| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: MozillaFirefox-branding-upstream | Distribution: openSUSE Step 15 |
| Version: 78.13.0 | Vendor: openSUSE |
| Release: 8.50.1 | Build date: Fri Aug 20 08:28:00 2021 |
| Group: Productivity/Networking/Web/Browsers | Build host: obs-arm-5 |
| Size: 0 | Source RPM: MozillaFirefox-78.13.0-8.50.1.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: http://www.mozilla.org/ | |
| Summary: Upstream branding for Firefox | |
This package provides upstream look and feel for Firefox.
MPL-2.0
* Tue Aug 10 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.13.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-34 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138)
Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29988 (bmo#1717922)
Memory corruption as a result of incorrect style treatment
* CVE-2021-29984 (bmo#1720031)
Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204)
Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29985 (bmo#1722083)
Use-after-free media channels
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
bmo#1719998, bmo#1720568)
Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* Thu Jul 15 2021 william.brown@suse.com
- jsc#SLE-18626 - Migrate rust to parallel versioned packages allowing
more flexible build requirements to be expressed.
- Update Firefox to use the 1.43 version of Rust.
* Tue Jul 13 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.12.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-29 (bsc#1188275)
* CVE-2021-29970 (bmo#1709976)
Use-after-free in accessibility features of a document
* CVE-2021-30547 (bmo#1715766)
Out of bounds write in ANGLE
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
bmo#1711576, bmo#1714391)
Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* Tue Jun 01 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.11.0 ESR
* Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.11
MFSA 2021-24 (bsc#1186696)
* CVE-2021-29964 (bmo#1706501)
Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
bmo#1704722, bmo#1706041)
Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
- Added the new Mozilla's GPG key, expiring on 2023-05-17 to the
mozilla.keyring file
* Wed May 05 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.10.1 ESR
* Fixed: Resolved an issue caused by a recent Widevine plugin
update which prevented some purchased video content from
playing correctly (bmo#1705138)
* Fixed: Security fix
MFSA 2021-18 (bsc#1185633)
* CVE-2021-29951 (bmo#1690062)
Mozilla Maintenance Service could have been started or
stopped by domain users
* Mon Apr 19 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.10.0 ESR
* Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.10
MFSA 2021-15 (bsc#1184960)
* CVE-2021-23994 (bmo#1699077)
Out of bound write due to lazy initialization
* CVE-2021-23995 (bmo#1699835)
Use-after-free in Responsive Design Mode
* CVE-2021-23998 (bmo#1667456)
Secure Lock icon could have been spoofed
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23999 (bmo#1691153)
Blob URLs may have been granted additional privileges
* CVE-2021-24002 (bmo#1702374)
Arbitrary FTP command execution on FTP servers using an
encoded URL
* CVE-2021-29945 (bmo#1700690)
Incorrect size computation in WebAssembly JIT could lead to
null-reads
* CVE-2021-29946 (bmo#1698503)
Port blocking could be bypassed
* Wed Mar 24 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.9.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-11 (bsc#1183942)
* CVE-2021-23981 (bmo#1692832)
Texture upload into an unbound backing buffer resulted in an
out-of-bound read
* CVE-2021-23982 (bmo#1677046)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2021-23984 (bmo#1693664)
Malicious extensions could have spoofed popup information
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
bmo#1690718)
Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
* Tue Feb 23 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.8.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-08 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23968 (bmo#1687342)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23973 (bmo#1690976)
MediaError message property could have leaked information
about cross-origin resources
* CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597,
bmo#786797)
Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
- Update create-tar.sh to use https instead of http (bsc#1182357)
* Mon Feb 08 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.7.1 ESR
* Fixed: Prevent access to NTFS special paths that could lead
to filesystem corruption. (bmo#1689598)
* Fixed: Security fix
MFSA 2021-06 (bsc#1181848)
* MOZ-2021-0001 (bmo#1676636)
Buffer overflow in depth pitch calculations for compressed
textures
* Tue Jan 26 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.7.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-04 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
bmo#1685260, bmo#1685925)
Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7
* Thu Jan 07 2021 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.6.1 ESR
* Fixed: Security fix
* Fixed: Fixed a crash during video playback on Apple Silicon
devices (bmo#1683579)
MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044 (bmo#1683964)
Use-after-free write when handling a malicious COOKIE-ECHO
SCTP chunk
* Tue Dec 15 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.6.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-55 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
* Tue Nov 17 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.5.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-51 (bsc#1178824)
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security
UI
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
* CVE-2020-26959 (bmo#1669466)
Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358)
Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223)
Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528)
DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617)
Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571)
Single-word search queries were also broadcast to local
network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
bmo#1671923)
Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
* Mon Nov 09 2020 cgrobertson@suse.com
- Firefox Extended Support Release 78.4.1 ESR
* Fixed: Security fix
MFSA 2020-49 (bsc#1178588)
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted
for
* Tue Oct 20 2020 cgrobertson@suse.com
- Firefox Extended Support Release 78.4.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-46 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570, bmo#https://github.com/sctplab/u
srsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019)
Use-after-free in usersctp
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
bmo#1662760, bmo#1663439, bmo#1666140)
Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Thu Oct 01 2020 cgrobertson@suse.com
- Firefox Extended Support Release 78.3.1 ESR (bsc#1176756)
* Fixed: Fixed legacy preferences not being properly applied
when set via GPO (bmo#1666836)
* Tue Sep 22 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.3.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-43 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
* Wed Sep 16 2020 martin.sirringhaus@suse.com
- Enhance fix for wayland-detection (bsc#1174420)
* Wed Sep 16 2020 martin.sirringhaus@suse.com
- Try to fix langpack-parallelization by introducing separate
obj-dirs for each lang (boo#1173986, boo#1167976)
* Tue Aug 25 2020 cgrobertson@suse.com
- Firefox Extended Support Release 78.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.2
MFSA 2020-38 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
* Mon Aug 24 2020 cgrobertson@suse.com
- Added patch: firefox-dev-random-sandbox.patch (bsc#1174284)
* Firefox tab crash in FIPS mode
* Fri Aug 14 2020 cgrobertson@suse.com
- Fix: Do not allow Firefox to use wayland on SLED15-SP0/1
(bsc#1174420)
* Wed Aug 05 2020 martin.sirringhaus@suse.com
- Activate ccache
- Parallelize langpack build
* Mon Aug 03 2020 martin.sirringhaus@suse.com
- Fix broken translation-loading (boo#1173991)
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
- Google API key is not usable for geolocation service any more
* Tue Jul 28 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 78.1.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-32 (bsc#1174538)
* CVE-2020-15652 (bmo#1634872)
Potential leak of redirect targets when loading scripts in a
worker
* CVE-2020-6514 (bmo#1642792)
WebRTC data channel leaks internal address to peer
* CVE-2020-15655 (bmo#1645204)
Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653 (bmo#1521542)
Bypassing iframe sandbox when allowing popups
* CVE-2020-6463 (bmo#1635293)
Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656 (bmo#1647293)
Type confusion for special arguments in IonMonkey
* CVE-2020-15658 (bmo#1637745)
Overriding file type when saving to disk
* CVE-2020-15657 (bmo#1644954)
DLL hijacking due to incorrect loading path
* CVE-2020-15654 (bmo#1648333)
Custom cursor can overlay user interface
* CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1643613,
bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646787,
bmo#1649347, bmo#1650811, bmo#1651678)
Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1
* Thu Jul 09 2020 cgrobertson@suse.com
- Mozilla Firefox 78.0.2
MFSA 2020-28 (bsc#1173948)
* MFSA-2020-0003 (bmo#1644076)
X-Frame-Options bypass using object or embed tags
- Firefox Extended Support Release 78.0.2esr ESR
* Fixed: Security fix
* Fixed: Fixed an accessibility regression in reader mode
(bmo#1650922)
* Fixed: Made the address bar more resilient to data corruption
in the user profile (bmo#1649981)
* Fixed: Fixed a regression opening certain external
applications (bmo#1650162)
* Thu Jul 02 2020 martin.sirringhaus@suse.com
- Add specific requirement for libfreetype6 (bsc#1173613)
* Wed Jul 01 2020 cgrobertson@suse.com
- Firefox Extended Support Release 78.0.1 ESR
* Fixed: Fixed an issue which could cause installed search
engines to not be visible when upgrading from a previous
release. (bmo#1649558)
- Mozilla Firefox 78
MFSA 2020-24 (bsc#1173576)
* CVE-2020-12415 (bmo#1586630)
AppCache manifest poisoning due to url encoded character
processing
* CVE-2020-12416 (bmo#1639734)
Use-after-free in WebRTC VideoBroadcaster
* CVE-2020-12417 (bmo#1640737)
Memory corruption due to missing sign-extension for ValueTags
on ARM64
* CVE-2020-12418 (bmo#1641303)
Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874)
Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437)
Use-After-Free when trying to connect to a STUN server
* CVE-2020-12402 (bmo#1631597)
RSA Key Generation vulnerable to side-channel attack
* CVE-2020-12421 (bmo#1308251)
Add-On updates did not respect the same certificate trust
rules as software updates
* CVE-2020-12422 (bmo#1450353)
Integer overflow in nsJPEGEncoder::emptyOutputBuffer
* CVE-2020-12423 (bmo#1642400)
DLL Hijacking due to searching %PATH% for a library
* CVE-2020-12424 (bmo#1562600)
WebRTC permission prompt could have been bypassed by a
compromised content process
* CVE-2020-12425 (bmo#1634738)
Out of bound read in Date.parse()
* CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187,
bmo#1637682)
Memory safety bugs fixed in Firefox 78
* Tue Jun 30 2020 cgrobertson@suse.com
- Firefox Extended Support Release 78.0esr ESR
* New: Some of the highlights of the new Extended Support
Release are:
- Kiosk mode
- Client certificates
- Service Worker and Push APIs are now enabled
- The Block Autoplay feature is enabled
- Picture-in-picture support
- View and manage web certificates in about:certificate
For more information about what's new in the Firefox 78 ESR
release, see the more detailed release notes at
support.mozilla.org.
- Add patches to fix big endian problems:
* mozilla-s390x-skia-gradient.patch
* mozilla-bmo998749.patch
* mozilla-bmo1626236.patch
- Add patch to fix broken build on ppc64le
* mozilla-bmo1512162.patch
- Add patch to add screensharing capability on wayland
* mozilla-pipewire-0-3.patch
- Rename firefox-fips.patch to mozilla-sandbox-fips.patch
- Removed upstreamed patches:
* mozilla-cubeb-noreturn.patch
* mozilla-nestegg-big-endian.patch
* mozilla-openaes-decl.patch
* mozilla-s390x-bigendian.patch
* mozilla-sle12-lower-python-requirement.patch
* Tue Jun 02 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 68.9.0 ESR
* Fixed: Various stability and security fixes
MFSA 2020-21 (bsc#1172402)
* CVE-2020-12405 (bmo#1619305, bmo#1632717)
Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
* CVE-2020-12406 (bmo#1639590)
* CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox
* Wed May 27 2020 cgrobertson@suse.com
- Removed %is_opensuse macro from spec file to align builds with
openSUSE Leap.
* Tue May 05 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 68.8.0 ESR
MFSA 2020-17 (bsc#1171186)
* CVE-2020-12387 (bmo#1545345)
Use-after-free during worker shutdown
* CVE-2020-12388 (bmo#1618911)
Sandbox escape with improperly guarded Access Tokens
* CVE-2020-12389 (bmo#1554110)
Sandbox escape with improperly separated process types
* CVE-2020-6831 (bmo#1632241)
Buffer overflow in SCTP chunk input validation
* CVE-2020-12392 (bmo#1614468)
Arbitrary local file access with 'Copy as cURL'
* CVE-2020-12393 (bmo#1615471)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command
injection
* CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704,
bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076,
bmo#1631508)
Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
* Tue Apr 07 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 68.7.0 ESR
MFSA 2020-13 (bsc#1168874)
* CVE-2020-6828 (bmo#1617928)
Preference overwrite via crafted Intent from malicious
Android application
* CVE-2020-6827 (bmo#1622278)
Custom Tabs in Firefox for Android could have the URI spoofed
* CVE-2020-6821 (bmo#1625404)
Uninitialized memory could be read when using the WebGL
copyTexSubImage method
* CVE-2020-6822 (bmo#1544181)
Out of bounds write in GMPDecodeData when processing large
images
* CVE-2020-6825 (bmo#1572541, bmo#1620193, bmo#1620203)
Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
* Sat Apr 04 2020 andreas.stieger@gmx.de
- Mozilla Firefox 68.6.1esr
MFSA 2020-11 (boo#1168630)
* CVE-2020-6819 (bmo#1620818)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728)
Use-after-free when handling a ReadableStream
* Fri Mar 20 2020 cgrobertson@suse.com
- Added patch: firefox-fips.patch (bsc#1167231)
* FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled
* Tue Mar 10 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 68.6.0 ESR (bsc#1166238)
* Fixed: Various stability and security fixes
MFSA 2020-09 (bsc#1132665)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections
against state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command
injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256,
bmo#1612636, bmo#1614339)
Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
* Tue Feb 11 2020 cgrobertson@suse.com
- Firefox Extended Support Release 68.5.0 ESR
* Fixed: Various stability and security fixes
- Mozilla Firefox ESR68.5
MFSA 2020-06 (bsc#1163368)
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent
process
* CVE-2020-6797 (bmo#1596668)
Extensions granted downloads.open permission could open
arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript
injection
* CVE-2020-6799 (bmo#1606596)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf
reader
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* Tue Jan 21 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 68.4.2 ESR
* Fixed: Fixed various issues opening files with spaces in
their path (bmo#1601905, bmo#1602726)
* Thu Jan 09 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 68.4.1 ESR
* Fixed: Security fix
MFSA 2020-03 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
* Tue Jan 07 2020 martin.sirringhaus@suse.com
- Firefox Extended Support Release 68.4.0 ESR
* Fixed: Various security fixes
MFSA 2020-02 (bsc#1160305)
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content
process initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content
process initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
- Removed patch that is now upstream: mozilla-bmo1511604.patch
- Added patch to fix broken URL-bar on s390x:
mozilla-bmo1602730.patch
* Tue Dec 03 2019 martin.sirringhaus@suse.com
- Firefox Extended Support Release 68.3.0 ESR
* Changed: Updates to improve performance and stability
MFSA 2019-37 (bsc#1158328)
* CVE-2019-17008 (bmo#1546331)
Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156)
Stack corruption due to incorrect number of arguments in
WebRTC code
* CVE-2019-11745 (bmo#1586176)
Out of bounds write in NSS when encrypting with a block
cipher
* CVE-2019-17009 (bmo#1510494)
Updater temporary files accessible to unprivileged processes
* CVE-2019-17010 (bmo#1581084)
Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170)
Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334)
Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667,
bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502)
Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* Tue Nov 26 2019 cgrobertson@suse.com
- Fix _constraints for ppc64le (bsc#1157652)
* Tue Nov 19 2019 martin.sirringhaus@suse.com
- Add patch mozilla-bmo849632.patch to partially fix broken webGL
sites on big endian machines (wrong colors)
- Replace source-stamp.txt with tar_stamps
- Reference create-tar.sh by direct commit-hash in the spec-file
* Tue Nov 05 2019 martin.sirringhaus@suse.com
- Reactivate webRTC for all architectures
* Thu Oct 31 2019 martin.sirringhaus@suse.com
- Add patch mozilla-bmo1504834-part4.patch to fix broken
tab-titles on s390x
* Thu Oct 24 2019 cgrobertson@suse.com
- Resolved issues fixed earlier:
* [bsc#1104841] Newer versions of firefox have a dependency on GLIBCXX_3.4.20
* [bsc#1129528] SLES15 - IBM s390-tools-2.1.0 Maintenance Patches (#6)
* [bsc#1137990] Firefox 60.7 ESR changed the user interface language
* Mon Oct 21 2019 martin.sirringhaus@suse.com
- Firefox Extended Support Release 68.2.0 ESR
* Enterprise: New administrative policies were added. More
information and templates are available at the Policy
Templates page.
* Fixed: Various security fixes
MFSA 2019-33 (bsc#1154738)
* CVE-2019-15903 (bmo#1584907)
Heap overflow in expat library in XML_GetCurrentLineNumber
* CVE-2019-11757 (bmo#1577107)
Use-after-free when creating index updates in IndexedDB
* CVE-2019-11758 (bmo#1536227)
Potentially exploitable crash due to 360 Total Security
* CVE-2019-11759 (bmo#1577953)
Stack buffer overflow in HKDF output
* CVE-2019-11760 (bmo#1577719)
Stack buffer overflow in WebRTC networking
* CVE-2019-11761 (bmo#1561502)
Unintended access to a privileged JSONView object
* CVE-2019-11762 (bmo#1582857)
document.domain-based origin isolation has same-origin-
property violation
* CVE-2019-11763 (bmo#1584216)
Incorrect HTML parsing results in XSS bypass technique
* CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223,
bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933,
bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599,
bmo#1586845)
Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
- removed now upstream patches:
* mozilla-bmo1573381.patch
* mozilla-bmo1512162.patch
* Fri Oct 11 2019 martin.sirringhaus@suse.com
- Add patch to lower python requirement to 3.4 in order to
build on SLE-12:
* mozilla-sle12-lower-python-requirement.patch
* Thu Oct 10 2019 martin.sirringhaus@suse.com
- Add Provides-line for translations-common (bsc#1153423)
* Tue Oct 08 2019 martin.sirringhaus@suse.com
- Moved some settings from branding-package here (bsc#1153869)
- add patch to fix LTO build (w/o PGO):
* mozilla-fix-top-level-asm.patch
- remove obsolete kde.js setting (boo#1151186) and related patch:
* firefox-add-kde.js-in-order-to-survive-PGO-build.patch
* modified firefox-kde.patch for the removal of kde.js
* Tue Sep 24 2019 martin.sirringhaus@suse.com
- Update mozilla-bmo1512162.patch to the patch now commited upstream
* No more -O1 builds for ppc64le necessary
- Disable DoH by default
* Not yet officially active in ESR, but just to make sure
* Mon Sep 09 2019 cgrobertson@suse.com
- Mozilla Firefox ESR 68.1
Resolves the following bigendian s390x issues:
* [bsc#1109465] Latest Firefox update not released for s390x
* [bsc#1117473] Firefox segmentation fault on s390vsl082
* [bsc#1123482] openQA test fails in firefox - firefox doesn't start
* [bsc#1124525] Firefox is core dumping on SLES15 s390x
* [bsc#1133810] Firefox: Segmentation fault (core dumped)
MFSA 2019-26 (bsc#1149323)
* CVE-2019-11751 (bmo#1572838)
Malicious code execution through command line parameters
* CVE-2019-11746 (bmo#1564449)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033)
XSS by breaking out of title and textarea elements using
innerHTML
* CVE-2019-11742 (bmo#1559715)
Same-origin policy violation with SVG filters and canvas to
steal cross-origin images
* CVE-2019-11736 (bmo#1551913, bmo#1552206)
File manipulation and privilege escalation in Mozilla
Maintenance Service
* CVE-2019-11753 (bmo#1574980)
Privilege escalation with Mozilla Maintenance Service in
custom Firefox installation location
* CVE-2019-11752 (bmo#1501152)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-9812 (bmo#1538008, bmo#1538015)
Sandbox escape through Firefox Sync
* CVE-2019-11743 (bmo#1560495,
bmo#https://w3c.github.io/navigation-timing)
Cross-origin access to unload event attributes
* CVE-2019-11748 (bmo#1564588)
Persistence of WebRTC permissions in a third party context
* CVE-2019-11749 (bmo#1565374)
Camera information available without prompting using
getUserMedia
* CVE-2019-11750 (bmo#1568397)
Type confusion in Spidermonkey
* CVE-2019-11738 (bmo#1452037)
Content security policy bypass through hash-based sources in
directives
* CVE-2019-11747 (bmo#1564481)
'Forget about this site' removes sites from pre-loaded HSTS
list
* CVE-2019-11735 (bmo#1561404, bmo#1561484, bmo#1561912,
bmo#1565744, bmo#1568047, bmo#1568858, bmo#1570358)
Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
* CVE-2019-11740 (bmo#1563133, bmo#1573160)
Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and
Firefox ESR 60.9
- Mozilla Firefox ESR 68.0.2
* Fixed: Fixed a bug causing some special characters to be cut
off from the end of the search terms when searching from the
URL bar (bmo#1560228)
* Fixed: Allow fonts to be loaded via file:// URLs when opening
a page locally (bmo#1565942)
* Fixed: Printing emails from the Outlook web app no longer
prints only the header and footer (bmo#1567105)
* Fixed: Fixed a bug causing some images not to be displayed on
reload, including on Google Maps (bmo#1565542)
* Fixed: Fixed an error when starting external applications
configured as URI handlers (bmo#1567614)
* Fixed: Security fixes
- MFSA 2019-24 (bsc#1145665)
* CVE-2019-11733 (bmo#1565780)
Stored passwords in 'Saved Logins' can be copied without
master password entry
- Mozilla Firefox ESR 68.0.1
* macOS releases are now signed by the Apple notary service,
allowing Firefox to properly run on macOS 10.15 Beta releases
* Fixed missing Full Screen button when watching videos in full
screen mode on HBO GO (bmo#1562837)
* Fixed a bug causing incorrect messages to appear for some
locales when sites try to request the use of the Storage
Access API (bmo#1558503)
* Users in Russian regions may have their default search engine
changed (bmo#1565315)
* Built-in search engines in some locales do not function
correctly (bmo#1565779)
* SupportMenu policy doesn't always work (bmo#1553290)
* Allow the new ExtensionSettings policy to work with GPO on
Windows (bmo#1553586)
* Allow the privacy.file_unique_origin pref to be controlled by
policy (bmo#1563759)
- Mozilla Firefox ESR 68.0
* Dark mode in reader view
* Improved extension security and discovery
* Cryptomining and fingerprinting protections are added to strict
content blocking settings in Privacy & Security preferences
* Camera and microphone access now require an HTTPS connection
MFSA 2019-21 (bsc#1140868)
* CVE-2019-9811 (bmo#1523741, bmo#1538007, bmo#1539598,
bmo#1539759, bmo#1563327)
Sandbox escape via installation of malicious language pack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11714 (bmo#1542593)
NeckoChild can trigger crash when accessed off of main thread
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a
segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11716 (bmo#1552632)
globalThis not enumerable until accessed
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11718 (bmo#1408349)
Activity Stream writes unsanitized content to innerHTML
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
* CVE-2019-11720 (bmo#1556230)
Character encoding XSS vulnerability
* CVE-2019-11721 (bmo#1256009)
Domain spoofing through unicode latin 'kra' character
* CVE-2019-11730 (bmo#1558299)
Same-origin policy treats all files in a directory as having
the same-origin
* CVE-2019-11723 (bmo#1528335)
Cookie leakage during add-on fetching across private browsing
boundaries
* CVE-2019-11724 (bmo#1512511)
Retired site input.mozilla.org has remote troubleshooting
permissions
* CVE-2019-11725 (bmo#1483510)
Websocket resources bypass safebrowsing protections
* CVE-2019-11727 (bmo#1552208)
PKCS#1 v1.5 signatures can be used for TLS 1.3
* CVE-2019-11728 (bmo#1552993)
Port scanning through Alt-Svc header
* CVE-2019-11710 (bmo#1507696, bmo#1510345, bmo#1533842,
bmo#1535482, bmo#1535848, bmo#1537692, bmo#1540590,
bmo#1544180, bmo#1547472, bmo#1547760, bmo#1548611,
bmo#1549768, bmo#1551907)
Memory safety bugs fixed in Firefox 68
* CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219,
bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822,
bmo#1550498, bmo#1550498)
Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
- removed patches that are now upstream
* mozilla-bmo1375074.patch
* mozilla-bmo1436242.patch
* mozilla-bmo256180.patch
* mozilla-i586-DecoderDoctorLogger.patch
* mozilla-i586-domPrefs.patch
* mozilla-bmo1464766.patch
* mozilla-bigendian_bit_flags_alias.patch
- removed workaround-patch for build memory consumption on i586;
other mitigations meanwhile introduced (mainly parallelity)
will be sufficient
* mozilla-reduce-files-per-UnifiedBindings.patch
- added patch to make builds reproducible
* mozilla-bmo1568145.patch
- added a bunch of patches mainly for big endian platforms
* mozilla-bmo1504834-part1.patch
* mozilla-bmo1504834-part2.patch
* mozilla-bmo1504834-part3.patch
* mozilla-bmo1511604.patch
* mozilla-bmo1512162.patch
* mozilla-bmo1554971.patch
* mozilla-bmo1573381.patch
* mozilla-nestegg-big-endian.patch
- added patches to fix build on armv7:
* mozilla-bmo1463035.patch
* mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
- added patch to fix non-return function
* mozilla-cubeb-noreturn.patch
- added patch to fix aarch64 build:
* mozilla-fix-aarch64-libopus.patch (bmo#1539737)
- added patch to enable PGO for x86_64.
* firefox-add-kde.js-in-order-to-survive-PGO-build.patch
- added patch to reduce build-load
* mozilla-reduce-rust-debuginfo.patch
* Fri Jun 21 2019 martin.sirringhaus@suse.com
- Mozilla Firefox Firefox 60.7.2
MFSA 2019-19 (bsc#1138872)
* CVE-2019-11708 (bmo#1559858)
sandbox escape using Prompt:Open
* Wed Jun 19 2019 martin.sirringhaus@suse.com
- Build Firefox with gcc instead of clang (bsc#1138688)
* Wed Jun 19 2019 martin.sirringhaus@suse.com
- Mozilla Firefox Firefox 60.7.1
MFSA 2019-18 (bsc#1138614)
* CVE-2019-11707 (bmo#1544386)
Type confusion in Array.pop
- Added the new Mozilla's GPG key with subkey fingerprint
097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D 572E, expiring on
2021-05-29 to the mozilla.keyring file
* Tue Jun 11 2019 martin.sirringhaus@suse.com
- Fix broken language plugins (bsc#1137792)
* Tue May 21 2019 martin.sirringhaus@suse.com
- update to Firefox ESR 60.7 (bsc#1135824)
* Font and date adjustments to accommodate the new Reiwa era
in Japan
* MFSA 2019-14/CVE-2019-9817
(bmo#1540221)
Stealing of cross-domain images using canvas
* MFSA 2019-14/CVE-2019-9800
(bmo#1499108, bmo#1499719, bmo#1516325, bmo#1532465,
bmo#1533554, bmo#1534593, bmo#1535194, bmo#1535612,
bmo#1538042, bmo#1538619, bmo#1538736, bmo#1540136,
bmo#1540166, bmo#1541580, bmo#1542097, bmo#1542324,
bmo#1546327)
Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
* MFSA 2019-14/CVE-2019-9816
(bmo#1536768)
Type confusion with object groups and UnboxedObjects
* MFSA 2019-14/CVE-2019-9815
(bmo#1546544, bmo#https://mdsattacks.com/)
Disable hyperthreading on content JavaScript threads on macOS
* MFSA 2019-14/CVE-2019-11698
(bmo#1543191)
Theft of user history data through drag and drop of
hyperlinks to and from bookmarks
* MFSA 2019-14/CVE-2019-11692
(bmo#1544670)
Use-after-free removing listeners in the event listener
manager
* MFSA 2019-14/CVE-2019-11693
(bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* MFSA 2019-14/CVE-2019-7317
(bmo#1542829)
Use-after-free in png_image_free of libpng library
* MFSA 2019-14/CVE-2019-9820
(bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* MFSA 2019-14/CVE-2019-9818
(bmo#1542581)
Use-after-free in crash generation server
* MFSA 2019-14/CVE-2019-11691
(bmo#1542465)
Use-after-free in XMLHttpRequest
* MFSA 2019-14/CVE-2019-9819
(bmo#1532553)
Compartment mismatch with fetch API
* MFSA 2019-14/CVE-2019-11694
(bmo#1534196)
Uninitialized memory memory leakage in Windows sandbox
* Fri May 17 2019 martin.sirringhaus@suse.com
- Sync with Devel:Desktop:Mozilla:*:next
* Tue May 14 2019 cgrobertson@suse.com
- Enable Firefox to build with Rust >= 1.30 with fix. See below.
* Thu May 09 2019 cgrobertson@suse.com
- update to 60.6.3 (bmo#1549249)
* Further improvements to re-enable web extensions which had been
disabled for users with a master password set.
* Mon May 06 2019 psimons@suse.com
- update to 60.6.2 (bsc#1134126)
* Repaired certificate chain to re-enable web extensions that
had been disabled.
* Thu Apr 18 2019 jkowalczyk@suse.com
- Update BuildRequires rust >= 1.30 from 1.24
* Upstream Firefox ESR presumes rust version stable at release (1.24).
SUSE currently uses improved packaging for rust >= 1.30.
* boo#1130694 rust 1.33.0 breaks Firefox and Thunderbird
due to missing macro comment docs in Firefox rust sources
bmo#1539901 ESR 60 build fails with Rust 1.33 due to missing documentation on macros in stylo
bmo#1519629 Stylo fails with --enable-warnings-as-errors using Rust 1.33
* Fix build using RUSTFLAGS="--cap-lints allow"
Preferred alternative to patching and revendoring stylo rust crates
Revisit with intent to remove in next Firefox ESR 68.0 2019-07-09
* Wed Mar 27 2019 cgrobertson@suse.com
- Fixed translations provides
* Fri Mar 22 2019 cgrobertson@suse.com
- update to Firefox ESR 60.6.1 (bsc#1130262)
* MFSA 2019-10/CVE-2019-9813
(bmo#1538006)
Ionmonkey type confusion with __proto__ mutations
* MFSA 2019-10/CVE-2019-9810
(bmo#1537924)
IonMonkey MArraySlice has incorrect alias information
* Tue Mar 19 2019 cgrobertson@suse.com
- update to Firefox ESR 60.6 (bsc#1129821)
* MFSA 2019-08/CVE-2018-18506
(bmo#1503393)
Proxy Auto-Configuration file can define localhost access to
be proxied
* MFSA 2019-08/CVE-2019-9801
(bmo#1527717)
Windows programs that are not 'URL Handlers' are exposed to
web content
* MFSA 2019-08/CVE-2019-9788
(bmo#1506665, bmo#1516834, bmo#1518001, bmo#1518774,
bmo#1521214, bmo#1521304, bmo#1523362, bmo#1524214,
bmo#1524755, bmo#1529203)
Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
* MFSA 2019-08/CVE-2019-9790
(bmo#1525145)
Use-after-free when removing in-use DOM elements
* MFSA 2019-08/CVE-2019-9791
(bmo#1530958)
Type inference is incorrect for constructors entered through
on-stack replacement with IonMonkey
* MFSA 2019-08/CVE-2019-9792
(bmo#1532599)
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
* MFSA 2019-08/CVE-2019-9793
(bmo#1528829)
Improper bounds checks when Spectre mitigations are disabled
* MFSA 2019-08/CVE-2019-9794
(bmo#1530103)
Command line arguments not discarded during execution
* MFSA 2019-08/CVE-2019-9795
(bmo#1514682)
Type-confusion in IonMonkey JIT compiler
* MFSA 2019-08/CVE-2019-9796
(bmo#1531277)
Use-after-free with SMIL animation controller
- Fix for [bsc#1127987] MozillaFirefox-translations-common causing
error on update
* Tue Feb 26 2019 cgrobertson@suse.com
- Mozilla Firefox 60.5.2esr:
* Fix a frequent crash when reading various Reuters news articles
(bmo#1505844)
* Wed Feb 13 2019 alarrosa@suse.com
- Update to Firefox ESR 60.5.1
MFSA-2019-05 (bsc#1125330)
* CVE-2018-18356 (bmo#1525817)
A use-after-free vulnerability in the Skia library can occur when
creating a path, leading to a potentially exploitable crash.
* CVE-2019-5785 (bmo#1525433)
An integer overflow vulnerability in the Skia library can occur
after specific transform operations, leading to a potentially
exploitable crash.
* CVE-2018-18335 (bmo#1525815)
A buffer overflow vulnerability in the Skia library can occur with
Canvas 2D acceleration on macOS. This issue was addressed by
disabling Canvas 2D acceleration in Firefox ESR. Note: this does
not affect other versions and platforms where Canvas 2D
acceleration is already disabled by default.
* Wed Jan 30 2019 cgrobertson@suse.com
- Update to Firefox ESR 60.5
MFSA 2019-02 (bsc#1122983)
* CVE-2018-18501 (bmo#1460619, bmo#1502871, bmo#1512450,
bmo#1513201, bmo#1516514, bmo#1516738, bmo#1517542)
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
* CVE-2018-18500 (bmo#1510114)
Use-after-free parsing HTML5 stream
* CVE-2018-18505 (bmo#1087565, bmo#1497749)
Privilege escalation through IPC channel messages
- Removed obsolete patches:
[mozilla-no-stdcxx-check.patch] Applied upstream
[mozilla-s390-nojit.patch] Applied upstream
* Thu Jan 17 2019 cgrobertson@suse.com
- Fix for language pack build error (bsc#1120374)
* Thu Dec 20 2018 kbabioch@suse.de
- Revert dependency for branding package back to >= 60 due to dependency
issues.
* Fri Dec 14 2018 cgrobertson@suse.com
- Depend on branding package version >= 60.0
* Wed Dec 12 2018 cgrobertson@suse.com
- Mozilla Firefox 60.4.0esr:
* Updated list of currency codes to include Unidad Previsional (UYW)
(bmo#1499028)
MFSA 2018-30 (bsc#1119105)
* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11
* CVE-2018-18492 bmo#1499861
Use-after-free with select element
* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs
* CVE-2018-18498 bmo#1500011
Integer overflow when calculating buffer sizes for images
* CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4
- requires NSS >= 3.36.6
- Removed obsolete patch:
[mozilla-update-cc-crate.patch] Applied upstream
* Tue Oct 23 2018 alarrosa@suse.com
- Mozilla Firefox 60.3.0esr:
* Various stability and regression fixes
MFSA 2018-27 bsc#1112852
* CVE-2018-12392 bmo#1492823
Crash with nested event loops
* CVE-2018-12393 bmo#1495011
Integer overflow during Unicode conversion while loading
JavaScript
* CVE-2018-12395 bmo#1467523
WebExtension bypass of domain restrictions through header
rewriting
* CVE-2018-12396 bmo#1483602
WebExtension content scripts can execute in disallowed
contexts
* CVE-2018-12397 bmo#1487478
WebExtension local file access vulnerability
* CVE-2018-12389 bmo#1498460, bmo#1499198
Memory safety bugs fixed in Firefox ESR 60.3
* CVE-2018-12390 bmo#1487098 bmo#1487660 bmo#1490234 bmo#1496159
bmo#1443748 bmo#1496340 bmo#1483905 bmo#1493347 bmo#1488803
bmo#1498701 bmo#1498482 bmo#1442010 bmo#1495245 bmo#1483699
bmo#1469486 bmo#1484905 bmo#1490561 bmo#1492524 bmo#1481844
Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
- Drop mozilla-bmo1472538-update-bindgen.patch which was already
merged upstream
- Update mozilla-update-cc-crate.patch, since cc was updated to 1.0.9
upstream, but this patch still updates it to a newer version
* Thu Oct 11 2018 alarrosa@suse.com
- Update create-tar.sh and source-stamp.txt as should be done
with every version update.
* Tue Oct 09 2018 alarrosa@suse.com
- Mozilla Firefox 60.2.2esr:
MFSA 2018-24
* CVE-2018-12386 (bsc#1110506, bmo#1493900)
Type confusion in JavaScript allowed remote code execution
* CVE-2018-12387 (bsc#1110507, bmo#1493903)
Array.prototype.push stack pointer vulnerability may enable
exploits in the sandboxed content process
- Avoid undefined behavior in IPC fd-passing code with
mozilla-bmo1436242.patch (boo#1094767, bmo#1436242)
- Mozilla Firefox 60.2.1esr:
MFSA 2018-23
* CVE-2018-12385 (boo#1109363, bmo#1490585)
Crash in TransportSecurityInfo due to cached data
* CVE-2018-12383 (boo#1107343, bmo#1475775)
Setting a master password did not delete unencrypted
previously stored passwords
* Fixed a startup crash affecting users migrating from older ESR
releases
* Clean up old NSS DB files after upgrading
- Fix typo in an old changelog entry which mentioned a wrong patch file
and really remove mozilla-glibc-getrandom.patch as should have
been done some weeks ago.
* Wed Oct 03 2018 cgrobertson@suse.com
- bsc#1109465 - Add mozilla-bmo1472538-update-bindgen.patch and
mozilla-update-cc-crate.patch. This fixes an endianness problem in
bindgen's handling of bitfields, which was causing Firefox to crash
on startup on big-endian machines. Also, updates the cc crate,
which was buggy in the version that was originally vendored in.
- added patch
[mozilla-bigendian_bit_flags_alias.patch] (bmo#1488552)
* Fri Sep 07 2018 pcerny@suse.com
- update to Firefox ESR 60.2 (bsc#1107343)
* MFSA 2018-20/CVE-2018-12381
(bmo#1435319)
Dragging and dropping Outlook email message results in page
navigation
* MFSA 2018-20/CVE-2017-16541
(bmo#1412081)
Proxy bypass using automount and autofs
* MFSA 2018-20/CVE-2018-12376
(bmo#1450989, bmo#1466577, bmo#1466991, bmo#1467363,
bmo#1467889, bmo#1468738, bmo#1469309, bmo#1469914,
bmo#1471953, bmo#1472925, bmo#1473161, bmo#1478575,
bmo#1478849, bmo#1480092, bmo#1480517, bmo#1480521,
bmo#1481093, bmo#1483120)
Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
* MFSA 2018-20/CVE-2018-12377
(bmo#1470260)
Use-after-free in refresh driver timers
* MFSA 2018-20/CVE-2018-12378
(bmo#1459383)
Use-after-free in IndexedDB
* MFSA 2018-20/CVE-2018-12379
(bmo#1473113)
Out-of-bounds write with malicious MAR file
- removed obsolete patches:
[mozilla-glibc-getrandom.patch]
[firefox-no-default-ualocale.patch]
[mozilla-bmo1005640.patch]
[mozilla-language.patch]
[mozilla-shared-nss-db.patch]
- added patches
sync with openSUSE:
[mozilla-bmo1005535.patch]
[mozilla-bmo1375074.patch]
[mozilla-bmo1464766.patch]
[mozilla-bmo256180.patch]
[mozilla-i586-DecoderDoctorLogger.patch]
[mozilla-i586-domPrefs.patch]
additional architecture enablement:
[mozilla-ppc-altivec_static_inline.patch]
[mozilla-s390-context.patch]
* Wed Jun 27 2018 pcerny@suse.com
- update to Firefox ESR 52.9 (bsc#1098998)
* MFSA 2018-17/CVE-2018-5188
(bmo#1392739, bmo#1437842, bmo#1442722, bmo#1450688,
bmo#1451297, bmo#1452576, bmo#1456189, bmo#1456975,
bmo#1458048, bmo#1458264, bmo#1458270, bmo#1463494,
bmo#1464063, bmo#1464079, bmo#1464829, bmo#1465108,
bmo#1465898)
Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and
Firefox ESR 52.9
* MFSA 2018-17/CVE-2018-12368
(bmo#1468217, bmo#https://posts.specterops.io/the-tale-of-
settingcontent-ms-files-f1ea253e4d39)
No warning when opening executable SettingContent-ms files
* MFSA 2018-17/CVE-2018-12366
(bmo#1464039)
Invalid data handling during QCMS transformations
* MFSA 2018-17/CVE-2018-12365
(bmo#1459206)
Compromised IPC child process can list local filenames
* MFSA 2018-17/CVE-2018-12364
(bmo#1436241)
CSRF attacks through 307 redirects and NPAPI plugins
* MFSA 2018-17/CVE-2018-12363
(bmo#1464784)
Use-after-free when appending DOM nodes
* MFSA 2018-17/CVE-2018-12362
(bmo#1452375)
Integer overflow in SSSE3 scaler
* MFSA 2018-17/CVE-2018-12360
(bmo#1459693)
Use-after-free when using focus()
* MFSA 2018-17/CVE-2018-5156
(bmo#1453127)
Media recorder segmentation fault when track type is changed
during capture
* MFSA 2018-17/CVE-2018-12359
(bmo#1459162)
Buffer overflow using computed size of canvas element
* Thu Jun 07 2018 pcerny@suse.com
- update to Firefox 52.8.1 (bsc#1096449)
* MFSA 2018-14/CVE-2018-6126
(bmo#1462682)
Heap buffer overflow rasterizing paths in SVG with Skia
* Wed May 09 2018 wr@rosenauer.org
- update to Firefox 52.8.0:
* Various stability and regression fixes
* Performance improvements to the Safe Browsing service to avoid
slowdowns while updating site classification data
- Security fixes (bsc#1092548, MFSA 2018-12):
* CVE-2018-5183 (bmo#1454692)
Backport critical security fixes in Skia
* CVE-2018-5154 (bmo#1443092)
Use-after-free with SVG animations and clip paths
* CVE-2018-5155 (bmo#1448774)
Use-after-free with SVG animations and text paths
* CVE-2018-5157 (bmo#1449898)
Same-origin bypass of PDF Viewer to view protected PDF files
* CVE-2018-5158 (bmo#1452075)
Malicious PDF can inject JavaScript into PDF Viewer
* CVE-2018-5159 (bmo#1441941)
Integer overflow and out-of-bounds write in Skia
* CVE-2018-5168 (bmo#1449548)
Lightweight themes can be installed without user interaction
* CVE-2018-5178 (bmo#1443891)
Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
* CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705,
bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415,
bmo#1426129)
Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
* Wed Mar 28 2018 astieger@suse.com
- fix release tag and tarball to correctly identify 52.7.3esr
* Tue Mar 27 2018 wr@rosenauer.org
- update to Firefox 52.7.3
MFSA 2018-10 (bsc#1087059)
* CVE-2018-5148 (bmo#1440717)
Use-after-free in compositor
- removed obsolete patch mozilla-bmo1446062.patch
* Fri Mar 16 2018 wr@rosenauer.org
- update to Firefox 52.7.2 (bsc#1085671)
MFSA 2018-08
* CVE-2018-5146 (bmo#1446062)
Out of bounds memory write in libvorbis
* CVE-2018-5147 (bmo#1446365)
Out of bounds memory write in libtremor
(in mozilla-bmo1446062.patch)
- Firefox 52.7.1 fixes
- issues with the IT locale (bmo#1445278)
* Tue Mar 13 2018 astieger@suse.com
- update to Firefox 52.7esr (bsc#1085130, MFSA 2018-07):
* CVE-2018-5127 (bmo#1430557)
Buffer overflow manipulating SVG animatedPathSegList
* CVE-2018-5129 (bmo#1428947)
Out-of-bounds write with malformed IPC messages
* CVE-2018-5130 (bmo#1433005)
Mismatched RTP payload type can trigger memory corruption
* CVE-2018-5131 (bmo#1440775)
Fetch API improperly returns cached copies of no-store/no-cache
resources
* CVE-2018-5144 (bmo#1440926)
Integer overflow during Unicode conversion
* CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450,
bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087,
bmo#1443865,bmo#1425520)
Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
* CVE-2018-5145 (bmo#1261175,bmo#1348955)
Memory safety bugs fixed in Firefox ESR 52.7
* Fri Feb 09 2018 wr@rosenauer.org
- correct requires and provides handling (boo#1076907)
* Tue Jan 23 2018 wr@rosenauer.org
- update to Firefox 52.6esr (bsc#1077291)
MFSA 2018-01
* Speculative execution side-channel attack ("Spectre")
MFSA 2018-03
* CVE-2018-5091 (bmo#1423086)
Use-after-free with DTMF timers
* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-5096 (bmo#1418922)
Use-after-free while editing form elements
* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener
* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation
* CVE-2018-5117 (bmo#1395508)
URL spoofing with right-to-left text aligned left-to-right
* CVE-2018-5089
Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- remove obsolete patch mozilla-ucontext.patch
- official NSS requirement is >= 3.28.6 therefore putting 3.29.5
into an ifarch
* Wed Jan 17 2018 wbauer@tmo.at
- Escape the usage of %{VERSION} when calling out to rpm.
RPM 4.14 has %{VERSION} defined as 'the main package's version'.
* Tue Jan 16 2018 cgrobertson@suse.com
- Added additional patches and configurations to fix
builds on s390 and PowerPC.
* Added firefox-glibc-getrandom.patch effecting builds on
s390 and PowerPC
* Added mozilla-s390-bigendian.patch along with icudt58b.dat
bigendian ICU data file for running Firefox on bigendian
architectures (bmo#1322212 and bmo#1264836)
* Added mozilla-s390-nojit.patch to enable atomic operations
used by the JS engine when JIT is disabled on s390
* Build configuration options specific to s390
* Requires NSS >= 3.29.5
* Fri Dec 29 2017 astieger@suse.com
- Update to Firefox 52.5.3esr:
* Fix a crash reporting issue that inadvertently sends background
tab crash reports to Mozilla without user opt-in (bmo#1427111,
bsc#1074235)
* Fri Dec 15 2017 fcrozat@suse.com
- Add BuildRequires python-xml to fix build on TW/SLE15.
* Sat Dec 09 2017 security@suse.com
- update to Firefox 52.5.2esr (MFSA 2017-28):
* CVE-2017-7843 (bsc#1072034, bmo#1410106)
Web worker in Private Browsing mode can write IndexedDB data
* Tue Nov 14 2017 wr@rosenauer.org
- update to Firefox 52.5.0esr (boo#1068101)
MFSA 2017-25
* CVE-2017-7828 (bmo#1406750. bmo#1412252)
Use-after-free of PressShell while restyling layout
* CVE-2017-7830 (bmo#1408990)
Cross-origin URL information leak through Resource Timing API
* CVE-2017-7826
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
* Sun Oct 01 2017 stefan.bruens@rwth-aachen.de
- Correct plugin directory for aarch64 (boo#1061207). The wrapper
script was not detecting aarch64 as a 64 bit architecture, thus
used /usr/lib/browser-plugins/.
* Sat Sep 30 2017 zaitor@opensuse.org
- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
looks for.
* Fri Sep 29 2017 wr@rosenauer.org
- update to Firefox 52.4esr (boo#1060445)
* requires NSS >= 3.28.6
MFSA 2017-22
* CVE-2017-7793 (bmo#1371889)
Use-after-free with Fetch API
* CVE-2017-7818 (bmo#1363723)
Use-after-free during ARIA array manipulation
* CVE-2017-7819 (bmo#1380292)
Use-after-free while resizing images in design mode
* CVE-2017-7824 (bmo#1398381)
Buffer overflow when drawing and validating elements with ANGLE
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
Use-after-free in TLS 1.2 generating handshake hashes
* CVE-2017-7814 (bmo#1376036)
Blob and data URLs bypass phishing and malware protection warnings
* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
OS X fonts render some Tibetan and Arabic unicode characters as spaces
* CVE-2017-7823 (bmo#1396320)
CSP sandbox directive did not create a unique origin
* CVE-2017-7810
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
- fixed language accept header to use correct locale
(mozilla-bmo1005640.patch, boo#1029917)
* Thu Sep 28 2017 dimstar@opensuse.org
- Add alsa-devel BuildRequires: we care for ALSA support to be
built and thus need to ensure we get the dependencies in place.
In the past, alsa-devel was pulled in by accident: we
buildrequire libgnome-devel. This required esound-devel and that
in turn pulled in alsa-devel for us. libgnome is being fixed to
no longer require esound-devel.
* Wed Aug 09 2017 schwab@suse.de
- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext
* Tue Aug 08 2017 wr@rosenauer.org
- update to Firefox 52.3esr (boo#1052829)
MFSA 2017-19
* CVE-2017-7798 (bmo#1371586, bmo#1372112)
XUL injection in the style editor in devtools
* CVE-2017-7800 (bmo#1374047)
Use-after-free in WebSockets during disconnection
* CVE-2017-7801 (bmo#1371259)
Use-after-free with marquee during window resizing
* CVE-2017-7784 (bmo#1376087)
Use-after-free with image observers
* CVE-2017-7802 (bmo#1378147)
Use-after-free resizing image elements
* CVE-2017-7785 (bmo#1356985)
Buffer overflow manipulating ARIA attributes in DOM
* CVE-2017-7786 (bmo#1365189)
Buffer overflow while painting non-displayable SVG
* CVE-2017-7753 (bmo#1353312)
Out-of-bounds read with cached style data and pseudo-elements#
* CVE-2017-7787 (bmo#1322896)
Same-origin policy bypass with iframes through page reloads
* CVE-2017-7807 (bmo#1376459)
Domain hijacking through AppCache fallback
* CVE-2017-7792 (bmo#1368652)
Buffer overflow viewing certificates with an extremely long OID
* CVE-2017-7804 (bmo#1372849)
Memory protection bypass through WindowsDllDetourPatcher
* CVE-2017-7791 (bmo#1365875)
Spoofing following page navigation with data: protocol and modal alerts
* CVE-2017-7782 (bmo#1344034)
WindowsDllDetourPatcher allocates memory without DEP protections
* CVE-2017-7803 (bmo#1377426)
CSP containing 'sandbox' improperly applied
* CVE-2017-7779
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
* Wed Jul 05 2017 astieger@suse.com
- Mozilla Firefox 52.2.1esr:
* Printing text does not work on Windows when Direct2D is
disabled (bmo#1318845)
* Wed Jun 14 2017 wr@rosenauer.org
- update to Firefox 52.2esr (boo#1043960)
MFSA 2017-16
* CVE-2017-5472 (bmo#1365602)
Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039)
Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558)
Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396)
Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547)
Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090)
Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7755 (bmo#1361326)
Privilege escalation through Firefox Installer with same
directory DLL files (Windows only)
* CVE-2017-7756 (bmo#1366595)
Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824)
Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
CVE-2017-7777
Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490)
Out-of-bounds read in Opus encoder
* CVE-2017-7760 (bmo#1348645)
File manipulation and privilege escalation via callback parameter
in Mozilla Windows Updater and Maintenance Service (Windows only)
* CVE-2017-7761 (bmo#1215648)
File deletion and privilege escalation through Mozilla Maintenance
Service helper.exe application (Windows only)
* CVE-2017-7764 (bmo#1364283)
Domain spoofing with combination of Canadian Syllabics and other
unicode blocks
* CVE-2017-7765 (bmo#1273265)
Mark of the Web bypass when saving executable files (Windows only)
* CVE-2017-7766 (bmo#1342742)
File execution and privilege escalation through updater.ini,
Mozilla Windows Updater, and Mozilla Maintenance Service
(Windows only)
* CVE-2017-7767 (bmo#1336964)
Privilege escalation and arbitrary file overwrites through Mozilla
Windows Updater and Mozilla Maintenance Service (Windows only)
* CVE-2017-7768 (bmo#1336979)
32 byte arbitrary file read through Mozilla Maintenance Service
(Windows only)
* CVE-2017-5470
Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
- requires NSS 3.28.5
* Tue May 23 2017 wr@rosenauer.org
- remove -fno-inline-small-functions and explicitely optimize with
- O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
* Mon May 08 2017 wr@rosenauer.org
- update to Firefox 52.1.1
MFSA 2017-14
* CVE-2017-5031: Use after free in ANGLE (bmo#1328762)
(Windows only, Linux not affected)
- switch to Mozilla's geolocation service (boo#1026989)
- removed mozilla-preferences.patch obsoleted by overriding via
firefox.js
- fixed KDE integration to avoid crash caused by filepicker
(boo#1015998)
* Wed Apr 12 2017 wr@rosenauer.org
- update to Firefox 52.1.0esr (boo#1035082)
MFSA 2017-12
* CVE-2017-5443 (bmo#1342661)
Out-of-bounds write during BinHex decoding
* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1
* CVE-2017-5464 (bmo#1347075)
Memory corruption with accessibility and DOM manipulation
* CVE-2017-5465 (bmo#1347617)
Out-of-bounds read in ConvolvePixel
* CVE-2017-5466 (bmo#1353975)
Origin confusion when reloading isolated data:text/html URL
* CVE-2017-5467 (bmo#1347262)
Memory corruption when drawing Skia content
* CVE-2017-5460 (bmo#1343642)
Use-after-free in frame selection
* CVE-2017-5461 (bmo#1344380)
Out-of-bounds write in Base64 encoding in NSS
* CVE-2017-5448 (bmo#1346648)
Out-of-bounds write in ClearKeyDecryptor
* CVE-2017-5449 (bmo#1340127)
Crash during bidirectional unicode manipulation with animation
* CVE-2017-5446 (bmo#1343505)
Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
* CVE-2017-5447 (bmo#1343552)
Out-of-bounds read during glyph processing
* CVE-2017-5444 (bmo#1344461)
Buffer overflow while parsing application/http-index-format content
* CVE-2017-5445 (bmo#1344467)
Uninitialized values used while parsing application/http-index-format
content
* CVE-2017-5442 (bmo#1347979)
Use-after-free during style changes
* CVE-2017-5469 (bmo#1292534)
Potential Buffer overflow in flex-generated code
* CVE-2017-5440 (bmo#1336832)
Use-after-free in txExecutionState destructor during XSLT processing
* CVE-2017-5441 (bmo#1343795)
Use-after-free with selection during scroll events
* CVE-2017-5439 (bmo#1336830)
Use-after-free in nsTArray Length() during XSLT processing
* CVE-2017-5438 (bmo#1336828)
Use-after-free in nsAutoPtr during XSLT processing
* CVE-2017-5437 (bmo#1343453)
Vulnerabilities in Libevent library
* CVE-2017-5436 (bmo#1345461)
Out-of-bounds write with malicious font in Graphite 2
* CVE-2017-5435 (bmo#1350683)
Use-after-free during transaction processing in the editor
* CVE-2017-5434 (bmo#1349946)
Use-after-free during focus handling
* CVE-2017-5433 (bmo#1347168)
Use-after-free in SMIL animation functions
* CVE-2017-5432 (bmo#1346654)
Use-after-free in text input selection
* CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
* CVE-2017-5459 (bmo#1333858)
Buffer overflow in WebGL
* CVE-2017-5462 (bmo#1345089)
DRBG flaw in NSS
* CVE-2017-5455 (bmo#1341191)
Sandbox escape through internal feed reader APIs
* CVE-2017-5454 (bmo#1349276)
Sandbox escape allowing file system read access through file
picker
* CVE-2017-5456 (bmo#1344415)
Sandbox escape allowing local file system access
* CVE-2017-5451 (bmo#1273537)
Addressbar spoofing with onblur event
- requires NSS 3.28.4
- rebased patches
* Mon Apr 03 2017 wr@rosenauer.org
- switch package to use ESR52 branch
* enables plugin support by default
* service workers are disabled by default
* push notifications are disabled by default
* WebAssembly (wasm) is disabled
* Less use of multiprocess architecture Electrolysis (e10s)
* Mon Apr 03 2017 wr@rosenauer.org
- update to Firefox 52.0.2
* Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
* Fix loading tab icons on session restore (bmo#1338009)
* Fix a crash on startup on Linux (bmo#1345413)
* Fix new installs erroneously not prompting to change the default
browser setting (bmo#1343938)
* Mon Mar 20 2017 wr@rosenauer.org
- disable rust usage for everything but x86(-64)
- explicitely add libffi build requirement
* Fri Mar 17 2017 wr@rosenauer.org
- update to Firefox 52.0.1 (boo#1029822)
MFSA 2017-08
CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
* Thu Mar 09 2017 wr@rosenauer.org
- reenable ALSA support which was removed by default upstream
* Sat Mar 04 2017 wr@rosenauer.org
- update to Firefox 52.0 (boo#1028391)
* requires NSS >= 3.28.3
* Pages containing insecure password fields now display a warning
directly within username and password fields.
* Send and open a tab from one device to another with Sync
* Removed NPAPI support for plugins other than Flash. Silverlight,
Java, Acrobat and the like are no longer supported.
* Removed Battery Status API to reduce fingerprinting of users by
trackers
* MFSA 2017-05
CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
(bmo#1334933)
CVE-2017-5401: Memory Corruption when handling ErrorResult
(bmo#1328861)
CVE-2017-5402: Use-after-free working with events in FontFace
objects (bmo#1334876)
CVE-2017-5403: Use-after-free using addRange to add range to an
incorrect root object (bmo#1340186)
CVE-2017-5404: Use-after-free working with ranges in selections
(bmo#1340138)
CVE-2017-5406: Segmentation fault in Skia with canvas operations
(bmo#1306890)
CVE-2017-5407: Pixel and history stealing via floating-point
timing side channel with SVG filters (bmo#1336622)
CVE-2017-5410: Memory corruption during JavaScript garbage
collection incremental sweeping (bmo#1330687)
CVE-2017-5408: Cross-origin reading of video captions in violation
of CORS (bmo#1313711)
CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
CVE-2017-5413: Segmentation fault during bidirectional operations
(bmo#1337504)
CVE-2017-5414: File picker can choose incorrect default directory
(bmo#1319370)
CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
(bmo#791597)
CVE-2017-5426: Gecko Media Plugin sandbox is not started if
seccomp-bpf filter is running (bmo#1257361)
CVE-2017-5427: Non-existent chrome.manifest file loaded during
startup (bmo#1295542)
CVE-2017-5418: Out of bounds read when parsing HTTP digest
authorization responses (bmo#1338876)
CVE-2017-5419: Repeated authentication prompts lead to DOS
attack (bmo#1312243)
CVE-2017-5420: Javascript: URLs can obfuscate addressbar
location (bmo#1284395)
CVE-2017-5405: FTP response codes can cause use of
uninitialized values for ports (bmo#1336699)
CVE-2017-5421: Print preview spoofing (bmo#1301876)
CVE-2017-5422: DOS attack by using view-source: protocol
repeatedly in one hyperlink (bmo#1295002)
CVE-2017-5399: Memory safety bugs fixed in Firefox 52
CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
Firefox ESR 45.8
- removed obsolete patches
* mozilla-binutils-visibility.patch
* mozilla-check_return.patch
* mozilla-disable-skia-be.patch
* mozilla-skia-overflow.patch
* mozilla-skia-ppc-endianess.patch
- rebased patches
- enable rust usage for Tumbleweed
* Fri Jan 27 2017 astieger@suse.com
- Mozilla Firefox 51.0.1:
- Multiprocess incompatibility did not correctly register with
some add-ons (bmo#1333423)
* Fri Jan 20 2017 wr@rosenauer.org
- update to Firefox 51.0
* requires NSPR >= 4.13.1, NSS >= 3.28.1
* Added support for FLAC (Free Lossless Audio Codec) playback
* Added support for WebGL 2
* Added Georgian (ka) and Kabyle (kab) locales
* Support saving passwords for forms without 'submit' events
* Improved video performance for users without GPU acceleration
* Zoom indicator is shown in the URL bar if the zoom level is not
at default level
* View passwords from the prompt before saving them
* Remove Belarusian (be) locale
* Use Skia for content rendering (Linux)
* MFSA 2017-01
CVE-2017-5375: Excessive JIT code allocation allows bypass of
ASLR and DEP (bmo#1325200, boo#1021814)
CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
CVE-2017-5377: Memory corruption with transforms to create
gradients in Skia (bmo#1306883, boo#1021826)
CVE-2017-5378: Pointer and frame data leakage of Javascript objects
(bmo#1312001, bmo#1330769, boo#1021818)
CVE-2017-5379: Use-after-free in Web Animations
(bmo#1309198,boo#1021827)
CVE-2017-5380: Potential use-after-free during DOM manipulations
(bmo#1322107, boo#1021819)
CVE-2017-5390: Insecure communication methods in Developer Tools
JSON viewer (bmo#1297361, boo#1021820)
CVE-2017-5389: WebExtensions can install additional add-ons via
modified host requests (bmo#1308688, boo#1021828)
CVE-2017-5396: Use-after-free with Media Decoder
(bmo#1329403, boo#1021821)
CVE-2017-5381: Certificate Viewer exporting can be used to navigate
and save to arbitrary filesystem locations
(bmo#1017616, boo#1021830)
CVE-2017-5382: Feed preview can expose privileged content errors
and exceptions (bmo#1295322, boo#1021831)
CVE-2017-5383: Location bar spoofing with unicode characters
(bmo#1323338, bmo#1324716, boo#1021822)
CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
(bmo#1255474, boo#1021832)
CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
response headers (bmo#1295945, boo#1021833)
CVE-2017-5386: WebExtensions can use data: protocol to affect other
extensions (bmo#1319070, boo#1021823)
CVE-2017-5394: Android location bar spoofing using fullscreen and
JavaScript events (bmo#1222798)
CVE-2017-5391: Content about: pages can load privileged about: pages
(bmo#1309310, boo#1021835)
CVE-2017-5392: Weak references using multiple threads on weak proxy
objects lead to unsafe memory usage (bmo#1293709)
(Android only)
CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for
mozAddonManager (bmo#1309282, boo#1021837)
CVE-2017-5395: Android location bar spoofing during scrolling
(bmo#1293463) (Android only)
CVE-2017-5387: Disclosure of local file existence through TRACK
tag error messages (bmo#1295023, boo#1021839)
CVE-2017-5388: WebRTC can be used to generate a large amount of
UDP traffic for DDOS attacks
(bmo#1281482, boo#1021840)
CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841)
CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and
Firefox ESR 45.7 (boo#1021824)
- switch Firefox to Gtk3 for Tumbleweed
- removed obsolete patches
* mozilla-flex_buffer_overrun.patch
- updated RPM locale support tag
- improve recognition of LANGUAGE env variable (boo#1017174)
- add upstream patch to fix PPC64LE (bmo#1319389)
(mozilla-skia-ppc-endianess.patch)
- fix build without skia (big endian archs) (bmo#1319374)
(mozilla-disable-skia-be.patch)
* Mon Dec 12 2016 wr@rosenauer.org
- update to Firefox 50.1.0 (boo#1015422)
* MFSA 2016-94
CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
CVE-2016-9899: Use-after-free while manipulating DOM events and
audio elements (bmo#1317409)
CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
CVE-2016-9898: Use-after-free in Editor while manipulating
DOM subtrees (bmo#1314442)
CVE-2016-9900: Restricted external resources can be loaded by
SVG images through data URLs (bmo#1319122)
CVE-2016-9904: Cross-origin information leak in shared atoms
(bmo#1317936)
CVE-2016-9901: Data from Pocket server improperly sanitized
before execution (bmo#1320057)
CVE-2016-9902: Pocket extension does not validate the origin
of events (bmo#1320039)
CVE-2016-9903: XSS injection vulnerability in add-ons SDK
(bmo#1315435)
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
Firefox ESR 45.6
* Fri Dec 09 2016 cgrobertson@novell.com
- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
* Thu Dec 01 2016 wr@rosenauer.org
- update to Firefox 50.0.2
* Firefox crashes with 3rd party Chinese IME when using IME text
(50.0.1)
security fixes (in 50.0.1): (boo#1012807)
* MFSA 2016-91
CVE-2016-9078: data: URL can inherit wrong origin after an
HTTP redirect (bmo#1317641)
security fixes (in 50.0.2) (boo#1012964)
* MFSA 2016-92
CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
* Mon Nov 14 2016 wr@rosenauer.org
- update to Firefox 50.0 (boo#1009026)
* requires NSS 3.26.2
new features
* Updates to keyboard shortcuts
Set a preference to have Ctrl+Tab cycle through tabs in recently
used order
View a page in Reader Mode by using Ctrl+Alt+R
* Added option to Find in page that allows users to limit search to
whole words only
* Added download protection for a large number of executable file
types on Windows, Mac and Linux
* Fixed rendering of dashed and dotted borders with rounded corners
(border-radius)
* Added a built-in Emoji set for operating systems without native
Emoji fonts (Windows 8.0 and lower and Linux)
* Blocked versions of libavcodec older than 54.35.1
* additional locale
security fixes:
* MFSA 2016-89
CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
(bmo#1292443)
CVE-2016-5292: URL parsing causes crash (bmo#1288482)
CVE-2016-5293: Write to arbitrary file with updater and moz
maintenance service using updater.log hardlink
(Windows only) (bmo#1246945)
CVE-2016-5294: Arbitrary target directory for result files of
update process (Windows only) (bmo#1246972)
CVE-2016-5297: Incorrect argument length checking in Javascript
(bmo#1303678)
CVE-2016-9064: Addons update must verify IDs match between
current and new versions (bmo#1303418)
CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen
(Android only) (bmo#1306696)
CVE-2016-9066: Integer overflow leading to a buffer overflow in
nsScriptLoadHandler (bmo#1299686)
CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
(bmo#1301777, bmo#1308922 (CVE-2016-9069))
CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
(bmo#1300083) (Windows only)
CVE-2016-9075: WebExtensions can access the mozAddonManager API
and use it to gain elevated privileges (bmo#1295324)
CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
to cross-origin images, allowing timing attacks on them
(bmo#1298552)
CVE-2016-5291: Same-origin policy violation using local HTML file
and saved shortcut file (bmo#1292159)
CVE-2016-5295: Mozilla Maintenance Service: Ability to read
arbitrary files as SYSTEM (Windows only) (bmo#1247239)
CVE-2016-5298: SSL indicator can mislead the user about the real
URL visited (bmo#1227538) (Android only)
CVE-2016-5299: Firefox AuthToken in broadcast protected with
signature-level permission can be accessed by an
application installed beforehand that defines the
same permissions (bmo#1245791) (Android only)
CVE-2016-9061: API Key (glocation) in broadcast protected with
signature-level permission can be accessed by an
application installed beforehand that defines the
same permissions (Android only) (bmo#1245795)
CVE-2016-9062: Private browsing browser traces (android) in
browser.db and wal file (Android only) (bmo#1294438)
CVE-2016-9070: Sidebar bookmark can have reference to chrome window
(bmo#1281071)
CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
(bmo#1289273)
CVE-2016-9074: Insufficient timing side-channel resistance in
divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
CVE-2016-9076: select dropdown menu can be used for URL bar
spoofing on e10s (bmo#1276976)
CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
in expat (bmo#1274777)
CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
(bmo#1285003)
CVE-2016-5289: Memory safety bugs fixed in Firefox 50
CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
- make aarch64 build more similar to x86_64 build (remove conditionals
that don't seem to be necessary anymore)
* Mon Oct 24 2016 astieger@suse.com
- Mozilla Firefox 49.0.2:
* CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
* CVE-2016-5288: Web content can read cache entries (bsc#1006476)
* Asynchronous rendering of the Flash plugins is now enabled by
default
* Change D3D9 default fallback preference to prevent graphical
artifacts
* Network issue prevents some users from seeing the Firefox UI on
startup
* Web compatibility issue with file uploads
* Web compatibility issue with Array.prototype.values
* Diagnostic information on timing for tab switching
* Fix a Canvas filters graphics issue affecting HTML5 apps
* Wed Oct 12 2016 badshah400@gmail.com
- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
and fixes have been incorporated by upstream.
* Fri Sep 23 2016 astieger@suse.com
- Mozilla Firefox 49.0.1:
* Mitigate a startup crash issue caused by Websense - bmo#1304783
* Tue Sep 20 2016 wr@rosenauer.org
- update to Firefox 49.0 (boo#999701)
new features
* Updated Firefox Login Manager to allow HTTPS pages to use saved
HTTP logins.
* Added features to Reader Mode that make it easier on the eyes and
the ears
* Improved video performance for users on systems that support
SSE3 without hardware acceleration
* Added context menu controls to HTML5 audio and video that let users
loops files or play files at 1.25x speed
* Improvements in about:memory reports for tracking font memory usage
security related
* MFSA 2016-85
CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
mozilla::net::IsValidReferrerPolicy
CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
nsCaseTransformTextRunFactory::TransformString
CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
PropertyProvider::GetSpacingInternal
CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
CVE-2016-5273 (bmo#1280387) - crash in
mozilla::a11y::HyperTextAccessible::GetChildOffset
CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
mozilla::a11y::DocAccessible::ProcessInvalidationList
CVE-2016-5274 (bmo#1282076) - use-after-free in
nsFrameManager::CaptureFrameState
CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
nsBMPEncoder::AddImageFrame
CVE-2016-5279 (bmo#1249522) - Full local path of files is available
to web pages after drag and drop
CVE-2016-5280 (bmo#1289970) - Use-after-free in
mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
from non-whitelisted schemes
CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can
reveal cross-origin data
CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
- removed obsolete patches:
* mozilla-aarch64-48bit-va.patch
* mozilla-exclude-nametablecpp.patch
* mozilla-old_configure-bmo1282843.patch
- added patch mozilla-skia-overflow.patch (bmo#1304114)
- requires NSS 3.25
* Tue Aug 30 2016 astieger@suse.com
- Mozilla Firefox 48.0.2:
* Mitigate a startup crash issue caused on Windows (bmo#1291738)
* Sat Aug 20 2016 astieger@suse.com
- Mozilla Firefox 48.0.1:
* Fix an audio regression impacting some major websites
(bmo#1295296)
* Fix a top crash in the JavaScript engine (bmo#1290469)
* Fix a startup crash issue caused by Websense (bmo#1291738)
* Fix a different behavior with e10s / non-e10s on <select> and
mouse events (bmo#1291078)
* Fix a top crash caused by plugin issues (bmo#1264530)
* Fix a shutdown issue (bmo#1276920)
* Fix a crash in WebRTC
* Mon Aug 15 2016 wr@rosenauer.org
- added upstream patch so system plugins/extensions are correctly
loaded again on x86-64 (bmo#1282843)
(mozilla-old_configure-bmo1282843.patch)
* Fri Aug 05 2016 pcerny@suse.com
- Fix for possible buffer overrun (bsc#990856)
CVE-2016-6354 (bmo#1292534)
[mozilla-flex_buffer_overrun.patch]
* Wed Aug 03 2016 badshah400@gmail.com
- Update mozilla-gtk3_20.patch to latest version from Fedora.
* Mon Aug 01 2016 wr@rosenauer.org
- update to Firefox 48.0 (boo#991809)
* requires NSS 3.24
* Process separation (e10s) is enabled for some of you
* Add-ons that have not been verified and signed by Mozilla will not load
* WebRTC embetterments
* The media parser has been redeveloped using the Rust programming
language
* better Canvas performance with speedy Skia support
security fixes:
* MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
Miscellaneous memory safety hazards
* MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
Favicon network connection can persist when page is closed
* MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
Buffer overflow rendering SVG with bidirectional content
* MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
* MFSA 2016-66/CVE-2016-5251 (bmo#1255570)
Location bar spoofing via data URLs with malformed/invalid mediatypes
* MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
Stack underflow during 2D graphics rendering
* MFSA 2016-68/CVE-2016-0718 (bmo#1236923)
Out-of-bounds read during XML parsing in Expat library
* MFSA 2016-69/CVE-2016-5253 (bmo#1246944)
Arbitrary file manipulation by local user through Mozilla updater
and callback application path parameter (Windows-only)
* MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
Use-after-free when using alt key and toplevel menus
* MFSA 2016-71/CVE-2016-5255 (bmo#1212356)
Crash in incremental garbage collection in JavaScript
* MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
Use-after-free in DTLS during WebRTC session shutdown
* MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
Use-after-free in service workers with nested sync events
* MFSA 2016-74/CVE-2016-5260 (bmo#1280294)
Form input type change from password to text can store plain
text password in session restore file
* MFSA 2016-75/CVE-2016-5261 (bmo#1287266)
Integer overflow in WebSockets during data buffering
* MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
Scripts on marquee tag can execute in sandboxed iframes
* MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
Buffer overflow in ClearKey Content Decryption Module (CDM)
during video playback
* MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
Type confusion in display transformation
* MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
Use-after-free when applying SVG effects
* MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
Same-origin policy violation using local HTML file and saved shortcut file
* MFSA 2016-81/CVE-2016-5266 (bmo#1226977)
Information disclosure and local file manipulation through drag and drop
* MFSA 2016-82/CVE-2016-5267 (bmo#1284372)
Addressbar spoofing with right-to-left characters on Firefox for Android
(Android only)
* MFSA 2016-83/CVE-2016-5268 (bmo#1253673)
Spoofing attack through text injection into internal error pages
* MFSA 2016-84/CVE-2016-5250 (bmo#1254688)
Information disclosure through Resource Timing API during page navigation
- removed obsolete mozilla-gcc6.patch
* Fri Jul 29 2016 badshah400@gmail.com
- Update description and screenshots in appdata.xml file.
* Sat Jul 23 2016 antoine.belvire@laposte.net
- Fix Firefox crash on startup on i586 (boo#986541):
* Add -fno-delete-null-pointer-checks and
- fno-inline-small-functions to CFLAGS
* Tue Jul 19 2016 mailaender@opensuse.org
- Update the appdata.xml file (replace Windows XP screenshot)
* Wed Jun 29 2016 astieger@suse.com
- Mozilla Firefox 47.0.1:
* Selenium WebDriver may cause Firefox to crash at startup
(bmo#1280854)
* Wed Jun 15 2016 wr@rosenauer.org
- mozilla-binutils-visibility.patch to fix build issues with
gcc/binutils combination used in Leap 42.2 (boo#984637)
* Tue Jun 14 2016 badshah400@gmail.com
- Update mozilla-gtk3_20.patch to latest version from Fedora.
* Mon Jun 13 2016 agraf@suse.com
- Fix running on 48bit va aarch64 (bsc#984126)
* add patch mozilla-aarch64-48bit-va.patch
* Mon Jun 13 2016 wr@rosenauer.org
- fix XUL dialog button order under KDE session (boo#984403)
* Tue Jun 07 2016 wr@rosenauer.org
- update to Firefox 47.0 (boo#983549)
* Enable VP9 video codec for users with fast machines
* Embedded YouTube videos now play with HTML5 video if Flash is
not installed
* View and search open tabs from your smartphone or another
computer in a sidebar
* Allow no-cache on back/forward navigations for https resources
security fixes:
* MFSA 2016-49/CVE-2016-2815/CVE-2016-2818
(boo#983638)
(bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743,
bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493,
bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752,
bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130,
bmo#1269729, bmo#1273202, bmo#1273701)
Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
* MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381)
Buffer overflow parsing HTML5 fragments
* MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460)
Use-after-free deleting tables from a contenteditable document
* MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129)
Addressbar spoofing though the SELECT element
* MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580)
Out-of-bounds write with WebGL shader
* MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093)
Partial same-origin-policy through setting location.host
through data URI
* MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810)
Use-after-free when textures are used in WebGL operations
after recycle pool destruction
* MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329)
Incorrect icon displayed on permissions notifications
* MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933)
Entering fullscreen and persistent pointerlock without user
permission
* MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267)
Information disclosure of disabled plugins through CSS
pseudo-classes
* MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933)
Java applets bypass CSP protections
* MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283,
bmo#1221620, bmo#1241034, bmo#1241037)
Network Security Services (NSS) vulnerabilities
fixed by requiring NSS 3.23
packaging changes:
* cleanup configure options (boo#981695):
- notably remove GStreamer support which is gone from FF
* remove obsolete patches
- mozilla-libproxy.patch
- mozilla-repo.patch
* Wed May 25 2016 badshah400@gmail.com
- The conditional testing for gcc was failing for different
openSUSE versions, drop it and apply patches unconditionally.
* Mon May 23 2016 badshah400@gmail.com
- Add patches to fix building with gcc6:
+ mozilla-gcc6.patch: fix building with gcc >= 6.1; patch
taken from upstream:
https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
+ mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp
from unified compilation because #include <cmath> in other
source files causes gcc6 compilation failure; patch taken from
upstream:
https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc.
* Thu May 12 2016 dsterba@suse.cz
- enable build with PIE and full relro on x86_64 (boo#980384)
* Wed May 04 2016 wr@rosenauer.org
- update to Firefox 46.0.1
Fixed:
* Search plugin issue for various locales
* Add-on signing certificate expiration
* Service worker update issue
* Build issue when jit is disabled
* Limit Sync registration updates
- removed now obsolete mozilla-jit_branch64.patch
* Tue May 03 2016 normand@linux.vnet.ibm.com
- add mozilla-jit_branch64.patch to avoid PowerPC build failure
(from bmo#1266366)
* Wed Apr 27 2016 badshah400@gmail.com
- Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest
version from Fedora).
* Wed Apr 27 2016 wr@rosenauer.org
- update to Firefox 46.0 (boo#977333)
* Improved security of the JavaScript Just In Time (JIT) Compiler
* WebRTC fixes to improve performance and stability
* Added support for document.elementsFromPoint
* Added HKDF support for Web Crypto API
* requires NSPR 4.12 and NSS 3.22.3
* added patch to fix unchecked return value
mozilla-check_return.patch
* Gtk3 builds not supported at the moment
security fixes:
* MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807
(boo#977373, boo#977375, boo#977376)
Miscellaneous memory safety hazards
* MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377)
Privilege escalation through file deletion by Maintenance Service updater
(Windows only)
* MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378)
Content provider permission bypass allows malicious application
to access data (Android only)
* MFSA 2016-42/CVE-2016-2811/CVE-2016-2812
(bmo#1252330, bmo#1261776, boo#977379)
Use-after-free and buffer overflow in Service Workers
* MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380)
Disclosure of user actions through JavaScript with motion and
orientation sensors (only affects mobile variants)
* MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381)
Buffer overflow in libstagefright with CENC offsets
* MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382)
CSP not applied to pages sent with multipart/x-mixed-replace
* MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384)
Elevation of privilege with chrome.tabs.update API in web extensions
* MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386)
Write to invalid HashMap entry through JavaScript.watch()
* MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388)
Firefox Health Reports could accept events from untrusted domains
* Thu Apr 21 2016 badshah400@gmail.com
- Update mozilla-gtk3_20.patch to fix scrollbar appearance under
gtk >= 3.20 (patch synced to Fedora's version).
* Tue Apr 12 2016 badshah400@gmail.com
- Compile against gtk3 depending on whether the macro
%firefox_use_gtk3 is defined or not (e.g., at the prjconf
level); macro is undefined by default and so gtk2 is used as the
default toolkit.
- Add BuildRequires for additional packages needed when building
against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0),
pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).
- Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20;
patch taken from Fedora (bmo#1230955).
* Mon Apr 11 2016 astieger@suse.com
- Mozilla Firefox 45.0.2:
* Fix an issue impacting the cookie header when third-party
cookies are blocked (bmo#1257861)
* Fix a web compatibility regression impacting the srcset
attribute of the image tag (bmo#1259482)
* Fix a crash impacting the video playback with Media Source
Extension (bmo#1258562)
* Fix a regression impacting some specific uploads (bmo#1255735)
* Fix a regression with the copy and paste with some old versions
of some Gecko applications like Thunderbird (bmo#1254980)
* Fri Mar 18 2016 astieger@suse.com
- Mozilla Firefox 45.0.1:
* Fix a regression causing search engine settings to be lost in
some context (bmo#1254694)
* Bring back non-standard jar: URIs to fix a regression in IBM
iNotes (bmo#1255139)
* XSLTProcessor.importStylesheet was failing when <import> was
used (bmo#1249572)
* Fix an issue which could cause the list of search provider to
be empty (bmo#1255605)
* Fix a regression when using the location bar (bmo#1254503)
* Fix some loading issues when Accept third-party cookies: was
set to Never (bmo#1254856)
* Disabled Graphite font shaping library
* Sun Mar 06 2016 wr@rosenauer.org
- update to Firefox 45.0 (boo#969894)
* requires NSPR 4.12 / NSS 3.21.1
* Instant browser tab sharing through Hello
* Synced Tabs button in button bar
* Tabs synced via Firefox Accounts from other devices are now shown
in dropdown area of Awesome Bar when searching
* Introduce a new preference (network.dns.blockDotOnion) to allow
blocking .onion at the DNS level
* Tab Groups (Panorama) feature removed
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
Miscellaneous memory safety hazards
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
Local file overwriting and potential privilege escalation through
CSP reports
* MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
CSP reports fail to strip location information for embedded iframe pages
* MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
Linux video memory DOS with Intel drivers
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
Memory leak in libstagefright when deleting an array during MP4
processing
* MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
Displayed page address can be overridden
* MFSA 2016-22/CVE-2016-1959 (bmo#1234949)
Service Worker Manager out-of-bounds read in Service Worker Manager
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
Use-after-free when using multiple WebRTC data channels
* MFSA 2016-26/CVE-2016-1963 (bmo#1238440)
Memory corruption when modifying a file being read by FileReader
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
Addressbar spoofing though history navigation and Location protocol
property
* MFSA 2016-29/CVE-2016-1967 (bmo#1246956)
Same-origin policy violation using perfomance.getEntries and
history navigation with session restore
* MFSA 2016-30/CVE-2016-1968 (bmo#1246742)
Buffer overflow in Brotli decompression
* MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
Memory corruption with malicious NPAPI plugin
* MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/
CVE-2016-1976/CVE-2016-1972
WebRTC and LibVPX vulnerabilities found through code inspection
* MFSA 2016-33/CVE-2016-1973 (bmo#1219339)
Use-after-free in GetStaticInstance in WebRTC
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
Out-of-bounds read in HTML parser following a failed allocation
* MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
Buffer overflow during ASN.1 decoding in NSS
(fixed by requiring 3.21.1)
* MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
Use-after-free during processing of DER encoded keys in NSS
(fixed by requiring 3.21.1)
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
Font vulnerabilities in the Graphite 2 library
* Sat Mar 05 2016 olaf@aepfle.de
- Remove B_CNT from symbols.zip filename to reduce build-compare noise
* Fri Feb 26 2016 astieger@suse.com
- fix build problems on i586, caused by too large unified compile
units - adding mozilla-reduce-files-per-UnifiedBindings.patch
* Thu Feb 11 2016 wr@rosenauer.org
- update to Firefox 44.0.2
* MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438)
Same-origin-policy violation using Service Workers with plugins
* Fix issue which could lead to the removal of stored passwords
under certain circumstances (bmo#1242176)
* Allows spaces in cookie names (bmo#1244505)
* Disable opus/vorbis audio with H.264 (bmo#1245696)
* Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
* Fix a crash in cache networking (bmo#1244076)
* Fix using WebSockets in service worker controlled pages (bmo#1243942)
* Sat Jan 30 2016 dmueller@suse.com
- build fixes for arm/aarch64:
* disable webrtc for arm/aarch64
* switch away from openGL-ES backend to default for arm/aarch64
since it almost never builds
* reenable neon
- reenable webrtc for powerpc as it seems to build
* Sun Jan 24 2016 wr@rosenauer.org
- update to Firefox 44.0
* MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633
Miscellaneous memory safety hazards
* MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634
Out of Memory crash when parsing GIF format images
* MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635
Buffer overflow in WebGL after out of memory allocation
* MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637
Firefox allows for control characters to be set in cookie names
* MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641
Missing delay following user click events in protocol handler dialog
* MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731
Errors in mp_div and mp_exptmod cryptographic functions in NSS
(fixed by requiring NSS 3.21)
* MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590)
Addressbar spoofing attacks boo#963643
* MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946
(bmo#1186621, bmo#1214782, bmo#1232096) boo#963644
Unsafe memory manipulation found through code inspection
* MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645
Application Reputation service disabled in Firefox 43
* requires NSPR 4.11
* requires NSS 3.21
- prepare mozilla-kde.patch for Gtk3 builds
- rebased patches
* Mon Jan 11 2016 astieger@suse.com
- Mozilla Firefox 43.0.4:
* Re-enable SHA-1 certificates to prevent outdated
man-in-the-middle security devices from interfering with
properly secured SSL/TLS connections (bmo#1236975)
* Fix for startup crash for users of a third party antivirus tool
(bmo#1235537)
- The following change was previously in the package as a patch:
* Multi-user GNU/Linux download folders can be created
(bmo#1233434), removed mozilla-bmo1233434.patch
* Tue Dec 29 2015 wr@rosenauer.org
- update to Firefox 43.0.3
* requires NSS 3.20.2 to fix
MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
server signature
* various changes to support Windows update (SHA-1 vs. SHA-2)
* workaround Youtube user agent detection issue (bmo#1233970)
- fix file download regression for multi user systems
(bmo#1233434) (mozilla-bmo1233434.patch)
- explicitely requires libXcomposite-devel
* Sun Dec 13 2015 wr@rosenauer.org
- update to Firefox 43.0 (bnc#959277)
* Improved API support for m4v video playback
* Users can opt-in to receive search suggestions from the Awesome Bar
* WebRTC streaming on multiple monitors
* User selectable second block list for Private Browsing's Tracking
Protection
security fixes:
* MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
Miscellaneous memory safety hazards
* MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
Crash with JavaScript variable assignment with unboxed objects
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
Same-origin policy violation using perfomance.getEntries and
history navigation
* MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
Firefox allows for control characters to be set in cookies
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
Use-after-free in WebRTC when datachannel is used after being
destroyed
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
Integer overflow allocating extremely large textures
* MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
Cross-origin information leak through web workers error events
* MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
Hash in data URI is incorrectly parsed
* MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
DOS due to malformed frames in HTTP/2
* MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
Linux file chooser crashes on malformed images due to flaws in
Jasper library
* MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221
(bmo#1201183, bmo#1178033, bmo#1199400)
Buffer overflows found through code inspection
* MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
Underflow through code inspection
* MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
Integer overflow in MP4 playback in 64-bit versions
* MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
Integer underflow and buffer overflow processing MP4 metadata in
libstagefright
* MFSA 2015-148/CVE-2015-7223 (bmo#1226423)
Privilege escalation vulnerabilities in WebExtension APIs
* MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
Cross-site reading attack through data and view-source URIs
- rebased patches
* Sun Nov 15 2015 wr@rosenauer.org
- Add desktop menu action for private browsing window to desktop
file (boo#954747)
- remove obsolete patch mozilla-bmo1005535.patch completely from
source package to avoid automatic check failures
* Sat Oct 31 2015 wr@rosenauer.org
- update to Firefox 42.0 (bnc#952810)
* Private Browsing with Tracking Protection blocks certain Web
elements that could be used to record your behavior across sites
* Control Center that contains site security and privacy controls
* Login Manager improvements
* WebRTC improvements
* Indicator added to tabs that play audio with one-click muting
* Media Source Extension for HTML5 video available for all sites
security fixes:
* MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
Miscellaneous memory safety hazards
* MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
Information disclosure through NTLM authentication
* MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
CSP bypass due to permissive Reader mode whitelist
* MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
Firefox for Android addressbar can be removed after fullscreen mode
* MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
Reading sensitive profile files through local HTML file on Android
* MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
disabling scripts in Add-on SDK panels has no effect
* MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
Trailing whitespace in IP address hostnames can bypass same-origin policy
* MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
Buffer overflow during image interactions in canvas
* MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
Android intents can be used on Firefox for Android to open privileged files
* MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
XSS attack through intents on Firefox for Android
* MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
Crash when accessing HTML tables with accessibility tools on OS X
* MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
CORS preflight is bypassed when non-standard Content-Type headers
are received
* MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
Memory corruption in libjar through zip files
* MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
Certain escaped characters in host of Location-header are being
treated as non-escaped
* MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
JavaScript garbage collection crash with Java applet
* MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
(bmo#1188010, bmo#1204061, bmo#1204155)
Vulnerabilities found through code inspection
* MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
Mixed content WebSocket policy bypass through workers
* MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
(bmo#1202868, bmo#1205157)
NSS and NSPR memory corruption issues
(fixed in mozilla-nspr and mozilla-nss packages)
- requires NSPR >= 4.10.10 and NSS >= 3.19.4
- removed obsolete patches
* mozilla-arm-disable-edsp.patch
* mozilla-icu-strncat.patch
* mozilla-skia-be-le.patch
* toolkit-download-folder.patch
- fixed build with enable-libproxy (bmo#1220399)
* mozilla-libproxy.patch
* Thu Oct 15 2015 wr@rosenauer.org
- update to Firefox 41.0.2 (bnc#950686)
* MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669)
Cross-origin restriction bypass using Fetch
- added explicit appdata provides (bnc#949983)
* Sun Oct 04 2015 wr@rosenauer.org
- do not build with --enable-stdcxx-compat
(this starts to fail build on various toolchain combinations
and is not required for openSUSE builds in general
* Thu Oct 01 2015 wr@rosenauer.org
- update to Firefox 41.0.1
* Fix a startup crash related to Yandex toolbar and Adblock Plus
(bmo#1209124)
* Fix potential hangs with Flash plugins (bmo#1185639)
* Fix a regression in the bookmark creation (bmo#1206376)
* Fix a startup crash with some Intel Media Accelerator 3150
graphic cards (bmo#1207665)
* Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
* Sat Sep 19 2015 wr@rosenauer.org
- update to Firefox 41.0 (bnc#947003)
* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
Miscellaneous memory safety hazards
* MFSA 2015-97/CVE-2015-4503 (bmo#994337)
Memory leak in mozTCPSocket to servers
* MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
Out of bounds read in QCMS library with ICC V4 profile attributes
* MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)
Site attribute spoofing on Android by pasting URL with unknown scheme
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
Arbitrary file manipulation by local user through Mozilla updater
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
Crash when using debugger with SavedStacks in JavaScript
* MFSA 2015-103/CVE-2015-4508 (bmo#1195976)
URL spoofing in reader mode
* MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
Use-after-free with shared workers and IndexedDB
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
Use-after-free while manipulating HTML media content
* MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
Out-of-bounds read during 2D canvas display on Linux 16-bit
color depth systems
* MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
Scripted proxies can access inner window
* MFSA 2015-109/CVE-2015-4516 (bmo#904886)
JavaScript immutable property enforcement can be bypassed
* MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
Dragging and dropping images exposes final URL after redirects
* MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
CVE-2015-7180
Vulnerabilities found through code inspection
* MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
bmo#1190526) (Windows only)
Memory safety errors in libGLES in the ANGLE graphics library
* MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)
Information disclosure via the High Resolution Time API
- rebased patches
- removed obsolete patches
* mozilla-arm64-libjpeg-turbo.patch
* Thu Aug 27 2015 wr@rosenauer.org
- update to Firefox 40.0.3 (bnc#943550)
* Disable the asynchronous plugin initialization (bmo#1198590)
* Fix a segmentation fault in the GStreamer support (bmo#1145230)
* Fix a regression with some Japanese fonts used in the <input>
field (bmo#1194055)
* On some sites, the selection in a select combox box using the
mouse could be broken (bmo#1194733)
security fixes
* MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
Use-after-free when resizing canvas element during restyling
* MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
Add-on notification bypass through data URLs
* Fri Aug 07 2015 wr@rosenauer.org
- update to Firefox 40.0 (bnc#940806)
* Added protection against unwanted software downloads
* Suggested Tiles show sites of interest, based on categories
from your recent browsing history
* Hello allows adding a link to conversations to provide context
on what the conversation will be about
* New style for add-on manager based on the in-content
preferences style
* Improved scrolling, graphics, and video playback performance
with off main thread compositing (GNU/Linux only)
* Graphic blocklist mechanism improved: Firefox version ranges
can be specified, limiting the number of devices blocked
security fixes:
* MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
Miscellaneous memory safety hazards
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
Out-of-bounds read with malformed MP3 file
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
Use-after-free in MediaStream playback
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
Overflow issues in libstagefright
* MFSA 2015-84/CVE-2015-4481 (bmo1171518)
Arbitrary file overwriting through Mozilla Maintenance Service
with hard links (only affected Windows)
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
Out-of-bounds write with Updater and malicious MAR file
(does not affect openSUSE RPM packages which do not ship the
updater)
* MFSA 2015-86/CVE-2015-4483 (bmo#1148732)
Feed protocol with POST bypasses mixed content protections
* MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
Crash when using shared memory in JavaScript
* MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
Heap overflow in gdk-pixbuf when scaling bitmap images
* MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
Buffer overflows on Libvpx when decoding WebM video
* MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
Vulnerabilities found through code inspection
* MFSA 2015-91/CVE-2015-4490 (bmo#1086999)
Mozilla Content Security Policy allows for asterisk wildcards
in violation of CSP specification
* MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
Use-after-free in XMLHttpRequest with shared workers
- added mozilla-no-stdcxx-check.patch
- removed obsolete patches
* mozilla-add-glibcxx_use_cxx11_abi.patch
* firefox-multilocale-chrome.patch
- rebased patches
- requires version 40 of the branding package
- removed browser/searchplugins/ location as it's not valid anymore
* Fri Aug 07 2015 wr@rosenauer.org
- security update to Firefox 39.0.3 (bnc#940918)
* MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)
Same origin violation and local file stealing via PDF reader
* Wed Jul 01 2015 wr@rosenauer.org
- update to Firefox 39.0 (bnc#935979)
* Share Hello URLs with social networks
* Support for 'switch' role in ARIA 1.1 (web accessibility)
* SafeBrowsing malware detection lookups enabled for downloads
(Mac OS X and Linux)
* Support for new Unicode 8.0 skin tone emoji
* Removed support for insecure SSLv3 for network communications
* Disable use of RC4 except for temporarily whitelisted hosts
* NPAPI Plug-in performance improved via asynchronous initialization
security fixes:
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
Miscellaneous memory safety hazards
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
Type confusion in Indexed Database Manager
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
Out-of-bound read while computing an oscillator rendering range in Web Audio
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
Use-after-free in Content Policy due to microtask execution error
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
ECDSA signature validation fails to handle some signatures correctly
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
Use-after-free in workers while using XMLHttpRequest
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
Vulnerabilities found through code inspection
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
Key pinning is ignored when overridable errors are encountered
* MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
OS X crash reports may contain entered key press information
(not relevant under Linux)
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
Privilege escalation in PDF.js
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
NSS accepts export-length DHE keys with regular DHE cipher suites
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
NSS incorrectly permits skipping of ServerKeyExchange
(this fix is shipped by NSS 3.19.1 externally)
- dropped mozilla-prefer_plugin_pref.patch as this feature is
likely not worth maintaining further
- rebased patches
- require NSS 3.19.2
* Thu Jun 18 2015 schwab@suse.de
- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
* Sun Jun 07 2015 wr@rosenauer.org
- update to Firefox 38.0.6
* fixes bmo#1171730 which is not really relevant to oS builds
- fix KDE regression from 38.0.5 builds (bsc#933439)
* Sat May 23 2015 wr@rosenauer.org
- update to Firefox 38.0.5
* Keep track of articles and videos with Pocket
* Clean formatting for articles and blog posts with Reader View
* Share the active tab or window in a Hello conversation
- add changes file as source for SRPM (bsc#932142)
* Fri May 15 2015 normand@linux.vnet.ibm.com
- add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from
https://bugzilla.mozilla.org/show_bug.cgi?id=1153109
* Fri May 15 2015 wr@rosenauer.org
- update to Firefox 38.0.1
stability and regression fixes
* Systems with first generation NVidia Optimus graphics cards
may crash on start-up
* Users who import cookies from Google Chrome can end up with
broken websites
* Large animated images may fail to play and may stop other
images from loading
* Sun May 10 2015 wr@rosenauer.org
- update to Firefox 38.0 (bnc#930622)
* New tab-based preferences
* Ruby annotation support
* more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
security fixes:
* MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
Miscellaneous memory safety hazards
* MFSA 2015-47/VE-2015-0797 (bmo#1080995)
Buffer overflow parsing H.264 video with Linux Gstreamer
* MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
Buffer overflow with SVG content and CSS
* MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
Referrer policy ignored when links opened by middle-click and
context menu
* MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
Out-of-bounds read and write in asm.js validation
* MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
Use-after-free during text processing with vertical text enabled
* MFSA 2015-53/CVE-2015-2715 (bmo#988698)
Use-after-free due to Media Decoder Thread creation during shutdown
* MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
Buffer overflow when parsing compressed XML
* MFSA 2015-55/CVE-2015-2717 (bmo#1154683)
Buffer overflow and out-of-bounds read while parsing MP4 video
metadata
* MFSA 2015-56/CVE-2015-2718 (bmo#1146724)
Untrusted site hosting trusted page can intercept webchannel
responses
* MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
Privilege escalation through IPC channel messages
- requires NSS 3.18.1
- removed obsolete patches:
* mozilla-skia-bmo1136958.patch
- remove gnomevfs build options as it is removed from sources
- rebased patches
* Fri Apr 17 2015 wr@rosenauer.org
- update to Firefox 37.0.2 (bnc#928116)
* MFSA 2015-45/CVE-2015-2706 (bmo#1141081)
Memory corruption during failed plugin initialization
* Fri Apr 03 2015 wr@rosenauer.org
- update to Firefox 37.0.1 (bnc#926166)
* MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only)
Loading privileged content through Reader mode
* MFSA 2015-44/CVE-2015-0799 (bmo#1148328)
Certificate verification bypass through the HTTP/2 Alt-Svc header
* Sat Mar 28 2015 wr@rosenauer.org
- update to Firefox 37.0 (bnc#925368)
* Heartbeat user rating system
* Yandex set as default search provider for the Turkish locale
* Bing search now uses HTTPS for secure searching
* Improved protection against site impersonation via OneCRL
centralized certificate revocation
* Opportunistically encrypt HTTP traffic where the server supports
HTTP/2 AltSvc
* some more behaviour changes for TLS
security fixes:
* MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
Miscellaneous memory safety hazards
* MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
Use-after-free when using the Fluendo MP3 GStreamer plugin
* MFSA 2015-32/CVE-2015-0812 (bmo#1128126)
Add-on lightweight theme installation approval bypassed through
MITM attack
* MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
resource:// documents can load privileged pages
* MFSA-2015-34/CVE-2015-0811 (bmo#1132468)
Out of bounds read in QCMS library
* MFSA-2015-35/CVE-2015-0810 (bmo#1125013)
Cursor clickjacking with flash and images (OS X only)
* MFSA-2015-36/CVE-2015-0808 (bmo#1109552)
Incorrect memory management for simple-type arrays in WebRTC
* MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
CORS requests should not follow 30x redirections after preflight
* MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437)
Memory corruption crashes in Off Main Thread Compositing
* MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560)
Use-after-free due to type confusion flaws
* MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
Same-origin bypass through anchor navigation
* MFSA-2015-41/CVE-2015-0800/CVE-2012-2808
PRNG weakness allows for DNS poisoning on Android (only)
* MFSA-2015-42/CVE-2015-0802 (bmo#1124898)
Windows can retain access to privileged content on navigation
to unprivileged pages
- removed obsolete patches
* mozilla-bmo1088588.patch
* mozilla-bmo1108834.patch
- requires NSPR 4.10.8
* Tue Mar 24 2015 dvaleev@suse.com
- Fix builds with skia on Power
mozilla-skia-be-le.patch (patch from #bmo1136958)
mozilla-bmo1108834.patch
mozilla-bmo1005535.patch
* Sat Mar 21 2015 wr@rosenauer.org
- update to Firefox 36.0.4 (bnc#923534)
* MFSA 2015-28/CVE-2015-0818 (bmo#1144988)
Privilege escalation through SVG navigation
* MFSA 2015-29/CVE-2015-0817 (bmo#1145255)
Code execution through incorrect JavaScript bounds checking
elimination
* Fri Mar 20 2015 dimstar@opensuse.org
- Copy the icons to /usr/share/icons instead of symlinking them:
in preparation for containerized apps (e.g. xdg-app) as well as
AppStream metadata extraction, there are a couple locations that
need to be real files for system integration (.desktop files,
icons, mime-type info).
* Sat Mar 07 2015 wr@rosenauer.org
- update to Firefox 36.0.1
Bugfixes:
* Disable the usage of the ANY DNS query type (bmo#1093983)
* Hello may become inactive until restart (bmo#1137469)
* Print preferences may not be preserved (bmo#1136855)
* Hello contact tabs may not be visible (bmo#1137141)
* Accept hostnames that include an underscore character ("_")
(bmo#1136616)
* WebGL may use significant memory with Canvas2d (bmo#1137251)
* Option -remote has been restored (bmo#1080319)
- added mozilla-skia-bmo1136958.patch to fix build issues for
ARM and PPC
* Fri Feb 20 2015 wr@rosenauer.org
- update to Firefox 36.0 (bnc#917597)
* mozilla-xremote-client was removed
* added libclearkey.so media plugin
* Pinned tiles on the new tab page can be synced
* Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
more scalable, and more responsive web.
* Locale added: Uzbek (uz)
security fixes:
* MFSA 2015-11/CVE-2015-0835/CVE-2015-0836
Miscellaneous memory safety hazards
* MFSA 2015-12/CVE-2015-0833 (bmo#945192)
Invoking Mozilla updater will load locally stored DLL files
(Windows only)
* MFSA 2015-13/CVE-2015-0832 (bmo#1065909)
Appended period to hostnames can bypass HPKP and HSTS protections
* MFSA 2015-14/CVE-2015-0830 (bmo#1110488)
Malicious WebGL content crash when writing strings
* MFSA 2015-15/CVE-2015-0834 (bmo#1098314)
TLS TURN and STUN connections silently fail to simple TCP connections
* MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
Use-after-free in IndexedDB
* MFSA 2015-17/CVE-2015-0829 (bmo#1128939)
Buffer overflow in libstagefright during MP4 video playback
* MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675)
Double-free when using non-default memory allocators with a
zero-length XHR
* MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
Out-of-bounds read and write while rendering SVG content
* MFSA 2015-20/CVE-2015-0826 (bmo#1092363)
Buffer overflow during CSS restyling
* MFSA 2015-21/CVE-2015-0825 (bmo#1092370)
Buffer underflow during MP3 playback
* MFSA 2015-22/CVE-2015-0824 (bmo#1095925)
Crash using DrawTarget in Cairo graphics library
* MFSA 2015-23/CVE-2015-0823 (bmo#1098497)
Use-after-free in Developer Console date with OpenType Sanitiser
* MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
Reading of local files through manipulation of form autocomplete
* MFSA 2015-25/CVE-2015-0821 (bmo#1111960)
Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-26/CVE-2015-0819 (bmo#1079554)
UI Tour whitelisted sites in background tab can spoof foreground
tabs
* MFSA 2015-27CVE-2015-0820 (bmo#1125398)
Caja Compiler JavaScript sandbox bypass
- rebased patches
- requires NSS 3.17.4
* Sat Jan 31 2015 wr@rosenauer.org
- update to Firefox 35.0.1
* With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
* Kerberos authentication did not work with alias (bmo#1108971)
* SVG / CSS animation had a regression causing rendering issues on
websites like openstreemap.org (bmo#1083079)
* On Godaddy webmail, Firefox could crash (bmo#1113121)
* document.baseURI did not get updated to document.location after
base tag was removed from DOM for site with a CSP (bmo#1121857)
* With a Right-to-left (RTL) version of Firefox, the text selection
could be broken (bmo#1104036)
* CSP had a change in behavior with regard to case sensitivity
resources loading (bmo#1122445)
* Sat Jan 10 2015 wr@rosenauer.org
- update to Firefox 35.0 (bnc#910669)
notable features:
* Firefox Hello with new rooms-based conversations model
* Implemented HTTP Public Key Pinning Extension (for enhanced
authentication of encrypted connections)
security fixes:
* MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
Miscellaneous memory safety hazards
* MFSA 2015-02/CVE-2014-8637 (bmo#1094536)
Uninitialized memory use during bitmap rendering
* MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
sendBeacon requests lack an Origin header
* MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
Cookie injection through Proxy Authenticate responses
* MFSA 2015-05/CVE-2014-8640 (bmo#1100409)
Read of uninitialized memory in Web Audio
* MFSA 2015-06/CVE-2014-8641 (bmo#1108455)
Read-after-free in WebRTC
* MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only)
Gecko Media Plugin sandbox escape
* MFSA 2015-08/CVE-2014-8642 (bmo#1079658)
Delegated OCSP responder certificates failure with
id-pkix-ocsp-nocheck extension
* MFSA 2015-09/CVE-2014-8636 (bmo#987794)
XrayWrapper bypass through DOM objects
- rebased patches
- dropped explicit support for everything older than 12.3
(including SLES11)
* merge firefox-kde.patch and firefox-kde-114.patch
* dropped mozilla-sle11.patch
- reworked specfile to build conditionally based on release channel
either Firefox or Firefox Developer Edition
- added mozilla-openaes-decl.patch to fix implicit declarations
- obsolete tracker-miner-firefox < 0.15 because it leads to startup
crashes (bnc#908892)
* Sat Dec 13 2014 ledest@gmail.com
- fix bashism in mozilla.sh script
* Sat Nov 29 2014 wr@rosenauer.org
- update to Firefox 34.0.5 (bnc#908009)
* Default search engine changed to Yahoo! for North America
* Default search engine changed to Yandex for Belarusian, Kazakh,
and Russian locales
* Improved search bar (en-US only)
* Firefox Hello real-time communication client
* Easily switch themes/personas directly in the Customizing mode
* Implementation of HTTP/2 (draft14) and ALPN
* Disabled SSLv3
* MFSA 2014-83/CVE-2014-1587/CVE-2014-1588
Miscellaneous memory safety hazards
* MFSA 2014-84/CVE-2014-1589 (bmo#1043787)
XBL bindings accessible via improper CSS declarations
* MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
XMLHttpRequest crashes with some input streams
* MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
CSP leaks redirect data via violation reports
* MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
Use-after-free during HTML5 parsing
* MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
Buffer overflow while parsing media content
* MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
Bad casting from the BasicThebesLayer to BasicContainerLayer
- rebased patches
- limit linker memory usage for %ix86
- rebased patches
* Fri Nov 07 2014 wr@rosenauer.org
- update to Firefox 33.1
* Adding DuckDuckGo as a search option (upstream)
* Forget Button added
* Enhanced Tiles
* Privacy tour introduced
- fix typo in GStreamer Recommends
* Tue Nov 04 2014 guillaume@opensuse.org
- Disable elf-hack for aarch64
- Enable EGL for aarch64
- Limit RAM usage during link for %arm
- Fix _constraints for ARM
* Mon Nov 03 2014 dmueller@suse.com
- use proper macros for ARM
* Mon Nov 03 2014 josua.mayer97@gmail.com
- use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too
to fix compiling.
- pass '-Wl,--no-keep-memory' to linker to reduce required memory during
linking on arm.
* Thu Oct 30 2014 wr@rosenauer.org
- update to Firefox 33.0.2
* Fix a startup crash with some combination of hardware and drivers
33.0.1
* Firefox displays a black screen at start-up with certain
graphics drivers
- adjusted _constraints for ARM
* Tue Oct 28 2014 josua.mayer97@gmail.com
- added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
* Sat Oct 25 2014 wr@rosenauer.org
- define /usr/share/myspell as additional dictionary location
and remove add-plugins.sh finally (bnc#900639)
* Sun Oct 19 2014 vindex17@outlook.it
- use Firefox default optimization flags instead of -Os
- specfile cleanup
* Wed Oct 15 2014 wr@rosenauer.org
- fix build for all ppc by not enabling elf-hack
(bnc#901213)
/usr/lib/firefox
Generated by rpm2html 1.8.1
Fabrice Bellet, Sun Mar 9 13:55:41 2025