head 1.6; access; symbols pkgsrc-2020Q3:1.5.0.6 pkgsrc-2020Q3-base:1.5 pkgsrc-2020Q2:1.5.0.4 pkgsrc-2020Q2-base:1.5 pkgsrc-2020Q1:1.5.0.2 pkgsrc-2020Q1-base:1.5 pkgsrc-2019Q4:1.4.0.6 pkgsrc-2019Q4-base:1.4 pkgsrc-2019Q3:1.4.0.2 pkgsrc-2019Q3-base:1.4 pkgsrc-2019Q2:1.3.0.4 pkgsrc-2019Q2-base:1.3 pkgsrc-2019Q1:1.3.0.2 pkgsrc-2019Q1-base:1.3 pkgsrc-2018Q4:1.2.0.2 pkgsrc-2018Q4-base:1.2 pkgsrc-2018Q3:1.1.0.14 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.12 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.10 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.8 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.6 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.2 pkgsrc-2017Q2-base:1.1; locks; strict; comment @// @; 1.6 date 2020.12.17.09.53.15; author ryoon; state dead; branches; next 1.5; commitid zhXrb1Fwr8fEZ4AC; 1.5 date 2020.01.18.15.32.40; author nia; state Exp; branches; next 1.4; commitid NVDfApLiZrhEBbTB; 1.4 date 2019.07.11.11.32.40; author ryoon; state Exp; branches; next 1.3; commitid 78kKTlsMNaN1qCuB; 1.3 date 2019.01.29.16.28.22; author ryoon; state Exp; branches; next 1.2; commitid 6ZD5e5dNV9phiH9B; 1.2 date 2018.11.04.00.38.44; author ryoon; state Exp; branches; next 1.1; commitid VDnZtZgWK5fTNyYA; 1.1 date 2017.04.27.01.49.47; author ryoon; state Exp; branches; next ; commitid J6Df3i7KVGRj47Pz; desc @@ 1.6 log @firefox: Update to 84.0 Changelog: New * Native support for macOS devices built with Apple Silicon CPUs brings dramatic performance improvements over the non-native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a new Apple device, follow these steps to upgrade to the latest Firefox. * WebRender rolls out to MacOS Big Sur, Windows devices with Intel Gen 6 GPUs, and Intel laptops running Windows 7 and 8. Additionally we'll ship an accelerated rendering pipeline for Linux/GNOME/X11 users for the first time, ever! 
* Firefox now uses more modern techniques for allocating shared memory on Linux, improving performance and increasing compatibility with Docker. * Firefox 84 is the final release to support Adobe Flash. Fixed * Various security fixes #CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory to be exposed #CVE-2020-26971: Heap buffer overflow in WebGL #CVE-2020-26972: Use-After-Free in WebGL #CVE-2020-26973: CSS Sanitizer performed incorrect sanitization #CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free #CVE-2020-26975: Malicious applications on Android could have induced Firefox for Android into sending arbitrary attacker-specified headers #CVE-2020-26976: HTTPS pages could have been intercepted by a registered service worker when they should not have been #CVE-2020-26977: URL spoofing via unresponsive port in Firefox for Android #CVE-2020-26978: Internal network hosts could have been probed by a malicious webpage #CVE-2020-26979: When entering an address in the address or search bars, a website could have redirected the user before they were navigated to the intended url #CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs #CVE-2020-35112: Opening an extension-less download may have inadvertently launched an executable instead #CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6 @ text @$NetBSD: patch-dom_media_CubebUtils.cpp,v 1.5 2020/01/18 15:32:40 nia Exp $ --- dom/media/CubebUtils.cpp.orig Wed Jan 8 01:23:31 2020 +++ dom/media/CubebUtils.cpp @@@@ -140,7 +140,7 @@@@ const char kBrandBundleURL[] = "chrome://branding/loca const char* AUDIOSTREAM_BACKEND_ID_STR[] = { "jack", "pulse", "alsa", "audiounit", "audioqueue", "wasapi", - "winmm", "directsound", "sndio", "opensl", "audiotrack", "kai"}; + "winmm", "directsound", "sndio", "opensl", "audiotrack", "kai", "sun"}; /* Index for failures to create an audio stream the first time. 
*/ const int CUBEB_BACKEND_INIT_FAILURE_FIRST = ArrayLength(AUDIOSTREAM_BACKEND_ID_STR); @ 1.5 log @firefox: Remove remaining traces of OSS support. We no longer patch this in but it's still searching for the files if you're using something FreeBSDish or Linuxish. This should resolve build problems on these platforms. On NetBSD this problem never appeared because it's been using native audio instead of OSS for a while now. from Michael Forney in PR pkg/54868 @ text @d1 1 a1 1 $NetBSD: patch-dom_media_CubebUtils.cpp,v 1.4 2019/07/11 11:32:40 ryoon Exp $ @ 1.4 log @Update to 68.0 Changelog: New Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars. Improved extension security and discovery: New reporting feature in about:addons allows you to report security and performance issues with extensions and themes. Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension. Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. “Recommended” badges for these extensions also appear on AMO. More extensions will be added over time. Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences. WebRender will roll out to Windows 10 users with AMD graphics cards. Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed. Fixed Various security fixes Local files can no longer access other files in the same directory. 
Security fixes: #CVE-2019-9811: Sandbox escape via installation of malicious language pack #CVE-2019-11711: Script injection within domain through inner window reuse #CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects #CVE-2019-11713: Use-after-free with HTTP/2 cached stream #CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread #CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault #CVE-2019-11715: HTML parsing error can contribute to content XSS #CVE-2019-11716: globalThis not enumerable until accessed #CVE-2019-11717: Caret character improperly escaped in origins #CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML #CVE-2019-11719: Out-of-bounds read when importing curve25519 private key #CVE-2019-11720: Character encoding XSS vulnerability #CVE-2019-11721: Domain spoofing through unicode latin 'kra' character #CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin #CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries #CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions #CVE-2019-11725: Websocket resources bypass safebrowsing protections #CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3 #CVE-2019-11728: Port scanning through Alt-Svc header #CVE-2019-11710: Memory safety bugs fixed in Firefox 68 #CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 @ text @d1 1 a1 1 $NetBSD: patch-dom_media_CubebUtils.cpp,v 1.3 2019/01/29 16:28:22 ryoon Exp $ d3 1 a3 1 --- dom/media/CubebUtils.cpp.orig 2019-07-06 01:48:31.000000000 +0000 d5 1 a5 1 @@@@ -163,7 +163,7 @@@@ const char kBrandBundleURL[] = "chrome:/ d10 1 a10 1 + "winmm", "directsound", "sndio", "opensl", "audiotrack", "kai", "oss", "sun"}; @ 1.3 log @Update to 65.0 Changelog: New Enhanced tracking protection: Simplified content blocking settings 
give users standard, strict, and custom options to control online trackers. A redesigned content blocking section in the site information panel (viewed by expanding the small “i” icon in the address bar) shows what Firefox detects and blocks on each website you visit. To learn more about content blocking, visit the Mozilla Blog. A better experience for multilingual users: An updated Language section in Preferences allows users to install multiple language packs and order language preferences for Firefox and websites, without having to download locale-specific versions. Support for Handoff on macOS: Continue browsing across devices. Pick up where you left off with iOS (via Firefox or Safari) on Firefox on Mac. A better video streaming experience for Windows users: Firefox now supports the next-generation, royalty-free video compression technology called AV1. Read about Mozilla’s contribution to this new open standard. Improved performance and web compatibility, with support for the WebP image format: WebP brings the same image quality as existing formats at smaller file sizes, which saves bandwidth and speeds up page load. Fixed Various security fixes. Changed Enhanced security for macOS, Linux, and Android users via stronger stack smashing protection which is now enabled by default for all platforms. "Stack smashing" is a common security attack in which malicious actors corrupt or take control of a vulnerable program. Firefox will now warn you when closing a window (regardless of whether you have automatic session restore enabled for restart). Easier performance management: The revamped Task Manager page found at about:performance now reports memory usage for tabs and add-ons. Improved the pop-up blocker to prevent multiple pop-up windows from being opened by websites at the same time. Security fixes: Not available yet. 
@ text @d1 1 a1 1 $NetBSD: patch-dom_media_CubebUtils.cpp,v 1.2 2018/11/04 00:38:44 ryoon Exp $ d3 1 a3 1 --- dom/media/CubebUtils.cpp.orig 2019-01-18 00:20:24.000000000 +0000 d5 1 a5 1 @@@@ -151,7 +151,7 @@@@ const char kBrandBundleURL[] = "chrome:/ d10 1 a10 1 + "winmm", "directsound", "sndio", "opensl", "audiotrack", "kai", "oss"}; @ 1.2 log @Update to 63.0.1 * Minimize pkgsrc specific patches. * A build system written in Rust lang does not find C++ header files from pkgsrc (non-base) GCC, this version is not buildable on NetBSD 7. I will investigate this problem again. Changelog: 63.0.1 Fixed Snippets are not loaded due to missing element (bug 1503047) Print preview always shows 30% scale when it is actually Shrink To Fit (bug 1501952) Dialog displayed when closing multiple windows shows unreplaced %1$S placeholder in Japanese and potentially other locales (bug 1500823) 63.0 New Performance and visual improvements for Windows users Performance improvements for macOS users Added content blocking, a collection of Firefox settings that offer users greater control over technology that can track them around the web. In 63, users can opt to block third-party tracking cookies or block all trackers and create exceptions for trusted sites that don't work correctly with content blocking enabled. WebExtensions now run in their own process on Linux Firefox now warns about having multiple windows and tabs open when quitting from the main menu. The Save and Quit feature has been removed. You can restore your session by ticking the box for Restore previous session in the General->Startup options or by using Restore Previous Session in the main menu. Firefox now recognizes the operating system accessibility setting for reducing animation Added search shortcuts for Top Sites: Amazon and Google appear as Top Sites tiles on the Firefox Home (New Tab) page. When selected these tiles will change focus to the address bar to initiate a search. Currently in US only. 
Fixed Resolved an issue that prevented the address bar from autofilling bookmarked URLs in certain cases Various security fixes Changed In the Library, the Open in Sidebar feature for individual bookmarks was removed The option to Never check for updates was removed from about:preferences. You can use the DisableAppUpdate enterprise policy as a substitute. The Ctrl+Tab shortcut now displays thumbnail previews of your tabs and cycles through tabs in recently used order. This new default behavior is activated only in new profiles and can be changed in preferences. #CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin #CVE-2018-12392: Crash with nested event loops #CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript #CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting #CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts #CVE-2018-12397: Missing warning prompt when WebExtension requests local file access #CVE-2018-12398: CSP bypass through stylesheet injection in resource URIs #CVE-2018-12399: Spoofing of protocol registration notification bar #CVE-2018-12400: Favicons are cached in private browsing mode on Firefox for Android #CVE-2018-12401: DOS attack through special resource URI parsing #CVE-2018-12402: SameSite cookies leak when pages are explicitly saved #CVE-2018-12403: Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP #CVE-2018-12388: Memory safety bugs fixed in Firefox 63 #CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- dom/media/CubebUtils.cpp.orig 2018-10-18 20:06:04.000000000 +0000 d5 6 a10 8 @@@@ -159,7 +159,8 @@@@ const char* AUDIOSTREAM_BACKEND_ID_STR[] "sndio", "opensl", "audiotrack", - "kai" + "kai", + "oss", }; d13 1 @ 1.1 log @Update to 53.0 Changelog: New Improved graphics stability for Windows users with the addition of compositor process 
separation (Quantum Compositor) Two new 'compact' themes available in Firefox, dark and light, based on the Firefox Developer Edition theme Lightweight themes are now applied in private browsing windows Reader Mode now displays estimated reading time for the page Windows 7+ users on 64-bit OS can select 32-bit or 64-bit versions in the stub installer Fixed Various security fixes Changed Updated the design of site permission requests to make them harder to miss and easier to understand Windows XP and Vista are no longer supported. XP and Vista users running Firefox 52 will continue to receive security updates on Firefox ESR 52. 32-bit Mac OS X is no longer supported. 32-bit Mac OS X users can switch to Firefox ESR 52 to continue receiving security updates. Updates for Mac OS X are smaller in size compared to updates for Firefox 52 New visual design for audio and video controls Ended Firefox Linux support for processors older than Pentium 4 and AMD Opteron The last few characters of shortened tab titles fade out instead of being replaced by ellipses to keep more of the title visible Security fixes: #CVE-2017-5433: Use-after-free in SMIL animation functions #CVE-2017-5435: Use-after-free during transaction processing in the editor #CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2 #CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS #CVE-2017-5459: Buffer overflow in WebGL #CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL #CVE-2017-5434: Use-after-free during focus handling #CVE-2017-5432: Use-after-free in text input selection #CVE-2017-5460: Use-after-free in frame selection #CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing #CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing #CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing #CVE-2017-5441: Use-after-free with selection during scroll events #CVE-2017-5442: Use-after-free during style 
changes #CVE-2017-5464: Memory corruption with accessibility and DOM manipulation #CVE-2017-5443: Out-of-bounds write during BinHex decoding #CVE-2017-5444: Buffer overflow while parsing application/http-index-format content #CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data #CVE-2017-5447: Out-of-bounds read during glyph processing #CVE-2017-5465: Out-of-bounds read in ConvolvePixel #CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor #CVE-2017-5437: Vulnerabilities in Libevent library #CVE-2017-5454: Sandbox escape allowing file system read access through file picker #CVE-2017-5455: Sandbox escape through internal feed reader APIs #CVE-2017-5456: Sandbox escape allowing local file system access #CVE-2017-5469: Potential Buffer overflow in flex-generated code #CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content #CVE-2017-5449: Crash during bidirectional unicode manipulation with animation #CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox for Android #CVE-2017-5451: Addressbar spoofing with onblur event #CVE-2017-5462: DRBG flaw in NSS #CVE-2017-5463: Addressbar spoofing through reader view on Firefox for Android #CVE-2017-5467: Memory corruption when drawing Skia content #CVE-2017-5452: Addressbar spoofing during scrolling with editable content on Firefox for Android #CVE-2017-5453: HTML injection into RSS Reader feed preview page through TITLE element #CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS #CVE-2017-5468: Incorrect ownership model for Private Browsing information #CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 #CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 @ text @d3 1 a3 1 --- dom/media/CubebUtils.cpp.orig 2017-04-11 04:15:21.000000000 +0000 d5 1 a5 1 @@@@ -71,7 +71,8 @@@@ const char* AUDIOSTREAM_BACKEND_ID_STR[] @
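Review bot: appending "sun" on the `+` line of the `-140,7 +140,7` hunk also raises CUBEB_BACKEND_INIT_FAILURE_FIRST by one, because that constant is defined in the trailing context as ArrayLength(AUDIOSTREAM_BACKEND_ID_STR) and the comment above it describes it as the index for first-time stream creation failures. Any consumer that treats those indices as fixed numbers will disagree by one with an unpatched build, so the shift should be a stated, deliberate effect of the patch. The patch file has nothing between the `$NetBSD$` tag line and the `---` header; add a short description there saying why "sun" is appended to the backend ID list and noting that the failure index base moves with it.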