-------------------------------------------------------------------
Tue Feb 6 07:03:42 UTC 2018 - fstrba@suse.com
- Added patch:
* mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still
or again?) not working in Firefox 58 due to sandboxing.
-------------------------------------------------------------------
Mon Jan 29 22:32:21 UTC 2018 - wr@rosenauer.org
- update to Firefox 58.0.1
MFSA 2018-05
* Arbitrary code execution through unsanitized browser UI (bmo#1432966)
- use correct language packs
- readd mozilla-enable-csd.patch as it only lands for FF59 upstream
- allow larger number of nested elements (mozilla-bmo256180.patch)
-------------------------------------------------------------------
Tue Jan 23 20:40:57 UTC 2018 - wr@rosenauer.org
- update to Firefox 58.0 (bsc#1077291)
* Added Nepali (ne-NP) locale
* Added support for form autofill for credit card
* Optimize page load by caching JavaScript internal representation
MFSA 2018-02
* CVE-2018-5091 (bmo#1423086)
Use-after-free with DTMF timers
* CVE-2018-5092 (bmo#1418074)
Use-after-free in Web Workers
* CVE-2018-5093 (bmo#1415291)
Buffer overflow in WebAssembly during Memory/Table resizing
* CVE-2018-5094 (bmo#1415883)
Buffer overflow in WebAssembly with garbage collection on
uninitialized memory
* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener
* CVE-2018-5100 (bmo#1417405)
Use-after-free when IsPotentiallyScrollable arguments are freed
from memory
* CVE-2018-5101 (bmo#1417661)
Use-after-free with floating first-letter style elements
* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation
* CVE-2018-5105 (bmo#1390882)
WebExtensions can save and execute files on local file system
without user prompts
* CVE-2018-5106 (bmo#1408708)
Developer Tools can expose style editor information cross-origin
through service worker
* CVE-2018-5107 (bmo#1379276)
Printing process will follow symlinks for local file access
* CVE-2018-5108 (bmo#1421099)
Manually entered blob URL can be accessed by subsequent private browsing tabs
* CVE-2018-5109 (bmo#1405599)
Audio capture prompts and starts with incorrect origin attribution
* CVE-2018-5110 (bmo#1423275) (affects only OS X)
Cursor can be made invisible on OS X
* CVE-2018-5111 (bmo#1321619)
URL spoofing in addressbar through drag and drop
* CVE-2018-5112 (bmo#1425224)
Extension development tools panel can open a non-relative URL in the panel
* CVE-2018-5113 (bmo#1425267)
WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow
* CVE-2018-5114 (bmo#1421324)
The old value of a cookie changed to HttpOnly remains accessible to scripts
* CVE-2018-5115 (bmo#1409449)
Background network requests can open HTTP authentication in unrelated foreground tabs
* CVE-2018-5116 (bmo#1396399)
WebExtension ActiveTab permission allows cross-origin frame content access
* CVE-2018-5117 (bmo#1395508)
URL spoofing with right-to-left text aligned left-to-right
* CVE-2018-5118 (bmo#1420049)
Activity Stream images can attempt to load local content through file:
* CVE-2018-5119 (bmo#1420507)
Reader view will load cross-origin content in violation of CORS headers
* CVE-2018-5121 (bmo#1402368) (affects only OS X)
OS X Tibetan characters render incompletely in the addressbar
* CVE-2018-5122 (bmo#1413841)
Potential integer overflow in DoCrypt
* CVE-2018-5090
Memory safety bugs fixed in Firefox 58
* CVE-2018-5089
Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- requires NSS 3.34.1
- requires rust 1.21
- removed obsolete patches:
mozilla-bindgen-systemlibs.patch
mozilla-bmo1360278.patch
mozilla-bmo1399611-csd.patch
mozilla-rust-1.23.patch
- rebased patches
- updated man-page
-------------------------------------------------------------------
Tue Jan 9 18:48:02 UTC 2018 - wr@rosenauer.org
- fixed build with latest rust (mozilla-rust-1.23.patch)
-------------------------------------------------------------------
Thu Jan 4 12:23:41 UTC 2018 - wr@rosenauer.org
- update to Firefox 57.0.4
MFSA 2018-1: Speculative execution side-channel attack ("Spectre")
(boo#1074723)
-------------------------------------------------------------------
Wed Jan 3 08:29:38 UTC 2018 - wr@rosenauer.org
- fixed regression introduced Oct 10th which made Firefox crash
when cancelling the KDE file dialog (boo#1069962)
-------------------------------------------------------------------
Fri Dec 29 19:52:34 UTC 2017 - astieger@suse.com
- Mozilla Firefox 57.0.3:
* Fix a crash reporting issue that inadvertently sends background
tab crash reports to Mozilla without user opt-in (bmo#1427111,
bsc#1074235)
- Includes changes from 57.0.2:
* fixes for platforms other than GNU/Linux
-------------------------------------------------------------------
Fri Dec 8 15:52:17 UTC 2017 - dimstar@opensuse.org
- Explicitly buildrequires python2-xml: The build system relies on
it. We wrongly relied on other packages pulling it in for us.
-------------------------------------------------------------------
Thu Dec 7 11:12:31 UTC 2017 - dimstar@opensuse.org
- Escape the usage of %{VERSION} when calling out to rpm.
RPM 4.14 has %{VERSION} defined as 'the main packages version'.
-------------------------------------------------------------------
Wed Nov 29 23:45:03 UTC 2017 - wr@rosenauer.org
- update to Firefox 57.0.1
* CVE-2017-7843: Web worker in Private Browsing mode can write
IndexedDB data (bsc#1072034, bmo#1410106)
* CVE-2017-7844: Visited history information leak through SVG
image (bsc#1072036, bmo#1420001)
* Fix a video color distortion issue on YouTube and other video
sites with some AMD devices (bmo#1417442)
* Fix an issue with prefs.js when the profile path has non-ascii
characters (bmo#1420427)
-------------------------------------------------------------------
Tue Nov 21 09:00:48 UTC 2017 - christophe@krop.fr
- Add mozilla-bmo1360278.patch
Starting with Firefox 57, the context menu appears on key press.
This patch creates a config entry to restore the
old behaviour. Without the patch, the mouse gesture extensions
require 2 clicks to work (bmo#1360278).
The new config entry is named ui.context_menus.after_mouseup
(default : false).
-------------------------------------------------------------------
Sat Nov 18 08:35:21 UTC 2017 - wr@rosenauer.org
- Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled
widget.allow-client-side-decoration=true
(mozilla-bmo1399611-csd.patch)
-------------------------------------------------------------------
Wed Nov 15 06:46:06 UTC 2017 - wr@rosenauer.org
- update to Firefox 57.0 (boo#1068101)
* Firefox Quantum
* Photon UI
* Unified address and search bar
* AMD VP9 hardware video decoder support
* Added support for Date/Time input
* stricter security sandbox blocking filesystem reading and
writing on Linux systems
* middle mouse paste in the content area no longer navigates to
URLs by default on Unix systems
MFSA 2017-24
* CVE-2017-7828 (bmo#1406750. bmo#1412252)
Use-after-free of PressShell while restyling layout
* CVE-2017-7830 (bmo#1408990)
Cross-origin URL information leak through Resource Timing API
* CVE-2017-7831 (bmo#1392026)
Information disclosure of exposed properties on JavaScript proxy
objects
* CVE-2017-7832 (bmo#1408782)
Domain spoofing through use of dotless 'i' character followed
by accent markers
* CVE-2017-7833 (bmo#1370497)
Domain spoofing with Arabic and Indic vowel marker characters
* CVE-2017-7834 (bmo#1358009)
data: URLs opened in new tabs bypass CSP protections
* CVE-2017-7835 (bmo#1402363)
Mixed content blocking incorrectly applies with redirects
* CVE-2017-7836 (bmo#1401339)
Pingsender dynamically loads libcurl on Linux and OS X
* CVE-2017-7837 (bmo#1325923)
SVG loaded as can use meta tags to set cookies
* CVE-2017-7838 (bmo#1399540)
Failure of individual decoding of labels in international domain
names triggers punycode display of entire IDN
* CVE-2017-7839 (bmo#1402896)
Control characters before javascript: URLs defeats self-XSS
prevention mechanism
* CVE-2017-7840 (bmo#1366420)
Exported bookmarks do not strip script elements from user-supplied
tags
* CVE-2017-7842 (bmo#1397064)
Referrer Policy is not always respected for elements
* CVE-2017-7827
Memory safety bugs fixed in Firefox 57
* CVE-2017-7826
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
- requires NSPR 4.17, NSS 3.33 and rustc 1.19
- rebased patches
- added mozilla-bindgen-systemlibs.patch to allow stylo build
with system libs (bmo#1341234)
- removed mozilla-language.patch since the whole locale code
changed in Firefox and is relying on ICU now
- removed obsolete mozilla-ucontext.patch
-------------------------------------------------------------------
Sat Oct 28 06:30:37 UTC 2017 - wr@rosenauer.org
- update to Firefox 56.0.2
* Disable Form Autofill completely on user request (bmo#1404531)
* Fix for video-related crashes on Windows 7 (bmo#1409141)
* Correct detection for 64-bit GSSAPI authentication (bmo#1409275)
* Fix for shutdown crash (bmo#1404105)
-------------------------------------------------------------------
Tue Oct 10 11:47:49 UTC 2017 - wr@rosenauer.org
- update to Firefox 56.0.1
* Block D3D11 when using Intel drivers on Windows 7 systems with
partial AVX support (bmo#1403353)
-> just to sync the version number
- enable stylo for TW (requires LLVM >= 3.9)
- queue KDE filepicker requests to avoid non-opening file dialogs
happening in certain situations (contributed by Ignaz Forster)
- the placeholder dot in KDE file dialog in case of empty filenames
was removed, apparently not required (anymore)
(contributed by Ignaz Forster)
-------------------------------------------------------------------
Sun Oct 1 18:25:16 UTC 2017 - stefan.bruens@rwth-aachen.de
- Correct plugin directory for aarch64 (boo#1061207). The wrapper
script was not detecting aarch64 as a 64 bit architecture, thus
used /usr/lib/browser-plugins/.
-------------------------------------------------------------------
Sat Sep 30 20:10:50 UTC 2017 - zaitor@opensuse.org
- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
looks for.
-------------------------------------------------------------------
Thu Sep 28 08:28:29 UTC 2017 - wr@rosenauer.org
- update to Firefox 56.0 (boo#1060445)
* Firefox Screenshots
* Find Options/Preferences more quickly with new search function
* Media is no longer auto-played when opened in a background tab
* Enable CSS Grid Layout View
MFSA 2017-21
* CVE-2017-7793 (bmo#1371889)
Use-after-free with Fetch API
* CVE-2017-7817 (bmo#1356596) (Android-only)
Firefox for Android address bar spoofing through fullscreen mode
* CVE-2017-7818 (bmo#1363723)
Use-after-free during ARIA array manipulation
* CVE-2017-7819 (bmo#1380292)
Use-after-free while resizing images in design mode
* CVE-2017-7824 (bmo#1398381)
Buffer overflow when drawing and validating elements with ANGLE
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
Use-after-free in TLS 1.2 generating handshake hashes
* CVE-2017-7812 (bmo#1379842)
Drag and drop of malicious page content to the tab bar can open locally stored files
* CVE-2017-7814 (bmo#1376036)
Blob and data URLs bypass phishing and malware protection warnings
* CVE-2017-7813 (bmo#1383951)
Integer truncation in the JavaScript parser
* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
OS X fonts render some Tibetan and Arabic unicode characters as spaces
* CVE-2017-7815 (bmo#1368981)
Spoofing attack with modal dialogs on non-e10s installations
* CVE-2017-7816 (bmo#1380597)
WebExtensions can load about: URLs in extension UI
* CVE-2017-7821 (bmo#1346515)
WebExtensions can download and open non-executable files without user interaction
* CVE-2017-7823 (bmo#1396320)
CSP sandbox directive did not create a unique origin
* CVE-2017-7822 (bmo#1368859)
WebCrypto allows AES-GCM with 0-length IV
* CVE-2017-7820 (bmo#1378207)
Xray wrapper bypass with new tab and web console
* CVE-2017-7811
Memory safety bugs fixed in Firefox 56
* CVE-2017-7810
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
- requires NSPR 4.16 and NSS 3.32.1
- rebased patches
-------------------------------------------------------------------
Thu Sep 28 07:53:13 UTC 2017 - dimstar@opensuse.org
- Add alsa-devel BuildRequires: we care for ALSA support to be
built and thus need to ensure we get the dependencies in place.
In the past, alsa-devel was pulled in by accident: we
buildrequire libgnome-devel. This required esound-devel and that
in turn pulled in alsa-devel for us. libgnome is being fixed to
no longer require esound-devel.
-------------------------------------------------------------------
Mon Sep 4 18:27:44 UTC 2017 - wr@rosenauer.org
- update to Firefox 55.0.3
* Fix an issue with addons when using a path containing non-ascii
characters (bmo#1389160)
* Fix file uploads to some websites, including YouTube (bmo#1383518)
- fix Google API key build integration
- add mozilla-ucontext.patch to fix Tumbleweed build
- do not enable XINPUT2 for now (boo#1053959)
-------------------------------------------------------------------
Fri Aug 11 08:32:30 UTC 2017 - wr@rosenauer.org
- update to Firefox 55.0.1
* Fix a regression the tab restoration process (bmo#1388160)
* Fix a problem causing What's new pages not to be displayed (bmo#1386224)
* Fix a rendering issue with some PKCS#11 libraries (bmo#1388370)
* Disable the predictor prefetch (bmo#1388160)
-------------------------------------------------------------------
Sat Aug 5 13:22:16 UTC 2017 - wr@rosenauer.org
- update to Firefox 55.0 (boo#1052829)
* Browsing sessions with a high number of tabs are now restored
in an instant
* Sidebar (bookmarks, history, synced tabs) can now be moved to
the right edge of the window
* Fine-tune your browser performance from the Preferences/Options page.
* Make screenshots of webpages, and save them locally or upload
them to the cloud. This feature will undergo A/B testing and
will not be visible for some users.
* Added Belarusian (be) locale
* Simplify print jobs from within print preview
* Use virtual reality devices with the web with the introduction
of WebVR
* Search suggestions are now enabled by default for users who
haven't explicitly opted-out
* Search with any installed search engine directly from the
location bar
* IMPORTANT: Breaking profile changes - do not downgrade Firefox
and use a profile that has been opened with Firefox 55+.
* The Adobe Flash plugin is now click-to-activate by default and
only allowed on http:// and https:// URL schemes. This change
will be rolled out progressively and so will not be visible to
all users immediately. For more information see the Firefox
plugin roadmap
* Modernized application update UI to be less intrusive and more
aligned with the rest of the browser. Only users who have not
restarted their browser 8 days after downloading an update or
users who opted out of automatic updates will see this change.
* Insecure sites can no longer access the Geolocation APIs to get
access to your physical location
* requires NSPR 4.15 and NSS 3.31
MFSA 2017-18
* CVE-2017-7798 (bmo#1371586, bmo#1372112)
XUL injection in the style editor in devtools
* CVE-2017-7800 (bmo#1374047)
Use-after-free in WebSockets during disconnection
* CVE-2017-7801 (bmo#1371259)
Use-after-free with marquee during window resizing
* CVE-2017-7809 (bmo#1380284)
Use-after-free while deleting attached editor DOM node
* CVE-2017-7784 (bmo#1376087)
Use-after-free with image observers
* CVE-2017-7802 (bmo#1378147)
Use-after-free resizing image elements
* CVE-2017-7785 (bmo#1356985)
Buffer overflow manipulating ARIA attributes in DOM
* CVE-2017-7786 (bmo#1365189)
Buffer overflow while painting non-displayable SVG
* CVE-2017-7806 (bmo#1378113)
Use-after-free in layer manager with SVG
* CVE-2017-7753 (bmo#1353312)
Out-of-bounds read with cached style data and pseudo-elements#
* CVE-2017-7787 (bmo#1322896)
Same-origin policy bypass with iframes through page reloads
* CVE-2017-7807 (bmo#1376459)
Domain hijacking through AppCache fallback
* CVE-2017-7792 (bmo#1368652)
Buffer overflow viewing certificates with an extremely long OID
* CVE-2017-7804 (bmo#1372849)
Memory protection bypass through WindowsDllDetourPatcher
* CVE-2017-7791 (bmo#1365875)
Spoofing following page navigation with data: protocol and modal alerts
* CVE-2017-7808 (bmo#1367531)
CSP information leak with frame-ancestors containing paths
* CVE-2017-7782 (bmo#1344034)
WindowsDllDetourPatcher allocates memory without DEP protections
* CVE-2017-7781 (bmo#1352039)
Elliptic curve point addition error when using mixed Jacobian-affine coordinates
* CVE-2017-7794 (bmo#1374281)
Linux file truncation via sandbox broker
* CVE-2017-7803 (bmo#1377426)
CSP containing 'sandbox' improperly applied
* CVE-2017-7799 (bmo#1372509)
Self-XSS XUL injection in about:webrtc
* CVE-2017-7783 (bmo#1360842)
DOS attack through long username in URL
* CVE-2017-7788 (bmo#1073952)
Sandboxed about:srcdoc iframes do not inherit CSP directives
* CVE-2017-7789 (bmo#1074642)
Failure to enable HSTS when two STS headers are sent for a connection
* CVE-2017-7790 (bmo#1350460) (Windows-only)
Windows crash reporter reads extra memory for some non-null-terminated registry values
* CVE-2017-7796 (bmo#1234401) (Windows-only)
Windows updater can delete any file named update.log
* CVE-2017-7797 (bmo#1334776)
Response header name interning leaks across origins
* CVE-2017-7780
Memory safety bugs fixed in Firefox 55
* CVE-2017-7779
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
- updated mozilla-kde.patch:
* removed "downloadfinished" alert as Firefox reimplemented the
whole thing (TODO: check if there is another function we should
hook in)
-------------------------------------------------------------------
Tue Jul 4 20:08:47 UTC 2017 - wr@rosenauer.org
- update to Firefox 54.0.1
* Fix a display issue of tab title (bmo#1357656)
* Fix a display issue of opening new tab (bmo#1371995)
* Fix a display issue when opening multiple tabs (bmo#1371962)
* Fix a tab display issue when downloading files (bmo#1373109)
* Fix a PDF printing issue (bmo#1366744)
* Fix a Netflix issue on Linux (bmo#1375708)
-------------------------------------------------------------------
Thu Jun 15 13:56:05 UTC 2017 - wr@rosenauer.org
- update to Firefox 54.0
* Clearer and more detailed information for download items in the
download panel
* Added Burmese (my) locale
* Bookmarks created on mobile devices are now shown in
"Mobile Bookmarks” folder in the drop down list from the toolbar
and Bookmarks option in the menu bar in Desktop Firefox
* added support for multiple content processes (e10s-multi)
- requires NSPR 4.14 and NSS 3.30.2
- requires rust 1.15.1
- removed mozilla-shared-nss-db.patch as it seems to be a rather
unused feature
-------------------------------------------------------------------
Thu Jun 1 04:25:05 UTC 2017 - kah0922@gmail.com
- remove -fno-inline-small-functions and explicitely optimize with
-O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
-------------------------------------------------------------------
Wed Apr 26 12:37:38 UTC 2017 - wr@rosenauer.org
- switch to Mozilla's geolocation service (boo#1026989)
- removed mozilla-preferences.patch obsoleted by overriding via
firefox.js
- fixed KDE integration to avoid crash caused by filepicker
(boo#1015998)
-------------------------------------------------------------------
Mon Apr 17 12:52:10 UTC 2017 - wr@rosenauer.org
- update to Firefox 53.0
* requires NSS 3.29.5
* Lightweight themes are now applied in private browsing windows
* Reader Mode now displays estimated reading time for the page
* Two new 'compact' themes available in Firefox, dark and light,
based on the Firefox Developer Edition theme
* Ended Firefox Linux support for processors older than Pentium 4
and AMD Opteron
* Refresh of the media controls user interface
* Shortened titles on tabs are faded out instead of using ellipsis
for improved readability
* Media playback on new tabs is blocked until the tab is visible
* Permission notifications have a cleaner design and cannot be
easily missed
MFSA 2017-10
* CVE-2017-5456 (bmo#1344415)
Sandbox escape allowing local file system access
* CVE-2017-5442 (bmo#1347979)
Use-after-free during style changes
* CVE-2017-5443 (bmo#1342661)
Out-of-bounds write during BinHex decoding
* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1
* CVE-2017-5464 (bmo#1347075)
Memory corruption with accessibility and DOM manipulation
* CVE-2017-5465 (bmo#1347617)
Out-of-bounds read in ConvolvePixel
* CVE-2017-5466 (bmo#1353975)
Origin confusion when reloading isolated data:text/html URL
* CVE-2017-5467 (bmo#1347262)
Memory corruption when drawing Skia content
* CVE-2017-5460 (bmo#1343642)
Use-after-free in frame selection
* CVE-2017-5461 (bmo#1344380)
Out-of-bounds write in Base64 encoding in NSS
* CVE-2017-5448 (bmo#1346648)
Out-of-bounds write in ClearKeyDecryptor
* CVE-2017-5449 (bmo#1340127)
Crash during bidirectional unicode manipulation with animation
* CVE-2017-5446 (bmo#1343505)
Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
* CVE-2017-5447 (bmo#1343552)
Out-of-bounds read during glyph processing
* CVE-2017-5444 (bmo#1344461)
Buffer overflow while parsing application/http-index-format content
* CVE-2017-5445 (bmo#1344467)
Uninitialized values used while parsing application/http-index-format
content
* CVE-2017-5468 (bmo#1329521)
Incorrect ownership model for Private Browsing information
* CVE-2017-5469 (bmo#1292534)
Potential Buffer overflow in flex-generated code
* CVE-2017-5440 (bmo#1336832)
Use-after-free in txExecutionState destructor during XSLT processing
* CVE-2017-5441 (bmo#1343795)
Use-after-free with selection during scroll events
* CVE-2017-5439 (bmo#1336830)
Use-after-free in nsTArray Length() during XSLT processing
* CVE-2017-5438 (bmo#1336828)
Use-after-free in nsAutoPtr during XSLT processing
* CVE-2017-5437 (bmo#1343453)
Vulnerabilities in Libevent library
* CVE-2017-5436 (bmo#1345461)
Out-of-bounds write with malicious font in Graphite 2
* CVE-2017-5435 (bmo#1350683)
Use-after-free during transaction processing in the editor
* CVE-2017-5434 (bmo#1349946)
Use-after-free during focus handling
* CVE-2017-5433 (bmo#1347168)
Use-after-free in SMIL animation functions
* CVE-2017-5432 (bmo#1346654)
Use-after-free in text input selection
* CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686,
bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621,
bmo#1349719, bmo#1353476)
Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
* CVE-2017-5459 (bmo#1333858)
Buffer overflow in WebGL
* CVE-2017-5458 (bmo#1229426)
Drag and drop of javascript: URLs can allow for self-XSS
* CVE-2017-5455 (bmo#1341191)
Sandbox escape through internal feed reader APIs
* CVE-2017-5454 (bmo#1349276)
Sandbox escape allowing file system read access through file picker
* CVE-2017-5451 (bmo#1273537)
Addressbar spoofing with onblur event
* CVE-2017-5453 (bmo#1321247)
HTML injection into RSS Reader feed preview page through
TITLE element
* CVE-2017-5462 (bmo#1345089)
DRBG flaw in NSS
- removed browser(npapi) provides as these plugins are deprecated
- switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for
Leap 42
- Gtk2 is not longer an option; switched to Gtk3
- apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support
(boo#1032003)
-------------------------------------------------------------------
Mon Apr 3 06:16:26 UTC 2017 - wr@rosenauer.org
- update to Firefox 52.0.2
* Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
* Fix loading tab icons on session restore (bmo#1338009)
* Fix a crash on startup on Linux (bmo#1345413)
* Fix new installs erroneously not prompting to change the default
browser setting (bmo#1343938)
-------------------------------------------------------------------
Mon Mar 20 15:35:57 UTC 2017 - wr@rosenauer.org
- disable rust usage for everything but x86(-64)
- explicitely add libffi build requirement
-------------------------------------------------------------------
Fri Mar 17 15:43:29 UTC 2017 - wr@rosenauer.org
- update to Firefox 52.0.1 (boo#1029822)
MFSA 2017-08
CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
-------------------------------------------------------------------
Thu Mar 9 12:30:14 UTC 2017 - wr@rosenauer.org
- reenable ALSA support which was removed by default upstream
-------------------------------------------------------------------
Sat Mar 4 16:57:45 UTC 2017 - wr@rosenauer.org
- update to Firefox 52.0 (boo#1028391)
* requires NSS >= 3.28.3
* Pages containing insecure password fields now display a warning
directly within username and password fields.
* Send and open a tab from one device to another with Sync
* Removed NPAPI support for plugins other than Flash. Silverlight,
Java, Acrobat and the like are no longer supported.
* Removed Battery Status API to reduce fingerprinting of users by
trackers
* MFSA 2017-05
CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
(bmo#1334933)
CVE-2017-5401: Memory Corruption when handling ErrorResult
(bmo#1328861)
CVE-2017-5402: Use-after-free working with events in FontFace
objects (bmo#1334876)
CVE-2017-5403: Use-after-free using addRange to add range to an
incorrect root object (bmo#1340186)
CVE-2017-5404: Use-after-free working with ranges in selections
(bmo#1340138)
CVE-2017-5406: Segmentation fault in Skia with canvas operations
(bmo#1306890)
CVE-2017-5407: Pixel and history stealing via floating-point
timing side channel with SVG filters (bmo#1336622)
CVE-2017-5410: Memory corruption during JavaScript garbage
collection incremental sweeping (bmo#1330687)
CVE-2017-5408: Cross-origin reading of video captions in violation
of CORS (bmo#1313711)
CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
CVE-2017-5413: Segmentation fault during bidirectional operations
(bmo#1337504)
CVE-2017-5414: File picker can choose incorrect default directory
(bmo#1319370)
CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
(bmo#791597)
CVE-2017-5426: Gecko Media Plugin sandbox is not started if
seccomp-bpf filter is running (bmo#1257361)
CVE-2017-5427: Non-existent chrome.manifest file loaded during
startup (bmo#1295542)
CVE-2017-5418: Out of bounds read when parsing HTTP digest
authorization responses (bmo#1338876)
CVE-2017-5419: Repeated authentication prompts lead to DOS
attack (bmo#1312243)
CVE-2017-5420: Javascript: URLs can obfuscate addressbar
location (bmo#1284395)
CVE-2017-5405: FTP response codes can cause use of
uninitialized values for ports (bmo#1336699)
CVE-2017-5421: Print preview spoofing (bmo#1301876)
CVE-2017-5422: DOS attack by using view-source: protocol
repeatedly in one hyperlink (bmo#1295002)
CVE-2017-5399: Memory safety bugs fixed in Firefox 52
CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
Firefox ESR 45.8
- removed obsolete patches
* mozilla-binutils-visibility.patch
* mozilla-check_return.patch
* mozilla-disable-skia-be.patch
* mozilla-skia-overflow.patch
* mozilla-skia-ppc-endianess.patch
- rebased patches
- enable rust usage for Tumbleweed
-------------------------------------------------------------------
Fri Jan 27 20:25:59 UTC 2017 - astieger@suse.com
- Mozilla Firefox 51.0.1:
- Multiprocess incompatibility did not correctly register with
some add-ons (bmo#1333423)
-------------------------------------------------------------------
Fri Jan 20 13:57:56 UTC 2017 - wr@rosenauer.org
- update to Firefox 51.0
* requires NSPR >= 4.13.1, NSS >= 3.28.1
* Added support for FLAC (Free Lossless Audio Codec) playback
* Added support for WebGL 2
* Added Georgian (ka) and Kabyle (kab) locales
* Support saving passwords for forms without 'submit' events
* Improved video performance for users without GPU acceleration
* Zoom indicator is shown in the URL bar if the zoom level is not
at default level
* View passwords from the prompt before saving them
* Remove Belarusian (be) locale
* Use Skia for content rendering (Linux)
* MFSA 2017-01
CVE-2017-5375: Excessive JIT code allocation allows bypass of
ASLR and DEP (bmo#1325200, boo#1021814)
CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
CVE-2017-5377: Memory corruption with transforms to create
gradients in Skia (bmo#1306883, boo#1021826)
CVE-2017-5378: Pointer and frame data leakage of Javascript objects
(bmo#1312001, bmo#1330769, boo#1021818)
CVE-2017-5379: Use-after-free in Web Animations
(bmo#1309198,boo#1021827)
CVE-2017-5380: Potential use-after-free during DOM manipulations
(bmo#1322107, boo#1021819)
CVE-2017-5390: Insecure communication methods in Developer Tools
JSON viewer (bmo#1297361, boo#1021820)
CVE-2017-5389: WebExtensions can install additional add-ons via
modified host requests (bmo#1308688, boo#1021828)
CVE-2017-5396: Use-after-free with Media Decoder
(bmo#1329403, boo#1021821)
CVE-2017-5381: Certificate Viewer exporting can be used to navigate
and save to arbitrary filesystem locations
(bmo#1017616, boo#1021830)
CVE-2017-5382: Feed preview can expose privileged content errors
and exceptions (bmo#1295322, boo#1021831)
CVE-2017-5383: Location bar spoofing with unicode characters
(bmo#1323338, bmo#1324716, boo#1021822)
CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
(bmo#1255474, boo#1021832)
CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
response headers (bmo#1295945, boo#1021833)
CVE-2017-5386: WebExtensions can use data: protocol to affect other
extensions (bmo#1319070, boo#1021823)
CVE-2017-5394: Android location bar spoofing using fullscreen and
JavaScript events (bmo#1222798)
CVE-2017-5391: Content about: pages can load privileged about: pages
(bmo#1309310, boo#1021835)
CVE-2017-5392: Weak references using multiple threads on weak proxy
objects lead to unsafe memory usage (bmo#1293709)
(Android only)
CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for
mozAddonManager (bmo#1309282, boo#1021837)
CVE-2017-5395: Android location bar spoofing during scrolling
(bmo#1293463) (Android only)
CVE-2017-5387: Disclosure of local file existence through TRACK
tag error messages (bmo#1295023, boo#1021839)
CVE-2017-5388: WebRTC can be used to generate a large amount of
UDP traffic for DDOS attacks
(bmo#1281482, boo#1021840)
CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841)
CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and
Firefox ESR 45.7 (boo#1021824)
- switch Firefox to Gtk3 for Tumbleweed
- removed obsolete patches
* mozilla-flex_buffer_overrun.patch
- updated RPM locale support tag
- improve recognition of LANGUAGE env variable (boo#1017174)
- add upstream patch to fix PPC64LE (bmo#1319389)
(mozilla-skia-ppc-endianess.patch)
- fix build without skia (big endian archs) (bmo#1319374)
(mozilla-disable-skia-be.patch)
-------------------------------------------------------------------
Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org
- update to Firefox 50.1.0 (boo#1015422)
* MFSA 2016-94
CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
CVE-2016-9899: Use-after-free while manipulating DOM events and
audio elements (bmo#1317409)
CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
CVE-2016-9898: Use-after-free in Editor while manipulating
DOM subtrees (bmo#1314442)
CVE-2016-9900: Restricted external resources can be loaded by
SVG images through data URLs (bmo#1319122)
CVE-2016-9904: Cross-origin information leak in shared atoms
(bmo#1317936)
CVE-2016-9901: Data from Pocket server improperly sanitized
before execution (bmo#1320057)
CVE-2016-9902: Pocket extension does not validate the origin
of events (bmo#1320039)
CVE-2016-9903: XSS injection vulnerability in add-ons SDK
(bmo#1315435)
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
Firefox ESR 45.6
-------------------------------------------------------------------
Fri Dec 9 17:57:22 UTC 2016 - cgrobertson@novell.com
- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
-------------------------------------------------------------------
Thu Dec 1 02:49:45 UTC 2016 - wr@rosenauer.org
- update to Firefox 50.0.2
* Firefox crashes with 3rd party Chinese IME when using IME text
(50.0.1)
security fixes (in 50.0.1): (boo#1012807)
* MFSA 2016-91
CVE-2016-9078: data: URL can inherit wrong origin after an
HTTP redirect (bmo#1317641)
security fixes (in 50.0.2) (boo#1012964)
* MFSA 2016-92
CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
-------------------------------------------------------------------
Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org
- update to Firefox 50.0 (boo#1009026)
* requires NSS 3.26.2
new features
* Updates to keyboard shortcuts
Set a preference to have Ctrl+Tab cycle through tabs in recently
used order
View a page in Reader Mode by using Ctrl+Alt+R
* Added option to Find in page that allows users to limit search to
whole words only
* Added download protection for a large number of executable file
types on Windows, Mac and Linux
* Fixed rendering of dashed and dotted borders with rounded corners
(border-radius)
* Added a built-in Emoji set for operating systems without native
Emoji fonts (Windows 8.0 and lower and Linux)
* Blocked versions of libavcodec older than 54.35.1
* additional locale
security fixes:
* MFSA 2016-89
CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
(bmo#1292443)
CVE-2016-5292: URL parsing causes crash (bmo#1288482)
CVE-2016-5293: Write to arbitrary file with updater and moz
maintenance service using updater.log hardlink
(Windows only) (bmo#1246945)
CVE-2016-5294: Arbitrary target directory for result files of
update process (Windows only) (bmo#1246972)
CVE-2016-5297: Incorrect argument length checking in Javascript
(bmo#1303678)
CVE-2016-9064: Addons update must verify IDs match between
current and new versions (bmo#1303418)
CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen
(Android only) (bmo#1306696)
CVE-2016-9066: Integer overflow leading to a buffer overflow in
nsScriptLoadHandler (bmo#1299686)
CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
(bmo#1301777, bmo#1308922 (CVE-2016-9069))
CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
(bmo#1300083) (Windows only)
CVE-2016-9075: WebExtensions can access the mozAddonManager API
and use it to gain elevated privileges (bmo#1295324)
CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
to cross-origin images, allowing timing attacks on them
(bmo#1298552)
CVE-2016-5291: Same-origin policy violation using local HTML file
and saved shortcut file (bmo#1292159)
CVE-2016-5295: Mozilla Maintenance Service: Ability to read
arbitrary files as SYSTEM (Windows only) (bmo#1247239)
CVE-2016-5298: SSL indicator can mislead the user about the real
URL visited (bmo#1227538) (Android only)
CVE-2016-5299: Firefox AuthToken in broadcast protected with
signature-level permission can be accessed by an
application installed beforehand that defines the
same permissions (bmo#1245791) (Android only)
CVE-2016-9061: API Key (glocation) in broadcast protected with
signature-level permission can be accessed by an
application installed beforehand that defines the
same permissions (Android only) (bmo#1245795)
CVE-2016-9062: Private browsing browser traces (android) in
browser.db and wal file (Android only) (bmo#1294438)
CVE-2016-9070: Sidebar bookmark can have reference to chrome window
(bmo#1281071)
CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
(bmo#1289273)
CVE-2016-9074: Insufficient timing side-channel resistance in
divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
CVE-2016-9076: select dropdown menu can be used for URL bar
spoofing on e10s (bmo#1276976)
CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
in expat (bmo#1274777)
CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
(bmo#1285003)
CVE-2016-5289: Memory safety bugs fixed in Firefox 50
CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
- make aarch64 build more similar to x86_64 build (remove conditionals
that don't seem to be necessary anymore)
-------------------------------------------------------------------
Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com
- Mozilla Firefox 49.0.2:
* CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
* CVE-2016-5288: Web content can read cache entries (bsc#1006476)
* Asynchronous rendering of the Flash plugins is now enabled by
default
* Change D3D9 default fallback preference to prevent graphical
artifacts
* Network issue prevents some users from seeing the Firefox UI on
startup
* Web compatibility issue with file uploads
* Web compatibility issue with Array.prototype.values
* Diagnostic information on timing for tab switching
* Fix a Canvas filters graphics issue affecting HTML5 apps
-------------------------------------------------------------------
Wed Oct 12 20:42:28 UTC 2016 - badshah400@gmail.com
- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
and fixes have been incorporated by upstream.
-------------------------------------------------------------------
Fri Sep 23 20:36:39 UTC 2016 - astieger@suse.com
- Mozilla Firefox 49.0.1:
* Mitigate a startup crash issue caused by Websense - bmo#1304783
-------------------------------------------------------------------
Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org
- update to Firefox 49.0 (boo#999701)
new features
* Updated Firefox Login Manager to allow HTTPS pages to use saved
HTTP logins.
* Added features to Reader Mode that make it easier on the eyes and
the ears
* Improved video performance for users on systems that support
SSE3 without hardware acceleration
* Added context menu controls to HTML5 audio and video that let users
loops files or play files at 1.25x speed
* Improvements in about:memory reports for tracking font memory usage
security related
* MFSA 2016-85
CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
mozilla::net::IsValidReferrerPolicy
CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
nsCaseTransformTextRunFactory::TransformString
CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
PropertyProvider::GetSpacingInternal
CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
CVE-2016-5273 (bmo#1280387) - crash in
mozilla::a11y::HyperTextAccessible::GetChildOffset
CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
mozilla::a11y::DocAccessible::ProcessInvalidationList
CVE-2016-5274 (bmo#1282076) - use-after-free in
nsFrameManager::CaptureFrameState
CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
nsBMPEncoder::AddImageFrame
CVE-2016-5279 (bmo#1249522) - Full local path of files is available
to web pages after drag and drop
CVE-2016-5280 (bmo#1289970) - Use-after-free in
mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
from non-whitelisted schemes
CVE-2016-5283 (bmo#928187) -