SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for MozillaFirefox-devel-131.0-lp155.2.1.noarch.rpm :

* Sun Sep 29 2024 Wolfgang Rosenauer - Firefox 131.0- requires NSS 3.104
* Sat Sep 21 2024 Manfred Hollstein - Don\'t use clang18-devel on Leap as they don\'t have that version.
* Wed Sep 18 2024 Manfred Hollstein - Firefox 130.0.1 Release https://www.mozilla.org/en-US/firefox/130.0.1/releasenotes
* Enterprise: Added an enterprise policy to disable the
* Firefox Labs
* section in
*Settings
*. (bmo#1911826)
* Fixed a recent regression causing some UI elements to be rendered as left-to-right instead of right-to-left for users of our Saraiki localization. (bmo#1917175)
* Linux: Fixed black rendering of AVIF images when Firefox is built with GCC. (bmo#1916038)- removed obsolete patches mozilla-bmo1916038.patch
* Sat Sep 07 2024 Wolfgang Rosenauer - Mozilla Firefox 130.0 https://www.mozilla.org/en-US/firefox/130.0/releasenotes MFSA 2024-39 (bsc#1229821)
* CVE-2024-8385 (bmo#1911909) WASM type confusion involving ArrayTypes
* CVE-2024-8381 (bmo#1912715) Type confusion when looking up a property name in a \"with\" block
* CVE-2024-8388 (bmo#1902996, bmo#1839074, bmo#1865413, bmo#1868970, bmo#1873367, bmo#1877820, bmo#1884642, bmo#1886469, bmo#1894326, bmo#1894891, bmo#1897648) Fullscreen notice on Android could be hidden under various panels and OS prompts
* CVE-2024-8382 (bmo#1906744) Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
* CVE-2024-8383 (bmo#1908496) Firefox did not ask before openings news: links in an external application
* CVE-2024-8384 (bmo#1911288) Garbage collection could mis-color cross-compartment objects in OOM conditions
* CVE-2024-8386 (bmo#1907032, bmo#1909163, bmo#1909529) SelectElements could be shown over another site if popups are allowed
* CVE-2024-8387 (bmo#1857607, bmo#1911858, bmo#1914009) Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2
* CVE-2024-8389 (bmo#1907230, bmo#1909367) Memory safety bugs fixed in Firefox 130- requires NSS 3.103- removed obsolete patches mozilla-bmo1898476.patch mozilla-bmo1907511.patch- added mozilla-bmo1916038.patch to fix AVIF decoding (bsc#1230500)
* Fri Sep 06 2024 Marvin Friedrich - Update dependency on clang-devel from LLVM15 to LLVM18
* Wed Sep 04 2024 pallas wept - Added mozilla-bmo1746799.patch to fix incorrect audio volume scaling
* Sat Aug 24 2024 Christian Boltz - _constraints: increase RAM on s390x to fix the build
* Fri Aug 16 2024 Wolfgang Rosenauer - Mozilla Firefox 129.0.1
* Fixed playback issues on some websites with copyrighted video served via digital rights management. (bmo#1911283)
* Fixed a crash when dragging a video file onto some websites (bmo#1910990)
* Thu Aug 08 2024 Wolfgang Rosenauer - Mozilla Firefox 129.0 https://www.mozilla.org/en-US/firefox/129.0/releasenotes MFSA 2024-33 (bsc#1228648))
* CVE-2024-7518 (bmo#1875354) Fullscreen notification dialog can be obscured by document content
* CVE-2024-7519 (bmo#1902307) Out of bounds memory access in graphics shared memory handling
* CVE-2024-7520 (bmo#1903041) Type confusion in WebAssembly
* CVE-2024-7521 (bmo#1904644) Incomplete WebAssembly exception handing
* CVE-2024-7522 (bmo#1906727) Out of bounds read in editor component
* CVE-2024-7523 (bmo#1908344) Document content could partially obscure security prompts
* CVE-2024-7524 (bmo#1909241) CSP strict-dynamic bypass using web-compatibility shims
* CVE-2024-7525 (bmo#1909298) Missing permission check when creating a StreamFilter
* CVE-2024-7526 (bmo#1910306) Uninitialized memory used by WebGL
* CVE-2024-7527 (bmo#1871303) Use-after-free in JavaScript garbage collection
* CVE-2024-7528 (bmo#1895951) Use-after-free in IndexedDB
* CVE-2024-7529 (bmo#1903187) Document content could partially obscure security prompts
* CVE-2024-7530 (bmo#1904011) Use-after-free in JavaScript code coverage collection
* CVE-2024-7531 (bmo#1905691) PK11_Encrypt using CKM_CHACHA20 can reveal plaintext on Intel Sandy Bridge machines- removed obsolete patches mozilla-bmo1905018.patch mozilla-bmo1504834-part3.patch mozilla-bmo1512162.patch mozilla-bmo1822730.patch mozilla-fix-aarch64-libopus.patch mozilla-partial-revert-1768632.patch- requires NSS 3.102.1- extended mozilla-silence-no-return-type.patch
* Sun Jul 28 2024 Manfred Hollstein - Firefox 128.0.3 Release
* Fixed: Fixed an issue causing some sites to not load when connecting via HTTP/2. (bmo#1908161, bmo#1909666)
* Fixed: Fixed collapsed table rows not appearing when expected in some situations. (bmo#1907789)
* Fixed: Fixed the Windows on-screen keyboard potentially concealing the webpage when displayed. (bmo#1907766)- Firefox 128.0.2 Release
* Fixed: Fixed an audio echo in video calls on macOS under certain conditions. (bmo#1908539)
* Fixed: Fixed an issue where the Adguard extension popup was not displaying. (bmo#1906132)
* Fixed: Fixed an issue causing some screen readers to fail to read when navigating by character in rich text editors. (Bug 1905021)
* Fixed: Fixed visual glitches when dark mode is enabled in Windows ARM devices. (bmo#1897444)
* Fixed: Fixed an issue causing NTLM authentication failure. (bmo#1908115)
* Fixed: Fixed an issue where content displayed on mouseover was not captured in a screenshot. (bmo#1905468)
* Fixed: Various stability fixes.- renamed firefox-3781e3117706.patch to mozilla-bmo1905018.patch to conform with patch structure and naming for the package
* Thu Jul 18 2024 Martin Jambor - Add firefox-3781e3117706.patch to fix boo#1227856 aka bmo#1905018 where an incompatible pointer assignment is not accepted in C by GCC 14.
* Mon Jul 08 2024 Wolfgang Rosenauer - Mozilla Firefox 128.0 https://www.mozilla.org/en-US/firefox/128.0/releasenotes MFSA 2024-29 (bsc#1226316)
* CVE-2024-6605 (bmo#1836786) Firefox Android missed activation delay to prevent tapjacking
* CVE-2024-6606 (bmo#1902305) Out-of-bounds read in clipboard component
* CVE-2024-6607 (bmo#1694513) Leaving pointerlock by pressing the escape key could be prevented
* CVE-2024-6608 (bmo#1743329) Cursor could be moved out of the viewport using pointerlock.
* CVE-2024-6609 (bmo#1839258) Memory corruption in NSS
* CVE-2024-6610 (bmo#1883396) Form validation popups could block exiting full-screen mode
* CVE-2024-6600 (bmo#1888340) Memory corruption in WebGL API
* CVE-2024-6601 (bmo#1890748) Race condition in permission assignment
* CVE-2024-6602 (bmo#1895032) Memory corruption in NSS
* CVE-2024-6603 (bmo#1895081) Memory corruption in thread creation
* CVE-2024-6611 (bmo#1844827) Incorrect handling of SameSite cookies
* CVE-2024-6612 (bmo#1880374) CSP violation leakage when using devtools
* CVE-2024-6613 (bmo#1900523) Incorrect listing of stack frames
* CVE-2024-6614 (bmo#1902983) Incorrect listing of stack frames
* CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266) Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, and Thunderbird 115.13
* CVE-2024-6615 (bmo#1892875, bmo#1894428, bmo#1898364) Memory safety bugs fixed in Firefox 128- requires NSS 3.101.1 rust >= 1.78- update create-tar.sh- add wayland upstream fixes (bmo#1907511, bmo#1898476) (mozilla-bmo1898476.patch and mozilla-bmo1907511.patch)
* Mon Jul 01 2024 Andrei Dziahel - Mozilla Firefox 127.0.2
* Fixed an issue where YouTube playback may experience stalling under certain conditions (bmo#1900191, bmo#1878510).
* Fixed an issue where the Private Window icon was displayed in the taskbar on Windows when browser.privateWindowSeparation.enabled was set to false (bmo#1901840).- Mozilla Firefox 127.0.1
* Fixed an issue where users with a primary password set on their profile could lose their previous session of tabs upon upgrading if they dismissed the primary password prompt (bmo#1901899).
* Fixed an issue where Linux users with accessibility.monoaudio.enable set to true were experiencing slow audio speeds (bmo#1900972).
* Fixed an issue where, in some circumstances, the Firefox installer on Windows failed to complete the installation (bmo#1896868).
* Fixed an issue causing Firefox to incorrectly reject cookies for certain websites (bmo#1901325).
* Fri Jun 28 2024 Martin Sirringhaus - Fix GNOME search provider (boo#1225278)
* Tue Jun 11 2024 Wolfgang Rosenauer - Mozilla Firefox 127.0 https://www.mozilla.org/en-US/firefox/127.0/releasenotes MFSA 2024-25 (bsc#1226027)
* CVE-2024-5687 (bmo#1889066) An incorrect principal could have been used when opening new tabs
* CVE-2024-5688 (bmo#1895086) Use-after-free in JavaScript object transplant
* CVE-2024-5689 (bmo#1389707) User confusion and possible phishing vector via Firefox Screenshots
* CVE-2024-5690 (bmo#1883693) External protocol handlers leaked by timing attack
* CVE-2024-5691 (bmo#1888695) Sandboxed iframes were able to bypass sandbox restrictions to open a new window
* CVE-2024-5692 (bmo#1837514, bmo#1891234) Bypass of file name restrictions during saving
* CVE-2024-5693 (bmo#1891319) Cross-Origin Image leak via Offscreen Canvas
* CVE-2024-5694 (bmo#1895055) Use-after-free in JavaScript Strings
* CVE-2024-5695 (bmo#1895579) Memory Corruption using allocation using out-of-memory conditions
* CVE-2024-5696 (bmo#1896555) Memory Corruption in Text Fragments
* CVE-2024-5697 (bmo#1414937) Website was able to detect when Firefox was taking a screenshot of them
* CVE-2024-5698 (bmo#1828259) Data-list could have overlaid address bar
* CVE-2024-5699 (bmo#1891349) Cookie prefixes not treated as case-sensitive
* CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388, bmo#1895123) Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12
* CVE-2024-5701 (bmo#1890909, bmo#1891422, bmo#1893915, bmo#1894047, bmo#1896024) Memory safety bugs fixed in Firefox 127- removed obsolete mozilla-bmo1886378.patch
* Wed May 29 2024 Wolfgang Rosenauer - Mozilla Firefox 126.0.1
* Fixed an issue with reading tagged PDF documents in a screen reader bmo#1894849
* Fixed not displaying localized text for non-en-US locales in the Crash Reporter dialog box on macOS. (bmo#1896097)
* Fixed issues with drag-and-drop functionality on Linux. (bmo#1897115)
* Fixed an issue causing high GPU memory usage on certain versions of AMD cards. (bmo#1897006)
* Tue May 28 2024 Guillaume GARDET - Backport upstream patches to fix build on aarch64 - boo#1225460
* mozilla-bmo1886378.patch
* Wed May 15 2024 Wolfgang Rosenauer - Mozilla Firefox 126.0 https://www.mozilla.org/en-US/firefox/126.0/releasenotes MFSA 2024-21 (bsc#1224056)
* CVE-2024-4764 (bmo#1879093) Use-after-free when audio input connected with multiple consumers
* CVE-2024-4367 (bmo#1893645) Arbitrary JavaScript execution in PDF.js
* CVE-2024-4765 (bmo#1871109) Web application manifests could have been overwritten via hash collision
* CVE-2024-4766 (bmo#1871214, bmo#1871217) Fullscreen notification could have been obscured on Firefox for Android
* CVE-2024-4767 (bmo#1878577) IndexedDB files retained in private browsing mode
* CVE-2024-4768 (bmo#1886082) Potential permissions request bypass via clickjacking
* CVE-2024-4769 (bmo#1886108) Cross-origin responses could be distinguished between script and non-script content-types
* CVE-2024-4770 (bmo#1893270) Use-after-free could occur when printing to PDF
* CVE-2024-4771 (bmo#1893891) Failed allocation could lead to use-after-free
* CVE-2024-4772 (bmo#1870579) Use of insecure rand() function to generate nonce
* CVE-2024-4773 (bmo#1875248) URL bar could be cleared after network error
* CVE-2024-4774 (bmo#1886598) Undefined behavior in ShmemCharMapHashEntry()
* CVE-2024-4775 (bmo#1887332) Invalid memory access in the built-in profiler
* CVE-2024-4776 (bmo#1887343) Window may remain disabled after file dialog is shown in full-screen
* CVE-2024-4777 (bmo#1878199, bmo#1893340) Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11
* CVE-2024-4778 (bmo#1838834, bmo#1889291, bmo#1889595, bmo#1890204, bmo#1891545) Memory safety bugs fixed in Firefox 126- requires NSS 3.100- removed obsolete mozilla-libproxy-fix.patch
* Mon Apr 29 2024 Andreas Stieger - Mozilla Firefox 125.0.3
* Fixed: Fixed an extra blank tab with an address of `https://0.0.0.1` sometimes appearing when attempting to launch Firefox when it is already running (bmo#1892612).
* Fixed: Fixed an issue that could cause incorrect font selection in some situations for users with the Japanese locale set (bmo#1892363).
* Fixed: Fixed text corruption when dragging text containing unicode characters on Linux systems (bmo#1888202).
* Fixed: Fixed a correctness error when checking `arguments.length` (and not using arguments otherwise) inside of a generator or async function (bmo#1892699).
* Fixed: Fixed an issue that could lead to inconsistent focus handling of ` HTML element to not be applied to dropdown menu arrows (bmo#1861253)
* Fixed a bug with the HTML element state not changing when dynamically updating the `disabled` attribute on an ancestor
(bmo#1861027)
* Fixed a bug causing elements with the indeterminate CSS selector in a radio group to not update (bmo#1861346)
* Thu Oct 26 2023 Wolfgang Rosenauer - Mozilla Firefox 119.0 https://www.mozilla.org/en-US/firefox/119.0/releasenotes MFSA 2023-45 (bsc#1216338)
* CVE-2023-5721 (bmo#1830820) Queued up rendering could have allowed websites to clickjack
* CVE-2023-5722 (bmo#1738426) Cross-Origin size and header leakage
* CVE-2023-5723 (bmo#1802057) Invalid cookie characters could have led to unexpected errors
* CVE-2023-5724 (bmo#1836705) Large WebGL draw could have led to a crash
* CVE-2023-5725 (bmo#1845739) WebExtensions could open arbitrary URLs
* CVE-2023-5726 (bmo#1846205) Full screen notification obscured by file open dialog on macOS
* CVE-2023-5727 (bmo#1847180) Download Protections were bypassed by .msix, .msixbundle, .appx, and .appxbundle files on Windows
* CVE-2023-5728 (bmo#1852729) Improper object tracking during GC in the JavaScript engine could have led to a crash.
* CVE-2023-5729 (bmo#1823720) Fullscreen notification dialog could have been obscured by WebAuthn prompts
* CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833, bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002, bmo#1855306, bmo#1855640, bmo#1856695) Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1
* CVE-2023-5731 (bmo#1690111, bmo#1721904, bmo#1851803, bmo#1854068) Memory safety bugs fixed in Firefox 119- requires NSS 3.94
* Wed Oct 11 2023 Andreas Stieger - Mozilla Firefox 118.0.2
* Fix games not loading on betsoft.com (bmo#1856145)
* Fix printing issues for some SVG images (bmo#1853727)
* Fix CORS XHR with authentication no longer working (bmo#1855650)
* Fix h264 WebRTC video not working in some contexts (bmo#1855636)
* Fix Firefox Translations not working on some pages (bmo#1841656, bmo#1855307)
* Stability fixes (bmo#1851991, bmo#1799326, bmo#1856637)
* Sat Sep 30 2023 Björn Bidar - Activate KDE integration again, included rebased and updated patches, firefox-kde.patch and mozilla-kde.patch, (upstream removed special files handling for preferences but that has no effect since we haven\'t shipped obsolete kde.js for a while) (boo#1216027)
* Fri Sep 29 2023 Wolfgang Rosenauer - Mozilla Firefox 118.0.1 MFSA 2023-44 (bsc#1215814)
* CVE-2023-5217 (bmo#1855550), Heap buffer overflow in libvpx
* Mon Sep 25 2023 Wolfgang Rosenauer - Mozilla Firefox 118.0 MFSA 2023-41 (bsc#1215575)
* CVE-2023-5168 (bmo#1846683) Out-of-bounds write in FilterNodeD2D1
* CVE-2023-5169 (bmo#1846685) Out-of-bounds write in PathOps
* CVE-2023-5170 (bmo#1846686) Memory leak from a privileged process
* CVE-2023-5171 (bmo#1851599) Use-after-free in Ion Compiler
* CVE-2023-5172 (bmo#1852218) Memory Corruption in Ion Hints
* CVE-2023-5173 (bmo#1823172) Out-of-bounds write in HTTP Alternate Services
* CVE-2023-5174 (bmo#1848454) Double-free in process spawning on Windows
* CVE-2023-5175 (bmo#1849704) Use-after-free of ImageBitmap during process shutdown
* CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195) Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3- requires NSS 3.93- add mozilla-bmo1822730.patch- deactivated KDE integration temporarily (removed mozilla-kde.patch and firefox-kde.patch for now)
* Tue Sep 12 2023 Andreas Stieger - Mozilla Firefox 117.0.1
* Fix a bug causing extensions using an event page for long- running tasks to be terminated while running, causing unexpected behavior changes (bmo#1851373)
* Temporarily revert an intentional behavior change preventing Javascript from changing URL.protocol (bmo#1850954).
* Fix audio worklets not working for sites using WebAssembly exception handling (bmo#1851468)
* Fix the Reopen all tabs option in the Recently closed tabs menu sometimes failing to open all tabs (bmo#1850856)
* Fix the bookmarks menu sometimes remaining partially visible when minimizing Firefox (bmo#1843700)
* Fix an issue causing incorrect time zones to be detected on some sites (bmo#1848615)
* MFSA 2023-40 CVE-2023-4863 (boo#1215231) Heap buffer overflow in WebP
* Sun Aug 27 2023 Wolfgang Rosenauer - Mozilla Firefox 117.0 https://www.mozilla.org/en-US/firefox/117.0/releasenotes MFSA 2023-34 (bsc#1214606)
* CVE-2023-4573 (bmo#1846687) Memory corruption in IPC CanvasTranslator
* CVE-2023-4574 (bmo#1846688) Memory corruption in IPC ColorPickerShownCallback
* CVE-2023-4575 (bmo#1846689) Memory corruption in IPC FilePickerShownCallback
* CVE-2023-4576 (bmo#1846694) Integer Overflow in RecordedSourceSurfaceCreation
* CVE-2023-4577 (bmo#1847397) Memory corruption in JIT UpdateRegExpStatics
* CVE-2023-4578 (bmo#1839007) Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception
* CVE-2023-4579 (bmo#1842766) Persisted search terms were formatted as URLs
* CVE-2023-4580 (bmo#1843046) Push notifications saved to disk unencrypted
* CVE-2023-4581 (bmo#1843758) XLL file extensions were downloadable without warnings
* CVE-2023-4582 (bmo#1773874) Buffer Overflow in WebGL glGetProgramiv
* CVE-2023-4583 (bmo#1842030) Browsing Context potentially not cleared when closing Private Window
* CVE-2023-4584 (bmo#1843968, bmo#1845205, bmo#1846080, bmo#1846526, bmo#1847529) Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
* CVE-2023-4585 (bmo#1751583, bmo#1841082, bmo#1847904, bmo#1848999) Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2- requires NSS = 3.92 rustc = 1.71
* Thu Aug 17 2023 Andreas Stieger - Mozilla Firefox 116.0.3
* Fixed an issue for OPFS users that broke access to files that were locally cached in a previous version (bmo#1847989, bmo#1847619)
* Fixed an issue that was breaking screensharing for some users on Wayland (bmo#1841851)
* Fixed an issue where a fullscreen notification was persistently being shown to a user, even after disabling it (bmo#1847901)
* Fixed an issue where Firefox would hang when doing a Google search (bmo#1847066)
* Tue Aug 15 2023 Adam Majer - After further testing on memory consumption during linking, it\'s safe to remove most of the memory reducing options for ix86 linker. A combination of these actually resulted in the OOM condition. It\'s even possible to add basic debugging info while keeping linker memory consumption at about 2GB
* Thu Aug 10 2023 Andreas Stieger - Mozilla Firefox 116.0.2
* fixes for other platforms
* Wed Aug 09 2023 Adam Majer - Workarold ld bug causing OOM when linking on 32-bit- Remove -j1 limit on x86. The build runs on 64-bit kernel with a 32-bit userland. This means there is plenty of memory available but userland is limited to just under 4GB per process.
* Sat Aug 05 2023 Andreas Stieger - Mozilla Firefox 116.0.1
* fixes for other platforms
* Sat Aug 05 2023 Andreas Schwab - ship vaapitest binary for supported archs
* Fri Aug 04 2023 Wolfgang Rosenauer - re-enable ppc64le- ship v4l2test binary for supported archs- drop obsolete mozilla-bmo1775202.patch
* Sun Jul 30 2023 Wolfgang Rosenauer - Mozilla Firefox 116.0
* https://www.mozilla.org/en-US/firefox/116.0/releasenotes/ MFSA 2023-29 (bsc#1213746)
* CVE-2023-4045 (bmo#1833876) Offscreen Canvas could have bypassed cross-origin restrictions
* CVE-2023-4046 (bmo#1837686) Incorrect value used during WASM compilation
* CVE-2023-4047 (bmo#1839073) Potential permissions request bypass via clickjacking
* CVE-2023-4048 (bmo#1841368) Crash in DOMParser due to out-of-memory conditions
* CVE-2023-4049 (bmo#1842658) Fix potential race conditions when releasing platform objects
* CVE-2023-4050 (bmo#1843038) Stack buffer overflow in StorageManager
* CVE-2023-4051 (bmo#1821884) Full screen notification obscured by file open dialog
* CVE-2023-4052 (bmo#1824420) File deletion and privilege escalation through Firefox uninstaller
* CVE-2023-4053 (bmo#1839079) Full screen notification obscured by external program
* CVE-2023-4054 (bmo#1840777) Lack of warning when opening appref-ms files
* CVE-2023-4055 (bmo#1782561) Cookie jar overflow caused unexpected cookie jar state
* CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325, bmo#1843847) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
* CVE-2023-4057 (bmo#1841682) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1
* CVE-2023-4058 (bmo#1819160, bmo#1828024) Memory safety bugs fixed in Firefox 116- require NSS 3.91- remove obsolete mozilla-fix-top-level-asm.patch- re-enable LTO
* Fri Jul 28 2023 Andreas Stieger - Mozilla Firefox 115.0.3
* fixes for other platforms- remove bashisms from firefox startup script (boo#1213657)
* Thu Jul 13 2023 Wolfgang Rosenauer - Mozilla Firefox 115.0.2
* Fixed a bug with displaying a caret in the text editor on some websites (bmo#1840804)
* Fixed a bug with broken audio rendering on some websites (bmo#1841982)
* Fixed a bug with patternTransform translate using the wrong units (bmo#1840746) MFSA 2023-26 (bsc#1213230)
* CVE-2023-3600 (bmo#1839703) Use-after-free in workers
* Fri Jul 07 2023 Andreas Stieger - Mozilla Firefox 115.0.1
* fixes for other platforms
* Sun Jul 02 2023 Wolfgang Rosenauer - Mozilla Firefox 115.0
* Support for importing payment methods saved in Chrome-based browser
* Hardware video decoding is now enabled for Intel GPUs on Linux
* The Tab Manager dropdown now features close buttons, so tabs can be closed more quickly
* Streamlined the user interface for importing data in from other browsers
* Users without platform support for H264 video decoding can now fallback to Cisco\'s OpenH264 plugin for playback.
* Undo and redo are now available in Password fields
* Changed: On Linux, middle clicks on the new tab button will now open the xclipboard contents in the new tab. If the xclipboard content is a URL then that URL is opened, any other text is opened with your default search provider.
* Changed: For users with a Firefox Colorways built-in theme, the theme will be automatically migrated to the same theme hosted on addons.mozilla.org for Firefox profiles that have disabled add-ons auto-updates. This will allow users to keep their Colorways theme when they are later removed from Firefox installer files.
* Changed: Certain Firefox users may come across a message in the extensions panel indicating that their add-ons are not allowed on the site currently open. We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns.
* HTML5: The builtin editor now behaves similarly to other browsers with `contenteditable` and `designMode` when splitting a node, e.g. typing Enter to split a paragraph, and also when joining two nodes, e.g. typing Backspace at the start of a paragraph to join the paragraph and the previous one. When a node is split, the builtin editor creates a new node after the original one instead of before, i.e. creates the right node instead of the left node. Similarly, when two nodes are joined, the builtin editor deletes the latter node and moves its children to the end of the preceding node instead of deleting the former node and moving its child to the start of the following node.
* HTML5: WebRTC application developers can now specify a target in milliseconds of media for the jitter buffer to hold. Altering the target value allows applications to control the tradeoff between playout delay and the risk of running out of audio or video frames due to network jitter.
* HTML5: Change array by copy provides additional methods on `Array.prototype` and `TypedArray.prototype` to enable changes on the array by returning a new copy of it with the change.
* HTML5: The animation-composition property is now supported, allowing a declarative way to define the composite operation used when multiple animations affect the same property simultaneously.
* HTML5: Added the URL.canParse() function to allow easy and fast checking if URLs are valid and parseable.
* HTML5: IndexedDB is now also supported in private browsing without memory limits thanks to encrypted storage on disk. The temporary keys to decrypt the information are hold in RAM only and all stored information is purged at the normal end of a private browsing session from disk.
* HTML5: Supports conditions are now supported in CSS import rules AATTimport supports(...)
* Developer: In web development, we rely on third-party libraries which you may not be interested in while debugging. These can be ignored. Ignoring them means that breakpoints will not get hit and they are skipped during stepping. You can now choose to
*
*Hide ignore-listed sources
*
* in the Developer Tools source tree
* Developer: We have introduced a new option, `devtools.f12_enabled`, that can be utilized to prevent the accidental use of the F12 key, which opens the DevTools toolbox (bug).
* Enterprise: You can find information about policy updates and enterprise specific bug fixes in the Firefox for Enterprise 115 Release Notes. MFSA 2023-22 (bsc#1212438)
* CVE-2023-3482 (bmo#1839464) Block all cookies bypass for localstorage
* CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation
* CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-37203 (bmo#291640) Drag and Drop API may provide access to local system files
* CVE-2023-37204 (bmo#1832195) Fullscreen notification obscured via option element
* CVE-2023-37205 (bmo#1704420) URL spoofing in address bar using RTL characters
* CVE-2023-37206 (bmo#1813299) Insufficient validation of symlinks in the FileSystem API
* CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured
* CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files
* CVE-2023-37209 (bmo#1837993) Use-after-free in `NotifyOnHistoryReload`
* CVE-2023-37210 (bmo#1821886) Full-screen mode exit prevention
* CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13
* CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206, bmo#1827076, bmo#1828690, bmo#1833503, bmo#1835710, bmo#1838587) Memory safety bugs fixed in Firefox 115- Requires NSS 3.90- Add patches: mozilla-rust-disable-future-incompat.patch mozilla-bmo1775202.patch mozilla-partial-revert-1768632.patch- removed obsolete mozilla-buildfixes.patch
* Tue Jun 20 2023 Andreas Stieger - Mozilla Firefox 114.0.2:
* Several crash fixes
* Web Extensions: Fixes for 114 regressions in Native Messaging support
* Tue Jun 20 2023 Wolfgang Rosenauer - do not enable LTO as it caused crashes now (boo#1212101)
* Sat Jun 10 2023 Andreas Stieger - Mozilla Firefox 114.0.1
* Fix a startup crash (bmo#1837201, boo#1212101)
* Fri Jun 09 2023 Martin Sirringhaus - Only install vaapitest for wayland-enabled builds, where it gets built- Rebase mozilla-silence-no-return-type.patch- Rebase s390x-patches, and remove obsolete patches: mozilla-bmo1005535.patch mozilla-s390x-skia-gradient.patch
* Mon Jun 05 2023 Wolfgang Rosenauer - Mozilla Firefox 114.0 MFSA 2023-20 (bsc#1211922)
* CVE-2023-34414 (bmo#1695986) Click-jacking certificate exceptions through rendering lag
* CVE-2023-34415 (bmo#1811999) Site-isolation bypass on sites that allow open redirects to data: urls
* CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875, bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190, bmo#1830206, bmo#1830795, bmo#1833339) Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12
* CVE-2023-34417 (bmo#1746447, bmo#1820903, bmo#1832832) Memory safety bugs fixed in Firefox 114
* New: Added UI to manage the DNS over HTTPS exception list. (bmo#1596847)
* New: Bookmarks can now be searched from the Bookmarks menu. The Bookmarks menu is accessible by adding the
*Bookmarks menu
* button to the toolbar. (bmo#1736937)
* New: Restrict searches to your local browsing history by selecting
*Search history
* from the History, Library or Application menu buttons. (bmo#1736939)
* New: Mac users can now capture video from their cameras in all supported native resolutions. This enables resolutions higher than 1280x720. (bmo#1806604)
* New: It is now possible to reorder the extensions listed in the extensions panel. (bmo#1805924)
* New: Users on macOS, Linux, and Windows 7 can now use FIDO2 / WebAuthn authenticators over USB. Some advanced features, such as fully passwordless logins, require a PIN to be set on the authenticator. (bmo#1814487)
* New: Pocket Recommended content can now be seen in France, Italy, and Spain. (bmo#None)
* Changed: DNS over HTTPS settings are now part of the
* Privacy & Security
* section of the
*Settings
* page and allow the user to choose from all the supported modes. (bmo#1610741)
* HTML5: DOM: Added support for ES Modules on DedicatedWorker and SharedWorker
* HTML5: WebTransport is now enabled by default and will be going to release with 114. As the original Explainer notes, it enables multiple use-cases that are hard or impossible to handle without it, especially for Gaming and live streaming. It covers cases that are problematic for alternative mechanisms, such as WebSockets. Built on top of HTTP3 (HTTP2 support will be coming later). The current implementation in Firefox is passing 505 out of 565 Web-Platform Tests.
* HTML5: CSS: The `infinity` and `NaN` constants are now supported inside the `calc()` function. (bmo#1830759)
* Developer: The
*Copy as cURL
* feature, available in the Network panel, has been enhanced. It now supports the - `-compressed` argument. (bmo#1776120)
* Developer: The Accessibility Inspector has been improved to accurately recognize all the ARIA roles like `banner`, `main`, `navigation`, and `contentinfo`, etc. This enhancement is particularly beneficial for web developers working with ARIA roles to improve web accessibility. (bmo#1572512)
* Developer: Firefox now provides support for the CSS Cascading Level 4 `supports()` syntax for `AATTimport` rules. This allows for the importation of other stylesheets based on support- dependency. In addition, the Inspector panel now accurately displays the conditions at the top of the imported rule.- requires NSS 3.89.1
* Wed May 24 2023 Andreas Stieger - Mozilla Firefox 113.0.2 (boo#1211696)
* Fixed: Fixed a bug which could cause Firefox to freeze on some pages when loading them with the Developer Tools Web Console open (bmo#1828026)
* Fixed: Fixed a bug which would cause the bookmarks and history sidebars to not properly react to the browser window being vertically resized (bmo#1831535)
* Sat May 13 2023 Andreas Stieger - Mozilla Firefox 113.0.1
* UI fixes for other platforms- upstream signing key updated
* Tue May 09 2023 Wolfgang Rosenauer - Mozilla Firefox 113.0
* https://www.mozilla.org/en-US/firefox/113.0/releasenotes MFSA 2023-16 (bsc#1211175)
* CVE-2023-32205 (bmo#1753339, bmo#1753341) Browser prompts could have been obscured by popups
* CVE-2023-32206 (bmo#1824892) Crash in RLBox Expat driver
* CVE-2023-32207 (bmo#1826116) Potential permissions request bypass via clickjacking
* CVE-2023-32208 (bmo#1646034) Leak of script base URL in service workers via import()
* CVE-2023-32209 (bmo#1767194) Persistent DoS via favicon image
* CVE-2023-32210 (bmo#1776755) Incorrect principal object ordering
* CVE-2023-32211 (bmo#1823379) Content process crash due to invalid wasm code
* CVE-2023-32212 (bmo#1826622) Potential spoof due to obscured address bar
* CVE-2023-32213 (bmo#1826666) Potential memory corruption in FileReader::DoReadData()
* MFSA-TMP-2023-0002 (bmo#1814560, bmo#1814790, bmo#1819796) Race condition in dav1d decoding
* CVE-2023-32214 (bmo#1828716) Potential DoS via exposed protocol handlers
* CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856, bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144, bmo#1827359, bmo#1830186) Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
* CVE-2023-32216 (bmo#1746479, bmo#1806852, bmo#1815987, bmo#1820359, bmo#1823568, bmo#1824803, bmo#1824834, bmo#1825170, bmo#1827020, bmo#1828130) Memory safety bugs fixed in Firefox 113- removed obsolete mozilla-bmo1568145.patch
* Sun May 07 2023 Aaron Puchert - Fix i586 build by reducing debug info to -g1. (boo#1210168)
* Tue Apr 25 2023 Andreas Stieger - Mozilla Firefox 112.0.2
* Fix a high memory usage issue with animated images in minimized (or completely covered) windows, especially when using animated themes (bmo#1828587)
* Fix an issue where Linux users with bitmap fonts installed may have had entire sections of text invisible to them on some sites (bmo#1827950)
* Fri Apr 21 2023 Manfred Hollstein - Include Leap 15.5 in check for which python version is required.
* Thu Apr 20 2023 Andreas Stieger - Mozilla Firefox 112.0.1
* Fix a bug where cookie dates appear to be set in the far future after updating Firefox. This may have caused cookies to be unintentionally purged (bmo#1827669)
* Mon Apr 10 2023 Wolfgang Rosenauer - Mozilla Firefox 112.0
* https://www.mozilla.org/en-US/firefox/112.0/releasenotes/ MFSA 2023-13 (bsc#1210212)
* CVE-2023-29531 (bmo#1794292) Out-of-bound memory access in WebGL on macOS
* CVE-2023-29532 (bmo#1806394) Mozilla Maintenance Service Write-lock bypass
* CVE-2023-29533 (bmo#1798219, bmo#1814597) Fullscreen notification obscured
* CVE-2023-29534 (bmo#1816007, bmo#1816059, bmo#1821155, bmo#1821576, bmo#1821906, bmo#1822298, bmo#1822305) Fullscreen notification could have been obscured on Firefox for Android
* MFSA-TMP-2023-0001 (bmo#1819244) Double-free in libwebp
* CVE-2023-29535 (bmo#1820543) Potential Memory Corruption following Garbage Collector compaction
* CVE-2023-29536 (bmo#1821959) Invalid free from JavaScript code
* CVE-2023-29537 (bmo#1823365, bmo#1824200, bmo#1825569) Data Races in font initialization code
* CVE-2023-29538 (bmo#1685403) Directory information could have been leaked to WebExtensions
* CVE-2023-29539 (bmo#1784348) Content-Disposition filename truncation leads to Reflected File Download
* CVE-2023-29540 (bmo#1790542) Iframe sandbox bypass using redirects and sourceMappingUrls
* CVE-2023-29541 (bmo#1810191) Files with malicious extensions could have been downloaded unsafely on Linux
* CVE-2023-29542 (bmo#1810793, bmo#1815062) Bypass of file download extension restrictions
* CVE-2023-29543 (bmo#1816158) Use-after-free in debugging APIs
* CVE-2023-29544 (bmo#1818781) Memory Corruption in garbage collector
* CVE-2023-29545 (bmo#1823077) Windows Save As dialog resolved environment variables
* CVE-2023-29546 (bmo#1780842) Screen recording in Private Browsing included address bar on Android
* CVE-2023-29547 (bmo#1783536) Secure document cookie could be spoofed with insecure cookie
* CVE-2023-29548 (bmo#1822754) Incorrect optimization result on ARM64
* CVE-2023-29549 (bmo#1823042) Javascript\'s bind function may have failed
* CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413, bmo#1824828) Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
* CVE-2023-29551 (bmo#1763625, bmo#1814314, bmo#1815798, bmo#1815890, bmo#1819239, bmo#1819465, bmo#1819486, bmo#1819492, bmo#1819957, bmo#1820514, bmo#1820776, bmo#1821838, bmo#1822175, bmo#1823547) Memory safety bugs fixed in Firefox 112- requires
* NSS 3.89
* Python >= 3.7 (for build)- removed obsolete mozilla-bmo1807652.patch- Fix Icons displayed incorrectly on GNOME/wayland via WMCLASS in desktop file
* Mon Mar 27 2023 Wolfgang Rosenauer - Mozilla Firefox 111.0.1 (boo#1209688)
* Fixed a crash on macOS while pinch-zooming under some circumstances (bmo#1658986)
* Fixed a bug causing Firefox to freeze on startup for some Windows users (bmo#1823159)- fix build on Tumbleweed (mozilla-bmo1807652.patch)- exclude i586/i686 once again because it fails to link libxul due to its size
* Tue Mar 14 2023 Wolfgang Rosenauer - Mozilla Firefox 111.0
* https://www.mozilla.org/en-US/firefox/111.0/releasenotes MFSA 2023-09 (bsc#1209173)
* CVE-2023-28159 (bmo#1783561) Fullscreen Notification could have been hidden by download popups on Android
* CVE-2023-25748 (bmo#1798798) Fullscreen Notification could have been hidden by window prompts on Android
* CVE-2023-25749 (bmo#1810705) Firefox for Android may have opened third-party apps without a prompt
* CVE-2023-25750 (bmo#1814733) Potential ServiceWorker cache leak during private browsing mode
* CVE-2023-25751 (bmo#1814899) Incorrect code generation during JIT compilation
* CVE-2023-28160 (bmo#1802385) Redirect to Web Extension files may have leaked local path
* CVE-2023-28164 (bmo#1809122) URL being dragged from a removed cross-origin iframe into the same tab triggered navigation
* CVE-2023-28161 (bmo#1811181) One-time permissions granted to a local file were extended to other local files loaded in the same tab
* CVE-2023-28162 (bmo#1811327) Invalid downcast in Worklets
* CVE-2023-25752 (bmo#1811627) Potential out-of-bounds when accessing throttled streams
* CVE-2023-28163 (bmo#1817768) Windows Save As dialog resolved environment variables
* CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904, bmo#1817442, bmo#1818674) Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9
* CVE-2023-28177 (bmo#1803109, bmo#1808832, bmo#1809542, bmo#1817336) Memory safety bugs fixed in Firefox 111- ensure gcc11-c++ gets used on Leap 15.5- requires NSS >= 3.88.1- removed obsolete patches gcc13-fix.patch mozilla-bmo1810584.patch- rebased patches- update create-tar.sh
* Tue Mar 07 2023 Martin Liška - Cherry-pick upstream changes for GCC 13 in gcc13-fix.patch.
* Mon Mar 06 2023 Andreas Schwab - Limit memory use on riscv64
* Sat Mar 04 2023 Andreas Stieger - Fix 32 bit build bmo#1810584 (add mozilla-bmo1810584.patch)
* Fri Mar 03 2023 Andreas Stieger - Mozilla Firefox 110.0.1 (boo#1208886)
* Fixed clearing recent cookies clears all cookies (bmo#1816279)
* Fixed WebGL crashes on Linux when ran inside a VMWare virtual machine (bmo#1807942)
* Fixed a bug with CSP serialization causing bugs with the MitID Digital ID in Denmark (bmo#1819096)
* Wed Feb 15 2023 Wolfgang Rosenauer - Mozilla Firefox 110.0
* https://www.mozilla.org/en-US/firefox/110.0/releasenotes MFSA 2023-05 (bsc#1208144)
* CVE-2023-25728 (bmo#1790345) Content security policy leak in violation reports using iframes
* CVE-2023-25730 (bmo#1794622) Screen hijack via browser fullscreen mode
* CVE-2023-25743 (bmo#1800203) Fullscreen notification not shown in Firefox Focus
* CVE-2023-0767 (bmo#1804640) Arbitrary memory write via PKCS 12 in NSS
* CVE-2023-25735 (bmo#1810711) Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-25737 (bmo#1811464) Invalid downcast in SVGUtils::SetupStrokeGeometry
* CVE-2023-25738 (bmo#1811852) Printing on Windows could potentially crash Firefox with some device drivers
* CVE-2023-25739 (bmo#1811939) Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
* CVE-2023-25729 (bmo#1792138) Extensions could have opened external schemes without user knowledge
* CVE-2023-25732 (bmo#1804564) Out of bounds memory write from EncodeInputStream
* CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338) Opening local .url files could cause unexpected network loads
* CVE-2023-25740 (bmo#1812354) Opening local .scf files could cause unexpected network loads
* CVE-2023-25731 (bmo#1801542) Prototype pollution when rendering URLPreview
* CVE-2023-25733 (bmo#1808632) Possible null pointer dereference in TaskbarPreviewCallback
* CVE-2023-25736 (bmo#1811331) Invalid downcast in GetTableSelectionMode
* CVE-2023-25741 (bmo#1437126, bmo#1812611, bmo#1813376) Same-origin policy leak via image drag and drop
* CVE-2023-25742 (bmo#1813424) Web Crypto ImportKey crashes tab
* CVE-2023-25744 (bmo#1789449, bmo#1803628, bmo#1810536) Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8
* CVE-2023-25745 (bmo#1688592, bmo#1797186, bmo#1804998, bmo#1806521, bmo#1813284) Memory safety bugs fixed in Firefox 110- requires NSS = 3.87 rust/cargo = 1.66- update create-tar.sh
* Wed Feb 01 2023 Andreas Stieger - Mozilla Firefox 109.0.1
* Fixed jank when loading pages containing a large number of emoji characters (bmo#1809081)
* Fixed an issue causing authentication prompts to not appear when loading pages in some enterprise environments (bmo#1809151)
* ixed inconsistent sizing of event listener checkboxes inside the Inspector developer tool (bmo#1811760)
* Mon Jan 16 2023 Wolfgang Rosenauer - Mozilla Firefox 109.0 MFSA 2023-01 (bsc#1207119)
* CVE-2023-23597 (bmo#1538028) Logic bug in process allocation allowed to read arbitrary files
* CVE-2023-23598 (bmo#1800425) Arbitrary file read from GTK drag and drop on Linux
* CVE-2023-23599 (bmo#1777800) Malicious command could be hidden in devtools output on Windows
* CVE-2023-23600 (bmo#1787034) Notification permissions persisted between Normal and Private Browsing on Android
* CVE-2023-23601 (bmo#1794268) URL being dragged from cross-origin iframe into same tab triggers navigation
* CVE-2023-23602 (bmo#1800890) Content Security Policy wasn\'t being correctly applied to WebSockets in WebWorkers
* CVE-2023-23603 (bmo#1800832) Calls to console.log allowed bypasing Content Security Policy via format directive
* CVE-2023-23604 (bmo#1802346) Creation of duplicate SystemPrincipal from less secure contexts
* CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974) Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
* CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201, bmo#1800446, bmo#1801248, bmo#1802100, bmo#1803393, bmo#1804626, bmo#1804971, bmo#1807004) Memory safety bugs fixed in Firefox 109- requires NSS 3.86- rebased patches
* Fri Jan 06 2023 Luciano Santos - Mozilla Firefox 108.0.2
* Fixes a crash that might occur when managing browser history (bmo#1806408).- Drop merged-upstream mozilla-bmo1805809.patch.
* Wed Dec 21 2022 Wolfgang Rosenauer - add mozilla-bmo1805809.patch to fix build for x86-32 (boo#1206600)
* Tue Dec 20 2022 Wolfgang Rosenauer - Mozilla Firefox 108.0.1 (boo#1206507)
* Fixes the default search engine being reset on upgrade for profiles which were previously copied from a different location
* Tue Dec 13 2022 Wolfgang Rosenauer - Mozilla Firefox 108.0 https://www.mozilla.org/en-US/firefox/108.0/releasenotes/ MFSA 2022-51 (bsc#1206242)
* CVE-2022-46871 (bmo#1795697) libusrsctp library out of date
* CVE-2022-46872 (bmo#1799156) Arbitrary file read from a compromised content process
* CVE-2022-46873 (bmo#1644790) Firefox did not implement the CSP directive unsafe-hashes
* CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions
* CVE-2022-46875 (bmo#1786188) Download Protections were bypassed by .atloc and .ftploc files on Mac OS
* CVE-2022-46877 (bmo#1795139) Fullscreen notification bypass
* CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, bmo#1801102, bmo#1801315, bmo#1802395) Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
* CVE-2022-46879 (bmo#1736224, bmo#1793407, bmo#1794249, bmo#1795845, bmo#1797682, bmo#1797720, bmo#1798494, bmo#1799479) Memory safety bugs fixed in Firefox 108- requires NSS >= 3.85 rustc/cargo 1.65
* Thu Dec 08 2022 Milachew - added translations to .desktop file.
* Thu Dec 01 2022 Andreas Stieger - Mozilla Firefox 107.0.1:
* Fix an issue with accessing some sites reliably in Private Browsing mode or Strict ETP due to anti-adblockers (bmo#1717806)
* Fix an issue where Color Management was not available for some users (bmo#1799391)
* Fix an issue with text overlapping in the Settings Menu for some locales (bmo#1800379)
* Fix an issue where the DevTools UI is not accessible when an alert dialog is displayed (bmo#1801840)
* Tue Nov 15 2022 Wolfgang Rosenauer - Mozilla Firefox 107.0 MFSA 2022-47 (bsc#1205270)
* CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files
* CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass
* CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation
* CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm
* CVE-2022-45407 (bmo#1793314) Loading fonts on workers was not thread-safe
* CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName
* CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection
* CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy
* CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers
* CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers
* CVE-2022-45413 (bmo#1791201) SameSite=Strict cookies could have been sent cross-site via intent URLs
* CVE-2022-40674 (bmo#1791598) Use-after-free vulnerability in expat
* CVE-2022-45415 (bmo#1793551) Downloaded file may have been saved with malicious extension
* CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage
* CVE-2022-45417 (bmo#1794508) Service Workers in Private Browsing Mode may have been written to disk
* CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn over browser UI
* CVE-2022-45419 (bmo#1716082) Deleting a security exception did not take effect immediately
* CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside the iframe
* CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5- requires
* NSS >= 3.84
* rust = 1.64
* Sat Nov 05 2022 Andreas Stieger - Mozilla Firefox 106.0.5
* Addresses a crash experienced by users with Intel Gemini Lake CPUs (bmo#1702019)- Mozilla Firefox 106.0.4
* Fixed an issue with DRM Video playback (bmo#1797292)
* Fixed broken layout of datetime input when switching types (bmo#1797139)
* Tue Nov 01 2022 Andreas Stieger - Mozilla Firefox 106.0.3
* Fixes for other platforms
* Thu Oct 27 2022 Andreas Stieger - Mozilla Firefox 106.0.2
* Fix missing content on some PDF forms (bmo#1794351)
* Fix column width for the Notification sub-panel in Settings (bmo#1793558)
* Fix a browser freeze with accessibility enabled on some sites such as the Proxmox Web UI (bmo#1793748)
* Fix page reloading not working with Firefox View and not refreshing synced data (bmo#1792680, bmo#1794474)
* Sun Oct 23 2022 Andreas Stieger - Mozilla Firefox 106.0.1
* Addresses a crash experienced by users with AMD Zen 1 CPUs (bmo#1796126)
* Sun Oct 16 2022 Wolfgang Rosenauer - Mozilla Firefox 106.0
* support editing of PDFs
* introduced Firefox View
* major WebRTC update - Better screen sharing for Windows and Linux Wayland users - RTP performance and reliability improvements - Richer statistics - Cross-browser and service compatibility improvements
* detailed releasenotes https://www.mozilla.org/en-US/firefox/106.0/releasenotes MFSA 2022-44 (bsc#1204421)
* CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs
* CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine
* CVE-2022-42929 (bmo#1789439) Denial of Service via window.print
* CVE-2022-42930 (bmo#1789503) Race condition in DOM Workers
* CVE-2022-42931 (bmo#1780571) Username saved to a plaintext file on disk
* CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Firefox- added -msse2 flag to fix i386 build and workaround bmo#1795993- fixed used buildflags- renamed mozilla-i686-build.patch to mozilla-buildfixes.patch as it was extended with changes for other archs
* Sat Oct 08 2022 Andreas Stieger - Mozilla Firefox 105.0.3:
* Fixes for other platforms
* Wed Oct 05 2022 Andreas Stieger - Mozilla Firefox 105.0.2:
* Fixed poor contrast on various menu items with certain themes on Linux systems (bmo#1792063)
* Fixed the scrollbar appearing on the wrong side of `select` elements in right-to-left locales (bmo#1791219)
* Fixed a possible deadlock when loading some sites in Troubleshoot Mode (bmo#1786259)
* Fixed a bug causing some dynamic appearance changes to not appear when expected (bmo#1786521)
* Fixed a bug causing theme styling to not be properly applied to sidebars for some add-ons in Private Browsing Mode (bmo#1787543)
* Thu Sep 22 2022 Wolfgang Rosenauer - Mozilla Firefox 105.0.1
* Reverted focus behavior for new windows back to the content area instead of the address bar (bmo#1784692)- added mozilla-i686-build.patch to avoid using avx2
* Sat Sep 17 2022 Wolfgang Rosenauer - Mozilla Firefox 105.0 https://www.mozilla.org/en-US/firefox/105.0/releasenotes MFSA 2022-40 (bsc#1203477)
* CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on transient pages
* CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in threads
* CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
* CVE-2022-40961 (bmo#1784588) Stack-buffer overflow when initializing Graphics
* CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass
* CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when building WASM on ARM64
* CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109, bmo#1786502, bmo#1789440) Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3- requires NSS 3.82 Rust 1.63 (1.61)- removed obsolete mozilla-glibc236.patch
* Fri Sep 09 2022 Guillaume GARDET - Adjust memory requirements to fix build on aarch64
* Wed Sep 07 2022 Wolfgang Rosenauer - Mozilla Firefox 104.0.2 (boo#1203177) https://www.mozilla.org/en-US/firefox/104.0.2/releasenotes/
* Fixed a bug making it impossible to use touch or a stylus to drag the scrollbar on pages (bmo#1787361)
* Fixed an issue causing some users to crash in out-of-memory conditions (bmo#1774155)
* Fixed an issue that would sometimes affect video & audio playback when loaded via a cross-origin iframe src attribute (bmo#1781759)
* Fixed an issue that would sometimes affect video & audio playback when served with Content-Security-Policy: sandbox (bmo#1781063)
* Thu Sep 01 2022 Wolfgang Rosenauer - Mozilla Firefox 104.0.1
* Addresses an issue with Youtube video playback that was affecting some users (boo#1203003)
* Sun Aug 21 2022 Wolfgang Rosenauer - Mozilla Firefox 104.0
* https://www.mozilla.org/en-US/firefox/104.0/releasenotes MFSA 2022-33 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have inherited the parent\'s permissions
* CVE-2022-38474 (bmo#1719511) Recording notification not shown when microphone was recording on Android
* CVE-2022-38475 (bmo#1773266) Attacker could write a value to a zero-length array
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13- requires NSPR 4.34.1 NSS 3.81 rust 1.62
* Sat Aug 13 2022 Wolfgang Rosenauer - added mozilla-glibc236.patch (bmo#1782988, boo#1202323)
* Tue Aug 09 2022 Wolfgang Rosenauer - Mozilla Firefox 103.0.2
* Fixed menu shortcuts for users of the JAWS screen reader
* Fixed an occasional non-overridable certificate error when accessing device configuration pages
* Tue Aug 02 2022 Andreas Schwab - The --disable-elf-hack option only exists on ARM and X86
* Mon Aug 01 2022 Wolfgang Rosenauer - Mozilla Firefox 103.0.1
* Enabled hardware acceleration on newer AMD cards.
* Fixed a crash on Firefox shutdown caused by a bug in the audio manager
* Wed Jul 27 2022 Wolfgang Rosenauer - Mozilla Firefox 103.0 https://www.mozilla.org/en-US/firefox/103.0/releasenotes MFSA 2022-28 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722) Mouse Position spoofing with CSS transforms
* CVE-2022-36317 (bmo#1759951) Long URL would hang Firefox for Android
* CVE-2022-36318 (bmo#1771774) Directory indexes for bundled resources reflected URL parameters
* CVE-2022-36314 (bmo#1773894) Opening local .lnk files could cause unexpected network loads
* CVE-2022-36315 (bmo#1762520) Preload Cache Bypasses Subresource Integrity
* CVE-2022-36316 (bmo#1768583) Performance API leaked whether a cross-site resource is redirecting
* CVE-2022-36320 (bmo#1759794, bmo#1760998) Memory safety bugs fixed in Firefox 103
* CVE-2022-2505 (bmo#1769739, bmo#1772824) Memory safety bugs fixed in Firefox 103 and 102.1- requires NSS >= 3.80 rust = 1.61 rust-cbindgen >= 0.24.3
* Wed Jul 13 2022 Guillaume GARDET - Move %limit_build set before mozilla config to actually set the value of %jobs to MOZ_MAKE_FLAGS to fix build on aarch64
* Wed Jul 06 2022 Andreas Stieger - Firefox 102.0.1:
* Fixed: Fixed bookmarks sidebar flashing white when opened in dark mode (bmo#1776157)
* Fixed: Fixed multilingual spell checking not working with content in both English and a non-Latin alphabet (bmo#1773802)
* Fixed: Developer tools: Fixed an issue where the console output keep getting scrolled to the bottom when the last visible message is an evaluation result (bmo#1776262)
* Fixed: Fixed
*Delete cookies and site data when Firefox is closed
* checkbox getting disabled on startup (bmo#1777419)
* Fixed: Various stability fixes
* Sat Jun 25 2022 Wolfgang Rosenauer - Firefox 102.0
* You can now disable automatic opening of the download panel every time a new download starts
* Firefox now mitigates query parameter tracking when navigating sites in ETP strict mode
* Improved security by moving audio decoding into a separate process with stricter sandboxing, thus improving process isolation
* https://www.mozilla.org/en-US/firefox/102.0/releasenotes MFSA 2022-24 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way to overlay the address bar with web content
* CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537) CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
* CVE-2022-34482 (bmo#845880) Drag and drop of malicious image could have led to malicious executable and potential code execution
* CVE-2022-34483 (bmo#1335845) Drag and drop of malicious image could have led to malicious executable and potential code execution
* CVE-2022-34476 (bmo#1387919) ASN.1 parser could have been tricked into accepting malformed ASN.1
* CVE-2022-34481 (bmo#1483699, bmo#1497246) Potential integer overflow in ReplaceElementsAt
* CVE-2022-34474 (bmo#1677138) Sandboxed iframes could redirect to external schemes
* CVE-2022-34469 (bmo#1721220) TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android
* CVE-2022-34471 (bmo#1766047) Compromised server could trick a browser into an addon downgrade
* CVE-2022-34472 (bmo#1770123) Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717) Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381) Undesired attributes could be set as part of prototype pollution
* CVE-2022-34480 (bmo#1454072) Free of uninitialized pointer in lg_init
* CVE-2022-34477 (bmo#1731614) MediaError message property leaked information on cross- origin same-site pages
* CVE-2022-34475 (bmo#1757210) HTML Sanitizer could have been bypassed via same-origin script via use tags
* CVE-2022-34473 (bmo#1770888) HTML Sanitizer could have been bypassed via use tags
* CVE-2022-34484 (bmo#1763634, bmo#1772651) Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
* CVE-2022-34485 (bmo#1768409, bmo#1768578) Memory safety bugs fixed in Firefox 102- requires NSPR >= 4.34 NSS >= 3.79 rust = 1.60- switch out skia-patches with webrender-patches for big endian removed:
* mozilla-bmo1504834-part2.patch
* mozilla-bmo1504834-part4.patch
* mozilla-bmo1626236.patch added:
* one_swizzle_to_rule_them_all.patch
* svg-rendering.patch- add some more returns to the no-return-patch
* Fri Jun 10 2022 Andreas Stieger - Mozilla Firefox 101.0.1:
* Fixed context menus not appearing when right-clicking Picture-in-Picture windows on some Linux systems (bmo#1771914)
* Various stability fixes
* Sun May 29 2022 Wolfgang Rosenauer - Mozilla Firefox 101.0
* Reading is now easier with the prefers-contrast media query, which allows sites to detect if the user has requested that web content is presented with a higher (or lower) contrast
* All non-configured MIME types can now be assigned a custom action upon download completion
* allows users to use as many microphones as you want, at the same time, during video conferencing. The most exciting benefit is that you can easily switch your microphones at any time (if your conferencing service provider enables this flexibility) MFSA 2022-20 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923) Cross-Origin resource\'s length leaked
* CVE-2022-31737 (bmo#1743767) Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388) Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049) Attacker-influenced path traversal when saving downloaded files
* CVE-2022-31740 (bmo#1766806) Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590) Uninitialized variable leads to invalid memory read
* CVE-2022-31742 (bmo#1730434) Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
* CVE-2022-31743 (bmo#1747388) HTML Parsing incorrectly ended HTML comments prematurely
* CVE-2022-31744 (bmo#1757604) CSP bypass enabling stylesheet injection
* CVE-2022-31745 (bmo#1760944) Incorrect Assertion caused by unoptimized array shift operations
* CVE-2022-1919 (bmo#1761275) Memory Corruption when manipulating webp images
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283, bmo#1767365, bmo#1768559, bmo#1768734) Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
* CVE-2022-31748 (bmo#1713773, bmo#1762201, bmo#1762469, bmo#1762770, bmo#1764878, bmo#1765226, bmo#1765782, bmo#1765973, bmo#1767177, bmo#1767181, bmo#1768232, bmo#1768251, bmo#1769869) Memory safety bugs fixed in Firefox 101- requires
* NSS 3.78.1
* rust-cbindgen 0.23.0
* rust 1.59
* Fri May 20 2022 Wolfgang Rosenauer - Mozilla Firefox 100.0.2 MFSA 2022-19 (bsc#1199768)
* CVE-2022-1802 (bmo#1770137) Prototype pollution in Top-Level Await implementation
* CVE-2022-1529 (bmo#1770048) Untrusted input used in JavaScript object indexing, leading to prototype pollution
* Wed May 18 2022 Andreas Stieger - Mozilla Firefox 100.0.1:
* Fixed: Fixed an issue with subtitles in Picture-in-Picture mode while using Netflix (bmo#1768818)
* Fixed: Fixed an issue where some commands were unavailable in the Picture-in-Picture window (bmo#1768201)
* Sun May 01 2022 Wolfgang Rosenauer - Mozilla Firefox 100.0
* subtitle support in PiP
* spell checking supports multiple languages in parallel
* more details here https://www.mozilla.org/en-US/firefox/100.0/releasenotes MFSA 2022-16 (boo#1198970)
* CVE-2022-29914 (bmo#1746448) Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081) Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674) Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981) iframe Sandbox bypass
* CVE-2022-29912 (bmo#1692655) Reader mode bypassed SameSite cookies
* CVE-2022-29910 (bmo#1757138) Firefox for Android forgot HTTP Strict Transport Security settings
* CVE-2022-29915 (bmo#1751678) Leaking cross-origin redirect through the Performance API
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, bmo#1762614, bmo#1762620, bmo#1764778) Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
* CVE-2022-29918 (bmo#1744043, bmo#1747178, bmo#1753535, bmo#1754017, bmo#1755847, bmo#1756172, bmo#1757477, bmo#1758223, bmo#1760160, bmo#1761481, bmo#1761771) Memory safety bugs fixed in Firefox 100- requires NSS 3.77
* Tue Apr 12 2022 Andreas Stieger - Mozilla Firefox 99.0.1
* Fixed an issue with text rendering in Bengali (bmo#1763368)
* Fixed a selection issue in the Download panel with drag and drop (bmo#1762723)
* Fixed: Fixed an issue preventing Zoom gallery mode for users who go to zoom.us URLs instead of subdomain.zoom.us URLs (bmo#1763801)
* Mon Apr 04 2022 Wolfgang Rosenauer - Mozilla Firefox 99.0
* You can now toggle Narrate in ReaderMode with the keyboard shortcut \"n.\"
* You can find added support for search—with or without diacritics—in the PDF viewer.
* The Linux sandbox has been strengthened: processes exposed to web content no longer have access to the X Window system (X11).
* Firefox now supports credit card autofill and capture in Germany and France. MFSA 2022-13 (bsc#1197903)
* CVE-2022-1097 (bmo#1745667) Use-after-free in NSSToken objects
* CVE-2022-28281 (bmo#1755621) Out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-28282 (bmo#1751609) Use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28283 (bmo#1754066) Missing security checks for fetching sourceMapURL
* CVE-2022-28284 (bmo#1754522) Script could be executed via svg\'s use element
* CVE-2022-28285 (bmo#1756957) Incorrect AliasSet used in JIT Codegen
* CVE-2022-28286 (bmo#1735265) iframe contents could be rendered outside the border
* CVE-2022-28287 (bmo#1741515) Text Selection could crash Firefox
* CVE-2022-24713 (bmo#1758509) Denial of Service via complex regular expressions
* CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508, bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776) Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
* CVE-2022-28288 (bmo#1746415, bmo#1746495, bmo#1746500, bmo#1747282, bmo#1748759, bmo#1749056, bmo#1749786, bmo#1751679, bmo#1752120, bmo#1756010, bmo#1756017, bmo#1757213, bmo#1757258, bmo#1757427) Memory safety bugs fixed in Firefox 99- requires NSS >= 3.76.1- remove obsolete patch
* mozilla-bmo1756347.patch
* mozilla-bmo1757571.patch- update create-tar.sh
* Thu Mar 24 2022 Andreas Stieger - MozillaFirefox 98.0.2:
* Fixed: Fixed an issue preventing users from typing in Address Bar after opening new tab and pressing cmd + enter (bmo#1757376)
* Fixed: Fixed an issue causing some users to crash in out-of- memory conditions (bmo#1757618)
* Fixed: Fixed an issue in session history which caused some sites to fail to load (bmo#1758664)
* Fixed: Fixed an add-on specific compatibility issue (bmo#1759162)
* Wed Mar 23 2022 Simon Vogl - Change mozilla-kde.patch to follow the GNOME registry behavior for new MIME types to avoid opening downloaded files without any inquiries (bsc#1197319)
* Tue Mar 22 2022 Guillaume GARDET - Add patch to fix start-up on aarch64:
* mozilla-bmo1757571.patch
* Thu Mar 17 2022 Dirk Müller - exclude slow cpus for building
* Thu Mar 17 2022 Martin Sirringhaus - Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer, faster buildhosts, as the others struggle to build FF.
* Mon Mar 14 2022 Wolfgang Rosenauer - Mozilla Firefox 98.0.1:
* Yandex and Mail.ru have been removed as optional search providers in the drop-down search menu in Firefox
* Tue Mar 08 2022 Wolfgang Rosenauer - Mozilla Firefox 98.0
* Firefox has a new optimized download flow
* other changes as documented here https://www.mozilla.org/en-US/firefox/98.0/releasenotes MFSA 2022-10 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421) Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352) iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979) Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243) Use-after-free in text reflows
* CVE-2022-26382 (bmo#1741888) Autofill Text could be exfiltrated via side-channel attacks
* CVE-2022-26385 (bmo#1747526) Use-after-free in thread shutdown
* CVE-2022-0843 (bmo#1746523, bmo#1749062, bmo#1749164, bmo#1749214, bmo#1749610, bmo#1750032, bmo#1752100, bmo#1752405, bmo#1753612, bmo#1754508) Memory safety bugs fixed in Firefox 98- requires NSS 3.75- add mozilla-bmo1756347.patch to fix i586 build
* Fri Feb 18 2022 Andreas Stieger - Mozilla Firefox 97.0.1
* Fixed: Fixed an issue where TikTok videos would fail to load when selected from a user\'s profile page (bmo#1750973)
* Fixed: Fixed an issue which led to Picture-in-Picture mode being unable to be toggled on Hulu (bmo#1753401)
* Fixed: Works around problems with WebRoot SecureAnywhere antivirus rendering Firefox unusable in some situations (bmo#1752466)
* Fixed: Fixed an issue causing users to see the Restore Session screen unexpectedly when starting Firefox (bmo#1749996)
* Mon Feb 14 2022 Luciano Santos - Remove bashisms (\"source\" and \"function\" keywords) from mozilla.sh.in to ally with the #!/bin/sh shebang. If the end user has either dash-sh package or busybox-sh to handle Bourn Shell scripts rather than having bash-sh package, the script would fail. Using \".\" instead of \"source\" and \"create_langpack_link()\" function definition is enough to keep both sides sane, behavior-wise.
* Tue Feb 08 2022 Wolfgang Rosenauer - Mozilla Firefox 97.0 MFSA 2022-04 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows via Maintenance Service
* CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission confirmation during update
* CVE-2022-22755 (bmo#1309630) XSL could have allowed JavaScript execution after a tab was closed
* CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have resulted in the dropped object being an executable
* CVE-2022-22757 (bmo#1720098) Remote Agent did not prevent local websites from connecting
* CVE-2022-22758 (bmo#1728742) tel: links could have sent USSD codes to the dialer on Firefox for Android
* CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed script if the parent appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could be distinguished between script and non-script content-types
* CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy directive was not enforced for framed extension pages
* CVE-2022-22762 (bmo#1743931) JavaScript Dialogs could have been displayed over other domains on Firefox for Android
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, bmo#1748210, bmo#1748279) Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
* CVE-2022-0511 (bmo#1713579, bmo#1735448, bmo#1743821, bmo#1746313, bmo#1746314, bmo#1746316, bmo#1746321, bmo#1746322, bmo#1746323, bmo#1746412, bmo#1746430, bmo#1746451, bmo#1746488, bmo#1746875, bmo#1746898, bmo#1746905, bmo#1746907, bmo#1746917, bmo#1747128, bmo#1747137, bmo#1747331, bmo#1747346, bmo#1747439, bmo#1747457, bmo#1747870, bmo#1749051, bmo#1749274, bmo#1749831) Memory safety bugs fixed in Firefox 97- requires NSS 3.74- requires rust 1.57
* Mon Feb 07 2022 Dirk Müller - remove memoryperjob and use %limit instead. this allows to adapt to more worker types, and lowers the time the package is stuck in \"scheduling\". raising memory above 8 to lower risk for LTO jobs to run OOM- add hack to disable -Wl,--gc-section which avoids a binutils segfault on x86- change mozilla-reduce-rust-debuginfo.patch: use -g1 everywhere
* Sun Jan 30 2022 Dirk Müller - disable ccache, this adds about 1 minute of build time and over 2 GB of disk space usage without benefit on OBS builds- build with rust-simd like upstream does- use -g1 for debuginfo generation as this is what upstream does as well and it saves ~ 2GB of writes- use %limit on x86_64 to scale down to less capable workers- disable install stripping so that debuginfo is useful- use autopatch- cleanup constraints to specify only jobs, physicalmemory and memoryperjob to be more flexible on which host to build on
* Fri Jan 28 2022 Wolfgang Rosenauer - Mozilla Firefox 96.0.3 (bsc#1195230)
* Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry (bmo#1752317)
* Mon Jan 24 2022 Martin Liška - Enable -fimplicit-constexpr for GCC 12+.
* Thu Jan 20 2022 Andreas Stieger - Mozilla Firefox 96.0.2
* Fix an issue that caused tab height to display inconsistently on Linux when audio was played (bmo#1714276)
* Fix an issue that caused Lastpass dropdowns to appear blank in Private Browsing mode (bmo#1748158)
* Fix a crash encountered when resizing a Facebook app (bmo#1746084)
* Fri Jan 14 2022 Andreas Stieger - Mozilla Firefox 96.0.1
* Fixed: Improvements to make the parsing of content-length headers more robust (bmo#1749957, boo#1194677)
* Sat Jan 08 2022 Wolfgang Rosenauer - Mozilla Firefox 96.0
* https://www.mozilla.org/en-US/firefox/96.0/releasenotes MFSA 2022-01 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071) Calling into reportValidity could have lead to fullscreen window spoof
* CVE-2022-22743 (bmo#1739220) Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923) Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389) Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334) Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382) Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874) Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720) Iframe sandbox bypass with XSLT
* CVE-2022-22750 (bmo#1566608) IPC passing of resource handles could have lead to sandbox bypass
* CVE-2022-22749 (bmo#1705094) Lack of URL restrictions when scanning QR codes
* CVE-2022-22748 (bmo#1705211) Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856) Leaking cross-origin URLs through securitypolicyviolation event
* CVE-2022-22744 (bmo#1737252) The \'Copy as curl\' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
* CVE-2022-22747 (bmo#1735028) Crash when handling empty pkcs7 sequence
* CVE-2022-22736 (bmo#1742692) Potential local privilege escalation when loading modules from the install directory.
* CVE-2022-22739 (bmo#1744158) Missing throttling on external protocol launch dialog
* CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366, bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221, bmo#1743515, bmo#1745373, bmo#1746011) Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5
* CVE-2022-22752 (bmo#1740534, bmo#1741210, bmo#1742770) Memory safety bugs fixed in Firefox 96- removed obsolete patches
* mozilla-bmo1745560.patch
* mozilla-bmo1744896.patch
* mozilla-sandbox-fips.patch- requires NSPR >= 4.33 NSS >= 3.73.1
* Tue Dec 28 2021 Bjørn Lie - Add upstream patches:
* mozilla-bmo1745560.patch: Fix build against wayland 1.20.
* mozilla-bmo1744896.patch: Create WaylandVsyncSource on window creation
* Mon Dec 20 2021 Wolfgang Rosenauer - Mozilla Firefox 95.0.2
* Addresses frequent crashes experienced by users with C/E/Z-Series \"Bobcat\" CPUs running on Windows 7, 8, and 8.1.- updated constraints for ppc and x86-64
* Fri Dec 17 2021 Wolfgang Rosenauer - Mozilla Firefox 95.0.1 (bsc#1193845)
* Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains (bmo#1745600)
* Fix for a WebRender crash on some Linux/X11 systems (bmo#1741956)
* Fix for a frequent Windows shutdown crash (bmo#1738984)
* Fix websites contrast issues for some Linux users with Dark mode set at OS level (bmo#1740518)
* Sat Dec 04 2021 Wolfgang Rosenauer - Mozilla Firefox 95.0
* You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.
* To better protect Firefox users against side-channel attacks such as Spectre, Site Isolation is now enabled for all Firefox 95 users.
* https://www.mozilla.org/en-US/firefox/95.0/releasenotes MFSA 2021-52 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120) URL leakage when navigating while executing asynchronous function
* CVE-2021-43537 (bmo#1738237) Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091) Missing fullscreen and pointer lock notification when requesting both
* CVE-2021-43539 (bmo#1739683) GC rooting failure when calling wasm instance methods
* MOZ-2021-0010 (bmo#1735852) Use-after-free in fullscreen objects on MacOS
* CVE-2021-43540 (bmo#1636629) WebExtensions could have installed persistent ServiceWorkers
* CVE-2021-43541 (bmo#1696685) External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281) XMLHttpRequest error codes could have leaked the existence of an external protocol handler
* CVE-2021-43543 (bmo#1738418) Bypass of CSP sandbox directive when embedding
* CVE-2021-43544 (bmo#1739934) Receiving a malicious URL as text through a SEND intent could have led to XSS
* CVE-2021-43545 (bmo#1720926) Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751) Cursor spoofing could overlay user interface when native cursor is zoomed
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751, bmo#1737009, bmo#1739372, bmo#1739421) Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4- requires NSS >= 3.72
* Thu Dec 02 2021 Andreas Stieger - remove x-scheme-handler/ftp from firefox.desktop boo#1193321
* Thu Nov 25 2021 Bjørn Lie - Drop unused libidl-devel BuildRequires.
* Tue Nov 23 2021 Andreas Stieger - Mozilla Firefox 94.0.2:
* Update preference design for Firefox Suggest for improved clarity
* Resolved general instability/crashes on Linux caused by a file descriptor leak when backgrounding tabs using WebGL (bmo#1741997)
* Fri Nov 05 2021 Andreas Stieger - Mozilla Firefox 94.0.1:
* fixes for other platforms
* Sat Oct 30 2021 Wolfgang Rosenauer - Mozilla Firefox 94.0
* https://www.mozilla.org/en-US/firefox/94.0/releasenotes MFSA 2021-48 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517) iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156) Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194) Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750) Firefox could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507 (bmo#1730935) Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0003 (bmo#1736886) Universal XSS in Firefox for Android via QR Code URLs
* CVE-2021-38508 (bmo#1366818) Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* MOZ-2021-0004 (bmo#1659155) Web Extensions could access pre-redirect URL when their context menu was triggered by a user
* CVE-2021-38509 (bmo#1718571) Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510 (bmo#1731779) Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0005 (bmo#1719203) \'Copy Image Link\' context menu action could have been abused to see authentication tokens
* MOZ-2021-0006 (bmo#1724233) URL Parsing may incorrectly parse internationalized domains
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048, bmo#1735152) Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3- removed obsolete patches
* mozilla-bmo1602730.patch
* mozilla-bmo1725828.patch
* mozilla-bmo1729124.patch- requires NSS >= 3.71 rust >= 1.53- fix Plasma detection (boo#1191825)- fix Link error \"undefined hidden symbol:\" https://github.com/openSUSE/firefox-maintenance/issues/37
* Tue Oct 26 2021 Wolfgang Rosenauer - Drop unused pkgconfig(gdk-x11-2.0) BuildRequires- (re-)enable LTO on Tumbleweed
* Wed Oct 20 2021 Martin Sirringhaus - Rebase mozilla-sandbox-fips.patch to punch another hole in the sandbox containment, to be able to open /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. This fixes bsc#1191815 and bsc#1190141
* Mon Oct 18 2021 Guillaume GARDET - Add patch to fix build on aarch64 (bmo#1729124)
* mozilla-bmo1729124.patch
* Fri Oct 01 2021 Wolfgang Rosenauer - Mozilla Firefox 93.0
* supports the new AVIF image format
* PDF viewer now supports filling more forms (XFA-based forms)
* now blocks downloads that rely on insecure connections, protecting against potentially malicious or unsafe downloads
* Improved web compatibility for privacy protections with SmartBlock 3.0
* Introducing a new referrer tracking protection in Strict Tracking Protection and Private Browsing
* TLS ciphersuites that use 3DES have been disabled. Such ciphersuites can only be enabled when deprecated versions of TLS are also enabled
* The download panel now follows the Firefox visual styles MFSA 2021-43 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813) https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* CVE-2021-38499 (bmo#1667102, bmo#1723170, bmo#1725356, bmo#1727364) Memory safety bugs fixed in Firefox 93- removed obsolete mozilla-bmo1708709.patch- require NSS >= 3.70- allow to override wayland detection by defining MOZ_ENABLE_WAYLAND explicitely as 0 or 1- fix aarch64 build by updating constraints- add mozilla-bmo1725828.patch to fix widevine (bsc#1190842)- add mozilla-bmo531915.patch to fix build for i586
* Sat Sep 25 2021 Andreas Stieger - Mozilla Firefox 92.0.1
* Fixed: Fixes an issue where audio playback was not working on some Linux systems (bmo#1730499)
* Fixed: Fixes issues with the findbar close button on different operating systems (bmo#1728368)
* Mon Sep 06 2021 Wolfgang Rosenauer - Mozilla Firefox 92.0
* More secure connections: Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers
* Full-range color levels are now supported for video playback on many systems MFSA 2021-38 (bsc#1190269)
* CVE-2021-29993 (bmo#1708544, bmo#1708767, bmo#1712240, bmo#1712242, bmo#1729259) Handling custom intents could lead to crashes and UI spoofs
* CVE-2021-38491 (bmo#1551886) Mixed-Content-Blocking was unable to check opaque origins
* CVE-2021-38492 (bmo#1721107) Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38493 (bmo#1723391, bmo#1724101, bmo#1724107) Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and Firefox ESR 91.1
* CVE-2021-38494 (bmo#1723920, bmo#1725638) Memory safety bugs fixed in Firefox 92- updated appdata- remove mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch (does not apply anymore; unclear if obsolete)- bring back mozilla-silence-no-return-type.patch and run post-build-checks everywhere again- requires NSS 3.69.1
* Tue Aug 31 2021 Atri Bhattacharya - Add mozilla-bmo1708709.patch: On [wayland] popup can be wrongly repositioned due to rounding errors when font scaling != 1 (bmo#1708709); patch taken from upstream bug report and rebased to apply cleanly against current version.
* Sun Aug 29 2021 Martin Liška - Bump using with GCC (tested locally).
* Fri Aug 27 2021 Andreas Stieger - Mozilla Firefox 91.0.2:
* Fixed: Firefox no longer clears authentication data when purging trackers, to avoid repeatedly prompting for a password (bmo#1721084)
* Wed Aug 18 2021 Wolfgang Rosenauer - Mozilla Firefox 91.0.1
* Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bmo#1704404)
* Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to-tab results in the address bar panel (bmo#1720369)
* Various stability fixes MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses
* Mon Aug 09 2021 Wolfgang Rosenauer - Mozilla Firefox 91.0 MFSA 2021-33 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138) Race condition when resolving DNS names could have led to memory corruption
* CVE-2021-29981 (bmo#1707774) Live range splitting could have led to conflicting assignments in the JIT
* CVE-2021-29988 (bmo#1717922) Memory corruption as a result of incorrect style treatment
* CVE-2021-29983 (bmo#1719088) Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984 (bmo#1720031) Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204) Uninitialized memory in a canvas object could have led to memory corruption
* CVE-2021-29987 (bmo#1716129) Users could have been tricked into accepting unwanted permissions on Linux
* CVE-2021-29985 (bmo#1722083) Use-after-free media channels
* CVE-2021-29982 (bmo#1715318) Single bit data leak due to incorrect JIT optimization and type confusion
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178, bmo#1719998, bmo#1720568) Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990 (bmo#1544190, bmo#1716481, bmo#1717778, bmo#1719319, bmo#1722073) Memory safety bugs fixed in Firefox 91- requires
* rustc/cargo >= 1.51
* NSPR >= 4.32
* NSS >= 3.68- force-disable webrender on BE platforms
* Sat Jul 24 2021 Andreas Stieger - Mozilla Firefox 90.0.2:
* Changed: Updates to support DoH Canada rollout (bmo#1713036)
* Fixed: Fixed truncated output when printing (bmo#1720621)
* Fixed: Fixed menu styling on some Gtk themes (bmo#1720441, bmo#1720874)
* Mon Jul 19 2021 Andreas Stieger - Mozilla Firefox 90.0.1 (boo#1188480):
* Fixed: Fixed busy looping processing some HTTP3 responses (bmo#1720079)
* Fixed: Fixed transient errors authenticating with some smart cards (bmo#1715325)
* Fixed: Fixed a rare crash on shutdown (bmo#1707057)
* Fixed: Fixed a race on startup that caused about:support to end up empty after upgrade (bmo#1717894, boo#1188330)
* Sun Jul 11 2021 Wolfgang Rosenauer - Mozilla Firefox 90.0 MFSA 2021-28 (bsc#1188275)
* CVE-2021-29970 (bmo#1709976) Use-after-free in accessibility features of a document
* CVE-2021-29971 (bmo#1713638) Granted permissions only compared host; omitting scheme and port on Android
* CVE-2021-30547 (bmo#1715766) Out of bounds write in ANGLE
* CVE-2021-29972 (bmo#1696816) Use of out-of-date library included use-after-free vulnerability
* CVE-2021-29973 (bmo#1701932) Password autofill on HTTP websites was enabled without user interaction on Android
* CVE-2021-29974 (bmo#1704843) HSTS errors could be overridden when network partitioning was enabled
* CVE-2021-29975 (bmo#1713259) Text message could be overlaid on top of another website
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, bmo#1711576, bmo#1714391) Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316, bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357, bmo#1714066) Memory safety bugs fixed in Firefox 90- requires NSPR 4.31 NSS 3.66- Gtk2 support removed (was only for Flash plugin before)
* Wed Jun 23 2021 Andreas Stieger - Mozilla Firefox 89.0.2 (boo#1187648):
* Fix occasional hangs with Software WebRender on Linux (bmo#1708224)
* Sat Jun 19 2021 Andreas Stieger - Mozilla Firefox 89.0.1 (boo#1187475):
* Updated translations, including full Spanish (Mexico) localization and other improvements (bmo#1714946)
* Fix various font related regressions (bmo#1694174)
* Linux: Fix performance and stability regressions with WebRender (bmo#1715895, bmo#1715902)
* Enterprise: Fix for the `DisableDeveloperTools` policy not having effect anymore (bmo#1715777)
* Linux: Fix broken scrollbars on some GTK themes (bmo#1714103)
* Various stability fixes
* Sat May 29 2021 Wolfgang Rosenauer - Mozilla Firefox 89.0
* UI redesign
* The Event Timing API is now supported
* The CSS forced-colors media query is now supported MFSA 2021-23 (bsc#1186696)
* CVE-2021-29965 (bmo#1709257) Password Manager on Firefox for Android susceptible to domain spoofing
* CVE-2021-29960 (bmo#1675965) Filenames printed from private browsing mode incorrectly retained in preferences
* CVE-2021-29961 (bmo#1700235) Firefox UI spoof using ` and mouse events (bmo#1291078)
* Fix a top crash caused by plugin issues (bmo#1264530)
* Fix a shutdown issue (bmo#1276920)
* Fix a crash in WebRTC
* Mon Aug 15 2016 wrAATTrosenauer.org- added upstream patch so system plugins/extensions are correctly loaded again on x86-64 (bmo#1282843) (mozilla-old_configure-bmo1282843.patch)
* Fri Aug 05 2016 pcernyAATTsuse.com- Fix for possible buffer overrun (bsc#990856) CVE-2016-6354 (bmo#1292534) [mozilla-flex_buffer_overrun.patch]
* Wed Aug 03 2016 badshah400AATTgmail.com- Update mozilla-gtk3_20.patch to latest version from Fedora.
* Mon Aug 01 2016 wrAATTrosenauer.org- update to Firefox 48.0 (boo#991809)
* requires NSS 3.24
* Process separation (e10s) is enabled for some of you
* Add-ons that have not been verified and signed by Mozilla will not load
* WebRTC embetterments
* The media parser has been redeveloped using the Rust programming language
* better Canvas performance with speedy Skia support security fixes:
* MFSA 2016-62/CVE-2016-2835/CVE-2016-2836 Miscellaneous memory safety hazards
* MFSA 2016-63/CVE-2016-2830 (bmo#1255270) Favicon network connection can persist when page is closed
* MFSA 2016-64/CVE-2016-2838 (bmo#1279814) Buffer overflow rendering SVG with bidirectional content
* MFSA 2016-65/CVE-2016-2839 (bmo#1275339) Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
* MFSA 2016-66/CVE-2016-5251 (bmo#1255570) Location bar spoofing via data URLs with malformed/invalid mediatypes
* MFSA 2016-67/CVE-2016-5252 (bmo#1268854) Stack underflow during 2D graphics rendering
* MFSA 2016-68/CVE-2016-0718 (bmo#1236923) Out-of-bounds read during XML parsing in Expat library
* MFSA 2016-69/CVE-2016-5253 (bmo#1246944) Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter (Windows-only)
* MFSA 2016-70/CVE-2016-5254 (bmo#1266963) Use-after-free when using alt key and toplevel menus
* MFSA 2016-71/CVE-2016-5255 (bmo#1212356) Crash in incremental garbage collection in JavaScript
* MFSA 2016-72/CVE-2016-5258 (bmo#1279146) Use-after-free in DTLS during WebRTC session shutdown
* MFSA 2016-73/CVE-2016-5259 (bmo#1282992) Use-after-free in service workers with nested sync events
* MFSA 2016-74/CVE-2016-5260 (bmo#1280294) Form input type change from password to text can store plain text password in session restore file
* MFSA 2016-75/CVE-2016-5261 (bmo#1287266) Integer overflow in WebSockets during data buffering
* MFSA 2016-76/CVE-2016-5262 (bmo#1277475) Scripts on marquee tag can execute in sandboxed iframes
* MFSA 2016-77/CVE-2016-2837 (bmo#1274637) Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
* MFSA 2016-78/CVE-2016-5263 (bmo#1276897) Type confusion in display transformation
* MFSA 2016-79/CVE-2016-5264 (bmo#1286183) Use-after-free when applying SVG effects
* MFSA 2016-80/CVE-2016-5265 (bmo#1278013) Same-origin policy violation using local HTML file and saved shortcut file
* MFSA 2016-81/CVE-2016-5266 (bmo#1226977) Information disclosure and local file manipulation through drag and drop
* MFSA 2016-82/CVE-2016-5267 (bmo#1284372) Addressbar spoofing with right-to-left characters on Firefox for Android (Android only)
* MFSA 2016-83/CVE-2016-5268 (bmo#1253673) Spoofing attack through text injection into internal error pages
* MFSA 2016-84/CVE-2016-5250 (bmo#1254688) Information disclosure through Resource Timing API during page navigation- removed obsolete mozilla-gcc6.patch
* Fri Jul 29 2016 badshah400AATTgmail.com- Update description and screenshots in appdata.xml file.
* Sat Jul 23 2016 antoine.belvireAATTlaposte.net- Fix Firefox crash on startup on i586 (boo#986541):
* Add -fno-delete-null-pointer-checks and - fno-inline-small-functions to CFLAGS
* Tue Jul 19 2016 mailaenderAATTopensuse.org- Update the appdata.xml file (replace Windows XP screenshot)
* Wed Jun 29 2016 astiegerAATTsuse.com- Mozilla Firefox 47.0.1:
* Selenium WebDriver may cause Firefox to crash at startup (bmo#1280854)
* Wed Jun 15 2016 wrAATTrosenauer.org- mozilla-binutils-visibility.patch to fix build issues with gcc/binutils combination used in Leap 42.2 (boo#984637)
* Tue Jun 14 2016 badshah400AATTgmail.com- Update mozilla-gtk3_20.patch to latest version from Fedora.
* Mon Jun 13 2016 agrafAATTsuse.com- Fix running on 48bit va aarch64 (bsc#984126)
* add patch mozilla-aarch64-48bit-va.patch
* Mon Jun 13 2016 wrAATTrosenauer.org- fix XUL dialog button order under KDE session (boo#984403)
* Tue Jun 07 2016 wrAATTrosenauer.org- update to Firefox 47.0 (boo#983549)
* Enable VP9 video codec for users with fast machines
* Embedded YouTube videos now play with HTML5 video if Flash is not installed
* View and search open tabs from your smartphone or another computer in a sidebar
* Allow no-cache on back/forward navigations for https resources security fixes:
* MFSA 2016-49/CVE-2016-2815/CVE-2016-2818 (boo#983638) (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743, bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493, bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752, bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130, bmo#1269729, bmo#1273202, bmo#1273701) Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
* MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381) Buffer overflow parsing HTML5 fragments
* MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460) Use-after-free deleting tables from a contenteditable document
* MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129) Addressbar spoofing though the SELECT element
* MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580) Out-of-bounds write with WebGL shader
* MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093) Partial same-origin-policy through setting location.host through data URI
* MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810) Use-after-free when textures are used in WebGL operations after recycle pool destruction
* MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329) Incorrect icon displayed on permissions notifications
* MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933) Entering fullscreen and persistent pointerlock without user permission
* MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267) Information disclosure of disabled plugins through CSS pseudo-classes
* MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933) Java applets bypass CSP protections
* MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283, bmo#1221620, bmo#1241034, bmo#1241037) Network Security Services (NSS) vulnerabilities fixed by requiring NSS 3.23 packaging changes:
* cleanup configure options (boo#981695): - notably remove GStreamer support which is gone from FF
* remove obsolete patches - mozilla-libproxy.patch - mozilla-repo.patch
* Wed May 25 2016 badshah400AATTgmail.com- The conditional testing for gcc was failing for different openSUSE versions, drop it and apply patches unconditionally.
* Mon May 23 2016 badshah400AATTgmail.com- Add patches to fix building with gcc6: + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch taken from upstream: https://hg.mozilla.org/mozilla-central/rev/55212130f19d. + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp from unified compilation because #include in other source files causes gcc6 compilation failure; patch taken from upstream: https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc.
* Thu May 12 2016 dsterbaAATTsuse.cz- enable build with PIE and full relro on x86_64 (boo#980384)
* Wed May 04 2016 wrAATTrosenauer.org- update to Firefox 46.0.1 Fixed:
* Search plugin issue for various locales
* Add-on signing certificate expiration
* Service worker update issue
* Build issue when jit is disabled
* Limit Sync registration updates- removed now obsolete mozilla-jit_branch64.patch
* Tue May 03 2016 normandAATTlinux.vnet.ibm.com- add mozilla-jit_branch64.patch to avoid PowerPC build failure (from bmo#1266366)
* Wed Apr 27 2016 badshah400AATTgmail.com- Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest version from Fedora).
* Wed Apr 27 2016 wrAATTrosenauer.org- update to Firefox 46.0 (boo#977333)
* Improved security of the JavaScript Just In Time (JIT) Compiler
* WebRTC fixes to improve performance and stability
* Added support for document.elementsFromPoint
* Added HKDF support for Web Crypto API
* requires NSPR 4.12 and NSS 3.22.3
* added patch to fix unchecked return value mozilla-check_return.patch
* Gtk3 builds not supported at the moment security fixes:
* MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807 (boo#977373, boo#977375, boo#977376) Miscellaneous memory safety hazards
* MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377) Privilege escalation through file deletion by Maintenance Service updater (Windows only)
* MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378) Content provider permission bypass allows malicious application to access data (Android only)
* MFSA 2016-42/CVE-2016-2811/CVE-2016-2812 (bmo#1252330, bmo#1261776, boo#977379) Use-after-free and buffer overflow in Service Workers
* MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380) Disclosure of user actions through JavaScript with motion and orientation sensors (only affects mobile variants)
* MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381) Buffer overflow in libstagefright with CENC offsets
* MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382) CSP not applied to pages sent with multipart/x-mixed-replace
* MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384) Elevation of privilege with chrome.tabs.update API in web extensions
* MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386) Write to invalid HashMap entry through JavaScript.watch()
* MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388) Firefox Health Reports could accept events from untrusted domains
* Thu Apr 21 2016 badshah400AATTgmail.com- Update mozilla-gtk3_20.patch to fix scrollbar appearance under gtk >= 3.20 (patch synced to Fedora\'s version).
* Tue Apr 12 2016 badshah400AATTgmail.com- Compile against gtk3 depending on whether the macro %firefox_use_gtk3 is defined or not (e.g., at the prjconf level); macro is undefined by default and so gtk2 is used as the default toolkit.- Add BuildRequires for additional packages needed when building against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0), pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).- Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20; patch taken from Fedora (bmo#1230955).
* Mon Apr 11 2016 astiegerAATTsuse.com- Mozilla Firefox 45.0.2:
* Fix an issue impacting the cookie header when third-party cookies are blocked (bmo#1257861)
* Fix a web compatibility regression impacting the srcset attribute of the image tag (bmo#1259482)
* Fix a crash impacting the video playback with Media Source Extension (bmo#1258562)
* Fix a regression impacting some specific uploads (bmo#1255735)
* Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (bmo#1254980)
* Fri Mar 18 2016 astiegerAATTsuse.com- Mozilla Firefox 45.0.1:
* Fix a regression causing search engine settings to be lost in some context (bmo#1254694)
* Bring back non-standard jar: URIs to fix a regression in IBM iNotes (bmo#1255139)
* XSLTProcessor.importStylesheet was failing when was used (bmo#1249572)
* Fix an issue which could cause the list of search provider to be empty (bmo#1255605)
* Fix a regression when using the location bar (bmo#1254503)
* Fix some loading issues when Accept third-party cookies: was set to Never (bmo#1254856)
* Disabled Graphite font shaping library
* Sun Mar 06 2016 wrAATTrosenauer.org- update to Firefox 45.0 (boo#969894)
* requires NSPR 4.12 / NSS 3.21.1
* Instant browser tab sharing through Hello
* Synced Tabs button in button bar
* Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching
* Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level
* Tab Groups (Panorama) feature removed
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 Miscellaneous memory safety hazards
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file overwriting and potential privilege escalation through CSP reports
* MFSA 2016-18/CVE-2016-1955 (bmo#1208946) CSP reports fail to strip location information for embedded iframe pages
* MFSA 2016-19/CVE-2016-1956 (bmo#1199923) Linux video memory DOS with Intel drivers
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in libstagefright when deleting an array during MP4 processing
* MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page address can be overridden
* MFSA 2016-22/CVE-2016-1959 (bmo#1234949) Service Worker Manager out-of-bounds read in Service Worker Manager
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962 (bmo#1240760) Use-after-free when using multiple WebRTC data channels
* MFSA 2016-26/CVE-2016-1963 (bmo#1238440) Memory corruption when modifying a file being read by FileReader
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335) Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965 (bmo#1245264) Addressbar spoofing though history navigation and Location protocol property
* MFSA 2016-29/CVE-2016-1967 (bmo#1246956) Same-origin policy violation using perfomance.getEntries and history navigation with session restore
* MFSA 2016-30/CVE-2016-1968 (bmo#1246742) Buffer overflow in Brotli decompression
* MFSA 2016-31/CVE-2016-1966 (bmo#1246054) Memory corruption with malicious NPAPI plugin
* MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/ CVE-2016-1976/CVE-2016-1972 WebRTC and LibVPX vulnerabilities found through code inspection
* MFSA 2016-33/CVE-2016-1973 (bmo#1219339) Use-after-free in GetStaticInstance in WebRTC
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103) Out-of-bounds read in HTML parser following a failed allocation
* MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow during ASN.1 decoding in NSS (fixed by requiring 3.21.1)
* MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free during processing of DER encoded keys in NSS (fixed by requiring 3.21.1)
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/ CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/ CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/ CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font vulnerabilities in the Graphite 2 library
* Sat Mar 05 2016 olafAATTaepfle.de- Remove B_CNT from symbols.zip filename to reduce build-compare noise
* Fri Feb 26 2016 astiegerAATTsuse.com- fix build problems on i586, caused by too large unified compile units - adding mozilla-reduce-files-per-UnifiedBindings.patch
* Thu Feb 11 2016 wrAATTrosenauer.org- update to Firefox 44.0.2
* MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438) Same-origin-policy violation using Service Workers with plugins
* Fix issue which could lead to the removal of stored passwords under certain circumstances (bmo#1242176)
* Allows spaces in cookie names (bmo#1244505)
* Disable opus/vorbis audio with H.264 (bmo#1245696)
* Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
* Fix a crash in cache networking (bmo#1244076)
* Fix using WebSockets in service worker controlled pages (bmo#1243942)
* Sat Jan 30 2016 dmuellerAATTsuse.com- build fixes for arm/aarch64:
* disable webrtc for arm/aarch64
* switch away from openGL-ES backend to default for arm/aarch64 since it almost never builds
* reenable neon- reenable webrtc for powerpc as it seems to build
* Sun Jan 24 2016 wrAATTrosenauer.org- update to Firefox 44.0
* MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633 Miscellaneous memory safety hazards
* MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634 Out of Memory crash when parsing GIF format images
* MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635 Buffer overflow in WebGL after out of memory allocation
* MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637 Firefox allows for control characters to be set in cookie names
* MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641 Missing delay following user click events in protocol handler dialog
* MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731 Errors in mp_div and mp_exptmod cryptographic functions in NSS (fixed by requiring NSS 3.21)
* MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590) Addressbar spoofing attacks boo#963643
* MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946 (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644 Unsafe memory manipulation found through code inspection
* MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645 Application Reputation service disabled in Firefox 43
* requires NSPR 4.11
* requires NSS 3.21- prepare mozilla-kde.patch for Gtk3 builds- rebased patches
* Mon Jan 11 2016 astiegerAATTsuse.com- Mozilla Firefox 43.0.4:
* Re-enable SHA-1 certificates to prevent outdated man-in-the-middle security devices from interfering with properly secured SSL/TLS connections (bmo#1236975)
* Fix for startup crash for users of a third party antivirus tool (bmo#1235537)- The following change was previously in the package as a patch:
* Multi-user GNU/Linux download folders can be created (bmo#1233434), removed mozilla-bmo1233434.patch
* Tue Dec 29 2015 wrAATTrosenauer.org- update to Firefox 43.0.3
* requires NSS 3.20.2 to fix MFSA 2015-150/CVE-2015-7575 (bmo#1158489) MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
* various changes to support Windows update (SHA-1 vs. SHA-2)
* workaround Youtube user agent detection issue (bmo#1233970)- fix file download regression for multi user systems (bmo#1233434) (mozilla-bmo1233434.patch)- explicitely requires libXcomposite-devel
* Sun Dec 13 2015 wrAATTrosenauer.org- update to Firefox 43.0 (bnc#959277)
* Improved API support for m4v video playback
* Users can opt-in to receive search suggestions from the Awesome Bar
* WebRTC streaming on multiple monitors
* User selectable second block list for Private Browsing\'s Tracking Protection security fixes:
* MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 Miscellaneous memory safety hazards
* MFSA 2015-135/CVE-2015-7204 (bmo#1216130) Crash with JavaScript variable assignment with unboxed objects
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin policy violation using perfomance.getEntries and history navigation
* MFSA 2015-137/CVE-2015-7208 (bmo#1191423) Firefox allows for control characters to be set in cookies
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326) Use-after-free in WebRTC when datachannel is used after being destroyed
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809) Integer overflow allocating extremely large textures
* MFSA 2015-140/CVE-2015-7215 (bmo#1160890) Cross-origin information leak through web workers error events
* MFSA 2015-141/CVE-2015-7211 (bmo#1221444) Hash in data URI is incorrectly parsed
* MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) DOS due to malformed frames in HTTP/2
* MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) Linux file chooser crashes on malformed images due to flaws in Jasper library
* MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221 (bmo#1201183, bmo#1178033, bmo#1199400) Buffer overflows found through code inspection
* MFSA 2015-145/CVE-2015-7205 (bmo#1220493) Underflow through code inspection
* MFSA 2015-146/CVE-2015-7213 (bmo#1206211) Integer overflow in MP4 playback in 64-bit versions
* MFSA 2015-147/CVE-2015-7222 (bmo#1216748) Integer underflow and buffer overflow processing MP4 metadata in libstagefright
* MFSA 2015-148/CVE-2015-7223 (bmo#1226423) Privilege escalation vulnerabilities in WebExtension APIs
* MFSA 2015-149/CVE-2015-7214 (bmo#1228950) Cross-site reading attack through data and view-source URIs- rebased patches
* Sun Nov 15 2015 wrAATTrosenauer.org- Add desktop menu action for private browsing window to desktop file (boo#954747)- remove obsolete patch mozilla-bmo1005535.patch completely from source package to avoid automatic check failures
* Sat Oct 31 2015 wrAATTrosenauer.org- update to Firefox 42.0 (bnc#952810)
* Private Browsing with Tracking Protection blocks certain Web elements that could be used to record your behavior across sites
* Control Center that contains site security and privacy controls
* Login Manager improvements
* WebRTC improvements
* Indicator added to tabs that play audio with one-click muting
* Media Source Extension for HTML5 video available for all sites security fixes:
* MFSA 2015-116/CVE-2015-4513/CVE-2015-4514 Miscellaneous memory safety hazards
* MFSA 2015-117/CVE-2015-4515 (bmo#1046421) Information disclosure through NTLM authentication
* MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692) CSP bypass due to permissive Reader mode whitelist
* MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only) Firefox for Android addressbar can be removed after fullscreen mode
* MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only) Reading sensitive profile files through local HTML file on Android
* MFSA 2015-121/CVE-2015-7187 (bmo#1195735) disabling scripts in Add-on SDK panels has no effect
* MFSA 2015-122/CVE-2015-7188 (bmo#1199430) Trailing whitespace in IP address hostnames can bypass same-origin policy
* MFSA 2015-123/CVE-2015-7189 (bmo#1205900) Buffer overflow during image interactions in canvas
* MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only) Android intents can be used on Firefox for Android to open privileged files
* MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only) XSS attack through intents on Firefox for Android
* MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only) Crash when accessing HTML tables with accessibility tools on OS X
* MFSA 2015-127/CVE-2015-7193 (bmo#1210302) CORS preflight is bypassed when non-standard Content-Type headers are received
* MFSA 2015-128/CVE-2015-7194 (bmo#1211262) Memory corruption in libjar through zip files
* MFSA 2015-129/CVE-2015-7195 (bmo#1211871) Certain escaped characters in host of Location-header are being treated as non-escaped
* MFSA 2015-130/CVE-2015-7196 (bmo#1140616) JavaScript garbage collection crash with Java applet
* MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 (bmo#1188010, bmo#1204061, bmo#1204155) Vulnerabilities found through code inspection
* MFSA 2015-132/CVE-2015-7197 (bmo#1204269) Mixed content WebSocket policy bypass through workers
* MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 (bmo#1202868, bmo#1205157) NSS and NSPR memory corruption issues (fixed in mozilla-nspr and mozilla-nss packages)- requires NSPR >= 4.10.10 and NSS >= 3.19.4- removed obsolete patches
* mozilla-arm-disable-edsp.patch
* mozilla-icu-strncat.patch
* mozilla-skia-be-le.patch
* toolkit-download-folder.patch- fixed build with enable-libproxy (bmo#1220399)
* mozilla-libproxy.patch
* Thu Oct 15 2015 wrAATTrosenauer.org- update to Firefox 41.0.2 (bnc#950686)
* MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669) Cross-origin restriction bypass using Fetch- added explicit appdata provides (bnc#949983)
* Sun Oct 04 2015 wrAATTrosenauer.org- do not build with --enable-stdcxx-compat (this starts to fail build on various toolchain combinations and is not required for openSUSE builds in general
* Thu Oct 01 2015 wrAATTrosenauer.org- update to Firefox 41.0.1
* Fix a startup crash related to Yandex toolbar and Adblock Plus (bmo#1209124)
* Fix potential hangs with Flash plugins (bmo#1185639)
* Fix a regression in the bookmark creation (bmo#1206376)
* Fix a startup crash with some Intel Media Accelerator 3150 graphic cards (bmo#1207665)
* Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
* Sat Sep 19 2015 wrAATTrosenauer.org- update to Firefox 41.0 (bnc#947003)
* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards
* MFSA 2015-97/CVE-2015-4503 (bmo#994337) Memory leak in mozTCPSocket to servers
* MFSA 2015-98/CVE-2015-4504 (bmo#1132467) Out of bounds read in QCMS library with ICC V4 profile attributes
* MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only) Site attribute spoofing on Android by pasting URL with unknown scheme
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) Arbitrary file manipulation by local user through Mozilla updater
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226) Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-102/CVE-2015-4507 (bmo#1192401) Crash when using debugger with SavedStacks in JavaScript
* MFSA 2015-103/CVE-2015-4508 (bmo#1195976) URL spoofing in reader mode
* MFSA 2015-104/CVE-2015-4510 (bmo#1200004) Use-after-free with shared workers and IndexedDB
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148) Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435) Use-after-free while manipulating HTML media content
* MFSA 2015-107/CVE-2015-4512 (bmo#1170390) Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
* MFSA 2015-108/CVE-2015-4502 (bmo#1105045) Scripted proxies can access inner window
* MFSA 2015-109/CVE-2015-4516 (bmo#904886) JavaScript immutable property enforcement can be bypassed
* MFSA 2015-110/CVE-2015-4519 (bmo#1189814) Dragging and dropping images exposes final URL after redirects
* MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869) Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/ CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/ CVE-2015-7180 Vulnerabilities found through code inspection
* MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860, bmo#1190526) (Windows only) Memory safety errors in libGLES in the ANGLE graphics library
* MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only) Information disclosure via the High Resolution Time API- rebased patches- removed obsolete patches
* mozilla-arm64-libjpeg-turbo.patch
* Thu Aug 27 2015 wrAATTrosenauer.org- update to Firefox 40.0.3 (bnc#943550)
* Disable the asynchronous plugin initialization (bmo#1198590)
* Fix a segmentation fault in the GStreamer support (bmo#1145230)
* Fix a regression with some Japanese fonts used in the field (bmo#1194055)
* On some sites, the selection in a select combox box using the mouse could be broken (bmo#1194733) security fixes
* MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278) Use-after-free when resizing canvas element during restyling
* MFSA 2015-95/CVE-2015-4498 (bmo#1042699) Add-on notification bypass through data URLs
* Fri Aug 07 2015 wrAATTrosenauer.org- update to Firefox 40.0 (bnc#940806)
* Added protection against unwanted software downloads
* Suggested Tiles show sites of interest, based on categories from your recent browsing history
* Hello allows adding a link to conversations to provide context on what the conversation will be about
* New style for add-on manager based on the in-content preferences style
* Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only)
* Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked security fixes:
* MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream playback
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright
* MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows)
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file (does not affect openSUSE RPM packages which do not ship the updater)
* MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol with POST bypasses mixed content protections
* MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript
* MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images
* MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video
* MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection
* MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
* MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers- added mozilla-no-stdcxx-check.patch- removed obsolete patches
* mozilla-add-glibcxx_use_cxx11_abi.patch
* firefox-multilocale-chrome.patch- rebased patches- requires version 40 of the branding package- removed browser/searchplugins/ location as it\'s not valid anymore
* Fri Aug 07 2015 wrAATTrosenauer.org- security update to Firefox 39.0.3 (bnc#940918)
* MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) Same origin violation and local file stealing via PDF reader
* Wed Jul 01 2015 wrAATTrosenauer.org- update to Firefox 39.0 (bnc#935979)
* Share Hello URLs with social networks
* Support for \'switch\' role in ARIA 1.1 (web accessibility)
* SafeBrowsing malware detection lookups enabled for downloads (Mac OS X and Linux)
* Support for new Unicode 8.0 skin tone emoji
* Removed support for insecure SSLv3 for network communications
* Disable use of RC4 except for temporarily whitelisted hosts
* NPAPI Plug-in performance improved via asynchronous initialization security fixes:
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726 Miscellaneous memory safety hazards
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422) Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210) Type confusion in Indexed Database Manager
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218) Out-of-bound read while computing an oscillator rendering range in Web Audio
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891) Use-after-free in Content Policy due to microtask execution error
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025) ECDSA signature validation fails to handle some signatures correctly (this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867) Use-after-free in workers while using XMLHttpRequest
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737 CVE-2015-2738/CVE-2015-2739/CVE-2015-2740 Vulnerabilities found through code inspection
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497) Key pinning is ignored when overridable errors are encountered
* MFSA 2015-68/CVE-2015-2742 (bmo#1138669) OS X crash reports may contain entered key press information (not relevant under Linux)
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109) Privilege escalation in PDF.js
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554) NSS accepts export-length DHE keys with regular DHE cipher suites (this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-71/CVE-2015-2721 (bmo#1086145) NSS incorrectly permits skipping of ServerKeyExchange (this fix is shipped by NSS 3.19.1 externally)- dropped mozilla-prefer_plugin_pref.patch as this feature is likely not worth maintaining further- rebased patches- require NSS 3.19.2
* Thu Jun 18 2015 schwabAATTsuse.de- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
* Sun Jun 07 2015 wrAATTrosenauer.org- update to Firefox 38.0.6
* fixes bmo#1171730 which is not really relevant to oS builds- fix KDE regression from 38.0.5 builds (bsc#933439)
* Sat May 23 2015 wrAATTrosenauer.org- update to Firefox 38.0.5
* Keep track of articles and videos with Pocket
* Clean formatting for articles and blog posts with Reader View
* Share the active tab or window in a Hello conversation- add changes file as source for SRPM (bsc#932142)
* Fri May 15 2015 normandAATTlinux.vnet.ibm.com- add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from https://bugzilla.mozilla.org/show_bug.cgi?id=1153109
* Fri May 15 2015 wrAATTrosenauer.org- update to Firefox 38.0.1 stability and regression fixes
* Systems with first generation NVidia Optimus graphics cards may crash on start-up
* Users who import cookies from Google Chrome can end up with broken websites
* Large animated images may fail to play and may stop other images from loading
* Sun May 10 2015 wrAATTrosenauer.org- update to Firefox 38.0 (bnc#930622)
* New tab-based preferences
* Ruby annotation support
* more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/ security fixes:
* MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous memory safety hazards
* MFSA 2015-47/VE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer
* MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS
* MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy ignored when links opened by middle-click and context menu
* MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds read and write in asm.js validation
* MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled
* MFSA 2015-53/CVE-2015-2715 (bmo#988698) Use-after-free due to Media Decoder Thread creation during shutdown
* MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing compressed XML
* MFSA 2015-55/CVE-2015-2717 (bmo#1154683) Buffer overflow and out-of-bounds read while parsing MP4 video metadata
* MFSA 2015-56/CVE-2015-2718 (bmo#1146724) Untrusted site hosting trusted page can intercept webchannel responses
* MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege escalation through IPC channel messages- requires NSS 3.18.1- removed obsolete patches:
* mozilla-skia-bmo1136958.patch- remove gnomevfs build options as it is removed from sources- rebased patches
* Fri Apr 17 2015 wrAATTrosenauer.org- update to Firefox 37.0.2 (bnc#928116)
* MFSA 2015-45/CVE-2015-2706 (bmo#1141081) Memory corruption during failed plugin initialization
* Fri Apr 03 2015 wrAATTrosenauer.org- update to Firefox 37.0.1 (bnc#926166)
* MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only) Loading privileged content through Reader mode
* MFSA 2015-44/CVE-2015-0799 (bmo#1148328) Certificate verification bypass through the HTTP/2 Alt-Svc header
* Sat Mar 28 2015 wrAATTrosenauer.org- update to Firefox 37.0 (bnc#925368)
* Heartbeat user rating system
* Yandex set as default search provider for the Turkish locale
* Bing search now uses HTTPS for secure searching
* Improved protection against site impersonation via OneCRL centralized certificate revocation
* Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc
* some more behaviour changes for TLS security fixes:
* MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 Miscellaneous memory safety hazards
* MFSA 2015-31/CVE-2015-0813 (bmo#1106596)) Use-after-free when using the Fluendo MP3 GStreamer plugin
* MFSA 2015-32/CVE-2015-0812 (bmo#1128126) Add-on lightweight theme installation approval bypassed through MITM attack
* MFSA 2015-33/CVE-2015-0816 (bmo#1144991) resource:// documents can load privileged pages
* MFSA-2015-34/CVE-2015-0811 (bmo#1132468) Out of bounds read in QCMS library
* MFSA-2015-35/CVE-2015-0810 (bmo#1125013) Cursor clickjacking with flash and images (OS X only)
* MFSA-2015-36/CVE-2015-0808 (bmo#1109552) Incorrect memory management for simple-type arrays in WebRTC
* MFSA-2015-37/CVE-2015-0807 (bmo#1111834) CORS requests should not follow 30x redirections after preflight
* MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437) Memory corruption crashes in Off Main Thread Compositing
* MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560) Use-after-free due to type confusion flaws
* MFSA-2015-40/CVE-2015-0801 (bmo#1146339) Same-origin bypass through anchor navigation
* MFSA-2015-41/CVE-2015-0800/CVE-2012-2808 PRNG weakness allows for DNS poisoning on Android (only)
* MFSA-2015-42/CVE-2015-0802 (bmo#1124898) Windows can retain access to privileged content on navigation to unprivileged pages- removed obsolete patches
* mozilla-bmo1088588.patch
* mozilla-bmo1108834.patch- requires NSPR 4.10.8
* Tue Mar 24 2015 dvaleevAATTsuse.com- Fix builds with skia on Power mozilla-skia-be-le.patch (patch from #bmo1136958) mozilla-bmo1108834.patch mozilla-bmo1005535.patch
* Sat Mar 21 2015 wrAATTrosenauer.org- update to Firefox 36.0.4 (bnc#923534)
* MFSA 2015-28/CVE-2015-0818 (bmo#1144988) Privilege escalation through SVG navigation
* MFSA 2015-29/CVE-2015-0817 (bmo#1145255) Code execution through incorrect JavaScript bounds checking elimination
* Fri Mar 20 2015 dimstarAATTopensuse.org- Copy the icons to /usr/share/icons instead of symlinking them: in preparation for containerized apps (e.g. xdg-app) as well as AppStream metadata extraction, there are a couple locations that need to be real files for system integration (.desktop files, icons, mime-type info).
* Sat Mar 07 2015 wrAATTrosenauer.org- update to Firefox 36.0.1 Bugfixes:
* Disable the usage of the ANY DNS query type (bmo#1093983)
* Hello may become inactive until restart (bmo#1137469)
* Print preferences may not be preserved (bmo#1136855)
* Hello contact tabs may not be visible (bmo#1137141)
* Accept hostnames that include an underscore character (\"_\") (bmo#1136616)
* WebGL may use significant memory with Canvas2d (bmo#1137251)
* Option -remote has been restored (bmo#1080319)- added mozilla-skia-bmo1136958.patch to fix build issues for ARM and PPC
* Fri Feb 20 2015 wrAATTrosenauer.org- update to Firefox 36.0 (bnc#917597)
* mozilla-xremote-client was removed
* added libclearkey.so media plugin
* Pinned tiles on the new tab page can be synced
* Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web.
* Locale added: Uzbek (uz) security fixes:
* MFSA 2015-11/CVE-2015-0835/CVE-2015-0836 Miscellaneous memory safety hazards
* MFSA 2015-12/CVE-2015-0833 (bmo#945192) Invoking Mozilla updater will load locally stored DLL files (Windows only)
* MFSA 2015-13/CVE-2015-0832 (bmo#1065909) Appended period to hostnames can bypass HPKP and HSTS protections
* MFSA 2015-14/CVE-2015-0830 (bmo#1110488) Malicious WebGL content crash when writing strings
* MFSA 2015-15/CVE-2015-0834 (bmo#1098314) TLS TURN and STUN connections silently fail to simple TCP connections
* MFSA 2015-16/CVE-2015-0831 (bmo#1130514) Use-after-free in IndexedDB
* MFSA 2015-17/CVE-2015-0829 (bmo#1128939) Buffer overflow in libstagefright during MP4 video playback
* MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675) Double-free when using non-default memory allocators with a zero-length XHR
* MFSA 2015-19/CVE-2015-0827 (bmo#1117304) Out-of-bounds read and write while rendering SVG content
* MFSA 2015-20/CVE-2015-0826 (bmo#1092363) Buffer overflow during CSS restyling
* MFSA 2015-21/CVE-2015-0825 (bmo#1092370) Buffer underflow during MP3 playback
* MFSA 2015-22/CVE-2015-0824 (bmo#1095925) Crash using DrawTarget in Cairo graphics library
* MFSA 2015-23/CVE-2015-0823 (bmo#1098497) Use-after-free in Developer Console date with OpenType Sanitiser
* MFSA 2015-24/CVE-2015-0822 (bmo#1110557) Reading of local files through manipulation of form autocomplete
* MFSA 2015-25/CVE-2015-0821 (bmo#1111960) Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-26/CVE-2015-0819 (bmo#1079554) UI Tour whitelisted sites in background tab can spoof foreground tabs
* MFSA 2015-27CVE-2015-0820 (bmo#1125398) Caja Compiler JavaScript sandbox bypass- rebased patches- requires NSS 3.17.4
* Sat Jan 31 2015 wrAATTrosenauer.org- update to Firefox 35.0.1
* With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
* Kerberos authentication did not work with alias (bmo#1108971)
* SVG / CSS animation had a regression causing rendering issues on websites like openstreemap.org (bmo#1083079)
* On Godaddy webmail, Firefox could crash (bmo#1113121)
* document.baseURI did not get updated to document.location after base tag was removed from DOM for site with a CSP (bmo#1121857)
* With a Right-to-left (RTL) version of Firefox, the text selection could be broken (bmo#1104036)
* CSP had a change in behavior with regard to case sensitivity resources loading (bmo#1122445)
* Sat Jan 10 2015 wrAATTrosenauer.org- update to Firefox 35.0 (bnc#910669) notable features:
* Firefox Hello with new rooms-based conversations model
* Implemented HTTP Public Key Pinning Extension (for enhanced authentication of encrypted connections) security fixes:
* MFSA 2015-01/CVE-2014-8634/CVE-2014-8635 Miscellaneous memory safety hazards
* MFSA 2015-02/CVE-2014-8637 (bmo#1094536) Uninitialized memory use during bitmap rendering
* MFSA 2015-03/CVE-2014-8638 (bmo#1080987) sendBeacon requests lack an Origin header
* MFSA 2015-04/CVE-2014-8639 (bmo#1095859) Cookie injection through Proxy Authenticate responses
* MFSA 2015-05/CVE-2014-8640 (bmo#1100409) Read of uninitialized memory in Web Audio
* MFSA 2015-06/CVE-2014-8641 (bmo#1108455) Read-after-free in WebRTC
* MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only) Gecko Media Plugin sandbox escape
* MFSA 2015-08/CVE-2014-8642 (bmo#1079658) Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension
* MFSA 2015-09/CVE-2014-8636 (bmo#987794) XrayWrapper bypass through DOM objects- rebased patches- dropped explicit support for everything older than 12.3 (including SLES11)
* merge firefox-kde.patch and firefox-kde-114.patch
* dropped mozilla-sle11.patch- reworked specfile to build conditionally based on release channel either Firefox or Firefox Developer Edition- added mozilla-openaes-decl.patch to fix implicit declarations- obsolete tracker-miner-firefox < 0.15 because it leads to startup crashes (bnc#908892)
* Sat Dec 13 2014 Led - fix bashism in mozilla.sh script
* Sat Nov 29 2014 wrAATTrosenauer.org- update to Firefox 34.0.5 (bnc#908009)
* Default search engine changed to Yahoo! for North America
* Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales
* Improved search bar (en-US only)
* Firefox Hello real-time communication client
* Easily switch themes/personas directly in the Customizing mode
* Implementation of HTTP/2 (draft14) and ALPN
* Disabled SSLv3
* MFSA 2014-83/CVE-2014-1587/CVE-2014-1588 Miscellaneous memory safety hazards
* MFSA 2014-84/CVE-2014-1589 (bmo#1043787) XBL bindings accessible via improper CSS declarations
* MFSA 2014-85/CVE-2014-1590 (bmo#1087633) XMLHttpRequest crashes with some input streams
* MFSA 2014-86/CVE-2014-1591 (bmo#1069762) CSP leaks redirect data via violation reports
* MFSA 2014-87/CVE-2014-1592 (bmo#1088635) Use-after-free during HTML5 parsing
* MFSA 2014-88/CVE-2014-1593 (bmo#1085175) Buffer overflow while parsing media content
* MFSA 2014-89/CVE-2014-1594 (bmo#1074280) Bad casting from the BasicThebesLayer to BasicContainerLayer- rebased patches- limit linker memory usage for %ix86- rebased patches
* Fri Nov 07 2014 wrAATTrosenauer.org- update to Firefox 33.1
* Adding DuckDuckGo as a search option (upstream)
* Forget Button added
* Enhanced Tiles
* Privacy tour introduced- fix typo in GStreamer Recommends
* Tue Nov 04 2014 guillaumeAATTopensuse.org- Disable elf-hack for aarch64- Enable EGL for aarch64- Limit RAM usage during link for %arm- Fix _constraints for ARM
* Mon Nov 03 2014 dmuellerAATTsuse.com- use proper macros for ARM
* Mon Nov 03 2014 josua.mayer97AATTgmail.com- use \'--disable-optimize\' not only on 32-bit x86, but on 32-bit arm too to fix compiling.- pass \'-Wl,--no-keep-memory\' to linker to reduce required memory during linking on arm.
* Thu Oct 30 2014 wrAATTrosenauer.org- update to Firefox 33.0.2
* Fix a startup crash with some combination of hardware and drivers 33.0.1
* Firefox displays a black screen at start-up with certain graphics drivers- adjusted _constraints for ARM
* Tue Oct 28 2014 josua.mayer97AATTgmail.com- added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
* Sat Oct 25 2014 wrAATTrosenauer.org- define /usr/share/myspell as additional dictionary location and remove add-plugins.sh finally (bnc#900639)
* Sun Oct 19 2014 vindex17AATToutlook.it- use Firefox default optimization flags instead of -Os- specfile cleanup
* Wed Oct 15 2014 wrAATTrosenauer.org- fix build for all ppc by not enabling elf-hack (bnc#901213)
  
ICM