--- a/MozillaFirefox/MozillaFirefox.changes Wed May 02 09:28:53 2018 +0200
+++ b/MozillaFirefox/MozillaFirefox.changes Fri Jun 08 22:25:59 2018 +0200
@@ -1,14 +1,144 @@
-------------------------------------------------------------------
-Tue May 1 20:50:14 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 60.0b16
+Thu Jun 7 12:11:06 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 60.0.2
+ * requires NSS 3.36.4
+ MFSA 2018-14 (bsc#1096449)
+ * CVE-2018-6126 (bmo#1462682)
+ Heap buffer overflow rasterizing paths in SVG with Skia
+
+-------------------------------------------------------------------
+Wed Jun 6 18:57:52 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Add upstream patch to fix boo#1093059 instead of '-ffixed-x28'
+ workaround:
+ * mozilla-bmo1375074.patch
+
+-------------------------------------------------------------------
+Sat May 26 15:53:25 UTC 2018 - wr@rosenauer.org
+
+- fixed "open with" option under KDE (boo#1094747)
+- workaround crash on startup on aarch64 (boo#1093059)
+ (contributed by guillaume.gardet@arm.com)
+
+-------------------------------------------------------------------
+Wed May 23 08:49:09 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Disable webrtc for aarch64 due to bmo#1434589
+- Add patch to fix skia build on AArch64:
+ * mozilla-fix-skia-aarch64.patch
+
+-------------------------------------------------------------------
+Thu May 17 14:01:18 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 60.0.1
+ * Avoid overly long cycle collector pauses with some add-ons installed
+ (bmo#1449033)
+ * After unckecking the "Sponsored Stories" option, the New Tab page
+ now immediately stops displaying "Sponsored content" cards (bmo#1458906)
+ * On touchscreen devices, fixed momentum scrolling on non-zoomable pages
+ (bmo#1457743)
+ * Use the right default background when opening tabs or windows in
+ high contrast mode (bmo#1458956)
+ * Restored translations of the Preferences panels when using a
+ language pack (bmo#1461590)
+
+-------------------------------------------------------------------
+Mon May 14 13:37:38 UTC 2018 - pcerny@suse.com
+
+- parellelise locales building
+
+-------------------------------------------------------------------
+Mon May 7 08:32:28 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 60.0
+ * Added a policy engine that allows customized Firefox deployments
+ in enterprise environments, using Windows Group Policy or a
+ cross-platform JSON file
+ * Applied Quantum CSS to render browser UI
+ * Added support for Web Authentication, allowing the use of USB
+ tokens for authentication to web sites
+ * Locale added: Occitan (oc)
+ MFSA 2018-11 (bsc#1092548)
+ * CVE-2018-5154 (bmo#1443092)
+ Use-after-free with SVG animations and clip paths
+ * CVE-2018-5155 (bmo#1448774)
+ Use-after-free with SVG animations and text paths
+ * CVE-2018-5157 (bmo#1449898)
+ Same-origin bypass of PDF Viewer to view protected PDF files
+ * CVE-2018-5158 (bmo#1452075)
+ Malicious PDF can inject JavaScript into PDF Viewer
+ * CVE-2018-5159 (bmo#1441941)
+ Integer overflow and out-of-bounds write in Skia
+ * CVE-2018-5160 (bmo#1436117)
+ Uninitialized memory use by WebRTC encoder
+ * CVE-2018-5152 (bmo#1415644, bmo#1427289)
+ WebExtensions information leak through webRequest API
+ * CVE-2018-5153 (bmo#1436809)
+ Out-of-bounds read in mixed content websocket messages
+ * CVE-2018-5163 (bmo#1426353)
+ Replacing cached data in JavaScript Start-up Bytecode Cache
+ * CVE-2018-5164 (bmo#1416045)
+ CSP not applied to all multipart content sent with
+ multipart/x-mixed-replace
+ * CVE-2018-5166 (bmo#1437325)
+ WebExtension host permission bypass through filterReponseData
+ * CVE-2018-5167 (bmo#1447969)
+ Improper linkification of chrome: and javascript: content in
+ web console and JavaScript debugger
+ * CVE-2018-5168 (bmo#1449548)
+ Lightweight themes can be installed without user interaction
+ * CVE-2018-5169 (bmo#1319157)
+ Dragging and dropping link text onto home button can set home page
+ to include chrome pages
+ * CVE-2018-5172 (bmo#1436482)
+ Pasted script from clipboard can run in the Live Bookmarks page
+ or PDF viewer
+ * CVE-2018-5173 (bmo#1438025)
+ File name spoofing of Downloads panel with Unicode characters
+ * CVE-2018-5174 (bmo#1447080) (Windows-only)
+ Windows Defender SmartScreen UI runs with less secure behavior
+ for downloaded files in Windows 10 April 2018 Update
+ * CVE-2018-5175 (bmo#1432358)
+ Universal CSP bypass on sites using strict-dynamic in their policies
+ * CVE-2018-5176 (bmo#1442840)
+ JSON Viewer script injection
+ * CVE-2018-5177 (bmo#1451908)
+ Buffer overflow in XSLT during number formatting
+ * CVE-2018-5165 (bmo#1451452)
+ Checkbox for enabling Flash protected mode is inverted in 32-bit
+ Firefox
+ * CVE-2018-5180 (bmo#1444086)
+ heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
+ * CVE-2018-5181 (bmo#1424107)
+ Local file can be displayed in noopener tab through drag and
+ drop of hyperlink
+ * CVE-2018-5182 (bmo#1435908)
+ Local file can be displayed from hyperlink dragged and dropped
+ on addressbar
+ * CVE-2018-5151
+ Memory safety bugs fixed in Firefox 60
+ * CVE-2018-5150
+ Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
- removed obsolete patches
0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
+ mozilla-bmo1005535.patch
- requires NSPR 4.19 and NSS 3.36.1
-
--------------------------------------------------------------------
-Tue May 1 18:45:02 UTC 2018 - astieger@suse.com
-
+- requires rust 1.24 or higher
+- use upstream source archive and detached signature for
+ source verification
+
+-------------------------------------------------------------------
+Thu May 3 14:33:37 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Fix armv7 build by:
+ * adding RUSTFLAGS="-Cdebuginfo=0"
+ * updating _constraints for %arm
+
+-------------------------------------------------------------------
+Wed May 2 20:46:37 UTC 2018 - wr@rosenauer.org
+
+- do not try CSD on kwin (boo#1091592)
- fix build in openSUSE:Leap:42.3:Update, use gcc7
-------------------------------------------------------------------