Overview
Request 1186965 accepted
- Firefox Extended Support Release 128.0esr ESR
* New: ### General
* Windows 7-8.1 and macOS 10.12-10.14 are no longer supported
operating systems.
* Firefox now supports automated translation of web content.
Also, unlike cloud-based alternatives, translation is done
locally so that the text being translated never leaves the
machine.
* The line breaking rules of web content now match the
Unicode standard, improving cross-browser compatibility.
Additionally, for East Asian and South East Asian end users,
Firefox now supports proper language-aware word selection
when double-clicking on text for languages including Chinese,
Japanese, Burmese, Lao, Khmer, and Thai.
* Video effects and background blur are now available to
Firefox users on Google Meet.
Firefox now displays images and descriptions for search
suggestions when provided by the search engine.
* It is now possible to copy and paste any file from the
operating system into Firefox.
* Having any issues with a website on Firefox, yet the site
seems to be working as expected on another browser? You can
now let us know via the Web Compatibility Reporting Tool! By
filing a web compatibility issue, you’re directly helping us
detect, target, and fix the most impacted sites to make your
browsing experience on Firefox smoother.
* Firefox now prompts users in the US and Canada to save
their addresses upon submitting an address form, allowing
Firefox to autofill stored address information in the future.
* Support for credit card autofill has been extended to users
running Firefox in the IT, ES, AT, BE, and PL locales.
* Recently closed tabs now persist between sessions that
don't have automatic session restore enabled. Manually
restoring a previous session will continue to reopen any
previously open tabs or windows.
* When migrating data from Chrome, Firefox now offers the
ability to import certain extensions as well.
* The Screenshots feature in Firefox has been updated. It now
supports taking screenshots of file types like SVG, XML, and
more as well as various about: pages within Firefox. The
screenshot tool was also made more accessible to everyone by
implementing new keyboard shortcuts and adding theme
compatibility and High Contrast Mode (HCM) support. And
finally, performance for capturing large screenshots has been
improved. (bmo#None)
* New: ### PDF Viewer
* The Firefox PDF viewer has expanded PDF editing
capabilities:
* Text highlighting is now supported.
* Editing already-existing text annotations is now
supported.
* Images and alt text can be added in addition to text
and drawings.
* A floating button is now included to simplify deleting
drawings, text, and images added in PDFs.
* Caret browsing mode now also works in the PDF viewer.
(Learn more)
* New: ### Firefox View
* Firefox View includes more content. You can now see all
open tabs from all windows. If you sync open tabs, you’ll see
all tabs from other devices. Browsing history is now listed
and you can sort by date or by site. As before, recently
closed tabs are also listed on Firefox View.
To access Firefox View, select the file folder icon at the
top left of your tab strip.
* We’ve integrated search into Firefox View. You can now
search through all of the tabs on each of the section
subpages - Recent Browsing, Open Tabs, Recently Closed Tabs,
Tabs from other devices, or History.
* In Firefox View, open tabs can now be sorted by either
recent activity or tab order. Recent activity is the default
setting.
* Firefox View now displays pinned tabs in the Open tabs
section. Tab indicators have also been added to Open tabs, so
users can do things like see which tabs are playing media and
quickly mute or unmute across windows. Indicators were also
added for bookmarks, tabs with notifications, and more!
* It is now possible to close all duplicate tabs in a window
with the `Close duplicate tabs` command available from the
`List all tabs` widget in the tab bar or a tab context menu.
* New: ### Security & Privacy
* For added protection on macOS and Windows, a device sign in
(e.g. operating system password, fingerprint, face or voice
login if enabled) can be required when accessing and filling
stored passwords in the Firefox Password Manager about:logins
page.
* Firefox now supports creating and using passkeys stored in
the iCloud Keychain on macOS.
* Firefox now imports user-added TLS trust anchors (e.g.,
certificates) from the operating system root store. This will
be enabled by default on Windows, macOS, and Android, and if
needed, can be turned off in settings (Settings → Privacy &
Security → Certificates).
* The Storage Access API web standard was updated to improve
security while mitigating website breakages and further
enabling the phase out of third-party cookies in Firefox.
* Encrypted Client Hello (ECH) is now available to Firefox
users, delivering a more private browsing experience. ECH
extends the encryption used in TLS connections to cover more
of the handshake and better protect sensitive fields. Read
more about the launch of ECH on Mozilla Distilled.
* Firefox supports a new “Copy Link Without Site Tracking”
feature in the context menu which ensures that copied links
no longer contain tracking information.
* Firefox now supports a setting (in Preferences → Privacy &
Security) to enable Global Privacy Control. With this opt-in
feature, Firefox informs the websites that the user doesn’t
want their data to be shared or sold. This feature is enabled
in private browsing mode by default.
* Firefox now more proactively blocks downloads from URLs
that are considered to be potentially untrustworthy.
* New: ### Anti-Fingerprinting
* Web Audio in Firefox now uses the FDLIBM math library on
all systems to improve anonymity with Fingerprint Protection.
* As part of Total Cookie Protection, Firefox now supports
the partitioning of Blob URLs, this mitigates a potential
tracking vector that third-party agents could use to track an
individual.
* To mitigate font fingerprinting, the visibility of fonts to
websites has been restricted to system fonts and language
pack fonts when in Private Browsing Mode or with Enhanced
Tracking Protection set to strict mode.
* Firefox’s private windows and ETP-Strict privacy
configuration now enhance the Canvas APIs with Fingerprinting
Protection.
* To reduce user fingerprinting information and the risk of
some website compatibility issues, the CPU architecture for
32-bit x86 Linux will now be reported as x86_64 in Firefox's
User-Agent string and `navigator.platform` and
`navigator.oscpu` Web APIs.
* New: ### Windows
* Firefox can now be set to automatically launch whenever the
computer starts up. (Learn more)
* The background updater now updates properly when there are
multiple user accounts on a system.
* Firefox now populates the Windows taskbar jump list more
efficiently, which should allow for a smoother overall
browsing experience.
* New: ### macOS
* Firefox now supports Voice Control commands on macOS
systems.
* Links and other focusable elements are now tab-navigable by
default on macOS, instead of following macOS' "Keyboard
navigation" setting. This is a more accessible default and
matches the default in all other platforms. A checkbox in the
settings page still allows users to restore the old behavior.
* Firefox on Mac now uses the macOS fullscreen API for all
types of fullscreen windows. This should better match the
expected macOS user experience for fullscreen spaces, menubar
and the Dock.
* New: ### Linux
* Firefox now defaults to the Wayland compositor when
available instead of XWayland. This brings support for
touchpad & touchscreen gestures, swipe-to-nav, per-monitor
DPI settings, better graphics performance, and more.
* Firefox now ships with a new .deb package for Linux users
on Ubuntu, Debian, and Linux Mint.
* New: ### Video Playback
* Enabled AV1 hardware decode acceleration on macOS for M3
Macs.
* Firefox now supports the AV1 codec for Encrypted Media
Extensions (EME), enabling higher-quality playback from video
streaming providers.
* NVIDIA RTX Video Super Resolution (“VSR”) is now available
in Firefox. RTX VSR enhances and sharpens lower resolution
video when upscaled to higher resolutions and also removes
blocky artifacts commonly visible on low bitrate streamed
video. VSR requires at least a 20-series or higher NVIDIA RTX
GPU, Microsoft Windows 10/11 64-bit, and NVIDIA driver
version R530 or higher. The feature can be enabled in the
NVIDIA control panel.
* NVIDIA RTX Video HDR is now available in Firefox. RTX Video
HDR automatically converts SDR video to vibrant HDR10 in real
time, letting you enjoy video with improved clarity on your
HDR10 panel. It requires at least a 20-series NVIDIA RTX GPU,
Microsoft Windows 10/11 64-bit, and NVIDIA driver version 550
or higher. The feature can be enabled in the NVIDIA control
panel. (bmo#None)
* Developer: * Firefox now supports DNS prefetching for HTTPS
documents via the `rel="dns-prefetch"` link hint. This
standard allows web developers to specify domain names for
important assets that should be resolved preemptively.
* Firefox will now automatically try to upgrade <img>,
<audio>, and <video> elements from HTTP to HTTPS
if they are embedded within an HTTPS page. If these so-called
mixed content elements do not support HTTPS, they will no
longer load.
* Firefox now supports Content-encoding: zstd (zstandard
compression). This is an alternative to brotli and gzip
compression for web content, and can provide higher
compression levels for the same CPU used, or conversely lower
server CPU use to get the same compression.
[2]: http://facebook.github.io/zstd/ (bmo#None)
* Enterprise: * The FirefoxHome policy has been updated to
reflect that the Snippets option is now deprecated.
* The DNSOverHTTPS policy has been updated to support setting
a `Fallback` value to prevent falling back to your default
DNS Provider.
* The AllowFileSelectionDialogs policy has been added for
controlling file selection dialogs.
* The TranslateEnabled policy has been added.
* The DisableEncryptedClientHello policy has been added to
control Encrypted Client Hello.
* The PostQuantumKeyAgreementEnabled policy has been added to
control post-quantum key agreement for TLS.
* The HttpsOnlyMode policy has been added to control HTTPS-
Only Mode.
* The HttpAllowlist policy has been added to add exceptions
to HTTPS-Only Mode.
* The Preferences policy has been updated to allow setting
the preferences
`security.mixed_content.block_display_content` and
`security.mixed_content.upgrade_display_content`.
* The UserMessaging policy has been updated to remove the
WhatsNew option.
* The ExtensionSettings policy has been updated to add
`temporarily_allow_weak_signatures` to allow installing
extensions signed using deprecated signature algorithms.
* Fixed: Various security fixes.
- Mozilla Firefox ESR 128.0
https://www.mozilla.org/security/advisories/mfsa2024-29
MFSA 2024-29 (boo#1226316)
* CVE-2024-6605 (bmo#1836786)
Firefox Android missed activation delay to prevent tapjacking
* CVE-2024-6606 (bmo#1902305)
Out-of-bounds read in clipboard component
* CVE-2024-6607 (bmo#1694513)
Leaving pointerlock by pressing the escape key could be
prevented
* CVE-2024-6608 (bmo#1743329)
Cursor could be moved out of the viewport using pointerlock.
* CVE-2024-6609 (bmo#1839258)
Memory corruption in NSS
* CVE-2024-6610 (bmo#1883396)
Form validation popups could block exiting full-screen mode
* CVE-2024-6600 (bmo#1888340)
Memory corruption in WebGL API
* CVE-2024-6601 (bmo#1890748)
Race condition in permission assignment
* CVE-2024-6602 (bmo#1895032)
Memory corruption in NSS
* CVE-2024-6603 (bmo#1895081)
Memory corruption in thread creation
* CVE-2024-6611 (bmo#1844827)
Incorrect handling of SameSite cookies
* CVE-2024-6612 (bmo#1880374)
CSP violation leakage when using devtools
* CVE-2024-6613 (bmo#1900523)
Incorrect listing of stack frames
* CVE-2024-6614 (bmo#1902983)
Incorrect listing of stack frames
* CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
and Thunderbird 115.13
* CVE-2024-6615 (bmo#1892875, bmo#1894428, bmo#1898364)
Memory safety bugs fixed in Firefox 128
- Update mozilla-bmo1504834-part1.patch,
mozilla-rust-disable-future-incompat.patch,
mozilla-silence-no-return-type.patch
- Update create_tar.sh from our firefox-scripts git
- Use cargo/rust1.78 for building.
Request History
manfred-h created request
- Firefox Extended Support Release 128.0esr ESR
* New: ### General
* Windows 7-8.1 and macOS 10.12-10.14 are no longer supported
operating systems.
* Firefox now supports automated translation of web content.
Also, unlike cloud-based alternatives, translation is done
locally so that the text being translated never leaves the
machine.
* The line breaking rules of web content now match the
Unicode standard, improving cross-browser compatibility.
Additionally, for East Asian and South East Asian end users,
Firefox now supports proper language-aware word selection
when double-clicking on text for languages including Chinese,
Japanese, Burmese, Lao, Khmer, and Thai.
* Video effects and background blur are now available to
Firefox users on Google Meet.
Firefox now displays images and descriptions for search
suggestions when provided by the search engine.
* It is now possible to copy and paste any file from the
operating system into Firefox.
* Having any issues with a website on Firefox, yet the site
seems to be working as expected on another browser? You can
now let us know via the Web Compatibility Reporting Tool! By
filing a web compatibility issue, you’re directly helping us
detect, target, and fix the most impacted sites to make your
browsing experience on Firefox smoother.
* Firefox now prompts users in the US and Canada to save
their addresses upon submitting an address form, allowing
Firefox to autofill stored address information in the future.
* Support for credit card autofill has been extended to users
running Firefox in the IT, ES, AT, BE, and PL locales.
* Recently closed tabs now persist between sessions that
don't have automatic session restore enabled. Manually
restoring a previous session will continue to reopen any
previously open tabs or windows.
* When migrating data from Chrome, Firefox now offers the
ability to import certain extensions as well.
* The Screenshots feature in Firefox has been updated. It now
supports taking screenshots of file types like SVG, XML, and
more as well as various about: pages within Firefox. The
screenshot tool was also made more accessible to everyone by
implementing new keyboard shortcuts and adding theme
compatibility and High Contrast Mode (HCM) support. And
finally, performance for capturing large screenshots has been
improved. (bmo#None)
* New: ### PDF Viewer
* The Firefox PDF viewer has expanded PDF editing
capabilities:
* Text highlighting is now supported.
* Editing already-existing text annotations is now
supported.
* Images and alt text can be added in addition to text
and drawings.
* A floating button is now included to simplify deleting
drawings, text, and images added in PDFs.
* Caret browsing mode now also works in the PDF viewer.
(Learn more)
* New: ### Firefox View
* Firefox View includes more content. You can now see all
open tabs from all windows. If you sync open tabs, you’ll see
all tabs from other devices. Browsing history is now listed
and you can sort by date or by site. As before, recently
closed tabs are also listed on Firefox View.
To access Firefox View, select the file folder icon at the
top left of your tab strip.
* We’ve integrated search into Firefox View. You can now
search through all of the tabs on each of the section
subpages - Recent Browsing, Open Tabs, Recently Closed Tabs,
Tabs from other devices, or History.
* In Firefox View, open tabs can now be sorted by either
recent activity or tab order. Recent activity is the default
setting.
* Firefox View now displays pinned tabs in the Open tabs
section. Tab indicators have also been added to Open tabs, so
users can do things like see which tabs are playing media and
quickly mute or unmute across windows. Indicators were also
added for bookmarks, tabs with notifications, and more!
* It is now possible to close all duplicate tabs in a window
with the `Close duplicate tabs` command available from the
`List all tabs` widget in the tab bar or a tab context menu.
* New: ### Security & Privacy
* For added protection on macOS and Windows, a device sign in
(e.g. operating system password, fingerprint, face or voice
login if enabled) can be required when accessing and filling
stored passwords in the Firefox Password Manager about:logins
page.
* Firefox now supports creating and using passkeys stored in
the iCloud Keychain on macOS.
* Firefox now imports user-added TLS trust anchors (e.g.,
certificates) from the operating system root store. This will
be enabled by default on Windows, macOS, and Android, and if
needed, can be turned off in settings (Settings → Privacy &
Security → Certificates).
* The Storage Access API web standard was updated to improve
security while mitigating website breakages and further
enabling the phase out of third-party cookies in Firefox.
* Encrypted Client Hello (ECH) is now available to Firefox
users, delivering a more private browsing experience. ECH
extends the encryption used in TLS connections to cover more
of the handshake and better protect sensitive fields. Read
more about the launch of ECH on Mozilla Distilled.
* Firefox supports a new “Copy Link Without Site Tracking”
feature in the context menu which ensures that copied links
no longer contain tracking information.
* Firefox now supports a setting (in Preferences → Privacy &
Security) to enable Global Privacy Control. With this opt-in
feature, Firefox informs the websites that the user doesn’t
want their data to be shared or sold. This feature is enabled
in private browsing mode by default.
* Firefox now more proactively blocks downloads from URLs
that are considered to be potentially untrustworthy.
* New: ### Anti-Fingerprinting
* Web Audio in Firefox now uses the FDLIBM math library on
all systems to improve anonymity with Fingerprint Protection.
* As part of Total Cookie Protection, Firefox now supports
the partitioning of Blob URLs, this mitigates a potential
tracking vector that third-party agents could use to track an
individual.
* To mitigate font fingerprinting, the visibility of fonts to
websites has been restricted to system fonts and language
pack fonts when in Private Browsing Mode or with Enhanced
Tracking Protection set to strict mode.
* Firefox’s private windows and ETP-Strict privacy
configuration now enhance the Canvas APIs with Fingerprinting
Protection.
* To reduce user fingerprinting information and the risk of
some website compatibility issues, the CPU architecture for
32-bit x86 Linux will now be reported as x86_64 in Firefox's
User-Agent string and `navigator.platform` and
`navigator.oscpu` Web APIs.
* New: ### Windows
* Firefox can now be set to automatically launch whenever the
computer starts up. (Learn more)
* The background updater now updates properly when there are
multiple user accounts on a system.
* Firefox now populates the Windows taskbar jump list more
efficiently, which should allow for a smoother overall
browsing experience.
* New: ### macOS
* Firefox now supports Voice Control commands on macOS
systems.
* Links and other focusable elements are now tab-navigable by
default on macOS, instead of following macOS' "Keyboard
navigation" setting. This is a more accessible default and
matches the default in all other platforms. A checkbox in the
settings page still allows users to restore the old behavior.
* Firefox on Mac now uses the macOS fullscreen API for all
types of fullscreen windows. This should better match the
expected macOS user experience for fullscreen spaces, menubar
and the Dock.
* New: ### Linux
* Firefox now defaults to the Wayland compositor when
available instead of XWayland. This brings support for
touchpad & touchscreen gestures, swipe-to-nav, per-monitor
DPI settings, better graphics performance, and more.
* Firefox now ships with a new .deb package for Linux users
on Ubuntu, Debian, and Linux Mint.
* New: ### Video Playback
* Enabled AV1 hardware decode acceleration on macOS for M3
Macs.
* Firefox now supports the AV1 codec for Encrypted Media
Extensions (EME), enabling higher-quality playback from video
streaming providers.
* NVIDIA RTX Video Super Resolution (“VSR”) is now available
in Firefox. RTX VSR enhances and sharpens lower resolution
video when upscaled to higher resolutions and also removes
blocky artifacts commonly visible on low bitrate streamed
video. VSR requires at least a 20-series or higher NVIDIA RTX
GPU, Microsoft Windows 10/11 64-bit, and NVIDIA driver
version R530 or higher. The feature can be enabled in the
NVIDIA control panel.
* NVIDIA RTX Video HDR is now available in Firefox. RTX Video
HDR automatically converts SDR video to vibrant HDR10 in real
time, letting you enjoy video with improved clarity on your
HDR10 panel. It requires at least a 20-series NVIDIA RTX GPU,
Microsoft Windows 10/11 64-bit, and NVIDIA driver version 550
or higher. The feature can be enabled in the NVIDIA control
panel. (bmo#None)
* Developer: * Firefox now supports DNS prefetching for HTTPS
documents via the `rel="dns-prefetch"` link hint. This
standard allows web developers to specify domain names for
important assets that should be resolved preemptively.
* Firefox will now automatically try to upgrade <img>,
<audio>, and <video> elements from HTTP to HTTPS
if they are embedded within an HTTPS page. If these so-called
mixed content elements do not support HTTPS, they will no
longer load.
* Firefox now supports Content-encoding: zstd (zstandard
compression). This is an alternative to brotli and gzip
compression for web content, and can provide higher
compression levels for the same CPU used, or conversely lower
server CPU use to get the same compression.
[2]: http://facebook.github.io/zstd/ (bmo#None)
* Enterprise: * The FirefoxHome policy has been updated to
reflect that the Snippets option is now deprecated.
* The DNSOverHTTPS policy has been updated to support setting
a `Fallback` value to prevent falling back to your default
DNS Provider.
* The AllowFileSelectionDialogs policy has been added for
controlling file selection dialogs.
* The TranslateEnabled policy has been added.
* The DisableEncryptedClientHello policy has been added to
control Encrypted Client Hello.
* The PostQuantumKeyAgreementEnabled policy has been added to
control post-quantum key agreement for TLS.
* The HttpsOnlyMode policy has been added to control HTTPS-
Only Mode.
* The HttpAllowlist policy has been added to add exceptions
to HTTPS-Only Mode.
* The Preferences policy has been updated to allow setting
the preferences
`security.mixed_content.block_display_content` and
`security.mixed_content.upgrade_display_content`.
* The UserMessaging policy has been updated to remove the
WhatsNew option.
* The ExtensionSettings policy has been updated to add
`temporarily_allow_weak_signatures` to allow installing
extensions signed using deprecated signature algorithms.
* Fixed: Various security fixes.
- Mozilla Firefox ESR 128.0
https://www.mozilla.org/security/advisories/mfsa2024-29
MFSA 2024-29 (boo#1226316)
* CVE-2024-6605 (bmo#1836786)
Firefox Android missed activation delay to prevent tapjacking
* CVE-2024-6606 (bmo#1902305)
Out-of-bounds read in clipboard component
* CVE-2024-6607 (bmo#1694513)
Leaving pointerlock by pressing the escape key could be
prevented
* CVE-2024-6608 (bmo#1743329)
Cursor could be moved out of the viewport using pointerlock.
* CVE-2024-6609 (bmo#1839258)
Memory corruption in NSS
* CVE-2024-6610 (bmo#1883396)
Form validation popups could block exiting full-screen mode
* CVE-2024-6600 (bmo#1888340)
Memory corruption in WebGL API
* CVE-2024-6601 (bmo#1890748)
Race condition in permission assignment
* CVE-2024-6602 (bmo#1895032)
Memory corruption in NSS
* CVE-2024-6603 (bmo#1895081)
Memory corruption in thread creation
* CVE-2024-6611 (bmo#1844827)
Incorrect handling of SameSite cookies
* CVE-2024-6612 (bmo#1880374)
CSP violation leakage when using devtools
* CVE-2024-6613 (bmo#1900523)
Incorrect listing of stack frames
* CVE-2024-6614 (bmo#1902983)
Incorrect listing of stack frames
* CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
and Thunderbird 115.13
* CVE-2024-6615 (bmo#1892875, bmo#1894428, bmo#1898364)
Memory safety bugs fixed in Firefox 128
- Update mozilla-bmo1504834-part1.patch,
mozilla-rust-disable-future-incompat.patch,
mozilla-silence-no-return-type.patch
- Update create_tar.sh from our firefox-scripts git
- Use cargo/rust1.78 for building.
wrosenauer accepted request
