2232a66f032294441727d84ad61ec263 2.0 1168255398 unknown e967717d0f219d0d078f3507094d6bce 2.0 1168447986 unknown 21c89396458f5ac45e6079f8fee546b1 2.0 1169165661 unknown 3fd58250c029a499b549a39b2f78e49d 2.0 1169769476 unknown 7d9d8e3f4336682f1d10c73527f6f8a0 2.0.0.2 1172442776 unknown c4c1f8095cb9faf55ac4b2c9ba475326 2.0.0.2 1173743930 unknown d48f55360d061f4b27d2ad5cb8ac9c2e 2.0.0.2 1176914143 unknown d6b0eb985b12d2fdaac6ae49e8ef1016 2.0.0.2 1177944701 unknown 962309ad94c8884971e9586f5bbad9fa 2.0.0.4 1181030484 unknown 0fdaa1ee72c8ae021c4f723c59628221 2.0.0.4 1181053901 unknown e91e1d2a472169d8736a3063235e8a23 2.0.0.4 1182205182 unknown 0dca1b99925a55f88a8a096d2b03fbb8 2.0.0.4 1182458640 unknown 23bd48eb98571aaa4a8836c276da6075 2.0.0.5 1185254033 unknown 600cac77105daf6a947e79fdb21bdff3 2.0.0.5 1187266772 unknown fb18698f0e5e8ac416c1299ffcf051eb 2.0.0.5 1187267178 unknown 75b95057b4d1b607986501b13ab25601 2.0.0.5 1187281191 unknown eecc6fb0172cb6ef301342b5571ee963 2.0.0.6 1188227501 unknown 25bb03740805bcb34ef1b58de17fdf3c 2.0.0.6 1188321352 unknown 5ca016836344e368b95e18cd956136c1 2.0.0.6 1188578567 unknown 5437b999d9b34fc10761a1e0ce9159bb 2.0.0.6 1188851628 unknown 50248aaadf174dc053cc0d53edccef65 2.0.0.6 1189420947 unknown e18603fd9551ba2ac72dcc1e84aaf5a8 2.0.0.6 1189608901 unknown 01d42857e3d87ccaa7c6241d9c33d4f0 2.0.0.6 1189850761 unknown 3b5997c8cadf2d77e63e28747e580e39 2.0.0.6 1190653231 unknown 527904cd1478529daefd369aec54b960 2.0.0.8 1192782680 unknown e4d4a1d28fd0b2e393261c2ebbb70fe0 2.0.0.8 1194985399 unknown 28e302c920a4352477d1d35954f9fa67 2.0.0.8 1196108908 unknown 8d98b300c3fc5f49435c6057cf765731 2.0.0.10 1196357124 unknown ed1a35a21851f9320a80d223c96f82b2 2.0.0.10 1200610286 unknown 3ee3c4b68041d953a98e76a74ebd3669 2.0.0.12 1203036338 unknown af1793b7bdd6a1b29db64ade5074381d 2.9.94 1206543714 unknown 278dd071126d4f601a5787281045b050 2.9.95 1207184166 unknown 757f9670ab1ece8844b2eef9349eb1d6 2.9.95 1209941881 unknown dc12529ddb4ed4539c71487152bc4f3c 2.9.95 1210855628 unknown 5771ab0ca1bf4bec0367061bf5991c89 3.0 1214257185 unknown f42f24c777ffd004878e06ed1cd603e7 3.0.1 1217803111 unknown c03e5ff0ebb77348750d30b9bf816e95 3.0.1 1219359219 unknown bb5ff1cf136842320e2c303c1f4b54cd 3.0.2 1222440780 unknown 27990ddc4e4e0e43b0a5c21b19be886d 3.0.3 1222733380 unknown d4700dd315e67693242e839952b190cf 3.0.3 1223307264 unknown f1b6d8fc3c2bb90d9c72d33e36283aea 3.0.3 1224794122 unknown 37d71b664ba03a8acc094916ee7ddf50 3.0.3 1225711680 unknown d06418d12941679eea54ea3448a395ab 3.0.3 1226273640 unknown ace89d84968066ec1a2ae38173aa60b7 3.0.4 1226939295 unknown b96ad099dbe8b37ce3541d6dfb330e2d 3.0.4 1227278160 unknown 2d2f58804ae3c7d2816643e7470acd92 3.0.4 1227279977 unknown 497c93291804454f0935f2cf63244511 3.0.4 1227626498 unknown 82563b492c0e573e4aefed780e5cab29 3.0.5 1229609741 unknown e0fa42ec45eec8d6c37ae053c8ffe877 3.0.5 1232674051 unknown 0ea4628d49f2454554e0006951e427f9 3.0.6 1234172371 unknown 58dd53ca0644dc3429292cf2459c49df 3.0.7 1236554789 unknown f4dcc9700a1a93d253d7b8acdfdf7a25 3.0.8 1238689836 unknown 0663b1e03913c56dfae102573166b8ea 3.0.10 1240966036 unknown 80cc5e5ca8a37ab08b0adcd05b8fb90d 3.5b4 1241454521 unknown 8c525f7a4df75dcd79b4b4fc15496e25 3.5b4 1242999315 unknown 71447b76f3533a06b972a2c7c76a53b5 3.5b99 1244562284 unknown 03c62407cc0c24695252b3e543b9ad0d 3.5b99 1245365741 unknown 2879754e4eaff442a9c534e398364479 3.5.0 1245459744 unknown 8674817afdf9afe416487bf3e8ff2e8a 3.5.0 1245831646 unknown 455b30f46da2114d3f14f0eb04519d5d 3.5.0 1246707011 unknown ab1b7d8ebfa4d54e21c39055e979f4e0 3.5.0 1247087056 unknown ac5d50f2b2ec2a0c6692aeac709859ef 3.5.1 1248170862 unknown d6b82c3ea46030cf81c115199c65df40 3.5.1 1248871911 unknown 64ad0ec5b069a4a93deea3cc690986fd 3.5.2 1249576676 unknown f27f4cb1785e00d9f2b2e6b493d6ad13 3.5.2 1249940091 unknown aceaa56f65f0a0069944a7e1f7763c12 3.5.2 1250869121 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 18344 from user wrosenauer e9cad66bdb53b04356747f12c6416548 3.5.3 1253140805 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 20525 from user wrosenauer 8c270db1128ae6beb8eb211aad995787 3.5.3 1254788249 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 21627 from user wrosenauer 03acd9e12c670cca740e9314f55fbdd9 3.5.3 1255343024 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 22141 from user wrosenauer 03acd9e12c670cca740e9314f55fbdd9 3.5.3 1255343024 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 22141 from user wrosenauer d5f87e3a1a857ea6f884cca095452e7f 3.5.4 1256301673 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 22615 from user wrosenauer 2316aaac3dabd6fc6121cfd8235a8abd 3.5.5 1257846577 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 24081 from user wrosenauer da241c166b7cd043bd43d34f09c878ec 3.5.5 1259157574 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 24938 from user wrosenauer 4cb186653166f278d0f257d0215a221e 3.5.6 1260961943 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 26722 from user wrosenauer ffe1d51cb1bd4faf26f9a1c4af2e8b23 3.5.6 1261400656 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 27196 from user wrosenauer cace7374f5171a5b07815fc0aa398003 3.5.7 1262865288 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 28033 from user wrosenauer 0abc44de3be5ed8e108d32a7a16a8bdd 3.6rc1 1262910763 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 28267 from user wrosenauer 2af80c1fa55970906918c6e985f9d1e5 3.6.0 1264072205 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 29988 from user wrosenauer 854bc84be24b3d2c82b637db72c5f786 3.6.0 1268922743 autobuild 4c7ced52ed308b5def09894916e8b15b 3.6.2 1269565790 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 35585 from user wrosenauer 35585 d392072e919b3e7ddac742ae025102ad 3.6.3 1270374784 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 36868 from user wrosenauer 36868 6ed582d093b6ade2c4ff569027f828f5 3.6.4 1272317427 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 38784 from user wrosenauer 38784 82a8660802117e889b8660a4ffd1b141 3.6.4 1276099198 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 41202 from user wrosenauer 41202 e5b867265b65b058df6e7e1f6e69315e 3.6.4 1277718201 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 41982 from user wrosenauer 41982 9b988c81bf976a7c946f25e2db59d50e 3.6.6 1277887394 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 42294 from user wrosenauer 42294 9b988c81bf976a7c946f25e2db59d50e 3.6.6 1278667369 autobuild release number sync 9b988c81bf976a7c946f25e2db59d50e 3.6.6 1278678598 autobuild release number sync a6697759fef53b02f3d0df0341b48371 3.6.8 1280675854 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 44271 from user wrosenauer 44271 4e82ed3d99436afa21a695c99d25963f unknown 1284125284 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 47528 from user wrosenauer 47528 274e15536294cbae38283be0d9ac81de 3.6.10 1284764199 autobuild Copy from mozilla:Factory/MozillaFirefox based on submit request 48363 from user wrosenauer 48363 b55834c477236de302b67ac44974ea42 3.6.11 1287676467 oertel Accepted submit request 51185 from user wrosenauer 51185 dfb277f3dc32f9c1fc1faf74bdb9b47b 3.6.12 1288701178 oertel Accepted submit request 51634 from user wrosenauer 51634 765553c55d0632c8f97922d3c6110cc2 4.0b 1291221244 darix Accepted submit request 54204 from user wrosenauer 54204 7bd037bce8f4c635e9aaa20cfb438ac4 4.0b 1291221250 darix Autobuild autoformatter for 54204 9390ff8a66d797ca6e23e0dbbfb311e0 4.0b 1293576738 oertel Accepted submit request 56563 from user wrosenauer 56563 9597e594c71c0622556ea3ecfc3bba4d 4.0b 1293576750 oertel Autobuild autoformatter for 56563 45e5ccce6668133ba5d983cfc1f6fb5b 4.0b 1294399613 azouhr Accepted submit request 57036 from user wrosenauer 57036 62faa12c4531f34f4eb8153e1322c192 4.0b 1294399624 azouhr Autobuild autoformatter for 57036 93b074e055e122afab81a6203254e00e 4.0b9 1294968416 darix Accepted submit request 58061 from user wrosenauer 58061 007f3af86b918fae61ec937546aefab9 4.0b9 1294968428 darix Autobuild autoformatter for 58061 c2d4dd21470c47687fe8fc030f4e8010 4.0b10 1295942423 lrupp Accepted submit request 59072 from user wrosenauer 59072 5c1307dd4503d2deceb54067c2f5ef5b 4.0b10 1295942434 lrupp Autobuild autoformatter for 59072 21c31e116d845ed09627018e6a0978c1 4.0b10 1296607725 oertel Accepted submit request 59447 from user wrosenauer 59447 612fd25c8f1a080bac2d774fa4e4e7cf 4.0b10 1296607737 oertel Autobuild autoformatter for 59447 8b9204c537471657b754d82f22ff58dd 4.0b11 1297384831 oertel Accepted submit request 60369 from user wrosenauer 60369 d451efdb92a9a4c9463b3daa7a017407 4.0b11 1297384839 oertel Autobuild autoformatter for 60369 d451efdb92a9a4c9463b3daa7a017407 4.0b11 1297941524 autobuild 11.4 source split 800c258b7d54ee6d329af10030f7f1fd 4.0b12 1298641471 saschpe Accepted submit request 62802 from user wrosenauer 62802 d482f917248648335022ba2c0f1bbf88 4.0b12 1298641481 saschpe Autobuild autoformatter for 62802 022d3693dd9098e67264b82ed461ee72 4.0.0 1300960053 saschpe Accepted submit request 64915 from user coolo 64915 c2b166597d10883cc5756974b03d3a84 4.0.0 1300960069 saschpe Autobuild autoformatter for 64915 2e736af20cfb743b54dc7a45aac2c412 4.0.0 1301563800 saschpe Accepted submit request 65604 from user coolo 65604 f2831fdee694ee956921e5035da63b59 4.0.0 1301563809 saschpe Autobuild autoformatter for 65604 b4df68fc0db6bca1670d9a64e709b2bb 4.0.1 1304336003 saschpe 68987 6e89f3180abdbebc6e533f8646814eec 4.0.1 1304336023 saschpe Autobuild autoformatter for 68987 8c3d154b31da850859a62f581d95bad2 4.99 1307370874 saschpe 72376 42ae289399fbc11b3e6a3ff767dd451e 4.99 1307370894 saschpe Autobuild autoformatter for 72376 8cb2057f55c33df925f494b812255f70 4.99 1308212247 saschpe 73787 95cc76b42a63416b96f40224280b65fa 4.99 1308212267 saschpe Autobuild autoformatter for 73787 1e496da024ec2d01c59bc645e34bbe0b 4.99 1308573398 saschpe fix build 74180 3cd918e0864868458cfa21b0990dd183 4.99 1308573415 saschpe Autobuild autoformatter for 74180 6a2ce41721982e74b8eb9bd2898670be 5.0 1309765371 saschpe 75065 64298e3e638552903c1792b7d94e319a 5.0 1309765389 saschpe Autobuild autoformatter for 75065 ff47d3a5c3e053f679505c6b133b6fb0 5.99 1311758759 saschpe 77148 e4a86a3ecae38ad893ed48b018245719 5.99 1311758774 saschpe Autobuild autoformatter for 77148 d47fab711c8440a600d8460f4f9d77b0 6.0 1313410448 saschpe 78861 6f58ef6ec63d94c171f84f5e4093993d 6.0 1313410468 saschpe Autobuild autoformatter for 78861 ecd1990dbfbed4938094f1775d90893f 6.0.2 1315559038 saschpe security update to Firefox 6.0.2 - bnc#714931 81394 c370d4168504d584df7f9f569d6cae03 6.0.2 1315760514 saschpe - recreated source archive to get correct source-stamp.txt 81758 7fd633627bc1c0461e9bb6998419cc62 6.0.2 1315760527 saschpe Autobuild autoformatter for 81758 096017154887e5e699988577ea8501ab 6.0.2 1316080516 saschpe 82116 cc81a00558d518f1609e6cc8d608fb38 6.0.2 1316080526 saschpe Autobuild autoformatter for 82116 5154d53c13c602812b037213c40e09fc 7.0 1317211283 saschpe - update to Firefox 7 (bnc#720264) including * Improve Responsiveness with Memory Reductions * Instant Sync * WebSocket protocol 8 - removed obsolete mozilla-cairo-lcd.patch - rebased patches - removed XLIB_SKIP_ARGB_VISUALS=1 from environment in mozilla.sh.in (bnc#680758) - fixed loading of kde.js under KDE (bnc#718311) 85281 e2d7548d9cee71e17119e8d6187260ea 7.0.1 1317541508 lrupp 85866 e2d7548d9cee71e17119e8d6187260ea 7.0.1 1319181752 adrianSuSE 26717906d2f76854217cf521ab241aa0 8.0 1320936866 coolo - update to Firefox 8 (bnc#728520) * MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS against sites using Shift-JIS * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654 Miscellaneous memory safety hazards * MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory corruption while profiling using Firebug * MFSA 2011-52/CVE-2011-3655 (bmo#672182) Code execution via NoWaiverWrapper - rebased patches - enable telemetry prompt - set intl.locale.matchOS=true in the base package as it causes too much confusion when it's only available with branding-openSUSE 90807 43155ef6c8a80f1a5264900cdca54fa1 8.0 1321273041 coolo 91117 3e8b72ef8c38534f70e79dc33ec4ae40 8.0 1323192584 coolo replace license with spdx.org variant a35b3d28df7c6a8c35ba2b0aa4beef26 9.0 1324458088 coolo - fix arm build, don't package crashreporter there - update to Firefox 9 (bnc#737533) * MFSA 2011-53/CVE-2011-3660 Miscellaneous memory safety hazards (rv:9.0) * MFSA 2011-54/CVE-2011-3661 (bmo#691299) Potentially exploitable crash in the YARR regular expression library * MFSA 2011-55/CVE-2011-3658 (bmo#708186) nsSVGValue out-of-bounds access * MFSA 2011-56/CVE-2011-3663 (bmo#704482) Key detection without JavaScript via SVG animation * MFSA 2011-58/VE-2011-3665 (bmo#701259) Crash scaling <video> to extreme sizes - Fix accessibility under GNOME 3 (bnc#732898) 97351 ef3a0e8643049e31c38fe66b2c61ab6d 9.0.1 1324831012 coolo - update to Firefox 9.0.1 * (strongparent) parentNode of element gets lost (bmo#335998) 98123 892e16a33c7e9b913ced8293ec4c84aa 10.0 1328201886 coolo - update to Firefox 10.0 (bnc#744275) * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443 Miscellaneous memory safety hazards * MFSA 2012-03/CVE-2012-0445 (bmo#701071) <iframe> element exposed across domains via name attribute * MFSA 2012-04/CVE-2011-3659 (bmo#708198) Child nodes from nsDOMAttribute still accessible after removal of nodes * MFSA 2012-05/CVE-2012-0446 (bmo#705651) Frame scripts calling into untrusted objects bypass security checks * MFSA 2012-06/CVE-2012-0447 (bmo#710079) Uninitialized memory appended when encoding icon images may cause information disclosure * MFSA 2012-07/CVE-2012-0444 (bmo#719612) Potential Memory Corruption When Decoding Ogg Vorbis files * MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466) Crash with malformed embedded XSLT stylesheets - KDE integration has been disabled since it needs refactoring - removed obsolete ppc64 patch - Disable neon for arm as it doesn't build correctly 102411 76b6a6aa0bfd081cfa149482358a571a 10.0 1328717943 coolo - Use YARR interpreter instead of PCRE on platforms where YARR JIT is not supported, since PCRE doesnt build (bmo#691898) - fix ppc64 build (bmo#703534) 103184 2d7f35e3e7118eb7d0daf38b1f01f7fd 10.0.1 1329242617 coolo - update to Firefox 10.0.1 (bnc#746616) * MFSA 2012-10/CVE-2012-0452 (bmo#724284) use after free in nsXBLDocumentInfo::ReadPrototypeBindings 104183 37c7bfe06b07b71018cc289c82ce048c 10.0.2 1329477453 coolo - update to Firefox 10.0.2 (bnc#747328) * CVE-2011-3026 (bmo#727401) libpng: integer overflow leading to heap-buffer overflow 105422 4f9733096d819d00315b8b8c76ad4861 10.99 1331627815 coolo Automatic submission by obs-autosubmit 108974 45b899faebc40abab7166bbde5283029 11.0 1331900294 coolo - update to Firefox 11.0 (bnc#750044) * MFSA 2012-13/CVE-2012-0455 (bmo#704354) XSS with Drag and Drop and Javascript: URL * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) SVG issues found with Address Sanitizer * MFSA 2012-15/CVE-2012-0451 (bmo#717511) XSS with multiple Content Security Policy headers * MFSA 2012-16/CVE-2012-0458 Escalation of privilege with Javascript: URL as home page * MFSA 2012-17/CVE-2012-0459 (bmo#723446) Crash when accessing keyframe cssText after dynamic modification * MFSA 2012-18/CVE-2012-0460 (bmo#727303) window.fullScreen writeable by untrusted content * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/ CVE-2012-0463 Miscellaneous memory safety hazards - ported and reenabled KDE integration (bnc#746591) - explicitely build-require X libs - add Provides: browser(npapi) FATE#313084 109208 79f79db5413e5fb4c622ed9213ac6731 12.0 1335190300 coolo - update to Firefox 12.0 (bnc#758408) * rebased patches - added mozilla-libnotify.patch to allow fallback from libnotify to xul based events if no notification-daemon is running - gcc 4.7 fixes * mozilla-gcc47.patch * disabled crashreporter temporarily for Factory - recommend libcanberra0 for proper sound notifications 114913 d2f52b1d9fd79c30a46d50d063afec1b 12.0 1336452404 coolo Automatic submission by obs-autosubmit 116230 c2fcda28a7d4825f34ea20f1dadcca54 12.0 1337195305 coolo 121179 6948322c58c83f32cacd2402e69068ca 12.0 1338017231 coolo fix ARM build (reportedly) 122243 d24cf04bf5ffcd27da8598393e8c4aa9 13.0 1338991712 coolo - update to Firefox 13.0 (bnc#765204) * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101 Miscellaneous memory safety hazards * MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content Security Policy inline-script bypass * MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information disclosure though Windows file shares and shortcut files * MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free while replacing/inserting a node in a document * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941 Buffer overflow and use-after-free issues found using Address Sanitizer - require NSS 3.13.4 * MFSA 2012-39/CVE-2012-0441 (bmo#715073) - fix sound notifications when filename/path contains a whitespace (bmo#749739) 123736 4b21fc352448a736f939a9f8e51a0b99 13.0.1 1340033505 coolo - update to Firefox 13.0.1 * bugfix release - obsolete libproxy's mozjs pacrunner (bnc#759123) 125186 4b21fc352448a736f939a9f8e51a0b99 13.0.1 1340183152 adrianSuSE branched from openSUSE:Factory a71069c7c6752eb947e75df11fb57ebb 14.0.1 1342772286 coolo - update to 14.0.1 (bnc#771583) * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 Miscellaneous memory safety hazards * MFSA 2012-43/CVE-2012-1950 Incorrect URL displayed in addressbar through drag and drop * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952 Gecko memory corruption * MFSA 2012-45/CVE-2012-1955 (bmo#757376) Spoofing issue with location * MFSA 2012-46/CVE-2012-1966 (bmo#734076) XSS through data: URLs * MFSA 2012-47/CVE-2012-1957 (bmo#750096) Improper filtering of javascript in HTML feed-view * MFSA 2012-48/CVE-2012-1958 (bmo#750820) use-after-free in nsGlobalWindow::PageHidden * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559) Same-compartment Security Wrappers can be bypassed * MFSA 2012-50/CVE-2012-1960 (bmo#761014) Out of bounds read in QCMS * MFSA 2012-51/CVE-2012-1961 (bmo#761655) X-Frame-Options header ignored when duplicated * MFSA 2012-52/CVE-2012-1962 (bmo#764296) JSDependentString::undepend string conversion results in memory corruption * MFSA 2012-53/CVE-2012-1963 (bmo#767778) Content Security Policy 1.0 implementation errors cause data leakage * MFSA 2012-55/CVE-2012-1965 (bmo#758990) feed: URLs with an innerURI inherit security context of page * MFSA 2012-56/CVE-2012-1967 (bmo#758344) 128272 1032c3e3fd9ae2cec97880aaad5091de 14.0.1 1343639837 namtrac Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16) (forwarded request 129204 from a_jaeger) 129207 11d4a90c3f68d7a45bd0b9af507de815 15.0 1346399098 coolo - update to Firefox 15.0 (bnc#777588) * MFSA 2012-57/CVE-2012-1970 Miscellaneous memory safety hazards * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975 CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959 CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964 Use-after-free issues found using Address Sanitizer * MFSA 2012-59/CVE-2012-1956 (bmo#756719) Location object can be shadowed using Object.defineProperty * MFSA 2012-60/CVE-2012-3965 (bmo#769108) Escalation of privilege through about:newtab * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793) Memory corruption with bitmap format images with negative height * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968 WebGL use-after-free and memory corruption * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970 SVG buffer overflow and use-after-free issues * MFSA 2012-64/CVE-2012-3971 Graphite 2 memory corruption * MFSA 2012-65/CVE-2012-3972 (bmo#746855) Out-of-bounds read in format-number in XSLT * MFSA 2012-66/CVE-2012-3973 (bmo#757128) HTTPMonitor extension allows for remote debugging without explicit activation * MFSA 2012-68/CVE-2012-3975 (bmo#770684) DOMParser loads linked resources in extensions when parsing text/html * MFSA 2012-69/CVE-2012-3976 (bmo#768568) Incorrect site SSL certificate data display * MFSA 2012-70/CVE-2012-3978 (bmo#770429) 131904 8ac22bb7fe610d1d5c81df7fee357ced 15.0.1 1347487501 namtrac - update to Firefox 15.0.1 (bnc#779936) * Sites visited while in Private Browsing mode could be found through manual browser cache inspection (bmo#787743) 133769 a7840df43dfe0b151b749292cb249ad7 16.0 1349853632 coolo - update to Firefox 16.0 (bnc#783533) * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983 Miscellaneous memory safety hazards * MFSA 2012-75/CVE-2012-3984 (bmo#575294) select element persistance allows for attacks * MFSA 2012-76/CVE-2012-3985 (bmo#655649) Continued access to initial origin after setting document.domain * MFSA 2012-77/CVE-2012-3986 (bmo#775868) Some DOMWindowUtils methods bypass security checks * MFSA 2012-79/CVE-2012-3988 (bmo#725770) DOS and crash with full screen and history navigation * MFSA 2012-80/CVE-2012-3989 (bmo#783867) Crash with invalid cast when using instanceof operator * MFSA 2012-81/CVE-2012-3991 (bmo#783260) GetProperty function can bypass security checks * MFSA 2012-82/CVE-2012-3994 (bmo#765527) top object and location property accessible by plugins * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370) Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties * MFSA 2012-84/CVE-2012-3992 (bmo#775009) Spoofing and script injection through location.hash * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/ CVE-2012-4181/CVE-2012-4182/CVE-2012-4183 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/ CVE-2012-4188 Heap memory corruption issues found using Address Sanitizer * MFSA 2012-87/CVE-2012-3990 (bmo#787704) 137662 0ae2225b7bcf752043c65cddce7701a8 16.0.1 1350364205 coolo 137938 1c5e6e76350106820889a68b418c39d4 16.0.2 1351337036 coolo - update to Firefox 16.0.2 (bnc#786522) * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196 (bmo#800666, bmo#793121, bmo#802557) Fixes for Location object issues - bring back Obsoletes for libproxy's mozjs plugin for distributions before 12.2 to avoid crashes 139507 fb857284956bef9de030c1f605e4917b 17.0 1353599206 coolo - update to Firefox 17.0 (bnc#790140) * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843 Miscellaneous memory safety hazards * MFSA 2012-92/CVE-2012-4202 (bmo#758200) Buffer overflow while rendering GIF images * MFSA 2012-93/CVE-2012-4201 (bmo#747607) evalInSanbox location context incorrectly applied * MFSA 2012-94/CVE-2012-5836 (bmo#792857) Crash when combining SVG text on path with CSS * MFSA 2012-95/CVE-2012-4203 (bmo#765628) Javascript: URLs run in privileged context on New Tab page * MFSA 2012-96/CVE-2012-4204 (bmo#778603) Memory corruption in str_unescape * MFSA 2012-97/CVE-2012-4205 (bmo#779821) XMLHttpRequest inherits incorrect principal within sandbox * MFSA 2012-99/CVE-2012-4208 (bmo#798264) XrayWrappers exposes chrome-only properties when not in chrome compartment * MFSA 2012-100/CVE-2012-5841 (bmo#805807) Improper security filtering for cross-origin wrappers * MFSA 2012-101/CVE-2012-4207 (bmo#801681) Improper character decoding in HZ-GB-2312 charset * MFSA 2012-102/CVE-2012-5837 (bmo#800363) Script entered into Developer Toolbar runs with chrome privileges * MFSA 2012-103/CVE-2012-4209 (bmo#792405) Frames can shadow top.location * MFSA 2012-104/CVE-2012-4210 (bmo#796866) CSS and HTML injection through Style Inspector * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/ CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/ 142205 8cf33e536282acae8304017efc56f85e 17.0.1 1354527668 coolo - update to Firefox 17.0.1 * revert some useragent changes introduced in 17.0 * leaving private browsing with social enabled doesn't reset all social components (bmo#815042) - fix KDE integration for file dialogs 143652 5543e5781da73339034ece87612309cf 18.0 1357821109 coolo - update to Firefox 18.0 (bnc#796895) * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770 Miscellaneous memory safety hazards * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767 CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829 Use-after-free and buffer overflow issues found using Address Sanitizer * MFSA 2013-03/CVE-2013-0768 (bmo#815795) Buffer Overflow in Canvas * MFSA 2013-04/CVE-2012-0759 (bmo#802026) URL spoofing in addressbar during page loads * MFSA 2013-05/CVE-2013-0744 (bmo#814713) Use-after-free when displaying table with many columns and column groups * MFSA 2013-06/CVE-2013-0751 (bmo#790454) Touch events are shared across iframes * MFSA 2013-07/CVE-2013-0764 (bmo#804237) Crash due to handling of SSL on threads * MFSA 2013-08/CVE-2013-0745 (bmo#794158) AutoWrapperChanger fails to keep objects alive during garbage collection * MFSA 2013-09/CVE-2013-0746 (bmo#816842) Compartment mismatch with quickstubs returned values * MFSA 2013-10/CVE-2013-0747 (bmo#733305) Event manipulation in plugin handler to bypass same-origin policy * MFSA 2013-11/CVE-2013-0748 (bmo#806031) Address space layout leaked in XBL objects * MFSA 2013-12/CVE-2013-0750 (bmo#805121) Buffer overflow in Javascript string concatenation * MFSA 2013-13/CVE-2013-0752 (bmo#805024) Memory corruption in XBL with XML bindings containing SVG * MFSA 2013-14/CVE-2013-0757 (bmo#813901) Chrome Object Wrapper (COW) bypass through changing prototype 147596 e1e6eddaaf77dfec83d736a6c5eb6d17 18.0.1 1359102850 coolo - update to Firefox 18.0.1 * blocklist updates * backed out bmo#677092 (removed patch) * fixed problems involving HTTP proxy transactions - Fix WebRTC to build on powerpc 149304 e1e6eddaaf77dfec83d736a6c5eb6d17 18.0.1 1359108619 adrianSuSE Split 12.3 from Factory f203dd8ad8a4b8db8795b872de7949e9 18.0.2 1360401216 coolo stability update; could be put into 12.3 but does not need to be (FF19 sec update will be released in 10 days anyway) 154952 8b353643b2e06b39e7e34caadf7583c0 19.0 1361349098 coolo - update to Firefox 19.0 (bnc#804248) * MFSA 2013-21/CVE-2013-0783/2013-0784 Miscellaneous memory safety hazards * MFSA 2013-22/CVE-2013-0772 (bmo#801366) Out-of-bounds read in image rendering * MFSA 2013-23/CVE-2013-0765 (bmo#830614) Wrapped WebIDL objects can be wrapped again * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/ CVE-2013-0778/CVE-2013-0779/CVE-2013-0781 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer - removed obsolete patches * mozilla-webrtc.patch * mozilla-gstreamer-803287.patch - added patch to fix session restore window order (bmo#712763) 155861 0251bb519fdad8c02f0c1cbfa0fc92b8 19.0.2 1362900535 coolo - update to Firefox 19.0.2 (bnc#808243) * MFSA 2013-29/CVE-2013-0787 (bmo#848644) Use-after-free in HTML Editor - update to Firefox 19.0.1 * blocklist updates 158061 f52bdb962b13064598ac218b282e090c 19.0.2 1363340522 coolo - build fixes for armv7hl: * disable debug build as armv7hl does not have enough memory * disable webrtc on armv7hl as it is non-compiling (forwarded request 158795 from dirkmueller) 159297 beb17b9785d29e555e3d306c78021f29 20.0 1365231488 coolo - update to Firefox 20.0 (bnc#813026) * requires NSPR 4.9.5 and NSS 3.14.3 * mozilla-webrtc-ppc.patch included upstream * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards * MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library * MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux * MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes * MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure * MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations * MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images - use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch) 162345 d22a7c429f5b5e609c4a97f5f2f94148 20.0 1365337419 coolo - Explicitly disable WebRTC support on non-x86, the configure script disables it only half-heartedly (forwarded request 162909 from AndreasSchwab) 163032 b491b74e92847c7472a7a7fb6a678186 20.0 1365928529 coolo - revert to use GStreamer 0.10 on 12.3 (bnc#814101) (remove mozilla-gstreamer-1.patch) 163449 de7d16df0c7f879789eb292125aeae13 21.0 1368771974 coolo 175906 ed6f63dca49ddeb751313f483bcaa841 21.0 1371136333 coolo - Fix qcms altivec include (mozilla-qcms-ppc.patch) (forwarded request 178590 from k0da) 178599 cf590fa05961467ab93e11375e246bf0 22.0 1372271071 coolo - update to Firefox 22.0 (bnc#825935) * removed obsolete patches + mozilla-qcms-ppc.patch + mozilla-gstreamer-760140.patch * GStreamer support does not build on 12.1 anymore (build only on 12.2 and later) * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683 Miscellaneous memory safety hazards * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686 Memory corruption found using Address Sanitizer * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823) Privileged content access and execution via XBL * MFSA 2013-52/CVE-2013-1688 (bmo#873966) Arbitrary code execution within Profiler * MFSA 2013-53/CVE-2013-1690 (bmo#857883) Execution of unmapped memory through onreadystatechange event * MFSA 2013-54/CVE-2013-1692 (bmo#866915) Data in the body of XHR HEAD requests leads to CSRF attacks * MFSA 2013-55/CVE-2013-1693 (bmo#711043) SVG filters can lead to information disclosure * MFSA 2013-56/CVE-2013-1694 (bmo#848535) PreserveWrapper has inconsistent behavior * MFSA 2013-57/CVE-2013-1695 (bmo#849791) Sandbox restrictions not applied to nested frame elements * MFSA 2013-58/CVE-2013-1696 (bmo#761667) X-Frame-Options ignored when using server push with multi-part responses * MFSA 2013-59/CVE-2013-1697 (bmo#858101) XrayWrappers can be bypassed to run user defined methods in a privileged context 180910 46ddb6e3f9e0ef64935a3ed553a364b6 22.0 1373086997 coolo - fix build on ARM (/-g/ matches /-grecord-switches/) (forwarded request 181923 from dirkmueller) 182307 4eaad8fec28ef84c9b852ed061c76c5e 23.0 1376212880 scarabeus_factory - update to Firefox 23.0 (bnc#833389) * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous memory safety hazards * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free mutating DOM during SetBody * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow when generating CRMF requests * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV audio file decoding * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of XrayWrappers using XBL Scopes * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system - requires NSPR 4.10 and NSS 3.15 186295 dc21e7fe0977dbf87398df0e913976a9 23.0.1 1377855777 coolo 196711 dc21e7fe0977dbf87398df0e913976a9 23.0.1 1379661911 adrianSuSE Split 13.1 from Factory 354a947048421ae69f83ae3a1e91457b 24.0 1379923539 coolo - move greek to the translations-common package (bnc#840551) - update to Firefox 24.0 (bnc#840485) * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719 Miscellaneous memory safety hazards * MFSA 2013-77/CVE-2013-1720 (bmo#888820) Improper state in HTML5 Tree Builder with templates * MFSA 2013-78/CVE-2013-1721 (bmo#890277) Integer overflow in ANGLE library * MFSA 2013-79/CVE-2013-1722 (bmo#893308) Use-after-free in Animation Manager during stylesheet cloning * MFSA 2013-80/CVE-2013-1723 (bmo#891292) NativeKey continues handling key messages after widget is destroyed * MFSA 2013-81/CVE-2013-1724 (bmo#894137) Use-after-free with select element * MFSA 2013-82/CVE-2013-1725 (bmo#876762) Calling scope for new Javascript objects can lead to memory corruption * MFSA 2013-85/CVE-2013-1728 (bmo#883686) Uninitialized data in IonMonkey * MFSA 2013-88/CVE-2013-1730 (bmo#851353) Compartment mismatch re-attaching XBL-backed nodes * MFSA 2013-89/CVE-2013-1732 (bmo#883514) Buffer overflow with multi-column, lists, and floats * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301) Memory corruption involving scrolling * MFSA 2013-91/CVE-2013-1737 (bmo#907727) User-defined properties on DOM proxies get the wrong "this" object * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897) GC hazard with default compartments and frame chain restoration - enable gstreamer explicitely via pref (gecko.js) 199437 06abb272c435982b3203f40a732cf958 24.0 1380526321 coolo - as GStreamer is not automatically required anymore but loaded dynamically if available, require it explicitely - recommend optional GStreamer plugins for comprehensive media support 201362 2a4dbe22c03487e84f2fa594e98dd034 25.0 1383285890 coolo - update to Firefox 25.0 (bnc#847708) * rebased patches * requires NSS 3.15.2 or above * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592 Miscellaneous memory safety hazards * MFSA 2013-94/CVE-2013-5593 (bmo#868327) Spoofing addressbar through SELECT element * MFSA 2013-95/CVE-2013-5604 (bmo#914017) Access violation with XSLT and uninitialized data * MFSA 2013-96/CVE-2013-5595 (bmo#916580) Improperly initialized memory and overflows in some JavaScript functions * MFSA 2013-97/CVE-2013-5596 (bmo#910881) Writing to cycle collected object during image decoding * MFSA 2013-98/CVE-2013-5597 (bmo#918864) Use-after-free when updating offline cache * MFSA 2013-99/CVE-2013-5598 (bmo#920515) Security bypass of PDF.js checks using iframes * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601 (bmo#915210, bmo#915576, bmo#916685) Miscellaneous use-after-free issues found through ASAN fuzzing * MFSA 2013-101/CVE-2013-5602 (bmo#897678) Memory corruption in workers * MFSA 2013-102/CVE-2013-5603 (bmo#916404) Use-after-free in HTML document templates 205261 e49cf49085c34123cc0dfd137cffc457 26.0 1386772896 coolo - update to Firefox 26.0 (bnc#854367, bnc#854370) * rebased patches * requires NSPR 4.10.2 and NSS 3.15.3.1 * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610 Miscellaneous memory safety hazards * MFSA 2013-105/CVE-2013-5611 (bmo#771294) Application Installation doorhanger persists on navigation * MFSA 2013-106/CVE-2013-5612 (bmo#871161) Character encoding cross-origin XSS attack * MFSA 2013-107/CVE-2013-5614 (bmo#886262) Sandbox restrictions not applied to nested object elements * MFSA 2013-108/CVE-2013-5616 (bmo#938341) Use-after-free in event listeners * MFSA 2013-109/CVE-2013-5618 (bmo#926361) Use-after-free during Table Editing * MFSA 2013-110/CVE-2013-5619 (bmo#917841) Potential overflow in JavaScript binary search algorithms * MFSA 2013-111/CVE-2013-6671 (bmo#930281) Segmentation violation when replacing ordered list elements * MFSA 2013-112/CVE-2013-6672 (bmo#894736) Linux clipboard information disclosure though selection paste * MFSA 2013-113/CVE-2013-6673 (bmo#970380) Trust settings for built-in roots ignored during EV certificate validation * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449) Use-after-free in synthetic mouse movement * MFSA 2013-115/CVE-2013-5615 (bmo#929261) GetElementIC typed array stubs can be generated outside observed typesets * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693) 210489 7a104bdd854429cd307a0b51876a1012 26.0 1388757229 scarabeus_factory 212678 d7fee2fe343003f802ddb2a6c7a3d520 27.0 1391613790 coolo - update to Firefox 27.0 (bnc#861847) * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3) * MFSA 2014-02/CVE-2014-1479 (bmo#911864) Clone protected content with XBL scopes * MFSA 2014-03/CVE-2014-1480 (bmo#916726) UI selection timeout missing on download prompts * MFSA 2014-04/CVE-2014-1482 (bmo#943803) Incorrect use of discarded images by RasterImage * MFSA 2014-05/CVE-2014-1483 (bmo#950427) Information disclosure with *FromPoint on iframes * MFSA 2014-06/CVE-2014-1484 (bmo#953993) Profile path leaks to Android system log * MFSA 2014-07/CVE-2014-1485 (bmo#910139) XSLT stylesheets treated as styles in Content Security Policy * MFSA 2014-08/CVE-2014-1486 (bmo#942164) Use-after-free with imgRequestProxy and image proccessing * MFSA 2014-09/CVE-2014-1487 (bmo#947592) Cross-origin information leak through web workers * MFSA 2014-10/CVE-2014-1489 (bmo#959531) Firefox default start page UI content invokable by script * MFSA 2014-11/CVE-2014-1488 (bmo#950604) Crash when using web workers with asm.js * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 (bmo#934545, bmo#930874, bmo#930857) NSS ticket handling issues * MFSA 2014-13/CVE-2014-1481(bmo#936056) Inconsistent JavaScript handling of access to Window objects - requires NSS 3.15.4 or higher - rebased/reworked patches 220926 f6ce9e5679ebae0210a3c48290b55a8d 27.0.1 1393232558 coolo - update to Firefox 27.0.1 * Fixed stability issues with Greasemonkey and other JS that used ClearTimeoutOrInterval * JS math correctness issue (bnc#941381) - incorporate Google API key for geolocation (bnc#864170) - updated list of "other" locales in RPM requirements 223589 41aa8e049e385c7a9da8077c33163d1e 27.0.1 1393937698 coolo Automatic submission by obs-autosubmit 224415 1eb614b810187d53e5e2b04df478ce60 28.0 1395405231 coolo - update to Firefox 28.0 (bnc#868603) * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494 Miscellaneous memory safety hazards * MFSA 2014-17/CVE-2014-1497 (bmo#966311) Out of bounds read during WAV file decoding * MFSA 2014-18/CVE-2014-1498 (bmo#935618) crypto.generateCRMFRequest does not validate type of key * MFSA 2014-19/CVE-2014-1499 (bmo#961512) Spoofing attack on WebRTC permission prompt * MFSA 2014-20/CVE-2014-1500 (bmo#956524) onbeforeunload and Javascript navigation DOS * MFSA 2014-22/CVE-2014-1502 (bmo#972622) WebGL content injection from one domain to rendering in another * MFSA 2014-23/CVE-2014-1504 (bmo#911547) Content Security Policy for data: documents not preserved by session restore * MFSA 2014-26/CVE-2014-1508 (bmo#963198) Information disclosure through polygon rendering in MathML * MFSA 2014-27/CVE-2014-1509 (bmo#966021) Memory corruption in Cairo during PDF font rendering * MFSA 2014-28/CVE-2014-1505 (bmo#941887) SVG filters information disclosure through feDisplacementMap * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909) Privilege escalation using WebIDL-implemented APIs * MFSA 2014-30/CVE-2014-1512 (bmo#982957) Use-after-free in TypeObject * MFSA 2014-31/CVE-2014-1513 (bmo#982974) Out-of-bounds read/write through neutering ArrayBuffer objects * MFSA 2014-32/CVE-2014-1514 (bmo#983344) Out-of-bounds write through TypedArrayObject after neutering 226811 d4a19446171e56e42b3bb4890cc74009 28.0 1396452309 coolo Automatic submission by obs-autosubmit 228401 9feccb607ac0bfd5295b4880976ac506 28.0 1397460308 coolo - add mozilla-aarch64-599882cfb998.patch, mozilla-aarch64-bmo-810631.patch, mozilla-aarch64-bmo-962488.patch, mozilla-aarch64-bmo-963030.patch, mozilla-aarch64-bmo-963027.patch, mozilla-aarch64-bmo-963028.patch, mozilla-aarch64-bmo-963029.patch, mozilla-aarch64-bmo-963023.patch, mozilla-aarch64-bmo-963024.patch, mozilla-aarch64-bmo-963031.patch: AArch64 porting (forwarded request 229482 from dirkmueller) 229901 67ba36fa84abeb1aee66fc7cf63a9644 29.0 1398863379 coolo - update to Firefox 29.0 (bnc#875378) * MFSA 2014-34/CVE-2014-1518/CVE-2014-1519 Miscellaneous memory safety hazards * MFSA 2014-36/CVE-2014-1522 (bmo#995289) Web Audio memory corruption issues * MFSA 2014-37/CVE-2014-1523 (bmo#969226) Out of bounds read while decoding JPG images * MFSA 2014-38/CVE-2014-1524 (bmo#989183) Buffer overflow when using non-XBL object as XBL * MFSA 2014-39/CVE-2014-1525 (bmo#989210) Use-after-free in the Text Track Manager for HTML video * MFSA 2014-41/CVE-2014-1528 (bmo#963962) Out-of-bounds write in Cairo * MFSA 2014-42/CVE-2014-1529 (bmo#987003) Privilege escalation through Web Notification API * MFSA 2014-43/CVE-2014-1530 (bmo#895557) Cross-site scripting (XSS) using history navigations * MFSA 2014-44/CVE-2014-1531 (bmo#987140) Use-after-free in imgLoader while resizing images * MFSA 2014-45/CVE-2014-1492 (bmo#903885) Incorrect IDNA domain name matching for wildcard certificates (fixed by NSS 3.16) * MFSA 2014-46/CVE-2014-1532 (bmo#966006) Use-after-free in nsHostResolver * MFSA 2014-47/CVE-2014-1526 (bmo#988106) Debugger can bypass XrayWrappers with JavaScript - rebased patches - removed obsolete patches * firefox-browser-css.patch * mozilla-aarch64-599882cfb998.diff 232128 799ec13a09a12d1188c888068fcf856a 29.0.1 1400006856 coolo - update to Firefox 29.0.1 * Seer disabled by default (bmo#1005958) * Session Restore failed with a corrupted sessionstore.js file (bmo#1001167) * pdf.js printing white page (bmo#1003707, bnc#876833) - general.useragent.locale gets overwritten with en-US while it should be using the active langpack's setting 233497 3323edcd2a8d47fc7a8aa65eeea09aaa 30.0 1402947775 coolo - update to Firefox 30.0 (bnc#881874) * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534 (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874, bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981, bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817, bmo#996536, bmo#996715, bmo#999651, bmo#1000598, bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223, bmo#1009952, bmo#1011007) Miscellaneous memory safety hazards (rv:30.0) * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538 (bmo#989994, bmo#999274, bmo#1005584) Use-after-free and out of bounds issues found using Address Sanitizer * MFSA 2014-50/CVE-2014-1539 (bmo#995603) Clickjacking through cursor invisability after Flash interaction * MFSA 2014-51/CVE-2014-1540 (bmo#978862) Use-after-free in Event Listener Manager * MFSA 2014-52/CVE-2014-1541 (bmo#1000185) Use-after-free with SMIL Animation Controller * MFSA 2014-53/CVE-2014-1542 (bmo#991533) Buffer overflow in Web Audio Speex resampler * MFSA 2014-54/CVE-2014-1543 (bmo#1011859) Buffer overflow in Gamepad API * MFSA 2014-55/CVE-2014-1545 (bmo#1018783) Out of bounds write in NSPR - rebased patches - removed obsolete patches * firefox-browser-css.patch * mozilla-aarch64-bmo-962488.patch * mozilla-aarch64-bmo-963023.patch 236875 eaa6149bb5ecdd1dafb8a4b8ab514066 31.0 1406284038 coolo - update to Firefox 31.0 (bnc#887746) * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548 Miscellaneous memory safety hazards * MFSA 2014-57/CVE-2014-1549 (bmo#1020205) Buffer overflow during Web Audio buffering for playback * MFSA 2014-58/CVE-2014-1550 (bmo#1020411) Use-after-free in Web Audio due to incorrect control message ordering * MFSA 2014-60/CVE-2014-1561 (bmo#1000514, bmo#910375) Toolbar dialog customization event spoofing * MFSA 2014-61/CVE-2014-1555 (bmo#1023121) Use-after-free with FireOnStateChange event * MFSA 2014-62/CVE-2014-1556 (bmo#1028891) Exploitable WebGL crash with Cesium JavaScript library * MFSA 2014-63/CVE-2014-1544 (bmo#963150) Use-after-free while when manipulating certificates in the trusted cache (solved with NSS 3.16.2 requirement) * MFSA 2014-64/CVE-2014-1557 (bmo#913805) Crash in Skia library when scaling high quality images * MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560 (bmo#1015973, bmo#1026022, bmo#997795) Certificate parsing broken by non-standard character encoding * MFSA 2014-66/CVE-2014-1552 (bmo#985135) IFRAME sandbox same-origin access through redirect - use EGL on ARM - rebased patches - requires NSS 3.16.2 - requires python-devel (not only python) 241955 eaa6149bb5ecdd1dafb8a4b8ab514066 31.0 1409300434 adrianSuSE Split 13.2 from Factory e1b8e2ddb54066abcc5155948565fff4 31.1.0 1409810156 coolo - update to Firefox 31.1.0esr (bnc#894370) * MFSA 2014-67/CVE-2014-1553/CVE-2014-1562 Miscellaneous memory safety hazards * MFSA 2014-68/CVE-2014-1563 (bmo#1018524) Use-after-free during DOM interactions with SVG * MFSA 2014-69/CVE-2014-1564 (bmo#1045977) Uninitialized memory use during GIF rendering * MFSA 2014-70/CVE-2014-1565 (bmo#1047831) Out-of-bounds read in Web Audio audio timeline * MFSA 2014-72/CVE-2014-1567 (bmo#1037641) Use-after-free setting text directionality - changes to support compilation on 11.4 * explicit xz BuildRequires * mozilla-nullptr-gcc45.patch * remove unresolved makeinfo BuildRequires - adapted _constraints, used more than 3900MB on s390x during last build 247292 94659be9d7b599475e58c1651d6c602a 32.0.2 1411556953 coolo - update to Firefox 32.0.2 * just a version bump for our builds * fixed the in application update process for certain environments (in application update is not enabled in openSUSE and Linux is unaffected in any case) - build with --disable-optimize for 13.1 and above for i586 to workaround miscompilations (bnc#896624) - use some more build flags to align with upstream - update to Firefox 32.0.1 * fixed stability issues for computers with multiple graphics cards * mixed content icon may be incorrectly displayed instead of lock icon for SSL sites in 32.0 ( * WebRTC: setRemoteDescription() silently fails if no success callback is specified (bmo#1063971) - update to Firefox 32.0 (bnc#894370) * MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562 - rebased patches - requires NSS 3.16.4 - removed upstreamed patch * mozilla-aarch64-bmo-810631.patch 251469 49a330bb3430cf9b361217783b661a30 33.0 1413384075 coolo - update to Firefox 33.0 (bnc#900941) New features: * OpenH264 support (sandboxed) * Enhanced Tiles * Improved search experience through the location bar * Slimmer and faster JavaScript strings * New CSP (Content Security Policy) backend * Support for connecting to HTTP proxy over HTTPS * Improved reliability of the session restoration * Proprietary window.crypto properties/functions removed Security: * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety hazards * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video * MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory use during GIF rendering * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) Key pinning bypasses * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps) 256323 7500bb510357a4aeb02d22df6a3e7308 33.0 1413616100 coolo 256768 e2c0aff7406eed78d93821ac08a09888 33.0.2 1414826041 coolo - update to Firefox 33.0.2 * Fix a startup crash with some combination of hardware and drivers 33.0.1 * Firefox displays a black screen at start-up with certain graphics drivers - adjusted _constraints for ARM - added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588) - define /usr/share/myspell as additional dictionary location and remove add-plugins.sh finally (bnc#900639) - use Firefox default optimization flags instead of -Os - specfile cleanup 259011 7f86f305fecf8e7b432595994bbe47e0 33.0.2 1415347520 coolo 1 260182 462654973674bbdd75c0c41728df2674 33.1 1415866610 dimstar_suse 260773 b131402bc4f1d802309bd3bd9bdb3089 34.0.5 1417870043 dimstar_suse - update to Firefox 34.0.5 (bnc#908009) * Default search engine changed to Yahoo! for North America * Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales * Improved search bar (en-US only) * Firefox Hello real-time communication client * Easily switch themes/personas directly in the Customizing mode * Implementation of HTTP/2 (draft14) and ALPN * Disabled SSLv3 * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588 Miscellaneous memory safety hazards * MFSA 2014-84/CVE-2014-1589 (bmo#1043787) XBL bindings accessible via improper CSS declarations * MFSA 2014-85/CVE-2014-1590 (bmo#1087633) XMLHttpRequest crashes with some input streams * MFSA 2014-86/CVE-2014-1591 (bmo#1069762) CSP leaks redirect data via violation reports * MFSA 2014-87/CVE-2014-1592 (bmo#1088635) Use-after-free during HTML5 parsing * MFSA 2014-88/CVE-2014-1593 (bmo#1085175) Buffer overflow while parsing media content * MFSA 2014-89/CVE-2014-1594 (bmo#1074280) Bad casting from the BasicThebesLayer to BasicContainerLayer - rebased patches - limit linker memory usage for %ix86 263819 0d5788903c2c9c6fa856b1144e2afec7 34.0.5 1419545996 dimstar_suse Automatic submission by obs-autosubmit 266182 cb3beefa5c5cf57318de11a4595e042d 35.0 1421873440 coolo - update to Firefox 35.0 (bnc#910669) notable features: * Firefox Hello with new rooms-based conversations model * Implemented HTTP Public Key Pinning Extension (for enhanced authentication of encrypted connections) security fixes: * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635 Miscellaneous memory safety hazards * MFSA 2015-02/CVE-2014-8637 (bmo#1094536) Uninitialized memory use during bitmap rendering * MFSA 2015-03/CVE-2014-8638 (bmo#1080987) sendBeacon requests lack an Origin header * MFSA 2015-04/CVE-2014-8639 (bmo#1095859) Cookie injection through Proxy Authenticate responses * MFSA 2015-05/CVE-2014-8640 (bmo#1100409) Read of uninitialized memory in Web Audio * MFSA 2015-06/CVE-2014-8641 (bmo#1108455) Read-after-free in WebRTC * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only) Gecko Media Plugin sandbox escape * MFSA 2015-08/CVE-2014-8642 (bmo#1079658) Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension * MFSA 2015-09/CVE-2014-8636 (bmo#987794) XrayWrapper bypass through DOM objects - rebased patches - dropped explicit support for everything older than 12.3 (including SLES11) * merge firefox-kde.patch and firefox-kde-114.patch * dropped mozilla-sle11.patch 281360 874715a23e6a2a9bb96d44f732fc915d 36.0 1425031620 dimstar_suse - update to Firefox 36.0 (bnc#917597) * mozilla-xremote-client was removed * added libclearkey.so media plugin * Pinned tiles on the new tab page can be synced * Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web. * Locale added: Uzbek (uz) security fixes: * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836 Miscellaneous memory safety hazards * MFSA 2015-12/CVE-2015-0833 (bmo#945192) Invoking Mozilla updater will load locally stored DLL files (Windows only) * MFSA 2015-13/CVE-2015-0832 (bmo#1065909) Appended period to hostnames can bypass HPKP and HSTS protections * MFSA 2015-14/CVE-2015-0830 (bmo#1110488) Malicious WebGL content crash when writing strings * MFSA 2015-15/CVE-2015-0834 (bmo#1098314) TLS TURN and STUN connections silently fail to simple TCP connections * MFSA 2015-16/CVE-2015-0831 (bmo#1130514) Use-after-free in IndexedDB * MFSA 2015-17/CVE-2015-0829 (bmo#1128939) Buffer overflow in libstagefright during MP4 video playback * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675) Double-free when using non-default memory allocators with a zero-length XHR * MFSA 2015-19/CVE-2015-0827 (bmo#1117304) Out-of-bounds read and write while rendering SVG content * MFSA 2015-20/CVE-2015-0826 (bmo#1092363) Buffer overflow during CSS restyling 287633 51c1d806f5d14a9635f49a41d1bbad31 36.0.1 1426494990 dimstar_suse FF 36 currently does not build on ARM and PPC apparently. I tried to fix one issue but it's not complete and still fails. This might need more research. - update to Firefox 36.0.1 Bugfixes: * Disable the usage of the ANY DNS query type (bmo#1093983) * Hello may become inactive until restart (bmo#1137469) * Print preferences may not be preserved (bmo#1136855) * Hello contact tabs may not be visible (bmo#1137141) * Accept hostnames that include an underscore character ("_") (bmo#1136616) * WebGL may use significant memory with Canvas2d (bmo#1137251) * Option -remote has been restored (bmo#1080319) - added mozilla-skia-bmo1136958.patch to fix build issues for ARM and PPC 289960 f393265a6c5e991f48303f806ed86a61 36.0.4 1427273690 dimstar_suse - update to Firefox 36.0.4 (bnc#923534) * MFSA 2015-28/CVE-2015-0818 (bmo#1144988) Privilege escalation through SVG navigation * MFSA 2015-29/CVE-2015-0817 (bmo#1145255) Code execution through incorrect JavaScript bounds checking elimination - Copy the icons to /usr/share/icons instead of symlinking them: in preparation for containerized apps (e.g. xdg-app) as well as AppStream metadata extraction, there are a couple locations that need to be real files for system integration (.desktop files, icons, mime-type info). 292313 9e3ce6a6e441131401e8bd4b3a781923 37.0 1428391670 dimstar_suse - update to Firefox 37.0 (bnc#925368) * Heartbeat user rating system * Yandex set as default search provider for the Turkish locale * Bing search now uses HTTPS for secure searching * Improved protection against site impersonation via OneCRL centralized certificate revocation * Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc * some more behaviour changes for TLS security fixes: * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 Miscellaneous memory safety hazards * MFSA 2015-31/CVE-2015-0813 (bmo#1106596)) Use-after-free when using the Fluendo MP3 GStreamer plugin * MFSA 2015-32/CVE-2015-0812 (bmo#1128126) Add-on lightweight theme installation approval bypassed through MITM attack * MFSA 2015-33/CVE-2015-0816 (bmo#1144991) resource:// documents can load privileged pages * MFSA-2015-34/CVE-2015-0811 (bmo#1132468) Out of bounds read in QCMS library * MFSA-2015-35/CVE-2015-0810 (bmo#1125013) Cursor clickjacking with flash and images (OS X only) * MFSA-2015-36/CVE-2015-0808 (bmo#1109552) Incorrect memory management for simple-type arrays in WebRTC * MFSA-2015-37/CVE-2015-0807 (bmo#1111834) CORS requests should not follow 30x redirections after preflight * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437) Memory corruption crashes in Off Main Thread Compositing * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560) 293906 0baf6da9560ed60593f4b7615b767c18 37.0.1 1428651986 dimstar_suse - update to Firefox 37.0.1 (bnc#926166) * MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only) Loading privileged content through Reader mode * MFSA 2015-44/CVE-2015-0799 (bmo#1148328) Certificate verification bypass through the HTTP/2 Alt-Svc header 294722 e93548268285fc0d6395172298341e27 37.0.2 1429973198 coolo - update to Firefox 37.0.2 (bnc#928116) * MFSA 2015-45/CVE-2015-2706 (bmo#1141081) Memory corruption during failed plugin initialization 298646 f107e0bab001d12cdcc72b03b34a872f 38.0.1 1432158641 dimstar_suse - add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from https://bugzilla.mozilla.org/show_bug.cgi?id=1153109 - update to Firefox 38.0.1 stability and regression fixes * Systems with first generation NVidia Optimus graphics cards may crash on start-up * Users who import cookies from Google Chrome can end up with broken websites * Large animated images may fail to play and may stop other images from loading - update to Firefox 38.0 (bnc#930622) * New tab-based preferences * Ruby annotation support * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/ security fixes: * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous memory safety hazards * MFSA 2015-47/VE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS * MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy ignored when links opened by middle-click and context menu * MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds read and write in asm.js validation * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled 307294 ca257a880804ce7c198bf74aa3978997 38.0.5 1433401262 dimstar_suse - update to Firefox 38.0.5 * Keep track of articles and videos with Pocket * Clean formatting for articles and blog posts with Reader View * Share the active tab or window in a Hello conversation - add changes file as source for SRPM (bsc#932142) 309818 9c2ec2cf0c7b52443d56e60a54d11858 38.0.6 1433845446 dimstar_suse 311096 b9a5dee24aeedd34cc6ec5bb5735903b 39.0 1437059587 coolo - update to Firefox 39.0 (bnc#935979) * Share Hello URLs with social networks * Support for 'switch' role in ARIA 1.1 (web accessibility) * SafeBrowsing malware detection lookups enabled for downloads (Mac OS X and Linux) * Support for new Unicode 8.0 skin tone emoji * Removed support for insecure SSLv3 for network communications * Disable use of RC4 except for temporarily whitelisted hosts * NPAPI Plug-in performance improved via asynchronous initialization security fixes: * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726 Miscellaneous memory safety hazards * MFSA 2015-60/CVE-2015-2727 (bmo#1163422) Local files or privileged URLs in pages can be opened into new tabs * MFSA 2015-61/CVE-2015-2728 (bmo#1142210) Type confusion in Indexed Database Manager * MFSA 2015-62/CVE-2015-2729 (bmo#1122218) Out-of-bound read while computing an oscillator rendering range in Web Audio * MFSA 2015-63/CVE-2015-2731 (bmo#1149891) Use-after-free in Content Policy due to microtask execution error * MFSA 2015-64/CVE-2015-2730 (bmo#1125025) ECDSA signature validation fails to handle some signatures correctly (this fix is shipped by NSS 3.19.1 externally) * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867) Use-after-free in workers while using XMLHttpRequest * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737 CVE-2015-2738/CVE-2015-2739/CVE-2015-2740 Vulnerabilities found through code inspection * MFSA 2015-67/CVE-2015-2741 (bmo#1147497) Key pinning is ignored when overridable errors are encountered 314952 481face813cf597a174e764f47ad97e1 39.0.3 1439190918 dimstar_suse - security update to Firefox 39.0.3 (bnc#940918) * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) Same origin violation and local file stealing via PDF reader 321236 3556971125fa1d38b55d02ef02632bc1 40.0 1439556337 dimstar_suse - update to Firefox 40.0 (bnc#940806) * Added protection against unwanted software downloads * Suggested Tiles show sites of interest, based on categories from your recent browsing history * Hello allows adding a link to conversations to provide context on what the conversation will be about * New style for add-on manager based on the in-content preferences style * Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only) * Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked security fixes: * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards * MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file * MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream playback * MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright * MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows) * MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file (does not affect openSUSE RPM packages which do not ship the updater) 322026 403d010959f312fa2f065cba9fe311da 40.0.3 1440871341 coolo - update to Firefox 40.0.3 (bnc#943550) * Disable the asynchronous plugin initialization (bmo#1198590) * Fix a segmentation fault in the GStreamer support (bmo#1145230) * Fix a regression with some Japanese fonts used in the <input> field (bmo#1194055) * On some sites, the selection in a select combox box using the mouse could be broken (bmo#1194733) security fixes * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278) Use-after-free when resizing canvas element during restyling * MFSA 2015-95/CVE-2015-4498 (bmo#1042699) Add-on notification bypass through data URLs 327639 4f5e24a5be89a82dab49dae250c38178 41.0 1443694879 dimstar_suse - update to Firefox 41.0 (bnc#947003) * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards * MFSA 2015-97/CVE-2015-4503 (bmo#994337) Memory leak in mozTCPSocket to servers * MFSA 2015-98/CVE-2015-4504 (bmo#1132467) Out of bounds read in QCMS library with ICC V4 profile attributes * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only) Site attribute spoofing on Android by pasting URL with unknown scheme * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) Arbitrary file manipulation by local user through Mozilla updater * MFSA 2015-101/CVE-2015-4506 (bmo#1192226) Buffer overflow in libvpx while parsing vp9 format video * MFSA 2015-102/CVE-2015-4507 (bmo#1192401) Crash when using debugger with SavedStacks in JavaScript * MFSA 2015-103/CVE-2015-4508 (bmo#1195976) URL spoofing in reader mode * MFSA 2015-104/CVE-2015-4510 (bmo#1200004) Use-after-free with shared workers and IndexedDB * MFSA 2015-105/CVE-2015-4511 (bmo#1200148) Buffer overflow while decoding WebM video * MFSA 2015-106/CVE-2015-4509 (bmo#1198435) Use-after-free while manipulating HTML media content * MFSA 2015-107/CVE-2015-4512 (bmo#1170390) Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems * MFSA 2015-108/CVE-2015-4502 (bmo#1105045) Scripted proxies can access inner window * MFSA 2015-109/CVE-2015-4516 (bmo#904886) JavaScript immutable property enforcement can be bypassed 333058 99ba6d58c42fb5c1291aafa51a120dcb 41.0.1 1444636837 coolo - do not build with --enable-stdcxx-compat (this starts to fail build on various toolchain combinations and is not required for openSUSE builds in general - update to Firefox 41.0.1 * Fix a startup crash related to Yandex toolbar and Adblock Plus (bmo#1209124) * Fix potential hangs with Flash plugins (bmo#1185639) * Fix a regression in the bookmark creation (bmo#1206376) * Fix a startup crash with some Intel Media Accelerator 3150 graphic cards (bmo#1207665) * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601) 336284 c72e53a71c97b1920b985b4f1ff595c9 41.0.2 1445675034 coolo - update to Firefox 41.0.2 (bnc#950686) * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669) Cross-origin restriction bypass using Fetch - added explicit appdata provides (bnc#949983) 339287 92e0309cc17cc89ee4bc574ecf389590 42.0 1446978280 dimstar_suse - update to Firefox 42.0 (bnc#952810) * Private Browsing with Tracking Protection blocks certain Web elements that could be used to record your behavior across sites * Control Center that contains site security and privacy controls * Login Manager improvements * WebRTC improvements * Indicator added to tabs that play audio with one-click muting * Media Source Extension for HTML5 video available for all sites security fixes: * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514 Miscellaneous memory safety hazards * MFSA 2015-117/CVE-2015-4515 (bmo#1046421) Information disclosure through NTLM authentication * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692) CSP bypass due to permissive Reader mode whitelist * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only) Firefox for Android addressbar can be removed after fullscreen mode * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only) Reading sensitive profile files through local HTML file on Android * MFSA 2015-121/CVE-2015-7187 (bmo#1195735) disabling scripts in Add-on SDK panels has no effect * MFSA 2015-122/CVE-2015-7188 (bmo#1199430) Trailing whitespace in IP address hostnames can bypass same-origin policy * MFSA 2015-123/CVE-2015-7189 (bmo#1205900) Buffer overflow during image interactions in canvas * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only) Android intents can be used on Firefox for Android to open privileged files * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only) XSS attack through intents on Firefox for Android * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only) 342306 e55b3608a3dfda6550df2fbfaa5fc12a 42.0 1447766494 dimstar_suse - Add desktop menu action for private browsing window to desktop file (boo#954747) - remove obsolete patch mozilla-bmo1005535.patch completely from source package to avoid automatic check failures 344628 199be07ea7960a7d89ab6720b43b2a6a 43.0 1451177832 dimstar_suse - update to Firefox 43.0 (bnc#959277) * Improved API support for m4v video playback * Users can opt-in to receive search suggestions from the Awesome Bar * WebRTC streaming on multiple monitors * User selectable second block list for Private Browsing's Tracking Protection security fixes: * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 Miscellaneous memory safety hazards * MFSA 2015-135/CVE-2015-7204 (bmo#1216130) Crash with JavaScript variable assignment with unboxed objects * MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin policy violation using perfomance.getEntries and history navigation * MFSA 2015-137/CVE-2015-7208 (bmo#1191423) Firefox allows for control characters to be set in cookies * MFSA 2015-138/CVE-2015-7210 (bmo#1218326) Use-after-free in WebRTC when datachannel is used after being destroyed * MFSA 2015-139/CVE-2015-7212 (bmo#1222809) Integer overflow allocating extremely large textures * MFSA 2015-140/CVE-2015-7215 (bmo#1160890) Cross-origin information leak through web workers error events * MFSA 2015-141/CVE-2015-7211 (bmo#1221444) Hash in data URI is incorrectly parsed * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) DOS due to malformed frames in HTTP/2 * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) Linux file chooser crashes on malformed images due to flaws in Jasper library 349286 fa682b56395e8609f2dbd044efd2d3b8 43.0.3 1451983254 dimstar_suse 351269 14e2d667db6642106091f0aaaf8c20f4 43.0.4 1452850773 dimstar_suse 1 352993 be63c8fbee7c056002b234ee73068226 44.0 1454490960 dimstar_suse - update to Firefox 44.0 (boo#963520) * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 Miscellaneous memory safety hazards * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) Out of Memory crash when parsing GIF format images * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) Buffer overflow in WebGL after out of memory allocation * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) Firefox allows for control characters to be set in cookie names * MFSA 2016-06/CVE-2016-1937 (bmo#724353) Missing delay following user click events in protocol handler dialog * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) Errors in mp_div and mp_exptmod cryptographic functions in NSS (fixed by requiring NSS 3.21) * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590) Addressbar spoofing attacks * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946 (bmo#1186621, bmo#1214782, bmo#1232096) Unsafe memory manipulation found through code inspection * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) Application Reputation service disabled in Firefox 43 * requires NSPR 4.11 * requires NSS 3.21 - prepare mozilla-kde.patch for Gtk3 builds - rebased patches 356135 f23997e0380f9a127d81a4eb9c143366 44.0 1455272521 dimstar_suse Automatic submission by obs-autosubmit 358662 eb12a64efd0a7b472a1d1b61a1625022 44.0.2 1456733614 dimstar_suse - fix build problems on i586, caused by too large unified compile units - adding mozilla-reduce-files-per-UnifiedBindings.patch - update to Firefox 44.0.2 * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438) Same-origin-policy violation using Service Workers with plugins * Fix issue which could lead to the removal of stored passwords under certain circumstances (bmo#1242176) * Allows spaces in cookie names (bmo#1244505) * Disable opus/vorbis audio with H.264 (bmo#1245696) * Fix for graphics startup crash (GNU/Linux) (bmo#1222171) * Fix a crash in cache networking (bmo#1244076) * Fix using WebSockets in service worker controlled pages (bmo#1243942) 362048 ff21503a895c07c0cc0f73417bb37769 45.0 1458120276 dimstar_suse - update to Firefox 45.0 (boo#969894) * requires NSPR 4.12 / NSS 3.21.1 * Instant browser tab sharing through Hello * Synced Tabs button in button bar * Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching * Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level * Tab Groups (Panorama) feature removed * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 Miscellaneous memory safety hazards * MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file overwriting and potential privilege escalation through CSP reports * MFSA 2016-18/CVE-2016-1955 (bmo#1208946) CSP reports fail to strip location information for embedded iframe pages * MFSA 2016-19/CVE-2016-1956 (bmo#1199923) Linux video memory DOS with Intel drivers * MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in libstagefright when deleting an array during MP4 processing * MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page address can be overridden * MFSA 2016-22/CVE-2016-1959 (bmo#1234949) Service Worker Manager out-of-bounds read in Service Worker Manager * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) Use-after-free in HTML5 string parser * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) Use-after-free in SetBody * MFSA 2016-25/CVE-2016-1962 (bmo#1240760) 368778 a0174a69c14b7f2beaa72ae2f766d71a 45.0.1 1459237913 dimstar_suse Automatic submission by obs-autosubmit 380049 24d21f12d578d80f014562e89bba17e7 45.0.2 1460924223 dimstar_suse 1 388302 0cf78223e280e1b1ce88b8d4771a467c 46.0 1462447165 dimstar_suse - add mozilla-jit_branch64.patch to avoid PowerPC build failure (from bmo#1266366) - Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest version from Fedora). - update to Firefox 46.0 (boo#977333) * Improved security of the JavaScript Just In Time (JIT) Compiler * WebRTC fixes to improve performance and stability * Added support for document.elementsFromPoint * Added HKDF support for Web Crypto API * requires NSPR 4.12 and NSS 3.22.3 * added patch to fix unchecked return value mozilla-check_return.patch * Gtk3 builds not supported at the moment security fixes: * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807 (boo#977373, boo#977375, boo#977376) Miscellaneous memory safety hazards * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377) Privilege escalation through file deletion by Maintenance Service updater (Windows only) * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378) Content provider permission bypass allows malicious application to access data (Android only) * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812 (bmo#1252330, bmo#1261776, boo#977379) Use-after-free and buffer overflow in Service Workers * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380) Disclosure of user actions through JavaScript with motion and 393514 fbe852870a6422688f54577f1b49c6e7 46.0.1 1463738070 dimstar_suse - update to Firefox 46.0.1 Fixed: * Search plugin issue for various locales * Add-on signing certificate expiration * Service worker update issue * Build issue when jit is disabled * Limit Sync registration updates - removed now obsolete mozilla-jit_branch64.patch 395587 bb6b74128898d4e72a09011bc59f79f8 46.0.1 1464017430 dimstar_suse 1 397000 13277f7f27be544fa91723a300b0c175 46.0.1 1464689487 dimstar_suse 1 398146 af9dc7441f13205deb42565101b49fec 47.0 1465750307 dimstar_suse - update to Firefox 47.0 (boo#983549) * Enable VP9 video codec for users with fast machines * Embedded YouTube videos now play with HTML5 video if Flash is not installed * View and search open tabs from your smartphone or another computer in a sidebar * Allow no-cache on back/forward navigations for https resources security fixes: * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818 (boo#983638) (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743, bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493, bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752, bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130, bmo#1269729, bmo#1273202, bmo#1273701) Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381) Buffer overflow parsing HTML5 fragments * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460) Use-after-free deleting tables from a contenteditable document * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129) Addressbar spoofing though the SELECT element * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580) Out-of-bounds write with WebGL shader * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093) Partial same-origin-policy through setting location.host through data URI * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810) Use-after-free when textures are used in WebGL operations after recycle pool destruction 400713 07e720f397b0c0e58ffe069106d18e46 47.0.1 1467359645 dimstar_suse 1 405482 f4d7c361c5122d88b510572787f9c6e2 47.0.1 1469628512 dimstar_suse - Fix Firefox crash on startup on i586 (boo#986541): * Add -fno-delete-null-pointer-checks and -fno-inline-small-functions to CFLAGS - Update the appdata.xml file (replace Windows XP screenshot) 414919 8053bdc5a4b9f5116677f233c042dacf 48.0 1471008901 dimstar_suse 1 417434 bc8b3f5863385df84bb5710431cb2a30 48.0.1 1472026032 dimstar_suse 1 420732 088dc5f70410a17b6dbde881dcefd35e 48.0.2 1472731326 dimstar_suse 1 423950 6776ca732c2a11e6a87334eacf8fb553 49.0.1 1474806592 dimstar_suse 1 429909 564df7dab67ab8da11a05557db310d41 49.0.1 1477134209 dimstar_suse 1 435748 f22a7fca95f2290ef66e3c536230a4b1 49.0.2 1477644144 dimstar_suse 1 437097 30432addcce9830215a9094efe904781 50.0 1479381588 dimstar_suse - update to Firefox 50.0 (boo#1009026) * requires NSS 3.26.2 new features * Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R * Added option to Find in page that allows users to limit search to whole words only * Added download protection for a large number of executable file types on Windows, Mac and Linux * Fixed rendering of dashed and dotted borders with rounded corners (border-radius) * Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux) * Blocked versions of libavcodec older than 54.35.1 * additional locale security fixes: * MFSA 2016-89 CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) CVE-2016-5292: URL parsing causes crash (bmo#1288482) CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink (Windows only) (bmo#1246945) CVE-2016-5294: Arbitrary target directory for result files of update process (Windows only) (bmo#1246972) CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678) CVE-2016-9064: Addons update must verify IDs match between 440442 969920b45400f0fbf191e223e9355ec7 50.0.2 1480785964 dimstar_suse 1 443072 45f879d2ff61b2389766051cca7a3758 50.1.0 1481886380 dimstar_suse - update to Firefox 50.1.0 (boo#1015422) * MFSA 2016-94 CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628) CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements (bmo#1317409) CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) CVE-2016-9896: Use-after-free with WebVR (bmo#1315543) CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees (bmo#1314442) CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs (bmo#1319122) CVE-2016-9904: Cross-origin information leak in shared atoms (bmo#1317936) CVE-2016-9901: Data from Pocket server improperly sanitized before execution (bmo#1320057) CVE-2016-9902: Pocket extension does not validate the origin of events (bmo#1320039) CVE-2016-9903: XSS injection vulnerability in add-ons SDK (bmo#1315435) CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 - added patch mozilla-aarch64-startup-crash.patch (bsc#1011922) 445658 cc33427d84233ee00f314ae2f7678eba 51.0.1 1485682232 dimstar_suse 1 453043 b00d41b4179c1f52c7e1f774d6d1df93 52.0.1 1490132875 dimstar_suse hopefully last iteration (let's see what the i586 builds are doing :-() - disable rust usage for everything but x86(-64) - explicitely add libffi build requirement - update to Firefox 52.0.1 (boo#1029822) MFSA 2017-08 CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168) - reenable ALSA support which was removed by default upstream - update to Firefox 52.0 (boo#1028391) * requires NSS >= 3.28.3 * Pages containing insecure password fields now display a warning directly within username and password fields. * Send and open a tab from one device to another with Sync * Removed NPAPI support for plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. * Removed Battery Status API to reduce fingerprinting of users by trackers * MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas operations 481555 afcf56a6d3234dad438b67440dd9fd0b 52.0.2 1491895735 maxlin_factory - update to Firefox 52.0.2 * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787) * Fix loading tab icons on session restore (bmo#1338009) * Fix a crash on startup on Linux (bmo#1345413) * Fix new installs erroneously not prompting to change the default browser setting (bmo#1343938) 485000 a73ae52e2b010292f5540fe4e5a0917d 52.1.0 1493880730 dimstar_suse Automatic submission by obs-autosubmit 491715 9f52289b49ea8cca8bb31771e37b170b 52.1.1 1495132598 dimstar_suse - update to Firefox 52.1.1 MFSA 2017-14 * CVE-2017-5031: Use after free in ANGLE (bmo#1328762) (Windows only, Linux not affected) - switch to Mozilla's geolocation service (boo#1026989) - removed mozilla-preferences.patch obsoleted by overriding via firefox.js - fixed KDE integration to avoid crash caused by filepicker (boo#1015998) 493642 bd493d22632dfa0922a311dcdddad874 52.1.1 1495883374 dimstar_suse - remove -fno-inline-small-functions and explicitely optimize with -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) 498129 72b3f5af79bda108822585b249ef1b1c 52.2 1497949072 dimstar_suse - update to Firefox 52.2esr (boo#1043960) MFSA 2017-16 * CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees * CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading * CVE-2017-7750 (bmo#1356558) Use-after-free with track elements * CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners * CVE-2017-7752 (bmo#1359547) Use-after-free with IME input * CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object * CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only) * CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors * CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library * CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder * CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only) 503675 2d41695987093899439fc7e2450b42af 52.2.1 1500669375 dimstar_suse 1 510206 55eee3b5966b1f4cdd7e61a0a1b2437c 52.3.0 1502561757 maxlin_factory 1 515337 ac659e26664806eac60670e0570c3e11 56.0 1507570592 dimstar_suse - Correct plugin directory for aarch64 (boo#1061207). The wrapper script was not detecting aarch64 as a 64 bit architecture, thus used /usr/lib/browser-plugins/. - Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0), pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure looks for. - update to Firefox 56.0 (boo#1060445) * Firefox Screenshots * Find Options/Preferences more quickly with new search function * Media is no longer auto-played when opened in a background tab * Enable CSS Grid Layout View MFSA 2017-21 * CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API * CVE-2017-7817 (bmo#1356596) (Android-only) Firefox for Android address bar spoofing through fullscreen mode * CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array manipulation * CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in design mode * CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and validating elements with ANGLE * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free in TLS 1.2 generating handshake hashes * CVE-2017-7812 (bmo#1379842) Drag and drop of malicious page content to the tab bar can open locally stored files * CVE-2017-7814 (bmo#1376036) 530307 72b2f21276abe9c33048ade962932256 57.0 1510837237 dimstar_suse - update to Firefox 57.0 (boo#1068101) * Firefox Quantum * Photon UI * Unified address and search bar * AMD VP9 hardware video decoder support * Added support for Date/Time input * stricter security sandbox blocking filesystem reading and writing on Linux systems * middle mouse paste in the content area no longer navigates to URLs by default on Unix systems MFSA 2017-24 * CVE-2017-7828 (bmo#1406750. bmo#1412252) Use-after-free of PressShell while restyling layout * CVE-2017-7830 (bmo#1408990) Cross-origin URL information leak through Resource Timing API * CVE-2017-7831 (bmo#1392026) Information disclosure of exposed properties on JavaScript proxy objects * CVE-2017-7832 (bmo#1408782) Domain spoofing through use of dotless 'i' character followed by accent markers * CVE-2017-7833 (bmo#1370497) Domain spoofing with Arabic and Indic vowel marker characters * CVE-2017-7834 (bmo#1358009) data: URLs opened in new tabs bypass CSP protections * CVE-2017-7835 (bmo#1402363) Mixed content blocking incorrectly applies with redirects * CVE-2017-7836 (bmo#1401339) Pingsender dynamically loads libcurl on Linux and OS X * CVE-2017-7837 (bmo#1325923) 541950 58a41a530fc533d437fc71bf58f64224 57.0 1512042179 dimstar_suse - Add mozilla-bmo1360278.patch Starting with Firefox 57, the context menu appears on key press. This patch creates a config entry to restore the old behaviour. Without the patch, the mouse gesture extensions require 2 clicks to work (bmo#1360278). The new config entry is named ui.context_menus.after_mouseup (default : false). - Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled widget.allow-client-side-decoration=true (mozilla-bmo1399611-csd.patch) 545695 891c196649a1e95f4b8abe407bef7802 57.0.1 1512765937 dimstar_suse - update to Firefox 57.0.1 * Fix a video color distortion issue on YouTube and other video sites with some AMD devices (bmo#1417442) * Fix an issue with prefs.js when the profile path has non-ascii characters (bmo#1420427) 547925 d32ac717085443906e0006060cd57d3b 57.0.1 1513110059 dimstar_suse - Explicitly buildrequires python2-xml: The build system relies on it. We wrongly relied on other packages pulling it in for us. - Escape the usage of %{VERSION} when calling out to rpm. RPM 4.14 has %{VERSION} defined as 'the main packages version'. * CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data (bsc#1072034, bmo#1410106) * CVE-2017-7844: Visited history information leak through SVG image (bsc#1072036, bmo#1420001) 555866 29163ecc594a6525bf947ebcec37376b 57.0.4 1515260831 dimstar_suse - update to Firefox 57.0.4 MFSA 2018-1: Speculative execution side-channel attack ("Spectre") (boo#1074723) - fixed regression introduced Oct 10th which made Firefox crash when cancelling the KDE file dialog (boo#1069962) - Mozilla Firefox 57.0.3: * Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bmo#1427111, bsc#1074235) - Includes changes from 57.0.2: * fixes for platforms other than GNU/Linux 561754 3bde119f0e586f42e125f2e9e3d0a293 57.0.4 1516091791 dimstar_suse This should hopefully fix the build issue with latest rust in staging. - fixed build with latest rust (mozilla-rust-1.23.patch) 563240 3eab647834a62d29b1d7cd94f999e410 58.0.1 1518025164 dimstar_suse 573290 b43aa3b0a0a19f65914c14902d6af504 58.0.2 1518513986 dimstar_suse 574857 e56b34bb56dc5e34d7d58e8422d34871 59.0.1 1521579141 dimstar_suse yet another small tweak to have really all fixes in place also for ARM (libtremor) which was left out from the upstream Firefox tag (and only applied to the Fennec one) - update to Firefox 59.0.1 (bsc#1085671) MFSA 2018-08 * CVE-2018-5146 (bmo#1446062) Vorbis audio processing out of bounds write * CVE-2018-5147 (bmo#1446365) Out of bounds memory write in libtremor (mozilla-bmo1446062.patch) - Added patch: * mozilla-bmo1005535.patch: Enable skia_gpu on big endian platforms. - update to Firefox 59.0 * Performance enhancements * Drag-and-drop to rearrange Top Sites on the Firefox Home page * added features for Firefox Screenshots * Enhanced WebExtensions API * Improved RTC capabilities MFSA 2018-06 (bsc#1085130) * CVE-2018-5127 (bmo#1430557) Buffer overflow manipulating SVG animatedPathSegList * CVE-2018-5128 (bmo#1431336) Use-after-free manipulating editor selection ranges * CVE-2018-5129 (bmo#1428947) Out-of-bounds write with malformed IPC messages * CVE-2018-5130 (bmo#1433005) Mismatched RTP payload type can trigger memory corruption * CVE-2018-5131 (bmo#1440775) Fetch API improperly returns cached copies of no-store/no-cache resources * CVE-2018-5132 (bmo#1408194) 588116 f57de4ea4c3e448f3d2a08208fb369f4 59.0.2 1522403979 dimstar_suse 591686 7c5977d83ef105f6a8c53b856c56902f 59.0.2 1525023387 dimstar_suse 601060 043f6c7dfcd3418c1a40b4743a645b9b 59.0.3 1525343466 dimstar_suse - do not try CSD on kwin (boo#1091592) - fix build in openSUSE:Leap:42.3:Update, use gcc7 - Mozilla Firefox 59.0.3: * fixes for platforms other than GNU/Linux 603325 696ad38336a73608d4987bf94fb24ada 60.0 1526030803 dimstar_suse Final Firefox 60.0 (regular; non-ESR) for TW - update to Firefox 60.0 * Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file * Applied Quantum CSS to render browser UI * Added support for Web Authentication, allowing the use of USB tokens for authentication to web sites * Locale added: Occitan (oc) MFSA 2018-11 (bsc#1092548) * CVE-2018-5154 (bmo#1443092) Use-after-free with SVG animations and clip paths * CVE-2018-5155 (bmo#1448774) Use-after-free with SVG animations and text paths * CVE-2018-5157 (bmo#1449898) Same-origin bypass of PDF Viewer to view protected PDF files * CVE-2018-5158 (bmo#1452075) Malicious PDF can inject JavaScript into PDF Viewer * CVE-2018-5159 (bmo#1441941) Integer overflow and out-of-bounds write in Skia * CVE-2018-5160 (bmo#1436117) Uninitialized memory use by WebRTC encoder * CVE-2018-5152 (bmo#1415644, bmo#1427289) WebExtensions information leak through webRequest API * CVE-2018-5153 (bmo#1436809) Out-of-bounds read in mixed content websocket messages * CVE-2018-5163 (bmo#1426353) Replacing cached data in JavaScript Start-up Bytecode Cache * CVE-2018-5164 (bmo#1416045) CSP not applied to all multipart content sent with multipart/x-mixed-replace 605919 c6e4c3bf4a25f448969cb4f77debc592 60.0.1 1527084458 dimstar_suse - Disable webrtc for aarch64 due to bmo#1434589 - Add patch to fix skia build on AArch64: * mozilla-fix-skia-aarch64.patch - update to Firefox 60.0.1 * Avoid overly long cycle collector pauses with some add-ons installed (bmo#1449033) * After unckecking the "Sponsored Stories" option, the New Tab page now immediately stops displaying "Sponsored content" cards (bmo#1458906) * On touchscreen devices, fixed momentum scrolling on non-zoomable pages (bmo#1457743) * Use the right default background when opening tabs or windows in high contrast mode (bmo#1458956) * Restored translations of the Preferences panels when using a language pack (bmo#1461590) - parellelise locales building 611510 61330cb97f4062ef26b31353f26729fc 60.0.1 1527418958 dimstar_suse - fixed "open with" option under KDE (boo#1094747) - workaround crash on startup on aarch64 (boo#1093059) (contributed by guillaume@Arm.com) 612426 371b47040e4806ea0488a93c35dce635 61.0 1530741079 dimstar_suse 619394 2939efdddde3c208beef0b08a1e73ad6 61.0.1 1531469927 dimstar_suse 621751 752201831c6e6a5271b634189c9ef357 61.0.2 1534543091 dimstar_suse - update to Firefox 61.0.2 * Improved website rendering with the Retained Display List feature enabled (bmo#1474402) * Fixed broken DevTools panels with certain extensions installed (bmo#1474379) * Fixed a crash for users with some accessibility tools enabled (bmo#1474007) 628536 4d70ea47163042433a27ca4c26fb5c47 62.0.2 1538502210 dimstar_suse - Mozilla Firefox 62.0.2: MFSA 2018-22 * CVE-2018-12385 (boo#1109363, bmo#1490585) Crash in TransportSecurityInfo due to cached data * Unvisited bookmarks can once again be autofilled in the address bar * Fix WebGL rendering issues * Fix fallback on startup when a language pack is missing * Avoid crash when sharing a profile with newer (as yet unreleased) versions of Firefox * Do not undo removal of search engines when using a language pack * Fixed rendering of some web sites * Restored compatibility with some sites using deprecated TLS settings - disable rust debug symbols to fix build on %ix86 - update to Firefox 62.0 * Firefox Home (the default New Tab) now allows users to display up to 4 rows of top sites, Pocket stories, and highlights * "Reopen in Container" tab menu option appears for users with Containers that lets them choose to reopen a tab in a different container * In advance of removing all trust for Symantec-issued certificates in Firefox 63, a preference was added that allows users to distrust certificates issued by Symantec. To use this preference, go to about:config in the address bar and set the preference "security.pki.distrust_ca_policy" to 2. * Support for CSS Shapes, allowing for richer web page layouts. This goes hand in hand with a brand new Shape Path Editor in the CSS inspector. * CSS Variable Fonts (OpenType Font Variations) support, which makes it possible to create beautiful typography with a single font file * Added Canadian English (en-CA) locale MFSA 2018-20 (bsc#1107343) * CVE-2018-12377 (bmo#1470260) Use-after-free in refresh driver timers * CVE-2018-12378 (bmo#1459383) Use-after-free in IndexedDB * CVE-2018-12379 (bmo#1473113) (updater is disabled for us) Out-of-bounds write with malicious MAR file * CVE-2017-16541 (bmo#1412081) Proxy bypass using automount and autofs * CVE-2018-12381 (bmo#1435319) Dragging and dropping Outlook email message results in page navigation * CVE-2018-12382 (bmo#1479311) (Android only) Addressbar spoofing with javascript URI on Firefox for Android * CVE-2018-12383 (bmo#1475775) Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords * CVE-2018-12375 Memory safety bugs fixed in Firefox 62 * CVE-2018-12376 Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 - requires NSS >= 3.38 - removed obsolete patch mozilla-bmo1464766.patch 637781 80837ffa19c181322789ec423a776331 62.0.3 1539093095 dimstar_suse 639752 9a9703a3890cf846148dd0f58bee8317 63.0.3 1543399842 dimstar_suse - Clean-up %arm build - update to Firefox 63.0.3 * Games using WebGL (created in Unity) get stuck after very short time of gameplay (bmo#1502748) * Slow page loading for some users with specific proxy configurations (bmo#1495024) * Disable HTTP response throttling by default for causing bugs with videos in background tabs (bmo#1503354) * Opening magnet links no longer works (bmo#1498934) * Crash fixes (bmo#1498510, bmo#1503424) - removed mozilla-newer-cbindgen.patch; no longer needed - update to Firefox 63.0.1 * Snippets are not loaded due to missing element (bmo#1503047) * Print preview always shows 30& scale when it is actually Shrink To Fit (bmo#1501952) * Dialog displayed when closing multiple windows shows unreplaced %1$S placeholder in Japanese and potentially other locales (bmo#1500823) - update to Firefox 63.0 * WebExtensions now run in their own process on Linux * The Ctrl+Tab shortcut now displays thumbnail previews of your tabs and cycles through tabs in recently used order. This new default behavior is activated only in new profiles and can be changed in preferences. * Added support for Web Components custom elements and shadow DOM MFSA 2018-26 (bsc#1112852) * CVE-2018-12391 (bmo#1478843) (Android-only) 651985 897e9442794dd30dcdee00473b345fad 64.0 1545222484 dimstar_suse 657819 0d6abe5248aab9bcc851a8aeaf70afce 65.0 1549464278 coolo Hope that the i586 build issue is fixed. It worked in my OBS project but not sure if it occasionally still could fail. - Mozilla Firefox 65.0 * Enhanced tracking protection * allow switching of UI locales within preferences * support for the WebP image format * "top"-like about:performance MFSA 2019-01 (bsc#1122983) * CVE-2018-18500 bmo#1510114 Use-after-free parsing HTML5 stream * CVE-2018-18503 bmo#1509442 Memory corruption with Audio Buffer * CVE-2018-18504 bmo#1496413 Memory corruption and out-of-bounds read of texture client * CVE-2018-18505 bmo#1497749 Privilege escalation through IPC channel messages * CVE-2018-18506 bmo#1503393 Proxy Auto-Configuration file can define localhost access to be proxied * CVE-2018-18502 bmo#1499426 bmo#1480090 bmo#1472990 bmo#1514762 bmo#1501482 bmo#1505887 bmo#1508102 bmo#1508618 bmo#1511580 bmo#1493497 bmo#1510145 bmo#1516289 bmo#1506798 bmo#1512758 Memory safety bugs fixed in Firefox 65 * CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619 bmo#1502871 bmo#1516738 bmo#1516514 Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 - requires NSS 3.41 rust/carge 1.30 rust-cbindgen 0.6.7 - rebased patches - remove workaround for build memory consumption on i586; other mitigations meanwhile introduced (mainly parallelity) will be 670835 798293437be4e42a7f2c9840eb664f0c 65.0.1 1551113178 coolo 676563 79baf28b9f34bcf588e0d10b593b6d7a 65.0.1 1552039323 dimstar_suse 682354 d198c64442b769f765b10281196b0bce 66.0 1553699560 dimstar_suse - Mozilla Firefox 66.0 * Increased content processes to 8 * Added capability to search through open tabs from the tab overflow menu * New backend for the storage.local WebExtensions API, providing I/O performance improvements when the extension updates a small subset of the stored data * WebExtension keyboard shortcuts can now be managed or overridden from about:addons * Improved scrolling behavior: Firefox will now attempt to keep content from jumping around while a page is loading by supporting scroll anchoring * New about:privatebrowsing with search * A certificate error page now notifies the user of the name of the certificate issuer that breaks HTTPs connections on intercepted connections to help troubleshooting possible anti-virus software issues. * Fixed an performance issue some Linux users experienced with the Downloads panel (bmo#1517101) * Firefox now blocks all autoplay media with sound by default. Users can add individual sites to an exceptions list or turn the blocking off. * System title bar is hidden by default to match Gnome guideline MFSA 2019-07 (bsc#1129821) * CVE-2019-9790 (bmo#1525145) Use-after-free when removing in-use DOM elements * CVE-2019-9791 (bmo#1530958) Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey * CVE-2019-9792 (bmo#1532599) IonMonkey leaks JS_OPTIMIZED_OUT magic value to script 686793 7fde5147fa37d7e6ae467d71da0dead7 66.0.2 1554189563 dimstar_suse - Mozilla Firefox 66.0.2 * Fixed Web compatibility issues with Office 365, iCloud and IBM WebMail caused by recent changes to the handling of keyboard events (bmo#1538966) * Crash fixes (bmo#1521370, bmo#1539118) - Add patch to fix aarch64 build: * mozilla-fix-aarch64-libopus.patch (bmo#1539737) - Mozilla Firefox 66.0.1 MFSA 2019-09 (bsc#1130262) * CVE-2019-9810 (bmo#1537924) IonMonkey MArraySlice has incorrect alias information * CVE-2019-9813 (bmo#1538006) Ionmonkey type confusion with __proto__ mutations 690057 901c508fa4323b92fb25e861bc402c04 66.0.3 1555324492 dimstar_suse - Mozilla Firefox 66.0.3 * Fixed: Address bar on tablets running Windows 10 now behaves correctly (bmo#1498973) * Fixed: Performance issues with some HTML5 games (bmo#1537609) * Fixed a bug with keypress events in IBM cloud applications (bmo#1538970) * Fix for keypress events in some Microsoft cloud applications (bmo#1539618) * Changed: Updated Baidu search plugin 693917 8723eac507ab1b257f08967a48c6be60 66.0.4 1557170046 dimstar_suse - Mozilla Firefox 66.0.4 (boo#1134126) * fix extension certificate chain https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/ 700898 aec8a9ff76241b05da61b1415f2caf51 66.0.5 1557653561 dimstar_suse - Mozilla Firefox 66.0.5 * Fixed: Further improvements to re-enable web extensions which had been disabled for users with a master password set (bmo#1549249) 702059 a0a3fe311f15975cfe2496988ceca5f1 67.0 1558938554 dimstar_suse fixed a missing syntax error (missing closing bracket); no extra changelog addition since it's not yet accepted afaik - Mozilla Firefox 67.0 * Firefox 67 will be able to run different Firefox installs side by side https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/ * Tabs can now be pinned from the Page Actions menu in the address bar * Users can block known cryptominers and fingerprinters in the Custom settings or their Content Blocking preferences * The Import Data from Another Browser feature is now also available from the File menu * Firefox will now protect you against running older versions which can lead to data corruption and stability issues * Easier access to your list of saved logins from the main menu and login autocomplete * We’ve added a toolbar menu for your Firefox Account to provide more transparency for when you are synced, sharing data across devices and with Firefox. Personalize the appearance of the menu with your own avatar * Enable FIDO U2F API, and permit registrations for Google Accounts * Enabled AV1 support on Linux MFSA 2019-13 (boo#1135824) * CVE-2019-9815 (bmo#1546544) Disable hyperthreading on content JavaScript threads on macOS * CVE-2019-9816 (bmo#1536768) Type confusion with object groups and UnboxedObjects * CVE-2019-9817 (bmo#1540221) Stealing of cross-domain images using canvas * CVE-2019-9818 (bmo#1542581) (Windows only) Use-after-free in crash generation server * CVE-2019-9819 (bmo#1532553) Compartment mismatch with fetch API * CVE-2019-9820 (bmo#1536405) 705211 a22b66b5e6617682d8afe73e017746a4 67.0.4 1561405857 dimstar_suse - Mozilla Firefox 67.0.4 MFSA 2019-19 (boo#1138872) * CVE-2019-11708 (bmo#1559858) sandbox escape using Prompt:Open - Mozilla Firefox 67.0.3 MFSA 2019-18 (boo#1138614) * CVE-2019-11707 (bmo#1544386) Type confusion in Array.pop - Mozilla Firefox 67.0.2 * Fixed: Fix JavaScript error ("TypeError: data is null in PrivacyFilter.jsm") in console which may significantly degrade sessionstore reliability and performance (bmo#1553413) * Fixed: Proxy authentication dialog box repeatedly pops up asking to authenticate after upgrading to Firefox 67 (bmo#1548804) * Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's implementation (bmo#1551282) * Fixed: Starting in safe mode on Linux or macOS causes Firefox to think on the subsequent launch that the profile is too recent to be used with this version of Firefox (bmo#1556612) * Fixed: Linux distribution users can't easily install/use additional/different languages using the built-in preferences UI (bmo#1554744) * Fixed: Developer tools users can't copy the href/src content from various HTML tags via the context menu in the Inspector markup view (bmo#1552275) * Fixed: Custom home page is broken with clearing data on shutdown settings applied (bmo#1554167) * Fixed: Performance-regression for eclipse RAP based applications 711215 fe5060657e183ab90e204e6794767aee 68.0.1 1563790721 dimstar_suse - Mozilla Firefox 68.0.1 * Fixed missing Full Screen button when watching videos in full screen mode on HBO GO (bmo#1562837) * Fixed a bug causing incorrect messages to appear for some locales when sites try to request the use of the Storage Access API (bmo#1558503) * Users in Russian regions may have their default search engine changed (bmo#1565315) * Built-in search engines in some locales do not function correctly (bmo#1565779) * SupportMenu policy doesn't always work (bmo#1553290) * Allow the privacy.file_unique_origin pref to be controlled by policy (bmo#1563759) - add fix-build-after-y2038-changes-in-glibc.patch - Generate langpacks sequentially to avoid file corruption from racy file writes (boo#1137970) - Mozilla Firefox 68.0 * Dark mode in reader view * Improved extension security and discovery * Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences * Camera and microphone access now require an HTTPS connection MFSA 2019-21 (bsc#1140868) * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327) Sandbox escape via installation of malicious languagepack * CVE-2019-11711 (bmo#1552541) Script injection within domain through inner window reuse 717184 4edd2ba8e28dd7e3d63da61939baabe0 68.0.1 1565266942 dimstar_suse 721224 9c93fcdb453cba5ba4d5048c07d485ce 68.0.2 1566912130 dimstar_suse 724714 9ecf3b8b3cb897be104361021d62e8c1 68.1.0 1567848437 dimstar_suse Due to release timing and vacation time as well as security considerations Tumbleweed is getting 68.1esr as intermediate before switching back to regular and release 69. - Mozilla Firefox 68.1.0 MFSA 2019-26 * CVE-2019-11751 (bmo#1572838; Windows only) Malicious code execution through command line parameters * CVE-2019-11746 (bmo#1564449) Use-after-free while manipulating video * CVE-2019-11744 (bmo#1562033) XSS by breaking out of title and textarea elements using innerHTML * CVE-2019-11742 (bmo#1559715) Same-origin policy violation with SVG filters and canvas to steal cross-origin images * CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only)) File manipulation and privilege escalation in Mozilla Maintenance Service * CVE-2019-11753 (bmo#1574980; Windows only) Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location * CVE-2019-11752 (bmo#1501152) Use-after-free while extracting a key value in IndexedDB * CVE-2019-9812 (bmo#1538008, bmo#1538015) Sandbox escape through Firefox Sync * CVE-2019-11743 (bmo#1560495) Cross-origin access to unload event attributes * CVE-2019-11748 (bmo#1564588) Persistence of WebRTC permissions in a third party context * CVE-2019-11749 (bmo#1565374) Camera information available without prompting using getUserMedia * CVE-2019-11750 (bmo#1568397) Type confusion in Spidermonkey * CVE-2019-11738 (bmo#1452037) Content security policy bypass through hash-based sources in directives 728229 c566c01cbb3cca48d493b19190b8bbbf 69.0 1568720083 maxlin_factory - Mozilla Firefox 69.0 * Enhanced Tracking Protection (ETP) for stronger privacy protections * Block Autoplay feature is enhanced to give users the option to block any video * Users in the US or using the en-US browser, can get a new “New Tab” page experience connecting to the best of Pocket's content. * Support for the Web Authentication HmacSecret extension via Windows Hello introduced. * Support for receiving multiple video codecs with this release makes it easier for WebRTC conferencing services to mix video from different clients. MFSA 2019-25 (boo#1149324) * CVE-2019-11741 (bmo#1539595) Isolate addons.mozilla.org and accounts.firefox.com * CVE-2019-5849 (bmo#1555838) Out-of-bounds read in Skia * CVE-2019-11737 (bmo#1388015) Content security policy directives ignore port and path if host is a wildcard * CVE-2019-11734 (bmo#1352875,bmo#1536227,bmo#1557208,bmo#1560641) Memory safety bugs fixed in Firefox 69 * CVE-2019-11735 (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912, bmo#1565744,bmo#1568858,bmo#1570358) Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 * CVE-2019-11740 (bmo#1563133,bmo#1573160) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 - requires * rust/cargo >= 1.35 * rust-cbindgen >= 0.9.0 * mozilla-nss >= 3.45 - rebased patches 730473 6ff9f6da65ba8694abdaf3d63d97074a 69.0.1 1569369997 dimstar_suse - Mozilla Firefox 69.0.1 * Fixed external programs launching in the background when clicking a link from inside Firefox to launch them (bmo#1570845) * Usability improvements to the Add-ons Manager for users with screen readers (bmo#1567600) * Fixed the Captive Portal notification bar not being dismissable in some situations after login is complete (bmo#1578633) * Fixed the maximum size of fonts in Reader Mode when zoomed (bmo#1578454) * Fixed missing stacks in the Developer Tools Performance section (bmo#1578354) MFSA 2019-31 * CVE-2019-11754 (bmo#1580506) Pointer Lock is enabled with no user notification - disable DOH by default 732086 32d7093497abb8ec448f16e5712abb6f 69.0.2 1570799508 dimstar_suse - Mozilla Firefox 69.0.2 * Fixed a crash when editing files on Office 365 websites (bmo#1579858) * Fixed a Linux-only crash when changing the playback speed while watching YouTube videos (bmo#1582222) - updated supported locale list - Allow to build without profile guided optimizations (boo#1040589) (contributed by Bernhard Wiedemann) - Make build verbose (contributed by Martin LiÅ¡ka) - remove obsolete kde.js setting (boo#1151186) and related patch firefox-add-kde.js-in-order-to-survive-PGO-build.patch - update create-tar.sh to latest revision and adjusted tar_stamps - add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO) - extension preferences moved from branding package to core package (packaging but not branding specific) 735118 dc39799c5805393b4737d6ae0ddee1e8 69.0.3 1571307397 dimstar_suse - Mozilla Firefox 69.0.3 * Fixed Yahoo mail users being prompted to download files when clicking on emails (bmo#1582848) - devel package build can easily be disabled now 738119 d3a4f9414446e2eb88c34887010b6a84 70.0.1 1572883370 dimstar_suse - Mozilla Firefox 70.0.1 * Fix for an issue that caused some websites or page elements using dynamic JavaScript to fail to load. (bmo#1592136) * Title bar no longer shows in full screen view (bmo#1588747) - added mozilla-bmo1504834-part4.patch to fix some visual issues on big endian platforms - Mozilla Firefox 70.0 * more privacy protections from Enhanced Tracking Protection * Firefox Lockwise passwordmanager * Improvements to core engine components, for better browsing on more sites * Improved privacy and security indicators MFSA 2019-34 * CVE-2018-6156 (bmo#1480088) Heap buffer overflow in FEC processing in WebRTC * CVE-2019-15903 (bmo#1584907) Heap overflow in expat library in XML_GetCurrentLineNumber * CVE-2019-11757 (bmo#1577107) Use-after-free when creating index updates in IndexedDB * CVE-2019-11759 (bmo#1577953) Stack buffer overflow in HKDF output * CVE-2019-11760 (bmo#1577719) Stack buffer overflow in WebRTC networking * CVE-2019-11761 (bmo#1561502) Unintended access to a privileged JSONView object * CVE-2019-11762 (bmo#1582857) document.domain-based origin isolation has same-origin-property violation * CVE-2019-11763 (bmo#1584216) Incorrect HTML parsing results in XSS bypass technique * CVE-2019-11765 (bmo#1562582) 744799 c7aa7a727f25aca42d50d5cf9402031a 71.0 1577710101 dimstar_suse - Mozilla Firefox 71.0 * Improvements to Lockwise, our integrated password manager * More information about Enhanced Tracking Protection in action * Native MP3 decoding on Windows, Linux, and macOS * Configuration page (about:config) reimplemented in HTML * New kiosk mode functionality, which allows maximum screen space for customer-facing displays MFSA 2019-36 * CVE-2019-11756 (bmo#1508776) Use-after-free of SFTKSession object * CVE-2019-17008 (bmo#1546331) Use-after-free in worker destruction * CVE-2019-13722 (bmo#1580156) (Windows only) Stack corruption due to incorrect number of arguments in WebRTC code * CVE-2019-17014 (bmo#1322864) Dragging and dropping a cross-origin resource, incorrectly loaded as an image, could result in information disclosure * CVE-2019-17010 (bmo#1581084) Use-after-free when performing device orientation checks * CVE-2019-17005 (bmo#1584170) Buffer overflow in plain text serializer * CVE-2019-17011 (bmo#1591334) Use-after-free when retrieving a document in antitracking * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209 bmo#1580288, bmo#1585760, bmo#1592502) Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 * CVE-2019-17013 (bmo#1298509, bmo#1472328, bmo#1577439, bmo#1577937 bmo#1580320, bmo#1584195, bmo#1585106, bmo#1586293, bmo#1593865 bmo#1594181) Memory safety bugs fixed in Firefox 71 757910 c0fdd8181eccec3989c61f933b038d81 72.0.1 1578749876 dimstar_suse - Mozilla Firefox 72.0.1 MFSA 2020-03 (bsc#1160498) * CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with StoreElementHole and FallibleStoreElement - Mozilla Firefox 72.0 * block fingerprinting scripts by default * new notification pop-ups * Picture-in-picture video MFSA 2020-01 (bsc#1160305) * CVE-2019-17016 (bmo#1599181) Bypass of @namespace CSS sanitization during pasting * CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp * CVE-2019-17020 (bmo#1597645) Content Security Policy not applied to XSL stylesheets applied to XML documents * CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags * CVE-2019-17023 (bmo#1590001) (fixed in NSS FIXME) NSS may negotiate TLS 1.2 or below after a TLS 1.3 HelloRetryRequest had been sent * CVE-2019-17024 (bmo#1507180,bmo#1595470,bmo#1598605,bmo#1601826) Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 * CVE-2019-17025 (bmo#1328295,bmo#1328300,bmo#1590447,bmo#1590965 bmo#1595692,bmo#1597321,bmo#1597481) Memory safety bugs fixed in Firefox 72 - update create-tar.sh to skip compare-locales - requires NSPR 4.24 and NSS 3.48 - removed usage of browser-plugins convention for NPAPI plugins from start wrapper and changed the RPM macro to the 762071 8426f00ee56a988c81038639274514a1 72.0.2 1579871475 dimstar_suse - Mozilla Firefox 72.0.2 * Various stability fixes * Fixed issues opening files with spaces in their path (bmo#1601905) * Fixed a hang opening about:logins when a master password is set (bmo#1606992) * Fixed a web compatibility issue with CSS Shadow Parts which shipped in Firefox 72 (bmo#1604989) * Fixed inconsistent playback performance for fullscreen 1080p videos on some systems (bmo#1608485) - Fix build for aarch64/ppc64le (do not update config.sub file for libbacktrace) 766431 4b1fc66f5f1b6ebd63d06fe23ad9b3b4 72.0.2 1580990779 dimstar_suse 769385 ee268abb9f0888fe755a5f63bd089931 73.0 1581694149 okurz-factory - Mozilla Firefox 73.0 * Added support for setting a default zoom level applicable for all web content * High-contrast mode has been updated to allow background images * Improved audio quality when playing back audio at a faster or slower speed * Added NextDNS as alternative option for DNS over HTTPS MFSA 2020-05 (bsc#1163368) * CVE-2020-6796 (bmo#1610426) Missing bounds check on shared memory read in the parent process * CVE-2020-6797 (bmo#1596668) (MacOS X only) Extensions granted downloads.open permission could open arbitrary applications on Mac OSX * CVE-2020-6798 (bmo#1602944) Incorrect parsing of template tag could result in JavaScript injection * CVE-2020-6799 (bmo#1606596) (Windows only) Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader * CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851, bmo#1608580,bmo#1608785,bmo#1605777) Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 * CVE-2020-6801 (bmo#1601024,bmo#1601712,bmo#1604836,bmo#1606492) Memory safety bugs fixed in Firefox 73 - updated requirements * rust >= 1.39 * NSS >= 3.49.2 * rust-cbindgen >= 0.12.0 - rebased patches - removed obsolete patch * mozilla-bmo1601707.patch 773730 8021c2f982eb13a036e694e89f945fe5 73.0.1 1582642956 dimstar_suse - Mozilla Firefox 73.0.1 * Resolved problems connecting to the RBC Royal Bank website (bmo#1613943) * Fixed Firefox unexpectedly exiting when leaving Print Preview mode (bmo#1611133) * Fixed crashes when playing encrypted content on some Linux systems (bmo#1614535) - start in wayland mode when running under wayland session 777864 01e091053a02ac60ac6d0c261fa02a6b 73.0.1 1583007630 dimstar_suse - big endian fixes - Fix build on aarch64/armv7 with: * mozilla-bmo1610814.patch (boo#1164845, bmo#1610814) 779878 39672695f275234f9b60f4cd6a094db5 74.0 1584530186 dimstar_suse - Mozilla Firefox 74.0 * https://www.mozilla.org/en-US/firefox/74.0/releasenotes/ MFSA 2020-08 (bsc#1166238) * CVE-2020-6805 (bmo#1610880) Use-after-free when removing data about origins * CVE-2020-6806 (bmo#1612308) BodyStream::OnInputStreamReady was missing protections against state confusion * CVE-2020-6807 (bmo#1614971) Use-after-free in cubeb during stream destruction * CVE-2020-6808 (bmo#1247968) URL Spoofing via javascript: URL * CVE-2020-6809 (bmo#1420296) Web Extensions with the all-urls permission could access local files * CVE-2020-6810 (bmo#1432856) Focusing a popup while in fullscreen could have obscured the fullscreen notification * CVE-2020-6811 (bmo#1607742) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2019-20503 (bmo#1613765) Out of bounds reads in sctp_load_addresses_from_init * CVE-2020-6812 (bmo#1616661) The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission * CVE-2020-6813 (bmo#1605814) @import statements in CSS could bypass the Content Security Policy nonce feature * CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636, 784530 6c286a440765bf6d4d9eb5b047e75dce 74.0 1585261831 dimstar_suse - mozilla-sandbox-fips.patch: allow /proc/sys/crypto/fips_enabled to be read, as openssl 1.1.1 FIPS aborts if it cannot access it (bsc#1167132) 788189 1c8a6876aebbd3075471bff10c85a3dc 74.0.1 1586112599 dimstar_suse 791372 0e30296a39091d9010603652ce993ca9 75.0 1586774961 dimstar_suse - Mozilla Firefox 75.0 * https://www.mozilla.org/en-US/firefox/75.0/releasenotes MFSA 2020-12 (bsc#1168874) * CVE-2020-6821 (bmo#1625404) Uninitialized memory could be read when using the WebGL copyTexSubImage method * CVE-2020-6822 (bmo#1544181) Out of bounds write in GMPDecodeData when processing large images * CVE-2020-6823 (bmo#1614919) Malicious Extension could obtain auth codes from OAuth login flows * CVE-2020-6824 (bmo#1621853) Generated passwords may be identical on the same site between separate private browsing sessions * CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203) Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7 * CVE-2020-6826 (bmo#1613009,bmo#1613195,bmo#1616734,bmo#1617488, bmo#1619229,bmo#1620719,bmo#1624897) Memory safety bugs fixed in Firefox 75 - removed obsolete patch mozilla-bmo1609538.patch - requires * rust >= 1.41 * rust-cbindgen >= 0.13.1 * mozilla-nss >= 3.51 * nodejs10 >= 10.19 - fix build issue in libvpx for i586 via mozilla-bmo1622013.patch - increase _constraints memory for ppc64le 792914 468b4d9fad42a557e8b3f20e79dba436 76.0 1588866664 dimstar_suse - Mozilla Firefox 76.0 * Lockwise improvements * Improvements in Picture-in-Picture feature * Support Audio Worklets MFSA-2020-16 (bsc#1171186) * CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown * CVE-2020-12388 (bmo#1618911) Sandbox escape with improperly guarded Access Tokens * CVE-2020-12389 (bmo#1554110) Sandbox escape with improperly separated process types * CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation * CVE-2020-12390 (bmo#1141959) Incorrect serialization of nsIPrincipal.origin for IPv6 addresses * CVE-2020-12391 (bmo#1457100) Content-Security-Policy bypass using object elements * CVE-2020-12392 (bmo#1614468) Arbitrary local file access with 'Copy as cURL' * CVE-2020-12393 (bmo#1615471) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2020-12394 (bmo#1628288) URL spoofing in location bar when unfocussed * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8 * CVE-2020-12396 (bmo#1339601, bmo#1611938, bmo#1620488, bmo#1622291, bmo#1627644) Memory safety bugs fixed in Firefox 76 800451 bdd13e88984507bfe3350ec72f7a880f 76.0.1 1589491439 dimstar_suse 805460 ced7ac36cc462522fe4d1bfbb9e25cd5 77.0.1 1591380247 dimstar_suse 811277 5165a36e24dda6be09ff4b59805c9e85 78.0.1 1594045226 dimstar_suse - Mozilla Firefox 78.0.1 * Fixed an issue which could cause installed search engines to not be visible when upgrading from a previous release. - enable MOZ_USE_XINPUT2 for TW (boo#1173320) - Mozilla Firefox 78.0 * startup notifications now using Gtk instead of libnotify * PDF downloads now show an option to open the PDF directly in Firefox * Protections Dashboard (about:protections) * WebRTC not interrupted by screensaver anymore * disabled TLS 1.0 and 1.1 by default MFSA 2020-24 (bsc#1173576) * CVE-2020-12415 (bmo#1586630) AppCache manifest poisoning due to url encoded character processing * CVE-2020-12416 (bmo#1639734) Use-after-free in WebRTC VideoBroadcaster * CVE-2020-12417 (bmo#1640737) Memory corruption due to missing sign-extension for ValueTags on ARM64 * CVE-2020-12418 (bmo#1641303) Information disclosure due to manipulated URL object * CVE-2020-12419 (bmo#1643874) Use-after-free in nsGlobalWindowInner * CVE-2020-12420 (bmo#1643437) Use-After-Free when trying to connect to a STUN server * CVE-2020-12402 (bmo#1631597) RSA Key Generation vulnerable to side-channel attack * CVE-2020-12421 (bmo#1308251) Add-On updates did not respect the same certificate trust rules as software updates 818643 b73b03e0eb95c93ebccd4bd6f8d1b129 78.0.2 1594805561 dimstar_suse - Mozilla Firefox 78.0.2 * Fixed an accessibility regression in reader mode (bmo#1650922) * Made the address bar more resilient to data corruption in the user profile (bmo#1649981) * Fixed a regression opening certain external applications (bmo#1650162) MFSA 2020-28 * CVE pending (bmo#1644076) X-Frame-Options bypass using object or embed tags - added desktop file actions - do not use XINPUT2 for the moment until Plasma 5.19.3 has landed (boo#1173993) - rework langpack integration (boo#1173991) * ship XPIs instead of directories * allow addon sideloading * mark signatures for langpacks non-mandatory * do not autodisable user profile scopes - Google API key is not usable for geolocation service - fix pipewire support for TW (boo#1172903) 820688 7ad8edb7c2d97d1a3888732b3f77ed2a 78.0.2 1595339126 dimstar_suse - Add mozilla-libavcodec58_91.patch to link against updated soversion of libavcodec (58.91) with ffmpeg >= 4.3. (patch provided by Atri Bhattacharya <badshah400@gmail.com> - enable MOZ_USE_XINPUT2 for TW (again) (boo#1173320) (Plasma 5.19.3 is now in TW) 821616 6aecf0b70aea4be050d5563da694dfb8 79.0 1596095792 dimstar_suse - Mozilla Firefox 79.0 MFSA 2020-30 (bsc#1174538) * CVE-2020-15652 (bmo#1634872) Potential leak of redirect targets when loading scripts in a worker * CVE-2020-6514 (bmo#1642792) WebRTC data channel leaks internal address to peer * CVE-2020-15655 (bmo#1645204) Extension APIs could be used to bypass Same-Origin Policy * CVE-2020-15653 (bmo#1521542) Bypassing iframe sandbox when allowing popups * CVE-2020-6463 (bmo#1635293) Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture * CVE-2020-15656 (bmo#1647293) Type confusion for special arguments in IonMonkey * CVE-2020-15658 (bmo#1637745) Overriding file type when saving to disk * CVE-2020-15657 (bmo#1644954) DLL hijacking due to incorrect loading path * CVE-2020-15654 (bmo#1648333) Custom cursor can overlay user interface * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1638856, bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646220, bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678) Memory safety bugs fixed in Firefox 79 - updated dependency requirements: * mozilla-nspr >= 4.26 * mozilla-nss >= 3.54 * rust >= 1.43 * rust-cbindgen >= 0.14.3 - removed obsolete patch 823315 60fd6c4479055996606079fda4d10289 80.0 1599088116 dimstar_suse - Mozilla Firefox 80.0 MFSA 2020-36 (bsc#1175686) * CVE-2020-15663 (bmo#1643199) Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege * CVE-2020-15664 (bmo#1658214) Attacker-induced prompt for extension installation * CVE-2020-12401 (bmo#1631573) Timing-attack on ECDSA signature generation * CVE-2020-6829 (bmo#1631583) P-384 and P-521 vulnerable to an electro-magnetic side channel attack on signature generation * CVE-2020-12400 (bmo#1623116) P-384 and P-521 vulnerable to a side channel attack on modular inversion * CVE-2020-15665 (bmo#1651636) Address bar not reset when choosing to stay on a page after the beforeunload dialog is shown * CVE-2020-15666 (bmo#1450853) MediaError message property leaks cross-origin response status * CVE-2020-15667 (bmo#1653371) Heap overflow when processing an update file * CVE-2020-15668 (bmo#1651520) Data Race when reading certificate information * CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626, bmo#1656957) Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2 - requires * NSPR 4.27 829621 d6073d840d211e44cd4800793c36c393 81.0.1 1602155215 dimstar_suse - Mozilla Firefox 81.0.1 * https://www.mozilla.org/en-US/firefox/81.0.1/releasenotes/ - remove obsolete python2 build requires - Increase disk requirements in _constraints to match current needs - Mozilla Firefox 81.0 * https://www.mozilla.org/en-US/firefox/81.0/releasenotes MFSA 2020-42 (bsc#1176756) * CVE-2020-15675 (bmo#1654211) Use-After-Free in WebGL * CVE-2020-15677 (bmo#1641487) Download origin spoofing via redirect * CVE-2020-15676 (bmo#1646140) XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 (bmo#1660211) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 (bmo#1648493, bmo#1660800) Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3 * CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293) Memory safety bugs fixed in Firefox 81 - requires NSPR 4.28 NSS 3.56 - removed obsolete patches * mozilla-system-nspr.patch * mozilla-bmo1661715.patch 839098 9d31d7f45a04b94d8589ad1256a4f009 82.0 1603724870 dimstar_suse - Mozilla Firefox 82.0 * https://www.mozilla.org/en-US/firefox/82.0/releasenotes/ MFSA 2020-45 (bsc#1177872) * CVE-2020-15969 (bmo#1666570) Use-after-free in usersctp * CVE-2020-15254 (bmo#1668514) Undefined behavior in bounded channel of crossbeam rust crate * CVE-2020-15680 (bmo#1658881) Presence of external protocol handlers could be determined through image tags * CVE-2020-15681 (bmo#1666568) Multiple WASM threads may have overwritten each others' stub table entries * CVE-2020-15682 (bmo#1636654) The domain associated with the prompt to open an external protocol could be spoofed to display the incorrect origin * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760, bmo#1663439, bmo#1666140) Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4 * CVE-2020-15684 (bmo#1653764, bmo#1661402, bmo#1662259, bmo#1664257) Memory safety bugs fixed in Firefox 82 - requires * NSPR 4.29 * NSS 3.57 843274 063a44565a05888ba2c1a0f7ebe4b128 82.0.3 1605011953 dimstar_suse - Mozilla Firefox 82.0.3 MSFA 2020-49 * CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for - Mozilla Firefox 82.0.2 * few bugfixes for introduced regressions 847338 547a824e8a69ceb52861069ea78613d2 83.0 1606428580 dimstar_suse - Mozilla Firefox 83.0 * major update for SpiderMonkey improving performance significantly * optional HTTPS-Only mode * more improvements https://www.mozilla.org/en-US/firefox/83.0/releasenotes/ MFSA 2020-50 (bsc#1178824)) * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code * CVE-2020-26952 (bmo#1667685) Out of memory handling of JITed, inlined functions could lead to a memory corruption * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI * CVE-2020-26954 (bmo#1657026) Local spoofing of web manifests for arbitrary pages in Firefox for Android * CVE-2020-26955 (bmo#1663261) Cookies set during file downloads are shared between normal and Private Browsing Mode in Firefox for Android * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API) * CVE-2020-26957 (bmo#1667179) OneCRL was not working in Firefox for Android * CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions 849574 be2618d97b980735cc05e3e6dc341dfe 84.0 1608835219 dimstar_suse - Mozilla Firefox 84.0 * Firefox 84 is the final release to support Adobe Flash * WebRender is enabled by default when run on GNOME-based X11 Linux desktops MFSA 2020-54 (bsc#1180039)) * CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed * CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL * CVE-2020-26972 (bmo#1671382) Use-After-Free in WebGL * CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization * CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free * CVE-2020-26975 (bmo#1661071) Malicious applications on Android could have induced Firefox for Android into sending arbitrary attacker-specified headers * CVE-2020-26976 (bmo#1674343) HTTPS pages could have been intercepted by a registered service worker when they should not have been * CVE-2020-26977 (bmo#1676311) URL spoofing via unresponsive port in Firefox for Android * CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage * CVE-2020-26979 (bmo#1641287, bmo#1673299) When entering an address in the address or search bars, a 856849 d59adf2566fb1b513bf31841605ca899 84.0.1 1609783603 dimstar_suse - Mozilla Firefox 84.0.1 * Fixed problems loading secure websites and crashes for users with certain third-party PKCS11 modules and smartcards installed (bmo#1682881) (fixed in NSS 3.59.1) * Fixed a bug causing some Unity JS games to not load on Apple Silicon devices due to improper detection of the OS version (bmo#1680516) - requires NSS 3.59.1 859835 15810ee58d5e57381f4136cd31f7b501 84.0.2 1610381296 dimstar_suse 861466 a69b6e9f3a8f8bc0776b59dafe610eb2 84.0.2 1610633033 dimstar_suse 862423 dad91b383dc0b74266f7d56d452f66b6 85.0 1611928531 dimstar_suse - Mozilla Firefox 85.0 * Adobe Flash is completely history * supercookie protection * new bookmark handling and features MFSA 2021-03 (bsc#1181414) * CVE-2021-23953 (bmo#1683940) Cross-origin information leakage via redirected PDF requests * CVE-2021-23954 (bmo#1684020) Type confusion when using logical assignment operators in JavaScript switch statements * CVE-2021-23955 (bmo#1684837) Clickjacking across tabs through misusing requestPointerLock * CVE-2021-23956 (bmo#1338637) File picker dialog could have been used to disclose a complete directory * CVE-2021-23957 (bmo#1584582) Iframe sandbox could have been bypassed on Android via the intent URL scheme * CVE-2021-23958 (bmo#1642747) Screen sharing permission leaked across tabs * CVE-2021-23959 (bmo#1659035) Cross-Site Scripting in error pages on Firefox for Android * CVE-2021-23960 (bmo#1675755) Use-after-poison for incorrectly redeclared JavaScript variables during GC * CVE-2021-23961 (bmo#1677940) More internal network hosts could have been probed by a malicious webpage * CVE-2021-23962 (bmo#1677194) Use-after-poison in 867008 2077d1f09d0e5a5b6557783ca291b7ff 85.0.1 1613427049 dimstar_suse 870519 85b5d8eeac8e3f5f36ca476dc2a50c83 85.0.2 1614002292 RBrownSUSE 873231 020e00dda87b88e2b888f05a90ddd770 86.0 1614684441 RBrownSUSE - Mozilla Firefox 86.0 * requires NSS >= 3.61 * requires rust-cbindgen >= 0.16.0 * Firefox now supports simultaneously watching multiple videos in Picture-in-Picture. * Total Cookie Protection to Strict Mode * https://www.mozilla.org/en-US/firefox/86.0/releasenotes MSFA 2021-07 (bsc#1182614) * CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23970 (bmo#1681724) Multithreaded WASM triggered assertions validating separation of script domains * CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23974 (bmo#1528997, bmo#1683627) noscript elements could have led to an HTML Sanitizer bypass * CVE-2021-23971 (bmo#1678545) A website's Referrer-Policy could have been be overridden, potentially resulting in the full URL being sent as a Referrer * CVE-2021-23976 (bmo#1684627) Local spoofing of web manifests for arbitrary pages in Firefox for Android * CVE-2021-23977 (bmo#1684761) Malicious application could read sensitive data from Firefox for Android's application directories * CVE-2021-23972 (bmo#1683536) HTTP Auth phishing warning was omitted when a redirect is 874847 e24778024708d2a09c74e15c0e7beff6 86.0.1 1615905718 RBrownSUSE 878728 7755bb1e0a0f1ac1c6cfe182fcacefe6 87.0 1617722963 RBrownSUSE - Switch to clang_build globally; just on TW/x86_64 it does not work due to unreolved externals `__rust_probestack' - disable clang_build then. - useccache: Add conditionals to enable/disable ccache. - Mozilla Firefox 87.0 * requires NSS 3.62 * removed obsolete BigEndian ICU build workaround * rebased patches MFSA 2021-10 (bsc#1183942) * CVE-2021-23981 (bmo#1692832) Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982 (bmo#1677046) Internal network hosts could have been probed by a malicious webpage * CVE-2021-23983 (bmo#1692684) Transitions for invalid ::marker properties resulted in memory corruption * CVE-2021-23984 (bmo#1693664) Malicious extensions could have spoofed popup information * CVE-2021-23985 (bmo#1659129) Devtools remote debugging feature could have been enabled without indication to the user * CVE-2021-23986 (bmo#1692623) A malicious extension could have performed credential-less same origin policy violations * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718) Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 881766 d69b9c21477c9d30410700d0fcc1701f 88.0 1619192987 dimstar_suse - Mozilla Firefox 88.0 * New: PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features * New: Print updates: Margin units are now localized * New: Smooth pinch-zooming using a touchpad is now supported on Linux * New: To protect against cross-site privacy leaks, Firefox now isolates window.name data to the website that created it. Learn more * Changed: Firefox will not prompt for access to your microphone or camera if you’ve already granted access to the same device on the same site in the same tab within the past 50 seconds. This new grace period reduces the number of times you’re prompted to grant device access * Changed: The ‘Take a Screenshot’ feature was removed from the Page Actions menu in the url bar. To take a screenshot, right-click to open the context menu. You can also add a screenshots shortcut directly to your toolbar via the Customize menu. Open the Firefox menu and select Customize… * Changed: FTP support has been disabled, and its full removal is planned for an upcoming release. Addressing this security risk reduces the likelihood of an attack while also removing support for a non-encrypted protocol * Developer: Introduced a new toggle button in the Network panel for switching between JSON formatted HTTP response and raw data (as received over the wire). !enter image description here * Enterprise: Various bug fixes and new policies have been implemented in the latest version of Firefox. You can see 886904 fff6cae65039a4b3badf2e86e25ed9a7 88.0 1620239946 dimstar_suse - add compatibility for libavcodec58_134 889851 40f7922ca2947ca26a1ec7a47b632fd1 88.0.1 1620504419 dimstar_suse 890833 2b25d741e2e8f6afbeef5d810961c031 88.0.1 1621113358 dimstar_suse Automatic submission by obs-autosubmit 892688 0bffdc8eef2355ee82c122d73a3409c7 89.0 1623443398 dimstar_suse - Mozilla Firefox 89.0 * UI redesign * The Event Timing API is now supported * The CSS forced-colors media query is now supported MFSA 2021-23 (bsc#1186696) * CVE-2021-29965 (bmo#1709257) Password Manager on Firefox for Android susceptible to domain spoofing * CVE-2021-29960 (bmo#1675965) Filenames printed from private browsing mode incorrectly retained in preferences * CVE-2021-29961 (bmo#1700235) Firefox UI spoof using `<select>` elements and CSS scaling * CVE-2021-29963 (bmo#1705068) Shared cookies for search suggestions in private browsing mode * CVE-2021-29964 (bmo#1706501) Out of bounds-read when parsing a `WM_COPYDATA` message * CVE-2021-29959 (bmo#1395819) Devices could be re-enabled without additional permission prompt * CVE-2021-29962 (bmo#1701673) No rate-limiting for popups on Firefox for Android * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, bmo#1704722, bmo#1706041) Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 * CVE-2021-29966 (bmo#1660307, bmo#1686154, bmo#1702948, bmo#1708124) Memory safety bugs fixed in Firefox 89 - require NSS >= 3.64 rust-cbindgen >= 0.19.0 - do not rely on nodejs10 packagename anymore 897726 a073668dce892d9a9b5b181ea20d1ded 89.0.2 1624626072 dimstar_suse - Mozilla Firefox 89.0.2 (boo#1187648): * Fix occasional hangs with Software WebRender on Linux (bmo#1708224) - Mozilla Firefox 89.0.1 (boo#1187475): * Updated translations, including full Spanish (Mexico) localization and other improvements (bmo#1714946) * Fix various font related regressions (bmo#1694174) * Linux: Fix performance and stability regressions with WebRender (bmo#1715895, bmo#1715902) * Enterprise: Fix for the `DisableDeveloperTools` policy not having effect anymore (bmo#1715777) * Linux: Fix broken scrollbars on some GTK themes (bmo#1714103) * Various stability fixes 901588 7cb4ad6b87a9f16416cffe9a05bfa95b 90.0 1626557788 dimstar_suse - Mozilla Firefox 90.0 MFSA 2021-28 (bsc#1188275) * CVE-2021-29970 (bmo#1709976) Use-after-free in accessibility features of a document * CVE-2021-29971 (bmo#1713638) Granted permissions only compared host; omitting scheme and port on Android * CVE-2021-30547 (bmo#1715766) Out of bounds write in ANGLE * CVE-2021-29972 (bmo#1696816) Use of out-of-date library included use-after-free vulnerability * CVE-2021-29973 (bmo#1701932) Password autofill on HTTP websites was enabled without user interaction on Android * CVE-2021-29974 (bmo#1704843) HSTS errors could be overridden when network partitioning was enabled * CVE-2021-29975 (bmo#1713259) Text message could be overlaid on top of another website * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, bmo#1711576, bmo#1714391) Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 * CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316, bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357, bmo#1714066) Memory safety bugs fixed in Firefox 90 - requires NSPR 4.31 NSS 3.66 906586 5487b1e60a9b9ee60e4d6d46df6da3bd 90.0.1 1626986554 dimstar_suse - Mozilla Firefox 90.0.1 (boo#1188480): * Fixed: Fixed busy looping processing some HTTP3 responses (bmo#1720079) * Fixed: Fixed transient errors authenticating with some smart cards (bmo#1715325) * Fixed: Fixed a rare crash on shutdown (bmo#1707057) * Fixed: Fixed a race on startup that caused about:support to end up empty after upgrade (bmo#1717894, boo#1188330) 907201 b133976b0084847a5edb73a185168071 90.0.2 1627587054 dimstar_suse 908075 8b1bca36fe6da87b00dc04aa95affbb0 91.0.1 1629360042 RBrownSUSE superseding the 91.0 version as another security and hotfix release - Mozilla Firefox 91.0.1 * Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bmo#1704404) * Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to-tab results in the address bar panel (bmo#1720369) * Various stability fixes MFSA 2021-37 (bsc#1189547) * CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses - Mozilla Firefox 91.0 MFSA 2021-33 (bsc#1188891) * CVE-2021-29986 (bmo#1696138) Race condition when resolving DNS names could have led to memory corruption * CVE-2021-29981 (bmo#1707774) Live range splitting could have led to conflicting assignments in the JIT * CVE-2021-29988 (bmo#1717922) Memory corruption as a result of incorrect style treatment * CVE-2021-29983 (bmo#1719088) Firefox for Android could get stuck in fullscreen mode * CVE-2021-29984 (bmo#1720031) Incorrect instruction reordering during JIT optimization * CVE-2021-29980 (bmo#1722204) Uninitialized memory in a canvas object could have led to memory corruption * CVE-2021-29987 (bmo#1716129) Users could have been tricked into accepting unwanted 912837 ca4176993c3ce67fbc4e8f6c81a264b8 91.0.2 1630697143 dimstar_suse 914799 aa83d5a04b3a316504dc0bfc4411acf9 92.0 1631543051 dimstar_suse - Mozilla Firefox 92.0 * More secure connections: Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers * Full-range color levels are now supported for video playback on many systems MFSA 2021-38 (bsc#1190269) * CVE-2021-29993 (bmo#1708544, bmo#1708767, bmo#1712240, bmo#1712242, bmo#1729259) Handling custom intents could lead to crashes and UI spoofs * CVE-2021-38491 (bmo#1551886) Mixed-Content-Blocking was unable to check opaque origins * CVE-2021-38492 (bmo#1721107) Navigating to `mk:` URL scheme could load Internet Explorer * CVE-2021-38493 (bmo#1723391, bmo#1724101, bmo#1724107) Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and Firefox ESR 91.1 * CVE-2021-38494 (bmo#1723920, bmo#1725638) Memory safety bugs fixed in Firefox 92 - updated appdata - remove mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch (does not apply anymore; unclear if obsolete) - bring back mozilla-silence-no-return-type.patch and run post-build-checks everywhere again - requires NSS 3.69.1 - Add mozilla-bmo1708709.patch: On [wayland] popup can be wrongly repositioned due to rounding errors when font scaling != 1 (bmo#1708709); patch taken from upstream bug report and rebased to apply cleanly against current version. 917452 1902d1d617195c3be29e556f837df4cf 92.0.1 1633038192 dimstar_suse 921893 c98e4d7884248148ae21e27774ab894b 93.0 1634068091 dimstar_suse - Mozilla Firefox 93.0 * supports the new AVIF image format * PDF viewer now supports filling more forms (XFA-based forms) * now blocks downloads that rely on insecure connections, protecting against potentially malicious or unsafe downloads * Improved web compatibility for privacy protections with SmartBlock 3.0 * Introducing a new referrer tracking protection in Strict Tracking Protection and Private Browsing * TLS ciphersuites that use 3DES have been disabled. Such ciphersuites can only be enabled when deprecated versions of TLS are also enabled * The download panel now follows the Firefox visual styles MFSA 2021-43 (bsc#1191332) * CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask * CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin * CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object * CVE-2021-32810 (bmo#1729813) https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque * CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 * CVE-2021-38499 (bmo#1667102, bmo#1723170, bmo#1725356, bmo#1727364) Memory safety bugs fixed in Firefox 93 - removed obsolete mozilla-bmo1708709.patch 923417 120ed38580b68b4d32ab3b0161f46cac 93.0 1634754230 dimstar_suse 926026 19a3468b582b53e1b2cdd668dc27a0e5 93.0 1635539588 dimstar_suse - Drop unused pkgconfig(gdk-x11-2.0) BuildRequires - (re-)enable LTO on Tumbleweed - Rebase mozilla-sandbox-fips.patch to punch another hole in the sandbox containment, to be able to open /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. This fixes bsc#1191815 and bsc#1190141 - Add patch to fix build on aarch64 (bmo#1729124) 927811 e38a1464ce3bd3a2dd6121fe625bf0a2 94.0.1 1636388648 dimstar_suse 929844 3240104e35d0310b4a8b3d385aae6531 94.0.2 1637970635 dimstar_suse 933355 9ddb587c0356f4650ca8760ef9da499b 95.0 1639266969 dimstar_suse - Mozilla Firefox 95.0 * You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side. * To better protect Firefox users against side-channel attacks such as Spectre, Site Isolation is now enabled for all Firefox 95 users. * https://www.mozilla.org/en-US/firefox/95.0/releasenotes MFSA 2021-52 (bsc#1193485) * CVE-2021-43536 (bmo#1730120) URL leakage when navigating while executing asynchronous function * CVE-2021-43537 (bmo#1738237) Heap buffer overflow when using structured clone * CVE-2021-43538 (bmo#1739091) Missing fullscreen and pointer lock notification when requesting both * CVE-2021-43539 (bmo#1739683) GC rooting failure when calling wasm instance methods * MOZ-2021-0010 (bmo#1735852) Use-after-free in fullscreen objects on MacOS * CVE-2021-43540 (bmo#1636629) WebExtensions could have installed persistent ServiceWorkers * CVE-2021-43541 (bmo#1696685) External protocol handler parameters were unescaped * CVE-2021-43542 (bmo#1723281) XMLHttpRequest error codes could have leaked the existence of an external protocol handler * CVE-2021-43543 (bmo#1738418) Bypass of CSP sandbox directive when embedding * CVE-2021-43544 (bmo#1739934) 936364 05d8c797e020c82f081d454050d4372f 95.0.1 1639855765 dimstar_suse - Mozilla Firefox 95.0.1 (bsc#1193845) * Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains (bmo#1745600) * Fix for a WebRender crash on some Linux/X11 systems (bmo#1741956) * Fix for a frequent Windows shutdown crash (bmo#1738984) * Fix websites contrast issues for some Linux users with Dark mode set at OS level (bmo#1740518) 941230 3d96da4406dbfde33084adcfb09f50a8 95.0.2 1640876128 dimstar_suse - Add upstream patches: * mozilla-bmo1745560.patch: Fix build against wayland 1.20. * mozilla-bmo1744896.patch: Create WaylandVsyncSource on window creation - Mozilla Firefox 95.0.2 * Addresses frequent crashes experienced by users with C/E/Z-Series "Bobcat" CPUs running on Windows 7, 8, and 8.1. - updated constraints for ppc and x86-64 943041 9b873ca6b300ac4c49380c963bfd8016 96.0 1642029734 dimstar_suse - Mozilla Firefox 96.0 * https://www.mozilla.org/en-US/firefox/96.0/releasenotes MFSA 2022-01 (bsc#1194547) * CVE-2022-22746 (bmo#1735071) Calling into reportValidity could have lead to fullscreen window spoof * CVE-2022-22743 (bmo#1739220) Browser window spoof using fullscreen mode * CVE-2022-22742 (bmo#1739923) Out-of-bounds memory access when inserting text in edit mode * CVE-2022-22741 (bmo#1740389) Browser window spoof using fullscreen mode * CVE-2022-22740 (bmo#1742334) Use-after-free of ChannelEventQueue::mOwner * CVE-2022-22738 (bmo#1742382) Heap-buffer-overflow in blendGaussianBlur * CVE-2022-22737 (bmo#1745874) Race condition when playing audio files * CVE-2021-4140 (bmo#1746720) Iframe sandbox bypass with XSLT * CVE-2022-22750 (bmo#1566608) IPC passing of resource handles could have lead to sandbox bypass * CVE-2022-22749 (bmo#1705094) Lack of URL restrictions when scanning QR codes * CVE-2022-22748 (bmo#1705211) Spoofed origin on external protocol launch dialog * CVE-2022-22745 (bmo#1735856) Leaking cross-origin URLs through securitypolicyviolation event 945699 33f4d0f34fb0a0c668aa6dc6f0f31006 96.0.1 1642279512 dimstar_suse 946473 014bd43635b3f8eec79a1dedb590ba5f 96.0.2 1642936508 dimstar_suse 947863 4f34e7dc1bc0ae1060954cf837b5bf7e 96.0.2 1643228790 dimstar_suse 948332 b4d5910cbeb396b38dacf6ac1740e90d 96.0.3 1643720552 dimstar_suse - Mozilla Firefox 96.0.3 (bsc#1195230) * Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry (bmo#1752317) 949716 22e540058222eb8cc377be66c2657496 97.0 1644531096 dimstar_suse - Mozilla Firefox 97.0 MFSA 2022-04 (bsc#1195682) * CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows via Maintenance Service * CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission confirmation during update * CVE-2022-22755 (bmo#1309630) XSL could have allowed JavaScript execution after a tab was closed * CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have resulted in the dropped object being an executable * CVE-2022-22757 (bmo#1720098) Remote Agent did not prevent local websites from connecting * CVE-2022-22758 (bmo#1728742) tel: links could have sent USSD codes to the dialer on Firefox for Android * CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed script if the parent appended elements * CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could be distinguished between script and non-script content-types * CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy directive was not enforced for framed extension pages * CVE-2022-22762 (bmo#1743931) JavaScript Dialogs could have been displayed over other domains on Firefox for Android * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, bmo#1748210, bmo#1748279) 952887 f1bf91acd730d61049a4b2b3439383b7 97.0.1 1645461957 dimstar_suse 955949 80948a7b7c1f375dee695487e9bbe1c2 98.0 1647199457 dimstar_suse - Mozilla Firefox 98.0 * Firefox has a new optimized download flow * other changes as documented here https://www.mozilla.org/en-US/firefox/98.0/releasenotes MFSA 2022-10 (bsc#1196900) * CVE-2022-26383 (bmo#1742421) Browser window spoof using fullscreen mode * CVE-2022-26384 (bmo#1744352) iframe allow-scripts sandbox bypass * CVE-2022-26387 (bmo#1752979) Time-of-check time-of-use bug when verifying add-on signatures * CVE-2022-26381 (bmo#1736243) Use-after-free in text reflows * CVE-2022-26382 (bmo#1741888) Autofill Text could be exfiltrated via side-channel attacks * CVE-2022-26385 (bmo#1747526) Use-after-free in thread shutdown * CVE-2022-0843 (bmo#1746523, bmo#1749062, bmo#1749164, bmo#1749214, bmo#1749610, bmo#1750032, bmo#1752100, bmo#1752405, bmo#1753612, bmo#1754508) Memory safety bugs fixed in Firefox 98 - requires NSS 3.75 - add mozilla-bmo1756347.patch to fix i586 build - Remove bashisms ("source" and "function" keywords) from mozilla.sh.in to ally with the #!/bin/sh shebang. If the end user has either dash-sh package or busybox-sh to handle Bourn Shell scripts rather than having bash-sh package, the script would fail. Using "." instead of "source" and "create_langpack_link()" function definition is enough to keep both sides sane, 960656 55dac1236c436d9b4295948a0f466f4c 98.0.2 1648479585 dimstar_suse - MozillaFirefox 98.0.2: * Fixed: Fixed an issue preventing users from typing in Address Bar after opening new tab and pressing cmd + enter (bmo#1757376) * Fixed: Fixed an issue causing some users to crash in out-of- memory conditions (bmo#1757618) * Fixed: Fixed an issue in session history which caused some sites to fail to load (bmo#1758664) * Fixed: Fixed an add-on specific compatibility issue (bmo#1759162) - Change mozilla-kde.patch to follow the GNOME registry behavior for new MIME types to avoid opening downloaded files without any inquiries (bsc#1197319) - Add patch to fix start-up on aarch64: * mozilla-bmo1757571.patch - exclude slow cpus for building - Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer, faster buildhosts, as the others struggle to build FF. - Mozilla Firefox 98.0.1: * Yandex and Mail.ru have been removed as optional search providers in the drop-down search menu in Firefox 964778 678f14baf26382eb7d4ca88bdf0647f8 99.0 1649370413 dimstar_suse - Mozilla Firefox 99.0 * You can now toggle Narrate in ReaderMode with the keyboard shortcut "n." * You can find added support for search—with or without diacritics—in the PDF viewer. * The Linux sandbox has been strengthened: processes exposed to web content no longer have access to the X Window system (X11). * Firefox now supports credit card autofill and capture in Germany and France. MFSA 2022-13 (bsc#1197903) * CVE-2022-1097 (bmo#1745667) Use-after-free in NSSToken objects * CVE-2022-28281 (bmo#1755621) Out of bounds write due to unexpected WebAuthN Extensions * CVE-2022-28282 (bmo#1751609) Use-after-free in DocumentL10n::TranslateDocument * CVE-2022-28283 (bmo#1754066) Missing security checks for fetching sourceMapURL * CVE-2022-28284 (bmo#1754522) Script could be executed via svg's use element * CVE-2022-28285 (bmo#1756957) Incorrect AliasSet used in JIT Codegen * CVE-2022-28286 (bmo#1735265) iframe contents could be rendered outside the border * CVE-2022-28287 (bmo#1741515) Text Selection could crash Firefox * CVE-2022-24713 (bmo#1758509) Denial of Service via complex regular expressions * CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508, bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776) 967154 1d4097d4c87282e3a324f580a41dfcbd 99.0.1 1650060806 dimstar_suse 969574 352539f1392e3e4f7fc822b685df5507 100.0 1651856310 dimstar_suse - Mozilla Firefox 100.0 * subtitle support in PiP * spell checking supports multiple languages in parallel * more details here https://www.mozilla.org/en-US/firefox/100.0/releasenotes MFSA 2022-16 (boo#1198970) * CVE-2022-29914 (bmo#1746448) Fullscreen notification bypass using popups * CVE-2022-29909 (bmo#1755081) Bypassing permission prompt in nested browsing contexts * CVE-2022-29916 (bmo#1760674) Leaking browser history with CSS variables * CVE-2022-29911 (bmo#1761981) iframe Sandbox bypass * CVE-2022-29912 (bmo#1692655) Reader mode bypassed SameSite cookies * CVE-2022-29910 (bmo#1757138) Firefox for Android forgot HTTP Strict Transport Security settings * CVE-2022-29915 (bmo#1751678) Leaking cross-origin redirect through the Performance API * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, bmo#1762614, bmo#1762620, bmo#1764778) Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9 * CVE-2022-29918 (bmo#1744043, bmo#1747178, bmo#1753535, bmo#1754017, bmo#1755847, bmo#1756172, bmo#1757477, bmo#1758223, bmo#1760160, bmo#1761481, bmo#1761771) Memory safety bugs fixed in Firefox 100 - requires NSS 3.77 974815 ef1cc4a8ff48fc27d942f8f9afb9ac49 100.0.2 1653152745 dimstar_suse - Mozilla Firefox 100.0.2 MFSA 2022-19 (bsc#1199768) * CVE-2022-1802 (bmo#1770137) Prototype pollution in Top-Level Await implementation * CVE-2022-1529 (bmo#1770048) Untrusted input used in JavaScript object indexing, leading to prototype pollution - Mozilla Firefox 100.0.1: * Fixed: Fixed an issue with subtitles in Picture-in-Picture mode while using Netflix (bmo#1768818) * Fixed: Fixed an issue where some commands were unavailable in the Picture-in-Picture window (bmo#1768201) 978314 95e53dab11d29717f2f99789843c0d5f 101.0 1654199625 dimstar_suse - Mozilla Firefox 101.0 * Reading is now easier with the prefers-contrast media query, which allows sites to detect if the user has requested that web content is presented with a higher (or lower) contrast * All non-configured MIME types can now be assigned a custom action upon download completion * allows users to use as many microphones as you want, at the same time, during video conferencing. The most exciting benefit is that you can easily switch your microphones at any time (if your conferencing service provider enables this flexibility) MFSA 2022-20 (bsc#1200027) * CVE-2022-31736 (bmo#1735923) Cross-Origin resource's length leaked * CVE-2022-31737 (bmo#1743767) Heap buffer overflow in WebGL * CVE-2022-31738 (bmo#1756388) Browser window spoof using fullscreen mode * CVE-2022-31739 (bmo#1765049) Attacker-influenced path traversal when saving downloaded files * CVE-2022-31740 (bmo#1766806) Register allocation problem in WASM on arm64 * CVE-2022-31741 (bmo#1767590) Uninitialized variable leads to invalid memory read * CVE-2022-31742 (bmo#1730434) Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information * CVE-2022-31743 (bmo#1747388) HTML Parsing incorrectly ended HTML comments prematurely * CVE-2022-31744 (bmo#1757604) CSP bypass enabling stylesheet injection 980191 8ad252e51bb48d7f781d2ba9320ee855 101.0.1 1655493598 dimstar_suse 982081 fb1f576786484f3d6ce5508efe520391 102.0.1 1657559277 dimstar_suse - Firefox 102.0.1: * Fixed: Fixed bookmarks sidebar flashing white when opened in dark mode (bmo#1776157) * Fixed: Fixed multilingual spell checking not working with content in both English and a non-Latin alphabet (bmo#1773802) * Fixed: Developer tools: Fixed an issue where the console output keep getting scrolled to the bottom when the last visible message is an evaluation result (bmo#1776262) * Fixed: Fixed *Delete cookies and site data when Firefox is closed* checkbox getting disabled on startup (bmo#1777419) * Fixed: Various stability fixes - Firefox 102.0 * You can now disable automatic opening of the download panel every time a new download starts * Firefox now mitigates query parameter tracking when navigating sites in ETP strict mode * Improved security by moving audio decoding into a separate process with stricter sandboxing, thus improving process isolation * https://www.mozilla.org/en-US/firefox/102.0/releasenotes MFSA 2022-24 (bsc#1200793) * CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way to overlay the address bar with web content * CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory * CVE-2022-34468 (bmo#1768537) CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI 988096 8bc1d100b49fb50ad74f152795483baf 103.0.1 1659554149 dimstar_suse - Mozilla Firefox 103.0.1 * Enabled hardware acceleration on newer AMD cards. * Fixed a crash on Firefox shutdown caused by a bug in the audio manager - Mozilla Firefox 103.0 https://www.mozilla.org/en-US/firefox/103.0/releasenotes MFSA 2022-28 (bsc#1201758) * CVE-2022-36319 (bmo#1737722) Mouse Position spoofing with CSS transforms * CVE-2022-36317 (bmo#1759951) Long URL would hang Firefox for Android * CVE-2022-36318 (bmo#1771774) Directory indexes for bundled resources reflected URL parameters * CVE-2022-36314 (bmo#1773894) Opening local <code>.lnk</code> files could cause unexpected network loads * CVE-2022-36315 (bmo#1762520) Preload Cache Bypasses Subresource Integrity * CVE-2022-36316 (bmo#1768583) Performance API leaked whether a cross-site resource is redirecting * CVE-2022-36320 (bmo#1759794, bmo#1760998) Memory safety bugs fixed in Firefox 103 * CVE-2022-2505 (bmo#1769739, bmo#1772824) Memory safety bugs fixed in Firefox 103 and 102.1 - requires NSS >= 3.80 rust = 1.61 992040 50aa3c0366007db7937e36e3e33a6c40 103.0.2 1660235486 dimstar_suse - Mozilla Firefox 103.0.2 * Fixed menu shortcuts for users of the JAWS screen reader * Fixed an occasional non-overridable certificate error when accessing device configuration pages - The --disable-elf-hack option only exists on ARM and X86 994312 a910dd98c3b3c1d1e31a1a9535e03f26 103.0.2 1660586178 dimstar_suse - added mozilla-glibc236.patch (bmo#1782988, boo#1202323) 994938 e992c44017521dcbc354d157ac940e58 104.0 1661593672 dimstar_suse - Mozilla Firefox 104.0 * https://www.mozilla.org/en-US/firefox/104.0/releasenotes MFSA 2022-33 (bsc#1202645) * CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error handling * CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have inherited the parent's permissions * CVE-2022-38474 (bmo#1719511) Recording notification not shown when microphone was recording on Android * CVE-2022-38475 (bmo#1773266) Attacker could write a value to a zero-length array * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2 * CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13 - requires NSPR 4.34.1 NSS 3.81 rust 1.62 999342 632e5325d445e7aa16bab5f2daf5ba3b 104.0.2 1662639681 dimstar_suse - Mozilla Firefox 104.0.2 (boo#1203177) https://www.mozilla.org/en-US/firefox/104.0.2/releasenotes/ * Fixed a bug making it impossible to use touch or a stylus to drag the scrollbar on pages (bmo#1787361) * Fixed an issue causing some users to crash in out-of-memory conditions (bmo#1774155) * Fixed an issue that would sometimes affect video & audio playback when loaded via a cross-origin iframe src attribute (bmo#1781759) * Fixed an issue that would sometimes affect video & audio playback when served with Content-Security-Policy: sandbox (bmo#1781063) - Mozilla Firefox 104.0.1 * Addresses an issue with Youtube video playback that was affecting some users (boo#1203003) 1001583 15dcfa7223d9d11bffa31a253d45b848 104.0.2 1662833811 dimstar_suse 1002272 b46b1b1a7f0975c77c7b1674e65f8253 105.0.3 1665591775 dimstar_suse - Mozilla Firefox 105.0.3: * Fixes for other platforms - Mozilla Firefox 105.0.2: * Fixed poor contrast on various menu items with certain themes on Linux systems (bmo#1792063) * Fixed the scrollbar appearing on the wrong side of `select` elements in right-to-left locales (bmo#1791219) * Fixed a possible deadlock when loading some sites in Troubleshoot Mode (bmo#1786259) * Fixed a bug causing some dynamic appearance changes to not appear when expected (bmo#1786521) * Fixed a bug causing theme styling to not be properly applied to sidebars for some add-ons in Private Browsing Mode (bmo#1787543) - Mozilla Firefox 105.0.1 * Reverted focus behavior for new windows back to the content area instead of the address bar (bmo#1784692) - added mozilla-i686-build.patch to avoid using avx2 - Mozilla Firefox 105.0 https://www.mozilla.org/en-US/firefox/105.0/releasenotes MFSA 2022-40 (bsc#1203477) * CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on transient pages * CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in threads * CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for cookies with __Host 1009258 60155f7fd978fa6eff3e5874d7159109 106.0 1666440723 dimstar_suse i686 and aarch64 should be fixed. No idea for ppc64le - Mozilla Firefox 106.0 * support editing of PDFs * introduced Firefox View * major WebRTC update - Better screen sharing for Windows and Linux Wayland users - RTP performance and reliability improvements - Richer statistics - Cross-browser and service compatibility improvements * detailed releasenotes https://www.mozilla.org/en-US/firefox/106.0/releasenotes MFSA 2022-44 (bsc#1204421) * CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs * CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine * CVE-2022-42929 (bmo#1789439) Denial of Service via window.print * CVE-2022-42930 (bmo#1789503) Race condition in DOM Workers * CVE-2022-42931 (bmo#1780571) Username saved to a plaintext file on disk * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Firefox - added -msse2 flag to fix i386 build and workaround bmo#1795993 - fixed used buildflags - renamed mozilla-i686-build.patch to mozilla-buildfixes.patch as it was extended with changes for other archs 1030290 1e394c238be9ddfea1076dcd8f147ff9 106.0.1 1666535565 dimstar_suse - Mozilla Firefox 106.0.1 * Addresses a crash experienced by users with AMD Zen 1 CPUs (bmo#1796126) 1030584 e9da95c71a62d767741d53e4a929e1bd 106.0.2 1666978172 dimstar_suse - Mozilla Firefox 106.0.2 * Fix missing content on some PDF forms (bmo#1794351) * Fix column width for the Notification sub-panel in Settings (bmo#1793558) * Fix a browser freeze with accessibility enabled on some sites such as the Proxmox Web UI (bmo#1793748) * Fix page reloading not working with Firefox View and not refreshing synced data (bmo#1792680, bmo#1794474) 1031637 09edcc480fde40ff6968a62fd1dc4920 106.0.3 1667499196 dimstar_suse - Mozilla Firefox 106.0.3 * Fixes for other platforms 1032848 8ce8d54aec0bf870cc037a0037fed80e 106.0.5 1667734897 dimstar_suse 1033697 76d5fc097e88a12039f20b333ad334b9 107.0 1668702232 dimstar_suse - Mozilla Firefox 107.0 MFSA 2022-47 (bsc#1205270) * CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files * CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass * CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation * CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm * CVE-2022-45407 (bmo#1793314) Loading fonts on workers was not thread-safe * CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName * CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection * CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy * CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers * CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers * CVE-2022-45413 (bmo#1791201) SameSite=Strict cookies could have been sent cross-site via intent URLs * CVE-2022-40674 (bmo#1791598) Use-after-free vulnerability in expat * CVE-2022-45415 (bmo#1793551) Downloaded file may have been saved with malicious extension * CVE-2022-45416 (bmo#1793676) 1036230 1c4e35681e847e385bf1cd3c5b7a1011 107.0.1 1669983145 dimstar_suse 1039406 769a67be6b1793ba726bc8041d2a4d61 108.0.1 1671635148 dimstar_suse - Mozilla Firefox 108.0.1 (boo#1206507) * Fixes the default search engine being reset on upgrade for profiles which were previously copied from a different location - Mozilla Firefox 108.0 https://www.mozilla.org/en-US/firefox/108.0/releasenotes/ MFSA 2022-51 (bsc#1206242) * CVE-2022-46871 (bmo#1795697) libusrsctp library out of date * CVE-2022-46872 (bmo#1799156) Arbitrary file read from a compromised content process * CVE-2022-46873 (bmo#1644790) Firefox did not implement the CSP directive unsafe-hashes * CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions * CVE-2022-46875 (bmo#1786188) Download Protections were bypassed by .atloc and .ftploc files on Mac OS * CVE-2022-46877 (bmo#1795139) Fullscreen notification bypass * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, bmo#1801102, bmo#1801315, bmo#1802395) Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 * CVE-2022-46879 (bmo#1736224, bmo#1793407, bmo#1794249, bmo#1795845, bmo#1797682, bmo#1797720, bmo#1798494, bmo#1799479) Memory safety bugs fixed in Firefox 108 - requires NSS >= 3.85 rustc/cargo 1.65 1043934 a40e188372945f2cb50142d26bd35634 108.0.1 1671787248 dimstar_suse - add mozilla-bmo1805809.patch to fix build for x86-32 (boo#1206600) 1044163 a7f37f7e1a6ec0283b117314ab94b06c 108.0.2 1673108167 dimstar_suse 1056394 888d816f58f9ff7b22876c9e7f14b164 109.0 1674232591 dimstar_suse - Mozilla Firefox 109.0 MFSA 2023-01 (bsc#1207119) * CVE-2023-23597 (bmo#1538028) Logic bug in process allocation allowed to read arbitrary files * CVE-2023-23598 (bmo#1800425) Arbitrary file read from GTK drag and drop on Linux * CVE-2023-23599 (bmo#1777800) Malicious command could be hidden in devtools output on Windows * CVE-2023-23600 (bmo#1787034) Notification permissions persisted between Normal and Private Browsing on Android * CVE-2023-23601 (bmo#1794268) URL being dragged from cross-origin iframe into same tab triggers navigation * CVE-2023-23602 (bmo#1800890) Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers * CVE-2023-23603 (bmo#1800832) Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive * CVE-2023-23604 (bmo#1802346) Creation of duplicate <code>SystemPrincipal</code> from less secure contexts * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974) Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 * CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201, bmo#1800446, bmo#1801248, bmo#1802100, bmo#1803393, bmo#1804626, bmo#1804971, bmo#1807004) 1059273 3dfa6216e2142e9309e65c7facc40ed7 109.0.1 1675357667 dimstar_suse 1062544