Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
MozillaFirefox.20441
MozillaFirefox.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File MozillaFirefox.changes of Package MozillaFirefox.20441
------------------------------------------------------------------- Tue Jul 13 13:47:45 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.12.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-29 (bsc#1188275) * CVE-2021-29970 (bmo#1709976) Use-after-free in accessibility features of a document * CVE-2021-30547 (bmo#1715766) Out of bounds write in ANGLE * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, bmo#1711576, bmo#1714391) Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 ------------------------------------------------------------------- Tue Jun 1 12:56:04 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.11.0 ESR * Fixed: Various stability, functionality, and security fixes - Mozilla Firefox ESR 78.11 MFSA 2021-24 (bsc#1186696) * CVE-2021-29964 (bmo#1706501) Out of bounds-read when parsing a `WM_COPYDATA` message * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, bmo#1704722, bmo#1706041) Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 - Added the new Mozilla's GPG key, expiring on 2023-05-17 to the mozilla.keyring file ------------------------------------------------------------------- Wed May 5 07:27:47 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.10.1 ESR * Fixed: Resolved an issue caused by a recent Widevine plugin update which prevented some purchased video content from playing correctly (bmo#1705138) * Fixed: Security fix MFSA 2021-18 (bsc#1185633) * CVE-2021-29951 (bmo#1690062) Mozilla Maintenance Service could have been started or stopped by domain users ------------------------------------------------------------------- Mon Apr 19 13:16:14 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.10.0 ESR * Fixed: Various stability, functionality, and security fixes - Mozilla Firefox ESR 78.10 MFSA 2021-15 (bsc#1184960) * CVE-2021-23994 (bmo#1699077) Out of bound write due to lazy initialization * CVE-2021-23995 (bmo#1699835) Use-after-free in Responsive Design Mode * CVE-2021-23998 (bmo#1667456) Secure Lock icon could have been spoofed * CVE-2021-23961 (bmo#1677940) More internal network hosts could have been probed by a malicious webpage * CVE-2021-23999 (bmo#1691153) Blob URLs may have been granted additional privileges * CVE-2021-24002 (bmo#1702374) Arbitrary FTP command execution on FTP servers using an encoded URL * CVE-2021-29945 (bmo#1700690) Incorrect size computation in WebAssembly JIT could lead to null-reads * CVE-2021-29946 (bmo#1698503) Port blocking could be bypassed ------------------------------------------------------------------- Wed Mar 24 07:07:10 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.9.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-11 (bsc#1183942) * CVE-2021-23981 (bmo#1692832) Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982 (bmo#1677046) Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984 (bmo#1693664) Malicious extensions could have spoofed popup information * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718) Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 ------------------------------------------------------------------- Tue Feb 23 13:34:35 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.8.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-08 (bsc#1182614) * CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23973 (bmo#1690976) MediaError message property could have leaked information about cross-origin resources * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597, bmo#786797) Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 - Update create-tar.sh to use https instead of http (bsc#1182357) ------------------------------------------------------------------- Mon Feb 8 08:01:54 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.7.1 ESR * Fixed: Prevent access to NTFS special paths that could lead to filesystem corruption. (bmo#1689598) * Fixed: Security fix MFSA 2021-06 (bsc#1181848) * MOZ-2021-0001 (bmo#1676636) Buffer overflow in depth pitch calculations for compressed textures ------------------------------------------------------------------- Tue Jan 26 14:43:01 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.7.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-04 (bsc#1181414) * CVE-2021-23953 (bmo#1683940) Cross-origin information leakage via redirected PDF requests * CVE-2021-23954 (bmo#1684020) Type confusion when using logical assignment operators in JavaScript switch statements * CVE-2020-26976 (bmo#1674343) HTTPS pages could have been intercepted by a registered service worker when they should not have been * CVE-2021-23960 (bmo#1675755) Use-after-poison for incorrectly redeclared JavaScript variables during GC * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736, bmo#1685260, bmo#1685925) Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7 ------------------------------------------------------------------- Thu Jan 7 06:45:39 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.6.1 ESR * Fixed: Security fix * Fixed: Fixed a crash during video playback on Apple Silicon devices (bmo#1683579) MFSA 2021-01 (bsc#1180623) * CVE-2020-16044 (bmo#1683964) Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk ------------------------------------------------------------------- Tue Dec 15 13:41:58 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.6.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-55 (bsc#1180039) * CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed * CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL * CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization * CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free * CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage * CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs * CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead * CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6 ------------------------------------------------------------------- Tue Nov 17 14:10:17 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.5.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-51 (bsc#1178824) * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API) * CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions * CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService * CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of nsTArray * CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype * CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP Addresses * CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered typed passwords * CVE-2020-26966 (bmo#1663571) Single-word search queries were also broadcast to local network * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5 ------------------------------------------------------------------- Mon Nov 9 17:14:52 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Firefox Extended Support Release 78.4.1 ESR * Fixed: Security fix MFSA 2020-49 (bsc#1178588) * CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for ------------------------------------------------------------------- Tue Oct 20 15:45:22 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Firefox Extended Support Release 78.4.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872) * CVE-2020-15969 (bmo#1666570, bmo#https://github.com/sctplab/u srsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019) Use-after-free in usersctp * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760, bmo#1663439, bmo#1666140) Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4 ------------------------------------------------------------------- Thu Oct 1 17:37:54 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Firefox Extended Support Release 78.3.1 ESR (bsc#1176756) * Fixed: Fixed legacy preferences not being properly applied when set via GPO (bmo#1666836) ------------------------------------------------------------------- Tue Sep 22 13:35:26 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.3.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-43 (bsc#1176756) * CVE-2020-15677 (bmo#1641487) Download origin spoofing via redirect * CVE-2020-15676 (bmo#1646140) XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 (bmo#1660211) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 (bmo#1648493, bmo#1660800) Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3 ------------------------------------------------------------------- Wed Sep 16 13:55:06 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Enhance fix for wayland-detection (bsc#1174420) ------------------------------------------------------------------- Wed Sep 16 10:47:33 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Try to fix langpack-parallelization by introducing separate obj-dirs for each lang (boo#1173986, boo#1167976) ------------------------------------------------------------------- Tue Aug 25 17:09:36 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Firefox Extended Support Release 78.2.0 ESR * Fixed: Various stability, functionality, and security fixes - Mozilla Firefox ESR 78.2 MFSA 2020-38 (bsc#1175686) * CVE-2020-15663 (bmo#1643199) Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege * CVE-2020-15664 (bmo#1658214) Attacker-induced prompt for extension installation * CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626, bmo#1656957) Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2 ------------------------------------------------------------------- Mon Aug 24 23:15:34 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Added patch: firefox-dev-random-sandbox.patch (bsc#1174284) * Firefox tab crash in FIPS mode ------------------------------------------------------------------- Fri Aug 14 22:51:32 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Fix: Do not allow Firefox to use wayland on SLED15-SP0/1 (bsc#1174420) ------------------------------------------------------------------- Wed Aug 5 11:49:05 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Activate ccache - Parallelize langpack build ------------------------------------------------------------------- Mon Aug 3 11:06:17 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Fix broken translation-loading (boo#1173991) * allow addon sideloading * mark signatures for langpacks non-mandatory * do not autodisable user profile scopes - Google API key is not usable for geolocation service any more ------------------------------------------------------------------- Tue Jul 28 13:33:39 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 78.1.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-32 (bsc#1174538) * CVE-2020-15652 (bmo#1634872) Potential leak of redirect targets when loading scripts in a worker * CVE-2020-6514 (bmo#1642792) WebRTC data channel leaks internal address to peer * CVE-2020-15655 (bmo#1645204) Extension APIs could be used to bypass Same-Origin Policy * CVE-2020-15653 (bmo#1521542) Bypassing iframe sandbox when allowing popups * CVE-2020-6463 (bmo#1635293) Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture * CVE-2020-15656 (bmo#1647293) Type confusion for special arguments in IonMonkey * CVE-2020-15658 (bmo#1637745) Overriding file type when saving to disk * CVE-2020-15657 (bmo#1644954) DLL hijacking due to incorrect loading path * CVE-2020-15654 (bmo#1648333) Custom cursor can overlay user interface * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678) Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1 ------------------------------------------------------------------- Thu Jul 9 17:14:55 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Mozilla Firefox 78.0.2 MFSA 2020-28 (bsc#1173948) * MFSA-2020-0003 (bmo#1644076) X-Frame-Options bypass using object or embed tags - Firefox Extended Support Release 78.0.2esr ESR * Fixed: Security fix * Fixed: Fixed an accessibility regression in reader mode (bmo#1650922) * Fixed: Made the address bar more resilient to data corruption in the user profile (bmo#1649981) * Fixed: Fixed a regression opening certain external applications (bmo#1650162) ------------------------------------------------------------------- Thu Jul 2 09:04:19 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Add specific requirement for libfreetype6 (bsc#1173613) ------------------------------------------------------------------- Wed Jul 1 18:20:53 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Firefox Extended Support Release 78.0.1 ESR * Fixed: Fixed an issue which could cause installed search engines to not be visible when upgrading from a previous release. (bmo#1649558) - Mozilla Firefox 78 MFSA 2020-24 (bsc#1173576) * CVE-2020-12415 (bmo#1586630) AppCache manifest poisoning due to url encoded character processing * CVE-2020-12416 (bmo#1639734) Use-after-free in WebRTC VideoBroadcaster * CVE-2020-12417 (bmo#1640737) Memory corruption due to missing sign-extension for ValueTags on ARM64 * CVE-2020-12418 (bmo#1641303) Information disclosure due to manipulated URL object * CVE-2020-12419 (bmo#1643874) Use-after-free in nsGlobalWindowInner * CVE-2020-12420 (bmo#1643437) Use-After-Free when trying to connect to a STUN server * CVE-2020-12402 (bmo#1631597) RSA Key Generation vulnerable to side-channel attack * CVE-2020-12421 (bmo#1308251) Add-On updates did not respect the same certificate trust rules as software updates * CVE-2020-12422 (bmo#1450353) Integer overflow in nsJPEGEncoder::emptyOutputBuffer * CVE-2020-12423 (bmo#1642400) DLL Hijacking due to searching %PATH% for a library * CVE-2020-12424 (bmo#1562600) WebRTC permission prompt could have been bypassed by a compromised content process * CVE-2020-12425 (bmo#1634738) Out of bound read in Date.parse() * CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187, bmo#1637682) Memory safety bugs fixed in Firefox 78 ------------------------------------------------------------------- Tue Jun 30 22:24:48 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Firefox Extended Support Release 78.0esr ESR * New: Some of the highlights of the new Extended Support Release are: - Kiosk mode - Client certificates - Service Worker and Push APIs are now enabled - The Block Autoplay feature is enabled - Picture-in-picture support - View and manage web certificates in about:certificate For more information about what's new in the Firefox 78 ESR release, see the more detailed release notes at support.mozilla.org. - Add patches to fix big endian problems: * mozilla-s390x-skia-gradient.patch * mozilla-bmo998749.patch * mozilla-bmo1626236.patch - Add patch to fix broken build on ppc64le * mozilla-bmo1512162.patch - Add patch to add screensharing capability on wayland * mozilla-pipewire-0-3.patch - Rename firefox-fips.patch to mozilla-sandbox-fips.patch - Removed upstreamed patches: * mozilla-cubeb-noreturn.patch * mozilla-nestegg-big-endian.patch * mozilla-openaes-decl.patch * mozilla-s390x-bigendian.patch * mozilla-sle12-lower-python-requirement.patch ------------------------------------------------------------------- Tue Jun 2 13:18:48 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 68.9.0 ESR * Fixed: Various stability and security fixes MFSA 2020-21 (bsc#1172402) * CVE-2020-12405 (bmo#1619305, bmo#1632717) Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9 * CVE-2020-12406 (bmo#1639590) * CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox ------------------------------------------------------------------- Wed May 27 15:14:08 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Removed %is_opensuse macro from spec file to align builds with openSUSE Leap. ------------------------------------------------------------------- Tue May 5 13:10:26 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 68.8.0 ESR MFSA 2020-17 (bsc#1171186) * CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown * CVE-2020-12388 (bmo#1618911) Sandbox escape with improperly guarded Access Tokens * CVE-2020-12389 (bmo#1554110) Sandbox escape with improperly separated process types * CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation * CVE-2020-12392 (bmo#1614468) Arbitrary local file access with 'Copy as cURL' * CVE-2020-12393 (bmo#1615471) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8 ------------------------------------------------------------------- Tue Apr 7 13:45:36 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 68.7.0 ESR MFSA 2020-13 (bsc#1168874) * CVE-2020-6828 (bmo#1617928) Preference overwrite via crafted Intent from malicious Android application * CVE-2020-6827 (bmo#1622278) Custom Tabs in Firefox for Android could have the URI spoofed * CVE-2020-6821 (bmo#1625404) Uninitialized memory could be read when using the WebGL copyTexSubImage method * CVE-2020-6822 (bmo#1544181) Out of bounds write in GMPDecodeData when processing large images * CVE-2020-6825 (bmo#1572541, bmo#1620193, bmo#1620203) Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7 ------------------------------------------------------------------- Sat Apr 4 08:24:21 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de> - Mozilla Firefox 68.6.1esr MFSA 2020-11 (boo#1168630) * CVE-2020-6819 (bmo#1620818) Use-after-free while running the nsDocShell destructor * CVE-2020-6820 (bmo#1626728) Use-after-free when handling a ReadableStream ------------------------------------------------------------------- Fri Mar 20 18:20:58 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Added patch: firefox-fips.patch (bsc#1167231) * FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled ------------------------------------------------------------------- Tue Mar 10 12:36:01 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 68.6.0 ESR (bsc#1166238) * Fixed: Various stability and security fixes MFSA 2020-09 (bsc#1132665) * CVE-2020-6805 (bmo#1610880) Use-after-free when removing data about origins * CVE-2020-6806 (bmo#1612308) BodyStream::OnInputStreamReady was missing protections against state confusion * CVE-2020-6807 (bmo#1614971) Use-after-free in cubeb during stream destruction * CVE-2020-6811 (bmo#1607742) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2019-20503 (bmo#1613765) Out of bounds reads in sctp_load_addresses_from_init * CVE-2020-6812 (bmo#1616661) The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636, bmo#1614339) Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6 ------------------------------------------------------------------- Tue Feb 11 18:43:03 UTC 2020 - Charles Robertson <cgrobertson@suse.com> - Firefox Extended Support Release 68.5.0 ESR * Fixed: Various stability and security fixes - Mozilla Firefox ESR68.5 MFSA 2020-06 (bsc#1163368) * CVE-2020-6796 (bmo#1610426) Missing bounds check on shared memory read in the parent process * CVE-2020-6797 (bmo#1596668) Extensions granted downloads.open permission could open arbitrary applications on Mac OSX * CVE-2020-6798 (bmo#1602944) Incorrect parsing of template tag could result in JavaScript injection * CVE-2020-6799 (bmo#1606596) Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader * CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543, bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785) Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 ------------------------------------------------------------------- Tue Jan 21 11:49:52 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 68.4.2 ESR * Fixed: Fixed various issues opening files with spaces in their path (bmo#1601905, bmo#1602726) ------------------------------------------------------------------- Thu Jan 9 06:37:13 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 68.4.1 ESR * Fixed: Security fix MFSA 2020-03 (bsc#1160498) * CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with StoreElementHole and FallibleStoreElement ------------------------------------------------------------------- Tue Jan 7 14:28:41 UTC 2020 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 68.4.0 ESR * Fixed: Various security fixes MFSA 2020-02 (bsc#1160305) * CVE-2019-17015 (bmo#1599005) Memory corruption in parent process during new content process initialization on Windows * CVE-2019-17016 (bmo#1599181) Bypass of @namespace CSS sanitization during pasting * CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp * CVE-2019-17021 (bmo#1599008) Heap address disclosure in parent process during content process initialization on Windows * CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826) Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 - Removed patch that is now upstream: mozilla-bmo1511604.patch - Added patch to fix broken URL-bar on s390x: mozilla-bmo1602730.patch ------------------------------------------------------------------- Tue Dec 3 14:00:28 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 68.3.0 ESR * Changed: Updates to improve performance and stability MFSA 2019-37 (bsc#1158328) * CVE-2019-17008 (bmo#1546331) Use-after-free in worker destruction * CVE-2019-13722 (bmo#1580156) Stack corruption due to incorrect number of arguments in WebRTC code * CVE-2019-11745 (bmo#1586176) Out of bounds write in NSS when encrypting with a block cipher * CVE-2019-17009 (bmo#1510494) Updater temporary files accessible to unprivileged processes * CVE-2019-17010 (bmo#1581084) Use-after-free when performing device orientation checks * CVE-2019-17005 (bmo#1584170) Buffer overflow in plain text serializer * CVE-2019-17011 (bmo#1591334) Use-after-free when retrieving a document in antitracking * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502) Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 ------------------------------------------------------------------- Tue Nov 26 22:30:03 UTC 2019 - Charles Robertson <cgrobertson@suse.com> - Fix _constraints for ppc64le (bsc#1157652) ------------------------------------------------------------------- Tue Nov 19 12:41:44 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Add patch mozilla-bmo849632.patch to partially fix broken webGL sites on big endian machines (wrong colors) - Replace source-stamp.txt with tar_stamps - Reference create-tar.sh by direct commit-hash in the spec-file ------------------------------------------------------------------- Tue Nov 5 14:37:37 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Reactivate webRTC for all architectures ------------------------------------------------------------------- Thu Oct 31 11:10:35 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Add patch mozilla-bmo1504834-part4.patch to fix broken tab-titles on s390x ------------------------------------------------------------------- Thu Oct 24 17:25:44 UTC 2019 - Charles Robertson <cgrobertson@suse.com> - Resolved issues fixed earlier: * [bsc#1104841] Newer versions of firefox have a dependency on GLIBCXX_3.4.20 * [bsc#1129528] SLES15 - IBM s390-tools-2.1.0 Maintenance Patches (#6) * [bsc#1137990] Firefox 60.7 ESR changed the user interface language ------------------------------------------------------------------- Mon Oct 21 12:34:34 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Firefox Extended Support Release 68.2.0 ESR * Enterprise: New administrative policies were added. More information and templates are available at the Policy Templates page. * Fixed: Various security fixes MFSA 2019-33 (bsc#1154738) * CVE-2019-15903 (bmo#1584907) Heap overflow in expat library in XML_GetCurrentLineNumber * CVE-2019-11757 (bmo#1577107) Use-after-free when creating index updates in IndexedDB * CVE-2019-11758 (bmo#1536227) Potentially exploitable crash due to 360 Total Security * CVE-2019-11759 (bmo#1577953) Stack buffer overflow in HKDF output * CVE-2019-11760 (bmo#1577719) Stack buffer overflow in WebRTC networking * CVE-2019-11761 (bmo#1561502) Unintended access to a privileged JSONView object * CVE-2019-11762 (bmo#1582857) document.domain-based origin isolation has same-origin- property violation * CVE-2019-11763 (bmo#1584216) Incorrect HTML parsing results in XSS bypass technique * CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223, bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933, bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599, bmo#1586845) Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2 - removed now upstream patches: * mozilla-bmo1573381.patch * mozilla-bmo1512162.patch ------------------------------------------------------------------- Fri Oct 11 12:18:38 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Add patch to lower python requirement to 3.4 in order to build on SLE-12: * mozilla-sle12-lower-python-requirement.patch ------------------------------------------------------------------- Thu Oct 10 11:44:21 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Add Provides-line for translations-common (bsc#1153423) ------------------------------------------------------------------- Tue Oct 8 12:26:41 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Moved some settings from branding-package here (bsc#1153869) - add patch to fix LTO build (w/o PGO): * mozilla-fix-top-level-asm.patch - remove obsolete kde.js setting (boo#1151186) and related patch: * firefox-add-kde.js-in-order-to-survive-PGO-build.patch * modified firefox-kde.patch for the removal of kde.js ------------------------------------------------------------------- Tue Sep 24 13:07:00 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Update mozilla-bmo1512162.patch to the patch now commited upstream * No more -O1 builds for ppc64le necessary - Disable DoH by default * Not yet officially active in ESR, but just to make sure ------------------------------------------------------------------- Mon Sep 9 22:06:54 UTC 2019 - Charles Robertson <cgrobertson@suse.com> - Mozilla Firefox ESR 68.1 Resolves the following bigendian s390x issues: * [bsc#1109465] Latest Firefox update not released for s390x * [bsc#1117473] Firefox segmentation fault on s390vsl082 * [bsc#1123482] openQA test fails in firefox - firefox doesn't start * [bsc#1124525] Firefox is core dumping on SLES15 s390x * [bsc#1133810] Firefox: Segmentation fault (core dumped) MFSA 2019-26 (bsc#1149323) * CVE-2019-11751 (bmo#1572838) Malicious code execution through command line parameters * CVE-2019-11746 (bmo#1564449) Use-after-free while manipulating video * CVE-2019-11744 (bmo#1562033) XSS by breaking out of title and textarea elements using innerHTML * CVE-2019-11742 (bmo#1559715) Same-origin policy violation with SVG filters and canvas to steal cross-origin images * CVE-2019-11736 (bmo#1551913, bmo#1552206) File manipulation and privilege escalation in Mozilla Maintenance Service * CVE-2019-11753 (bmo#1574980) Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location * CVE-2019-11752 (bmo#1501152) Use-after-free while extracting a key value in IndexedDB * CVE-2019-9812 (bmo#1538008, bmo#1538015) Sandbox escape through Firefox Sync * CVE-2019-11743 (bmo#1560495, bmo#https://w3c.github.io/navigation-timing) Cross-origin access to unload event attributes * CVE-2019-11748 (bmo#1564588) Persistence of WebRTC permissions in a third party context * CVE-2019-11749 (bmo#1565374) Camera information available without prompting using getUserMedia * CVE-2019-11750 (bmo#1568397) Type confusion in Spidermonkey * CVE-2019-11738 (bmo#1452037) Content security policy bypass through hash-based sources in directives * CVE-2019-11747 (bmo#1564481) 'Forget about this site' removes sites from pre-loaded HSTS list * CVE-2019-11735 (bmo#1561404, bmo#1561484, bmo#1561912, bmo#1565744, bmo#1568047, bmo#1568858, bmo#1570358) Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 * CVE-2019-11740 (bmo#1563133, bmo#1573160) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 - Mozilla Firefox ESR 68.0.2 * Fixed: Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar (bmo#1560228) * Fixed: Allow fonts to be loaded via file:// URLs when opening a page locally (bmo#1565942) * Fixed: Printing emails from the Outlook web app no longer prints only the header and footer (bmo#1567105) * Fixed: Fixed a bug causing some images not to be displayed on reload, including on Google Maps (bmo#1565542) * Fixed: Fixed an error when starting external applications configured as URI handlers (bmo#1567614) * Fixed: Security fixes - MFSA 2019-24 (bsc#1145665) * CVE-2019-11733 (bmo#1565780) Stored passwords in 'Saved Logins' can be copied without master password entry - Mozilla Firefox ESR 68.0.1 * macOS releases are now signed by the Apple notary service, allowing Firefox to properly run on macOS 10.15 Beta releases * Fixed missing Full Screen button when watching videos in full screen mode on HBO GO (bmo#1562837) * Fixed a bug causing incorrect messages to appear for some locales when sites try to request the use of the Storage Access API (bmo#1558503) * Users in Russian regions may have their default search engine changed (bmo#1565315) * Built-in search engines in some locales do not function correctly (bmo#1565779) * SupportMenu policy doesn't always work (bmo#1553290) * Allow the new ExtensionSettings policy to work with GPO on Windows (bmo#1553586) * Allow the privacy.file_unique_origin pref to be controlled by policy (bmo#1563759) - Mozilla Firefox ESR 68.0 * Dark mode in reader view * Improved extension security and discovery * Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences * Camera and microphone access now require an HTTPS connection MFSA 2019-21 (bsc#1140868) * CVE-2019-9811 (bmo#1523741, bmo#1538007, bmo#1539598, bmo#1539759, bmo#1563327) Sandbox escape via installation of malicious language pack * CVE-2019-11711 (bmo#1552541) Script injection within domain through inner window reuse * CVE-2019-11712 (bmo#1543804) Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects * CVE-2019-11713 (bmo#1528481) Use-after-free with HTTP/2 cached stream * CVE-2019-11714 (bmo#1542593) NeckoChild can trigger crash when accessed off of main thread * CVE-2019-11729 (bmo#1515342) Empty or malformed p256-ECDH public keys may trigger a segmentation fault * CVE-2019-11715 (bmo#1555523) HTML parsing error can contribute to content XSS * CVE-2019-11716 (bmo#1552632) globalThis not enumerable until accessed * CVE-2019-11717 (bmo#1548306) Caret character improperly escaped in origins * CVE-2019-11718 (bmo#1408349) Activity Stream writes unsanitized content to innerHTML * CVE-2019-11719 (bmo#1540541) Out-of-bounds read when importing curve25519 private key * CVE-2019-11720 (bmo#1556230) Character encoding XSS vulnerability * CVE-2019-11721 (bmo#1256009) Domain spoofing through unicode latin 'kra' character * CVE-2019-11730 (bmo#1558299) Same-origin policy treats all files in a directory as having the same-origin * CVE-2019-11723 (bmo#1528335) Cookie leakage during add-on fetching across private browsing boundaries * CVE-2019-11724 (bmo#1512511) Retired site input.mozilla.org has remote troubleshooting permissions * CVE-2019-11725 (bmo#1483510) Websocket resources bypass safebrowsing protections * CVE-2019-11727 (bmo#1552208) PKCS#1 v1.5 signatures can be used for TLS 1.3 * CVE-2019-11728 (bmo#1552993) Port scanning through Alt-Svc header * CVE-2019-11710 (bmo#1507696, bmo#1510345, bmo#1533842, bmo#1535482, bmo#1535848, bmo#1537692, bmo#1540590, bmo#1544180, bmo#1547472, bmo#1547760, bmo#1548611, bmo#1549768, bmo#1551907) Memory safety bugs fixed in Firefox 68 * CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219, bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822, bmo#1550498, bmo#1550498) Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 - removed patches that are now upstream * mozilla-bmo1375074.patch * mozilla-bmo1436242.patch * mozilla-bmo256180.patch * mozilla-i586-DecoderDoctorLogger.patch * mozilla-i586-domPrefs.patch * mozilla-bmo1464766.patch * mozilla-bigendian_bit_flags_alias.patch - removed workaround-patch for build memory consumption on i586; other mitigations meanwhile introduced (mainly parallelity) will be sufficient * mozilla-reduce-files-per-UnifiedBindings.patch - added patch to make builds reproducible * mozilla-bmo1568145.patch - added a bunch of patches mainly for big endian platforms * mozilla-bmo1504834-part1.patch * mozilla-bmo1504834-part2.patch * mozilla-bmo1504834-part3.patch * mozilla-bmo1511604.patch * mozilla-bmo1512162.patch * mozilla-bmo1554971.patch * mozilla-bmo1573381.patch * mozilla-nestegg-big-endian.patch - added patches to fix build on armv7: * mozilla-bmo1463035.patch * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch - added patch to fix non-return function * mozilla-cubeb-noreturn.patch - added patch to fix aarch64 build: * mozilla-fix-aarch64-libopus.patch (bmo#1539737) - added patch to enable PGO for x86_64. * firefox-add-kde.js-in-order-to-survive-PGO-build.patch - added patch to reduce build-load * mozilla-reduce-rust-debuginfo.patch ------------------------------------------------------------------- Fri Jun 21 06:01:18 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Mozilla Firefox Firefox 60.7.2 MFSA 2019-19 (bsc#1138872) * CVE-2019-11708 (bmo#1559858) sandbox escape using Prompt:Open ------------------------------------------------------------------- Wed Jun 19 12:35:12 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Build Firefox with gcc instead of clang (bsc#1138688) ------------------------------------------------------------------- Wed Jun 19 06:17:40 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Mozilla Firefox Firefox 60.7.1 MFSA 2019-18 (bsc#1138614) * CVE-2019-11707 (bmo#1544386) Type confusion in Array.pop - Added the new Mozilla's GPG key with subkey fingerprint 097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D 572E, expiring on 2021-05-29 to the mozilla.keyring file ------------------------------------------------------------------- Tue Jun 11 09:19:32 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Fix broken language plugins (bsc#1137792) ------------------------------------------------------------------- Tue May 21 17:54:12 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - update to Firefox ESR 60.7 (bsc#1135824) * Font and date adjustments to accommodate the new Reiwa era in Japan * MFSA 2019-14/CVE-2019-9817 (bmo#1540221) Stealing of cross-domain images using canvas * MFSA 2019-14/CVE-2019-9800 (bmo#1499108, bmo#1499719, bmo#1516325, bmo#1532465, bmo#1533554, bmo#1534593, bmo#1535194, bmo#1535612, bmo#1538042, bmo#1538619, bmo#1538736, bmo#1540136, bmo#1540166, bmo#1541580, bmo#1542097, bmo#1542324, bmo#1546327) Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 * MFSA 2019-14/CVE-2019-9816 (bmo#1536768) Type confusion with object groups and UnboxedObjects * MFSA 2019-14/CVE-2019-9815 (bmo#1546544, bmo#https://mdsattacks.com/) Disable hyperthreading on content JavaScript threads on macOS * MFSA 2019-14/CVE-2019-11698 (bmo#1543191) Theft of user history data through drag and drop of hyperlinks to and from bookmarks * MFSA 2019-14/CVE-2019-11692 (bmo#1544670) Use-after-free removing listeners in the event listener manager * MFSA 2019-14/CVE-2019-11693 (bmo#1532525) Buffer overflow in WebGL bufferdata on Linux * MFSA 2019-14/CVE-2019-7317 (bmo#1542829) Use-after-free in png_image_free of libpng library * MFSA 2019-14/CVE-2019-9820 (bmo#1536405) Use-after-free of ChromeEventHandler by DocShell * MFSA 2019-14/CVE-2019-9818 (bmo#1542581) Use-after-free in crash generation server * MFSA 2019-14/CVE-2019-11691 (bmo#1542465) Use-after-free in XMLHttpRequest * MFSA 2019-14/CVE-2019-9819 (bmo#1532553) Compartment mismatch with fetch API * MFSA 2019-14/CVE-2019-11694 (bmo#1534196) Uninitialized memory memory leakage in Windows sandbox ------------------------------------------------------------------- Fri May 17 08:34:38 UTC 2019 - Martin Sirringhaus <martin.sirringhaus@suse.com> - Sync with Devel:Desktop:Mozilla:*:next ------------------------------------------------------------------- Tue May 14 17:23:34 UTC 2019 - Charles Robertson <cgrobertson@suse.com> - Enable Firefox to build with Rust >= 1.30 with fix. See below. ------------------------------------------------------------------- Thu May 9 22:26:20 UTC 2019 - Charles Robertson <cgrobertson@suse.com> - update to 60.6.3 (bmo#1549249) * Further improvements to re-enable web extensions which had been disabled for users with a master password set. ------------------------------------------------------------------- Mon May 6 07:26:43 UTC 2019 - Peter Simons <psimons@suse.com> - update to 60.6.2 (bsc#1134126) * Repaired certificate chain to re-enable web extensions that had been disabled. ------------------------------------------------------------------- Fri Apr 18 19:59:46 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com> - Update BuildRequires rust >= 1.30 from 1.24 * Upstream Firefox ESR presumes rust version stable at release (1.24). SUSE currently uses improved packaging for rust >= 1.30. * boo#1130694 rust 1.33.0 breaks Firefox and Thunderbird due to missing macro comment docs in Firefox rust sources bmo#1539901 ESR 60 build fails with Rust 1.33 due to missing documentation on macros in stylo bmo#1519629 Stylo fails with --enable-warnings-as-errors using Rust 1.33 * Fix build using RUSTFLAGS="--cap-lints allow" Preferred alternative to patching and revendoring stylo rust crates Revisit with intent to remove in next Firefox ESR 68.0 2019-07-09 ------------------------------------------------------------------- Wed Mar 27 11:32:18 UTC 2019 - cgrobertson@suse.com - Fixed translations provides ------------------------------------------------------------------- Fri Mar 22 17:24:25 UTC 2019 - cgrobertson@suse.com - update to Firefox ESR 60.6.1 (bsc#1130262) * MFSA 2019-10/CVE-2019-9813 (bmo#1538006) Ionmonkey type confusion with __proto__ mutations * MFSA 2019-10/CVE-2019-9810 (bmo#1537924) IonMonkey MArraySlice has incorrect alias information ------------------------------------------------------------------- Tue Mar 19 13:17:46 UTC 2019 - cgrobertson@suse.com - update to Firefox ESR 60.6 (bsc#1129821) * MFSA 2019-08/CVE-2018-18506 (bmo#1503393) Proxy Auto-Configuration file can define localhost access to be proxied * MFSA 2019-08/CVE-2019-9801 (bmo#1527717) Windows programs that are not 'URL Handlers' are exposed to web content * MFSA 2019-08/CVE-2019-9788 (bmo#1506665, bmo#1516834, bmo#1518001, bmo#1518774, bmo#1521214, bmo#1521304, bmo#1523362, bmo#1524214, bmo#1524755, bmo#1529203) Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * MFSA 2019-08/CVE-2019-9790 (bmo#1525145) Use-after-free when removing in-use DOM elements * MFSA 2019-08/CVE-2019-9791 (bmo#1530958) Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey * MFSA 2019-08/CVE-2019-9792 (bmo#1532599) IonMonkey leaks JS_OPTIMIZED_OUT magic value to script * MFSA 2019-08/CVE-2019-9793 (bmo#1528829) Improper bounds checks when Spectre mitigations are disabled * MFSA 2019-08/CVE-2019-9794 (bmo#1530103) Command line arguments not discarded during execution * MFSA 2019-08/CVE-2019-9795 (bmo#1514682) Type-confusion in IonMonkey JIT compiler * MFSA 2019-08/CVE-2019-9796 (bmo#1531277) Use-after-free with SMIL animation controller - Fix for [bsc#1127987] MozillaFirefox-translations-common causing error on update ------------------------------------------------------------------- Tue Feb 26 17:14:33 UTC 2019 - cgrobertson@suse.com - Mozilla Firefox 60.5.2esr: * Fix a frequent crash when reading various Reuters news articles (bmo#1505844) ------------------------------------------------------------------- Wed Feb 13 09:09:18 UTC 2019 - alarrosa@suse.com - Update to Firefox ESR 60.5.1 MFSA-2019-05 (bsc#1125330) * CVE-2018-18356 (bmo#1525817) A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash. * CVE-2019-5785 (bmo#1525433) An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash. * CVE-2018-18335 (bmo#1525815) A buffer overflow vulnerability in the Skia library can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR. Note: this does not affect other versions and platforms where Canvas 2D acceleration is already disabled by default. ------------------------------------------------------------------- Wed Jan 30 12:53:24 UTC 2019 - cgrobertson@suse.com - Update to Firefox ESR 60.5 MFSA 2019-02 (bsc#1122983) * CVE-2018-18501 (bmo#1460619, bmo#1502871, bmo#1512450, bmo#1513201, bmo#1516514, bmo#1516738, bmo#1517542) Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * CVE-2018-18500 (bmo#1510114) Use-after-free parsing HTML5 stream * CVE-2018-18505 (bmo#1087565, bmo#1497749) Privilege escalation through IPC channel messages - Removed obsolete patches: [mozilla-no-stdcxx-check.patch] Applied upstream [mozilla-s390-nojit.patch] Applied upstream ------------------------------------------------------------------- Thu Jan 17 17:27:06 UTC 2019 - cgrobertson@suse.com - Fix for language pack build error (bsc#1120374) ------------------------------------------------------------------- Thu Dec 20 12:32:17 UTC 2018 - Karol Babioch <kbabioch@suse.de> - Revert dependency for branding package back to >= 60 due to dependency issues. ------------------------------------------------------------------- Fri Dec 14 19:05:21 UTC 2018 - cgrobertson@suse.com - Depend on branding package version >= 60.0 ------------------------------------------------------------------- Wed Dec 12 19:20:33 UTC 2018 - cgrobertson@suse.com - Mozilla Firefox 60.4.0esr: * Updated list of currency codes to include Unidad Previsional (UYW) (bmo#1499028) MFSA 2018-30 (bsc#1119105) * CVE-2018-17466 bmo#1488295 Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 * CVE-2018-18492 bmo#1499861 Use-after-free with select element * CVE-2018-18493 bmo#1504452 Buffer overflow in accelerated 2D canvas with Skia * CVE-2018-18494 bmo#1487964 Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs * CVE-2018-18498 bmo#1500011 Integer overflow when calculating buffer sizes for images * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759 bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471 Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 - requires NSS >= 3.36.6 - Removed obsolete patch: [mozilla-update-cc-crate.patch] Applied upstream ------------------------------------------------------------------- Tue Oct 23 20:35:31 UTC 2018 - alarrosa@suse.com - Mozilla Firefox 60.3.0esr: * Various stability and regression fixes MFSA 2018-27 bsc#1112852 * CVE-2018-12392 bmo#1492823 Crash with nested event loops * CVE-2018-12393 bmo#1495011 Integer overflow during Unicode conversion while loading JavaScript * CVE-2018-12395 bmo#1467523 WebExtension bypass of domain restrictions through header rewriting * CVE-2018-12396 bmo#1483602 WebExtension content scripts can execute in disallowed contexts * CVE-2018-12397 bmo#1487478 WebExtension local file access vulnerability * CVE-2018-12389 bmo#1498460, bmo#1499198 Memory safety bugs fixed in Firefox ESR 60.3 * CVE-2018-12390 bmo#1487098 bmo#1487660 bmo#1490234 bmo#1496159 bmo#1443748 bmo#1496340 bmo#1483905 bmo#1493347 bmo#1488803 bmo#1498701 bmo#1498482 bmo#1442010 bmo#1495245 bmo#1483699 bmo#1469486 bmo#1484905 bmo#1490561 bmo#1492524 bmo#1481844 Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 - Drop mozilla-bmo1472538-update-bindgen.patch which was already merged upstream - Update mozilla-update-cc-crate.patch, since cc was updated to 1.0.9 upstream, but this patch still updates it to a newer version ------------------------------------------------------------------- Thu Oct 11 15:42:40 UTC 2018 - alarrosa@suse.com - Update create-tar.sh and source-stamp.txt as should be done with every version update. ------------------------------------------------------------------- Tue Oct 9 08:00:29 UTC 2018 - alarrosa@suse.com - Mozilla Firefox 60.2.2esr: MFSA 2018-24 * CVE-2018-12386 (bsc#1110506, bmo#1493900) Type confusion in JavaScript allowed remote code execution * CVE-2018-12387 (bsc#1110507, bmo#1493903) Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process - Avoid undefined behavior in IPC fd-passing code with mozilla-bmo1436242.patch (boo#1094767, bmo#1436242) - Mozilla Firefox 60.2.1esr: MFSA 2018-23 * CVE-2018-12385 (boo#1109363, bmo#1490585) Crash in TransportSecurityInfo due to cached data * CVE-2018-12383 (boo#1107343, bmo#1475775) Setting a master password did not delete unencrypted previously stored passwords * Fixed a startup crash affecting users migrating from older ESR releases * Clean up old NSS DB files after upgrading - Fix typo in an old changelog entry which mentioned a wrong patch file and really remove mozilla-glibc-getrandom.patch as should have been done some weeks ago. ------------------------------------------------------------------- Wed Oct 3 23:35:43 UTC 2018 - cgrobertson@suse.com - bsc#1109465 - Add mozilla-bmo1472538-update-bindgen.patch and mozilla-update-cc-crate.patch. This fixes an endianness problem in bindgen's handling of bitfields, which was causing Firefox to crash on startup on big-endian machines. Also, updates the cc crate, which was buggy in the version that was originally vendored in. - added patch [mozilla-bigendian_bit_flags_alias.patch] (bmo#1488552) ------------------------------------------------------------------- Fri Sep 7 01:01:19 UTC 2018 - pcerny@suse.com - update to Firefox ESR 60.2 (bsc#1107343) * MFSA 2018-20/CVE-2018-12381 (bmo#1435319) Dragging and dropping Outlook email message results in page navigation * MFSA 2018-20/CVE-2017-16541 (bmo#1412081) Proxy bypass using automount and autofs * MFSA 2018-20/CVE-2018-12376 (bmo#1450989, bmo#1466577, bmo#1466991, bmo#1467363, bmo#1467889, bmo#1468738, bmo#1469309, bmo#1469914, bmo#1471953, bmo#1472925, bmo#1473161, bmo#1478575, bmo#1478849, bmo#1480092, bmo#1480517, bmo#1480521, bmo#1481093, bmo#1483120) Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * MFSA 2018-20/CVE-2018-12377 (bmo#1470260) Use-after-free in refresh driver timers * MFSA 2018-20/CVE-2018-12378 (bmo#1459383) Use-after-free in IndexedDB * MFSA 2018-20/CVE-2018-12379 (bmo#1473113) Out-of-bounds write with malicious MAR file - removed obsolete patches: [mozilla-glibc-getrandom.patch] [firefox-no-default-ualocale.patch] [mozilla-bmo1005640.patch] [mozilla-language.patch] [mozilla-shared-nss-db.patch] - added patches sync with openSUSE: [mozilla-bmo1005535.patch] [mozilla-bmo1375074.patch] [mozilla-bmo1464766.patch] [mozilla-bmo256180.patch] [mozilla-i586-DecoderDoctorLogger.patch] [mozilla-i586-domPrefs.patch] additional architecture enablement: [mozilla-ppc-altivec_static_inline.patch] [mozilla-s390-context.patch] ------------------------------------------------------------------- Wed Jun 27 13:26:39 UTC 2018 - pcerny@suse.com - update to Firefox ESR 52.9 (bsc#1098998) * MFSA 2018-17/CVE-2018-5188 (bmo#1392739, bmo#1437842, bmo#1442722, bmo#1450688, bmo#1451297, bmo#1452576, bmo#1456189, bmo#1456975, bmo#1458048, bmo#1458264, bmo#1458270, bmo#1463494, bmo#1464063, bmo#1464079, bmo#1464829, bmo#1465108, bmo#1465898) Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9 * MFSA 2018-17/CVE-2018-12368 (bmo#1468217, bmo#https://posts.specterops.io/the-tale-of- settingcontent-ms-files-f1ea253e4d39) No warning when opening executable SettingContent-ms files * MFSA 2018-17/CVE-2018-12366 (bmo#1464039) Invalid data handling during QCMS transformations * MFSA 2018-17/CVE-2018-12365 (bmo#1459206) Compromised IPC child process can list local filenames * MFSA 2018-17/CVE-2018-12364 (bmo#1436241) CSRF attacks through 307 redirects and NPAPI plugins * MFSA 2018-17/CVE-2018-12363 (bmo#1464784) Use-after-free when appending DOM nodes * MFSA 2018-17/CVE-2018-12362 (bmo#1452375) Integer overflow in SSSE3 scaler * MFSA 2018-17/CVE-2018-12360 (bmo#1459693) Use-after-free when using focus() * MFSA 2018-17/CVE-2018-5156 (bmo#1453127) Media recorder segmentation fault when track type is changed during capture * MFSA 2018-17/CVE-2018-12359 (bmo#1459162) Buffer overflow using computed size of canvas element ------------------------------------------------------------------- Thu Jun 7 12:42:46 UTC 2018 - pcerny@suse.com - update to Firefox 52.8.1 (bsc#1096449) * MFSA 2018-14/CVE-2018-6126 (bmo#1462682) Heap buffer overflow rasterizing paths in SVG with Skia ------------------------------------------------------------------- Wed May 9 11:36:33 UTC 2018 - wr@rosenauer.org - update to Firefox 52.8.0: * Various stability and regression fixes * Performance improvements to the Safe Browsing service to avoid slowdowns while updating site classification data - Security fixes (bsc#1092548, MFSA 2018-12): * CVE-2018-5183 (bmo#1454692) Backport critical security fixes in Skia * CVE-2018-5154 (bmo#1443092) Use-after-free with SVG animations and clip paths * CVE-2018-5155 (bmo#1448774) Use-after-free with SVG animations and text paths * CVE-2018-5157 (bmo#1449898) Same-origin bypass of PDF Viewer to view protected PDF files * CVE-2018-5158 (bmo#1452075) Malicious PDF can inject JavaScript into PDF Viewer * CVE-2018-5159 (bmo#1441941) Integer overflow and out-of-bounds write in Skia * CVE-2018-5168 (bmo#1449548) Lightweight themes can be installed without user interaction * CVE-2018-5178 (bmo#1443891) Buffer overflow during UTF-8 to Unicode string conversion through legacy extension * CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705, bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415, bmo#1426129) Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 ------------------------------------------------------------------- Wed Mar 28 19:27:16 UTC 2018 - astieger@suse.com - fix release tag and tarball to correctly identify 52.7.3esr ------------------------------------------------------------------- Tue Mar 27 05:53:14 UTC 2018 - wr@rosenauer.org - update to Firefox 52.7.3 MFSA 2018-10 (bsc#1087059) * CVE-2018-5148 (bmo#1440717) Use-after-free in compositor - removed obsolete patch mozilla-bmo1446062.patch ------------------------------------------------------------------- Fri Mar 16 11:27:21 UTC 2018 - wr@rosenauer.org - update to Firefox 52.7.2 (bsc#1085671) MFSA 2018-08 * CVE-2018-5146 (bmo#1446062) Out of bounds memory write in libvorbis * CVE-2018-5147 (bmo#1446365) Out of bounds memory write in libtremor (in mozilla-bmo1446062.patch) - Firefox 52.7.1 fixes - issues with the IT locale (bmo#1445278) ------------------------------------------------------------------- Tue Mar 13 18:30:52 UTC 2018 - astieger@suse.com - update to Firefox 52.7esr (bsc#1085130, MFSA 2018-07): * CVE-2018-5127 (bmo#1430557) Buffer overflow manipulating SVG animatedPathSegList * CVE-2018-5129 (bmo#1428947) Out-of-bounds write with malformed IPC messages * CVE-2018-5130 (bmo#1433005) Mismatched RTP payload type can trigger memory corruption * CVE-2018-5131 (bmo#1440775) Fetch API improperly returns cached copies of no-store/no-cache resources * CVE-2018-5144 (bmo#1440926) Integer overflow during Unicode conversion * CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450, bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087, bmo#1443865,bmo#1425520) Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * CVE-2018-5145 (bmo#1261175,bmo#1348955) Memory safety bugs fixed in Firefox ESR 52.7 ------------------------------------------------------------------- Fri Feb 9 12:12:08 UTC 2018 - wr@rosenauer.org - correct requires and provides handling (boo#1076907) ------------------------------------------------------------------- Tue Jan 23 19:04:46 UTC 2018 - wr@rosenauer.org - update to Firefox 52.6esr (bsc#1077291) MFSA 2018-01 * Speculative execution side-channel attack ("Spectre") MFSA 2018-03 * CVE-2018-5091 (bmo#1423086) Use-after-free with DTMF timers * CVE-2018-5095 (bmo#1418447) Integer overflow in Skia library during edge builder allocation * CVE-2018-5096 (bmo#1418922) Use-after-free while editing form elements * CVE-2018-5097 (bmo#1387427) Use-after-free when source document is manipulated during XSLT * CVE-2018-5098 (bmo#1399400) Use-after-free while manipulating form input elements * CVE-2018-5099 (bmo#1416878) Use-after-free with widget listener * CVE-2018-5102 (bmo#1419363) Use-after-free in HTML media elements * CVE-2018-5103 (bmo#1423159) Use-after-free during mouse event handling * CVE-2018-5104 (bmo#1425000) Use-after-free during font face manipulation * CVE-2018-5117 (bmo#1395508) URL spoofing with right-to-left text aligned left-to-right * CVE-2018-5089 Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6 - remove obsolete patch mozilla-ucontext.patch - official NSS requirement is >= 3.28.6 therefore putting 3.29.5 into an ifarch ------------------------------------------------------------------- Wed Jan 17 17:07:25 UTC 2018 - wbauer@tmo.at - Escape the usage of %{VERSION} when calling out to rpm. RPM 4.14 has %{VERSION} defined as 'the main package's version'. ------------------------------------------------------------------- Tue Jan 16 17:03:01 UTC 2018 - cgrobertson@suse.com - Added additional patches and configurations to fix builds on s390 and PowerPC. * Added firefox-glibc-getrandom.patch effecting builds on s390 and PowerPC * Added mozilla-s390-bigendian.patch along with icudt58b.dat bigendian ICU data file for running Firefox on bigendian architectures (bmo#1322212 and bmo#1264836) * Added mozilla-s390-nojit.patch to enable atomic operations used by the JS engine when JIT is disabled on s390 * Build configuration options specific to s390 * Requires NSS >= 3.29.5 ------------------------------------------------------------------- Fri Dec 29 19:52:34 UTC 2017 - astieger@suse.com - Update to Firefox 52.5.3esr: * Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bmo#1427111, bsc#1074235) ------------------------------------------------------------------- Fri Dec 15 09:00:55 UTC 2017 - fcrozat@suse.com - Add BuildRequires python-xml to fix build on TW/SLE15. ------------------------------------------------------------------- Sat Dec 9 20:49:28 UTC 2017 - security@suse.com - update to Firefox 52.5.2esr (MFSA 2017-28): * CVE-2017-7843 (bsc#1072034, bmo#1410106) Web worker in Private Browsing mode can write IndexedDB data ------------------------------------------------------------------- Tue Nov 14 21:22:11 UTC 2017 - wr@rosenauer.org - update to Firefox 52.5.0esr (boo#1068101) MFSA 2017-25 * CVE-2017-7828 (bmo#1406750. bmo#1412252) Use-after-free of PressShell while restyling layout * CVE-2017-7830 (bmo#1408990) Cross-origin URL information leak through Resource Timing API * CVE-2017-7826 Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5 ------------------------------------------------------------------- Sun Oct 1 18:25:16 UTC 2017 - stefan.bruens@rwth-aachen.de - Correct plugin directory for aarch64 (boo#1061207). The wrapper script was not detecting aarch64 as a 64 bit architecture, thus used /usr/lib/browser-plugins/. ------------------------------------------------------------------- Sat Sep 30 20:10:50 UTC 2017 - zaitor@opensuse.org - Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0), pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure looks for. ------------------------------------------------------------------- Fri Sep 29 08:56:27 UTC 2017 - wr@rosenauer.org - update to Firefox 52.4esr (boo#1060445) * requires NSS >= 3.28.6 MFSA 2017-22 * CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API * CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array manipulation * CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in design mode * CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and validating elements with ANGLE * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free in TLS 1.2 generating handshake hashes * CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and malware protection warnings * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render some Tibetan and Arabic unicode characters as spaces * CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a unique origin * CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 - fixed language accept header to use correct locale (mozilla-bmo1005640.patch, boo#1029917) ------------------------------------------------------------------- Thu Sep 28 07:53:13 UTC 2017 - dimstar@opensuse.org - Add alsa-devel BuildRequires: we care for ALSA support to be built and thus need to ensure we get the dependencies in place. In the past, alsa-devel was pulled in by accident: we buildrequire libgnome-devel. This required esound-devel and that in turn pulled in alsa-devel for us. libgnome is being fixed to no longer require esound-devel. ------------------------------------------------------------------- Wed Aug 9 09:47:39 UTC 2017 - schwab@suse.de - mozilla-ucontext.patch: use ucontext_t instead of struct ucontext ------------------------------------------------------------------- Tue Aug 8 18:13:34 UTC 2017 - wr@rosenauer.org - update to Firefox 52.3esr (boo#1052829) MFSA 2017-19 * CVE-2017-7798 (bmo#1371586, bmo#1372112) XUL injection in the style editor in devtools * CVE-2017-7800 (bmo#1374047) Use-after-free in WebSockets during disconnection * CVE-2017-7801 (bmo#1371259) Use-after-free with marquee during window resizing * CVE-2017-7784 (bmo#1376087) Use-after-free with image observers * CVE-2017-7802 (bmo#1378147) Use-after-free resizing image elements * CVE-2017-7785 (bmo#1356985) Buffer overflow manipulating ARIA attributes in DOM * CVE-2017-7786 (bmo#1365189) Buffer overflow while painting non-displayable SVG * CVE-2017-7753 (bmo#1353312) Out-of-bounds read with cached style data and pseudo-elements# * CVE-2017-7787 (bmo#1322896) Same-origin policy bypass with iframes through page reloads * CVE-2017-7807 (bmo#1376459) Domain hijacking through AppCache fallback * CVE-2017-7792 (bmo#1368652) Buffer overflow viewing certificates with an extremely long OID * CVE-2017-7804 (bmo#1372849) Memory protection bypass through WindowsDllDetourPatcher * CVE-2017-7791 (bmo#1365875) Spoofing following page navigation with data: protocol and modal alerts * CVE-2017-7782 (bmo#1344034) WindowsDllDetourPatcher allocates memory without DEP protections * CVE-2017-7803 (bmo#1377426) CSP containing 'sandbox' improperly applied * CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 ------------------------------------------------------------------- Wed Jul 5 07:26:32 UTC 2017 - astieger@suse.com - Mozilla Firefox 52.2.1esr: * Printing text does not work on Windows when Direct2D is disabled (bmo#1318845) ------------------------------------------------------------------- Wed Jun 14 07:08:29 UTC 2017 - wr@rosenauer.org - update to Firefox 52.2esr (boo#1043960) MFSA 2017-16 * CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees * CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading * CVE-2017-7750 (bmo#1356558) Use-after-free with track elements * CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners * CVE-2017-7752 (bmo#1359547) Use-after-free with IME input * CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object * CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only) * CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors * CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library * CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder * CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only) * CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application (Windows only) * CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks * CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only) * CVE-2017-7766 (bmo#1342742) File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service (Windows only) * CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service (Windows only) * CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla Maintenance Service (Windows only) * CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2 - requires NSS 3.28.5 ------------------------------------------------------------------- Tue May 23 14:00:40 UTC 2017 - wr@rosenauer.org - remove -fno-inline-small-functions and explicitely optimize with -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) ------------------------------------------------------------------- Mon May 8 08:28:17 UTC 2017 - wr@rosenauer.org - update to Firefox 52.1.1 MFSA 2017-14 * CVE-2017-5031: Use after free in ANGLE (bmo#1328762) (Windows only, Linux not affected) - switch to Mozilla's geolocation service (boo#1026989) - removed mozilla-preferences.patch obsoleted by overriding via firefox.js - fixed KDE integration to avoid crash caused by filepicker (boo#1015998) ------------------------------------------------------------------- Wed Apr 12 21:43:16 UTC 2017 - wr@rosenauer.org - update to Firefox 52.1.0esr (boo#1035082) MFSA 2017-12 * CVE-2017-5443 (bmo#1342661) Out-of-bounds write during BinHex decoding * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 * CVE-2017-5464 (bmo#1347075) Memory corruption with accessibility and DOM manipulation * CVE-2017-5465 (bmo#1347617) Out-of-bounds read in ConvolvePixel * CVE-2017-5466 (bmo#1353975) Origin confusion when reloading isolated data:text/html URL * CVE-2017-5467 (bmo#1347262) Memory corruption when drawing Skia content * CVE-2017-5460 (bmo#1343642) Use-after-free in frame selection * CVE-2017-5461 (bmo#1344380) Out-of-bounds write in Base64 encoding in NSS * CVE-2017-5448 (bmo#1346648) Out-of-bounds write in ClearKeyDecryptor * CVE-2017-5449 (bmo#1340127) Crash during bidirectional unicode manipulation with animation * CVE-2017-5446 (bmo#1343505) Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data * CVE-2017-5447 (bmo#1343552) Out-of-bounds read during glyph processing * CVE-2017-5444 (bmo#1344461) Buffer overflow while parsing application/http-index-format content * CVE-2017-5445 (bmo#1344467) Uninitialized values used while parsing application/http-index-format content * CVE-2017-5442 (bmo#1347979) Use-after-free during style changes * CVE-2017-5469 (bmo#1292534) Potential Buffer overflow in flex-generated code * CVE-2017-5440 (bmo#1336832) Use-after-free in txExecutionState destructor during XSLT processing * CVE-2017-5441 (bmo#1343795) Use-after-free with selection during scroll events * CVE-2017-5439 (bmo#1336830) Use-after-free in nsTArray Length() during XSLT processing * CVE-2017-5438 (bmo#1336828) Use-after-free in nsAutoPtr during XSLT processing * CVE-2017-5437 (bmo#1343453) Vulnerabilities in Libevent library * CVE-2017-5436 (bmo#1345461) Out-of-bounds write with malicious font in Graphite 2 * CVE-2017-5435 (bmo#1350683) Use-after-free during transaction processing in the editor * CVE-2017-5434 (bmo#1349946) Use-after-free during focus handling * CVE-2017-5433 (bmo#1347168) Use-after-free in SMIL animation functions * CVE-2017-5432 (bmo#1346654) Use-after-free in text input selection * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476) Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 * CVE-2017-5459 (bmo#1333858) Buffer overflow in WebGL * CVE-2017-5462 (bmo#1345089) DRBG flaw in NSS * CVE-2017-5455 (bmo#1341191) Sandbox escape through internal feed reader APIs * CVE-2017-5454 (bmo#1349276) Sandbox escape allowing file system read access through file picker * CVE-2017-5456 (bmo#1344415) Sandbox escape allowing local file system access * CVE-2017-5451 (bmo#1273537) Addressbar spoofing with onblur event - requires NSS 3.28.4 - rebased patches ------------------------------------------------------------------- Mon Apr 3 06:28:34 UTC 2017 - wr@rosenauer.org - switch package to use ESR52 branch * enables plugin support by default * service workers are disabled by default * push notifications are disabled by default * WebAssembly (wasm) is disabled * Less use of multiprocess architecture Electrolysis (e10s) ------------------------------------------------------------------- Mon Apr 3 06:16:26 UTC 2017 - wr@rosenauer.org - update to Firefox 52.0.2 * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787) * Fix loading tab icons on session restore (bmo#1338009) * Fix a crash on startup on Linux (bmo#1345413) * Fix new installs erroneously not prompting to change the default browser setting (bmo#1343938) ------------------------------------------------------------------- Mon Mar 20 15:35:57 UTC 2017 - wr@rosenauer.org - disable rust usage for everything but x86(-64) - explicitely add libffi build requirement ------------------------------------------------------------------- Fri Mar 17 15:43:29 UTC 2017 - wr@rosenauer.org - update to Firefox 52.0.1 (boo#1029822) MFSA 2017-08 CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168) ------------------------------------------------------------------- Thu Mar 9 12:30:14 UTC 2017 - wr@rosenauer.org - reenable ALSA support which was removed by default upstream ------------------------------------------------------------------- Sat Mar 4 16:57:45 UTC 2017 - wr@rosenauer.org - update to Firefox 52.0 (boo#1028391) * requires NSS >= 3.28.3 * Pages containing insecure password fields now display a warning directly within username and password fields. * Send and open a tab from one device to another with Sync * Removed NPAPI support for plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. * Removed Battery Status API to reduce fingerprinting of users by trackers * MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622) CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687) CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711) CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504) CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370) CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719) CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar spoofing by draging and dropping URLs (bmo#791597) CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361) CVE-2017-5427: Non-existent chrome.manifest file loaded during startup (bmo#1295542) CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876) CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243) CVE-2017-5420: Javascript: URLs can obfuscate addressbar location (bmo#1284395) CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) CVE-2017-5421: Print preview spoofing (bmo#1301876) CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in Firefox 52 CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 - removed obsolete patches * mozilla-binutils-visibility.patch * mozilla-check_return.patch * mozilla-disable-skia-be.patch * mozilla-skia-overflow.patch * mozilla-skia-ppc-endianess.patch - rebased patches - enable rust usage for Tumbleweed ------------------------------------------------------------------- Fri Jan 27 20:25:59 UTC 2017 - astieger@suse.com - Mozilla Firefox 51.0.1: - Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423) ------------------------------------------------------------------- Fri Jan 20 13:57:56 UTC 2017 - wr@rosenauer.org - update to Firefox 51.0 * requires NSPR >= 4.13.1, NSS >= 3.28.1 * Added support for FLAC (Free Lossless Audio Codec) playback * Added support for WebGL 2 * Added Georgian (ka) and Kabyle (kab) locales * Support saving passwords for forms without 'submit' events * Improved video performance for users without GPU acceleration * Zoom indicator is shown in the URL bar if the zoom level is not at default level * View passwords from the prompt before saving them * Remove Belarusian (be) locale * Use Skia for content rendering (Linux) * MFSA 2017-01 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814) CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826) CVE-2017-5378: Pointer and frame data leakage of Javascript objects (bmo#1312001, bmo#1330769, boo#1021818) CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827) CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819) CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820) CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828) CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821) CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830) CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831) CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822) CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832) CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833) CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823) CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events (bmo#1222798) CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835) CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage (bmo#1293709) (Android only) CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837) CVE-2017-5395: Android location bar spoofing during scrolling (bmo#1293463) (Android only) CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839) CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840) CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841) CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (boo#1021824) - switch Firefox to Gtk3 for Tumbleweed - removed obsolete patches * mozilla-flex_buffer_overrun.patch - updated RPM locale support tag - improve recognition of LANGUAGE env variable (boo#1017174) - add upstream patch to fix PPC64LE (bmo#1319389) (mozilla-skia-ppc-endianess.patch) - fix build without skia (big endian archs) (bmo#1319374) (mozilla-disable-skia-be.patch) ------------------------------------------------------------------- Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org - update to Firefox 50.1.0 (boo#1015422) * MFSA 2016-94 CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628) CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements (bmo#1317409) CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) CVE-2016-9896: Use-after-free with WebVR (bmo#1315543) CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees (bmo#1314442) CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs (bmo#1319122) CVE-2016-9904: Cross-origin information leak in shared atoms (bmo#1317936) CVE-2016-9901: Data from Pocket server improperly sanitized before execution (bmo#1320057) CVE-2016-9902: Pocket extension does not validate the origin of events (bmo#1320039) CVE-2016-9903: XSS injection vulnerability in add-ons SDK (bmo#1315435) CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 ------------------------------------------------------------------- Fri Dec 9 17:57:22 UTC 2016 - cgrobertson@novell.com - added patch mozilla-aarch64-startup-crash.patch (bsc#1011922) ------------------------------------------------------------------- Thu Dec 1 02:49:45 UTC 2016 - wr@rosenauer.org - update to Firefox 50.0.2 * Firefox crashes with 3rd party Chinese IME when using IME text (50.0.1) security fixes (in 50.0.1): (boo#1012807) * MFSA 2016-91 CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect (bmo#1317641) security fixes (in 50.0.2) (boo#1012964) * MFSA 2016-92 CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066) ------------------------------------------------------------------- Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org - update to Firefox 50.0 (boo#1009026) * requires NSS 3.26.2 new features * Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R * Added option to Find in page that allows users to limit search to whole words only * Added download protection for a large number of executable file types on Windows, Mac and Linux * Fixed rendering of dashed and dotted borders with rounded corners (border-radius) * Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux) * Blocked versions of libavcodec older than 54.35.1 * additional locale security fixes: * MFSA 2016-89 CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) CVE-2016-5292: URL parsing causes crash (bmo#1288482) CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink (Windows only) (bmo#1246945) CVE-2016-5294: Arbitrary target directory for result files of update process (Windows only) (bmo#1246972) CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678) CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen (Android only) (bmo#1306696) CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile (bmo#1300083) (Windows only) CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM (Windows only) (bmo#1247239) CVE-2016-5298: SSL indicator can mislead the user about the real URL visited (bmo#1227538) (Android only) CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (bmo#1245791) (Android only) CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (Android only) (bmo#1245795) CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file (Android only) (bmo#1294438) CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" (bmo#1289273) CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) CVE-2016-5289: Memory safety bugs fixed in Firefox 50 CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 - make aarch64 build more similar to x86_64 build (remove conditionals that don't seem to be necessary anymore) ------------------------------------------------------------------- Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com - Mozilla Firefox 49.0.2: * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475) * CVE-2016-5288: Web content can read cache entries (bsc#1006476) * Asynchronous rendering of the Flash plugins is now enabled by default * Change D3D9 default fallback preference to prevent graphical artifacts * Network issue prevents some users from seeing the Firefox UI on startup * Web compatibility issue with file uploads * Web compatibility issue with Array.prototype.values * Diagnostic information on timing for tab switching * Fix a Canvas filters graphics issue affecting HTML5 apps ------------------------------------------------------------------- Wed Oct 12 20:42:28 UTC 2016 - badshah400@gmail.com - Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0 and fixes have been incorporated by upstream. ------------------------------------------------------------------- Fri Sep 23 20:36:39 UTC 2016 - astieger@suse.com - Mozilla Firefox 49.0.1: * Mitigate a startup crash issue caused by Websense - bmo#1304783 ------------------------------------------------------------------- Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org - update to Firefox 49.0 (boo#999701) new features * Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. * Added features to Reader Mode that make it easier on the eyes and the ears * Improved video performance for users on systems that support SSE3 without hardware acceleration * Added context menu controls to HTML5 audio and video that let users loops files or play files at 1.25x speed * Improvements in about:memory reports for tracking font memory usage security related * MFSA 2016-85 CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in PropertyProvider::GetSpacingInternal CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin CVE-2016-5273 (bmo#1280387) - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList CVE-2016-5274 (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame CVE-2016-5279 (bmo#1249522) - Full local path of files is available to web pages after drag and drop CVE-2016-5280 (bmo#1289970) - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons from non-whitelisted schemes CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can reveal cross-origin data CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 - removed obsolete patches: * mozilla-aarch64-48bit-va.patch * mozilla-exclude-nametablecpp.patch * mozilla-old_configure-bmo1282843.patch - added patch mozilla-skia-overflow.patch (bmo#1304114) - requires NSS 3.25 ------------------------------------------------------------------- Tue Aug 30 20:25:38 UTC 2016 - astieger@suse.com - Mozilla Firefox 48.0.2: * Mitigate a startup crash issue caused on Windows (bmo#1291738) ------------------------------------------------------------------- Sat Aug 20 10:58:26 UTC 2016 - astieger@suse.com - Mozilla Firefox 48.0.1: * Fix an audio regression impacting some major websites (bmo#1295296) * Fix a top crash in the JavaScript engine (bmo#1290469) * Fix a startup crash issue caused by Websense (bmo#1291738) * Fix a different behavior with e10s / non-e10s on <select> and mouse events (bmo#1291078) * Fix a top crash caused by plugin issues (bmo#1264530) * Fix a shutdown issue (bmo#1276920) * Fix a crash in WebRTC ------------------------------------------------------------------- Mon Aug 15 11:24:00 UTC 2016 - wr@rosenauer.org - added upstream patch so system plugins/extensions are correctly loaded again on x86-64 (bmo#1282843) (mozilla-old_configure-bmo1282843.patch) ------------------------------------------------------------------- Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com - Fix for possible buffer overrun (bsc#990856) CVE-2016-6354 (bmo#1292534) [mozilla-flex_buffer_overrun.patch] ------------------------------------------------------------------- Wed Aug 3 03:38:47 UTC 2016 - badshah400@gmail.com - Update mozilla-gtk3_20.patch to latest version from Fedora. ------------------------------------------------------------------- Mon Aug 1 12:37:05 UTC 2016 - wr@rosenauer.org - update to Firefox 48.0 (boo#991809) * requires NSS 3.24 * Process separation (e10s) is enabled for some of you * Add-ons that have not been verified and signed by Mozilla will not load * WebRTC embetterments * The media parser has been redeveloped using the Rust programming language * better Canvas performance with speedy Skia support security fixes: * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836 Miscellaneous memory safety hazards * MFSA 2016-63/CVE-2016-2830 (bmo#1255270) Favicon network connection can persist when page is closed * MFSA 2016-64/CVE-2016-2838 (bmo#1279814) Buffer overflow rendering SVG with bidirectional content * MFSA 2016-65/CVE-2016-2839 (bmo#1275339) Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 * MFSA 2016-66/CVE-2016-5251 (bmo#1255570) Location bar spoofing via data URLs with malformed/invalid mediatypes * MFSA 2016-67/CVE-2016-5252 (bmo#1268854) Stack underflow during 2D graphics rendering * MFSA 2016-68/CVE-2016-0718 (bmo#1236923) Out-of-bounds read during XML parsing in Expat library * MFSA 2016-69/CVE-2016-5253 (bmo#1246944) Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter (Windows-only) * MFSA 2016-70/CVE-2016-5254 (bmo#1266963) Use-after-free when using alt key and toplevel menus * MFSA 2016-71/CVE-2016-5255 (bmo#1212356) Crash in incremental garbage collection in JavaScript * MFSA 2016-72/CVE-2016-5258 (bmo#1279146) Use-after-free in DTLS during WebRTC session shutdown * MFSA 2016-73/CVE-2016-5259 (bmo#1282992) Use-after-free in service workers with nested sync events * MFSA 2016-74/CVE-2016-5260 (bmo#1280294) Form input type change from password to text can store plain text password in session restore file * MFSA 2016-75/CVE-2016-5261 (bmo#1287266) Integer overflow in WebSockets during data buffering * MFSA 2016-76/CVE-2016-5262 (bmo#1277475) Scripts on marquee tag can execute in sandboxed iframes * MFSA 2016-77/CVE-2016-2837 (bmo#1274637) Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback * MFSA 2016-78/CVE-2016-5263 (bmo#1276897) Type confusion in display transformation * MFSA 2016-79/CVE-2016-5264 (bmo#1286183) Use-after-free when applying SVG effects * MFSA 2016-80/CVE-2016-5265 (bmo#1278013) Same-origin policy violation using local HTML file and saved shortcut file * MFSA 2016-81/CVE-2016-5266 (bmo#1226977) Information disclosure and local file manipulation through drag and drop * MFSA 2016-82/CVE-2016-5267 (bmo#1284372) Addressbar spoofing with right-to-left characters on Firefox for Android (Android only) * MFSA 2016-83/CVE-2016-5268 (bmo#1253673) Spoofing attack through text injection into internal error pages * MFSA 2016-84/CVE-2016-5250 (bmo#1254688) Information disclosure through Resource Timing API during page navigation - removed obsolete mozilla-gcc6.patch ------------------------------------------------------------------- Fri Jul 29 01:26:13 UTC 2016 - badshah400@gmail.com - Update description and screenshots in appdata.xml file. ------------------------------------------------------------------- Sat Jul 23 20:13:08 UTC 2016 - antoine.belvire@laposte.net - Fix Firefox crash on startup on i586 (boo#986541): * Add -fno-delete-null-pointer-checks and -fno-inline-small-functions to CFLAGS ------------------------------------------------------------------- Tue Jul 19 20:12:11 UTC 2016 - mailaender@opensuse.org - Update the appdata.xml file (replace Windows XP screenshot) ------------------------------------------------------------------- Wed Jun 29 09:25:41 UTC 2016 - astieger@suse.com - Mozilla Firefox 47.0.1: * Selenium WebDriver may cause Firefox to crash at startup (bmo#1280854) ------------------------------------------------------------------- Wed Jun 15 07:52:18 UTC 2016 - wr@rosenauer.org - mozilla-binutils-visibility.patch to fix build issues with gcc/binutils combination used in Leap 42.2 (boo#984637) ------------------------------------------------------------------- Tue Jun 14 08:35:03 UTC 2016 - badshah400@gmail.com - Update mozilla-gtk3_20.patch to latest version from Fedora. ------------------------------------------------------------------- Mon Jun 13 20:28:01 UTC 2016 - agraf@suse.com - Fix running on 48bit va aarch64 (bsc#984126) * add patch mozilla-aarch64-48bit-va.patch ------------------------------------------------------------------- Mon Jun 13 15:27:13 UTC 2016 - wr@rosenauer.org - fix XUL dialog button order under KDE session (boo#984403) ------------------------------------------------------------------- Tue Jun 7 19:47:25 UTC 2016 - wr@rosenauer.org - update to Firefox 47.0 (boo#983549) * Enable VP9 video codec for users with fast machines * Embedded YouTube videos now play with HTML5 video if Flash is not installed * View and search open tabs from your smartphone or another computer in a sidebar * Allow no-cache on back/forward navigations for https resources security fixes: * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818 (boo#983638) (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743, bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493, bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752, bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130, bmo#1269729, bmo#1273202, bmo#1273701) Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381) Buffer overflow parsing HTML5 fragments * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460) Use-after-free deleting tables from a contenteditable document * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129) Addressbar spoofing though the SELECT element * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580) Out-of-bounds write with WebGL shader * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093) Partial same-origin-policy through setting location.host through data URI * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810) Use-after-free when textures are used in WebGL operations after recycle pool destruction * MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329) Incorrect icon displayed on permissions notifications * MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933) Entering fullscreen and persistent pointerlock without user permission * MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267) Information disclosure of disabled plugins through CSS pseudo-classes * MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933) Java applets bypass CSP protections * MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283, bmo#1221620, bmo#1241034, bmo#1241037) Network Security Services (NSS) vulnerabilities fixed by requiring NSS 3.23 packaging changes: * cleanup configure options (boo#981695): - notably remove GStreamer support which is gone from FF * remove obsolete patches - mozilla-libproxy.patch - mozilla-repo.patch ------------------------------------------------------------------- Wed May 25 16:36:23 UTC 2016 - badshah400@gmail.com - The conditional testing for gcc was failing for different openSUSE versions, drop it and apply patches unconditionally. ------------------------------------------------------------------- Mon May 23 15:30:27 UTC 2016 - badshah400@gmail.com - Add patches to fix building with gcc6: + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch taken from upstream: https://hg.mozilla.org/mozilla-central/rev/55212130f19d. + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp from unified compilation because #include <cmath> in other source files causes gcc6 compilation failure; patch taken from upstream: https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc. ------------------------------------------------------------------- Fri May 13 00:00:00 CEST 2016 - dsterba@suse.cz - enable build with PIE and full relro on x86_64 (boo#980384) ------------------------------------------------------------------- Wed May 4 10:27:43 UTC 2016 - wr@rosenauer.org - update to Firefox 46.0.1 Fixed: * Search plugin issue for various locales * Add-on signing certificate expiration * Service worker update issue * Build issue when jit is disabled * Limit Sync registration updates - removed now obsolete mozilla-jit_branch64.patch ------------------------------------------------------------------- Tue May 3 15:47:18 UTC 2016 - normand@linux.vnet.ibm.com - add mozilla-jit_branch64.patch to avoid PowerPC build failure (from bmo#1266366) ------------------------------------------------------------------- Wed Apr 27 08:39:28 UTC 2016 - badshah400@gmail.com - Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest version from Fedora). ------------------------------------------------------------------- Wed Apr 27 06:09:30 UTC 2016 - wr@rosenauer.org - update to Firefox 46.0 (boo#977333) * Improved security of the JavaScript Just In Time (JIT) Compiler * WebRTC fixes to improve performance and stability * Added support for document.elementsFromPoint * Added HKDF support for Web Crypto API * requires NSPR 4.12 and NSS 3.22.3 * added patch to fix unchecked return value mozilla-check_return.patch * Gtk3 builds not supported at the moment security fixes: * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807 (boo#977373, boo#977375, boo#977376) Miscellaneous memory safety hazards * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377) Privilege escalation through file deletion by Maintenance Service updater (Windows only) * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378) Content provider permission bypass allows malicious application to access data (Android only) * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812 (bmo#1252330, bmo#1261776, boo#977379) Use-after-free and buffer overflow in Service Workers * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380) Disclosure of user actions through JavaScript with motion and orientation sensors (only affects mobile variants) * MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381) Buffer overflow in libstagefright with CENC offsets * MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382) CSP not applied to pages sent with multipart/x-mixed-replace * MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384) Elevation of privilege with chrome.tabs.update API in web extensions * MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386) Write to invalid HashMap entry through JavaScript.watch() * MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388) Firefox Health Reports could accept events from untrusted domains ------------------------------------------------------------------- Thu Apr 21 12:00:28 UTC 2016 - badshah400@gmail.com - Update mozilla-gtk3_20.patch to fix scrollbar appearance under gtk >= 3.20 (patch synced to Fedora's version). ------------------------------------------------------------------- Tue Apr 12 19:11:30 UTC 2016 - badshah400@gmail.com - Compile against gtk3 depending on whether the macro %firefox_use_gtk3 is defined or not (e.g., at the prjconf level); macro is undefined by default and so gtk2 is used as the default toolkit. - Add BuildRequires for additional packages needed when building against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0), pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0). - Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20; patch taken from Fedora (bmo#1230955). ------------------------------------------------------------------- Mon Apr 11 22:49:24 UTC 2016 - astieger@suse.com - Mozilla Firefox 45.0.2: * Fix an issue impacting the cookie header when third-party cookies are blocked (bmo#1257861) * Fix a web compatibility regression impacting the srcset attribute of the image tag (bmo#1259482) * Fix a crash impacting the video playback with Media Source Extension (bmo#1258562) * Fix a regression impacting some specific uploads (bmo#1255735) * Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (bmo#1254980) ------------------------------------------------------------------- Fri Mar 18 08:52:58 UTC 2016 - astieger@suse.com - Mozilla Firefox 45.0.1: * Fix a regression causing search engine settings to be lost in some context (bmo#1254694) * Bring back non-standard jar: URIs to fix a regression in IBM iNotes (bmo#1255139) * XSLTProcessor.importStylesheet was failing when <import> was used (bmo#1249572) * Fix an issue which could cause the list of search provider to be empty (bmo#1255605) * Fix a regression when using the location bar (bmo#1254503) * Fix some loading issues when Accept third-party cookies: was set to Never (bmo#1254856) * Disabled Graphite font shaping library ------------------------------------------------------------------- Sun Mar 6 19:52:13 UTC 2016 - wr@rosenauer.org - update to Firefox 45.0 (boo#969894) * requires NSPR 4.12 / NSS 3.21.1 * Instant browser tab sharing through Hello * Synced Tabs button in button bar * Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching * Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level * Tab Groups (Panorama) feature removed * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 Miscellaneous memory safety hazards * MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file overwriting and potential privilege escalation through CSP reports * MFSA 2016-18/CVE-2016-1955 (bmo#1208946) CSP reports fail to strip location information for embedded iframe pages * MFSA 2016-19/CVE-2016-1956 (bmo#1199923) Linux video memory DOS with Intel drivers * MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in libstagefright when deleting an array during MP4 processing * MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page address can be overridden * MFSA 2016-22/CVE-2016-1959 (bmo#1234949) Service Worker Manager out-of-bounds read in Service Worker Manager * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) Use-after-free in HTML5 string parser * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) Use-after-free in SetBody * MFSA 2016-25/CVE-2016-1962 (bmo#1240760) Use-after-free when using multiple WebRTC data channels * MFSA 2016-26/CVE-2016-1963 (bmo#1238440) Memory corruption when modifying a file being read by FileReader * MFSA 2016-27/CVE-2016-1964 (bmo#1243335) Use-after-free during XML transformations * MFSA 2016-28/CVE-2016-1965 (bmo#1245264) Addressbar spoofing though history navigation and Location protocol property * MFSA 2016-29/CVE-2016-1967 (bmo#1246956) Same-origin policy violation using perfomance.getEntries and history navigation with session restore * MFSA 2016-30/CVE-2016-1968 (bmo#1246742) Buffer overflow in Brotli decompression * MFSA 2016-31/CVE-2016-1966 (bmo#1246054) Memory corruption with malicious NPAPI plugin * MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/ CVE-2016-1976/CVE-2016-1972 WebRTC and LibVPX vulnerabilities found through code inspection * MFSA 2016-33/CVE-2016-1973 (bmo#1219339) Use-after-free in GetStaticInstance in WebRTC * MFSA 2016-34/CVE-2016-1974 (bmo#1228103) Out-of-bounds read in HTML parser following a failed allocation * MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow during ASN.1 decoding in NSS (fixed by requiring 3.21.1) * MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free during processing of DER encoded keys in NSS (fixed by requiring 3.21.1) * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/ CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/ CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/ CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font vulnerabilities in the Graphite 2 library ------------------------------------------------------------------- Sat Mar 5 15:27:00 UTC 2016 - olaf@aepfle.de - Remove B_CNT from symbols.zip filename to reduce build-compare noise ------------------------------------------------------------------- Fri Feb 26 16:22:52 UTC 2016 - astieger@suse.com - fix build problems on i586, caused by too large unified compile units - adding mozilla-reduce-files-per-UnifiedBindings.patch ------------------------------------------------------------------- Thu Feb 11 07:51:34 UTC 2016 - wr@rosenauer.org - update to Firefox 44.0.2 * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438) Same-origin-policy violation using Service Workers with plugins * Fix issue which could lead to the removal of stored passwords under certain circumstances (bmo#1242176) * Allows spaces in cookie names (bmo#1244505) * Disable opus/vorbis audio with H.264 (bmo#1245696) * Fix for graphics startup crash (GNU/Linux) (bmo#1222171) * Fix a crash in cache networking (bmo#1244076) * Fix using WebSockets in service worker controlled pages (bmo#1243942) ------------------------------------------------------------------- Sat Jan 30 08:28:17 UTC 2016 - dmueller@suse.com - build fixes for arm/aarch64: * disable webrtc for arm/aarch64 * switch away from openGL-ES backend to default for arm/aarch64 since it almost never builds * reenable neon - reenable webrtc for powerpc as it seems to build ------------------------------------------------------------------- Sun Jan 24 09:33:15 UTC 2016 - wr@rosenauer.org - update to Firefox 44.0 * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633 Miscellaneous memory safety hazards * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634 Out of Memory crash when parsing GIF format images * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635 Buffer overflow in WebGL after out of memory allocation * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637 Firefox allows for control characters to be set in cookie names * MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641 Missing delay following user click events in protocol handler dialog * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731 Errors in mp_div and mp_exptmod cryptographic functions in NSS (fixed by requiring NSS 3.21) * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590) Addressbar spoofing attacks boo#963643 * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946 (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644 Unsafe memory manipulation found through code inspection * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645 Application Reputation service disabled in Firefox 43 * requires NSPR 4.11 * requires NSS 3.21 - prepare mozilla-kde.patch for Gtk3 builds - rebased patches ------------------------------------------------------------------- Mon Jan 11 08:04:24 UTC 2016 - astieger@suse.com - Mozilla Firefox 43.0.4: * Re-enable SHA-1 certificates to prevent outdated man-in-the-middle security devices from interfering with properly secured SSL/TLS connections (bmo#1236975) * Fix for startup crash for users of a third party antivirus tool (bmo#1235537) - The following change was previously in the package as a patch: * Multi-user GNU/Linux download folders can be created (bmo#1233434), removed mozilla-bmo1233434.patch ------------------------------------------------------------------- Tue Dec 29 20:29:35 UTC 2015 - wr@rosenauer.org - update to Firefox 43.0.3 * requires NSS 3.20.2 to fix MFSA 2015-150/CVE-2015-7575 (bmo#1158489) MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature * various changes to support Windows update (SHA-1 vs. SHA-2) * workaround Youtube user agent detection issue (bmo#1233970) - fix file download regression for multi user systems (bmo#1233434) (mozilla-bmo1233434.patch) - explicitely requires libXcomposite-devel ------------------------------------------------------------------- Sun Dec 13 23:07:56 UTC 2015 - wr@rosenauer.org - update to Firefox 43.0 (bnc#959277) * Improved API support for m4v video playback * Users can opt-in to receive search suggestions from the Awesome Bar * WebRTC streaming on multiple monitors * User selectable second block list for Private Browsing's Tracking Protection security fixes: * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 Miscellaneous memory safety hazards * MFSA 2015-135/CVE-2015-7204 (bmo#1216130) Crash with JavaScript variable assignment with unboxed objects * MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin policy violation using perfomance.getEntries and history navigation * MFSA 2015-137/CVE-2015-7208 (bmo#1191423) Firefox allows for control characters to be set in cookies * MFSA 2015-138/CVE-2015-7210 (bmo#1218326) Use-after-free in WebRTC when datachannel is used after being destroyed * MFSA 2015-139/CVE-2015-7212 (bmo#1222809) Integer overflow allocating extremely large textures * MFSA 2015-140/CVE-2015-7215 (bmo#1160890) Cross-origin information leak through web workers error events * MFSA 2015-141/CVE-2015-7211 (bmo#1221444) Hash in data URI is incorrectly parsed * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) DOS due to malformed frames in HTTP/2 * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) Linux file chooser crashes on malformed images due to flaws in Jasper library * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221 (bmo#1201183, bmo#1178033, bmo#1199400) Buffer overflows found through code inspection * MFSA 2015-145/CVE-2015-7205 (bmo#1220493) Underflow through code inspection * MFSA 2015-146/CVE-2015-7213 (bmo#1206211) Integer overflow in MP4 playback in 64-bit versions * MFSA 2015-147/CVE-2015-7222 (bmo#1216748) Integer underflow and buffer overflow processing MP4 metadata in libstagefright * MFSA 2015-148/CVE-2015-7223 (bmo#1226423) Privilege escalation vulnerabilities in WebExtension APIs * MFSA 2015-149/CVE-2015-7214 (bmo#1228950) Cross-site reading attack through data and view-source URIs - rebased patches ------------------------------------------------------------------- Sun Nov 15 19:52:20 UTC 2015 - wr@rosenauer.org - Add desktop menu action for private browsing window to desktop file (boo#954747) - remove obsolete patch mozilla-bmo1005535.patch completely from source package to avoid automatic check failures ------------------------------------------------------------------- Sat Oct 31 19:50:03 UTC 2015 - wr@rosenauer.org - update to Firefox 42.0 (bnc#952810) * Private Browsing with Tracking Protection blocks certain Web elements that could be used to record your behavior across sites * Control Center that contains site security and privacy controls * Login Manager improvements * WebRTC improvements * Indicator added to tabs that play audio with one-click muting * Media Source Extension for HTML5 video available for all sites security fixes: * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514 Miscellaneous memory safety hazards * MFSA 2015-117/CVE-2015-4515 (bmo#1046421) Information disclosure through NTLM authentication * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692) CSP bypass due to permissive Reader mode whitelist * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only) Firefox for Android addressbar can be removed after fullscreen mode * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only) Reading sensitive profile files through local HTML file on Android * MFSA 2015-121/CVE-2015-7187 (bmo#1195735) disabling scripts in Add-on SDK panels has no effect * MFSA 2015-122/CVE-2015-7188 (bmo#1199430) Trailing whitespace in IP address hostnames can bypass same-origin policy * MFSA 2015-123/CVE-2015-7189 (bmo#1205900) Buffer overflow during image interactions in canvas * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only) Android intents can be used on Firefox for Android to open privileged files * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only) XSS attack through intents on Firefox for Android * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only) Crash when accessing HTML tables with accessibility tools on OS X * MFSA 2015-127/CVE-2015-7193 (bmo#1210302) CORS preflight is bypassed when non-standard Content-Type headers are received * MFSA 2015-128/CVE-2015-7194 (bmo#1211262) Memory corruption in libjar through zip files * MFSA 2015-129/CVE-2015-7195 (bmo#1211871) Certain escaped characters in host of Location-header are being treated as non-escaped * MFSA 2015-130/CVE-2015-7196 (bmo#1140616) JavaScript garbage collection crash with Java applet * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 (bmo#1188010, bmo#1204061, bmo#1204155) Vulnerabilities found through code inspection * MFSA 2015-132/CVE-2015-7197 (bmo#1204269) Mixed content WebSocket policy bypass through workers * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 (bmo#1202868, bmo#1205157) NSS and NSPR memory corruption issues (fixed in mozilla-nspr and mozilla-nss packages) - requires NSPR >= 4.10.10 and NSS >= 3.19.4 - removed obsolete patches * mozilla-arm-disable-edsp.patch * mozilla-icu-strncat.patch * mozilla-skia-be-le.patch * toolkit-download-folder.patch - fixed build with enable-libproxy (bmo#1220399) * mozilla-libproxy.patch ------------------------------------------------------------------- Thu Oct 15 08:25:54 UTC 2015 - wr@rosenauer.org - update to Firefox 41.0.2 (bnc#950686) * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669) Cross-origin restriction bypass using Fetch - added explicit appdata provides (bnc#949983) ------------------------------------------------------------------- Sun Oct 4 09:20:56 UTC 2015 - wr@rosenauer.org - do not build with --enable-stdcxx-compat (this starts to fail build on various toolchain combinations and is not required for openSUSE builds in general ------------------------------------------------------------------- Thu Oct 1 09:49:57 UTC 2015 - wr@rosenauer.org - update to Firefox 41.0.1 * Fix a startup crash related to Yandex toolbar and Adblock Plus (bmo#1209124) * Fix potential hangs with Flash plugins (bmo#1185639) * Fix a regression in the bookmark creation (bmo#1206376) * Fix a startup crash with some Intel Media Accelerator 3150 graphic cards (bmo#1207665) * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601) ------------------------------------------------------------------- Sat Sep 19 20:23:29 UTC 2015 - wr@rosenauer.org - update to Firefox 41.0 (bnc#947003) * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards * MFSA 2015-97/CVE-2015-4503 (bmo#994337) Memory leak in mozTCPSocket to servers * MFSA 2015-98/CVE-2015-4504 (bmo#1132467) Out of bounds read in QCMS library with ICC V4 profile attributes * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only) Site attribute spoofing on Android by pasting URL with unknown scheme * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) Arbitrary file manipulation by local user through Mozilla updater * MFSA 2015-101/CVE-2015-4506 (bmo#1192226) Buffer overflow in libvpx while parsing vp9 format video * MFSA 2015-102/CVE-2015-4507 (bmo#1192401) Crash when using debugger with SavedStacks in JavaScript * MFSA 2015-103/CVE-2015-4508 (bmo#1195976) URL spoofing in reader mode * MFSA 2015-104/CVE-2015-4510 (bmo#1200004) Use-after-free with shared workers and IndexedDB * MFSA 2015-105/CVE-2015-4511 (bmo#1200148) Buffer overflow while decoding WebM video * MFSA 2015-106/CVE-2015-4509 (bmo#1198435) Use-after-free while manipulating HTML media content * MFSA 2015-107/CVE-2015-4512 (bmo#1170390) Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems * MFSA 2015-108/CVE-2015-4502 (bmo#1105045) Scripted proxies can access inner window * MFSA 2015-109/CVE-2015-4516 (bmo#904886) JavaScript immutable property enforcement can be bypassed * MFSA 2015-110/CVE-2015-4519 (bmo#1189814) Dragging and dropping images exposes final URL after redirects * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869) Errors in the handling of CORS preflight request headers * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/ CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/ CVE-2015-7180 Vulnerabilities found through code inspection * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860, bmo#1190526) (Windows only) Memory safety errors in libGLES in the ANGLE graphics library * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only) Information disclosure via the High Resolution Time API - rebased patches - removed obsolete patches * mozilla-arm64-libjpeg-turbo.patch ------------------------------------------------------------------- Thu Aug 27 06:03:51 UTC 2015 - wr@rosenauer.org - update to Firefox 40.0.3 (bnc#943550) * Disable the asynchronous plugin initialization (bmo#1198590) * Fix a segmentation fault in the GStreamer support (bmo#1145230) * Fix a regression with some Japanese fonts used in the <input> field (bmo#1194055) * On some sites, the selection in a select combox box using the mouse could be broken (bmo#1194733) security fixes * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278) Use-after-free when resizing canvas element during restyling * MFSA 2015-95/CVE-2015-4498 (bmo#1042699) Add-on notification bypass through data URLs ------------------------------------------------------------------- Fri Aug 7 07:49:49 UTC 2015 - wr@rosenauer.org - update to Firefox 40.0 (bnc#940806) * Added protection against unwanted software downloads * Suggested Tiles show sites of interest, based on categories from your recent browsing history * Hello allows adding a link to conversations to provide context on what the conversation will be about * New style for add-on manager based on the in-content preferences style * Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only) * Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked security fixes: * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards * MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file * MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream playback * MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright * MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows) * MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file (does not affect openSUSE RPM packages which do not ship the updater) * MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol with POST bypasses mixed content protections * MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript * MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection * MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification * MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers - added mozilla-no-stdcxx-check.patch - removed obsolete patches * mozilla-add-glibcxx_use_cxx11_abi.patch * firefox-multilocale-chrome.patch - rebased patches - requires version 40 of the branding package - removed browser/searchplugins/ location as it's not valid anymore ------------------------------------------------------------------- Fri Aug 7 07:09:39 UTC 2015 - wr@rosenauer.org - security update to Firefox 39.0.3 (bnc#940918) * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) Same origin violation and local file stealing via PDF reader ------------------------------------------------------------------- Wed Jul 1 06:43:02 UTC 2015 - wr@rosenauer.org - update to Firefox 39.0 (bnc#935979) * Share Hello URLs with social networks * Support for 'switch' role in ARIA 1.1 (web accessibility) * SafeBrowsing malware detection lookups enabled for downloads (Mac OS X and Linux) * Support for new Unicode 8.0 skin tone emoji * Removed support for insecure SSLv3 for network communications * Disable use of RC4 except for temporarily whitelisted hosts * NPAPI Plug-in performance improved via asynchronous initialization security fixes: * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726 Miscellaneous memory safety hazards * MFSA 2015-60/CVE-2015-2727 (bmo#1163422) Local files or privileged URLs in pages can be opened into new tabs * MFSA 2015-61/CVE-2015-2728 (bmo#1142210) Type confusion in Indexed Database Manager * MFSA 2015-62/CVE-2015-2729 (bmo#1122218) Out-of-bound read while computing an oscillator rendering range in Web Audio * MFSA 2015-63/CVE-2015-2731 (bmo#1149891) Use-after-free in Content Policy due to microtask execution error * MFSA 2015-64/CVE-2015-2730 (bmo#1125025) ECDSA signature validation fails to handle some signatures correctly (this fix is shipped by NSS 3.19.1 externally) * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867) Use-after-free in workers while using XMLHttpRequest * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737 CVE-2015-2738/CVE-2015-2739/CVE-2015-2740 Vulnerabilities found through code inspection * MFSA 2015-67/CVE-2015-2741 (bmo#1147497) Key pinning is ignored when overridable errors are encountered * MFSA 2015-68/CVE-2015-2742 (bmo#1138669) OS X crash reports may contain entered key press information (not relevant under Linux) * MFSA 2015-69/CVE-2015-2743 (bmo#1163109) Privilege escalation in PDF.js * MFSA 2015-70/CVE-2015-4000 (bmo#1138554) NSS accepts export-length DHE keys with regular DHE cipher suites (this fix is shipped by NSS 3.19.1 externally) * MFSA 2015-71/CVE-2015-2721 (bmo#1086145) NSS incorrectly permits skipping of ServerKeyExchange (this fix is shipped by NSS 3.19.1 externally) - dropped mozilla-prefer_plugin_pref.patch as this feature is likely not worth maintaining further - rebased patches - require NSS 3.19.2 ------------------------------------------------------------------- Thu Jun 18 10:30:18 UTC 2015 - schwab@suse.de - mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration ------------------------------------------------------------------- Sun Jun 7 07:09:12 UTC 2015 - wr@rosenauer.org - update to Firefox 38.0.6 * fixes bmo#1171730 which is not really relevant to oS builds - fix KDE regression from 38.0.5 builds (bsc#933439) ------------------------------------------------------------------- Sat May 23 21:13:49 UTC 2015 - wr@rosenauer.org - update to Firefox 38.0.5 * Keep track of articles and videos with Pocket * Clean formatting for articles and blog posts with Reader View * Share the active tab or window in a Hello conversation - add changes file as source for SRPM (bsc#932142) ------------------------------------------------------------------- Fri May 15 10:40:19 UTC 2015 - normand@linux.vnet.ibm.com - add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from https://bugzilla.mozilla.org/show_bug.cgi?id=1153109 ------------------------------------------------------------------- Fri May 15 07:37:46 UTC 2015 - wr@rosenauer.org - update to Firefox 38.0.1 stability and regression fixes * Systems with first generation NVidia Optimus graphics cards may crash on start-up * Users who import cookies from Google Chrome can end up with broken websites * Large animated images may fail to play and may stop other images from loading ------------------------------------------------------------------- Sun May 10 07:07:49 UTC 2015 - wr@rosenauer.org - update to Firefox 38.0 (bnc#930622) * New tab-based preferences * Ruby annotation support * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/ security fixes: * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous memory safety hazards * MFSA 2015-47/VE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS * MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy ignored when links opened by middle-click and context menu * MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds read and write in asm.js validation * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled * MFSA 2015-53/CVE-2015-2715 (bmo#988698) Use-after-free due to Media Decoder Thread creation during shutdown * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing compressed XML * MFSA 2015-55/CVE-2015-2717 (bmo#1154683) Buffer overflow and out-of-bounds read while parsing MP4 video metadata * MFSA 2015-56/CVE-2015-2718 (bmo#1146724) Untrusted site hosting trusted page can intercept webchannel responses * MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege escalation through IPC channel messages - requires NSS 3.18.1 - removed obsolete patches: * mozilla-skia-bmo1136958.patch - remove gnomevfs build options as it is removed from sources - rebased patches ------------------------------------------------------------------- Fri Apr 17 16:39:20 UTC 2015 - wr@rosenauer.org - update to Firefox 37.0.2 (bnc#928116) * MFSA 2015-45/CVE-2015-2706 (bmo#1141081) Memory corruption during failed plugin initialization ------------------------------------------------------------------- Fri Apr 3 08:27:24 UTC 2015 - wr@rosenauer.org - update to Firefox 37.0.1 (bnc#926166) * MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only) Loading privileged content through Reader mode * MFSA 2015-44/CVE-2015-0799 (bmo#1148328) Certificate verification bypass through the HTTP/2 Alt-Svc header ------------------------------------------------------------------- Sat Mar 28 09:46:48 UTC 2015 - wr@rosenauer.org - update to Firefox 37.0 (bnc#925368) * Heartbeat user rating system * Yandex set as default search provider for the Turkish locale * Bing search now uses HTTPS for secure searching * Improved protection against site impersonation via OneCRL centralized certificate revocation * Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc * some more behaviour changes for TLS security fixes: * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 Miscellaneous memory safety hazards * MFSA 2015-31/CVE-2015-0813 (bmo#1106596)) Use-after-free when using the Fluendo MP3 GStreamer plugin * MFSA 2015-32/CVE-2015-0812 (bmo#1128126) Add-on lightweight theme installation approval bypassed through MITM attack * MFSA 2015-33/CVE-2015-0816 (bmo#1144991) resource:// documents can load privileged pages * MFSA-2015-34/CVE-2015-0811 (bmo#1132468) Out of bounds read in QCMS library * MFSA-2015-35/CVE-2015-0810 (bmo#1125013) Cursor clickjacking with flash and images (OS X only) * MFSA-2015-36/CVE-2015-0808 (bmo#1109552) Incorrect memory management for simple-type arrays in WebRTC * MFSA-2015-37/CVE-2015-0807 (bmo#1111834) CORS requests should not follow 30x redirections after preflight * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437) Memory corruption crashes in Off Main Thread Compositing * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560) Use-after-free due to type confusion flaws * MFSA-2015-40/CVE-2015-0801 (bmo#1146339) Same-origin bypass through anchor navigation * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808 PRNG weakness allows for DNS poisoning on Android (only) * MFSA-2015-42/CVE-2015-0802 (bmo#1124898) Windows can retain access to privileged content on navigation to unprivileged pages - removed obsolete patches * mozilla-bmo1088588.patch * mozilla-bmo1108834.patch - requires NSPR 4.10.8 ------------------------------------------------------------------- Tue Mar 24 15:35:24 UTC 2015 - dvaleev@suse.com - Fix builds with skia on Power mozilla-skia-be-le.patch (patch from #bmo1136958) mozilla-bmo1108834.patch mozilla-bmo1005535.patch ------------------------------------------------------------------- Sat Mar 21 09:03:12 UTC 2015 - wr@rosenauer.org - update to Firefox 36.0.4 (bnc#923534) * MFSA 2015-28/CVE-2015-0818 (bmo#1144988) Privilege escalation through SVG navigation * MFSA 2015-29/CVE-2015-0817 (bmo#1145255) Code execution through incorrect JavaScript bounds checking elimination ------------------------------------------------------------------- Fri Mar 20 15:02:33 UTC 2015 - dimstar@opensuse.org - Copy the icons to /usr/share/icons instead of symlinking them: in preparation for containerized apps (e.g. xdg-app) as well as AppStream metadata extraction, there are a couple locations that need to be real files for system integration (.desktop files, icons, mime-type info). ------------------------------------------------------------------- Sat Mar 7 07:40:56 UTC 2015 - wr@rosenauer.org - update to Firefox 36.0.1 Bugfixes: * Disable the usage of the ANY DNS query type (bmo#1093983) * Hello may become inactive until restart (bmo#1137469) * Print preferences may not be preserved (bmo#1136855) * Hello contact tabs may not be visible (bmo#1137141) * Accept hostnames that include an underscore character ("_") (bmo#1136616) * WebGL may use significant memory with Canvas2d (bmo#1137251) * Option -remote has been restored (bmo#1080319) - added mozilla-skia-bmo1136958.patch to fix build issues for ARM and PPC ------------------------------------------------------------------- Fri Feb 20 22:53:39 UTC 2015 - wr@rosenauer.org - update to Firefox 36.0 (bnc#917597) * mozilla-xremote-client was removed * added libclearkey.so media plugin * Pinned tiles on the new tab page can be synced * Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web. * Locale added: Uzbek (uz) security fixes: * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836 Miscellaneous memory safety hazards * MFSA 2015-12/CVE-2015-0833 (bmo#945192) Invoking Mozilla updater will load locally stored DLL files (Windows only) * MFSA 2015-13/CVE-2015-0832 (bmo#1065909) Appended period to hostnames can bypass HPKP and HSTS protections * MFSA 2015-14/CVE-2015-0830 (bmo#1110488) Malicious WebGL content crash when writing strings * MFSA 2015-15/CVE-2015-0834 (bmo#1098314) TLS TURN and STUN connections silently fail to simple TCP connections * MFSA 2015-16/CVE-2015-0831 (bmo#1130514) Use-after-free in IndexedDB * MFSA 2015-17/CVE-2015-0829 (bmo#1128939) Buffer overflow in libstagefright during MP4 video playback * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675) Double-free when using non-default memory allocators with a zero-length XHR * MFSA 2015-19/CVE-2015-0827 (bmo#1117304) Out-of-bounds read and write while rendering SVG content * MFSA 2015-20/CVE-2015-0826 (bmo#1092363) Buffer overflow during CSS restyling * MFSA 2015-21/CVE-2015-0825 (bmo#1092370) Buffer underflow during MP3 playback * MFSA 2015-22/CVE-2015-0824 (bmo#1095925) Crash using DrawTarget in Cairo graphics library * MFSA 2015-23/CVE-2015-0823 (bmo#1098497) Use-after-free in Developer Console date with OpenType Sanitiser * MFSA 2015-24/CVE-2015-0822 (bmo#1110557) Reading of local files through manipulation of form autocomplete * MFSA 2015-25/CVE-2015-0821 (bmo#1111960) Local files or privileged URLs in pages can be opened into new tabs * MFSA 2015-26/CVE-2015-0819 (bmo#1079554) UI Tour whitelisted sites in background tab can spoof foreground tabs * MFSA 2015-27CVE-2015-0820 (bmo#1125398) Caja Compiler JavaScript sandbox bypass - rebased patches - requires NSS 3.17.4 ------------------------------------------------------------------- Sat Jan 31 18:37:38 UTC 2015 - wr@rosenauer.org - update to Firefox 35.0.1 * With the Enhanced Steam extension, Firefox could crash (bmo#1123732) * Kerberos authentication did not work with alias (bmo#1108971) * SVG / CSS animation had a regression causing rendering issues on websites like openstreemap.org (bmo#1083079) * On Godaddy webmail, Firefox could crash (bmo#1113121) * document.baseURI did not get updated to document.location after base tag was removed from DOM for site with a CSP (bmo#1121857) * With a Right-to-left (RTL) version of Firefox, the text selection could be broken (bmo#1104036) * CSP had a change in behavior with regard to case sensitivity resources loading (bmo#1122445) ------------------------------------------------------------------- Sat Jan 10 18:36:37 UTC 2015 - wr@rosenauer.org - update to Firefox 35.0 (bnc#910669) notable features: * Firefox Hello with new rooms-based conversations model * Implemented HTTP Public Key Pinning Extension (for enhanced authentication of encrypted connections) security fixes: * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635 Miscellaneous memory safety hazards * MFSA 2015-02/CVE-2014-8637 (bmo#1094536) Uninitialized memory use during bitmap rendering * MFSA 2015-03/CVE-2014-8638 (bmo#1080987) sendBeacon requests lack an Origin header * MFSA 2015-04/CVE-2014-8639 (bmo#1095859) Cookie injection through Proxy Authenticate responses * MFSA 2015-05/CVE-2014-8640 (bmo#1100409) Read of uninitialized memory in Web Audio * MFSA 2015-06/CVE-2014-8641 (bmo#1108455) Read-after-free in WebRTC * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only) Gecko Media Plugin sandbox escape * MFSA 2015-08/CVE-2014-8642 (bmo#1079658) Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension * MFSA 2015-09/CVE-2014-8636 (bmo#987794) XrayWrapper bypass through DOM objects - rebased patches - dropped explicit support for everything older than 12.3 (including SLES11) * merge firefox-kde.patch and firefox-kde-114.patch * dropped mozilla-sle11.patch - reworked specfile to build conditionally based on release channel either Firefox or Firefox Developer Edition - added mozilla-openaes-decl.patch to fix implicit declarations - obsolete tracker-miner-firefox < 0.15 because it leads to startup crashes (bnc#908892) ------------------------------------------------------------------- Sat Dec 13 22:13:00 UTC 2014 - Led <ledest@gmail.com> - fix bashism in mozilla.sh script ------------------------------------------------------------------- Sat Nov 29 21:23:03 UTC 2014 - wr@rosenauer.org - update to Firefox 34.0.5 (bnc#908009) * Default search engine changed to Yahoo! for North America * Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales * Improved search bar (en-US only) * Firefox Hello real-time communication client * Easily switch themes/personas directly in the Customizing mode * Implementation of HTTP/2 (draft14) and ALPN * Disabled SSLv3 * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588 Miscellaneous memory safety hazards * MFSA 2014-84/CVE-2014-1589 (bmo#1043787) XBL bindings accessible via improper CSS declarations * MFSA 2014-85/CVE-2014-1590 (bmo#1087633) XMLHttpRequest crashes with some input streams * MFSA 2014-86/CVE-2014-1591 (bmo#1069762) CSP leaks redirect data via violation reports * MFSA 2014-87/CVE-2014-1592 (bmo#1088635) Use-after-free during HTML5 parsing * MFSA 2014-88/CVE-2014-1593 (bmo#1085175) Buffer overflow while parsing media content * MFSA 2014-89/CVE-2014-1594 (bmo#1074280) Bad casting from the BasicThebesLayer to BasicContainerLayer - rebased patches - limit linker memory usage for %ix86 - rebased patches ------------------------------------------------------------------- Fri Nov 7 20:14:32 UTC 2014 - wr@rosenauer.org - update to Firefox 33.1 * Adding DuckDuckGo as a search option (upstream) * Forget Button added * Enhanced Tiles * Privacy tour introduced - fix typo in GStreamer Recommends ------------------------------------------------------------------- Tue Nov 4 18:00:35 UTC 2014 - guillaume@opensuse.org - Disable elf-hack for aarch64 - Enable EGL for aarch64 - Limit RAM usage during link for %arm - Fix _constraints for ARM ------------------------------------------------------------------- Mon Nov 3 11:36:04 UTC 2014 - dmueller@suse.com - use proper macros for ARM ------------------------------------------------------------------- Mon Nov 3 11:26:23 UTC 2014 - josua.mayer97@gmail.com - use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too to fix compiling. - pass '-Wl,--no-keep-memory' to linker to reduce required memory during linking on arm. ------------------------------------------------------------------- Thu Oct 30 11:31:05 UTC 2014 - wr@rosenauer.org - update to Firefox 33.0.2 * Fix a startup crash with some combination of hardware and drivers 33.0.1 * Firefox displays a black screen at start-up with certain graphics drivers - adjusted _constraints for ARM ------------------------------------------------------------------- Tue Oct 28 15:23:09 UTC 2014 - josua.mayer97@gmail.com - added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588) ------------------------------------------------------------------- Sat Oct 25 08:45:43 UTC 2014 - wr@rosenauer.org - define /usr/share/myspell as additional dictionary location and remove add-plugins.sh finally (bnc#900639) ------------------------------------------------------------------- Sun Oct 19 12:59:28 UTC 2014 - vindex17@outlook.it - use Firefox default optimization flags instead of -Os - specfile cleanup ------------------------------------------------------------------- Wed Oct 15 08:05:33 UTC 2014 - wr@rosenauer.org - fix build for all ppc by not enabling elf-hack (bnc#901213) ------------------------------------------------------------------- Sat Oct 11 08:48:24 UTC 2014 - wr@rosenauer.org - update to Firefox 33.0 (bnc#900941) New features: * OpenH264 support (sandboxed) * Enhanced Tiles * Improved search experience through the location bar * Slimmer and faster JavaScript strings * New CSP (Content Security Policy) backend * Support for connecting to HTTP proxy over HTTPS * Improved reliability of the session restoration * Proprietary window.crypto properties/functions removed Security: * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety hazards * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video * MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory use during GIF rendering * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) Key pinning bypasses * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps) - requires NSPR 4.10.7 - requires NSS 3.17.1 - removed obsolete patches: * mozilla-ppc.patch * mozilla-libproxy-compat.patch - added basic appdata information ------------------------------------------------------------------- Sat Sep 20 13:33:51 UTC 2014 - wr@rosenauer.org - update to Firefox 32.0.2 * just a version bump for our builds * fixed the in application update process for certain environments (in application update is not enabled in openSUSE and Linux is unaffected in any case) - build with --disable-optimize for 13.1 and above for i586 to workaround miscompilations (bnc#896624) - use some more build flags to align with upstream ------------------------------------------------------------------- Sat Sep 13 16:58:16 UTC 2014 - wr@rosenauer.org - update to Firefox 32.0.1 * fixed stability issues for computers with multiple graphics cards * mixed content icon may be incorrectly displayed instead of lock icon for SSL sites in 32.0 ( * WebRTC: setRemoteDescription() silently fails if no success callback is specified (bmo#1063971) ------------------------------------------------------------------- Sun Aug 31 07:44:54 UTC 2014 - wr@rosenauer.org - update to Firefox 32.0 (bnc#894370) * MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562 Miscellaneous memory safety hazards * MFSA 2014-68/CVE-2014-1563 (bmo#1018524) Use-after-free during DOM interactions with SVG * MFSA 2014-69/CVE-2014-1564 (bmo#1045977) Uninitialized memory use during GIF rendering * MFSA 2014-70/CVE-2014-1565 (bmo#1047831) Out-of-bounds read in Web Audio audio timeline * MFSA 2014-72/CVE-2014-1567 (bmo#1037641) Use-after-free setting text directionality - rebased patches - requires NSS 3.16.4 - removed upstreamed patch * mozilla-aarch64-bmo-810631.patch ------------------------------------------------------------------- Wed Aug 20 13:50:58 CEST 2014 - behlert@suse.de - adapted _constraints, used more than 3900MB on s390x during last build ------------------------------------------------------------------- Sun Jul 20 18:11:44 UTC 2014 - wr@rosenauer.org - update to Firefox 31.0 (bnc#887746) * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548 Miscellaneous memory safety hazards * MFSA 2014-57/CVE-2014-1549 (bmo#1020205) Buffer overflow during Web Audio buffering for playback * MFSA 2014-58/CVE-2014-1550 (bmo#1020411) Use-after-free in Web Audio due to incorrect control message ordering * MFSA 2014-60/CVE-2014-1561 (bmo#1000514, bmo#910375) Toolbar dialog customization event spoofing * MFSA 2014-61/CVE-2014-1555 (bmo#1023121) Use-after-free with FireOnStateChange event * MFSA 2014-62/CVE-2014-1556 (bmo#1028891) Exploitable WebGL crash with Cesium JavaScript library * MFSA 2014-63/CVE-2014-1544 (bmo#963150) Use-after-free while when manipulating certificates in the trusted cache (solved with NSS 3.16.2 requirement) * MFSA 2014-64/CVE-2014-1557 (bmo#913805) Crash in Skia library when scaling high quality images * MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560 (bmo#1015973, bmo#1026022, bmo#997795) Certificate parsing broken by non-standard character encoding * MFSA 2014-66/CVE-2014-1552 (bmo#985135) IFRAME sandbox same-origin access through redirect - use EGL on ARM - rebased patches - requires NSS 3.16.2 - requires python-devel (not only python) ------------------------------------------------------------------- Mon Jun 9 08:28:17 UTC 2014 - wr@rosenauer.org - update to Firefox 30.0 (bnc#881874) * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534 (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874, bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981, bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817, bmo#996536, bmo#996715, bmo#999651, bmo#1000598, bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223, bmo#1009952, bmo#1011007) Miscellaneous memory safety hazards (rv:30.0) * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538 (bmo#989994, bmo#999274, bmo#1005584) Use-after-free and out of bounds issues found using Address Sanitizer * MFSA 2014-50/CVE-2014-1539 (bmo#995603) Clickjacking through cursor invisability after Flash interaction * MFSA 2014-51/CVE-2014-1540 (bmo#978862) Use-after-free in Event Listener Manager * MFSA 2014-52/CVE-2014-1541 (bmo#1000185) Use-after-free with SMIL Animation Controller * MFSA 2014-53/CVE-2014-1542 (bmo#991533) Buffer overflow in Web Audio Speex resampler * MFSA 2014-54/CVE-2014-1543 (bmo#1011859) Buffer overflow in Gamepad API * MFSA 2014-55/CVE-2014-1545 (bmo#1018783) Out of bounds write in NSPR - rebased patches - removed obsolete patches * firefox-browser-css.patch * mozilla-aarch64-bmo-962488.patch * mozilla-aarch64-bmo-963023.patch * mozilla-aarch64-bmo-963024.patch * mozilla-aarch64-bmo-963027.patch * mozilla-ppc64-xpcom.patch * mozilla-ppc64le-javascript.patch * mozilla-ppc64le-libffi.patch * mozilla-ppc64le-mfbt.patch * mozilla-ppc64le-webrtc.patch * mozilla-ppc64le-xpcom.patch * mozilla-ppc64le-build.patch - requires NSPR 4.10.6 - enabled GStreamer 1.0 usage for 13.2 and above ------------------------------------------------------------------- Sat May 10 06:09:37 UTC 2014 - wr@rosenauer.org - update to Firefox 29.0.1 * Seer disabled by default (bmo#1005958) * Session Restore failed with a corrupted sessionstore.js file (bmo#1001167) * pdf.js printing white page (bmo#1003707, bnc#876833) - general.useragent.locale gets overwritten with en-US while it should be using the active langpack's setting ------------------------------------------------------------------- Sat Apr 26 12:18:07 UTC 2014 - wr@rosenauer.org - update to Firefox 29.0 (bnc#875378) * MFSA 2014-34/CVE-2014-1518/CVE-2014-1519 Miscellaneous memory safety hazards * MFSA 2014-36/CVE-2014-1522 (bmo#995289) Web Audio memory corruption issues * MFSA 2014-37/CVE-2014-1523 (bmo#969226) Out of bounds read while decoding JPG images * MFSA 2014-38/CVE-2014-1524 (bmo#989183) Buffer overflow when using non-XBL object as XBL * MFSA 2014-39/CVE-2014-1525 (bmo#989210) Use-after-free in the Text Track Manager for HTML video * MFSA 2014-41/CVE-2014-1528 (bmo#963962) Out-of-bounds write in Cairo * MFSA 2014-42/CVE-2014-1529 (bmo#987003) Privilege escalation through Web Notification API * MFSA 2014-43/CVE-2014-1530 (bmo#895557) Cross-site scripting (XSS) using history navigations * MFSA 2014-44/CVE-2014-1531 (bmo#987140) Use-after-free in imgLoader while resizing images * MFSA 2014-45/CVE-2014-1492 (bmo#903885) Incorrect IDNA domain name matching for wildcard certificates (fixed by NSS 3.16) * MFSA 2014-46/CVE-2014-1532 (bmo#966006) Use-after-free in nsHostResolver * MFSA 2014-47/CVE-2014-1526 (bmo#988106) Debugger can bypass XrayWrappers with JavaScript - rebased patches - removed obsolete patches * firefox-browser-css.patch * mozilla-aarch64-599882cfb998.diff * mozilla-aarch64-bmo-963028.patch * mozilla-aarch64-bmo-963029.patch * mozilla-aarch64-bmo-963030.patch * mozilla-aarch64-bmo-963031.patch - requires NSS 3.16 - added mozilla-icu-strncat.patch to fix post build checks ------------------------------------------------------------------- Mon Apr 7 15:34:31 UTC 2014 - dmueller@suse.com - add mozilla-aarch64-599882cfb998.patch, mozilla-aarch64-bmo-810631.patch, mozilla-aarch64-bmo-962488.patch, mozilla-aarch64-bmo-963030.patch, mozilla-aarch64-bmo-963027.patch, mozilla-aarch64-bmo-963028.patch, mozilla-aarch64-bmo-963029.patch, mozilla-aarch64-bmo-963023.patch, mozilla-aarch64-bmo-963024.patch, mozilla-aarch64-bmo-963031.patch: AArch64 porting ------------------------------------------------------------------- Mon Mar 24 16:18:44 UTC 2014 - dvaleev@suse.com - Add patch for bmo#973977 * mozilla-ppc64-xpcom.patch ------------------------------------------------------------------- Mon Mar 24 14:29:12 UTC 2014 - dvaleev@suse.com - Refresh mozilla-ppc64le-xpcom.patch patch ------------------------------------------------------------------- Fri Mar 21 19:01:42 UTC 2014 - dvaleev@suse.com - Adapt mozilla-ppc64le-xpcom.patch to Mozilla > 24.0 build system ------------------------------------------------------------------- Sun Mar 16 13:39:15 UTC 2014 - wr@rosenauer.org - update to Firefox 28.0 (bnc#868603) * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494 Miscellaneous memory safety hazards * MFSA 2014-17/CVE-2014-1497 (bmo#966311) Out of bounds read during WAV file decoding * MFSA 2014-18/CVE-2014-1498 (bmo#935618) crypto.generateCRMFRequest does not validate type of key * MFSA 2014-19/CVE-2014-1499 (bmo#961512) Spoofing attack on WebRTC permission prompt * MFSA 2014-20/CVE-2014-1500 (bmo#956524) onbeforeunload and Javascript navigation DOS * MFSA 2014-22/CVE-2014-1502 (bmo#972622) WebGL content injection from one domain to rendering in another * MFSA 2014-23/CVE-2014-1504 (bmo#911547) Content Security Policy for data: documents not preserved by session restore * MFSA 2014-26/CVE-2014-1508 (bmo#963198) Information disclosure through polygon rendering in MathML * MFSA 2014-27/CVE-2014-1509 (bmo#966021) Memory corruption in Cairo during PDF font rendering * MFSA 2014-28/CVE-2014-1505 (bmo#941887) SVG filters information disclosure through feDisplacementMap * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909) Privilege escalation using WebIDL-implemented APIs * MFSA 2014-30/CVE-2014-1512 (bmo#982957) Use-after-free in TypeObject * MFSA 2014-31/CVE-2014-1513 (bmo#982974) Out-of-bounds read/write through neutering ArrayBuffer objects * MFSA 2014-32/CVE-2014-1514 (bmo#983344) Out-of-bounds write through TypedArrayObject after neutering - requires NSPR 4.10.3 and NSS 3.15.5 - new build dependency (and recommends): * libpulse - update of PowerPC 64 patches (bmo#976648) (pcerny@suse.com) - rebased patches ------------------------------------------------------------------- Mon Feb 17 11:59:28 UTC 2014 - wr@rosenauer.org - update to Firefox 27.0.1 * Fixed stability issues with Greasemonkey and other JS that used ClearTimeoutOrInterval * JS math correctness issue (bmo#941381) - incorporate Google API key for geolocation (bnc#864170) - updated list of "other" locales in RPM requirements ------------------------------------------------------------------- Tue Jan 28 15:45:41 UTC 2014 - wr@rosenauer.org - update to Firefox 27.0 (bnc#861847) * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3) * MFSA 2014-02/CVE-2014-1479 (bmo#911864) Clone protected content with XBL scopes * MFSA 2014-03/CVE-2014-1480 (bmo#916726) UI selection timeout missing on download prompts * MFSA 2014-04/CVE-2014-1482 (bmo#943803) Incorrect use of discarded images by RasterImage * MFSA 2014-05/CVE-2014-1483 (bmo#950427) Information disclosure with *FromPoint on iframes * MFSA 2014-06/CVE-2014-1484 (bmo#953993) Profile path leaks to Android system log * MFSA 2014-07/CVE-2014-1485 (bmo#910139) XSLT stylesheets treated as styles in Content Security Policy * MFSA 2014-08/CVE-2014-1486 (bmo#942164) Use-after-free with imgRequestProxy and image proccessing * MFSA 2014-09/CVE-2014-1487 (bmo#947592) Cross-origin information leak through web workers * MFSA 2014-10/CVE-2014-1489 (bmo#959531) Firefox default start page UI content invokable by script * MFSA 2014-11/CVE-2014-1488 (bmo#950604) Crash when using web workers with asm.js * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 (bmo#934545, bmo#930874, bmo#930857) NSS ticket handling issues * MFSA 2014-13/CVE-2014-1481(bmo#936056) Inconsistent JavaScript handling of access to Window objects - requires NSS 3.15.4 or higher - rebased/reworked patches - removed obsolete mozilla-bug929439.patch ------------------------------------------------------------------- Thu Dec 12 21:19:54 UTC 2013 - uweigand@de.ibm.com - Add support for powerpc64le-linux. * mozilla-ppc64le.patch: general support * mozilla-libffi-ppc64le.patch: libffi backport * mozilla-xpcom-ppc64le.patch: port xpcom - Add build fix from mainline. * mozilla-bug929439.patch ------------------------------------------------------------------- Sun Dec 8 20:26:23 UTC 2013 - wr@rosenauer.org - update to Firefox 26.0 (bnc#854367, bnc#854370) * rebased patches * requires NSPR 4.10.2 and NSS 3.15.3.1 * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610 Miscellaneous memory safety hazards * MFSA 2013-105/CVE-2013-5611 (bmo#771294) Application Installation doorhanger persists on navigation * MFSA 2013-106/CVE-2013-5612 (bmo#871161) Character encoding cross-origin XSS attack * MFSA 2013-107/CVE-2013-5614 (bmo#886262) Sandbox restrictions not applied to nested object elements * MFSA 2013-108/CVE-2013-5616 (bmo#938341) Use-after-free in event listeners * MFSA 2013-109/CVE-2013-5618 (bmo#926361) Use-after-free during Table Editing * MFSA 2013-110/CVE-2013-5619 (bmo#917841) Potential overflow in JavaScript binary search algorithms * MFSA 2013-111/CVE-2013-6671 (bmo#930281) Segmentation violation when replacing ordered list elements * MFSA 2013-112/CVE-2013-6672 (bmo#894736) Linux clipboard information disclosure though selection paste * MFSA 2013-113/CVE-2013-6673 (bmo#970380) Trust settings for built-in roots ignored during EV certificate validation * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449) Use-after-free in synthetic mouse movement * MFSA 2013-115/CVE-2013-5615 (bmo#929261) GetElementIC typed array stubs can be generated outside observed typesets * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693) JPEG information leak * MFSA 2013-117 (bmo#946351) Mis-issued ANSSI/DCSSI certificate (fixed via NSS 3.15.3.1) - removed gecko.js preference file as GStreamer is enabled by default now ------------------------------------------------------------------- Thu Oct 24 18:16:19 UTC 2013 - wr@rosenauer.org - update to Firefox 25.0 (bnc#847708) * rebased patches * requires NSS 3.15.2 or above * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592 Miscellaneous memory safety hazards * MFSA 2013-94/CVE-2013-5593 (bmo#868327) Spoofing addressbar through SELECT element * MFSA 2013-95/CVE-2013-5604 (bmo#914017) Access violation with XSLT and uninitialized data * MFSA 2013-96/CVE-2013-5595 (bmo#916580) Improperly initialized memory and overflows in some JavaScript functions * MFSA 2013-97/CVE-2013-5596 (bmo#910881) Writing to cycle collected object during image decoding * MFSA 2013-98/CVE-2013-5597 (bmo#918864) Use-after-free when updating offline cache * MFSA 2013-99/CVE-2013-5598 (bmo#920515) Security bypass of PDF.js checks using iframes * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601 (bmo#915210, bmo#915576, bmo#916685) Miscellaneous use-after-free issues found through ASAN fuzzing * MFSA 2013-101/CVE-2013-5602 (bmo#897678) Memory corruption in workers * MFSA 2013-102/CVE-2013-5603 (bmo#916404) Use-after-free in HTML document templates ------------------------------------------------------------------- Tue Sep 24 07:31:30 UTC 2013 - wr@rosenauer.org - as GStreamer is not automatically required anymore but loaded dynamically if available, require it explicitely - recommend optional GStreamer plugins for comprehensive media support ------------------------------------------------------------------- Mon Sep 16 11:59:18 UTC 2013 - lnussel@suse.de - move greek to the translations-common package (bnc#840551) ------------------------------------------------------------------- Sat Sep 14 14:39:58 UTC 2013 - wr@rosenauer.org - update to Firefox 24.0 (bnc#840485) * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719 Miscellaneous memory safety hazards * MFSA 2013-77/CVE-2013-1720 (bmo#888820) Improper state in HTML5 Tree Builder with templates * MFSA 2013-78/CVE-2013-1721 (bmo#890277) Integer overflow in ANGLE library * MFSA 2013-79/CVE-2013-1722 (bmo#893308) Use-after-free in Animation Manager during stylesheet cloning * MFSA 2013-80/CVE-2013-1723 (bmo#891292) NativeKey continues handling key messages after widget is destroyed * MFSA 2013-81/CVE-2013-1724 (bmo#894137) Use-after-free with select element * MFSA 2013-82/CVE-2013-1725 (bmo#876762) Calling scope for new Javascript objects can lead to memory corruption * MFSA 2013-85/CVE-2013-1728 (bmo#883686) Uninitialized data in IonMonkey * MFSA 2013-88/CVE-2013-1730 (bmo#851353) Compartment mismatch re-attaching XBL-backed nodes * MFSA 2013-89/CVE-2013-1732 (bmo#883514) Buffer overflow with multi-column, lists, and floats * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301) Memory corruption involving scrolling * MFSA 2013-91/CVE-2013-1737 (bmo#907727) User-defined properties on DOM proxies get the wrong "this" object * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897) GC hazard with default compartments and frame chain restoration - enable gstreamer explicitely via pref (gecko.js) - require NSS 3.15.1 ------------------------------------------------------------------- Mon Aug 26 07:35:36 UTC 2013 - wr@rosenauer.org - update to Firefox 23.0.1 * Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls (bmo#901527) ------------------------------------------------------------------- Sun Aug 4 18:30:11 UTC 2013 - wr@rosenauer.org - update to Firefox 23.0 (bnc#833389) * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous memory safety hazards * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free mutating DOM during SetBody * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow when generating CRMF requests * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV audio file decoding * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of XrayWrappers using XBL Scopes * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system - requires NSPR 4.10 and NSS 3.15 ------------------------------------------------------------------- Wed Jul 3 17:14:35 UTC 2013 - dmueller@suse.com - fix build on ARM (/-g/ matches /-grecord-switches/) ------------------------------------------------------------------- Sat Jun 22 17:48:06 UTC 2013 - wr@rosenauer.org - update to Firefox 22.0 (bnc#825935) * removed obsolete patches + mozilla-qcms-ppc.patch + mozilla-gstreamer-760140.patch * GStreamer support does not build on 12.1 anymore (build only on 12.2 and later) * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683 Miscellaneous memory safety hazards * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686 Memory corruption found using Address Sanitizer * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823) Privileged content access and execution via XBL * MFSA 2013-52/CVE-2013-1688 (bmo#873966) Arbitrary code execution within Profiler * MFSA 2013-53/CVE-2013-1690 (bmo#857883) Execution of unmapped memory through onreadystatechange event * MFSA 2013-54/CVE-2013-1692 (bmo#866915) Data in the body of XHR HEAD requests leads to CSRF attacks * MFSA 2013-55/CVE-2013-1693 (bmo#711043) SVG filters can lead to information disclosure * MFSA 2013-56/CVE-2013-1694 (bmo#848535) PreserveWrapper has inconsistent behavior * MFSA 2013-57/CVE-2013-1695 (bmo#849791) Sandbox restrictions not applied to nested frame elements * MFSA 2013-58/CVE-2013-1696 (bmo#761667) X-Frame-Options ignored when using server push with multi-part responses * MFSA 2013-59/CVE-2013-1697 (bmo#858101) XrayWrappers can be bypassed to run user defined methods in a privileged context * MFSA 2013-60/CVE-2013-1698 (bmo#876044) getUserMedia permission dialog incorrectly displays location * MFSA 2013-61/CVE-2013-1699 (bmo#840882) Homograph domain spoofing in .com, .net and .name ------------------------------------------------------------------- Tue Jun 11 21:06:58 UTC 2013 - dvaleev@suse.com - Fix qcms altivec include (mozilla-qcms-ppc.patch) ------------------------------------------------------------------- Fri May 10 05:25:39 UTC 2013 - wr@rosenauer.org - update to Firefox 21.0 (bnc#819204) * removed upstreamed patch firefox-712763.patch * removed disabled mozilla-disable-neon-option.patch * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669 Miscellaneous memory safety hazards * MFSA 2013-42/CVE-2013-1670 (bmo#853709) Privileged access for content level constructor * MFSA 2013-43/CVE-2013-1671 (bmo#842255) File input control has access to full path * MFSA 2013-46/CVE-2013-1674 (bmo#860971) Use-after-free with video and onresize event * MFSA 2013-47/CVE-2013-1675 (bmo#866825) Uninitialized functions in DOMSVGZoomEvent * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/ CVE-2013-1679/CVE-2013-1680/CVE-2013-1681 Memory corruption found using Address Sanitizer ------------------------------------------------------------------- Tue Apr 9 06:41:31 UTC 2013 - wr@rosenauer.org - revert to use GStreamer 0.10 on 12.3 (bnc#814101) (remove mozilla-gstreamer-1.patch) ------------------------------------------------------------------- Fri Apr 5 17:04:11 UTC 2013 - schwab@linux-m68k.org - Explicitly disable WebRTC support on non-x86, the configure script disables it only half-heartedly ------------------------------------------------------------------- Fri Mar 29 22:15:21 UTC 2013 - wr@rosenauer.org - update to Firefox 20.0 (bnc#813026) * requires NSPR 4.9.5 and NSS 3.14.3 * mozilla-webrtc-ppc.patch included upstream * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards * MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library * MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux * MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes * MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure * MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations * MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images - use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch) ------------------------------------------------------------------- Tue Mar 12 23:08:15 UTC 2013 - dmueller@suse.com - build fixes for armv7hl: * disable debug build as armv7hl does not have enough memory * disable webrtc on armv7hl as it is non-compiling ------------------------------------------------------------------- Thu Mar 7 19:03:32 UTC 2013 - wr@rosenauer.org - update to Firefox 19.0.2 (bnc#808243) * MFSA 2013-29/CVE-2013-0787 (bmo#848644) Use-after-free in HTML Editor ------------------------------------------------------------------- Thu Feb 28 22:06:36 UTC 2013 - wr@rosenauer.org - update to Firefox 19.0.1 * blocklist updates ------------------------------------------------------------------- Sat Feb 16 07:08:55 UTC 2013 - wr@rosenauer.org - update to Firefox 19.0 (bnc#804248) * MFSA 2013-21/CVE-2013-0783/2013-0784 Miscellaneous memory safety hazards * MFSA 2013-22/CVE-2013-0772 (bmo#801366) Out-of-bounds read in image rendering * MFSA 2013-23/CVE-2013-0765 (bmo#830614) Wrapped WebIDL objects can be wrapped again * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/ CVE-2013-0778/CVE-2013-0779/CVE-2013-0781 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer - removed obsolete patches * mozilla-webrtc.patch * mozilla-gstreamer-803287.patch - added patch to fix session restore window order (bmo#712763) ------------------------------------------------------------------- Sat Feb 2 08:40:52 UTC 2013 - wr@rosenauer.org - update to Firefox 18.0.2 * blocklist and CTP updates * fixes in JS engine ------------------------------------------------------------------- Wed Jan 16 20:51:55 UTC 2013 - wr@rosenauer.org - update to Firefox 18.0.1 * blocklist updates * backed out bmo#677092 (removed patch) * fixed problems involving HTTP proxy transactions ------------------------------------------------------------------- Sat Jan 12 17:25:11 UTC 2013 - schwab@linux-m68k.org - Fix WebRTC to build on powerpc ------------------------------------------------------------------- Sun Jan 6 21:54:18 UTC 2013 - wr@rosenauer.org - update to Firefox 18.0 (bnc#796895) * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770 Miscellaneous memory safety hazards * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767 CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829 Use-after-free and buffer overflow issues found using Address Sanitizer * MFSA 2013-03/CVE-2013-0768 (bmo#815795) Buffer Overflow in Canvas * MFSA 2013-04/CVE-2012-0759 (bmo#802026) URL spoofing in addressbar during page loads * MFSA 2013-05/CVE-2013-0744 (bmo#814713) Use-after-free when displaying table with many columns and column groups * MFSA 2013-06/CVE-2013-0751 (bmo#790454) Touch events are shared across iframes * MFSA 2013-07/CVE-2013-0764 (bmo#804237) Crash due to handling of SSL on threads * MFSA 2013-08/CVE-2013-0745 (bmo#794158) AutoWrapperChanger fails to keep objects alive during garbage collection * MFSA 2013-09/CVE-2013-0746 (bmo#816842) Compartment mismatch with quickstubs returned values * MFSA 2013-10/CVE-2013-0747 (bmo#733305) Event manipulation in plugin handler to bypass same-origin policy * MFSA 2013-11/CVE-2013-0748 (bmo#806031) Address space layout leaked in XBL objects * MFSA 2013-12/CVE-2013-0750 (bmo#805121) Buffer overflow in Javascript string concatenation * MFSA 2013-13/CVE-2013-0752 (bmo#805024) Memory corruption in XBL with XML bindings containing SVG * MFSA 2013-14/CVE-2013-0757 (bmo#813901) Chrome Object Wrapper (COW) bypass through changing prototype * MFSA 2013-15/CVE-2013-0758 (bmo#813906) Privilege escalation through plugin objects * MFSA 2013-16/CVE-2013-0753 (bmo#814001) Use-after-free in serializeToStream * MFSA 2013-17/CVE-2013-0754 (bmo#814026) Use-after-free in ListenerManager * MFSA 2013-18/CVE-2013-0755 (bmo#814027) Use-after-free in Vibrate * MFSA 2013-19/CVE-2013-0756 (bmo#814029) Use-after-free in Javascript Proxy objects - requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743) - removed obsolete SLE11 patches (mozilla-gcc43*) - reenable WebRTC - added mozilla-libproxy-compat.patch for libproxy API compat on openSUSE 11.2 and earlier - backed out restartless language packs as it broke multi-locale setup (bmo#677092, bmo#818468) ------------------------------------------------------------------- Thu Nov 29 19:56:51 UTC 2012 - wr@rosenauer.org - update to Firefox 17.0.1 * revert some useragent changes introduced in 17.0 * leaving private browsing with social enabled doesn't reset all social components (bmo#815042) - fix KDE integration for file dialogs ------------------------------------------------------------------- Tue Nov 20 19:52:02 UTC 2012 - wr@rosenauer.org - update to Firefox 17.0 (bnc#790140) * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843 Miscellaneous memory safety hazards * MFSA 2012-92/CVE-2012-4202 (bmo#758200) Buffer overflow while rendering GIF images * MFSA 2012-93/CVE-2012-4201 (bmo#747607) evalInSanbox location context incorrectly applied * MFSA 2012-94/CVE-2012-5836 (bmo#792857) Crash when combining SVG text on path with CSS * MFSA 2012-95/CVE-2012-4203 (bmo#765628) Javascript: URLs run in privileged context on New Tab page * MFSA 2012-96/CVE-2012-4204 (bmo#778603) Memory corruption in str_unescape * MFSA 2012-97/CVE-2012-4205 (bmo#779821) XMLHttpRequest inherits incorrect principal within sandbox * MFSA 2012-99/CVE-2012-4208 (bmo#798264) XrayWrappers exposes chrome-only properties when not in chrome compartment * MFSA 2012-100/CVE-2012-5841 (bmo#805807) Improper security filtering for cross-origin wrappers * MFSA 2012-101/CVE-2012-4207 (bmo#801681) Improper character decoding in HZ-GB-2312 charset * MFSA 2012-102/CVE-2012-5837 (bmo#800363) Script entered into Developer Toolbar runs with chrome privileges * MFSA 2012-103/CVE-2012-4209 (bmo#792405) Frames can shadow top.location * MFSA 2012-104/CVE-2012-4210 (bmo#796866) CSS and HTML injection through Style Inspector * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/ CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/ CVE-2012-4213/CVE-2012-4217/CVE-2012-4218 Use-after-free and buffer overflow issues found using Address Sanitizer * MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer - rebased patches - disabled WebRTC since build is broken (bmo#776877) ------------------------------------------------------------------- Tue Nov 20 15:42:55 UTC 2012 - pcerny@suse.com - build on SLE11 * mozilla-gcc43-enums.patch * mozilla-gcc43-template_hacks.patch * mozilla-gcc43-templates_instantiation.patch ------------------------------------------------------------------- Wed Oct 24 08:27:29 UTC 2012 - wr@rosenauer.org - update to Firefox 16.0.2 (bnc#786522) * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196 (bmo#800666, bmo#793121, bmo#802557) Fixes for Location object issues - bring back Obsoletes for libproxy's mozjs plugin for distributions before 12.2 to avoid crashes ------------------------------------------------------------------- Thu Oct 11 01:51:16 UTC 2012 - wr@rosenauer.org - update to Firefox 16.0.1 (bnc#783533) * MFSA 2012-88/CVE-2012-4191 (bmo#798045) Miscellaneous memory safety hazards * MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619) defaultValue security checks not applied ------------------------------------------------------------------- Sun Oct 7 21:40:14 UTC 2012 - wr@rosenauer.org - update to Firefox 16.0 (bnc#783533) * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983 Miscellaneous memory safety hazards * MFSA 2012-75/CVE-2012-3984 (bmo#575294) select element persistance allows for attacks * MFSA 2012-76/CVE-2012-3985 (bmo#655649) Continued access to initial origin after setting document.domain * MFSA 2012-77/CVE-2012-3986 (bmo#775868) Some DOMWindowUtils methods bypass security checks * MFSA 2012-79/CVE-2012-3988 (bmo#725770) DOS and crash with full screen and history navigation * MFSA 2012-80/CVE-2012-3989 (bmo#783867) Crash with invalid cast when using instanceof operator * MFSA 2012-81/CVE-2012-3991 (bmo#783260) GetProperty function can bypass security checks * MFSA 2012-82/CVE-2012-3994 (bmo#765527) top object and location property accessible by plugins * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370) Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties * MFSA 2012-84/CVE-2012-3992 (bmo#775009) Spoofing and script injection through location.hash * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/ CVE-2012-4181/CVE-2012-4182/CVE-2012-4183 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/ CVE-2012-4188 Heap memory corruption issues found using Address Sanitizer * MFSA 2012-87/CVE-2012-3990 (bmo#787704) Use-after-free in the IME State Manager - requires NSPR 4.9.2 - improve GStreamer integration (bmo#760140) - removed upstreamed mozilla-crashreporter-restart-args.patch - webapprt now included - use kmozillahelper's new REVEAL command (bnc#777415) (requires mozilla-kde4-integration >= 0.6.4) - updated translations-other with new languages ------------------------------------------------------------------- Mon Sep 10 19:37:56 UTC 2012 - wr@rosenauer.org - update to Firefox 15.0.1 (bnc#779936) * Sites visited while in Private Browsing mode could be found through manual browser cache inspection (bmo#787743) ------------------------------------------------------------------- Sun Aug 26 13:47:43 UTC 2012 - wr@rosenauer.org - update to Firefox 15.0 (bnc#777588) * MFSA 2012-57/CVE-2012-1970 Miscellaneous memory safety hazards * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975 CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959 CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964 Use-after-free issues found using Address Sanitizer * MFSA 2012-59/CVE-2012-1956 (bmo#756719) Location object can be shadowed using Object.defineProperty * MFSA 2012-60/CVE-2012-3965 (bmo#769108) Escalation of privilege through about:newtab * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793) Memory corruption with bitmap format images with negative height * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968 WebGL use-after-free and memory corruption * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970 SVG buffer overflow and use-after-free issues * MFSA 2012-64/CVE-2012-3971 Graphite 2 memory corruption * MFSA 2012-65/CVE-2012-3972 (bmo#746855) Out-of-bounds read in format-number in XSLT * MFSA 2012-66/CVE-2012-3973 (bmo#757128) HTTPMonitor extension allows for remote debugging without explicit activation * MFSA 2012-68/CVE-2012-3975 (bmo#770684) DOMParser loads linked resources in extensions when parsing text/html * MFSA 2012-69/CVE-2012-3976 (bmo#768568) Incorrect site SSL certificate data display * MFSA 2012-70/CVE-2012-3978 (bmo#770429) Location object security checks bypassed by chrome code * MFSA 2012-72/CVE-2012-3980 (bmo#771859) Web console eval capable of executing chrome-privileged code - fix HTML5 video crash with GStreamer enabled (bmo#761030) - GStreamer is only used for MP4 (no WebM, OGG) - updated filelist - moved browser specific preferences to correct location ------------------------------------------------------------------- Sun Jul 29 08:34:39 UTC 2012 - aj@suse.de - Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16) ------------------------------------------------------------------- Sat Jul 14 19:31:51 UTC 2012 - wr@rosenauer.org - update to 14.0.1 (bnc#771583) * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 Miscellaneous memory safety hazards * MFSA 2012-43/CVE-2012-1950 Incorrect URL displayed in addressbar through drag and drop * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952 Gecko memory corruption * MFSA 2012-45/CVE-2012-1955 (bmo#757376) Spoofing issue with location * MFSA 2012-46/CVE-2012-1966 (bmo#734076) XSS through data: URLs * MFSA 2012-47/CVE-2012-1957 (bmo#750096) Improper filtering of javascript in HTML feed-view * MFSA 2012-48/CVE-2012-1958 (bmo#750820) use-after-free in nsGlobalWindow::PageHidden * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559) Same-compartment Security Wrappers can be bypassed * MFSA 2012-50/CVE-2012-1960 (bmo#761014) Out of bounds read in QCMS * MFSA 2012-51/CVE-2012-1961 (bmo#761655) X-Frame-Options header ignored when duplicated * MFSA 2012-52/CVE-2012-1962 (bmo#764296) JSDependentString::undepend string conversion results in memory corruption * MFSA 2012-53/CVE-2012-1963 (bmo#767778) Content Security Policy 1.0 implementation errors cause data leakage * MFSA 2012-55/CVE-2012-1965 (bmo#758990) feed: URLs with an innerURI inherit security context of page * MFSA 2012-56/CVE-2012-1967 (bmo#758344) Code execution through javascript: URLs - license change from tri license to MPL-2.0 - fix crashreporter restart option (bmo#762780) - require NSS 3.13.5 - remove mozjs pacrunner obsoletes again for now - adopted mozilla-prefer_plugin_pref.patch - PPC fixes: * reenabled mozilla-yarr-pcre.patch to fix build for PPC * add patches for bmo#750620 and bmo#746112 * fix xpcshell segfault on ppc ------------------------------------------------------------------- Fri Jun 15 12:37:09 UTC 2012 - wr@rosenauer.org - update to Firefox 13.0.1 * bugfix release - obsolete libproxy's mozjs pacrunner (bnc#759123) ------------------------------------------------------------------- Sat Jun 2 08:22:51 UTC 2012 - wr@rosenauer.org - update to Firefox 13.0 (bnc#765204) * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101 Miscellaneous memory safety hazards * MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content Security Policy inline-script bypass * MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information disclosure though Windows file shares and shortcut files * MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free while replacing/inserting a node in a document * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941 Buffer overflow and use-after-free issues found using Address Sanitizer - require NSS 3.13.4 * MFSA 2012-39/CVE-2012-0441 (bmo#715073) - fix sound notifications when filename/path contains a whitespace (bmo#749739) ------------------------------------------------------------------- Wed May 23 14:40:16 UTC 2012 - adrian@suse.de - fix build on arm ------------------------------------------------------------------- Wed May 16 05:34:01 UTC 2012 - wr@rosenauer.org - reenabled crashreporter for Factory/12.2 (fix in mozilla-gcc47.patch) ------------------------------------------------------------------- Sat Apr 21 10:02:37 UTC 2012 - wr@rosenauer.org - update to Firefox 12.0 (bnc#758408) * rebased patches * MFSA 2012-20/CVE-2012-0467/CVE-2012-0468 Miscellaneous memory safety hazards * MFSA 2012-22/CVE-2012-0469 (bmo#738985) use-after-free in IDBKeyRange * MFSA 2012-23/CVE-2012-0470 (bmo#734288) Invalid frees causes heap corruption in gfxImageSurface * MFSA 2012-24/CVE-2012-0471 (bmo#715319) Potential XSS via multibyte content processing errors * MFSA 2012-25/CVE-2012-0472 (bmo#744480) Potential memory corruption during font rendering using cairo-dwrite * MFSA 2012-26/CVE-2012-0473 (bmo#743475) WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error * MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) Page load short-circuit can lead to XSS * MFSA 2012-28/CVE-2012-0475 (bmo#694576) Ambiguous IPv6 in Origin headers may bypass webserver access restrictions * MFSA 2012-29/CVE-2012-0477 (bmo#718573) Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues * MFSA 2012-30/CVE-2012-0478 (bmo#727547) Crash with WebGL content using textImage2D * MFSA 2012-31/CVE-2011-3062 (bmo#739925) Off-by-one error in OpenType Sanitizer * MFSA 2012-32/CVE-2011-1187 (bmo#624621) HTTP Redirections and remote content can be read by javascript errors * MFSA 2012-33/CVE-2012-0479 (bmo#714631) Potential site identity spoofing when loading RSS and Atom feeds - added mozilla-libnotify.patch to allow fallback from libnotify to xul based events if no notification-daemon is running - gcc 4.7 fixes * mozilla-gcc47.patch * disabled crashreporter temporarily for Factory - recommend libcanberra0 for proper sound notifications ------------------------------------------------------------------- Fri Mar 9 21:47:07 UTC 2012 - wr@rosenauer.org - update to Firefox 11.0 (bnc#750044) * MFSA 2012-13/CVE-2012-0455 (bmo#704354) XSS with Drag and Drop and Javascript: URL * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) SVG issues found with Address Sanitizer * MFSA 2012-15/CVE-2012-0451 (bmo#717511) XSS with multiple Content Security Policy headers * MFSA 2012-16/CVE-2012-0458 Escalation of privilege with Javascript: URL as home page * MFSA 2012-17/CVE-2012-0459 (bmo#723446) Crash when accessing keyframe cssText after dynamic modification * MFSA 2012-18/CVE-2012-0460 (bmo#727303) window.fullScreen writeable by untrusted content * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/ CVE-2012-0463 Miscellaneous memory safety hazards - ported and reenabled KDE integration (bnc#746591) - explicitely build-require X libs ------------------------------------------------------------------- Mon Mar 5 13:31:48 UTC 2012 - vdziewiecki@suse.com - add Provides: browser(npapi) FATE#313084 ------------------------------------------------------------------- Fri Feb 17 17:41:11 UTC 2012 - pcerny@suse.com - better plugin directory resolution (bnc#747320) ------------------------------------------------------------------- Thu Feb 16 08:47:31 UTC 2012 - wr@rosenauer.org - update to Firefox 10.0.2 (bnc#747328) * CVE-2011-3026 (bmo#727401) libpng: integer overflow leading to heap-buffer overflow ------------------------------------------------------------------- Thu Feb 9 09:26:11 UTC 2012 - wr@rosenauer.org - update to Firefox 10.0.1 (bnc#746616) * MFSA 2012-10/CVE-2012-0452 (bmo#724284) use after free in nsXBLDocumentInfo::ReadPrototypeBindings ------------------------------------------------------------------- Tue Feb 7 10:40:58 UTC 2012 - dvaleev@suse.com - Use YARR interpreter instead of PCRE on platforms where YARR JIT is not supported, since PCRE doesnt build (bmo#691898) - fix ppc64 build (bmo#703534) ------------------------------------------------------------------- Mon Jan 30 09:41:59 UTC 2012 - wr@rosenauer.org - update to Firefox 10.0 (bnc#744275) * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443 Miscellaneous memory safety hazards * MFSA 2012-03/CVE-2012-0445 (bmo#701071) <iframe> element exposed across domains via name attribute * MFSA 2012-04/CVE-2011-3659 (bmo#708198) Child nodes from nsDOMAttribute still accessible after removal of nodes * MFSA 2012-05/CVE-2012-0446 (bmo#705651) Frame scripts calling into untrusted objects bypass security checks * MFSA 2012-06/CVE-2012-0447 (bmo#710079) Uninitialized memory appended when encoding icon images may cause information disclosure * MFSA 2012-07/CVE-2012-0444 (bmo#719612) Potential Memory Corruption When Decoding Ogg Vorbis files * MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466) Crash with malformed embedded XSLT stylesheets - KDE integration has been disabled since it needs refactoring - removed obsolete ppc64 patch ------------------------------------------------------------------- Sun Jan 22 12:08:07 UTC 2012 - joop.boonen@opensuse.org - Disable neon for arm as it doesn't build correctly ------------------------------------------------------------------- Fri Dec 23 17:02:01 UTC 2011 - wr@rosenauer.org - update to Firefox 9.0.1 * (strongparent) parentNode of element gets lost (bmo#335998) ------------------------------------------------------------------- Sun Dec 18 09:58:52 UTC 2011 - adrian@suse.de - fix arm build, don't package crashreporter there ------------------------------------------------------------------- Sun Dec 18 09:52:08 UTC 2011 - wr@rosenauer.org - update to Firefox 9 (bnc#737533) * MFSA 2011-53/CVE-2011-3660 Miscellaneous memory safety hazards (rv:9.0) * MFSA 2011-54/CVE-2011-3661 (bmo#691299) Potentially exploitable crash in the YARR regular expression library * MFSA 2011-55/CVE-2011-3658 (bmo#708186) nsSVGValue out-of-bounds access * MFSA 2011-56/CVE-2011-3663 (bmo#704482) Key detection without JavaScript via SVG animation * MFSA 2011-58/VE-2011-3665 (bmo#701259) Crash scaling <video> to extreme sizes ------------------------------------------------------------------- Sun Nov 27 03:51:54 UTC 2011 - mgorse@suse.com - Fix accessibility under GNOME 3 (bnc#732898) ------------------------------------------------------------------- Sat Nov 12 15:16:38 UTC 2011 - dvaleev@suse.com - fix ppc64 build ------------------------------------------------------------------- Sun Nov 6 08:20:59 UTC 2011 - wr@rosenauer.org - update to Firefox 8 (bnc#728520) * MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS against sites using Shift-JIS * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654 Miscellaneous memory safety hazards * MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory corruption while profiling using Firebug * MFSA 2011-52/CVE-2011-3655 (bmo#672182) Code execution via NoWaiverWrapper - rebased patches ------------------------------------------------------------------- Thu Oct 20 12:34:47 UTC 2011 - wr@rosenauer.org - enable telemetry prompt ------------------------------------------------------------------- Fri Sep 30 10:52:36 UTC 2011 - wr@rosenauer.org - update to minor release 7.0.1 * fixed staged addon updates - set intl.locale.matchOS=true in the base package as it causes too much confusion when it's only available with branding-openSUSE ------------------------------------------------------------------- Fri Sep 23 11:22:22 UTC 2011 - wr@rosenauer.org - update to Firefox 7 (bnc#720264) including * Improve Responsiveness with Memory Reductions * Instant Sync * WebSocket protocol 8 * MFSA 2011-36/CVE-2011-2995/CVE-2011-2996/CVE-2011-2997 Miscellaneous memory safety hazards * MFSA 2011-39/CVE-2011-3000 (bmo#655389) Defense against multiple Location headers due to CRLF Injection * MFSA 2011-40/CVE-2011-2372/CVE-2011-3001 Code installation through holding down Enter * MFSA 2011-41/CVE-2011-3002/CVE-2011-3003 (bmo#680840, bmo#682335) Potentially exploitable WebGL crashes * MFSA 2011-42/CVE-2011-3232 (bmo#653672) Potentially exploitable crash in the YARR regular expression library * MFSA 2011-43/CVE-2011-3004 (bmo#653926) loadSubScript unwraps XPCNativeWrapper scope parameter * MFSA 2011-44/CVE-2011-3005 (bmo#675747) Use after free reading OGG headers * MFSA 2011-45 Inferring keystrokes from motion data - removed obsolete mozilla-cairo-lcd.patch - rebased patches - removed XLIB_SKIP_ARGB_VISUALS=1 from environment in mozilla.sh.in (bnc#680758) ------------------------------------------------------------------- Fri Sep 16 06:57:38 UTC 2011 - wr@rosenauer.org - fixed loading of kde.js under KDE (bnc#718311) ------------------------------------------------------------------- Wed Sep 14 07:02:04 UTC 2011 - wr@rosenauer.org - add dbus-1-glib-devel to BuildRequires (not pulled in automatically anymore on 12.1) - increase minversions for NSPR and NSS ------------------------------------------------------------------- Fri Sep 9 20:44:15 UTC 2011 - wr@rosenauer.org - recreated source archive to get correct source-stamp.txt ------------------------------------------------------------------- Wed Sep 7 14:30:34 UTC 2011 - pcerny@suse.com - security update to 6.0.2 (bnc#714931) * Complete blocking of certificates issued by DigiNotar (bmo#683449) ------------------------------------------------------------------- Fri Sep 2 14:40:07 UTC 2011 - pcerny@suse.com - security update to 6.0.1 (bnc#714931) * MFSA 2011-34 Protection against fraudulent DigiNotar certificates (bmo#682927) ------------------------------------------------------------------- Fri Aug 12 21:16:19 UTC 2011 - wr@rosenauer.org - update to 6.0 (bnc#712224) included security fixes MFSA 2011-29 * CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985 Miscellaneous memory safety hazards * CVE-2011-2993 (bmo#657267) Unsigned scripts can call script inside signed JAR * CVE-2011-2988 (bmo#665934) Heap overflow in ANGLE library * CVE-2011-0084 (bmo#648094) Crash in SVGTextElement.getCharNumAtPosition() * CVE-2011-2990 Credential leakage using Content Security Policy reports * CVE-2011-2986 (bmo#655836) Cross-origin data theft using canvas and Windows D2D - removed obsolete curl header dependency (mozilla-curl.patch) ------------------------------------------------------------------- Fri Jul 22 13:34:12 UTC 2011 - wr@rosenauer.org - update to 6.0b3 * removed obsolete patches - firefox-shellservice.patch - mozilla-gio.patch - mozilla-ppc-ipc.patch - firefox-linkorder.patch - firefox-no-sync-l10n.patch - recognize linux3 as platform for symbolstore.py ------------------------------------------------------------------- Fri Jul 1 19:53:18 CEST 2011 - vuntz@opensuse.org - Add x-scheme-handler/ftp to the MimeType key in the .desktop, to let desktops know that Firefox can deal with ftp: URIs. ------------------------------------------------------------------- Fri Jul 1 06:45:08 UTC 2011 - wr@rosenauer.org - create upstream branding package again (supposedly empty) (bnc#703401) - fix build on SLE11 (changes do not affect/are not applied for later versions) ------------------------------------------------------------------- Wed Jun 22 06:41:17 UTC 2011 - wr@rosenauer.org - enable startup notification (bnc#701465) ------------------------------------------------------------------- Mon Jun 20 19:37:01 UTC 2011 - wr@rosenauer.org - update to 5.0 final - included fixes for security issues: (bnc#701296, bnc#700578) * MFSA 2011-19/CVE-2011-2374 CVE-2011-2375 Miscellaneous memory safety hazards * MFSA 2011-20/CVE-2011-2373 (bmo#617247) Use-after-free vulnerability when viewing XUL document with script disabled * MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303) Memory corruption due to multipart/x-mixed-replace images * MFSA 2011-22/CVE-2011-2371 (bmo#664009) Integer overflow and arbitrary code execution in Array.reduceRight() * MFSA 2011-25/CVE-2011-2366 Stealing of cross-domain images using WebGL textures * MFSA 2011-26/CVE-2011-2367 CVE-2011-2368 Multiple WebGL crashes * MFSA 2011-27/CVE-2011-2369 (bmo#650001) XSS encoding hazard with inline SVG * MFSA 2011-28/CVE-2011-2370 (bmo#645699) Non-whitelisted site can trigger xpinstall ------------------------------------------------------------------- Mon Jun 20 09:17:42 UTC 2011 - wr@rosenauer.org - update to 5.0b7 * updated supported locales - do not build dump_syms static (not needed for us) -> fix build for openSUSE 12.1 and above ------------------------------------------------------------------- Wed Jun 15 14:59:32 UTC 2011 - wr@rosenauer.org - update to 5.0b6 - include proper revision information into the build - speedier find-external-requires.sh ------------------------------------------------------------------- Tue May 31 06:53:55 UTC 2011 - wr@rosenauer.org - update to 5.0b3 - transformed to standalone Firefox (not xulrunner based) (with new Firefox rapid release cycle it makes no sense anymore) * imported all relevant xulrunner patches - do not compile in build timestamp ------------------------------------------------------------------- Fri Apr 15 07:08:53 UTC 2011 - wr@rosenauer.org - security update to 4.0.1 (bnc#689281) * MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0079 CVE-2011-0080 CVE-2011-0081 Miscellaneous memory safety hazards * MFSA 2011-17/CVE-2011-0068 (bmo#623791) WebGLES vulnerabilities * MFSA 2011-18/CVE-2011-1202 (bmo#640339) XSLT generate-id() function heap address leak ------------------------------------------------------------------- Wed Mar 30 11:24:36 UTC 2011 - wr@rosenauer.org - add all available icon sizes ------------------------------------------------------------------- Tue Mar 29 11:55:53 UTC 2011 - cfarrell@novell.com - license update: MPLv1.1 or GPLv2+ or LGPLv2+ Sync licenses with Fedora. MPL does not state ^or later^ ------------------------------------------------------------------- Fri Mar 18 08:49:15 UTC 2011 - wr@rosenauer.org - update to version 4.0rc2 - fixed rpm macros delivered with devel package (bnc#679950) ------------------------------------------------------------------- Wed Feb 23 07:52:04 UTC 2011 - wr@rosenauer.org - update to version 4.0b12 - rebased patches ------------------------------------------------------------------- Fri Feb 4 09:32:50 UTC 2011 - wr@rosenauer.org - update to version 4.0b11 * loads of bugfixes compared to last beta * added "Do Not Track" option - rebased patches - disable testpilot ------------------------------------------------------------------- Fri Jan 28 08:56:12 UTC 2011 - wr@rosenauer.org - set correct desktop file name within KDE for 11.4 and up - add devel package with macros for extensions (from lnussel@suse.de) ------------------------------------------------------------------- Sat Jan 22 22:21:52 UTC 2011 - wr@rosenauer.org - update to version 4.0b10 - removed obsolete firefox-shell-bmo624267.patch - testpilot moved to distribution/extensions - updated locale provides and removed bn-IN from locales ------------------------------------------------------------------- Tue Jan 11 06:13:40 UTC 2011 - wr@rosenauer.org - update to version 4.0b9 - added x-scheme-handler for http and https to desktop file for newer Gnome environments - fixed default browser check/set for GIO (bmo#611953) (mozilla-shellservice.patch) - removed obsolete firefox-appname.patch (integrated into shellservice patch) - renamed desktop file to firefox.desktop for 11.4 and newer (bnc#664211) - removed support for 10.3 and older from the spec file - removed obsolete "Ximian" categories from desktop file ------------------------------------------------------------------- Mon Jan 3 17:35:46 CET 2011 - meissner@suse.de - Mirror ac_add_options --disable-ipc from xulrunner for PowerPC. ------------------------------------------------------------------- Wed Dec 15 07:49:45 UTC 2010 - wr@rosenauer.org - update to version 4.0beta8 ------------------------------------------------------------------- Tue Nov 30 14:19:59 UTC 2010 - wr@rosenauer.org - major update to version 4.0beta7 * based on mozilla-xulrunner20 * far too many internal changes to list ------------------------------------------------------------------- Wed Oct 27 07:12:14 CEST 2010 - wr@rosenauer.org - security update to 3.6.12 (bnc#649492) * MFSA 2010-73/CVE-2010-3765 (bmo#607222) Heap buffer overflow mixing document.write and DOM insertion ------------------------------------------------------------------- Wed Oct 6 07:13:52 CEST 2010 - wr@rosenauer.org - security update to 3.6.11 (bnc#645315) * MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176 Miscellaneous memory safety hazards * MFSA 2010-65/CVE-2010-3179 (bmo#583077) Buffer overflow and memory corruption using document.write * MFSA 2010-66/CVE-2010-3180 (bmo#588929) Use-after-free error in nsBarProp * MFSA 2010-67/CVE-2010-3183 (bmo#598669) Dangling pointer vulnerability in LookupGetterOrSetter * MFSA 2010-68/CVE-2010-3177 (bmo#556734) XSS in gopher parser when parsing hrefs * MFSA 2010-69/CVE-2010-3178 (bmo#576616) Cross-site information disclosure via modal calls * MFSA 2010-70/CVE-2010-3170 (bmo#578697) SSL wildcard certificate matching IP addresses * MFSA 2010-71/CVE-2010-3182 (bmo#590753) Unsafe library loading vulnerabilities * MFSA 2010-72/CVE-2010-3173 Insecure Diffie-Hellman key exchange ------------------------------------------------------------------- Wed Sep 15 07:39:22 CEST 2010 - wr@rosenauer.org - update to 3.6.10 * fixing startup topcrash (bmo#594699) ------------------------------------------------------------------- Thu Aug 26 07:40:28 CEST 2010 - wr@rosenauer.org - security update to 3.6.9 (bnc#637303) * MFSA 2010-49/CVE-2010-3169 Miscellaneous memory safety hazards * MFSA 2010-50/CVE-2010-2765 (bmo#576447) Frameset integer overflow vulnerability * MFSA 2010-51/CVE-2010-2767 (bmo#584512) Dangling pointer vulnerability using DOM plugin array * MFSA 2010-53/CVE-2010-3166 (bmo#579655) Heap buffer overflow in nsTextFrameUtils::TransformText * MFSA 2010-54/CVE-2010-2760 (bmo#585815) Dangling pointer vulnerability in nsTreeSelection * MFSA 2010-55/CVE-2010-3168 (bmo#576075) XUL tree removal crash and remote code execution * MFSA 2010-56/CVE-2010-3167 (bmo#576070) Dangling pointer vulnerability in nsTreeContentView * MFSA 2010-57/CVE-2010-2766 (bmo#580445) Crash and remote code execution in normalizeDocument * MFSA 2010-59/CVE-2010-2762 (bmo#584180) SJOW creates scope chains ending in outer object * MFSA 2010-61/CVE-2010-2768 (bmo#579744) UTF-7 XSS by overriding document charset using <object> type attribute * MFSA 2010-62/CVE-2010-2769 (bmo#520189) Copy-and-paste or drag-and-drop into designMode document allows XSS * MFSA 2010-63/CVE-2010-2764 (bmo#552090) Information leak via XMLHttpRequest statusText ------------------------------------------------------------------- Wed Jul 28 08:33:14 CEST 2010 - meissner@suse.de - disable crash reporter for non x86/x86_64 to make it build. ------------------------------------------------------------------- Sat Jul 24 12:42:58 CEST 2010 - wr@rosenauer.org - security update to 3.6.8 (bnc#622506) * MFSA 2010-48/CVE-2010-2755 (bmo#575836) Dangling pointer crash regression from plugin parameter array fix ------------------------------------------------------------------- Fri Jul 16 06:48:44 CEST 2010 - wr@rosenauer.org - security update to 3.6.7 (bnc#622506) * MFSA 2010-34/CVE-2010-1211/CVE-2010-1212 Miscellaneous memory safety hazards * MFSA 2010-35/CVE-2010-1208 (bmo#572986) DOM attribute cloning remote code execution vulnerability * MFSA 2010-36/CVE-2010-1209 (bmo#552110) Use-after-free error in NodeIterator * MFSA 2010-37/CVE-2010-1214 (bmo#572985) Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability * MFSA 2010-38/CVE-2010-1215 (bmo#567069) Arbitrary code execution using SJOW and fast native function * MFSA 2010-39/CVE-2010-2752 (bmo#574059) nsCSSValue::Array index integer overflow * MFSA 2010-40/CVE-2010-2753 (bmo#571106) nsTreeSelection dangling pointer remote code execution vulnerability * MFSA 2010-41/CVE-2010-1205 (bmo#570451) Remote code execution using malformed PNG image * MFSA 2010-42/CVE-2010-1213 (bmo#568148) Cross-origin data disclosure via Web Workers and importScripts * MFSA 2010-43/CVE-2010-1207 (bmo#571287) Same-origin bypass using canvas context * MFSA 2010-44/CVE-2010-1210 (bmo#564679) Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish * MFSA 2010-45/CVE-2010-1206/CVE-2010-2751 (bmo#536466,556957) Multiple location bar spoofing vulnerabilities * MFSA 2010-46/CVE-2010-0654 (bmo#524223) Cross-domain data theft using CSS * MFSA 2010-47/CVE-2010-2754 (bmo#568564) Cross-origin data leakage from script filename in error messages ------------------------------------------------------------------- Sun Jun 27 20:24:31 CEST 2010 - wr@rosenauer.org - update to 3.6.6 release * modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated. ------------------------------------------------------------------- Wed Jun 23 14:40:35 CEST 2010 - wr@rosenauer.org - update to final 3.6.4 release (bnc#603356) * MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/ CVE-2010-1203 Crashes with evidence of memory corruption (rv:1.9.2.4) * MFSA 2010-28/CVE-2010-1198 (bmo#532246) Freed object reuse across plugin instances * MFSA 2010-29/CVE-2010-1196 (bmo#534666) Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal * MFSA 2010-30/CVE-2010-1199 (bmo#554255) Integer Overflow in XSLT Node Sorting * MFSA 2010-31/CVE-2010-1125 (bmo#552255) focus() behavior can be used to inject or steal keystrokes * MFSA 2010-32/CVE-2010-1197 (bmo#537120) Content-Disposition: attachment ignored if Content-Type: multipart also present * MFSA 2010-33/CVE-2008-5913 (bmo#475585) User tracking across sites using Math.random() ------------------------------------------------------------------- Mon Jun 7 07:07:33 CEST 2010 - wr@rosenauer.org - update to 3.6.4(build6) ------------------------------------------------------------------- Sun Apr 18 09:42:40 CEST 2010 - wr@rosenauer.org - security update to 3.6.4 (Lorentz) * enable crashreporter also for x86-64 * Flash runs in a separate process to avoid crashing Firefox (ix86 only; x86-64 still uses nspluginwrapper) ------------------------------------------------------------------- Thu Apr 1 11:15:38 UTC 2010 - wr@rosenauer.org - security update to 3.6.3 * MFSA 2010-25/CVE-2010-1121 (bmo#555109) Re-use of freed object due to scope confusion ------------------------------------------------------------------- Thu Mar 18 06:43:33 CET 2010 - wr@rosenauer.org - security update to version 3.6.2 (bnc#586567) * MFSA 2010-08/CVE-2010-1028 WOFF heap corruption due to integer overflow * MFSA 2010-09/CVE-2010-0164 (bmo#547143) Deleted frame reuse in multipart/x-mixed-replace image * MFSA 2010-10/CVE-2010-0170 (bmo#541530) XSS via plugins and unprotected Location object * MFSA 2010-11/CVE-2010-0165/CVE-2010-0166/CVE-2010-0167 Crashes with evidence of memory corruption * MFSA 2010-12/CVE-2010-0171 (bmo#531364) XSS using addEventListener and setTimeout on a wrapped object * MFSA 2010-13/CVE-2010-0168 (bmo#540642) Content policy bypass with image preloading * MFSA 2010-14/CVE-2010-0169 (bmo#535806) Browser chrome defacement via cached XUL stylesheets * MFSA 2010-15/CVE-2010-0172 (bmo#537862) Asynchronous Auth Prompt attaches to wrong window * MFSA 2010-16/CVE-2010-0173/CVE-2010-0174 Crashes with evidence of memory corruption * MFSA 2010-18/CVE-2010-0176 (bmo#538308) Dangling pointer vulnerability in nsTreeContentView * MFSA 2010-19/CVE-2010-0177 (bmo#538310) Dangling pointer vulnerability in nsPluginArray * MFSA 2010-20/CVE-2010-0178 (bmo#546909) Chrome privilege escalation via forced URL drag and drop * MFSA 2010-22/CVE-2009-3555 (bmo#545755) Update NSS to support TLS renegotiation indication * MFSA 2010-23/CVE-2010-0181 (bmo#452093) Image src redirect to mailto: URL opens email editor * MFSA 2010-24/CVE-2010-0182 (bmo#490790) XMLDocument::load() doesn't check nsIContentPolicy ------------------------------------------------------------------- Mon Jan 18 09:42:50 CET 2010 - wr@rosenauer.org - update to 3.6rc2 (already named 3.6.0) - removed obsolete orbit-devel build requirement ------------------------------------------------------------------- Wed Jan 6 17:15:40 CET 2010 - wr@rosenauer.org - major update to 3.6rc1 ------------------------------------------------------------------- Fri Dec 25 09:39:42 CET 2009 - wr@rosenauer.org - update to version 3.5.7 (bnc#568011) * DNS resolution in MakeSN of nsAuthSSPI causing issues for proxy servers that support NTLM auth (bmo#535193) - added missing lockdown preferences (bnc#567131) ------------------------------------------------------------------- Thu Dec 17 20:06:38 CET 2009 - wr@rosenauer.org - readded firefox-ui-lockdown.patch (bnc#546158) ------------------------------------------------------------------- Thu Dec 3 21:53:59 CET 2009 - wr@rosenauer.org - security update to version 3.5.6 (bnc#559807) * MFSA 2009-65/CVE-2009-3979/CVE-2009-3980/CVE-2009-3982 Crashes with evidence of memory corruption (rv:1.9.1.6) * MFSA 2009-66/CVE-2009-3388 (bmo#504843,bmo#523816) Memory safety fixes in liboggplay media library * MFSA 2009-67/CVE-2009-3389 (bmo#515882,bmo#504613) Integer overflow, crash in libtheora video library * MFSA 2009-68/CVE-2009-3983 (bmo#487872) NTLM reflection vulnerability * MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232) Location bar spoofing vulnerabilities * MFSA 2009-70/VE-2009-3986 (bmo#522430) Privilege escalation via chrome window.opener - fixed firefox-browser-css.patch (bnc#561027) ------------------------------------------------------------------- Mon Nov 23 22:31:21 CET 2009 - wr@rosenauer.org - rebased patches for fuzz=0 ------------------------------------------------------------------- Thu Nov 5 19:49:33 UTC 2009 - wr@rosenauer.org - update to version 3.5.5 (bnc#553172) ------------------------------------------------------------------- Sat Oct 17 23:19:23 CEST 2009 - wr@rosenauer.org - security update to version 3.5.4 (bnc#545277) * MFSA 2009-52/CVE-2009-3370 (bmo#511615) Form history vulnerable to stealing * MFSA 2009-53/CVE-2009-3274 (bmo#514823) Local downloaded file tampering * MFSA 2009-54/CVE-2009-3371 (bmo#514554) Crash with recursive web-worker calls * MFSA 2009-55/CVE-2009-3372 (bmo#500644) Crash in proxy auto-configuration regexp parsing * MFSA 2009-56/CVE-2009-3373 (bmo#511689) Heap buffer overflow in GIF color map parser * MFSA 2009-57/CVE-2009-3374 (bmo#505988) Chrome privilege escalation in XPCVariant::VariantDataToJS() * MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862) Heap buffer overflow in string to number conversion * MFSA 2009-61/CVE-2009-3375 (bmo#503226) Cross-origin data theft through document.getSelection() * MFSA 2009-62/CVE-2009-3376 (bmo#511521) Download filename spoofing with RTL override * MFSA 2009-63/CVE-2009-3377/CVE-2009-3379/CVE-2009-3378 Upgrade media libraries to fix memory safety bugs * MFSA 2009-64/CVE-2009-3380/CVE-2009-3381/CVE-2009-3383 Crashes with evidence of memory corruption - removed upstreamed patch * firefox-bug506901.patch ------------------------------------------------------------------- Wed Oct 7 20:11:24 CEST 2009 - llunak@novell.com - fix KDE button order in one more place (bnc#170055) ------------------------------------------------------------------- Fri Oct 2 20:26:49 CEST 2009 - wr@rosenauer.org - improve UI colors to be usable with dark themes at all (firefox-browser-css.patch) (bnc#503351) - extend list of supported architectures as ABI identifier (mozilla-abi.patch) (bnc#543460) ------------------------------------------------------------------- Mon Sep 14 00:07:55 CEST 2009 - wr@rosenauer.org - added KDE integration patch from llunak@novell.com (firefox-kde.patch) * support for knotify, making -kde4-addon obsolete * KDE-specific support functional (bnc#170055) - do not build libnkgnomevfs (bmo#512671) (firefox-no-gnomevfs) ------------------------------------------------------------------- Thu Sep 10 09:34:26 CEST 2009 - wr@rosenauer.org - security update to version 3.5.3 (bnc#534458) * MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/ CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075 Crashes with evidence of memory corruption * MFSA 2009-49/CVE-2009-3077 (bmo#506871) TreeColumns dangling pointer vulnerability * MFSA 2009-50/CVE-2009-3078 (bmo#453827) Location bar spoofing via tall line-height Unicode characters * MFSA 2009-51/CVE-2009-3079 (bmo#454363) Chrome privilege escalation with FeedWriter ------------------------------------------------------------------- Wed Aug 19 22:14:07 CEST 2009 - wr@rosenauer.org - renamed patch firefox-contextmenu-gnome to firefox-cross-desktop as it contains more tweaks to handle non-Gnome environments and especially KDE integration: * added the ability to set the KDE default browser (still part of bnc#170055) ------------------------------------------------------------------- Sat Aug 8 00:14:18 CEST 2009 - wr@rosenauer.org - split -translations package into -common and -other (bnc#529180) - remove "set as background" from context menu if not running in Gnome (part of bnc#170055) ------------------------------------------------------------------- Fri Jul 31 09:01:57 CEST 2009 - wr@rosenauer.org - security update to version 3.5.2 * MFSA 2009-38/CVE-2009-2470 (bmo#459524) Data corruption with SOCKS5 reply containing DNS name longer than 15 characters * MFSA 2009-44/CVE-2009-2654 (bmo#451898) Location bar and SSL indicator spoofing via window.open() on invalid URL * MFSA 2009-45 Crashes with evidence of memory corruption * MFSA 2009-46 (bmo#498897) Chrome privilege escalation due to incorrectly cached wrapper * various other stability fixes - export MOZ_APP_LAUNCHER in the startscript (bmo#453689) ------------------------------------------------------------------- Tue Jul 28 14:54:46 CEST 2009 - wr@rosenauer.org - fixed %exclude usage - fixed preferences' advanced pane for fresh profiles (bmo#506901) ------------------------------------------------------------------- Wed Jul 15 20:13:19 CEST 2009 - wr@rosenauer.org - security update to version 3.5.1 * MFSA 2009-41 Corrupt JIT state after deep return from native function ------------------------------------------------------------------- Mon Jul 6 12:33:47 CEST 2009 - wr@rosenauer.org - added mozilla-linkorder.patch to fix build with --as-needed ------------------------------------------------------------------- Tue Jun 30 08:52:00 CEST 2009 - wr@rosenauer.org - update to final version 3.5 (20090623) ------------------------------------------------------------------- Tue Jun 23 09:39:50 CEST 2009 - wr@rosenauer.org - fixed build by linking to a real file ------------------------------------------------------------------- Thu Jun 18 10:19:40 CEST 2009 - wr@rosenauer.org - update to version 3.5rc2 (20090617) - BuildRequire mozilla-xulrunner191 = 1.9.1.0 ------------------------------------------------------------------- Sat Jun 6 15:59:02 CEST 2009 - wr@rosenauer.org - update to version 3.5b99 (20090604) - BuildRequire mozilla-xulrunner191 = 1.9.1b99 ------------------------------------------------------------------- Wed May 27 08:03:16 CEST 2009 - wr@rosenauer.org - fixed typos in improved xulrunner dependencies ------------------------------------------------------------------- Mon May 11 18:25:12 CEST 2009 - wr@rosenauer.org - use non-localized Downloads folder (bnc#501724) ------------------------------------------------------------------- Mon May 4 07:57:50 CEST 2009 - wr@rosenauer.org - update to new major version 3.5b4 * based on Gecko 1.9.1 (mozilla-xulrunner191) * Private Browsing Mode * TraceMonkey JavaScript engine * Geolocation support * native JSON and web worker threads support * speculative parsing for faster content rendering * Some HTML5 support - updated firefox.schemas - improved firefox-no-update.patch ------------------------------------------------------------------- Tue Apr 28 10:47:54 CEST 2009 - wr@rosenauer.org - security update to 3.0.10 * MFSA 2009-23/CVE-2009-1313 (bmo#489647) Crash in nsTextFrame::ClearTextRun() ------------------------------------------------------------------- Thu Apr 16 13:52:21 CEST 2009 - wr@rosenauer.org - security update to 3.0.9 (bnc#495473) * MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305 Crashes with evidence of memory corruption (rv:1.9.0.9) * MFSA 2009-15/CVE-2009-0652 (bmo#479336) URL spoofing with box drawing character * MFSA 2009-16/CVE-2009-1306 (bmo#474536) jar: scheme ignores the content-disposition: header on the inner URI * MFSA 2009-17/CVE-2009-1307 (bmo#481342) Same-origin violations when Adobe Flash loaded via view-source: scheme * MFSA 2009-18/CVE-2009-1308 (bmo#481558) XSS hazard using third-party stylesheets and XBL bindings * MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433) Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString * MFSA 2009-20/CVE-2009-1310 (bmo#483086) Malicious search plugins can inject code into arbitrary sites * MFSA 2009-21/CVE-2009-1311 (bmo#471962) POST data sent to wrong site when saving web page with embedded frame * MFSA 2009-22/CVE-2009-1312 (bmo#475636) Firefox allows Refresh header to redirect to javascript: URIs ------------------------------------------------------------------- Fri Mar 27 09:43:43 CET 2009 - wr@rosenauer.org - security update to 1.9.0.8 (bnc#488955,489411) * MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217) Crash and remote code execution in XSL transformation * MFSA 2009-13/CVE-2009-1044 (bmo#484320) Arbitrary code execution via XUL tree moveToEdgeShift - allow RPM provides for stuff besides shared libraries (e.g. mime-types) ------------------------------------------------------------------- Sun Mar 1 11:08:58 CET 2009 - wr@rosenauer.org - security update to 3.0.7 (bnc#478625) * MFSA 2009-07 - Crashes with evidence of memory corruption CVE-2009-0771 - Layout Engine Crashes CVE-2009-0772 - Layout Engine Crashes CVE-2009-0773 - crashes in the JavaScript engine CVE-2009-0774 - Layout Engine Crashes * MFSA 2009-08/CVE-2009-0775 - (bmo#474456) Mozilla Firefox XUL Linked Clones Double Free Vulnerability * MFSA 2009-09/CVE-2009-0776 (bmo#414540) XML data theft via RDFXMLDataSource and cross-domain redirect * MFSA 2009-10/CVE-2009-0040 (bmo#478901) Upgrade PNG library to fix memory safety hazards * MFSA 2009-11/CVE-2009-0777 (bmo#452979) URL spoofing with invisible control characters ------------------------------------------------------------------- Wed Feb 4 18:58:59 EST 2009 - hfiguiere@suse.de - Review and approve changes. ------------------------------------------------------------------- Wed Jan 28 13:48:00 CET 2009 - wr@rosenauer.org - security update to 3.0.6 (bnc#470074) * MFSA 2009-06/CVE-2009-0358: Directives to not cache pages ignored (bmo#441751) * MFSA 2009-05/CVE-2009-0357: XMLHttpRequest allows reading HTTPOnly cookies (bmo#380418) * MFSA 2009-04/CVE-2009-0356: Chrome privilege escalation via local .desktop files (bmo#460425) * MFSA 2009-03/CVE-2009-0355: Local file stealing with SessionStore (bmo#466937) * MFSA 2009-02/CVE-2009-0354: XSS using a chrome XBL method and window.eval (bmo#468581) * MFSA 2009-01/CVE-2009-0352 - CVE-2009-0353: Crashes with evidence of memory corruption (rv:1.9.0.6) (bmo#452913, bmo#449006, bmo#331088, bmo#401042, bmo#416461, bmo#422283, bmo#422301, bmo#431705, bmo#437142, bmo#421839, bmo#420697, bmo#461027) * (non security) added lv locale ------------------------------------------------------------------- Thu Jan 22 11:09:42 EST 2009 - hfiguiere@suse.de - Fix the wrapper script for PowerPC 64-bits (bnc#464753) ------------------------------------------------------------------- Wed Dec 17 13:13:25 EST 2008 - hfiguiere@suse.de - Review and approve changes. ------------------------------------------------------------------- Mon Dec 15 16:41:57 CET 2008 - wr@rosenauer.org - security update to 1.9.0.5 (bnc#455804) for details http://www.mozilla.org/security/known-vulnerabilities/firefox30.html * removed aboutRights workaround again * added et locale ------------------------------------------------------------------- Tue Nov 25 10:14:45 EST 2008 - hfiguiere@suse.de - Review and approve changes. ------------------------------------------------------------------- Sat Nov 22 13:26:03 CET 2008 - wr@rosenauer.org - replace license agreement with about:rights toolbar (backported from upcoming FF 3.0.5) (bnc#436054, bmo#456439) (it's always displayed in en-US) ------------------------------------------------------------------- Fri Nov 21 03:11:41 EST 2008 - hfiguiere@suse.de - Update firefox-lockdown-ui.patch * Print Setup is now properly locked down. bnc#431028 * Bookmark editing it now properly locked down. bnc#439335 * Bookmars are properly hidden. * History is properly locked down. bnc#439343 * Make sure the search bar is not put back when resetting the toolbar. bnc#439358 ------------------------------------------------------------------- Thu Nov 20 18:49:19 CST 2008 - maw@suse.de - Review and approve changes. ------------------------------------------------------------------- Thu Nov 13 08:22:13 CET 2008 - wr@rosenauer.org - lockdown cleanup * removed gecko-lockdown.patch from Firefox (it's in xulrunner) * stripped out some toolkit stuff from firefox-ui-lockdown * added extra default preferences for lockdown ------------------------------------------------------------------- Wed Nov 12 17:55:19 CST 2008 - maw@suse.de - Review and approve changes. ------------------------------------------------------------------- Tue Nov 11 09:15:59 CET 2008 - wr@rosenauer.org - update to security/maintenance release 3.0.4 (bnc#439841) * support additional locales (bg, cy, eo, oc) - removed obsolete configure option (enable-gconf) ------------------------------------------------------------------- Fri Nov 7 15:39:54 CST 2008 - maw@suse.de - Review and approve changes. ------------------------------------------------------------------- Tue Nov 4 23:27:03 CET 2008 - wr@rosenauer.org - moved gconf schema into branding packages (bnc#441646) ------------------------------------------------------------------- Tue Oct 28 16:16:14 EDT 2008 - hfiguiere@suse.de - Fix missing %endif (for fix for bnc#434283) ------------------------------------------------------------------- Mon Oct 27 17:05:02 EDT 2008 - hfiguiere@suse.de - Add disable_show_passwords to firefox.schemas. (FATE #301534) ------------------------------------------------------------------- Mon Oct 27 11:57:29 CET 2008 - wr@rosenauer.org - make biarch dependencies work correctly (bnc#434283) ------------------------------------------------------------------- Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de - Added firefox-ui-lockdown.patch and gecko-lockdown.patch * Lockdown: FATE#302023, FATE#302024 ------------------------------------------------------------------- Mon Oct 6 14:55:48 CEST 2008 - sbrabec@suse.cz - Conflict with other branding providers (FATE#304881). ------------------------------------------------------------------- Mon Sep 29 12:27:43 CDT 2008 - maw@suse.de - Review and approve changes. ------------------------------------------------------------------- Mon Sep 29 11:36:30 CDT 2008 - maw@suse.de - Remove a reference to a stale patch. ------------------------------------------------------------------- Sun Sep 28 18:19:26 CEST 2008 - wr@rosenauer.org - update to regression fix release 3.0.3 * Fixed a problem where users were unable to retrieve saved passwords or save new passwords (bmo#454708, bnc#429179#c20, CVE-2008-4063, CVE-2008-4064, CVE-2008-3836, andCVE-2008-4070) ------------------------------------------------------------------- Thu Sep 25 14:47:13 CDT 2008 - maw@suse.de - Review and approve changes. ------------------------------------------------------------------- Mon Sep 15 13:45:16 CEST 2008 - wr@rosenauer.org - update to security/maintenance release 3.0.2 (bnc#429179) - removed unused files from sources - fix more rpmlint complaints and provide a config file to filter false positives - disable Gnome crashreporter as it has no value - brought man-page up to date for the firefox stub (removing firefox-bin reference) - en-US locale not longer packaged in translations subpackage ------------------------------------------------------------------- Fri Aug 15 18:56:26 CDT 2008 - maw@novell.com - Review and approve changes. ------------------------------------------------------------------- Mon Aug 4 09:26:05 CEST 2008 - wr@rosenauer.org - Tweak branding split ------------------------------------------------------------------- Tue Jul 29 15:02:47 CEST 2008 - vuntz@novell.com - Create branding package (bnc#390752): + search-addons.tar.bz2, bookmarks.html.suse and firefox-suse-default-prefs.js will be moved to MozillaFirefox-branding-openSUSE + create a MozillaFirefox-branding-upstream package ------------------------------------------------------------------- Mon Jul 28 20:54:22 CEST 2008 - mauro@suse.de - Update to stability/security release 3.0.1 (bnc#407573) (thanks, Wolfgang) + MFSA 2008-36 Crash with malformed GIF file on Mac OS X + MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running + MFSA 2008-34 Remote code execution by overflowing CSS reference counter - Set browser.shell.checkDefaultBrowser to true (bnc#404119) ------------------------------------------------------------------- Tue Jun 17 18:49:33 CEST 2008 - maw@suse.de - Merge changes from the build service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). ------------------------------------------------------------------- Tue Jun 17 14:40:04 CEST 2008 - wr@rosenauer.org - update to version 3.0 - fixed double entry in bookmarks for www.opensuse.org (bnc#396980 ------------------------------------------------------------------- Thu May 15 13:45:51 CEST 2008 - aj@suse.de - Add Planet SUSE, forums.o.o and How to participate to default URLs. ------------------------------------------------------------------- Fri May 2 16:25:24 CEST 2008 - maw@suse.de - network.protocol-handler.app.* prefs are no longer supported; remove references to them from firefox-suse-default-prefs.js (bnc#383697). ------------------------------------------------------------------- Thu Apr 3 01:42:34 CEST 2008 - maw@suse.de - Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang). ------------------------------------------------------------------- Wed Mar 26 01:05:18 CET 2008 - maw@suse.de - Merge changes from the build service (thanks, Wolfgang) - Update to the fourth Firefox 3.0 Beta (2.9.94): + Based upon the Gecko 1.9 Web rendering platform, which improves performance, stability, and rendering correctness; it also boasts a considerable simplification in its code + Security improvements: * One-click site info * Malware Protection * New Web Forgery Protection page * New SSL error pages * Add-ons and Plugin version check * Secure add-on updates * Effective top-level domain (eTLD) service to better restrict cookies and other restricted content to a single domain * Better protection against cross-site JSON data leaks + Usability improvements: * Easier password management * Simplified add-on installation * New Download Manager * Resumable downloading * Full page zoom * Podcasts and Videocasts can be associated with your media playback tools * Tab scrolling and quickmenu * Save what you were doing: Firefox will prompt users to save tabs on exit * Optimized Open in Tabs behavior * Location and Search bar size can now be customized with a simple resizer item * Text selection improvements * Find toolbar * Improved integration with Linux: Firefox's default icons, buttons, and menu styles now use the native GTK theme + Personalization improvements: * Star button: quickly add bookmarks from the location bar with a single click; a second click lets you file and tag them * Tags: associate keywords with your bookmarks to sort them by topic * Location bar & auto-complete * Smart Bookmarks Folder * Places Organizer: view, organize and search through all of your bookmarks, tags, and browsing history with multiple views and smart folders to store your frequent searches * Web-based protocol handlers * Download & Install Add-ons * Easy to use Download Actions + Improved platform for web developers: * New graphics and font handling: new graphics and text rendering architectures in Gecko 1.9 provides rendering improvements in CSS, SVG as well as improved display of fonts with ligatures and complex scripts * Color management: (set gfx.color_management.enabled on in about:config and restart the browser to enable.); Firefox can now adjust images with embedded color profiles * Offline support: enables web applications to provide offline functionality (website authors must add support for offline browsing to their site for this feature to be available to users) + Improved performance: * Speed: improvements to the JavaScript engine as well as profile guided optimizations have resulted in significant improvements in performance; compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3 Beta 4, and the popular SunSpider test from Apple shows improvements over previous releases * Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 Beta 4 over a web browsing session; memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned * Reliability: A user's bookmarks, history, cookies, and preferences are now stored in a transactionally secure database format which will prevent data loss even if their system crashes - This version depends upon the mozilla-xulrunner190 package - Drop various stale packages, respin several that have been kept around, and add a few new ones. ------------------------------------------------------------------- Mon Feb 11 18:18:14 CET 2008 - maw@suse.de - Security update to version 2.0.0.12 (bnc#354469): + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div overlay + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet redirect + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain text files + MFSA 2008-08/CVE-2008-0591 File action dialog tampering + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward navigation stealing + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI + MFSA 2008-04/CVE-2008-0417 Stored password corruption + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote Code Execution + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing vulnerabilities + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory corruption (rv:1.8.1.12) - Reference libaoss.so in start script (bnc#117079) - Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed - Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and FATE#302024) - Add application/x-xpinstall mime type to MozillaFirefox.desktop - Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall in desktop. ------------------------------------------------------------------- Thu Jan 17 17:52:47 CET 2008 - maw@suse.de - Add mozilla-maxpathlen.patch (#354150 and bmo #412610). ------------------------------------------------------------------- Fri Dec 21 18:46:50 CET 2007 - maw@suse.de - Add firefox-348446-empty-lists.patch (bnc#348446). ------------------------------------------------------------------- Wed Dec 5 02:21:26 CET 2007 - maw@suse.de - Respin proxy-dev.patch (bnc#340678) -- thanks, Anders! ------------------------------------------------------------------- Tue Nov 27 18:25:25 CET 2007 - maw@suse.de - Security update to version 2.0.0.10 (#341905, #341591): + MFSA 2007-39 Referer-spoofing via window.location race condition + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10) + MFSA 2007-37 jar: URI scheme XSS hazard + Fixes for regressions introduced in 2.0.0.8 + Updated dbus.patch, startup.patch, misc.dif, and configure.patch - Add mozilla-gcc4.3-fixes.patch - Add mozilla-canvas-1.8.1.10.patch (#341591#c10). ------------------------------------------------------------------- Mon Nov 26 18:27:25 CET 2007 - maw@suse.de - Build with -ftree-vrp -fwrapv, per advice in #342603#c17. ------------------------------------------------------------------- Tue Nov 13 17:49:01 CET 2007 - maw@suse.de - Add firefox-gcc4.3-fixes.patch. ------------------------------------------------------------------- Fri Oct 19 02:04:45 CEST 2007 - maw@suse.de - Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang) * MFSA 2007-29 Crashes with evidence of memory corruption * MFSA 2007-30 onUnload Tailgating * MFSA 2007-31 Digest authentication request splitting * MFSA 2007-32 File input focus stealing vulnerability * MFSA 2007-33 XUL pages can hide the window titlebar * MFSA 2007-34 Possible file stealing through sftp protocol * MFSA 2007-35 XPCNativeWraper pollution using Script object complete advisories on http://www.mozilla.org/projects/security/known-vulnerabilities.html ------------------------------------------------------------------- Sun Sep 23 19:49:12 CEST 2007 - maw@suse.de - Don't explicitly require libaoss.so (#326751). ------------------------------------------------------------------- Fri Sep 14 23:13:06 CEST 2007 - maw@suse.de - Update the Novell Support search plugin in search-addons.tar.bz2 (#297261) - Set the browser.tabs.loadFolderAndReplace preference to false by default (#230759). ------------------------------------------------------------------- Wed Sep 12 15:21:06 CEST 2007 - dmueller@suse.de - fix hardlinks accross partitions ------------------------------------------------------------------- Thu Sep 6 16:07:12 CEST 2007 - maw@suse.de - Add http://software.opensuse.org/search?baseproject=openSUSE:10.3 to the default bookmarks (#308223). ------------------------------------------------------------------- Mon Sep 3 22:33:09 CEST 2007 - ro@suse.de - move last change a bit further in specfile ------------------------------------------------------------------- Fri Aug 31 18:36:16 CEST 2007 - maw@suse.de - Mark a .png file as nonexecutable. ------------------------------------------------------------------- Tue Aug 28 16:44:08 CEST 2007 - maw@suse.de - Minor .spec update (#305193) + Remove two obsolete patches + Correct releasedate + Include only the officially supported locales. ------------------------------------------------------------------- Wed Aug 22 17:53:03 CEST 2007 - maw@suse.de - Merge changes from the build service (thanks, Wolfgang): + Provide locale dependency information (#302288) + Add x11-session.patch, supporting X11 session management (#227047) + Update to version 2.0.0.6 * MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows * MFSA 2007-27 Unescaped URIs passed to external programs (only relevant on Windows) - Use %fdupes. ------------------------------------------------------------------- Tue Aug 21 09:45:35 CEST 2007 - aj@suse.de - Adjust bookmarks: Add news.opensuse.org, use new software.o.o page. ------------------------------------------------------------------- Thu Aug 16 14:57:27 CEST 2007 - mauro@suse.de - Revert previous change. ------------------------------------------------------------------- Tue Aug 14 11:58:23 CEST 2007 - mauro@suse.de - Added support for ymp in the mimetypes.rdf - Added OneClickInstallUrlHandler for handing the actual call from firefox. - Fixes bnc #295677 ------------------------------------------------------------------- Mon Jul 23 18:57:07 CEST 2007 - maw@suse.de - Security update to version 2.0.0.5 (#288115) which has fixes for: MFSA 2007-18 CVE-2007-3734 - Browser flaws CVE-2007-3735 - Javascript flaws MFSA 2007-19 CVE-2007-3736 MFSA 2007-20 CVE-2007-3089 MFSA 2007-21 CVE-2007-3737 MFSA 2007-22 CVE-2007-3285 MFSA 2007-23 CVE-2007-3670 MFSA 2007-24 CVE-2007-3656 MFSA 2007-25 CVE-2007-3738 ------------------------------------------------------------------- Thu Jun 21 15:59:01 CEST 2007 - adrian@suse.de - fix changelog entry order ------------------------------------------------------------------- Mon Jun 18 13:22:42 CDT 2007 - maw@suse.de - Use mozilla.sh.in from the build service (#230681). ------------------------------------------------------------------- Tue Jun 5 15:55:08 CEST 2007 - sbrabec@suse.cz - Removed invalid desktop category "Application" (#254654). ------------------------------------------------------------------- Mon Jun 4 19:53:35 CDT 2007 - maw@suse.de - Security update to version 2.0.0.4 - Refresh configure.patch, startup.patch, and visibility.patch - Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2. ------------------------------------------------------------------- Mon Apr 30 16:49:55 CEST 2007 - ro@suse.de - added unzip to BuildRequires ------------------------------------------------------------------- Wed Apr 18 14:16:44 CEST 2007 - mfabian@suse.de - add Japanese to the languages which get PANGO enabled in the start script to support the Japanese combining characters U+3099 U+309A (see bugzilla #262718 comment #29). ------------------------------------------------------------------- Mon Mar 12 11:06:10 CST 2007 - maw@suse.de - Package gconf stuff. ------------------------------------------------------------------- Wed Feb 21 16:37:25 CST 2007 - maw@suse.de - Security update to 2.0.0.2 (#244923), which covers: + mfsa2007-01 * CVE-2007-0775 - layout engine crashes * CVE-2007-0776 - SVG * CVE-2007-0777 - javascript engine corruption + mfsa2007-02 * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes * CVE-2007-0996 - Child frame character set inheritance * CVE-2006-6077 - Injected password forms + mfsa2007-02 + mfsa2007-03 * CVE-2007-0078 + mfsa2007-04 * CVE-2007-0079 + mfsa2007-05 * CVE-2007-0780 * CVE-2007-0800 + mfsa2007-06 * CVE-2007-0008 - client flaw * CVE-2007-0009 - server flaw + mfsa2007-07 * CVE-2007-0981 - Updates mozilla.sh.in (#230681) - Fixes #232209 - Updates the man page (#243037) - Properly propagates exit codes (#241492) - Adds em-356370.patch (#217374) ------------------------------------------------------------------- Thu Jan 25 10:16:56 CST 2007 - maw@suse.de - Fixup the Gnome paths, keeping in closer sync with the buildservice. ------------------------------------------------------------------- Thu Jan 18 09:27:54 CST 2007 - maw@suse.de - Gnome is now in /usr, so remove references to /opt/gnome - Install firefox.png with the executable bit not set. ------------------------------------------------------------------- Wed Jan 10 12:57:39 CET 2007 - meissner@suse.de - readd MozillaFirebird provides (was incorrect in removing it). ------------------------------------------------------------------- Mon Jan 8 11:16:08 CET 2007 - meissner@suse.de - Do not provide MozillaFirebird, just obsolete it. ------------------------------------------------------------------- Fri Dec 1 02:22:49 CET 2006 - maw@suse.de - Update gecko-lockdown.patch (#220616). ------------------------------------------------------------------- Thu Nov 30 19:02:54 CET 2006 - maw@suse.de - Update firefox-suse-default-prefs.js, adding 'pref("browser.backspace_action", 2);' (#217374) ------------------------------------------------------------------- Thu Nov 30 08:17:28 CET 2006 - aj@suse.de - Fix last change (#224431). ------------------------------------------------------------------- Wed Nov 29 11:45:47 CET 2006 - aj@suse.de - Change download bookmark (#224431). - Rename bookmark folder to openSUSE. ------------------------------------------------------------------- Tue Nov 28 08:09:48 CET 2006 - aj@suse.de - Sync from Buildservice with following critical fixes (thanks Wolfgang Rosenauer!): * fixed system-proxies.patch to actually work (#223881). * Rearrange Bookmarks to pass trademark review. ------------------------------------------------------------------- Mon Nov 27 19:40:44 CET 2006 - aj@suse.de - Fix tango theme (#223796). ------------------------------------------------------------------- Mon Nov 27 17:40:50 CET 2006 - aj@suse.de - Use www.opensuse.org as home page. ------------------------------------------------------------------- Sun Nov 12 11:28:00 CET 2006 - aj@suse.de - Set novell.com as home page. - Update from BuildService (thanks Wolfgang!): - fixed crash in htmlparser (#217257, bmo #358797) - added gconf2 as PreReq (#212505) - added 32bit libaoss.so as requirement (#216266) - Removed SUSE searchplugin (Portal not available anymore) (#216054) - Removed obsolete xul-picker.patch and system-nspr.patch - Fixed building on 10.1 and 10.0 (dbus) - Removed obsolete throbber preference ------------------------------------------------------------------- Thu Nov 9 19:09:46 CET 2006 - jhargadon@suse.de - updated tango theme ------------------------------------------------------------------- Sun Oct 29 12:05:46 CET 2006 - aj@suse.de - Another fix for 214125, patch by Wolfgang Rosenauer. ------------------------------------------------------------------- Thu Oct 26 06:58:59 CEST 2006 - aj@suse.de - Fix gcc warnings about undefined operations, patch by Robert O'Callahan. - Update system-proxies.patch to fix error box (214125), patch by Robert O'Callahan. ------------------------------------------------------------------- Mon Oct 23 21:54:54 CEST 2006 - aj@suse.de - Update to current CVS version of 2.0. - Use www.opensuse.org as default home page for now (#203547). ------------------------------------------------------------------- Sat Oct 21 08:53:50 CEST 2006 - aj@suse.de - Disable non-working plasticfox and tango themes. ------------------------------------------------------------------- Fri Oct 20 20:16:29 CEST 2006 - aj@suse.de - Fix building of locales. ------------------------------------------------------------------- Fri Oct 20 11:27:23 CEST 2006 - mkoenig@suse.de - update to version 2.0rc3: * New features: Visual Refresh, Built-in phishing protection, Enhanced search capabilities, Improved tabbed browsing, Resuming your browsing session, Previewing and subscribing to Web feeds, Inline spell checking, Live Titles, Improved Add-ons manager, JavaScript 1.7, Extended search plugin format, Updates to the extension system, Client-side session and persistent storage, SVG text ------------------------------------------------------------------- Tue Oct 17 11:26:44 CEST 2006 - meissner@suse.de - disabled debugging. ------------------------------------------------------------------- Tue Sep 12 20:27:02 CEST 2006 - stark@suse.de - security update to version 1.5.0.7 ------------------------------------------------------------------- Mon Aug 21 12:53:50 CEST 2006 - stark@suse.de - added greasemonkey helper change (#199920) - fixed packager.mk for new make version ------------------------------------------------------------------- Fri Aug 11 20:51:48 CEST 2006 - stark@suse.de - fixed crash in dbus component (patch by thoenig #197928) - use external adresses for PAC configuration (#196506) ------------------------------------------------------------------- Mon Aug 7 09:26:58 CEST 2006 - stark@suse.de - added symlink for Firefox 1.0.x compatibility ------------------------------------------------------------------- Sat Jul 29 08:48:53 CEST 2006 - stark@suse.de - update to regression release 1.5.0.6 (#195043) ------------------------------------------------------------------- Thu Jul 27 06:20:36 CEST 2006 - stark@suse.de - security update to version 1.5.0.5 (#195043) * observer-lock.patch integrated now - fixed leak in JS' liveconnect (#186066) - fixed desktop file for old distributions (StartupNotify=false) ------------------------------------------------------------------- Thu Jun 29 20:13:28 CEST 2006 - stark@suse.de - fixed printing crash if the last used printer is not available anymore (#187013) ------------------------------------------------------------------- Fri Jun 16 22:11:22 CEST 2006 - stark@suse.de - added 48x48 icon (#185777) ------------------------------------------------------------------- Mon Jun 12 20:20:02 CEST 2006 - stark@suse.de - fix overwrite confirmation for GTK filesaver (#179531) - get network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris from gconf if system-settings are enabled (#184489) ------------------------------------------------------------------- Thu Jun 1 20:34:43 CEST 2006 - stark@suse.de - update to security/stability release 1.5.0.4 (#179011) - moved locale-global prefs to browserconfig.properties (#177881) ------------------------------------------------------------------- Tue May 23 21:11:11 CEST 2006 - stark@suse.de - complete implementation of startup-notification (#115417) (including autoconf and remote support) - different home-pages for SLE10 and SL (#177881) ------------------------------------------------------------------- Tue May 16 06:27:26 CEST 2006 - stark@suse.de - fixed potential deadlock in nsObserverList::RemoveObserver (#173986, bmo #338069) - base startup notification on libstartup-notification (#115417) ------------------------------------------------------------------- Thu May 11 09:39:27 CEST 2006 - stark@suse.de - save printer settings properly (#174082, bmo #324072) - added startup notification support for showing load activity in Gnome and to avoid focus stealing prevention (#115417) - added StartupNotify=true to desktop file (#115417) - provide legacy symlink for NLD9 update compatibility (#173138) - fixed system-proxies patch to avoid unwanted wpad requests (#171743, #167613) ------------------------------------------------------------------- Mon May 8 14:55:52 CEST 2006 - stark@suse.de - preconfigure the theme according to the used desktop (#151163) ------------------------------------------------------------------- Thu Apr 27 10:24:07 CEST 2006 - stark@suse.de - last minute change for 1.5.0.3 ------------------------------------------------------------------- Wed Apr 26 14:23:33 CEST 2006 - stark@suse.de - security update to 1.5.0.3 - fix for typo in postscript.patch ------------------------------------------------------------------- Tue Apr 25 14:14:51 CEST 2006 - stark@suse.de - fixed iframe crash (#169039, bmo #334515) - fixed img tag misuse (#168710, bmo #334341) ------------------------------------------------------------------- Mon Apr 24 08:04:16 CEST 2006 - stark@suse.de - improved postscript output (bmo #334485) - changed defaults for printer properties (#6534) - overwrite gnome-vfs' file protocol by providing "desktop-launch" (#131501) - get available paper sizes from CUPS (#65482) - replaced/removed complicated gconfd reload in %post (#167989) - fixed memory leak in clipboard caching (bmo #289897) ------------------------------------------------------------------- Tue Apr 11 08:35:53 CEST 2006 - stark@suse.de - added (optional) plastikfox theme (#151163) - get some more security related patches (#148876) - finally fixed the default proxy configuration by adding a new UI option (#132398) ------------------------------------------------------------------- Mon Apr 3 11:41:13 CEST 2006 - stark@suse.de - fixed keyword fixup patch (#162532) ------------------------------------------------------------------- Tue Mar 28 07:17:04 CEST 2006 - stark@suse.de - don't use keyword fixup for pasted text (#160034, bmo #331522) ------------------------------------------------------------------- Mon Mar 20 09:28:58 CET 2006 - stark@suse.de - added Tango theme - fixed reading proxies from gconf (#132398) ------------------------------------------------------------------- Sun Mar 12 09:04:05 CET 2006 - stark@suse.de - tweaked bookmarks (fixed URLs) - added Khmer (km-*) to pango locales (#157397) ------------------------------------------------------------------- Sat Mar 4 21:08:45 CET 2006 - stark@suse.de - fixed crash with multipart JPEGs (bmo #328684) (#140416) - got latest security fixes from upstream (#148876) ------------------------------------------------------------------- Wed Feb 22 13:24:58 CET 2006 - stark@suse.de - fixed plugin loading when launched from Thunderbird (#151614) - merged dbus reconnection patch (#150042) - default to autodetect proxy (network.proxy.type=4) (#151811) - added GTK category to desktop file ------------------------------------------------------------------- Tue Feb 14 06:45:24 CET 2006 - stark@suse.de - modified lockdown patches (#67281, #67282) - applied set of security patches (#148876) bmo bugs: 282105, 307989, 315625, 320459, 323634, 325403, 325947 ------------------------------------------------------------------- Tue Feb 7 20:09:43 CET 2006 - stark@suse.de - fixed disabling of Pango (#148788) ------------------------------------------------------------------- Thu Feb 2 21:51:30 CET 2006 - stark@suse.de - define gssapi lib explicitely (#147670) - use only official Firefox-Icon - changed home-download patch ------------------------------------------------------------------- Sun Jan 29 09:54:49 CET 2006 - stark@suse.de - throbber URL is default again - removed firefox-showpass patch - removed additional CA certs from builtin NSS ------------------------------------------------------------------- Fri Jan 27 17:55:21 CET 2006 - stark@suse.de - got some l10n changes from 1.8.0 branch ------------------------------------------------------------------- Fri Jan 27 08:15:09 CET 2006 - stark@suse.de - final 1.5.0.1 version - make it possible to choose $HOME as download directory (#144894, bmo #300856) ------------------------------------------------------------------- Wed Jan 25 21:33:43 CET 2006 - mls@suse.de - converted neededforbuild to BuildRequires ------------------------------------------------------------------- Sun Jan 22 17:06:57 CET 2006 - stark@suse.de - disable Pango if MOZ_ENABLE_PANGO is not set and no typical language which needs Pango is used (#143428) ------------------------------------------------------------------- Wed Jan 18 10:27:30 CET 2006 - stark@suse.de - fixed DumpStackToFile() for glibc 2.4 - added default (font) settings ------------------------------------------------------------------- Thu Jan 12 10:23:58 CET 2006 - stark@suse.de - update to 1.5.0.1pre (20060111) - updated man-page - fixed hovered tab close button - only Requires mozilla-nspr instead of PreReq since there is no postinstall registration necessary anymore - use system NSS from CODE10 on - use -fstack-protector where available - changed unixproxy component to work on older distributions ------------------------------------------------------------------- Mon Jan 2 13:39:09 CET 2006 - stark@suse.de - added unixproxy component written by Robert O'Callahan (#132398) (bmo #66057) - added official translations - preload libaoss for plugin sound (#117079) ------------------------------------------------------------------- Wed Dec 28 08:16:03 CET 2005 - stark@suse.de - get some patches from 1.8.0 branch - readded modification to gconf-backend (bmo #321315) - readded lockdown stuff - enable additional extension install directory (#120329) (/usr/lib/browser-extensions/firefox) - added patch to make the XUL filechooser optional (MOZ_XUL_PICKER) ------------------------------------------------------------------- Wed Dec 14 16:08:12 CET 2005 - stark@suse.de - fixed patch for parsing -remote parameter - removed default-plugin patch (not needed anymore) ------------------------------------------------------------------- Fri Dec 9 17:21:29 CET 2005 - stark@suse.de - fix to ignore X composite extension (#135373) - fixed parsing of -remote parameters (#134396) - activated locales as released ------------------------------------------------------------------- Tue Nov 29 21:33:13 CET 2005 - stark@suse.de - update to 1.5 (20051128) - don't override startup URL when changing Gecko versions (#135314) - added patch for GTK2 handling (#134831) - readded add-plugins stuff for compatibility ------------------------------------------------------------------- Fri Nov 18 07:41:41 CET 2005 - stark@suse.de - update to 1.5rc3 (20051117) ------------------------------------------------------------------- Mon Oct 31 08:58:14 CET 2005 - stark@suse.de - updated l10n archive (20051030) - fixed postinstall script to copy plugin links instead of files ------------------------------------------------------------------- Fri Oct 28 06:43:27 CEST 2005 - stark@suse.de - update to 1.5rc1 (20051027) - fixed profile locking on FAT partitions (bmo #313360) - introduced an rpath again ------------------------------------------------------------------- Wed Oct 19 20:03:48 CEST 2005 - stark@suse.de - update to snapshot 1.5 (20051019) - moved installation to /usr/%{_lib}/firefox - added dbus component to be able to get network status from NetworkManager (bmo #312793) - remove all update UI for application - removed diable-gconf (no registration at build time anymore) - removed rebuild-databases.sh (no system registration anymore) - open links in new windows (#128087) ------------------------------------------------------------------- Thu Oct 6 20:44:53 CEST 2005 - stark@suse.de - update to Firefox 1.5b2 (20051005) - added supported translations ------------------------------------------------------------------- Sat Oct 1 15:09:18 CEST 2005 - stark@suse.de - update to Firefox 1.5b1 (20050930) RPM version 1.4.1 - removed rebuild-databases.sh calls - removed add-plugins.sh calls and corresponding triggers - enabled SVG and Canvas support - fixed gconf urlhandler registration ------------------------------------------------------------------- Tue Sep 20 10:24:16 CEST 2005 - stark@suse.de - security update to 1.0.7 (#117619) * MFSA 2005-57: IDN heap overrun using soft-hyphens (bmo #307259) (enabled IDN pref again) * MFSA 2005-58: CAN-2005-2701 Heap overrun in XBM image processing CAN-2005-2702 Crash on "zero-width non-joiner" sequence CAN-2005-2703 XMLHttpRequest header spoofing CAN-2005-2704 Object spoofing using XBL <implements> CAN-2005-2705 JavaScript integer overflow CAN-2005-2706 Privilege escalation using about: scheme CAN-2005-2707 Chrome window spoofing Regression fixes - register beagle extension if it gets installed (#116787) ------------------------------------------------------------------- Tue Sep 13 15:41:37 CEST 2005 - aj@suse.de - Change SUSE bookmarks. ------------------------------------------------------------------- Sun Sep 11 17:05:07 CEST 2005 - stark@suse.de - disable IDN per default (#116070) - unlocalize bookmarks (#114279) ------------------------------------------------------------------- Thu Sep 8 08:52:13 CEST 2005 - stark@suse.de - fixed some filemodes (#114849) ------------------------------------------------------------------- Sun Sep 4 00:03:53 CEST 2005 - stark@suse.de - fixed gconf-backend patch to be able to use system prefs (#114054) ------------------------------------------------------------------- Thu Sep 1 13:22:17 CEST 2005 - stark@suse.de - changed default font to sans-serif (#114464) - removed de-de parts of the bookmark-links (#114279) ------------------------------------------------------------------- Mon Aug 22 06:10:12 CEST 2005 - stark@suse.de - install gconf schema for lockdown also on non-NLD - added backports (firefox-backports.patch) * gtk_im_context_set_cursor_location() is not used (bmo #281339) * fixed crash in imgCacheValidator::OnStartRequest() (bmo #293307) - workaround for linking with pangoxft and pangox (broken by gtk 2.8 update) (#105764) - remove extensions on deinstallation - include dragonegg (kparts) plugin (#105468) ------------------------------------------------------------------- Thu Aug 18 13:08:55 CEST 2005 - stark@suse.de - fixed regression in profile locking change (bmo #303633) - added rtsp handler to global config (#104434) - don't blacklist help: protocol (bmo #304833) - fixed Gdk-WARNING at startup (gtk.patch) - fixed crash with gtk 2.7 (bmo #300226, bnc #104586) - fixed installation of the beagle plugin - update industrial theme to 1.0.11 (#104564) - included lockdownV2 (removed obsolete gconf.diff) - linked firefox-bin with rpath to progdir ------------------------------------------------------------------- Fri Aug 5 09:51:26 CEST 2005 - stark@suse.de - fixed profile locking (bmo #151188) - install beagle extension globally ------------------------------------------------------------------- Fri Jul 29 06:58:24 CEST 2005 - stark@suse.de - don't require and provide NSS libs (#98002) - fixed printing error 'You cannot print while in print preview' (#96991, bmo #302445) ------------------------------------------------------------------- Wed Jul 27 09:34:12 CEST 2005 - stark@suse.de - fixed Firefox on ppc (stack-direction.patch) (#97359) - removed open-pref from startscript as it is done automatically now (#73042) - updated Novell searchplugins ------------------------------------------------------------------- Mon Jul 25 12:32:13 CEST 2005 - stark@suse.de - GTK filechooser is now modal (#8533) - backed out patch to add tooltips to print-preview because it breaks localization ------------------------------------------------------------------- Fri Jul 22 10:54:39 CEST 2005 - stark@suse.de - fixed another problem in printing patch ------------------------------------------------------------------- Tue Jul 19 10:44:59 CEST 2005 - stark@suse.de - fixed error in ft-xft-ps2.patch - disabled stripping in spec instead of patch - added NSPR to PreReq ------------------------------------------------------------------- Mon Jul 18 08:43:24 CEST 2005 - stark@suse.de - fixed some more regressions with final 1.0.6 - fixed width calculation in Postscript module (bmo #290292) - fixed plugin event starvation (bnc #94749, #94751, bmo #301161) ------------------------------------------------------------------- Fri Jul 15 11:24:47 CEST 2005 - stark@suse.de - searchplugins can now be installed per profile (#8176) ------------------------------------------------------------------- Fri Jul 15 06:54:02 CEST 2005 - stark@suse.de - update to 1.0.6 which restores API compatibility ------------------------------------------------------------------- Tue Jul 12 06:20:37 CEST 2005 - stark@suse.de - update to 1.0.5 final (#88509) - don't strip explicitely - don't ship beagle.xpi ------------------------------------------------------------------- Wed Jul 6 14:13:09 CEST 2005 - stark@suse.de - update to 1.0.5-pre (20050705) - use RPM_OPT_FLAGS for NSS component - fixed implicit declarations and uninitialized used variables - added patch for bmo #87969 ------------------------------------------------------------------- Tue Jul 5 10:17:16 CEST 2005 - stark@suse.de - fixed regression from security update (#95069, bmo #298478) ------------------------------------------------------------------- Mon Jun 27 21:46:58 CEST 2005 - stark@suse.de - don't use system-prefs by default on NLD - removed basic lockdown stuff for SUSE Linux (it's not needed and caused problems: bnc #75418) - fixed NLD lockdown patch (bnc #75418) - don't write prefs back to gconf for now ------------------------------------------------------------------- Wed Jun 22 07:32:42 CEST 2005 - stark@suse.de - new NLD lockdown patch which is syncing user prefs to gconf - update to 1.0.5pre security-release ------------------------------------------------------------------- Thu Jun 9 06:56:02 CEST 2005 - stark@suse.de - new revision of NLD lockdown patch - fixed remote usage behaviour in start script (bnc #41903) - got more bugfixes from the branch ------------------------------------------------------------------- Thu Jun 2 10:31:48 CEST 2005 - stark@suse.de - fixed neededforbuild ------------------------------------------------------------------- Wed Jun 1 20:15:25 CEST 2005 - stark@suse.de - fixed IDN for 64bit platforms (bmo #236425, bnc #46268) ------------------------------------------------------------------- Fri May 20 15:12:06 CEST 2005 - stark@suse.de - fixed keybinding for KP separator (bnc #84147) - pulled security related patch from upstream branch - update plastikfox theme to version 1.6 ------------------------------------------------------------------- Thu May 12 06:16:25 CEST 2005 - stark@suse.de - update to final 1.0.4 release ------------------------------------------------------------------- Tue May 10 06:38:05 CEST 2005 - stark@suse.de - update to 1.0.4 security release - removed s390(x) patches (upstream) - made two more files %verify (81692) - updated NLD lockdown patch (81304) ------------------------------------------------------------------- Thu Apr 28 09:45:53 CEST 2005 - stark@suse.de - use static NSPR libs from new location ------------------------------------------------------------------- Sat Apr 23 15:56:08 CEST 2005 - stark@suse.de - activate usage of system NSPR for distributions after 9.3 - add patch to be able to use systen NSPR at all ------------------------------------------------------------------- Fri Apr 22 02:06:06 CEST 2005 - ro@suse.de - use mozilla-gcc4.patch ------------------------------------------------------------------- Thu Apr 21 12:51:19 CEST 2005 - stark@suse.de - don't execute gconf magic within build environment ------------------------------------------------------------------- Sat Apr 16 13:05:37 CEST 2005 - stark@suse.de - update to final 1.0.3 release ------------------------------------------------------------------- Fri Apr 15 00:10:54 CEST 2005 - ro@suse.de - fix problem in postinstall script ------------------------------------------------------------------- Wed Apr 14 09:20:02 CEST 2005 - stark@suse.de - included fixed lockdown patch for NLD - linked proxies within Firefox with gnome settings (NLD) - added gconfd restart procedure to install script (only needed if gconf changes are done) (#76852) ------------------------------------------------------------------- Sat Apr 2 21:03:11 CEST 2005 - stark@suse.de - update to security pre-release 1.0.3 (#75692) * Manual plug-in install, javascript vulnerability (bmo #288556) * Access memory vulnerability (bmo #288688) ------------------------------------------------------------------- Fri Apr 1 11:32:44 CEST 2005 - stark@suse.de - added advanced lockdown features for ZLM integration (NLD-only) ------------------------------------------------------------------- Tue Mar 22 12:33:15 CET 2005 - stark@suse.de - update to final 1.0.2 - use new theme handling on NLD - added default-plugin-less-annoying from mozilla - use GTK2 for Flash - use system NSPR on SUSE releases after 9.3 - made startscript PIS aware - set g-application-name correctly (bmo #281979) - added man-page - use GTK system colors - modify useragent string and add vendor id - activate smooth-scrolling by default (#74310) ------------------------------------------------------------------- Tue Mar 22 08:59:06 CET 2005 - stark@suse.de - don't register beagle automatically (#74062) - added default bookmarks for SUSE LINUX ------------------------------------------------------------------- Mon Mar 21 18:20:39 CET 2005 - max@suse.de - Fixed a typo in the shell code that handles inclusion of the Acrobat Reader plugin (#70861). ------------------------------------------------------------------- Thu Mar 17 21:01:11 CET 2005 - stark@suse.de - updates from upcoming 1.0.2 - added again logic to use Adobe Reader 7 (#70861) - fixed crash in ICO decoding (#67142, bmo #245631) - preinstall beagle extension (#72920) - bugfixes in trigger scripts - fixed industrial theming for Gnome (#72918) ------------------------------------------------------------------- Sat Mar 12 12:42:16 CET 2005 - stark@suse.de - fixed more security related bugs (bmo #284551, #284627, #285595) ------------------------------------------------------------------- Wed Mar 9 21:42:05 CET 2005 - stark@suse.de - update also GNOME desktop file (#71810) - added firefox-gnome.png to filelist - use correct Firefox icon ------------------------------------------------------------------- Mon Mar 7 20:47:00 CET 2005 - stark@suse.de - disable inclusion of acrobat plugin again (#70861) - don't use gconfd in registration phase (#66381) ------------------------------------------------------------------- Mon Mar 7 16:13:29 CET 2005 - adrian@suse.de - use standard icon again for the default desktop file and add a Gnome-only desktop file for the Gnome icon - add plastikfox chrome theme to fix button order within KDE - add patch for automatic theme selection for KDE and Gnome - do register extensions in rebuild-databases.sh instead of %install, to fix needed timestamps ------------------------------------------------------------------- Fri Mar 4 07:54:47 CET 2005 - stark@suse.de - extend add-plugins to recognize Java 1.5 (#66909) - changed comment in desktop-file (#66867) ------------------------------------------------------------------- Tue Feb 22 09:33:44 CET 2005 - stark@suse.de - make --display parameter working in all cases (bnc #66043) - revised postscript patch - final 1.0.1 codebase ------------------------------------------------------------------- Mon Feb 21 13:09:30 CET 2005 - stark@suse.de - added patch to create Postscript level 2 (instead of 3) (special thanks to Jungshik Shin) - disabled freetype explicitly to be able to use the above patch (freetype wasn't used anymore since some time anyway) ------------------------------------------------------------------- Fri Feb 18 09:10:10 CET 2005 - stark@suse.de - got more patches from branch to get another IDN fix and to fix bug #51019 - enabled IDN again ------------------------------------------------------------------- Wed Feb 16 09:20:39 CET 2005 - stark@suse.de - bumped version number to 1.0.1 ------------------------------------------------------------------- Tue Feb 15 10:26:04 CET 2005 - stark@suse.de - got updates from 1.0.1 branch ------------------------------------------------------------------- Thu Feb 10 06:57:33 CET 2005 - stark@suse.de - additional fireflashing fix (#50635, bmo #280664) - some more security related fixes (bmo #268483, #273498, #277322) - fire up GTK2 filepicker if GNOME is running ------------------------------------------------------------------- Tue Feb 8 07:51:13 CET 2005 - stark@suse.de - some prefs are ignored (bmo #261934) - disabled default IDN (#50566) - fixed some more bugzilla.mozilla.org bugs: #276482, #280056, #280603 ------------------------------------------------------------------- Sun Feb 6 13:10:12 CET 2005 - stark@suse.de - use same desktop categories for Professional and NLD - added some lockdown stuff for printing and page saving (bmo #280488) ------------------------------------------------------------------- Wed Feb 2 13:58:53 CET 2005 - stark@suse.de - modified gconf.diff to honor ignore_hosts (bmo #280742) - added a JS crasher fix (bmo #268535) - added more fixes (bmo #255441, #273024, #275405, #275634) ------------------------------------------------------------------- Fri Jan 28 12:39:37 CET 2005 - stark@suse.de - added gplflash inclusion - improved JRE inclusion - reactivated usage of Acrobat Reader plugin (ready for acroread 7) ------------------------------------------------------------------- Sat Jan 22 13:16:47 CET 2005 - stark@suse.de - added some backported bugfixes ------------------------------------------------------------------- Sat Dec 18 10:30:11 CET 2004 - stark@suse.de - updated industrial theme to 1.0.9 - use slightly changed icon for menu-entry (bnc #275) - use original desktop file for NLD again ------------------------------------------------------------------- Thu Dec 16 19:37:48 CET 2004 - stark@suse.de - newer patch for GNOME associations (bnc #362) - fix overwriting of files with GTK picker (Ximian #65068) - readded the industrial default theme patch for NLD ------------------------------------------------------------------- Wed Dec 15 11:50:56 CET 2004 - stark@suse.de - activate GTK filepicker for NLD again - fix for GNOME helper applications with parameters - make GNOME associations the default on NLD ------------------------------------------------------------------- Sat Dec 4 16:11:01 CET 2004 - stark@suse.de - fixed build on s390/s390x - added patch to be able to install-global without running X (bmo #265859) ------------------------------------------------------------------- Thu Nov 18 21:48:05 CET 2004 - stark@suse.de - update industrial theme to 1.0.8 (still not activated) - added patch to make home-directory the default download dir (on NLD is still used Desktop) ------------------------------------------------------------------- Thu Nov 11 09:01:58 CET 2004 - stark@suse.de - made initial window height smaller again ------------------------------------------------------------------- Tue Nov 9 09:09:06 CET 2004 - stark@suse.de - update to final 1.0 release (20041109) ------------------------------------------------------------------- Thu Nov 4 08:22:36 CET 2004 - stark@suse.de - update to 1.0rc2 ------------------------------------------------------------------- Sat Oct 30 21:27:29 CEST 2004 - stark@suse.de - added missing s390(x) patch ------------------------------------------------------------------- Wed Oct 27 07:26:25 CEST 2004 - stark@suse.de - update to 1.0rc1 codebase - printing via XFT/fontconfig - freetype changes to avoid API conflicts with newer freetype2 - fixed build for s390/s390x - removed AMD64 patch (included upstream) - added translations sub-package - removed "Show folder" patch for NLD (resolved upstream) - don't use gnome-filepicker patch for NLD for now - removed hppa buildfix (included upstream) - removed untitled.patch (bmo #24068) resolved by (bmo #262478) - use make -C browser/installer now to prepare installation - don't check for default browser at startup (#47587) - updated industrial.jar (0.99.13) (disabled) ------------------------------------------------------------------- Fri Oct 15 13:51:54 CEST 2004 - stark@suse.de - inherit locale from system - fixed chrome registration ------------------------------------------------------------------- Wed Oct 6 23:11:01 CEST 2004 - joeshaw@suse.de - disable gconf settings as default (Ximian #67718) ------------------------------------------------------------------- Wed Oct 6 07:04:05 CEST 2004 - stark@suse.de - fixed inclusion of RealPlayer plugin again ------------------------------------------------------------------- Tue Oct 5 10:09:04 CEST 2004 - stark@suse.de - small important fix in firefox-download.patch (Ximian #65472) ------------------------------------------------------------------- Sun Oct 3 00:02:09 CEST 2004 - stark@suse.de - added security-fix from 0.10.1 (mozilla.org #259708) (#46687) ------------------------------------------------------------------- Fri Oct 1 12:49:38 CEST 2004 - stark@suse.de - final fix for downloading to Desktop folder (Ximian #65756) - remove Postscript from printer names (Ximian #65560) ------------------------------------------------------------------- Thu Sep 30 16:14:10 CEST 2004 - shprasad@suse.de - Modified the MozillaFirefox.desktop file. Changed the name 'Firefox' to 'Firefox Web Browser'. Also changed it for all languages. ------------------------------------------------------------------- Wed Sep 29 15:54:46 CEST 2004 - stark@suse.de - fix inclusion of RealPlayer plugin (Ximian #65711) ------------------------------------------------------------------- Mon Sep 27 17:51:24 CEST 2004 - joeshaw@suse.de - Update the industrial default patch, for some reason it didn't take before. ------------------------------------------------------------------- Fri Sep 24 07:34:48 CEST 2004 - stark@suse.de - fix for Ximian #65176 (mozilla.org #240068) - revised patch for update function (Ximian #65615) ------------------------------------------------------------------- Thu Sep 23 20:21:39 CEST 2004 - joeshaw@suse.de - Uncomment the patch which tells the UI that industrial is the default. ------------------------------------------------------------------- Thu Sep 23 12:38:06 CEST 2004 - stark@suse.de - open Nautilus on NLD for 'Show folder' in download settings (Ximian #65472) by sragavan@novell.com - save to Desktop folder if selected (Ximian #65756) by sragavan@novell.com ------------------------------------------------------------------- Wed Sep 22 10:23:01 CEST 2004 - stark@suse.de - synced NLD package with 9.2 version - GTK2 filepicker does now ask for confirmation when overwriting files (Ximian #65068) by sagarwala@novell.com - no direct update function (Ximian #65615) by rganesan@novell.com - throbber linked to Novell (Ximian #66283) by rganesan@novell.com - make industrial the default theme for NLD (Ximian #65542) by joeshaw@suse.de ------------------------------------------------------------------- Mon Sep 20 22:00:55 CEST 2004 - joeshaw@suse.de - Add default bookmarks. Ximian #65546. - Add the industrial theme, but it's not the default yet. - Remove acroread from add-plugins because it's badly behaved. Ximian #65499. ------------------------------------------------------------------- Mon Sep 20 17:57:38 CEST 2004 - federico@ximian.com - Added MozillaFirefox-toplevel-window-height.diff for http://bugzilla.ximian.com/show_bug.cgi?id=65543 ------------------------------------------------------------------- Sun Sep 19 15:42:30 CEST 2004 - stark@suse.de - use GNOME system prefs only for NLD by default (fixes bug #45575) ------------------------------------------------------------------- Fri Sep 17 08:59:32 CEST 2004 - stark@suse.de - joeshaw@suse.de: Update GConf patch so that proxy settings work correctly (Ximian #64461) - don't search Java on every path (Ximian #65383) - added some missing fixes for official release - added new java package name for triggers (#45257) ------------------------------------------------------------------- Sat Sep 11 13:25:41 CEST 2004 - stark@suse.de - update to official 1.0PR (0.10) - adopted gnome-filepicker patch - removed obsolete CUPS hack from start-script (Ximian #65635, #65560) ------------------------------------------------------------------- Thu Sep 9 21:35:42 CEST 2004 - stark@suse.de - fixed endianess on AMD64 in JS component (#34743) ------------------------------------------------------------------- Mon Sep 6 17:33:07 CEST 2004 - stark@suse.de - fixed filelist ------------------------------------------------------------------- Mon Sep 6 13:48:03 CEST 2004 - stark@suse.de - update to 1.0PR (aka 0.10) ------------------------------------------------------------------- Fri Sep 3 21:35:47 CEST 2004 - stark@suse.de - added ppc64 patch ------------------------------------------------------------------- Thu Sep 2 03:08:59 CEST 2004 - dave@suse.de - Fixed up the .desktop installation on nld ------------------------------------------------------------------- Wed Sep 1 15:05:48 CEST 2004 - shprasad@suse.de - Doesn't ask to set Firefox as default web-browser. ------------------------------------------------------------------- Tue Aug 31 14:01:18 CEST 2004 - stark@suse.de - next new version for filepicker stuff - deactivated native filepicker for NLD - update to snapshot (20040831) ------------------------------------------------------------------- Tue Aug 24 17:35:52 CEST 2004 - stark@suse.de - new version of gnome-filepicker patch - added patch for config ------------------------------------------------------------------- Fri Aug 20 17:12:48 CEST 2004 - stark@suse.de - update to snapshot (20040820) ------------------------------------------------------------------- Thu Aug 19 08:46:42 CEST 2004 - stark@suse.de - added workaround for mozilla bug #246313 (Firefox does not start: getting "cannot open display" error) ------------------------------------------------------------------- Wed Aug 18 15:07:22 CEST 2004 - stark@suse.de - added some patches from Ximian - use GNOME filepicker - use more gconf settings - set startup homepage to Novell ------------------------------------------------------------------- Tue Aug 17 13:12:35 CEST 2004 - stark@suse.de - update to pre-1.0.0 (20040817) ------------------------------------------------------------------- Thu Aug 5 06:27:41 CEST 2004 - stark@suse.de - security update to 0.9.3 (including #43312 and others) - handle RealPlayer 9 plugin ------------------------------------------------------------------- Mon Aug 2 15:11:51 CEST 2004 - ro@suse.de - recode desktop file to utf-8 ------------------------------------------------------------------- Wed Jul 28 08:46:31 CEST 2004 - stark@suse.de - added fix against certificate spoofing (#43312) ------------------------------------------------------------------- Fri Jul 23 06:31:41 CEST 2004 - stark@suse.de - update to 0.9.2 - added workaround for extension registry - removed old (incompatible) mozex extension ------------------------------------------------------------------- Tue Jun 29 06:27:59 CEST 2004 - stark@suse.de - update to 0.9.1 - added hint to run as root first ------------------------------------------------------------------- Tue Jun 15 12:42:28 CEST 2004 - stark@suse.de - update to 0.9 - added patch for newer freetype ------------------------------------------------------------------- Fri Apr 2 10:31:45 CEST 2004 - stark@suse.de - removing relocation of TEMP directory (#34391) ------------------------------------------------------------------- Mon Mar 29 11:43:51 CEST 2004 - stark@suse.de - update to 0.8.0+ (20040503) - removed firefox logos and activate official branding for milestone builds - changed profile-dir to .firefox - added some needed files - enabled gnomevfs extension ------------------------------------------------------------------- Fri Mar 26 18:09:34 CET 2004 - uli@suse.de - fixed hang during build on s390* (bug #35440) ------------------------------------------------------------------- Wed Mar 3 06:52:00 CET 2004 - stark@suse.de - removed unused patches for GTK2 build - more fixes for (#35179) ------------------------------------------------------------------- Mon Mar 1 07:32:52 CET 2004 - stark@suse.de - improved start-script to interact with thunderbird (#35179) ------------------------------------------------------------------- Thu Feb 26 06:57:05 CET 2004 - stark@suse.de - use official releasedate - added official (trademarked) artwork - added firefox icon to /usr/share/pixmaps - cleaned up spec-file (there will be no GTK1 version) ------------------------------------------------------------------- Tue Feb 24 16:43:17 CET 2004 - stark@suse.de - fixed optimization for non-x86 archs ------------------------------------------------------------------- Tue Feb 24 07:43:35 CET 2004 - stark@suse.de - adopted file-list and build options to original distribution - added prdtoa fix (#32963) - added hook for static firefox build to rebuild-databases.sh - added compiler flags for security/ (nss-opt.patch) - included mozex (mozex.mozdev.org) - added -Os as optimization flag ------------------------------------------------------------------- Mon Feb 9 21:59:37 CET 2004 - stark@suse.de - renamed to MozillaFirefox - update to final version 0.8 ------------------------------------------------------------------- Fri Feb 6 08:39:15 CET 2004 - stark@suse.de - update to Firebird 0.8 (20040205) - added mips build fix - set PS printer list in MozillaFirebird.sh - use lib64 again for biarch platforms ------------------------------------------------------------------- Sat Jan 10 10:33:54 CET 2004 - adrian@suse.de - build as user ------------------------------------------------------------------- Fri Aug 22 11:32:07 CEST 2003 - stark@suse.de - upstream sync for 0.6.1post ------------------------------------------------------------------- Sun Aug 10 22:01:12 CEST 2003 - stark@suse.de - removed dmoz from searchplugins-filelist ------------------------------------------------------------------- Fri Aug 8 10:30:50 CEST 2003 - stark@suse.de - update to 0.6.1post (TRUNK) - use -fno-strict-aliasing ------------------------------------------------------------------- Thu Jul 31 11:25:39 CEST 2003 - stark@suse.de - update to 0.6.1 (MOZILLA_1_4_BRANCH) - synchronized with mozilla-source - created file-list ------------------------------------------------------------------- Thu Jul 10 09:45:49 CEST 2003 - stark@suse.de - update to snapshot 20030709 - fixed generation of symlink MozillaFirebird-xremote-client ------------------------------------------------------------------- Fri Jun 20 06:53:08 CEST 2003 - stark@suse.de - update to snapshot 20030622 (0.7pre) ------------------------------------------------------------------- Mon May 19 08:54:46 CEST 2003 - stark@suse.de - update to snapshot 20030518 (0.6) ------------------------------------------------------------------- Sun May 7 10:11:16 CEST 2003 - stark@suse.de - update to snapshot 20030507 ------------------------------------------------------------------- Wed Apr 30 13:26:43 CEST 2003 - stark@suse.de - initial SuSE package
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor