|
1 ------------------------------------------------------------------- |
|
2 Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org |
|
3 |
|
4 - update to Firefox 50.1.0 (boo#) |
|
5 |
|
6 ------------------------------------------------------------------- |
|
7 Fri Dec 9 17:57:22 UTC 2016 - cgrobertson@novell.com |
|
8 |
|
9 - added patch mozilla-aarch64-startup-crash.patch (bsc#1011922) |
|
10 |
|
11 ------------------------------------------------------------------- |
|
12 Thu Dec 1 02:49:45 UTC 2016 - wr@rosenauer.org |
|
13 |
|
14 - update to Firefox 50.0.2 |
|
15 * Firefox crashes with 3rd party Chinese IME when using IME text |
|
16 (50.0.1) |
|
17 security fixes (in 50.0.1): (boo#1012807) |
|
18 * MFSA 2016-91 |
|
19 CVE-2016-9078: data: URL can inherit wrong origin after an |
|
20 HTTP redirect (bmo#1317641) |
|
21 security fixes (in 50.0.2) (boo#1012964) |
|
22 * MFSA 2016-92 |
|
23 CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066) |
|
24 |
|
25 ------------------------------------------------------------------- |
|
26 Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org |
|
27 |
|
28 - update to Firefox 50.0 (boo#1009026) |
|
29 * requires NSS 3.26.2 |
|
30 new features |
|
31 * Updates to keyboard shortcuts |
|
32 Set a preference to have Ctrl+Tab cycle through tabs in recently |
|
33 used order |
|
34 View a page in Reader Mode by using Ctrl+Alt+R |
|
35 * Added option to Find in page that allows users to limit search to |
|
36 whole words only |
|
37 * Added download protection for a large number of executable file |
|
38 types on Windows, Mac and Linux |
|
39 * Fixed rendering of dashed and dotted borders with rounded corners |
|
40 (border-radius) |
|
41 * Added a built-in Emoji set for operating systems without native |
|
42 Emoji fonts (Windows 8.0 and lower and Linux) |
|
43 * Blocked versions of libavcodec older than 54.35.1 |
|
44 * additional locale |
|
45 security fixes: |
|
46 * MFSA 2016-89 |
|
47 CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 |
|
48 (bmo#1292443) |
|
49 CVE-2016-5292: URL parsing causes crash (bmo#1288482) |
|
50 CVE-2016-5293: Write to arbitrary file with updater and moz |
|
51 maintenance service using updater.log hardlink |
|
52 (Windows only) (bmo#1246945) |
|
53 CVE-2016-5294: Arbitrary target directory for result files of |
|
54 update process (Windows only) (bmo#1246972) |
|
55 CVE-2016-5297: Incorrect argument length checking in Javascript |
|
56 (bmo#1303678) |
|
57 CVE-2016-9064: Addons update must verify IDs match between |
|
58 current and new versions (bmo#1303418) |
|
59 CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen |
|
60 (Android only) (bmo#1306696) |
|
61 CVE-2016-9066: Integer overflow leading to a buffer overflow in |
|
62 nsScriptLoadHandler (bmo#1299686) |
|
63 CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore |
|
64 (bmo#1301777, bmo#1308922 (CVE-2016-9069)) |
|
65 CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) |
|
66 CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile |
|
67 (bmo#1300083) (Windows only) |
|
68 CVE-2016-9075: WebExtensions can access the mozAddonManager API |
|
69 and use it to gain elevated privileges (bmo#1295324) |
|
70 CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied |
|
71 to cross-origin images, allowing timing attacks on them |
|
72 (bmo#1298552) |
|
73 CVE-2016-5291: Same-origin policy violation using local HTML file |
|
74 and saved shortcut file (bmo#1292159) |
|
75 CVE-2016-5295: Mozilla Maintenance Service: Ability to read |
|
76 arbitrary files as SYSTEM (Windows only) (bmo#1247239) |
|
77 CVE-2016-5298: SSL indicator can mislead the user about the real |
|
78 URL visited (bmo#1227538) (Android only) |
|
79 CVE-2016-5299: Firefox AuthToken in broadcast protected with |
|
80 signature-level permission can be accessed by an |
|
81 application installed beforehand that defines the |
|
82 same permissions (bmo#1245791) (Android only) |
|
83 CVE-2016-9061: API Key (glocation) in broadcast protected with |
|
84 signature-level permission can be accessed by an |
|
85 application installed beforehand that defines the |
|
86 same permissions (Android only) (bmo#1245795) |
|
87 CVE-2016-9062: Private browsing browser traces (android) in |
|
88 browser.db and wal file (Android only) (bmo#1294438) |
|
89 CVE-2016-9070: Sidebar bookmark can have reference to chrome window |
|
90 (bmo#1281071) |
|
91 CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" |
|
92 (bmo#1289273) |
|
93 CVE-2016-9074: Insufficient timing side-channel resistance in |
|
94 divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) |
|
95 CVE-2016-9076: select dropdown menu can be used for URL bar |
|
96 spoofing on e10s (bmo#1276976) |
|
97 CVE-2016-9063: Possible integer overflow to fix inside XML_Parse |
|
98 in expat (bmo#1274777) |
|
99 CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP |
|
100 (bmo#1285003) |
|
101 CVE-2016-5289: Memory safety bugs fixed in Firefox 50 |
|
102 CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 |
|
103 - make aarch64 build more similar to x86_64 build (remove conditionals |
|
104 that don't seem to be necessary anymore) |
|
105 |
|
106 ------------------------------------------------------------------- |
|
107 Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com |
|
108 |
|
109 - Mozilla Firefox 49.0.2: |
|
110 * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475) |
|
111 * CVE-2016-5288: Web content can read cache entries (bsc#1006476) |
|
112 * Asynchronous rendering of the Flash plugins is now enabled by |
|
113 default |
|
114 * Change D3D9 default fallback preference to prevent graphical |
|
115 artifacts |
|
116 * Network issue prevents some users from seeing the Firefox UI on |
|
117 startup |
|
118 * Web compatibility issue with file uploads |
|
119 * Web compatibility issue with Array.prototype.values |
|
120 * Diagnostic information on timing for tab switching |
|
121 * Fix a Canvas filters graphics issue affecting HTML5 apps |
|
122 |
|
123 ------------------------------------------------------------------- |
|
124 Wed Oct 12 20:42:28 UTC 2016 - badshah400@gmail.com |
|
125 |
|
126 - Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0 |
|
127 and fixes have been incorporated by upstream. |
|
128 |
|
129 ------------------------------------------------------------------- |
|
130 Fri Sep 23 20:36:39 UTC 2016 - astieger@suse.com |
|
131 |
|
132 - Mozilla Firefox 49.0.1: |
|
133 * Mitigate a startup crash issue caused by Websense - bmo#1304783 |
|
134 |
|
135 ------------------------------------------------------------------- |
|
136 Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org |
|
137 |
|
138 - update to Firefox 49.0 (boo#999701) |
|
139 new features |
|
140 * Updated Firefox Login Manager to allow HTTPS pages to use saved |
|
141 HTTP logins. |
|
142 * Added features to Reader Mode that make it easier on the eyes and |
|
143 the ears |
|
144 * Improved video performance for users on systems that support |
|
145 SSE3 without hardware acceleration |
|
146 * Added context menu controls to HTML5 audio and video that let users |
|
147 loops files or play files at 1.25x speed |
|
148 * Improvements in about:memory reports for tracking font memory usage |
|
149 security related |
|
150 * MFSA 2016-85 |
|
151 CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in |
|
152 mozilla::net::IsValidReferrerPolicy |
|
153 CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in |
|
154 nsCaseTransformTextRunFactory::TransformString |
|
155 CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in |
|
156 PropertyProvider::GetSpacingInternal |
|
157 CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin |
|
158 CVE-2016-5273 (bmo#1280387) - crash in |
|
159 mozilla::a11y::HyperTextAccessible::GetChildOffset |
|
160 CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in |
|
161 mozilla::a11y::DocAccessible::ProcessInvalidationList |
|
162 CVE-2016-5274 (bmo#1282076) - use-after-free in |
|
163 nsFrameManager::CaptureFrameState |
|
164 CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick |
|
165 CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in |
|
166 mozilla::gfx::FilterSupport::ComputeSourceNeededRegions |
|
167 CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in |
|
168 nsBMPEncoder::AddImageFrame |
|
169 CVE-2016-5279 (bmo#1249522) - Full local path of files is available |
|
170 to web pages after drag and drop |
|
171 CVE-2016-5280 (bmo#1289970) - Use-after-free in |
|
172 mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap |
|
173 CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength |
|
174 CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons |
|
175 from non-whitelisted schemes |
|
176 CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can |
|
177 reveal cross-origin data |
|
178 CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration |
|
179 CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 |
|
180 CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 |
|
181 - removed obsolete patches: |
|
182 * mozilla-aarch64-48bit-va.patch |
|
183 * mozilla-exclude-nametablecpp.patch |
|
184 * mozilla-old_configure-bmo1282843.patch |
|
185 - added patch mozilla-skia-overflow.patch (bmo#1304114) |
|
186 - requires NSS 3.25 |
|
187 |
|
188 ------------------------------------------------------------------- |
|
189 Tue Aug 30 20:25:38 UTC 2016 - astieger@suse.com |
|
190 |
|
191 - Mozilla Firefox 48.0.2: |
|
192 * Mitigate a startup crash issue caused on Windows (bmo#1291738) |
|
193 |
|
194 ------------------------------------------------------------------- |
|
195 Sat Aug 20 10:58:26 UTC 2016 - astieger@suse.com |
|
196 |
|
197 - Mozilla Firefox 48.0.1: |
|
198 * Fix an audio regression impacting some major websites |
|
199 (bmo#1295296) |
|
200 * Fix a top crash in the JavaScript engine (bmo#1290469) |
|
201 * Fix a startup crash issue caused by Websense (bmo#1291738) |
|
202 * Fix a different behavior with e10s / non-e10s on <select> and |
|
203 mouse events (bmo#1291078) |
|
204 * Fix a top crash caused by plugin issues (bmo#1264530) |
|
205 * Fix a shutdown issue (bmo#1276920) |
|
206 * Fix a crash in WebRTC |
|
207 |
|
208 ------------------------------------------------------------------- |
|
209 Mon Aug 15 11:24:00 UTC 2016 - wr@rosenauer.org |
|
210 |
|
211 - added upstream patch so system plugins/extensions are correctly |
|
212 loaded again on x86-64 (bmo#1282843) |
|
213 (mozilla-old_configure-bmo1282843.patch) |
|
214 |
|
215 ------------------------------------------------------------------- |
|
216 Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com |
|
217 |
|
218 - Fix for possible buffer overrun (bsc#990856) |
|
219 CVE-2016-6354 (bmo#1292534) |
|
220 [mozilla-flex_buffer_overrun.patch] |
|
221 |
|
222 ------------------------------------------------------------------- |
|
223 Wed Aug 3 03:38:47 UTC 2016 - badshah400@gmail.com |
|
224 |
|
225 - Update mozilla-gtk3_20.patch to latest version from Fedora. |
|
226 |
1 ------------------------------------------------------------------- |
227 ------------------------------------------------------------------- |
2 Mon Aug 1 12:37:05 UTC 2016 - wr@rosenauer.org |
228 Mon Aug 1 12:37:05 UTC 2016 - wr@rosenauer.org |
3 |
229 |
4 - update to Firefox 48.0 (boo#) |
230 - update to Firefox 48.0 (boo#991809) |
5 * requires NSS 3.24 |
231 * requires NSS 3.24 |
6 * Process separation (e10s) is enabled for some of you |
232 * Process separation (e10s) is enabled for some of you |
7 * Add-ons that have not been verified and signed by Mozilla will not load |
233 * Add-ons that have not been verified and signed by Mozilla will not load |
8 * WebRTC embetterments |
234 * WebRTC embetterments |
9 * The media parser has been redeveloped using the Rust programming |
235 * The media parser has been redeveloped using the Rust programming |
10 language |
236 language |
11 * better Canvas performance with speedy Skia support |
237 * better Canvas performance with speedy Skia support |
|
238 security fixes: |
|
239 * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836 |
|
240 Miscellaneous memory safety hazards |
|
241 * MFSA 2016-63/CVE-2016-2830 (bmo#1255270) |
|
242 Favicon network connection can persist when page is closed |
|
243 * MFSA 2016-64/CVE-2016-2838 (bmo#1279814) |
|
244 Buffer overflow rendering SVG with bidirectional content |
|
245 * MFSA 2016-65/CVE-2016-2839 (bmo#1275339) |
|
246 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 |
|
247 * MFSA 2016-66/CVE-2016-5251 (bmo#1255570) |
|
248 Location bar spoofing via data URLs with malformed/invalid mediatypes |
|
249 * MFSA 2016-67/CVE-2016-5252 (bmo#1268854) |
|
250 Stack underflow during 2D graphics rendering |
|
251 * MFSA 2016-68/CVE-2016-0718 (bmo#1236923) |
|
252 Out-of-bounds read during XML parsing in Expat library |
|
253 * MFSA 2016-69/CVE-2016-5253 (bmo#1246944) |
|
254 Arbitrary file manipulation by local user through Mozilla updater |
|
255 and callback application path parameter (Windows-only) |
|
256 * MFSA 2016-70/CVE-2016-5254 (bmo#1266963) |
|
257 Use-after-free when using alt key and toplevel menus |
|
258 * MFSA 2016-71/CVE-2016-5255 (bmo#1212356) |
|
259 Crash in incremental garbage collection in JavaScript |
|
260 * MFSA 2016-72/CVE-2016-5258 (bmo#1279146) |
|
261 Use-after-free in DTLS during WebRTC session shutdown |
|
262 * MFSA 2016-73/CVE-2016-5259 (bmo#1282992) |
|
263 Use-after-free in service workers with nested sync events |
|
264 * MFSA 2016-74/CVE-2016-5260 (bmo#1280294) |
|
265 Form input type change from password to text can store plain |
|
266 text password in session restore file |
|
267 * MFSA 2016-75/CVE-2016-5261 (bmo#1287266) |
|
268 Integer overflow in WebSockets during data buffering |
|
269 * MFSA 2016-76/CVE-2016-5262 (bmo#1277475) |
|
270 Scripts on marquee tag can execute in sandboxed iframes |
|
271 * MFSA 2016-77/CVE-2016-2837 (bmo#1274637) |
|
272 Buffer overflow in ClearKey Content Decryption Module (CDM) |
|
273 during video playback |
|
274 * MFSA 2016-78/CVE-2016-5263 (bmo#1276897) |
|
275 Type confusion in display transformation |
|
276 * MFSA 2016-79/CVE-2016-5264 (bmo#1286183) |
|
277 Use-after-free when applying SVG effects |
|
278 * MFSA 2016-80/CVE-2016-5265 (bmo#1278013) |
|
279 Same-origin policy violation using local HTML file and saved shortcut file |
|
280 * MFSA 2016-81/CVE-2016-5266 (bmo#1226977) |
|
281 Information disclosure and local file manipulation through drag and drop |
|
282 * MFSA 2016-82/CVE-2016-5267 (bmo#1284372) |
|
283 Addressbar spoofing with right-to-left characters on Firefox for Android |
|
284 (Android only) |
|
285 * MFSA 2016-83/CVE-2016-5268 (bmo#1253673) |
|
286 Spoofing attack through text injection into internal error pages |
|
287 * MFSA 2016-84/CVE-2016-5250 (bmo#1254688) |
|
288 Information disclosure through Resource Timing API during page navigation |
12 - removed obsolete mozilla-gcc6.patch |
289 - removed obsolete mozilla-gcc6.patch |
13 |
290 |
14 ------------------------------------------------------------------- |
291 ------------------------------------------------------------------- |
15 Fri Jul 29 01:26:13 UTC 2016 - badshah400@gmail.com |
292 Fri Jul 29 01:26:13 UTC 2016 - badshah400@gmail.com |
16 |
293 |
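Review bot: the new top entry reads `- update to Firefox 50.1.0 (boo#)` with the bug number left empty and no security fixes listed under it, while the 50.0.2 and 50.0 entries directly below carry both. This same change has to backfill `(boo#)` to `(boo#991809)` on the 48.0 entry, so fill the reference in now rather than in a later revision, and if 50.1.0 contains security fixes, list their MFSA and CVE ids in the same form as the other entries. Two smaller points in the 50.0 list: `usingfullscreen` in the CVE-2016-9065 line is missing a space, and CVE-2016-9069 appears only inside the bmo parenthetical of the CVE-2016-9067 line, where a search for entries beginning with that CVE id will not find it; give it its own line.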