* Avoid overly long cycle collector pauses with some add-ons installed
(bmo#1449033)
* After unchecking the "Sponsored Stories" option, the New Tab page
now immediately stops displaying "Sponsored content" cards (bmo#1458906)
* On touchscreen devices, fixed momentum scrolling on non-zoomable pages
(bmo#1457743)
* Use the right default background when opening tabs or windows in
high contrast mode (bmo#1458956)
* Restored translations of the Preferences panels when using a
language pack (bmo#1461590)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=661
Final Firefox 60.0 (regular; non-ESR) for TW
- update to Firefox 60.0
* Added a policy engine that allows customized Firefox deployments
in enterprise environments, using Windows Group Policy or a
cross-platform JSON file
* Applied Quantum CSS to render browser UI
* Added support for Web Authentication, allowing the use of USB
tokens for authentication to web sites
* Locale added: Occitan (oc)
MFSA 2018-11 (bsc#1092548)
* CVE-2018-5154 (bmo#1443092)
Use-after-free with SVG animations and clip paths
* CVE-2018-5155 (bmo#1448774)
Use-after-free with SVG animations and text paths
* CVE-2018-5157 (bmo#1449898)
Same-origin bypass of PDF Viewer to view protected PDF files
* CVE-2018-5158 (bmo#1452075)
Malicious PDF can inject JavaScript into PDF Viewer
* CVE-2018-5159 (bmo#1441941)
Integer overflow and out-of-bounds write in Skia
* CVE-2018-5160 (bmo#1436117)
Uninitialized memory use by WebRTC encoder
* CVE-2018-5152 (bmo#1415644, bmo#1427289)
WebExtensions information leak through webRequest API
* CVE-2018-5153 (bmo#1436809)
Out-of-bounds read in mixed content websocket messages
* CVE-2018-5163 (bmo#1426353)
Replacing cached data in JavaScript Start-up Bytecode Cache
* CVE-2018-5164 (bmo#1416045)
CSP not applied to all multipart content sent with
multipart/x-mixed-replace
OBS-URL: https://build.opensuse.org/request/show/605919
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=271
* CVE-2018-5154 (bmo#1443092)
Use-after-free with SVG animations and clip paths
* CVE-2018-5155 (bmo#1448774)
Use-after-free with SVG animations and text paths
* CVE-2018-5157 (bmo#1449898)
Same-origin bypass of PDF Viewer to view protected PDF files
* CVE-2018-5158 (bmo#1452075)
Malicious PDF can inject JavaScript into PDF Viewer
* CVE-2018-5159 (bmo#1441941)
Integer overflow and out-of-bounds write in Skia
* CVE-2018-5160 (bmo#1436117)
Uninitialized memory use by WebRTC encoder
* CVE-2018-5152 (bmo#1415644, bmo#1427289)
WebExtensions information leak through webRequest API
* CVE-2018-5153 (bmo#1436809)
Out-of-bounds read in mixed content websocket messages
* CVE-2018-5163 (bmo#1426353)
Replacing cached data in JavaScript Start-up Bytecode Cache
* CVE-2018-5164 (bmo#1416045)
CSP not applied to all multipart content sent with
multipart/x-mixed-replace
* CVE-2018-5166 (bmo#1437325)
WebExtension host permission bypass through filterResponseData
* CVE-2018-5167 (bmo#1447969)
Improper linkification of chrome: and javascript: content in
web console and JavaScript debugger
* CVE-2018-5168 (bmo#1449548)
Lightweight themes can be installed without user interaction
* CVE-2018-5169 (bmo#1319157)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=658
* Added a policy engine that allows customized Firefox deployments
in enterprise environments, using Windows Group Policy or a
cross-platform JSON file
* Applied Quantum CSS to render browser UI
* Added support for Web Authentication, allowing the use of USB
tokens for authentication to web sites
* Locale added: Occitan (oc)
- removed obsolete patches
0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
- requires NSPR 4.19 and NSS 3.36.1
- requires rust 1.24 or higher
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=655
* Invalid page rendering with hardware acceleration enabled (bmo#1435472)
* Browser keyboard shortcuts (e.g. copy Ctrl+C) don't work on sites
that use those keys with resistFingerprinting enabled (bmo#1433592)
* High CPU / memory churn caused by third-party software on some
computers (bmo#1446280)
* Users who have configured an "automatic proxy configuration URL"
and want to reload their proxy settings from the URL will find
the Reload button disabled in the Connection Settings dialog when
they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
* URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
* Users trying to cancel a print around the time it completes will
continue to get intermittent crashes (bmo#1441598)
MFSA 2018-10 (bsc#1087059)
* CVE-2018-5148 (bmo#1440717)
Use-after-free in compositor
- removed obsolete patch mozilla-bmo1446062.patch
* mozilla-i586-domPrefs.patch - DOMPrefs.h
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=642
yet another small tweak to have really all fixes in place also for ARM (libtremor) which was left out from the upstream Firefox tag (and only applied to the Fennec one)
- update to Firefox 59.0.1 (bsc#1085671)
MFSA 2018-08
* CVE-2018-5146 (bmo#1446062)
Vorbis audio processing out of bounds write
* CVE-2018-5147 (bmo#1446365)
Out of bounds memory write in libtremor
(mozilla-bmo1446062.patch)
- Added patch:
* mozilla-bmo1005535.patch:
Enable skia_gpu on big endian platforms.
- update to Firefox 59.0
* Performance enhancements
* Drag-and-drop to rearrange Top Sites on the Firefox Home page
* added features for Firefox Screenshots
* Enhanced WebExtensions API
* Improved RTC capabilities
MFSA 2018-06 (bsc#1085130)
* CVE-2018-5127 (bmo#1430557)
Buffer overflow manipulating SVG animatedPathSegList
* CVE-2018-5128 (bmo#1431336)
Use-after-free manipulating editor selection ranges
* CVE-2018-5129 (bmo#1428947)
Out-of-bounds write with malformed IPC messages
* CVE-2018-5130 (bmo#1433005)
Mismatched RTP payload type can trigger memory corruption
* CVE-2018-5131 (bmo#1440775)
Fetch API improperly returns cached copies of no-store/no-cache resources
* CVE-2018-5132 (bmo#1408194)
OBS-URL: https://build.opensuse.org/request/show/588116
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=267
MFSA 2018-05
* Arbitrary code execution through unsanitized browser UI (bmo#1432966)
- fixed language packs (boo#1077590)
- readd mozilla-enable-csd.patch as it only lands for FF59 upstream
- allow larger number of nested elements (mozilla-bmo256180.patch)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=630
MFSA 2018-02
* CVE-2018-5091 (bmo#1423086)
Use-after-free with DTMF timers
* CVE-2018-5092 (bmo#1418074)
Use-after-free in Web Workers
* CVE-2018-5093 (bmo#1415291)
Buffer overflow in WebAssembly during Memory/Table resizing
* CVE-2018-5094 (bmo#1415883)
Buffer overflow in WebAssembly with garbage collection on
uninitialized memory
* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener
* CVE-2018-5100 (bmo#1417405)
Use-after-free when IsPotentiallyScrollable arguments are freed
from memory
* CVE-2018-5101 (bmo#1417661)
Use-after-free with floating first-letter style elements
* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=629
- update to Firefox 57.0.4
MFSA 2018-1: Speculative execution side-channel attack ("Spectre")
(boo#1074723)
- fixed regression introduced Oct 10th which made Firefox crash
when cancelling the KDE file dialog (boo#1069962)
- Mozilla Firefox 57.0.3:
* Fix a crash reporting issue that inadvertently sends background
tab crash reports to Mozilla without user opt-in (bmo#1427111,
bsc#1074235)
- Includes changes from 57.0.2:
* fixes for platforms other than GNU/Linux
OBS-URL: https://build.opensuse.org/request/show/561754
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=263
- Explicitly buildrequires python2-xml: The build system relies on
it. We wrongly relied on other packages pulling it in for us.
- Escape the usage of %{VERSION} when calling out to rpm.
RPM 4.14 has %{VERSION} defined as 'the main packages version'.
* CVE-2017-7843: Web worker in Private Browsing mode can write
IndexedDB data (bsc#1072034, bmo#1410106)
* CVE-2017-7844: Visited history information leak through SVG
image (bsc#1072036, bmo#1420001)
OBS-URL: https://build.opensuse.org/request/show/555866
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=262
- Add mozilla-bmo1360278.patch
Starting with Firefox 57, the context menu appears on key press.
This patch creates a config entry to restore the
old behaviour. Without the patch, the mouse gesture extensions
require 2 clicks to work (bmo#1360278).
The new config entry is named ui.context_menus.after_mouseup
(default: false).
- Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled
widget.allow-client-side-decoration=true
(mozilla-bmo1399611-csd.patch)
OBS-URL: https://build.opensuse.org/request/show/545695
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=260