefox View now displays pinned tabs in the Open tabs
section. Tab indicators have also been added to Open tabs, so
users can do things like see which tabs are playing media and
quickly mute or unmute across windows. Indicators were also
added for bookmarks, tabs with notifications, and more!
their addresses upon submitting an address form, allowing
Firefox to autofill stored address information in the future.
* New: The URL Paste Suggestion feature provides a convenient
way for users to quickly visit URLs copied to the clipboard
in the address bar of Firefox. When the clipboard contains a
URL and the URL bar is focused, an autocomplete result
appears automatically. Activating the clipboard suggestion
will navigate the user to the URL with 1 click.
* New: Users of tab-specific Container add-ons can now search
in the Address Bar for tabs that are open in different
containers. Special thanks to volunteer contributor atararx
for kicking off the work on this feature!
* New: Firefox now provides an option to enable Web Proxy Auto-
Discovery (WPAD) while configured to use system proxy
settings.
* Changed: In a group of radio buttons where no option is
selected, the tab key now only reaches the first option
OBS-URL: https://build.opensuse.org/request/show/1169983
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=425
feature that proactively blocked downloads from potentially
untrustworthy URLs
Use-after-free if garbage collection runs during realm initialization
Incorrect JIT optimization of MSubstr leads to out-of-bounds reads
Corrupt pointer dereference in js::CheckTracedThing<js::Shape>
Download Protections were bypassed by .xrm-ms files on Windows
* CVE-2024-3865 (bmo#1881076, bmo#1884887, bmo#1885359, bmo#1889049)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1146
be unable to restore a bookmarks backup. (bmo#1884308)
* Fixed an issue that would cause open Firefox windows
Netflix. (bmo#1883932)
* Fixed a crash that affected Linux AArch64 builds. (bmo#1866396)
* Fixed an issue where some users experienced difficulties loading
webpages due to changes made to the default AppArmor configuration
shipping in Ubuntu 24.04. (bmo#1884347)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1143
- Mozilla Firefox 124.0.1
https://www.mozilla.org/en-US/firefox/124.0.1/releasenotes/
MFSA 2024-15 (bsc#1221850)
* CVE-2024-29943 (bmo#1886849)
Out-of-bounds access via Range Analysis bypass
* CVE-2024-29944 (bmo#1886852)
Privileged JavaScript Execution via Event Handlers
Mozilla Firefox 124.0
https://www.mozilla.org/en-US/firefox/124.0/releasenotes/
MFSA 2024-12 (bsc#1221327)
* CVE-2024-2605 (bmo#1872920)
Windows Error Reporter could be used as a Sandbox escape vector
* CVE-2024-2606 (bmo#1879237)
Mishandling of WASM register values
* CVE-2024-2607 (bmo#1879939)
JIT code failed to save return registers on Armv7-A
* CVE-2024-2608 (bmo#1880692)
Integer overflow could have led to out of bounds write
* CVE-2023-5388 (bmo#1780432)
NSS susceptible to timing attack against RSA decryption
* CVE-2024-2609 (bmo#1866100)
Permission prompt input delay could expire when not in focus
* CVE-2024-2610 (bmo#1871112)
Improper handling of html and body tags enabled CSP nonce leakage
* CVE-2024-2611 (bmo#1876675)
Clickjacking vulnerability could have led to a user accidentally
granting permissions
* CVE-2024-2612 (bmo#1879444)
Self referencing object could have potentially led to a use-
after-free
OBS-URL: https://build.opensuse.org/request/show/1160726
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=423
https://www.mozilla.org/en-US/firefox/124.0.1/releasenotes/
MFSA 2024-15 (bsc#1221850)
* CVE-2024-29943 (bmo#1886849)
Out-of-bounds access via Range Analysis bypass
* CVE-2024-29944 (bmo#1886852)
Privileged JavaScript Execution via Event Handlers
Mozilla Firefox 124.0
https://www.mozilla.org/en-US/firefox/124.0/releasenotes/
MFSA 2024-12 (bsc#1221327)
* CVE-2024-2605 (bmo#1872920)
Windows Error Reporter could be used as a Sandbox escape vector
* CVE-2024-2606 (bmo#1879237)
Mishandling of WASM register values
* CVE-2024-2607 (bmo#1879939)
JIT code failed to save return registers on Armv7-A
* CVE-2024-2608 (bmo#1880692)
Integer overflow could have led to out of bounds write
* CVE-2023-5388 (bmo#1780432)
NSS susceptible to timing attack against RSA decryption
* CVE-2024-2609 (bmo#1866100)
Permission prompt input delay could expire when not in focus
* CVE-2024-2610 (bmo#1871112)
Improper handling of html and body tags enabled CSP nonce leakage
* CVE-2024-2611 (bmo#1876675)
Clickjacking vulnerability could have led to a user accidentally
granting permissions
* CVE-2024-2612 (bmo#1879444)
Self referencing object could have potentially led to a use-
after-free
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1140
- Mozilla Firefox 123.0
https://www.mozilla.org/en-US/firefox/123.0/releasenotes/
MFSA 2024-05 (bsc#1220048)
* CVE-2024-1546 (bmo#1843752)
Out-of-bounds memory read in networking channels
* CVE-2024-1547 (bmo#1877879)
Alert dialog could have been spoofed on another site
* CVE-2024-1554 (bmo#1816390)
fetch could be used to effect cache poisoning
* CVE-2024-1548 (bmo#1832627)
Fullscreen Notification could have been hidden by select element
* CVE-2024-1549 (bmo#1833814)
Custom cursor could obscure the permission dialog
* CVE-2024-1550 (bmo#1860065)
Mouse cursor re-positioned unexpectedly could have led to
unintended permission grants
* CVE-2024-1551 (bmo#1864385)
Multipart HTTP Responses would accept the Set-Cookie header
in response parts
* CVE-2024-1555 (bmo#1873223)
SameSite cookies were not properly respected when opening a
website from an external browser
* CVE-2024-1556 (bmo#1870414)
Invalid memory access in the built-in profiler
* CVE-2024-1552 (bmo#1874502)
Incorrect code generation on 32-bit ARM devices
* CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498, bmo#1872296,
bmo#1873521, bmo#1873577, bmo#1873597, bmo#1873866, bmo#1874080,
bmo#1874740, bmo#1875795, bmo#1875906, bmo#1876425, bmo#1878211,
bmo#1878286)
OBS-URL: https://build.opensuse.org/request/show/1150527
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=421
https://www.mozilla.org/en-US/firefox/123.0/releasenotes/
MFSA 2024-05 (bsc#1220048)
* CVE-2024-1546 (bmo#1843752)
Out-of-bounds memory read in networking channels
* CVE-2024-1547 (bmo#1877879)
Alert dialog could have been spoofed on another site
* CVE-2024-1554 (bmo#1816390)
fetch could be used to effect cache poisoning
* CVE-2024-1548 (bmo#1832627)
Fullscreen Notification could have been hidden by select element
* CVE-2024-1549 (bmo#1833814)
Custom cursor could obscure the permission dialog
* CVE-2024-1550 (bmo#1860065)
Mouse cursor re-positioned unexpectedly could have led to
unintended permission grants
* CVE-2024-1551 (bmo#1864385)
Multipart HTTP Responses would accept the Set-Cookie header
in response parts
* CVE-2024-1555 (bmo#1873223)
SameSite cookies were not properly respected when opening a
website from an external browser
* CVE-2024-1556 (bmo#1870414)
Invalid memory access in the built-in profiler
* CVE-2024-1552 (bmo#1874502)
Incorrect code generation on 32-bit ARM devices
* CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498, bmo#1872296,
bmo#1873521, bmo#1873577, bmo#1873597, bmo#1873866, bmo#1874080,
bmo#1874740, bmo#1875795, bmo#1875906, bmo#1876425, bmo#1878211,
bmo#1878286)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1136
- Mozilla Firefox 122.0
https://www.mozilla.org/en-US/firefox/122.0/releasenotes/
MFSA 2024-01 (bsc#1218955)
* CVE-2024-0741 (bmo#1864587)
Out of bounds write in ANGLE
* CVE-2024-0742 (bmo#1867152)
Failure to update user input timestamp
* CVE-2024-0743 (bmo#1867408)
Crash in NSS TLS method
* CVE-2024-0744 (bmo#1871089)
Wild pointer dereference in JavaScript
* CVE-2024-0745 (bmo#1871838)
Stack buffer overflow in WebAudio
* CVE-2024-0746 (bmo#1660223)
Crash when listing printers on Linux
* CVE-2024-0747 (bmo#1764343)
Bypass of Content Security Policy when directive unsafe-inline was set
* CVE-2024-0748 (bmo#1783504)
Compromised content process could modify document URI
* CVE-2024-0749 (bmo#1813463)
Phishing site popup could show local origin in address bar
* CVE-2024-0750 (bmo#1863083)
Potential permissions request bypass via clickjacking
* CVE-2024-0751 (bmo#1865689)
Privilege escalation through devtools
* CVE-2024-0752 (bmo#1866840)
Use-after-free could occur when applying update on macOS
* CVE-2024-0753 (bmo#1870262)
HSTS policy on subdomain could bypass policy of upper domain
* CVE-2024-0754 (bmo#1871605)
OBS-URL: https://build.opensuse.org/request/show/1141490
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=417
https://www.mozilla.org/en-US/firefox/122.0/releasenotes/
MFSA 2024-01 (bsc#1218955)
* CVE-2024-0741 (bmo#1864587)
Out of bounds write in ANGLE
* CVE-2024-0742 (bmo#1867152)
Failure to update user input timestamp
* CVE-2024-0743 (bmo#1867408)
Crash in NSS TLS method
* CVE-2024-0744 (bmo#1871089)
Wild pointer dereference in JavaScript
* CVE-2024-0745 (bmo#1871838)
Stack buffer overflow in WebAudio
* CVE-2024-0746 (bmo#1660223)
Crash when listing printers on Linux
* CVE-2024-0747 (bmo#1764343)
Bypass of Content Security Policy when directive unsafe-inline was set
* CVE-2024-0748 (bmo#1783504)
Compromised content process could modify document URI
* CVE-2024-0749 (bmo#1813463)
Phishing site popup could show local origin in address bar
* CVE-2024-0750 (bmo#1863083)
Potential permissions request bypass via clickjacking
* CVE-2024-0751 (bmo#1865689)
Privilege escalation through devtools
* CVE-2024-0752 (bmo#1866840)
Use-after-free could occur when applying update on macOS
* CVE-2024-0753 (bmo#1870262)
HSTS policy on subdomain could bypass policy of upper domain
* CVE-2024-0754 (bmo#1871605)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1128
https://www.mozilla.org/en-US/firefox/119.0/releasenotes
MFSA 2023-45 (bsc#1216338)
* CVE-2023-5721 (bmo#1830820)
Queued up rendering could have allowed websites to clickjack
* CVE-2023-5722 (bmo#1738426)
Cross-Origin size and header leakage
* CVE-2023-5723 (bmo#1802057)
Invalid cookie characters could have led to unexpected errors
* CVE-2023-5724 (bmo#1836705)
Large WebGL draw could have led to a crash
* CVE-2023-5725 (bmo#1845739)
WebExtensions could open arbitrary URLs
* CVE-2023-5726 (bmo#1846205)
Full screen notification obscured by file open dialog on macOS
* CVE-2023-5727 (bmo#1847180)
Download Protections were bypassed by .msix, .msixbundle,
.appx, and .appxbundle files on Windows
* CVE-2023-5728 (bmo#1852729)
Improper object tracking during GC in the JavaScript engine
could have led to a crash.
* CVE-2023-5729 (bmo#1823720)
Fullscreen notification dialog could have been obscured by
WebAuthn prompts
* CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833,
bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002,
bmo#1855306, bmo#1855640, bmo#1856695)
Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4,
and Thunderbird 115.4.1
* CVE-2023-5731 (bmo#1690111, bmo#1721904, bmo#1851803, bmo#1854068)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1115
