File mozilla-xulrunner190.changes of Package mozilla-xulrunner190
-------------------------------------------------------------------
Thu Mar 18 20:06:08 CET 2010 - wr@rosenauer.org
- security update to version 1.9.0.19 (bnc#586567)
* MFSA-2010-21/CVE-2010-0179
Arbitrary code execution with Firebug XMLHttpRequestSpy
(bmo#504021)
* MFSA-2010-20/CVE-2010-0178
Chrome privilege escalation via forced URL drag and drop
(bmo#546909)
* MFSA-2010-19/CVE-2010-0177
Dangling pointer vulnerability in nsPluginArray (bmo#538310)
* MFSA-2010-18/CVE-2010-0176
Dangling pointer vulnerability in nsTreeContentView
(bmo#538308)
* MFSA-2010-17/CVE-2010-0175
Remote code execution with use-after-free in nsTreeSelection
* MFSA-2010-16/CVE-2010-0173/CVE-2010-0174
Crashes with evidence of memory corruption
- clean up correctly on update (bnc#589094)
-------------------------------------------------------------------
Fri Feb 5 17:02:56 CET 2010 - wr@rosenauer.org
- security update to version 1.9.0.18 (bnc#576969)
* MFSA-2010-01/CVE-2010-0159
Crashes with evidence of memory corruption
* MFSA-2010-02/CVE-2010-0160
Web Worker Array Handling Heap Corruption Vulnerability
* MFSA-2010-03/CVE-2009-1571 (bmo#526500)
Use-after-free crash in HTML parser
* MFSA-2010-04/CVE-2009-3988 (bmo#504862)
XSS due to window.dialogArguments being readable cross-domain
* MFSA-2010-05/CVE-2010-0162 (bmo#455472)
XSS hazard using SVG document and binary Content-Type
-------------------------------------------------------------------
Wed Dec 23 14:45:25 CET 2009 - wr@rosenauer.org
- update to version 1.9.0.17
* DNS resolution in MakeSN of nsAuthSSPI causing issues for
proxy servers that support NTLM auth (bmo#535193)
-------------------------------------------------------------------
Fri Dec 4 23:32:34 CET 2009 - wr@rosenauer.org
- security update to 1.9.0.16 (bnc#559807)
* MFSA 2009-65/CVE-2009-3979/CVE-2009-3981
Crashes with evidence of memory corruption (1.9.0.16)
* MFSA 2009-68/CVE-2009-3983 (bmo#487872)
NTLM reflection vulnerability
* MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232)
Location bar spoofing vulnerabilities
* MFSA 2009-70/CVE-2009-3986 (bmo#522430)
Privilege escalation via chrome window.opener
-------------------------------------------------------------------
Thu Oct 22 07:32:58 CEST 2009 - wr@rosenauer.org
- security update to 1.9.0.15 (bnc#545277)
* MFSA 2009-52/CVE-2009-3370 (bmo#511615)
Form history vulnerable to stealing
* MFSA 2009-53/CVE-2009-3274 (bmo#514823)
Local downloaded file tampering
* MFSA 2009-55/CVE-2009-3372 (bmo#500644)
Crash in proxy auto-configuration regexp parsing
* MFSA 2009-56/CVE-2009-3373 (bmo#511689)
Heap buffer overflow in GIF color map parser
* MFSA 2009-57/CVE-2009-3374 (bmo#505988)
Chrome privilege escalation in XPCVariant::VariantDataToJS()
* MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862)
Heap buffer overflow in string to number conversion
* MFSA 2009-61/CVE-2009-3375 (bmo#503226)
Cross-origin data theft through document.getSelection()
* MFSA 2009-62/CVE-2009-3376 (bmo#511521)
Download filename spoofing with RTL override
* MFSA 2009-64/CVE-2009-3380/CVE-2009-3382
Crashes with evidence of memory corruption
-------------------------------------------------------------------
Thu Oct 15 10:33:42 CEST 2009 - pwu@novell.com
- extend list of supported architectures as ABI identifier
(mozilla-abi.patch) (bnc#543460)
-------------------------------------------------------------------
Thu Sep 10 11:16:03 CEST 2009 - wr@rosenauer.org
- security update to 1.9.0.14 (bnc#534458)
* MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/
CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075
Crashes with evidence of memory corruption
* MFSA 2009-48/CVE-2009-3076
Insufficient warning for PKCS11 module installation and removal
* MFSA 2009-49/CVE-2009-3077 (bmo#506871)
TreeColumns dangling pointer vulnerability
* MFSA 2009-50/CVE-2009-3078 (bmo#453827)
Location bar spoofing via tall line-height Unicode characters
* MFSA 2009-51/CVE-2009-3079 (bmo#454363)
Chrome privilege escalation with FeedWriter
- removed obsolete lcms patches (included upstream)
- don't provide libsqlite3.so (bnc#538094)
-------------------------------------------------------------------
Mon Aug 3 23:09:02 CEST 2009 - wr@rosenauer.org
- security update to 1.9.0.13 (bnc#527489)
* MFSA 2009-42 and MFSA 2009-43 don't apply as NSS is provided
through package mozilla-nss
* MFSA 2009-44/CVE-2009-2654 (bmo#451898)
Location bar and SSL indicator spoofing via window.open() on
invalid URL
-------------------------------------------------------------------
Tue Jul 28 13:03:24 CEST 2009 - wr@rosenauer.org
- fixed %exclude usage
-------------------------------------------------------------------
Tue Jul 21 23:02:12 CEST 2009 - wr@rosenauer.org
- security update to 1.9.0.12 (bnc#522109)
* MFSA 2009-34/CVE-2009-2462/CVE-2009-2463/CVE-2009-2464/
CVE-2009-2465/CVE-2009-2466
Crashes with evidence of memory corruption
* MFSA 2009-35/CVE-2009-2467 (bmo#493601)
Crash and remote code execution during Flash player unloading
* MFSA 2009-36/CVE-2009-1194/oCERT-2009-001 (bmo#480134)
Heap/integer overflows in font glyph rendering libraries
* MFSA 2009-37/CVE-2009-2469 (bmo#488995)
Crash and remote code execution using watch and
__defineSetter__ on SVG
* MFSA 2009-38/CVE-2009-2470 (bmo#459524)
Data corruption with SOCKS5 reply containing DNS name
longer than 15 characters
* MFSA 2009-39/CVE-2009-2471 (bmo#460882)
setTimeout loses XPCNativeWrappers
* MFSA 2009-40/CVE-2009-2472
Multiple cross origin wrapper bypasses
-------------------------------------------------------------------
Mon Jul 13 19:37:04 CEST 2009 - bgmerrell@novell.com
- Fixes bnc#490610 (MozillaFirefox: LittleCMS null pointer
dereference CVE-2009-0793), add a patch lcms-bnc490610.patch.
-------------------------------------------------------------------
Fri Jun 12 08:32:38 CEST 2009 - wr@rosenauer.org
- security update to 1.9.0.11 (bnc#505563)
* MFSA 2009-24/CVE-2009-1392/CVE-2009-1832/CVE-2009-1833
Crashes with evidence of memory corruption (rv:1.9.0.11)
* MFSA 2009-25/CVE-2009-1834 (bmo#479413)
URL spoofing with invalid unicode characters
* MFSA 2009-26/CVE-2009-1835 (bmo#491801)
Arbitrary domain cookie access by local file: resources
* MFSA 2009-27/CVE-2009-1836 (bmo#479880)
SSL tampering via non-200 responses to proxy CONNECT requests
* MFSA 2009-28/CVE-2009-1837 (bmo#486269)
Race condition while accessing the private data of a NPObject
JS wrapper class object
* MFSA 2009-29/CVE-2009-1838 (bmo#489131)
Arbitrary code execution using event listeners attached to an
element whose owner document is null
* MFSA 2009-30/CVE-2009-1839 (bmo#479943)
Incorrect principal set for file: resources loaded via
location bar
* MFSA 2009-31/CVE-2009-1840 (bmo#477979)
XUL scripts bypass content-policy checks
* MFSA 2009-32/CVE-2009-1841 (bmo#479560)
JavaScript chrome privilege escalation
- fixing rpath linker flags (part of bnc#501174)
-------------------------------------------------------------------
Tue Apr 28 10:42:23 CEST 2009 - wr@rosenauer.org
- update to 1.9.0.10
* MFSA 2009-23/CVE-2009-1313 (bmo#489647)
Crash in nsTextFrame::ClearTextRun()
- fix preprocessor statement to fix build with gcc 4.4
-------------------------------------------------------------------
Thu Apr 16 13:44:47 CEST 2009 - wr@rosenauer.org
- security update to 1.9.0.9 (bnc#495473)
* MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305
Crashes with evidence of memory corruption (rv:1.9.0.9)
* MFSA 2009-15/CVE-2009-0652 (bmo#479336)
URL spoofing with box drawing character
* MFSA 2009-16/CVE-2009-1306 (bmo#474536)
jar: scheme ignores the content-disposition: header on the
inner URI
* MFSA 2009-17/CVE-2009-1307 (bmo#481342)
Same-origin violations when Adobe Flash loaded via
view-source: scheme
* MFSA 2009-18/CVE-2009-1308 (bmo#481558)
XSS hazard using third-party stylesheets and XBL bindings
* MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433)
Same-origin violations in XMLHttpRequest and
XPCNativeWrapper.toString
* MFSA 2009-20/CVE-2009-1310 (bmo#483086)
Malicious search plugins can inject code into arbitrary sites
* MFSA 2009-21/CVE-2009-1311 (bmo#471962)
POST data sent to wrong site when saving web page with
embedded frame
* MFSA 2009-22/CVE-2009-1312 (bmo#475636)
Firefox allows Refresh header to redirect to javascript: URIs
- removed bnc465284-VUL-designMode.patch since it's integrated
in 1.9.0.9
-------------------------------------------------------------------
Fri Mar 27 09:43:43 CET 2009 - wr@rosenauer.org
- security update to 1.9.0.8 (bnc#488955,489411)
* MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217)
Crash and remote code execution in XSL transformation
* MFSA 2009-13/CVE-2009-1044 (bmo#484320)
Arbitrary code execution via XUL tree moveToEdgeShift
-------------------------------------------------------------------
Fri Mar 13 23:00:53 CET 2009 - wr@rosenauer.org
- make mozjs consumers using rpath to the correct location
to find the library at runtime (bnc#479505)
-------------------------------------------------------------------
Wed Mar 11 16:14:09 CST 2009 - pwu@suse.de
- Fixes bnc#479610(MozillaFirefox: LittleCMS integer overflows),
add a patch lcms-bnc479606.patch.
-------------------------------------------------------------------
Thu Mar 5 16:33:09 CST 2009 - pwu@suse.de
- Backport a patch from xulrunner191,
and fix bnc#465284 and CVE-2009-0071.
-------------------------------------------------------------------
Sun Mar 1 11:08:58 CET 2009 - wr@rosenauer.org
- security update to 1.9.0.7 (bnc#478625)
* MFSA 2009-07 - Crashes with evidence of memory corruption
CVE-2009-0771 - Layout Engine Crashes
CVE-2009-0772 - Layout Engine Crashes
CVE-2009-0773 - crashes in the JavaScript engine
CVE-2009-0774 - Layout Engine Crashes
* MFSA 2009-08/CVE-2009-0775 - (bmo#474456)
Mozilla Firefox XUL Linked Clones Double Free Vulnerability
* MFSA 2009-09/CVE-2009-0776 (bmo#414540)
XML data theft via RDFXMLDataSource and cross-domain redirect
* MFSA 2009-10/CVE-2009-0040 (bmo#478901)
Upgrade PNG library to fix memory safety hazards
* MFSA 2009-11/CVE-2009-0777 (bmo#452979)
URL spoofing with invisible control characters
- removed obsolete patch to configure system sqlite
-------------------------------------------------------------------
Wed Feb 4 17:09:55 EST 2009 - hfiguiere@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Tue Feb 3 20:17:40 CET 2009 - wr@rosenauer.org
- security update to 1.9.0.6 (bnc#470074)
* MFSA 2009-06/CVE-2009-0358: Directives to not cache pages ignored
(bmo#441751)
* MFSA 2009-05/CVE-2009-0357: XMLHttpRequest allows reading
HTTPOnly cookies (bmo#380418)
* MFSA 2009-04/CVE-2009-0356: Chrome privilege escalation via
local .desktop files (bmo#460425)
* MFSA 2009-03/CVE-2009-0355: Local file stealing with SessionStore
(bmo#466937)
* MFSA 2009-02/CVE-2009-0354: XSS using a chrome XBL method
and window.eval (bmo#468581)
* MFSA 2009-01/CVE-2009-0352 - CVE-2009-0353: Crashes with
evidence of memory corruption (rv:1.9.0.6) (bmo#452913,
bmo#449006, bmo#331088, bmo#401042, bmo#416461, bmo#422283,
bmo#422301, bmo#431705, bmo#437142, bmo#421839, bmo#420697,
bmo#461027)
* (non security) added lv locale
- never use system sqlite for now since it doesn't provide all
features needed and used by mozstorage (bnc#468689)
- set the actual xul application name as "uniq" identifier for
NSS database merges (instead of hardcoded "mozilla-xul")
- fixed crash in certificate viewer (bmo#472464)
-------------------------------------------------------------------
Thu Jan 29 16:08:43 EST 2009 - hfiguiere@suse.de
- Update gconf-backend.patch to fix a compilation error in debug
mode.
- Update toolkit-ui-lockdown.patch to fix bnc#366746
-------------------------------------------------------------------
Wed Dec 17 11:44:04 EST 2008 - hfiguiere@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Mon Dec 15 16:26:43 CET 2008 - wr@rosenauer.org
- security update to 1.9.0.5 (bnc#455804)
for details
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
* added et locale
-------------------------------------------------------------------
Tue Dec 9 12:33:47 EST 2008 - hfiguiere@suse.de
- Remove the lockdown part of the proxy because of the new upstream
management. (bnc#440625)
-------------------------------------------------------------------
Mon Dec 8 11:08:44 EST 2008 - hfiguiere@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Fri Dec 5 16:10:32 EST 2008 - hfiguiere@suse.de
- resetting /system/proxy/mode to 'none' set back network.proxy.type
to 5 instead of 0. (bnc#441648)
-------------------------------------------------------------------
Thu Nov 20 18:52:14 CST 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Wed Nov 19 11:49:36 CET 2008 - wr@rosenauer.org
- updated mozilla-shared-nss-db.patch
* make the patch autodetect nss-shared-helper at buildtime
* feature can be disabled completely at runtime exporting
MOZ_XRE_NO_NSSHELPER=1 before starting Firefox
(that helps to workaround bnc#444780 and makes sense anyway)
-------------------------------------------------------------------
Wed Nov 12 19:20:01 EST 2008 - hfiguiere@suse.de
- Added gecko-lockdown.patch and toolkit-ui-lockdown.patch
* Iron out some bugs from lockdown (bnc#439380)
* Apparently fixes (bnc#443420)
-------------------------------------------------------------------
Wed Nov 12 17:55:48 CST 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Tue Nov 11 09:00:42 CET 2008 - wr@rosenauer.org
- update to security/maintenance release 1.9.0.4 (bnc#439841)
* support additional locales
-------------------------------------------------------------------
Wed Nov 5 22:40:52 CST 2008 - hpj@novell.com
- Add mozilla-shared-nss-db.patch, which migrates the old NSS DB
to the new, shared format and location.
-------------------------------------------------------------------
Tue Oct 28 15:48:37 CST 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Mon Oct 27 11:52:13 CET 2008 - wr@rosenauer.org
- improved baselibs dependencies
- removed obsolete build flags
- make biarch dependencies work correctly (bnc#434283)
- removed executable bits from PNGs (bnc#433752)
-------------------------------------------------------------------
Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de
- Added gconf-backend.patch:
* Lockdown: FATE#302023, FATE#302024
-------------------------------------------------------------------
Mon Sep 29 12:27:36 CDT 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Sun Sep 28 18:19:26 CEST 2008 - wr@rosenauer.org
- update to regression fix release 1.9.0.3
* Fixed a problem where users were unable to retrieve saved
passwords or save new passwords (bmo#454708, bnc#429179#c20,
CVE-2008-4063, CVE-2008-4064, CVE-2008-3836, andCVE-2008-4070)
-------------------------------------------------------------------
Thu Sep 25 14:45:48 CDT 2008 - maw@suse.de
- Review and approve changes.
-------------------------------------------------------------------
Mon Sep 15 10:20:40 CEST 2008 - wr@rosenauer.org
- update to security/maintenance release 1.9.0.2 (bnc#429179)
* support more locales
* removed upstreamed patches
- added PyXPCOM subpackage python-xpcom190
- fix helper app detection for application/octet-stream type
(bnc#406979, bmo#327323)
- stop shipping the "simple" example
- use system provided cairo from 11.1 on
-------------------------------------------------------------------
Thu Sep 4 14:55:33 CEST 2008 - ro@suse.de
- get rid of at least one opensuse_bs check
(should really check project name and not buildsystem)
-------------------------------------------------------------------
Tue Aug 19 18:56:49 CEST 2008 - maw@suse.de
- Check whether the build is happening on the build service
by using 0%{?opensuse_bs}
- Readd unzip to the list of build requirements.
-------------------------------------------------------------------
Fri Aug 15 18:20:55 CDT 2008 - maw@novell.com
- Review and approve changes.
-------------------------------------------------------------------
Wed Aug 6 09:07:34 CEST 2008 - wr@rosenauer.org
- Fix releasedate and apiversion defines
-------------------------------------------------------------------
Tue Jul 29 20:27:24 CEST 2008 - mauro@suse.de
- Merge changes from the Build Service (thanks, Wolfgang)
- Update to stability/security release 1.9.0.1 (bnc#407573)
* added si and sl locales
* for security issues please refer to Firefox 3.0.1
- Fixed a crash [@ cairo_draw_with_xlib] (bmo#435764)
+ Added bmo435764.patch
- Fixed vertical stripes in windowless plugins (bmo#430450)
+ Added bmo430450.patch
- Remove about:about (bnc#402699, bmo#349451)
+ Added mozilla-aboutAbout.patch
-------------------------------------------------------------------
Tue Jun 17 18:06:54 CEST 2008 - maw@suse.de
- Merge changes from the Build Service (thanks, Wolfgang)
(bnc#400001 and SWAMP#18164).
-------------------------------------------------------------------
Tue Jun 17 14:23:59 CEST 2008 - wr@rosenauer.org
- update to version 1.9
- removed obsolete mozilla-fsync* patch
- make it possible to ignore NM events with a pref (bmo#424626)
(toolkit.networkmanager.ignore=false|true)
(mozilla-network-status.patch)
- modify pref to not stop at punctuation for selections
(bnc#395070)
- fixed restart command for session managers (bnc#396552)
- do not compile cairo with SSE support (bnc#397815)
- mozilla-js.pc uses correct cflags (bnc#397814)
-------------------------------------------------------------------
Mon May 26 18:56:46 CEST 2008 - maw@suse.de
- Fix baselibs.conf to mention mozilla-xulrunner190-translations
(bnc#393856).
-------------------------------------------------------------------
Wed May 21 00:49:39 CEST 2008 - maw@suse.de
- Add mozilla-pkgconfig.patch (part of bnc#381154).
-------------------------------------------------------------------
Tue May 20 22:44:40 CEST 2008 - maw@suse.de
- Add mozilla-fsync-bmo499050.patch (bmo#499050).
-------------------------------------------------------------------
Wed Apr 30 22:44:30 CEST 2008 - maw@suse.de
- Merge changes from the build service (thanks, Wolfgang):
+ Only use gconf proxy settings under GNOME (bnc#381172)
+ Add mozilla-extensionmanager.patch (bnc#381733, and #382969)
+ Add mozilla-system-hunspell.patch to enable use of the system's
hunspell (bnc#382437)
+ Add mozilla-gnome-proxies.patch:
* Only use gconf proxy settings when running under GNOME
(bnc#381172)
* Correctly read the ignored hosts settings from gconf
(bmo#429520)
+ Add mozilla-helperapp.patch to offer the gconf default for
protocol handlers (bnc#383697)
- Rename the -lang subpackage to -stranslations (bnc#381635).
-------------------------------------------------------------------
Wed Apr 16 17:07:02 CEST 2008 - maw@suse.de
- Merge changes from the build service:
+ Add mozilla-chrome-registry.patch to fix a startup crash
(bmo#391311 and bnc#379523)
+ Add mozilla-scroll.patch to fix scrolling performance issues
(bmo#424915 and bnc#377055)
+ Update baselibs.conf.
-------------------------------------------------------------------
Mon Apr 14 19:13:47 CEST 2008 - maw@suse.de
- Better sync against the build service's version.
-------------------------------------------------------------------
Thu Apr 10 10:38:08 CEST 2008 - ro@suse.de
- added baselibs.conf file to create xxbit packages
-------------------------------------------------------------------
Tue Apr 1 16:08:05 CEST 2008 - wr@rosenauer.org
- update to version 1.9b5
* including fix for bnc #368967
* integrated mozilla-gnome-vfs.patch
- updated shipped locales "Provides"
- fixed version upgrading (remove leftovers from previous versions)
- remove executable flags from JS scripts
- CSS DPI scaling now occurs with higher dpi values now (>192)
- prerequire coreutils for 'rm' in post scripts
-------------------------------------------------------------------
Tue Mar 18 21:59:17 CET 2008 - maw@suse.de
- Merge changes from the build service (thanks, Wolfgang).
-------------------------------------------------------------------
Mon Mar 10 21:36:24 CET 2008 - wr@rosenauer.org
- new snapshot version 1.9b4
- updated shipped locales "Provides"
- enabled url classifier component
(needed for Firefox' safe browsing feature)
- added mozilla-gnome-vfs.patch (#368238)
-------------------------------------------------------------------
Fri Feb 29 11:18:04 CET 2008 - wr@rosenauer.org
- new snapshot 20080228
- source archive contains browser components now to make it easier
to keep xulrunner and firefox in sync
(use shipped-locales from browser now instead of keeping a copy
in the package)
- proxy-type 5 is default now (removed from default prefs)
-------------------------------------------------------------------
Thu Feb 28 15:34:17 CET 2008 - wr@rosenauer.org
- new snapshot 20080227
- use system provided sqlite for factory/11.0
- use fdupes
- tweak default preferences
- fix debuginfo package
- fix wrong executable permissions
- fix wrong ownership of the gnomevfs libs
- add add-plugins.sh to manage dictionaries
-------------------------------------------------------------------
Tue Feb 26 10:19:24 CET 2008 - wr@rosenauer.org
- new snapshot 20080225
- added -gnomevfs subpackage for evaluation
- added back -l10n subpackage
-------------------------------------------------------------------
Fri Feb 22 08:57:14 CET 2008 - wr@rosenauer.org
- initial xulrunner 1.9 package
* doesn't update any prior xulrunner yet
* can be installed in parallel
* just updates the /usr/bin/xulrunner link to the new version
* needs NSPR 4.7.1 and NSS 3.12
