Changelog for MozillaFirefox-translations-common-60.6.1-135.1.x86_64.rpm :
Fri Mar 22 13:00:00 2019 Wolfgang Rosenauer
- Mozilla Firefox 60.6.1esr
MFSA 2019-10 (bsc#1130262)

* CVE-2019-9810 (bmo#1537924)
IonMonkey MArraySlice has incorrect alias information

* CVE-2019-9813 (bmo#1538006)
IonMonkey type confusion with __proto__ mutations

Tue Mar 19 13:00:00 2019 Wolfgang Rosenauer
- Mozilla Firefox 60.6.0esr
MFSA 2019-08 (bsc#1129821)

* CVE-2019-9790 bmo#1525145
Use-after-free when removing in-use DOM elements

* CVE-2019-9791 bmo#1530958
Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey

* CVE-2019-9792 bmo#1532599
IonMonkey leaks JS_OPTIMIZED_OUT magic value to script

* CVE-2019-9793 bmo#1528829
Improper bounds checks when Spectre mitigations are disabled

* CVE-2019-9794 bmo#1530103
Command line arguments not discarded during execution

* CVE-2019-9795 bmo#1514682
Type-confusion in IonMonkey JIT compiler

* CVE-2019-9796 bmo#1531277
Use-after-free with SMIL animation controller

* CVE-2018-18506 bmo#1503393
Proxy Auto-Configuration file can define localhost access to be proxied

* CVE-2019-9788 bmo#1518001 bmo#1521304 bmo#1521214 bmo#1506665 bmo#1516834
bmo#1518774 bmo#1524755 bmo#1523362 bmo#1524214 bmo#1529203
Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6

Fri Feb 22 13:00:00 2019 Andreas Stieger
- Mozilla Firefox 60.5.2esr:

* Fix a frequent crash when reading various Reuters news articles
(bmo#1505844)

Wed Feb 13 13:00:00 2019 Wolfgang Rosenauer
- Mozilla Firefox 60.5.1esr (bsc#1125330)
MFSA 2019-05

* CVE-2018-18356 bmo#1525817
Use-after-free in Skia

* CVE-2019-5785 bmo#1525433
Integer overflow in Skia

* CVE-2018-18335 bmo#1525815
Buffer overflow in Skia with accelerated Canvas 2D
- increased disk space requirement to 20G for build

Wed Jan 23 13:00:00 2019 Wolfgang Rosenauer
- Mozilla Firefox 60.5.0esr
MFSA 2019-02 (bsc#1122983)

* CVE-2018-18500 bmo#1510114
Use-after-free parsing HTML5 stream

* CVE-2018-18505 bmo#1497749
Privilege escalation through IPC channel messages

* CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
bmo#1502871 bmo#1516738 bmo#1516514
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
- requires NSS >= 3.36.7
- rebased patches
- removed obsolete patch:
mozilla-no-stdcxx-check.patch

Wed Jan 9 13:00:00 2019 Guillaume GARDET
- Add patch to fix armv7 build (boo#1121255):

* mozilla-bmo1463035.patch

Mon Dec 10 13:00:00 2018 Wolfgang Rosenauer
- Mozilla Firefox 60.4.0esr:

* Updated list of currency codes to include Unidad Previsional (UYW)
(bmo#1499028)
MFSA 2018-30 (bsc#1119105)

* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11

* CVE-2018-18492 bmo#1499861
Use-after-free with select element

* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia

* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs

* CVE-2018-18498 bmo#1500011
Integer overflow when calculating buffer sizes for images

* CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4
- requires NSS >= 3.36.6

Tue Oct 23 14:00:00 2018 astiegerAATTsuse.com
- Mozilla Firefox 60.3.0esr:

* Various stability and regression fixes
MFSA 2018-27 bsc#1112852

* CVE-2018-12392 bmo#1492823
Crash with nested event loops

* CVE-2018-12393 bmo#1495011
Integer overflow during Unicode conversion while loading
JavaScript

* CVE-2018-12395 bmo#1467523
WebExtension bypass of domain restrictions through header
rewriting

* CVE-2018-12396 bmo#1483602
WebExtension content scripts can execute in disallowed
contexts

* CVE-2018-12397 bmo#1487478
WebExtension local file access vulnerability

* CVE-2018-12389 bmo#1498460, bmo#1499198
Memory safety bugs fixed in Firefox ESR 60.3

* CVE-2018-12390 bmo#1487098 bmo#1487660 bmo#1490234 bmo#1496159
bmo#1443748 bmo#1496340 bmo#1483905 bmo#1493347 bmo#1488803
bmo#1498701 bmo#1498482 bmo#1442010 bmo#1495245 bmo#1483699
bmo#1469486 bmo#1484905 bmo#1490561 bmo#1492524 bmo#1481844
Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

Tue Oct 2 14:00:00 2018 astiegerAATTsuse.com
- Mozilla Firefox 60.2.2esr:
MFSA 2018-24

* CVE-2018-12386 (bsc#1110506, bmo#1493900)
Type confusion in JavaScript allowed remote code execution

* CVE-2018-12387 (bsc#1110507, bmo#1493903)
Array.prototype.push stack pointer vulnerability may enable
exploits in the sandboxed content process

Thu Sep 27 14:00:00 2018 olafAATTaepfle.de
- Avoid undefined behavior in IPC fd-passing code with
mozilla-bmo1436242.patch (boo#1094767, bmo#1436242)

Fri Sep 21 14:00:00 2018 astiegerAATTsuse.com
- Mozilla Firefox 60.2.1esr:
MFSA 2018-23

* CVE-2018-12385 (boo#1109363, bmo#1490585)
Crash in TransportSecurityInfo due to cached data

* CVE-2018-12383 (boo#1107343, bmo#1475775)
Setting a master password did not delete unencrypted
previously stored passwords

* Fixed a startup crash affecting users migrating from older ESR
releases

* Clean up old NSS DB files after upgrading

Wed Sep 5 14:00:00 2018 securityAATTsuse.com
- Mozilla Firefox 60.2.0esr:
MFSA 2018-21 (bsc#1107343)

* CVE-2018-12377 (bmo#1470260)
Use-after-free in refresh driver timers

* CVE-2018-12378 (bmo#1459383)
Use-after-free in IndexedDB

* CVE-2017-16541 (bsc#1066489, bmo#1412081)
Proxy bypass using automount and autofs

* CVE-2018-12376 (bmo#69309,bmo#69914,bmo#50989,bmo#80092,
bmo#80517,bmo#81093,bmo#78575,bmo#71953,bmo#73161,bmo#66991,
bmo#68738,bmo#83120,bmo#67363,bmo#72925,bmo#66577,bmo#67889,
bmo#80521)
Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
- unfuzz mozilla-kde.patch

Sat Jun 23 14:00:00 2018 wrAATTrosenauer.org
- update to Firefox 60.1.0esr
MFSA 2018-16 (bsc#1098998)

* CVE-2018-12359 (bmo#1459162)
Buffer overflow using computed size of canvas element

* CVE-2018-12360 (bmo#1459693)
Use-after-free when using focus()

* CVE-2018-12361 (bmo#1463244)
Integer overflow in SwizzleData

* CVE-2018-12362 (bmo#1452375)
Integer overflow in SSSE3 scaler

* CVE-2018-5156 (bmo#1453127)
Media recorder segmentation fault when track type is changed during capture

* CVE-2018-12363 (bmo#1464784)
Use-after-free when appending DOM nodes

* CVE-2018-12364 (bmo#1436241)
CSRF attacks through 307 redirects and NPAPI plugins

* CVE-2018-12365 (bmo#1459206)
Compromised IPC child process can list local filenames

* CVE-2018-12371 (bmo#1465686)
Integer overflow in Skia library during edge builder allocation

* CVE-2018-12366 (bmo#1464039)
Invalid data handling during QCMS transformations

* CVE-2018-12367 (bmo#1462891)
Timing attack mitigation of PerformanceNavigationTiming

* CVE-2018-12369 (bmo#1454909)
WebExtension security permission checks bypassed by embedded experiments

* CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938,
bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568,
bmo#1463884)
Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1

* CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
bmo#1464079,bmo#1463494,bmo#1458048)
Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
- remove obsolete patches
mozilla-enable-csd.patch
mozilla-fix-skia-aarch64.patch
- do not disable system installed unsigned langpacks
(mozilla-bmo1464766.patch)

Thu Jun 7 14:00:00 2018 wrAATTrosenauer.org
- update to Firefox 60.0.2esr

* requires NSS 3.36.4
MFSA 2018-14 (bsc#1096449)

* CVE-2018-6126 (bmo#1462682)
Heap buffer overflow rasterizing paths in SVG with Skia

Wed Jun 6 14:00:00 2018 guillaume.gardetAATTopensuse.org
- Add upstream patch to fix boo#1093059 instead of '-ffixed-x28'
workaround:

* mozilla-bmo1375074.patch

Sat May 26 14:00:00 2018 wrAATTrosenauer.org
- fixed "open with" option under KDE (boo#1094747)
- workaround crash on startup on aarch64 (boo#1093059)
(contributed by guillaume.gardetAATTarm.com)

Wed May 23 14:00:00 2018 guillaume.gardetAATTopensuse.org
- Disable webrtc for aarch64 due to bmo#1434589
- Add patch to fix skia build on AArch64:

* mozilla-fix-skia-aarch64.patch

Thu May 17 14:00:00 2018 wrAATTrosenauer.org
- update to Firefox 60.0.1esr (bsc#1093767)

* Avoid overly long cycle collector pauses with some add-ons installed
(bmo#1449033)

* After unchecking the "Sponsored Stories" option, the New Tab page
now immediately stops displaying "Sponsored content" cards (bmo#1458906)

* On touchscreen devices, fixed momentum scrolling on non-zoomable pages
(bmo#1457743)

* Use the right default background when opening tabs or windows in
high contrast mode (bmo#1458956)

* Restored translations of the Preferences panels when using a
language pack (bmo#1461590)

Mon May 14 14:00:00 2018 pcernyAATTsuse.com
- parallelise locales building

Fri May 11 14:00:00 2018 wrAATTrosenauer.org
- correct buildconfig (source-stamp.txt) and update channel
definition

Mon May 7 14:00:00 2018 wrAATTrosenauer.org
- update to Firefox 60.0esr

* Added a policy engine that allows customized Firefox deployments
in enterprise environments, using Windows Group Policy or a
cross-platform JSON file

* Applied Quantum CSS to render browser UI

* Added support for Web Authentication, allowing the use of USB
tokens for authentication to web sites

* Locale added: Occitan (oc)
MFSA 2018-11 (bsc#1092548)

* CVE-2018-5154 (bmo#1443092)
Use-after-free with SVG animations and clip paths

* CVE-2018-5155 (bmo#1448774)
Use-after-free with SVG animations and text paths

* CVE-2018-5157 (bmo#1449898)
Same-origin bypass of PDF Viewer to view protected PDF files

* CVE-2018-5158 (bmo#1452075)
Malicious PDF can inject JavaScript into PDF Viewer

* CVE-2018-5159 (bmo#1441941)
Integer overflow and out-of-bounds write in Skia

* CVE-2018-5160 (bmo#1436117)
Uninitialized memory use by WebRTC encoder

* CVE-2018-5152 (bmo#1415644, bmo#1427289)
WebExtensions information leak through webRequest API

* CVE-2018-5153 (bmo#1436809)
Out-of-bounds read in mixed content websocket messages

* CVE-2018-5163 (bmo#1426353)
Replacing cached data in JavaScript Start-up Bytecode Cache

* CVE-2018-5164 (bmo#1416045)
CSP not applied to all multipart content sent with
multipart/x-mixed-replace

* CVE-2018-5166 (bmo#1437325)
WebExtension host permission bypass through filterResponseData

* CVE-2018-5167 (bmo#1447969)
Improper linkification of chrome: and javascript: content in
web console and JavaScript debugger

* CVE-2018-5168 (bmo#1449548)
Lightweight themes can be installed without user interaction

* CVE-2018-5169 (bmo#1319157)
Dragging and dropping link text onto home button can set home page
to include chrome pages

* CVE-2018-5172 (bmo#1436482)
Pasted script from clipboard can run in the Live Bookmarks page
or PDF viewer

* CVE-2018-5173 (bmo#1438025)
File name spoofing of Downloads panel with Unicode characters

* CVE-2018-5174 (bmo#1447080) (Windows-only)
Windows Defender SmartScreen UI runs with less secure behavior
for downloaded files in Windows 10 April 2018 Update

* CVE-2018-5175 (bmo#1432358)
Universal CSP bypass on sites using strict-dynamic in their policies

* CVE-2018-5176 (bmo#1442840)
JSON Viewer script injection

* CVE-2018-5177 (bmo#1451908)
Buffer overflow in XSLT during number formatting

* CVE-2018-5165 (bmo#1451452)
Checkbox for enabling Flash protected mode is inverted in 32-bit
Firefox

* CVE-2018-5180 (bmo#1444086)
heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced

* CVE-2018-5181 (bmo#1424107)
Local file can be displayed in noopener tab through drag and
drop of hyperlink

* CVE-2018-5182 (bmo#1435908)
Local file can be displayed from hyperlink dragged and dropped
on addressbar

* CVE-2018-5151
Memory safety bugs fixed in Firefox 60

* CVE-2018-5150
Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
- removed obsolete patches
0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
mozilla-bmo1005535.patch
- requires NSPR 4.19 and NSS 3.36.1
- requires rust 1.24 or higher
- use upstream source archive and detached signature for
source verification

Thu May 3 14:00:00 2018 guillaume.gardetAATTopensuse.org
- Fix armv7 build by:

* adding RUSTFLAGS="-Cdebuginfo=0"

* updating _constraints for %arm

Wed May 2 14:00:00 2018 wrAATTrosenauer.org
- do not try CSD on kwin (boo#1091592)
- fix build in openSUSE:Leap:42.3:Update, use gcc7

Tue May 1 14:00:00 2018 astiegerAATTsuse.com
- Mozilla Firefox 59.0.3:

* fixes for platforms other than GNU/Linux

Fri Apr 20 14:00:00 2018 mliskaAATTsuse.cz
- Add 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
in order to fix boo#1090362.

Mon Apr 2 14:00:00 2018 badshah400AATTgmail.com
- Add back mozilla-enable-csd.patch: New rebased version from
Fedora for version 59.0.x.

Tue Mar 27 14:00:00 2018 schwabAATTsuse.de
- Reduce constraints on aarch64

Tue Mar 27 14:00:00 2018 wrAATTrosenauer.org
- update to Firefox 59.0.2

* Invalid page rendering with hardware acceleration enabled (bmo#1435472)

* Browser keyboard shortcuts (e.g. copy Ctrl+C) don't work on sites
that use those keys with resistFingerprinting enabled (bmo#1433592)

* High CPU / memory churn caused by third-party software on some
computers (bmo#1446280)

* Users who have configured an "automatic proxy configuration URL"
and want to reload their proxy settings from the URL will find
the Reload button disabled in the Connection Settings dialog when
they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)

* URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)

* Users trying to cancel a print around the time it completes will
continue to get intermittent crashes (bmo#1441598)
MFSA 2018-10 (bsc#1087059)

* CVE-2018-5148 (bmo#1440717)
Use-after-free in compositor
- removed obsolete patch mozilla-bmo1446062.patch

Wed Mar 21 13:00:00 2018 cgrobertsonAATTsuse.com
- Added patches:

* mozilla-i586-DecoderDoctorLogger.patch - bmo#1447070
fixes non-unified build error

* mozilla-i586-domPrefs.patch - DOMPrefs.h
fixes 32bit build error

Fri Mar 16 13:00:00 2018 wrAATTrosenauer.org
- update to Firefox 59.0.1 (bsc#1085671)
MFSA 2018-08

* CVE-2018-5146 (bmo#1446062)
Vorbis audio processing out of bounds write

* CVE-2018-5147 (bmo#1446365)
Out of bounds memory write in libtremor
(mozilla-bmo1446062.patch)

Wed Mar 14 13:00:00 2018 cgrobertsonAATTsuse.com
- Added patch:

* mozilla-bmo1005535.patch:
Enable skia_gpu on big endian platforms.

Sun Mar 11 13:00:00 2018 wrAATTrosenauer.org
- update to Firefox 59.0

* Performance enhancements

* Drag-and-drop to rearrange Top Sites on the Firefox Home page

* added features for Firefox Screenshots

* Enhanced WebExtensions API

* Improved RTC capabilities
MFSA 2018-06 (bsc#1085130)

* CVE-2018-5127 (bmo#1430557)
Buffer overflow manipulating SVG animatedPathSegList

* CVE-2018-5128 (bmo#1431336)
Use-after-free manipulating editor selection ranges

* CVE-2018-5129 (bmo#1428947)
Out-of-bounds write with malformed IPC messages

* CVE-2018-5130 (bmo#1433005)
Mismatched RTP payload type can trigger memory corruption

* CVE-2018-5131 (bmo#1440775)
Fetch API improperly returns cached copies of no-store/no-cache resources

* CVE-2018-5132 (bmo#1408194)
WebExtension Find API can search privileged pages

* CVE-2018-5133 (bmo#1430511, bmo#1430974)
Value of the app.support.baseURL preference is not properly sanitized

* CVE-2018-5134 (bmo#1429379)
WebExtensions may use view-source: URLs to bypass content restrictions

* CVE-2018-5135 (bmo#1431371)
WebExtension browserAction can inject scripts into unintended contexts

* CVE-2018-5136 (bmo#1419166)
Same-origin policy violation with data: URL shared workers

* CVE-2018-5137 (bmo#1432870)
Script content can access legacy extension non-contentaccessible resources

* CVE-2018-5138 (bmo#1432624) (Android only)
Android Custom Tab address spoofing through long domain names

* CVE-2018-5140 (bmo#1424261)
Moz-icon images accessible to web content through moz-icon: protocol

* CVE-2018-5141 (bmo#1429093)
DOS attack through notifications Push API

* CVE-2018-5142 (bmo#1366357)
Media Capture and Streams API permissions display incorrect origin
with data: and blob: URLs

* CVE-2018-5143 (bmo#1422643)
Self-XSS pasting javascript: URL with embedded tab into addressbar

* CVE-2018-5126
Memory safety bugs fixed in Firefox 59

* CVE-2018-5125
Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
- requires NSPR 4.18 and NSS 3.35
- requires rust >= 1.22.1
- removed obsolete patches:
mozilla-alsa-sandbox.patch
mozilla-enable-csd.patch
firefox-no-default-ualocale.patch
- removed l10n_changesets.txt since same information is now in
Firefox source tree (updated create-tar.sh now requires jq)

Fri Feb 9 13:00:00 2018 astiegerAATTsuse.com
- Mozilla Firefox 58.0.2:

* Blocklisted graphics drivers related to off main thread painting
crashes

* Fix tab crash during printing

* Fix clicking links and scrolling emails on Microsoft Hotmail
and Outlook (OWA) webmail

Fri Feb 9 13:00:00 2018 wrAATTrosenauer.org
- correct requires and provides handling (boo#1076907)

Tue Feb 6 13:00:00 2018 fstrbaAATTsuse.com
- Added patch:

* mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still
or again?) not working in Firefox 58 due to sandboxing.

Mon Jan 29 13:00:00 2018 wrAATTrosenauer.org
- update to Firefox 58.0.1
MFSA 2018-05

* Arbitrary code execution through unsanitized browser UI (bmo#1432966)
- use correct language packs
- readd mozilla-enable-csd.patch as it only lands for FF59 upstream
- allow larger number of nested elements (mozilla-bmo256180.patch)

Tue Jan 23 13:00:00 2018 wrAATTrosenauer.org
- update to Firefox 58.0 (bsc#1077291)

* Added Nepali (ne-NP) locale

* Added support for form autofill for credit card

* Optimize page load by caching JavaScript internal representation
MFSA 2018-02

* CVE-2018-5091 (bmo#1423086)
Use-after-free with DTMF timers

* CVE-2018-5092 (bmo#1418074)
Use-after-free in Web Workers

* CVE-2018-5093 (bmo#1415291)
Buffer overflow in WebAssembly during Memory/Table resizing

* CVE-2018-5094 (bmo#1415883)
Buffer overflow in WebAssembly with garbage collection on
uninitialized memory

* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation

* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT

* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements

* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener

* CVE-2018-5100 (bmo#1417405)
Use-after-free when IsPotentiallyScrollable arguments are freed
from memory

* CVE-2018-5101 (bmo#1417661)
Use-after-free with floating first-letter style elements

* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements

* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling

* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation

* CVE-2018-5105 (bmo#1390882)
WebExtensions can save and execute files on local file system
without user prompts

* CVE-2018-5106 (bmo#1408708)
Developer Tools can expose style editor information cross-origin
through service worker

* CVE-2018-5107 (bmo#1379276)
Printing process will follow symlinks for local file access

* CVE-2018-5108 (bmo#1421099)
Manually entered blob URL can be accessed by subsequent private browsing tabs

* CVE-2018-5109 (bmo#1405599)
Audio capture prompts and starts with incorrect origin attribution

* CVE-2018-5110 (bmo#1423275) (affects only OS X)
Cursor can be made invisible on OS X

* CVE-2018-5111 (bmo#1321619)
URL spoofing in addressbar through drag and drop

* CVE-2018-5112 (bmo#1425224)
Extension development tools panel can open a non-relative URL in the panel

* CVE-2018-5113 (bmo#1425267)
WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow

* CVE-2018-5114 (bmo#1421324)
The old value of a cookie changed to HttpOnly remains accessible to scripts

* CVE-2018-5115 (bmo#1409449)
Background network requests can open HTTP authentication in unrelated foreground tabs

* CVE-2018-5116 (bmo#1396399)
WebExtension ActiveTab permission allows cross-origin frame content access

* CVE-2018-5117 (bmo#1395508)
URL spoofing with right-to-left text aligned left-to-right

* CVE-2018-5118 (bmo#1420049)
Activity Stream images can attempt to load local content through file:

* CVE-2018-5119 (bmo#1420507)
Reader view will load cross-origin content in violation of CORS headers

* CVE-2018-5121 (bmo#1402368) (affects only OS X)
OS X Tibetan characters render incompletely in the addressbar

* CVE-2018-5122 (bmo#1413841)
Potential integer overflow in DoCrypt

* CVE-2018-5090
Memory safety bugs fixed in Firefox 58

* CVE-2018-5089
Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- requires NSS 3.34.1
- requires rust 1.21
- removed obsolete patches:
mozilla-bindgen-systemlibs.patch
mozilla-bmo1360278.patch
mozilla-bmo1399611-csd.patch
mozilla-rust-1.23.patch
- rebased patches
- updated man-page

Tue Jan 9 13:00:00 2018 wrAATTrosenauer.org
- fixed build with latest rust (mozilla-rust-1.23.patch)

Thu Jan 4 13:00:00 2018 wrAATTrosenauer.org
- update to Firefox 57.0.4
MFSA 2018-1: Speculative execution side-channel attack ("Spectre")
(boo#1074723)

Wed Jan 3 13:00:00 2018 wrAATTrosenauer.org
- fixed regression introduced Oct 10th which made Firefox crash
when cancelling the KDE file dialog (boo#1069962)

Fri Dec 29 13:00:00 2017 astiegerAATTsuse.com
- Mozilla Firefox 57.0.3:

* Fix a crash reporting issue that inadvertently sends background
tab crash reports to Mozilla without user opt-in (bmo#1427111,
bsc#1074235)
- Includes changes from 57.0.2:

* fixes for platforms other than GNU/Linux

Fri Dec 8 13:00:00 2017 dimstarAATTopensuse.org
- Explicitly buildrequires python2-xml: The build system relies on
it. We wrongly relied on other packages pulling it in for us.

Thu Dec 7 13:00:00 2017 dimstarAATTopensuse.org
- Escape the usage of %{VERSION} when calling out to rpm.
RPM 4.14 has %{VERSION} defined as 'the main packages version'.

Wed Nov 29 13:00:00 2017 wrAATTrosenauer.org
- update to Firefox 57.0.1

* CVE-2017-7843: Web worker in Private Browsing mode can write
IndexedDB data (bsc#1072034, bmo#1410106)

* CVE-2017-7844: Visited history information leak through SVG
image (bsc#1072036, bmo#1420001)

* Fix a video color distortion issue on YouTube and other video
sites with some AMD devices (bmo#1417442)

* Fix an issue with prefs.js when the profile path has non-ascii
characters (bmo#1420427)

Tue Nov 21 13:00:00 2017 christopheAATTkrop.fr
- Add mozilla-bmo1360278.patch
Starting with Firefox 57, the context menu appears on key press.
This patch creates a config entry to restore the
old behaviour. Without the patch, the mouse gesture extensions
require 2 clicks to work (bmo#1360278).
The new config entry is named ui.context_menus.after_mouseup
(default : false).

Sat Nov 18 13:00:00 2017 wrAATTrosenauer.org
- Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled
widget.allow-client-side-decoration=true
(mozilla-bmo1399611-csd.patch)

Wed Nov 15 13:00:00 2017 wrAATTrosenauer.org
- update to Firefox 57.0 (boo#1068101)

* Firefox Quantum

* Photon UI

* Unified address and search bar

* AMD VP9 hardware video decoder support

* Added support for Date/Time input

* stricter security sandbox blocking filesystem reading and
writing on Linux systems

* middle mouse paste in the content area no longer navigates to
URLs by default on Unix systems
MFSA 2017-24

* CVE-2017-7828 (bmo#1406750, bmo#1412252)
Use-after-free of PresShell while restyling layout

* CVE-2017-7830 (bmo#1408990)
Cross-origin URL information leak through Resource Timing API

* CVE-2017-7831 (bmo#1392026)
Information disclosure of exposed properties on JavaScript proxy
objects

* CVE-2017-7832 (bmo#1408782)
Domain spoofing through use of dotless 'i' character followed
by accent markers

* CVE-2017-7833 (bmo#1370497)
Domain spoofing with Arabic and Indic vowel marker characters

* CVE-2017-7834 (bmo#1358009)
data: URLs opened in new tabs bypass CSP protections

* CVE-2017-7835 (bmo#1402363)
Mixed content blocking incorrectly applies with redirects

* CVE-2017-7836 (bmo#1401339)
Pingsender dynamically loads libcurl on Linux and OS X

* CVE-2017-7837 (bmo#1325923)
SVG loaded as <img> can use meta tags to set cookies

* CVE-2017-7838 (bmo#1399540)
Failure of individual decoding of labels in international domain
names triggers punycode display of entire IDN

* CVE-2017-7839 (bmo#1402896)
Control characters before javascript: URLs defeats self-XSS
prevention mechanism

* CVE-2017-7840 (bmo#1366420)
Exported bookmarks do not strip script elements from user-supplied
tags

* CVE-2017-7842 (bmo#1397064)
Referrer Policy is not always respected for <link> elements

* CVE-2017-7827
Memory safety bugs fixed in Firefox 57

* CVE-2017-7826
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
- requires NSPR 4.17, NSS 3.33 and rustc 1.19
- rebased patches
- added mozilla-bindgen-systemlibs.patch to allow stylo build
with system libs (bmo#1341234)
- removed mozilla-language.patch since the whole locale code
changed in Firefox and is relying on ICU now
- removed obsolete mozilla-ucontext.patch

Sat Oct 28 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 56.0.2

* Disable Form Autofill completely on user request (bmo#1404531)

* Fix for video-related crashes on Windows 7 (bmo#1409141)

* Correct detection for 64-bit GSSAPI authentication (bmo#1409275)

* Fix for shutdown crash (bmo#1404105)

Tue Oct 10 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 56.0.1

* Block D3D11 when using Intel drivers on Windows 7 systems with
partial AVX support (bmo#1403353)
- > just to sync the version number
- enable stylo for TW (requires LLVM >= 3.9)
- queue KDE filepicker requests to avoid non-opening file dialogs
happening in certain situations (contributed by Ignaz Forster)
- the placeholder dot in KDE file dialog in case of empty filenames
was removed, apparently not required (anymore)
(contributed by Ignaz Forster)

Sun Oct 1 14:00:00 2017 stefan.bruensAATTrwth-aachen.de
- Correct plugin directory for aarch64 (boo#1061207). The wrapper
script was not detecting aarch64 as a 64 bit architecture, thus
used /usr/lib/browser-plugins/.

Sat Sep 30 14:00:00 2017 zaitorAATTopensuse.org
- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
looks for.

Thu Sep 28 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 56.0 (boo#1060445)

* Firefox Screenshots

* Find Options/Preferences more quickly with new search function

* Media is no longer auto-played when opened in a background tab

* Enable CSS Grid Layout View
MFSA 2017-21

* CVE-2017-7793 (bmo#1371889)
Use-after-free with Fetch API

* CVE-2017-7817 (bmo#1356596) (Android-only)
Firefox for Android address bar spoofing through fullscreen mode

* CVE-2017-7818 (bmo#1363723)
Use-after-free during ARIA array manipulation

* CVE-2017-7819 (bmo#1380292)
Use-after-free while resizing images in design mode

* CVE-2017-7824 (bmo#1398381)
Buffer overflow when drawing and validating elements with ANGLE

* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
Use-after-free in TLS 1.2 generating handshake hashes

* CVE-2017-7812 (bmo#1379842)
Drag and drop of malicious page content to the tab bar can open locally stored files

* CVE-2017-7814 (bmo#1376036)
Blob and data URLs bypass phishing and malware protection warnings

* CVE-2017-7813 (bmo#1383951)
Integer truncation in the JavaScript parser

* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
OS X fonts render some Tibetan and Arabic unicode characters as spaces

* CVE-2017-7815 (bmo#1368981)
Spoofing attack with modal dialogs on non-e10s installations

* CVE-2017-7816 (bmo#1380597)
WebExtensions can load about: URLs in extension UI

* CVE-2017-7821 (bmo#1346515)
WebExtensions can download and open non-executable files without user interaction

* CVE-2017-7823 (bmo#1396320)
CSP sandbox directive did not create a unique origin

* CVE-2017-7822 (bmo#1368859)
WebCrypto allows AES-GCM with 0-length IV

* CVE-2017-7820 (bmo#1378207)
Xray wrapper bypass with new tab and web console

* CVE-2017-7811
Memory safety bugs fixed in Firefox 56

* CVE-2017-7810
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
- requires NSPR 4.16 and NSS 3.32.1
- rebased patches

Thu Sep 28 14:00:00 2017 dimstarAATTopensuse.org
- Add alsa-devel BuildRequires: we care for ALSA support to be
built and thus need to ensure we get the dependencies in place.
In the past, alsa-devel was pulled in by accident: we
buildrequire libgnome-devel. This required esound-devel and that
in turn pulled in alsa-devel for us. libgnome is being fixed to
no longer require esound-devel.

Mon Sep 4 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 55.0.3

* Fix an issue with addons when using a path containing non-ascii
characters (bmo#1389160)

* Fix file uploads to some websites, including YouTube (bmo#1383518)
- fix Google API key build integration
- add mozilla-ucontext.patch to fix Tumbleweed build
- do not enable XINPUT2 for now (boo#1053959)

Fri Aug 11 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 55.0.1

* Fix a regression in the tab restoration process (bmo#1388160)

* Fix a problem causing What's new pages not to be displayed (bmo#1386224)

* Fix a rendering issue with some PKCS#11 libraries (bmo#1388370)

* Disable the predictor prefetch (bmo#1388160)

Sat Aug 5 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 55.0 (boo#1052829)

* Browsing sessions with a high number of tabs are now restored
in an instant

* Sidebar (bookmarks, history, synced tabs) can now be moved to
the right edge of the window

* Fine-tune your browser performance from the Preferences/Options page.

* Make screenshots of webpages, and save them locally or upload
them to the cloud. This feature will undergo A/B testing and
will not be visible for some users.

* Added Belarusian (be) locale

* Simplify print jobs from within print preview

* Use virtual reality devices with the web with the introduction
of WebVR

* Search suggestions are now enabled by default for users who
haven't explicitly opted-out

* Search with any installed search engine directly from the
location bar

* IMPORTANT: Breaking profile changes - do not downgrade Firefox
and use a profile that has been opened with Firefox 55+.

* The Adobe Flash plugin is now click-to-activate by default and
only allowed on http:// and https:// URL schemes. This change
will be rolled out progressively and so will not be visible to
all users immediately. For more information see the Firefox
plugin roadmap

* Modernized application update UI to be less intrusive and more
aligned with the rest of the browser. Only users who have not
restarted their browser 8 days after downloading an update or
users who opted out of automatic updates will see this change.

* Insecure sites can no longer access the Geolocation APIs to get
access to your physical location

* requires NSPR 4.15 and NSS 3.31
MFSA 2017-18

* CVE-2017-7798 (bmo#1371586, bmo#1372112)
XUL injection in the style editor in devtools

* CVE-2017-7800 (bmo#1374047)
Use-after-free in WebSockets during disconnection

* CVE-2017-7801 (bmo#1371259)
Use-after-free with marquee during window resizing

* CVE-2017-7809 (bmo#1380284)
Use-after-free while deleting attached editor DOM node

* CVE-2017-7784 (bmo#1376087)
Use-after-free with image observers

* CVE-2017-7802 (bmo#1378147)
Use-after-free resizing image elements

* CVE-2017-7785 (bmo#1356985)
Buffer overflow manipulating ARIA attributes in DOM

* CVE-2017-7786 (bmo#1365189)
Buffer overflow while painting non-displayable SVG

* CVE-2017-7806 (bmo#1378113)
Use-after-free in layer manager with SVG

* CVE-2017-7753 (bmo#1353312)
Out-of-bounds read with cached style data and pseudo-elements

* CVE-2017-7787 (bmo#1322896)
Same-origin policy bypass with iframes through page reloads

* CVE-2017-7807 (bmo#1376459)
Domain hijacking through AppCache fallback

* CVE-2017-7792 (bmo#1368652)
Buffer overflow viewing certificates with an extremely long OID

* CVE-2017-7804 (bmo#1372849)
Memory protection bypass through WindowsDllDetourPatcher

* CVE-2017-7791 (bmo#1365875)
Spoofing following page navigation with data: protocol and modal alerts

* CVE-2017-7808 (bmo#1367531)
CSP information leak with frame-ancestors containing paths

* CVE-2017-7782 (bmo#1344034)
WindowsDllDetourPatcher allocates memory without DEP protections

* CVE-2017-7781 (bmo#1352039)
Elliptic curve point addition error when using mixed Jacobian-affine coordinates

* CVE-2017-7794 (bmo#1374281)
Linux file truncation via sandbox broker

* CVE-2017-7803 (bmo#1377426)
CSP containing 'sandbox' improperly applied

* CVE-2017-7799 (bmo#1372509)
Self-XSS XUL injection in about:webrtc

* CVE-2017-7783 (bmo#1360842)
DOS attack through long username in URL

* CVE-2017-7788 (bmo#1073952)
Sandboxed about:srcdoc iframes do not inherit CSP directives

* CVE-2017-7789 (bmo#1074642)
Failure to enable HSTS when two STS headers are sent for a connection

* CVE-2017-7790 (bmo#1350460) (Windows-only)
Windows crash reporter reads extra memory for some non-null-terminated registry values

* CVE-2017-7796 (bmo#1234401) (Windows-only)
Windows updater can delete any file named update.log

* CVE-2017-7797 (bmo#1334776)
Response header name interning leaks across origins

* CVE-2017-7780
Memory safety bugs fixed in Firefox 55

* CVE-2017-7779
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
- updated mozilla-kde.patch:

* removed "downloadfinished" alert as Firefox reimplemented the
whole thing (TODO: check if there is another function we should
hook in)

Tue Jul 4 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 54.0.1

* Fix a display issue of tab title (bmo#1357656)

* Fix a display issue of opening new tab (bmo#1371995)

* Fix a display issue when opening multiple tabs (bmo#1371962)

* Fix a tab display issue when downloading files (bmo#1373109)

* Fix a PDF printing issue (bmo#1366744)

* Fix a Netflix issue on Linux (bmo#1375708)

Thu Jun 15 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 54.0

* Clearer and more detailed information for download items in the
download panel

* Added Burmese (my) locale

* Bookmarks created on mobile devices are now shown in
"Mobile Bookmarks" folder in the drop down list from the toolbar
and Bookmarks option in the menu bar in Desktop Firefox

* added support for multiple content processes (e10s-multi)
- requires NSPR 4.14 and NSS 3.30.2
- requires rust 1.15.1
- removed mozilla-shared-nss-db.patch as it seems to be a rather
unused feature

Thu Jun 1 14:00:00 2017 kah0922AATTgmail.com
- remove -fno-inline-small-functions and explicitly optimize with -O2
for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)

Wed Apr 26 14:00:00 2017 wrAATTrosenauer.org
- switch to Mozilla's geolocation service (boo#1026989)
- removed mozilla-preferences.patch obsoleted by overriding via
firefox.js
- fixed KDE integration to avoid crash caused by filepicker
(boo#1015998)

Mon Apr 17 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 53.0

* requires NSS 3.29.5

* Lightweight themes are now applied in private browsing windows

* Reader Mode now displays estimated reading time for the page

* Two new 'compact' themes available in Firefox, dark and light,
based on the Firefox Developer Edition theme

* Ended Firefox Linux support for processors older than Pentium 4
and AMD Opteron

* Refresh of the media controls user interface

* Shortened titles on tabs are faded out instead of using ellipsis
for improved readability

* Media playback on new tabs is blocked until the tab is visible

* Permission notifications have a cleaner design and cannot be
easily missed
MFSA 2017-10

* CVE-2017-5456 (bmo#1344415)
Sandbox escape allowing local file system access

* CVE-2017-5442 (bmo#1347979)
Use-after-free during style changes

* CVE-2017-5443 (bmo#1342661)
Out-of-bounds write during BinHex decoding

* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1

* CVE-2017-5464 (bmo#1347075)
Memory corruption with accessibility and DOM manipulation

* CVE-2017-5465 (bmo#1347617)
Out-of-bounds read in ConvolvePixel

* CVE-2017-5466 (bmo#1353975)
Origin confusion when reloading isolated data:text/html URL

* CVE-2017-5467 (bmo#1347262)
Memory corruption when drawing Skia content

* CVE-2017-5460 (bmo#1343642)
Use-after-free in frame selection

* CVE-2017-5461 (bmo#1344380)
Out-of-bounds write in Base64 encoding in NSS

* CVE-2017-5448 (bmo#1346648)
Out-of-bounds write in ClearKeyDecryptor

* CVE-2017-5449 (bmo#1340127)
Crash during bidirectional unicode manipulation with animation

* CVE-2017-5446 (bmo#1343505)
Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data

* CVE-2017-5447 (bmo#1343552)
Out-of-bounds read during glyph processing

* CVE-2017-5444 (bmo#1344461)
Buffer overflow while parsing application/http-index-format content

* CVE-2017-5445 (bmo#1344467)
Uninitialized values used while parsing application/http-index-format
content

* CVE-2017-5468 (bmo#1329521)
Incorrect ownership model for Private Browsing information

* CVE-2017-5469 (bmo#1292534)
Potential Buffer overflow in flex-generated code

* CVE-2017-5440 (bmo#1336832)
Use-after-free in txExecutionState destructor during XSLT processing

* CVE-2017-5441 (bmo#1343795)
Use-after-free with selection during scroll events

* CVE-2017-5439 (bmo#1336830)
Use-after-free in nsTArray Length() during XSLT processing

* CVE-2017-5438 (bmo#1336828)
Use-after-free in nsAutoPtr during XSLT processing

* CVE-2017-5437 (bmo#1343453)
Vulnerabilities in Libevent library

* CVE-2017-5436 (bmo#1345461)
Out-of-bounds write with malicious font in Graphite 2

* CVE-2017-5435 (bmo#1350683)
Use-after-free during transaction processing in the editor

* CVE-2017-5434 (bmo#1349946)
Use-after-free during focus handling

* CVE-2017-5433 (bmo#1347168)
Use-after-free in SMIL animation functions

* CVE-2017-5432 (bmo#1346654)
Use-after-free in text input selection

* CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686,
bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621,
bmo#1349719, bmo#1353476)
Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1

* CVE-2017-5459 (bmo#1333858)
Buffer overflow in WebGL

* CVE-2017-5458 (bmo#1229426)
Drag and drop of javascript: URLs can allow for self-XSS

* CVE-2017-5455 (bmo#1341191)
Sandbox escape through internal feed reader APIs

* CVE-2017-5454 (bmo#1349276)
Sandbox escape allowing file system read access through file picker

* CVE-2017-5451 (bmo#1273537)
Addressbar spoofing with onblur event

* CVE-2017-5453 (bmo#1321247)
HTML injection into RSS Reader feed preview page through
TITLE element

* CVE-2017-5462 (bmo#1345089)
DRBG flaw in NSS
- removed browser(npapi) provides as these plugins are deprecated
- switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for
Leap 42
- Gtk2 is no longer an option; switched to Gtk3
- apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support
(boo#1032003)

Mon Apr 3 14:00:00 2017 wrAATTrosenauer.org
- update to Firefox 52.0.2

* Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)

* Fix loading tab icons on session restore (bmo#1338009)

* Fix a crash on startup on Linux (bmo#1345413)

* Fix new installs erroneously not prompting to change the default
browser setting (bmo#1343938)

Mon Mar 20 13:00:00 2017 wrAATTrosenauer.org
- disable rust usage for everything but x86(-64)
- explicitly add libffi build requirement

Fri Mar 17 13:00:00 2017 wrAATTrosenauer.org
- update to Firefox 52.0.1 (boo#1029822)
MFSA 2017-08
CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)

Thu Mar 9 13:00:00 2017 wrAATTrosenauer.org
- reenable ALSA support which was removed by default upstream

Sat Mar 4 13:00:00 2017 wrAATTrosenauer.org
- update to Firefox 52.0 (boo#1028391)

* requires NSS >= 3.28.3

* Pages containing insecure password fields now display a warning
directly within username and password fields.

* Send and open a tab from one device to another with Sync

* Removed NPAPI support for plugins other than Flash. Silverlight,
Java, Acrobat and the like are no longer supported.

* Removed Battery Status API to reduce fingerprinting of users by
trackers

* MFSA 2017-05
CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
(bmo#1334933)
CVE-2017-5401: Memory Corruption when handling ErrorResult
(bmo#1328861)
CVE-2017-5402: Use-after-free working with events in FontFace
objects (bmo#1334876)
CVE-2017-5403: Use-after-free using addRange to add range to an
incorrect root object (bmo#1340186)
CVE-2017-5404: Use-after-free working with ranges in selections
(bmo#1340138)
CVE-2017-5406: Segmentation fault in Skia with canvas operations
(bmo#1306890)
CVE-2017-5407: Pixel and history stealing via floating-point
timing side channel with SVG filters (bmo#1336622)
CVE-2017-5410: Memory corruption during JavaScript garbage
collection incremental sweeping (bmo#1330687)
CVE-2017-5408: Cross-origin reading of video captions in violation
of CORS (bmo#1313711)
CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
CVE-2017-5413: Segmentation fault during bidirectional operations
(bmo#1337504)
CVE-2017-5414: File picker can choose incorrect default directory
(bmo#1319370)
CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
CVE-2017-5417: Addressbar spoofing by dragging and dropping URLs
(bmo#791597)
CVE-2017-5426: Gecko Media Plugin sandbox is not started if
seccomp-bpf filter is running (bmo#1257361)
CVE-2017-5427: Non-existent chrome.manifest file loaded during
startup (bmo#1295542)
CVE-2017-5418: Out of bounds read when parsing HTTP digest
authorization responses (bmo#1338876)
CVE-2017-5419: Repeated authentication prompts lead to DOS
attack (bmo#1312243)
CVE-2017-5420: Javascript: URLs can obfuscate addressbar
location (bmo#1284395)
CVE-2017-5405: FTP response codes can cause use of
uninitialized values for ports (bmo#1336699)
CVE-2017-5421: Print preview spoofing (bmo#1301876)
CVE-2017-5422: DOS attack by using view-source: protocol
repeatedly in one hyperlink (bmo#1295002)
CVE-2017-5399: Memory safety bugs fixed in Firefox 52
CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
Firefox ESR 45.8
- removed obsolete patches

* mozilla-binutils-visibility.patch

* mozilla-check_return.patch

* mozilla-disable-skia-be.patch

* mozilla-skia-overflow.patch

* mozilla-skia-ppc-endianess.patch
- rebased patches
- enable rust usage for Tumbleweed

Fri Jan 27 13:00:00 2017 astiegerAATTsuse.com
- Mozilla Firefox 51.0.1:
- Multiprocess incompatibility did not correctly register with
some add-ons (bmo#1333423)

Fri Jan 20 13:00:00 2017 wrAATTrosenauer.org
- update to Firefox 51.0

* requires NSPR >= 4.13.1, NSS >= 3.28.1

* Added support for FLAC (Free Lossless Audio Codec) playback

* Added support for WebGL 2

* Added Georgian (ka) and Kabyle (kab) locales

* Support saving passwords for forms without 'submit' events

* Improved video performance for users without GPU acceleration

* Zoom indicator is shown in the URL bar if the zoom level is not
at default level

* View passwords from the prompt before saving them

* Remove Belarusian (be) locale

* Use Skia for content rendering (Linux)

* MFSA 2017-01
CVE-2017-5375: Excessive JIT code allocation allows bypass of
ASLR and DEP (bmo#1325200, boo#1021814)
CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
CVE-2017-5377: Memory corruption with transforms to create
gradients in Skia (bmo#1306883, boo#1021826)
CVE-2017-5378: Pointer and frame data leakage of Javascript objects
(bmo#1312001, bmo#1330769, boo#1021818)
CVE-2017-5379: Use-after-free in Web Animations
(bmo#1309198,boo#1021827)
CVE-2017-5380: Potential use-after-free during DOM manipulations
(bmo#1322107, boo#1021819)
CVE-2017-5390: Insecure communication methods in Developer Tools
JSON viewer (bmo#1297361, boo#1021820)
CVE-2017-5389: WebExtensions can install additional add-ons via
modified host requests (bmo#1308688, boo#1021828)
CVE-2017-5396: Use-after-free with Media Decoder
(bmo#1329403, boo#1021821)
CVE-2017-5381: Certificate Viewer exporting can be used to navigate
and save to arbitrary filesystem locations
(bmo#1017616, boo#1021830)
CVE-2017-5382: Feed preview can expose privileged content errors
and exceptions (bmo#1295322, boo#1021831)
CVE-2017-5383: Location bar spoofing with unicode characters
(bmo#1323338, bmo#1324716, boo#1021822)
CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
(bmo#1255474, boo#1021832)
CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
response headers (bmo#1295945, boo#1021833)
CVE-2017-5386: WebExtensions can use data: protocol to affect other
extensions (bmo#1319070, boo#1021823)
CVE-2017-5394: Android location bar spoofing using fullscreen and
JavaScript events (bmo#1222798)
CVE-2017-5391: Content about: pages can load privileged about: pages
(bmo#1309310, boo#1021835)
CVE-2017-5392: Weak references using multiple threads on weak proxy
objects lead to unsafe memory usage (bmo#1293709)
(Android only)
CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for
mozAddonManager (bmo#1309282, boo#1021837)
CVE-2017-5395: Android location bar spoofing during scrolling
(bmo#1293463) (Android only)
CVE-2017-5387: Disclosure of local file existence through TRACK
tag error messages (bmo#1295023, boo#1021839)
CVE-2017-5388: WebRTC can be used to generate a large amount of
UDP traffic for DDOS attacks
(bmo#1281482, boo#1021840)
CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841)
CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and
Firefox ESR 45.7 (boo#1021824)
- switch Firefox to Gtk3 for Tumbleweed
- removed obsolete patches

* mozilla-flex_buffer_overrun.patch
- updated RPM locale support tag
- improve recognition of LANGUAGE env variable (boo#1017174)
- add upstream patch to fix PPC64LE (bmo#1319389)
(mozilla-skia-ppc-endianess.patch)
- fix build without skia (big endian archs) (bmo#1319374)
(mozilla-disable-skia-be.patch)

Mon Dec 12 13:00:00 2016 wrAATTrosenauer.org
- update to Firefox 50.1.0 (boo#1015422)

* MFSA 2016-94
CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
CVE-2016-9899: Use-after-free while manipulating DOM events and
audio elements (bmo#1317409)
CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
CVE-2016-9898: Use-after-free in Editor while manipulating
DOM subtrees (bmo#1314442)
CVE-2016-9900: Restricted external resources can be loaded by
SVG images through data URLs (bmo#1319122)
CVE-2016-9904: Cross-origin information leak in shared atoms
(bmo#1317936)
CVE-2016-9901: Data from Pocket server improperly sanitized
before execution (bmo#1320057)
CVE-2016-9902: Pocket extension does not validate the origin
of events (bmo#1320039)
CVE-2016-9903: XSS injection vulnerability in add-ons SDK
(bmo#1315435)
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
Firefox ESR 45.6

Fri Dec 9 13:00:00 2016 cgrobertsonAATTnovell.com
- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)

Thu Dec 1 13:00:00 2016 wrAATTrosenauer.org
- update to Firefox 50.0.2

* Firefox crashes with 3rd party Chinese IME when using IME text
(50.0.1)
security fixes (in 50.0.1): (boo#1012807)

* MFSA 2016-91
CVE-2016-9078: data: URL can inherit wrong origin after an
HTTP redirect (bmo#1317641)
security fixes (in 50.0.2) (boo#1012964)

* MFSA 2016-92
CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)

Mon Nov 14 13:00:00 2016 wrAATTrosenauer.org
- update to Firefox 50.0 (boo#1009026)

* requires NSS 3.26.2
new features

* Updates to keyboard shortcuts
Set a preference to have Ctrl+Tab cycle through tabs in recently
used order
View a page in Reader Mode by using Ctrl+Alt+R

* Added option to Find in page that allows users to limit search to
whole words only

* Added download protection for a large number of executable file
types on Windows, Mac and Linux

* Fixed rendering of dashed and dotted borders with rounded corners
(border-radius)

* Added a built-in Emoji set for operating systems without native
Emoji fonts (Windows 8.0 and lower and Linux)

* Blocked versions of libavcodec older than 54.35.1

* additional locale
security fixes:

* MFSA 2016-89
CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
(bmo#1292443)
CVE-2016-5292: URL parsing causes crash (bmo#1288482)
CVE-2016-5293: Write to arbitrary file with updater and moz
maintenance service using updater.log hardlink
(Windows only) (bmo#1246945)
CVE-2016-5294: Arbitrary target directory for result files of
update process (Windows only) (bmo#1246972)
CVE-2016-5297: Incorrect argument length checking in Javascript
(bmo#1303678)
CVE-2016-9064: Addons update must verify IDs match between
current and new versions (bmo#1303418)
CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
(Android only) (bmo#1306696)
CVE-2016-9066: Integer overflow leading to a buffer overflow in
nsScriptLoadHandler (bmo#1299686)
CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
(bmo#1301777, bmo#1308922 (CVE-2016-9069))
CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
(bmo#1300083) (Windows only)
CVE-2016-9075: WebExtensions can access the mozAddonManager API
and use it to gain elevated privileges (bmo#1295324)
CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
to cross-origin images, allowing timing attacks on them
(bmo#1298552)
CVE-2016-5291: Same-origin policy violation using local HTML file
and saved shortcut file (bmo#1292159)
CVE-2016-5295: Mozilla Maintenance Service: Ability to read
arbitrary files as SYSTEM (Windows only) (bmo#1247239)
CVE-2016-5298: SSL indicator can mislead the user about the real
URL visited (bmo#1227538) (Android only)
CVE-2016-5299: Firefox AuthToken in broadcast protected with
signature-level permission can be accessed by an
application installed beforehand that defines the
same permissions (bmo#1245791) (Android only)
CVE-2016-9061: API Key (glocation) in broadcast protected with
signature-level permission can be accessed by an
application installed beforehand that defines the
same permissions (Android only) (bmo#1245795)
CVE-2016-9062: Private browsing browser traces (android) in
browser.db and wal file (Android only) (bmo#1294438)
CVE-2016-9070: Sidebar bookmark can have reference to chrome window
(bmo#1281071)
CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
(bmo#1289273)
CVE-2016-9074: Insufficient timing side-channel resistance in
divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
CVE-2016-9076: select dropdown menu can be used for URL bar
spoofing on e10s (bmo#1276976)
CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
in expat (bmo#1274777)
CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
(bmo#1285003)
CVE-2016-5289: Memory safety bugs fixed in Firefox 50
CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
- make aarch64 build more similar to x86_64 build (remove conditionals
that don't seem to be necessary anymore)

Mon Oct 24 14:00:00 2016 astiegerAATTsuse.com
- Mozilla Firefox 49.0.2:

* CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)

* CVE-2016-5288: Web content can read cache entries (bsc#1006476)

* Asynchronous rendering of the Flash plugins is now enabled by
default

* Change D3D9 default fallback preference to prevent graphical
artifacts

* Network issue prevents some users from seeing the Firefox UI on
startup

* Web compatibility issue with file uploads

* Web compatibility issue with Array.prototype.values

* Diagnostic information on timing for tab switching

* Fix a Canvas filters graphics issue affecting HTML5 apps

Wed Oct 12 14:00:00 2016 badshah400AATTgmail.com
- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
and fixes have been incorporated by upstream.

Fri Sep 23 14:00:00 2016 astiegerAATTsuse.com
- Mozilla Firefox 49.0.1:

* Mitigate a startup crash issue caused by Websense - bmo#1304783

Tue Sep 20 14:00:00 2016 wrAATTrosenauer.org
- update to Firefox 49.0 (boo#999701)
new features

* Updated Firefox Login Manager to allow HTTPS pages to use saved
HTTP logins.

* Added features to Reader Mode that make it easier on the eyes and
the ears

* Improved video performance for users on systems that support
SSE3 without hardware acceleration

* Added context menu controls to HTML5 audio and video that let users
loop files or play files at 1.25x speed

* Improvements in about:memory reports for tracking font memory usage
security related

* MFSA 2016-85
CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
mozilla::net::IsValidReferrerPolicy
CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
nsCaseTransformTextRunFactory::TransformString
CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
PropertyProvider::GetSpacingInternal
CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
CVE-2016-5273 (bmo#1280387) - crash in
mozilla::a11y::HyperTextAccessible::GetChildOffset
CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
mozilla::a11y::DocAccessible::ProcessInvalidationList
CVE-2016-5274 (bmo#1282076) - use-after-free in
nsFrameManager::CaptureFrameState
CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
nsBMPEncoder::AddImageFrame
CVE-2016-5279 (bmo#1249522) - Full local path of files is available
to web pages after drag and drop
CVE-2016-5280 (bmo#1289970) - Use-after-free in
mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
from non-whitelisted schemes
CVE-2016-5283 (bmo#928187) -