--- a/MozillaFirefox/MozillaFirefox.changes Mon Aug 01 14:45:11 2016 +0200
+++ b/MozillaFirefox/MozillaFirefox.changes Wed Jan 18 22:06:23 2017 +0100
@@ -1,7 +1,233 @@
-------------------------------------------------------------------
+Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 50.1.0 (boo#)
+
+-------------------------------------------------------------------
+Fri Dec 9 17:57:22 UTC 2016 - cgrobertson@novell.com
+
+- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
+
+-------------------------------------------------------------------
+Thu Dec 1 02:49:45 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 50.0.2
+ * Firefox crashes with 3rd party Chinese IME when using IME text
+ (50.0.1)
+ security fixes (in 50.0.1): (boo#1012807)
+ * MFSA 2016-91
+ CVE-2016-9078: data: URL can inherit wrong origin after an
+ HTTP redirect (bmo#1317641)
+ security fixes (in 50.0.2) (boo#1012964)
+ * MFSA 2016-92
+ CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
+
+-------------------------------------------------------------------
+Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 50.0 (boo#1009026)
+ * requires NSS 3.26.2
+ new features
+ * Updates to keyboard shortcuts
+ Set a preference to have Ctrl+Tab cycle through tabs in recently
+ used order
+ View a page in Reader Mode by using Ctrl+Alt+R
+ * Added option to Find in page that allows users to limit search to
+ whole words only
+ * Added download protection for a large number of executable file
+ types on Windows, Mac and Linux
+ * Fixed rendering of dashed and dotted borders with rounded corners
+ (border-radius)
+ * Added a built-in Emoji set for operating systems without native
+ Emoji fonts (Windows 8.0 and lower and Linux)
+ * Blocked versions of libavcodec older than 54.35.1
+ * additional locale
+ security fixes:
+ * MFSA 2016-89
+ CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
+ (bmo#1292443)
+ CVE-2016-5292: URL parsing causes crash (bmo#1288482)
+ CVE-2016-5293: Write to arbitrary file with updater and moz
+ maintenance service using updater.log hardlink
+ (Windows only) (bmo#1246945)
+ CVE-2016-5294: Arbitrary target directory for result files of
+ update process (Windows only) (bmo#1246972)
+ CVE-2016-5297: Incorrect argument length checking in Javascript
+ (bmo#1303678)
+ CVE-2016-9064: Addons update must verify IDs match between
+ current and new versions (bmo#1303418)
+ CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen
+ (Android only) (bmo#1306696)
+ CVE-2016-9066: Integer overflow leading to a buffer overflow in
+ nsScriptLoadHandler (bmo#1299686)
+ CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
+ (bmo#1301777, bmo#1308922 (CVE-2016-9069))
+ CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
+ CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
+ (bmo#1300083) (Windows only)
+ CVE-2016-9075: WebExtensions can access the mozAddonManager API
+ and use it to gain elevated privileges (bmo#1295324)
+ CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
+ to cross-origin images, allowing timing attacks on them
+ (bmo#1298552)
+ CVE-2016-5291: Same-origin policy violation using local HTML file
+ and saved shortcut file (bmo#1292159)
+ CVE-2016-5295: Mozilla Maintenance Service: Ability to read
+ arbitrary files as SYSTEM (Windows only) (bmo#1247239)
+ CVE-2016-5298: SSL indicator can mislead the user about the real
+ URL visited (bmo#1227538) (Android only)
+ CVE-2016-5299: Firefox AuthToken in broadcast protected with
+ signature-level permission can be accessed by an
+ application installed beforehand that defines the
+ same permissions (bmo#1245791) (Android only)
+ CVE-2016-9061: API Key (glocation) in broadcast protected with
+ signature-level permission can be accessed by an
+ application installed beforehand that defines the
+ same permissions (Android only) (bmo#1245795)
+ CVE-2016-9062: Private browsing browser traces (android) in
+ browser.db and wal file (Android only) (bmo#1294438)
+ CVE-2016-9070: Sidebar bookmark can have reference to chrome window
+ (bmo#1281071)
+ CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
+ (bmo#1289273)
+ CVE-2016-9074: Insufficient timing side-channel resistance in
+ divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
+ CVE-2016-9076: select dropdown menu can be used for URL bar
+ spoofing on e10s (bmo#1276976)
+ CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
+ in expat (bmo#1274777)
+ CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
+ (bmo#1285003)
+ CVE-2016-5289: Memory safety bugs fixed in Firefox 50
+ CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
+- make aarch64 build more similar to x86_64 build (remove conditionals
+ that don't seem to be necessary anymore)
+
+-------------------------------------------------------------------
+Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 49.0.2:
+ * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
+ * CVE-2016-5288: Web content can read cache entries (bsc#1006476)
+ * Asynchronous rendering of the Flash plugins is now enabled by
+ default
+ * Change D3D9 default fallback preference to prevent graphical
+ artifacts
+ * Network issue prevents some users from seeing the Firefox UI on
+ startup
+ * Web compatibility issue with file uploads
+ * Web compatibility issue with Array.prototype.values
+ * Diagnostic information on timing for tab switching
+ * Fix a Canvas filters graphics issue affecting HTML5 apps
+
+-------------------------------------------------------------------
+Wed Oct 12 20:42:28 UTC 2016 - badshah400@gmail.com
+
+- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
+ and fixes have been incorporated by upstream.
+
+-------------------------------------------------------------------
+Fri Sep 23 20:36:39 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 49.0.1:
+ * Mitigate a startup crash issue caused by Websense - bmo#1304783
+
+-------------------------------------------------------------------
+Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 49.0 (boo#999701)
+ new features
+ * Updated Firefox Login Manager to allow HTTPS pages to use saved
+ HTTP logins.
+ * Added features to Reader Mode that make it easier on the eyes and
+ the ears
+ * Improved video performance for users on systems that support
+ SSE3 without hardware acceleration
+ * Added context menu controls to HTML5 audio and video that let users
+ loops files or play files at 1.25x speed
+ * Improvements in about:memory reports for tracking font memory usage
+ security related
+ * MFSA 2016-85
+ CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
+ mozilla::net::IsValidReferrerPolicy
+ CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
+ nsCaseTransformTextRunFactory::TransformString
+ CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
+ PropertyProvider::GetSpacingInternal
+ CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
+ CVE-2016-5273 (bmo#1280387) - crash in
+ mozilla::a11y::HyperTextAccessible::GetChildOffset
+ CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
+ mozilla::a11y::DocAccessible::ProcessInvalidationList
+ CVE-2016-5274 (bmo#1282076) - use-after-free in
+ nsFrameManager::CaptureFrameState
+ CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
+ CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
+ mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
+ CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
+ nsBMPEncoder::AddImageFrame
+ CVE-2016-5279 (bmo#1249522) - Full local path of files is available
+ to web pages after drag and drop
+ CVE-2016-5280 (bmo#1289970) - Use-after-free in
+ mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
+ CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
+ CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
+ from non-whitelisted schemes
+ CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can
+ reveal cross-origin data
+ CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
+ CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
+ CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
+- removed obsolete patches:
+ * mozilla-aarch64-48bit-va.patch
+ * mozilla-exclude-nametablecpp.patch
+ * mozilla-old_configure-bmo1282843.patch
+- added patch mozilla-skia-overflow.patch (bmo#1304114)
+- requires NSS 3.25
+
+-------------------------------------------------------------------
+Tue Aug 30 20:25:38 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 48.0.2:
+ * Mitigate a startup crash issue caused on Windows (bmo#1291738)
+
+-------------------------------------------------------------------
+Sat Aug 20 10:58:26 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 48.0.1:
+ * Fix an audio regression impacting some major websites
+ (bmo#1295296)
+ * Fix a top crash in the JavaScript engine (bmo#1290469)
+ * Fix a startup crash issue caused by Websense (bmo#1291738)
+ * Fix a different behavior with e10s / non-e10s on <select> and
+ mouse events (bmo#1291078)
+ * Fix a top crash caused by plugin issues (bmo#1264530)
+ * Fix a shutdown issue (bmo#1276920)
+ * Fix a crash in WebRTC
+
+-------------------------------------------------------------------
+Mon Aug 15 11:24:00 UTC 2016 - wr@rosenauer.org
+
+- added upstream patch so system plugins/extensions are correctly
+ loaded again on x86-64 (bmo#1282843)
+ (mozilla-old_configure-bmo1282843.patch)
+
+-------------------------------------------------------------------
+Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com
+
+- Fix for possible buffer overrun (bsc#990856)
+ CVE-2016-6354 (bmo#1292534)
+ [mozilla-flex_buffer_overrun.patch]
+
+-------------------------------------------------------------------
+Wed Aug 3 03:38:47 UTC 2016 - badshah400@gmail.com
+
+- Update mozilla-gtk3_20.patch to latest version from Fedora.
+
+-------------------------------------------------------------------
Mon Aug 1 12:37:05 UTC 2016 - wr@rosenauer.org
-- update to Firefox 48.0 (boo#)
+- update to Firefox 48.0 (boo#991809)
* requires NSS 3.24
* Process separation (e10s) is enabled for some of you
* Add-ons that have not been verified and signed by Mozilla will not load
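Review bot: The new top entry "update to Firefox 50.1.0 (boo#)" carries an empty boo# reference, the same placeholder this hunk corrects for the 48.0 entry (boo# to boo#991809); fill in the bug number before this lands. That entry is also the only "update to" entry added here with no change or MFSA/CVE list beneath it, so either add the list or state that there is none, so a reader can tell whether the update is security-relevant. Smaller points in the added text: "usingfullscreen" in the CVE-2016-9065 line is missing a space, "loops files" in the 49.0 context-menu item should read "loop files", and the bug prefixes are mixed (bsc# in the 49.0.2, aarch64 patch and flex entries, boo# elsewhere), which makes the references harder to search.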
@@ -9,6 +235,57 @@
* The media parser has been redeveloped using the Rust programming
language
* better Canvas performance with speedy Skia support
+ security fixes:
+ * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
+ Miscellaneous memory safety hazards
+ * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
+ Favicon network connection can persist when page is closed
+ * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
+ Buffer overflow rendering SVG with bidirectional content
+ * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
+ Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
+ * MFSA 2016-66/CVE-2016-5251 (bmo#1255570)
+ Location bar spoofing via data URLs with malformed/invalid mediatypes
+ * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
+ Stack underflow during 2D graphics rendering
+ * MFSA 2016-68/CVE-2016-0718 (bmo#1236923)
+ Out-of-bounds read during XML parsing in Expat library
+ * MFSA 2016-69/CVE-2016-5253 (bmo#1246944)
+ Arbitrary file manipulation by local user through Mozilla updater
+ and callback application path parameter (Windows-only)
+ * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
+ Use-after-free when using alt key and toplevel menus
+ * MFSA 2016-71/CVE-2016-5255 (bmo#1212356)
+ Crash in incremental garbage collection in JavaScript
+ * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
+ Use-after-free in DTLS during WebRTC session shutdown
+ * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
+ Use-after-free in service workers with nested sync events
+ * MFSA 2016-74/CVE-2016-5260 (bmo#1280294)
+ Form input type change from password to text can store plain
+ text password in session restore file
+ * MFSA 2016-75/CVE-2016-5261 (bmo#1287266)
+ Integer overflow in WebSockets during data buffering
+ * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
+ Scripts on marquee tag can execute in sandboxed iframes
+ * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
+ Buffer overflow in ClearKey Content Decryption Module (CDM)
+ during video playback
+ * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
+ Type confusion in display transformation
+ * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
+ Use-after-free when applying SVG effects
+ * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
+ Same-origin policy violation using local HTML file and saved shortcut file
+ * MFSA 2016-81/CVE-2016-5266 (bmo#1226977)
+ Information disclosure and local file manipulation through drag and drop
+ * MFSA 2016-82/CVE-2016-5267 (bmo#1284372)
+ Addressbar spoofing with right-to-left characters on Firefox for Android
+ (Android only)
+ * MFSA 2016-83/CVE-2016-5268 (bmo#1253673)
+ Spoofing attack through text injection into internal error pages
+ * MFSA 2016-84/CVE-2016-5250 (bmo#1254688)
+ Information disclosure through Resource Timing API during page navigation
- removed obsolete mozilla-gcc6.patch
-------------------------------------------------------------------
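Review bot: The security fixes block added to the 48.0 entry introduces a third layout for the same information: "MFSA 2016-63/CVE-2016-2830 (bmo#1255270)" with the description on the following line, whereas the 49.0 entry in this patch uses "CVE (bmo#) - description" and the 50.0 entry uses "CVE: description (bmo#)". Settle on one layout across the three entries so the CVE-to-bug mapping can be searched and compared consistently. Also confirm the CVE-2016-5265 description ("Same-origin policy violation using local HTML file and saved shortcut file"), which matches the CVE-2016-5291 text in the 50.0 entry word for word; if both are intended, a short hint on how they differ would help whoever audits this changelog.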