--- a/MozillaFirefox/MozillaFirefox.changes Tue Mar 13 20:14:07 2018 +0100
+++ b/MozillaFirefox/MozillaFirefox.changes Tue Mar 13 20:14:45 2018 +0100
@@ -1,7 +1,50 @@
-------------------------------------------------------------------
-Tue Mar 6 08:27:05 UTC 2018 - wr@rosenauer.org
+Sun Mar 11 22:12:12 UTC 2018 - wr@rosenauer.org
- update to Firefox 59.0
+ * Performance enhancements
+ * Drag-and-drop to rearrange Top Sites on the Firefox Home page
+ * added features for Firefox Screenshots
+ * Enhanced WebExtensions API
+ * Improved RTC capabilities
+ MFSA 2018-06 (bsc#1085130)
+ * CVE-2018-5127 (bmo#1430557)
+ Buffer overflow manipulating SVG animatedPathSegList
+ * CVE-2018-5128 (bmo#1431336)
+ Use-after-free manipulating editor selection ranges
+ * CVE-2018-5129 (bmo#1428947)
+ Out-of-bounds write with malformed IPC messages
+ * CVE-2018-5130 (bmo#1433005)
+ Mismatched RTP payload type can trigger memory corruption
+ * CVE-2018-5131 (bmo#1440775)
+ Fetch API improperly returns cached copies of no-store/no-cache resources
+ * CVE-2018-5132 (bmo#1408194)
+ WebExtension Find API can search privileged pages
+ * CVE-2018-5133 (bmo#1430511, bmo#1430974)
+ Value of the app.support.baseURL preference is not properly sanitized
+ * CVE-2018-5134 (bmo#1429379)
+ WebExtensions may use view-source: URLs to bypass content restrictions
+ * CVE-2018-5135 (bmo#1431371)
+ WebExtension browserAction can inject scripts into unintended contexts
+ * CVE-2018-5136 (bmo#1419166)
+ Same-origin policy violation with data: URL shared workers
+ * CVE-2018-5137 (bmo#1432870)
+ Script content can access legacy extension non-contentaccessible resources
+ * CVE-2018-5138 (bmo#1432624) (Android only)
+ Android Custom Tab address spoofing through long domain names
+ * CVE-2018-5140 (bmo#1424261)
+ Moz-icon images accessible to web content through moz-icon: protocol
+ * CVE-2018-5141 (bmo#1429093)
+ DOS attack through notifications Push API
+ * CVE-2018-5142 (bmo#1366357)
+ Media Capture and Streams API permissions display incorrect origin
+ with data: and blob: URLs
+ * CVE-2018-5143 (bmo#1422643)
+ Self-XSS pasting javascript: URL with embedded tab into addressbar
+ * CVE-2018-5126
+ Memory safety bugs fixed in Firefox 59
+ * CVE-2018-5125
+ Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
- requires NSPR 4.18 and NSS 3.35
- requires rust >= 1.22.1
- removed obsolete patches:
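Review bot: the MFSA 2018-06 list jumps from CVE-2018-5138 straight to CVE-2018-5140, and the two closing entries (CVE-2018-5126 and CVE-2018-5125) are the only ones without a bmo# reference. Please check the list against the advisory and either add the missing entry or confirm the gap is intentional, so that anyone searching this changelog for a CVE or bug number to verify patch status gets a reliable answer. Separately, the entry timestamp is rewritten in place from "Tue Mar 6" to "Sun Mar 11" while the "update to Firefox 59.0" line stays the same; if the Mar 6 entry had already been published, a fresh entry would preserve the history better than amending the existing one.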
@@ -28,7 +71,7 @@
- update to Firefox 58.0.1
MFSA 2018-05
- * Arbitrary code execution through unsanitized browser UI (bmo#1432966)
+ * Arbitrary code execution through unsanitized browser UI (bmo#1432966)
- use correct language packs
- readd mozilla-enable-csd.patch as it only lands for FF59 upstream
- allow larger number of nested elements (mozilla-bmo256180.patch)
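Review bot: the removed and added "Arbitrary code execution through unsanitized browser UI (bmo#1432966)" lines under MFSA 2018-05 read identically, so this looks like a whitespace-only change to an older 58.0.1 entry. It is harmless, but it is unrelated to the 59.0 security update above; consider dropping it from this change or mentioning the whitespace cleanup in the commit message so the touched advisory line is not mistaken for a content change.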