head 1.17;
access;
symbols
pkgsrc-2026Q1:1.17.0.22
pkgsrc-2026Q1-base:1.17
pkgsrc-2025Q4:1.17.0.20
pkgsrc-2025Q4-base:1.17
pkgsrc-2025Q3:1.17.0.18
pkgsrc-2025Q3-base:1.17
pkgsrc-2025Q2:1.17.0.16
pkgsrc-2025Q2-base:1.17
pkgsrc-2025Q1:1.17.0.14
pkgsrc-2025Q1-base:1.17
pkgsrc-2024Q4:1.17.0.12
pkgsrc-2024Q4-base:1.17
pkgsrc-2024Q3:1.17.0.10
pkgsrc-2024Q3-base:1.17
pkgsrc-2024Q2:1.17.0.8
pkgsrc-2024Q2-base:1.17
pkgsrc-2024Q1:1.17.0.6
pkgsrc-2024Q1-base:1.17
pkgsrc-2023Q4:1.17.0.4
pkgsrc-2023Q4-base:1.17
pkgsrc-2023Q3:1.17.0.2
pkgsrc-2023Q3-base:1.17
pkgsrc-2023Q2:1.16.0.2
pkgsrc-2023Q2-base:1.16
pkgsrc-2023Q1:1.15.0.2
pkgsrc-2023Q1-base:1.15
pkgsrc-2022Q4:1.14.0.6
pkgsrc-2022Q4-base:1.14
pkgsrc-2022Q3:1.14.0.4
pkgsrc-2022Q3-base:1.14
pkgsrc-2022Q2:1.14.0.2
pkgsrc-2022Q2-base:1.14
pkgsrc-2021Q3:1.12.0.8
pkgsrc-2021Q3-base:1.12
pkgsrc-2021Q2:1.12.0.6
pkgsrc-2021Q2-base:1.12
pkgsrc-2021Q1:1.12.0.4
pkgsrc-2021Q1-base:1.12
pkgsrc-2020Q4:1.12.0.2
pkgsrc-2020Q4-base:1.12
pkgsrc-2020Q3:1.11.0.20
pkgsrc-2020Q3-base:1.11
pkgsrc-2020Q2:1.11.0.18
pkgsrc-2020Q2-base:1.11
pkgsrc-2020Q1:1.11.0.14
pkgsrc-2020Q1-base:1.11
pkgsrc-2019Q4:1.11.0.16
pkgsrc-2019Q4-base:1.11
pkgsrc-2019Q3:1.11.0.12
pkgsrc-2019Q3-base:1.11
pkgsrc-2019Q2:1.11.0.10
pkgsrc-2019Q2-base:1.11
pkgsrc-2019Q1:1.11.0.8
pkgsrc-2019Q1-base:1.11
pkgsrc-2018Q4:1.11.0.6
pkgsrc-2018Q4-base:1.11
pkgsrc-2018Q3:1.11.0.4
pkgsrc-2018Q3-base:1.11
pkgsrc-2018Q2:1.11.0.2
pkgsrc-2018Q2-base:1.11
pkgsrc-2018Q1:1.10.0.2
pkgsrc-2018Q1-base:1.10
pkgsrc-2017Q4:1.8.0.2
pkgsrc-2017Q4-base:1.8
pkgsrc-2017Q3:1.5.0.4
pkgsrc-2017Q3-base:1.5
pkgsrc-2017Q2:1.3.0.2
pkgsrc-2017Q2-base:1.3
pkgsrc-2017Q1:1.2.0.2
pkgsrc-2017Q1-base:1.2
pkgsrc-2016Q4:1.1.0.4
pkgsrc-2016Q4-base:1.1
pkgsrc-2016Q3:1.1.0.2
pkgsrc-2016Q3-base:1.1;
locks; strict;
comment @# @;
1.17
date 2023.08.22.13.48.17; author tnn; state Exp;
branches;
next 1.16;
commitid Xo4ZigcTWkCLQMBE;
1.16
date 2023.04.05.14.22.36; author ryoon; state Exp;
branches;
next 1.15;
commitid 2mcgkmDUoGwYvVjE;
1.15
date 2023.01.24.17.57.09; author nia; state Exp;
branches;
next 1.14;
commitid 9Me0jLePQPV5ZOaE;
1.14
date 2022.05.13.14.12.53; author ryoon; state Exp;
branches;
next 1.13;
commitid eLQooaDi6UGiYTDD;
1.13
date 2021.09.30.14.18.28; author ryoon; state dead;
branches;
next 1.12;
commitid 7qkk1LqWCavFeZaD;
1.12
date 2020.12.17.09.53.15; author ryoon; state Exp;
branches;
next 1.11;
commitid zhXrb1Fwr8fEZ4AC;
1.11
date 2018.05.10.20.01.53; author ryoon; state Exp;
branches;
next 1.10;
commitid xD42Z67JHKvGXMBA;
1.10
date 2018.03.17.00.59.03; author ryoon; state Exp;
branches;
next 1.9;
commitid yheX9IRIu7EcnKuA;
1.9
date 2018.01.24.16.52.08; author ryoon; state Exp;
branches;
next 1.8;
commitid Yl8uDmLMV5LNj9oA;
1.8
date 2017.12.10.00.45.09; author ryoon; state Exp;
branches
1.8.2.1;
next 1.7;
commitid 5NfkBjwiRoVLphiA;
1.7
date 2017.11.16.01.04.38; author ryoon; state Exp;
branches;
next 1.6;
commitid Azr5anfpJDEficfA;
1.6
date 2017.09.30.05.34.12; author ryoon; state Exp;
branches;
next 1.5;
commitid FvJcfB7R3sEnib9A;
1.5
date 2017.08.15.01.24.47; author ryoon; state Exp;
branches;
next 1.4;
commitid yN5PpLVQk7Zmof3A;
1.4
date 2017.08.10.14.46.15; author ryoon; state Exp;
branches;
next 1.3;
commitid rDI4h24RNI2oZF2A;
1.3
date 2017.06.14.11.28.44; author ryoon; state Exp;
branches;
next 1.2;
commitid TvqH8xBKhv2gJkVz;
1.2
date 2017.03.07.20.45.43; author ryoon; state Exp;
branches;
next 1.1;
commitid cj2gfa0XmazzZEIz;
1.1
date 2016.09.20.20.01.41; author ryoon; state Exp;
branches;
next ;
commitid WhBC6OrwOUAn94nz;
1.8.2.1
date 2018.03.09.07.17.30; author spz; state Exp;
branches;
next 1.8.2.2;
commitid DwVK6v0Mc0P0JKtA;
1.8.2.2
date 2018.03.22.06.56.21; author spz; state Exp;
branches;
next ;
commitid 8s0l4dxdhHyRbqvA;
desc
@@
1.17
log
@firefox: build with --enable-forkserver. Bump.
This makes the parent of content processes be the forkserver process rather than
the chrome process. It removes some complexity around setting up and tearing
down content processes from the main process and decreases memory usage.
This is the default on Linux and other BSDs and makes us less likely to trip
over bugs in code paths upstream don't test often.
@
text
@$NetBSD$
* Enable ALSA for NetBSD too.
* Support --enable-forkserver on NetBSD.
--- toolkit/moz.configure.orig 2023-08-15 21:10:03.000000000 +0000
+++ toolkit/moz.configure
@@@@ -242,6 +242,7 @@@@ def imply_alsa(values, target):
any("alsa" in value for value in values)
and target.kernel != "Linux"
and target.os != "FreeBSD"
+ and target.os != "NetBSD"
):
die("Cannot enable ALSA on %s", target.os)
return any("alsa" in value for value in values) or None
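Review bot: the condition in imply_alsa is now a chain of three negated comparisons (target.kernel != "Linux", target.os != "FreeBSD", target.os != "NetBSD"), which is easy to get wrong when the next platform is added. A positive test such as `target.kernel == "Linux" or target.os in ("FreeBSD", "NetBSD")`, negated once, would state the supported set directly. The header line "Enable ALSA for NetBSD too." also gives no reason for the change.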
@@@@ -2816,6 +2817,7 @@@@ def forkserver_default(target, build_pro
(target.os == "GNU" and target.kernel == "Linux")
or target.os == "FreeBSD"
or target.os == "OpenBSD"
+ or target.os == "NetBSD"
)
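Review bot: adding NetBSD to the list in forkserver_default changes, going by the function name, the default for every NetBSD build of this tree, not only builds that pass --enable-forkserver, while the patch header says only "Support --enable-forkserver on NetBSD." State the default change in the header comment, or drop this hunk if the package always passes the flag explicitly.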
@@@@ -2834,6 +2836,7 @@@@ def forkserver_flag(value, target):
or (target.os == "GNU" and target.kernel == "Linux")
or target.os == "FreeBSD"
or target.os == "OpenBSD"
+ or target.os == "NetBSD"
):
return bool(value)
pass
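Review bot: the three OS comparisons in forkserver_flag repeat the ones in forkserver_default in the previous hunk, so every new platform has to be added in both places, as this patch does for NetBSD. If this is sent upstream, a single shared test for the supported targets would keep the two from drifting apart. The patch header also carries no upstream bug reference for the forkserver change.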
@
1.16
log
@firefox: Update to 111.0.1
* Enable eventfd(2) for NetBSD 10 or later.
* Fix LICENSE in official Firefox branding case.
Changelog:
111.0.1
Fixed
* Fixed a crash on macOS while pinch-zooming under some circumstances (bug
1658986).
* Fixed a bug causing Firefox to freeze on startup for some Windows users (
bug 1823159).
111.0
New
* Windows native notifications are now enabled.
* Firefox Relay users can now opt-in to create Relay email masks directly
from the Firefox credential manager. You must be signed in with your
Firefox Account.
* We've added two new locales: Silhe Friulian (fur) and Sardinian (sc).
Fixed
* Various security fixes.
Security fixes
#CVE-2023-28159: Fullscreen Notification could have been hidden by download
popups on Android
#CVE-2023-25748: Fullscreen Notification could have been hidden by window
prompts on Android
#CVE-2023-25749: Firefox for Android may have opened third-party apps without a
prompt
#CVE-2023-25750: Potential ServiceWorker cache leak during private browsing
mode
#CVE-2023-25751: Incorrect code generation during JIT compilation
#CVE-2023-28160: Redirect to Web Extension files may have leaked local path
#CVE-2023-28164: URL being dragged from a removed cross-origin iframe into the
same tab triggered navigation
#CVE-2023-28161: One-time permissions granted to a local file were extended to
other local files loaded in the same tab
#CVE-2023-28162: Invalid downcast in Worklets
#CVE-2023-25752: Potential out-of-bounds when accessing throttled streams
#CVE-2023-28163: Windows Save As dialog resolved environment variables
#CVE-2023-28176: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9
#CVE-2023-28177: Memory safety bugs fixed in Firefox 111
@
text
@d4 1
d6 1
a6 1
--- toolkit/moz.configure.orig 2023-03-02 21:15:57.000000000 +0000
d8 1
a8 1
@@@@ -243,6 +243,7 @@@@ def imply_alsa(values, target):
d16 16
@
1.15
log
@firefox: Update patch comments.
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.14 2022/05/13 14:12:53 ryoon Exp $
a2 1
* Add Sun audio support and enable for NetBSD and SunOS by default.
d5 1
a5 3
https://bugzilla.mozilla.org/show_bug.cgi?id=1811911
--- toolkit/moz.configure.orig 2022-04-28 23:01:47.000000000 +0000
d7 1
a7 20
@@@@ -198,6 +198,10 @@@@ def audio_backends_default(target):
return ("sndio",)
elif target.os == "OSX":
return ("audiounit",)
+ elif target.os == "NetBSD":
+ return ("sunaudio",)
+ elif target.os == "SunOS":
+ return ("sunaudio",)
elif target.os == "WINNT":
return ("wasapi",)
else:
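Review bot: the two added branches for NetBSD and SunOS in audio_backends_default return the same tuple, ("sunaudio",). A single branch, `elif target.os in ("NetBSD", "SunOS"):`, would avoid the duplication and keep the two platforms in step.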
@@@@ -216,6 +220,7 @@@@ option(
"oss",
"pulseaudio",
"sndio",
+ "sunaudio",
"wasapi",
),
default=audio_backends_default,
@@@@ -236,6 +241,7 @@@@ def imply_alsa(values, target):
a14 23
@@@@ -290,6 +296,13 @@@@ def imply_sndio(values, target):
die("Cannot enable sndio on %s", target.os)
return any("sndio" in value for value in values) or None
+@@depends("--enable-audio-backends", target)
+def imply_sunaudio(values, target):
+ if any("sunaudio" in value for value in values) and (
+ target.os != "NetBSD" and target.os != "SunOS"
+ ):
+ die("Cannot enable sunaudio on %s", target.os)
+ return any("sunaudio" in value for value in values) or None
@@depends("--enable-audio-backends", target)
def imply_wasapi(values, target):
@@@@ -314,6 +327,8 @@@@ imply_option("--enable-pulseaudio", impl
imply_option("--enable-sndio", imply_sndio, reason="--enable-audio-backends")
+set_config("MOZ_SUNAUDIO", imply_sunaudio, when="--enable-audio-backends")
+
set_config("MOZ_WASAPI", imply_wasapi, when="--enable-audio-backends")
# ALSA cubeb backend
@
1.14
log
@firefox: Update to 100.0
* Simplify some option logic.
* Add sunaudio and jack options as audio backends.
Changelog
100.0:
New
* We now support captions/subtitles display on YouTube, Prime Video, and
Netflix videos you watch in Picture-in-Picture. Just turn on the subtitles
on the in-page video player, and they will appear in PiP.
* Picture-in-Picture now also supports video captions on websites that use
WebVTT (Web Video Text Track) format, like Coursera.org, Canadian
Broadcasting Corporation, and many more.
* On the first run after install, Firefox detects when its language does not
match the operating system language and offers the user a choice between
the two languages.
* Firefox spell checking now checks spelling in multiple languages. To enable
additional languages, select them in the text field's context menu.
* HDR video is now supported in Firefox on Mac --- starting with YouTube!
Firefox users on macOS 11+ (with HDR-compatible screens) can enjoy
higher-fidelity video content. No need to manually flip any preferences to
turn HDR video support on --- just make sure battery preferences are NOT set
to "optimize video streaming while on battery".
* Hardware accelerated AV1 video decoding is enabled on Windows with
supported GPUs (Intel Gen 11+, AMD RDNA 2 Excluding Navi 24, GeForce 30).
Installing the AV1 Video Extension from the Microsoft Store may also be
required.
* Video overlay is enabled on Windows for Intel GPUs, reducing power usage
during video playback.
* Improved fairness between painting and handling other events. This
noticeably improves the performance of the volume slider on Twitch.
* Scrollbars on Linux and Windows 11 won't take space by default. On Linux,
users can change this in Settings. On Windows, Firefox follows the system
setting (System Settings > Accessibility > Visual Effects > Always show
scrollbars).
* Firefox now supports credit card autofill and capture in the United
Kingdom.
* Firefox now ignores less restricted referrer policies --- including
unsafe-url, no-referrer-when-downgrade, and origin-when-cross-origin
--- for cross-site subresource/iframe requests to prevent privacy
leaks from the referrer.
Fixed
* Users can now choose preferred color schemes for websites. Theme authors
can now make better decisions about which color scheme Firefox uses for
menus. Web content appearance can now be changed in Settings.
* Beginning in this release, the Firefox installer for Windows is signed with
a SHA-256 digest, rather than SHA-1. Update KB4474419 is required for
successful installation on a computer running Microsoft Windows 7. For more
details about this update, visit the Microsoft Technical Support website.
* In macOS 11+ we now only rasterize the fonts once per window. This means
that opening a new tab is fast, and switching tabs in the same window is
also fast. (There's still work to do to share fonts across windows, or to
reduce the time it takes to initialize these fonts.)
* The performance of deeply-nested display: grid elements is greatly
improved.
* Support for profiling multiple java threads has been added.
* Soft-reloading a web page will no longer cause revalidation for all
resources.
* Non-vsync tasks are given more time to run, which improves behavior on
Google docs and Twitch.
* Geckoview APIs have been added to control the start/stop time of capturing
a profile.
* Various security fixes.
Changed
* Firefox has a new focus indicator for links which replaces the old dotted
outline with a solid blue outline. This change unifies the focus indicators
across form fields and links, which makes it easier to identify the focused
link, especially for users with low vision.
* New users can now set Firefox as the default PDF handler when setting
Firefox as their default browser.
* Some websites might not work correctly in Firefox version 100 due to
Firefox's new three-digit number. You can read about it in our blog post
here!
See the Mozilla Support article Difficulties opening or using a website in
Firefox 100 for possible workarounds you can use. There, you will also find
instructions for reporting a broken website so that Mozilla can help fix
the problem.
Mozilla Foundation Security Advisory 2022-16
#CVE-2022-29914: Fullscreen notification bypass using popups
#CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
#CVE-2022-29916: Leaking browser history with CSS variables
#CVE-2022-29911: iframe Sandbox bypass
#CVE-2022-29912: Reader mode bypassed SameSite cookies
#CVE-2022-29910: Firefox for Android forgot HTTP Strict Transport Security
settings
#CVE-2022-29915: Leaking cross-origin redirect through the Performance API
#CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
#CVE-2022-29918: Memory safety bugs fixed in Firefox 100
99.0.1:
Fixed
* Fixed an issue for Windows users that prevented hardware video decoding on
newer Intel drivers (bug 1762125)
* Fixed an issue with text rendering in Bengali (bug 1763368)
* Fixed a selection issue in the Download panel with drag and drop (bug
1762723)
* Fixed an issue preventing Zoom gallery mode for users who go to zoom.us
URLs instead of subdomain.zoom.us URLs (bug 1763801)
99.0:
New
* You can now toggle Narrate in ReaderMode with the keyboard shortcut "n."
* You can find added support for search --- with or without diacritics ---
in the PDF viewer.
* The Linux sandbox has been strengthened: processes exposed to web content
no longer have access to the X Window system (X11).
* Firefox now supports credit card autofill and capture in Germany and
France.
Fixed
* Various security fixes.
Mozilla Foundation Security Advisory 2022-13
#CVE-2022-1097: Use-after-free in NSSToken objects
#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions
#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument
#CVE-2022-28283: Missing security checks for fetching sourceMapURL
#CVE-2022-28284: Script could be executed via svg's use element
#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen
#CVE-2022-28286: iframe contents could be rendered outside the border
#CVE-2022-28287: Text Selection could crash Firefox
#CVE-2022-24713: Denial of Service via complex regular expressions
#CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
#CVE-2022-28288: Memory safety bugs fixed in Firefox 99
@
text
@d1 1
a1 1
$NetBSD$
d6 2
@
1.13
log
@firefox: Update to 92.0.1
Changelog:
92.0.1
Fixed
* Fixes an issue where audio playback was not working on some Linux systems (
bug 1730499)
* Fixes issues with the findbar close button on different operating systems (
bug 1728368)
92.0
New
* More secure connections: Firefox can now automatically upgrade to HTTPS
using HTTPS RR as Alt-Svc headers.
* Full-range color levels are now supported for video playback on many
systems.
* Mac users can now access the macOS share options from the Firefox File
menu.
* Support for images containing ICC v4 profiles is enabled on macOS.
Fixed
* Firefox performance with screen readers and other accessibility tools is no
longer severely degraded if Mozilla Thunderbird is installed or updated
after Firefox.
* macOS VoiceOver now correctly reports buttons and links marked as
"expanded" using the aria-expanded attribute.
* An open alert in a tab no longer causes performance issues in other tabs
using the same process.
* Various security fixes
Changed
* Canonical is now building the official Firefox snap. It's also now
available on two additional architectures, ARMhf and ARM64.
* The bookmark toolbar menus on macOS now follow Firefox visual styles.
* Certificate error pages have been redesigned for a better user experience.
* Continuing work to restructure Firefox's JavaScript memory management to
be more performant and use less memory.
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.12 2020/12/17 09:53:15 ryoon Exp $
d3 2
a4 1
* skia part: support bigendian architectures
d6 1
a6 1
--- toolkit/moz.configure.orig 2020-12-03 23:14:21.000000000 +0000
d8 30
a37 2
@@@@ -927,11 +927,11 @@@@ set_config("MOZ_IPDL_TESTS", depends_if(
option("--disable-skia", help="Disable use of Skia")
d39 7
d47 3
a49 11
-@@depends("--disable-skia")
-def skia(value):
- if not value:
- die("--disable-skia is not supported anymore")
- else:
+@@depends('--disable-skia', target)
+def skia(value, target):
+ if value.origin == 'default' and target.endianness == 'big':
+ return None
+ if value:
return True
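Review bot: removing the die() call from skia() means that, in the visible lines, an explicit --disable-skia is accepted on every target, because the new big-endian test applies only when value.origin is 'default'. The patch header describes the change only as "skia part: support bigendian architectures". If the intent is just to turn Skia off by default on big-endian targets, keep the die() for an explicit --disable-skia elsewhere, or say in the header that the option is supported again.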
d51 1
d53 5
@
1.12
log
@firefox: Update to 84.0
Changelog:
New
* Native support for macOS devices built with Apple Silicon CPUs brings
dramatic performance improvements over the non-native build that was
shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps
are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest Firefox.
* WebRender rolls out to MacOS Big Sur, Windows devices with Intel Gen 6
GPUs, and Intel laptops running Windows 7 and 8. Additionally we'll ship an
accelerated rendering pipeline for Linux/GNOME/X11 users for the first
time, ever!
* Firefox now uses more modern techniques for allocating shared memory on
Linux, improving performance and increasing compatibility with Docker.
* Firefox 84 is the final release to support Adobe Flash.
Fixed
* Various security fixes
#CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory
to be exposed
#CVE-2020-26971: Heap buffer overflow in WebGL
#CVE-2020-26972: Use-After-Free in WebGL
#CVE-2020-26973: CSS Sanitizer performed incorrect sanitization
#CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
#CVE-2020-26975: Malicious applications on Android could have induced Firefox
for Android into sending arbitrary attacker-specified headers
#CVE-2020-26976: HTTPS pages could have been intercepted by a registered
service worker when they should not have been
#CVE-2020-26977: URL spoofing via unresponsive port in Firefox for Android
#CVE-2020-26978: Internal network hosts could have been probed by a malicious
webpage
#CVE-2020-26979: When entering an address in the address or search bars, a
website could have redirected the user before they were navigated to the
intended url
#CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs
#CVE-2020-35112: Opening an extension-less download may have inadvertently
launched an executable instead
#CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.11 2018/05/10 20:01:53 ryoon Exp $
@
1.11
log
@Update to 60.0
* Remove untested patches including NetBSD/earm support
Changelog:
New
Added a policy engine that allows customized Firefox deployments in
enterprise environments, using Windows Group Policy or a cross-platform
JSON file
Enhancements to New Tab / Firefox Home
Responsive layout that shows more content for users with wide-screen
displays
Highlights section includes web sites saved to Pocket
More options to reorder sections and content on the page
Pocket Sponsored Stories will appear for a percentage of users in
the US. Read about our privacy-conscious approach to sponsored content
Redesigned Cookies and Site Storage section in Preferences for greater
clarity and control of first- and third-party cookies
Applied Quantum CSS to render browser UI
Added support for Web Authentication API, which allows USB tokens for
website authentication
Enhanced camera privacy indicators: Firefox now turns off your camera
and the camera's light when you disable video recording, and turns
the camera and light on when you resume recording
Added an option for Linux users to show or hide page titles in a bar
at the top of the browser. You'll find the Title Bar option in the
Customize panel available from the main browser menu.
Improved WebRTC audio performance and playback for Linux users
Locale added: Occitan (oc)
Fixed
Various security fixes
Changed
#CVE-2018-5154: Use-after-free with SVG animations and clip paths
#CVE-2018-5155: Use-after-free with SVG animations and text paths
#CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
#CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
#CVE-2018-5160: Uninitialized memory use by WebRTC encoder
#CVE-2018-5152: WebExtensions information leak through webRequest API
#CVE-2018-5153: Out-of-bounds read in mixed content websocket messages
#CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache
#CVE-2018-5164: CSP not applied to all multipart content sent with
multipart/x-mixed-replace
#CVE-2018-5166: WebExtension host permission bypass through filterReponseData
#CVE-2018-5167: Improper linkification of chrome: and javascript: content
in web console and JavaScript debugger
#CVE-2018-5168: Lightweight themes can be installed without user interaction
#CVE-2018-5169: Dragging and dropping link text onto home button can set home
page to include chrome pages
#CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks
page or PDF viewer
#CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters
#CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
for downloaded files in Windows 10 April 2018 Update
#CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in
their policies
#CVE-2018-5176: JSON Viewer script injection
#CVE-2018-5177: Buffer overflow in XSLT during number formatting
#CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in
32-bit Firefox
#CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
#CVE-2018-5181: Local file can be displayed in noopener tab through drag and
drop of hyperlink
#CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped
on addressbar
#CVE-2018-5151: Memory safety bugs fixed in Firefox 60
#CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.10 2018/03/17 00:59:03 ryoon Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2018-05-03 16:58:41.000000000 +0000
d7 2
a8 3
@@@@ -932,11 +932,11 @@@@ include('nss.configure')
# ==============================================================
option('--disable-skia', help='Disable use of Skia')
d10 2
a11 1
-@@depends('--disable-skia')
d14 1
a14 1
- die('--disable-skia is not supported anymore')
d23 1
a23 1
set_config('MOZ_ENABLE_SKIA', skia)
@
1.10
log
@Update to 59.0.1
Changelog:
59.0.1
Security fix
#CVE-2018-5146: Out of bounds memory write in libvorbis
59.0
New
Performance enhancements:
- Faster load times for content on the Firefox Home page
- Faster page load times by loading either from the networked cache
or the cache on the user's hard drive (Race Cache With Network)
- Improved graphics rendering using Off-Main-Thread Painting (OMTP)
for Mac users (OMTP for Windows was released in Firefox 58)
Drag-and-drop to rearrange Top Sites on the Firefox Home page, and
customize new windows and tabs in other ways
Added features for Firefox Screenshots:
- Basic annotation lets the user draw on and highlight saved screenshots
- Recropping to change the viewable area of saved screenshots
Enhanced WebExtensions API including better support for decentralized
protocols and the ability to dynamically register content scripts
Improved Real-Time Communications (RTC) capabilities.
- Implemented RTP Transceiver to give pages more fine grained control
over calls
- Implemented features to support large scale conferences
Added support for W3C specs for pointer events and improved platform
integration with added device support for mouse, pen, and touch
screen pointer input
Added the Ecosia search engine as an option for German Firefox
Added the Qwant search engine as an option for French Firefox
Added settings in about:preferences to stop websites from asking to
send notifications or access your device's camera, microphone, and
location, while still allowing trusted websites to use these features
Fixed
Various security fixes
Changed
Firefox Private Browsing Mode will remove path information from
referrers to prevent cross-site tracking
Security fixes:
#CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
#CVE-2018-5128: Use-after-free manipulating editor selection ranges
#CVE-2018-5129: Out-of-bounds write with malformed IPC messages
#CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
#CVE-2018-5131: Fetch API improperly returns cached copies of
no-store/no-cache resources
#CVE-2018-5132: WebExtension Find API can search privileged pages
#CVE-2018-5133: Value of the app.support.baseURL preference is not properly
sanitized
#CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content
restrictions
#CVE-2018-5135: WebExtension browserAction can inject scripts into
unintended contexts
#CVE-2018-5136: Same-origin policy violation with data: URL shared workers
#CVE-2018-5137: Script content can access legacy extension
non-contentaccessible resources
#CVE-2018-5138: Android Custom Tab address spoofing through long domain names
#CVE-2018-5140: Moz-icon images accessible to web content through moz-icon:
protocol
#CVE-2018-5141: DOS attack through notifications Push API
#CVE-2018-5142: Media Capture and Streams API permissions display
incorrect origin with data: and blob: URLs
#CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into
addressbar
#CVE-2018-5126: Memory safety bugs fixed in Firefox 59
#CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.9 2018/01/24 16:52:08 ryoon Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2018-03-10 02:54:17.000000000 +0000
d7 1
a7 21
@@@@ -414,7 +414,7 @@@@ option('--enable-eme',
def enable_eme(value, target):
# Widevine EME by default enabled on desktop Windows, MacOS and Linux,
# x86 and x64 builds.
- if (target.kernel in ('Darwin', 'WINNT', 'Linux') and
+ if (target.kernel in ('Darwin', 'WINNT', 'Linux', 'NetBSD') and
target.os not in ('Android', 'iOS') and
target.cpu in ('x86', 'x86_64')):
return value
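Review bot: the context comment above the changed line still reads "Widevine EME by default enabled on desktop Windows, MacOS and Linux" after 'NetBSD' is added to the target.kernel tuple in enable_eme, so the comment and the condition now disagree. Update the comment in the same hunk so the default for NetBSD is documented where it is set.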
@@@@ -815,8 +815,8 @@@@ def webrender(value, milestone):
enable_webrender = None
if value.origin == 'default':
- # if nothing is specified, default to just building on Nightly
- build_webrender = milestone.is_nightly
+ # build by default downstream
+ build_webrender = True
elif len(value) and value[0] == 'build':
# if explicitly set to 'build', then we build but don't enable
build_webrender = True
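Review bot: with build_webrender hard-coded to True in the value.origin == 'default' branch, the replacement comment "build by default downstream" does not say why the package departs from the default it removes, which built only on Nightly (milestone.is_nightly). Record the reason in the comment or the patch header so the change can be re-evaluated on the next update.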
@@@@ -924,11 +924,11 @@@@ include('nss.configure')
a23 27
@@@@ -1051,6 +1051,26 @@@@ add_old_configure_assignment('FT2_LIBS',
add_old_configure_assignment('FT2_CFLAGS',
ft2_info.cflags)
+# Graphite2
+# ==============================================================
+option('--with-system-graphite2',
+ help="Use system graphite2 (located with pkgconfig)")
+
+system_graphite2 = pkg_check_modules('MOZ_GRAPHITE2', 'graphite2',
+ when='--with-system-graphite2')
+
+set_config('MOZ_SYSTEM_GRAPHITE2', depends_if(system_graphite2)(lambda _: True))
+
+# HarfBuzz
+# ==============================================================
+option('--with-system-harfbuzz',
+ help="Use system harfbuzz (located with pkgconfig)")
+
+system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.7.4',
+ when='--with-system-harfbuzz')
+
+set_config('MOZ_SYSTEM_HARFBUZZ', depends_if(system_harfbuzz)(lambda _: True))
+
# Mortar
# ==============================================================
option('--enable-mortar', help='Enable mortar extension')
@
1.9
log
@Update to 58.0
Changelog:
New
Performance improvements, including:
Rendering graphics for Windows users by using Off-Main-Thread
Painting (OMTP)
Loading pages faster by changing how Firefox caches and retrieves
JavaScript
Improvements to Firefox Screenshots:
Copy and paste screenshots directly to your clipboard
Firefox Screenshots now works in Private Browsing mode
Added Nepali (ne-NP) locale
In case you missed it--57 Release privacy and performance feature:
Users can enable Tracking Protection at all times. Learn how to turn
Tracking Protection on.
Fixed
Fonts installed in non-standard directories will no longer appear
blank for Linux users
Various security fixes
Changed
User profiles created in Firefox 58 (and in future releases) are not
supported in previous versions of Firefox. Users who downgrade to
a previous version should create a new profile for that version.
Learn about alternatives to downgrading on our support site.
Added a warning to alert users and site owners of planned security
changes to sites affected by the gradual distrust plan for
the Symantec certificate authority
#CVE-2018-5091: Use-after-free with DTMF timers
#CVE-2018-5092: Use-after-free in Web Workers
#CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing
#CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on
uninitialized memory
#CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
#CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
#CVE-2018-5098: Use-after-free while manipulating form input elements
#CVE-2018-5099: Use-after-free with widget listener
#CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are
freed from memory
#CVE-2018-5101: Use-after-free with floating first-letter style elements
#CVE-2018-5102: Use-after-free in HTML media elements
#CVE-2018-5103: Use-after-free during mouse event handling
#CVE-2018-5104: Use-after-free during font face manipulation
#CVE-2018-5105: WebExtensions can save and execute files on local file
system without user prompts
#CVE-2018-5106: Developer Tools can expose style editor information
cross-origin through service worker
#CVE-2018-5107: Printing process will follow symlinks for local file access
#CVE-2018-5108: Manually entered blob URL can be accessed by subsequent
private browsing tabs
#CVE-2018-5109: Audio capture prompts and starts with incorrect origin
attribution
#CVE-2018-5110: Cursor can be made invisible on OS X
#CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
#CVE-2018-5118: Activity Stream images can attempt to load local content
through file:
#CVE-2018-5119: Reader view will load cross-origin content in violation
of CORS headers
#CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar
#CVE-2018-5122: Potential integer overflow in DoCrypt
#CVE-2018-5090: Memory safety bugs fixed in Firefox 58
#CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.8 2017/12/10 00:45:09 ryoon Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2018-01-11 20:17:05.000000000 +0000
d7 1
a7 1
@@@@ -418,7 +418,7 @@@@ option('--enable-eme',
d16 1
a16 1
@@@@ -829,8 +829,8 @@@@ def webrender(value, milestone):
d27 1
a27 1
@@@@ -938,11 +938,11 @@@@ include('nss.configure')
d44 1
a44 1
@@@@ -1065,6 +1065,26 @@@@ add_old_configure_assignment('FT2_LIBS',
d63 1
a63 1
+system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.7.2',
@
1.8
log
@Update to 57.0.2
* Move gtk3 part to mozilla-common.mk
* Add an option for Widevine CDM support
Changelog:
For Windows only.
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.7 2017/11/16 01:04:38 ryoon Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2017-11-02 16:16:34.000000000 +0000
d7 1
a7 28
@@@@ -317,6 +317,26 @@@@ def freetype2_combined_info(fontconfig_i
add_old_configure_assignment('_HAVE_FREETYPE2',
depends_if(freetype2_info)(lambda _: True))
+# Graphite2
+# ==============================================================
+option('--with-system-graphite2',
+ help="Use system graphite2 (located with pkgconfig)")
+
+system_graphite2 = pkg_check_modules('MOZ_GRAPHITE2', 'graphite2',
+ when='--with-system-graphite2')
+
+set_config('MOZ_SYSTEM_GRAPHITE2', depends_if(system_graphite2)(lambda _: True))
+
+# HarfBuzz
+# ==============================================================
+option('--with-system-harfbuzz',
+ help="Use system harfbuzz (located with pkgconfig)")
+
+system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.4.7',
+ when='--with-system-harfbuzz')
+
+set_config('MOZ_SYSTEM_HARFBUZZ', depends_if(system_harfbuzz)(lambda _: True))
+
# Apple platform decoder support
# ==============================================================
@@depends(toolkit)
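Review bot: the graphite2 check in this hunk has no version floor: pkg_check_modules('MOZ_GRAPHITE2', 'graphite2', ...) accepts any installed graphite2, while the harfbuzz check right below it requires >= 1.4.7. With --with-system-graphite2 the build can therefore link whatever system copy is present, however old, for a library that shapes fonts. Suggest giving graphite2 a minimum version in the same way as harfbuzz.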
@@@@ -418,7 +438,7 @@@@ option('--enable-eme',
d16 12
a27 1
@@@@ -940,11 +960,11 @@@@ include('nss.configure')
d44 27
@
1.8.2.1
log
@Pullup ticket #5695 - requested by he and maya
www/firefox: security update
www/firefox-l10n: dependent update
NOTE: firefox-58 needs rust and rust in pkgsrc-2017Q4 needs /proc
Revisions pulled up:
- www/firefox-l10n/Makefile 1.117-1.120
- www/firefox-l10n/PLIST 1.58-1.59
- www/firefox-l10n/distinfo 1.108-1.110
- www/firefox/Makefile 1.316-1.318
- www/firefox/PLIST 1.126
- www/firefox/distinfo 1.304-1.306
- www/firefox/mozilla-common.mk 1.103-1.104
- www/firefox/patches/patch-aa 1.55
- www/firefox/patches/patch-build_moz.configure_keyfiles.configure deleted
- www/firefox/patches/patch-config_Makefile.in deleted
- www/firefox/patches/patch-config_system-headers deleted
- www/firefox/patches/patch-config_system-headers.mozbuild 1.1
- www/firefox/patches/patch-dom_media_flac_FlacDecoder.cpp 1.1
- www/firefox/patches/patch-dom_media_moz.build 1.8
- www/firefox/patches/patch-intl_unicharutil_util_moz.build 1.7
- www/firefox/patches/patch-ipc_chromium_src_base_process__util.h deleted
- www/firefox/patches/patch-ipc_glue_MessageChannel.cpp 1.1
- www/firefox/patches/patch-js_src_build_moz.build 1.2
- www/firefox/patches/patch-media_libcubeb_src_cubeb__alsa.c 1.26
- www/firefox/patches/patch-media_libsoundtouch_src_cpu__detect__x86.cpp deleted
- www/firefox/patches/patch-netwerk_dns_moz.build 1.7
- www/firefox/patches/patch-servo_components_gfx_font.rs deleted
- www/firefox/patches/patch-servo_components_net__traits_response.rs deleted
- www/firefox/patches/patch-servo_components_net_fetch_cors__cache.rs deleted
- www/firefox/patches/patch-servo_components_net_fetch_methods.rs deleted
- www/firefox/patches/patch-servo_components_net_websocket__loader.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_bindings_str.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_blob.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_cssstyledeclaration.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_document.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_element.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_htmlelement.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_htmllinkelement.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_htmlmetaelement.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_htmlscriptelement.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_macros.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_namednodemap.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_serviceworkercontainer.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_servoparser_async__html.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_websocket.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_window.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_xmlhttprequest.rs deleted
- www/firefox/patches/patch-servo_components_selectors_attr.rs deleted
- www/firefox/patches/patch-servo_components_selectors_parser.rs deleted
- www/firefox/patches/patch-servo_components_style__traits_viewport.rs deleted
- www/firefox/patches/patch-servo_components_style_attr.rs deleted
- www/firefox/patches/patch-servo_components_style_counter__style_mod.rs deleted
- www/firefox/patches/patch-servo_components_style_custom__properties.rs deleted
- www/firefox/patches/patch-servo_components_style_gecko__string__cache_mod.rs deleted
- www/firefox/patches/patch-servo_components_style_gecko_generated_pseudo__element__definition.rs deleted
- www/firefox/patches/patch-servo_components_style_gecko_pseudo__element__definition.mako.rs deleted
- www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs 1.1
- www/firefox/patches/patch-servo_components_style_properties_longhand_font.mako.rs deleted
- www/firefox/patches/patch-servo_components_style_properties_longhand_pointing.mako.rs deleted
- www/firefox/patches/patch-servo_components_style_servo_selector__parser.rs deleted
- www/firefox/patches/patch-servo_components_style_str.rs deleted
- www/firefox/patches/patch-servo_components_style_stylesheets_viewport__rule.rs deleted
- www/firefox/patches/patch-servo_components_style_values_mod.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_align.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_angle.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_calc.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_grid.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_length.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_mod.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_percentage.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_text.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_time.rs deleted
- www/firefox/patches/patch-third__party_python_futures_concurrent_futures_process.py 1.3
- www/firefox/patches/patch-toolkit_components_protobuf_src_google_protobuf_stubs_atomicops.h 1.4
- www/firefox/patches/patch-toolkit_moz.configure 1.9
- www/firefox/patches/patch-toolkit_mozapps_installer_packager.mk 1.1
- www/firefox/patches/patch-xpcom_reflect_xptcall_md_unix_Makefile.in deleted
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Mon Jan 1 07:02:17 UTC 2018
Modified Files:
pkgsrc/www/firefox: Makefile distinfo
Log Message:
Update to 57.0.3
Changelog:
Fixed
* Fix a crash reporting issue that inadvertently sends background tab
crash reports to Mozilla without user opt-in (bug 1427111)
To generate a diff of this commit:
cvs rdiff -u -r1.315 -r1.316 pkgsrc/www/firefox/Makefile
cvs rdiff -u -r1.303 -r1.304 pkgsrc/www/firefox/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Mon Jan 1 07:03:33 UTC 2018
Modified Files:
pkgsrc/www/firefox-l10n: Makefile distinfo
Log Message:
Update to 57.0.3
* Sync with www/firefox-57.0.3
To generate a diff of this commit:
cvs rdiff -u -r1.116 -r1.117 pkgsrc/www/firefox-l10n/Makefile
cvs rdiff -u -r1.107 -r1.108 pkgsrc/www/firefox-l10n/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Mon Jan 8 09:37:57 UTC 2018
Modified Files:
pkgsrc/www/firefox: Makefile distinfo mozilla-common.mk
Added Files:
pkgsrc/www/firefox/patches: patch-servo_components_gfx_font.rs
patch-servo_components_net__traits_response.rs
patch-servo_components_net_fetch_cors__cache.rs
patch-servo_components_net_fetch_methods.rs
patch-servo_components_net_websocket__loader.rs
patch-servo_components_script_dom_bindings_str.rs
patch-servo_components_script_dom_blob.rs
patch-servo_components_script_dom_cssstyledeclaration.rs
patch-servo_components_script_dom_document.rs
patch-servo_components_script_dom_element.rs
patch-servo_components_script_dom_htmlelement.rs
patch-servo_components_script_dom_htmllinkelement.rs
patch-servo_components_script_dom_htmlmetaelement.rs
patch-servo_components_script_dom_htmlscriptelement.rs
patch-servo_components_script_dom_macros.rs
patch-servo_components_script_dom_namednodemap.rs
patch-servo_components_script_dom_serviceworkercontainer.rs
patch-servo_components_script_dom_servoparser_async__html.rs
patch-servo_components_script_dom_websocket.rs
patch-servo_components_script_dom_window.rs
patch-servo_components_script_dom_xmlhttprequest.rs
patch-servo_components_selectors_attr.rs
patch-servo_components_selectors_parser.rs
patch-servo_components_style__traits_viewport.rs
patch-servo_components_style_attr.rs
patch-servo_components_style_counter__style_mod.rs
patch-servo_components_style_custom__properties.rs
patch-servo_components_style_gecko__string__cache_mod.rs
patch-servo_components_style_gecko_generated_pseudo__element__definition.rs
patch-servo_components_style_gecko_pseudo__element__definition.mako.rs
patch-servo_components_style_properties_longhand_font.mako.rs
patch-servo_components_style_properties_longhand_pointing.mako.rs
patch-servo_components_style_servo_selector__parser.rs
patch-servo_components_style_str.rs
patch-servo_components_style_stylesheets_viewport__rule.rs
patch-servo_components_style_values_mod.rs
patch-servo_components_style_values_specified_align.rs
patch-servo_components_style_values_specified_angle.rs
patch-servo_components_style_values_specified_calc.rs
patch-servo_components_style_values_specified_grid.rs
patch-servo_components_style_values_specified_length.rs
patch-servo_components_style_values_specified_mod.rs
patch-servo_components_style_values_specified_percentage.rs
patch-servo_components_style_values_specified_text.rs
patch-servo_components_style_values_specified_time.rs
Log Message:
Update to 57.0.4
* Use lang/rust-1.23.0
Changelog:
Speculative execution side-channel attack ("Spectre")
Announced
January 4, 2018
Reporter
Jann Horn (Google Project Zero); Microsoft Vulnerability Research
Impact
High
Products
Firefox
Fixed in
Firefox 57.0.4
Description
Jann Horn of Google Project Zero Security reported that speculative
execution performed by modern CPUs could leak information through
a timing side-channel attack. Microsoft Vulnerability Research extended
this attack to browser JavaScript engines and demonstrated that code on
a malicious web page could read data from other web sites (violating
the same-origin policy) or private data from the browser itself.
Since this new class of attacks involves measuring precise time intervals,
as a partial, short-term, mitigation we are disabling or reducing
the precision of several time sources in Firefox. The precision of
performance.now() has been reduced from 5us to 20us, and
the SharedArrayBuffer feature has been disabled because it can be
used to construct a high-resolution timer.
SharedArrayBuffer is already disabled in Firefox 52 ESR.
To generate a diff of this commit:
cvs rdiff -u -r1.316 -r1.317 pkgsrc/www/firefox/Makefile
cvs rdiff -u -r1.304 -r1.305 pkgsrc/www/firefox/distinfo
cvs rdiff -u -r1.102 -r1.103 pkgsrc/www/firefox/mozilla-common.mk
cvs rdiff -u -r0 -r1.1 \
pkgsrc/www/firefox/patches/patch-servo_components_gfx_font.rs \
pkgsrc/www/firefox/patches/patch-servo_components_net__traits_response.rs \
pkgsrc/www/firefox/patches/patch-servo_components_net_fetch_cors__cache.rs \
pkgsrc/www/firefox/patches/patch-servo_components_net_fetch_methods.rs \
pkgsrc/www/firefox/patches/patch-servo_components_net_websocket__loader.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_bindings_str.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_blob.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_element.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlelement.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmllinkelement.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlmetaelement.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlscriptelement.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_macros.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_namednodemap.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_serviceworkercontainer.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_websocket.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_window.rs \
pkgsrc/www/firefox/patches/patch-servo_components_selectors_attr.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style__traits_viewport.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_attr.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_counter__style_mod.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_custom__properties.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_gecko__string__cache_mod.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_gecko_generated_pseudo__element__definition.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_gecko_pseudo__element__definition.mako.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_properties_longhand_font.mako.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_properties_longhand_pointing.mako.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_servo_selector__parser.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_str.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_stylesheets_viewport__rule.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_mod.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_align.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_angle.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_calc.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_grid.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_length.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_mod.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_percentage.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_text.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_time.rs
cvs rdiff -u -r0 -r1.3 \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_cssstyledeclaration.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_document.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_servoparser_async__html.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_xmlhttprequest.rs \
pkgsrc/www/firefox/patches/patch-servo_components_selectors_parser.rs
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Sun Jan 21 01:29:28 UTC 2018
Modified Files:
pkgsrc/www/firefox-l10n: Makefile distinfo
Log Message:
Update to 57.0.4
* Sync with www/firefox-57.0.4
To generate a diff of this commit:
cvs rdiff -u -r1.117 -r1.118 pkgsrc/www/firefox-l10n/Makefile
cvs rdiff -u -r1.108 -r1.109 pkgsrc/www/firefox-l10n/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Wed Jan 24 16:52:08 UTC 2018
Modified Files:
pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk
pkgsrc/www/firefox/patches: patch-aa patch-dom_media_moz.build
patch-intl_unicharutil_util_moz.build patch-js_src_build_moz.build
patch-media_libcubeb_src_cubeb__alsa.c patch-netwerk_dns_moz.build
patch-toolkit_components_protobuf_src_google_protobuf_stubs_atomicops.h
patch-toolkit_moz.configure
Added Files:
pkgsrc/www/firefox/patches: patch-config_system-headers.mozbuild
patch-dom_media_flac_FlacDecoder.cpp
patch-ipc_glue_MessageChannel.cpp
patch-servo_components_style_properties_helpers_animated__properties.mako.rs
patch-third__party_python_futures_concurrent_futures_process.py
patch-toolkit_mozapps_installer_packager.mk
Removed Files:
pkgsrc/www/firefox/patches:
patch-build_moz.configure_keyfiles.configure
patch-config_Makefile.in patch-config_system-headers
patch-ipc_chromium_src_base_process__util.h
patch-media_libsoundtouch_src_cpu__detect__x86.cpp
patch-servo_components_gfx_font.rs
patch-servo_components_net__traits_response.rs
patch-servo_components_net_fetch_cors__cache.rs
patch-servo_components_net_fetch_methods.rs
patch-servo_components_net_websocket__loader.rs
patch-servo_components_script_dom_bindings_str.rs
patch-servo_components_script_dom_blob.rs
patch-servo_components_script_dom_cssstyledeclaration.rs
patch-servo_components_script_dom_document.rs
patch-servo_components_script_dom_element.rs
patch-servo_components_script_dom_htmlelement.rs
patch-servo_components_script_dom_htmllinkelement.rs
patch-servo_components_script_dom_htmlmetaelement.rs
patch-servo_components_script_dom_htmlscriptelement.rs
patch-servo_components_script_dom_macros.rs
patch-servo_components_script_dom_namednodemap.rs
patch-servo_components_script_dom_serviceworkercontainer.rs
patch-servo_components_script_dom_servoparser_async__html.rs
patch-servo_components_script_dom_websocket.rs
patch-servo_components_script_dom_window.rs
patch-servo_components_script_dom_xmlhttprequest.rs
patch-servo_components_selectors_attr.rs
patch-servo_components_selectors_parser.rs
patch-servo_components_style__traits_viewport.rs
patch-servo_components_style_attr.rs
patch-servo_components_style_counter__style_mod.rs
patch-servo_components_style_custom__properties.rs
patch-servo_components_style_gecko__string__cache_mod.rs
patch-servo_components_style_gecko_generated_pseudo__element__definition.rs
patch-servo_components_style_gecko_pseudo__element__definition.mako.rs
patch-servo_components_style_properties_longhand_font.mako.rs
patch-servo_components_style_properties_longhand_pointing.mako.rs
patch-servo_components_style_servo_selector__parser.rs
patch-servo_components_style_str.rs
patch-servo_components_style_stylesheets_viewport__rule.rs
patch-servo_components_style_values_mod.rs
patch-servo_components_style_values_specified_align.rs
patch-servo_components_style_values_specified_angle.rs
patch-servo_components_style_values_specified_calc.rs
patch-servo_components_style_values_specified_grid.rs
patch-servo_components_style_values_specified_length.rs
patch-servo_components_style_values_specified_mod.rs
patch-servo_components_style_values_specified_percentage.rs
patch-servo_components_style_values_specified_text.rs
patch-servo_components_style_values_specified_time.rs
patch-xpcom_reflect_xptcall_md_unix_Makefile.in
Log Message:
Update to 58.0
Changelog:
New
Performance improvements, including:
Rendering graphics for Windows users by using Off-Main-Thread
Painting (OMTP)
Loading pages faster by changing how Firefox caches and retrieves
JavaScript
Improvements to Firefox Screenshots:
Copy and paste screenshots directly to your clipboard
Firefox Screenshots now works in Private Browsing mode
Added Nepali (ne-NP) locale
In case you missed it--57 Release privacy and performance feature:
Users can enable Tracking Protection at all times. Learn how to turn
Tracking Protection on.
Fixed
Fonts installed in non-standard directories will no longer appear
blank for Linux users
Various security fixes
Changed
User profiles created in Firefox 58 (and in future releases) are not
supported in previous versions of Firefox. Users who downgrade to
a previous version should create a new profile for that version.
Learn about alternatives to downgrading on our support site.
Added a warning to alert users and site owners of planned security
changes to sites affected by the gradual distrust plan for
the Symantec certificate authority
#CVE-2018-5091: Use-after-free with DTMF timers
#CVE-2018-5092: Use-after-free in Web Workers
#CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing
#CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on
uninitialized memory
#CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
#CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
#CVE-2018-5098: Use-after-free while manipulating form input elements
#CVE-2018-5099: Use-after-free with widget listener
#CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are
freed from memory
#CVE-2018-5101: Use-after-free with floating first-letter style elements
#CVE-2018-5102: Use-after-free in HTML media elements
#CVE-2018-5103: Use-after-free during mouse event handling
#CVE-2018-5104: Use-after-free during font face manipulation
#CVE-2018-5105: WebExtensions can save and execute files on local file
system without user prompts
#CVE-2018-5106: Developer Tools can expose style editor information
cross-origin through service worker
#CVE-2018-5107: Printing process will follow symlinks for local file access
#CVE-2018-5108: Manually entered blob URL can be accessed by subsequent
private browsing tabs
#CVE-2018-5109: Audio capture prompts and starts with incorrect origin
attribution
#CVE-2018-5110: Cursor can be made invisible on OS X
#CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
#CVE-2018-5118: Activity Stream images can attempt to load local content
through file:
#CVE-2018-5119: Reader view will load cross-origin content in violation
of CORS headers
#CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar
#CVE-2018-5122: Potential integer overflow in DoCrypt
#CVE-2018-5090: Memory safety bugs fixed in Firefox 58
#CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
To generate a diff of this commit:
cvs rdiff -u -r1.317 -r1.318 pkgsrc/www/firefox/Makefile
cvs rdiff -u -r1.125 -r1.126 pkgsrc/www/firefox/PLIST
cvs rdiff -u -r1.305 -r1.306 pkgsrc/www/firefox/distinfo
cvs rdiff -u -r1.103 -r1.104 pkgsrc/www/firefox/mozilla-common.mk
cvs rdiff -u -r1.54 -r1.55 pkgsrc/www/firefox/patches/patch-aa
cvs rdiff -u -r1.3 -r0 \
pkgsrc/www/firefox/patches/patch-build_moz.configure_keyfiles.configure \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_cssstyledeclaration.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_document.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_servoparser_async__html.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_xmlhttprequest.rs \
pkgsrc/www/firefox/patches/patch-servo_components_selectors_parser.rs \
pkgsrc/www/firefox/patches/patch-xpcom_reflect_xptcall_md_unix_Makefile.in
cvs rdiff -u -r1.11 -r0 pkgsrc/www/firefox/patches/patch-config_Makefile.in
cvs rdiff -u -r1.25 -r0 \
pkgsrc/www/firefox/patches/patch-config_system-headers
cvs rdiff -u -r0 -r1.1 \
pkgsrc/www/firefox/patches/patch-config_system-headers.mozbuild \
pkgsrc/www/firefox/patches/patch-dom_media_flac_FlacDecoder.cpp \
pkgsrc/www/firefox/patches/patch-ipc_glue_MessageChannel.cpp \
pkgsrc/www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs \
pkgsrc/www/firefox/patches/patch-toolkit_mozapps_installer_packager.mk
cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/firefox/patches/patch-dom_media_moz.build
cvs rdiff -u -r1.6 -r1.7 \
pkgsrc/www/firefox/patches/patch-intl_unicharutil_util_moz.build \
pkgsrc/www/firefox/patches/patch-netwerk_dns_moz.build
cvs rdiff -u -r1.6 -r0 \
pkgsrc/www/firefox/patches/patch-ipc_chromium_src_base_process__util.h
cvs rdiff -u -r1.1 -r1.2 \
pkgsrc/www/firefox/patches/patch-js_src_build_moz.build
cvs rdiff -u -r1.25 -r1.26 \
pkgsrc/www/firefox/patches/patch-media_libcubeb_src_cubeb__alsa.c
cvs rdiff -u -r1.5 -r0 \
pkgsrc/www/firefox/patches/patch-media_libsoundtouch_src_cpu__detect__x86.cpp
cvs rdiff -u -r1.1 -r0 \
pkgsrc/www/firefox/patches/patch-servo_components_gfx_font.rs \
pkgsrc/www/firefox/patches/patch-servo_components_net__traits_response.rs \
pkgsrc/www/firefox/patches/patch-servo_components_net_fetch_cors__cache.rs \
pkgsrc/www/firefox/patches/patch-servo_components_net_fetch_methods.rs \
pkgsrc/www/firefox/patches/patch-servo_components_net_websocket__loader.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_bindings_str.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_blob.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_element.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlelement.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmllinkelement.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlmetaelement.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlscriptelement.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_macros.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_namednodemap.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_serviceworkercontainer.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_websocket.rs \
pkgsrc/www/firefox/patches/patch-servo_components_script_dom_window.rs \
pkgsrc/www/firefox/patches/patch-servo_components_selectors_attr.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style__traits_viewport.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_attr.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_counter__style_mod.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_custom__properties.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_gecko__string__cache_mod.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_gecko_generated_pseudo__element__definition.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_gecko_pseudo__element__definition.mako.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_properties_longhand_font.mako.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_properties_longhand_pointing.mako.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_servo_selector__parser.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_str.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_stylesheets_viewport__rule.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_mod.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_align.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_angle.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_calc.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_grid.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_length.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_mod.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_percentage.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_text.rs \
pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_time.rs
cvs rdiff -u -r0 -r1.3 \
pkgsrc/www/firefox/patches/patch-third__party_python_futures_concurrent_futures_process.py
cvs rdiff -u -r1.3 -r1.4 \
pkgsrc/www/firefox/patches/patch-toolkit_components_protobuf_src_google_protobuf_stubs_atomicops.h
cvs rdiff -u -r1.8 -r1.9 \
pkgsrc/www/firefox/patches/patch-toolkit_moz.configure
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Wed Jan 24 16:54:05 UTC 2018
Modified Files:
pkgsrc/www/firefox-l10n: Makefile PLIST distinfo
Log Message:
Update to 58.0
* Sync with www/firefox-58.0
* Add ne-NP locale
To generate a diff of this commit:
cvs rdiff -u -r1.118 -r1.119 pkgsrc/www/firefox-l10n/Makefile
cvs rdiff -u -r1.57 -r1.58 pkgsrc/www/firefox-l10n/PLIST
cvs rdiff -u -r1.109 -r1.110 pkgsrc/www/firefox-l10n/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Mon Jan 29 15:22:54 UTC 2018
Modified Files:
pkgsrc/www/firefox-l10n: Makefile PLIST
Log Message:
Previous revision does not work. Install xpi files instead. Bump PKGREVISION
To generate a diff of this commit:
cvs rdiff -u -r1.119 -r1.120 pkgsrc/www/firefox-l10n/Makefile
cvs rdiff -u -r1.58 -r1.59 pkgsrc/www/firefox-l10n/PLIST
@
text
@d1 1
a1 1
$NetBSD$
d5 1
a5 1
--- toolkit/moz.configure.orig 2018-01-11 20:17:05.000000000 +0000
d7 28
a34 1
@@@@ -418,7 +418,7 @@@@ option('--enable-eme',
d43 1
a43 12
@@@@ -829,8 +829,8 @@@@ def webrender(value, milestone):
enable_webrender = None
if value.origin == 'default':
- # if nothing is specified, default to just building on Nightly
- build_webrender = milestone.is_nightly
+ # build by default downstream
+ build_webrender = True
elif len(value) and value[0] == 'build':
# if explicitly set to 'build', then we build but don't enable
build_webrender = True
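Review bot: the default branch now sets build_webrender = True unconditionally, so milestone.is_nightly no longer gates the default and every package built with this patch compiles WebRender. The new comment ("build by default downstream") does not say why; please state the reason in the comment or the commit log, and confirm that enable_webrender keeps its initial None on this path so the code is built but not switched on.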
@@@@ -938,11 +938,11 @@@@ include('nss.configure')
a59 27
@@@@ -1065,6 +1065,26 @@@@ add_old_configure_assignment('FT2_LIBS',
add_old_configure_assignment('FT2_CFLAGS',
ft2_info.cflags)
+# Graphite2
+# ==============================================================
+option('--with-system-graphite2',
+ help="Use system graphite2 (located with pkgconfig)")
+
+system_graphite2 = pkg_check_modules('MOZ_GRAPHITE2', 'graphite2',
+ when='--with-system-graphite2')
+
+set_config('MOZ_SYSTEM_GRAPHITE2', depends_if(system_graphite2)(lambda _: True))
+
+# HarfBuzz
+# ==============================================================
+option('--with-system-harfbuzz',
+ help="Use system harfbuzz (located with pkgconfig)")
+
+system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.7.2',
+ when='--with-system-harfbuzz')
+
+set_config('MOZ_SYSTEM_HARFBUZZ', depends_if(system_harfbuzz)(lambda _: True))
+
# Mortar
# ==============================================================
option('--enable-mortar', help='Enable mortar extension')
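Review bot: the harfbuzz floor in pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.7.2', ...) is a bare literal that has to be bumped by hand (the earlier revision of this patch used 1.4.7). Suggest a one-line comment next to it saying where the number comes from, so a stale floor is noticed at the next Firefox update.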
@
1.8.2.2
log
@Pullup ticket #5728 - requested by maya
devel/nspr: dependency update
devel/nss: dependency update
www/firefox-l10n: dependent update
www/firefox: security update
Revisions pulled up:
- devel/nspr/Makefile 1.94-1.95
- devel/nspr/distinfo 1.48-1.49
- devel/nspr/patches/patch-az deleted
- devel/nspr/patches/patch-nspr_pr_include_md___pth.h 1.1
- devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c 1.1
- devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h deleted
- devel/nss/Makefile 1.146,1.148
- devel/nss/PLIST 1.24
- devel/nss/distinfo 1.81,1.83
- devel/nss/patches/patch-nss_lib_freebl_config.mk deleted
- devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h deleted
- www/firefox-l10n/Makefile 1.121-1.123
- www/firefox-l10n/distinfo 1.111-1.113
- www/firefox/Makefile 1.320-1.321,1.324
- www/firefox/PLIST 1.127
- www/firefox/distinfo 1.307-1.309
- www/firefox/mozilla-common.mk 1.105-1.106
- www/firefox/patches/patch-aa 1.56
- www/firefox/patches/patch-build_gyp.mozbuild 1.8
- www/firefox/patches/patch-build_moz.configure_keyfiles.configure 1.5
- www/firefox/patches/patch-build_moz.configure_memory.configure deleted
- www/firefox/patches/patch-config_baseconfig.mk deleted
- www/firefox/patches/patch-config_external_moz.build 1.17
- www/firefox/patches/patch-dom_media_moz.build 1.9
- www/firefox/patches/patch-gfx_skia_generate__mozbuild.py 1.8
- www/firefox/patches/patch-gfx_skia_moz.build 1.15
- www/firefox/patches/patch-gfx_thebes_moz.build 1.9
- www/firefox/patches/patch-media_libcubeb_gtest_moz.build 1.2
- www/firefox/patches/patch-media_libtheora_moz.build 1.8
- www/firefox/patches/patch-media_libvorbis_moz.build 1.4
- www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc 1.1
- www/firefox/patches/patch-modules_libpref_init_all.js 1.7
- www/firefox/patches/patch-modules_pdfium_update.sh 1.2
- www/firefox/patches/patch-netwerk_dns_moz.build 1.8
- www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c deleted
- www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c deleted
- www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs deleted
- www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json 1.1
- www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs 1.1
- www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h deleted
- www/firefox/patches/patch-toolkit_moz.configure 1.10
- www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp deleted
- www/firefox/patches/patch-xpcom_build_BinaryPath.h 1.3-1.4
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Wed Jan 24 16:21:43 UTC 2018
Modified Files:
pkgsrc/devel/nspr: Makefile distinfo
Added Files:
pkgsrc/devel/nspr/patches: patch-nspr_pr_include_md___pth.h
patch-nspr_pr_src_pthreads_ptthread.c
Removed Files:
pkgsrc/devel/nspr/patches: patch-az patch-nsprpub_pr_include_md__pth.h
Log Message:
Update to 4.18
Changelog:
NSPR 4.18 contains the following changes:
- removed HP-UX DCE threads support
- improvements for the Windows implementation of PR_SetCurrentThreadName
- fixes for the Windows implementation of TCP Fast Open
To generate a diff of this commit:
cvs rdiff -u -r1.93 -r1.94 pkgsrc/devel/nspr/Makefile
cvs rdiff -u -r1.47 -r1.48 pkgsrc/devel/nspr/distinfo
cvs rdiff -u -r1.4 -r0 pkgsrc/devel/nspr/patches/patch-az
cvs rdiff -u -r0 -r1.1 \
pkgsrc/devel/nspr/patches/patch-nspr_pr_include_md___pth.h \
pkgsrc/devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c
cvs rdiff -u -r1.3 -r0 \
pkgsrc/devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Mar 17 01:06:18 UTC 2018
Modified Files:
pkgsrc/devel/nspr: Makefile distinfo
Log Message:
Update to 4.29
Changelog:
NSPR 4.19 contains the following changes:
- changed order of shutdown cleanup to avoid a crash on Mac OSX
- build compatibility with Android NDK r16 and glibc 2.26
To generate a diff of this commit:
cvs rdiff -u -r1.94 -r1.95 pkgsrc/devel/nspr/Makefile
cvs rdiff -u -r1.48 -r1.49 pkgsrc/devel/nspr/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Wed Jan 24 16:23:52 UTC 2018
Modified Files:
pkgsrc/devel/nss: Makefile distinfo
Removed Files:
pkgsrc/devel/nss/patches: patch-nss_lib_freebl_config.mk
patch-nss_lib_freebl_verified_kremlib.h
Log Message:
Update to 3.35
Changelog:
The NSS team has released Network Security Services (NSS) 3.35,
which is a minor release.
Summary of the major changes included in this release:
- The default database storage format has been changed to SQL,
using filenames cert9.db, key4.db, pkcs11.txt.
- TLS 1.3 support has been updated to draft -23, along with
additional significant changes.
- Support for TLS compression was removed.
- Added formally verified implementations of non-vectorized Chacha20
and non-vectorized Poly1305 64-bit.
- When creating encrypted PKCS#7 or PKCS#12 data, NSS uses a
higher iteration count for stronger security.
- The CA trust list was updated to version 2.22.
To generate a diff of this commit:
cvs rdiff -u -r1.145 -r1.146 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.80 -r1.81 pkgsrc/devel/nss/distinfo
cvs rdiff -u -r1.2 -r0 \
pkgsrc/devel/nss/patches/patch-nss_lib_freebl_config.mk
cvs rdiff -u -r1.1 -r0 \
pkgsrc/devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Mar 17 01:07:15 UTC 2018
Modified Files:
pkgsrc/devel/nss: Makefile PLIST distinfo
Log Message:
Update to 3.36
* Require devel/nspr-4.19
Changelog:
The NSS team has released Network Security Services (NSS) 3.36,
which is a minor release.
Summary of the major changes included in this release:
- Replaced existing vectorized ChaCha20 code with verified
HACL* implementation.
- Experimental APIs for TLS session cache handling.
To generate a diff of this commit:
cvs rdiff -u -r1.147 -r1.148 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.23 -r1.24 pkgsrc/devel/nss/PLIST
cvs rdiff -u -r1.82 -r1.83 pkgsrc/devel/nss/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Wed Jan 31 14:02:18 UTC 2018
Modified Files:
pkgsrc/www/firefox: Makefile distinfo
Added Files:
pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h
Log Message:
Update to 58.0.1
* Fix build under netbsd-7, PR pkg/52956
Changelog:
Fix Mozilla Foundation Security Advisory 2018-05:
Arbitrary code execution through unsanitized browser UI
When using certain non-default security policies on Windows (for
example with Windows Defender Exploit Protection or Webroot security
products), Firefox 58.0 would fail to load pages (bug 1433065).
To generate a diff of this commit:
cvs rdiff -u -r1.319 -r1.320 pkgsrc/www/firefox/Makefile
cvs rdiff -u -r1.306 -r1.307 pkgsrc/www/firefox/distinfo
cvs rdiff -u -r0 -r1.3 \
pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Feb 10 07:02:47 UTC 2018
Modified Files:
pkgsrc/www/firefox: Makefile distinfo mozilla-common.mk
pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h
Log Message:
Update to 58.0.2
* Fix segfault on netbsd-7
Changelog:
Fix
Avoid a signature validation issue during update on macOS
Blocklisted graphics drivers related to off main thread painting crashes
Tab crash during printing
Fix clicking links and scrolling emails on Microsoft Hotmail and Outlook
(OWA) webmail
To generate a diff of this commit:
cvs rdiff -u -r1.320 -r1.321 pkgsrc/www/firefox/Makefile
cvs rdiff -u -r1.307 -r1.308 pkgsrc/www/firefox/distinfo
cvs rdiff -u -r1.104 -r1.105 pkgsrc/www/firefox/mozilla-common.mk
cvs rdiff -u -r1.3 -r1.4 \
pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Mar 17 00:59:03 UTC 2018
Modified Files:
pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk
pkgsrc/www/firefox/patches: patch-aa patch-build_gyp.mozbuild
patch-config_external_moz.build patch-dom_media_moz.build
patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build
patch-gfx_thebes_moz.build patch-media_libcubeb_gtest_moz.build
patch-media_libtheora_moz.build patch-media_libvorbis_moz.build
patch-modules_pdfium_update.sh patch-netwerk_dns_moz.build
patch-toolkit_moz.configure
Added Files:
pkgsrc/www/firefox/patches:
patch-build_moz.configure_keyfiles.configure
patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc
patch-modules_libpref_init_all.js
patch-third__party_rust_simd_.cargo-checksum.json
patch-third__party_rust_simd_src_x86_avx2.rs
Removed Files:
pkgsrc/www/firefox/patches: patch-build_moz.configure_memory.configure
patch-config_baseconfig.mk
patch-netwerk_srtp_src_crypto_hash_hmac.c
patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c
patch-servo_components_style_properties_helpers_animated__properties.mako.rs
patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h
patch-toolkit_xre_nsEmbedFunctions.cpp
Log Message:
Update to 59.0.1
Changelog:
59.0.1
Security fix
#CVE-2018-5146: Out of bounds memory write in libvorbis
59.0
New
Performance enhancements:
- Faster load times for content on the Firefox Home page
- Faster page load times by loading either from the networked cache
or the cache on the user's hard drive (Race Cache With Network)
- Improved graphics rendering using Off-Main-Thread Painting (OMTP)
for Mac users (OMTP for Windows was released in Firefox 58)
Drag-and-drop to rearrange Top Sites on the Firefox Home page, and
customize new windows and tabs in other ways
Added features for Firefox Screenshots:
- Basic annotation lets the user draw on and highlight saved screenshots
- Recropping to change the viewable area of saved screenshots
Enhanced WebExtensions API including better support for decentralized
protocols and the ability to dynamically register content scripts
Improved Real-Time Communications (RTC) capabilities.
- Implemented RTP Transceiver to give pages more fine grained control
over calls
- Implemented features to support large scale conferences
Added support for W3C specs for pointer events and improved platform
integration with added device support for mouse, pen, and touch
screen pointer input
Added the Ecosia search engine as an option for German Firefox
Added the Qwant search engine as an option for French Firefox
Added settings in about:preferences to stop websites from asking to
send notifications or access your device's camera, microphone, and
location, while still allowing trusted websites to use these features
Fixed
Various security fixes
Changed
Firefox Private Browsing Mode will remove path information from
referrers to prevent cross-site tracking
Security fixes:
#CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
#CVE-2018-5128: Use-after-free manipulating editor selection ranges
#CVE-2018-5129: Out-of-bounds write with malformed IPC messages
#CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
#CVE-2018-5131: Fetch API improperly returns cached copies of
no-store/no-cache resources
#CVE-2018-5132: WebExtension Find API can search privileged pages
#CVE-2018-5133: Value of the app.support.baseURL preference is not properly
sanitized
#CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content
restrictions
#CVE-2018-5135: WebExtension browserAction can inject scripts into
unintended contexts
#CVE-2018-5136: Same-origin policy violation with data: URL shared workers
#CVE-2018-5137: Script content can access legacy extension
non-contentaccessible resources
#CVE-2018-5138: Android Custom Tab address spoofing through long domain names
#CVE-2018-5140: Moz-icon images accessible to web content through moz-icon:
protocol
#CVE-2018-5141: DOS attack through notifications Push API
#CVE-2018-5142: Media Capture and Streams API permissions display
incorrect origin with data: and blob: URLs
#CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into
addressbar
#CVE-2018-5126: Memory safety bugs fixed in Firefox 59
#CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
To generate a diff of this commit:
cvs rdiff -u -r1.323 -r1.324 pkgsrc/www/firefox/Makefile
cvs rdiff -u -r1.126 -r1.127 pkgsrc/www/firefox/PLIST
cvs rdiff -u -r1.308 -r1.309 pkgsrc/www/firefox/distinfo
cvs rdiff -u -r1.105 -r1.106 pkgsrc/www/firefox/mozilla-common.mk
cvs rdiff -u -r1.55 -r1.56 pkgsrc/www/firefox/patches/patch-aa
cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/firefox/patches/patch-build_gyp.mozbuild \
pkgsrc/www/firefox/patches/patch-gfx_skia_generate__mozbuild.py \
pkgsrc/www/firefox/patches/patch-media_libtheora_moz.build \
pkgsrc/www/firefox/patches/patch-netwerk_dns_moz.build
cvs rdiff -u -r0 -r1.5 \
pkgsrc/www/firefox/patches/patch-build_moz.configure_keyfiles.configure
cvs rdiff -u -r1.2 -r0 \
pkgsrc/www/firefox/patches/patch-build_moz.configure_memory.configure \
pkgsrc/www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h
cvs rdiff -u -r1.10 -r0 pkgsrc/www/firefox/patches/patch-config_baseconfig.mk
cvs rdiff -u -r1.16 -r1.17 \
pkgsrc/www/firefox/patches/patch-config_external_moz.build
cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/firefox/patches/patch-dom_media_moz.build \
pkgsrc/www/firefox/patches/patch-gfx_thebes_moz.build
cvs rdiff -u -r1.14 -r1.15 \
pkgsrc/www/firefox/patches/patch-gfx_skia_moz.build
cvs rdiff -u -r1.1 -r1.2 \
pkgsrc/www/firefox/patches/patch-media_libcubeb_gtest_moz.build \
pkgsrc/www/firefox/patches/patch-modules_pdfium_update.sh
cvs rdiff -u -r1.3 -r1.4 \
pkgsrc/www/firefox/patches/patch-media_libvorbis_moz.build
cvs rdiff -u -r0 -r1.1 \
pkgsrc/www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc \
pkgsrc/www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json \
pkgsrc/www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs
cvs rdiff -u -r0 -r1.7 \
pkgsrc/www/firefox/patches/patch-modules_libpref_init_all.js
cvs rdiff -u -r1.4 -r0 \
pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c
cvs rdiff -u -r1.3 -r0 \
pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c
cvs rdiff -u -r1.1 -r0 \
pkgsrc/www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs
cvs rdiff -u -r1.9 -r1.10 \
pkgsrc/www/firefox/patches/patch-toolkit_moz.configure
cvs rdiff -u -r1.7 -r0 \
pkgsrc/www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Wed Jan 31 14:03:25 UTC 2018
Modified Files:
pkgsrc/www/firefox-l10n: Makefile distinfo
Log Message:
Update to 58.0.1
* Sync with www/firefox-58.0.1
To generate a diff of this commit:
cvs rdiff -u -r1.120 -r1.121 pkgsrc/www/firefox-l10n/Makefile
cvs rdiff -u -r1.110 -r1.111 pkgsrc/www/firefox-l10n/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Feb 10 07:05:20 UTC 2018
Modified Files:
pkgsrc/www/firefox-l10n: Makefile distinfo
Log Message:
Update to 58.0.2
* Sync with www/firefox-58.0.2
To generate a diff of this commit:
cvs rdiff -u -r1.121 -r1.122 pkgsrc/www/firefox-l10n/Makefile
cvs rdiff -u -r1.111 -r1.112 pkgsrc/www/firefox-l10n/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Mar 17 01:00:20 UTC 2018
Modified Files:
pkgsrc/www/firefox-l10n: Makefile distinfo
Log Message:
Update to 59.0.1
* Sync with www/firefox-59.0.1
To generate a diff of this commit:
cvs rdiff -u -r1.122 -r1.123 pkgsrc/www/firefox-l10n/Makefile
cvs rdiff -u -r1.112 -r1.113 pkgsrc/www/firefox-l10n/distinfo
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.8.2.1 2018/03/09 07:17:30 spz Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2018-03-10 02:54:17.000000000 +0000
d7 1
a7 1
@@@@ -414,7 +414,7 @@@@ option('--enable-eme',
d16 1
a16 1
@@@@ -815,8 +815,8 @@@@ def webrender(value, milestone):
d27 1
a27 1
@@@@ -924,11 +924,11 @@@@ include('nss.configure')
d44 1
a44 1
@@@@ -1051,6 +1051,26 @@@@ add_old_configure_assignment('FT2_LIBS',
d63 1
a63 1
+system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.7.4',
@
1.7
log
@Update to 57.0
Changelog: New
A completely new browsing engine, designed to take full advantage
of the processing power in modern devices
A redesigned interface with a clean, modern appearance, consistent
visual elements, and optimizations for touch screens
A unified address and search bar. New installs will see this
unified bar. Learn how to add the stand-alone search bar to
the toolbar
A revamped new tab page that includes top visited sites, recently
visited pages, and recommendations from Pocket (in the US,
Canada, and Germany)
An updated product tour to orient new and returning Firefox
users
AMD VP9 hardware video decoder support for improved video
playback with lower power consumption
An expanded section in preferences to manage all website
permissions
Fixed
Various security fixes
Changed
Firefox now exclusively supports extensions built using the
WebExtension API, and unsupported legacy extensions will no
longer work. Learn more about our efforts to improve the
performance and security of extensions
The browser's autoscroll feature, as well as scrolling by
keyboard input and touch-dragging of scrollbars, now use
asynchronous scrolling. These scrolling methods are now similar
to other input methods like mousewheel, and provide a smoother
scrolling experience
The content process now has a stricter security sandbox that
blocks filesystem reading and writing on Linux, similar to the
protections for Windows and macOS that shipped in Firefox 56
Middle mouse paste in the content area no longer navigates to
URLs by default on Unix systems
Removed the toolbar Share button. If you relied on this feature,
you can install the Share Backported extension instead.
Some older versions of the ATOK IME, including ATOK 2006, 2008,
2009 and 2010, can cause crashes and are therefore disabled on
the Windows 64-bit version of Firefox Quantum. To fix those
incompatibility issues, please use a newer version of ATOK or
one of other IMEs.
The default font for Japanese text is now Meiryo
Security fixes:
CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in
use. This results in a potentially exploitable crash during these
operations.
References
Bug 1406750 Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource
Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in
cross-origin iframes. This is a same-origin policy violation and
could allow for data theft of URLs loaded by users.
References
Bug 1408990
#CVE-2017-7831: Information disclosure of exposed properties on
JavaScript proxy objects
Reporter
Oriol Brufau
Impact
moderate
Description
A vulnerability where the security wrapper does not deny access to
some exposed properties using the deprecated exposedProps mechanism
on proxy objects. These properties should be explicitly unavailable
to proxy objects.
References
Bug 1392026
#CVE-2017-7832: Domain spoofing through use of dotless 'i' character
followed by accent markers
Reporter
Jonathan Kew
Impact
moderate
Description
The combined, single character, version of the letter 'i' with any
of the potential accents in unicode, such as acute or grave, can
be spoofed in the addressbar by the dotless version of 'i' followed
by the same accent as a second character with most font sets. This
allows for domain spoofing attacks because these combined domain
names do not display as punycode.
References
Bug 1408782
#CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker
characters
Reporter
Rayyan Bijoora
Impact
moderate
Description
Some Arabic and Indic vowel marker characters can be combined with
Latin characters in a domain name to eclipse the non-Latin character
with some font sets on the addressbar. The non-Latin character will
not be visible to most viewers. This allows for domain spoofing
attacks because these combined domain names do not display as
punycode.
References
Bug 1370497
#CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections
Reporter
Jordi Chancel
Impact
moderate
Description
A data: URL loaded in a new tab did not inherit the Content Security
Policy (CSP) of the original page, allowing for bypasses of the
policy including the execution of JavaScript. In prior versions
when data: documents also inherited the context of the original
page this would allow for potential cross-site scripting (XSS)
attacks.
References
Bug 1358009
#CVE-2017-7835: Mixed content blocking incorrectly applies with
redirects
Reporter
Ben Kelly
Impact
moderate
Description
Mixed content blocking of insecure (HTTP) sub-resources in a secure
(HTTPS) document was not correctly applied for resources that
redirect from HTTPS to HTTP, allowing content that should be blocked,
such as scripts, to be loaded on a page.
References
Bug 1402363
#CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and
OS X
Reporter
Ezra Caltum
Impact
moderate
Description
The "pingsender" executable used by the Firefox Health Report
dynamically loads a system copy of libcurl, which an attacker could
replace. This allows for privilege escalation as the replaced
libcurl code will run with Firefox's privileges. Note: This attack
requires an attacker have local system access and only affects OS
X and Linux. Windows systems are not affected.
References
Bug 1401339
#CVE-2017-7837: SVG loaded as can use meta tags to set cookies
Reporter
Jun Kokatsu
Impact
moderate
Description
SVG loaded through tags can use tags within the SVG
data to set cookies for that page.
References
Bug 1325923
#CVE-2017-7838: Failure of individual decoding of labels in
international domain names triggers punycode display of entire IDN
Reporter
Corey Bonnell
Impact
low
Description
Punycode format text will be displayed for entire qualified
international domain names in some instances when a sub-domain
triggers the punycode display instead of the primary domain being
displayed in native script and the sub-domain only displaying as
punycode. This could be used for limited spoofing attacks due to
user confusion.
References
Bug 1399540
#CVE-2017-7839: Control characters before javascript: URLs defeats
self-XSS prevention mechanism
Reporter
Eric Lawrence
Impact
low
Description
Control characters prepended before javascript: URLs pasted in the
addressbar can cause the leading characters to be ignored and the
pasted JavaScript to be executed instead of being blocked. This
could be used in social engineering and self-cross-site-scripting
(self-XSS) attacks where users are convinced to copy and paste text
into the addressbar.
References
Bug 1402896
#CVE-2017-7840: Exported bookmarks do not strip script elements
from user-supplied tags
Reporter
Hanno Bock
Impact
low
Description
JavaScript can be injected into an exported bookmarks file by
placing JavaScript code into user-supplied tags in saved bookmarks.
If the resulting exported HTML file is later opened in a browser
this JavaScript will be executed. This could be used in social
engineering and self-cross-scripting (self-XSS) attacks if users
were convinced to add malicious tags to bookmarks, export them,
and then open the resulting file.
References
Bug 1366420
#CVE-2017-7842: Referrer Policy is not always respected for
elements
Reporter
Jun Kokatsu
Impact
low
Description
If a document's Referrer Policy attribute is set to "no-referrer"
sometimes two network requests are made for elements
instead of one. One of these requests includes the referrer instead
of respecting the set policy to not include a referrer on requests.
References
Bug 1397064
#CVE-2017-7827: Memory safety bugs fixed in Firefox 57
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Boris Zbarsky, Carsten Book,
Christian Holler, Byron Campen, Jan de Mooij, Jason Kratzer,
Jesse Schwartzentruber, Marcia Knous, Randell Jesup, Tyson Smith,
and Ting-Yu Chou reported memory safety bugs present in Firefox 56.
Some of these bugs showed evidence of memory corruption and we presume
that with enough effort some of these could be exploited to run
arbitrary code.
References
Memory safety bugs fixed in Firefox 57
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox
ESR 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David
Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob
Clary, Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and
Ryan VanderMeulen reported memory safety bugs present in Firefox
56 and Firefox ESR 52.4. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.6 2017/09/30 05:34:12 ryoon Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2017-09-15 04:15:40.000000000 +0000
d34 9
@
1.6
log
@Update to 56.0
New
Launched Firefox Screenshots, a feature that lets users take, save, and share screenshots without leaving the browser
Added support for address form autofill (en-US only)
Updated Preferences
Added search tool so users can find a specific setting quickly
Reorganized preferences so users can more easily scan settings
Rewrote descriptions so users can better understand choices and how they affect browsing
Revised data collection choices so they align with updated Privacy Notice and data collection strategy
Media opened in a background tab will not play until the tab is selected
Improved Send Tabs feature of Sync for iOS and Android, and Send Tabs can be discovered even by users without a Firefox Account
Changed
Replaced character encoding converters with a new Encoding Standard-compliant implementation written in Rust
Added hardware acceleration for AES-GCM
Updated the Safe Browsing protocol to version 4
Reduced update download file size by approximately 20 percent
Improved security for verifying update downloads
Developer
Added Layout Panel to CSS Grid DevTools
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.5 2017/08/15 01:24:47 ryoon Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2017-09-14 20:16:01.000000000 +0000
d7 1
a7 1
@@@@ -314,6 +314,26 @@@@ def freetype2_combined_info(fontconfig_i
d34 1
a34 10
@@@@ -600,7 +620,7 @@@@ def stylo_config(value, _, target):
# If nothing is specified, default to building stylo where possible.
if value.origin == 'default':
- if target.os == 'GNU' and target.bitness == 32:
+ if target.os != 'WINNT' and target.bitness == 32:
# The clang setup we use in automation is a little unusual, and
# doesn't play well with bindgen on 32-bit Linux.
pass
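Review bot: In `stylo_config`, the test is widened from `target.os == 'GNU'` to `target.os != 'WINNT'`, but the comment under it still explains the skip as a bindgen problem "on 32-bit Linux". Update the comment to give the reason the default is now off on every 32-bit non-Windows target, or narrow the test to the operating systems that actually need it, so the exclusion is not carried forward blindly when the upstream block changes.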
@@@@ -1047,11 +1067,11 @@@@ add_old_configure_assignment('NECKO_PROT
@
1.5
log
@Fix build under bigendian architectures from Jan Beich
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.4 2017/08/10 14:46:15 ryoon Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2017-07-31 16:20:52.000000000 +0000
d7 3
a9 13
@@@@ -88,8 +88,7 @@@@ include('../js/moz.configure')
# Rust
# ==============================================================
-include('../build/moz.configure/rust.configure',
- when='--enable-compile-environment')
+include('../build/moz.configure/rust.configure')
# L10N
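Review bot: Removing `when='--enable-compile-environment'` from the `include('../build/moz.configure/rust.configure')` call makes the Rust checks run unconditionally, including for configurations that set no compile environment. The patch carries no comment explaining why the guard has to go; add one, and confirm that a configure run without a compile environment still succeeds when no Rust toolchain is installed.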
@@@@ -356,6 +355,26 @@@@ add_old_configure_assignment('FT2_LIBS',
add_old_configure_assignment('FT2_CFLAGS',
ft2_info.cflags)
d26 1
a26 1
+system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.4.6',
d34 1
a34 27
@@@@ -623,13 +642,13 @@@@ id_and_secret_keyfile('Leanplum SDK')
option('--enable-stylo', nargs='?', choices=('build',),
help='Include Stylo in the build and/or enable it at runtime')
-@@depends('--enable-stylo')
-def stylo_config(value):
+@@depends('--enable-stylo', '--enable-rust')
+def stylo_config(value, rust_enabled):
build_stylo = None
enable_stylo = None
# The default is to not build Stylo at all.
- if value.origin == 'default':
+ if not rust_enabled or value.origin == 'default':
pass
elif value == 'build':
build_stylo = True
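Review bot: In `stylo_config`, `if not rust_enabled or value.origin == 'default': pass` treats an explicit `--enable-stylo` with Rust disabled the same as the default, so the request is dropped silently and both `build_stylo` and `enable_stylo` stay `None`. An explicit option that cannot be honoured should stop configure with an error naming the conflict with `--enable-rust`, rather than produce a build that quietly lacks the feature.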
@@@@ -769,12 +788,14 @@@@ set_config('SERVO_TARGET_DIR', servo_tar
option('--enable-webrender', nargs='?', choices=('build',),
help='Include WebRender in the build and/or enable it at runtime')
-@@depends('--enable-webrender', milestone)
-def webrender(value, milestone):
+@@depends('--enable-webrender', '--enable-rust', milestone)
+def webrender(value, rust_enabled, milestone):
build_webrender = None
enable_webrender = None
d36 8
a43 8
- if value.origin == 'default':
+ if not rust_enabled:
+ pass
+ elif value.origin == 'default':
# if nothing is specified, default to just building on Nightly
build_webrender = milestone.is_nightly
elif value == 'build':
@@@@ -954,11 +975,11 @@@@ add_old_configure_assignment('NECKO_PROT
@
1.4
log
@Update to 55.0
Changelog:
New
Launched Windows support for WebVR, bringing immersive experiences to the web. See examples and try working demos at Mozilla VR.
Added options that let users optimize recent performance improvements
Setting to enable Hardware VP9 acceleration on Windows 10 Anniversary Edition for better battery life and lower CPU usage while watching videos
Setting to modify the number of concurrent content processes for faster page loading and more responsive tab switching
Simplified installation process with a streamlined Windows stub installer
Firefox for Windows 64-bit is now installed by default on 64-bit systems with at least 2GB of RAM
Full installers with advanced installation options are still available
Improved address bar functionality
Search with any installed one-click search engine directly from the address bar
Search suggestions appear by default
When entering a hostname (like pinterest.com) in the URL bar, Firefox resolves to the secure version of the site (https://www.pinterest.com) instead of the insecure version (http://www.pinterest.com) when possible
Updated Sidebar for bookmarks, history, and synced tabs so it can appear at the right edge of the window as well as the left
Added support for stereo microphones with WebRTC
Pages can be simplified before printing from within Print Preview
Updated Firefox for OSX and macOS to allow users to assign custom keyboard shortcuts to Firefox menu items via System Preferences
Browsing sessions with a high number of tabs are now restored in an instant
Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users.
Added Belarusian (be) locale
Fixed
Various security fixes
Changed
Made the Adobe Flash plugin click-to-activate by default and allowed only on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap)
Firefox does not support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience issues with Firefox.
Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.
Security fixes:
CVE-2017-7798: XUL injection in the style editor in devtools
Reporter
Frederik Braun
Impact
critical
Description
The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool.
References
Bug 1371586, 1372112
#CVE-2017-7800: Use-after-free in WebSockets during disconnection
Reporter
Looben Yang
Impact
critical
Description
A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash.
References
Bug 1374047
#CVE-2017-7801: Use-after-free with marquee during window resizing
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash.
References
Bug 1371259
#CVE-2017-7809: Use-after-free while deleting attached editor DOM node
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash.
References
Bug 1380284
#CVE-2017-7784: Use-after-free with image observers
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash.
References
Bug 1376087
#CVE-2017-7802: Use-after-free resizing image elements
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed.
References
Bug 1378147
#CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
Reporter
Nils
Impact
high
Description
A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash.
References
Bug 1356985
#CVE-2017-7786: Buffer overflow while painting non-displayable SVG
Reporter
Nils
Impact
high
Description
A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash.
References
Bug 1365189
#CVE-2017-7806: Use-after-free in layer manager with SVG
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when the layer manager is freed too early when rendering specific SVG content, resulting in a potentially exploitable crash.
References
Bug 1378113
#CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements
Reporter
SkyLined
Impact
high
Description
An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data.
References
Bug 1353312
#CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
Reporter
Oliver Wagner
Impact
high
Description
Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure.
References
Bug 1322896
#CVE-2017-7807: Domain hijacking through AppCache fallback
Reporter
Mathias Karlsson
Impact
high
Description
A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory.
References
Bug 1376459
#CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID
Reporter
Fraser Tweedale
Impact
high
Description
A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash.
References
Bug 1368652
#CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
Reporter
Stephen Fewer
Impact
high
Description
The destructor function for the WindowsDllDetourPatcher class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1372849
#CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts
Reporter
Jose María Acuña
Impact
moderate
Description
On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content.
References
Bug 1365875
#CVE-2017-7808: CSP information leak with frame-ancestors containing paths
Reporter
Jun Kokatsu
Impact
moderate
Description
A content security policy (CSP) frame-ancestors directive containing origins with paths allows for comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information.
References
Bug 1367531
#CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections
Reporter
Arthur Edelstein
Impact
moderate
Description
An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1344034
#CVE-2017-7781: Elliptic curve point addition error when using mixed Jacobian-affine coordinates
Reporter
Antonio Sanso
Impact
moderate
Description
An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret.
References
Bug 1352039
#CVE-2017-7794: Linux file truncation via sandbox broker
Reporter
Jann Horn
Impact
moderate
Description
On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions.
Note: This attack only affects the Linux operating system. Other operating systems are not affected.
References
Bug 1374281
#CVE-2017-7803: CSP containing 'sandbox' improperly applied
Reporter
Rhys Enniks
Impact
moderate
Description
When a page’s content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP.
References
Bug 1377426
#CVE-2017-7799: Self-XSS XUL injection in about:webrtc
Reporter
Frederik Braun
Impact
moderate
Description
JavaScript in the about:webrtc page is not sanitized properly before being assigned to innerHTML. Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack.
References
Bug 1372509
#CVE-2017-7783: DOS attack through long username in URL
Reporter
Amit Sangra
Impact
low
Description
If a long user name is used in a username/password combination in a site URL (such as http://UserName:Password@@example.com), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service.
References
Bug 1360842
#CVE-2017-7788: Sandboxed about:srcdoc iframes do not inherit CSP directives
Reporter
Muneaki Nishimura
Impact
low
Description
When an iframe has a sandbox attribute and its content is specified using srcdoc, that content does not inherit the containing page's Content Security Policy (CSP) as it should unless the sandbox attribute included allow-same-origin.
References
Bug 1073952
#CVE-2017-7789: Failure to enable HSTS when two STS headers are sent for a connection
Reporter
Muneaki Nishimura
Impact
low
Description
If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection.
References
Bug 1074642
#CVE-2017-7790: Windows crash reporter reads extra memory for some non-null-terminated registry values
Reporter
Xiaoyin Liu
Impact
low
Description
On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1350460
#CVE-2017-7796: Windows updater can delete any file named update.log
Reporter
Matt Howell
Impact
low
Description
On Windows systems, the logger run by the Windows updater deletes the file "update.log" before it runs in order to write a new log of that name. The path to this file is supplied at the command line to the updater and could be used in concert with another local exploit to delete a different file named "update.log" instead of the one intended.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1234401
#CVE-2017-7797: Response header name interning leaks across origins
Reporter
Anne van Kesteren
Impact
low
Description
Response header name interning does not have same-origin protections and these headers are stored in a global registry. This allows stored header names to be available cross-origin.
References
Bug 1334776
#CVE-2017-7780: Memory safety bugs fixed in Firefox 55
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Gary Kwong, Christian Holler, André Bargull, Bob Clary, Carsten Book, Emilio Cobos Álvarez, Masayuki Nakano, Sebastian Hengst, Franziskus Kiefer, Tyson Smith, and Ronald Crane reported memory safety bugs present in Firefox 54. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 55
#CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Masayuki Nakano, Gary Kwong, Ronald Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler, Bryce Van Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan Bourvon, and Andi-Bogdan Postelnicu reported memory safety bugs present in Firefox 54 and Firefox ESR 52.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.3 2017/06/14 11:28:44 ryoon Exp $
d3 1
a3 1
* Enable widevide CDM for NetBSD
d79 17
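Review bot: the comment line inserted by `a3 1` misspells the CDM name as "widevide"; it should read "Enable Widevine CDM for NetBSD" so that a search of the patch headers for Widevine finds this file.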
@
1.3
log
@Update to 54.0
* If your 54.0 is unstable, please disable e10s with
browser.tabs.remote.autostart.2=false (this works at least for me)
Changelog:
New
Simplified the download button and download status panel
Added support for multiple content processes (e10s-multi)
Added Burmese (my) locale
Fixed
Various security fixes
Changed
Moved the mobile bookmarks folder to the main bookmarks menu for easier access
Security fixes:
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7778: Vulnerabilities in the Graphite 2 library
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7759: Android intent URLs can cause navigation to local file system
#CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
#CVE-2017-7762: Addressbar spoofing in Reader mode
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
#CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
#CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
#CVE-2017-7770: Addressbar spoofing with JavaScript events and fullscreen mode
#CVE-2017-5471: Memory safety bugs fixed in Firefox 54
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.2 2017/03/07 20:45:43 ryoon Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2017-06-05 20:45:23.000000000 +0000
d7 11
a17 1
@@@@ -343,6 +343,26 @@@@ add_old_configure_assignment('FT2_LIBS',
d19 1
a19 1
delayed_getattr(ft2_info, 'cflags'))
d36 1
a36 1
+system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.4.3',
d44 35
@
1.2
log
@Update to 52.0
* Switch to GTK3 build
* Remove py-sqlite2 dependency, fix PR pkg/52032
Changelog:
New
Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins.
Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab.
Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS.
Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain.
Enhanced Sync to allow users to send and open tabs from one device to another.
Fixed
Various security fixes
Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that
* have chained dead keys
* input two or more characters with a non-printable key or a dead key sequence
* input a character even when a dead key sequence failed to compose a character
Changed
Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.
Removed Battery Status API to reduce fingerprinting of users by trackers
Improved experience for downloads:
* Notification in the toolbar when a download fails
* Quick access to five most recent downloads rather than three
* Larger buttons for canceling and restarting downloads
Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1
Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox.
When not using Direct2D on Windows, Skia is used for content rendering
Developer
Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design
Redesigned Responsive Design Mode to include device selection, network throttling, and more
Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain
Unresolved
Google Hangouts temporarily won't work
Security fixes:
#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
#CVE-2017-5401: Memory Corruption when handling ErrorResult
#CVE-2017-5402: Use-after-free working with events in FontFace objects
#CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
#CVE-2017-5404: Use-after-free working with ranges in selections
#CVE-2017-5406: Segmentation fault in Skia with canvas operations
#CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
#CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
#CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
#CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
#CVE-2017-5412: Buffer overflow read in SVG filters
#CVE-2017-5413: Segmentation fault during bidirectional operations
#CVE-2017-5414: File picker can choose incorrect default directory
#CVE-2017-5415: Addressbar spoofing through blob URL
#CVE-2017-5416: Null dereference crash in HttpChannel
#CVE-2017-5417: Addressbar spoofing by dragging and dropping URLs
#CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
#CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
#CVE-2017-5427: Non-existent chrome.manifest file loaded during startup
#CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
#CVE-2017-5419: Repeated authentication prompts lead to DOS attack
#CVE-2017-5420: Javascript: URLs can obfuscate addressbar location
#CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
#CVE-2017-5421: Print preview spoofing
#CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
#CVE-2017-5399: Memory safety bugs fixed in Firefox 52
#CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8
@
text
@d1 1
a1 1
$NetBSD: patch-toolkit_moz.configure,v 1.1 2016/09/20 20:01:41 ryoon Exp $
d5 1
a5 1
--- toolkit/moz.configure.orig 2017-01-23 16:13:54.000000000 +0000
d7 1
a7 1
@@@@ -338,6 +338,26 @@@@ add_old_configure_assignment('FT2_LIBS',
d26 1
a26 1
+system_harfbuzz = pkg_check_modules('MOZ_HARFBUZZ', 'harfbuzz >= 1.4.1',
@
1.1
log
@Update to 49.0
Changelog:
New
Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. It’s one more way Firefox is supporting Let’s Encrypt and helping users transition to a more secure web.
Added features to Reader Mode that make it easier on the eyes and the ears
Controls that allow users to adjust the width and line spacing of text
Narrate, which reads the content of a page out loud
Improved video performance for users on systems that support SSSE3 without hardware acceleration
Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed
Enhancements for Mac users
Improved performance on OS X systems without hardware acceleration
Improved appearance of anti-aliased OS X fonts
Improvements in about:memory reports for tracking font memory usage
Improve performance on Windows systems without hardware acceleration
Fixed
Fixed an issue that prevented users from updating Firefox for Mac unless they originally installed Firefox. Now, those users as well as any user with administrative credentials can update Firefox.
Various security fixes
Changed
Ended Firefox for Mac support for OS X 10.6, 10.7, and 10.8.
Ended Firefox for Windows support for SSE processors
Removed Firefox Hello
Re-enabled the default for Graphite2 font shaping
Developer
Added a Cause column to the Network Monitor to show what caused each network request
Introduced web speech synthesis API
Fixed in Firefox 49
2016-85 Security vulnerabilities fixed in Firefox 49
CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]
Reporter: Atte Kettunen
Description: A content security policy (CSP) containing a referrer directive with no values can cause a non-exploitable crash. [1289085]
CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]
CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]
Reporter: Abhishek Arya
Description: An out-of-bounds read during the processing of text runs in some pages using display:contents. [1288946]
CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]
CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]
Reporter: Nils
Description: A potentially exploitable crash in accessibility [1280387]
CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting an aria-owns attribute [1287721]
CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling. [1282076]
CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A use-after-free vulnerability with web animations when destroying a timeline [1291665]
CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]
Reporter: Nils
Description: A buffer overflow when working with empty filters during canvas rendering [1287316]
CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]
CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]
Reporter: Rafael Gieschke
Description: The full path to local files is available to scripts when local files are dragged and dropped into Firefox [1249522]
CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]
CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]
CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]
Reporter: Richard Newman
Description: Favicons can be loaded through non-whitelisted protocols, such as jar: [932335]
CVE-2016-5283 -