Revisions of MozillaFirefox
Dominique Leuenberger (dimstar_suse)
accepted
request 867008
from
Wolfgang Rosenauer (wrosenauer)
(revision 327)
- Mozilla Firefox 85.0
* Adobe Flash is completely history
* supercookie protection
* new bookmark handling and features
MFSA 2021-03 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2021-23955 (bmo#1684837)
Clickjacking across tabs through misusing requestPointerLock
* CVE-2021-23956 (bmo#1338637)
File picker dialog could have been used to disclose a
complete directory
* CVE-2021-23957 (bmo#1584582)
Iframe sandbox could have been bypassed on Android via the
intent URL scheme
* CVE-2021-23958 (bmo#1642747)
Screen sharing permission leaked across tabs
* CVE-2021-23959 (bmo#1659035)
Cross-Site Scripting in error pages on Firefox for Android
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23962 (bmo#1677194)
Use-after-poison in
Dominique Leuenberger (dimstar_suse)
accepted
request 862423
from
Wolfgang Rosenauer (wrosenauer)
(revision 326)
Dominique Leuenberger (dimstar_suse)
accepted
request 861466
from
Wolfgang Rosenauer (wrosenauer)
(revision 325)
Dominique Leuenberger (dimstar_suse)
accepted
request 859835
from
Wolfgang Rosenauer (wrosenauer)
(revision 324)
- Mozilla Firefox 84.0.1
* Fixed problems loading secure websites and crashes for users
with certain third-party PKCS11 modules and smartcards installed
(bmo#1682881) (fixed in NSS 3.59.1)
* Fixed a bug causing some Unity JS games to not load on Apple
Silicon devices due to improper detection of the OS version
(bmo#1680516)
- requires NSS 3.59.1
Dominique Leuenberger (dimstar_suse)
accepted
request 856849
from
Wolfgang Rosenauer (wrosenauer)
(revision 323)
- Mozilla Firefox 84.0
* Firefox 84 is the final release to support Adobe Flash
* WebRender is enabled by default when run on GNOME-based X11
Linux desktops
MFSA 2020-54 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26972 (bmo#1671382)
Use-After-Free in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26975 (bmo#1661071)
Malicious applications on Android could have induced Firefox
for Android into sending arbitrary attacker-specified headers
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2020-26977 (bmo#1676311)
URL spoofing via unresponsive port in Firefox for Android
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-26979 (bmo#1641287, bmo#1673299)
When entering an address in the address or search bars, a
Dominique Leuenberger (dimstar_suse)
accepted
request 849574
from
Wolfgang Rosenauer (wrosenauer)
(revision 322)
- Mozilla Firefox 83.0
* major update for SpiderMonkey improving performance significantly
* optional HTTPS-Only mode
* more improvements
https://www.mozilla.org/en-US/firefox/83.0/releasenotes/
MFSA 2020-50 (bsc#1178824))
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-26952 (bmo#1667685)
Out of memory handling of JITed, inlined functions could lead
to a memory corruption
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security UI
* CVE-2020-26954 (bmo#1657026)
Local spoofing of web manifests for arbitrary pages in
Firefox for Android
* CVE-2020-26955 (bmo#1663261)
Cookies set during file downloads are shared between normal
and Private Browsing Mode in Firefox for Android
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26957 (bmo#1667179)
OneCRL was not working in Firefox for Android
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
Dominique Leuenberger (dimstar_suse)
accepted
request 847338
from
Wolfgang Rosenauer (wrosenauer)
(revision 321)
- Mozilla Firefox 82.0.3
MSFA 2020-49
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted for
- Mozilla Firefox 82.0.2
* few bugfixes for introduced regressions
Dominique Leuenberger (dimstar_suse)
accepted
request 843274
from
Wolfgang Rosenauer (wrosenauer)
(revision 320)
- Mozilla Firefox 82.0
* https://www.mozilla.org/en-US/firefox/82.0/releasenotes/
MFSA 2020-45 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570)
Use-after-free in usersctp
* CVE-2020-15254 (bmo#1668514)
Undefined behavior in bounded channel of crossbeam rust crate
* CVE-2020-15680 (bmo#1658881)
Presence of external protocol handlers could be determined
through image tags
* CVE-2020-15681 (bmo#1666568)
Multiple WASM threads may have overwritten each others' stub
table entries
* CVE-2020-15682 (bmo#1636654)
The domain associated with the prompt to open an external
protocol could be spoofed to display the incorrect origin
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
bmo#1662760, bmo#1663439, bmo#1666140)
Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* CVE-2020-15684 (bmo#1653764, bmo#1661402, bmo#1662259,
bmo#1664257)
Memory safety bugs fixed in Firefox 82
- requires
* NSPR 4.29
* NSS 3.57
Dominique Leuenberger (dimstar_suse)
accepted
request 839098
from
Wolfgang Rosenauer (wrosenauer)
(revision 319)
- Mozilla Firefox 81.0.1
* https://www.mozilla.org/en-US/firefox/81.0.1/releasenotes/
- remove obsolete python2 build requires
- Increase disk requirements in _constraints to match current needs
- Mozilla Firefox 81.0
* https://www.mozilla.org/en-US/firefox/81.0/releasenotes
MFSA 2020-42 (bsc#1176756)
* CVE-2020-15675 (bmo#1654211)
Use-After-Free in WebGL
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
* CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293)
Memory safety bugs fixed in Firefox 81
- requires
NSPR 4.28
NSS 3.56
- removed obsolete patches
* mozilla-system-nspr.patch
* mozilla-bmo1661715.patch
Dominique Leuenberger (dimstar_suse)
accepted
request 829621
from
Wolfgang Rosenauer (wrosenauer)
(revision 318)
- Mozilla Firefox 80.0
MFSA 2020-36 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-12401 (bmo#1631573)
Timing-attack on ECDSA signature generation
* CVE-2020-6829 (bmo#1631583)
P-384 and P-521 vulnerable to an electro-magnetic side
channel attack on signature generation
* CVE-2020-12400 (bmo#1623116)
P-384 and P-521 vulnerable to a side channel attack on
modular inversion
* CVE-2020-15665 (bmo#1651636)
Address bar not reset when choosing to stay on a page after
the beforeunload dialog is shown
* CVE-2020-15666 (bmo#1450853)
MediaError message property leaks cross-origin response
status
* CVE-2020-15667 (bmo#1653371)
Heap overflow when processing an update file
* CVE-2020-15668 (bmo#1651520)
Data Race when reading certificate information
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- requires
* NSPR 4.27
Dominique Leuenberger (dimstar_suse)
accepted
request 823315
from
Wolfgang Rosenauer (wrosenauer)
(revision 317)
- Mozilla Firefox 79.0
MFSA 2020-30 (bsc#1174538)
* CVE-2020-15652 (bmo#1634872)
Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514 (bmo#1642792)
WebRTC data channel leaks internal address to peer
* CVE-2020-15655 (bmo#1645204)
Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653 (bmo#1521542)
Bypassing iframe sandbox when allowing popups
* CVE-2020-6463 (bmo#1635293)
Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656 (bmo#1647293)
Type confusion for special arguments in IonMonkey
* CVE-2020-15658 (bmo#1637745)
Overriding file type when saving to disk
* CVE-2020-15657 (bmo#1644954)
DLL hijacking due to incorrect loading path
* CVE-2020-15654 (bmo#1648333)
Custom cursor can overlay user interface
* CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1638856,
bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646220,
bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678)
Memory safety bugs fixed in Firefox 79
- updated dependency requirements:
* mozilla-nspr >= 4.26
* mozilla-nss >= 3.54
* rust >= 1.43
* rust-cbindgen >= 0.14.3
- removed obsolete patch
Dominique Leuenberger (dimstar_suse)
accepted
request 821616
from
Wolfgang Rosenauer (wrosenauer)
(revision 316)
- Add mozilla-libavcodec58_91.patch to link against updated soversion of libavcodec (58.91) with ffmpeg >= 4.3. (patch provided by Atri Bhattacharya <badshah400@gmail.com> - enable MOZ_USE_XINPUT2 for TW (again) (boo#1173320) (Plasma 5.19.3 is now in TW)
Dominique Leuenberger (dimstar_suse)
accepted
request 820688
from
Wolfgang Rosenauer (wrosenauer)
(revision 315)
- Mozilla Firefox 78.0.2
* Fixed an accessibility regression in reader mode (bmo#1650922)
* Made the address bar more resilient to data corruption in the
user profile (bmo#1649981)
* Fixed a regression opening certain external applications (bmo#1650162)
MFSA 2020-28
* CVE pending (bmo#1644076)
X-Frame-Options bypass using object or embed tags
- added desktop file actions
- do not use XINPUT2 for the moment until Plasma 5.19.3 has landed
(boo#1173993)
- rework langpack integration (boo#1173991)
* ship XPIs instead of directories
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
- Google API key is not usable for geolocation service
- fix pipewire support for TW (boo#1172903)
Dominique Leuenberger (dimstar_suse)
accepted
request 818643
from
Wolfgang Rosenauer (wrosenauer)
(revision 314)
- Mozilla Firefox 78.0.1
* Fixed an issue which could cause installed search engines to not
be visible when upgrading from a previous release.
- enable MOZ_USE_XINPUT2 for TW (boo#1173320)
- Mozilla Firefox 78.0
* startup notifications now using Gtk instead of libnotify
* PDF downloads now show an option to open the PDF directly in Firefox
* Protections Dashboard (about:protections)
* WebRTC not interrupted by screensaver anymore
* disabled TLS 1.0 and 1.1 by default
MFSA 2020-24 (bsc#1173576)
* CVE-2020-12415 (bmo#1586630)
AppCache manifest poisoning due to url encoded character processing
* CVE-2020-12416 (bmo#1639734)
Use-after-free in WebRTC VideoBroadcaster
* CVE-2020-12417 (bmo#1640737)
Memory corruption due to missing sign-extension for ValueTags
on ARM64
* CVE-2020-12418 (bmo#1641303)
Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874)
Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437)
Use-After-Free when trying to connect to a STUN server
* CVE-2020-12402 (bmo#1631597)
RSA Key Generation vulnerable to side-channel attack
* CVE-2020-12421 (bmo#1308251)
Add-On updates did not respect the same certificate trust
rules as software updates
Dominique Leuenberger (dimstar_suse)
accepted
request 811277
from
Wolfgang Rosenauer (wrosenauer)
(revision 313)
Dominique Leuenberger (dimstar_suse)
accepted
request 805460
from
Wolfgang Rosenauer (wrosenauer)
(revision 312)
Dominique Leuenberger (dimstar_suse)
accepted
request 800451
from
Wolfgang Rosenauer (wrosenauer)
(revision 311)
- Mozilla Firefox 76.0
* Lockwise improvements
* Improvements in Picture-in-Picture feature
* Support Audio Worklets
MFSA-2020-16 (bsc#1171186)
* CVE-2020-12387 (bmo#1545345)
Use-after-free during worker shutdown
* CVE-2020-12388 (bmo#1618911)
Sandbox escape with improperly guarded Access Tokens
* CVE-2020-12389 (bmo#1554110)
Sandbox escape with improperly separated process types
* CVE-2020-6831 (bmo#1632241)
Buffer overflow in SCTP chunk input validation
* CVE-2020-12390 (bmo#1141959)
Incorrect serialization of nsIPrincipal.origin for IPv6 addresses
* CVE-2020-12391 (bmo#1457100)
Content-Security-Policy bypass using object elements
* CVE-2020-12392 (bmo#1614468)
Arbitrary local file access with 'Copy as cURL'
* CVE-2020-12393 (bmo#1615471)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2020-12394 (bmo#1628288)
URL spoofing in location bar when unfocussed
* CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098,
bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508)
Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
* CVE-2020-12396 (bmo#1339601, bmo#1611938, bmo#1620488,
bmo#1622291, bmo#1627644)
Memory safety bugs fixed in Firefox 76
Dominique Leuenberger (dimstar_suse)
accepted
request 792914
from
Wolfgang Rosenauer (wrosenauer)
(revision 310)
- Mozilla Firefox 75.0
* https://www.mozilla.org/en-US/firefox/75.0/releasenotes
MFSA 2020-12 (bsc#1168874)
* CVE-2020-6821 (bmo#1625404)
Uninitialized memory could be read when using the WebGL
copyTexSubImage method
* CVE-2020-6822 (bmo#1544181)
Out of bounds write in GMPDecodeData when processing large images
* CVE-2020-6823 (bmo#1614919)
Malicious Extension could obtain auth codes from OAuth login flows
* CVE-2020-6824 (bmo#1621853)
Generated passwords may be identical on the same site between
separate private browsing sessions
* CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203)
Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
* CVE-2020-6826 (bmo#1613009,bmo#1613195,bmo#1616734,bmo#1617488,
bmo#1619229,bmo#1620719,bmo#1624897)
Memory safety bugs fixed in Firefox 75
- removed obsolete patch
mozilla-bmo1609538.patch
- requires
* rust >= 1.41
* rust-cbindgen >= 0.13.1
* mozilla-nss >= 3.51
* nodejs10 >= 10.19
- fix build issue in libvpx for i586 via mozilla-bmo1622013.patch
- increase _constraints memory for ppc64le
Dominique Leuenberger (dimstar_suse)
accepted
request 791372
from
Wolfgang Rosenauer (wrosenauer)
(revision 309)
Dominique Leuenberger (dimstar_suse)
accepted
request 788189
from
Wolfgang Rosenauer (wrosenauer)
(revision 308)
- mozilla-sandbox-fips.patch: allow /proc/sys/crypto/fips_enabled to be read, as openssl 1.1.1 FIPS aborts if it cannot access it (bsc#1167132)
Displaying revisions 101 - 120 of 427
