diff -r 4b65b5cfd428 -r 0b1f7ee785d3 xulrunner/xulrunner.changes --- a/xulrunner/xulrunner.changes Wed Sep 18 16:26:48 2013 +0200 +++ b/xulrunner/xulrunner.changes Sat Sep 28 13:21:55 2013 +0200 
@@ -1,3 +1,186 @@ +------------------------------------------------------------------- +Wed Sep 18 14:39:34 UTC 2013 - wr@rosenauer.org + +- update to 24.0 (bnc#840485) + * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719 + Miscellaneous memory safety hazards + * MFSA 2013-77/CVE-2013-1720 (bmo#888820) + Improper state in HTML5 Tree Builder with templates + * MFSA 2013-78/CVE-2013-1721 (bmo#890277) + Integer overflow in ANGLE library + * MFSA 2013-79/CVE-2013-1722 (bmo#893308) + Use-after-free in Animation Manager during stylesheet cloning + * MFSA 2013-80/CVE-2013-1723 (bmo#891292) + NativeKey continues handling key messages after widget is destroyed + * MFSA 2013-81/CVE-2013-1724 (bmo#894137) + Use-after-free with select element + * MFSA 2013-82/CVE-2013-1725 (bmo#876762) + Calling scope for new Javascript objects can lead to memory corruption + * MFSA 2013-85/CVE-2013-1728 (bmo#883686) + Uninitialized data in IonMonkey + * MFSA 2013-88/CVE-2013-1730 (bmo#851353) + Compartment mismatch re-attaching XBL-backed nodes + * MFSA 2013-89/CVE-2013-1732 (bmo#883514) + Buffer overflow with multi-column, lists, and floats + * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301) + Memory corruption involving scrolling + * MFSA 2013-91/CVE-2013-1737 (bmo#907727) + User-defined properties on DOM proxies get the wrong "this" object + * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897) + GC hazard with default compartments and frame chain restoration +- require NSPR 4.10 and NSS 3.15.1 + +------------------------------------------------------------------- +Fri Aug 2 10:56:43 UTC 2013 - wr@rosenauer.org + +- update to 17.0.8esr (bnc#833389) + * MFSA 2013-63/CVE-2013-1701 + Miscellaneous memory safety hazards + * MFSA 2013-68/CVE-2013-1709 (bmo#838253) + Document URI misrepresentation and masquerading + * MFSA 2013-69/CVE-2013-1710 (bmo#871368) + CRMF requests allow for code execution and XSS attacks + * MFSA 2013-72/CVE-2013-1713 (bmo#887098) + Wrong principal used for 
validating URI for some Javascript + components + * MFSA 2013-73/CVE-2013-1714 (bmo#879787) + Same-origin bypass with web workers and XMLHttpRequest + * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) + Local Java applets may read contents of local file system + +------------------------------------------------------------------- +Mon Jun 24 15:26:27 UTC 2013 - wr@rosenauer.org + +- update to 17.0.7esr (bnc#825935) + * MFSA 2013-49/CVE-2013-1682 + Miscellaneous memory safety hazards + * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686 + Memory corruption found using Address Sanitizer + * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823) + Privileged content access and execution via XBL + * MFSA 2013-53/CVE-2013-1690 (bmo#857883) + Execution of unmapped memory through onreadystatechange event + * MFSA 2013-54/CVE-2013-1692 (bmo#866915) + Data in the body of XHR HEAD requests leads to CSRF attacks + * MFSA 2013-55/CVE-2013-1693 (bmo#711043) + SVG filters can lead to information disclosure + * MFSA 2013-56/CVE-2013-1694 (bmo#848535) + PreserveWrapper has inconsistent behavior + * MFSA 2013-59/CVE-2013-1697 (bmo#858101) + XrayWrappers can be bypassed to run user defined methods in a + privileged context + +------------------------------------------------------------------- +Tue Jun 4 16:24:51 UTC 2013 - dvaleev@suse.com + +- Fix build on powerpc (ppc-xpcshell.patch) + +------------------------------------------------------------------- +Fri May 10 17:27:23 UTC 2013 - wr@rosenauer.org + +- update to 17.0.6esr (bnc#819204) + * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669 + Miscellaneous memory safety hazards + * MFSA 2013-42/CVE-2013-1670 (bmo#853709) + Privileged access for content level constructor + * MFSA 2013-46/CVE-2013-1674 (bmo#860971) + Use-after-free with video and onresize event + * MFSA 2013-47/CVE-2013-1675 (bmo#866825) + Uninitialized functions in DOMSVGZoomEvent + * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/ + 
CVE-2013-1679/CVE-2013-1680/CVE-2013-1681 + Memory corruption found using Address Sanitizer + +------------------------------------------------------------------- +Fri Mar 29 16:27:59 UTC 2013 - wr@rosenauer.org + +- update to 17.0.5esr (bnc#813026) + * requires NSPR 4.9.5 and NSS 3.14.3 + * MFSA 2013-30/CVE-2013-0788 + Miscellaneous memory safety hazards + * MFSA 2013-31/CVE-2013-0800 (bmo#825721) + Out-of-bounds write in Cairo library + * MFSA 2013-35/CVE-2013-0796 (bmo#827106) + WebGL crash with Mesa graphics driver on Linux + * MFSA 2013-36/CVE-2013-0795 (bmo#825697) + Bypass of SOW protections allows cloning of protected nodes + * MFSA 2013-37/CVE-2013-0794 (bmo#626775) + Bypass of tab-modal dialog origin disclosure + * MFSA 2013-38/CVE-2013-0793 (bmo#803870) + Cross-site scripting (XSS) using timed history navigations + +------------------------------------------------------------------- +Fri Mar 8 09:00:09 UTC 2013 - wr@rosenauer.org + +- update to 17.0.4esr (bnc#808243) + * MFSA 2013-29/CVE-2013-0787 (bmo#848644) + Use-after-free in HTML Editor + +------------------------------------------------------------------- +Sat Feb 16 17:38:21 UTC 2013 - wr@rosenauer.org + +- update to 17.0.3esr (bnc#804248) + * MFSA 2013-21/CVE-2013-0783 + Miscellaneous memory safety hazards + * MFSA 2013-24/CVE-2013-0773 (bmo#809652) + Web content bypass of COW and SOW security wrappers + * MFSA 2013-25/CVE-2013-0774 (bmo#827193) + Privacy leak in JavaScript Workers + * MFSA 2013-26/CVE-2013-0775 (bmo#831095) + Use-after-free in nsImageLoadingContent + * MFSA 2013-27/CVE-2013-0776 (bmo#796475) + Phishing on HTTPS connection through malicious proxy + * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782 + Use-after-free, out of bounds read, and buffer overflow issues + found using Address Sanitizer + +------------------------------------------------------------------- +Sat Jan 5 14:46:06 UTC 2013 - wr@rosenauer.org + +- update to 17.0.2esr (bnc#796895) + * MFSA 
2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770 + Miscellaneous memory safety hazards + * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767 + CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829 + Use-after-free and buffer overflow issues found using Address Sanitizer + * MFSA 2013-03/CVE-2013-0768 (bmo#815795) + Buffer Overflow in Canvas + * MFSA 2013-04/CVE-2012-0759 (bmo#802026) + URL spoofing in addressbar during page loads + * MFSA 2013-05/CVE-2013-0744 (bmo#814713) + Use-after-free when displaying table with many columns and column groups + * MFSA 2013-07/CVE-2013-0764 (bmo#804237) + Crash due to handling of SSL on threads + * MFSA 2013-08/CVE-2013-0745 (bmo#794158) + AutoWrapperChanger fails to keep objects alive during garbage collection + * MFSA 2013-09/CVE-2013-0746 (bmo#816842) + Compartment mismatch with quickstubs returned values + * MFSA 2013-10/CVE-2013-0747 (bmo#733305) + Event manipulation in plugin handler to bypass same-origin policy + * MFSA 2013-11/CVE-2013-0748 (bmo#806031) + Address space layout leaked in XBL objects + * MFSA 2013-12/CVE-2013-0750 (bmo#805121) + Buffer overflow in Javascript string concatenation + * MFSA 2013-13/CVE-2013-0752 (bmo#805024) + Memory corruption in XBL with XML bindings containing SVG + * MFSA 2013-14/CVE-2013-0757 (bmo#813901) + Chrome Object Wrapper (COW) bypass through changing prototype + * MFSA 2013-15/CVE-2013-0758 (bmo#813906) + Privilege escalation through plugin objects + * MFSA 2013-16/CVE-2013-0753 (bmo#814001) + Use-after-free in serializeToStream + * MFSA 2013-17/CVE-2013-0754 (bmo#814026) + Use-after-free in ListenerManager + * MFSA 2013-18/CVE-2013-0755 (bmo#814027) + Use-after-free in Vibrate + * MFSA 2013-19/CVE-2013-0756 (bmo#814029) + Use-after-free in Javascript Proxy objects +- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743) +- build on SLE11 + * mozilla-gcc43-enums.patch + * mozilla-gcc43-template_hacks.patch + * mozilla-gcc43-templates_instantiation.patch + 
------------------------------------------------------------------- Thu Nov 29 20:04:34 UTC 2012 - wr@rosenauer.org
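Review bot: In the 17.0.2esr entry, the MFSA 2013-04 line cites CVE-2012-0759, while the other ids in that entry fall in the CVE-2013-0744 to CVE-2013-0771 range, so this looks like a year typo for CVE-2013-0759. Please check it against the advisory, because a wrong id would mislead anyone matching this changelog against a CVE list. CVE-2012-5829 under MFSA 2013-02 is a different case: its number lies outside that range, so it may be a genuine 2012 id. Separately, the NSPR/NSS requirement is written three ways across the entries ("- require NSPR 4.10 and NSS 3.15.1", "* requires NSPR 4.9.5 and NSS 3.14.3", "- requires NSS 3.14.1"); use one wording and one bullet level.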