diff options
Diffstat (limited to 'firefox-kde-opensuse.changes')
| -rw-r--r-- | firefox-kde-opensuse.changes | 10476 |
1 files changed, 10476 insertions, 0 deletions
diff --git a/firefox-kde-opensuse.changes b/firefox-kde-opensuse.changes new file mode 100644 index 000000000000..005efa9ee0fe --- /dev/null +++ b/firefox-kde-opensuse.changes @@ -0,0 +1,10476 @@ +------------------------------------------------------------------- +Thu Oct 26 10:31:03 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 119.0 + https://www.mozilla.org/en-US/firefox/119.0/releasenotes + MFSA 2023-45 (bsc#1216338) + * CVE-2023-5721 (bmo#1830820) + Queued up rendering could have allowed websites to clickjack + * CVE-2023-5722 (bmo#1738426) + Cross-Origin size and header leakage + * CVE-2023-5723 (bmo#1802057) + Invalid cookie characters could have led to unexpected errors + * CVE-2023-5724 (bmo#1836705) + Large WebGL draw could have led to a crash + * CVE-2023-5725 (bmo#1845739) + WebExtensions could open arbitrary URLs + * CVE-2023-5726 (bmo#1846205) + Full screen notification obscured by file open dialog on macOS + * CVE-2023-5727 (bmo#1847180) + Download Protections were bypassed by .msix, .msixbundle, + .appx, and .appxbundle files on Windows + * CVE-2023-5728 (bmo#1852729) + Improper object tracking during GC in the JavaScript engine + could have led to a crash. + * CVE-2023-5729 (bmo#1823720) + Fullscreen notification dialog could have been obscured by + WebAuthn prompts + * CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833, + bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002, + bmo#1855306, bmo#1855640, bmo#1856695) + Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, + and Thunderbird 115.4.1 + * CVE-2023-5731 (bmo#1690111, bmo#1721904, bmo#1851803, bmo#1854068) + Memory safety bugs fixed in Firefox 119 +- requires NSS 3.94 + +------------------------------------------------------------------- +Wed Oct 11 18:28:09 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 118.0.2 + * Fix games not loading on betsoft.com (bmo#1856145) + * Fix printing issues for some SVG images (bmo#1853727) + * Fix CORS XHR with authentication no longer working (bmo#1855650) + * Fix h264 WebRTC video not working in some contexts (bmo#1855636) + * Fix Firefox Translations not working on some pages + (bmo#1841656, bmo#1855307) + * Stability fixes (bmo#1851991, bmo#1799326, bmo#1856637) + +------------------------------------------------------------------- +Sat Sep 30 19:51:56 UTC 2023 - Björn Bidar <bjorn.bidar@thaodan.de> + +- Activate KDE integration again, included rebased and updated + patches, firefox-kde.patch and mozilla-kde.patch, (upstream + removed special files handling for preferences but that has no + effect since we haven't shipped obsolete kde.js for a while) + (boo#1216027) + +------------------------------------------------------------------- +Fri Sep 29 06:50:26 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 118.0.1 + MFSA 2023-44 (bsc#1215814) + * CVE-2023-5217 (bmo#1855550), + Heap buffer overflow in libvpx + +------------------------------------------------------------------- +Mon Sep 25 06:35:49 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 118.0 + MFSA 2023-41 (bsc#1215575) + * CVE-2023-5168 (bmo#1846683) + Out-of-bounds write in FilterNodeD2D1 + * CVE-2023-5169 (bmo#1846685) + Out-of-bounds write in PathOps + * CVE-2023-5170 (bmo#1846686) + Memory leak from a privileged process + * CVE-2023-5171 (bmo#1851599) + Use-after-free in Ion Compiler + * CVE-2023-5172 (bmo#1852218) + Memory Corruption in Ion Hints + * CVE-2023-5173 (bmo#1823172) + Out-of-bounds write in HTTP Alternate Services + * CVE-2023-5174 (bmo#1848454) + Double-free in process spawning on Windows + * CVE-2023-5175 (bmo#1849704) + Use-after-free of ImageBitmap during process shutdown + * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962, + bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195) + Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, + and Thunderbird 115.3 +- requires NSS 3.93 +- add mozilla-bmo1822730.patch +- deactivated KDE integration temporarily + (removed mozilla-kde.patch and firefox-kde.patch for now) + +------------------------------------------------------------------- +Tue Sep 12 17:04:01 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 117.0.1 + * Fix a bug causing extensions using an event page for long- + running tasks to be terminated while running, causing + unexpected behavior changes (bmo#1851373) + * Temporarily revert an intentional behavior change preventing + Javascript from changing URL.protocol (bmo#1850954). + * Fix audio worklets not working for sites using WebAssembly + exception handling (bmo#1851468) + * Fix the Reopen all tabs option in the Recently closed tabs + menu sometimes failing to open all tabs (bmo#1850856) + * Fix the bookmarks menu sometimes remaining partially visible + when minimizing Firefox (bmo#1843700) + * Fix an issue causing incorrect time zones to be detected on + some sites (bmo#1848615) + * MFSA 2023-40 CVE-2023-4863 (boo#1215231) + Heap buffer overflow in WebP + +------------------------------------------------------------------- +Sun Aug 27 08:51:28 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 117.0 + https://www.mozilla.org/en-US/firefox/117.0/releasenotes + MFSA 2023-34 (bsc#1214606) + * CVE-2023-4573 (bmo#1846687) + Memory corruption in IPC CanvasTranslator + * CVE-2023-4574 (bmo#1846688) + Memory corruption in IPC ColorPickerShownCallback + * CVE-2023-4575 (bmo#1846689) + Memory corruption in IPC FilePickerShownCallback + * CVE-2023-4576 (bmo#1846694) + Integer Overflow in RecordedSourceSurfaceCreation + * CVE-2023-4577 (bmo#1847397) + Memory corruption in JIT UpdateRegExpStatics + * CVE-2023-4578 (bmo#1839007) + Error reporting methods in SpiderMonkey could have triggered + an Out of Memory Exception + * CVE-2023-4579 (bmo#1842766) + Persisted search terms were formatted as URLs + * CVE-2023-4580 (bmo#1843046) + Push notifications saved to disk unencrypted + * CVE-2023-4581 (bmo#1843758) + XLL file extensions were downloadable without warnings + * CVE-2023-4582 (bmo#1773874) + Buffer Overflow in WebGL glGetProgramiv + * CVE-2023-4583 (bmo#1842030) + Browsing Context potentially not cleared when closing Private + Window + * CVE-2023-4584 (bmo#1843968, bmo#1845205, bmo#1846080, + bmo#1846526, bmo#1847529) + Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, + Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2 + * CVE-2023-4585 (bmo#1751583, bmo#1841082, bmo#1847904, bmo#1848999) + Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, + and Thunderbird 115.2 +- requires + NSS = 3.92 + rustc = 1.71 + +------------------------------------------------------------------- +Thu Aug 17 18:20:18 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 116.0.3 + * Fixed an issue for OPFS users that broke access to files that + were locally cached in a previous version + (bmo#1847989, bmo#1847619) + * Fixed an issue that was breaking screensharing for some users + on Wayland (bmo#1841851) + * Fixed an issue where a fullscreen notification was persistently + being shown to a user, even after disabling it (bmo#1847901) + * Fixed an issue where Firefox would hang when doing a Google + search (bmo#1847066) + +------------------------------------------------------------------- +Tue Aug 15 09:51:15 UTC 2023 - Adam Majer <adam.majer@suse.de> + +- After further testing on memory consumption during linking, it's + safe to remove most of the memory reducing options for ix86 linker. + A combination of these actually resulted in the OOM condition. + It's even possible to add basic debugging info while keeping + linker memory consumption at about 2GB + +------------------------------------------------------------------- +Thu Aug 10 16:32:02 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 116.0.2 + * fixes for other platforms + +------------------------------------------------------------------- +Wed Aug 9 09:52:36 UTC 2023 - Adam Majer <adam.majer@suse.de> + +- Workarold ld bug causing OOM when linking on 32-bit +- Remove -j1 limit on x86. The build runs on 64-bit kernel with a + 32-bit userland. This means there is plenty of memory available + but userland is limited to just under 4GB per process. + +------------------------------------------------------------------- +Sat Aug 5 17:46:22 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 116.0.1 + * fixes for other platforms + +------------------------------------------------------------------- +Sat Aug 5 10:04:18 UTC 2023 - Andreas Schwab <schwab@suse.de> + +- ship vaapitest binary for supported archs + +------------------------------------------------------------------- +Fri Aug 4 09:55:05 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- re-enable ppc64le +- ship v4l2test binary for supported archs +- drop obsolete mozilla-bmo1775202.patch + +------------------------------------------------------------------- +Sun Jul 30 19:55:49 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 116.0 + * https://www.mozilla.org/en-US/firefox/116.0/releasenotes/ + MFSA 2023-29 (bsc#1213746) + * CVE-2023-4045 (bmo#1833876) + Offscreen Canvas could have bypassed cross-origin restrictions + * CVE-2023-4046 (bmo#1837686) + Incorrect value used during WASM compilation + * CVE-2023-4047 (bmo#1839073) + Potential permissions request bypass via clickjacking + * CVE-2023-4048 (bmo#1841368) + Crash in DOMParser due to out-of-memory conditions + * CVE-2023-4049 (bmo#1842658) + Fix potential race conditions when releasing platform objects + * CVE-2023-4050 (bmo#1843038) + Stack buffer overflow in StorageManager + * CVE-2023-4051 (bmo#1821884) + Full screen notification obscured by file open dialog + * CVE-2023-4052 (bmo#1824420) + File deletion and privilege escalation through Firefox uninstaller + * CVE-2023-4053 (bmo#1839079) + Full screen notification obscured by external program + * CVE-2023-4054 (bmo#1840777) + Lack of warning when opening appref-ms files + * CVE-2023-4055 (bmo#1782561) + Cookie jar overflow caused unexpected cookie jar state + * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, + bmo#1842325, bmo#1843847) + Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, + Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14 + * CVE-2023-4057 (bmo#1841682) + Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, + and Thunderbird 115.1 + * CVE-2023-4058 (bmo#1819160, bmo#1828024) + Memory safety bugs fixed in Firefox 116 +- require NSS 3.91 +- remove obsolete mozilla-fix-top-level-asm.patch +- re-enable LTO + +------------------------------------------------------------------- +Fri Jul 28 20:56:00 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 115.0.3 + * fixes for other platforms +- remove bashisms from firefox startup script (boo#1213657) + +------------------------------------------------------------------- +Thu Jul 13 13:30:20 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 115.0.2 + * Fixed a bug with displaying a caret in the text editor on some websites + (bmo#1840804) + * Fixed a bug with broken audio rendering on some websites (bmo#1841982) + * Fixed a bug with patternTransform translate using the wrong units + (bmo#1840746) + MFSA 2023-26 (bsc#1213230) + * CVE-2023-3600 (bmo#1839703) + Use-after-free in workers + +------------------------------------------------------------------- +Fri Jul 7 19:39:30 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de> + +- Mozilla Firefox 115.0.1 + * fixes for other platforms + +------------------------------------------------------------------- +Sun Jul 2 16:00:53 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 115.0 + * Support for importing payment methods saved in Chrome-based browser + * Hardware video decoding is now enabled for Intel GPUs on Linux + * The Tab Manager dropdown now features close buttons, so tabs + can be closed more quickly + * Streamlined the user interface for importing data in from other browsers + * Users without platform support for H264 video decoding can now + fallback to Cisco's OpenH264 plugin for playback. + * Undo and redo are now available in Password fields + * Changed: On Linux, middle clicks on the new tab button will + now open the xclipboard contents in the new tab. If the + xclipboard content is a URL then that URL is opened, any + other text is opened with your default search provider. + * Changed: For users with a Firefox Colorways built-in theme, + the theme will be automatically migrated to the same theme + hosted on addons.mozilla.org for Firefox profiles that have + disabled add-ons auto-updates. This will allow users to keep + their Colorways theme when they are later removed from + Firefox installer files. + * Changed: Certain Firefox users may come across a message in + the extensions panel indicating that their add-ons are not + allowed on the site currently open. We have introduced a new + back-end feature to only allow some extensions monitored by + Mozilla to run on specific websites for various reasons, + including security concerns. + * HTML5: The builtin editor now behaves similarly to other + browsers with `contenteditable` and `designMode` when + splitting a node, e.g. typing Enter to split a paragraph, and + also when joining two nodes, e.g. typing Backspace at the + start of a paragraph to join the paragraph and the previous + one. + When a node is split, the builtin editor creates a new node + after the original one instead of before, i.e. creates the + right node instead of the left node. + Similarly, when two nodes are joined, the builtin editor + deletes the latter node and moves its children to the end of + the preceding node instead of deleting the former node and + moving its child to the start of the following node. + * HTML5: WebRTC application developers can now specify a target + in milliseconds of media for the jitter buffer to hold. + Altering the target value allows applications to control the + tradeoff between playout delay and the risk of running out of + audio or video frames due to network jitter. + * HTML5: Change array by copy provides additional methods on + `Array.prototype` and `TypedArray.prototype` to enable + changes on the array by returning a new copy of it with the + change. + * HTML5: The animation-composition property is now supported, + allowing a declarative way to define the composite operation + used when multiple animations affect the same property + simultaneously. + * HTML5: Added the URL.canParse() function to allow easy and + fast checking if URLs are valid and parseable. + * HTML5: IndexedDB is now also supported in private browsing + without memory limits thanks to encrypted storage on disk. + The temporary keys to decrypt the information are hold in RAM + only and all stored information is purged at the normal end + of a private browsing session from disk. + * HTML5: Supports conditions are now supported in CSS import + rules @import supports(...) + * Developer: In web development, we rely on third-party + libraries which you may not be interested in while debugging. + These can be ignored. Ignoring them means that breakpoints + will not get hit and they are skipped during stepping. + You can now choose to **Hide ignore-listed sources** in the + Developer Tools source tree + * Developer: We have introduced a new option, + `devtools.f12_enabled`, that can be utilized to prevent the + accidental use of the F12 key, which opens the DevTools + toolbox (bug). + * Enterprise: You can find information about policy updates and + enterprise specific bug fixes in the Firefox for Enterprise + 115 Release Notes. + MFSA 2023-22 (bsc#1212438) + * CVE-2023-3482 (bmo#1839464) + Block all cookies bypass for localstorage + * CVE-2023-37201 (bmo#1826002) + Use-after-free in WebRTC certificate generation + * CVE-2023-37202 (bmo#1834711) + Potential use-after-free from compartment mismatch in SpiderMonkey + * CVE-2023-37203 (bmo#291640) + Drag and Drop API may provide access to local system files + * CVE-2023-37204 (bmo#1832195) + Fullscreen notification obscured via option element + * CVE-2023-37205 (bmo#1704420) + URL spoofing in address bar using RTL characters + * CVE-2023-37206 (bmo#1813299) + Insufficient validation of symlinks in the FileSystem API + * CVE-2023-37207 (bmo#1816287) + Fullscreen notification obscured + * CVE-2023-37208 (bmo#1837675) + Lack of warning when opening Diagcab files + * CVE-2023-37209 (bmo#1837993) + Use-after-free in `NotifyOnHistoryReload` + * CVE-2023-37210 (bmo#1821886) + Full-screen mode exit prevention + * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, + bmo#1836550, bmo#1837450) + Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, + and Thunderbird 102.13 + * CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206, bmo#1827076, + bmo#1828690, bmo#1833503, bmo#1835710, bmo#1838587) + Memory safety bugs fixed in Firefox 115 +- Requires NSS 3.90 +- Add patches: + mozilla-rust-disable-future-incompat.patch + mozilla-bmo1775202.patch + mozilla-partial-revert-1768632.patch +- removed obsolete mozilla-buildfixes.patch + +------------------------------------------------------------------- +Tue Jun 20 19:49:51 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de> + +- Mozilla Firefox 114.0.2: + * Several crash fixes + * Web Extensions: Fixes for 114 regressions in Native Messaging + support + +------------------------------------------------------------------- +Tue Jun 20 06:30:02 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- do not enable LTO as it caused crashes now (boo#1212101) + +------------------------------------------------------------------- +Sat Jun 10 14:48:07 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de> + +- Mozilla Firefox 114.0.1 + * Fix a startup crash (bmo#1837201, boo#1212101) + +------------------------------------------------------------------- +Fri Jun 9 11:05:47 UTC 2023 - Martin Sirringhaus <martin.sirringhaus@suse.com> + +- Only install vaapitest for wayland-enabled builds, where it gets built +- Rebase mozilla-silence-no-return-type.patch +- Rebase s390x-patches, and remove obsolete patches: + mozilla-bmo1005535.patch mozilla-s390x-skia-gradient.patch + +------------------------------------------------------------------- +Mon Jun 5 21:22:19 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 114.0 + MFSA 2023-20 (bsc#1211922) + * CVE-2023-34414 (bmo#1695986) + Click-jacking certificate exceptions through rendering lag + * CVE-2023-34415 (bmo#1811999) + Site-isolation bypass on sites that allow open redirects to + data: urls + * CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875, + bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190, + bmo#1830206, bmo#1830795, bmo#1833339) + Memory safety bugs fixed in Firefox 114 and Firefox ESR + 102.12 + * CVE-2023-34417 (bmo#1746447, bmo#1820903, bmo#1832832) + Memory safety bugs fixed in Firefox 114 + * New: Added UI to manage the DNS over HTTPS exception list. + (bmo#1596847) + * New: Bookmarks can now be searched from the Bookmarks menu. + The Bookmarks menu is accessible by adding the *Bookmarks + menu* button to the toolbar. (bmo#1736937) + * New: Restrict searches to your local browsing history by + selecting *Search history* from the History, Library or + Application menu buttons. (bmo#1736939) + * New: Mac users can now capture video from their cameras in + all supported native resolutions. This enables resolutions + higher than 1280x720. (bmo#1806604) + * New: It is now possible to reorder the extensions listed in + the extensions panel. (bmo#1805924) + * New: Users on macOS, Linux, and Windows 7 can now use FIDO2 / + WebAuthn authenticators over USB. Some advanced features, + such as fully passwordless logins, require a PIN to be set on + the authenticator. (bmo#1814487) + * New: Pocket Recommended content can now be seen in France, + Italy, and Spain. (bmo#None) + * Changed: DNS over HTTPS settings are now part of the + *Privacy & Security* section of the *Settings* page and allow + the user to choose from all the supported modes. + (bmo#1610741) + * HTML5: DOM: Added support for ES Modules on DedicatedWorker + and SharedWorker + * HTML5: WebTransport is now enabled by default and will be + going to release with 114. As the original Explainer notes, + it enables multiple use-cases that are hard or impossible to + handle without it, especially for Gaming and live streaming. + It covers cases that are problematic for alternative + mechanisms, such as WebSockets. + Built on top of HTTP3 (HTTP2 support will be coming later). + The current implementation in Firefox is passing 505 out of + 565 Web-Platform Tests. + * HTML5: CSS: The `infinity` and `NaN` constants are now + supported inside the `calc()` function. (bmo#1830759) + * Developer: The *Copy as cURL* feature, available in the + Network panel, has been enhanced. It now supports the + -`-compressed` argument. (bmo#1776120) + * Developer: The Accessibility Inspector has been improved to + accurately recognize all the ARIA roles like `banner`, + `main`, `navigation`, and `contentinfo`, etc. This + enhancement is particularly beneficial for web developers + working with ARIA roles to improve web accessibility. + (bmo#1572512) + * Developer: Firefox now provides support for the CSS Cascading + Level 4 `supports()` syntax for `@import` rules. This allows + for the importation of other stylesheets based on support- + dependency. In addition, the Inspector panel now accurately + displays the conditions at the top of the imported rule. +- requires NSS 3.89.1 + +------------------------------------------------------------------- +Wed May 24 19:26:35 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de> + +- Mozilla Firefox 113.0.2 (boo#1211696) + * Fixed: Fixed a bug which could cause Firefox to freeze on + some pages when loading them with the Developer Tools Web + Console open (bmo#1828026) + * Fixed: Fixed a bug which would cause the bookmarks and + history sidebars to not properly react to the browser window + being vertically resized (bmo#1831535) + +------------------------------------------------------------------- +Sat May 13 20:56:05 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de> + +- Mozilla Firefox 113.0.1 + * UI fixes for other platforms +- upstream signing key updated + +------------------------------------------------------------------- +Tue May 9 21:12:38 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 113.0 + * https://www.mozilla.org/en-US/firefox/113.0/releasenotes + MFSA 2023-16 (bsc#1211175) + * CVE-2023-32205 (bmo#1753339, bmo#1753341) + Browser prompts could have been obscured by popups + * CVE-2023-32206 (bmo#1824892) + Crash in RLBox Expat driver + * CVE-2023-32207 (bmo#1826116) + Potential permissions request bypass via clickjacking + * CVE-2023-32208 (bmo#1646034) + Leak of script base URL in service workers via import() + * CVE-2023-32209 (bmo#1767194) + Persistent DoS via favicon image + * CVE-2023-32210 (bmo#1776755) + Incorrect principal object ordering + * CVE-2023-32211 (bmo#1823379) + Content process crash due to invalid wasm code + * CVE-2023-32212 (bmo#1826622) + Potential spoof due to obscured address bar + * CVE-2023-32213 (bmo#1826666) + Potential memory corruption in FileReader::DoReadData() + * MFSA-TMP-2023-0002 (bmo#1814560, bmo#1814790, bmo#1819796) + Race condition in dav1d decoding + * CVE-2023-32214 (bmo#1828716) + Potential DoS via exposed protocol handlers + * CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856, bmo#1820210, + bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144, bmo#1827359, + bmo#1830186) + Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11 + * CVE-2023-32216 (bmo#1746479, bmo#1806852, bmo#1815987, + bmo#1820359, bmo#1823568, bmo#1824803, bmo#1824834, bmo#1825170, + bmo#1827020, bmo#1828130) + Memory safety bugs fixed in Firefox 113 +- removed obsolete mozilla-bmo1568145.patch + +------------------------------------------------------------------- +Sun May 7 19:47:00 UTC 2023 - Aaron Puchert <aaronpuchert@alice-dsl.net> + +- Fix i586 build by reducing debug info to -g1. (boo#1210168) + +------------------------------------------------------------------- +Tue Apr 25 16:01:07 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 112.0.2 + * Fix a high memory usage issue with animated images in minimized + (or completely covered) windows, especially when using animated + themes (bmo#1828587) + * Fix an issue where Linux users with bitmap fonts installed may + have had entire sections of text invisible to them on some + sites (bmo#1827950) + +------------------------------------------------------------------- +Fri Apr 21 09:48:25 UTC 2023 - Manfred Hollstein <manfred.h@gmx.net> + +- Include Leap 15.5 in check for which python version is required. + +------------------------------------------------------------------- +Thu Apr 20 13:24:13 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de> + +- Mozilla Firefox 112.0.1 + * Fix a bug where cookie dates appear to be set in the far + future after updating Firefox. This may have caused cookies to + be unintentionally purged (bmo#1827669) + +------------------------------------------------------------------- +Mon Apr 10 21:58:19 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 112.0 + * https://www.mozilla.org/en-US/firefox/112.0/releasenotes/ + MFSA 2023-13 (bsc#1210212) + * CVE-2023-29531 (bmo#1794292) + Out-of-bound memory access in WebGL on macOS + * CVE-2023-29532 (bmo#1806394) + Mozilla Maintenance Service Write-lock bypass + * CVE-2023-29533 (bmo#1798219, bmo#1814597) + Fullscreen notification obscured + * CVE-2023-29534 (bmo#1816007, bmo#1816059, bmo#1821155, bmo#1821576, + bmo#1821906, bmo#1822298, bmo#1822305) + Fullscreen notification could have been obscured on Firefox + for Android + * MFSA-TMP-2023-0001 (bmo#1819244) + Double-free in libwebp + * CVE-2023-29535 (bmo#1820543) + Potential Memory Corruption following Garbage Collector compaction + * CVE-2023-29536 (bmo#1821959) + Invalid free from JavaScript code + * CVE-2023-29537 (bmo#1823365, bmo#1824200, bmo#1825569) + Data Races in font initialization code + * CVE-2023-29538 (bmo#1685403) + Directory information could have been leaked to WebExtensions + * CVE-2023-29539 (bmo#1784348) + Content-Disposition filename truncation leads to Reflected + File Download + * CVE-2023-29540 (bmo#1790542) + Iframe sandbox bypass using redirects and sourceMappingUrls + * CVE-2023-29541 (bmo#1810191) + Files with malicious extensions could have been downloaded + unsafely on Linux + * CVE-2023-29542 (bmo#1810793, bmo#1815062) + Bypass of file download extension restrictions + * CVE-2023-29543 (bmo#1816158) + Use-after-free in debugging APIs + * CVE-2023-29544 (bmo#1818781) + Memory Corruption in garbage collector + * CVE-2023-29545 (bmo#1823077) + Windows Save As dialog resolved environment variables + * CVE-2023-29546 (bmo#1780842) + Screen recording in Private Browsing included address bar on + Android + * CVE-2023-29547 (bmo#1783536) + Secure document cookie could be spoofed with insecure cookie + * CVE-2023-29548 (bmo#1822754) + Incorrect optimization result on ARM64 + * CVE-2023-29549 (bmo#1823042) + Javascript's bind function may have failed + * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217, + bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602, + bmo#1821448, bmo#1822413, bmo#1824828) + Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 + * CVE-2023-29551 (bmo#1763625, bmo#1814314, bmo#1815798, bmo#1815890, + bmo#1819239, bmo#1819465, bmo#1819486, bmo#1819492, bmo#1819957, + bmo#1820514, bmo#1820776, bmo#1821838, bmo#1822175, bmo#1823547) + Memory safety bugs fixed in Firefox 112 +- requires + * NSS 3.89 + * Python >= 3.7 (for build) +- removed obsolete mozilla-bmo1807652.patch +- Fix Icons displayed incorrectly on GNOME/wayland via WMCLASS + in desktop file + +------------------------------------------------------------------- +Mon Mar 27 15:17:17 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 111.0.1 (boo#1209688) + * Fixed a crash on macOS while pinch-zooming under some circumstances + (bmo#1658986) + * Fixed a bug causing Firefox to freeze on startup for some + Windows users (bmo#1823159) +- Fix build on Tumbleweed (bmo#1807652, already included earlier but found later + by vanilla package) +- Exclude i586/i686 once again because it fails to link libxul due + to its size + +------------------------------------------------------------------- +Tue Mar 14 14:29:09 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 111.0 + * https://www.mozilla.org/en-US/firefox/111.0/releasenotes + MFSA 2023-09 (bsc#1209173) + * CVE-2023-28159 (bmo#1783561) + Fullscreen Notification could have been hidden by download + popups on Android + * CVE-2023-25748 (bmo#1798798) + Fullscreen Notification could have been hidden by window + prompts on Android + * CVE-2023-25749 (bmo#1810705) + Firefox for Android may have opened third-party apps without + a prompt + * CVE-2023-25750 (bmo#1814733) + Potential ServiceWorker cache leak during private browsing mode + * CVE-2023-25751 (bmo#1814899) + Incorrect code generation during JIT compilation + * CVE-2023-28160 (bmo#1802385) + Redirect to Web Extension files may have leaked local path + * CVE-2023-28164 (bmo#1809122) + URL being dragged from a removed cross-origin iframe into the + same tab triggered navigation + * CVE-2023-28161 (bmo#1811181) + One-time permissions granted to a local file were extended to + other local files loaded in the same tab + * CVE-2023-28162 (bmo#1811327) + Invalid downcast in Worklets + * CVE-2023-25752 (bmo#1811627) + Potential out-of-bounds when accessing throttled streams + * CVE-2023-28163 (bmo#1817768) + Windows Save As dialog resolved environment variables + * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904, bmo#1817442, + bmo#1818674) + Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9 + * CVE-2023-28177 (bmo#1803109, bmo#1808832, bmo#1809542, bmo#1817336) + Memory safety bugs fixed in Firefox 111 +- ensure gcc11-c++ gets used on Leap 15.5 +- requires NSS >= 3.88.1 +- removed obsolete patches + gcc13-fix.patch + mozilla-bmo1810584.patch +- rebased patches +- update create-tar.sh +- Packaging cleanup + + +------------------------------------------------------------------- +Tue Mar 7 09:40:11 UTC 2023 - Martin Liška <mliska@suse.cz> + +- Cherry-pick upstream changes for GCC 13 in gcc13-fix.patch. + +------------------------------------------------------------------- +Mon Mar 6 20:09:41 UTC 2023 - Andreas Schwab <schwab@suse.de> + +- Limit memory use on riscv64 + +------------------------------------------------------------------- +Sat Mar 4 16:03:22 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Fix 32 bit build bmo#1810584 (add mozilla-bmo1810584.patch) + +------------------------------------------------------------------- +Fri Mar 3 17:29:27 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 110.0.1 (boo#1208886) + * Fixed clearing recent cookies clears all cookies + (bmo#1816279) + * Fixed WebGL crashes on Linux when ran inside a VMWare virtual + machine (bmo#1807942) + * Fixed a bug with CSP serialization causing bugs with the MitID + Digital ID in Denmark (bmo#1819096) + +------------------------------------------------------------------- +Wed Feb 15 09:56:46 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 110.0 + * https://www.mozilla.org/en-US/firefox/110.0/releasenotes + MFSA 2023-05 (bsc#1208144) + * CVE-2023-25728 (bmo#1790345) + Content security policy leak in violation reports using iframes + * CVE-2023-25730 (bmo#1794622) + Screen hijack via browser fullscreen mode + * CVE-2023-25743 (bmo#1800203) + Fullscreen notification not shown in Firefox Focus + * CVE-2023-0767 (bmo#1804640) + Arbitrary memory write via PKCS 12 in NSS + * CVE-2023-25735 (bmo#1810711) + Potential use-after-free from compartment mismatch in SpiderMonkey + * CVE-2023-25737 (bmo#1811464) + Invalid downcast in SVGUtils::SetupStrokeGeometry + * CVE-2023-25738 (bmo#1811852) + Printing on Windows could potentially crash Firefox with some + device drivers + * CVE-2023-25739 (bmo#1811939) + Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext + * CVE-2023-25729 (bmo#1792138) + Extensions could have opened external schemes without user knowledge + * CVE-2023-25732 (bmo#1804564) + Out of bounds memory write from EncodeInputStream + * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338) + Opening local .url files could cause unexpected network loads + * CVE-2023-25740 (bmo#1812354) + Opening local .scf files could cause unexpected network loads + * CVE-2023-25731 (bmo#1801542) + Prototype pollution when rendering URLPreview + * CVE-2023-25733 (bmo#1808632) + Possible null pointer dereference in TaskbarPreviewCallback + * CVE-2023-25736 (bmo#1811331) + Invalid downcast in GetTableSelectionMode + * CVE-2023-25741 (bmo#1437126, bmo#1812611, bmo#1813376) + Same-origin policy leak via image drag and drop + * CVE-2023-25742 (bmo#1813424) + Web Crypto ImportKey crashes tab + * CVE-2023-25744 (bmo#1789449, bmo#1803628, bmo#1810536) + Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8 + * CVE-2023-25745 (bmo#1688592, bmo#1797186, bmo#1804998, + bmo#1806521, bmo#1813284) + Memory safety bugs fixed in Firefox 110 +- requires + NSS = 3.87 + rust/cargo = 1.66 +- update create-tar.sh + +------------------------------------------------------------------- +Wed Feb 1 19:48:47 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 109.0.1 + * Fixed jank when loading pages containing a large number of + emoji characters (bmo#1809081) + * Fixed an issue causing authentication prompts to not appear + when loading pages in some enterprise environments + (bmo#1809151) + * ixed inconsistent sizing of event listener checkboxes inside + the Inspector developer tool (bmo#1811760) + +------------------------------------------------------------------- +Mon Jan 16 06:54:09 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 109.0 + MFSA 2023-01 (bsc#1207119) + * CVE-2023-23597 (bmo#1538028) + Logic bug in process allocation allowed to read arbitrary + files + * CVE-2023-23598 (bmo#1800425) + Arbitrary file read from GTK drag and drop on Linux + * CVE-2023-23599 (bmo#1777800) + Malicious command could be hidden in devtools output on + Windows + * CVE-2023-23600 (bmo#1787034) + Notification permissions persisted between Normal and Private + Browsing on Android + * CVE-2023-23601 (bmo#1794268) + URL being dragged from cross-origin iframe into same tab + triggers navigation + * CVE-2023-23602 (bmo#1800890) + Content Security Policy wasn't being correctly applied to + WebSockets in WebWorkers + * CVE-2023-23603 (bmo#1800832) + Calls to <code>console.log</code> allowed bypasing Content + Security Policy via format directive + * CVE-2023-23604 (bmo#1802346) + Creation of duplicate <code>SystemPrincipal</code> from less + secure contexts + * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974) + Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 + * CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201, + bmo#1800446, bmo#1801248, bmo#1802100, bmo#1803393, + bmo#1804626, bmo#1804971, bmo#1807004) + Memory safety bugs fixed in Firefox 109 +- requires NSS 3.86 +- rebased patches + +------------------------------------------------------------------- +Fri Jan 6 06:57:25 UTC 2023 - Luciano Santos <luc14n0@opensuse.org> + +- Mozilla Firefox 108.0.2 + * Fixes a crash that might occur when managing browser history + (bmo#1806408). +- Drop merged-upstream mozilla-bmo1805809.patch. + +------------------------------------------------------------------- +Wed Dec 21 16:05:26 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- add mozilla-bmo1805809.patch to fix build for x86-32 (boo#1206600) + +------------------------------------------------------------------- +Tue Dec 20 07:58:58 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 108.0.1 (boo#1206507) + * Fixes the default search engine being reset on upgrade for + profiles which were previously copied from a different location + +------------------------------------------------------------------- +Tue Dec 13 13:54:35 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 108.0 + https://www.mozilla.org/en-US/firefox/108.0/releasenotes/ + MFSA 2022-51 (bsc#1206242) + * CVE-2022-46871 (bmo#1795697) + libusrsctp library out of date + * CVE-2022-46872 (bmo#1799156) + Arbitrary file read from a compromised content process + * CVE-2022-46873 (bmo#1644790) + Firefox did not implement the CSP directive unsafe-hashes + * CVE-2022-46874 (bmo#1746139) + Drag and Dropped Filenames could have been truncated to + malicious extensions + * CVE-2022-46875 (bmo#1786188) + Download Protections were bypassed by .atloc and .ftploc + files on Mac OS + * CVE-2022-46877 (bmo#1795139) + Fullscreen notification bypass + * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, + bmo#1801102, bmo#1801315, bmo#1802395) + Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 + * CVE-2022-46879 (bmo#1736224, bmo#1793407, bmo#1794249, bmo#1795845, + bmo#1797682, bmo#1797720, bmo#1798494, bmo#1799479) + Memory safety bugs fixed in Firefox 108 +- requires + NSS >= 3.85 + rustc/cargo 1.65 + +------------------------------------------------------------------- +Thu Dec 8 08:42:14 UTC 2022 - Milachew <milachew@mail.lv> + +- added translations to .desktop file. + +------------------------------------------------------------------- +Thu Dec 1 21:13:32 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 107.0.1: + * Fix an issue with accessing some sites reliably in Private + Browsing mode or Strict ETP due to anti-adblockers + (bmo#1717806) + * Fix an issue where Color Management was not available for + some users (bmo#1799391) + * Fix an issue with text overlapping in the Settings Menu for + some locales (bmo#1800379) + * Fix an issue where the DevTools UI is not accessible when an + alert dialog is displayed (bmo#1801840) + +------------------------------------------------------------------- +Tue Nov 15 14:22:26 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 107.0 + MFSA 2022-47 (bsc#1205270) + * CVE-2022-45403 (bmo#1762078) + Service Workers might have learned size of cross-origin media files + * CVE-2022-45404 (bmo#1790815) + Fullscreen notification bypass + * CVE-2022-45405 (bmo#1791314) + Use-after-free in InputStream implementation + * CVE-2022-45406 (bmo#1791975) + Use-after-free of a JavaScript Realm + * CVE-2022-45407 (bmo#1793314) + Loading fonts on workers was not thread-safe + * CVE-2022-45408 (bmo#1793829) + Fullscreen notification bypass via windowName + * CVE-2022-45409 (bmo#1796901) + Use-after-free in Garbage Collection + * CVE-2022-45410 (bmo#1658869) + ServiceWorker-intercepted requests bypassed SameSite cookie policy + * CVE-2022-45411 (bmo#1790311) + Cross-Site Tracing was possible via non-standard override headers + * CVE-2022-45412 (bmo#1791029) + Symlinks may resolve to partially uninitialized buffers + * CVE-2022-45413 (bmo#1791201) + SameSite=Strict cookies could have been sent cross-site via + intent URLs + * CVE-2022-40674 (bmo#1791598) + Use-after-free vulnerability in expat + * CVE-2022-45415 (bmo#1793551) + Downloaded file may have been saved with malicious extension + * CVE-2022-45416 (bmo#1793676) + Keystroke Side-Channel Leakage + * CVE-2022-45417 (bmo#1794508) + Service Workers in Private Browsing Mode may have been + written to disk + * CVE-2022-45418 (bmo#1795815) + Custom mouse cursor could have been drawn over browser UI + * CVE-2022-45419 (bmo#1716082) + Deleting a security exception did not take effect immediately + * CVE-2022-45420 (bmo#1792643) + Iframe contents could be rendered outside the iframe + * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) + Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 +- requires + * NSS >= 3.84 + * rust = 1.64 + +------------------------------------------------------------------- +Sat Nov 5 13:16:42 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 106.0.5 + * Addresses a crash experienced by users with Intel Gemini Lake + CPUs (bmo#1702019) +- Mozilla Firefox 106.0.4 + * Fixed an issue with DRM Video playback (bmo#1797292) + * Fixed broken layout of datetime input when switching + types (bmo#1797139) + +------------------------------------------------------------------- +Tue Nov 1 19:26:39 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 106.0.3 + * Fixes for other platforms + +------------------------------------------------------------------- +Thu Oct 27 18:07:29 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 106.0.2 + * Fix missing content on some PDF forms (bmo#1794351) + * Fix column width for the Notification sub-panel in Settings + (bmo#1793558) + * Fix a browser freeze with accessibility enabled on some sites + such as the Proxmox Web UI (bmo#1793748) + * Fix page reloading not working with Firefox View and not + refreshing synced data (bmo#1792680, bmo#1794474) + +------------------------------------------------------------------- +Sun Oct 23 07:34:50 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 106.0.1 + * Addresses a crash experienced by users with AMD Zen 1 CPUs + (bmo#1796126) + +------------------------------------------------------------------- +Sun Oct 16 20:08:21 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 106.0 + * support editing of PDFs + * introduced Firefox View + * major WebRTC update + - Better screen sharing for Windows and Linux Wayland users + - RTP performance and reliability improvements + - Richer statistics + - Cross-browser and service compatibility improvements + * detailed releasenotes + https://www.mozilla.org/en-US/firefox/106.0/releasenotes + MFSA 2022-44 (bsc#1204421) + * CVE-2022-42927 (bmo#1789128) + Same-origin policy violation could have leaked cross-origin URLs + * CVE-2022-42928 (bmo#1791520) + Memory Corruption in JS Engine + * CVE-2022-42929 (bmo#1789439) + Denial of Service via window.print + * CVE-2022-42930 (bmo#1789503) + Race condition in DOM Workers + * CVE-2022-42931 (bmo#1780571) + Username saved to a plaintext file on disk + * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) + Memory safety bugs fixed in Firefox +- added -msse2 flag to fix i386 build and workaround bmo#1795993 +- fixed used buildflags +- renamed mozilla-i686-build.patch to mozilla-buildfixes.patch + as it was extended with changes for other archs + +------------------------------------------------------------------- +Sat Oct 8 13:41:12 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 105.0.3: + * Fixes for other platforms + +------------------------------------------------------------------- +Wed Oct 5 18:27:01 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 105.0.2: + * Fixed poor contrast on various menu items with certain + themes on Linux systems (bmo#1792063) + * Fixed the scrollbar appearing on the wrong side of + `select` elements in right-to-left locales (bmo#1791219) + * Fixed a possible deadlock when loading some sites in + Troubleshoot Mode (bmo#1786259) + * Fixed a bug causing some dynamic appearance changes to + not appear when expected (bmo#1786521) + * Fixed a bug causing theme styling to not be properly applied + to sidebars for some add-ons in Private Browsing Mode + (bmo#1787543) + +------------------------------------------------------------------- +Thu Sep 22 22:12:39 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 105.0.1 + * Reverted focus behavior for new windows back to the content + area instead of the address bar (bmo#1784692) +- added mozilla-i686-build.patch to avoid using avx2 + +------------------------------------------------------------------- +Sat Sep 17 21:01:10 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 105.0 + https://www.mozilla.org/en-US/firefox/105.0/releasenotes + MFSA 2022-40 (bsc#1203477) + * CVE-2022-40959 (bmo#1782211) + Bypassing FeaturePolicy restrictions on transient pages + * CVE-2022-40960 (bmo#1787633) + Data-race when parsing non-UTF-8 URLs in threads + * CVE-2022-40958 (bmo#1779993) + Bypassing Secure Context restriction for cookies with __Host + and __Secure prefix + * CVE-2022-40961 (bmo#1784588) + Stack-buffer overflow when initializing Graphics + * CVE-2022-40956 (bmo#1770094) + Content-Security-Policy base-uri bypass + * CVE-2022-40957 (bmo#1777604) + Incoherent instruction cache when building WASM on ARM64 + * CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, + bmo#1784835, bmo#1785109, bmo#1786502, bmo#1789440) + Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3 +- requires + NSS 3.82 + Rust 1.63 (1.61) +- removed obsolete mozilla-glibc236.patch + +------------------------------------------------------------------- +Fri Sep 9 05:59:03 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Adjust memory requirements to fix build on aarch64 + +------------------------------------------------------------------- +Wed Sep 7 06:50:24 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 104.0.2 (boo#1203177) + https://www.mozilla.org/en-US/firefox/104.0.2/releasenotes/ + * Fixed a bug making it impossible to use touch or a stylus to + drag the scrollbar on pages (bmo#1787361) + * Fixed an issue causing some users to crash in out-of-memory + conditions (bmo#1774155) + * Fixed an issue that would sometimes affect video & audio playback + when loaded via a cross-origin iframe src attribute (bmo#1781759) + * Fixed an issue that would sometimes affect video & audio playback + when served with Content-Security-Policy: sandbox (bmo#1781063) + +------------------------------------------------------------------- +Thu Sep 1 07:04:11 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 104.0.1 + * Addresses an issue with Youtube video playback that was + affecting some users (boo#1203003) + +------------------------------------------------------------------- +Sun Aug 21 11:12:14 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 104.0 + * https://www.mozilla.org/en-US/firefox/104.0/releasenotes + MFSA 2022-33 (bsc#1202645) + * CVE-2022-38472 (bmo#1769155) + Address bar spoofing via XSLT error handling + * CVE-2022-38473 (bmo#1771685) + Cross-origin XSLT Documents would have inherited the parent's + permissions + * CVE-2022-38474 (bmo#1719511) + Recording notification not shown when microphone was + recording on Android + * CVE-2022-38475 (bmo#1773266) + Attacker could write a value to a zero-length array + * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) + Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2 + * CVE-2022-38478 (bmo#1770630, bmo#1776658) + Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, + and Firefox ESR 91.13 +- requires + NSPR 4.34.1 + NSS 3.81 + rust 1.62 + +------------------------------------------------------------------- +Sat Aug 13 06:25:20 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- added mozilla-glibc236.patch (bmo#1782988, boo#1202323) + +------------------------------------------------------------------- +Tue Aug 9 08:46:29 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 103.0.2 + * Fixed menu shortcuts for users of the JAWS screen reader + * Fixed an occasional non-overridable certificate error when + accessing device configuration pages + +------------------------------------------------------------------- +Tue Aug 2 08:05:28 UTC 2022 - Andreas Schwab <schwab@suse.de> + +- The --disable-elf-hack option only exists on ARM and X86 + +------------------------------------------------------------------- +Mon Aug 1 10:45:16 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 103.0.1 + * Enabled hardware acceleration on newer AMD cards. + * Fixed a crash on Firefox shutdown caused by a bug in the + audio manager + +------------------------------------------------------------------- +Wed Jul 27 07:13:07 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 103.0 + https://www.mozilla.org/en-US/firefox/103.0/releasenotes + MFSA 2022-28 (bsc#1201758) + * CVE-2022-36319 (bmo#1737722) + Mouse Position spoofing with CSS transforms + * CVE-2022-36317 (bmo#1759951) + Long URL would hang Firefox for Android + * CVE-2022-36318 (bmo#1771774) + Directory indexes for bundled resources reflected URL + parameters + * CVE-2022-36314 (bmo#1773894) + Opening local <code>.lnk</code> files could cause unexpected + network loads + * CVE-2022-36315 (bmo#1762520) + Preload Cache Bypasses Subresource Integrity + * CVE-2022-36316 (bmo#1768583) + Performance API leaked whether a cross-site resource is + redirecting + * CVE-2022-36320 (bmo#1759794, bmo#1760998) + Memory safety bugs fixed in Firefox 103 + * CVE-2022-2505 (bmo#1769739, bmo#1772824) + Memory safety bugs fixed in Firefox 103 and 102.1 +- requires + NSS >= 3.80 + rust = 1.61 + rust-cbindgen >= 0.24.3 + +------------------------------------------------------------------- +Wed Jul 13 07:54:21 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Move %limit_build set before mozilla config to actually set the + value of %jobs to MOZ_MAKE_FLAGS to fix build on aarch64 + +------------------------------------------------------------------- +Wed Jul 6 18:35:47 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Firefox 102.0.1: + * Fixed: Fixed bookmarks sidebar flashing white when opened in + dark mode (bmo#1776157) + * Fixed: Fixed multilingual spell checking not working with + content in both English and a non-Latin alphabet + (bmo#1773802) + * Fixed: Developer tools: Fixed an issue where the console + output keep getting scrolled to the bottom when the last + visible message is an evaluation result (bmo#1776262) + * Fixed: Fixed *Delete cookies and site data when Firefox is + closed* checkbox getting disabled on startup (bmo#1777419) + * Fixed: Various stability fixes + +------------------------------------------------------------------- +Sat Jun 25 12:51:46 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Firefox 102.0 + * You can now disable automatic opening of the download panel + every time a new download starts + * Firefox now mitigates query parameter tracking when navigating + sites in ETP strict mode + * Improved security by moving audio decoding into a separate + process with stricter sandboxing, thus improving process isolation + * https://www.mozilla.org/en-US/firefox/102.0/releasenotes + MFSA 2022-24 (bsc#1200793) + * CVE-2022-34479 (bmo#1745595) + A popup window could be resized in a way to overlay the + address bar with web content + * CVE-2022-34470 (bmo#1765951) + Use-after-free in nsSHistory + * CVE-2022-34468 (bmo#1768537) + CSP sandbox header without `allow-scripts` can be bypassed + via retargeted javascript: URI + * CVE-2022-34482 (bmo#845880) + Drag and drop of malicious image could have led to malicious + executable and potential code execution + * CVE-2022-34483 (bmo#1335845) + Drag and drop of malicious image could have led to malicious + executable and potential code execution + * CVE-2022-34476 (bmo#1387919) + ASN.1 parser could have been tricked into accepting malformed ASN.1 + * CVE-2022-34481 (bmo#1483699, bmo#1497246) + Potential integer overflow in ReplaceElementsAt + * CVE-2022-34474 (bmo#1677138) + Sandboxed iframes could redirect to external schemes + * CVE-2022-34469 (bmo#1721220) + TLS certificate errors on HSTS-protected domains could be + bypassed by the user on Firefox for Android + * CVE-2022-34471 (bmo#1766047) + Compromised server could trick a browser into an addon downgrade + * CVE-2022-34472 (bmo#1770123) + Unavailable PAC file resulted in OCSP requests being blocked + * CVE-2022-34478 (bmo#1773717) + Microsoft protocols can be attacked if a user accepts a prompt + * CVE-2022-2200 (bmo#1771381) + Undesired attributes could be set as part of prototype pollution + * CVE-2022-34480 (bmo#1454072) + Free of uninitialized pointer in lg_init + * CVE-2022-34477 (bmo#1731614) + MediaError message property leaked information on cross- + origin same-site pages + * CVE-2022-34475 (bmo#1757210) + HTML Sanitizer could have been bypassed via same-origin + script via use tags + * CVE-2022-34473 (bmo#1770888) + HTML Sanitizer could have been bypassed via use tags + * CVE-2022-34484 (bmo#1763634, bmo#1772651) + Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 + * CVE-2022-34485 (bmo#1768409, bmo#1768578) + Memory safety bugs fixed in Firefox 102 +- requires + NSPR >= 4.34 + NSS >= 3.79 + rust = 1.60 +- switch out skia-patches with webrender-patches for big endian + removed: + * mozilla-bmo1504834-part2.patch + * mozilla-bmo1504834-part4.patch + * mozilla-bmo1626236.patch + added: + * one_swizzle_to_rule_them_all.patch + * svg-rendering.patch +- add some more returns to the no-return-patch + +------------------------------------------------------------------- +Fri Jun 10 20:45:37 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 101.0.1: + * Fixed context menus not appearing when right-clicking + Picture-in-Picture windows on some Linux systems (bmo#1771914) + * Various stability fixes + +------------------------------------------------------------------- +Sun May 29 08:02:45 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 101.0 + * Reading is now easier with the prefers-contrast media query, + which allows sites to detect if the user has requested that web + content is presented with a higher (or lower) contrast + * All non-configured MIME types can now be assigned a custom + action upon download completion + * allows users to use as many microphones as you want, at the + same time, during video conferencing. The most exciting benefit + is that you can easily switch your microphones at any time + (if your conferencing service provider enables this flexibility) + MFSA 2022-20 (bsc#1200027) + * CVE-2022-31736 (bmo#1735923) + Cross-Origin resource's length leaked + * CVE-2022-31737 (bmo#1743767) + Heap buffer overflow in WebGL + * CVE-2022-31738 (bmo#1756388) + Browser window spoof using fullscreen mode + * CVE-2022-31739 (bmo#1765049) + Attacker-influenced path traversal when saving downloaded files + * CVE-2022-31740 (bmo#1766806) + Register allocation problem in WASM on arm64 + * CVE-2022-31741 (bmo#1767590) + Uninitialized variable leads to invalid memory read + * CVE-2022-31742 (bmo#1730434) + Querying a WebAuthn token with a large number of allowCredential + entries may have leaked cross-origin information + * CVE-2022-31743 (bmo#1747388) + HTML Parsing incorrectly ended HTML comments prematurely + * CVE-2022-31744 (bmo#1757604) + CSP bypass enabling stylesheet injection + * CVE-2022-31745 (bmo#1760944) + Incorrect Assertion caused by unoptimized array shift operations + * CVE-2022-1919 (bmo#1761275) + Memory Corruption when manipulating webp images + * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283, + bmo#1767365, bmo#1768559, bmo#1768734) + Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10 + * CVE-2022-31748 (bmo#1713773, bmo#1762201, bmo#1762469, + bmo#1762770, bmo#1764878, bmo#1765226, bmo#1765782, bmo#1765973, + bmo#1767177, bmo#1767181, bmo#1768232, bmo#1768251, bmo#1769869) + Memory safety bugs fixed in Firefox 101 +- requires + * NSS 3.78.1 + * rust-cbindgen 0.23.0 + * rust 1.59 + +------------------------------------------------------------------- +Fri May 20 15:03:50 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 100.0.2 + MFSA 2022-19 (bsc#1199768) + * CVE-2022-1802 (bmo#1770137) + Prototype pollution in Top-Level Await implementation + * CVE-2022-1529 (bmo#1770048) + Untrusted input used in JavaScript object indexing, leading + to prototype pollution + +------------------------------------------------------------------- +Wed May 18 20:27:49 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 100.0.1: + * Fixed: Fixed an issue with subtitles in Picture-in-Picture + mode while using Netflix (bmo#1768818) + * Fixed: Fixed an issue where some commands were unavailable in + the Picture-in-Picture window (bmo#1768201) + +------------------------------------------------------------------- +Sun May 1 21:31:01 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 100.0 + * subtitle support in PiP + * spell checking supports multiple languages in parallel + * more details here + https://www.mozilla.org/en-US/firefox/100.0/releasenotes + MFSA 2022-16 (boo#1198970) + * CVE-2022-29914 (bmo#1746448) + Fullscreen notification bypass using popups + * CVE-2022-29909 (bmo#1755081) + Bypassing permission prompt in nested browsing contexts + * CVE-2022-29916 (bmo#1760674) + Leaking browser history with CSS variables + * CVE-2022-29911 (bmo#1761981) + iframe Sandbox bypass + * CVE-2022-29912 (bmo#1692655) + Reader mode bypassed SameSite cookies + * CVE-2022-29910 (bmo#1757138) + Firefox for Android forgot HTTP Strict Transport Security + settings + * CVE-2022-29915 (bmo#1751678) + Leaking cross-origin redirect through the Performance API + * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, + bmo#1762614, bmo#1762620, bmo#1764778) + Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9 + * CVE-2022-29918 (bmo#1744043, bmo#1747178, bmo#1753535, + bmo#1754017, bmo#1755847, bmo#1756172, bmo#1757477, + bmo#1758223, bmo#1760160, bmo#1761481, bmo#1761771) + Memory safety bugs fixed in Firefox 100 +- requires NSS 3.77 + +------------------------------------------------------------------- +Tue Apr 12 19:30:30 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 99.0.1 + * Fixed an issue with text rendering in Bengali (bmo#1763368) + * Fixed a selection issue in the Download panel with drag and + drop (bmo#1762723) + * Fixed: Fixed an issue preventing Zoom gallery mode for users + who go to zoom.us URLs instead of subdomain.zoom.us URLs + (bmo#1763801) + +------------------------------------------------------------------- +Mon Apr 4 07:34:36 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 99.0 + * You can now toggle Narrate in ReaderMode with the keyboard + shortcut "n." + * You can find added support for search—with or without + diacritics—in the PDF viewer. + * The Linux sandbox has been strengthened: processes exposed to web + content no longer have access to the X Window system (X11). + * Firefox now supports credit card autofill and capture in + Germany and France. + MFSA 2022-13 (bsc#1197903) + * CVE-2022-1097 (bmo#1745667) + Use-after-free in NSSToken objects + * CVE-2022-28281 (bmo#1755621) + Out of bounds write due to unexpected WebAuthN Extensions + * CVE-2022-28282 (bmo#1751609) + Use-after-free in DocumentL10n::TranslateDocument + * CVE-2022-28283 (bmo#1754066) + Missing security checks for fetching sourceMapURL + * CVE-2022-28284 (bmo#1754522) + Script could be executed via svg's use element + * CVE-2022-28285 (bmo#1756957) + Incorrect AliasSet used in JIT Codegen + * CVE-2022-28286 (bmo#1735265) + iframe contents could be rendered outside the border + * CVE-2022-28287 (bmo#1741515) + Text Selection could crash Firefox + * CVE-2022-24713 (bmo#1758509) + Denial of Service via complex regular expressions + * CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508, + bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776) + Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8 + * CVE-2022-28288 (bmo#1746415, bmo#1746495, bmo#1746500, + bmo#1747282, bmo#1748759, bmo#1749056, bmo#1749786, + bmo#1751679, bmo#1752120, bmo#1756010, bmo#1756017, + bmo#1757213, bmo#1757258, bmo#1757427) + Memory safety bugs fixed in Firefox 99 +- requires NSS >= 3.76.1 +- remove obsolete patch + * mozilla-bmo1756347.patch + * mozilla-bmo1757571.patch +- update create-tar.sh + +------------------------------------------------------------------- +Thu Mar 24 21:49:57 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- MozillaFirefox 98.0.2: + * Fixed: Fixed an issue preventing users from typing in Address + Bar after opening new tab and pressing cmd + enter + (bmo#1757376) + * Fixed: Fixed an issue causing some users to crash in out-of- + memory conditions (bmo#1757618) + * Fixed: Fixed an issue in session history which caused some + sites to fail to load (bmo#1758664) + * Fixed: Fixed an add-on specific compatibility issue + (bmo#1759162) + +------------------------------------------------------------------- +Wed Mar 23 15:14:22 UTC 2022 - Simon Vogl <simon.vogl@gmx.net> + +- Change mozilla-kde.patch to follow the GNOME registry + behavior for new MIME types to avoid opening downloaded files + without any inquiries (bsc#1197319) + +------------------------------------------------------------------- +Tue Mar 22 12:22:51 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Add patch to fix start-up on aarch64: + * mozilla-bmo1757571.patch + +------------------------------------------------------------------- +Thu Mar 17 14:52:39 UTC 2022 - Dirk Müller <dmueller@suse.com> + +- exclude slow cpus for building + +------------------------------------------------------------------- +Thu Mar 17 09:18:01 UTC 2022 - Martin Sirringhaus <martin.sirringhaus@suse.com> + +- Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer, + faster buildhosts, as the others struggle to build FF. + +------------------------------------------------------------------- +Mon Mar 14 22:48:42 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 98.0.1: + * Yandex and Mail.ru have been removed as optional search + providers in the drop-down search menu in Firefox + +------------------------------------------------------------------- +Tue Mar 8 10:27:16 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 98.0 + * Firefox has a new optimized download flow + * other changes as documented here + https://www.mozilla.org/en-US/firefox/98.0/releasenotes + MFSA 2022-10 (bsc#1196900) + * CVE-2022-26383 (bmo#1742421) + Browser window spoof using fullscreen mode + * CVE-2022-26384 (bmo#1744352) + iframe allow-scripts sandbox bypass + * CVE-2022-26387 (bmo#1752979) + Time-of-check time-of-use bug when verifying add-on signatures + * CVE-2022-26381 (bmo#1736243) + Use-after-free in text reflows + * CVE-2022-26382 (bmo#1741888) + Autofill Text could be exfiltrated via side-channel attacks + * CVE-2022-26385 (bmo#1747526) + Use-after-free in thread shutdown + * CVE-2022-0843 (bmo#1746523, bmo#1749062, bmo#1749164, bmo#1749214, + bmo#1749610, bmo#1750032, bmo#1752100, bmo#1752405, bmo#1753612, + bmo#1754508) + Memory safety bugs fixed in Firefox 98 +- requires NSS 3.75 +- add mozilla-bmo1756347.patch to fix i586 build + +------------------------------------------------------------------- +Fri Feb 18 20:38:22 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 97.0.1 + * Fixed: Fixed an issue where TikTok videos would fail to load + when selected from a user's profile page (bmo#1750973) + * Fixed: Fixed an issue which led to Picture-in-Picture mode + being unable to be toggled on Hulu (bmo#1753401) + * Fixed: Works around problems with WebRoot SecureAnywhere + antivirus rendering Firefox unusable in some situations + (bmo#1752466) + * Fixed: Fixed an issue causing users to see the Restore + Session screen unexpectedly when starting Firefox + (bmo#1749996) + +------------------------------------------------------------------- +Mon Feb 14 19:31:29 UTC 2022 - Luciano Santos <luc14n0@opensuse.org> + +- Remove bashisms ("source" and "function" keywords) from + mozilla.sh.in to ally with the #!/bin/sh shebang. If the end user + has either dash-sh package or busybox-sh to handle Bourn Shell + scripts rather than having bash-sh package, the script would + fail. Using "." instead of "source" and "create_langpack_link()" + function definition is enough to keep both sides sane, + behavior-wise. + +------------------------------------------------------------------- +Tue Feb 8 08:40:45 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 97.0 + MFSA 2022-04 (bsc#1195682) + * CVE-2022-22753 (bmo#1732435) + Privilege Escalation to SYSTEM on Windows via Maintenance Service + * CVE-2022-22754 (bmo#1750565) + Extensions could have bypassed permission confirmation during update + * CVE-2022-22755 (bmo#1309630) + XSL could have allowed JavaScript execution after a tab was closed + * CVE-2022-22756 (bmo#1317873) + Drag and dropping an image could have resulted in the dropped + object being an executable + * CVE-2022-22757 (bmo#1720098) + Remote Agent did not prevent local websites from connecting + * CVE-2022-22758 (bmo#1728742) + tel: links could have sent USSD codes to the dialer on + Firefox for Android + * CVE-2022-22759 (bmo#1739957) + Sandboxed iframes could have executed script if the parent + appended elements + * CVE-2022-22760 (bmo#1740985, bmo#1748503) + Cross-Origin responses could be distinguished between script + and non-script content-types + * CVE-2022-22761 (bmo#1745566) + frame-ancestors Content Security Policy directive was not + enforced for framed extension pages + * CVE-2022-22762 (bmo#1743931) + JavaScript Dialogs could have been displayed over other + domains on Firefox for Android + * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, + bmo#1748210, bmo#1748279) + Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6 + * CVE-2022-0511 (bmo#1713579, bmo#1735448, bmo#1743821, bmo#1746313, + bmo#1746314, bmo#1746316, bmo#1746321, bmo#1746322, bmo#1746323, + bmo#1746412, bmo#1746430, bmo#1746451, bmo#1746488, bmo#1746875, + bmo#1746898, bmo#1746905, bmo#1746907, bmo#1746917, bmo#1747128, + bmo#1747137, bmo#1747331, bmo#1747346, bmo#1747439, bmo#1747457, + bmo#1747870, bmo#1749051, bmo#1749274, bmo#1749831) + Memory safety bugs fixed in Firefox 97 +- requires NSS 3.74 +- requires rust 1.57 + +------------------------------------------------------------------- +Mon Feb 7 22:21:29 UTC 2022 - Dirk Müller <dmueller@suse.com> + +- remove memoryperjob and use %limit instead. this allows to + adapt to more worker types, and lowers the time the package + is stuck in "scheduling". raising memory above 8 to lower + risk for LTO jobs to run OOM +- add hack to disable -Wl,--gc-section which avoids a binutils + segfault on x86 +- change mozilla-reduce-rust-debuginfo.patch: use -g1 everywhere + +------------------------------------------------------------------- +Sun Jan 30 23:58:34 UTC 2022 - Dirk Müller <dmueller@suse.com> + +- disable ccache, this adds about 1 minute of build time and + over 2 GB of disk space usage without benefit on OBS builds +- build with rust-simd like upstream does +- use -g1 for debuginfo generation as this is what upstream + does as well and it saves ~ 2GB of writes +- use %limit on x86_64 to scale down to less capable workers +- disable install stripping so that debuginfo is useful +- use autopatch +- cleanup constraints to specify only jobs, physicalmemory + and memoryperjob to be more flexible on which host to build + on + +------------------------------------------------------------------- +Fri Jan 28 15:26:45 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 96.0.3 (bsc#1195230) + * Fixed an issue that allowed unexpected data to be submitted in + some of our search telemetry (bmo#1752317) + +------------------------------------------------------------------- +Mon Jan 24 07:42:03 UTC 2022 - Martin Liška <mliska@suse.cz> + +- Enable -fimplicit-constexpr for GCC 12+. + +------------------------------------------------------------------- +Thu Jan 20 23:21:44 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 96.0.2 + * Fix an issue that caused tab height to display inconsistently + on Linux when audio was played (bmo#1714276) + * Fix an issue that caused Lastpass dropdowns to appear blank in + Private Browsing mode (bmo#1748158) + * Fix a crash encountered when resizing a Facebook app + (bmo#1746084) + +------------------------------------------------------------------- +Fri Jan 14 16:56:42 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 96.0.1 + * Fixed: Improvements to make the parsing of content-length + headers more robust (bmo#1749957, boo#1194677) + +------------------------------------------------------------------- +Sat Jan 8 10:32:46 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 96.0 + * https://www.mozilla.org/en-US/firefox/96.0/releasenotes + MFSA 2022-01 (bsc#1194547) + * CVE-2022-22746 (bmo#1735071) + Calling into reportValidity could have lead to fullscreen + window spoof + * CVE-2022-22743 (bmo#1739220) + Browser window spoof using fullscreen mode + * CVE-2022-22742 (bmo#1739923) + Out-of-bounds memory access when inserting text in edit mode + * CVE-2022-22741 (bmo#1740389) + Browser window spoof using fullscreen mode + * CVE-2022-22740 (bmo#1742334) + Use-after-free of ChannelEventQueue::mOwner + * CVE-2022-22738 (bmo#1742382) + Heap-buffer-overflow in blendGaussianBlur + * CVE-2022-22737 (bmo#1745874) + Race condition when playing audio files + * CVE-2021-4140 (bmo#1746720) + Iframe sandbox bypass with XSLT + * CVE-2022-22750 (bmo#1566608) + IPC passing of resource handles could have lead to sandbox + bypass + * CVE-2022-22749 (bmo#1705094) + Lack of URL restrictions when scanning QR codes + * CVE-2022-22748 (bmo#1705211) + Spoofed origin on external protocol launch dialog + * CVE-2022-22745 (bmo#1735856) + Leaking cross-origin URLs through securitypolicyviolation + event + * CVE-2022-22744 (bmo#1737252) + The 'Copy as curl' feature in DevTools did not fully escape + website-controlled data, potentially leading to command + injection + * CVE-2022-22747 (bmo#1735028) + Crash when handling empty pkcs7 sequence + * CVE-2022-22736 (bmo#1742692) + Potential local privilege escalation when loading modules + from the install directory. + * CVE-2022-22739 (bmo#1744158) + Missing throttling on external protocol launch dialog + * CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366, + bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, + bmo#1743221, bmo#1743515, bmo#1745373, bmo#1746011) + Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5 + * CVE-2022-22752 (bmo#1740534, bmo#1741210, bmo#1742770) + Memory safety bugs fixed in Firefox 96 +- removed obsolete patches + * mozilla-bmo1745560.patch + * mozilla-bmo1744896.patch + * mozilla-sandbox-fips.patch +- requires + NSPR >= 4.33 + NSS >= 3.73.1 + +------------------------------------------------------------------- +Tue Dec 28 17:45:28 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com> + +- Add upstream patches: + * mozilla-bmo1745560.patch: Fix build against wayland 1.20. + * mozilla-bmo1744896.patch: Create WaylandVsyncSource on window + creation + +------------------------------------------------------------------- +Mon Dec 20 21:57:30 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 95.0.2 + * Addresses frequent crashes experienced by users with C/E/Z-Series + "Bobcat" CPUs running on Windows 7, 8, and 8.1. +- updated constraints for ppc and x86-64 + +------------------------------------------------------------------- +Fri Dec 17 13:49:16 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 95.0.1 (bsc#1193845) + * Fixed frequent + MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error + messages when trying to connect to various microsoft.com + domains (bmo#1745600) + * Fix for a WebRender crash on some Linux/X11 systems (bmo#1741956) + * Fix for a frequent Windows shutdown crash (bmo#1738984) + * Fix websites contrast issues for some Linux users with + Dark mode set at OS level (bmo#1740518) + +------------------------------------------------------------------- +Sat Dec 4 12:07:21 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 95.0 + * You can now move the Picture-in-Picture toggle button to the + opposite side of the video. Simply look for the new context menu + option Move Picture-in-Picture Toggle to Left (Right) Side. + * To better protect Firefox users against side-channel attacks such + as Spectre, Site Isolation is now enabled for all Firefox 95 users. + * https://www.mozilla.org/en-US/firefox/95.0/releasenotes + MFSA 2021-52 (bsc#1193485) + * CVE-2021-43536 (bmo#1730120) + URL leakage when navigating while executing asynchronous + function + * CVE-2021-43537 (bmo#1738237) + Heap buffer overflow when using structured clone + * CVE-2021-43538 (bmo#1739091) + Missing fullscreen and pointer lock notification when + requesting both + * CVE-2021-43539 (bmo#1739683) + GC rooting failure when calling wasm instance methods + * MOZ-2021-0010 (bmo#1735852) + Use-after-free in fullscreen objects on MacOS + * CVE-2021-43540 (bmo#1636629) + WebExtensions could have installed persistent ServiceWorkers + * CVE-2021-43541 (bmo#1696685) + External protocol handler parameters were unescaped + * CVE-2021-43542 (bmo#1723281) + XMLHttpRequest error codes could have leaked the existence of + an external protocol handler + * CVE-2021-43543 (bmo#1738418) + Bypass of CSP sandbox directive when embedding + * CVE-2021-43544 (bmo#1739934) + Receiving a malicious URL as text through a SEND intent could + have led to XSS + * CVE-2021-43545 (bmo#1720926) + Denial of Service when using the Location API in a loop + * CVE-2021-43546 (bmo#1737751) + Cursor spoofing could overlay user interface when native + cursor is zoomed + * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751, + bmo#1737009, bmo#1739372, bmo#1739421) + Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4 +- requires + NSS >= 3.72 + +------------------------------------------------------------------- +Thu Dec 2 20:32:42 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- remove x-scheme-handler/ftp from firefox.desktop boo#1193321 + +------------------------------------------------------------------- +Thu Nov 25 20:21:07 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com> + +- Drop unused libidl-devel BuildRequires. + +------------------------------------------------------------------- +Tue Nov 23 22:00:38 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 94.0.2: + * Update preference design for Firefox Suggest for improved clarity + * Resolved general instability/crashes on Linux caused by a file + descriptor leak when backgrounding tabs using WebGL + (bmo#1741997) + +------------------------------------------------------------------- +Fri Nov 5 18:02:48 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 94.0.1: + * fixes for other platforms + +------------------------------------------------------------------- +Sat Oct 30 07:52:22 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 94.0 + * https://www.mozilla.org/en-US/firefox/94.0/releasenotes + MFSA 2021-48 (bsc#1192250) + * CVE-2021-38503 (bmo#1729517) + iframe sandbox rules did not apply to XSLT stylesheets + * CVE-2021-38504 (bmo#1730156) + Use-after-free in file picker dialog + * CVE-2021-38505 (bmo#1730194) + Windows 10 Cloud Clipboard may have recorded sensitive user data + * CVE-2021-38506 (bmo#1730750) + Firefox could be coaxed into going into fullscreen mode + without notification or warning + * CVE-2021-38507 (bmo#1730935) + Opportunistic Encryption in HTTP2 could be used to bypass the + Same-Origin-Policy on services hosted on other ports + * MOZ-2021-0003 (bmo#1736886) + Universal XSS in Firefox for Android via QR Code URLs + * CVE-2021-38508 (bmo#1366818) + Permission Prompt could be overlaid, resulting in user + confusion and potential spoofing + * MOZ-2021-0004 (bmo#1659155) + Web Extensions could access pre-redirect URL when their + context menu was triggered by a user + * CVE-2021-38509 (bmo#1718571) + Javascript alert box could have been spoofed onto an + arbitrary domain + * CVE-2021-38510 (bmo#1731779) + Download Protections were bypassed by .inetloc files on Mac OS + * MOZ-2021-0005 (bmo#1719203) + 'Copy Image Link' context menu action could have been abused + to see authentication tokens + * MOZ-2021-0006 (bmo#1724233) + URL Parsing may incorrectly parse internationalized domains + * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048, bmo#1735152) + Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 +- removed obsolete patches + * mozilla-bmo1602730.patch + * mozilla-bmo1725828.patch + * mozilla-bmo1729124.patch +- requires + NSS >= 3.71 + rust >= 1.53 +- fix Plasma detection (boo#1191825) +- fix Link error "undefined hidden symbol:" + https://github.com/openSUSE/firefox-maintenance/issues/37 + +------------------------------------------------------------------- +Tue Oct 26 19:48:24 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires +- (re-)enable LTO on Tumbleweed + +------------------------------------------------------------------- +Wed Oct 20 06:49:52 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com> + +- Rebase mozilla-sandbox-fips.patch to punch another hole in the + sandbox containment, to be able to open /proc/sys/crypto/fips_enabled + from within the newly introduced socket process sandbox. + This fixes bsc#1191815 and bsc#1190141 + +------------------------------------------------------------------- +Mon Oct 18 12:44:44 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Add patch to fix build on aarch64 (bmo#1729124) + * mozilla-bmo1729124.patch + +------------------------------------------------------------------- +Fri Oct 1 18:33:33 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 93.0 + * supports the new AVIF image format + * PDF viewer now supports filling more forms (XFA-based forms) + * now blocks downloads that rely on insecure connections, + protecting against potentially malicious or unsafe downloads + * Improved web compatibility for privacy protections with SmartBlock 3.0 + * Introducing a new referrer tracking protection in Strict Tracking + Protection and Private Browsing + * TLS ciphersuites that use 3DES have been disabled. Such + ciphersuites can only be enabled when deprecated versions of + TLS are also enabled + * The download panel now follows the Firefox visual styles + MFSA 2021-43 (bsc#1191332) + * CVE-2021-38496 (bmo#1725335) + Use-after-free in MessageTask + * CVE-2021-38497 (bmo#1726621) + Validation message could have been overlaid on another origin + * CVE-2021-38498 (bmo#1729642) + Use-after-free of nsLanguageAtomService object + * CVE-2021-32810 (bmo#1729813) + https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) + Data race in crossbeam-deque + * CVE-2021-38500 (bmo#1725854, bmo#1728321) + Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, + and Firefox ESR 91.2 + * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) + Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 + * CVE-2021-38499 (bmo#1667102, bmo#1723170, bmo#1725356, bmo#1727364) + Memory safety bugs fixed in Firefox 93 +- removed obsolete mozilla-bmo1708709.patch +- require NSS >= 3.70 +- allow to override wayland detection by defining MOZ_ENABLE_WAYLAND + explicitely as 0 or 1 +- fix aarch64 build by updating constraints +- add mozilla-bmo1725828.patch to fix widevine (bsc#1190842) +- add mozilla-bmo531915.patch to fix build for i586 + +------------------------------------------------------------------- +Sat Sep 25 10:10:56 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 92.0.1 + * Fixed: Fixes an issue where audio playback was not working on + some Linux systems (bmo#1730499) + * Fixed: Fixes issues with the findbar close button on + different operating systems (bmo#1728368) + +------------------------------------------------------------------- +Mon Sep 6 10:16:28 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 92.0 + * More secure connections: Firefox can now automatically upgrade to + HTTPS using HTTPS RR as Alt-Svc headers + * Full-range color levels are now supported for video playback on + many systems + MFSA 2021-38 (bsc#1190269) + * CVE-2021-29993 (bmo#1708544, bmo#1708767, bmo#1712240, + bmo#1712242, bmo#1729259) + Handling custom intents could lead to crashes and UI spoofs + * CVE-2021-38491 (bmo#1551886) + Mixed-Content-Blocking was unable to check opaque origins + * CVE-2021-38492 (bmo#1721107) + Navigating to `mk:` URL scheme could load Internet Explorer + * CVE-2021-38493 (bmo#1723391, bmo#1724101, bmo#1724107) + Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and + Firefox ESR 91.1 + * CVE-2021-38494 (bmo#1723920, bmo#1725638) + Memory safety bugs fixed in Firefox 92 +- updated appdata +- remove mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch + (does not apply anymore; unclear if obsolete) +- bring back mozilla-silence-no-return-type.patch and + run post-build-checks everywhere again +- requires NSS 3.69.1 + +------------------------------------------------------------------- +Tue Aug 31 00:33:39 UTC 2021 - Atri Bhattacharya <badshah400@gmail.com> + +- Add mozilla-bmo1708709.patch: On [wayland] popup can be wrongly + repositioned due to rounding errors when font scaling != 1 + (bmo#1708709); patch taken from upstream bug report and rebased + to apply cleanly against current version. + +------------------------------------------------------------------- +Sun Aug 29 14:45:29 UTC 2021 - Martin Liška <mliska@suse.cz> + +- Bump using with GCC (tested locally). + +------------------------------------------------------------------- +Fri Aug 27 22:47:48 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 91.0.2: + * Fixed: Firefox no longer clears authentication data when + purging trackers, to avoid repeatedly prompting for a + password (bmo#1721084) + +------------------------------------------------------------------- +Wed Aug 18 06:34:01 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 91.0.1 + * Fixed an issue causing buttons on the tab bar to be resized when + loading certain websites (bmo#1704404) + * Fixed an issue which caused tabs from private windows to be + visible in non-private windows when viewing switch-to-tab results + in the address bar panel (bmo#1720369) + * Various stability fixes + MFSA 2021-37 (bsc#1189547) + * CVE-2021-29991 (bmo#1724896) + Header Splitting possible with HTTP/3 Responses + +------------------------------------------------------------------- +Mon Aug 9 14:55:22 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 91.0 + MFSA 2021-33 (bsc#1188891) + * CVE-2021-29986 (bmo#1696138) + Race condition when resolving DNS names could have led to + memory corruption + * CVE-2021-29981 (bmo#1707774) + Live range splitting could have led to conflicting + assignments in the JIT + * CVE-2021-29988 (bmo#1717922) + Memory corruption as a result of incorrect style treatment + * CVE-2021-29983 (bmo#1719088) + Firefox for Android could get stuck in fullscreen mode + * CVE-2021-29984 (bmo#1720031) + Incorrect instruction reordering during JIT optimization + * CVE-2021-29980 (bmo#1722204) + Uninitialized memory in a canvas object could have led to + memory corruption + * CVE-2021-29987 (bmo#1716129) + Users could have been tricked into accepting unwanted + permissions on Linux + * CVE-2021-29985 (bmo#1722083) + Use-after-free media channels + * CVE-2021-29982 (bmo#1715318) + Single bit data leak due to incorrect JIT optimization and + type confusion + * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178, + bmo#1719998, bmo#1720568) + Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13 + * CVE-2021-29990 (bmo#1544190, bmo#1716481, bmo#1717778, + bmo#1719319, bmo#1722073) + Memory safety bugs fixed in Firefox 91 +- requires + * rustc/cargo >= 1.51 + * NSPR >= 4.32 + * NSS >= 3.68 +- force-disable webrender on BE platforms + +------------------------------------------------------------------- +Sat Jul 24 07:15:54 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 90.0.2: + * Changed: Updates to support DoH Canada rollout (bmo#1713036) + * Fixed: Fixed truncated output when printing (bmo#1720621) + * Fixed: Fixed menu styling on some Gtk themes (bmo#1720441, + bmo#1720874) + +------------------------------------------------------------------- +Mon Jul 19 20:08:56 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 90.0.1 (boo#1188480): + * Fixed: Fixed busy looping processing some HTTP3 responses + (bmo#1720079) + * Fixed: Fixed transient errors authenticating with some smart + cards (bmo#1715325) + * Fixed: Fixed a rare crash on shutdown (bmo#1707057) + * Fixed: Fixed a race on startup that caused about:support to + end up empty after upgrade (bmo#1717894, boo#1188330) + +------------------------------------------------------------------- +Sun Jul 11 08:53:02 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 90.0 + MFSA 2021-28 (bsc#1188275) + * CVE-2021-29970 (bmo#1709976) + Use-after-free in accessibility features of a document + * CVE-2021-29971 (bmo#1713638) + Granted permissions only compared host; omitting scheme and + port on Android + * CVE-2021-30547 (bmo#1715766) + Out of bounds write in ANGLE + * CVE-2021-29972 (bmo#1696816) + Use of out-of-date library included use-after-free + vulnerability + * CVE-2021-29973 (bmo#1701932) + Password autofill on HTTP websites was enabled without user + interaction on Android + * CVE-2021-29974 (bmo#1704843) + HSTS errors could be overridden when network partitioning was + enabled + * CVE-2021-29975 (bmo#1713259) + Text message could be overlaid on top of another website + * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, + bmo#1711576, bmo#1714391) + Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 + * CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316, + bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357, + bmo#1714066) + Memory safety bugs fixed in Firefox 90 +- requires + NSPR 4.31 + NSS 3.66 +- Gtk2 support removed (was only for Flash plugin before) + +------------------------------------------------------------------- +Wed Jun 23 16:54:20 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 89.0.2 (boo#1187648): + * Fix occasional hangs with Software WebRender on Linux (bmo#1708224) + +------------------------------------------------------------------- +Sat Jun 19 09:00:20 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 89.0.1 (boo#1187475): + * Updated translations, including full Spanish (Mexico) + localization and other improvements (bmo#1714946) + * Fix various font related regressions (bmo#1694174) + * Linux: Fix performance and stability regressions with + WebRender (bmo#1715895, bmo#1715902) + * Enterprise: Fix for the `DisableDeveloperTools` policy not + having effect anymore (bmo#1715777) + * Linux: Fix broken scrollbars on some GTK themes (bmo#1714103) + * Various stability fixes + +------------------------------------------------------------------- +Sat May 29 20:55:56 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 89.0 + * UI redesign + * The Event Timing API is now supported + * The CSS forced-colors media query is now supported + MFSA 2021-23 (bsc#1186696) + * CVE-2021-29965 (bmo#1709257) + Password Manager on Firefox for Android susceptible to domain + spoofing + * CVE-2021-29960 (bmo#1675965) + Filenames printed from private browsing mode incorrectly + retained in preferences + * CVE-2021-29961 (bmo#1700235) + Firefox UI spoof using `<select>` elements and CSS scaling + * CVE-2021-29963 (bmo#1705068) + Shared cookies for search suggestions in private browsing mode + * CVE-2021-29964 (bmo#1706501) + Out of bounds-read when parsing a `WM_COPYDATA` message + * CVE-2021-29959 (bmo#1395819) + Devices could be re-enabled without additional permission prompt + * CVE-2021-29962 (bmo#1701673) + No rate-limiting for popups on Firefox for Android + * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, + bmo#1704722, bmo#1706041) + Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 + * CVE-2021-29966 (bmo#1660307, bmo#1686154, bmo#1702948, bmo#1708124) + Memory safety bugs fixed in Firefox 89 +- require + NSS >= 3.64 + rust-cbindgen >= 0.19.0 +- do not rely on nodejs10 packagename anymore +- updated mozilla.keyring +- switched TW/x86_64 to clang as the last platform due to + https://bugs.gentoo.org/792705 +- but LTO with clang is broken in TW so disable LTO for it + https://bugs.llvm.org/show_bug.cgi?id=47872 + +------------------------------------------------------------------- +Thu May 6 13:40:10 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Relax RAM and disk constraints for aarch64 + +------------------------------------------------------------------- +Wed May 5 15:13:20 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 88.0.1 + * Fixed: Resolved an issue caused by a recent Widevine plugin + update which prevented some purchased video content from + playing correctly (bmo#1705138) + * Fixed: Fixed corruption of videos playing on Twitter or + WebRTC calls on some Gen6 Intel graphics chipsets + (bmo#1708937) + * Fixed: Fixed menulists in Preferences being unreadable for + users with High Contrast Mode enabled (bmo#1706496) + MFSA 2021-20 (bsc#1185633) + * CVE-2021-29952 (bmo#1704227) + Race condition in Web Render Components +- devel package: move macros to /usr/lib/rpm/macros.d (boo#1185658) + +------------------------------------------------------------------- +Sun May 2 12:03:26 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- add compatibility for libavcodec58_134 + +------------------------------------------------------------------- +Sun Apr 18 09:01:32 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 88.0 + * New: PDF forms now support JavaScript embedded in PDF files. + Some PDF forms use JavaScript for validation and other + interactive features + * New: Print updates: Margin units are now localized + * New: Smooth pinch-zooming using a touchpad is now supported + on Linux + * New: To protect against cross-site privacy leaks, Firefox now + isolates window.name data to the website that created it. + Learn more + * Changed: Firefox will not prompt for access to your + microphone or camera if you’ve already granted access to the + same device on the same site in the same tab within the past + 50 seconds. This new grace period reduces the number of times + you’re prompted to grant device access + * Changed: The ‘Take a Screenshot’ feature was removed from the + Page Actions menu in the url bar. To take a screenshot, + right-click to open the context menu. You can also add a + screenshots shortcut directly to your toolbar via the + Customize menu. Open the Firefox menu and select Customize… + * Changed: FTP support has been disabled, and its full removal + is planned for an upcoming release. Addressing this security + risk reduces the likelihood of an attack while also removing + support for a non-encrypted protocol + * Developer: Introduced a new toggle button in the Network + panel for switching between JSON formatted HTTP response and + raw data (as received over the wire). + !enter image description here + * Enterprise: Various bug fixes and new policies have been + implemented in the latest version of Firefox. You can see + more details in the Firefox for Enterprise 88 Release Notes. + * Fixed: Screen readers no longer incorrectly read content that + websites have visually hidden, as in the case of articles in + the Google Help panel + MFSA 2021-16 (bsc#1184960) + * CVE-2021-23994 (bmo#1699077) + Out of bound write due to lazy initialization + * CVE-2021-23995 (bmo#1699835) + Use-after-free in Responsive Design Mode + * CVE-2021-23996 (bmo#1701834) + Content rendered outside of webpage viewport + * CVE-2021-23997 (bmo#1701942) + Use-after-free when freeing fonts from cache + * CVE-2021-23998 (bmo#1667456) + Secure Lock icon could have been spoofed + * CVE-2021-23999 (bmo#1691153) + Blob URLs may have been granted additional privileges + * CVE-2021-24000 (bmo#1694698) + requestPointerLock() could be applied to a tab different from + the visible tab + * CVE-2021-24001 (bmo#1694727) + Testing code could have enabled session history manipulations + by a compromised content process + * CVE-2021-24002 (bmo#1702374) + Arbitrary FTP command execution on FTP servers using an + encoded URL + * CVE-2021-29945 (bmo#1700690) + Incorrect size computation in WebAssembly JIT could lead to + null-reads + * CVE-2021-29944 (bmo#1697604) + HTML injection vulnerability in Firefox for Android's Reader View + * CVE-2021-29946 (bmo#1698503) + Port blocking could be bypassed + * CVE-2021-29947 (bmo#1651449, bmo#1674142, bmo#1693476, + bmo#1696886, bmo#1700091) + Memory safety bugs fixed in Firefox 88 +- requires + * NSPR 4.30 + * NSS 3.63.1 +- align wayland support logic + +------------------------------------------------------------------- +Sat Mar 27 10:40:46 UTC 2021 - Manfred Hollstein <manfred.h@gmx.net> + +- Switch to clang_build globally; just on TW/x86_64 it does not work + due to unreolved externals `__rust_probestack' - disable clang_build + then. +- useccache: Add conditionals to enable/disable ccache. + +------------------------------------------------------------------- +Tue Mar 23 16:42:19 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 87.0 + * requires NSS 3.62 + * removed obsolete BigEndian ICU build workaround + * rebased patches + MFSA 2021-10 (bsc#1183942) + * CVE-2021-23981 (bmo#1692832) + Texture upload into an unbound backing buffer resulted in an + out-of-bound read + * CVE-2021-23982 (bmo#1677046) + Internal network hosts could have been probed by a malicious + webpage + * CVE-2021-23983 (bmo#1692684) + Transitions for invalid ::marker properties resulted in memory + corruption + * CVE-2021-23984 (bmo#1693664) + Malicious extensions could have spoofed popup information + * CVE-2021-23985 (bmo#1659129) + Devtools remote debugging feature could have been enabled + without indication to the user + * CVE-2021-23986 (bmo#1692623) + A malicious extension could have performed credential-less + same origin policy violations + * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, + bmo#1690718) + Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 + * CVE-2021-23988 (bmo#1684994, bmo#1686653) + Memory safety bugs fixed in Firefox 87 + +------------------------------------------------------------------- +Tue Mar 16 14:26:35 UTC 2021 - Martin Liška <mliska@suse.cz> + +- Set memory limits for DWZ to 4x. + +------------------------------------------------------------------- +Sat Mar 13 08:23:06 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 86.0.1 + * Fixed: Fixed an issue on Apple Silicon machines that caused + Firefox to be unresponsive after system sleep (bmo#1682713) + * Fixed: Fixed an issue causing windows to gain or lose focus + unexpectedly (bmo#1694927) + * Fixed: Fixed truncation of date and time widgets due to + incorrect width calculation (bmo#1695578) + * Fixed: Fixed an issue causing unexpected behavior with + extensions managing tab groups (bmo#1694699) + * Fixed: Fixed a frequent Linux crash on browser launch + (bmo#1694670) + +------------------------------------------------------------------- +Sun Feb 21 18:14:12 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 86.0 + * requires NSS >= 3.61 + * requires rust-cbindgen >= 0.16.0 + * Firefox now supports simultaneously watching multiple videos in + Picture-in-Picture. + * Total Cookie Protection to Strict Mode + * https://www.mozilla.org/en-US/firefox/86.0/releasenotes + MSFA 2021-07 (bsc#1182614) + * CVE-2021-23969 (bmo#1542194) + Content Security Policy violation report could have contained + the destination of a redirect + * CVE-2021-23970 (bmo#1681724) + Multithreaded WASM triggered assertions validating separation + of script domains + * CVE-2021-23968 (bmo#1687342) + Content Security Policy violation report could have contained + the destination of a redirect + * CVE-2021-23974 (bmo#1528997, bmo#1683627) + noscript elements could have led to an HTML Sanitizer bypass + * CVE-2021-23971 (bmo#1678545) + A website's Referrer-Policy could have been be overridden, + potentially resulting in the full URL being sent as a Referrer + * CVE-2021-23976 (bmo#1684627) + Local spoofing of web manifests for arbitrary pages in + Firefox for Android + * CVE-2021-23977 (bmo#1684761) + Malicious application could read sensitive data from Firefox + for Android's application directories + * CVE-2021-23972 (bmo#1683536) + HTTP Auth phishing warning was omitted when a redirect is + cached + * CVE-2021-23975 (bmo#1685145) + about:memory Measure function caused an incorrect pointer + operation + * CVE-2021-23973 (bmo#1690976) + MediaError message property could have leaked information + about cross-origin resources + * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597, bmo#786797) + Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 + * CVE-2021-23979 (bmo#1663222, bmo#1666607, bmo#1672120, bmo#1678463, + bmo#1678927, bmo#1679560, bmo#1681297, bmo#1681684, bmo#1683490, + bmo#1684377, bmo#1684902) + Memory safety bugs fixed in Firefox 86 +- updated create-tar.sh (bsc#1182357) +- removed obsolete mozilla-bmo1554971.patch +- remove buildsymbols subpackage + * we haven't done anything with it for years + * mozilla is collecting those from our debuginfo packages + * would require a local dump_syms tool + +------------------------------------------------------------------- +Wed Feb 17 18:40:41 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 85.0.2 + * Fixed: Fixed a deadlock during startup (bmo#1679933) + +------------------------------------------------------------------- +Wed Feb 17 11:19:01 UTC 2021 - Michel Normand <normand@linux.vnet.ibm.com> + +- Use %limit_build macros for PowerPC to avoid oom build failure + +------------------------------------------------------------------- +Tue Feb 9 09:05:26 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 85.0.1 + MFSA 2021-06 (bsc#1181848) + * MOZ-2021-0001 (bmo#1676636) + Buffer overflow in depth pitch calculations for compressed + textures + * Fixed: Avoid printing an extra blank page at the end of some + documents (bmo#1689789). + * Fixed: Fixed a browser crash in case of unexpected Cache API + state (bmo#1684838). + +------------------------------------------------------------------- +Sun Jan 24 11:53:58 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 85.0 + * Adobe Flash is completely history + * supercookie protection + * new bookmark handling and features + MFSA 2021-03 (bsc#1181414) + * CVE-2021-23953 (bmo#1683940) + Cross-origin information leakage via redirected PDF requests + * CVE-2021-23954 (bmo#1684020) + Type confusion when using logical assignment operators in + JavaScript switch statements + * CVE-2021-23955 (bmo#1684837) + Clickjacking across tabs through misusing requestPointerLock + * CVE-2021-23956 (bmo#1338637) + File picker dialog could have been used to disclose a + complete directory + * CVE-2021-23957 (bmo#1584582) + Iframe sandbox could have been bypassed on Android via the + intent URL scheme + * CVE-2021-23958 (bmo#1642747) + Screen sharing permission leaked across tabs + * CVE-2021-23959 (bmo#1659035) + Cross-Site Scripting in error pages on Firefox for Android + * CVE-2021-23960 (bmo#1675755) + Use-after-poison for incorrectly redeclared JavaScript + variables during GC + * CVE-2021-23961 (bmo#1677940) + More internal network hosts could have been probed by a + malicious webpage + * CVE-2021-23962 (bmo#1677194) + Use-after-poison in + <code>nsTreeBodyFrame::RowCountChanged</code> + * CVE-2021-23963 (bmo#1680793) + Permission prompt inaccessible after asking for additional + permissions + * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278, + bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590, + bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938, + bmo#1683736, bmo#1685260, bmo#1685925) + Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7 + * CVE-2021-23965 (bmo#1670378, bmo#1673555, bmo#1676812, bmo#1678582, + bmo#1684497) + Memory safety bugs fixed in Firefox 85 +- requires NSS 3.60.1 +- requires rust 1.47 +- remove obsolete mozilla-pipewire-0-3.patch + +------------------------------------------------------------------- +Mon Jan 11 18:02:01 UTC 2021 - Matthias Mailänder <mailaender@opensuse.org> + +- Fix AppStream screenshot links + +------------------------------------------------------------------- +Thu Jan 7 17:11:43 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 84.0.2 + MFSA 2021-01 (bsc#1180623) + * CVE-2020-16044 (bmo#1683964) + Use-after-free write when handling a malicious COOKIE-ECHO + SCTP chunk + +------------------------------------------------------------------- +Sun Dec 27 09:52:50 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 84.0.1 + * Fixed problems loading secure websites and crashes for users + with certain third-party PKCS11 modules and smartcards installed + (bmo#1682881) (fixed in NSS 3.59.1) + * Fixed a bug causing some Unity JS games to not load on Apple + Silicon devices due to improper detection of the OS version + (bmo#1680516) +- requires NSS 3.59.1 + +------------------------------------------------------------------- +Sun Dec 13 18:18:58 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 84.0 + * Firefox 84 is the final release to support Adobe Flash + * WebRender is enabled by default when run on GNOME-based X11 + Linux desktops + MFSA 2020-54 (bsc#1180039)) + * CVE-2020-16042 (bmo#1679003) + Operations on a BigInt could have caused uninitialized memory + to be exposed + * CVE-2020-26971 (bmo#1663466) + Heap buffer overflow in WebGL + * CVE-2020-26972 (bmo#1671382) + Use-After-Free in WebGL + * CVE-2020-26973 (bmo#1680084) + CSS Sanitizer performed incorrect sanitization + * CVE-2020-26974 (bmo#1681022) + Incorrect cast of StyleGenericFlexBasis resulted in a heap + use-after-free + * CVE-2020-26975 (bmo#1661071) + Malicious applications on Android could have induced Firefox + for Android into sending arbitrary attacker-specified headers + * CVE-2020-26976 (bmo#1674343) + HTTPS pages could have been intercepted by a registered + service worker when they should not have been + * CVE-2020-26977 (bmo#1676311) + URL spoofing via unresponsive port in Firefox for Android + * CVE-2020-26978 (bmo#1677047) + Internal network hosts could have been probed by a malicious + webpage + * CVE-2020-26979 (bmo#1641287, bmo#1673299) + When entering an address in the address or search bars, a + website could have redirected the user before they were + navigated to the intended url + * CVE-2020-35111 (bmo#1657916) + The proxy.onRequest API did not catch view-source URLs + * CVE-2020-35112 (bmo#1661365) + Opening an extension-less download may have inadvertently + launched an executable instead + * CVE-2020-35113 (bmo#1664831, bmo#1673589) + Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6 + * CVE-2020-35114 (bmo#1607449, bmo#1640416, bmo#1656459, + bmo#1669914, bmo#1673567) + Memory safety bugs fixed in Firefox 84 +- requires + NSS >= 3.59 + rust >= 1.44 + rust-cbindgen >= 0.15.0 +- remove revert-795c8762b16b.patch and replace with mozilla-pgo.patch + +------------------------------------------------------------------- +Sat Nov 21 08:12:17 UTC 2020 - Kirill Kirillov <kkirill@opensuse.org> + +- Add/Enable GNOME search provider + +------------------------------------------------------------------- +Sun Nov 15 12:16:53 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 83.0 + * major update for SpiderMonkey improving performance significantly + * optional HTTPS-Only mode + * more improvements + https://www.mozilla.org/en-US/firefox/83.0/releasenotes/ + MFSA 2020-50 (bsc#1178824)) + * CVE-2020-26951 (bmo#1667113) + Parsing mismatches could confuse and bypass security + sanitizer for chrome privileged code + * CVE-2020-26952 (bmo#1667685) + Out of memory handling of JITed, inlined functions could lead + to a memory corruption + * CVE-2020-16012 (bmo#1642028) + Variable time processing of cross-origin images during + drawImage calls + * CVE-2020-26953 (bmo#1656741) + Fullscreen could be enabled without displaying the security UI + * CVE-2020-26954 (bmo#1657026) + Local spoofing of web manifests for arbitrary pages in + Firefox for Android + * CVE-2020-26955 (bmo#1663261) + Cookies set during file downloads are shared between normal + and Private Browsing Mode in Firefox for Android + * CVE-2020-26956 (bmo#1666300) + XSS through paste (manual and clipboard API) + * CVE-2020-26957 (bmo#1667179) + OneCRL was not working in Firefox for Android + * CVE-2020-26958 (bmo#1669355) + Requests intercepted through ServiceWorkers lacked MIME type + restrictions + * CVE-2020-26959 (bmo#1669466) + Use-after-free in WebRequestService + * CVE-2020-26960 (bmo#1670358) + Potential use-after-free in uses of nsTArray + * CVE-2020-15999 (bmo#1672223) + Heap buffer overflow in freetype + * CVE-2020-26961 (bmo#1672528) + DoH did not filter IPv4 mapped IP Addresses + * CVE-2020-26962 (bmo#610997) + Cross-origin iframes supported login autofill + * CVE-2020-26963 (bmo#1314912) + History and Location interfaces could have been used to hang + the browser + * CVE-2020-26964 (bmo#1658865) + Firefox for Android's Remote Debugging via USB could have + been abused by untrusted apps on older versions of Android + * CVE-2020-26965 (bmo#1661617) + Software keyboards may have remembered typed passwords + * CVE-2020-26966 (bmo#1663571) + Single-word search queries were also broadcast to local + network + * CVE-2020-26967 (bmo#1665820) + Mutation Observers could break or confuse Firefox Screenshots + feature + * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, + bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, + bmo#1671923) + Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5 + * CVE-2020-26969 (bmo#1623920, bmo#1651705, bmo#1667872, + bmo#1668876) + Memory safety bugs fixed in Firefox 83 +- requires + NSS >= 3.58 + nodejs >= 10.22.1 +- removed obsolete mozilla-ppc-altivec_static_inline.patch +- disable LTO on TW because of ICEs in gcc + +------------------------------------------------------------------- +Mon Nov 9 10:15:52 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 82.0.3 + MSFA 2020-49 + * CVE-2020-26950 (bmo#1675905) + Write side effects in MCallGetProperty opcode not accounted for + +------------------------------------------------------------------- +Mon Nov 2 09:00:13 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 82.0.2 + * few bugfixes for introduced regressions + +------------------------------------------------------------------- +Sun Nov 1 20:15:17 UTC 2020 - Kirill Kirillov <kkirill@opensuse.org> + +- Enable GNOME search provider + +------------------------------------------------------------------- +Thu Oct 15 20:44:47 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 82.0 + * https://www.mozilla.org/en-US/firefox/82.0/releasenotes/ + MFSA 2020-45 (bsc#1177872) + * CVE-2020-15969 (bmo#1666570) + Use-after-free in usersctp + * CVE-2020-15254 (bmo#1668514) + Undefined behavior in bounded channel of crossbeam rust crate + * CVE-2020-15680 (bmo#1658881) + Presence of external protocol handlers could be determined + through image tags + * CVE-2020-15681 (bmo#1666568) + Multiple WASM threads may have overwritten each others' stub + table entries + * CVE-2020-15682 (bmo#1636654) + The domain associated with the prompt to open an external + protocol could be spoofed to display the incorrect origin + * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, + bmo#1662760, bmo#1663439, bmo#1666140) + Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4 + * CVE-2020-15684 (bmo#1653764, bmo#1661402, bmo#1662259, + bmo#1664257) + Memory safety bugs fixed in Firefox 82 +- requires + * NSPR 4.29 + * NSS 3.57 + +------------------------------------------------------------------- +Thu Oct 1 20:00:27 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 81.0.1 + * https://www.mozilla.org/en-US/firefox/81.0.1/releasenotes/ +- remove obsolete python2 build requires + +------------------------------------------------------------------- +Wed Sep 30 18:49:10 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Increase disk requirements in _constraints to match current needs + +------------------------------------------------------------------- +Fri Sep 18 06:22:40 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 81.0 + * https://www.mozilla.org/en-US/firefox/81.0/releasenotes + MFSA 2020-42 (bsc#1176756) + * CVE-2020-15675 (bmo#1654211) + Use-After-Free in WebGL + * CVE-2020-15677 (bmo#1641487) + Download origin spoofing via redirect + * CVE-2020-15676 (bmo#1646140) + XSS when pasting attacker-controlled data into a + contenteditable element + * CVE-2020-15678 (bmo#1660211) + When recursing through layers while scrolling, an iterator + may have become invalid, resulting in a potential use-after- + free scenario + * CVE-2020-15673 (bmo#1648493, bmo#1660800) + Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3 + * CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293) + Memory safety bugs fixed in Firefox 81 +- requires + NSPR 4.28 + NSS 3.56 +- removed obsolete patches + * mozilla-system-nspr.patch + * mozilla-bmo1661715.patch + * mozilla-silence-no-return-type.patch +- skip post-build-checks for 15.0 and 15.1 +- add revert-795c8762b16b.patch to fix LTO builds with gcc + (related to bmo#1644409) +- require python3-curses as workaround to fix i586 build + +------------------------------------------------------------------- +Thu Sep 17 11:45:31 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Use %limit_build macro again for aarch64 and armv7, instead of + the new memoryperjob _constraints to use more workers + +------------------------------------------------------------------- +Sat Sep 5 17:43:26 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- add mozilla-bmo1661715.patch to fix Flash plugin + +------------------------------------------------------------------- +Wed Sep 2 17:11:19 UTC 2020 - Manfred Hollstein <manfred.h@gmx.net> + +- Mozilla Firefox 80.0.1: Bug fixes: + * Fixed a performance regression when encountering new intermediate + CA certificates (bmo#1661543) + * Fixed crashes possibly related to GPU resets (bmo#1627616) + * Fixed rendering on some sites using WebGL (bmo#1659225) + * Fixed the zoom-in keyboard shortcut on Japanese language builds + (bmo#1661895) + * Fixed download issues related to extensions and cookies + (bmo#1655190) +- added mozilla-silence-no-return-type.patch + +------------------------------------------------------------------- +Tue Aug 25 19:30:15 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- more whitelisting (/dev/random) for sandbox in relation to FIPS + (bsc#1174284) +- improve langpack builds to use dedicated objdirs and make it + parallel again + +------------------------------------------------------------------- +Sat Aug 22 06:52:01 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 80.0 + MFSA 2020-36 (bsc#1175686) + * CVE-2020-15663 (bmo#1643199) + Downgrade attack on the Mozilla Maintenance Service could + have resulted in escalation of privilege + * CVE-2020-15664 (bmo#1658214) + Attacker-induced prompt for extension installation + * CVE-2020-12401 (bmo#1631573) + Timing-attack on ECDSA signature generation + * CVE-2020-6829 (bmo#1631583) + P-384 and P-521 vulnerable to an electro-magnetic side + channel attack on signature generation + * CVE-2020-12400 (bmo#1623116) + P-384 and P-521 vulnerable to a side channel attack on + modular inversion + * CVE-2020-15665 (bmo#1651636) + Address bar not reset when choosing to stay on a page after + the beforeunload dialog is shown + * CVE-2020-15666 (bmo#1450853) + MediaError message property leaks cross-origin response + status + * CVE-2020-15667 (bmo#1653371) + Heap overflow when processing an update file + * CVE-2020-15668 (bmo#1651520) + Data Race when reading certificate information + * CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626, + bmo#1656957) + Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2 +- requires + * NSPR 4.27 + * NSS 3.55 +- added mozilla-system-nspr.patch (bmo#1661096) +- exclude ga-IE locale as it's failing to build +- rollback parallelize locale build because it breaks bookmarks + (boo#1167976) +- preserve original default bookmark file during langpack build + (boo#1167976) +- add some ccache output during build + +------------------------------------------------------------------- +Thu Aug 20 13:07:33 UTC 2020 - Martin Liška <mliska@suse.cz> + +- Use new memoryperjob _constraints instead of %limit_build macro. + +------------------------------------------------------------------- +Mon Aug 10 09:19:38 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- use ccache for build +- replace versioned RPM deps with requires_ge +- parallelize locale build + +------------------------------------------------------------------- +Thu Aug 6 14:37:16 UTC 2020 - Yunhe Guo <i@guoyunhe.me> + +- Change *.appdata.xml location to latest AppStream standard + +------------------------------------------------------------------- +Thu Jul 23 21:00:34 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 79.0 + MFSA 2020-30 (bsc#1174538) + * CVE-2020-15652 (bmo#1634872) + Potential leak of redirect targets when loading scripts in a worker + * CVE-2020-6514 (bmo#1642792) + WebRTC data channel leaks internal address to peer + * CVE-2020-15655 (bmo#1645204) + Extension APIs could be used to bypass Same-Origin Policy + * CVE-2020-15653 (bmo#1521542) + Bypassing iframe sandbox when allowing popups + * CVE-2020-6463 (bmo#1635293) + Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture + * CVE-2020-15656 (bmo#1647293) + Type confusion for special arguments in IonMonkey + * CVE-2020-15658 (bmo#1637745) + Overriding file type when saving to disk + * CVE-2020-15657 (bmo#1644954) + DLL hijacking due to incorrect loading path + * CVE-2020-15654 (bmo#1648333) + Custom cursor can overlay user interface + * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1638856, + bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646220, + bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678) + Memory safety bugs fixed in Firefox 79 +- updated dependency requirements: + * mozilla-nspr >= 4.26 + * mozilla-nss >= 3.54 + * rust >= 1.43 + * rust-cbindgen >= 0.14.3 +- removed obsolete patch + mozilla-bmo1463035.patch + +------------------------------------------------------------------- +Tue Jul 21 21:31:20 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- fixed syntax issue in desktop file (boo#1174360) + +------------------------------------------------------------------- +Fri Jul 17 15:07:45 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Add mozilla-libavcodec58_91.patch to link against updated + soversion of libavcodec (58.91) with ffmpeg >= 4.3. + (patch provided by Atri Bhattacharya <badshah400@gmail.com> +- enable MOZ_USE_XINPUT2 for TW (again) (boo#1173320) + (Plasma 5.19.3 is now in TW) + +------------------------------------------------------------------- +Sat Jul 11 11:08:06 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 78.0.2 + * Fixed an accessibility regression in reader mode (bmo#1650922) + * Made the address bar more resilient to data corruption in the + user profile (bmo#1649981) + * Fixed a regression opening certain external applications (bmo#1650162) + MFSA 2020-28 + * CVE pending (bmo#1644076) + X-Frame-Options bypass using object or embed tags +- added desktop file actions +- do not use XINPUT2 for the moment until Plasma 5.19.3 has landed + (boo#1173993) +- rework langpack integration (boo#1173991) + * ship XPIs instead of directories + * allow addon sideloading + * mark signatures for langpacks non-mandatory + * do not autodisable user profile scopes +- Google API key is not usable for geolocation service +- fix pipewire support for TW (boo#1172903) + +------------------------------------------------------------------- +Wed Jul 1 07:15:02 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 78.0.1 + * Fixed an issue which could cause installed search engines to not + be visible when upgrading from a previous release. +- enable MOZ_USE_XINPUT2 for TW (boo#1173320) + +------------------------------------------------------------------- +Sun Jun 28 07:17:13 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 78.0 + * startup notifications now using Gtk instead of libnotify + * PDF downloads now show an option to open the PDF directly in Firefox + * Protections Dashboard (about:protections) + * WebRTC not interrupted by screensaver anymore + * disabled TLS 1.0 and 1.1 by default + MFSA 2020-24 (bsc#1173576) + * CVE-2020-12415 (bmo#1586630) + AppCache manifest poisoning due to url encoded character processing + * CVE-2020-12416 (bmo#1639734) + Use-after-free in WebRTC VideoBroadcaster + * CVE-2020-12417 (bmo#1640737) + Memory corruption due to missing sign-extension for ValueTags + on ARM64 + * CVE-2020-12418 (bmo#1641303) + Information disclosure due to manipulated URL object + * CVE-2020-12419 (bmo#1643874) + Use-after-free in nsGlobalWindowInner + * CVE-2020-12420 (bmo#1643437) + Use-After-Free when trying to connect to a STUN server + * CVE-2020-12402 (bmo#1631597) + RSA Key Generation vulnerable to side-channel attack + * CVE-2020-12421 (bmo#1308251) + Add-On updates did not respect the same certificate trust + rules as software updates + * CVE-2020-12422 (bmo#1450353) + Integer overflow in nsJPEGEncoder::emptyOutputBuffer + * CVE-2020-12423 (bmo#1642400) + DLL Hijacking due to searching %PATH% for a library + * CVE-2020-12424 (bmo#1562600) + WebRTC permission prompt could have been bypassed by a + compromised content process + * CVE-2020-12425 (bmo#1634738) + Out of bound read in Date.parse() + * CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187, bmo#1637682) + Memory safety bugs fixed in Firefox 78 +- requires + * NSS >= 3.53.1 + * nodejs >= 10.21 + * Gtk+3 >= 3.14 +- removed obsolete patches + * mozilla-s390-bigendian.patch + * mozilla-bmo1634646.patch +- Add mozilla-pipewire-0-3.patch for openSUSE >= 15.2 to build + WebRTC with pipewire support to enable screen sharing under + Wayland; also add BuildRequires: pkgconfig(libpipewire-0.3) + appropriately (boo#1172903). +- adding SLE12 compatibility in spec file +- add patches for s390x + * mozilla-bmo1602730.patch (bmo#1602730) + * mozilla-bmo1626236.patch (bmo#1626236) + * mozilla-bmo998749.patch (bmo#998749) + * mozilla-s390x-skia-gradient.patch +- update create-tar.sh +- Use same _constraints for ppc64 (BE) as ppc64le to avoid oom build failure + +------------------------------------------------------------------- +Wed Jun 10 07:17:15 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Exclude armv6, since it is unbuildable since about 3 years + +------------------------------------------------------------------- +Wed Jun 3 21:39:11 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 77.0.1 + * Disable automatic selection of DNS over HTTPS providers during + a test to enable wider deployment in a more controlled way + (bmo#1642723) + +------------------------------------------------------------------- +Fri May 29 11:49:36 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 77.0 + * view and manage web certificates more easily on the new + about:certificate page + * improvements in accessibility + * significant improvements to JavaScript debugging + MFSA 2020-20 (bsc#1172402) + * CVE-2020-12399 (bmo#1631576) + Timing attack on DSA signatures in NSS library + (fixed with external NSS >= 3.52.1) + * CVE-2020-12405 (bmo#1631618) + Use-after-free in SharedWorkerService + * CVE-2020-12406 (bmo#1639590) + JavaScript type confusion with NativeTypes + * CVE-2020-12407 (bmo#1637112) + WebRender leaking GPU memory when using border-image CSS + directive + * CVE-2020-12408 (bmo#1623888) + URL spoofing when using IP addresses + * CVE-2020-12409 (bmo#1619305, bmo#1632717) + Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9 + * CVE-2020-12411 (bmo#1620972, bmo#1625333) + Memory safety bugs fixed in Firefox 77 +- requires + * NSS >= 3.52.1 + * rust-cbindgen >= 1.14.1 + * clang >= 5 +- added mozilla-bmo1634646.patch as part of fixing PGO build + (still not working) + +------------------------------------------------------------------- +Wed May 13 12:21:13 UTC 2020 - Michel Normand <normand@linux.vnet.ibm.com> + +- change again _constraints for ppc64le use <physicalmemory> + and increase limit_build in spec file to reduce max_jobs. + +------------------------------------------------------------------- +Sat May 9 11:45:39 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 76.0.1 + * Fixed a bug causing some add-ons such as Amazon Assistant to see + multiple onConnect events, impairing functionality (bmo#1635637) + +------------------------------------------------------------------- +Fri May 1 11:59:58 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 76.0 + * Lockwise improvements + * Improvements in Picture-in-Picture feature + * Support Audio Worklets + MFSA-2020-16 (bsc#1171186) + * CVE-2020-12387 (bmo#1545345) + Use-after-free during worker shutdown + * CVE-2020-12388 (bmo#1618911) + Sandbox escape with improperly guarded Access Tokens + * CVE-2020-12389 (bmo#1554110) + Sandbox escape with improperly separated process types + * CVE-2020-6831 (bmo#1632241) + Buffer overflow in SCTP chunk input validation + * CVE-2020-12390 (bmo#1141959) + Incorrect serialization of nsIPrincipal.origin for IPv6 addresses + * CVE-2020-12391 (bmo#1457100) + Content-Security-Policy bypass using object elements + * CVE-2020-12392 (bmo#1614468) + Arbitrary local file access with 'Copy as cURL' + * CVE-2020-12393 (bmo#1615471) + Devtools' 'Copy as cURL' feature did not fully escape + website-controlled data, potentially leading to command injection + * CVE-2020-12394 (bmo#1628288) + URL spoofing in location bar when unfocussed + * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, + bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) + Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8 + * CVE-2020-12396 (bmo#1339601, bmo#1611938, bmo#1620488, + bmo#1622291, bmo#1627644) + Memory safety bugs fixed in Firefox 76 +- requires + * NSS >= 3.51.1 + * nasm >= 2.14 +- removed obsolete patch mozilla-bmo1622013.patch +- fix URI creation for KDE file selector integration (boo#1160331) + +------------------------------------------------------------------- +Tue Apr 7 12:18:27 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 75.0 + * https://www.mozilla.org/en-US/firefox/75.0/releasenotes + MFSA 2020-12 (bsc#1168874) + * CVE-2020-6821 (bmo#1625404) + Uninitialized memory could be read when using the WebGL + copyTexSubImage method + * CVE-2020-6822 (bmo#1544181) + Out of bounds write in GMPDecodeData when processing large images + * CVE-2020-6823 (bmo#1614919) + Malicious Extension could obtain auth codes from OAuth login flows + * CVE-2020-6824 (bmo#1621853) + Generated passwords may be identical on the same site between + separate private browsing sessions + * CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203) + Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7 + * CVE-2020-6826 (bmo#1613009,bmo#1613195,bmo#1616734,bmo#1617488, + bmo#1619229,bmo#1620719,bmo#1624897) + Memory safety bugs fixed in Firefox 75 +- removed obsolete patch + mozilla-bmo1609538.patch +- requires + * rust >= 1.41 + * rust-cbindgen >= 0.13.1 + * mozilla-nss >= 3.51 + * nodejs10 >= 10.19 +- fix build issue in libvpx for i586 via mozilla-bmo1622013.patch + +------------------------------------------------------------------- +Mon Apr 6 11:19:24 UTC 2020 - Michel Normand <normand@linux.vnet.ibm.com> + +- increase _constraints memory for ppc64le + +------------------------------------------------------------------- +Fri Apr 3 15:23:28 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 74.0.1 + MFSA 2020-11 (boo#1168630) + * CVE-2020-6819 (bmo#1620818) + Use-after-free while running the nsDocShell destructor + * CVE-2020-6820 (bmo#1626728) + Use-after-free when handling a ReadableStream + +------------------------------------------------------------------- +Wed Mar 25 07:30:39 UTC 2020 - Marcus Meissner <meissner@suse.com> + +- mozilla-sandbox-fips.patch: allow /proc/sys/crypto/fips_enabled + to be read, as openssl 1.1.1 FIPS aborts if it cannot access it + (bsc#1167132) + +------------------------------------------------------------------- +Sat Mar 7 08:51:06 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 74.0 + * https://www.mozilla.org/en-US/firefox/74.0/releasenotes/ + MFSA 2020-08 (bsc#1166238) + * CVE-2020-6805 (bmo#1610880) + Use-after-free when removing data about origins + * CVE-2020-6806 (bmo#1612308) + BodyStream::OnInputStreamReady was missing protections against + state confusion + * CVE-2020-6807 (bmo#1614971) + Use-after-free in cubeb during stream destruction + * CVE-2020-6808 (bmo#1247968) + URL Spoofing via javascript: URL + * CVE-2020-6809 (bmo#1420296) + Web Extensions with the all-urls permission could access local + files + * CVE-2020-6810 (bmo#1432856) + Focusing a popup while in fullscreen could have obscured the + fullscreen notification + * CVE-2020-6811 (bmo#1607742) + Devtools' 'Copy as cURL' feature did not fully escape + website-controlled data, potentially leading to command injection + * CVE-2019-20503 (bmo#1613765) + Out of bounds reads in sctp_load_addresses_from_init + * CVE-2020-6812 (bmo#1616661) + The names of AirPods with personally identifiable information + were exposed to websites with camera or microphone permission + * CVE-2020-6813 (bmo#1605814) + @import statements in CSS could bypass the Content Security + Policy nonce feature + * CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636, + bmo#1614339) + Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6 + * CVE-2020-6815 (bmo#1181957,bmo#1557732,bmo#1557739,bmo#1611457, + bmo#1612431) + Memory and script safety bugs fixed in Firefox 74 +- requires + * NSPR 4.25 + * NSS 3.50 + * rust-cbindgen 0.13.0 +- removed obsolete patches + mozilla-bmo1610814.patch + mozilla-cubeb-noreturn.patch +- add mozilla-bmo1609538.patch to fix wayland issues with mutter 3.36 + (bmo#1609538, boo#1166471) + +------------------------------------------------------------------- +Wed Feb 26 08:12:00 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- big endian fixes + +------------------------------------------------------------------- +Tue Feb 25 14:17:00 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Fix build on aarch64/armv7 with: + * mozilla-bmo1610814.patch (boo#1164845, bmo#1610814) + +------------------------------------------------------------------- +Thu Feb 20 13:40:59 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 73.0.1 + * Resolved problems connecting to the RBC Royal Bank website + (bmo#1613943) + * Fixed Firefox unexpectedly exiting when leaving Print Preview mode + (bmo#1611133) + * Fixed crashes when playing encrypted content on some Linux systems + (bmo#1614535, boo#1164646) +- start in wayland mode when running under wayland session + +------------------------------------------------------------------- +Sun Feb 9 07:45:00 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 73.0 + * Added support for setting a default zoom level applicable for all + web content + * High-contrast mode has been updated to allow background images + * Improved audio quality when playing back audio at a faster or + slower speed + * Added NextDNS as alternative option for DNS over HTTPS + MFSA 2020-05 (bsc#1163368) + * CVE-2020-6796 (bmo#1610426) + Missing bounds check on shared memory read in the parent process + * CVE-2020-6797 (bmo#1596668) (MacOS X only) + Extensions granted downloads.open permission could open arbitrary + applications on Mac OSX + * CVE-2020-6798 (bmo#1602944) + Incorrect parsing of template tag could result in JavaScript injection + * CVE-2020-6799 (bmo#1606596) (Windows only) + Arbitrary code execution when opening pdf links from other + applications, when Firefox is configured as default pdf reader + * CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851, + bmo#1608580,bmo#1608785,bmo#1605777) + Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 + * CVE-2020-6801 (bmo#1601024,bmo#1601712,bmo#1604836,bmo#1606492) + Memory safety bugs fixed in Firefox 73 +- updated requirements + * rust >= 1.39 + * NSS >= 3.49.2 + * rust-cbindgen >= 0.12.0 +- rebased patches +- removed obsolete patch + * mozilla-bmo1601707.patch +- switched to cairo-gtk3-wayland build + (to fully enable wayland MOZ_ENABLE_WAYLAND=1 needs to be set) +- disabled elfhack due to failing packager + https://github.com/openSUSE/firefox-maintenance/issues/28 +- disabled PGO due to build failure + https://github.com/openSUSE/firefox-maintenance/issues/29 + +------------------------------------------------------------------- +Tue Jan 28 07:30:16 UTC 2020 - Stasiek Michalski <stasiek@michalski.cc> + +- Use a symbolic icon from branding internals +- Pixmaps no longer required for the desktops + +------------------------------------------------------------------- +Wed Jan 22 10:30:21 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 72.0.2 + * Various stability fixes + * Fixed issues opening files with spaces in their path (bmo#1601905) + * Fixed a hang opening about:logins when a master password is set + (bmo#1606992) + * Fixed a web compatibility issue with CSS Shadow Parts which + shipped in Firefox 72 (bmo#1604989) + * Fixed inconsistent playback performance for fullscreen 1080p + videos on some systems (bmo#1608485) + +------------------------------------------------------------------- +Tue Jan 21 12:59:54 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Fix build for aarch64/ppc64le (do not update config.sub file + for libbacktrace) + +------------------------------------------------------------------- +Wed Jan 8 08:19:12 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 72.0.1 + MFSA 2020-03 (bsc#1160498) + * CVE-2019-17026 (bmo#1607443) + IonMonkey type confusion with StoreElementHole and FallibleStoreElement +- Mozilla Firefox 72.0 + * block fingerprinting scripts by default + * new notification pop-ups + * Picture-in-picture video + MFSA 2020-01 (bsc#1160305) + * CVE-2019-17016 (bmo#1599181) + Bypass of @namespace CSS sanitization during pasting + * CVE-2019-17017 (bmo#1603055) + Type Confusion in XPCVariant.cpp + * CVE-2019-17020 (bmo#1597645) + Content Security Policy not applied to XSL stylesheets applied + to XML documents + * CVE-2019-17022 (bmo#1602843) + CSS sanitization does not escape HTML tags + * CVE-2019-17023 (bmo#1590001) (fixed in NSS FIXME) + NSS may negotiate TLS 1.2 or below after a TLS 1.3 + HelloRetryRequest had been sent + * CVE-2019-17024 (bmo#1507180,bmo#1595470,bmo#1598605,bmo#1601826) + Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 + * CVE-2019-17025 (bmo#1328295,bmo#1328300,bmo#1590447,bmo#1590965 + bmo#1595692,bmo#1597321,bmo#1597481) + Memory safety bugs fixed in Firefox 72 +- update create-tar.sh to skip compare-locales +- requires NSPR 4.24 and NSS 3.48 +- removed usage of browser-plugins convention for NPAPI plugins + from start wrapper and changed the RPM macro to the + /usr/$LIB/mozilla/plugins location (boo#1160302) + +------------------------------------------------------------------- +Mon Dec 2 08:24:05 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 71.0 + * Improvements to Lockwise, our integrated password manager + * More information about Enhanced Tracking Protection in action + * Native MP3 decoding on Windows, Linux, and macOS + * Configuration page (about:config) reimplemented in HTML + * New kiosk mode functionality, which allows maximum screen space + for customer-facing displays + MFSA 2019-36 + * CVE-2019-11756 (bmo#1508776) + Use-after-free of SFTKSession object + * CVE-2019-17008 (bmo#1546331) + Use-after-free in worker destruction + * CVE-2019-13722 (bmo#1580156) (Windows only) + Stack corruption due to incorrect number of arguments in WebRTC code + * CVE-2019-17014 (bmo#1322864) + Dragging and dropping a cross-origin resource, incorrectly loaded + as an image, could result in information disclosure + * CVE-2019-17010 (bmo#1581084) + Use-after-free when performing device orientation checks + * CVE-2019-17005 (bmo#1584170) + Buffer overflow in plain text serializer + * CVE-2019-17011 (bmo#1591334) + Use-after-free when retrieving a document in antitracking + * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209 + bmo#1580288, bmo#1585760, bmo#1592502) + Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 + * CVE-2019-17013 (bmo#1298509, bmo#1472328, bmo#1577439, bmo#1577937 + bmo#1580320, bmo#1584195, bmo#1585106, bmo#1586293, bmo#1593865 + bmo#1594181) + Memory safety bugs fixed in Firefox 71 +- requires + NSPR >= 4.23 + NSS >= 3.47.1 + rust/cargo >= 1.37 +- reactivate webrtc for platforms where it was disabled +- updated create-tar.sh to cover buildid and origin repo information + -> removed obsolete source-stamp.txt +- removed obsolete patches + mozilla-bmo1511604.patch + mozilla-openaes-decl.patch +- changed locale building procedure + * removed obsolete compare-locales.tar.xz +- added mozilla-bmo1601707.patch to fix gcc/LTO builds + (bmo#1601707, boo#1158466) +- added mozilla-bmo849632.patch to fix big endian issues in skia + used for WebGL + +------------------------------------------------------------------- +Fri Nov 1 14:16:39 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 70.0.1 + * Fix for an issue that caused some websites or page elements using + dynamic JavaScript to fail to load. (bmo#1592136) + * Title bar no longer shows in full screen view (bmo#1588747) +- added mozilla-bmo1504834-part4.patch to fix some visual issues on + big endian platforms + +------------------------------------------------------------------- +Sun Oct 20 20:19:31 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 70.0 + * more privacy protections from Enhanced Tracking Protection + * Firefox Lockwise passwordmanager + * Improvements to core engine components, for better browsing on more sites + * Improved privacy and security indicators + MFSA 2019-34 + * CVE-2018-6156 (bmo#1480088) + Heap buffer overflow in FEC processing in WebRTC + * CVE-2019-15903 (bmo#1584907) + Heap overflow in expat library in XML_GetCurrentLineNumber + * CVE-2019-11757 (bmo#1577107) + Use-after-free when creating index updates in IndexedDB + * CVE-2019-11759 (bmo#1577953) + Stack buffer overflow in HKDF output + * CVE-2019-11760 (bmo#1577719) + Stack buffer overflow in WebRTC networking + * CVE-2019-11761 (bmo#1561502) + Unintended access to a privileged JSONView object + * CVE-2019-11762 (bmo#1582857) + document.domain-based origin isolation has same-origin-property violation + * CVE-2019-11763 (bmo#1584216) + Incorrect HTML parsing results in XSS bypass technique + * CVE-2019-11765 (bmo#1562582) + Incorrect permissions could be granted to a website + * CVE-2019-17000 (bmo#1441468) + CSP bypass using object tag with data: URI + * CVE-2019-17001 (bmo#1587976) + CSP bypass using object tag when script-src 'none' is specified + * CVE-2019-17002 (bmo#1561056) + upgrade-insecure-requests was not being honored for links dragged and dropped + * CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223, + bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845, bmo#1581950, + bmo#1583463, bmo#1586599) + Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2 +- requires + rust/cargo >= 1.36 + NSPR >= 4.22 + NSS >= 3.46.1 + rust-cbindgen >= 0.9.1 +- removed obsolete patches + mozilla-bmo1573381.patch + mozilla-nestegg-big-endian.patch + +------------------------------------------------------------------- +Sun Oct 13 08:58:12 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 69.0.3 + * Fixed Yahoo mail users being prompted to download files when + clicking on emails (bmo#1582848) +- devel package build can easily be disabled now + +------------------------------------------------------------------- +Thu Oct 3 08:40:05 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 69.0.2 + * Fixed a crash when editing files on Office 365 websites (bmo#1579858) + * Fixed a Linux-only crash when changing the playback speed while + watching YouTube videos (bmo#1582222) +- updated supported locale list +- Allow to build without profile guided optimizations (boo#1040589) + (contributed by Bernhard Wiedemann) +- Make build verbose (contributed by Martin Liška) +- remove obsolete kde.js setting (boo#1151186) and related patch + firefox-add-kde.js-in-order-to-survive-PGO-build.patch +- update create-tar.sh to latest revision and adjusted tar_stamps +- add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO) +- extension preferences moved from branding package to core package + (packaging but not branding specific) + +------------------------------------------------------------------- +Thu Sep 19 13:31:16 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 69.0.1 + * Fixed external programs launching in the background when clicking + a link from inside Firefox to launch them (bmo#1570845) + * Usability improvements to the Add-ons Manager for users with + screen readers (bmo#1567600) + * Fixed the Captive Portal notification bar not being dismissable + in some situations after login is complete (bmo#1578633) + * Fixed the maximum size of fonts in Reader Mode when zoomed (bmo#1578454) + * Fixed missing stacks in the Developer Tools Performance section + (bmo#1578354) + MFSA 2019-31 + * CVE-2019-11754 (bmo#1580506) + Pointer Lock is enabled with no user notification +- disable DOH by default + +------------------------------------------------------------------- +Thu Sep 5 13:02:39 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 69.0 + * Enhanced Tracking Protection (ETP) for stronger privacy protections + * Block Autoplay feature is enhanced to give users the option to block + any video + * Users in the US or using the en-US browser, can get a new “New Tab” + page experience connecting to the best of Pocket's content. + * Support for the Web Authentication HmacSecret extension via + Windows Hello introduced. + * Support for receiving multiple video codecs with this release makes + it easier for WebRTC conferencing services to mix video from + different clients. + MFSA 2019-25 (boo#1149324) + * CVE-2019-11741 (bmo#1539595) + Isolate addons.mozilla.org and accounts.firefox.com + * CVE-2019-5849 (bmo#1555838) + Out-of-bounds read in Skia + * CVE-2019-11737 (bmo#1388015) + Content security policy directives ignore port and path if host is a wildcard + * CVE-2019-11734 (bmo#1352875,bmo#1536227,bmo#1557208,bmo#1560641) + Memory safety bugs fixed in Firefox 69 + * CVE-2019-11735 (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912, + bmo#1565744,bmo#1568858,bmo#1570358) + Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 + * CVE-2019-11740 (bmo#1563133,bmo#1573160) + Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 +- requires + * rust/cargo >= 1.35 + * rust-cbindgen >= 0.9.0 + * mozilla-nss >= 3.45 +- rebased patches + +------------------------------------------------------------------- +Wed Sep 4 15:38:40 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- added a bunch of patches mainly for big endian platforms + * mozilla-bmo1504834-part1.patch + * mozilla-bmo1504834-part2.patch + * mozilla-bmo1504834-part3.patch + * mozilla-bmo1511604.patch + * mozilla-bmo1554971.patch + * mozilla-bmo1573381.patch + * mozilla-nestegg-big-endian.patch + * mozilla-bmo1512162.patch + +------------------------------------------------------------------- +Fri Aug 30 20:49:11 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 68.1.0 + MFSA 2019-26 + * CVE-2019-11751 (bmo#1572838; Windows only) + Malicious code execution through command line parameters + * CVE-2019-11746 (bmo#1564449) + Use-after-free while manipulating video + * CVE-2019-11744 (bmo#1562033) + XSS by breaking out of title and textarea elements using innerHTML + * CVE-2019-11742 (bmo#1559715) + Same-origin policy violation with SVG filters and canvas to steal + cross-origin images + * CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only)) + File manipulation and privilege escalation in Mozilla Maintenance Service + * CVE-2019-11753 (bmo#1574980; Windows only) + Privilege escalation with Mozilla Maintenance Service in custom + Firefox installation location + * CVE-2019-11752 (bmo#1501152) + Use-after-free while extracting a key value in IndexedDB + * CVE-2019-9812 (bmo#1538008, bmo#1538015) + Sandbox escape through Firefox Sync + * CVE-2019-11743 (bmo#1560495) + Cross-origin access to unload event attributes + * CVE-2019-11748 (bmo#1564588) + Persistence of WebRTC permissions in a third party context + * CVE-2019-11749 (bmo#1565374) + Camera information available without prompting using getUserMedia + * CVE-2019-11750 (bmo#1568397) + Type confusion in Spidermonkey + * CVE-2019-11738 (bmo#1452037) + Content security policy bypass through hash-based sources in directives + * CVE-2019-11747 (bmo#1564481) + 'Forget about this site' removes sites from pre-loaded HSTS list + * CVE-2019-11735i (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912, + bmo#1565744,bmo#1568858,bmo#1570358) + Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 + * CVE-2019-11740 (bmo#1563133,bmo#1573160) + Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 +- switched package to ESR branch +- added mozilla-bmo1568145.patch to make builds reproducible +- removed upstreamed patch mozilla-gcc-internal-compiler-error.patch + +------------------------------------------------------------------- +Sun Aug 18 17:29:25 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de> + +- Mozilla Firefox 68.0.2: + * Fixed a bug causing some special characters to be cut off from + the end of the search terms when searching from the URL bar + (bmo#1560228) + * Allow fonts to be loaded via file:// URLs when opening a page + locally (bmo#1565942) + * Printing emails from the Outlook web app no longer prints only + the header and footer (bmo#1567105) + * Fixed a bug causing some images not to be displayed on reload, + including on Google Maps (bmo# 1565542) + * Fixed an error when starting external applications configured + as URI handlers (bmo#1567614) + MFSA 2019-24 (boo#1145665) + * CVE-2019-11733: Stored passwords in 'Saved Logins' can be + copied without master password entry (bmo#1565780) +- drop fix-build-after-y2038-changes-in-glibc.patch, upstream + +------------------------------------------------------------------- +Fri Aug 16 16:49:24 UTC 2019 - Jonathan Brielmaier <jbrielmaier@suse.de> + +- Fix crash when typing in the URL bar on ppc64le (bmo#1512162). + The upstream patch doesn't resolve the issue on TW, but compiling + with -O1 does. Do this until we have a proper fix. + +------------------------------------------------------------------- +Thu Aug 1 14:25:02 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Update build constraints to fix arm builds + +------------------------------------------------------------------- +Fri Jul 19 08:11:27 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 68.0.1 + * Fixed missing Full Screen button when watching videos in full + screen mode on HBO GO (bmo#1562837) + * Fixed a bug causing incorrect messages to appear for some + locales when sites try to request the use of the Storage + Access API (bmo#1558503) + * Users in Russian regions may have their default search engine + changed (bmo#1565315) + * Built-in search engines in some locales do not function + correctly (bmo#1565779) + * SupportMenu policy doesn't always work (bmo#1553290) + * Allow the privacy.file_unique_origin pref to be controlled by + policy (bmo#1563759) + +------------------------------------------------------------------- +Thu Jul 11 10:51:39 UTC 2019 - Jiri Slaby <jslaby@suse.com> + +- add fix-build-after-y2038-changes-in-glibc.patch + +------------------------------------------------------------------- +Wed Jul 10 13:47:41 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com> + +- Generate langpacks sequentially to avoid file corruption + from racy file writes (boo#1137970) + +------------------------------------------------------------------- +Mon Jul 8 13:30:35 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 68.0 + * Dark mode in reader view + * Improved extension security and discovery + * Cryptomining and fingerprinting protections are added to strict + content blocking settings in Privacy & Security preferences + * Camera and microphone access now require an HTTPS connection + MFSA 2019-21 (bsc#1140868) + * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327) + Sandbox escape via installation of malicious languagepack + * CVE-2019-11711 (bmo#1552541) + Script injection within domain through inner window reuse + * CVE-2019-11712 (bmo#1543804) + Cross-origin POST requests can be made with NPAPI plugins by + following 308 redirects + * CVE-2019-11713 (bmo#1528481) + Use-after-free with HTTP/2 cached stream + * CVE-2019-11714 (bmo#1542593) + NeckoChild can trigger crash when accessed off of main thread + * CVE-2019-11729 (bmo#1515342) + Empty or malformed p256-ECDH public keys may trigger a segmentation fault + * CVE-2019-11715 (bmo#1555523) + HTML parsing error can contribute to content XSS + * CVE-2019-11716 (bmo#1552632) + globalThis not enumerable until accessed + * CVE-2019-11717 (bmo#1548306) + Caret character improperly escaped in origins + * CVE-2019-11718 (bmo#1408349) + Activity Stream writes unsanitized content to innerHTML + * CVE-2019-11719 (bmo#1540541) + Out-of-bounds read when importing curve25519 private key + * CVE-2019-11720 (bmo#1556230) + Character encoding XSS vulnerability + * CVE-2019-11721 (bmo#1256009) + Domain spoofing through unicode latin 'kra' character + * CVE-2019-11730 (bmo#1558299) + Same-origin policy treats all files in a directory as having the + same-origin + * CVE-2019-11723 (bmo#1528335) + Cookie leakage during add-on fetching across private browsing boundaries + * CVE-2019-11724 (bmo#1512511) + Retired site input.mozilla.org has remote troubleshooting permissions + * CVE-2019-11725 (bmo#1483510) + Websocket resources bypass safebrowsing protections + * CVE-2019-11727 (bmo#1552208) + PKCS#1 v1.5 signatures can be used for TLS 1.3 + * CVE-2019-11728 (bmo#1552993) + Port scanning through Alt-Svc header + * CVE-2019-11710 (bmo#1549768, bmo#1548611, bmo#1533842, bmo#1537692, + bmo#1540590, bmo#1551907, bmo#1510345, bmo#1535482, bmo#1535848, + bmo#1547472, bmo#1547760, bmo#1507696, bmo#1544180) + Memory safety bugs fixed in Firefox 68 + * CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498 + bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522) + Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 +- requires + * NSS 3.44.1 + * rust/cargo 1.34 + * rust-cbindgen 0.8.7 +- rebased patches + * mozilla-aarch64-startup-crash.patch + * mozilla-kde.patch + * mozilla-nongnome-proxies.patch + * firefox-kde.patch +- use new create-tar.sh and add tar_stamps for package definitions +- added patches imported from SLE flavour + * mozilla-gcc-internal-compiler-error.patch + * mozilla-bmo1005535.patch + * mozilla-ppc-altivec_static_inline.patch + * mozilla-reduce-rust-debuginfo.patch + * mozilla-s390-bigendian.patch + * mozilla-s390-context.patch + +------------------------------------------------------------------- +Mon Jul 2 14:15:17 UTC 2019 - Martin Liška <mliska@suse.cz> + +- Enable PGO for x86_64. + * added firefox-add-kde.js-in-order-to-survive-PGO-build.patch + +------------------------------------------------------------------- +Thu Jun 20 06:20:59 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 67.0.4 + MFSA 2019-19 (boo#1138872) + * CVE-2019-11708 (bmo#1559858) + sandbox escape using Prompt:Open + +------------------------------------------------------------------- +Tue Jun 18 18:36:15 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 67.0.3 + MFSA 2019-18 (boo#1138614) + * CVE-2019-11707 (bmo#1544386) + Type confusion in Array.pop + +------------------------------------------------------------------- +Thu Jun 12 14:56:32 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net> + +- Mozilla Firefox 67.0.2 + * Fixed: Fix JavaScript error ("TypeError: data is null in + PrivacyFilter.jsm") in console which may significantly degrade + sessionstore reliability and performance (bmo#1553413) + * Fixed: Proxy authentication dialog box repeatedly pops up + asking to authenticate after upgrading to Firefox 67 (bmo#1548804) + * Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's + implementation (bmo#1551282) + * Fixed: Starting in safe mode on Linux or macOS causes Firefox + to think on the subsequent launch that the profile is too + recent to be used with this version of Firefox (bmo#1556612) + * Fixed: Linux distribution users can't easily install/use + additional/different languages using the built-in preferences + UI (bmo#1554744) + * Fixed: Developer tools users can't copy the href/src content + from various HTML tags via the context menu in the Inspector + markup view (bmo#1552275) + * Fixed: Custom home page is broken with clearing data on shutdown + settings applied (bmo#1554167) + * Fixed: Performance-regression for eclipse RAP based applications + (bmo#1555962) + * Fixed: macOS 10.15 crash fix (bmo#1556076) + * Fixed: Can't start two downloads in parallel via <a download> + anymore (bmo#1542912) + +------------------------------------------------------------------- +Thu Jun 6 06:49:51 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net> + +- Mozilla Firefox 67.0.1 + * enable enhanced tracking protection by default for new users + * upgrade of Facebook container to version 2.0 + * new version of Firefox Lockwise (password management) + * new version of Firefox Monitor + * Firefox Send improvements + +------------------------------------------------------------------- +Sun May 19 20:40:30 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 67.0 + * Firefox 67 will be able to run different Firefox installs side by side + https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/ + * Tabs can now be pinned from the Page Actions menu in the address bar + * Users can block known cryptominers and fingerprinters in the + Custom settings or their Content Blocking preferences + * The Import Data from Another Browser feature is now also available + from the File menu + * Firefox will now protect you against running older versions which + can lead to data corruption and stability issues + * Easier access to your list of saved logins from the main menu and + login autocomplete + * We’ve added a toolbar menu for your Firefox Account to provide more + transparency for when you are synced, sharing data across devices + and with Firefox. Personalize the appearance of the menu with your + own avatar + * Enable FIDO U2F API, and permit registrations for Google Accounts + * Enabled AV1 support on Linux + MFSA 2019-13 (boo#1135824) + * CVE-2019-9815 (bmo#1546544) + Disable hyperthreading on content JavaScript threads on macOS + * CVE-2019-9816 (bmo#1536768) + Type confusion with object groups and UnboxedObjects + * CVE-2019-9817 (bmo#1540221) + Stealing of cross-domain images using canvas + * CVE-2019-9818 (bmo#1542581) (Windows only) + Use-after-free in crash generation server + * CVE-2019-9819 (bmo#1532553) + Compartment mismatch with fetch API + * CVE-2019-9820 (bmo#1536405) + Use-after-free of ChromeEventHandler by DocShell + * CVE-2019-9821 (bmo#1539125) + Use-after-free in AssertWorkerThread + * CVE-2019-11691 (bmo#1542465) + Use-after-free in XMLHttpRequest + * CVE-2019-11692 (bmo#1544670) + Use-after-free removing listeners in the event listener manager + * CVE-2019-11693 (bmo#1532525) + Buffer overflow in WebGL bufferdata on Linux + * CVE-2019-7317 (bmo#1542829) + Use-after-free in png_image_free of libpng library + * CVE-2019-11694 (bmo#1534196) (Windows only) + Uninitialized memory memory leakage in Windows sandbox + * CVE-2019-11695 (bmo#1445844) + Custom cursor can render over user interface outside of web content + * CVE-2019-11696 (bmo#1392955) + Java web start .JNLP files are not recognized as executable files + for download prompts + * CVE-2019-11697 (bmo#1440079) + Pressing key combinations can bypass installation prompt delays and + install extensions + * CVE-2019-11698 (bmo#1543191) + Theft of user history data through drag and drop of hyperlinks + to and from bookmarks + * CVE-2019-11700 (bmo#1549833) (Windows only) + res: protocol can be used to open known local files + * CVE-2019-11699 (bmo#1528939) + Incorrect domain name highlighting during page navigation + * CVE-2019-11701 (bmo#1518627) + webcal: protocol default handler loads vulnerable web page + * CVE-2019-9814 (bmo#1527592, bmo#1534536, bmo#1520132, bmo#1543159, + bmo#1539393, bmo#1459932, bmo#1459182, bmo#1516425) + Memory safety bugs fixed in Firefox 67 + * CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136, + bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108, + bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097, + bmo#1532465, bmo#1533554, bmo#1541580) + Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 +- requires + * rust/cargo >= 1.32 + * mozilla-nspr >= 4.21 + * mozilla-nss >= 3.43 + * rust-cbindgen >= 0.8.2 +- rebased patches +- KDE integration for default browser detection is broken in this revision + +------------------------------------------------------------------- +Fri May 17 12:04:49 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Fix armv7 build with: + * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch + +------------------------------------------------------------------- +Fri May 10 10:30:05 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net> + +- Mozilla Firefox 66.0.5 + * Fixed: Further improvements to re-enable web extensions which + had been disabled for users with a master password set (bmo#1549249) + +------------------------------------------------------------------- +Sun May 5 20:21:02 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 66.0.4 (boo#1134126) + * fix extension certificate chain + https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/ + +------------------------------------------------------------------- +Thu Apr 11 09:16:17 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net> + +- Mozilla Firefox 66.0.3 + * Fixed: Address bar on tablets running Windows 10 now behaves + correctly (bmo#1498973) + * Fixed: Performance issues with some HTML5 games (bmo#1537609) + * Fixed a bug with keypress events in IBM cloud applications + (bmo#1538970) + * Fix for keypress events in some Microsoft cloud applications + (bmo#1539618) + * Changed: Updated Baidu search plugin + +------------------------------------------------------------------- +Thu Mar 28 19:01:41 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net> + +- Mozilla Firefox 66.0.2 + * Fixed Web compatibility issues with Office 365, iCloud and + IBM WebMail caused by recent changes to the handling of + keyboard events (bmo#1538966) + * Crash fixes (bmo#1521370, bmo#1539118) + +------------------------------------------------------------------- +Thu Mar 28 09:58:36 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Add patch to fix aarch64 build: + * mozilla-fix-aarch64-libopus.patch (bmo#1539737) + +------------------------------------------------------------------- +Fri Mar 22 22:22:08 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 66.0.1 + MFSA 2019-09 (bsc#1130262) + * CVE-2019-9810 (bmo#1537924) + IonMonkey MArraySlice has incorrect alias information + * CVE-2019-9813 (bmo#1538006) + Ionmonkey type confusion with __proto__ mutations + +------------------------------------------------------------------- +Sun Mar 17 10:08:51 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 66.0 + * Increased content processes to 8 + * Added capability to search through open tabs from the tab overflow menu + * New backend for the storage.local WebExtensions API, providing + I/O performance improvements when the extension updates a small + subset of the stored data + * WebExtension keyboard shortcuts can now be managed or overridden + from about:addons + * Improved scrolling behavior: Firefox will now attempt to keep content + from jumping around while a page is loading by supporting scroll + anchoring + * New about:privatebrowsing with search + * A certificate error page now notifies the user of the name of the + certificate issuer that breaks HTTPs connections on intercepted + connections to help troubleshooting possible anti-virus software + issues. + * Fixed an performance issue some Linux users experienced with the + Downloads panel (bmo#1517101) + * Firefox now blocks all autoplay media with sound by default. Users + can add individual sites to an exceptions list or turn the blocking + off. + * System title bar is hidden by default to match Gnome guideline + MFSA 2019-07 (bsc#1129821) + * CVE-2019-9790 (bmo#1525145) + Use-after-free when removing in-use DOM elements + * CVE-2019-9791 (bmo#1530958) + Type inference is incorrect for constructors entered through on-stack + replacement with IonMonkey + * CVE-2019-9792 (bmo#1532599) + IonMonkey leaks JS_OPTIMIZED_OUT magic value to script + * CVE-2019-9793 (bmo#1528829) + Improper bounds checks when Spectre mitigations are disabled + * CVE-2019-9794 (bmo#1530103) (Windows only) + Command line arguments not discarded during execution + * CVE-2019-9795 (bmo#1514682) + Type-confusion in IonMonkey JIT compiler + * CVE-2019-9796 (bmo#1531277) + Use-after-free with SMIL animation controller + * CVE-2019-9797 (bmo#1528909) + Cross-origin theft of images with createImageBitmap + * CVE-2019-9798 (bmo#1527534) (Android only) + Library is loaded from world writable APITRACE_LIB location + * CVE-2019-9799 (bmo#1505678) + Information disclosure via IPC channel messages + * CVE-2019-9801 (bmo#1527717) (Windows only) + Windows programs that are not 'URL Handlers' are exposed to web content + * CVE-2019-9802 (bmo#1415508) + Chrome process information leak + * CVE-2019-9803 (bmo#1515863, bmo#1437009) + Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation + * CVE-2019-9804 (bmo#1518026) (MacOS only) + Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS + * CVE-2019-9805 (bmo#1521360) + Potential use of uninitialized memory in Prio + * CVE-2019-9806 (bmo#1525267) + Denial of service through successive FTP authorization prompts + * CVE-2019-9807 (bmo#1362050) + Text sent through FTP connection can be incorporated into alert messages + * CVE-2019-9809 (bmo#1282430, bmo#1523249) + Denial of service through FTP modal alert error messages + * CVE-2019-9808 (bmo#1434634) + WebRTC permissions can display incorrect origin with data: and blob: URLs + * CVE-2019-9789 bmo#1520483, bmo#1522987, bmo#1528199, bmo#1519337, + bmo#1525549, bmo#1516179, bmo#1518524, bmo#1518331, bmo#1526579, + bmo#1512567, bmo#1524335, bmo#1448505, bmo#1518821 + Memory safety bugs fixed in Firefox 66 + * CVE-2019-9788 bmo#1518001, bmo#1521304, bmo#1521214, bmo#1506665, + bmo#1516834, bmo#1518774, bmo#1524755, bmo#1523362, bmo#1524214, bmo#1529203 + Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 +- updated build/runtime requirements + * mozilla-nss >= 3.42.1 + * cargo/rust >= 1.31 + * rust-cbindgen >= 0.6.8 + * nasm >= 2.13 (new) +- removed obsolete patch + * mozilla-bmo256180.patch + +------------------------------------------------------------------- +Tue Mar 5 10:17:01 UTC 2019 - Stephan Kulow <coolo@suse.com> + +- Do not hardcode nodejs8 but leave the prefer to the distribution + (Tumbleweed staging wants to switch to nodejs10) + +------------------------------------------------------------------- +Fri Feb 15 13:45:57 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Update _constraints to avoid 'no space left' error seen on aarch64 + +------------------------------------------------------------------- +Wed Feb 13 07:17:28 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 65.0.1 + * Fixed accidental requests to addons.mozilla.org when an addon + recommendation doorhanger is shown (bmo#1526387) + * Improved playback of interactive Netflix videos (bmo#1524500) + * Fixed incorrect sizing of the "Clear Recent History" window in + some situations (bmo#1523696) + * Fixed audio & video delays while making WebRTC calls + (bmo#1521577, bmo#1523817) + * Fixed video sizing problems during some WebRTC calls (bmo#1520200) + * Fixed looping CONNECT requests when using WebSockets over HTTP/2 + from behind a proxy server (bmo#1523427) + * Fixed the "Enter" key not working on password entry fields for + certain Linux distributions (bmo#1523635) + MFSA 2019-04 (bsc#1125330) + * CVE-2018-18356 bmo#1525817 + Use-after-free in Skia + * CVE-2019-5785 bmo#1525433 + Integer overflow in Skia + * CVE-2018-18511 bmo#1526218 + Cross-origin theft of images with ImageBitmapRenderingContext + +------------------------------------------------------------------- +Wed Feb 13 06:12:43 UTC 2019 - Martin Liška <mliska@suse.cz> + +- Enable LTO only for latest new toolchain (boo#1125038) for x86_64 + (with increased memory constraints) + +------------------------------------------------------------------- +Sat Jan 26 22:37:01 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org> + +- Mozilla Firefox 65.0 + * Enhanced tracking protection + * allow switching of UI locales within preferences + * support for the WebP image format + * "top"-like about:performance + MFSA 2019-01 (bsc#1122983) + * CVE-2018-18500 bmo#1510114 + Use-after-free parsing HTML5 stream + * CVE-2018-18503 bmo#1509442 + Memory corruption with Audio Buffer + * CVE-2018-18504 bmo#1496413 + Memory corruption and out-of-bounds read of texture client + * CVE-2018-18505 bmo#1497749 + Privilege escalation through IPC channel messages + * CVE-2018-18506 bmo#1503393 + Proxy Auto-Configuration file can define localhost access to be proxied + * CVE-2018-18502 bmo#1499426 bmo#1480090 bmo#1472990 bmo#1514762 + bmo#1501482 bmo#1505887 bmo#1508102 bmo#1508618 bmo#1511580 + bmo#1493497 bmo#1510145 bmo#1516289 bmo#1506798 bmo#1512758 + Memory safety bugs fixed in Firefox 65 + * CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619 + bmo#1502871 bmo#1516738 bmo#1516514 + Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 +- requires + NSS 3.41 + rust/carge 1.30 + rust-cbindgen 0.6.7 +- rebased patches +- remove workaround for build memory consumption on i586; other + mitigations meanwhile introduced (mainly parallelity) will be + sufficient + mozilla-reduce-files-per-UnifiedBindings.patch + +------------------------------------------------------------------- +Tue Jan 15 14:32:03 UTC 2019 - Martin Liška <mliska@suse.cz> + +- Increase disk constraint. + +------------------------------------------------------------------- +Mon Jan 14 12:12:12 UTC 2019 - Martin Liška <mliska@suse.cz> + +- Remove -v from mach build in order to work-around bmo#1500436. + +------------------------------------------------------------------- +Fri Jan 11 15:07:14 UTC 2019 - Martin Liška <mliska@suse.cz> + +- Set %clang_build to false on all architectures +- Do not use -fno-delete-null-pointer-checks and -fno-strict-aliasing: + it should not be needed anymore +- Do not overwrite enable-optimize and when possible + enable --enable-debug-symbols. +- Add -v to mach in order to make build verbose. + +------------------------------------------------------------------- +Wed Jan 9 22:40:14 UTC 2019 - astieger@suse.com + +- Mozilla Firefox 64.0.2: + * Update the Japanese translation for missing strings (bmo#1513259) + * Properly restore column sizes in developer tools inspector (bmo#1503175) + * Fixed video stuttering on Youtube (bmo#1513511) + * Fix updates for some lightweight themes (bmo#1508777) + +------------------------------------------------------------------- +Tue Dec 18 14:46:41 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Enable build_hardened for all architectures +- Switch back aarch64 to clang as '-fPIC' fixes bmo#1513605 +- Remove obolete '--enable-pie' as -pie is always enabled for + gcc and clang + +------------------------------------------------------------------- +Wed Dec 12 17:33:29 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Switch aarch64 builds back to gcc, not clang (bmo#1513605) +- Switch %arm builds back to gcc, not clang to avoid OOM +- Fix build flags when clang is not used +- Fix flags for clang ppc64 builds + +------------------------------------------------------------------- +Tue Dec 11 08:45:56 UTC 2018 - Wolfgang Rosenauer <wr@rosenauer.org> + +- update to Firefox 64.0 + * Better recommendations: You may see suggestions in regular browsing + mode for new and relevant Firefox features, services, and extensions + based on how you use the web (for US users only) + * Enhanced tab management: You can now select multiple tabs from the + tab bar and close, move, bookmark, or pin them quickly and easily + * Easier performance management: The new Task Manager page found at + about:performance lets you see how much energy each open tab consumes + and provides access to close tabs to conserve power + * Improved performance for Mac and Linux users, by enabling link time + optimization (Clang LTO). + * Added option to remove add-ons using the context menu on their + toolbar buttons + * RSS feed preview and live bookmarks are available only via add-ons + * TLS certificates issued by Symantec are no longer trusted by Firefox. + Website operators are strongly encouraged to replace any remaining + Symantec TLS certificates as soon as possible + MFSA 2018-29 (bsc#1119105) + * CVE-2018-12407 bmo#1505973 + Buffer overflow with ANGLE library when using VertexBuffer11 module + * CVE-2018-17466 bmo#1488295 + Buffer overflow and out-of-bounds read in ANGLE library with + TextureStorage11 + * CVE-2018-18492 bmo#1499861 + Use-after-free with select element + * CVE-2018-18493 bmo#1504452 + Buffer overflow in accelerated 2D canvas with Skia + * CVE-2018-18494 bmo#1487964 + Same-origin policy violation using location attribute and + performance.getEntries to steal cross-origin URLs + * CVE-2018-18495 bmo#1427585 + WebExtension content scripts can be loaded in about: pages + * CVE-2018-18496 bmo#1422231 (Windows only) + Embedded feed preview page can be abused for clickjacking + * CVE-2018-18497 bmo#1488180 + WebExtensions can load arbitrary URLs through pipe separators + * CVE-2018-18498 bmo#1500011 + Integer overflow when calculating buffer sizes for images + * CVE-2018-12406 bmo#1456947 bmo#1475669 bmo#1504816 bmo#1502886 + bmo#1500064 bmo#1500310 bmo#1500696 bmo#1498765 bmo#1499198 bmo#1434490 + bmo#1481745 bmo#1458129 + Memory safety bugs fixed in Firefox 64 + * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759 + bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471 + Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 +- requires + * rust/cargo >= 1.29 + * mozilla-nss >= 3.40.1 + * rust-cbindgen >= 0.6.4 +- rebased patches +- removed obsolete patch + * mozilla-bmo1491289.patch +- now uses clang primarily for compilation + +------------------------------------------------------------------- +Wed Nov 28 11:07:18 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Remove --disable-elf-hack when not available: on aarch64 and ppc64* + +------------------------------------------------------------------- +Mon Nov 26 09:46:02 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org> + +- Clean-up %arm build + +------------------------------------------------------------------- +Sun Nov 18 11:01:21 UTC 2018 - manfred.h@gmx.net + +- update to Firefox 63.0.3 + * Games using WebGL (created in Unity) get stuck after very short + time of gameplay (bmo#1502748) + * Slow page loading for some users with specific proxy configurations + (bmo#1495024) + * Disable HTTP response throttling by default for causing bugs with + videos in background tabs (bmo#1503354) + * Opening magnet links no longer works (bmo#1498934) + * Crash fixes (bmo#1498510, bmo#1503424) +- removed mozilla-newer-cbindgen.patch; no longer needed + +------------------------------------------------------------------- +Thu Nov 8 14:59:13 UTC 2018 - wr@rosenauer.org + +- update to Firefox 63.0.1 + * Snippets are not loaded due to missing element (bmo#1503047) + * Print preview always shows 30& scale when it is actually + Shrink To Fit (bmo#1501952) + * Dialog displayed when closing multiple windows shows unreplaced + %1$S placeholder in Japanese and potentially other locales + (bmo#1500823) + +------------------------------------------------------------------- +Mon Oct 29 14:07:51 UTC 2018 - wr@rosenauer.org + +- update to Firefox 63.0 + * WebExtensions now run in their own process on Linux + * The Ctrl+Tab shortcut now displays thumbnail previews of your + tabs and cycles through tabs in recently used order. This new + default behavior is activated only in new profiles and can be + changed in preferences. + * Added support for Web Components custom elements and shadow DOM + MFSA 2018-26 (bsc#1112852) + * CVE-2018-12391 (bmo#1478843) (Android-only) + HTTP Live Stream audio data is accessible cross-origin + * CVE-2018-12392 (bmo#1492823) + Crash with nested event loops + * CVE-2018-12393 (bmo#1495011) (only affects non-64-bit archs) + Integer overflow during Unicode conversion while loading JavaScript + * CVE-2018-12395 (bmo#1467523) + WebExtension bypass of domain restrictions through header rewriting + * CVE-2018-12396 (bmo#1483602) + WebExtension content scripts can execute in disallowed contexts + * CVE-2018-12397 (bmo#1487478) + Missing warning prompt when WebExtension requests local file access + * CVE-2018-12398 (bmo#1460538, bmo#1488061) + CSP bypass through stylesheet injection in resource URIs + * CVE-2018-12399 (bmo#1490276) + Spoofing of protocol registration notification bar + * CVE-2018-12400 (bmo#1448305) (Android only) + Favicons are cached in private browsing mode on Firefox for Android + * CVE-2018-12401 (bmo#1422456) + DOS attack through special resource URI parsing + * CVE-2018-12402 (bmo#1469916) + SameSite cookies leak when pages are explicitly saved + * CVE-2018-12403 (bmo#1484753) + Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP + * CVE-2018-12388 (bmo#1472639, bmo#1485698, bmo#1301547, bmo#1471427, + bmo#1379411, bmo#1482122, bmo#1486314, bmo#1487167) + Memory safety bugs fixed in Firefox 63 + * CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159, + bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803, + bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699, + bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844) + Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 +- requires NSPR 4.20, NSS 3.39 and Rust 1.28 +- latest rust does not provide rust-std so stop requiring it +- requires rust-cbindgen >= 0.6.2 to build +- requires nodejs >= 8.11 to build +- added mozilla-bmo1491289.patch to fix system NSS build (bmo#1491289) +- added mozilla-cubeb-noreturn.patch to fix non-return function +- added mozilla-newer-cbindgen.patch to fix build with cbindgen 0.6.7 +- disable elfhack for TW and newer due to build errors +- removed obsolete patches + * mozilla-no-return.patch + * mozilla-no-stdcxx-check.patch + +------------------------------------------------------------------- +Thu Oct 25 14:39:04 UTC 2018 - guillaume.gardet@opensuse.org + +- Update _constraints for armv6/7 + +------------------------------------------------------------------- +Thu Oct 25 08:50:24 UTC 2018 - guillaume.gardet@opensuse.org + +- Add patch to fix build on armv7: + * mozilla-bmo1463035.patch + +------------------------------------------------------------------- +Tue Oct 2 21:28:31 UTC 2018 - astieger@suse.com + +- Mozilla Firefox 62.0.3: + MFSA 2018-24 + * CVE-2018-12386 (bsc#1110506, bmo#1493900) + Type confusion in JavaScript allowed remote code execution + * CVE-2018-12387 (bsc#1110507, bmo#1493903) + Array.prototype.push stack pointer vulnerability may enable + exploits in the sandboxed content process + +------------------------------------------------------------------- +Sat Sep 22 09:03:53 UTC 2018 - astieger@suse.com + +- Mozilla Firefox 62.0.2: + MFSA 2018-22 + * CVE-2018-12385 (boo#1109363, bmo#1490585) + Crash in TransportSecurityInfo due to cached data + * Unvisited bookmarks can once again be autofilled in the address + bar + * Fix WebGL rendering issues + * Fix fallback on startup when a language pack is missing + * Avoid crash when sharing a profile with newer (as yet + unreleased) versions of Firefox + * Do not undo removal of search engines when using a language + pack + * Fixed rendering of some web sites + * Restored compatibility with some sites using deprecated TLS + settings +- disable rust debug symbols to fix build on %ix86 + +------------------------------------------------------------------- +Mon Sep 3 10:47:43 UTC 2018 - wr@rosenauer.org + +- update to Firefox 62.0 + * Firefox Home (the default New Tab) now allows users to display + up to 4 rows of top sites, Pocket stories, and highlights + * "Reopen in Container" tab menu option appears for users with + Containers that lets them choose to reopen a tab in a different + container + * In advance of removing all trust for Symantec-issued certificates + in Firefox 63, a preference was added that allows users to distrust + certificates issued by Symantec. To use this preference, go to + about:config in the address bar and set the preference + "security.pki.distrust_ca_policy" to 2. + * Support for CSS Shapes, allowing for richer web page layouts. + This goes hand in hand with a brand new Shape Path Editor in the + CSS inspector. + * CSS Variable Fonts (OpenType Font Variations) support, which makes + it possible to create beautiful typography with a single font file + * Added Canadian English (en-CA) locale + MFSA 2018-20 (bsc#1107343) + * CVE-2018-12377 (bmo#1470260) + Use-after-free in refresh driver timers + * CVE-2018-12378 (bmo#1459383) + Use-after-free in IndexedDB + * CVE-2018-12379 (bmo#1473113) (updater is disabled for us) + Out-of-bounds write with malicious MAR file + * CVE-2017-16541 (bmo#1412081) + Proxy bypass using automount and autofs + * CVE-2018-12381 (bmo#1435319) + Dragging and dropping Outlook email message results in page navigation + * CVE-2018-12382 (bmo#1479311) (Android only) + Addressbar spoofing with javascript URI on Firefox for Android + * CVE-2018-12383 (bmo#1475775) + Setting a master password post-Firefox 58 does not delete + unencrypted previously stored passwords + * CVE-2018-12375 + Memory safety bugs fixed in Firefox 62 + * CVE-2018-12376 + Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 +- requires NSS >= 3.38 +- removed obsolete patch + mozilla-bmo1464766.patch + +------------------------------------------------------------------- +Thu Aug 9 14:22:00 UTC 2018 - wr@rosenauer.org + +- update to Firefox 61.0.2 + * Improved website rendering with the Retained Display List feature + enabled (bmo#1474402) + * Fixed broken DevTools panels with certain extensions installed + (bmo#1474379) + * Fixed a crash for users with some accessibility tools enabled + (bmo#1474007) + +------------------------------------------------------------------- +Mon Jul 9 07:22:09 UTC 2018 - astieger@suse.com + +- Mozilla Firefox 61.0.1: + * Fix missing content on the New Tab Page and the Home section of + the Preferences page (bmo#1471375) + * Fixed loss of bookmarks under rare circumstances when upgrading + from Firefox 60 (bmo#1472127) + * Improved playback of Twitch 1080p video streams (bmo#1469257) + * Web pages no longer lose focus when a browser popup window is + opened (bmo#1471415) + * Re-allowed downloading files from FTP sites via the "Save Link + As" option when linked from HTTP pages (bmo#1470295) + * Fixed extensions being unable to override the default homepage + in certain situations (bmo#1466846) + +------------------------------------------------------------------- +Sat Jun 23 07:25:51 UTC 2018 - wr@rosenauer.org + +- update to Firefox 61.0 + * Performance enhancements + * Various improvements for dark theme support will provide a more + consistent experience across the entire Firefox UI + * OpenSearch plugins offered by web pages can now be added from the + page action menu for easier installation + * Improved support for allowing WebExtensions to manage and hide tabs + MFSA 2018-15 (bsc#1098998) + * CVE-2018-12359 (bmo#1459162) + Buffer overflow using computed size of canvas element + * CVE-2018-12360 (bmo#1459693) + Use-after-free when using focus() + * CVE-2018-12361 (bmo#1463244) + Integer overflow in SwizzleData + * CVE-2018-12358 (bmo#1467852) + Same-origin bypass using service worker and redirection + * CVE-2018-12362 (bmo#1452375) + Integer overflow in SSSE3 scaler + * CVE-2018-5156 (bmo#1453127) + Media recorder segmentation fault when track type is changed during capture + * CVE-2018-12363 (bmo#1464784) + Use-after-free when appending DOM nodes + * CVE-2018-12364 (bmo#1436241) + CSRF attacks through 307 redirects and NPAPI plugins + * CVE-2018-12365 (bmo#1459206) + Compromised IPC child process can list local filenames + * CVE-2018-12371 (bmo#1465686) + Integer overflow in Skia library during edge builder allocation + * CVE-2018-12366 (bmo#1464039) + Invalid data handling during QCMS transformations + * CVE-2018-12367 (bmo#1462891) + Timing attack mitigation of PerformanceNavigationTiming + * CVE-2018-12369 (bmo#1454909) + WebExtension security permission checks bypassed by embedded experiments + * CVE-2018-12370 (bmo#1456652) + SameSite cookie protections bypassed when exiting Reader View + * CVE-2018-5186 (bmo#1464872,bmo#1463329,bmo#1419373,bmo#1412882, + bmo#1413033,bmo#1444673,bmo#1454448,bmo#1453505,bmo#1438671) + Memory safety bugs fixed in Firefox 61 + * CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938, + bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568, + bmo#1463884) + Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1 + * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739, + bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576, + bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829, + bmo#1464079,bmo#1463494,bmo#1458048) + Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9 +- requires NSS 3.37.3 +- requires python >= 3.5 to build +- removed obsolete patches + mozilla-i586-DecoderDoctorLogger.patch + mozilla-i586-domPrefs.patch + mozilla-fix-skia-aarch64.patch + mozilla-bmo1375074.patch + mozilla-enable-csd.patch +- patch for new no-return warnings (mozilla-no-return.patch) +- do not disable system installed locales (mozilla-bmo1464766.patch) + +------------------------------------------------------------------- +Fri Jun 8 10:52:13 UTC 2018 - bjorn.lie@gmail.com + +- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass + conditional --disable-gconf to configure: no longer pull in + obsolete gconf2 for Tumbleweed. + +------------------------------------------------------------------- +Thu Jun 7 12:11:06 UTC 2018 - wr@rosenauer.org + +- update to Firefox 60.0.2 + * requires NSS 3.36.4 + MFSA 2018-14 (bsc#1096449) + * CVE-2018-6126 (bmo#1462682) + Heap buffer overflow rasterizing paths in SVG with Skia + +------------------------------------------------------------------- +Wed Jun 6 18:57:52 UTC 2018 - guillaume.gardet@opensuse.org + +- Add upstream patch to fix boo#1093059 instead of '-ffixed-x28' + workaround: + * mozilla-bmo1375074.patch + +------------------------------------------------------------------- +Sat May 26 15:53:25 UTC 2018 - wr@rosenauer.org + +- fixed "open with" option under KDE (boo#1094747) +- workaround crash on startup on aarch64 (boo#1093059) + (contributed by guillaume.gardet@arm.com) + +------------------------------------------------------------------- +Wed May 23 08:49:09 UTC 2018 - guillaume.gardet@opensuse.org + +- Disable webrtc for aarch64 due to bmo#1434589 +- Add patch to fix skia build on AArch64: + * mozilla-fix-skia-aarch64.patch + +------------------------------------------------------------------- +Thu May 17 14:01:18 UTC 2018 - wr@rosenauer.org + +- update to Firefox 60.0.1 + * Avoid overly long cycle collector pauses with some add-ons installed + (bmo#1449033) + * After unckecking the "Sponsored Stories" option, the New Tab page + now immediately stops displaying "Sponsored content" cards (bmo#1458906) + * On touchscreen devices, fixed momentum scrolling on non-zoomable pages + (bmo#1457743) + * Use the right default background when opening tabs or windows in + high contrast mode (bmo#1458956) + * Restored translations of the Preferences panels when using a + language pack (bmo#1461590) + +------------------------------------------------------------------- +Mon May 14 13:37:38 UTC 2018 - pcerny@suse.com + +- parellelise locales building + +------------------------------------------------------------------- +Mon May 7 08:32:28 UTC 2018 - wr@rosenauer.org + +- update to Firefox 60.0 + * Added a policy engine that allows customized Firefox deployments + in enterprise environments, using Windows Group Policy or a + cross-platform JSON file + * Applied Quantum CSS to render browser UI + * Added support for Web Authentication, allowing the use of USB + tokens for authentication to web sites + * Locale added: Occitan (oc) + MFSA 2018-11 (bsc#1092548) + * CVE-2018-5154 (bmo#1443092) + Use-after-free with SVG animations and clip paths + * CVE-2018-5155 (bmo#1448774) + Use-after-free with SVG animations and text paths + * CVE-2018-5157 (bmo#1449898) + Same-origin bypass of PDF Viewer to view protected PDF files + * CVE-2018-5158 (bmo#1452075) + Malicious PDF can inject JavaScript into PDF Viewer + * CVE-2018-5159 (bmo#1441941) + Integer overflow and out-of-bounds write in Skia + * CVE-2018-5160 (bmo#1436117) + Uninitialized memory use by WebRTC encoder + * CVE-2018-5152 (bmo#1415644, bmo#1427289) + WebExtensions information leak through webRequest API + * CVE-2018-5153 (bmo#1436809) + Out-of-bounds read in mixed content websocket messages + * CVE-2018-5163 (bmo#1426353) + Replacing cached data in JavaScript Start-up Bytecode Cache + * CVE-2018-5164 (bmo#1416045) + CSP not applied to all multipart content sent with + multipart/x-mixed-replace + * CVE-2018-5166 (bmo#1437325) + WebExtension host permission bypass through filterReponseData + * CVE-2018-5167 (bmo#1447969) + Improper linkification of chrome: and javascript: content in + web console and JavaScript debugger + * CVE-2018-5168 (bmo#1449548) + Lightweight themes can be installed without user interaction + * CVE-2018-5169 (bmo#1319157) + Dragging and dropping link text onto home button can set home page + to include chrome pages + * CVE-2018-5172 (bmo#1436482) + Pasted script from clipboard can run in the Live Bookmarks page + or PDF viewer + * CVE-2018-5173 (bmo#1438025) + File name spoofing of Downloads panel with Unicode characters + * CVE-2018-5174 (bmo#1447080) (Windows-only) + Windows Defender SmartScreen UI runs with less secure behavior + for downloaded files in Windows 10 April 2018 Update + * CVE-2018-5175 (bmo#1432358) + Universal CSP bypass on sites using strict-dynamic in their policies + * CVE-2018-5176 (bmo#1442840) + JSON Viewer script injection + * CVE-2018-5177 (bmo#1451908) + Buffer overflow in XSLT during number formatting + * CVE-2018-5165 (bmo#1451452) + Checkbox for enabling Flash protected mode is inverted in 32-bit + Firefox + * CVE-2018-5180 (bmo#1444086) + heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced + * CVE-2018-5181 (bmo#1424107) + Local file can be displayed in noopener tab through drag and + drop of hyperlink + * CVE-2018-5182 (bmo#1435908) + Local file can be displayed from hyperlink dragged and dropped + on addressbar + * CVE-2018-5151 + Memory safety bugs fixed in Firefox 60 + * CVE-2018-5150 + Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 +- removed obsolete patches + 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch + mozilla-bmo1005535.patch +- requires NSPR 4.19 and NSS 3.36.1 +- requires rust 1.24 or higher +- use upstream source archive and detached signature for + source verification + +------------------------------------------------------------------- +Thu May 3 14:33:37 UTC 2018 - guillaume.gardet@opensuse.org + +- Fix armv7 build by: + * adding RUSTFLAGS="-Cdebuginfo=0" + * updating _constraints for %arm + +------------------------------------------------------------------- +Wed May 2 20:46:37 UTC 2018 - wr@rosenauer.org + +- do not try CSD on kwin (boo#1091592) +- fix build in openSUSE:Leap:42.3:Update, use gcc7 + +------------------------------------------------------------------- +Tue May 1 14:26:24 UTC 2018 - astieger@suse.com + +- Mozilla Firefox 59.0.3: + * fixes for platforms other than GNU/Linux + +------------------------------------------------------------------- +Fri Apr 20 12:31:52 UTC 2018 - mliska@suse.cz + +- Add 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch + in order to fix boo#1090362. + +------------------------------------------------------------------- +Mon Apr 2 00:55:45 UTC 2018 - badshah400@gmail.com + +- Add back mozilla-enable-csd.patch: New rebased version from + Fedora for version 59.0.x. + +------------------------------------------------------------------- +Tue Mar 27 14:07:11 UTC 2018 - schwab@suse.de + +- Reduce constraints on aarch64 + +------------------------------------------------------------------- +Tue Mar 27 06:40:25 UTC 2018 - wr@rosenauer.org + +- update to Firefox 59.0.2 + * Invalid page rendering with hardware acceleration enabled (bmo#1435472) + * Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites + that use those keys with resistFingerprinting enabled (bmo#1433592) + * High CPU / memory churn caused by third-party software on some + computers (bmo#1446280) + * Users who have configured an "automatic proxy configuration URL" + and want to reload their proxy settings from the URL will find + the Reload button disabled in the Connection Settings dialog when + they select Preferences/Options>Network Proxy>Settings... (bmo#1445991) + * URL Fragment Identifiers Break Service Worker Responses (bmo#1443850) + * User's trying to cancel a print around the time it completes will + continue to get intermittent crashes (bmo#1441598) + MFSA 2018-10 (bsc#1087059) + * CVE-2018-5148 (bmo#1440717) + Use-after-free in compositor +- removed obsolete patch mozilla-bmo1446062.patch + +------------------------------------------------------------------- +Wed Mar 21 17:14:24 UTC 2018 - cgrobertson@suse.com + +- Added patches: + * mozilla-i586-DecoderDoctorLogger.patch - bmo#1447070 + fixes non-unified build error + * mozilla-i586-domPrefs.patch - DOMPrefs.h + fixes 32bit build error + +------------------------------------------------------------------- +Fri Mar 16 06:40:11 UTC 2018 - wr@rosenauer.org + +- update to Firefox 59.0.1 (bsc#1085671) + MFSA 2018-08 + * CVE-2018-5146 (bmo#1446062) + Vorbis audio processing out of bounds write + * CVE-2018-5147 (bmo#1446365) + Out of bounds memory write in libtremor + (mozilla-bmo1446062.patch) + +------------------------------------------------------------------- +Wed Mar 14 19:27:07 UTC 2018 - cgrobertson@suse.com + +- Added patch: + * mozilla-bmo1005535.patch: + Enable skia_gpu on big endian platforms. + +------------------------------------------------------------------- +Sun Mar 11 22:12:12 UTC 2018 - wr@rosenauer.org + +- update to Firefox 59.0 + * Performance enhancements + * Drag-and-drop to rearrange Top Sites on the Firefox Home page + * added features for Firefox Screenshots + * Enhanced WebExtensions API + * Improved RTC capabilities + MFSA 2018-06 (bsc#1085130) + * CVE-2018-5127 (bmo#1430557) + Buffer overflow manipulating SVG animatedPathSegList + * CVE-2018-5128 (bmo#1431336) + Use-after-free manipulating editor selection ranges + * CVE-2018-5129 (bmo#1428947) + Out-of-bounds write with malformed IPC messages + * CVE-2018-5130 (bmo#1433005) + Mismatched RTP payload type can trigger memory corruption + * CVE-2018-5131 (bmo#1440775) + Fetch API improperly returns cached copies of no-store/no-cache resources + * CVE-2018-5132 (bmo#1408194) + WebExtension Find API can search privileged pages + * CVE-2018-5133 (bmo#1430511, bmo#1430974) + Value of the app.support.baseURL preference is not properly sanitized + * CVE-2018-5134 (bmo#1429379) + WebExtensions may use view-source: URLs to bypass content restrictions + * CVE-2018-5135 (bmo#1431371) + WebExtension browserAction can inject scripts into unintended contexts + * CVE-2018-5136 (bmo#1419166) + Same-origin policy violation with data: URL shared workers + * CVE-2018-5137 (bmo#1432870) + Script content can access legacy extension non-contentaccessible resources + * CVE-2018-5138 (bmo#1432624) (Android only) + Android Custom Tab address spoofing through long domain names + * CVE-2018-5140 (bmo#1424261) + Moz-icon images accessible to web content through moz-icon: protocol + * CVE-2018-5141 (bmo#1429093) + DOS attack through notifications Push API + * CVE-2018-5142 (bmo#1366357) + Media Capture and Streams API permissions display incorrect origin + with data: and blob: URLs + * CVE-2018-5143 (bmo#1422643) + Self-XSS pasting javascript: URL with embedded tab into addressbar + * CVE-2018-5126 + Memory safety bugs fixed in Firefox 59 + * CVE-2018-5125 + Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 +- requires NSPR 4.18 and NSS 3.35 +- requires rust >= 1.22.1 +- removed obsolete patches: + mozilla-alsa-sandbox.patch + mozilla-enable-csd.patch + firefox-no-default-ualocale.patch +- removed l10n_changesets.txt since same information is now in + Firefox source tree (updated create-tar.sh now requires jq) + +------------------------------------------------------------------- +Fri Feb 9 13:37:46 UTC 2018 - astieger@suse.com + +- Mozilla Firefox 58.0.2: + * Blocklisted graphics drivers related to off main thread painting + crashes + * Fix tab crash during printing + * Fix clicking links and scrolling emails on Microsoft Hotmail + and Outlook (OWA) webmail + +------------------------------------------------------------------- +Fri Feb 9 12:06:31 UTC 2018 - wr@rosenauer.org + +- correct requires and provides handling (boo#1076907) + +------------------------------------------------------------------- +Tue Feb 6 07:03:42 UTC 2018 - fstrba@suse.com + +- Added patch: + * mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still + or again?) not working in Firefox 58 due to sandboxing. + +------------------------------------------------------------------- +Mon Jan 29 22:32:21 UTC 2018 - wr@rosenauer.org + +- update to Firefox 58.0.1 + MFSA 2018-05 + * Arbitrary code execution through unsanitized browser UI (bmo#1432966) +- use correct language packs +- readd mozilla-enable-csd.patch as it only lands for FF59 upstream +- allow larger number of nested elements (mozilla-bmo256180.patch) + +------------------------------------------------------------------- +Tue Jan 23 20:40:57 UTC 2018 - wr@rosenauer.org + +- update to Firefox 58.0 (bsc#1077291) + * Added Nepali (ne-NP) locale + * Added support for form autofill for credit card + * Optimize page load by caching JavaScript internal representation + MFSA 2018-02 + * CVE-2018-5091 (bmo#1423086) + Use-after-free with DTMF timers + * CVE-2018-5092 (bmo#1418074) + Use-after-free in Web Workers + * CVE-2018-5093 (bmo#1415291) + Buffer overflow in WebAssembly during Memory/Table resizing + * CVE-2018-5094 (bmo#1415883) + Buffer overflow in WebAssembly with garbage collection on + uninitialized memory + * CVE-2018-5095 (bmo#1418447) + Integer overflow in Skia library during edge builder allocation + * CVE-2018-5097 (bmo#1387427) + Use-after-free when source document is manipulated during XSLT + * CVE-2018-5098 (bmo#1399400) + Use-after-free while manipulating form input elements + * CVE-2018-5099 (bmo#1416878) + Use-after-free with widget listener + * CVE-2018-5100 (bmo#1417405) + Use-after-free when IsPotentiallyScrollable arguments are freed + from memory + * CVE-2018-5101 (bmo#1417661) + Use-after-free with floating first-letter style elements + * CVE-2018-5102 (bmo#1419363) + Use-after-free in HTML media elements + * CVE-2018-5103 (bmo#1423159) + Use-after-free during mouse event handling + * CVE-2018-5104 (bmo#1425000) + Use-after-free during font face manipulation + * CVE-2018-5105 (bmo#1390882) + WebExtensions can save and execute files on local file system + without user prompts + * CVE-2018-5106 (bmo#1408708) + Developer Tools can expose style editor information cross-origin + through service worker + * CVE-2018-5107 (bmo#1379276) + Printing process will follow symlinks for local file access + * CVE-2018-5108 (bmo#1421099) + Manually entered blob URL can be accessed by subsequent private browsing tabs + * CVE-2018-5109 (bmo#1405599) + Audio capture prompts and starts with incorrect origin attribution + * CVE-2018-5110 (bmo#1423275) (affects only OS X) + Cursor can be made invisible on OS X + * CVE-2018-5111 (bmo#1321619) + URL spoofing in addressbar through drag and drop + * CVE-2018-5112 (bmo#1425224) + Extension development tools panel can open a non-relative URL in the panel + * CVE-2018-5113 (bmo#1425267) + WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow + * CVE-2018-5114 (bmo#1421324) + The old value of a cookie changed to HttpOnly remains accessible to scripts + * CVE-2018-5115 (bmo#1409449) + Background network requests can open HTTP authentication in unrelated foreground tabs + * CVE-2018-5116 (bmo#1396399) + WebExtension ActiveTab permission allows cross-origin frame content access + * CVE-2018-5117 (bmo#1395508) + URL spoofing with right-to-left text aligned left-to-right + * CVE-2018-5118 (bmo#1420049) + Activity Stream images can attempt to load local content through file: + * CVE-2018-5119 (bmo#1420507) + Reader view will load cross-origin content in violation of CORS headers + * CVE-2018-5121 (bmo#1402368) (affects only OS X) + OS X Tibetan characters render incompletely in the addressbar + * CVE-2018-5122 (bmo#1413841) + Potential integer overflow in DoCrypt + * CVE-2018-5090 + Memory safety bugs fixed in Firefox 58 + * CVE-2018-5089 + Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6 +- requires NSS 3.34.1 +- requires rust 1.21 +- removed obsolete patches: + mozilla-bindgen-systemlibs.patch + mozilla-bmo1360278.patch + mozilla-bmo1399611-csd.patch + mozilla-rust-1.23.patch +- rebased patches +- updated man-page + +------------------------------------------------------------------- +Tue Jan 9 18:48:02 UTC 2018 - wr@rosenauer.org + +- fixed build with latest rust (mozilla-rust-1.23.patch) + +------------------------------------------------------------------- +Thu Jan 4 12:23:41 UTC 2018 - wr@rosenauer.org + +- update to Firefox 57.0.4 + MFSA 2018-1: Speculative execution side-channel attack ("Spectre") + (boo#1074723) + +------------------------------------------------------------------- +Wed Jan 3 08:29:38 UTC 2018 - wr@rosenauer.org + +- fixed regression introduced Oct 10th which made Firefox crash + when cancelling the KDE file dialog (boo#1069962) + +------------------------------------------------------------------- +Fri Dec 29 19:52:34 UTC 2017 - astieger@suse.com + +- Mozilla Firefox 57.0.3: + * Fix a crash reporting issue that inadvertently sends background + tab crash reports to Mozilla without user opt-in (bmo#1427111, + bsc#1074235) +- Includes changes from 57.0.2: + * fixes for platforms other than GNU/Linux + +------------------------------------------------------------------- +Fri Dec 8 15:52:17 UTC 2017 - dimstar@opensuse.org + +- Explicitly buildrequires python2-xml: The build system relies on + it. We wrongly relied on other packages pulling it in for us. + +------------------------------------------------------------------- +Thu Dec 7 11:12:31 UTC 2017 - dimstar@opensuse.org + +- Escape the usage of %{VERSION} when calling out to rpm. + RPM 4.14 has %{VERSION} defined as 'the main packages version'. + +------------------------------------------------------------------- +Wed Nov 29 23:45:03 UTC 2017 - wr@rosenauer.org + +- update to Firefox 57.0.1 + * CVE-2017-7843: Web worker in Private Browsing mode can write + IndexedDB data (bsc#1072034, bmo#1410106) + * CVE-2017-7844: Visited history information leak through SVG + image (bsc#1072036, bmo#1420001) + * Fix a video color distortion issue on YouTube and other video + sites with some AMD devices (bmo#1417442) + * Fix an issue with prefs.js when the profile path has non-ascii + characters (bmo#1420427) + +------------------------------------------------------------------- +Tue Nov 21 09:00:48 UTC 2017 - christophe@krop.fr + +- Add mozilla-bmo1360278.patch + Starting with Firefox 57, the context menu appears on key press. + This patch creates a config entry to restore the + old behaviour. Without the patch, the mouse gesture extensions + require 2 clicks to work (bmo#1360278). + The new config entry is named ui.context_menus.after_mouseup + (default : false). + +------------------------------------------------------------------- +Sat Nov 18 08:35:21 UTC 2017 - wr@rosenauer.org + +- Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled + widget.allow-client-side-decoration=true + (mozilla-bmo1399611-csd.patch) + +------------------------------------------------------------------- +Wed Nov 15 06:46:06 UTC 2017 - wr@rosenauer.org + +- update to Firefox 57.0 (boo#1068101) + * Firefox Quantum + * Photon UI + * Unified address and search bar + * AMD VP9 hardware video decoder support + * Added support for Date/Time input + * stricter security sandbox blocking filesystem reading and + writing on Linux systems + * middle mouse paste in the content area no longer navigates to + URLs by default on Unix systems + MFSA 2017-24 + * CVE-2017-7828 (bmo#1406750. bmo#1412252) + Use-after-free of PressShell while restyling layout + * CVE-2017-7830 (bmo#1408990) + Cross-origin URL information leak through Resource Timing API + * CVE-2017-7831 (bmo#1392026) + Information disclosure of exposed properties on JavaScript proxy + objects + * CVE-2017-7832 (bmo#1408782) + Domain spoofing through use of dotless 'i' character followed + by accent markers + * CVE-2017-7833 (bmo#1370497) + Domain spoofing with Arabic and Indic vowel marker characters + * CVE-2017-7834 (bmo#1358009) + data: URLs opened in new tabs bypass CSP protections + * CVE-2017-7835 (bmo#1402363) + Mixed content blocking incorrectly applies with redirects + * CVE-2017-7836 (bmo#1401339) + Pingsender dynamically loads libcurl on Linux and OS X + * CVE-2017-7837 (bmo#1325923) + SVG loaded as <img> can use meta tags to set cookies + * CVE-2017-7838 (bmo#1399540) + Failure of individual decoding of labels in international domain + names triggers punycode display of entire IDN + * CVE-2017-7839 (bmo#1402896) + Control characters before javascript: URLs defeats self-XSS + prevention mechanism + * CVE-2017-7840 (bmo#1366420) + Exported bookmarks do not strip script elements from user-supplied + tags + * CVE-2017-7842 (bmo#1397064) + Referrer Policy is not always respected for <link> elements + * CVE-2017-7827 + Memory safety bugs fixed in Firefox 57 + * CVE-2017-7826 + Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5 +- requires NSPR 4.17, NSS 3.33 and rustc 1.19 +- rebased patches +- added mozilla-bindgen-systemlibs.patch to allow stylo build + with system libs (bmo#1341234) +- removed mozilla-language.patch since the whole locale code + changed in Firefox and is relying on ICU now +- removed obsolete mozilla-ucontext.patch + +------------------------------------------------------------------- +Sat Oct 28 06:30:37 UTC 2017 - wr@rosenauer.org + +- update to Firefox 56.0.2 + * Disable Form Autofill completely on user request (bmo#1404531) + * Fix for video-related crashes on Windows 7 (bmo#1409141) + * Correct detection for 64-bit GSSAPI authentication (bmo#1409275) + * Fix for shutdown crash (bmo#1404105) + +------------------------------------------------------------------- +Tue Oct 10 11:47:49 UTC 2017 - wr@rosenauer.org + +- update to Firefox 56.0.1 + * Block D3D11 when using Intel drivers on Windows 7 systems with + partial AVX support (bmo#1403353) + -> just to sync the version number +- enable stylo for TW (requires LLVM >= 3.9) +- queue KDE filepicker requests to avoid non-opening file dialogs + happening in certain situations (contributed by Ignaz Forster) +- the placeholder dot in KDE file dialog in case of empty filenames + was removed, apparently not required (anymore) + (contributed by Ignaz Forster) + +------------------------------------------------------------------- +Sun Oct 1 18:25:16 UTC 2017 - stefan.bruens@rwth-aachen.de + +- Correct plugin directory for aarch64 (boo#1061207). The wrapper + script was not detecting aarch64 as a 64 bit architecture, thus + used /usr/lib/browser-plugins/. + +------------------------------------------------------------------- +Sat Sep 30 20:10:50 UTC 2017 - zaitor@opensuse.org + +- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0), + pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), + pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and + pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure + looks for. + +------------------------------------------------------------------- +Thu Sep 28 08:28:29 UTC 2017 - wr@rosenauer.org + +- update to Firefox 56.0 (boo#1060445) + * Firefox Screenshots + * Find Options/Preferences more quickly with new search function + * Media is no longer auto-played when opened in a background tab + * Enable CSS Grid Layout View + MFSA 2017-21 + * CVE-2017-7793 (bmo#1371889) + Use-after-free with Fetch API + * CVE-2017-7817 (bmo#1356596) (Android-only) + Firefox for Android address bar spoofing through fullscreen mode + * CVE-2017-7818 (bmo#1363723) + Use-after-free during ARIA array manipulation + * CVE-2017-7819 (bmo#1380292) + Use-after-free while resizing images in design mode + * CVE-2017-7824 (bmo#1398381) + Buffer overflow when drawing and validating elements with ANGLE + * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) + Use-after-free in TLS 1.2 generating handshake hashes + * CVE-2017-7812 (bmo#1379842) + Drag and drop of malicious page content to the tab bar can open locally stored files + * CVE-2017-7814 (bmo#1376036) + Blob and data URLs bypass phishing and malware protection warnings + * CVE-2017-7813 (bmo#1383951) + Integer truncation in the JavaScript parser + * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) + OS X fonts render some Tibetan and Arabic unicode characters as spaces + * CVE-2017-7815 (bmo#1368981) + Spoofing attack with modal dialogs on non-e10s installations + * CVE-2017-7816 (bmo#1380597) + WebExtensions can load about: URLs in extension UI + * CVE-2017-7821 (bmo#1346515) + WebExtensions can download and open non-executable files without user interaction + * CVE-2017-7823 (bmo#1396320) + CSP sandbox directive did not create a unique origin + * CVE-2017-7822 (bmo#1368859) + WebCrypto allows AES-GCM with 0-length IV + * CVE-2017-7820 (bmo#1378207) + Xray wrapper bypass with new tab and web console + * CVE-2017-7811 + Memory safety bugs fixed in Firefox 56 + * CVE-2017-7810 + Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 +- requires NSPR 4.16 and NSS 3.32.1 +- rebased patches + +------------------------------------------------------------------- +Thu Sep 28 07:53:13 UTC 2017 - dimstar@opensuse.org + +- Add alsa-devel BuildRequires: we care for ALSA support to be + built and thus need to ensure we get the dependencies in place. + In the past, alsa-devel was pulled in by accident: we + buildrequire libgnome-devel. This required esound-devel and that + in turn pulled in alsa-devel for us. libgnome is being fixed to + no longer require esound-devel. + +------------------------------------------------------------------- +Mon Sep 4 18:27:44 UTC 2017 - wr@rosenauer.org + +- update to Firefox 55.0.3 + * Fix an issue with addons when using a path containing non-ascii + characters (bmo#1389160) + * Fix file uploads to some websites, including YouTube (bmo#1383518) +- fix Google API key build integration +- add mozilla-ucontext.patch to fix Tumbleweed build +- do not enable XINPUT2 for now (boo#1053959) + +------------------------------------------------------------------- +Fri Aug 11 08:32:30 UTC 2017 - wr@rosenauer.org + +- update to Firefox 55.0.1 + * Fix a regression the tab restoration process (bmo#1388160) + * Fix a problem causing What's new pages not to be displayed (bmo#1386224) + * Fix a rendering issue with some PKCS#11 libraries (bmo#1388370) + * Disable the predictor prefetch (bmo#1388160) + +------------------------------------------------------------------- +Sat Aug 5 13:22:16 UTC 2017 - wr@rosenauer.org + +- update to Firefox 55.0 (boo#1052829) + * Browsing sessions with a high number of tabs are now restored + in an instant + * Sidebar (bookmarks, history, synced tabs) can now be moved to + the right edge of the window + * Fine-tune your browser performance from the Preferences/Options page. + * Make screenshots of webpages, and save them locally or upload + them to the cloud. This feature will undergo A/B testing and + will not be visible for some users. + * Added Belarusian (be) locale + * Simplify print jobs from within print preview + * Use virtual reality devices with the web with the introduction + of WebVR + * Search suggestions are now enabled by default for users who + haven't explicitly opted-out + * Search with any installed search engine directly from the + location bar + * IMPORTANT: Breaking profile changes - do not downgrade Firefox + and use a profile that has been opened with Firefox 55+. + * The Adobe Flash plugin is now click-to-activate by default and + only allowed on http:// and https:// URL schemes. This change + will be rolled out progressively and so will not be visible to + all users immediately. For more information see the Firefox + plugin roadmap + * Modernized application update UI to be less intrusive and more + aligned with the rest of the browser. Only users who have not + restarted their browser 8 days after downloading an update or + users who opted out of automatic updates will see this change. + * Insecure sites can no longer access the Geolocation APIs to get + access to your physical location + * requires NSPR 4.15 and NSS 3.31 + MFSA 2017-18 + * CVE-2017-7798 (bmo#1371586, bmo#1372112) + XUL injection in the style editor in devtools + * CVE-2017-7800 (bmo#1374047) + Use-after-free in WebSockets during disconnection + * CVE-2017-7801 (bmo#1371259) + Use-after-free with marquee during window resizing + * CVE-2017-7809 (bmo#1380284) + Use-after-free while deleting attached editor DOM node + * CVE-2017-7784 (bmo#1376087) + Use-after-free with image observers + * CVE-2017-7802 (bmo#1378147) + Use-after-free resizing image elements + * CVE-2017-7785 (bmo#1356985) + Buffer overflow manipulating ARIA attributes in DOM + * CVE-2017-7786 (bmo#1365189) + Buffer overflow while painting non-displayable SVG + * CVE-2017-7806 (bmo#1378113) + Use-after-free in layer manager with SVG + * CVE-2017-7753 (bmo#1353312) + Out-of-bounds read with cached style data and pseudo-elements# + * CVE-2017-7787 (bmo#1322896) + Same-origin policy bypass with iframes through page reloads + * CVE-2017-7807 (bmo#1376459) + Domain hijacking through AppCache fallback + * CVE-2017-7792 (bmo#1368652) + Buffer overflow viewing certificates with an extremely long OID + * CVE-2017-7804 (bmo#1372849) + Memory protection bypass through WindowsDllDetourPatcher + * CVE-2017-7791 (bmo#1365875) + Spoofing following page navigation with data: protocol and modal alerts + * CVE-2017-7808 (bmo#1367531) + CSP information leak with frame-ancestors containing paths + * CVE-2017-7782 (bmo#1344034) + WindowsDllDetourPatcher allocates memory without DEP protections + * CVE-2017-7781 (bmo#1352039) + Elliptic curve point addition error when using mixed Jacobian-affine coordinates + * CVE-2017-7794 (bmo#1374281) + Linux file truncation via sandbox broker + * CVE-2017-7803 (bmo#1377426) + CSP containing 'sandbox' improperly applied + * CVE-2017-7799 (bmo#1372509) + Self-XSS XUL injection in about:webrtc + * CVE-2017-7783 (bmo#1360842) + DOS attack through long username in URL + * CVE-2017-7788 (bmo#1073952) + Sandboxed about:srcdoc iframes do not inherit CSP directives + * CVE-2017-7789 (bmo#1074642) + Failure to enable HSTS when two STS headers are sent for a connection + * CVE-2017-7790 (bmo#1350460) (Windows-only) + Windows crash reporter reads extra memory for some non-null-terminated registry values + * CVE-2017-7796 (bmo#1234401) (Windows-only) + Windows updater can delete any file named update.log + * CVE-2017-7797 (bmo#1334776) + Response header name interning leaks across origins + * CVE-2017-7780 + Memory safety bugs fixed in Firefox 55 + * CVE-2017-7779 + Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 +- updated mozilla-kde.patch: + * removed "downloadfinished" alert as Firefox reimplemented the + whole thing (TODO: check if there is another function we should + hook in) + +------------------------------------------------------------------- +Tue Jul 4 20:08:47 UTC 2017 - wr@rosenauer.org + +- update to Firefox 54.0.1 + * Fix a display issue of tab title (bmo#1357656) + * Fix a display issue of opening new tab (bmo#1371995) + * Fix a display issue when opening multiple tabs (bmo#1371962) + * Fix a tab display issue when downloading files (bmo#1373109) + * Fix a PDF printing issue (bmo#1366744) + * Fix a Netflix issue on Linux (bmo#1375708) + +------------------------------------------------------------------- +Thu Jun 15 13:56:05 UTC 2017 - wr@rosenauer.org + +- update to Firefox 54.0 + * Clearer and more detailed information for download items in the + download panel + * Added Burmese (my) locale + * Bookmarks created on mobile devices are now shown in + "Mobile Bookmarks” folder in the drop down list from the toolbar + and Bookmarks option in the menu bar in Desktop Firefox + * added support for multiple content processes (e10s-multi) +- requires NSPR 4.14 and NSS 3.30.2 +- requires rust 1.15.1 +- removed mozilla-shared-nss-db.patch as it seems to be a rather + unused feature + +------------------------------------------------------------------- +Thu Jun 1 04:25:05 UTC 2017 - kah0922@gmail.com + +- remove -fno-inline-small-functions and explicitely optimize with + -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) + +------------------------------------------------------------------- +Wed Apr 26 12:37:38 UTC 2017 - wr@rosenauer.org + +- switch to Mozilla's geolocation service (boo#1026989) +- removed mozilla-preferences.patch obsoleted by overriding via + firefox.js +- fixed KDE integration to avoid crash caused by filepicker + (boo#1015998) + +------------------------------------------------------------------- +Mon Apr 17 12:52:10 UTC 2017 - wr@rosenauer.org + +- update to Firefox 53.0 + * requires NSS 3.29.5 + * Lightweight themes are now applied in private browsing windows + * Reader Mode now displays estimated reading time for the page + * Two new 'compact' themes available in Firefox, dark and light, + based on the Firefox Developer Edition theme + * Ended Firefox Linux support for processors older than Pentium 4 + and AMD Opteron + * Refresh of the media controls user interface + * Shortened titles on tabs are faded out instead of using ellipsis + for improved readability + * Media playback on new tabs is blocked until the tab is visible + * Permission notifications have a cleaner design and cannot be + easily missed + MFSA 2017-10 + * CVE-2017-5456 (bmo#1344415) + Sandbox escape allowing local file system access + * CVE-2017-5442 (bmo#1347979) + Use-after-free during style changes + * CVE-2017-5443 (bmo#1342661) + Out-of-bounds write during BinHex decoding + * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, + bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) + Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and + Firefox ESR 52.1 + * CVE-2017-5464 (bmo#1347075) + Memory corruption with accessibility and DOM manipulation + * CVE-2017-5465 (bmo#1347617) + Out-of-bounds read in ConvolvePixel + * CVE-2017-5466 (bmo#1353975) + Origin confusion when reloading isolated data:text/html URL + * CVE-2017-5467 (bmo#1347262) + Memory corruption when drawing Skia content + * CVE-2017-5460 (bmo#1343642) + Use-after-free in frame selection + * CVE-2017-5461 (bmo#1344380) + Out-of-bounds write in Base64 encoding in NSS + * CVE-2017-5448 (bmo#1346648) + Out-of-bounds write in ClearKeyDecryptor + * CVE-2017-5449 (bmo#1340127) + Crash during bidirectional unicode manipulation with animation + * CVE-2017-5446 (bmo#1343505) + Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data + * CVE-2017-5447 (bmo#1343552) + Out-of-bounds read during glyph processing + * CVE-2017-5444 (bmo#1344461) + Buffer overflow while parsing application/http-index-format content + * CVE-2017-5445 (bmo#1344467) + Uninitialized values used while parsing application/http-index-format + content + * CVE-2017-5468 (bmo#1329521) + Incorrect ownership model for Private Browsing information + * CVE-2017-5469 (bmo#1292534) + Potential Buffer overflow in flex-generated code + * CVE-2017-5440 (bmo#1336832) + Use-after-free in txExecutionState destructor during XSLT processing + * CVE-2017-5441 (bmo#1343795) + Use-after-free with selection during scroll events + * CVE-2017-5439 (bmo#1336830) + Use-after-free in nsTArray Length() during XSLT processing + * CVE-2017-5438 (bmo#1336828) + Use-after-free in nsAutoPtr during XSLT processing + * CVE-2017-5437 (bmo#1343453) + Vulnerabilities in Libevent library + * CVE-2017-5436 (bmo#1345461) + Out-of-bounds write with malicious font in Graphite 2 + * CVE-2017-5435 (bmo#1350683) + Use-after-free during transaction processing in the editor + * CVE-2017-5434 (bmo#1349946) + Use-after-free during focus handling + * CVE-2017-5433 (bmo#1347168) + Use-after-free in SMIL animation functions + * CVE-2017-5432 (bmo#1346654) + Use-after-free in text input selection + * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, + bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, + bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621, + bmo#1349719, bmo#1353476) + Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 + * CVE-2017-5459 (bmo#1333858) + Buffer overflow in WebGL + * CVE-2017-5458 (bmo#1229426) + Drag and drop of javascript: URLs can allow for self-XSS + * CVE-2017-5455 (bmo#1341191) + Sandbox escape through internal feed reader APIs + * CVE-2017-5454 (bmo#1349276) + Sandbox escape allowing file system read access through file picker + * CVE-2017-5451 (bmo#1273537) + Addressbar spoofing with onblur event + * CVE-2017-5453 (bmo#1321247) + HTML injection into RSS Reader feed preview page through + TITLE element + * CVE-2017-5462 (bmo#1345089) + DRBG flaw in NSS +- removed browser(npapi) provides as these plugins are deprecated +- switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for + Leap 42 +- Gtk2 is not longer an option; switched to Gtk3 +- apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support + (boo#1032003) + +------------------------------------------------------------------- +Mon Apr 3 06:16:26 UTC 2017 - wr@rosenauer.org + +- update to Firefox 52.0.2 + * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787) + * Fix loading tab icons on session restore (bmo#1338009) + * Fix a crash on startup on Linux (bmo#1345413) + * Fix new installs erroneously not prompting to change the default + browser setting (bmo#1343938) + +------------------------------------------------------------------- +Mon Mar 20 15:35:57 UTC 2017 - wr@rosenauer.org + +- disable rust usage for everything but x86(-64) +- explicitely add libffi build requirement + +------------------------------------------------------------------- +Fri Mar 17 15:43:29 UTC 2017 - wr@rosenauer.org + +- update to Firefox 52.0.1 (boo#1029822) + MFSA 2017-08 + CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168) + +------------------------------------------------------------------- +Thu Mar 9 12:30:14 UTC 2017 - wr@rosenauer.org + +- reenable ALSA support which was removed by default upstream + +------------------------------------------------------------------- +Sat Mar 4 16:57:45 UTC 2017 - wr@rosenauer.org + +- update to Firefox 52.0 (boo#1028391) + * requires NSS >= 3.28.3 + * Pages containing insecure password fields now display a warning + directly within username and password fields. + * Send and open a tab from one device to another with Sync + * Removed NPAPI support for plugins other than Flash. Silverlight, + Java, Acrobat and the like are no longer supported. + * Removed Battery Status API to reduce fingerprinting of users by + trackers + * MFSA 2017-05 + CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP + (bmo#1334933) + CVE-2017-5401: Memory Corruption when handling ErrorResult + (bmo#1328861) + CVE-2017-5402: Use-after-free working with events in FontFace + objects (bmo#1334876) + CVE-2017-5403: Use-after-free using addRange to add range to an + incorrect root object (bmo#1340186) + CVE-2017-5404: Use-after-free working with ranges in selections + (bmo#1340138) + CVE-2017-5406: Segmentation fault in Skia with canvas operations + (bmo#1306890) + CVE-2017-5407: Pixel and history stealing via floating-point + timing side channel with SVG filters (bmo#1336622) + CVE-2017-5410: Memory corruption during JavaScript garbage + collection incremental sweeping (bmo#1330687) + CVE-2017-5408: Cross-origin reading of video captions in violation + of CORS (bmo#1313711) + CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) + CVE-2017-5413: Segmentation fault during bidirectional operations + (bmo#1337504) + CVE-2017-5414: File picker can choose incorrect default directory + (bmo#1319370) + CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719) + CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) + CVE-2017-5417: Addressbar spoofing by draging and dropping URLs + (bmo#791597) + CVE-2017-5426: Gecko Media Plugin sandbox is not started if + seccomp-bpf filter is running (bmo#1257361) + CVE-2017-5427: Non-existent chrome.manifest file loaded during + startup (bmo#1295542) + CVE-2017-5418: Out of bounds read when parsing HTTP digest + authorization responses (bmo#1338876) + CVE-2017-5419: Repeated authentication prompts lead to DOS + attack (bmo#1312243) + CVE-2017-5420: Javascript: URLs can obfuscate addressbar + location (bmo#1284395) + CVE-2017-5405: FTP response codes can cause use of + uninitialized values for ports (bmo#1336699) + CVE-2017-5421: Print preview spoofing (bmo#1301876) + CVE-2017-5422: DOS attack by using view-source: protocol + repeatedly in one hyperlink (bmo#1295002) + CVE-2017-5399: Memory safety bugs fixed in Firefox 52 + CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and + Firefox ESR 45.8 +- removed obsolete patches + * mozilla-binutils-visibility.patch + * mozilla-check_return.patch + * mozilla-disable-skia-be.patch + * mozilla-skia-overflow.patch + * mozilla-skia-ppc-endianess.patch +- rebased patches +- enable rust usage for Tumbleweed + +------------------------------------------------------------------- +Fri Jan 27 20:25:59 UTC 2017 - astieger@suse.com + +- Mozilla Firefox 51.0.1: + - Multiprocess incompatibility did not correctly register with + some add-ons (bmo#1333423) + +------------------------------------------------------------------- +Fri Jan 20 13:57:56 UTC 2017 - wr@rosenauer.org + +- update to Firefox 51.0 + * requires NSPR >= 4.13.1, NSS >= 3.28.1 + * Added support for FLAC (Free Lossless Audio Codec) playback + * Added support for WebGL 2 + * Added Georgian (ka) and Kabyle (kab) locales + * Support saving passwords for forms without 'submit' events + * Improved video performance for users without GPU acceleration + * Zoom indicator is shown in the URL bar if the zoom level is not + at default level + * View passwords from the prompt before saving them + * Remove Belarusian (be) locale + * Use Skia for content rendering (Linux) + * MFSA 2017-01 + CVE-2017-5375: Excessive JIT code allocation allows bypass of + ASLR and DEP (bmo#1325200, boo#1021814) + CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) + CVE-2017-5377: Memory corruption with transforms to create + gradients in Skia (bmo#1306883, boo#1021826) + CVE-2017-5378: Pointer and frame data leakage of Javascript objects + (bmo#1312001, bmo#1330769, boo#1021818) + CVE-2017-5379: Use-after-free in Web Animations + (bmo#1309198,boo#1021827) + CVE-2017-5380: Potential use-after-free during DOM manipulations + (bmo#1322107, boo#1021819) + CVE-2017-5390: Insecure communication methods in Developer Tools + JSON viewer (bmo#1297361, boo#1021820) + CVE-2017-5389: WebExtensions can install additional add-ons via + modified host requests (bmo#1308688, boo#1021828) + CVE-2017-5396: Use-after-free with Media Decoder + (bmo#1329403, boo#1021821) + CVE-2017-5381: Certificate Viewer exporting can be used to navigate + and save to arbitrary filesystem locations + (bmo#1017616, boo#1021830) + CVE-2017-5382: Feed preview can expose privileged content errors + and exceptions (bmo#1295322, boo#1021831) + CVE-2017-5383: Location bar spoofing with unicode characters + (bmo#1323338, bmo#1324716, boo#1021822) + CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) + (bmo#1255474, boo#1021832) + CVE-2017-5385: Data sent in multipart channels ignores referrer-policy + response headers (bmo#1295945, boo#1021833) + CVE-2017-5386: WebExtensions can use data: protocol to affect other + extensions (bmo#1319070, boo#1021823) + CVE-2017-5394: Android location bar spoofing using fullscreen and + JavaScript events (bmo#1222798) + CVE-2017-5391: Content about: pages can load privileged about: pages + (bmo#1309310, boo#1021835) + CVE-2017-5392: Weak references using multiple threads on weak proxy + objects lead to unsafe memory usage (bmo#1293709) + (Android only) + CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for + mozAddonManager (bmo#1309282, boo#1021837) + CVE-2017-5395: Android location bar spoofing during scrolling + (bmo#1293463) (Android only) + CVE-2017-5387: Disclosure of local file existence through TRACK + tag error messages (bmo#1295023, boo#1021839) + CVE-2017-5388: WebRTC can be used to generate a large amount of + UDP traffic for DDOS attacks + (bmo#1281482, boo#1021840) + CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841) + CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and + Firefox ESR 45.7 (boo#1021824) +- switch Firefox to Gtk3 for Tumbleweed +- removed obsolete patches + * mozilla-flex_buffer_overrun.patch +- updated RPM locale support tag +- improve recognition of LANGUAGE env variable (boo#1017174) +- add upstream patch to fix PPC64LE (bmo#1319389) + (mozilla-skia-ppc-endianess.patch) +- fix build without skia (big endian archs) (bmo#1319374) + (mozilla-disable-skia-be.patch) + +------------------------------------------------------------------- +Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org + +- update to Firefox 50.1.0 (boo#1015422) + * MFSA 2016-94 + CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628) + CVE-2016-9899: Use-after-free while manipulating DOM events and + audio elements (bmo#1317409) + CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) + CVE-2016-9896: Use-after-free with WebVR (bmo#1315543) + CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) + CVE-2016-9898: Use-after-free in Editor while manipulating + DOM subtrees (bmo#1314442) + CVE-2016-9900: Restricted external resources can be loaded by + SVG images through data URLs (bmo#1319122) + CVE-2016-9904: Cross-origin information leak in shared atoms + (bmo#1317936) + CVE-2016-9901: Data from Pocket server improperly sanitized + before execution (bmo#1320057) + CVE-2016-9902: Pocket extension does not validate the origin + of events (bmo#1320039) + CVE-2016-9903: XSS injection vulnerability in add-ons SDK + (bmo#1315435) + CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 + CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and + Firefox ESR 45.6 + +------------------------------------------------------------------- +Fri Dec 9 17:57:22 UTC 2016 - cgrobertson@novell.com + +- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922) + +------------------------------------------------------------------- +Thu Dec 1 02:49:45 UTC 2016 - wr@rosenauer.org + +- update to Firefox 50.0.2 + * Firefox crashes with 3rd party Chinese IME when using IME text + (50.0.1) + security fixes (in 50.0.1): (boo#1012807) + * MFSA 2016-91 + CVE-2016-9078: data: URL can inherit wrong origin after an + HTTP redirect (bmo#1317641) + security fixes (in 50.0.2) (boo#1012964) + * MFSA 2016-92 + CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066) + +------------------------------------------------------------------- +Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org + +- update to Firefox 50.0 (boo#1009026) + * requires NSS 3.26.2 + new features + * Updates to keyboard shortcuts + Set a preference to have Ctrl+Tab cycle through tabs in recently + used order + View a page in Reader Mode by using Ctrl+Alt+R + * Added option to Find in page that allows users to limit search to + whole words only + * Added download protection for a large number of executable file + types on Windows, Mac and Linux + * Fixed rendering of dashed and dotted borders with rounded corners + (border-radius) + * Added a built-in Emoji set for operating systems without native + Emoji fonts (Windows 8.0 and lower and Linux) + * Blocked versions of libavcodec older than 54.35.1 + * additional locale + security fixes: + * MFSA 2016-89 + CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 + (bmo#1292443) + CVE-2016-5292: URL parsing causes crash (bmo#1288482) + CVE-2016-5293: Write to arbitrary file with updater and moz + maintenance service using updater.log hardlink + (Windows only) (bmo#1246945) + CVE-2016-5294: Arbitrary target directory for result files of + update process (Windows only) (bmo#1246972) + CVE-2016-5297: Incorrect argument length checking in Javascript + (bmo#1303678) + CVE-2016-9064: Addons update must verify IDs match between + current and new versions (bmo#1303418) + CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen + (Android only) (bmo#1306696) + CVE-2016-9066: Integer overflow leading to a buffer overflow in + nsScriptLoadHandler (bmo#1299686) + CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore + (bmo#1301777, bmo#1308922 (CVE-2016-9069)) + CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) + CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile + (bmo#1300083) (Windows only) + CVE-2016-9075: WebExtensions can access the mozAddonManager API + and use it to gain elevated privileges (bmo#1295324) + CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied + to cross-origin images, allowing timing attacks on them + (bmo#1298552) + CVE-2016-5291: Same-origin policy violation using local HTML file + and saved shortcut file (bmo#1292159) + CVE-2016-5295: Mozilla Maintenance Service: Ability to read + arbitrary files as SYSTEM (Windows only) (bmo#1247239) + CVE-2016-5298: SSL indicator can mislead the user about the real + URL visited (bmo#1227538) (Android only) + CVE-2016-5299: Firefox AuthToken in broadcast protected with + signature-level permission can be accessed by an + application installed beforehand that defines the + same permissions (bmo#1245791) (Android only) + CVE-2016-9061: API Key (glocation) in broadcast protected with + signature-level permission can be accessed by an + application installed beforehand that defines the + same permissions (Android only) (bmo#1245795) + CVE-2016-9062: Private browsing browser traces (android) in + browser.db and wal file (Android only) (bmo#1294438) + CVE-2016-9070: Sidebar bookmark can have reference to chrome window + (bmo#1281071) + CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" + (bmo#1289273) + CVE-2016-9074: Insufficient timing side-channel resistance in + divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) + CVE-2016-9076: select dropdown menu can be used for URL bar + spoofing on e10s (bmo#1276976) + CVE-2016-9063: Possible integer overflow to fix inside XML_Parse + in expat (bmo#1274777) + CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP + (bmo#1285003) + CVE-2016-5289: Memory safety bugs fixed in Firefox 50 + CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 +- make aarch64 build more similar to x86_64 build (remove conditionals + that don't seem to be necessary anymore) + +------------------------------------------------------------------- +Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com + +- Mozilla Firefox 49.0.2: + * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475) + * CVE-2016-5288: Web content can read cache entries (bsc#1006476) + * Asynchronous rendering of the Flash plugins is now enabled by + default + * Change D3D9 default fallback preference to prevent graphical + artifacts + * Network issue prevents some users from seeing the Firefox UI on + startup + * Web compatibility issue with file uploads + * Web compatibility issue with Array.prototype.values + * Diagnostic information on timing for tab switching + * Fix a Canvas filters graphics issue affecting HTML5 apps + +------------------------------------------------------------------- +Wed Oct 12 20:42:28 UTC 2016 - badshah400@gmail.com + +- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0 + and fixes have been incorporated by upstream. + +------------------------------------------------------------------- +Fri Sep 23 20:36:39 UTC 2016 - astieger@suse.com + +- Mozilla Firefox 49.0.1: + * Mitigate a startup crash issue caused by Websense - bmo#1304783 + +------------------------------------------------------------------- +Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org + +- update to Firefox 49.0 (boo#999701) + new features + * Updated Firefox Login Manager to allow HTTPS pages to use saved + HTTP logins. + * Added features to Reader Mode that make it easier on the eyes and + the ears + * Improved video performance for users on systems that support + SSE3 without hardware acceleration + * Added context menu controls to HTML5 audio and video that let users + loops files or play files at 1.25x speed + * Improvements in about:memory reports for tracking font memory usage + security related + * MFSA 2016-85 + CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in + mozilla::net::IsValidReferrerPolicy + CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in + nsCaseTransformTextRunFactory::TransformString + CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in + PropertyProvider::GetSpacingInternal + CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin + CVE-2016-5273 (bmo#1280387) - crash in + mozilla::a11y::HyperTextAccessible::GetChildOffset + CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in + mozilla::a11y::DocAccessible::ProcessInvalidationList + CVE-2016-5274 (bmo#1282076) - use-after-free in + nsFrameManager::CaptureFrameState + CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick + CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in + mozilla::gfx::FilterSupport::ComputeSourceNeededRegions + CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in + nsBMPEncoder::AddImageFrame + CVE-2016-5279 (bmo#1249522) - Full local path of files is available + to web pages after drag and drop + CVE-2016-5280 (bmo#1289970) - Use-after-free in + mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap + CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength + CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons + from non-whitelisted schemes + CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can + reveal cross-origin data + CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration + CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 + CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 +- removed obsolete patches: + * mozilla-aarch64-48bit-va.patch + * mozilla-exclude-nametablecpp.patch + * mozilla-old_configure-bmo1282843.patch +- added patch mozilla-skia-overflow.patch (bmo#1304114) +- requires NSS 3.25 + +------------------------------------------------------------------- +Tue Aug 30 20:25:38 UTC 2016 - astieger@suse.com + +- Mozilla Firefox 48.0.2: + * Mitigate a startup crash issue caused on Windows (bmo#1291738) + +------------------------------------------------------------------- +Sat Aug 20 10:58:26 UTC 2016 - astieger@suse.com + +- Mozilla Firefox 48.0.1: + * Fix an audio regression impacting some major websites + (bmo#1295296) + * Fix a top crash in the JavaScript engine (bmo#1290469) + * Fix a startup crash issue caused by Websense (bmo#1291738) + * Fix a different behavior with e10s / non-e10s on <select> and + mouse events (bmo#1291078) + * Fix a top crash caused by plugin issues (bmo#1264530) + * Fix a shutdown issue (bmo#1276920) + * Fix a crash in WebRTC + +------------------------------------------------------------------- +Mon Aug 15 11:24:00 UTC 2016 - wr@rosenauer.org + +- added upstream patch so system plugins/extensions are correctly + loaded again on x86-64 (bmo#1282843) + (mozilla-old_configure-bmo1282843.patch) + +------------------------------------------------------------------- +Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com + +- Fix for possible buffer overrun (bsc#990856) + CVE-2016-6354 (bmo#1292534) + [mozilla-flex_buffer_overrun.patch] + +------------------------------------------------------------------- +Wed Aug 3 03:38:47 UTC 2016 - badshah400@gmail.com + +- Update mozilla-gtk3_20.patch to latest version from Fedora. + +------------------------------------------------------------------- +Mon Aug 1 12:37:05 UTC 2016 - wr@rosenauer.org + +- update to Firefox 48.0 (boo#991809) + * requires NSS 3.24 + * Process separation (e10s) is enabled for some of you + * Add-ons that have not been verified and signed by Mozilla will not load + * WebRTC embetterments + * The media parser has been redeveloped using the Rust programming + language + * better Canvas performance with speedy Skia support + security fixes: + * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836 + Miscellaneous memory safety hazards + * MFSA 2016-63/CVE-2016-2830 (bmo#1255270) + Favicon network connection can persist when page is closed + * MFSA 2016-64/CVE-2016-2838 (bmo#1279814) + Buffer overflow rendering SVG with bidirectional content + * MFSA 2016-65/CVE-2016-2839 (bmo#1275339) + Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 + * MFSA 2016-66/CVE-2016-5251 (bmo#1255570) + Location bar spoofing via data URLs with malformed/invalid mediatypes + * MFSA 2016-67/CVE-2016-5252 (bmo#1268854) + Stack underflow during 2D graphics rendering + * MFSA 2016-68/CVE-2016-0718 (bmo#1236923) + Out-of-bounds read during XML parsing in Expat library + * MFSA 2016-69/CVE-2016-5253 (bmo#1246944) + Arbitrary file manipulation by local user through Mozilla updater + and callback application path parameter (Windows-only) + * MFSA 2016-70/CVE-2016-5254 (bmo#1266963) + Use-after-free when using alt key and toplevel menus + * MFSA 2016-71/CVE-2016-5255 (bmo#1212356) + Crash in incremental garbage collection in JavaScript + * MFSA 2016-72/CVE-2016-5258 (bmo#1279146) + Use-after-free in DTLS during WebRTC session shutdown + * MFSA 2016-73/CVE-2016-5259 (bmo#1282992) + Use-after-free in service workers with nested sync events + * MFSA 2016-74/CVE-2016-5260 (bmo#1280294) + Form input type change from password to text can store plain + text password in session restore file + * MFSA 2016-75/CVE-2016-5261 (bmo#1287266) + Integer overflow in WebSockets during data buffering + * MFSA 2016-76/CVE-2016-5262 (bmo#1277475) + Scripts on marquee tag can execute in sandboxed iframes + * MFSA 2016-77/CVE-2016-2837 (bmo#1274637) + Buffer overflow in ClearKey Content Decryption Module (CDM) + during video playback + * MFSA 2016-78/CVE-2016-5263 (bmo#1276897) + Type confusion in display transformation + * MFSA 2016-79/CVE-2016-5264 (bmo#1286183) + Use-after-free when applying SVG effects + * MFSA 2016-80/CVE-2016-5265 (bmo#1278013) + Same-origin policy violation using local HTML file and saved shortcut file + * MFSA 2016-81/CVE-2016-5266 (bmo#1226977) + Information disclosure and local file manipulation through drag and drop + * MFSA 2016-82/CVE-2016-5267 (bmo#1284372) + Addressbar spoofing with right-to-left characters on Firefox for Android + (Android only) + * MFSA 2016-83/CVE-2016-5268 (bmo#1253673) + Spoofing attack through text injection into internal error pages + * MFSA 2016-84/CVE-2016-5250 (bmo#1254688) + Information disclosure through Resource Timing API during page navigation +- removed obsolete mozilla-gcc6.patch + +------------------------------------------------------------------- +Fri Jul 29 01:26:13 UTC 2016 - badshah400@gmail.com + +- Update description and screenshots in appdata.xml file. + +------------------------------------------------------------------- +Sat Jul 23 20:13:08 UTC 2016 - antoine.belvire@laposte.net + +- Fix Firefox crash on startup on i586 (boo#986541): + * Add -fno-delete-null-pointer-checks and + -fno-inline-small-functions to CFLAGS + +------------------------------------------------------------------- +Tue Jul 19 20:12:11 UTC 2016 - mailaender@opensuse.org + +- Update the appdata.xml file (replace Windows XP screenshot) + +------------------------------------------------------------------- +Wed Jun 29 09:25:41 UTC 2016 - astieger@suse.com + +- Mozilla Firefox 47.0.1: + * Selenium WebDriver may cause Firefox to crash at startup + (bmo#1280854) + +------------------------------------------------------------------- +Wed Jun 15 07:52:18 UTC 2016 - wr@rosenauer.org + +- mozilla-binutils-visibility.patch to fix build issues with + gcc/binutils combination used in Leap 42.2 (boo#984637) + +------------------------------------------------------------------- +Tue Jun 14 08:35:03 UTC 2016 - badshah400@gmail.com + +- Update mozilla-gtk3_20.patch to latest version from Fedora. + +------------------------------------------------------------------- +Mon Jun 13 20:28:01 UTC 2016 - agraf@suse.com + +- Fix running on 48bit va aarch64 (bsc#984126) + * add patch mozilla-aarch64-48bit-va.patch + +------------------------------------------------------------------- +Mon Jun 13 15:27:13 UTC 2016 - wr@rosenauer.org + +- fix XUL dialog button order under KDE session (boo#984403) + +------------------------------------------------------------------- +Tue Jun 7 19:47:25 UTC 2016 - wr@rosenauer.org + +- update to Firefox 47.0 (boo#983549) + * Enable VP9 video codec for users with fast machines + * Embedded YouTube videos now play with HTML5 video if Flash is + not installed + * View and search open tabs from your smartphone or another + computer in a sidebar + * Allow no-cache on back/forward navigations for https resources + security fixes: + * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818 + (boo#983638) + (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743, + bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493, + bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752, + bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130, + bmo#1269729, bmo#1273202, bmo#1273701) + Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) + * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381) + Buffer overflow parsing HTML5 fragments + * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460) + Use-after-free deleting tables from a contenteditable document + * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129) + Addressbar spoofing though the SELECT element + * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580) + Out-of-bounds write with WebGL shader + * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093) + Partial same-origin-policy through setting location.host + through data URI + * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810) + Use-after-free when textures are used in WebGL operations + after recycle pool destruction + * MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329) + Incorrect icon displayed on permissions notifications + * MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933) + Entering fullscreen and persistent pointerlock without user + permission + * MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267) + Information disclosure of disabled plugins through CSS + pseudo-classes + * MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933) + Java applets bypass CSP protections + * MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283, + bmo#1221620, bmo#1241034, bmo#1241037) + Network Security Services (NSS) vulnerabilities + fixed by requiring NSS 3.23 + packaging changes: + * cleanup configure options (boo#981695): + - notably remove GStreamer support which is gone from FF + * remove obsolete patches + - mozilla-libproxy.patch + - mozilla-repo.patch + +------------------------------------------------------------------- +Wed May 25 16:36:23 UTC 2016 - badshah400@gmail.com + +- The conditional testing for gcc was failing for different + openSUSE versions, drop it and apply patches unconditionally. + +------------------------------------------------------------------- +Mon May 23 15:30:27 UTC 2016 - badshah400@gmail.com + +- Add patches to fix building with gcc6: + + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch + taken from upstream: + https://hg.mozilla.org/mozilla-central/rev/55212130f19d. + + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp + from unified compilation because #include <cmath> in other + source files causes gcc6 compilation failure; patch taken from + upstream: + https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc. + +------------------------------------------------------------------- +Fri May 13 00:00:00 CEST 2016 - dsterba@suse.cz + +- enable build with PIE and full relro on x86_64 (boo#980384) + +------------------------------------------------------------------- +Wed May 4 10:27:43 UTC 2016 - wr@rosenauer.org + +- update to Firefox 46.0.1 + Fixed: + * Search plugin issue for various locales + * Add-on signing certificate expiration + * Service worker update issue + * Build issue when jit is disabled + * Limit Sync registration updates +- removed now obsolete mozilla-jit_branch64.patch + +------------------------------------------------------------------- +Tue May 3 15:47:18 UTC 2016 - normand@linux.vnet.ibm.com + +- add mozilla-jit_branch64.patch to avoid PowerPC build failure + (from bmo#1266366) + +------------------------------------------------------------------- +Wed Apr 27 08:39:28 UTC 2016 - badshah400@gmail.com + +- Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest + version from Fedora). + +------------------------------------------------------------------- +Wed Apr 27 06:09:30 UTC 2016 - wr@rosenauer.org + +- update to Firefox 46.0 (boo#977333) + * Improved security of the JavaScript Just In Time (JIT) Compiler + * WebRTC fixes to improve performance and stability + * Added support for document.elementsFromPoint + * Added HKDF support for Web Crypto API + * requires NSPR 4.12 and NSS 3.22.3 + * added patch to fix unchecked return value + mozilla-check_return.patch + * Gtk3 builds not supported at the moment + security fixes: + * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807 + (boo#977373, boo#977375, boo#977376) + Miscellaneous memory safety hazards + * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377) + Privilege escalation through file deletion by Maintenance Service updater + (Windows only) + * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378) + Content provider permission bypass allows malicious application + to access data (Android only) + * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812 + (bmo#1252330, bmo#1261776, boo#977379) + Use-after-free and buffer overflow in Service Workers + * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380) + Disclosure of user actions through JavaScript with motion and + orientation sensors (only affects mobile variants) + * MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381) + Buffer overflow in libstagefright with CENC offsets + * MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382) + CSP not applied to pages sent with multipart/x-mixed-replace + * MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384) + Elevation of privilege with chrome.tabs.update API in web extensions + * MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386) + Write to invalid HashMap entry through JavaScript.watch() + * MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388) + Firefox Health Reports could accept events from untrusted domains + +------------------------------------------------------------------- +Thu Apr 21 12:00:28 UTC 2016 - badshah400@gmail.com + +- Update mozilla-gtk3_20.patch to fix scrollbar appearance under + gtk >= 3.20 (patch synced to Fedora's version). + +------------------------------------------------------------------- +Tue Apr 12 19:11:30 UTC 2016 - badshah400@gmail.com + +- Compile against gtk3 depending on whether the macro + %firefox_use_gtk3 is defined or not (e.g., at the prjconf + level); macro is undefined by default and so gtk2 is used as the + default toolkit. +- Add BuildRequires for additional packages needed when building + against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0), + pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0). +- Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20; + patch taken from Fedora (bmo#1230955). + +------------------------------------------------------------------- +Mon Apr 11 22:49:24 UTC 2016 - astieger@suse.com + +- Mozilla Firefox 45.0.2: + * Fix an issue impacting the cookie header when third-party + cookies are blocked (bmo#1257861) + * Fix a web compatibility regression impacting the srcset + attribute of the image tag (bmo#1259482) + * Fix a crash impacting the video playback with Media Source + Extension (bmo#1258562) + * Fix a regression impacting some specific uploads (bmo#1255735) + * Fix a regression with the copy and paste with some old versions + of some Gecko applications like Thunderbird (bmo#1254980) + +------------------------------------------------------------------- +Fri Mar 18 08:52:58 UTC 2016 - astieger@suse.com + +- Mozilla Firefox 45.0.1: + * Fix a regression causing search engine settings to be lost in + some context (bmo#1254694) + * Bring back non-standard jar: URIs to fix a regression in IBM + iNotes (bmo#1255139) + * XSLTProcessor.importStylesheet was failing when <import> was + used (bmo#1249572) + * Fix an issue which could cause the list of search provider to + be empty (bmo#1255605) + * Fix a regression when using the location bar (bmo#1254503) + * Fix some loading issues when Accept third-party cookies: was + set to Never (bmo#1254856) + * Disabled Graphite font shaping library + +------------------------------------------------------------------- +Sun Mar 6 19:52:13 UTC 2016 - wr@rosenauer.org + +- update to Firefox 45.0 (boo#969894) + * requires NSPR 4.12 / NSS 3.21.1 + * Instant browser tab sharing through Hello + * Synced Tabs button in button bar + * Tabs synced via Firefox Accounts from other devices are now shown + in dropdown area of Awesome Bar when searching + * Introduce a new preference (network.dns.blockDotOnion) to allow + blocking .onion at the DNS level + * Tab Groups (Panorama) feature removed + * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 + Miscellaneous memory safety hazards + * MFSA 2016-17/CVE-2016-1954 (bmo#1243178) + Local file overwriting and potential privilege escalation through + CSP reports + * MFSA 2016-18/CVE-2016-1955 (bmo#1208946) + CSP reports fail to strip location information for embedded iframe pages + * MFSA 2016-19/CVE-2016-1956 (bmo#1199923) + Linux video memory DOS with Intel drivers + * MFSA 2016-20/CVE-2016-1957 (bmo#1227052) + Memory leak in libstagefright when deleting an array during MP4 + processing + * MFSA 2016-21/CVE-2016-1958 (bmo#1228754) + Displayed page address can be overridden + * MFSA 2016-22/CVE-2016-1959 (bmo#1234949) + Service Worker Manager out-of-bounds read in Service Worker Manager + * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) + Use-after-free in HTML5 string parser + * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) + Use-after-free in SetBody + * MFSA 2016-25/CVE-2016-1962 (bmo#1240760) + Use-after-free when using multiple WebRTC data channels + * MFSA 2016-26/CVE-2016-1963 (bmo#1238440) + Memory corruption when modifying a file being read by FileReader + * MFSA 2016-27/CVE-2016-1964 (bmo#1243335) + Use-after-free during XML transformations + * MFSA 2016-28/CVE-2016-1965 (bmo#1245264) + Addressbar spoofing though history navigation and Location protocol + property + * MFSA 2016-29/CVE-2016-1967 (bmo#1246956) + Same-origin policy violation using perfomance.getEntries and + history navigation with session restore + * MFSA 2016-30/CVE-2016-1968 (bmo#1246742) + Buffer overflow in Brotli decompression + * MFSA 2016-31/CVE-2016-1966 (bmo#1246054) + Memory corruption with malicious NPAPI plugin + * MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/ + CVE-2016-1976/CVE-2016-1972 + WebRTC and LibVPX vulnerabilities found through code inspection + * MFSA 2016-33/CVE-2016-1973 (bmo#1219339) + Use-after-free in GetStaticInstance in WebRTC + * MFSA 2016-34/CVE-2016-1974 (bmo#1228103) + Out-of-bounds read in HTML parser following a failed allocation + * MFSA 2016-35/CVE-2016-1950 (bmo#1245528) + Buffer overflow during ASN.1 decoding in NSS + (fixed by requiring 3.21.1) + * MFSA 2016-36/CVE-2016-1979 (bmo#1185033) + Use-after-free during processing of DER encoded keys in NSS + (fixed by requiring 3.21.1) + * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/ + CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/ + CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/ + CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 + Font vulnerabilities in the Graphite 2 library + +------------------------------------------------------------------- +Sat Mar 5 15:27:00 UTC 2016 - olaf@aepfle.de + +- Remove B_CNT from symbols.zip filename to reduce build-compare noise + +------------------------------------------------------------------- +Fri Feb 26 16:22:52 UTC 2016 - astieger@suse.com + +- fix build problems on i586, caused by too large unified compile + units - adding mozilla-reduce-files-per-UnifiedBindings.patch + +------------------------------------------------------------------- +Thu Feb 11 07:51:34 UTC 2016 - wr@rosenauer.org + +- update to Firefox 44.0.2 + * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438) + Same-origin-policy violation using Service Workers with plugins + * Fix issue which could lead to the removal of stored passwords + under certain circumstances (bmo#1242176) + * Allows spaces in cookie names (bmo#1244505) + * Disable opus/vorbis audio with H.264 (bmo#1245696) + * Fix for graphics startup crash (GNU/Linux) (bmo#1222171) + * Fix a crash in cache networking (bmo#1244076) + * Fix using WebSockets in service worker controlled pages (bmo#1243942) + +------------------------------------------------------------------- +Sat Jan 30 08:28:17 UTC 2016 - dmueller@suse.com + +- build fixes for arm/aarch64: + * disable webrtc for arm/aarch64 + * switch away from openGL-ES backend to default for arm/aarch64 + since it almost never builds + * reenable neon +- reenable webrtc for powerpc as it seems to build + +------------------------------------------------------------------- +Sun Jan 24 09:33:15 UTC 2016 - wr@rosenauer.org + +- update to Firefox 44.0 + * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633 + Miscellaneous memory safety hazards + * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634 + Out of Memory crash when parsing GIF format images + * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635 + Buffer overflow in WebGL after out of memory allocation + * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637 + Firefox allows for control characters to be set in cookie names + * MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641 + Missing delay following user click events in protocol handler dialog + * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731 + Errors in mp_div and mp_exptmod cryptographic functions in NSS + (fixed by requiring NSS 3.21) + * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590) + Addressbar spoofing attacks boo#963643 + * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946 + (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644 + Unsafe memory manipulation found through code inspection + * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645 + Application Reputation service disabled in Firefox 43 + * requires NSPR 4.11 + * requires NSS 3.21 +- prepare mozilla-kde.patch for Gtk3 builds +- rebased patches + +------------------------------------------------------------------- +Mon Jan 11 08:04:24 UTC 2016 - astieger@suse.com + +- Mozilla Firefox 43.0.4: + * Re-enable SHA-1 certificates to prevent outdated + man-in-the-middle security devices from interfering with + properly secured SSL/TLS connections (bmo#1236975) + * Fix for startup crash for users of a third party antivirus tool + (bmo#1235537) +- The following change was previously in the package as a patch: + * Multi-user GNU/Linux download folders can be created + (bmo#1233434), removed mozilla-bmo1233434.patch + +------------------------------------------------------------------- +Tue Dec 29 20:29:35 UTC 2015 - wr@rosenauer.org + +- update to Firefox 43.0.3 + * requires NSS 3.20.2 to fix + MFSA 2015-150/CVE-2015-7575 (bmo#1158489) + MD5 signatures accepted within TLS 1.2 ServerKeyExchange in + server signature + * various changes to support Windows update (SHA-1 vs. SHA-2) + * workaround Youtube user agent detection issue (bmo#1233970) +- fix file download regression for multi user systems + (bmo#1233434) (mozilla-bmo1233434.patch) +- explicitely requires libXcomposite-devel + +------------------------------------------------------------------- +Sun Dec 13 23:07:56 UTC 2015 - wr@rosenauer.org + +- update to Firefox 43.0 (bnc#959277) + * Improved API support for m4v video playback + * Users can opt-in to receive search suggestions from the Awesome Bar + * WebRTC streaming on multiple monitors + * User selectable second block list for Private Browsing's Tracking + Protection + security fixes: + * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 + Miscellaneous memory safety hazards + * MFSA 2015-135/CVE-2015-7204 (bmo#1216130) + Crash with JavaScript variable assignment with unboxed objects + * MFSA 2015-136/CVE-2015-7207 (bmo#1185256) + Same-origin policy violation using perfomance.getEntries and + history navigation + * MFSA 2015-137/CVE-2015-7208 (bmo#1191423) + Firefox allows for control characters to be set in cookies + * MFSA 2015-138/CVE-2015-7210 (bmo#1218326) + Use-after-free in WebRTC when datachannel is used after being + destroyed + * MFSA 2015-139/CVE-2015-7212 (bmo#1222809) + Integer overflow allocating extremely large textures + * MFSA 2015-140/CVE-2015-7215 (bmo#1160890) + Cross-origin information leak through web workers error events + * MFSA 2015-141/CVE-2015-7211 (bmo#1221444) + Hash in data URI is incorrectly parsed + * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) + DOS due to malformed frames in HTTP/2 + * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) + Linux file chooser crashes on malformed images due to flaws in + Jasper library + * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221 + (bmo#1201183, bmo#1178033, bmo#1199400) + Buffer overflows found through code inspection + * MFSA 2015-145/CVE-2015-7205 (bmo#1220493) + Underflow through code inspection + * MFSA 2015-146/CVE-2015-7213 (bmo#1206211) + Integer overflow in MP4 playback in 64-bit versions + * MFSA 2015-147/CVE-2015-7222 (bmo#1216748) + Integer underflow and buffer overflow processing MP4 metadata in + libstagefright + * MFSA 2015-148/CVE-2015-7223 (bmo#1226423) + Privilege escalation vulnerabilities in WebExtension APIs + * MFSA 2015-149/CVE-2015-7214 (bmo#1228950) + Cross-site reading attack through data and view-source URIs +- rebased patches + +------------------------------------------------------------------- +Sun Nov 15 19:52:20 UTC 2015 - wr@rosenauer.org + +- Add desktop menu action for private browsing window to desktop + file (boo#954747) +- remove obsolete patch mozilla-bmo1005535.patch completely from + source package to avoid automatic check failures + +------------------------------------------------------------------- +Sat Oct 31 19:50:03 UTC 2015 - wr@rosenauer.org + +- update to Firefox 42.0 (bnc#952810) + * Private Browsing with Tracking Protection blocks certain Web + elements that could be used to record your behavior across sites + * Control Center that contains site security and privacy controls + * Login Manager improvements + * WebRTC improvements + * Indicator added to tabs that play audio with one-click muting + * Media Source Extension for HTML5 video available for all sites + security fixes: + * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514 + Miscellaneous memory safety hazards + * MFSA 2015-117/CVE-2015-4515 (bmo#1046421) + Information disclosure through NTLM authentication + * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692) + CSP bypass due to permissive Reader mode whitelist + * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only) + Firefox for Android addressbar can be removed after fullscreen mode + * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only) + Reading sensitive profile files through local HTML file on Android + * MFSA 2015-121/CVE-2015-7187 (bmo#1195735) + disabling scripts in Add-on SDK panels has no effect + * MFSA 2015-122/CVE-2015-7188 (bmo#1199430) + Trailing whitespace in IP address hostnames can bypass same-origin policy + * MFSA 2015-123/CVE-2015-7189 (bmo#1205900) + Buffer overflow during image interactions in canvas + * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only) + Android intents can be used on Firefox for Android to open privileged files + * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only) + XSS attack through intents on Firefox for Android + * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only) + Crash when accessing HTML tables with accessibility tools on OS X + * MFSA 2015-127/CVE-2015-7193 (bmo#1210302) + CORS preflight is bypassed when non-standard Content-Type headers + are received + * MFSA 2015-128/CVE-2015-7194 (bmo#1211262) + Memory corruption in libjar through zip files + * MFSA 2015-129/CVE-2015-7195 (bmo#1211871) + Certain escaped characters in host of Location-header are being + treated as non-escaped + * MFSA 2015-130/CVE-2015-7196 (bmo#1140616) + JavaScript garbage collection crash with Java applet + * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 + (bmo#1188010, bmo#1204061, bmo#1204155) + Vulnerabilities found through code inspection + * MFSA 2015-132/CVE-2015-7197 (bmo#1204269) + Mixed content WebSocket policy bypass through workers + * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 + (bmo#1202868, bmo#1205157) + NSS and NSPR memory corruption issues + (fixed in mozilla-nspr and mozilla-nss packages) +- requires NSPR >= 4.10.10 and NSS >= 3.19.4 +- removed obsolete patches + * mozilla-arm-disable-edsp.patch + * mozilla-icu-strncat.patch + * mozilla-skia-be-le.patch + * toolkit-download-folder.patch +- fixed build with enable-libproxy (bmo#1220399) + * mozilla-libproxy.patch + +------------------------------------------------------------------- +Thu Oct 15 08:25:54 UTC 2015 - wr@rosenauer.org + +- update to Firefox 41.0.2 (bnc#950686) + * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669) + Cross-origin restriction bypass using Fetch +- added explicit appdata provides (bnc#949983) + +------------------------------------------------------------------- +Sun Oct 4 09:20:56 UTC 2015 - wr@rosenauer.org + +- do not build with --enable-stdcxx-compat + (this starts to fail build on various toolchain combinations + and is not required for openSUSE builds in general + +------------------------------------------------------------------- +Thu Oct 1 09:49:57 UTC 2015 - wr@rosenauer.org + +- update to Firefox 41.0.1 + * Fix a startup crash related to Yandex toolbar and Adblock Plus + (bmo#1209124) + * Fix potential hangs with Flash plugins (bmo#1185639) + * Fix a regression in the bookmark creation (bmo#1206376) + * Fix a startup crash with some Intel Media Accelerator 3150 + graphic cards (bmo#1207665) + * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601) + +------------------------------------------------------------------- +Sat Sep 19 20:23:29 UTC 2015 - wr@rosenauer.org + +- update to Firefox 41.0 (bnc#947003) + * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 + Miscellaneous memory safety hazards + * MFSA 2015-97/CVE-2015-4503 (bmo#994337) + Memory leak in mozTCPSocket to servers + * MFSA 2015-98/CVE-2015-4504 (bmo#1132467) + Out of bounds read in QCMS library with ICC V4 profile attributes + * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only) + Site attribute spoofing on Android by pasting URL with unknown scheme + * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) + Arbitrary file manipulation by local user through Mozilla updater + * MFSA 2015-101/CVE-2015-4506 (bmo#1192226) + Buffer overflow in libvpx while parsing vp9 format video + * MFSA 2015-102/CVE-2015-4507 (bmo#1192401) + Crash when using debugger with SavedStacks in JavaScript + * MFSA 2015-103/CVE-2015-4508 (bmo#1195976) + URL spoofing in reader mode + * MFSA 2015-104/CVE-2015-4510 (bmo#1200004) + Use-after-free with shared workers and IndexedDB + * MFSA 2015-105/CVE-2015-4511 (bmo#1200148) + Buffer overflow while decoding WebM video + * MFSA 2015-106/CVE-2015-4509 (bmo#1198435) + Use-after-free while manipulating HTML media content + * MFSA 2015-107/CVE-2015-4512 (bmo#1170390) + Out-of-bounds read during 2D canvas display on Linux 16-bit + color depth systems + * MFSA 2015-108/CVE-2015-4502 (bmo#1105045) + Scripted proxies can access inner window + * MFSA 2015-109/CVE-2015-4516 (bmo#904886) + JavaScript immutable property enforcement can be bypassed + * MFSA 2015-110/CVE-2015-4519 (bmo#1189814) + Dragging and dropping images exposes final URL after redirects + * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869) + Errors in the handling of CORS preflight request headers + * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/ + CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/ + CVE-2015-7180 + Vulnerabilities found through code inspection + * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860, + bmo#1190526) (Windows only) + Memory safety errors in libGLES in the ANGLE graphics library + * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only) + Information disclosure via the High Resolution Time API +- rebased patches +- removed obsolete patches + * mozilla-arm64-libjpeg-turbo.patch + +------------------------------------------------------------------ +Thu Aug 27 06:03:51 UTC 2015 - wr@rosenauer.org + +- update to Firefox 40.0.3 (bnc#943550) + * Disable the asynchronous plugin initialization (bmo#1198590) + * Fix a segmentation fault in the GStreamer support (bmo#1145230) + * Fix a regression with some Japanese fonts used in the <input> + field (bmo#1194055) + * On some sites, the selection in a select combox box using the + mouse could be broken (bmo#1194733) + security fixes + * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278) + Use-after-free when resizing canvas element during restyling + * MFSA 2015-95/CVE-2015-4498 (bmo#1042699) + Add-on notification bypass through data URLs + +------------------------------------------------------------------- +Fri Aug 7 07:49:49 UTC 2015 - wr@rosenauer.org + +- update to Firefox 40.0 (bnc#940806) + * Added protection against unwanted software downloads + * Suggested Tiles show sites of interest, based on categories + from your recent browsing history + * Hello allows adding a link to conversations to provide context + on what the conversation will be about + * New style for add-on manager based on the in-content + preferences style + * Improved scrolling, graphics, and video playback performance + with off main thread compositing (GNU/Linux only) + * Graphic blocklist mechanism improved: Firefox version ranges + can be specified, limiting the number of devices blocked + security fixes: + * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 + Miscellaneous memory safety hazards + * MFSA 2015-80/CVE-2015-4475 (bmo#1175396) + Out-of-bounds read with malformed MP3 file + * MFSA 2015-81/CVE-2015-4477 (bmo#1179484) + Use-after-free in MediaStream playback + * MFSA 2015-82/CVE-2015-4478 (bmo#1105914) + Redefinition of non-configurable JavaScript object properties + * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 + Overflow issues in libstagefright + * MFSA 2015-84/CVE-2015-4481 (bmo1171518) + Arbitrary file overwriting through Mozilla Maintenance Service + with hard links (only affected Windows) + * MFSA 2015-85/CVE-2015-4482 (bmo#1184500) + Out-of-bounds write with Updater and malicious MAR file + (does not affect openSUSE RPM packages which do not ship the + updater) + * MFSA 2015-86/CVE-2015-4483 (bmo#1148732) + Feed protocol with POST bypasses mixed content protections + * MFSA 2015-87/CVE-2015-4484 (bmo#1171540) + Crash when using shared memory in JavaScript + * MFSA 2015-88/CVE-2015-4491 (bmo#1184009) + Heap overflow in gdk-pixbuf when scaling bitmap images + * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) + Buffer overflows on Libvpx when decoding WebM video + * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 + Vulnerabilities found through code inspection + * MFSA 2015-91/CVE-2015-4490 (bmo#1086999) + Mozilla Content Security Policy allows for asterisk wildcards + in violation of CSP specification + * MFSA 2015-92/CVE-2015-4492 (bmo#1185820) + Use-after-free in XMLHttpRequest with shared workers +- added mozilla-no-stdcxx-check.patch +- removed obsolete patches + * mozilla-add-glibcxx_use_cxx11_abi.patch + * firefox-multilocale-chrome.patch +- rebased patches +- requires version 40 of the branding package +- removed browser/searchplugins/ location as it's not valid anymore + +------------------------------------------------------------------- +Fri Aug 7 07:09:39 UTC 2015 - wr@rosenauer.org + +- security update to Firefox 39.0.3 (bnc#940918) + * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) + Same origin violation and local file stealing via PDF reader + +------------------------------------------------------------------- +Wed Jul 1 06:43:02 UTC 2015 - wr@rosenauer.org + +- update to Firefox 39.0 (bnc#935979) + * Share Hello URLs with social networks + * Support for 'switch' role in ARIA 1.1 (web accessibility) + * SafeBrowsing malware detection lookups enabled for downloads + (Mac OS X and Linux) + * Support for new Unicode 8.0 skin tone emoji + * Removed support for insecure SSLv3 for network communications + * Disable use of RC4 except for temporarily whitelisted hosts + * NPAPI Plug-in performance improved via asynchronous initialization + security fixes: + * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726 + Miscellaneous memory safety hazards + * MFSA 2015-60/CVE-2015-2727 (bmo#1163422) + Local files or privileged URLs in pages can be opened into new tabs + * MFSA 2015-61/CVE-2015-2728 (bmo#1142210) + Type confusion in Indexed Database Manager + * MFSA 2015-62/CVE-2015-2729 (bmo#1122218) + Out-of-bound read while computing an oscillator rendering range in Web Audio + * MFSA 2015-63/CVE-2015-2731 (bmo#1149891) + Use-after-free in Content Policy due to microtask execution error + * MFSA 2015-64/CVE-2015-2730 (bmo#1125025) + ECDSA signature validation fails to handle some signatures correctly + (this fix is shipped by NSS 3.19.1 externally) + * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867) + Use-after-free in workers while using XMLHttpRequest + * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737 + CVE-2015-2738/CVE-2015-2739/CVE-2015-2740 + Vulnerabilities found through code inspection + * MFSA 2015-67/CVE-2015-2741 (bmo#1147497) + Key pinning is ignored when overridable errors are encountered + * MFSA 2015-68/CVE-2015-2742 (bmo#1138669) + OS X crash reports may contain entered key press information + (not relevant under Linux) + * MFSA 2015-69/CVE-2015-2743 (bmo#1163109) + Privilege escalation in PDF.js + * MFSA 2015-70/CVE-2015-4000 (bmo#1138554) + NSS accepts export-length DHE keys with regular DHE cipher suites + (this fix is shipped by NSS 3.19.1 externally) + * MFSA 2015-71/CVE-2015-2721 (bmo#1086145) + NSS incorrectly permits skipping of ServerKeyExchange + (this fix is shipped by NSS 3.19.1 externally) +- dropped mozilla-prefer_plugin_pref.patch as this feature is + likely not worth maintaining further +- rebased patches +- require NSS 3.19.2 + +------------------------------------------------------------------- +Thu Jun 18 10:30:18 UTC 2015 - schwab@suse.de + +- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration + +------------------------------------------------------------------- +Sun Jun 7 07:09:12 UTC 2015 - wr@rosenauer.org + +- update to Firefox 38.0.6 + * fixes bmo#1171730 which is not really relevant to oS builds +- fix KDE regression from 38.0.5 builds (bsc#933439) + +------------------------------------------------------------------- +Sat May 23 21:13:49 UTC 2015 - wr@rosenauer.org + +- update to Firefox 38.0.5 + * Keep track of articles and videos with Pocket + * Clean formatting for articles and blog posts with Reader View + * Share the active tab or window in a Hello conversation +- add changes file as source for SRPM (bsc#932142) + +------------------------------------------------------------------- +Fri May 15 10:40:19 UTC 2015 - normand@linux.vnet.ibm.com + +- add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from + https://bugzilla.mozilla.org/show_bug.cgi?id=1153109 + +------------------------------------------------------------------- +Fri May 15 07:37:46 UTC 2015 - wr@rosenauer.org + +- update to Firefox 38.0.1 + stability and regression fixes + * Systems with first generation NVidia Optimus graphics cards + may crash on start-up + * Users who import cookies from Google Chrome can end up with + broken websites + * Large animated images may fail to play and may stop other + images from loading + +------------------------------------------------------------------- +Sun May 10 07:07:49 UTC 2015 - wr@rosenauer.org + +- update to Firefox 38.0 (bnc#930622) + * New tab-based preferences + * Ruby annotation support + * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/ + security fixes: + * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 + Miscellaneous memory safety hazards + * MFSA 2015-47/VE-2015-0797 (bmo#1080995) + Buffer overflow parsing H.264 video with Linux Gstreamer + * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) + Buffer overflow with SVG content and CSS + * MFSA 2015-49/CVE-2015-2711 (bmo#1113431) + Referrer policy ignored when links opened by middle-click and + context menu + * MFSA 2015-50/CVE-2015-2712 (bmo#1152280) + Out-of-bounds read and write in asm.js validation + * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) + Use-after-free during text processing with vertical text enabled + * MFSA 2015-53/CVE-2015-2715 (bmo#988698) + Use-after-free due to Media Decoder Thread creation during shutdown + * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) + Buffer overflow when parsing compressed XML + * MFSA 2015-55/CVE-2015-2717 (bmo#1154683) + Buffer overflow and out-of-bounds read while parsing MP4 video + metadata + * MFSA 2015-56/CVE-2015-2718 (bmo#1146724) + Untrusted site hosting trusted page can intercept webchannel + responses + * MFSA 2015-57/CVE-2011-3079 (bmo#1087565) + Privilege escalation through IPC channel messages +- requires NSS 3.18.1 +- removed obsolete patches: + * mozilla-skia-bmo1136958.patch +- remove gnomevfs build options as it is removed from sources +- rebased patches + +------------------------------------------------------------------- +Fri Apr 17 16:39:20 UTC 2015 - wr@rosenauer.org + +- update to Firefox 37.0.2 (bnc#928116) + * MFSA 2015-45/CVE-2015-2706 (bmo#1141081) + Memory corruption during failed plugin initialization + +------------------------------------------------------------------- +Fri Apr 3 08:27:24 UTC 2015 - wr@rosenauer.org + +- update to Firefox 37.0.1 (bnc#926166) + * MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only) + Loading privileged content through Reader mode + * MFSA 2015-44/CVE-2015-0799 (bmo#1148328) + Certificate verification bypass through the HTTP/2 Alt-Svc header + +------------------------------------------------------------------- +Sat Mar 28 09:46:48 UTC 2015 - wr@rosenauer.org + +- update to Firefox 37.0 (bnc#925368) + * Heartbeat user rating system + * Yandex set as default search provider for the Turkish locale + * Bing search now uses HTTPS for secure searching + * Improved protection against site impersonation via OneCRL + centralized certificate revocation + * Opportunistically encrypt HTTP traffic where the server supports + HTTP/2 AltSvc + * some more behaviour changes for TLS + security fixes: + * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 + Miscellaneous memory safety hazards + * MFSA 2015-31/CVE-2015-0813 (bmo#1106596)) + Use-after-free when using the Fluendo MP3 GStreamer plugin + * MFSA 2015-32/CVE-2015-0812 (bmo#1128126) + Add-on lightweight theme installation approval bypassed through + MITM attack + * MFSA 2015-33/CVE-2015-0816 (bmo#1144991) + resource:// documents can load privileged pages + * MFSA-2015-34/CVE-2015-0811 (bmo#1132468) + Out of bounds read in QCMS library + * MFSA-2015-35/CVE-2015-0810 (bmo#1125013) + Cursor clickjacking with flash and images (OS X only) + * MFSA-2015-36/CVE-2015-0808 (bmo#1109552) + Incorrect memory management for simple-type arrays in WebRTC + * MFSA-2015-37/CVE-2015-0807 (bmo#1111834) + CORS requests should not follow 30x redirections after preflight + * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437) + Memory corruption crashes in Off Main Thread Compositing + * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560) + Use-after-free due to type confusion flaws + * MFSA-2015-40/CVE-2015-0801 (bmo#1146339) + Same-origin bypass through anchor navigation + * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808 + PRNG weakness allows for DNS poisoning on Android (only) + * MFSA-2015-42/CVE-2015-0802 (bmo#1124898) + Windows can retain access to privileged content on navigation + to unprivileged pages +- removed obsolete patches + * mozilla-bmo1088588.patch + * mozilla-bmo1108834.patch +- requires NSPR 4.10.8 + +------------------------------------------------------------------- +Tue Mar 24 15:35:24 UTC 2015 - dvaleev@suse.com + +- Fix builds with skia on Power + mozilla-skia-be-le.patch (patch from #bmo1136958) + mozilla-bmo1108834.patch + mozilla-bmo1005535.patch + +------------------------------------------------------------------- +Sat Mar 21 09:03:12 UTC 2015 - wr@rosenauer.org + +- update to Firefox 36.0.4 (bnc#923534) + * MFSA 2015-28/CVE-2015-0818 (bmo#1144988) + Privilege escalation through SVG navigation + * MFSA 2015-29/CVE-2015-0817 (bmo#1145255) + Code execution through incorrect JavaScript bounds checking + elimination + +------------------------------------------------------------------- +Fri Mar 20 15:02:33 UTC 2015 - dimstar@opensuse.org + +- Copy the icons to /usr/share/icons instead of symlinking them: + in preparation for containerized apps (e.g. xdg-app) as well as + AppStream metadata extraction, there are a couple locations that + need to be real files for system integration (.desktop files, + icons, mime-type info). + +------------------------------------------------------------------- +Sat Mar 7 07:40:56 UTC 2015 - wr@rosenauer.org + +- update to Firefox 36.0.1 + Bugfixes: + * Disable the usage of the ANY DNS query type (bmo#1093983) + * Hello may become inactive until restart (bmo#1137469) + * Print preferences may not be preserved (bmo#1136855) + * Hello contact tabs may not be visible (bmo#1137141) + * Accept hostnames that include an underscore character ("_") + (bmo#1136616) + * WebGL may use significant memory with Canvas2d (bmo#1137251) + * Option -remote has been restored (bmo#1080319) +- added mozilla-skia-bmo1136958.patch to fix build issues for + ARM and PPC + +------------------------------------------------------------------- +Fri Feb 20 22:53:39 UTC 2015 - wr@rosenauer.org + +- update to Firefox 36.0 (bnc#917597) + * mozilla-xremote-client was removed + * added libclearkey.so media plugin + * Pinned tiles on the new tab page can be synced + * Support for the full HTTP/2 protocol. HTTP/2 enables a faster, + more scalable, and more responsive web. + * Locale added: Uzbek (uz) + security fixes: + * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836 + Miscellaneous memory safety hazards + * MFSA 2015-12/CVE-2015-0833 (bmo#945192) + Invoking Mozilla updater will load locally stored DLL files + (Windows only) + * MFSA 2015-13/CVE-2015-0832 (bmo#1065909) + Appended period to hostnames can bypass HPKP and HSTS protections + * MFSA 2015-14/CVE-2015-0830 (bmo#1110488) + Malicious WebGL content crash when writing strings + * MFSA 2015-15/CVE-2015-0834 (bmo#1098314) + TLS TURN and STUN connections silently fail to simple TCP connections + * MFSA 2015-16/CVE-2015-0831 (bmo#1130514) + Use-after-free in IndexedDB + * MFSA 2015-17/CVE-2015-0829 (bmo#1128939) + Buffer overflow in libstagefright during MP4 video playback + * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675) + Double-free when using non-default memory allocators with a + zero-length XHR + * MFSA 2015-19/CVE-2015-0827 (bmo#1117304) + Out-of-bounds read and write while rendering SVG content + * MFSA 2015-20/CVE-2015-0826 (bmo#1092363) + Buffer overflow during CSS restyling + * MFSA 2015-21/CVE-2015-0825 (bmo#1092370) + Buffer underflow during MP3 playback + * MFSA 2015-22/CVE-2015-0824 (bmo#1095925) + Crash using DrawTarget in Cairo graphics library + * MFSA 2015-23/CVE-2015-0823 (bmo#1098497) + Use-after-free in Developer Console date with OpenType Sanitiser + * MFSA 2015-24/CVE-2015-0822 (bmo#1110557) + Reading of local files through manipulation of form autocomplete + * MFSA 2015-25/CVE-2015-0821 (bmo#1111960) + Local files or privileged URLs in pages can be opened into new tabs + * MFSA 2015-26/CVE-2015-0819 (bmo#1079554) + UI Tour whitelisted sites in background tab can spoof foreground + tabs + * MFSA 2015-27CVE-2015-0820 (bmo#1125398) + Caja Compiler JavaScript sandbox bypass +- rebased patches +- requires NSS 3.17.4 + +------------------------------------------------------------------- +Sat Jan 31 18:37:38 UTC 2015 - wr@rosenauer.org + +- update to Firefox 35.0.1 + * With the Enhanced Steam extension, Firefox could crash (bmo#1123732) + * Kerberos authentication did not work with alias (bmo#1108971) + * SVG / CSS animation had a regression causing rendering issues on + websites like openstreemap.org (bmo#1083079) + * On Godaddy webmail, Firefox could crash (bmo#1113121) + * document.baseURI did not get updated to document.location after + base tag was removed from DOM for site with a CSP (bmo#1121857) + * With a Right-to-left (RTL) version of Firefox, the text selection + could be broken (bmo#1104036) + * CSP had a change in behavior with regard to case sensitivity + resources loading (bmo#1122445) + +------------------------------------------------------------------- +Sat Jan 10 18:36:37 UTC 2015 - wr@rosenauer.org + +- update to Firefox 35.0 (bnc#910669) + notable features: + * Firefox Hello with new rooms-based conversations model + * Implemented HTTP Public Key Pinning Extension (for enhanced + authentication of encrypted connections) + security fixes: + * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635 + Miscellaneous memory safety hazards + * MFSA 2015-02/CVE-2014-8637 (bmo#1094536) + Uninitialized memory use during bitmap rendering + * MFSA 2015-03/CVE-2014-8638 (bmo#1080987) + sendBeacon requests lack an Origin header + * MFSA 2015-04/CVE-2014-8639 (bmo#1095859) + Cookie injection through Proxy Authenticate responses + * MFSA 2015-05/CVE-2014-8640 (bmo#1100409) + Read of uninitialized memory in Web Audio + * MFSA 2015-06/CVE-2014-8641 (bmo#1108455) + Read-after-free in WebRTC + * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only) + Gecko Media Plugin sandbox escape + * MFSA 2015-08/CVE-2014-8642 (bmo#1079658) + Delegated OCSP responder certificates failure with + id-pkix-ocsp-nocheck extension + * MFSA 2015-09/CVE-2014-8636 (bmo#987794) + XrayWrapper bypass through DOM objects +- rebased patches +- dropped explicit support for everything older than 12.3 + (including SLES11) + * merge firefox-kde.patch and firefox-kde-114.patch + * dropped mozilla-sle11.patch +- reworked specfile to build conditionally based on release channel + either Firefox or Firefox Developer Edition +- added mozilla-openaes-decl.patch to fix implicit declarations +- obsolete tracker-miner-firefox < 0.15 because it leads to startup + crashes (bnc#908892) + +------------------------------------------------------------------- +Sat Dec 13 22:13:00 UTC 2014 - Led <ledest@gmail.com> + +- fix bashism in mozilla.sh script + +------------------------------------------------------------------- +Sat Nov 29 21:23:03 UTC 2014 - wr@rosenauer.org + +- update to Firefox 34.0.5 (bnc#908009) + * Default search engine changed to Yahoo! for North America + * Default search engine changed to Yandex for Belarusian, Kazakh, + and Russian locales + * Improved search bar (en-US only) + * Firefox Hello real-time communication client + * Easily switch themes/personas directly in the Customizing mode + * Implementation of HTTP/2 (draft14) and ALPN + * Disabled SSLv3 + * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588 + Miscellaneous memory safety hazards + * MFSA 2014-84/CVE-2014-1589 (bmo#1043787) + XBL bindings accessible via improper CSS declarations + * MFSA 2014-85/CVE-2014-1590 (bmo#1087633) + XMLHttpRequest crashes with some input streams + * MFSA 2014-86/CVE-2014-1591 (bmo#1069762) + CSP leaks redirect data via violation reports + * MFSA 2014-87/CVE-2014-1592 (bmo#1088635) + Use-after-free during HTML5 parsing + * MFSA 2014-88/CVE-2014-1593 (bmo#1085175) + Buffer overflow while parsing media content + * MFSA 2014-89/CVE-2014-1594 (bmo#1074280) + Bad casting from the BasicThebesLayer to BasicContainerLayer +- rebased patches +- limit linker memory usage for %ix86 +- rebased patches + +------------------------------------------------------------------- +Fri Nov 7 20:14:32 UTC 2014 - wr@rosenauer.org + +- update to Firefox 33.1 + * Adding DuckDuckGo as a search option (upstream) + * Forget Button added + * Enhanced Tiles + * Privacy tour introduced +- fix typo in GStreamer Recommends + +------------------------------------------------------------------- +Tue Nov 4 18:00:35 UTC 2014 - guillaume@opensuse.org + +- Disable elf-hack for aarch64 +- Enable EGL for aarch64 +- Limit RAM usage during link for %arm +- Fix _constraints for ARM + +------------------------------------------------------------------- +Mon Nov 3 11:36:04 UTC 2014 - dmueller@suse.com + +- use proper macros for ARM + +------------------------------------------------------------------- +Mon Nov 3 11:26:23 UTC 2014 - josua.mayer97@gmail.com + +- use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too + to fix compiling. +- pass '-Wl,--no-keep-memory' to linker to reduce required memory during + linking on arm. + +------------------------------------------------------------------- +Thu Oct 30 11:31:05 UTC 2014 - wr@rosenauer.org + +- update to Firefox 33.0.2 + * Fix a startup crash with some combination of hardware and drivers + 33.0.1 + * Firefox displays a black screen at start-up with certain + graphics drivers +- adjusted _constraints for ARM + +------------------------------------------------------------------- +Tue Oct 28 15:23:09 UTC 2014 - josua.mayer97@gmail.com + +- added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588) + +------------------------------------------------------------------- +Sat Oct 25 08:45:43 UTC 2014 - wr@rosenauer.org + +- define /usr/share/myspell as additional dictionary location + and remove add-plugins.sh finally (bnc#900639) + +------------------------------------------------------------------- +Sun Oct 19 12:59:28 UTC 2014 - vindex17@outlook.it + +- use Firefox default optimization flags instead of -Os +- specfile cleanup + +------------------------------------------------------------------- +Wed Oct 15 08:05:33 UTC 2014 - wr@rosenauer.org + +- fix build for all ppc by not enabling elf-hack + (bnc#901213) + +------------------------------------------------------------------- +Sat Oct 11 08:48:24 UTC 2014 - wr@rosenauer.org + +- update to Firefox 33.0 (bnc#900941) + New features: + * OpenH264 support (sandboxed) + * Enhanced Tiles + * Improved search experience through the location bar + * Slimmer and faster JavaScript strings + * New CSP (Content Security Policy) backend + * Support for connecting to HTTP proxy over HTTPS + * Improved reliability of the session restoration + * Proprietary window.crypto properties/functions removed + Security: + * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 + Miscellaneous memory safety hazards + * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) + Buffer overflow during CSS manipulation + * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) + Web Audio memory corruption issues with custom waveforms + * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) + Out-of-bounds write with WebM video + * MFSA 2014-78/CVE-2014-1580 (bmo#1063733) + Further uninitialized memory use during GIF rendering + * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) + Use-after-free interacting with text directionality + * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) + Key pinning bypasses + * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) + Inconsistent video sharing within iframe + * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) + Accessing cross-origin objects via the Alarms API + (only relevant for installed web apps) +- requires NSPR 4.10.7 +- requires NSS 3.17.1 +- removed obsolete patches: + * mozilla-ppc.patch + * mozilla-libproxy-compat.patch +- added basic appdata information + +------------------------------------------------------------------- +Sat Sep 20 13:33:51 UTC 2014 - wr@rosenauer.org + +- update to Firefox 32.0.2 + * just a version bump for our builds + * fixed the in application update process for certain environments + (in application update is not enabled in openSUSE and Linux + is unaffected in any case) +- build with --disable-optimize for 13.1 and above for i586 to + workaround miscompilations (bnc#896624) +- use some more build flags to align with upstream + +------------------------------------------------------------------- +Sat Sep 13 16:58:16 UTC 2014 - wr@rosenauer.org + +- update to Firefox 32.0.1 + * fixed stability issues for computers with multiple graphics cards + * mixed content icon may be incorrectly displayed instead of lock + icon for SSL sites in 32.0 ( + * WebRTC: setRemoteDescription() silently fails if no success + callback is specified (bmo#1063971) + +------------------------------------------------------------------- +Sun Aug 31 07:44:54 UTC 2014 - wr@rosenauer.org + +- update to Firefox 32.0 (bnc#894370) + * MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562 + Miscellaneous memory safety hazards + * MFSA 2014-68/CVE-2014-1563 (bmo#1018524) + Use-after-free during DOM interactions with SVG + * MFSA 2014-69/CVE-2014-1564 (bmo#1045977) + Uninitialized memory use during GIF rendering + * MFSA 2014-70/CVE-2014-1565 (bmo#1047831) + Out-of-bounds read in Web Audio audio timeline + * MFSA 2014-72/CVE-2014-1567 (bmo#1037641) + Use-after-free setting text directionality +- rebased patches +- requires NSS 3.16.4 +- removed upstreamed patch + * mozilla-aarch64-bmo-810631.patch + +------------------------------------------------------------------- +Wed Aug 20 13:50:58 CEST 2014 - behlert@suse.de + +- adapted _constraints, used more than 3900MB on s390x during + last build + +------------------------------------------------------------------- +Sun Jul 20 18:11:44 UTC 2014 - wr@rosenauer.org + +- update to Firefox 31.0 (bnc#887746) + * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548 + Miscellaneous memory safety hazards + * MFSA 2014-57/CVE-2014-1549 (bmo#1020205) + Buffer overflow during Web Audio buffering for playback + * MFSA 2014-58/CVE-2014-1550 (bmo#1020411) + Use-after-free in Web Audio due to incorrect control message ordering + * MFSA 2014-60/CVE-2014-1561 (bmo#1000514, bmo#910375) + Toolbar dialog customization event spoofing + * MFSA 2014-61/CVE-2014-1555 (bmo#1023121) + Use-after-free with FireOnStateChange event + * MFSA 2014-62/CVE-2014-1556 (bmo#1028891) + Exploitable WebGL crash with Cesium JavaScript library + * MFSA 2014-63/CVE-2014-1544 (bmo#963150) + Use-after-free while when manipulating certificates in the trusted cache + (solved with NSS 3.16.2 requirement) + * MFSA 2014-64/CVE-2014-1557 (bmo#913805) + Crash in Skia library when scaling high quality images + * MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560 + (bmo#1015973, bmo#1026022, bmo#997795) + Certificate parsing broken by non-standard character encoding + * MFSA 2014-66/CVE-2014-1552 (bmo#985135) + IFRAME sandbox same-origin access through redirect +- use EGL on ARM +- rebased patches +- requires NSS 3.16.2 +- requires python-devel (not only python) + +------------------------------------------------------------------- +Mon Jun 9 08:28:17 UTC 2014 - wr@rosenauer.org + +- update to Firefox 30.0 (bnc#881874) + * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534 + (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874, + bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981, + bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817, + bmo#996536, bmo#996715, bmo#999651, bmo#1000598, + bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223, + bmo#1009952, bmo#1011007) + Miscellaneous memory safety hazards (rv:30.0) + * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538 + (bmo#989994, bmo#999274, bmo#1005584) + Use-after-free and out of bounds issues found using Address + Sanitizer + * MFSA 2014-50/CVE-2014-1539 (bmo#995603) + Clickjacking through cursor invisability after Flash interaction + * MFSA 2014-51/CVE-2014-1540 (bmo#978862) + Use-after-free in Event Listener Manager + * MFSA 2014-52/CVE-2014-1541 (bmo#1000185) + Use-after-free with SMIL Animation Controller + * MFSA 2014-53/CVE-2014-1542 (bmo#991533) + Buffer overflow in Web Audio Speex resampler + * MFSA 2014-54/CVE-2014-1543 (bmo#1011859) + Buffer overflow in Gamepad API + * MFSA 2014-55/CVE-2014-1545 (bmo#1018783) + Out of bounds write in NSPR +- rebased patches +- removed obsolete patches + * firefox-browser-css.patch + * mozilla-aarch64-bmo-962488.patch + * mozilla-aarch64-bmo-963023.patch + * mozilla-aarch64-bmo-963024.patch + * mozilla-aarch64-bmo-963027.patch + * mozilla-ppc64-xpcom.patch + * mozilla-ppc64le-javascript.patch + * mozilla-ppc64le-libffi.patch + * mozilla-ppc64le-mfbt.patch + * mozilla-ppc64le-webrtc.patch + * mozilla-ppc64le-xpcom.patch + * mozilla-ppc64le-build.patch +- requires NSPR 4.10.6 +- enabled GStreamer 1.0 usage for 13.2 and above + +------------------------------------------------------------------- +Sat May 10 06:09:37 UTC 2014 - wr@rosenauer.org + +- update to Firefox 29.0.1 + * Seer disabled by default (bmo#1005958) + * Session Restore failed with a corrupted sessionstore.js file + (bmo#1001167) + * pdf.js printing white page (bmo#1003707, bnc#876833) +- general.useragent.locale gets overwritten with en-US while it + should be using the active langpack's setting + +------------------------------------------------------------------- +Sat Apr 26 12:18:07 UTC 2014 - wr@rosenauer.org + +- update to Firefox 29.0 (bnc#875378) + * MFSA 2014-34/CVE-2014-1518/CVE-2014-1519 + Miscellaneous memory safety hazards + * MFSA 2014-36/CVE-2014-1522 (bmo#995289) + Web Audio memory corruption issues + * MFSA 2014-37/CVE-2014-1523 (bmo#969226) + Out of bounds read while decoding JPG images + * MFSA 2014-38/CVE-2014-1524 (bmo#989183) + Buffer overflow when using non-XBL object as XBL + * MFSA 2014-39/CVE-2014-1525 (bmo#989210) + Use-after-free in the Text Track Manager for HTML video + * MFSA 2014-41/CVE-2014-1528 (bmo#963962) + Out-of-bounds write in Cairo + * MFSA 2014-42/CVE-2014-1529 (bmo#987003) + Privilege escalation through Web Notification API + * MFSA 2014-43/CVE-2014-1530 (bmo#895557) + Cross-site scripting (XSS) using history navigations + * MFSA 2014-44/CVE-2014-1531 (bmo#987140) + Use-after-free in imgLoader while resizing images + * MFSA 2014-45/CVE-2014-1492 (bmo#903885) + Incorrect IDNA domain name matching for wildcard certificates + (fixed by NSS 3.16) + * MFSA 2014-46/CVE-2014-1532 (bmo#966006) + Use-after-free in nsHostResolver + * MFSA 2014-47/CVE-2014-1526 (bmo#988106) + Debugger can bypass XrayWrappers with JavaScript +- rebased patches +- removed obsolete patches + * firefox-browser-css.patch + * mozilla-aarch64-599882cfb998.diff + * mozilla-aarch64-bmo-963028.patch + * mozilla-aarch64-bmo-963029.patch + * mozilla-aarch64-bmo-963030.patch + * mozilla-aarch64-bmo-963031.patch +- requires NSS 3.16 +- added mozilla-icu-strncat.patch to fix post build checks + +------------------------------------------------------------------- +Mon Apr 7 15:34:31 UTC 2014 - dmueller@suse.com + +- add mozilla-aarch64-599882cfb998.patch, + mozilla-aarch64-bmo-810631.patch, + mozilla-aarch64-bmo-962488.patch, + mozilla-aarch64-bmo-963030.patch, + mozilla-aarch64-bmo-963027.patch, + mozilla-aarch64-bmo-963028.patch, + mozilla-aarch64-bmo-963029.patch, + mozilla-aarch64-bmo-963023.patch, + mozilla-aarch64-bmo-963024.patch, + mozilla-aarch64-bmo-963031.patch: AArch64 porting + +------------------------------------------------------------------- +Mon Mar 24 16:18:44 UTC 2014 - dvaleev@suse.com + +- Add patch for bmo#973977 + * mozilla-ppc64-xpcom.patch + +------------------------------------------------------------------- +Mon Mar 24 14:29:12 UTC 2014 - dvaleev@suse.com + +- Refresh mozilla-ppc64le-xpcom.patch patch + +------------------------------------------------------------------- +Fri Mar 21 19:01:42 UTC 2014 - dvaleev@suse.com + +- Adapt mozilla-ppc64le-xpcom.patch to Mozilla > 24.0 build system + +------------------------------------------------------------------- +Sun Mar 16 13:39:15 UTC 2014 - wr@rosenauer.org + +- update to Firefox 28.0 (bnc#868603) + * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494 + Miscellaneous memory safety hazards + * MFSA 2014-17/CVE-2014-1497 (bmo#966311) + Out of bounds read during WAV file decoding + * MFSA 2014-18/CVE-2014-1498 (bmo#935618) + crypto.generateCRMFRequest does not validate type of key + * MFSA 2014-19/CVE-2014-1499 (bmo#961512) + Spoofing attack on WebRTC permission prompt + * MFSA 2014-20/CVE-2014-1500 (bmo#956524) + onbeforeunload and Javascript navigation DOS + * MFSA 2014-22/CVE-2014-1502 (bmo#972622) + WebGL content injection from one domain to rendering in another + * MFSA 2014-23/CVE-2014-1504 (bmo#911547) + Content Security Policy for data: documents not preserved by + session restore + * MFSA 2014-26/CVE-2014-1508 (bmo#963198) + Information disclosure through polygon rendering in MathML + * MFSA 2014-27/CVE-2014-1509 (bmo#966021) + Memory corruption in Cairo during PDF font rendering + * MFSA 2014-28/CVE-2014-1505 (bmo#941887) + SVG filters information disclosure through feDisplacementMap + * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909) + Privilege escalation using WebIDL-implemented APIs + * MFSA 2014-30/CVE-2014-1512 (bmo#982957) + Use-after-free in TypeObject + * MFSA 2014-31/CVE-2014-1513 (bmo#982974) + Out-of-bounds read/write through neutering ArrayBuffer objects + * MFSA 2014-32/CVE-2014-1514 (bmo#983344) + Out-of-bounds write through TypedArrayObject after neutering +- requires NSPR 4.10.3 and NSS 3.15.5 +- new build dependency (and recommends): + * libpulse +- update of PowerPC 64 patches (bmo#976648) (pcerny@suse.com) +- rebased patches + +------------------------------------------------------------------- +Mon Feb 17 11:59:28 UTC 2014 - wr@rosenauer.org + +- update to Firefox 27.0.1 + * Fixed stability issues with Greasemonkey and other JS that used + ClearTimeoutOrInterval + * JS math correctness issue (bmo#941381) +- incorporate Google API key for geolocation (bnc#864170) +- updated list of "other" locales in RPM requirements + +------------------------------------------------------------------- +Tue Jan 28 15:45:41 UTC 2014 - wr@rosenauer.org + +- update to Firefox 27.0 (bnc#861847) + * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478 + Miscellaneous memory safety hazards (rv:27.0 / rv:24.3) + * MFSA 2014-02/CVE-2014-1479 (bmo#911864) + Clone protected content with XBL scopes + * MFSA 2014-03/CVE-2014-1480 (bmo#916726) + UI selection timeout missing on download prompts + * MFSA 2014-04/CVE-2014-1482 (bmo#943803) + Incorrect use of discarded images by RasterImage + * MFSA 2014-05/CVE-2014-1483 (bmo#950427) + Information disclosure with *FromPoint on iframes + * MFSA 2014-06/CVE-2014-1484 (bmo#953993) + Profile path leaks to Android system log + * MFSA 2014-07/CVE-2014-1485 (bmo#910139) + XSLT stylesheets treated as styles in Content Security Policy + * MFSA 2014-08/CVE-2014-1486 (bmo#942164) + Use-after-free with imgRequestProxy and image proccessing + * MFSA 2014-09/CVE-2014-1487 (bmo#947592) + Cross-origin information leak through web workers + * MFSA 2014-10/CVE-2014-1489 (bmo#959531) + Firefox default start page UI content invokable by script + * MFSA 2014-11/CVE-2014-1488 (bmo#950604) + Crash when using web workers with asm.js + * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 + (bmo#934545, bmo#930874, bmo#930857) + NSS ticket handling issues + * MFSA 2014-13/CVE-2014-1481(bmo#936056) + Inconsistent JavaScript handling of access to Window objects +- requires NSS 3.15.4 or higher +- rebased/reworked patches +- removed obsolete mozilla-bug929439.patch + +------------------------------------------------------------------- +Thu Dec 12 21:19:54 UTC 2013 - uweigand@de.ibm.com + +- Add support for powerpc64le-linux. + * mozilla-ppc64le.patch: general support + * mozilla-libffi-ppc64le.patch: libffi backport + * mozilla-xpcom-ppc64le.patch: port xpcom +- Add build fix from mainline. + * mozilla-bug929439.patch + +------------------------------------------------------------------- +Sun Dec 8 20:26:23 UTC 2013 - wr@rosenauer.org + +- update to Firefox 26.0 (bnc#854367, bnc#854370) + * rebased patches + * requires NSPR 4.10.2 and NSS 3.15.3.1 + * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610 + Miscellaneous memory safety hazards + * MFSA 2013-105/CVE-2013-5611 (bmo#771294) + Application Installation doorhanger persists on navigation + * MFSA 2013-106/CVE-2013-5612 (bmo#871161) + Character encoding cross-origin XSS attack + * MFSA 2013-107/CVE-2013-5614 (bmo#886262) + Sandbox restrictions not applied to nested object elements + * MFSA 2013-108/CVE-2013-5616 (bmo#938341) + Use-after-free in event listeners + * MFSA 2013-109/CVE-2013-5618 (bmo#926361) + Use-after-free during Table Editing + * MFSA 2013-110/CVE-2013-5619 (bmo#917841) + Potential overflow in JavaScript binary search algorithms + * MFSA 2013-111/CVE-2013-6671 (bmo#930281) + Segmentation violation when replacing ordered list elements + * MFSA 2013-112/CVE-2013-6672 (bmo#894736) + Linux clipboard information disclosure though selection paste + * MFSA 2013-113/CVE-2013-6673 (bmo#970380) + Trust settings for built-in roots ignored during EV certificate + validation + * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449) + Use-after-free in synthetic mouse movement + * MFSA 2013-115/CVE-2013-5615 (bmo#929261) + GetElementIC typed array stubs can be generated outside observed + typesets + * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693) + JPEG information leak + * MFSA 2013-117 (bmo#946351) + Mis-issued ANSSI/DCSSI certificate + (fixed via NSS 3.15.3.1) +- removed gecko.js preference file as GStreamer is enabled by + default now + +------------------------------------------------------------------- +Thu Oct 24 18:16:19 UTC 2013 - wr@rosenauer.org + +- update to Firefox 25.0 (bnc#847708) + * rebased patches + * requires NSS 3.15.2 or above + * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592 + Miscellaneous memory safety hazards + * MFSA 2013-94/CVE-2013-5593 (bmo#868327) + Spoofing addressbar through SELECT element + * MFSA 2013-95/CVE-2013-5604 (bmo#914017) + Access violation with XSLT and uninitialized data + * MFSA 2013-96/CVE-2013-5595 (bmo#916580) + Improperly initialized memory and overflows in some JavaScript + functions + * MFSA 2013-97/CVE-2013-5596 (bmo#910881) + Writing to cycle collected object during image decoding + * MFSA 2013-98/CVE-2013-5597 (bmo#918864) + Use-after-free when updating offline cache + * MFSA 2013-99/CVE-2013-5598 (bmo#920515) + Security bypass of PDF.js checks using iframes + * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601 + (bmo#915210, bmo#915576, bmo#916685) + Miscellaneous use-after-free issues found through ASAN fuzzing + * MFSA 2013-101/CVE-2013-5602 (bmo#897678) + Memory corruption in workers + * MFSA 2013-102/CVE-2013-5603 (bmo#916404) + Use-after-free in HTML document templates + +------------------------------------------------------------------- +Tue Sep 24 07:31:30 UTC 2013 - wr@rosenauer.org + +- as GStreamer is not automatically required anymore but loaded + dynamically if available, require it explicitely +- recommend optional GStreamer plugins for comprehensive media + support + +------------------------------------------------------------------- +Mon Sep 16 11:59:18 UTC 2013 - lnussel@suse.de + +- move greek to the translations-common package (bnc#840551) + +------------------------------------------------------------------- +Sat Sep 14 14:39:58 UTC 2013 - wr@rosenauer.org + +- update to Firefox 24.0 (bnc#840485) + * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719 + Miscellaneous memory safety hazards + * MFSA 2013-77/CVE-2013-1720 (bmo#888820) + Improper state in HTML5 Tree Builder with templates + * MFSA 2013-78/CVE-2013-1721 (bmo#890277) + Integer overflow in ANGLE library + * MFSA 2013-79/CVE-2013-1722 (bmo#893308) + Use-after-free in Animation Manager during stylesheet cloning + * MFSA 2013-80/CVE-2013-1723 (bmo#891292) + NativeKey continues handling key messages after widget is destroyed + * MFSA 2013-81/CVE-2013-1724 (bmo#894137) + Use-after-free with select element + * MFSA 2013-82/CVE-2013-1725 (bmo#876762) + Calling scope for new Javascript objects can lead to memory corruption + * MFSA 2013-85/CVE-2013-1728 (bmo#883686) + Uninitialized data in IonMonkey + * MFSA 2013-88/CVE-2013-1730 (bmo#851353) + Compartment mismatch re-attaching XBL-backed nodes + * MFSA 2013-89/CVE-2013-1732 (bmo#883514) + Buffer overflow with multi-column, lists, and floats + * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301) + Memory corruption involving scrolling + * MFSA 2013-91/CVE-2013-1737 (bmo#907727) + User-defined properties on DOM proxies get the wrong "this" object + * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897) + GC hazard with default compartments and frame chain restoration +- enable gstreamer explicitely via pref (gecko.js) +- require NSS 3.15.1 + +------------------------------------------------------------------- +Mon Aug 26 07:35:36 UTC 2013 - wr@rosenauer.org + +- update to Firefox 23.0.1 + * Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls + (bmo#901527) + +------------------------------------------------------------------- +Sun Aug 4 18:30:11 UTC 2013 - wr@rosenauer.org + +- update to Firefox 23.0 (bnc#833389) + * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 + Miscellaneous memory safety hazards + * MFSA 2013-64/CVE-2013-1704 (bmo#883313) + Use after free mutating DOM during SetBody + * MFSA 2013-65/CVE-2013-1705 (bmo#882865) + Buffer underflow when generating CRMF requests + * MFSA 2013-67/CVE-2013-1708 (bmo#879924) + Crash during WAV audio file decoding + * MFSA 2013-68/CVE-2013-1709 (bmo#838253) + Document URI misrepresentation and masquerading + * MFSA 2013-69/CVE-2013-1710 (bmo#871368) + CRMF requests allow for code execution and XSS attacks + * MFSA 2013-70/CVE-2013-1711 (bmo#843829) + Bypass of XrayWrappers using XBL Scopes + * MFSA 2013-72/CVE-2013-1713 (bmo#887098) + Wrong principal used for validating URI for some Javascript + components + * MFSA 2013-73/CVE-2013-1714 (bmo#879787) + Same-origin bypass with web workers and XMLHttpRequest + * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) + Local Java applets may read contents of local file system +- requires NSPR 4.10 and NSS 3.15 + +------------------------------------------------------------------- +Wed Jul 3 17:14:35 UTC 2013 - dmueller@suse.com + +- fix build on ARM (/-g/ matches /-grecord-switches/) + +------------------------------------------------------------------- +Sat Jun 22 17:48:06 UTC 2013 - wr@rosenauer.org + +- update to Firefox 22.0 (bnc#825935) + * removed obsolete patches + + mozilla-qcms-ppc.patch + + mozilla-gstreamer-760140.patch + * GStreamer support does not build on 12.1 anymore (build only + on 12.2 and later) + * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683 + Miscellaneous memory safety hazards + * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686 + Memory corruption found using Address Sanitizer + * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823) + Privileged content access and execution via XBL + * MFSA 2013-52/CVE-2013-1688 (bmo#873966) + Arbitrary code execution within Profiler + * MFSA 2013-53/CVE-2013-1690 (bmo#857883) + Execution of unmapped memory through onreadystatechange event + * MFSA 2013-54/CVE-2013-1692 (bmo#866915) + Data in the body of XHR HEAD requests leads to CSRF attacks + * MFSA 2013-55/CVE-2013-1693 (bmo#711043) + SVG filters can lead to information disclosure + * MFSA 2013-56/CVE-2013-1694 (bmo#848535) + PreserveWrapper has inconsistent behavior + * MFSA 2013-57/CVE-2013-1695 (bmo#849791) + Sandbox restrictions not applied to nested frame elements + * MFSA 2013-58/CVE-2013-1696 (bmo#761667) + X-Frame-Options ignored when using server push with multi-part + responses + * MFSA 2013-59/CVE-2013-1697 (bmo#858101) + XrayWrappers can be bypassed to run user defined methods in a + privileged context + * MFSA 2013-60/CVE-2013-1698 (bmo#876044) + getUserMedia permission dialog incorrectly displays location + * MFSA 2013-61/CVE-2013-1699 (bmo#840882) + Homograph domain spoofing in .com, .net and .name + +------------------------------------------------------------------- +Tue Jun 11 21:06:58 UTC 2013 - dvaleev@suse.com + +- Fix qcms altivec include (mozilla-qcms-ppc.patch) + +------------------------------------------------------------------- +Fri May 10 05:25:39 UTC 2013 - wr@rosenauer.org + +- update to Firefox 21.0 (bnc#819204) + * removed upstreamed patch firefox-712763.patch + * removed disabled mozilla-disable-neon-option.patch + * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669 + Miscellaneous memory safety hazards + * MFSA 2013-42/CVE-2013-1670 (bmo#853709) + Privileged access for content level constructor + * MFSA 2013-43/CVE-2013-1671 (bmo#842255) + File input control has access to full path + * MFSA 2013-46/CVE-2013-1674 (bmo#860971) + Use-after-free with video and onresize event + * MFSA 2013-47/CVE-2013-1675 (bmo#866825) + Uninitialized functions in DOMSVGZoomEvent + * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/ + CVE-2013-1679/CVE-2013-1680/CVE-2013-1681 + Memory corruption found using Address Sanitizer + +------------------------------------------------------------------- +Tue Apr 9 06:41:31 UTC 2013 - wr@rosenauer.org + +- revert to use GStreamer 0.10 on 12.3 (bnc#814101) + (remove mozilla-gstreamer-1.patch) + +------------------------------------------------------------------- +Fri Apr 5 17:04:11 UTC 2013 - schwab@linux-m68k.org + +- Explicitly disable WebRTC support on non-x86, the configure script + disables it only half-heartedly + +------------------------------------------------------------------- +Fri Mar 29 22:15:21 UTC 2013 - wr@rosenauer.org + +- update to Firefox 20.0 (bnc#813026) + * requires NSPR 4.9.5 and NSS 3.14.3 + * mozilla-webrtc-ppc.patch included upstream + * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 + Miscellaneous memory safety hazards + * MFSA 2013-31/CVE-2013-0800 (bmo#825721) + Out-of-bounds write in Cairo library + * MFSA 2013-35/CVE-2013-0796 (bmo#827106) + WebGL crash with Mesa graphics driver on Linux + * MFSA 2013-36/CVE-2013-0795 (bmo#825697) + Bypass of SOW protections allows cloning of protected nodes + * MFSA 2013-37/CVE-2013-0794 (bmo#626775) + Bypass of tab-modal dialog origin disclosure + * MFSA 2013-38/CVE-2013-0793 (bmo#803870) + Cross-site scripting (XSS) using timed history navigations + * MFSA 2013-39/CVE-2013-0792 (bmo#722831) + Memory corruption while rendering grayscale PNG images +- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch) + +------------------------------------------------------------------- +Tue Mar 12 23:08:15 UTC 2013 - dmueller@suse.com + +- build fixes for armv7hl: + * disable debug build as armv7hl does not have enough memory + * disable webrtc on armv7hl as it is non-compiling + +------------------------------------------------------------------- +Thu Mar 7 19:03:32 UTC 2013 - wr@rosenauer.org + +- update to Firefox 19.0.2 (bnc#808243) + * MFSA 2013-29/CVE-2013-0787 (bmo#848644) + Use-after-free in HTML Editor + +------------------------------------------------------------------- +Thu Feb 28 22:06:36 UTC 2013 - wr@rosenauer.org + +- update to Firefox 19.0.1 + * blocklist updates + +------------------------------------------------------------------- +Sat Feb 16 07:08:55 UTC 2013 - wr@rosenauer.org + +- update to Firefox 19.0 (bnc#804248) + * MFSA 2013-21/CVE-2013-0783/2013-0784 + Miscellaneous memory safety hazards + * MFSA 2013-22/CVE-2013-0772 (bmo#801366) + Out-of-bounds read in image rendering + * MFSA 2013-23/CVE-2013-0765 (bmo#830614) + Wrapped WebIDL objects can be wrapped again + * MFSA 2013-24/CVE-2013-0773 (bmo#809652) + Web content bypass of COW and SOW security wrappers + * MFSA 2013-25/CVE-2013-0774 (bmo#827193) + Privacy leak in JavaScript Workers + * MFSA 2013-26/CVE-2013-0775 (bmo#831095) + Use-after-free in nsImageLoadingContent + * MFSA 2013-27/CVE-2013-0776 (bmo#796475) + Phishing on HTTPS connection through malicious proxy + * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/ + CVE-2013-0778/CVE-2013-0779/CVE-2013-0781 + Use-after-free, out of bounds read, and buffer overflow issues + found using Address Sanitizer +- removed obsolete patches + * mozilla-webrtc.patch + * mozilla-gstreamer-803287.patch +- added patch to fix session restore window order (bmo#712763) + +------------------------------------------------------------------- +Sat Feb 2 08:40:52 UTC 2013 - wr@rosenauer.org + +- update to Firefox 18.0.2 + * blocklist and CTP updates + * fixes in JS engine + +------------------------------------------------------------------- +Wed Jan 16 20:51:55 UTC 2013 - wr@rosenauer.org + +- update to Firefox 18.0.1 + * blocklist updates + * backed out bmo#677092 (removed patch) + * fixed problems involving HTTP proxy transactions + +------------------------------------------------------------------- +Sat Jan 12 17:25:11 UTC 2013 - schwab@linux-m68k.org + +- Fix WebRTC to build on powerpc + +------------------------------------------------------------------- +Sun Jan 6 21:54:18 UTC 2013 - wr@rosenauer.org + +- update to Firefox 18.0 (bnc#796895) + * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770 + Miscellaneous memory safety hazards + * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767 + CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829 + Use-after-free and buffer overflow issues found using Address Sanitizer + * MFSA 2013-03/CVE-2013-0768 (bmo#815795) + Buffer Overflow in Canvas + * MFSA 2013-04/CVE-2012-0759 (bmo#802026) + URL spoofing in addressbar during page loads + * MFSA 2013-05/CVE-2013-0744 (bmo#814713) + Use-after-free when displaying table with many columns and column groups + * MFSA 2013-06/CVE-2013-0751 (bmo#790454) + Touch events are shared across iframes + * MFSA 2013-07/CVE-2013-0764 (bmo#804237) + Crash due to handling of SSL on threads + * MFSA 2013-08/CVE-2013-0745 (bmo#794158) + AutoWrapperChanger fails to keep objects alive during garbage collection + * MFSA 2013-09/CVE-2013-0746 (bmo#816842) + Compartment mismatch with quickstubs returned values + * MFSA 2013-10/CVE-2013-0747 (bmo#733305) + Event manipulation in plugin handler to bypass same-origin policy + * MFSA 2013-11/CVE-2013-0748 (bmo#806031) + Address space layout leaked in XBL objects + * MFSA 2013-12/CVE-2013-0750 (bmo#805121) + Buffer overflow in Javascript string concatenation + * MFSA 2013-13/CVE-2013-0752 (bmo#805024) + Memory corruption in XBL with XML bindings containing SVG + * MFSA 2013-14/CVE-2013-0757 (bmo#813901) + Chrome Object Wrapper (COW) bypass through changing prototype + * MFSA 2013-15/CVE-2013-0758 (bmo#813906) + Privilege escalation through plugin objects + * MFSA 2013-16/CVE-2013-0753 (bmo#814001) + Use-after-free in serializeToStream + * MFSA 2013-17/CVE-2013-0754 (bmo#814026) + Use-after-free in ListenerManager + * MFSA 2013-18/CVE-2013-0755 (bmo#814027) + Use-after-free in Vibrate + * MFSA 2013-19/CVE-2013-0756 (bmo#814029) + Use-after-free in Javascript Proxy objects +- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743) +- removed obsolete SLE11 patches (mozilla-gcc43*) +- reenable WebRTC +- added mozilla-libproxy-compat.patch for libproxy API compat + on openSUSE 11.2 and earlier +- backed out restartless language packs as it broke multi-locale + setup (bmo#677092, bmo#818468) + +------------------------------------------------------------------- +Thu Nov 29 19:56:51 UTC 2012 - wr@rosenauer.org + +- update to Firefox 17.0.1 + * revert some useragent changes introduced in 17.0 + * leaving private browsing with social enabled doesn't reset all + social components (bmo#815042) +- fix KDE integration for file dialogs + +------------------------------------------------------------------- +Tue Nov 20 19:52:02 UTC 2012 - wr@rosenauer.org + +- update to Firefox 17.0 (bnc#790140) + * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843 + Miscellaneous memory safety hazards + * MFSA 2012-92/CVE-2012-4202 (bmo#758200) + Buffer overflow while rendering GIF images + * MFSA 2012-93/CVE-2012-4201 (bmo#747607) + evalInSanbox location context incorrectly applied + * MFSA 2012-94/CVE-2012-5836 (bmo#792857) + Crash when combining SVG text on path with CSS + * MFSA 2012-95/CVE-2012-4203 (bmo#765628) + Javascript: URLs run in privileged context on New Tab page + * MFSA 2012-96/CVE-2012-4204 (bmo#778603) + Memory corruption in str_unescape + * MFSA 2012-97/CVE-2012-4205 (bmo#779821) + XMLHttpRequest inherits incorrect principal within sandbox + * MFSA 2012-99/CVE-2012-4208 (bmo#798264) + XrayWrappers exposes chrome-only properties when not in chrome + compartment + * MFSA 2012-100/CVE-2012-5841 (bmo#805807) + Improper security filtering for cross-origin wrappers + * MFSA 2012-101/CVE-2012-4207 (bmo#801681) + Improper character decoding in HZ-GB-2312 charset + * MFSA 2012-102/CVE-2012-5837 (bmo#800363) + Script entered into Developer Toolbar runs with chrome privileges + * MFSA 2012-103/CVE-2012-4209 (bmo#792405) + Frames can shadow top.location + * MFSA 2012-104/CVE-2012-4210 (bmo#796866) + CSS and HTML injection through Style Inspector + * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/ + CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/ + CVE-2012-4213/CVE-2012-4217/CVE-2012-4218 + Use-after-free and buffer overflow issues found using Address + Sanitizer + * MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838 + Use-after-free, buffer overflow, and memory corruption issues + found using Address Sanitizer +- rebased patches +- disabled WebRTC since build is broken (bmo#776877) + +------------------------------------------------------------------- +Tue Nov 20 15:42:55 UTC 2012 - pcerny@suse.com + +- build on SLE11 + * mozilla-gcc43-enums.patch + * mozilla-gcc43-template_hacks.patch + * mozilla-gcc43-templates_instantiation.patch + +------------------------------------------------------------------- +Wed Oct 24 08:27:29 UTC 2012 - wr@rosenauer.org + +- update to Firefox 16.0.2 (bnc#786522) + * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196 + (bmo#800666, bmo#793121, bmo#802557) + Fixes for Location object issues +- bring back Obsoletes for libproxy's mozjs plugin for distributions + before 12.2 to avoid crashes + +------------------------------------------------------------------- +Thu Oct 11 01:51:16 UTC 2012 - wr@rosenauer.org + +- update to Firefox 16.0.1 (bnc#783533) + * MFSA 2012-88/CVE-2012-4191 (bmo#798045) + Miscellaneous memory safety hazards + * MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619) + defaultValue security checks not applied + +------------------------------------------------------------------- +Sun Oct 7 21:40:14 UTC 2012 - wr@rosenauer.org + +- update to Firefox 16.0 (bnc#783533) + * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983 + Miscellaneous memory safety hazards + * MFSA 2012-75/CVE-2012-3984 (bmo#575294) + select element persistance allows for attacks + * MFSA 2012-76/CVE-2012-3985 (bmo#655649) + Continued access to initial origin after setting document.domain + * MFSA 2012-77/CVE-2012-3986 (bmo#775868) + Some DOMWindowUtils methods bypass security checks + * MFSA 2012-79/CVE-2012-3988 (bmo#725770) + DOS and crash with full screen and history navigation + * MFSA 2012-80/CVE-2012-3989 (bmo#783867) + Crash with invalid cast when using instanceof operator + * MFSA 2012-81/CVE-2012-3991 (bmo#783260) + GetProperty function can bypass security checks + * MFSA 2012-82/CVE-2012-3994 (bmo#765527) + top object and location property accessible by plugins + * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370) + Chrome Object Wrapper (COW) does not disallow acces to privileged + functions or properties + * MFSA 2012-84/CVE-2012-3992 (bmo#775009) + Spoofing and script injection through location.hash + * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/ + CVE-2012-4181/CVE-2012-4182/CVE-2012-4183 + Use-after-free, buffer overflow, and out of bounds read issues + found using Address Sanitizer + * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/ + CVE-2012-4188 + Heap memory corruption issues found using Address Sanitizer + * MFSA 2012-87/CVE-2012-3990 (bmo#787704) + Use-after-free in the IME State Manager +- requires NSPR 4.9.2 +- improve GStreamer integration (bmo#760140) +- removed upstreamed mozilla-crashreporter-restart-args.patch +- webapprt now included +- use kmozillahelper's new REVEAL command (bnc#777415) + (requires mozilla-kde4-integration >= 0.6.4) +- updated translations-other with new languages + +------------------------------------------------------------------- +Mon Sep 10 19:37:56 UTC 2012 - wr@rosenauer.org + +- update to Firefox 15.0.1 (bnc#779936) + * Sites visited while in Private Browsing mode could be found + through manual browser cache inspection (bmo#787743) + +------------------------------------------------------------------- +Sun Aug 26 13:47:43 UTC 2012 - wr@rosenauer.org + +- update to Firefox 15.0 (bnc#777588) + * MFSA 2012-57/CVE-2012-1970 + Miscellaneous memory safety hazards + * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975 + CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959 + CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964 + Use-after-free issues found using Address Sanitizer + * MFSA 2012-59/CVE-2012-1956 (bmo#756719) + Location object can be shadowed using Object.defineProperty + * MFSA 2012-60/CVE-2012-3965 (bmo#769108) + Escalation of privilege through about:newtab + * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793) + Memory corruption with bitmap format images with negative height + * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968 + WebGL use-after-free and memory corruption + * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970 + SVG buffer overflow and use-after-free issues + * MFSA 2012-64/CVE-2012-3971 + Graphite 2 memory corruption + * MFSA 2012-65/CVE-2012-3972 (bmo#746855) + Out-of-bounds read in format-number in XSLT + * MFSA 2012-66/CVE-2012-3973 (bmo#757128) + HTTPMonitor extension allows for remote debugging without explicit + activation + * MFSA 2012-68/CVE-2012-3975 (bmo#770684) + DOMParser loads linked resources in extensions when parsing + text/html + * MFSA 2012-69/CVE-2012-3976 (bmo#768568) + Incorrect site SSL certificate data display + * MFSA 2012-70/CVE-2012-3978 (bmo#770429) + Location object security checks bypassed by chrome code + * MFSA 2012-72/CVE-2012-3980 (bmo#771859) + Web console eval capable of executing chrome-privileged code +- fix HTML5 video crash with GStreamer enabled (bmo#761030) +- GStreamer is only used for MP4 (no WebM, OGG) +- updated filelist +- moved browser specific preferences to correct location + +------------------------------------------------------------------- +Sun Jul 29 08:34:39 UTC 2012 - aj@suse.de + +- Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16) + +------------------------------------------------------------------- +Sat Jul 14 19:31:51 UTC 2012 - wr@rosenauer.org + +- update to 14.0.1 (bnc#771583) + * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 + Miscellaneous memory safety hazards + * MFSA 2012-43/CVE-2012-1950 + Incorrect URL displayed in addressbar through drag and drop + * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952 + Gecko memory corruption + * MFSA 2012-45/CVE-2012-1955 (bmo#757376) + Spoofing issue with location + * MFSA 2012-46/CVE-2012-1966 (bmo#734076) + XSS through data: URLs + * MFSA 2012-47/CVE-2012-1957 (bmo#750096) + Improper filtering of javascript in HTML feed-view + * MFSA 2012-48/CVE-2012-1958 (bmo#750820) + use-after-free in nsGlobalWindow::PageHidden + * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559) + Same-compartment Security Wrappers can be bypassed + * MFSA 2012-50/CVE-2012-1960 (bmo#761014) + Out of bounds read in QCMS + * MFSA 2012-51/CVE-2012-1961 (bmo#761655) + X-Frame-Options header ignored when duplicated + * MFSA 2012-52/CVE-2012-1962 (bmo#764296) + JSDependentString::undepend string conversion results in memory + corruption + * MFSA 2012-53/CVE-2012-1963 (bmo#767778) + Content Security Policy 1.0 implementation errors cause data + leakage + * MFSA 2012-55/CVE-2012-1965 (bmo#758990) + feed: URLs with an innerURI inherit security context of page + * MFSA 2012-56/CVE-2012-1967 (bmo#758344) + Code execution through javascript: URLs +- license change from tri license to MPL-2.0 +- fix crashreporter restart option (bmo#762780) +- require NSS 3.13.5 +- remove mozjs pacrunner obsoletes again for now +- adopted mozilla-prefer_plugin_pref.patch +- PPC fixes: + * reenabled mozilla-yarr-pcre.patch to fix build for PPC + * add patches for bmo#750620 and bmo#746112 + * fix xpcshell segfault on ppc + +------------------------------------------------------------------- +Fri Jun 15 12:37:09 UTC 2012 - wr@rosenauer.org + +- update to Firefox 13.0.1 + * bugfix release +- obsolete libproxy's mozjs pacrunner (bnc#759123) + +------------------------------------------------------------------- +Sat Jun 2 08:22:51 UTC 2012 - wr@rosenauer.org + +- update to Firefox 13.0 (bnc#765204) + * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101 + Miscellaneous memory safety hazards + * MFSA 2012-36/CVE-2012-1944 (bmo#751422) + Content Security Policy inline-script bypass + * MFSA 2012-37/CVE-2012-1945 (bmo#670514) + Information disclosure though Windows file shares and shortcut + files + * MFSA 2012-38/CVE-2012-1946 (bmo#750109) + Use-after-free while replacing/inserting a node in a document + * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941 + Buffer overflow and use-after-free issues found using Address + Sanitizer +- require NSS 3.13.4 + * MFSA 2012-39/CVE-2012-0441 (bmo#715073) +- fix sound notifications when filename/path contains a whitespace + (bmo#749739) + +------------------------------------------------------------------- +Wed May 23 14:40:16 UTC 2012 - adrian@suse.de + +- fix build on arm + +------------------------------------------------------------------- +Wed May 16 05:34:01 UTC 2012 - wr@rosenauer.org + +- reenabled crashreporter for Factory/12.2 + (fix in mozilla-gcc47.patch) + +------------------------------------------------------------------- +Sat Apr 21 10:02:37 UTC 2012 - wr@rosenauer.org + +- update to Firefox 12.0 (bnc#758408) + * rebased patches + * MFSA 2012-20/CVE-2012-0467/CVE-2012-0468 + Miscellaneous memory safety hazards + * MFSA 2012-22/CVE-2012-0469 (bmo#738985) + use-after-free in IDBKeyRange + * MFSA 2012-23/CVE-2012-0470 (bmo#734288) + Invalid frees causes heap corruption in gfxImageSurface + * MFSA 2012-24/CVE-2012-0471 (bmo#715319) + Potential XSS via multibyte content processing errors + * MFSA 2012-25/CVE-2012-0472 (bmo#744480) + Potential memory corruption during font rendering using cairo-dwrite + * MFSA 2012-26/CVE-2012-0473 (bmo#743475) + WebGL.drawElements may read illegal video memory due to + FindMaxUshortElement error + * MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) + Page load short-circuit can lead to XSS + * MFSA 2012-28/CVE-2012-0475 (bmo#694576) + Ambiguous IPv6 in Origin headers may bypass webserver access + restrictions + * MFSA 2012-29/CVE-2012-0477 (bmo#718573) + Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues + * MFSA 2012-30/CVE-2012-0478 (bmo#727547) + Crash with WebGL content using textImage2D + * MFSA 2012-31/CVE-2011-3062 (bmo#739925) + Off-by-one error in OpenType Sanitizer + * MFSA 2012-32/CVE-2011-1187 (bmo#624621) + HTTP Redirections and remote content can be read by javascript errors + * MFSA 2012-33/CVE-2012-0479 (bmo#714631) + Potential site identity spoofing when loading RSS and Atom feeds +- added mozilla-libnotify.patch to allow fallback from libnotify + to xul based events if no notification-daemon is running +- gcc 4.7 fixes + * mozilla-gcc47.patch + * disabled crashreporter temporarily for Factory +- recommend libcanberra0 for proper sound notifications + +------------------------------------------------------------------- +Fri Mar 9 21:47:07 UTC 2012 - wr@rosenauer.org + +- update to Firefox 11.0 (bnc#750044) + * MFSA 2012-13/CVE-2012-0455 (bmo#704354) + XSS with Drag and Drop and Javascript: URL + * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) + SVG issues found with Address Sanitizer + * MFSA 2012-15/CVE-2012-0451 (bmo#717511) + XSS with multiple Content Security Policy headers + * MFSA 2012-16/CVE-2012-0458 + Escalation of privilege with Javascript: URL as home page + * MFSA 2012-17/CVE-2012-0459 (bmo#723446) + Crash when accessing keyframe cssText after dynamic modification + * MFSA 2012-18/CVE-2012-0460 (bmo#727303) + window.fullScreen writeable by untrusted content + * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/ + CVE-2012-0463 + Miscellaneous memory safety hazards +- ported and reenabled KDE integration (bnc#746591) +- explicitely build-require X libs + +------------------------------------------------------------------- +Mon Mar 5 13:31:48 UTC 2012 - vdziewiecki@suse.com + +- add Provides: browser(npapi) FATE#313084 + +------------------------------------------------------------------- +Fri Feb 17 17:41:11 UTC 2012 - pcerny@suse.com + +- better plugin directory resolution (bnc#747320) + +------------------------------------------------------------------- +Thu Feb 16 08:47:31 UTC 2012 - wr@rosenauer.org + +- update to Firefox 10.0.2 (bnc#747328) + * CVE-2011-3026 (bmo#727401) + libpng: integer overflow leading to heap-buffer overflow + +------------------------------------------------------------------- +Thu Feb 9 09:26:11 UTC 2012 - wr@rosenauer.org + +- update to Firefox 10.0.1 (bnc#746616) + * MFSA 2012-10/CVE-2012-0452 (bmo#724284) + use after free in nsXBLDocumentInfo::ReadPrototypeBindings + +------------------------------------------------------------------- +Tue Feb 7 10:40:58 UTC 2012 - dvaleev@suse.com + +- Use YARR interpreter instead of PCRE on platforms where YARR JIT + is not supported, since PCRE doesnt build (bmo#691898) +- fix ppc64 build (bmo#703534) + +------------------------------------------------------------------- +Mon Jan 30 09:41:59 UTC 2012 - wr@rosenauer.org + +- update to Firefox 10.0 (bnc#744275) + * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443 + Miscellaneous memory safety hazards + * MFSA 2012-03/CVE-2012-0445 (bmo#701071) + <iframe> element exposed across domains via name attribute + * MFSA 2012-04/CVE-2011-3659 (bmo#708198) + Child nodes from nsDOMAttribute still accessible after removal + of nodes + * MFSA 2012-05/CVE-2012-0446 (bmo#705651) + Frame scripts calling into untrusted objects bypass security + checks + * MFSA 2012-06/CVE-2012-0447 (bmo#710079) + Uninitialized memory appended when encoding icon images may + cause information disclosure + * MFSA 2012-07/CVE-2012-0444 (bmo#719612) + Potential Memory Corruption When Decoding Ogg Vorbis files + * MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466) + Crash with malformed embedded XSLT stylesheets +- KDE integration has been disabled since it needs refactoring +- removed obsolete ppc64 patch + +------------------------------------------------------------------- +Sun Jan 22 12:08:07 UTC 2012 - joop.boonen@opensuse.org + +- Disable neon for arm as it doesn't build correctly + +------------------------------------------------------------------- +Fri Dec 23 17:02:01 UTC 2011 - wr@rosenauer.org + +- update to Firefox 9.0.1 + * (strongparent) parentNode of element gets lost (bmo#335998) + +------------------------------------------------------------------- +Sun Dec 18 09:58:52 UTC 2011 - adrian@suse.de + +- fix arm build, don't package crashreporter there + +------------------------------------------------------------------- +Sun Dec 18 09:52:08 UTC 2011 - wr@rosenauer.org + +- update to Firefox 9 (bnc#737533) + * MFSA 2011-53/CVE-2011-3660 + Miscellaneous memory safety hazards (rv:9.0) + * MFSA 2011-54/CVE-2011-3661 (bmo#691299) + Potentially exploitable crash in the YARR regular expression + library + * MFSA 2011-55/CVE-2011-3658 (bmo#708186) + nsSVGValue out-of-bounds access + * MFSA 2011-56/CVE-2011-3663 (bmo#704482) + Key detection without JavaScript via SVG animation + * MFSA 2011-58/VE-2011-3665 (bmo#701259) + Crash scaling <video> to extreme sizes + +------------------------------------------------------------------- +Sun Nov 27 03:51:54 UTC 2011 - mgorse@suse.com + +- Fix accessibility under GNOME 3 (bnc#732898) + +------------------------------------------------------------------- +Sat Nov 12 15:16:38 UTC 2011 - dvaleev@suse.com + +- fix ppc64 build + +------------------------------------------------------------------- +Sun Nov 6 08:20:59 UTC 2011 - wr@rosenauer.org + +- update to Firefox 8 (bnc#728520) + * MFSA 2011-47/CVE-2011-3648 (bmo#690225) + Potential XSS against sites using Shift-JIS + * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654 + Miscellaneous memory safety hazards + * MFSA 2011-49/CVE-2011-3650 (bmo#674776) + Memory corruption while profiling using Firebug + * MFSA 2011-52/CVE-2011-3655 (bmo#672182) + Code execution via NoWaiverWrapper +- rebased patches + +------------------------------------------------------------------- +Thu Oct 20 12:34:47 UTC 2011 - wr@rosenauer.org + +- enable telemetry prompt + +------------------------------------------------------------------- +Fri Sep 30 10:52:36 UTC 2011 - wr@rosenauer.org + +- update to minor release 7.0.1 + * fixed staged addon updates +- set intl.locale.matchOS=true in the base package as it causes + too much confusion when it's only available with branding-openSUSE + +------------------------------------------------------------------- +Fri Sep 23 11:22:22 UTC 2011 - wr@rosenauer.org + +- update to Firefox 7 (bnc#720264) + including + * Improve Responsiveness with Memory Reductions + * Instant Sync + * WebSocket protocol 8 + * MFSA 2011-36/CVE-2011-2995/CVE-2011-2996/CVE-2011-2997 + Miscellaneous memory safety hazards + * MFSA 2011-39/CVE-2011-3000 (bmo#655389) + Defense against multiple Location headers due to CRLF Injection + * MFSA 2011-40/CVE-2011-2372/CVE-2011-3001 + Code installation through holding down Enter + * MFSA 2011-41/CVE-2011-3002/CVE-2011-3003 (bmo#680840, bmo#682335) + Potentially exploitable WebGL crashes + * MFSA 2011-42/CVE-2011-3232 (bmo#653672) + Potentially exploitable crash in the YARR regular expression + library + * MFSA 2011-43/CVE-2011-3004 (bmo#653926) + loadSubScript unwraps XPCNativeWrapper scope parameter + * MFSA 2011-44/CVE-2011-3005 (bmo#675747) + Use after free reading OGG headers + * MFSA 2011-45 + Inferring keystrokes from motion data +- removed obsolete mozilla-cairo-lcd.patch +- rebased patches +- removed XLIB_SKIP_ARGB_VISUALS=1 from environment in + mozilla.sh.in (bnc#680758) + +------------------------------------------------------------------- +Fri Sep 16 06:57:38 UTC 2011 - wr@rosenauer.org + +- fixed loading of kde.js under KDE (bnc#718311) + +------------------------------------------------------------------- +Wed Sep 14 07:02:04 UTC 2011 - wr@rosenauer.org + +- add dbus-1-glib-devel to BuildRequires (not pulled in + automatically anymore on 12.1) +- increase minversions for NSPR and NSS + +------------------------------------------------------------------- +Fri Sep 9 20:44:15 UTC 2011 - wr@rosenauer.org + +- recreated source archive to get correct source-stamp.txt + +------------------------------------------------------------------- +Wed Sep 7 14:30:34 UTC 2011 - pcerny@suse.com + +- security update to 6.0.2 (bnc#714931) + * Complete blocking of certificates issued by DigiNotar + (bmo#683449) + +------------------------------------------------------------------- +Fri Sep 2 14:40:07 UTC 2011 - pcerny@suse.com + +- security update to 6.0.1 (bnc#714931) + * MFSA 2011-34 + Protection against fraudulent DigiNotar certificates + (bmo#682927) + +------------------------------------------------------------------- +Fri Aug 12 21:16:19 UTC 2011 - wr@rosenauer.org + +- update to 6.0 (bnc#712224) + included security fixes MFSA 2011-29 + * CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985 + Miscellaneous memory safety hazards + * CVE-2011-2993 (bmo#657267) + Unsigned scripts can call script inside signed JAR + * CVE-2011-2988 (bmo#665934) + Heap overflow in ANGLE library + * CVE-2011-0084 (bmo#648094) + Crash in SVGTextElement.getCharNumAtPosition() + * CVE-2011-2990 + Credential leakage using Content Security Policy reports + * CVE-2011-2986 (bmo#655836) + Cross-origin data theft using canvas and Windows D2D +- removed obsolete curl header dependency (mozilla-curl.patch) + +------------------------------------------------------------------- +Fri Jul 22 13:34:12 UTC 2011 - wr@rosenauer.org + +- update to 6.0b3 + * removed obsolete patches + - firefox-shellservice.patch + - mozilla-gio.patch + - mozilla-ppc-ipc.patch + - firefox-linkorder.patch + - firefox-no-sync-l10n.patch +- recognize linux3 as platform for symbolstore.py + +------------------------------------------------------------------- +Fri Jul 1 19:53:18 CEST 2011 - vuntz@opensuse.org + +- Add x-scheme-handler/ftp to the MimeType key in the .desktop, to + let desktops know that Firefox can deal with ftp: URIs. + +------------------------------------------------------------------- +Fri Jul 1 06:45:08 UTC 2011 - wr@rosenauer.org + +- create upstream branding package again (supposedly empty) + (bnc#703401) +- fix build on SLE11 (changes do not affect/are not applied for + later versions) + +------------------------------------------------------------------- +Wed Jun 22 06:41:17 UTC 2011 - wr@rosenauer.org + +- enable startup notification (bnc#701465) + +------------------------------------------------------------------- +Mon Jun 20 19:37:01 UTC 2011 - wr@rosenauer.org + +- update to 5.0 final +- included fixes for security issues: (bnc#701296, bnc#700578) + * MFSA 2011-19/CVE-2011-2374 CVE-2011-2375 + Miscellaneous memory safety hazards + * MFSA 2011-20/CVE-2011-2373 (bmo#617247) + Use-after-free vulnerability when viewing XUL document with + script disabled + * MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303) + Memory corruption due to multipart/x-mixed-replace images + * MFSA 2011-22/CVE-2011-2371 (bmo#664009) + Integer overflow and arbitrary code execution in + Array.reduceRight() + * MFSA 2011-25/CVE-2011-2366 + Stealing of cross-domain images using WebGL textures + * MFSA 2011-26/CVE-2011-2367 CVE-2011-2368 + Multiple WebGL crashes + * MFSA 2011-27/CVE-2011-2369 (bmo#650001) + XSS encoding hazard with inline SVG + * MFSA 2011-28/CVE-2011-2370 (bmo#645699) + Non-whitelisted site can trigger xpinstall + +------------------------------------------------------------------- +Mon Jun 20 09:17:42 UTC 2011 - wr@rosenauer.org + +- update to 5.0b7 + * updated supported locales +- do not build dump_syms static (not needed for us) + -> fix build for openSUSE 12.1 and above + +------------------------------------------------------------------- +Wed Jun 15 14:59:32 UTC 2011 - wr@rosenauer.org + +- update to 5.0b6 +- include proper revision information into the build +- speedier find-external-requires.sh + +------------------------------------------------------------------- +Tue May 31 06:53:55 UTC 2011 - wr@rosenauer.org + +- update to 5.0b3 +- transformed to standalone Firefox (not xulrunner based) + (with new Firefox rapid release cycle it makes no sense anymore) + * imported all relevant xulrunner patches +- do not compile in build timestamp + +------------------------------------------------------------------- +Fri Apr 15 07:08:53 UTC 2011 - wr@rosenauer.org + +- security update to 4.0.1 (bnc#689281) + * MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0079 + CVE-2011-0080 CVE-2011-0081 + Miscellaneous memory safety hazards + * MFSA 2011-17/CVE-2011-0068 (bmo#623791) + WebGLES vulnerabilities + * MFSA 2011-18/CVE-2011-1202 (bmo#640339) + XSLT generate-id() function heap address leak + +------------------------------------------------------------------- +Wed Mar 30 11:24:36 UTC 2011 - wr@rosenauer.org + +- add all available icon sizes + +------------------------------------------------------------------- +Tue Mar 29 11:55:53 UTC 2011 - cfarrell@novell.com + +- license update: MPLv1.1 or GPLv2+ or LGPLv2+ + Sync licenses with Fedora. MPL does not state ^or later^ + +------------------------------------------------------------------- +Fri Mar 18 08:49:15 UTC 2011 - wr@rosenauer.org + +- update to version 4.0rc2 +- fixed rpm macros delivered with devel package (bnc#679950) + +------------------------------------------------------------------- +Wed Feb 23 07:52:04 UTC 2011 - wr@rosenauer.org + +- update to version 4.0b12 +- rebased patches + +------------------------------------------------------------------- +Fri Feb 4 09:32:50 UTC 2011 - wr@rosenauer.org + +- update to version 4.0b11 + * loads of bugfixes compared to last beta + * added "Do Not Track" option +- rebased patches +- disable testpilot + +------------------------------------------------------------------- +Fri Jan 28 08:56:12 UTC 2011 - wr@rosenauer.org + +- set correct desktop file name within KDE for 11.4 and up +- add devel package with macros for extensions (from lnussel@suse.de) + +------------------------------------------------------------------- +Sat Jan 22 22:21:52 UTC 2011 - wr@rosenauer.org + +- update to version 4.0b10 +- removed obsolete firefox-shell-bmo624267.patch +- testpilot moved to distribution/extensions +- updated locale provides and removed bn-IN from locales + +------------------------------------------------------------------- +Tue Jan 11 06:13:40 UTC 2011 - wr@rosenauer.org + +- update to version 4.0b9 +- added x-scheme-handler for http and https to desktop file for + newer Gnome environments +- fixed default browser check/set for GIO (bmo#611953) + (mozilla-shellservice.patch) +- removed obsolete firefox-appname.patch (integrated into + shellservice patch) +- renamed desktop file to firefox.desktop for 11.4 and newer + (bnc#664211) +- removed support for 10.3 and older from the spec file +- removed obsolete "Ximian" categories from desktop file + +------------------------------------------------------------------- +Mon Jan 3 17:35:46 CET 2011 - meissner@suse.de + +- Mirror ac_add_options --disable-ipc from xulrunner for PowerPC. + +------------------------------------------------------------------- +Wed Dec 15 07:49:45 UTC 2010 - wr@rosenauer.org + +- update to version 4.0beta8 + +------------------------------------------------------------------- +Tue Nov 30 14:19:59 UTC 2010 - wr@rosenauer.org + +- major update to version 4.0beta7 + * based on mozilla-xulrunner20 + * far too many internal changes to list + +------------------------------------------------------------------- +Wed Oct 27 07:12:14 CEST 2010 - wr@rosenauer.org + +- security update to 3.6.12 (bnc#649492) + * MFSA 2010-73/CVE-2010-3765 (bmo#607222) + Heap buffer overflow mixing document.write and DOM insertion + +------------------------------------------------------------------- +Wed Oct 6 07:13:52 CEST 2010 - wr@rosenauer.org + +- security update to 3.6.11 (bnc#645315) + * MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176 + Miscellaneous memory safety hazards + * MFSA 2010-65/CVE-2010-3179 (bmo#583077) + Buffer overflow and memory corruption using document.write + * MFSA 2010-66/CVE-2010-3180 (bmo#588929) + Use-after-free error in nsBarProp + * MFSA 2010-67/CVE-2010-3183 (bmo#598669) + Dangling pointer vulnerability in LookupGetterOrSetter + * MFSA 2010-68/CVE-2010-3177 (bmo#556734) + XSS in gopher parser when parsing hrefs + * MFSA 2010-69/CVE-2010-3178 (bmo#576616) + Cross-site information disclosure via modal calls + * MFSA 2010-70/CVE-2010-3170 (bmo#578697) + SSL wildcard certificate matching IP addresses + * MFSA 2010-71/CVE-2010-3182 (bmo#590753) + Unsafe library loading vulnerabilities + * MFSA 2010-72/CVE-2010-3173 + Insecure Diffie-Hellman key exchange + +------------------------------------------------------------------- +Wed Sep 15 07:39:22 CEST 2010 - wr@rosenauer.org + +- update to 3.6.10 + * fixing startup topcrash (bmo#594699) + +------------------------------------------------------------------- +Thu Aug 26 07:40:28 CEST 2010 - wr@rosenauer.org + +- security update to 3.6.9 (bnc#637303) + * MFSA 2010-49/CVE-2010-3169 + Miscellaneous memory safety hazards + * MFSA 2010-50/CVE-2010-2765 (bmo#576447) + Frameset integer overflow vulnerability + * MFSA 2010-51/CVE-2010-2767 (bmo#584512) + Dangling pointer vulnerability using DOM plugin array + * MFSA 2010-53/CVE-2010-3166 (bmo#579655) + Heap buffer overflow in nsTextFrameUtils::TransformText + * MFSA 2010-54/CVE-2010-2760 (bmo#585815) + Dangling pointer vulnerability in nsTreeSelection + * MFSA 2010-55/CVE-2010-3168 (bmo#576075) + XUL tree removal crash and remote code execution + * MFSA 2010-56/CVE-2010-3167 (bmo#576070) + Dangling pointer vulnerability in nsTreeContentView + * MFSA 2010-57/CVE-2010-2766 (bmo#580445) + Crash and remote code execution in normalizeDocument + * MFSA 2010-59/CVE-2010-2762 (bmo#584180) + SJOW creates scope chains ending in outer object + * MFSA 2010-61/CVE-2010-2768 (bmo#579744) + UTF-7 XSS by overriding document charset using <object> type + attribute + * MFSA 2010-62/CVE-2010-2769 (bmo#520189) + Copy-and-paste or drag-and-drop into designMode document allows + XSS + * MFSA 2010-63/CVE-2010-2764 (bmo#552090) + Information leak via XMLHttpRequest statusText + +------------------------------------------------------------------- +Wed Jul 28 08:33:14 CEST 2010 - meissner@suse.de + +- disable crash reporter for non x86/x86_64 to make it build. + +------------------------------------------------------------------- +Sat Jul 24 12:42:58 CEST 2010 - wr@rosenauer.org + +- security update to 3.6.8 (bnc#622506) + * MFSA 2010-48/CVE-2010-2755 (bmo#575836) + Dangling pointer crash regression from plugin parameter array + fix + +------------------------------------------------------------------- +Fri Jul 16 06:48:44 CEST 2010 - wr@rosenauer.org + +- security update to 3.6.7 (bnc#622506) + * MFSA 2010-34/CVE-2010-1211/CVE-2010-1212 + Miscellaneous memory safety hazards + * MFSA 2010-35/CVE-2010-1208 (bmo#572986) + DOM attribute cloning remote code execution vulnerability + * MFSA 2010-36/CVE-2010-1209 (bmo#552110) + Use-after-free error in NodeIterator + * MFSA 2010-37/CVE-2010-1214 (bmo#572985) + Plugin parameter EnsureCachedAttrParamArrays remote code + execution vulnerability + * MFSA 2010-38/CVE-2010-1215 (bmo#567069) + Arbitrary code execution using SJOW and fast native function + * MFSA 2010-39/CVE-2010-2752 (bmo#574059) + nsCSSValue::Array index integer overflow + * MFSA 2010-40/CVE-2010-2753 (bmo#571106) + nsTreeSelection dangling pointer remote code execution + vulnerability + * MFSA 2010-41/CVE-2010-1205 (bmo#570451) + Remote code execution using malformed PNG image + * MFSA 2010-42/CVE-2010-1213 (bmo#568148) + Cross-origin data disclosure via Web Workers and importScripts + * MFSA 2010-43/CVE-2010-1207 (bmo#571287) + Same-origin bypass using canvas context + * MFSA 2010-44/CVE-2010-1210 (bmo#564679) + Characters mapped to U+FFFD in 8 bit encodings cause subsequent + character to vanish + * MFSA 2010-45/CVE-2010-1206/CVE-2010-2751 (bmo#536466,556957) + Multiple location bar spoofing vulnerabilities + * MFSA 2010-46/CVE-2010-0654 (bmo#524223) + Cross-domain data theft using CSS + * MFSA 2010-47/CVE-2010-2754 (bmo#568564) + Cross-origin data leakage from script filename in error messages + +------------------------------------------------------------------- +Sun Jun 27 20:24:31 CEST 2010 - wr@rosenauer.org + +- update to 3.6.6 release + * modifies the crash protection feature to increase the amount + of time that plugins are allowed to be non-responsive before + being terminated. + +------------------------------------------------------------------- +Wed Jun 23 14:40:35 CEST 2010 - wr@rosenauer.org + +- update to final 3.6.4 release (bnc#603356) + * MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/ + CVE-2010-1203 + Crashes with evidence of memory corruption (rv:1.9.2.4) + * MFSA 2010-28/CVE-2010-1198 (bmo#532246) + Freed object reuse across plugin instances + * MFSA 2010-29/CVE-2010-1196 (bmo#534666) + Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal + * MFSA 2010-30/CVE-2010-1199 (bmo#554255) + Integer Overflow in XSLT Node Sorting + * MFSA 2010-31/CVE-2010-1125 (bmo#552255) + focus() behavior can be used to inject or steal keystrokes + * MFSA 2010-32/CVE-2010-1197 (bmo#537120) + Content-Disposition: attachment ignored if + Content-Type: multipart also present + * MFSA 2010-33/CVE-2008-5913 (bmo#475585) + User tracking across sites using Math.random() + +------------------------------------------------------------------- +Mon Jun 7 07:07:33 CEST 2010 - wr@rosenauer.org + +- update to 3.6.4(build6) + +------------------------------------------------------------------- +Sun Apr 18 09:42:40 CEST 2010 - wr@rosenauer.org + +- security update to 3.6.4 (Lorentz) + * enable crashreporter also for x86-64 + * Flash runs in a separate process to avoid crashing Firefox + (ix86 only; x86-64 still uses nspluginwrapper) + +------------------------------------------------------------------- +Thu Apr 1 11:15:38 UTC 2010 - wr@rosenauer.org + +- security update to 3.6.3 + * MFSA 2010-25/CVE-2010-1121 (bmo#555109) + Re-use of freed object due to scope confusion + +------------------------------------------------------------------- +Thu Mar 18 06:43:33 CET 2010 - wr@rosenauer.org + +- security update to version 3.6.2 (bnc#586567) + * MFSA 2010-08/CVE-2010-1028 + WOFF heap corruption due to integer overflow + * MFSA 2010-09/CVE-2010-0164 (bmo#547143) + Deleted frame reuse in multipart/x-mixed-replace image + * MFSA 2010-10/CVE-2010-0170 (bmo#541530) + XSS via plugins and unprotected Location object + * MFSA 2010-11/CVE-2010-0165/CVE-2010-0166/CVE-2010-0167 + Crashes with evidence of memory corruption + * MFSA 2010-12/CVE-2010-0171 (bmo#531364) + XSS using addEventListener and setTimeout on a wrapped object + * MFSA 2010-13/CVE-2010-0168 (bmo#540642) + Content policy bypass with image preloading + * MFSA 2010-14/CVE-2010-0169 (bmo#535806) + Browser chrome defacement via cached XUL stylesheets + * MFSA 2010-15/CVE-2010-0172 (bmo#537862) + Asynchronous Auth Prompt attaches to wrong window + * MFSA 2010-16/CVE-2010-0173/CVE-2010-0174 + Crashes with evidence of memory corruption + * MFSA 2010-18/CVE-2010-0176 (bmo#538308) + Dangling pointer vulnerability in nsTreeContentView + * MFSA 2010-19/CVE-2010-0177 (bmo#538310) + Dangling pointer vulnerability in nsPluginArray + * MFSA 2010-20/CVE-2010-0178 (bmo#546909) + Chrome privilege escalation via forced URL drag and drop + * MFSA 2010-22/CVE-2009-3555 (bmo#545755) + Update NSS to support TLS renegotiation indication + * MFSA 2010-23/CVE-2010-0181 (bmo#452093) + Image src redirect to mailto: URL opens email editor + * MFSA 2010-24/CVE-2010-0182 (bmo#490790) + XMLDocument::load() doesn't check nsIContentPolicy + +------------------------------------------------------------------- +Mon Jan 18 09:42:50 CET 2010 - wr@rosenauer.org + +- update to 3.6rc2 (already named 3.6.0) +- removed obsolete orbit-devel build requirement + +------------------------------------------------------------------- +Wed Jan 6 17:15:40 CET 2010 - wr@rosenauer.org + +- major update to 3.6rc1 + +------------------------------------------------------------------- +Fri Dec 25 09:39:42 CET 2009 - wr@rosenauer.org + +- update to version 3.5.7 (bnc#568011) + * DNS resolution in MakeSN of nsAuthSSPI causing issues for + proxy servers that support NTLM auth (bmo#535193) +- added missing lockdown preferences (bnc#567131) + +------------------------------------------------------------------- +Thu Dec 17 20:06:38 CET 2009 - wr@rosenauer.org + +- readded firefox-ui-lockdown.patch (bnc#546158) + +------------------------------------------------------------------- +Thu Dec 3 21:53:59 CET 2009 - wr@rosenauer.org + +- security update to version 3.5.6 (bnc#559807) + * MFSA 2009-65/CVE-2009-3979/CVE-2009-3980/CVE-2009-3982 + Crashes with evidence of memory corruption (rv:1.9.1.6) + * MFSA 2009-66/CVE-2009-3388 (bmo#504843,bmo#523816) + Memory safety fixes in liboggplay media library + * MFSA 2009-67/CVE-2009-3389 (bmo#515882,bmo#504613) + Integer overflow, crash in libtheora video library + * MFSA 2009-68/CVE-2009-3983 (bmo#487872) + NTLM reflection vulnerability + * MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232) + Location bar spoofing vulnerabilities + * MFSA 2009-70/VE-2009-3986 (bmo#522430) + Privilege escalation via chrome window.opener +- fixed firefox-browser-css.patch (bnc#561027) + +------------------------------------------------------------------- +Mon Nov 23 22:31:21 CET 2009 - wr@rosenauer.org + +- rebased patches for fuzz=0 + +------------------------------------------------------------------- +Thu Nov 5 19:49:33 UTC 2009 - wr@rosenauer.org + +- update to version 3.5.5 (bnc#553172) + +------------------------------------------------------------------- +Sat Oct 17 23:19:23 CEST 2009 - wr@rosenauer.org + +- security update to version 3.5.4 (bnc#545277) + * MFSA 2009-52/CVE-2009-3370 (bmo#511615) + Form history vulnerable to stealing + * MFSA 2009-53/CVE-2009-3274 (bmo#514823) + Local downloaded file tampering + * MFSA 2009-54/CVE-2009-3371 (bmo#514554) + Crash with recursive web-worker calls + * MFSA 2009-55/CVE-2009-3372 (bmo#500644) + Crash in proxy auto-configuration regexp parsing + * MFSA 2009-56/CVE-2009-3373 (bmo#511689) + Heap buffer overflow in GIF color map parser + * MFSA 2009-57/CVE-2009-3374 (bmo#505988) + Chrome privilege escalation in XPCVariant::VariantDataToJS() + * MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862) + Heap buffer overflow in string to number conversion + * MFSA 2009-61/CVE-2009-3375 (bmo#503226) + Cross-origin data theft through document.getSelection() + * MFSA 2009-62/CVE-2009-3376 (bmo#511521) + Download filename spoofing with RTL override + * MFSA 2009-63/CVE-2009-3377/CVE-2009-3379/CVE-2009-3378 + Upgrade media libraries to fix memory safety bugs + * MFSA 2009-64/CVE-2009-3380/CVE-2009-3381/CVE-2009-3383 + Crashes with evidence of memory corruption +- removed upstreamed patch + * firefox-bug506901.patch + +------------------------------------------------------------------- +Wed Oct 7 20:11:24 CEST 2009 - llunak@novell.com + +- fix KDE button order in one more place (bnc#170055) + +------------------------------------------------------------------- +Fri Oct 2 20:26:49 CEST 2009 - wr@rosenauer.org + +- improve UI colors to be usable with dark themes at all + (firefox-browser-css.patch) (bnc#503351) +- extend list of supported architectures as ABI identifier + (mozilla-abi.patch) (bnc#543460) + +------------------------------------------------------------------- +Mon Sep 14 00:07:55 CEST 2009 - wr@rosenauer.org + +- added KDE integration patch from llunak@novell.com + (firefox-kde.patch) + * support for knotify, making -kde4-addon obsolete + * KDE-specific support functional (bnc#170055) +- do not build libnkgnomevfs (bmo#512671) (firefox-no-gnomevfs) + +------------------------------------------------------------------- +Thu Sep 10 09:34:26 CEST 2009 - wr@rosenauer.org + +- security update to version 3.5.3 (bnc#534458) + * MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/ + CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075 + Crashes with evidence of memory corruption + * MFSA 2009-49/CVE-2009-3077 (bmo#506871) + TreeColumns dangling pointer vulnerability + * MFSA 2009-50/CVE-2009-3078 (bmo#453827) + Location bar spoofing via tall line-height Unicode characters + * MFSA 2009-51/CVE-2009-3079 (bmo#454363) + Chrome privilege escalation with FeedWriter + +------------------------------------------------------------------- +Wed Aug 19 22:14:07 CEST 2009 - wr@rosenauer.org + +- renamed patch firefox-contextmenu-gnome to firefox-cross-desktop + as it contains more tweaks to handle non-Gnome environments and + especially KDE integration: + * added the ability to set the KDE default browser + (still part of bnc#170055) + +------------------------------------------------------------------- +Sat Aug 8 00:14:18 CEST 2009 - wr@rosenauer.org + +- split -translations package into -common and -other + (bnc#529180) +- remove "set as background" from context menu if not running in + Gnome (part of bnc#170055) + +------------------------------------------------------------------- +Fri Jul 31 09:01:57 CEST 2009 - wr@rosenauer.org + +- security update to version 3.5.2 + * MFSA 2009-38/CVE-2009-2470 (bmo#459524) + Data corruption with SOCKS5 reply containing DNS name longer + than 15 characters + * MFSA 2009-44/CVE-2009-2654 (bmo#451898) + Location bar and SSL indicator spoofing via window.open() on + invalid URL + * MFSA 2009-45 + Crashes with evidence of memory corruption + * MFSA 2009-46 (bmo#498897) + Chrome privilege escalation due to incorrectly cached wrapper + * various other stability fixes +- export MOZ_APP_LAUNCHER in the startscript (bmo#453689) + +------------------------------------------------------------------- +Tue Jul 28 14:54:46 CEST 2009 - wr@rosenauer.org + +- fixed %exclude usage +- fixed preferences' advanced pane for fresh profiles (bmo#506901) + +------------------------------------------------------------------- +Wed Jul 15 20:13:19 CEST 2009 - wr@rosenauer.org + +- security update to version 3.5.1 + * MFSA 2009-41 + Corrupt JIT state after deep return from native function + +------------------------------------------------------------------- +Mon Jul 6 12:33:47 CEST 2009 - wr@rosenauer.org + +- added mozilla-linkorder.patch to fix build with --as-needed + +------------------------------------------------------------------- +Tue Jun 30 08:52:00 CEST 2009 - wr@rosenauer.org + +- update to final version 3.5 (20090623) + +------------------------------------------------------------------- +Tue Jun 23 09:39:50 CEST 2009 - wr@rosenauer.org + +- fixed build by linking to a real file + +------------------------------------------------------------------- +Thu Jun 18 10:19:40 CEST 2009 - wr@rosenauer.org + +- update to version 3.5rc2 (20090617) +- BuildRequire mozilla-xulrunner191 = 1.9.1.0 + +------------------------------------------------------------------- +Sat Jun 6 15:59:02 CEST 2009 - wr@rosenauer.org + +- update to version 3.5b99 (20090604) +- BuildRequire mozilla-xulrunner191 = 1.9.1b99 + +------------------------------------------------------------------- +Wed May 27 08:03:16 CEST 2009 - wr@rosenauer.org + +- fixed typos in improved xulrunner dependencies + +------------------------------------------------------------------- +Mon May 11 18:25:12 CEST 2009 - wr@rosenauer.org + +- use non-localized Downloads folder (bnc#501724) + +------------------------------------------------------------------- +Mon May 4 07:57:50 CEST 2009 - wr@rosenauer.org + +- update to new major version 3.5b4 + * based on Gecko 1.9.1 (mozilla-xulrunner191) + * Private Browsing Mode + * TraceMonkey JavaScript engine + * Geolocation support + * native JSON and web worker threads support + * speculative parsing for faster content rendering + * Some HTML5 support +- updated firefox.schemas +- improved firefox-no-update.patch + +------------------------------------------------------------------- +Tue Apr 28 10:47:54 CEST 2009 - wr@rosenauer.org + +- security update to 3.0.10 + * MFSA 2009-23/CVE-2009-1313 (bmo#489647) + Crash in nsTextFrame::ClearTextRun() + +------------------------------------------------------------------- +Thu Apr 16 13:52:21 CEST 2009 - wr@rosenauer.org + +- security update to 3.0.9 (bnc#495473) + * MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305 + Crashes with evidence of memory corruption (rv:1.9.0.9) + * MFSA 2009-15/CVE-2009-0652 (bmo#479336) + URL spoofing with box drawing character + * MFSA 2009-16/CVE-2009-1306 (bmo#474536) + jar: scheme ignores the content-disposition: header on the + inner URI + * MFSA 2009-17/CVE-2009-1307 (bmo#481342) + Same-origin violations when Adobe Flash loaded via + view-source: scheme + * MFSA 2009-18/CVE-2009-1308 (bmo#481558) + XSS hazard using third-party stylesheets and XBL bindings + * MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433) + Same-origin violations in XMLHttpRequest and + XPCNativeWrapper.toString + * MFSA 2009-20/CVE-2009-1310 (bmo#483086) + Malicious search plugins can inject code into arbitrary sites + * MFSA 2009-21/CVE-2009-1311 (bmo#471962) + POST data sent to wrong site when saving web page with + embedded frame + * MFSA 2009-22/CVE-2009-1312 (bmo#475636) + Firefox allows Refresh header to redirect to javascript: URIs + +------------------------------------------------------------------- +Fri Mar 27 09:43:43 CET 2009 - wr@rosenauer.org + +- security update to 1.9.0.8 (bnc#488955,489411) + * MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217) + Crash and remote code execution in XSL transformation + * MFSA 2009-13/CVE-2009-1044 (bmo#484320) + Arbitrary code execution via XUL tree moveToEdgeShift +- allow RPM provides for stuff besides shared libraries + (e.g. mime-types) + +------------------------------------------------------------------- +Sun Mar 1 11:08:58 CET 2009 - wr@rosenauer.org + +- security update to 3.0.7 (bnc#478625) + * MFSA 2009-07 - Crashes with evidence of memory corruption + CVE-2009-0771 - Layout Engine Crashes + CVE-2009-0772 - Layout Engine Crashes + CVE-2009-0773 - crashes in the JavaScript engine + CVE-2009-0774 - Layout Engine Crashes + * MFSA 2009-08/CVE-2009-0775 - (bmo#474456) + Mozilla Firefox XUL Linked Clones Double Free Vulnerability + * MFSA 2009-09/CVE-2009-0776 (bmo#414540) + XML data theft via RDFXMLDataSource and cross-domain redirect + * MFSA 2009-10/CVE-2009-0040 (bmo#478901) + Upgrade PNG library to fix memory safety hazards + * MFSA 2009-11/CVE-2009-0777 (bmo#452979) + URL spoofing with invisible control characters + +------------------------------------------------------------------- +Wed Feb 4 18:58:59 EST 2009 - hfiguiere@suse.de + +- Review and approve changes. + +------------------------------------------------------------------- +Wed Jan 28 13:48:00 CET 2009 - wr@rosenauer.org + +- security update to 3.0.6 (bnc#470074) + * MFSA 2009-06/CVE-2009-0358: Directives to not cache pages ignored + (bmo#441751) + * MFSA 2009-05/CVE-2009-0357: XMLHttpRequest allows reading + HTTPOnly cookies (bmo#380418) + * MFSA 2009-04/CVE-2009-0356: Chrome privilege escalation via + local .desktop files (bmo#460425) + * MFSA 2009-03/CVE-2009-0355: Local file stealing with SessionStore + (bmo#466937) + * MFSA 2009-02/CVE-2009-0354: XSS using a chrome XBL method + and window.eval (bmo#468581) + * MFSA 2009-01/CVE-2009-0352 - CVE-2009-0353: Crashes with + evidence of memory corruption (rv:1.9.0.6) (bmo#452913, + bmo#449006, bmo#331088, bmo#401042, bmo#416461, bmo#422283, + bmo#422301, bmo#431705, bmo#437142, bmo#421839, bmo#420697, + bmo#461027) + * (non security) added lv locale + +------------------------------------------------------------------- +Thu Jan 22 11:09:42 EST 2009 - hfiguiere@suse.de + +- Fix the wrapper script for PowerPC 64-bits (bnc#464753) + +------------------------------------------------------------------- +Wed Dec 17 13:13:25 EST 2008 - hfiguiere@suse.de + +- Review and approve changes. + +------------------------------------------------------------------- +Mon Dec 15 16:41:57 CET 2008 - wr@rosenauer.org + +- security update to 1.9.0.5 (bnc#455804) + for details + http://www.mozilla.org/security/known-vulnerabilities/firefox30.html + * removed aboutRights workaround again + * added et locale + +------------------------------------------------------------------- +Tue Nov 25 10:14:45 EST 2008 - hfiguiere@suse.de + +- Review and approve changes. + +------------------------------------------------------------------- +Sat Nov 22 13:26:03 CET 2008 - wr@rosenauer.org + +- replace license agreement with about:rights toolbar + (backported from upcoming FF 3.0.5) (bnc#436054, bmo#456439) + (it's always displayed in en-US) + +------------------------------------------------------------------- +Fri Nov 21 03:11:41 EST 2008 - hfiguiere@suse.de + +- Update firefox-lockdown-ui.patch + * Print Setup is now properly locked down. bnc#431028 + * Bookmark editing it now properly locked down. bnc#439335 + * Bookmars are properly hidden. + * History is properly locked down. bnc#439343 + * Make sure the search bar is not put back when resetting the + toolbar. bnc#439358 + +------------------------------------------------------------------- +Thu Nov 20 18:49:19 CST 2008 - maw@suse.de + +- Review and approve changes. + +------------------------------------------------------------------- +Thu Nov 13 08:22:13 CET 2008 - wr@rosenauer.org + +- lockdown cleanup + * removed gecko-lockdown.patch from Firefox (it's in xulrunner) + * stripped out some toolkit stuff from firefox-ui-lockdown + * added extra default preferences for lockdown + +------------------------------------------------------------------- +Wed Nov 12 17:55:19 CST 2008 - maw@suse.de + +- Review and approve changes. + +------------------------------------------------------------------- +Tue Nov 11 09:15:59 CET 2008 - wr@rosenauer.org + +- update to security/maintenance release 3.0.4 (bnc#439841) + * support additional locales (bg, cy, eo, oc) +- removed obsolete configure option (enable-gconf) + +------------------------------------------------------------------- +Fri Nov 7 15:39:54 CST 2008 - maw@suse.de + +- Review and approve changes. + +------------------------------------------------------------------- +Tue Nov 4 23:27:03 CET 2008 - wr@rosenauer.org + +- moved gconf schema into branding packages (bnc#441646) + +------------------------------------------------------------------- +Tue Oct 28 16:16:14 EDT 2008 - hfiguiere@suse.de + +- Fix missing %endif (for fix for bnc#434283) + +------------------------------------------------------------------- +Mon Oct 27 17:05:02 EDT 2008 - hfiguiere@suse.de + +- Add disable_show_passwords to firefox.schemas. (FATE #301534) + +------------------------------------------------------------------- +Mon Oct 27 11:57:29 CET 2008 - wr@rosenauer.org + +- make biarch dependencies work correctly (bnc#434283) + +------------------------------------------------------------------- +Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de + +- Added firefox-ui-lockdown.patch and gecko-lockdown.patch + * Lockdown: FATE#302023, FATE#302024 + +------------------------------------------------------------------- +Mon Oct 6 14:55:48 CEST 2008 - sbrabec@suse.cz + +- Conflict with other branding providers (FATE#304881). + +------------------------------------------------------------------- +Mon Sep 29 12:27:43 CDT 2008 - maw@suse.de + +- Review and approve changes. + +------------------------------------------------------------------- +Mon Sep 29 11:36:30 CDT 2008 - maw@suse.de + +- Remove a reference to a stale patch. + +------------------------------------------------------------------- +Sun Sep 28 18:19:26 CEST 2008 - wr@rosenauer.org + +- update to regression fix release 3.0.3 + * Fixed a problem where users were unable to retrieve saved + passwords or save new passwords (bmo#454708, bnc#429179#c20, + CVE-2008-4063, CVE-2008-4064, CVE-2008-3836, andCVE-2008-4070) + +------------------------------------------------------------------- +Thu Sep 25 14:47:13 CDT 2008 - maw@suse.de + +- Review and approve changes. + +------------------------------------------------------------------- +Mon Sep 15 13:45:16 CEST 2008 - wr@rosenauer.org + +- update to security/maintenance release 3.0.2 (bnc#429179) +- removed unused files from sources +- fix more rpmlint complaints and provide a config file to filter + false positives +- disable Gnome crashreporter as it has no value +- brought man-page up to date for the firefox stub + (removing firefox-bin reference) +- en-US locale not longer packaged in translations subpackage + +------------------------------------------------------------------- +Fri Aug 15 18:56:26 CDT 2008 - maw@novell.com + +- Review and approve changes. + +------------------------------------------------------------------- +Mon Aug 4 09:26:05 CEST 2008 - wr@rosenauer.org + +- Tweak branding split + +------------------------------------------------------------------- +Tue Jul 29 15:02:47 CEST 2008 - vuntz@novell.com + +- Create branding package (bnc#390752): + + search-addons.tar.bz2, bookmarks.html.suse and + firefox-suse-default-prefs.js will be moved to + MozillaFirefox-branding-openSUSE + + create a MozillaFirefox-branding-upstream package + +------------------------------------------------------------------- +Mon Jul 28 20:54:22 CEST 2008 - mauro@suse.de + +- Update to stability/security release 3.0.1 (bnc#407573) + (thanks, Wolfgang) + + MFSA 2008-36 Crash with malformed GIF file on Mac OS X + + MFSA 2008-35 Command-line URLs launch multiple tabs when + Firefox not running + + MFSA 2008-34 Remote code execution by overflowing CSS reference counter +- Set browser.shell.checkDefaultBrowser to true (bnc#404119) + +------------------------------------------------------------------- +Tue Jun 17 18:49:33 CEST 2008 - maw@suse.de + +- Merge changes from the build service (thanks, Wolfgang) + (bnc#400001 and SWAMP#18164). + +------------------------------------------------------------------- +Tue Jun 17 14:40:04 CEST 2008 - wr@rosenauer.org + +- update to version 3.0 +- fixed double entry in bookmarks for www.opensuse.org (bnc#396980 + +------------------------------------------------------------------- +Thu May 15 13:45:51 CEST 2008 - aj@suse.de + +- Add Planet SUSE, forums.o.o and How to participate to default + URLs. + +------------------------------------------------------------------- +Fri May 2 16:25:24 CEST 2008 - maw@suse.de + +- network.protocol-handler.app.* prefs are no longer supported; + remove references to them from firefox-suse-default-prefs.js + (bnc#383697). + +------------------------------------------------------------------- +Thu Apr 3 01:42:34 CEST 2008 - maw@suse.de + +- Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang). + +------------------------------------------------------------------- +Wed Mar 26 01:05:18 CET 2008 - maw@suse.de + +- Merge changes from the build service (thanks, Wolfgang) +- Update to the fourth Firefox 3.0 Beta (2.9.94): + + Based upon the Gecko 1.9 Web rendering platform, which improves + performance, stability, and rendering correctness; it also + boasts a considerable simplification in its code + + Security improvements: + * One-click site info + * Malware Protection + * New Web Forgery Protection page + * New SSL error pages + * Add-ons and Plugin version check + * Secure add-on updates + * Effective top-level domain (eTLD) service to better restrict + cookies and other restricted content to a single domain + * Better protection against cross-site JSON data leaks + + Usability improvements: + * Easier password management + * Simplified add-on installation + * New Download Manager + * Resumable downloading + * Full page zoom + * Podcasts and Videocasts can be associated with your media + playback tools + * Tab scrolling and quickmenu + * Save what you were doing: Firefox will prompt users to save + tabs on exit + * Optimized Open in Tabs behavior + * Location and Search bar size can now be customized with a + simple resizer item + * Text selection improvements + * Find toolbar + * Improved integration with Linux: Firefox's default icons, + buttons, and menu styles now use the native GTK theme + + Personalization improvements: + * Star button: quickly add bookmarks from the location bar + with a single click; a second click lets you file and tag them + * Tags: associate keywords with your bookmarks to sort them + by topic + * Location bar & auto-complete + * Smart Bookmarks Folder + * Places Organizer: view, organize and search through all + of your bookmarks, tags, and browsing history with multiple + views and smart folders to store your frequent searches + * Web-based protocol handlers + * Download & Install Add-ons + * Easy to use Download Actions + + Improved platform for web developers: + * New graphics and font handling: new graphics and text + rendering architectures in Gecko 1.9 provides rendering + improvements in CSS, SVG as well as improved display of + fonts with ligatures and complex scripts + * Color management: (set gfx.color_management.enabled on + in about:config and restart the browser to enable.); + Firefox can now adjust images with embedded color profiles + * Offline support: enables web applications to provide + offline functionality (website authors must add support + for offline browsing to their site for this feature + to be available to users) + + Improved performance: + * Speed: improvements to the JavaScript engine as well as + profile guided optimizations have resulted in significant + improvements in performance; compared to Firefox 2, + web applications like Google Mail and Zoho Office run + twice as fast in Firefox 3 Beta 4, and the popular + SunSpider test from Apple shows improvements over + previous releases + * Memory usage: Several new technologies work together to + reduce the amount of memory used by Firefox 3 Beta 4 + over a web browsing session; memory cycles are broken + and collected by an automated cycle collector, a new + memory allocator reduces fragmentation, hundreds of leaks + have been fixed, and caching strategies have been tuned + * Reliability: A user's bookmarks, history, cookies, and + preferences are now stored in a transactionally secure + database format which will prevent data loss even if their + system crashes +- This version depends upon the mozilla-xulrunner190 package +- Drop various stale packages, respin several that have been + kept around, and add a few new ones. + +------------------------------------------------------------------- +Mon Feb 11 18:18:14 CET 2008 - maw@suse.de + +- Security update to version 2.0.0.12 (bnc#354469): + + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div + overlay + + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet + redirect + + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain + text files + + MFSA 2008-08/CVE-2008-0591 File action dialog tampering + + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward + navigation stealing + + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI + + MFSA 2008-04/CVE-2008-0417 Stored password corruption + + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote + Code Execution + + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing + vulnerabilities + + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory + corruption (rv:1.8.1.12) +- Reference libaoss.so in start script (bnc#117079) +- Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed +- Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and + FATE#302024) +- Add application/x-xpinstall mime type to MozillaFirefox.desktop +- Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall + in desktop. + +------------------------------------------------------------------- +Thu Jan 17 17:52:47 CET 2008 - maw@suse.de + +- Add mozilla-maxpathlen.patch (#354150 and bmo #412610). + +------------------------------------------------------------------- +Fri Dec 21 18:46:50 CET 2007 - maw@suse.de + +- Add firefox-348446-empty-lists.patch (bnc#348446). + +------------------------------------------------------------------- +Wed Dec 5 02:21:26 CET 2007 - maw@suse.de + +- Respin proxy-dev.patch (bnc#340678) -- thanks, Anders! + +------------------------------------------------------------------- +Tue Nov 27 18:25:25 CET 2007 - maw@suse.de + +- Security update to version 2.0.0.10 (#341905, #341591): + + MFSA 2007-39 Referer-spoofing via window.location race condition + + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10) + + MFSA 2007-37 jar: URI scheme XSS hazard + + Fixes for regressions introduced in 2.0.0.8 + + Updated dbus.patch, startup.patch, misc.dif, and configure.patch +- Add mozilla-gcc4.3-fixes.patch +- Add mozilla-canvas-1.8.1.10.patch (#341591#c10). + +------------------------------------------------------------------- +Mon Nov 26 18:27:25 CET 2007 - maw@suse.de + +- Build with -ftree-vrp -fwrapv, per advice in #342603#c17. + +------------------------------------------------------------------- +Tue Nov 13 17:49:01 CET 2007 - maw@suse.de + +- Add firefox-gcc4.3-fixes.patch. + +------------------------------------------------------------------- +Fri Oct 19 02:04:45 CEST 2007 - maw@suse.de + +- Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang) + * MFSA 2007-29 Crashes with evidence of memory corruption + * MFSA 2007-30 onUnload Tailgating + * MFSA 2007-31 Digest authentication request splitting + * MFSA 2007-32 File input focus stealing vulnerability + * MFSA 2007-33 XUL pages can hide the window titlebar + * MFSA 2007-34 Possible file stealing through sftp protocol + * MFSA 2007-35 XPCNativeWraper pollution using Script object + complete advisories on + http://www.mozilla.org/projects/security/known-vulnerabilities.html + +------------------------------------------------------------------- +Sun Sep 23 19:49:12 CEST 2007 - maw@suse.de + +- Don't explicitly require libaoss.so (#326751). + +------------------------------------------------------------------- +Fri Sep 14 23:13:06 CEST 2007 - maw@suse.de + +- Update the Novell Support search plugin in search-addons.tar.bz2 + (#297261) +- Set the browser.tabs.loadFolderAndReplace preference to false + by default (#230759). + +------------------------------------------------------------------- +Wed Sep 12 15:21:06 CEST 2007 - dmueller@suse.de + +- fix hardlinks accross partitions + +------------------------------------------------------------------- +Thu Sep 6 16:07:12 CEST 2007 - maw@suse.de + +- Add http://software.opensuse.org/search?baseproject=openSUSE:10.3 + to the default bookmarks (#308223). + +------------------------------------------------------------------- +Mon Sep 3 22:33:09 CEST 2007 - ro@suse.de + +- move last change a bit further in specfile + +------------------------------------------------------------------- +Fri Aug 31 18:36:16 CEST 2007 - maw@suse.de + +- Mark a .png file as nonexecutable. + +------------------------------------------------------------------- +Tue Aug 28 16:44:08 CEST 2007 - maw@suse.de + +- Minor .spec update (#305193) + + Remove two obsolete patches + + Correct releasedate + + Include only the officially supported locales. + +------------------------------------------------------------------- +Wed Aug 22 17:53:03 CEST 2007 - maw@suse.de + +- Merge changes from the build service (thanks, Wolfgang): + + Provide locale dependency information (#302288) + + Add x11-session.patch, supporting X11 session management + (#227047) + + Update to version 2.0.0.6 + * MFSA 2007-26 Privilege escalation through chrome-loaded + about:blank windows + * MFSA 2007-27 Unescaped URIs passed to external programs + (only relevant on Windows) +- Use %fdupes. + +------------------------------------------------------------------- +Tue Aug 21 09:45:35 CEST 2007 - aj@suse.de + +- Adjust bookmarks: Add news.opensuse.org, use new software.o.o + page. + +------------------------------------------------------------------- +Thu Aug 16 14:57:27 CEST 2007 - mauro@suse.de + +- Revert previous change. + +------------------------------------------------------------------- +Tue Aug 14 11:58:23 CEST 2007 - mauro@suse.de + +- Added support for ymp in the mimetypes.rdf +- Added OneClickInstallUrlHandler for handing the actual call from firefox. +- Fixes bnc #295677 + +------------------------------------------------------------------- +Mon Jul 23 18:57:07 CEST 2007 - maw@suse.de + +- Security update to version 2.0.0.5 (#288115) which has fixes for: +MFSA 2007-18 + CVE-2007-3734 - Browser flaws + CVE-2007-3735 - Javascript flaws + +MFSA 2007-19 + CVE-2007-3736 + +MFSA 2007-20 + CVE-2007-3089 + +MFSA 2007-21 + CVE-2007-3737 + +MFSA 2007-22 + CVE-2007-3285 + +MFSA 2007-23 + CVE-2007-3670 + +MFSA 2007-24 + CVE-2007-3656 + +MFSA 2007-25 + CVE-2007-3738 + +------------------------------------------------------------------- +Thu Jun 21 15:59:01 CEST 2007 - adrian@suse.de + +- fix changelog entry order + +------------------------------------------------------------------- +Mon Jun 18 13:22:42 CDT 2007 - maw@suse.de + +- Use mozilla.sh.in from the build service (#230681). + +------------------------------------------------------------------- +Tue Jun 5 15:55:08 CEST 2007 - sbrabec@suse.cz + +- Removed invalid desktop category "Application" (#254654). + +------------------------------------------------------------------- +Mon Jun 4 19:53:35 CDT 2007 - maw@suse.de + +- Security update to version 2.0.0.4 +- Refresh configure.patch, startup.patch, and visibility.patch +- Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2. + +------------------------------------------------------------------- +Mon Apr 30 16:49:55 CEST 2007 - ro@suse.de + +- added unzip to BuildRequires + +------------------------------------------------------------------- +Wed Apr 18 14:16:44 CEST 2007 - mfabian@suse.de + +- add Japanese to the languages which get PANGO enabled in the + start script to support the Japanese combining characters + U+3099 U+309A (see bugzilla #262718 comment #29). + +------------------------------------------------------------------- +Mon Mar 12 11:06:10 CST 2007 - maw@suse.de + +- Package gconf stuff. + +------------------------------------------------------------------- +Wed Feb 21 16:37:25 CST 2007 - maw@suse.de + +- Security update to 2.0.0.2 (#244923), which covers: + + mfsa2007-01 + * CVE-2007-0775 - layout engine crashes + * CVE-2007-0776 - SVG + * CVE-2007-0777 - javascript engine corruption + + mfsa2007-02 + * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes + * CVE-2007-0996 - Child frame character set inheritance + * CVE-2006-6077 - Injected password forms + + mfsa2007-02 + + mfsa2007-03 + * CVE-2007-0078 + + mfsa2007-04 + * CVE-2007-0079 + + mfsa2007-05 + * CVE-2007-0780 + * CVE-2007-0800 + + mfsa2007-06 + * CVE-2007-0008 - client flaw + * CVE-2007-0009 - server flaw + + mfsa2007-07 + * CVE-2007-0981 +- Updates mozilla.sh.in (#230681) +- Fixes #232209 +- Updates the man page (#243037) +- Properly propagates exit codes (#241492) +- Adds em-356370.patch (#217374) + +------------------------------------------------------------------- +Thu Jan 25 10:16:56 CST 2007 - maw@suse.de + +- Fixup the Gnome paths, keeping in closer sync with the + buildservice. + +------------------------------------------------------------------- +Thu Jan 18 09:27:54 CST 2007 - maw@suse.de + +- Gnome is now in /usr, so remove references to /opt/gnome +- Install firefox.png with the executable bit not set. + +------------------------------------------------------------------- +Wed Jan 10 12:57:39 CET 2007 - meissner@suse.de + +- readd MozillaFirebird provides (was incorrect in removing it). + +------------------------------------------------------------------- +Mon Jan 8 11:16:08 CET 2007 - meissner@suse.de + +- Do not provide MozillaFirebird, just obsolete it. + +------------------------------------------------------------------- +Fri Dec 1 02:22:49 CET 2006 - maw@suse.de + +- Update gecko-lockdown.patch (#220616). + +------------------------------------------------------------------- +Thu Nov 30 19:02:54 CET 2006 - maw@suse.de + +- Update firefox-suse-default-prefs.js, adding + 'pref("browser.backspace_action", 2);' (#217374) + +------------------------------------------------------------------- +Thu Nov 30 08:17:28 CET 2006 - aj@suse.de + +- Fix last change (#224431). + +------------------------------------------------------------------- +Wed Nov 29 11:45:47 CET 2006 - aj@suse.de + +- Change download bookmark (#224431). +- Rename bookmark folder to openSUSE. + +------------------------------------------------------------------- +Tue Nov 28 08:09:48 CET 2006 - aj@suse.de + +- Sync from Buildservice with following critical fixes (thanks + Wolfgang Rosenauer!): + * fixed system-proxies.patch to actually work (#223881). + * Rearrange Bookmarks to pass trademark review. + +------------------------------------------------------------------- +Mon Nov 27 19:40:44 CET 2006 - aj@suse.de + +- Fix tango theme (#223796). + +------------------------------------------------------------------- +Mon Nov 27 17:40:50 CET 2006 - aj@suse.de + +- Use www.opensuse.org as home page. + +------------------------------------------------------------------- +Sun Nov 12 11:28:00 CET 2006 - aj@suse.de + +- Set novell.com as home page. +- Update from BuildService (thanks Wolfgang!): + - fixed crash in htmlparser (#217257, bmo #358797) + - added gconf2 as PreReq (#212505) + - added 32bit libaoss.so as requirement (#216266) + - Removed SUSE searchplugin (Portal not available anymore) + (#216054) + - Removed obsolete xul-picker.patch and system-nspr.patch + - Fixed building on 10.1 and 10.0 (dbus) + - Removed obsolete throbber preference + +------------------------------------------------------------------- +Thu Nov 9 19:09:46 CET 2006 - jhargadon@suse.de + +- updated tango theme + +------------------------------------------------------------------- +Sun Oct 29 12:05:46 CET 2006 - aj@suse.de + +- Another fix for 214125, patch by Wolfgang Rosenauer. + +------------------------------------------------------------------- +Thu Oct 26 06:58:59 CEST 2006 - aj@suse.de + +- Fix gcc warnings about undefined operations, patch by + Robert O'Callahan. +- Update system-proxies.patch to fix error box (214125), patch by + Robert O'Callahan. + +------------------------------------------------------------------- +Mon Oct 23 21:54:54 CEST 2006 - aj@suse.de + +- Update to current CVS version of 2.0. +- Use www.opensuse.org as default home page for now (#203547). + +------------------------------------------------------------------- +Sat Oct 21 08:53:50 CEST 2006 - aj@suse.de + +- Disable non-working plasticfox and tango themes. + +------------------------------------------------------------------- +Fri Oct 20 20:16:29 CEST 2006 - aj@suse.de + +- Fix building of locales. + +------------------------------------------------------------------- +Fri Oct 20 11:27:23 CEST 2006 - mkoenig@suse.de + +- update to version 2.0rc3: + * New features: Visual Refresh, Built-in phishing protection, + Enhanced search capabilities, Improved tabbed browsing, + Resuming your browsing session, Previewing and subscribing + to Web feeds, Inline spell checking, Live Titles, + Improved Add-ons manager, JavaScript 1.7, Extended search + plugin format, Updates to the extension system, + Client-side session and persistent storage, SVG text + +------------------------------------------------------------------- +Tue Oct 17 11:26:44 CEST 2006 - meissner@suse.de + +- disabled debugging. + +------------------------------------------------------------------- +Tue Sep 12 20:27:02 CEST 2006 - stark@suse.de + +- security update to version 1.5.0.7 + +------------------------------------------------------------------- +Mon Aug 21 12:53:50 CEST 2006 - stark@suse.de + +- added greasemonkey helper change (#199920) +- fixed packager.mk for new make version + +------------------------------------------------------------------- +Fri Aug 11 20:51:48 CEST 2006 - stark@suse.de + +- fixed crash in dbus component (patch by thoenig #197928) +- use external adresses for PAC configuration (#196506) + +------------------------------------------------------------------- +Mon Aug 7 09:26:58 CEST 2006 - stark@suse.de + +- added symlink for Firefox 1.0.x compatibility + +------------------------------------------------------------------- +Sat Jul 29 08:48:53 CEST 2006 - stark@suse.de + +- update to regression release 1.5.0.6 (#195043) + +------------------------------------------------------------------- +Thu Jul 27 06:20:36 CEST 2006 - stark@suse.de + +- security update to version 1.5.0.5 (#195043) + * observer-lock.patch integrated now +- fixed leak in JS' liveconnect (#186066) +- fixed desktop file for old distributions + (StartupNotify=false) + +------------------------------------------------------------------- +Thu Jun 29 20:13:28 CEST 2006 - stark@suse.de + +- fixed printing crash if the last used printer is not available + anymore (#187013) + +------------------------------------------------------------------- +Fri Jun 16 22:11:22 CEST 2006 - stark@suse.de + +- added 48x48 icon (#185777) + +------------------------------------------------------------------- +Mon Jun 12 20:20:02 CEST 2006 - stark@suse.de + +- fix overwrite confirmation for GTK filesaver (#179531) +- get network.negotiate-auth.trusted-uris and + network.negotiate-auth.delegation-uris from gconf if + system-settings are enabled (#184489) + +------------------------------------------------------------------- +Thu Jun 1 20:34:43 CEST 2006 - stark@suse.de + +- update to security/stability release 1.5.0.4 (#179011) +- moved locale-global prefs to browserconfig.properties (#177881) + +------------------------------------------------------------------- +Tue May 23 21:11:11 CEST 2006 - stark@suse.de + +- complete implementation of startup-notification (#115417) + (including autoconf and remote support) +- different home-pages for SLE10 and SL (#177881) + +------------------------------------------------------------------- +Tue May 16 06:27:26 CEST 2006 - stark@suse.de + +- fixed potential deadlock in nsObserverList::RemoveObserver + (#173986, bmo #338069) +- base startup notification on libstartup-notification (#115417) + +------------------------------------------------------------------- +Thu May 11 09:39:27 CEST 2006 - stark@suse.de + +- save printer settings properly (#174082, bmo #324072) +- added startup notification support for showing load activity + in Gnome and to avoid focus stealing prevention (#115417) +- added StartupNotify=true to desktop file (#115417) +- provide legacy symlink for NLD9 update compatibility (#173138) +- fixed system-proxies patch to avoid unwanted wpad requests + (#171743, #167613) + +------------------------------------------------------------------- +Mon May 8 14:55:52 CEST 2006 - stark@suse.de + +- preconfigure the theme according to the used desktop (#151163) + +------------------------------------------------------------------- +Thu Apr 27 10:24:07 CEST 2006 - stark@suse.de + +- last minute change for 1.5.0.3 + +------------------------------------------------------------------- +Wed Apr 26 14:23:33 CEST 2006 - stark@suse.de + +- security update to 1.5.0.3 +- fix for typo in postscript.patch + +------------------------------------------------------------------- +Tue Apr 25 14:14:51 CEST 2006 - stark@suse.de + +- fixed iframe crash (#169039, bmo #334515) +- fixed img tag misuse (#168710, bmo #334341) + +------------------------------------------------------------------- +Mon Apr 24 08:04:16 CEST 2006 - stark@suse.de + +- improved postscript output (bmo #334485) +- changed defaults for printer properties (#6534) +- overwrite gnome-vfs' file protocol by providing "desktop-launch" + (#131501) +- get available paper sizes from CUPS (#65482) +- replaced/removed complicated gconfd reload in %post (#167989) +- fixed memory leak in clipboard caching (bmo #289897) + +------------------------------------------------------------------- +Tue Apr 11 08:35:53 CEST 2006 - stark@suse.de + +- added (optional) plastikfox theme (#151163) +- get some more security related patches (#148876) +- finally fixed the default proxy configuration by adding a new + UI option (#132398) + +------------------------------------------------------------------- +Mon Apr 3 11:41:13 CEST 2006 - stark@suse.de + +- fixed keyword fixup patch (#162532) + +------------------------------------------------------------------- +Tue Mar 28 07:17:04 CEST 2006 - stark@suse.de + +- don't use keyword fixup for pasted text (#160034, bmo #331522) + +------------------------------------------------------------------- +Mon Mar 20 09:28:58 CET 2006 - stark@suse.de + +- added Tango theme +- fixed reading proxies from gconf (#132398) + +------------------------------------------------------------------- +Sun Mar 12 09:04:05 CET 2006 - stark@suse.de + +- tweaked bookmarks (fixed URLs) +- added Khmer (km-*) to pango locales (#157397) + +------------------------------------------------------------------- +Sat Mar 4 21:08:45 CET 2006 - stark@suse.de + +- fixed crash with multipart JPEGs (bmo #328684) (#140416) +- got latest security fixes from upstream (#148876) + +------------------------------------------------------------------- +Wed Feb 22 13:24:58 CET 2006 - stark@suse.de + +- fixed plugin loading when launched from Thunderbird (#151614) +- merged dbus reconnection patch (#150042) +- default to autodetect proxy (network.proxy.type=4) (#151811) +- added GTK category to desktop file + +------------------------------------------------------------------- +Tue Feb 14 06:45:24 CET 2006 - stark@suse.de + +- modified lockdown patches (#67281, #67282) +- applied set of security patches (#148876) + bmo bugs: 282105, 307989, 315625, 320459, 323634, 325403, 325947 + +------------------------------------------------------------------- +Tue Feb 7 20:09:43 CET 2006 - stark@suse.de + +- fixed disabling of Pango (#148788) + +------------------------------------------------------------------- +Thu Feb 2 21:51:30 CET 2006 - stark@suse.de + +- define gssapi lib explicitely (#147670) +- use only official Firefox-Icon +- changed home-download patch + +------------------------------------------------------------------- +Sun Jan 29 09:54:49 CET 2006 - stark@suse.de + +- throbber URL is default again +- removed firefox-showpass patch +- removed additional CA certs from builtin NSS + +------------------------------------------------------------------- +Fri Jan 27 17:55:21 CET 2006 - stark@suse.de + +- got some l10n changes from 1.8.0 branch + +------------------------------------------------------------------- +Fri Jan 27 08:15:09 CET 2006 - stark@suse.de + +- final 1.5.0.1 version +- make it possible to choose $HOME as download directory + (#144894, bmo #300856) + +------------------------------------------------------------------- +Wed Jan 25 21:33:43 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Sun Jan 22 17:06:57 CET 2006 - stark@suse.de + +- disable Pango if MOZ_ENABLE_PANGO is not set + and no typical language which needs Pango is used (#143428) + +------------------------------------------------------------------- +Wed Jan 18 10:27:30 CET 2006 - stark@suse.de + +- fixed DumpStackToFile() for glibc 2.4 +- added default (font) settings + +------------------------------------------------------------------- +Thu Jan 12 10:23:58 CET 2006 - stark@suse.de + +- update to 1.5.0.1pre (20060111) +- updated man-page +- fixed hovered tab close button +- only Requires mozilla-nspr instead of PreReq since + there is no postinstall registration necessary anymore +- use system NSS from CODE10 on +- use -fstack-protector where available +- changed unixproxy component to work on older distributions + +------------------------------------------------------------------- +Mon Jan 2 13:39:09 CET 2006 - stark@suse.de + +- added unixproxy component written by Robert O'Callahan (#132398) + (bmo #66057) +- added official translations +- preload libaoss for plugin sound (#117079) + +------------------------------------------------------------------- +Wed Dec 28 08:16:03 CET 2005 - stark@suse.de + +- get some patches from 1.8.0 branch +- readded modification to gconf-backend (bmo #321315) +- readded lockdown stuff +- enable additional extension install directory (#120329) + (/usr/lib/browser-extensions/firefox) +- added patch to make the XUL filechooser optional + (MOZ_XUL_PICKER) + +------------------------------------------------------------------- +Wed Dec 14 16:08:12 CET 2005 - stark@suse.de + +- fixed patch for parsing -remote parameter +- removed default-plugin patch (not needed anymore) + +------------------------------------------------------------------- +Fri Dec 9 17:21:29 CET 2005 - stark@suse.de + +- fix to ignore X composite extension (#135373) +- fixed parsing of -remote parameters (#134396) +- activated locales as released + +------------------------------------------------------------------- +Tue Nov 29 21:33:13 CET 2005 - stark@suse.de + +- update to 1.5 (20051128) +- don't override startup URL when changing Gecko versions (#135314) +- added patch for GTK2 handling (#134831) +- readded add-plugins stuff for compatibility + +------------------------------------------------------------------- +Fri Nov 18 07:41:41 CET 2005 - stark@suse.de + +- update to 1.5rc3 (20051117) + +------------------------------------------------------------------- +Mon Oct 31 08:58:14 CET 2005 - stark@suse.de + +- updated l10n archive (20051030) +- fixed postinstall script to copy plugin links instead of files + +------------------------------------------------------------------- +Fri Oct 28 06:43:27 CEST 2005 - stark@suse.de + +- update to 1.5rc1 (20051027) +- fixed profile locking on FAT partitions (bmo #313360) +- introduced an rpath again + +------------------------------------------------------------------- +Wed Oct 19 20:03:48 CEST 2005 - stark@suse.de + +- update to snapshot 1.5 (20051019) +- moved installation to /usr/%{_lib}/firefox +- added dbus component to be able to get network status from + NetworkManager (bmo #312793) +- remove all update UI for application +- removed diable-gconf (no registration at build time anymore) +- removed rebuild-databases.sh (no system registration anymore) +- open links in new windows (#128087) + +------------------------------------------------------------------- +Thu Oct 6 20:44:53 CEST 2005 - stark@suse.de + +- update to Firefox 1.5b2 (20051005) +- added supported translations + +------------------------------------------------------------------- +Sat Oct 1 15:09:18 CEST 2005 - stark@suse.de + +- update to Firefox 1.5b1 (20050930) RPM version 1.4.1 +- removed rebuild-databases.sh calls +- removed add-plugins.sh calls and corresponding triggers +- enabled SVG and Canvas support +- fixed gconf urlhandler registration + +------------------------------------------------------------------- +Tue Sep 20 10:24:16 CEST 2005 - stark@suse.de + +- security update to 1.0.7 (#117619) + * MFSA 2005-57: IDN heap overrun using soft-hyphens (bmo #307259) + (enabled IDN pref again) + * MFSA 2005-58: + CAN-2005-2701 Heap overrun in XBM image processing + CAN-2005-2702 Crash on "zero-width non-joiner" sequence + CAN-2005-2703 XMLHttpRequest header spoofing + CAN-2005-2704 Object spoofing using XBL <implements> + CAN-2005-2705 JavaScript integer overflow + CAN-2005-2706 Privilege escalation using about: scheme + CAN-2005-2707 Chrome window spoofing + Regression fixes +- register beagle extension if it gets installed (#116787) + +------------------------------------------------------------------- +Tue Sep 13 15:41:37 CEST 2005 - aj@suse.de + +- Change SUSE bookmarks. + +------------------------------------------------------------------- +Sun Sep 11 17:05:07 CEST 2005 - stark@suse.de + +- disable IDN per default (#116070) +- unlocalize bookmarks (#114279) + +------------------------------------------------------------------- +Thu Sep 8 08:52:13 CEST 2005 - stark@suse.de + +- fixed some filemodes (#114849) + +------------------------------------------------------------------- +Sun Sep 4 00:03:53 CEST 2005 - stark@suse.de + +- fixed gconf-backend patch to be able to use + system prefs (#114054) + +------------------------------------------------------------------- +Thu Sep 1 13:22:17 CEST 2005 - stark@suse.de + +- changed default font to sans-serif (#114464) +- removed de-de parts of the bookmark-links (#114279) + +------------------------------------------------------------------- +Mon Aug 22 06:10:12 CEST 2005 - stark@suse.de + +- install gconf schema for lockdown also on non-NLD +- added backports (firefox-backports.patch) + * gtk_im_context_set_cursor_location() is not used (bmo #281339) + * fixed crash in imgCacheValidator::OnStartRequest() + (bmo #293307) +- workaround for linking with pangoxft and pangox + (broken by gtk 2.8 update) (#105764) +- remove extensions on deinstallation +- include dragonegg (kparts) plugin (#105468) + +------------------------------------------------------------------- +Thu Aug 18 13:08:55 CEST 2005 - stark@suse.de + +- fixed regression in profile locking change (bmo #303633) +- added rtsp handler to global config (#104434) +- don't blacklist help: protocol (bmo #304833) +- fixed Gdk-WARNING at startup (gtk.patch) +- fixed crash with gtk 2.7 (bmo #300226, bnc #104586) +- fixed installation of the beagle plugin +- update industrial theme to 1.0.11 (#104564) +- included lockdownV2 (removed obsolete gconf.diff) +- linked firefox-bin with rpath to progdir + +------------------------------------------------------------------- +Fri Aug 5 09:51:26 CEST 2005 - stark@suse.de + +- fixed profile locking (bmo #151188) +- install beagle extension globally + +------------------------------------------------------------------- +Fri Jul 29 06:58:24 CEST 2005 - stark@suse.de + +- don't require and provide NSS libs (#98002) +- fixed printing error 'You cannot print while in print preview' + (#96991, bmo #302445) + +------------------------------------------------------------------- +Wed Jul 27 09:34:12 CEST 2005 - stark@suse.de + +- fixed Firefox on ppc (stack-direction.patch) (#97359) +- removed open-pref from startscript as it is done + automatically now (#73042) +- updated Novell searchplugins + +------------------------------------------------------------------- +Mon Jul 25 12:32:13 CEST 2005 - stark@suse.de + +- GTK filechooser is now modal (#8533) +- backed out patch to add tooltips to print-preview + because it breaks localization + +------------------------------------------------------------------- +Fri Jul 22 10:54:39 CEST 2005 - stark@suse.de + +- fixed another problem in printing patch + +------------------------------------------------------------------- +Tue Jul 19 10:44:59 CEST 2005 - stark@suse.de + +- fixed error in ft-xft-ps2.patch +- disabled stripping in spec instead of patch +- added NSPR to PreReq + +------------------------------------------------------------------- +Mon Jul 18 08:43:24 CEST 2005 - stark@suse.de + +- fixed some more regressions with final 1.0.6 +- fixed width calculation in Postscript module (bmo #290292) +- fixed plugin event starvation (bnc #94749, #94751, bmo #301161) + +------------------------------------------------------------------- +Fri Jul 15 11:24:47 CEST 2005 - stark@suse.de + +- searchplugins can now be installed per profile (#8176) + +------------------------------------------------------------------- +Fri Jul 15 06:54:02 CEST 2005 - stark@suse.de + +- update to 1.0.6 which restores API compatibility + +------------------------------------------------------------------- +Tue Jul 12 06:20:37 CEST 2005 - stark@suse.de + +- update to 1.0.5 final (#88509) +- don't strip explicitely +- don't ship beagle.xpi + +------------------------------------------------------------------- +Wed Jul 6 14:13:09 CEST 2005 - stark@suse.de + +- update to 1.0.5-pre (20050705) +- use RPM_OPT_FLAGS for NSS component +- fixed implicit declarations and uninitialized used variables +- added patch for bmo #87969 + +------------------------------------------------------------------- +Tue Jul 5 10:17:16 CEST 2005 - stark@suse.de + +- fixed regression from security update (#95069, bmo #298478) + +------------------------------------------------------------------- +Mon Jun 27 21:46:58 CEST 2005 - stark@suse.de + +- don't use system-prefs by default on NLD +- removed basic lockdown stuff for SUSE Linux + (it's not needed and caused problems: bnc #75418) +- fixed NLD lockdown patch (bnc #75418) +- don't write prefs back to gconf for now + +------------------------------------------------------------------- +Wed Jun 22 07:32:42 CEST 2005 - stark@suse.de + +- new NLD lockdown patch which is syncing user prefs to gconf +- update to 1.0.5pre security-release + +------------------------------------------------------------------- +Thu Jun 9 06:56:02 CEST 2005 - stark@suse.de + +- new revision of NLD lockdown patch +- fixed remote usage behaviour in start script (bnc #41903) +- got more bugfixes from the branch + +------------------------------------------------------------------- +Thu Jun 2 10:31:48 CEST 2005 - stark@suse.de + +- fixed neededforbuild + +------------------------------------------------------------------- +Wed Jun 1 20:15:25 CEST 2005 - stark@suse.de + +- fixed IDN for 64bit platforms (bmo #236425, bnc #46268) + +------------------------------------------------------------------- +Fri May 20 15:12:06 CEST 2005 - stark@suse.de + +- fixed keybinding for KP separator (bnc #84147) +- pulled security related patch from upstream branch +- update plastikfox theme to version 1.6 + +------------------------------------------------------------------- +Thu May 12 06:16:25 CEST 2005 - stark@suse.de + +- update to final 1.0.4 release + +------------------------------------------------------------------- +Tue May 10 06:38:05 CEST 2005 - stark@suse.de + +- update to 1.0.4 security release +- removed s390(x) patches (upstream) +- made two more files %verify (81692) +- updated NLD lockdown patch (81304) + +------------------------------------------------------------------- +Thu Apr 28 09:45:53 CEST 2005 - stark@suse.de + +- use static NSPR libs from new location + +------------------------------------------------------------------- +Sat Apr 23 15:56:08 CEST 2005 - stark@suse.de + +- activate usage of system NSPR for distributions after 9.3 +- add patch to be able to use systen NSPR at all + +------------------------------------------------------------------- +Fri Apr 22 02:06:06 CEST 2005 - ro@suse.de + +- use mozilla-gcc4.patch + +------------------------------------------------------------------- +Thu Apr 21 12:51:19 CEST 2005 - stark@suse.de + +- don't execute gconf magic within build environment + +------------------------------------------------------------------- +Sat Apr 16 13:05:37 CEST 2005 - stark@suse.de + +- update to final 1.0.3 release + +------------------------------------------------------------------- +Fri Apr 15 00:10:54 CEST 2005 - ro@suse.de + +- fix problem in postinstall script + +------------------------------------------------------------------- +Wed Apr 14 09:20:02 CEST 2005 - stark@suse.de + +- included fixed lockdown patch for NLD +- linked proxies within Firefox with gnome settings (NLD) +- added gconfd restart procedure to install script + (only needed if gconf changes are done) (#76852) + +------------------------------------------------------------------- +Sat Apr 2 21:03:11 CEST 2005 - stark@suse.de + +- update to security pre-release 1.0.3 (#75692) + * Manual plug-in install, javascript vulnerability (bmo #288556) + * Access memory vulnerability (bmo #288688) + +------------------------------------------------------------------- +Fri Apr 1 11:32:44 CEST 2005 - stark@suse.de + +- added advanced lockdown features for ZLM integration (NLD-only) + +------------------------------------------------------------------- +Tue Mar 22 12:33:15 CET 2005 - stark@suse.de + +- update to final 1.0.2 +- use new theme handling on NLD +- added default-plugin-less-annoying from mozilla +- use GTK2 for Flash +- use system NSPR on SUSE releases after 9.3 +- made startscript PIS aware +- set g-application-name correctly (bmo #281979) +- added man-page +- use GTK system colors +- modify useragent string and add vendor id +- activate smooth-scrolling by default (#74310) + +------------------------------------------------------------------- +Tue Mar 22 08:59:06 CET 2005 - stark@suse.de + +- don't register beagle automatically (#74062) +- added default bookmarks for SUSE LINUX + +------------------------------------------------------------------- +Mon Mar 21 18:20:39 CET 2005 - max@suse.de + +- Fixed a typo in the shell code that handles inclusion of the + Acrobat Reader plugin (#70861). + +------------------------------------------------------------------- +Thu Mar 17 21:01:11 CET 2005 - stark@suse.de + +- updates from upcoming 1.0.2 +- added again logic to use Adobe Reader 7 (#70861) +- fixed crash in ICO decoding (#67142, bmo #245631) +- preinstall beagle extension (#72920) +- bugfixes in trigger scripts +- fixed industrial theming for Gnome (#72918) + +------------------------------------------------------------------- +Sat Mar 12 12:42:16 CET 2005 - stark@suse.de + +- fixed more security related bugs + (bmo #284551, #284627, #285595) + +------------------------------------------------------------------- +Wed Mar 9 21:42:05 CET 2005 - stark@suse.de + +- update also GNOME desktop file (#71810) +- added firefox-gnome.png to filelist +- use correct Firefox icon + +------------------------------------------------------------------- +Mon Mar 7 20:47:00 CET 2005 - stark@suse.de + +- disable inclusion of acrobat plugin again (#70861) +- don't use gconfd in registration phase (#66381) + +------------------------------------------------------------------- +Mon Mar 7 16:13:29 CET 2005 - adrian@suse.de + +- use standard icon again for the default desktop file and + add a Gnome-only desktop file for the Gnome icon +- add plastikfox chrome theme to fix button order within KDE +- add patch for automatic theme selection for KDE and Gnome +- do register extensions in rebuild-databases.sh instead of %install, + to fix needed timestamps + +------------------------------------------------------------------- +Fri Mar 4 07:54:47 CET 2005 - stark@suse.de + +- extend add-plugins to recognize Java 1.5 (#66909) +- changed comment in desktop-file (#66867) + +------------------------------------------------------------------- +Tue Feb 22 09:33:44 CET 2005 - stark@suse.de + +- make --display parameter working in all cases (bnc #66043) +- revised postscript patch +- final 1.0.1 codebase + +------------------------------------------------------------------- +Mon Feb 21 13:09:30 CET 2005 - stark@suse.de + +- added patch to create Postscript level 2 (instead of 3) + (special thanks to Jungshik Shin) +- disabled freetype explicitly to be able to use the above patch + (freetype wasn't used anymore since some time anyway) + +------------------------------------------------------------------- +Fri Feb 18 09:10:10 CET 2005 - stark@suse.de + +- got more patches from branch to get another IDN fix and to + fix bug #51019 +- enabled IDN again + +------------------------------------------------------------------- +Wed Feb 16 09:20:39 CET 2005 - stark@suse.de + +- bumped version number to 1.0.1 + +------------------------------------------------------------------- +Tue Feb 15 10:26:04 CET 2005 - stark@suse.de + +- got updates from 1.0.1 branch + +------------------------------------------------------------------- +Thu Feb 10 06:57:33 CET 2005 - stark@suse.de + +- additional fireflashing fix (#50635, bmo #280664) +- some more security related fixes + (bmo #268483, #273498, #277322) +- fire up GTK2 filepicker if GNOME is running + +------------------------------------------------------------------- +Tue Feb 8 07:51:13 CET 2005 - stark@suse.de + +- some prefs are ignored (bmo #261934) +- disabled default IDN (#50566) +- fixed some more bugzilla.mozilla.org bugs: + #276482, #280056, #280603 + +------------------------------------------------------------------- +Sun Feb 6 13:10:12 CET 2005 - stark@suse.de + +- use same desktop categories for Professional and NLD +- added some lockdown stuff for printing and page saving + (bmo #280488) + +------------------------------------------------------------------- +Wed Feb 2 13:58:53 CET 2005 - stark@suse.de + +- modified gconf.diff to honor ignore_hosts (bmo #280742) +- added a JS crasher fix (bmo #268535) +- added more fixes (bmo #255441, #273024, #275405, #275634) + +------------------------------------------------------------------- +Fri Jan 28 12:39:37 CET 2005 - stark@suse.de + +- added gplflash inclusion +- improved JRE inclusion +- reactivated usage of Acrobat Reader plugin + (ready for acroread 7) + +------------------------------------------------------------------- +Sat Jan 22 13:16:47 CET 2005 - stark@suse.de + +- added some backported bugfixes + +------------------------------------------------------------------- +Sat Dec 18 10:30:11 CET 2004 - stark@suse.de + +- updated industrial theme to 1.0.9 +- use slightly changed icon for menu-entry (bnc #275) +- use original desktop file for NLD again + +------------------------------------------------------------------- +Thu Dec 16 19:37:48 CET 2004 - stark@suse.de + +- newer patch for GNOME associations (bnc #362) +- fix overwriting of files with GTK picker (Ximian #65068) +- readded the industrial default theme patch for NLD + +------------------------------------------------------------------- +Wed Dec 15 11:50:56 CET 2004 - stark@suse.de + +- activate GTK filepicker for NLD again +- fix for GNOME helper applications with parameters +- make GNOME associations the default on NLD + +------------------------------------------------------------------- +Sat Dec 4 16:11:01 CET 2004 - stark@suse.de + +- fixed build on s390/s390x +- added patch to be able to install-global without running X + (bmo #265859) + +------------------------------------------------------------------- +Thu Nov 18 21:48:05 CET 2004 - stark@suse.de + +- update industrial theme to 1.0.8 (still not activated) +- added patch to make home-directory the default download dir + (on NLD is still used Desktop) + +------------------------------------------------------------------- +Thu Nov 11 09:01:58 CET 2004 - stark@suse.de + +- made initial window height smaller again + +------------------------------------------------------------------- +Tue Nov 9 09:09:06 CET 2004 - stark@suse.de + +- update to final 1.0 release (20041109) + +------------------------------------------------------------------- +Thu Nov 4 08:22:36 CET 2004 - stark@suse.de + +- update to 1.0rc2 + +------------------------------------------------------------------- +Sat Oct 30 21:27:29 CEST 2004 - stark@suse.de + +- added missing s390(x) patch + +------------------------------------------------------------------- +Wed Oct 27 07:26:25 CEST 2004 - stark@suse.de + +- update to 1.0rc1 codebase +- printing via XFT/fontconfig +- freetype changes to avoid API conflicts with newer freetype2 +- fixed build for s390/s390x +- removed AMD64 patch (included upstream) +- added translations sub-package +- removed "Show folder" patch for NLD (resolved upstream) +- don't use gnome-filepicker patch for NLD for now +- removed hppa buildfix (included upstream) +- removed untitled.patch (bmo #24068) resolved by (bmo #262478) +- use make -C browser/installer now to prepare installation +- don't check for default browser at startup (#47587) +- updated industrial.jar (0.99.13) (disabled) + +------------------------------------------------------------------- +Fri Oct 15 13:51:54 CEST 2004 - stark@suse.de + +- inherit locale from system +- fixed chrome registration + +------------------------------------------------------------------- +Wed Oct 6 23:11:01 CEST 2004 - joeshaw@suse.de + + - disable gconf settings as default (Ximian #67718) + +------------------------------------------------------------------- +Wed Oct 6 07:04:05 CEST 2004 - stark@suse.de + +- fixed inclusion of RealPlayer plugin again + +------------------------------------------------------------------- +Tue Oct 5 10:09:04 CEST 2004 - stark@suse.de + +- small important fix in firefox-download.patch (Ximian #65472) + +------------------------------------------------------------------- +Sun Oct 3 00:02:09 CEST 2004 - stark@suse.de + +- added security-fix from 0.10.1 (mozilla.org #259708) (#46687) + +------------------------------------------------------------------- +Fri Oct 1 12:49:38 CEST 2004 - stark@suse.de + +- final fix for downloading to Desktop folder (Ximian #65756) +- remove Postscript from printer names (Ximian #65560) + +------------------------------------------------------------------- +Thu Sep 30 16:14:10 CEST 2004 - shprasad@suse.de + +- Modified the MozillaFirefox.desktop file. + Changed the name 'Firefox' to 'Firefox Web Browser'. + Also changed it for all languages. + +------------------------------------------------------------------- +Wed Sep 29 15:54:46 CEST 2004 - stark@suse.de + +- fix inclusion of RealPlayer plugin (Ximian #65711) + +------------------------------------------------------------------- +Mon Sep 27 17:51:24 CEST 2004 - joeshaw@suse.de + +- Update the industrial default patch, for some reason it didn't + take before. + +------------------------------------------------------------------- +Fri Sep 24 07:34:48 CEST 2004 - stark@suse.de + +- fix for Ximian #65176 (mozilla.org #240068) +- revised patch for update function (Ximian #65615) + +------------------------------------------------------------------- +Thu Sep 23 20:21:39 CEST 2004 - joeshaw@suse.de + +- Uncomment the patch which tells the UI that industrial is the + default. + +------------------------------------------------------------------- +Thu Sep 23 12:38:06 CEST 2004 - stark@suse.de + +- open Nautilus on NLD for 'Show folder' in download settings + (Ximian #65472) by sragavan@novell.com +- save to Desktop folder if selected (Ximian #65756) + by sragavan@novell.com + +------------------------------------------------------------------- +Wed Sep 22 10:23:01 CEST 2004 - stark@suse.de + +- synced NLD package with 9.2 version +- GTK2 filepicker does now ask for confirmation when overwriting + files (Ximian #65068) by sagarwala@novell.com +- no direct update function (Ximian #65615) by rganesan@novell.com +- throbber linked to Novell (Ximian #66283) by rganesan@novell.com +- make industrial the default theme for NLD + (Ximian #65542) by joeshaw@suse.de + +------------------------------------------------------------------- +Mon Sep 20 22:00:55 CEST 2004 - joeshaw@suse.de + +- Add default bookmarks. Ximian #65546. +- Add the industrial theme, but it's not the default yet. +- Remove acroread from add-plugins because it's badly behaved. + Ximian #65499. + +------------------------------------------------------------------- +Mon Sep 20 17:57:38 CEST 2004 - federico@ximian.com + +- Added MozillaFirefox-toplevel-window-height.diff for + http://bugzilla.ximian.com/show_bug.cgi?id=65543 + +------------------------------------------------------------------- +Sun Sep 19 15:42:30 CEST 2004 - stark@suse.de + +- use GNOME system prefs only for NLD by default + (fixes bug #45575) + +------------------------------------------------------------------- +Fri Sep 17 08:59:32 CEST 2004 - stark@suse.de + +- joeshaw@suse.de: Update GConf patch so that proxy settings work + correctly (Ximian #64461) +- don't search Java on every path (Ximian #65383) +- added some missing fixes for official release +- added new java package name for triggers (#45257) + +------------------------------------------------------------------- +Sat Sep 11 13:25:41 CEST 2004 - stark@suse.de + +- update to official 1.0PR (0.10) +- adopted gnome-filepicker patch +- removed obsolete CUPS hack from start-script + (Ximian #65635, #65560) + +------------------------------------------------------------------- +Thu Sep 9 21:35:42 CEST 2004 - stark@suse.de + +- fixed endianess on AMD64 in JS component (#34743) + +------------------------------------------------------------------- +Mon Sep 6 17:33:07 CEST 2004 - stark@suse.de + +- fixed filelist + +------------------------------------------------------------------- +Mon Sep 6 13:48:03 CEST 2004 - stark@suse.de + +- update to 1.0PR (aka 0.10) + +------------------------------------------------------------------- +Fri Sep 3 21:35:47 CEST 2004 - stark@suse.de + +- added ppc64 patch + +------------------------------------------------------------------- +Thu Sep 2 03:08:59 CEST 2004 - dave@suse.de + +- Fixed up the .desktop installation on nld + +------------------------------------------------------------------- +Wed Sep 1 15:05:48 CEST 2004 - shprasad@suse.de + +- Doesn't ask to set Firefox as default web-browser. + +------------------------------------------------------------------- +Tue Aug 31 14:01:18 CEST 2004 - stark@suse.de + +- next new version for filepicker stuff +- deactivated native filepicker for NLD +- update to snapshot (20040831) + +------------------------------------------------------------------- +Tue Aug 24 17:35:52 CEST 2004 - stark@suse.de + +- new version of gnome-filepicker patch +- added patch for config + +------------------------------------------------------------------- +Fri Aug 20 17:12:48 CEST 2004 - stark@suse.de + +- update to snapshot (20040820) + +------------------------------------------------------------------- +Thu Aug 19 08:46:42 CEST 2004 - stark@suse.de + +- added workaround for mozilla bug #246313 + (Firefox does not start: getting "cannot open display" error) + +------------------------------------------------------------------- +Wed Aug 18 15:07:22 CEST 2004 - stark@suse.de + +- added some patches from Ximian + - use GNOME filepicker + - use more gconf settings + - set startup homepage to Novell + +------------------------------------------------------------------- +Tue Aug 17 13:12:35 CEST 2004 - stark@suse.de + +- update to pre-1.0.0 (20040817) + +------------------------------------------------------------------- +Thu Aug 5 06:27:41 CEST 2004 - stark@suse.de + +- security update to 0.9.3 + (including #43312 and others) +- handle RealPlayer 9 plugin + +------------------------------------------------------------------- +Mon Aug 2 15:11:51 CEST 2004 - ro@suse.de + +- recode desktop file to utf-8 + +------------------------------------------------------------------- +Wed Jul 28 08:46:31 CEST 2004 - stark@suse.de + +- added fix against certificate spoofing (#43312) + +------------------------------------------------------------------- +Fri Jul 23 06:31:41 CEST 2004 - stark@suse.de + +- update to 0.9.2 +- added workaround for extension registry +- removed old (incompatible) mozex extension + +------------------------------------------------------------------- +Tue Jun 29 06:27:59 CEST 2004 - stark@suse.de + +- update to 0.9.1 +- added hint to run as root first + +------------------------------------------------------------------- +Tue Jun 15 12:42:28 CEST 2004 - stark@suse.de + +- update to 0.9 +- added patch for newer freetype + +------------------------------------------------------------------- +Fri Apr 2 10:31:45 CEST 2004 - stark@suse.de + +- removing relocation of TEMP directory (#34391) + +------------------------------------------------------------------- +Mon Mar 29 11:43:51 CEST 2004 - stark@suse.de + +- update to 0.8.0+ (20040503) +- removed firefox logos and activate official branding for + milestone builds +- changed profile-dir to .firefox +- added some needed files +- enabled gnomevfs extension + +------------------------------------------------------------------- +Fri Mar 26 18:09:34 CET 2004 - uli@suse.de + +- fixed hang during build on s390* (bug #35440) + +------------------------------------------------------------------- +Wed Mar 3 06:52:00 CET 2004 - stark@suse.de + +- removed unused patches for GTK2 build +- more fixes for (#35179) + +------------------------------------------------------------------- +Mon Mar 1 07:32:52 CET 2004 - stark@suse.de + +- improved start-script to interact with thunderbird (#35179) + +------------------------------------------------------------------- +Thu Feb 26 06:57:05 CET 2004 - stark@suse.de + +- use official releasedate +- added official (trademarked) artwork +- added firefox icon to /usr/share/pixmaps +- cleaned up spec-file (there will be no GTK1 version) + +------------------------------------------------------------------- +Tue Feb 24 16:43:17 CET 2004 - stark@suse.de + +- fixed optimization for non-x86 archs + +------------------------------------------------------------------- +Tue Feb 24 07:43:35 CET 2004 - stark@suse.de + +- adopted file-list and build options to original distribution +- added prdtoa fix (#32963) +- added hook for static firefox build to rebuild-databases.sh +- added compiler flags for security/ (nss-opt.patch) +- included mozex (mozex.mozdev.org) +- added -Os as optimization flag + +------------------------------------------------------------------- +Mon Feb 9 21:59:37 CET 2004 - stark@suse.de + +- renamed to MozillaFirefox +- update to final version 0.8 + +------------------------------------------------------------------- +Fri Feb 6 08:39:15 CET 2004 - stark@suse.de + +- update to Firebird 0.8 (20040205) +- added mips build fix +- set PS printer list in MozillaFirebird.sh +- use lib64 again for biarch platforms + +------------------------------------------------------------------- +Sat Jan 10 10:33:54 CET 2004 - adrian@suse.de + +- build as user + +------------------------------------------------------------------- +Fri Aug 22 11:32:07 CEST 2003 - stark@suse.de + +- upstream sync for 0.6.1post + +------------------------------------------------------------------- +Sun Aug 10 22:01:12 CEST 2003 - stark@suse.de + +- removed dmoz from searchplugins-filelist + +------------------------------------------------------------------- +Fri Aug 8 10:30:50 CEST 2003 - stark@suse.de + +- update to 0.6.1post (TRUNK) +- use -fno-strict-aliasing + +------------------------------------------------------------------- +Thu Jul 31 11:25:39 CEST 2003 - stark@suse.de + +- update to 0.6.1 (MOZILLA_1_4_BRANCH) +- synchronized with mozilla-source +- created file-list + +------------------------------------------------------------------- +Thu Jul 10 09:45:49 CEST 2003 - stark@suse.de + +- update to snapshot 20030709 +- fixed generation of symlink MozillaFirebird-xremote-client + +------------------------------------------------------------------- +Fri Jun 20 06:53:08 CEST 2003 - stark@suse.de + +- update to snapshot 20030622 (0.7pre) + +------------------------------------------------------------------- +Mon May 19 08:54:46 CEST 2003 - stark@suse.de + +- update to snapshot 20030518 (0.6) + +------------------------------------------------------------------- +Sun May 7 10:11:16 CEST 2003 - stark@suse.de + +- update to snapshot 20030507 + +------------------------------------------------------------------- +Wed Apr 30 13:26:43 CEST 2003 - stark@suse.de + +- initial SuSE package + |