head 1.18; access; symbols pkgsrc-2018Q1:1.17.0.2 pkgsrc-2018Q1-base:1.17 pkgsrc-2017Q4:1.16.0.2 pkgsrc-2017Q4-base:1.16 pkgsrc-2017Q3:1.15.0.8 pkgsrc-2017Q3-base:1.15 pkgsrc-2017Q2:1.15.0.4 pkgsrc-2017Q2-base:1.15 pkgsrc-2017Q1:1.15.0.2 pkgsrc-2017Q1-base:1.15 pkgsrc-2016Q4:1.14.0.2 pkgsrc-2016Q4-base:1.14 pkgsrc-2016Q3:1.13.0.2 pkgsrc-2016Q3-base:1.13 pkgsrc-2016Q2:1.12.0.2 pkgsrc-2016Q2-base:1.12 pkgsrc-2016Q1:1.10.0.6 pkgsrc-2016Q1-base:1.10 pkgsrc-2015Q4:1.10.0.4 pkgsrc-2015Q4-base:1.10 pkgsrc-2015Q3:1.10.0.2 pkgsrc-2015Q3-base:1.10 pkgsrc-2015Q2:1.8.0.2 pkgsrc-2015Q2-base:1.8 pkgsrc-2015Q1:1.6.0.2 pkgsrc-2015Q1-base:1.6 pkgsrc-2014Q4:1.5.0.2 pkgsrc-2014Q4-base:1.5 pkgsrc-2014Q3:1.3.0.4 pkgsrc-2014Q3-base:1.3 pkgsrc-2014Q2:1.3.0.2 pkgsrc-2014Q2-base:1.3 pkgsrc-2014Q1:1.1.0.2 pkgsrc-2014Q1-base:1.1; locks; strict; comment @# @; 1.18 date 2018.05.10.20.01.53; author ryoon; state dead; branches; next 1.17; commitid xD42Z67JHKvGXMBA; 1.17 date 2018.03.17.00.59.03; author ryoon; state Exp; branches; next 1.16; commitid yheX9IRIu7EcnKuA; 1.16 date 2017.09.30.05.34.12; author ryoon; state Exp; branches 1.16.2.1; next 1.15; commitid FvJcfB7R3sEnib9A; 1.15 date 2017.03.07.20.45.43; author ryoon; state Exp; branches; next 1.14; commitid cj2gfa0XmazzZEIz; 1.14 date 2016.12.03.09.58.26; author ryoon; state Exp; branches; next 1.13; commitid uIUIk0K6tuQSqwwz; 1.13 date 2016.08.06.08.46.59; author ryoon; state Exp; branches; next 1.12; commitid E1GJBeRJuobrRdhz; 1.12 date 2016.06.16.12.08.21; author ryoon; state Exp; branches; next 1.11; commitid LAwegbTYgLLjCGaz; 1.11 date 2016.04.27.16.22.40; author ryoon; state Exp; branches; next 1.10; commitid u2rwBznaaKPcDh4z; 1.10 date 2015.09.23.06.44.42; author ryoon; state Exp; branches 1.10.6.1; next 1.9; commitid A8JQd1PZS2cnplCy; 1.9 date 2015.08.11.23.48.18; author ryoon; state Exp; branches; next 1.8; commitid uPb40BQqdcXesUwy; 1.8 date 2015.05.12.22.48.54; author ryoon; state Exp; branches; next 1.7; commitid NJZg0HQjg2n73dly; 1.7 date 2015.04.05.12.54.11; author ryoon; state Exp; branches; next 1.6; commitid K8Tn7QcmAk8VWogy; 1.6 date 2015.01.16.22.42.09; author ryoon; state Exp; branches; next 1.5; commitid 4cICGew1Cni4Ki6y; 1.5 date 2014.12.01.18.11.14; author ryoon; state Exp; branches; next 1.4; commitid jJPLy0Wr2QzMIm0y; 1.4 date 2014.10.05.01.59.08; author ryoon; state Exp; branches; next 1.3; commitid kbqsx4twOadQaXSx; 1.3 date 2014.06.11.00.40.59; author ryoon; state Exp; branches; next 1.2; commitid QTw894DEf2Let2Ex; 1.2 date 2014.04.30.15.07.18; author ryoon; state Exp; branches; next 1.1; commitid BxErbE5mH8g3CIyx; 1.1 date 2014.03.20.21.02.00; author ryoon; state Exp; branches; next ; commitid 7yTA4yPlY6RyTttx; 1.16.2.1 date 2018.03.22.06.56.21; author spz; state Exp; branches; next ; commitid 8s0l4dxdhHyRbqvA; 1.10.6.1 date 2016.05.19.12.56.30; author bsiegert; state Exp; branches; next ; commitid 53h9eCcjRRHEM57z; desc @@ 1.18 log @Update to 60.0 * Remove untested patches including NetBSD/earm support Changelog: New Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file Enhancements to New Tab / Firefox Home Responsive layout that shows more content for users with wide-screen displays Highlights section includes web sites saved to Pocket More options to reorder sections and content on the page Pocket Sponsored Stories will appear for a percentage of users in the US. Read about our privacy-conscious approach to sponsored content Redesigned Cookies and Site Storage section in Preferences for greater clarity and control of first- and third-party cookies Applied Quantum CSS to render browser UI Added support for Web Authentication API, which allows USB tokens for website authentication Enhanced camera privacy indicators: Firefox now turns off your camera and the camera's light when you disable video recording, and turns the camera and light on when you resume recording Added an option for Linux users to show or hide page titles in a bar at the top of the browser. You'll find the Title Bar option in the Customize panel available from the main browser menu. Improved WebRTC audio performance and playback for Linux users Locale added: Occitan (oc) Fixed Various security fixes Changed #CVE-2018-5154: Use-after-free with SVG animations and clip paths #CVE-2018-5155: Use-after-free with SVG animations and text paths #CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files #CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer #CVE-2018-5159: Integer overflow and out-of-bounds write in Skia #CVE-2018-5160: Uninitialized memory use by WebRTC encoder #CVE-2018-5152: WebExtensions information leak through webRequest API #CVE-2018-5153: Out-of-bounds read in mixed content websocket messages #CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache #CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace #CVE-2018-5166: WebExtension host permission bypass through filterReponseData #CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger #CVE-2018-5168: Lightweight themes can be installed without user interaction #CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages #CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer #CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters #CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update #CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies #CVE-2018-5176: JSON Viewer script injection #CVE-2018-5177: Buffer overflow in XSLT during number formatting #CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox #CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced #CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink #CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar #CVE-2018-5151: Memory safety bugs fixed in Firefox 60 #CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 @ text @$NetBSD: patch-config_external_moz.build,v 1.17 2018/03/17 00:59:03 ryoon Exp $ * Support system libraries --- config/external/moz.build.orig 2018-03-10 02:54:17.000000000 +0000 +++ config/external/moz.build @@@@ -23,12 +23,21 @@@@ external_dirs += ['modules/woff2'] external_dirs += ['modules/xz-embedded'] -if CONFIG['MOZ_VORBIS']: +if not CONFIG['MOZ_SYSTEM_OGG']: + external_dirs += ['media/libogg'] + +if CONFIG['MOZ_VORBIS'] and not CONFIG['MOZ_SYSTEM_VORBIS']: external_dirs += ['media/libvorbis'] -if CONFIG['MOZ_TREMOR']: +if CONFIG['MOZ_TREMOR'] and not CONFIG['MOZ_SYSTEM_TREMOR']: external_dirs += ['media/libtremor'] +if not CONFIG['MOZ_SYSTEM_THEORA']: + external_dirs += ['media/libtheora'] + +if not CONFIG['MOZ_SYSTEM_SOUNDTOUCH']: + external_dirs += ['media/libsoundtouch'] + if CONFIG['MOZ_WEBM_ENCODER']: external_dirs += ['media/libmkv'] @@@@ -51,11 +60,8 @@@@ external_dirs += [ 'media/kiss_fft', 'media/libcubeb', 'media/libnestegg', - 'media/libogg', 'media/libopus', - 'media/libtheora', 'media/libspeex_resampler', - 'media/libsoundtouch', 'media/mp4parse-rust', 'media/psshparser' ] @ 1.17 log @Update to 59.0.1 Changelog: 59.0.1 Security fix #CVE-2018-5146: Out of bounds memory write in libvorbis 59.0 New Performance enhancements: - Faster load times for content on the Firefox Home page - Faster page load times by loading either from the networked cache or the cache on the user's hard drive (Race Cache With Network) - Improved graphics rendering using Off-Main-Thread Painting (OMTP) for Mac users (OMTP for Windows was released in Firefox 58) Drag-and-drop to rearrange Top Sites on the Firefox Home page, and customize new windows and tabs in other ways Added features for Firefox Screenshots: - Basic annotation lets the user draw on and highlight saved screenshots - Recropping to change the viewable area of saved screenshots Enhanced WebExtensions API including better support for decentralized protocols and the ability to dynamically register content scripts Improved Real-Time Communications (RTC) capabilities. - Implemented RTP Transceiver to give pages more fine grained control over calls - Implemented features to support large scale conferences Added support for W3C specs for pointer events and improved platform integration with added device support for mouse, pen, and touch screen pointer input Added the Ecosia search engine as an option for German Firefox Added the Qwant search engine as an option for French Firefox Added settings in about:preferences to stop websites from asking to send notifications or access your device's camera, microphone, and location, while still allowing trusted websites to use these features Fixed Various security fixes Changed Firefox Private Browsing Mode will remove path information from referrers to prevent cross-site tracking Security fixes: #CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList #CVE-2018-5128: Use-after-free manipulating editor selection ranges #CVE-2018-5129: Out-of-bounds write with malformed IPC messages #CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption #CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources #CVE-2018-5132: WebExtension Find API can search privileged pages #CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized #CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions #CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts #CVE-2018-5136: Same-origin policy violation with data: URL shared workers #CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources #CVE-2018-5138: Android Custom Tab address spoofing through long domain names #CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol #CVE-2018-5141: DOS attack through notifications Push API #CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs #CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar #CVE-2018-5126: Memory safety bugs fixed in Firefox 59 #CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.16 2017/09/30 05:34:12 ryoon Exp $ @ 1.16 log @Update to 56.0 New Launched Firefox Screenshots, a feature that lets users take, save, and share screenshots without leaving the browser Added support for address form autofill (en-US only) Updated Preferences Added search tool so users can find a specific setting quickly Reorganized preferences so users can more easily scan settings Rewrote descriptions so users can better understand choices and how they affect browsing Revised data collection choices so they align with updated Privacy Notice and data collection strategy Media opened in a background tab will not play until the tab is selected Improved Send Tabs feature of Sync for iOS and Android, and Send Tabs can be discovered even by users without a Firefox Account Changed Replaced character encoding converters with a new Encoding Standard-compliant implementation written in Rust Added hardware acceleration for AES-GCM Updated the Safe Browsing protocol to version 4 Reduced update download file size by approximately 20 percent Improved security for verifying update downloads Developer Added Layout Panel to CSS Grid DevTools @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.15 2017/03/07 20:45:43 ryoon Exp $ d5 1 a5 1 --- config/external/moz.build.orig 2017-09-14 20:15:53.000000000 +0000 d31 1 a31 1 @@@@ -57,12 +66,9 @@@@ external_dirs += [ a38 1 'media/libstagefright', d40 1 a42 1 @ 1.16.2.1 log @Pullup ticket #5728 - requested by maya devel/nspr: dependency update devel/nss: dependency update www/firefox-l10n: dependent update www/firefox: security update Revisions pulled up: - devel/nspr/Makefile 1.94-1.95 - devel/nspr/distinfo 1.48-1.49 - devel/nspr/patches/patch-az deleted - devel/nspr/patches/patch-nspr_pr_include_md___pth.h 1.1 - devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c 1.1 - devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h deleted - devel/nss/Makefile 1.146,1.148 - devel/nss/PLIST 1.24 - devel/nss/distinfo 1.81,1.83 - devel/nss/patches/patch-nss_lib_freebl_config.mk deleted - devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h deleted - www/firefox-l10n/Makefile 1.121-1.123 - www/firefox-l10n/distinfo 1.111-1.113 - www/firefox/Makefile 1.320-1.321,1.324 - www/firefox/PLIST 1.127 - www/firefox/distinfo 1.307-1.309 - www/firefox/mozilla-common.mk 1.105-1.106 - www/firefox/patches/patch-aa 1.56 - www/firefox/patches/patch-build_gyp.mozbuild 1.8 - www/firefox/patches/patch-build_moz.configure_keyfiles.configure 1.5 - www/firefox/patches/patch-build_moz.configure_memory.configure deleted - www/firefox/patches/patch-config_baseconfig.mk deleted - www/firefox/patches/patch-config_external_moz.build 1.17 - www/firefox/patches/patch-dom_media_moz.build 1.9 - www/firefox/patches/patch-gfx_skia_generate__mozbuild.py 1.8 - www/firefox/patches/patch-gfx_skia_moz.build 1.15 - www/firefox/patches/patch-gfx_thebes_moz.build 1.9 - www/firefox/patches/patch-media_libcubeb_gtest_moz.build 1.2 - www/firefox/patches/patch-media_libtheora_moz.build 1.8 - www/firefox/patches/patch-media_libvorbis_moz.build 1.4 - www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc 1.1 - www/firefox/patches/patch-modules_libpref_init_all.js 1.7 - www/firefox/patches/patch-modules_pdfium_update.sh 1.2 - www/firefox/patches/patch-netwerk_dns_moz.build 1.8 - www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c deleted - www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c deleted - www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs deleted - www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json 1.1 - www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs 1.1 - www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h deleted - www/firefox/patches/patch-toolkit_moz.configure 1.10 - www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp deleted - www/firefox/patches/patch-xpcom_build_BinaryPath.h 1.3-1.4 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 24 16:21:43 UTC 2018 Modified Files: pkgsrc/devel/nspr: Makefile distinfo Added Files: pkgsrc/devel/nspr/patches: patch-nspr_pr_include_md___pth.h patch-nspr_pr_src_pthreads_ptthread.c Removed Files: pkgsrc/devel/nspr/patches: patch-az patch-nsprpub_pr_include_md__pth.h Log Message: Update to 4.18 Changelog: NSPR 4.18 contains the following changes: - removed HP-UX DCE threads support - improvements for the Windows implementation of PR_SetCurrentThreadName - fixes for the Windows implementation of TCP Fast Open To generate a diff of this commit: cvs rdiff -u -r1.93 -r1.94 pkgsrc/devel/nspr/Makefile cvs rdiff -u -r1.47 -r1.48 pkgsrc/devel/nspr/distinfo cvs rdiff -u -r1.4 -r0 pkgsrc/devel/nspr/patches/patch-az cvs rdiff -u -r0 -r1.1 \ pkgsrc/devel/nspr/patches/patch-nspr_pr_include_md___pth.h \ pkgsrc/devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c cvs rdiff -u -r1.3 -r0 \ pkgsrc/devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:06:18 UTC 2018 Modified Files: pkgsrc/devel/nspr: Makefile distinfo Log Message: Update to 4.29 Changelog: NSPR 4.19 contains the following changes: - changed order of shutdown cleanup to avoid a crash on Mac OSX - build compatibility with Android NDK r16 and glibc 2.26 To generate a diff of this commit: cvs rdiff -u -r1.94 -r1.95 pkgsrc/devel/nspr/Makefile cvs rdiff -u -r1.48 -r1.49 pkgsrc/devel/nspr/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 24 16:23:52 UTC 2018 Modified Files: pkgsrc/devel/nss: Makefile distinfo Removed Files: pkgsrc/devel/nss/patches: patch-nss_lib_freebl_config.mk patch-nss_lib_freebl_verified_kremlib.h Log Message: Update to 3.35 Changelog: The NSS team has released Network Security Services (NSS) 3.35, which is a minor release. Summary of the major changes included in this release: - The default database storage format has been changed to SQL, using filenames cert9.db, key4.db, pkcs11.txt. - TLS 1.3 support has been updated to draft -23, along with additional significant changes. - Support for TLS compression was removed. - Added formally verified implementations of non-vectorized Chacha20 and non-vectorized Poly1305 64-bit. - When creating encrypted PKCS#7 or PKCS#12 data, NSS uses a higher iteration count for stronger security. - The CA trust list was updated to version 2.22. To generate a diff of this commit: cvs rdiff -u -r1.145 -r1.146 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.80 -r1.81 pkgsrc/devel/nss/distinfo cvs rdiff -u -r1.2 -r0 \ pkgsrc/devel/nss/patches/patch-nss_lib_freebl_config.mk cvs rdiff -u -r1.1 -r0 \ pkgsrc/devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:07:15 UTC 2018 Modified Files: pkgsrc/devel/nss: Makefile PLIST distinfo Log Message: Update to 3.36 * Require devel/nspr-4.19 Changelog: The NSS team has released Network Security Services (NSS) 3.36, which is a minor release. Summary of the major changes included in this release: - Replaced existing vectorized ChaCha20 code with verified HACL* implementation. - Experimental APIs for TLS session cache handling. To generate a diff of this commit: cvs rdiff -u -r1.147 -r1.148 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.23 -r1.24 pkgsrc/devel/nss/PLIST cvs rdiff -u -r1.82 -r1.83 pkgsrc/devel/nss/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 31 14:02:18 UTC 2018 Modified Files: pkgsrc/www/firefox: Makefile distinfo Added Files: pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h Log Message: Update to 58.0.1 * Fix build under netbsd-7, PR pkg/52956 Changelog: Fix Mozilla Foundation Security Advisory 2018-05: Arbitrary code execution through unsanitized browser UI When using certain non-default security policies on Windows (for example with Windows Defender Exploit Protection or Webroot security products), Firefox 58.0 would fail to load pages (bug 1433065). To generate a diff of this commit: cvs rdiff -u -r1.319 -r1.320 pkgsrc/www/firefox/Makefile cvs rdiff -u -r1.306 -r1.307 pkgsrc/www/firefox/distinfo cvs rdiff -u -r0 -r1.3 \ pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Feb 10 07:02:47 UTC 2018 Modified Files: pkgsrc/www/firefox: Makefile distinfo mozilla-common.mk pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h Log Message: Update to 58.0.2 * Fix segfault on netbsd-7 Changelog: Fix Avoid a signature validation issue during update on macOS Blocklisted graphics drivers related to off main thread painting crashes Tab crash during printing Fix clicking links and scrolling emails on Microsoft Hotmail and Outlook (OWA) webmail To generate a diff of this commit: cvs rdiff -u -r1.320 -r1.321 pkgsrc/www/firefox/Makefile cvs rdiff -u -r1.307 -r1.308 pkgsrc/www/firefox/distinfo cvs rdiff -u -r1.104 -r1.105 pkgsrc/www/firefox/mozilla-common.mk cvs rdiff -u -r1.3 -r1.4 \ pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 00:59:03 UTC 2018 Modified Files: pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk pkgsrc/www/firefox/patches: patch-aa patch-build_gyp.mozbuild patch-config_external_moz.build patch-dom_media_moz.build patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build patch-gfx_thebes_moz.build patch-media_libcubeb_gtest_moz.build patch-media_libtheora_moz.build patch-media_libvorbis_moz.build patch-modules_pdfium_update.sh patch-netwerk_dns_moz.build patch-toolkit_moz.configure Added Files: pkgsrc/www/firefox/patches: patch-build_moz.configure_keyfiles.configure patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc patch-modules_libpref_init_all.js patch-third__party_rust_simd_.cargo-checksum.json patch-third__party_rust_simd_src_x86_avx2.rs Removed Files: pkgsrc/www/firefox/patches: patch-build_moz.configure_memory.configure patch-config_baseconfig.mk patch-netwerk_srtp_src_crypto_hash_hmac.c patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c patch-servo_components_style_properties_helpers_animated__properties.mako.rs patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h patch-toolkit_xre_nsEmbedFunctions.cpp Log Message: Update to 59.0.1 Changelog: 59.0.1 Security fix #CVE-2018-5146: Out of bounds memory write in libvorbis 59.0 New Performance enhancements: - Faster load times for content on the Firefox Home page - Faster page load times by loading either from the networked cache or the cache on the user's hard drive (Race Cache With Network) - Improved graphics rendering using Off-Main-Thread Painting (OMTP) for Mac users (OMTP for Windows was released in Firefox 58) Drag-and-drop to rearrange Top Sites on the Firefox Home page, and customize new windows and tabs in other ways Added features for Firefox Screenshots: - Basic annotation lets the user draw on and highlight saved screenshots - Recropping to change the viewable area of saved screenshots Enhanced WebExtensions API including better support for decentralized protocols and the ability to dynamically register content scripts Improved Real-Time Communications (RTC) capabilities. - Implemented RTP Transceiver to give pages more fine grained control over calls - Implemented features to support large scale conferences Added support for W3C specs for pointer events and improved platform integration with added device support for mouse, pen, and touch screen pointer input Added the Ecosia search engine as an option for German Firefox Added the Qwant search engine as an option for French Firefox Added settings in about:preferences to stop websites from asking to send notifications or access your device's camera, microphone, and location, while still allowing trusted websites to use these features Fixed Various security fixes Changed Firefox Private Browsing Mode will remove path information from referrers to prevent cross-site tracking Security fixes: #CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList #CVE-2018-5128: Use-after-free manipulating editor selection ranges #CVE-2018-5129: Out-of-bounds write with malformed IPC messages #CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption #CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources #CVE-2018-5132: WebExtension Find API can search privileged pages #CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized #CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions #CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts #CVE-2018-5136: Same-origin policy violation with data: URL shared workers #CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources #CVE-2018-5138: Android Custom Tab address spoofing through long domain names #CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol #CVE-2018-5141: DOS attack through notifications Push API #CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs #CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar #CVE-2018-5126: Memory safety bugs fixed in Firefox 59 #CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 To generate a diff of this commit: cvs rdiff -u -r1.323 -r1.324 pkgsrc/www/firefox/Makefile cvs rdiff -u -r1.126 -r1.127 pkgsrc/www/firefox/PLIST cvs rdiff -u -r1.308 -r1.309 pkgsrc/www/firefox/distinfo cvs rdiff -u -r1.105 -r1.106 pkgsrc/www/firefox/mozilla-common.mk cvs rdiff -u -r1.55 -r1.56 pkgsrc/www/firefox/patches/patch-aa cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/firefox/patches/patch-build_gyp.mozbuild \ pkgsrc/www/firefox/patches/patch-gfx_skia_generate__mozbuild.py \ pkgsrc/www/firefox/patches/patch-media_libtheora_moz.build \ pkgsrc/www/firefox/patches/patch-netwerk_dns_moz.build cvs rdiff -u -r0 -r1.5 \ pkgsrc/www/firefox/patches/patch-build_moz.configure_keyfiles.configure cvs rdiff -u -r1.2 -r0 \ pkgsrc/www/firefox/patches/patch-build_moz.configure_memory.configure \ pkgsrc/www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h cvs rdiff -u -r1.10 -r0 pkgsrc/www/firefox/patches/patch-config_baseconfig.mk cvs rdiff -u -r1.16 -r1.17 \ pkgsrc/www/firefox/patches/patch-config_external_moz.build cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/firefox/patches/patch-dom_media_moz.build \ pkgsrc/www/firefox/patches/patch-gfx_thebes_moz.build cvs rdiff -u -r1.14 -r1.15 \ pkgsrc/www/firefox/patches/patch-gfx_skia_moz.build cvs rdiff -u -r1.1 -r1.2 \ pkgsrc/www/firefox/patches/patch-media_libcubeb_gtest_moz.build \ pkgsrc/www/firefox/patches/patch-modules_pdfium_update.sh cvs rdiff -u -r1.3 -r1.4 \ pkgsrc/www/firefox/patches/patch-media_libvorbis_moz.build cvs rdiff -u -r0 -r1.1 \ pkgsrc/www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc \ pkgsrc/www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json \ pkgsrc/www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs cvs rdiff -u -r0 -r1.7 \ pkgsrc/www/firefox/patches/patch-modules_libpref_init_all.js cvs rdiff -u -r1.4 -r0 \ pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c cvs rdiff -u -r1.3 -r0 \ pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c cvs rdiff -u -r1.1 -r0 \ pkgsrc/www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs cvs rdiff -u -r1.9 -r1.10 \ pkgsrc/www/firefox/patches/patch-toolkit_moz.configure cvs rdiff -u -r1.7 -r0 \ pkgsrc/www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 31 14:03:25 UTC 2018 Modified Files: pkgsrc/www/firefox-l10n: Makefile distinfo Log Message: Update to 58.0.1 * Sync with www/firefox-58.0.1 To generate a diff of this commit: cvs rdiff -u -r1.120 -r1.121 pkgsrc/www/firefox-l10n/Makefile cvs rdiff -u -r1.110 -r1.111 pkgsrc/www/firefox-l10n/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Feb 10 07:05:20 UTC 2018 Modified Files: pkgsrc/www/firefox-l10n: Makefile distinfo Log Message: Update to 58.0.2 * Sync with www/firefox-58.0.2 To generate a diff of this commit: cvs rdiff -u -r1.121 -r1.122 pkgsrc/www/firefox-l10n/Makefile cvs rdiff -u -r1.111 -r1.112 pkgsrc/www/firefox-l10n/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:00:20 UTC 2018 Modified Files: pkgsrc/www/firefox-l10n: Makefile distinfo Log Message: Update to 59.0.1 * Sync with www/firefox-59.0.1 To generate a diff of this commit: cvs rdiff -u -r1.122 -r1.123 pkgsrc/www/firefox-l10n/Makefile cvs rdiff -u -r1.112 -r1.113 pkgsrc/www/firefox-l10n/distinfo @ text @d1 1 a1 1 $NetBSD$ d5 1 a5 1 --- config/external/moz.build.orig 2018-03-10 02:54:17.000000000 +0000 d31 1 a31 1 @@@@ -51,11 +60,8 @@@@ external_dirs += [ d39 1 a40 1 'media/mp4parse-rust', d43 1 @ 1.15 log @Update to 52.0 * Switch to GTK3 build * Remove py-sqlite2 dependency, fix PR pkg/52032 Changelog: New Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins. Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab. Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS. Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain. Enhanced Sync to allow users to send and open tabs from one device to another. Fixed Various security fixes Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that * have chained dead keys * input two or more characters with a non-printable key or a dead key sequence * input a character even when a dead key sequence failed to compose a character Changed Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. Removed Battery Status API to reduce fingerprinting of users by trackers Improved experience for downloads: * Notification in the toolbar when a download fails * Quick access to five most recent downloads rather than three * Larger buttons for canceling and restarting downloads Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1 Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox. When not using Direct2D on Windows, Skia is used for content rendering Developer Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design Redesigned Responsive Design Mode to include device selection, network throttling, and more Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain unresolved Google Hangouts temporarily won't work Security fixes: #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP #CVE-2017-5401: Memory Corruption when handling ErrorResult #CVE-2017-5402: Use-after-free working with events in FontFace objects #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object #CVE-2017-5404: Use-after-free working with ranges in selections #CVE-2017-5406: Segmentation fault in Skia with canvas operations #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS #CVE-2017-5412: Buffer overflow read in SVG filters #CVE-2017-5413: Segmentation fault during bidirectional operations #CVE-2017-5414: File picker can choose incorrect default directory #CVE-2017-5415: Addressbar spoofing through blob URL #CVE-2017-5416: Null dereference crash in HttpChannel #CVE-2017-5417: Addressbar spoofing by draging and dropping URLs #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running #CVE-2017-5427: Non-existent chrome.manifest file loaded during startup #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses #CVE-2017-5419: Repeated authentication prompts lead to DOS attack #CVE-2017-5420: Javascript: URLs can obfuscate addressbar location #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports #CVE-2017-5421: Print preview spoofing #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink #CVE-2017-5399: Memory safety bugs fixed in Firefox 52 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.14 2016/12/03 09:58:26 ryoon Exp $ d5 1 a5 1 --- config/external/moz.build.orig 2017-01-23 16:13:47.000000000 +0000 d7 3 a9 3 @@@@ -21,12 +21,21 @@@@ if CONFIG['MOZ_UPDATER']: external_dirs += ['modules/brotli'] external_dirs += ['modules/woff2'] d31 1 a31 1 @@@@ -52,12 +61,9 @@@@ external_dirs += [ @ 1.14 log @Update to 50.0.2 * Change default audio support to ALSA. You can use OSS or pulseaudio via ALSA plugin package. Changelog: 50.0.2: Fixed in Firefox 50.0.2 #CVE-2016-9079: Use-after-free in SVG Animation 50.0.1: Fixed *Firefox crashes with 3rd party Chinese IME when using IME text Security vulnerabilities fixed in Firefox 50.0.1: #CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect 50.0: New *Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac *Improved performance for SDK extensions or extensions using the SDK module loader *Added download protection for a large number of executable file types on Windows, Mac and Linux *Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer *Added Guarani (gn) locale *Added option to Find in page that allows users to limit search to whole words only *Updates to keyboard shortcuts *Set a preference to have Ctrl+Tab cycle through tabs in recently used order *View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac) Fixed *Login cookies are now saved for sites with a high number of cookies (Bug 1264192) *Various security fixes *Fixed rendering of dashed and dotted borders with rounded corners (border-radius) Changed *The link to check for plugin security updates has been removed from the addon manager as Firefox automatically checks for plugin updates *Blocked versions of libavcodec older than 54.35.1 *Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux) Developer *Changes for web developers Security vulnerabilities fixed in Firefox 50: #CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 #CVE-2016-5292: URL parsing causes crash #CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink #CVE-2016-5294: Arbitrary target directory for result files of update process #CVE-2016-5297: Incorrect argument length checking in JavaScript #CVE-2016-9064: Add-ons update must verify IDs match between current and new versions #CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen #CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler #CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore #CVE-2016-9068: heap-use-after-free in nsRefreshDriver #CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile #CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges #CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them #CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file #CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM #CVE-2016-5298: SSL indicator can mislead the user about the real URL visited #CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissionsPI key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions #CVE-2016-9062: Private browsing browser traces (Android) in browser.db and wal file #CVE-2016-9070: Sidebar bookmark can have reference to chrome window #CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" #CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler #CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s #CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in Expat #CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP #CVE-2016-5289: Memory safety bugs fixed in Firefox 50 #CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.13 2016/08/06 08:46:59 ryoon Exp $ d5 1 a5 1 --- config/external/moz.build.orig 2016-10-31 20:15:28.000000000 +0000 d41 1 a43 1 DIRS += ['../../' + i for i in external_dirs] @ 1.13 log @Update to 48.0 * OSS audio support may not work. I will revisit later Changelog: New: Roar for moar protection against harmful downloads! We've got your back Process separation (e10s) is enabled for some of you. Like it? Let us know and we'll roll it out to more. Add-ons that have not been verified and signed by Mozilla will not load GNU/Linux fans: Get better Canvas performance with speedy Skia support. Try saying that three times fast WebRTC embetterments: Delay-agnostic AEC enabled Full duplex for GNU/Linux enabled ICE Restart & Update is supported Cloning of MediaStream and MediaStreamTrack is now supported Searching for something already in your bookmarks or open tabs? We added super smart icons to let you know Windows folks: Tab (move buttons) and Shift+F10 (pop-up menus) now behave as they should in Firefox customization mode The media parser has been redeveloped using the Rust programming language Windows 7 systems without Platform Update can now use D3D11 WARP Fixed: Various security fixes Heyo, Jabra & Logitech C920 webcam users. We fixed those pesky WebRTC bugs causing frequency distortions. Buh-bye, squeaky voice! Improved step debugging on last line of functions Changed: Starting with the Firefox version 49 release, so long to support for 10.6, 10.7 and 10.8. Now we can focus on where most Mac users are: 10.9. Don't forget to upgrade! After version 48, SSE2 CPU extensions are going to be required on Windows Au revoir to Windows Remote Access Service modem Autodial Developer: WebExtensions support is now considered as stable Workers can now use the Web Crypto API Want to move absolute & fixed positioned elements? (Who doesn't, right?) Now you can with our geometry editor. The memory tool now has a tree map view for your debugging pleasure. It's a little bit of "boo" and a whole lot of "ya." We're putting the spotlight on the background. Now you can debug WebExtensions background content scripts and background pages Content Security Policy (CSP) is now enforced for WebExtensions. (Who's down with CSP?) Old and busted: Error Console. New hotness: Browser Console for your debugging pleasure. Add-on development just got easier because you can reload them from about:debugging — because we're all about debugging. This theme is hot, hot, hot! Say hi to the Firebug theme for Developer Tools. Expand network requests from the console panel to view request details in line, so you can see things in context Fixed in Firefox 48: 2016-84 Information disclosure through Resource Timing API during page navigation 2016-83 Spoofing attack through text injection into internal error pages 2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android 2016-81 Information disclosure and local file manipulation through drag and drop 2016-80 Same-origin policy violation using local HTML file and saved shortcut file 2016-79 Use-after-free when applying SVG effects 2016-78 Type confusion in display transformation 2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback 2016-76 Scripts on marquee tag can execute in sandboxed iframes 2016-75 Integer overflow in WebSockets during data buffering 2016-74 Form input type change from password to text can store plain text password in session restore file 2016-73 Use-after-free in service workers with nested sync events 2016-72 Use-after-free in DTLS during WebRTC session shutdown 2016-71 Crash in incremental garbage collection in JavaScript 2016-70 Use-after-free when using alt key and toplevel menus 2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter 2016-68 Out-of-bounds read during XML parsing in Expat library 2016-67 Stack underflow during 2D graphics rendering 2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes 2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 2016-64 Buffer overflow rendering SVG with bidirectional content 2016-63 Favicon network connection can persist when page is closed 2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.12 2016/06/16 12:08:21 ryoon Exp $ d5 1 a5 1 --- config/external/moz.build.orig 2016-07-25 20:22:04.000000000 +0000 d7 1 a7 1 @@@@ -21,10 +21,19 @@@@ if CONFIG['MOZ_UPDATER']: a14 6 +if not CONFIG['MOZ_SYSTEM_CELT'] or not CONFIG['MOZ_SYSTEM_OPUS']: + external_dirs += ['media/libopus'] + +if not CONFIG['MOZ_SYSTEM_THEORA']: + external_dirs += ['media/libtheora'] + d22 6 d29 3 a31 1 @@@@ -52,9 +61,6 @@@@ external_dirs += [ d36 1 a36 1 - 'media/libopus', d40 4 a43 1 'media/libsoundtouch', @ 1.12 log @Update to 47.0 * Remove macOS patches, because I cannot confirm them sadly Changelog: New Support for Google’s Widevine CDM on Windows and Mac OS X so streaming services like Amazon Video can switch from Silverlight to encrypted HTML5 video. Enable VP9 video codec for users with fast machines Embedded YouTube videos now play with HTML5 video if Flash is not installed. View and search open tabs from your smartphone or another computer in a sidebar Allow no-cache on back/forward navigations for https resources Latgalu [ltg] locale added. Wikipedia tells us there are 164,500 daily speakers. Fixed Various security fixes Changed FUEL (Firefox User Extension Library) has been removed. Add-ons relying on it will stop working. The browser.sessionstore.restore_on_demand preference has been reset to its default value (true) to avoid e10s performance problems. Because faster is better! The Firefox click-to-activate plugin whitelist has been removed. XRender is no longer used for rendering web content on Linux as this may cause a regression in remote X performance Developer Web platform changes View, start,and debug registered Service Workers in the Service Workers developer tool Simulate Push messages in the Service Workers developer tool 'Start' button for service workers in about:debugging to start registered Service Workers Changes that can affect add-on compatibility Added support for ChaCha20/Poly1305 cipher suites Custom user agents supported in Responsive Design Mode Smart multi-line input in the Web Console Developer Information HTML5 cuechange events are now available on TextTrack objects WebCrypto: PBKDF2 supports SHA-2 hash algorithms WebCrypto: RSA-PSS signature support Fixed in Firefox 47 2016-61 Network Security Services (NSS) vulnerabilities 2016-60 Java applets bypass CSP protections 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes 2016-58 Entering fullscreen and persistent pointerlock without user permission 2016-57 Incorrect icon displayed on permissions notifications 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction 2016-55 File overwrite and privilege escalation through Mozilla Windows updater 2016-54 Partial same-origin-policy through setting location.host through data URI 2016-53 Out-of-bounds write with WebGL shader 2016-52 Addressbar spoofing though the SELECT element 2016-51 Use-after-free deleting tables from a contenteditable document 2016-50 Buffer overflow parsing HTML5 fragments 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.11 2016/04/27 16:22:40 ryoon Exp $ d5 1 a5 1 --- config/external/moz.build.orig 2016-05-12 17:04:58.000000000 +0000 d12 1 a12 1 +if not CONFIG['MOZ_NATIVE_OGG']: d15 1 a15 1 +if not CONFIG['MOZ_NATIVE_CELT'] or not CONFIG['MOZ_NATIVE_OPUS']: d18 1 a18 1 +if not CONFIG['MOZ_NATIVE_THEORA']: d21 1 a21 1 +if CONFIG['MOZ_VORBIS'] and not CONFIG['MOZ_NATIVE_VORBIS']: d25 1 a25 1 +if CONFIG['MOZ_TREMOR'] and not CONFIG['MOZ_NATIVE_TREMOR']: @ 1.11 log @Update to 46.0 * Drop buildlink to gstreamer1 Changelog: New Improved security of the JavaScript Just In Time (JIT) Compiler GTK3 integration (GNU/Linux only) Fixed Correct rendering for scaled SVGs that use a clip and a mask Various security fixes Screen reader behavior with blank spaces in Google Docs corrected Changed WebRTC fixes to improve performance and stability Developer Display dominator trees in Memory tool Allocation and garbage collection pause profiling in the performance panel Launch responsive mode from the Style Editor @@media sidebar HTML5 Added support for document.elementsFromPoint Added HKDF support for Web Crypto API Fixed in Firefox 46 2016-48 Firefox Health Reports could accept events from untrusted domains 2016-47 Write to invalid HashMap entry through JavaScript.watch() 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace 2016-44 Buffer overflow in libstagefright with CENC offsets 2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors 2016-42 Use-after-free and buffer overflow in Service Workers 2016-41 Content provider permission bypass allows malicious application to access data 2016-40 Privilege escalation through file deletion by Maintenance Service updater 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.10 2015/09/23 06:44:42 ryoon Exp $ d3 3 a5 1 --- config/external/moz.build.orig 2016-04-15 16:57:45.000000000 +0000 d7 1 a7 2 @@@@ -20,10 +20,19 @@@@ if CONFIG['MOZ_UPDATER']: # There's no "native brotli" yet, but probably in the future... d9 1 d29 1 a29 1 @@@@ -51,9 +60,6 @@@@ external_dirs += [ @ 1.10 log @Update to 41.0 Changelog: New Enhance IME support on Windows (Vista +) using TSF (Text Services Framework) New Ability to set a profile picture for your Firefox Account New Firefox Hello now includes instant messaging New SVG images can be used as favicons New Improved box-shadow rendering performance Changed WebRTC now requires perfect forward secrecy Changed WARP is disabled on Windows 7 Changed Updates to image decoding process Changed Support for running animations of 'transform' and 'opacity' on the compositor thread HTML5 MessageChannel and MessagePort API enabled by default HTML5 Added support for the transform-origin property on SVG elements HTML5 CSS Font Loading API enabled by default HTML5 Navigator.onLine now varies with actual internet connectivity (Windows and Mac OS X only) HTML5 Copy/Cut Web content from JavaScript to the OS clipboard with document.execCommand("cut"/"copy") HTML5 Implemented Cache API for querying named caches that are accessible Window, Worker, and ServiceWorker Developer Removed support for binary XPCOM components in extensions, use addon SDK "system/child_process" pipe mechanism for native binaries instead Developer Network requests can be exported in HAR format Developer Quickly add new CSS rule with New Rule button in the Inspector Developer Screenshot a node or element from markup view with the Screenshot Node context menu item Developer Copy element CSS rule declarations with the Copy Rule Declaration context menu item in the Inspector Developer Pseudo-Class panel in the Inspector Fixed Picture element does not react to resize/viewport changes Fixed Various security fixes Security fixes: Fixed in Firefox 41 2015-114 Information disclosure via the High Resolution Time API 2015-113 Memory safety errors in libGLES in the ANGLE graphics library 2015-112 Vulnerabilities found through code inspection 2015-111 Errors in the handling of CORS preflight request headers 2015-110 Dragging and dropping images exposes final URL after redirects 2015-109 JavaScript immutable property enforcement can be bypassed 2015-108 Scripted proxies can access inner window 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems 2015-106 Use-after-free while manipulating HTML media content 2015-105 Buffer overflow while decoding WebM video 2015-104 Use-after-free with shared workers and IndexedDB 2015-103 URL spoofing in reader mode 2015-102 Crash when using debugger with SavedStacks in JavaScript 2015-101 Buffer overflow in libvpx while parsing vp9 format video 2015-100 Arbitrary file manipulation by local user through Mozilla updater 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes 2015-97 Memory leak in mozTCPSocket to servers 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.9 2015/08/11 23:48:18 ryoon Exp $ d3 1 a3 1 --- config/external/moz.build.orig 2015-08-24 21:53:10.000000000 +0000 d5 1 a5 1 @@@@ -19,10 +19,19 @@@@ if CONFIG['MOZ_UPDATER']: d26 2 a27 3 if CONFIG['MOZ_WEBM']: @@@@ -49,9 +58,6 @@@@ if CONFIG['MOZ_WEBSPEECH_POCKETSPHINX']: external_dirs += [ d30 1 @ 1.10.6.1 log @Pullup ticket #5015 - requested by sevan www/firefox: security fix Revisions pulled up: - www/firefox/Makefile 1.249-1.250 - www/firefox/PLIST 1.105-1.106 - www/firefox/distinfo 1.242-1.243 - www/firefox/mozilla-common.mk 1.73 - www/firefox/patches/patch-aa 1.45 - www/firefox/patches/patch-config_external_moz.build 1.11 - www/firefox/patches/patch-config_system-headers 1.18 - www/firefox/patches/patch-dom_media_gstreamer_GStreamerAllocator.cpp deleted - www/firefox/patches/patch-dom_media_moz.build 1.3 - www/firefox/patches/patch-gfx_skia_generate__mozbuild.py 1.4 - www/firefox/patches/patch-gfx_skia_moz.build 1.11 - www/firefox/patches/patch-gfx_skia_skia_src_core_SkUtilsArm.cpp 1.2 - www/firefox/patches/patch-gfx_skia_skia_src_opts_SkBitmapProcState__opts__arm.cpp deleted - www/firefox/patches/patch-gfx_skia_skia_src_opts_memset.arm.S deleted - www/firefox/patches/patch-gfx_thebes_moz.build 1.3 - www/firefox/patches/patch-media_libcubeb_src_cubeb.c 1.3 - www/firefox/patches/patch-media_libcubeb_src_cubeb__alsa.c 1.14 - www/firefox/patches/patch-media_libcubeb_src_moz.build 1.7 - www/firefox/patches/patch-media_libtheora_moz.build 1.5 - www/firefox/patches/patch-pb deleted - www/firefox/patches/patch-pc deleted - www/firefox/patches/patch-toolkit_library_moz.build 1.5 - www/firefox/patches/patch-xpcom_reflect_xptcall_md_unix_moz.build 1.5 --- Module Name: pkgsrc Committed By: ryoon Date: Wed Apr 13 20:37:33 UTC 2016 Modified Files: pkgsrc/www/firefox: Makefile PLIST distinfo Log Message: Update to 45.0.2 Changelog: Fixed: Fix an issue impacting the cookie header when third-party cookies are blocked (1257861) Fix a web compatibility regression impacting the srcset attribute of the image tag (1259482) Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (1254980) Fix a crash impacting the video playback with Media Source Extension (1258562) Fix a regression impacting some specific uploads (1255735) --- Module Name: pkgsrc Committed By: ryoon Date: Wed Apr 27 16:22:40 UTC 2016 Modified Files: pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk pkgsrc/www/firefox/patches: patch-aa patch-config_external_moz.build patch-config_system-headers patch-dom_media_moz.build patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build patch-gfx_skia_skia_src_core_SkUtilsArm.cpp patch-gfx_thebes_moz.build patch-media_libcubeb_src_cubeb.c patch-media_libcubeb_src_cubeb__alsa.c patch-media_libcubeb_src_moz.build patch-media_libtheora_moz.build patch-toolkit_library_moz.build patch-xpcom_reflect_xptcall_md_unix_moz.build Removed Files: pkgsrc/www/firefox/patches: patch-dom_media_gstreamer_GStreamerAllocator.cpp patch-gfx_skia_skia_src_opts_SkBitmapProcState__opts__arm.cpp patch-gfx_skia_skia_src_opts_memset.arm.S patch-pb patch-pc Log Message: Update to 46.0 * Drop buildlink to gstreamer1 Changelog: New Improved security of the JavaScript Just In Time (JIT) Compiler GTK3 integration (GNU/Linux only) Fixed Correct rendering for scaled SVGs that use a clip and a mask Various security fixes Screen reader behavior with blank spaces in Google Docs corrected Changed WebRTC fixes to improve performance and stability Developer Display dominator trees in Memory tool Allocation and garbage collection pause profiling in the performance panel Launch responsive mode from the Style Editor @@media sidebar HTML5 Added support for document.elementsFromPoint Added HKDF support for Web Crypto API Fixed in Firefox 46 2016-48 Firefox Health Reports could accept events from untrusted domains 2016-47 Write to invalid HashMap entry through JavaScript.watch() 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace 2016-44 Buffer overflow in libstagefright with CENC offsets 2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors 2016-42 Use-after-free and buffer overflow in Service Workers 2016-41 Content provider permission bypass allows malicious application to access data 2016-40 Privilege escalation through file deletion by Maintenance Service updater 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8) @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- config/external/moz.build.orig 2016-04-15 16:57:45.000000000 +0000 d5 1 a5 1 @@@@ -20,10 +20,19 @@@@ if CONFIG['MOZ_UPDATER']: d26 3 a28 2 if CONFIG['MOZ_WEBM_ENCODER']: @@@@ -51,9 +60,6 @@@@ external_dirs += [ a30 1 'media/libnestegg', @ 1.9 log @Update to 40.0 Changelog: New Support for Windows 10 New Added protection against unwanted software downloads New User can receive suggested tiles in the new tab page based on categories Firefox matches to browsing history (en-US only). New Hello allows adding a link to conversations to provide context on what the conversation will be about New New style for add-on manager based on the in-content preferences style New Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only) New Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked Changed Add-on extensions that are not signed by Mozilla will display a warning Changed NPAPI Plug-in performance improved via asynchronous initialization Changed Smoother animation and scrolling with hardware vsync (Windows only) Changed JPEG images use less memory when scaled and can be painted faster Changed Sub-resources can no longer request HTTP authentication, thus protecting users from inadvertently disclosing login data HTML5 IndexedDB transactions are now non-durable by default HTML5 Implemented AudioBufferSourceNode.detune to modulate playback rate in cents, a logarithmic unit of measure used for musical intervals Developer Improved Performance tools in the developer tools: Waterfall view, Call Tree view and a Flame Chart view Developer New rules view tooltip in the Inspector to tweak CSS Filter values Developer Console API messages from SharedWorker and ServiceWorker are now displayed in web console Developer New page ruler highlighting tool that displays lightweight horizontal and vertical rules on a page Developer Inspector now searches across all content frames in a page Fixed Kannada text does not display properly in built-in pdf viewer Fixed Various security fixes Known Issues unresolved If Firefox is restarted from an add-on install notification, on-going private browsing downloads might be canceled without warning (1185294) Fixed in Firefox 40 2015-92 Use-after-free in XMLHttpRequest with shared workers 2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification 2015-90 Vulnerabilities found through code inspection 2015-89 Buffer overflows on Libvpx when decoding WebM video 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images 2015-87 Crash when using shared memory in JavaScript 2015-86 Feed protocol with POST bypasses mixed content protections 2015-85 Out-of-bounds write with Updater and malicious MAR file 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links 2015-83 Overflow issues in libstagefright 2015-82 Redefinition of non-configurable JavaScript object properties 2015-81 Use-after-free in MediaStream playback 2015-80 Out-of-bounds read with malformed MP3 file 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.8 2015/05/12 22:48:54 ryoon Exp $ d3 1 a3 1 --- config/external/moz.build.orig 2015-08-07 15:54:10.000000000 +0000 d27 1 a27 10 @@@@ -40,15 +49,16 @@@@ if not CONFIG['MOZ_NATIVE_PNG']: if CONFIG['CPU_ARCH'] == 'arm': external_dirs += ['media/openmax_dl'] +if not CONFIG['MOZ_NATIVE_SPEEX']: + external_dirs += ['media/libspeex_resampler'] + +if not CONFIG['MOZ_NATIVE_SOUNDTOUCH']: + external_dirs += ['media/libsoundtouch'] + d34 1 a34 1 - 'media/libspeex_resampler', d36 1 a36 4 - 'media/libsoundtouch', ] DIRS += ['../../' + i for i in external_dirs] @ 1.8 log @Update to 38.0 Changelog: New New tab-based preferences New Ruby annotation support New Base for the next ESR release. Changed autocomplete=off is no longer supported for username/password fields Changed URL parser avoids doing percent encoding when setting the Fragment part of the URL, and percent decoding when getting the Fragment in line with the URL spec Changed RegExp.prototype.source now returns "(?:)" instead of the empty string for empty regular expressions Changed Improved page load times via speculative connection warmup HTML5 WebSocket now available in Web Workers HTML5 BroadcastChannel API implemented HTML5 Implemented srcset attribute and element for responsive images HTML5 Implemented DOM3 Events KeyboardEvent.code HTML5 Mac OS X: Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube HTML5 Implemented Encrypted Media Extensions (EME) API to support encrypted HTML5 video/audio playback (Windows Vista or later only) HTML5 Automatically download Adobe Primetime Content Decryption Module (CDM) for DRM playback through EME (Windows Vista or later only) Developer Optimized-out variables are now visible in Debugger UI Developer XMLHttpRequest logs in the web console are now visually labelled and can be filtered separately from regular network requests Developer WebRTC now has multistream and renegotiation support Developer copy command added to console Fixed Various security fixes Fixed in Firefox 38 2015-58 Mozilla Windows updater can be run outside of application directory 2015-57 Privilege escalation through IPC channel messages 2015-56 Untrusted site hosting trusted page can intercept webchannel responses 2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata 2015-54 Buffer overflow when parsing compressed XML 2015-53 Use-after-free due to Media Decoder Thread creation during shutdown 2015-52 Sensitive URL encoded information written to Android logcat 2015-51 Use-after-free during text processing with vertical text enabled 2015-50 Out-of-bounds read and write in asm.js validation 2015-49 Referrer policy ignored when links opened by middle-click and context menu 2015-48 Buffer overflow with SVG content and CSS 2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer 2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.7 2015/04/05 12:54:11 ryoon Exp $ d3 1 a3 1 --- config/external/moz.build.orig 2015-05-04 00:43:23.000000000 +0000 d27 3 a29 3 @@@@ -37,15 +46,16 @@@@ if CONFIG['MOZ_VPX'] and not CONFIG['MOZ if not CONFIG['MOZ_NATIVE_PNG']: external_dirs += ['media/libpng'] @ 1.7 log @Update to 37.0 * Bump nspr requirement. Changelog: New Heartbeat user rating system - your feedback about Firefox New Yandex set as default search provider for the Turkish locale New Bing search now uses HTTPS for secure searching New Improved protection against site impersonation via OneCRL centralized certificate revocation New Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc Changed Disabled insecure TLS version fallback for site security Changed Extended SSL error reporting for reporting non-certificate errors Changed TLS False Start optimization now requires a cipher suite using AEAD construction Changed Improved certificate and TLS communication security by removing support for DSA Changed Improved performance of WebGL rendering on Windows HTML5 Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube (Windows only) HTML5 Added support for CSS display:contents HTML5 IndexedDB now accessible from worker threads HTML5 New SDP/JSEP implementation in WebRTC Developer Debug tabs opened in Chrome Desktop, Chrome for Android, and Safari for iOS Developer New Inspector animations panel to control element animations Developer New Security Panel included in Network Panel Developer Debugger panel support for chrome:// and about:// URIs Developer Added logging of weak ciphers to the web console Fixed Various security fixes Fixed in Firefox 37 2015-42 Windows can retain access to privileged content on navigation to unprivileged pages 2015-41 PRNG weakness allows for DNS poisoning on Android 2015-40 Same-origin bypass through anchor navigation 2015-39 Use-after-free due to type confusion flaws 2015-38 Memory corruption crashes in Off Main Thread Compositing 2015-37 CORS requests should not follow 30x redirections after preflight 2015-36 Incorrect memory management for simple-type arrays in WebRTC 2015-35 Cursor clickjacking with flash and images 2015-34 Out of bounds read in QCMS library 2015-33 resource:// documents can load privileged pages 2015-32 Add-on lightweight theme installation approval bypassed through MITM attack 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.6 2015/01/16 22:42:09 ryoon Exp $ d3 1 a3 1 --- config/external/moz.build.orig 2015-03-27 02:20:20.000000000 +0000 d13 1 a13 1 +if not CONFIG['MOZ_NATIVE_OPUS']: @ 1.6 log @Update to 35.0 Changelog: New Firefox Hello with new rooms-based conversations model New New search UI improved and enabled for more locales New Access the Firefox Marketplace from the Tools menu and optional toolbar button New Built-in support for H264 (MP4) on Mac OS X Snow Leopard (10.6) and newer through native APIs New Use tiled rendering on OS X New Improved high quality image resizing performance New Improved handling of dynamic styling changes to increase responsiveness HTML5 Added support for the CSS Font Loading API HTML5 Resource Timing API implemented HTML5 CSS filters enabled by default HTML5 Changed JavaScript 'let' semantics to conform better to the ES6 specification Developer Support for inspecting ::before and ::after pseudo elements Developer Computed view: Nodes matching the hovered selector are now highlighted Developer Network Monitor: New request/response headers view (more info) Developer Added support for the EXT_blend_minmax WebGL extension Fixed Show DOM Properties context menu item in inspector Fixed Reduced resource usage for scaled images Fixed PDF.js updated to version 1.0.907 Fixed Non-HTTP(S) XHR now returns correct status code Fixed Various security fixes Security fixes: 2015-09 XrayWrapper bypass through DOM objects 2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension 2015-07 Gecko Media Plugin sandbox escape 2015-06 Read-after-free in WebRTC 2015-05 Read of uninitialized memory in Web Audio 2015-04 Cookie injection through Proxy Authenticate responses 2015-03 sendBeacon requests lack an Origin header 2015-02 Uninitialized memory use during bitmap rendering 2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.5 2014/12/01 18:11:14 ryoon Exp $ d3 1 a3 1 --- config/external/moz.build.orig 2015-01-09 04:38:18.000000000 +0000 d5 1 a5 1 @@@@ -19,13 +19,19 @@@@ if CONFIG['MOZ_UPDATER']: d13 3 a25 4 -if CONFIG['MOZ_OPUS']: +if CONFIG['MOZ_OPUS'] and not CONFIG['MOZ_NATIVE_OPUS']: external_dirs += ['media/libopus'] d27 1 a27 1 @@@@ -40,14 +46,16 @@@@ if CONFIG['MOZ_VPX'] and not CONFIG['MOZ d41 1 @ 1.5 log @Update to 34.0.5 Changelog: New Default search engine changed to Yahoo! for North America New Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales New Improved search bar (en-US only) New Firefox Hello real-time communication client New Easily switch themes/personas directly in the Customizing mode New Wikipedia search now uses HTTPS for secure searching (en-US only) New Implementation of HTTP/2 (draft14) and ALPN New Recover from a locked Firefox process in the "Firefox is already running" dialog on Windows Changed Disabled SSLv3 Changed Proprietary window.crypto properties/functions re-enabled (to be removed in Firefox 35) Changed Firefox signed by Apple OS X version 2 signature HTML5 ECMAScript 6 WeakSet Implemented HTML5 JavaScript Template Strings Implemented HTML5 CSS3 Font variants and features control (e.g. kerning) implemented HTML5 WebCrypto: RSA-OAEP, PBKDF2 and AES-KW support HTML5 WebCrypto: wrapKey and unwrapKey implemented HTML5 WebCrypto: Import/export of JWK-formatted keys HTML5 matches() DOM API implemented (formerly mozMatchesSelector()) HTML5 Performance.now() for workers implemented HTML5 WebCrypto: ECDH support Developer WebIDE: Create, edit, and test a new Web application from your browser Developer Highlight all nodes that match a given selector in the Style Editor and the Inspector's Rules panel Developer Improved User Interface of the Profiler Developer console.table function added to web console Fixed CSS transitions start correctly when started at the same time as changes to display, position, overflow, and similar properties Fixed Various security fixes 2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer 2014-88 Buffer overflow while parsing media content 2014-87 Use-after-free during HTML5 parsing 2014-86 CSP leaks redirect data via violation reports 2014-85 XMLHttpRequest crashes with some input streams 2014-84 XBL bindings accessible via improper CSS declarations 2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.4 2014/10/05 01:59:08 ryoon Exp $ d3 1 a3 1 --- config/external/moz.build.orig 2014-11-21 03:37:23.000000000 +0000 d5 3 a7 3 @@@@ -16,13 +16,19 @@@@ if CONFIG['MOZ_UPDATER']: if not CONFIG['MOZ_NATIVE_BZ2']: external_dirs += ['modules/libbz2'] d28 1 a28 1 @@@@ -37,14 +43,16 @@@@ if CONFIG['MOZ_VPX'] and not CONFIG['MOZ @ 1.4 log @Update to 32.0.3 Changelog: Fixed 32.0.3: New security fixes can be found here New New HTTP cache provides improved performance including crash recovery New Integration of generational garbage collection New Public key pinning support enabled New View historical use information for logins stored in password manager New Display the number of found items in the find toolbar New Easier back, forward, reload, and bookmarking through the context menu New Lower Sorbian [dsb] locale added Changed Removed and turned off trust bit for some 1024-bit root certificates Changed Performance improvements to Password Manager and Add-on Manager HTML5 drawFocusIfNeeded enabled by default HTML5 ECMAScript 6 built-in method Array#copyWithin implemented HTML5 CSS position:sticky enabled by default HTML5 mix-blend-mode enabled by default HTML5 New Array built-in: Array.from() HTML5 navigator.languages property and languagechange event implemented HTML5 Vibration API updated to latest W3C spec HTML5 CSS box-decoration-break replaces -moz-background-inline-policy HTML5 box-decoration-break enabled by default Developer HiDPI support in Developer Tools UI Developer Inspector button moved to the top left Developer Hidden nodes displayed differently in the markup-view Developer New Web Audio Editor Developer Code completion and inline documentation added to Scratchpad Fixed 32.0.2 - Corrupt installations cause Firefox to crash on update Fixed 32.0.1 - Stability issues for computers with multiple graphics cards Fixed 32.0.1 - Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites Fixed 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified Fixed Various security fixes Fixed Mac OS X: cmd-L does not open a new window when no window is available Fixed Text Rendering Issues on Windows 7 with Platform Update KB2670838 (MSIE 10 Prerequisite) or on Windows 8.1 Security fixes: Fixed in Firefox 32.0.3 MFSA 2014-73 RSA Signature Forgery in NSS Fixed in Firefox 32 MFSA 2014-72 Use-after-free setting text directionality MFSA 2014-71 Profile directory file access through file: protocol MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline MFSA 2014-69 Uninitialized memory use during GIF rendering MFSA 2014-68 Use-after-free during DOM interactions with SVG MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.3 2014/06/11 00:40:59 ryoon Exp $ d3 1 a3 1 --- config/external/moz.build.orig 2014-09-24 01:05:10.000000000 +0000 d5 1 a5 1 @@@@ -15,13 +15,19 @@@@ if CONFIG['MOZ_UPDATER']: d28 1 a28 1 @@@@ -36,14 +42,16 @@@@ if CONFIG['MOZ_VPX'] and not CONFIG['MOZ d48 1 a48 1 PARALLEL_DIRS += ['../../' + i for i in external_dirs] @ 1.3 log @Update to 30.0 * debug build is broken Changelog: New Sidebars button in browser chrome enables faster access to social, bookmark, & history sidebars New Mac OS X command-E sets find term to selected text New Support for GStreamer 1.0 Changed Disallow calling WebIDL constructors as functions on the web Developer With the exception of those bundled inside an extension or ones that are whitelisted, plugins will no longer be activated by default (see blog post) Developer Fixes to box-shadow and other visual overflow (see bug 480888) Developer Mute and volume available per window when using WebAudio Developer background-blend-mode enabled by default Developer Use of line-height allowed for Developer ES6 array and generator comprehensions implemented (read docs for more details) Developer Error stack now contains column number Developer Support for alpha option in canvas context options (feature description) Fixed Ignore autocomplete="off" when offering to save passwords via the password manager (see 956906) Fixed TypedArrays don't support new named properties (see 695438) Fixed Various security fixes Fixed in Firefox 30 MFSA 2014-54 Buffer overflow in Gamepad API MFSA 2014-53 Buffer overflow in Web Audio Speex resampler MFSA 2014-52 Use-after-free with SMIL Animation Controller MFSA 2014-51 Use-after-free in Event Listener Manager MFSA 2014-50 Clickjacking through cursor invisability after Flash interaction MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.2 2014/04/30 15:07:18 ryoon Exp $ d3 1 a3 1 --- config/external/moz.build.orig 2014-05-29 23:30:30.000000000 +0000 d28 1 a28 1 @@@@ -36,13 +42,15 @@@@ if CONFIG['MOZ_VPX'] and not CONFIG['MOZ d44 1 @ 1.2 log @Update to 29.0 * Restore html5 audio playback under NetBSD Changelog: New Significant new customization mode makes it easy to personalize your Web experience to access the features you use the most (learn more) New A new, easy to access menu sits in the right hand corner of Firefox and includes popular browser controls New Sleek new tabs provide an overall smoother look and fade into the background when not active New An interactive onboarding tour to guide users through the new Firefox changes New The ability to set up Firefox Sync by creating a Firefox account (learn more) New Gamepad API finalized and enabled (learn more) New HTTPS used for Yahoo Searches performed in en-US locale New Malay [ma] locale added Changed Clicking on a W3C Web Notification will switch to the originating tab Developer 'box-sizing' (dropping the -moz- prefix) implemented (learn more) Developer Console object available in Web Workers (learn more) Developer Promises enabled by default (learn more) Developer SharedWorker enabled by default Developer implemented and enabled Developer implemented and enabled Developer Enabled ECMAScript Internationalization API Developer Add-on bar has been removed, content moved to navigation bar Developer Implemented URLSearchParams from the URL specification (see MDN for details ) Fixed Various security fixes Fixed in Firefox 29 MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript MFSA 2014-46 Use-after-free in nsHostResolve MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates MFSA 2014-44 Use-after-free in imgLoader while resizing images MFSA 2014-43 Cross-site scripting (XSS) using history navigations MFSA 2014-42 Privilege escalation through Web Notification API MFSA 2014-41 Out-of-bounds write in Cairo MFSA 2014-40 Firefox for Android addressbar suppression MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video MFSA 2014-38 Buffer overflow when using non-XBL object as XBL MFSA 2014-37 Out of bounds read while decoding JPG images MFSA 2014-36 Web Audio memory corruption issues MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5) @ text @d1 1 a1 1 $NetBSD: patch-config_external_moz.build,v 1.1 2014/03/20 21:02:00 ryoon Exp $ d3 1 a3 1 --- config/external/moz.build.orig 2014-04-18 02:02:39.000000000 +0000 d5 1 a5 1 @@@@ -15,13 +15,13 @@@@ if CONFIG['MOZ_UPDATER']: d10 6 d28 1 a28 10 @@@@ -34,16 +34,23 @@@@ if CONFIG['MOZ_VPX'] and not CONFIG['MOZ external_dirs += ['media/libvpx'] if CONFIG['MOZ_OGG']: - external_dirs += ['media/libogg', 'media/libtheora'] + if not CONFIG['MOZ_NATIVE_OGG']: + external_dirs += ['media/libogg'] + if not CONFIG['MOZ_NATIVE_THEORA']: + external_dirs += ['media/libtheora'] d41 2 @ 1.1 log @Update to 28.0 Changelog: NEW VP9 video decoding implemented NEW Mac OS X: Notification Center support for web notifications NEW Horizontal HTML5 audio/video volume control NEW Support for Opus in WebM CHANGED Now that spdy/3 is implemented support for spdy/2 has been removed and servers without spdy/3 will negotiate to http/1 without any penalty DEVELOPER Support for MathML 2.0 'mathvariant' attribute DEVELOPER Background thread hang reporting DEVELOPER Support for multi-line flexbox in layout FIXED Various security fixes Fixed in Firefox 28 MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects MFSA 2014-30 Use-after-free in TypeObject MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs MFSA 2014-28 SVG filters information disclosure through feDisplacementMap MFSA 2014-27 Memory corruption in Cairo during PDF font rendering MFSA 2014-26 Information disclosure through polygon rendering in MathML MFSA 2014-25 Firefox OS DeviceStorageFile object vulnerable to relative path escape MFSA 2014-24 Android Crash Reporter open to manipulation MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore MFSA 2014-22 WebGL content injection from one domain to rendering in another MFSA 2014-21 Local file access via Open Link in new tab MFSA 2014-20 onbeforeunload and Javascript navigation DOS MFSA 2014-19 Spoofing attack on WebRTC permission prompt MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key MFSA 2014-17 Out of bounds read during WAV file decoding MFSA 2014-16 Files extracted during updates are not always read only MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4) @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- config/external/moz.build.orig 2014-03-15 05:19:09.000000000 +0000 d13 2 a14 1 if CONFIG['MOZ_TREMOR']: d22 1 a22 1 @@@@ -31,7 +31,9 @@@@ if CONFIG['MOZ_VP8'] and not CONFIG['MOZ d29 2 a30 1 + external_dirs += ['media/libtheora'] d34 15 @