Revisions of MozillaFirefox
Dominique Leuenberger (dimstar_suse)
accepted
request 978314
from
Wolfgang Rosenauer (wrosenauer)
(revision 366)
- Mozilla Firefox 100.0.2
MFSA 2022-19 (bsc#1199768)
* CVE-2022-1802 (bmo#1770137)
Prototype pollution in Top-Level Await implementation
* CVE-2022-1529 (bmo#1770048)
Untrusted input used in JavaScript object indexing, leading
to prototype pollution
- Mozilla Firefox 100.0.1:
* Fixed: Fixed an issue with subtitles in Picture-in-Picture
mode while using Netflix (bmo#1768818)
* Fixed: Fixed an issue where some commands were unavailable in
the Picture-in-Picture window (bmo#1768201)
Dominique Leuenberger (dimstar_suse)
accepted
request 974815
from
Wolfgang Rosenauer (wrosenauer)
(revision 365)
- Mozilla Firefox 100.0
* subtitle support in PiP
* spell checking supports multiple languages in parallel
* more details here
https://www.mozilla.org/en-US/firefox/100.0/releasenotes
MFSA 2022-16 (boo#1198970)
* CVE-2022-29914 (bmo#1746448)
Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081)
Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674)
Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981)
iframe Sandbox bypass
* CVE-2022-29912 (bmo#1692655)
Reader mode bypassed SameSite cookies
* CVE-2022-29910 (bmo#1757138)
Firefox for Android forgot HTTP Strict Transport Security
settings
* CVE-2022-29915 (bmo#1751678)
Leaking cross-origin redirect through the Performance API
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
bmo#1762614, bmo#1762620, bmo#1764778)
Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
* CVE-2022-29918 (bmo#1744043, bmo#1747178, bmo#1753535,
bmo#1754017, bmo#1755847, bmo#1756172, bmo#1757477,
bmo#1758223, bmo#1760160, bmo#1761481, bmo#1761771)
Memory safety bugs fixed in Firefox 100
- requires NSS 3.77
Dominique Leuenberger (dimstar_suse)
accepted
request 969574
from
Wolfgang Rosenauer (wrosenauer)
(revision 364)
Dominique Leuenberger (dimstar_suse)
accepted
request 967154
from
Wolfgang Rosenauer (wrosenauer)
(revision 363)
- Mozilla Firefox 99.0
* You can now toggle Narrate in ReaderMode with the keyboard
shortcut "n."
* You can find added support for search—with or without
diacritics—in the PDF viewer.
* The Linux sandbox has been strengthened: processes exposed to web
content no longer have access to the X Window system (X11).
* Firefox now supports credit card autofill and capture in
Germany and France.
MFSA 2022-13 (bsc#1197903)
* CVE-2022-1097 (bmo#1745667)
Use-after-free in NSSToken objects
* CVE-2022-28281 (bmo#1755621)
Out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-28282 (bmo#1751609)
Use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28283 (bmo#1754066)
Missing security checks for fetching sourceMapURL
* CVE-2022-28284 (bmo#1754522)
Script could be executed via svg's use element
* CVE-2022-28285 (bmo#1756957)
Incorrect AliasSet used in JIT Codegen
* CVE-2022-28286 (bmo#1735265)
iframe contents could be rendered outside the border
* CVE-2022-28287 (bmo#1741515)
Text Selection could crash Firefox
* CVE-2022-24713 (bmo#1758509)
Denial of Service via complex regular expressions
* CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508,
bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776)
Dominique Leuenberger (dimstar_suse)
accepted
request 964778
from
Wolfgang Rosenauer (wrosenauer)
(revision 362)
- MozillaFirefox 98.0.2:
* Fixed: Fixed an issue preventing users from typing in Address
Bar after opening new tab and pressing cmd + enter
(bmo#1757376)
* Fixed: Fixed an issue causing some users to crash in out-of-
memory conditions (bmo#1757618)
* Fixed: Fixed an issue in session history which caused some
sites to fail to load (bmo#1758664)
* Fixed: Fixed an add-on specific compatibility issue
(bmo#1759162)
- Change mozilla-kde.patch to follow the GNOME registry
behavior for new MIME types to avoid opening downloaded files
without any inquiries (bsc#1197319)
- Add patch to fix start-up on aarch64:
* mozilla-bmo1757571.patch
- exclude slow cpus for building
- Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer,
faster buildhosts, as the others struggle to build FF.
- Mozilla Firefox 98.0.1:
* Yandex and Mail.ru have been removed as optional search
providers in the drop-down search menu in Firefox
Dominique Leuenberger (dimstar_suse)
accepted
request 960656
from
Wolfgang Rosenauer (wrosenauer)
(revision 361)
- Mozilla Firefox 98.0
* Firefox has a new optimized download flow
* other changes as documented here
https://www.mozilla.org/en-US/firefox/98.0/releasenotes
MFSA 2022-10 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421)
Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352)
iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979)
Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243)
Use-after-free in text reflows
* CVE-2022-26382 (bmo#1741888)
Autofill Text could be exfiltrated via side-channel attacks
* CVE-2022-26385 (bmo#1747526)
Use-after-free in thread shutdown
* CVE-2022-0843 (bmo#1746523, bmo#1749062, bmo#1749164, bmo#1749214,
bmo#1749610, bmo#1750032, bmo#1752100, bmo#1752405, bmo#1753612,
bmo#1754508)
Memory safety bugs fixed in Firefox 98
- requires NSS 3.75
- add mozilla-bmo1756347.patch to fix i586 build
- Remove bashisms ("source" and "function" keywords) from
mozilla.sh.in to ally with the #!/bin/sh shebang. If the end user
has either dash-sh package or busybox-sh to handle Bourn Shell
scripts rather than having bash-sh package, the script would
fail. Using "." instead of "source" and "create_langpack_link()"
function definition is enough to keep both sides sane,
Dominique Leuenberger (dimstar_suse)
accepted
request 955949
from
Wolfgang Rosenauer (wrosenauer)
(revision 360)
Dominique Leuenberger (dimstar_suse)
accepted
request 952887
from
Wolfgang Rosenauer (wrosenauer)
(revision 359)
- Mozilla Firefox 97.0
MFSA 2022-04 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during update
* CVE-2022-22755 (bmo#1309630)
XSL could have allowed JavaScript execution after a tab was closed
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22757 (bmo#1720098)
Remote Agent did not prevent local websites from connecting
* CVE-2022-22758 (bmo#1728742)
tel: links could have sent USSD codes to the dialer on
Firefox for Android
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22762 (bmo#1743931)
JavaScript Dialogs could have been displayed over other
domains on Firefox for Android
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
bmo#1748210, bmo#1748279)
Dominique Leuenberger (dimstar_suse)
accepted
request 949716
from
Wolfgang Rosenauer (wrosenauer)
(revision 358)
- Mozilla Firefox 96.0.3 (bsc#1195230)
* Fixed an issue that allowed unexpected data to be submitted in
some of our search telemetry (bmo#1752317)
Dominique Leuenberger (dimstar_suse)
accepted
request 948332
from
Wolfgang Rosenauer (wrosenauer)
(revision 357)
Dominique Leuenberger (dimstar_suse)
accepted
request 947863
from
Wolfgang Rosenauer (wrosenauer)
(revision 356)
Dominique Leuenberger (dimstar_suse)
accepted
request 946473
from
Wolfgang Rosenauer (wrosenauer)
(revision 355)
Dominique Leuenberger (dimstar_suse)
accepted
request 945699
from
Wolfgang Rosenauer (wrosenauer)
(revision 354)
- Mozilla Firefox 96.0
* https://www.mozilla.org/en-US/firefox/96.0/releasenotes
MFSA 2022-01 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071)
Calling into reportValidity could have lead to fullscreen
window spoof
* CVE-2022-22743 (bmo#1739220)
Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923)
Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389)
Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334)
Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382)
Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874)
Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720)
Iframe sandbox bypass with XSLT
* CVE-2022-22750 (bmo#1566608)
IPC passing of resource handles could have lead to sandbox
bypass
* CVE-2022-22749 (bmo#1705094)
Lack of URL restrictions when scanning QR codes
* CVE-2022-22748 (bmo#1705211)
Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856)
Leaking cross-origin URLs through securitypolicyviolation
event
Dominique Leuenberger (dimstar_suse)
accepted
request 943041
from
Wolfgang Rosenauer (wrosenauer)
(revision 353)
- Add upstream patches:
* mozilla-bmo1745560.patch: Fix build against wayland 1.20.
* mozilla-bmo1744896.patch: Create WaylandVsyncSource on window
creation
- Mozilla Firefox 95.0.2
* Addresses frequent crashes experienced by users with C/E/Z-Series
"Bobcat" CPUs running on Windows 7, 8, and 8.1.
- updated constraints for ppc and x86-64
Dominique Leuenberger (dimstar_suse)
accepted
request 941230
from
Wolfgang Rosenauer (wrosenauer)
(revision 352)
- Mozilla Firefox 95.0.1 (bsc#1193845)
* Fixed frequent
MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error
messages when trying to connect to various microsoft.com
domains (bmo#1745600)
* Fix for a WebRender crash on some Linux/X11 systems (bmo#1741956)
* Fix for a frequent Windows shutdown crash (bmo#1738984)
* Fix websites contrast issues for some Linux users with
Dark mode set at OS level (bmo#1740518)
Dominique Leuenberger (dimstar_suse)
accepted
request 936364
from
Wolfgang Rosenauer (wrosenauer)
(revision 351)
- Mozilla Firefox 95.0
* You can now move the Picture-in-Picture toggle button to the
opposite side of the video. Simply look for the new context menu
option Move Picture-in-Picture Toggle to Left (Right) Side.
* To better protect Firefox users against side-channel attacks such
as Spectre, Site Isolation is now enabled for all Firefox 95 users.
* https://www.mozilla.org/en-US/firefox/95.0/releasenotes
MFSA 2021-52 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* MOZ-2021-0010 (bmo#1735852)
Use-after-free in fullscreen objects on MacOS
* CVE-2021-43540 (bmo#1636629)
WebExtensions could have installed persistent ServiceWorkers
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43544 (bmo#1739934)
Dominique Leuenberger (dimstar_suse)
accepted
request 933355
from
Wolfgang Rosenauer (wrosenauer)
(revision 350)
Dominique Leuenberger (dimstar_suse)
accepted
request 929844
from
Wolfgang Rosenauer (wrosenauer)
(revision 349)
Dominique Leuenberger (dimstar_suse)
accepted
request 927811
from
Wolfgang Rosenauer (wrosenauer)
(revision 348)
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires - (re-)enable LTO on Tumbleweed - Rebase mozilla-sandbox-fips.patch to punch another hole in the sandbox containment, to be able to open /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. This fixes bsc#1191815 and bsc#1190141 - Add patch to fix build on aarch64 (bmo#1729124)
Dominique Leuenberger (dimstar_suse)
accepted
request 926026
from
Wolfgang Rosenauer (wrosenauer)
(revision 347)
Displaying revisions 61 - 80 of 426
