* Adobe Flash is completely history
* supercookie protection
* new bookmark handling and features
MFSA 2021-03 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2021-23955 (bmo#1684837)
Clickjacking across tabs through misusing requestPointerLock
* CVE-2021-23956 (bmo#1338637)
File picker dialog could have been used to disclose a
complete directory
* CVE-2021-23957 (bmo#1584582)
Iframe sandbox could have been bypassed on Android via the
intent URL scheme
* CVE-2021-23958 (bmo#1642747)
Screen sharing permission leaked across tabs
* CVE-2021-23959 (bmo#1659035)
Cross-Site Scripting in error pages on Firefox for Android
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23962 (bmo#1677194)
Use-after-poison in
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=888
* Fixed problems loading secure websites and crashes for users
with certain third-party PKCS11 modules and smartcards installed
(bmo#1682881) (fixed in NSS 3.59.1)
* Fixed a bug causing some Unity JS games to not load on Apple
Silicon devices due to improper detection of the OS version
(bmo#1680516)
- requires NSS 3.59.1
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=882
* Firefox 84 is the final release to support Adobe Flash
* WebRender is enabled by default when run on GNOME-based X11
Linux desktops
MFSA 2020-54 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26972 (bmo#1671382)
Use-After-Free in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26975 (bmo#1661071)
Malicious applications on Android could have induced Firefox
for Android into sending arbitrary attacker-specified headers
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2020-26977 (bmo#1676311)
URL spoofing via unresponsive port in Firefox for Android
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-26979 (bmo#1641287, bmo#1673299)
When entering an address in the address or search bars, a
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=880
* major update for SpiderMonkey improving performance significantly
* optional HTTPS-Only mode
* more improvements
https://www.mozilla.org/en-US/firefox/83.0/releasenotes/
MFSA 2020-50 (bsc#1178824))
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-26952 (bmo#1667685)
Out of memory handling of JITed, inlined functions could lead
to a memory corruption
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security UI
* CVE-2020-26954 (bmo#1657026)
Local spoofing of web manifests for arbitrary pages in
Firefox for Android
* CVE-2020-26955 (bmo#1663261)
Cookies set during file downloads are shared between normal
and Private Browsing Mode in Firefox for Android
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26957 (bmo#1667179)
OneCRL was not working in Firefox for Android
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=871
MFSA 2020-45 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570)
Use-after-free in usersctp
* CVE-2020-15254 (bmo#1668514)
Undefined behavior in bounded channel of crossbeam rust crate
* CVE-2020-15680 (bmo#1658881)
Presence of external protocol handlers could be determined
through image tags
* CVE-2020-15681 (bmo#1666568)
Multiple WASM threads may have overwritten each others' stub
table entries
* CVE-2020-15682 (bmo#1636654)
The domain associated with the prompt to open an external
protocol could be spoofed to display the incorrect origin
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
bmo#1662760, bmo#1663439, bmo#1666140)
Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* CVE-2020-15684 (bmo#1653764, bmo#1661402, bmo#1662259,
bmo#1664257)
Memory safety bugs fixed in Firefox 82
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=864
* https://www.mozilla.org/en-US/firefox/81.0/releasenotes
MFSA 2020-42 (bsc#1176756)
* CVE-2020-15675 (bmo#1654211)
Use-After-Free in WebGL
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
* CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293)
Memory safety bugs fixed in Firefox 81
- requires
NSPR 4.28
NSS 3.56
- removed obsolete patches
* mozilla-system-nspr.patch
* mozilla-bmo1661715.patch
* mozilla-silence-no-return-type.patch
- skip post-build-checks for 15.0 and 15.1
- add revert-795c8762b16b.patch to fix LTO builds with gcc
(related to bmo#1644409)
- Use %limit_build macro again for aarch64 and armv7, instead of
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=858
MFSA 2020- (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-12401 (bmo#1631573)
Timing-attack on ECDSA signature generation
* CVE-2020-6829 (bmo#1631583)
P-384 and P-521 vulnerable to an electro-magnetic side
channel attack on signature generation
* CVE-2020-12400 (bmo#1623116)
P-384 and P-521 vulnerable to a side channel attack on
modular inversion
* CVE-2020-15665 (bmo#1651636)
Address bar not reset when choosing to stay on a page after
the beforeunload dialog is shown
* CVE-2020-15666 (bmo#1450853)
MediaError message property leaks cross-origin response
status
* CVE-2020-15667 (bmo#1653371)
Heap overflow when processing an update file
* CVE-2020-15668 (bmo#1651520)
Data Race when reading certificate information
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- requires
* NSPR 4.27
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=853
* Fixed an accessibility regression in reader mode (bmo#1650922)
* Made the address bar more resilient to data corruption in the
user profile (bmo#1649981)
* Fixed a regression opening certain external applications (bmo#1650162)
MFSA 2020-28
* CVE pending (bmo#1644076)
X-Frame-Options bypass using object or embed tags
- Google API key is not usable for geolocation service
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=840
- do not use XINPUT2 for the moment until Plasma 5.19.3 has landed
(boo#1173993)
- rework langpack integration (boo#1173991)
* ship XPIs instead of directories
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
* Google API key is not usable for geolocation service
- Mozilla Firefox 78.0.2
* Fixed an accessibility regression in reader mode (bmo#1650922)
* Made the address bar more resilient to data corruption in the
user profile (bmo#1649981)
* Fixed a regression opening certain external applications (bmo#1650162)
MFSA 2020-28
* CVE pending (bmo#1644076)
X-Frame-Options bypass using object or embed tags
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=839
* Fixed an issue which could cause installed search engines to not
be visible when upgrading from a previous release.
- enable MOZ_USE_XINPUT2 for TW (boo#1173320)
* Protections Dashboard (about:protections)
* WebRTC not interrupted by screensaver anymore
* disabled TLS 1.0 and 1.1 by default
MFSA 2020-24 (bsc#1173576)
* CVE-2020-12415 (bmo#1586630)
AppCache manifest poisoning due to url encoded character processing
* CVE-2020-12416 (bmo#1639734)
Use-after-free in WebRTC VideoBroadcaster
* CVE-2020-12417 (bmo#1640737)
Memory corruption due to missing sign-extension for ValueTags
on ARM64
* CVE-2020-12418 (bmo#1641303)
Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874)
Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437)
Use-After-Free when trying to connect to a STUN server
* CVE-2020-12402 (bmo#1631597)
RSA Key Generation vulnerable to side-channel attack
* CVE-2020-12421 (bmo#1308251)
Add-On updates did not respect the same certificate trust
rules as software updates
* CVE-2020-12422 (bmo#1450353)
Integer overflow in nsJPEGEncoder::emptyOutputBuffer
* CVE-2020-12423 (bmo#1642400)
DLL Hijacking due to searching %PATH% for a library
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=835
* startup notifications now using Gtk instead of libnotify
* PDF downloads now show an option to open the PDF directly in Firefox
- requires
* NSS >= 3.53.1
* nodejs >= 10.21
* Gtk+3 >= 3.14
- removed obsolete patch
* mozilla-s390-bigendian.patch
- Add mozilla-pipewire-0-3.patch for openSUSE >= 15.2 to build
WebRTC with pipewire support to enable screen sharing under
Wayland; also add BuildRequires: pkgconfig(libpipewire-0.3)
appropriately (boo#1172903).
- adding SLE12 compatibility in spec file
- add patches for s390x
* mozilla-bmo1602730.patch (bmo#1602730)
* mozilla-bmo1626236.patch (bmo#1626236)
* mozilla-bmo998749.patch (bmo#998749)
* mozilla-s390x-skia-gradient.patch
- update create-tar.sh
- Use same _constraints for ppc64 (BE) as ppc64le to avoid oom build failure
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=834
MFSA 2020-12 (bsc#1168874)
* CVE-2020-6821 (bmo#1625404)
Uninitialized memory could be read when using the WebGL
copyTexSubImage method
* CVE-2020-6822 (bmo#1544181)
Out of bounds write in GMPDecodeData when processing large images
* CVE-2020-6823 (bmo#1614919)
Malicious Extension could obtain auth codes from OAuth login flows
* CVE-2020-6824 (bmo#1621853)
Generated passwords may be identical on the same site between
separate private browsing sessions
* CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203)
Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
* CVE-2020-6826 (bmo#1613009,bmo#1613195,bmo#1616734,bmo#1617488,
bmo#1619229,bmo#1620719,bmo#1624897)
Memory safety bugs fixed in Firefox 75
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=822
* https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
MFSA 2020-08 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections against
state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6808 (bmo#1247968)
URL Spoofing via javascript: URL
* CVE-2020-6809 (bmo#1420296)
Web Extensions with the all-urls permission could access local
files
* CVE-2020-6810 (bmo#1432856)
Focusing a popup while in fullscreen could have obscured the
fullscreen notification
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6813 (bmo#1605814)
@import statements in CSS could bypass the Content Security
Policy nonce feature
* CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636,
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=809
* Resolved problems connecting to the RBC Royal Bank website
(bmo#1613943)
* Fixed Firefox unexpectedly exiting when leaving Print Preview mode
(bmo#1611133)
* Fixed crashes when playing encrypted content on some Linux systems
(bmo#1614535)
- start in wayland mode when running under wayland session
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=804
* Added support for setting a default zoom level applicable for all
web content
* High-contrast mode has been updated to allow background images
* Improved audio quality when playing back audio at a faster or
slower speed
* Added NextDNS as alternative option for DNS over HTTPS
MFSA 2020-05 (bsc#1163368)
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent process
* CVE-2020-6797 (bmo#1596668) (MacOS X only)
Extensions granted downloads.open permission could open arbitrary
applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6799 (bmo#1606596) (Windows only)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf reader
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
bmo#1608580,bmo#1608785,bmo#1605777)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* CVE-2020-6801 (bmo#1601024,bmo#1601712,bmo#1604836,bmo#1606492)
Memory safety bugs fixed in Firefox 73
- updated requirements
* rust >= 1.39
* NSS >= 3.49.2
* rust-cbindgen >= 0.12.0
- rebased patches
- removed obsolete patch
* mozilla-bmo1601707.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=802
* Various stability fixes
* Fixed issues opening files with spaces in their path (bmo#1601905)
* Fixed a hang opening about:logins when a master password is set
(bmo#1606992)
* Fixed a web compatibility issue with CSS Shadow Parts which
shipped in Firefox 72 (bmo#1604989)
* Fixed inconsistent playback performance for fullscreen 1080p
videos on some systems (bmo#1608485)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=798
- Mozilla Firefox 72.0
* block fingerprinting scripts by default
* new notification pop-ups
* Picture-in-picture video
MFSA 2020-01
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17020 (bmo#1597645)
Content Security Policy not applied to XSL stylesheets applied
to XML documents
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17023 (bmo#1590001) (fixed in NSS FIXME)
NSS may negotiate TLS 1.2 or below after a TLS 1.3
HelloRetryRequest had been sent
* CVE-2019-17024 (bmo#1507180,bmo#1595470,bmo#1598605,bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
* CVE-2019-17025 (bmo#1328295,bmo#1328300,bmo#1590447,bmo#1590965
bmo#1595692,bmo#1597321,bmo#1597481)
Memory safety bugs fixed in Firefox 72
- update create-tar.sh to skip compare-locales
- requires NSPR 4.24 and NSS 3.48
- removed usage of browser-plugins convention for NPAPI plugins
from start wrapper and changed the RPM macro to the
/usr/$LIB/mozilla/plugins location (boo#1160302)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=793
* Improvements to Lockwise, our integrated password manager
* More information about Enhanced Tracking Protection in action
* Native MP3 decoding on Windows, Linux, and macOS
* Configuration page (about:config) reimplemented in HTML
* New kiosk mode functionality, which allows maximum screen space
for customer-facing displays
MFSA 2019-36
* CVE-2019-11756 (bmo#1508776)
Use-after-free of SFTKSession object
* CVE-2019-17008 (bmo#1546331)
Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156) (Windows only)
Stack corruption due to incorrect number of arguments in WebRTC code
* CVE-2019-17014 (bmo#1322864)
Dragging and dropping a cross-origin resource, incorrectly loaded
as an image, could result in information disclosure
* CVE-2019-17010 (bmo#1581084)
Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170)
Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334)
Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209
bmo#1580288, bmo#1585760, bmo#1592502)
Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* CVE-2019-17013 (bmo#1298509, bmo#1472328, bmo#1577439, bmo#1577937
bmo#1580320, bmo#1584195, bmo#1585106, bmo#1586293, bmo#1593865
bmo#1594181)
Memory safety bugs fixed in Firefox 71
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=789
* Fix for an issue that caused some websites or page elements using
dynamic JavaScript to fail to load. (bmo#1592136)
* Title bar no longer shows in full screen view (bmo#1588747)
- added mozilla-bmo1504834-part4.patch to fix some visual issues on
big endian platforms
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=787
* more privacy protections from Enhanced Tracking Protection
* Firefox Lockwise passwordmanager
* Improvements to core engine components, for better browsing on more sites
* Improved privacy and security indicators
MFSA 2019-34
* CVE-2018-6156 (bmo#1480088)
Heap buffer overflow in FEC processing in WebRTC
* CVE-2019-15903 (bmo#1584907)
Heap overflow in expat library in XML_GetCurrentLineNumber
* CVE-2019-11757 (bmo#1577107)
Use-after-free when creating index updates in IndexedDB
* CVE-2019-11759 (bmo#1577953)
Stack buffer overflow in HKDF output
* CVE-2019-11760 (bmo#1577719)
Stack buffer overflow in WebRTC networking
* CVE-2019-11761 (bmo#1561502)
Unintended access to a privileged JSONView object
* CVE-2019-11762 (bmo#1582857)
document.domain-based origin isolation has same-origin-property violation
* CVE-2019-11763 (bmo#1584216)
Incorrect HTML parsing results in XSS bypass technique
* CVE-2019-11765 (bmo#1562582)
Incorrect permissions could be granted to a website
* CVE-2019-17000 (bmo#1441468)
CSP bypass using object tag with data: URI
* CVE-2019-17001 (bmo#1587976)
CSP bypass using object tag when script-src 'none' is specified
* CVE-2019-17002 (bmo#1561056)
upgrade-insecure-requests was not being honored for links dragged and dropped
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=786
* Fixed external programs launching in the background when clicking
a link from inside Firefox to launch them (bmo#1570845)
* Usability improvements to the Add-ons Manager for users with
screen readers (bmo#1567600)
* Fixed the Captive Portal notification bar not being dismissable
in some situations after login is complete (bmo#1578633)
* Fixed the maximum size of fonts in Reader Mode when zoomed (bmo#1578454)
* Fixed missing stacks in the Developer Tools Performance section
(bmo#1578354)
MFSA 2019-31
* CVE-2019-11754 (bmo#1580506)
Pointer Lock is enabled with no user notification
- disable DOH by default
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=768
* Enhanced Tracking Protection (ETP) for stronger privacy protections
* Block Autoplay feature is enhanced to give users the option to block
any video
* Users in the US or using the en-US browser, can get a new “New Tab”
page experience connecting to the best of Pocket's content.
* Support for the Web Authentication HmacSecret extension via
Windows Hello introduced.
* Support for receiving multiple video codecs with this release makes
it easier for WebRTC conferencing services to mix video from
different clients.
- requires
* rust/cargo >= 1.35
* rust-cbindgen >= 0.9.0
* mozilla-nss >= 3.45
- rebased patches
* mozilla-bmo1504834-part1.patch (currently unused as it breaks LE)
* mozilla-bmo1504834-part2.patch (currently unused as it breaks LE)
* mozilla-bmo1504834-part3.patch (currently unused as it breaks LE)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=765
MFSA 2019-26
* CVE-2019-11751 (bmo#1572838; Windows only)
Malicious code execution through command line parameters
* CVE-2019-11746 (bmo#1564449)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033)
XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715)
Same-origin policy violation with SVG filters and canvas to steal
cross-origin images
* CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only))
File manipulation and privilege escalation in Mozilla Maintenance Service
* CVE-2019-11753 (bmo#1574980; Windows only)
Privilege escalation with Mozilla Maintenance Service in custom
Firefox installation location
* CVE-2019-11752 (bmo#1501152)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-9812 (bmo#1538008, bmo#1538015)
Sandbox escape through Firefox Sync
* CVE-2019-11743 (bmo#1560495)
Cross-origin access to unload event attributes
* CVE-2019-11748 (bmo#1564588)
Persistence of WebRTC permissions in a third party context
* CVE-2019-11749 (bmo#1565374)
Camera information available without prompting using getUserMedia
* CVE-2019-11750 (bmo#1568397)
Type confusion in Spidermonkey
* CVE-2019-11738 (bmo#1452037)
Content security policy bypass through hash-based sources in directives
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=760
* Fixed missing Full Screen button when watching videos in full
screen mode on HBO GO (bmo#1562837)
* Fixed a bug causing incorrect messages to appear for some
locales when sites try to request the use of the Storage
Access API (bmo#1558503)
* Users in Russian regions may have their default search engine
changed (bmo#1565315)
* Built-in search engines in some locales do not function
correctly (bmo#1565779)
* SupportMenu policy doesn't always work (bmo#1553290)
* Allow the privacy.file_unique_origin pref to be controlled by
policy (bmo#1563759)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=753
* Dark mode in reader view
* Improved extension security and discovery
* Cryptomining and fingerprinting protections are added to strict
content blocking settings in Privacy & Security preferences
* Camera and microphone access now require an HTTPS connection
MFSA 2019-21 (bsc#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11714 (bmo#1542593)
NeckoChild can trigger crash when accessed off of main thread
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11716 (bmo#1552632)
globalThis not enumerable until accessed
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11718 (bmo#1408349)
Activity Stream writes unsanitized content to innerHTML
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=748
* Fixed: Fix JavaScript error ("TypeError: data is null in
PrivacyFilter.jsm") in console which may significantly degrade
sessionstore reliability and performance (bmo#1553413)
* Fixed: Proxy authentication dialog box repeatedly pops up
asking to authenticate after upgrading to Firefox 67 (bmo#1548804)
* Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's
implementation (bmo#1551282)
* Fixed: Starting in safe mode on Linux or macOS causes Firefox
to think on the subsequent launch that the profile is too
recent to be used with this version of Firefox (bmo#1556612)
* Fixed: Linux distribution users can't easily install/use
additional/different languages using the built-in preferences
UI (bmo#1554744)
* Fixed: Developer tools users can't copy the href/src content
from various HTML tags via the context menu in the Inspector
markup view (bmo#1552275)
* Fixed: Custom home page is broken with clearing data on shutdown
settings applied (bmo#1554167)
* Fixed: Performance-regression for eclipse RAP based applications
(bmo#1555962)
* Fixed: macOS 10.15 crash fix (bmo#1556076)
* Fixed: Can't start two downloads in parallel via <a download>
anymore (bmo#1542912)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=741
* Firefox 67 will be able to run different Firefox installs side by side
https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/
* Tabs can now be pinned from the Page Actions menu in the address bar
* Users can block known cryptominers and fingerprinters in the
Custom settings or their Content Blocking preferences
* The Import Data from Another Browser feature is now also available
from the File menu
* Firefox will now protect you against running older versions which
can lead to data corruption and stability issues
* Easier access to your list of saved logins from the main menu and
login autocomplete
* We’ve added a toolbar menu for your Firefox Account to provide more
transparency for when you are synced, sharing data across devices
and with Firefox. Personalize the appearance of the menu with your
own avatar
* Enable FIDO U2F API, and permit registrations for Google Accounts
* Enabled AV1 support on Linux
MFSA 2019-13
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=736
* Fixed: Address bar on tablets running Windows 10 now behaves
correctly (bmo#1498973)
* Fixed: Performance issues with some HTML5 games (bmo#1537609)
* Fixed a bug with keypress events in IBM cloud applications
(bmo#1538970)
* Fix for keypress events in some Microsoft cloud applications
(bmo#1539618)
* Changed: Updated Baidu search plugin
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=730
* CVE-2019-9790 (bmo#1525145)
Use-after-free when removing in-use DOM elements
* CVE-2019-9791 (bmo#1530958)
Type inference is incorrect for constructors entered through on-stack
replacement with IonMonkey
* CVE-2019-9792 (bmo#1532599)
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
* CVE-2019-9793 (bmo#1528829)
Improper bounds checks when Spectre mitigations are disabled
* CVE-2019-9794 (bmo#1530103) (Windows only)
Command line arguments not discarded during execution
* CVE-2019-9795 (bmo#1514682)
Type-confusion in IonMonkey JIT compiler
* CVE-2019-9796 (bmo#1531277)
Use-after-free with SMIL animation controller
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2019-9798 (bmo#1527534) (Android only)
Library is loaded from world writable APITRACE_LIB location
* CVE-2019-9799 (bmo#1505678)
Information disclosure via IPC channel messages
* CVE-2019-9801 (bmo#1527717) (Windows only)
Windows programs that are not 'URL Handlers' are exposed to web content
* CVE-2019-9802 (bmo#1415508)
Chrome process information leak
* CVE-2019-9803 (bmo#1515863, bmo#1437009)
Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation
* CVE-2019-9804 (bmo#1518026) (MacOS only)
Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=726
* Increased content processes to 8
* Added capability to search through open tabs from the tab overflow menu
* New backend for the storage.local WebExtensions API, providing
I/O performance improvements when the extension updates a small
subset of the stored data
* WebExtension keyboard shortcuts can now be managed or overridden
from about:addons
* Improved scrolling behavior: Firefox will now attempt to keep content
from jumping around while a page is loading by supporting scroll
anchoring
* New about:privatebrowsing with search
* A certificate error page now notifies the user of the name of the
certificate issuer that breaks HTTPs connections on intercepted
connections to help troubleshooting possible anti-virus software
issues.
* Fixed an performance issue some Linux users experienced with the
Downloads panel (bmo#1517101)
* Firefox now blocks all autoplay media with sound by default. Users
can add individual sites to an exceptions list or turn the blocking
off.
* System title bar is hidden by default to match Gnome guideline
MFSA 2019-07 (bsc#1129821)
* CVE-2019-9790 (bmo#1525145)
Use-after-free when removing in-use DOM elements
* CVE-2019-9791 (bmo#1530958)
Type inference is incorrect for constructors entered through on-stack
replacement with IonMonkey
* CVE-2019-9792 (bmo#1532599)
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=723
* Fixed accidental requests to addons.mozilla.org when an addon
recommendation doorhanger is shown (bmo#1526387)
* Improved playback of interactive Netflix videos (bmo#1524500)
* Fixed incorrect sizing of the "Clear Recent History" window in
some situations (bmo#1523696)
* Fixed audio & video delays while making WebRTC calls
(bmo#1521577, bmo#1523817)
* Fixed video sizing problems during some WebRTC calls (bmo#1520200)
* Fixed looping CONNECT requests when using WebSockets over HTTP/2
from behind a proxy server (bmo#1523427)
* Fixed the "Enter" key not working on password entry fields for
certain Linux distributions (bmo#1523635)
MFSA 2019-04
* CVE-2018-18356 bmo#1525817
Use-after-free in Skia
* CVE-2019-5785 bmo#1525433
Integer overflow in Skia
* CVE-2018-18511 bmo#1526218
Cross-origin theft of images with ImageBitmapRenderingContext
- Enable LTO only for latest new toolchain (boo#1125038) for x86_64
(with increased memory constraints)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=717
* Better recommendations: You may see suggestions in regular browsing
mode for new and relevant Firefox features, services, and extensions
based on how you use the web (for US users only)
* Enhanced tab management: You can now select multiple tabs from the
tab bar and close, move, bookmark, or pin them quickly and easily
* Easier performance management: The new Task Manager page found at
about:performance lets you see how much energy each open tab consumes
and provides access to close tabs to conserve power
* Improved performance for Mac and Linux users, by enabling link time
optimization (Clang LTO).
* Added option to remove add-ons using the context menu on their
toolbar buttons
* RSS feed preview and live bookmarks are available only via add-ons
* TLS certificates issued by Symantec are no longer trusted by Firefox.
Website operators are strongly encouraged to replace any remaining
Symantec TLS certificates as soon as possible
MFSA 2018-29 (bsc#1119105)
* CVE-2018-12407 bmo#1505973
Buffer overflow with ANGLE library when using VertexBuffer11 module
* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11
* CVE-2018-18492 bmo#1499861
Use-after-free with select element
* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=699
* Games using WebGL (created in Unity) get stuck after very short
time of gameplay (bmo#1502748)
* Slow page loading for some users with specific proxy configurations
(bmo#1495024)
* Disable HTTP response throttling by default for causing bugs with
videos in background tabs (bmo#1503354)
* Opening magnet links no longer works (bmo#1498934)
* Crash fixes (bmo#1498510, bmo#1503424)
- removed mozilla-newer-cbindgen.patch; no longer needed
- requires rust-cbindgen >= 0.6.2 to build
- requires nodejs >= 8.11 to build
- added mozilla-newer-cbindgen.patch to fix build with cbindgen 0.6.7
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=694
* Snippets are not loaded due to missing element (bmo#1503047)
* Print preview always shows 30& scale when it is actually
Shrink To Fit (bmo#1501952)
* Dialog displayed when closing multiple windows shows unreplaced
%1$S placeholder in Japanese and potentially other locales
(bmo#1500823)
MFSA 2018-26 (bsc#1112852)
* CVE-2018-12391 (bmo#1478843) (Android-only)
HTTP Live Stream audio data is accessible cross-origin
* CVE-2018-12392 (bmo#1492823)
Crash with nested event loops
* CVE-2018-12393 (bmo#1495011) (only affects non-64-bit archs)
Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12395 (bmo#1467523)
WebExtension bypass of domain restrictions through header rewriting
* CVE-2018-12396 (bmo#1483602)
WebExtension content scripts can execute in disallowed contexts
* CVE-2018-12397 (bmo#1487478)
Missing warning prompt when WebExtension requests local file access
* CVE-2018-12398 (bmo#1460538, bmo#1488061)
CSP bypass through stylesheet injection in resource URIs
* CVE-2018-12399 (bmo#1490276)
Spoofing of protocol registration notification bar
* CVE-2018-12400 (bmo#1448305) (Android only)
Favicons are cached in private browsing mode on Firefox for Android
* CVE-2018-12401 (bmo#1422456)
DOS attack through special resource URI parsing
* CVE-2018-12402 (bmo#1469916)
SameSite cookies leak when pages are explicitly saved
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=692
* WebExtensions now run in their own process on Linux
* The Ctrl+Tab shortcut now displays thumbnail previews of your
tabs and cycles through tabs in recently used order. This new
default behavior is activated only in new profiles and can be
changed in preferences.
* Added support for Web Components custom elements and shadow DOM
- requires NSPR 4.20, NSS 3.39 and Rust 1.28
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=691
* Firefox Home (the default New Tab) now allows users to display
up to 4 rows of top sites, Pocket stories, and highlights
* "Reopen in Container" tab menu option appears for users with
Containers that lets them choose to reopen a tab in a different
container
* In advance of removing all trust for Symantec-issued certificates
in Firefox 63, a preference was added that allows users to distrust
certificates issued by Symantec. To use this preference, go to
about:config in the address bar and set the preference
"security.pki.distrust_ca_policy" to 2.
* Support for CSS Shapes, allowing for richer web page layouts.
This goes hand in hand with a brand new Shape Path Editor in the
CSS inspector.
* CSS Variable Fonts (OpenType Font Variations) support, which makes
it possible to create beautiful typography with a single font file
* Added Canadian English (en-CA) locale
MFSA 2018-20 (bsc#1107343)
* CVE-2018-12377 (bmo#1470260)
Use-after-free in refresh driver timers
* CVE-2018-12378 (bmo#1459383)
Use-after-free in IndexedDB
* CVE-2018-12379 (bmo#1473113) (updater is disabled for us)
Out-of-bounds write with malicious MAR file
* CVE-2017-16541 (bmo#1412081)
Proxy bypass using automount and autofs
* CVE-2018-12381 (bmo#1435319)
Dragging and dropping Outlook email message results in page navigation
* CVE-2018-12382 (bmo#1479311) (Android only)
Addressbar spoofing with javascript URI on Firefox for Android
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=683
* Performance enhancements
* Various improvements for dark theme support will provide a more
consistent experience across the entire Firefox UI
* OpenSearch plugins offered by web pages can now be added from the
page action menu for easier installation
* Improved support for allowing WebExtensions to manage and hide tabs
- requires NSS 3.37.3
- requires python >= 3.5 to build
- removed obsolete patches
mozilla-i586-DecoderDoctorLogger.patch
mozilla-i586-domPrefs.patch
mozilla-fix-skia-aarch64.patch
mozilla-bmo1375074.patch
mozilla-enable-csd.patch
- patch for new no-return warnings (mozilla-no-return.patch)
- do not disable system installed locales (mozilla-bmo1464766.patch)
- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
conditional --disable-gconf to configure: no longer pull in
obsolete gconf2 for Tumbleweed.
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=673
