[opensuse-factory] Leap 15.2 Build 521.2 released!
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.2&build=521.2&groupid=50
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2015.2

When you reply to discuss some issues, make sure to change the subject.
Please use the test plan at
https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m...
to record your testing efforts and use bugzilla to report bugs.

Packages changed:
  ImageMagick
  MozillaFirefox (60.8.0 -> 68.2.0)
  MozillaThunderbird (68.1.1 -> 68.2.1)
  aaa_base
  autoyast2 (4.2.12 -> 4.2.19)
  bluedevil5 (5.17.1 -> 5.17.2)
  breeze (5.17.1 -> 5.17.2)
  breeze-gtk (5.17.1 -> 5.17.2)
  breeze4-style (5.17.1 -> 5.17.2)
  cpupower (4.19 -> 5.1)
  digikam (6.0.0 -> 6.3.0)
  discover (5.17.1 -> 5.17.2)
  drkonqi5 (5.17.1 -> 5.17.2)
  ethtool (4.13 -> 5.3)
  inkscape
  kactivitymanagerd (5.17.1 -> 5.17.2)
  kbd
  kde-cli-tools5 (5.17.1 -> 5.17.2)
  kde-gtk-config5 (5.17.1 -> 5.17.2)
  kde-user-manager (5.17.1 -> 5.17.2)
  kdepim-runtime
  kgamma5 (5.17.1 -> 5.17.2)
  khotkeys5 (5.17.1 -> 5.17.2)
  kinfocenter5 (5.17.1 -> 5.17.2)
  kmenuedit5 (5.17.1 -> 5.17.2)
  kscreen5 (5.17.1 -> 5.17.2)
  kscreenlocker (5.17.1 -> 5.17.2)
  ksshaskpass5 (5.17.1 -> 5.17.2)
  ksysguard5 (5.17.1 -> 5.17.2)
  ktexteditor
  ktouch (19.08.1 -> 19.08.2)
  kwayland-integration (5.17.1 -> 5.17.2)
  kwin5 (5.17.1 -> 5.17.2)
  kwrited5 (5.17.1 -> 5.17.2)
  libgnomekbd (3.26.0 -> 3.26.1)
  libkdecoration2 (5.17.1 -> 5.17.2)
  libkscreen2 (5.17.1 -> 5.17.2)
  libksysguard5 (5.17.1 -> 5.17.2)
  libqt5-qtbase
  libssh2_org
  libstorage-ng (4.2.18 -> 4.2.23)
  milou5 (5.17.1 -> 5.17.2)
  ovmf (2017+git1510945757.b2662641d5 -> 201908)
  oxygen5 (5.17.1 -> 5.17.2)
  php7
  plasma-nm5 (5.17.1 -> 5.17.2)
  plasma5-addons (5.17.1 -> 5.17.2)
  plasma5-desktop (5.17.1 -> 5.17.2)
  plasma5-integration (5.17.1 -> 5.17.2)
  plasma5-openSUSE
  plasma5-pa (5.17.1 -> 5.17.2)
  plasma5-workspace (5.17.1 -> 5.17.2)
  pmdk (1.5 -> 1.7)
  polkit-kde-agent-5 (5.17.1 -> 5.17.2)
  poppler (0.62.0 -> 0.79.0)
  poppler-qt5 (0.62.0 -> 0.79.0)
  powerdevil5 (5.17.1 -> 5.17.2)
  qqc2-desktop-style (5.55.0 -> 5.63.0)
  re2 (20190301 -> 20190901)
  samba (4.9.5+git.187.71edee57d5a -> 4.9.5+git.210.ab0549acb05)
  scout (0.2.1+20181004.20a0aae -> 0.2.2+20190613.e6c2668)
  snapper (0.8.5 -> 0.8.6)
  systemsettings5 (5.17.1 -> 5.17.2)
  texlive
  xfce4-screenshooter (1.9.6 -> 1.9.7)
  xfce4-whiskermenu-plugin (2.3.3 -> 2.3.4)
  yast2-installation (4.2.19 -> 4.2.20)
  yast2-packager (4.2.30 -> 4.2.31)
  yast2-pkg-bindings (4.2.0 -> 4.2.1)
  yast2-ruby-bindings (4.2.3 -> 4.2.4)
  yast2-schema (4.2.5 -> 4.2.6)
  yast2-storage-ng (4.2.50 -> 4.2.54)
  yast2-update (4.2.7 -> 4.2.10)

=== Details ===

==== ImageMagick ====
Subpackages: ImageMagick-config-7-SUSE libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI6 libMagickWand-7_Q16HDRI6

- security update
- added patches
  CVE-2019-16713 [bsc#1151786]
  + ImageMagick-CVE-2019-16713.patch
  CVE-2019-16711 [bsc#1151784]
  + ImageMagick-CVE-2019-16711.patch
  CVE-2019-16712 [bsc#1151785]
  + ImageMagick-CVE-2019-16712.patch
  CVE-2019-16710 [bsc#1151783]
  + ImageMagick-CVE-2019-16710.patch
  CVE-2019-16708 [bsc#1151781], CVE-2019-16709 [bsc#1151782]
  + ImageMagick-CVE-2019-16708,16709.patch
- security update
- added patches
  CVE-2019-15139 [bsc#1146213]
  + ImageMagick-CVE-2019-15139.patch
  CVE-2019-15140 [bsc#1146212]
  + ImageMagick-CVE-2019-15140.patch
  CVE-2019-15141 [bsc#1146211]
  + ImageMagick-CVE-2019-15141.patch
  CVE-2019-14980 [bsc#1146068]
  + ImageMagick-CVE-2019-14980.patch
  CVE-2019-14981 [bsc#1146065]
  + ImageMagick-CVE-2019-14981.patch

==== MozillaFirefox ====
Version update (60.8.0 -> 68.2.0)
Subpackages: MozillaFirefox-translations-common MozillaFirefox-translations-other

- Resolved issues fixed earlier:
  * [bsc#1104841] Newer versions of firefox have
    a dependency on GLIBCXX_3.4.20
  * [bsc#1129528] SLES15 - IBM s390-tools-2.1.0 Maintenance Patches (#6)
  * [bsc#1137990] Firefox 60.7 ESR changed the user interface language
- Firefox Extended Support Release 68.2.0 ESR
  * Enterprise: New administrative policies were added. More information and templates are available at the Policy Templates page.
  * Fixed: Various security fixes
  MFSA 2019-33 (bsc#1154738)
  * CVE-2019-15903 (bmo#1584907) Heap overflow in expat library in XML_GetCurrentLineNumber
  * CVE-2019-11757 (bmo#1577107) Use-after-free when creating index updates in IndexedDB
  * CVE-2019-11758 (bmo#1536227) Potentially exploitable crash due to 360 Total Security
  * CVE-2019-11759 (bmo#1577953) Stack buffer overflow in HKDF output
  * CVE-2019-11760 (bmo#1577719) Stack buffer overflow in WebRTC networking
  * CVE-2019-11761 (bmo#1561502) Unintended access to a privileged JSONView object
  * CVE-2019-11762 (bmo#1582857) document.domain-based origin isolation has same-origin-property violation
  * CVE-2019-11763 (bmo#1584216) Incorrect HTML parsing results in XSS bypass technique
  * CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223, bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933, bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599, bmo#1586845) Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
- removed now upstream patches:
  * mozilla-bmo1573381.patch
  * mozilla-bmo1512162.patch
- Add patch to lower python requirement to 3.4 in order to build on SLE-12:
  * mozilla-sle12-lower-python-requirement.patch
- Add Provides-line for translations-common (bsc#1153423)
- Moved some settings from branding-package here (bsc#1153869)
- add patch to fix LTO build (w/o PGO):
  * mozilla-fix-top-level-asm.patch
- remove obsolete kde.js setting (boo#1151186) and related patch:
  * firefox-add-kde.js-in-order-to-survive-PGO-build.patch
  * modified firefox-kde.patch for the removal of kde.js
- Update mozilla-bmo1512162.patch to the patch now committed upstream
  * No more -O1 builds for
    ppc64le necessary
- Disable DoH by default
  * Not yet officially active in ESR, but just to make sure
- Mozilla Firefox ESR 68.1
  Resolves the following bigendian s390x issues:
  * [bsc#1109465] Latest Firefox update not released for s390x
  * [bsc#1117473] Firefox segmentation fault on s390vsl082
  * [bsc#1123482] openQA test fails in firefox - firefox doesn't start
  * [bsc#1124525] Firefox is core dumping on SLES15 s390x
  * [bsc#1133810] Firefox: Segmentation fault (core dumped)
  MFSA 2019-26 (bsc#1149323)
  * CVE-2019-11751 (bmo#1572838) Malicious code execution through command line parameters
  * CVE-2019-11746 (bmo#1564449) Use-after-free while manipulating video
  * CVE-2019-11744 (bmo#1562033) XSS by breaking out of title and textarea elements using innerHTML
  * CVE-2019-11742 (bmo#1559715) Same-origin policy violation with SVG filters and canvas to steal cross-origin images
  * CVE-2019-11736 (bmo#1551913, bmo#1552206) File manipulation and privilege escalation in Mozilla Maintenance Service
  * CVE-2019-11753 (bmo#1574980) Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
  * CVE-2019-11752 (bmo#1501152) Use-after-free while extracting a key value in IndexedDB
  * CVE-2019-9812 (bmo#1538008, bmo#1538015) Sandbox escape through Firefox Sync
  * CVE-2019-11743 (bmo#1560495, bmo#https://w3c.github.io/navigation-timing) Cross-origin access to unload event attributes
  * CVE-2019-11748 (bmo#1564588) Persistence of WebRTC permissions in a third party context
  * CVE-2019-11749 (bmo#1565374) Camera information available without prompting using getUserMedia
  * CVE-2019-11750 (bmo#1568397) Type confusion in Spidermonkey
  * CVE-2019-11738 (bmo#1452037) Content security policy bypass through hash-based sources in directives
  * CVE-2019-11747 (bmo#1564481) 'Forget about this site' removes sites from pre-loaded HSTS list
  * CVE-2019-11735 (bmo#1561404, bmo#1561484, bmo#1561912, bmo#1565744, bmo#1568047, bmo#1568858, bmo#1570358) Memory safety bugs fixed in
    Firefox 69 and Firefox ESR 68.1
  * CVE-2019-11740 (bmo#1563133, bmo#1573160) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
- Mozilla Firefox ESR 68.0.2
  * Fixed: Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar (bmo#1560228)
  * Fixed: Allow fonts to be loaded via file:// URLs when opening a page locally (bmo#1565942)
  * Fixed: Printing emails from the Outlook web app no longer prints only the header and footer (bmo#1567105)
  * Fixed: Fixed a bug causing some images not to be displayed on reload, including on Google Maps (bmo#1565542)
  * Fixed: Fixed an error when starting external applications configured as URI handlers (bmo#1567614)
  * Fixed: Security fixes
- MFSA 2019-24 (bsc#1145665)
  * CVE-2019-11733 (bmo#1565780) Stored passwords in 'Saved Logins' can be copied without master password entry
- Mozilla Firefox ESR 68.0.1
  * macOS releases are now signed by the Apple notary service, allowing Firefox to properly run on macOS 10.15 Beta releases
  * Fixed missing Full Screen button when watching videos in full screen mode on HBO GO (bmo#1562837)
  * Fixed a bug causing incorrect messages to appear for some locales when sites try to request the use of the Storage Access API (bmo#1558503)
  * Users in Russian regions may have their default search engine changed (bmo#1565315)
  * Built-in search engines in some locales do not function correctly (bmo#1565779)
  * SupportMenu policy doesn't always work (bmo#1553290)
  * Allow the new ExtensionSettings policy to work with GPO on Windows (bmo#1553586)
  * Allow the privacy.file_unique_origin pref to be controlled by policy (bmo#1563759)
- Mozilla Firefox ESR 68.0
  * Dark mode in reader view
  * Improved extension security and discovery
  * Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences
  * Camera and microphone access now require an HTTPS connection
  MFSA 2019-21 (bsc#1140868)
  * CVE-2019-9811 (bmo#1523741, bmo#1538007, bmo#1539598, bmo#1539759, bmo#1563327) Sandbox escape via installation of malicious language pack
  * CVE-2019-11711 (bmo#1552541) Script injection within domain through inner window reuse
  * CVE-2019-11712 (bmo#1543804) Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
  * CVE-2019-11713 (bmo#1528481) Use-after-free with HTTP/2 cached stream
  * CVE-2019-11714 (bmo#1542593) NeckoChild can trigger crash when accessed off of main thread
  * CVE-2019-11729 (bmo#1515342) Empty or malformed p256-ECDH public keys may trigger a segmentation fault
  * CVE-2019-11715 (bmo#1555523) HTML parsing error can contribute to content XSS
  * CVE-2019-11716 (bmo#1552632) globalThis not enumerable until accessed
  * CVE-2019-11717 (bmo#1548306) Caret character improperly escaped in origins
  * CVE-2019-11718 (bmo#1408349) Activity Stream writes unsanitized content to innerHTML
  * CVE-2019-11719 (bmo#1540541) Out-of-bounds read when importing curve25519 private key
  * CVE-2019-11720 (bmo#1556230) Character encoding XSS vulnerability
  * CVE-2019-11721 (bmo#1256009) Domain spoofing through unicode latin 'kra' character
  * CVE-2019-11730 (bmo#1558299) Same-origin policy treats all files in a directory as having the same-origin
  * CVE-2019-11723 (bmo#1528335) Cookie leakage during add-on fetching across private browsing boundaries
  * CVE-2019-11724 (bmo#1512511) Retired site input.mozilla.org has remote troubleshooting permissions
  * CVE-2019-11725 (bmo#1483510) Websocket resources bypass safebrowsing protections
  * CVE-2019-11727 (bmo#1552208) PKCS#1 v1.5 signatures can be used for TLS 1.3
  * CVE-2019-11728 (bmo#1552993) Port scanning through Alt-Svc header
  * CVE-2019-11710 (bmo#1507696, bmo#1510345, bmo#1533842, bmo#1535482, bmo#1535848, bmo#1537692, bmo#1540590, bmo#1544180, bmo#1547472, bmo#1547760, bmo#1548611, bmo#1549768, bmo#1551907) Memory safety bugs fixed in Firefox 68
  * CVE-2019-11709 (bmo#1515052, bmo#1533522,
    bmo#1539219, bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822, bmo#1550498, bmo#1550498) Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
- removed patches that are now upstream
  * mozilla-bmo1375074.patch
  * mozilla-bmo1436242.patch
  * mozilla-bmo256180.patch
  * mozilla-i586-DecoderDoctorLogger.patch
  * mozilla-i586-domPrefs.patch
  * mozilla-bmo1464766.patch
  * mozilla-bigendian_bit_flags_alias.patch
- removed workaround-patch for build memory consumption on i586; other mitigations meanwhile introduced (mainly parallelity) will be sufficient
  * mozilla-reduce-files-per-UnifiedBindings.patch
- added patch to make builds reproducible
  * mozilla-bmo1568145.patch
- added a bunch of patches mainly for big endian platforms
  * mozilla-bmo1504834-part1.patch
  * mozilla-bmo1504834-part2.patch
  * mozilla-bmo1504834-part3.patch
  * mozilla-bmo1511604.patch
  * mozilla-bmo1512162.patch
  * mozilla-bmo1554971.patch
  * mozilla-bmo1573381.patch
  * mozilla-nestegg-big-endian.patch
- added patches to fix build on armv7:
  * mozilla-bmo1463035.patch
  * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
- added patch to fix non-return function
  * mozilla-cubeb-noreturn.patch
- added patch to fix aarch64 build:
  * mozilla-fix-aarch64-libopus.patch (bmo#1539737)
- added patch to enable PGO for x86_64.
  * firefox-add-kde.js-in-order-to-survive-PGO-build.patch
- added patch to reduce build-load
  * mozilla-reduce-rust-debuginfo.patch
- Mozilla Firefox 60.7.2
  MFSA 2019-19 (bsc#1138872)
  * CVE-2019-11708 (bmo#1559858) sandbox escape using Prompt:Open
- Build Firefox with gcc instead of clang (bsc#1138688)
- Mozilla Firefox 60.7.1
  MFSA 2019-18 (bsc#1138614)
  * CVE-2019-11707 (bmo#1544386) Type confusion in Array.pop
- Added the new Mozilla's GPG key with subkey fingerprint 097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D 572E, expiring on 2021-05-29 to the mozilla.keyring file
- Fix broken language plugins (bsc#1137792)
- update to Firefox ESR 60.7 (bsc#1135824)
  * Font and date adjustments to accommodate the new Reiwa era in Japan
  * MFSA 2019-14/CVE-2019-9817 (bmo#1540221) Stealing of cross-domain images using canvas
  * MFSA 2019-14/CVE-2019-9800 (bmo#1499108, bmo#1499719, bmo#1516325, bmo#1532465, bmo#1533554, bmo#1534593, bmo#1535194, bmo#1535612, bmo#1538042, bmo#1538619, bmo#1538736, bmo#1540136, bmo#1540166, bmo#1541580, bmo#1542097, bmo#1542324, bmo#1546327) Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
  * MFSA 2019-14/CVE-2019-9816 (bmo#1536768) Type confusion with object groups and UnboxedObjects
  * MFSA 2019-14/CVE-2019-9815 (bmo#1546544, bmo#https://mdsattacks.com/) Disable hyperthreading on content JavaScript threads on macOS
  * MFSA 2019-14/CVE-2019-11698 (bmo#1543191) Theft of user history data through drag and drop of hyperlinks to and from bookmarks
  * MFSA 2019-14/CVE-2019-11692 (bmo#1544670) Use-after-free removing listeners in the event listener manager
  * MFSA 2019-14/CVE-2019-11693 (bmo#1532525) Buffer overflow in WebGL bufferdata on Linux
  * MFSA 2019-14/CVE-2019-7317 (bmo#1542829) Use-after-free in png_image_free of libpng library
  * MFSA 2019-14/CVE-2019-9820 (bmo#1536405) Use-after-free of ChromeEventHandler by DocShell
  * MFSA 2019-14/CVE-2019-9818 (bmo#1542581) Use-after-free in crash generation server
  * MFSA 2019-14/CVE-2019-11691 (bmo#1542465) Use-after-free in XMLHttpRequest
  * MFSA 2019-14/CVE-2019-9819 (bmo#1532553) Compartment mismatch with fetch API
  * MFSA 2019-14/CVE-2019-11694 (bmo#1534196) Uninitialized memory memory leakage in Windows sandbox
- Sync with Devel:Desktop:Mozilla:*:next
- Enable Firefox to build with Rust >= 1.30 with fix. See below.
- update to 60.6.3 (bmo#1549249)
  * Further improvements to re-enable web extensions which had been disabled for users with a master password set.
- update to 60.6.2 (bsc#1134126)
  * Repaired certificate chain to re-enable web extensions that had been disabled.
- Update BuildRequires rust >= 1.30 from 1.24
  * Upstream Firefox ESR presumes rust version stable at release (1.24). SUSE currently uses improved packaging for rust >= 1.30.
  * boo#1130694 rust 1.33.0 breaks Firefox and Thunderbird due to missing macro comment docs in Firefox rust sources
    bmo#1539901 ESR 60 build fails with Rust 1.33 due to missing documentation on macros in stylo
    bmo#1519629 Stylo fails with --enable-warnings-as-errors using Rust 1.33
  * Fix build using RUSTFLAGS="--cap-lints allow"
    Preferred alternative to patching and revendoring stylo rust crates
    Revisit with intent to remove in next Firefox ESR 68.0 2019-07-09
- Fixed translations provides
- update to Firefox ESR 60.6.1 (bsc#1130262)
  * MFSA 2019-10/CVE-2019-9813 (bmo#1538006) Ionmonkey type confusion with __proto__ mutations
  * MFSA 2019-10/CVE-2019-9810 (bmo#1537924) IonMonkey MArraySlice has incorrect alias information
- update to Firefox ESR 60.6 (bsc#1129821)
  * MFSA 2019-08/CVE-2018-18506 (bmo#1503393) Proxy Auto-Configuration file can define localhost access to be proxied
  * MFSA 2019-08/CVE-2019-9801 (bmo#1527717) Windows programs that are not 'URL Handlers' are exposed to web content
  * MFSA 2019-08/CVE-2019-9788 (bmo#1506665, bmo#1516834, bmo#1518001, bmo#1518774, bmo#1521214, bmo#1521304, bmo#1523362, bmo#1524214, bmo#1524755, bmo#1529203) Memory safety bugs fixed in Firefox 66 and
    Firefox ESR 60.6
  * MFSA 2019-08/CVE-2019-9790 (bmo#1525145) Use-after-free when removing in-use DOM elements
  * MFSA 2019-08/CVE-2019-9791 (bmo#1530958) Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey
  * MFSA 2019-08/CVE-2019-9792 (bmo#1532599) IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
  * MFSA 2019-08/CVE-2019-9793 (bmo#1528829) Improper bounds checks when Spectre mitigations are disabled
  * MFSA 2019-08/CVE-2019-9794 (bmo#1530103) Command line arguments not discarded during execution
  * MFSA 2019-08/CVE-2019-9795 (bmo#1514682) Type-confusion in IonMonkey JIT compiler
  * MFSA 2019-08/CVE-2019-9796 (bmo#1531277) Use-after-free with SMIL animation controller
- Fix for [bsc#1127987] MozillaFirefox-translations-common causing error on update
- Mozilla Firefox 60.5.2esr:
  * Fix a frequent crash when reading various Reuters news articles (bmo#1505844)
- Update to Firefox ESR 60.5.1
  MFSA-2019-05 (bsc#1125330)
  * CVE-2018-18356 (bmo#1525817) A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash.
  * CVE-2019-5785 (bmo#1525433) An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash.
  * CVE-2018-18335 (bmo#1525815) A buffer overflow vulnerability in the Skia library can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR. Note: this does not affect other versions and platforms where Canvas 2D acceleration is already disabled by default.
- Update to Firefox ESR 60.5
  MFSA 2019-02 (bsc#1122983)
  * CVE-2018-18501 (bmo#1460619, bmo#1502871, bmo#1512450, bmo#1513201, bmo#1516514, bmo#1516738, bmo#1517542) Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
  * CVE-2018-18500 (bmo#1510114) Use-after-free parsing HTML5 stream
  * CVE-2018-18505 (bmo#1087565, bmo#1497749) Privilege escalation through IPC channel messages
- Removed obsolete patches:
  [mozilla-no-stdcxx-check.patch] Applied upstream
  [mozilla-s390-nojit.patch] Applied upstream
- Fix for language pack build error (bsc#1120374)
- Revert dependency for branding package back to >= 60 due to dependency issues.
- Depend on branding package version >= 60.0
- Mozilla Firefox 60.4.0esr:
  * Updated list of currency codes to include Unidad Previsional (UYW) (bmo#1499028)
  MFSA 2018-30 (bsc#1119105)
  * CVE-2018-17466 bmo#1488295 Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
  * CVE-2018-18492 bmo#1499861 Use-after-free with select element
  * CVE-2018-18493 bmo#1504452 Buffer overflow in accelerated 2D canvas with Skia
  * CVE-2018-18494 bmo#1487964 Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
  * CVE-2018-18498 bmo#1500011 Integer overflow when calculating buffer sizes for images
  * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759 bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471 Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4
- requires NSS >= 3.36.6
- Removed obsolete patch:
  [mozilla-update-cc-crate.patch] Applied upstream
- Mozilla Firefox 60.3.0esr:
  * Various stability and regression fixes
  MFSA 2018-27 bsc#1112852
  * CVE-2018-12392 bmo#1492823 Crash with nested event loops
  * CVE-2018-12393 bmo#1495011 Integer overflow during Unicode conversion while loading JavaScript
  * CVE-2018-12395 bmo#1467523 WebExtension bypass of domain restrictions through header rewriting
  * CVE-2018-12396 bmo#1483602 WebExtension content scripts can execute
    in disallowed contexts
  * CVE-2018-12397 bmo#1487478 WebExtension local file access vulnerability
  * CVE-2018-12389 bmo#1498460, bmo#1499198 Memory safety bugs fixed in Firefox ESR 60.3
  * CVE-2018-12390 bmo#1487098 bmo#1487660 bmo#1490234 bmo#1496159 bmo#1443748 bmo#1496340 bmo#1483905 bmo#1493347 bmo#1488803 bmo#1498701 bmo#1498482 bmo#1442010 bmo#1495245 bmo#1483699 bmo#1469486 bmo#1484905 bmo#1490561 bmo#1492524 bmo#1481844 Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
- Drop mozilla-bmo1472538-update-bindgen.patch which was already merged upstream
- Update mozilla-update-cc-crate.patch, since cc was updated to 1.0.9 upstream, but this patch still updates it to a newer version
- Update create-tar.sh and source-stamp.txt as should be done with every version update.
- Mozilla Firefox 60.2.2esr:
  MFSA 2018-24
  * CVE-2018-12386 (bsc#1110506, bmo#1493900) Type confusion in JavaScript allowed remote code execution
  * CVE-2018-12387 (bsc#1110507, bmo#1493903) Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process
- Avoid undefined behavior in IPC fd-passing code with mozilla-bmo1436242.patch (boo#1094767, bmo#1436242)
- Mozilla Firefox 60.2.1esr:
  MFSA 2018-23
  * CVE-2018-12385 (boo#1109363, bmo#1490585) Crash in TransportSecurityInfo due to cached data
  * CVE-2018-12383 (boo#1107343, bmo#1475775) Setting a master password did not delete unencrypted previously stored passwords
  * Fixed a startup crash affecting users migrating from older ESR releases
  * Clean up old NSS DB files after upgrading
- Fix typo in an old changelog entry which mentioned a wrong patch file and really remove mozilla-glibc-getrandom.patch as should have been done some weeks ago.
- bsc#1109465
- Add mozilla-bmo1472538-update-bindgen.patch and mozilla-update-cc-crate.patch. This fixes an endianness problem in bindgen's handling of bitfields, which was causing Firefox to crash on startup on big-endian machines.
  Also, updates the cc crate, which was buggy in the version that was originally vendored in.
- added patch [mozilla-bigendian_bit_flags_alias.patch] (bmo#1488552)
- update to Firefox ESR 60.2 (bsc#1107343)
  * MFSA 2018-20/CVE-2018-12381 (bmo#1435319) Dragging and dropping Outlook email message results in page navigation
  * MFSA 2018-20/CVE-2017-16541 (bmo#1412081) Proxy bypass using automount and autofs
  * MFSA 2018-20/CVE-2018-12376 (bmo#1450989, bmo#1466577, bmo#1466991, bmo#1467363, bmo#1467889, bmo#1468738, bmo#1469309, bmo#1469914, bmo#1471953, bmo#1472925, bmo#1473161, bmo#1478575, bmo#1478849, bmo#1480092, bmo#1480517, bmo#1480521, bmo#1481093, bmo#1483120) Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
  * MFSA 2018-20/CVE-2018-12377 (bmo#1470260) Use-after-free in refresh driver timers
  * MFSA 2018-20/CVE-2018-12378 (bmo#1459383) Use-after-free in IndexedDB
  * MFSA 2018-20/CVE-2018-12379 (bmo#1473113) Out-of-bounds write with malicious MAR file
- removed obsolete patches:
  [mozilla-glibc-getrandom.patch]
  [firefox-no-default-ualocale.patch]
  [mozilla-bmo1005640.patch]
  [mozilla-language.patch]
  [mozilla-shared-nss-db.patch]
- added patches
  sync with openSUSE:
  [mozilla-bmo1005535.patch]
  [mozilla-bmo1375074.patch]
  [mozilla-bmo1464766.patch]
  [mozilla-bmo256180.patch]
  [mozilla-i586-DecoderDoctorLogger.patch]
  [mozilla-i586-domPrefs.patch]
  additional architecture enablement:
  [mozilla-ppc-altivec_static_inline.patch]
  [mozilla-s390-context.patch]
- update to Firefox ESR 52.9 (bsc#1098998)
  * MFSA 2018-17/CVE-2018-5188 (bmo#1392739, bmo#1437842, bmo#1442722, bmo#1450688, bmo#1451297, bmo#1452576, bmo#1456189, bmo#1456975, bmo#1458048, bmo#1458264, bmo#1458270, bmo#1463494, bmo#1464063, bmo#1464079, bmo#1464829, bmo#1465108, bmo#1465898) Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
  * MFSA 2018-17/CVE-2018-12368 (bmo#1468217, bmo#https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39) No warning when opening
    executable SettingContent-ms files
  * MFSA 2018-17/CVE-2018-12366 (bmo#1464039) Invalid data handling during QCMS transformations
  * MFSA 2018-17/CVE-2018-12365 (bmo#1459206) Compromised IPC child process can list local filenames
  * MFSA 2018-17/CVE-2018-12364 (bmo#1436241) CSRF attacks through 307 redirects and NPAPI plugins
  * MFSA 2018-17/CVE-2018-12363 (bmo#1464784) Use-after-free when appending DOM nodes
  * MFSA 2018-17/CVE-2018-12362 (bmo#1452375) Integer overflow in SSSE3 scaler
  * MFSA 2018-17/CVE-2018-12360 (bmo#1459693) Use-after-free when using focus()
  * MFSA 2018-17/CVE-2018-5156 (bmo#1453127) Media recorder segmentation fault when track type is changed during capture
  * MFSA 2018-17/CVE-2018-12359 (bmo#1459162) Buffer overflow using computed size of canvas element
- update to Firefox 52.8.1 (bsc#1096449)
  * MFSA 2018-14/CVE-2018-6126 (bmo#1462682) Heap buffer overflow rasterizing paths in SVG with Skia
- update to Firefox 52.8.0:
  * Various stability and regression fixes
  * Performance improvements to the Safe Browsing service to avoid slowdowns while updating site classification data
- Security fixes (bsc#1092548, MFSA 2018-12):
  * CVE-2018-5183 (bmo#1454692) Backport critical security fixes in Skia
  * CVE-2018-5154 (bmo#1443092) Use-after-free with SVG animations and clip paths
  * CVE-2018-5155 (bmo#1448774) Use-after-free with SVG animations and text paths
  * CVE-2018-5157 (bmo#1449898) Same-origin bypass of PDF Viewer to view protected PDF files
  * CVE-2018-5158 (bmo#1452075) Malicious PDF can inject JavaScript into PDF Viewer
  * CVE-2018-5159 (bmo#1441941) Integer overflow and out-of-bounds write in Skia
  * CVE-2018-5168 (bmo#1449548) Lightweight themes can be installed without user interaction
  * CVE-2018-5178 (bmo#1443891) Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
  * CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705, bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415, bmo#1426129) Memory safety bugs
    fixed in Firefox 60 and Firefox ESR 52.8
- fix release tag and tarball to correctly identify 52.7.3esr
- update to Firefox 52.7.3
  MFSA 2018-10 (bsc#1087059)
  * CVE-2018-5148 (bmo#1440717) Use-after-free in compositor
- removed obsolete patch mozilla-bmo1446062.patch
- update to Firefox 52.7.2 (bsc#1085671)
  MFSA 2018-08
  * CVE-2018-5146 (bmo#1446062) Out of bounds memory write in libvorbis
  * CVE-2018-5147 (bmo#1446365) Out of bounds memory write in libtremor (in mozilla-bmo1446062.patch)
- Firefox 52.7.1 fixes
  - issues with the IT locale (bmo#1445278)
- update to Firefox 52.7esr (bsc#1085130, MFSA 2018-07):
  * CVE-2018-5127 (bmo#1430557) Buffer overflow manipulating SVG animatedPathSegList
  * CVE-2018-5129 (bmo#1428947) Out-of-bounds write with malformed IPC messages
  * CVE-2018-5130 (bmo#1433005) Mismatched RTP payload type can trigger memory corruption
  * CVE-2018-5131 (bmo#1440775) Fetch API improperly returns cached copies of no-store/no-cache resources
  * CVE-2018-5144 (bmo#1440926) Integer overflow during Unicode conversion
  * CVE-2018-5125 (bmo#1416529,bmo#1434580,bmo#1434384,bmo#1437450, bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087, bmo#1443865,bmo#1425520) Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
  * CVE-2018-5145 (bmo#1261175,bmo#1348955) Memory safety bugs fixed in Firefox ESR 52.7
- correct requires and provides handling (boo#1076907)
- update to Firefox 52.6esr (bsc#1077291)
  MFSA 2018-01
  * Speculative execution side-channel attack ("Spectre")
  MFSA 2018-03
  * CVE-2018-5091 (bmo#1423086) Use-after-free with DTMF timers
  * CVE-2018-5095 (bmo#1418447) Integer overflow in Skia library during edge builder allocation
  * CVE-2018-5096 (bmo#1418922) Use-after-free while editing form elements
  * CVE-2018-5097 (bmo#1387427) Use-after-free when source document is manipulated during XSLT
  * CVE-2018-5098 (bmo#1399400) Use-after-free while manipulating form input elements
  * CVE-2018-5099 (bmo#1416878) Use-after-free with widget listener
  * CVE-2018-5102 (bmo#1419363) Use-after-free in HTML media elements
  * CVE-2018-5103 (bmo#1423159) Use-after-free during mouse event handling
  * CVE-2018-5104 (bmo#1425000) Use-after-free during font face manipulation
  * CVE-2018-5117 (bmo#1395508) URL spoofing with right-to-left text aligned left-to-right
  * CVE-2018-5089 Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- remove obsolete patch mozilla-ucontext.patch
- official NSS requirement is >= 3.28.6 therefore putting 3.29.5 into an ifarch
- Escape the usage of %{VERSION} when calling out to rpm. RPM 4.14 has %{VERSION} defined as 'the main package's version'.
- Added additional patches and configurations to fix builds on s390 and PowerPC.
  * Added firefox-glibc-getrandom.patch affecting builds on s390 and PowerPC
  * Added mozilla-s390-bigendian.patch along with icudt58b.dat bigendian ICU data file for running Firefox on bigendian architectures (bmo#1322212 and bmo#1264836)
  * Added mozilla-s390-nojit.patch to enable atomic operations used by the JS engine when JIT is disabled on s390
  * Build configuration options specific to s390
  * Requires NSS >= 3.29.5
- Update to Firefox 52.5.3esr:
  * Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bmo#1427111, bsc#1074235)
- Add BuildRequires python-xml to fix build on TW/SLE15.
- update to Firefox 52.5.2esr (MFSA 2017-28):
  * CVE-2017-7843 (bsc#1072034, bmo#1410106) Web worker in Private Browsing mode can write IndexedDB data
- update to Firefox 52.5.0esr (boo#1068101)
  MFSA 2017-25
  * CVE-2017-7828 (bmo#1406750, bmo#1412252) Use-after-free of PresShell while restyling layout
  * CVE-2017-7830 (bmo#1408990) Cross-origin URL information leak through Resource Timing API
  * CVE-2017-7826 Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
- Correct plugin directory for aarch64 (boo#1061207). The wrapper script was not detecting aarch64 as a 64 bit architecture, thus used /usr/lib/browser-plugins/.
- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0), pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure looks for.
- update to Firefox 52.4esr (boo#1060445)
  * requires NSS >= 3.28.6
  MFSA 2017-22
  * CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API
  * CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array manipulation
  * CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in design mode
  * CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and validating elements with ANGLE
  * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free in TLS 1.2 generating handshake hashes
  * CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and malware protection warnings
  * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render some Tibetan and Arabic unicode characters as spaces
  * CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a unique origin
  * CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
- fixed language accept header to use correct locale (mozilla-bmo1005640.patch, boo#1029917)
- Add alsa-devel BuildRequires: we care for ALSA support to be built and thus need to ensure we get the dependencies in place. In the past, alsa-devel was pulled in by accident: we buildrequire libgnome-devel. This required esound-devel and that in turn pulled in alsa-devel for us. libgnome is being fixed to no longer require esound-devel.
- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext
- update to Firefox 52.3esr (boo#1052829)
  MFSA 2017-19
  * CVE-2017-7798 (bmo#1371586, bmo#1372112) XUL injection in the style editor in devtools
  * CVE-2017-7800 (bmo#1374047) Use-after-free in WebSockets during disconnection
  * CVE-2017-7801 (bmo#1371259) Use-after-free with marquee during window resizing
  * CVE-2017-7784 (bmo#1376087) Use-after-free with image observers
  * CVE-2017-7802 (bmo#1378147) Use-after-free resizing image elements
  * CVE-2017-7785 (bmo#1356985) Buffer overflow manipulating ARIA attributes in DOM
  * CVE-2017-7786 (bmo#1365189) Buffer overflow while painting non-displayable SVG
  * CVE-2017-7753 (bmo#1353312) Out-of-bounds read with cached style data and pseudo-elements
  * CVE-2017-7787 (bmo#1322896) Same-origin policy bypass with iframes through page reloads
  * CVE-2017-7807 (bmo#1376459) Domain hijacking through AppCache fallback
  * CVE-2017-7792 (bmo#1368652) Buffer overflow viewing certificates with an extremely long OID
  * CVE-2017-7804 (bmo#1372849) Memory protection bypass through WindowsDllDetourPatcher
  * CVE-2017-7791 (bmo#1365875) Spoofing following page navigation with data: protocol and modal alerts
  * CVE-2017-7782 (bmo#1344034) WindowsDllDetourPatcher allocates memory without DEP protections
  * CVE-2017-7803 (bmo#1377426) CSP containing 'sandbox' improperly applied
  * CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
- Mozilla Firefox 52.2.1esr:
  * Printing text does not work on Windows when Direct2D is disabled (bmo#1318845)
- update to Firefox 52.2esr (boo#1043960)
  MFSA 2017-16
  * CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees
  * CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading
  * CVE-2017-7750 (bmo#1356558) Use-after-free with track elements
  * CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners
  * CVE-2017-7752 (bmo#1359547) Use-after-free with IME input
  * CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object
  * CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only)
  * CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors
  * CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB
  * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library
  * CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder
  * CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only)
  * CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application (Windows only)
  * CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks
  * CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only)
  * CVE-2017-7766 (bmo#1342742) File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service (Windows only)
  * CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service (Windows only)
  * CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla Maintenance Service (Windows only)
  * CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
- requires NSS 3.28.5
- remove -fno-inline-small-functions and explicitly optimize with -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
- update to Firefox 52.1.1
  MFSA 2017-14
  * CVE-2017-5031: Use after free in ANGLE (bmo#1328762) (Windows only, Linux not affected)
- switch to Mozilla's geolocation service (boo#1026989)
- removed mozilla-preferences.patch obsoleted by overriding
via firefox.js - fixed KDE integration to avoid crash caused by filepicker (boo#1015998) - update to Firefox 52.1.0esr (boo#1035082) MFSA 2017-12 * CVE-2017-5443 (bmo#1342661) Out-of-bounds write during BinHex decoding * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 * CVE-2017-5464 (bmo#1347075) Memory corruption with accessibility and DOM manipulation * CVE-2017-5465 (bmo#1347617) Out-of-bounds read in ConvolvePixel * CVE-2017-5466 (bmo#1353975) Origin confusion when reloading isolated data:text/html URL * CVE-2017-5467 (bmo#1347262) Memory corruption when drawing Skia content * CVE-2017-5460 (bmo#1343642) Use-after-free in frame selection * CVE-2017-5461 (bmo#1344380) Out-of-bounds write in Base64 encoding in NSS * CVE-2017-5448 (bmo#1346648) Out-of-bounds write in ClearKeyDecryptor * CVE-2017-5449 (bmo#1340127) Crash during bidirectional unicode manipulation with animation * CVE-2017-5446 (bmo#1343505) Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data * CVE-2017-5447 (bmo#1343552) Out-of-bounds read during glyph processing * CVE-2017-5444 (bmo#1344461) Buffer overflow while parsing application/http-index-format content * CVE-2017-5445 (bmo#1344467) Uninitialized values used while parsing application/http-index-format content * CVE-2017-5442 (bmo#1347979) Use-after-free during style changes * CVE-2017-5469 (bmo#1292534) Potential Buffer overflow in flex-generated code * CVE-2017-5440 (bmo#1336832) Use-after-free in txExecutionState destructor during XSLT processing * CVE-2017-5441 (bmo#1343795) Use-after-free with selection during scroll events * CVE-2017-5439 (bmo#1336830) Use-after-free in nsTArray Length() during XSLT processing * CVE-2017-5438 (bmo#1336828) Use-after-free in nsAutoPtr during XSLT processing * CVE-2017-5437 (bmo#1343453) Vulnerabilities in Libevent library * 
CVE-2017-5436 (bmo#1345461) Out-of-bounds write with malicious font in Graphite 2
  * CVE-2017-5435 (bmo#1350683) Use-after-free during transaction processing in the editor
  * CVE-2017-5434 (bmo#1349946) Use-after-free during focus handling
  * CVE-2017-5433 (bmo#1347168) Use-after-free in SMIL animation functions
  * CVE-2017-5432 (bmo#1346654) Use-after-free in text input selection
  * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476) Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
  * CVE-2017-5459 (bmo#1333858) Buffer overflow in WebGL
  * CVE-2017-5462 (bmo#1345089) DRBG flaw in NSS
  * CVE-2017-5455 (bmo#1341191) Sandbox escape through internal feed reader APIs
  * CVE-2017-5454 (bmo#1349276) Sandbox escape allowing file system read access through file picker
  * CVE-2017-5456 (bmo#1344415) Sandbox escape allowing local file system access
  * CVE-2017-5451 (bmo#1273537) Addressbar spoofing with onblur event
- requires NSS 3.28.4
- rebased patches
- switch package to use ESR52 branch
  * enables plugin support by default
  * service workers are disabled by default
  * push notifications are disabled by default
  * WebAssembly (wasm) is disabled
  * Less use of multiprocess architecture Electrolysis (e10s)
- update to Firefox 52.0.2
  * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
  * Fix loading tab icons on session restore (bmo#1338009)
  * Fix a crash on startup on Linux (bmo#1345413)
  * Fix new installs erroneously not prompting to change the default browser setting (bmo#1343938)
- disable rust usage for everything but x86(-64)
- explicitly add libffi build requirement
- update to Firefox 52.0.1 (boo#1029822)
  MFSA 2017-08
    CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
- reenable ALSA support which was removed by default upstream
- update to Firefox 52.0 (boo#1028391)
  * requires NSS >= 3.28.3
  * Pages containing insecure password fields now display a warning directly within username and password fields.
  * Send and open a tab from one device to another with Sync
  * Removed NPAPI support for plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.
  * Removed Battery Status API to reduce fingerprinting of users by trackers
  * MFSA 2017-05
    CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933)
    CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861)
    CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876)
    CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186)
    CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138)
    CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890)
    CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622)
    CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687)
    CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711)
    CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
    CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504)
    CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370)
    CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
    CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
    CVE-2017-5417: Addressbar spoofing by dragging and dropping URLs (bmo#791597)
    CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361)
    CVE-2017-5427: Non-existent chrome.manifest file loaded during startup (bmo#1295542)
    CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876)
    CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243)
    CVE-2017-5420:
Javascript: URLs can obfuscate addressbar location (bmo#1284395) CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) CVE-2017-5421: Print preview spoofing (bmo#1301876) CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in Firefox 52 CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 - removed obsolete patches * mozilla-binutils-visibility.patch * mozilla-check_return.patch * mozilla-disable-skia-be.patch * mozilla-skia-overflow.patch * mozilla-skia-ppc-endianess.patch - rebased patches - enable rust usage for Tumbleweed - Mozilla Firefox 51.0.1: - Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423) - update to Firefox 51.0 * requires NSPR >= 4.13.1, NSS >= 3.28.1 * Added support for FLAC (Free Lossless Audio Codec) playback * Added support for WebGL 2 * Added Georgian (ka) and Kabyle (kab) locales * Support saving passwords for forms without 'submit' events * Improved video performance for users without GPU acceleration * Zoom indicator is shown in the URL bar if the zoom level is not at default level * View passwords from the prompt before saving them * Remove Belarusian (be) locale * Use Skia for content rendering (Linux) * MFSA 2017-01 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814) CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826) CVE-2017-5378: Pointer and frame data leakage of Javascript objects (bmo#1312001, bmo#1330769, boo#1021818) CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827) CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819) CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820) 
CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828) CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821) CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830) CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831) CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822) CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832) CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833) CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823) CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events (bmo#1222798) CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835) CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage (bmo#1293709) (Android only) CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837) CVE-2017-5395: Android location bar spoofing during scrolling (bmo#1293463) (Android only) CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839) CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840) CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841) CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (boo#1021824) - switch Firefox to Gtk3 for Tumbleweed - removed obsolete patches * mozilla-flex_buffer_overrun.patch - updated RPM locale support tag - improve recognition of LANGUAGE env variable (boo#1017174) - add upstream patch to fix PPC64LE 
(bmo#1319389) (mozilla-skia-ppc-endianess.patch) - fix build without skia (big endian archs) (bmo#1319374) (mozilla-disable-skia-be.patch) - update to Firefox 50.1.0 (boo#1015422) * MFSA 2016-94 CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628) CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements (bmo#1317409) CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) CVE-2016-9896: Use-after-free with WebVR (bmo#1315543) CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees (bmo#1314442) CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs (bmo#1319122) CVE-2016-9904: Cross-origin information leak in shared atoms (bmo#1317936) CVE-2016-9901: Data from Pocket server improperly sanitized before execution (bmo#1320057) CVE-2016-9902: Pocket extension does not validate the origin of events (bmo#1320039) CVE-2016-9903: XSS injection vulnerability in add-ons SDK (bmo#1315435) CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 - added patch mozilla-aarch64-startup-crash.patch (bsc#1011922) - update to Firefox 50.0.2 * Firefox crashes with 3rd party Chinese IME when using IME text (50.0.1) security fixes (in 50.0.1): (boo#1012807) * MFSA 2016-91 CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect (bmo#1317641) security fixes (in 50.0.2) (boo#1012964) * MFSA 2016-92 CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066) - update to Firefox 50.0 (boo#1009026) * requires NSS 3.26.2 new features * Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R * Added option to Find in page that allows users to limit search to whole words only * Added download protection for a large number of executable file types on Windows, Mac and Linux 
  * Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
  * Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
  * Blocked versions of libavcodec older than 54.35.1
  * additional locale
  security fixes:
  * MFSA 2016-89
    CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443)
    CVE-2016-5292: URL parsing causes crash (bmo#1288482)
    CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink (Windows only) (bmo#1246945)
    CVE-2016-5294: Arbitrary target directory for result files of update process (Windows only) (bmo#1246972)
    CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678)
    CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418)
    CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen (Android only) (bmo#1306696)
    CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686)
    CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069))
    CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
    CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile (bmo#1300083) (Windows only)
    CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324)
    CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552)
    CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159)
    CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM (Windows only) (bmo#1247239)
    CVE-2016-5298: SSL indicator can mislead the user about the real URL visited (bmo#1227538) (Android only)
    CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be
accessed by an application installed beforehand that defines the same permissions (bmo#1245791) (Android only) CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions (Android only) (bmo#1245795) CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file (Android only) (bmo#1294438) CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" (bmo#1289273) CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) (fixed via NSS 3.26.1) CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) CVE-2016-5289: Memory safety bugs fixed in Firefox 50 CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 - make aarch64 build more similar to x86_64 build (remove conditionals that don't seem to be necessary anymore) - Mozilla Firefox 49.0.2: * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475) * CVE-2016-5288: Web content can read cache entries (bsc#1006476) * Asynchronous rendering of the Flash plugins is now enabled by default * Change D3D9 default fallback preference to prevent graphical artifacts * Network issue prevents some users from seeing the Firefox UI on startup * Web compatibility issue with file uploads * Web compatibility issue with Array.prototype.values * Diagnostic information on timing for tab switching * Fix a Canvas filters graphics issue affecting HTML5 apps - Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0 and fixes have been incorporated by upstream. 
- Mozilla Firefox 49.0.1:
  * Mitigate a startup crash issue caused by Websense - bmo#1304783
- update to Firefox 49.0 (boo#999701)
  new features
  * Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins.
  * Added features to Reader Mode that make it easier on the eyes and the ears
  * Improved video performance for users on systems that support SSE3 without hardware acceleration
  * Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed
  * Improvements in about:memory reports for tracking font memory usage
  security related
  * MFSA 2016-85
    CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy
    CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString
    CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in PropertyProvider::GetSpacingInternal
    CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
    CVE-2016-5273 (bmo#1280387) - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset
    CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList
    CVE-2016-5274 (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState
    CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
    CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
    CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame
    CVE-2016-5279 (bmo#1249522) - Full local path of files is available to web pages after drag and drop
    CVE-2016-5280 (bmo#1289970) - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
    CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
    CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons from non-whitelisted schemes
    CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can reveal cross-origin data
    CVE-2016-5284 (bmo#1303127) - Add-on
update site certificate pin expiration CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 - removed obsolete patches: * mozilla-aarch64-48bit-va.patch * mozilla-exclude-nametablecpp.patch * mozilla-old_configure-bmo1282843.patch - added patch mozilla-skia-overflow.patch (bmo#1304114) - requires NSS 3.25 - Mozilla Firefox 48.0.2: * Mitigate a startup crash issue caused on Windows (bmo#1291738) - Mozilla Firefox 48.0.1: * Fix an audio regression impacting some major websites (bmo#1295296) * Fix a top crash in the JavaScript engine (bmo#1290469) * Fix a startup crash issue caused by Websense (bmo#1291738) * Fix a different behavior with e10s / non-e10s on <select> and mouse events (bmo#1291078) * Fix a top crash caused by plugin issues (bmo#1264530) * Fix a shutdown issue (bmo#1276920) * Fix a crash in WebRTC - added upstream patch so system plugins/extensions are correctly loaded again on x86-64 (bmo#1282843) (mozilla-old_configure-bmo1282843.patch) - Fix for possible buffer overrun (bsc#990856) CVE-2016-6354 (bmo#1292534) [mozilla-flex_buffer_overrun.patch] - Update mozilla-gtk3_20.patch to latest version from Fedora. 
- update to Firefox 48.0 (boo#991809) * requires NSS 3.24 * Process separation (e10s) is enabled for some of you * Add-ons that have not been verified and signed by Mozilla will not load * WebRTC embetterments * The media parser has been redeveloped using the Rust programming language * better Canvas performance with speedy Skia support security fixes: * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836 Miscellaneous memory safety hazards * MFSA 2016-63/CVE-2016-2830 (bmo#1255270) Favicon network connection can persist when page is closed * MFSA 2016-64/CVE-2016-2838 (bmo#1279814) Buffer overflow rendering SVG with bidirectional content * MFSA 2016-65/CVE-2016-2839 (bmo#1275339) Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 * MFSA 2016-66/CVE-2016-5251 (bmo#1255570) Location bar spoofing via data URLs with malformed/invalid mediatypes * MFSA 2016-67/CVE-2016-5252 (bmo#1268854) Stack underflow during 2D graphics rendering * MFSA 2016-68/CVE-2016-0718 (bmo#1236923) Out-of-bounds read during XML parsing in Expat library * MFSA 2016-69/CVE-2016-5253 (bmo#1246944) Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter (Windows-only) * MFSA 2016-70/CVE-2016-5254 (bmo#1266963) Use-after-free when using alt key and toplevel menus * MFSA 2016-71/CVE-2016-5255 (bmo#1212356) Crash in incremental garbage collection in JavaScript * MFSA 2016-72/CVE-2016-5258 (bmo#1279146) Use-after-free in DTLS during WebRTC session shutdown * MFSA 2016-73/CVE-2016-5259 (bmo#1282992) Use-after-free in service workers with nested sync events * MFSA 2016-74/CVE-2016-5260 (bmo#1280294) Form input type change from password to text can store plain text password in session restore file * MFSA 2016-75/CVE-2016-5261 (bmo#1287266) Integer overflow in WebSockets during data buffering * MFSA 2016-76/CVE-2016-5262 (bmo#1277475) Scripts on marquee tag can execute in sandboxed iframes * MFSA 2016-77/CVE-2016-2837 (bmo#1274637) Buffer overflow 
in ClearKey Content Decryption Module (CDM) during video playback
  * MFSA 2016-78/CVE-2016-5263 (bmo#1276897) Type confusion in display transformation
  * MFSA 2016-79/CVE-2016-5264 (bmo#1286183) Use-after-free when applying SVG effects
  * MFSA 2016-80/CVE-2016-5265 (bmo#1278013) Same-origin policy violation using local HTML file and saved shortcut file
  * MFSA 2016-81/CVE-2016-5266 (bmo#1226977) Information disclosure and local file manipulation through drag and drop
  * MFSA 2016-82/CVE-2016-5267 (bmo#1284372) Addressbar spoofing with right-to-left characters on Firefox for Android (Android only)
  * MFSA 2016-83/CVE-2016-5268 (bmo#1253673) Spoofing attack through text injection into internal error pages
  * MFSA 2016-84/CVE-2016-5250 (bmo#1254688) Information disclosure through Resource Timing API during page navigation
- removed obsolete mozilla-gcc6.patch
- Update description and screenshots in appdata.xml file.
- Fix Firefox crash on startup on i586 (boo#986541):
  * Add -fno-delete-null-pointer-checks and -fno-inline-small-functions to CFLAGS
- Update the appdata.xml file (replace Windows XP screenshot)
- Mozilla Firefox 47.0.1:
  * Selenium WebDriver may cause Firefox to crash at startup (bmo#1280854)
- mozilla-binutils-visibility.patch to fix build issues with gcc/binutils combination used in Leap 42.2 (boo#984637)
- Update mozilla-gtk3_20.patch to latest version from Fedora.
- Fix running on 48bit va aarch64 (bsc#984126)
  * add patch mozilla-aarch64-48bit-va.patch
- fix XUL dialog button order under KDE session (boo#984403)
- update to Firefox 47.0 (boo#983549)
  * Enable VP9 video codec for users with fast machines
  * Embedded YouTube videos now play with HTML5 video if Flash is not installed
  * View and search open tabs from your smartphone or another computer in a sidebar
  * Allow no-cache on back/forward navigations for https resources
  security fixes:
  * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818 (boo#983638) (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743, bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493, bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752, bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130, bmo#1269729, bmo#1273202, bmo#1273701) Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
  * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381) Buffer overflow parsing HTML5 fragments
  * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460) Use-after-free deleting tables from a contenteditable document
  * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129) Addressbar spoofing through the SELECT element
  * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580) Out-of-bounds write with WebGL shader
  * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093) Partial same-origin-policy through setting location.host through data URI
  * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810) Use-after-free when textures are used in WebGL operations after recycle pool destruction
  * MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329) Incorrect icon displayed on permissions notifications
  * MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933) Entering fullscreen and persistent pointerlock without user permission
  * MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267) Information disclosure of disabled plugins through CSS pseudo-classes
  * MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933) Java applets bypass CSP protections
  * MFSA
2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283, bmo#1221620, bmo#1241034, bmo#1241037) Network Security Services (NSS) vulnerabilities fixed by requiring NSS 3.23 packaging changes: * cleanup configure options (boo#981695): - notably remove GStreamer support which is gone from FF * remove obsolete patches - mozilla-libproxy.patch - mozilla-repo.patch - The conditional testing for gcc was failing for different openSUSE versions, drop it and apply patches unconditionally. - Add patches to fix building with gcc6: + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch taken from upstream: https://hg.mozilla.org/mozilla-central/rev/55212130f19d. + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp from unified compilation because #include <cmath> in other source files causes gcc6 compilation failure; patch taken from upstream: https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc. - enable build with PIE and full relro on x86_64 (boo#980384) - update to Firefox 46.0.1 Fixed: * Search plugin issue for various locales * Add-on signing certificate expiration * Service worker update issue * Build issue when jit is disabled * Limit Sync registration updates - removed now obsolete mozilla-jit_branch64.patch - add mozilla-jit_branch64.patch to avoid PowerPC build failure (from bmo#1266366) - Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest version from Fedora). 
- update to Firefox 46.0 (boo#977333) * Improved security of the JavaScript Just In Time (JIT) Compiler * WebRTC fixes to improve performance and stability * Added support for document.elementsFromPoint * Added HKDF support for Web Crypto API * requires NSPR 4.12 and NSS 3.22.3 * added patch to fix unchecked return value mozilla-check_return.patch * Gtk3 builds not supported at the moment security fixes: * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807 (boo#977373, boo#977375, boo#977376) Miscellaneous memory safety hazards * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377) Privilege escalation through file deletion by Maintenance Service updater (Windows only) * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378) Content provider permission bypass allows malicious application to access data (Android only) * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812 (bmo#1252330, bmo#1261776, boo#977379) Use-after-free and buffer overflow in Service Workers * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380) Disclosure of user actions through JavaScript with motion and orientation sensors (only affects mobile variants) * MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381) Buffer overflow in libstagefright with CENC offsets * MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382) CSP not applied to pages sent with multipart/x-mixed-replace * MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384) Elevation of privilege with chrome.tabs.update API in web extensions * MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386) Write to invalid HashMap entry through JavaScript.watch() * MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388) Firefox Health Reports could accept events from untrusted domains - Update mozilla-gtk3_20.patch to fix scrollbar appearance under gtk >= 3.20 (patch synced to Fedora's version). 
- Compile against gtk3 depending on whether the macro %firefox_use_gtk3 is defined or not (e.g., at the prjconf level); macro is undefined by default and so gtk2 is used as the default toolkit. - Add BuildRequires for additional packages needed when building against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0), pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0). - Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20; patch taken from Fedora (bmo#1230955). - Mozilla Firefox 45.0.2: * Fix an issue impacting the cookie header when third-party cookies are blocked (bmo#1257861) * Fix a web compatibility regression impacting the srcset attribute of the image tag (bmo#1259482) * Fix a crash impacting the video playback with Media Source Extension (bmo#1258562) * Fix a regression impacting some specific uploads (bmo#1255735) * Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (bmo#1254980) - Mozilla Firefox 45.0.1: * Fix a regression causing search engine settings to be lost in some context (bmo#1254694) * Bring back non-standard jar: URIs to fix a regression in IBM iNotes (bmo#1255139) * XSLTProcessor.importStylesheet was failing when <import> was used (bmo#1249572) * Fix an issue which could cause the list of search provider to be empty (bmo#1255605) * Fix a regression when using the location bar (bmo#1254503) * Fix some loading issues when Accept third-party cookies: was set to Never (bmo#1254856) * Disabled Graphite font shaping library - update to Firefox 45.0 (boo#969894) * requires NSPR 4.12 / NSS 3.21.1 * Instant browser tab sharing through Hello * Synced Tabs button in button bar * Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching * Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level * Tab Groups (Panorama) feature removed * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 
    Miscellaneous memory safety hazards
  * MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file overwriting and potential privilege escalation through CSP reports
  * MFSA 2016-18/CVE-2016-1955 (bmo#1208946) CSP reports fail to strip location information for embedded iframe pages
  * MFSA 2016-19/CVE-2016-1956 (bmo#1199923) Linux video memory DOS with Intel drivers
  * MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in libstagefright when deleting an array during MP4 processing
  * MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page address can be overridden
  * MFSA 2016-22/CVE-2016-1959 (bmo#1234949) Service Worker Manager out-of-bounds read in Service Worker Manager
  * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) Use-after-free in HTML5 string parser
  * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) Use-after-free in SetBody
  * MFSA 2016-25/CVE-2016-1962 (bmo#1240760) Use-after-free when using multiple WebRTC data channels
  * MFSA 2016-26/CVE-2016-1963 (bmo#1238440) Memory corruption when modifying a file being read by FileReader
  * MFSA 2016-27/CVE-2016-1964 (bmo#1243335) Use-after-free during XML transformations
  * MFSA 2016-28/CVE-2016-1965 (bmo#1245264) Addressbar spoofing through history navigation and Location protocol property
  * MFSA 2016-29/CVE-2016-1967 (bmo#1246956) Same-origin policy violation using perfomance.getEntries and history navigation with session restore
  * MFSA 2016-30/CVE-2016-1968 (bmo#1246742) Buffer overflow in Brotli decompression
  * MFSA 2016-31/CVE-2016-1966 (bmo#1246054) Memory corruption with malicious NPAPI plugin
  * MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/CVE-2016-1976/CVE-2016-1972 WebRTC and LibVPX vulnerabilities found through code inspection
  * MFSA 2016-33/CVE-2016-1973 (bmo#1219339) Use-after-free in GetStaticInstance in WebRTC
  * MFSA 2016-34/CVE-2016-1974 (bmo#1228103) Out-of-bounds read in HTML parser following a failed allocation
  * MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow during ASN.1
    decoding in NSS (fixed by requiring 3.21.1)
  * MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free during processing of DER encoded keys in NSS (fixed by requiring 3.21.1)
  * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font vulnerabilities in the Graphite 2 library
- Remove B_CNT from symbols.zip filename to reduce build-compare noise
- fix build problems on i586, caused by too large unified compile units
- adding mozilla-reduce-files-per-UnifiedBindings.patch
- update to Firefox 44.0.2
  * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438) Same-origin-policy violation using Service Workers with plugins
  * Fix issue which could lead to the removal of stored passwords under certain circumstances (bmo#1242176)
  * Allows spaces in cookie names (bmo#1244505)
  * Disable opus/vorbis audio with H.264 (bmo#1245696)
  * Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
  * Fix a crash in cache networking (bmo#1244076)
  * Fix using WebSockets in service worker controlled pages (bmo#1243942)
- build fixes for arm/aarch64:
  * disable webrtc for arm/aarch64
  * switch away from openGL-ES backend to default for arm/aarch64 since it almost never builds
  * reenable neon
- reenable webrtc for powerpc as it seems to build
- update to Firefox 44.0
  * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633 Miscellaneous memory safety hazards
  * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634 Out of Memory crash when parsing GIF format images
  * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635 Buffer overflow in WebGL after out of memory allocation
  * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637 Firefox allows for control characters to be set in cookie names
  * MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641 Missing delay following user click events in protocol handler dialog
  * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731 Errors in mp_div and mp_exptmod cryptographic functions in NSS (fixed by requiring NSS 3.21)
  * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590) Addressbar spoofing attacks boo#963643
  * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946 (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644 Unsafe memory manipulation found through code inspection
  * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645 Application Reputation service disabled in Firefox 43
  * requires NSPR 4.11
  * requires NSS 3.21
- prepare mozilla-kde.patch for Gtk3 builds
- rebased patches
- Mozilla Firefox 43.0.4:
  * Re-enable SHA-1 certificates to prevent outdated man-in-the-middle security devices from interfering with properly secured SSL/TLS connections (bmo#1236975)
  * Fix for startup crash for users of a third party antivirus tool (bmo#1235537)
- The following change was previously in the package as a patch:
  * Multi-user GNU/Linux download folders can be created (bmo#1233434), removed mozilla-bmo1233434.patch
- update to Firefox 43.0.3
  * requires NSS 3.20.2 to fix MFSA 2015-150/CVE-2015-7575 (bmo#1158489) MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
  * various changes to support Windows update (SHA-1 vs.
    SHA-2)
  * workaround Youtube user agent detection issue (bmo#1233970)
- fix file download regression for multi user systems (bmo#1233434) (mozilla-bmo1233434.patch)
- explicitly requires libXcomposite-devel
- update to Firefox 43.0 (bnc#959277)
  * Improved API support for m4v video playback
  * Users can opt-in to receive search suggestions from the Awesome Bar
  * WebRTC streaming on multiple monitors
  * User selectable second block list for Private Browsing's Tracking Protection
  security fixes:
  * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 Miscellaneous memory safety hazards
  * MFSA 2015-135/CVE-2015-7204 (bmo#1216130) Crash with JavaScript variable assignment with unboxed objects
  * MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin policy violation using perfomance.getEntries and history navigation
  * MFSA 2015-137/CVE-2015-7208 (bmo#1191423) Firefox allows for control characters to be set in cookies
  * MFSA 2015-138/CVE-2015-7210 (bmo#1218326) Use-after-free in WebRTC when datachannel is used after being destroyed
  * MFSA 2015-139/CVE-2015-7212 (bmo#1222809) Integer overflow allocating extremely large textures
  * MFSA 2015-140/CVE-2015-7215 (bmo#1160890) Cross-origin information leak through web workers error events
  * MFSA 2015-141/CVE-2015-7211 (bmo#1221444) Hash in data URI is incorrectly parsed
  * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) DOS due to malformed frames in HTTP/2
  * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) Linux file chooser crashes on malformed images due to flaws in Jasper library
  * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221 (bmo#1201183, bmo#1178033, bmo#1199400) Buffer overflows found through code inspection
  * MFSA 2015-145/CVE-2015-7205 (bmo#1220493) Underflow through code inspection
  * MFSA 2015-146/CVE-2015-7213 (bmo#1206211) Integer overflow in MP4 playback in 64-bit versions
  * MFSA 2015-147/CVE-2015-7222 (bmo#1216748) Integer underflow and buffer overflow processing MP4 metadata in
    libstagefright
  * MFSA 2015-148/CVE-2015-7223 (bmo#1226423) Privilege escalation vulnerabilities in WebExtension APIs
  * MFSA 2015-149/CVE-2015-7214 (bmo#1228950) Cross-site reading attack through data and view-source URIs
- rebased patches
- Add desktop menu action for private browsing window to desktop file (boo#954747)
- remove obsolete patch mozilla-bmo1005535.patch completely from source package to avoid automatic check failures
- update to Firefox 42.0 (bnc#952810)
  * Private Browsing with Tracking Protection blocks certain Web elements that could be used to record your behavior across sites
  * Control Center that contains site security and privacy controls
  * Login Manager improvements
  * WebRTC improvements
  * Indicator added to tabs that play audio with one-click muting
  * Media Source Extension for HTML5 video available for all sites
  security fixes:
  * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514 Miscellaneous memory safety hazards
  * MFSA 2015-117/CVE-2015-4515 (bmo#1046421) Information disclosure through NTLM authentication
  * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692) CSP bypass due to permissive Reader mode whitelist
  * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only) Firefox for Android addressbar can be removed after fullscreen mode
  * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only) Reading sensitive profile files through local HTML file on Android
  * MFSA 2015-121/CVE-2015-7187 (bmo#1195735) disabling scripts in Add-on SDK panels has no effect
  * MFSA 2015-122/CVE-2015-7188 (bmo#1199430) Trailing whitespace in IP address hostnames can bypass same-origin policy
  * MFSA 2015-123/CVE-2015-7189 (bmo#1205900) Buffer overflow during image interactions in canvas
  * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only) Android intents can be used on Firefox for Android to open privileged files
  * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only) XSS attack through intents on Firefox for Android
  * MFSA 2015-126/CVE-2015-7192 (bmo#1210023)
    (OS X only) Crash when accessing HTML tables with accessibility tools on OS X
  * MFSA 2015-127/CVE-2015-7193 (bmo#1210302) CORS preflight is bypassed when non-standard Content-Type headers are received
  * MFSA 2015-128/CVE-2015-7194 (bmo#1211262) Memory corruption in libjar through zip files
  * MFSA 2015-129/CVE-2015-7195 (bmo#1211871) Certain escaped characters in host of Location-header are being treated as non-escaped
  * MFSA 2015-130/CVE-2015-7196 (bmo#1140616) JavaScript garbage collection crash with Java applet
  * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 (bmo#1188010, bmo#1204061, bmo#1204155) Vulnerabilities found through code inspection
  * MFSA 2015-132/CVE-2015-7197 (bmo#1204269) Mixed content WebSocket policy bypass through workers
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 (bmo#1202868, bmo#1205157) NSS and NSPR memory corruption issues (fixed in mozilla-nspr and mozilla-nss packages)
- requires NSPR >= 4.10.10 and NSS >= 3.19.4
- removed obsolete patches
  * mozilla-arm-disable-edsp.patch
  * mozilla-icu-strncat.patch
  * mozilla-skia-be-le.patch
  * toolkit-download-folder.patch
- fixed build with enable-libproxy (bmo#1220399)
  * mozilla-libproxy.patch
- update to Firefox 41.0.2 (bnc#950686)
  * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669) Cross-origin restriction bypass using Fetch
- added explicit appdata provides (bnc#949983)
- do not build with --enable-stdcxx-compat (this starts to fail build on various toolchain combinations and is not required for openSUSE builds in general)
- update to Firefox 41.0.1
  * Fix a startup crash related to Yandex toolbar and Adblock Plus (bmo#1209124)
  * Fix potential hangs with Flash plugins (bmo#1185639)
  * Fix a regression in the bookmark creation (bmo#1206376)
  * Fix a startup crash with some Intel Media Accelerator 3150 graphic cards (bmo#1207665)
  * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
- update to Firefox 41.0 (bnc#947003)
  * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards
  * MFSA 2015-97/CVE-2015-4503 (bmo#994337) Memory leak in mozTCPSocket to servers
  * MFSA 2015-98/CVE-2015-4504 (bmo#1132467) Out of bounds read in QCMS library with ICC V4 profile attributes
  * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only) Site attribute spoofing on Android by pasting URL with unknown scheme
  * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) Arbitrary file manipulation by local user through Mozilla updater
  * MFSA 2015-101/CVE-2015-4506 (bmo#1192226) Buffer overflow in libvpx while parsing vp9 format video
  * MFSA 2015-102/CVE-2015-4507 (bmo#1192401) Crash when using debugger with SavedStacks in JavaScript
  * MFSA 2015-103/CVE-2015-4508 (bmo#1195976) URL spoofing in reader mode
  * MFSA 2015-104/CVE-2015-4510 (bmo#1200004) Use-after-free with shared workers and IndexedDB
  * MFSA 2015-105/CVE-2015-4511 (bmo#1200148) Buffer overflow while decoding WebM video
  * MFSA 2015-106/CVE-2015-4509 (bmo#1198435) Use-after-free while manipulating HTML media content
  * MFSA 2015-107/CVE-2015-4512 (bmo#1170390) Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
  * MFSA 2015-108/CVE-2015-4502 (bmo#1105045) Scripted proxies can access inner window
  * MFSA 2015-109/CVE-2015-4516 (bmo#904886) JavaScript immutable property enforcement can be bypassed
  * MFSA 2015-110/CVE-2015-4519 (bmo#1189814) Dragging and dropping images exposes final URL after redirects
  * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869) Errors in the handling of CORS preflight request headers
  * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/CVE-2015-7180 Vulnerabilities found through code inspection
  * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860, bmo#1190526) (Windows only) Memory safety errors in libGLES in the ANGLE graphics library
  * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only) Information
    disclosure via the High Resolution Time API
- rebased patches
- removed obsolete patches
  * mozilla-arm64-libjpeg-turbo.patch
- update to Firefox 40.0.3 (bnc#943550)
  * Disable the asynchronous plugin initialization (bmo#1198590)
  * Fix a segmentation fault in the GStreamer support (bmo#1145230)
  * Fix a regression with some Japanese fonts used in the <input> field (bmo#1194055)
  * On some sites, the selection in a select combo box using the mouse could be broken (bmo#1194733)
  security fixes
  * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278) Use-after-free when resizing canvas element during restyling
  * MFSA 2015-95/CVE-2015-4498 (bmo#1042699) Add-on notification bypass through data URLs
- update to Firefox 40.0 (bnc#940806)
  * Added protection against unwanted software downloads
  * Suggested Tiles show sites of interest, based on categories from your recent browsing history
  * Hello allows adding a link to conversations to provide context on what the conversation will be about
  * New style for add-on manager based on the in-content preferences style
  * Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only)
  * Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked
  security fixes:
  * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards
  * MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file
  * MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream playback
  * MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties
  * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright
  * MFSA 2015-84/CVE-2015-4481 (bmo#1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows)
  * MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file
    (does not affect openSUSE RPM packages which do not ship the updater)
  * MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol with POST bypasses mixed content protections
  * MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript
  * MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images
  * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video
  * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection
  * MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
  * MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers
- added mozilla-no-stdcxx-check.patch
- removed obsolete patches
  * mozilla-add-glibcxx_use_cxx11_abi.patch
  * firefox-multilocale-chrome.patch
- rebased patches
- requires version 40 of the branding package
- removed browser/searchplugins/ location as it's not valid anymore
- security update to Firefox 39.0.3 (bnc#940918)
  * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) Same origin violation and local file stealing via PDF reader
- update to Firefox 39.0 (bnc#935979)
  * Share Hello URLs with social networks
  * Support for 'switch' role in ARIA 1.1 (web accessibility)
  * SafeBrowsing malware detection lookups enabled for downloads (Mac OS X and Linux)
  * Support for new Unicode 8.0 skin tone emoji
  * Removed support for insecure SSLv3 for network communications
  * Disable use of RC4 except for temporarily whitelisted hosts
  * NPAPI Plug-in performance improved via asynchronous initialization
  security fixes:
  * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726 Miscellaneous memory safety hazards
  * MFSA 2015-60/CVE-2015-2727 (bmo#1163422) Local files or privileged URLs in pages can be opened into new tabs
  * MFSA 2015-61/CVE-2015-2728 (bmo#1142210) Type confusion
    in Indexed Database Manager
  * MFSA 2015-62/CVE-2015-2729 (bmo#1122218) Out-of-bound read while computing an oscillator rendering range in Web Audio
  * MFSA 2015-63/CVE-2015-2731 (bmo#1149891) Use-after-free in Content Policy due to microtask execution error
  * MFSA 2015-64/CVE-2015-2730 (bmo#1125025) ECDSA signature validation fails to handle some signatures correctly (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867) Use-after-free in workers while using XMLHttpRequest
  * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737 CVE-2015-2738/CVE-2015-2739/CVE-2015-2740 Vulnerabilities found through code inspection
  * MFSA 2015-67/CVE-2015-2741 (bmo#1147497) Key pinning is ignored when overridable errors are encountered
  * MFSA 2015-68/CVE-2015-2742 (bmo#1138669) OS X crash reports may contain entered key press information (not relevant under Linux)
  * MFSA 2015-69/CVE-2015-2743 (bmo#1163109) Privilege escalation in PDF.js
  * MFSA 2015-70/CVE-2015-4000 (bmo#1138554) NSS accepts export-length DHE keys with regular DHE cipher suites (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-71/CVE-2015-2721 (bmo#1086145) NSS incorrectly permits skipping of ServerKeyExchange (this fix is shipped by NSS 3.19.1 externally)
- dropped mozilla-prefer_plugin_pref.patch as this feature is likely not worth maintaining further
- rebased patches
- require NSS 3.19.2
- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
- update to Firefox 38.0.6
  * fixes bmo#1171730 which is not really relevant to oS builds
- fix KDE regression from 38.0.5 builds (bsc#933439)
- update to Firefox 38.0.5
  * Keep track of articles and videos with Pocket
  * Clean formatting for articles and blog posts with Reader View
  * Share the active tab or window in a Hello conversation
- add changes file as source for SRPM (bsc#932142)
- add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from
  https://bugzilla.mozilla.org/show_bug.cgi?id=1153109
- update to Firefox 38.0.1
  stability and regression fixes
  * Systems with first generation NVidia Optimus graphics cards may crash on start-up
  * Users who import cookies from Google Chrome can end up with broken websites
  * Large animated images may fail to play and may stop other images from loading
- update to Firefox 38.0 (bnc#930622)
  * New tab-based preferences
  * Ruby annotation support
  * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
  security fixes:
  * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous memory safety hazards
  * MFSA 2015-47/CVE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer
  * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS
  * MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy ignored when links opened by middle-click and context menu
  * MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds read and write in asm.js validation
  * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled
  * MFSA 2015-53/CVE-2015-2715 (bmo#988698) Use-after-free due to Media Decoder Thread creation during shutdown
  * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing compressed XML
  * MFSA 2015-55/CVE-2015-2717 (bmo#1154683) Buffer overflow and out-of-bounds read while parsing MP4 video metadata
  * MFSA 2015-56/CVE-2015-2718 (bmo#1146724) Untrusted site hosting trusted page can intercept webchannel responses
  * MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege escalation through IPC channel messages
- requires NSS 3.18.1
- removed obsolete patches:
  * mozilla-skia-bmo1136958.patch
- remove gnomevfs build options as it is removed from sources
- rebased patches
- update to Firefox 37.0.2 (bnc#928116)
  * MFSA 2015-45/CVE-2015-2706 (bmo#1141081) Memory corruption during failed plugin initialization
- update to Firefox 37.0.1 (bnc#926166)
  * MFSA 2015-43/CVE-2015-0798
    (bmo#1147597) (Android only) Loading privileged content through Reader mode
  * MFSA 2015-44/CVE-2015-0799 (bmo#1148328) Certificate verification bypass through the HTTP/2 Alt-Svc header
- update to Firefox 37.0 (bnc#925368)
  * Heartbeat user rating system
  * Yandex set as default search provider for the Turkish locale
  * Bing search now uses HTTPS for secure searching
  * Improved protection against site impersonation via OneCRL centralized certificate revocation
  * Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc
  * some more behaviour changes for TLS
  security fixes:
  * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 Miscellaneous memory safety hazards
  * MFSA 2015-31/CVE-2015-0813 (bmo#1106596) Use-after-free when using the Fluendo MP3 GStreamer plugin
  * MFSA 2015-32/CVE-2015-0812 (bmo#1128126) Add-on lightweight theme installation approval bypassed through MITM attack
  * MFSA 2015-33/CVE-2015-0816 (bmo#1144991) resource:// documents can load privileged pages
  * MFSA-2015-34/CVE-2015-0811 (bmo#1132468) Out of bounds read in QCMS library
  * MFSA-2015-35/CVE-2015-0810 (bmo#1125013) Cursor clickjacking with flash and images (OS X only)
  * MFSA-2015-36/CVE-2015-0808 (bmo#1109552) Incorrect memory management for simple-type arrays in WebRTC
  * MFSA-2015-37/CVE-2015-0807 (bmo#1111834) CORS requests should not follow 30x redirections after preflight
  * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437) Memory corruption crashes in Off Main Thread Compositing
  * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560) Use-after-free due to type confusion flaws
  * MFSA-2015-40/CVE-2015-0801 (bmo#1146339) Same-origin bypass through anchor navigation
  * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808 PRNG weakness allows for DNS poisoning on Android (only)
  * MFSA-2015-42/CVE-2015-0802 (bmo#1124898) Windows can retain access to privileged content on navigation to unprivileged pages
- removed obsolete patches
  * mozilla-bmo1088588.patch
  * mozilla-bmo1108834.patch
- requires NSPR 4.10.8
- Fix builds with skia on Power
  mozilla-skia-be-le.patch (patch from #bmo1136958)
  mozilla-bmo1108834.patch
  mozilla-bmo1005535.patch
- update to Firefox 36.0.4 (bnc#923534)
  * MFSA 2015-28/CVE-2015-0818 (bmo#1144988) Privilege escalation through SVG navigation
  * MFSA 2015-29/CVE-2015-0817 (bmo#1145255) Code execution through incorrect JavaScript bounds checking elimination
- Copy the icons to /usr/share/icons instead of symlinking them: in preparation for containerized apps (e.g. xdg-app) as well as AppStream metadata extraction, there are a couple locations that need to be real files for system integration (.desktop files, icons, mime-type info).
- update to Firefox 36.0.1
  Bugfixes:
  * Disable the usage of the ANY DNS query type (bmo#1093983)
  * Hello may become inactive until restart (bmo#1137469)
  * Print preferences may not be preserved (bmo#1136855)
  * Hello contact tabs may not be visible (bmo#1137141)
  * Accept hostnames that include an underscore character ("_") (bmo#1136616)
  * WebGL may use significant memory with Canvas2d (bmo#1137251)
  * Option -remote has been restored (bmo#1080319)
- added mozilla-skia-bmo1136958.patch to fix build issues for ARM and PPC
- update to Firefox 36.0 (bnc#917597)
  * mozilla-xremote-client was removed
  * added libclearkey.so media plugin
  * Pinned tiles on the new tab page can be synced
  * Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web.
  * Locale added: Uzbek (uz)
  security fixes:
  * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836 Miscellaneous memory safety hazards
  * MFSA 2015-12/CVE-2015-0833 (bmo#945192) Invoking Mozilla updater will load locally stored DLL files (Windows only)
  * MFSA 2015-13/CVE-2015-0832 (bmo#1065909) Appended period to hostnames can bypass HPKP and HSTS protections
  * MFSA 2015-14/CVE-2015-0830 (bmo#1110488) Malicious WebGL content crash when writing strings
  * MFSA 2015-15/CVE-2015-0834 (bmo#1098314) TLS TURN and STUN connections silently fail to simple TCP connections
  * MFSA 2015-16/CVE-2015-0831 (bmo#1130514) Use-after-free in IndexedDB
  * MFSA 2015-17/CVE-2015-0829 (bmo#1128939) Buffer overflow in libstagefright during MP4 video playback
  * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675) Double-free when using non-default memory allocators with a zero-length XHR
  * MFSA 2015-19/CVE-2015-0827 (bmo#1117304) Out-of-bounds read and write while rendering SVG content
  * MFSA 2015-20/CVE-2015-0826 (bmo#1092363) Buffer overflow during CSS restyling
  * MFSA 2015-21/CVE-2015-0825 (bmo#1092370) Buffer underflow during MP3 playback
  * MFSA 2015-22/CVE-2015-0824 (bmo#1095925) Crash using DrawTarget in Cairo graphics library
  * MFSA 2015-23/CVE-2015-0823 (bmo#1098497) Use-after-free in Developer Console date with OpenType Sanitiser
  * MFSA 2015-24/CVE-2015-0822 (bmo#1110557) Reading of local files through manipulation of form autocomplete
  * MFSA 2015-25/CVE-2015-0821 (bmo#1111960) Local files or privileged URLs in pages can be opened into new tabs
  * MFSA 2015-26/CVE-2015-0819 (bmo#1079554) UI Tour whitelisted sites in background tab can spoof foreground tabs
  * MFSA 2015-27/CVE-2015-0820 (bmo#1125398) Caja Compiler JavaScript sandbox bypass
- rebased patches
- requires NSS 3.17.4
- update to Firefox 35.0.1
  * With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
  * Kerberos authentication did not work with alias (bmo#1108971)
  * SVG / CSS animation had a regression causing rendering issues
    on websites like openstreemap.org (bmo#1083079)
  * On Godaddy webmail, Firefox could crash (bmo#1113121)
  * document.baseURI did not get updated to document.location after base tag was removed from DOM for site with a CSP (bmo#1121857)
  * With a Right-to-left (RTL) version of Firefox, the text selection could be broken (bmo#1104036)
  * CSP had a change in behavior with regard to case sensitivity resources loading (bmo#1122445)
- update to Firefox 35.0 (bnc#910669)
  notable features:
  * Firefox Hello with new rooms-based conversations model
  * Implemented HTTP Public Key Pinning Extension (for enhanced authentication of encrypted connections)
  security fixes:
  * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635 Miscellaneous memory safety hazards
  * MFSA 2015-02/CVE-2014-8637 (bmo#1094536) Uninitialized memory use during bitmap rendering
  * MFSA 2015-03/CVE-2014-8638 (bmo#1080987) sendBeacon requests lack an Origin header
  * MFSA 2015-04/CVE-2014-8639 (bmo#1095859) Cookie injection through Proxy Authenticate responses
  * MFSA 2015-05/CVE-2014-8640 (bmo#1100409) Read of uninitialized memory in Web Audio
  * MFSA 2015-06/CVE-2014-8641 (bmo#1108455) Read-after-free in WebRTC
  * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only) Gecko Media Plugin sandbox escape
  * MFSA 2015-08/CVE-2014-8642 (bmo#1079658) Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension
  * MFSA 2015-09/CVE-2014-8636 (bmo#987794) XrayWrapper bypass through DOM objects
- rebased patches
- dropped explicit support for everything older than 12.3 (including SLES11)
  * merge firefox-kde.patch and firefox-kde-114.patch
  * dropped mozilla-sle11.patch
- reworked specfile to build conditionally based on release channel either Firefox or Firefox Developer Edition
- added mozilla-openaes-decl.patch to fix implicit declarations
- obsolete tracker-miner-firefox < 0.15 because it leads to startup crashes (bnc#908892)
- fix bashism in mozilla.sh script
- update to Firefox 34.0.5 (bnc#908009)
  * Default search
    engine changed to Yahoo! for North America
  * Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales
  * Improved search bar (en-US only)
  * Firefox Hello real-time communication client
  * Easily switch themes/personas directly in the Customizing mode
  * Implementation of HTTP/2 (draft14) and ALPN
  * Disabled SSLv3
  * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588 Miscellaneous memory safety hazards
  * MFSA 2014-84/CVE-2014-1589 (bmo#1043787) XBL bindings accessible via improper CSS declarations
  * MFSA 2014-85/CVE-2014-1590 (bmo#1087633) XMLHttpRequest crashes with some input streams
  * MFSA 2014-86/CVE-2014-1591 (bmo#1069762) CSP leaks redirect data via violation reports
  * MFSA 2014-87/CVE-2014-1592 (bmo#1088635) Use-after-free during HTML5 parsing
  * MFSA 2014-88/CVE-2014-1593 (bmo#1085175) Buffer overflow while parsing media content
  * MFSA 2014-89/CVE-2014-1594 (bmo#1074280) Bad casting from the BasicThebesLayer to BasicContainerLayer
- rebased patches
- limit linker memory usage for %ix86
- rebased patches
- update to Firefox 33.1
  * Adding DuckDuckGo as a search option (upstream)
  * Forget Button added
  * Enhanced Tiles
  * Privacy tour introduced
- fix typo in GStreamer Recommends
- Disable elf-hack for aarch64
- Enable EGL for aarch64
- Limit RAM usage during link for %arm
- Fix _constraints for ARM
- use proper macros for ARM
- use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too to fix compiling.
- pass '-Wl,--no-keep-memory' to linker to reduce required memory during linking on arm.
- update to Firefox 33.0.2
  * Fix a startup crash with some combination of hardware and drivers
  33.0.1
  * Firefox displays a black screen at start-up with certain graphics drivers
- adjusted _constraints for ARM
- added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
- define /usr/share/myspell as additional dictionary location and remove add-plugins.sh finally (bnc#900639)
- use Firefox default optimization flags instead of -Os
- specfile cleanup
- fix build for all ppc by not enabling elf-hack (bnc#901213)

==== MozillaThunderbird ====
Version update (68.1.1 -> 68.2.1)
Subpackages: MozillaThunderbird-translations-common MozillaThunderbird-translations-other

- Mozilla Thunderbird 68.2.1
  * new: A language for the user interface can now be chosen in the advanced settings (multilingual UI) (bmo#1590206)
  * fixed: Problem with Google authentication (OAuth2) (bmo#1592407)
  * fixed: Selected or unread messages not shown in the correct color in the thread pane (message list) under some circumstances (bmo#1585765)
  * fixed: When using a language pack, names of standard folders weren't localized (bmo#1575512, boo#1149126)
  * fixed: Address book default startup directory in preferences panel not persisted (bmo#1591364)
  * fixed: Various visual glitches: Conditions in filter editor not high enough, folder location widget not showing folder name, problem with menubar customization, add-on home page links accumulating, theme issues on Windows 7 (bmo#1590666)
  * fixed: Issues when upgrading from a 32bit version of Thunderbird to a 64bit version. Note: If your profile is still not recognised, select it by visiting about:profiles in the Troubleshooting Information.
    (bmo#1587067)
  * fixed: Chat: Extended context menu on Instant messaging status dialog (Show Accounts) (bmo#1591506)
- added mozilla-bmo1504834-part4.patch to fix some visual issues on big endian platforms
- Mozilla Thunderbird 68.2
  * new: Message Display WebExtension API
  * new: Message Search WebExtension API
  * Bugfixes
    Better visual feedback for unread messages when using the dark theme
    Various issues when editing mailing lists
    Integration with macOS addressbook and notifications not working after introduction of notarization
    Application windows not maintaining their size after restart
    Issues when upgrading from a 32bit version of Thunderbird to a 64bit version.
  * various security fixes MFSA 2019-33/2019-35 (bsc#1154738)
  * CVE-2019-15903 (bmo#1584907) Heap overflow in expat library in XML_GetCurrentLineNumber
  * CVE-2019-11757 (bmo#1577107) Use-after-free when creating index updates in IndexedDB
  * CVE-2019-11758 (bmo#1536227) Potentially exploitable crash due to 360 Total Security
  * CVE-2019-11759 (bmo#1577953) Stack buffer overflow in HKDF output
  * CVE-2019-11760 (bmo#1577719) Stack buffer overflow in WebRTC networking
  * CVE-2019-11761 (bmo#1561502) Unintended access to a privileged JSONView object
  * CVE-2019-11762 (bmo#1582857) document.domain-based origin isolation has same-origin-property violation
  * CVE-2019-11763 (bmo#1584216) Incorrect HTML parsing results in XSS bypass technique
  * CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223, bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933, bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599, bmo#1586845) Memory safety bugs fixed in Thunderbird 68.2
- removed upstream patches:
  * mozilla-bmo1512162.patch
  * mozilla-bmo1573381.patch
  * mozilla-bmo1585099.patch
- Mozilla Thunderbird 68.1.2 (bsc#1153879)
  Bugfixes
  * Some attachments couldn't be opened in messages originating from MS Outlook 2016
  * Address book import from CSV
  * Performance problem in message body search
  * Ctrl+Enter to send a message would open an
attachment if the attachment pane had focus * Calendar: Issues with "Today Pane" start-up * Calendar: Glitches with custom repeat and reminder number input * Calendar: Problems with WCAP provider - add mozilla-bmo1585099.patch to fix build with rust >= 1.38 - add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO) - updated translations-other locale list - remove kde.js since disabling instantApply breaks extensions and is obsolete with the move to HTML views for preferences (boo#1151186) - Update create-tar.sh (bsc#1152778) - Update mozilla-bmo1512162.patch to the patch now commited upstream * No more -O1 builds for ppc64le necessary - Deactivate currently useless crashreporter for the last remaining arch ==== aaa_base ==== Subpackages: aaa_base-extras aaa_base-malloccheck - Add patch git-12-80d14205f913cc67a98c562f988ea700a56c369b.patch * service: check if there is a second argument before using it (bsc#1051143) - Add patch git-11-b20083a930f766939f47dddc66d089c9fee5d38a.patch * check if variables can be set before modifying them to avoid warnings on login with a restricted shell (bsc#1138869) - Add patch git-08-9875dffab3ddda0c3e8399f935f059246c961f2a.patch * Add s390x compressed kernel support (bsc#1151023) - Add git-09-c6cd010dd8b6efddd71c30f00a923d8f2537584c.patch * Fix LC_NAME and LC_ADDRESS in sh.ssh - Add patch git-10-43091e644ff54997468a215b891dcaa75173f133.patch * fix string test to arithmetic test in /etc/profile.d/wsl.sh ==== autoyast2 ==== Version update (4.2.12 -> 4.2.19) Subpackages: autoyast2-installation - report wrong type of param-list instead of crash (bsc#1143260) - 4.2.19 - Fix autoinstallation on online medium (bsc#1156058) - 4.2.18 - Update schema to support setting the encryption method through the 'crypt_method' (related to jsc#SLE-7376). 
- 4.2.17
- AutoYaST support for the Full installation medium (jsc#SLE-7101)
- 4.2.16
- fix auto-adding required packages for autoyast sections (bsc#1153746)
- don't run kdump autoyast config in 2nd stage
- 4.2.15
- bnc#1154855 - During firstboot ayast_setup will not be executed.
- 4.2.14
- Do not crash when using the online medium without the registration section in the AY XML profile, display an error message with some hints (bsc#1154988)
- 4.2.13

==== bluedevil5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: bluedevil5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== breeze ====
Version update (5.17.1 -> 5.17.2)
Subpackages: breeze5-cursors breeze5-decoration breeze5-style breeze5-style-lang breeze5-wallpapers libbreezecommon5-5

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== breeze-gtk ====
Version update (5.17.1 -> 5.17.2)
Subpackages: gtk2-metatheme-breeze gtk3-metatheme-breeze metatheme-breeze-common

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- Changes since 5.17.1:
  * [GTK3] Revert checkbox recolouring (kde#412078)

==== breeze4-style ====
Version update (5.17.1 -> 5.17.2)
Subpackages: libbreezecommon4-5

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== cpupower ====
Version update (4.19 -> 5.1)
Subpackages: libcpupower0

- Update turbostat to latest version 19.08.31
- Add intel-speed-select tool (jsc#SLE-5364)
  A intel-speed-select-1.0.tar.bz2
  A intel-speed-select_remove_DATE_TIME.patch
- Fix missing governors when running cpupower frequency-info (bsc#1117709)
  M rapl_monitor.patch
- jira#5244 Turbostat for Ice Lake
- Remove very old cpufrequtils provides and requires (predecessor)
- Update libcpupower description
- Sidenote about fate#321274 - This feature is on the kernel side and got wrongly mentioned in cpupower in a released product.
- Update to latest kernel HEAD sources (5.1-rc4, 15ade5d2e7775667cf191cf2f94327a4889f8b9d)
  Patches included mainline:
  D cpupower_fix_compilation_and_sysfs_read_file_mess.patch
  D cpupower_bash-completion_for_cpupower_tool.patch
  Adjusted patches:
  M turbostat_makefile_fix_asm_header.patch
  M x86_perf_makefile_fix_asm_header.patch
  M rapl_monitor.patch
  M cpupower_rapl.patch
- Description updates.
- Run spec-cleaner
- Don't disable as-needed, it works now.
- Add bash completion for cpupower command (from mainline submit)
  A cpupower_bash-completion_for_cpupower_tool.patch
- Fix static compilation and sysfs_read_file mess
  A cpupower_fix_compilation_and_sysfs_read_file_mess.patch

==== digikam ====
Version update (6.0.0 -> 6.3.0)
Subpackages: digikam-lang libdigikamcore6 showfoto

- Do not enable Faces Engine DNN for ppc64le to avoid build error
- Update to 6.3.0
  * https://www.digikam.org/news/2019-09-08-6.3.0_release_announcement/
- New features (from NEWS):
  General : Internal Libraw updated to last stable 0.19.5.
  General : First version of exported DPlugin API for future external contributions.
  ImageEditor: new external plugin based on GMicQt included in all bundles (https://github.com/c-koi/gmic-qt)
- 193 bugs fixed
- bsc#1144232 - Drop jasper dependency from Digikam: Disable JPEG2000 support due to removal of jasper
- Add BuildRequires libjpeg8 for regular JPEG support
- Update to 6.2.0
  * https://www.digikam.org/news/2019-08-04-6.2.0_release_announcement/
- New features (from NEWS):
  IconView : HiDPI support for 4K screens.
  General : Internal Libraw updated to last stable 0.19.3.
  New camera supported: Canon A560, FujiFilm X-T30, Nikon Coolpix A1000, Z6, Z7, Olympus E-M1X, Sony ILCE-6400, Several dng files from phones and drones.
  Full camera List supported: https://www.libraw.org/supported-cameras-snapshot-201903
- 310 bugs fixed
- Drop patches merged upstream:
  * Fix-compilation-with-Qt-5.6.patch
  * Fix-build-with-QtWebEngine-5.6.patch
- Refresh 0001-Disable-detection-of-OpenGL-for-GLES-platforms.patch
- Drop Lower-minimum-exiv2-version.patch, the latest digikam version just crashes on start with exiv2-0.25 (kde#407022)
- Update to 6.1.0
  * https://www.digikam.org/news/2019-04-14-6.1.0_release_announcement/
- New features (from NEWS):
  General : New plugins interface for digiKam and Showfoto named dplugins.
  General : All export tools become generic plugins and are shared with Showfoto.
  General : Update internal libpgf to last 07193.
  General : Add compatibility with OpenCV version 4.
  General : MacOS and AppImage bundles are now published with Qt 5.11.3.
  General : Add new optional configuration option to compile with Faces Engine Neural Network.
  General : Add optional support to ImageMagick codecs to support extra image formats as XCF, FITS, HEIC, etc.
  BQM : Add new advanced settings in resize tool.
  BQM : All Batch Queue Manager tools become Bqm plugins.
  Editor : All Image Editor tools become Editor plugins and are shared with Showfoto.
  Item View : Add sort items by modification date.
  DPlugin : New plugin to copy items to a local storage.
  DPlugin : New plugin to set image as Linux desktop wallpaper.
- 138 bugs fixed
- Add digikam-devel subpackage
- Add digikam-plugins subpackage that contains all the plugins
- Move plugins' icons to the -plugins subpackage
- Move enblend-enfuse and hugin Recommends to the -plugins package as the functionality has been moved to the plugins
- Add pkgconfig(Magic++) BuildRequires to enable the new ImageMagick support
- Add patches to fix build on Leap 42.3:
  * Fix-compilation-with-Qt-5.6.patch
  * Fix-build-with-QtWebEngine-5.6.patch
- Refresh 0001-Disable-detection-of-OpenGL-for-GLES-platforms.patch

==== discover ====
Version update (5.17.1 -> 5.17.2)
Subpackages: discover-backend-flatpak discover-backend-fwupd discover-backend-packagekit discover-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- Changes since 5.17.1:
  * notifier: make it possible to replace the instance
  * app delegate: improve on narrow windows (kde#411828)
  * flatpak: oops
  * pk: notify about problems regarding file listing
  * appstream: support more formats of appstream urls (kde#408419)
  * notifier: don't autostart outside of Plasma (kde#413235)
  * snap: fix cancelling (kde#404358)
  * pk: readability
  * pk: Make action buttons translatable
  * notifier: Make action buttons translatable
  * pk: don't show redundant packages on updates

==== drkonqi5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: drkonqi5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- Changes since 5.17.1:
  * typo--

==== ethtool ====
Version update (4.13 -> 5.3)

- upgrade to upstream version 5.3 (jsc#SLE-7328)
  * drop mainline backports contained in v5.3
    Revert-ethtool-Add-DMA-Coalescing-support.patch
    ethtool-Support-for-FEC-encoding-control.patch
    ethtool-add-support-for-extra-RSS-contexts-and-RSS-s.patch
    ethtool-better-syntax-for-combinations-of-FEC-modes.patch
    ethtool-copy.h-sync-with-net-next-2.patch
    ethtool-copy.h-sync-with-net-next.patch
    ethtool-correct-VF-index-values-for-the-ring_cookie-.patch
    ethtool-correct-display-of-VF-when-showing-vf-queue-.patch
    ethtool-don-t-fall-back-to-grxfhindir-when-context-w.patch
    ethtool-fix-MFLCN-register-dump-for-82599-and-newer.patch
    ethtool-fix-stack-clash-in-do_get_phy_tunable-and-do.patch
    ethtool-show-VF-and-queue-in-the-help-for-N.patch
    ethtool-support-combinations-of-FEC-modes.patch
    ethtool.8-Document-RSS-context-control-and-RSS-filte.patch
  * provide bash completion
- minor specfile cleanup

==== inkscape ====
Subpackages: inkscape-extensions-extra inkscape-extensions-gimp inkscape-lang

- Add patches from upstream (some with slight modifications to apply correctly) to adapt to poppler 0.79 (boo#1155596):
  * 0001-Fix-compilation-with-poppler-0.64.patch
  * 0002-Fix-compilation-with-poppler-0.65.patch
  * 0003-Modified-fix-for-compatibility-with-poppler-0.64.patch
  * 0004-fix-1789208-poppler-0.69.patch
  * 0005-fix-poppler-0.71.0-build.patch
  * 0006-fix-poppler-0.72.0-build.patch
  * 0007-Tentative-fix-for-poppler-0.76.patch

==== kactivitymanagerd ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kactivitymanagerd-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== kbd ====
Subpackages: kbd-legacy

- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)
- fbtest.c: include <sys/sysmacros.h> for major/minor
- Use %license instead of %doc [bsc#1082318]
- Disable characters >=U+F000. These do not work properly (bsc#1085432#c15, kbd-unicode-fxxx.patch).
- Do not cause error on UNICODE characters >= 0xF000 (e. g. ligature fi) (bsc#1085432, kbd-unicode-fxxx.patch).
- Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service written by Thomas Blume (boo#1010880, kbdsettings, kbdsettings.service, numlockbios.c, update sysconfig.console and sysconfig.keyboard).
  * Exclude numlockbios support for non x86 platforms (kbdsettings-nox86.patch).
- Drop references to KEYTABLE and COMPOSETABLE (boo#1010880#c32, boo#1010880#c54, sysconfig.keyboard.del, README.SUSE, drop kbd.fillup).
- Fix paths in kbd.pl.
- Drop from some fill-up templates, a couple of sysconfig variables no more read by systemd (fate#319454) So the relevant settings can be defined in only one place.
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
- Add vlock.pamd PAM file (bsc#1056449#c8).
- Clean spec file.
- Version update to 2.0.4:
  * translation updates
  * support for U+202F
  * minor fixes and code cleanup
  * minor improvements and more characters support
- Enable vlock (bsc#1056449, FATE#261).
- call gzip -n to make build fully reproducible
- Revert dropping of kdb-legacy Requires: There are still packages and installation flows that need this to be present (boo#1027379).
- Drop kdb-legacy Requires: No longer needed, and was always meant to be temporary.
- Version update to 2.0.3:
  * Various small updates
- Obsolete merged patch:
  * kbd-1.15.5-br-abnt2-slash-question.patch
- Quickly run over with spec-cleaner
- Remove arch check for alpha and other unused platforms
- Drop kbd.fillup.nonpc as it should not be needed nowadays
- Fix data/keymaps/i386/querty/br-abnt2.map (boo#984958, kbd-1.15.5-br-abnt2-slash-question.patch)
- Fix missing dependency on coreutils for initrd macros (boo#958562)
- Call missing initrd macro at postun (boo#958562)
- Rename conflicting legacy keymaps:
  * dvorak/no.map -> dvorak/no-dvorak.map
  * fgGIod/trf.map -> fgGIod/trf-fgGIod.map
  * olpc/pt.map -> olpc/pt-olpc.map
  * qwerty/cz.map -> qwerty/cz-qwerty.map
- i386/qwerty/sr-latin links to sr-cy
- add compose rules to cz layout (rh#1181581)
- genmap4systemd.sh: use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' before) (FATE#318426)
- added genmap4systemd.sh tool, which generates entries for systemd's /usr/share/systemd/kbd-model-map table from xkeyboard-config converted keymaps; entries are written to /usr/share/systemd/kbd-model-map.xkb-generated, so these can easily be added to /usr/share/systemd/kbd-model-map by systemd package (FATE#318426)
- Include xkb layouts from xkeyboard-config converted to console keymaps, (FATE#318426)
  * Rename Finnish xkb converted layout
  * Add xkb and legacy keymaps subdirs to loadkeys search path (kbd-1.15.5-loadkeys-search-path.patch), remove symlinks, Don't convert layouts that can't input ASCII,
  * Original keymaps moved to legacy dir, created symlinks to xkb keymaps
- For the previous change to work, we need to buildrequire suse-module-tools to get the initrd rpm macros.
- Regenerate the initrd if this package changes as it is included there for early console setup.
- Convert changelog to utf8
- fix bashisms in scripts
- add patches:
  * kbd-2.0.2-fix-bashisms.patch
- update patches:
  * kbd-1.15.2-unicode_scripts.patch

==== kde-cli-tools5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kde-cli-tools5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== kde-gtk-config5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kde-gtk-config5-gtk2 kde-gtk-config5-gtk3 kde-gtk-config5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== kde-user-manager ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kde-user-manager-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== kdepim-runtime ====
Subpackages: kdepim-runtime-lang

- Update build requirements

==== kgamma5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kgamma5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== khotkeys5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: khotkeys5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== kinfocenter5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kinfocenter5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== kmenuedit5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kmenuedit5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- Changes since 5.17.1:
  * Create directory when saving the menu file (kde#413079)

==== kscreen5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kscreen5-lang kscreen5-plasmoid

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== kscreenlocker ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kscreenlocker-lang libKScreenLocker5

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== ksshaskpass5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: ksshaskpass5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== ksysguard5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: ksysguard5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== ktexteditor ====
Subpackages: ktexteditor-lang

- Add 0001-fix-crash-in-variableexpansionhelpers.patch to fix a crash when adding a variable to swap file name (kde#413474)

==== ktouch ====
Version update (19.08.1 -> 19.08.2)
Subpackages: ktouch-lang

- Update to 19.08.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/announce-applications-19.08.2.php
- No code change since 19.08.1

==== kwayland-integration ====
Version update (5.17.1 -> 5.17.2)

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== kwin5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: kwin5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- Changes since 5.17.1:
  * Dmabuf recovery on EGL reset (kde#411980)
  * [kcmkwin/kwindecoration] Fix default window size in KCMShell This also fixes a binding loop. (kde#413557)
  * [kcmkwin/desktop] Elide "Show animation when switching" checkbox text (kde#403151)
  * [kcmkwin/kwinvirtualdesktops] Improve default window size when opened in kcmshell
  * [scripting] Provide conversion functions for AbstractClient (kde#413044)
  * Don't use MESA_EGL_NO_X11_HEADERS
  * [kcmkwin/kwindecoration] Elide "theme default border size" CheckBox

==== kwrited5 ====
Version update (5.17.1 -> 5.17.2)

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== libgnomekbd ====
Version update (3.26.0 -> 3.26.1)

- Add explicit conflicts in typelib-1_0-Gkbd-3_0 and gnomekbd-tools against libgnomekbd < 3.26.1, before package split was done.
- Make -lang package installable and ease upgrade: provide/obsolete libgnomekbd by libgnomekbd8.
- Remove --with-pic which has no effect with --disable-static.
- Split package to SLPP standard:
  + Add sover define and set it to 8.
  + New subpackage gnomekbd-tools.
  + New subpackage libgnomekbd8.
  + New subpackage typelib-1_0-Gkbd-3_0.
  + Drop BUILD_FROM_VCS conditionals.
  + Add post(un) handling of the new shared library package.
  + Update URL to current GNOME gitlab home.
- Drop libgnomekbd-default-group-switch.patch: It does not seem to make any noticeable change today.
- Modernize spec, run spec-cleaner, drop post(un) handling of glib2_gsettings_schema_post(un) and desktop_database_post(un) and glib2_gsettings_schema_requires macro.
- Update to version 3.26.1:
  + Fix build with new GLib.
  + Updated translations.
- Modernize spec-file by calling spec-cleaner

==== libkdecoration2 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: libkdecorations2-5 libkdecorations2-5-lang libkdecorations2private6

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== libkscreen2 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: libKF5Screen7 libkscreen2-plugin

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== libksysguard5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: libksysguard5-helper libksysguard5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== libqt5-qtbase ====
Subpackages: libQt5Concurrent5 libQt5Core5 libQt5DBus5 libQt5Gui5 libQt5Network5 libQt5OpenGL5 libQt5PrintSupport5 libQt5Sql5 libQt5Sql5-mysql libQt5Sql5-sqlite libQt5Test5 libQt5Widgets5 libQt5Xml5 libqt5-qtbase-platformtheme-gtk3

- Add patch to fix crash when running libQt5Core5.so.5 as executable (boo#1155955):
  * 0001-Fix-crash-when-running-QtCore-Stack-is-misaligned-on.patch

==== libssh2_org ====

- Security fix: [bsc#1154862, CVE-2019-17498]
  * The SSH_MSG_DISCONNECT:packet.c logic has an integer overflow in a bounds check that might lead to disclose sensitive information or cause a denial of service
  * Add patch libssh2_org-CVE-2019-17498.patch

==== libstorage-ng ====
Version update (4.2.18 -> 4.2.23)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- Translated using Weblate (Estonian) (bsc#1149754)
- 4.2.23
- Translated using Weblate (Estonian) (bsc#1149754)
- 4.2.22
- Translated using Weblate (Estonian) (bsc#1149754)
- 4.2.21
- Translated using Weblate (Estonian) (bsc#1149754)
- 4.2.20
- merge gh#openSUSE/libstorage-ng#676
- handle is_permanent() in possible_mount_bys() (bsc#1155566)
- simplified code
- 4.2.19

==== milou5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: milou5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== ovmf ====
Version update (2017+git1510945757.b2662641d5 -> 201908)
Subpackages: qemu-ovmf-x86_64

- Update to edk2-stable201908
  + Add TLS and IPv6 supports for ArmVirtQemu
  + Various fixes and updates for TPM2
  + Various fixes for OvmfPkg and the underlying infrastructures
  + Drop the build requirement of python2
  + Drop the obsolete IntelFrameworkPkg and IntelFrameworkModulePkg
  + Remove ShellBinPkg and move the platform packages out of edk2
- Update openssl to 1.1.1b
  + Add berkeley-softfloat-3-b64af41c3276f.tar.xz since arm7 needs the softfloat implementation for openssl 1.1.1b
- Add ovmf-bsc1153072-fix-invalid-https-cert.patch to reject the invalid server certificates for HTTPS Boot (bsc#1153072, CVE-2019-14553)
- Build the varstore templates with EnrollDefaultKeys.efi
  + Create the iso files for key enrollment
    - Add gen-key-enrollment-iso.sh to generate the iso file
  + Drop the non-upstream ovmf-embed-default-keys.patch
    - Also drop owner-guid-zero.h
  + Drop the MS keys and dbx since they are already in EnrollDefaultKeys.efi: MicCorKEKCA2011_2011-06-24.crt, MicCorUEFCA2011_2011-06-27.crt, MicWinProPCA2011_2011-10-19.crt, and dbxupdate.zip
    - Also drop the related script strip_authinfo.pl
  + Add ovmf-set-fixed-enroll-time.patch to set the fixed enrolling time to make the varstore template reproducible
  + Require qemu 3.0.0 for fw_cfg
- Enable TLS (HTTPS Boot) and TPM2 support
- Add the firmware descriptors for QEMU
- Update README to match the current settings
- Update the License tag to BSD-2-Clause-Patent
- Build SecureBoot firmwares for aarch64
- Add a new "smm" flavor to enable System Management Mode
  + Also add ovmf-add-exclude-shell-flag.patch to exclude shell from the resultant SMM firmware files
- Retire the old openSUSE 4096 bit certificates since all those programs are unmaintained.
- Drop upstreamed patches
  + ovmf-bsc1092943-fix-attributes-table.patch
  + ovmf-bsc1099193-fix-sev-flash-variables.patch
  + ovmf-bsc1115916-fix-timestamp-zeroing.patch
  + ovmf-bsc1115917-bounds-checking-for-ueficompress.patch
  + ovmf-bsc1127820-fix-blockio-buffer-overflow.patch
  + ovmf-bsc1127821-dns-check-packet-size.patch
  + ovmf-bsc1127822-fix-fv-parsing.patch
  + ovmf-bsc1128503-fix-stack-overflow-in-HiiImage-and-HiiDatabase.patch
  + ovmf-bsc1130267-overflow-in-partition-and-udf.patch
  + ovmf-bsc1131361-fix-stack-overflow-xhci.patch
- Refresh patches:
  + ovmf-add-exclude-shell-flag.patch
  + ovmf-disable-ia32-firmware-piepic.patch
  + ovmf-pie.patch
- Drop the requirement of xxd

==== oxygen5 ====
Version update (5.17.1 -> 5.17.2)

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== php7 ====
Subpackages: apache2-mod_php7 php7-ctype php7-dom php7-iconv php7-json php7-mysql php7-pdo php7-pgsql php7-sqlite php7-tokenizer php7-xmlreader php7-xmlwriter

- security update
- added patches CVE-2019-11043 [bsc#1154999]
  + php7-CVE-2019-11043.patch

==== plasma-nm5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: plasma-nm5-lang plasma-nm5-openconnect plasma-nm5-openvpn plasma-nm5-pptp plasma-nm5-vpnc

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== plasma5-addons ====
Version update (5.17.1 -> 5.17.2)
Subpackages: plasma5-addons-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== plasma5-desktop ====
Version update (5.17.1 -> 5.17.2)
Subpackages: plasma5-desktop-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- Changes since 5.17.1:
  * Fix force font DPI UI logic

==== plasma5-integration ====
Version update (5.17.1 -> 5.17.2)
Subpackages: plasma5-integration-plugin plasma5-integration-plugin-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== plasma5-openSUSE ====
Subpackages: plasma5-defaults-openSUSE plasma5-theme-openSUSE plasma5-workspace-branding-openSUSE sddm-theme-openSUSE

- Update to 5.17.2

==== plasma5-pa ====
Version update (5.17.1 -> 5.17.2)
Subpackages: plasma5-pa-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== plasma5-workspace ====
Version update (5.17.1 -> 5.17.2)
Subpackages: gmenudbusmenuproxy plasma5-session plasma5-session-wayland plasma5-workspace-lang plasma5-workspace-libs xembedsniproxy

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- Changes since 5.17.1:
  * [wallpapers/image] Randomise new batches of images in the slideshow (kde#413463)
  * [wallpapers/image] Seed random number generator
  * [Lock Screen] Don't use black shadows with black text (kde#413537)
  * clear the cells before relayouting the items (kde#413019)

==== pmdk ====
Version update (1.5 -> 1.7)
Subpackages: libpmem1

- Update to PMDK 1.7 (jsc#SLE-9886)
- Introduces new APIs in libpmemobj for managing space used by transactions. (see pmemobj_tx_log_append_buffer man page for details)
- Introduces new APIs in librpmem, splitting rpmem_persist into rpmem_flush and rpmem_drain, allowing applications to use the flush + drain model already known from libpmem. (libpmemobj does not use this feature yet)
- Optimizes large libpmemobj transactions by significantly reducing the amount of memory modified at the commit phase.
- Optimizes tracking of libpmemobj reservations.
- Adds new flags for libpmemobj's pmemobj_tx_xadd_range[_direct] API: POBJ_XADD_NO_SNAPSHOT and POBJ_XADD_ASSUME_INITIALIZED, allowing applications to optimize how memory is tracked by the library.
- To support some of the above changes the libpmemobj on-media layout had to be changed, which means that old pools have to be converted using pmdk-convert >= 1.7.
- Disable Werror to deal with a new GCC 9 warning.
- Update to PMDK 1.6 (jsc#SLE-5400)
- See ChangeLog for details
- Disable LTO (boo#1133276).

==== polkit-kde-agent-5 ====
Version update (5.17.1 -> 5.17.2)
Subpackages: polkit-kde-agent-5-lang

- Update to 5.17.2
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/plasma-5.17.2.php
- No code changes since 5.17.1

==== poppler ====
Version update (0.62.0 -> 0.79.0)
Subpackages: libpoppler-cpp0 libpoppler-glib8 poppler-tools

- Update to version 0.79.0:
  + core:
    - Fix regression on TextSelectionPainter.
    - Fix parsing of DefaultAppearance.
    - Fix memory leak in PostScriptFunction.
    - Fix crashes in fuzzed files.
  + qt5:
    - Implemented support for setIcon by changing appearance.
    - Added option to set the form available to print.
    - QString::null is deprecated, use QString().
    - Replace deprecated qStableSort with std::stable_sort.
  + build system: Turn README into README.md and expand it.
- Update to version 0.78.0:
  + core:
    - Fix line annotation arrows for usage in dimensioning.
    - Handle Ink annots without an InkList but with an AP.
    - Fix typos preventing parsing of Movie start and duration.
    - Fix crash on malformed files.
  + glib:
    - Add poppler_document_create_dests_tree().
    - Don't use the deprecated g_type_class_add_private().
    - Document the differences between render() and render_for_printing().
    - Fix introspection for poppler_document_new_from_data.
    - Don't create PopplerInputStream with length 0.
    - Document G_IO_ERROR as a possible error condition.
    - Docs: Add index for API new in 0.78.
  + build system:
    - Fixes cross compilation of gir in Void Linux.
    - Add -Wshadow to the default warning flags.
    - Install pkg-config pc files if pkg-config is found.
- Bump poppler_sover following upstream changes.
- Update to version 0.77.0:
  + core:
    - Fix crash on signature handling. Issue #766
    - Fix small memory leak in SignatureHandler::getCertificateInfo
    - Splash: Restrict filling of overlapping boxes. Issue #750
    - Fix crash on malformed files
  + qt5: Fix optional content handling with exclusive layers
  + cpp: Make render_page thread-safe
  + utils:
    - pdfsig: Fix small memory leak
    - pdftotext: Fix typo in manpage
- Changes from version 0.76.1:
  + core:
    - Make the mul tables be calculated at compile time with constexpr.
    - splash: Fix compile with SPLASH_CMYK enabled
    - Some typo fixing in error messages
  + qt5: Fix regression in annotation handling
  + build system: Fix some typos in build system output and comments
- Changes from version 0.76.0:
  + core:
    - Fix regression on case-insensitive search. Issue #743
    - Remove GooList, use std::vector instead
    - Fix radiobutton reporting wrong state. Issue #159
    - Handle UTF16-LE strings
    - Don't error out if there's no DA in FreeText annotation
    - cairo:
      . Compute correct coverage values for box filter.
      . Constrain number of cycles in rescale filter.
    - Read more fields from ViewerPreferences
      . Introduce and use Ref::INVALID
      . Fix crashes in broken files
      . Fix mismatched free/delete
      . Add missing include guards
  + utils: pdftohtml: Properly initialize HtmlOutputDev::page to avoid SIGSEGV upon error exit.
- Changes from version 0.75.0:
  + core:
    - Fix rendering of some annotations
    - Fix crashes in broken files
    - Small internal code improvements
  + cpp:
    - Improve documentation
    - tests: Add showing version information to poppler-dump
  + utils:
    - pdfattach: new util
    - pdftohtml: add -dataurls parameter
    - pdftoppm: add -sep and -forcenum parameters
    - pdftohtml: make singleHtml and stout not mutually exclusive
    - pdfsig: fix use after free
- Bump poppler_sover following upstream changes.
- Update to version 0.74.0:
  + core:
    - Remove support for obsolete systems.
    - Include timezone in timeToDateString().
    - Fix/silence some warnings.
    - Fix issues with broken files.
  + build system:
    - Fix linking in FreeBSD.
    - Fix fseeko configure check on Android for API level < 24.
    - Remove unused MacroPushRequiredVars.cmake.
  + qt5:
    - Add API that lazily builds an outline by wrapping the internal objects.
    - Demo: Use new API to build Table Of Contents lazily.
  + glib:
    - Improve documentation.
    - Fix cast from 'GTime *' (aka 'int *') to 'time_t *' (aka 'long *').
  + utils: pdfsig: add -nssdir option.
  + cpp: Add a way to get all the named destinations in a document.
- Bump poppler_sover following upstream changes.
- Update to version 0.73.0:
  + core:
    - Fix regression reading some encrypted files.
    - Add X509CertificateInfo classes.
    - Add new 'IgnoreDiacritics' option to ::findText().
    - Open files with CLOEXEC flag set.
    - Remove Gulong, Guint, Gushort, Guchar typedefs.
    - Fix handling of some broken files.
  + qt5:
    - Expose X509CertificateInfo.
    - Add the possibility of getting version.
    - Add new 'IgnoreDiacritics' search flag.
    - Make initialization of globalParams threadsafe.
    - ArthurOutputDev: Remove all Splash code usage.
  + cpp:
    - Make initialization of globalParams threadsafe.
    - Fix page::text_list encoding issue.
    - Improve handling of UTF-16 by considering Endianness.
    - Add API to specify a custom data directory.
  + glib:
    - add new 'POPPLER_FIND_IGNORE_DIACRITICS' find flag.
    - Fix named destinations.
- Make PrintScaling preference available in API. + build system: - Rename ENABLE_XPDF_HEADERS to ENABLE_UNSTABLE_API_ABI_HEADERS. - support enabling NSS on mingw. - Windows: only set SOVERSION for shared libs. - Bump poppler_sover following upstream changes. - Pass ENABLE_UNSTABLE_API_ABI_HEADERS=on to cmake, replacing ENABLE_XPDF_HEADERS=on we had before. - Update to version 0.72.0: + core: - Fix checkbox lacking AP not being able to change state. - Draw line annotation endings (arrow, circle, ...). - cairo: Don't use UNIQUE_ID for PS output, to avoid using PS memory on cairo >= 1.5.10. - Be more stubborn looking for a nssdb. - GooString::fromInt: Repair the return value. - Minor performance improvements. - Avoid cycles in PDF parsing. - Stream::makeFilter: Fix memory leak. - Fix various issues with malformed files. - Rename GooString::getCString to GooString::c_str. - Regenerate UnicodeDecompTables.h from python 3.7.1. + utils: - pdfdetach: Check for valid embedded file before trying to save it. - pdfdetach: Check for valid file name of embedded file before using it to determine save path. - Fix typos in utils. + glib: - Fix missing PopplerAttachment destructor call. - Support getting form widget additional actions. - docs: Small improvements. + qt5: Internally compile with -DQT_NO_SIGNALS_SLOTS_KEYWORDS. - Bump poppler_sover following upstream changes. - Update to version 0.71.0: + core: - Replace the implementation of GooString by std::string but keep the exact interface intact. - Replace GBool, gTrue, and gFalse by bool, true, false, resp. - Splash: Fix crash if document is malformed (too wide). + qt5: - Fix crash when adding Highlight Annotations. - Default to hidden symbols. - Fix two leaks in a test. + glib: - demo: Fix build on Windows. - demo: Align property labels to top of cell. + cpp: Fix typos in documentation. 
+ build system: - Enable searching for GTK on Windows - Remove unused files - Add fuzzer target from oss-fuzz project - Changes from version 0.70.1: + glib: Install missing file. - Changes from version 0.70.0: + core: - FreeText annotations: default to font from default appearance string. - Splash: Speed improvements. - Fix security issues found by oss-fuzz. - Improve page label parsing. - Use some std classes instead of self grown ones. - Various internal improvements. + glib: - Fix crash on missing embedded file. - Add support for PDF subtype property. - Only export symbols in the public API. + qt5: - Add Page::index() method. - Improve method to get the page from a label string. + utils: pdftohtml: Improve font handling. - Bump poppler_sover following upstream changes. - Update to version 0.69.0: + core: - Add annotation font color - Splash: Some speed improvements - PSOutputDev: add native support for type 7 shadings when using level 3 - Add support for PDF subtype property - Link: Fix memory leak regarding next actions - Fix handling of Signature Info Location and Reason - Fix errors in computation of type3 glyphs transformation matrix - Reimplement Dict class in a more modern way - Fix security issues found by oss-fuzz - Fix memory issues in GfxImageColorMap copy ctor - Don't abort if the SampleFunction has too many samples. Issue glfdo#poppler/poppler#634 - Document the OutputDev::clip and OutputDev::oeClip methods - Fix macOS compilation due to boolean define in jpeglib - Split GDir and GDirEntry out of gfile.h. Issue glfdo#poppler/poppler#370 + qt5: - Add annotation font color + utils: - pdfinfo: Show PDF subtype - pdftotext: Fix only outputs first page content with -bbox-layout option. Issue glfdo#poppler/poppler#88 - pdftotext: Fix memory leak in printLine + build system - Require C++14 - Update to version 0.68.0: + core: - Add Reason and Location to SignatureInfo (fdo#107299). 
- Fix memory misuse on signature handling - Fix security issues found by oss-fuzz - Don't give a warning when Marked value is false (fdo#107430). + qt5: Add Reason and Location to SignatureInfo (fdo#107299). + cpp: - Add rotation() to text_box (fdo#106562). - Fix build with MSVC + utils: - pdftoppm: Add -jpegopt optimize option support - pdftocairo: Add -jpegopt optimize option support - pdftohtml: . Add option to not round coordinates . Fix possible crash (fdo#107316). + build system: - Use OpenJpeg cmake config file instead of pkgconfig - Remove wchar_t- on MSVC - Changes from version 0.67.0: + core: - Fix lots of security/leak issues found by oss-fuzz - Splash: . Optimize some files, making them 20% faster . Correctly manipulate spot colors if SPOT_NCOMPS != 4 - Fix compilation with some strict compilers. - Bump poppler_sover following upstream changes. - Add openjpeg2 BuildRequires: New dependency. - Update to version 0.66.0: + core: - Fix lots of security/leak issues found by oss-fuzz - Splash: Optimize some files, making them 20% faster - Splash: Correctly manipulate spot colors if SPOT_NCOMPS != 4 - Fix compilation with some strict compilers - Changes from version 0.65.0: + core: - SplashOutputDev: Add the invisible character check beginType3Char. (fdo#106244) - XRef: Fix runtime undefined behaviour. (fdo#105970) - Fix issues with malformed documents. (fdo#104942), (fdo#103238) - Remove GooHash after replacing it by std::unordered_map - Add conversion methods between GooString and std::string. + cpp: - Add newline after error message - Expose more image modes, add option to select mode in renderer. (fdo#105558) + build system: - Fix compilation with libc++ - Small improvement to FindLIBOPENJPEG2.cmake + qt5: - Add widget annot actions to FormFields + utils: - pdffonts: Minor formatting changes in the man page. (fdo#105194) - Changes from version 0.64.0: + core: - Workaround form field text not being drawn on broken files. 
(fdo#103245) - Add read only setter for form fields - Add support for Link Hide action - Add support for Next actions in Links - Fix parsing of Annot focus out actions - Fix PDFDoc::checkHeader() for PDFs smaller than 1 KiB. (fdo#105674) - Add const to several classes and members - gfile: Fix build on some platforms - Fix issues with malformed documents. (fdo#105972), (fdo#105969), (fdo#106059), (fdo#106061) - Several small code improvements + qt5: - Allow setting of Form visibility status - Allow setting of Form read only status - Add support for Link Hide action - Add support for Next actions in Links - ArthurOutputDev: Implement axialShadedFill - ArthurOutputDev: Implement drawImageMask. (fdo#105531) - ArthurOutputDev: Implement Type3 font support + utils: - pdfsig: Add -dump which writes signatures to disk (fdo#104881) + glib: - less deprecated calls + build system: - bring back the option to disable GObject introspection - Add iconv include dir when compiling - Make it possible to build poppler without fontconfig. Default for Android. - Bump soversion and data_version to 77 and 0.4.9 respectively. - Update to version 0.63.0: + Core: - CairoOutputDev: support embedding CCITT image data. (fdo#103399) - CairoOutputDev: limit image size when printing. (fdo#103399) - CairoOutputDev: use GOOD instead of BEST as the default cairo filter for scaling. (fdo#103136) - Error out on save if file has changed since we opened it. (fdo#103793) - PDFDoc: use %c instead of \x to output binary. (fdo#103873) - Fix index out of bounds undefined behaviour in PSTokenizer. (fdo#103583) - Fix opening files with OutlineItem loops. (fdo#102914) - Fix some bugs in StructTreeRoot parsing of parent tree. (fdo#103912) - Remove error for wrong child type for tagged pdf. (fdo#103587) - FoFiTrueType::readPostTable() from xpdf 4.00. (fdo#102880) - GfxFontDict: merge reference generation from xpdf 4.00. 
(fdo#104565) - Reset lastAbortCheck on updateLevel reset - PDFDoc::setup: Fail early if base stream length is 0. (fdo#103552) - Check curStr is actually a Stream before doing Stream operations. (fdo#104518) - Fix new Object API porting bug. (fdo#104517) - Check return code of getChar(), abort reading on error. (fdo#104502) - TextPage: Add horizontal scaling to font matrix. (fdo#105259) - Fix EmbedStream replay. (fdo#103446) - Fix memory leak on error condition - Fix assert on malformed documents. (fdo#104354) - Fix abort in Gfx::opBeginMarkedContent if args[1] is not a name. (fdo#104468) - GfxGouraudTriangleShading::parse: Don't abort on malformed documents. (fdo#104567) - GfxFunctionShading::parse: Fix abort in malformed document. (fdo#104581) - Remove the extern C from glib.h. (fdo#103621) - Don't let ArthurOutputDev be friend of SplashPath anymore - Fix undefined sanitizer warning about qsort - Form.h: include time.h for time_t - Various code improvements + Qt5: - Add cancellation support to renderToImage and textList - Do not assume all Screen annotation actions are Renditions. (kde#388175) - qt5: Implement operator= for PageTransition - ArthurOutputDev: 'clip' should intersect new and old clipping path - ArthurOutputDev: Implement updateBlendMode - ArthurOutputDev: Replace the QPainter by a stack of QPainters - ArthurOutputDev: Rudimentary support for transparency groups - Remove stale libcms1 code. (fdo#104358) - demo: don't crash if page is malformed - Fix warnings due to the use of deprecated overloads of Poppler::Page::Search in tests. + Utils: - pdfimages: Fix for files with flate encoded inline images. (fdo#103446) - pdftocairo: Remove stale libcms1 code. 
(fdo#104358) - pdfimages: Fix build without libtiff and libpng - pdfseparate: Fix buffer size warning due to missing space for null terminator + Build System: - Enable building all libs as static libs - Enable no-missing-field-initializers - Remove unused FindLIBOPENJPEG.cmake - Add "--owner root:0 --group root:0" options to tar command in dist target. (fdo#104398) - Add python3 support to gtkdoc.py - gtkdoc.py: Make it work with newer gtk-doc. (fdo#105075) + Cpp: - Add page::text_list ==== poppler-qt5 ==== Version update (0.62.0 -> 0.79.0) - Update to version 0.79.0: + core: - Fix regression on TextSelectionPainter. - Fix parsing of DefaultAppearance. - Fix memory leak in PostScriptFunction. - Fix crashes in fuzzed files. + qt5: - Implemented support for setIcon by changing appearance. - Added option to set the form available to print. - QString::null is deprecated, use QString(). - Replace deprecated qStableSort with std::stable_sort. + build system: Turn README into README.md and expand it. - Update to version 0.78.0: + core: - Fix line annotation arrows for usage in dimensioning. - Handle Ink annots without an InkList but with an AP. - Fix typos preventing parsing of Movie start and duration. - Fix crash on malformed files. + glib: - Add poppler_document_create_dests_tree(). - Don't use the deprecated g_type_class_add_private(). - Document the differences between render() and render_for_printing(). - Fix introspection for poppler_document_new_from_data. - Don't create PopplerInputStream with length 0. - Document G_IO_ERROR as a possible error condition. - Docs: Add index for API new in 0.78. + build system: - Fixes cross compilation of gir in Void Linux. - Add -Wshadow to the default warning flags. - Install pkg-config pc files if pkg-config is found. - Bump poppler_sover following upstream changes. - Update to version 0.77.0: + core: - Fix crash on signature handling. 
Issue #766 - Fix small memory leak in SignatureHandler::getCertificateInfo - Splash: Restrict filling of overlapping boxes. Issue #750 - Fix crash on malformed files + qt5: Fix optional content handling with exclusive layers + cpp: Make render_page thread-safe + utils: - pdfsig: Fix small memory leak - pdftotext: Fix typo in manpage - Changes from version 0.76.1: + core: - Make the mul tables be calculated at compile time with constexpr. - splash: Fix compile with SPLASH_CMYK enabled - Some typo fixing in error messages + qt5: Fix regression in annotation handling + build system: Fix some typos in build system output and comments - Changes from version 0.76.0: + core: - Fix regression on case-insensitive search. Issue #743 - Remove GooList, use std::vector instead - Fix radiobutton reporting wrong state. Issue #159 - Handle UTF16-LE strings - Don't error out if there's no DA in FreeText annotation - cairo: . Compute correct coverage values for box filter. . Constrain number of cycles in rescale filter. - Read more fields from ViewerPreferences . Introduce and use Ref::INVALID . Fix crashes in broken files . Fix mismatched free/delete . Add missing include guards + utils: pdftohtml: Properly initialize HtmlOutputDev::page to avoid SIGSEGV upon error exit. - Changes from version 0.75.0: + core: - Fix rendering of some annotations - Fix crashes in broken files - Small internal code improvements + cpp: - Improve documentation - tests: Add showing version information to poppler-dump + utils: - pdfattach: new util - pdftohtml: add -dataurls parameter - pdftoppm: add -sep and -forcenum parameters - pdftohtml: make singleHtml and stout not mutually exclusive - pdfsig: fix use after free - Bump poppler_sover following upstream changes. - Update to version 0.74.0: + core: - Remove support for obsolete systems. - Include timezone in timeToDateString(). - Fix/silence some warnings. - Fix issues with broken files. + build system: - Fix linking in FreeBSD. 
- Fix fseeko configure check on Android for API level < 24. - Remove unused MacroPushRequiredVars.cmake. + qt5: - Add API that lazily builds an outline by wrapping the internal objects. - Demo: Use new API to build Table Of Contents lazily. + glib: - Improve documentation. - Fix cast from 'GTime *' (aka 'int *') to 'time_t *' (aka 'long *'). + utils: pdfsig: add -nssdir option. + cpp: Add a way to get all the named destinations in a document. - Bump poppler_sover following upstream changes. - Update to version 0.73.0: + core: - Fix regression reading some encrypted files. - Add X509CertificateInfo classes. - Add new 'IgnoreDiacritics' option to ::findText(). - Open files with CLOEXEC flag set. - Remove Gulong, Guint, Gushort, Guchar typedefs. - Fix handling of some broken files. + qt5: - Expose X509CertificateInfo. - Add the possibility of getting version. - Add new 'IgnoreDiacritics' search flag. - Make initialization of globalParams threadsafe. - ArthurOutputDev: Remove all Splash code usage. + cpp: - Make initialization of globalParams threadsafe. - Fix page::text_list encoding issue. - Improve handling of UTF-16 by considering Endianness. - Add API to specify a custom data directory. + glib: - add new 'POPPLER_FIND_IGNORE_DIACRITICS' find flag. - Fix named destinations. - Make PrintScaling preference available in API. + build system: - Rename ENABLE_XPDF_HEADERS to ENABLE_UNSTABLE_API_ABI_HEADERS. - support enabling NSS on mingw. - Windows: only set SOVERSION for shared libs. - Bump poppler_sover following upstream changes. - Pass ENABLE_UNSTABLE_API_ABI_HEADERS=on to cmake, replacing ENABLE_XPDF_HEADERS=on we had before. - Update to version 0.72.0: + core: - Fix checkbox lacking AP not being able to change state. - Draw line annotation endings (arrow, circle, ...). - cairo: Don't use UNIQUE_ID for PS output, to avoid using PS memory on cairo >= 1.5.10. - Be more stubborn looking for a nssdb. - GooString::fromInt: Repair the return value. 
- Minor performance improvements. - Avoid cycles in PDF parsing. - Stream::makeFilter: Fix memory leak. - Fix various issues with malformed files. - Rename GooString::getCString to GooString::c_str. - Regenerate UnicodeDecompTables.h from python 3.7.1. + utils: - pdfdetach: Check for valid embedded file before trying to save it. - pdfdetach: Check for valid file name of embedded file before using it to determine save path. - Fix typos in utils. + glib: - Fix missing PopplerAttachment destructor call. - Support getting form widget additional actions. - docs: Small improvements. + qt5: Internally compile with -DQT_NO_SIGNALS_SLOTS_KEYWORDS. - Bump poppler_sover following upstream changes. - Update to version 0.71.0: + core: - Replace the implementation of GooString by std::string but keep the exact interface intact. - Replace GBool, gTrue, and gFalse by bool, true, false, resp. - Splash: Fix crash if document is malformed (too wide). + qt5: - Fix crash when adding Highlight Annotations. - Default to hidden symbols. - Fix two leaks in a test. + glib: - demo: Fix build on Windows. - demo: Align property labels to top of cell. + cpp: Fix typos in documentation. + build system: - Enable searching for GTK on Windows - Remove unused files - Add fuzzer target from oss-fuzz project - Changes from version 0.70.1: + glib: Install missing file. - Changes from version 0.70.0: + core: - FreeText annotations: default to font from default appearance string. - Splash: Speed improvements. - Fix security issues found by oss-fuzz. - Improve page label parsing. - Use some std classes instead of self grown ones. - Various internal improvements. + glib: - Fix crash on missing embedded file. - Add support for PDF subtype property. - Only export symbols in the public API. + qt5: - Add Page::index() method. - Improve method to get the page from a label string. + utils: pdftohtml: Improve font handling. - Bump poppler_sover following upstream changes. 
- Update to version 0.69.0: + core: - Add annotation font color - Splash: Some speed improvements - PSOutputDev: add native support for type 7 shadings when using level 3 - Add support for PDF subtype property - Link: Fix memory leak regarding next actions - Fix handling of Signature Info Location and Reason - Fix errors in computation of type3 glyphs transformation matrix - Reimplement Dict class in a more modern way - Fix security issues found by oss-fuzz - Fix memory issues in GfxImageColorMap copy ctor - Don't abort if the SampleFunction has too many samples. Issue glfdo#poppler/poppler#634 - Document the OutputDev::clip and OutputDev::oeClip methods - Fix macOS compilation due to boolean define in jpeglib - Split GDir and GDirEntry out of gfile.h. Issue glfdo#poppler/poppler#370 + qt5: - Add annotation font color + utils: - pdfinfo: Show PDF subtype - pdftotext: Fix only outputs first page content with -bbox-layout option. Issue glfdo#poppler/poppler#88 - pdftotext: Fix memory leak in printLine + build system - Require C++14 - Update to version 0.68.0: + core: - Add Reason and Location to SignatureInfo (fdo#107299). - Fix memory misuse on signature handling - Fix security issues found by oss-fuzz - Don't give a warning when Marked value is false (fdo#107430). + qt5: Add Reason and Location to SignatureInfo (fdo#107299). + cpp: - Add rotation() to text_box (fdo#106562). - Fix build with MSVC + utils: - pdftoppm: Add -jpegopt optimize option support - pdftocairo: Add -jpegopt optimize option support - pdftohtml: . Add option to not round coordinates . Fix possible crash (fdo#107316). + build system: - Use OpenJpeg cmake config file instead of pkgconfig - Remove wchar_t- on MSVC - Changes from version 0.67.0: + core: - Fix lots of security/leak issues found by oss-fuzz - Splash: . Optimize some files, making them 20% faster . Correctly manipulate spot colors if SPOT_NCOMPS != 4 - Fix compilation with some strict compilers. 
- Bump poppler_sover following upstream changes. - Add openjpeg2 BuildRequires: New dependency. - Update to version 0.66.0: + core: - Fix lots of security/leak issues found by oss-fuzz - Splash: Optimize some files, making them 20% faster - Splash: Correctly manipulate spot colors if SPOT_NCOMPS != 4 - Fix compilation with some strict compilers - Changes from version 0.65.0: + core: - SplashOutputDev: Add the invisible character check beginType3Char. (fdo#106244) - XRef: Fix runtime undefined behaviour. (fdo#105970) - Fix issues with malformed documents. (fdo#104942), (fdo#103238) - Remove GooHash after replacing it by std::unordered_map - Add conversion methods between GooString and std::string. + cpp: - Add newline after error message - Expose more image modes, add option to select mode in renderer. (fdo#105558) + build system: - Fix compilation with libc++ - Small improvement to FindLIBOPENJPEG2.cmake + qt5: - Add widget annot actions to FormFields + utils: - pdffonts: Minor formatting changes in the man page. (fdo#105194) - Changes from version 0.64.0: + core: - Workaround form field text not being drawn on broken files. (fdo#103245) - Add read only setter for form fields - Add support for Link Hide action - Add support for Next actions in Links - Fix parsing of Annot focus out actions - Fix PDFDoc::checkHeader() for PDFs smaller than 1 KiB. (fdo#105674) - Add const to several classes and members - gfile: Fix build on some platforms - Fix issues with malformed documents. (fdo#105972), (fdo#105969), (fdo#106059), (fdo#106061) - Several small code improvements + qt5: - Allow setting of Form visibility status - Allow setting of Form read only status - Add support for Link Hide action - Add support for Next actions in Links - ArthurOutputDev: Implement axialShadedFill - ArthurOutputDev: Implement drawImageMask. 
(fdo#105531) - ArthurOutputDev: Implement Type3 font support + utils: - pdfsig: Add -dump which writes signatures to disk (fdo#104881) + glib: - less deprecated calls + build system: - bring back the option to disable GObject introspection - Add iconv include dir when compiling - Make it possible to build poppler without fontconfig. Default for Android. - Bump soversion and data_version to 77 and 0.4.9 respectively. - Update to version 0.63.0: + Core: - CairoOutputDev: support embedding CCITT image data. (fdo#103399) - CairoOutputDev: limit image size when printing. (fdo#103399) - CairoOutputDev: use GOOD instead of BEST as the default cairo filter for scaling. (fdo#103136) - Error out on save if file has changed since we opened it. (fdo#103793) - PDFDoc: use %c instead of \x to output binary. (fdo#103873) - Fix index out of bounds undefined behaviour in PSTokenizer. (fdo#103583) - Fix opening files with OutlineItem loops. (fdo#102914) - Fix some bugs in StructTreeRoot parsing of parent tree. (fdo#103912) - Remove error for wrong child type for tagged pdf. (fdo#103587) - FoFiTrueType::readPostTable() from xpdf 4.00. (fdo#102880) - GfxFontDict: merge reference generation from xpdf 4.00. (fdo#104565) - Reset lastAbortCheck on updateLevel reset - PDFDoc::setup: Fail early if base stream length is 0. (fdo#103552) - Check curStr is actually a Stream before doing Stream operations. (fdo#104518) - Fix new Object API porting bug. (fdo#104517) - Check return code of getChar(), abort reading on error. (fdo#104502) - TextPage: Add horizontal scaling to font matrix. (fdo#105259) - Fix EmbedStream replay. (fdo#103446) - Fix memory leak on error condition - Fix assert on malformed documents. (fdo#104354) - Fix abort in Gfx::opBeginMarkedContent if args[1] is not a name. (fdo#104468) - GfxGouraudTriangleShading::parse: Don't abort on malformed documents. (fdo#104567) - GfxFunctionShading::parse: Fix abort in malformed document. (fdo#104581) - Remove the extern C from glib.h. 
(fdo#103621) - Don't let ArthurOutputDev be friend of SplashPath anymore - Fix undefined sanitizer warning about qsort - Form.h: include time.h for time_t - Various code improvements + Qt5: - Add cancellation support to renderToImage and textList - Do not assume all Screen annotation actions are Renditions. (kde#388175) - qt5: Implement operator= for PageTransition - ArthurOutputDev: 'clip' should intersect new and old clipping path - ArthurOutputDev: Implement updateBlendMode - ArthurOutputDev: Replace the QPainter by a stack of QPainters - ArthurOutputDev: Rudimentary support for transparency groups - Remove stale libcms1 code. (fdo#104358) - demo: don't crash if page is malformed - Fix warnings due to the use of deprecated overloads of Poppler::Page::Search in tests. + Utils: - pdfimages: Fix for files with flate encoded inline images. (fdo#103446) - pdftocairo: Remove stale libcms1 code. (fdo#104358) - pdfimages: Fix build without libtiff and libpng - pdfseparate: Fix buffer size warning due to missing space for null terminator + Build System: - Enable building all libs as static libs - Enable no-missing-field-initializers - Remove unused FindLIBOPENJPEG.cmake - Add "--owner root:0 --group root:0" options to tar command in dist target. (fdo#104398) - Add python3 support to gtkdoc.py - gtkdoc.py: Make it work with newer gtk-doc. 
(fdo#105075) + Cpp: - Add page::text_list ==== powerdevil5 ==== Version update (5.17.1 -> 5.17.2) Subpackages: powerdevil5-lang - Update to 5.17.2 * New bugfix release * For more details please see: * https://www.kde.org/announcements/plasma-5.17.2.php - No code changes since 5.17.1 ==== qqc2-desktop-style ==== Version update (5.55.0 -> 5.63.0) - Update to 5.63.0 * New feature release * For more details please see: * https://www.kde.org/announcements/kde-frameworks-5.63.0.php - Changes since 5.62.0: * Fix several build system errors * Fix typo * take margins from qstyle * [QQC2 Desktop Style] Port away from deprecated methods in Qt 5.14 * [Tab] Fix sizing (kde#409390) - Update to 5.62.0 * New feature release * For more details please see: * https://www.kde.org/announcements/kde-frameworks-5.62.0.php - Changes since 5.61.0: * Prevent dragging QQC2 ComboBox contents outside menu * metainfo.yaml: set fancy name, auto-name from cmake project() is not nice * metainfo.yaml: remove bogus note about library to link to - Replace foo-devel with cmake(KF5Foo) in build requirements - Update to 5.61.0 * New feature release * For more details please see: * https://www.kde.org/announcements/kde-frameworks-5.61.0.php - Changes since 5.60.0: * Fix broken guard that prevents styling sliders with negative values * Slow down the busy indicator's rotation speed * Fix "Type error" when creating a TextField with focus: true * [ComboBox] Set close policy to close on click outside instead of only outside parent (kde#408950) * [SpinBox] Set renderType (kde#409888) - Don't lower minimum Qt version anymore, it requires 5.11 now - Drop patch to support Qt 5.9: * 0001-Fix-MobileTextActionsToolBar.qml-with-Qt-5.9.patch - Drop patch for Leap 42.3 which is EOL: * fix-build-with-gcc48.patch - Update to 5.60.0 * New feature release * For more details please see: * https://www.kde.org/announcements/kde-frameworks-5.60.0.php - Changes since 5.59.0: * Remove Qt 5.11 ifdef since we require that version 
now * MobileTextActionsToolBar: fix runtime warnings when controlRoot isn't set yet (kde#408719) * Show shortcut in menu item when specified (kde#405541) * Add MenuSeparator * Fix ToolButton remaining in a pressed state after press * [ToolButton] Pass custom icon size to StyleItem * honor visibility policy (kde#407014) - Refreshed patches: * 0001-Fix-MobileTextActionsToolBar.qml-with-Qt-5.9.patch - Update to 5.59.0 * New feature release * For more details please see: * https://www.kde.org/announcements/kde-frameworks-5.59.0.php - Changes since 5.58.0: * Remove DefaultListItemBackground and MenuItem animation * [QQC2 Slider Style] Fix wrong handle positioning when initial value is 1 (kde#405471) * guard minimum and maximum for sliders * ScrollBar: Make it work as a horizontal scroll bar as well (kde#390351) - Update to 5.58.0 * New feature release * For more details please see: * https://www.kde.org/announcements/kde-frameworks-5.58.0.php - Changes since 5.57.0: * Avoid nesting Controls in TextField (kde#406851) * make the mobile text toolbar appear only on press * [TabBar] Update height when TabButtons are added dynamically * refer to the proper id * use the new Kirigami.WheelHandler * Support custom icon size for ToolButton * It compiles fine without foreach Refreshed patches: * 0001-Fix-MobileTextActionsToolBar.qml-with-Qt-5.9.patch - Update to 5.57.0 * New feature release * For more details please see: * https://www.kde.org/announcements/kde-frameworks-5.57.0.php - Changes since 5.56.0: * the plasma desktop style supports icon coloring * [SpinBox] Improve mouse wheel behavior * add a bit of padding in ToolBars * fix RoundButton icons * scrollbar based padding on all delegates * look for a scrollview to take its scrollbar for margins - Update to 5.56.0 * New feature release * For more details please see: * https://www.kde.org/announcements/kde-frameworks-5.56.0.php - Changes since 5.55.0: * Use PointingHand when hovering links in Label * Respect the display 
property of buttons * clicking on empty areas behaves like pgup/pgdown (kde#402578) * Support icon on ComboBox * support text positioning api * Support icons from local files in buttons * Use the correct cursor when hovering over the editable part of a spinbox ==== re2 ==== Version update (20190301 -> 20190901) - update to 2019-09-01: * build system fixes - Update to 2019-08-01: * Update Unicode data to 12.1.0 * Various developer visible changes - Fix download url - Update to 2019-07-01: * developer visible changes ==== samba ==== Version update (4.9.5+git.187.71edee57d5a -> 4.9.5+git.210.ab0549acb05) Subpackages: libdcerpc-binding0 libdcerpc-binding0-32bit libdcerpc0 libdcerpc0-32bit libndr-krb5pac0 libndr-krb5pac0-32bit libndr-nbt0 libndr-nbt0-32bit libndr-standard0 libndr-standard0-32bit libndr0 libndr0-32bit libnetapi0 libnetapi0-32bit libsamba-credentials0 libsamba-credentials0-32bit libsamba-errors0 libsamba-errors0-32bit libsamba-hostconfig0 libsamba-hostconfig0-32bit libsamba-passdb0 libsamba-passdb0-32bit libsamba-policy0-python3 libsamba-util0 libsamba-util0-32bit libsamdb0 libsamdb0-32bit libsmbclient0 libsmbconf0 libsmbconf0-32bit libsmbldap2 libsmbldap2-32bit libtevent-util0 libtevent-util0-32bit libwbclient0 libwbclient0-32bit samba-client samba-client-32bit samba-libs samba-libs-32bit samba-libs-python samba-libs-python3 samba-python3 samba-winbind samba-winbind-32bit - CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902); - CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289). - Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128). - Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832). 
==== scout ==== Version update (0.2.1+20181004.20a0aae -> 0.2.2+20190613.e6c2668) Subpackages: command-not-found - Update to version 0.2.2+20190613.e6c2668: * Bump version to 0.2.2 * Fix bug where sbin packages would print as bytes strings (boo#1135598) * Newly generated po files (new line numbers). * The make_trans script did not work, because strings were not marked because of eval * Fix bash i18n support. The translations are expanded during definition of the function, when LANG is not yet set. Use eval to postpone it. * Fix i18n support. * Updated translations ==== snapper ==== Version update (0.8.5 -> 0.8.6) Subpackages: libsnapper4 snapper-zypp-plugin - add --machine-readable option for CSV and JSON outputs. - add --columns option for selecting columns in the commands list, list-configs and get-config. - bsc#1149322 - version 0.8.6 ==== systemsettings5 ==== Version update (5.17.1 -> 5.17.2) Subpackages: systemsettings5-lang - Update to 5.17.2 * New bugfix release * For more details please see: * https://www.kde.org/announcements/plasma-5.17.2.php - Changes since 5.17.1: * [sidebar] Add a hover effect to intro page icons ==== texlive ==== - Add patch poppler-fix-0.79.patch to fix compilation with poppler 0.79 which has many api incompatible changes aggregated since 0.63 (boo#1152776). - Fix broken link to texlive-20170524-source-poppler059-1.patch . 
==== xfce4-screenshooter ==== Version update (1.9.6 -> 1.9.7) Subpackages: xfce4-screenshooter-lang - Update to version 1.9.7 * Add warning notice to imgur upload option (bxo#15347) * Fix cursor capture when near screen edge (bxo#9262) * Improve wording (bxo#15429) * Allow compilation with panel 4.15 * Restore libxfce4ui 4.12 compatibility * Translation Updates ==== xfce4-whiskermenu-plugin ==== Version update (2.3.3 -> 2.3.4) Subpackages: xfce4-whiskermenu-plugin-lang - Update to 2.3.4 * Fix building against xfce4-panel 4.15.0 * Translation updates ==== yast2-installation ==== Version update (4.2.19 -> 4.2.20) - Implement upgrade for the Full medium (jsc#SLE-7101) - 4.2.20 ==== yast2-packager ==== Version update (4.2.30 -> 4.2.31) - Do not crash when the product licenses cannot be read (bsc#1155454) - 4.2.31 ==== yast2-pkg-bindings ==== Version update (4.2.0 -> 4.2.1) - Returning raw packages dependencies while calling <Y2Packager::Resolvable>.deps (bsc#1132650). - 4.2.1 ==== yast2-ruby-bindings ==== Version update (4.2.3 -> 4.2.4) - Added symbol for new UI CustomStatusItemSelector widget (bsc#1084674) - Added symbol for UI icon term - 4.2.4 ==== yast2-schema ==== Version update (4.2.5 -> 4.2.6) - Update schema to support setting the encryption method through the 'crypt_method' (related to jsc#SLE-7376). - 4.2.6 ==== yast2-storage-ng ==== Version update (4.2.50 -> 4.2.54) - AutoYaST: do not repeat filesystem related information when cloning multidevice Btrfs filesystems (bsc#1148578). - AutoYaST: do not export the enable_snapshots element for drives which do not contain the root filesystem. - 4.2.54 - AutoYaST: add support to set the encryption method (related to jsc#SLE-7376). - 4.2.53 - fix creation of secure key for new partitions (bsc#1154267) - 4.2.52 - AutoYaST: consider CT_DMMULTIPATH an alias of CT_DISK (related to bsc#1130988). 
- 4.2.51 ==== yast2-update ==== Version update (4.2.7 -> 4.2.10) - Fixed too eager Rubocop cleanup resulting in "No fstab found" error after selecting a partition to upgrade (related to jsc#SLE-7101) - 4.2.10 - Implement upgrade for Full medium (jsc#SLE-7101) - 4.2.9 - Add support for online auto_upgrade (jsc#SLE-7214) - 4.2.8
participants (1): Ludwig Nussel