diff -r 84cdfb476431 -r 8e9195853a32 MozillaFirefox/MozillaFirefox.changes --- a/MozillaFirefox/MozillaFirefox.changes Sun Mar 17 10:00:10 2019 +0100 +++ b/MozillaFirefox/MozillaFirefox.changes Tue Nov 19 22:54:22 2019 +0100 
@@ -1,4 +1,597 @@ ------------------------------------------------------------------- +Sun Oct 20 20:19:31 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 70.0 + * more privacy protections from Enhanced Tracking Protection + * Firefox Lockwise passwordmanager + * Improvements to core engine components, for better browsing on more sites + * Improved privacy and security indicators + MFSA 2019-34 + * CVE-2018-6156 (bmo#1480088) + Heap buffer overflow in FEC processing in WebRTC + * CVE-2019-15903 (bmo#1584907) + Heap overflow in expat library in XML_GetCurrentLineNumber + * CVE-2019-11757 (bmo#1577107) + Use-after-free when creating index updates in IndexedDB + * CVE-2019-11759 (bmo#1577953) + Stack buffer overflow in HKDF output + * CVE-2019-11760 (bmo#1577719) + Stack buffer overflow in WebRTC networking + * CVE-2019-11761 (bmo#1561502) + Unintended access to a privileged JSONView object + * CVE-2019-11762 (bmo#1582857) + document.domain-based origin isolation has same-origin-property violation + * CVE-2019-11763 (bmo#1584216) + Incorrect HTML parsing results in XSS bypass technique + * CVE-2019-11765 (bmo#1562582) + Incorrect permissions could be granted to a website + * CVE-2019-17000 (bmo#1441468) + CSP bypass using object tag with data: URI + * CVE-2019-17001 (bmo#1587976) + CSP bypass using object tag when script-src 'none' is specified + * CVE-2019-17002 (bmo#1561056) + upgrade-insecure-requests was not being honored for links dragged and dropped + * CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223, + bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845, bmo#1581950, + bmo#1583463, bmo#1586599) + Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2 +- requires + rust/cargo >= 1.36 + NSPR >= 4.22 + NSS >= 3.46.1 + rust-cbindgen >= 0.9.1 +- removed obsolete patches + mozilla-bmo1573381.patch + mozilla-nestegg-big-endian.patch + +------------------------------------------------------------------- +Sun Oct 13 08:58:12 UTC 
2019 - Wolfgang Rosenauer + +- Mozilla Firefox 69.0.3 + * Fixed Yahoo mail users being prompted to download files when + clicking on emails (bmo#1582848) +- devel package build can easily be disabled now + +------------------------------------------------------------------- +Thu Oct 3 08:40:05 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 69.0.2 + * Fixed a crash when editing files on Office 365 websites (bmo#1579858) + * Fixed a Linux-only crash when changing the playback speed while + watching YouTube videos (bmo#1582222) +- updated supported locale list +- Allow to build without profile guided optimizations (boo#1040589) + (contributed by Bernhard Wiedemann) +- Make build verbose (contributed by Martin Liška) +- remove obsolete kde.js setting (boo#1151186) and related patch + firefox-add-kde.js-in-order-to-survive-PGO-build.patch +- update create-tar.sh to latest revision and adjusted tar_stamps +- add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO) +- extension preferences moved from branding package to core package + (packaging but not branding specific) + +------------------------------------------------------------------- +Thu Sep 19 13:31:16 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 69.0.1 + * Fixed external programs launching in the background when clicking + a link from inside Firefox to launch them (bmo#1570845) + * Usability improvements to the Add-ons Manager for users with + screen readers (bmo#1567600) + * Fixed the Captive Portal notification bar not being dismissable + in some situations after login is complete (bmo#1578633) + * Fixed the maximum size of fonts in Reader Mode when zoomed (bmo#1578454) + * Fixed missing stacks in the Developer Tools Performance section + (bmo#1578354) + MFSA 2019-31 + * CVE-2019-11754 (bmo#1580506) + Pointer Lock is enabled with no user notification +- disable DOH by default + +------------------------------------------------------------------- +Thu Sep 5 13:02:39 UTC 2019 - Wolfgang 
Rosenauer + +- Mozilla Firefox 69.0 + * Enhanced Tracking Protection (ETP) for stronger privacy protections + * Block Autoplay feature is enhanced to give users the option to block + any video + * Users in the US or using the en-US browser, can get a new “New Tab” + page experience connecting to the best of Pocket's content. + * Support for the Web Authentication HmacSecret extension via + Windows Hello introduced. + * Support for receiving multiple video codecs with this release makes + it easier for WebRTC conferencing services to mix video from + different clients. + MFSA 2019-25 (boo#1149324) + * CVE-2019-11741 (bmo#1539595) + Isolate addons.mozilla.org and accounts.firefox.com + * CVE-2019-5849 (bmo#1555838) + Out-of-bounds read in Skia + * CVE-2019-11737 (bmo#1388015) + Content security policy directives ignore port and path if host is a wildcard + * CVE-2019-11734 (bmo#1352875,bmo#1536227,bmo#1557208,bmo#1560641) + Memory safety bugs fixed in Firefox 69 + * CVE-2019-11735 (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912, + bmo#1565744,bmo#1568858,bmo#1570358) + Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 + * CVE-2019-11740 (bmo#1563133,bmo#1573160) + Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 +- requires + * rust/cargo >= 1.35 + * rust-cbindgen >= 0.9.0 + * mozilla-nss >= 3.45 +- rebased patches + +------------------------------------------------------------------- +Wed Sep 4 15:38:40 UTC 2019 - Wolfgang Rosenauer + +- added a bunch of patches mainly for big endian platforms + * mozilla-bmo1504834-part1.patch + * mozilla-bmo1504834-part2.patch + * mozilla-bmo1504834-part3.patch + * mozilla-bmo1511604.patch + * mozilla-bmo1554971.patch + * mozilla-bmo1573381.patch + * mozilla-nestegg-big-endian.patch + * mozilla-bmo1512162.patch + +------------------------------------------------------------------- +Fri Aug 30 20:49:11 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 68.1.0 + MFSA 2019-26 + * 
CVE-2019-11751 (bmo#1572838; Windows only) + Malicious code execution through command line parameters + * CVE-2019-11746 (bmo#1564449) + Use-after-free while manipulating video + * CVE-2019-11744 (bmo#1562033) + XSS by breaking out of title and textarea elements using innerHTML + * CVE-2019-11742 (bmo#1559715) + Same-origin policy violation with SVG filters and canvas to steal + cross-origin images + * CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only)) + File manipulation and privilege escalation in Mozilla Maintenance Service + * CVE-2019-11753 (bmo#1574980; Windows only) + Privilege escalation with Mozilla Maintenance Service in custom + Firefox installation location + * CVE-2019-11752 (bmo#1501152) + Use-after-free while extracting a key value in IndexedDB + * CVE-2019-9812 (bmo#1538008, bmo#1538015) + Sandbox escape through Firefox Sync + * CVE-2019-11743 (bmo#1560495) + Cross-origin access to unload event attributes + * CVE-2019-11748 (bmo#1564588) + Persistence of WebRTC permissions in a third party context + * CVE-2019-11749 (bmo#1565374) + Camera information available without prompting using getUserMedia + * CVE-2019-11750 (bmo#1568397) + Type confusion in Spidermonkey + * CVE-2019-11738 (bmo#1452037) + Content security policy bypass through hash-based sources in directives + * CVE-2019-11747 (bmo#1564481) + 'Forget about this site' removes sites from pre-loaded HSTS list + * CVE-2019-11735i (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912, + bmo#1565744,bmo#1568858,bmo#1570358) + Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 + * CVE-2019-11740 (bmo#1563133,bmo#1573160) + Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 +- switched package to ESR branch +- added mozilla-bmo1568145.patch to make builds reproducible +- removed upstreamed patch mozilla-gcc-internal-compiler-error.patch + +------------------------------------------------------------------- +Sun Aug 18 17:29:25 UTC 2019 - Andreas Stieger + +- 
Mozilla Firefox 68.0.2: + * Fixed a bug causing some special characters to be cut off from + the end of the search terms when searching from the URL bar + (bmo#1560228) + * Allow fonts to be loaded via file:// URLs when opening a page + locally (bmo#1565942) + * Printing emails from the Outlook web app no longer prints only + the header and footer (bmo#1567105) + * Fixed a bug causing some images not to be displayed on reload, + including on Google Maps (bmo# 1565542) + * Fixed an error when starting external applications configured + as URI handlers (bmo#1567614) + MFSA 2019-24 (boo#1145665) + * CVE-2019-11733: Stored passwords in 'Saved Logins' can be + copied without master password entry (bmo#1565780) +- drop fix-build-after-y2038-changes-in-glibc.patch, upstream + +------------------------------------------------------------------- +Fri Aug 16 16:49:24 UTC 2019 - Jonathan Brielmaier + +- Fix crash when typing in the URL bar on ppc64le (bmo#1512162). + The upstream patch doesn't resolve the issue on TW, but compiling + with -O1 does. Do this until we have a proper fix. 
+ +------------------------------------------------------------------- +Thu Aug 1 14:25:02 UTC 2019 - Guillaume GARDET + +- Update build constraints to fix arm builds + +------------------------------------------------------------------- +Fri Jul 19 08:11:27 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 68.0.1 + * Fixed missing Full Screen button when watching videos in full + screen mode on HBO GO (bmo#1562837) + * Fixed a bug causing incorrect messages to appear for some + locales when sites try to request the use of the Storage + Access API (bmo#1558503) + * Users in Russian regions may have their default search engine + changed (bmo#1565315) + * Built-in search engines in some locales do not function + correctly (bmo#1565779) + * SupportMenu policy doesn't always work (bmo#1553290) + * Allow the privacy.file_unique_origin pref to be controlled by + policy (bmo#1563759) + +------------------------------------------------------------------- +Thu Jul 11 10:51:39 UTC 2019 - Jiri Slaby + +- add fix-build-after-y2038-changes-in-glibc.patch + +------------------------------------------------------------------- +Wed Jul 10 13:47:41 UTC 2019 - Bernhard Wiedemann + +- Generate langpacks sequentially to avoid file corruption + from racy file writes (boo#1137970) + +------------------------------------------------------------------- +Mon Jul 8 13:30:35 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 68.0 + * Dark mode in reader view + * Improved extension security and discovery + * Cryptomining and fingerprinting protections are added to strict + content blocking settings in Privacy & Security preferences + * Camera and microphone access now require an HTTPS connection + MFSA 2019-21 (bsc#1140868) + * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327) + Sandbox escape via installation of malicious languagepack + * CVE-2019-11711 (bmo#1552541) + Script injection within domain through inner window reuse + * CVE-2019-11712 (bmo#1543804) + Cross-origin POST requests 
can be made with NPAPI plugins by + following 308 redirects + * CVE-2019-11713 (bmo#1528481) + Use-after-free with HTTP/2 cached stream + * CVE-2019-11714 (bmo#1542593) + NeckoChild can trigger crash when accessed off of main thread + * CVE-2019-11729 (bmo#1515342) + Empty or malformed p256-ECDH public keys may trigger a segmentation fault + * CVE-2019-11715 (bmo#1555523) + HTML parsing error can contribute to content XSS + * CVE-2019-11716 (bmo#1552632) + globalThis not enumerable until accessed + * CVE-2019-11717 (bmo#1548306) + Caret character improperly escaped in origins + * CVE-2019-11718 (bmo#1408349) + Activity Stream writes unsanitized content to innerHTML + * CVE-2019-11719 (bmo#1540541) + Out-of-bounds read when importing curve25519 private key + * CVE-2019-11720 (bmo#1556230) + Character encoding XSS vulnerability + * CVE-2019-11721 (bmo#1256009) + Domain spoofing through unicode latin 'kra' character + * CVE-2019-11730 (bmo#1558299) + Same-origin policy treats all files in a directory as having the + same-origin + * CVE-2019-11723 (bmo#1528335) + Cookie leakage during add-on fetching across private browsing boundaries + * CVE-2019-11724 (bmo#1512511) + Retired site input.mozilla.org has remote troubleshooting permissions + * CVE-2019-11725 (bmo#1483510) + Websocket resources bypass safebrowsing protections + * CVE-2019-11727 (bmo#1552208) + PKCS#1 v1.5 signatures can be used for TLS 1.3 + * CVE-2019-11728 (bmo#1552993) + Port scanning through Alt-Svc header + * CVE-2019-11710 (bmo#1549768, bmo#1548611, bmo#1533842, bmo#1537692, + bmo#1540590, bmo#1551907, bmo#1510345, bmo#1535482, bmo#1535848, + bmo#1547472, bmo#1547760, bmo#1507696, bmo#1544180) + Memory safety bugs fixed in Firefox 68 + * CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498 + bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522) + Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 +- requires + * NSS 3.44.1 + * rust/cargo 1.34 + * rust-cbindgen 0.8.7 
+- rebased patches + * mozilla-aarch64-startup-crash.patch + * mozilla-kde.patch + * mozilla-nongnome-proxies.patch + * firefox-kde.patch +- use new create-tar.sh and add tar_stamps for package definitions +- added patches imported from SLE flavour + * mozilla-gcc-internal-compiler-error.patch + * mozilla-bmo1005535.patch + * mozilla-ppc-altivec_static_inline.patch + * mozilla-reduce-rust-debuginfo.patch + * mozilla-s390-bigendian.patch + * mozilla-s390-context.patch + +------------------------------------------------------------------- +Mon Jul 2 14:15:17 UTC 2019 - Martin Liška + +- Enable PGO for x86_64. + * added firefox-add-kde.js-in-order-to-survive-PGO-build.patch + +------------------------------------------------------------------- +Thu Jun 20 06:20:59 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 67.0.4 + MFSA 2019-19 (boo#1138872) + * CVE-2019-11708 (bmo#1559858) + sandbox escape using Prompt:Open + +------------------------------------------------------------------- +Tue Jun 18 18:36:15 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 67.0.3 + MFSA 2019-18 (boo#1138614) + * CVE-2019-11707 (bmo#1544386) + Type confusion in Array.pop + +------------------------------------------------------------------- +Thu Jun 12 14:56:32 UTC 2019 - Manfred Hollstein + +- Mozilla Firefox 67.0.2 + * Fixed: Fix JavaScript error ("TypeError: data is null in + PrivacyFilter.jsm") in console which may significantly degrade + sessionstore reliability and performance (bmo#1553413) + * Fixed: Proxy authentication dialog box repeatedly pops up + asking to authenticate after upgrading to Firefox 67 (bmo#1548804) + * Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's + implementation (bmo#1551282) + * Fixed: Starting in safe mode on Linux or macOS causes Firefox + to think on the subsequent launch that the profile is too + recent to be used with this version of Firefox (bmo#1556612) + * Fixed: Linux distribution users can't easily install/use + additional/different 
languages using the built-in preferences + UI (bmo#1554744) + * Fixed: Developer tools users can't copy the href/src content + from various HTML tags via the context menu in the Inspector + markup view (bmo#1552275) + * Fixed: Custom home page is broken with clearing data on shutdown + settings applied (bmo#1554167) + * Fixed: Performance-regression for eclipse RAP based applications + (bmo#1555962) + * Fixed: macOS 10.15 crash fix (bmo#1556076) + * Fixed: Can't start two downloads in parallel via + anymore (bmo#1542912) + +------------------------------------------------------------------- +Thu Jun 6 06:49:51 UTC 2019 - Manfred Hollstein + +- Mozilla Firefox 67.0.1 + * enable enhanced tracking protection by default for new users + * upgrade of Facebook container to version 2.0 + * new version of Firefox Lockwise (password management) + * new version of Firefox Monitor + * Firefox Send improvements + +------------------------------------------------------------------- +Sun May 19 20:40:30 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 67.0 + * Firefox 67 will be able to run different Firefox installs side by side + https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/ + * Tabs can now be pinned from the Page Actions menu in the address bar + * Users can block known cryptominers and fingerprinters in the + Custom settings or their Content Blocking preferences + * The Import Data from Another Browser feature is now also available + from the File menu + * Firefox will now protect you against running older versions which + can lead to data corruption and stability issues + * Easier access to your list of saved logins from the main menu and + login autocomplete + * We’ve added a toolbar menu for your Firefox Account to provide more + transparency for when you are synced, sharing data across devices + and with Firefox. 
Personalize the appearance of the menu with your + own avatar + * Enable FIDO U2F API, and permit registrations for Google Accounts + * Enabled AV1 support on Linux + MFSA 2019-13 (boo#1135824) + * CVE-2019-9815 (bmo#1546544) + Disable hyperthreading on content JavaScript threads on macOS + * CVE-2019-9816 (bmo#1536768) + Type confusion with object groups and UnboxedObjects + * CVE-2019-9817 (bmo#1540221) + Stealing of cross-domain images using canvas + * CVE-2019-9818 (bmo#1542581) (Windows only) + Use-after-free in crash generation server + * CVE-2019-9819 (bmo#1532553) + Compartment mismatch with fetch API + * CVE-2019-9820 (bmo#1536405) + Use-after-free of ChromeEventHandler by DocShell + * CVE-2019-9821 (bmo#1539125) + Use-after-free in AssertWorkerThread + * CVE-2019-11691 (bmo#1542465) + Use-after-free in XMLHttpRequest + * CVE-2019-11692 (bmo#1544670) + Use-after-free removing listeners in the event listener manager + * CVE-2019-11693 (bmo#1532525) + Buffer overflow in WebGL bufferdata on Linux + * CVE-2019-7317 (bmo#1542829) + Use-after-free in png_image_free of libpng library + * CVE-2019-11694 (bmo#1534196) (Windows only) + Uninitialized memory memory leakage in Windows sandbox + * CVE-2019-11695 (bmo#1445844) + Custom cursor can render over user interface outside of web content + * CVE-2019-11696 (bmo#1392955) + Java web start .JNLP files are not recognized as executable files + for download prompts + * CVE-2019-11697 (bmo#1440079) + Pressing key combinations can bypass installation prompt delays and + install extensions + * CVE-2019-11698 (bmo#1543191) + Theft of user history data through drag and drop of hyperlinks + to and from bookmarks + * CVE-2019-11700 (bmo#1549833) (Windows only) + res: protocol can be used to open known local files + * CVE-2019-11699 (bmo#1528939) + Incorrect domain name highlighting during page navigation + * CVE-2019-11701 (bmo#1518627) + webcal: protocol default handler loads vulnerable web page + * CVE-2019-9814 
(bmo#1527592, bmo#1534536, bmo#1520132, bmo#1543159, + bmo#1539393, bmo#1459932, bmo#1459182, bmo#1516425) + Memory safety bugs fixed in Firefox 67 + * CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136, + bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108, + bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097, + bmo#1532465, bmo#1533554, bmo#1541580) + Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 +- requires + * rust/cargo >= 1.32 + * mozilla-nspr >= 4.21 + * mozilla-nss >= 3.43 + * rust-cbindgen >= 0.8.2 +- rebased patches +- KDE integration for default browser detection is broken in this revision + +------------------------------------------------------------------- +Fri May 17 12:04:49 UTC 2019 - Guillaume GARDET + +- Fix armv7 build with: + * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch + +------------------------------------------------------------------- +Fri May 10 10:30:05 UTC 2019 - Manfred Hollstein + +- Mozilla Firefox 66.0.5 + * Fixed: Further improvements to re-enable web extensions which + had been disabled for users with a master password set (bmo#1549249) + +------------------------------------------------------------------- +Sun May 5 20:21:02 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 66.0.4 (boo#1134126) + * fix extension certificate chain + https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/ + +------------------------------------------------------------------- +Thu Apr 11 09:16:17 UTC 2019 - Manfred Hollstein + +- Mozilla Firefox 66.0.3 + * Fixed: Address bar on tablets running Windows 10 now behaves + correctly (bmo#1498973) + * Fixed: Performance issues with some HTML5 games (bmo#1537609) + * Fixed a bug with keypress events in IBM cloud applications + (bmo#1538970) + * Fix for keypress events in some Microsoft cloud applications + (bmo#1539618) + * Changed: Updated Baidu search plugin + 
+------------------------------------------------------------------- +Thu Mar 28 19:01:41 UTC 2019 - Manfred Hollstein + +- Mozilla Firefox 66.0.2 + * Fixed Web compatibility issues with Office 365, iCloud and + IBM WebMail caused by recent changes to the handling of + keyboard events (bmo#1538966) + * Crash fixes (bmo#1521370, bmo#1539118) + +------------------------------------------------------------------- +Thu Mar 28 09:58:36 UTC 2019 - Guillaume GARDET + +- Add patch to fix aarch64 build: + * mozilla-fix-aarch64-libopus.patch (bmo#1539737) + +------------------------------------------------------------------- +Fri Mar 22 22:22:08 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 66.0.1 + MFSA 2019-09 (bsc#1130262) + * CVE-2019-9810 (bmo#1537924) + IonMonkey MArraySlice has incorrect alias information + * CVE-2019-9813 (bmo#1538006) + Ionmonkey type confusion with __proto__ mutations + +------------------------------------------------------------------- +Sun Mar 17 10:08:51 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Firefox 66.0 + * Increased content processes to 8 + * Added capability to search through open tabs from the tab overflow menu + * New backend for the storage.local WebExtensions API, providing + I/O performance improvements when the extension updates a small + subset of the stored data + * WebExtension keyboard shortcuts can now be managed or overridden + from about:addons + * Improved scrolling behavior: Firefox will now attempt to keep content + from jumping around while a page is loading by supporting scroll + anchoring + * New about:privatebrowsing with search + * A certificate error page now notifies the user of the name of the + certificate issuer that breaks HTTPs connections on intercepted + connections to help troubleshooting possible anti-virus software + issues. + * Fixed an performance issue some Linux users experienced with the + Downloads panel (bmo#1517101) + * Firefox now blocks all autoplay media with sound by default. 
Users + can add individual sites to an exceptions list or turn the blocking + off. + * System title bar is hidden by default to match Gnome guideline + MFSA 2019-07 (bsc#1129821) + * CVE-2019-9790 (bmo#1525145) + Use-after-free when removing in-use DOM elements + * CVE-2019-9791 (bmo#1530958) + Type inference is incorrect for constructors entered through on-stack + replacement with IonMonkey + * CVE-2019-9792 (bmo#1532599) + IonMonkey leaks JS_OPTIMIZED_OUT magic value to script + * CVE-2019-9793 (bmo#1528829) + Improper bounds checks when Spectre mitigations are disabled + * CVE-2019-9794 (bmo#1530103) (Windows only) + Command line arguments not discarded during execution + * CVE-2019-9795 (bmo#1514682) + Type-confusion in IonMonkey JIT compiler + * CVE-2019-9796 (bmo#1531277) + Use-after-free with SMIL animation controller + * CVE-2019-9797 (bmo#1528909) + Cross-origin theft of images with createImageBitmap + * CVE-2019-9798 (bmo#1527534) (Android only) + Library is loaded from world writable APITRACE_LIB location + * CVE-2019-9799 (bmo#1505678) + Information disclosure via IPC channel messages + * CVE-2019-9801 (bmo#1527717) (Windows only) + Windows programs that are not 'URL Handlers' are exposed to web content + * CVE-2019-9802 (bmo#1415508) + Chrome process information leak + * CVE-2019-9803 (bmo#1515863, bmo#1437009) + Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation + * CVE-2019-9804 (bmo#1518026) (MacOS only) + Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS + * CVE-2019-9805 (bmo#1521360) + Potential use of uninitialized memory in Prio + * CVE-2019-9806 (bmo#1525267) + Denial of service through successive FTP authorization prompts + * CVE-2019-9807 (bmo#1362050) + Text sent through FTP connection can be incorporated into alert messages + * CVE-2019-9809 (bmo#1282430, bmo#1523249) + Denial of service through FTP modal alert error messages + * CVE-2019-9808 (bmo#1434634) + WebRTC permissions can display 
incorrect origin with data: and blob: URLs + * CVE-2019-9789 bmo#1520483, bmo#1522987, bmo#1528199, bmo#1519337, + bmo#1525549, bmo#1516179, bmo#1518524, bmo#1518331, bmo#1526579, + bmo#1512567, bmo#1524335, bmo#1448505, bmo#1518821 + Memory safety bugs fixed in Firefox 66 + * CVE-2019-9788 bmo#1518001, bmo#1521304, bmo#1521214, bmo#1506665, + bmo#1516834, bmo#1518774, bmo#1524755, bmo#1523362, bmo#1524214, bmo#1529203 + Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 +- updated build/runtime requirements + * mozilla-nss >= 3.42.1 + * cargo/rust >= 1.31 + * rust-cbindgen >= 0.6.8 + * nasm >= 2.13 (new) +- removed obsolete patch + * mozilla-bmo256180.patch + +------------------------------------------------------------------- Tue Mar 5 10:17:01 UTC 2019 - Stephan Kulow - Do not hardcode nodejs8 but leave the prefer to the distribution
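Review bot: The 68.1.0 entry (Fri Aug 30 2019) lists "CVE-2019-11735i", which has a stray trailing "i" and is not a valid identifier; it should read "CVE-2019-11735", as the 69.0 entry does for the same bug list. In the same entry, the CVE-2019-11736 line ends with a doubled parenthesis ("Windows only))"). In the 68.0 entry, the CVE-2019-11709 bug list is missing a comma after "bmo#1550498" at the end of its first line and then repeats "bmo#1550498" on the next line; one of the two is probably meant to be a different bug number. Two entry headers carry a weekday that does not match the date: "Mon Jul 2 14:15:17 UTC 2019" (2 July 2019 was a Tuesday) and "Thu Jun 12 14:56:32 UTC 2019" (12 June 2019 was a Wednesday). Please correct these before merging, since the CVE and bmo references in this file are what people use to check which fixes a given package revision contains.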