File MozillaFirefox.changes of Package MozillaFirefox
-------------------------------------------------------------------
Wed Jan 24 22:14:50 UTC 2018 - pcerny@suse.com
- update to Firefox ESR 52.6 (bsc#1077291)
* MFSA 2018-02/CVE-2018-5091
(bmo#1423086)
Use-after-free with DTMF timers
* MFSA 2018-02/CVE-2018-5095
(bmo#1418447)
Integer overflow in Skia library during edge builder
allocation
* MFSA 2018-02/CVE-2018-5096
(bmo#1418922)
Use-after-free while editing form elements
* MFSA 2018-02/CVE-2018-5097
(bmo#1387427)
Use-after-free when source document is manipulated during
XSLT
* MFSA 2018-02/CVE-2018-5098
(bmo#1399400)
Use-after-free while manipulating form input elements
* MFSA 2018-02/CVE-2018-5099
(bmo#1416878)
Use-after-free with widget listener
* MFSA 2018-02/CVE-2018-5104
(bmo#1425000)
Use-after-free during font face manipulation
* MFSA 2018-02/CVE-2018-5089
(bmo#1224396, bmo#1331209, bmo#1382366, bmo#1399520,
bmo#1408017, bmo#1408276, bmo#1409951, bmo#1410134,
bmo#1412145, bmo#1412420, bmo#1414452, bmo#1415582,
bmo#1415598, bmo#1417797, bmo#1418854, bmo#1422389,
bmo#1425612, bmo#1425780, bmo#1426783, bmo#1428589)
Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
* MFSA 2018-02/CVE-2018-5117
(bmo#1395508)
URL spoofing with right-to-left text aligned left-to-right
* MFSA 2018-02/CVE-2018-5102
(bmo#1419363)
Use-after-free in HTML media elements
* MFSA 2018-02/CVE-2018-5103
(bmo#1423159)
Use-after-free during mouse event handling
-------------------------------------------------------------------
Thu Nov 16 16:36:42 UTC 2017 - pcerny@suse.com
- update to Firefox ESR 52.5 (bsc#1068101)
* MFSA 2017-25/CVE-2017-7826
(bmo#1261175, bmo#1339259, bmo#1369561, bmo#1375146,
bmo#1387799, bmo#1393840, bmo#1394265, bmo#1394530,
bmo#1395138, bmo#1397811, bmo#1400003, bmo#1400554,
bmo#1400763, bmo#1401804, bmo#1404636, bmo#1406398,
bmo#1407740, bmo#1407751, bmo#1408005, bmo#1408412,
bmo#1411458)
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
* MFSA 2017-25/CVE-2017-7830
(bmo#1408990)
Cross-origin URL information leak through Resource Timing API
* MFSA 2017-25/CVE-2017-7828
(bmo#1406750, bmo#1412252)
Use-after-free of PressShell while restyling layout
-------------------------------------------------------------------
Fri Sep 29 07:50:37 UTC 2017 - pcerny@suse.com
- update to Firefox ESR 52.4 (bsc#1060445)
* MFSA 2017-22/CVE-2017-7825
(bmo#1390980, bmo#1393624)
OS X fonts render some Tibetan and Arabic unicode characters
as spaces
* MFSA 2017-22/CVE-2017-7805
(bmo#1377618)
Use-after-free in TLS 1.2 generating handshake hashes
* MFSA 2017-22/CVE-2017-7819
(bmo#1380292)
Use-after-free while resizing images in design mode
* MFSA 2017-22/CVE-2017-7818
(bmo#1363723)
Use-after-free during ARIA array manipulation
* MFSA 2017-22/CVE-2017-7793
(bmo#1371889)
Use-after-free with Fetch API
* MFSA 2017-22/CVE-2017-7824
(bmo#1398381)
Buffer overflow when drawing and validating elements with
ANGLE
* MFSA 2017-22/CVE-2017-7810
(bmo#1360334, bmo#1371657, bmo#1380824, bmo#1386787,
bmo#1387918, bmo#1389974, bmo#1390550, bmo#1395598)
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
* MFSA 2017-22/CVE-2017-7823
(bmo#1396320)
CSP sandbox directive did not create a unique origin
* MFSA 2017-22/CVE-2017-7814
(bmo#1376036)
Blob and data URLs bypass phishing and malware protection
warnings
-------------------------------------------------------------------
Tue Aug 8 18:20:15 UTC 2017 - pcerny@suse.com
- update to Firefox ESR 52.3 (bsc#1052829)
* MFSA 2017-19/CVE-2017-7807
(bmo#1376459)
Domain hijacking through AppCache fallback
* MFSA 2017-19/CVE-2017-7791
(bmo#1365875)
Spoofing following page navigation with data: protocol and
modal alerts
* MFSA 2017-19/CVE-2017-7792
(bmo#1368652)
Buffer overflow viewing certificates with an extremely long
OID
* MFSA 2017-19/CVE-2017-7782
(bmo#1344034)
WindowsDllDetourPatcher allocates memory without DEP
protections
* MFSA 2017-19/CVE-2017-7787
(bmo#1322896)
Same-origin policy bypass with iframes through page reloads
* MFSA 2017-19/CVE-2017-7786
(bmo#1365189)
Buffer overflow while painting non-displayable SVG
* MFSA 2017-19/CVE-2017-7785
(bmo#1356985)
Buffer overflow manipulating ARIA attributes in DOM
* MFSA 2017-19/CVE-2017-7784
(bmo#1376087)
Use-after-free with image observers
* MFSA 2017-19/CVE-2017-7753
(bmo#1353312)
Out-of-bounds read with cached style data and pseudo-elements
* MFSA 2017-19/CVE-2017-7798
(bmo#1371586, bmo#1372112)
XUL injection in the style editor in devtools
* MFSA 2017-19/CVE-2017-7804
(bmo#1372849)
Memory protection bypass through WindowsDllDetourPatcher
* MFSA 2017-19/CVE-2017-7779
(bmo#1321384, bmo#1346590, bmo#1354443, bmo#1362924,
bmo#1366903, bmo#1368030, bmo#1368105, bmo#1368362,
bmo#1368576, bmo#1369913, bmo#1369994, bmo#1371283,
bmo#1371424, bmo#1371890, bmo#1372985, bmo#1373220,
bmo#1378826, bmo#1380426, bmo#1383002)
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
* MFSA 2017-19/CVE-2017-7800
(bmo#1374047)
Use-after-free in WebSockets during disconnection
* MFSA 2017-19/CVE-2017-7801
(bmo#1371259)
Use-after-free with marquee during window resizing
* MFSA 2017-19/CVE-2017-7802
(bmo#1378147)
Use-after-free resizing image elements
* MFSA 2017-19/CVE-2017-7803
(bmo#1377426)
CSP containing 'sandbox' improperly applied
-------------------------------------------------------------------
Wed Jun 14 22:49:23 UTC 2017 - cgrobertson@suse.com
- update to Firefox ESR 52.2 (bsc#1043960)
* MFSA 2017-16/CVE-2017-7758
(bmo#1368490)
Out-of-bounds read in Opus encoder
* MFSA 2017-16/CVE-2017-7749
(bmo#1355039)
Use-after-free during docshell reloading
* MFSA 2017-16/CVE-2017-7751
(bmo#1363396)
Use-after-free with content viewer listeners
* MFSA 2017-16/CVE-2017-5472
(bmo#1365602)
Use-after-free using destroyed node when regenerating trees
* MFSA 2017-16/CVE-2017-5470
(bmo#1297111, bmo#1325513, bmo#1342552, bmo#1342567,
bmo#1346012, bmo#1347748, bmo#1348424, bmo#1349266,
bmo#1349595, bmo#1352093, bmo#1352295, bmo#1352556,
bmo#1356025, bmo#1357462, bmo#1359639, bmo#1362590,
bmo#1363280, bmo#1366140, bmo#1367692, bmo#1368732)
Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
* MFSA 2017-16/CVE-2017-7752
(bmo#1359547)
Use-after-free with IME input
* MFSA 2017-16/CVE-2017-7750
(bmo#1356558)
Use-after-free with track elements
* MFSA 2017-16/CVE-2017-7768
(bmo#1336979)
32 byte arbitrary file read through Mozilla Maintenance
Service
* MFSA 2017-16/CVE-2017-7778
(bmo#1349310, bmo#1350047, bmo#1352745, bmo#1352747,
bmo#1355174, bmo#1355182, bmo#1356607, bmo#1358551)
Vulnerabilities in the Graphite 2 library
* MFSA 2017-16/CVE-2017-7754
(bmo#1357090)
Out-of-bounds read in WebGL with ImageInfo object
* MFSA 2017-16/CVE-2017-7755
(bmo#1361326)
Privilege escalation through Firefox Installer with same
directory DLL files
* MFSA 2017-16/CVE-2017-7756
(bmo#1366595)
Use-after-free and use-after-scope logging XHR header errors
* MFSA 2017-16/CVE-2017-7757
(bmo#1356824)
Use-after-free in IndexedDB
* MFSA 2017-16/CVE-2017-7761
(bmo#1215648, bmo#https://sourceforge.net/p/nsis/bugs/1125/)
File deletion and privilege escalation through Mozilla
Maintenance Service helper.exe application
* MFSA 2017-16/CVE-2017-7763
(bmo#1360309)
Mac fonts render some unicode characters as spaces
* MFSA 2017-16/CVE-2017-7765
(bmo#1273265)
Mark of the Web bypass when saving executable files
* MFSA 2017-16/CVE-2017-7764
(bmo#1364283, bmo#http://www.unicode.org/reports/tr31/tr31-26
.html#Aspirational_Use_Scripts)
Domain spoofing with combination of Canadian Syllabics and
other unicode blocks
-------------------------------------------------------------------
Thu May 25 17:26:36 UTC 2017 - cgrobertson@suse.com
- update to Firefox ESR 52.1 (bsc#1035082)
* MFSA 2017-12/CVE-2016-10196
(bmo#1343453)
Vulnerabilities in Libevent library
* MFSA 2017-12/CVE-2017-5443
(bmo#1342661)
Out-of-bounds write during BinHex decoding
* MFSA 2017-12/CVE-2017-5429
(bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926,
bmo#1353088,)
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1
* MFSA 2017-12/CVE-2017-5464
(bmo#1347075)
Memory corruption with accessibility and DOM manipulation
* MFSA 2017-12/CVE-2017-5465
(bmo#1347617)
Out-of-bounds read in ConvolvePixel
* MFSA 2017-12/CVE-2017-5466
(bmo#1353975)
Origin confusion when reloading isolated data:text/html URL
* MFSA 2017-12/CVE-2017-5467
(bmo#1347262)
Memory corruption when drawing Skia content
* MFSA 2017-12/CVE-2017-5460
(bmo#1343642)
Use-after-free in frame selection
* MFSA 2017-12/CVE-2017-5461
(bmo#1344380)
Out-of-bounds write in Base64 encoding in NSS
* MFSA 2017-12/CVE-2017-5448
(bmo#1346648)
Out-of-bounds write in ClearKeyDecryptor
* MFSA 2017-12/CVE-2017-5449
(bmo#1340127)
Crash during bidirectional unicode manipulation with
animation
* MFSA 2017-12/CVE-2017-5446
(bmo#1343505)
Out-of-bounds read when HTTP/2 DATA frames are sent with
incorrect data
* MFSA 2017-12/CVE-2017-5447
(bmo#1343552)
Out-of-bounds read during glyph processing
* MFSA 2017-12/CVE-2017-5444
(bmo#1344461)
Buffer overflow while parsing application/http-index-format
content
* MFSA 2017-12/CVE-2017-5445
(bmo#1344467)
Uninitialized values used while parsing application/http-
index-format content
* MFSA 2017-12/CVE-2017-5442
(bmo#1347979)
Use-after-free during style changes
* MFSA 2017-12/CVE-2017-5469
(bmo#1292534)
Potential Buffer overflow in flex-generated code
* MFSA 2017-12/CVE-2017-5440
(bmo#1336832)
Use-after-free in txExecutionState destructor during XSLT
processing
* MFSA 2017-12/CVE-2017-5441
(bmo#1343795)
Use-after-free with selection during scroll events
* MFSA 2017-12/CVE-2017-5439
(bmo#1336830)
Use-after-free in nsTArray Length() during XSLT processing
* MFSA 2017-12/CVE-2017-5438
(bmo#1336828)
Use-after-free in nsAutoPtr during XSLT processing
* MFSA 2017-12/CVE-2017-5436
(bmo#1345461)
Out-of-bounds write with malicious font in Graphite 2
* MFSA 2017-12/CVE-2017-5435
(bmo#1350683)
Use-after-free during transaction processing in the editor
* MFSA 2017-12/CVE-2017-5434
(bmo#1349946)
Use-after-free during focus handling
* MFSA 2017-12/CVE-2017-5433
(bmo#1347168)
Use-after-free in SMIL animation functions
* MFSA 2017-12/CVE-2017-5432
(bmo#1346654)
Use-after-free in text input selection
* MFSA 2017-12/CVE-2017-5430
(bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686,
bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621,
bmo#1349719, bmo#1353476)
Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
* MFSA 2017-12/CVE-2017-5459
(bmo#1333858)
Buffer overflow in WebGL
* MFSA 2017-12/CVE-2017-5462
(bmo#1345089)
DRBG flaw in NSS
* MFSA 2017-12/CVE-2017-5455
(bmo#1341191)
Sandbox escape through internal feed reader APIs
* MFSA 2017-12/CVE-2017-5454
(bmo#1349276)
Sandbox escape allowing file system read access through file
picker
* MFSA 2017-12/CVE-2017-5456
(bmo#1344415)
Sandbox escape allowing local file system access
* MFSA 2017-12/CVE-2017-5451
(bmo#1273537)
Addressbar spoofing with onblur event
- Removed obsolete patches fixed upstream:
[mozilla-repo.patch,
mozilla-skia-be-le.patch,
mozilla-libproxy.patch,
mozilla-aarch64-48bit-va.patch,
mozilla-aarch64-4k-page-size.patch,
mozilla-aarch64-nojit-1.patch,
mozilla-aarch64-nojit-2.patch,
mozilla-fullscreen_part_1.patch,
mozilla-fullscreen_part_2.patch,
mozilla-fullscreen_part_3.patch,
mozilla-protected_symbols.patch,
mozilla-flex_buffer_overrun.patch,
mozilla-disable-webm-dependencies.patch,
mozilla-disable-ogg.patch,
firefox-kde-114.patch]
- Added patches:
[mozilla-aarch64_getrandom.patch]
[mozilla-s390-bigendian.patch] (bmo#1322212 and bmo#1264836)
- Added file [icudt58b.dat] ICU big-endian data file
for big-endian builds
-------------------------------------------------------------------
Thu Apr 20 09:59:07 UTC 2017 - pcerny@suse.com
- update to Firefox ESR 45.9 (bsc#1035082)
* MFSA 2017-11/CVE-2017-5469
(bmo#1292534)
Potential Buffer overflow in flex-generated code
* MFSA 2017-11/CVE-2017-5429
(bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926,
bmo#1353088,)
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1
* MFSA 2017-11/CVE-2017-5439
(bmo#1336830)
Use-after-free in nsTArray Length() during XSLT processing
* MFSA 2017-11/CVE-2017-5438
(bmo#1336828)
Use-after-free in nsAutoPtr during XSLT processing
* MFSA 2017-11/CVE-2017-5437
(bmo#1343453)
Vulnerabilities in Libevent library
* MFSA 2017-11/CVE-2017-5436
(bmo#1345461)
Out-of-bounds write with malicious font in Graphite 2
* MFSA 2017-11/CVE-2017-5435
(bmo#1350683)
Use-after-free during transaction processing in the editor
* MFSA 2017-11/CVE-2017-5434
(bmo#1349946)
Use-after-free during focus handling
* MFSA 2017-11/CVE-2017-5433
(bmo#1347168)
Use-after-free in SMIL animation functions
* MFSA 2017-11/CVE-2017-5432
(bmo#1346654)
Use-after-free in text input selection
* MFSA 2017-11/CVE-2017-5464
(bmo#1347075)
Memory corruption with accessibility and DOM manipulation
* MFSA 2017-11/CVE-2017-5465
(bmo#1347617)
Out-of-bounds read in ConvolvePixel
* MFSA 2017-11/CVE-2017-5460
(bmo#1343642)
Use-after-free in frame selection
* MFSA 2017-11/CVE-2017-5461
(bmo#1344380)
Out-of-bounds write in Base64 encoding in NSS
* MFSA 2017-11/CVE-2017-5448
(bmo#1346648)
Out-of-bounds write in ClearKeyDecryptor
* MFSA 2017-11/CVE-2017-5446
(bmo#1343505)
Out-of-bounds read when HTTP/2 DATA frames are sent with
incorrect data
* MFSA 2017-11/CVE-2017-5447
(bmo#1343552)
Out-of-bounds read during glyph processing
* MFSA 2017-11/CVE-2017-5444
(bmo#1344461)
Buffer overflow while parsing application/http-index-format
content
* MFSA 2017-11/CVE-2017-5445
(bmo#1344467)
Uninitialized values used while parsing application/http-
index-format content
* MFSA 2017-11/CVE-2017-5442
(bmo#1347979)
Use-after-free during style changes
* MFSA 2017-11/CVE-2017-5443
(bmo#1342661)
Out-of-bounds write during BinHex decoding
* MFSA 2017-11/CVE-2017-5440
(bmo#1336832)
Use-after-free in txExecutionState destructor during XSLT
processing
* MFSA 2017-11/CVE-2017-5441
(bmo#1343795)
Use-after-free with selection during scroll events
* MFSA 2017-11/CVE-2017-5462
(bmo#1345089)
DRBG flaw in NSS
* MFSA 2017-11/CVE-2017-5459
(bmo#1333858)
Buffer overflow in WebGL
-------------------------------------------------------------------
Wed Mar 8 00:01:39 UTC 2017 - pcerny@suse.com
- update to Firefox ESR 45.8 (bsc#1028391)
* MFSA 2017-06/CVE-2017-5402
(bmo#1334876)
Use-after-free working with events in FontFace objects
* MFSA 2017-06/CVE-2017-5410
(bmo#1330687)
Memory corruption during JavaScript garbage collection
incremental sweeping
* MFSA 2017-06/CVE-2017-5400
(bmo#1334933)
asm.js JIT-spray bypass of ASLR and DEP
* MFSA 2017-06/CVE-2017-5401
(bmo#1328861)
Memory Corruption when handling ErrorResult
* MFSA 2017-06/CVE-2017-5407
(bmo#1336622)
Pixel and history stealing via floating-point timing side
channel with SVG filters
* MFSA 2017-06/CVE-2017-5404
(bmo#1340138)
Use-after-free working with ranges in selections
* MFSA 2017-06/CVE-2017-5405
(bmo#1336699)
FTP response codes can cause use of uninitialized values for
ports
* MFSA 2017-06/CVE-2017-5408
(bmo#1313711)
Cross-origin reading of video captions in violation of CORS
* MFSA 2017-06/CVE-2017-5409
(bmo#1321814)
File deletion via callback parameter in Mozilla Windows
Updater and Maintenance Service
* MFSA 2017-06/CVE-2017-5398
(bmo#1321612, bmo#1322971, bmo#1324379, bmo#1325052,
bmo#1332550, bmo#1332597, bmo#1333568, bmo#1333887,
bmo#1335450, bmo#1336510, bmo#1338383)
Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8
-------------------------------------------------------------------
Wed Jan 25 22:09:27 UTC 2017 - pcerny@suse.com
- update to Firefox ESR 45.7 (bsc#1021991)
* MFSA 2017-02/CVE-2017-5378 (bsc#1021818)
(bmo#1312001, bmo#1330769)
Pointer and frame data leakage of Javascript objects
* MFSA 2017-02/CVE-2017-5396 (bsc#1021821)
(bmo#1329403)
Use-after-free with Media Decoder
* MFSA 2017-02/CVE-2017-5386 (bsc#1021823)
(bmo#1319070)
WebExtensions can use data: protocol to affect other
extensions
* MFSA 2017-02/CVE-2017-5380 (bsc#1021819)
(bmo#1322107)
Potential use-after-free during DOM manipulations
* MFSA 2017-02/CVE-2017-5390 (bsc#1021820)
(bmo#1297361)
Insecure communication methods in Developer Tools JSON viewer
* MFSA 2017-02/CVE-2017-5373 (bsc#1021824)
(bmo#1285833, bmo#1285960, bmo#1322315, bmo#1322420,
bmo#1325877, bmo#1325938, bmo#1328251, bmo#1328834,
bmo#1331058)
Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7
* MFSA 2017-02/CVE-2017-5375 (bsc#1021814)
(bmo#1325200)
Excessive JIT code allocation allows bypass of ASLR and DEP
* MFSA 2017-02/CVE-2017-5376 (bsc#1021817)
(bmo#1311687)
Use-after-free in XSL
* MFSA 2017-02/CVE-2017-5383 (bsc#1021822)
(bmo#1323338, bmo#1324716)
Location bar spoofing with unicode characters
-------------------------------------------------------------------
Wed Dec 14 16:00:03 UTC 2016 - pcerny@suse.com
- update to Firefox ESR 45.6 (bsc#1015422)
* MFSA 2016-95/CVE-2016-9897
(bmo#1301381)
Memory corruption in libGLES
* MFSA 2016-95/CVE-2016-9901
(bmo#1320057)
Data from Pocket server improperly sanitized before execution
* MFSA 2016-95/CVE-2016-9898
(bmo#1314442)
Use-after-free in Editor while manipulating DOM subtrees
* MFSA 2016-95/CVE-2016-9899
(bmo#1317409)
Use-after-free while manipulating DOM events and audio
elements
* MFSA 2016-95/CVE-2016-9904
(bmo#1317936)
Cross-origin information leak in shared atoms
* MFSA 2016-95/CVE-2016-9905
(bmo#1293985)
Crash in EnumerateSubDocuments
* MFSA 2016-95/CVE-2016-9895
(bmo#1312272)
CSP bypass using marquee tag
* MFSA 2016-95/CVE-2016-9900
(bmo#1319122)
Restricted external resources can be loaded by SVG images
through data URLs
* MFSA 2016-95/CVE-2016-9893
(bmo#1287912, bmo#1298773, bmo#1299098, bmo#1309834,
bmo#1312548, bmo#1312609, bmo#1313212, bmo#1315631,
bmo#1317805, bmo#1319524)
Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
* MFSA 2016-95/CVE-2016-9902
(bmo#1320039)
Pocket extension does not validate the origin of events
-------------------------------------------------------------------
Thu Dec 1 10:47:58 UTC 2016 - pcerny@suse.com
- update to Firefox ESR 45.5.1 (bsc#1012964)
* MFSA 2016-92/CVE-2016-9079
(bmo#1321066)
Use-after-free in SVG Animation
-------------------------------------------------------------------
Tue Nov 15 23:48:00 UTC 2016 - pcerny@suse.com
- update to Firefox ESR 45.5 (bsc#1009026)
* CVE-2016-5297: Incorrect argument length checking in Javascript
(bsc#1010401)
* CVE-2016-9066: Integer overflow leading to a buffer overflow in
nsScriptLoadHandler (bsc#1010404)
* CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
(bsc#1010395)
* CVE-2016-9064: Addons update must verify IDs match between
current and new versions (bsc#1010402)
* CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox
ESR 45.5 (bsc#1010427)
* CVE-2016-5291: Same-origin policy violation using local HTML
file and saved shortcut file (bsc#1010410)
- fix fullscreen mode with some window managers (bsc#992549)
[mozilla-fullscreen_part_1.patch,
mozilla-fullscreen_part_2.patch,
mozilla-fullscreen_part_3.patch]
-------------------------------------------------------------------
Fri Oct 7 09:46:10 UTC 2016 - astieger@suse.com
- document patched dropped in previous update:
* removed mozilla-libproxy.patch, upstream
* removed firefox-kde-114.patch, is not applied on SLE 12,
functionality contained in firefox-kde.patch
-------------------------------------------------------------------
Wed Sep 21 19:14:38 UTC 2016 - cgrobertson@novell.com
- update to Firefox 45.4.0 ESR (bsc#999701)
* MFSA 2016-86/CVE-2016-5270
(bmo#1291016)
Heap-buffer-overflow in
nsCaseTransformTextRunFactory::TransformString
* MFSA 2016-86/CVE-2016-5272
(bmo#1297934)
Bad cast in nsImageGeometryMixin
* MFSA 2016-86/CVE-2016-5276
(bmo#1287721)
Heap-use-after-free in
mozilla::a11y::DocAccessible::ProcessInvalidationList
* MFSA 2016-86/CVE-2016-5274
(bmo#1282076)
use-after-free in nsFrameManager::CaptureFrameState
* MFSA 2016-86/CVE-2016-5277
(bmo#1291665)
Heap-use-after-free in nsRefreshDriver::Tick
* MFSA 2016-86/CVE-2016-5278
(bmo#1294677)
Heap-buffer-overflow in nsBMPEncoder::AddImageFrame
* MFSA 2016-86/CVE-2016-5280
(bmo#1289970)
Use-after-free in
mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
* MFSA 2016-86/CVE-2016-5281
(bmo#1284690)
use-after-free in DOMSVGLength
* MFSA 2016-86/CVE-2016-5284
(bmo#1303127)
Add-on update site certificate pin expiration
* MFSA 2016-86/CVE-2016-5250
(bmo#1254688)
Resource Timing API is storing resources sent by the previous
page
* MFSA 2016-86/CVE-2016-5261
(bmo#1287266)
Integer overflow and memory corruption in WebSocketChannel
* MFSA 2016-86/CVE-2016-5257
(bmo#1277213, bmo#1287204, bmo#1288555, bmo#1288588,
bmo#1288780, bmo#1289280, bmo#1293347, bmo#1294095,
bmo#1294407)
Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
-------------------------------------------------------------------
Wed Sep 14 20:39:11 UTC 2016 - cgrobertson@novell.com
- Fix for aarch64 Firefox startup crash (bsc#991344)
-------------------------------------------------------------------
Thu Aug 4 21:41:56 UTC 2016 - pcerny@suse.com
- update to Firefox 45.3.0 ESR (bsc#991809)
* MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
(bmo#822081, bmo#1154923, bmo#1249578, bmo#1257765,
bmo#1258079, bmo#1268626, bmo#1282502, bmo#1283823)
Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
* MFSA 2016-63/CVE-2016-2830
(bmo#1255270)
Favicon network connection can persist when page is closed
* MFSA 2016-64/CVE-2016-2838
(bmo#1279814)
Buffer overflow rendering SVG with bidirectional content
* MFSA 2016-65/CVE-2016-2839
(bmo#1275339)
Cairo rendering crash due to memory allocation issue with
FFmpeg 0.10
* MFSA 2016-67/CVE-2016-5252
(bmo#1268854)
Stack underflow during 2D graphics rendering
* MFSA 2016-70/CVE-2016-5254
(bmo#1266963)
Use-after-free when using alt key and toplevel menus
* MFSA 2016-72/CVE-2016-5258
(bmo#1279146)
Use-after-free in DTLS during WebRTC session shutdown
* MFSA 2016-73/CVE-2016-5259
(bmo#1282992)
Use-after-free in service workers with nested sync events
* MFSA 2016-76/CVE-2016-5262
(bmo#1277475)
Scripts on marquee tag can execute in sandboxed iframes
* MFSA 2016-77/CVE-2016-2837
(bmo#1274637)
Buffer overflow in ClearKey Content Decryption Module (CDM)
during video playback
* MFSA 2016-78/CVE-2016-5263
(bmo#1276897)
Type confusion in display transformation
* MFSA 2016-79/CVE-2016-5264
(bmo#1286183)
Use-after-free when applying SVG effects
* MFSA 2016-80/CVE-2016-5265
(bmo#1278013)
Same-origin policy violation using local HTML file and saved
shortcut file
- Fix for possible buffer overrun (bsc#990856)
CVE-2016-6354 (bmo#1292534)
-------------------------------------------------------------------
Tue Jun 7 17:33:56 UTC 2016 - pcerny@suse.com
- update to Firefox 45.2.0 ESR (bsc#983549)
* MFSA 2016-49/CVE-2016-2815/CVE-2016-2818
(bsc#983638)
(bmo#1234147, bmo#1256493, bmo#1256739, bmo#1256968,
bmo#1261230, bmo#1261752, bmo#1263384, bmo#1264575,
bmo#1265577, bmo#1267130, bmo#1269729, bmo#1273202,
bmo#1273701)
Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
* MFSA 2016-50/CVE-2016-2819
(bsc#983655)
(bmo#1270381)
Buffer overflow parsing HTML5 fragments
* MFSA 2016-51/CVE-2016-2821
(bsc#983653)
(bmo#1271460)
Use-after-free deleting tables from a contenteditable
document
* MFSA 2016-52/CVE-2016-2822
(bsc#983652)
(bmo#1273129)
Addressbar spoofing though the SELECT element
* MFSA 2016-53/CVE-2016-2824
(bsc#983651)
(bmo#1248580)
Out-of-bounds write with WebGL shader
* MFSA 2016-56/CVE-2016-2828
(bsc#983646)
(bmo#1223810)
Use-after-free when textures are used in WebGL operations
after recycle pool destruction
* MFSA 2016-58/CVE-2016-2831
(bsc#983643)
(bmo#1261933)
Entering fullscreen and persistent pointerlock without user
permission
- use system myspell directly (remove add-plugins.sh)
- all extensions must now be signed by addons.mozilla.org;
read README.SUSE for more details
- Fix crashes on aarch64
* Determine page size at runtime (bsc#984006)
* Allow aarch64 to work in safe mode (bsc#985659)
[mozilla-aarch64-48bit-va.patch] (bmo#1143022)
[mozilla-aarch64-4k-page-size.patch] (bmo#1091515)
[mozilla-aarch64-nojit-1.patch] (bmo#1253216)
[mozilla-aarch64-nojit-2.patch] (bmo#1257055)
- fix crashes on mainframes
[mozilla-s390-nojit.patch]
-------------------------------------------------------------------
Wed Apr 27 18:57:49 UTC 2016 - pcerny@suse.com
- update to Firefox 38.8.0 ESR (bsc#977333)
* MFSA 2016-39/CVE-2016-2805/CVE-2016-2807
(bsc#977374, bsc#977376)
(bmo#1241731, bmo#1187420, bmo#1252707, bmo#1254164,
bmo#1254622, bmo#1254876)
Miscellaneous memory safety hazards
(rv:46.0 / rv:45.1 / rv:38.8)
* MFSA 2016-44/CVE-2016-2814 (bsc#977381)
(bmo#1254721)
Buffer overflow in libstagefright with CENC offsets
* MFSA 2016-47/CVE-2016-2808 (bsc#977386)
(bmo#1246061)
Write to invalid HashMap entry through JavaScript.watch()
-------------------------------------------------------------------
Tue Mar 8 23:24:47 UTC 2016 - pcerny@suse.com
- update to Firefox 38.7.0 ESR (bsc#969894)
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
(bmo#1199171, bmo#1205163, bmo#1207958, bmo#1224361,
bmo#1224363, bmo#1224369, bmo#1225618, bmo#1234425,
bmo#1236519, bmo#1238558, bmo#1238935, bmo#1241731,
bmo#1243555, bmo#1243583, bmo#1245866, bmo#1247236,
bmo#1248794, bmo#1123661, bmo#1221872, bmo#1224979,
bmo#1234578, bmo#1241217, bmo#1242279, bmo#1244250,
bmo#1244995, bmo#1249685)
Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
* MFSA 2016-17/CVE-2016-1954
(bmo#1243178)
Local file overwriting and potential privilege escalation
through CSP reports
* MFSA 2016-20/CVE-2016-1957
(bmo#1227052)
Memory leak in libstagefright when deleting an array during
MP4 processing
* MFSA 2016-21/CVE-2016-1958
(bmo#1228754)
Displayed page address can be overridden
* MFSA 2016-23/CVE-2016-1960
(bmo#1246014)
Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961
(bmo#1249377)
Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962
(bmo#1240760)
Use-after-free when using multiple WebRTC data channels
* MFSA 2016-27/CVE-2016-1964
(bmo#1243335)
Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965
(bmo#1245264)
Addressbar spoofing though history navigation and Location
protocol property
* MFSA 2016-31/CVE-2016-1966
(bmo#1246054)
Memory corruption with malicious NPAPI plugin
* MFSA 2016-34/CVE-2016-1974
(bmo#1228103)
Out-of-bounds read in HTML parser following a failed
allocation
* MFSA 2016-35/CVE-2016-1950
(bmo#1245528)
Buffer overflow during ASN.1 decoding in NSS
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
(bmo#1249920, bmo#1249338, bmo#1243816, bmo#1248805,
bmo#1243482, bmo#1249081, bmo#1243513, bmo#1243526,
bmo#1243473, bmo#1243464, bmo#1243597, bmo#1243823,
bmo#1248804, bmo#1248876)
Font vulnerabilities in the Graphite 2 library
- remove obsolete mozilla-ppc.patch
-------------------------------------------------------------------
Tue Feb 16 23:11:52 UTC 2016 - pcerny@suse.com
- update to Firefox 38.6.1 ESR (bsc#967087)
* MFSA 2016-14/CVE-2016-1523
(bmo#1246093)
Vulnerabilities in Graphite 2
-------------------------------------------------------------------
Wed Jan 27 00:02:33 UTC 2016 - pcerny@suse.com
- update to Firefox 38.5.0 ESR (bsc#963520)
* MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 (bsc#963632)
(bmo#1180064, bmo#1186973, bmo#1206675, bmo#1207298,
bmo#1209358, bmo#1209365, bmo#1209366, bmo#1209368,
bmo#1209546, bmo#1222015, bmo#1229825, bmo#1231121,
bmo#1234576, bmo#1221385, bmo#1223670, bmo#1224200,
bmo#1230483, bmo#1230639, bmo#1230668, bmo#1230686,
bmo#1233152, bmo#1233346, bmo#1233925, bmo#1234280,
bmo#1234571)
Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
* MFSA 2016-03/CVE-2016-1935 (bsc#963635)
(bmo#1220450)
Buffer overflow in WebGL after out of memory allocation
- require NSS 3.20.2
-------------------------------------------------------------------
Wed Dec 16 16:05:33 UTC 2015 - pcerny@suse.com
- update to Firefox 38.5.0 ESR (bsc#9959277)
* MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
(bmo#1188105, bmo#1193757, bmo#1193999, bmo#1194002,
bmo#1194006, bmo#1197012, bmo#1200580, bmo#1207571,
bmo#1207571, bmo#1208059, bmo#1212305, bmo#1219330,
bmo#1221421, bmo#1221904, bmo#1203135, bmo#1224100,
bmo#1225250)
Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)
* MFSA 2015-138/CVE-2015-7210
(bmo#1218326)
Use-after-free in WebRTC when datachannel is used after being
destroyed
* MFSA 2015-139/CVE-2015-7212
(bmo#1222809)
Integer overflow allocating extremely large textures
* MFSA 2015-145/CVE-2015-7205
(bmo#1220493)
Underflow through code inspection
* MFSA 2015-146/CVE-2015-7213
(bmo#1206211)
Integer overflow in MP4 playback in 64-bit versions
* MFSA 2015-147/CVE-2015-7222
(bmo#1216748)
Integer underflow and buffer overflow processing MP4 metadata
in libstagefright
* MFSA 2015-149/CVE-2015-7214
(bmo#1228950)
Cross-site reading attack through data and view-source URIs
-------------------------------------------------------------------
Tue Nov 3 23:02:43 UTC 2015 - pcerny@suse.com
- update to Firefox 38.4.0 ESR (bsc#952810)
* MFSA 2015-116/CVE-2015-4513
(bmo#1107011, bmo#1191942, bmo#1193038, bmo#1204580,
bmo#1204669, bmo#1204700, bmo#1205707, bmo#1206564,
bmo#1208665, bmo#1209471, bmo#1213979)
Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
* MFSA 2015-122/CVE-2015-7188
(bmo#1199430)
Trailing whitespace in IP address hostnames can bypass
same-origin policy
* MFSA 2015-123/CVE-2015-7189
(bmo#1205900)
Buffer overflow during image interactions in canvas
* MFSA 2015-127/CVE-2015-7193
(bmo#1210302)
CORS preflight is bypassed when non-standard Content-Type
headers are received
* MFSA 2015-128/CVE-2015-7194
(bmo#1211262)
Memory corruption in libjar through zip files
* MFSA 2015-130/CVE-2015-7196
(bmo#1140616)
JavaScript garbage collection crash with Java applet
* MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
(bmo#1204061, bmo#1188010, bmo#1204155)
Vulnerabilities found through code inspection
* MFSA 2015-132/CVE-2015-7197
(bmo#1204269)
Mixed content WebSocket policy bypass through workers
* MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
(bmo#1202868, bmo#1192028, bmo#1205157)
NSS and NSPR memory corruption issues
- fix printing on landscape media (bsc#908275)
-------------------------------------------------------------------
Tue Sep 22 23:21:21 UTC 2015 - pcerny@suse.com
- update to Firefox 38.3.0 ESR (bsc#947003)
* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
(bmo#1165706, bmo#1186657, bmo#1044077, bmo#1152026,
bmo#1161063, bmo#1181651, bmo#1183153, bmo#1186962,
bmo#1201793, bmo#1202844)
Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
* MFSA 2015-101/CVE-2015-4506
(bmo#1192226)
Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-105/CVE-2015-4511
(bmo#1200148)
Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509
(bmo#1198435)
Use-after-free while manipulating HTML media content
* MFSA 2015-110/CVE-2015-4519
(bmo#1189814)
Dragging and dropping images exposes final URL after
redirects
* MFSA 2015-111/CVE-2015-4520
(bmo#1200856, bmo#1200869)
Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522
CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177
CVE-2015-7180
(bmo#1170246, bmo#1172055, bmo#1174479, bmo#1186725,
bmo#1170794, bmo#1168959, bmo#1172189, bmo#1191463)
Vulnerabilities found through code inspection
-------------------------------------------------------------------
Fri Aug 28 10:41:39 UTC 2015 - pcerny@suse.com
- update to Firefox 38.2.1 ESR (bsc#943608)
* MFSA 2015-94/CVE-2015-4497 (bsc#943557)
(bmo#1164766, bmo#1175278)
Use-after-free when resizing canvas element during restyling
* MFSA 2015-95/CVE-2015-4498 (bsc#943558)
(bmo#1042699)
Add-on notification bypass through data URLs
-------------------------------------------------------------------
Tue Aug 11 17:21:59 UTC 2015 - pcerny@suse.com
- update to Firefox 38.2.0 ESR (bsc#940806)
* MFSA 2015-78/CVE-2015-4495
(bmo#1178058, bmo#1179262)
Same origin violation and local file stealing via PDF reader
* MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
(bmo#1143130, bmo#1161719, bmo#1177501, bmo#1181204,
bmo#1184068, bmo#1188590, bmo#1146213, bmo#1178890,
bmo#1182711)
Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
* MFSA 2015-80/CVE-2015-4475
(bmo#1175396)
Out-of-bounds read with malformed MP3 file
* MFSA 2015-82/CVE-2015-4478
(bmo#1105914)
Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479
(bmo#1185115, bmo#1144107, bmo#1170344, bmo#1186718)
Overflow issues in libstagefright
* MFSA 2015-87/CVE-2015-4484
(bmo#1171540)
Crash when using shared memory in JavaScript
* MFSA 2015-88/CVE-2015-4491
(bmo#1184009)
Heap overflow in gdk-pixbuf when scaling bitmap images
* MFSA 2015-89/CVE-2015-4485/CVE-2015-4486
(bmo#1177948, bmo#1178148)
Buffer overflows on Libvpx when decoding WebM video
* MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
(bmo#1176270, bmo#1182723, bmo#1171603)
Vulnerabilities found through code inspection
* MFSA 2015-92/CVE-2015-4492
(bmo#1185820)
Use-after-free in XMLHttpRequest with shared workers
-------------------------------------------------------------------
Mon Aug 10 18:25:05 UTC 2015 - pcerny@suse.com
- hotfix update (bsc#940918)
* MFSA 2015-78/CVE-2015-4495
(bmo#1178058)
Same origin violation
[-fix_expanded_principals]
* Remove PlayPreview registration from PDF Viewer
(bmo#1179262)
[-fix_pdfjs_playpreview]
-------------------------------------------------------------------
Mon Jul 6 17:33:57 UTC 2015 - cgrobertson@suse.com
- update to Firefox 31.8.0 ESR (bsc#935979)
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
(bmo#1059081, bmo#1132265, bmo#1145781, bmo#1146416,
bmo#1155985, bmo#1056410, bmo#1151650, bmo#1156861,
bmo#1159321, bmo#1159973, bmo#1163359, bmo#1163852,
bmo#1172076, bmo#1172397, bmo#1143679, bmo#1154876,
bmo#1160884, bmo#1164567)
Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 /
rv:38.1)
* MFSA 2015-61/CVE-2015-2728
(bmo#1142210)
Type confusion in Indexed Database Manager
* MFSA 2015-64/CVE-2015-2730
(bmo#1125025)
ECDSA signature validation fails to handle some signatures
correctly
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733
(bmo#1169867, bmo#1166924)
Use-after-free in workers while using XMLHttpRequest
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/
CVE-2015-2737/CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
(bmo#1170809, bmo#1166900, bmo#1168207, bmo#1167888,
bmo#1166082, bmo#1167356, bmo#1167332)
Vulnerabilities found through code inspection
* MFSA 2015-69/CVE-2015-2743
(bmo#1163109)
Privilege escalation in PDF.js
* MFSA 2015-70/CVE-2015-4000
(bmo#1138554)
NSS accepts export-length DHE keys with regular DHE cipher
suites
* MFSA 2015-71/CVE-2015-2721
(bmo#1086145)
NSS incorrectly permits skipping of ServerKeyExchange
-------------------------------------------------------------------
Fri May 15 11:37:01 UTC 2015 - pcerny@suse.com
- update to Firefox 31.7.0 ESR (bsc#930622)
* MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
(bmo#1120655, bmo#1143299, bmo#1151139, bmo#1152177,
bmo#1111251, bmo#1117977, bmo#1128064, bmo#1135066,
bmo#1143194, bmo#1146101, bmo#1149526, bmo#1153688,
bmo#1155474)
Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
* MFSA 2015-47/CVE-2015-0797
(bmo#1080995)
Buffer overflow parsing H.264 video with Linux Gstreamer
* MFSA 2015-48/CVE-2015-2710
(bmo#1149542)
Buffer overflow with SVG content and CSS
* MFSA 2015-51/CVE-2015-2713
(bmo#1153478)
Use-after-free during text processing with vertical text
enabled
* MFSA 2015-54/CVE-2015-2716
(bmo#1140537)
Buffer overflow when parsing compressed XML
-------------------------------------------------------------------
Wed Apr 1 18:19:20 UTC 2015 - pcerny@suse.com
- update to Firefox 31.6.0 ESR (bsc#925368)
* MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
(bmo#1005991, bmo#1111327, bmo#1116306, bmo#1127012,
bmo#1130150, bmo#1132342, bmo#1133909, bmo#1136397,
bmo#1137624, bmo#1138391, bmo#1036515, bmo#1137326,
bmo#1138199)
Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
* MFSA 2015-31/CVE-2015-0813
(bmo#1106596)
Use-after-free when using the Fluendo MP3 GStreamer plugin
* MFSA 2015-33/CVE-2015-0816
(bmo#1144991)
resource:// documents can load privileged pages
* MFSA 2015-37/CVE-2015-0807
(bmo#1111834)
CORS requests should not follow 30x redirections after
preflight
* MFSA 2015-40/CVE-2015-0801
(bmo#1146339)
Same-origin bypass through anchor navigation
-------------------------------------------------------------------
Mon Mar 23 12:16:49 UTC 2015 - pcerny@suse.com
- update to Firefox 31.5.3 ESR (bsc#923534)
* MFSA 2015-29/CVE-2015-0817
(bmo#1145255)
Code execution through incorrect JavaScript
bounds checking elimination
* MFSA 2015-28/CVE-2015-0818
(bmo#1144988)
Privilege escalation through SVG navigation
-------------------------------------------------------------------
Tue Feb 24 23:49:33 UTC 2015 - pcerny@suse.com
- update to Firefox 31.5.0 ESR (bsc#917597)
* MFSA 2015-11/CVE-2015-0835/CVE-2015-0836
(bmo#1072760, bmo#1092947, bmo#1114058, bmo#1114569,
bmo#1118894, bmo#1119019, bmo#1122387, bmo#1125734,
bmo#1127206, bmo#1127246, bmo#1096138, bmo#1107009,
bmo#1111243, bmo#1111248, bmo#1115776, bmo#1117406,
bmo#1119579, bmo#1123882, bmo#1124018, bmo#1128196)
Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)
* MFSA 2015-16/CVE-2015-0831
(bmo#1130541)
Use-after-free in IndexedDB
* MFSA 2015-19/CVE-2015-0827
(bmo#1117304)
Out-of-bounds read and write while rendering SVG content
* MFSA 2015-24/CVE-2015-0822
(bmo#1110557)
Reading of local files through manipulation of form
autocomplete
-------------------------------------------------------------------
Wed Jan 14 10:57:41 UTC 2015 - pcerny@suse.com
- update to Firefox 31.4.0 ESR (bsc#910669)
* MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
(bmo#1109889, bmo#1111737, bmo#1026774, bmo#1027300,
bmo#1054538, bmo#1067473, bmo#1070962, bmo#1072130,
bmo#1072871, bmo#1098583)
Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)
* MFSA 2015-03/CVE-2014-8638
(bmo#1080987)
sendBeacon requests lack an Origin header
* MFSA 2015-04/CVE-2014-8639
(bmo#1095859)
Cookie injection through Proxy Authenticate responses
* MFSA 2015-06/CVE-2014-8641
(bmo#1108455)
Read-after-free in WebRTC
- fix broken install scripts in some locales (bsc#909563)
-------------------------------------------------------------------
Wed Dec 3 10:43:35 UTC 2014 - pcerny@suse.com
- update to Firefox 31.3.0 ESR (bnc#908009)
* MFSA 2014-83/CVE-2014-1587/CVE-2014-1588
(bmo#1042567, bmo#1072847, bmo#1079729, bmo#1080312,
bmo#1089207, bmo#1013001, bmo#1023158, bmo#1026037,
bmo#1037830, bmo#1048517, bmo#1064835, bmo#1073577,
bmo#1075546, bmo#1077687, bmo#1086842, bmo#1096026)
Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)
* MFSA 2014-85/CVE-2014-1590
(bmo#1087633)
XMLHttpRequest crashes with some input streams
* MFSA 2014-87/CVE-2014-1592
(bmo#1088635)
Use-after-free during HTML5 parsing
* MFSA 2014-88/CVE-2014-1593
(bmo#1085175)
Buffer overflow while parsing media content
* MFSA 2014-89/CVE-2014-1594
(bmo#1074280)
Bad casting from the BasicThebesLayer to BasicContainerLayer
- removing merged patch disabling SSLv3 by default
-------------------------------------------------------------------
Wed Oct 15 17:18:10 UTC 2014 - pcerny@suse.com
- update to Firefox 31.2.0 ESR (bnc#900941)
* MFSA 2014-74/CVE-2014-1574/CVE-2014-1575
(bmo#1001994, bmo#1011354, bmo#1018916, bmo#1020034,
bmo#1023035, bmo#1032208, bmo#1033020, bmo#1034230,
bmo#1061214, bmo#1061600, bmo#1064346, bmo#1072044,
bmo#1072174)
Miscellaneous memory safety hazards (rv:33.0/rv:31.2)
* MFSA 2014-75/CVE-2014-1576
(bmo#1041512)
Buffer overflow during CSS manipulation
* MFSA 2014-76/CVE-2014-1577
(bmo#1012609)
Web Audio memory corruption issues with custom waveforms
* MFSA 2014-77/CVE-2014-1578
(bmo#1063327)
Out-of-bounds write with WebM video
* MFSA 2014-79/CVE-2014-1581
(bmo#1068218)
Use-after-free interacting with text directionality
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586
(bmo#1062876, bmo#1062981)
Inconsistent video sharing within iframe
* MFSA 2014-82/CVE-2014-1583
(bmo#1015540)
Accessing cross-origin objects via the Alarms API
- SSLv3 is disabled by default. See README.POODLE for more
detailed information.
-------------------------------------------------------------------
Fri Sep 5 08:27:05 UTC 2014 - pcerny@suse.com
- update to Firefox 31.1.0 (bnc#894370)
* MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562
(bmo#990247,bmo#995075,bmo#995704,bmo#1004480,bmo#1016519,
bmo#1022945,bmo#1027359,bmo#1033121,bmo#1035007,bmo#1037666,
bmo#1041148,bmo#1054359)
Miscellaneous memory safety hazards
* MFSA 2014-68/CVE-2014-1563 (bmo#1018524)
Use-after-free during DOM interactions with SVG
* MFSA 2014-69/CVE-2014-1564 (bmo#1045977)
Uninitialized memory use during GIF rendering
* MFSA 2014-70/CVE-2014-1565 (bmo#1047831)
Out-of-bounds read in Web Audio audio timeline
* MFSA 2014-72/CVE-2014-1567 (bmo#1037641)
Use-after-free setting text directionality
- require NSPR 4.10.7/NSS 3.16.4
-------------------------------------------------------------------
Wed Aug 20 13:46:39 CEST 2014 - behlert@suse.de
- adapted _constraints, used more than 3900MB on s390x during
last build
-------------------------------------------------------------------
Thu Jul 17 11:53:42 UTC 2014 - pcerny@suse.com
- update to Firefox 31.0.0 ESR (bnc#887746)
* MFSA 2014-56/CVE-2014-1547/CVE-2014-1548
Miscellaneous memory safety hazards
* MFSA 2014-61/CVE-2014-1555 (bmo#1023121)
Use-after-free with FireOnStateChange event
* MFSA 2014-62/CVE-2014-1556 (bmo#1028891)
Exploitable WebGL crash with Cesium JavaScript library
* MFSA 2014-63/CVE-2014-1544 (bmo#963150)
Use-after-free while when manipulating certificates in the
trusted cache
(solved with NSS 3.16.3 requirement)
* MFSA 2014-64/CVE-2014-1557 (bmo#913805)
Crash in Skia library when scaling high quality images
- require NSS 3.16.3
-----------------------------------------------------------------
Fri Jun 13 21:40:37 UTC 2014 - pcerny@suse.com
- update to Firefox 31 beta 6
- require NSS 3.16.1
-------------------------------------------------------------------
Mon Apr 28 23:19:05 UTC 2014 - pcerny@suse.com
- update to Firefox 30 beta 8
- requires NSS 3.16
- removed obsolete patches
* firefox-browser-css.patch
* mozilla-aarch64-599882cfb998.diff
* mozilla-aarch64-bmo-963028.patch
* mozilla-aarch64-bmo-963029.patch
* mozilla-aarch64-bmo-963030.patch
* mozilla-aarch64-bmo-963031.patch
- added mozilla-icu-strncat.patch to fix post build checks
-------------------------------------------------------------------
Mon Apr 7 15:34:31 UTC 2014 - dmueller@suse.com
- add mozilla-aarch64-599882cfb998.patch,
mozilla-aarch64-bmo-810631.patch,
mozilla-aarch64-bmo-962488.patch,
mozilla-aarch64-bmo-963030.patch,
mozilla-aarch64-bmo-963027.patch,
mozilla-aarch64-bmo-963028.patch,
mozilla-aarch64-bmo-963029.patch,
mozilla-aarch64-bmo-963023.patch,
mozilla-aarch64-bmo-963024.patch,
mozilla-aarch64-bmo-963031.patch: AArch64 porting
-------------------------------------------------------------------
Mon Mar 31 18:20:22 UTC 2014 - dvaleev@suse.com
- Fix MozillaFirefox builds for ppc64 and ppc64le
- added patches:
* mozilla-ppc64-xpcom.patch
- modified patches:
* mozilla-ppc64le-xpcom.patch
-------------------------------------------------------------------
Sun Mar 16 23:49:34 UTC 2014 - pcerny@suse.com
- update to Firefox 28.0 (bnc#868603)
- requires NSPR 4.10.4 and NSS 3.15.5
- new build dependency:
* libpulse
- update of PowerPC 64 patches (bmo#976648)
- rebased patches
-------------------------------------------------------------------
Tue Mar 4 14:09:57 UTC 2014 - dvaleev@suse.com
- Refresh patch to fit Firefox27 build system
- modified patches:
* mozilla-ppc64le-xpcom.patch
-------------------------------------------------------------------
Fri Feb 28 13:17:49 UTC 2014 - pcerny@suse.com
- update to Firefox 27.0.1
* Fixed stability issues with Greasemonkey and other JS that used
ClearTimeoutOrInterval
* JS math correctness issue (bnc#941381)
- incorporate Google API key for geolocation (bnc#864170)
- updated list of "other" locales in RPM requirements
- update of PowerPC 64 patches (bmo#976648)
-------------------------------------------------------------------
Tue Jan 28 15:45:41 UTC 2014 - wr@rosenauer.org
- update to Firefox 27.0 (bnc#861847)
* MFSA 2014-01/CVE-2014-1477/CVE-2014-1478
Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
* MFSA 2014-02/CVE-2014-1479 (bmo#911864)
Clone protected content with XBL scopes
* MFSA 2014-03/CVE-2014-1480 (bmo#916726)
UI selection timeout missing on download prompts
* MFSA 2014-04/CVE-2014-1482 (bmo#943803)
Incorrect use of discarded images by RasterImage
* MFSA 2014-05/CVE-2014-1483 (bmo#950427)
Information disclosure with *FromPoint on iframes
* MFSA 2014-06/CVE-2014-1484 (bmo#953993)
Profile path leaks to Android system log
* MFSA 2014-07/CVE-2014-1485 (bmo#910139)
XSLT stylesheets treated as styles in Content Security Policy
* MFSA 2014-08/CVE-2014-1486 (bmo#942164)
Use-after-free with imgRequestProxy and image proccessing
* MFSA 2014-09/CVE-2014-1487 (bmo#947592)
Cross-origin information leak through web workers
* MFSA 2014-10/CVE-2014-1489 (bmo#959531)
Firefox default start page UI content invokable by script
* MFSA 2014-11/CVE-2014-1488 (bmo#950604)
Crash when using web workers with asm.js
* MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
(bmo#934545, bmo#930874, bmo#930857)
NSS ticket handling issues
* MFSA 2014-13/CVE-2014-1481(bmo#936056)
Inconsistent JavaScript handling of access to Window objects
- requires NSS 3.15.4 or higher
- rebased/reworked patches
- removed obsolete mozilla-bug929439.patch
-------------------------------------------------------------------
Thu Dec 12 21:19:54 UTC 2013 - uweigand@de.ibm.com
- Add support for powerpc64le-linux.
* mozilla-ppc64le.patch: general support
* mozilla-libffi-ppc64le.patch: libffi backport
* mozilla-xpcom-ppc64le.patch: port xpcom
- Add build fix from mainline.
* mozilla-bug929439.patch
-------------------------------------------------------------------
Sun Dec 8 20:26:23 UTC 2013 - wr@rosenauer.org
- update to Firefox 26.0 (bnc#854367, bnc#854370)
* rebased patches
* requires NSPR 4.10.2 and NSS 3.15.3.1
* MFSA 2013-104/CVE-2013-5609/CVE-2013-5610
Miscellaneous memory safety hazards
* MFSA 2013-105/CVE-2013-5611 (bmo#771294)
Application Installation doorhanger persists on navigation
* MFSA 2013-106/CVE-2013-5612 (bmo#871161)
Character encoding cross-origin XSS attack
* MFSA 2013-107/CVE-2013-5614 (bmo#886262)
Sandbox restrictions not applied to nested object elements
* MFSA 2013-108/CVE-2013-5616 (bmo#938341)
Use-after-free in event listeners
* MFSA 2013-109/CVE-2013-5618 (bmo#926361)
Use-after-free during Table Editing
* MFSA 2013-110/CVE-2013-5619 (bmo#917841)
Potential overflow in JavaScript binary search algorithms
* MFSA 2013-111/CVE-2013-6671 (bmo#930281)
Segmentation violation when replacing ordered list elements
* MFSA 2013-112/CVE-2013-6672 (bmo#894736)
Linux clipboard information disclosure though selection paste
* MFSA 2013-113/CVE-2013-6673 (bmo#970380)
Trust settings for built-in roots ignored during EV certificate
validation
* MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449)
Use-after-free in synthetic mouse movement
* MFSA 2013-115/CVE-2013-5615 (bmo#929261)
GetElementIC typed array stubs can be generated outside observed
typesets
* MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693)
JPEG information leak
* MFSA 2013-117 (bmo#946351)
Mis-issued ANSSI/DCSSI certificate
(fixed via NSS 3.15.3.1)
- removed gecko.js preference file as GStreamer is enabled by
default now
-------------------------------------------------------------------
Thu Oct 24 18:16:19 UTC 2013 - wr@rosenauer.org
- update to Firefox 25.0 (bnc#847708)
* rebased patches
* requires NSS 3.15.2 or above
* MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592
Miscellaneous memory safety hazards
* MFSA 2013-94/CVE-2013-5593 (bmo#868327)
Spoofing addressbar through SELECT element
* MFSA 2013-95/CVE-2013-5604 (bmo#914017)
Access violation with XSLT and uninitialized data
* MFSA 2013-96/CVE-2013-5595 (bmo#916580)
Improperly initialized memory and overflows in some JavaScript
functions
* MFSA 2013-97/CVE-2013-5596 (bmo#910881)
Writing to cycle collected object during image decoding
* MFSA 2013-98/CVE-2013-5597 (bmo#918864)
Use-after-free when updating offline cache
* MFSA 2013-99/CVE-2013-5598 (bmo#920515)
Security bypass of PDF.js checks using iframes
* MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601
(bmo#915210, bmo#915576, bmo#916685)
Miscellaneous use-after-free issues found through ASAN fuzzing
* MFSA 2013-101/CVE-2013-5602 (bmo#897678)
Memory corruption in workers
* MFSA 2013-102/CVE-2013-5603 (bmo#916404)
Use-after-free in HTML document templates
-------------------------------------------------------------------
Tue Sep 24 07:31:30 UTC 2013 - wr@rosenauer.org
- as GStreamer is not automatically required anymore but loaded
dynamically if available, require it explicitely
- recommend optional GStreamer plugins for comprehensive media
support
-------------------------------------------------------------------
Mon Sep 16 11:59:18 UTC 2013 - lnussel@suse.de
- move greek to the translations-common package (bnc#840551)
-------------------------------------------------------------------
Sat Sep 14 14:39:58 UTC 2013 - wr@rosenauer.org
- update to Firefox 24.0 (bnc#840485)
* MFSA 2013-76/CVE-2013-1718/CVE-2013-1719
Miscellaneous memory safety hazards
* MFSA 2013-77/CVE-2013-1720 (bmo#888820)
Improper state in HTML5 Tree Builder with templates
* MFSA 2013-78/CVE-2013-1721 (bmo#890277)
Integer overflow in ANGLE library
* MFSA 2013-79/CVE-2013-1722 (bmo#893308)
Use-after-free in Animation Manager during stylesheet cloning
* MFSA 2013-80/CVE-2013-1723 (bmo#891292)
NativeKey continues handling key messages after widget is destroyed
* MFSA 2013-81/CVE-2013-1724 (bmo#894137)
Use-after-free with select element
* MFSA 2013-82/CVE-2013-1725 (bmo#876762)
Calling scope for new Javascript objects can lead to memory corruption
* MFSA 2013-85/CVE-2013-1728 (bmo#883686)
Uninitialized data in IonMonkey
* MFSA 2013-88/CVE-2013-1730 (bmo#851353)
Compartment mismatch re-attaching XBL-backed nodes
* MFSA 2013-89/CVE-2013-1732 (bmo#883514)
Buffer overflow with multi-column, lists, and floats
* MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301)
Memory corruption involving scrolling
* MFSA 2013-91/CVE-2013-1737 (bmo#907727)
User-defined properties on DOM proxies get the wrong "this" object
* MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897)
GC hazard with default compartments and frame chain restoration
- enable gstreamer explicitely via pref (gecko.js)
- require NSS 3.15.1
-------------------------------------------------------------------
Mon Aug 26 07:35:36 UTC 2013 - wr@rosenauer.org
- update to Firefox 23.0.1
* Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls
(bmo#901527)
-------------------------------------------------------------------
Sun Aug 4 18:30:11 UTC 2013 - wr@rosenauer.org
- update to Firefox 23.0 (bnc#833389)
* MFSA 2013-63/CVE-2013-1701/CVE-2013-1702
Miscellaneous memory safety hazards
* MFSA 2013-64/CVE-2013-1704 (bmo#883313)
Use after free mutating DOM during SetBody
* MFSA 2013-65/CVE-2013-1705 (bmo#882865)
Buffer underflow when generating CRMF requests
* MFSA 2013-67/CVE-2013-1708 (bmo#879924)
Crash during WAV audio file decoding
* MFSA 2013-68/CVE-2013-1709 (bmo#838253)
Document URI misrepresentation and masquerading
* MFSA 2013-69/CVE-2013-1710 (bmo#871368)
CRMF requests allow for code execution and XSS attacks
* MFSA 2013-70/CVE-2013-1711 (bmo#843829)
Bypass of XrayWrappers using XBL Scopes
* MFSA 2013-72/CVE-2013-1713 (bmo#887098)
Wrong principal used for validating URI for some Javascript
components
* MFSA 2013-73/CVE-2013-1714 (bmo#879787)
Same-origin bypass with web workers and XMLHttpRequest
* MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file system
- requires NSPR 4.10 and NSS 3.15
-------------------------------------------------------------------
Wed Jul 3 17:14:35 UTC 2013 - dmueller@suse.com
- fix build on ARM (/-g/ matches /-grecord-switches/)
-------------------------------------------------------------------
Sat Jun 22 17:48:06 UTC 2013 - wr@rosenauer.org
- update to Firefox 22.0 (bnc#825935)
* removed obsolete patches
+ mozilla-qcms-ppc.patch
+ mozilla-gstreamer-760140.patch
* GStreamer support does not build on 12.1 anymore (build only
on 12.2 and later)
* MFSA 2013-49/CVE-2013-1682/CVE-2013-1683
Miscellaneous memory safety hazards
* MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
Memory corruption found using Address Sanitizer
* MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
Privileged content access and execution via XBL
* MFSA 2013-52/CVE-2013-1688 (bmo#873966)
Arbitrary code execution within Profiler
* MFSA 2013-53/CVE-2013-1690 (bmo#857883)
Execution of unmapped memory through onreadystatechange event
* MFSA 2013-54/CVE-2013-1692 (bmo#866915)
Data in the body of XHR HEAD requests leads to CSRF attacks
* MFSA 2013-55/CVE-2013-1693 (bmo#711043)
SVG filters can lead to information disclosure
* MFSA 2013-56/CVE-2013-1694 (bmo#848535)
PreserveWrapper has inconsistent behavior
* MFSA 2013-57/CVE-2013-1695 (bmo#849791)
Sandbox restrictions not applied to nested frame elements
* MFSA 2013-58/CVE-2013-1696 (bmo#761667)
X-Frame-Options ignored when using server push with multi-part
responses
* MFSA 2013-59/CVE-2013-1697 (bmo#858101)
XrayWrappers can be bypassed to run user defined methods in a
privileged context
* MFSA 2013-60/CVE-2013-1698 (bmo#876044)
getUserMedia permission dialog incorrectly displays location
* MFSA 2013-61/CVE-2013-1699 (bmo#840882)
Homograph domain spoofing in .com, .net and .name
-------------------------------------------------------------------
Tue Jun 11 21:06:58 UTC 2013 - dvaleev@suse.com
- Fix qcms altivec include (mozilla-qcms-ppc.patch)
-------------------------------------------------------------------
Fri May 10 05:25:39 UTC 2013 - wr@rosenauer.org
- update to Firefox 21.0 (bnc#819204)
* removed upstreamed patch firefox-712763.patch
* removed disabled mozilla-disable-neon-option.patch
* MFSA 2013-41/CVE-2013-0801/CVE-2013-1669
Miscellaneous memory safety hazards
* MFSA 2013-42/CVE-2013-1670 (bmo#853709)
Privileged access for content level constructor
* MFSA 2013-43/CVE-2013-1671 (bmo#842255)
File input control has access to full path
* MFSA 2013-46/CVE-2013-1674 (bmo#860971)
Use-after-free with video and onresize event
* MFSA 2013-47/CVE-2013-1675 (bmo#866825)
Uninitialized functions in DOMSVGZoomEvent
* MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/
CVE-2013-1679/CVE-2013-1680/CVE-2013-1681
Memory corruption found using Address Sanitizer
-------------------------------------------------------------------
Tue Apr 9 06:41:31 UTC 2013 - wr@rosenauer.org
- revert to use GStreamer 0.10 on 12.3 (bnc#814101)
(remove mozilla-gstreamer-1.patch)
-------------------------------------------------------------------
Fri Apr 5 17:04:11 UTC 2013 - schwab@linux-m68k.org
- Explicitly disable WebRTC support on non-x86, the configure script
disables it only half-heartedly
-------------------------------------------------------------------
Fri Mar 29 22:15:21 UTC 2013 - wr@rosenauer.org
- update to Firefox 20.0 (bnc#813026)
* requires NSPR 4.9.5 and NSS 3.14.3
* mozilla-webrtc-ppc.patch included upstream
* MFSA 2013-30/CVE-2013-0788/CVE-2013-0789
Miscellaneous memory safety hazards
* MFSA 2013-31/CVE-2013-0800 (bmo#825721)
Out-of-bounds write in Cairo library
* MFSA 2013-35/CVE-2013-0796 (bmo#827106)
WebGL crash with Mesa graphics driver on Linux
* MFSA 2013-36/CVE-2013-0795 (bmo#825697)
Bypass of SOW protections allows cloning of protected nodes
* MFSA 2013-37/CVE-2013-0794 (bmo#626775)
Bypass of tab-modal dialog origin disclosure
* MFSA 2013-38/CVE-2013-0793 (bmo#803870)
Cross-site scripting (XSS) using timed history navigations
* MFSA 2013-39/CVE-2013-0792 (bmo#722831)
Memory corruption while rendering grayscale PNG images
- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)
-------------------------------------------------------------------
Tue Mar 12 23:08:15 UTC 2013 - dmueller@suse.com
- build fixes for armv7hl:
* disable debug build as armv7hl does not have enough memory
* disable webrtc on armv7hl as it is non-compiling
-------------------------------------------------------------------
Thu Mar 7 19:03:32 UTC 2013 - wr@rosenauer.org
- update to Firefox 19.0.2 (bnc#808243)
* MFSA 2013-29/CVE-2013-0787 (bmo#848644)
Use-after-free in HTML Editor
-------------------------------------------------------------------
Thu Feb 28 22:06:36 UTC 2013 - wr@rosenauer.org
- update to Firefox 19.0.1
* blocklist updates
-------------------------------------------------------------------
Sat Feb 16 07:08:55 UTC 2013 - wr@rosenauer.org
- update to Firefox 19.0 (bnc#804248)
* MFSA 2013-21/CVE-2013-0783/2013-0784
Miscellaneous memory safety hazards
* MFSA 2013-22/CVE-2013-0772 (bmo#801366)
Out-of-bounds read in image rendering
* MFSA 2013-23/CVE-2013-0765 (bmo#830614)
Wrapped WebIDL objects can be wrapped again
* MFSA 2013-24/CVE-2013-0773 (bmo#809652)
Web content bypass of COW and SOW security wrappers
* MFSA 2013-25/CVE-2013-0774 (bmo#827193)
Privacy leak in JavaScript Workers
* MFSA 2013-26/CVE-2013-0775 (bmo#831095)
Use-after-free in nsImageLoadingContent
* MFSA 2013-27/CVE-2013-0776 (bmo#796475)
Phishing on HTTPS connection through malicious proxy
* MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/
CVE-2013-0778/CVE-2013-0779/CVE-2013-0781
Use-after-free, out of bounds read, and buffer overflow issues
found using Address Sanitizer
- removed obsolete patches
* mozilla-webrtc.patch
* mozilla-gstreamer-803287.patch
- added patch to fix session restore window order (bmo#712763)
-------------------------------------------------------------------
Sat Feb 2 08:40:52 UTC 2013 - wr@rosenauer.org
- update to Firefox 18.0.2
* blocklist and CTP updates
* fixes in JS engine
-------------------------------------------------------------------
Wed Jan 16 20:51:55 UTC 2013 - wr@rosenauer.org
- update to Firefox 18.0.1
* blocklist updates
* backed out bmo#677092 (removed patch)
* fixed problems involving HTTP proxy transactions
-------------------------------------------------------------------
Sat Jan 12 17:25:11 UTC 2013 - schwab@linux-m68k.org
- Fix WebRTC to build on powerpc
-------------------------------------------------------------------
Sun Jan 6 21:54:18 UTC 2013 - wr@rosenauer.org
- update to Firefox 18.0 (bnc#796895)
* MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770
Miscellaneous memory safety hazards
* MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767
CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829
Use-after-free and buffer overflow issues found using Address Sanitizer
* MFSA 2013-03/CVE-2013-0768 (bmo#815795)
Buffer Overflow in Canvas
* MFSA 2013-04/CVE-2012-0759 (bmo#802026)
URL spoofing in addressbar during page loads
* MFSA 2013-05/CVE-2013-0744 (bmo#814713)
Use-after-free when displaying table with many columns and column groups
* MFSA 2013-06/CVE-2013-0751 (bmo#790454)
Touch events are shared across iframes
* MFSA 2013-07/CVE-2013-0764 (bmo#804237)
Crash due to handling of SSL on threads
* MFSA 2013-08/CVE-2013-0745 (bmo#794158)
AutoWrapperChanger fails to keep objects alive during garbage collection
* MFSA 2013-09/CVE-2013-0746 (bmo#816842)
Compartment mismatch with quickstubs returned values
* MFSA 2013-10/CVE-2013-0747 (bmo#733305)
Event manipulation in plugin handler to bypass same-origin policy
* MFSA 2013-11/CVE-2013-0748 (bmo#806031)
Address space layout leaked in XBL objects
* MFSA 2013-12/CVE-2013-0750 (bmo#805121)
Buffer overflow in Javascript string concatenation
* MFSA 2013-13/CVE-2013-0752 (bmo#805024)
Memory corruption in XBL with XML bindings containing SVG
* MFSA 2013-14/CVE-2013-0757 (bmo#813901)
Chrome Object Wrapper (COW) bypass through changing prototype
* MFSA 2013-15/CVE-2013-0758 (bmo#813906)
Privilege escalation through plugin objects
* MFSA 2013-16/CVE-2013-0753 (bmo#814001)
Use-after-free in serializeToStream
* MFSA 2013-17/CVE-2013-0754 (bmo#814026)
Use-after-free in ListenerManager
* MFSA 2013-18/CVE-2013-0755 (bmo#814027)
Use-after-free in Vibrate
* MFSA 2013-19/CVE-2013-0756 (bmo#814029)
Use-after-free in Javascript Proxy objects
- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743)
- removed obsolete SLE11 patches (mozilla-gcc43*)
- reenable WebRTC
- added mozilla-libproxy-compat.patch for libproxy API compat
on openSUSE 11.2 and earlier
- backed out restartless language packs as it broke multi-locale
setup (bmo#677092, bmo#818468)
-------------------------------------------------------------------
Thu Nov 29 19:56:51 UTC 2012 - wr@rosenauer.org
- update to Firefox 17.0.1
* revert some useragent changes introduced in 17.0
* leaving private browsing with social enabled doesn't reset all
social components (bmo#815042)
- fix KDE integration for file dialogs
-------------------------------------------------------------------
Tue Nov 20 19:52:02 UTC 2012 - wr@rosenauer.org
- update to Firefox 17.0 (bnc#790140)
* MFSA 2012-91/CVE-2012-5842/CVE-2012-5843
Miscellaneous memory safety hazards
* MFSA 2012-92/CVE-2012-4202 (bmo#758200)
Buffer overflow while rendering GIF images
* MFSA 2012-93/CVE-2012-4201 (bmo#747607)
evalInSanbox location context incorrectly applied
* MFSA 2012-94/CVE-2012-5836 (bmo#792857)
Crash when combining SVG text on path with CSS
* MFSA 2012-95/CVE-2012-4203 (bmo#765628)
Javascript: URLs run in privileged context on New Tab page
* MFSA 2012-96/CVE-2012-4204 (bmo#778603)
Memory corruption in str_unescape
* MFSA 2012-97/CVE-2012-4205 (bmo#779821)
XMLHttpRequest inherits incorrect principal within sandbox
* MFSA 2012-99/CVE-2012-4208 (bmo#798264)
XrayWrappers exposes chrome-only properties when not in chrome
compartment
* MFSA 2012-100/CVE-2012-5841 (bmo#805807)
Improper security filtering for cross-origin wrappers
* MFSA 2012-101/CVE-2012-4207 (bmo#801681)
Improper character decoding in HZ-GB-2312 charset
* MFSA 2012-102/CVE-2012-5837 (bmo#800363)
Script entered into Developer Toolbar runs with chrome privileges
* MFSA 2012-103/CVE-2012-4209 (bmo#792405)
Frames can shadow top.location
* MFSA 2012-104/CVE-2012-4210 (bmo#796866)
CSS and HTML injection through Style Inspector
* MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/
CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/
CVE-2012-4213/CVE-2012-4217/CVE-2012-4218
Use-after-free and buffer overflow issues found using Address
Sanitizer
* MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838
Use-after-free, buffer overflow, and memory corruption issues
found using Address Sanitizer
- rebased patches
- disabled WebRTC since build is broken (bmo#776877)
-------------------------------------------------------------------
Tue Nov 20 15:42:55 UTC 2012 - pcerny@suse.com
- build on SLE11
* mozilla-gcc43-enums.patch
* mozilla-gcc43-template_hacks.patch
* mozilla-gcc43-templates_instantiation.patch
-------------------------------------------------------------------
Wed Oct 24 08:27:29 UTC 2012 - wr@rosenauer.org
- update to Firefox 16.0.2 (bnc#786522)
* MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196
(bmo#800666, bmo#793121, bmo#802557)
Fixes for Location object issues
- bring back Obsoletes for libproxy's mozjs plugin for distributions
before 12.2 to avoid crashes
-------------------------------------------------------------------
Thu Oct 11 01:51:16 UTC 2012 - wr@rosenauer.org
- update to Firefox 16.0.1 (bnc#783533)
* MFSA 2012-88/CVE-2012-4191 (bmo#798045)
Miscellaneous memory safety hazards
* MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619)
defaultValue security checks not applied
-------------------------------------------------------------------
Sun Oct 7 21:40:14 UTC 2012 - wr@rosenauer.org
- update to Firefox 16.0 (bnc#783533)
* MFSA 2012-74/CVE-2012-3982/CVE-2012-3983
Miscellaneous memory safety hazards
* MFSA 2012-75/CVE-2012-3984 (bmo#575294)
select element persistance allows for attacks
* MFSA 2012-76/CVE-2012-3985 (bmo#655649)
Continued access to initial origin after setting document.domain
* MFSA 2012-77/CVE-2012-3986 (bmo#775868)
Some DOMWindowUtils methods bypass security checks
* MFSA 2012-79/CVE-2012-3988 (bmo#725770)
DOS and crash with full screen and history navigation
* MFSA 2012-80/CVE-2012-3989 (bmo#783867)
Crash with invalid cast when using instanceof operator
* MFSA 2012-81/CVE-2012-3991 (bmo#783260)
GetProperty function can bypass security checks
* MFSA 2012-82/CVE-2012-3994 (bmo#765527)
top object and location property accessible by plugins
* MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370)
Chrome Object Wrapper (COW) does not disallow acces to privileged
functions or properties
* MFSA 2012-84/CVE-2012-3992 (bmo#775009)
Spoofing and script injection through location.hash
* MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/
CVE-2012-4181/CVE-2012-4182/CVE-2012-4183
Use-after-free, buffer overflow, and out of bounds read issues
found using Address Sanitizer
* MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/
CVE-2012-4188
Heap memory corruption issues found using Address Sanitizer
* MFSA 2012-87/CVE-2012-3990 (bmo#787704)
Use-after-free in the IME State Manager
- requires NSPR 4.9.2
- improve GStreamer integration (bmo#760140)
- removed upstreamed mozilla-crashreporter-restart-args.patch
- webapprt now included
- use kmozillahelper's new REVEAL command (bnc#777415)
(requires mozilla-kde4-integration >= 0.6.4)
- updated translations-other with new languages
-------------------------------------------------------------------
Mon Sep 10 19:37:56 UTC 2012 - wr@rosenauer.org
- update to Firefox 15.0.1 (bnc#779936)
* Sites visited while in Private Browsing mode could be found
through manual browser cache inspection (bmo#787743)
-------------------------------------------------------------------
Sun Aug 26 13:47:43 UTC 2012 - wr@rosenauer.org
- update to Firefox 15.0 (bnc#777588)
* MFSA 2012-57/CVE-2012-1970
Miscellaneous memory safety hazards
* MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975
CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959
CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964
Use-after-free issues found using Address Sanitizer
* MFSA 2012-59/CVE-2012-1956 (bmo#756719)
Location object can be shadowed using Object.defineProperty
* MFSA 2012-60/CVE-2012-3965 (bmo#769108)
Escalation of privilege through about:newtab
* MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793)
Memory corruption with bitmap format images with negative height
* MFSA 2012-62/CVE-2012-3967/CVE-2012-3968
WebGL use-after-free and memory corruption
* MFSA 2012-63/CVE-2012-3969/CVE-2012-3970
SVG buffer overflow and use-after-free issues
* MFSA 2012-64/CVE-2012-3971
Graphite 2 memory corruption
* MFSA 2012-65/CVE-2012-3972 (bmo#746855)
Out-of-bounds read in format-number in XSLT
* MFSA 2012-66/CVE-2012-3973 (bmo#757128)
HTTPMonitor extension allows for remote debugging without explicit
activation
* MFSA 2012-68/CVE-2012-3975 (bmo#770684)
DOMParser loads linked resources in extensions when parsing
text/html
* MFSA 2012-69/CVE-2012-3976 (bmo#768568)
Incorrect site SSL certificate data display
* MFSA 2012-70/CVE-2012-3978 (bmo#770429)
Location object security checks bypassed by chrome code
* MFSA 2012-72/CVE-2012-3980 (bmo#771859)
Web console eval capable of executing chrome-privileged code
- fix HTML5 video crash with GStreamer enabled (bmo#761030)
- GStreamer is only used for MP4 (no WebM, OGG)
- updated filelist
- moved browser specific preferences to correct location
-------------------------------------------------------------------
Sun Jul 29 08:34:39 UTC 2012 - aj@suse.de
- Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16)
-------------------------------------------------------------------
Sat Jul 14 19:31:51 UTC 2012 - wr@rosenauer.org
- update to 14.0.1 (bnc#771583)
* MFSA 2012-42/CVE-2012-1949/CVE-2012-1948
Miscellaneous memory safety hazards
* MFSA 2012-43/CVE-2012-1950
Incorrect URL displayed in addressbar through drag and drop
* MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952
Gecko memory corruption
* MFSA 2012-45/CVE-2012-1955 (bmo#757376)
Spoofing issue with location
* MFSA 2012-46/CVE-2012-1966 (bmo#734076)
XSS through data: URLs
* MFSA 2012-47/CVE-2012-1957 (bmo#750096)
Improper filtering of javascript in HTML feed-view
* MFSA 2012-48/CVE-2012-1958 (bmo#750820)
use-after-free in nsGlobalWindow::PageHidden
* MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559)
Same-compartment Security Wrappers can be bypassed
* MFSA 2012-50/CVE-2012-1960 (bmo#761014)
Out of bounds read in QCMS
* MFSA 2012-51/CVE-2012-1961 (bmo#761655)
X-Frame-Options header ignored when duplicated
* MFSA 2012-52/CVE-2012-1962 (bmo#764296)
JSDependentString::undepend string conversion results in memory
corruption
* MFSA 2012-53/CVE-2012-1963 (bmo#767778)
Content Security Policy 1.0 implementation errors cause data
leakage
* MFSA 2012-55/CVE-2012-1965 (bmo#758990)
feed: URLs with an innerURI inherit security context of page
* MFSA 2012-56/CVE-2012-1967 (bmo#758344)
Code execution through javascript: URLs
- license change from tri license to MPL-2.0
- fix crashreporter restart option (bmo#762780)
- require NSS 3.13.5
- remove mozjs pacrunner obsoletes again for now
- adopted mozilla-prefer_plugin_pref.patch
- PPC fixes:
* reenabled mozilla-yarr-pcre.patch to fix build for PPC
* add patches for bmo#750620 and bmo#746112
* fix xpcshell segfault on ppc
-------------------------------------------------------------------
Fri Jun 15 12:37:09 UTC 2012 - wr@rosenauer.org
- update to Firefox 13.0.1
* bugfix release
- obsolete libproxy's mozjs pacrunner (bnc#759123)
-------------------------------------------------------------------
Sat Jun 2 08:22:51 UTC 2012 - wr@rosenauer.org
- update to Firefox 13.0 (bnc#765204)
* MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
Miscellaneous memory safety hazards
* MFSA 2012-36/CVE-2012-1944 (bmo#751422)
Content Security Policy inline-script bypass
* MFSA 2012-37/CVE-2012-1945 (bmo#670514)
Information disclosure though Windows file shares and shortcut
files
* MFSA 2012-38/CVE-2012-1946 (bmo#750109)
Use-after-free while replacing/inserting a node in a document
* MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
Buffer overflow and use-after-free issues found using Address
Sanitizer
- require NSS 3.13.4
* MFSA 2012-39/CVE-2012-0441 (bmo#715073)
- fix sound notifications when filename/path contains a whitespace
(bmo#749739)
-------------------------------------------------------------------
Wed May 23 14:40:16 UTC 2012 - adrian@suse.de
- fix build on arm
-------------------------------------------------------------------
Wed May 16 05:34:01 UTC 2012 - wr@rosenauer.org
- reenabled crashreporter for Factory/12.2
(fix in mozilla-gcc47.patch)
-------------------------------------------------------------------
Sat Apr 21 10:02:37 UTC 2012 - wr@rosenauer.org
- update to Firefox 12.0 (bnc#758408)
* rebased patches
* MFSA 2012-20/CVE-2012-0467/CVE-2012-0468
Miscellaneous memory safety hazards
* MFSA 2012-22/CVE-2012-0469 (bmo#738985)
use-after-free in IDBKeyRange
* MFSA 2012-23/CVE-2012-0470 (bmo#734288)
Invalid frees causes heap corruption in gfxImageSurface
* MFSA 2012-24/CVE-2012-0471 (bmo#715319)
Potential XSS via multibyte content processing errors
* MFSA 2012-25/CVE-2012-0472 (bmo#744480)
Potential memory corruption during font rendering using cairo-dwrite
* MFSA 2012-26/CVE-2012-0473 (bmo#743475)
WebGL.drawElements may read illegal video memory due to
FindMaxUshortElement error
* MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307)
Page load short-circuit can lead to XSS
* MFSA 2012-28/CVE-2012-0475 (bmo#694576)
Ambiguous IPv6 in Origin headers may bypass webserver access
restrictions
* MFSA 2012-29/CVE-2012-0477 (bmo#718573)
Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
* MFSA 2012-30/CVE-2012-0478 (bmo#727547)
Crash with WebGL content using textImage2D
* MFSA 2012-31/CVE-2011-3062 (bmo#739925)
Off-by-one error in OpenType Sanitizer
* MFSA 2012-32/CVE-2011-1187 (bmo#624621)
HTTP Redirections and remote content can be read by javascript errors
* MFSA 2012-33/CVE-2012-0479 (bmo#714631)
Potential site identity spoofing when loading RSS and Atom feeds
- added mozilla-libnotify.patch to allow fallback from libnotify
to xul based events if no notification-daemon is running
- gcc 4.7 fixes
* mozilla-gcc47.patch
* disabled crashreporter temporarily for Factory
- recommend libcanberra0 for proper sound notifications
-------------------------------------------------------------------
Fri Mar 9 21:47:07 UTC 2012 - wr@rosenauer.org
- update to Firefox 11.0 (bnc#750044)
* MFSA 2012-13/CVE-2012-0455 (bmo#704354)
XSS with Drag and Drop and Javascript: URL
* MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103)
SVG issues found with Address Sanitizer
* MFSA 2012-15/CVE-2012-0451 (bmo#717511)
XSS with multiple Content Security Policy headers
* MFSA 2012-16/CVE-2012-0458
Escalation of privilege with Javascript: URL as home page
* MFSA 2012-17/CVE-2012-0459 (bmo#723446)
Crash when accessing keyframe cssText after dynamic modification
* MFSA 2012-18/CVE-2012-0460 (bmo#727303)
window.fullScreen writeable by untrusted content
* MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/
CVE-2012-0463
Miscellaneous memory safety hazards
- ported and reenabled KDE integration (bnc#746591)
- explicitely build-require X libs
-------------------------------------------------------------------
Mon Mar 5 13:31:48 UTC 2012 - vdziewiecki@suse.com
- add Provides: browser(npapi) FATE#313084
-------------------------------------------------------------------
Fri Feb 17 17:41:11 UTC 2012 - pcerny@suse.com
- better plugin directory resolution (bnc#747320)
-------------------------------------------------------------------
Thu Feb 16 08:47:31 UTC 2012 - wr@rosenauer.org
- update to Firefox 10.0.2 (bnc#747328)
* CVE-2011-3026 (bmo#727401)
libpng: integer overflow leading to heap-buffer overflow
-------------------------------------------------------------------
Thu Feb 9 09:26:11 UTC 2012 - wr@rosenauer.org
- update to Firefox 10.0.1 (bnc#746616)
* MFSA 2012-10/CVE-2012-0452 (bmo#724284)
use after free in nsXBLDocumentInfo::ReadPrototypeBindings
-------------------------------------------------------------------
Tue Feb 7 10:40:58 UTC 2012 - dvaleev@suse.com
- Use YARR interpreter instead of PCRE on platforms where YARR JIT
is not supported, since PCRE doesnt build (bmo#691898)
- fix ppc64 build (bmo#703534)
-------------------------------------------------------------------
Mon Jan 30 09:41:59 UTC 2012 - wr@rosenauer.org
- update to Firefox 10.0 (bnc#744275)
* MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
Miscellaneous memory safety hazards
* MFSA 2012-03/CVE-2012-0445 (bmo#701071)
<iframe> element exposed across domains via name attribute
* MFSA 2012-04/CVE-2011-3659 (bmo#708198)
Child nodes from nsDOMAttribute still accessible after removal
of nodes
* MFSA 2012-05/CVE-2012-0446 (bmo#705651)
Frame scripts calling into untrusted objects bypass security
checks
* MFSA 2012-06/CVE-2012-0447 (bmo#710079)
Uninitialized memory appended when encoding icon images may
cause information disclosure
* MFSA 2012-07/CVE-2012-0444 (bmo#719612)
Potential Memory Corruption When Decoding Ogg Vorbis files
* MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
Crash with malformed embedded XSLT stylesheets
- KDE integration has been disabled since it needs refactoring
- removed obsolete ppc64 patch
-------------------------------------------------------------------
Sun Jan 22 12:08:07 UTC 2012 - joop.boonen@opensuse.org
- Disable neon for arm as it doesn't build correctly
-------------------------------------------------------------------
Fri Dec 23 17:02:01 UTC 2011 - wr@rosenauer.org
- update to Firefox 9.0.1
* (strongparent) parentNode of element gets lost (bmo#335998)
-------------------------------------------------------------------
Sun Dec 18 09:58:52 UTC 2011 - adrian@suse.de
- fix arm build, don't package crashreporter there
-------------------------------------------------------------------
Sun Dec 18 09:52:08 UTC 2011 - wr@rosenauer.org
- update to Firefox 9 (bnc#737533)
* MFSA 2011-53/CVE-2011-3660
Miscellaneous memory safety hazards (rv:9.0)
* MFSA 2011-54/CVE-2011-3661 (bmo#691299)
Potentially exploitable crash in the YARR regular expression
library
* MFSA 2011-55/CVE-2011-3658 (bmo#708186)
nsSVGValue out-of-bounds access
* MFSA 2011-56/CVE-2011-3663 (bmo#704482)
Key detection without JavaScript via SVG animation
* MFSA 2011-58/VE-2011-3665 (bmo#701259)
Crash scaling <video> to extreme sizes
-------------------------------------------------------------------
Sun Nov 27 03:51:54 UTC 2011 - mgorse@suse.com
- Fix accessibility under GNOME 3 (bnc#732898)
-------------------------------------------------------------------
Sat Nov 12 15:16:38 UTC 2011 - dvaleev@suse.com
- fix ppc64 build
-------------------------------------------------------------------
Sun Nov 6 08:20:59 UTC 2011 - wr@rosenauer.org
- update to Firefox 8 (bnc#728520)
* MFSA 2011-47/CVE-2011-3648 (bmo#690225)
Potential XSS against sites using Shift-JIS
* MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
Miscellaneous memory safety hazards
* MFSA 2011-49/CVE-2011-3650 (bmo#674776)
Memory corruption while profiling using Firebug
* MFSA 2011-52/CVE-2011-3655 (bmo#672182)
Code execution via NoWaiverWrapper
- rebased patches
-------------------------------------------------------------------
Thu Oct 20 12:34:47 UTC 2011 - wr@rosenauer.org
- enable telemetry prompt
-------------------------------------------------------------------
Fri Sep 30 10:52:36 UTC 2011 - wr@rosenauer.org
- update to minor release 7.0.1
* fixed staged addon updates
- set intl.locale.matchOS=true in the base package as it causes
too much confusion when it's only available with branding-openSUSE
-------------------------------------------------------------------
Fri Sep 23 11:22:22 UTC 2011 - wr@rosenauer.org
- update to Firefox 7 (bnc#720264)
including
* Improve Responsiveness with Memory Reductions
* Instant Sync
* WebSocket protocol 8
* MFSA 2011-36/CVE-2011-2995/CVE-2011-2996/CVE-2011-2997
Miscellaneous memory safety hazards
* MFSA 2011-39/CVE-2011-3000 (bmo#655389)
Defense against multiple Location headers due to CRLF Injection
* MFSA 2011-40/CVE-2011-2372/CVE-2011-3001
Code installation through holding down Enter
* MFSA 2011-41/CVE-2011-3002/CVE-2011-3003 (bmo#680840, bmo#682335)
Potentially exploitable WebGL crashes
* MFSA 2011-42/CVE-2011-3232 (bmo#653672)
Potentially exploitable crash in the YARR regular expression
library
* MFSA 2011-43/CVE-2011-3004 (bmo#653926)
loadSubScript unwraps XPCNativeWrapper scope parameter
* MFSA 2011-44/CVE-2011-3005 (bmo#675747)
Use after free reading OGG headers
* MFSA 2011-45
Inferring keystrokes from motion data
- removed obsolete mozilla-cairo-lcd.patch
- rebased patches
- removed XLIB_SKIP_ARGB_VISUALS=1 from environment in
mozilla.sh.in (bnc#680758)
-------------------------------------------------------------------
Fri Sep 16 06:57:38 UTC 2011 - wr@rosenauer.org
- fixed loading of kde.js under KDE (bnc#718311)
-------------------------------------------------------------------
Wed Sep 14 07:02:04 UTC 2011 - wr@rosenauer.org
- add dbus-1-glib-devel to BuildRequires (not pulled in
automatically anymore on 12.1)
- increase minversions for NSPR and NSS
-------------------------------------------------------------------
Fri Sep 9 20:44:15 UTC 2011 - wr@rosenauer.org
- recreated source archive to get correct source-stamp.txt
-------------------------------------------------------------------
Wed Sep 7 14:30:34 UTC 2011 - pcerny@suse.com
- security update to 6.0.2 (bnc#714931)
* Complete blocking of certificates issued by DigiNotar
(bmo#683449)
-------------------------------------------------------------------
Fri Sep 2 14:40:07 UTC 2011 - pcerny@suse.com
- security update to 6.0.1 (bnc#714931)
* MFSA 2011-34
Protection against fraudulent DigiNotar certificates
(bmo#682927)
-------------------------------------------------------------------
Fri Aug 12 21:16:19 UTC 2011 - wr@rosenauer.org
- update to 6.0 (bnc#712224)
included security fixes MFSA 2011-29
* CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985
Miscellaneous memory safety hazards
* CVE-2011-2993 (bmo#657267)
Unsigned scripts can call script inside signed JAR
* CVE-2011-2988 (bmo#665934)
Heap overflow in ANGLE library
* CVE-2011-0084 (bmo#648094)
Crash in SVGTextElement.getCharNumAtPosition()
* CVE-2011-2990
Credential leakage using Content Security Policy reports
* CVE-2011-2986 (bmo#655836)
Cross-origin data theft using canvas and Windows D2D
- removed obsolete curl header dependency (mozilla-curl.patch)
-------------------------------------------------------------------
Fri Jul 22 13:34:12 UTC 2011 - wr@rosenauer.org
- update to 6.0b3
* removed obsolete patches
- firefox-shellservice.patch
- mozilla-gio.patch
- mozilla-ppc-ipc.patch
- firefox-linkorder.patch
- firefox-no-sync-l10n.patch
- recognize linux3 as platform for symbolstore.py
-------------------------------------------------------------------
Fri Jul 1 19:53:18 CEST 2011 - vuntz@opensuse.org
- Add x-scheme-handler/ftp to the MimeType key in the .desktop, to
let desktops know that Firefox can deal with ftp: URIs.
-------------------------------------------------------------------
Fri Jul 1 06:45:08 UTC 2011 - wr@rosenauer.org
- create upstream branding package again (supposedly empty)
(bnc#703401)
- fix build on SLE11 (changes do not affect/are not applied for
later versions)
-------------------------------------------------------------------
Wed Jun 22 06:41:17 UTC 2011 - wr@rosenauer.org
- enable startup notification (bnc#701465)
-------------------------------------------------------------------
Mon Jun 20 19:37:01 UTC 2011 - wr@rosenauer.org
- update to 5.0 final
- included fixes for security issues: (bnc#701296, bnc#700578)
* MFSA 2011-19/CVE-2011-2374 CVE-2011-2375
Miscellaneous memory safety hazards
* MFSA 2011-20/CVE-2011-2373 (bmo#617247)
Use-after-free vulnerability when viewing XUL document with
script disabled
* MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303)
Memory corruption due to multipart/x-mixed-replace images
* MFSA 2011-22/CVE-2011-2371 (bmo#664009)
Integer overflow and arbitrary code execution in
Array.reduceRight()
* MFSA 2011-25/CVE-2011-2366
Stealing of cross-domain images using WebGL textures
* MFSA 2011-26/CVE-2011-2367 CVE-2011-2368
Multiple WebGL crashes
* MFSA 2011-27/CVE-2011-2369 (bmo#650001)
XSS encoding hazard with inline SVG
* MFSA 2011-28/CVE-2011-2370 (bmo#645699)
Non-whitelisted site can trigger xpinstall
-------------------------------------------------------------------
Mon Jun 20 09:17:42 UTC 2011 - wr@rosenauer.org
- update to 5.0b7
* updated supported locales
- do not build dump_syms static (not needed for us)
-> fix build for openSUSE 12.1 and above
-------------------------------------------------------------------
Wed Jun 15 14:59:32 UTC 2011 - wr@rosenauer.org
- update to 5.0b6
- include proper revision information into the build
- speedier find-external-requires.sh
-------------------------------------------------------------------
Tue May 31 06:53:55 UTC 2011 - wr@rosenauer.org
- update to 5.0b3
- transformed to standalone Firefox (not xulrunner based)
(with new Firefox rapid release cycle it makes no sense anymore)
* imported all relevant xulrunner patches
- do not compile in build timestamp
-------------------------------------------------------------------
Fri Apr 15 07:08:53 UTC 2011 - wr@rosenauer.org
- security update to 4.0.1 (bnc#689281)
* MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0079
CVE-2011-0080 CVE-2011-0081
Miscellaneous memory safety hazards
* MFSA 2011-17/CVE-2011-0068 (bmo#623791)
WebGLES vulnerabilities
* MFSA 2011-18/CVE-2011-1202 (bmo#640339)
XSLT generate-id() function heap address leak
-------------------------------------------------------------------
Wed Mar 30 11:24:36 UTC 2011 - wr@rosenauer.org
- add all available icon sizes
-------------------------------------------------------------------
Tue Mar 29 11:55:53 UTC 2011 - cfarrell@novell.com
- license update: MPLv1.1 or GPLv2+ or LGPLv2+
Sync licenses with Fedora. MPL does not state ^or later^
-------------------------------------------------------------------
Fri Mar 18 08:49:15 UTC 2011 - wr@rosenauer.org
- update to version 4.0rc2
- fixed rpm macros delivered with devel package (bnc#679950)
-------------------------------------------------------------------
Wed Feb 23 07:52:04 UTC 2011 - wr@rosenauer.org
- update to version 4.0b12
- rebased patches
-------------------------------------------------------------------
Fri Feb 4 09:32:50 UTC 2011 - wr@rosenauer.org
- update to version 4.0b11
* loads of bugfixes compared to last beta
* added "Do Not Track" option
- rebased patches
- disable testpilot
-------------------------------------------------------------------
Fri Jan 28 08:56:12 UTC 2011 - wr@rosenauer.org
- set correct desktop file name within KDE for 11.4 and up
- add devel package with macros for extensions (from lnussel@suse.de)
-------------------------------------------------------------------
Sat Jan 22 22:21:52 UTC 2011 - wr@rosenauer.org
- update to version 4.0b10
- removed obsolete firefox-shell-bmo624267.patch
- testpilot moved to distribution/extensions
- updated locale provides and removed bn-IN from locales
-------------------------------------------------------------------
Tue Jan 11 06:13:40 UTC 2011 - wr@rosenauer.org
- update to version 4.0b9
- added x-scheme-handler for http and https to desktop file for
newer Gnome environments
- fixed default browser check/set for GIO (bmo#611953)
(mozilla-shellservice.patch)
- removed obsolete firefox-appname.patch (integrated into
shellservice patch)
- renamed desktop file to firefox.desktop for 11.4 and newer
(bnc#664211)
- removed support for 10.3 and older from the spec file
- removed obsolete "Ximian" categories from desktop file
-------------------------------------------------------------------
Mon Jan 3 17:35:46 CET 2011 - meissner@suse.de
- Mirror ac_add_options --disable-ipc from xulrunner for PowerPC.
-------------------------------------------------------------------
Wed Dec 15 07:49:45 UTC 2010 - wr@rosenauer.org
- update to version 4.0beta8
-------------------------------------------------------------------
Tue Nov 30 14:19:59 UTC 2010 - wr@rosenauer.org
- major update to version 4.0beta7
* based on mozilla-xulrunner20
* far too many internal changes to list
-------------------------------------------------------------------
Wed Oct 27 07:12:14 CEST 2010 - wr@rosenauer.org
- security update to 3.6.12 (bnc#649492)
* MFSA 2010-73/CVE-2010-3765 (bmo#607222)
Heap buffer overflow mixing document.write and DOM insertion
-------------------------------------------------------------------
Wed Oct 6 07:13:52 CEST 2010 - wr@rosenauer.org
- security update to 3.6.11 (bnc#645315)
* MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176
Miscellaneous memory safety hazards
* MFSA 2010-65/CVE-2010-3179 (bmo#583077)
Buffer overflow and memory corruption using document.write
* MFSA 2010-66/CVE-2010-3180 (bmo#588929)
Use-after-free error in nsBarProp
* MFSA 2010-67/CVE-2010-3183 (bmo#598669)
Dangling pointer vulnerability in LookupGetterOrSetter
* MFSA 2010-68/CVE-2010-3177 (bmo#556734)
XSS in gopher parser when parsing hrefs
* MFSA 2010-69/CVE-2010-3178 (bmo#576616)
Cross-site information disclosure via modal calls
* MFSA 2010-70/CVE-2010-3170 (bmo#578697)
SSL wildcard certificate matching IP addresses
* MFSA 2010-71/CVE-2010-3182 (bmo#590753)
Unsafe library loading vulnerabilities
* MFSA 2010-72/CVE-2010-3173
Insecure Diffie-Hellman key exchange
-------------------------------------------------------------------
Wed Sep 15 07:39:22 CEST 2010 - wr@rosenauer.org
- update to 3.6.10
* fixing startup topcrash (bmo#594699)
-------------------------------------------------------------------
Thu Aug 26 07:40:28 CEST 2010 - wr@rosenauer.org
- security update to 3.6.9 (bnc#637303)
* MFSA 2010-49/CVE-2010-3169
Miscellaneous memory safety hazards
* MFSA 2010-50/CVE-2010-2765 (bmo#576447)
Frameset integer overflow vulnerability
* MFSA 2010-51/CVE-2010-2767 (bmo#584512)
Dangling pointer vulnerability using DOM plugin array
* MFSA 2010-53/CVE-2010-3166 (bmo#579655)
Heap buffer overflow in nsTextFrameUtils::TransformText
* MFSA 2010-54/CVE-2010-2760 (bmo#585815)
Dangling pointer vulnerability in nsTreeSelection
* MFSA 2010-55/CVE-2010-3168 (bmo#576075)
XUL tree removal crash and remote code execution
* MFSA 2010-56/CVE-2010-3167 (bmo#576070)
Dangling pointer vulnerability in nsTreeContentView
* MFSA 2010-57/CVE-2010-2766 (bmo#580445)
Crash and remote code execution in normalizeDocument
* MFSA 2010-59/CVE-2010-2762 (bmo#584180)
SJOW creates scope chains ending in outer object
* MFSA 2010-61/CVE-2010-2768 (bmo#579744)
UTF-7 XSS by overriding document charset using <object> type
attribute
* MFSA 2010-62/CVE-2010-2769 (bmo#520189)
Copy-and-paste or drag-and-drop into designMode document allows
XSS
* MFSA 2010-63/CVE-2010-2764 (bmo#552090)
Information leak via XMLHttpRequest statusText
-------------------------------------------------------------------
Wed Jul 28 08:33:14 CEST 2010 - meissner@suse.de
- disable crash reporter for non x86/x86_64 to make it build.
-------------------------------------------------------------------
Sat Jul 24 12:42:58 CEST 2010 - wr@rosenauer.org
- security update to 3.6.8 (bnc#622506)
* MFSA 2010-48/CVE-2010-2755 (bmo#575836)
Dangling pointer crash regression from plugin parameter array
fix
-------------------------------------------------------------------
Fri Jul 16 06:48:44 CEST 2010 - wr@rosenauer.org
- security update to 3.6.7 (bnc#622506)
* MFSA 2010-34/CVE-2010-1211/CVE-2010-1212
Miscellaneous memory safety hazards
* MFSA 2010-35/CVE-2010-1208 (bmo#572986)
DOM attribute cloning remote code execution vulnerability
* MFSA 2010-36/CVE-2010-1209 (bmo#552110)
Use-after-free error in NodeIterator
* MFSA 2010-37/CVE-2010-1214 (bmo#572985)
Plugin parameter EnsureCachedAttrParamArrays remote code
execution vulnerability
* MFSA 2010-38/CVE-2010-1215 (bmo#567069)
Arbitrary code execution using SJOW and fast native function
* MFSA 2010-39/CVE-2010-2752 (bmo#574059)
nsCSSValue::Array index integer overflow
* MFSA 2010-40/CVE-2010-2753 (bmo#571106)
nsTreeSelection dangling pointer remote code execution
vulnerability
* MFSA 2010-41/CVE-2010-1205 (bmo#570451)
Remote code execution using malformed PNG image
* MFSA 2010-42/CVE-2010-1213 (bmo#568148)
Cross-origin data disclosure via Web Workers and importScripts
* MFSA 2010-43/CVE-2010-1207 (bmo#571287)
Same-origin bypass using canvas context
* MFSA 2010-44/CVE-2010-1210 (bmo#564679)
Characters mapped to U+FFFD in 8 bit encodings cause subsequent
character to vanish
* MFSA 2010-45/CVE-2010-1206/CVE-2010-2751 (bmo#536466,556957)
Multiple location bar spoofing vulnerabilities
* MFSA 2010-46/CVE-2010-0654 (bmo#524223)
Cross-domain data theft using CSS
* MFSA 2010-47/CVE-2010-2754 (bmo#568564)
Cross-origin data leakage from script filename in error messages
-------------------------------------------------------------------
Sun Jun 27 20:24:31 CEST 2010 - wr@rosenauer.org
- update to 3.6.6 release
* modifies the crash protection feature to increase the amount
of time that plugins are allowed to be non-responsive before
being terminated.
-------------------------------------------------------------------
Wed Jun 23 14:40:35 CEST 2010 - wr@rosenauer.org
- update to final 3.6.4 release (bnc#603356)
* MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/
CVE-2010-1203
Crashes with evidence of memory corruption (rv:1.9.2.4)
* MFSA 2010-28/CVE-2010-1198 (bmo#532246)
Freed object reuse across plugin instances
* MFSA 2010-29/CVE-2010-1196 (bmo#534666)
Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
* MFSA 2010-30/CVE-2010-1199 (bmo#554255)
Integer Overflow in XSLT Node Sorting
* MFSA 2010-31/CVE-2010-1125 (bmo#552255)
focus() behavior can be used to inject or steal keystrokes
* MFSA 2010-32/CVE-2010-1197 (bmo#537120)
Content-Disposition: attachment ignored if
Content-Type: multipart also present
* MFSA 2010-33/CVE-2008-5913 (bmo#475585)
User tracking across sites using Math.random()
-------------------------------------------------------------------
Mon Jun 7 07:07:33 CEST 2010 - wr@rosenauer.org
- update to 3.6.4(build6)
-------------------------------------------------------------------
Sun Apr 18 09:42:40 CEST 2010 - wr@rosenauer.org
- security update to 3.6.4 (Lorentz)
* enable crashreporter also for x86-64
* Flash runs in a separate process to avoid crashing Firefox
(ix86 only; x86-64 still uses nspluginwrapper)
-------------------------------------------------------------------
Thu Apr 1 11:15:38 UTC 2010 - wr@rosenauer.org
- security update to 3.6.3
* MFSA 2010-25/CVE-2010-1121 (bmo#555109)
Re-use of freed object due to scope confusion
-------------------------------------------------------------------
Thu Mar 18 06:43:33 CET 2010 - wr@rosenauer.org
- security update to version 3.6.2 (bnc#586567)
* MFSA 2010-08/CVE-2010-1028
WOFF heap corruption due to integer overflow
* MFSA 2010-09/CVE-2010-0164 (bmo#547143)
Deleted frame reuse in multipart/x-mixed-replace image
* MFSA 2010-10/CVE-2010-0170 (bmo#541530)
XSS via plugins and unprotected Location object
* MFSA 2010-11/CVE-2010-0165/CVE-2010-0166/CVE-2010-0167
Crashes with evidence of memory corruption
* MFSA 2010-12/CVE-2010-0171 (bmo#531364)
XSS using addEventListener and setTimeout on a wrapped object
* MFSA 2010-13/CVE-2010-0168 (bmo#540642)
Content policy bypass with image preloading
* MFSA 2010-14/CVE-2010-0169 (bmo#535806)
Browser chrome defacement via cached XUL stylesheets
* MFSA 2010-15/CVE-2010-0172 (bmo#537862)
Asynchronous Auth Prompt attaches to wrong window
* MFSA 2010-16/CVE-2010-0173/CVE-2010-0174
Crashes with evidence of memory corruption
* MFSA 2010-18/CVE-2010-0176 (bmo#538308)
Dangling pointer vulnerability in nsTreeContentView
* MFSA 2010-19/CVE-2010-0177 (bmo#538310)
Dangling pointer vulnerability in nsPluginArray
* MFSA 2010-20/CVE-2010-0178 (bmo#546909)
Chrome privilege escalation via forced URL drag and drop
* MFSA 2010-22/CVE-2009-3555 (bmo#545755)
Update NSS to support TLS renegotiation indication
* MFSA 2010-23/CVE-2010-0181 (bmo#452093)
Image src redirect to mailto: URL opens email editor
* MFSA 2010-24/CVE-2010-0182 (bmo#490790)
XMLDocument::load() doesn't check nsIContentPolicy
-------------------------------------------------------------------
Mon Jan 18 09:42:50 CET 2010 - wr@rosenauer.org
- update to 3.6rc2 (already named 3.6.0)
- removed obsolete orbit-devel build requirement
-------------------------------------------------------------------
Wed Jan 6 17:15:40 CET 2010 - wr@rosenauer.org
- major update to 3.6rc1
-------------------------------------------------------------------
Fri Dec 25 09:39:42 CET 2009 - wr@rosenauer.org
- update to version 3.5.7 (bnc#568011)
* DNS resolution in MakeSN of nsAuthSSPI causing issues for
proxy servers that support NTLM auth (bmo#535193)
- added missing lockdown preferences (bnc#567131)
-------------------------------------------------------------------
Thu Dec 17 20:06:38 CET 2009 - wr@rosenauer.org
- readded firefox-ui-lockdown.patch (bnc#546158)
-------------------------------------------------------------------
Thu Dec 3 21:53:59 CET 2009 - wr@rosenauer.org
- security update to version 3.5.6 (bnc#559807)
* MFSA 2009-65/CVE-2009-3979/CVE-2009-3980/CVE-2009-3982
Crashes with evidence of memory corruption (rv:1.9.1.6)
* MFSA 2009-66/CVE-2009-3388 (bmo#504843,bmo#523816)
Memory safety fixes in liboggplay media library
* MFSA 2009-67/CVE-2009-3389 (bmo#515882,bmo#504613)
Integer overflow, crash in libtheora video library
* MFSA 2009-68/CVE-2009-3983 (bmo#487872)
NTLM reflection vulnerability
* MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232)
Location bar spoofing vulnerabilities
* MFSA 2009-70/VE-2009-3986 (bmo#522430)
Privilege escalation via chrome window.opener
- fixed firefox-browser-css.patch (bnc#561027)
-------------------------------------------------------------------
Mon Nov 23 22:31:21 CET 2009 - wr@rosenauer.org
- rebased patches for fuzz=0
-------------------------------------------------------------------
Thu Nov 5 19:49:33 UTC 2009 - wr@rosenauer.org
- update to version 3.5.5 (bnc#553172)
-------------------------------------------------------------------
Sat Oct 17 23:19:23 CEST 2009 - wr@rosenauer.org
- security update to version 3.5.4 (bnc#545277)
* MFSA 2009-52/CVE-2009-3370 (bmo#511615)
Form history vulnerable to stealing
* MFSA 2009-53/CVE-2009-3274 (bmo#514823)
Local downloaded file tampering
* MFSA 2009-54/CVE-2009-3371 (bmo#514554)
Crash with recursive web-worker calls
* MFSA 2009-55/CVE-2009-3372 (bmo#500644)
Crash in proxy auto-configuration regexp parsing
* MFSA 2009-56/CVE-2009-3373 (bmo#511689)
Heap buffer overflow in GIF color map parser
* MFSA 2009-57/CVE-2009-3374 (bmo#505988)
Chrome privilege escalation in XPCVariant::VariantDataToJS()
* MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862)
Heap buffer overflow in string to number conversion
* MFSA 2009-61/CVE-2009-3375 (bmo#503226)
Cross-origin data theft through document.getSelection()
* MFSA 2009-62/CVE-2009-3376 (bmo#511521)
Download filename spoofing with RTL override
* MFSA 2009-63/CVE-2009-3377/CVE-2009-3379/CVE-2009-3378
Upgrade media libraries to fix memory safety bugs
* MFSA 2009-64/CVE-2009-3380/CVE-2009-3381/CVE-2009-3383
Crashes with evidence of memory corruption
- removed upstreamed patch
* firefox-bug506901.patch
-------------------------------------------------------------------
Wed Oct 7 20:11:24 CEST 2009 - llunak@novell.com
- fix KDE button order in one more place (bnc#170055)
-------------------------------------------------------------------
Fri Oct 2 20:26:49 CEST 2009 - wr@rosenauer.org
- improve UI colors to be usable with dark themes at all
(firefox-browser-css.patch) (bnc#503351)
- extend list of supported architectures as ABI identifier
(mozilla-abi.patch) (bnc#543460)
-------------------------------------------------------------------
Mon Sep 14 00:07:55 CEST 2009 - wr@rosenauer.org
- added KDE integration patch from llunak@novell.com
(firefox-kde.patch)
* support for knotify, making -kde4-addon obsolete
* KDE-specific support functional (bnc#170055)
- do not build libnkgnomevfs (bmo#512671) (firefox-no-gnomevfs)
-------------------------------------------------------------------
Thu Sep 10 09:34:26 CEST 2009 - wr@rosenauer.org
- security update to version 3.5.3 (bnc#534458)
* MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/
CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075
Crashes with evidence of memory corruption
* MFSA 2009-49/CVE-2009-3077 (bmo#506871)
TreeColumns dangling pointer vulnerability
* MFSA 2009-50/CVE-2009-3078 (bmo#453827)
Location bar spoofing via tall line-height Unicode characters
* MFSA 2009-51/CVE-2009-3079 (bmo#454363)
Chrome privilege escalation with FeedWriter
-------------------------------------------------------------------
Wed Aug 19 22:14:07 CEST 2009 - wr@rosenauer.org
- renamed patch firefox-contextmenu-gnome to firefox-cross-desktop
as it contains more tweaks to handle non-Gnome environments and
especially KDE integration:
* added the ability to set the KDE default browser
(still part of bnc#170055)
-------------------------------------------------------------------
Sat Aug 8 00:14:18 CEST 2009 - wr@rosenauer.org
- split -translations package into -common and -other
(bnc#529180)
- remove "set as background" from context menu if not running in
Gnome (part of bnc#170055)
-------------------------------------------------------------------
Fri Jul 31 09:01:57 CEST 2009 - wr@rosenauer.org
- security update to version 3.5.2
* MFSA 2009-38/CVE-2009-2470 (bmo#459524)
Data corruption with SOCKS5 reply containing DNS name longer
than 15 characters
* MFSA 2009-44/CVE-2009-2654 (bmo#451898)
Location bar and SSL indicator spoofing via window.open() on
invalid URL
* MFSA 2009-45
Crashes with evidence of memory corruption
* MFSA 2009-46 (bmo#498897)
Chrome privilege escalation due to incorrectly cached wrapper
* various other stability fixes
- export MOZ_APP_LAUNCHER in the startscript (bmo#453689)
-------------------------------------------------------------------
Tue Jul 28 14:54:46 CEST 2009 - wr@rosenauer.org
- fixed %exclude usage
- fixed preferences' advanced pane for fresh profiles (bmo#506901)
-------------------------------------------------------------------
Wed Jul 15 20:13:19 CEST 2009 - wr@rosenauer.org
- security update to version 3.5.1
* MFSA 2009-41
Corrupt JIT state after deep return from native function
-------------------------------------------------------------------
Mon Jul 6 12:33:47 CEST 2009 - wr@rosenauer.org
- added mozilla-linkorder.patch to fix build with --as-needed
-------------------------------------------------------------------
Tue Jun 30 08:52:00 CEST 2009 - wr@rosenauer.org
- update to final version 3.5 (20090623)
-------------------------------------------------------------------
Tue Jun 23 09:39:50 CEST 2009 - wr@rosenauer.org
- fixed build by linking to a real file
-------------------------------------------------------------------
Thu Jun 18 10:19:40 CEST 2009 - wr@rosenauer.org
- update to version 3.5rc2 (20090617)
- BuildRequire mozilla-xulrunner191 = 1.9.1.0
-------------------------------------------------------------------
Sat Jun 6 15:59:02 CEST 2009 - wr@rosenauer.org
- update to version 3.5b99 (20090604)
- BuildRequire mozilla-xulrunner191 = 1.9.1b99
-------------------------------------------------------------------
Wed May 27 08:03:16 CEST 2009 - wr@rosenauer.org
- fixed typos in improved xulrunner dependencies
-------------------------------------------------------------------
Mon May 11 18:25:12 CEST 2009 - wr@rosenauer.org
- use non-localized Downloads folder (bnc#501724)
-------------------------------------------------------------------
Mon May 4 07:57:50 CEST 2009 - wr@rosenauer.org
- update to new major version 3.5b4
* based on Gecko 1.9.1 (mozilla-xulrunner191)
* Private Browsing Mode
* TraceMonkey JavaScript engine
* Geolocation support
* native JSON and web worker threads support
* speculative parsing for faster content rendering
* Some HTML5 support
- updated firefox.schemas
- improved firefox-no-update.patch
-------------------------------------------------------------------
Tue Apr 28 10:47:54 CEST 2009 - wr@rosenauer.org
- security update to 3.0.10
* MFSA 2009-23/CVE-2009-1313 (bmo#489647)
Crash in nsTextFrame::ClearTextRun()
-------------------------------------------------------------------
Thu Apr 16 13:52:21 CEST 2009 - wr@rosenauer.org
- security update to 3.0.9 (bnc#495473)
* MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305
Crashes with evidence of memory corruption (rv:1.9.0.9)
* MFSA 2009-15/CVE-2009-0652 (bmo#479336)
URL spoofing with box drawing character
* MFSA 2009-16/CVE-2009-1306 (bmo#474536)
jar: scheme ignores the content-disposition: header on the
inner URI
* MFSA 2009-17/CVE-2009-1307 (bmo#481342)
Same-origin violations when Adobe Flash loaded via
view-source: scheme
* MFSA 2009-18/CVE-2009-1308 (bmo#481558)
XSS hazard using third-party stylesheets and XBL bindings
* MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433)
Same-origin violations in XMLHttpRequest and
XPCNativeWrapper.toString
* MFSA 2009-20/CVE-2009-1310 (bmo#483086)
Malicious search plugins can inject code into arbitrary sites
* MFSA 2009-21/CVE-2009-1311 (bmo#471962)
POST data sent to wrong site when saving web page with
embedded frame
* MFSA 2009-22/CVE-2009-1312 (bmo#475636)
Firefox allows Refresh header to redirect to javascript: URIs
-------------------------------------------------------------------
Fri Mar 27 09:43:43 CET 2009 - wr@rosenauer.org
- security update to 1.9.0.8 (bnc#488955,489411)
* MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217)
Crash and remote code execution in XSL transformation
* MFSA 2009-13/CVE-2009-1044 (bmo#484320)
Arbitrary code execution via XUL tree moveToEdgeShift
- allow RPM provides for stuff besides shared libraries
(e.g. mime-types)
-------------------------------------------------------------------
Sun Mar 1 11:08:58 CET 2009 - wr@rosenauer.org
- security update to 3.0.7 (bnc#478625)
* MFSA 2009-07 - Crashes with evidence of memory corruption
CVE-2009-0771 - Layout Engine Crashes
CVE-2009-0772 - Layout Engine Crashes
CVE-2009-0773 - crashes in the JavaScript engine
CVE-2009-0774 - Layout Engine Crashes
* MFSA 2009-08/CVE-2009-0775 - (bmo#474456)
Mozilla Firefox XUL Linked Clones Double Free Vulnerability
* MFSA 2009-09/CVE-2009-0776 (bmo#414540)
XML data theft via RDFXMLDataSource and cross-domain redirect
* MFSA 2009-10/CVE-2009-0040 (bmo#478901)
Upgrade PNG library to fix memory safety hazards
* MFSA 2009-11/CVE-2009-0777 (bmo#452979)
URL spoofing with invisible control characters
-------------------------------------------------------------------
Wed Feb 4 18:58:59 EST 2009 - hfiguiere@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Wed Jan 28 13:48:00 CET 2009 - wr@rosenauer.org
- security update to 3.0.6 (bnc#470074)
* MFSA 2009-06/CVE-2009-0358: Directives to not cache pages ignored
(bmo#441751)
* MFSA 2009-05/CVE-2009-0357: XMLHttpRequest allows reading
HTTPOnly cookies (bmo#380418)
* MFSA 2009-04/CVE-2009-0356: Chrome privilege escalation via
local .desktop files (bmo#460425)
* MFSA 2009-03/CVE-2009-0355: Local file stealing with SessionStore
(bmo#466937)
* MFSA 2009-02/CVE-2009-0354: XSS using a chrome XBL method
and window.eval (bmo#468581)
* MFSA 2009-01/CVE-2009-0352 - CVE-2009-0353: Crashes with
evidence of memory corruption (rv:1.9.0.6) (bmo#452913,
bmo#449006, bmo#331088, bmo#401042, bmo#416461, bmo#422283,
bmo#422301, bmo#431705, bmo#437142, bmo#421839, bmo#420697,
bmo#461027)
* (non security) added lv locale
-------------------------------------------------------------------
Thu Jan 22 11:09:42 EST 2009 - hfiguiere@suse.de
- Fix the wrapper script for PowerPC 64-bits (bnc#464753)
-------------------------------------------------------------------
Wed Dec 17 13:13:25 EST 2008 - hfiguiere@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Mon Dec 15 16:41:57 CET 2008 - wr@rosenauer.org
- security update to 1.9.0.5 (bnc#455804)
for details
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
* removed aboutRights workaround again
* added et locale
-------------------------------------------------------------------
Tue Nov 25 10:14:45 EST 2008 - hfiguiere@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Sat Nov 22 13:26:03 CET 2008 - wr@rosenauer.org
- replace license agreement with about:rights toolbar
(backported from upcoming FF 3.0.5) (bnc#436054, bmo#456439)
(it's always displayed in en-US)
-------------------------------------------------------------------
Fri Nov 21 03:11:41 EST 2008 - hfiguiere@suse.de
- Update firefox-lockdown-ui.patch
* Print Setup is now properly locked down. bnc#431028
* Bookmark editing it now properly locked down. bnc#439335
* Bookmars are properly hidden.
* History is properly locked down. bnc#439343
* Make sure the search bar is not put back when resetting the
toolbar. bnc#439358
-------------------------------------------------------------------
Thu Nov 20 18:49:19 CST 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Thu Nov 13 08:22:13 CET 2008 - wr@rosenauer.org
- lockdown cleanup
* removed gecko-lockdown.patch from Firefox (it's in xulrunner)
* stripped out some toolkit stuff from firefox-ui-lockdown
* added extra default preferences for lockdown
-------------------------------------------------------------------
Wed Nov 12 17:55:19 CST 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Tue Nov 11 09:15:59 CET 2008 - wr@rosenauer.org
- update to security/maintenance release 3.0.4 (bnc#439841)
* support additional locales (bg, cy, eo, oc)
- removed obsolete configure option (enable-gconf)
-------------------------------------------------------------------
Fri Nov 7 15:39:54 CST 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Tue Nov 4 23:27:03 CET 2008 - wr@rosenauer.org
- moved gconf schema into branding packages (bnc#441646)
-------------------------------------------------------------------
Tue Oct 28 16:16:14 EDT 2008 - hfiguiere@suse.de
- Fix missing %endif (for fix for bnc#434283)
-------------------------------------------------------------------
Mon Oct 27 17:05:02 EDT 2008 - hfiguiere@suse.de
- Add disable_show_passwords to firefox.schemas. (FATE #301534)
-------------------------------------------------------------------
Mon Oct 27 11:57:29 CET 2008 - wr@rosenauer.org
- make biarch dependencies work correctly (bnc#434283)
-------------------------------------------------------------------
Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de
- Added firefox-ui-lockdown.patch and gecko-lockdown.patch
* Lockdown: FATE#302023, FATE#302024
-------------------------------------------------------------------
Mon Oct 6 14:55:48 CEST 2008 - sbrabec@suse.cz
- Conflict with other branding providers (FATE#304881).
-------------------------------------------------------------------
Mon Sep 29 12:27:43 CDT 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Mon Sep 29 11:36:30 CDT 2008 - maw@suse.de
- Remove a reference to a stale patch.
-------------------------------------------------------------------
Sun Sep 28 18:19:26 CEST 2008 - wr@rosenauer.org
- update to regression fix release 3.0.3
* Fixed a problem where users were unable to retrieve saved
passwords or save new passwords (bmo#454708, bnc#429179#c20,
CVE-2008-4063, CVE-2008-4064, CVE-2008-3836, andCVE-2008-4070)
-------------------------------------------------------------------
Thu Sep 25 14:47:13 CDT 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Mon Sep 15 13:45:16 CEST 2008 - wr@rosenauer.org
- update to security/maintenance release 3.0.2 (bnc#429179)
- removed unused files from sources
- fix more rpmlint complaints and provide a config file to filter
false positives
- disable Gnome crashreporter as it has no value
- brought man-page up to date for the firefox stub
(removing firefox-bin reference)
- en-US locale not longer packaged in translations subpackage
-------------------------------------------------------------------
Fri Aug 15 18:56:26 CDT 2008 - maw@novell.com
- Review and approve changes.
-------------------------------------------------------------------
Mon Aug 4 09:26:05 CEST 2008 - wr@rosenauer.org
- Tweak branding split
-------------------------------------------------------------------
Tue Jul 29 15:02:47 CEST 2008 - vuntz@novell.com
- Create branding package (bnc#390752):
+ search-addons.tar.bz2, bookmarks.html.suse and
firefox-suse-default-prefs.js will be moved to
MozillaFirefox-branding-openSUSE
+ create a MozillaFirefox-branding-upstream package
-------------------------------------------------------------------
Mon Jul 28 20:54:22 CEST 2008 - mauro@suse.de
- Update to stability/security release 3.0.1 (bnc#407573)
(thanks, Wolfgang)
+ MFSA 2008-36 Crash with malformed GIF file on Mac OS X
+ MFSA 2008-35 Command-line URLs launch multiple tabs when
Firefox not running
+ MFSA 2008-34 Remote code execution by overflowing CSS reference counter
- Set browser.shell.checkDefaultBrowser to true (bnc#404119)
-------------------------------------------------------------------
Tue Jun 17 18:49:33 CEST 2008 - maw@suse.de
- Merge changes from the build service (thanks, Wolfgang)
(bnc#400001 and SWAMP#18164).
-------------------------------------------------------------------
Tue Jun 17 14:40:04 CEST 2008 - wr@rosenauer.org
- update to version 3.0
- fixed double entry in bookmarks for www.opensuse.org (bnc#396980
-------------------------------------------------------------------
Thu May 15 13:45:51 CEST 2008 - aj@suse.de
- Add Planet SUSE, forums.o.o and How to participate to default
URLs.
-------------------------------------------------------------------
Fri May 2 16:25:24 CEST 2008 - maw@suse.de
- network.protocol-handler.app.* prefs are no longer supported;
remove references to them from firefox-suse-default-prefs.js
(bnc#383697).
-------------------------------------------------------------------
Thu Apr 3 01:42:34 CEST 2008 - maw@suse.de
- Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang).
-------------------------------------------------------------------
Wed Mar 26 01:05:18 CET 2008 - maw@suse.de
- Merge changes from the build service (thanks, Wolfgang)
- Update to the fourth Firefox 3.0 Beta (2.9.94):
+ Based upon the Gecko 1.9 Web rendering platform, which improves
performance, stability, and rendering correctness; it also
boasts a considerable simplification in its code
+ Security improvements:
* One-click site info
* Malware Protection
* New Web Forgery Protection page
* New SSL error pages
* Add-ons and Plugin version check
* Secure add-on updates
* Effective top-level domain (eTLD) service to better restrict
cookies and other restricted content to a single domain
* Better protection against cross-site JSON data leaks
+ Usability improvements:
* Easier password management
* Simplified add-on installation
* New Download Manager
* Resumable downloading
* Full page zoom
* Podcasts and Videocasts can be associated with your media
playback tools
* Tab scrolling and quickmenu
* Save what you were doing: Firefox will prompt users to save
tabs on exit
* Optimized Open in Tabs behavior
* Location and Search bar size can now be customized with a
simple resizer item
* Text selection improvements
* Find toolbar
* Improved integration with Linux: Firefox's default icons,
buttons, and menu styles now use the native GTK theme
+ Personalization improvements:
* Star button: quickly add bookmarks from the location bar
with a single click; a second click lets you file and tag them
* Tags: associate keywords with your bookmarks to sort them
by topic
* Location bar & auto-complete
* Smart Bookmarks Folder
* Places Organizer: view, organize and search through all
of your bookmarks, tags, and browsing history with multiple
views and smart folders to store your frequent searches
* Web-based protocol handlers
* Download & Install Add-ons
* Easy to use Download Actions
+ Improved platform for web developers:
* New graphics and font handling: new graphics and text
rendering architectures in Gecko 1.9 provides rendering
improvements in CSS, SVG as well as improved display of
fonts with ligatures and complex scripts
* Color management: (set gfx.color_management.enabled on
in about:config and restart the browser to enable.);
Firefox can now adjust images with embedded color profiles
* Offline support: enables web applications to provide
offline functionality (website authors must add support
for offline browsing to their site for this feature
to be available to users)
+ Improved performance:
* Speed: improvements to the JavaScript engine as well as
profile guided optimizations have resulted in significant
improvements in performance; compared to Firefox 2,
web applications like Google Mail and Zoho Office run
twice as fast in Firefox 3 Beta 4, and the popular
SunSpider test from Apple shows improvements over
previous releases
* Memory usage: Several new technologies work together to
reduce the amount of memory used by Firefox 3 Beta 4
over a web browsing session; memory cycles are broken
and collected by an automated cycle collector, a new
memory allocator reduces fragmentation, hundreds of leaks
have been fixed, and caching strategies have been tuned
* Reliability: A user's bookmarks, history, cookies, and
preferences are now stored in a transactionally secure
database format which will prevent data loss even if their
system crashes
- This version depends upon the mozilla-xulrunner190 package
- Drop various stale packages, respin several that have been
kept around, and add a few new ones.
-------------------------------------------------------------------
Mon Feb 11 18:18:14 CET 2008 - maw@suse.de
- Security update to version 2.0.0.12 (bnc#354469):
+ MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div
overlay
+ MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet
redirect
+ MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain
text files
+ MFSA 2008-08/CVE-2008-0591 File action dialog tampering
+ MFSA 2008-06/CVE-2008-0419 Web browsing history and forward
navigation stealing
+ MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI
+ MFSA 2008-04/CVE-2008-0417 Stored password corruption
+ MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote
Code Execution
+ MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing
vulnerabilities
+ MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory
corruption (rv:1.8.1.12)
- Reference libaoss.so in start script (bnc#117079)
- Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed
- Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and
FATE#302024)
- Add application/x-xpinstall mime type to MozillaFirefox.desktop
- Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall
in desktop.
-------------------------------------------------------------------
Thu Jan 17 17:52:47 CET 2008 - maw@suse.de
- Add mozilla-maxpathlen.patch (#354150 and bmo #412610).
-------------------------------------------------------------------
Fri Dec 21 18:46:50 CET 2007 - maw@suse.de
- Add firefox-348446-empty-lists.patch (bnc#348446).
-------------------------------------------------------------------
Wed Dec 5 02:21:26 CET 2007 - maw@suse.de
- Respin proxy-dev.patch (bnc#340678) -- thanks, Anders!
-------------------------------------------------------------------
Tue Nov 27 18:25:25 CET 2007 - maw@suse.de
- Security update to version 2.0.0.10 (#341905, #341591):
+ MFSA 2007-39 Referer-spoofing via window.location race condition
+ MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
+ MFSA 2007-37 jar: URI scheme XSS hazard
+ Fixes for regressions introduced in 2.0.0.8
+ Updated dbus.patch, startup.patch, misc.dif, and configure.patch
- Add mozilla-gcc4.3-fixes.patch
- Add mozilla-canvas-1.8.1.10.patch (#341591#c10).
-------------------------------------------------------------------
Mon Nov 26 18:27:25 CET 2007 - maw@suse.de
- Build with -ftree-vrp -fwrapv, per advice in #342603#c17.
-------------------------------------------------------------------
Tue Nov 13 17:49:01 CET 2007 - maw@suse.de
- Add firefox-gcc4.3-fixes.patch.
-------------------------------------------------------------------
Fri Oct 19 02:04:45 CEST 2007 - maw@suse.de
- Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang)
* MFSA 2007-29 Crashes with evidence of memory corruption
* MFSA 2007-30 onUnload Tailgating
* MFSA 2007-31 Digest authentication request splitting
* MFSA 2007-32 File input focus stealing vulnerability
* MFSA 2007-33 XUL pages can hide the window titlebar
* MFSA 2007-34 Possible file stealing through sftp protocol
* MFSA 2007-35 XPCNativeWraper pollution using Script object
complete advisories on
http://www.mozilla.org/projects/security/known-vulnerabilities.html
-------------------------------------------------------------------
Sun Sep 23 19:49:12 CEST 2007 - maw@suse.de
- Don't explicitly require libaoss.so (#326751).
-------------------------------------------------------------------
Fri Sep 14 23:13:06 CEST 2007 - maw@suse.de
- Update the Novell Support search plugin in search-addons.tar.bz2
(#297261)
- Set the browser.tabs.loadFolderAndReplace preference to false
by default (#230759).
-------------------------------------------------------------------
Wed Sep 12 15:21:06 CEST 2007 - dmueller@suse.de
- fix hardlinks accross partitions
-------------------------------------------------------------------
Thu Sep 6 16:07:12 CEST 2007 - maw@suse.de
- Add http://software.opensuse.org/search?baseproject=openSUSE:10.3
to the default bookmarks (#308223).
-------------------------------------------------------------------
Mon Sep 3 22:33:09 CEST 2007 - ro@suse.de
- move last change a bit further in specfile
-------------------------------------------------------------------
Fri Aug 31 18:36:16 CEST 2007 - maw@suse.de
- Mark a .png file as nonexecutable.
-------------------------------------------------------------------
Tue Aug 28 16:44:08 CEST 2007 - maw@suse.de
- Minor .spec update (#305193)
+ Remove two obsolete patches
+ Correct releasedate
+ Include only the officially supported locales.
-------------------------------------------------------------------
Wed Aug 22 17:53:03 CEST 2007 - maw@suse.de
- Merge changes from the build service (thanks, Wolfgang):
+ Provide locale dependency information (#302288)
+ Add x11-session.patch, supporting X11 session management
(#227047)
+ Update to version 2.0.0.6
* MFSA 2007-26 Privilege escalation through chrome-loaded
about:blank windows
* MFSA 2007-27 Unescaped URIs passed to external programs
(only relevant on Windows)
- Use %fdupes.
-------------------------------------------------------------------
Tue Aug 21 09:45:35 CEST 2007 - aj@suse.de
- Adjust bookmarks: Add news.opensuse.org, use new software.o.o
page.
-------------------------------------------------------------------
Thu Aug 16 14:57:27 CEST 2007 - mauro@suse.de
- Revert previous change.
-------------------------------------------------------------------
Tue Aug 14 11:58:23 CEST 2007 - mauro@suse.de
- Added support for ymp in the mimetypes.rdf
- Added OneClickInstallUrlHandler for handing the actual call from firefox.
- Fixes bnc #295677
-------------------------------------------------------------------
Mon Jul 23 18:57:07 CEST 2007 - maw@suse.de
- Security update to version 2.0.0.5 (#288115) which has fixes for:
MFSA 2007-18
CVE-2007-3734 - Browser flaws
CVE-2007-3735 - Javascript flaws
MFSA 2007-19
CVE-2007-3736
MFSA 2007-20
CVE-2007-3089
MFSA 2007-21
CVE-2007-3737
MFSA 2007-22
CVE-2007-3285
MFSA 2007-23
CVE-2007-3670
MFSA 2007-24
CVE-2007-3656
MFSA 2007-25
CVE-2007-3738
-------------------------------------------------------------------
Thu Jun 21 15:59:01 CEST 2007 - adrian@suse.de
- fix changelog entry order
-------------------------------------------------------------------
Mon Jun 18 13:22:42 CDT 2007 - maw@suse.de
- Use mozilla.sh.in from the build service (#230681).
-------------------------------------------------------------------
Tue Jun 5 15:55:08 CEST 2007 - sbrabec@suse.cz
- Removed invalid desktop category "Application" (#254654).
-------------------------------------------------------------------
Mon Jun 4 19:53:35 CDT 2007 - maw@suse.de
- Security update to version 2.0.0.4
- Refresh configure.patch, startup.patch, and visibility.patch
- Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2.
-------------------------------------------------------------------
Mon Apr 30 16:49:55 CEST 2007 - ro@suse.de
- added unzip to BuildRequires
-------------------------------------------------------------------
Wed Apr 18 14:16:44 CEST 2007 - mfabian@suse.de
- add Japanese to the languages which get PANGO enabled in the
start script to support the Japanese combining characters
U+3099 U+309A (see bugzilla #262718 comment #29).
-------------------------------------------------------------------
Mon Mar 12 11:06:10 CST 2007 - maw@suse.de
- Package gconf stuff.
-------------------------------------------------------------------
Wed Feb 21 16:37:25 CST 2007 - maw@suse.de
- Security update to 2.0.0.2 (#244923), which covers:
+ mfsa2007-01
* CVE-2007-0775 - layout engine crashes
* CVE-2007-0776 - SVG
* CVE-2007-0777 - javascript engine corruption
+ mfsa2007-02
* CVE-2007-0995 - Invalid trailing characters in HTML tag attributes
* CVE-2007-0996 - Child frame character set inheritance
* CVE-2006-6077 - Injected password forms
+ mfsa2007-02
+ mfsa2007-03
* CVE-2007-0078
+ mfsa2007-04
* CVE-2007-0079
+ mfsa2007-05
* CVE-2007-0780
* CVE-2007-0800
+ mfsa2007-06
* CVE-2007-0008 - client flaw
* CVE-2007-0009 - server flaw
+ mfsa2007-07
* CVE-2007-0981
- Updates mozilla.sh.in (#230681)
- Fixes #232209
- Updates the man page (#243037)
- Properly propagates exit codes (#241492)
- Adds em-356370.patch (#217374)
-------------------------------------------------------------------
Thu Jan 25 10:16:56 CST 2007 - maw@suse.de
- Fixup the Gnome paths, keeping in closer sync with the
buildservice.
-------------------------------------------------------------------
Thu Jan 18 09:27:54 CST 2007 - maw@suse.de
- Gnome is now in /usr, so remove references to /opt/gnome
- Install firefox.png with the executable bit not set.
-------------------------------------------------------------------
Wed Jan 10 12:57:39 CET 2007 - meissner@suse.de
- readd MozillaFirebird provides (was incorrect in removing it).
-------------------------------------------------------------------
Mon Jan 8 11:16:08 CET 2007 - meissner@suse.de
- Do not provide MozillaFirebird, just obsolete it.
-------------------------------------------------------------------
Fri Dec 1 02:22:49 CET 2006 - maw@suse.de
- Update gecko-lockdown.patch (#220616).
-------------------------------------------------------------------
Thu Nov 30 19:02:54 CET 2006 - maw@suse.de
- Update firefox-suse-default-prefs.js, adding
'pref("browser.backspace_action", 2);' (#217374)
-------------------------------------------------------------------
Thu Nov 30 08:17:28 CET 2006 - aj@suse.de
- Fix last change (#224431).
-------------------------------------------------------------------
Wed Nov 29 11:45:47 CET 2006 - aj@suse.de
- Change download bookmark (#224431).
- Rename bookmark folder to openSUSE.
-------------------------------------------------------------------
Tue Nov 28 08:09:48 CET 2006 - aj@suse.de
- Sync from Buildservice with following critical fixes (thanks
Wolfgang Rosenauer!):
* fixed system-proxies.patch to actually work (#223881).
* Rearrange Bookmarks to pass trademark review.
-------------------------------------------------------------------
Mon Nov 27 19:40:44 CET 2006 - aj@suse.de
- Fix tango theme (#223796).
-------------------------------------------------------------------
Mon Nov 27 17:40:50 CET 2006 - aj@suse.de
- Use www.opensuse.org as home page.
-------------------------------------------------------------------
Sun Nov 12 11:28:00 CET 2006 - aj@suse.de
- Set novell.com as home page.
- Update from BuildService (thanks Wolfgang!):
- fixed crash in htmlparser (#217257, bmo #358797)
- added gconf2 as PreReq (#212505)
- added 32bit libaoss.so as requirement (#216266)
- Removed SUSE searchplugin (Portal not available anymore)
(#216054)
- Removed obsolete xul-picker.patch and system-nspr.patch
- Fixed building on 10.1 and 10.0 (dbus)
- Removed obsolete throbber preference
-------------------------------------------------------------------
Thu Nov 9 19:09:46 CET 2006 - jhargadon@suse.de
- updated tango theme
-------------------------------------------------------------------
Sun Oct 29 12:05:46 CET 2006 - aj@suse.de
- Another fix for 214125, patch by Wolfgang Rosenauer.
-------------------------------------------------------------------
Thu Oct 26 06:58:59 CEST 2006 - aj@suse.de
- Fix gcc warnings about undefined operations, patch by
Robert O'Callahan.
- Update system-proxies.patch to fix error box (214125), patch by
Robert O'Callahan.
-------------------------------------------------------------------
Mon Oct 23 21:54:54 CEST 2006 - aj@suse.de
- Update to current CVS version of 2.0.
- Use www.opensuse.org as default home page for now (#203547).
-------------------------------------------------------------------
Sat Oct 21 08:53:50 CEST 2006 - aj@suse.de
- Disable non-working plasticfox and tango themes.
-------------------------------------------------------------------
Fri Oct 20 20:16:29 CEST 2006 - aj@suse.de
- Fix building of locales.
-------------------------------------------------------------------
Fri Oct 20 11:27:23 CEST 2006 - mkoenig@suse.de
- update to version 2.0rc3:
* New features: Visual Refresh, Built-in phishing protection,
Enhanced search capabilities, Improved tabbed browsing,
Resuming your browsing session, Previewing and subscribing
to Web feeds, Inline spell checking, Live Titles,
Improved Add-ons manager, JavaScript 1.7, Extended search
plugin format, Updates to the extension system,
Client-side session and persistent storage, SVG text
-------------------------------------------------------------------
Tue Oct 17 11:26:44 CEST 2006 - meissner@suse.de
- disabled debugging.
-------------------------------------------------------------------
Tue Sep 12 20:27:02 CEST 2006 - stark@suse.de
- security update to version 1.5.0.7
-------------------------------------------------------------------
Mon Aug 21 12:53:50 CEST 2006 - stark@suse.de
- added greasemonkey helper change (#199920)
- fixed packager.mk for new make version
-------------------------------------------------------------------
Fri Aug 11 20:51:48 CEST 2006 - stark@suse.de
- fixed crash in dbus component (patch by thoenig #197928)
- use external adresses for PAC configuration (#196506)
-------------------------------------------------------------------
Mon Aug 7 09:26:58 CEST 2006 - stark@suse.de
- added symlink for Firefox 1.0.x compatibility
-------------------------------------------------------------------
Sat Jul 29 08:48:53 CEST 2006 - stark@suse.de
- update to regression release 1.5.0.6 (#195043)
-------------------------------------------------------------------
Thu Jul 27 06:20:36 CEST 2006 - stark@suse.de
- security update to version 1.5.0.5 (#195043)
* observer-lock.patch integrated now
- fixed leak in JS' liveconnect (#186066)
- fixed desktop file for old distributions
(StartupNotify=false)
-------------------------------------------------------------------
Thu Jun 29 20:13:28 CEST 2006 - stark@suse.de
- fixed printing crash if the last used printer is not available
anymore (#187013)
-------------------------------------------------------------------
Fri Jun 16 22:11:22 CEST 2006 - stark@suse.de
- added 48x48 icon (#185777)
-------------------------------------------------------------------
Mon Jun 12 20:20:02 CEST 2006 - stark@suse.de
- fix overwrite confirmation for GTK filesaver (#179531)
- get network.negotiate-auth.trusted-uris and
network.negotiate-auth.delegation-uris from gconf if
system-settings are enabled (#184489)
-------------------------------------------------------------------
Thu Jun 1 20:34:43 CEST 2006 - stark@suse.de
- update to security/stability release 1.5.0.4 (#179011)
- moved locale-global prefs to browserconfig.properties (#177881)
-------------------------------------------------------------------
Tue May 23 21:11:11 CEST 2006 - stark@suse.de
- complete implementation of startup-notification (#115417)
(including autoconf and remote support)
- different home-pages for SLE10 and SL (#177881)
-------------------------------------------------------------------
Tue May 16 06:27:26 CEST 2006 - stark@suse.de
- fixed potential deadlock in nsObserverList::RemoveObserver
(#173986, bmo #338069)
- base startup notification on libstartup-notification (#115417)
-------------------------------------------------------------------
Thu May 11 09:39:27 CEST 2006 - stark@suse.de
- save printer settings properly (#174082, bmo #324072)
- added startup notification support for showing load activity
in Gnome and to avoid focus stealing prevention (#115417)
- added StartupNotify=true to desktop file (#115417)
- provide legacy symlink for NLD9 update compatibility (#173138)
- fixed system-proxies patch to avoid unwanted wpad requests
(#171743, #167613)
-------------------------------------------------------------------
Mon May 8 14:55:52 CEST 2006 - stark@suse.de
- preconfigure the theme according to the used desktop (#151163)
-------------------------------------------------------------------
Thu Apr 27 10:24:07 CEST 2006 - stark@suse.de
- last minute change for 1.5.0.3
-------------------------------------------------------------------
Wed Apr 26 14:23:33 CEST 2006 - stark@suse.de
- security update to 1.5.0.3
- fix for typo in postscript.patch
-------------------------------------------------------------------
Tue Apr 25 14:14:51 CEST 2006 - stark@suse.de
- fixed iframe crash (#169039, bmo #334515)
- fixed img tag misuse (#168710, bmo #334341)
-------------------------------------------------------------------
Mon Apr 24 08:04:16 CEST 2006 - stark@suse.de
- improved postscript output (bmo #334485)
- changed defaults for printer properties (#6534)
- overwrite gnome-vfs' file protocol by providing "desktop-launch"
(#131501)
- get available paper sizes from CUPS (#65482)
- replaced/removed complicated gconfd reload in %post (#167989)
- fixed memory leak in clipboard caching (bmo #289897)
-------------------------------------------------------------------
Tue Apr 11 08:35:53 CEST 2006 - stark@suse.de
- added (optional) plastikfox theme (#151163)
- get some more security related patches (#148876)
- finally fixed the default proxy configuration by adding a new
UI option (#132398)
-------------------------------------------------------------------
Mon Apr 3 11:41:13 CEST 2006 - stark@suse.de
- fixed keyword fixup patch (#162532)
-------------------------------------------------------------------
Tue Mar 28 07:17:04 CEST 2006 - stark@suse.de
- don't use keyword fixup for pasted text (#160034, bmo #331522)
-------------------------------------------------------------------
Mon Mar 20 09:28:58 CET 2006 - stark@suse.de
- added Tango theme
- fixed reading proxies from gconf (#132398)
-------------------------------------------------------------------
Sun Mar 12 09:04:05 CET 2006 - stark@suse.de
- tweaked bookmarks (fixed URLs)
- added Khmer (km-*) to pango locales (#157397)
-------------------------------------------------------------------
Sat Mar 4 21:08:45 CET 2006 - stark@suse.de
- fixed crash with multipart JPEGs (bmo #328684) (#140416)
- got latest security fixes from upstream (#148876)
-------------------------------------------------------------------
Wed Feb 22 13:24:58 CET 2006 - stark@suse.de
- fixed plugin loading when launched from Thunderbird (#151614)
- merged dbus reconnection patch (#150042)
- default to autodetect proxy (network.proxy.type=4) (#151811)
- added GTK category to desktop file
-------------------------------------------------------------------
Tue Feb 14 06:45:24 CET 2006 - stark@suse.de
- modified lockdown patches (#67281, #67282)
- applied set of security patches (#148876)
bmo bugs: 282105, 307989, 315625, 320459, 323634, 325403, 325947
-------------------------------------------------------------------
Tue Feb 7 20:09:43 CET 2006 - stark@suse.de
- fixed disabling of Pango (#148788)
-------------------------------------------------------------------
Thu Feb 2 21:51:30 CET 2006 - stark@suse.de
- define gssapi lib explicitely (#147670)
- use only official Firefox-Icon
- changed home-download patch
-------------------------------------------------------------------
Sun Jan 29 09:54:49 CET 2006 - stark@suse.de
- throbber URL is default again
- removed firefox-showpass patch
- removed additional CA certs from builtin NSS
-------------------------------------------------------------------
Fri Jan 27 17:55:21 CET 2006 - stark@suse.de
- got some l10n changes from 1.8.0 branch
-------------------------------------------------------------------
Fri Jan 27 08:15:09 CET 2006 - stark@suse.de
- final 1.5.0.1 version
- make it possible to choose $HOME as download directory
(#144894, bmo #300856)
-------------------------------------------------------------------
Wed Jan 25 21:33:43 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Sun Jan 22 17:06:57 CET 2006 - stark@suse.de
- disable Pango if MOZ_ENABLE_PANGO is not set
and no typical language which needs Pango is used (#143428)
-------------------------------------------------------------------
Wed Jan 18 10:27:30 CET 2006 - stark@suse.de
- fixed DumpStackToFile() for glibc 2.4
- added default (font) settings
-------------------------------------------------------------------
Thu Jan 12 10:23:58 CET 2006 - stark@suse.de
- update to 1.5.0.1pre (20060111)
- updated man-page
- fixed hovered tab close button
- only Requires mozilla-nspr instead of PreReq since
there is no postinstall registration necessary anymore
- use system NSS from CODE10 on
- use -fstack-protector where available
- changed unixproxy component to work on older distributions
-------------------------------------------------------------------
Mon Jan 2 13:39:09 CET 2006 - stark@suse.de
- added unixproxy component written by Robert O'Callahan (#132398)
(bmo #66057)
- added official translations
- preload libaoss for plugin sound (#117079)
-------------------------------------------------------------------
Wed Dec 28 08:16:03 CET 2005 - stark@suse.de
- get some patches from 1.8.0 branch
- readded modification to gconf-backend (bmo #321315)
- readded lockdown stuff
- enable additional extension install directory (#120329)
(/usr/lib/browser-extensions/firefox)
- added patch to make the XUL filechooser optional
(MOZ_XUL_PICKER)
-------------------------------------------------------------------
Wed Dec 14 16:08:12 CET 2005 - stark@suse.de
- fixed patch for parsing -remote parameter
- removed default-plugin patch (not needed anymore)
-------------------------------------------------------------------
Fri Dec 9 17:21:29 CET 2005 - stark@suse.de
- fix to ignore X composite extension (#135373)
- fixed parsing of -remote parameters (#134396)
- activated locales as released
-------------------------------------------------------------------
Tue Nov 29 21:33:13 CET 2005 - stark@suse.de
- update to 1.5 (20051128)
- don't override startup URL when changing Gecko versions (#135314)
- added patch for GTK2 handling (#134831)
- readded add-plugins stuff for compatibility
-------------------------------------------------------------------
Fri Nov 18 07:41:41 CET 2005 - stark@suse.de
- update to 1.5rc3 (20051117)
-------------------------------------------------------------------
Mon Oct 31 08:58:14 CET 2005 - stark@suse.de
- updated l10n archive (20051030)
- fixed postinstall script to copy plugin links instead of files
-------------------------------------------------------------------
Fri Oct 28 06:43:27 CEST 2005 - stark@suse.de
- update to 1.5rc1 (20051027)
- fixed profile locking on FAT partitions (bmo #313360)
- introduced an rpath again
-------------------------------------------------------------------
Wed Oct 19 20:03:48 CEST 2005 - stark@suse.de
- update to snapshot 1.5 (20051019)
- moved installation to /usr/%{_lib}/firefox
- added dbus component to be able to get network status from
NetworkManager (bmo #312793)
- remove all update UI for application
- removed diable-gconf (no registration at build time anymore)
- removed rebuild-databases.sh (no system registration anymore)
- open links in new windows (#128087)
-------------------------------------------------------------------
Thu Oct 6 20:44:53 CEST 2005 - stark@suse.de
- update to Firefox 1.5b2 (20051005)
- added supported translations
-------------------------------------------------------------------
Sat Oct 1 15:09:18 CEST 2005 - stark@suse.de
- update to Firefox 1.5b1 (20050930) RPM version 1.4.1
- removed rebuild-databases.sh calls
- removed add-plugins.sh calls and corresponding triggers
- enabled SVG and Canvas support
- fixed gconf urlhandler registration
-------------------------------------------------------------------
Tue Sep 20 10:24:16 CEST 2005 - stark@suse.de
- security update to 1.0.7 (#117619)
* MFSA 2005-57: IDN heap overrun using soft-hyphens (bmo #307259)
(enabled IDN pref again)
* MFSA 2005-58:
CAN-2005-2701 Heap overrun in XBM image processing
CAN-2005-2702 Crash on "zero-width non-joiner" sequence
CAN-2005-2703 XMLHttpRequest header spoofing
CAN-2005-2704 Object spoofing using XBL <implements>
CAN-2005-2705 JavaScript integer overflow
CAN-2005-2706 Privilege escalation using about: scheme
CAN-2005-2707 Chrome window spoofing
Regression fixes
- register beagle extension if it gets installed (#116787)
-------------------------------------------------------------------
Tue Sep 13 15:41:37 CEST 2005 - aj@suse.de
- Change SUSE bookmarks.
-------------------------------------------------------------------
Sun Sep 11 17:05:07 CEST 2005 - stark@suse.de
- disable IDN per default (#116070)
- unlocalize bookmarks (#114279)
-------------------------------------------------------------------
Thu Sep 8 08:52:13 CEST 2005 - stark@suse.de
- fixed some filemodes (#114849)
-------------------------------------------------------------------
Sun Sep 4 00:03:53 CEST 2005 - stark@suse.de
- fixed gconf-backend patch to be able to use
system prefs (#114054)
-------------------------------------------------------------------
Thu Sep 1 13:22:17 CEST 2005 - stark@suse.de
- changed default font to sans-serif (#114464)
- removed de-de parts of the bookmark-links (#114279)
-------------------------------------------------------------------
Mon Aug 22 06:10:12 CEST 2005 - stark@suse.de
- install gconf schema for lockdown also on non-NLD
- added backports (firefox-backports.patch)
* gtk_im_context_set_cursor_location() is not used (bmo #281339)
* fixed crash in imgCacheValidator::OnStartRequest()
(bmo #293307)
- workaround for linking with pangoxft and pangox
(broken by gtk 2.8 update) (#105764)
- remove extensions on deinstallation
- include dragonegg (kparts) plugin (#105468)
-------------------------------------------------------------------
Thu Aug 18 13:08:55 CEST 2005 - stark@suse.de
- fixed regression in profile locking change (bmo #303633)
- added rtsp handler to global config (#104434)
- don't blacklist help: protocol (bmo #304833)
- fixed Gdk-WARNING at startup (gtk.patch)
- fixed crash with gtk 2.7 (bmo #300226, bnc #104586)
- fixed installation of the beagle plugin
- update industrial theme to 1.0.11 (#104564)
- included lockdownV2 (removed obsolete gconf.diff)
- linked firefox-bin with rpath to progdir
-------------------------------------------------------------------
Fri Aug 5 09:51:26 CEST 2005 - stark@suse.de
- fixed profile locking (bmo #151188)
- install beagle extension globally
-------------------------------------------------------------------
Fri Jul 29 06:58:24 CEST 2005 - stark@suse.de
- don't require and provide NSS libs (#98002)
- fixed printing error 'You cannot print while in print preview'
(#96991, bmo #302445)
-------------------------------------------------------------------
Wed Jul 27 09:34:12 CEST 2005 - stark@suse.de
- fixed Firefox on ppc (stack-direction.patch) (#97359)
- removed open-pref from startscript as it is done
automatically now (#73042)
- updated Novell searchplugins
-------------------------------------------------------------------
Mon Jul 25 12:32:13 CEST 2005 - stark@suse.de
- GTK filechooser is now modal (#8533)
- backed out patch to add tooltips to print-preview
because it breaks localization
-------------------------------------------------------------------
Fri Jul 22 10:54:39 CEST 2005 - stark@suse.de
- fixed another problem in printing patch
-------------------------------------------------------------------
Tue Jul 19 10:44:59 CEST 2005 - stark@suse.de
- fixed error in ft-xft-ps2.patch
- disabled stripping in spec instead of patch
- added NSPR to PreReq
-------------------------------------------------------------------
Mon Jul 18 08:43:24 CEST 2005 - stark@suse.de
- fixed some more regressions with final 1.0.6
- fixed width calculation in Postscript module (bmo #290292)
- fixed plugin event starvation (bnc #94749, #94751, bmo #301161)
-------------------------------------------------------------------
Fri Jul 15 11:24:47 CEST 2005 - stark@suse.de
- searchplugins can now be installed per profile (#8176)
-------------------------------------------------------------------
Fri Jul 15 06:54:02 CEST 2005 - stark@suse.de
- update to 1.0.6 which restores API compatibility
-------------------------------------------------------------------
Tue Jul 12 06:20:37 CEST 2005 - stark@suse.de
- update to 1.0.5 final (#88509)
- don't strip explicitely
- don't ship beagle.xpi
-------------------------------------------------------------------
Wed Jul 6 14:13:09 CEST 2005 - stark@suse.de
- update to 1.0.5-pre (20050705)
- use RPM_OPT_FLAGS for NSS component
- fixed implicit declarations and uninitialized used variables
- added patch for bmo #87969
-------------------------------------------------------------------
Tue Jul 5 10:17:16 CEST 2005 - stark@suse.de
- fixed regression from security update (#95069, bmo #298478)
-------------------------------------------------------------------
Mon Jun 27 21:46:58 CEST 2005 - stark@suse.de
- don't use system-prefs by default on NLD
- removed basic lockdown stuff for SUSE Linux
(it's not needed and caused problems: bnc #75418)
- fixed NLD lockdown patch (bnc #75418)
- don't write prefs back to gconf for now
-------------------------------------------------------------------
Wed Jun 22 07:32:42 CEST 2005 - stark@suse.de
- new NLD lockdown patch which is syncing user prefs to gconf
- update to 1.0.5pre security-release
-------------------------------------------------------------------
Thu Jun 9 06:56:02 CEST 2005 - stark@suse.de
- new revision of NLD lockdown patch
- fixed remote usage behaviour in start script (bnc #41903)
- got more bugfixes from the branch
-------------------------------------------------------------------
Thu Jun 2 10:31:48 CEST 2005 - stark@suse.de
- fixed neededforbuild
-------------------------------------------------------------------
Wed Jun 1 20:15:25 CEST 2005 - stark@suse.de
- fixed IDN for 64bit platforms (bmo #236425, bnc #46268)
-------------------------------------------------------------------
Fri May 20 15:12:06 CEST 2005 - stark@suse.de
- fixed keybinding for KP separator (bnc #84147)
- pulled security related patch from upstream branch
- update plastikfox theme to version 1.6
-------------------------------------------------------------------
Thu May 12 06:16:25 CEST 2005 - stark@suse.de
- update to final 1.0.4 release
-------------------------------------------------------------------
Tue May 10 06:38:05 CEST 2005 - stark@suse.de
- update to 1.0.4 security release
- removed s390(x) patches (upstream)
- made two more files %verify (81692)
- updated NLD lockdown patch (81304)
-------------------------------------------------------------------
Thu Apr 28 09:45:53 CEST 2005 - stark@suse.de
- use static NSPR libs from new location
-------------------------------------------------------------------
Sat Apr 23 15:56:08 CEST 2005 - stark@suse.de
- activate usage of system NSPR for distributions after 9.3
- add patch to be able to use systen NSPR at all
-------------------------------------------------------------------
Fri Apr 22 02:06:06 CEST 2005 - ro@suse.de
- use mozilla-gcc4.patch
-------------------------------------------------------------------
Thu Apr 21 12:51:19 CEST 2005 - stark@suse.de
- don't execute gconf magic within build environment
-------------------------------------------------------------------
Sat Apr 16 13:05:37 CEST 2005 - stark@suse.de
- update to final 1.0.3 release
-------------------------------------------------------------------
Fri Apr 15 00:10:54 CEST 2005 - ro@suse.de
- fix problem in postinstall script
-------------------------------------------------------------------
Wed Apr 14 09:20:02 CEST 2005 - stark@suse.de
- included fixed lockdown patch for NLD
- linked proxies within Firefox with gnome settings (NLD)
- added gconfd restart procedure to install script
(only needed if gconf changes are done) (#76852)
-------------------------------------------------------------------
Sat Apr 2 21:03:11 CEST 2005 - stark@suse.de
- update to security pre-release 1.0.3 (#75692)
* Manual plug-in install, javascript vulnerability (bmo #288556)
* Access memory vulnerability (bmo #288688)
-------------------------------------------------------------------
Fri Apr 1 11:32:44 CEST 2005 - stark@suse.de
- added advanced lockdown features for ZLM integration (NLD-only)
-------------------------------------------------------------------
Tue Mar 22 12:33:15 CET 2005 - stark@suse.de
- update to final 1.0.2
- use new theme handling on NLD
- added default-plugin-less-annoying from mozilla
- use GTK2 for Flash
- use system NSPR on SUSE releases after 9.3
- made startscript PIS aware
- set g-application-name correctly (bmo #281979)
- added man-page
- use GTK system colors
- modify useragent string and add vendor id
- activate smooth-scrolling by default (#74310)
-------------------------------------------------------------------
Tue Mar 22 08:59:06 CET 2005 - stark@suse.de
- don't register beagle automatically (#74062)
- added default bookmarks for SUSE LINUX
-------------------------------------------------------------------
Mon Mar 21 18:20:39 CET 2005 - max@suse.de
- Fixed a typo in the shell code that handles inclusion of the
Acrobat Reader plugin (#70861).
-------------------------------------------------------------------
Thu Mar 17 21:01:11 CET 2005 - stark@suse.de
- updates from upcoming 1.0.2
- added again logic to use Adobe Reader 7 (#70861)
- fixed crash in ICO decoding (#67142, bmo #245631)
- preinstall beagle extension (#72920)
- bugfixes in trigger scripts
- fixed industrial theming for Gnome (#72918)
-------------------------------------------------------------------
Sat Mar 12 12:42:16 CET 2005 - stark@suse.de
- fixed more security related bugs
(bmo #284551, #284627, #285595)
-------------------------------------------------------------------
Wed Mar 9 21:42:05 CET 2005 - stark@suse.de
- update also GNOME desktop file (#71810)
- added firefox-gnome.png to filelist
- use correct Firefox icon
-------------------------------------------------------------------
Mon Mar 7 20:47:00 CET 2005 - stark@suse.de
- disable inclusion of acrobat plugin again (#70861)
- don't use gconfd in registration phase (#66381)
-------------------------------------------------------------------
Mon Mar 7 16:13:29 CET 2005 - adrian@suse.de
- use standard icon again for the default desktop file and
add a Gnome-only desktop file for the Gnome icon
- add plastikfox chrome theme to fix button order within KDE
- add patch for automatic theme selection for KDE and Gnome
- do register extensions in rebuild-databases.sh instead of %install,
to fix needed timestamps
-------------------------------------------------------------------
Fri Mar 4 07:54:47 CET 2005 - stark@suse.de
- extend add-plugins to recognize Java 1.5 (#66909)
- changed comment in desktop-file (#66867)
-------------------------------------------------------------------
Tue Feb 22 09:33:44 CET 2005 - stark@suse.de
- make --display parameter working in all cases (bnc #66043)
- revised postscript patch
- final 1.0.1 codebase
-------------------------------------------------------------------
Mon Feb 21 13:09:30 CET 2005 - stark@suse.de
- added patch to create Postscript level 2 (instead of 3)
(special thanks to Jungshik Shin)
- disabled freetype explicitly to be able to use the above patch
(freetype wasn't used anymore since some time anyway)
-------------------------------------------------------------------
Fri Feb 18 09:10:10 CET 2005 - stark@suse.de
- got more patches from branch to get another IDN fix and to
fix bug #51019
- enabled IDN again
-------------------------------------------------------------------
Wed Feb 16 09:20:39 CET 2005 - stark@suse.de
- bumped version number to 1.0.1
-------------------------------------------------------------------
Tue Feb 15 10:26:04 CET 2005 - stark@suse.de
- got updates from 1.0.1 branch
-------------------------------------------------------------------
Thu Feb 10 06:57:33 CET 2005 - stark@suse.de
- additional fireflashing fix (#50635, bmo #280664)
- some more security related fixes
(bmo #268483, #273498, #277322)
- fire up GTK2 filepicker if GNOME is running
-------------------------------------------------------------------
Tue Feb 8 07:51:13 CET 2005 - stark@suse.de
- some prefs are ignored (bmo #261934)
- disabled default IDN (#50566)
- fixed some more bugzilla.mozilla.org bugs:
#276482, #280056, #280603
-------------------------------------------------------------------
Sun Feb 6 13:10:12 CET 2005 - stark@suse.de
- use same desktop categories for Professional and NLD
- added some lockdown stuff for printing and page saving
(bmo #280488)
-------------------------------------------------------------------
Wed Feb 2 13:58:53 CET 2005 - stark@suse.de
- modified gconf.diff to honor ignore_hosts (bmo #280742)
- added a JS crasher fix (bmo #268535)
- added more fixes (bmo #255441, #273024, #275405, #275634)
-------------------------------------------------------------------
Fri Jan 28 12:39:37 CET 2005 - stark@suse.de
- added gplflash inclusion
- improved JRE inclusion
- reactivated usage of Acrobat Reader plugin
(ready for acroread 7)
-------------------------------------------------------------------
Sat Jan 22 13:16:47 CET 2005 - stark@suse.de
- added some backported bugfixes
-------------------------------------------------------------------
Sat Dec 18 10:30:11 CET 2004 - stark@suse.de
- updated industrial theme to 1.0.9
- use slightly changed icon for menu-entry (bnc #275)
- use original desktop file for NLD again
-------------------------------------------------------------------
Thu Dec 16 19:37:48 CET 2004 - stark@suse.de
- newer patch for GNOME associations (bnc #362)
- fix overwriting of files with GTK picker (Ximian #65068)
- readded the industrial default theme patch for NLD
-------------------------------------------------------------------
Wed Dec 15 11:50:56 CET 2004 - stark@suse.de
- activate GTK filepicker for NLD again
- fix for GNOME helper applications with parameters
- make GNOME associations the default on NLD
-------------------------------------------------------------------
Sat Dec 4 16:11:01 CET 2004 - stark@suse.de
- fixed build on s390/s390x
- added patch to be able to install-global without running X
(bmo #265859)
-------------------------------------------------------------------
Thu Nov 18 21:48:05 CET 2004 - stark@suse.de
- update industrial theme to 1.0.8 (still not activated)
- added patch to make home-directory the default download dir
(on NLD is still used Desktop)
-------------------------------------------------------------------
Thu Nov 11 09:01:58 CET 2004 - stark@suse.de
- made initial window height smaller again
-------------------------------------------------------------------
Tue Nov 9 09:09:06 CET 2004 - stark@suse.de
- update to final 1.0 release (20041109)
-------------------------------------------------------------------
Thu Nov 4 08:22:36 CET 2004 - stark@suse.de
- update to 1.0rc2
-------------------------------------------------------------------
Sat Oct 30 21:27:29 CEST 2004 - stark@suse.de
- added missing s390(x) patch
-------------------------------------------------------------------
Wed Oct 27 07:26:25 CEST 2004 - stark@suse.de
- update to 1.0rc1 codebase
- printing via XFT/fontconfig
- freetype changes to avoid API conflicts with newer freetype2
- fixed build for s390/s390x
- removed AMD64 patch (included upstream)
- added translations sub-package
- removed "Show folder" patch for NLD (resolved upstream)
- don't use gnome-filepicker patch for NLD for now
- removed hppa buildfix (included upstream)
- removed untitled.patch (bmo #24068) resolved by (bmo #262478)
- use make -C browser/installer now to prepare installation
- don't check for default browser at startup (#47587)
- updated industrial.jar (0.99.13) (disabled)
-------------------------------------------------------------------
Fri Oct 15 13:51:54 CEST 2004 - stark@suse.de
- inherit locale from system
- fixed chrome registration
-------------------------------------------------------------------
Wed Oct 6 23:11:01 CEST 2004 - joeshaw@suse.de
- disable gconf settings as default (Ximian #67718)
-------------------------------------------------------------------
Wed Oct 6 07:04:05 CEST 2004 - stark@suse.de
- fixed inclusion of RealPlayer plugin again
-------------------------------------------------------------------
Tue Oct 5 10:09:04 CEST 2004 - stark@suse.de
- small important fix in firefox-download.patch (Ximian #65472)
-------------------------------------------------------------------
Sun Oct 3 00:02:09 CEST 2004 - stark@suse.de
- added security-fix from 0.10.1 (mozilla.org #259708) (#46687)
-------------------------------------------------------------------
Fri Oct 1 12:49:38 CEST 2004 - stark@suse.de
- final fix for downloading to Desktop folder (Ximian #65756)
- remove Postscript from printer names (Ximian #65560)
-------------------------------------------------------------------
Thu Sep 30 16:14:10 CEST 2004 - shprasad@suse.de
- Modified the MozillaFirefox.desktop file.
Changed the name 'Firefox' to 'Firefox Web Browser'.
Also changed it for all languages.
-------------------------------------------------------------------
Wed Sep 29 15:54:46 CEST 2004 - stark@suse.de
- fix inclusion of RealPlayer plugin (Ximian #65711)
-------------------------------------------------------------------
Mon Sep 27 17:51:24 CEST 2004 - joeshaw@suse.de
- Update the industrial default patch, for some reason it didn't
take before.
-------------------------------------------------------------------
Fri Sep 24 07:34:48 CEST 2004 - stark@suse.de
- fix for Ximian #65176 (mozilla.org #240068)
- revised patch for update function (Ximian #65615)
-------------------------------------------------------------------
Thu Sep 23 20:21:39 CEST 2004 - joeshaw@suse.de
- Uncomment the patch which tells the UI that industrial is the
default.
-------------------------------------------------------------------
Thu Sep 23 12:38:06 CEST 2004 - stark@suse.de
- open Nautilus on NLD for 'Show folder' in download settings
(Ximian #65472) by sragavan@novell.com
- save to Desktop folder if selected (Ximian #65756)
by sragavan@novell.com
-------------------------------------------------------------------
Wed Sep 22 10:23:01 CEST 2004 - stark@suse.de
- synced NLD package with 9.2 version
- GTK2 filepicker does now ask for confirmation when overwriting
files (Ximian #65068) by sagarwala@novell.com
- no direct update function (Ximian #65615) by rganesan@novell.com
- throbber linked to Novell (Ximian #66283) by rganesan@novell.com
- make industrial the default theme for NLD
(Ximian #65542) by joeshaw@suse.de
-------------------------------------------------------------------
Mon Sep 20 22:00:55 CEST 2004 - joeshaw@suse.de
- Add default bookmarks. Ximian #65546.
- Add the industrial theme, but it's not the default yet.
- Remove acroread from add-plugins because it's badly behaved.
Ximian #65499.
-------------------------------------------------------------------
Mon Sep 20 17:57:38 CEST 2004 - federico@ximian.com
- Added MozillaFirefox-toplevel-window-height.diff for
http://bugzilla.ximian.com/show_bug.cgi?id=65543
-------------------------------------------------------------------
Sun Sep 19 15:42:30 CEST 2004 - stark@suse.de
- use GNOME system prefs only for NLD by default
(fixes bug #45575)
-------------------------------------------------------------------
Fri Sep 17 08:59:32 CEST 2004 - stark@suse.de
- joeshaw@suse.de: Update GConf patch so that proxy settings work
correctly (Ximian #64461)
- don't search Java on every path (Ximian #65383)
- added some missing fixes for official release
- added new java package name for triggers (#45257)
-------------------------------------------------------------------
Sat Sep 11 13:25:41 CEST 2004 - stark@suse.de
- update to official 1.0PR (0.10)
- adopted gnome-filepicker patch
- removed obsolete CUPS hack from start-script
(Ximian #65635, #65560)
-------------------------------------------------------------------
Thu Sep 9 21:35:42 CEST 2004 - stark@suse.de
- fixed endianess on AMD64 in JS component (#34743)
-------------------------------------------------------------------
Mon Sep 6 17:33:07 CEST 2004 - stark@suse.de
- fixed filelist
-------------------------------------------------------------------
Mon Sep 6 13:48:03 CEST 2004 - stark@suse.de
- update to 1.0PR (aka 0.10)
-------------------------------------------------------------------
Fri Sep 3 21:35:47 CEST 2004 - stark@suse.de
- added ppc64 patch
-------------------------------------------------------------------
Thu Sep 2 03:08:59 CEST 2004 - dave@suse.de
- Fixed up the .desktop installation on nld
-------------------------------------------------------------------
Wed Sep 1 15:05:48 CEST 2004 - shprasad@suse.de
- Doesn't ask to set Firefox as default web-browser.
-------------------------------------------------------------------
Tue Aug 31 14:01:18 CEST 2004 - stark@suse.de
- next new version for filepicker stuff
- deactivated native filepicker for NLD
- update to snapshot (20040831)
-------------------------------------------------------------------
Tue Aug 24 17:35:52 CEST 2004 - stark@suse.de
- new version of gnome-filepicker patch
- added patch for config
-------------------------------------------------------------------
Fri Aug 20 17:12:48 CEST 2004 - stark@suse.de
- update to snapshot (20040820)
-------------------------------------------------------------------
Thu Aug 19 08:46:42 CEST 2004 - stark@suse.de
- added workaround for mozilla bug #246313
(Firefox does not start: getting "cannot open display" error)
-------------------------------------------------------------------
Wed Aug 18 15:07:22 CEST 2004 - stark@suse.de
- added some patches from Ximian
- use GNOME filepicker
- use more gconf settings
- set startup homepage to Novell
-------------------------------------------------------------------
Tue Aug 17 13:12:35 CEST 2004 - stark@suse.de
- update to pre-1.0.0 (20040817)
-------------------------------------------------------------------
Thu Aug 5 06:27:41 CEST 2004 - stark@suse.de
- security update to 0.9.3
(including #43312 and others)
- handle RealPlayer 9 plugin
-------------------------------------------------------------------
Mon Aug 2 15:11:51 CEST 2004 - ro@suse.de
- recode desktop file to utf-8
-------------------------------------------------------------------
Wed Jul 28 08:46:31 CEST 2004 - stark@suse.de
- added fix against certificate spoofing (#43312)
-------------------------------------------------------------------
Fri Jul 23 06:31:41 CEST 2004 - stark@suse.de
- update to 0.9.2
- added workaround for extension registry
- removed old (incompatible) mozex extension
-------------------------------------------------------------------
Tue Jun 29 06:27:59 CEST 2004 - stark@suse.de
- update to 0.9.1
- added hint to run as root first
-------------------------------------------------------------------
Tue Jun 15 12:42:28 CEST 2004 - stark@suse.de
- update to 0.9
- added patch for newer freetype
-------------------------------------------------------------------
Fri Apr 2 10:31:45 CEST 2004 - stark@suse.de
- removing relocation of TEMP directory (#34391)
-------------------------------------------------------------------
Mon Mar 29 11:43:51 CEST 2004 - stark@suse.de
- update to 0.8.0+ (20040503)
- removed firefox logos and activate official branding for
milestone builds
- changed profile-dir to .firefox
- added some needed files
- enabled gnomevfs extension
-------------------------------------------------------------------
Fri Mar 26 18:09:34 CET 2004 - uli@suse.de
- fixed hang during build on s390* (bug #35440)
-------------------------------------------------------------------
Wed Mar 3 06:52:00 CET 2004 - stark@suse.de
- removed unused patches for GTK2 build
- more fixes for (#35179)
-------------------------------------------------------------------
Mon Mar 1 07:32:52 CET 2004 - stark@suse.de
- improved start-script to interact with thunderbird (#35179)
-------------------------------------------------------------------
Thu Feb 26 06:57:05 CET 2004 - stark@suse.de
- use official releasedate
- added official (trademarked) artwork
- added firefox icon to /usr/share/pixmaps
- cleaned up spec-file (there will be no GTK1 version)
-------------------------------------------------------------------
Tue Feb 24 16:43:17 CET 2004 - stark@suse.de
- fixed optimization for non-x86 archs
-------------------------------------------------------------------
Tue Feb 24 07:43:35 CET 2004 - stark@suse.de
- adopted file-list and build options to original distribution
- added prdtoa fix (#32963)
- added hook for static firefox build to rebuild-databases.sh
- added compiler flags for security/ (nss-opt.patch)
- included mozex (mozex.mozdev.org)
- added -Os as optimization flag
-------------------------------------------------------------------
Mon Feb 9 21:59:37 CET 2004 - stark@suse.de
- renamed to MozillaFirefox
- update to final version 0.8
-------------------------------------------------------------------
Fri Feb 6 08:39:15 CET 2004 - stark@suse.de
- update to Firebird 0.8 (20040205)
- added mips build fix
- set PS printer list in MozillaFirebird.sh
- use lib64 again for biarch platforms
-------------------------------------------------------------------
Sat Jan 10 10:33:54 CET 2004 - adrian@suse.de
- build as user
-------------------------------------------------------------------
Fri Aug 22 11:32:07 CEST 2003 - stark@suse.de
- upstream sync for 0.6.1post
-------------------------------------------------------------------
Sun Aug 10 22:01:12 CEST 2003 - stark@suse.de
- removed dmoz from searchplugins-filelist
-------------------------------------------------------------------
Fri Aug 8 10:30:50 CEST 2003 - stark@suse.de
- update to 0.6.1post (TRUNK)
- use -fno-strict-aliasing
-------------------------------------------------------------------
Thu Jul 31 11:25:39 CEST 2003 - stark@suse.de
- update to 0.6.1 (MOZILLA_1_4_BRANCH)
- synchronized with mozilla-source
- created file-list
-------------------------------------------------------------------
Thu Jul 10 09:45:49 CEST 2003 - stark@suse.de
- update to snapshot 20030709
- fixed generation of symlink MozillaFirebird-xremote-client
-------------------------------------------------------------------
Fri Jun 20 06:53:08 CEST 2003 - stark@suse.de
- update to snapshot 20030622 (0.7pre)
-------------------------------------------------------------------
Mon May 19 08:54:46 CEST 2003 - stark@suse.de
- update to snapshot 20030518 (0.6)
-------------------------------------------------------------------
Sun May 7 10:11:16 CEST 2003 - stark@suse.de
- update to snapshot 20030507
-------------------------------------------------------------------
Wed Apr 30 13:26:43 CEST 2003 - stark@suse.de
- initial SuSE package