Mon Jan 23 13:00:00 2017 wrAATTrosenauer.org - update to Firefox 45.7.0esr (boo#1021991)
Sun Jan 8 13:00:00 2017 wrAATTrosenauer.org - update to Firefox 45.6.0esr (boo#1015422)
* MFSA 2016-95
  CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements (bmo#1317409)
  CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
  CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
  CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees (bmo#1314442)
  CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs (bmo#1319122)
  CVE-2016-9904: Cross-origin information leak in shared atoms (bmo#1317936)
  CVE-2016-9905: Crash in EnumerateSubDocuments (bmo#1293985)
  CVE-2016-9901: Data from Pocket server improperly sanitized before execution (bmo#1320057)
  CVE-2016-9902: Pocket extension does not validate the origin of events (bmo#1320039)
  CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
- update to Firefox 45.5.1esr
* MFSA 2016-92
  CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
- update to Firefox 45.5.0esr (boo#1009026)
* MFSA 2016-90
  CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443)
  CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink (Windows only) (bmo#1246945)
  CVE-2016-5294: Arbitrary target directory for result files of update process (Windows only) (bmo#1246972)
  CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678)
  CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418)
  CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686)
  CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) - fixed in mozilla-nss >= 3.26.1
  CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
Wed Oct 26 14:00:00 2016 wrAATTrosenauer.org - add mozilla-binutils-visibility.patch to fix build on 42.2
* MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381) Buffer overflow in libstagefright with CENC offsets
* MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386) Write to invalid HashMap entry through JavaScript.watch()
Thu Apr 21 14:00:00 2016 badshah400AATTgmail.com - Update mozilla-gtk3_20.patch to fix scrollbar appearance under gtk >= 3.20 (patch synced to Fedora's version).
Tue Apr 12 14:00:00 2016 badshah400AATTgmail.com - Compile against gtk3 depending on whether the macro %firefox_use_gtk3 is defined or not (e.g., at the prjconf level); macro is undefined by default and so gtk2 is used as the default toolkit.
- Add BuildRequires for additional packages needed when building against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0), pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).
- Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20; patch taken from Fedora (bmo#1230955).
Mon Apr 11 14:00:00 2016 astiegerAATTsuse.com - Mozilla Firefox 45.0.2:
* Fix an issue impacting the cookie header when third-party cookies are blocked (bmo#1257861)
* Fix a web compatibility regression impacting the srcset attribute of the image tag (bmo#1259482)
* Fix a crash impacting the video playback with Media Source Extension (bmo#1258562)
* Fix a regression impacting some specific uploads (bmo#1255735)
* Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (bmo#1254980)
Fri Mar 18 13:00:00 2016 astiegerAATTsuse.com - Mozilla Firefox 45.0.1:
* Fix a regression causing search engine settings to be lost in some context (bmo#1254694)
* Bring back non-standard jar: URIs to fix a regression in IBM iNotes (bmo#1255139)
* XSLTProcessor.importStylesheet was failing when was used (bmo#1249572)
* Fix an issue which could cause the list of search provider to be empty (bmo#1255605)
* Fix a regression when using the location bar (bmo#1254503)
* Fix some loading issues when Accept third-party cookies: was set to Never (bmo#1254856)
* Disabled Graphite font shaping library
Sun Mar 6 13:00:00 2016 wrAATTrosenauer.org - update to Firefox 45.0 (boo#969894)
* requires NSPR 4.12 / NSS 3.21.1
* Instant browser tab sharing through Hello
* Synced Tabs button in button bar
* Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching
* Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file overwriting and potential privilege escalation through CSP reports
* MFSA 2016-18/CVE-2016-1955 (bmo#1208946) CSP reports fail to strip location information for embedded iframe pages
* MFSA 2016-19/CVE-2016-1956 (bmo#1199923) Linux video memory DOS with Intel drivers
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in libstagefright when deleting an array during MP4 processing
* MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page address can be overridden
* MFSA 2016-22/CVE-2016-1959 (bmo#1234949) Service Worker Manager out-of-bounds read in Service Worker Manager
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962 (bmo#1240760) Use-after-free when using multiple WebRTC data channels
* MFSA 2016-26/CVE-2016-1963 (bmo#1238440) Memory corruption when modifying a file being read by FileReader
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335) Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965 (bmo#1245264) Addressbar spoofing through history navigation and Location protocol property
* MFSA 2016-29/CVE-2016-1967 (bmo#1246956) Same-origin policy violation using performance.getEntries and history navigation with session restore
* MFSA 2016-30/CVE-2016-1968 (bmo#1246742) Buffer overflow in Brotli decompression
* MFSA 2016-31/CVE-2016-1966 (bmo#1246054) Memory corruption with malicious NPAPI plugin
* MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/CVE-2016-1976/CVE-2016-1972 WebRTC and LibVPX vulnerabilities found through code inspection
* MFSA 2016-33/CVE-2016-1973 (bmo#1219339) Use-after-free in GetStaticInstance in WebRTC
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103) Out-of-bounds read in HTML parser following a failed allocation
* MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow during ASN.1 decoding in NSS (fixed by requiring 3.21.1)
* MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free during processing of DER encoded keys in NSS (fixed by requiring 3.21.1)
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font vulnerabilities in the Graphite 2 library
Sat Mar 5 13:00:00 2016 olafAATTaepfle.de - Remove B_CNT from symbols.zip filename to reduce build-compare noise
Fri Feb 26 13:00:00 2016 astiegerAATTsuse.com - fix build problems on i586, caused by too large unified compile units - adding mozilla-reduce-files-per-UnifiedBindings.patch
Thu Feb 11 13:00:00 2016 wrAATTrosenauer.org - update to Firefox 44.0.2
* MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438) Same-origin-policy violation using Service Workers with plugins
* Fix issue which could lead to the removal of stored passwords under certain circumstances (bmo#1242176)
* Allows spaces in cookie names (bmo#1244505)
* Disable opus/vorbis audio with H.264 (bmo#1245696)
* Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
* Fix a crash in cache networking (bmo#1244076)
* Fix using WebSockets in service worker controlled pages (bmo#1243942)
Sat Jan 30 13:00:00 2016 dmuellerAATTsuse.com - build fixes for arm/aarch64:
* disable webrtc for arm/aarch64
* switch away from openGL-ES backend to default for arm/aarch64 since it almost never builds
* reenable neon
- reenable webrtc for powerpc as it seems to build
Sun Jan 24 13:00:00 2016 wrAATTrosenauer.org - update to Firefox 44.0
Mon Jan 11 13:00:00 2016 astiegerAATTsuse.com - Mozilla Firefox 43.0.4:
* Re-enable SHA-1 certificates to prevent outdated man-in-the-middle security devices from interfering with properly secured SSL/TLS connections (bmo#1236975)
* Fix for startup crash for users of a third party antivirus tool (bmo#1235537)
- The following change was previously in the package as a patch:
* Multi-user GNU/Linux download folders can be created (bmo#1233434), removed mozilla-bmo1233434.patch
Tue Dec 29 13:00:00 2015 wrAATTrosenauer.org - update to Firefox 43.0.3
* requires NSS 3.20.2 to fix MFSA 2015-150/CVE-2015-7575 (bmo#1158489) MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
* various changes to support Windows update (SHA-1 vs. SHA-2)
* workaround Youtube user agent detection issue (bmo#1233970)
- fix file download regression for multi user systems (bmo#1233434) (mozilla-bmo1233434.patch)
- explicitly requires libXcomposite-devel
Sun Dec 13 13:00:00 2015 wrAATTrosenauer.org - update to Firefox 43.0 (bnc#959277)
* Improved API support for m4v video playback
* Users can opt-in to receive search suggestions from the Awesome Bar
* WebRTC streaming on multiple monitors
* User selectable second block list for Private Browsing's Tracking Protection
security fixes:
* MFSA 2015-135/CVE-2015-7204 (bmo#1216130) Crash with JavaScript variable assignment with unboxed objects
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin policy violation using performance.getEntries and history navigation
* MFSA 2015-137/CVE-2015-7208 (bmo#1191423) Firefox allows for control characters to be set in cookies
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326) Use-after-free in WebRTC when datachannel is used after being destroyed
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809) Integer overflow allocating extremely large textures
* MFSA 2015-140/CVE-2015-7215 (bmo#1160890) Cross-origin information leak through web workers error events
* MFSA 2015-141/CVE-2015-7211 (bmo#1221444) Hash in data URI is incorrectly parsed
* MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) DOS due to malformed frames in HTTP/2
* MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) Linux file chooser crashes on malformed images due to flaws in Jasper library
* MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221 (bmo#1201183, bmo#1178033, bmo#1199400) Buffer overflows found through code inspection
* MFSA 2015-145/CVE-2015-7205 (bmo#1220493) Underflow through code inspection
* MFSA 2015-146/CVE-2015-7213 (bmo#1206211) Integer overflow in MP4 playback in 64-bit versions
* MFSA 2015-147/CVE-2015-7222 (bmo#1216748) Integer underflow and buffer overflow processing MP4 metadata in libstagefright
* MFSA 2015-148/CVE-2015-7223 (bmo#1226423) Privilege escalation vulnerabilities in WebExtension APIs
* MFSA 2015-149/CVE-2015-7214 (bmo#1228950) Cross-site reading attack through data and view-source URIs
- rebased patches
Sun Nov 15 13:00:00 2015 wrAATTrosenauer.org - Add desktop menu action for private browsing window to desktop file (boo#954747)
- remove obsolete patch mozilla-bmo1005535.patch completely from source package to avoid automatic check failures
Sat Oct 31 13:00:00 2015 wrAATTrosenauer.org - update to Firefox 42.0 (bnc#952810)
* Private Browsing with Tracking Protection blocks certain Web elements that could be used to record your behavior across sites
* Control Center that contains site security and privacy controls
* Login Manager improvements
* WebRTC improvements
* Indicator added to tabs that play audio with one-click muting
* Media Source Extension for HTML5 video available for all sites
security fixes:
Sun Oct 4 14:00:00 2015 wrAATTrosenauer.org - do not build with --enable-stdcxx-compat (this starts to fail build on various toolchain combinations and is not required for openSUSE builds in general)
Thu Oct 1 14:00:00 2015 wrAATTrosenauer.org - update to Firefox 41.0.1
* Fix a startup crash related to Yandex toolbar and Adblock Plus (bmo#1209124)
* Fix potential hangs with Flash plugins (bmo#1185639)
* Fix a regression in the bookmark creation (bmo#1206376)
* Fix a startup crash with some Intel Media Accelerator 3150 graphic cards (bmo#1207665)
* Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
Sat Sep 19 14:00:00 2015 wrAATTrosenauer.org - update to Firefox 41.0 (bnc#947003)
* MFSA 2015-97/CVE-2015-4503 (bmo#994337) Memory leak in mozTCPSocket to servers
* MFSA 2015-98/CVE-2015-4504 (bmo#1132467) Out of bounds read in QCMS library with ICC V4 profile attributes
* MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only) Site attribute spoofing on Android by pasting URL with unknown scheme
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) Arbitrary file manipulation by local user through Mozilla updater
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226) Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-102/CVE-2015-4507 (bmo#1192401) Crash when using debugger with SavedStacks in JavaScript
* MFSA 2015-103/CVE-2015-4508 (bmo#1195976) URL spoofing in reader mode
* MFSA 2015-104/CVE-2015-4510 (bmo#1200004) Use-after-free with shared workers and IndexedDB
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148) Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435) Use-after-free while manipulating HTML media content
* MFSA 2015-107/CVE-2015-4512 (bmo#1170390) Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
* MFSA 2015-108/CVE-2015-4502 (bmo#1105045) Scripted proxies can access inner window
* MFSA 2015-109/CVE-2015-4516 (bmo#904886) JavaScript immutable property enforcement can be bypassed
* MFSA 2015-110/CVE-2015-4519 (bmo#1189814) Dragging and dropping images exposes final URL after redirects
* MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869) Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/CVE-2015-7180 Vulnerabilities found through code inspection
* MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860, bmo#1190526) (Windows only) Memory safety errors in libGLES in the ANGLE graphics library
* MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only) Information disclosure via the High Resolution Time API
- rebased patches
- removed obsolete patches
* mozilla-arm64-libjpeg-turbo.patch
Thu Aug 27 14:00:00 2015 wrAATTrosenauer.org - update to Firefox 40.0.3 (bnc#943550)
* Disable the asynchronous plugin initialization (bmo#1198590)
* Fix a segmentation fault in the GStreamer support (bmo#1145230)
* Fix a regression with some Japanese fonts used in the field (bmo#1194055)
* On some sites, the selection in a select combo box using the mouse could be broken (bmo#1194733)
security fixes:
* MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278) Use-after-free when resizing canvas element during restyling
* MFSA 2015-95/CVE-2015-4498 (bmo#1042699) Add-on notification bypass through data URLs
Fri Aug 7 14:00:00 2015 wrAATTrosenauer.org - update to Firefox 40.0 (bnc#940806)
* Added protection against unwanted software downloads
* Suggested Tiles show sites of interest, based on categories from your recent browsing history
* Hello allows adding a link to conversations to provide context on what the conversation will be about
* New style for add-on manager based on the in-content preferences style
* Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only)
* Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked
security fixes:
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream playback
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright
* MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows)
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file (does not affect openSUSE RPM packages which do not ship the updater)
* MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol with POST bypasses mixed content protections
* MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript
* MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images
* MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video
* MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection
* MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
* MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers
- added mozilla-no-stdcxx-check.patch
- removed obsolete patches
* mozilla-add-glibcxx_use_cxx11_abi.patch
* firefox-multilocale-chrome.patch
- rebased patches
- requires version 40 of the branding package
- removed browser/searchplugins/ location as it's not valid anymore
Fri Aug 7 14:00:00 2015 wrAATTrosenauer.org - security update to Firefox 39.0.3 (bnc#940918)
* MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) Same origin violation and local file stealing via PDF reader
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422) Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210) Type confusion in Indexed Database Manager
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218) Out-of-bound read while computing an oscillator rendering range in Web Audio
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891) Use-after-free in Content Policy due to microtask execution error
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025) ECDSA signature validation fails to handle some signatures correctly (this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867) Use-after-free in workers while using XMLHttpRequest
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737/CVE-2015-2738/CVE-2015-2739/CVE-2015-2740 Vulnerabilities found through code inspection
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497) Key pinning is ignored when overridable errors are encountered
* MFSA 2015-68/CVE-2015-2742 (bmo#1138669) OS X crash reports may contain entered key press information (not relevant under Linux)
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109) Privilege escalation in PDF.js
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554) NSS accepts export-length DHE keys with regular DHE cipher suites (this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-71/CVE-2015-2721 (bmo#1086145) NSS incorrectly permits skipping of ServerKeyExchange (this fix is shipped by NSS 3.19.1 externally)
- dropped mozilla-prefer_plugin_pref.patch as this feature is likely not worth maintaining further
- rebased patches
- require NSS 3.19.2
* MFSA 2015-33/CVE-2015-0816 (bmo#1144991) resource:// documents can load privileged pages
* MFSA-2015-34/CVE-2015-0811 (bmo#1132468) Out of bounds read in QCMS library
* MFSA-2015-35/CVE-2015-0810 (bmo#1125013) Cursor clickjacking with flash and images (OS X only)
* MFSA-2015-36/CVE-2015-0808 (bmo#1109552) Incorrect memory management for simple-type arrays in WebRTC
* MFSA-2015-37/CVE-2015-0807 (bmo#1111834) CORS requests should not follow 30x redirections after preflight
* MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437) Memory corruption crashes in Off Main Thread Compositing
* MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560) Use-after-free due to type confusion flaws
* MFSA-2015-40/CVE-2015-0801 (bmo#1146339) Same-origin bypass through anchor navigation
* MFSA-2015-41/CVE-2015-0800/CVE-2012-2808 PRNG weakness allows for DNS poisoning on Android (only)
* MFSA-2015-42/CVE-2015-0802 (bmo#1124898) Windows can retain access to privileged content on navigation to unprivileged pages
- removed obsolete patches
* mozilla-bmo1088588.patch
* mozilla-bmo1108834.patch
- requires NSPR 4.10.8
Tue Mar 24 13:00:00 2015 dvaleevAATTsuse.com - Fix builds with skia on Power mozilla-skia-be-le.patch (patch from #bmo1136958) mozilla-bmo1108834.patch mozilla-bmo1005535.patch
Sat Mar 21 13:00:00 2015 wrAATTrosenauer.org - update to Firefox 36.0.4 (bnc#923534)
* MFSA 2015-28/CVE-2015-0818 (bmo#1144988) Privilege escalation through SVG navigation
Fri Mar 20 13:00:00 2015 dimstarAATTopensuse.org - Copy the icons to /usr/share/icons instead of symlinking them: in preparation for containerized apps (e.g. xdg-app) as well as AppStream metadata extraction, there are a couple locations that need to be real files for system integration (.desktop files, icons, mime-type info).
Sat Mar 7 13:00:00 2015 wrAATTrosenauer.org - update to Firefox 36.0.1
Bugfixes:
* Disable the usage of the ANY DNS query type (bmo#1093983)
* Hello may become inactive until restart (bmo#1137469)
* Print preferences may not be preserved (bmo#1136855)
* Hello contact tabs may not be visible (bmo#1137141)
* Accept hostnames that include an underscore character ("_") (bmo#1136616)
* WebGL may use significant memory with Canvas2d (bmo#1137251)
* Option -remote has been restored (bmo#1080319)
- added mozilla-skia-bmo1136958.patch to fix build issues for ARM and PPC
Fri Feb 20 13:00:00 2015 wrAATTrosenauer.org - update to Firefox 36.0 (bnc#917597)
* mozilla-xremote-client was removed
* added libclearkey.so media plugin
* Pinned tiles on the new tab page can be synced
* Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web.
* MFSA 2015-09/CVE-2014-8636 (bmo#987794) XrayWrapper bypass through DOM objects
- rebased patches
- dropped explicit support for everything older than 12.3 (including SLES11)
* merge firefox-kde.patch and firefox-kde-114.patch
* dropped mozilla-sle11.patch
- reworked specfile to build conditionally based on release channel either Firefox or Firefox Developer Edition
- added mozilla-openaes-decl.patch to fix implicit declarations
- obsolete tracker-miner-firefox < 0.15 because it leads to startup crashes (bnc#908892)
Sat Dec 13 13:00:00 2014 Led - fix bashism in mozilla.sh script
Sat Nov 29 13:00:00 2014 wrAATTrosenauer.org - update to Firefox 34.0.5 (bnc#908009)
* Default search engine changed to Yahoo! for North America
* Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales
* Improved search bar (en-US only)
* Firefox Hello real-time communication client
* Easily switch themes/personas directly in the Customizing mode
* MFSA 2014-85/CVE-2014-1590 (bmo#1087633) XMLHttpRequest crashes with some input streams
* MFSA 2014-86/CVE-2014-1591 (bmo#1069762) CSP leaks redirect data via violation reports
* MFSA 2014-87/CVE-2014-1592 (bmo#1088635) Use-after-free during HTML5 parsing
* MFSA 2014-88/CVE-2014-1593 (bmo#1085175) Buffer overflow while parsing media content
* MFSA 2014-89/CVE-2014-1594 (bmo#1074280) Bad casting from the BasicThebesLayer to BasicContainerLayer
- rebased patches
- limit linker memory usage for %ix86
- rebased patches
Fri Nov 7 13:00:00 2014 wrAATTrosenauer.org - update to Firefox 33.1
* Adding DuckDuckGo as a search option (upstream)
* Forget Button added
* Enhanced Tiles
* Privacy tour introduced
- fix typo in GStreamer Recommends
Tue Nov 4 13:00:00 2014 guillaumeAATTopensuse.org - Disable elf-hack for aarch64
- Enable EGL for aarch64
- Limit RAM usage during link for %arm
- Fix _constraints for ARM
Mon Nov 3 13:00:00 2014 dmuellerAATTsuse.com - use proper macros for ARM
Mon Nov 3 13:00:00 2014 josua.mayer97AATTgmail.com - use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too to fix compiling.
- pass '-Wl,--no-keep-memory' to linker to reduce required memory during linking on arm.
Thu Oct 30 13:00:00 2014 wrAATTrosenauer.org - update to Firefox 33.0.2
* Fix a startup crash with some combination of hardware and drivers
33.0.1
* Firefox displays a black screen at start-up with certain graphics drivers
- adjusted _constraints for ARM
Tue Oct 28 13:00:00 2014 josua.mayer97AATTgmail.com - added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
Sat Oct 25 14:00:00 2014 wrAATTrosenauer.org - define /usr/share/myspell as additional dictionary location and remove add-plugins.sh finally (bnc#900639)
Sun Oct 19 14:00:00 2014 vindex17AATToutlook.it - use Firefox default optimization flags instead of -Os
- specfile cleanup
Wed Oct 15 14:00:00 2014 wrAATTrosenauer.org - fix build for all ppc by not enabling elf-hack (bnc#901213)
Sat Oct 11 14:00:00 2014 wrAATTrosenauer.org - update to Firefox 33.0 (bnc#900941)
New features:
* OpenH264 support (sandboxed)
* Enhanced Tiles
* Improved search experience through the location bar
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe
* MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps)
- requires NSPR 4.10.7
- requires NSS 3.17.1
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-libproxy-compat.patch
- added basic appdata information
Sat Sep 20 14:00:00 2014 wrAATTrosenauer.org - update to Firefox 32.0.2
* just a version bump for our builds
* fixed the in application update process for certain environments (in application update is not enabled in openSUSE and Linux is unaffected in any case)
- build with --disable-optimize for 13.1 and above for i586 to workaround miscompilations (bnc#896624)
- use some more build flags to align with upstream
Sat Sep 13 14:00:00 2014 wrAATTrosenauer.org - update to Firefox 32.0.1
* fixed stability issues for computers with multiple graphics cards
* mixed content icon may be incorrectly displayed instead of lock icon for SSL sites in 32.0 (
* WebRTC: setRemoteDescription() silently fails if no success callback is specified (bmo#1063971)
Sun Aug 31 14:00:00 2014 wrAATTrosenauer.org - update to Firefox 32.0 (bnc#894370)
* MFSA 2014-63/CVE-2014-1544 (bmo#963150) Use-after-free while manipulating certificates in the trusted cache (solved with NSS 3.16.2 requirement)
* MFSA 2014-64/CVE-2014-1557 (bmo#913805) Crash in Skia library when scaling high quality images
* MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560 (bmo#1015973, bmo#1026022, bmo#997795) Certificate parsing broken by non-standard character encoding
* MFSA 2014-66/CVE-2014-1552 (bmo#985135) IFRAME sandbox same-origin access through redirect
- use EGL on ARM
- rebased patches
- requires NSS 3.16.2
- requires python-devel (not only python)
Mon Jun 9 14:00:00 2014 wrAATTrosenauer.org - update to Firefox 30.0 (bnc#881874)
* MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538 (bmo#989994, bmo#999274, bmo#1005584) Use-after-free and out of bounds issues found using Address Sanitizer
* MFSA 2014-50/CVE-2014-1539 (bmo#995603) Clickjacking through cursor invisibility after Flash interaction
* MFSA 2014-51/CVE-2014-1540 (bmo#978862) Use-after-free in Event Listener Manager
* MFSA 2014-52/CVE-2014-1541 (bmo#1000185) Use-after-free with SMIL Animation Controller
* MFSA 2014-53/CVE-2014-1542 (bmo#991533) Buffer overflow in Web Audio Speex resampler
* MFSA 2014-54/CVE-2014-1543 (bmo#1011859) Buffer overflow in Gamepad API
* MFSA 2014-55/CVE-2014-1545 (bmo#1018783) Out of bounds write in NSPR
- rebased patches
- removed obsolete patches
* firefox-browser-css.patch
* mozilla-aarch64-bmo-962488.patch
* mozilla-aarch64-bmo-963023.patch
* mozilla-aarch64-bmo-963024.patch
* mozilla-aarch64-bmo-963027.patch
* mozilla-ppc64-xpcom.patch
* mozilla-ppc64le-javascript.patch
* mozilla-ppc64le-libffi.patch
* mozilla-ppc64le-mfbt.patch
* mozilla-ppc64le-webrtc.patch
* mozilla-ppc64le-xpcom.patch
* mozilla-ppc64le-build.patch
- requires NSPR 4.10.6
- enabled GStreamer 1.0 usage for 13.2 and above
Sat May 10 14:00:00 2014 wrAATTrosenauer.org - update to Firefox 29.0.1
* Seer disabled by default (bmo#1005958)
* Session Restore failed with a corrupted sessionstore.js file (bmo#1001167)
* pdf.js printing white page (bmo#1003707, bnc#876833)
- general.useragent.locale gets overwritten with en-US while it should be using the active langpack's setting
Sat Apr 26 14:00:00 2014 wrAATTrosenauer.org - update to Firefox 29.0 (bnc#875378)
Mon Feb 17 13:00:00 2014 wrAATTrosenauer.org - update to Firefox 27.0.1
* Fixed stability issues with Greasemonkey and other JS that used ClearTimeoutOrInterval
* JS math correctness issue (bmo#941381)
- incorporate Google API key for geolocation (bnc#864170)
- updated list of "other" locales in RPM requirements
Tue Jan 28 13:00:00 2014 wrAATTrosenauer.org - update to Firefox 27.0 (bnc#861847)
* MFSA 2013-111/CVE-2013-6671 (bmo#930281) Segmentation violation when replacing ordered list elements
* MFSA 2013-112/CVE-2013-6672 (bmo#894736) Linux clipboard information disclosure through selection paste
* MFSA 2013-113/CVE-2013-6673 (bmo#970380) Trust settings for built-in roots ignored during EV certificate validation
* MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449) Use-after-free in synthetic mouse movement
* MFSA 2013-115/CVE-2013-5615 (bmo#929261) GetElementIC typed array stubs can be generated outside observed typesets
* MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693) JPEG information leak
* MFSA 2013-117 (bmo#946351) Mis-issued ANSSI/DCSSI certificate (fixed via NSS 3.15.3.1)
- removed gecko.js preference file as GStreamer is enabled by default now
Thu Oct 24 14:00:00 2013 wrAATTrosenauer.org - update to Firefox 25.0 (bnc#847708)
* MFSA 2013-94/CVE-2013-5593 (bmo#868327) Spoofing addressbar through SELECT element
* MFSA 2013-95/CVE-2013-5604 (bmo#914017) Access violation with XSLT and uninitialized data
* MFSA 2013-96/CVE-2013-5595 (bmo#916580) Improperly initialized memory and overflows in some JavaScript functions
* MFSA 2013-97/CVE-2013-5596 (bmo#910881) Writing to cycle collected object during image decoding
* MFSA 2013-98/CVE-2013-5597 (bmo#918864) Use-after-free when updating offline cache
* MFSA 2013-99/CVE-2013-5598 (bmo#920515) Security bypass of PDF.js checks using iframes
* MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601 (bmo#915210, bmo#915576, bmo#916685) Miscellaneous use-after-free issues found through ASAN fuzzing
* MFSA 2013-101/CVE-2013-5602 (bmo#897678) Memory corruption in workers
* MFSA 2013-102/CVE-2013-5603 (bmo#916404) Use-after-free in HTML document templates
Tue Sep 24 14:00:00 2013 wrAATTrosenauer.org - as GStreamer is not automatically required anymore but loaded dynamically if available, require it explicitly
- recommend optional GStreamer plugins for comprehensive media support
Mon Sep 16 14:00:00 2013 lnusselAATTsuse.de - move greek to the translations-common package (bnc#840551)
Sat Sep 14 14:00:00 2013 wrAATTrosenauer.org - update to Firefox 24.0 (bnc#840485)
* MFSA 2013-22/CVE-2013-0772 (bmo#801366) Out-of-bounds read in image rendering
* MFSA 2013-23/CVE-2013-0765 (bmo#830614) Wrapped WebIDL objects can be wrapped again
* MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers
* MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers
* MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent
* MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy
* MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/CVE-2013-0778/CVE-2013-0779/CVE-2013-0781 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
- removed obsolete patches
* mozilla-webrtc.patch
* mozilla-gstreamer-803287.patch
- added patch to fix session restore window order (bmo#712763)
Sat Feb 2 13:00:00 2013 wrAATTrosenauer.org - update to Firefox 18.0.2
* blocklist and CTP updates
* fixes in JS engine
Wed Jan 16 13:00:00 2013 wrAATTrosenauer.org - update to Firefox 18.0.1
* MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767/CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829 Use-after-free and buffer overflow issues found using Address Sanitizer
* MFSA 2013-03/CVE-2013-0768 (bmo#815795) Buffer Overflow in Canvas
* MFSA 2013-04/CVE-2012-0759 (bmo#802026) URL spoofing in addressbar during page loads
* MFSA 2013-05/CVE-2013-0744 (bmo#814713) Use-after-free when displaying table with many columns and column groups
* MFSA 2013-06/CVE-2013-0751 (bmo#790454) Touch events are shared across iframes
* MFSA 2013-07/CVE-2013-0764 (bmo#804237) Crash due to handling of SSL on threads
* MFSA 2013-08/CVE-2013-0745 (bmo#794158) AutoWrapperChanger fails to keep objects alive during garbage collection
* MFSA 2013-09/CVE-2013-0746 (bmo#816842) Compartment mismatch with quickstubs returned values
* MFSA 2013-10/CVE-2013-0747 (bmo#733305) Event manipulation in plugin handler to bypass same-origin policy
* MFSA 2013-11/CVE-2013-0748 (bmo#806031) Address space layout leaked in XBL objects
* MFSA 2013-12/CVE-2013-0750 (bmo#805121) Buffer overflow in Javascript string concatenation
* MFSA 2013-13/CVE-2013-0752 (bmo#805024) Memory corruption in XBL with XML bindings containing SVG
* MFSA 2012-94/CVE-2012-5836 (bmo#792857) Crash when combining SVG text on path with CSS
* MFSA 2012-95/CVE-2012-4203 (bmo#765628) Javascript: URLs run in privileged context on New Tab page
* MFSA 2012-96/CVE-2012-4204 (bmo#778603) Memory corruption in str_unescape
* MFSA 2012-97/CVE-2012-4205 (bmo#779821) XMLHttpRequest inherits incorrect principal within sandbox
* MFSA 2012-99/CVE-2012-4208 (bmo#798264) XrayWrappers exposes chrome-only properties when not in chrome compartment
* MFSA 2012-100/CVE-2012-5841 (bmo#805807) Improper security filtering for cross-origin wrappers
* MFSA 2012-101/CVE-2012-4207 (bmo#801681) Improper character decoding in HZ-GB-2312 charset
* MFSA 2012-102/CVE-2012-5837 (bmo#800363) Script entered into Developer Toolbar runs with chrome privileges
* MFSA 2012-103/CVE-2012-4209 (bmo#792405) Frames can shadow top.location
* MFSA 2012-104/CVE-2012-4210 (bmo#796866) CSS and HTML injection through Style Inspector
* MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/CVE-2012-4213/CVE-2012-4217/CVE-2012-4218 Use-after-free and buffer overflow issues found using Address Sanitizer
* MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer - rebased patches - disabled WebRTC since build is broken (bmo#776877)
Tue Nov 20 13:00:00 2012 pcernyAATTsuse.com - build on SLE11
* mozilla-gcc43-enums.patch
* mozilla-gcc43-template_hacks.patch
* mozilla-gcc43-templates_instantiation.patch
Wed Oct 24 14:00:00 2012 wrAATTrosenauer.org - update to Firefox 16.0.2 (bnc#786522)
* MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196 (bmo#800666, bmo#793121, bmo#802557) Fixes for Location object issues - bring back Obsoletes for libproxy's mozjs plugin for distributions before 12.2 to avoid crashes
Thu Oct 11 14:00:00 2012 wrAATTrosenauer.org - update to Firefox 16.0.1 (bnc#783533)
* MFSA 2012-75/CVE-2012-3984 (bmo#575294) select element persistence allows for attacks
* MFSA 2012-76/CVE-2012-3985 (bmo#655649) Continued access to initial origin after setting document.domain
* MFSA 2012-77/CVE-2012-3986 (bmo#775868) Some DOMWindowUtils methods bypass security checks
* MFSA 2012-79/CVE-2012-3988 (bmo#725770) DOS and crash with full screen and history navigation
* MFSA 2012-80/CVE-2012-3989 (bmo#783867) Crash with invalid cast when using instanceof operator
* MFSA 2012-81/CVE-2012-3991 (bmo#783260) GetProperty function can bypass security checks
* MFSA 2012-82/CVE-2012-3994 (bmo#765527) top object and location property accessible by plugins
* MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370) Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
* MFSA 2012-84/CVE-2012-3992 (bmo#775009) Spoofing and script injection through location.hash
* MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/CVE-2012-4181/CVE-2012-4182/CVE-2012-4183 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
* MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/CVE-2012-4188 Heap memory corruption issues found using Address Sanitizer
* MFSA 2012-87/CVE-2012-3990 (bmo#787704) Use-after-free in the IME State Manager - requires NSPR 4.9.2 - improve GStreamer integration (bmo#760140) - removed upstreamed mozilla-crashreporter-restart-args.patch - webapprt now included - use kmozillahelper's new REVEAL command (bnc#777415) (requires mozilla-kde4-integration >= 0.6.4) - updated translations-other with new languages
* MFSA 2012-72/CVE-2012-3980 (bmo#771859) Web console eval capable of executing chrome-privileged code - fix HTML5 video crash with GStreamer enabled (bmo#761030) - GStreamer is only used for MP4 (no WebM, OGG) - updated filelist - moved browser specific preferences to correct location
Sun Jul 29 14:00:00 2012 ajAATTsuse.de - Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16)
Sat Jul 14 14:00:00 2012 wrAATTrosenauer.org - update to 14.0.1 (bnc#771583)
* MFSA 2012-25/CVE-2012-0472 (bmo#744480) Potential memory corruption during font rendering using cairo-dwrite
* MFSA 2012-26/CVE-2012-0473 (bmo#743475) WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
* MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) Page load short-circuit can lead to XSS
* MFSA 2012-28/CVE-2012-0475 (bmo#694576) Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
* MFSA 2012-29/CVE-2012-0477 (bmo#718573) Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
* MFSA 2012-30/CVE-2012-0478 (bmo#727547) Crash with WebGL content using textImage2D
* MFSA 2012-31/CVE-2011-3062 (bmo#739925) Off-by-one error in OpenType Sanitizer
* MFSA 2012-32/CVE-2011-1187 (bmo#624621) HTTP Redirections and remote content can be read by javascript errors
* MFSA 2012-33/CVE-2012-0479 (bmo#714631) Potential site identity spoofing when loading RSS and Atom feeds - added mozilla-libnotify.patch to allow fallback from libnotify to xul based events if no notification-daemon is running - gcc 4.7 fixes
* mozilla-gcc47.patch
* disabled crashreporter temporarily for Factory - recommend libcanberra0 for proper sound notifications
Fri Mar 9 13:00:00 2012 wrAATTrosenauer.org - update to Firefox 11.0 (bnc#750044)
* MFSA 2012-13/CVE-2012-0455 (bmo#704354) XSS with Drag and Drop and Javascript: URL
* MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) SVG issues found with Address Sanitizer
Thu Feb 16 13:00:00 2012 wrAATTrosenauer.org - update to Firefox 10.0.2 (bnc#747328)
* CVE-2011-3026 (bmo#727401) libpng: integer overflow leading to heap-buffer overflow
Thu Feb 9 13:00:00 2012 wrAATTrosenauer.org - update to Firefox 10.0.1 (bnc#746616)
* MFSA 2012-10/CVE-2012-0452 (bmo#724284) use after free in nsXBLDocumentInfo::ReadPrototypeBindings
Tue Feb 7 13:00:00 2012 dvaleevAATTsuse.com - Use YARR interpreter instead of PCRE on platforms where YARR JIT is not supported, since PCRE doesn't build (bmo#691898) - fix ppc64 build (bmo#703534)
Mon Jan 30 13:00:00 2012 wrAATTrosenauer.org - update to Firefox 10.0 (bnc#744275)