head 1.5;
access;
symbols
    pkgsrc-2019Q2:1.4.0.2
    pkgsrc-2019Q2-base:1.4
    pkgsrc-2018Q1:1.1.0.24
    pkgsrc-2018Q1-base:1.1
    pkgsrc-2017Q4:1.1.0.22
    pkgsrc-2017Q4-base:1.1
    pkgsrc-2017Q3:1.1.0.20
    pkgsrc-2017Q3-base:1.1
    pkgsrc-2017Q2:1.1.0.16
    pkgsrc-2017Q2-base:1.1
    pkgsrc-2017Q1:1.1.0.14
    pkgsrc-2017Q1-base:1.1
    pkgsrc-2016Q4:1.1.0.12
    pkgsrc-2016Q4-base:1.1
    pkgsrc-2016Q3:1.1.0.10
    pkgsrc-2016Q3-base:1.1
    pkgsrc-2016Q2:1.1.0.8
    pkgsrc-2016Q2-base:1.1
    pkgsrc-2016Q1:1.1.0.6
    pkgsrc-2016Q1-base:1.1
    pkgsrc-2015Q4:1.1.0.4
    pkgsrc-2015Q4-base:1.1
    pkgsrc-2015Q3:1.1.0.2
    pkgsrc-2015Q3-base:1.1;
locks; strict;
comment @// @;

1.5
date 2019.09.06.03.00.24; author ryoon; state dead;
branches;
next 1.4;
commitid uhThjAhmbBZzKTBB;

1.4
date 2019.06.04.00.23.11; author maya; state Exp;
branches;
next 1.3;
commitid 9ew5YybEF4jVTNpB;

1.3
date 2019.05.31.10.38.59; author maya; state Exp;
branches;
next 1.2;
commitid CjqiB56jyY79rlpB;

1.2
date 2018.05.10.20.01.53; author ryoon; state dead;
branches;
next 1.1;
commitid xD42Z67JHKvGXMBA;

1.1
date 2015.07.05.11.55.06; author martin; state Exp;
branches;
next ;
commitid tj1BmQp8eCDbH5sy;

desc
@@

1.5
log
@Update to 69.0

* Use clang to compile all files.
  Mix of gcc and clang causes some errors in Rust c++ command invocation
  (C++ header mismatches).

Changelog:
New
    Enhanced Tracking Protection (ETP) rolls out stronger privacy protections:
        The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
        The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.
    The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.
    For our users in the US or using the en-US browser, we are shipping a new “New Tab” page experience that connects you to the best of Pocket’s content.
    Support for the Web Authentication HmacSecret extension via Windows Hello now comes with this release, for versions of Windows 10 May 2019 or newer, enabling more passwordless experiences on the web.
    Support for receiving multiple video codecs with this release makes it easier for WebRTC conferencing services to mix video from different clients.
    For our users on Windows 10, you’ll see performance and UI improvements:
        Firefox will give Windows hints to appropriately set content process priority levels, meaning more processor time spent on the tasks you're actively working on, and less processor time spent on things in the background (with the exception of video and audio playback).
        For our existing Windows 10 users, you can easily find and launch Firefox from a shortcut on the Win10 taskbar.
    For our users on macOS, battery life and download UI are both improved:
        macOS users on dual-graphics-card machines (like MacBook Pro) will switch back to the low-power GPU more aggressively, saving battery life.
        Finder on macOS now displays download progress for files being downloaded.
    JIT support comes to ARM64 for improved performance of our JavaScript Optimizing JIT compiler.

Fixed
    Various security fixes

Changed
    As previously announced in the Plugin Roadmap for Firefox, the "Always Activate" option for Flash plugin content has been removed. Firefox will now always ask for user permission before activating Flash content on a website.
    With the deprecation of Adobe Flash Player, there is no longer a need to identify users on 32-bit version of the Firefox browser on 64-bit version operating systems reducing user agent fingerprinting factors providing greater level of privacy to our users as well as improving the experience of downloading other apps.
    Firefox no longer loads userChrome.css or userContent.css by default improving start-up performance. Users who wish to customize Firefox by using these files can set the toolkit.legacyUserProfileCustomizations.stylesheets preference to true to restore this ability.

Enterprise
    For Enterprise system administrators that manage macOS computers, we begin shipping a Mozilla signed PKG installer to simplify your deployments.

Developer
    For our mobile web developers, we have migrated remote debugging from the old WebIDE into a re-designed about:debugging, making debugging GeckoView on remote devices via USB rock solid.
    The network panel will now show blocked resources to allow developers to best understand the impact of content blocking and ad blocking extensions given our ongoing expansion of Enhanced Tracking Protection to all users with this release.
    The new event listener breakpoint feature allows developers to pause on a host of different event types, whether it be related to animations, DOM, media, mouse, touch, worker, and many other event types.
    Firefox Developer Tools now offers an audit for the presence of text alternatives for non-text content, the a11y panel checks toolbar has been augmented to better help developers adhere to WCAG Guideline 1.1.

Security fixes:
#CVE-2019-11751: Malicious code execution through command line parameters
#CVE-2019-11746: Use-after-free while manipulating video
#CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML
#CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
#CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service
#CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
#CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
#CVE-2019-9812: Sandbox escape through Firefox Sync
#CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com
#CVE-2019-11743: Cross-origin access to unload event attributes
#CVE-2019-11749: Camera information available without prompting using getUserMedia
#CVE-2019-5849: Out-of-bounds read in Skia
#CVE-2019-11750: Type confusion in Spidermonkey
#CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard
#CVE-2019-11738: Content security policy bypass through hash-based sources in directives
#CVE-2019-11747: 'Forget about this site' removes sites from pre-loaded HSTS list
#CVE-2019-11734: Memory safety bugs fixed in Firefox 69
#CVE-2019-11735: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
#CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
@
text
@$NetBSD: patch-gfx_gl_GLContextProviderGLX.cpp,v 1.4 2019/06/04 00:23:11 maya Exp $

NetBSD doesn't ship libGL.so.1 due to a major bump.
Look for the unversioned name.
https://hg.mozilla.org/integration/mozilla-inbound/rev/8bcc51aaa91e --- gfx/gl/GLContextProviderGLX.cpp.orig 2019-05-17 00:33:26.000000000 +0000 +++ gfx/gl/GLContextProviderGLX.cpp @@@@ -80,7 +80,7 @@@@ bool GLXLibrary::EnsureInitialized() { // which trigger glibc bug // http://sourceware.org/bugzilla/show_bug.cgi?id=12225 const char* libGLfilename = "libGL.so.1"; -#ifdef __OpenBSD__ +#if defined(__OpenBSD__) || defined(__NetBSD__) libGLfilename = "libGL.so"; #endif @ 1.4 log @firefox: reference upstream commit in patch files. @ text @d1 1 a1 1 $NetBSD: patch-gfx_gl_GLContextProviderGLX.cpp,v 1.3 2019/05/31 10:38:59 maya Exp $ @ 1.3 log @firefox: tolerate libGL.so with a different major number on netbsd Fixes WebGL. PR pkg/54247 Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ d5 1 @ 1.2 log @Update to 60.0 * Remove untested patches including NetBSD/earm support Changelog: New Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file Enhancements to New Tab / Firefox Home Responsive layout that shows more content for users with wide-screen displays Highlights section includes web sites saved to Pocket More options to reorder sections and content on the page Pocket Sponsored Stories will appear for a percentage of users in the US. Read about our privacy-conscious approach to sponsored content Redesigned Cookies and Site Storage section in Preferences for greater clarity and control of first- and third-party cookies Applied Quantum CSS to render browser UI Added support for Web Authentication API, which allows USB tokens for website authentication Enhanced camera privacy indicators: Firefox now turns off your camera and the camera's light when you disable video recording, and turns the camera and light on when you resume recording Added an option for Linux users to show or hide page titles in a bar at the top of the browser. 
You'll find the Title Bar option in the Customize panel available from the main browser menu.
Improved WebRTC audio performance and playback for Linux users
Locale added: Occitan (oc)

Fixed
Various security fixes

Changed
#CVE-2018-5154: Use-after-free with SVG animations and clip paths
#CVE-2018-5155: Use-after-free with SVG animations and text paths
#CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
#CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
#CVE-2018-5160: Uninitialized memory use by WebRTC encoder
#CVE-2018-5152: WebExtensions information leak through webRequest API
#CVE-2018-5153: Out-of-bounds read in mixed content websocket messages
#CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache
#CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace
#CVE-2018-5166: WebExtension host permission bypass through filterReponseData
#CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger
#CVE-2018-5168: Lightweight themes can be installed without user interaction
#CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages
#CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer
#CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters
#CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update
#CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies
#CVE-2018-5176: JSON Viewer script injection
#CVE-2018-5177: Buffer overflow in XSLT during number formatting
#CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox
#CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
#CVE-2018-5181:
Local file can be displayed in noopener tab through drag and drop of hyperlink #CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar #CVE-2018-5151: Memory safety bugs fixed in Firefox 60 #CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 @ text @d1 1 a1 1 $NetBSD: patch-gfx_gl_GLContextProviderGLX.cpp,v 1.1 2015/07/05 11:55:06 martin Exp $ d3 2 a4 2 Fix libGL.so filename on NetBSD, see https://bugzilla.mozilla.org/show_bug.cgi?id=1180498 d6 6 a11 6 --- gfx/gl/GLContextProviderGLX.cpp.orig 2015-07-01 00:58:10.000000000 +0200 +++ gfx/gl/GLContextProviderGLX.cpp 2015-07-04 21:13:15.000000000 +0200 @@@@ -82,7 +82,7 @@@@ // see e.g. bug 608526: it is intrinsically interesting to know whether we have dynamically linked to libGL.so.1 // because at least the NVIDIA implementation requires an executable stack, which causes mprotect calls, // which trigger glibc bug http://sourceware.org/bugzilla/show_bug.cgi?id=12225 d14 3 a16 3 libGLfilename = "libGL.so"; #else libGLfilename = "libGL.so.1"; @ 1.1 log @Make WebGL work on NetBSD @ text @d1 1 a1 1 $NetBSD$ @
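Review bot: In the `GLXLibrary::EnsureInitialized()` hunk, the `#if defined(__OpenBSD__) || defined(__NetBSD__)` branch switches to the unversioned `libGL.so` without any comment in the source saying why NetBSD is included; the rationale (NetBSD does not ship libGL.so.1 because of a major bump) exists only in the patch header. Add a one-line comment above the `#if` carrying that reason. The comment should also record that the unversioned name resolves to whichever major version is installed, so nothing at this point checks that the loaded library matches the ABI the code was built against.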