|
1 ------------------------------------------------------------------- |
|
2 Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org |
|
3 |
|
4 - update to Firefox 50.0 (boo#1009026) |
|
5 * requires NSS 3.26.2 |
|
6 new features |
|
7 * Updates to keyboard shortcuts |
|
8 Set a preference to have Ctrl+Tab cycle through tabs in recently |
|
9 used order |
|
10 View a page in Reader Mode by using Ctrl+Alt+R |
|
11 * Added option to Find in page that allows users to limit search to |
|
12 whole words only |
|
13 * Added download protection for a large number of executable file |
|
14 types on Windows, Mac and Linux |
|
15 * Fixed rendering of dashed and dotted borders with rounded corners |
|
16 (border-radius) |
|
17 * Added a built-in Emoji set for operating systems without native |
|
18 Emoji fonts (Windows 8.0 and lower and Linux) |
|
19 * Blocked versions of libavcodec older than 54.35.1 |
|
20 * additional locale |
|
21 security fixes: |
|
22 * MFSA 2016-89 |
|
23 CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 |
|
24 (bmo#1292443) |
|
25 CVE-2016-5292: URL parsing causes crash (bmo#1288482) |
|
26 CVE-2016-5293: Write to arbitrary file with updater and moz |
|
27 maintenance service using updater.log hardlink |
|
28 (Windows only) (bmo#1246945) |
|
29 CVE-2016-5294: Arbitrary target directory for result files of |
|
30 update process (Windows only) (bmo#1246972) |
|
31 CVE-2016-5297: Incorrect argument length checking in Javascript |
|
32 (bmo#1303678) |
|
33 CVE-2016-9064: Addons update must verify IDs match between |
|
34 current and new versions (bmo#1303418) |
|
35 CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen |
|
36 (Android only) (bmo#1306696) |
|
37 CVE-2016-9066: Integer overflow leading to a buffer overflow in |
|
38 nsScriptLoadHandler (bmo#1299686) |
|
39 CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore |
|
40 (bmo#1301777, bmo#1308922 (CVE-2016-9069)) |
|
41 CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) |
|
42 CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile |
|
43 (bmo#1300083) (Windows only) |
|
44 CVE-2016-9075: WebExtensions can access the mozAddonManager API |
|
45 and use it to gain elevated privileges (bmo#1295324) |
|
46 CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied |
|
47 to cross-origin images, allowing timing attacks on them |
|
48 (bmo#1298552) |
|
49 CVE-2016-5291: Same-origin policy violation using local HTML file |
|
50 and saved shortcut file (bmo#1292159) |
|
51 CVE-2016-5295: Mozilla Maintenance Service: Ability to read |
|
52 arbitrary files as SYSTEM (Windows only) (bmo#1247239) |
|
53 CVE-2016-5298: SSL indicator can mislead the user about the real |
|
54 URL visited (bmo#1227538) (Android only) |
|
55 CVE-2016-5299: Firefox AuthToken in broadcast protected with |
|
56 signature-level permission can be accessed by an |
|
57 application installed beforehand that defines the |
|
58 same permissions (bmo#1245791) (Android only) |
|
59 CVE-2016-9061: API Key (glocation) in broadcast protected with |
|
60 signature-level permission can be accessed by an |
|
61 application installed beforehand that defines the |
|
62 same permissions (Android only) (bmo#1245795) |
|
63 CVE-2016-9062: Private browsing browser traces (android) in |
|
64 browser.db and wal file (Android only) (bmo#1294438) |
|
65 CVE-2016-9070: Sidebar bookmark can have reference to chrome window |
|
66 (bmo#1281071) |
|
67 CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" |
|
68 (bmo#1289273) |
|
69 CVE-2016-9074: Insufficient timing side-channel resistance in |
|
70 divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) |
|
71 CVE-2016-9076: select dropdown menu can be used for URL bar |
|
72 spoofing on e10s (bmo#1276976) |
|
73 CVE-2016-9063: Possible integer overflow to fix inside XML_Parse |
|
74 in expat (bmo#1274777) |
|
75 CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP |
|
76 (bmo#1285003) |
|
77 CVE-2016-5289: Memory safety bugs fixed in Firefox 50 |
|
78 CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 |
|
79 - make aarch64 build more similar to x86_64 build (remove conditionals |
|
80 that don't seem to be necessary anymore) |
|
81 |
1 ------------------------------------------------------------------- |
82 ------------------------------------------------------------------- |
2 Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com |
83 Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com |
3 |
84 |
4 - Mozilla Firefox 49.0.2: |
85 - Mozilla Firefox 49.0.2: |
5 * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475) |
86 * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475) |
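Review bot: In the CVE-2016-9067 entry (new lines 39-40), CVE-2016-9069 appears only as a parenthetical after bmo#1308922, so it reads as an annotation on the bug number rather than as a CVE fixed by this update. Give it its own line under MFSA 2016-89, or lead the entry with both CVE ids, so that anyone auditing this changelog for fixed CVEs sees it at the same level as the others. In the CVE-2016-9065 entry (new line 35), "usingfullscreen" is missing a space. The "* additional locale" item (new line 20) does not say which locale was added. The "(Windows only)" and "(Android only)" qualifiers sit before the bmo reference in some entries and after it in others (compare new lines 28 and 43); pick one order and use it throughout.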