Revisions of MozillaFirefox
Dominique Leuenberger (dimstar_suse) accepted request 978314 from Wolfgang Rosenauer (wrosenauer) (revision 366)
- Mozilla Firefox 100.0.2
  MFSA 2022-19 (bsc#1199768)
  * CVE-2022-1802 (bmo#1770137) Prototype pollution in Top-Level Await implementation
  * CVE-2022-1529 (bmo#1770048) Untrusted input used in JavaScript object indexing, leading to prototype pollution
- Mozilla Firefox 100.0.1:
  * Fixed: Fixed an issue with subtitles in Picture-in-Picture mode while using Netflix (bmo#1768818)
  * Fixed: Fixed an issue where some commands were unavailable in the Picture-in-Picture window (bmo#1768201)

Dominique Leuenberger (dimstar_suse) accepted request 974815 from Wolfgang Rosenauer (wrosenauer) (revision 365)
- Mozilla Firefox 100.0
  * subtitle support in PiP
  * spell checking supports multiple languages in parallel
  * more details here https://www.mozilla.org/en-US/firefox/100.0/releasenotes
  MFSA 2022-16 (boo#1198970)
  * CVE-2022-29914 (bmo#1746448) Fullscreen notification bypass using popups
  * CVE-2022-29909 (bmo#1755081) Bypassing permission prompt in nested browsing contexts
  * CVE-2022-29916 (bmo#1760674) Leaking browser history with CSS variables
  * CVE-2022-29911 (bmo#1761981) iframe Sandbox bypass
  * CVE-2022-29912 (bmo#1692655) Reader mode bypassed SameSite cookies
  * CVE-2022-29910 (bmo#1757138) Firefox for Android forgot HTTP Strict Transport Security settings
  * CVE-2022-29915 (bmo#1751678) Leaking cross-origin redirect through the Performance API
  * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, bmo#1762614, bmo#1762620, bmo#1764778) Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
  * CVE-2022-29918 (bmo#1744043, bmo#1747178, bmo#1753535, bmo#1754017, bmo#1755847, bmo#1756172, bmo#1757477, bmo#1758223, bmo#1760160, bmo#1761481, bmo#1761771) Memory safety bugs fixed in Firefox 100
- requires NSS 3.77

Dominique Leuenberger (dimstar_suse) accepted request 969574 from Wolfgang Rosenauer (wrosenauer) (revision 364)

Dominique Leuenberger (dimstar_suse) accepted request 967154 from Wolfgang Rosenauer (wrosenauer) (revision 363)
- Mozilla Firefox 99.0
  * You can now toggle Narrate in ReaderMode with the keyboard shortcut "n."
  * You can find added support for search—with or without diacritics—in the PDF viewer.
  * The Linux sandbox has been strengthened: processes exposed to web content no longer have access to the X Window system (X11).
  * Firefox now supports credit card autofill and capture in Germany and France.
  MFSA 2022-13 (bsc#1197903)
  * CVE-2022-1097 (bmo#1745667) Use-after-free in NSSToken objects
  * CVE-2022-28281 (bmo#1755621) Out of bounds write due to unexpected WebAuthN Extensions
  * CVE-2022-28282 (bmo#1751609) Use-after-free in DocumentL10n::TranslateDocument
  * CVE-2022-28283 (bmo#1754066) Missing security checks for fetching sourceMapURL
  * CVE-2022-28284 (bmo#1754522) Script could be executed via svg's use element
  * CVE-2022-28285 (bmo#1756957) Incorrect AliasSet used in JIT Codegen
  * CVE-2022-28286 (bmo#1735265) iframe contents could be rendered outside the border
  * CVE-2022-28287 (bmo#1741515) Text Selection could crash Firefox
  * CVE-2022-24713 (bmo#1758509) Denial of Service via complex regular expressions
  * CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508, bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776)

Dominique Leuenberger (dimstar_suse) accepted request 964778 from Wolfgang Rosenauer (wrosenauer) (revision 362)
- MozillaFirefox 98.0.2:
  * Fixed: Fixed an issue preventing users from typing in Address Bar after opening new tab and pressing cmd + enter (bmo#1757376)
  * Fixed: Fixed an issue causing some users to crash in out-of-memory conditions (bmo#1757618)
  * Fixed: Fixed an issue in session history which caused some sites to fail to load (bmo#1758664)
  * Fixed: Fixed an add-on specific compatibility issue (bmo#1759162)
- Change mozilla-kde.patch to follow the GNOME registry behavior for new MIME types to avoid opening downloaded files without any inquiries (bsc#1197319)
- Add patch to fix start-up on aarch64:
  * mozilla-bmo1757571.patch
- exclude slow cpus for building
- Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer, faster buildhosts, as the others struggle to build FF.
- Mozilla Firefox 98.0.1:
  * Yandex and Mail.ru have been removed as optional search providers in the drop-down search menu in Firefox

Dominique Leuenberger (dimstar_suse) accepted request 960656 from Wolfgang Rosenauer (wrosenauer) (revision 361)
- Mozilla Firefox 98.0
  * Firefox has a new optimized download flow
  * other changes as documented here https://www.mozilla.org/en-US/firefox/98.0/releasenotes
  MFSA 2022-10 (bsc#1196900)
  * CVE-2022-26383 (bmo#1742421) Browser window spoof using fullscreen mode
  * CVE-2022-26384 (bmo#1744352) iframe allow-scripts sandbox bypass
  * CVE-2022-26387 (bmo#1752979) Time-of-check time-of-use bug when verifying add-on signatures
  * CVE-2022-26381 (bmo#1736243) Use-after-free in text reflows
  * CVE-2022-26382 (bmo#1741888) Autofill Text could be exfiltrated via side-channel attacks
  * CVE-2022-26385 (bmo#1747526) Use-after-free in thread shutdown
  * CVE-2022-0843 (bmo#1746523, bmo#1749062, bmo#1749164, bmo#1749214, bmo#1749610, bmo#1750032, bmo#1752100, bmo#1752405, bmo#1753612, bmo#1754508) Memory safety bugs fixed in Firefox 98
- requires NSS 3.75
- add mozilla-bmo1756347.patch to fix i586 build
- Remove bashisms ("source" and "function" keywords) from mozilla.sh.in to ally with the #!/bin/sh shebang. If the end user has either dash-sh package or busybox-sh to handle Bourne Shell scripts rather than having bash-sh package, the script would fail. Using "." instead of "source" and "create_langpack_link()" function definition is enough to keep both sides sane,

Dominique Leuenberger (dimstar_suse) accepted request 955949 from Wolfgang Rosenauer (wrosenauer) (revision 360)

Dominique Leuenberger (dimstar_suse) accepted request 952887 from Wolfgang Rosenauer (wrosenauer) (revision 359)
- Mozilla Firefox 97.0
  MFSA 2022-04 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows via Maintenance Service
  * CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission confirmation during update
  * CVE-2022-22755 (bmo#1309630) XSL could have allowed JavaScript execution after a tab was closed
  * CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have resulted in the dropped object being an executable
  * CVE-2022-22757 (bmo#1720098) Remote Agent did not prevent local websites from connecting
  * CVE-2022-22758 (bmo#1728742) tel: links could have sent USSD codes to the dialer on Firefox for Android
  * CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed script if the parent appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could be distinguished between script and non-script content-types
  * CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy directive was not enforced for framed extension pages
  * CVE-2022-22762 (bmo#1743931) JavaScript Dialogs could have been displayed over other domains on Firefox for Android
  * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, bmo#1748210, bmo#1748279)

Dominique Leuenberger (dimstar_suse) accepted request 949716 from Wolfgang Rosenauer (wrosenauer) (revision 358)
- Mozilla Firefox 96.0.3 (bsc#1195230)
  * Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry (bmo#1752317)

Dominique Leuenberger (dimstar_suse) accepted request 948332 from Wolfgang Rosenauer (wrosenauer) (revision 357)

Dominique Leuenberger (dimstar_suse) accepted request 947863 from Wolfgang Rosenauer (wrosenauer) (revision 356)

Dominique Leuenberger (dimstar_suse) accepted request 946473 from Wolfgang Rosenauer (wrosenauer) (revision 355)

Dominique Leuenberger (dimstar_suse) accepted request 945699 from Wolfgang Rosenauer (wrosenauer) (revision 354)
- Mozilla Firefox 96.0
  * https://www.mozilla.org/en-US/firefox/96.0/releasenotes
  MFSA 2022-01 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071) Calling into reportValidity could have lead to fullscreen window spoof
  * CVE-2022-22743 (bmo#1739220) Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923) Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389) Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334) Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382) Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874) Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720) Iframe sandbox bypass with XSLT
  * CVE-2022-22750 (bmo#1566608) IPC passing of resource handles could have lead to sandbox bypass
  * CVE-2022-22749 (bmo#1705094) Lack of URL restrictions when scanning QR codes
  * CVE-2022-22748 (bmo#1705211) Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856) Leaking cross-origin URLs through securitypolicyviolation event

Dominique Leuenberger (dimstar_suse) accepted request 943041 from Wolfgang Rosenauer (wrosenauer) (revision 353)
- Add upstream patches:
  * mozilla-bmo1745560.patch: Fix build against wayland 1.20.
  * mozilla-bmo1744896.patch: Create WaylandVsyncSource on window creation
- Mozilla Firefox 95.0.2
  * Addresses frequent crashes experienced by users with C/E/Z-Series "Bobcat" CPUs running on Windows 7, 8, and 8.1.
- updated constraints for ppc and x86-64

Dominique Leuenberger (dimstar_suse) accepted request 941230 from Wolfgang Rosenauer (wrosenauer) (revision 352)
- Mozilla Firefox 95.0.1 (bsc#1193845)
  * Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains (bmo#1745600)
  * Fix for a WebRender crash on some Linux/X11 systems (bmo#1741956)
  * Fix for a frequent Windows shutdown crash (bmo#1738984)
  * Fix websites contrast issues for some Linux users with Dark mode set at OS level (bmo#1740518)

Dominique Leuenberger (dimstar_suse) accepted request 936364 from Wolfgang Rosenauer (wrosenauer) (revision 351)
- Mozilla Firefox 95.0
  * You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.
  * To better protect Firefox users against side-channel attacks such as Spectre, Site Isolation is now enabled for all Firefox 95 users.
  * https://www.mozilla.org/en-US/firefox/95.0/releasenotes
  MFSA 2021-52 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120) URL leakage when navigating while executing asynchronous function
  * CVE-2021-43537 (bmo#1738237) Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091) Missing fullscreen and pointer lock notification when requesting both
  * CVE-2021-43539 (bmo#1739683) GC rooting failure when calling wasm instance methods
  * MOZ-2021-0010 (bmo#1735852) Use-after-free in fullscreen objects on MacOS
  * CVE-2021-43540 (bmo#1636629) WebExtensions could have installed persistent ServiceWorkers
  * CVE-2021-43541 (bmo#1696685) External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281) XMLHttpRequest error codes could have leaked the existence of an external protocol handler
  * CVE-2021-43543 (bmo#1738418) Bypass of CSP sandbox directive when embedding
  * CVE-2021-43544 (bmo#1739934)

Dominique Leuenberger (dimstar_suse) accepted request 933355 from Wolfgang Rosenauer (wrosenauer) (revision 350)

Dominique Leuenberger (dimstar_suse) accepted request 929844 from Wolfgang Rosenauer (wrosenauer) (revision 349)

Dominique Leuenberger (dimstar_suse) accepted request 927811 from Wolfgang Rosenauer (wrosenauer) (revision 348)
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
- (re-)enable LTO on Tumbleweed
- Rebase mozilla-sandbox-fips.patch to punch another hole in the sandbox containment, to be able to open /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. This fixes bsc#1191815 and bsc#1190141
- Add patch to fix build on aarch64 (bmo#1729124)

Dominique Leuenberger (dimstar_suse) accepted request 926026 from Wolfgang Rosenauer (wrosenauer) (revision 347)

Displaying revisions 61 - 80 of 426