[opensuse-factory] New Tumbleweed snapshot 20171009 released!
Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20171009 When you reply to report some issues, make sure to change the subject. It is not helpful to keep the release announcement subject in a thread while discussing a specific problem. Packages changed: MozillaFirefox (52.3.0 -> 56.0) MozillaThunderbird (52.3.0 -> 52.4.0) bluedevil5 (5.10.5 -> 5.11.0) breeze (5.10.5 -> 5.11.0) breeze-gtk (5.10.5 -> 5.11.0) breeze4-style (5.10.5 -> 5.11.0) clamav dracut drkonqi5 (5.10.5 -> 5.11.0) file graphviz graphviz-addons kactivitymanagerd (5.10.5 -> 5.11.0) kcm_sddm (5.10.5 -> 5.11.0) kde-cli-tools5 (5.10.5 -> 5.11.0) kde-gtk-config5 (5.10.5 -> 5.11.0) kde-user-manager (5.10.5 -> 5.11.0) kernel-source (4.13.4 -> 4.13.5) kgamma5 (5.10.5 -> 5.11.0) khotkeys5 (5.10.5 -> 5.11.0) kinfocenter5 (5.10.5 -> 5.11.0) kmenuedit5 (5.10.5 -> 5.11.0) kscreen5 (5.10.5 -> 5.11.0) kscreenlocker (5.10.5 -> 5.11.0) ksshaskpass5 (5.10.5 -> 5.11.0) ksysguard5 (5.10.5 -> 5.11.0) kwin5 (5.10.5 -> 5.11.0) libkdecoration2 (5.10.5 -> 5.11.0) libkscreen2 (5.10.5 -> 5.11.0) libksysguard5 (5.10.5 -> 5.11.0) linphone milou5 (5.10.5 -> 5.11.0) oxygen5 (5.10.5 -> 5.11.0) perl-Class-Multimethods (1.70 -> 1.701) perl-DBD-CSV (0.48 -> 0.49) perl-Log-Dispatch (2.66 -> 2.67) plasma-nm5 (5.10.5 -> 5.11.0) plasma5-addons (5.10.5 -> 5.11.0) plasma5-desktop (5.10.5 -> 5.11.0) plasma5-integration (5.10.5 -> 5.11.0) plasma5-openSUSE plasma5-pa (5.10.5 -> 5.11.0) plasma5-workspace (5.10.5 -> 5.11.0) polkit-kde-agent-5 (5.10.5 -> 5.11.0) powerdevil5 (5.10.5 -> 5.11.0) systemsettings5 (5.10.5 -> 5.11.0) timezone timezone-java xdg-desktop-portal-kde (5.10.5 -> 5.11.0) === Details === ==== MozillaFirefox ==== Version update (52.3.0 -> 56.0) Subpackages: MozillaFirefox-translations-common - Correct plugin directory for aarch64 (boo#1061207). The wrapper script was not detecting aarch64 as a 64 bit architecture, thus used /usr/lib/browser-plugins/. - Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0), pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure looks for. - update to Firefox 56.0 (boo#1060445) * Firefox Screenshots * Find Options/Preferences more quickly with new search function * Media is no longer auto-played when opened in a background tab * Enable CSS Grid Layout View MFSA 2017-21 * CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API * CVE-2017-7817 (bmo#1356596) (Android-only) Firefox for Android address bar spoofing through fullscreen mode * CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array manipulation * CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in design mode * CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and validating elements with ANGLE * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free in TLS 1.2 generating handshake hashes * CVE-2017-7812 (bmo#1379842) Drag and drop of malicious page content to the tab bar can open locally stored files * CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and malware protection warnings * CVE-2017-7813 (bmo#1383951) Integer truncation in the JavaScript parser * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render some Tibetan and Arabic unicode characters as spaces * CVE-2017-7815 (bmo#1368981) Spoofing attack with modal dialogs on non-e10s installations * CVE-2017-7816 (bmo#1380597) WebExtensions can load about: URLs in extension UI * CVE-2017-7821 (bmo#1346515) WebExtensions can download and open non-executable files without user interaction * CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a unique origin * CVE-2017-7822 (bmo#1368859) WebCrypto allows AES-GCM with 0-length IV * CVE-2017-7820 (bmo#1378207) Xray wrapper bypass with new tab and web console * CVE-2017-7811 Memory safety bugs fixed in Firefox 56 * CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 - requires NSPR 4.16 and NSS 3.32.1 - rebased patches - Add alsa-devel BuildRequires: we care for ALSA support to be built and thus need to ensure we get the dependencies in place. In the past, alsa-devel was pulled in by accident: we buildrequire libgnome-devel. This required esound-devel and that in turn pulled in alsa-devel for us. libgnome is being fixed to no longer require esound-devel. - update to Firefox 55.0.3 * Fix an issue with addons when using a path containing non-ascii characters (bmo#1389160) * Fix file uploads to some websites, including YouTube (bmo#1383518) - fix Google API key build integration - add mozilla-ucontext.patch to fix Tumbleweed build - do not enable XINPUT2 for now (boo#1053959) - update to Firefox 55.0.1 * Fix a regression the tab restoration process (bmo#1388160) * Fix a problem causing What's new pages not to be displayed (bmo#1386224) * Fix a rendering issue with some PKCS#11 libraries (bmo#1388370) * Disable the predictor prefetch (bmo#1388160) - update to Firefox 55.0 (boo#1052829) * Browsing sessions with a high number of tabs are now restored in an instant * Sidebar (bookmarks, history, synced tabs) can now be moved to the right edge of the window * Fine-tune your browser performance from the Preferences/Options page. * Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users. * Added Belarusian (be) locale * Simplify print jobs from within print preview * Use virtual reality devices with the web with the introduction of WebVR * Search suggestions are now enabled by default for users who haven't explicitly opted-out * Search with any installed search engine directly from the location bar * IMPORTANT: Breaking profile changes - do not downgrade Firefox and use a profile that has been opened with Firefox 55+. * The Adobe Flash plugin is now click-to-activate by default and only allowed on http:// and https:// URL schemes. This change will be rolled out progressively and so will not be visible to all users immediately. For more information see the Firefox plugin roadmap * Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change. * Insecure sites can no longer access the Geolocation APIs to get access to your physical location * requires NSPR 4.15 and NSS 3.31 MFSA 2017-18 * CVE-2017-7798 (bmo#1371586, bmo#1372112) XUL injection in the style editor in devtools * CVE-2017-7800 (bmo#1374047) Use-after-free in WebSockets during disconnection * CVE-2017-7801 (bmo#1371259) Use-after-free with marquee during window resizing * CVE-2017-7809 (bmo#1380284) Use-after-free while deleting attached editor DOM node * CVE-2017-7784 (bmo#1376087) Use-after-free with image observers * CVE-2017-7802 (bmo#1378147) Use-after-free resizing image elements * CVE-2017-7785 (bmo#1356985) Buffer overflow manipulating ARIA attributes in DOM * CVE-2017-7786 (bmo#1365189) Buffer overflow while painting non-displayable SVG * CVE-2017-7806 (bmo#1378113) Use-after-free in layer manager with SVG * CVE-2017-7753 (bmo#1353312) Out-of-bounds read with cached style data and pseudo-elements# * CVE-2017-7787 (bmo#1322896) Same-origin policy bypass with iframes through page reloads * CVE-2017-7807 (bmo#1376459) Domain hijacking through AppCache fallback * CVE-2017-7792 (bmo#1368652) Buffer overflow viewing certificates with an extremely long OID * CVE-2017-7804 (bmo#1372849) Memory protection bypass through WindowsDllDetourPatcher * CVE-2017-7791 (bmo#1365875) Spoofing following page navigation with data: protocol and modal alerts * CVE-2017-7808 (bmo#1367531) CSP information leak with frame-ancestors containing paths * CVE-2017-7782 (bmo#1344034) WindowsDllDetourPatcher allocates memory without DEP protections * CVE-2017-7781 (bmo#1352039) Elliptic curve point addition error when using mixed Jacobian-affine coordinates * CVE-2017-7794 (bmo#1374281) Linux file truncation via sandbox broker * CVE-2017-7803 (bmo#1377426) CSP containing 'sandbox' improperly applied * CVE-2017-7799 (bmo#1372509) Self-XSS XUL injection in about:webrtc * CVE-2017-7783 (bmo#1360842) DOS attack through long username in URL * CVE-2017-7788 (bmo#1073952) Sandboxed about:srcdoc iframes do not inherit CSP directives * CVE-2017-7789 (bmo#1074642) Failure to enable HSTS when two STS headers are sent for a connection * CVE-2017-7790 (bmo#1350460) (Windows-only) Windows crash reporter reads extra memory for some non-null-terminated registry values * CVE-2017-7796 (bmo#1234401) (Windows-only) Windows updater can delete any file named update.log * CVE-2017-7797 (bmo#1334776) Response header name interning leaks across origins * CVE-2017-7780 Memory safety bugs fixed in Firefox 55 * CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 - updated mozilla-kde.patch: * removed "downloadfinished" alert as Firefox reimplemented the whole thing (TODO: check if there is another function we should hook in) - update to Firefox 54.0.1 * Fix a display issue of tab title (bmo#1357656) * Fix a display issue of opening new tab (bmo#1371995) * Fix a display issue when opening multiple tabs (bmo#1371962) * Fix a tab display issue when downloading files (bmo#1373109) * Fix a PDF printing issue (bmo#1366744) * Fix a Netflix issue on Linux (bmo#1375708) - update to Firefox 54.0 * Clearer and more detailed information for download items in the download panel * Added Burmese (my) locale * Bookmarks created on mobile devices are now shown in "Mobile Bookmarks? folder in the drop down list from the toolbar and Bookmarks option in the menu bar in Desktop Firefox * added support for multiple content processes (e10s-multi) - requires NSPR 4.14 and NSS 3.30.2 - requires rust 1.15.1 - removed mozilla-shared-nss-db.patch as it seems to be a rather unused feature - remove -fno-inline-small-functions and explicitely optimize with - O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) - switch to Mozilla's geolocation service (boo#1026989) - removed mozilla-preferences.patch obsoleted by overriding via firefox.js - fixed KDE integration to avoid crash caused by filepicker (boo#1015998) - update to Firefox 53.0 * requires NSS 3.29.5 * Lightweight themes are now applied in private browsing windows * Reader Mode now displays estimated reading time for the page * Two new 'compact' themes available in Firefox, dark and light, based on the Firefox Developer Edition theme * Ended Firefox Linux support for processors older than Pentium 4 and AMD Opteron * Refresh of the media controls user interface * Shortened titles on tabs are faded out instead of using ellipsis for improved readability * Media playback on new tabs is blocked until the tab is visible * Permission notifications have a cleaner design and cannot be easily missed MFSA 2017-10 * CVE-2017-5456 (bmo#1344415) Sandbox escape allowing local file system access * CVE-2017-5442 (bmo#1347979) Use-after-free during style changes * CVE-2017-5443 (bmo#1342661) Out-of-bounds write during BinHex decoding * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 * CVE-2017-5464 (bmo#1347075) Memory corruption with accessibility and DOM manipulation * CVE-2017-5465 (bmo#1347617) Out-of-bounds read in ConvolvePixel * CVE-2017-5466 (bmo#1353975) Origin confusion when reloading isolated data:text/html URL * CVE-2017-5467 (bmo#1347262) Memory corruption when drawing Skia content * CVE-2017-5460 (bmo#1343642) Use-after-free in frame selection * CVE-2017-5461 (bmo#1344380) Out-of-bounds write in Base64 encoding in NSS * CVE-2017-5448 (bmo#1346648) Out-of-bounds write in ClearKeyDecryptor * CVE-2017-5449 (bmo#1340127) Crash during bidirectional unicode manipulation with animation * CVE-2017-5446 (bmo#1343505) Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data * CVE-2017-5447 (bmo#1343552) Out-of-bounds read during glyph processing * CVE-2017-5444 (bmo#1344461) Buffer overflow while parsing application/http-index-format content * CVE-2017-5445 (bmo#1344467) Uninitialized values used while parsing application/http-index-format content * CVE-2017-5468 (bmo#1329521) Incorrect ownership model for Private Browsing information * CVE-2017-5469 (bmo#1292534) Potential Buffer overflow in flex-generated code * CVE-2017-5440 (bmo#1336832) Use-after-free in txExecutionState destructor during XSLT processing * CVE-2017-5441 (bmo#1343795) Use-after-free with selection during scroll events * CVE-2017-5439 (bmo#1336830) Use-after-free in nsTArray Length() during XSLT processing * CVE-2017-5438 (bmo#1336828) Use-after-free in nsAutoPtr during XSLT processing * CVE-2017-5437 (bmo#1343453) Vulnerabilities in Libevent library * CVE-2017-5436 (bmo#1345461) Out-of-bounds write with malicious font in Graphite 2 * CVE-2017-5435 (bmo#1350683) Use-after-free during transaction processing in the editor * CVE-2017-5434 (bmo#1349946) Use-after-free during focus handling * CVE-2017-5433 (bmo#1347168) Use-after-free in SMIL animation functions * CVE-2017-5432 (bmo#1346654) Use-after-free in text input selection * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476) Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 * CVE-2017-5459 (bmo#1333858) Buffer overflow in WebGL * CVE-2017-5458 (bmo#1229426) Drag and drop of javascript: URLs can allow for self-XSS * CVE-2017-5455 (bmo#1341191) Sandbox escape through internal feed reader APIs * CVE-2017-5454 (bmo#1349276) Sandbox escape allowing file system read access through file picker * CVE-2017-5451 (bmo#1273537) Addressbar spoofing with onblur event * CVE-2017-5453 (bmo#1321247) HTML injection into RSS Reader feed preview page through TITLE element * CVE-2017-5462 (bmo#1345089) DRBG flaw in NSS - removed browser(npapi) provides as these plugins are deprecated - switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for Leap 42 - Gtk2 is not longer an option; switched to Gtk3 - apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support (boo#1032003) - update to Firefox 52.0.2 * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787) * Fix loading tab icons on session restore (bmo#1338009) * Fix a crash on startup on Linux (bmo#1345413) * Fix new installs erroneously not prompting to change the default browser setting (bmo#1343938) - disable rust usage for everything but x86(-64) - explicitely add libffi build requirement - update to Firefox 52.0.1 (boo#1029822) MFSA 2017-08 CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168) - reenable ALSA support which was removed by default upstream - update to Firefox 52.0 (boo#1028391) * requires NSS >= 3.28.3 * Pages containing insecure password fields now display a warning directly within username and password fields. * Send and open a tab from one device to another with Sync * Removed NPAPI support for plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. * Removed Battery Status API to reduce fingerprinting of users by trackers * MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622) CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687) CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711) CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504) CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370) CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719) CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar spoofing by draging and dropping URLs (bmo#791597) CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361) CVE-2017-5427: Non-existent chrome.manifest file loaded during startup (bmo#1295542) CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876) CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243) CVE-2017-5420: Javascript: URLs can obfuscate addressbar location (bmo#1284395) CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) CVE-2017-5421: Print preview spoofing (bmo#1301876) CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in Firefox 52 CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 - removed obsolete patches * mozilla-binutils-visibility.patch * mozilla-check_return.patch * mozilla-disable-skia-be.patch * mozilla-skia-overflow.patch * mozilla-skia-ppc-endianess.patch - rebased patches - enable rust usage for Tumbleweed - Mozilla Firefox 51.0.1: - Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423) - update to Firefox 51.0 * requires NSPR >= 4.13.1, NSS >= 3.28.1 * Added support for FLAC (Free Lossless Audio Codec) playback * Added support for WebGL 2 * Added Georgian (ka) and Kabyle (kab) locales * Support saving passwords for forms without 'submit' events * Improved video performance for users without GPU acceleration * Zoom indicator is shown in the URL bar if the zoom level is not at default level * View passwords from the prompt before saving them * Remove Belarusian (be) locale * Use Skia for content rendering (Linux) * MFSA 2017-01 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814) CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826) CVE-2017-5378: Pointer and frame data leakage of Javascript objects (bmo#1312001, bmo#1330769, boo#1021818) CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827) CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819) CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820) CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828) CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821) CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830) CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831) CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822) CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832) CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833) CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823) CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events (bmo#1222798) CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835) CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage (bmo#1293709) (Android only) CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837) CVE-2017-5395: Android location bar spoofing during scrolling (bmo#1293463) (Android only) CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839) CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840) CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841) CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (boo#1021824) - switch Firefox to Gtk3 for Tumbleweed - removed obsolete patches * mozilla-flex_buffer_overrun.patch - updated RPM locale support tag - improve recognition of LANGUAGE env variable (boo#1017174) - add upstream patch to fix PPC64LE (bmo#1319389) (mozilla-skia-ppc-endianess.patch) - fix build without skia (big endian archs) (bmo#1319374) (mozilla-disable-skia-be.patch) - update to Firefox 50.1.0 (boo#1015422) * MFSA 2016-94 CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628) CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements (bmo#1317409) CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) CVE-2016-9896: Use-after-free with WebVR (bmo#1315543) CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees (bmo#1314442) CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs (bmo#1319122) CVE-2016-9904: Cross-origin information leak in shared atoms (bmo#1317936) CVE-2016-9901: Data from Pocket server improperly sanitized before execution (bmo#1320057) CVE-2016-9902: Pocket extension does not validate the origin of events (bmo#1320039) CVE-2016-9903: XSS injection vulnerability in add-ons SDK (bmo#1315435) CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 - added patch mozilla-aarch64-startup-crash.patch (bsc#1011922) - update to Firefox 50.0.2 * Firefox crashes with 3rd party Chinese IME when using IME text (50.0.1) security fixes (in 50.0.1): (boo#1012807) * MFSA 2016-91 CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect (bmo#1317641) security fixes (in 50.0.2) (boo#1012964) * MFSA 2016-92 CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066) - update to Firefox 50.0 (boo#1009026) * requires NSS 3.26.2 new features * Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R * Added option to Find in page that allows users to limit search to whole words only * Added download protection for a large number of executable file types on Windows, Mac and Linux * Fixed rendering of dashed and dotted borders with rounded corners (border-radius) * Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux) * Blocked versions of libavcodec older than 54.35.1 * additional locale security fixes: * MFSA 2016-89 CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) CVE-2016-5292: URL parsing causes crash (bmo#1288482) CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink (Windows only) (bmo#1246945) CVE-2016-5294: Arbitrary target directory for result files of update process (Windows only) (bmo#1246972) CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678) CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen (Android only) (bmo#1306696) CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile (bmo#1300083) (Windows only) CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM (Windows only) (bmo#1247239) CVE-2016-5298: SSL indicator can mislead the user about the real URL visited (bmo#1227538) (Android only) CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (bmo#1245791) (Android only) CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (Android only) (bmo#1245795) CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file (Android only) (bmo#1294438) CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" (bmo#1289273) CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) CVE-2016-5289: Memory safety bugs fixed in Firefox 50 CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 - make aarch64 build more similar to x86_64 build (remove conditionals that don't seem to be necessary anymore) - Mozilla Firefox 49.0.2: * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475) * CVE-2016-5288: Web content can read cache entries (bsc#1006476) * Asynchronous rendering of the Flash plugins is now enabled by default * Change D3D9 default fallback preference to prevent graphical artifacts * Network issue prevents some users from seeing the Firefox UI on startup * Web compatibility issue with file uploads * Web compatibility issue with Array.prototype.values * Diagnostic information on timing for tab switching * Fix a Canvas filters graphics issue affecting HTML5 apps - Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0 and fixes have been incorporated by upstream. - Mozilla Firefox 49.0.1: * Mitigate a startup crash issue caused by Websense - bmo#1304783 - update to Firefox 49.0 (boo#999701) new features * Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. * Added features to Reader Mode that make it easier on the eyes and the ears * Improved video performance for users on systems that support SSE3 without hardware acceleration * Added context menu controls to HTML5 audio and video that let users loops files or play files at 1.25x speed * Improvements in about:memory reports for tracking font memory usage security related * MFSA 2016-85 CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in PropertyProvider::GetSpacingInternal CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin CVE-2016-5273 (bmo#1280387) - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList CVE-2016-5274 (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame CVE-2016-5279 (bmo#1249522) - Full local path of files is available to web pages after drag and drop CVE-2016-5280 (bmo#1289970) - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons from non-whitelisted schemes CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can reveal cross-origin data CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 - removed obsolete patches: * mozilla-aarch64-48bit-va.patch * mozilla-exclude-nametablecpp.patch * mozilla-old_configure-bmo1282843.patch - added patch mozilla-skia-overflow.patch (bmo#1304114) - requires NSS 3.25 - Mozilla Firefox 48.0.2: * Mitigate a startup crash issue caused on Windows (bmo#1291738) - Mozilla Firefox 48.0.1: * Fix an audio regression impacting some major websites (bmo#1295296) * Fix a top crash in the JavaScript engine (bmo#1290469) * Fix a startup crash issue caused by Websense (bmo#1291738) * Fix a different behavior with e10s / non-e10s on <select> and mouse events (bmo#1291078) * Fix a top crash caused by plugin issues (bmo#1264530) * Fix a shutdown issue (bmo#1276920) * Fix a crash in WebRTC - added upstream patch so system plugins/extensions are correctly loaded again on x86-64 (bmo#1282843) (mozilla-old_configure-bmo1282843.patch) - Fix for possible buffer overrun (bsc#990856) CVE-2016-6354 (bmo#1292534) [mozilla-flex_buffer_overrun.patch] - Update mozilla-gtk3_20.patch to latest version from Fedora. - update to Firefox 48.0 (boo#991809) * requires NSS 3.24 * Process separation (e10s) is enabled for some of you * Add-ons that have not been verified and signed by Mozilla will not load * WebRTC embetterments * The media parser has been redeveloped using the Rust programming language * better Canvas performance with speedy Skia support security fixes: * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836 Miscellaneous memory safety hazards * MFSA 2016-63/CVE-2016-2830 (bmo#1255270) Favicon network connection can persist when page is closed * MFSA 2016-64/CVE-2016-2838 (bmo#1279814) Buffer overflow rendering SVG with bidirectional content * MFSA 2016-65/CVE-2016-2839 (bmo#1275339) Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 * MFSA 2016-66/CVE-2016-5251 (bmo#1255570) Location bar spoofing via data URLs with malformed/invalid mediatypes * MFSA 2016-67/CVE-2016-5252 (bmo#1268854) Stack underflow during 2D graphics rendering * MFSA 2016-68/CVE-2016-0718 (bmo#1236923) Out-of-bounds read during XML parsing in Expat library * MFSA 2016-69/CVE-2016-5253 (bmo#1246944) Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter (Windows-only) * MFSA 2016-70/CVE-2016-5254 (bmo#1266963) Use-after-free when using alt key and toplevel menus * MFSA 2016-71/CVE-2016-5255 (bmo#1212356) Crash in incremental garbage collection in JavaScript * MFSA 2016-72/CVE-2016-5258 (bmo#1279146) Use-after-free in DTLS during WebRTC session shutdown * MFSA 2016-73/CVE-2016-5259 (bmo#1282992) Use-after-free in service workers with nested sync events * MFSA 2016-74/CVE-2016-5260 (bmo#1280294) Form input type change from password to text can store plain text password in session restore file * MFSA 2016-75/CVE-2016-5261 (bmo#1287266) Integer overflow in WebSockets during data buffering * MFSA 2016-76/CVE-2016-5262 (bmo#1277475) Scripts on marquee tag can execute in sandboxed iframes * MFSA 2016-77/CVE-2016-2837 (bmo#1274637) Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback * MFSA 2016-78/CVE-2016-5263 (bmo#1276897) Type confusion in display transformation * MFSA 2016-79/CVE-2016-5264 (bmo#1286183) Use-after-free when applying SVG effects * MFSA 2016-80/CVE-2016-5265 (bmo#1278013) Same-origin policy violation using local HTML file and saved shortcut file * MFSA 2016-81/CVE-2016-5266 (bmo#1226977) Information disclosure and local file manipulation through drag and drop * MFSA 2016-82/CVE-2016-5267 (bmo#1284372) Addressbar spoofing with right-to-left characters on Firefox for Android (Android only) * MFSA 2016-83/CVE-2016-5268 (bmo#1253673) Spoofing attack through text injection into internal error pages * MFSA 2016-84/CVE-2016-5250 (bmo#1254688) Information disclosure through Resource Timing API during page navigation - removed obsolete mozilla-gcc6.patch - Update description and screenshots in appdata.xml file. - Fix Firefox crash on startup on i586 (boo#986541): * Add -fno-delete-null-pointer-checks and - fno-inline-small-functions to CFLAGS - Update the appdata.xml file (replace Windows XP screenshot) - Mozilla Firefox 47.0.1: * Selenium WebDriver may cause Firefox to crash at startup (bmo#1280854) - mozilla-binutils-visibility.patch to fix build issues with gcc/binutils combination used in Leap 42.2 (boo#984637) - Update mozilla-gtk3_20.patch to latest version from Fedora. - Fix running on 48bit va aarch64 (bsc#984126) * add patch mozilla-aarch64-48bit-va.patch - fix XUL dialog button order under KDE session (boo#984403) - update to Firefox 47.0 (boo#983549) * Enable VP9 video codec for users with fast machines * Embedded YouTube videos now play with HTML5 video if Flash is not installed * View and search open tabs from your smartphone or another computer in a sidebar * Allow no-cache on back/forward navigations for https resources security fixes: * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818 (boo#983638) (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743, bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493, bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752, bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130, bmo#1269729, bmo#1273202, bmo#1273701) Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381) Buffer overflow parsing HTML5 fragments * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460) Use-after-free deleting tables from a contenteditable document * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129) Addressbar spoofing though the SELECT element * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580) Out-of-bounds write with WebGL shader * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093) Partial same-origin-policy through setting location.host through data URI * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810) Use-after-free when textures are used in WebGL operations after recycle pool destruction * MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329) Incorrect icon displayed on permissions notifications * MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933) Entering fullscreen and persistent pointerlock without user permission * MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267) Information disclosure of disabled plugins through CSS pseudo-classes * MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933) Java applets bypass CSP protections * MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283, bmo#1221620, bmo#1241034, bmo#1241037) Network Security Services (NSS) vulnerabilities fixed by requiring NSS 3.23 packaging changes: * cleanup configure options (boo#981695): - notably remove GStreamer support which is gone from FF * remove obsolete patches - mozilla-libproxy.patch - mozilla-repo.patch - The conditional testing for gcc was failing for different openSUSE versions, drop it and apply patches unconditionally. - Add patches to fix building with gcc6: + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch taken from upstream: https://hg.mozilla.org/mozilla-central/rev/55212130f19d. + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp from unified compilation because #include <cmath> in other source files causes gcc6 compilation failure; patch taken from upstream: https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc. - enable build with PIE and full relro on x86_64 (boo#980384) - update to Firefox 46.0.1 Fixed: * Search plugin issue for various locales * Add-on signing certificate expiration * Service worker update issue * Build issue when jit is disabled * Limit Sync registration updates - removed now obsolete mozilla-jit_branch64.patch - add mozilla-jit_branch64.patch to avoid PowerPC build failure (from bmo#1266366) - Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest version from Fedora). - update to Firefox 46.0 (boo#977333) * Improved security of the JavaScript Just In Time (JIT) Compiler * WebRTC fixes to improve performance and stability * Added support for document.elementsFromPoint * Added HKDF support for Web Crypto API * requires NSPR 4.12 and NSS 3.22.3 * added patch to fix unchecked return value mozilla-check_return.patch * Gtk3 builds not supported at the moment security fixes: * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807 (boo#977373, boo#977375, boo#977376) Miscellaneous memory safety hazards * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377) Privilege escalation through file deletion by Maintenance Service updater (Windows only) * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378) Content provider permission bypass allows malicious application to access data (Android only) * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812 (bmo#1252330, bmo#1261776, boo#977379) Use-after-free and buffer overflow in Service Workers * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380) Disclosure of user actions through JavaScript with motion and orientation sensors (only affects mobile variants) * MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381) Buffer overflow in libstagefright with CENC offsets * MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382) CSP not applied to pages sent with multipart/x-mixed-replace * MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384) Elevation of privilege with chrome.tabs.update API in web extensions * MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386) Write to invalid HashMap entry through JavaScript.watch() * MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388) Firefox Health Reports could accept events from untrusted domains - Update mozilla-gtk3_20.patch to fix scrollbar appearance under gtk >= 3.20 (patch synced to Fedora's version). - Compile against gtk3 depending on whether the macro %firefox_use_gtk3 is defined or not (e.g., at the prjconf level); macro is undefined by default and so gtk2 is used as the default toolkit. - Add BuildRequires for additional packages needed when building against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0), pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0). - Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20; patch taken from Fedora (bmo#1230955). - Mozilla Firefox 45.0.2: * Fix an issue impacting the cookie header when third-party cookies are blocked (bmo#1257861) * Fix a web compatibility regression impacting the srcset attribute of the image tag (bmo#1259482) * Fix a crash impacting the video playback with Media Source Extension (bmo#1258562) * Fix a regression impacting some specific uploads (bmo#1255735) * Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (bmo#1254980) - Mozilla Firefox 45.0.1: * Fix a regression causing search engine settings to be lost in some context (bmo#1254694) * Bring back non-standard jar: URIs to fix a regression in IBM iNotes (bmo#1255139) * XSLTProcessor.importStylesheet was failing when <import> was used (bmo#1249572) * Fix an issue which could cause the list of search provider to be empty (bmo#1255605) * Fix a regression when using the location bar (bmo#1254503) * Fix some loading issues when Accept third-party cookies: was set to Never (bmo#1254856) * Disabled Graphite font shaping library - update to Firefox 45.0 (boo#969894) * requires NSPR 4.12 / NSS 3.21.1 * Instant browser tab sharing through Hello * Synced Tabs button in button bar * Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching * Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level * Tab Groups (Panorama) feature removed * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 Miscellaneous memory safety hazards * MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file overwriting and potential privilege escalation through CSP reports * MFSA 2016-18/CVE-2016-1955 (bmo#1208946) CSP reports fail to strip location information for embedded iframe pages * MFSA 2016-19/CVE-2016-1956 (bmo#1199923) Linux video memory DOS with Intel drivers * MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in libstagefright when deleting an array during MP4 processing * MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page address can be overridden * MFSA 2016-22/CVE-2016-1959 (bmo#1234949) Service Worker Manager out-of-bounds read in Service Worker Manager * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) Use-after-free in HTML5 string parser * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) Use-after-free in SetBody * MFSA 2016-25/CVE-2016-1962 (bmo#1240760) Use-after-free when using multiple WebRTC data channels * MFSA 2016-26/CVE-2016-1963 (bmo#1238440) Memory corruption when modifying a file being read by FileReader * MFSA 2016-27/CVE-2016-1964 (bmo#1243335) Use-after-free during XML transformations * MFSA 2016-28/CVE-2016-1965 (bmo#1245264) Addressbar spoofing though history navigation and Location protocol property * MFSA 2016-29/CVE-2016-1967 (bmo#1246956) Same-origin policy violation using perfomance.getEntries and history navigation with session restore * MFSA 2016-30/CVE-2016-1968 (bmo#1246742) Buffer overflow in Brotli decompression * MFSA 2016-31/CVE-2016-1966 (bmo#1246054) Memory corruption with malicious NPAPI plugin * MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/ CVE-2016-1976/CVE-2016-1972 WebRTC and LibVPX vulnerabilities found through code inspection * MFSA 2016-33/CVE-2016-1973 (bmo#1219339) Use-after-free in GetStaticInstance in WebRTC * MFSA 2016-34/CVE-2016-1974 (bmo#1228103) Out-of-bounds read in HTML parser following a failed allocation * MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow during ASN.1 decoding in NSS (fixed by requiring 3.21.1) * MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free during processing of DER encoded keys in NSS (fixed by requiring 3.21.1) * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/ CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/ CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/ CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font vulnerabilities in the Graphite 2 library - Remove B_CNT from symbols.zip filename to reduce build-compare noise - fix build problems on i586, caused by too large unified compile units - adding mozilla-reduce-files-per-UnifiedBindings.patch - update to Firefox 44.0.2 * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438) Same-origin-policy violation using Service Workers with plugins * Fix issue which could lead to the removal of stored passwords under certain circumstances (bmo#1242176) * Allows spaces in cookie names (bmo#1244505) * Disable opus/vorbis audio with H.264 (bmo#1245696) * Fix for graphics startup crash (GNU/Linux) (bmo#1222171) * Fix a crash in cache networking (bmo#1244076) * Fix using WebSockets in service worker controlled pages (bmo#1243942) - build fixes for arm/aarch64: * disable webrtc for arm/aarch64 * switch away from openGL-ES backend to default for arm/aarch64 since it almost never builds * reenable neon - reenable webrtc for powerpc as it seems to build - update to Firefox 44.0 * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633 Miscellaneous memory safety hazards * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634 Out of Memory crash when parsing GIF format images * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635 Buffer overflow in WebGL after out of memory allocation * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637 Firefox allows for control characters to be set in cookie names * MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641 Missing delay following user click events in protocol handler dialog * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731 Errors in mp_div and mp_exptmod cryptographic functions in NSS (fixed by requiring NSS 3.21) * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590) Addressbar spoofing attacks boo#963643 * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946 (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644 Unsafe memory manipulation found through code inspection * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645 Application Reputation service disabled in Firefox 43 * requires NSPR 4.11 * requires NSS 3.21 - prepare mozilla-kde.patch for Gtk3 builds - rebased patches - Mozilla Firefox 43.0.4: * Re-enable SHA-1 certificates to prevent outdated man-in-the-middle security devices from interfering with properly secured SSL/TLS connections (bmo#1236975) * Fix for startup crash for users of a third party antivirus tool (bmo#1235537) - The following change was previously in the package as a patch: * Multi-user GNU/Linux download folders can be created (bmo#1233434), removed mozilla-bmo1233434.patch - update to Firefox 43.0.3 * requires NSS 3.20.2 to fix MFSA 2015-150/CVE-2015-7575 (bmo#1158489) MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature * various changes to support Windows update (SHA-1 vs. SHA-2) * workaround Youtube user agent detection issue (bmo#1233970) - fix file download regression for multi user systems (bmo#1233434) (mozilla-bmo1233434.patch) - explicitely requires libXcomposite-devel - update to Firefox 43.0 (bnc#959277) * Improved API support for m4v video playback * Users can opt-in to receive search suggestions from the Awesome Bar * WebRTC streaming on multiple monitors * User selectable second block list for Private Browsing's Tracking Protection security fixes: * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 Miscellaneous memory safety hazards * MFSA 2015-135/CVE-2015-7204 (bmo#1216130) Crash with JavaScript variable assignment with unboxed objects * MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin policy violation using perfomance.getEntries and history navigation * MFSA 2015-137/CVE-2015-7208 (bmo#1191423) Firefox allows for control characters to be set in cookies * MFSA 2015-138/CVE-2015-7210 (bmo#1218326) Use-after-free in WebRTC when datachannel is used after being destroyed * MFSA 2015-139/CVE-2015-7212 (bmo#1222809) Integer overflow allocating extremely large textures * MFSA 2015-140/CVE-2015-7215 (bmo#1160890) Cross-origin information leak through web workers error events * MFSA 2015-141/CVE-2015-7211 (bmo#1221444) Hash in data URI is incorrectly parsed * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) DOS due to malformed frames in HTTP/2 * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) Linux file chooser crashes on malformed images due to flaws in Jasper library * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221 (bmo#1201183, bmo#1178033, bmo#1199400) Buffer overflows found through code inspection * MFSA 2015-145/CVE-2015-7205 (bmo#1220493) Underflow through code inspection * MFSA 2015-146/CVE-2015-7213 (bmo#1206211) Integer overflow in MP4 playback in 64-bit versions * MFSA 2015-147/CVE-2015-7222 (bmo#1216748) Integer underflow and buffer overflow processing MP4 metadata in libstagefright * MFSA 2015-148/CVE-2015-7223 (bmo#1226423) Privilege escalation vulnerabilities in WebExtension APIs * MFSA 2015-149/CVE-2015-7214 (bmo#1228950) Cross-site reading attack through data and view-source URIs - rebased patches - Add desktop menu action for private browsing window to desktop file (boo#954747) - remove obsolete patch mozilla-bmo1005535.patch completely from source package to avoid automatic check failures - update to Firefox 42.0 (bnc#952810) * Private Browsing with Tracking Protection blocks certain Web elements that could be used to record your behavior across sites * Control Center that contains site security and privacy controls * Login Manager improvements * WebRTC improvements * Indicator added to tabs that play audio with one-click muting * Media Source Extension for HTML5 video available for all sites security fixes: * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514 Miscellaneous memory safety hazards * MFSA 2015-117/CVE-2015-4515 (bmo#1046421) Information disclosure through NTLM authentication * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692) CSP bypass due to permissive Reader mode whitelist * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only) Firefox for Android addressbar can be removed after fullscreen mode * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only) Reading sensitive profile files through local HTML file on Android * MFSA 2015-121/CVE-2015-7187 (bmo#1195735) disabling scripts in Add-on SDK panels has no effect * MFSA 2015-122/CVE-2015-7188 (bmo#1199430) Trailing whitespace in IP address hostnames can bypass same-origin policy * MFSA 2015-123/CVE-2015-7189 (bmo#1205900) Buffer overflow during image interactions in canvas * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only) Android intents can be used on Firefox for Android to open privileged files * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only) XSS attack through intents on Firefox for Android * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only) Crash when accessing HTML tables with accessibility tools on OS X * MFSA 2015-127/CVE-2015-7193 (bmo#1210302) CORS preflight is bypassed when non-standard Content-Type headers are received * MFSA 2015-128/CVE-2015-7194 (bmo#1211262) Memory corruption in libjar through zip files * MFSA 2015-129/CVE-2015-7195 (bmo#1211871) Certain escaped characters in host of Location-header are being treated as non-escaped * MFSA 2015-130/CVE-2015-7196 (bmo#1140616) JavaScript garbage collection crash with Java applet * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 (bmo#1188010, bmo#1204061, bmo#1204155) Vulnerabilities found through code inspection * MFSA 2015-132/CVE-2015-7197 (bmo#1204269) Mixed content WebSocket policy bypass through workers * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 (bmo#1202868, bmo#1205157) NSS and NSPR memory corruption issues (fixed in mozilla-nspr and mozilla-nss packages) - requires NSPR >= 4.10.10 and NSS >= 3.19.4 - removed obsolete patches * mozilla-arm-disable-edsp.patch * mozilla-icu-strncat.patch * mozilla-skia-be-le.patch * toolkit-download-folder.patch - fixed build with enable-libproxy (bmo#1220399) * mozilla-libproxy.patch - update to Firefox 41.0.2 (bnc#950686) * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669) Cross-origin restriction bypass using Fetch - added explicit appdata provides (bnc#949983) - do not build with --enable-stdcxx-compat (this starts to fail build on various toolchain combinations and is not required for openSUSE builds in general - update to Firefox 41.0.1 * Fix a startup crash related to Yandex toolbar and Adblock Plus (bmo#1209124) * Fix potential hangs with Flash plugins (bmo#1185639) * Fix a regression in the bookmark creation (bmo#1206376) * Fix a startup crash with some Intel Media Accelerator 3150 graphic cards (bmo#1207665) * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601) - update to Firefox 41.0 (bnc#947003) * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards * MFSA 2015-97/CVE-2015-4503 (bmo#994337) Memory leak in mozTCPSocket to servers * MFSA 2015-98/CVE-2015-4504 (bmo#1132467) Out of bounds read in QCMS library with ICC V4 profile attributes * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only) Site attribute spoofing on Android by pasting URL with unknown scheme * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) Arbitrary file manipulation by local user through Mozilla updater * MFSA 2015-101/CVE-2015-4506 (bmo#1192226) Buffer overflow in libvpx while parsing vp9 format video * MFSA 2015-102/CVE-2015-4507 (bmo#1192401) Crash when using debugger with SavedStacks in JavaScript * MFSA 2015-103/CVE-2015-4508 (bmo#1195976) URL spoofing in reader mode * MFSA 2015-104/CVE-2015-4510 (bmo#1200004) Use-after-free with shared workers and IndexedDB * MFSA 2015-105/CVE-2015-4511 (bmo#1200148) Buffer overflow while decoding WebM video * MFSA 2015-106/CVE-2015-4509 (bmo#1198435) Use-after-free while manipulating HTML media content * MFSA 2015-107/CVE-2015-4512 (bmo#1170390) Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems * MFSA 2015-108/CVE-2015-4502 (bmo#1105045) Scripted proxies can access inner window * MFSA 2015-109/CVE-2015-4516 (bmo#904886) JavaScript immutable property enforcement can be bypassed * MFSA 2015-110/CVE-2015-4519 (bmo#1189814) Dragging and dropping images exposes final URL after redirects * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869) Errors in the handling of CORS preflight request headers * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/ CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/ CVE-2015-7180 Vulnerabilities found through code inspection * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860, bmo#1190526) (Windows only) Memory safety errors in libGLES in the ANGLE graphics library * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only) Information disclosure via the High Resolution Time API - rebased patches - removed obsolete patches * mozilla-arm64-libjpeg-turbo.patch - update to Firefox 40.0.3 (bnc#943550) * Disable the asynchronous plugin initialization (bmo#1198590) * Fix a segmentation fault in the GStreamer support (bmo#1145230) * Fix a regression with some Japanese fonts used in the <input> field (bmo#1194055) * On some sites, the selection in a select combox box using the mouse could be broken (bmo#1194733) security fixes * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278) Use-after-free when resizing canvas element during restyling * MFSA 2015-95/CVE-2015-4498 (bmo#1042699) Add-on notification bypass through data URLs - update to Firefox 40.0 (bnc#940806) * Added protection against unwanted software downloads * Suggested Tiles show sites of interest, based on categories from your recent browsing history * Hello allows adding a link to conversations to provide context on what the conversation will be about * New style for add-on manager based on the in-content preferences style * Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only) * Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked security fixes: * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards * MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file * MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream playback * MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright * MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows) * MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file (does not affect openSUSE RPM packages which do not ship the updater) * MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol with POST bypasses mixed content protections * MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript * MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection * MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification * MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers - added mozilla-no-stdcxx-check.patch - removed obsolete patches * mozilla-add-glibcxx_use_cxx11_abi.patch * firefox-multilocale-chrome.patch - rebased patches - requires version 40 of the branding package - removed browser/searchplugins/ location as it's not valid anymore - security update to Firefox 39.0.3 (bnc#940918) * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) Same origin violation and local file stealing via PDF reader - update to Firefox 39.0 (bnc#935979) * Share Hello URLs with social networks * Support for 'switch' role in ARIA 1.1 (web accessibility) * SafeBrowsing malware detection lookups enabled for downloads (Mac OS X and Linux) * Support for new Unicode 8.0 skin tone emoji * Removed support for insecure SSLv3 for network communications * Disable use of RC4 except for temporarily whitelisted hosts * NPAPI Plug-in performance improved via asynchronous initialization security fixes: * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726 Miscellaneous memory safety hazards * MFSA 2015-60/CVE-2015-2727 (bmo#1163422) Local files or privileged URLs in pages can be opened into new tabs * MFSA 2015-61/CVE-2015-2728 (bmo#1142210) Type confusion in Indexed Database Manager * MFSA 2015-62/CVE-2015-2729 (bmo#1122218) Out-of-bound read while computing an oscillator rendering range in Web Audio * MFSA 2015-63/CVE-2015-2731 (bmo#1149891) Use-after-free in Content Policy due to microtask execution error * MFSA 2015-64/CVE-2015-2730 (bmo#1125025) ECDSA signature validation fails to handle some signatures correctly (this fix is shipped by NSS 3.19.1 externally) * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867) Use-after-free in workers while using XMLHttpRequest * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737 CVE-2015-2738/CVE-2015-2739/CVE-2015-2740 Vulnerabilities found through code inspection * MFSA 2015-67/CVE-2015-2741 (bmo#1147497) Key pinning is ignored when overridable errors are encountered * MFSA 2015-68/CVE-2015-2742 (bmo#1138669) OS X crash reports may contain entered key press information (not relevant under Linux) * MFSA 2015-69/CVE-2015-2743 (bmo#1163109) Privilege escalation in PDF.js * MFSA 2015-70/CVE-2015-4000 (bmo#1138554) NSS accepts export-length DHE keys with regular DHE cipher suites (this fix is shipped by NSS 3.19.1 externally) * MFSA 2015-71/CVE-2015-2721 (bmo#1086145) NSS incorrectly permits skipping of ServerKeyExchange (this fix is shipped by NSS 3.19.1 externally) - dropped mozilla-prefer_plugin_pref.patch as this feature is likely not worth maintaining further - rebased patches - require NSS 3.19.2 - mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration - update to Firefox 38.0.6 * fixes bmo#1171730 which is not really relevant to oS builds - fix KDE regression from 38.0.5 builds (bsc#933439) - update to Firefox 38.0.5 * Keep track of articles and videos with Pocket * Clean formatting for articles and blog posts with Reader View * Share the active tab or window in a Hello conversation - add changes file as source for SRPM (bsc#932142) - add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from https://bugzilla.mozilla.org/show_bug.cgi?id=1153109 - update to Firefox 38.0.1 stability and regression fixes * Systems with first generation NVidia Optimus graphics cards may crash on start-up * Users who import cookies from Google Chrome can end up with broken websites * Large animated images may fail to play and may stop other images from loading - update to Firefox 38.0 (bnc#930622) * New tab-based preferences * Ruby annotation support * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/ security fixes: * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous memory safety hazards * MFSA 2015-47/VE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS * MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy ignored when links opened by middle-click and context menu * MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds read and write in asm.js validation * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled * MFSA 2015-53/CVE-2015-2715 (bmo#988698) Use-after-free due to Media Decoder Thread creation during shutdown * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing compressed XML * MFSA 2015-55/CVE-2015-2717 (bmo#1154683) Buffer overflow and out-of-bounds read while parsing MP4 video metadata * MFSA 2015-56/CVE-2015-2718 (bmo#1146724) Untrusted site hosting trusted page can intercept webchannel responses * MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege escalation through IPC channel messages - requires NSS 3.18.1 - removed obsolete patches: * mozilla-skia-bmo1136958.patch - remove gnomevfs build options as it is removed from sources - rebased patches - update to Firefox 37.0.2 (bnc#928116) * MFSA 2015-45/CVE-2015-2706 (bmo#1141081) Memory corruption during failed plugin initialization - update to Firefox 37.0.1 (bnc#926166) * MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only) Loading privileged content through Reader mode * MFSA 2015-44/CVE-2015-0799 (bmo#1148328) Certificate verification bypass through the HTTP/2 Alt-Svc header - update to Firefox 37.0 (bnc#925368) * Heartbeat user rating system * Yandex set as default search provider for the Turkish locale * Bing search now uses HTTPS for secure searching * Improved protection against site impersonation via OneCRL centralized certificate revocation * Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc * some more behaviour changes for TLS security fixes: * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 Miscellaneous memory safety hazards * MFSA 2015-31/CVE-2015-0813 (bmo#1106596)) Use-after-free when using the Fluendo MP3 GStreamer plugin * MFSA 2015-32/CVE-2015-0812 (bmo#1128126) Add-on lightweight theme installation approval bypassed through MITM attack * MFSA 2015-33/CVE-2015-0816 (bmo#1144991) resource:// documents can load privileged pages * MFSA-2015-34/CVE-2015-0811 (bmo#1132468) Out of bounds read in QCMS library * MFSA-2015-35/CVE-2015-0810 (bmo#1125013) Cursor clickjacking with flash and images (OS X only) * MFSA-2015-36/CVE-2015-0808 (bmo#1109552) Incorrect memory management for simple-type arrays in WebRTC * MFSA-2015-37/CVE-2015-0807 (bmo#1111834) CORS requests should not follow 30x redirections after preflight * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437) Memory corruption crashes in Off Main Thread Compositing * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560) Use-after-free due to type confusion flaws * MFSA-2015-40/CVE-2015-0801 (bmo#1146339) Same-origin bypass through anchor navigation * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808 PRNG weakness allows for DNS poisoning on Android (only) * MFSA-2015-42/CVE-2015-0802 (bmo#1124898) Windows can retain access to privileged content on navigation to unprivileged pages - removed obsolete patches * mozilla-bmo1088588.patch * mozilla-bmo1108834.patch - requires NSPR 4.10.8 - Fix builds with skia on Power mozilla-skia-be-le.patch (patch from #bmo1136958) mozilla-bmo1108834.patch mozilla-bmo1005535.patch - update to Firefox 36.0.4 (bnc#923534) * MFSA 2015-28/CVE-2015-0818 (bmo#1144988) Privilege escalation through SVG navigation * MFSA 2015-29/CVE-2015-0817 (bmo#1145255) Code execution through incorrect JavaScript bounds checking elimination - Copy the icons to /usr/share/icons instead of symlinking them: in preparation for containerized apps (e.g. xdg-app) as well as AppStream metadata extraction, there are a couple locations that need to be real files for system integration (.desktop files, icons, mime-type info). - update to Firefox 36.0.1 Bugfixes: * Disable the usage of the ANY DNS query type (bmo#1093983) * Hello may become inactive until restart (bmo#1137469) * Print preferences may not be preserved (bmo#1136855) * Hello contact tabs may not be visible (bmo#1137141) * Accept hostnames that include an underscore character ("_") (bmo#1136616) * WebGL may use significant memory with Canvas2d (bmo#1137251) * Option -remote has been restored (bmo#1080319) - added mozilla-skia-bmo1136958.patch to fix build issues for ARM and PPC - update to Firefox 36.0 (bnc#917597) * mozilla-xremote-client was removed * added libclearkey.so media plugin * Pinned tiles on the new tab page can be synced * Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web. * Locale added: Uzbek (uz) security fixes: * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836 Miscellaneous memory safety hazards * MFSA 2015-12/CVE-2015-0833 (bmo#945192) Invoking Mozilla updater will load locally stored DLL files (Windows only) * MFSA 2015-13/CVE-2015-0832 (bmo#1065909) Appended period to hostnames can bypass HPKP and HSTS protections * MFSA 2015-14/CVE-2015-0830 (bmo#1110488) Malicious WebGL content crash when writing strings * MFSA 2015-15/CVE-2015-0834 (bmo#1098314) TLS TURN and STUN connections silently fail to simple TCP connections * MFSA 2015-16/CVE-2015-0831 (bmo#1130514) Use-after-free in IndexedDB * MFSA 2015-17/CVE-2015-0829 (bmo#1128939) Buffer overflow in libstagefright during MP4 video playback * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675) Double-free when using non-default memory allocators with a zero-length XHR * MFSA 2015-19/CVE-2015-0827 (bmo#1117304) Out-of-bounds read and write while rendering SVG content * MFSA 2015-20/CVE-2015-0826 (bmo#1092363) Buffer overflow during CSS restyling * MFSA 2015-21/CVE-2015-0825 (bmo#1092370) Buffer underflow during MP3 playback * MFSA 2015-22/CVE-2015-0824 (bmo#1095925) Crash using DrawTarget in Cairo graphics library * MFSA 2015-23/CVE-2015-0823 (bmo#1098497) Use-after-free in Developer Console date with OpenType Sanitiser * MFSA 2015-24/CVE-2015-0822 (bmo#1110557) Reading of local files through manipulation of form autocomplete * MFSA 2015-25/CVE-2015-0821 (bmo#1111960) Local files or privileged URLs in pages can be opened into new tabs * MFSA 2015-26/CVE-2015-0819 (bmo#1079554) UI Tour whitelisted sites in background tab can spoof foreground tabs * MFSA 2015-27CVE-2015-0820 (bmo#1125398) Caja Compiler JavaScript sandbox bypass - rebased patches - requires NSS 3.17.4 - update to Firefox 35.0.1 * With the Enhanced Steam extension, Firefox could crash (bmo#1123732) * Kerberos authentication did not work with alias (bmo#1108971) * SVG / CSS animation had a regression causing rendering issues on websites like openstreemap.org (bmo#1083079) * On Godaddy webmail, Firefox could crash (bmo#1113121) * document.baseURI did not get updated to document.location after base tag was removed from DOM for site with a CSP (bmo#1121857) * With a Right-to-left (RTL) version of Firefox, the text selection could be broken (bmo#1104036) * CSP had a change in behavior with regard to case sensitivity resources loading (bmo#1122445) - update to Firefox 35.0 (bnc#910669) notable features: * Firefox Hello with new rooms-based conversations model * Implemented HTTP Public Key Pinning Extension (for enhanced authentication of encrypted connections) security fixes: * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635 Miscellaneous memory safety hazards * MFSA 2015-02/CVE-2014-8637 (bmo#1094536) Uninitialized memory use during bitmap rendering * MFSA 2015-03/CVE-2014-8638 (bmo#1080987) sendBeacon requests lack an Origin header * MFSA 2015-04/CVE-2014-8639 (bmo#1095859) Cookie injection through Proxy Authenticate responses * MFSA 2015-05/CVE-2014-8640 (bmo#1100409) Read of uninitialized memory in Web Audio * MFSA 2015-06/CVE-2014-8641 (bmo#1108455) Read-after-free in WebRTC * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only) Gecko Media Plugin sandbox escape * MFSA 2015-08/CVE-2014-8642 (bmo#1079658) Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension * MFSA 2015-09/CVE-2014-8636 (bmo#987794) XrayWrapper bypass through DOM objects - rebased patches - dropped explicit support for everything older than 12.3 (including SLES11) * merge firefox-kde.patch and firefox-kde-114.patch * dropped mozilla-sle11.patch - reworked specfile to build conditionally based on release channel either Firefox or Firefox Developer Edition - added mozilla-openaes-decl.patch to fix implicit declarations - obsolete tracker-miner-firefox < 0.15 because it leads to startup crashes (bnc#908892) - fix bashism in mozilla.sh script - update to Firefox 34.0.5 (bnc#908009) * Default search engine changed to Yahoo! for North America * Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales * Improved search bar (en-US only) * Firefox Hello real-time communication client * Easily switch themes/personas directly in the Customizing mode * Implementation of HTTP/2 (draft14) and ALPN * Disabled SSLv3 * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588 Miscellaneous memory safety hazards * MFSA 2014-84/CVE-2014-1589 (bmo#1043787) XBL bindings accessible via improper CSS declarations * MFSA 2014-85/CVE-2014-1590 (bmo#1087633) XMLHttpRequest crashes with some input streams * MFSA 2014-86/CVE-2014-1591 (bmo#1069762) CSP leaks redirect data via violation reports * MFSA 2014-87/CVE-2014-1592 (bmo#1088635) Use-after-free during HTML5 parsing * MFSA 2014-88/CVE-2014-1593 (bmo#1085175) Buffer overflow while parsing media content * MFSA 2014-89/CVE-2014-1594 (bmo#1074280) Bad casting from the BasicThebesLayer to BasicContainerLayer - rebased patches - limit linker memory usage for %ix86 - rebased patches - update to Firefox 33.1 * Adding DuckDuckGo as a search option (upstream) * Forget Button added * Enhanced Tiles * Privacy tour introduced - fix typo in GStreamer Recommends - Disable elf-hack for aarch64 - Enable EGL for aarch64 - Limit RAM usage during link for %arm - Fix _constraints for ARM - use proper macros for ARM - use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too to fix compiling. - pass '-Wl,--no-keep-memory' to linker to reduce required memory during linking on arm. - update to Firefox 33.0.2 * Fix a startup crash with some combination of hardware and drivers 33.0.1 * Firefox displays a black screen at start-up with certain graphics drivers - adjusted _constraints for ARM - added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588) - define /usr/share/myspell as additional dictionary location and remove add-plugins.sh finally (bnc#900639) - use Firefox default optimization flags instead of -Os - specfile cleanup - fix build for all ppc by not enabling elf-hack (bnc#901213) - update to Firefox 33.0 (bnc#900941) New features: * OpenH264 support (sandboxed) * Enhanced Tiles * Improved search experience through the location bar * Slimmer and faster JavaScript strings * New CSP (Content Security Policy) backend * Support for connecting to HTTP proxy over HTTPS * Improved reliability of the session restoration * Proprietary window.crypto properties/functions removed Security: * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety hazards * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video * MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory use during GIF rendering * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) Key pinning bypasses * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps) - requires NSPR 4.10.7 - requires NSS 3.17.1 - removed obsolete patches: * mozilla-ppc.patch * mozilla-libproxy-compat.patch - added basic appdata information - update to Firefox 32.0.2 * just a version bump for our builds * fixed the in application update process for certain environments (in application update is not enabled in openSUSE and Linux is unaffected in any case) - build with --disable-optimize for 13.1 and above for i586 to workaround miscompilations (bnc#896624) - use some more build flags to align with upstream - update to Firefox 32.0.1 * fixed stability issues for computers with multiple graphics cards * mixed content icon may be incorrectly displayed instead of lock icon for SSL sites in 32.0 ( * WebRTC: setRemoteDescription() silently fails if no success callback is specified (bmo#1063971) - update to Firefox 32.0 (bnc#894370) * MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562 Miscellaneous memory safety hazards * MFSA 2014-68/CVE-2014-1563 (bmo#1018524) Use-after-free during DOM interactions with SVG * MFSA 2014-69/CVE-2014-1564 (bmo#1045977) Uninitialized memory use during GIF rendering * MFSA 2014-70/CVE-2014-1565 (bmo#1047831) Out-of-bounds read in Web Audio audio timeline * MFSA 2014-72/CVE-2014-1567 (bmo#1037641) Use-after-free setting text directionality - rebased patches - requires NSS 3.16.4 - removed upstreamed patch * mozilla-aarch64-bmo-810631.patch - adapted _constraints, used more than 3900MB on s390x during last build - update to Firefox 31.0 (bnc#887746) * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548 Miscellaneous memory safety hazards * MFSA 2014-57/CVE-2014-1549 (bmo#1020205) Buffer overflow during Web Audio buffering for playback * MFSA 2014-58/CVE-2014-1550 (bmo#1020411) Use-after-free in Web Audio due to incorrect control message ordering * MFSA 2014-60/CVE-2014-1561 (bmo#1000514, bmo#910375) Toolbar dialog customization event spoofing * MFSA 2014-61/CVE-2014-1555 (bmo#1023121) Use-after-free with FireOnStateChange event * MFSA 2014-62/CVE-2014-1556 (bmo#1028891) Exploitable WebGL crash with Cesium JavaScript library * MFSA 2014-63/CVE-2014-1544 (bmo#963150) Use-after-free while when manipulating certificates in the trusted cache (solved with NSS 3.16.2 requirement) * MFSA 2014-64/CVE-2014-1557 (bmo#913805) Crash in Skia library when scaling high quality images * MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560 (bmo#1015973, bmo#1026022, bmo#997795) Certificate parsing broken by non-standard character encoding * MFSA 2014-66/CVE-2014-1552 (bmo#985135) IFRAME sandbox same-origin access through redirect - use EGL on ARM - rebased patches - requires NSS 3.16.2 - requires python-devel (not only python) - update to Firefox 30.0 (bnc#881874) * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534 (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874, bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981, bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817, bmo#996536, bmo#996715, bmo#999651, bmo#1000598, bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223, bmo#1009952, bmo#1011007) Miscellaneous memory safety hazards (rv:30.0) * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538 (bmo#989994, bmo#999274, bmo#1005584) Use-after-free and out of bounds issues found using Address Sanitizer * MFSA 2014-50/CVE-2014-1539 (bmo#995603) Clickjacking through cursor invisability after Flash interaction * MFSA 2014-51/CVE-2014-1540 (bmo#978862) Use-after-free in Event Listener Manager * MFSA 2014-52/CVE-2014-1541 (bmo#1000185) Use-after-free with SMIL Animation Controller * MFSA 2014-53/CVE-2014-1542 (bmo#991533) Buffer overflow in Web Audio Speex resampler * MFSA 2014-54/CVE-2014-1543 (bmo#1011859) Buffer overflow in Gamepad API * MFSA 2014-55/CVE-2014-1545 (bmo#1018783) Out of bounds write in NSPR - rebased patches - removed obsolete patches * firefox-browser-css.patch * mozilla-aarch64-bmo-962488.patch * mozilla-aarch64-bmo-963023.patch * mozilla-aarch64-bmo-963024.patch * mozilla-aarch64-bmo-963027.patch * mozilla-ppc64-xpcom.patch * mozilla-ppc64le-javascript.patch * mozilla-ppc64le-libffi.patch * mozilla-ppc64le-mfbt.patch * mozilla-ppc64le-webrtc.patch * mozilla-ppc64le-xpcom.patch * mozilla-ppc64le-build.patch - requires NSPR 4.10.6 - enabled GStreamer 1.0 usage for 13.2 and above - update to Firefox 29.0.1 * Seer disabled by default (bmo#1005958) * Session Restore failed with a corrupted sessionstore.js file (bmo#1001167) * pdf.js printing white page (bmo#1003707, bnc#876833) - general.useragent.locale gets overwritten with en-US while it should be using the active langpack's setting - update to Firefox 29.0 (bnc#875378) * MFSA 2014-34/CVE-2014-1518/CVE-2014-1519 Miscellaneous memory safety hazards * MFSA 2014-36/CVE-2014-1522 (bmo#995289) Web Audio memory corruption issues * MFSA 2014-37/CVE-2014-1523 (bmo#969226) Out of bounds read while decoding JPG images * MFSA 2014-38/CVE-2014-1524 (bmo#989183) Buffer overflow when using non-XBL object as XBL * MFSA 2014-39/CVE-2014-1525 (bmo#989210) Use-after-free in the Text Track Manager for HTML video * MFSA 2014-41/CVE-2014-1528 (bmo#963962) Out-of-bounds write in Cairo * MFSA 2014-42/CVE-2014-1529 (bmo#987003) Privilege escalation through Web Notification API * MFSA 2014-43/CVE-2014-1530 (bmo#895557) Cross-site scripting (XSS) using history navigations * MFSA 2014-44/CVE-2014-1531 (bmo#987140) Use-after-free in imgLoader while resizing images * MFSA 2014-45/CVE-2014-1492 (bmo#903885) Incorrect IDNA domain name matching for wildcard certificates (fixed by NSS 3.16) * MFSA 2014-46/CVE-2014-1532 (bmo#966006) Use-after-free in nsHostResolver * MFSA 2014-47/CVE-2014-1526 (bmo#988106) Debugger can bypass XrayWrappers with JavaScript - rebased patches - removed obsolete patches * firefox-browser-css.patch * mozilla-aarch64-599882cfb998.diff * mozilla-aarch64-bmo-963028.patch * mozilla-aarch64-bmo-963029.patch * mozilla-aarch64-bmo-963030.patch * mozilla-aarch64-bmo-963031.patch - requires NSS 3.16 - added mozilla-icu-strncat.patch to fix post build checks - add mozilla-aarch64-599882cfb998.patch, mozilla-aarch64-bmo-810631.patch, mozilla-aarch64-bmo-962488.patch, mozilla-aarch64-bmo-963030.patch, mozilla-aarch64-bmo-963027.patch, mozilla-aarch64-bmo-963028.patch, mozilla-aarch64-bmo-963029.patch, mozilla-aarch64-bmo-963023.patch, mozilla-aarch64-bmo-963024.patch, mozilla-aarch64-bmo-963031.patch: AArch64 porting - Add patch for bmo#973977 * mozilla-ppc64-xpcom.patch - Refresh mozilla-ppc64le-xpcom.patch patch - Adapt mozilla-ppc64le-xpcom.patch to Mozilla > 24.0 build system - update to Firefox 28.0 (bnc#868603) * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494 Miscellaneous memory safety hazards * MFSA 2014-17/CVE-2014-1497 (bmo#966311) Out of bounds read during WAV file decoding * MFSA 2014-18/CVE-2014-1498 (bmo#935618) crypto.generateCRMFRequest does not validate type of key * MFSA 2014-19/CVE-2014-1499 (bmo#961512) Spoofing attack on WebRTC permission prompt * MFSA 2014-20/CVE-2014-1500 (bmo#956524) onbeforeunload and Javascript navigation DOS * MFSA 2014-22/CVE-2014-1502 (bmo#972622) WebGL content injection from one domain to rendering in another * MFSA 2014-23/CVE-2014-1504 (bmo#911547) Content Security Policy for data: documents not preserved by session restore * MFSA 2014-26/CVE-2014-1508 (bmo#963198) Information disclosure through polygon rendering in MathML * MFSA 2014-27/CVE-2014-1509 (bmo#966021) Memory corruption in Cairo during PDF font rendering * MFSA 2014-28/CVE-2014-1505 (bmo#941887) SVG filters information disclosure through feDisplacementMap * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909) Privilege escalation using WebIDL-implemented APIs * MFSA 2014-30/CVE-2014-1512 (bmo#982957) Use-after-free in TypeObject * MFSA 2014-31/CVE-2014-1513 (bmo#982974) Out-of-bounds read/write through neutering ArrayBuffer objects * MFSA 2014-32/CVE-2014-1514 (bmo#983344) Out-of-bounds write through TypedArrayObject after neutering - requires NSPR 4.10.3 and NSS 3.15.5 - new build dependency (and recommends): * libpulse - update of PowerPC 64 patches (bmo#976648) (pcerny@suse.com) - rebased patches - update to Firefox 27.0.1 * Fixed stability issues with Greasemonkey and other JS that used ClearTimeoutOrInterval * JS math correctness issue (bmo#941381) - incorporate Google API key for geolocation (bnc#864170) - updated list of "other" locales in RPM requirements - update to Firefox 27.0 (bnc#861847) * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3) * MFSA 2014-02/CVE-2014-1479 (bmo#911864) Clone protected content with XBL scopes * MFSA 2014-03/CVE-2014-1480 (bmo#916726) UI selection timeout missing on download prompts * MFSA 2014-04/CVE-2014-1482 (bmo#943803) Incorrect use of discarded images by RasterImage * MFSA 2014-05/CVE-2014-1483 (bmo#950427) Information disclosure with *FromPoint on iframes * MFSA 2014-06/CVE-2014-1484 (bmo#953993) Profile path leaks to Android system log * MFSA 2014-07/CVE-2014-1485 (bmo#910139) XSLT stylesheets treated as styles in Content Security Policy * MFSA 2014-08/CVE-2014-1486 (bmo#942164) Use-after-free with imgRequestProxy and image proccessing * MFSA 2014-09/CVE-2014-1487 (bmo#947592) Cross-origin information leak through web workers * MFSA 2014-10/CVE-2014-1489 (bmo#959531) Firefox default start page UI content invokable by script * MFSA 2014-11/CVE-2014-1488 (bmo#950604) Crash when using web workers with asm.js * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 (bmo#934545, bmo#930874, bmo#930857) NSS ticket handling issues * MFSA 2014-13/CVE-2014-1481(bmo#936056) Inconsistent JavaScript handling of access to Window objects - requires NSS 3.15.4 or higher - rebased/reworked patches - removed obsolete mozilla-bug929439.patch - Add support for powerpc64le-linux. * mozilla-ppc64le.patch: general support * mozilla-libffi-ppc64le.patch: libffi backport * mozilla-xpcom-ppc64le.patch: port xpcom - Add build fix from mainline. * mozilla-bug929439.patch - update to Firefox 26.0 (bnc#854367, bnc#854370) * rebased patches * requires NSPR 4.10.2 and NSS 3.15.3.1 * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610 Miscellaneous memory safety hazards * MFSA 2013-105/CVE-2013-5611 (bmo#771294) Application Installation doorhanger persists on navigation * MFSA 2013-106/CVE-2013-5612 (bmo#871161) Character encoding cross-origin XSS attack * MFSA 2013-107/CVE-2013-5614 (bmo#886262) Sandbox restrictions not applied to nested object elements * MFSA 2013-108/CVE-2013-5616 (bmo#938341) Use-after-free in event listeners * MFSA 2013-109/CVE-2013-5618 (bmo#926361) Use-after-free during Table Editing * MFSA 2013-110/CVE-2013-5619 (bmo#917841) Potential overflow in JavaScript binary search algorithms * MFSA 2013-111/CVE-2013-6671 (bmo#930281) Segmentation violation when replacing ordered list elements * MFSA 2013-112/CVE-2013-6672 (bmo#894736) Linux clipboard information disclosure though selection paste * MFSA 2013-113/CVE-2013-6673 (bmo#970380) Trust settings for built-in roots ignored during EV certificate validation * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449) Use-after-free in synthetic mouse movement * MFSA 2013-115/CVE-2013-5615 (bmo#929261) GetElementIC typed array stubs can be generated outside observed typesets * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693) JPEG information leak * MFSA 2013-117 (bmo#946351) Mis-issued ANSSI/DCSSI certificate (fixed via NSS 3.15.3.1) - removed gecko.js preference file as GStreamer is enabled by default now - update to Firefox 25.0 (bnc#847708) * rebased patches * requires NSS 3.15.2 or above * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592 Miscellaneous memory safety hazards * MFSA 2013-94/CVE-2013-5593 (bmo#868327) Spoofing addressbar through SELECT element * MFSA 2013-95/CVE-2013-5604 (bmo#914017) Access violation with XSLT and uninitialized data * MFSA 2013-96/CVE-2013-5595 (bmo#916580) Improperly initialized memory and overflows in some JavaScript functions * MFSA 2013-97/CVE-2013-5596 (bmo#910881) Writing to cycle collected object during image decoding * MFSA 2013-98/CVE-2013-5597 (bmo#918864) Use-after-free when updating offline cache * MFSA 2013-99/CVE-2013-5598 (bmo#920515) Security bypass of PDF.js checks using iframes * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601 (bmo#915210, bmo#915576, bmo#916685) Miscellaneous use-after-free issues found through ASAN fuzzing * MFSA 2013-101/CVE-2013-5602 (bmo#897678) Memory corruption in workers * MFSA 2013-102/CVE-2013-5603 (bmo#916404) Use-after-free in HTML document templates - as GStreamer is not automatically required anymore but loaded dynamically if available, require it explicitely - recommend optional GStreamer plugins for comprehensive media support - move greek to the translations-common package (bnc#840551) - update to Firefox 24.0 (bnc#840485) * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719 Miscellaneous memory safety hazards * MFSA 2013-77/CVE-2013-1720 (bmo#888820) Improper state in HTML5 Tree Builder with templates * MFSA 2013-78/CVE-2013-1721 (bmo#890277) Integer overflow in ANGLE library * MFSA 2013-79/CVE-2013-1722 (bmo#893308) Use-after-free in Animation Manager during stylesheet cloning * MFSA 2013-80/CVE-2013-1723 (bmo#891292) NativeKey continues handling key messages after widget is destroyed * MFSA 2013-81/CVE-2013-1724 (bmo#894137) Use-after-free with select element * MFSA 2013-82/CVE-2013-1725 (bmo#876762) Calling scope for new Javascript objects can lead to memory corruption * MFSA 2013-85/CVE-2013-1728 (bmo#883686) Uninitialized data in IonMonkey * MFSA 2013-88/CVE-2013-1730 (bmo#851353) Compartment mismatch re-attaching XBL-backed nodes * MFSA 2013-89/CVE-2013-1732 (bmo#883514) Buffer overflow with multi-column, lists, and floats * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301) Memory corruption involving scrolling * MFSA 2013-91/CVE-2013-1737 (bmo#907727) User-defined properties on DOM proxies get the wrong "this" object * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897) GC hazard with default compartments and frame chain restoration - enable gstreamer explicitely via pref (gecko.js) - require NSS 3.15.1 - update to Firefox 23.0.1 * Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls (bmo#901527) - update to Firefox 23.0 (bnc#833389) * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous memory safety hazards * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free mutating DOM during SetBody * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow when generating CRMF requests * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV audio file decoding * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of XrayWrappers using XBL Scopes * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system - requires NSPR 4.10 and NSS 3.15 - fix build on ARM (/-g/ matches /-grecord-switches/) - update to Firefox 22.0 (bnc#825935) * removed obsolete patches + mozilla-qcms-ppc.patch + mozilla-gstreamer-760140.patch * GStreamer support does not build on 12.1 anymore (build only on 12.2 and later) * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683 Miscellaneous memory safety hazards * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686 Memory corruption found using Address Sanitizer * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823) Privileged content access and execution via XBL * MFSA 2013-52/CVE-2013-1688 (bmo#873966) Arbitrary code execution within Profiler * MFSA 2013-53/CVE-2013-1690 (bmo#857883) Execution of unmapped memory through onreadystatechange event * MFSA 2013-54/CVE-2013-1692 (bmo#866915) Data in the body of XHR HEAD requests leads to CSRF attacks * MFSA 2013-55/CVE-2013-1693 (bmo#711043) SVG filters can lead to information disclosure * MFSA 2013-56/CVE-2013-1694 (bmo#848535) PreserveWrapper has inconsistent behavior * MFSA 2013-57/CVE-2013-1695 (bmo#849791) Sandbox restrictions not applied to nested frame elements * MFSA 2013-58/CVE-2013-1696 (bmo#761667) X-Frame-Options ignored when using server push with multi-part responses * MFSA 2013-59/CVE-2013-1697 (bmo#858101) XrayWrappers can be bypassed to run user defined methods in a privileged context * MFSA 2013-60/CVE-2013-1698 (bmo#876044) getUserMedia permission dialog incorrectly displays location * MFSA 2013-61/CVE-2013-1699 (bmo#840882) Homograph domain spoofing in .com, .net and .name - Fix qcms altivec include (mozilla-qcms-ppc.patch) - update to Firefox 21.0 (bnc#819204) * removed upstreamed patch firefox-712763.patch * removed disabled mozilla-disable-neon-option.patch * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669 Miscellaneous memory safety hazards * MFSA 2013-42/CVE-2013-1670 (bmo#853709) Privileged access for content level constructor * MFSA 2013-43/CVE-2013-1671 (bmo#842255) File input control has access to full path * MFSA 2013-46/CVE-2013-1674 (bmo#860971) Use-after-free with video and onresize event * MFSA 2013-47/CVE-2013-1675 (bmo#866825) Uninitialized functions in DOMSVGZoomEvent * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/ CVE-2013-1679/CVE-2013-1680/CVE-2013-1681 Memory corruption found using Address Sanitizer - revert to use GStreamer 0.10 on 12.3 (bnc#814101) (remove mozilla-gstreamer-1.patch) - Explicitly disable WebRTC support on non-x86, the configure script disables it only half-heartedly - update to Firefox 20.0 (bnc#813026) * requires NSPR 4.9.5 and NSS 3.14.3 * mozilla-webrtc-ppc.patch included upstream * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards * MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library * MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux * MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes * MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure * MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations * MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images - use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch) - build fixes for armv7hl: * disable debug build as armv7hl does not have enough memory * disable webrtc on armv7hl as it is non-compiling - update to Firefox 19.0.2 (bnc#808243) * MFSA 2013-29/CVE-2013-0787 (bmo#848644) Use-after-free in HTML Editor - update to Firefox 19.0.1 * blocklist updates - update to Firefox 19.0 (bnc#804248) * MFSA 2013-21/CVE-2013-0783/2013-0784 Miscellaneous memory safety hazards * MFSA 2013-22/CVE-2013-0772 (bmo#801366) Out-of-bounds read in image rendering * MFSA 2013-23/CVE-2013-0765 (bmo#830614) Wrapped WebIDL objects can be wrapped again * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/ CVE-2013-0778/CVE-2013-0779/CVE-2013-0781 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer - removed obsolete patches * mozilla-webrtc.patch * mozilla-gstreamer-803287.patch - added patch to fix session restore window order (bmo#712763) - update to Firefox 18.0.2 * blocklist and CTP updates * fixes in JS engine - update to Firefox 18.0.1 * blocklist updates * backed out bmo#677092 (removed patch) * fixed problems involving HTTP proxy transactions - Fix WebRTC to build on powerpc - update to Firefox 18.0 (bnc#796895) * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770 Miscellaneous memory safety hazards * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767 CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829 Use-after-free and buffer overflow issues found using Address Sanitizer * MFSA 2013-03/CVE-2013-0768 (bmo#815795) Buffer Overflow in Canvas * MFSA 2013-04/CVE-2012-0759 (bmo#802026) URL spoofing in addressbar during page loads * MFSA 2013-05/CVE-2013-0744 (bmo#814713) Use-after-free when displaying table with many columns and column groups * MFSA 2013-06/CVE-2013-0751 (bmo#790454) Touch events are shared across iframes * MFSA 2013-07/CVE-2013-0764 (bmo#804237) Crash due to handling of SSL on threads * MFSA 2013-08/CVE-2013-0745 (bmo#794158) AutoWrapperChanger fails to keep objects alive during garbage collection * MFSA 2013-09/CVE-2013-0746 (bmo#816842) Compartment mismatch with quickstubs returned values * MFSA 2013-10/CVE-2013-0747 (bmo#733305) Event manipulation in plugin handler to bypass same-origin policy * MFSA 2013-11/CVE-2013-0748 (bmo#806031) Address space layout leaked in XBL objects * MFSA 2013-12/CVE-2013-0750 (bmo#805121) Buffer overflow in Javascript string concatenation * MFSA 2013-13/CVE-2013-0752 (bmo#805024) Memory corruption in XBL with XML bindings containing SVG * MFSA 2013-14/CVE-2013-0757 (bmo#813901) Chrome Object Wrapper (COW) bypass through changing prototype * MFSA 2013-15/CVE-2013-0758 (bmo#813906) Privilege escalation through plugin objects * MFSA 2013-16/CVE-2013-0753 (bmo#814001) Use-after-free in serializeToStream * MFSA 2013-17/CVE-2013-0754 (bmo#814026) Use-after-free in ListenerManager * MFSA 2013-18/CVE-2013-0755 (bmo#814027) Use-after-free in Vibrate * MFSA 2013-19/CVE-2013-0756 (bmo#814029) Use-after-free in Javascript Proxy objects - requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743) - removed obsolete SLE11 patches (mozilla-gcc43*) - reenable WebRTC - added mozilla-libproxy-compat.patch for libproxy API compat on openSUSE 11.2 and earlier - backed out restartless language packs as it broke multi-locale setup (bmo#677092, bmo#818468) - update to Firefox 17.0.1 * revert some useragent changes introduced in 17.0 * leaving private browsing with social enabled doesn't reset all social components (bmo#815042) - fix KDE integration for file dialogs - update to Firefox 17.0 (bnc#790140) * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843 Miscellaneous memory safety hazards * MFSA 2012-92/CVE-2012-4202 (bmo#758200) Buffer overflow while rendering GIF images * MFSA 2012-93/CVE-2012-4201 (bmo#747607) evalInSanbox location context incorrectly applied * MFSA 2012-94/CVE-2012-5836 (bmo#792857) Crash when combining SVG text on path with CSS * MFSA 2012-95/CVE-2012-4203 (bmo#765628) Javascript: URLs run in privileged context on New Tab page * MFSA 2012-96/CVE-2012-4204 (bmo#778603) Memory corruption in str_unescape * MFSA 2012-97/CVE-2012-4205 (bmo#779821) XMLHttpRequest inherits incorrect principal within sandbox * MFSA 2012-99/CVE-2012-4208 (bmo#798264) XrayWrappers exposes chrome-only properties when not in chrome compartment * MFSA 2012-100/CVE-2012-5841 (bmo#805807) Improper security filtering for cross-origin wrappers * MFSA 2012-101/CVE-2012-4207 (bmo#801681) Improper character decoding in HZ-GB-2312 charset * MFSA 2012-102/CVE-2012-5837 (bmo#800363) Script entered into Developer Toolbar runs with chrome privileges * MFSA 2012-103/CVE-2012-4209 (bmo#792405) Frames can shadow top.location * MFSA 2012-104/CVE-2012-4210 (bmo#796866) CSS and HTML injection through Style Inspector * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/ CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/ CVE-2012-4213/CVE-2012-4217/CVE-2012-4218 Use-after-free and buffer overflow issues found using Address Sanitizer * MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer - rebased patches - disabled WebRTC since build is broken (bmo#776877) - build on SLE11 * mozilla-gcc43-enums.patch * mozilla-gcc43-template_hacks.patch * mozilla-gcc43-templates_instantiation.patch - update to Firefox 16.0.2 (bnc#786522) * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196 (bmo#800666, bmo#793121, bmo#802557) Fixes for Location object issues - bring back Obsoletes for libproxy's mozjs plugin for distributions before 12.2 to avoid crashes - update to Firefox 16.0.1 (bnc#783533) * MFSA 2012-88/CVE-2012-4191 (bmo#798045) Miscellaneous memory safety hazards * MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619) defaultValue security checks not applied - update to Firefox 16.0 (bnc#783533) * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983 Miscellaneous memory safety hazards * MFSA 2012-75/CVE-2012-3984 (bmo#575294) select element persistance allows for attacks * MFSA 2012-76/CVE-2012-3985 (bmo#655649) Continued access to initial origin after setting document.domain * MFSA 2012-77/CVE-2012-3986 (bmo#775868) Some DOMWindowUtils methods bypass security checks * MFSA 2012-79/CVE-2012-3988 (bmo#725770) DOS and crash with full screen and history navigation * MFSA 2012-80/CVE-2012-3989 (bmo#783867) Crash with invalid cast when using instanceof operator * MFSA 2012-81/CVE-2012-3991 (bmo#783260) GetProperty function can bypass security checks * MFSA 2012-82/CVE-2012-3994 (bmo#765527) top object and location property accessible by plugins * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370) Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties * MFSA 2012-84/CVE-2012-3992 (bmo#775009) Spoofing and script injection through location.hash * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/ CVE-2012-4181/CVE-2012-4182/CVE-2012-4183 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/ CVE-2012-4188 Heap memory corruption issues found using Address Sanitizer * MFSA 2012-87/CVE-2012-3990 (bmo#787704) Use-after-free in the IME State Manager - requires NSPR 4.9.2 - improve GStreamer integration (bmo#760140) - removed upstreamed mozilla-crashreporter-restart-args.patch - webapprt now included - use kmozillahelper's new REVEAL command (bnc#777415) (requires mozilla-kde4-integration >= 0.6.4) - updated translations-other with new languages - update to Firefox 15.0.1 (bnc#779936) * Sites visited while in Private Browsing mode could be found through manual browser cache inspection (bmo#787743) - update to Firefox 15.0 (bnc#777588) * MFSA 2012-57/CVE-2012-1970 Miscellaneous memory safety hazards * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975 CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959 CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964 Use-after-free issues found using Address Sanitizer * MFSA 2012-59/CVE-2012-1956 (bmo#756719) Location object can be shadowed using Object.defineProperty * MFSA 2012-60/CVE-2012-3965 (bmo#769108) Escalation of privilege through about:newtab * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793) Memory corruption with bitmap format images with negative height * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968 WebGL use-after-free and memory corruption * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970 SVG buffer overflow and use-after-free issues * MFSA 2012-64/CVE-2012-3971 Graphite 2 memory corruption * MFSA 2012-65/CVE-2012-3972 (bmo#746855) Out-of-bounds read in format-number in XSLT * MFSA 2012-66/CVE-2012-3973 (bmo#757128) HTTPMonitor extension allows for remote debugging without explicit activation * MFSA 2012-68/CVE-2012-3975 (bmo#770684) DOMParser loads linked resources in extensions when parsing text/html * MFSA 2012-69/CVE-2012-3976 (bmo#768568) Incorrect site SSL certificate data display * MFSA 2012-70/CVE-2012-3978 (bmo#770429) Location object security checks bypassed by chrome code * MFSA 2012-72/CVE-2012-3980 (bmo#771859) Web console eval capable of executing chrome-privileged code - fix HTML5 video crash with GStreamer enabled (bmo#761030) - GStreamer is only used for MP4 (no WebM, OGG) - updated filelist - moved browser specific preferences to correct location - Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16) - update to 14.0.1 (bnc#771583) * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 Miscellaneous memory safety hazards * MFSA 2012-43/CVE-2012-1950 Incorrect URL displayed in addressbar through drag and drop * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952 Gecko memory corruption * MFSA 2012-45/CVE-2012-1955 (bmo#757376) Spoofing issue with location * MFSA 2012-46/CVE-2012-1966 (bmo#734076) XSS through data: URLs * MFSA 2012-47/CVE-2012-1957 (bmo#750096) Improper filtering of javascript in HTML feed-view * MFSA 2012-48/CVE-2012-1958 (bmo#750820) use-after-free in nsGlobalWindow::PageHidden * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559) Same-compartment Security Wrappers can be bypassed * MFSA 2012-50/CVE-2012-1960 (bmo#761014) Out of bounds read in QCMS * MFSA 2012-51/CVE-2012-1961 (bmo#761655) X-Frame-Options header ignored when duplicated * MFSA 2012-52/CVE-2012-1962 (bmo#764296) JSDependentString::undepend string conversion results in memory corruption * MFSA 2012-53/CVE-2012-1963 (bmo#767778) Content Security Policy 1.0 implementation errors cause data leakage * MFSA 2012-55/CVE-2012-1965 (bmo#758990) feed: URLs with an innerURI inherit security context of page * MFSA 2012-56/CVE-2012-1967 (bmo#758344) Code execution through javascript: URLs - license change from tri license to MPL-2.0 - fix crashreporter restart option (bmo#762780) - require NSS 3.13.5 - remove mozjs pacrunner obsoletes again for now - adopted mozilla-prefer_plugin_pref.patch - PPC fixes: * reenabled mozilla-yarr-pcre.patch to fix build for PPC * add patches for bmo#750620 and bmo#746112 * fix xpcshell segfault on ppc - update to Firefox 13.0.1 * bugfix release - obsolete libproxy's mozjs pacrunner (bnc#759123) - update to Firefox 13.0 (bnc#765204) * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101 Miscellaneous memory safety hazards * MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content Security Policy inline-script bypass * MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information disclosure though Windows file shares and shortcut files * MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free while replacing/inserting a node in a document * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941 Buffer overflow and use-after-free issues found using Address Sanitizer - require NSS 3.13.4 * MFSA 2012-39/CVE-2012-0441 (bmo#715073) - fix sound notifications when filename/path contains a whitespace (bmo#749739) - fix build on arm - reenabled crashreporter for Factory/12.2 (fix in mozilla-gcc47.patch) - update to Firefox 12.0 (bnc#758408) * rebased patches * MFSA 2012-20/CVE-2012-0467/CVE-2012-0468 Miscellaneous memory safety hazards * MFSA 2012-22/CVE-2012-0469 (bmo#738985) use-after-free in IDBKeyRange * MFSA 2012-23/CVE-2012-0470 (bmo#734288) Invalid frees causes heap corruption in gfxImageSurface * MFSA 2012-24/CVE-2012-0471 (bmo#715319) Potential XSS via multibyte content processing errors * MFSA 2012-25/CVE-2012-0472 (bmo#744480) Potential memory corruption during font rendering using cairo-dwrite * MFSA 2012-26/CVE-2012-0473 (bmo#743475) WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error * MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) Page load short-circuit can lead to XSS * MFSA 2012-28/CVE-2012-0475 (bmo#694576) Ambiguous IPv6 in Origin headers may bypass webserver access restrictions * MFSA 2012-29/CVE-2012-0477 (bmo#718573) Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues * MFSA 2012-30/CVE-2012-0478 (bmo#727547) Crash with WebGL content using textImage2D * MFSA 2012-31/CVE-2011-3062 (bmo#739925) Off-by-one error in OpenType Sanitizer * MFSA 2012-32/CVE-2011-1187 (bmo#624621) HTTP Redirections and remote content can be read by javascript errors * MFSA 2012-33/CVE-2012-0479 (bmo#714631) Potential site identity spoofing when loading RSS and Atom feeds - added mozilla-libnotify.patch to allow fallback from libnotify to xul based events if no notification-daemon is running - gcc 4.7 fixes * mozilla-gcc47.patch * disabled crashreporter temporarily for Factory - recommend libcanberra0 for proper sound notifications - update to Firefox 11.0 (bnc#750044) * MFSA 2012-13/CVE-2012-0455 (bmo#704354) XSS with Drag and Drop and Javascript: URL * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) SVG issues found with Address Sanitizer * MFSA 2012-15/CVE-2012-0451 (bmo#717511) XSS with multiple Content Security Policy headers * MFSA 2012-16/CVE-2012-0458 Escalation of privilege with Javascript: URL as home page * MFSA 2012-17/CVE-2012-0459 (bmo#723446) Crash when accessing keyframe cssText after dynamic modification * MFSA 2012-18/CVE-2012-0460 (bmo#727303) window.fullScreen writeable by untrusted content * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/ CVE-2012-0463 Miscellaneous memory safety hazards - ported and reenabled KDE integration (bnc#746591) - explicitely build-require X libs - add Provides: browser(npapi) FATE#313084 - better plugin directory resolution (bnc#747320) - update to Firefox 10.0.2 (bnc#747328) * CVE-2011-3026 (bmo#727401) libpng: integer overflow leading to heap-buffer overflow - update to Firefox 10.0.1 (bnc#746616) * MFSA 2012-10/CVE-2012-0452 (bmo#724284) use after free in nsXBLDocumentInfo::ReadPrototypeBindings - Use YARR interpreter instead of PCRE on platforms where YARR JIT is not supported, since PCRE doesnt build (bmo#691898) - fix ppc64 build (bmo#703534) - update to Firefox 10.0 (bnc#744275) * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443 Miscellaneous memory safety hazards * MFSA 2012-03/CVE-2012-0445 (bmo#701071) <iframe> element exposed across domains via name attribute * MFSA 2012-04/CVE-2011-3659 (bmo#708198) Child nodes from nsDOMAttribute still accessible after removal of nodes * MFSA 2012-05/CVE-2012-0446 (bmo#705651) Frame scripts calling into untrusted objects bypass security checks * MFSA 2012-06/CVE-2012-0447 (bmo#710079) Uninitialized memory appended when encoding icon images may cause information disclosure * MFSA 2012-07/CVE-2012-0444 (bmo#719612) Potential Memory Corruption When Decoding Ogg Vorbis files * MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466) Crash with malformed embedded XSLT stylesheets - KDE integration has been disabled since it needs refactoring - removed obsolete ppc64 patch - Disable neon for arm as it doesn't build correctly - update to Firefox 9.0.1 * (strongparent) parentNode of element gets lost (bmo#335998) - fix arm build, don't package crashreporter there - update to Firefox 9 (bnc#737533) * MFSA 2011-53/CVE-2011-3660 Miscellaneous memory safety hazards (rv:9.0) * MFSA 2011-54/CVE-2011-3661 (bmo#691299) Potentially exploitable crash in the YARR regular expression library * MFSA 2011-55/CVE-2011-3658 (bmo#708186) nsSVGValue out-of-bounds access * MFSA 2011-56/CVE-2011-3663 (bmo#704482) Key detection without JavaScript via SVG animation * MFSA 2011-58/VE-2011-3665 (bmo#701259) Crash scaling <video> to extreme sizes - Fix accessibility under GNOME 3 (bnc#732898) - fix ppc64 build - update to Firefox 8 (bnc#728520) * MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS against sites using Shift-JIS * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654 Miscellaneous memory safety hazards * MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory corruption while profiling using Firebug * MFSA 2011-52/CVE-2011-3655 (bmo#672182) Code execution via NoWaiverWrapper - rebased patches - enable telemetry prompt - update to minor release 7.0.1 * fixed staged addon updates - set intl.locale.matchOS=true in the base package as it causes too much confusion when it's only available with branding-openSUSE - update to Firefox 7 (bnc#720264) including * Improve Responsiveness with Memory Reductions * Instant Sync * WebSocket protocol 8 * MFSA 2011-36/CVE-2011-2995/CVE-2011-2996/CVE-2011-2997 Miscellaneous memory safety hazards * MFSA 2011-39/CVE-2011-3000 (bmo#655389) Defense against multiple Location headers due to CRLF Injection * MFSA 2011-40/CVE-2011-2372/CVE-2011-3001 Code installation through holding down Enter * MFSA 2011-41/CVE-2011-3002/CVE-2011-3003 (bmo#680840, bmo#682335) Potentially exploitable WebGL crashes * MFSA 2011-42/CVE-2011-3232 (bmo#653672) Potentially exploitable crash in the YARR regular expression library * MFSA 2011-43/CVE-2011-3004 (bmo#653926) loadSubScript unwraps XPCNativeWrapper scope parameter * MFSA 2011-44/CVE-2011-3005 (bmo#675747) Use after free reading OGG headers * MFSA 2011-45 Inferring keystrokes from motion data - removed obsolete mozilla-cairo-lcd.patch - rebased patches - removed XLIB_SKIP_ARGB_VISUALS=1 from environment in mozilla.sh.in (bnc#680758) - fixed loading of kde.js under KDE (bnc#718311) - add dbus-1-glib-devel to BuildRequires (not pulled in automatically anymore on 12.1) - increase minversions for NSPR and NSS - recreated source archive to get correct source-stamp.txt - security update to 6.0.2 (bnc#714931) * Complete blocking of certificates issued by DigiNotar (bmo#683449) - security update to 6.0.1 (bnc#714931) * MFSA 2011-34 Protection against fraudulent DigiNotar certificates (bmo#682927) - update to 6.0 (bnc#712224) included security fixes MFSA 2011-29 * CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985 Miscellaneous memory safety hazards * CVE-2011-2993 (bmo#657267) Unsigned scripts can call script inside signed JAR * CVE-2011-2988 (bmo#665934) Heap overflow in ANGLE library * CVE-2011-0084 (bmo#648094) Crash in SVGTextElement.getCharNumAtPosition() * CVE-2011-2990 Credential leakage using Content Security Policy reports * CVE-2011-2986 (bmo#655836) Cross-origin data theft using canvas and Windows D2D - removed obsolete curl header dependency (mozilla-curl.patch) - update to 6.0b3 * removed obsolete patches - firefox-shellservice.patch - mozilla-gio.patch - mozilla-ppc-ipc.patch - firefox-linkorder.patch - firefox-no-sync-l10n.patch - recognize linux3 as platform for symbolstore.py - Add x-scheme-handler/ftp to the MimeType key in the .desktop, to let desktops know that Firefox can deal with ftp: URIs. - create upstream branding package again (supposedly empty) (bnc#703401) - fix build on SLE11 (changes do not affect/are not applied for later versions) - enable startup notification (bnc#701465) - update to 5.0 final - included fixes for security issues: (bnc#701296, bnc#700578) * MFSA 2011-19/CVE-2011-2374 CVE-2011-2375 Miscellaneous memory safety hazards * MFSA 2011-20/CVE-2011-2373 (bmo#617247) Use-after-free vulnerability when viewing XUL document with script disabled * MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303) Memory corruption due to multipart/x-mixed-replace images * MFSA 2011-22/CVE-2011-2371 (bmo#664009) Integer overflow and arbitrary code execution in Array.reduceRight() * MFSA 2011-25/CVE-2011-2366 Stealing of cross-domain images using WebGL textures * MFSA 2011-26/CVE-2011-2367 CVE-2011-2368 Multiple WebGL crashes * MFSA 2011-27/CVE-2011-2369 (bmo#650001) XSS encoding hazard with inline SVG * MFSA 2011-28/CVE-2011-2370 (bmo#645699) Non-whitelisted site can trigger xpinstall - update to 5.0b7 * updated supported locales - do not build dump_syms static (not needed for us) - > fix build for openSUSE 12.1 and above - update to 5.0b6 - include proper revision information into the build - speedier find-external-requires.sh - update to 5.0b3 - transformed to standalone Firefox (not xulrunner based) (with new Firefox rapid release cycle it makes no sense anymore) * imported all relevant xulrunner patches - do not compile in build timestamp - security update to 4.0.1 (bnc#689281) * MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0079 CVE-2011-0080 CVE-2011-0081 Miscellaneous memory safety hazards * MFSA 2011-17/CVE-2011-0068 (bmo#623791) WebGLES vulnerabilities * MFSA 2011-18/CVE-2011-1202 (bmo#640339) XSLT generate-id() function heap address leak - add all available icon sizes - license update: MPLv1.1 or GPLv2+ or LGPLv2+ Sync licenses with Fedora. MPL does not state ^or later^ - update to version 4.0rc2 - fixed rpm macros delivered with devel package (bnc#679950) - update to version 4.0b12 - rebased patches - update to version 4.0b11 * loads of bugfixes compared to last beta * added "Do Not Track" option - rebased patches - disable testpilot - set correct desktop file name within KDE for 11.4 and up - add devel package with macros for extensions (from lnussel@suse.de) - update to version 4.0b10 - removed obsolete firefox-shell-bmo624267.patch - testpilot moved to distribution/extensions - updated locale provides and removed bn-IN from locales - update to version 4.0b9 - added x-scheme-handler for http and https to desktop file for newer Gnome environments - fixed default browser check/set for GIO (bmo#611953) (mozilla-shellservice.patch) - removed obsolete firefox-appname.patch (integrated into shellservice patch) - renamed desktop file to firefox.desktop for 11.4 and newer (bnc#664211) - removed support for 10.3 and older from the spec file - removed obsolete "Ximian" categories from desktop file - Mirror ac_add_options --disable-ipc from xulrunner for PowerPC. - update to version 4.0beta8 - major update to version 4.0beta7 * based on mozilla-xulrunner20 * far too many internal changes to list - security update to 3.6.12 (bnc#649492) * MFSA 2010-73/CVE-2010-3765 (bmo#607222) Heap buffer overflow mixing document.write and DOM insertion - security update to 3.6.11 (bnc#645315) * MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176 Miscellaneous memory safety hazards * MFSA 2010-65/CVE-2010-3179 (bmo#583077) Buffer overflow and memory corruption using document.write * MFSA 2010-66/CVE-2010-3180 (bmo#588929) Use-after-free error in nsBarProp * MFSA 2010-67/CVE-2010-3183 (bmo#598669) Dangling pointer vulnerability in LookupGetterOrSetter * MFSA 2010-68/CVE-2010-3177 (bmo#556734) XSS in gopher parser when parsing hrefs * MFSA 2010-69/CVE-2010-3178 (bmo#576616) Cross-site information disclosure via modal calls * MFSA 2010-70/CVE-2010-3170 (bmo#578697) SSL wildcard certificate matching IP addresses * MFSA 2010-71/CVE-2010-3182 (bmo#590753) Unsafe library loading vulnerabilities * MFSA 2010-72/CVE-2010-3173 Insecure Diffie-Hellman key exchange - update to 3.6.10 * fixing startup topcrash (bmo#594699) - security update to 3.6.9 (bnc#637303) * MFSA 2010-49/CVE-2010-3169 Miscellaneous memory safety hazards * MFSA 2010-50/CVE-2010-2765 (bmo#576447) Frameset integer overflow vulnerability * MFSA 2010-51/CVE-2010-2767 (bmo#584512) Dangling pointer vulnerability using DOM plugin array * MFSA 2010-53/CVE-2010-3166 (bmo#579655) Heap buffer overflow in nsTextFrameUtils::TransformText * MFSA 2010-54/CVE-2010-2760 (bmo#585815) Dangling pointer vulnerability in nsTreeSelection * MFSA 2010-55/CVE-2010-3168 (bmo#576075) XUL tree removal crash and remote code execution * MFSA 2010-56/CVE-2010-3167 (bmo#576070) Dangling pointer vulnerability in nsTreeContentView * MFSA 2010-57/CVE-2010-2766 (bmo#580445) Crash and remote code execution in normalizeDocument * MFSA 2010-59/CVE-2010-2762 (bmo#584180) SJOW creates scope chains ending in outer object * MFSA 2010-61/CVE-2010-2768 (bmo#579744) UTF-7 XSS by overriding document charset using <object> type attribute * MFSA 2010-62/CVE-2010-2769 (bmo#520189) Copy-and-paste or drag-and-drop into designMode document allows XSS * MFSA 2010-63/CVE-2010-2764 (bmo#552090) Information leak via XMLHttpRequest statusText - disable crash reporter for non x86/x86_64 to make it build. - security update to 3.6.8 (bnc#622506) * MFSA 2010-48/CVE-2010-2755 (bmo#575836) Dangling pointer crash regression from plugin parameter array fix - security update to 3.6.7 (bnc#622506) * MFSA 2010-34/CVE-2010-1211/CVE-2010-1212 Miscellaneous memory safety hazards * MFSA 2010-35/CVE-2010-1208 (bmo#572986) DOM attribute cloning remote code execution vulnerability * MFSA 2010-36/CVE-2010-1209 (bmo#552110) Use-after-free error in NodeIterator * MFSA 2010-37/CVE-2010-1214 (bmo#572985) Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability * MFSA 2010-38/CVE-2010-1215 (bmo#567069) Arbitrary code execution using SJOW and fast native function * MFSA 2010-39/CVE-2010-2752 (bmo#574059) nsCSSValue::Array index integer overflow * MFSA 2010-40/CVE-2010-2753 (bmo#571106) nsTreeSelection dangling pointer remote code execution vulnerability * MFSA 2010-41/CVE-2010-1205 (bmo#570451) Remote code execution using malformed PNG image * MFSA 2010-42/CVE-2010-1213 (bmo#568148) Cross-origin data disclosure via Web Workers and importScripts * MFSA 2010-43/CVE-2010-1207 (bmo#571287) Same-origin bypass using canvas context * MFSA 2010-44/CVE-2010-1210 (bmo#564679) Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish * MFSA 2010-45/CVE-2010-1206/CVE-2010-2751 (bmo#536466,556957) Multiple location bar spoofing vulnerabilities * MFSA 2010-46/CVE-2010-0654 (bmo#524223) Cross-domain data theft using CSS * MFSA 2010-47/CVE-2010-2754 (bmo#568564) Cross-origin data leakage from script filename in error messages - update to 3.6.6 release * modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated. - update to final 3.6.4 release (bnc#603356) * MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/ CVE-2010-1203 Crashes with evidence of memory corruption (rv:1.9.2.4) * MFSA 2010-28/CVE-2010-1198 (bmo#532246) Freed object reuse across plugin instances * MFSA 2010-29/CVE-2010-1196 (bmo#534666) Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal * MFSA 2010-30/CVE-2010-1199 (bmo#554255) Integer Overflow in XSLT Node Sorting * MFSA 2010-31/CVE-2010-1125 (bmo#552255) focus() behavior can be used to inject or steal keystrokes * MFSA 2010-32/CVE-2010-1197 (bmo#537120) Content-Disposition: attachment ignored if Content-Type: multipart also present * MFSA 2010-33/CVE-2008-5913 (bmo#475585) User tracking across sites using Math.random() - update to 3.6.4(build6) - security update to 3.6.4 (Lorentz) * enable crashreporter also for x86-64 * Flash runs in a separate process to avoid crashing Firefox (ix86 only; x86-64 still uses nspluginwrapper) - security update to 3.6.3 * MFSA 2010-25/CVE-2010-1121 (bmo#555109) Re-use of freed object due to scope confusion - security update to version 3.6.2 (bnc#586567) * MFSA 2010-08/CVE-2010-1028 WOFF heap corruption due to integer overflow * MFSA 2010-09/CVE-2010-0164 (bmo#547143) Deleted frame reuse in multipart/x-mixed-replace image * MFSA 2010-10/CVE-2010-0170 (bmo#541530) XSS via plugins and unprotected Location object * MFSA 2010-11/CVE-2010-0165/CVE-2010-0166/CVE-2010-0167 Crashes with evidence of memory corruption * MFSA 2010-12/CVE-2010-0171 (bmo#531364) XSS using addEventListener and setTimeout on a wrapped object * MFSA 2010-13/CVE-2010-0168 (bmo#540642) Content policy bypass with image preloading * MFSA 2010-14/CVE-2010-0169 (bmo#535806) Browser chrome defacement via cached XUL stylesheets * MFSA 2010-15/CVE-2010-0172 (bmo#537862) Asynchronous Auth Prompt attaches to wrong window * MFSA 2010-16/CVE-2010-0173/CVE-2010-0174 Crashes with evidence of memory corruption * MFSA 2010-18/CVE-2010-0176 (bmo#538308) Dangling pointer vulnerability in nsTreeContentView * MFSA 2010-19/CVE-2010-0177 (bmo#538310) Dangling pointer vulnerability in nsPluginArray * MFSA 2010-20/CVE-2010-0178 (bmo#546909) Chrome privilege escalation via forced URL drag and drop * MFSA 2010-22/CVE-2009-3555 (bmo#545755) Update NSS to support TLS renegotiation indication * MFSA 2010-23/CVE-2010-0181 (bmo#452093) Image src redirect to mailto: URL opens email editor * MFSA 2010-24/CVE-2010-0182 (bmo#490790) XMLDocument::load() doesn't check nsIContentPolicy - update to 3.6rc2 (already named 3.6.0) - removed obsolete orbit-devel build requirement - major update to 3.6rc1 - update to version 3.5.7 (bnc#568011) * DNS resolution in MakeSN of nsAuthSSPI causing issues for proxy servers that support NTLM auth (bmo#535193) - added missing lockdown preferences (bnc#567131) - readded firefox-ui-lockdown.patch (bnc#546158) - security update to version 3.5.6 (bnc#559807) * MFSA 2009-65/CVE-2009-3979/CVE-2009-3980/CVE-2009-3982 Crashes with evidence of memory corruption (rv:1.9.1.6) * MFSA 2009-66/CVE-2009-3388 (bmo#504843,bmo#523816) Memory safety fixes in liboggplay media library * MFSA 2009-67/CVE-2009-3389 (bmo#515882,bmo#504613) Integer overflow, crash in libtheora video library * MFSA 2009-68/CVE-2009-3983 (bmo#487872) NTLM reflection vulnerability * MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232) Location bar spoofing vulnerabilities * MFSA 2009-70/VE-2009-3986 (bmo#522430) Privilege escalation via chrome window.opener - fixed firefox-browser-css.patch (bnc#561027) - rebased patches for fuzz=0 - update to version 3.5.5 (bnc#553172) - security update to version 3.5.4 (bnc#545277) * MFSA 2009-52/CVE-2009-3370 (bmo#511615) Form history vulnerable to stealing * MFSA 2009-53/CVE-2009-3274 (bmo#514823) Local downloaded file tampering * MFSA 2009-54/CVE-2009-3371 (bmo#514554) Crash with recursive web-worker calls * MFSA 2009-55/CVE-2009-3372 (bmo#500644) Crash in proxy auto-configuration regexp parsing * MFSA 2009-56/CVE-2009-3373 (bmo#511689) Heap buffer overflow in GIF color map parser * MFSA 2009-57/CVE-2009-3374 (bmo#505988) Chrome privilege escalation in XPCVariant::VariantDataToJS() * MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862) Heap buffer overflow in string to number conversion * MFSA 2009-61/CVE-2009-3375 (bmo#503226) Cross-origin data theft through document.getSelection() * MFSA 2009-62/CVE-2009-3376 (bmo#511521) Download filename spoofing with RTL override * MFSA 2009-63/CVE-2009-3377/CVE-2009-3379/CVE-2009-3378 Upgrade media libraries to fix memory safety bugs * MFSA 2009-64/CVE-2009-3380/CVE-2009-3381/CVE-2009-3383 Crashes with evidence of memory corruption - removed upstreamed patch * firefox-bug506901.patch - fix KDE button order in one more place (bnc#170055) - improve UI colors to be usable with dark themes at all (firefox-browser-css.patch) (bnc#503351) - extend list of supported architectures as ABI identifier (mozilla-abi.patch) (bnc#543460) - added KDE integration patch from llunak@novell.com (firefox-kde.patch) * support for knotify, making -kde4-addon obsolete * KDE-specific support functional (bnc#170055) - do not build libnkgnomevfs (bmo#512671) (firefox-no-gnomevfs) - security update to version 3.5.3 (bnc#534458) * MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/ CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075 Crashes with evidence of memory corruption * MFSA 2009-49/CVE-2009-3077 (bmo#506871) TreeColumns dangling pointer vulnerability * MFSA 2009-50/CVE-2009-3078 (bmo#453827) Location bar spoofing via tall line-height Unicode characters * MFSA 2009-51/CVE-2009-3079 (bmo#454363) Chrome privilege escalation with FeedWriter - renamed patch firefox-contextmenu-gnome to firefox-cross-desktop as it contains more tweaks to handle non-Gnome environments and especially KDE integration: * added the ability to set the KDE default browser (still part of bnc#170055) - split -translations package into -common and -other (bnc#529180) - remove "set as background" from context menu if not running in Gnome (part of bnc#170055) - security update to version 3.5.2 * MFSA 2009-38/CVE-2009-2470 (bmo#459524) Data corruption with SOCKS5 reply containing DNS name longer than 15 characters * MFSA 2009-44/CVE-2009-2654 (bmo#451898) Location bar and SSL indicator spoofing via window.open() on invalid URL * MFSA 2009-45 Crashes with evidence of memory corruption * MFSA 2009-46 (bmo#498897) Chrome privilege escalation due to incorrectly cached wrapper * various other stability fixes - export MOZ_APP_LAUNCHER in the startscript (bmo#453689) - fixed %exclude usage - fixed preferences' advanced pane for fresh profiles (bmo#506901) - security update to version 3.5.1 * MFSA 2009-41 Corrupt JIT state after deep return from native function - added mozilla-linkorder.patch to fix build with --as-needed - update to final version 3.5 (20090623) - fixed build by linking to a real file - update to version 3.5rc2 (20090617) - BuildRequire mozilla-xulrunner191 = 1.9.1.0 - update to version 3.5b99 (20090604) - BuildRequire mozilla-xulrunner191 = 1.9.1b99 - fixed typos in improved xulrunner dependencies - use non-localized Downloads folder (bnc#501724) - update to new major version 3.5b4 * based on Gecko 1.9.1 (mozilla-xulrunner191) * Private Browsing Mode * TraceMonkey JavaScript engine * Geolocation support * native JSON and web worker threads support * speculative parsing for faster content rendering * Some HTML5 support - updated firefox.schemas - improved firefox-no-update.patch - security update to 3.0.10 * MFSA 2009-23/CVE-2009-1313 (bmo#489647) Crash in nsTextFrame::ClearTextRun() - security update to 3.0.9 (bnc#495473) * MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305 Crashes with evidence of memory corruption (rv:1.9.0.9) * MFSA 2009-15/CVE-2009-0652 (bmo#479336) URL spoofing with box drawing character * MFSA 2009-16/CVE-2009-1306 (bmo#474536) jar: scheme ignores the content-disposition: header on the inner URI * MFSA 2009-17/CVE-2009-1307 (bmo#481342) Same-origin violations when Adobe Flash loaded via view-source: scheme * MFSA 2009-18/CVE-2009-1308 (bmo#481558) XSS hazard using third-party stylesheets and XBL bindings * MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433) Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString * MFSA 2009-20/CVE-2009-1310 (bmo#483086) Malicious search plugins can inject code into arbitrary sites * MFSA 2009-21/CVE-2009-1311 (bmo#471962) POST data sent to wrong site when saving web page with embedded frame * MFSA 2009-22/CVE-2009-1312 (bmo#475636) Firefox allows Refresh header to redirect to javascript: URIs - security update to 1.9.0.8 (bnc#488955,489411) * MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217) Crash and remote code execution in XSL transformation * MFSA 2009-13/CVE-2009-1044 (bmo#484320) Arbitrary code execution via XUL tree moveToEdgeShift - allow RPM provides for stuff besides shared libraries (e.g. mime-types) - security update to 3.0.7 (bnc#478625) * MFSA 2009-07 - Crashes with evidence of memory corruption CVE-2009-0771 - Layout Engine Crashes CVE-2009-0772 - Layout Engine Crashes CVE-2009-0773 - crashes in the JavaScript engine CVE-2009-0774 - Layout Engine Crashes * MFSA 2009-08/CVE-2009-0775 - (bmo#474456) Mozilla Firefox XUL Linked Clones Double Free Vulnerability * MFSA 2009-09/CVE-2009-0776 (bmo#414540) XML data theft via RDFXMLDataSource and cross-domain redirect * MFSA 2009-10/CVE-2009-0040 (bmo#478901) Upgrade PNG library to fix memory safety hazards * MFSA 2009-11/CVE-2009-0777 (bmo#452979) URL spoofing with invisible control characters ==== MozillaThunderbird ==== Version update (52.3.0 -> 52.4.0) Subpackages: MozillaThunderbird-translations-common - Mozilla Thunderbird 52.4.0 (bsc#1060445) * new behavior was introduced for replies to mailing list posts: "When replying to a mailing list, reply will be sent to address in From header ignoring Reply-to header". A new preference mail.override_list_reply_to allows to restore the previous behavior. * Under certain circumstances (image attachment and non-image attachment), attached images were shown truncated in messages stored in IMAP folders not synchronised for offline use. * IMAP UIDs > 0x7FFFFFFF now handled properly Security fixes from Gecko 52.4esr * CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API * CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array manipulation * CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in design mode * CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and validating elements with ANGLE * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free in TLS 1.2 generating handshake hashes * CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and malware protection warnings * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render some Tibetan and Arabic unicode characters as spaces * CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a unique origin * CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 - Add alsa-devel BuildRequires: we care for ALSA support to be built and thus need to ensure we get the dependencies in place. In the past, alsa-devel was pulled in by accident: we buildrequire libgnome-devel. This required esound-devel and that in turn pulled in alsa-devel for us. libgnome is being fixed to no longer require esound-devel. ==== bluedevil5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * fix spdx licence for appstream happyness * fix spdx licence for appstream happyness * Use Q_DECL_OVERRIDE ==== breeze ==== Version update (5.10.5 -> 5.11.0) Subpackages: breeze5-cursors breeze5-decoration breeze5-style breeze5-style-lang breeze5-wallpapers - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Too many changes to list here ==== breeze-gtk ==== Version update (5.10.5 -> 5.11.0) Subpackages: gtk2-metatheme-breeze gtk3-metatheme-breeze metatheme-breeze-common - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * Fix background-image warning * Don't show scrollbar steppers - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Adjusted Scrollbars so now they fit the Qt theme ==== breeze4-style ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Too many changes to list here ==== clamav ==== - Implement shared library guideline. ==== dracut ==== - Add IMA functionality (fate#323289) This is implemented as a sub module analogous to FIPS * adds 0539-Add-IMA-functionality-fate-323289.patch ==== drkonqi5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 - Initial package, split from plasma5-workspace ==== file ==== Subpackages: file-devel file-magic libmagic1 - remove python build instructions from master spec file, move completely into python-magic.spec ==== graphviz ==== Subpackages: graphviz-plugins-core libgraphviz6 - Exclude %{_mandir}/man1/smyrna.1%{ext_man} from graphiz' main package, since the man page is packaged in the -smyrna sub package already. ==== graphviz-addons ==== Subpackages: graphviz-gd graphviz-gnome - Exclude %{_mandir}/man1/smyrna.1%{ext_man} from graphiz' main package, since the man page is packaged in the -smyrna sub package already. ==== kactivitymanagerd ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Separating queries for removing from a specific activity and from all activities ==== kcm_sddm ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Use Q_DECL_OVERRIDE ==== kde-cli-tools5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * always install kdesu docs, the translations are always installed so this has minimal effect * update kcm statistics in kcmshell too * Use Q_DECL_OVERRIDE ==== kde-gtk-config5 ==== Version update (5.10.5 -> 5.11.0) Subpackages: kde-gtk-config5-gtk2 kde-gtk-config5-gtk3 - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Add some keywords so it's more easily found in System Settings search * Fix look-up of gtk preview modules (kde#383198) * Remove unused KNS file * Make the kde-gtk-config kcm better at checking global gtk settings (kde#378013) * Fix test * Add a checkbox to enable dark GTK3 Themes (kde#346469) * Use override * Use Q_DECL_OVERRIDE - Remove patches, now upstream: * 0001-Fix-look-up-of-gtk-preview-modules.patch ==== kde-user-manager ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Don't show a region selector when selecting avatars from a gallery * Use Q_DECL_OVERRIDE ==== kernel-source ==== Version update (4.13.4 -> 4.13.5) Subpackages: kernel-default kernel-default-devel kernel-devel kernel-docs kernel-macros kernel-syms - Linux 4.13.5 (bnc#1012628). - cifs: check rsp for NULL before dereferencing in SMB2_open (bnc#1012628). - cifs: release cifs root_cred after exit_cifs (bnc#1012628). - cifs: release auth_key.response for reconnect (bnc#1012628). - nvme-pci: fix host memory buffer allocation fallback (bnc#1012628). - nvme-pci: use appropriate initial chunk size for HMB allocation (bnc#1012628). - nvme-pci: propagate (some) errors from host memory buffer setup (bnc#1012628). - dax: remove the pmem_dax_ops->flush abstraction (bnc#1012628). - dm integrity: do not check integrity for failed read operations (bnc#1012628). - mmc: block: Fix incorrectly initialized requests (bnc#1012628). - fs/proc: Report eip/esp in /prod/PID/stat for coredumping (bnc#1012628). - scsi: scsi_transport_fc: fix NULL pointer dereference in fc_bsg_job_timeout (bnc#1012628). - SMB3: Add support for multidialect negotiate (SMB2.1 and later) (bnc#1012628). - mac80211: fix VLAN handling with TXQs (bnc#1012628). - mac80211_hwsim: Use proper TX power (bnc#1012628). - mac80211: flush hw_roc_start work before cancelling the ROC (bnc#1012628). - mac80211: fix deadlock in driver-managed RX BA session start (bnc#1012628). - genirq: Make sparse_irq_lock protect what it should protect (bnc#1012628). - genirq/msi: Fix populating multiple interrupts (bnc#1012628). - genirq: Fix cpumask check in __irq_startup_managed() (bnc#1012628). - KVM: PPC: Book3S HV: Hold kvm->lock around call to kvmppc_update_lpcr (bnc#1012628). - KVM: PPC: Book3S HV: Fix bug causing host SLB to be restored incorrectly (bnc#1012628). - KVM: PPC: Book3S HV: Don't access XIVE PIPR register using byte accesses (bnc#1012628). - tracing: Fix trace_pipe behavior for instance traces (bnc#1012628). - tracing: Erase irqsoff trace with empty write (bnc#1012628). - tracing: Remove RCU work arounds from stack tracer (bnc#1012628). - md/raid5: fix a race condition in stripe batch (bnc#1012628). - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list (bnc#1012628). - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (bnc#1012628). - scsi: aacraid: Fix 2T+ drives on SmartIOC-2000 (bnc#1012628). - scsi: aacraid: Add a small delay after IOP reset (bnc#1012628). - drm/exynos: Fix locking in the suspend/resume paths (bnc#1012628). - drm/i915/gvt: Fix incorrect PCI BARs reporting (bnc#1012628). - Revert "drm/i915/bxt: Disable device ready before shutdown command" (bnc#1012628). - drm/radeon: disable hard reset in hibernate for APUs (bnc#1012628). - crypto: drbg - fix freeing of resources (bnc#1012628). - crypto: talitos - Don't provide setkey for non hmac hashing algs (bnc#1012628). - crypto: talitos - fix sha224 (bnc#1012628). - crypto: talitos - fix hashing (bnc#1012628). - security/keys: properly zero out sensitive key material in big_key (bnc#1012628). - security/keys: rewrite all of big_key crypto (bnc#1012628). - KEYS: fix writing past end of user-supplied buffer in keyring_read() (bnc#1012628). - KEYS: prevent creating a different user's keyrings (bnc#1012628). - KEYS: prevent KEYCTL_READ on negative key (bnc#1012628). - libnvdimm, namespace: fix btt claim class crash (bnc#1012628). - powerpc/eeh: Create PHB PEs after EEH is initialized (bnc#1012628). - powerpc/pseries: Fix parent_dn reference leak in add_dt_node() (bnc#1012628). - powerpc/tm: Flush TM only if CPU has TM feature (bnc#1012628). - MIPS: Fix perf event init (bnc#1012628). - s390/perf: fix bug when creating per-thread event (bnc#1012628). - s390/mm: make pmdp_invalidate() do invalidation only (bnc#1012628). - s390/mm: fix write access check in gup_huge_pmd() (bnc#1012628). - PM: core: Fix device_pm_check_callbacks() (bnc#1012628). - Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0" (bnc#1012628). - Fix SMB3.1.1 guest authentication to Samba (bnc#1012628). - SMB3: Fix endian warning (bnc#1012628). - SMB3: Warn user if trying to sign connection that authenticated as guest (bnc#1012628). - SMB: Validate negotiate (to protect against downgrade) even if signing off (bnc#1012628). - SMB3: handle new statx fields (bnc#1012628). - SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags (bnc#1012628). - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets (bnc#1012628). - libceph: don't allow bidirectional swap of pg-upmap-items (bnc#1012628). - brd: fix overflow in __brd_direct_access (bnc#1012628). - gfs2: Fix debugfs glocks dump (bnc#1012628). - bsg-lib: don't free job in bsg_prepare_job (bnc#1012628). - iw_cxgb4: drop listen destroy replies if no ep found (bnc#1012628). - iw_cxgb4: remove the stid on listen create failure (bnc#1012628). - iw_cxgb4: put ep reference in pass_accept_req() (bnc#1012628). - rcu: Allow for page faults in NMI handlers (bnc#1012628). - mmc: sdhci-pci: Fix voltage switch for some Intel host controllers (bnc#1012628). - extable: Consolidate *kernel_text_address() functions (bnc#1012628). - extable: Enable RCU if it is not watching in kernel_text_address() (bnc#1012628). - selftests/seccomp: Support glibc 2.26 siginfo_t.h (bnc#1012628). - seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() (bnc#1012628). - arm64: Make sure SPsel is always set (bnc#1012628). - arm64: mm: Use READ_ONCE when dereferencing pointer to pte table (bnc#1012628). - arm64: fault: Route pte translation faults via do_translation_fault (bnc#1012628). - KVM: VMX: extract __pi_post_block (bnc#1012628). - KVM: VMX: avoid double list add with VT-d posted interrupts (bnc#1012628). - KVM: VMX: simplify and fix vmx_vcpu_pi_load (bnc#1012628). - KVM: nVMX: fix HOST_CR3/HOST_CR4 cache (bnc#1012628). - kvm/x86: Handle async PF in RCU read-side critical sections (bnc#1012628). - KVM: VMX: Do not BUG() on out-of-bounds guest IRQ (bnc#1012628). - kvm: nVMX: Don't allow L2 to access the hardware CR8 (bnc#1012628). - xfs: validate bdev support for DAX inode flag (bnc#1012628). - fix infoleak in waitid(2) (bnc#1012628). - sched/sysctl: Check user input value of sysctl_sched_time_avg (bnc#1012628). - irq/generic-chip: Don't replace domain's name (bnc#1012628). - mtd: Fix partition alignment check on multi-erasesize devices (bnc#1012628). - mtd: nand: atmel: fix buffer overflow in atmel_pmecc_user (bnc#1012628). - etnaviv: fix submit error path (bnc#1012628). - etnaviv: fix gem object list corruption (bnc#1012628). - futex: Fix pi_state->owner serialization (bnc#1012628). - md: fix a race condition for flush request handling (bnc#1012628). - md: separate request handling (bnc#1012628). - PCI: Fix race condition with driver_override (bnc#1012628). - btrfs: fix NULL pointer dereference from free_reloc_roots() (bnc#1012628). - btrfs: clear ordered flag on cleaning up ordered extents (bnc#1012628). - btrfs: finish ordered extent cleaning if no progress is found (bnc#1012628). - btrfs: propagate error to btrfs_cmp_data_prepare caller (bnc#1012628). - btrfs: prevent to set invalid default subvolid (bnc#1012628). - PM / OPP: Call notifier without holding opp_table->lock (bnc#1012628). - x86/mm: Fix fault error path using unsafe vma pointer (bnc#1012628). - x86/fpu: Don't let userspace set bogus xcomp_bv (bnc#1012628). - KVM: VMX: do not change SN bit in vmx_update_pi_irte() (bnc#1012628). - KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt (bnc#1012628). - KVM: VMX: use cmpxchg64 (bnc#1012628). - video: fbdev: aty: do not leak uninitialized padding in clk to userspace (bnc#1012628). - Update config files. - commit 3fd9659 - orc: mark it as reliable (bnc#1058115). - Update config files. - commit 3cbbf06 - x86/asm: Use register variable to get stack pointer value (bnc#1058115). - commit a5d4692 - x86/asm: Fix inline asm call constraints for GCC 4.4 (bnc#1058115). - commit 034c016 - platform/x86: fujitsu-laptop: Don't oops when FUJ02E3 is not presnt (bnc#1058814). - commit 80338f6 - ORC crypto patches: Update upstream status. - commit 01974c6 - Refresh patches.suse/0001-objtool-Don-t-report-end-of-section-error-after-an-e.patch. - Refresh patches.suse/0002-x86-head-Remove-confusing-comment.patch. - Refresh patches.suse/0003-x86-head-Remove-unused-bad_address-code.patch. - Refresh patches.suse/0004-x86-head-Fix-head-ELF-function-annotations.patch. - Refresh patches.suse/0005-x86-boot-Annotate-verify_cpu-as-a-callable-function.patch. - Refresh patches.suse/0006-x86-xen-Fix-xen-head-ELF-annotations.patch. - Refresh patches.suse/0007-x86-xen-Add-unwind-hint-annotations.patch. - Refresh patches.suse/0008-x86-head-Add-unwind-hint-annotations.patch. - Delete patches.suse/0002-dwarf-do-not-throw-away-unwind-info.patch. Update upstream status and drop the dwarf remainder. - commit c3e0cbe ==== kgamma5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Use Q_DECL_OVERRIDE * Use QFormLayout for sliders * Don't fix a height of sliders * Fix spacing in "Select test picture:" row * Remove .png extension from icon name in the desktop file ==== khotkeys5 ==== Version update (5.10.5 -> 5.11.0) Subpackages: khotkeys5-devel - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Use Q_DECL_OVERRIDE ==== kinfocenter5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Allow to select module with keyboard * Do not leak XVisualInfo (X11 EGL path) * Do not mark {variantLabel} as translatable * Use Q_DECL_OVERRIDE ==== kmenuedit5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Remove obsolete add_dependencies * Use Q_DECL_OVERRIDE ==== kscreen5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * Don't auto scale outputs where we don't know the physical size * Keep monitoring the initial config * track the config to monitor, save scale * add size hint to KScreen KCM - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Also generate default output scale on first run not just new monitors * [OutputConfig] Locale-format refresh rate * Automatic scaling selection * Fix deprecated usage of ecm_install_icons * Show UI for per screen scaling options on supported platforms * Port OutputConfig away from blockSignals * Use Q_DECL_OVERRIDE * Get rid of extra margins ==== kscreenlocker ==== Version update (5.10.5 -> 5.11.0) Subpackages: libKScreenLocker5 - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * Workaround crash on lockscreen close - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * seccomp filter: Handle openat as well (kde#384651) * Don't dissallow open with write flag syscall on NVIDIA (kde#384005) * Tell user to unlock his session only * Use Q_DECL_OVERRIDE * Fix detection of sys/event.h on FreeBSD < 12 * include <signal.h> for kill(2) - Remove patches, now upstream: * 0001-Don-t-dissallow-open-with-write-flag-syscall-on-NVID.patch ==== ksshaskpass5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * None ==== ksysguard5 ==== Version update (5.10.5 -> 5.11.0) - Add patch to fix gathering of the CPU clock with kernel >= 4.13 (boo#1061071, kde#382561): * 0001-Try-to-read-CPU-clock-from-cpufreq-scaling_cur_freq-.patch - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * softraid: Remove dead code and associated warning. * Properly check if mdraid array is active. * FreeBSD build fix, v4. * FreeBSD compile fix, try 3. * Fix FreeBSD build, try 2. * Fix build regression on FreeBSD * Fix compilation with strict libc (such as musl). * remove extra <nlist.h> include on FreeBSD * Use Q_DECL_OVERRIDE ==== kwin5 ==== Version update (5.10.5 -> 5.11.0) Subpackages: kwin5-devel - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * Fix: Missing dependencies for kwin autotests * remove xdgv6 use from 5.11 branch * Also send Wayland clients to a new desktop if their desktop was removed * Don't recreate kwayland blurmanager on screen size changes * Don't reload background contrast effect on screen resize * [tabbox] Create X11Filter on establishKeyboardGrab (kde#385032) * Restore cursors across multiple screens (kde#385003) * Properly update the visible (icon) name when the caption changes (kde#384760) * Make sure OpenGL Context is valid before deleting shader (kde#384884) * Don't scale cursor hotspot differently to cursor (kde#384769) - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Too many changes to list here ==== libkdecoration2 ==== Version update (5.10.5 -> 5.11.0) Subpackages: libkdecoration2-devel libkdecorations2-5 libkdecorations2private5 - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * [autotests] Fix DecorationButtonTest::testPressAndHold with Qt 5.9 ==== libkscreen2 ==== Version update (5.10.5 -> 5.11.0) Subpackages: libKF5Screen7 libkscreen2-devel libkscreen2-plugin - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * When cloning a config also clone supportedFeatures * warnings--; * let's continue in debug code instead of returning from XRandRConfig::applyKScreenConfig * Add setScale option to kscreendoctor * USe Q_DECL_OVERRIDE * Delete registry before connection * Update unit test to match scaling ==== libksysguard5 ==== Version update (5.10.5 -> 5.11.0) Subpackages: libksysguard5-devel libksysguard5-helper - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * libksysguard does not appear to use QtScript, but just includes it. * Inject custom style sheet with system colors (kde#360214) * Use Q_DECL_OVERRIDE * Fix compilation on CentOS 6 ==== linphone ==== Subpackages: liblinphone++9 liblinphone-data liblinphone-devel liblinphone-lang liblinphone9 - Add build condtionally for C++ bindings to fix build in Leap - Remove build conditionally for ffmpeg - Remove build conditionally for ldap - Remove unused BuildRequires for disabled rootca download ==== milou5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * make krunner accessible * spdx validation * Remove unused import * Remove unused import * [ResultDelegate] Enforce PlainText * Use Q_DECL_OVERRIDE ==== oxygen5 ==== Version update (5.10.5 -> 5.11.0) Subpackages: oxygen5-cursors oxygen5-decoration oxygen5-devel oxygen5-lang oxygen5-sounds oxygen5-style - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * renamed oxygen specific KCMs CCBUG: 383283 * - hide shadow when mask is empty - properly handle creating shadow when mdi window is already visible at registration - added some "auto" declarations * - hide shadow when mask is empty - properly handle creating shadow when mdi window is already visible at registration - added some "auto" declarations * fixed warning about unused variable * removed double ;; * Fixed calculation of top border. * Fixed calculation of top border. * Partially revert "Use Q_DECL_OVERRIDE" (kde#380452) * Q_DECL_OVERRIDE -> override Rationale is that oxygen decoration depends on libkdecoration, which uses override directly already. * Use Q_DECL_OVERRIDE * Set a mask to shadow widget to make sure that it does not overlap with the mdi window. BUG:379790 (kde#379790) * Set a mask to shadow widget to make sure that it does not overlap with the mdi window. BUG:379790 (kde#379790) ==== perl-Class-Multimethods ==== Version update (1.70 -> 1.701) - regenerate spec file with cpanspec - update to 1.701 - Added handler registration code to clean up installation (thanks Robert) - Changed demo shebang lines for Debian compatibility (thanks Florian and Jay) - obsoleting Class-Multimethods-1.70.diff ==== perl-DBD-CSV ==== Version update (0.48 -> 0.49) - updated to 0.49 see /usr/share/doc/packages/perl-DBD-CSV/ChangeLog 0.49 - 2016-05-12, H.Merijn Brand * Simplified test-table-name generation * Prefer quote_empty over quote_always for size (Text::CSV_XS => 1.18) * Add CONTRIBUTING.md * It's 2016 * Added docs to warn for reserved words (RT#106529) * Minor spelling corrections (PRC Guillermo O. Freschi) * Test with perl 5.24.0, DBI 1.636, SQL::Statement-1.410, and Text::CSV_XS-1.23 ==== perl-Log-Dispatch ==== Version update (2.66 -> 2.67) - updated to 2.67 see /usr/share/doc/packages/perl-Log-Dispatch/Changes 2.67 2017-09-24 - Added a lazy_open option to the File output. This delays opening the file until the first time a log message is written to it. Implemented by Slaven Rezi?. GH #50. ==== plasma-nm5 ==== Version update (5.10.5 -> 5.11.0) Subpackages: plasma-nm5-openconnect plasma-nm5-openvpn plasma-nm5-pptp plasma-nm5-vpnc - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * Don't duplicate UI option for automatic speed detection (kde#383505) * Remove unused identity model * It makes sense to show VPN connections only when we are connected to internet - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Drop the old legacy connection editor * Add option to allow managing virtual connections (kde#376664) * Summary: L2TP: pre-sharedkey should be mask * Add support for fortisslvpn * Openconnect: make sure the UI fits into the password dialog (kde#380399) * UI updates for NetworkManager-l2tp 1.2.6 * Add missing file with UI for configuration * Allow to have wider password dialog while preffering minimum size (kde#380399) * Openconnect: make sure we accept the dialog (kde#380299) * Openconnect: Add option to select protocol * Properly pass specific vpn type when selecting new connection by double click * Openconnect (juniper): Properly make sure we are compatible with the rest of nm tools * Openconnect (juniper): Make sure we are compatible with the rest of nm tools (kde#380244) * Add option to disable unlocking modem on detection (kde#380150) ==== plasma5-addons ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * Fix ksysguard not starting on plasmoid click - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Try to get higher quality image for flickr potd. (kde#377917) * spdx syntax fix http://metadata.neon.kde.org/appstream/html/xenial/main/issues/plasma-dataen... * fix .desktop files for appstream compliance http://metadata.neon.kde.org/appstream/html/xenial/main/issues/plasma-widget... * fixes for appstream compliance http://metadata.neon.kde.org/appstream/html/xenial/main/issues/plasma-wallpa... * [Color Picker] Add drag pixmap for color * [Color Picker] Allow running color picker applet standalone * [Notes applet] Wrap in FocusScope * remove wrong X-Ubuntu-Gettext-Domain key * Restore original formatButtonsRow.opacity * [Notes Applet] Show formatting options when it has focus * Use Q_DECL_OVERRIDE * Fix fifteen puzzle solveability (kde#358940) ==== plasma5-desktop ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * kimpanel: Wrap everything in an item for PlasmaCore.Dialog * kimpanel: another try to workaround kimpanel window not getting updated issue. * Error out if the device returns a negative number of buttons * Sync XRDB DPI to the platform specific setting * Use a different key for font DPI on X and Wayland - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Too many changes to list here - Remove patches, now upstream: * fix-writing-Qt4-font-settings.patch ==== plasma5-integration ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * link test against QuickControls2 to fix compile * Use QQuickStyle to set the QQC2 style (kde#384481) * Set QtQuickControls theme in QPT (kde#384466,kde#384481) - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Add ~/.local/share/icons to icons search paths * Group find_package(KF5*) calls together * Fix faulty merge * Allow to change toolbar font separately again (kde#358254) * [KHintsSettings] Update AA_DontShowIconsInMenus at runtime * Also specify a default StyleName for fonts (kde#383191) * Middle-click on QSystemTrayIcon ?auses context menu (kde#382855) * KDE QFileDialog helper: support name filters without parenthesis. * Introduce KDE_NO_GLOBAL_MENU env variable to disable global menu * Introduce KDE_NO_GLOBAL_MENU env variable to disable global menu * check window visibility at expose event * Allow to disable blinking cursor completely * Fix deprecation warnings. setSelection -> setSelectedUrl ui -> uiDelegate * Replace Q_DECL_OVERRIDE with override. ==== plasma5-openSUSE ==== Subpackages: plasma5-defaults-openSUSE plasma5-theme-openSUSE plasma5-workspace-branding-openSUSE sddm-theme-openSUSE - Update to 5.11.0 - Update to 5.10.95 - Fix minor issues in org.opensuse.desktop.defaultPanel metadata - Force "Regular" font style in /etc/xdg/kdeglobals by default ==== plasma5-pa ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * [ListItemBase] Use section instead of disabled menu item * StreamRestore: Always set channel count to 1 (kde#383787) ==== plasma5-workspace ==== Version update (5.10.5 -> 5.11.0) Subpackages: plasma5-session plasma5-workspace-devel plasma5-workspace-lang plasma5-workspace-libs - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * update selected wallpaper when adding from file browser * Stop setting the QQC1 style in startkde * Fix another test failure. * Fix test failure after favorites URL mangling refactoring. * [PowerDevil Runner] Obliterate traces of power profiles * [TasksModel] Use std::acumulate on the QHash directly * remove extra executable bits * Don't set QQC Style in startkde * Unhide autohidden panel when using global menu (kde#384861) * Use a separate config value for Wayland font DPI - Remove the fix related to a knotifications bug (boo#1046458): * bug is fixed upstream (knotifications 5.38.0) - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Too many changes to list here - Remove patches, now upstream: * plasma5-workspace/0001-Don-t-search-for-and-link-to-libcln-when-using-libqa.patch * plasma5-workspace/applauncher-allow-to-show-apps-by-name.patch * plasma5-workspace/logoutdialog-honor-Offer-shutdown-options.patch - Move plasma5-session into here - Convert kde-plasma.desktop session file to link to avoid duplicate entries in display managers - Add AppStreamQt BuildReq ==== polkit-kde-agent-5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Use Q_DECL_OVERRIDE ==== powerdevil5 ==== Version update (5.10.5 -> 5.11.0) - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Disable DDCUtil by default * Bump the version requirement for Qt * Revert "skip the disabled backlight device" (kde#381114,kde#381199) * Use Q_DECL_OVERRIDE * cmake: link to ddcutil only if found * Add brightness control using ddcutil lib ==== systemsettings5 ==== Version update (5.10.5 -> 5.11.0) Subpackages: systemsettings5-devel - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * Remove unnecessary remove_definitions() * Define -DQT_NO_URL_CAST_FROM_STRING and fix compilation. * Also extract i18n messages from *.qml - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Too many changes to list here - Add patch to fix appearance of the front page with long words (kde#380972): * 0001-try-harder-to-wrap-very-long-words.patch ==== timezone ==== - Require simply java, since with the new version of javazic, it is possible to generate the timezone information using any java version ==== timezone-java ==== - Require simply java, since with the new version of javazic, it is possible to generate the timezone information using any java version ==== xdg-desktop-portal-kde ==== Version update (5.10.5 -> 5.11.0) Subpackages: xdg-desktop-portal-kde-lang - Update to 5.11.0 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.11.0.php - Changes since 5.10.95: * None - Update to 5.10.95 * New feature release * For more details please see: * https://www.kde.org/announcements/plasma-5.10.95.php - Changes since 5.10.5: * Use CMAKE_INSTALL_FULL_LIBEXECDIR * Use CMAKE_INSTALL_FULL_LIBEXECDIR * Add arcconfig * Massively simplify the class DesktopPortal * Add missing files * Add Access portal for requesting hardware access * Restore previous version * Fix description * Update AppChooser portal * Fix minor issues spotted by Lamarque -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Dominique Leuenberger composed on 2017-10-11 01:39 (UTC+0200): [roughly 173kb archived, approximately 70% of which is Firefox] ...
Packages changed: MozillaFirefox (52.3.0 -> 56.0) ... ==== MozillaFirefox ==== Version update (52.3.0 -> 56.0) Subpackages: MozillaFirefox-translations-common ... - update to Firefox 55.0.1 ... - update to Firefox 55.0 (boo#1052829) ... - update to Firefox 54.0.1 ... ... - update to Firefox 53.0 ... - update to Firefox 52.0.2 ... - Mozilla Firefox 51.0.1: ... - update to Firefox 51.0 ... * MFSA 2017-01 ... - update to Firefox 50.1.0 (boo#1015422) * MFSA 2016-94 ... - update to Firefox 50.0.2 ... - update to Firefox 50.0 (boo#1009026) ... (Windows only) (bmo#1246945) ... - Mozilla Firefox 49.0.2: ... - Mozilla Firefox 49.0.1: ... - Mozilla Firefox 48.0.2: * Mitigate a startup crash issue caused on Windows (bmo#1291738) ... - Mozilla Firefox 48.0.1: ... - update to Firefox 48.0 (boo#991809) ... - Mozilla Firefox 47.0.1: ... - update to Firefox 46.0.1 ... - Mozilla Firefox 45.0.1: ... - update to Firefox 45.0 (boo#969894) ... ... - update to Firefox 44.0.2 ... - update to Firefox 44.0 * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633 ... - Mozilla Firefox 43.0.4: ... - update to Firefox 43.0.3 ... - update to Firefox 43.0 (bnc#959277) ... - update to Firefox 42.0 (bnc#952810) ... - update to Firefox 41.0.2 (bnc#950686) ... - update to Firefox 41.0.1 ... - update to Firefox 41.0 (bnc#947003) ... - update to Firefox 40.0.3 (bnc#943550) ... - update to Firefox 40.0 (bnc#940806) ... * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 ... - update to Firefox 39.0 (bnc#935979) ... - update to Firefox 38.0.1 ... - update to Firefox 38.0 (bnc#930622) ... - update to Firefox 37.0.2 (bnc#928116) ... - update to Firefox 37.0 (bnc#925368) ... - update to Firefox 36.0.4 (bnc#923534) ... - update to Firefox 36.0 (bnc#917597) ... - update to Firefox 35.0.1 ... - update to Firefox 35.0 (bnc#910669) ... - update to Firefox 34.0.5 (bnc#908009) ... - update to Firefox 33.1 ... - update to Firefox 32.0.2 ... - update to Firefox 32.0.1 ... - update to Firefox 31.0 (bnc#887746) * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548 ... - update to Firefox 30.0 (bnc#881874) ... - update to Firefox 29.0.1 ... - update to Firefox 29.0 (bnc#875378) ... - update to Firefox 28.0 (bnc#868603) * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494 ... - update to Firefox 27.0.1 ... - update to Firefox 27.0 (bnc#861847) ... - update to Firefox 26.0 (bnc#854367, bnc#854370) ... - update to Firefox 25.0 (bnc#847708) ... - update to Firefox 24.0 (bnc#840485) ... - update to Firefox 23.0.1 ... - update to Firefox 23.0 (bnc#833389) * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 ... - update to Firefox 22.0 (bnc#825935) ... - update to Firefox 21.0 (bnc#819204) ... - update to Firefox 20.0 (bnc#813026) ... - update to Firefox 19.0.2 (bnc#808243) ... - update to Firefox 19.0.1 ... - update to Firefox 19.0 (bnc#804248) * MFSA 2013-21/CVE-2013-0783/2013-0784 ... - update to Firefox 18.0.2 ... - update to Firefox 18.0.1 ... - update to Firefox 18.0 (bnc#796895) ... - update to Firefox 17.0.1 ... - update to Firefox 17.0 (bnc#790140) * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843 ... - update to Firefox 16.0.2 (bnc#786522) ... - update to Firefox 16.0.1 (bnc#783533) ... - update to Firefox 15.0.1 (bnc#779936) ... - update to Firefox 15.0 (bnc#777588) * MFSA 2012-57/CVE-2012-1970 ... - update to 14.0.1 (bnc#771583) * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 ... - update to Firefox 13.0 (bnc#765204) ... - update to Firefox 12.0 (bnc#758408) ... - update to Firefox 11.0 (bnc#750044) ... - update to Firefox 10.0.2 (bnc#747328) ... - update to Firefox 10.0.1 (bnc#746616) ... - update to Firefox 10.0 (bnc#744275) ... - update to Firefox 9.0.1 ... - update to Firefox 9 (bnc#737533) ... - update to Firefox 8 (bnc#728520) * MFSA 2011-47/CVE-2011-3648 (bmo#690225) ... - update to minor release 7.0.1 ... - security update to 6.0.2 (bnc#714931) ... - update to 6.0 (bnc#712224) ... - update to 6.0b3 ... - update to 5.0 final - included fixes for security issues: (bnc#701296, bnc#700578) * MFSA 2011-19/CVE-2011-2374 CVE-2011-2375 ... - update to 5.0b7 ... - security update to 4.0.1 (bnc#689281) * MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0079 ... - update to version 4.0b10 ... - update to version 4.0beta8 - major update to version 4.0beta7 ... - security update to 3.6.12 (bnc#649492) ... - security update to 3.6.11 (bnc#645315) * MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176 ... - update to 3.6.10 ... - security update to 3.6.9 (bnc#637303) ... - update to 3.6.6 release ... - update to final 3.6.4 release (bnc#603356) * MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/ ... - update to 3.6.4(build6) - security update to 3.6.4 (Lorentz) ... - security update to 3.6.3 ... - security update to version 3.6.2 (bnc#586567) * MFSA 2010-08/CVE-2010-1028 ... - update to 3.6rc2 (already named 3.6.0) ... - major update to 3.6rc1 - update to version 3.5.7 (bnc#568011) ... - security update to version 3.5.6 (bnc#559807) ... - update to version 3.5.5 (bnc#553172) - security update to version 3.5.4 (bnc#545277) * MFSA 2009-52/CVE-2009-3370 (bmo#511615) ... - security update to version 3.5.3 (bnc#534458) ... - security update to version 3.5.2 ... - update to final version 3.5 (20090623) ... - update to version 3.5rc2 (20090617) ... - update to version 3.5b99 (20090604) ... - update to new major version 3.5b4 ... - security update to 3.0.10 ... - security update to 3.0.9 (bnc#495473) * MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305 ... - security update to 3.0.7 (bnc#478625) * MFSA 2009-07 - Crashes with evidence of memory corruption CVE-2009-0771 - Layout Engine Crashes... Is this resource wastage necessary or relevant? :-( -- "Wisdom is supreme; therefore get wisdom. Whatever else you get, get wisdom." Proverbs 4:7 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/ -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 11.10.2017 um 05:05 schrieb Felix Miata:
Dominique Leuenberger composed on 2017-10-11 01:39 (UTC+0200):
CVE-2009-0771 - Layout Engine Crashes...
Is this resource wastage necessary or relevant? :-(
Just don't print it Greetings, Stephan -- Ma muaß weiterkämpfen, kämpfen bis zum Umfalln, a wenn die ganze Welt an Arsch offen hat, oder grad deswegn. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Felix Miata wrote:
Dominique Leuenberger composed on 2017-10-11 01:39 (UTC+0200):
[roughly 173kb archived, approximately 70% of which is Firefox]
Yeah, we had that earlier, with several thousand lines of changelog. At that time someone said there'd be work in progress to supress this in future. Seems not to work.... -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
with sddm 0.15.0-1.1 change user does not work anymore. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am Mittwoch, 11. Oktober 2017, 09:06:49 schrieb Karl Mistelberger:
with sddm 0.15.0-1.1 change user does not work anymore.
That's a regression in Plasma 5.11.0 (unrelated to sddm 0.15.0, which is in Tumbleweed since weeks already). A fix is on the way: https://build.opensuse.org/request/show/533431 Btw, you can apply it locally if you don't want to wait for the update, just change the file /usr/share/plasma/look-and- feel/org.openSUSE.desktop/contents/components/UserDelegate.qml with a text editor accordingly: @@ -28,6 +@@ -28,6 +28,7 @@ Item { property bool isCurrent: true + readonly property var m: model property string name property string userName property string avatarPath Kind Regards, Wolfgang -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am Mittwoch, 11. Oktober 2017, 19:52:49 CEST schrieb Wolfgang Bauer:
Am Mittwoch, 11. Oktober 2017, 09:06:49 schrieb Karl Mistelberger:
with sddm 0.15.0-1.1 change user does not work anymore.
That's a regression in Plasma 5.11.0 (unrelated to sddm 0.15.0, which is in Tumbleweed since weeks already).
A fix is on the way: https://build.opensuse.org/request/show/533431
Btw, you can apply it locally if you don't want to wait for the update, just change the file /usr/share/plasma/look-and- feel/org.openSUSE.desktop/contents/components/UserDelegate.qml with a text editor accordingly: @@ -28,6 +@@ -28,6 +28,7 @@ Item {
property bool isCurrent: true
+ readonly property var m: model property string name property string userName property string avatarPath
Changed the file and switch user works again. Thanks a lot! Karl -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (6)
-
Dominique Leuenberger
-
Felix Miata
-
Karl Mistelberger
-
Peter Suetterlin
-
Stephan Kulow
-
Wolfgang Bauer