head	1.2;
access;
symbols
	pkgsrc-2016Q4:1.1.0.2
	pkgsrc-2016Q4-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2017.01.25.13.24.51;	author ryoon;	state dead;
branches;
next	1.1;
commitid	3acwYN6np6o7SlDz;

1.1
date	2016.12.03.09.58.26;	author ryoon;	state Exp;
branches;
next	;
commitid	uIUIk0K6tuQSqwwz;


desc
@@


1.2
log
@Update to 51.0

Changelog:
New
    Users can view passwords in the save password prompt before saving them

    Added a zoom button in the URL bar:
        Displays percent above or below 100 percent when a user has changed the page zoom setting from the default
        Lets users return to the default setting by clicking on the button

    Improved video performance for users without GPU acceleration for less CPU usage and a better full screen experience

    Firefox will save passwords even in forms that do not have “submit” events

    Added support for FLAC (Free Lossless Audio Codec) playback

    Added support for WebGL 2, with advanced graphics rendering features like transform feedback, improved texturing capabilities, and a new sophisticated shading language

    A warning is displayed when a login page does not have a secure connection

    Added Georgian (ka) and Kabyle (kab) locales

    An even faster E10s! Tab Switching is better!

    Improved reliability of browser data sync

    Remove Belarusian (be) locale

Fixed
    Various security fixes

Changed
    Use 2D graphics library (Skia) for content rendering on Linux

    Re-enabled E10s support for Russian (ru) locale

    Updated to NSS 3.28.1

Security fixes:
 #CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
 #CVE-2017-5376: Use-after-free in XSL
 #CVE-2017-5377: Memory corruption with transforms to create gradients in Skia
 #CVE-2017-5378: Pointer and frame data leakage of Javascript objects
 #CVE-2017-5379: Use-after-free in Web Animations
 #CVE-2017-5380: Potential use-after-free during DOM manipulations
 #CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
 #CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests
 #CVE-2017-5396: Use-after-free with Media Decoder
 #CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations
 #CVE-2017-5382: Feed preview can expose privileged content errors and exceptions
 #CVE-2017-5383: Location bar spoofing with unicode characters
 #CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
 #CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers
 #CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions
 #CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events
 #CVE-2017-5391: Content about: pages can load privileged about: pages
 #CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage
 #CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager
 #CVE-2017-5395: Android location bar spoofing during scrolling
 #CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages
 #CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks
 #CVE-2017-5374: Memory safety bugs fixed in Firefox 51
 #CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7
@
text
@$NetBSD: patch-extensions_spellcheck_src_moz.build,v 1.1 2016/12/03 09:58:26 ryoon Exp $

--- extensions/spellcheck/src/moz.build.orig	2016-10-31 20:15:27.000000000 +0000
+++ extensions/spellcheck/src/moz.build
@@@@ -17,9 +17,13 @@@@ SOURCES += [
 
 FINAL_LIBRARY = 'xul'
 
+if CONFIG['MOZ_SYSTEM_HUNSPELL']:
+    CXXFLAGS += CONFIG['MOZ_HUNSPELL_CFLAGS']
+else:
+    LOCAL_INCLUDES += ['../hunspell/src']
+
 LOCAL_INCLUDES += [
     '../hunspell/glue',
-    '../hunspell/src',
     '/dom/base',
 ]
 EXPORTS.mozilla += [
@


1.1
log
@Update to 50.0.2

* Change default audio support to ALSA.
  You can use OSS or pulseaudio via ALSA plugin package.

Changelog:
50.0.2:
Fixed in Firefox 50.0.2
 #CVE-2016-9079: Use-after-free in SVG Animation

50.0.1:
Fixed
   *Firefox crashes with 3rd party Chinese IME when using IME text

Security vulnerabilities fixed in Firefox 50.0.1:
 #CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect

50.0:

New
   *Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
   *Improved performance for SDK extensions or extensions using the SDK module loader
   *Added download protection for a large number of executable file types on Windows, Mac and Linux
   *Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
   *Added Guarani (gn) locale
   *Added option to Find in page that allows users to limit search to whole words only
   *Updates to keyboard shortcuts
       *Set a preference to have Ctrl+Tab cycle through tabs in recently used order
       *View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)

Fixed
   *Login cookies are now saved for sites with a high number of cookies (Bug 1264192)
   *Various security fixes

   *Fixed rendering of dashed and dotted borders with rounded corners (border-radius)

Changed
   *The link to check for plugin security updates has been removed from the addon manager as Firefox automatically checks for plugin updates
   *Blocked versions of libavcodec older than 54.35.1
   *Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)

Developer
   *Changes for web developers

Security vulnerabilities fixed in Firefox 50:
 #CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
 #CVE-2016-5292: URL parsing causes crash
 #CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink
 #CVE-2016-5294: Arbitrary target directory for result files of update process
 #CVE-2016-5297: Incorrect argument length checking in JavaScript
 #CVE-2016-9064: Add-ons update must verify IDs match between current and new versions
 #CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
 #CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
 #CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
 #CVE-2016-9068: heap-use-after-free in nsRefreshDriver
 #CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
 #CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
 #CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
 #CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
 #CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
 #CVE-2016-5298: SSL indicator can mislead the user about the real URL visited
 #CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissionsPI key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
 #CVE-2016-9062: Private browsing browser traces (Android) in browser.db and wal file
 #CVE-2016-9070: Sidebar bookmark can have reference to chrome window
 #CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
 #CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
 #CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s
 #CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in Expat
 #CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
 #CVE-2016-5289: Memory safety bugs fixed in Firefox 50
 #CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
@
text
@d1 1
a1 1
$NetBSD$
@