diff -r af29b3ac33ae -r e8d4a33582b8 MozillaFirefox/MozillaFirefox.changes --- a/MozillaFirefox/MozillaFirefox.changes Tue Jun 26 07:37:04 2018 +0200 +++ b/MozillaFirefox/MozillaFirefox.changes Mon Dec 10 22:33:01 2018 +0100 
@@ -1,7 +1,124 @@ ------------------------------------------------------------------- +Mon Dec 10 21:25:38 UTC 2018 - Wolfgang Rosenauer + +- Mozilla Firefox 60.4.0esr: + MFSA 2018-29 +- requires NSS >= 3.36.6 + +------------------------------------------------------------------- +Tue Oct 23 20:35:31 UTC 2018 - astieger@suse.com + +- Mozilla Firefox 60.3.0esr: + * Various stability and regression fixes + MFSA 2018-27 bsc#1112852 + * CVE-2018-12392 bmo#1492823 + Crash with nested event loops + * CVE-2018-12393 bmo#1495011 + Integer overflow during Unicode conversion while loading + JavaScript + * CVE-2018-12395 bmo#1467523 + WebExtension bypass of domain restrictions through header + rewriting + * CVE-2018-12396 bmo#1483602 + WebExtension content scripts can execute in disallowed + contexts + * CVE-2018-12397 bmo#1487478 + WebExtension local file access vulnerability + * CVE-2018-12389 bmo#1498460, bmo#1499198 + Memory safety bugs fixed in Firefox ESR 60.3 + * CVE-2018-12390 bmo#1487098 bmo#1487660 bmo#1490234 bmo#1496159 + bmo#1443748 bmo#1496340 bmo#1483905 bmo#1493347 bmo#1488803 + bmo#1498701 bmo#1498482 bmo#1442010 bmo#1495245 bmo#1483699 + bmo#1469486 bmo#1484905 bmo#1490561 bmo#1492524 bmo#1481844 + Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 + +------------------------------------------------------------------- +Tue Oct 2 21:28:31 UTC 2018 - astieger@suse.com + +- Mozilla Firefox 60.2.2esr: + MFSA 2018-24 + * CVE-2018-12386 (bsc#1110506, bmo#1493900) + Type confusion in JavaScript allowed remote code execution + * CVE-2018-12387 (bsc#1110507, bmo#1493903) + Array.prototype.push stack pointer vulnerability may enable + exploits in the sandboxed content process + +------------------------------------------------------------------- +Thu Sep 27 10:51:37 UTC 2018 - olaf@aepfle.de + +- Avoid undefined behavior in IPC fd-passing code with + mozilla-bmo1436242.patch (boo#1094767, bmo#1436242) + 
+------------------------------------------------------------------- +Fri Sep 21 22:46:56 UTC 2018 - astieger@suse.com + +- Mozilla Firefox 60.2.1esr: + MFSA 2018-23 + * CVE-2018-12385 (boo#1109363, bmo#1490585) + Crash in TransportSecurityInfo due to cached data + * CVE-2018-12383 (boo#1107343, bmo#1475775) + Setting a master password did not delete unencrypted + previously stored passwords + * Fixed a startup crash affecting users migrating from older ESR + releases + * Clean up old NSS DB files after upgrading + +------------------------------------------------------------------- +Wed Sep 5 19:39:44 UTC 2018 - security@suse.com + +- Mozilla Firefox 60.2.0esr: + MFSA 2018-21 (bsc#1107343) + * CVE-2018-12377 (bmo#1470260) + Use-after-free in refresh driver timers + * CVE-2018-12378 (bmo#1459383) + Use-after-free in IndexedDB + * CVE-2017-16541 (bsc#1066489, bmo#1412081) + Proxy bypass using automount and autofs + * CVE-2018-12376 (bmo#69309,bmo#69914,bmo#50989,bmo#80092, + bmo#80517,bmo#81093,bmo#78575,bmo#71953,bmo#73161,bmo#66991, + bmo#68738,bmo#83120,bmo#67363,bmo#72925,bmo#66577,bmo#67889, + bmo#80521) + Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 +- unfuzz mozilla-kde.patch + +------------------------------------------------------------------- Sat Jun 23 13:10:32 UTC 2018 - wr@rosenauer.org - update to Firefox 60.1.0esr + MFSA 2018-16 (bsc#1098998) + * CVE-2018-12359 (bmo#1459162) + Buffer overflow using computed size of canvas element + * CVE-2018-12360 (bmo#1459693) + Use-after-free when using focus() + * CVE-2018-12361 (bmo#1463244) + Integer overflow in SwizzleData + * CVE-2018-12362 (bmo#1452375) + Integer overflow in SSSE3 scaler + * CVE-2018-5156 (bmo#1453127) + Media recorder segmentation fault when track type is changed during capture + * CVE-2018-12363 (bmo#1464784) + Use-after-free when appending DOM nodes + * CVE-2018-12364 (bmo#1436241) + CSRF attacks through 307 redirects and NPAPI plugins + * CVE-2018-12365 (bmo#1459206) + 
Compromised IPC child process can list local filenames + * CVE-2018-12371 (bmo#1465686) + Integer overflow in Skia library during edge builder allocation + * CVE-2018-12366 (bmo#1464039) + Invalid data handling during QCMS transformations + * CVE-2018-12367 (bmo#1462891) + Timing attack mitigation of PerformanceNavigationTiming + * CVE-2018-12369 (bmo#1454909) + WebExtension security permission checks bypassed by embedded experiments + * CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938, + bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568, + bmo#1463884) + Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1 + * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739, + bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576, + bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829, + bmo#1464079,bmo#1463494,bmo#1458048) + Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9 - remove obsolete patches mozilla-enable-csd.patch mozilla-fix-skia-aarch64.patch
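Review bot: In the 60.2.0esr entry (Wed Sep 5 2018), the bmo references listed under CVE-2018-12376 are only five digits long (bmo#69309, bmo#69914, bmo#50989 and the rest of that list), while every other bmo id in this changelog has seven digits. They look as if they lost their leading digits and will not resolve to the intended bugs, so please restore the full ids from MFSA 2018-21. Two smaller points in the same hunk: the 60.4.0esr entry names MFSA 2018-29 but, unlike the entries below it, lists no CVEs and no bsc/boo reference, which makes the update hard to track against a SUSE bug; and 1107343 is cited as bsc#1107343 for the whole of MFSA 2018-21 and again as boo#1107343 for CVE-2018-12383 in the 60.2.1esr entry, so it is worth confirming both uses are intended. The 60.3.0esr entry also drops the parentheses and comma separators used around bmo ids in the other entries; matching the existing style would keep the file consistent.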