RPM Search

Changelog for MozillaFirefox-devel-91.4.0-lp152.2.74.1.x86_64.rpm :

* Tue Dec 07 2021 Martin Sirringhaus - Firefox Extended Support Release 91.4.0 ESR
* Fixed: Various security fixes- Mozilla Firefox ESR 91.4.0 MFSA 2021-53 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120) URL leakage when navigating while executing asynchronous function
* CVE-2021-43537 (bmo#1738237) Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091) Missing fullscreen and pointer lock notification when requesting both
* CVE-2021-43539 (bmo#1739683) GC rooting failure when calling wasm instance methods
* CVE-2021-43541 (bmo#1696685) External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281) XMLHttpRequest error codes could have leaked the existence of an external protocol handler
* CVE-2021-43543 (bmo#1738418) Bypass of CSP sandbox directive when embedding
* CVE-2021-43545 (bmo#1720926) Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751) Cursor spoofing could overlay user interface when native cursor is zoomed
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751, bmo#1737009, bmo#1739372, bmo#1739421) Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
* Thu Dec 02 2021 Andreas Stieger - remove x-scheme-handler/ftp from MozillaFirefox.desktop boo#1193321
* Tue Nov 02 2021 Martin Sirringhaus - Firefox Extended Support Release 91.3.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2021-49 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517) iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156) Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194) Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750) Firefox could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507 (bmo#1730935) Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0008 (bmo#1667102) Use-after-free in HTTP2 Session object
* CVE-2021-38508 (bmo#1366818) Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* CVE-2021-38509 (bmo#1718571) Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510 (bmo#1731779) Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048, bmo#1735152) Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3- Removed mozilla-bmo1735309.patch which is now upstream
* Wed Oct 20 2021 Martin Sirringhaus - Rebase mozilla-sandbox-fips.patch to punch another hole in the sandbox containment, to be able to open /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. This fixes bsc#1191815 and bsc#1190141- Add a way to let users overwrite MOZ_ENABLE_WAYLAND- Rename mozilla-neqo-fix-fips-crash.patch to mozilla-bmo1735309.patch and rebase to the official upstream patch
* Tue Oct 05 2021 Martin Sirringhaus - Firefox Extended Support Release 91.2.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2021-45 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813, https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* Fri Oct 01 2021 Martin Sirringhaus - Add mozilla-neqo-fix-fips-crash.patch to fix crash in FIPS mode (bsc#1190710)
* Thu Sep 09 2021 Charles Robertson - Added firefox-i586-conflict-typedef-error.patch to fix 32bit i586 compile error
* Wed Sep 08 2021 Charles Robertson - Firefox Extended Support Release 91.1.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2021-40 (bsc#1190269, bsc#1190274)
* CVE-2021-38492 (bmo#1721107) Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101, bmo#1724107) Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1- Removed mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch made obsolete by upstream changes.- Rebased patches: firefox-branded-icons.patch firefox-kde.patch mozilla-aarch64-startup-crash.patch mozilla-bmo1504834-part1.patch mozilla-bmo1504834-part4.patch mozilla-bmo1512162.patch mozilla-bmo1626236.patch mozilla-bmo849632.patch mozilla-kde.patch mozilla-ntlm-full-path.patch mozilla-s390-context.patch mozilla-sandbox-fips.patch
* Wed Aug 18 2021 Martin Sirringhaus - Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bug 1704404) (bmo#1704404)
* Fixed: Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to- tab results in the address bar panel (bug 1720369) (bmo#1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses- Re-add mozilla-silence-no-return-type.patch
* Wed Aug 11 2021 Charles Robertson - Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are: - A number of user interface changes. For more information, see the Firefox 89 release notes. - Firefox now supports logging into Microsoft, work, and school accounts using Windows single sign-on. Learn more - On Windows, updates can now be applied in the background while Firefox is not running. - Firefox for Windows now offers a new page about:third-party to help identify compatibility issues caused by third-party applications - Version 2 of Firefox\'s SmartBlock feature further improves private browsing. Third party Facebook scripts are blocked to prevent you from being tracked, but are now automatically loaded \"just in time\" if you decide to \"Log in with Facebook\" on any website. - Enhanced the privacy of the Firefox Browser\'s Private Browsing mode with Total Cookie Protection, which confines cookies to the site where they were created, preventing companis from using cookies to track your browsing across sites. This feature was originally launched in Firefox\'s ETP Strict mode. - PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features. - You\'ll encounter less website breakage in Private Browsing and Strict Enhanced Tracking Protection with SmartBlock, which provides stand-in scripts so that websites load properly. - Improved Print functionality with a cleaner design and better integration with your computer\'s printer settings. - Firefox now protects you from supercookies, a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies. By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next. - Firefox now remembers your preferred location for saved bookmarks, displays the bookmarks toolbar by default on new tabs, and gives you easy access to all of your bookmarks via a toolbar folder. - Native support for macOS devices built with Apple Silicon CPUs brings dramatic performance improvements over the non- native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a new Apple device, follow these steps to upgrade to the latest Firefox. - Pinch zooming will now be supported for our users with Windows touchscreen devices and touchpads on Mac devices. Firefox users may now use pinch to zoom on touch-capable devices to zoom in and out of webpages. - We’ve improved functionality and design for a number of Firefox search features:
* Selecting a search engine at the bottom of the search panel now enters search mode for that engine, allowing you to see suggestions (if available) for your search terms. The old behavior (immediately performing a search) is available with a shift-click.
* When Firefox autocompletes the URL of one of your search engines, you can now search with that engine directly in the address bar by selecting the shortcut in the address bar results.
* We’ve added buttons at the bottom of the search panel to allow you to search your bookmarks, open tabs, and history. - Firefox supports AcroForm, which will allow you to fill in, print, and save supported PDF forms and the PDF viewer also has a new fresh look. - For our users in the US and Canada, Firefox can now save, manage, and auto-fill credit card information for you, making shopping on Firefox ever more convenient. - In addition to our default, dark and light themes, with this release, Firefox introduces the Alpenglow theme: a colorful appearance for buttons, menus, and windows. You can update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been implemented in the latest version of Firefox. See more details in the Firefox for Enterprise 91 Release Notes. MFSA 2021-33 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138) Race condition when resolving DNS names could have led to memory corruption
* CVE-2021-29981 (bmo#1707774) Live range splitting could have led to conflicting assignments in the JIT
* CVE-2021-29988 (bmo#1717922) Memory corruption as a result of incorrect style treatment
* CVE-2021-29983 (bmo#1719088) Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984 (bmo#1720031) Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204) Uninitialized memory in a canvas object could have led to memory corruption
* CVE-2021-29987 (bmo#1716129) Users could have been tricked into accepting unwanted permissions on Linux
* CVE-2021-29985 (bmo#1722083) Use-after-free media channels
* CVE-2021-29982 (bmo#1715318) Single bit data leak due to incorrect JIT optimization and type confusion
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178, bmo#1719998, bmo#1720568) Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990 (bmo#1544190, bmo#1716481, bmo#1717778, bmo#1719319, bmo#1722073) Memory safety bugs fixed in Firefox 91
* Tue Aug 10 2021 Martin Sirringhaus - Firefox Extended Support Release 78.13.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2021-34 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138) Race condition when resolving DNS names could have led to memory corruption
* CVE-2021-29988 (bmo#1717922) Memory corruption as a result of incorrect style treatment
* CVE-2021-29984 (bmo#1720031) Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204) Uninitialized memory in a canvas object could have led to memory corruption
* CVE-2021-29985 (bmo#1722083) Use-after-free media channels
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178, bmo#1719998, bmo#1720568) Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* Thu Jul 15 2021 William Brown - jsc#SLE-18626 - Migrate rust to parallel versioned packages allowing more flexible build requirements to be expressed.- Update Firefox to use the 1.43 version of Rust.
* Tue Jul 13 2021 Martin Sirringhaus - Firefox Extended Support Release 78.12.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2021-29 (bsc#1188275)
* CVE-2021-29970 (bmo#1709976) Use-after-free in accessibility features of a document
* CVE-2021-30547 (bmo#1715766) Out of bounds write in ANGLE
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, bmo#1711576, bmo#1714391) Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* Tue Jun 01 2021 Martin Sirringhaus - Firefox Extended Support Release 78.11.0 ESR
* Fixed: Various stability, functionality, and security fixes- Mozilla Firefox ESR 78.11 MFSA 2021-24 (bsc#1186696)
* CVE-2021-29964 (bmo#1706501) Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, bmo#1704722, bmo#1706041) Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11- Added the new Mozilla\'s GPG key, expiring on 2023-05-17 to the mozilla.keyring file
* Wed May 05 2021 Martin Sirringhaus - Firefox Extended Support Release 78.10.1 ESR
* Fixed: Resolved an issue caused by a recent Widevine plugin update which prevented some purchased video content from playing correctly (bmo#1705138)
* Fixed: Security fix MFSA 2021-18 (bsc#1185633)
* CVE-2021-29951 (bmo#1690062) Mozilla Maintenance Service could have been started or stopped by domain users
* Mon Apr 19 2021 Martin Sirringhaus - Firefox Extended Support Release 78.10.0 ESR
* Fixed: Various stability, functionality, and security fixes- Mozilla Firefox ESR 78.10 MFSA 2021-15 (bsc#1184960)
* CVE-2021-23994 (bmo#1699077) Out of bound write due to lazy initialization
* CVE-2021-23995 (bmo#1699835) Use-after-free in Responsive Design Mode
* CVE-2021-23998 (bmo#1667456) Secure Lock icon could have been spoofed
* CVE-2021-23961 (bmo#1677940) More internal network hosts could have been probed by a malicious webpage
* CVE-2021-23999 (bmo#1691153) Blob URLs may have been granted additional privileges
* CVE-2021-24002 (bmo#1702374) Arbitrary FTP command execution on FTP servers using an encoded URL
* CVE-2021-29945 (bmo#1700690) Incorrect size computation in WebAssembly JIT could lead to null-reads
* CVE-2021-29946 (bmo#1698503) Port blocking could be bypassed
* Wed Mar 24 2021 Martin Sirringhaus - Firefox Extended Support Release 78.9.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2021-11 (bsc#1183942)
* CVE-2021-23981 (bmo#1692832) Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982 (bmo#1677046) Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984 (bmo#1693664) Malicious extensions could have spoofed popup information
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718) Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
* Tue Feb 23 2021 Martin Sirringhaus - Firefox Extended Support Release 78.8.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2021-08 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23973 (bmo#1690976) MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597, bmo#786797) Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8- Update create-tar.sh to use https instead of http (bsc#1182357)
* Mon Feb 08 2021 Martin Sirringhaus - Firefox Extended Support Release 78.7.1 ESR
* Fixed: Prevent access to NTFS special paths that could lead to filesystem corruption. (bmo#1689598)
* Fixed: Security fix MFSA 2021-06 (bsc#1181848)
* MOZ-2021-0001 (bmo#1676636) Buffer overflow in depth pitch calculations for compressed textures
* Tue Jan 26 2021 Martin Sirringhaus - Firefox Extended Support Release 78.7.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2021-04 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940) Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020) Type confusion when using logical assignment operators in JavaScript switch statements
* CVE-2020-26976 (bmo#1674343) HTTPS pages could have been intercepted by a registered service worker when they should not have been
* CVE-2021-23960 (bmo#1675755) Use-after-poison for incorrectly redeclared JavaScript variables during GC
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736, bmo#1685260, bmo#1685925) Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7
* Thu Jan 07 2021 Martin Sirringhaus - Firefox Extended Support Release 78.6.1 ESR
* Fixed: Security fix
* Fixed: Fixed a crash during video playback on Apple Silicon devices (bmo#1683579) MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044 (bmo#1683964) Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
* Tue Dec 15 2020 Martin Sirringhaus - Firefox Extended Support Release 78.6.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-55 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed
* CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
* CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage
* CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
* Tue Nov 17 2020 Martin Sirringhaus - Firefox Extended Support Release 78.5.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-51 (bsc#1178824)
* CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls
* CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI
* CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571) Single-word search queries were also broadcast to local network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
* Mon Nov 09 2020 Charles Robertson - Firefox Extended Support Release 78.4.1 ESR
* Fixed: Security fix MFSA 2020-49 (bsc#1178588)
* CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for
* Tue Oct 20 2020 Charles Robertson - Firefox Extended Support Release 78.4.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570, bmo#https://github.com/sctplab/u srsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019) Use-after-free in usersctp
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760, bmo#1663439, bmo#1666140) Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Thu Oct 01 2020 Charles Robertson - Firefox Extended Support Release 78.3.1 ESR (bsc#1176756)
* Fixed: Fixed legacy preferences not being properly applied when set via GPO (bmo#1666836)
* Tue Sep 22 2020 Martin Sirringhaus - Firefox Extended Support Release 78.3.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-43 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487) Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140) XSS when pasting attacker-controlled data into a contenteditable element
* CVE-2020-15678 (bmo#1660211) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800) Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
* Wed Sep 16 2020 Martin Sirringhaus - Enhance fix for wayland-detection (bsc#1174420)
* Wed Sep 16 2020 Martin Sirringhaus - Try to fix langpack-parallelization by introducing separate obj-dirs for each lang (boo#1173986, boo#1167976)
* Tue Aug 25 2020 Charles Robertson - Firefox Extended Support Release 78.2.0 ESR
* Fixed: Various stability, functionality, and security fixes- Mozilla Firefox ESR 78.2 MFSA 2020-38 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199) Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214) Attacker-induced prompt for extension installation
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626, bmo#1656957) Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
* Mon Aug 24 2020 Charles Robertson - Added patch: firefox-dev-random-sandbox.patch (bsc#1174284)
* Firefox tab crash in FIPS mode
* Fri Aug 14 2020 Charles Robertson - Fix: Do not allow Firefox to use wayland on SLED15-SP0/1 (bsc#1174420)
* Wed Aug 05 2020 Martin Sirringhaus - Activate ccache- Parallelize langpack build
* Mon Aug 03 2020 Martin Sirringhaus - Fix broken translation-loading (boo#1173991)
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes- Google API key is not usable for geolocation service any more
* Tue Jul 28 2020 Martin Sirringhaus - Firefox Extended Support Release 78.1.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-32 (bsc#1174538)
* CVE-2020-15652 (bmo#1634872) Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514 (bmo#1642792) WebRTC data channel leaks internal address to peer
* CVE-2020-15655 (bmo#1645204) Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653 (bmo#1521542) Bypassing iframe sandbox when allowing popups
* CVE-2020-6463 (bmo#1635293) Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656 (bmo#1647293) Type confusion for special arguments in IonMonkey
* CVE-2020-15658 (bmo#1637745) Overriding file type when saving to disk
* CVE-2020-15657 (bmo#1644954) DLL hijacking due to incorrect loading path
* CVE-2020-15654 (bmo#1648333) Custom cursor can overlay user interface
* CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678) Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1
* Thu Jul 09 2020 Charles Robertson - Mozilla Firefox 78.0.2 MFSA 2020-28 (bsc#1173948)
* MFSA-2020-0003 (bmo#1644076) X-Frame-Options bypass using object or embed tags- Firefox Extended Support Release 78.0.2esr ESR
* Fixed: Security fix
* Fixed: Fixed an accessibility regression in reader mode (bmo#1650922)
* Fixed: Made the address bar more resilient to data corruption in the user profile (bmo#1649981)
* Fixed: Fixed a regression opening certain external applications (bmo#1650162)
* Thu Jul 02 2020 Martin Sirringhaus - Add specific requirement for libfreetype6 (bsc#1173613)
* Wed Jul 01 2020 Charles Robertson - Firefox Extended Support Release 78.0.1 ESR
* Fixed: Fixed an issue which could cause installed search engines to not be visible when upgrading from a previous release. (bmo#1649558)- Mozilla Firefox 78 MFSA 2020-24 (bsc#1173576)
* CVE-2020-12415 (bmo#1586630) AppCache manifest poisoning due to url encoded character processing
* CVE-2020-12416 (bmo#1639734) Use-after-free in WebRTC VideoBroadcaster
* CVE-2020-12417 (bmo#1640737) Memory corruption due to missing sign-extension for ValueTags on ARM64
* CVE-2020-12418 (bmo#1641303) Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874) Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437) Use-After-Free when trying to connect to a STUN server
* CVE-2020-12402 (bmo#1631597) RSA Key Generation vulnerable to side-channel attack
* CVE-2020-12421 (bmo#1308251) Add-On updates did not respect the same certificate trust rules as software updates
* CVE-2020-12422 (bmo#1450353) Integer overflow in nsJPEGEncoder::emptyOutputBuffer
* CVE-2020-12423 (bmo#1642400) DLL Hijacking due to searching %PATH% for a library
* CVE-2020-12424 (bmo#1562600) WebRTC permission prompt could have been bypassed by a compromised content process
* CVE-2020-12425 (bmo#1634738) Out of bound read in Date.parse()
* CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187, bmo#1637682) Memory safety bugs fixed in Firefox 78
* Tue Jun 30 2020 Charles Robertson - Firefox Extended Support Release 78.0esr ESR
* New: Some of the highlights of the new Extended Support Release are: - Kiosk mode - Client certificates - Service Worker and Push APIs are now enabled - The Block Autoplay feature is enabled - Picture-in-picture support - View and manage web certificates in about:certificate For more information about what\'s new in the Firefox 78 ESR release, see the more detailed release notes at support.mozilla.org.- Add patches to fix big endian problems:
* mozilla-s390x-skia-gradient.patch
* mozilla-bmo998749.patch
* mozilla-bmo1626236.patch- Add patch to fix broken build on ppc64le
* mozilla-bmo1512162.patch- Add patch to add screensharing capability on wayland
* mozilla-pipewire-0-3.patch- Rename firefox-fips.patch to mozilla-sandbox-fips.patch- Removed upstreamed patches:
* mozilla-cubeb-noreturn.patch
* mozilla-nestegg-big-endian.patch
* mozilla-openaes-decl.patch
* mozilla-s390x-bigendian.patch
* mozilla-sle12-lower-python-requirement.patch
* Tue Jun 02 2020 Martin Sirringhaus - Firefox Extended Support Release 68.9.0 ESR
* Fixed: Various stability and security fixes MFSA 2020-21 (bsc#1172402)
* CVE-2020-12405 (bmo#1619305, bmo#1632717) Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
* CVE-2020-12406 (bmo#1639590)
* CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox
* Wed May 27 2020 Charles Robertson - Removed %is_opensuse macro from spec file to align builds with openSUSE Leap.
* Tue May 05 2020 Martin Sirringhaus - Firefox Extended Support Release 68.8.0 ESR MFSA 2020-17 (bsc#1171186)
* CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown
* CVE-2020-12388 (bmo#1618911) Sandbox escape with improperly guarded Access Tokens
* CVE-2020-12389 (bmo#1554110) Sandbox escape with improperly separated process types
* CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation
* CVE-2020-12392 (bmo#1614468) Arbitrary local file access with \'Copy as cURL\'
* CVE-2020-12393 (bmo#1615471) Devtools\' \'Copy as cURL\' feature did not fully escape website-controlled data, potentially leading to command injection
* CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
* Tue Apr 07 2020 Martin Sirringhaus - Firefox Extended Support Release 68.7.0 ESR MFSA 2020-13 (bsc#1168874)
* CVE-2020-6828 (bmo#1617928) Preference overwrite via crafted Intent from malicious Android application
* CVE-2020-6827 (bmo#1622278) Custom Tabs in Firefox for Android could have the URI spoofed
* CVE-2020-6821 (bmo#1625404) Uninitialized memory could be read when using the WebGL copyTexSubImage method
* CVE-2020-6822 (bmo#1544181) Out of bounds write in GMPDecodeData when processing large images
* CVE-2020-6825 (bmo#1572541, bmo#1620193, bmo#1620203) Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
* Sat Apr 04 2020 Andreas Stieger - Mozilla Firefox 68.6.1esr MFSA 2020-11 (boo#1168630)
* CVE-2020-6819 (bmo#1620818) Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728) Use-after-free when handling a ReadableStream
* Fri Mar 20 2020 Charles Robertson - Added patch: firefox-fips.patch (bsc#1167231)
* FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled
* Tue Mar 10 2020 Martin Sirringhaus - Firefox Extended Support Release 68.6.0 ESR (bsc#1166238)
* Fixed: Various stability and security fixes MFSA 2020-09 (bsc#1132665)
* CVE-2020-6805 (bmo#1610880) Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308) BodyStream::OnInputStreamReady was missing protections against state confusion
* CVE-2020-6807 (bmo#1614971) Use-after-free in cubeb during stream destruction
* CVE-2020-6811 (bmo#1607742) Devtools\' \'Copy as cURL\' feature did not fully escape website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765) Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661) The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636, bmo#1614339) Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
* Tue Feb 11 2020 Charles Robertson - Firefox Extended Support Release 68.5.0 ESR
* Fixed: Various stability and security fixes- Mozilla Firefox ESR68.5 MFSA 2020-06 (bsc#1163368)
* CVE-2020-6796 (bmo#1610426) Missing bounds check on shared memory read in the parent process
* CVE-2020-6797 (bmo#1596668) Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944) Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6799 (bmo#1606596) Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543, bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785) Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* Tue Jan 21 2020 Martin Sirringhaus - Firefox Extended Support Release 68.4.2 ESR
* Fixed: Fixed various issues opening files with spaces in their path (bmo#1601905, bmo#1602726)
* Thu Jan 09 2020 Martin Sirringhaus - Firefox Extended Support Release 68.4.1 ESR
* Fixed: Security fix MFSA 2020-03 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with StoreElementHole and FallibleStoreElement
* Tue Jan 07 2020 Martin Sirringhaus - Firefox Extended Support Release 68.4.0 ESR
* Fixed: Various security fixes MFSA 2020-02 (bsc#1160305)
* CVE-2019-17015 (bmo#1599005) Memory corruption in parent process during new content process initialization on Windows
* CVE-2019-17016 (bmo#1599181) Bypass of AATTnamespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008) Heap address disclosure in parent process during content process initialization on Windows
* CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826) Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4- Removed patch that is now upstream: mozilla-bmo1511604.patch- Added patch to fix broken URL-bar on s390x: mozilla-bmo1602730.patch
* Tue Dec 03 2019 Martin Sirringhaus - Firefox Extended Support Release 68.3.0 ESR
* Changed: Updates to improve performance and stability MFSA 2019-37 (bsc#1158328)
* CVE-2019-17008 (bmo#1546331) Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156) Stack corruption due to incorrect number of arguments in WebRTC code
* CVE-2019-11745 (bmo#1586176) Out of bounds write in NSS when encrypting with a block cipher
* CVE-2019-17009 (bmo#1510494) Updater temporary files accessible to unprivileged processes
* CVE-2019-17010 (bmo#1581084) Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170) Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334) Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502) Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* Tue Nov 26 2019 Charles Robertson - Fix _constraints for ppc64le (bsc#1157652)
* Tue Nov 19 2019 Martin Sirringhaus - Add patch mozilla-bmo849632.patch to partially fix broken webGL sites on big endian machines (wrong colors)- Replace source-stamp.txt with tar_stamps- Reference create-tar.sh by direct commit-hash in the spec-file
* Tue Nov 05 2019 Martin Sirringhaus - Reactivate webRTC for all architectures
* Thu Oct 31 2019 Martin Sirringhaus - Add patch mozilla-bmo1504834-part4.patch to fix broken tab-titles on s390x
* Thu Oct 24 2019 Charles Robertson - Resolved issues fixed earlier:
* [bsc#1104841] Newer versions of firefox have a dependency on GLIBCXX_3.4.20
* [bsc#1129528] SLES15 - IBM s390-tools-2.1.0 Maintenance Patches (#6)
* [bsc#1137990] Firefox 60.7 ESR changed the user interface language
* Mon Oct 21 2019 Martin Sirringhaus - Firefox Extended Support Release 68.2.0 ESR
* Enterprise: New administrative policies were added. More information and templates are available at the Policy Templates page.
* Fixed: Various security fixes MFSA 2019-33 (bsc#1154738)
* CVE-2019-15903 (bmo#1584907) Heap overflow in expat library in XML_GetCurrentLineNumber
* CVE-2019-11757 (bmo#1577107) Use-after-free when creating index updates in IndexedDB
* CVE-2019-11758 (bmo#1536227) Potentially exploitable crash due to 360 Total Security
* CVE-2019-11759 (bmo#1577953) Stack buffer overflow in HKDF output
* CVE-2019-11760 (bmo#1577719) Stack buffer overflow in WebRTC networking
* CVE-2019-11761 (bmo#1561502) Unintended access to a privileged JSONView object
* CVE-2019-11762 (bmo#1582857) document.domain-based origin isolation has same-origin- property violation
* CVE-2019-11763 (bmo#1584216) Incorrect HTML parsing results in XSS bypass technique
* CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223, bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933, bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599, bmo#1586845) Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2- removed now upstream patches:
* mozilla-bmo1573381.patch
* mozilla-bmo1512162.patch
* Fri Oct 11 2019 Martin Sirringhaus - Add patch to lower python requirement to 3.4 in order to build on SLE-12:
* mozilla-sle12-lower-python-requirement.patch
* Thu Oct 10 2019 Martin Sirringhaus - Add Provides-line for translations-common (bsc#1153423)
* Tue Oct 08 2019 Martin Sirringhaus - Moved some settings from branding-package here (bsc#1153869)- add patch to fix LTO build (w/o PGO):
* mozilla-fix-top-level-asm.patch- remove obsolete kde.js setting (boo#1151186) and related patch:
* firefox-add-kde.js-in-order-to-survive-PGO-build.patch
* modified firefox-kde.patch for the removal of kde.js
* Tue Sep 24 2019 Martin Sirringhaus - Update mozilla-bmo1512162.patch to the patch now commited upstream
* No more -O1 builds for ppc64le necessary- Disable DoH by default
* Not yet officially active in ESR, but just to make sure
* Mon Sep 09 2019 Charles Robertson - Mozilla Firefox ESR 68.1 Resolves the following bigendian s390x issues:
* [bsc#1109465] Latest Firefox update not released for s390x
* [bsc#1117473] Firefox segmentation fault on s390vsl082
* [bsc#1123482] openQA test fails in firefox - firefox doesn\'t start
* [bsc#1124525] Firefox is core dumping on SLES15 s390x
* [bsc#1133810] Firefox: Segmentation fault (core dumped) MFSA 2019-26 (bsc#1149323)
* CVE-2019-11751 (bmo#1572838) Malicious code execution through command line parameters
* CVE-2019-11746 (bmo#1564449) Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033) XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715) Same-origin policy violation with SVG filters and canvas to steal cross-origin images
* CVE-2019-11736 (bmo#1551913, bmo#1552206) File manipulation and privilege escalation in Mozilla Maintenance Service
* CVE-2019-11753 (bmo#1574980) Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
* CVE-2019-11752 (bmo#1501152) Use-after-free while extracting a key value in IndexedDB
* CVE-2019-9812 (bmo#1538008, bmo#1538015) Sandbox escape through Firefox Sync
* CVE-2019-11743 (bmo#1560495, bmo#https://w3c.github.io/navigation-timing) Cross-origin access to unload event attributes
* CVE-2019-11748 (bmo#1564588) Persistence of WebRTC permissions in a third party context
* CVE-2019-11749 (bmo#1565374) Camera information available without prompting using getUserMedia
* CVE-2019-11750 (bmo#1568397) Type confusion in Spidermonkey
* CVE-2019-11738 (bmo#1452037) Content security policy bypass through hash-based sources in directives
* CVE-2019-11747 (bmo#1564481) \'Forget about this site\' removes sites from pre-loaded HSTS list
* CVE-2019-11735 (bmo#1561404, bmo#1561484, bmo#1561912, bmo#1565744, bmo#1568047, bmo#1568858, bmo#1570358) Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
* CVE-2019-11740 (bmo#1563133, bmo#1573160) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9- Mozilla Firefox ESR 68.0.2
* Fixed: Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar (bmo#1560228)
* Fixed: Allow fonts to be loaded via file:// URLs when opening a page locally (bmo#1565942)
* Fixed: Printing emails from the Outlook web app no longer prints only the header and footer (bmo#1567105)
* Fixed: Fixed a bug causing some images not to be displayed on reload, including on Google Maps (bmo#1565542)
* Fixed: Fixed an error when starting external applications configured as URI handlers (bmo#1567614)
* Fixed: Security fixes- MFSA 2019-24 (bsc#1145665)
* CVE-2019-11733 (bmo#1565780) Stored passwords in \'Saved Logins\' can be copied without master password entry- Mozilla Firefox ESR 68.0.1
* macOS releases are now signed by the Apple notary service, allowing Firefox to properly run on macOS 10.15 Beta releases
* Fixed missing Full Screen button when watching videos in full screen mode on HBO GO (bmo#1562837)
* Fixed a bug causing incorrect messages to appear for some locales when sites try to request the use of the Storage Access API (bmo#1558503)
* Users in Russian regions may have their default search engine changed (bmo#1565315)
* Built-in search engines in some locales do not function correctly (bmo#1565779)
* SupportMenu policy doesn\'t always work (bmo#1553290)
* Allow the new ExtensionSettings policy to work with GPO on Windows (bmo#1553586)
* Allow the privacy.file_unique_origin pref to be controlled by policy (bmo#1563759)- Mozilla Firefox ESR 68.0
* Dark mode in reader view
* Improved extension security and discovery
* Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences
* Camera and microphone access now require an HTTPS connection MFSA 2019-21 (bsc#1140868)
* CVE-2019-9811 (bmo#1523741, bmo#1538007, bmo#1539598, bmo#1539759, bmo#1563327) Sandbox escape via installation of malicious language pack
* CVE-2019-11711 (bmo#1552541) Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804) Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
* CVE-2019-11713 (bmo#1528481) Use-after-free with HTTP/2 cached stream
* CVE-2019-11714 (bmo#1542593) NeckoChild can trigger crash when accessed off of main thread
* CVE-2019-11729 (bmo#1515342) Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523) HTML parsing error can contribute to content XSS
* CVE-2019-11716 (bmo#1552632) globalThis not enumerable until accessed
* CVE-2019-11717 (bmo#1548306) Caret character improperly escaped in origins
* CVE-2019-11718 (bmo#1408349) Activity Stream writes unsanitized content to innerHTML
* CVE-2019-11719 (bmo#1540541) Out-of-bounds read when importing curve25519 private key
* CVE-2019-11720 (bmo#1556230) Character encoding XSS vulnerability
* CVE-2019-11721 (bmo#1256009) Domain spoofing through unicode latin \'kra\' character
* CVE-2019-11730 (bmo#1558299) Same-origin policy treats all files in a directory as having the same-origin
* CVE-2019-11723 (bmo#1528335) Cookie leakage during add-on fetching across private browsing boundaries
* CVE-2019-11724 (bmo#1512511) Retired site input.mozilla.org has remote troubleshooting permissions
* CVE-2019-11725 (bmo#1483510) Websocket resources bypass safebrowsing protections
* CVE-2019-11727 (bmo#1552208) PKCS#1 v1.5 signatures can be used for TLS 1.3
* CVE-2019-11728 (bmo#1552993) Port scanning through Alt-Svc header
* CVE-2019-11710 (bmo#1507696, bmo#1510345, bmo#1533842, bmo#1535482, bmo#1535848, bmo#1537692, bmo#1540590, bmo#1544180, bmo#1547472, bmo#1547760, bmo#1548611, bmo#1549768, bmo#1551907) Memory safety bugs fixed in Firefox 68
* CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219, bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822, bmo#1550498, bmo#1550498) Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8- removed patches that are now upstream
* mozilla-bmo1375074.patch
* mozilla-bmo1436242.patch
* mozilla-bmo256180.patch
* mozilla-i586-DecoderDoctorLogger.patch
* mozilla-i586-domPrefs.patch
* mozilla-bmo1464766.patch
* mozilla-bigendian_bit_flags_alias.patch- removed workaround-patch for build memory consumption on i586; other mitigations meanwhile introduced (mainly parallelity) will be sufficient
* mozilla-reduce-files-per-UnifiedBindings.patch- added patch to make builds reproducible
* mozilla-bmo1568145.patch- added a bunch of patches mainly for big endian platforms
* mozilla-bmo1504834-part1.patch
* mozilla-bmo1504834-part2.patch
* mozilla-bmo1504834-part3.patch
* mozilla-bmo1511604.patch
* mozilla-bmo1512162.patch
* mozilla-bmo1554971.patch
* mozilla-bmo1573381.patch
* mozilla-nestegg-big-endian.patch- added patches to fix build on armv7:
* mozilla-bmo1463035.patch
* mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch- added patch to fix non-return function
* mozilla-cubeb-noreturn.patch- added patch to fix aarch64 build:
* mozilla-fix-aarch64-libopus.patch (bmo#1539737)- added patch to enable PGO for x86_64.
* firefox-add-kde.js-in-order-to-survive-PGO-build.patch- added patch to reduce build-load
* mozilla-reduce-rust-debuginfo.patch
* Fri Jun 21 2019 Martin Sirringhaus - Mozilla Firefox Firefox 60.7.2 MFSA 2019-19 (bsc#1138872)
* CVE-2019-11708 (bmo#1559858) sandbox escape using Prompt:Open
* Wed Jun 19 2019 Martin Sirringhaus - Build Firefox with gcc instead of clang (bsc#1138688)
* Wed Jun 19 2019 Martin Sirringhaus - Mozilla Firefox Firefox 60.7.1 MFSA 2019-18 (bsc#1138614)
* CVE-2019-11707 (bmo#1544386) Type confusion in Array.pop- Added the new Mozilla\'s GPG key with subkey fingerprint 097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D 572E, expiring on 2021-05-29 to the mozilla.keyring file
* Tue Jun 11 2019 Martin Sirringhaus - Fix broken language plugins (bsc#1137792)
* Tue May 21 2019 Martin Sirringhaus - update to Firefox ESR 60.7 (bsc#1135824)
* Font and date adjustments to accommodate the new Reiwa era in Japan
* MFSA 2019-14/CVE-2019-9817 (bmo#1540221) Stealing of cross-domain images using canvas
* MFSA 2019-14/CVE-2019-9800 (bmo#1499108, bmo#1499719, bmo#1516325, bmo#1532465, bmo#1533554, bmo#1534593, bmo#1535194, bmo#1535612, bmo#1538042, bmo#1538619, bmo#1538736, bmo#1540136, bmo#1540166, bmo#1541580, bmo#1542097, bmo#1542324, bmo#1546327) Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
* MFSA 2019-14/CVE-2019-9816 (bmo#1536768) Type confusion with object groups and UnboxedObjects
* MFSA 2019-14/CVE-2019-9815 (bmo#1546544, bmo#https://mdsattacks.com/) Disable hyperthreading on content JavaScript threads on macOS
* MFSA 2019-14/CVE-2019-11698 (bmo#1543191) Theft of user history data through drag and drop of hyperlinks to and from bookmarks
* MFSA 2019-14/CVE-2019-11692 (bmo#1544670) Use-after-free removing listeners in the event listener manager
* MFSA 2019-14/CVE-2019-11693 (bmo#1532525) Buffer overflow in WebGL bufferdata on Linux
* MFSA 2019-14/CVE-2019-7317 (bmo#1542829) Use-after-free in png_image_free of libpng library
* MFSA 2019-14/CVE-2019-9820 (bmo#1536405) Use-after-free of ChromeEventHandler by DocShell
* MFSA 2019-14/CVE-2019-9818 (bmo#1542581) Use-after-free in crash generation server
* MFSA 2019-14/CVE-2019-11691 (bmo#1542465) Use-after-free in XMLHttpRequest
* MFSA 2019-14/CVE-2019-9819 (bmo#1532553) Compartment mismatch with fetch API
* MFSA 2019-14/CVE-2019-11694 (bmo#1534196) Uninitialized memory memory leakage in Windows sandbox
* Fri May 17 2019 Martin Sirringhaus - Sync with Devel:Desktop:Mozilla:
*:next
* Tue May 14 2019 Charles Robertson - Enable Firefox to build with Rust >= 1.30 with fix. See below.
* Thu May 09 2019 Charles Robertson - update to 60.6.3 (bmo#1549249)
* Further improvements to re-enable web extensions which had been disabled for users with a master password set.
* Mon May 06 2019 Peter Simons - update to 60.6.2 (bsc#1134126)
* Repaired certificate chain to re-enable web extensions that had been disabled.
* Thu Apr 18 2019 Jeff Kowalczyk - Update BuildRequires rust >= 1.30 from 1.24
* Upstream Firefox ESR presumes rust version stable at release (1.24). SUSE currently uses improved packaging for rust >= 1.30.
* boo#1130694 rust 1.33.0 breaks Firefox and Thunderbird due to missing macro comment docs in Firefox rust sources bmo#1539901 ESR 60 build fails with Rust 1.33 due to missing documentation on macros in stylo bmo#1519629 Stylo fails with --enable-warnings-as-errors using Rust 1.33
* Fix build using RUSTFLAGS=\"--cap-lints allow\" Preferred alternative to patching and revendoring stylo rust crates Revisit with intent to remove in next Firefox ESR 68.0 2019-07-09
* Wed Mar 27 2019 cgrobertsonAATTsuse.com- Fixed translations provides
* Fri Mar 22 2019 cgrobertsonAATTsuse.com- update to Firefox ESR 60.6.1 (bsc#1130262)
* MFSA 2019-10/CVE-2019-9813 (bmo#1538006) Ionmonkey type confusion with __proto__ mutations
* MFSA 2019-10/CVE-2019-9810 (bmo#1537924) IonMonkey MArraySlice has incorrect alias information
* Tue Mar 19 2019 cgrobertsonAATTsuse.com- update to Firefox ESR 60.6 (bsc#1129821)
* MFSA 2019-08/CVE-2018-18506 (bmo#1503393) Proxy Auto-Configuration file can define localhost access to be proxied
* MFSA 2019-08/CVE-2019-9801 (bmo#1527717) Windows programs that are not \'URL Handlers\' are exposed to web content
* MFSA 2019-08/CVE-2019-9788 (bmo#1506665, bmo#1516834, bmo#1518001, bmo#1518774, bmo#1521214, bmo#1521304, bmo#1523362, bmo#1524214, bmo#1524755, bmo#1529203) Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
* MFSA 2019-08/CVE-2019-9790 (bmo#1525145) Use-after-free when removing in-use DOM elements
* MFSA 2019-08/CVE-2019-9791 (bmo#1530958) Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey
* MFSA 2019-08/CVE-2019-9792 (bmo#1532599) IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
* MFSA 2019-08/CVE-2019-9793 (bmo#1528829) Improper bounds checks when Spectre mitigations are disabled
* MFSA 2019-08/CVE-2019-9794 (bmo#1530103) Command line arguments not discarded during execution
* MFSA 2019-08/CVE-2019-9795 (bmo#1514682) Type-confusion in IonMonkey JIT compiler
* MFSA 2019-08/CVE-2019-9796 (bmo#1531277) Use-after-free with SMIL animation controller- Fix for [bsc#1127987] MozillaFirefox-translations-common causing error on update
* Tue Feb 26 2019 cgrobertsonAATTsuse.com- Mozilla Firefox 60.5.2esr:
* Fix a frequent crash when reading various Reuters news articles (bmo#1505844)
* Wed Feb 13 2019 alarrosaAATTsuse.com- Update to Firefox ESR 60.5.1 MFSA-2019-05 (bsc#1125330)
* CVE-2018-18356 (bmo#1525817) A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash.
* CVE-2019-5785 (bmo#1525433) An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash.
* CVE-2018-18335 (bmo#1525815) A buffer overflow vulnerability in the Skia library can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR. Note: this does not affect other versions and platforms where Canvas 2D acceleration is already disabled by default.
* Wed Jan 30 2019 cgrobertsonAATTsuse.com- Update to Firefox ESR 60.5 MFSA 2019-02 (bsc#1122983)
* CVE-2018-18501 (bmo#1460619, bmo#1502871, bmo#1512450, bmo#1513201, bmo#1516514, bmo#1516738, bmo#1517542) Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
* CVE-2018-18500 (bmo#1510114) Use-after-free parsing HTML5 stream
* CVE-2018-18505 (bmo#1087565, bmo#1497749) Privilege escalation through IPC channel messages- Removed obsolete patches: [mozilla-no-stdcxx-check.patch] Applied upstream [mozilla-s390-nojit.patch] Applied upstream
* Thu Jan 17 2019 cgrobertsonAATTsuse.com- Fix for language pack build error (bsc#1120374)
* Thu Dec 20 2018 Karol Babioch - Revert dependency for branding package back to >= 60 due to dependency issues.
* Fri Dec 14 2018 cgrobertsonAATTsuse.com- Depend on branding package version >= 60.0
* Wed Dec 12 2018 cgrobertsonAATTsuse.com- Mozilla Firefox 60.4.0esr:
* Updated list of currency codes to include Unidad Previsional (UYW) (bmo#1499028) MFSA 2018-30 (bsc#1119105)
* CVE-2018-17466 bmo#1488295 Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
* CVE-2018-18492 bmo#1499861 Use-after-free with select element
* CVE-2018-18493 bmo#1504452 Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964 Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
* CVE-2018-18498 bmo#1500011 Integer overflow when calculating buffer sizes for images
* CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759 bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471 Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4- requires NSS >= 3.36.6- Removed obsolete patch: [mozilla-update-cc-crate.patch] Applied upstream
* Tue Oct 23 2018 alarrosaAATTsuse.com- Mozilla Firefox 60.3.0esr:
* Various stability and regression fixes MFSA 2018-27 bsc#1112852
* CVE-2018-12392 bmo#1492823 Crash with nested event loops
* CVE-2018-12393 bmo#1495011 Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12395 bmo#1467523 WebExtension bypass of domain restrictions through header rewriting
* CVE-2018-12396 bmo#1483602 WebExtension content scripts can execute in disallowed contexts
* CVE-2018-12397 bmo#1487478 WebExtension local file access vulnerability
* CVE-2018-12389 bmo#1498460, bmo#1499198 Memory safety bugs fixed in Firefox ESR 60.3
* CVE-2018-12390 bmo#1487098 bmo#1487660 bmo#1490234 bmo#1496159 bmo#1443748 bmo#1496340 bmo#1483905 bmo#1493347 bmo#1488803 bmo#1498701 bmo#1498482 bmo#1442010 bmo#1495245 bmo#1483699 bmo#1469486 bmo#1484905 bmo#1490561 bmo#1492524 bmo#1481844 Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3- Drop mozilla-bmo1472538-update-bindgen.patch which was already merged upstream- Update mozilla-update-cc-crate.patch, since cc was updated to 1.0.9 upstream, but this patch still updates it to a newer version
* Thu Oct 11 2018 alarrosaAATTsuse.com- Update create-tar.sh and source-stamp.txt as should be done with every version update.
* Tue Oct 09 2018 alarrosaAATTsuse.com- Mozilla Firefox 60.2.2esr: MFSA 2018-24
* CVE-2018-12386 (bsc#1110506, bmo#1493900) Type confusion in JavaScript allowed remote code execution
* CVE-2018-12387 (bsc#1110507, bmo#1493903) Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process- Avoid undefined behavior in IPC fd-passing code with mozilla-bmo1436242.patch (boo#1094767, bmo#1436242)- Mozilla Firefox 60.2.1esr: MFSA 2018-23
* CVE-2018-12385 (boo#1109363, bmo#1490585) Crash in TransportSecurityInfo due to cached data
* CVE-2018-12383 (boo#1107343, bmo#1475775) Setting a master password did not delete unencrypted previously stored passwords
* Fixed a startup crash affecting users migrating from older ESR releases
* Clean up old NSS DB files after upgrading- Fix typo in an old changelog entry which mentioned a wrong patch file and really remove mozilla-glibc-getrandom.patch as should have been done some weeks ago.
* Wed Oct 03 2018 cgrobertsonAATTsuse.com- bsc#1109465 - Add mozilla-bmo1472538-update-bindgen.patch and mozilla-update-cc-crate.patch. This fixes an endianness problem in bindgen\'s handling of bitfields, which was causing Firefox to crash on startup on big-endian machines. Also, updates the cc crate, which was buggy in the version that was originally vendored in.- added patch [mozilla-bigendian_bit_flags_alias.patch] (bmo#1488552)
* Fri Sep 07 2018 pcernyAATTsuse.com- update to Firefox ESR 60.2 (bsc#1107343)
* MFSA 2018-20/CVE-2018-12381 (bmo#1435319) Dragging and dropping Outlook email message results in page navigation
* MFSA 2018-20/CVE-2017-16541 (bmo#1412081) Proxy bypass using automount and autofs
* MFSA 2018-20/CVE-2018-12376 (bmo#1450989, bmo#1466577, bmo#1466991, bmo#1467363, bmo#1467889, bmo#1468738, bmo#1469309, bmo#1469914, bmo#1471953, bmo#1472925, bmo#1473161, bmo#1478575, bmo#1478849, bmo#1480092, bmo#1480517, bmo#1480521, bmo#1481093, bmo#1483120) Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
* MFSA 2018-20/CVE-2018-12377 (bmo#1470260) Use-after-free in refresh driver timers
* MFSA 2018-20/CVE-2018-12378 (bmo#1459383) Use-after-free in IndexedDB
* MFSA 2018-20/CVE-2018-12379 (bmo#1473113) Out-of-bounds write with malicious MAR file- removed obsolete patches: [mozilla-glibc-getrandom.patch] [firefox-no-default-ualocale.patch] [mozilla-bmo1005640.patch] [mozilla-language.patch] [mozilla-shared-nss-db.patch]- added patches sync with openSUSE: [mozilla-bmo1005535.patch] [mozilla-bmo1375074.patch] [mozilla-bmo1464766.patch] [mozilla-bmo256180.patch] [mozilla-i586-DecoderDoctorLogger.patch] [mozilla-i586-domPrefs.patch] additional architecture enablement: [mozilla-ppc-altivec_static_inline.patch] [mozilla-s390-context.patch]
* Wed Jun 27 2018 pcernyAATTsuse.com- update to Firefox ESR 52.9 (bsc#1098998)
* MFSA 2018-17/CVE-2018-5188 (bmo#1392739, bmo#1437842, bmo#1442722, bmo#1450688, bmo#1451297, bmo#1452576, bmo#1456189, bmo#1456975, bmo#1458048, bmo#1458264, bmo#1458270, bmo#1463494, bmo#1464063, bmo#1464079, bmo#1464829, bmo#1465108, bmo#1465898) Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
* MFSA 2018-17/CVE-2018-12368 (bmo#1468217, bmo#https://posts.specterops.io/the-tale-of- settingcontent-ms-files-f1ea253e4d39) No warning when opening executable SettingContent-ms files
* MFSA 2018-17/CVE-2018-12366 (bmo#1464039) Invalid data handling during QCMS transformations
* MFSA 2018-17/CVE-2018-12365 (bmo#1459206) Compromised IPC child process can list local filenames
* MFSA 2018-17/CVE-2018-12364 (bmo#1436241) CSRF attacks through 307 redirects and NPAPI plugins
* MFSA 2018-17/CVE-2018-12363 (bmo#1464784) Use-after-free when appending DOM nodes
* MFSA 2018-17/CVE-2018-12362 (bmo#1452375) Integer overflow in SSSE3 scaler
* MFSA 2018-17/CVE-2018-12360 (bmo#1459693) Use-after-free when using focus()
* MFSA 2018-17/CVE-2018-5156 (bmo#1453127) Media recorder segmentation fault when track type is changed during capture
* MFSA 2018-17/CVE-2018-12359 (bmo#1459162) Buffer overflow using computed size of canvas element
* Thu Jun 07 2018 pcernyAATTsuse.com- update to Firefox 52.8.1 (bsc#1096449)
* MFSA 2018-14/CVE-2018-6126 (bmo#1462682) Heap buffer overflow rasterizing paths in SVG with Skia
* Wed May 09 2018 wrAATTrosenauer.org- update to Firefox 52.8.0:
* Various stability and regression fixes
* Performance improvements to the Safe Browsing service to avoid slowdowns while updating site classification data- Security fixes (bsc#1092548, MFSA 2018-12):
* CVE-2018-5183 (bmo#1454692) Backport critical security fixes in Skia
* CVE-2018-5154 (bmo#1443092) Use-after-free with SVG animations and clip paths
* CVE-2018-5155 (bmo#1448774) Use-after-free with SVG animations and text paths
* CVE-2018-5157 (bmo#1449898) Same-origin bypass of PDF Viewer to view protected PDF files
* CVE-2018-5158 (bmo#1452075) Malicious PDF can inject JavaScript into PDF Viewer
* CVE-2018-5159 (bmo#1441941) Integer overflow and out-of-bounds write in Skia
* CVE-2018-5168 (bmo#1449548) Lightweight themes can be installed without user interaction
* CVE-2018-5178 (bmo#1443891) Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
* CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705, bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415, bmo#1426129) Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
* Wed Mar 28 2018 astiegerAATTsuse.com- fix release tag and tarball to correctly identify 52.7.3esr
* Tue Mar 27 2018 wrAATTrosenauer.org- update to Firefox 52.7.3 MFSA 2018-10 (bsc#1087059)
* CVE-2018-5148 (bmo#1440717) Use-after-free in compositor- removed obsolete patch mozilla-bmo1446062.patch
* Fri Mar 16 2018 wrAATTrosenauer.org- update to Firefox 52.7.2 (bsc#1085671) MFSA 2018-08
* CVE-2018-5146 (bmo#1446062) Out of bounds memory write in libvorbis
* CVE-2018-5147 (bmo#1446365) Out of bounds memory write in libtremor (in mozilla-bmo1446062.patch)- Firefox 52.7.1 fixes - issues with the IT locale (bmo#1445278)
* Tue Mar 13 2018 astiegerAATTsuse.com- update to Firefox 52.7esr (bsc#1085130, MFSA 2018-07):
* CVE-2018-5127 (bmo#1430557) Buffer overflow manipulating SVG animatedPathSegList
* CVE-2018-5129 (bmo#1428947) Out-of-bounds write with malformed IPC messages
* CVE-2018-5130 (bmo#1433005) Mismatched RTP payload type can trigger memory corruption
* CVE-2018-5131 (bmo#1440775) Fetch API improperly returns cached copies of no-store/no-cache resources
* CVE-2018-5144 (bmo#1440926) Integer overflow during Unicode conversion
* CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450, bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087, bmo#1443865,bmo#1425520) Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
* CVE-2018-5145 (bmo#1261175,bmo#1348955) Memory safety bugs fixed in Firefox ESR 52.7
* Fri Feb 09 2018 wrAATTrosenauer.org- correct requires and provides handling (boo#1076907)
* Tue Jan 23 2018 wrAATTrosenauer.org- update to Firefox 52.6esr (bsc#1077291) MFSA 2018-01
* Speculative execution side-channel attack (\"Spectre\") MFSA 2018-03
* CVE-2018-5091 (bmo#1423086) Use-after-free with DTMF timers
* CVE-2018-5095 (bmo#1418447) Integer overflow in Skia library during edge builder allocation
* CVE-2018-5096 (bmo#1418922) Use-after-free while editing form elements
* CVE-2018-5097 (bmo#1387427) Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400) Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878) Use-after-free with widget listener
* CVE-2018-5102 (bmo#1419363) Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159) Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000) Use-after-free during font face manipulation
* CVE-2018-5117 (bmo#1395508) URL spoofing with right-to-left text aligned left-to-right
* CVE-2018-5089 Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6- remove obsolete patch mozilla-ucontext.patch- official NSS requirement is >= 3.28.6 therefore putting 3.29.5 into an ifarch
* Wed Jan 17 2018 wbauerAATTtmo.at- Escape the usage of %{VERSION} when calling out to rpm. RPM 4.14 has %{VERSION} defined as \'the main package\'s version\'.
* Tue Jan 16 2018 cgrobertsonAATTsuse.com- Added additional patches and configurations to fix builds on s390 and PowerPC.
* Added firefox-glibc-getrandom.patch effecting builds on s390 and PowerPC
* Added mozilla-s390-bigendian.patch along with icudt58b.dat bigendian ICU data file for running Firefox on bigendian architectures (bmo#1322212 and bmo#1264836)
* Added mozilla-s390-nojit.patch to enable atomic operations used by the JS engine when JIT is disabled on s390
* Build configuration options specific to s390
* Requires NSS >= 3.29.5
* Fri Dec 29 2017 astiegerAATTsuse.com- Update to Firefox 52.5.3esr:
* Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bmo#1427111, bsc#1074235)
* Fri Dec 15 2017 fcrozatAATTsuse.com- Add BuildRequires python-xml to fix build on TW/SLE15.
* Sat Dec 09 2017 securityAATTsuse.com- update to Firefox 52.5.2esr (MFSA 2017-28):
* CVE-2017-7843 (bsc#1072034, bmo#1410106) Web worker in Private Browsing mode can write IndexedDB data
* Tue Nov 14 2017 wrAATTrosenauer.org- update to Firefox 52.5.0esr (boo#1068101) MFSA 2017-25
* CVE-2017-7828 (bmo#1406750. bmo#1412252) Use-after-free of PressShell while restyling layout
* CVE-2017-7830 (bmo#1408990) Cross-origin URL information leak through Resource Timing API
* CVE-2017-7826 Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
* Sun Oct 01 2017 stefan.bruensAATTrwth-aachen.de- Correct plugin directory for aarch64 (boo#1061207). The wrapper script was not detecting aarch64 as a 64 bit architecture, thus used /usr/lib/browser-plugins/.
* Sat Sep 30 2017 zaitorAATTopensuse.org- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0), pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure looks for.
* Fri Sep 29 2017 wrAATTrosenauer.org- update to Firefox 52.4esr (boo#1060445)
* requires NSS >= 3.28.6 MFSA 2017-22
* CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API
* CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array manipulation
* CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in design mode
* CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and validating elements with ANGLE
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free in TLS 1.2 generating handshake hashes
* CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and malware protection warnings
* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render some Tibetan and Arabic unicode characters as spaces
* CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a unique origin
* CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4- fixed language accept header to use correct locale (mozilla-bmo1005640.patch, boo#1029917)
* Thu Sep 28 2017 dimstarAATTopensuse.org- Add alsa-devel BuildRequires: we care for ALSA support to be built and thus need to ensure we get the dependencies in place. In the past, alsa-devel was pulled in by accident: we buildrequire libgnome-devel. This required esound-devel and that in turn pulled in alsa-devel for us. libgnome is being fixed to no longer require esound-devel.
* Wed Aug 09 2017 schwabAATTsuse.de- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext
* Tue Aug 08 2017 wrAATTrosenauer.org- update to Firefox 52.3esr (boo#1052829) MFSA 2017-19
* CVE-2017-7798 (bmo#1371586, bmo#1372112) XUL injection in the style editor in devtools
* CVE-2017-7800 (bmo#1374047) Use-after-free in WebSockets during disconnection
* CVE-2017-7801 (bmo#1371259) Use-after-free with marquee during window resizing
* CVE-2017-7784 (bmo#1376087) Use-after-free with image observers
* CVE-2017-7802 (bmo#1378147) Use-after-free resizing image elements
* CVE-2017-7785 (bmo#1356985) Buffer overflow manipulating ARIA attributes in DOM
* CVE-2017-7786 (bmo#1365189) Buffer overflow while painting non-displayable SVG
* CVE-2017-7753 (bmo#1353312) Out-of-bounds read with cached style data and pseudo-elements#
* CVE-2017-7787 (bmo#1322896) Same-origin policy bypass with iframes through page reloads
* CVE-2017-7807 (bmo#1376459) Domain hijacking through AppCache fallback
* CVE-2017-7792 (bmo#1368652) Buffer overflow viewing certificates with an extremely long OID
* CVE-2017-7804 (bmo#1372849) Memory protection bypass through WindowsDllDetourPatcher
* CVE-2017-7791 (bmo#1365875) Spoofing following page navigation with data: protocol and modal alerts
* CVE-2017-7782 (bmo#1344034) WindowsDllDetourPatcher allocates memory without DEP protections
* CVE-2017-7803 (bmo#1377426) CSP containing \'sandbox\' improperly applied
* CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
* Wed Jul 05 2017 astiegerAATTsuse.com- Mozilla Firefox 52.2.1esr:
* Printing text does not work on Windows when Direct2D is disabled (bmo#1318845)
* Wed Jun 14 2017 wrAATTrosenauer.org- update to Firefox 52.2esr (boo#1043960) MFSA 2017-16
* CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558) Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547) Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only)
* CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder
* CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only)
* CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application (Windows only)
* CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks
* CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only)
* CVE-2017-7766 (bmo#1342742) File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service (Windows only)
* CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service (Windows only)
* CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla Maintenance Service (Windows only)
* CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2- requires NSS 3.28.5
* Tue May 23 2017 wrAATTrosenauer.org- remove -fno-inline-small-functions and explicitely optimize with - O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
* Mon May 08 2017 wrAATTrosenauer.org- update to Firefox 52.1.1 MFSA 2017-14
* CVE-2017-5031: Use after free in ANGLE (bmo#1328762) (Windows only, Linux not affected)- switch to Mozilla\'s geolocation service (boo#1026989)- removed mozilla-preferences.patch obsoleted by overriding via firefox.js- fixed KDE integration to avoid crash caused by filepicker (boo#1015998)
* Wed Apr 12 2017 wrAATTrosenauer.org- update to Firefox 52.1.0esr (boo#1035082) MFSA 2017-12
* CVE-2017-5443 (bmo#1342661) Out-of-bounds write during BinHex decoding
* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1
* CVE-2017-5464 (bmo#1347075) Memory corruption with accessibility and DOM manipulation
* CVE-2017-5465 (bmo#1347617) Out-of-bounds read in ConvolvePixel
* CVE-2017-5466 (bmo#1353975) Origin confusion when reloading isolated data:text/html URL
* CVE-2017-5467 (bmo#1347262) Memory corruption when drawing Skia content
* CVE-2017-5460 (bmo#1343642) Use-after-free in frame selection
* CVE-2017-5461 (bmo#1344380) Out-of-bounds write in Base64 encoding in NSS
* CVE-2017-5448 (bmo#1346648) Out-of-bounds write in ClearKeyDecryptor
* CVE-2017-5449 (bmo#1340127) Crash during bidirectional unicode manipulation with animation
* CVE-2017-5446 (bmo#1343505) Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
* CVE-2017-5447 (bmo#1343552) Out-of-bounds read during glyph processing
* CVE-2017-5444 (bmo#1344461) Buffer overflow while parsing application/http-index-format content
* CVE-2017-5445 (bmo#1344467) Uninitialized values used while parsing application/http-index-format content
* CVE-2017-5442 (bmo#1347979) Use-after-free during style changes
* CVE-2017-5469 (bmo#1292534) Potential Buffer overflow in flex-generated code
* CVE-2017-5440 (bmo#1336832) Use-after-free in txExecutionState destructor during XSLT processing
* CVE-2017-5441 (bmo#1343795) Use-after-free with selection during scroll events
* CVE-2017-5439 (bmo#1336830) Use-after-free in nsTArray Length() during XSLT processing
* CVE-2017-5438 (bmo#1336828) Use-after-free in nsAutoPtr during XSLT processing
* CVE-2017-5437 (bmo#1343453) Vulnerabilities in Libevent library
* CVE-2017-5436 (bmo#1345461) Out-of-bounds write with malicious font in Graphite 2
* CVE-2017-5435 (bmo#1350683) Use-after-free during transaction processing in the editor
* CVE-2017-5434 (bmo#1349946) Use-after-free during focus handling
* CVE-2017-5433 (bmo#1347168) Use-after-free in SMIL animation functions
* CVE-2017-5432 (bmo#1346654) Use-after-free in text input selection
* CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476) Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
* CVE-2017-5459 (bmo#1333858) Buffer overflow in WebGL
* CVE-2017-5462 (bmo#1345089) DRBG flaw in NSS
* CVE-2017-5455 (bmo#1341191) Sandbox escape through internal feed reader APIs
* CVE-2017-5454 (bmo#1349276) Sandbox escape allowing file system read access through file picker
* CVE-2017-5456 (bmo#1344415) Sandbox escape allowing local file system access
* CVE-2017-5451 (bmo#1273537) Addressbar spoofing with onblur event- requires NSS 3.28.4- rebased patches
* Mon Apr 03 2017 wrAATTrosenauer.org- switch package to use ESR52 branch
* enables plugin support by default
* service workers are disabled by default
* push notifications are disabled by default
* WebAssembly (wasm) is disabled
* Less use of multiprocess architecture Electrolysis (e10s)
* Mon Apr 03 2017 wrAATTrosenauer.org- update to Firefox 52.0.2
* Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
* Fix loading tab icons on session restore (bmo#1338009)
* Fix a crash on startup on Linux (bmo#1345413)
* Fix new installs erroneously not prompting to change the default browser setting (bmo#1343938)
* Mon Mar 20 2017 wrAATTrosenauer.org- disable rust usage for everything but x86(-64)- explicitely add libffi build requirement
* Fri Mar 17 2017 wrAATTrosenauer.org- update to Firefox 52.0.1 (boo#1029822) MFSA 2017-08 CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
* Thu Mar 09 2017 wrAATTrosenauer.org- reenable ALSA support which was removed by default upstream
* Sat Mar 04 2017 wrAATTrosenauer.org- update to Firefox 52.0 (boo#1028391)
* requires NSS >= 3.28.3
* Pages containing insecure password fields now display a warning directly within username and password fields.
* Send and open a tab from one device to another with Sync
* Removed NPAPI support for plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.
* Removed Battery Status API to reduce fingerprinting of users by trackers
* MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622) CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687) CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711) CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504) CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370) CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719) CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar spoofing by draging and dropping URLs (bmo#791597) CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361) CVE-2017-5427: Non-existent chrome.manifest file loaded during startup (bmo#1295542) CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876) CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243) CVE-2017-5420: Javascript: URLs can obfuscate addressbar location (bmo#1284395) CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) CVE-2017-5421: Print preview spoofing (bmo#1301876) CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in Firefox 52 CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8- removed obsolete patches
* mozilla-binutils-visibility.patch
* mozilla-check_return.patch
* mozilla-disable-skia-be.patch
* mozilla-skia-overflow.patch
* mozilla-skia-ppc-endianess.patch- rebased patches- enable rust usage for Tumbleweed
* Fri Jan 27 2017 astiegerAATTsuse.com- Mozilla Firefox 51.0.1: - Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423)
* Fri Jan 20 2017 wrAATTrosenauer.org- update to Firefox 51.0
* requires NSPR >= 4.13.1, NSS >= 3.28.1
* Added support for FLAC (Free Lossless Audio Codec) playback
* Added support for WebGL 2
* Added Georgian (ka) and Kabyle (kab) locales
* Support saving passwords for forms without \'submit\' events
* Improved video performance for users without GPU acceleration
* Zoom indicator is shown in the URL bar if the zoom level is not at default level
* View passwords from the prompt before saving them
* Remove Belarusian (be) locale
* Use Skia for content rendering (Linux)
* MFSA 2017-01 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814) CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826) CVE-2017-5378: Pointer and frame data leakage of Javascript objects (bmo#1312001, bmo#1330769, boo#1021818) CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827) CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819) CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820) CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828) CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821) CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830) CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831) CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822) CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832) CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833) CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823) CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events (bmo#1222798) CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835) CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage (bmo#1293709) (Android only) CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837) CVE-2017-5395: Android location bar spoofing during scrolling (bmo#1293463) (Android only) CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839) CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840) CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841) CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (boo#1021824)- switch Firefox to Gtk3 for Tumbleweed- removed obsolete patches
* mozilla-flex_buffer_overrun.patch- updated RPM locale support tag- improve recognition of LANGUAGE env variable (boo#1017174)- add upstream patch to fix PPC64LE (bmo#1319389) (mozilla-skia-ppc-endianess.patch)- fix build without skia (big endian archs) (bmo#1319374) (mozilla-disable-skia-be.patch)
* Mon Dec 12 2016 wrAATTrosenauer.org- update to Firefox 50.1.0 (boo#1015422)
* MFSA 2016-94 CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628) CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements (bmo#1317409) CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) CVE-2016-9896: Use-after-free with WebVR (bmo#1315543) CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees (bmo#1314442) CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs (bmo#1319122) CVE-2016-9904: Cross-origin information leak in shared atoms (bmo#1317936) CVE-2016-9901: Data from Pocket server improperly sanitized before execution (bmo#1320057) CVE-2016-9902: Pocket extension does not validate the origin of events (bmo#1320039) CVE-2016-9903: XSS injection vulnerability in add-ons SDK (bmo#1315435) CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
* Fri Dec 09 2016 cgrobertsonAATTnovell.com- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
* Thu Dec 01 2016 wrAATTrosenauer.org- update to Firefox 50.0.2
* Firefox crashes with 3rd party Chinese IME when using IME text (50.0.1) security fixes (in 50.0.1): (boo#1012807)
* MFSA 2016-91 CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect (bmo#1317641) security fixes (in 50.0.2) (boo#1012964)
* MFSA 2016-92 CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
* Mon Nov 14 2016 wrAATTrosenauer.org- update to Firefox 50.0 (boo#1009026)
* requires NSS 3.26.2 new features
* Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R
* Added option to Find in page that allows users to limit search to whole words only
* Added download protection for a large number of executable file types on Windows, Mac and Linux
* Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
* Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
* Blocked versions of libavcodec older than 54.35.1
* additional locale security fixes:
* MFSA 2016-89 CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) CVE-2016-5292: URL parsing causes crash (bmo#1288482) CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink (Windows only) (bmo#1246945) CVE-2016-5294: Arbitrary target directory for result files of update process (Windows only) (bmo#1246972) CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678) CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen (Android only) (bmo#1306696) CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) CVE-2016-9072: 64-bit NPAPI sandbox isn\'t enabled on fresh profile (bmo#1300083) (Windows only) CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM (Windows only) (bmo#1247239) CVE-2016-5298: SSL indicator can mislead the user about the real URL visited (bmo#1227538) (Android only) CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (bmo#1245791) (Android only) CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (Android only) (bmo#1245795) CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file (Android only) (bmo#1294438) CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) CVE-2016-9073: windows.create schema doesn\'t specify \"format\": \"relativeUrl\" (bmo#1289273) CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) CVE-2016-5289: Memory safety bugs fixed in Firefox 50 CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5- make aarch64 build more similar to x86_64 build (remove conditionals that don\'t seem to be necessary anymore)
* Mon Oct 24 2016 astiegerAATTsuse.com- Mozilla Firefox 49.0.2:
* CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
* CVE-2016-5288: Web content can read cache entries (bsc#1006476)
* Asynchronous rendering of the Flash plugins is now enabled by default
* Change D3D9 default fallback preference to prevent graphical artifacts
* Network issue prevents some users from seeing the Firefox UI on startup
* Web compatibility issue with file uploads
* Web compatibility issue with Array.prototype.values
* Diagnostic information on timing for tab switching
* Fix a Canvas filters graphics issue affecting HTML5 apps
* Wed Oct 12 2016 badshah400AATTgmail.com- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0 and fixes have been incorporated by upstream.
* Fri Sep 23 2016 astiegerAATTsuse.com- Mozilla Firefox 49.0.1:
* Mitigate a startup crash issue caused by Websense - bmo#1304783
* Tue Sep 20 2016 wrAATTrosenauer.org- update to Firefox 49.0 (boo#999701) new features
* Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins.
* Added features to Reader Mode that make it easier on the eyes and the ears
* Improved video performance for users on systems that support SSE3 without hardware acceleration
* Added context menu controls to HTML5 audio and video that let users loops files or play files at 1.25x speed
* Improvements in about:memory reports for tracking font memory usage security related
* MFSA 2016-85 CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in PropertyProvider::GetSpacingInternal CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin CVE-2016-5273 (bmo#1280387) - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList CVE-2016-5274 (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame CVE-2016-5279 (bmo#1249522) - Full local path of files is available to web pages after drag and drop CVE-2016-5280 (bmo#1289970) - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength CVE-2016-5282 (bmo#932335) - Don\'t allow content to request favicons from non-whitelisted schemes CVE-2016-5283 (bmo#928187) -