diff -r 4babd1755310 -r d61b64679bb4 MozillaFirefox/MozillaFirefox.changes --- a/MozillaFirefox/MozillaFirefox.changes Tue Mar 13 20:14:07 2018 +0100 +++ b/MozillaFirefox/MozillaFirefox.changes Tue Mar 13 20:14:45 2018 +0100 
@@ -1,7 +1,50 @@ ------------------------------------------------------------------- -Tue Mar 6 08:27:05 UTC 2018 - wr@rosenauer.org +Sun Mar 11 22:12:12 UTC 2018 - wr@rosenauer.org - update to Firefox 59.0 + * Performance enhancements + * Drag-and-drop to rearrange Top Sites on the Firefox Home page + * added features for Firefox Screenshots + * Enhanced WebExtensions API + * Improved RTC capabilities + MFSA 2018-06 (bsc#1085130) + * CVE-2018-5127 (bmo#1430557) + Buffer overflow manipulating SVG animatedPathSegList + * CVE-2018-5128 (bmo#1431336) + Use-after-free manipulating editor selection ranges + * CVE-2018-5129 (bmo#1428947) + Out-of-bounds write with malformed IPC messages + * CVE-2018-5130 (bmo#1433005) + Mismatched RTP payload type can trigger memory corruption + * CVE-2018-5131 (bmo#1440775) + Fetch API improperly returns cached copies of no-store/no-cache resources + * CVE-2018-5132 (bmo#1408194) + WebExtension Find API can search privileged pages + * CVE-2018-5133 (bmo#1430511, bmo#1430974) + Value of the app.support.baseURL preference is not properly sanitized + * CVE-2018-5134 (bmo#1429379) + WebExtensions may use view-source: URLs to bypass content restrictions + * CVE-2018-5135 (bmo#1431371) + WebExtension browserAction can inject scripts into unintended contexts + * CVE-2018-5136 (bmo#1419166) + Same-origin policy violation with data: URL shared workers + * CVE-2018-5137 (bmo#1432870) + Script content can access legacy extension non-contentaccessible resources + * CVE-2018-5138 (bmo#1432624) (Android only) + Android Custom Tab address spoofing through long domain names + * CVE-2018-5140 (bmo#1424261) + Moz-icon images accessible to web content through moz-icon: protocol + * CVE-2018-5141 (bmo#1429093) + DOS attack through notifications Push API + * CVE-2018-5142 (bmo#1366357) + Media Capture and Streams API permissions display incorrect origin + with data: and blob: URLs + * CVE-2018-5143 (bmo#1422643) + Self-XSS pasting javascript: URL with 
embedded tab into addressbar + * CVE-2018-5126 + Memory safety bugs fixed in Firefox 59 + * CVE-2018-5125 + Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 - requires NSPR 4.18 and NSS 3.35 - requires rust >= 1.22.1 - removed obsolete patches: @@ -28,7 +71,7 @@ - update to Firefox 58.0.1 MFSA 2018-05 - * Arbitrary code execution through unsanitized browser UI (bmo#1432966) + * Arbitrary code execution through unsanitized browser UI (bmo#1432966) - use correct language packs - readd mozilla-enable-csd.patch as it only lands for FF59 upstream - allow larger number of nested elements (mozilla-bmo256180.patch)
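Review bot: In the first hunk (@@ -1,7 +1,50 @@), the CVE list under MFSA 2018-06 jumps from CVE-2018-5138 to CVE-2018-5140 and then ends with CVE-2018-5126 and CVE-2018-5125 out of numeric order and without a bmo# reference. Please check the list against the advisory so that no entry was dropped, and say on the two "Memory safety bugs fixed" lines that they are roll-up entries if that is why they have no bug number. The CVE-2018-5138 line is marked "(Android only)"; if this package is not built for Android, consider dropping it or keeping it only with that marker so that anyone tracking bsc#1085130 does not count it as a fix shipped here. The hunk also replaces the existing entry's timestamp ("Tue Mar 6 08:27:05 UTC 2018" becomes "Sun Mar 11 22:12:12 UTC 2018") instead of adding a new entry, which is worth a word in the commit message.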
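Review bot: In the second hunk (@@ -28,7 +71,7 @@), the removed and added "Arbitrary code execution through unsanitized browser UI (bmo#1432966)" lines read identically, so this appears to be a whitespace-only change to the older 58.0.1 entry. Either split it into its own cleanup commit or mention it in the commit message, so the history of a security entry is not changed silently alongside the 59.0 update. While touching this line, note that the MFSA 2018-05 item carries no CVE or bsc# reference, unlike the MFSA 2018-06 block, which has bsc#1085130; add them if they exist, for consistent tracking.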