head 1.12; access; symbols pkgsrc-2019Q4:1.10.0.6 pkgsrc-2019Q4-base:1.10 pkgsrc-2019Q3:1.10.0.2 pkgsrc-2019Q3-base:1.10 pkgsrc-2019Q2:1.9.0.6 pkgsrc-2019Q2-base:1.9 pkgsrc-2019Q1:1.9.0.4 pkgsrc-2019Q1-base:1.9 pkgsrc-2018Q4:1.9.0.2 pkgsrc-2018Q4-base:1.9 pkgsrc-2018Q3:1.8.0.2 pkgsrc-2018Q3-base:1.8 pkgsrc-2018Q2:1.7.0.2 pkgsrc-2018Q2-base:1.7 pkgsrc-2018Q1:1.6.0.10 pkgsrc-2018Q1-base:1.6 pkgsrc-2017Q4:1.6.0.8 pkgsrc-2017Q4-base:1.6 pkgsrc-2017Q3:1.6.0.6 pkgsrc-2017Q3-base:1.6 pkgsrc-2017Q2:1.6.0.2 pkgsrc-2017Q2-base:1.6 pkgsrc-2017Q1:1.5.0.2 pkgsrc-2017Q1-base:1.5 pkgsrc-2016Q4:1.3.0.2 pkgsrc-2016Q4-base:1.3 pkgsrc-2016Q3:1.2.0.2 pkgsrc-2016Q3-base:1.2; locks; strict; comment @# @; 1.12 date 2020.01.20.21.40.57; author nia; state dead; branches; next 1.11; commitid wOIpzlRVyRl3AtTB; 1.11 date 2020.01.18.15.32.40; author nia; state Exp; branches; next 1.10; commitid NVDfApLiZrhEBbTB; 1.10 date 2019.07.11.11.32.40; author ryoon; state Exp; branches; next 1.9; commitid 78kKTlsMNaN1qCuB; 1.9 date 2018.11.04.00.38.44; author ryoon; state Exp; branches; next 1.8; commitid VDnZtZgWK5fTNyYA; 1.8 date 2018.09.05.15.29.58; author ryoon; state Exp; branches; next 1.7; commitid tov9G6FsBVzdFVQA; 1.7 date 2018.05.10.20.01.53; author ryoon; state Exp; branches; next 1.6; commitid xD42Z67JHKvGXMBA; 1.6 date 2017.04.27.01.49.47; author ryoon; state Exp; branches; next 1.5; commitid J6Df3i7KVGRj47Pz; 1.5 date 2017.03.07.20.45.43; author ryoon; state Exp; branches; next 1.4; commitid cj2gfa0XmazzZEIz; 1.4 date 2017.01.25.13.24.51; author ryoon; state Exp; branches; next 1.3; commitid 3acwYN6np6o7SlDz; 1.3 date 2016.12.03.09.58.26; author ryoon; state Exp; branches; next 1.2; commitid uIUIk0K6tuQSqwwz; 1.2 date 2016.09.20.20.01.41; author ryoon; state Exp; branches; next 1.1; commitid WhBC6OrwOUAn94nz; 1.1 date 2016.08.06.08.46.59; author ryoon; state Exp; branches; next ; commitid E1GJBeRJuobrRdhz; desc @@ 1.12 log @firefox: Remove dropped patch properly. 
@ text @@ 1.11 log @firefox: Remove remaining traces of OSS support. We no longer patch this in but it's still searching for the files if you're using something FreeBSDish or Linuxish. This should resolve build problems on these platforms. On NetBSD this problem never appeared because it's been using native audio instead of OSS for a while now. from Michael Forney in PR pkg/54868 @ text @@ 1.10 log @Update to 68.0 Changelog: New Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars. Improved extension security and discovery: New reporting feature in about:addons allows you to report security and performance issues with extensions and themes. Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension. Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. "Recommended" badges for these extensions also appear on AMO. More extensions will be added over time. Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences. WebRender will roll out to Windows 10 users with AMD graphics cards. Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed. Fixed Various security fixes Local files can no longer access other files in the same directory. 
Security fixes: #CVE-2019-9811: Sandbox escape via installation of malicious language pack #CVE-2019-11711: Script injection within domain through inner window reuse #CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects #CVE-2019-11713: Use-after-free with HTTP/2 cached stream #CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread #CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault #CVE-2019-11715: HTML parsing error can contribute to content XSS #CVE-2019-11716: globalThis not enumerable until accessed #CVE-2019-11717: Caret character improperly escaped in origins #CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML #CVE-2019-11719: Out-of-bounds read when importing curve25519 private key #CVE-2019-11720: Character encoding XSS vulnerability #CVE-2019-11721: Domain spoofing through unicode latin 'kra' character #CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin #CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries #CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions #CVE-2019-11725: Websocket resources bypass safebrowsing protections #CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3 #CVE-2019-11728: Port scanning through Alt-Svc header #CVE-2019-11710: Memory safety bugs fixed in Firefox 68 #CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 @ text @a0 12 $NetBSD: patch-build_moz.configure_old.configure,v 1.9 2018/11/04 00:38:44 ryoon Exp $ --- build/moz.configure/old.configure.orig 2019-07-06 01:48:30.000000000 +0000 +++ build/moz.configure/old.configure @@@@ -248,6 +248,7 @@@@ def old_configure_options(*options): '--with-nspr-prefix', '--with-nss-exec-prefix', '--with-nss-prefix', + '--with-oss', '--with-qemu-exe', '--with-sixgill', '--with-system-bz2', @ 1.9 log @Update to 63.0.1 * 
Minimize pkgsrc specific patches. * A build system written in Rust lang does not find C++ header files from pkgsrc (non-base) GCC, this version is not buildable on NetBSD 7. I will investigate this problem again. Changelog: 63.0.1 Fixed Snippets are not loaded due to missing element (bug 1503047) Print preview always shows 30% scale when it is actually Shrink To Fit (bug 1501952) Dialog displayed when closing multiple windows shows unreplaced %1$S placeholder in Japanese and potentially other locales (bug 1500823) 63.0 New Performance and visual improvements for Windows users Performance improvements for macOS users Added content blocking, a collection of Firefox settings that offer users greater control over technology that can track them around the web. In 63, users can opt to block third-party tracking cookies or block all trackers and create exceptions for trusted sites that don't work correctly with content blocking enabled. WebExtensions now run in their own process on Linux Firefox now warns about having multiple windows and tabs open when quitting from the main menu. The Save and Quit feature has been removed. You can restore your session by ticking the box for Restore previous session in the General->Startup options or by using Restore Previous Session in the main menu. Firefox now recognizes the operating system accessibility setting for reducing animation Added search shortcuts for Top Sites: Amazon and Google appear as Top Sites tiles on the Firefox Home (New Tab) page. When selected these tiles will change focus to the address bar to initiate a search. Currently in US only. Fixed Resolved an issue that prevented the address bar from autofilling bookmarked URLs in certain cases Various security fixes Changed In the Library, the Open in Sidebar feature for individual bookmarks was removed The option to Never check for updates was removed from about:preferences. You can use the DisableAppUpdate enterprise policy as a substitute. 
The Ctrl+Tab shortcut now displays thumbnail previews of your tabs and cycles through tabs in recently used order. This new default behavior is activated only in new profiles and can be changed in preferences. #CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin #CVE-2018-12392: Crash with nested event loops #CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript #CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting #CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts #CVE-2018-12397: Missing warning prompt when WebExtension requests local file access #CVE-2018-12398: CSP bypass through stylesheet injection in resource URIs #CVE-2018-12399: Spoofing of protocol registration notification bar #CVE-2018-12400: Favicons are cached in private browsing mode on Firefox for Android #CVE-2018-12401: DOS attack through special resource URI parsing #CVE-2018-12402: SameSite cookies leak when pages are explicitly saved #CVE-2018-12403: Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP #CVE-2018-12388: Memory safety bugs fixed in Firefox 63 #CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- build/moz.configure/old.configure.orig 2018-10-18 20:06:03.000000000 +0000 d5 1 a5 1 @@@@ -259,6 +259,7 @@@@ def old_configure_options(*options): d12 1 a12 1 '--with-soft-float', @ 1.8 log @Update to 62.0 Changelog: New Firefox Home (the default New Tab) now allows users to display up to 4 rows of top sites, Pocket stories, and highlights "Reopen in Container" tab menu option appears for users with Containers that lets them choose to reopen a tab in a different container In advance of removing all trust for Symantec-issued certificates in Firefox 63, a preference was added that allows users to distrust certificates issued by Symantec. 
To use this preference, go to about:config in the address bar and set the preference "security.pki.distrust_ca_policy" to 2. Added FreeBSD support for WebAuthn Improved graphics rendering for Windows users without accelerated hardware using Parallel-Off-Main-Thread Painting Support for CSS Shapes, allowing for richer web page layouts. This goes hand in hand with a brand new Shape Path Editor in the CSS inspector. CSS Variable Fonts (OpenType Font Variations) support, which makes it possible to create beautiful typography with a single font file Updates for enterprise environments: AutoConfig is sandboxed to the documented API by default. You can disable the sandbox by setting the preference general.config.sandbox_enabled to false. Our long term plan is to remove the ability to turn off the sandboxing. If you need to continue to use more complex AutoConfig scripts, you will need to use Firefox Extended Support Release (ESR). Added Canadian English (en-CA) locale Changed Removed the description field for bookmarks. Users who have stored descriptions using the field may wish to export these descriptions as html or json files, as they will be removed in a future release. Dark theme is automatically enabled in macOS 10.14 dark mode Changed the default setting to Enforce (3) for the security.pki.name_matching_mode preference Adobe Flash applets now run in a more secure mode using process sandboxing on macOS. Learn how this may affect features here. 
Users disconnecting from Sync are now offered the option to wipe their Firefox profile data (including bookmarks, passwords, history, cookies, and site data) from their desktop computer Changed how WebRTC handles screen sharing: When screen-sharing a window, the window will be brought to front Developer Three-pane Inspector in Developer Tools separates the rules into its own panel @ text @d1 1 a1 1 $NetBSD: patch-build_moz.configure_old.configure,v 1.7 2018/05/10 20:01:53 ryoon Exp $ d3 1 a3 1 --- build/moz.configure/old.configure.orig 2018-08-30 16:44:17.000000000 +0000 @ 1.7 log @Update to 60.0 * Remove untested patches including NetBSD/earm support Changelog: New Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file Enhancements to New Tab / Firefox Home Responsive layout that shows more content for users with wide-screen displays Highlights section includes web sites saved to Pocket More options to reorder sections and content on the page Pocket Sponsored Stories will appear for a percentage of users in the US. Read about our privacy-conscious approach to sponsored content Redesigned Cookies and Site Storage section in Preferences for greater clarity and control of first- and third-party cookies Applied Quantum CSS to render browser UI Added support for Web Authentication API, which allows USB tokens for website authentication Enhanced camera privacy indicators: Firefox now turns off your camera and the camera's light when you disable video recording, and turns the camera and light on when you resume recording Added an option for Linux users to show or hide page titles in a bar at the top of the browser. You'll find the Title Bar option in the Customize panel available from the main browser menu. 
Improved WebRTC audio performance and playback for Linux users Locale added: Occitan (oc) Fixed Various security fixes Changed #CVE-2018-5154: Use-after-free with SVG animations and clip paths #CVE-2018-5155: Use-after-free with SVG animations and text paths #CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files #CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer #CVE-2018-5159: Integer overflow and out-of-bounds write in Skia #CVE-2018-5160: Uninitialized memory use by WebRTC encoder #CVE-2018-5152: WebExtensions information leak through webRequest API #CVE-2018-5153: Out-of-bounds read in mixed content websocket messages #CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache #CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace #CVE-2018-5166: WebExtension host permission bypass through filterReponseData #CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger #CVE-2018-5168: Lightweight themes can be installed without user interaction #CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages #CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer #CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters #CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update #CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies #CVE-2018-5176: JSON Viewer script injection #CVE-2018-5177: Buffer overflow in XSLT during number formatting #CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox #CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced #CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink #CVE-2018-5182: 
Local file can be displayed from hyperlink dragged and dropped on addressbar #CVE-2018-5151: Memory safety bugs fixed in Firefox 60 #CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 @ text @d1 1 a1 1 $NetBSD: patch-build_moz.configure_old.configure,v 1.6 2017/04/27 01:49:47 ryoon Exp $ d3 1 a3 1 --- build/moz.configure/old.configure.orig 2018-05-03 16:58:26.000000000 +0000 d5 1 a5 1 @@@@ -262,6 +262,7 @@@@ def old_configure_options(*options): a9 1 '--with-pthreads', d12 1 @ 1.6 log @Update to 53.0 Changelog: New Improved graphics stability for Windows users with the addition of compositor process separation (Quantum Compositor) Two new 'compact' themes available in Firefox, dark and light, based on the Firefox Developer Edition theme Lightweight themes are now applied in private browsing windows Reader Mode now displays estimated reading time for the page Windows 7+ users on 64-bit OS can select 32-bit or 64-bit versions in the stub installer Fixed Various security fixes Changed Updated the design of site permission requests to make them harder to miss and easier to understand Windows XP and Vista are no longer supported. XP and Vista users running Firefox 52 will continue to receive security updates on Firefox ESR 52. 32-bit Mac OS X is no longer supported. 32-bit Mac OS X users can switch to Firefox ESR 52 to continue receiving security updates. 
Updates for Mac OS X are smaller in size compared to updates for Firefox 52 New visual design for audio and video controls Ended Firefox Linux support for processors older than Pentium 4 and AMD Opteron The last few characters of shortened tab titles fade out instead of being replaced by ellipses to keep more of the title visible Security fixes: #CVE-2017-5433: Use-after-free in SMIL animation functions #CVE-2017-5435: Use-after-free during transaction processing in the editor #CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2 #CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS #CVE-2017-5459: Buffer overflow in WebGL #CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL #CVE-2017-5434: Use-after-free during focus handling #CVE-2017-5432: Use-after-free in text input selection #CVE-2017-5460: Use-after-free in frame selection #CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing #CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing #CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing #CVE-2017-5441: Use-after-free with selection during scroll events #CVE-2017-5442: Use-after-free during style changes #CVE-2017-5464: Memory corruption with accessibility and DOM manipulation #CVE-2017-5443: Out-of-bounds write during BinHex decoding #CVE-2017-5444: Buffer overflow while parsing application/http-index-format content #CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data #CVE-2017-5447: Out-of-bounds read during glyph processing #CVE-2017-5465: Out-of-bounds read in ConvolvePixel #CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor #CVE-2017-5437: Vulnerabilities in Libevent library #CVE-2017-5454: Sandbox escape allowing file system read access through file picker #CVE-2017-5455: Sandbox escape through internal feed reader APIs #CVE-2017-5456: Sandbox escape allowing local file system access #CVE-2017-5469: Potential 
Buffer overflow in flex-generated code #CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content #CVE-2017-5449: Crash during bidirectional unicode manipulation with animation #CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox for Android #CVE-2017-5451: Addressbar spoofing with onblur event #CVE-2017-5462: DRBG flaw in NSS #CVE-2017-5463: Addressbar spoofing through reader view on Firefox for Android #CVE-2017-5467: Memory corruption when drawing Skia content #CVE-2017-5452: Addressbar spoofing during scrolling with editable content on Firefox for Android #CVE-2017-5453: HTML injection into RSS Reader feed preview page through TITLE element #CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS #CVE-2017-5468: Incorrect ownership model for Private Browsing information #CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 #CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- build/moz.configure/old.configure.orig 2017-04-11 04:15:17.000000000 +0000 d5 1 a5 1 @@@@ -275,6 +275,7 @@@@ def old_configure_options(*options): a12 13 @@@@ -286,7 +287,12 @@@@ def old_configure_options(*options): '--with-system-libvpx', '--with-system-nspr', '--with-system-nss', + '--with-system-ogg', '--with-system-png', + '--with-system-soundtouch', + '--with-system-theora', + '--with-system-tremor', + '--with-system-vorbis', '--with-system-zlib', '--with-thumb', '--with-thumb-interwork', @ 1.5 log @Update to 52.0 * Switch to GTK3 build * Remove py-sqlite2 dependency, fix PR pkg/52032 Changelog: New Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins. Added automatic captive portal detection, for easier access to Wi-Fi hotspots. 
When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab. Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS. Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain. Enhanced Sync to allow users to send and open tabs from one device to another. Fixed Various security fixes Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that * have chained dead keys * input two or more characters with a non-printable key or a dead key sequence * input a character even when a dead key sequence failed to compose a character Changed Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. Removed Battery Status API to reduce fingerprinting of users by trackers Improved experience for downloads: * Notification in the toolbar when a download fails * Quick access to five most recent downloads rather than three * Larger buttons for canceling and restarting downloads Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1 Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox. 
When not using Direct2D on Windows, Skia is used for content rendering Developer Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design Redesigned Responsive Design Mode to include device selection, network throttling, and more Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain unresolved Google Hangouts temporarily won't work Security fixes: #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP #CVE-2017-5401: Memory Corruption when handling ErrorResult #CVE-2017-5402: Use-after-free working with events in FontFace objects #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object #CVE-2017-5404: Use-after-free working with ranges in selections #CVE-2017-5406: Segmentation fault in Skia with canvas operations #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS #CVE-2017-5412: Buffer overflow read in SVG filters #CVE-2017-5413: Segmentation fault during bidirectional operations #CVE-2017-5414: File picker can choose incorrect default directory #CVE-2017-5415: Addressbar spoofing through blob URL #CVE-2017-5416: Null dereference crash in HttpChannel #CVE-2017-5417: Addressbar spoofing by dragging and dropping URLs #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running #CVE-2017-5427: Non-existent chrome.manifest file loaded during startup #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses #CVE-2017-5419: Repeated authentication 
prompts lead to DOS attack #CVE-2017-5420: Javascript: URLs can obfuscate addressbar location #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports #CVE-2017-5421: Print preview spoofing #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink #CVE-2017-5399: Memory safety bugs fixed in Firefox 52 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 @ text @d1 1 a1 1 $NetBSD: patch-build_moz.configure_old.configure,v 1.4 2017/01/25 13:24:51 ryoon Exp $ d3 1 a3 1 --- build/moz.configure/old.configure.orig 2017-01-23 16:13:47.000000000 +0000 d5 1 a5 1 @@@@ -276,6 +276,7 @@@@ def old_configure_options(*options): d13 1 a13 1 @@@@ -287,7 +288,12 @@@@ def old_configure_options(*options): @ 1.4 log @Update to 51.0 Changelog: New Users can view passwords in the save password prompt before saving them Added a zoom button in the URL bar: Displays percent above or below 100 percent when a user has changed the page zoom setting from the default Lets users return to the default setting by clicking on the button Improved video performance for users without GPU acceleration for less CPU usage and a better full screen experience Firefox will save passwords even in forms that do not have “submit” events Added support for FLAC (Free Lossless Audio Codec) playback Added support for WebGL 2, with advanced graphics rendering features like transform feedback, improved texturing capabilities, and a new sophisticated shading language A warning is displayed when a login page does not have a secure connection Added Georgian (ka) and Kabyle (kab) locales An even faster E10s! Tab Switching is better! 
Improved reliability of browser data sync Remove Belarusian (be) locale Fixed Various security fixes Changed Use 2D graphics library (Skia) for content rendering on Linux Re-enabled E10s support for Russian (ru) locale Updated to NSS 3.28.1 Security fixes: #CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP #CVE-2017-5376: Use-after-free in XSL #CVE-2017-5377: Memory corruption with transforms to create gradients in Skia #CVE-2017-5378: Pointer and frame data leakage of Javascript objects #CVE-2017-5379: Use-after-free in Web Animations #CVE-2017-5380: Potential use-after-free during DOM manipulations #CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer #CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests #CVE-2017-5396: Use-after-free with Media Decoder #CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations #CVE-2017-5382: Feed preview can expose privileged content errors and exceptions #CVE-2017-5383: Location bar spoofing with unicode characters #CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) #CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers #CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions #CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events #CVE-2017-5391: Content about: pages can load privileged about: pages #CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage #CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager #CVE-2017-5395: Android location bar spoofing during scrolling #CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages #CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks #CVE-2017-5374: Memory safety bugs fixed in Firefox 51 #CVE-2017-5373: Memory 
safety bugs fixed in Firefox 51 and Firefox ESR 45.7 @ text @d1 1 a1 1 $NetBSD: patch-build_moz.configure_old.configure,v 1.3 2016/12/03 09:58:26 ryoon Exp $ d3 1 a3 1 --- build/moz.configure/old.configure.orig 2017-01-16 16:16:51.000000000 +0000 d5 1 a5 17 @@@@ -159,6 +159,7 @@@@ def old_configure_options(*options): '--enable-accessibility', '--enable-address-sanitizer', '--enable-alsa', + '--enable-alsa-dlopen', '--enable-android-omx', '--enable-b2g-bt', '--enable-b2g-camera', @@@@ -241,6 +242,7 @@@@ def old_configure_options(*options): '--enable-url-classifier', '--enable-valgrind', '--enable-verify-mar', + '--enable-webm', '--enable-webrtc', '--enable-xul', '--enable-zipwriter', @@@@ -279,18 +281,26 @@@@ def old_configure_options(*options): d13 1 a13 6 '--with-soft-float', '--with-system-bz2', + '--with-system-celt', '--with-system-icu', '--with-system-jpeg', '--with-system-libevent', a17 1 + '--with-system-opus', @ 1.3 log @Update to 50.0.2 * Change default audio support to ALSA. You can use OSS or pulseaudio via ALSA plugin package. 
Changelog: 50.0.2: Fixed in Firefox 50.0.2 #CVE-2016-9079: Use-after-free in SVG Animation 50.0.1: Fixed *Firefox crashes with 3rd party Chinese IME when using IME text Security vulnerabilities fixed in Firefox 50.0.1: #CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect 50.0: New *Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac *Improved performance for SDK extensions or extensions using the SDK module loader *Added download protection for a large number of executable file types on Windows, Mac and Linux *Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer *Added Guarani (gn) locale *Added option to Find in page that allows users to limit search to whole words only *Updates to keyboard shortcuts *Set a preference to have Ctrl+Tab cycle through tabs in recently used order *View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac) Fixed *Login cookies are now saved for sites with a high number of cookies (Bug 1264192) *Various security fixes *Fixed rendering of dashed and dotted borders with rounded corners (border-radius) Changed *The link to check for plugin security updates has been removed from the addon manager as Firefox automatically checks for plugin updates *Blocked versions of libavcodec older than 54.35.1 *Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux) Developer *Changes for web developers Security vulnerabilities fixed in Firefox 50: #CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 #CVE-2016-5292: URL parsing causes crash #CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink #CVE-2016-5294: Arbitrary target directory for result files of update process #CVE-2016-5297: Incorrect argument length checking in JavaScript #CVE-2016-9064: Add-ons update must verify IDs match between current and new versions 
#CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen #CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler #CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore #CVE-2016-9068: heap-use-after-free in nsRefreshDriver #CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile #CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges #CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them #CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file #CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM #CVE-2016-5298: SSL indicator can mislead the user about the real URL visited #CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissionsPI key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions #CVE-2016-9062: Private browsing browser traces (Android) in browser.db and wal file #CVE-2016-9070: Sidebar bookmark can have reference to chrome window #CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" #CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler #CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s #CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in Expat #CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP #CVE-2016-5289: Memory safety bugs fixed in Firefox 50 #CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 @ text @d1 1 a1 1 $NetBSD: patch-build_moz.configure_old.configure,v 1.2 2016/09/20 20:01:41 ryoon Exp $ d3 1 a3 1 --- build/moz.configure/old.configure.orig 
2016-10-31 20:15:27.000000000 +0000 a10 1 '--enable-approximate-location', d12 4 a15 1 @@@@ -259,6 +260,7 @@@@ def old_configure_options(*options): a16 2 '--enable-warnings-as-errors', '--enable-webapp-runtime', d19 3 a21 3 '--enable-websms-backend', '--enable-webspeech', @@@@ -306,19 +308,27 @@@@ def old_configure_options(*options): a27 1 '--with-servo',
@ 1.2 log @Update to 49.0

Changelog:
New
Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. It’s one more way Firefox is supporting Let’s Encrypt and helping users transition to a more secure web.
Added features to Reader Mode that make it easier on the eyes and the ears
Controls that allow users to adjust the width and line spacing of text
Narrate, which reads the content of a page out loud
Improved video performance for users on systems that support SSSE3 without hardware acceleration
Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed
Enhancements for Mac users
Improved performance on OS X systems without hardware acceleration
Improved appearance of anti-aliased OS X fonts
Improvements in about:memory reports for tracking font memory usage
Improve performance on Windows systems without hardware acceleration

Fixed
Fixed an issue that prevented users from updating Firefox for Mac unless they originally installed Firefox. Now, those users as well as any user with administrative credentials can update Firefox.
Various security fixes

Changed
Ended Firefox for Mac support for OS X 10.6, 10.7, and 10.8.
Ended Firefox for Windows support for SSE processors
Removed Firefox Hello
Re-enabled the default for Graphite2 font shaping

Developer
Added a Cause column to the Network Monitor to show what caused each network request
Introduced web speech synthesis API

Fixed in Firefox 49
2016-85 Security vulnerabilities fixed in Firefox 49

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]
Reporter: Atte Kettunen
Description: A content security policy (CSP) containing a referrer directive with no values can cause a non-exploitable crash. [1289085]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]
Reporter: Abhishek Arya
Description: An out-of-bounds read during the processing of text runs in some pages using display:contents. [1288946]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]
Reporter: Nils
Description: A potentially exploitable crash in accessibility [1280387]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting an aria-owns attribute [1287721]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling.
[1282076]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A use-after-free vulnerability with web animations when destroying a timeline [1291665]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]
Reporter: Nils
Description: A buffer overflow when working with empty filters during canvas rendering [1287316]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]
Reporter: Rafael Gieschke
Description: The full path to local files is available to scripts when local files are dragged and dropped into Firefox [1249522]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]
Reporter: Richard Newman
Description: Favicons can be loaded through non-whitelisted protocols, such as jar: [932335]

CVE-2016-5283 -