MozillaFirefox-branding-upstream-78.10.0-8.38.1 >  A `~*p9|J $^1߾7D3|]f {.88D9!+7\:bR!|o#'.PY沖]f\-Ԃqh @ `J|Δ,[nW4680c250603b1d564c6319cd4b35447dcff9829136c6c42412de9809c5c319080730949e11463ebc0dee03de07f1b714f8604bd6鼉`~*p9|sҦTm!>AJ-a^o 9;csFĠ |AAv)/*[$X#L۝2Zպ ɲ]g \r^AprD-㡷Ÿ4 .6;.j:T}cUlK=|:(4 ̣a/n3\fRmc*Tv5" k#22o GhIMw%s6Nwn8%rhR)ne:gAQWpZ ?A >pA?d#+ 2 P 5;DH J L P Q TX]bc(89:FGHIXY\]^bcd&e+f.l0uDvHzRdhCMozillaFirefox-branding-upstream78.10.08.38.1Upstream branding for FirefoxThis package provides upstream look and feel for Firefox.`~8s390zp39SUSE Linux Enterprise 15SUSE LLC MPL-2.0https://www.suse.com/Productivity/Networking/Web/Browsershttp://www.mozilla.org/linuxs390xA`~rootrootMozillaFirefox-78.10.0-8.38.1.src.rpmMozillaFirefox-brandingMozillaFirefox-branding-upstreamMozillaFirefox-branding-upstream(s390-64)    rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-1otherproviders(MozillaFirefox-branding)4.14.1`}p`[)`4@`!'`@__إ@_@_/@_@_u_i@_a@_a@_D@_C_6|_*@_'@_ @_^@^z^)@^?@^V@^U@^k@^v^t@^g@^B@^&^^r]N@]]@]d@]]@]]n]@]z@]@]v>] ] #] #\\@\ޢ@\ڭ\@\!\f\e\@\\u*@\d\Q\@n@\@\@\@[ @[;@[@[@[h@[3|@[@ZZZ2@ZZ@Z}@Zg#Z_:Z]@ZF.@Z3@Z+@Z YYχ@Y5Y@Y@YY\YA%@Y$$@Y]XX9@X9@X@XXCX@X6@XXN@XJX@X)@X W%W@W$Wu@WF@WWWW9WE@W\@W@Ws@WaC@W_W^@W^@WV@WEWBW4p@W)@W(W W WW @W VVV@V>@VwVVV@VuVm]VHsV4@V@VV @UN@UUĝUĝU@UUt2@U`kUUUUUOH@U0UUUQU ]@U T@T!TT@T*@Ty@T\@TXTWn@TWn@TR(@TO@TKTCT>amartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.comcgrobertson@suse.comcgrobertson@suse.comcgrobertson@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.comcgrobertson@suse.comcgrobertson@suse.comcgrobertson@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.comcgrobertson@suse.commartin.sirringhaus@suse.comcgrobertson@suse.comcgrobertson@suse.commartin.sirringhaus@suse.comcgrobertson@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.comandreas.stieger@gmx.decgrobertson@suse.commartin.sirringhaus@suse.comcgrobertson@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.comcgrobertson@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.comcgrobertson@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.comcgrobertson@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.commartin.sirringhaus@suse.comcgrobertson@suse.comcgrobertson@suse.compsimons@suse.comjkowalczyk@suse.comcgrobertson@suse.comcgrobertson@suse.comcgrobertson@suse.comcgrobertson@suse.comalarrosa@suse.comcgrobertson@suse.comcgrobertson@suse.comkbabioch@suse.decgrobertson@suse.comcgrobertson@suse.comalarrosa@suse.comalarrosa@suse.comalarrosa@suse.comcgrobertson@suse.compcerny@suse.compcerny@suse.compcerny@suse.comwr@rosenauer.orgastieger@suse.comwr@rosenauer.orgwr@rosenauer.orgastieger@suse.comwr@rosenauer.orgwr@rosenauer.orgwbauer@tmo.atcgrobertson@suse.comastieger@suse.comfcrozat@suse.comsecurity@suse.comwr@rosenauer.orgstefan.bruens@rwth-aachen.dezaitor@opensuse.orgwr@rosenauer.orgdimstar@opensuse.orgschwab@suse.dewr@rosenauer.orgastieger@suse.comwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgastieger@suse.comwr@rosenauer.orgwr@rosenauer.orgcgrobertson@novell.comwr@rosenauer.orgwr@rosenauer.orgastieger@suse.combadshah400@gmail.comastieger@suse.comwr@rosenauer.orgastieger@suse.comastieger@suse.comwr@rosenauer.orgpcerny@suse.combadshah400@gmail.comwr@rosenauer.orgbadshah400@gmail.comantoine.belvire@laposte.netmailaender@opensuse.orgastieger@suse.comwr@rosenauer.orgbadshah400@gmail.comagraf@suse.comwr@rosenauer.orgwr@rosenauer.orgbadshah400@gmail.combadshah400@gmail.comdsterba@suse.czwr@rosenauer.orgnormand@linux.vnet.ibm.combadshah400@gmail.comwr@rosenauer.orgbadshah400@gmail.combadshah400@gmail.comastieger@suse.comastieger@suse.comwr@rosenauer.orgolaf@aepfle.deastieger@suse.comwr@rosenauer.orgdmueller@suse.comwr@rosenauer.orgastieger@suse.comwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgschwab@suse.dewr@rosenauer.orgwr@rosenauer.orgnormand@linux.vnet.ibm.comwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgdvaleev@suse.comwr@rosenauer.orgdimstar@opensuse.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgwr@rosenauer.orgledest@gmail.comwr@rosenauer.orgwr@rosenauer.orgguillaume@opensuse.orgdmueller@suse.comjosua.mayer97@gmail.comwr@rosenauer.orgjosua.mayer97@gmail.comwr@rosenauer.orgvindex17@outlook.itwr@rosenauer.org- Firefox Extended Support Release 78.10.0 ESR * Fixed: Various stability, functionality, and security fixes - Mozilla Firefox ESR 78.10 MFSA 2021-15 (bsc#1184960) * CVE-2021-23994 (bmo#1699077) Out of bound write due to lazy initialization * CVE-2021-23995 (bmo#1699835) Use-after-free in Responsive Design Mode * CVE-2021-23998 (bmo#1667456) Secure Lock icon could have been spoofed * CVE-2021-23961 (bmo#1677940) More internal network hosts could have been probed by a malicious webpage * CVE-2021-23999 (bmo#1691153) Blob URLs may have been granted additional privileges * CVE-2021-24002 (bmo#1702374) Arbitrary FTP command execution on FTP servers using an encoded URL * CVE-2021-29945 (bmo#1700690) Incorrect size computation in WebAssembly JIT could lead to null-reads * CVE-2021-29946 (bmo#1698503) Port blocking could be bypassed- Firefox Extended Support Release 78.9.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-11 (bsc#1183942) * CVE-2021-23981 (bmo#1692832) Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982 (bmo#1677046) Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984 (bmo#1693664) Malicious extensions could have spoofed popup information * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718) Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9- Firefox Extended Support Release 78.8.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-08 (bsc#1182614) * CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23973 (bmo#1690976) MediaError message property could have leaked information about cross-origin resources * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597, bmo#786797) Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 - Update create-tar.sh to use https instead of http (bsc#1182357)- Firefox Extended Support Release 78.7.1 ESR * Fixed: Prevent access to NTFS special paths that could lead to filesystem corruption. (bmo#1689598) * Fixed: Security fix MFSA 2021-06 (bsc#1181848) * MOZ-2021-0001 (bmo#1676636) Buffer overflow in depth pitch calculations for compressed textures- Firefox Extended Support Release 78.7.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-04 (bsc#1181414) * CVE-2021-23953 (bmo#1683940) Cross-origin information leakage via redirected PDF requests * CVE-2021-23954 (bmo#1684020) Type confusion when using logical assignment operators in JavaScript switch statements * CVE-2020-26976 (bmo#1674343) HTTPS pages could have been intercepted by a registered service worker when they should not have been * CVE-2021-23960 (bmo#1675755) Use-after-poison for incorrectly redeclared JavaScript variables during GC * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736, bmo#1685260, bmo#1685925) Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7- Firefox Extended Support Release 78.6.1 ESR * Fixed: Security fix * Fixed: Fixed a crash during video playback on Apple Silicon devices (bmo#1683579) MFSA 2021-01 (bsc#1180623) * CVE-2020-16044 (bmo#1683964) Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk- Firefox Extended Support Release 78.6.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-55 (bsc#1180039) * CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed * CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL * CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization * CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free * CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage * CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs * CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead * CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6- Firefox Extended Support Release 78.5.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-51 (bsc#1178824) * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API) * CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions * CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService * CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of nsTArray * CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype * CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP Addresses * CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered typed passwords * CVE-2020-26966 (bmo#1663571) Single-word search queries were also broadcast to local network * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5- Firefox Extended Support Release 78.4.1 ESR * Fixed: Security fix MFSA 2020-49 (bsc#1178588) * CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for- Firefox Extended Support Release 78.4.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872) * CVE-2020-15969 (bmo#1666570, bmo#https://github.com/sctplab/u srsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019) Use-after-free in usersctp * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760, bmo#1663439, bmo#1666140) Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4- Firefox Extended Support Release 78.3.1 ESR (bsc#1176756) * Fixed: Fixed legacy preferences not being properly applied when set via GPO (bmo#1666836)- Firefox Extended Support Release 78.3.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-43 (bsc#1176756) * CVE-2020-15677 (bmo#1641487) Download origin spoofing via redirect * CVE-2020-15676 (bmo#1646140) XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 (bmo#1660211) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 (bmo#1648493, bmo#1660800) Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3- Enhance fix for wayland-detection (bsc#1174420)- Try to fix langpack-parallelization by introducing separate obj-dirs for each lang (boo#1173986, boo#1167976)- Firefox Extended Support Release 78.2.0 ESR * Fixed: Various stability, functionality, and security fixes - Mozilla Firefox ESR 78.2 MFSA 2020-38 (bsc#1175686) * CVE-2020-15663 (bmo#1643199) Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege * CVE-2020-15664 (bmo#1658214) Attacker-induced prompt for extension installation * CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626, bmo#1656957) Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2- Added patch: firefox-dev-random-sandbox.patch (bsc#1174284) * Firefox tab crash in FIPS mode- Fix: Do not allow Firefox to use wayland on SLED15-SP0/1 (bsc#1174420)- Activate ccache - Parallelize langpack build- Fix broken translation-loading (boo#1173991) * allow addon sideloading * mark signatures for langpacks non-mandatory * do not autodisable user profile scopes - Google API key is not usable for geolocation service any more- Firefox Extended Support Release 78.1.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2020-32 (bsc#1174538) * CVE-2020-15652 (bmo#1634872) Potential leak of redirect targets when loading scripts in a worker * CVE-2020-6514 (bmo#1642792) WebRTC data channel leaks internal address to peer * CVE-2020-15655 (bmo#1645204) Extension APIs could be used to bypass Same-Origin Policy * CVE-2020-15653 (bmo#1521542) Bypassing iframe sandbox when allowing popups * CVE-2020-6463 (bmo#1635293) Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture * CVE-2020-15656 (bmo#1647293) Type confusion for special arguments in IonMonkey * CVE-2020-15658 (bmo#1637745) Overriding file type when saving to disk * CVE-2020-15657 (bmo#1644954) DLL hijacking due to incorrect loading path * CVE-2020-15654 (bmo#1648333) Custom cursor can overlay user interface * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678) Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1- Mozilla Firefox 78.0.2 MFSA 2020-28 (bsc#1173948) * MFSA-2020-0003 (bmo#1644076) X-Frame-Options bypass using object or embed tags - Firefox Extended Support Release 78.0.2esr ESR * Fixed: Security fix * Fixed: Fixed an accessibility regression in reader mode (bmo#1650922) * Fixed: Made the address bar more resilient to data corruption in the user profile (bmo#1649981) * Fixed: Fixed a regression opening certain external applications (bmo#1650162)- Add specific requirement for libfreetype6 (bsc#1173613)- Firefox Extended Support Release 78.0.1 ESR * Fixed: Fixed an issue which could cause installed search engines to not be visible when upgrading from a previous release. (bmo#1649558) - Mozilla Firefox 78 MFSA 2020-24 (bsc#1173576) * CVE-2020-12415 (bmo#1586630) AppCache manifest poisoning due to url encoded character processing * CVE-2020-12416 (bmo#1639734) Use-after-free in WebRTC VideoBroadcaster * CVE-2020-12417 (bmo#1640737) Memory corruption due to missing sign-extension for ValueTags on ARM64 * CVE-2020-12418 (bmo#1641303) Information disclosure due to manipulated URL object * CVE-2020-12419 (bmo#1643874) Use-after-free in nsGlobalWindowInner * CVE-2020-12420 (bmo#1643437) Use-After-Free when trying to connect to a STUN server * CVE-2020-12402 (bmo#1631597) RSA Key Generation vulnerable to side-channel attack * CVE-2020-12421 (bmo#1308251) Add-On updates did not respect the same certificate trust rules as software updates * CVE-2020-12422 (bmo#1450353) Integer overflow in nsJPEGEncoder::emptyOutputBuffer * CVE-2020-12423 (bmo#1642400) DLL Hijacking due to searching %PATH% for a library * CVE-2020-12424 (bmo#1562600) WebRTC permission prompt could have been bypassed by a compromised content process * CVE-2020-12425 (bmo#1634738) Out of bound read in Date.parse() * CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187, bmo#1637682) Memory safety bugs fixed in Firefox 78- Firefox Extended Support Release 78.0esr ESR * New: Some of the highlights of the new Extended Support Release are: - Kiosk mode - Client certificates - Service Worker and Push APIs are now enabled - The Block Autoplay feature is enabled - Picture-in-picture support - View and manage web certificates in about:certificate For more information about what's new in the Firefox 78 ESR release, see the more detailed release notes at support.mozilla.org. - Add patches to fix big endian problems: * mozilla-s390x-skia-gradient.patch * mozilla-bmo998749.patch * mozilla-bmo1626236.patch - Add patch to fix broken build on ppc64le * mozilla-bmo1512162.patch - Add patch to add screensharing capability on wayland * mozilla-pipewire-0-3.patch - Rename firefox-fips.patch to mozilla-sandbox-fips.patch - Removed upstreamed patches: * mozilla-cubeb-noreturn.patch * mozilla-nestegg-big-endian.patch * mozilla-openaes-decl.patch * mozilla-s390x-bigendian.patch * mozilla-sle12-lower-python-requirement.patch- Firefox Extended Support Release 68.9.0 ESR * Fixed: Various stability and security fixes MFSA 2020-21 (bsc#1172402) * CVE-2020-12405 (bmo#1619305, bmo#1632717) Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9 * CVE-2020-12406 (bmo#1639590) * CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox- Removed %is_opensuse macro from spec file to align builds with openSUSE Leap.- Firefox Extended Support Release 68.8.0 ESR MFSA 2020-17 (bsc#1171186) * CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown * CVE-2020-12388 (bmo#1618911) Sandbox escape with improperly guarded Access Tokens * CVE-2020-12389 (bmo#1554110) Sandbox escape with improperly separated process types * CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation * CVE-2020-12392 (bmo#1614468) Arbitrary local file access with 'Copy as cURL' * CVE-2020-12393 (bmo#1615471) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8- Firefox Extended Support Release 68.7.0 ESR MFSA 2020-13 (bsc#1168874) * CVE-2020-6828 (bmo#1617928) Preference overwrite via crafted Intent from malicious Android application * CVE-2020-6827 (bmo#1622278) Custom Tabs in Firefox for Android could have the URI spoofed * CVE-2020-6821 (bmo#1625404) Uninitialized memory could be read when using the WebGL copyTexSubImage method * CVE-2020-6822 (bmo#1544181) Out of bounds write in GMPDecodeData when processing large images * CVE-2020-6825 (bmo#1572541, bmo#1620193, bmo#1620203) Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7- Mozilla Firefox 68.6.1esr MFSA 2020-11 (boo#1168630) * CVE-2020-6819 (bmo#1620818) Use-after-free while running the nsDocShell destructor * CVE-2020-6820 (bmo#1626728) Use-after-free when handling a ReadableStream- Added patch: firefox-fips.patch (bsc#1167231) * FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled- Firefox Extended Support Release 68.6.0 ESR (bsc#1166238) * Fixed: Various stability and security fixes MFSA 2020-09 (bsc#1132665) * CVE-2020-6805 (bmo#1610880) Use-after-free when removing data about origins * CVE-2020-6806 (bmo#1612308) BodyStream::OnInputStreamReady was missing protections against state confusion * CVE-2020-6807 (bmo#1614971) Use-after-free in cubeb during stream destruction * CVE-2020-6811 (bmo#1607742) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2019-20503 (bmo#1613765) Out of bounds reads in sctp_load_addresses_from_init * CVE-2020-6812 (bmo#1616661) The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636, bmo#1614339) Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6- Firefox Extended Support Release 68.5.0 ESR * Fixed: Various stability and security fixes - Mozilla Firefox ESR68.5 MFSA 2020-06 (bsc#1163368) * CVE-2020-6796 (bmo#1610426) Missing bounds check on shared memory read in the parent process * CVE-2020-6797 (bmo#1596668) Extensions granted downloads.open permission could open arbitrary applications on Mac OSX * CVE-2020-6798 (bmo#1602944) Incorrect parsing of template tag could result in JavaScript injection * CVE-2020-6799 (bmo#1606596) Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader * CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543, bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785) Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5- Firefox Extended Support Release 68.4.2 ESR * Fixed: Fixed various issues opening files with spaces in their path (bmo#1601905, bmo#1602726)- Firefox Extended Support Release 68.4.1 ESR * Fixed: Security fix MFSA 2020-03 (bsc#1160498) * CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with StoreElementHole and FallibleStoreElement- Firefox Extended Support Release 68.4.0 ESR * Fixed: Various security fixes MFSA 2020-02 (bsc#1160305) * CVE-2019-17015 (bmo#1599005) Memory corruption in parent process during new content process initialization on Windows * CVE-2019-17016 (bmo#1599181) Bypass of @namespace CSS sanitization during pasting * CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp * CVE-2019-17021 (bmo#1599008) Heap address disclosure in parent process during content process initialization on Windows * CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826) Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 - Removed patch that is now upstream: mozilla-bmo1511604.patch - Added patch to fix broken URL-bar on s390x: mozilla-bmo1602730.patch- Firefox Extended Support Release 68.3.0 ESR * Changed: Updates to improve performance and stability MFSA 2019-37 (bsc#1158328) * CVE-2019-17008 (bmo#1546331) Use-after-free in worker destruction * CVE-2019-13722 (bmo#1580156) Stack corruption due to incorrect number of arguments in WebRTC code * CVE-2019-11745 (bmo#1586176) Out of bounds write in NSS when encrypting with a block cipher * CVE-2019-17009 (bmo#1510494) Updater temporary files accessible to unprivileged processes * CVE-2019-17010 (bmo#1581084) Use-after-free when performing device orientation checks * CVE-2019-17005 (bmo#1584170) Buffer overflow in plain text serializer * CVE-2019-17011 (bmo#1591334) Use-after-free when retrieving a document in antitracking * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502) Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3- Fix _constraints for ppc64le (bsc#1157652)- Add patch mozilla-bmo849632.patch to partially fix broken webGL sites on big endian machines (wrong colors) - Replace source-stamp.txt with tar_stamps - Reference create-tar.sh by direct commit-hash in the spec-file- Reactivate webRTC for all architectures- Add patch mozilla-bmo1504834-part4.patch to fix broken tab-titles on s390x- Resolved issues fixed earlier: * [bsc#1104841] Newer versions of firefox have a dependency on GLIBCXX_3.4.20 * [bsc#1129528] SLES15 - IBM s390-tools-2.1.0 Maintenance Patches (#6) * [bsc#1137990] Firefox 60.7 ESR changed the user interface language- Firefox Extended Support Release 68.2.0 ESR * Enterprise: New administrative policies were added. More information and templates are available at the Policy Templates page. * Fixed: Various security fixes MFSA 2019-33 (bsc#1154738) * CVE-2019-15903 (bmo#1584907) Heap overflow in expat library in XML_GetCurrentLineNumber * CVE-2019-11757 (bmo#1577107) Use-after-free when creating index updates in IndexedDB * CVE-2019-11758 (bmo#1536227) Potentially exploitable crash due to 360 Total Security * CVE-2019-11759 (bmo#1577953) Stack buffer overflow in HKDF output * CVE-2019-11760 (bmo#1577719) Stack buffer overflow in WebRTC networking * CVE-2019-11761 (bmo#1561502) Unintended access to a privileged JSONView object * CVE-2019-11762 (bmo#1582857) document.domain-based origin isolation has same-origin- property violation * CVE-2019-11763 (bmo#1584216) Incorrect HTML parsing results in XSS bypass technique * CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223, bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933, bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599, bmo#1586845) Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2 - removed now upstream patches: * mozilla-bmo1573381.patch * mozilla-bmo1512162.patch- Add patch to lower python requirement to 3.4 in order to build on SLE-12: * mozilla-sle12-lower-python-requirement.patch- Add Provides-line for translations-common (bsc#1153423)- Moved some settings from branding-package here (bsc#1153869) - add patch to fix LTO build (w/o PGO): * mozilla-fix-top-level-asm.patch - remove obsolete kde.js setting (boo#1151186) and related patch: * firefox-add-kde.js-in-order-to-survive-PGO-build.patch * modified firefox-kde.patch for the removal of kde.js- Update mozilla-bmo1512162.patch to the patch now commited upstream * No more -O1 builds for ppc64le necessary - Disable DoH by default * Not yet officially active in ESR, but just to make sure- Mozilla Firefox ESR 68.1 Resolves the following bigendian s390x issues: * [bsc#1109465] Latest Firefox update not released for s390x * [bsc#1117473] Firefox segmentation fault on s390vsl082 * [bsc#1123482] openQA test fails in firefox - firefox doesn't start * [bsc#1124525] Firefox is core dumping on SLES15 s390x * [bsc#1133810] Firefox: Segmentation fault (core dumped) MFSA 2019-26 (bsc#1149323) * CVE-2019-11751 (bmo#1572838) Malicious code execution through command line parameters * CVE-2019-11746 (bmo#1564449) Use-after-free while manipulating video * CVE-2019-11744 (bmo#1562033) XSS by breaking out of title and textarea elements using innerHTML * CVE-2019-11742 (bmo#1559715) Same-origin policy violation with SVG filters and canvas to steal cross-origin images * CVE-2019-11736 (bmo#1551913, bmo#1552206) File manipulation and privilege escalation in Mozilla Maintenance Service * CVE-2019-11753 (bmo#1574980) Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location * CVE-2019-11752 (bmo#1501152) Use-after-free while extracting a key value in IndexedDB * CVE-2019-9812 (bmo#1538008, bmo#1538015) Sandbox escape through Firefox Sync * CVE-2019-11743 (bmo#1560495, bmo#https://w3c.github.io/navigation-timing) Cross-origin access to unload event attributes * CVE-2019-11748 (bmo#1564588) Persistence of WebRTC permissions in a third party context * CVE-2019-11749 (bmo#1565374) Camera information available without prompting using getUserMedia * CVE-2019-11750 (bmo#1568397) Type confusion in Spidermonkey * CVE-2019-11738 (bmo#1452037) Content security policy bypass through hash-based sources in directives * CVE-2019-11747 (bmo#1564481) 'Forget about this site' removes sites from pre-loaded HSTS list * CVE-2019-11735 (bmo#1561404, bmo#1561484, bmo#1561912, bmo#1565744, bmo#1568047, bmo#1568858, bmo#1570358) Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 * CVE-2019-11740 (bmo#1563133, bmo#1573160) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 - Mozilla Firefox ESR 68.0.2 * Fixed: Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar (bmo#1560228) * Fixed: Allow fonts to be loaded via file:// URLs when opening a page locally (bmo#1565942) * Fixed: Printing emails from the Outlook web app no longer prints only the header and footer (bmo#1567105) * Fixed: Fixed a bug causing some images not to be displayed on reload, including on Google Maps (bmo#1565542) * Fixed: Fixed an error when starting external applications configured as URI handlers (bmo#1567614) * Fixed: Security fixes - MFSA 2019-24 (bsc#1145665) * CVE-2019-11733 (bmo#1565780) Stored passwords in 'Saved Logins' can be copied without master password entry - Mozilla Firefox ESR 68.0.1 * macOS releases are now signed by the Apple notary service, allowing Firefox to properly run on macOS 10.15 Beta releases * Fixed missing Full Screen button when watching videos in full screen mode on HBO GO (bmo#1562837) * Fixed a bug causing incorrect messages to appear for some locales when sites try to request the use of the Storage Access API (bmo#1558503) * Users in Russian regions may have their default search engine changed (bmo#1565315) * Built-in search engines in some locales do not function correctly (bmo#1565779) * SupportMenu policy doesn't always work (bmo#1553290) * Allow the new ExtensionSettings policy to work with GPO on Windows (bmo#1553586) * Allow the privacy.file_unique_origin pref to be controlled by policy (bmo#1563759) - Mozilla Firefox ESR 68.0 * Dark mode in reader view * Improved extension security and discovery * Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences * Camera and microphone access now require an HTTPS connection MFSA 2019-21 (bsc#1140868) * CVE-2019-9811 (bmo#1523741, bmo#1538007, bmo#1539598, bmo#1539759, bmo#1563327) Sandbox escape via installation of malicious language pack * CVE-2019-11711 (bmo#1552541) Script injection within domain through inner window reuse * CVE-2019-11712 (bmo#1543804) Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects * CVE-2019-11713 (bmo#1528481) Use-after-free with HTTP/2 cached stream * CVE-2019-11714 (bmo#1542593) NeckoChild can trigger crash when accessed off of main thread * CVE-2019-11729 (bmo#1515342) Empty or malformed p256-ECDH public keys may trigger a segmentation fault * CVE-2019-11715 (bmo#1555523) HTML parsing error can contribute to content XSS * CVE-2019-11716 (bmo#1552632) globalThis not enumerable until accessed * CVE-2019-11717 (bmo#1548306) Caret character improperly escaped in origins * CVE-2019-11718 (bmo#1408349) Activity Stream writes unsanitized content to innerHTML * CVE-2019-11719 (bmo#1540541) Out-of-bounds read when importing curve25519 private key * CVE-2019-11720 (bmo#1556230) Character encoding XSS vulnerability * CVE-2019-11721 (bmo#1256009) Domain spoofing through unicode latin 'kra' character * CVE-2019-11730 (bmo#1558299) Same-origin policy treats all files in a directory as having the same-origin * CVE-2019-11723 (bmo#1528335) Cookie leakage during add-on fetching across private browsing boundaries * CVE-2019-11724 (bmo#1512511) Retired site input.mozilla.org has remote troubleshooting permissions * CVE-2019-11725 (bmo#1483510) Websocket resources bypass safebrowsing protections * CVE-2019-11727 (bmo#1552208) PKCS#1 v1.5 signatures can be used for TLS 1.3 * CVE-2019-11728 (bmo#1552993) Port scanning through Alt-Svc header * CVE-2019-11710 (bmo#1507696, bmo#1510345, bmo#1533842, bmo#1535482, bmo#1535848, bmo#1537692, bmo#1540590, bmo#1544180, bmo#1547472, bmo#1547760, bmo#1548611, bmo#1549768, bmo#1551907) Memory safety bugs fixed in Firefox 68 * CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219, bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822, bmo#1550498, bmo#1550498) Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 - removed patches that are now upstream * mozilla-bmo1375074.patch * mozilla-bmo1436242.patch * mozilla-bmo256180.patch * mozilla-i586-DecoderDoctorLogger.patch * mozilla-i586-domPrefs.patch * mozilla-bmo1464766.patch * mozilla-bigendian_bit_flags_alias.patch - removed workaround-patch for build memory consumption on i586; other mitigations meanwhile introduced (mainly parallelity) will be sufficient * mozilla-reduce-files-per-UnifiedBindings.patch - added patch to make builds reproducible * mozilla-bmo1568145.patch - added a bunch of patches mainly for big endian platforms * mozilla-bmo1504834-part1.patch * mozilla-bmo1504834-part2.patch * mozilla-bmo1504834-part3.patch * mozilla-bmo1511604.patch * mozilla-bmo1512162.patch * mozilla-bmo1554971.patch * mozilla-bmo1573381.patch * mozilla-nestegg-big-endian.patch - added patches to fix build on armv7: * mozilla-bmo1463035.patch * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch - added patch to fix non-return function * mozilla-cubeb-noreturn.patch - added patch to fix aarch64 build: * mozilla-fix-aarch64-libopus.patch (bmo#1539737) - added patch to enable PGO for x86_64. * firefox-add-kde.js-in-order-to-survive-PGO-build.patch - added patch to reduce build-load * mozilla-reduce-rust-debuginfo.patch- Mozilla Firefox Firefox 60.7.2 MFSA 2019-19 (bsc#1138872) * CVE-2019-11708 (bmo#1559858) sandbox escape using Prompt:Open- Build Firefox with gcc instead of clang (bsc#1138688)- Mozilla Firefox Firefox 60.7.1 MFSA 2019-18 (bsc#1138614) * CVE-2019-11707 (bmo#1544386) Type confusion in Array.pop - Added the new Mozilla's GPG key with subkey fingerprint 097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D 572E, expiring on 2021-05-29 to the mozilla.keyring file- Fix broken language plugins (bsc#1137792)- update to Firefox ESR 60.7 (bsc#1135824) * Font and date adjustments to accommodate the new Reiwa era in Japan * MFSA 2019-14/CVE-2019-9817 (bmo#1540221) Stealing of cross-domain images using canvas * MFSA 2019-14/CVE-2019-9800 (bmo#1499108, bmo#1499719, bmo#1516325, bmo#1532465, bmo#1533554, bmo#1534593, bmo#1535194, bmo#1535612, bmo#1538042, bmo#1538619, bmo#1538736, bmo#1540136, bmo#1540166, bmo#1541580, bmo#1542097, bmo#1542324, bmo#1546327) Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 * MFSA 2019-14/CVE-2019-9816 (bmo#1536768) Type confusion with object groups and UnboxedObjects * MFSA 2019-14/CVE-2019-9815 (bmo#1546544, bmo#https://mdsattacks.com/) Disable hyperthreading on content JavaScript threads on macOS * MFSA 2019-14/CVE-2019-11698 (bmo#1543191) Theft of user history data through drag and drop of hyperlinks to and from bookmarks * MFSA 2019-14/CVE-2019-11692 (bmo#1544670) Use-after-free removing listeners in the event listener manager * MFSA 2019-14/CVE-2019-11693 (bmo#1532525) Buffer overflow in WebGL bufferdata on Linux * MFSA 2019-14/CVE-2019-7317 (bmo#1542829) Use-after-free in png_image_free of libpng library * MFSA 2019-14/CVE-2019-9820 (bmo#1536405) Use-after-free of ChromeEventHandler by DocShell * MFSA 2019-14/CVE-2019-9818 (bmo#1542581) Use-after-free in crash generation server * MFSA 2019-14/CVE-2019-11691 (bmo#1542465) Use-after-free in XMLHttpRequest * MFSA 2019-14/CVE-2019-9819 (bmo#1532553) Compartment mismatch with fetch API * MFSA 2019-14/CVE-2019-11694 (bmo#1534196) Uninitialized memory memory leakage in Windows sandbox- Sync with Devel:Desktop:Mozilla:*:next- Enable Firefox to build with Rust >= 1.30 with fix. See below.- update to 60.6.3 (bmo#1549249) * Further improvements to re-enable web extensions which had been disabled for users with a master password set.- update to 60.6.2 (bsc#1134126) * Repaired certificate chain to re-enable web extensions that had been disabled.- Update BuildRequires rust >= 1.30 from 1.24 * Upstream Firefox ESR presumes rust version stable at release (1.24). SUSE currently uses improved packaging for rust >= 1.30. * boo#1130694 rust 1.33.0 breaks Firefox and Thunderbird due to missing macro comment docs in Firefox rust sources bmo#1539901 ESR 60 build fails with Rust 1.33 due to missing documentation on macros in stylo bmo#1519629 Stylo fails with --enable-warnings-as-errors using Rust 1.33 * Fix build using RUSTFLAGS="--cap-lints allow" Preferred alternative to patching and revendoring stylo rust crates Revisit with intent to remove in next Firefox ESR 68.0 2019-07-09- Fixed translations provides- update to Firefox ESR 60.6.1 (bsc#1130262) * MFSA 2019-10/CVE-2019-9813 (bmo#1538006) Ionmonkey type confusion with __proto__ mutations * MFSA 2019-10/CVE-2019-9810 (bmo#1537924) IonMonkey MArraySlice has incorrect alias information- update to Firefox ESR 60.6 (bsc#1129821) * MFSA 2019-08/CVE-2018-18506 (bmo#1503393) Proxy Auto-Configuration file can define localhost access to be proxied * MFSA 2019-08/CVE-2019-9801 (bmo#1527717) Windows programs that are not 'URL Handlers' are exposed to web content * MFSA 2019-08/CVE-2019-9788 (bmo#1506665, bmo#1516834, bmo#1518001, bmo#1518774, bmo#1521214, bmo#1521304, bmo#1523362, bmo#1524214, bmo#1524755, bmo#1529203) Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * MFSA 2019-08/CVE-2019-9790 (bmo#1525145) Use-after-free when removing in-use DOM elements * MFSA 2019-08/CVE-2019-9791 (bmo#1530958) Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey * MFSA 2019-08/CVE-2019-9792 (bmo#1532599) IonMonkey leaks JS_OPTIMIZED_OUT magic value to script * MFSA 2019-08/CVE-2019-9793 (bmo#1528829) Improper bounds checks when Spectre mitigations are disabled * MFSA 2019-08/CVE-2019-9794 (bmo#1530103) Command line arguments not discarded during execution * MFSA 2019-08/CVE-2019-9795 (bmo#1514682) Type-confusion in IonMonkey JIT compiler * MFSA 2019-08/CVE-2019-9796 (bmo#1531277) Use-after-free with SMIL animation controller - Fix for [bsc#1127987] MozillaFirefox-translations-common causing error on update- Mozilla Firefox 60.5.2esr: * Fix a frequent crash when reading various Reuters news articles (bmo#1505844)- Update to Firefox ESR 60.5.1 MFSA-2019-05 (bsc#1125330) * CVE-2018-18356 (bmo#1525817) A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash. * CVE-2019-5785 (bmo#1525433) An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash. * CVE-2018-18335 (bmo#1525815) A buffer overflow vulnerability in the Skia library can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR. Note: this does not affect other versions and platforms where Canvas 2D acceleration is already disabled by default.- Update to Firefox ESR 60.5 MFSA 2019-02 (bsc#1122983) * CVE-2018-18501 (bmo#1460619, bmo#1502871, bmo#1512450, bmo#1513201, bmo#1516514, bmo#1516738, bmo#1517542) Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * CVE-2018-18500 (bmo#1510114) Use-after-free parsing HTML5 stream * CVE-2018-18505 (bmo#1087565, bmo#1497749) Privilege escalation through IPC channel messages - Removed obsolete patches: [mozilla-no-stdcxx-check.patch] Applied upstream [mozilla-s390-nojit.patch] Applied upstream- Fix for language pack build error (bsc#1120374)- Revert dependency for branding package back to >= 60 due to dependency issues.- Depend on branding package version >= 60.0- Mozilla Firefox 60.4.0esr: * Updated list of currency codes to include Unidad Previsional (UYW) (bmo#1499028) MFSA 2018-30 (bsc#1119105) * CVE-2018-17466 bmo#1488295 Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 * CVE-2018-18492 bmo#1499861 Use-after-free with select element * CVE-2018-18493 bmo#1504452 Buffer overflow in accelerated 2D canvas with Skia * CVE-2018-18494 bmo#1487964 Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs * CVE-2018-18498 bmo#1500011 Integer overflow when calculating buffer sizes for images * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759 bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471 Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 - requires NSS >= 3.36.6 - Removed obsolete patch: [mozilla-update-cc-crate.patch] Applied upstream- Mozilla Firefox 60.3.0esr: * Various stability and regression fixes MFSA 2018-27 bsc#1112852 * CVE-2018-12392 bmo#1492823 Crash with nested event loops * CVE-2018-12393 bmo#1495011 Integer overflow during Unicode conversion while loading JavaScript * CVE-2018-12395 bmo#1467523 WebExtension bypass of domain restrictions through header rewriting * CVE-2018-12396 bmo#1483602 WebExtension content scripts can execute in disallowed contexts * CVE-2018-12397 bmo#1487478 WebExtension local file access vulnerability * CVE-2018-12389 bmo#1498460, bmo#1499198 Memory safety bugs fixed in Firefox ESR 60.3 * CVE-2018-12390 bmo#1487098 bmo#1487660 bmo#1490234 bmo#1496159 bmo#1443748 bmo#1496340 bmo#1483905 bmo#1493347 bmo#1488803 bmo#1498701 bmo#1498482 bmo#1442010 bmo#1495245 bmo#1483699 bmo#1469486 bmo#1484905 bmo#1490561 bmo#1492524 bmo#1481844 Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 - Drop mozilla-bmo1472538-update-bindgen.patch which was already merged upstream - Update mozilla-update-cc-crate.patch, since cc was updated to 1.0.9 upstream, but this patch still updates it to a newer version- Update create-tar.sh and source-stamp.txt as should be done with every version update.- Mozilla Firefox 60.2.2esr: MFSA 2018-24 * CVE-2018-12386 (bsc#1110506, bmo#1493900) Type confusion in JavaScript allowed remote code execution * CVE-2018-12387 (bsc#1110507, bmo#1493903) Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process - Avoid undefined behavior in IPC fd-passing code with mozilla-bmo1436242.patch (boo#1094767, bmo#1436242) - Mozilla Firefox 60.2.1esr: MFSA 2018-23 * CVE-2018-12385 (boo#1109363, bmo#1490585) Crash in TransportSecurityInfo due to cached data * CVE-2018-12383 (boo#1107343, bmo#1475775) Setting a master password did not delete unencrypted previously stored passwords * Fixed a startup crash affecting users migrating from older ESR releases * Clean up old NSS DB files after upgrading - Fix typo in an old changelog entry which mentioned a wrong patch file and really remove mozilla-glibc-getrandom.patch as should have been done some weeks ago.- bsc#1109465 - Add mozilla-bmo1472538-update-bindgen.patch and mozilla-update-cc-crate.patch. This fixes an endianness problem in bindgen's handling of bitfields, which was causing Firefox to crash on startup on big-endian machines. Also, updates the cc crate, which was buggy in the version that was originally vendored in. - added patch [mozilla-bigendian_bit_flags_alias.patch] (bmo#1488552)- update to Firefox ESR 60.2 (bsc#1107343) * MFSA 2018-20/CVE-2018-12381 (bmo#1435319) Dragging and dropping Outlook email message results in page navigation * MFSA 2018-20/CVE-2017-16541 (bmo#1412081) Proxy bypass using automount and autofs * MFSA 2018-20/CVE-2018-12376 (bmo#1450989, bmo#1466577, bmo#1466991, bmo#1467363, bmo#1467889, bmo#1468738, bmo#1469309, bmo#1469914, bmo#1471953, bmo#1472925, bmo#1473161, bmo#1478575, bmo#1478849, bmo#1480092, bmo#1480517, bmo#1480521, bmo#1481093, bmo#1483120) Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * MFSA 2018-20/CVE-2018-12377 (bmo#1470260) Use-after-free in refresh driver timers * MFSA 2018-20/CVE-2018-12378 (bmo#1459383) Use-after-free in IndexedDB * MFSA 2018-20/CVE-2018-12379 (bmo#1473113) Out-of-bounds write with malicious MAR file - removed obsolete patches: [mozilla-glibc-getrandom.patch] [firefox-no-default-ualocale.patch] [mozilla-bmo1005640.patch] [mozilla-language.patch] [mozilla-shared-nss-db.patch] - added patches sync with openSUSE: [mozilla-bmo1005535.patch] [mozilla-bmo1375074.patch] [mozilla-bmo1464766.patch] [mozilla-bmo256180.patch] [mozilla-i586-DecoderDoctorLogger.patch] [mozilla-i586-domPrefs.patch] additional architecture enablement: [mozilla-ppc-altivec_static_inline.patch] [mozilla-s390-context.patch]- update to Firefox ESR 52.9 (bsc#1098998) * MFSA 2018-17/CVE-2018-5188 (bmo#1392739, bmo#1437842, bmo#1442722, bmo#1450688, bmo#1451297, bmo#1452576, bmo#1456189, bmo#1456975, bmo#1458048, bmo#1458264, bmo#1458270, bmo#1463494, bmo#1464063, bmo#1464079, bmo#1464829, bmo#1465108, bmo#1465898) Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9 * MFSA 2018-17/CVE-2018-12368 (bmo#1468217, bmo#https://posts.specterops.io/the-tale-of- settingcontent-ms-files-f1ea253e4d39) No warning when opening executable SettingContent-ms files * MFSA 2018-17/CVE-2018-12366 (bmo#1464039) Invalid data handling during QCMS transformations * MFSA 2018-17/CVE-2018-12365 (bmo#1459206) Compromised IPC child process can list local filenames * MFSA 2018-17/CVE-2018-12364 (bmo#1436241) CSRF attacks through 307 redirects and NPAPI plugins * MFSA 2018-17/CVE-2018-12363 (bmo#1464784) Use-after-free when appending DOM nodes * MFSA 2018-17/CVE-2018-12362 (bmo#1452375) Integer overflow in SSSE3 scaler * MFSA 2018-17/CVE-2018-12360 (bmo#1459693) Use-after-free when using focus() * MFSA 2018-17/CVE-2018-5156 (bmo#1453127) Media recorder segmentation fault when track type is changed during capture * MFSA 2018-17/CVE-2018-12359 (bmo#1459162) Buffer overflow using computed size of canvas element- update to Firefox 52.8.1 (bsc#1096449) * MFSA 2018-14/CVE-2018-6126 (bmo#1462682) Heap buffer overflow rasterizing paths in SVG with Skia- update to Firefox 52.8.0: * Various stability and regression fixes * Performance improvements to the Safe Browsing service to avoid slowdowns while updating site classification data - Security fixes (bsc#1092548, MFSA 2018-12): * CVE-2018-5183 (bmo#1454692) Backport critical security fixes in Skia * CVE-2018-5154 (bmo#1443092) Use-after-free with SVG animations and clip paths * CVE-2018-5155 (bmo#1448774) Use-after-free with SVG animations and text paths * CVE-2018-5157 (bmo#1449898) Same-origin bypass of PDF Viewer to view protected PDF files * CVE-2018-5158 (bmo#1452075) Malicious PDF can inject JavaScript into PDF Viewer * CVE-2018-5159 (bmo#1441941) Integer overflow and out-of-bounds write in Skia * CVE-2018-5168 (bmo#1449548) Lightweight themes can be installed without user interaction * CVE-2018-5178 (bmo#1443891) Buffer overflow during UTF-8 to Unicode string conversion through legacy extension * CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705, bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415, bmo#1426129) Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8- fix release tag and tarball to correctly identify 52.7.3esr- update to Firefox 52.7.3 MFSA 2018-10 (bsc#1087059) * CVE-2018-5148 (bmo#1440717) Use-after-free in compositor - removed obsolete patch mozilla-bmo1446062.patch- update to Firefox 52.7.2 (bsc#1085671) MFSA 2018-08 * CVE-2018-5146 (bmo#1446062) Out of bounds memory write in libvorbis * CVE-2018-5147 (bmo#1446365) Out of bounds memory write in libtremor (in mozilla-bmo1446062.patch) - Firefox 52.7.1 fixes - issues with the IT locale (bmo#1445278)- update to Firefox 52.7esr (bsc#1085130, MFSA 2018-07): * CVE-2018-5127 (bmo#1430557) Buffer overflow manipulating SVG animatedPathSegList * CVE-2018-5129 (bmo#1428947) Out-of-bounds write with malformed IPC messages * CVE-2018-5130 (bmo#1433005) Mismatched RTP payload type can trigger memory corruption * CVE-2018-5131 (bmo#1440775) Fetch API improperly returns cached copies of no-store/no-cache resources * CVE-2018-5144 (bmo#1440926) Integer overflow during Unicode conversion * CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450, bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087, bmo#1443865,bmo#1425520) Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * CVE-2018-5145 (bmo#1261175,bmo#1348955) Memory safety bugs fixed in Firefox ESR 52.7- correct requires and provides handling (boo#1076907)- update to Firefox 52.6esr (bsc#1077291) MFSA 2018-01 * Speculative execution side-channel attack ("Spectre") MFSA 2018-03 * CVE-2018-5091 (bmo#1423086) Use-after-free with DTMF timers * CVE-2018-5095 (bmo#1418447) Integer overflow in Skia library during edge builder allocation * CVE-2018-5096 (bmo#1418922) Use-after-free while editing form elements * CVE-2018-5097 (bmo#1387427) Use-after-free when source document is manipulated during XSLT * CVE-2018-5098 (bmo#1399400) Use-after-free while manipulating form input elements * CVE-2018-5099 (bmo#1416878) Use-after-free with widget listener * CVE-2018-5102 (bmo#1419363) Use-after-free in HTML media elements * CVE-2018-5103 (bmo#1423159) Use-after-free during mouse event handling * CVE-2018-5104 (bmo#1425000) Use-after-free during font face manipulation * CVE-2018-5117 (bmo#1395508) URL spoofing with right-to-left text aligned left-to-right * CVE-2018-5089 Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6 - remove obsolete patch mozilla-ucontext.patch - official NSS requirement is >= 3.28.6 therefore putting 3.29.5 into an ifarch- Escape the usage of %{VERSION} when calling out to rpm. RPM 4.14 has %{VERSION} defined as 'the main package's version'.- Added additional patches and configurations to fix builds on s390 and PowerPC. * Added firefox-glibc-getrandom.patch effecting builds on s390 and PowerPC * Added mozilla-s390-bigendian.patch along with icudt58b.dat bigendian ICU data file for running Firefox on bigendian architectures (bmo#1322212 and bmo#1264836) * Added mozilla-s390-nojit.patch to enable atomic operations used by the JS engine when JIT is disabled on s390 * Build configuration options specific to s390 * Requires NSS >= 3.29.5- Update to Firefox 52.5.3esr: * Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bmo#1427111, bsc#1074235)- Add BuildRequires python-xml to fix build on TW/SLE15.- update to Firefox 52.5.2esr (MFSA 2017-28): * CVE-2017-7843 (bsc#1072034, bmo#1410106) Web worker in Private Browsing mode can write IndexedDB data- update to Firefox 52.5.0esr (boo#1068101) MFSA 2017-25 * CVE-2017-7828 (bmo#1406750. bmo#1412252) Use-after-free of PressShell while restyling layout * CVE-2017-7830 (bmo#1408990) Cross-origin URL information leak through Resource Timing API * CVE-2017-7826 Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5- Correct plugin directory for aarch64 (boo#1061207). The wrapper script was not detecting aarch64 as a 64 bit architecture, thus used /usr/lib/browser-plugins/.- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0), pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure looks for.- update to Firefox 52.4esr (boo#1060445) * requires NSS >= 3.28.6 MFSA 2017-22 * CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API * CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array manipulation * CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in design mode * CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and validating elements with ANGLE * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free in TLS 1.2 generating handshake hashes * CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and malware protection warnings * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render some Tibetan and Arabic unicode characters as spaces * CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a unique origin * CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 - fixed language accept header to use correct locale (mozilla-bmo1005640.patch, boo#1029917)- Add alsa-devel BuildRequires: we care for ALSA support to be built and thus need to ensure we get the dependencies in place. In the past, alsa-devel was pulled in by accident: we buildrequire libgnome-devel. This required esound-devel and that in turn pulled in alsa-devel for us. libgnome is being fixed to no longer require esound-devel.- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext- update to Firefox 52.3esr (boo#1052829) MFSA 2017-19 * CVE-2017-7798 (bmo#1371586, bmo#1372112) XUL injection in the style editor in devtools * CVE-2017-7800 (bmo#1374047) Use-after-free in WebSockets during disconnection * CVE-2017-7801 (bmo#1371259) Use-after-free with marquee during window resizing * CVE-2017-7784 (bmo#1376087) Use-after-free with image observers * CVE-2017-7802 (bmo#1378147) Use-after-free resizing image elements * CVE-2017-7785 (bmo#1356985) Buffer overflow manipulating ARIA attributes in DOM * CVE-2017-7786 (bmo#1365189) Buffer overflow while painting non-displayable SVG * CVE-2017-7753 (bmo#1353312) Out-of-bounds read with cached style data and pseudo-elements# * CVE-2017-7787 (bmo#1322896) Same-origin policy bypass with iframes through page reloads * CVE-2017-7807 (bmo#1376459) Domain hijacking through AppCache fallback * CVE-2017-7792 (bmo#1368652) Buffer overflow viewing certificates with an extremely long OID * CVE-2017-7804 (bmo#1372849) Memory protection bypass through WindowsDllDetourPatcher * CVE-2017-7791 (bmo#1365875) Spoofing following page navigation with data: protocol and modal alerts * CVE-2017-7782 (bmo#1344034) WindowsDllDetourPatcher allocates memory without DEP protections * CVE-2017-7803 (bmo#1377426) CSP containing 'sandbox' improperly applied * CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3- Mozilla Firefox 52.2.1esr: * Printing text does not work on Windows when Direct2D is disabled (bmo#1318845)- update to Firefox 52.2esr (boo#1043960) MFSA 2017-16 * CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees * CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading * CVE-2017-7750 (bmo#1356558) Use-after-free with track elements * CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners * CVE-2017-7752 (bmo#1359547) Use-after-free with IME input * CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object * CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only) * CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors * CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library * CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder * CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only) * CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application (Windows only) * CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks * CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only) * CVE-2017-7766 (bmo#1342742) File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service (Windows only) * CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service (Windows only) * CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla Maintenance Service (Windows only) * CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2 - requires NSS 3.28.5- remove -fno-inline-small-functions and explicitely optimize with - O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)- update to Firefox 52.1.1 MFSA 2017-14 * CVE-2017-5031: Use after free in ANGLE (bmo#1328762) (Windows only, Linux not affected) - switch to Mozilla's geolocation service (boo#1026989) - removed mozilla-preferences.patch obsoleted by overriding via firefox.js - fixed KDE integration to avoid crash caused by filepicker (boo#1015998)- update to Firefox 52.1.0esr (boo#1035082) MFSA 2017-12 * CVE-2017-5443 (bmo#1342661) Out-of-bounds write during BinHex decoding * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 * CVE-2017-5464 (bmo#1347075) Memory corruption with accessibility and DOM manipulation * CVE-2017-5465 (bmo#1347617) Out-of-bounds read in ConvolvePixel * CVE-2017-5466 (bmo#1353975) Origin confusion when reloading isolated data:text/html URL * CVE-2017-5467 (bmo#1347262) Memory corruption when drawing Skia content * CVE-2017-5460 (bmo#1343642) Use-after-free in frame selection * CVE-2017-5461 (bmo#1344380) Out-of-bounds write in Base64 encoding in NSS * CVE-2017-5448 (bmo#1346648) Out-of-bounds write in ClearKeyDecryptor * CVE-2017-5449 (bmo#1340127) Crash during bidirectional unicode manipulation with animation * CVE-2017-5446 (bmo#1343505) Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data * CVE-2017-5447 (bmo#1343552) Out-of-bounds read during glyph processing * CVE-2017-5444 (bmo#1344461) Buffer overflow while parsing application/http-index-format content * CVE-2017-5445 (bmo#1344467) Uninitialized values used while parsing application/http-index-format content * CVE-2017-5442 (bmo#1347979) Use-after-free during style changes * CVE-2017-5469 (bmo#1292534) Potential Buffer overflow in flex-generated code * CVE-2017-5440 (bmo#1336832) Use-after-free in txExecutionState destructor during XSLT processing * CVE-2017-5441 (bmo#1343795) Use-after-free with selection during scroll events * CVE-2017-5439 (bmo#1336830) Use-after-free in nsTArray Length() during XSLT processing * CVE-2017-5438 (bmo#1336828) Use-after-free in nsAutoPtr during XSLT processing * CVE-2017-5437 (bmo#1343453) Vulnerabilities in Libevent library * CVE-2017-5436 (bmo#1345461) Out-of-bounds write with malicious font in Graphite 2 * CVE-2017-5435 (bmo#1350683) Use-after-free during transaction processing in the editor * CVE-2017-5434 (bmo#1349946) Use-after-free during focus handling * CVE-2017-5433 (bmo#1347168) Use-after-free in SMIL animation functions * CVE-2017-5432 (bmo#1346654) Use-after-free in text input selection * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476) Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 * CVE-2017-5459 (bmo#1333858) Buffer overflow in WebGL * CVE-2017-5462 (bmo#1345089) DRBG flaw in NSS * CVE-2017-5455 (bmo#1341191) Sandbox escape through internal feed reader APIs * CVE-2017-5454 (bmo#1349276) Sandbox escape allowing file system read access through file picker * CVE-2017-5456 (bmo#1344415) Sandbox escape allowing local file system access * CVE-2017-5451 (bmo#1273537) Addressbar spoofing with onblur event - requires NSS 3.28.4 - rebased patches- switch package to use ESR52 branch * enables plugin support by default * service workers are disabled by default * push notifications are disabled by default * WebAssembly (wasm) is disabled * Less use of multiprocess architecture Electrolysis (e10s)- update to Firefox 52.0.2 * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787) * Fix loading tab icons on session restore (bmo#1338009) * Fix a crash on startup on Linux (bmo#1345413) * Fix new installs erroneously not prompting to change the default browser setting (bmo#1343938)- disable rust usage for everything but x86(-64) - explicitely add libffi build requirement- update to Firefox 52.0.1 (boo#1029822) MFSA 2017-08 CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)- reenable ALSA support which was removed by default upstream- update to Firefox 52.0 (boo#1028391) * requires NSS >= 3.28.3 * Pages containing insecure password fields now display a warning directly within username and password fields. * Send and open a tab from one device to another with Sync * Removed NPAPI support for plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. * Removed Battery Status API to reduce fingerprinting of users by trackers * MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622) CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687) CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711) CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504) CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370) CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719) CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar spoofing by draging and dropping URLs (bmo#791597) CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361) CVE-2017-5427: Non-existent chrome.manifest file loaded during startup (bmo#1295542) CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876) CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243) CVE-2017-5420: Javascript: URLs can obfuscate addressbar location (bmo#1284395) CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) CVE-2017-5421: Print preview spoofing (bmo#1301876) CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in Firefox 52 CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 - removed obsolete patches * mozilla-binutils-visibility.patch * mozilla-check_return.patch * mozilla-disable-skia-be.patch * mozilla-skia-overflow.patch * mozilla-skia-ppc-endianess.patch - rebased patches - enable rust usage for Tumbleweed- Mozilla Firefox 51.0.1: - Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423)- update to Firefox 51.0 * requires NSPR >= 4.13.1, NSS >= 3.28.1 * Added support for FLAC (Free Lossless Audio Codec) playback * Added support for WebGL 2 * Added Georgian (ka) and Kabyle (kab) locales * Support saving passwords for forms without 'submit' events * Improved video performance for users without GPU acceleration * Zoom indicator is shown in the URL bar if the zoom level is not at default level * View passwords from the prompt before saving them * Remove Belarusian (be) locale * Use Skia for content rendering (Linux) * MFSA 2017-01 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814) CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826) CVE-2017-5378: Pointer and frame data leakage of Javascript objects (bmo#1312001, bmo#1330769, boo#1021818) CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827) CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819) CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820) CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828) CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821) CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830) CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831) CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822) CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832) CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833) CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823) CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events (bmo#1222798) CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835) CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage (bmo#1293709) (Android only) CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837) CVE-2017-5395: Android location bar spoofing during scrolling (bmo#1293463) (Android only) CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839) CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840) CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841) CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (boo#1021824) - switch Firefox to Gtk3 for Tumbleweed - removed obsolete patches * mozilla-flex_buffer_overrun.patch - updated RPM locale support tag - improve recognition of LANGUAGE env variable (boo#1017174) - add upstream patch to fix PPC64LE (bmo#1319389) (mozilla-skia-ppc-endianess.patch) - fix build without skia (big endian archs) (bmo#1319374) (mozilla-disable-skia-be.patch)- update to Firefox 50.1.0 (boo#1015422) * MFSA 2016-94 CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628) CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements (bmo#1317409) CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) CVE-2016-9896: Use-after-free with WebVR (bmo#1315543) CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees (bmo#1314442) CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs (bmo#1319122) CVE-2016-9904: Cross-origin information leak in shared atoms (bmo#1317936) CVE-2016-9901: Data from Pocket server improperly sanitized before execution (bmo#1320057) CVE-2016-9902: Pocket extension does not validate the origin of events (bmo#1320039) CVE-2016-9903: XSS injection vulnerability in add-ons SDK (bmo#1315435) CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)- update to Firefox 50.0.2 * Firefox crashes with 3rd party Chinese IME when using IME text (50.0.1) security fixes (in 50.0.1): (boo#1012807) * MFSA 2016-91 CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect (bmo#1317641) security fixes (in 50.0.2) (boo#1012964) * MFSA 2016-92 CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)- update to Firefox 50.0 (boo#1009026) * requires NSS 3.26.2 new features * Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R * Added option to Find in page that allows users to limit search to whole words only * Added download protection for a large number of executable file types on Windows, Mac and Linux * Fixed rendering of dashed and dotted borders with rounded corners (border-radius) * Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux) * Blocked versions of libavcodec older than 54.35.1 * additional locale security fixes: * MFSA 2016-89 CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) CVE-2016-5292: URL parsing causes crash (bmo#1288482) CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink (Windows only) (bmo#1246945) CVE-2016-5294: Arbitrary target directory for result files of update process (Windows only) (bmo#1246972) CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678) CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen (Android only) (bmo#1306696) CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile (bmo#1300083) (Windows only) CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM (Windows only) (bmo#1247239) CVE-2016-5298: SSL indicator can mislead the user about the real URL visited (bmo#1227538) (Android only) CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (bmo#1245791) (Android only) CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (Android only) (bmo#1245795) CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file (Android only) (bmo#1294438) CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" (bmo#1289273) CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) CVE-2016-5289: Memory safety bugs fixed in Firefox 50 CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 - make aarch64 build more similar to x86_64 build (remove conditionals that don't seem to be necessary anymore)- Mozilla Firefox 49.0.2: * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475) * CVE-2016-5288: Web content can read cache entries (bsc#1006476) * Asynchronous rendering of the Flash plugins is now enabled by default * Change D3D9 default fallback preference to prevent graphical artifacts * Network issue prevents some users from seeing the Firefox UI on startup * Web compatibility issue with file uploads * Web compatibility issue with Array.prototype.values * Diagnostic information on timing for tab switching * Fix a Canvas filters graphics issue affecting HTML5 apps- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0 and fixes have been incorporated by upstream.- Mozilla Firefox 49.0.1: * Mitigate a startup crash issue caused by Websense - bmo#1304783- update to Firefox 49.0 (boo#999701) new features * Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. * Added features to Reader Mode that make it easier on the eyes and the ears * Improved video performance for users on systems that support SSE3 without hardware acceleration * Added context menu controls to HTML5 audio and video that let users loops files or play files at 1.25x speed * Improvements in about:memory reports for tracking font memory usage security related * MFSA 2016-85 CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in PropertyProvider::GetSpacingInternal CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin CVE-2016-5273 (bmo#1280387) - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList CVE-2016-5274 (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame CVE-2016-5279 (bmo#1249522) - Full local path of files is available to web pages after drag and drop CVE-2016-5280 (bmo#1289970) - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons from non-whitelisted schemes CVE-2016-5283 (bmo#928187) -