Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

MozillaFirefox-branding-upstream-71.0-1.1 RPM for ppc64

From OpenSuSE Ports Tumbleweed for ppc64

Name: MozillaFirefox-branding-upstream Distribution: openSUSE Tumbleweed
Version: 71.0 Vendor: openSUSE
Release: 1.1 Build date: Mon Dec 30 22:19:48 2019
Group: Productivity/Networking/Web/Browsers Build host: obs-power8-02
Size: 0 Source RPM: MozillaFirefox-71.0-1.1.src.rpm
Summary: Upstream branding for Firefox
This package provides upstream look and feel for Firefox.






* Mon Dec 02 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 71.0
    * Improvements to Lockwise, our integrated password manager
    * More information about Enhanced Tracking Protection in action
    * Native MP3 decoding on Windows, Linux, and macOS
    * Configuration page (about:config) reimplemented in HTML
    * New kiosk mode functionality, which allows maximum screen space
      for customer-facing displays
    MFSA 2019-36
    * CVE-2019-11756 (bmo#1508776)
      Use-after-free of SFTKSession object
    * CVE-2019-17008 (bmo#1546331)
      Use-after-free in worker destruction
    * CVE-2019-13722 (bmo#1580156) (Windows only)
      Stack corruption due to incorrect number of arguments in WebRTC code
    * CVE-2019-17014 (bmo#1322864)
      Dragging and dropping a cross-origin resource, incorrectly loaded
      as an image, could result in information disclosure
    * CVE-2019-17010 (bmo#1581084)
      Use-after-free when performing device orientation checks
    * CVE-2019-17005 (bmo#1584170)
      Buffer overflow in plain text serializer
    * CVE-2019-17011 (bmo#1591334)
      Use-after-free when retrieving a document in antitracking
    * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209
      bmo#1580288, bmo#1585760, bmo#1592502)
      Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
    * CVE-2019-17013 (bmo#1298509, bmo#1472328, bmo#1577439, bmo#1577937
      bmo#1580320, bmo#1584195, bmo#1585106, bmo#1586293, bmo#1593865
      Memory safety bugs fixed in Firefox 71
  - requires
    NSPR >= 4.23
    NSS >= 3.47.1
    rust/cargo >= 1.37
  - reactivate webrtc for platforms where it was disabled
  - updated to cover buildid and origin repo information
    - > removed obsolete source-stamp.txt
  - removed obsolete patches
  - changed locale building procedure
    * removed obsolete compare-locales.tar.xz
  - added mozilla-bmo1601707.patch to fix gcc/LTO builds
    (bmo#1601707, boo#1158466)
  - added mozilla-bmo849632.patch to fix big endian issues in skia
    used for WebGL
* Fri Nov 01 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 70.0.1
    * Fix for an issue that caused some websites or page elements using
      dynamic JavaScript to fail to load. (bmo#1592136)
    * Title bar no longer shows in full screen view (bmo#1588747)
  - added mozilla-bmo1504834-part4.patch to fix some visual issues on
    big endian platforms
* Sun Oct 20 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 70.0
    * more privacy protections from Enhanced Tracking Protection
    * Firefox Lockwise passwordmanager
    * Improvements to core engine components, for better browsing on more sites
    * Improved privacy and security indicators
    MFSA 2019-34
    * CVE-2018-6156 (bmo#1480088)
      Heap buffer overflow in FEC processing in WebRTC
    * CVE-2019-15903 (bmo#1584907)
      Heap overflow in expat library in XML_GetCurrentLineNumber
    * CVE-2019-11757 (bmo#1577107)
      Use-after-free when creating index updates in IndexedDB
    * CVE-2019-11759 (bmo#1577953)
      Stack buffer overflow in HKDF output
    * CVE-2019-11760 (bmo#1577719)
      Stack buffer overflow in WebRTC networking
    * CVE-2019-11761 (bmo#1561502)
      Unintended access to a privileged JSONView object
    * CVE-2019-11762 (bmo#1582857)
      document.domain-based origin isolation has same-origin-property violation
    * CVE-2019-11763 (bmo#1584216)
      Incorrect HTML parsing results in XSS bypass technique
    * CVE-2019-11765 (bmo#1562582)
      Incorrect permissions could be granted to a website
    * CVE-2019-17000 (bmo#1441468)
      CSP bypass using object tag with data: URI
    * CVE-2019-17001 (bmo#1587976)
      CSP bypass using object tag when script-src 'none' is specified
    * CVE-2019-17002 (bmo#1561056)
      upgrade-insecure-requests was not being honored for links dragged and dropped
    * CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223,
      bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845, bmo#1581950,
      bmo#1583463, bmo#1586599)
      Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
  - requires
      rust/cargo >= 1.36
      NSPR >= 4.22
      NSS >= 3.46.1
      rust-cbindgen >= 0.9.1
  - removed obsolete patches
* Sun Oct 13 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 69.0.3
    * Fixed Yahoo mail users being prompted to download files when
      clicking on emails (bmo#1582848)
  - devel package build can easily be disabled now
* Thu Oct 03 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 69.0.2
    * Fixed a crash when editing files on Office 365 websites (bmo#1579858)
    * Fixed a Linux-only crash when changing the playback speed while
      watching YouTube videos (bmo#1582222)
  - updated supported locale list
  - Allow to build without profile guided optimizations (boo#1040589)
    (contributed by Bernhard Wiedemann)
  - Make build verbose (contributed by Martin Liška)
  - remove obsolete kde.js setting (boo#1151186) and related patch
  - update to latest revision and adjusted tar_stamps
  - add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO)
  - extension preferences moved from branding package to core package
    (packaging but not branding specific)
* Thu Sep 19 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 69.0.1
    * Fixed external programs launching in the background when clicking
      a link from inside Firefox to launch them (bmo#1570845)
    * Usability improvements to the Add-ons Manager for users with
      screen readers (bmo#1567600)
    * Fixed the Captive Portal notification bar not being dismissable
      in some situations after login is complete (bmo#1578633)
    * Fixed the maximum size of fonts in Reader Mode when zoomed (bmo#1578454)
    * Fixed missing stacks in the Developer Tools Performance section
    MFSA 2019-31
    * CVE-2019-11754 (bmo#1580506)
      Pointer Lock is enabled with no user notification
  - disable DOH by default
* Thu Sep 05 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 69.0
    * Enhanced Tracking Protection (ETP) for stronger privacy protections
    * Block Autoplay feature is enhanced to give users the option to block
      any video
    * Users in the US or using the en-US browser, can get a new “New Tab”
      page experience connecting to the best of Pocket's content.
    * Support for the Web Authentication HmacSecret extension via
      Windows Hello introduced.
    * Support for receiving multiple video codecs with this release makes
      it easier for WebRTC conferencing services to mix video from
      different clients.
    MFSA 2019-25 (boo#1149324)
    * CVE-2019-11741 (bmo#1539595)
      Isolate and
    * CVE-2019-5849 (bmo#1555838)
      Out-of-bounds read in Skia
    * CVE-2019-11737 (bmo#1388015)
      Content security policy directives ignore port and path if host is a wildcard
    * CVE-2019-11734 (bmo#1352875,bmo#1536227,bmo#1557208,bmo#1560641)
      Memory safety bugs fixed in Firefox 69
    * CVE-2019-11735 (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912,
      Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
    * CVE-2019-11740 (bmo#1563133,bmo#1573160)
      Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
  - requires
    * rust/cargo >= 1.35
    * rust-cbindgen >= 0.9.0
    * mozilla-nss >= 3.45
  - rebased patches
* Wed Sep 04 2019 Wolfgang Rosenauer <>
  - added a bunch of patches mainly for big endian platforms
    * mozilla-bmo1504834-part1.patch
    * mozilla-bmo1504834-part2.patch
    * mozilla-bmo1504834-part3.patch
    * mozilla-bmo1511604.patch
    * mozilla-bmo1554971.patch
    * mozilla-bmo1573381.patch
    * mozilla-nestegg-big-endian.patch
    * mozilla-bmo1512162.patch
* Fri Aug 30 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 68.1.0
    MFSA 2019-26
    * CVE-2019-11751 (bmo#1572838; Windows only)
      Malicious code execution through command line parameters
    * CVE-2019-11746 (bmo#1564449)
      Use-after-free while manipulating video
    * CVE-2019-11744 (bmo#1562033)
      XSS by breaking out of title and textarea elements using innerHTML
    * CVE-2019-11742 (bmo#1559715)
      Same-origin policy violation with SVG filters and canvas to steal
      cross-origin images
    * CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only))
      File manipulation and privilege escalation in Mozilla Maintenance Service
    * CVE-2019-11753 (bmo#1574980; Windows only)
      Privilege escalation with Mozilla Maintenance Service in custom
      Firefox installation location
    * CVE-2019-11752 (bmo#1501152)
      Use-after-free while extracting a key value in IndexedDB
    * CVE-2019-9812 (bmo#1538008, bmo#1538015)
      Sandbox escape through Firefox Sync
    * CVE-2019-11743 (bmo#1560495)
      Cross-origin access to unload event attributes
    * CVE-2019-11748 (bmo#1564588)
      Persistence of WebRTC permissions in a third party context
    * CVE-2019-11749 (bmo#1565374)
      Camera information available without prompting using getUserMedia
    * CVE-2019-11750 (bmo#1568397)
      Type confusion in Spidermonkey
    * CVE-2019-11738 (bmo#1452037)
      Content security policy bypass through hash-based sources in directives
    * CVE-2019-11747 (bmo#1564481)
      'Forget about this site' removes sites from pre-loaded HSTS list
    * CVE-2019-11735i (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912,
      Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
    * CVE-2019-11740 (bmo#1563133,bmo#1573160)
      Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
  - switched package to ESR branch
  - added mozilla-bmo1568145.patch to make builds reproducible
  - removed upstreamed patch mozilla-gcc-internal-compiler-error.patch
* Sun Aug 18 2019 Andreas Stieger <>
  - Mozilla Firefox 68.0.2:
    * Fixed a bug causing some special characters to be cut off from
      the end of the search terms when searching from the URL bar
    * Allow fonts to be loaded via file:// URLs when opening a page
      locally (bmo#1565942)
    * Printing emails from the Outlook web app no longer prints only
      the header and footer (bmo#1567105)
    * Fixed a bug causing some images not to be displayed on reload,
      including on Google Maps (bmo# 1565542)
    * Fixed an error when starting external applications configured
      as URI handlers (bmo#1567614)
    MFSA 2019-24 (boo#1145665)
    * CVE-2019-11733: Stored passwords in 'Saved Logins' can be
      copied without master password entry (bmo#1565780)
  - drop fix-build-after-y2038-changes-in-glibc.patch, upstream
* Fri Aug 16 2019 Jonathan Brielmaier <>
  - Fix crash when typing in the URL bar on ppc64le (bmo#1512162).
    The upstream patch doesn't resolve the issue on TW, but compiling
    with -O1 does. Do this until we have a proper fix.
* Thu Aug 01 2019 Guillaume GARDET <>
  - Update build constraints to fix arm builds
* Fri Jul 19 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 68.0.1
    * Fixed missing Full Screen button when watching videos in full
      screen mode on HBO GO (bmo#1562837)
    * Fixed a bug causing incorrect messages to appear for some
      locales when sites try to request the use of the Storage
      Access API (bmo#1558503)
    * Users in Russian regions may have their default search engine
      changed (bmo#1565315)
    * Built-in search engines in some locales do not function
      correctly (bmo#1565779)
    * SupportMenu policy doesn't always work (bmo#1553290)
    * Allow the privacy.file_unique_origin pref to be controlled by
      policy (bmo#1563759)
* Thu Jul 11 2019 Jiri Slaby <>
  - add fix-build-after-y2038-changes-in-glibc.patch
* Wed Jul 10 2019 Bernhard Wiedemann <>
  - Generate langpacks sequentially to avoid file corruption
    from racy file writes (boo#1137970)
* Mon Jul 08 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 68.0
    * Dark mode in reader view
    * Improved extension security and discovery
    * Cryptomining and fingerprinting protections are added to strict
      content blocking settings in Privacy & Security preferences
    * Camera and microphone access now require an HTTPS connection
    MFSA 2019-21 (bsc#1140868)
    * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
      Sandbox escape via installation of malicious languagepack
    * CVE-2019-11711 (bmo#1552541)
      Script injection within domain through inner window reuse
    * CVE-2019-11712 (bmo#1543804)
      Cross-origin POST requests can be made with NPAPI plugins by
      following 308 redirects
    * CVE-2019-11713 (bmo#1528481)
      Use-after-free with HTTP/2 cached stream
    * CVE-2019-11714 (bmo#1542593)
      NeckoChild can trigger crash when accessed off of main thread
    * CVE-2019-11729 (bmo#1515342)
      Empty or malformed p256-ECDH public keys may trigger a segmentation fault
    * CVE-2019-11715 (bmo#1555523)
      HTML parsing error can contribute to content XSS
    * CVE-2019-11716 (bmo#1552632)
      globalThis not enumerable until accessed
    * CVE-2019-11717 (bmo#1548306)
      Caret character improperly escaped in origins
    * CVE-2019-11718 (bmo#1408349)
      Activity Stream writes unsanitized content to innerHTML
    * CVE-2019-11719 (bmo#1540541)
      Out-of-bounds read when importing curve25519 private key
    * CVE-2019-11720 (bmo#1556230)
      Character encoding XSS vulnerability
    * CVE-2019-11721 (bmo#1256009)
      Domain spoofing through unicode latin 'kra' character
    * CVE-2019-11730 (bmo#1558299)
      Same-origin policy treats all files in a directory as having the
    * CVE-2019-11723 (bmo#1528335)
      Cookie leakage during add-on fetching across private browsing boundaries
    * CVE-2019-11724 (bmo#1512511)
      Retired site has remote troubleshooting permissions
    * CVE-2019-11725 (bmo#1483510)
      Websocket resources bypass safebrowsing protections
    * CVE-2019-11727 (bmo#1552208)
      PKCS#1 v1.5 signatures can be used for TLS 1.3
    * CVE-2019-11728 (bmo#1552993)
      Port scanning through Alt-Svc header
    * CVE-2019-11710 (bmo#1549768, bmo#1548611, bmo#1533842, bmo#1537692,
      bmo#1540590, bmo#1551907, bmo#1510345, bmo#1535482, bmo#1535848,
      bmo#1547472, bmo#1547760, bmo#1507696, bmo#1544180)
      Memory safety bugs fixed in Firefox 68
    * CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498
      bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
      Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
  - requires
    * NSS 3.44.1
    * rust/cargo 1.34
    * rust-cbindgen 0.8.7
  - rebased patches
    * mozilla-aarch64-startup-crash.patch
    * mozilla-kde.patch
    * mozilla-nongnome-proxies.patch
    * firefox-kde.patch
  - use new and add tar_stamps for package definitions
  - added patches imported from SLE flavour
    * mozilla-gcc-internal-compiler-error.patch
    * mozilla-bmo1005535.patch
    * mozilla-ppc-altivec_static_inline.patch
    * mozilla-reduce-rust-debuginfo.patch
    * mozilla-s390-bigendian.patch
    * mozilla-s390-context.patch
* Tue Jul 02 2019 Martin Liška <>
  - Enable PGO for x86_64.
    * added firefox-add-kde.js-in-order-to-survive-PGO-build.patch
* Thu Jun 20 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 67.0.4
    MFSA 2019-19 (boo#1138872)
    * CVE-2019-11708 (bmo#1559858)
      sandbox escape using Prompt:Open
* Tue Jun 18 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 67.0.3
    MFSA 2019-18 (boo#1138614)
    * CVE-2019-11707 (bmo#1544386)
      Type confusion in Array.pop
* Wed Jun 12 2019 Manfred Hollstein <>
  - Mozilla Firefox 67.0.2
    * Fixed: Fix JavaScript error ("TypeError: data is null in
      PrivacyFilter.jsm") in console which may significantly degrade
      sessionstore reliability and performance (bmo#1553413)
    * Fixed: Proxy authentication dialog box repeatedly pops up
      asking to authenticate after upgrading to Firefox 67 (bmo#1548804)
    * Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's
      implementation (bmo#1551282)
    * Fixed: Starting in safe mode on Linux or macOS causes Firefox
      to think on the subsequent launch that the profile is too
      recent to be used with this version of Firefox (bmo#1556612)
    * Fixed: Linux distribution users can't easily install/use
      additional/different languages using the built-in preferences
      UI (bmo#1554744)
    * Fixed: Developer tools users can't copy the href/src content
      from various HTML tags via the context menu in the Inspector
      markup view (bmo#1552275)
    * Fixed: Custom home page is broken with clearing data on shutdown
      settings applied (bmo#1554167)
    * Fixed: Performance-regression for eclipse RAP based applications
    * Fixed: macOS 10.15 crash fix (bmo#1556076)
    * Fixed: Can't start two downloads in parallel via <a download>
      anymore (bmo#1542912)
* Thu Jun 06 2019 Manfred Hollstein <>
  - Mozilla Firefox 67.0.1
    * enable enhanced tracking protection by default for new users
    * upgrade of Facebook container to version 2.0
    * new version of Firefox Lockwise (password management)
    * new version of Firefox Monitor
    * Firefox Send improvements
* Sun May 19 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 67.0
    * Firefox 67 will be able to run different Firefox installs side by side
    * Tabs can now be pinned from the Page Actions menu in the address bar
    * Users can block known cryptominers and fingerprinters in the
      Custom settings or their Content Blocking preferences
    * The Import Data from Another Browser feature is now also available
      from the File menu
    * Firefox will now protect you against running older versions which
      can lead to data corruption and stability issues
    * Easier access to your list of saved logins from the main menu and
      login autocomplete
    * We’ve added a toolbar menu for your Firefox Account to provide more
      transparency for when you are synced, sharing data across devices
      and with Firefox. Personalize the appearance of the menu with your
      own avatar
    * Enable FIDO U2F API, and permit registrations for Google Accounts
    * Enabled AV1 support on Linux
    MFSA 2019-13 (boo#1135824)
    * CVE-2019-9815 (bmo#1546544)
      Disable hyperthreading on content JavaScript threads on macOS
    * CVE-2019-9816 (bmo#1536768)
      Type confusion with object groups and UnboxedObjects
    * CVE-2019-9817 (bmo#1540221)
      Stealing of cross-domain images using canvas
    * CVE-2019-9818 (bmo#1542581) (Windows only)
      Use-after-free in crash generation server
    * CVE-2019-9819 (bmo#1532553)
      Compartment mismatch with fetch API
    * CVE-2019-9820 (bmo#1536405)
      Use-after-free of ChromeEventHandler by DocShell
    * CVE-2019-9821 (bmo#1539125)
      Use-after-free in AssertWorkerThread
    * CVE-2019-11691 (bmo#1542465)
      Use-after-free in XMLHttpRequest
    * CVE-2019-11692 (bmo#1544670)
      Use-after-free removing listeners in the event listener manager
    * CVE-2019-11693 (bmo#1532525)
      Buffer overflow in WebGL bufferdata on Linux
    * CVE-2019-7317 (bmo#1542829)
      Use-after-free in png_image_free of libpng library
    * CVE-2019-11694 (bmo#1534196) (Windows only)
      Uninitialized memory memory leakage in Windows sandbox
    * CVE-2019-11695 (bmo#1445844)
      Custom cursor can render over user interface outside of web content
    * CVE-2019-11696 (bmo#1392955)
      Java web start .JNLP files are not recognized as executable files
      for download prompts
    * CVE-2019-11697 (bmo#1440079)
      Pressing key combinations can bypass installation prompt delays and
      install extensions
    * CVE-2019-11698 (bmo#1543191)
      Theft of user history data through drag and drop of hyperlinks
      to and from bookmarks
    * CVE-2019-11700 (bmo#1549833) (Windows only)
      res: protocol can be used to open known local files
    * CVE-2019-11699 (bmo#1528939)
      Incorrect domain name highlighting during page navigation
    * CVE-2019-11701 (bmo#1518627)
      webcal: protocol default handler loads vulnerable web page
    * CVE-2019-9814 (bmo#1527592, bmo#1534536, bmo#1520132, bmo#1543159,
      bmo#1539393, bmo#1459932, bmo#1459182, bmo#1516425)
      Memory safety bugs fixed in Firefox 67
    * CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136,
      bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108,
      bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097,
      bmo#1532465, bmo#1533554, bmo#1541580)
      Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
  - requires
    * rust/cargo >= 1.32
    * mozilla-nspr >= 4.21
    * mozilla-nss >= 3.43
    * rust-cbindgen >= 0.8.2
  - rebased patches
  - KDE integration for default browser detection is broken in this revision
* Fri May 17 2019 Guillaume GARDET <>
  - Fix armv7 build with:
    * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
* Fri May 10 2019 Manfred Hollstein <>
  - Mozilla Firefox 66.0.5
    * Fixed: Further improvements to re-enable web extensions which
      had been disabled for users with a master password set (bmo#1549249)
* Sun May 05 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 66.0.4 (boo#1134126)
    * fix extension certificate chain
* Thu Apr 11 2019 Manfred Hollstein <>
  - Mozilla Firefox 66.0.3
    * Fixed: Address bar on tablets running Windows 10 now behaves
      correctly (bmo#1498973)
    * Fixed: Performance issues with some HTML5 games (bmo#1537609)
    * Fixed a bug with keypress events in IBM cloud applications
    * Fix for keypress events in some Microsoft cloud applications
    * Changed: Updated Baidu search plugin
* Thu Mar 28 2019 Manfred Hollstein <>
  - Mozilla Firefox 66.0.2
    * Fixed Web compatibility issues with Office 365, iCloud and
      IBM WebMail caused by recent changes to the handling of
      keyboard events (bmo#1538966)
    * Crash fixes (bmo#1521370, bmo#1539118)
* Thu Mar 28 2019 Guillaume GARDET <>
  - Add patch to fix aarch64 build:
    * mozilla-fix-aarch64-libopus.patch (bmo#1539737)
* Fri Mar 22 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 66.0.1
    MFSA 2019-09 (bsc#1130262)
    * CVE-2019-9810 (bmo#1537924)
      IonMonkey MArraySlice has incorrect alias information
    * CVE-2019-9813 (bmo#1538006)
      Ionmonkey type confusion with __proto__ mutations
* Sun Mar 17 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 66.0
    * Increased content processes to 8
    * Added capability to search through open tabs from the tab overflow menu
    * New backend for the storage.local WebExtensions API, providing
      I/O performance improvements when the extension updates a small
      subset of the stored data
    * WebExtension keyboard shortcuts can now be managed or overridden
      from about:addons
    * Improved scrolling behavior: Firefox will now attempt to keep content
      from jumping around while a page is loading by supporting scroll
    * New about:privatebrowsing with search
    * A certificate error page now notifies the user of the name of the
      certificate issuer that breaks HTTPs connections on intercepted
      connections to help troubleshooting possible anti-virus software
    * Fixed an performance issue some Linux users experienced with the
      Downloads panel (bmo#1517101)
    * Firefox now blocks all autoplay media with sound by default. Users
      can add individual sites to an exceptions list or turn the blocking
    * System title bar is hidden by default to match Gnome guideline
    MFSA 2019-07 (bsc#1129821)
    * CVE-2019-9790 (bmo#1525145)
      Use-after-free when removing in-use DOM elements
    * CVE-2019-9791 (bmo#1530958)
      Type inference is incorrect for constructors entered through on-stack
      replacement with IonMonkey
    * CVE-2019-9792 (bmo#1532599)
      IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
    * CVE-2019-9793 (bmo#1528829)
      Improper bounds checks when Spectre mitigations are disabled
    * CVE-2019-9794 (bmo#1530103) (Windows only)
      Command line arguments not discarded during execution
    * CVE-2019-9795 (bmo#1514682)
      Type-confusion in IonMonkey JIT compiler
    * CVE-2019-9796 (bmo#1531277)
      Use-after-free with SMIL animation controller
    * CVE-2019-9797 (bmo#1528909)
      Cross-origin theft of images with createImageBitmap
    * CVE-2019-9798 (bmo#1527534) (Android only)
      Library is loaded from world writable APITRACE_LIB location
    * CVE-2019-9799 (bmo#1505678)
      Information disclosure via IPC channel messages
    * CVE-2019-9801 (bmo#1527717) (Windows only)
      Windows programs that are not 'URL Handlers' are exposed to web content
    * CVE-2019-9802 (bmo#1415508)
      Chrome process information leak
    * CVE-2019-9803 (bmo#1515863, bmo#1437009)
      Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation
    * CVE-2019-9804 (bmo#1518026) (MacOS only)
      Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS
    * CVE-2019-9805 (bmo#1521360)
      Potential use of uninitialized memory in Prio
    * CVE-2019-9806 (bmo#1525267)
      Denial of service through successive FTP authorization prompts
    * CVE-2019-9807 (bmo#1362050)
      Text sent through FTP connection can be incorporated into alert messages
    * CVE-2019-9809 (bmo#1282430, bmo#1523249)
      Denial of service through FTP modal alert error messages
    * CVE-2019-9808 (bmo#1434634)
      WebRTC permissions can display incorrect origin with data: and blob: URLs
    * CVE-2019-9789 bmo#1520483, bmo#1522987, bmo#1528199, bmo#1519337,
      bmo#1525549, bmo#1516179, bmo#1518524, bmo#1518331, bmo#1526579,
      bmo#1512567, bmo#1524335, bmo#1448505, bmo#1518821
      Memory safety bugs fixed in Firefox 66
    * CVE-2019-9788 bmo#1518001, bmo#1521304, bmo#1521214, bmo#1506665,
      bmo#1516834, bmo#1518774, bmo#1524755, bmo#1523362, bmo#1524214, bmo#1529203
      Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
  - updated build/runtime requirements
    * mozilla-nss >= 3.42.1
    * cargo/rust >= 1.31
    * rust-cbindgen >= 0.6.8
    * nasm >= 2.13 (new)
  - removed obsolete patch
    * mozilla-bmo256180.patch
* Tue Mar 05 2019 Stephan Kulow <>
  - Do not hardcode nodejs8 but leave the prefer to the distribution
    (Tumbleweed staging wants to switch to nodejs10)
* Fri Feb 15 2019 Guillaume GARDET <>
  - Update _constraints to avoid 'no space left' error seen on aarch64
* Wed Feb 13 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 65.0.1
    * Fixed accidental requests to when an addon
      recommendation doorhanger is shown (bmo#1526387)
    * Improved playback of interactive Netflix videos (bmo#1524500)
    * Fixed incorrect sizing of the "Clear Recent History" window in
      some situations (bmo#1523696)
    * Fixed audio & video delays while making WebRTC calls
      (bmo#1521577, bmo#1523817)
    * Fixed video sizing problems during some WebRTC calls (bmo#1520200)
    * Fixed looping CONNECT requests when using WebSockets over HTTP/2
      from behind a proxy server (bmo#1523427)
    * Fixed the "Enter" key not working on password entry fields for
      certain Linux distributions (bmo#1523635)
    MFSA 2019-04 (bsc#1125330)
    * CVE-2018-18356 bmo#1525817
      Use-after-free in Skia
    * CVE-2019-5785 bmo#1525433
      Integer overflow in Skia
    * CVE-2018-18511 bmo#1526218
      Cross-origin theft of images with ImageBitmapRenderingContext
* Wed Feb 13 2019 Martin Liška <>
  - Enable LTO only for latest new toolchain (boo#1125038) for x86_64
    (with increased memory constraints)
* Sat Jan 26 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 65.0
    * Enhanced tracking protection
    * allow switching of UI locales within preferences
    * support for the WebP image format
    * "top"-like about:performance
    MFSA 2019-01 (bsc#1122983)
    * CVE-2018-18500 bmo#1510114
      Use-after-free parsing HTML5 stream
    * CVE-2018-18503 bmo#1509442
      Memory corruption with Audio Buffer
    * CVE-2018-18504 bmo#1496413
      Memory corruption and out-of-bounds read of texture client
    * CVE-2018-18505 bmo#1497749
      Privilege escalation through IPC channel messages
    * CVE-2018-18506 bmo#1503393
      Proxy Auto-Configuration file can define localhost access to be proxied
    * CVE-2018-18502 bmo#1499426 bmo#1480090 bmo#1472990 bmo#1514762
      bmo#1501482 bmo#1505887 bmo#1508102 bmo#1508618 bmo#1511580
      bmo#1493497 bmo#1510145 bmo#1516289 bmo#1506798 bmo#1512758
      Memory safety bugs fixed in Firefox 65
    * CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
      bmo#1502871 bmo#1516738 bmo#1516514
      Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
  - requires
    NSS 3.41
    rust/carge 1.30
    rust-cbindgen 0.6.7
  - rebased patches
  - remove workaround for build memory consumption on i586; other
    mitigations meanwhile introduced (mainly parallelity) will be
* Tue Jan 15 2019 Martin Liška <>
  - Increase disk constraint.
* Mon Jan 14 2019 Martin Liška <>
  - Remove -v from mach build in order to work-around bmo#1500436.
* Fri Jan 11 2019 Martin Liška <>
  - Set %clang_build to false on all architectures
  - Do not use -fno-delete-null-pointer-checks and -fno-strict-aliasing:
    it should not be needed anymore
  - Do not overwrite enable-optimize and when possible
    enable --enable-debug-symbols.
  - Add -v to mach in order to make build verbose.
* Wed Jan 09 2019
  - Mozilla Firefox 64.0.2:
    * Update the Japanese translation for missing strings (bmo#1513259)
    * Properly restore column sizes in developer tools inspector (bmo#1503175)
    * Fixed video stuttering on Youtube (bmo#1513511)
    * Fix updates for some lightweight themes (bmo#1508777)
* Tue Dec 18 2018 Guillaume GARDET <>
  - Enable build_hardened for all architectures
  - Switch back aarch64 to clang as '-fPIC' fixes bmo#1513605
  - Remove obolete '--enable-pie' as -pie is always enabled for
    gcc and clang
* Wed Dec 12 2018 Guillaume GARDET <>
  - Switch aarch64 builds back to gcc, not clang (bmo#1513605)
  - Switch %arm builds back to gcc, not clang to avoid OOM
  - Fix build flags when clang is not used
  - Fix flags for clang ppc64 builds
* Tue Dec 11 2018 Wolfgang Rosenauer <>
  - update to Firefox 64.0
    * Better recommendations: You may see suggestions in regular browsing
      mode for new and relevant Firefox features, services, and extensions
      based on how you use the web (for US users only)
    * Enhanced tab management: You can now select multiple tabs from the
      tab bar and close, move, bookmark, or pin them quickly and easily
    * Easier performance management: The new Task Manager page found at
      about:performance lets you see how much energy each open tab consumes
      and provides access to close tabs to conserve power
    * Improved performance for Mac and Linux users, by enabling link time
      optimization (Clang LTO).
    * Added option to remove add-ons using the context menu on their
      toolbar buttons
    * RSS feed preview and live bookmarks are available only via add-ons
    * TLS certificates issued by Symantec are no longer trusted by Firefox.
      Website operators are strongly encouraged to replace any remaining
      Symantec TLS certificates as soon as possible
    MFSA 2018-29 (bsc#1119105)
    * CVE-2018-12407 bmo#1505973
      Buffer overflow with ANGLE library when using VertexBuffer11 module
    * CVE-2018-17466 bmo#1488295
      Buffer overflow and out-of-bounds read in ANGLE library with
    * CVE-2018-18492 bmo#1499861
      Use-after-free with select element
    * CVE-2018-18493 bmo#1504452
      Buffer overflow in accelerated 2D canvas with Skia
    * CVE-2018-18494 bmo#1487964
      Same-origin policy violation using location attribute and
      performance.getEntries to steal cross-origin URLs
    * CVE-2018-18495 bmo#1427585
      WebExtension content scripts can be loaded in about: pages
    * CVE-2018-18496 bmo#1422231 (Windows only)
      Embedded feed preview page can be abused for clickjacking
    * CVE-2018-18497 bmo#1488180
      WebExtensions can load arbitrary URLs through pipe separators
    * CVE-2018-18498 bmo#1500011
      Integer overflow when calculating buffer sizes for images
    * CVE-2018-12406 bmo#1456947 bmo#1475669 bmo#1504816 bmo#1502886
      bmo#1500064 bmo#1500310 bmo#1500696 bmo#1498765 bmo#1499198 bmo#1434490
      bmo#1481745 bmo#1458129
      Memory safety bugs fixed in Firefox 64
    * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
      bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
      Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4
  - requires
    * rust/cargo >= 1.29
    * mozilla-nss >= 3.40.1
    * rust-cbindgen >= 0.6.4
  - rebased patches
  - removed obsolete patch
    * mozilla-bmo1491289.patch
  - now uses clang primarily for compilation
* Wed Nov 28 2018 Guillaume GARDET <>
  - Remove --disable-elf-hack when not available: on aarch64 and ppc64*
* Mon Nov 26 2018 Guillaume GARDET <>
  - Clean-up %arm build
* Sun Nov 18 2018
  - update to Firefox 63.0.3
    * Games using WebGL (created in Unity) get stuck after very short
      time of gameplay (bmo#1502748)
    * Slow page loading for some users with specific proxy configurations
    * Disable HTTP response throttling by default for causing bugs with
      videos in background tabs (bmo#1503354)
    * Opening magnet links no longer works (bmo#1498934)
    * Crash fixes (bmo#1498510, bmo#1503424)
  - removed mozilla-newer-cbindgen.patch; no longer needed
* Thu Nov 08 2018
  - update to Firefox 63.0.1
    * Snippets are not loaded due to missing element (bmo#1503047)
    * Print preview always shows 30& scale when it is actually
      Shrink To Fit (bmo#1501952)
    * Dialog displayed when closing multiple windows shows unreplaced
      %1$S placeholder in Japanese and potentially other locales
* Mon Oct 29 2018
  - update to Firefox 63.0
    * WebExtensions now run in their own process on Linux
    * The Ctrl+Tab shortcut now displays thumbnail previews of your
      tabs and cycles through tabs in recently used order. This new
      default behavior is activated only in new profiles and can be
      changed in preferences.
    * Added support for Web Components custom elements and shadow DOM
    MFSA 2018-26 (bsc#1112852)
    * CVE-2018-12391 (bmo#1478843) (Android-only)
      HTTP Live Stream audio data is accessible cross-origin
    * CVE-2018-12392 (bmo#1492823)
      Crash with nested event loops
    * CVE-2018-12393 (bmo#1495011) (only affects non-64-bit archs)
      Integer overflow during Unicode conversion while loading JavaScript
    * CVE-2018-12395 (bmo#1467523)
      WebExtension bypass of domain restrictions through header rewriting
    * CVE-2018-12396 (bmo#1483602)
      WebExtension content scripts can execute in disallowed contexts
    * CVE-2018-12397 (bmo#1487478)
      Missing warning prompt when WebExtension requests local file access
    * CVE-2018-12398 (bmo#1460538, bmo#1488061)
      CSP bypass through stylesheet injection in resource URIs
    * CVE-2018-12399 (bmo#1490276)
      Spoofing of protocol registration notification bar
    * CVE-2018-12400 (bmo#1448305) (Android only)
      Favicons are cached in private browsing mode on Firefox for Android
    * CVE-2018-12401 (bmo#1422456)
      DOS attack through special resource URI parsing
    * CVE-2018-12402 (bmo#1469916)
      SameSite cookies leak when pages are explicitly saved
    * CVE-2018-12403 (bmo#1484753)
      Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP
    * CVE-2018-12388 (bmo#1472639, bmo#1485698, bmo#1301547, bmo#1471427,
      bmo#1379411, bmo#1482122, bmo#1486314, bmo#1487167)
      Memory safety bugs fixed in Firefox 63
    * CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
      bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
      bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
      bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
      Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
  - requires NSPR 4.20, NSS 3.39 and Rust 1.28
  - latest rust does not provide rust-std so stop requiring it
  - requires rust-cbindgen >= 0.6.2 to build
  - requires nodejs >= 8.11 to build
  - added mozilla-bmo1491289.patch to fix system NSS build (bmo#1491289)
  - added mozilla-cubeb-noreturn.patch to fix non-return function
  - added mozilla-newer-cbindgen.patch to fix build with cbindgen 0.6.7
  - disable elfhack for TW and newer due to build errors
  - removed obsolete patches
    * mozilla-no-return.patch
    * mozilla-no-stdcxx-check.patch
* Thu Oct 25 2018
  - Update _constraints for armv6/7
* Thu Oct 25 2018
  - Add patch to fix build on armv7:
    * mozilla-bmo1463035.patch
* Tue Oct 02 2018
  - Mozilla Firefox 62.0.3:
    MFSA 2018-24
    * CVE-2018-12386 (bsc#1110506, bmo#1493900)
      Type confusion in JavaScript allowed remote code execution
    * CVE-2018-12387 (bsc#1110507, bmo#1493903)
      Array.prototype.push stack pointer vulnerability may enable
      exploits in the sandboxed content process
* Sat Sep 22 2018
  - Mozilla Firefox 62.0.2:
    MFSA 2018-22
    * CVE-2018-12385 (boo#1109363, bmo#1490585)
      Crash in TransportSecurityInfo due to cached data
    * Unvisited bookmarks can once again be autofilled in the address
    * Fix WebGL rendering issues
    * Fix fallback on startup when a language pack is missing
    * Avoid crash when sharing a profile with newer (as yet
      unreleased) versions of Firefox
    * Do not undo removal of search engines when using a language
    * Fixed rendering of some web sites
    * Restored compatibility with some sites using deprecated TLS
  - disable rust debug symbols to fix build on %ix86
* Mon Sep 03 2018
  - update to Firefox 62.0
    * Firefox Home (the default New Tab) now allows users to display
      up to 4 rows of top sites, Pocket stories, and highlights
    * "Reopen in Container" tab menu option appears for users with
      Containers that lets them choose to reopen a tab in a different
    * In advance of removing all trust for Symantec-issued certificates
      in Firefox 63, a preference was added that allows users to distrust
      certificates issued by Symantec. To use this preference, go to
      about:config in the address bar and set the preference
      "security.pki.distrust_ca_policy" to 2.
    * Support for CSS Shapes, allowing for richer web page layouts.
      This goes hand in hand with a brand new Shape Path Editor in the
      CSS inspector.
    * CSS Variable Fonts (OpenType Font Variations) support, which makes
      it possible to create beautiful typography with a single font file
    * Added Canadian English (en-CA) locale
    MFSA 2018-20 (bsc#1107343)
    * CVE-2018-12377 (bmo#1470260)
      Use-after-free in refresh driver timers
    * CVE-2018-12378 (bmo#1459383)
      Use-after-free in IndexedDB
    * CVE-2018-12379 (bmo#1473113) (updater is disabled for us)
      Out-of-bounds write with malicious MAR file
    * CVE-2017-16541 (bmo#1412081)
      Proxy bypass using automount and autofs
    * CVE-2018-12381 (bmo#1435319)
      Dragging and dropping Outlook email message results in page navigation
    * CVE-2018-12382 (bmo#1479311) (Android only)
      Addressbar spoofing with javascript URI on Firefox for Android
    * CVE-2018-12383 (bmo#1475775)
      Setting a master password post-Firefox 58 does not delete
      unencrypted previously stored passwords
    * CVE-2018-12375
      Memory safety bugs fixed in Firefox 62
    * CVE-2018-12376
      Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
  - requires NSS >= 3.38
  - removed obsolete patch
* Thu Aug 09 2018
  - update to Firefox 61.0.2
    * Improved website rendering with the Retained Display List feature
      enabled (bmo#1474402)
    * Fixed broken DevTools panels with certain extensions installed
    * Fixed a crash for users with some accessibility tools enabled
* Mon Jul 09 2018
  - Mozilla Firefox 61.0.1:
    * Fix missing content on the New Tab Page and the Home section of
      the Preferences page (bmo#1471375)
    * Fixed loss of bookmarks under rare circumstances when upgrading
      from Firefox 60 (bmo#1472127)
    * Improved playback of Twitch 1080p video streams (bmo#1469257)
    * Web pages no longer lose focus when a browser popup window is
      opened (bmo#1471415)
    * Re-allowed downloading files from FTP sites via the "Save Link
      As" option when linked from HTTP pages (bmo#1470295)
    * Fixed extensions being unable to override the default homepage
      in certain situations (bmo#1466846)
* Sat Jun 23 2018
  - update to Firefox 61.0
    * Performance enhancements
    * Various improvements for dark theme support will provide a more
      consistent experience across the entire Firefox UI
    * OpenSearch plugins offered by web pages can now be added from the
      page action menu for easier installation
    * Improved support for allowing WebExtensions to manage and hide tabs
    MFSA 2018-15 (bsc#1098998)
    * CVE-2018-12359 (bmo#1459162)
      Buffer overflow using computed size of canvas element
    * CVE-2018-12360 (bmo#1459693)
      Use-after-free when using focus()
    * CVE-2018-12361 (bmo#1463244)
      Integer overflow in SwizzleData
    * CVE-2018-12358 (bmo#1467852)
      Same-origin bypass using service worker and redirection
    * CVE-2018-12362 (bmo#1452375)
      Integer overflow in SSSE3 scaler
    * CVE-2018-5156 (bmo#1453127)
      Media recorder segmentation fault when track type is changed during capture
    * CVE-2018-12363 (bmo#1464784)
      Use-after-free when appending DOM nodes
    * CVE-2018-12364 (bmo#1436241)
      CSRF attacks through 307 redirects and NPAPI plugins
    * CVE-2018-12365 (bmo#1459206)
      Compromised IPC child process can list local filenames
    * CVE-2018-12371 (bmo#1465686)
      Integer overflow in Skia library during edge builder allocation
    * CVE-2018-12366 (bmo#1464039)
      Invalid data handling during QCMS transformations
    * CVE-2018-12367 (bmo#1462891)
      Timing attack mitigation of PerformanceNavigationTiming
    * CVE-2018-12369 (bmo#1454909)
      WebExtension security permission checks bypassed by embedded experiments
    * CVE-2018-12370 (bmo#1456652)
      SameSite cookie protections bypassed when exiting Reader View
    * CVE-2018-5186 (bmo#1464872,bmo#1463329,bmo#1419373,bmo#1412882,
      Memory safety bugs fixed in Firefox 61
    * CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938,
      Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
    * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
      Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
  - requires NSS 3.37.3
  - requires python >= 3.5 to build
  - removed obsolete patches
  - patch for new no-return warnings (mozilla-no-return.patch)
  - do not disable system installed locales (mozilla-bmo1464766.patch)
* Fri Jun 08 2018
  - Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
    conditional --disable-gconf to configure: no longer pull in
    obsolete gconf2 for Tumbleweed.
* Thu Jun 07 2018
  - update to Firefox 60.0.2
    * requires NSS 3.36.4
    MFSA 2018-14 (bsc#1096449)
    * CVE-2018-6126 (bmo#1462682)
      Heap buffer overflow rasterizing paths in SVG with Skia
* Wed Jun 06 2018
  - Add upstream patch to fix boo#1093059 instead of '-ffixed-x28'
    * mozilla-bmo1375074.patch
* Sat May 26 2018
  - fixed "open with" option under KDE (boo#1094747)
  - workaround crash on startup on aarch64 (boo#1093059)
    (contributed by
* Wed May 23 2018
  - Disable webrtc for aarch64 due to bmo#1434589
  - Add patch to fix skia build on AArch64:
    * mozilla-fix-skia-aarch64.patch
* Thu May 17 2018
  - update to Firefox 60.0.1
    * Avoid overly long cycle collector pauses with some add-ons installed
    * After unckecking the "Sponsored Stories" option, the New Tab page
      now immediately stops displaying "Sponsored content" cards (bmo#1458906)
    * On touchscreen devices, fixed momentum scrolling on non-zoomable pages
    * Use the right default background when opening tabs or windows in
      high contrast mode (bmo#1458956)
    * Restored translations of the Preferences panels when using a
      language pack (bmo#1461590)
* Mon May 14 2018
  - parellelise locales building
* Mon May 07 2018
  - update to Firefox 60.0
    * Added a policy engine that allows customized Firefox deployments
      in enterprise environments, using Windows Group Policy or a
      cross-platform JSON file
    * Applied Quantum CSS to render browser UI
    * Added support for Web Authentication, allowing the use of USB
      tokens for authentication to web sites
    * Locale added: Occitan (oc)
    MFSA 2018-11 (bsc#1092548)
    * CVE-2018-5154 (bmo#1443092)
      Use-after-free with SVG animations and clip paths
    * CVE-2018-5155 (bmo#1448774)
      Use-after-free with SVG animations and text paths
    * CVE-2018-5157 (bmo#1449898)
      Same-origin bypass of PDF Viewer to view protected PDF files
    * CVE-2018-5158 (bmo#1452075)
      Malicious PDF can inject JavaScript into PDF Viewer
    * CVE-2018-5159 (bmo#1441941)
      Integer overflow and out-of-bounds write in Skia
    * CVE-2018-5160 (bmo#1436117)
      Uninitialized memory use by WebRTC encoder
    * CVE-2018-5152 (bmo#1415644, bmo#1427289)
      WebExtensions information leak through webRequest API
    * CVE-2018-5153 (bmo#1436809)
      Out-of-bounds read in mixed content websocket messages
    * CVE-2018-5163 (bmo#1426353)
      Replacing cached data in JavaScript Start-up Bytecode Cache
    * CVE-2018-5164 (bmo#1416045)
      CSP not applied to all multipart content sent with
    * CVE-2018-5166 (bmo#1437325)
      WebExtension host permission bypass through filterReponseData
    * CVE-2018-5167 (bmo#1447969)
      Improper linkification of chrome: and javascript: content in
      web console and JavaScript debugger
    * CVE-2018-5168 (bmo#1449548)
      Lightweight themes can be installed without user interaction
    * CVE-2018-5169 (bmo#1319157)
      Dragging and dropping link text onto home button can set home page
      to include chrome pages
    * CVE-2018-5172 (bmo#1436482)
      Pasted script from clipboard can run in the Live Bookmarks page
      or PDF viewer
    * CVE-2018-5173 (bmo#1438025)
      File name spoofing of Downloads panel with Unicode characters
    * CVE-2018-5174 (bmo#1447080) (Windows-only)
      Windows Defender SmartScreen UI runs with less secure behavior
      for downloaded files in Windows 10 April 2018 Update
    * CVE-2018-5175 (bmo#1432358)
      Universal CSP bypass on sites using strict-dynamic in their policies
    * CVE-2018-5176 (bmo#1442840)
      JSON Viewer script injection
    * CVE-2018-5177 (bmo#1451908)
      Buffer overflow in XSLT during number formatting
    * CVE-2018-5165 (bmo#1451452)
      Checkbox for enabling Flash protected mode is inverted in 32-bit
    * CVE-2018-5180 (bmo#1444086)
      heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
    * CVE-2018-5181 (bmo#1424107)
      Local file can be displayed in noopener tab through drag and
      drop of hyperlink
    * CVE-2018-5182 (bmo#1435908)
      Local file can be displayed from hyperlink dragged and dropped
      on addressbar
    * CVE-2018-5151
      Memory safety bugs fixed in Firefox 60
    * CVE-2018-5150
      Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
  - removed obsolete patches
  - requires NSPR 4.19 and NSS 3.36.1
  - requires rust 1.24 or higher
  - use upstream source archive and detached signature for
    source verification
* Thu May 03 2018
  - Fix armv7 build by:
    * adding RUSTFLAGS="-Cdebuginfo=0"
    * updating _constraints for %arm
* Wed May 02 2018
  - do not try CSD on kwin (boo#1091592)
  - fix build in openSUSE:Leap:42.3:Update, use gcc7
* Tue May 01 2018
  - Mozilla Firefox 59.0.3:
    * fixes for platforms other than GNU/Linux
* Fri Apr 20 2018
  - Add 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
    in order to fix boo#1090362.
* Mon Apr 02 2018
  - Add back mozilla-enable-csd.patch: New rebased version from
    Fedora for version 59.0.x.
* Tue Mar 27 2018
  - Reduce constraints on aarch64
* Tue Mar 27 2018
  - update to Firefox 59.0.2
    * Invalid page rendering with hardware acceleration enabled (bmo#1435472)
    * Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites
      that use those keys with resistFingerprinting enabled (bmo#1433592)
    * High CPU / memory churn caused by third-party software on some
      computers (bmo#1446280)
    * Users who have configured an "automatic proxy configuration URL"
      and want to reload their proxy settings from the URL will find
      the Reload button disabled in the Connection Settings dialog when
      they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
    * URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
    * User's trying to cancel a print around the time it completes will
      continue to get intermittent crashes (bmo#1441598)
    MFSA 2018-10 (bsc#1087059)
    * CVE-2018-5148 (bmo#1440717)
      Use-after-free in compositor
  - removed obsolete patch mozilla-bmo1446062.patch
* Wed Mar 21 2018
  - Added patches:
    * mozilla-i586-DecoderDoctorLogger.patch - bmo#1447070
      fixes non-unified build error
    * mozilla-i586-domPrefs.patch - DOMPrefs.h
      fixes 32bit build error
* Fri Mar 16 2018
  - update to Firefox 59.0.1 (bsc#1085671)
    MFSA 2018-08
    * CVE-2018-5146 (bmo#1446062)
      Vorbis audio processing out of bounds write
    * CVE-2018-5147 (bmo#1446365)
      Out of bounds memory write in libtremor
* Wed Mar 14 2018
  - Added patch:
    * mozilla-bmo1005535.patch:
      Enable skia_gpu on big endian platforms.
* Sun Mar 11 2018
  - update to Firefox 59.0
    * Performance enhancements
    * Drag-and-drop to rearrange Top Sites on the Firefox Home page
    * added features for Firefox Screenshots
    * Enhanced WebExtensions API
    * Improved RTC capabilities
    MFSA 2018-06 (bsc#1085130)
    * CVE-2018-5127 (bmo#1430557)
      Buffer overflow manipulating SVG animatedPathSegList
    * CVE-2018-5128 (bmo#1431336)
      Use-after-free manipulating editor selection ranges
    * CVE-2018-5129 (bmo#1428947)
      Out-of-bounds write with malformed IPC messages
    * CVE-2018-5130 (bmo#1433005)
      Mismatched RTP payload type can trigger memory corruption
    * CVE-2018-5131 (bmo#1440775)
      Fetch API improperly returns cached copies of no-store/no-cache resources
    * CVE-2018-5132 (bmo#1408194)
      WebExtension Find API can search privileged pages
    * CVE-2018-5133 (bmo#1430511, bmo#1430974)
      Value of the preference is not properly sanitized
    * CVE-2018-5134 (bmo#1429379)
      WebExtensions may use view-source: URLs to bypass content restrictions
    * CVE-2018-5135 (bmo#1431371)
      WebExtension browserAction can inject scripts into unintended contexts
    * CVE-2018-5136 (bmo#1419166)
      Same-origin policy violation with data: URL shared workers
    * CVE-2018-5137 (bmo#1432870)
      Script content can access legacy extension non-contentaccessible resources
    * CVE-2018-5138 (bmo#1432624) (Android only)
      Android Custom Tab address spoofing through long domain names
    * CVE-2018-5140 (bmo#1424261)
      Moz-icon images accessible to web content through moz-icon: protocol
    * CVE-2018-5141 (bmo#1429093)
      DOS attack through notifications Push API
    * CVE-2018-5142 (bmo#1366357)
      Media Capture and Streams API permissions display incorrect origin
      with data: and blob: URLs
    * CVE-2018-5143 (bmo#1422643)
      Self-XSS pasting javascript: URL with embedded tab into addressbar
    * CVE-2018-5126
      Memory safety bugs fixed in Firefox 59
    * CVE-2018-5125
      Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
  - requires NSPR 4.18 and NSS 3.35
  - requires rust >= 1.22.1
  - removed obsolete patches:
  - removed l10n_changesets.txt since same information is now in
    Firefox source tree (updated now requires jq)
* Fri Feb 09 2018
  - Mozilla Firefox 58.0.2:
    * Blocklisted graphics drivers related to off main thread painting
    * Fix tab crash during printing
    * Fix clicking links and scrolling emails on Microsoft Hotmail
      and Outlook (OWA) webmail
* Fri Feb 09 2018
  - correct requires and provides handling (boo#1076907)
* Tue Feb 06 2018
  - Added patch:
    * mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still
      or again?) not working in Firefox 58 due to sandboxing.
* Mon Jan 29 2018
  - update to Firefox 58.0.1
    MFSA 2018-05
    * Arbitrary code execution through unsanitized browser UI (bmo#1432966)
  - use correct language packs
  - readd mozilla-enable-csd.patch as it only lands for FF59 upstream
  - allow larger number of nested elements (mozilla-bmo256180.patch)
* Tue Jan 23 2018
  - update to Firefox 58.0 (bsc#1077291)
    * Added Nepali (ne-NP) locale
    * Added support for form autofill for credit card
    * Optimize page load by caching JavaScript internal representation
    MFSA 2018-02
    * CVE-2018-5091 (bmo#1423086)
      Use-after-free with DTMF timers
    * CVE-2018-5092 (bmo#1418074)
      Use-after-free in Web Workers
    * CVE-2018-5093 (bmo#1415291)
      Buffer overflow in WebAssembly during Memory/Table resizing
    * CVE-2018-5094 (bmo#1415883)
      Buffer overflow in WebAssembly with garbage collection on
      uninitialized memory
    * CVE-2018-5095 (bmo#1418447)
      Integer overflow in Skia library during edge builder allocation
    * CVE-2018-5097 (bmo#1387427)
      Use-after-free when source document is manipulated during XSLT
    * CVE-2018-5098 (bmo#1399400)
      Use-after-free while manipulating form input elements
    * CVE-2018-5099 (bmo#1416878)
      Use-after-free with widget listener
    * CVE-2018-5100 (bmo#1417405)
      Use-after-free when IsPotentiallyScrollable arguments are freed
      from memory
    * CVE-2018-5101 (bmo#1417661)
      Use-after-free with floating first-letter style elements
    * CVE-2018-5102 (bmo#1419363)
      Use-after-free in HTML media elements
    * CVE-2018-5103 (bmo#1423159)
      Use-after-free during mouse event handling
    * CVE-2018-5104 (bmo#1425000)
      Use-after-free during font face manipulation
    * CVE-2018-5105 (bmo#1390882)
      WebExtensions can save and execute files on local file system
      without user prompts
    * CVE-2018-5106 (bmo#1408708)
      Developer Tools can expose style editor information cross-origin
      through service worker
    * CVE-2018-5107 (bmo#1379276)
      Printing process will follow symlinks for local file access
    * CVE-2018-5108 (bmo#1421099)
      Manually entered blob URL can be accessed by subsequent private browsing tabs
    * CVE-2018-5109 (bmo#1405599)
      Audio capture prompts and starts with incorrect origin attribution
    * CVE-2018-5110 (bmo#1423275) (affects only OS X)
      Cursor can be made invisible on OS X
    * CVE-2018-5111 (bmo#1321619)
      URL spoofing in addressbar through drag and drop
    * CVE-2018-5112 (bmo#1425224)
      Extension development tools panel can open a non-relative URL in the panel
    * CVE-2018-5113 (bmo#1425267)
      WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow
    * CVE-2018-5114 (bmo#1421324)
      The old value of a cookie changed to HttpOnly remains accessible to scripts
    * CVE-2018-5115 (bmo#1409449)
      Background network requests can open HTTP authentication in unrelated foreground tabs
    * CVE-2018-5116 (bmo#1396399)
      WebExtension ActiveTab permission allows cross-origin frame content access
    * CVE-2018-5117 (bmo#1395508)
      URL spoofing with right-to-left text aligned left-to-right
    * CVE-2018-5118 (bmo#1420049)
      Activity Stream images can attempt to load local content through file:
    * CVE-2018-5119 (bmo#1420507)
      Reader view will load cross-origin content in violation of CORS headers
    * CVE-2018-5121 (bmo#1402368) (affects only OS X)
      OS X Tibetan characters render incompletely in the addressbar
    * CVE-2018-5122 (bmo#1413841)
      Potential integer overflow in DoCrypt
    * CVE-2018-5090
      Memory safety bugs fixed in Firefox 58
    * CVE-2018-5089
      Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
  - requires NSS 3.34.1
  - requires rust 1.21
  - removed obsolete patches:
  - rebased patches
  - updated man-page
* Tue Jan 09 2018
  - fixed build with latest rust (mozilla-rust-1.23.patch)
* Thu Jan 04 2018
  - update to Firefox 57.0.4
    MFSA 2018-1: Speculative execution side-channel attack ("Spectre")
* Wed Jan 03 2018
  - fixed regression introduced Oct 10th which made Firefox crash
    when cancelling the KDE file dialog (boo#1069962)



Generated by rpm2html 1.8.1

Fabrice Bellet, Wed Jul 1 23:58:20 2020