Changelog for firefox-esr-translations-common-115.16.1-lp156.207.2.x86_64.rpm :

* Wed Oct 09 2024 Manfred Hollstein - Mozilla Firefox ESR 115.16.1 https://www.mozilla.org/security/advisories/mfsa2024-51 MFSA 2024-51 (boo#???????)
* CVE-2024-9680 (bmo#1923344) Use-after-free in Animation timeline
* Mon Sep 30 2024 Manfred Hollstein - Firefox Extended Support Release 115.16.0 ESR
* Fixed: Fixed Windows 7 incompatibility with the latest Widevine library to retain Encrypted Media Extensions (EME) support, ensuring support for content from video streaming providers. (bmo#1918478)
* Fixed: Various security fixes.- Mozilla Firefox ESR 115.16 https://www.mozilla.org/security/advisories/mfsa2024-48 MFSA 2024-48 (boo#???????)
* CVE-2024-9392 (bmo#1899154, bmo#1905843) Compromised content process can bypass site isolation
* CVE-2024-9393 (bmo#1918301) Cross-origin access to PDF contents through multipart responses
* CVE-2024-9394 (bmo#1918874) Cross-origin access to JSON contents through multipart responses
* CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1916476) Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
* Tue Sep 03 2024 Manfred Hollstein - Firefox Extended Support Release 115.15.0 ESR
* Fixed: Various security fixes and other quality improvements.- Mozilla Firefox ESR 115.15.0 https://www.mozilla.org/security/advisories/mfsa2024-41 MFSA 2024-41 (boo#???????)
* CVE-2024-8381 (bmo#1912715) Type confusion when looking up a property name in a "with" block
* CVE-2024-8382 (bmo#1906744) Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
* CVE-2024-8383 (bmo#1908496) Firefox did not ask before openings news: links in an external application
* CVE-2024-8384 (bmo#1911288) Garbage collection could mis-color cross-compartment objects in OOM conditions- Stick with gcc13 on Tumbleweed; sources don\'t compile using gcc14!
* Tue Aug 06 2024 Manfred Hollstein - Firefox Extended Support Release 115.14.0 ESR
* Fixed: Various security fixes and other quality improvements.- Mozilla Firefox ESR 115.14.0 https://www.mozilla.org/security/advisories/mfsa2024-34 MFSA 2024-34 (boo#???????)
* CVE-2024-7519 (bmo#1902307) Out of bounds memory access in graphics shared memory handling
* CVE-2024-7521 (bmo#1904644) Incomplete WebAssembly exception handing
* CVE-2024-7522 (bmo#1906727) Out of bounds read in editor component
* CVE-2024-7524 (bmo#1909241) CSP strict-dynamic bypass using web-compatibility shims
* CVE-2024-7525 (bmo#1909298) Missing permission check when creating a StreamFilter
* CVE-2024-7526 (bmo#1910306) Uninitialized memory used by WebGL
* CVE-2024-7527 (bmo#1871303) Use-after-free in JavaScript garbage collection
* CVE-2024-7529 (bmo#1903187) Document content could partially obscure security prompts
* CVE-2024-7531 (bmo#1905691) PK11_Encrypt using CKM_CHACHA20 can reveal plaintext on Intel Sandy Bridge machines
* Tue Jul 09 2024 Manfred Hollstein - Firefox Extended Support Release 115.13.0 ESR
* Changed: The root certificate used to verify add-ons and signed content has been renewed to avoid upcoming expiration. (bmo#None)
* Fixed: Various security fixes and other quality improvements.- Mozilla Firefox ESR 115.13.0 https://www.mozilla.org/security/advisories/mfsa2024-30 MFSA 2024-30 (boo#1226316)
* CVE-2024-6600 (bmo#1888340) Memory corruption in WebGL API
* CVE-2024-6601 (bmo#1890748) Race condition in permission assignment
* CVE-2024-6602 (bmo#1895032) Memory corruption in NSS
* CVE-2024-6603 (bmo#1895081) Memory corruption in thread creation
* CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266) Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, and Thunderbird 115.13- Update create_tar.sh from our firefox-scripts git- Use gcc13 and gcc13-c++ on all Leap versions.- Use cargo/rust1.76 for building.
* Mon Jun 10 2024 Manfred Hollstein - Firefox Extended Support Release 115.12.0 ESR
* Fixed: Various security fixes and other quality improvements.- Mozilla Firefox ESR 115.12.0 https://www.mozilla.org/security/advisories/mfsa2024-26 MFSA 2024-26 (boo#1226027)
* CVE-2024-5702 (bmo#1193389) Use-after-free in networking
* CVE-2024-5688 (bmo#1895086) Use-after-free in JavaScript object transplant
* CVE-2024-5690 (bmo#1883693) External protocol handlers leaked by timing attack
* CVE-2024-5691 (bmo#1888695) Sandboxed iframes were able to bypass sandbox restrictions to open a new window
* CVE-2024-5692 (bmo#1891234) Bypass of file name restrictions during saving
* CVE-2024-5693 (bmo#1891319) Cross-Origin Image leak via Offscreen Canvas
* CVE-2024-5696 (bmo#1896555) Memory Corruption in Text Fragments
* CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388, bmo#1895123) Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12
* Tue May 07 2024 Manfred Hollstein - Mozilla Firefox ESR 115.11.0 https://www.mozilla.org/security/advisories/mfsa2024-22/ MFSA 2024-22 (boo#1224056)
* CVE-2024-4367 (bmo#1893645) Arbitrary JavaScript execution in PDF.js
* CVE-2024-4767 (bmo#1878577) IndexedDB files retained in private browsing mode
* CVE-2024-4768 (bmo#1886082) Potential permissions request bypass via clickjacking
* CVE-2024-4769 (bmo#1886108) Cross-origin responses could be distinguished between script and non-script content-types
* CVE-2024-4770 (bmo#1893270) Use-after-free could occur when printing to PDF
* CVE-2024-4777 (bmo#1878199, bmo#1893340) Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11
* Mon Apr 15 2024 Manfred Hollstein - Mozilla Firefox ESR 115.10.0 https://www.mozilla.org/security/advisories/mfsa2024-19/ MFSA 2024-19 (bsc#1222535)
* CVE-2024-3852 (bmo#1883542) GetBoundName in the JIT returned the wrong object
* CVE-2024-3854 (bmo#1884552) Out-of-bounds-read after mis-optimized switch statement
* CVE-2024-3857 (bmo#1886683) Incorrect JITting of arguments led to use-after-free during garbage collection
* CVE-2024-2609 (bmo#1866100) Permission prompt input delay could expire when not in focus
* CVE-2024-3859 (bmo#1874489) Integer-overflow led to out-of-bounds-read in the OpenType sanitizer
* CVE-2024-3861 (bmo#1883158) Potential use-after-free due to AlignedBuffer self-move
* CVE-2024-3863 (bmo#1885855) Download Protections were bypassed by .xrm-ms files on Windows
* CVE-2024-3302 (bmo#1881183, bmo#https://kb.cert.org/vuls/id/421644) Denial of Service using HTTP/2 CONTINUATION frames
* CVE-2024-3864 (bmo#1888333) Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10
* Fri Mar 22 2024 Manfred Hollstein - Mozilla Firefox ESR 115.9.1 https://www.mozilla.org/security/advisories/mfsa2024-16/ MFSA 2024-16 (boo#1221850)
* CVE-2024-29944 (bmo#1886852) Privileged JavaScript Execution via Event Handlers
* Wed Mar 20 2024 Manfred Hollstein - LLVM18 breaks building Firefox ESR on Tumbleweed; add
* mozilla-fix-issues-with-llvm18.patch
* Mon Mar 18 2024 Manfred Hollstein - Mozilla Firefox ESR 115.9.0 https://www.mozilla.org/security/advisories/mfsa2024-13/ MFSA 2024-13 (boo#1221327)
* CVE-2024-0743 (bmo#1867408) Crash in NSS TLS method
* CVE-2024-2605 (bmo#1872920) Windows Error Reporter could be used as a Sandbox escape vector
* CVE-2024-2607 (bmo#1879939) JIT code failed to save return registers on Armv7-A
* CVE-2024-2608 (bmo#1880692) Integer overflow could have led to out of bounds write
* CVE-2024-2616 (bmo#1846197) Improve handling of out-of-memory conditions in ICU
* CVE-2023-5388 (bmo#1780432) NSS susceptible to timing attack against RSA decryption
* CVE-2024-2610 (bmo#1871112) Improper handling of html and body tags enabled CSP nonce leakage
* CVE-2024-2611 (bmo#1876675) Clickjacking vulnerability could have led to a user accidentally granting permissions
* CVE-2024-2612 (bmo#1879444) Self referencing object could have potentially led to a use- after-free
* CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093) Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9
* Wed Feb 14 2024 Manfred Hollstein - Mozilla Firefox ESR 115.8.0 https://www.mozilla.org/security/advisories/mfsa2024-06/ MFSA 2024-06 (boo#1220048)
* CVE-2024-1546 (bmo#1843752) Out-of-bounds memory read in networking channels
* CVE-2024-1547 (bmo#1877879) Alert dialog could have been spoofed on another site
* CVE-2024-1548 (bmo#1832627) Fullscreen Notification could have been hidden by select element
* CVE-2024-1549 (bmo#1833814) Custom cursor could obscure the permission dialog
* CVE-2024-1550 (bmo#1860065) Mouse cursor re-positioned unexpectedly could have led to unintended permission grants
* CVE-2024-1551 (bmo#1864385) Multipart HTTP Responses would accept the Set-Cookie header in response parts
* CVE-2024-1552 (bmo#1874502) Incorrect code generation on 32-bit ARM devices
* CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498, bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597, bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795, bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286) Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8
* Tue Jan 23 2024 Manfred Hollstein - Mozilla Firefox ESR 115.7.0 https://www.mozilla.org/security/advisories/mfsa2024-02/ MFSA 2024-02 (bsc#1218955)
* CVE-2024-0741 (bmo#1864587) Out of bounds write in ANGLE
* CVE-2024-0742 (bmo#1867152) Failure to update user input timestamp
* CVE-2024-0746 (bmo#1660223) Crash when listing printers on Linux
* CVE-2024-0747 (bmo#1764343) Bypass of Content Security Policy when directive unsafe- inline was set
* CVE-2024-0749 (bmo#1813463) Phishing site popup could show local origin in address bar
* CVE-2024-0750 (bmo#1863083) Potential permissions request bypass via clickjacking
* CVE-2024-0751 (bmo#1865689) Privilege escalation through devtools
* CVE-2024-0753 (bmo#1870262) HSTS policy on subdomain could bypass policy of upper domain
* CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701) Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7
* Mon Dec 18 2023 Manfred Hollstein - Mozilla Firefox ESR 115.6.0 https://www.mozilla.org/security/advisories/mfsa2023-54/ MFSA 2023-54 (bsc#1217974)
* CVE-2023-6856 (bmo#1843782) Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver
* CVE-2023-6865 (bmo#1864123) Potential exposure of uninitialized data in EncryptingOutputStream
* CVE-2023-6857 (bmo#1796023) Symlinks may resolve to smaller than expected buffers
* CVE-2023-6858 (bmo#1826791) Heap buffer overflow in nsTextFragment
* CVE-2023-6859 (bmo#1840144) Use-after-free in PR_GetIdentitiesLayer
* CVE-2023-6860 (bmo#1854669) Potential sandbox escape due to VideoBridge lack of texture validation
* CVE-2023-6867 (bmo#1863863) Clickjacking permission prompts using the popup transition
* CVE-2023-6861 (bmo#1864118) Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode
* CVE-2023-6862 (bmo#1868042) Use-after-free in nsDNSService
* CVE-2023-6863 (bmo#1868901) Undefined behavior in ShutdownObserver()
* CVE-2023-6864 (bmo#1736385, bmo#1810805, bmo#1846328, bmo#1856090, bmo#1858033, bmo#1858509, bmo#1862089, bmo#1862777, bmo#1864015) Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6
* Tue Nov 21 2023 Manfred Hollstein - Mozilla Firefox ESR 115.5.0 MFSA 2023-50 (boo#1217230)
* CVE-2023-6204 (bmo#1841050) Out-of-bound memory access in WebGL2 blitFramebuffer
* CVE-2023-6205 (bmo#1854076) Use-after-free in MessagePort::Entangled
* CVE-2023-6206 (bmo#1857430) Clickjacking permission prompts using the fullscreen transition
* CVE-2023-6207 (bmo#1861344) Use-after-free in ReadableByteStreamQueueEntry::Buffer
* CVE-2023-6208 (bmo#1855345) Using Selection API would copy contents into X11 primary selection.
* CVE-2023-6209 (bmo#1858570) Incorrect parsing of relative URLs starting with \"///\"
* CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943, bmo#1862782) Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5
* Mon Oct 23 2023 Manfred Hollstein - Mozilla Firefox ESR 115.4.0 MFSA 2023-46 (bsc#1216338)
* CVE-2023-5721 (bmo#1830820) Queued up rendering could have allowed websites to clickjack
* CVE-2023-5732 (bmo#1690979) Address bar spoofing via bidirectional characters
* CVE-2023-5724 (bmo#1836705) Large WebGL draw could have led to a crash
* CVE-2023-5725 (bmo#1845739) WebExtensions could open arbitrary URLs
* CVE-2023-5726 (bmo#1846205) Full screen notification obscured by file open dialog on macOS
* CVE-2023-5727 (bmo#1847180) Download Protections were bypassed by .msix, .msixbundle, .appx, and .appxbundle files on Windows
* CVE-2023-5728 (bmo#1852729) Improper object tracking during GC in the JavaScript engine could have led to a crash.
* CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833, bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002, bmo#1855306, bmo#1855640, bmo#1856695) Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4- Remove mozilla-bmo1846703.patch as it has been fixed upstream
* Thu Sep 28 2023 Manfred Hollstein - Mozilla Firefox ESR 115.3.1 MFSA 2023-44 (bsc#1215814)
* CVE-2023-5217 (bmo#1855550) Heap buffer overflow in libvpx- Add mozilla-bmo1846703.patch
* Mon Sep 25 2023 Manfred Hollstein - Mozilla Firefox ESR 115.3.0 MFSA 2023-42 (boo#1215575)
* CVE-2023-5168 (bmo#1846683) Out-of-bounds write in FilterNodeD2D1
* CVE-2023-5169 (bmo#1846685) Out-of-bounds write in PathOps
* CVE-2023-5171 (bmo#1851599) Use-after-free in Ion Compiler
* CVE-2023-5174 (bmo#1848454) Double-free in process spawning on Windows
* CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195) Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3
* Tue Sep 12 2023 Andreas Stieger - Mozilla Firefox 115.2.1
* MFSA 2023-40 CVE-2023-4863 (boo#1215231) Heap buffer overflow in WebP
* Tue Aug 29 2023 Manfred Hollstein - Mozilla Firefox ESR 115.2.0 MFSA 2023-36 (boo#1214606)
* CVE-2023-4573 (bmo#1846687) Memory corruption in IPC CanvasTranslator
* CVE-2023-4574 (bmo#1846688) Memory corruption in IPC ColorPickerShownCallback
* CVE-2023-4575 (bmo#1846689) Memory corruption in IPC FilePickerShownCallback
* CVE-2023-4576 (bmo#1846694) Integer Overflow in RecordedSourceSurfaceCreation
* CVE-2023-4577 (bmo#1847397) Memory corruption in JIT UpdateRegExpStatics
* CVE-2023-4051 (bmo#1821884) Full screen notification obscured by file open dialog
* CVE-2023-4578 (bmo#1839007) Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception
* CVE-2023-4053 (bmo#1839079) Full screen notification obscured by external program
* CVE-2023-4580 (bmo#1843046) Push notifications saved to disk unencrypted
* CVE-2023-4581 (bmo#1843758) XLL file extensions were downloadable without warnings
* CVE-2023-4582 (bmo#1773874) Buffer Overflow in WebGL glGetProgramiv
* CVE-2023-4583 (bmo#1842030) Browsing Context potentially not cleared when closing Private Window
* CVE-2023-4584 (bmo#1843968, bmo#1845205, bmo#1846080, bmo#1846526, bmo#1847529) Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
* CVE-2023-4585 (bmo#1751583, bmo#1833504, bmo#1841082, bmo#1847904, bmo#1848999) Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2
* Tue Aug 15 2023 Manfred Hollstein - Rectify build requirements for the upcoming openSUSE Leap 15.6
* Fri Aug 11 2023 Manfred Hollstein - Revert the VERSION changes as they fixed the URL on the upstream server to that the release notes can be found again (bmo#1844726).
* Fri Aug 04 2023 Wolfgang Rosenauer - drop obsolete mozilla-bmo1775202.patch
* Mon Jul 31 2023 Manfred Hollstein - Mozilla Firefox ESR 115.1 MFSA 2023-31 (bsc#1213746)
* MFSA-RESERVE-2023-0001 (bmo#1833876) Offscreen Canvas could have bypassed cross-origin restrictions
* MFSA-RESERVE-2023-0002 (bmo#1837686) Incorrect value used during WASM compilation
* MFSA-RESERVE-2023-0003 (bmo#1839073) Potential permissions request bypass via clickjacking
* MFSA-RESERVE-2023-0004 (bmo#1841368) Crash in DOMParser due to out-of-memory conditions
* MFSA-RESERVE-2023-0005 (bmo#1842658) Fix potential race conditions when releasing platform objects
* MFSA-RESERVE-2023-0006 (bmo#1843038) Stack buffer overflow in StorageManager
* MFSA-RESERVE-2023-0008 (bmo#1824420) File deletion and privilege escalation through Firefox uninstaller
* MFSA-RESERVE-2023-0010 (bmo#1840777) Lack of warning when opening appref-ms files
* MFSA-RESERVE-2023-0011 (bmo#1782561) Cookie jar overflow caused unexpected cookie jar state
* MFSA-RESERVE-2023-0012 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325, bmo#1843847) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
* MFSA-RESERVE-2023-0013 (bmo#1841682) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1- Set CHANNEL to \"esr115\" in tar_stamps- Set update_channel to \"esr\" in the spec file- Ensure to use \"esr\" in the VERSION variable, otherwise the executable will not find its releasenotes; unfortunately this does not work for .0 releases which gets removed from the releasenotes URL :(
* Fri Jul 28 2023 Andreas Stieger - remove bashisms from firefox startup script (boo#1213657) Sat Jul 22 07:48:11 UTC 2023 - Andreas Stieger- Mozilla Firefox 115.0.3 ESR
* fixes for other platforms
* Wed Jul 19 2023 Manfred Hollstein - Mozilla Firefox 115.0.3 ESR
* Fixed: Fixed a startup crash for Windows users with Qihoo 360 Antivirus software installed (bmo#1843977)
* Tue Jul 11 2023 Manfred Hollstein - Mozilla Firefox 115.0.2 ESR MFSA 2023-26 (bsc#1213230)
* CVE-2023-3600 (bmo#1839703) Use-after-free in workers
* Fixed: Fixed a startup crash experienced by some Windows 10 and 11 users by blocking instances of a malicious injected DLL (bmo#1841751)
* Fixed: Fixed a bug with displaying a caret in the text editor on some websites (bmo#1840804)
* Fixed: Fixed a bug with broken audio rendering on some websites (bmo#1841982)
* Fixed: Fixed a bug with patternTransform translate using the wrong units (bmo#1840746)
* Fixed: A security fix.
* Fixed: Fixed a crash affecting Windows 7 users related to the DLL blocklist.
* Sat Jul 08 2023 Manfred Hollstein - Mozilla Firefox 115.0.1 ESR
* Fixed: Fixed a startup crash for Windows users with Kingsoft Antivirus software installed (bmo#1837242)- Update create-tar.sh: Use the pre-packaged Thunderbird locales from FTP, if available
* Sun Jul 02 2023 Manfred Hollstein - Mozilla Firefox 115.0 ESR MFSA 2023-22 (boo#1212438)
* CVE-2023-3482 (bmo#1839464) Block all cookies bypass for localstorage
* CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation
* CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-37203 (bmo#291640) Drag and Drop API may provide access to local system files
* CVE-2023-37204 (bmo#1832195) Fullscreen notification obscured via option element
* CVE-2023-37205 (bmo#1704420) URL spoofing in address bar using RTL characters
* CVE-2023-37206 (bmo#1813299) Insufficient validation of symlinks in the FileSystem API
* CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured
* CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files
* CVE-2023-37209 (bmo#1837993) Use-after-free in `NotifyOnHistoryReload`
* CVE-2023-37210 (bmo#1821886) Full-screen mode exit prevention
* CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13
* CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206, bmo#1827076, bmo#1828690, bmo#1833503, bmo#1835710, bmo#1838587) Memory safety bugs fixed in Firefox 115- Requires NSS 3.90- Add mozilla-rust-disable-future-incompat.patch
* Tue Jun 20 2023 Andreas Stieger - Mozilla Firefox 114.0.2:
* Several crash fixes
* Web Extensions: Fixes for 114 regressions in Native Messaging support
* Tue Jun 20 2023 Wolfgang Rosenauer - do not enable LTO as it caused crashes now (boo#1212101)
* Sat Jun 10 2023 Andreas Stieger - Mozilla Firefox 114.0.1
* Fix a startup crash (bmo#1837201, boo#1212101)
* Fri Jun 09 2023 Martin Sirringhaus - Only install vaapitest for wayland-enabled builds, where it gets built- Rebase mozilla-silence-no-return-type.patch- Rebase s390x-patches, and remove obsolete patches: mozilla-bmo1005535.patch mozilla-s390x-skia-gradient.patch
* Mon Jun 05 2023 Wolfgang Rosenauer - Mozilla Firefox 114.0 MFSA 2023-20 (bsc#1211922)
* CVE-2023-34414 (bmo#1695986) Click-jacking certificate exceptions through rendering lag
* CVE-2023-34415 (bmo#1811999) Site-isolation bypass on sites that allow open redirects to data: urls
* CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875, bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190, bmo#1830206, bmo#1830795, bmo#1833339) Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12
* CVE-2023-34417 (bmo#1746447, bmo#1820903, bmo#1832832) Memory safety bugs fixed in Firefox 114
* New: Added UI to manage the DNS over HTTPS exception list. (bmo#1596847)
* New: Bookmarks can now be searched from the Bookmarks menu. The Bookmarks menu is accessible by adding the
*Bookmarks menu
* button to the toolbar. (bmo#1736937)
* New: Restrict searches to your local browsing history by selecting
*Search history
* from the History, Library or Application menu buttons. (bmo#1736939)
* New: Mac users can now capture video from their cameras in all supported native resolutions. This enables resolutions higher than 1280x720. (bmo#1806604)
* New: It is now possible to reorder the extensions listed in the extensions panel. (bmo#1805924)
* New: Users on macOS, Linux, and Windows 7 can now use FIDO2 / WebAuthn authenticators over USB. Some advanced features, such as fully passwordless logins, require a PIN to be set on the authenticator. (bmo#1814487)
* New: Pocket Recommended content can now be seen in France, Italy, and Spain. (bmo#None)
* Changed: DNS over HTTPS settings are now part of the
* Privacy & Security
* section of the
*Settings
* page and allow the user to choose from all the supported modes. (bmo#1610741)
* HTML5: DOM: Added support for ES Modules on DedicatedWorker and SharedWorker
* HTML5: WebTransport is now enabled by default and will be going to release with 114. As the original Explainer notes, it enables multiple use-cases that are hard or impossible to handle without it, especially for Gaming and live streaming. It covers cases that are problematic for alternative mechanisms, such as WebSockets. Built on top of HTTP3 (HTTP2 support will be coming later). The current implementation in Firefox is passing 505 out of 565 Web-Platform Tests.
* HTML5: CSS: The `infinity` and `NaN` constants are now supported inside the `calc()` function. (bmo#1830759)
* Developer: The
*Copy as cURL
* feature, available in the Network panel, has been enhanced. It now supports the - `-compressed` argument. (bmo#1776120)
* Developer: The Accessibility Inspector has been improved to accurately recognize all the ARIA roles like `banner`, `main`, `navigation`, and `contentinfo`, etc. This enhancement is particularly beneficial for web developers working with ARIA roles to improve web accessibility. (bmo#1572512)
* Developer: Firefox now provides support for the CSS Cascading Level 4 `supports()` syntax for `AATTimport` rules. This allows for the importation of other stylesheets based on support- dependency. In addition, the Inspector panel now accurately displays the conditions at the top of the imported rule.- requires NSS 3.89.1
* Wed May 24 2023 Andreas Stieger - Mozilla Firefox 113.0.2 (boo#1211696)
* Fixed: Fixed a bug which could cause Firefox to freeze on some pages when loading them with the Developer Tools Web Console open (bmo#1828026)
* Fixed: Fixed a bug which would cause the bookmarks and history sidebars to not properly react to the browser window being vertically resized (bmo#1831535)
* Sat May 13 2023 Andreas Stieger - Mozilla Firefox 113.0.1
* UI fixes for other platforms- upstream signing key updated
* Tue May 09 2023 Wolfgang Rosenauer - Mozilla Firefox 113.0
* https://www.mozilla.org/en-US/firefox/113.0/releasenotes MFSA 2023-16 (bsc#1211175)
* CVE-2023-32205 (bmo#1753339, bmo#1753341) Browser prompts could have been obscured by popups
* CVE-2023-32206 (bmo#1824892) Crash in RLBox Expat driver
* CVE-2023-32207 (bmo#1826116) Potential permissions request bypass via clickjacking
* CVE-2023-32208 (bmo#1646034) Leak of script base URL in service workers via import()
* CVE-2023-32209 (bmo#1767194) Persistent DoS via favicon image
* CVE-2023-32210 (bmo#1776755) Incorrect principal object ordering
* CVE-2023-32211 (bmo#1823379) Content process crash due to invalid wasm code
* CVE-2023-32212 (bmo#1826622) Potential spoof due to obscured address bar
* CVE-2023-32213 (bmo#1826666) Potential memory corruption in FileReader::DoReadData()
* MFSA-TMP-2023-0002 (bmo#1814560, bmo#1814790, bmo#1819796) Race condition in dav1d decoding
* CVE-2023-32214 (bmo#1828716) Potential DoS via exposed protocol handlers
* CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856, bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144, bmo#1827359, bmo#1830186) Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
* CVE-2023-32216 (bmo#1746479, bmo#1806852, bmo#1815987, bmo#1820359, bmo#1823568, bmo#1824803, bmo#1824834, bmo#1825170, bmo#1827020, bmo#1828130) Memory safety bugs fixed in Firefox 113- removed obsolete mozilla-bmo1568145.patch
* Sun May 07 2023 Aaron Puchert - Fix i586 build by reducing debug info to -g1. (boo#1210168)
* Tue Apr 25 2023 Andreas Stieger - Mozilla Firefox 112.0.2
* Fix a high memory usage issue with animated images in minimized (or completely covered) windows, especially when using animated themes (bmo#1828587)
* Fix an issue where Linux users with bitmap fonts installed may have had entire sections of text invisible to them on some sites (bmo#1827950)
* Fri Apr 21 2023 Manfred Hollstein - Include Leap 15.5 in check for which python version is required.
* Thu Apr 20 2023 Andreas Stieger - Mozilla Firefox 112.0.1
* Fix a bug where cookie dates appear to be set in the far future after updating Firefox. This may have caused cookies to be unintentionally purged (bmo#1827669)
* Mon Apr 10 2023 Wolfgang Rosenauer - Mozilla Firefox 112.0
* https://www.mozilla.org/en-US/firefox/112.0/releasenotes/ MFSA 2023-13 (bsc#1210212)
* CVE-2023-29531 (bmo#1794292) Out-of-bound memory access in WebGL on macOS
* CVE-2023-29532 (bmo#1806394) Mozilla Maintenance Service Write-lock bypass
* CVE-2023-29533 (bmo#1798219, bmo#1814597) Fullscreen notification obscured
* CVE-2023-29534 (bmo#1816007, bmo#1816059, bmo#1821155, bmo#1821576, bmo#1821906, bmo#1822298, bmo#1822305) Fullscreen notification could have been obscured on Firefox for Android
* MFSA-TMP-2023-0001 (bmo#1819244) Double-free in libwebp
* CVE-2023-29535 (bmo#1820543) Potential Memory Corruption following Garbage Collector compaction
* CVE-2023-29536 (bmo#1821959) Invalid free from JavaScript code
* CVE-2023-29537 (bmo#1823365, bmo#1824200, bmo#1825569) Data Races in font initialization code
* CVE-2023-29538 (bmo#1685403) Directory information could have been leaked to WebExtensions
* CVE-2023-29539 (bmo#1784348) Content-Disposition filename truncation leads to Reflected File Download
* CVE-2023-29540 (bmo#1790542) Iframe sandbox bypass using redirects and sourceMappingUrls
* CVE-2023-29541 (bmo#1810191) Files with malicious extensions could have been downloaded unsafely on Linux
* CVE-2023-29542 (bmo#1810793, bmo#1815062) Bypass of file download extension restrictions
* CVE-2023-29543 (bmo#1816158) Use-after-free in debugging APIs
* CVE-2023-29544 (bmo#1818781) Memory Corruption in garbage collector
* CVE-2023-29545 (bmo#1823077) Windows Save As dialog resolved environment variables
* CVE-2023-29546 (bmo#1780842) Screen recording in Private Browsing included address bar on Android
* CVE-2023-29547 (bmo#1783536) Secure document cookie could be spoofed with insecure cookie
* CVE-2023-29548 (bmo#1822754) Incorrect optimization result on ARM64
* CVE-2023-29549 (bmo#1823042) Javascript\'s bind function may have failed
* CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413, bmo#1824828) Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
* CVE-2023-29551 (bmo#1763625, bmo#1814314, bmo#1815798, bmo#1815890, bmo#1819239, bmo#1819465, bmo#1819486, bmo#1819492, bmo#1819957, bmo#1820514, bmo#1820776, bmo#1821838, bmo#1822175, bmo#1823547) Memory safety bugs fixed in Firefox 112- requires
* NSS 3.89
* Python >= 3.7 (for build)- removed obsolete mozilla-bmo1807652.patch- Fix Icons displayed incorrectly on GNOME/wayland via WMCLASS in desktop file
* Mon Mar 27 2023 Wolfgang Rosenauer - Mozilla Firefox 111.0.1 (boo#1209688)
* Fixed a crash on macOS while pinch-zooming under some circumstances (bmo#1658986)
* Fixed a bug causing Firefox to freeze on startup for some Windows users (bmo#1823159)- fix build on Tumbleweed (mozilla-bmo1807652.patch)- exclude i586/i686 once again because it fails to link libxul due to its size
* Tue Mar 14 2023 Wolfgang Rosenauer - Mozilla Firefox 111.0
* https://www.mozilla.org/en-US/firefox/111.0/releasenotes MFSA 2023-09 (bsc#1209173)
* CVE-2023-28159 (bmo#1783561) Fullscreen Notification could have been hidden by download popups on Android
* CVE-2023-25748 (bmo#1798798) Fullscreen Notification could have been hidden by window prompts on Android
* CVE-2023-25749 (bmo#1810705) Firefox for Android may have opened third-party apps without a prompt
* CVE-2023-25750 (bmo#1814733) Potential ServiceWorker cache leak during private browsing mode
* CVE-2023-25751 (bmo#1814899) Incorrect code generation during JIT compilation
* CVE-2023-28160 (bmo#1802385) Redirect to Web Extension files may have leaked local path
* CVE-2023-28164 (bmo#1809122) URL being dragged from a removed cross-origin iframe into the same tab triggered navigation
* CVE-2023-28161 (bmo#1811181) One-time permissions granted to a local file were extended to other local files loaded in the same tab
* CVE-2023-28162 (bmo#1811327) Invalid downcast in Worklets
* CVE-2023-25752 (bmo#1811627) Potential out-of-bounds when accessing throttled streams
* CVE-2023-28163 (bmo#1817768) Windows Save As dialog resolved environment variables
* CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904, bmo#1817442, bmo#1818674) Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9
* CVE-2023-28177 (bmo#1803109, bmo#1808832, bmo#1809542, bmo#1817336) Memory safety bugs fixed in Firefox 111- ensure gcc11-c++ gets used on Leap 15.5- requires NSS >= 3.88.1- removed obsolete patches gcc13-fix.patch mozilla-bmo1810584.patch- rebased patches- update create-tar.sh
* Tue Mar 07 2023 Martin Liška - Cherry-pick upstream changes for GCC 13 in gcc13-fix.patch.
* Mon Mar 06 2023 Andreas Schwab - Limit memory use on riscv64
* Sat Mar 04 2023 Andreas Stieger - Fix 32 bit build bmo#1810584 (add mozilla-bmo1810584.patch)
* Fri Mar 03 2023 Andreas Stieger - Mozilla Firefox 110.0.1 (boo#1208886)
* Fixed clearing recent cookies clears all cookies (bmo#1816279)
* Fixed WebGL crashes on Linux when ran inside a VMWare virtual machine (bmo#1807942)
* Fixed a bug with CSP serialization causing bugs with the MitID Digital ID in Denmark (bmo#1819096)
* Wed Feb 15 2023 Wolfgang Rosenauer - Mozilla Firefox 110.0
* https://www.mozilla.org/en-US/firefox/110.0/releasenotes MFSA 2023-05 (bsc#1208144)
* CVE-2023-25728 (bmo#1790345) Content security policy leak in violation reports using iframes
* CVE-2023-25730 (bmo#1794622) Screen hijack via browser fullscreen mode
* CVE-2023-25743 (bmo#1800203) Fullscreen notification not shown in Firefox Focus
* CVE-2023-0767 (bmo#1804640) Arbitrary memory write via PKCS 12 in NSS
* CVE-2023-25735 (bmo#1810711) Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-25737 (bmo#1811464) Invalid downcast in SVGUtils::SetupStrokeGeometry
* CVE-2023-25738 (bmo#1811852) Printing on Windows could potentially crash Firefox with some device drivers
* CVE-2023-25739 (bmo#1811939) Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
* CVE-2023-25729 (bmo#1792138) Extensions could have opened external schemes without user knowledge
* CVE-2023-25732 (bmo#1804564) Out of bounds memory write from EncodeInputStream
* CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338) Opening local .url files could cause unexpected network loads
* CVE-2023-25740 (bmo#1812354) Opening local .scf files could cause unexpected network loads
* CVE-2023-25731 (bmo#1801542) Prototype pollution when rendering URLPreview
* CVE-2023-25733 (bmo#1808632) Possible null pointer dereference in TaskbarPreviewCallback
* CVE-2023-25736 (bmo#1811331) Invalid downcast in GetTableSelectionMode
* CVE-2023-25741 (bmo#1437126, bmo#1812611, bmo#1813376) Same-origin policy leak via image drag and drop
* CVE-2023-25742 (bmo#1813424) Web Crypto ImportKey crashes tab
* CVE-2023-25744 (bmo#1789449, bmo#1803628, bmo#1810536) Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8
* CVE-2023-25745 (bmo#1688592, bmo#1797186, bmo#1804998, bmo#1806521, bmo#1813284) Memory safety bugs fixed in Firefox 110- requires NSS = 3.87 rust/cargo = 1.66- update create-tar.sh
* Wed Feb 01 2023 Andreas Stieger - Mozilla Firefox 109.0.1
* Fixed jank when loading pages containing a large number of emoji characters (bmo#1809081)
* Fixed an issue causing authentication prompts to not appear when loading pages in some enterprise environments (bmo#1809151)
* ixed inconsistent sizing of event listener checkboxes inside the Inspector developer tool (bmo#1811760)
* Mon Jan 16 2023 Wolfgang Rosenauer - Mozilla Firefox 109.0 MFSA 2023-01 (bsc#1207119)
* CVE-2023-23597 (bmo#1538028) Logic bug in process allocation allowed to read arbitrary files
* CVE-2023-23598 (bmo#1800425) Arbitrary file read from GTK drag and drop on Linux
* CVE-2023-23599 (bmo#1777800) Malicious command could be hidden in devtools output on Windows
* CVE-2023-23600 (bmo#1787034) Notification permissions persisted between Normal and Private Browsing on Android
* CVE-2023-23601 (bmo#1794268) URL being dragged from cross-origin iframe into same tab triggers navigation
* CVE-2023-23602 (bmo#1800890) Content Security Policy wasn\'t being correctly applied to WebSockets in WebWorkers
* CVE-2023-23603 (bmo#1800832) Calls to console.log allowed bypasing Content Security Policy via format directive
* CVE-2023-23604 (bmo#1802346) Creation of duplicate SystemPrincipal from less secure contexts
* CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974) Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
* CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201, bmo#1800446, bmo#1801248, bmo#1802100, bmo#1803393, bmo#1804626, bmo#1804971, bmo#1807004) Memory safety bugs fixed in Firefox 109- requires NSS 3.86- rebased patches
* Fri Jan 06 2023 Luciano Santos - Mozilla Firefox 108.0.2
* Fixes a crash that might occur when managing browser history (bmo#1806408).- Drop merged-upstream mozilla-bmo1805809.patch.
* Wed Dec 21 2022 Wolfgang Rosenauer - add mozilla-bmo1805809.patch to fix build for x86-32 (boo#1206600)
* Tue Dec 20 2022 Wolfgang Rosenauer - Mozilla Firefox 108.0.1 (boo#1206507)
* Fixes the default search engine being reset on upgrade for profiles which were previously copied from a different location
* Tue Dec 13 2022 Wolfgang Rosenauer - Mozilla Firefox 108.0 https://www.mozilla.org/en-US/firefox/108.0/releasenotes/ MFSA 2022-51 (bsc#1206242)
* CVE-2022-46871 (bmo#1795697) libusrsctp library out of date
* CVE-2022-46872 (bmo#1799156) Arbitrary file read from a compromised content process
* CVE-2022-46873 (bmo#1644790) Firefox did not implement the CSP directive unsafe-hashes
* CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions
* CVE-2022-46875 (bmo#1786188) Download Protections were bypassed by .atloc and .ftploc files on Mac OS
* CVE-2022-46877 (bmo#1795139) Fullscreen notification bypass
* CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, bmo#1801102, bmo#1801315, bmo#1802395) Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
* CVE-2022-46879 (bmo#1736224, bmo#1793407, bmo#1794249, bmo#1795845, bmo#1797682, bmo#1797720, bmo#1798494, bmo#1799479) Memory safety bugs fixed in Firefox 108- requires NSS >= 3.85 rustc/cargo 1.65
* Thu Dec 08 2022 Milachew - added translations to .desktop file.
* Thu Dec 01 2022 Andreas Stieger - Mozilla Firefox 107.0.1:
* Fix an issue with accessing some sites reliably in Private Browsing mode or Strict ETP due to anti-adblockers (bmo#1717806)
* Fix an issue where Color Management was not available for some users (bmo#1799391)
* Fix an issue with text overlapping in the Settings Menu for some locales (bmo#1800379)
* Fix an issue where the DevTools UI is not accessible when an alert dialog is displayed (bmo#1801840)
* Tue Nov 15 2022 Wolfgang Rosenauer - Mozilla Firefox 107.0 MFSA 2022-47 (bsc#1205270)
* CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files
* CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass
* CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation
* CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm
* CVE-2022-45407 (bmo#1793314) Loading fonts on workers was not thread-safe
* CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName
* CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection
* CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy
* CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers
* CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers
* CVE-2022-45413 (bmo#1791201) SameSite=Strict cookies could have been sent cross-site via intent URLs
* CVE-2022-40674 (bmo#1791598) Use-after-free vulnerability in expat
* CVE-2022-45415 (bmo#1793551) Downloaded file may have been saved with malicious extension
* CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage
* CVE-2022-45417 (bmo#1794508) Service Workers in Private Browsing Mode may have been written to disk
* CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn over browser UI
* CVE-2022-45419 (bmo#1716082) Deleting a security exception did not take effect immediately
* CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside the iframe
* CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5- requires
* NSS >= 3.84
* rust = 1.64
* Sat Nov 05 2022 Andreas Stieger - Mozilla Firefox 106.0.5
* Addresses a crash experienced by users with Intel Gemini Lake CPUs (bmo#1702019)- Mozilla Firefox 106.0.4
* Fixed an issue with DRM Video playback (bmo#1797292)
* Fixed broken layout of datetime input when switching types (bmo#1797139)
* Tue Nov 01 2022 Andreas Stieger - Mozilla Firefox 106.0.3
* Fixes for other platforms
* Thu Oct 27 2022 Andreas Stieger - Mozilla Firefox 106.0.2
* Fix missing content on some PDF forms (bmo#1794351)
* Fix column width for the Notification sub-panel in Settings (bmo#1793558)
* Fix a browser freeze with accessibility enabled on some sites such as the Proxmox Web UI (bmo#1793748)
* Fix page reloading not working with Firefox View and not refreshing synced data (bmo#1792680, bmo#1794474)
* Sun Oct 23 2022 Andreas Stieger - Mozilla Firefox 106.0.1
* Addresses a crash experienced by users with AMD Zen 1 CPUs (bmo#1796126)
* Sun Oct 16 2022 Wolfgang Rosenauer - Mozilla Firefox 106.0
* support editing of PDFs
* introduced Firefox View
* major WebRTC update - Better screen sharing for Windows and Linux Wayland users - RTP performance and reliability improvements - Richer statistics - Cross-browser and service compatibility improvements
* detailed releasenotes https://www.mozilla.org/en-US/firefox/106.0/releasenotes MFSA 2022-44 (bsc#1204421)
* CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs
* CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine
* CVE-2022-42929 (bmo#1789439) Denial of Service via window.print
* CVE-2022-42930 (bmo#1789503) Race condition in DOM Workers
* CVE-2022-42931 (bmo#1780571) Username saved to a plaintext file on disk
* CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Firefox- added -msse2 flag to fix i386 build and workaround bmo#1795993- fixed used buildflags- renamed mozilla-i686-build.patch to mozilla-buildfixes.patch as it was extended with changes for other archs
* Sat Oct 08 2022 Andreas Stieger - Mozilla Firefox 105.0.3:
* Fixes for other platforms
* Wed Oct 05 2022 Andreas Stieger - Mozilla Firefox 105.0.2:
* Fixed poor contrast on various menu items with certain themes on Linux systems (bmo#1792063)
* Fixed the scrollbar appearing on the wrong side of `select` elements in right-to-left locales (bmo#1791219)
* Fixed a possible deadlock when loading some sites in Troubleshoot Mode (bmo#1786259)
* Fixed a bug causing some dynamic appearance changes to not appear when expected (bmo#1786521)
* Fixed a bug causing theme styling to not be properly applied to sidebars for some add-ons in Private Browsing Mode (bmo#1787543)
* Thu Sep 22 2022 Wolfgang Rosenauer - Mozilla Firefox 105.0.1
* Reverted focus behavior for new windows back to the content area instead of the address bar (bmo#1784692)- added mozilla-i686-build.patch to avoid using avx2
* Sat Sep 17 2022 Wolfgang Rosenauer - Mozilla Firefox 105.0 https://www.mozilla.org/en-US/firefox/105.0/releasenotes MFSA 2022-40 (bsc#1203477)
* CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on transient pages
* CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in threads
* CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
* CVE-2022-40961 (bmo#1784588) Stack-buffer overflow when initializing Graphics
* CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass
* CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when building WASM on ARM64
* CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109, bmo#1786502, bmo#1789440) Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3- requires NSS 3.82 Rust 1.63 (1.61)- removed obsolete mozilla-glibc236.patch
* Fri Sep 09 2022 Guillaume GARDET - Adjust memory requirements to fix build on aarch64
* Wed Sep 07 2022 Wolfgang Rosenauer - Mozilla Firefox 104.0.2 (boo#1203177) https://www.mozilla.org/en-US/firefox/104.0.2/releasenotes/
* Fixed a bug making it impossible to use touch or a stylus to drag the scrollbar on pages (bmo#1787361)
* Fixed an issue causing some users to crash in out-of-memory conditions (bmo#1774155)
* Fixed an issue that would sometimes affect video & audio playback when loaded via a cross-origin iframe src attribute (bmo#1781759)
* Fixed an issue that would sometimes affect video & audio playback when served with Content-Security-Policy: sandbox (bmo#1781063)
* Thu Sep 01 2022 Wolfgang Rosenauer - Mozilla Firefox 104.0.1
* Addresses an issue with Youtube video playback that was affecting some users (boo#1203003)
* Sun Aug 21 2022 Wolfgang Rosenauer - Mozilla Firefox 104.0
* https://www.mozilla.org/en-US/firefox/104.0/releasenotes MFSA 2022-33 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have inherited the parent\'s permissions
* CVE-2022-38474 (bmo#1719511) Recording notification not shown when microphone was recording on Android
* CVE-2022-38475 (bmo#1773266) Attacker could write a value to a zero-length array
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13- requires NSPR 4.34.1 NSS 3.81 rust 1.62
* Sat Aug 13 2022 Wolfgang Rosenauer - added mozilla-glibc236.patch (bmo#1782988, boo#1202323)
* Tue Aug 09 2022 Wolfgang Rosenauer - Mozilla Firefox 103.0.2
* Fixed menu shortcuts for users of the JAWS screen reader
* Fixed an occasional non-overridable certificate error when accessing device configuration pages
* Tue Aug 02 2022 Andreas Schwab - The --disable-elf-hack option only exists on ARM and X86
* Mon Aug 01 2022 Wolfgang Rosenauer - Mozilla Firefox 103.0.1
* Enabled hardware acceleration on newer AMD cards.
* Fixed a crash on Firefox shutdown caused by a bug in the audio manager
* Wed Jul 27 2022 Wolfgang Rosenauer - Mozilla Firefox 103.0 https://www.mozilla.org/en-US/firefox/103.0/releasenotes MFSA 2022-28 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722) Mouse Position spoofing with CSS transforms
* CVE-2022-36317 (bmo#1759951) Long URL would hang Firefox for Android
* CVE-2022-36318 (bmo#1771774) Directory indexes for bundled resources reflected URL parameters
* CVE-2022-36314 (bmo#1773894) Opening local .lnk files could cause unexpected network loads
* CVE-2022-36315 (bmo#1762520) Preload Cache Bypasses Subresource Integrity
* CVE-2022-36316 (bmo#1768583) Performance API leaked whether a cross-site resource is redirecting
* CVE-2022-36320 (bmo#1759794, bmo#1760998) Memory safety bugs fixed in Firefox 103
* CVE-2022-2505 (bmo#1769739, bmo#1772824) Memory safety bugs fixed in Firefox 103 and 102.1- requires NSS >= 3.80 rust = 1.61 rust-cbindgen >= 0.24.3
* Wed Jul 13 2022 Guillaume GARDET - Move %limit_build set before mozilla config to actually set the value of %jobs to MOZ_MAKE_FLAGS to fix build on aarch64
* Wed Jul 06 2022 Andreas Stieger - Firefox 102.0.1:
* Fixed: Fixed bookmarks sidebar flashing white when opened in dark mode (bmo#1776157)
* Fixed: Fixed multilingual spell checking not working with content in both English and a non-Latin alphabet (bmo#1773802)
* Fixed: Developer tools: Fixed an issue where the console output keep getting scrolled to the bottom when the last visible message is an evaluation result (bmo#1776262)
* Fixed: Fixed
*Delete cookies and site data when Firefox is closed
* checkbox getting disabled on startup (bmo#1777419)
* Fixed: Various stability fixes
* Sat Jun 25 2022 Wolfgang Rosenauer - Firefox 102.0
* You can now disable automatic opening of the download panel every time a new download starts
* Firefox now mitigates query parameter tracking when navigating sites in ETP strict mode
* Improved security by moving audio decoding into a separate process with stricter sandboxing, thus improving process isolation
* https://www.mozilla.org/en-US/firefox/102.0/releasenotes MFSA 2022-24 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way to overlay the address bar with web content
* CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537) CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
* CVE-2022-34482 (bmo#845880) Drag and drop of malicious image could have led to malicious executable and potential code execution
* CVE-2022-34483 (bmo#1335845) Drag and drop of malicious image could have led to malicious executable and potential code execution
* CVE-2022-34476 (bmo#1387919) ASN.1 parser could have been tricked into accepting malformed ASN.1
* CVE-2022-34481 (bmo#1483699, bmo#1497246) Potential integer overflow in ReplaceElementsAt
* CVE-2022-34474 (bmo#1677138) Sandboxed iframes could redirect to external schemes
* CVE-2022-34469 (bmo#1721220) TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android
* CVE-2022-34471 (bmo#1766047) Compromised server could trick a browser into an addon downgrade
* CVE-2022-34472 (bmo#1770123) Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717) Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381) Undesired attributes could be set as part of prototype pollution
* CVE-2022-34480 (bmo#1454072) Free of uninitialized pointer in lg_init
* CVE-2022-34477 (bmo#1731614) MediaError message property leaked information on cross- origin same-site pages
* CVE-2022-34475 (bmo#1757210) HTML Sanitizer could have been bypassed via same-origin script via use tags
* CVE-2022-34473 (bmo#1770888) HTML Sanitizer could have been bypassed via use tags
* CVE-2022-34484 (bmo#1763634, bmo#1772651) Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
* CVE-2022-34485 (bmo#1768409, bmo#1768578) Memory safety bugs fixed in Firefox 102- requires NSPR >= 4.34 NSS >= 3.79 rust = 1.60- switch out skia-patches with webrender-patches for big endian removed:
* mozilla-bmo1504834-part2.patch
* mozilla-bmo1504834-part4.patch
* mozilla-bmo1626236.patch added:
* one_swizzle_to_rule_them_all.patch
* svg-rendering.patch- add some more returns to the no-return-patch
* Fri Jun 10 2022 Andreas Stieger - Mozilla Firefox 101.0.1:
* Fixed context menus not appearing when right-clicking Picture-in-Picture windows on some Linux systems (bmo#1771914)
* Various stability fixes
* Sun May 29 2022 Wolfgang Rosenauer - Mozilla Firefox 101.0
* Reading is now easier with the prefers-contrast media query, which allows sites to detect if the user has requested that web content is presented with a higher (or lower) contrast
* All non-configured MIME types can now be assigned a custom action upon download completion
* allows users to use as many microphones as you want, at the same time, during video conferencing. The most exciting benefit is that you can easily switch your microphones at any time (if your conferencing service provider enables this flexibility) MFSA 2022-20 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923) Cross-Origin resource\'s length leaked
* CVE-2022-31737 (bmo#1743767) Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388) Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049) Attacker-influenced path traversal when saving downloaded files
* CVE-2022-31740 (bmo#1766806) Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590) Uninitialized variable leads to invalid memory read
* CVE-2022-31742 (bmo#1730434) Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
* CVE-2022-31743 (bmo#1747388) HTML Parsing incorrectly ended HTML comments prematurely
* CVE-2022-31744 (bmo#1757604) CSP bypass enabling stylesheet injection
* CVE-2022-31745 (bmo#1760944) Incorrect Assertion caused by unoptimized array shift operations
* CVE-2022-1919 (bmo#1761275) Memory Corruption when manipulating webp images
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283, bmo#1767365, bmo#1768559, bmo#1768734) Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
* CVE-2022-31748 (bmo#1713773, bmo#1762201, bmo#1762469, bmo#1762770, bmo#1764878, bmo#1765226, bmo#1765782, bmo#1765973, bmo#1767177, bmo#1767181, bmo#1768232, bmo#1768251, bmo#1769869) Memory safety bugs fixed in Firefox 101- requires
* NSS 3.78.1
* rust-cbindgen 0.23.0
* rust 1.59
* Fri May 20 2022 Wolfgang Rosenauer - Mozilla Firefox 100.0.2 MFSA 2022-19 (bsc#1199768)
* CVE-2022-1802 (bmo#1770137) Prototype pollution in Top-Level Await implementation
* CVE-2022-1529 (bmo#1770048) Untrusted input used in JavaScript object indexing, leading to prototype pollution
* Wed May 18 2022 Andreas Stieger - Mozilla Firefox 100.0.1:
* Fixed: Fixed an issue with subtitles in Picture-in-Picture mode while using Netflix (bmo#1768818)
* Fixed: Fixed an issue where some commands were unavailable in the Picture-in-Picture window (bmo#1768201)
* Sun May 01 2022 Wolfgang Rosenauer - Mozilla Firefox 100.0
* subtitle support in PiP
* spell checking supports multiple languages in parallel
* more details here https://www.mozilla.org/en-US/firefox/100.0/releasenotes MFSA 2022-16 (boo#1198970)
* CVE-2022-29914 (bmo#1746448) Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081) Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674) Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981) iframe Sandbox bypass
* CVE-2022-29912 (bmo#1692655) Reader mode bypassed SameSite cookies
* CVE-2022-29910 (bmo#1757138) Firefox for Android forgot HTTP Strict Transport Security settings
* CVE-2022-29915 (bmo#1751678) Leaking cross-origin redirect through the Performance API
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, bmo#1762614, bmo#1762620, bmo#1764778) Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
* CVE-2022-29918 (bmo#1744043, bmo#1747178, bmo#1753535, bmo#1754017, bmo#1755847, bmo#1756172, bmo#1757477, bmo#1758223, bmo#1760160, bmo#1761481, bmo#1761771) Memory safety bugs fixed in Firefox 100- requires NSS 3.77
* Tue Apr 12 2022 Andreas Stieger - Mozilla Firefox 99.0.1
* Fixed an issue with text rendering in Bengali (bmo#1763368)
* Fixed a selection issue in the Download panel with drag and drop (bmo#1762723)
* Fixed: Fixed an issue preventing Zoom gallery mode for users who go to zoom.us URLs instead of subdomain.zoom.us URLs (bmo#1763801)
* Mon Apr 04 2022 Wolfgang Rosenauer - Mozilla Firefox 99.0
* You can now toggle Narrate in ReaderMode with the keyboard shortcut \"n.\"
* You can find added support for search—with or without diacritics—in the PDF viewer.
* The Linux sandbox has been strengthened: processes exposed to web content no longer have access to the X Window system (X11).
* Firefox now supports credit card autofill and capture in Germany and France. MFSA 2022-13 (bsc#1197903)
* CVE-2022-1097 (bmo#1745667) Use-after-free in NSSToken objects
* CVE-2022-28281 (bmo#1755621) Out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-28282 (bmo#1751609) Use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28283 (bmo#1754066) Missing security checks for fetching sourceMapURL
* CVE-2022-28284 (bmo#1754522) Script could be executed via svg\'s use element
* CVE-2022-28285 (bmo#1756957) Incorrect AliasSet used in JIT Codegen
* CVE-2022-28286 (bmo#1735265) iframe contents could be rendered outside the border
* CVE-2022-28287 (bmo#1741515) Text Selection could crash Firefox
* CVE-2022-24713 (bmo#1758509) Denial of Service via complex regular expressions
* CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508, bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776) Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
* CVE-2022-28288 (bmo#1746415, bmo#1746495, bmo#1746500, bmo#1747282, bmo#1748759, bmo#1749056, bmo#1749786, bmo#1751679, bmo#1752120, bmo#1756010, bmo#1756017, bmo#1757213, bmo#1757258, bmo#1757427) Memory safety bugs fixed in Firefox 99- requires NSS >= 3.76.1- remove obsolete patch
* mozilla-bmo1756347.patch
* mozilla-bmo1757571.patch- update create-tar.sh
* Thu Mar 24 2022 Andreas Stieger - MozillaFirefox 98.0.2:
* Fixed: Fixed an issue preventing users from typing in Address Bar after opening new tab and pressing cmd + enter (bmo#1757376)
* Fixed: Fixed an issue causing some users to crash in out-of- memory conditions (bmo#1757618)
* Fixed: Fixed an issue in session history which caused some sites to fail to load (bmo#1758664)
* Fixed: Fixed an add-on specific compatibility issue (bmo#1759162)
* Wed Mar 23 2022 Simon Vogl - Change mozilla-kde.patch to follow the GNOME registry behavior for new MIME types to avoid opening downloaded files without any inquiries (bsc#1197319)
* Tue Mar 22 2022 Guillaume GARDET - Add patch to fix start-up on aarch64:
* mozilla-bmo1757571.patch
* Thu Mar 17 2022 Dirk Müller - exclude slow cpus for building
* Thu Mar 17 2022 Martin Sirringhaus - Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer, faster buildhosts, as the others struggle to build FF.
* Mon Mar 14 2022 Wolfgang Rosenauer - Mozilla Firefox 98.0.1:
* Yandex and Mail.ru have been removed as optional search providers in the drop-down search menu in Firefox
* Tue Mar 08 2022 Wolfgang Rosenauer - Mozilla Firefox 98.0
* Firefox has a new optimized download flow
* other changes as documented here https://www.mozilla.org/en-US/firefox/98.0/releasenotes MFSA 2022-10 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421) Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352) iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979) Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243) Use-after-free in text reflows
* CVE-2022-26382 (bmo#1741888) Autofill Text could be exfiltrated via side-channel attacks
* CVE-2022-26385 (bmo#1747526) Use-after-free in thread shutdown
* CVE-2022-0843 (bmo#1746523, bmo#1749062, bmo#1749164, bmo#1749214, bmo#1749610, bmo#1750032, bmo#1752100, bmo#1752405, bmo#1753612, bmo#1754508) Memory safety bugs fixed in Firefox 98- requires NSS 3.75- add mozilla-bmo1756347.patch to fix i586 build
* Fri Feb 18 2022 Andreas Stieger - Mozilla Firefox 97.0.1
* Fixed: Fixed an issue where TikTok videos would fail to load when selected from a user\'s profile page (bmo#1750973)
* Fixed: Fixed an issue which led to Picture-in-Picture mode being unable to be toggled on Hulu (bmo#1753401)
* Fixed: Works around problems with WebRoot SecureAnywhere antivirus rendering Firefox unusable in some situations (bmo#1752466)
* Fixed: Fixed an issue causing users to see the Restore Session screen unexpectedly when starting Firefox (bmo#1749996)
* Mon Feb 14 2022 Luciano Santos - Remove bashisms (\"source\" and \"function\" keywords) from mozilla.sh.in to ally with the #!/bin/sh shebang. If the end user has either dash-sh package or busybox-sh to handle Bourn Shell scripts rather than having bash-sh package, the script would fail. Using \".\" instead of \"source\" and \"create_langpack_link()\" function definition is enough to keep both sides sane, behavior-wise.
* Tue Feb 08 2022 Wolfgang Rosenauer - Mozilla Firefox 97.0 MFSA 2022-04 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows via Maintenance Service
* CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission confirmation during update
* CVE-2022-22755 (bmo#1309630) XSL could have allowed JavaScript execution after a tab was closed
* CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have resulted in the dropped object being an executable
* CVE-2022-22757 (bmo#1720098) Remote Agent did not prevent local websites from connecting
* CVE-2022-22758 (bmo#1728742) tel: links could have sent USSD codes to the dialer on Firefox for Android
* CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed script if the parent appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could be distinguished between script and non-script content-types
* CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy directive was not enforced for framed extension pages
* CVE-2022-22762 (bmo#1743931) JavaScript Dialogs could have been displayed over other domains on Firefox for Android
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, bmo#1748210, bmo#1748279) Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
* CVE-2022-0511 (bmo#1713579, bmo#1735448, bmo#1743821, bmo#1746313, bmo#1746314, bmo#1746316, bmo#1746321, bmo#1746322, bmo#1746323, bmo#1746412, bmo#1746430, bmo#1746451, bmo#1746488, bmo#1746875, bmo#1746898, bmo#1746905, bmo#1746907, bmo#1746917, bmo#1747128, bmo#1747137, bmo#1747331, bmo#1747346, bmo#1747439, bmo#1747457, bmo#1747870, bmo#1749051, bmo#1749274, bmo#1749831) Memory safety bugs fixed in Firefox 97- requires NSS 3.74- requires rust 1.57
* Mon Feb 07 2022 Dirk Müller - remove memoryperjob and use %limit instead. this allows to adapt to more worker types, and lowers the time the package is stuck in \"scheduling\". raising memory above 8 to lower risk for LTO jobs to run OOM- add hack to disable -Wl,--gc-section which avoids a binutils segfault on x86- change mozilla-reduce-rust-debuginfo.patch: use -g1 everywhere
* Sun Jan 30 2022 Dirk Müller - disable ccache, this adds about 1 minute of build time and over 2 GB of disk space usage without benefit on OBS builds- build with rust-simd like upstream does- use -g1 for debuginfo generation as this is what upstream does as well and it saves ~ 2GB of writes- use %limit on x86_64 to scale down to less capable workers- disable install stripping so that debuginfo is useful- use autopatch- cleanup constraints to specify only jobs, physicalmemory and memoryperjob to be more flexible on which host to build on
* Fri Jan 28 2022 Wolfgang Rosenauer - Mozilla Firefox 96.0.3 (bsc#1195230)
* Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry (bmo#1752317)
* Mon Jan 24 2022 Martin Liška - Enable -fimplicit-constexpr for GCC 12+.
* Thu Jan 20 2022 Andreas Stieger - Mozilla Firefox 96.0.2
* Fix an issue that caused tab height to display inconsistently on Linux when audio was played (bmo#1714276)
* Fix an issue that caused Lastpass dropdowns to appear blank in Private Browsing mode (bmo#1748158)
* Fix a crash encountered when resizing a Facebook app (bmo#1746084)
* Fri Jan 14 2022 Andreas Stieger - Mozilla Firefox 96.0.1
* Fixed: Improvements to make the parsing of content-length headers more robust (bmo#1749957, boo#1194677)
* Sat Jan 08 2022 Wolfgang Rosenauer - Mozilla Firefox 96.0
* https://www.mozilla.org/en-US/firefox/96.0/releasenotes MFSA 2022-01 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071) Calling into reportValidity could have lead to fullscreen window spoof
* CVE-2022-22743 (bmo#1739220) Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923) Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389) Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334) Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382) Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874) Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720) Iframe sandbox bypass with XSLT
* CVE-2022-22750 (bmo#1566608) IPC passing of resource handles could have lead to sandbox bypass
* CVE-2022-22749 (bmo#1705094) Lack of URL restrictions when scanning QR codes
* CVE-2022-22748 (bmo#1705211) Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856) Leaking cross-origin URLs through securitypolicyviolation event
* CVE-2022-22744 (bmo#1737252) The \'Copy as curl\' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
* CVE-2022-22747 (bmo#1735028) Crash when handling empty pkcs7 sequence
* CVE-2022-22736 (bmo#1742692) Potential local privilege escalation when loading modules from the install directory.
* CVE-2022-22739 (bmo#1744158) Missing throttling on external protocol launch dialog
* CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366, bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221, bmo#1743515, bmo#1745373, bmo#1746011) Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5
* CVE-2022-22752 (bmo#1740534, bmo#1741210, bmo#1742770) Memory safety bugs fixed in Firefox 96- removed obsolete patches
* mozilla-bmo1745560.patch
* mozilla-bmo1744896.patch
* mozilla-sandbox-fips.patch- requires NSPR >= 4.33 NSS >= 3.73.1
* Tue Dec 28 2021 Bjørn Lie - Add upstream patches:
* mozilla-bmo1745560.patch: Fix build against wayland 1.20.
* mozilla-bmo1744896.patch: Create WaylandVsyncSource on window creation
* Mon Dec 20 2021 Wolfgang Rosenauer - Mozilla Firefox 95.0.2
* Addresses frequent crashes experienced by users with C/E/Z-Series \"Bobcat\" CPUs running on Windows 7, 8, and 8.1.- updated constraints for ppc and x86-64
* Fri Dec 17 2021 Wolfgang Rosenauer - Mozilla Firefox 95.0.1 (bsc#1193845)
* Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains (bmo#1745600)
* Fix for a WebRender crash on some Linux/X11 systems (bmo#1741956)
* Fix for a frequent Windows shutdown crash (bmo#1738984)
* Fix websites contrast issues for some Linux users with Dark mode set at OS level (bmo#1740518)
* Sat Dec 04 2021 Wolfgang Rosenauer - Mozilla Firefox 95.0
* You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.
* To better protect Firefox users against side-channel attacks such as Spectre, Site Isolation is now enabled for all Firefox 95 users.
* https://www.mozilla.org/en-US/firefox/95.0/releasenotes MFSA 2021-52 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120) URL leakage when navigating while executing asynchronous function
* CVE-2021-43537 (bmo#1738237) Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091) Missing fullscreen and pointer lock notification when requesting both
* CVE-2021-43539 (bmo#1739683) GC rooting failure when calling wasm instance methods
* MOZ-2021-0010 (bmo#1735852) Use-after-free in fullscreen objects on MacOS
* CVE-2021-43540 (bmo#1636629) WebExtensions could have installed persistent ServiceWorkers
* CVE-2021-43541 (bmo#1696685) External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281) XMLHttpRequest error codes could have leaked the existence of an external protocol handler
* CVE-2021-43543 (bmo#1738418) Bypass of CSP sandbox directive when embedding
* CVE-2021-43544 (bmo#1739934) Receiving a malicious URL as text through a SEND intent could have led to XSS
* CVE-2021-43545 (bmo#1720926) Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751) Cursor spoofing could overlay user interface when native cursor is zoomed
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751, bmo#1737009, bmo#1739372, bmo#1739421) Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4- requires NSS >= 3.72
* Thu Dec 02 2021 Andreas Stieger - remove x-scheme-handler/ftp from firefox.desktop boo#1193321
* Thu Nov 25 2021 Bjørn Lie - Drop unused libidl-devel BuildRequires.
* Tue Nov 23 2021 Andreas Stieger - Mozilla Firefox 94.0.2:
* Update preference design for Firefox Suggest for improved clarity
* Resolved general instability/crashes on Linux caused by a file descriptor leak when backgrounding tabs using WebGL (bmo#1741997)
* Fri Nov 05 2021 Andreas Stieger - Mozilla Firefox 94.0.1:
* fixes for other platforms
* Sat Oct 30 2021 Wolfgang Rosenauer - Mozilla Firefox 94.0
* https://www.mozilla.org/en-US/firefox/94.0/releasenotes MFSA 2021-48 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517) iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156) Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194) Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750) Firefox could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507 (bmo#1730935) Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0003 (bmo#1736886) Universal XSS in Firefox for Android via QR Code URLs
* CVE-2021-38508 (bmo#1366818) Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* MOZ-2021-0004 (bmo#1659155) Web Extensions could access pre-redirect URL when their context menu was triggered by a user
* CVE-2021-38509 (bmo#1718571) Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510 (bmo#1731779) Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0005 (bmo#1719203) \'Copy Image Link\' context menu action could have been abused to see authentication tokens
* MOZ-2021-0006 (bmo#1724233) URL Parsing may incorrectly parse internationalized domains
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048, bmo#1735152) Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3- removed obsolete patches
* mozilla-bmo1602730.patch
* mozilla-bmo1725828.patch
* mozilla-bmo1729124.patch- requires NSS >= 3.71 rust >= 1.53- fix Plasma detection (boo#1191825)- fix Link error \"undefined hidden symbol:\" https://github.com/openSUSE/firefox-maintenance/issues/37
* Tue Oct 26 2021 Wolfgang Rosenauer - Drop unused pkgconfig(gdk-x11-2.0) BuildRequires- (re-)enable LTO on Tumbleweed
* Wed Oct 20 2021 Martin Sirringhaus - Rebase mozilla-sandbox-fips.patch to punch another hole in the sandbox containment, to be able to open /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. This fixes bsc#1191815 and bsc#1190141
* Mon Oct 18 2021 Guillaume GARDET - Add patch to fix build on aarch64 (bmo#1729124)
* mozilla-bmo1729124.patch
* Fri Oct 01 2021 Wolfgang Rosenauer - Mozilla Firefox 93.0
* supports the new AVIF image format
* PDF viewer now supports filling more forms (XFA-based forms)
* now blocks downloads that rely on insecure connections, protecting against potentially malicious or unsafe downloads
* Improved web compatibility for privacy protections with SmartBlock 3.0
* Introducing a new referrer tracking protection in Strict Tracking Protection and Private Browsing
* TLS ciphersuites that use 3DES have been disabled. Such ciphersuites can only be enabled when deprecated versions of TLS are also enabled
* The download panel now follows the Firefox visual styles MFSA 2021-43 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813) https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* CVE-2021-38499 (bmo#1667102, bmo#1723170, bmo#1725356, bmo#1727364) Memory safety bugs fixed in Firefox 93- removed obsolete mozilla-bmo1708709.patch- require NSS >= 3.70- allow to override wayland detection by defining MOZ_ENABLE_WAYLAND explicitely as 0 or 1- fix aarch64 build by updating constraints- add mozilla-bmo1725828.patch to fix widevine (bsc#1190842)- add mozilla-bmo531915.patch to fix build for i586
* Sat Sep 25 2021 Andreas Stieger - Mozilla Firefox 92.0.1
* Fixed: Fixes an issue where audio playback was not working on some Linux systems (bmo#1730499)
* Fixed: Fixes issues with the findbar close button on different operating systems (bmo#1728368)
* Mon Sep 06 2021 Wolfgang Rosenauer - Mozilla Firefox 92.0
* More secure connections: Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers
* Full-range color levels are now supported for video playback on many systems MFSA 2021-38 (bsc#1190269)
* CVE-2021-29993 (bmo#1708544, bmo#1708767, bmo#1712240, bmo#1712242, bmo#1729259) Handling custom intents could lead to crashes and UI spoofs
* CVE-2021-38491 (bmo#1551886) Mixed-Content-Blocking was unable to check opaque origins
* CVE-2021-38492 (bmo#1721107) Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38493 (bmo#1723391, bmo#1724101, bmo#1724107) Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and Firefox ESR 91.1
* CVE-2021-38494 (bmo#1723920, bmo#1725638) Memory safety bugs fixed in Firefox 92- updated appdata- remove mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch (does not apply anymore; unclear if obsolete)- bring back mozilla-silence-no-return-type.patch and run post-build-checks everywhere again- requires NSS 3.69.1
* Tue Aug 31 2021 Atri Bhattacharya - Add mozilla-bmo1708709.patch: On [wayland] popup can be wrongly repositioned due to rounding errors when font scaling != 1 (bmo#1708709); patch taken from upstream bug report and rebased to apply cleanly against current version.
* Sun Aug 29 2021 Martin Liška - Bump using with GCC (tested locally).
* Fri Aug 27 2021 Andreas Stieger - Mozilla Firefox 91.0.2:
* Fixed: Firefox no longer clears authentication data when purging trackers, to avoid repeatedly prompting for a password (bmo#1721084)
* Wed Aug 18 2021 Wolfgang Rosenauer - Mozilla Firefox 91.0.1
* Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bmo#1704404)
* Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to-tab results in the address bar panel (bmo#1720369)
* Various stability fixes MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses
* Mon Aug 09 2021 Wolfgang Rosenauer - Mozilla Firefox 91.0 MFSA 2021-33 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138) Race condition when resolving DNS names could have led to memory corruption
* CVE-2021-29981 (bmo#1707774) Live range splitting could have led to conflicting assignments in the JIT
* CVE-2021-29988 (bmo#1717922) Memory corruption as a result of incorrect style treatment
* CVE-2021-29983 (bmo#1719088) Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984 (bmo#1720031) Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204) Uninitialized memory in a canvas object could have led to memory corruption
* CVE-2021-29987 (bmo#1716129) Users could have been tricked into accepting unwanted permissions on Linux
* CVE-2021-29985 (bmo#1722083) Use-after-free media channels
* CVE-2021-29982 (bmo#1715318) Single bit data leak due to incorrect JIT optimization and type confusion
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178, bmo#1719998, bmo#1720568) Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990 (bmo#1544190, bmo#1716481, bmo#1717778, bmo#1719319, bmo#1722073) Memory safety bugs fixed in Firefox 91- requires
* rustc/cargo >= 1.51
* NSPR >= 4.32
* NSS >= 3.68- force-disable webrender on BE platforms
* Sat Jul 24 2021 Andreas Stieger - Mozilla Firefox 90.0.2:
* Changed: Updates to support DoH Canada rollout (bmo#1713036)
* Fixed: Fixed truncated output when printing (bmo#1720621)
* Fixed: Fixed menu styling on some Gtk themes (bmo#1720441, bmo#1720874)
* Mon Jul 19 2021 Andreas Stieger - Mozilla Firefox 90.0.1 (boo#1188480):
* Fixed: Fixed busy looping processing some HTTP3 responses (bmo#1720079)
* Fixed: Fixed transient errors authenticating with some smart cards (bmo#1715325)
* Fixed: Fixed a rare crash on shutdown (bmo#1707057)
* Fixed: Fixed a race on startup that caused about:support to end up empty after upgrade (bmo#1717894, boo#1188330)
* Sun Jul 11 2021 Wolfgang Rosenauer - Mozilla Firefox 90.0 MFSA 2021-28 (bsc#1188275)
* CVE-2021-29970 (bmo#1709976) Use-after-free in accessibility features of a document
* CVE-2021-29971 (bmo#1713638) Granted permissions only compared host; omitting scheme and port on Android
* CVE-2021-30547 (bmo#1715766) Out of bounds write in ANGLE
* CVE-2021-29972 (bmo#1696816) Use of out-of-date library included use-after-free vulnerability
* CVE-2021-29973 (bmo#1701932) Password autofill on HTTP websites was enabled without user interaction on Android
* CVE-2021-29974 (bmo#1704843) HSTS errors could be overridden when network partitioning was enabled
* CVE-2021-29975 (bmo#1713259) Text message could be overlaid on top of another website
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, bmo#1711576, bmo#1714391) Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316, bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357, bmo#1714066) Memory safety bugs fixed in Firefox 90- requires NSPR 4.31 NSS 3.66- Gtk2 support removed (was only for Flash plugin before)
* Wed Jun 23 2021 Andreas Stieger - Mozilla Firefox 89.0.2 (boo#1187648):
* Fix occasional hangs with Software WebRender on Linux (bmo#1708224)
* Sat Jun 19 2021 Andreas Stieger - Mozilla Firefox 89.0.1 (boo#1187475):
* Updated translations, including full Spanish (Mexico) localization and other improvements (bmo#1714946)
* Fix various font related regressions (bmo#1694174)
* Linux: Fix performance and stability regressions with WebRender (bmo#1715895, bmo#1715902)
* Enterprise: Fix for the `DisableDeveloperTools` policy not having effect anymore (bmo#1715777)
* Linux: Fix broken scrollbars on some GTK themes (bmo#1714103)
* Various stability fixes
* Sat May 29 2021 Wolfgang Rosenauer - Mozilla Firefox 89.0
* UI redesign
* The Event Timing API is now supported
* The CSS forced-colors media query is now supported MFSA 2021-23 (bsc#1186696)
* CVE-2021-29965 (bmo#1709257) Password Manager on Firefox for Android susceptible to domain spoofing
* CVE-2021-29960 (bmo#1675965) Filenames printed from private browsing mode incorrectly retained in preferences
* CVE-2021-29961 (bmo#1700235) Firefox UI spoof using `` elements and CSS scaling
* CVE-2021-29963 (bmo#1705068) Shared cookies for search suggestions in private browsing mode
* CVE-2021-29964 (bmo#1706501) Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29959 (bmo#1395819) Devices could be re-enabled without additional permission prompt
* CVE-2021-29962 (bmo#1701673) No rate-limiting for popups on Firefox for Android
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, bmo#1704722, bmo#1706041) Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
* CVE-2021-29966 (bmo#1660307, bmo#1686154, bmo#1702948, bmo#1708124) Memory safety bugs fixed in Firefox 89- require NSS >= 3.64 rust-cbindgen >= 0.19.0- do not rely on nodejs10 packagename anymore- updated mozilla.keyring- switched TW/x86_64 to clang as the last platform due to https://bugs.gentoo.org/792705- but LTO with clang is broken in TW so disable LTO for it https://bugs.llvm.org/show_bug.cgi?id=47872
* Thu May 06 2021 Guillaume GARDET - Relax RAM and disk constraints for aarch64
* Wed May 05 2021 Andreas Stieger - Mozilla Firefox 88.0.1
* Fixed: Resolved an issue caused by a recent Widevine plugin update which prevented some purchased video content from playing correctly (bmo#1705138)
* Fixed: Fixed corruption of videos playing on Twitter or WebRTC calls on some Gen6 Intel graphics chipsets (bmo#1708937)
* Fixed: Fixed menulists in Preferences being unreadable for users with High Contrast Mode enabled (bmo#1706496) MFSA 2021-20 (bsc#1185633)
* CVE-2021-29952 (bmo#1704227) Race condition in Web Render Components- devel package: move macros to /usr/lib/rpm/macros.d (boo#1185658)
* Sun May 02 2021 Wolfgang Rosenauer - add compatibility for libavcodec58_134
* Sun Apr 18 2021 Wolfgang Rosenauer - Mozilla Firefox 88.0
* New: PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features
* New: Print updates: Margin units are now localized
* New: Smooth pinch-zooming using a touchpad is now supported on Linux
* New: To protect against cross-site privacy leaks, Firefox now isolates window.name data to the website that created it. Learn more
* Changed: Firefox will not prompt for access to your microphone or camera if you’ve already granted access to the same device on the same site in the same tab within the past 50 seconds. This new grace period reduces the number of times you’re prompted to grant device access
* Changed: The ‘Take a Screenshot’ feature was removed from the Page Actions menu in the url bar. To take a screenshot, right-click to open the context menu. You can also add a screenshots shortcut directly to your toolbar via the Customize menu. Open the Firefox menu and select Customize…
* Changed: FTP support has been disabled, and its full removal is planned for an upcoming release. Addressing this security risk reduces the likelihood of an attack while also removing support for a non-encrypted protocol
* Developer: Introduced a new toggle button in the Network panel for switching between JSON formatted HTTP response and raw data (as received over the wire). !enter image description here
* Enterprise: Various bug fixes and new policies have been implemented in the latest version of Firefox. You can see more details in the Firefox for Enterprise 88 Release Notes.
* Fixed: Screen readers no longer incorrectly read content that websites have visually hidden, as in the case of articles in the Google Help panel MFSA 2021-16 (bsc#1184960)
* CVE-2021-23994 (bmo#1699077) Out of bound write due to lazy initialization
* CVE-2021-23995 (bmo#1699835) Use-after-free in Responsive Design Mode
* CVE-2021-23996 (bmo#1701834) Content rendered outside of webpage viewport
* CVE-2021-23997 (bmo#1701942) Use-after-free when freeing fonts from cache
* CVE-2021-23998 (bmo#1667456) Secure Lock icon could have been spoofed
* CVE-2021-23999 (bmo#1691153) Blob URLs may have been granted additional privileges
* CVE-2021-24000 (bmo#1694698) requestPointerLock() could be applied to a tab different from the visible tab
* CVE-2021-24001 (bmo#1694727) Testing code could have enabled session history manipulations by a compromised content process
* CVE-2021-24002 (bmo#1702374) Arbitrary FTP command execution on FTP servers using an encoded URL
* CVE-2021-29945 (bmo#1700690) Incorrect size computation in WebAssembly JIT could lead to null-reads
* CVE-2021-29944 (bmo#1697604) HTML injection vulnerability in Firefox for Android\'s Reader View
* CVE-2021-29946 (bmo#1698503) Port blocking could be bypassed
* CVE-2021-29947 (bmo#1651449, bmo#1674142, bmo#1693476, bmo#1696886, bmo#1700091) Memory safety bugs fixed in Firefox 88- requires
* NSPR 4.30
* NSS 3.63.1- align wayland support logic
* Sat Mar 27 2021 Manfred Hollstein - Switch to clang_build globally; just on TW/x86_64 it does not work due to unreolved externals `__rust_probestack\' - disable clang_build then.- useccache: Add conditionals to enable/disable ccache.
* Tue Mar 23 2021 Wolfgang Rosenauer - Mozilla Firefox 87.0
* requires NSS 3.62
* removed obsolete BigEndian ICU build workaround
* rebased patches MFSA 2021-10 (bsc#1183942)
* CVE-2021-23981 (bmo#1692832) Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982 (bmo#1677046) Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23983 (bmo#1692684) Transitions for invalid ::marker properties resulted in memory corruption
* CVE-2021-23984 (bmo#1693664) Malicious extensions could have spoofed popup information
* CVE-2021-23985 (bmo#1659129) Devtools remote debugging feature could have been enabled without indication to the user
* CVE-2021-23986 (bmo#1692623) A malicious extension could have performed credential-less same origin policy violations
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718) Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
* CVE-2021-23988 (bmo#1684994, bmo#1686653) Memory safety bugs fixed in Firefox 87
* Tue Mar 16 2021 Martin Liška - Set memory limits for DWZ to 4x.
* Sat Mar 13 2021 Andreas Stieger - Mozilla Firefox 86.0.1
* Fixed: Fixed an issue on Apple Silicon machines that caused Firefox to be unresponsive after system sleep (bmo#1682713)
* Fixed: Fixed an issue causing windows to gain or lose focus unexpectedly (bmo#1694927)
* Fixed: Fixed truncation of date and time widgets due to incorrect width calculation (bmo#1695578)
* Fixed: Fixed an issue causing unexpected behavior with extensions managing tab groups (bmo#1694699)
* Fixed: Fixed a frequent Linux crash on browser launch (bmo#1694670)
* Sun Feb 21 2021 Wolfgang Rosenauer - Mozilla Firefox 86.0
* requires NSS >= 3.61
* requires rust-cbindgen >= 0.16.0
* Firefox now supports simultaneously watching multiple videos in Picture-in-Picture.
* Total Cookie Protection to Strict Mode
* https://www.mozilla.org/en-US/firefox/86.0/releasenotes MSFA 2021-07 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23970 (bmo#1681724) Multithreaded WASM triggered assertions validating separation of script domains
* CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23974 (bmo#1528997, bmo#1683627) noscript elements could have led to an HTML Sanitizer bypass
* CVE-2021-23971 (bmo#1678545) A website\'s Referrer-Policy could have been be overridden, potentially resulting in the full URL being sent as a Referrer
* CVE-2021-23976 (bmo#1684627) Local spoofing of web manifests for arbitrary pages in Firefox for Android
* CVE-2021-23977 (bmo#1684761) Malicious application could read sensitive data from Firefox for Android\'s application directories
* CVE-2021-23972 (bmo#1683536) HTTP Auth phishing warning was omitted when a redirect is cached
* CVE-2021-23975 (bmo#1685145) about:memory Measure function caused an incorrect pointer operation
* CVE-2021-23973 (bmo#1690976) MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597, bmo#786797) Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
* CVE-2021-23979 (bmo#1663222, bmo#1666607, bmo#1672120, bmo#1678463, bmo#1678927, bmo#1679560, bmo#1681297, bmo#1681684, bmo#1683490, bmo#1684377, bmo#1684902) Memory safety bugs fixed in Firefox 86- updated create-tar.sh (bsc#1182357)- removed obsolete mozilla-bmo1554971.patch- remove buildsymbols subpackage
* we haven\'t done anything with it for years
* mozilla is collecting those from our debuginfo packages
* would require a local dump_syms tool
* Wed Feb 17 2021 Andreas Stieger - Mozilla Firefox 85.0.2
* Fixed: Fixed a deadlock during startup (bmo#1679933)
* Wed Feb 17 2021 Michel Normand - Use %limit_build macros for PowerPC to avoid oom build failure
* Tue Feb 09 2021 Andreas Stieger - Mozilla Firefox 85.0.1 MFSA 2021-06 (bsc#1181848)
* MOZ-2021-0001 (bmo#1676636) Buffer overflow in depth pitch calculations for compressed textures
* Fixed: Avoid printing an extra blank page at the end of some documents (bmo#1689789).
* Fixed: Fixed a browser crash in case of unexpected Cache API state (bmo#1684838).
* Sun Jan 24 2021 Wolfgang Rosenauer - Mozilla Firefox 85.0
* Adobe Flash is completely history
* supercookie protection
* new bookmark handling and features MFSA 2021-03 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940) Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020) Type confusion when using logical assignment operators in JavaScript switch statements
* CVE-2021-23955 (bmo#1684837) Clickjacking across tabs through misusing requestPointerLock
* CVE-2021-23956 (bmo#1338637) File picker dialog could have been used to disclose a complete directory
* CVE-2021-23957 (bmo#1584582) Iframe sandbox could have been bypassed on Android via the intent URL scheme
* CVE-2021-23958 (bmo#1642747) Screen sharing permission leaked across tabs
* CVE-2021-23959 (bmo#1659035) Cross-Site Scripting in error pages on Firefox for Android
* CVE-2021-23960 (bmo#1675755) Use-after-poison for incorrectly redeclared JavaScript variables during GC
* CVE-2021-23961 (bmo#1677940) More internal network hosts could have been probed by a malicious webpage
* CVE-2021-23962 (bmo#1677194) Use-after-poison in nsTreeBodyFrame::RowCountChanged
* CVE-2021-23963 (bmo#1680793) Permission prompt inaccessible after asking for additional permissions
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736, bmo#1685260, bmo#1685925) Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7
* CVE-2021-23965 (bmo#1670378, bmo#1673555, bmo#1676812, bmo#1678582, bmo#1684497) Memory safety bugs fixed in Firefox 85- requires NSS 3.60.1- requires rust 1.47- remove obsolete mozilla-pipewire-0-3.patch
* Mon Jan 11 2021 Matthias Mailänder - Fix AppStream screenshot links
* Thu Jan 07 2021 Andreas Stieger - Mozilla Firefox 84.0.2 MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044 (bmo#1683964) Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
* Sun Dec 27 2020 Wolfgang Rosenauer - Mozilla Firefox 84.0.1
* Fixed problems loading secure websites and crashes for users with certain third-party PKCS11 modules and smartcards installed (bmo#1682881) (fixed in NSS 3.59.1)
* Fixed a bug causing some Unity JS games to not load on Apple Silicon devices due to improper detection of the OS version (bmo#1680516)- requires NSS 3.59.1
* Sun Dec 13 2020 Wolfgang Rosenauer - Mozilla Firefox 84.0
* Firefox 84 is the final release to support Adobe Flash
* WebRender is enabled by default when run on GNOME-based X11 Linux desktops MFSA 2020-54 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed
* CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL
* CVE-2020-26972 (bmo#1671382) Use-After-Free in WebGL
* CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
* CVE-2020-26975 (bmo#1661071) Malicious applications on Android could have induced Firefox for Android into sending arbitrary attacker-specified headers
* CVE-2020-26976 (bmo#1674343) HTTPS pages could have been intercepted by a registered service worker when they should not have been
* CVE-2020-26977 (bmo#1676311) URL spoofing via unresponsive port in Firefox for Android
* CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage
* CVE-2020-26979 (bmo#1641287, bmo#1673299) When entering an address in the address or search bars, a website could have redirected the user before they were navigated to the intended url
* CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
* CVE-2020-35114 (bmo#1607449, bmo#1640416, bmo#1656459, bmo#1669914, bmo#1673567) Memory safety bugs fixed in Firefox 84- requires NSS >= 3.59 rust >= 1.44 rust-cbindgen >= 0.15.0- remove revert-795c8762b16b.patch and replace with mozilla-pgo.patch
* Sat Nov 21 2020 Kirill Kirillov - Add/Enable GNOME search provider
* Sun Nov 15 2020 Wolfgang Rosenauer - Mozilla Firefox 83.0
* major update for SpiderMonkey improving performance significantly
* optional HTTPS-Only mode
* more improvements https://www.mozilla.org/en-US/firefox/83.0/releasenotes/ MFSA 2020-50 (bsc#1178824))
* CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
* CVE-2020-26952 (bmo#1667685) Out of memory handling of JITed, inlined functions could lead to a memory corruption
* CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls
* CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI
* CVE-2020-26954 (bmo#1657026) Local spoofing of web manifests for arbitrary pages in Firefox for Android
* CVE-2020-26955 (bmo#1663261) Cookies set during file downloads are shared between normal and Private Browsing Mode in Firefox for Android
* CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API)
* CVE-2020-26957 (bmo#1667179) OneCRL was not working in Firefox for Android
* CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26962 (bmo#610997) Cross-origin iframes supported login autofill
* CVE-2020-26963 (bmo#1314912) History and Location interfaces could have been used to hang the browser
* CVE-2020-26964 (bmo#1658865) Firefox for Android\'s Remote Debugging via USB could have been abused by untrusted apps on older versions of Android
* CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571) Single-word search queries were also broadcast to local network
* CVE-2020-26967 (bmo#1665820) Mutation Observers could break or confuse Firefox Screenshots feature
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
* CVE-2020-26969 (bmo#1623920, bmo#1651705, bmo#1667872, bmo#1668876) Memory safety bugs fixed in Firefox 83- requires NSS >= 3.58 nodejs >= 10.22.1- removed obsolete mozilla-ppc-altivec_static_inline.patch- disable LTO on TW because of ICEs in gcc
* Mon Nov 09 2020 Wolfgang Rosenauer - Mozilla Firefox 82.0.3 MSFA 2020-49
* CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for
* Mon Nov 02 2020 Wolfgang Rosenauer - Mozilla Firefox 82.0.2
* few bugfixes for introduced regressions
* Sun Nov 01 2020 Kirill Kirillov - Enable GNOME search provider
* Thu Oct 15 2020 Wolfgang Rosenauer - Mozilla Firefox 82.0
* https://www.mozilla.org/en-US/firefox/82.0/releasenotes/ MFSA 2020-45 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570) Use-after-free in usersctp
* CVE-2020-15254 (bmo#1668514) Undefined behavior in bounded channel of crossbeam rust crate
* CVE-2020-15680 (bmo#1658881) Presence of external protocol handlers could be determined through image tags
* CVE-2020-15681 (bmo#1666568) Multiple WASM threads may have overwritten each others\' stub table entries
* CVE-2020-15682 (bmo#1636654) The domain associated with the prompt to open an external protocol could be spoofed to display the incorrect origin
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760, bmo#1663439, bmo#1666140) Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* CVE-2020-15684 (bmo#1653764, bmo#1661402, bmo#1662259, bmo#1664257) Memory safety bugs fixed in Firefox 82- requires
* NSPR 4.29
* NSS 3.57
* Thu Oct 01 2020 Wolfgang Rosenauer - Mozilla Firefox 81.0.1
* https://www.mozilla.org/en-US/firefox/81.0.1/releasenotes/- remove obsolete python2 build requires
* Wed Sep 30 2020 Guillaume GARDET - Increase disk requirements in _constraints to match current needs
* Fri Sep 18 2020 Wolfgang Rosenauer - Mozilla Firefox 81.0
* https://www.mozilla.org/en-US/firefox/81.0/releasenotes MFSA 2020-42 (bsc#1176756)
* CVE-2020-15675 (bmo#1654211) Use-After-Free in WebGL
* CVE-2020-15677 (bmo#1641487) Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140) XSS when pasting attacker-controlled data into a contenteditable element
* CVE-2020-15678 (bmo#1660211) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800) Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
* CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293) Memory safety bugs fixed in Firefox 81- requires NSPR 4.28 NSS 3.56- removed obsolete patches
* mozilla-system-nspr.patch
* mozilla-bmo1661715.patch
* mozilla-silence-no-return-type.patch- skip post-build-checks for 15.0 and 15.1- add revert-795c8762b16b.patch to fix LTO builds with gcc (related to bmo#1644409)- require python3-curses as workaround to fix i586 build
* Thu Sep 17 2020 Guillaume GARDET - Use %limit_build macro again for aarch64 and armv7, instead of the new memoryperjob _constraints to use more workers
* Sat Sep 05 2020 Wolfgang Rosenauer - add mozilla-bmo1661715.patch to fix Flash plugin
* Wed Sep 02 2020 Manfred Hollstein - Mozilla Firefox 80.0.1: Bug fixes:
* Fixed a performance regression when encountering new intermediate CA certificates (bmo#1661543)
* Fixed crashes possibly related to GPU resets (bmo#1627616)
* Fixed rendering on some sites using WebGL (bmo#1659225)
* Fixed the zoom-in keyboard shortcut on Japanese language builds (bmo#1661895)
* Fixed download issues related to extensions and cookies (bmo#1655190)- added mozilla-silence-no-return-type.patch
* Tue Aug 25 2020 Wolfgang Rosenauer - more whitelisting (/dev/random) for sandbox in relation to FIPS (bsc#1174284)- improve langpack builds to use dedicated objdirs and make it parallel again
* Sat Aug 22 2020 Wolfgang Rosenauer - Mozilla Firefox 80.0 MFSA 2020-36 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199) Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214) Attacker-induced prompt for extension installation
* CVE-2020-12401 (bmo#1631573) Timing-attack on ECDSA signature generation
* CVE-2020-6829 (bmo#1631583) P-384 and P-521 vulnerable to an electro-magnetic side channel attack on signature generation
* CVE-2020-12400 (bmo#1623116) P-384 and P-521 vulnerable to a side channel attack on modular inversion
* CVE-2020-15665 (bmo#1651636) Address bar not reset when choosing to stay on a page after the beforeunload dialog is shown
* CVE-2020-15666 (bmo#1450853) MediaError message property leaks cross-origin response status
* CVE-2020-15667 (bmo#1653371) Heap overflow when processing an update file
* CVE-2020-15668 (bmo#1651520) Data Race when reading certificate information
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626, bmo#1656957) Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2- requires
* NSPR 4.27
* NSS 3.55- added mozilla-system-nspr.patch (bmo#1661096)- exclude ga-IE locale as it\'s failing to build- rollback parallelize locale build because it breaks bookmarks (boo#1167976)- preserve original default bookmark file during langpack build (boo#1167976)- add some ccache output during build
* Thu Aug 20 2020 Martin Liška - Use new memoryperjob _constraints instead of %limit_build macro.
* Mon Aug 10 2020 Wolfgang Rosenauer - use ccache for build- replace versioned RPM deps with requires_ge- parallelize locale build
* Thu Aug 06 2020 Yunhe Guo - Change
*.appdata.xml location to latest AppStream standard
* Thu Jul 23 2020 Wolfgang Rosenauer - Mozilla Firefox 79.0 MFSA 2020-30 (bsc#1174538)
* CVE-2020-15652 (bmo#1634872) Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514 (bmo#1642792) WebRTC data channel leaks internal address to peer
* CVE-2020-15655 (bmo#1645204) Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653 (bmo#1521542) Bypassing iframe sandbox when allowing popups
* CVE-2020-6463 (bmo#1635293) Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656 (bmo#1647293) Type confusion for special arguments in IonMonkey
* CVE-2020-15658 (bmo#1637745) Overriding file type when saving to disk
* CVE-2020-15657 (bmo#1644954) DLL hijacking due to incorrect loading path
* CVE-2020-15654 (bmo#1648333) Custom cursor can overlay user interface
* CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1638856, bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646220, bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678) Memory safety bugs fixed in Firefox 79- updated dependency requirements:
* mozilla-nspr >= 4.26
* mozilla-nss >= 3.54
* rust >= 1.43
* rust-cbindgen >= 0.14.3- removed obsolete patch mozilla-bmo1463035.patch
* Tue Jul 21 2020 Wolfgang Rosenauer - fixed syntax issue in desktop file (boo#1174360)
* Fri Jul 17 2020 Wolfgang Rosenauer - Add mozilla-libavcodec58_91.patch to link against updated soversion of libavcodec (58.91) with ffmpeg >= 4.3. (patch provided by Atri Bhattacharya - enable MOZ_USE_XINPUT2 for TW (again) (boo#1173320) (Plasma 5.19.3 is now in TW)
* Sat Jul 11 2020 Wolfgang Rosenauer - Mozilla Firefox 78.0.2
* Fixed an accessibility regression in reader mode (bmo#1650922)
* Made the address bar more resilient to data corruption in the user profile (bmo#1649981)
* Fixed a regression opening certain external applications (bmo#1650162) MFSA 2020-28
* CVE pending (bmo#1644076) X-Frame-Options bypass using object or embed tags- added desktop file actions- do not use XINPUT2 for the moment until Plasma 5.19.3 has landed (boo#1173993)- rework langpack integration (boo#1173991)
* ship XPIs instead of directories
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes- Google API key is not usable for geolocation service- fix pipewire support for TW (boo#1172903)
* Wed Jul 01 2020 Wolfgang Rosenauer - Mozilla Firefox 78.0.1
* Fixed an issue which could cause installed search engines to not be visible when upgrading from a previous release.- enable MOZ_USE_XINPUT2 for TW (boo#1173320)
* Sun Jun 28 2020 Wolfgang Rosenauer - Mozilla Firefox 78.0
* startup notifications now using Gtk instead of libnotify
* PDF downloads now show an option to open the PDF directly in Firefox
* Protections Dashboard (about:protections)
* WebRTC not interrupted by screensaver anymore
* disabled TLS 1.0 and 1.1 by default MFSA 2020-24 (bsc#1173576)
* CVE-2020-12415 (bmo#1586630) AppCache manifest poisoning due to url encoded character processing
* CVE-2020-12416 (bmo#1639734) Use-after-free in WebRTC VideoBroadcaster
* CVE-2020-12417 (bmo#1640737) Memory corruption due to missing sign-extension for ValueTags on ARM64
* CVE-2020-12418 (bmo#1641303) Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874) Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437) Use-After-Free when trying to connect to a STUN server
* CVE-2020-12402 (bmo#1631597) RSA Key Generation vulnerable to side-channel attack
* CVE-2020-12421 (bmo#1308251) Add-On updates did not respect the same certificate trust rules as software updates
* CVE-2020-12422 (bmo#1450353) Integer overflow in nsJPEGEncoder::emptyOutputBuffer
* CVE-2020-12423 (bmo#1642400) DLL Hijacking due to searching %PATH% for a library
* CVE-2020-12424 (bmo#1562600) WebRTC permission prompt could have been bypassed by a compromised content process
* CVE-2020-12425 (bmo#1634738) Out of bound read in Date.parse()
* CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187, bmo#1637682) Memory safety bugs fixed in Firefox 78- requires
* NSS >= 3.53.1
* nodejs >= 10.21
* Gtk+3 >= 3.14- removed obsolete patches
* mozilla-s390-bigendian.patch
* mozilla-bmo1634646.patch- Add mozilla-pipewire-0-3.patch for openSUSE >= 15.2 to build WebRTC with pipewire support to enable screen sharing under Wayland; also add BuildRequires: pkgconfig(libpipewire-0.3) appropriately (boo#1172903).- adding SLE12 compatibility in spec file- add patches for s390x
* mozilla-bmo1602730.patch (bmo#1602730)
* mozilla-bmo1626236.patch (bmo#1626236)
* mozilla-bmo998749.patch (bmo#998749)
* mozilla-s390x-skia-gradient.patch- update create-tar.sh- Use same _constraints for ppc64 (BE) as ppc64le to avoid oom build failure
* Wed Jun 10 2020 Guillaume GARDET - Exclude armv6, since it is unbuildable since about 3 years
* Wed Jun 03 2020 Andreas Stieger - Mozilla Firefox 77.0.1
* Disable automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way (bmo#1642723)
* Fri May 29 2020 Wolfgang Rosenauer - Mozilla Firefox 77.0
* view and manage web certificates more easily on the new about:certificate page
* improvements in accessibility
* significant improvements to JavaScript debugging MFSA 2020-20 (bsc#1172402)
* CVE-2020-12399 (bmo#1631576) Timing attack on DSA signatures in NSS library (fixed with external NSS >= 3.52.1)
* CVE-2020-12405 (bmo#1631618) Use-after-free in SharedWorkerService
* CVE-2020-12406 (bmo#1639590) JavaScript type confusion with NativeTypes
* CVE-2020-12407 (bmo#1637112) WebRender leaking GPU memory when using border-image CSS directive
* CVE-2020-12408 (bmo#1623888) URL spoofing when using IP addresses
* CVE-2020-12409 (bmo#1619305, bmo#1632717) Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
* CVE-2020-12411 (bmo#1620972, bmo#1625333) Memory safety bugs fixed in Firefox 77- requires
* NSS >= 3.52.1
* rust-cbindgen >= 1.14.1
* clang >= 5- added mozilla-bmo1634646.patch as part of fixing PGO build (still not working)
* Wed May 13 2020 Michel Normand - change again _constraints for ppc64le use and increase limit_build in spec file to reduce max_jobs.
* Sat May 09 2020 Wolfgang Rosenauer - Mozilla Firefox 76.0.1
* Fixed a bug causing some add-ons such as Amazon Assistant to see multiple onConnect events, impairing functionality (bmo#1635637)
* Fri May 01 2020 Wolfgang Rosenauer - Mozilla Firefox 76.0
* Lockwise improvements
* Improvements in Picture-in-Picture feature
* Support Audio Worklets MFSA-2020-16 (bsc#1171186)
* CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown
* CVE-2020-12388 (bmo#1618911) Sandbox escape with improperly guarded Access Tokens
* CVE-2020-12389 (bmo#1554110) Sandbox escape with improperly separated process types
* CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation
* CVE-2020-12390 (bmo#1141959) Incorrect serialization of nsIPrincipal.origin for IPv6 addresses
* CVE-2020-12391 (bmo#1457100) Content-Security-Policy bypass using object elements
* CVE-2020-12392 (bmo#1614468) Arbitrary local file access with \'Copy as cURL\'
* CVE-2020-12393 (bmo#1615471) Devtools\' \'Copy as cURL\' feature did not fully escape website-controlled data, potentially leading to command injection
* CVE-2020-12394 (bmo#1628288) URL spoofing in location bar when unfocussed
* CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
* CVE-2020-12396 (bmo#1339601, bmo#1611938, bmo#1620488, bmo#1622291, bmo#1627644) Memory safety bugs fixed in Firefox 76- requires
* NSS >= 3.51.1
* nasm >= 2.14- removed obsolete patch mozilla-bmo1622013.patch- fix URI creation for KDE file selector integration (boo#1160331)
* Tue Apr 07 2020 Wolfgang Rosenauer - Mozilla Firefox 75.0
* https://www.mozilla.org/en-US/firefox/75.0/releasenotes MFSA 2020-12 (bsc#1168874)
* CVE-2020-6821 (bmo#1625404) Uninitialized memory could be read when using the WebGL copyTexSubImage method
* CVE-2020-6822 (bmo#1544181) Out of bounds write in GMPDecodeData when processing large images
* CVE-2020-6823 (bmo#1614919) Malicious Extension could obtain auth codes from OAuth login flows
* CVE-2020-6824 (bmo#1621853) Generated passwords may be identical on the same site between separate private browsing sessions
* CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203) Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
* CVE-2020-6826 (bmo#1613009,bmo#1613195,bmo#1616734,bmo#1617488, bmo#1619229,bmo#1620719,bmo#1624897) Memory safety bugs fixed in Firefox 75- removed obsolete patch mozilla-bmo1609538.patch- requires
* rust >= 1.41
* rust-cbindgen >= 0.13.1
* mozilla-nss >= 3.51
* nodejs10 >= 10.19- fix build issue in libvpx for i586 via mozilla-bmo1622013.patch
* Mon Apr 06 2020 Michel Normand - increase _constraints memory for ppc64le
* Fri Apr 03 2020 Wolfgang Rosenauer - Mozilla Firefox 74.0.1 MFSA 2020-11 (boo#1168630)
* CVE-2020-6819 (bmo#1620818) Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728) Use-after-free when handling a ReadableStream
* Wed Mar 25 2020 Marcus Meissner - mozilla-sandbox-fips.patch: allow /proc/sys/crypto/fips_enabled to be read, as openssl 1.1.1 FIPS aborts if it cannot access it (bsc#1167132)
* Sat Mar 07 2020 Wolfgang Rosenauer - Mozilla Firefox 74.0
* https://www.mozilla.org/en-US/firefox/74.0/releasenotes/ MFSA 2020-08 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880) Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308) BodyStream::OnInputStreamReady was missing protections against state confusion
* CVE-2020-6807 (bmo#1614971) Use-after-free in cubeb during stream destruction
* CVE-2020-6808 (bmo#1247968) URL Spoofing via javascript: URL
* CVE-2020-6809 (bmo#1420296) Web Extensions with the all-urls permission could access local files
* CVE-2020-6810 (bmo#1432856) Focusing a popup while in fullscreen could have obscured the fullscreen notification
* CVE-2020-6811 (bmo#1607742) Devtools\' \'Copy as cURL\' feature did not fully escape website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765) Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661) The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
* CVE-2020-6813 (bmo#1605814) AATTimport statements in CSS could bypass the Content Security Policy nonce feature
* CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636, bmo#1614339) Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
* CVE-2020-6815 (bmo#1181957,bmo#1557732,bmo#1557739,bmo#1611457, bmo#1612431) Memory and script safety bugs fixed in Firefox 74- requires
* NSPR 4.25
* NSS 3.50
* rust-cbindgen 0.13.0- removed obsolete patches mozilla-bmo1610814.patch mozilla-cubeb-noreturn.patch- add mozilla-bmo1609538.patch to fix wayland issues with mutter 3.36 (bmo#1609538, boo#1166471)
* Wed Feb 26 2020 Wolfgang Rosenauer - big endian fixes
* Tue Feb 25 2020 Guillaume GARDET - Fix build on aarch64/armv7 with:
* mozilla-bmo1610814.patch (boo#1164845, bmo#1610814)
* Thu Feb 20 2020 Wolfgang Rosenauer - Mozilla Firefox 73.0.1
* Resolved problems connecting to the RBC Royal Bank website (bmo#1613943)
* Fixed Firefox unexpectedly exiting when leaving Print Preview mode (bmo#1611133)
* Fixed crashes when playing encrypted content on some Linux systems (bmo#1614535, boo#1164646)- start in wayland mode when running under wayland session
* Sun Feb 09 2020 Wolfgang Rosenauer - Mozilla Firefox 73.0
* Added support for setting a default zoom level applicable for all web content
* High-contrast mode has been updated to allow background images
* Improved audio quality when playing back audio at a faster or slower speed
* Added NextDNS as alternative option for DNS over HTTPS MFSA 2020-05 (bsc#1163368)
* CVE-2020-6796 (bmo#1610426) Missing bounds check on shared memory read in the parent process
* CVE-2020-6797 (bmo#1596668) (MacOS X only) Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944) Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6799 (bmo#1606596) (Windows only) Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851, bmo#1608580,bmo#1608785,bmo#1605777) Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* CVE-2020-6801 (bmo#1601024,bmo#1601712,bmo#1604836,bmo#1606492) Memory safety bugs fixed in Firefox 73- updated requirements
* rust >= 1.39
* NSS >= 3.49.2
* rust-cbindgen >= 0.12.0- rebased patches- removed obsolete patch
* mozilla-bmo1601707.patch- switched to cairo-gtk3-wayland build (to fully enable wayland MOZ_ENABLE_WAYLAND=1 needs to be set)- disabled elfhack due to failing packager https://github.com/openSUSE/firefox-maintenance/issues/28- disabled PGO due to build failure https://github.com/openSUSE/firefox-maintenance/issues/29
* Tue Jan 28 2020 Stasiek Michalski - Use a symbolic icon from branding internals- Pixmaps no longer required for the desktops
* Wed Jan 22 2020 Wolfgang Rosenauer - Mozilla Firefox 72.0.2
* Various stability fixes
* Fixed issues opening files with spaces in their path (bmo#1601905)
* Fixed a hang opening about:logins when a master password is set (bmo#1606992)
* Fixed a web compatibility issue with CSS Shadow Parts which shipped in Firefox 72 (bmo#1604989)
* Fixed inconsistent playback performance for fullscreen 1080p videos on some systems (bmo#1608485)
* Tue Jan 21 2020 Guillaume GARDET - Fix build for aarch64/ppc64le (do not update config.sub file for libbacktrace)
* Wed Jan 08 2020 Wolfgang Rosenauer - Mozilla Firefox 72.0.1 MFSA 2020-03 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with StoreElementHole and FallibleStoreElement- Mozilla Firefox 72.0
* block fingerprinting scripts by default
* new notification pop-ups
* Picture-in-picture video MFSA 2020-01 (bsc#1160305)
* CVE-2019-17016 (bmo#1599181) Bypass of AATTnamespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp
* CVE-2019-17020 (bmo#1597645) Content Security Policy not applied to XSL stylesheets applied to XML documents
* CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags
* CVE-2019-17023 (bmo#1590001) (fixed in NSS FIXME) NSS may negotiate TLS 1.2 or below after a TLS 1.3 HelloRetryRequest had been sent
* CVE-2019-17024 (bmo#1507180,bmo#1595470,bmo#1598605,bmo#1601826) Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
* CVE-2019-17025 (bmo#1328295,bmo#1328300,bmo#1590447,bmo#1590965 bmo#1595692,bmo#1597321,bmo#1597481) Memory safety bugs fixed in Firefox 72- update create-tar.sh to skip compare-locales- requires NSPR 4.24 and NSS 3.48- removed usage of browser-plugins convention for NPAPI plugins from start wrapper and changed the RPM macro to the /usr/$LIB/mozilla/plugins location (boo#1160302)
* Mon Dec 02 2019 Wolfgang Rosenauer - Mozilla Firefox 71.0
* Improvements to Lockwise, our integrated password manager
* More information about Enhanced Tracking Protection in action
* Native MP3 decoding on Windows, Linux, and macOS
* Configuration page (about:config) reimplemented in HTML
* New kiosk mode functionality, which allows maximum screen space for customer-facing displays MFSA 2019-36
* CVE-2019-11756 (bmo#1508776) Use-after-free of SFTKSession object
* CVE-2019-17008 (bmo#1546331) Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156) (Windows only) Stack corruption due to incorrect number of arguments in WebRTC code
* CVE-2019-17014 (bmo#1322864) Dragging and dropping a cross-origin resource, incorrectly loaded as an image, could result in information disclosure
* CVE-2019-17010 (bmo#1581084) Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170) Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334) Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209 bmo#1580288, bmo#1585760, bmo#1592502) Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* CVE-2019-17013 (bmo#1298509, bmo#1472328, bmo#1577439, bmo#1577937 bmo#1580320, bmo#1584195, bmo#1585106, bmo#1586293, bmo#1593865 bmo#1594181) Memory safety bugs fixed in Firefox 71- requires NSPR >= 4.23 NSS >= 3.47.1 rust/cargo >= 1.37- reactivate webrtc for platforms where it was disabled- updated create-tar.sh to cover buildid and origin repo information - > removed obsolete source-stamp.txt- removed obsolete patches mozilla-bmo1511604.patch mozilla-openaes-decl.patch- changed locale building procedure
* removed obsolete compare-locales.tar.xz- added mozilla-bmo1601707.patch to fix gcc/LTO builds (bmo#1601707, boo#1158466)- added mozilla-bmo849632.patch to fix big endian issues in skia used for WebGL
* Fri Nov 01 2019 Wolfgang Rosenauer - Mozilla Firefox 70.0.1
* Fix for an issue that caused some websites or page elements using dynamic JavaScript to fail to load. (bmo#1592136)
* Title bar no longer shows in full screen view (bmo#1588747)- added mozilla-bmo1504834-part4.patch to fix some visual issues on big endian platforms
* Sun Oct 20 2019 Wolfgang Rosenauer - Mozilla Firefox 70.0
* more privacy protections from Enhanced Tracking Protection
* Firefox Lockwise passwordmanager
* Improvements to core engine components, for better browsing on more sites
* Improved privacy and security indicators MFSA 2019-34
* CVE-2018-6156 (bmo#1480088) Heap buffer overflow in FEC processing in WebRTC
* CVE-2019-15903 (bmo#1584907) Heap overflow in expat library in XML_GetCurrentLineNumber
* CVE-2019-11757 (bmo#1577107) Use-after-free when creating index updates in IndexedDB
* CVE-2019-11759 (bmo#1577953) Stack buffer overflow in HKDF output
* CVE-2019-11760 (bmo#1577719) Stack buffer overflow in WebRTC networking
* CVE-2019-11761 (bmo#1561502) Unintended access to a privileged JSONView object
* CVE-2019-11762 (bmo#1582857) document.domain-based origin isolation has same-origin-property violation
* CVE-2019-11763 (bmo#1584216) Incorrect HTML parsing results in XSS bypass technique
* CVE-2019-11765 (bmo#1562582) Incorrect permissions could be granted to a website
* CVE-2019-17000 (bmo#1441468) CSP bypass using object tag with data: URI
* CVE-2019-17001 (bmo#1587976) CSP bypass using object tag when script-src \'none\' is specified
* CVE-2019-17002 (bmo#1561056) upgrade-insecure-requests was not being honored for links dragged and dropped
* CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223, bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845, bmo#1581950, bmo#1583463, bmo#1586599) Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2- requires rust/cargo >= 1.36 NSPR >= 4.22 NSS >= 3.46.1 rust-cbindgen >= 0.9.1- removed obsolete patches mozilla-bmo1573381.patch mozilla-nestegg-big-endian.patch
* Sun Oct 13 2019 Wolfgang Rosenauer - Mozilla Firefox 69.0.3
* Fixed Yahoo mail users being prompted to download files when clicking on emails (bmo#1582848)- devel package build can easily be disabled now
* Thu Oct 03 2019 Wolfgang Rosenauer - Mozilla Firefox 69.0.2
* Fixed a crash when editing files on Office 365 websites (bmo#1579858)
* Fixed a Linux-only crash when changing the playback speed while watching YouTube videos (bmo#1582222)- updated supported locale list- Allow to build without profile guided optimizations (boo#1040589) (contributed by Bernhard Wiedemann)- Make build verbose (contributed by Martin Liška)- remove obsolete kde.js setting (boo#1151186) and related patch firefox-add-kde.js-in-order-to-survive-PGO-build.patch- update create-tar.sh to latest revision and adjusted tar_stamps- add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO)- extension preferences moved from branding package to core package (packaging but not branding specific)
* Thu Sep 19 2019 Wolfgang Rosenauer - Mozilla Firefox 69.0.1
* Fixed external programs launching in the background when clicking a link from inside Firefox to launch them (bmo#1570845)
* Usability improvements to the Add-ons Manager for users with screen readers (bmo#1567600)
* Fixed the Captive Portal notification bar not being dismissable in some situations after login is complete (bmo#1578633)
* Fixed the maximum size of fonts in Reader Mode when zoomed (bmo#1578454)
* Fixed missing stacks in the Developer Tools Performance section (bmo#1578354) MFSA 2019-31
* CVE-2019-11754 (bmo#1580506) Pointer Lock is enabled with no user notification- disable DOH by default
* Thu Sep 05 2019 Wolfgang Rosenauer - Mozilla Firefox 69.0
* Enhanced Tracking Protection (ETP) for stronger privacy protections
* Block Autoplay feature is enhanced to give users the option to block any video
* Users in the US or using the en-US browser, can get a new “New Tab” page experience connecting to the best of Pocket\'s content.
* Support for the Web Authentication HmacSecret extension via Windows Hello introduced.
* Support for receiving multiple video codecs with this release makes it easier for WebRTC conferencing services to mix video from different clients. MFSA 2019-25 (boo#1149324)
* CVE-2019-11741 (bmo#1539595) Isolate addons.mozilla.org and accounts.firefox.com
* CVE-2019-5849 (bmo#1555838) Out-of-bounds read in Skia
* CVE-2019-11737 (bmo#1388015) Content security policy directives ignore port and path if host is a wildcard
* CVE-2019-11734 (bmo#1352875,bmo#1536227,bmo#1557208,bmo#1560641) Memory safety bugs fixed in Firefox 69
* CVE-2019-11735 (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912, bmo#1565744,bmo#1568858,bmo#1570358) Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
* CVE-2019-11740 (bmo#1563133,bmo#1573160) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9- requires
* rust/cargo >= 1.35
* rust-cbindgen >= 0.9.0
* mozilla-nss >= 3.45- rebased patches
* Wed Sep 04 2019 Wolfgang Rosenauer - added a bunch of patches mainly for big endian platforms
* mozilla-bmo1504834-part1.patch
* mozilla-bmo1504834-part2.patch
* mozilla-bmo1504834-part3.patch
* mozilla-bmo1511604.patch
* mozilla-bmo1554971.patch
* mozilla-bmo1573381.patch
* mozilla-nestegg-big-endian.patch
* mozilla-bmo1512162.patch
* Fri Aug 30 2019 Wolfgang Rosenauer - Mozilla Firefox 68.1.0 MFSA 2019-26
* CVE-2019-11751 (bmo#1572838; Windows only) Malicious code execution through command line parameters
* CVE-2019-11746 (bmo#1564449) Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033) XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715) Same-origin policy violation with SVG filters and canvas to steal cross-origin images
* CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only)) File manipulation and privilege escalation in Mozilla Maintenance Service
* CVE-2019-11753 (bmo#1574980; Windows only) Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
* CVE-2019-11752 (bmo#1501152) Use-after-free while extracting a key value in IndexedDB
* CVE-2019-9812 (bmo#1538008, bmo#1538015) Sandbox escape through Firefox Sync
* CVE-2019-11743 (bmo#1560495) Cross-origin access to unload event attributes
* CVE-2019-11748 (bmo#1564588) Persistence of WebRTC permissions in a third party context
* CVE-2019-11749 (bmo#1565374) Camera information available without prompting using getUserMedia
* CVE-2019-11750 (bmo#1568397) Type confusion in Spidermonkey
* CVE-2019-11738 (bmo#1452037) Content security policy bypass through hash-based sources in directives
* CVE-2019-11747 (bmo#1564481) \'Forget about this site\' removes sites from pre-loaded HSTS list
* CVE-2019-11735i (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912, bmo#1565744,bmo#1568858,bmo#1570358) Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
* CVE-2019-11740 (bmo#1563133,bmo#1573160) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9- switched package to ESR branch- added mozilla-bmo1568145.patch to make builds reproducible- removed upstreamed patch mozilla-gcc-internal-compiler-error.patch
* Sun Aug 18 2019 Andreas Stieger - Mozilla Firefox 68.0.2:
* Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar (bmo#1560228)
* Allow fonts to be loaded via file:// URLs when opening a page locally (bmo#1565942)
* Printing emails from the Outlook web app no longer prints only the header and footer (bmo#1567105)
* Fixed a bug causing some images not to be displayed on reload, including on Google Maps (bmo# 1565542)
* Fixed an error when starting external applications configured as URI handlers (bmo#1567614) MFSA 2019-24 (boo#1145665)
* CVE-2019-11733: Stored passwords in \'Saved Logins\' can be copied without master password entry (bmo#1565780)- drop fix-build-after-y2038-changes-in-glibc.patch, upstream
* Fri Aug 16 2019 Jonathan Brielmaier - Fix crash when typing in the URL bar on ppc64le (bmo#1512162). The upstream patch doesn\'t resolve the issue on TW, but compiling with -O1 does. Do this until we have a proper fix.
* Thu Aug 01 2019 Guillaume GARDET - Update build constraints to fix arm builds
* Fri Jul 19 2019 Wolfgang Rosenauer - Mozilla Firefox 68.0.1
* Fixed missing Full Screen button when watching videos in full screen mode on HBO GO (bmo#1562837)
* Fixed a bug causing incorrect messages to appear for some locales when sites try to request the use of the Storage Access API (bmo#1558503)
* Users in Russian regions may have their default search engine changed (bmo#1565315)
* Built-in search engines in some locales do not function correctly (bmo#1565779)
* SupportMenu policy doesn\'t always work (bmo#1553290)
* Allow the privacy.file_unique_origin pref to be controlled by policy (bmo#1563759)
* Thu Jul 11 2019 Jiri Slaby - add fix-build-after-y2038-changes-in-glibc.patch
* Wed Jul 10 2019 Bernhard Wiedemann - Generate langpacks sequentially to avoid file corruption from racy file writes (boo#1137970)
* Mon Jul 08 2019 Wolfgang Rosenauer - Mozilla Firefox 68.0
* Dark mode in reader view
* Improved extension security and discovery
* Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences
* Camera and microphone access now require an HTTPS connection MFSA 2019-21 (bsc#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327) Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541) Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804) Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
* CVE-2019-11713 (bmo#1528481) Use-after-free with HTTP/2 cached stream
* CVE-2019-11714 (bmo#1542593) NeckoChild can trigger crash when accessed off of main thread
* CVE-2019-11729 (bmo#1515342) Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523) HTML parsing error can contribute to content XSS
* CVE-2019-11716 (bmo#1552632) globalThis not enumerable until accessed
* CVE-2019-11717 (bmo#1548306) Caret character improperly escaped in origins
* CVE-2019-11718 (bmo#1408349) Activity Stream writes unsanitized content to innerHTML
* CVE-2019-11719 (bmo#1540541) Out-of-bounds read when importing curve25519 private key
* CVE-2019-11720 (bmo#1556230) Character encoding XSS vulnerability
* CVE-2019-11721 (bmo#1256009) Domain spoofing through unicode latin \'kra\' character
* CVE-2019-11730 (bmo#1558299) Same-origin policy treats all files in a directory as having the same-origin
* CVE-2019-11723 (bmo#1528335) Cookie leakage during add-on fetching across private browsing boundaries
* CVE-2019-11724 (bmo#1512511) Retired site input.mozilla.org has remote troubleshooting permissions
* CVE-2019-11725 (bmo#1483510) Websocket resources bypass safebrowsing protections
* CVE-2019-11727 (bmo#1552208) PKCS#1 v1.5 signatures can be used for TLS 1.3
* CVE-2019-11728 (bmo#1552993) Port scanning through Alt-Svc header
* CVE-2019-11710 (bmo#1549768, bmo#1548611, bmo#1533842, bmo#1537692, bmo#1540590, bmo#1551907, bmo#1510345, bmo#1535482, bmo#1535848, bmo#1547472, bmo#1547760, bmo#1507696, bmo#1544180) Memory safety bugs fixed in Firefox 68
* CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498 bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522) Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8- requires
* NSS 3.44.1
* rust/cargo 1.34
* rust-cbindgen 0.8.7- rebased patches
* mozilla-aarch64-startup-crash.patch
* mozilla-kde.patch
* mozilla-nongnome-proxies.patch
* firefox-kde.patch- use new create-tar.sh and add tar_stamps for package definitions- added patches imported from SLE flavour
* mozilla-gcc-internal-compiler-error.patch
* mozilla-bmo1005535.patch
* mozilla-ppc-altivec_static_inline.patch
* mozilla-reduce-rust-debuginfo.patch
* mozilla-s390-bigendian.patch
* mozilla-s390-context.patch
* Tue Jul 02 2019 Martin Liška - Enable PGO for x86_64.
* added firefox-add-kde.js-in-order-to-survive-PGO-build.patch
* Thu Jun 20 2019 Wolfgang Rosenauer - Mozilla Firefox 67.0.4 MFSA 2019-19 (boo#1138872)
* CVE-2019-11708 (bmo#1559858) sandbox escape using Prompt:Open
* Tue Jun 18 2019 Wolfgang Rosenauer - Mozilla Firefox 67.0.3 MFSA 2019-18 (boo#1138614)
* CVE-2019-11707 (bmo#1544386) Type confusion in Array.pop
* Wed Jun 12 2019 Manfred Hollstein - Mozilla Firefox 67.0.2
* Fixed: Fix JavaScript error (\"TypeError: data is null in PrivacyFilter.jsm\") in console which may significantly degrade sessionstore reliability and performance (bmo#1553413)
* Fixed: Proxy authentication dialog box repeatedly pops up asking to authenticate after upgrading to Firefox 67 (bmo#1548804)
* Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome\'s implementation (bmo#1551282)
* Fixed: Starting in safe mode on Linux or macOS causes Firefox to think on the subsequent launch that the profile is too recent to be used with this version of Firefox (bmo#1556612)
* Fixed: Linux distribution users can\'t easily install/use additional/different languages using the built-in preferences UI (bmo#1554744)
* Fixed: Developer tools users can\'t copy the href/src content from various HTML tags via the context menu in the Inspector markup view (bmo#1552275)
* Fixed: Custom home page is broken with clearing data on shutdown settings applied (bmo#1554167)
* Fixed: Performance-regression for eclipse RAP based applications (bmo#1555962)
* Fixed: macOS 10.15 crash fix (bmo#1556076)
* Fixed: Can\'t start two downloads in parallel via anymore (bmo#1542912)
* Thu Jun 06 2019 Manfred Hollstein - Mozilla Firefox 67.0.1
* enable enhanced tracking protection by default for new users
* upgrade of Facebook container to version 2.0
* new version of Firefox Lockwise (password management)
* new version of Firefox Monitor
* Firefox Send improvements
* Sun May 19 2019 Wolfgang Rosenauer - Mozilla Firefox 67.0
* Firefox 67 will be able to run different Firefox installs side by side https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/
* Tabs can now be pinned from the Page Actions menu in the address bar
* Users can block known cryptominers and fingerprinters in the Custom settings or their Content Blocking preferences
* The Import Data from Another Browser feature is now also available from the File menu
* Firefox will now protect you against running older versions which can lead to data corruption and stability issues
* Easier access to your list of saved logins from the main menu and login autocomplete
* We’ve added a toolbar menu for your Firefox Account to provide more transparency for when you are synced, sharing data across devices and with Firefox. Personalize the appearance of the menu with your own avatar
* Enable FIDO U2F API, and permit registrations for Google Accounts
* Enabled AV1 support on Linux MFSA 2019-13 (boo#1135824)
* CVE-2019-9815 (bmo#1546544) Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768) Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221) Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only) Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553) Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405) Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-9821 (bmo#1539125) Use-after-free in AssertWorkerThread
* CVE-2019-11691 (bmo#1542465) Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670) Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525) Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829) Use-after-free in png_image_free of libpng library
* CVE-2019-11694 (bmo#1534196) (Windows only) Uninitialized memory memory leakage in Windows sandbox
* CVE-2019-11695 (bmo#1445844) Custom cursor can render over user interface outside of web content
* CVE-2019-11696 (bmo#1392955) Java web start .JNLP files are not recognized as executable files for download prompts
* CVE-2019-11697 (bmo#1440079) Pressing key combinations can bypass installation prompt delays and install extensions
* CVE-2019-11698 (bmo#1543191) Theft of user history data through drag and drop of hyperlinks to and from bookmarks
* CVE-2019-11700 (bmo#1549833) (Windows only) res: protocol can be used to open known local files
* CVE-2019-11699 (bmo#1528939) Incorrect domain name highlighting during page navigation
* CVE-2019-11701 (bmo#1518627) webcal: protocol default handler loads vulnerable web page
* CVE-2019-9814 (bmo#1527592, bmo#1534536, bmo#1520132, bmo#1543159, bmo#1539393, bmo#1459932, bmo#1459182, bmo#1516425) Memory safety bugs fixed in Firefox 67
* CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136, bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108, bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097, bmo#1532465, bmo#1533554, bmo#1541580) Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7- requires
* rust/cargo >= 1.32
* mozilla-nspr >= 4.21
* mozilla-nss >= 3.43
* rust-cbindgen >= 0.8.2- rebased patches- KDE integration for default browser detection is broken in this revision
* Fri May 17 2019 Guillaume GARDET - Fix armv7 build with:
* mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
* Fri May 10 2019 Manfred Hollstein - Mozilla Firefox 66.0.5
* Fixed: Further improvements to re-enable web extensions which had been disabled for users with a master password set (bmo#1549249)
* Sun May 05 2019 Wolfgang Rosenauer - Mozilla Firefox 66.0.4 (boo#1134126)
* fix extension certificate chain https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
* Thu Apr 11 2019 Manfred Hollstein - Mozilla Firefox 66.0.3
* Fixed: Address bar on tablets running Windows 10 now behaves correctly (bmo#1498973)
* Fixed: Performance issues with some HTML5 games (bmo#1537609)
* Fixed a bug with keypress events in IBM cloud applications (bmo#1538970)
* Fix for keypress events in some Microsoft cloud applications (bmo#1539618)
* Changed: Updated Baidu search plugin
* Thu Mar 28 2019 Manfred Hollstein - Mozilla Firefox 66.0.2
* Fixed Web compatibility issues with Office 365, iCloud and IBM WebMail caused by recent changes to the handling of keyboard events (bmo#1538966)
* Crash fixes (bmo#1521370, bmo#1539118)
* Thu Mar 28 2019 Guillaume GARDET - Add patch to fix aarch64 build:
* mozilla-fix-aarch64-libopus.patch (bmo#1539737)
* Fri Mar 22 2019 Wolfgang Rosenauer - Mozilla Firefox 66.0.1 MFSA 2019-09 (bsc#1130262)
* CVE-2019-9810 (bmo#1537924) IonMonkey MArraySlice has incorrect alias information
* CVE-2019-9813 (bmo#1538006) Ionmonkey type confusion with __proto__ mutations
* Sun Mar 17 2019 Wolfgang Rosenauer - Mozilla Firefox 66.0
* Increased content processes to 8
* Added capability to search through open tabs from the tab overflow menu
* New backend for the storage.local WebExtensions API, providing I/O performance improvements when the extension updates a small subset of the stored data
* WebExtension keyboard shortcuts can now be managed or overridden from about:addons
* Improved scrolling behavior: Firefox will now attempt to keep content from jumping around while a page is loading by supporting scroll anchoring
* New about:privatebrowsing with search
* A certificate error page now notifies the user of the name of the certificate issuer that breaks HTTPs connections on intercepted connections to help troubleshooting possible anti-virus software issues.
* Fixed an performance issue some Linux users experienced with the Downloads panel (bmo#1517101)
* Firefox now blocks all autoplay media with sound by default. Users can add individual sites to an exceptions list or turn the blocking off.
* System title bar is hidden by default to match Gnome guideline MFSA 2019-07 (bsc#1129821)
* CVE-2019-9790 (bmo#1525145) Use-after-free when removing in-use DOM elements
* CVE-2019-9791 (bmo#1530958) Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey
* CVE-2019-9792 (bmo#1532599) IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
* CVE-2019-9793 (bmo#1528829) Improper bounds checks when Spectre mitigations are disabled
* CVE-2019-9794 (bmo#1530103) (Windows only) Command line arguments not discarded during execution
* CVE-2019-9795 (bmo#1514682) Type-confusion in IonMonkey JIT compiler
* CVE-2019-9796 (bmo#1531277) Use-after-free with SMIL animation controller
* CVE-2019-9797 (bmo#1528909) Cross-origin theft of images with createImageBitmap
* CVE-2019-9798 (bmo#1527534) (Android only) Library is loaded from world writable APITRACE_LIB location
* CVE-2019-9799 (bmo#1505678) Information disclosure via IPC channel messages
* CVE-2019-9801 (bmo#1527717) (Windows only) Windows programs that are not \'URL Handlers\' are exposed to web content
* CVE-2019-9802 (bmo#1415508) Chrome process information leak
* CVE-2019-9803 (bmo#1515863, bmo#1437009) Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation
* CVE-2019-9804 (bmo#1518026) (MacOS only) Code execution through \'Copy as cURL\' in Firefox Developer Tools on macOS
* CVE-2019-9805 (bmo#1521360) Potential use of uninitialized memory in Prio
* CVE-2019-9806 (bmo#1525267) Denial of service through successive FTP authorization prompts
* CVE-2019-9807 (bmo#1362050) Text sent through FTP connection can be incorporated into alert messages
* CVE-2019-9809 (bmo#1282430, bmo#1523249) Denial of service through FTP modal alert error messages
* CVE-2019-9808 (bmo#1434634) WebRTC permissions can display incorrect origin with data: and blob: URLs
* CVE-2019-9789 bmo#1520483, bmo#1522987, bmo#1528199, bmo#1519337, bmo#1525549, bmo#1516179, bmo#1518524, bmo#1518331, bmo#1526579, bmo#1512567, bmo#1524335, bmo#1448505, bmo#1518821 Memory safety bugs fixed in Firefox 66
* CVE-2019-9788 bmo#1518001, bmo#1521304, bmo#1521214, bmo#1506665, bmo#1516834, bmo#1518774, bmo#1524755, bmo#1523362, bmo#1524214, bmo#1529203 Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6- updated build/runtime requirements
* mozilla-nss >= 3.42.1
* cargo/rust >= 1.31
* rust-cbindgen >= 0.6.8
* nasm >= 2.13 (new)- removed obsolete patch
* mozilla-bmo256180.patch
* Tue Mar 05 2019 Stephan Kulow - Do not hardcode nodejs8 but leave the prefer to the distribution (Tumbleweed staging wants to switch to nodejs10)
* Fri Feb 15 2019 Guillaume GARDET - Update _constraints to avoid \'no space left\' error seen on aarch64
* Wed Feb 13 2019 Wolfgang Rosenauer - Mozilla Firefox 65.0.1
* Fixed accidental requests to addons.mozilla.org when an addon recommendation doorhanger is shown (bmo#1526387)
* Improved playback of interactive Netflix videos (bmo#1524500)
* Fixed incorrect sizing of the \"Clear Recent History\" window in some situations (bmo#1523696)
* Fixed audio & video delays while making WebRTC calls (bmo#1521577, bmo#1523817)
* Fixed video sizing problems during some WebRTC calls (bmo#1520200)
* Fixed looping CONNECT requests when using WebSockets over HTTP/2 from behind a proxy server (bmo#1523427)
* Fixed the \"Enter\" key not working on password entry fields for certain Linux distributions (bmo#1523635) MFSA 2019-04 (bsc#1125330)
* CVE-2018-18356 bmo#1525817 Use-after-free in Skia
* CVE-2019-5785 bmo#1525433 Integer overflow in Skia
* CVE-2018-18511 bmo#1526218 Cross-origin theft of images with ImageBitmapRenderingContext
* Wed Feb 13 2019 Martin Liška - Enable LTO only for latest new toolchain (boo#1125038) for x86_64 (with increased memory constraints)
* Sat Jan 26 2019 Wolfgang Rosenauer - Mozilla Firefox 65.0
* Enhanced tracking protection
* allow switching of UI locales within preferences
* support for the WebP image format
* \"top\"-like about:performance MFSA 2019-01 (bsc#1122983)
* CVE-2018-18500 bmo#1510114 Use-after-free parsing HTML5 stream
* CVE-2018-18503 bmo#1509442 Memory corruption with Audio Buffer
* CVE-2018-18504 bmo#1496413 Memory corruption and out-of-bounds read of texture client
* CVE-2018-18505 bmo#1497749 Privilege escalation through IPC channel messages
* CVE-2018-18506 bmo#1503393 Proxy Auto-Configuration file can define localhost access to be proxied
* CVE-2018-18502 bmo#1499426 bmo#1480090 bmo#1472990 bmo#1514762 bmo#1501482 bmo#1505887 bmo#1508102 bmo#1508618 bmo#1511580 bmo#1493497 bmo#1510145 bmo#1516289 bmo#1506798 bmo#1512758 Memory safety bugs fixed in Firefox 65
* CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619 bmo#1502871 bmo#1516738 bmo#1516514 Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5- requires NSS 3.41 rust/carge 1.30 rust-cbindgen 0.6.7- rebased patches- remove workaround for build memory consumption on i586; other mitigations meanwhile introduced (mainly parallelity) will be sufficient mozilla-reduce-files-per-UnifiedBindings.patch
* Tue Jan 15 2019 Martin Liška - Increase disk constraint.
* Mon Jan 14 2019 Martin Liška - Remove -v from mach build in order to work-around bmo#1500436.
* Fri Jan 11 2019 Martin Liška - Set %clang_build to false on all architectures- Do not use -fno-delete-null-pointer-checks and -fno-strict-aliasing: it should not be needed anymore- Do not overwrite enable-optimize and when possible enable --enable-debug-symbols.- Add -v to mach in order to make build verbose.
* Wed Jan 09 2019 astiegerAATTsuse.com- Mozilla Firefox 64.0.2:
* Update the Japanese translation for missing strings (bmo#1513259)
* Properly restore column sizes in developer tools inspector (bmo#1503175)
* Fixed video stuttering on Youtube (bmo#1513511)
* Fix updates for some lightweight themes (bmo#1508777)
* Tue Dec 18 2018 Guillaume GARDET - Enable build_hardened for all architectures- Switch back aarch64 to clang as \'-fPIC\' fixes bmo#1513605- Remove obolete \'--enable-pie\' as -pie is always enabled for gcc and clang
* Wed Dec 12 2018 Guillaume GARDET - Switch aarch64 builds back to gcc, not clang (bmo#1513605)- Switch %arm builds back to gcc, not clang to avoid OOM- Fix build flags when clang is not used- Fix flags for clang ppc64 builds
* Tue Dec 11 2018 Wolfgang Rosenauer - update to Firefox 64.0
* Better recommendations: You may see suggestions in regular browsing mode for new and relevant Firefox features, services, and extensions based on how you use the web (for US users only)
* Enhanced tab management: You can now select multiple tabs from the tab bar and close, move, bookmark, or pin them quickly and easily
* Easier performance management: The new Task Manager page found at about:performance lets you see how much energy each open tab consumes and provides access to close tabs to conserve power
* Improved performance for Mac and Linux users, by enabling link time optimization (Clang LTO).
* Added option to remove add-ons using the context menu on their toolbar buttons
* RSS feed preview and live bookmarks are available only via add-ons
* TLS certificates issued by Symantec are no longer trusted by Firefox. Website operators are strongly encouraged to replace any remaining Symantec TLS certificates as soon as possible MFSA 2018-29 (bsc#1119105)
* CVE-2018-12407 bmo#1505973 Buffer overflow with ANGLE library when using VertexBuffer11 module
* CVE-2018-17466 bmo#1488295 Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
* CVE-2018-18492 bmo#1499861 Use-after-free with select element
* CVE-2018-18493 bmo#1504452 Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964 Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
* CVE-2018-18495 bmo#1427585 WebExtension content scripts can be loaded in about: pages
* CVE-2018-18496 bmo#1422231 (Windows only) Embedded feed preview page can be abused for clickjacking
* CVE-2018-18497 bmo#1488180 WebExtensions can load arbitrary URLs through pipe separators
* CVE-2018-18498 bmo#1500011 Integer overflow when calculating buffer sizes for images
* CVE-2018-12406 bmo#1456947 bmo#1475669 bmo#1504816 bmo#1502886 bmo#1500064 bmo#1500310 bmo#1500696 bmo#1498765 bmo#1499198 bmo#1434490 bmo#1481745 bmo#1458129 Memory safety bugs fixed in Firefox 64
* CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759 bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471 Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4- requires
* rust/cargo >= 1.29
* mozilla-nss >= 3.40.1
* rust-cbindgen >= 0.6.4- rebased patches- removed obsolete patch
* mozilla-bmo1491289.patch- now uses clang primarily for compilation
* Wed Nov 28 2018 Guillaume GARDET - Remove --disable-elf-hack when not available: on aarch64 and ppc64
*
* Mon Nov 26 2018 Guillaume GARDET - Clean-up %arm build
* Sun Nov 18 2018 manfred.hAATTgmx.net- update to Firefox 63.0.3
* Games using WebGL (created in Unity) get stuck after very short time of gameplay (bmo#1502748)
* Slow page loading for some users with specific proxy configurations (bmo#1495024)
* Disable HTTP response throttling by default for causing bugs with videos in background tabs (bmo#1503354)
* Opening magnet links no longer works (bmo#1498934)
* Crash fixes (bmo#1498510, bmo#1503424)- removed mozilla-newer-cbindgen.patch; no longer needed
* Thu Nov 08 2018 wrAATTrosenauer.org- update to Firefox 63.0.1
* Snippets are not loaded due to missing element (bmo#1503047)
* Print preview always shows 30& scale when it is actually Shrink To Fit (bmo#1501952)
* Dialog displayed when closing multiple windows shows unreplaced %1$S placeholder in Japanese and potentially other locales (bmo#1500823)
* Mon Oct 29 2018 wrAATTrosenauer.org- update to Firefox 63.0
* WebExtensions now run in their own process on Linux
* The Ctrl+Tab shortcut now displays thumbnail previews of your tabs and cycles through tabs in recently used order. This new default behavior is activated only in new profiles and can be changed in preferences.
* Added support for Web Components custom elements and shadow DOM MFSA 2018-26 (bsc#1112852)
* CVE-2018-12391 (bmo#1478843) (Android-only) HTTP Live Stream audio data is accessible cross-origin
* CVE-2018-12392 (bmo#1492823) Crash with nested event loops
* CVE-2018-12393 (bmo#1495011) (only affects non-64-bit archs) Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12395 (bmo#1467523) WebExtension bypass of domain restrictions through header rewriting
* CVE-2018-12396 (bmo#1483602) WebExtension content scripts can execute in disallowed contexts
* CVE-2018-12397 (bmo#1487478) Missing warning prompt when WebExtension requests local file access
* CVE-2018-12398 (bmo#1460538, bmo#1488061) CSP bypass through stylesheet injection in resource URIs
* CVE-2018-12399 (bmo#1490276) Spoofing of protocol registration notification bar
* CVE-2018-12400 (bmo#1448305) (Android only) Favicons are cached in private browsing mode on Firefox for Android
* CVE-2018-12401 (bmo#1422456) DOS attack through special resource URI parsing
* CVE-2018-12402 (bmo#1469916) SameSite cookies leak when pages are explicitly saved
* CVE-2018-12403 (bmo#1484753) Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP
* CVE-2018-12388 (bmo#1472639, bmo#1485698, bmo#1301547, bmo#1471427, bmo#1379411, bmo#1482122, bmo#1486314, bmo#1487167) Memory safety bugs fixed in Firefox 63
* CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159, bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803, bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699, bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844) Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3- requires NSPR 4.20, NSS 3.39 and Rust 1.28- latest rust does not provide rust-std so stop requiring it- requires rust-cbindgen >= 0.6.2 to build- requires nodejs >= 8.11 to build- added mozilla-bmo1491289.patch to fix system NSS build (bmo#1491289)- added mozilla-cubeb-noreturn.patch to fix non-return function- added mozilla-newer-cbindgen.patch to fix build with cbindgen 0.6.7- disable elfhack for TW and newer due to build errors- removed obsolete patches
* mozilla-no-return.patch
* mozilla-no-stdcxx-check.patch
* Thu Oct 25 2018 guillaume.gardetAATTopensuse.org- Update _constraints for armv6/7
* Thu Oct 25 2018 guillaume.gardetAATTopensuse.org- Add patch to fix build on armv7:
* mozilla-bmo1463035.patch
* Tue Oct 02 2018 astiegerAATTsuse.com- Mozilla Firefox 62.0.3: MFSA 2018-24
* CVE-2018-12386 (bsc#1110506, bmo#1493900) Type confusion in JavaScript allowed remote code execution
* CVE-2018-12387 (bsc#1110507, bmo#1493903) Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process
* Sat Sep 22 2018 astiegerAATTsuse.com- Mozilla Firefox 62.0.2: MFSA 2018-22
* CVE-2018-12385 (boo#1109363, bmo#1490585) Crash in TransportSecurityInfo due to cached data
* Unvisited bookmarks can once again be autofilled in the address bar
* Fix WebGL rendering issues
* Fix fallback on startup when a language pack is missing
* Avoid crash when sharing a profile with newer (as yet unreleased) versions of Firefox
* Do not undo removal of search engines when using a language pack
* Fixed rendering of some web sites
* Restored compatibility with some sites using deprecated TLS settings- disable rust debug symbols to fix build on %ix86
* Mon Sep 03 2018 wrAATTrosenauer.org- update to Firefox 62.0
* Firefox Home (the default New Tab) now allows users to display up to 4 rows of top sites, Pocket stories, and highlights
* \"Reopen in Container\" tab menu option appears for users with Containers that lets them choose to reopen a tab in a different container
* In advance of removing all trust for Symantec-issued certificates in Firefox 63, a preference was added that allows users to distrust certificates issued by Symantec. To use this preference, go to about:config in the address bar and set the preference \"security.pki.distrust_ca_policy\" to 2.
* Support for CSS Shapes, allowing for richer web page layouts. This goes hand in hand with a brand new Shape Path Editor in the CSS inspector.
* CSS Variable Fonts (OpenType Font Variations) support, which makes it possible to create beautiful typography with a single font file
* Added Canadian English (en-CA) locale MFSA 2018-20 (bsc#1107343)
* CVE-2018-12377 (bmo#1470260) Use-after-free in refresh driver timers
* CVE-2018-12378 (bmo#1459383) Use-after-free in IndexedDB
* CVE-2018-12379 (bmo#1473113) (updater is disabled for us) Out-of-bounds write with malicious MAR file
* CVE-2017-16541 (bmo#1412081) Proxy bypass using automount and autofs
* CVE-2018-12381 (bmo#1435319) Dragging and dropping Outlook email message results in page navigation
* CVE-2018-12382 (bmo#1479311) (Android only) Addressbar spoofing with javascript URI on Firefox for Android
* CVE-2018-12383 (bmo#1475775) Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords
* CVE-2018-12375 Memory safety bugs fixed in Firefox 62
* CVE-2018-12376 Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2- requires NSS >= 3.38- removed obsolete patch mozilla-bmo1464766.patch
* Thu Aug 09 2018 wrAATTrosenauer.org- update to Firefox 61.0.2
* Improved website rendering with the Retained Display List feature enabled (bmo#1474402)
* Fixed broken DevTools panels with certain extensions installed (bmo#1474379)
* Fixed a crash for users with some accessibility tools enabled (bmo#1474007)
* Mon Jul 09 2018 astiegerAATTsuse.com- Mozilla Firefox 61.0.1:
* Fix missing content on the New Tab Page and the Home section of the Preferences page (bmo#1471375)
* Fixed loss of bookmarks under rare circumstances when upgrading from Firefox 60 (bmo#1472127)
* Improved playback of Twitch 1080p video streams (bmo#1469257)
* Web pages no longer lose focus when a browser popup window is opened (bmo#1471415)
* Re-allowed downloading files from FTP sites via the \"Save Link As\" option when linked from HTTP pages (bmo#1470295)
* Fixed extensions being unable to override the default homepage in certain situations (bmo#1466846)
* Sat Jun 23 2018 wrAATTrosenauer.org- update to Firefox 61.0
* Performance enhancements
* Various improvements for dark theme support will provide a more consistent experience across the entire Firefox UI
* OpenSearch plugins offered by web pages can now be added from the page action menu for easier installation
* Improved support for allowing WebExtensions to manage and hide tabs MFSA 2018-15 (bsc#1098998)
* CVE-2018-12359 (bmo#1459162) Buffer overflow using computed size of canvas element
* CVE-2018-12360 (bmo#1459693) Use-after-free when using focus()
* CVE-2018-12361 (bmo#1463244) Integer overflow in SwizzleData
* CVE-2018-12358 (bmo#1467852) Same-origin bypass using service worker and redirection
* CVE-2018-12362 (bmo#1452375) Integer overflow in SSSE3 scaler
* CVE-2018-5156 (bmo#1453127) Media recorder segmentation fault when track type is changed during capture
* CVE-2018-12363 (bmo#1464784) Use-after-free when appending DOM nodes
* CVE-2018-12364 (bmo#1436241) CSRF attacks through 307 redirects and NPAPI plugins
* CVE-2018-12365 (bmo#1459206) Compromised IPC child process can list local filenames
* CVE-2018-12371 (bmo#1465686) Integer overflow in Skia library during edge builder allocation
* CVE-2018-12366 (bmo#1464039) Invalid data handling during QCMS transformations
* CVE-2018-12367 (bmo#1462891) Timing attack mitigation of PerformanceNavigationTiming
* CVE-2018-12369 (bmo#1454909) WebExtension security permission checks bypassed by embedded experiments
* CVE-2018-12370 (bmo#1456652) SameSite cookie protections bypassed when exiting Reader View
* CVE-2018-5186 (bmo#1464872,bmo#1463329,bmo#1419373,bmo#1412882, bmo#1413033,bmo#1444673,bmo#1454448,bmo#1453505,bmo#1438671) Memory safety bugs fixed in Firefox 61
* CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938, bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568, bmo#1463884) Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
* CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739, bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576, bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829, bmo#1464079,bmo#1463494,bmo#1458048) Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9- requires NSS 3.37.3- requires python >= 3.5 to build- removed obsolete patches mozilla-i586-DecoderDoctorLogger.patch mozilla-i586-domPrefs.patch mozilla-fix-skia-aarch64.patch mozilla-bmo1375074.patch mozilla-enable-csd.patch- patch for new no-return warnings (mozilla-no-return.patch)- do not disable system installed locales (mozilla-bmo1464766.patch)
* Fri Jun 08 2018 bjorn.lieAATTgmail.com- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass conditional --disable-gconf to configure: no longer pull in obsolete gconf2 for Tumbleweed.
* Thu Jun 07 2018 wrAATTrosenauer.org- update to Firefox 60.0.2
* requires NSS 3.36.4 MFSA 2018-14 (bsc#1096449)
* CVE-2018-6126 (bmo#1462682) Heap buffer overflow rasterizing paths in SVG with Skia
* Wed Jun 06 2018 guillaume.gardetAATTopensuse.org- Add upstream patch to fix boo#1093059 instead of \'-ffixed-x28\' workaround:
* mozilla-bmo1375074.patch
* Sat May 26 2018 wrAATTrosenauer.org- fixed \"open with\" option under KDE (boo#1094747)- workaround crash on startup on aarch64 (boo#1093059) (contributed by guillaume.gardetAATTarm.com)
* Wed May 23 2018 guillaume.gardetAATTopensuse.org- Disable webrtc for aarch64 due to bmo#1434589- Add patch to fix skia build on AArch64:
* mozilla-fix-skia-aarch64.patch
* Thu May 17 2018 wrAATTrosenauer.org- update to Firefox 60.0.1
* Avoid overly long cycle collector pauses with some add-ons installed (bmo#1449033)
* After unckecking the \"Sponsored Stories\" option, the New Tab page now immediately stops displaying \"Sponsored content\" cards (bmo#1458906)
* On touchscreen devices, fixed momentum scrolling on non-zoomable pages (bmo#1457743)
* Use the right default background when opening tabs or windows in high contrast mode (bmo#1458956)
* Restored translations of the Preferences panels when using a language pack (bmo#1461590)
* Mon May 14 2018 pcernyAATTsuse.com- parellelise locales building
* Mon May 07 2018 wrAATTrosenauer.org- update to Firefox 60.0
* Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file
* Applied Quantum CSS to render browser UI
* Added support for Web Authentication, allowing the use of USB tokens for authentication to web sites
* Locale added: Occitan (oc) MFSA 2018-11 (bsc#1092548)
* CVE-2018-5154 (bmo#1443092) Use-after-free with SVG animations and clip paths
* CVE-2018-5155 (bmo#1448774) Use-after-free with SVG animations and text paths
* CVE-2018-5157 (bmo#1449898) Same-origin bypass of PDF Viewer to view protected PDF files
* CVE-2018-5158 (bmo#1452075) Malicious PDF can inject JavaScript into PDF Viewer
* CVE-2018-5159 (bmo#1441941) Integer overflow and out-of-bounds write in Skia
* CVE-2018-5160 (bmo#1436117) Uninitialized memory use by WebRTC encoder
* CVE-2018-5152 (bmo#1415644, bmo#1427289) WebExtensions information leak through webRequest API
* CVE-2018-5153 (bmo#1436809) Out-of-bounds read in mixed content websocket messages
* CVE-2018-5163 (bmo#1426353) Replacing cached data in JavaScript Start-up Bytecode Cache
* CVE-2018-5164 (bmo#1416045) CSP not applied to all multipart content sent with multipart/x-mixed-replace
* CVE-2018-5166 (bmo#1437325) WebExtension host permission bypass through filterReponseData
* CVE-2018-5167 (bmo#1447969) Improper linkification of chrome: and javascript: content in web console and JavaScript debugger
* CVE-2018-5168 (bmo#1449548) Lightweight themes can be installed without user interaction
* CVE-2018-5169 (bmo#1319157) Dragging and dropping link text onto home button can set home page to include chrome pages
* CVE-2018-5172 (bmo#1436482) Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer
* CVE-2018-5173 (bmo#1438025) File name spoofing of Downloads panel with Unicode characters
* CVE-2018-5174 (bmo#1447080) (Windows-only) Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update
* CVE-2018-5175 (bmo#1432358) Universal CSP bypass on sites using strict-dynamic in their policies
* CVE-2018-5176 (bmo#1442840) JSON Viewer script injection
* CVE-2018-5177 (bmo#1451908) Buffer overflow in XSLT during number formatting
* CVE-2018-5165 (bmo#1451452) Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox
* CVE-2018-5180 (bmo#1444086) heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
* CVE-2018-5181 (bmo#1424107) Local file can be displayed in noopener tab through drag and drop of hyperlink
* CVE-2018-5182 (bmo#1435908) Local file can be displayed from hyperlink dragged and dropped on addressbar
* CVE-2018-5151 Memory safety bugs fixed in Firefox 60
* CVE-2018-5150 Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8- removed obsolete patches 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch mozilla-bmo1005535.patch- requires NSPR 4.19 and NSS 3.36.1- requires rust 1.24 or higher- use upstream source archive and detached signature for source verification
* Thu May 03 2018 guillaume.gardetAATTopensuse.org- Fix armv7 build by:
* adding RUSTFLAGS=\"-Cdebuginfo=0\"
* updating _constraints for %arm
* Wed May 02 2018 wrAATTrosenauer.org- do not try CSD on kwin (boo#1091592)- fix build in openSUSE:Leap:42.3:Update, use gcc7
* Tue May 01 2018 astiegerAATTsuse.com- Mozilla Firefox 59.0.3:
* fixes for platforms other than GNU/Linux
* Fri Apr 20 2018 mliskaAATTsuse.cz- Add 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch in order to fix boo#1090362.
* Mon Apr 02 2018 badshah400AATTgmail.com- Add back mozilla-enable-csd.patch: New rebased version from Fedora for version 59.0.x.
* Tue Mar 27 2018 schwabAATTsuse.de- Reduce constraints on aarch64
* Tue Mar 27 2018 wrAATTrosenauer.org- update to Firefox 59.0.2
* Invalid page rendering with hardware acceleration enabled (bmo#1435472)
* Browser keyboard shortcuts (eg copy Ctrl+C) don\'t work on sites that use those keys with resistFingerprinting enabled (bmo#1433592)
* High CPU / memory churn caused by third-party software on some computers (bmo#1446280)
* Users who have configured an \"automatic proxy configuration URL\" and want to reload their proxy settings from the URL will find the Reload button disabled in the Connection Settings dialog when they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
* URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
* User\'s trying to cancel a print around the time it completes will continue to get intermittent crashes (bmo#1441598) MFSA 2018-10 (bsc#1087059)
* CVE-2018-5148 (bmo#1440717) Use-after-free in compositor- removed obsolete patch mozilla-bmo1446062.patch
* Wed Mar 21 2018 cgrobertsonAATTsuse.com- Added patches:
* mozilla-i586-DecoderDoctorLogger.patch - bmo#1447070 fixes non-unified build error
* mozilla-i586-domPrefs.patch - DOMPrefs.h fixes 32bit build error
* Fri Mar 16 2018 wrAATTrosenauer.org- update to Firefox 59.0.1 (bsc#1085671) MFSA 2018-08
* CVE-2018-5146 (bmo#1446062) Vorbis audio processing out of bounds write
* CVE-2018-5147 (bmo#1446365) Out of bounds memory write in libtremor (mozilla-bmo1446062.patch)
* Wed Mar 14 2018 cgrobertsonAATTsuse.com- Added patch:
* mozilla-bmo1005535.patch: Enable skia_gpu on big endian platforms.
* Sun Mar 11 2018 wrAATTrosenauer.org- update to Firefox 59.0
* Performance enhancements
* Drag-and-drop to rearrange Top Sites on the Firefox Home page
* added features for Firefox Screenshots
* Enhanced WebExtensions API
* Improved RTC capabilities MFSA 2018-06 (bsc#1085130)
* CVE-2018-5127 (bmo#1430557) Buffer overflow manipulating SVG animatedPathSegList
* CVE-2018-5128 (bmo#1431336) Use-after-free manipulating editor selection ranges
* CVE-2018-5129 (bmo#1428947) Out-of-bounds write with malformed IPC messages
* CVE-2018-5130 (bmo#1433005) Mismatched RTP payload type can trigger memory corruption
* CVE-2018-5131 (bmo#1440775) Fetch API improperly returns cached copies of no-store/no-cache resources
* CVE-2018-5132 (bmo#1408194) WebExtension Find API can search privileged pages
* CVE-2018-5133 (bmo#1430511, bmo#1430974) Value of the app.support.baseURL preference is not properly sanitized
* CVE-2018-5134 (bmo#1429379) WebExtensions may use view-source: URLs to bypass content restrictions
* CVE-2018-5135 (bmo#1431371) WebExtension browserAction can inject scripts into unintended contexts
* CVE-2018-5136 (bmo#1419166) Same-origin policy violation with data: URL shared workers
* CVE-2018-5137 (bmo#1432870) Script content can access legacy extension non-contentaccessible resources
* CVE-2018-5138 (bmo#1432624) (Android only) Android Custom Tab address spoofing through long domain names
* CVE-2018-5140 (bmo#1424261) Moz-icon images accessible to web content through moz-icon: protocol
* CVE-2018-5141 (bmo#1429093) DOS attack through notifications Push API
* CVE-2018-5142 (bmo#1366357) Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs
* CVE-2018-5143 (bmo#1422643) Self-XSS pasting javascript: URL with embedded tab into addressbar
* CVE-2018-5126 Memory safety bugs fixed in Firefox 59
* CVE-2018-5125 Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7- requires NSPR 4.18 and NSS 3.35- requires rust >= 1.22.1- removed obsolete patches: mozilla-alsa-sandbox.patch mozilla-enable-csd.patch firefox-no-default-ualocale.patch- removed l10n_changesets.txt since same information is now in Firefox source tree (updated create-tar.sh now requires jq)
* Fri Feb 09 2018 astiegerAATTsuse.com- Mozilla Firefox 58.0.2:
* Blocklisted graphics drivers related to off main thread painting crashes
* Fix tab crash during printing
* Fix clicking links and scrolling emails on Microsoft Hotmail and Outlook (OWA) webmail
* Fri Feb 09 2018 wrAATTrosenauer.org- correct requires and provides handling (boo#1076907)
* Tue Feb 06 2018 fstrbaAATTsuse.com- Added patch:
* mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still or again?) not working in Firefox 58 due to sandboxing.
* Mon Jan 29 2018 wrAATTrosenauer.org- update to Firefox 58.0.1 MFSA 2018-05
* Arbitrary code execution through unsanitized browser UI (bmo#1432966)- use correct language packs- readd mozilla-enable-csd.patch as it only lands for FF59 upstream- allow larger number of nested elements (mozilla-bmo256180.patch)
* Tue Jan 23 2018 wrAATTrosenauer.org- update to Firefox 58.0 (bsc#1077291)
* Added Nepali (ne-NP) locale
* Added support for form autofill for credit card
* Optimize page load by caching JavaScript internal representation MFSA 2018-02
* CVE-2018-5091 (bmo#1423086) Use-after-free with DTMF timers
* CVE-2018-5092 (bmo#1418074) Use-after-free in Web Workers
* CVE-2018-5093 (bmo#1415291) Buffer overflow in WebAssembly during Memory/Table resizing
* CVE-2018-5094 (bmo#1415883) Buffer overflow in WebAssembly with garbage collection on uninitialized memory
* CVE-2018-5095 (bmo#1418447) Integer overflow in Skia library during edge builder allocation
* CVE-2018-5097 (bmo#1387427) Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400) Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878) Use-after-free with widget listener
* CVE-2018-5100 (bmo#1417405) Use-after-free when IsPotentiallyScrollable arguments are freed from memory
* CVE-2018-5101 (bmo#1417661) Use-after-free with floating first-letter style elements
* CVE-2018-5102 (bmo#1419363) Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159) Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000) Use-after-free during font face manipulation
* CVE-2018-5105 (bmo#1390882) WebExtensions can save and execute files on local file system without user prompts
* CVE-2018-5106 (bmo#1408708) Developer Tools can expose style editor information cross-origin through service worker
* CVE-2018-5107 (bmo#1379276) Printing process will follow symlinks for local file access
* CVE-2018-5108 (bmo#1421099) Manually entered blob URL can be accessed by subsequent private browsing tabs
* CVE-2018-5109 (bmo#1405599) Audio capture prompts and starts with incorrect origin attribution
* CVE-2018-5110 (bmo#1423275) (affects only OS X) Cursor can be made invisible on OS X
* CVE-2018-5111 (bmo#1321619) URL spoofing in addressbar through drag and drop
* CVE-2018-5112 (bmo#1425224) Extension development tools panel can open a non-relative URL in the panel
* CVE-2018-5113 (bmo#1425267) WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow
* CVE-2018-5114 (bmo#1421324) The old value of a cookie changed to HttpOnly remains accessible to scripts
* CVE-2018-5115 (bmo#1409449) Background network requests can open HTTP authentication in unrelated foreground tabs
* CVE-2018-5116 (bmo#1396399) WebExtension ActiveTab permission allows cross-origin frame content access
* CVE-2018-5117 (bmo#1395508) URL spoofing with right-to-left text aligned left-to-right
* CVE-2018-5118 (bmo#1420049) Activity Stream images can attempt to load local content through file:
* CVE-2018-5119 (bmo#1420507) Reader view will load cross-origin content in violation of CORS headers
* CVE-2018-5121 (bmo#1402368) (affects only OS X) OS X Tibetan characters render incompletely in the addressbar
* CVE-2018-5122 (bmo#1413841) Potential integer overflow in DoCrypt
* CVE-2018-5090 Memory safety bugs fixed in Firefox 58
* CVE-2018-5089 Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6- requires NSS 3.34.1- requires rust 1.21- removed obsolete patches: mozilla-bindgen-systemlibs.patch mozilla-bmo1360278.patch mozilla-bmo1399611-csd.patch mozilla-rust-1.23.patch- rebased patches- updated man-page
* Tue Jan 09 2018 wrAATTrosenauer.org- fixed build with latest rust (mozilla-rust-1.23.patch)
* Thu Jan 04 2018 wrAATTrosenauer.org- update to Firefox 57.0.4 MFSA 2018-1: Speculative execution side-channel attack (\"Spectre\") (boo#1074723)
* Wed Jan 03 2018 wrAATTrosenauer.org- fixed regression introduced Oct 10th which made Firefox crash when cancelling the KDE file dialog (boo#1069962)
* Fri Dec 29 2017 astiegerAATTsuse.com- Mozilla Firefox 57.0.3:
* Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bmo#1427111, bsc#1074235)- Includes changes from 57.0.2:
* fixes for platforms other than GNU/Linux
* Fri Dec 08 2017 dimstarAATTopensuse.org- Explicitly buildrequires python2-xml: The build system relies on it. We wrongly relied on other packages pulling it in for us.
* Thu Dec 07 2017 dimstarAATTopensuse.org- Escape the usage of %{VERSION} when calling out to rpm. RPM 4.14 has %{VERSION} defined as \'the main packages version\'.
* Wed Nov 29 2017 wrAATTrosenauer.org- update to Firefox 57.0.1
* CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data (bsc#1072034, bmo#1410106)
* CVE-2017-7844: Visited history information leak through SVG image (bsc#1072036, bmo#1420001)
* Fix a video color distortion issue on YouTube and other video sites with some AMD devices (bmo#1417442)
* Fix an issue with prefs.js when the profile path has non-ascii characters (bmo#1420427)
* Tue Nov 21 2017 christopheAATTkrop.fr- Add mozilla-bmo1360278.patch Starting with Firefox 57, the context menu appears on key press. This patch creates a config entry to restore the old behaviour. Without the patch, the mouse gesture extensions require 2 clicks to work (bmo#1360278). The new config entry is named ui.context_menus.after_mouseup (default : false).
* Sat Nov 18 2017 wrAATTrosenauer.org- Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled widget.allow-client-side-decoration=true (mozilla-bmo1399611-csd.patch)
* Wed Nov 15 2017 wrAATTrosenauer.org- update to Firefox 57.0 (boo#1068101)
* Firefox Quantum
* Photon UI
* Unified address and search bar
* AMD VP9 hardware video decoder support
* Added support for Date/Time input
* stricter security sandbox blocking filesystem reading and writing on Linux systems
* middle mouse paste in the content area no longer navigates to URLs by default on Unix systems MFSA 2017-24
* CVE-2017-7828 (bmo#1406750. bmo#1412252) Use-after-free of PressShell while restyling layout
* CVE-2017-7830 (bmo#1408990) Cross-origin URL information leak through Resource Timing API
* CVE-2017-7831 (bmo#1392026) Information disclosure of exposed properties on JavaScript proxy objects
* CVE-2017-7832 (bmo#1408782) Domain spoofing through use of dotless \'i\' character followed by accent markers
* CVE-2017-7833 (bmo#1370497) Domain spoofing with Arabic and Indic vowel marker characters
* CVE-2017-7834 (bmo#1358009) data: URLs opened in new tabs bypass CSP protections
* CVE-2017-7835 (bmo#1402363) Mixed content blocking incorrectly applies with redirects
* CVE-2017-7836 (bmo#1401339) Pingsender dynamically loads libcurl on Linux and OS X
* CVE-2017-7837 (bmo#1325923) SVG loaded as can use meta tags to set cookies
* CVE-2017-7838 (bmo#1399540) Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN
* CVE-2017-7839 (bmo#1402896) Control characters before javascript: URLs defeats self-XSS prevention mechanism
* CVE-2017-7840 (bmo#1366420) Exported bookmarks do not strip script elements from user-supplied tags
* CVE-2017-7842 (bmo#1397064) Referrer Policy is not always respected for elements
* CVE-2017-7827 Memory safety bugs fixed in Firefox 57
* CVE-2017-7826 Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5- requires NSPR 4.17, NSS 3.33 and rustc 1.19- rebased patches- added mozilla-bindgen-systemlibs.patch to allow stylo build with system libs (bmo#1341234)- removed mozilla-language.patch since the whole locale code changed in Firefox and is relying on ICU now- removed obsolete mozilla-ucontext.patch
* Sat Oct 28 2017 wrAATTrosenauer.org- update to Firefox 56.0.2
* Disable Form Autofill completely on user request (bmo#1404531)
* Fix for video-related crashes on Windows 7 (bmo#1409141)
* Correct detection for 64-bit GSSAPI authentication (bmo#1409275)
* Fix for shutdown crash (bmo#1404105)
* Tue Oct 10 2017 wrAATTrosenauer.org- update to Firefox 56.0.1
* Block D3D11 when using Intel drivers on Windows 7 systems with partial AVX support (bmo#1403353) - > just to sync the version number- enable stylo for TW (requires LLVM >= 3.9)- queue KDE filepicker requests to avoid non-opening file dialogs happening in certain situations (contributed by Ignaz Forster)- the placeholder dot in KDE file dialog in case of empty filenames was removed, apparently not required (anymore) (contributed by Ignaz Forster)
* Sun Oct 01 2017 stefan.bruensAATTrwth-aachen.de- Correct plugin directory for aarch64 (boo#1061207). The wrapper script was not detecting aarch64 as a 64 bit architecture, thus used /usr/lib/browser-plugins/.
* Sat Sep 30 2017 zaitorAATTopensuse.org- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0), pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure looks for.
* Thu Sep 28 2017 wrAATTrosenauer.org- update to Firefox 56.0 (boo#1060445)
* Firefox Screenshots
* Find Options/Preferences more quickly with new search function
* Media is no longer auto-played when opened in a background tab
* Enable CSS Grid Layout View MFSA 2017-21
* CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API
* CVE-2017-7817 (bmo#1356596) (Android-only) Firefox for Android address bar spoofing through fullscreen mode
* CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array manipulation
* CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in design mode
* CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and validating elements with ANGLE
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free in TLS 1.2 generating handshake hashes
* CVE-2017-7812 (bmo#1379842) Drag and drop of malicious page content to the tab bar can open locally stored files
* CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and malware protection warnings
* CVE-2017-7813 (bmo#1383951) Integer truncation in the JavaScript parser
* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render some Tibetan and Arabic unicode characters as spaces
* CVE-2017-7815 (bmo#1368981) Spoofing attack with modal dialogs on non-e10s installations
* CVE-2017-7816 (bmo#1380597) WebExtensions can load about: URLs in extension UI
* CVE-2017-7821 (bmo#1346515) WebExtensions can download and open non-executable files without user interaction
* CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a unique origin
* CVE-2017-7822 (bmo#1368859) WebCrypto allows AES-GCM with 0-length IV
* CVE-2017-7820 (bmo#1378207) Xray wrapper bypass with new tab and web console
* CVE-2017-7811 Memory safety bugs fixed in Firefox 56
* CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4- requires NSPR 4.16 and NSS 3.32.1- rebased patches
* Thu Sep 28 2017 dimstarAATTopensuse.org- Add alsa-devel BuildRequires: we care for ALSA support to be built and thus need to ensure we get the dependencies in place. In the past, alsa-devel was pulled in by accident: we buildrequire libgnome-devel. This required esound-devel and that in turn pulled in alsa-devel for us. libgnome is being fixed to no longer require esound-devel.
* Mon Sep 04 2017 wrAATTrosenauer.org- update to Firefox 55.0.3
* Fix an issue with addons when using a path containing non-ascii characters (bmo#1389160)
* Fix file uploads to some websites, including YouTube (bmo#1383518)- fix Google API key build integration- add mozilla-ucontext.patch to fix Tumbleweed build- do not enable XINPUT2 for now (boo#1053959)
* Fri Aug 11 2017 wrAATTrosenauer.org- update to Firefox 55.0.1
* Fix a regression the tab restoration process (bmo#1388160)
* Fix a problem causing What\'s new pages not to be displayed (bmo#1386224)
* Fix a rendering issue with some PKCS#11 libraries (bmo#1388370)
* Disable the predictor prefetch (bmo#1388160)
* Sat Aug 05 2017 wrAATTrosenauer.org- update to Firefox 55.0 (boo#1052829)
* Browsing sessions with a high number of tabs are now restored in an instant
* Sidebar (bookmarks, history, synced tabs) can now be moved to the right edge of the window
* Fine-tune your browser performance from the Preferences/Options page.
* Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users.
* Added Belarusian (be) locale
* Simplify print jobs from within print preview
* Use virtual reality devices with the web with the introduction of WebVR
* Search suggestions are now enabled by default for users who haven\'t explicitly opted-out
* Search with any installed search engine directly from the location bar
* IMPORTANT: Breaking profile changes - do not downgrade Firefox and use a profile that has been opened with Firefox 55+.
* The Adobe Flash plugin is now click-to-activate by default and only allowed on http:// and https:// URL schemes. This change will be rolled out progressively and so will not be visible to all users immediately. For more information see the Firefox plugin roadmap
* Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.
* Insecure sites can no longer access the Geolocation APIs to get access to your physical location
* requires NSPR 4.15 and NSS 3.31 MFSA 2017-18
* CVE-2017-7798 (bmo#1371586, bmo#1372112) XUL injection in the style editor in devtools
* CVE-2017-7800 (bmo#1374047) Use-after-free in WebSockets during disconnection
* CVE-2017-7801 (bmo#1371259) Use-after-free with marquee during window resizing
* CVE-2017-7809 (bmo#1380284) Use-after-free while deleting attached editor DOM node
* CVE-2017-7784 (bmo#1376087) Use-after-free with image observers
* CVE-2017-7802 (bmo#1378147) Use-after-free resizing image elements
* CVE-2017-7785 (bmo#1356985) Buffer overflow manipulating ARIA attributes in DOM
* CVE-2017-7786 (bmo#1365189) Buffer overflow while painting non-displayable SVG
* CVE-2017-7806 (bmo#1378113) Use-after-free in layer manager with SVG
* CVE-2017-7753 (bmo#1353312) Out-of-bounds read with cached style data and pseudo-elements#
* CVE-2017-7787 (bmo#1322896) Same-origin policy bypass with iframes through page reloads
* CVE-2017-7807 (bmo#1376459) Domain hijacking through AppCache fallback
* CVE-2017-7792 (bmo#1368652) Buffer overflow viewing certificates with an extremely long OID
* CVE-2017-7804 (bmo#1372849) Memory protection bypass through WindowsDllDetourPatcher
* CVE-2017-7791 (bmo#1365875) Spoofing following page navigation with data: protocol and modal alerts
* CVE-2017-7808 (bmo#1367531) CSP information leak with frame-ancestors containing paths
* CVE-2017-7782 (bmo#1344034) WindowsDllDetourPatcher allocates memory without DEP protections
* CVE-2017-7781 (bmo#1352039) Elliptic curve point addition error when using mixed Jacobian-affine coordinates
* CVE-2017-7794 (bmo#1374281) Linux file truncation via sandbox broker
* CVE-2017-7803 (bmo#1377426) CSP containing \'sandbox\' improperly applied
* CVE-2017-7799 (bmo#1372509) Self-XSS XUL injection in about:webrtc
* CVE-2017-7783 (bmo#1360842) DOS attack through long username in URL
* CVE-2017-7788 (bmo#1073952) Sandboxed about:srcdoc iframes do not inherit CSP directives
* CVE-2017-7789 (bmo#1074642) Failure to enable HSTS when two STS headers are sent for a connection
* CVE-2017-7790 (bmo#1350460) (Windows-only) Windows crash reporter reads extra memory for some non-null-terminated registry values
* CVE-2017-7796 (bmo#1234401) (Windows-only) Windows updater can delete any file named update.log
* CVE-2017-7797 (bmo#1334776) Response header name interning leaks across origins
* CVE-2017-7780 Memory safety bugs fixed in Firefox 55
* CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3- updated mozilla-kde.patch:
* removed \"downloadfinished\" alert as Firefox reimplemented the whole thing (TODO: check if there is another function we should hook in)
* Tue Jul 04 2017 wrAATTrosenauer.org- update to Firefox 54.0.1
* Fix a display issue of tab title (bmo#1357656)
* Fix a display issue of opening new tab (bmo#1371995)
* Fix a display issue when opening multiple tabs (bmo#1371962)
* Fix a tab display issue when downloading files (bmo#1373109)
* Fix a PDF printing issue (bmo#1366744)
* Fix a Netflix issue on Linux (bmo#1375708)
* Thu Jun 15 2017 wrAATTrosenauer.org- update to Firefox 54.0
* Clearer and more detailed information for download items in the download panel
* Added Burmese (my) locale
* Bookmarks created on mobile devices are now shown in \"Mobile Bookmarks” folder in the drop down list from the toolbar and Bookmarks option in the menu bar in Desktop Firefox
* added support for multiple content processes (e10s-multi)- requires NSPR 4.14 and NSS 3.30.2- requires rust 1.15.1- removed mozilla-shared-nss-db.patch as it seems to be a rather unused feature
* Thu Jun 01 2017 kah0922AATTgmail.com- remove -fno-inline-small-functions and explicitely optimize with - O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
* Wed Apr 26 2017 wrAATTrosenauer.org- switch to Mozilla\'s geolocation service (boo#1026989)- removed mozilla-preferences.patch obsoleted by overriding via firefox.js- fixed KDE integration to avoid crash caused by filepicker (boo#1015998)
* Mon Apr 17 2017 wrAATTrosenauer.org- update to Firefox 53.0
* requires NSS 3.29.5
* Lightweight themes are now applied in private browsing windows
* Reader Mode now displays estimated reading time for the page
* Two new \'compact\' themes available in Firefox, dark and light, based on the Firefox Developer Edition theme
* Ended Firefox Linux support for processors older than Pentium 4 and AMD Opteron
* Refresh of the media controls user interface
* Shortened titles on tabs are faded out instead of using ellipsis for improved readability
* Media playback on new tabs is blocked until the tab is visible
* Permission notifications have a cleaner design and cannot be easily missed MFSA 2017-10
* CVE-2017-5456 (bmo#1344415) Sandbox escape allowing local file system access
* CVE-2017-5442 (bmo#1347979) Use-after-free during style changes
* CVE-2017-5443 (bmo#1342661) Out-of-bounds write during BinHex decoding
* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1
* CVE-2017-5464 (bmo#1347075) Memory corruption with accessibility and DOM manipulation
* CVE-2017-5465 (bmo#1347617) Out-of-bounds read in ConvolvePixel
* CVE-2017-5466 (bmo#1353975) Origin confusion when reloading isolated data:text/html URL
* CVE-2017-5467 (bmo#1347262) Memory corruption when drawing Skia content
* CVE-2017-5460 (bmo#1343642) Use-after-free in frame selection
* CVE-2017-5461 (bmo#1344380) Out-of-bounds write in Base64 encoding in NSS
* CVE-2017-5448 (bmo#1346648) Out-of-bounds write in ClearKeyDecryptor
* CVE-2017-5449 (bmo#1340127) Crash during bidirectional unicode manipulation with animation
* CVE-2017-5446 (bmo#1343505) Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
* CVE-2017-5447 (bmo#1343552) Out-of-bounds read during glyph processing
* CVE-2017-5444 (bmo#1344461) Buffer overflow while parsing application/http-index-format content
* CVE-2017-5445 (bmo#1344467) Uninitialized values used while parsing application/http-index-format content
* CVE-2017-5468 (bmo#1329521) Incorrect ownership model for Private Browsing information
* CVE-2017-5469 (bmo#1292534) Potential Buffer overflow in flex-generated code
* CVE-2017-5440 (bmo#1336832) Use-after-free in txExecutionState destructor during XSLT processing
* CVE-2017-5441 (bmo#1343795) Use-after-free with selection during scroll events
* CVE-2017-5439 (bmo#1336830) Use-after-free in nsTArray Length() during XSLT processing
* CVE-2017-5438 (bmo#1336828) Use-after-free in nsAutoPtr during XSLT processing
* CVE-2017-5437 (bmo#1343453) Vulnerabilities in Libevent library
* CVE-2017-5436 (bmo#1345461) Out-of-bounds write with malicious font in Graphite 2
* CVE-2017-5435 (bmo#1350683) Use-after-free during transaction processing in the editor
* CVE-2017-5434 (bmo#1349946) Use-after-free during focus handling
* CVE-2017-5433 (bmo#1347168) Use-after-free in SMIL animation functions
* CVE-2017-5432 (bmo#1346654) Use-after-free in text input selection
* CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476) Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
* CVE-2017-5459 (bmo#1333858) Buffer overflow in WebGL
* CVE-2017-5458 (bmo#1229426) Drag and drop of javascript: URLs can allow for self-XSS
* CVE-2017-5455 (bmo#1341191) Sandbox escape through internal feed reader APIs
* CVE-2017-5454 (bmo#1349276) Sandbox escape allowing file system read access through file picker
* CVE-2017-5451 (bmo#1273537) Addressbar spoofing with onblur event
* CVE-2017-5453 (bmo#1321247) HTML injection into RSS Reader feed preview page through TITLE element
* CVE-2017-5462 (bmo#1345089) DRBG flaw in NSS- removed browser(npapi) provides as these plugins are deprecated- switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for Leap 42- Gtk2 is not longer an option; switched to Gtk3- apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support (boo#1032003)
* Mon Apr 03 2017 wrAATTrosenauer.org- update to Firefox 52.0.2
* Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
* Fix loading tab icons on session restore (bmo#1338009)
* Fix a crash on startup on Linux (bmo#1345413)
* Fix new installs erroneously not prompting to change the default browser setting (bmo#1343938)
* Mon Mar 20 2017 wrAATTrosenauer.org- disable rust usage for everything but x86(-64)- explicitely add libffi build requirement
* Fri Mar 17 2017 wrAATTrosenauer.org- update to Firefox 52.0.1 (boo#1029822) MFSA 2017-08 CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
* Thu Mar 09 2017 wrAATTrosenauer.org- reenable ALSA support which was removed by default upstream
* Sat Mar 04 2017 wrAATTrosenauer.org- update to Firefox 52.0 (boo#1028391)
* requires NSS >= 3.28.3
* Pages containing insecure password fields now display a warning directly within username and password fields.
* Send and open a tab from one device to another with Sync
* Removed NPAPI support for plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.
* Removed Battery Status API to reduce fingerprinting of users by trackers
* MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622) CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687) CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711) CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504) CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370) CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719) CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar spoofing by draging and dropping URLs (bmo#791597) CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361) CVE-2017-5427: Non-existent chrome.manifest file loaded during startup (bmo#1295542) CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876) CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243) CVE-2017-5420: Javascript: URLs can obfuscate addressbar location (bmo#1284395) CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) CVE-2017-5421: Print preview spoofing (bmo#1301876) CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in Firefox 52 CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8- removed obsolete patches
* mozilla-binutils-visibility.patch
* mozilla-check_return.patch
* mozilla-disable-skia-be.patch
* mozilla-skia-overflow.patch
* mozilla-skia-ppc-endianess.patch- rebased patches- enable rust usage for Tumbleweed
* Fri Jan 27 2017 astiegerAATTsuse.com- Mozilla Firefox 51.0.1: - Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423)
* Fri Jan 20 2017 wrAATTrosenauer.org- update to Firefox 51.0
* requires NSPR >= 4.13.1, NSS >= 3.28.1
* Added support for FLAC (Free Lossless Audio Codec) playback
* Added support for WebGL 2
* Added Georgian (ka) and Kabyle (kab) locales
* Support saving passwords for forms without \'submit\' events
* Improved video performance for users without GPU acceleration
* Zoom indicator is shown in the URL bar if the zoom level is not at default level
* View passwords from the prompt before saving them
* Remove Belarusian (be) locale
* Use Skia for content rendering (Linux)
* MFSA 2017-01 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814) CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826) CVE-2017-5378: Pointer and frame data leakage of Javascript objects (bmo#1312001, bmo#1330769, boo#1021818) CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827) CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819) CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820) CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828) CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821) CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830) CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831) CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822) CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832) CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833) CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823) CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events (bmo#1222798) CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835) CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage (bmo#1293709) (Android only) CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837) CVE-2017-5395: Android location bar spoofing during scrolling (bmo#1293463) (Android only) CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839) CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840) CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841) CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (boo#1021824)- switch Firefox to Gtk3 for Tumbleweed- removed obsolete patches
* mozilla-flex_buffer_overrun.patch- updated RPM locale support tag- improve recognition of LANGUAGE env variable (boo#1017174)- add upstream patch to fix PPC64LE (bmo#1319389) (mozilla-skia-ppc-endianess.patch)- fix build without skia (big endian archs) (bmo#1319374) (mozilla-disable-skia-be.patch)
* Mon Dec 12 2016 wrAATTrosenauer.org- update to Firefox 50.1.0 (boo#1015422)
* MFSA 2016-94 CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628) CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements (bmo#1317409) CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) CVE-2016-9896: Use-after-free with WebVR (bmo#1315543) CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees (bmo#1314442) CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs (bmo#1319122) CVE-2016-9904: Cross-origin information leak in shared atoms (bmo#1317936) CVE-2016-9901: Data from Pocket server improperly sanitized before execution (bmo#1320057) CVE-2016-9902: Pocket extension does not validate the origin of events (bmo#1320039) CVE-2016-9903: XSS injection vulnerability in add-ons SDK (bmo#1315435) CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
* Fri Dec 09 2016 cgrobertsonAATTnovell.com- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
* Thu Dec 01 2016 wrAATTrosenauer.org- update to Firefox 50.0.2
* Firefox crashes with 3rd party Chinese IME when using IME text (50.0.1) security fixes (in 50.0.1): (boo#1012807)
* MFSA 2016-91 CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect (bmo#1317641) security fixes (in 50.0.2) (boo#1012964)
* MFSA 2016-92 CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
* Mon Nov 14 2016 wrAATTrosenauer.org- update to Firefox 50.0 (boo#1009026)
* requires NSS 3.26.2 new features
* Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R
* Added option to Find in page that allows users to limit search to whole words only
* Added download protection for a large number of executable file types on Windows, Mac and Linux
* Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
* Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
* Blocked versions of libavcodec older than 54.35.1
* additional locale security fixes:
* MFSA 2016-89 CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) CVE-2016-5292: URL parsing causes crash (bmo#1288482) CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink (Windows only) (bmo#1246945) CVE-2016-5294: Arbitrary target directory for result files of update process (Windows only) (bmo#1246972) CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678) CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen (Android only) (bmo#1306696) CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) CVE-2016-9072: 64-bit NPAPI sandbox isn\'t enabled on fresh profile (bmo#1300083) (Windows only) CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM (Windows only) (bmo#1247239) CVE-2016-5298: SSL indicator can mislead the user about the real URL visited (bmo#1227538) (Android only) CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (bmo#1245791) (Android only) CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (Android only) (bmo#1245795) CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file (Android only) (bmo#1294438) CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) CVE-2016-9073: windows.create schema doesn\'t specify \"format\": \"relativeUrl\" (bmo#1289273) CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) CVE-2016-5289: Memory safety bugs fixed in Firefox 50 CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5- make aarch64 build more similar to x86_64 build (remove conditionals that don\'t seem to be necessary anymore)
* Mon Oct 24 2016 astiegerAATTsuse.com- Mozilla Firefox 49.0.2:
* CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
* CVE-2016-5288: Web content can read cache entries (bsc#1006476)
* Asynchronous rendering of the Flash plugins is now enabled by default
* Change D3D9 default fallback preference to prevent graphical artifacts
* Network issue prevents some users from seeing the Firefox UI on startup
* Web compatibility issue with file uploads
* Web compatibility issue with Array.prototype.values
* Diagnostic information on timing for tab switching
* Fix a Canvas filters graphics issue affecting HTML5 apps
* Wed Oct 12 2016 badshah400AATTgmail.com- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0 and fixes have been incorporated by upstream.
* Fri Sep 23 2016 astiegerAATTsuse.com- Mozilla Firefox 49.0.1:
* Mitigate a startup crash issue caused by Websense - bmo#1304783
* Tue Sep 20 2016 wrAATTrosenauer.org- update to Firefox 49.0 (boo#999701) new features
* Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins.
* Added features to Reader Mode that make it easier on the eyes and the ears
* Improved video performance for users on systems that support SSE3 without hardware acceleration
* Added context menu controls to HTML5 audio and video that let users loops files or play files at 1.25x speed
* Improvements in about:memory reports for tracking font memory usage security related
* MFSA 2016-85 CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in PropertyProvider::GetSpacingInternal CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin CVE-2016-5273 (bmo#1280387) - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList CVE-2016-5274 (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame CVE-2016-5279 (bmo#1249522) - Full local path of files is available to web pages after drag and drop CVE-2016-5280 (bmo#1289970) - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength CVE-2016-5282 (bmo#932335) - Don\'t allow content to request favicons from non-whitelisted schemes CVE-2016-5283 (bmo#928187) -