File mozilla-xulrunner190.changes of Package mozilla-xulrunner190

-------------------------------------------------------------------
Thu Mar 18 20:06:08 CET 2010 - wr@rosenauer.org

- security update to version 1.9.0.19 (bnc#586567)
  * MFSA-2010-21/CVE-2010-0179
    Arbitrary code execution with Firebug XMLHttpRequestSpy
    (bmo#504021)
  * MFSA-2010-20/CVE-2010-0178
    Chrome privilege escalation via forced URL drag and drop
    (bmo#546909) 
  * MFSA-2010-19/CVE-2010-0177
    Dangling pointer vulnerability in nsPluginArray (bmo#538310)
  * MFSA-2010-18/CVE-2010-0176
    Dangling pointer vulnerability in nsTreeContentView
    (bmo#538308)
  * MFSA-2010-17/CVE-2010-0175
    Remote code execution with use-after-free in nsTreeSelection
  * MFSA-2010-16/CVE-2010-0173/CVE-2010-0174
    Crashes with evidence of memory corruption
- clean up correctly on update (bnc#589094)

-------------------------------------------------------------------
Fri Feb  5 17:02:56 CET 2010 - wr@rosenauer.org

- security update to version 1.9.0.18 (bnc#576969)
  * MFSA-2010-01/CVE-2010-0159
    Crashes with evidence of memory corruption
  * MFSA-2010-02/CVE-2010-0160
    Web Worker Array Handling Heap Corruption Vulnerability
  * MFSA-2010-03/CVE-2009-1571 (bmo#526500)
    Use-after-free crash in HTML parser
  * MFSA-2010-04/CVE-2009-3988 (bmo#504862)
    XSS due to window.dialogArguments being readable cross-domain
  * MFSA-2010-05/CVE-2010-0162 (bmo#455472)
    XSS hazard using SVG document and binary Content-Type

-------------------------------------------------------------------
Wed Dec 23 14:45:25 CET 2009 - wr@rosenauer.org

- update to version 1.9.0.17
  * DNS resolution in MakeSN of nsAuthSSPI causing issues for 
    proxy servers that support NTLM auth (bmo#535193)

-------------------------------------------------------------------
Fri Dec  4 23:32:34 CET 2009 - wr@rosenauer.org

- security update to 1.9.0.16 (bnc#559807)
  * MFSA 2009-65/CVE-2009-3979/CVE-2009-3981
    Crashes with evidence of memory corruption (1.9.0.16)
  * MFSA 2009-68/CVE-2009-3983 (bmo#487872)
    NTLM reflection vulnerability
  * MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232)
    Location bar spoofing vulnerabilities
  * MFSA 2009-70/CVE-2009-3986 (bmo#522430)
    Privilege escalation via chrome window.opener

-------------------------------------------------------------------
Thu Oct 22 07:32:58 CEST 2009 - wr@rosenauer.org

- security update to 1.9.0.15 (bnc#545277)
  * MFSA 2009-52/CVE-2009-3370 (bmo#511615)
    Form history vulnerable to stealing
  * MFSA 2009-53/CVE-2009-3274 (bmo#514823)
    Local downloaded file tampering
  * MFSA 2009-55/CVE-2009-3372 (bmo#500644)
    Crash in proxy auto-configuration regexp parsing
  * MFSA 2009-56/CVE-2009-3373 (bmo#511689)
    Heap buffer overflow in GIF color map parser
  * MFSA 2009-57/CVE-2009-3374 (bmo#505988)
    Chrome privilege escalation in XPCVariant::VariantDataToJS()
  * MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862)
    Heap buffer overflow in string to number conversion
  * MFSA 2009-61/CVE-2009-3375 (bmo#503226)
    Cross-origin data theft through document.getSelection()
  * MFSA 2009-62/CVE-2009-3376 (bmo#511521)
    Download filename spoofing with RTL override
  * MFSA 2009-64/CVE-2009-3380/CVE-2009-3382
    Crashes with evidence of memory corruption

-------------------------------------------------------------------
Thu Oct 15 10:33:42 CEST 2009 - pwu@novell.com

- extend list of supported architectures as ABI identifier
  (mozilla-abi.patch) (bnc#543460)

-------------------------------------------------------------------
Thu Sep 10 11:16:03 CEST 2009 - wr@rosenauer.org

- security update to 1.9.0.14 (bnc#534458)
  * MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/
    CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075
    Crashes with evidence of memory corruption
  * MFSA 2009-48/CVE-2009-3076
    Insufficient warning for PKCS11 module installation and removal
  * MFSA 2009-49/CVE-2009-3077 (bmo#506871)
    TreeColumns dangling pointer vulnerability
  * MFSA 2009-50/CVE-2009-3078 (bmo#453827)
    Location bar spoofing via tall line-height Unicode characters
  * MFSA 2009-51/CVE-2009-3079 (bmo#454363)
    Chrome privilege escalation with FeedWriter
- removed obsolete lcms patches (included upstream)
- don't provide libsqlite3.so (bnc#538094)

-------------------------------------------------------------------
Mon Aug  3 23:09:02 CEST 2009 - wr@rosenauer.org

- security update to 1.9.0.13 (bnc#527489)
  * MFSA 2009-42 and MFSA 2009-43 don't apply as NSS is provided 
    through package mozilla-nss
  * MFSA 2009-44/CVE-2009-2654 (bmo#451898)
    Location bar and SSL indicator spoofing via window.open() on
    invalid URL

-------------------------------------------------------------------
Tue Jul 28 13:03:24 CEST 2009 - wr@rosenauer.org

- fixed %exclude usage

-------------------------------------------------------------------
Tue Jul 21 23:02:12 CEST 2009 - wr@rosenauer.org

- security update to 1.9.0.12 (bnc#522109)
  * MFSA 2009-34/CVE-2009-2462/CVE-2009-2463/CVE-2009-2464/
    CVE-2009-2465/CVE-2009-2466
      Crashes with evidence of memory corruption
  * MFSA 2009-35/CVE-2009-2467 (bmo#493601)
      Crash and remote code execution during Flash player unloading
  * MFSA 2009-36/CVE-2009-1194/oCERT-2009-001 (bmo#480134)
      Heap/integer overflows in font glyph rendering libraries
  * MFSA 2009-37/CVE-2009-2469 (bmo#488995)
      Crash and remote code execution using watch and
      __defineSetter__ on SVG
  * MFSA 2009-38/CVE-2009-2470 (bmo#459524)
      Data corruption with SOCKS5 reply containing DNS name 
      longer than 15 characters
  * MFSA 2009-39/CVE-2009-2471 (bmo#460882)
      setTimeout loses XPCNativeWrappers
  * MFSA 2009-40/CVE-2009-2472
      Multiple cross origin wrapper bypasses

-------------------------------------------------------------------
Mon Jul 13 19:37:04 CEST 2009 - bgmerrell@novell.com

- Fixes bnc#490610 (MozillaFirefox: LittleCMS null pointer
  dereference CVE-2009-0793), add a patch lcms-bnc490610.patch.

-------------------------------------------------------------------
Fri Jun 12 08:32:38 CEST 2009 - wr@rosenauer.org

- security update to 1.9.0.11 (bnc#505563)
  * MFSA 2009-24/CVE-2009-1392/CVE-2009-1832/CVE-2009-1833
      Crashes with evidence of memory corruption (rv:1.9.0.11)
  * MFSA 2009-25/CVE-2009-1834 (bmo#479413)
      URL spoofing with invalid unicode characters
  * MFSA 2009-26/CVE-2009-1835 (bmo#491801)
      Arbitrary domain cookie access by local file: resources
  * MFSA 2009-27/CVE-2009-1836 (bmo#479880)
      SSL tampering via non-200 responses to proxy CONNECT requests
  * MFSA 2009-28/CVE-2009-1837 (bmo#486269)
      Race condition while accessing the private data of a NPObject 
      JS wrapper class object
  * MFSA 2009-29/CVE-2009-1838 (bmo#489131)
      Arbitrary code execution using event listeners attached to an 
      element whose owner document is null
  * MFSA 2009-30/CVE-2009-1839 (bmo#479943)
      Incorrect principal set for file: resources loaded via 
      location bar
  * MFSA 2009-31/CVE-2009-1840 (bmo#477979)
      XUL scripts bypass content-policy checks
  * MFSA 2009-32/CVE-2009-1841 (bmo#479560)
      JavaScript chrome privilege escalation
- fixing rpath linker flags (part of bnc#501174)

-------------------------------------------------------------------
Tue Apr 28 10:42:23 CEST 2009 - wr@rosenauer.org

- update to 1.9.0.10
  * MFSA 2009-23/CVE-2009-1313 (bmo#489647)
      Crash in nsTextFrame::ClearTextRun()
- fix preprocessor statement to fix build with gcc 4.4

-------------------------------------------------------------------
Thu Apr 16 13:44:47 CEST 2009 - wr@rosenauer.org

- security update to 1.9.0.9 (bnc#495473)
  * MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305
      Crashes with evidence of memory corruption (rv:1.9.0.9)
  * MFSA 2009-15/CVE-2009-0652 (bmo#479336)
      URL spoofing with box drawing character
  * MFSA 2009-16/CVE-2009-1306 (bmo#474536)
      jar: scheme ignores the content-disposition: header on the 
      inner URI
  * MFSA 2009-17/CVE-2009-1307 (bmo#481342)
      Same-origin violations when Adobe Flash loaded via 
      view-source: scheme  
  * MFSA 2009-18/CVE-2009-1308 (bmo#481558)
      XSS hazard using third-party stylesheets and XBL bindings
  * MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433)
      Same-origin violations in XMLHttpRequest and 
      XPCNativeWrapper.toString
  * MFSA 2009-20/CVE-2009-1310 (bmo#483086)
      Malicious search plugins can inject code into arbitrary sites
  * MFSA 2009-21/CVE-2009-1311 (bmo#471962)
      POST data sent to wrong site when saving web page with 
      embedded frame
  * MFSA 2009-22/CVE-2009-1312 (bmo#475636)
      Firefox allows Refresh header to redirect to javascript: URIs
- removed bnc465284-VUL-designMode.patch since it's integrated
  in 1.9.0.9

-------------------------------------------------------------------
Fri Mar 27 09:43:43 CET 2009 - wr@rosenauer.org

- security update to 1.9.0.8 (bnc#488955,489411)
  * MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217)
      Crash and remote code execution in XSL transformation
  * MFSA 2009-13/CVE-2009-1044 (bmo#484320)
      Arbitrary code execution via XUL tree moveToEdgeShift

-------------------------------------------------------------------
Fri Mar 13 23:00:53 CET 2009 - wr@rosenauer.org

- make mozjs consumers use rpath to the correct location
  to find the library at runtime (bnc#479505)

-------------------------------------------------------------------
Wed Mar 11 16:14:09 CST 2009 - pwu@suse.de

- Fixes bnc#479610 (MozillaFirefox: LittleCMS integer overflows),
  add a patch lcms-bnc479606.patch.

-------------------------------------------------------------------
Thu Mar  5 16:33:09 CST 2009 - pwu@suse.de

- Backport a patch from xulrunner191, 
  and fix bnc#465284 and CVE-2009-0071.

-------------------------------------------------------------------
Sun Mar  1 11:08:58 CET 2009 - wr@rosenauer.org

- security update to 1.9.0.7 (bnc#478625)
  * MFSA 2009-07 - Crashes with evidence of memory corruption
    CVE-2009-0771 - Layout Engine Crashes
    CVE-2009-0772 - Layout Engine Crashes
    CVE-2009-0773 - crashes in the JavaScript engine
    CVE-2009-0774 - Layout Engine Crashes
  * MFSA 2009-08/CVE-2009-0775 - (bmo#474456)
    Mozilla Firefox XUL Linked Clones Double Free Vulnerability
  * MFSA 2009-09/CVE-2009-0776 (bmo#414540)
    XML data theft via RDFXMLDataSource and cross-domain redirect
  * MFSA 2009-10/CVE-2009-0040 (bmo#478901)
    Upgrade PNG library to fix memory safety hazards
  * MFSA 2009-11/CVE-2009-0777 (bmo#452979)
    URL spoofing with invisible control characters
- removed obsolete patch to configure system sqlite

-------------------------------------------------------------------
Wed Feb  4 17:09:55 EST 2009 - hfiguiere@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Tue Feb  3 20:17:40 CET 2009 - wr@rosenauer.org

- security update to 1.9.0.6 (bnc#470074)
  * MFSA 2009-06/CVE-2009-0358: Directives to not cache pages ignored
    (bmo#441751)
  * MFSA 2009-05/CVE-2009-0357: XMLHttpRequest allows reading 
    HTTPOnly cookies (bmo#380418)
  * MFSA 2009-04/CVE-2009-0356: Chrome privilege escalation via 
    local .desktop files (bmo#460425)
  * MFSA 2009-03/CVE-2009-0355: Local file stealing with SessionStore
    (bmo#466937)
  * MFSA 2009-02/CVE-2009-0354: XSS using a chrome XBL method 
    and window.eval (bmo#468581)
  * MFSA 2009-01/CVE-2009-0352 - CVE-2009-0353: Crashes with 
    evidence of memory corruption (rv:1.9.0.6) (bmo#452913, 
    bmo#449006, bmo#331088, bmo#401042, bmo#416461, bmo#422283,
    bmo#422301, bmo#431705, bmo#437142, bmo#421839, bmo#420697,
    bmo#461027)
  * (non security) added lv locale
- never use system sqlite for now since it doesn't provide all
  features needed and used by mozstorage (bnc#468689)
- set the actual xul application name as "uniq" identifier for
  NSS database merges (instead of hardcoded "mozilla-xul")
- fixed crash in certificate viewer (bmo#472464)

-------------------------------------------------------------------
Thu Jan 29 16:08:43 EST 2009 - hfiguiere@suse.de

- Update gconf-backend.patch to fix a compilation error in debug
  mode.
- Update toolkit-ui-lockdown.patch to fix bnc#366746

-------------------------------------------------------------------
Wed Dec 17 11:44:04 EST 2008 - hfiguiere@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Mon Dec 15 16:26:43 CET 2008 - wr@rosenauer.org

- security update to 1.9.0.5 (bnc#455804)
  for details
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
  * added et locale

-------------------------------------------------------------------
Tue Dec  9 12:33:47 EST 2008 - hfiguiere@suse.de

- Remove the lockdown part of the proxy because of the new upstream
  management. (bnc#440625)

-------------------------------------------------------------------
Mon Dec  8 11:08:44 EST 2008 - hfiguiere@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Fri Dec  5 16:10:32 EST 2008 - hfiguiere@suse.de

- resetting /system/proxy/mode to 'none' set back network.proxy.type
  to 5 instead of 0. (bnc#441648)

-------------------------------------------------------------------
Thu Nov 20 18:52:14 CST 2008 - maw@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Wed Nov 19 11:49:36 CET 2008 - wr@rosenauer.org

- updated mozilla-shared-nss-db.patch
  * make the patch autodetect nss-shared-helper at buildtime
  * feature can be disabled completely at runtime exporting
    MOZ_XRE_NO_NSSHELPER=1 before starting Firefox
    (that helps to work around bnc#444780 and makes sense anyway)

-------------------------------------------------------------------
Wed Nov 12 19:20:01 EST 2008 - hfiguiere@suse.de

- Added gecko-lockdown.patch and toolkit-ui-lockdown.patch
  * Iron out some bugs from lockdown (bnc#439380)
  * Apparently fixes (bnc#443420)

-------------------------------------------------------------------
Wed Nov 12 17:55:48 CST 2008 - maw@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Tue Nov 11 09:00:42 CET 2008 - wr@rosenauer.org

- update to security/maintenance release 1.9.0.4 (bnc#439841)
  * support additional locales

-------------------------------------------------------------------
Wed Nov  5 22:40:52 CST 2008 - hpj@novell.com

- Add mozilla-shared-nss-db.patch, which migrates the old NSS DB
  to the new, shared format and location.

-------------------------------------------------------------------
Tue Oct 28 15:48:37 CST 2008 - maw@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Mon Oct 27 11:52:13 CET 2008 - wr@rosenauer.org

- improved baselibs dependencies
- removed obsolete build flags
- make biarch dependencies work correctly (bnc#434283)
- removed executable bits from PNGs (bnc#433752)

-------------------------------------------------------------------
Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de

- Added gconf-backend.patch:
  * Lockdown: FATE#302023, FATE#302024

-------------------------------------------------------------------
Mon Sep 29 12:27:36 CDT 2008 - maw@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Sun Sep 28 18:19:26 CEST 2008 - wr@rosenauer.org

- update to regression fix release 1.9.0.3
  * Fixed a problem where users were unable to retrieve saved
    passwords or save new passwords (bmo#454708, bnc#429179#c20,
    CVE-2008-4063, CVE-2008-4064, CVE-2008-3836, and CVE-2008-4070)

-------------------------------------------------------------------
Thu Sep 25 14:45:48 CDT 2008 - maw@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Mon Sep 15 10:20:40 CEST 2008 - wr@rosenauer.org

- update to security/maintenance release 1.9.0.2 (bnc#429179)
  * support more locales
  * removed upstreamed patches
- added PyXPCOM subpackage python-xpcom190
- fix helper app detection for application/octet-stream type
  (bnc#406979, bmo#327323)
- stop shipping the "simple" example
- use system provided cairo from 11.1 on

-------------------------------------------------------------------
Thu Sep  4 14:55:33 CEST 2008 - ro@suse.de

- get rid of at least one opensuse_bs check
  (should really check project name and not buildsystem)

-------------------------------------------------------------------
Tue Aug 19 18:56:49 CEST 2008 - maw@suse.de

- Check whether the build is happening on the build service
  by using 0%{?opensuse_bs}
- Readd unzip to the list of build requirements.

-------------------------------------------------------------------
Fri Aug 15 18:20:55 CDT 2008 - maw@novell.com

- Review and approve changes.

-------------------------------------------------------------------
Wed Aug  6 09:07:34 CEST 2008 - wr@rosenauer.org

- Fix releasedate and apiversion defines

-------------------------------------------------------------------
Tue Jul 29 20:27:24 CEST 2008 - mauro@suse.de

- Merge changes from the Build Service (thanks, Wolfgang)
- Update to stability/security release 1.9.0.1 (bnc#407573)
  * added si and sl locales
  * for security issues please refer to Firefox 3.0.1
- Fixed a crash [@ cairo_draw_with_xlib] (bmo#435764)
  + Added bmo435764.patch
- Fixed vertical stripes in windowless plugins (bmo#430450)
  + Added bmo430450.patch
- Remove about:about (bnc#402699, bmo#349451)
  + Added mozilla-aboutAbout.patch

-------------------------------------------------------------------
Tue Jun 17 18:06:54 CEST 2008 - maw@suse.de

- Merge changes from the Build Service (thanks, Wolfgang)
  (bnc#400001 and SWAMP#18164).

-------------------------------------------------------------------
Tue Jun 17 14:23:59 CEST 2008 - wr@rosenauer.org

- update to version 1.9
- removed obsolete mozilla-fsync* patch
- make it possible to ignore NM events with a pref (bmo#424626)
  (toolkit.networkmanager.ignore=false|true)
  (mozilla-network-status.patch)
- modify pref to not stop at punctuation for selections
  (bnc#395070)
- fixed restart command for session managers (bnc#396552)
- do not compile cairo with SSE support (bnc#397815)
- mozilla-js.pc uses correct cflags (bnc#397814)

-------------------------------------------------------------------
Mon May 26 18:56:46 CEST 2008 - maw@suse.de

- Fix baselibs.conf to mention mozilla-xulrunner190-translations
  (bnc#393856).

-------------------------------------------------------------------
Wed May 21 00:49:39 CEST 2008 - maw@suse.de

- Add mozilla-pkgconfig.patch (part of bnc#381154).

-------------------------------------------------------------------
Tue May 20 22:44:40 CEST 2008 - maw@suse.de

- Add mozilla-fsync-bmo499050.patch (bmo#499050).

-------------------------------------------------------------------
Wed Apr 30 22:44:30 CEST 2008 - maw@suse.de

- Merge changes from the build service (thanks, Wolfgang):
  + Only use gconf proxy settings under GNOME (bnc#381172)
  + Add mozilla-extensionmanager.patch (bnc#381733, and #382969)
  + Add mozilla-system-hunspell.patch to enable use of the system's
    hunspell (bnc#382437)
  + Add mozilla-gnome-proxies.patch:
    * Only use gconf proxy settings when running under GNOME
      (bnc#381172)
    * Correctly read the ignored hosts settings from gconf
      (bmo#429520)
  + Add mozilla-helperapp.patch to offer the gconf default for
    protocol handlers (bnc#383697)
- Rename the -lang subpackage to -translations (bnc#381635).

-------------------------------------------------------------------
Wed Apr 16 17:07:02 CEST 2008 - maw@suse.de

- Merge changes from the build service:
  + Add mozilla-chrome-registry.patch to fix a startup crash
    (bmo#391311 and bnc#379523)
  + Add mozilla-scroll.patch to fix scrolling performance issues
    (bmo#424915 and bnc#377055)
  + Update baselibs.conf.

-------------------------------------------------------------------
Mon Apr 14 19:13:47 CEST 2008 - maw@suse.de

- Better sync against the build service's version.

-------------------------------------------------------------------
Thu Apr 10 10:38:08 CEST 2008 - ro@suse.de

- added baselibs.conf file to create xxbit packages 

-------------------------------------------------------------------
Tue Apr  1 16:08:05 CEST 2008 - wr@rosenauer.org

- update to version 1.9b5
  * including fix for bnc #368967
  * integrated mozilla-gnome-vfs.patch
- updated shipped locales "Provides"
- fixed version upgrading (remove leftovers from previous versions)
- remove executable flags from JS scripts
- CSS DPI scaling now occurs with higher dpi values (>192)
- prerequire coreutils for 'rm' in post scripts

-------------------------------------------------------------------
Tue Mar 18 21:59:17 CET 2008 - maw@suse.de

- Merge changes from the build service (thanks, Wolfgang).

-------------------------------------------------------------------
Mon Mar 10 21:36:24 CET 2008 - wr@rosenauer.org

- new snapshot version 1.9b4
- updated shipped locales "Provides"
- enabled url classifier component 
  (needed for Firefox' safe browsing feature)
- added mozilla-gnome-vfs.patch (#368238)

-------------------------------------------------------------------
Fri Feb 29 11:18:04 CET 2008 - wr@rosenauer.org

- new snapshot 20080228
- source archive contains browser components now to make it easier
  to keep xulrunner and firefox in sync
  (use shipped-locales from browser now instead of keeping a copy
  in the package)
- proxy-type 5 is default now (removed from default prefs)

-------------------------------------------------------------------
Thu Feb 28 15:34:17 CET 2008 - wr@rosenauer.org

- new snapshot 20080227
- use system provided sqlite for factory/11.0
- use fdupes
- tweak default preferences
- fix debuginfo package
- fix wrong executable permissions
- fix wrong ownership of the gnomevfs libs
- add add-plugins.sh to manage dictionaries

-------------------------------------------------------------------
Tue Feb 26 10:19:24 CET 2008 - wr@rosenauer.org

- new snapshot 20080225
- added -gnomevfs subpackage for evaluation
- added back -l10n subpackage

-------------------------------------------------------------------
Fri Feb 22 08:57:14 CET 2008 - wr@rosenauer.org

- initial xulrunner 1.9 package
  * doesn't update any prior xulrunner yet
  * can be installed in parallel
  * just updates the /usr/bin/xulrunner link to the new version
  * needs NSPR 4.7.1 and NSS 3.12