head	1.2;
access;
symbols;
locks; strict;
comment	@# @;


1.2
date	2017.03.07.20.45.43;	author ryoon;	state dead;
branches;
next	1.1;
commitid	cj2gfa0XmazzZEIz;

1.1
date	2017.01.25.13.24.51;	author ryoon;	state Exp;
branches;
next	;
commitid	3acwYN6np6o7SlDz;


desc
@@


1.2
log
@Update to 52.0

* Switch to GTK3 build
* Remove py-sqlite2 dependency, fix PR pkg/52032

Changelog:
New
    Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins.

    Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab.

    Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS.

    Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain.

    Enhanced Sync to allow users to send and open tabs from one device to another.

Fixed
    Various security fixes

    Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that
      * have chained dead keys
      * input two or more characters with a non-printable key or a dead key sequence
      * input a character even when a dead key sequence failed to compose a character

Changed
    Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.

    Removed Battery Status API to reduce fingerprinting of users by trackers

    Improved experience for downloads:
      * Notification in the toolbar when a download fails
      * Quick access to five most recent downloads rather than three
      * Larger buttons for canceling and restarting downloads

    Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1

    Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox.

    When not using Direct2D on Windows, Skia is used for content rendering

Developer
    Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design

    Redesigned Responsive Design Mode to include device selection, network throttling, and more

    Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain

unresolved
    Google Hangouts temporarily won't work

Security fixes:
 #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
 #CVE-2017-5401: Memory Corruption when handling ErrorResult
 #CVE-2017-5402: Use-after-free working with events in FontFace objects
 #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
 #CVE-2017-5404: Use-after-free working with ranges in selections
 #CVE-2017-5406: Segmentation fault in Skia with canvas operations
 #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
 #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
 #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
 #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
 #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
 #CVE-2017-5412: Buffer overflow read in SVG filters
 #CVE-2017-5413: Segmentation fault during bidirectional operations
 #CVE-2017-5414: File picker can choose incorrect default directory
 #CVE-2017-5415: Addressbar spoofing through blob URL
 #CVE-2017-5416: Null dereference crash in HttpChannel
 #CVE-2017-5417: Addressbar spoofing by dragging and dropping URLs
 #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
 #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
 #CVE-2017-5427: Non-existent chrome.manifest file loaded during startup
 #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
 #CVE-2017-5419: Repeated authentication prompts lead to DOS attack
 #CVE-2017-5420: Javascript: URLs can obfuscate addressbar location
 #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
 #CVE-2017-5421: Print preview spoofing
 #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
 #CVE-2017-5399: Memory safety bugs fixed in Firefox 52
 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8
@
text
@$NetBSD: patch-build_moz.configure_toolchain.configure,v 1.1 2017/01/25 13:24:51 ryoon Exp $

--- build/moz.configure/toolchain.configure.orig	2017-01-16 16:16:51.000000000 +0000
+++ build/moz.configure/toolchain.configure
@@@@ -756,23 +756,6 @@@@ def compiler(language, host_or_target, c
     valid_compiler.try_compile(check_msg='%s works' % what,
                                onerror=compiler_error)
 
-
-    # Set CPP/CXXCPP for both the build system and old-configure. We don't
-    # need to check this works for preprocessing, because we already relied
-    # on $CC -E/$CXX -E doing preprocessing work to validate the compiler
-    # in the first place.
-    if host_or_target == target:
-        pp_var = {
-            'C': 'CPP',
-            'C++': 'CXXCPP',
-        }[language]
-
-        preprocessor = depends_if(valid_compiler)(
-                lambda x: list(x.wrapper) + [x.compiler, '-E'] + list(x.flags))
-
-        set_config(pp_var, preprocessor)
-        add_old_configure_assignment(pp_var, preprocessor)
-
     return valid_compiler
 
 
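Review bot: the removal of the CPP/CXXCPP block after valid_compiler.try_compile(...) is not explained anywhere in the patch, which carries only the NetBSD RCS id line. Once set_config(pp_var, preprocessor) and add_old_configure_assignment(pp_var, preprocessor) are gone, nothing visible in this hunk passes CPP or CXXCPP to the build system or to old-configure for the target. Add a short comment under the RCS id line saying why the block is dropped and where those two variables are expected to come from, so a later update can tell whether the patch is still needed.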
@


1.1
log
@Update to 51.0

Changelog:
New
    Users can view passwords in the save password prompt before saving them

    Added a zoom button in the URL bar:
        Displays percent above or below 100 percent when a user has changed the page zoom setting from the default
        Lets users return to the default setting by clicking on the button

    Improved video performance for users without GPU acceleration for less CPU usage and a better full screen experience

    Firefox will save passwords even in forms that do not have “submit” events

    Added support for FLAC (Free Lossless Audio Codec) playback

    Added support for WebGL 2, with advanced graphics rendering features like transform feedback, improved texturing capabilities, and a new sophisticated shading language

    A warning is displayed when a login page does not have a secure connection

    Added Georgian (ka) and Kabyle (kab) locales

    An even faster E10s! Tab Switching is better!

    Improved reliability of browser data sync

    Remove Belarusian (be) locale

Fixed
    Various security fixes

Changed
    Use 2D graphics library (Skia) for content rendering on Linux

    Re-enabled E10s support for Russian (ru) locale

    Updated to NSS 3.28.1

Security fixes:
 #CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
 #CVE-2017-5376: Use-after-free in XSL
 #CVE-2017-5377: Memory corruption with transforms to create gradients in Skia
 #CVE-2017-5378: Pointer and frame data leakage of Javascript objects
 #CVE-2017-5379: Use-after-free in Web Animations
 #CVE-2017-5380: Potential use-after-free during DOM manipulations
 #CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
 #CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests
 #CVE-2017-5396: Use-after-free with Media Decoder
 #CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations
 #CVE-2017-5382: Feed preview can expose privileged content errors and exceptions
 #CVE-2017-5383: Location bar spoofing with unicode characters
 #CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
 #CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers
 #CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions
 #CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events
 #CVE-2017-5391: Content about: pages can load privileged about: pages
 #CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage
 #CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager
 #CVE-2017-5395: Android location bar spoofing during scrolling
 #CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages
 #CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks
 #CVE-2017-5374: Memory safety bugs fixed in Firefox 51
 #CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7
@
text
@d1 1
a1 1
$NetBSD$
@

