------------------------------------------------------------------- Fri Dec 29 19:52:34 UTC 2017 - astieger@suse.com - Mozilla Firefox 57.0.3: * Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bmo#1427111, bsc#1074235) - Includes changes from 57.0.2: * fixes for platforms other than GNU/Linux ------------------------------------------------------------------- Fri Dec 8 15:52:17 UTC 2017 - dimstar@opensuse.org - Explicitly buildrequires python2-xml: The build system relies on it. We wrongly relied on other packages pulling it in for us. ------------------------------------------------------------------- Thu Dec 7 11:12:31 UTC 2017 - dimstar@opensuse.org - Escape the usage of %{VERSION} when calling out to rpm. RPM 4.14 has %{VERSION} defined as 'the main packages version'. ------------------------------------------------------------------- Wed Nov 29 23:45:03 UTC 2017 - wr@rosenauer.org - update to Firefox 57.0.1 * CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data (bsc#1072034, bmo#1410106) * CVE-2017-7844: Visited history information leak through SVG image (bsc#1072036, bmo#1420001) * Fix a video color distortion issue on YouTube and other video sites with some AMD devices (bmo#1417442) * Fix an issue with prefs.js when the profile path has non-ascii characters (bmo#1420427) ------------------------------------------------------------------- Tue Nov 21 09:00:48 UTC 2017 - christophe@krop.fr - Add mozilla-bmo1360278.patch Starting with Firefox 57, the context menu appears on key press. This patch creates a config entry to restore the old behaviour. Without the patch, the mouse gesture extensions require 2 clicks to work (bmo#1360278). The new config entry is named ui.context_menus.after_mouseup (default : false). ------------------------------------------------------------------- Sat Nov 18 08:35:21 UTC 2017 - wr@rosenauer.org - Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled widget.allow-client-side-decoration=true (mozilla-bmo1399611-csd.patch) ------------------------------------------------------------------- Wed Nov 15 06:46:06 UTC 2017 - wr@rosenauer.org - update to Firefox 57.0 (boo#1068101) * Firefox Quantum * Photon UI * Unified address and search bar * AMD VP9 hardware video decoder support * Added support for Date/Time input * stricter security sandbox blocking filesystem reading and writing on Linux systems * middle mouse paste in the content area no longer navigates to URLs by default on Unix systems MFSA 2017-24 * CVE-2017-7828 (bmo#1406750. bmo#1412252) Use-after-free of PressShell while restyling layout * CVE-2017-7830 (bmo#1408990) Cross-origin URL information leak through Resource Timing API * CVE-2017-7831 (bmo#1392026) Information disclosure of exposed properties on JavaScript proxy objects * CVE-2017-7832 (bmo#1408782) Domain spoofing through use of dotless 'i' character followed by accent markers * CVE-2017-7833 (bmo#1370497) Domain spoofing with Arabic and Indic vowel marker characters * CVE-2017-7834 (bmo#1358009) data: URLs opened in new tabs bypass CSP protections * CVE-2017-7835 (bmo#1402363) Mixed content blocking incorrectly applies with redirects * CVE-2017-7836 (bmo#1401339) Pingsender dynamically loads libcurl on Linux and OS X * CVE-2017-7837 (bmo#1325923) SVG loaded as can use meta tags to set cookies * CVE-2017-7838 (bmo#1399540) Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN * CVE-2017-7839 (bmo#1402896) Control characters before javascript: URLs defeats self-XSS prevention mechanism * CVE-2017-7840 (bmo#1366420) Exported bookmarks do not strip script elements from user-supplied tags * CVE-2017-7842 (bmo#1397064) Referrer Policy is not always respected for elements * CVE-2017-7827 Memory safety bugs fixed in Firefox 57 * CVE-2017-7826 Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5 - requires NSPR 4.17, NSS 3.33 and rustc 1.19 - rebased patches - added mozilla-bindgen-systemlibs.patch to allow stylo build with system libs (bmo#1341234) - removed mozilla-language.patch since the whole locale code changed in Firefox and is relying on ICU now - removed obsolete mozilla-ucontext.patch ------------------------------------------------------------------- Sat Oct 28 06:30:37 UTC 2017 - wr@rosenauer.org - update to Firefox 56.0.2 * Disable Form Autofill completely on user request (bmo#1404531) * Fix for video-related crashes on Windows 7 (bmo#1409141) * Correct detection for 64-bit GSSAPI authentication (bmo#1409275) * Fix for shutdown crash (bmo#1404105) ------------------------------------------------------------------- Tue Oct 10 11:47:49 UTC 2017 - wr@rosenauer.org - update to Firefox 56.0.1 * Block D3D11 when using Intel drivers on Windows 7 systems with partial AVX support (bmo#1403353) -> just to sync the version number - enable stylo for TW (requires LLVM >= 3.9) - queue KDE filepicker requests to avoid non-opening file dialogs happening in certain situations (contributed by Ignaz Forster) - the placeholder dot in KDE file dialog in case of empty filenames was removed, apparently not required (anymore) (contributed by Ignaz Forster) ------------------------------------------------------------------- Sun Oct 1 18:25:16 UTC 2017 - stefan.bruens@rwth-aachen.de - Correct plugin directory for aarch64 (boo#1061207). The wrapper script was not detecting aarch64 as a 64 bit architecture, thus used /usr/lib/browser-plugins/. ------------------------------------------------------------------- Sat Sep 30 20:10:50 UTC 2017 - zaitor@opensuse.org - Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0), pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure looks for. ------------------------------------------------------------------- Thu Sep 28 08:28:29 UTC 2017 - wr@rosenauer.org - update to Firefox 56.0 (boo#1060445) * Firefox Screenshots * Find Options/Preferences more quickly with new search function * Media is no longer auto-played when opened in a background tab * Enable CSS Grid Layout View MFSA 2017-21 * CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API * CVE-2017-7817 (bmo#1356596) (Android-only) Firefox for Android address bar spoofing through fullscreen mode * CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array manipulation * CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in design mode * CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and validating elements with ANGLE * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free in TLS 1.2 generating handshake hashes * CVE-2017-7812 (bmo#1379842) Drag and drop of malicious page content to the tab bar can open locally stored files * CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and malware protection warnings * CVE-2017-7813 (bmo#1383951) Integer truncation in the JavaScript parser * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render some Tibetan and Arabic unicode characters as spaces * CVE-2017-7815 (bmo#1368981) Spoofing attack with modal dialogs on non-e10s installations * CVE-2017-7816 (bmo#1380597) WebExtensions can load about: URLs in extension UI * CVE-2017-7821 (bmo#1346515) WebExtensions can download and open non-executable files without user interaction * CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a unique origin * CVE-2017-7822 (bmo#1368859) WebCrypto allows AES-GCM with 0-length IV * CVE-2017-7820 (bmo#1378207) Xray wrapper bypass with new tab and web console * CVE-2017-7811 Memory safety bugs fixed in Firefox 56 * CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 - requires NSPR 4.16 and NSS 3.32.1 - rebased patches ------------------------------------------------------------------- Thu Sep 28 07:53:13 UTC 2017 - dimstar@opensuse.org - Add alsa-devel BuildRequires: we care for ALSA support to be built and thus need to ensure we get the dependencies in place. In the past, alsa-devel was pulled in by accident: we buildrequire libgnome-devel. This required esound-devel and that in turn pulled in alsa-devel for us. libgnome is being fixed to no longer require esound-devel. ------------------------------------------------------------------- Mon Sep 4 18:27:44 UTC 2017 - wr@rosenauer.org - update to Firefox 55.0.3 * Fix an issue with addons when using a path containing non-ascii characters (bmo#1389160) * Fix file uploads to some websites, including YouTube (bmo#1383518) - fix Google API key build integration - add mozilla-ucontext.patch to fix Tumbleweed build - do not enable XINPUT2 for now (boo#1053959) ------------------------------------------------------------------- Fri Aug 11 08:32:30 UTC 2017 - wr@rosenauer.org - update to Firefox 55.0.1 * Fix a regression the tab restoration process (bmo#1388160) * Fix a problem causing What's new pages not to be displayed (bmo#1386224) * Fix a rendering issue with some PKCS#11 libraries (bmo#1388370) * Disable the predictor prefetch (bmo#1388160) ------------------------------------------------------------------- Sat Aug 5 13:22:16 UTC 2017 - wr@rosenauer.org - update to Firefox 55.0 (boo#1052829) * Browsing sessions with a high number of tabs are now restored in an instant * Sidebar (bookmarks, history, synced tabs) can now be moved to the right edge of the window * Fine-tune your browser performance from the Preferences/Options page. * Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users. * Added Belarusian (be) locale * Simplify print jobs from within print preview * Use virtual reality devices with the web with the introduction of WebVR * Search suggestions are now enabled by default for users who haven't explicitly opted-out * Search with any installed search engine directly from the location bar * IMPORTANT: Breaking profile changes - do not downgrade Firefox and use a profile that has been opened with Firefox 55+. * The Adobe Flash plugin is now click-to-activate by default and only allowed on http:// and https:// URL schemes. This change will be rolled out progressively and so will not be visible to all users immediately. For more information see the Firefox plugin roadmap * Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change. * Insecure sites can no longer access the Geolocation APIs to get access to your physical location * requires NSPR 4.15 and NSS 3.31 MFSA 2017-18 * CVE-2017-7798 (bmo#1371586, bmo#1372112) XUL injection in the style editor in devtools * CVE-2017-7800 (bmo#1374047) Use-after-free in WebSockets during disconnection * CVE-2017-7801 (bmo#1371259) Use-after-free with marquee during window resizing * CVE-2017-7809 (bmo#1380284) Use-after-free while deleting attached editor DOM node * CVE-2017-7784 (bmo#1376087) Use-after-free with image observers * CVE-2017-7802 (bmo#1378147) Use-after-free resizing image elements * CVE-2017-7785 (bmo#1356985) Buffer overflow manipulating ARIA attributes in DOM * CVE-2017-7786 (bmo#1365189) Buffer overflow while painting non-displayable SVG * CVE-2017-7806 (bmo#1378113) Use-after-free in layer manager with SVG * CVE-2017-7753 (bmo#1353312) Out-of-bounds read with cached style data and pseudo-elements# * CVE-2017-7787 (bmo#1322896) Same-origin policy bypass with iframes through page reloads * CVE-2017-7807 (bmo#1376459) Domain hijacking through AppCache fallback * CVE-2017-7792 (bmo#1368652) Buffer overflow viewing certificates with an extremely long OID * CVE-2017-7804 (bmo#1372849) Memory protection bypass through WindowsDllDetourPatcher * CVE-2017-7791 (bmo#1365875) Spoofing following page navigation with data: protocol and modal alerts * CVE-2017-7808 (bmo#1367531) CSP information leak with frame-ancestors containing paths * CVE-2017-7782 (bmo#1344034) WindowsDllDetourPatcher allocates memory without DEP protections * CVE-2017-7781 (bmo#1352039) Elliptic curve point addition error when using mixed Jacobian-affine coordinates * CVE-2017-7794 (bmo#1374281) Linux file truncation via sandbox broker * CVE-2017-7803 (bmo#1377426) CSP containing 'sandbox' improperly applied * CVE-2017-7799 (bmo#1372509) Self-XSS XUL injection in about:webrtc * CVE-2017-7783 (bmo#1360842) DOS attack through long username in URL * CVE-2017-7788 (bmo#1073952) Sandboxed about:srcdoc iframes do not inherit CSP directives * CVE-2017-7789 (bmo#1074642) Failure to enable HSTS when two STS headers are sent for a connection * CVE-2017-7790 (bmo#1350460) (Windows-only) Windows crash reporter reads extra memory for some non-null-terminated registry values * CVE-2017-7796 (bmo#1234401) (Windows-only) Windows updater can delete any file named update.log * CVE-2017-7797 (bmo#1334776) Response header name interning leaks across origins * CVE-2017-7780 Memory safety bugs fixed in Firefox 55 * CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 - updated mozilla-kde.patch: * removed "downloadfinished" alert as Firefox reimplemented the whole thing (TODO: check if there is another function we should hook in) ------------------------------------------------------------------- Tue Jul 4 20:08:47 UTC 2017 - wr@rosenauer.org - update to Firefox 54.0.1 * Fix a display issue of tab title (bmo#1357656) * Fix a display issue of opening new tab (bmo#1371995) * Fix a display issue when opening multiple tabs (bmo#1371962) * Fix a tab display issue when downloading files (bmo#1373109) * Fix a PDF printing issue (bmo#1366744) * Fix a Netflix issue on Linux (bmo#1375708) ------------------------------------------------------------------- Thu Jun 15 13:56:05 UTC 2017 - wr@rosenauer.org - update to Firefox 54.0 * Clearer and more detailed information for download items in the download panel * Added Burmese (my) locale * Bookmarks created on mobile devices are now shown in "Mobile Bookmarks” folder in the drop down list from the toolbar and Bookmarks option in the menu bar in Desktop Firefox * added support for multiple content processes (e10s-multi) - requires NSPR 4.14 and NSS 3.30.2 - requires rust 1.15.1 - removed mozilla-shared-nss-db.patch as it seems to be a rather unused feature ------------------------------------------------------------------- Thu Jun 1 04:25:05 UTC 2017 - kah0922@gmail.com - remove -fno-inline-small-functions and explicitely optimize with -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) ------------------------------------------------------------------- Wed Apr 26 12:37:38 UTC 2017 - wr@rosenauer.org - switch to Mozilla's geolocation service (boo#1026989) - removed mozilla-preferences.patch obsoleted by overriding via firefox.js - fixed KDE integration to avoid crash caused by filepicker (boo#1015998) ------------------------------------------------------------------- Mon Apr 17 12:52:10 UTC 2017 - wr@rosenauer.org - update to Firefox 53.0 * requires NSS 3.29.5 * Lightweight themes are now applied in private browsing windows * Reader Mode now displays estimated reading time for the page * Two new 'compact' themes available in Firefox, dark and light, based on the Firefox Developer Edition theme * Ended Firefox Linux support for processors older than Pentium 4 and AMD Opteron * Refresh of the media controls user interface * Shortened titles on tabs are faded out instead of using ellipsis for improved readability * Media playback on new tabs is blocked until the tab is visible * Permission notifications have a cleaner design and cannot be easily missed MFSA 2017-10 * CVE-2017-5456 (bmo#1344415) Sandbox escape allowing local file system access * CVE-2017-5442 (bmo#1347979) Use-after-free during style changes * CVE-2017-5443 (bmo#1342661) Out-of-bounds write during BinHex decoding * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 * CVE-2017-5464 (bmo#1347075) Memory corruption with accessibility and DOM manipulation * CVE-2017-5465 (bmo#1347617) Out-of-bounds read in ConvolvePixel * CVE-2017-5466 (bmo#1353975) Origin confusion when reloading isolated data:text/html URL * CVE-2017-5467 (bmo#1347262) Memory corruption when drawing Skia content * CVE-2017-5460 (bmo#1343642) Use-after-free in frame selection * CVE-2017-5461 (bmo#1344380) Out-of-bounds write in Base64 encoding in NSS * CVE-2017-5448 (bmo#1346648) Out-of-bounds write in ClearKeyDecryptor * CVE-2017-5449 (bmo#1340127) Crash during bidirectional unicode manipulation with animation * CVE-2017-5446 (bmo#1343505) Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data * CVE-2017-5447 (bmo#1343552) Out-of-bounds read during glyph processing * CVE-2017-5444 (bmo#1344461) Buffer overflow while parsing application/http-index-format content * CVE-2017-5445 (bmo#1344467) Uninitialized values used while parsing application/http-index-format content * CVE-2017-5468 (bmo#1329521) Incorrect ownership model for Private Browsing information * CVE-2017-5469 (bmo#1292534) Potential Buffer overflow in flex-generated code * CVE-2017-5440 (bmo#1336832) Use-after-free in txExecutionState destructor during XSLT processing * CVE-2017-5441 (bmo#1343795) Use-after-free with selection during scroll events * CVE-2017-5439 (bmo#1336830) Use-after-free in nsTArray Length() during XSLT processing * CVE-2017-5438 (bmo#1336828) Use-after-free in nsAutoPtr during XSLT processing * CVE-2017-5437 (bmo#1343453) Vulnerabilities in Libevent library * CVE-2017-5436 (bmo#1345461) Out-of-bounds write with malicious font in Graphite 2 * CVE-2017-5435 (bmo#1350683) Use-after-free during transaction processing in the editor * CVE-2017-5434 (bmo#1349946) Use-after-free during focus handling * CVE-2017-5433 (bmo#1347168) Use-after-free in SMIL animation functions * CVE-2017-5432 (bmo#1346654) Use-after-free in text input selection * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476) Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 * CVE-2017-5459 (bmo#1333858) Buffer overflow in WebGL * CVE-2017-5458 (bmo#1229426) Drag and drop of javascript: URLs can allow for self-XSS * CVE-2017-5455 (bmo#1341191) Sandbox escape through internal feed reader APIs * CVE-2017-5454 (bmo#1349276) Sandbox escape allowing file system read access through file picker * CVE-2017-5451 (bmo#1273537) Addressbar spoofing with onblur event * CVE-2017-5453 (bmo#1321247) HTML injection into RSS Reader feed preview page through TITLE element * CVE-2017-5462 (bmo#1345089) DRBG flaw in NSS - removed browser(npapi) provides as these plugins are deprecated - switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for Leap 42 - Gtk2 is not longer an option; switched to Gtk3 - apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support (boo#1032003) ------------------------------------------------------------------- Mon Apr 3 06:16:26 UTC 2017 - wr@rosenauer.org - update to Firefox 52.0.2 * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787) * Fix loading tab icons on session restore (bmo#1338009) * Fix a crash on startup on Linux (bmo#1345413) * Fix new installs erroneously not prompting to change the default browser setting (bmo#1343938) ------------------------------------------------------------------- Mon Mar 20 15:35:57 UTC 2017 - wr@rosenauer.org - disable rust usage for everything but x86(-64) - explicitely add libffi build requirement ------------------------------------------------------------------- Fri Mar 17 15:43:29 UTC 2017 - wr@rosenauer.org - update to Firefox 52.0.1 (boo#1029822) MFSA 2017-08 CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168) ------------------------------------------------------------------- Thu Mar 9 12:30:14 UTC 2017 - wr@rosenauer.org - reenable ALSA support which was removed by default upstream ------------------------------------------------------------------- Sat Mar 4 16:57:45 UTC 2017 - wr@rosenauer.org - update to Firefox 52.0 (boo#1028391) * requires NSS >= 3.28.3 * Pages containing insecure password fields now display a warning directly within username and password fields. * Send and open a tab from one device to another with Sync * Removed NPAPI support for plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. * Removed Battery Status API to reduce fingerprinting of users by trackers * MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622) CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687) CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711) CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504) CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370) CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719) CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar spoofing by draging and dropping URLs (bmo#791597) CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361) CVE-2017-5427: Non-existent chrome.manifest file loaded during startup (bmo#1295542) CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876) CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243) CVE-2017-5420: Javascript: URLs can obfuscate addressbar location (bmo#1284395) CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) CVE-2017-5421: Print preview spoofing (bmo#1301876) CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in Firefox 52 CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 - removed obsolete patches * mozilla-binutils-visibility.patch * mozilla-check_return.patch * mozilla-disable-skia-be.patch * mozilla-skia-overflow.patch * mozilla-skia-ppc-endianess.patch - rebased patches - enable rust usage for Tumbleweed ------------------------------------------------------------------- Fri Jan 27 20:25:59 UTC 2017 - astieger@suse.com - Mozilla Firefox 51.0.1: - Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423) ------------------------------------------------------------------- Fri Jan 20 13:57:56 UTC 2017 - wr@rosenauer.org - update to Firefox 51.0 * requires NSPR >= 4.13.1, NSS >= 3.28.1 * Added support for FLAC (Free Lossless Audio Codec) playback * Added support for WebGL 2 * Added Georgian (ka) and Kabyle (kab) locales * Support saving passwords for forms without 'submit' events * Improved video performance for users without GPU acceleration * Zoom indicator is shown in the URL bar if the zoom level is not at default level * View passwords from the prompt before saving them * Remove Belarusian (be) locale * Use Skia for content rendering (Linux) * MFSA 2017-01 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814) CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826) CVE-2017-5378: Pointer and frame data leakage of Javascript objects (bmo#1312001, bmo#1330769, boo#1021818) CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827) CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819) CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820) CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828) CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821) CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830) CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831) CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822) CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832) CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833) CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823) CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events (bmo#1222798) CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835) CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage (bmo#1293709) (Android only) CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837) CVE-2017-5395: Android location bar spoofing during scrolling (bmo#1293463) (Android only) CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839) CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840) CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841) CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (boo#1021824) - switch Firefox to Gtk3 for Tumbleweed - removed obsolete patches * mozilla-flex_buffer_overrun.patch - updated RPM locale support tag - improve recognition of LANGUAGE env variable (boo#1017174) - add upstream patch to fix PPC64LE (bmo#1319389) (mozilla-skia-ppc-endianess.patch) - fix build without skia (big endian archs) (bmo#1319374) (mozilla-disable-skia-be.patch) ------------------------------------------------------------------- Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org - update to Firefox 50.1.0 (boo#1015422) * MFSA 2016-94 CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628) CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements (bmo#1317409) CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) CVE-2016-9896: Use-after-free with WebVR (bmo#1315543) CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees (bmo#1314442) CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs (bmo#1319122) CVE-2016-9904: Cross-origin information leak in shared atoms (bmo#1317936) CVE-2016-9901: Data from Pocket server improperly sanitized before execution (bmo#1320057) CVE-2016-9902: Pocket extension does not validate the origin of events (bmo#1320039) CVE-2016-9903: XSS injection vulnerability in add-ons SDK (bmo#1315435) CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 ------------------------------------------------------------------- Fri Dec 9 17:57:22 UTC 2016 - cgrobertson@novell.com - added patch mozilla-aarch64-startup-crash.patch (bsc#1011922) ------------------------------------------------------------------- Thu Dec 1 02:49:45 UTC 2016 - wr@rosenauer.org - update to Firefox 50.0.2 * Firefox crashes with 3rd party Chinese IME when using IME text (50.0.1) security fixes (in 50.0.1): (boo#1012807) * MFSA 2016-91 CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect (bmo#1317641) security fixes (in 50.0.2) (boo#1012964) * MFSA 2016-92 CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066) ------------------------------------------------------------------- Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org - update to Firefox 50.0 (boo#1009026) * requires NSS 3.26.2 new features * Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R * Added option to Find in page that allows users to limit search to whole words only * Added download protection for a large number of executable file types on Windows, Mac and Linux * Fixed rendering of dashed and dotted borders with rounded corners (border-radius) * Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux) * Blocked versions of libavcodec older than 54.35.1 * additional locale security fixes: * MFSA 2016-89 CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) CVE-2016-5292: URL parsing causes crash (bmo#1288482) CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink (Windows only) (bmo#1246945) CVE-2016-5294: Arbitrary target directory for result files of update process (Windows only) (bmo#1246972) CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678) CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen (Android only) (bmo#1306696) CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile (bmo#1300083) (Windows only) CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM (Windows only) (bmo#1247239) CVE-2016-5298: SSL indicator can mislead the user about the real URL visited (bmo#1227538) (Android only) CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (bmo#1245791) (Android only) CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (Android only) (bmo#1245795) CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file (Android only) (bmo#1294438) CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" (bmo#1289273) CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) CVE-2016-5289: Memory safety bugs fixed in Firefox 50 CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 - make aarch64 build more similar to x86_64 build (remove conditionals that don't seem to be necessary anymore) ------------------------------------------------------------------- Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com - Mozilla Firefox 49.0.2: * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475) * CVE-2016-5288: Web content can read cache entries (bsc#1006476) * Asynchronous rendering of the Flash plugins is now enabled by default * Change D3D9 default fallback preference to prevent graphical artifacts * Network issue prevents some users from seeing the Firefox UI on startup * Web compatibility issue with file uploads * Web compatibility issue with Array.prototype.values * Diagnostic information on timing for tab switching * Fix a Canvas filters graphics issue affecting HTML5 apps ------------------------------------------------------------------- Wed Oct 12 20:42:28 UTC 2016 - badshah400@gmail.com - Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0 and fixes have been incorporated by upstream. ------------------------------------------------------------------- Fri Sep 23 20:36:39 UTC 2016 - astieger@suse.com - Mozilla Firefox 49.0.1: * Mitigate a startup crash issue caused by Websense - bmo#1304783 ------------------------------------------------------------------- Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org - update to Firefox 49.0 (boo#999701) new features * Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. * Added features to Reader Mode that make it easier on the eyes and the ears * Improved video performance for users on systems that support SSE3 without hardware acceleration * Added context menu controls to HTML5 audio and video that let users loops files or play files at 1.25x speed * Improvements in about:memory reports for tracking font memory usage security related * MFSA 2016-85 CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in PropertyProvider::GetSpacingInternal CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin CVE-2016-5273 (bmo#1280387) - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList CVE-2016-5274 (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame CVE-2016-5279 (bmo#1249522) - Full local path of files is available to web pages after drag and drop CVE-2016-5280 (bmo#1289970) - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons from non-whitelisted schemes CVE-2016-5283 (bmo#928187) -