diff -r 3604ed712e16 -r f63a4ac0fe06 MozillaFirefox/MozillaFirefox.changes --- a/MozillaFirefox/MozillaFirefox.changes Tue Jan 24 22:19:01 2017 +0100 +++ b/MozillaFirefox/MozillaFirefox.changes Sun Feb 12 08:42:06 2017 +0100 @@ -1,7 +1,14 @@ ------------------------------------------------------------------- +Fri Jan 27 20:25:59 UTC 2017 - astieger@suse.com + +- Mozilla Firefox 51.0.1: + - Multiprocess incompatibility did not correctly register with + some add-ons (bmo#1333423) + +------------------------------------------------------------------- Fri Jan 20 13:57:56 UTC 2017 - wr@rosenauer.org -- update to Firefox 51.0 (boo#) +- update to Firefox 51.0 * requires NSPR >= 4.13.1, NSS >= 3.28.1 * Added support for FLAC (Free Lossless Audio Codec) playback * Added support for WebGL 2 @@ -13,11 +20,65 @@ * View passwords from the prompt before saving them * Remove Belarusian (be) locale * Use Skia for content rendering (Linux) -- switch Firefox to Gtk3 for Tumbleweed and Leap >= 43 + * MFSA 2017-01 + CVE-2017-5375: Excessive JIT code allocation allows bypass of + ASLR and DEP (bmo#1325200, boo#1021814) + CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) + CVE-2017-5377: Memory corruption with transforms to create + gradients in Skia (bmo#1306883, boo#1021826) + CVE-2017-5378: Pointer and frame data leakage of Javascript objects + (bmo#1312001, bmo#1330769, boo#1021818) + CVE-2017-5379: Use-after-free in Web Animations + (bmo#1309198,boo#1021827) + CVE-2017-5380: Potential use-after-free during DOM manipulations + (bmo#1322107, boo#1021819) + CVE-2017-5390: Insecure communication methods in Developer Tools + JSON viewer (bmo#1297361, boo#1021820) + CVE-2017-5389: WebExtensions can install additional add-ons via + modified host requests (bmo#1308688, boo#1021828) + CVE-2017-5396: Use-after-free with Media Decoder + (bmo#1329403, boo#1021821) + CVE-2017-5381: Certificate Viewer exporting can be used to navigate + and save to arbitrary filesystem locations + (bmo#1017616, boo#1021830) + CVE-2017-5382: Feed preview can expose privileged content errors + and exceptions (bmo#1295322, boo#1021831) + CVE-2017-5383: Location bar spoofing with unicode characters + (bmo#1323338, bmo#1324716, boo#1021822) + CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) + (bmo#1255474, boo#1021832) + CVE-2017-5385: Data sent in multipart channels ignores referrer-policy + response headers (bmo#1295945, boo#1021833) + CVE-2017-5386: WebExtensions can use data: protocol to affect other + extensions (bmo#1319070, boo#1021823) + CVE-2017-5394: Android location bar spoofing using fullscreen and + JavaScript events (bmo#1222798) + CVE-2017-5391: Content about: pages can load privileged about: pages + (bmo#1309310, boo#1021835) + CVE-2017-5392: Weak references using multiple threads on weak proxy + objects lead to unsafe memory usage (bmo#1293709) + (Android only) + CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for + mozAddonManager (bmo#1309282, boo#1021837) + CVE-2017-5395: Android location bar spoofing during scrolling + (bmo#1293463) (Android only) + CVE-2017-5387: Disclosure of local file existence through TRACK + tag error messages (bmo#1295023, boo#1021839) + CVE-2017-5388: WebRTC can be used to generate a large amount of + UDP traffic for DDOS attacks + (bmo#1281482, boo#1021840) + CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841) + CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and + Firefox ESR 45.7 (boo#1021824) +- switch Firefox to Gtk3 for Tumbleweed - removed obsolete patches * mozilla-flex_buffer_overrun.patch - updated RPM locale support tag - improve recognition of LANGUAGE env variable (boo#1017174) +- add upstream patch to fix PPC64LE (bmo#1319389) + (mozilla-skia-ppc-endianess.patch) +- fix build without skia (big endian archs) (bmo#1319374) + (mozilla-disable-skia-be.patch) ------------------------------------------------------------------- Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org