Sisyphus repository
Last update: 1 october 2023 | SRPMs: 18631 | Visits: 37040224
en ru br
ALT Linux repos
S:115.3.1-alt1

Group :: Networking/WWW
RPM: firefox-esr

 Main   Changelog   Spec   Patches   Sources   Download   Gear   Bugs and FR  Repocop 

29 september 2023 Pavel Vasenkov <pav at altlinux.org> 115.3.1-alt1

  • New ESR version.
  • Security fixes
     + CVE-2023-5168 Out-of-bounds write in FilterNodeD2D1
     + CVE-2023-5169 Out-of-bounds write in PathOps
     + CVE-2023-5171 Use-after-free in Ion Compiler
     + CVE-2023-5174 Double-free in process spawning on Windows
     + CVE-2023-5176 Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3
     + CVE-2023-5217 Heap buffer overflow in libvpx

20 september 2023 Pavel Vasenkov <pav at altlinux.org> 115.2.1-alt2

  • Restored build for 32bit archs

8 september 2023 Pavel Vasenkov <pav at altlinux.org> 115.2.1-alt1

  • New ESR version.
  • Security fixes
     + CVE-2023-3600 Use-after-free in workers
     + CVE-2023-4045 Offscreen Canvas could have bypassed cross-origin restrictions
     + CVE-2023-4046 Incorrect value used during WASM compilation
     + CVE-2023-4047 Potential permissions request bypass via clickjacking
     + CVE-2023-4048 Crash in DOMParser due to out-of-memory conditions
     + CVE-2023-4049 Fix potential race conditions when releasing platform objects
     + CVE-2023-4050 Stack buffer overflow in StorageManager
     + CVE-2023-4052 File deletion and privilege escalation through Firefox uninstaller
     + CVE-2023-4054 Lack of warning when opening appref-ms files
     + CVE-2023-4055 Cookie jar overflow caused unexpected cookie jar state
     + CVE-2023-4056 Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
     + CVE-2023-4057 Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1
     + CVE-2023-4573 Memory corruption in IPC CanvasTranslator
     + CVE-2023-4574 Memory corruption in IPC ColorPickerShownCallback
     + CVE-2023-4575 Memory corruption in IPC FilePickerShownCallback
     + CVE-2023-4576 Integer Overflow in RecordedSourceSurfaceCreation
     + CVE-2023-4577 Memory corruption in JIT UpdateRegExpStatics
     + CVE-2023-4051 Full screen notification obscured by file open dialog
     + CVE-2023-4578 Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception
     + CVE-2023-4053 Full screen notification obscured by external program
     + CVE-2023-4580 Push notifications saved to disk unencrypted
     + CVE-2023-4581 XLL file extensions were downloadable without warnings
     + CVE-2023-4582 Buffer Overflow in WebGL glGetProgramiv
     + CVE-2023-4583 Browsing Context potentially not cleared when closing Private Window
     + CVE-2023-4584 Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
     + CVE-2023-4585 Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2
     + CVE-2023-4863 Heap buffer overflow in libwebp

27 june 2023 Pavel Vasenkov <pav at altlinux.org> 102.12.0-alt2

  • Fixes: Unstable name collisions
            Build failure with GCC 13

7 june 2023 Pavel Vasenkov <pav at altlinux.org> 102.12.0-alt1

  • New ESR version.
  • Security fixes
     + CVE-2023-34414 Click-jacking certificate exceptions through rendering lag
     + CVE-2023-34416 Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12

15 may 2023 Pavel Vasenkov <pav at altlinux.org> 102.11.0-alt1

  • New ESR version.
  • Security fixes
     + CVE-2023-32205 Browser prompts could have been obscured by popups
     + CVE-2023-32206 Crash in RLBox Expat driver
     + CVE-2023-32207 Potential permissions request bypass via clickjacking
     + CVE-2023-32211 Content process crash due to invalid wasm code
     + CVE-2023-32212 Potential spoof due to obscured address bar
     + CVE-2023-32213 Potential memory corruption in FileReader::DoReadData()
     + CVE-2023-32214 Potential DoS via exposed protocol handlers
     + CVE-2023-32215 Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

19 april 2023 Pavel Vasenkov <pav at altlinux.org> 102.10.0-alt1

  • New ESR version.
  • Security fixes
     + CVE-2023-29531 Out-of-bound memory access in WebGL on macOS
     + CVE-2023-29532 Mozilla Maintenance Service Write-lock bypass
     + CVE-2023-29533 Fullscreen notification obscured
     + CVE-2023-1999 Double-free in libwebp
     + CVE-2023-29535 Potential Memory Corruption following Garbage Collector compaction
     + CVE-2023-29536 Invalid free from JavaScript code
     + CVE-2023-29539 Content-Disposition filename truncation leads to Reflected File Download
     + CVE-2023-29541 Files with malicious extensions could have been downloaded unsafely on Linux
     + CVE-2023-29542 Bypass of file download extension restrictions
     + CVE-2023-29545 Windows Save As dialog resolved environment variables
     + CVE-2023-1945 Memory Corruption in Safe Browsing Code
     + CVE-2023-29548 Incorrect optimization result on ARM64
     + CVE-2023-29550 Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10

22 march 2023 Pavel Vasenkov <pav at altlinux.org> 102.9.0-alt1

  • New ESR version.
  • Security fixes
     + CVE-2023-25751 Incorrect code generation during JIT compilation
     + CVE-2023-28164 URL being dragged from a removed cross-origin iframe into the same tab triggered navigation
     + CVE-2023-28162 Invalid downcast in Worklets
     + CVE-2023-25752 Potential out-of-bounds when accessing throttled streams
     + CVE-2023-28163 Windows Save As dialog resolved environment variables
     + CVE-2023-28176 Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

3 march 2023 Pavel Vasenkov <pav at altlinux.org> 102.8.0-alt1

  • New ESR version.
  • Security fixes
     + CVE-2023-25728 Content security policy leak in violation reports using iframes
     + CVE-2023-25730 Screen hijack via browser fullscreen mode
     + CVE-2023-0767 Arbitrary memory write via PKCS 12 in NSS
     + CVE-2023-25735 Potential use-after-free from compartment mismatch in SpiderMonkey
     + CVE-2023-25737 Invalid downcast in SVGUtils::SetupStrokeGeometry
     + CVE-2023-25738 Printing on Windows could potentially crash Firefox with some device drivers
     + CVE-2023-25739 Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
     + CVE-2023-25729 Extensions could have opened external schemes without user knowledge
     + CVE-2023-25732 Out of bounds memory write from EncodeInputStream
     + CVE-2023-25734 Opening local .url files could cause unexpected network loads
     + CVE-2023-25742 Web Crypto ImportKey crashes tab
     + CVE-2023-25744 Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8
     + CVE-2023-25746 Memory safety bugs fixed in Firefox ESR 102.8

18 january 2023 Pavel Vasenkov <pav at altlinux.org> 102.7.0-alt1

  • New ESR version.
  • Security fixes
     + CVE-2022-46871 libusrsctp library out of date
     + CVE-2023-23598 Arbitrary file read from GTK drag and drop on Linux
     + CVE-2023-23599 Malicious command could be hidden in devtools output on Windows
     + CVE-2023-23601 URL being dragged from cross-origin iframe into same tab triggers navigation
     + CVE-2023-23602 Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
     + CVE-2022-46877 Fullscreen notification bypass
     + CVE-2023-23603 Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive
     + CVE-2023-23605 Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

14 december 2022 Pavel Vasenkov <pav at altlinux.org> 102.6.0-alt1

  • New ESR version.
  • Security fixes
     + CVE-2022-46880 Use-after-free in WebGL
     + CVE-2022-46872 Arbitrary file read from a compromised content process
     + CVE-2022-46881 Memory corruption in WebGL
     + CVE-2022-46874 Drag and Dropped Filenames could have been truncated to malicious extensions
     + CVE-2022-46875 Download Protections were bypassed by .atloc and .ftploc files on Mac OS
     + CVE-2022-46882 Use-after-free in WebGL
     + CVE-2022-46878 Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6

9 december 2022 Pavel Vasenkov <pav at altlinux.org> 102.5.0-alt2

  • Build with llvm-version 12 instead llvm-version 13 (Closes: #44436)

16 november 2022 Pavel Vasenkov <pav at altlinux.org> 102.5.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-45403 Service Workers might have learned size of cross-origin media files
     + CVE-2022-45404 Fullscreen notification bypass
     + CVE-2022-45405 Use-after-free in InputStream implementation
     + CVE-2022-45406 Use-after-free of a JavaScript Realm
     + CVE-2022-45408 Fullscreen notification bypass via windowName
     + CVE-2022-45409 Use-after-free in Garbage Collection
     + CVE-2022-45410 ServiceWorker-intercepted requests bypassed SameSite cookie policy
     + CVE-2022-45411 Cross-Site Tracing was possible via non-standard override headers
     + CVE-2022-45412 Symlinks may resolve to partially uninitialized buffers
     + CVE-2022-45416 Keystroke Side-Channel Leakage
     + CVE-2022-45418 Custom mouse cursor could have been drawn over browser UI
     + CVE-2022-45420 Iframe contents could be rendered outside the iframe
     + CVE-2022-45421 Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

24 october 2022 Pavel Vasenkov <pav at altlinux.org> 102.4.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-42927 Same-origin policy violation could have leaked cross-origin URLs
     + CVE-2022-42928 Memory Corruption in JS Engine
     + CVE-2022-42929 Denial of Service via window.print
     + CVE-2022-42932 Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4

10 october 2022 Pavel Vasenkov <pav at altlinux.org> 102.3.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-3266 Out of bounds read when decoding H264
     + CVE-2022-40959 Bypassing FeaturePolicy restrictions on transient pages
     + CVE-2022-40960 Data-race when parsing non-UTF-8 URLs in threads
     + CVE-2022-40958 Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
     + CVE-2022-40956 Content-Security-Policy base-uri bypass
     + CVE-2022-40957 Incoherent instruction cache when building WASM on ARM64
     + CVE-2022-40962 Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

15 september 2022 Pavel Vasenkov <pav at altlinux.org> 102.2.0-alt2

  • Update language support

25 august 2022 Pavel Vasenkov <pav at altlinux.org> 102.2.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-38472 Address bar spoofing via XSLT error handling
     + CVE-2022-38473 Cross-origin XSLT Documents would have inherited the parent's permissions
     + CVE-2022-38476 Data race and potential use-after-free in PK11_ChangePW
     + CVE-2022-38477 Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
     + CVE-2022-38478 Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

22 july 2022 Pavel Vasenkov <pav at altlinux.org> 102.1.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-36319 Mouse Position spoofing with CSS transforms
     + CVE-2022-36318 Directory indexes for bundled resources reflected URL parameters
     + CVE-2022-36314 Opening local <code>.lnk</code> files could cause unexpected network loads
     + CVE-2022-2505 Memory safety bugs fixed in Firefox 103 and 102.1

29 june 2022 Pavel Vasenkov <pav at altlinux.org> 91.11.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-34479 A popup window could be resized in a way to overlay the address bar with web content
     + CVE-2022-34470 Use-after-free in nsSHistory
     + CVE-2022-34468 CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
     + CVE-2022-34481 Potential integer overflow in ReplaceElementsAt
     + CVE-2022-31744 CSP bypass enabling stylesheet injection
     + CVE-2022-34472 Unavailable PAC file resulted in OCSP requests being blocked
     + CVE-2022-34478 Microsoft protocols can be attacked if a user accepts a prompt
     + CVE-2022-2200 Undesired attributes could be set as part of prototype pollution
     + CVE-2022-34484 Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

3 june 2022 Pavel Vasenkov <pav at altlinux.org> 91.10.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-31736 Cross-Origin resource's length leaked
     + CVE-2022-31737 Heap buffer overflow in WebGL
     + CVE-2022-31738 Browser window spoof using fullscreen mode
     + CVE-2022-31739 Attacker-influenced path traversal when saving downloaded files
     + CVE-2022-31740 Register allocation problem in WASM on arm64
     + CVE-2022-31741 Uninitialized variable leads to invalid memory read
     + CVE-2022-31742 Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
     + CVE-2022-31747 Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10

22 may 2022 Pavel Vasenkov <pav at altlinux.org> 91.9.1-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-1802 Prototype pollution in Top-Level Await implementation
     + CVE-2022-1529 Untrusted input used in JavaScript object indexing, leading to prototype pollution

4 may 2022 Pavel Vasenkov <pav at altlinux.org> 91.9.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-29914 Fullscreen notification bypass using popups
     + CVE-2022-29909 Bypassing permission prompt in nested browsing contexts
     + CVE-2022-29916 Leaking browser history with CSS variables
     + CVE-2022-29911 iframe Sandbox bypass
     + CVE-2022-29912 Reader mode bypassed SameSite cookies
     + CVE-2022-29917 Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9

6 april 2022 Pavel Vasenkov <pav at altlinux.org> 91.8.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-1097 Use-after-free in NSSToken objects
     + CVE-2022-28281 Out of bounds write due to unexpected WebAuthN Extensions
     + CVE-2022-1196 Use-after-free after VR Process destruction
     + CVE-2022-28282 Use-after-free in DocumentL10n::TranslateDocument
     + CVE-2022-28285 Incorrect AliasSet used in JIT Codegen
     + CVE-2022-28286 iframe contents could be rendered outside the border
     + CVE-2022-24713 Denial of Service via complex regular expressions
     + CVE-2022-28289 Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8

13 march 2022 Pavel Vasenkov <pav at altlinux.org> 91.7.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-26383 Browser window spoof using fullscreen mode
     + CVE-2022-26384 iframe allow-scripts sandbox bypass
     + CVE-2022-26387 Time-of-check time-of-use bug when verifying add-on signatures
     + CVE-2022-26381 Use-after-free in text reflows
     + CVE-2022-26386 Temporary files downloaded to /tmp and accessible by other local users

7 march 2022 Pavel Vasenkov <pav at altlinux.org> 91.6.1-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-26485 Use-after-free in XSLT parameter processing
     + CVE-2022-26486 Use-after-free in WebGPU IPC Framework

9 february 2022 Pavel Vasenkov <pav at altlinux.org> 91.6.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-22753 Privilege Escalation to SYSTEM on Windows via Maintenance Service
     + CVE-2022-22754 Extensions could have bypassed permission confirmation during update
     + CVE-2022-22756 Drag and dropping an image could have resulted in the dropped object being an executable
     + CVE-2022-22759 Sandboxed iframes could have executed script if the parent appended elements
     + CVE-2022-22760 Cross-Origin responses could be distinguished between script and non-script content-types
     + CVE-2022-22761 frame-ancestors Content Security Policy directive was not enforced for framed extension pages
     + CVE-2022-22763 Script Execution during invalid object state
     + CVE-2022-22764 Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6

27 january 2022 Pavel Vasenkov <pav at altlinux.org> 91.5.1-alt1

  • New ESR version.

11 january 2022 Andrey Cherepanov <cas at altlinux.org> 91.5.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2022-22746 Calling into reportValidity could have lead to fullscreen window spoof
     + CVE-2022-22743 Browser window spoof using fullscreen mode
     + CVE-2022-22742 Out-of-bounds memory access when inserting text in edit mode
     + CVE-2022-22741 Browser window spoof using fullscreen mode
     + CVE-2022-22740 Use-after-free of ChannelEventQueue::mOwner
     + CVE-2022-22738 Heap-buffer-overflow in blendGaussianBlur
     + CVE-2022-22737 Race condition when playing audio files
     + CVE-2021-4140 Iframe sandbox bypass with XSLT
     + CVE-2022-22748 Spoofed origin on external protocol launch dialog
     + CVE-2022-22745 Leaking cross-origin URLs through securitypolicyviolation event
     + CVE-2022-22744 The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
     + CVE-2022-22747 Crash when handling empty pkcs7 sequence
     + CVE-2022-22739 Missing throttling on external protocol launch dialog
     + CVE-2022-22751 Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

17 december 2021 Andrey Cherepanov <cas at altlinux.org> 91.4.1-alt1

  • New ESR version.

6 december 2021 Andrey Cherepanov <cas at altlinux.org> 91.4.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2021-43536 URL leakage when navigating while executing asynchronous function
     + CVE-2021-43537 Heap buffer overflow when using structured clone
     + CVE-2021-43538 Missing fullscreen and pointer lock notification when requesting both
     + CVE-2021-43539 GC rooting failure when calling wasm instance methods
     + CVE-2021-43541 External protocol handler parameters were unescaped
     + CVE-2021-43542 XMLHttpRequest error codes could have leaked the existence of an external protocol handler
     + CVE-2021-43543 Bypass of CSP sandbox directive when embedding
     + CVE-2021-43545 Denial of Service when using the Location API in a loop
     + CVE-2021-43546 Cursor spoofing could overlay user interface when native cursor is zoomed

18 november 2021 Andrey Cherepanov <cas at altlinux.org> 91.3.0-alt2

  • Show Home button on toolbar by default (ALT #41360).

2 november 2021 Andrey Cherepanov <cas at altlinux.org> 91.3.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2021-38503 iframe sandbox rules did not apply to XSLT stylesheets
     + CVE-2021-38504 Use-after-free in file picker dialog
     + CVE-2021-38505 Windows 10 Cloud Clipboard may have recorded sensitive user data
     + CVE-2021-38506 Firefox could be coaxed into going into fullscreen mode without notification or warning
     + CVE-2021-38507 Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
     + CVE-2021-38508 Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
     + CVE-2021-38509 Javascript alert box could have been spoofed onto an arbitrary domain
     + CVE-2021-38510 Download Protections were bypassed by .inetloc files on Mac OS

5 october 2021 Andrey Cherepanov <cas at altlinux.org> 91.2.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2021-38496 Use-after-free in MessageTask
     + CVE-2021-38497 Validation message could have been overlaid on another origin
     + CVE-2021-38498 Use-after-free of nsLanguageAtomService object
     + CVE-2021-32810 Data race in crossbeam-deque
     + CVE-2021-38500 Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
     + CVE-2021-38501 Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

7 september 2021 Andrey Cherepanov <cas at altlinux.org> 91.1.0-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2021-38492 Navigating to `mk:` URL scheme could load Internet Explorer
     + CVE-2021-38495 Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1

4 september 2021 Andrey Cherepanov <cas at altlinux.org> 91.0.1-alt1

  • New ESR version.
  • Security fixes:
     + CVE-2021-29991: Header Splitting possible with HTTP/3 Responses
     + CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT
     + CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
     + CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux
     + CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and type confusion
     + CVE-2021-29990: Memory safety bugs fixed in Firefox 91

10 august 2021 Andrey Cherepanov <cas at altlinux.org> 78.13.0-alt1

  • New version (78.13.0).
  • Security fixes:
     + CVE-2021-29986 Race condition when resolving DNS names could have led to memory corruption
     + CVE-2021-29988 Memory corruption as a result of incorrect style treatment
     + CVE-2021-29984 Incorrect instruction reordering during JIT optimization
     + CVE-2021-29980 Uninitialized memory in a canvas object could have led to memory corruption
     + CVE-2021-29985 Use-after-free media channels
     + CVE-2021-29989 Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13

12 july 2021 Andrey Cherepanov <cas at altlinux.org> 78.12.0-alt1

  • New version (78.12.0).
  • Security fixes:
     + CVE-2021-29970 Use-after-free in accessibility features of a document
     + CVE-2021-30547 Out of bounds write in ANGLE
     + CVE-2021-29976 Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12

1 june 2021 Andrey Cherepanov <cas at altlinux.org> 78.11.0-alt1

  • New version (78.11.0).
  • Security fixes:
     + CVE-2021-29964 Out of bounds-read when parsing a `WM_COPYDATA` message
     + CVE-2021-29967 Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11

5 may 2021 Andrey Cherepanov <cas at altlinux.org> 78.10.1-alt1

  • New version (78.10.1).
  • Security fixes:
     + CVE-2021-29951 Mozilla Maintenance Service could have been started or stopped by domain users

21 april 2021 Andrey Cherepanov <cas at altlinux.org> 78.10.0-alt1

  • New version (78.10.0).
  • Security fixes:
     + CVE-2021-23994 Out of bound write due to lazy initialization
     + CVE-2021-23995 Use-after-free in Responsive Design Mode
     + CVE-2021-23998 Secure Lock icon could have been spoofed
     + CVE-2021-23961 More internal network hosts could have been probed by a malicious webpage
     + CVE-2021-23999 Blob URLs may have been granted additional privileges
     + CVE-2021-24002 Arbitrary FTP command execution on FTP servers using an encoded URL
     + CVE-2021-29945 Incorrect size computation in WebAssembly JIT could lead to null-reads
     + CVE-2021-29946 Port blocking could be bypassed

23 march 2021 Andrey Cherepanov <cas at altlinux.org> 78.9.0-alt1

  • New version (78.9.0).
  • Security fixes:
     + CVE-2021-23981 Texture upload into an unbound backing buffer resulted in an out-of-bound read
     + CVE-2021-23982 Internal network hosts could have been probed by a malicious webpage
     + CVE-2021-23984 Malicious extensions could have spoofed popup information
     + CVE-2021-23987 Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
  • Do not build for ppc64le.

23 february 2021 Andrey Cherepanov <cas at altlinux.org> 78.8.0-alt1

  • New version (78.8.0).
  • Security fixes:
     + CVE-2021-23969 Content Security Policy violation report could have contained the destination of a redirect
     + CVE-2021-23968 Content Security Policy violation report could have contained the destination of a redirect
     + CVE-2021-23973 MediaError message property could have leaked information about cross-origin resources
     + CVE-2021-23978 Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

12 february 2021 Andrey Cherepanov <cas at altlinux.org> 78.7.1-alt2

  • Rebuild with llvm11.0.

5 february 2021 Andrey Cherepanov <cas at altlinux.org> 78.7.1-alt1

  • New version (78.7.1).
  • Security fixes:
     + MOZ-2021-0001: Buffer overflow in depth pitch calculations for compressed textures

26 january 2021 Andrey Cherepanov <cas at altlinux.org> 78.7.0-alt1

  • New version (78.7.0).
  • Security fixes:
     + CVE-2021-23953 Cross-origin information leakage via redirected PDF requests
     + CVE-2021-23954 Type confusion when using logical assignment operators in JavaScript switch statements
     + CVE-2020-26976 HTTPS pages could have been intercepted by a registered service worker when they should not have been
     + CVE-2021-23960 Use-after-poison for incorrectly redeclared JavaScript variables during GC
     + CVE-2021-23964 Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7

6 january 2021 Andrey Cherepanov <cas at altlinux.org> 78.6.1-alt1

  • New version (78.6.1).
  • Security fixes:
     + CVE-2020-16044 Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk

14 december 2020 Andrey Cherepanov <cas at altlinux.org> 78.6.0-alt1

  • New version (78.6.0).
  • Fixes:
     + CVE-2020-16042 Operations on a BigInt could have caused uninitialized memory to be exposed
     + CVE-2020-26971 Heap buffer overflow in WebGL
     + CVE-2020-26973 CSS Sanitizer performed incorrect sanitization
     + CVE-2020-26974 Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
     + CVE-2020-26978 Internal network hosts could have been probed by a malicious webpage
     + CVE-2020-35111 The proxy.onRequest API did not catch view-source URLs
     + CVE-2020-35112 Opening an extension-less download may have inadvertently launched an executable instead
     + CVE-2020-35113 Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

3 december 2020 Andrey Cherepanov <cas at altlinux.org> 78.5.0-alt2

  • Fix build against rust-1.48.

16 november 2020 Andrey Cherepanov <cas at altlinux.org> 78.5.0-alt1

  • New version (78.5.0).
  • Fixes:
     + CVE-2020-26951 Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
     + CVE-2020-16012 Variable time processing of cross-origin images during drawImage calls
     + CVE-2020-26953 Fullscreen could be enabled without displaying the security UI
     + CVE-2020-26956 XSS through paste (manual and clipboard API)
     + CVE-2020-26958 Requests intercepted through ServiceWorkers lacked MIME type restrictions
     + CVE-2020-26959 Use-after-free in WebRequestService
     + CVE-2020-26960 Potential use-after-free in uses of nsTArray
     + CVE-2020-15999 Heap buffer overflow in freetype
     + CVE-2020-26961 DoH did not filter IPv4 mapped IP Addresses
     + CVE-2020-26965 Software keyboards may have remembered typed passwords
     + CVE-2020-26966 Single-word search queries were also broadcast to local network
     + CVE-2020-26968 Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

10 november 2020 Andrey Cherepanov <cas at altlinux.org> 78.4.1-alt1

  • New version (78.4.1).
  • Fixes:
     + CVE-2020-26950 Write side effects in MCallGetProperty opcode not accounted for

26 october 2020 Andrey Cherepanov <cas at altlinux.org> 78.4.0-alt2

  • Build with nss-3.58.0 (thanks legion@).

20 october 2020 Andrey Cherepanov <cas at altlinux.org> 78.4.0-alt1

  • New version (78.4.0).
  • Fixes:
     + CVE-2020-15969 Use-after-free in usersctp
     + CVE-2020-15683 Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4

1 october 2020 Andrey Cherepanov <cas at altlinux.org> 78.3.1-alt1

  • New version (78.3.1).

23 september 2020 Andrey Cherepanov <cas at altlinux.org> 78.3.0-alt1

  • New release (78.3.0).
  • Fixes:
     + CVE-2020-15677 Download origin spoofing via redirect
     + CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
     + CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free
     + CVE-2020-15673 Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3

14 september 2020 Andrey Cherepanov <cas at altlinux.org> 78.2.0-alt2

  • Allow sideloading app and system unsigned addons.

25 august 2020 Andrey Cherepanov <cas at altlinux.org> 78.2.0-alt1

  • New release (78.2.0).
  • Fixes:
     + CVE-2020-15663 Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
     + CVE-2020-15664 Attacker-induced prompt for extension installation
     + CVE-2020-15670 Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2

14 august 2020 Andrey Cherepanov <cas at altlinux.org> 78.1.0-alt2

  • Remove python2-base from build requirements.

28 july 2020 Andrey Cherepanov <cas at altlinux.org> 78.1.0-alt1

  • New release (78.1.0).
  • Fixes:
     + CVE-2020-15652 Potential leak of redirect targets when loading scripts in a worker
     + CVE-2020-6514 WebRTC data channel leaks internal address to peer
     + CVE-2020-15655 Extension APIs could be used to bypass Same-Origin Policy
     + CVE-2020-15653 Bypassing iframe sandbox when allowing popups
     + CVE-2020-6463 Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
     + CVE-2020-15656 Type confusion for special arguments in IonMonkey
     + CVE-2020-15658 Overriding file type when saving to disk
     + CVE-2020-15657 DLL hijacking due to incorrect loading path
     + CVE-2020-15654 Custom cursor can overlay user interface
     + CVE-2020-15659 Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1

18 july 2020 Andrey Cherepanov <cas at altlinux.org> 78.0.2-alt1

  • New ESR version (78.0.2) (based on legion@ spec and patches).
  • Package localization files bundled (only kk,ru,uk locales are suppored).

13 july 2020 Alexey Gladkov <legion at altlinux.ru> 78.0.2-alt1

  • New release (78.0.2).
  • Fixes:
     + MFSA-2020-0003: X-Frame-Options bypass using object or embed tags

4 july 2020 Alexey Gladkov <legion at altlinux.ru> 78.0.1-alt1

  • New release (78.0.1).
  • Fixes:
     + CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing
     + CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster
     + CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64
     + CVE-2020-12418: Information disclosure due to manipulated URL object
     + CVE-2020-12419: Use-after-free in nsGlobalWindowInner
     + CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
     + CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack
     + CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates
     + CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer
     + CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library
     + CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process
     + CVE-2020-12425: Out of bound read in Date.parse()
     + CVE-2020-12426: Memory safety bugs fixed in Firefox 78

3 june 2020 Andrey Cherepanov <cas at altlinux.org> 68.9.0-alt1

  • New ESR version (68.9.0).
  • Fixes:
     + CVE-2020-12399 Timing attack on DSA signatures in NSS library
     + CVE-2020-12405 Use-after-free in SharedWorkerService
     + CVE-2020-12406 JavaScript Type confusion with NativeTypes
     + CVE-2020-12410 Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9

13 may 2020 Andrey Cherepanov <cas at altlinux.org> 68.8.0-alt3

  • Disable User-Agent patch due to possible infomation leak.

13 may 2020 Andrey Cherepanov <cas at altlinux.org> 68.8.0-alt2

  • Add ALT operating system string to browser User-Agent (ALT #38475).

5 may 2020 Andrey Cherepanov <cas at altlinux.org> 68.8.0-alt1

  • New ESR version (68.8.0).
  • Fixes:
     + CVE-2020-12387 Use-after-free during worker shutdown
     + CVE-2020-12388 Sandbox escape with improperly guarded Access Tokens
     + CVE-2020-12389 Sandbox escape with improperly separated process types
     + CVE-2020-6831 Buffer overflow in SCTP chunk input validation
     + CVE-2020-12392 Arbitrary local file access with 'Copy as cURL'
     + CVE-2020-12393 Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
     + CVE-2020-12395 Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

6 april 2020 Andrey Cherepanov <cas at altlinux.org> 68.7.0-alt1

  • New ESR version (68.7.0).
  • Fixes:
     + CVE-2020-6828 Preference overwrite via crafted Intent from malicious Android application
     + CVE-2020-6827 Custom Tabs in Firefox for Android could have the URI spoofed
     + CVE-2020-6821 Uninitialized memory could be read when using the WebGL copyTexSubImage method
     + CVE-2020-6822 Out of bounds write in GMPDecodeData when processing large images
     + CVE-2020-6825 Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7

4 april 2020 Andrey Cherepanov <cas at altlinux.org> 68.6.1-alt1

  • New ESR version (68.6.1).
  • Fixed:
     + CVE-2020-6819 Use-after-free while running the nsDocShell destructor
     + CVE-2020-6820 Use-after-free when handling a ReadableStream

10 march 2020 Andrey Cherepanov <cas at altlinux.org> 68.6.0-alt1

  • New ESR version (68.6.0).
  • Fix license tag according to SPDX.
  • Fixed:
     + CVE-2020-6805 Use-after-free when removing data about origins
     + CVE-2020-6806 BodyStream::OnInputStreamReady was missing protections against state confusion
     + CVE-2020-6807 Use-after-free in cubeb during stream destruction
     + CVE-2020-6811 Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
     + CVE-2019-20503 Out of bounds reads in sctp_load_addresses_from_init
     + CVE-2020-6812 The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
     + CVE-2020-6814 Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6

12 february 2020 Andrey Cherepanov <cas at altlinux.org> 68.5.0-alt1

  • New ESR version (68.5.0).
  • Fixed:
     + CVE-2020-6796 Missing bounds check on shared memory read in the parent process
     + CVE-2020-6797 Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
     + CVE-2020-6798 Incorrect parsing of template tag could result in JavaScript injection
     + CVE-2020-6799 Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader
     + CVE-2020-6800 Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5

21 january 2020 Andrey Cherepanov <cas at altlinux.org> 68.4.2-alt1

  • New ESR version (68.4.2).
  • Bugs fixed:
     + Fixed various issues opening files with spaces in their path (bug 1601905, bug 1602726).

8 january 2020 Andrey Cherepanov <cas at altlinux.org> 68.4.1-alt1

  • New ESR version (68.4.1).
  • Fixed:
     + CVE-2019-17015 Memory corruption in parent process during new content process initialization on Windows
     + CVE-2019-17016 Bypass of @namespace CSS sanitization during pasting
     + CVE-2019-17017 Type Confusion in XPCVariant.cpp
     + CVE-2019-17021 Heap address disclosure in parent process during content process initialization on Windows
     + CVE-2019-17022 CSS sanitization does not escape HTML tags
     + CVE-2019-17024 Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4

6 december 2019 Andrey Cherepanov <cas at altlinux.org> 68.3.0-alt2

  • Fix last changelog according to https://www.altlinux.org/Vulnerability_Policy.

5 december 2019 Andrey Cherepanov <cas at altlinux.org> 68.3.0-alt1

  • New ESR version (68.3.0).
  • Fixed:
     + CVE-2019-17008 Use-after-free in worker destruction
     + CVE-2019-13722 Stack corruption due to incorrect number of arguments in WebRTC code
     + CVE-2019-11745 Out of bounds write in NSS when encrypting with a block cipher
     + CVE-2019-17009 Updater temporary files accessible to unprivileged processes
     + CVE-2019-17010 Use-after-free when performing device orientation checks
     + CVE-2019-17005 Buffer overflow in plain text serializer
     + CVE-2019-17011 Use-after-free when retrieving a document in antitracking
     + CVE-2019-17012 Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3

27 october 2019 Andrey Cherepanov <cas at altlinux.org> 68.2.0-alt1

  • New ESR version (68.2.0).
  • Fixed:
     + CVE-2019-15903 Heap overflow in expat library in XML_GetCurrentLineNumber
     + CVE-2019-11757 Use-after-free when creating index updates in IndexedDB
     + CVE-2019-11758 Potentially exploitable crash due to 360 Total Security
     + CVE-2019-11759 Stack buffer overflow in HKDF output
     + CVE-2019-11760 Stack buffer overflow in WebRTC networking
     + CVE-2019-11761 Unintended access to a privileged JSONView object
     + CVE-2019-11762 document.domain-based origin isolation has same-origin-property violation
     + CVE-2019-11763 Incorrect HTML parsing results in XSS bypass technique
     + CVE-2019-11764 Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

19 september 2019 Andrey Cherepanov <cas at altlinux.org> 68.1.0-alt2

  • Fix open context menu (thanks george@).

4 september 2019 Andrey Cherepanov <cas at altlinux.org> 68.1.0-alt1

  • New ESR version (68.1.0).
  • Fixed:
     + CVE-2019-11751 Malicious code execution through command line parameters
     + CVE-2019-11746 Use-after-free while manipulating video
     + CVE-2019-11744 XSS by breaking out of title and textarea elements using innerHTML
     + CVE-2019-11742 Same-origin policy violation with SVG filters and canvas to steal cross-origin images
     + CVE-2019-11736 File manipulation and privilege escalation in Mozilla Maintenance Service
     + CVE-2019-11753 Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
     + CVE-2019-11752 Use-after-free while extracting a key value in IndexedDB
     + CVE-2019-9812 Sandbox escape through Firefox Sync
     + CVE-2019-11743 Cross-origin access to unload event attributes
     + CVE-2019-11748 Persistence of WebRTC permissions in a third party context
     + CVE-2019-11749 Camera information available without prompting using getUserMedia
     + CVE-2019-11750 Type confusion in Spidermonkey
     + CVE-2019-11738 Content security policy bypass through hash-based sources in directives
     + CVE-2019-11747 'Forget about this site' removes sites from pre-loaded HSTS list
     + CVE-2019-11735 Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
     + CVE-2019-11740 Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
  • Build in 8 jobs.

15 august 2019 Andrey Cherepanov <cas at altlinux.org> 68.0.2-alt1

  • New ESR version (68.0.2).
  • Fixed:
     + CVE-2019-11733 Stored passwords in 'Saved Logins' can be copied without master password entry

19 july 2019 Andrey Cherepanov <cas at altlinux.org> 68.0.1-alt1

  • New ESR version (68.0.1).
  • Fixed:
     + CVE-2019-9811 Sandbox escape via installation of malicious language pack
     + CVE-2019-11711 Script injection within domain through inner window reuse
     + CVE-2019-11712 Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
     + CVE-2019-11713 Use-after-free with HTTP/2 cached stream
     + CVE-2019-11729 Empty or malformed p256-ECDH public keys may trigger a segmentation fault
     + CVE-2019-11715 HTML parsing error can contribute to content XSS
     + CVE-2019-11717 Caret character improperly escaped in origins
     + CVE-2019-11719 Out-of-bounds read when importing curve25519 private key
     + CVE-2019-11730 Same-origin policy treats all files in a directory as having the same-origin
     + CVE-2019-11709 Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

15 july 2019 Andrey Cherepanov <cas at altlinux.org> 60.8.0-alt2

  • Fix Russian description encoding.

9 july 2019 Andrey Cherepanov <cas at altlinux.org> 60.8.0-alt1

  • New ESR version (60.8.0).
  • Fixed:
     + CVE-2019-9811 Sandbox escape via installation of malicious language pack
     + CVE-2019-11711 Script injection within domain through inner window reuse
     + CVE-2019-11712 Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
     + CVE-2019-11713 Use-after-free with HTTP/2 cached stream
     + CVE-2019-11729 Empty or malformed p256-ECDH public keys may trigger a segmentation fault
     + CVE-2019-11715 HTML parsing error can contribute to content XSS
     + CVE-2019-11717 Caret character improperly escaped in origins
     + CVE-2019-11719 Out-of-bounds read when importing curve25519 private key
     + CVE-2019-11730 Same-origin policy treats all files in a directory as having the same-origin
     + CVE-2019-11709 Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

3 july 2019 Gleb F-Malinovskiy <glebfm at altlinux.org> 60.7.2-alt2

  • Added ppc64le support.
  • spec: cleaned up rpm-build internal macros.

20 june 2019 Andrey Cherepanov <cas at altlinux.org> 60.7.2-alt1

  • New ESR version (60.7.2).
  • Fixed:
     + CVE-2019-11708 sandbox escape using Prompt:Open

18 june 2019 Andrey Cherepanov <cas at altlinux.org> 60.7.1-alt1

  • New ESR version (60.7.1).
  • Fixed:
     + CVE-2019-11707 Type confusion in Array.pop

16 june 2019 Andrey Cherepanov <cas at altlinux.org> 60.7.0-alt2

  • Fix build with Rust > 1.33.

21 may 2019 Andrey Cherepanov <cas at altlinux.org> 60.7.0-alt1

  • New ESR version (60.7.0).
  • Fixed:
     + CVE-2019-9815 Disable hyperthreading on content JavaScript threads on macOS
     + CVE-2019-9816 Type confusion with object groups and UnboxedObjects
     + CVE-2019-9817 Stealing of cross-domain images using canvas
     + CVE-2019-9818 Use-after-free in crash generation server
     + CVE-2019-9819 Compartment mismatch with fetch API
     + CVE-2019-9820 Use-after-free of ChromeEventHandler by DocShell
     + CVE-2019-11691 Use-after-free in XMLHttpRequest
     + CVE-2019-11692 Use-after-free removing listeners in the event listener manager
     + CVE-2019-11693 Buffer overflow in WebGL bufferdata on Linux
     + CVE-2019-7317 Use-after-free in png_image_free of libpng library
     + CVE-2019-9797 Cross-origin theft of images with createImageBitmap
     + CVE-2018-18511 Cross-origin theft of images with ImageBitmapRenderingContext
     + CVE-2019-11694 Uninitialized memory memory leakage in Windows sandbox
     + CVE-2019-11698 Theft of user history data through drag and drop of hyperlinks to and from bookmarks
     + CVE-2019-5798 Out-of-bounds read in Skia
     + CVE-2019-9800 Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

5 may 2019 Andrey Cherepanov <cas at altlinux.org> 60.6.2-alt1

  • New ESR version (60.6.2).
  • Hotfix for addon signing cert has not been applied.

23 march 2019 Andrey Cherepanov <cas at altlinux.org> 60.6.1-alt1

  • New ESR version (60.6.1).
  • Fixed:
     + CVE-2019-9810 IonMonkey MArraySlice has incorrect alias information
     + CVE-2019-9813 Ionmonkey type confusion with __proto__ mutations

21 march 2019 Andrey Cherepanov <cas at altlinux.org> 60.6.0-alt1

  • New ESR version (60.6.0).
  • Fixed:
     + CVE-2019-9790 Use-after-free when removing in-use DOM elements
     + CVE-2019-9791 Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey
     + CVE-2019-9792 IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
     + CVE-2019-9793 Improper bounds checks when Spectre mitigations are disabled
     + CVE-2019-9794 Command line arguments not discarded during execution
     + CVE-2019-9795 Type-confusion in IonMonkey JIT compiler
     + CVE-2019-9796 Use-after-free with SMIL animation controller
     + CVE-2019-9801 Windows programs that are not 'URL Handlers' are exposed to web content
     + CVE-2018-18506 Proxy Auto-Configuration file can define localhost access to be proxied
     + CVE-2019-9788 Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6

27 february 2019 Andrey Cherepanov <cas at altlinux.org> 60.5.2-alt1.1

  • Rebuild vith libvpx5.

23 february 2019 Andrey Cherepanov <cas at altlinux.org> 60.5.2-alt1

  • New ESR version (60.5.2).

15 february 2019 Andrey Cherepanov <cas at altlinux.org> 60.5.1-alt1

  • New ESR version (60.5.1).
  • Fixed:
     + CVE-2018-18356 Use-after-free in Skia
     + CVE-2019-5785 Integer overflow in Skia
     + CVE-2018-18335 Buffer overflow in Skia with accelerated Canvas 2D

1 february 2019 Andrey Cherepanov <cas at altlinux.org> 60.5.0-alt1

  • New ESR version (60.5.0).
  • Fixed:
     + CVE-2018-18500 Use-after-free parsing HTML5 stream
     + CVE-2018-18505 Privilege escalation through IPC channel messages
     + CVE-2018-18501 Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5

10 january 2019 Andrey Cherepanov <cas at altlinux.org> 60.4.0-alt2

  • Rebuild with llvm7.0 (ALT #35858).
  • Build with gcc on %ix86.

11 december 2018 Andrey Cherepanov <cas at altlinux.org> 60.4.0-alt1

  • New ESR version (60.4.0)
  • Fixed:
     + CVE-2018-17466 Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
     + CVE-2018-18492 Use-after-free with select element
     + CVE-2018-18493 Buffer overflow in accelerated 2D canvas with Skia
     + CVE-2018-18494 Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
     + CVE-2018-18498 Integer overflow when calculating buffer sizes for images
     + CVE-2018-12405 Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4

23 october 2018 Andrey Cherepanov <cas at altlinux.org> 60.3.0-alt1

  • New ESR version (60.3.0).
  • Fixed:
     + CVE-2018-12391 HTTP Live Stream audio data is accessible cross-origin
     + CVE-2018-12392 Crash with nested event loops
     + CVE-2018-12393 Integer overflow during Unicode conversion while loading JavaScript
     + CVE-2018-12395 WebExtension bypass of domain restrictions through header rewriting
     + CVE-2018-12396 WebExtension content scripts can execute in disallowed contexts
     + CVE-2018-12397 WebExtension can request access to local files without the warning prompt
     + CVE-2018-12389 Memory safety bugs fixed in Firefox ESR 60.3
     + CVE-2018-12390 Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

2 october 2018 Andrey Cherepanov <cas at altlinux.org> 60.2.2-alt1

  • New ESR version (60.2.2)
  • Fixed:
     + CVE-2018-12386 Type confusion in JavaScript
     + CVE-2018-12387 JavaScript JIT compiler inlines Array.prototype.push with multiple arguments

24 september 2018 Andrey Cherepanov <cas at altlinux.org> 60.2.1-alt1

  • New ESR version (60.2.1).
  • Fixed:
     + CVE-2018-12385 Crash in TransportSecurityInfo due to cached data
     + CVE-2018-12383 Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords

10 september 2018 Andrey Cherepanov <cas at altlinux.org> 60.2.0-alt1

  • New ESR version (60.2.0).
  • Fixed:
     + CVE-2018-12377 Use-after-free in refresh driver timers
     + CVE-2018-12378 Use-after-free in IndexedDB
     + CVE-2018-12379 Out-of-bounds write with malicious MAR file
     + CVE-2017-16541 Proxy bypass using automount and autofs
     + CVE-2018-12381 Dragging and dropping Outlook email message results in page navigation
     + CVE-2018-12376 Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2

26 june 2018 Andrey Cherepanov <cas at altlinux.org> 60.1.0-alt1

  • New ESR version (60.1.0).
  • Fixed:
     + CVE-2018-12359 Buffer overflow using computed size of canvas element
     + CVE-2018-12360 Use-after-free when using focus()
     + CVE-2018-12361 Integer overflow in SwizzleData
     + CVE-2018-12362 Integer overflow in SSSE3 scaler
     + CVE-2018-5156 Media recorder segmentation fault when track type is changed during capture
     + CVE-2018-12363 Use-after-free when appending DOM nodes
     + CVE-2018-12364 CSRF attacks through 307 redirects and NPAPI plugins
     + CVE-2018-12365 Compromised IPC child process can list local filenames
     + CVE-2018-12371 Integer overflow in Skia library during edge builder allocation
     + CVE-2018-12366 Invalid data handling during QCMS transformations
     + CVE-2018-12367 Timing attack mitigation of PerformanceNavigationTiming
     + CVE-2018-12368 No warning when opening executable SettingContent-ms files
     + CVE-2018-12369 WebExtension security permission checks bypassed by embedded experiments
     + CVE-2018-5187 Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
     + CVE-2018-5188 Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9

18 june 2018 Andrey Cherepanov <cas at altlinux.org> 60.0.2-alt2

  • Fix build for aarch64 (thanks legion@).

11 june 2018 Andrey Cherepanov <cas at altlinux.org> 60.0.2-alt1

  • New ESR version (60.0.2).
  • Fixed:
     + CVE-2018-6126 Heap buffer overflow rasterizing paths in SVG with Skia

5 june 2018 Andrey Cherepanov <cas at altlinux.org> 60.0.1-alt1

  • New ESR version (60.0.1).
  • Fixed:
     + CVE-2018-5154: Use-after-free with SVG animations and clip paths
     + CVE-2018-5155: Use-after-free with SVG animations and text paths
     + CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
     + CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
     + CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
     + CVE-2018-5160: Uninitialized memory use by WebRTC encoder
     + CVE-2018-5152: WebExtensions information leak through webRequest API
     + CVE-2018-5153: Out-of-bounds read in mixed content websocket messages
     + CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache
     + CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace
     + CVE-2018-5166: WebExtension host permission bypass through filterReponseData
     + CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger
     + CVE-2018-5168: Lightweight themes can be installed without user interaction
     + CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages
     + CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer
     + CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters
     + CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update
     + CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies
     + CVE-2018-5176: JSON Viewer script injection
     + CVE-2018-5177: Buffer overflow in XSLT during number formatting
     + CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox
     + CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
     + CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink
     + CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar
     + CVE-2018-5151: Memory safety bugs fixed in Firefox 60
     + CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8

9 may 2018 Andrey Cherepanov <cas at altlinux.org> 52.8.0-alt1

  • New ESR version (52.8.0).
  • Fixes:
     + CVE-2018-5183 Backport critical security fixes in Skia
     + CVE-2018-5154 Use-after-free with SVG animations and clip paths
     + CVE-2018-5155 Use-after-free with SVG animations and text paths
     + CVE-2018-5157 Same-origin bypass of PDF Viewer to view protected PDF files
     + CVE-2018-5158 Malicious PDF can inject JavaScript into PDF Viewer
     + CVE-2018-5159 Integer overflow and out-of-bounds write in Skia
     + CVE-2018-5168 Lightweight themes can be installed without user interaction
     + CVE-2018-5178 Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
     + CVE-2018-5150 Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8

2 may 2018 Andrey Cherepanov <cas at altlinux.org> 52.7.4-alt1

  • New ESR version (52.7.4).

26 march 2018 Andrey Cherepanov <cas at altlinux.org> 52.7.3-alt1

  • New ESR version (52.7.3)
  • Fixes:
     + CVE-2018-5148 Use-after-free in compositor

16 march 2018 Andrey Cherepanov <cas at altlinux.org> 52.7.2-alt1

  • New ESR version (52.7.2)

15 march 2018 Andrey Cherepanov <cas at altlinux.org> 52.7.1-alt1

  • New ESR version (52.7.1)

10 march 2018 Andrey Cherepanov <cas at altlinux.org> 52.7.0-alt1

  • New ESR version (52.7.0).
  • Fixes:
     + CVE-2018-5127 Buffer overflow manipulating SVG animatedPathSegList
     + CVE-2018-5129 Out-of-bounds write with malformed IPC messages
     + CVE-2018-5130 Mismatched RTP payload type can trigger memory corruption
     + CVE-2018-5131 Fetch API improperly returns cached copies of no-store/no-cache resources
     + CVE-2018-5144 Integer overflow during Unicode conversion
     + CVE-2018-5125 Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
     + CVE-2018-5145 Memory safety bugs fixed in Firefox ESR 52.7

5 march 2018 Andrey Cherepanov <cas at altlinux.org> 52.6.0-alt2

  • Enable ALSA support (ALT #34608)

22 january 2018 Andrey Cherepanov <cas at altlinux.org> 52.6.0-alt1

  • New ESR version (52.6.0)
  • Fixes:
     + CVE-2018-5095 Integer overflow in Skia library during edge builder allocation
     + CVE-2018-5096 Use-after-free while editing form elements
     + CVE-2018-5097 Use-after-free when source document is manipulated during XSLT
     + CVE-2018-5098 Use-after-free while manipulating form input elements
     + CVE-2018-5099 Use-after-free with widget listener
     + CVE-2018-5102 Use-after-free in HTML media elements
     + CVE-2018-5103 Use-after-free during mouse event handling
     + CVE-2018-5104 Use-after-free during font face manipulation
     + CVE-2018-5117 URL spoofing with right-to-left text aligned left-to-right
     + CVE-2018-5089 Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
  • Continue fix of Speculative execution side-channel attack ("Spectre")

10 january 2018 Andrey Cherepanov <cas at altlinux.org> 52.5.3-alt1

  • New ESR version (52.5.3)
  • Fixes:
     + Speculative execution side-channel attack ("Spectre")

10 december 2017 Andrey Cherepanov <cas at altlinux.org> 52.5.2-alt1

  • New ESR version (52.5.2)
  • Fixes:
     + CVE-2017-7843 Web worker in Private Browsing mode can write IndexedDB data
  • Build with DBUS support (ALT #34302)

15 november 2017 Andrey Cherepanov <cas at altlinux.org> 52.5.0-alt1

  • New ESR version (52.5.0)
  • Fixes:
     + CVE-2017-7828 Use-after-free of PressShell while restyling layout
     + CVE-2017-7830 Cross-origin URL information leak through Resource
     + CVE-2017-7826 Memory safety bugs fixed in Firefox 57 and Firefox ESR

29 september 2017 Andrey Cherepanov <cas at altlinux.org> 52.4.0-alt1

  • New ESR version (52.4.0)
  • Fixes:
     + CVE-2017-7793 Use-after-free with Fetch API
     + CVE-2017-7818 Use-after-free during ARIA array manipulation
     + CVE-2017-7819 Use-after-free while resizing images in design mode
     + CVE-2017-7824 Buffer overflow when drawing and validating elements with ANGLE
     + CVE-2017-7805 Use-after-free in TLS 1.2 generating handshake hashes
     + CVE-2017-7814 Blob and data URLs bypass phishing and malware protection warnings
     + CVE-2017-7825 OS X fonts render some Tibetan and Arabic unicode characters as spaces
     + CVE-2017-7823 CSP sandbox directive did not create a unique origin
     + CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4

8 august 2017 Andrey Cherepanov <cas at altlinux.org> 52.3.0-alt1

  • New ESR version (52.3.0)
  • Security fixes:
     + CVE-2017-7798: XUL injection in the style editor in devtools
     + CVE-2017-7800: Use-after-free in WebSockets during disconnection
     + CVE-2017-7801: Use-after-free with marquee during window resizing
     + CVE-2017-7809: Use-after-free while deleting attached editor DOM node
     + CVE-2017-7784: Use-after-free with image observers
     + CVE-2017-7802: Use-after-free resizing image elements
     + CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
     + CVE-2017-7786: Buffer overflow while painting non-displayable SVG
     + CVE-2017-7806: Use-after-free in layer manager with SVG
     + CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements
     + CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
     + CVE-2017-7807: Domain hijacking through AppCache fallback
     + CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID
     + CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
     + CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts
     + CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections
     + CVE-2017-7803: CSP containing 'sandbox' improperly applied
     + CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

11 july 2017 Andrey Cherepanov <cas at altlinux.org> 52.2.1-alt1

  • New ESR version (52.2.1)

21 june 2017 Andrey Cherepanov <cas at altlinux.org> 52.2.0-alt1

  • New ESR version (52.2.0)
  • Security fixes:
     + CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
     + CVE-2017-7749: Use-after-free during docshell reloading
     + CVE-2017-7750: Use-after-free with track elements
     + CVE-2017-7751: Use-after-free with content viewer listeners
     + CVE-2017-7752: Use-after-free with IME input
     + CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
     + CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
     + CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
     + CVE-2017-7757: Use-after-free in IndexedDB
     + CVE-2017-7778: Vulnerabilities in the Graphite 2 library
     + CVE-2017-7758: Out-of-bounds read in Opus encoder
     + CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
     + CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
     + CVE-2017-7763: Mac fonts render some unicode characters as spaces
     + CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
     + CVE-2017-7765: Mark of the Web bypass when saving executable files
     + CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
     + CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
     + CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
     + CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

8 may 2017 Andrey Cherepanov <cas at altlinux.org> 52.1.1-alt1

  • New ESR version (52.1.1)
  • Set plugin.load_flash_only setting to false to allow use all NPAPI plugins
  • Security fixes since 52.0:
     + CVE-2016-10196: Vulnerabilities in Libevent library
     + CVE-2017-5031: Use after free in ANGLE
     + CVE-2017-5428: integer overflow in createImageBitmap()
     + CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR
     + CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR
     + CVE-2017-5435: Use-after-free during transaction processing in the
     + CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT
     + CVE-2017-5440: Use-after-free in txExecutionState destructor during
     + CVE-2017-5444: Buffer overflow while parsing
     + CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent
     + CVE-2017-5451: Addressbar spoofing with onblur event
     + CVE-2017-5454: Sandbox escape allowing file system read access through
     + CVE-2017-5455: Sandbox escape through internal feed reader APIs
     + CVE-2017-5456: Sandbox escape allowing local file system access
     + CVE-2017-5464: Memory corruption with accessibility and DOM
     + CVE-2017-5466: Origin confusion when reloading isolated data:text/html
     + CVE-2017-5467: Memory corruption when drawing Skia content

8 may 2017 Andrey Cherepanov <cas at altlinux.org> 52.0-alt1

  • New release (52.0) based on legion@ build.
  • Built with internal icu.
  • Fixed:
     + CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
     + CVE-2017-5401: Memory Corruption when handling ErrorResult
     + CVE-2017-5402: Use-after-free working with events in FontFace objects
     + CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
     + CVE-2017-5404: Use-after-free working with ranges in selections
     + CVE-2017-5406: Segmentation fault in Skia with canvas operations
     + CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
     + CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
     + CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
     + CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
     + CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
     + CVE-2017-5412: Buffer overflow read in SVG filters
     + CVE-2017-5413: Segmentation fault during bidirectional operations
     + CVE-2017-5414: File picker can choose incorrect default directory
     + CVE-2017-5415: Addressbar spoofing through blob URL
     + CVE-2017-5416: Null dereference crash in HttpChannel
     + CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
     + CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
     + CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
     + CVE-2017-5427: Non-existent chrome.manifest file loaded during startup
     + CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
     + CVE-2017-5419: Repeated authentication prompts lead to DOS attack
     + CVE-2017-5420: Javascript: URLs can obfuscate addressbar location
     + CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
     + CVE-2017-5421: Print preview spoofing
     + CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
     + CVE-2017-5399: Memory safety bugs fixed in Firefox 52
     + CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

20 april 2017 Andrey Cherepanov <cas at altlinux.org> 45.9.0-alt1

  • New ESR version
  • Security fixes:
     + CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9,
     + CVE-2017-5462: DRBG flaw in NSS
     + CVE-2017-5445: Uninitialized values used while parsing
     + CVE-2017-5469: Potential Buffer overflow in flex-generated code
     + CVE-2017-5437: Vulnerabilities in Libevent library
     + CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor
     + CVE-2017-5465: Out-of-bounds read in ConvolvePixel
     + CVE-2017-5447: Out-of-bounds read during glyph processing
     + CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with
     + CVE-2017-5444: Buffer overflow while parsing application/http-index-format
     + CVE-2017-5443: Out-of-bounds write during BinHex decoding
     + CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
     + CVE-2017-5442: Use-after-free during style changes
     + CVE-2017-5441: Use-after-free with selection during scroll events
     + CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT
     + CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
     + CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
     + CVE-2017-5460: Use-after-free in frame selection
     + CVE-2017-5432: Use-after-free in text input selection
     + CVE-2017-5434: Use-after-free during focus handling
     + CVE-2017-5459: Buffer overflow in WebGL
     + CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
     + CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
     + CVE-2017-5435: Use-after-free during transaction processing in the editor
     + CVE-2017-5433: Use-after-free in SMIL animation functions

7 march 2017 Andrey Cherepanov <cas at altlinux.org> 45.8.0-alt1

  • New ESR version
  • Require fresh libnss for correct https open

25 january 2017 Andrey Cherepanov <cas at altlinux.org> 45.7.0-alt1

  • New ESR version

20 january 2017 Andrey Cherepanov <cas at altlinux.org> 45.6.0-alt2

  • Fix build with GCC 6.1

16 december 2016 Andrey Cherepanov <cas at altlinux.org> 45.6.0-alt1

  • New ESR version

6 december 2016 Ivan Zakharyaschev <imz at altlinux.org> 45.5.1-alt2

  • Make it pass strict verification of unresolved ELF symbols; this will also
     protect us from missing dependencies on libgtk symbols. (Thx legion@ for
     the original hack, removed in 44.0.2-alt3, but found to be restorable by
     ruslandh@'s work on strict unresolved symbols verification in palemoon.)

1 december 2016 Andrey Cherepanov <cas at altlinux.org> 45.5.1-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2016-92 Firefox SVG Animation Remote Code Execution

17 november 2016 Andrey Cherepanov <cas at altlinux.org> 45.5.0-alt1

  • New ESR version

20 september 2016 Andrey Cherepanov <cas at altlinux.org> 45.4.0-alt1

  • New ESR version

2 august 2016 Andrey Cherepanov <cas at altlinux.org> 45.3.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2016-80 Same-origin policy violation using local HTML file and saved shortcut file
     + MFSA 2016-79 Use-after-free when applying SVG effects
     + MFSA 2016-78 Type confusion in display transformation
     + MFSA 2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
     + MFSA 2016-76 Scripts on marquee tag can execute in sandboxed iframes
     + MFSA 2016-73 Use-after-free in service workers with nested sync events
     + MFSA 2016-72 Use-after-free in DTLS during WebRTC session shutdown
     + MFSA 2016-70 Use-after-free when using alt key and toplevel menus
     + MFSA 2016-67 Stack underflow during 2D graphics rendering
     + MFSA 2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
     + MFSA 2016-64 Buffer overflow rendering SVG with bidirectional content
     + MFSA 2016-63 Favicon network connection can persist when page is closed

12 june 2016 Andrey Cherepanov <cas at altlinux.org> 45.2.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2016-58 Entering fullscreen and persistent pointerlock without user permission
     + MFSA 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
     + MFSA 2016-55 File overwrite and privilege escalation through Mozilla Windows updater
     + MFSA 2016-53 Out-of-bounds write with WebGL shader
     + MFSA 2016-52 Addressbar spoofing though the SELECT element
     + MFSA 2016-51 Use-after-free deleting tables from a contenteditable document
     + MFSA 2016-50 Buffer overflow parsing HTML5 fragments

24 may 2016 Andrey Cherepanov <cas at altlinux.org> 45.1.1-alt2

  • Build with GTK+ 2.x (ALT #32120)

4 may 2016 Andrey Cherepanov <cas at altlinux.org> 45.1.1-alt1

  • New ESR version

2 may 2016 Andrey Cherepanov <cas at altlinux.org> 45.1.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2016-47 Write to invalid HashMap entry through JavaScript.watch()
     + MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets
     + MFSA 2016-39 Miscellaneous memory safety hazards

15 april 2016 Andrey Cherepanov <cas at altlinux.org> 45.0.2-alt1

  • New ESR version (switch to 45.x)

24 march 2016 Andrey Cherepanov <cas at altlinux.org> 38.7.1-alt1

  • New ESR version

10 march 2016 Andrey Cherepanov <cas at altlinux.org> 38.7.0-alt2

  • Rebuild with new rpm

9 march 2016 Andrey Cherepanov <cas at altlinux.org> 38.7.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2016-37 Font vulnerabilities in the Graphite 2 library
     + MFSA 2016-35 Buffer overflow during ASN.1 decoding in NSS
     + MFSA 2016-34 Out-of-bounds read in HTML parser following a failed allocation
     + MFSA 2016-31 Memory corruption with malicious NPAPI plugin
     + MFSA 2016-28 Addressbar spoofing though history navigation and Location protocol property
     + MFSA 2016-27 Use-after-free during XML transformations
     + MFSA 2016-25 Use-after-free when using multiple WebRTC data channels
     + MFSA 2016-24 Use-after-free in SetBody
     + MFSA 2016-23 Use-after-free in HTML5 string parser
     + MFSA 2016-21 Displayed page address can be overridden
     + MFSA 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
     + MFSA 2016-17 Local file overwriting and potential privilege escalation through CSP reports
     + MFSA 2016-16 Miscellaneous memory safety hazards
     + MFSA 2015-136 Same-origin policy violation using performance.getEntries and history navigation
     + MFSA 2015-81 Use-after-free in MediaStream playback

12 february 2016 Andrey Cherepanov <cas at altlinux.org> 38.6.1-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2016-14 Vulnerabilities in Graphite 2

28 january 2016 Andrey Cherepanov <cas at altlinux.org> 38.6.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation
     + MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
     + MFSA 2015-150 MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature

26 december 2015 Andrey Cherepanov <cas at altlinux.org> 38.5.2-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2015-150 MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature

22 december 2015 Andrey Cherepanov <cas at altlinux.org> 38.5.1-alt1

  • New ESR version

16 december 2015 Andrey Cherepanov <cas at altlinux.org> 38.5.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2015-149 Cross-site reading attack through data and view-source URIs
     + MFSA 2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright
     + MFSA 2015-146 Integer overflow in MP4 playback in 64-bit versions
     + MFSA 2015-145 Underflow through code inspection
     + MFSA 2015-139 Integer overflow allocating extremely large textures
     + MFSA 2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed

4 november 2015 Andrey Cherepanov <cas at altlinux.org> 38.4.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2015-133 NSS and NSPR memory corruption issues
     + MFSA 2015-132 Mixed content WebSocket policy bypass through workers
     + MFSA 2015-131 Vulnerabilities found through code inspection
     + MFSA 2015-130 JavaScript garbage collection crash with Java applet
     + MFSA 2015-128 Memory corruption in libjar through zip files
     + MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
     + MFSA 2015-123 Buffer overflow during image interactions in canvas
     + MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy

28 september 2015 Andrey Cherepanov <cas at altlinux.org> 38.3.0-alt2

  • Use GStreamer 1.0 (ALT #31305)

23 september 2015 Andrey Cherepanov <cas at altlinux.org> 38.3.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2015-113 Memory safety errors in libGLES in the ANGLE graphics library
     + MFSA 2015-112 Vulnerabilities found through code inspection
     + MFSA 2015-111 Errors in the handling of CORS preflight request headers
     + MFSA 2015-110 Dragging and dropping images exposes final URL after redirects
     + MFSA 2015-106 Use-after-free while manipulating HTML media content
     + MFSA 2015-105 Buffer overflow while decoding WebM video
     + MFSA 2015-101 Buffer overflow in libvpx while parsing vp9 format video
     + MFSA 2015-100 Arbitrary file manipulation by local user through Mozilla updater

28 august 2015 Andrey Cherepanov <cas at altlinux.org> 38.2.1-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2015-95 Add-on notification bypass through data URLs
     + MFSA 2015-94 Use-after-free when resizing canvas element during restyling

12 august 2015 Andrey Cherepanov <cas at altlinux.org> 38.2.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2015-92 Use-after-free in XMLHttpRequest with shared workers
     + MFSA 2015-90 Vulnerabilities found through code inspection
     + MFSA 2015-89 Buffer overflows on Libvpx when decoding WebM video
     + MFSA 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
     + MFSA 2015-87 Crash when using shared memory in JavaScript
     + MFSA 2015-85 Out-of-bounds write with Updater and malicious MAR file
     + MFSA 2015-84 Arbitrary file overwriting through Mozilla Maintenance
                    Service with hard links
     + MFSA 2015-83 Overflow issues in libstagefright
     + MFSA 2015-82 Redefinition of non-configurable JavaScript object
                    properties
     + MFSA 2015-80 Out-of-bounds read with malformed MP3 file

8 august 2015 Andrey Cherepanov <cas at altlinux.org> 38.1.1-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2015-78 Same origin violation and local file stealing via PDF reader

16 july 2015 Andrey Cherepanov <cas at altlinux.org> 38.1.0-alt1

  • New ESR version
  • Security fixes:
     + MFSA 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
     + MFSA 2015-69 Privilege escalation through internal workers
     + MFSA 2015-67 Key pinning is ignored when overridable errors are encountered
     + MFSA 2015-66 Vulnerabilities found through code inspection
     + MFSA 2015-65 Use-after-free in workers while using XMLHttpRequest
     + MFSA 2015-64 ECDSA signature validation fails to handle some signatures correctly
     + MFSA 2015-63 Use-after-free in Content Policy due to microtask execution error
     + MFSA 2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio
     + MFSA 2015-61 Type confusion in Indexed Database Manager
     + MFSA 2015-60 Local files or privileged URLs in pages can be opened into new tabs

25 may 2015 Andrey Cherepanov <cas at altlinux.org> 38.0.1-alt1

  • New ESR version
     + 2015-19 Out-of-bounds read and write while rendering SVG content
     + 2015-16 Use-after-free in IndexedDB
     + 2015-12 Invoking Mozilla updater will load locally stored DLL files

8 february 2015 Andrey Cherepanov <cas at altlinux.org> 31.4.0-alt1

  • Package ESR version as firefox-esr
  • Fixed:
     + MFSA 2015-06 Read-after-free in WebRTC
     + MFSA 2015-04 Cookie injection through Proxy Authenticate responses
     + MFSA 2015-03 sendBeacon requests lack an Origin header
 
design & coding: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin