The NetBSD Project

CVS log for pkgsrc/www/firefox/PLIST

Default branch: MAIN


Revision 1.181, Sat Oct 8 21:18:55 2022 UTC (7 weeks, 2 days ago) by ryoon
Branch: MAIN
CVS Tags: HEAD
Changes since 1.180: +1 -2 lines

firefox: Update to 105.0.3

* Add --enable-new-pass-manager.
* Disable sysutils/dbus dependency for non-Linux platforms by default.

Changelog:
105.0.3:
Fixed
  * Mitigated frequent crashes for Windows users with Avast or AVG Antivirus
    software installed (bug 1794064)

105.0.2:
Fixed
  * Fixed poor contrast on various menu items with certain themes on Linux
    systems (bug 1792063)

  * Fixed the scrollbar appearing on the wrong side of select elements in
    right-to-left locales (bug 1791219)

  * Fixed a possible deadlock when loading some sites in Troubleshoot Mode (bug
    1786259)

  * Fixed a bug causing some dynamic appearance changes to not appear when
    expected (bug 1786521)

  * Fixed a bug causing theme styling to not be properly applied to sidebars
    for some add-ons in Private Browsing Mode (bug 1787543)

105.0.1:
Fixed
  * Reverted focus behavior for new windows back to the content area
    instead of the address bar (bug 1784692)

105.0:
New
  * Added an option to print only the current page from the print preview
    dialog.

  * Firefox now supports partitioned service workers in third-party contexts.
    You can register service workers in a third-party iframe and it will be
    partitioned under the top-level domain.

  * Swipe to navigate (two fingers on a touchpad swiped left or right to
    perform history back or forward) on Windows is now enabled.

  * Firefox is now compliant with the User Timing L3 specification, which adds
    additional optional arguments to the performance.mark and
    performance.measure methods to provide custom start times, end times,
    duration, and attached details.

  * Searching in large lists for individual items is now 2x faster. This
    performance enhancement replaces array.includes and array.indexOf with an
    optimized SIMD version.

Fixed
  * Stability on Windows is significantly improved as Firefox handles
    low-memory situations much better.

  * Touchpad scrolling on macOS was made more accessible by reducing unintended
    diagonal scrolling opposite of the intended scroll axis.

  * Firefox is less likely to run out of memory on Linux and performs more
    efficiently for the rest of the system when memory runs low.

  * Various security fixes.

Web Platform
  * Support for the Offscreen Canvas DOM API with full context and font
    support. The OffscreenCanvas API provides a canvas that can be rendered
    off-screen in both Window and Web Worker contexts.

Security fixes:
#CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages
#CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads
#CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host
 and __Secure prefix
#CVE-2022-40961: Stack-buffer overflow when initializing Graphics
#CVE-2022-40956: Content-Security-Policy base-uri bypass
#CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64
#CVE-2022-40962: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

Revision 1.180, Tue Mar 1 13:35:33 2022 UTC (8 months, 4 weeks ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3, pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.179: +2 -2 lines

firefox: Update to 97.0.1

* Remove removed or changed configure options.

Changelog:
97.0.1:
Fixed
  * Fixed an issue where TikTok videos would fail to load when selected from a
    user's profile page (bug 1750973)

  * Fixed an issue which led to Picture-in-Picture mode being unable to be
    toggled on Hulu (bug 1753401)

  * Works around problems with WebRoot SecureAnywhere antivirus rendering
    Firefox unusable in some situations (bug 1752466)

  * Fixed an issue causing users to see the Restore Session screen unexpectedly
    when starting Firefox (bug 1749996)

97.0:
New
  * On February 8, we expired the 18 colorway themes that shipped along with
    Firefox 94. This signals the end of a special, limited-time feature set.
    However, you can hold onto your favorite colorway, as long as you're using
    it on the expiration date. In other words, if a colorway is "enabled" in
    the add-ons manager, that colorway is yours forever.

  * Beginning February 15, we are releasing 6 brand-new colorways in a special
    partner collaboration. U.S.-based fans of the film can visit
    truecolors.firefox.com to activate official Turning Red-inspired Colorways,
    available exclusively in Firefox for desktop through April 30, 2022.
    Firefox users who visit the "True Colors" campaign landing page will be
    able to modify how their web browser looks, with colors and moods inspired
    by some of the main characters in the film. To enjoy the new Colorways,
    you'll need to make sure you upgrade to the latest Firefox 97 version. This
    collection will be available in the add-ons manager, within the Colorways
    section. Read more about colorway updates here.

  * Firefox now supports and displays the new style of scrollbars on Windows
    11.

Fixed
  * On macOS, we've made improvements to system font loading which makes
    opening and switching to new tabs faster in certain situations.

  * Various security fixes

Changed
  * Support for directly generating PostScript for printing on Linux has been
    removed. Printing to PostScript printers still remains a supported option,
    however.

Security fixes:
#CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance
 Service
#CVE-2022-22754: Extensions could have bypassed permission confirmation during
 update
#CVE-2022-22755: XSL could have allowed JavaScript execution after a tab was
 closed
#CVE-2022-22756: Drag and dropping an image could have resulted in the dropped
 object being an executable
#CVE-2022-22757: Remote Agent did not prevent local websites from connecting
#CVE-2022-22758: tel: links could have sent USSD codes to the dialer on Firefox
 for Android
#CVE-2022-22759: Sandboxed iframes could have executed script if the parent
 appended elements
#CVE-2022-22760: Cross-Origin responses could be distinguished between script
 and non-script content-types
#CVE-2022-22761: frame-ancestors Content Security Policy directive was not
 enforced for framed extension pages
#CVE-2022-22762: JavaScript Dialogs could have been displayed over other
 domains on Firefox for Android
#CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
#CVE-2022-0511: Memory safety bugs fixed in Firefox 97

Revision 1.179, Thu Nov 11 16:48:04 2021 UTC (12 months, 2 weeks ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.178: +2 -1 lines

firefox: Update to 94.0.1

Changelog:
94.0.1
Fixed
* Fixed browser hangs when viewing fullscreen videos on macOS 10.12 (bug 1737998)

94.0
New
  * Colorways animated screenshot

    With 94, you'll find a selection of six fun seasonal Colorways (available
    for a limited time only). Now you can find a color to suit (or lift) your
    every mood.
    Fun fact: Did you know we have more daily users with color themes than dark
    or Alpenglow on Beta? With Firefox 89, 32% of users clicked through to
    customize their color theme. And that was just on the first day! We decided
    to introduce these new Colorways to give our users more to love.

  * Firefox macOS now uses Apple's low power mode for fullscreen video on sites
    such as YouTube and Twitch. This meaningfully extends battery life in long
    viewing sessions. Now your kids can find out what the fox says on a loop
    without you ever missing a beat.

  * With this release, power users can use about:unloads to release system
    resources by manually unloading tabs without closing them.

  * On Windows, there will now be fewer interruptions because Firefox won't
    prompt you for updates. Instead, a background agent will download and
    install updates even if Firefox is closed.

  * And on Linux, we've improved WebGL performance and reduced power
    consumption for many users.

  * To better protect all Firefox users against side-channel attacks such as
    Spectre, we're introducing Site Isolation. It will be rolled out to
    Firefox 94 users over the next few weeks. We've got your
    back...errr...side!

  * We're rolling out the Firefox Multi-Account Containers extension with
    Mozilla VPN integration. This lets you use a different server location for
    each container.

  * Firefox no longer warns you by default when you exit the browser or close a
    window using a menu, button, or three-key command. This should cut back on
    unwelcome notifications which is always nice--however, if you prefer a bit
    of notice, you'll still have full control over the quit/close modal
    behavior. All warnings can be managed within Firefox Settings. No worries!
    (More details)

  * And now, Firefox supports the new Snap Layouts menus when running on
    Windows 11.

Fixed

  * We've reduced the overhead of using performance.mark() and
    performance.measure() APIs with a large set of performance entries.

  * Plus, we've modified paint suppression during load to greatly improve
    warmload performance in Site Isolation mode.

  * You'll also notice a small reduction in Javascript memory usage.

  * With this release, you'll notice faster Javascript property enumeration as
    well.

  * We've also implemented better scheduling of garbage collection which has
    improved some pageload benchmarks.

  * This release also sees reduced CPU usage during socket polling for HTTPS
    connections.

  * Additionally, you'll notice faster storage initialization.

  * We've also improved cold startup by reducing main thread I/O.

  * Plus, closing devtools now reclaims more memory than ever before.

  * And we've improved pageload (especially with Site Isolation mode) by
    setting a higher priority for loading and displaying images.

  * Various security fixes

Enterprise

  * Enterprise users now have more control over Firefox deployments with the
    availability of our MSIX package on Windows platforms.

  * You'll also notice various bug fixes and new policies have been
    implemented in this latest version of Firefox. See more details in the
    Firefox for Enterprise 94 Release Notes.

Security fixes:
#CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
#CVE-2021-38504: Use-after-free in file picker dialog
#CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user
 data
#CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode
 without notification or warning
#CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the
 Same-Origin-Policy on services hosted on other ports
#MOZ-2021-0003: Universal XSS in Firefox for Android via QR Code URLs
#CVE-2021-38508: Permission Prompt could be overlaid, resulting in user
 confusion and potential spoofing
#MOZ-2021-0004: Web Extensions could access pre-redirect URL when their context
 menu was triggered by a user
#CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary
 domain
#CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
#MOZ-2021-0005: 'Copy Image Link' context menu action could have been abused to
 see authentication tokens
#MOZ-2021-0006: URL Parsing may incorrectly parse internationalized domains
#MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3

Revision 1.178, Thu Sep 16 16:46:24 2021 UTC (14 months, 1 week ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3
Changes since 1.177: +9 -2 lines

firefox: Install scalable icon sizes, bump PKGREVISION

Revision 1.177, Fri Aug 13 14:57:52 2021 UTC (15 months, 2 weeks ago) by ryoon
Branch: MAIN
Changes since 1.176: +8 -5775 lines

firefox: Update to 91.0

* Convert to --enable-chrome-format=omni.
  It is not necessary to modify JavaScript files to improve support recently.
* Fix build under NetBSD/i386 like lang/mozjs78.

Changelog:
New

  * Building on Total Cookie Protection, we've added a more comprehensive logic
    for clearing cookies that prevents hidden data leaks and makes it easy for
    users to understand which websites are storing local information. Learn
    more

  * Firefox now supports logging into Microsoft, work, and school accounts
    using Windows single sign-on. Learn more

  * The simplify page when printing feature is back! When printing, under More
    settings > Format select the Simplified option when available to get a
    clutter-free page. Learn more

  * HTTPS-First Policy: Firefox Private Browsing windows now attempt to make
    all connections to websites secure, and fall back to insecure connections
    only when websites do not support it. Learn more

  * We've added a new locale: Scots (sco)

  * The address bar now provides Switch to Tab results also in Private Browsing
    windows.

  * Firefox now automatically enables High Contrast Mode when "Increase
    Contrast" is checked on MacOS

  * Firefox now does catch-up paints for almost all user interactions, enabling
    a 10-20% improvement in response time to most user interactions.

Fixed

  * Various security fixes

Enterprise

  * Various bug fixes and new policies have been implemented in the latest
    version of Firefox. See more details in the Firefox for Enterprise 91
    Release Notes.

Developer

  * Developer Information

Web Platform

  * The Visual Viewport API is now supported on desktop platforms

Security fixes:
#CVE-2021-29986: Race condition when resolving DNS names could have led to
 memory corruption
#CVE-2021-29981: Live range splitting could have led to conflicting assignments
 in the JIT
#CVE-2021-29988: Memory corruption as a result of incorrect style treatment
#CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
#CVE-2021-29984: Incorrect instruction reordering during JIT optimization
#CVE-2021-29980: Uninitialized memory in a canvas object could have led to
 memory corruption
#CVE-2021-29987: Users could have been tricked into accepting unwanted
 permissions on Linux
#CVE-2021-29985: Use-after-free media channels
#CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
 type confusion
#CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
#CVE-2021-29990: Memory safety bugs fixed in Firefox 91

Revision 1.176, Tue Jul 13 14:52:22 2021 UTC (16 months, 2 weeks ago) by ryoon
Branch: MAIN
Changes since 1.175: +62 -72 lines

firefox: Update to 90.0

Changelog:
New

  * On Windows, updates can now be applied in the background while Firefox is
    not running.

  * Firefox for Windows now offers a new page about:third-party to help
    identify compatibility issues caused by third-party applications

  * Exceptions to HTTPS-Only mode can be managed in about:preferences#privacy

  * Print to PDF now produces working hyperlinks

  * Version 2 of Firefox's SmartBlock feature further improves private
    browsing. Third-party Facebook scripts are blocked to prevent you from
    being tracked, but are now automatically loaded "just in time" if you
    decide to "Log in with Facebook" on any website.

Fixed

  * Various security fixes

Changed

  * The "Open Image in New Tab" context menu item now opens images and media in
    a background tab by default. Learn more

  * Most users without hardware accelerated WebRender will now be using
    software WebRender.

  * Improved software WebRender performance

  * FTP support has been removed

Enterprise

  * Various bug fixes and new policies have been implemented in the latest
    version of Firefox. See more details in the Firefox for Enterprise 90
    Release Notes.

Developer

  * Developer Information
  * Support for Private Fields (TC39 proposal, stage 3) is available in
    DevTools. The support includes: object inspection, autocompletion,
    expression evaluation, variable tooltips, and pretty printing (bug)

  * The Network panel shows a preview of HTTP requests for fonts in the
    Response tab (bug)

    Network panel font preview screenshot

Web Platform

  * Support for Fetch Metadata Request Headers, which allows web applications
    to better protect themselves and their users against various cross-origin
    threats.

  * Added the ability to use client authentication certificates stored in
    hardware tokens or in Operating System storage.

Security fixes:
#CVE-2021-29970: Use-after-free in accessibility features of a document
#CVE-2021-29971: Granted permissions only compared host; omitting scheme and
 port on Android
#CVE-2021-30547: Out of bounds write in ANGLE
#CVE-2021-29972: Use of out-of-date library included use-after-free
 vulnerability
#CVE-2021-29973: Password autofill on HTTP websites was enabled without user
 interaction on Android
#CVE-2021-29974: HSTS errors could be overridden when network partitioning was
 enabled
#CVE-2021-29975: Text message could be overlaid on top of another website
#CVE-2021-29976: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
#CVE-2021-29977: Memory safety bugs fixed in Firefox 90

Revision 1.175, Wed Jun 30 15:09:55 2021 UTC (16 months, 4 weeks ago) by ryoon
Branch: MAIN
Changes since 1.174: +116 -109 lines

firefox: Update to 89.0.2

Changelog:
89.0.2
Fixed

  * Fix occasional hangs with Software WebRender on Linux (bug 1708224)

89.0.1
Fixed

  * Windows: Resolved an issue causing some screen readers to not interact
    correctly with Firefox anymore (bug 1714212)

  * Updated translations, including full Spanish (Mexico) localization and
    other improvements (bug 1714946)

  * Fix various font related regressions (bug 1694174)

  * Linux: Fix performance and stability regressions with WebRender (bug
    1715895, bug 1715902)

  * macOS: Fix screen flickering when scrolling a page on an external monitor
    (bug 1715452)

  * Enterprise: Fix for the DisableDeveloperTools policy not having effect
    anymore (bug 1715777)

  * Linux: Fix broken scrollbars on some GTK themes (bug 1714103)

  * Various stability and security fixes.

Security fixes:
#CVE-2021-29968: Out of bounds read when drawing text characters onto a Canvas

89.0
New

  * Say hello to a fresh new Firefox, designed to get you where you want to go
    even faster. We've redesigned and modernized the core experience to be
    cleaner, more inviting, and easier to use.

    Beginning in 89, you'll notice a number of changes, including:

    Simplified browser chrome and toolbar: Less frequently used items removed
    to focus on the most important navigation items.

    Simplified browser chrome and toolbar screenshot

    Clear, streamlined menus: Re-organized and prioritized menu content
    according to usage. Updated labels and removed iconography.

    Clear, streamlined menus screenshot

    Updated prompts: Infobars, panels, and modals have a cleaner design and
    clearer language.

    Updated prompts screenshot

    Inspired tab design: Floating tabs neatly contain information and surface
    cues when you need them, like visual indicators for audio controls. The
    rounded design of the active tab supports focus and signals the ability to
    easily move the tab as needed.

    Inspired tab design screenshot

    Fewer interruptions: Reduced number of alerts and messages, so you can
    browse with fewer distractions.

    Cohesive, calmer visuals: Lighter iconography, a refined color palette, and
    more consistent styling throughout.

    This release also includes enhancements to our privacy offerings:

      + We've enhanced the privacy of the Firefox Browser's Private Browsing
        mode with Total Cookie Protection, which confines cookies to the site
        where they were created, preventing companies from using cookies to
        track your browsing across sites. This feature was originally launched
        in Firefox's ETP Strict mode.
  * For macOS users, we're introducing the elastic overscroll effect known from
    many other applications. A gentle bouncing animation will indicate that you
    reached the end of the page.

    In addition, we added support for smart zoom. Double-tap with two fingers
    on your trackpad, or with a single finger on your Magic Mouse, to zoom the
    content below your cursor into focus.

  * Native context menus: Context menus on macOS are now native and support
    Dark Mode.

    macOS native context menus screenshot

  * WebRender is now enabled on Linux with the NVIDIA binary driver and on all
    desktop environments

Fixed

  * Colors in Firefox on macOS will no longer be saturated on wide gamut
    displays, untagged images are properly treated as sRGB, and colors in
    images tagged as sRGB will now match CSS colors.

  * In full screen mode on macOS, moving your mouse to the top of the screen
    will no longer hide your tabs behind the system menu bar.

  * Also in full screen mode on macOS, it is now possible to hide the browser
    toolbars for a fully immersive full screen experience. This brings macOS in
    line with Windows and Linux.

  * Various stability and security fixes.

Changed

  * Introducing a non-native implementation of web form controls, which
    delivers a new modern design and some improvements to page load
    performance. Watch for layout bugs in web pages that make assumptions about
    the dimensions or styling of form controls.

  * The screenshots feature is available in the right-click context menu. You
    can also add a screenshots shortcut to your toolbar. Learn more.

Security fixes:
#CVE-2021-29965: Password Manager on Firefox for Android susceptible to domain
 spoofing
#CVE-2021-29960: Filenames printed from private browsing mode incorrectly
 retained in preferences
#CVE-2021-29961: Firefox UI spoof using `<select>` elements and CSS scaling
#CVE-2021-29963: Shared cookies for search suggestions in private browsing mode
#CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
#CVE-2021-29959: Devices could be re-enabled without additional permission
 prompt
#CVE-2021-29962: No rate-limiting for popups on Firefox for Android
#CVE-2021-29967: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
#CVE-2021-29966: Memory safety bugs fixed in Firefox 89

Revision 1.174, Sat May 22 14:00:05 2021 UTC (18 months, 1 week ago) by rin
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.173: +3 -3 lines

firefox: Sort PLIST. No functional changes.

Revision 1.173, Sat May 22 13:49:16 2021 UTC (18 months, 1 week ago) by rin
Branch: MAIN
Changes since 1.172: +4 -3 lines

firefox: Fix PLIST for debug option.

Revision 1.172, Mon Apr 19 13:50:07 2021 UTC (19 months, 1 week ago) by ryoon
Branch: MAIN
Changes since 1.171: +67 -101 lines

firefox: Update to 88.0

Changelog:
New

  * PDF forms now support JavaScript embedded in PDF files. Some PDF forms use
    JavaScript for validation and other interactive features.

  * Print updates: Margin units are now localized.

  * Smooth pinch-zooming using a touchpad is now supported on Linux

  * To protect against cross-site privacy leaks, Firefox now isolates
    window.name data to the website that created it. Learn more

Fixed

  * Screen readers no longer incorrectly read content that websites have
    visually hidden, as in the case of articles in the Google Help panel.

  * Various security fixes.

Changed

  * Firefox will not prompt for access to your microphone or camera if you've
    already granted access to the same device on the same site in the same tab
    within the past 50 seconds. This new grace period reduces the number of
    times you're prompted to grant device access.

  * The "Take a Screenshot" feature was removed from the Page Actions menu in
    the url bar. To take a screenshot, right-click to open the context menu.
    You can also add a screenshots shortcut directly to your toolbar via the
    Customize menu. Open the Firefox menu and select Customize...

  * FTP support has been disabled, and its full removal is planned for an
    upcoming release. Addressing this security risk reduces the likelihood of
    an attack while also removing support for a non-encrypted protocol.

Security fixes:
#CVE-2021-23994: Out of bound write due to lazy initialization
#CVE-2021-23995: Use-after-free in Responsive Design Mode
#CVE-2021-23996: Content rendered outside of webpage viewport
#CVE-2021-23997: Use-after-free when freeing fonts from cache
#CVE-2021-23998: Secure Lock icon could have been spoofed
#CVE-2021-23999: Blob URLs may have been granted additional privileges
#CVE-2021-24000: requestPointerLock() could be applied to a tab different from
 the visible tab
#CVE-2021-24001: Testing code could have enabled session history manipulations
 by a compromised content process
#CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
 encoded URL
#CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to
 null-reads
#CVE-2021-29944: HTML injection vulnerability in Firefox for Android's Reader
 View
#CVE-2021-29946: Port blocking could be bypassed
#CVE-2021-29947: Memory safety bugs fixed in Firefox 88

Revision 1.171, Tue Mar 30 16:39:06 2021 UTC (20 months ago) by ryoon
Branch: MAIN
Changes since 1.170: +101 -114 lines

firefox: Update to 87.0

Changelog:
New

  * You'll encounter less website breakage in Private Browsing and Strict
    Enhanced Tracking Protection with SmartBlock, which provides stand-in
    scripts so that websites load properly.

  * To further protect your privacy, our new default HTTP Referrer policy will
    trim path and query string information from referrer headers to prevent
    sites from accidentally leaking sensitive user data.

  * The "Highlight All" feature on Find in Page now displays tick marks
    alongside your scrollbar that correspond to the location of matches found
    on that page.

  * We're proud to announce full support for macOS built-in screen reader,
    VoiceOver.

  * We've added a new locale: Silesian (szl)

Fixed

  * We've fixed several significant accessibility issues:

      + Video controls now have visible focus styling and video and audio
        controls are now keyboard navigable. (Bug 1681007)
      + HTML <meter> is now spoken by screen readers. (Bug 1460378)
      + Firefox now sets a useful initial focus in Add-ons Manager. (Bug 580537)
      + Firefox will now fire a name/description change event when
        aria-labelledby/describedby content changes. (Bug 493683)
  * Various security fixes.

Changed

  * To prevent user data loss when filling out forms, we've disabled the
    Backspace key as a navigation shortcut for the back navigation button. To
    re-enable the Backspace keyboard shortcut, you can change the about:config
    preference browser.backspace_action to 0. You can also use the recommended
    Alt + Left arrow (Command + Left arrow on Mac) shortcut instead.
    Firefox keyboard shortcuts

  * We've removed items from the Library menu that weren't used often or have
    other access points in the browser: Synced tabs, Recent highlights, and
    Pocket list.

  * We've simplified the Help menu by reducing redundant items, such as those
    that point to Firefox support pages that can also be accessed via the Get
    Help item.

Enterprise

  * Various bug fixes and new policies have been implemented in the latest
    version of Firefox. You can see more details in the Firefox for Enterprise
    87 Release Notes.

Developer

  * Developer Information
  * We've greatly simplified the Web Developer menu. Go to Application Menu >
    Web Developer > Web Developer Tools to access Inspector, Web Console,
    Debugger, Network Style Error, Performance, Storage Inspector,
    Accessibility, and Application

  * Developers can now use the Page Inspector to simulate prefers-color-scheme
    media queries, without having to change the operating system to light or
    dark mode.

  * Developers can now use the Page Inspector to toggle the :target
    pseudo-class for the currently selected element in addition to the
    pseudo-classes that were previously supported: :hover, :active and :focus,
    :focus-within, :focus-visible, and :visited.

  * There is a number of Page Inspector improvements and bug fixes related to
    inactive CSS rules:

      + The table-layout property is now marked as inactive for non-table
        elements.
      + The scroll-padding properties (shorthand and longhand) are now marked
        as inactive for non-scrollable elements.
      + The text-overflow property was previously incorrectly marked as
        inactive for some overflow values.

Security fixes:
#CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an
 out-of-bound read
#CVE-2021-23982: Internal network hosts could have been probed by a malicious
 webpage
#CVE-2021-23983: Transitions for invalid ::marker properties resulted in memory
 corruption
#CVE-2021-23984: Malicious extensions could have spoofed popup information
#CVE-2021-23985: Devtools remote debugging feature could have been enabled
 without indication to the user
#CVE-2021-23986: A malicious extension could have performed credential-less
 same origin policy violations
#CVE-2021-23987: Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
#CVE-2021-23988: Memory safety bugs fixed in Firefox 87

Revision 1.170, Tue Feb 23 17:02:04 2021 UTC (21 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.169: +81 -51 lines

firefox: Update to 86.0

Changelog:
New

  * Firefox now supports simultaneously watching multiple videos in
    Picture-in-Picture.

  * Today, Firefox introduces Total Cookie Protection to Strict Mode. In Total
    Cookie Protection, every website gets its own "cookie jar," preventing
    cookies from being used to track you from site to site.

  * We've improved our Print functionality with a cleaner design and better
    integration with your computer's printer settings.

  * For Firefox users in Canada, credit card management and auto-fill are now
    enabled.

  * Notable performance and stability improvements are achieved by moving
    canvas drawing and WebGL drawing to the GPU process.

Fixed

  * Reader mode now works with local HTML pages.

  * Using screen reader quick navigation to move to editable text controls no
    longer incorrectly reaches non-editable cells in some grids such as on
    messenger.com.

  * The Orca screen reader's mouse review feature now works correctly after
    switching tabs in Firefox.

  * Screen readers no longer report column headers incorrectly in tables
    containing cells spanning multiple columns.

  * Links in Reader View now have more color contrast.

  * Various security fixes.

Changed

  * On Linux and Android, the protection to mitigate the stack clash attack has
    been activated.

  * From Firefox 86 onward, DTLS 1.0 is no longer supported for establishing
    WebRTC's PeerConnections. All WebRTC services need to support DTLS 1.2 from
    now on as the minimum version.

  * Consolidated all video decoding in the new RDD process which results in a
    more secure Firefox.

Enterprise

  * Various bug fixes and new policies have been implemented in the latest
    version of Firefox. You can see more details in the Firefox for Enterprise
    86 Release Notes.

Developer

  * Developer Information
  * CSS image-set() function in CSS is now enabled, allowing for responsive
    images in CSS.

  * Inactive CSS tool is now showing a warning when margin or padding is set on
    internal table elements.

  * Developer Tools Toolbox is now showing a number of errors on the current
    page. This is a quick way to surface information to a developer that
    something is wrong with their page. Clicking on the red exclamation icon
    navigates the user to the Console panel.

Security fixes:
#CVE-2021-23969: Content Security Policy violation report could have contained
the destination of a redirect
#CVE-2021-23970: Multithreaded WASM triggered assertions validating separation
of script domains
#CVE-2021-23968: Content Security Policy violation report could have contained
the destination of a redirect
#CVE-2021-23974: noscript elements could have led to an HTML Sanitizer bypass
#CVE-2021-23971: A website's Referrer-Policy could have been overridden,
potentially resulting in the full URL being sent as a Referrer
#CVE-2021-23976: Local spoofing of web manifests for arbitrary pages in Firefox
for Android
#CVE-2021-23977: Malicious application could read sensitive data from Firefox
for Android's application directories
#CVE-2021-23972: HTTP Auth phishing warning was omitted when a redirect is
cached
#CVE-2021-23975: about:memory Measure function caused an incorrect pointer
operation
#CVE-2021-23973: MediaError message property could have leaked information
about cross-origin resources
#CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
#CVE-2021-23979: Memory safety bugs fixed in Firefox 86

Revision 1.169, Tue Jan 26 15:02:55 2021 UTC (22 months ago) by ryoon
Branch: MAIN
Changes since 1.168: +47 -34 lines

firefox: Update to 85.0

Changelog:
New

  * Firefox now protects you from supercookies, a type of tracker that can stay
    hidden in your browser and track you online, even after you clear cookies.
    By isolating supercookies, Firefox prevents them from tracking your web
    browsing from one site to the next.

  * It's easier than ever to save and access your bookmarks. Firefox now
    remembers your preferred location for saved bookmarks, displays the
    bookmarks toolbar by default on new tabs, and gives you easy access to all
    of your bookmarks via a toolbar folder.

  * The password manager now allows you to remove all of your saved logins with
    one click, as opposed to having to delete each login individually.

Fixed

  * Various security fixes.


Changed

  * Firefox no longer supports Adobe Flash. There is no setting available to
    re-enable Flash support.


Enterprise

  * Various bug fixes and new policies have been implemented in the latest
    version of Firefox. You can see more details in the Firefox for Enterprise
    85 Release Notes.


Developer

  * Developer Information
  * CSS: We have added support for the :focus-visible pseudo class.

  * It's possible to prettify JS expressions in Console source code Editor
    (available in multiline mode) using a new toolbar button.

Security fixes:
#CVE-2021-23953: Cross-origin information leakage via redirected PDF requests
#CVE-2021-23954: Type confusion when using logical assignment operators in
 JavaScript switch statements
#CVE-2021-23955: Clickjacking across tabs through misusing requestPointerLock
#CVE-2021-23956: File picker dialog could have been used to disclose a complete
 directory
#CVE-2021-23957: Iframe sandbox could have been bypassed on Android via the
 intent URL scheme
#CVE-2021-23958: Screen sharing permission leaked across tabs
#CVE-2021-23959: Cross-Site Scripting in error pages on Firefox for Android
#CVE-2021-23960: Use-after-poison for incorrectly redeclared JavaScript
 variables during GC
#CVE-2021-23961: More internal network hosts could have been probed by a
malicious webpage
#CVE-2021-23962: Use-after-poison in nsTreeBodyFrame::RowCountChanged
#CVE-2021-23963: Permission prompt inaccessible after asking for additional
 permissions
#CVE-2021-23964: Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7
#CVE-2021-23965: Memory safety bugs fixed in Firefox 85

Revision 1.168, Fri Jan 1 12:52:16 2021 UTC (22 months, 3 weeks ago) by ryoon
Branch: MAIN
Changes since 1.167: +2 -1 lines

firefox: Update to 84.0.1

Changelog:
Fixed

  * Fixed problems loading secure websites and crashes for users with certain
    third-party PKCS11 modules and smartcards installed (bug 1682881).

  * Fixed slower than expected performance and flickering on Canvas elements
    for some Windows users (bug 1683116).

  * Fixed a bug causing some Unity JS games to not load on Apple Silicon
    devices due to improper detection of the OS version (bug 1680516).

  * Fixed crashes caused by various third-party antivirus software.

Revision 1.167, Thu Dec 17 09:53:15 2020 UTC (23 months, 1 week ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.166: +91 -151 lines

firefox: Update to 84.0

Changelog:
New

  * Native support for macOS devices built with Apple Silicon CPUs brings
    dramatic performance improvements over the non-native build that was
    shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps
    are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a
    new Apple device, follow these steps to upgrade to the latest Firefox.

  * WebRender rolls out to MacOS Big Sur, Windows devices with Intel Gen 6
    GPUs, and Intel laptops running Windows 7 and 8. Additionally we'll ship an
    accelerated rendering pipeline for Linux/GNOME/X11 users for the first
    time, ever!

  * Firefox now uses more modern techniques for allocating shared memory on
    Linux, improving performance and increasing compatibility with Docker.

  * Firefox 84 is the final release to support Adobe Flash.


Fixed

  * Various security fixes

#CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory
to be exposed
#CVE-2020-26971: Heap buffer overflow in WebGL
#CVE-2020-26972: Use-After-Free in WebGL
#CVE-2020-26973: CSS Sanitizer performed incorrect sanitization
#CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
#CVE-2020-26975: Malicious applications on Android could have induced Firefox
for Android into sending arbitrary attacker-specified headers
#CVE-2020-26976: HTTPS pages could have been intercepted by a registered
service worker when they should not have been
#CVE-2020-26977: URL spoofing via unresponsive port in Firefox for Android
#CVE-2020-26978: Internal network hosts could have been probed by a malicious
webpage
#CVE-2020-26979: When entering an address in the address or search bars, a
website could have redirected the user before they were navigated to the
intended url
#CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs
#CVE-2020-35112: Opening an extension-less download may have inadvertently
launched an executable instead
#CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

Revision 1.166, Tue Nov 17 16:11:06 2020 UTC (2 years ago) by ryoon
Branch: MAIN
Changes since 1.165: +84 -53 lines

firefox: Update to 83.0

Changelog:
Version 83.0, first offered to Release channel users on November 17, 2020

New

  * Firefox keeps getting faster as a result of significant updates to
    SpiderMonkey, our JavaScript engine, you will now experience improved page
    load performance by up to 15%, page responsiveness by up to 12%, and
    reduced memory usage by up to 8%. We have replaced part of the JavaScript
    engine that helps to compile and display websites for you, improving
    security and maintainability of the engine at the same time.

  * Firefox introduces HTTPS-Only Mode. When enabled, this new mode ensures
    that every connection Firefox makes to the web is secure and alerts you
    when a secure connection is not available. You can enable it in Firefox
    Preferences.

  * Pinch zooming will now be supported for our users with Windows touchscreen
    devices and touchpads on Mac devices. Firefox users may now use pinch to
    zoom on touch-capable devices to zoom in and out of webpages.

  * Picture-in-Picture now supports keyboard shortcuts for fast forwarding and
    rewinding videos: use the arrow keys to move forward and back 15 seconds,
    along with volume controls. For a list of supported commands see Support
    Mozilla

  * When you are presenting your screen on a video conference in Firefox, you
    will see our improved user interface that makes it clearer which devices or
    displays are being shared.

  * We've improved functionality and design for a number of Firefox search
    features:

      + Selecting a search engine at the bottom of the search panel now enters
        search mode for that engine, allowing you to see suggestions (if
        available) for your search terms. The old behavior (immediately
        performing a search) is available with a shift-click.
      + When Firefox autocompletes the URL of one of your search engines, you
        can now search with that engine directly in the address bar by
        selecting the shortcut in the address bar results.
      + We've added buttons at the bottom of the search panel to allow you to
        search your bookmarks, open tabs, and history.
  * Firefox supports AcroForm, which will allow you to fill in, print, and save
    supported PDF forms and the PDF viewer also has a new fresh look.

  * Our users in India on the English build of Firefox will now see Pocket
    recommendations in their new tab featuring some of the best stories on the
    web. If you don't see them, you can turn on Pocket articles in your new
    tab by following these steps.

  * For the recently released Apple devices built with Apple Silicon CPUs, you
    can use Firefox 83 and future releases without any change. This release
    (83) will support emulation under Apple's Rosetta 2 that ships with macOS
    Big Sur. We are working toward Firefox being natively-compiled for these
    CPUs in a future release.

  * This is a major release for WebRender as we roll out to more Firefox users
    on Windows 7 and 8 as well as on macOS 10.12 to 10.15.

Fixed

  * This release also includes a number of accessibility fixes:

      + Screen reader features which report paragraphs now correctly report
        paragraphs instead of lines in Google Docs
      + When reading by word using a screen reader, words are now correctly
        reported when there is punctuation nearby
      + The arrow keys now work correctly after tabbing in the
        picture-in-picture window
  * For users on macOS restoring a session with minimized windows, Firefox now
    uses much less power and you should see much longer battery life.

  * Various security fixes

Security fixes:
#CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
#CVE-2020-26952: Out of memory handling of JITed, inlined functions could lead to a memory corruption
#CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
#CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
#CVE-2020-26954: Local spoofing of web manifests for arbitrary pages in Firefox for Android
#CVE-2020-26955: Cookies set during file downloads are shared between normal and Private Browsing Mode in Firefox for Android
#CVE-2020-26956: XSS through paste (manual and clipboard API)
#CVE-2020-26957: OneCRL was not working in Firefox for Android
#CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
#CVE-2020-26959: Use-after-free in WebRequestService
#CVE-2020-26960: Potential use-after-free in uses of nsTArray
#CVE-2020-15999: Heap buffer overflow in freetype
#CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
#CVE-2020-26962: Cross-origin iframes supported login autofill
#CVE-2020-26963: History and Location interfaces could have been used to hang the browser
#CVE-2020-26964: Firefox for Android's Remote Debugging via USB could have been abused by untrusted apps on older versions of Android
#CVE-2020-26965: Software keyboards may have remembered typed passwords
#CVE-2020-26966: Single-word search queries were also broadcast to local network
#CVE-2020-26967: Mutation Observers could break or confuse Firefox Screenshots feature
#CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
#CVE-2020-26969: Memory safety bugs fixed in Firefox 83

Revision 1.163.2.1, Thu Oct 29 12:18:54 2020 UTC (2 years, 1 month ago) by spz
Branch: pkgsrc-2020Q3
Changes since 1.163: +398 -333 lines

Pullup ticket #6356 - requested by maya
www/firefox: security update
www/firefox-l10n: security update

Revisions pulled up:
- www/firefox-l10n/Makefile                                     1.186-1.191
- www/firefox-l10n/PLIST                                        1.67
- www/firefox-l10n/distinfo                                     1.168-1.173
- www/firefox/Makefile                                          1.448-1.453
- www/firefox/PLIST                                             1.164-1.165
- www/firefox/distinfo                                          1.411-1.418
- www/firefox/mozilla-common.mk                                 1.181-1.182
- www/firefox/patches/patch-build_moz.configure_rust.configure  1.7
- www/firefox/patches/patch-config_makefiles_rust.mk            1.5
- www/firefox/patches/patch-js_src_jit_arm64_vixl_MozCpu-vixl.cpp 1.1
- www/firefox/patches/patch-js_src_jsfriendapi.h                1.3
- www/firefox/patches/patch-race_recurse.mk                     1.1
- www/firefox/patches/patch-third__party_rust_getrandom_src_lib.rs deleted
- www/firefox/patches/patch-third__party_rust_libc_src_unix_bsd_netbsdlike_netbsd_mod.rs deleted

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Mon Sep 28 13:30:01 UTC 2020

   Modified Files:
           pkgsrc/www/firefox: Makefile PLIST distinfo
           pkgsrc/www/firefox/patches: patch-config_makefiles_rust.mk
               patch-js_src_jsfriendapi.h
   Removed Files:
           pkgsrc/www/firefox/patches:
               patch-third__party_rust_getrandom_src_lib.rs
               patch-third__party_rust_libc_src_unix_bsd_netbsdlike_netbsd_mod.rs

   Log Message:
   firefox: Update to 81.0

   Changelog:
   September 22, 2020

   Version 81.0, first offered to Release channel users on September 22, 2020

   We'd like to extend a special thank you to all of the new Mozillians who
   contributed to this release of Firefox.

   New

     * You can pause and play audio or video in Firefox right from your keyboard
       or headset, giving you easy access to control your media when in another
       Firefox tab, another program, or even when your computer is locked.

     * In addition to our default, dark and light themes, with this release,
       Firefox introduces the Alpenglow theme: a colorful appearance for buttons,
       menus, and windows. You can update your Firefox themes under settings or
       preferences.

     * For our users in the US and Canada, Firefox can now save, manage, and
       auto-fill credit card information for you, making shopping on Firefox ever
       more convenient. To ensure the smoothest experience, this will be rolling
       out to users gradually.

     * Firefox supports AcroForm, which will soon allow you to fill in, print, and
       save supported PDF forms and the PDF viewer also has a new fresh look.

     * Our users in Austria, Belgium and Switzerland using the German version of
       Firefox will now see Pocket recommendations in their new tab featuring some
       of the best stories on the web. If you don't see them, you can turn on
       Pocket articles in your new tab by following these steps. In addition to
       Firefox's new tab, Pocket is also available as an app on iOS and Android.

   Fixed

     * Various security fixes.

     * We've fixed a bug for users of language packs where the default language
       was reset to English after Firefox updates.

     * Browser native HTML5 audio/video controls received several important
       accessibility fixes:

         + Audio/video controls remain accessible to screen readers even when they
           are temporarily hidden visually.
         + Audio/video elapsed and total time are now accessible to screen readers
           where they weren't previously.
         + Various unlabelled controls are now labelled making them identifiable
           to screen readers.
         + Screen readers no longer intrusively report progress information unless
           the user requests it.

   Changed

     * You will soon find Picture-in-Picture more easily on all the videos you
       watch with new iconography.

     * The bookmarks toolbar is now automatically revealed once bookmarks are
       imported into Firefox, making it easier to find your most important
       websites.

     * We have expanded our supported file types - .xml, .svg, and .webp - so
       files you've downloaded can be opened right in Firefox.

   Security fixes:
   #CVE-2020-15675: Use-After-Free in WebGL
   #CVE-2020-15677: Download origin spoofing via redirect
   #CVE-2020-15676: XSS when pasting attacker-controlled data into a
   contenteditable element
   #CVE-2020-15678: When recursing through layers while scrolling, an iterator may
   have become invalid, resulting in a potential use-after-free scenario
   #CVE-2020-15673: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
   corruption and we presume that with enough effort some of these could have been
   exploited to run arbitrary code.
   #CVE-2020-15674: Memory safety bugs fixed in Firefox 81


   To generate a diff of this commit:
   cvs rdiff -u -r1.447 -r1.448 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.163 -r1.164 pkgsrc/www/firefox/PLIST
   cvs rdiff -u -r1.410 -r1.411 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.4 -r1.5 \
       pkgsrc/www/firefox/patches/patch-config_makefiles_rust.mk
   cvs rdiff -u -r1.2 -r1.3 \
       pkgsrc/www/firefox/patches/patch-js_src_jsfriendapi.h
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/www/firefox/patches/patch-third__party_rust_getrandom_src_lib.rs
   cvs rdiff -u -r1.3 -r0 \
       pkgsrc/www/firefox/patches/patch-third__party_rust_libc_src_unix_bsd_netbsdlike_netbsd_mod.rs

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Mon Sep 28 13:31:02 UTC 2020

   Modified Files:
           pkgsrc/www/firefox-l10n: Makefile PLIST distinfo

   Log Message:
   firefox-l10n: Update to 81.0

   * Add ur locale.
   * Sync with www/firefox-81.0.


   To generate a diff of this commit:
   cvs rdiff -u -r1.185 -r1.186 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.66 -r1.67 pkgsrc/www/firefox-l10n/PLIST
   cvs rdiff -u -r1.167 -r1.168 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Tue Sep 29 23:20:23 UTC 2020

   Modified Files:
           pkgsrc/www/firefox: mozilla-common.mk

   Log Message:
   firefox: 81.0 requires nss >= 3.56


   To generate a diff of this commit:
   cvs rdiff -u -r1.180 -r1.181 pkgsrc/www/firefox/mozilla-common.mk

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Fri Oct  2 15:44:16 UTC 2020

   Modified Files:
           pkgsrc/www/firefox: Makefile distinfo

   Log Message:
   firefox: Update to 81.0.1

   Changelog:
   Fixed

       Fixed missing content on Blackboard course listings (bug 1665447)

       Resolved incorrect scaling of Flash content on HiDPI macOS
       systems (bug 1667267)

       Fixes for various printing issues (bug 1667342, bug 1667510,
       bug 1667723)

       Fixed legacy preferences not being properly applied when set
       via GPO (bug 1666836)

       Fixed Picture-in-Picture controls being visible on audio-only
       page elements (bug 1666775)

       Fixed high memory growth with addons such as Disconnect installed,
       causing browser responsiveness issues over time (bug 1658571)

       Various stability improvements (bug 1661485, bug 1664542, bug
       1664843)


   To generate a diff of this commit:
   cvs rdiff -u -r1.448 -r1.449 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.411 -r1.412 pkgsrc/www/firefox/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Fri Oct  2 15:45:25 UTC 2020

   Modified Files:
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   firefox-l10n: Update to 81.0.1

   * Sync with www/firefox-81.0.1.


   To generate a diff of this commit:
   cvs rdiff -u -r1.186 -r1.187 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.168 -r1.169 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Mon Oct 12 23:45:35 UTC 2020

   Modified Files:
           pkgsrc/www/firefox: Makefile distinfo
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   firefox{,-l10n}: Update to 81.0.2

   Release notes not available yet.


   To generate a diff of this commit:
   cvs rdiff -u -r1.449 -r1.450 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.412 -r1.413 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.187 -r1.188 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.169 -r1.170 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Tue Oct 20 20:15:30 UTC 2020

   Modified Files:
           pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk
           pkgsrc/www/firefox-l10n: Makefile distinfo
           pkgsrc/www/firefox/patches: patch-build_moz.configure_rust.configure

   Log Message:
   firefox{,-l10n}: Update to 82.0

   New:

   With this release, Firefox introduces a number of improvements that make watching videos more delightful:

       the Picture-In-Picture button has a new look and position, making it easier for you to find and use the feature.
       Picture-In-Picture now has a keyboard shortcut for Mac users (Option + Command + Shift + Right bracket) that works before you start playing the video.
       For Windows users, Firefox now uses DirectComposition for hardware decoded video, which will improve CPU and GPU usage during video playback, improving battery life.

   Firefox is faster than ever with improved performance on both page loads and start up time:

       Websites that use flexbox-based layouts load 20% faster than before;
       Restoring a session is 17% quicker, meaning you can more quickly pick up where you left off;
       For Windows users, opening new windows got quicker by 10%.

   You can now explore new articles when you save a webpage to Pocket from the Firefox toolbar.

   WebRender continues to roll out to more Firefox users on Windows.

   Fixed:

   Screen reader features which report paragraphs now correctly report paragraphs in Firefox instead of lines.

   Various security fixes.


   To generate a diff of this commit:
   cvs rdiff -u -r1.450 -r1.451 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.164 -r1.165 pkgsrc/www/firefox/PLIST
   cvs rdiff -u -r1.413 -r1.414 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.181 -r1.182 pkgsrc/www/firefox/mozilla-common.mk
   cvs rdiff -u -r1.188 -r1.189 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.170 -r1.171 pkgsrc/www/firefox-l10n/distinfo
   cvs rdiff -u -r1.6 -r1.7 \
       pkgsrc/www/firefox/patches/patch-build_moz.configure_rust.configure

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tnn
   Date:           Fri Oct 23 12:37:14 UTC 2020

   Modified Files:
           pkgsrc/www/firefox: distinfo
   Added Files:
           pkgsrc/www/firefox/patches: patch-js_src_jit_arm64_vixl_MozCpu-vixl.cpp

   Log Message:
   firefox: NetBSD/aarch64 build fix


   To generate a diff of this commit:
   cvs rdiff -u -r1.414 -r1.415 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r0 -r1.1 \
       pkgsrc/www/firefox/patches/patch-js_src_jit_arm64_vixl_MozCpu-vixl.cpp

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Mon Oct 26 21:20:59 UTC 2020

   Modified Files:
           pkgsrc/www/firefox: distinfo
   Added Files:
           pkgsrc/www/firefox/patches: patch-race_recurse.mk

   Log Message:
   firefox: backport upstream patch to fix a build race. This appears as
   libmozgtk.so missing as well as the symbols it contains.

   This affects pkgsrc-stable as well.


   To generate a diff of this commit:
   cvs rdiff -u -r1.415 -r1.416 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/www/firefox/patches/patch-race_recurse.mk

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Tue Oct 27 16:59:00 UTC 2020

   Modified Files:
           pkgsrc/www/firefox: Makefile distinfo
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   firefox{,-l10n}: update to 82.0.1

   Avoid an unnecessary prompt to reboot when using the full installer on Windows (bug 1671715)

   Restored the ability to print on paper whose width or height is larger than 100 inches, e.g. for receipts (bug 1672370)

   Fixed printing of documents with margins of zero, e.g. some PDFs (bug 1672529)

   Fixed handling of the WebDriver:ClickElement command in the marionette testing framework (bug 1666755)

   Stability fix (bug 1660539)


   To generate a diff of this commit:
   cvs rdiff -u -r1.451 -r1.452 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.416 -r1.417 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.189 -r1.190 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.171 -r1.172 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Wed Oct 28 15:34:41 UTC 2020

   Modified Files:
           pkgsrc/www/firefox: Makefile distinfo
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   firefox{,-l10n}: Update to 82.0.2

   Fixed duplication of WebSocket messages in certain cases (bug 1673340)


   To generate a diff of this commit:
   cvs rdiff -u -r1.452 -r1.453 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.417 -r1.418 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.190 -r1.191 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.172 -r1.173 pkgsrc/www/firefox-l10n/distinfo

Revision 1.165, Tue Oct 20 20:15:29 2020 UTC (2 years, 1 month ago) by maya
Branch: MAIN
Changes since 1.164: +266 -259 lines

firefox{,-l10n}: Update to 82.0

New:

With this release, Firefox introduces a number of improvements that make watching videos more delightful:

    the Picture-In-Picture button has a new look and position, making it easier for you to find and use the feature.
    Picture-In-Picture now has a keyboard shortcut for Mac users (Option + Command + Shift + Right bracket) that works before you start playing the video.
    For Windows users, Firefox now uses DirectComposition for hardware decoded video, which will improve CPU and GPU usage during video playback, improving battery life.


Firefox is faster than ever with improved performance on both page loads and start up time:

    Websites that use flexbox-based layouts load 20% faster than before;
    Restoring a session is 17% quicker, meaning you can more quickly pick up where you left off;
    For Windows users, opening new windows got quicker by 10%.

You can now explore new articles when you save a webpage to Pocket from the Firefox toolbar.

WebRender continues to roll out to more Firefox users on Windows.

Fixed:

Screen reader features which report paragraphs now correctly report paragraphs in Firefox instead of lines.

Various security fixes.

Revision 1.164, Mon Sep 28 13:30:01 2020 UTC (2 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.163: +143 -85 lines

firefox: Update to 81.0

Changelog:
September 22, 2020

Version 81.0, first offered to Release channel users on September 22, 2020

We'd like to extend a special thank you to all of the new Mozillians who
contributed to this release of Firefox.

New

  * You can pause and play audio or video in Firefox right from your keyboard
    or headset, giving you easy access to control your media when in another
    Firefox tab, another program, or even when your computer is locked.

  * In addition to our default, dark and light themes, with this release,
    Firefox introduces the Alpenglow theme: a colorful appearance for buttons,
    menus, and windows. You can update your Firefox themes under settings or
    preferences.

  * For our users in the US and Canada, Firefox can now save, manage, and
    auto-fill credit card information for you, making shopping on Firefox ever
    more convenient. To ensure the smoothest experience, this will be rolling
    out to users gradually.

  * Firefox supports AcroForm, which will soon allow you to fill in, print, and
    save supported PDF forms and the PDF viewer also has a new fresh look.

  * Our users in Austria, Belgium and Switzerland using the German version of
    Firefox will now see Pocket recommendations in their new tab featuring some
    of the best stories on the web. If you don't see them, you can turn on
    Pocket articles in your new tab by following these steps. In addition to
    Firefox's new tab, Pocket is also available as an app on iOS and Android.

Fixed

  * Various security fixes.

  * We've fixed a bug for users of language packs where the default language
    was reset to English after Firefox updates.

  * Browser native HTML5 audio/video controls received several important
    accessibility fixes:

      + Audio/video controls remain accessible to screen readers even when they
        are temporarily hidden visually.
      + Audio/video elapsed and total time are now accessible to screen readers
        where they weren't previously.
      + Various unlabelled controls are now labelled making them identifiable
        to screen readers.
      + Screen readers no longer intrusively report progress information unless
        the user requests it.

Changed

  * You will soon find Picture-in-Picture more easily on all the videos you
    watch with new iconography.

  * The bookmarks toolbar is now automatically revealed once bookmarks are
    imported into Firefox, making it easier to find your most important
    websites.

  * We have expanded our supported file types - .xml, .svg, and .webp - so
    files you've downloaded can be opened right in Firefox.

Security fixes:
#CVE-2020-15675: Use-After-Free in WebGL
#CVE-2020-15677: Download origin spoofing via redirect
#CVE-2020-15676: XSS when pasting attacker-controlled data into a
contenteditable element
#CVE-2020-15678: When recursing through layers while scrolling, an iterator may
have become invalid, resulting in a potential use-after-free scenario
#CVE-2020-15673: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code.
#CVE-2020-15674: Memory safety bugs fixed in Firefox 81

Revision 1.163 / (download) - annotate - [select for diffs], Tue Aug 25 14:35:24 2020 UTC (2 years, 3 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base
Branch point for: pkgsrc-2020Q3
Changes since 1.162: +449 -428 lines
Diff to previous 1.162 (colored)

firefox: Update to 80.0

Changelog:
New
    Firefox can now be set as the default system PDF viewer.

    The name reported by accessibility tools for items in multi-tiered
    tree controls no longer incorrectly includes information from
    items at deeper levels, providing users with the correct level
    of content when using a screen reader.

Fixed
    Various security fixes.

    Several crashes while using a screen reader were fixed including
    a frequently encountered crash when using the JAWS screen
    reader.

    Firefox Developer Tools received significant fixes allowing
    screen reader users to benefit from some of the tools that were
    previously inaccessible.

    SVG title and desc elements (labels and descriptions) are now
    correctly exposed to assistive technology products such as
    screen readers.

Changed
    For users with reduced motion settings, we've reduced a number
    of animations such as tab loading to reduce motion for users
    with migraines and epilepsy.

    The new add-ons blocklist has been enabled to improve performance
    and scalability.

Enterprise
    A number of bug fixes and new policies have been implemented
    in the latest version of Firefox. You can see more details in
    the Firefox for Enterprise 80 Release Notes.

    Today's release is the final scheduled for Firefox 68 ESR
    (68.12) unless there is a critical security issue found prior
    to the release of Firefox ESR 78.3 on September 22, 2020. Users
    of Firefox 68 ESR will be automatically upgraded to the Firefox
    78 ESR series with the release of 78.3.

Developer
    We've shipped an experimental sidebar panel in the inspector
    to Firefox Developer Edition that helps developers more quickly
    identify potential browser compatibility problems based on MDN
    data.

    In the Network Monitor request list, a turtle icon is shown
    for "slow" requests that exceed a threshold for the waiting
    time.

    Firefox now supports RTX and Transport-cc for improved call
    quality in poor network conditions and better bandwidth
    estimation. These features also provide better compatibility
    with many websites using WebRTC.

Security fixes:
#CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
#CVE-2020-15664: Attacker-induced prompt for extension installation
#CVE-2020-12401: Timing-attack on ECDSA signature generation
#CVE-2020-6829: P-384 and P-521 vulnerable to an electro-magnetic side channel attack on signature generation
#CVE-2020-12400: P-384 and P-521 vulnerable to a side channel attack on modular inversion
#CVE-2020-15665: Address bar not reset when choosing to stay on a page after the beforeunload dialog is shown
#CVE-2020-15666: MediaError message property leaks cross-origin response status
#CVE-2020-15667: Heap overflow when processing an update file
#CVE-2020-15668: Data Race when reading certificate information
#CVE-2020-15670: Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2

Revision 1.162 / (download) - annotate - [select for diffs], Fri Jul 31 01:26:43 2020 UTC (2 years, 3 months ago) by maya
Branch: MAIN
Changes since 1.161: +87 -70 lines
Diff to previous 1.161 (colored)

firefox: update to 79.0

New

    We've rolled out WebRender to more Windows users with Intel and AMD GPUs, bringing improved graphics performance to an even larger audience.

    Firefox users in Germany will now see more Pocket recommendations in their new tab featuring some of the best stories on the web. If you don't see them, you can turn on Pocket articles in your new tab by following these steps.

Fixed

    Various security fixes.

    Several crashes while using a screen reader were fixed, including a frequently encountered crash when using the JAWS screen reader.

    Firefox Developer Tools received significant fixes allowing screen reader users to benefit from some of the tools that were previously inaccessible.

    SVG title and desc elements (labels and descriptions) are now correctly exposed to assistive technology products such as screen readers.

Enterprise

    A number of bug fixes and new policies have been implemented in the latest version of Firefox. You can see more details in the Firefox for Enterprise 79 Release Notes.

    Updates to the password policy allow admins to require a primary password (formerly called master password). Previously the policy could disable the primary password but not force a primary password. Users required to use a primary password will only be asked to create a primary password the first time they try to save a password.

Developer

    Developer Information

    Newly added asynchronous call stacks let developers trace their async code through events, timeouts, and promises. The async execution chains are shown in the Debugger's call stack, but also for stack traces in Console errors and Network initiators.

    Erroneous network responses with 4xx/5xx status codes display as errors in the Console, making it easy to understand them in the context of related logs. The request/response details can be expanded or resent for quick debugging.

    JavaScript errors are now visible not only in the Console, but also in the Debugger. The relevant line of code will be highlighted and display error details on hover.

    Opening SCSS and CSS-in-JS sources from the Inspector now works more reliably thanks to improved source map handling across all panels.

    Inspecting accessibility properties from the browser context menu is now available to all users by default.

Revision 1.161 / (download) - annotate - [select for diffs], Wed Jul 1 13:01:01 2020 UTC (2 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.160: +64 -22 lines
Diff to previous 1.160 (colored)

firefox: Update to 78.0

* Some dependency changes.
* Wayland and webcam may not work.

Changelog:  New

    The Protections Dashboard includes consolidated reports about
    tracking protection, data breaches, and password management.
    New features let you:

	Track how many breaches you've resolved right from the
	dashboard

	See if any of your saved passwords may have been exposed
	in a data breach

    To view your dashboard, type about:protections into the address
    bar, or select "Protections Dashboard" from the main menu.

    Because we know people try to fix problems by reinstalling
    Firefox when a simple refresh is more likely to solve the issue,
    we've added a Refresh button to the Uninstaller.

    With this release, your screen saver will no longer interrupt
    WebRTC calls on Firefox, making conference and video calling
    in Firefox better.

    We've rolled out WebRender to Windows users with Intel GPUs,
    bringing improved graphics performance to an even larger
    audience.

    Firefox 78 is also our Extended Support Release (ESR), where
    the changes made over the course of the previous 10 releases
    will now roll out to our ESR users. Some of the highlights are:

	Kiosk mode

	Client certificates

	Service Worker and Push APIs are now enabled

	The Block Autoplay feature is enabled

	Picture-in-picture support

	View and manage web certificates in about:certificate

    Pocket recommendations, featuring some of the best stories on
    the web, will now appear on the Firefox new tab for 100% of
    our users in the UK. If you don't see them, you can turn on
    Pocket articles in your new tab, follow these steps.

Fixed

    Various security fixes.

    We fixed bugs in the search results quality composition and
    improved search result texts based on recommendations by our
    partners.

Changed

    The minimal system requirements on Linux have been updated.
    Firefox now needs GNU libc 2.17, libstdc++ 4.8.1 and GTK+ 3.14
    or newer versions.

    As part of our ongoing effort to deprecate obsolete cryptography,
    we have disabled all remaining DHE-based TLS ciphersuites by
    default.

	To mitigate web compatibility issues from disabling DHE-based
	TLS ciphersuites, Firefox 78 enables two more AES-GCM
	SHA2-based ciphersuites.

    We have disabled TLS 1.0 and TLS 1.1 to improve your website
    connections. Sites that don't support TLS version 1.2 will now
    show an error page.

    The context menu (accessed by right clicking on a tab) lets
    you undo multiple tab closings with a single click and places
    Close Tabs to the Right and Close Other Tabs in a submenu.

    A number of accessibility improvements have been made with this
    release.

	When using the JAWS screen reader, pressing the down arrow
	in an HTML input control with a datalist no longer incorrectly
	moves the cursor to the next element after the input control.

	Screen readers no longer severely lag or freeze when focusing
	the microphone/camera/screen sharing indicator.

	Large tables with thousands of rows now load much faster
	for screen reader users.

	Text input controls with custom styling now correctly show
	the focus outline when appropriate.

	Screen readers no longer sometimes incorrectly switch to
	document browsing mode unexpectedly when the user enters
	the main Developer Tools window.

	We reduced a number of animations such as tab hover, search
	bar expansion, and others to reduce motion for users with
	migraines and epilepsy.

Enterprise

    Enable support for client certificates stored on macOS and
    Windows by setting the experimental preference
    security.osclientcerts.autoload to true.

    New policies allow you to configure application handlers,
    disable picture in picture, and require a master password,
    which will be renamed to "primary password" in future releases.

    More details in the Firefox for Enterprise 78 release notes

Security fixes:
Not available yet.

Revision 1.160 / (download) - annotate - [select for diffs], Wed Jun 3 09:00:24 2020 UTC (2 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.159: +187 -112 lines
Diff to previous 1.159 (colored)

firefox: Update to 77.0

Changelog:
New
    Pocket recommendations, featuring some of the best stories on the web, will appear on the Firefox new tab for our users in the UK. If you don't see them, you can turn on Pocket articles in your new tab, follow these steps.

    WebRender continues its roll out to more Firefox for Windows users, now available by default on Windows 10 laptops running on Nvidia GPUs with medium (<= 3440x1440) and large screens (> 3440x1440).

    You can view and manage web certificates more easily on the new about:certificate page.

Fixed
    Various security fixes.

    A number of features have been fixed to improve Firefox accessibility.
        The applications list in Firefox Options is now accessible to screen reader users.
        Some live regions previously didn't report updated text with the JAWS screen reader. This issue has been fixed.
        Date/time inputs are now no longer missing labels for users of accessibility tools.

Changed
    The browser.urlbar.oneOffSearches preference has been removed. To hide one-off search buttons uncheck search engines on the about:preferences#search page

Security fixes:
#CVE-2020-12399: Timing attack on DSA signatures in NSS library
#CVE-2020-12405: Use-after-free in SharedWorkerService
#CVE-2020-12406: JavaScript type confusion with NativeTypes
#CVE-2020-12407: WebRender leaking GPU memory when using border-image CSS directive
#CVE-2020-12408: URL spoofing when using IP addresses
#CVE-2020-12409: URL spoofing with unicode characters
#CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
#CVE-2020-12411: Memory safety bugs fixed in Firefox 77

Revision 1.159 / (download) - annotate - [select for diffs], Wed May 6 01:00:08 2020 UTC (2 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.158: +133 -155 lines
Diff to previous 1.158 (colored)

firefox: Update to 76.0

Changelog:
New
    With today's release, Firefox strengthens protections for your
    online account logins and passwords, with innovative approaches
    to managing your accounts during this critical time:

	Firefox displays critical alerts in the Lockwise password
	manager when a website is breached;

	If one of your accounts is involved in a website breach
	and you've used the same password on other websites, you
	will now be prompted to update your password. A key icon
	identifies which accounts use that vulnerable password.

	Automatically generate secure, complex passwords for new
	accounts across more of the web that are easily saved right
	in the browser;

	You have been able to access and see your saved passwords
	under Logins and Passwords easily under the main menu. If
	your device happens to be shared among your family or
	roommates, the latest update helps to prevent casual snooping
	over your shoulder. If you don't have a master password
	set up for Firefox, Windows and macOS now requires a login
	to your operating system account before showing your saved
	passwords.

    Picture-in-Picture allows you to multitask, the small video
    window following along no matter what you are doing on your
    computer, across different applications and even workspaces.
    Now, when you are ready to focus on the video, a double click
    can take the small window into full screen. Double click again
    to reduce the size again.

    Firefox now supports Audio Worklets that will allow more complex
    audio processing like VR and gaming on the web; and is being
    adopted by some of your favorite software programs.

	With this change, you can now join Zoom calls on Firefox
	without the need for any additional downloads.

    WebRender continues its roll out to more Firefox for Windows
    users, now available by default on modern Intel laptops with
    a small screen (<= 1920x1200) for improved graphics rendering.

Fixed
    Various security fixes

Changed
    Two updates to the address bar improve its usability and
    visibility:

	The shadow around the address bar field is reduced in width
	when a new tab is opened;

	The bookmarks toolbar has expanded slightly in size to
	improve its surface area for touchscreens.

Security fixes:
#CVE-2020-12387: Use-after-free during worker shutdown
#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
#CVE-2020-12389: Sandbox escape with improperly separated process types
#CVE-2020-6831: Buffer overflow in SCTP chunk input validation
#CVE-2020-12390: Incorrect serialization of nsIPrincipal.origin for IPv6 addresses
#CVE-2020-12391: Content-Security-Policy bypass using object elements
#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
#CVE-2020-12394: URL spoofing in location bar when unfocussed
#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
#CVE-2020-12396: Memory safety bugs fixed in Firefox 76

Revision 1.158 / (download) - annotate - [select for diffs], Thu Apr 9 14:01:26 2020 UTC (2 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.157: +82 -58 lines
Diff to previous 1.157 (colored)

firefox: Update to 75.0

Changelog:
New
    With today's release, a number of improvements will help you
    search smarter, faster. Type less and find more with Firefox's
    revamped address bar:

	Focused, clean search experience that's optimized for
	smaller laptop screens

	Top sites now appear when you select the address

	Improved readability of search suggestions with a focus on
	new search terms

	Suggestions include solutions to common Firefox issues

	On Linux, the behavior when clicking on the Address Bar
	and the Search Bar now matches other desktop platforms: a
	single click selects all without primary selection, a double
	click selects a word, and a triple click selects all with
	primary selection

    Firefox will locally cache all trusted Web PKI Certificate
    Authority certificates known to Mozilla. This will improve
    HTTPS compatibility with misconfigured web servers and improve
    security.

    Firefox is now available in Flatpak, an easier way to install
    and use Firefox on Linux.

    Direct Composition is being integrated for our users on Windows
    to help improve performance and enable our ongoing work to ship
    WebRender on Windows 10 laptops with Intel graphics cards.

Fixed
    Various security fixes

Enterprise
    Experimental support for using client certificates from the OS
    certificate store can be enabled on macOS by setting the
    preference security.osclientcerts.autoload to true.

    Enterprise policies may be used to exclude domains from being
    resolved via TRR (Trusted Recursive Resolver) using DNS over
    HTTPS.

Developer
    Developer Information

    Save bandwidth and reduce browser memory by using the loading
    attribute on the <img> element. The default "eager" value loads
    images immediately, and the "lazy" value delays loading until
    the image is within range of the viewport.

    Instant evaluation for Console expressions lets developers
    identify and fix errors more rapidly than before. As long as
    expressions typed into the Web Console are side-effect free,
    their results will be previewed while you type.

Security fixes:
#CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method
#CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images
#CVE-2020-6823: Malicious Extension could obtain auth codes from OAuth login flows
#CVE-2020-6824: Generated passwords may be identical on the same site between separate private browsing sessions
#CVE-2020-6825: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
#CVE-2020-6826: Memory safety bugs fixed in Firefox 75

Revision 1.157 / (download) - annotate - [select for diffs], Fri Mar 27 00:24:20 2020 UTC (2 years, 8 months ago) by gutteridge
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.156: +2 -1 lines
Diff to previous 1.156 (colored)

firefox: fix 74.0 debug build packaging

Revision 1.156 / (download) - annotate - [select for diffs], Sat Mar 14 04:49:16 2020 UTC (2 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.155: +58 -131 lines
Diff to previous 1.155 (colored)

firefox: Update to 74.0

* Follow HOMEPAGE redirect

Changelog:
New
    Your login management has improved with the ability to reverse
    alpha sort (Name Z-A) in Lockwise, which you can access under
    Logins and Passwords.

    Firefox now makes importing your bookmarks and history from
    the new Microsoft Edge browser on Windows and Mac simple.

    Add-ons installed by external applications can now be removed
    using the Add-ons Manager (about:addons). Going forward, only
    users can install add-ons; they cannot be installed by an
    application.

    Facebook Container prevents Facebook from tracking you around
    the web - Facebook logins, likes, and comments are automatically
    blocked on non-Facebook sites. But when we need an exception,
    you can now create one by adding custom sites to the Facebook
    Container.

    Firefox now provides better privacy for your web voice and
    video calls through support for mDNS ICE by cloaking your
    computer's IP address with a random ID in certain WebRTC
    scenarios.

Fixed
    Various security fixes.

    We have fixed issues involving pinned tabs such as being lost.
    You should also no longer see them reorder themselves.

Security fixes:
#CVE-2020-6805: Use-after-free when removing data about origins
#CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion
#CVE-2020-6807: Use-after-free in cubeb during stream destruction
#CVE-2020-6808: URL Spoofing via javascript: URL
#CVE-2020-6809: Web Extensions with the all-urls permission could access local files
#CVE-2020-6810: Focusing a popup while in fullscreen could have obscured the fullscreen notification
#CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
#CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init
#CVE-2020-6812: The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
#CVE-2020-6813: @import statements in CSS could bypass the Content Security Policy nonce feature
#CVE-2020-6814: Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
#CVE-2020-6815: Memory and script safety bugs fixed in Firefox 74

Revision 1.155 / (download) - annotate - [select for diffs], Wed Feb 26 20:55:43 2020 UTC (2 years, 9 months ago) by maya
Branch: MAIN
Changes since 1.154: +3 -3 lines
Diff to previous 1.154 (colored)

firefox: fix PLIST on linux.

A bunch of files that are mysteriously not on linux, and a bunch of files
that are mysteriously OS-specific (probably missing "else").

And a sandboxing library.

Revision 1.154 / (download) - annotate - [select for diffs], Wed Feb 12 16:36:50 2020 UTC (2 years, 9 months ago) by ryoon
Branch: MAIN
Changes since 1.153: +89 -106 lines
Diff to previous 1.153 (colored)

firefox: Update to 73.0

Changelog:
New
    Today's Firefox release includes two features that help users
    view and read website content more easily, quickly. Like all
    accessibility improvements, these features improve browsing
    for everyone.

	Firefox has offered a page zoom feature for more than a
	decade that allows users to set the zoom level on a per-site
	basis. For users who need to zoom most websites, having to
	adjust zoom for each new site can be an annoyance. To
	address this, we have implemented a new global default zoom
	level setting. This option is available in about:preferences
	under "Language and Appearance" and can be scaled up or
	down from 100% as needed and sets the default zoom level
	for all sites. Per-site zoom is still available to make
	adjustments to individual sites as needed.

	Many users with low vision rely on Windows' High Contrast
	Mode to make websites more readable. Traditionally, to
	increase the readability of text, Firefox has disabled
	background images when High Contrast Mode is enabled. With
	today's release of Firefox 73, we introduce a "readability
	backplate" solution which places a block of background
	color between the text and background image. Now, websites
	in High Contrast Mode are more readable without disabling
	background images.

Fixed
    Various security fixes.

    Improved audio quality when playing back audio at a faster or
    slower speed.

    Firefox will now only prompt you to save logins if a field in
    a login form was modified.

Changed
    WebRender will roll out to laptops with Nvidia graphics cards
    with drivers newer than 432.00, and screen sizes smaller than
    1920x1200

Security fixes:
#CVE-2020-6796: Missing bounds check on shared memory read in the parent process
#CVE-2020-6797: Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
#CVE-2020-6798: Incorrect parsing of template tag could result in JavaScript injection
#CVE-2020-6799: Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader
#CVE-2020-6800: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
#CVE-2020-6801: Memory safety bugs fixed in Firefox 73

Revision 1.153 / (download) - annotate - [select for diffs], Sat Jan 11 20:38:32 2020 UTC (2 years, 10 months ago) by gutteridge
Branch: MAIN
Changes since 1.152: +2 -2 lines
Diff to previous 1.152 (colored)

firefox: update PLIST.debug for 72.0.1

One file name changed amongst the extra files generated when the full
debugging option is set.

Revision 1.152 / (download) - annotate - [select for diffs], Thu Jan 9 15:06:28 2020 UTC (2 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.151: +243 -170 lines
Diff to previous 1.151 (colored)

firefox: Update to 72.0.1

Changelog:
72.0.1
Security fixes:
#CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement

72.0
New
    Firefox's Enhanced Tracking Protection marks a major new
    milestone in our battle against cross-site tracking: we now
    block fingerprinting scripts by default for all users, taking
    a new bold step in the fight for our users' privacy.

    Firefox replaces annoying notification request pop-ups with a
    more delightful experience, by default for all users. The
    pop-ups no longer interrupt your browsing, in its place, a
    speech bubble will appear in the address bar when you interact
    with the site.

    Picture-in-picture video is now also available in Firefox for
    Mac and Linux: Select the blue icon from the right edge of a
    video to pop open a floating window so you can keep watching
    while working in other tabs or apps. Learn how the feature
    works.

Security fixes:
#CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
#CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
#CVE-2019-17017: Type Confusion in XPCVariant.cpp
#CVE-2019-17018: Windows Keyboard in Private Browsing Mode may retain word suggestions
#CVE-2019-17019: Python files could be inadvertently executed upon opening a download
#CVE-2019-17020: Content Security Policy not applied to XSL stylesheets applied to XML documents
#CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows
#CVE-2019-17022: CSS sanitization does not escape HTML tags
#CVE-2019-17023: NSS may negotiate TLS 1.2 or below after a TLS 1.3 HelloRetryRequest had been sent
#CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
#CVE-2019-17025: Memory safety bugs fixed in Firefox 72

Revision 1.151 / (download) - annotate - [select for diffs], Mon Jan 6 07:53:53 2020 UTC (2 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.150: +2 -2 lines
Diff to previous 1.150 (colored)

firefox: Fix pasto, remove 68 suffix

Revision 1.150 / (download) - annotate - [select for diffs], Sun Jan 5 17:55:22 2020 UTC (2 years, 10 months ago) by nia
Branch: MAIN
Changes since 1.149: +2 -1 lines
Diff to previous 1.149 (colored)

*: Enable Wayland where supported in GTK and Firefox.

Bump PKGREVISIONs

Revision 1.149 / (download) - annotate - [select for diffs], Tue Dec 3 14:21:20 2019 UTC (2 years, 11 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.148: +122 -117 lines
Diff to previous 1.148 (colored)

Update to 71.0

* Remove oss option. Its patch is not usable for 71.0.

Changelog:
New
    Improvements to Lockwise, our integrated password manager:
        Firefox now recognizes subdomains and will autofill domain logins from Lockwise
        Integrated breach alerts from Firefox Monitor are now available to users with screen readers

    More information about Enhanced Tracking Protection in action:
        Notifications when Firefox blocks cryptominers
        A running tally of blocked trackers in the protection panel accessed by clicking the address bar shield

    Picture-in-picture video comes to Firefox for Windows: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs. Learn how the feature works.

    Native MP3 decoding on Windows, Linux, and macOS

Security fixes:
Not available yet.

Revision 1.148 / (download) - annotate - [select for diffs], Sat Nov 2 19:45:46 2019 UTC (3 years ago) by gutteridge
Branch: MAIN
Changes since 1.147: +2 -1 lines
Diff to previous 1.147 (colored)

firefox: update PLIST to include new file when DEBUG is enabled

Revision 1.147 / (download) - annotate - [select for diffs], Mon Oct 28 13:03:27 2019 UTC (3 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.146: +481 -265 lines
Diff to previous 1.146 (colored)

Update to 70.0

* Offline build is incomplete. However I cannot finish the fix.

Changelog:
New
    More privacy protections from Enhanced Tracking Protection:
        Social tracking protection, which blocks cross-site tracking cookies from sites like Facebook, Twitter, and LinkedIn, is now a standard feature of Enhanced Tracking Protection.
        The Privacy Protections report shows an overview, with details, of the trackers Firefox has blocked. It provides consolidated reports from Monitor and Lockwise.

    More security protections from Firefox Lockwise, our digital identity and password management tool:
        Lockwise for desktop lets you create, update, and delete your logins and passwords to sync across all your devices, including the Lockwise mobile apps and Firefox mobile browsers.
        Integrated breach alerts from Firefox Monitor, to alert you when saved logins and passwords are compromised in online data breaches.
        Complex password generation, to help you create and save strong passwords for new online accounts.

    Improvements to core engine components, for better browsing on more sites
        A faster Javascript Baseline Interpreter to handle the modern web's
        large codebases and improve page load performance by as much as 8
        percent.
        WebRender rolled out to more Firefox for Windows users, now available by default on Windows desktops (with integrated Intel graphics cards and resolution of 1920x1200 or less) for improved graphics rendering.
        Compositor improvements in Firefox for macOS that reduce power
        consumption, speed up page load by as much as 22 percent, and reduce
        resource use for video by up to 37 percent.

    More browser features to help you get the most out of Firefox products and services
        A stand-alone Firefox account menu for easy access to Firefox services like Monitor and Send.
        A message panel accessed from the gift icon in the toolbar that offers a quick overview of new releases and key features.
        When a website uses your geolocation, an indicator is shown in the
        address bar.

Fixed
    Various security fixes

Changed
    Built-in Firefox pages now follow the system dark mode preference

    Aliased theme properties have been removed, which may affect some themes

    Passwords can now be imported from Chrome on macOS in addition to existing support for Windows

    Readability is now greatly improved on under- or overlined texts, including links. The lines will now be interrupted instead of crossing over a glyph.

    Improved privacy and security indicators
        A new crossed-out lock icon will indicate sites delivered via
        insecure HTTP
        The formerly green lock icon is now grey
        The Extended Validation (EV) indicator has been moved to the identity
        popup that appears when clicking the lock icon

Security fixes:
#CVE-2018-6156: Heap buffer overflow in FEC processing in WebRTC
#CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
#CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
#CVE-2019-11759: Stack buffer overflow in HKDF output
#CVE-2019-11760: Stack buffer overflow in WebRTC networking
#CVE-2019-11761: Unintended access to a privileged JSONView object
#CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation
#CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
#CVE-2019-11765: Incorrect permissions could be granted to a website
#CVE-2019-17000: CSP bypass using object tag with data: URI
#CVE-2019-17001: CSP bypass using object tag when script-src 'none' is specified
#CVE-2019-17002: upgrade-insecure-requests was not being honored for links dragged and dropped
#CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

Revision 1.146 / (download) - annotate - [select for diffs], Fri Oct 4 12:43:20 2019 UTC (3 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.145: +19 -1 lines
Diff to previous 1.145 (colored)

Update to 69.0.2

Changelog:
Fixed
    Fixed a crash when editing files on Office 365 websites (bug 1579858)

    Fixed detection of the Windows 10 Parental Controls feature being enabled (bug 1584613)

    Fixed a Linux-only crash when changing the playback speed while watching YouTube videos (bug 1582222)

Revision 1.145 / (download) - annotate - [select for diffs], Sat Sep 21 07:25:50 2019 UTC (3 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.144: +2 -1 lines
Diff to previous 1.144 (colored)

Update to 69.0.1

Changelog:
Fixed
    Fixed external programs launching in the background when clicking a link from inside Firefox to launch them (bug 1570845)

    Usability improvements to the Add-ons Manager for users with screen readers (bug 1567600)

    Fixed the Captive Portal notification bar not being dismissable in some situations after login is complete (bug 1578633)

    Fixed the maximum size of fonts in Reader Mode when zoomed (bug 1578454)

    Fixed missing stacks in the Developer Tools Performance section (bug 1578354)

    Security and stability fixes

        Firefox 69.0.1

Security fixes:
#CVE-2019-11754: Pointer Lock is enabled with no user notification

Revision 1.144 / (download) - annotate - [select for diffs], Sat Sep 7 03:41:42 2019 UTC (3 years, 2 months ago) by gutteridge
Branch: MAIN
Changes since 1.143: +2 -2 lines
Diff to previous 1.143 (colored)

firefox: fix build when webrtc option is not enabled

PeerConnectionIdp.jsm is installed universally, not just when webrtc is
an enabled option.

Revision 1.143 / (download) - annotate - [select for diffs], Fri Sep 6 03:00:23 2019 UTC (3 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.142: +166 -548 lines
Diff to previous 1.142 (colored)

Update to 69.0

* Use clang to compile all files. Mix of gcc and clang causes some errors in
  Rust c++ command invocation (C++ header mismatches).

Changelog:
New

    Enhanced Tracking Protection (ETP) rolls out stronger privacy protections:
        The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
        The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.

    The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.

    For our users in the US or using the en-US browser, we are shipping a new "New Tab" page experience that connects you to the best of Pocket's content.

    Support for the Web Authentication HmacSecret extension via Windows Hello now comes with this release, for versions of Windows 10 May 2019 or newer, enabling more passwordless experiences on the web.

    Support for receiving multiple video codecs with this release makes it easier for WebRTC conferencing services to mix video from different clients.

    For our users on Windows 10, you'll see performance and UI improvements:
        Firefox will give Windows hints to appropriately set content process priority levels, meaning more processor time spent on the tasks you're actively working on, and less processor time spent on things in the background (with the exception of video and audio playback).
        For our existing Windows 10 users, you can easily find and launch Firefox from a shortcut on the Win10 taskbar.

    For our users on macOS, battery life and download UI are both improved:
        macOS users on dual-graphics-card machines (like MacBook Pro) will switch back to the low-power GPU more aggressively, saving battery life.
        Finder on macOS now displays download progress for files being downloaded.

    JIT support comes to ARM64 for improved performance of our JavaScript Optimizing JIT compiler.

Fixed

    Various security fixes

Changed

    As previously announced in the Plugin Roadmap for Firefox, the "Always Activate" option for Flash plugin content has been removed. Firefox will now always ask for user permission before activating Flash content on a website.

    With the deprecation of Adobe Flash Player, there is no longer a need to identify users on 32-bit version of the Firefox browser on 64-bit version operating systems reducing user agent fingerprinting factors providing greater level of privacy to our users as well as improving the experience of downloading other apps.

    Firefox no longer loads userChrome.css or userContent.css by default improving start-up performance. Users who wish to customize Firefox by using these files can set the toolkit.legacyUserProfileCustomizations.stylesheets preference to true to restore this ability.

Enterprise

    For Enterprise system administrators that manage macOS computers, we begin shipping a Mozilla signed PKG installer to simplify your deployments.

Developer

    For our mobile web developers, we have migrated remote debugging from the old WebIDE into a re-designed about:debugging, making debugging GeckoView on remote devices via USB rock solid.

    The network panel will now show blocked resources to allow developers to best understand the impact of content blocking and ad blocking extensions given our ongoing expansion of Enhanced Tracking Protection to all users with this release.

    The new event listener breakpoint feature allows developers to pause on a host of different event types, whether it be related to animations, DOM, media, mouse, touch, worker, and many other event types.

    Firefox Developer Tools now offers an audit for the presence of text alternatives for non-text content, the a11y panel checks toolbar has been augmented to better help developers adhere to WCAG Guideline 1.1.


Security fixes:
#CVE-2019-11751: Malicious code execution through command line parameters
#CVE-2019-11746: Use-after-free while manipulating video
#CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML
#CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
#CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service
#CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
#CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
#CVE-2019-9812: Sandbox escape through Firefox Sync
#CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com
#CVE-2019-11743: Cross-origin access to unload event attributes
#CVE-2019-11749: Camera information available without prompting using getUserMedia
#CVE-2019-5849: Out-of-bounds read in Skia
#CVE-2019-11750: Type confusion in Spidermonkey
#CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard
#CVE-2019-11738: Content security policy bypass through hash-based sources in directives
#CVE-2019-11747: 'Forget about this site' removes sites from pre-loaded HSTS list
#CVE-2019-11734: Memory safety bugs fixed in Firefox 69
#CVE-2019-11735: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
#CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9

Revision 1.142 / (download) - annotate - [select for diffs], Fri Aug 16 14:04:18 2019 UTC (3 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.141: +21 -15 lines
Diff to previous 1.141 (colored)

Update to 68.0.2

Changelog:
Fixed
    Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar (bug 1560228)

    Allow fonts to be loaded via file:// URLs when opening a page locally (bug 1565942)

    Printing emails from the Outlook web app no longer prints only the header and footer (bug 1567105)

    Fixed a bug causing some images not to be displayed on reload, including on Google Maps (bug 1565542)

    Fixed an error when starting external applications configured as URI handlers (bug 1567614)

Security fixes
#CVE-2019-11733: Stored passwords in 'Saved Logins' can be copied without master password entry

Revision 1.141 / (download) - annotate - [select for diffs], Thu Jul 11 11:32:40 2019 UTC (3 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.140: +887 -630 lines
Diff to previous 1.140 (colored)

Update to 68.0

Changelog:

New
    Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars.

    Improved extension security and discovery:
        New reporting feature in about:addons allows you to report security and performance issues with extensions and themes.
        Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension.
        Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. "Recommended" badges for these extensions also appear on AMO. More extensions will be added over time.

    Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences.

    WebRender will roll out to Windows 10 users with AMD graphics cards.

    Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed.

Fixed

    Various security fixes

    Local files can no longer access other files in the same directory.

Security fixes:
#CVE-2019-9811: Sandbox escape via installation of malicious language pack
#CVE-2019-11711: Script injection within domain through inner window reuse
#CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
#CVE-2019-11713: Use-after-free with HTTP/2 cached stream
#CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread
#CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault
#CVE-2019-11715: HTML parsing error can contribute to content XSS
#CVE-2019-11716: globalThis not enumerable until accessed
#CVE-2019-11717: Caret character improperly escaped in origins
#CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML
#CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
#CVE-2019-11720: Character encoding XSS vulnerability
#CVE-2019-11721: Domain spoofing through unicode latin 'kra' character
#CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin
#CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries
#CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions
#CVE-2019-11725: Websocket resources bypass safebrowsing protections
#CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3
#CVE-2019-11728: Port scanning through Alt-Svc header
#CVE-2019-11710: Memory safety bugs fixed in Firefox 68
#CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

Revision 1.140 / (download) - annotate - [select for diffs], Mon May 27 05:57:40 2019 UTC (3 years, 6 months ago) by gutteridge
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.139: +10 -1 lines
Diff to previous 1.139 (colored)

firefox: amend PLIST to reflect option "debug"

Fix packaging when the "debug" option is enabled, which generates nine
extra files.

Revision 1.139 / (download) - annotate - [select for diffs], Wed May 22 13:32:51 2019 UTC (3 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.138: +334 -275 lines
Diff to previous 1.138 (colored)

Update to 67.0

Changelog:
New
    Firefox 67 demonstrates improved performance thanks to a number of changes such as:
        Lowering priority of setTimeout during page load
        Delayed component initialization until after start up
        Painting sooner during page load but less often
        Suspending unused tabs

    Learn more about our approach to performance in 67 in the Mozilla blog.

    Users can block known cryptominers and fingerprinters in the Custom settings of their Content Blocking preferences.

    Keyboard accessibility has improved in the latest version of Firefox. Toolbar and toolbar overflow menu are both fully keyboard accessible: keyboard users can now access add-ons, the downloads panel, the overflow, Page actions and Firefox menus, and much more.

    Private Browsing sees both usability and security improvements:
        Save passwords in private browsing mode
        Choose which extensions to exclude from private tabs

    A myriad of new features help make Firefox easier to use:
        We've added a toolbar menu for your Firefox Account to provide more transparency for when you are synced, sharing data across devices and with Firefox. Personalize the appearance of the menu with your own avatar
        Tabs can now be pinned from the Page Actions menu in the address bar
        Firefox will highlight useful features (like Pin Tabs) when users are most likely to benefit from them.
        Easier access to your list of saved logins from the main menu and login autocomplete. Learn about all the ways you can manage your passwords in Firefox.
        The Import Data from Another Browser feature is now also available from the File menu
        Users will be able to run different Firefox installs side by side by default so that you can run the beta and release versions simultaneously

    Firefox will now protect you against running older versions of the browser which can lead to data corruption and stability issues

    Firefox is upgrading to the newer, higher performance, AV1 decoder known as "dav1d"
    WebRender is gradually enabled by default on Windows 10 desktops with NVIDIA graphics cards

    Mozilla's highest performing JavaScript compiler now supports ARM64 Windows devices.

    Enable FIDO U2F API, and permit registrations for Google Accounts

    Some users will see experiments with an improved Pocket experience in Firefox Home with different layouts and more topical content.

Fixed
    Various security fixes

#CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
#CVE-2019-9816: Type confusion with object groups and UnboxedObjects
#CVE-2019-9817: Stealing of cross-domain images using canvas
#CVE-2019-9818: Use-after-free in crash generation server
#CVE-2019-9819: Compartment mismatch with fetch API
#CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
#CVE-2019-9821: Use-after-free in AssertWorkerThread
#CVE-2019-11691: Use-after-free in XMLHttpRequest
#CVE-2019-11692: Use-after-free removing listeners in the event listener manager
#CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
#CVE-2019-7317: Use-after-free in png_image_free of libpng library
#CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox
#CVE-2019-11695: Custom cursor can render over user interface outside of web content
#CVE-2019-11t .JNLP files are not recognized as executable files for download prompts
#CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions
#CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to andsulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site.
#CVE-2019-11700: res: protocol can be used to open known local files
#CVE-2019-11699: Incorrect domain name highlighting during page navigation
#CVE-2019-11701: webcal: protocol default handler loads vulnerable web page
#CVE-2019-9814: Memory safety bugs fixed in Firefox 67
#CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

Revision 1.138 / (download) - annotate - [select for diffs], Tue Mar 19 16:11:27 2019 UTC (3 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.137: +143 -76 lines
Diff to previous 1.137 (colored)

Update to 66.0

Changelog:
New
    Firefox now prevents websites from automatically playing sound. You can add individual sites to an exceptions list or turn blocking off. To learn more about block autoplay, which will be rolled out gradually to all users, visit the Mozilla blog.

    Improved search experience:
        Find a specific webpage faster when you have a lot of tabs open: You can now search within all of your open tabs from the tab overflow menu
        Easier search via a redesigned new tab in Private Windows

    Smoother scrolling: Scroll anchoring keeps content from jumping as images and ads load at the top of the page

    Improved performance and better user experience for extensions:
        Extensions now store their settings in a Firefox database, rather than individual JSON files, making every site you visit faster
        A redesigned keyboard shortcuts section in about:addons makes it easier to view and adjust default shortcuts

    Redesigned certificate error pages help you better understand and resolve issues, including identification of certificate issuers for anti-virus software

    Added basic support for macOS Touch Bar

    Experimenting with an improved Pocket experience in New Tab with different layouts and more topical content

    Improved performance and reduced crash rates by doubling web content loading processes from 4 to 8

    Easier, passwordless security: Added support for Windows Hello on Windows 10, allowing you to use your face, fingerprint, or external security keys for website authentication

Fixed
    The Dark and Light Firefox themes now override the system setting for title bar accent color on Windows 10

    Linux users: Resolved an issue that caused Firefox to freeze when downloading files

    Various security fixes

Changed

    System title bar is hidden by default to match Gnome guideline for Linux users

Developer

    DevTools Inspector is now fully usable when the Debugger is paused

    Lowered priority of setTimeout and setInterval during page load to improve overall page load performance

    Fixed: <button> element is no longer special cased in event dispatch, per latest specifications

Security fixes:
Not available yet.

Revision 1.137 / (download) - annotate - [select for diffs], Tue Feb 26 12:14:12 2019 UTC (3 years, 9 months ago) by rin
Branch: MAIN
Changes since 1.136: +3 -3 lines
Diff to previous 1.136 (colored)

Add support for NetBSD/aarch64 and arm.

This includes patches for third_party/rust/libc 2.43, which requires
hack to overwrite checksum fields in .cargo-checksum.json. These will
become unnecessary if libc >= 2.45 is imported.

For aarch64,

- python locks up randomly when "make configure"; see lib/54017:
http://gnats.netbsd.org/54017

- nodejs randomly(?) crashes sometimes.

However, if you are lucky enough ;-), you will have a working binary.

Bump revision.

Revision 1.136 / (download) - annotate - [select for diffs], Tue Jan 29 16:28:22 2019 UTC (3 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.135: +165 -177 lines
Diff to previous 1.135 (colored)

Update to 65.0

Changelog:
New

    Enhanced tracking protection: Simplified content blocking settings give users standard, strict, and custom options to control online trackers. A redesigned content blocking section in the site information panel (viewed by expanding the small "i" icon in the address bar) shows what Firefox detects and blocks on each website you visit. To learn more about content blocking, visit the Mozilla Blog.

    A better experience for multilingual users: An updated Language section in Preferences allows users to install multiple language packs and order language preferences for Firefox and websites, without having to download locale-specific versions.

    Support for Handoff on macOS: Continue browsing across devices. Pick up where you left off with iOS (via Firefox or Safari) on Firefox on Mac.

    A better video streaming experience for Windows users: Firefox now supports the next-generation, royalty-free video compression technology called AV1. Read about Mozilla's contribution to this new open standard.

    Improved performance and web compatibility, with support for the WebP image format: WebP brings the same image quality as existing formats at smaller file sizes, which saves bandwidth and speeds up page load.

Fixed

    Various security fixes.

Changed

    Enhanced security for macOS, Linux, and Android users via stronger stack smashing protection which is now enabled by default for all platforms. "Stack smashing" is a common security attack in which malicious actors corrupt or take control of a vulnerable program.

    Firefox will now warn you when closing a window (regardless of whether you have automatic session restore enabled for restart).

    Easier performance management: The revamped Task Manager page found at about:performance now reports memory usage for tabs and add-ons.

    Improved the pop-up blocker to prevent multiple pop-up windows from being opened by websites at the same time.

Security fixes:
Not available yet.

Revision 1.135 / (download) - annotate - [select for diffs], Fri Dec 14 10:21:27 2018 UTC (3 years, 11 months ago) by prlw1
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.134: +2 -1 lines
Diff to previous 1.134 (colored)

Fix build with webrtc option.

http://mail-index.netbsd.org/pkgsrc-users/2018/11/10/msg027658.html

Revision 1.134 / (download) - annotate - [select for diffs], Wed Dec 12 14:08:50 2018 UTC (3 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.133: +386 -438 lines
Diff to previous 1.133 (colored)

Update to 64.0

Changelog:
New
    Better recommendations: You may see suggestions in regular browsing mode for new and relevant Firefox features, services, and extensions based on how you use the web (for US users only)

    Enhanced tab management: You can now select multiple tabs from the tab bar and close, move, bookmark, or pin them quickly and easily

    Easier performance management: The new Task Manager page found at about:performance lets you see how much energy each open tab consumes and provides access to close tabs to conserve power

    Improved performance for Mac and Linux users, by enabling link time optimization (Clang LTO). (Clang LTO was enabled for Windows users in Firefox 63.)

    More seamless sharing on Windows: Windows users can now share web pages using the native sharing experience. You can access Share in the Page Actions menu

    Added option to remove add-ons using the context menu on their toolbar buttons

    New for enterprise users: Updated the policy engine on macOS to allow using configuration profiles to customize Firefox for enterprise deployments

Fixed
    Various security fixes

Changed
    RSS feed preview and live bookmarks are available only via add-ons

    TLS certificates issued by Symantec are no longer trusted by Firefox. Website operators are strongly encouraged to replace any remaining Symantec TLS certificates as soon as possible.

    about:crashes has been redesigned to make it clear when a crash is being submitted to Mozilla, as well as being clear that removing crashes locally does not remove them from crash-stats.mozilla.com

    The macOS keyboard shortcut to add "www" and ".com" to a URL is now ctrl-enter instead of [apple]-enter

Security fixes:
#CVE-2018-12407: Buffer overflow with ANGLE library when using VertexBuffer11 module
#CVE-2018-17466: Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
#CVE-2018-18492: Use-after-free with select element
#CVE-2018-18493: Buffer overflow in accelerated 2D canvas with Skia
#CVE-2018-18494: Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
#CVE-2018-18495: WebExtension content scripts can be loaded in about: pages
#CVE-2018-18496: Embedded feed preview page can be abused for clickjacking
#CVE-2018-18497: WebExtensions can load arbitrary URLs through pipe separators
#CVE-2018-18498: Integer overflow when calculating buffer sizes for images
#CVE-2018-12406: Memory safety bugs fixed in Firefox 64
#CVE-2018-12405: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4

Revision 1.133 / (download) - annotate - [select for diffs], Sun Nov 4 00:38:44 2018 UTC (4 years ago) by ryoon
Branch: MAIN
Changes since 1.132: +916 -565 lines
Diff to previous 1.132 (colored)

Update to 63.0.1

* Minimize pkgsrc specific patches.
* A build system written in Rust lang does not find C++ header files
  from pkgsrc (non-base) GCC, this version is not buildable on NetBSD 7.
  I will investigate this problem again.

Changelog:
63.0.1
Fixed

    Snippets are not loaded due to missing element (bug 1503047)

    Print preview always shows 30% scale when it is actually Shrink To Fit
    (bug 1501952)

    Dialog displayed when closing multiple windows shows unreplaced %1$S
    placeholder in Japanese and potentially other locales (bug 1500823)


63.0
New

    Performance and visual improvements for Windows users

    Performance improvements for macOS users

    Added content blocking, a collection of Firefox settings that offer
    users greater control over technology that can track them around the
    web. In 63, users can opt to block third-party tracking cookies or
    block all trackers and create exceptions for trusted sites that don't
    work correctly with content blocking enabled.

    WebExtensions now run in their own process on Linux

    Firefox now warns about having multiple windows and tabs open
    when quitting from the main menu. The Save and Quit feature has been
    removed. You can restore your session by ticking the box for Restore
    previous session in the General->Startup options or by using Restore
    Previous Session in the main menu.

    Firefox now recognizes the operating system accessibility setting for
    reducing animation

    Added search shortcuts for Top Sites: Amazon and Google appear as Top
    Sites tiles on the Firefox Home (New Tab) page. When selected these
    tiles will change focus to the address bar to initiate a search.
    Currently in US only.


Fixed

    Resolved an issue that prevented the address bar from autofilling
    bookmarked URLs in certain cases

    Various security fixes


Changed

    In the Library, the Open in Sidebar feature for individual bookmarks
    was removed

    The option to Never check for updates was removed from about:preferences.
    You can use the DisableAppUpdate enterprise policy as a substitute.

    The Ctrl+Tab shortcut now displays thumbnail previews of your tabs and
    cycles through tabs in recently used order. This new default behavior
    is activated only in new profiles and can be changed in preferences.


#CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin
#CVE-2018-12392: Crash with nested event loops
#CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript
#CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting
#CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts
#CVE-2018-12397: Missing warning prompt when WebExtension requests local file access
#CVE-2018-12398: CSP bypass through stylesheet injection in resource URIs
#CVE-2018-12399: Spoofing of protocol registration notification bar
#CVE-2018-12400: Favicons are cached in private browsing mode on Firefox for Android
#CVE-2018-12401: DOS attack through special resource URI parsing
#CVE-2018-12402: SameSite cookies leak when pages are explicitly saved
#CVE-2018-12403: Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP
#CVE-2018-12388: Memory safety bugs fixed in Firefox 63
#CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

Revision 1.132 / (download) - annotate - [select for diffs], Thu Sep 6 03:30:51 2018 UTC (4 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Changes since 1.131: +6 -4 lines
Diff to previous 1.131 (colored)

Restore conditional PLIST

Noticed by Marc Baudoin.

Revision 1.131 / (download) - annotate - [select for diffs], Wed Sep 5 15:29:58 2018 UTC (4 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.130: +661 -161 lines
Diff to previous 1.130 (colored)

Update to 62.0

Changelog:
New
    Firefox Home (the default New Tab) now allows users to display up to
      4 rows of top sites, Pocket stories, and highlights

    "Reopen in Container" tab menu option appears for users with Containers
      that lets them choose to reopen a tab in a different container

    In advance of removing all trust for Symantec-issued certificates in
      Firefox 63, a preference was added that allows users to distrust
      certificates issued by Symantec. To use this preference, go to
      about:config in the address bar and set the preference
      "security.pki.distrust_ca_policy" to 2.

    Added FreeBSD support for WebAuthn

    Improved graphics rendering for Windows users without accelerated hardware
      using Parallel-Off-Main-Thread Painting

    Support for CSS Shapes, allowing for richer web page layouts. This goes
      hand in hand with a brand new Shape Path Editor in the CSS inspector.

    CSS Variable Fonts (OpenType Font Variations) support, which makes it
      possible to create beautiful typography with a single font file

    Updates for enterprise environments:
        AutoConfig is sandboxed to the documented API by default. You
        can disable the sandbox by setting the preference
        general.config.sandbox_enabled to false. Our long term plan is to
        remove the ability to turn off the sandboxing. If you need to
        continue to use more complex AutoConfig scripts, you will need to use
        Firefox Extended Support Release (ESR).

    Added Canadian English (en-CA) locale

Changed
    Removed the description field for bookmarks. Users who have stored
      descriptions using the field may wish to export these descriptions
      as html or json files, as they will be removed in a future release.

    Dark theme is automatically enabled in macOS 10.14 dark mode

    Changed the default setting to Enforce (3) for the
      security.pki.name_matching_mode preference

    Adobe Flash applets now run in a more secure mode using process
      sandboxing on macOS. Learn how this may affect features here.

    Users disconnecting from Sync are now offered the option to wipe
      their Firefox profile data (including bookmarks, passwords, history,
      cookies, and site data) from their desktop computer

    Changed how WebRTC handles screen sharing: When screen-sharing a window,
      the window will be brought to front

Developer
    Three-pane Inspector in Developer Tools separates the rules into its own
       panel

Revision 1.130, Sat Aug 11 18:45:16 2018 UTC (4 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.129: +1 -5 lines

Update to 61.0.2

Changelog:
New
    Adds support for automatically restoring your Firefox session
    after Windows restarts. Currently, this feature is not enabled
    by default for most users, but will be gradually enabled over
    the coming weeks.

Fixed
    Improved website rendering with the Retained Display List
    feature enabled (Bug 1474402)

    Fixed broken DevTools panels with certain extensions installed
    (Bug 1474379)

    Fixed a crash for users with some accessibility tools enabled
    (Bug 1474007)

Revision 1.129, Thu Jun 28 13:52:37 2018 UTC (4 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.128: +383 -376 lines

Update to 61.0

Changelog:
New
    Enhanced performance:
        Faster page rendering with Quantum CSS improvements and the new
          retained display list feature
        Faster switching between tabs on Windows and Linux
        WebExtensions now run in their own process on MacOS

    Convenient access to more search engines: You can now add search engines
      to the address bar "Search with" tool from the page action menu when on
      a webpage that provides an OpenSearch plugin

    Share links from Firefox for MacOS more easily: You can now share the URL
      of an active tab from the page actions menu in the address bar

    Improved security:
        On-by-default support for the latest draft of the TLS 1.3 specification
        Access to FTP subresources inside http(s) pages has been blocked

    A more consistent user experience: Improvements for dark theme support
      across the entire Firefox user interface

    More customization for tab management: added support to allow WebExtensions
      to hide tabs

    Improved bookmark syncing

Fixed
    Various security fixes

Changed
    The settings for customizing your homepage and new tab page in Firefox
      have been added to a new Preferences section that can be accessed from
      Firefox at about:preferences#home. The settings can also be accessed via
      the gear icon on the New Tab page.

Security fixes:
#CVE-2018-12359: Buffer overflow using computed size of canvas element
#CVE-2018-12360: Use-after-free when using focus()
#CVE-2018-12361: Integer overflow in SwizzleData
#CVE-2018-12358: Same-origin bypass using service worker and redirection
#CVE-2018-12362: Integer overflow in SSSE3 scaler
#CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture
#CVE-2018-12363: Use-after-free when appending DOM nodes
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
#CVE-2018-12365: Compromised IPC child process can list local filenames
#CVE-2018-12371: Integer overflow in Skia library during edge builder allocation
#CVE-2018-12366: Invalid data handling during QCMS transformations
#CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
#CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments
#CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View
#CVE-2018-5186: Memory safety bugs fixed in Firefox 61
#CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
#CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9

Revision 1.128, Thu May 10 20:01:53 2018 UTC (4 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.127: +150 -132 lines

Update to 60.0

* Remove untested patches including NetBSD/earm support

Changelog:
New
    Added a policy engine that allows customized Firefox deployments in
      enterprise environments, using Windows Group Policy or a cross-platform
      JSON file

    Enhancements to New Tab / Firefox Home
        Responsive layout that shows more content for users with wide-screen
          displays
        Highlights section includes web sites saved to Pocket
        More options to reorder sections and content on the page
        Pocket Sponsored Stories will appear for a percentage of users in
          the US. Read about our privacy-conscious approach to sponsored content

    Redesigned Cookies and Site Storage section in Preferences for greater
      clarity and control of first- and third-party cookies

    Applied Quantum CSS to render browser UI

    Added support for Web Authentication API, which allows USB tokens for
      website authentication

    Enhanced camera privacy indicators: Firefox now turns off your camera
      and the camera's light when you disable video recording, and turns
      the camera and light on when you resume recording

    Added an option for Linux users to show or hide page titles in a bar
      at the top of the browser. You'll find the Title Bar option in the
      Customize panel available from the main browser menu.

    Improved WebRTC audio performance and playback for Linux users

    Locale added: Occitan (oc)

Fixed
    Various security fixes

Changed
#CVE-2018-5154: Use-after-free with SVG animations and clip paths
#CVE-2018-5155: Use-after-free with SVG animations and text paths
#CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
#CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
#CVE-2018-5160: Uninitialized memory use by WebRTC encoder
#CVE-2018-5152: WebExtensions information leak through webRequest API
#CVE-2018-5153: Out-of-bounds read in mixed content websocket messages
#CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache
#CVE-2018-5164: CSP not applied to all multipart content sent with
                multipart/x-mixed-replace
#CVE-2018-5166: WebExtension host permission bypass through filterReponseData
#CVE-2018-5167: Improper linkification of chrome: and javascript: content
                in web console and JavaScript debugger
#CVE-2018-5168: Lightweight themes can be installed without user interaction
#CVE-2018-5169: Dragging and dropping link text onto home button can set home
                page to include chrome pages
#CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks
                page or PDF viewer
#CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters
#CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
                for downloaded files in Windows 10 April 2018 Update
#CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in
                their policies
#CVE-2018-5176: JSON Viewer script injection
#CVE-2018-5177: Buffer overflow in XSLT during number formatting
#CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in
                32-bit Firefox
#CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
#CVE-2018-5181: Local file can be displayed in noopener tab through drag and
                drop of hyperlink
#CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped
                on addressbar
#CVE-2018-5151: Memory safety bugs fixed in Firefox 60
#CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8

Revision 1.125.2.2, Thu Mar 22 06:56:21 2018 UTC (4 years, 8 months ago) by spz
Branch: pkgsrc-2017Q4
Changes since 1.125.2.1: +91 -79 lines
Branchpoint 1.125, next main 1.126

Pullup ticket #5728 - requested by maya
devel/nspr: dependency update
devel/nss: dependency update
www/firefox-l10n: dependent update
www/firefox: security update

Revisions pulled up:
- devel/nspr/Makefile                                           1.94-1.95
- devel/nspr/distinfo                                           1.48-1.49
- devel/nspr/patches/patch-az                                   deleted
- devel/nspr/patches/patch-nspr_pr_include_md___pth.h           1.1
- devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c      1.1
- devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h         deleted
- devel/nss/Makefile                                            1.146,1.148
- devel/nss/PLIST                                               1.24
- devel/nss/distinfo                                            1.81,1.83
- devel/nss/patches/patch-nss_lib_freebl_config.mk              deleted
- devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h     deleted
- www/firefox-l10n/Makefile                                     1.121-1.123
- www/firefox-l10n/distinfo                                     1.111-1.113
- www/firefox/Makefile                                          1.320-1.321,1.324
- www/firefox/PLIST                                             1.127
- www/firefox/distinfo                                          1.307-1.309
- www/firefox/mozilla-common.mk                                 1.105-1.106
- www/firefox/patches/patch-aa                                  1.56
- www/firefox/patches/patch-build_gyp.mozbuild                  1.8
- www/firefox/patches/patch-build_moz.configure_keyfiles.configure 1.5
- www/firefox/patches/patch-build_moz.configure_memory.configure deleted
- www/firefox/patches/patch-config_baseconfig.mk                deleted
- www/firefox/patches/patch-config_external_moz.build           1.17
- www/firefox/patches/patch-dom_media_moz.build                 1.9
- www/firefox/patches/patch-gfx_skia_generate__mozbuild.py      1.8
- www/firefox/patches/patch-gfx_skia_moz.build                  1.15
- www/firefox/patches/patch-gfx_thebes_moz.build                1.9
- www/firefox/patches/patch-media_libcubeb_gtest_moz.build      1.2
- www/firefox/patches/patch-media_libtheora_moz.build           1.8
- www/firefox/patches/patch-media_libvorbis_moz.build           1.4
- www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc 1.1
- www/firefox/patches/patch-modules_libpref_init_all.js         1.7
- www/firefox/patches/patch-modules_pdfium_update.sh            1.2
- www/firefox/patches/patch-netwerk_dns_moz.build               1.8
- www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c deleted
- www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c deleted
- www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs deleted
- www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json 1.1
- www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs 1.1
- www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h deleted
- www/firefox/patches/patch-toolkit_moz.configure               1.10
- www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp    deleted
- www/firefox/patches/patch-xpcom_build_BinaryPath.h            1.3-1.4

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Jan 24 16:21:43 UTC 2018

   Modified Files:
           pkgsrc/devel/nspr: Makefile distinfo
   Added Files:
           pkgsrc/devel/nspr/patches: patch-nspr_pr_include_md___pth.h
               patch-nspr_pr_src_pthreads_ptthread.c
   Removed Files:
           pkgsrc/devel/nspr/patches: patch-az patch-nsprpub_pr_include_md__pth.h

   Log Message:
   Update to 4.18

   Changelog:
   NSPR 4.18 contains the following changes:
   - removed HP-UX DCE threads support
   - improvements for the Windows implementation of PR_SetCurrentThreadName
   - fixes for the Windows implementation of TCP Fast Open


   To generate a diff of this commit:
   cvs rdiff -u -r1.93 -r1.94 pkgsrc/devel/nspr/Makefile
   cvs rdiff -u -r1.47 -r1.48 pkgsrc/devel/nspr/distinfo
   cvs rdiff -u -r1.4 -r0 pkgsrc/devel/nspr/patches/patch-az
   cvs rdiff -u -r0 -r1.1 \
       pkgsrc/devel/nspr/patches/patch-nspr_pr_include_md___pth.h \
       pkgsrc/devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c
   cvs rdiff -u -r1.3 -r0 \
       pkgsrc/devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Mar 17 01:06:18 UTC 2018

   Modified Files:
           pkgsrc/devel/nspr: Makefile distinfo

   Log Message:
   Update to 4.29

   Changelog:
   NSPR 4.19 contains the following changes:
   - changed order of shutdown cleanup to avoid a crash on Mac OSX
   - build compatibility with Android NDK r16 and glibc 2.26


   To generate a diff of this commit:
   cvs rdiff -u -r1.94 -r1.95 pkgsrc/devel/nspr/Makefile
   cvs rdiff -u -r1.48 -r1.49 pkgsrc/devel/nspr/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Jan 24 16:23:52 UTC 2018

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo
   Removed Files:
           pkgsrc/devel/nss/patches: patch-nss_lib_freebl_config.mk
               patch-nss_lib_freebl_verified_kremlib.h

   Log Message:
   Update to 3.35

   Changelog:
   The NSS team has released Network Security Services (NSS) 3.35,
   which is a minor release.

   Summary of the major changes included in this release:
   - The default database storage format has been changed to SQL,
     using filenames cert9.db, key4.db, pkcs11.txt.
   - TLS 1.3 support has been updated to draft -23, along with
     additional significant changes.
   - Support for TLS compression was removed.
   - Added formally verified implementations of non-vectorized Chacha20
     and non-vectorized Poly1305 64-bit.
   - When creating encrypted PKCS#7 or PKCS#12 data, NSS uses a
     higher iteration count for stronger security.
   - The CA trust list was updated to version 2.22.


   To generate a diff of this commit:
   cvs rdiff -u -r1.145 -r1.146 pkgsrc/devel/nss/Makefile
   cvs rdiff -u -r1.80 -r1.81 pkgsrc/devel/nss/distinfo
   cvs rdiff -u -r1.2 -r0 \
       pkgsrc/devel/nss/patches/patch-nss_lib_freebl_config.mk
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Mar 17 01:07:15 UTC 2018

   Modified Files:
           pkgsrc/devel/nss: Makefile PLIST distinfo

   Log Message:
   Update to 3.36

   * Require devel/nspr-4.19

   Changelog:
   The NSS team has released Network Security Services (NSS) 3.36,
   which is a minor release.

   Summary of the major changes included in this release:
   - Replaced existing vectorized ChaCha20 code with verified
     HACL* implementation.
   - Experimental APIs for TLS session cache handling.


   To generate a diff of this commit:
   cvs rdiff -u -r1.147 -r1.148 pkgsrc/devel/nss/Makefile
   cvs rdiff -u -r1.23 -r1.24 pkgsrc/devel/nss/PLIST
   cvs rdiff -u -r1.82 -r1.83 pkgsrc/devel/nss/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Jan 31 14:02:18 UTC 2018

   Modified Files:
           pkgsrc/www/firefox: Makefile distinfo
   Added Files:
           pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h

   Log Message:
   Update to 58.0.1

   * Fix build under netbsd-7, PR pkg/52956

   Changelog:
   Fix Mozilla Foundation Security Advisory 2018-05:
   Arbitrary code execution through unsanitized browser UI

   When using certain non-default security policies on Windows (for
   example with Windows Defender Exploit Protection or Webroot security
   products), Firefox 58.0 would fail to load pages (bug 1433065).


   To generate a diff of this commit:
   cvs rdiff -u -r1.319 -r1.320 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.306 -r1.307 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r0 -r1.3 \
       pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Feb 10 07:02:47 UTC 2018

   Modified Files:
           pkgsrc/www/firefox: Makefile distinfo mozilla-common.mk
           pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h

   Log Message:
   Update to 58.0.2

   * Fix segfault on netbsd-7

   Changelog:
   Fix
       Avoid a signature validation issue during update on macOS

       Blocklisted graphics drivers related to off main thread painting crashes

       Tab crash during printing

       Fix clicking links and scrolling emails on Microsoft Hotmail and Outlook
         (OWA) webmail


   To generate a diff of this commit:
   cvs rdiff -u -r1.320 -r1.321 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.307 -r1.308 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.104 -r1.105 pkgsrc/www/firefox/mozilla-common.mk
   cvs rdiff -u -r1.3 -r1.4 \
       pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Mar 17 00:59:03 UTC 2018

   Modified Files:
           pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk
           pkgsrc/www/firefox/patches: patch-aa patch-build_gyp.mozbuild
               patch-config_external_moz.build patch-dom_media_moz.build
               patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build
               patch-gfx_thebes_moz.build patch-media_libcubeb_gtest_moz.build
               patch-media_libtheora_moz.build patch-media_libvorbis_moz.build
               patch-modules_pdfium_update.sh patch-netwerk_dns_moz.build
               patch-toolkit_moz.configure
   Added Files:
           pkgsrc/www/firefox/patches:
               patch-build_moz.configure_keyfiles.configure
               patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc
               patch-modules_libpref_init_all.js
               patch-third__party_rust_simd_.cargo-checksum.json
               patch-third__party_rust_simd_src_x86_avx2.rs
   Removed Files:
           pkgsrc/www/firefox/patches: patch-build_moz.configure_memory.configure
               patch-config_baseconfig.mk
               patch-netwerk_srtp_src_crypto_hash_hmac.c
               patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c
               patch-servo_components_style_properties_helpers_animated__properties.mako.rs
               patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h
               patch-toolkit_xre_nsEmbedFunctions.cpp

   Log Message:
   Update to 59.0.1

   Changelog:
   59.0.1
   Security fix
   #CVE-2018-5146: Out of bounds memory write in libvorbis

   59.0
   New
       Performance enhancements:
       - Faster load times for content on the Firefox Home page
       - Faster page load times by loading either from the networked cache
           or the cache on the user's hard drive (Race Cache With Network)
       - Improved graphics rendering using Off-Main-Thread Painting (OMTP)
           for Mac users (OMTP for Windows was released in Firefox 58)

       Drag-and-drop to rearrange Top Sites on the Firefox Home page, and
         customize new windows and tabs in other ways

       Added features for Firefox Screenshots:
       - Basic annotation lets the user draw on and highlight saved screenshots
       - Recropping to change the viewable area of saved screenshots

       Enhanced WebExtensions API including better support for decentralized
         protocols and the ability to dynamically register content scripts

       Improved Real-Time Communications (RTC) capabilities.
       - Implemented RTP Transceiver to give pages more fine-grained control
           over calls
       - Implemented features to support large-scale conferences

       Added support for W3C specs for pointer events and improved platform
         integration with added device support for mouse, pen, and touch
         screen pointer input

       Added the Ecosia search engine as an option for German Firefox

       Added the Qwant search engine as an option for French Firefox

       Added settings in about:preferences to stop websites from asking to
         send notifications or access your device's camera, microphone, and
         location, while still allowing trusted websites to use these features

   Fixed
       Various security fixes

   Changed
       Firefox Private Browsing Mode will remove path information from
         referrers to prevent cross-site tracking

   Security fixes:
   #CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
   #CVE-2018-5128: Use-after-free manipulating editor selection ranges
   #CVE-2018-5129: Out-of-bounds write with malformed IPC messages
   #CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
   #CVE-2018-5131: Fetch API improperly returns cached copies of
     no-store/no-cache resources
   #CVE-2018-5132: WebExtension Find API can search privileged pages
   #CVE-2018-5133: Value of the app.support.baseURL preference is not properly
     sanitized
   #CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content
     restrictions
   #CVE-2018-5135: WebExtension browserAction can inject scripts into
     unintended contexts
   #CVE-2018-5136: Same-origin policy violation with data: URL shared workers
   #CVE-2018-5137: Script content can access legacy extension
     non-contentaccessible resources
   #CVE-2018-5138: Android Custom Tab address spoofing through long domain names
   #CVE-2018-5140: Moz-icon images accessible to web content through moz-icon:
     protocol
   #CVE-2018-5141: DOS attack through notifications Push API
   #CVE-2018-5142: Media Capture and Streams API permissions display
     incorrect origin with data: and blob: URLs
   #CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into
     addressbar
   #CVE-2018-5126: Memory safety bugs fixed in Firefox 59
   #CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7


   To generate a diff of this commit:
   cvs rdiff -u -r1.323 -r1.324 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.126 -r1.127 pkgsrc/www/firefox/PLIST
   cvs rdiff -u -r1.308 -r1.309 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.105 -r1.106 pkgsrc/www/firefox/mozilla-common.mk
   cvs rdiff -u -r1.55 -r1.56 pkgsrc/www/firefox/patches/patch-aa
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/firefox/patches/patch-build_gyp.mozbuild \
       pkgsrc/www/firefox/patches/patch-gfx_skia_generate__mozbuild.py \
       pkgsrc/www/firefox/patches/patch-media_libtheora_moz.build \
       pkgsrc/www/firefox/patches/patch-netwerk_dns_moz.build
   cvs rdiff -u -r0 -r1.5 \
       pkgsrc/www/firefox/patches/patch-build_moz.configure_keyfiles.configure
   cvs rdiff -u -r1.2 -r0 \
       pkgsrc/www/firefox/patches/patch-build_moz.configure_memory.configure \
       pkgsrc/www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h
   cvs rdiff -u -r1.10 -r0 pkgsrc/www/firefox/patches/patch-config_baseconfig.mk
   cvs rdiff -u -r1.16 -r1.17 \
       pkgsrc/www/firefox/patches/patch-config_external_moz.build
   cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/firefox/patches/patch-dom_media_moz.build \
       pkgsrc/www/firefox/patches/patch-gfx_thebes_moz.build
   cvs rdiff -u -r1.14 -r1.15 \
       pkgsrc/www/firefox/patches/patch-gfx_skia_moz.build
   cvs rdiff -u -r1.1 -r1.2 \
       pkgsrc/www/firefox/patches/patch-media_libcubeb_gtest_moz.build \
       pkgsrc/www/firefox/patches/patch-modules_pdfium_update.sh
   cvs rdiff -u -r1.3 -r1.4 \
       pkgsrc/www/firefox/patches/patch-media_libvorbis_moz.build
   cvs rdiff -u -r0 -r1.1 \
       pkgsrc/www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc \
       pkgsrc/www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json \
       pkgsrc/www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs
   cvs rdiff -u -r0 -r1.7 \
       pkgsrc/www/firefox/patches/patch-modules_libpref_init_all.js
   cvs rdiff -u -r1.4 -r0 \
       pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c
   cvs rdiff -u -r1.3 -r0 \
       pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs
   cvs rdiff -u -r1.9 -r1.10 \
       pkgsrc/www/firefox/patches/patch-toolkit_moz.configure
   cvs rdiff -u -r1.7 -r0 \
       pkgsrc/www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Jan 31 14:03:25 UTC 2018

   Modified Files:
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   Update to 58.0.1

   * Sync with www/firefox-58.0.1


   To generate a diff of this commit:
   cvs rdiff -u -r1.120 -r1.121 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.110 -r1.111 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Feb 10 07:05:20 UTC 2018

   Modified Files:
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   Update to 58.0.2

   * Sync with www/firefox-58.0.2


   To generate a diff of this commit:
   cvs rdiff -u -r1.121 -r1.122 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.111 -r1.112 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Mar 17 01:00:20 UTC 2018

   Modified Files:
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   Update to 59.0.1

   * Sync with www/firefox-59.0.1


   To generate a diff of this commit:
   cvs rdiff -u -r1.122 -r1.123 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.112 -r1.113 pkgsrc/www/firefox-l10n/distinfo

Revision 1.127, Sat Mar 17 00:59:02 2018 UTC (4 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since 1.126: +90 -78 lines

Update to 59.0.1

Changelog:
59.0.1
Security fix
#CVE-2018-5146: Out of bounds memory write in libvorbis

59.0
New
    Performance enhancements:
    - Faster load times for content on the Firefox Home page
    - Faster page load times by loading either from the networked cache
        or the cache on the user's hard drive (Race Cache With Network)
    - Improved graphics rendering using Off-Main-Thread Painting (OMTP)
        for Mac users (OMTP for Windows was released in Firefox 58)

    Drag-and-drop to rearrange Top Sites on the Firefox Home page, and
      customize new windows and tabs in other ways

    Added features for Firefox Screenshots:
    - Basic annotation lets the user draw on and highlight saved screenshots
    - Recropping to change the viewable area of saved screenshots

    Enhanced WebExtensions API including better support for decentralized
      protocols and the ability to dynamically register content scripts

    Improved Real-Time Communications (RTC) capabilities.
    - Implemented RTP Transceiver to give pages more fine-grained control
        over calls
    - Implemented features to support large-scale conferences

    Added support for W3C specs for pointer events and improved platform
      integration with added device support for mouse, pen, and touch
      screen pointer input

    Added the Ecosia search engine as an option for German Firefox

    Added the Qwant search engine as an option for French Firefox

    Added settings in about:preferences to stop websites from asking to
      send notifications or access your device's camera, microphone, and
      location, while still allowing trusted websites to use these features

Fixed
    Various security fixes

Changed
    Firefox Private Browsing Mode will remove path information from
      referrers to prevent cross-site tracking

Security fixes:
#CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
#CVE-2018-5128: Use-after-free manipulating editor selection ranges
#CVE-2018-5129: Out-of-bounds write with malformed IPC messages
#CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
#CVE-2018-5131: Fetch API improperly returns cached copies of
  no-store/no-cache resources
#CVE-2018-5132: WebExtension Find API can search privileged pages
#CVE-2018-5133: Value of the app.support.baseURL preference is not properly
  sanitized
#CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content
  restrictions
#CVE-2018-5135: WebExtension browserAction can inject scripts into
  unintended contexts
#CVE-2018-5136: Same-origin policy violation with data: URL shared workers
#CVE-2018-5137: Script content can access legacy extension
  non-contentaccessible resources
#CVE-2018-5138: Android Custom Tab address spoofing through long domain names
#CVE-2018-5140: Moz-icon images accessible to web content through moz-icon:
  protocol
#CVE-2018-5141: DOS attack through notifications Push API
#CVE-2018-5142: Media Capture and Streams API permissions display
  incorrect origin with data: and blob: URLs
#CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into
  addressbar
#CVE-2018-5126: Memory safety bugs fixed in Firefox 59
#CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7

Revision 1.125.2.1, Fri Mar 9 07:17:29 2018 UTC (4 years, 8 months ago) by spz
Branch: pkgsrc-2017Q4
Changes since 1.125: +557 -267 lines

Pullup ticket #5695 - requested by he and maya
www/firefox: security update
www/firefox-l10n: dependent update

NOTE: firefox-58 needs rust and rust in pkgsrc-2017Q4 needs /proc

Revisions pulled up:
- www/firefox-l10n/Makefile                                     1.117-1.120
- www/firefox-l10n/PLIST                                        1.58-1.59
- www/firefox-l10n/distinfo                                     1.108-1.110
- www/firefox/Makefile                                          1.316-1.318
- www/firefox/PLIST                                             1.126
- www/firefox/distinfo                                          1.304-1.306
- www/firefox/mozilla-common.mk                                 1.103-1.104
- www/firefox/patches/patch-aa                                  1.55
- www/firefox/patches/patch-build_moz.configure_keyfiles.configure deleted
- www/firefox/patches/patch-config_Makefile.in                  deleted
- www/firefox/patches/patch-config_system-headers               deleted
- www/firefox/patches/patch-config_system-headers.mozbuild      1.1
- www/firefox/patches/patch-dom_media_flac_FlacDecoder.cpp      1.1
- www/firefox/patches/patch-dom_media_moz.build                 1.8
- www/firefox/patches/patch-intl_unicharutil_util_moz.build     1.7
- www/firefox/patches/patch-ipc_chromium_src_base_process__util.h deleted
- www/firefox/patches/patch-ipc_glue_MessageChannel.cpp         1.1
- www/firefox/patches/patch-js_src_build_moz.build              1.2
- www/firefox/patches/patch-media_libcubeb_src_cubeb__alsa.c    1.26
- www/firefox/patches/patch-media_libsoundtouch_src_cpu__detect__x86.cpp deleted
- www/firefox/patches/patch-netwerk_dns_moz.build               1.7
- www/firefox/patches/patch-servo_components_gfx_font.rs        deleted
- www/firefox/patches/patch-servo_components_net__traits_response.rs deleted
- www/firefox/patches/patch-servo_components_net_fetch_cors__cache.rs deleted
- www/firefox/patches/patch-servo_components_net_fetch_methods.rs deleted
- www/firefox/patches/patch-servo_components_net_websocket__loader.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_bindings_str.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_blob.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_cssstyledeclaration.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_document.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_element.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_htmlelement.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_htmllinkelement.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_htmlmetaelement.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_htmlscriptelement.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_macros.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_namednodemap.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_serviceworkercontainer.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_servoparser_async__html.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_websocket.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_window.rs deleted
- www/firefox/patches/patch-servo_components_script_dom_xmlhttprequest.rs deleted
- www/firefox/patches/patch-servo_components_selectors_attr.rs  deleted
- www/firefox/patches/patch-servo_components_selectors_parser.rs deleted
- www/firefox/patches/patch-servo_components_style__traits_viewport.rs deleted
- www/firefox/patches/patch-servo_components_style_attr.rs      deleted
- www/firefox/patches/patch-servo_components_style_counter__style_mod.rs deleted
- www/firefox/patches/patch-servo_components_style_custom__properties.rs deleted
- www/firefox/patches/patch-servo_components_style_gecko__string__cache_mod.rs deleted
- www/firefox/patches/patch-servo_components_style_gecko_generated_pseudo__element__definition.rs deleted
- www/firefox/patches/patch-servo_components_style_gecko_pseudo__element__definition.mako.rs deleted
- www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs 1.1
- www/firefox/patches/patch-servo_components_style_properties_longhand_font.mako.rs deleted
- www/firefox/patches/patch-servo_components_style_properties_longhand_pointing.mako.rs deleted
- www/firefox/patches/patch-servo_components_style_servo_selector__parser.rs deleted
- www/firefox/patches/patch-servo_components_style_str.rs       deleted
- www/firefox/patches/patch-servo_components_style_stylesheets_viewport__rule.rs deleted
- www/firefox/patches/patch-servo_components_style_values_mod.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_align.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_angle.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_calc.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_grid.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_length.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_mod.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_percentage.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_text.rs deleted
- www/firefox/patches/patch-servo_components_style_values_specified_time.rs deleted
- www/firefox/patches/patch-third__party_python_futures_concurrent_futures_process.py 1.3
- www/firefox/patches/patch-toolkit_components_protobuf_src_google_protobuf_stubs_atomicops.h 1.4
- www/firefox/patches/patch-toolkit_moz.configure               1.9
- www/firefox/patches/patch-toolkit_mozapps_installer_packager.mk 1.1
- www/firefox/patches/patch-xpcom_reflect_xptcall_md_unix_Makefile.in deleted

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Mon Jan  1 07:02:17 UTC 2018

   Modified Files:
   	pkgsrc/www/firefox: Makefile distinfo

   Log Message:
   Update to 57.0.3

   Changelog:
   Fixed
     * Fix a crash reporting issue that inadvertently sends background tab
       crash reports to Mozilla without user opt-in (bug 1427111)


   To generate a diff of this commit:
   cvs rdiff -u -r1.315 -r1.316 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.303 -r1.304 pkgsrc/www/firefox/distinfo

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Mon Jan  1 07:03:33 UTC 2018

   Modified Files:
   	pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   Update to 57.0.3

   * Sync with www/firefox-57.0.3


   To generate a diff of this commit:
   cvs rdiff -u -r1.116 -r1.117 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.107 -r1.108 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Mon Jan  8 09:37:57 UTC 2018

   Modified Files:
   	pkgsrc/www/firefox: Makefile distinfo mozilla-common.mk
   Added Files:
   	pkgsrc/www/firefox/patches: patch-servo_components_gfx_font.rs
   	    patch-servo_components_net__traits_response.rs
   	    patch-servo_components_net_fetch_cors__cache.rs
   	    patch-servo_components_net_fetch_methods.rs
   	    patch-servo_components_net_websocket__loader.rs
   	    patch-servo_components_script_dom_bindings_str.rs
   	    patch-servo_components_script_dom_blob.rs
   	    patch-servo_components_script_dom_cssstyledeclaration.rs
   	    patch-servo_components_script_dom_document.rs
   	    patch-servo_components_script_dom_element.rs
   	    patch-servo_components_script_dom_htmlelement.rs
   	    patch-servo_components_script_dom_htmllinkelement.rs
   	    patch-servo_components_script_dom_htmlmetaelement.rs
   	    patch-servo_components_script_dom_htmlscriptelement.rs
   	    patch-servo_components_script_dom_macros.rs
   	    patch-servo_components_script_dom_namednodemap.rs
   	    patch-servo_components_script_dom_serviceworkercontainer.rs
   	    patch-servo_components_script_dom_servoparser_async__html.rs
   	    patch-servo_components_script_dom_websocket.rs
   	    patch-servo_components_script_dom_window.rs
   	    patch-servo_components_script_dom_xmlhttprequest.rs
   	    patch-servo_components_selectors_attr.rs
   	    patch-servo_components_selectors_parser.rs
   	    patch-servo_components_style__traits_viewport.rs
   	    patch-servo_components_style_attr.rs
   	    patch-servo_components_style_counter__style_mod.rs
   	    patch-servo_components_style_custom__properties.rs
   	    patch-servo_components_style_gecko__string__cache_mod.rs
   	    patch-servo_components_style_gecko_generated_pseudo__element__definition.rs
   	    patch-servo_components_style_gecko_pseudo__element__definition.mako.rs
   	    patch-servo_components_style_properties_longhand_font.mako.rs
   	    patch-servo_components_style_properties_longhand_pointing.mako.rs
   	    patch-servo_components_style_servo_selector__parser.rs
   	    patch-servo_components_style_str.rs
   	    patch-servo_components_style_stylesheets_viewport__rule.rs
   	    patch-servo_components_style_values_mod.rs
   	    patch-servo_components_style_values_specified_align.rs
   	    patch-servo_components_style_values_specified_angle.rs
   	    patch-servo_components_style_values_specified_calc.rs
   	    patch-servo_components_style_values_specified_grid.rs
   	    patch-servo_components_style_values_specified_length.rs
   	    patch-servo_components_style_values_specified_mod.rs
   	    patch-servo_components_style_values_specified_percentage.rs
   	    patch-servo_components_style_values_specified_text.rs
   	    patch-servo_components_style_values_specified_time.rs

   Log Message:
   Update to 57.0.4

   * Use lang/rust-1.23.0

   Changelog:
   Speculative execution side-channel attack ("Spectre")

   Announced
       January 4, 2018
   Reporter
       Jann Horn (Google Project Zero); Microsoft Vulnerability Research
   Impact
       High
   Products
       Firefox
   Fixed in
       Firefox 57.0.4

   Description

   Jann Horn of Google Project Zero Security reported that speculative
   execution performed by modern CPUs could leak information through
   a timing side-channel attack. Microsoft Vulnerability Research extended
   this attack to browser JavaScript engines and demonstrated that code on
   a malicious web page could read data from other web sites (violating
   the same-origin policy) or private data from the browser itself.

   Since this new class of attacks involves measuring precise time intervals,
   as a partial, short-term, mitigation we are disabling or reducing
   the precision of several time sources in Firefox. The precision of
   performance.now() has been reduced from 5us to 20us, and
   the SharedArrayBuffer feature has been disabled because it can be
   used to construct a high-resolution timer.

   SharedArrayBuffer is already disabled in Firefox 52 ESR.


   To generate a diff of this commit:
   cvs rdiff -u -r1.316 -r1.317 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.304 -r1.305 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.102 -r1.103 pkgsrc/www/firefox/mozilla-common.mk
   cvs rdiff -u -r0 -r1.1 \
       pkgsrc/www/firefox/patches/patch-servo_components_gfx_font.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_net__traits_response.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_net_fetch_cors__cache.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_net_fetch_methods.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_net_websocket__loader.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_bindings_str.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_blob.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_element.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlelement.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmllinkelement.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlmetaelement.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlscriptelement.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_macros.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_namednodemap.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_serviceworkercontainer.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_websocket.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_window.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_selectors_attr.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style__traits_viewport.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_attr.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_counter__style_mod.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_custom__properties.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_gecko__string__cache_mod.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_gecko_generated_pseudo__element__definition.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_gecko_pseudo__element__definition.mako.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_properties_longhand_font.mako.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_properties_longhand_pointing.mako.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_servo_selector__parser.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_str.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_stylesheets_viewport__rule.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_mod.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_align.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_angle.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_calc.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_grid.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_length.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_mod.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_percentage.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_text.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_time.rs
   cvs rdiff -u -r0 -r1.3 \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_cssstyledeclaration.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_document.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_servoparser_async__html.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_xmlhttprequest.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_selectors_parser.rs

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Sun Jan 21 01:29:28 UTC 2018

   Modified Files:
   	pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   Update to 57.0.4

   * Sync with www/firefox-57.0.4


   To generate a diff of this commit:
   cvs rdiff -u -r1.117 -r1.118 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.108 -r1.109 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Wed Jan 24 16:52:08 UTC 2018

   Modified Files:
   	pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk
   	pkgsrc/www/firefox/patches: patch-aa patch-dom_media_moz.build
   	    patch-intl_unicharutil_util_moz.build patch-js_src_build_moz.build
   	    patch-media_libcubeb_src_cubeb__alsa.c patch-netwerk_dns_moz.build
   	    patch-toolkit_components_protobuf_src_google_protobuf_stubs_atomicops.h
   	    patch-toolkit_moz.configure
   Added Files:
   	pkgsrc/www/firefox/patches: patch-config_system-headers.mozbuild
   	    patch-dom_media_flac_FlacDecoder.cpp
   	    patch-ipc_glue_MessageChannel.cpp
   	    patch-servo_components_style_properties_helpers_animated__properties.mako.rs
   	    patch-third__party_python_futures_concurrent_futures_process.py
   	    patch-toolkit_mozapps_installer_packager.mk
   Removed Files:
   	pkgsrc/www/firefox/patches:
   	    patch-build_moz.configure_keyfiles.configure
   	    patch-config_Makefile.in patch-config_system-headers
   	    patch-ipc_chromium_src_base_process__util.h
   	    patch-media_libsoundtouch_src_cpu__detect__x86.cpp
   	    patch-servo_components_gfx_font.rs
   	    patch-servo_components_net__traits_response.rs
   	    patch-servo_components_net_fetch_cors__cache.rs
   	    patch-servo_components_net_fetch_methods.rs
   	    patch-servo_components_net_websocket__loader.rs
   	    patch-servo_components_script_dom_bindings_str.rs
   	    patch-servo_components_script_dom_blob.rs
   	    patch-servo_components_script_dom_cssstyledeclaration.rs
   	    patch-servo_components_script_dom_document.rs
   	    patch-servo_components_script_dom_element.rs
   	    patch-servo_components_script_dom_htmlelement.rs
   	    patch-servo_components_script_dom_htmllinkelement.rs
   	    patch-servo_components_script_dom_htmlmetaelement.rs
   	    patch-servo_components_script_dom_htmlscriptelement.rs
   	    patch-servo_components_script_dom_macros.rs
   	    patch-servo_components_script_dom_namednodemap.rs
   	    patch-servo_components_script_dom_serviceworkercontainer.rs
   	    patch-servo_components_script_dom_servoparser_async__html.rs
   	    patch-servo_components_script_dom_websocket.rs
   	    patch-servo_components_script_dom_window.rs
   	    patch-servo_components_script_dom_xmlhttprequest.rs
   	    patch-servo_components_selectors_attr.rs
   	    patch-servo_components_selectors_parser.rs
   	    patch-servo_components_style__traits_viewport.rs
   	    patch-servo_components_style_attr.rs
   	    patch-servo_components_style_counter__style_mod.rs
   	    patch-servo_components_style_custom__properties.rs
   	    patch-servo_components_style_gecko__string__cache_mod.rs
   	    patch-servo_components_style_gecko_generated_pseudo__element__definition.rs
   	    patch-servo_components_style_gecko_pseudo__element__definition.mako.rs
   	    patch-servo_components_style_properties_longhand_font.mako.rs
   	    patch-servo_components_style_properties_longhand_pointing.mako.rs
   	    patch-servo_components_style_servo_selector__parser.rs
   	    patch-servo_components_style_str.rs
   	    patch-servo_components_style_stylesheets_viewport__rule.rs
   	    patch-servo_components_style_values_mod.rs
   	    patch-servo_components_style_values_specified_align.rs
   	    patch-servo_components_style_values_specified_angle.rs
   	    patch-servo_components_style_values_specified_calc.rs
   	    patch-servo_components_style_values_specified_grid.rs
   	    patch-servo_components_style_values_specified_length.rs
   	    patch-servo_components_style_values_specified_mod.rs
   	    patch-servo_components_style_values_specified_percentage.rs
   	    patch-servo_components_style_values_specified_text.rs
   	    patch-servo_components_style_values_specified_time.rs
   	    patch-xpcom_reflect_xptcall_md_unix_Makefile.in

   Log Message:
   Update to 58.0

   Changelog:
   New
       Performance improvements, including:
           Rendering graphics for Windows users by using Off-Main-Thread
              Painting (OMTP)
           Loading pages faster by changing how Firefox caches and retrieves
              JavaScript

       Improvements to Firefox Screenshots:
           Copy and paste screenshots directly to your clipboard
           Firefox Screenshots now works in Private Browsing mode

       Added Nepali (ne-NP) locale

       In case you missed it--57 Release privacy and performance feature:
         Users can enable Tracking Protection at all times. Learn how to turn
         Tracking Protection on.

   Fixed
       Fonts installed in non-standard directories will no longer appear
         blank for Linux users

       Various security fixes

   Changed
       User profiles created in Firefox 58 (and in future releases) are not
       supported in previous versions of Firefox. Users who downgrade to
       a previous version should create a new profile for that version.
       Learn about alternatives to downgrading on our support site.

       Added a warning to alert users and site owners of planned security
       changes to sites affected by the gradual distrust plan for
       the Symantec certificate authority

   #CVE-2018-5091: Use-after-free with DTMF timers
   #CVE-2018-5092: Use-after-free in Web Workers
   #CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing
   #CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on
    uninitialized memory
   #CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
   #CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
   #CVE-2018-5098: Use-after-free while manipulating form input elements
   #CVE-2018-5099: Use-after-free with widget listener
   #CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are
    freed from memory
   #CVE-2018-5101: Use-after-free with floating first-letter style elements
   #CVE-2018-5102: Use-after-free in HTML media elements
   #CVE-2018-5103: Use-after-free during mouse event handling
   #CVE-2018-5104: Use-after-free during font face manipulation
   #CVE-2018-5105: WebExtensions can save and execute files on local file
    system without user prompts
   #CVE-2018-5106: Developer Tools can expose style editor information
    cross-origin through service worker
   #CVE-2018-5107: Printing process will follow symlinks for local file access
   #CVE-2018-5108: Manually entered blob URL can be accessed by subsequent
    private browsing tabs
   #CVE-2018-5109: Audio capture prompts and starts with incorrect origin
    attribution
   #CVE-2018-5110: Cursor can be made invisible on OS X
   #CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
   #CVE-2018-5118: Activity Stream images can attempt to load local content
    through file:
   #CVE-2018-5119: Reader view will load cross-origin content in violation
    of CORS headers
   #CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar
   #CVE-2018-5122: Potential integer overflow in DoCrypt
   #CVE-2018-5090: Memory safety bugs fixed in Firefox 58
   #CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6


   To generate a diff of this commit:
   cvs rdiff -u -r1.317 -r1.318 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.125 -r1.126 pkgsrc/www/firefox/PLIST
   cvs rdiff -u -r1.305 -r1.306 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.103 -r1.104 pkgsrc/www/firefox/mozilla-common.mk
   cvs rdiff -u -r1.54 -r1.55 pkgsrc/www/firefox/patches/patch-aa
   cvs rdiff -u -r1.3 -r0 \
       pkgsrc/www/firefox/patches/patch-build_moz.configure_keyfiles.configure \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_cssstyledeclaration.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_document.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_servoparser_async__html.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_xmlhttprequest.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_selectors_parser.rs \
       pkgsrc/www/firefox/patches/patch-xpcom_reflect_xptcall_md_unix_Makefile.in
   cvs rdiff -u -r1.11 -r0 pkgsrc/www/firefox/patches/patch-config_Makefile.in
   cvs rdiff -u -r1.25 -r0 \
       pkgsrc/www/firefox/patches/patch-config_system-headers
   cvs rdiff -u -r0 -r1.1 \
       pkgsrc/www/firefox/patches/patch-config_system-headers.mozbuild \
       pkgsrc/www/firefox/patches/patch-dom_media_flac_FlacDecoder.cpp \
       pkgsrc/www/firefox/patches/patch-ipc_glue_MessageChannel.cpp \
       pkgsrc/www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs \
       pkgsrc/www/firefox/patches/patch-toolkit_mozapps_installer_packager.mk
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/firefox/patches/patch-dom_media_moz.build
   cvs rdiff -u -r1.6 -r1.7 \
       pkgsrc/www/firefox/patches/patch-intl_unicharutil_util_moz.build \
       pkgsrc/www/firefox/patches/patch-netwerk_dns_moz.build
   cvs rdiff -u -r1.6 -r0 \
       pkgsrc/www/firefox/patches/patch-ipc_chromium_src_base_process__util.h
   cvs rdiff -u -r1.1 -r1.2 \
       pkgsrc/www/firefox/patches/patch-js_src_build_moz.build
   cvs rdiff -u -r1.25 -r1.26 \
       pkgsrc/www/firefox/patches/patch-media_libcubeb_src_cubeb__alsa.c
   cvs rdiff -u -r1.5 -r0 \
       pkgsrc/www/firefox/patches/patch-media_libsoundtouch_src_cpu__detect__x86.cpp
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/www/firefox/patches/patch-servo_components_gfx_font.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_net__traits_response.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_net_fetch_cors__cache.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_net_fetch_methods.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_net_websocket__loader.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_bindings_str.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_blob.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_element.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlelement.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmllinkelement.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlmetaelement.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_htmlscriptelement.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_macros.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_namednodemap.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_serviceworkercontainer.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_websocket.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_script_dom_window.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_selectors_attr.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style__traits_viewport.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_attr.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_counter__style_mod.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_custom__properties.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_gecko__string__cache_mod.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_gecko_generated_pseudo__element__definition.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_gecko_pseudo__element__definition.mako.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_properties_longhand_font.mako.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_properties_longhand_pointing.mako.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_servo_selector__parser.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_str.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_stylesheets_viewport__rule.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_mod.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_align.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_angle.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_calc.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_grid.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_length.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_mod.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_percentage.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_text.rs \
       pkgsrc/www/firefox/patches/patch-servo_components_style_values_specified_time.rs
   cvs rdiff -u -r0 -r1.3 \
       pkgsrc/www/firefox/patches/patch-third__party_python_futures_concurrent_futures_process.py
   cvs rdiff -u -r1.3 -r1.4 \
       pkgsrc/www/firefox/patches/patch-toolkit_components_protobuf_src_google_protobuf_stubs_atomicops.h
   cvs rdiff -u -r1.8 -r1.9 \
       pkgsrc/www/firefox/patches/patch-toolkit_moz.configure

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Wed Jan 24 16:54:05 UTC 2018

   Modified Files:
   	pkgsrc/www/firefox-l10n: Makefile PLIST distinfo

   Log Message:
   Update to 58.0

   * Sync with www/firefox-58.0
   * Add ne-NP locale


   To generate a diff of this commit:
   cvs rdiff -u -r1.118 -r1.119 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.57 -r1.58 pkgsrc/www/firefox-l10n/PLIST
   cvs rdiff -u -r1.109 -r1.110 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Mon Jan 29 15:22:54 UTC 2018

   Modified Files:
   	pkgsrc/www/firefox-l10n: Makefile PLIST

   Log Message:
   Previous revision does not work. Install xpi files instead. Bump PKGREVISION


   To generate a diff of this commit:
   cvs rdiff -u -r1.119 -r1.120 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.58 -r1.59 pkgsrc/www/firefox-l10n/PLIST

Revision 1.126, Wed Jan 24 16:52:08 2018 UTC (4 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.125: +557 -267 lines

Update to 58.0

Changelog:
New
    Performance improvements, including:
        Rendering graphics for Windows users by using Off-Main-Thread
           Painting (OMTP)
        Loading pages faster by changing how Firefox caches and retrieves
           JavaScript

    Improvements to Firefox Screenshots:
        Copy and paste screenshots directly to your clipboard
        Firefox Screenshots now works in Private Browsing mode

    Added Nepali (ne-NP) locale

    In case you missed it--57 Release privacy and performance feature:
      Users can enable Tracking Protection at all times. Learn how to turn
      Tracking Protection on.

Fixed
    Fonts installed in non-standard directories will no longer appear
      blank for Linux users

    Various security fixes

Changed
    User profiles created in Firefox 58 (and in future releases) are not
    supported in previous versions of Firefox. Users who downgrade to
    a previous version should create a new profile for that version.
    Learn about alternatives to downgrading on our support site.

    Added a warning to alert users and site owners of planned security
    changes to sites affected by the gradual distrust plan for
    the Symantec certificate authority

#CVE-2018-5091: Use-after-free with DTMF timers
#CVE-2018-5092: Use-after-free in Web Workers
#CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing
#CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on
 uninitialized memory
#CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
#CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
#CVE-2018-5098: Use-after-free while manipulating form input elements
#CVE-2018-5099: Use-after-free with widget listener
#CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are
 freed from memory
#CVE-2018-5101: Use-after-free with floating first-letter style elements
#CVE-2018-5102: Use-after-free in HTML media elements
#CVE-2018-5103: Use-after-free during mouse event handling
#CVE-2018-5104: Use-after-free during font face manipulation
#CVE-2018-5105: WebExtensions can save and execute files on local file
 system without user prompts
#CVE-2018-5106: Developer Tools can expose style editor information
 cross-origin through service worker
#CVE-2018-5107: Printing process will follow symlinks for local file access
#CVE-2018-5108: Manually entered blob URL can be accessed by subsequent
 private browsing tabs
#CVE-2018-5109: Audio capture prompts and starts with incorrect origin
 attribution
#CVE-2018-5110: Cursor can be made invisible on OS X
#CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
#CVE-2018-5118: Activity Stream images can attempt to load local content
 through file:
#CVE-2018-5119: Reader view will load cross-origin content in violation
 of CORS headers
#CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar
#CVE-2018-5122: Potential integer overflow in DoCrypt
#CVE-2018-5090: Memory safety bugs fixed in Firefox 58
#CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6

Revision 1.125, Thu Nov 16 01:04:38 2017 UTC (5 years ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base
Branch point for: pkgsrc-2017Q4
Changes since 1.124: +231 -501 lines

Update to 57.0

Changelog:
New
    A completely new browsing engine, designed to take full advantage
    of the processing power in modern devices

    A redesigned interface with a clean, modern appearance, consistent
    visual elements, and optimizations for touch screens

    A unified address and search bar. New installs will see this
    unified bar. Learn how to add the stand-alone search bar to
    the toolbar

    A revamped new tab page that includes top visited sites, recently
    visited pages, and recommendations from Pocket (in the US,
    Canada, and Germany)

    An updated product tour to orient new and returning Firefox
    users

    AMD VP9 hardware video decoder support for improved video
    playback with lower power consumption

    An expanded section in preferences to manage all website
    permissions

Fixed
    Various security fixes

Changed
    Firefox now exclusively supports extensions built using the
    WebExtension API, and unsupported legacy extensions will no
    longer work. Learn more about our efforts to improve the
    performance and security of extensions

    The browser's autoscroll feature, as well as scrolling by
    keyboard input and touch-dragging of scrollbars, now use
    asynchronous scrolling. These scrolling methods are now similar
    to other input methods like mousewheel, and provide a smoother
    scrolling experience

    The content process now has a stricter security sandbox that
    blocks filesystem reading and writing on Linux, similar to the
    protections for Windows and macOS that shipped in Firefox 56

    Middle mouse paste in the content area no longer navigates to
    URLs by default on Unix systems

    Removed the toolbar Share button. If you relied on this feature,
    you can install the Share Backported extension instead.

    Some older versions of the ATOK IME, including ATOK 2006, 2008,
    2009 and 2010, can cause crashes and are therefore disabled on
    the Windows 64-bit version of Firefox Quantum. To fix those
    incompatibility issues, please use a newer version of ATOK or
    one of other IMEs.

    The default font for Japanese text is now Meiryo

Security fixes:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

Reporter
    Nils
Impact
    critical

Description

A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in
use. This results in a potentially exploitable crash during these
operations.

References
    Bug 1406750 Bug 1412252

#CVE-2017-7830: Cross-origin URL information leak through Resource
Timing API

Reporter
    Jun Kokatsu
Impact
    high

Description

The Resource Timing API incorrectly revealed navigations in
cross-origin iframes. This is a same-origin policy violation and
could allow for data theft of URLs loaded by users.

References
    Bug 1408990

#CVE-2017-7831: Information disclosure of exposed properties on
JavaScript proxy objects

Reporter
    Oriol Brufau
Impact
    moderate

Description

A vulnerability where the security wrapper does not deny access to
some exposed properties using the deprecated exposedProps mechanism
on proxy objects. These properties should be explicitly unavailable
to proxy objects.

References
    Bug 1392026

#CVE-2017-7832: Domain spoofing through use of dotless 'i' character
followed by accent markers

Reporter
    Jonathan Kew
Impact
    moderate

Description

The combined, single character, version of the letter 'i' with any
of the potential accents in unicode, such as acute or grave, can
be spoofed in the addressbar by the dotless version of 'i' followed
by the same accent as a second character with most font sets. This
allows for domain spoofing attacks because these combined domain
names do not display as punycode.

References
    Bug 1408782

#CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker
characters

Reporter
    Rayyan Bijoora
Impact
    moderate

Description

Some Arabic and Indic vowel marker characters can be combined with
Latin characters in a domain name to eclipse the non-Latin character
with some font sets on the addressbar. The non-Latin character will
not be visible to most viewers. This allows for domain spoofing
attacks because these combined domain names do not display as
punycode.

References
    Bug 1370497

#CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

Reporter
    Jordi Chancel
Impact
    moderate

Description

A data: URL loaded in a new tab did not inherit the Content Security
Policy (CSP) of the original page, allowing for bypasses of the
policy including the execution of JavaScript. In prior versions
when data: documents also inherited the context of the original
page this would allow for potential cross-site scripting (XSS)
attacks.

References
    Bug 1358009

#CVE-2017-7835: Mixed content blocking incorrectly applies with
redirects

Reporter
    Ben Kelly
Impact
    moderate

Description

Mixed content blocking of insecure (HTTP) sub-resources in a secure
(HTTPS) document was not correctly applied for resources that
redirect from HTTPS to HTTP, allowing content that should be blocked,
such as scripts, to be loaded on a page.

References
    Bug 1402363

#CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and
OS X

Reporter
    Ezra Caltum
Impact
    moderate

Description

The "pingsender" executable used by the Firefox Health Report
dynamically loads a system copy of libcurl, which an attacker could
replace. This allows for privilege escalation as the replaced
libcurl code will run with Firefox's privileges.  Note: This attack
requires an attacker have local system access and only affects OS
X and Linux. Windows systems are not affected.

References
    Bug 1401339

#CVE-2017-7837: SVG loaded as <img> can use meta tags to set cookies

Reporter
    Jun Kokatsu
Impact
    moderate

Description

SVG loaded through <img> tags can use <meta> tags within the SVG
data to set cookies for that page.

References
    Bug 1325923

#CVE-2017-7838: Failure of individual decoding of labels in
international domain names triggers punycode display of entire IDN

Reporter
    Corey Bonnell
Impact
    low

Description

Punycode format text will be displayed for entire qualified
international domain names in some instances when a sub-domain
triggers the punycode display instead of the primary domain being
displayed in native script and the sub-domain only displaying as
punycode. This could be used for limited spoofing attacks due to
user confusion.

References
    Bug 1399540

#CVE-2017-7839: Control characters before javascript: URLs defeats
self-XSS prevention mechanism

Reporter
    Eric Lawrence
Impact
    low

Description

Control characters prepended before javascript: URLs pasted in the
addressbar can cause the leading characters to be ignored and the
pasted JavaScript to be executed instead of being blocked. This
could be used in social engineering and self-cross-site-scripting
(self-XSS) attacks where users are convinced to copy and paste text
into the addressbar.

References
    Bug 1402896

#CVE-2017-7840: Exported bookmarks do not strip script elements
from user-supplied tags

Reporter
    Hanno Bock
Impact
    low

Description

JavaScript can be injected into an exported bookmarks file by
placing JavaScript code into user-supplied tags in saved bookmarks.
If the resulting exported HTML file is later opened in a browser
this JavaScript will be executed. This could be used in social
engineering and self-cross-scripting (self-XSS) attacks if users
were convinced to add malicious tags to bookmarks, export them,
and then open the resulting file.

References
    Bug 1366420

#CVE-2017-7842: Referrer Policy is not always respected for <link>
elements

Reporter
    Jun Kokatsu
Impact
    low

Description

If a document's Referrer Policy attribute is set to "no-referrer"
sometimes two network requests are made for <link> elements
instead of one. One of these requests includes the referrer instead
of respecting the set policy to not include a referrer on requests.

References
    Bug 1397064

#CVE-2017-7827: Memory safety bugs fixed in Firefox 57

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Boris Zbarsky, Carsten Book,
Christian Holler, Byron Campen, Jan de Mooij, Jason Kratzer,
Jesse Schwartzentruber, Marcia Knous, Randell Jesup, Tyson Smith,
and Ting-Yu Chou reported memory safety bugs present in Firefox 56.
Some of these bugs showed evidence of memory corruption and we presume
that with enough effort that some of these could be exploited to run
arbitrary code.

References
    Memory safety bugs fixed in Firefox 57

#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox
ESR 52.5

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Christian Holler, David
Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob
Clary, Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and
Ryan VanderMeulen reported memory safety bugs present in Firefox
56 and Firefox ESR 52.4. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.

References
    Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

Revision 1.124, Tue Oct 17 03:39:04 2017 UTC (5 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.123: +2 -1 lines

Fix webrtc build on recent NetBSD current
From rjs@. Thank you.

WebRTC connection works.
However video capture does not work.

Revision 1.123, Sat Sep 30 05:34:11 2017 UTC (5 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.122: +274 -77 lines

Update to 56.0

New
    Launched Firefox Screenshots, a feature that lets users take, save, and share screenshots without leaving the browser

    Added support for address form autofill (en-US only)

    Updated Preferences
        Added search tool so users can find a specific setting quickly
        Reorganized preferences so users can more easily scan settings
        Rewrote descriptions so users can better understand choices and how they affect browsing
        Revised data collection choices so they align with updated Privacy Notice and data collection strategy

    Media opened in a background tab will not play until the tab is selected

    Improved Send Tabs feature of Sync for iOS and Android, and Send Tabs can be discovered even by users without a Firefox Account

Changed
    Replaced character encoding converters with a new Encoding Standard-compliant implementation written in Rust

    Added hardware acceleration for AES-GCM

    Updated the Safe Browsing protocol to version 4

    Reduced update download file size by approximately 20 percent

    Improved security for verifying update downloads

Developer
    Added Layout Panel to CSS Grid DevTools

Revision 1.122, Sat Sep 2 03:47:46 2017 UTC (5 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3
Changes since 1.121: +10 -1 lines

Update to 55.0.3

Changelog:
Fixed
    Fix an issue with addons when using a path containing non-ascii characters (bug 1389160)

    Fix file uploads to some websites, including YouTube (bug 1383518)

Revision 1.121, Thu Aug 10 14:46:15 2017 UTC (5 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.120: +353 -299 lines

Update to 55.0

Changelog:
New
    Launched Windows support for WebVR, bringing immersive experiences to the web. See examples and try working demos at Mozilla VR.

    Added options that let users optimize recent performance improvements
        Setting to enable Hardware VP9 acceleration on Windows 10 Anniversary Edition for better battery life and lower CPU usage while watching videos
        Setting to modify the number of concurrent content processes for faster page loading and more responsive tab switching

    Simplified installation process with a streamlined Windows stub installer
        Firefox for Windows 64-bit is now installed by default on 64-bit systems with at least 2GB of RAM
        Full installers with advanced installation options are still available

    Improved address bar functionality
        Search with any installed one-click search engine directly from the address bar
        Search suggestions appear by default
        When entering a hostname (like pinterest.com) in the URL bar, Firefox resolves to the secure version of the site (https://www.pinterest.com) instead of the insecure version (http://www.pinterest.com) when possible

    Updated Sidebar for bookmarks, history, and synced tabs so it can appear at the right edge of the window as well as the left

    Added support for stereo microphones with WebRTC

    Pages can be simplified before printing from within Print Preview

    Updated Firefox for OSX and macOS to allow users to assign custom keyboard shortcuts to Firefox menu items via System Preferences

    Browsing sessions with a high number of tabs are now restored in an instant

    Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users.

    Added Belarusian (be) locale

Fixed
    Various security fixes

Changed
    Made the Adobe Flash plugin click-to-activate by default and allowed only on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap)

    Firefox does not support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience issues with Firefox.

    Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.

Security fixes:
CVE-2017-7798: XUL injection in the style editor in devtools

Reporter
    Frederik Braun
Impact
    critical

Description

The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool.
References

    Bug 1371586, 1372112

#CVE-2017-7800: Use-after-free in WebSockets during disconnection

Reporter
    Looben Yang
Impact
    critical

Description

A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash.
References

    Bug 1374047

#CVE-2017-7801: Use-after-free with marquee during window resizing

Reporter
    Nils
Impact
    critical

Description

A use-after-free vulnerability can occur while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash.
References

    Bug 1371259

#CVE-2017-7809: Use-after-free while deleting attached editor DOM node

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash.
References

    Bug 1380284

#CVE-2017-7784: Use-after-free with image observers

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash.
References

    Bug 1376087

#CVE-2017-7802: Use-after-free resizing image elements

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed.
References

    Bug 1378147

#CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM

Reporter
    Nils
Impact
    high

Description

A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash.
References

    Bug 1356985

#CVE-2017-7786: Buffer overflow while painting non-displayable SVG

Reporter
    Nils
Impact
    high

Description

A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash.
References

    Bug 1365189

#CVE-2017-7806: Use-after-free in layer manager with SVG

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when the layer manager is freed too early when rendering specific SVG content, resulting in a potentially exploitable crash.
References

    Bug 1378113

#CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements

Reporter
    SkyLined
Impact
    high

Description

An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data.
References

    Bug 1353312

#CVE-2017-7787: Same-origin policy bypass with iframes through page reloads

Reporter
    Oliver Wagner
Impact
    high

Description

Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure.
References

    Bug 1322896

#CVE-2017-7807: Domain hijacking through AppCache fallback

Reporter
    Mathias Karlsson
Impact
    high

Description

A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory.
References

    Bug 1376459

#CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID

Reporter
    Fraser Tweedale
Impact
    high

Description

A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash.
References

    Bug 1368652

#CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher

Reporter
    Stephen Fewer
Impact
    high

Description

The destructor function for the WindowsDllDetourPatcher class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1372849

#CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts

Reporter
    Jose María Acuña
Impact
    moderate

Description

On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content.
References

    Bug 1365875

#CVE-2017-7808: CSP information leak with frame-ancestors containing paths

Reporter
    Jun Kokatsu
Impact
    moderate

Description

A content security policy (CSP) frame-ancestors directive containing origins with paths allows for comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information.
References

    Bug 1367531

#CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections

Reporter
    Arthur Edelstein
Impact
    moderate

Description

An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1344034

#CVE-2017-7781: Elliptic curve point addition error when using mixed Jacobian-affine coordinates

Reporter
    Antonio Sanso
Impact
    moderate

Description

An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret.
References

    Bug 1352039

#CVE-2017-7794: Linux file truncation via sandbox broker

Reporter
    Jann Horn
Impact
    moderate

Description

On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions.
Note: This attack only affects the Linux operating system. Other operating systems are not affected.
References

    Bug 1374281

#CVE-2017-7803: CSP containing 'sandbox' improperly applied

Reporter
    Rhys Enniks
Impact
    moderate

Description

When a page's content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP.
References

    Bug 1377426

#CVE-2017-7799: Self-XSS XUL injection in about:webrtc

Reporter
    Frederik Braun
Impact
    moderate

Description

JavaScript in the about:webrtc page is not sanitized properly before being assigned to innerHTML. Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack.
References

    Bug 1372509

#CVE-2017-7783: DOS attack through long username in URL

Reporter
    Amit Sangra
Impact
    low

Description

If a long user name is used in a username/password combination in a site URL (such as http://UserName:Password@example.com), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service.
References

    Bug 1360842

#CVE-2017-7788: Sandboxed about:srcdoc iframes do not inherit CSP directives

Reporter
    Muneaki Nishimura
Impact
    low

Description

When an iframe has a sandbox attribute and its content is specified using srcdoc, that content does not inherit the containing page's Content Security Policy (CSP) as it should unless the sandbox attribute included allow-same-origin.
References

    Bug 1073952

#CVE-2017-7789: Failure to enable HSTS when two STS headers are sent for a connection

Reporter
    Muneaki Nishimura
Impact
    low

Description

If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection.
References

    Bug 1074642

#CVE-2017-7790: Windows crash reporter reads extra memory for some non-null-terminated registry values

Reporter
    Xiaoyin Liu
Impact
    low

Description

On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1350460

#CVE-2017-7796: Windows updater can delete any file named update.log

Reporter
    Matt Howell
Impact
    low

Description

On Windows systems, the logger run by the Windows updater deletes the file "update.log" before it runs in order to write a new log of that name. The path to this file is supplied at the command line to the updater and could be used in concert with another local exploit to delete a different file named "update.log" instead of the one intended.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1234401

#CVE-2017-7797: Response header name interning leaks across origins

Reporter
    Anne van Kesteren
Impact
    low

Description

Response header name interning does not have same-origin protections and these headers are stored in a global registry. This allows stored header names to be available cross-origin.
References

    Bug 1334776

#CVE-2017-7780: Memory safety bugs fixed in Firefox 55

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Gary Kwong, Christian Holler, André Bargull, Bob Clary, Carsten Book, Emilio Cobos Álvarez, Masayuki Nakano, Sebastian Hengst, Franziskus Kiefer, Tyson Smith, and Ronald Crane reported memory safety bugs present in Firefox 54. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 55

#CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Masayuki Nakano, Gary Kwong, Ronald Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler, Bryce Van Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan Bourvon, and Andi-Bogdan Postelnicu reported memory safety bugs present in Firefox 54 and Firefox ESR 52.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

Revision 1.120, Wed Jun 14 11:28:44 2017 UTC (5 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.119: +227 -151 lines

Update to 54.0

* If your 54.0 is unstable, please disable e10s with
  browser.tabs.remote.autostart.2=false (this works at least for me)

Changelog:

New
    Simplified the download button and download status panel
    Added support for multiple content processes (e10s-multi)
    Added Burmese (my) locale

Fixed
    Various security fixes

Changed
    Moved the mobile bookmarks folder to the main bookmarks menu for easier access

Security fixes:
 #CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
 #CVE-2017-7749: Use-after-free during docshell reloading
 #CVE-2017-7750: Use-after-free with track elements
 #CVE-2017-7751: Use-after-free with content viewer listeners
 #CVE-2017-7752: Use-after-free with IME input
 #CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
 #CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
 #CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
 #CVE-2017-7757: Use-after-free in IndexedDB
 #CVE-2017-7778: Vulnerabilities in the Graphite 2 library
 #CVE-2017-7758: Out-of-bounds read in Opus encoder
 #CVE-2017-7759: Android intent URLs can cause navigation to local file system
 #CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
 #CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
 #CVE-2017-7762: Addressbar spoofing in Reader mode
 #CVE-2017-7763: Mac fonts render some unicode characters as spaces
 #CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
 #CVE-2017-7765: Mark of the Web bypass when saving executable files
 #CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
 #CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
 #CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
 #CVE-2017-7770: Addressbar spoofing with JavaScript events and fullscreen mode
 #CVE-2017-5471: Memory safety bugs fixed in Firefox 54
 #CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

Revision 1.119, Thu Apr 27 01:49:47 2017 UTC (5 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.118: +124 -142 lines

Update to 53.0

Changelog:
New
    Improved graphics stability for Windows users with the addition of compositor process separation (Quantum Compositor)
    Two new 'compact' themes available in Firefox, dark and light, based on the Firefox Developer Edition theme
    Lightweight themes are now applied in private browsing windows
    Reader Mode now displays estimated reading time for the page
    Windows 7+ users on 64-bit OS can select 32-bit or 64-bit versions in the stub installer

Fixed
    Various security fixes

Changed
    Updated the design of site permission requests to make them harder to miss and easier to understand
    Windows XP and Vista are no longer supported. XP and Vista users running Firefox 52 will continue to receive security updates on Firefox ESR 52.
    32-bit Mac OS X is no longer supported. 32-bit Mac OS X users can switch to Firefox ESR 52 to continue receiving security updates.
    Updates for Mac OS X are smaller in size compared to updates for Firefox 52
    New visual design for audio and video controls
    Ended Firefox Linux support for processors older than Pentium 4 and AMD Opteron
    The last few characters of shortened tab titles fade out instead of being replaced by ellipses to keep more of the title visible

Security fixes:
 #CVE-2017-5433: Use-after-free in SMIL animation functions
 #CVE-2017-5435: Use-after-free during transaction processing in the editor
 #CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
 #CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
 #CVE-2017-5459: Buffer overflow in WebGL
 #CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL
 #CVE-2017-5434: Use-after-free during focus handling
 #CVE-2017-5432: Use-after-free in text input selection
 #CVE-2017-5460: Use-after-free in frame selection
 #CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
 #CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
 #CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing
 #CVE-2017-5441: Use-after-free with selection during scroll events
 #CVE-2017-5442: Use-after-free during style changes
 #CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
 #CVE-2017-5443: Out-of-bounds write during BinHex decoding
 #CVE-2017-5444: Buffer overflow while parsing application/http-index-format content
 #CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
 #CVE-2017-5447: Out-of-bounds read during glyph processing
 #CVE-2017-5465: Out-of-bounds read in ConvolvePixel
 #CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor
 #CVE-2017-5437: Vulnerabilities in Libevent library
 #CVE-2017-5454: Sandbox escape allowing file system read access through file picker
 #CVE-2017-5455: Sandbox escape through internal feed reader APIs
 #CVE-2017-5456: Sandbox escape allowing local file system access
 #CVE-2017-5469: Potential Buffer overflow in flex-generated code
 #CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content
 #CVE-2017-5449: Crash during bidirectional unicode manipulation with animation
 #CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox for Android
 #CVE-2017-5451: Addressbar spoofing with onblur event
 #CVE-2017-5462: DRBG flaw in NSS
 #CVE-2017-5463: Addressbar spoofing through reader view on Firefox for Android
 #CVE-2017-5467: Memory corruption when drawing Skia content
 #CVE-2017-5452: Addressbar spoofing during scrolling with editable content on Firefox for Android
 #CVE-2017-5453: HTML injection into RSS Reader feed preview page through TITLE element
 #CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS
 #CVE-2017-5468: Incorrect ownership model for Private Browsing information
 #CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
 #CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1

Revision 1.118 / (download) - annotate - [select for diffs], Thu Mar 30 19:11:14 2017 UTC (5 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.117: +3 -1 lines
Diff to previous 1.117 (colored)

Update to 52.0.2

Changelog:
Fixed:
    Use Nirmala UI as fallback font for additional Indic languages (Bug 1342787)

    Fix loading tab icons on session restore (Bug 1338009)

    Fix a crash on startup on Linux (Bug 1345413)

    Fix new installs erroneously not prompting to change the default browser setting (Bug 1343938)

Revision 1.117 / (download) - annotate - [select for diffs], Tue Mar 7 20:45:43 2017 UTC (5 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.116: +186 -115 lines
Diff to previous 1.116 (colored)

Update to 52.0

* Switch to GTK3 build
* Remove py-sqlite2 dependency, fix PR pkg/52032

Changelog:
New
    Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins.

    Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab.

    Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS.

    Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain.

    Enhanced Sync to allow users to send and open tabs from one device to another.

Fixed
    Various security fixes

    Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that
      * have chained dead keys
      * input two or more characters with a non-printable key or a dead key sequence
      * input a character even when a dead key sequence failed to compose a character

Changed
    Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.

    Removed Battery Status API to reduce fingerprinting of users by trackers

    Improved experience for downloads:
      * Notification in the toolbar when a download fails
      * Quick access to five most recent downloads rather than three
      * Larger buttons for canceling and restarting downloads

    Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1

    Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox.

    When not using Direct2D on Windows, Skia is used for content rendering

Developer
    Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design

    Redesigned Responsive Design Mode to include device selection, network throttling, and more

    Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain

Unresolved
    Google Hangouts temporarily won't work

Security fixes:
 #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
 #CVE-2017-5401: Memory Corruption when handling ErrorResult
 #CVE-2017-5402: Use-after-free working with events in FontFace objects
 #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
 #CVE-2017-5404: Use-after-free working with ranges in selections
 #CVE-2017-5406: Segmentation fault in Skia with canvas operations
 #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
 #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
 #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
 #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
 #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
 #CVE-2017-5412: Buffer overflow read in SVG filters
 #CVE-2017-5413: Segmentation fault during bidirectional operations
 #CVE-2017-5414: File picker can choose incorrect default directory
 #CVE-2017-5415: Addressbar spoofing through blob URL
 #CVE-2017-5416: Null dereference crash in HttpChannel
 #CVE-2017-5417: Addressbar spoofing by dragging and dropping URLs
 #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
 #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
 #CVE-2017-5427: Non-existent chrome.manifest file loaded during startup
 #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
 #CVE-2017-5419: Repeated authentication prompts lead to DOS attack
 #CVE-2017-5420: Javascript: URLs can obfuscate addressbar location
 #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
 #CVE-2017-5421: Print preview spoofing
 #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
 #CVE-2017-5399: Memory safety bugs fixed in Firefox 52
 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

Revision 1.116 / (download) - annotate - [select for diffs], Sat Feb 11 12:12:02 2017 UTC (5 years, 9 months ago) by abs
Branch: MAIN
Changes since 1.115: +3 -1 lines
Diff to previous 1.115 (colored)

Add gtk3 (cairo-gtk3) option for firefox.
Default build is unchanged with gtk2 (cairo-gtk2)

Revision 1.115 / (download) - annotate - [select for diffs], Wed Jan 25 13:24:51 2017 UTC (5 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.114: +115 -100 lines
Diff to previous 1.114 (colored)

Update to 51.0

Changelog:
New
    Users can view passwords in the save password prompt before saving them

    Added a zoom button in the URL bar:
        Displays percent above or below 100 percent when a user has changed the page zoom setting from the default
        Lets users return to the default setting by clicking on the button

    Improved video performance for users without GPU acceleration for less CPU usage and a better full screen experience

    Firefox will save passwords even in forms that do not have "submit" events

    Added support for FLAC (Free Lossless Audio Codec) playback

    Added support for WebGL 2, with advanced graphics rendering features like transform feedback, improved texturing capabilities, and a new sophisticated shading language

    A warning is displayed when a login page does not have a secure connection

    Added Georgian (ka) and Kabyle (kab) locales

    An even faster E10s! Tab Switching is better!

    Improved reliability of browser data sync

    Remove Belarusian (be) locale

Fixed
    Various security fixes

Changed
    Use 2D graphics library (Skia) for content rendering on Linux

    Re-enabled E10s support for Russian (ru) locale

    Updated to NSS 3.28.1

Security fixes:
 #CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
 #CVE-2017-5376: Use-after-free in XSL
 #CVE-2017-5377: Memory corruption with transforms to create gradients in Skia
 #CVE-2017-5378: Pointer and frame data leakage of Javascript objects
 #CVE-2017-5379: Use-after-free in Web Animations
 #CVE-2017-5380: Potential use-after-free during DOM manipulations
 #CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
 #CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests
 #CVE-2017-5396: Use-after-free with Media Decoder
 #CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations
 #CVE-2017-5382: Feed preview can expose privileged content errors and exceptions
 #CVE-2017-5383: Location bar spoofing with unicode characters
 #CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
 #CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers
 #CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions
 #CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events
 #CVE-2017-5391: Content about: pages can load privileged about: pages
 #CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage
 #CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager
 #CVE-2017-5395: Android location bar spoofing during scrolling
 #CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages
 #CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks
 #CVE-2017-5374: Memory safety bugs fixed in Firefox 51
 #CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7

Revision 1.114 / (download) - annotate - [select for diffs], Sun Dec 18 01:31:00 2016 UTC (5 years, 11 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4
Changes since 1.113: +2 -1 lines
Diff to previous 1.113 (colored)

Update to 50.1.0

Changelog:
 #CVE-2016-9894: Buffer overflow in SkiaGL
 #CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
 #CVE-2016-9895: CSP bypass using marquee tag
 #CVE-2016-9896: Use-after-free with WebVR
 #CVE-2016-9897: Memory corruption in libGLES
 #CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
 #CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
 #CVE-2016-9904: Cross-origin information leak in shared atoms
 #CVE-2016-9901: Data from Pocket server improperly sanitized before execution
 #CVE-2016-9902: Pocket extension does not validate the origin of events
 #CVE-2016-9903: XSS injection vulnerability in add-ons SDK
 #CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
 #CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6

Revision 1.113 / (download) - annotate - [select for diffs], Tue Dec 6 08:14:22 2016 UTC (5 years, 11 months ago) by martin
Branch: MAIN
Changes since 1.112: +3 -3 lines
Diff to previous 1.112 (colored)

Mark libmozavcodec.so and libmozavutil.so as x86-only

Revision 1.112 / (download) - annotate - [select for diffs], Sat Dec 3 09:58:25 2016 UTC (5 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.111: +137 -130 lines
Diff to previous 1.111 (colored)

Update to 50.0.2

* Change default audio support to ALSA.
  You can use OSS or pulseaudio via ALSA plugin package.

Changelog:
50.0.2:
Fixed in Firefox 50.0.2
 #CVE-2016-9079: Use-after-free in SVG Animation

50.0.1:
Fixed
   *Firefox crashes with 3rd party Chinese IME when using IME text

Security vulnerabilities fixed in Firefox 50.0.1:
 #CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect

50.0:

New
   *Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
   *Improved performance for SDK extensions or extensions using the SDK module loader
   *Added download protection for a large number of executable file types on Windows, Mac and Linux
   *Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
   *Added Guarani (gn) locale
   *Added option to Find in page that allows users to limit search to whole words only
   *Updates to keyboard shortcuts
       *Set a preference to have Ctrl+Tab cycle through tabs in recently used order
       *View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)

Fixed
   *Login cookies are now saved for sites with a high number of cookies (Bug 1264192)
   *Various security fixes

   *Fixed rendering of dashed and dotted borders with rounded corners (border-radius)

Changed
   *The link to check for plugin security updates has been removed from the addon manager as Firefox automatically checks for plugin updates
   *Blocked versions of libavcodec older than 54.35.1
   *Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)

Developer
   *Changes for web developers

Security vulnerabilities fixed in Firefox 50:
 #CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
 #CVE-2016-5292: URL parsing causes crash
 #CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink
 #CVE-2016-5294: Arbitrary target directory for result files of update process
 #CVE-2016-5297: Incorrect argument length checking in JavaScript
 #CVE-2016-9064: Add-ons update must verify IDs match between current and new versions
 #CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
 #CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
 #CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
 #CVE-2016-9068: heap-use-after-free in nsRefreshDriver
 #CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
 #CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
 #CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
 #CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
 #CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
 #CVE-2016-5298: SSL indicator can mislead the user about the real URL visited
 #CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissionsPI key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
 #CVE-2016-9062: Private browsing browser traces (Android) in browser.db and wal file
 #CVE-2016-9070: Sidebar bookmark can have reference to chrome window
 #CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
 #CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
 #CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s
 #CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in Expat
 #CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
 #CVE-2016-5289: Memory safety bugs fixed in Firefox 50
 #CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5

Revision 1.111 / (download) - annotate - [select for diffs], Fri Oct 28 17:47:21 2016 UTC (6 years, 1 month ago) by riastradh
Branch: MAIN
Changes since 1.110: +2 -1 lines
Diff to previous 1.110 (colored)

Add a debug-only file.

Revision 1.110 / (download) - annotate - [select for diffs], Tue Sep 20 20:01:41 2016 UTC (6 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.109: +142 -260 lines
Diff to previous 1.109 (colored)

Update to 49.0

Changelog:
New
    Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. It's one more way Firefox is supporting Let's Encrypt and helping users transition to a more secure web.

    Added features to Reader Mode that make it easier on the eyes and the ears
        Controls that allow users to adjust the width and line spacing of text
        Narrate, which reads the content of a page out loud

    Improved video performance for users on systems that support SSSE3 without hardware acceleration

    Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed

    Enhancements for Mac users
        Improved performance on OS X systems without hardware acceleration
        Improved appearance of anti-aliased OS X fonts

    Improvements in about:memory reports for tracking font memory usage

    Improve performance on Windows systems without hardware acceleration

Fixed
    Fixed an issue that prevented users from updating Firefox for Mac unless they originally installed Firefox. Now, those users as well as any user with administrative credentials can update Firefox.

    Various security fixes

Changed
    Ended Firefox for Mac support for OS X 10.6, 10.7, and 10.8.

    Ended Firefox for Windows support for SSE processors

    Removed Firefox Hello

    Re-enabled the default for Graphite2 font shaping

Developer
    Added a Cause column to the Network Monitor to show what caused each network request

    Introduced web speech synthesis API

Fixed in Firefox 49
    2016-85 Security vulnerabilities fixed in Firefox 49

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]
Reporter: Atte Kettunen
Description: A content security policy (CSP) containing a referrer directive with no values can cause a non-exploitable crash. [1289085]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]
Reporter: Abhishek Arya
Description: An out-of-bounds read during the processing of text runs in some pages using display:contents. [1288946]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]
Reporter: Nils
Description: A potentially exploitable crash in accessibility [1280387]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting an aria-owns attribute [1287721]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling. [1282076]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A use-after-free vulnerability with web animations when destroying a timeline [1291665]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]
Reporter: Nils
Description: A buffer overflow when working with empty filters during canvas rendering [1287316]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]
Reporter: Rafael Gieschke
Description: The full path to local files is available to scripts when local files are drag and dropped into Firefox [1249522]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]
Reporter: Richard Newman
Description: Favicons can be loaded through non-whitelisted protocols, such as jar: [932335]

CVE-2016-5283 - <iframe src> fragment timing attack can reveal cross-origin data [high]
Reporter: Gavin Sharp
Description: A timing attack vulnerability using iframes to potentially reveal private data using document resizes and link colors [928187]

CVE-2016-5284 - Add-on update site certificate pin expiration [high]
Reporter: Ryan Duff
Description: Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. [1303127]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]
Reporter: Mozilla developers
Description: Mozilla developers Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas, Seth Fowler, and Michael Smith reported memory safety bugs present in Firefox 48. Some of these bugs showed evidence of memory corruption under certain circumstances and could potentially be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]
Reporter: Mozilla developers
Description: Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4]

Revision 1.109 / (download) - annotate - [select for diffs], Sat Aug 20 11:17:32 2016 UTC (6 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.108: +6 -0 lines
Diff to previous 1.108 (colored)

Update to 48.0.1

* Remove dbus-glib dependency and add dbus option (from Robert Swindells)
* Fix potential build failure in skia (from Robert Swindells)

Changelog:
Fixed
    Fix an audio regression impacting some major websites (bug 1295296)
    Fix a top crash in the JavaScript engine (Bug 1290469)
    Fix a startup crash issue caused by Websense (Bug 1291738)
    Fix a different behavior with e10s / non-e10s on <select> and mouse events (Bug 1291078)
    Fix a top crash caused by plugin issues (Bug 1264530)
    Fix an unsigned add-ons issue on Windows
    Fix a shutdown issue (Bug 1276920)
    Fix a crash in WebRTC

Revision 1.108 / (download) - annotate - [select for diffs], Sat Aug 6 08:46:59 2016 UTC (6 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.107: +227 -102 lines
Diff to previous 1.107 (colored)

Update to 48.0

* OSS audio support may not work. I will revisit later

Changelog:
New:
    Roar for moar protection against harmful downloads! We've got your back

    Process separation (e10s) is enabled for some of you. Like it? Let us know and we'll roll it out to more.

    Add-ons that have not been verified and signed by Mozilla will not load

    GNU/Linux fans: Get better Canvas performance with speedy Skia support. Try saying that three times fast

    WebRTC embetterments:
        Delay-agnostic AEC enabled
        Full duplex for GNU/Linux enabled
        ICE Restart & Update is supported
        Cloning of MediaStream and MediaStreamTrack is now supported

    Searching for something already in your bookmarks or open tabs? We added super smart icons to let you know

    Windows folks: Tab (move buttons) and Shift+F10 (pop-up menus) now behave as they should in Firefox customization mode

    The media parser has been redeveloped using the Rust programming language

    Windows 7 systems without Platform Update can now use D3D11 WARP

Fixed:
    Various security fixes

    Heyo, Jabra & Logitech C920 webcam users. We fixed those pesky WebRTC bugs causing frequency distortions. Buh-bye, squeaky voice!

    Improved step debugging on last line of functions

Changed:
    Starting with the Firefox version 49 release, so long to support for 10.6, 10.7 and 10.8. Now we can focus on where most Mac users are: 10.9. Don't forget to upgrade!

    After version 48, SSE2 CPU extensions are going to be required on Windows

    Au revoir to Windows Remote Access Service modem Autodial

Developer:
    WebExtensions support is now considered as stable

    Workers can now use the Web Crypto API

    Want to move absolute & fixed positioned elements? (Who doesn't, right?) Now you can with our geometry editor.

    The memory tool now has a tree map view for your debugging pleasure. It's a little bit of "boo" and a whole lot of "ya."

    We're putting the spotlight on the background. Now you can debug WebExtensions background content scripts and background pages

    Content Security Policy (CSP) is now enforced for WebExtensions. (Who's down with CSP?)

    Old and busted: Error Console. New hotness: Browser Console for your debugging pleasure.

    Add-on development just got easier because you can reload them from about:debugging - because we're all about debugging.

    This theme is hot, hot, hot! Say hi to the Firebug theme for Developer Tools.

    Expand network requests from the console panel to view request details in line, so you can see things in context


Fixed in Firefox 48:
    2016-84 Information disclosure through Resource Timing API during page navigation
    2016-83 Spoofing attack through text injection into internal error pages
    2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
    2016-81 Information disclosure and local file manipulation through drag and drop
    2016-80 Same-origin policy violation using local HTML file and saved shortcut file
    2016-79 Use-after-free when applying SVG effects
    2016-78 Type confusion in display transformation
    2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
    2016-76 Scripts on marquee tag can execute in sandboxed iframes
    2016-75 Integer overflow in WebSockets during data buffering
    2016-74 Form input type change from password to text can store plain text password in session restore file
    2016-73 Use-after-free in service workers with nested sync events
    2016-72 Use-after-free in DTLS during WebRTC session shutdown
    2016-71 Crash in incremental garbage collection in JavaScript
    2016-70 Use-after-free when using alt key and toplevel menus
    2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
    2016-68 Out-of-bounds read during XML parsing in Expat library
    2016-67 Stack underflow during 2D graphics rendering
    2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
    2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
    2016-64 Buffer overflow rendering SVG with bidirectional content
    2016-63 Favicon network connection can persist when page is closed
    2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)

Revision 1.107 / (download) - annotate - [select for diffs], Thu Jun 16 12:08:21 2016 UTC (6 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2
Changes since 1.106: +172 -88 lines
Diff to previous 1.106 (colored)

Update to 47.0

* Remove macOS patches, because I cannot confirm them sadly

Changelog:
New
    Support for Google's Widevine CDM on Windows and Mac OS X so streaming services like Amazon Video can switch from Silverlight to encrypted HTML5 video.
    Enable VP9 video codec for users with fast machines
    Embedded YouTube videos now play with HTML5 video if Flash is not installed.
    View and search open tabs from your smartphone or another computer in a sidebar
    Allow no-cache on back/forward navigations for https resources
    Latgalu [ltg] locale added. Wikipedia tells us there are 164,500 daily speakers.

Fixed
    Various security fixes

Changed
    FUEL (Firefox User Extension Library) has been removed. Add-ons relying on it will stop working.
    The browser.sessionstore.restore_on_demand preference has been reset to its default value (true) to avoid e10s performance problems. Because faster is better!
    The Firefox click-to-activate plugin whitelist has been removed.
    XRender is no longer used for rendering web content on Linux as this may cause a regression in remote X performance

Developer
    Web platform changes
    View, start, and debug registered Service Workers in the Service Workers developer tool
    Simulate Push messages in the Service Workers developer tool
    'Start' button for service workers in about:debugging to start registered Service Workers
    Changes that can affect add-on compatibility
    Added support for ChaCha20/Poly1305 cipher suites
    Custom user agents supported in Responsive Design Mode
    Smart multi-line input in the Web Console

Developer Information
HTML5
    cuechange events are now available on TextTrack objects
    WebCrypto: PBKDF2 supports SHA-2 hash algorithms
    WebCrypto: RSA-PSS signature support


Fixed in Firefox 47
    2016-61 Network Security Services (NSS) vulnerabilities
    2016-60 Java applets bypass CSP protections
    2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
    2016-58 Entering fullscreen and persistent pointerlock without user permission
    2016-57 Incorrect icon displayed on permissions notifications
    2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
    2016-55 File overwrite and privilege escalation through Mozilla Windows updater
    2016-54 Partial same-origin-policy through setting location.host through data URI
    2016-53 Out-of-bounds write with WebGL shader
    2016-52 Addressbar spoofing through the SELECT element
    2016-51 Use-after-free deleting tables from a contenteditable document
    2016-50 Buffer overflow parsing HTML5 fragments
    2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

Revision 1.104.2.1 / (download) - annotate - [select for diffs], Thu May 19 12:56:30 2016 UTC (6 years, 6 months ago) by bsiegert
Branch: pkgsrc-2016Q1
Changes since 1.104: +240 -134 lines
Diff to previous 1.104 (colored) next main 1.105 (colored)

Pullup ticket #5015 - requested by sevan
www/firefox: security fix

Revisions pulled up:
- www/firefox/Makefile                                          1.249-1.250
- www/firefox/PLIST                                             1.105-1.106
- www/firefox/distinfo                                          1.242-1.243
- www/firefox/mozilla-common.mk                                 1.73
- www/firefox/patches/patch-aa                                  1.45
- www/firefox/patches/patch-config_external_moz.build           1.11
- www/firefox/patches/patch-config_system-headers               1.18
- www/firefox/patches/patch-dom_media_gstreamer_GStreamerAllocator.cpp deleted
- www/firefox/patches/patch-dom_media_moz.build                 1.3
- www/firefox/patches/patch-gfx_skia_generate__mozbuild.py      1.4
- www/firefox/patches/patch-gfx_skia_moz.build                  1.11
- www/firefox/patches/patch-gfx_skia_skia_src_core_SkUtilsArm.cpp 1.2
- www/firefox/patches/patch-gfx_skia_skia_src_opts_SkBitmapProcState__opts__arm.cpp deleted
- www/firefox/patches/patch-gfx_skia_skia_src_opts_memset.arm.S deleted
- www/firefox/patches/patch-gfx_thebes_moz.build                1.3
- www/firefox/patches/patch-media_libcubeb_src_cubeb.c          1.3
- www/firefox/patches/patch-media_libcubeb_src_cubeb__alsa.c    1.14
- www/firefox/patches/patch-media_libcubeb_src_moz.build        1.7
- www/firefox/patches/patch-media_libtheora_moz.build           1.5
- www/firefox/patches/patch-pb                                  deleted
- www/firefox/patches/patch-pc                                  deleted
- www/firefox/patches/patch-toolkit_library_moz.build           1.5
- www/firefox/patches/patch-xpcom_reflect_xptcall_md_unix_moz.build 1.5

---
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Apr 13 20:37:33 UTC 2016

   Modified Files:
           pkgsrc/www/firefox: Makefile PLIST distinfo

   Log Message:
   Update to 45.0.2

   Changelog:
   Fixed:
       Fix an issue impacting the cookie header when third-party cookies are blocked (1257861)
       Fix a web compatibility regression impacting the srcset attribute of the image tag (1259482)
       Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (1254980)
       Fix a crash impacting the video playback with Media Source Extension (1258562)
       Fix a regression impacting some specific uploads (1255735)

---
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Apr 27 16:22:40 UTC 2016

   Modified Files:
           pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk
           pkgsrc/www/firefox/patches: patch-aa patch-config_external_moz.build
               patch-config_system-headers patch-dom_media_moz.build
               patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build
               patch-gfx_skia_skia_src_core_SkUtilsArm.cpp
               patch-gfx_thebes_moz.build patch-media_libcubeb_src_cubeb.c
               patch-media_libcubeb_src_cubeb__alsa.c
               patch-media_libcubeb_src_moz.build patch-media_libtheora_moz.build
               patch-toolkit_library_moz.build
               patch-xpcom_reflect_xptcall_md_unix_moz.build

   Removed Files:
           pkgsrc/www/firefox/patches:
               patch-dom_media_gstreamer_GStreamerAllocator.cpp
               patch-gfx_skia_skia_src_opts_SkBitmapProcState__opts__arm.cpp
               patch-gfx_skia_skia_src_opts_memset.arm.S patch-pb patch-pc

   Log Message:
   Update to 46.0

   * Drop buildlink to gstreamer1

   Changelog:
   New
       Improved security of the JavaScript Just In Time (JIT) Compiler
       GTK3 integration (GNU/Linux only)

   Fixed
       Correct rendering for scaled SVGs that use a clip and a mask
       Various security fixes
       Screen reader behavior with blank spaces in Google Docs corrected

   Changed
       WebRTC fixes to improve performance and stability

   Developer
       Display dominator trees in Memory tool
       Allocation and garbage collection pause profiling in the performance panel
       Launch responsive mode from the Style Editor @media sidebar

   HTML5
       Added support for document.elementsFromPoint
       Added HKDF support for Web Crypto API

   Fixed in Firefox 46
       2016-48 Firefox Health Reports could accept events from untrusted domains
       2016-47 Write to invalid HashMap entry through JavaScript.watch()
       2016-46 Elevation of privilege with chrome.tabs.update API in web extensions
       2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
       2016-44 Buffer overflow in libstagefright with CENC offsets
       2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors
       2016-42 Use-after-free and buffer overflow in Service Workers
       2016-41 Content provider permission bypass allows malicious application to access data
       2016-40 Privilege escalation through file deletion by Maintenance Service updater
       2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

Revision 1.106 / (download) - annotate - [select for diffs], Wed Apr 27 16:22:39 2016 UTC (6 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.105: +217 -132 lines
Diff to previous 1.105 (colored)

Update to 46.0

* Drop buildlink to gstreamer1

Changelog:
New
    Improved security of the JavaScript Just In Time (JIT) Compiler
    GTK3 integration (GNU/Linux only)

Fixed
    Correct rendering for scaled SVGs that use a clip and a mask
    Various security fixes
    Screen reader behavior with blank spaces in Google Docs corrected

Changed
    WebRTC fixes to improve performance and stability

Developer
    Display dominator trees in Memory tool
    Allocation and garbage collection pause profiling in the performance panel
    Launch responsive mode from the Style Editor @media sidebar

HTML5
    Added support for document.elementsFromPoint
    Added HKDF support for Web Crypto API

Fixed in Firefox 46
    2016-48 Firefox Health Reports could accept events from untrusted domains
    2016-47 Write to invalid HashMap entry through JavaScript.watch()
    2016-46 Elevation of privilege with chrome.tabs.update API in web extensions
    2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
    2016-44 Buffer overflow in libstagefright with CENC offsets
    2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors
    2016-42 Use-after-free and buffer overflow in Service Workers
    2016-41 Content provider permission bypass allows malicious application to access data
    2016-40 Privilege escalation through file deletion by Maintenance Service updater
    2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

Revision 1.105 / (download) - annotate - [select for diffs], Wed Apr 13 20:37:33 2016 UTC (6 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.104: +23 -2 lines
Diff to previous 1.104 (colored)

Update to 45.0.2

Changelog:
Fixed:
    Fix an issue impacting the cookie header when third-party cookies are blocked (1257861)
    Fix a web compatibility regression impacting the srcset attribute of the image tag (1259482)
    Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (1254980)
    Fix a crash impacting the video playback with Media Source Extension (1258562)
    Fix a regression impacting some specific uploads (1255735)

Revision 1.104 / (download) - annotate - [select for diffs], Tue Mar 8 21:32:52 2016 UTC (6 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base
Branch point for: pkgsrc-2016Q1
Changes since 1.103: +402 -327 lines
Diff to previous 1.103 (colored)

Update to 45.0

Changelog:
New
    Instant browser tab sharing through Hello

    Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching

    Synced Tabs button in button bar

    Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level

    Guarani [gn] locale added


Fixed
    URLs containing a Unicode-format Internationalized Domain Name (IDN) are now properly redirected

    Various security fixes


Fixed in Firefox 45
    2016-37 Font vulnerabilities in the Graphite 2 library
    2016-36 Use-after-free during processing of DER encoded keys in NSS
    2016-35 Buffer overflow during ASN.1 decoding in NSS
    2016-34 Out-of-bounds read in HTML parser following a failed allocation
    2016-33 Use-after-free in GetStaticInstance in WebRTC
    2016-32 WebRTC and LibVPX vulnerabilities found through code inspection
    2016-31 Memory corruption with malicious NPAPI plugin
    2016-30 Buffer overflow in Brotli decompression
    2016-29 Same-origin policy violation using performance.getEntries and history navigation with session restore
    2016-28 Addressbar spoofing through history navigation and Location protocol property
    2016-27 Use-after-free during XML transformations
    2016-26 Memory corruption when modifying a file being read by FileReader
    2016-25 Use-after-free when using multiple WebRTC data channels
    2016-24 Use-after-free in SetBody
    2016-23 Use-after-free in HTML5 string parser
    2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager
    2016-21 Displayed page address can be overridden
    2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
    2016-19 Linux video memory DOS with Intel drivers
    2016-18 CSP reports fail to strip location information for embedded iframe pages
    2016-17 Local file overwriting and potential privilege escalation through CSP reports
    2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

Revision 1.103 / (download) - annotate - [select for diffs], Wed Jan 27 00:08:26 2016 UTC (6 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.102: +894 -807 lines
Diff to previous 1.102 (colored)

Update to 44.0

Changelog:
New
    Improved warning pages for certificate errors and untrusted connections
    Enable H.264 if system decoder is available
    Enable WebM/VP9 video support on systems that don't support MP4/H.264
    In the animation-inspector timeline, lightning bolt icon next to animations running on the compositor thread
    Support the brotli compression format via HTTPS content-encoding
    Screenshot commands allow user choice of pixel ratio in Developer Tools

Fixed
    Windows XP and Vista screensaver doesn't disable when watching videos (Bug 1193610)
    Various security fixes

Changed
    To support unicode-range descriptor for webfonts, font matching under Linux now uses the same font matching code as other platforms
    Use a SHA-256 signing certificate for Windows builds, to meet new signing requirements
    Firefox has removed support for the RC4 decipher
    Firefox will no longer trust the Equifax Secure Certificate Authority 1024-bit root certificate or the UTN - DATACorp SGC to validate secure website certificates
    Stricter validation of web fonts
    On-screen keyboard support temporarily turned off for Windows 8 and Windows 8.1

Developer
    Right click on a logged object in the console to store it as a global variable on the page
    Visual tools for Animation:
        View/Edit CSS animation keyframe rules directly in the inspector
        Visually modify the cubic-bezier curve that drives the way animations progress through time
        Discover and scrub through all CSS animations and transitions playing on the page
        Learn more: http://devtoolschallenger.com/
    Visual tools for Layout and Styles:
        Display rulers along the viewport to verify size and position and use the measurement tool to easily detect spacing and alignment problems
        Use CSS filters to preview and create real-time effects like drop-shadows, sepia, etc
        Learn more: http://devtoolschallenger.com/
    New memory tool for inspecting the memory heap
    Service Workers API
    Built-in JSON reader to intuitively view, search, copy and save data without extensions
    Jump to function definitions in the debugger with Cmd-Click
    WebSocket Debugging API and add-on
    The rule view now displays styles using their authored text, and edits in the rule view are now linked to the style editor

Security bugs:
Fixed in Firefox 44
    2016-12 Lightweight themes on Firefox for Android do not verify a secure connection
    2016-11 Application Reputation service disabled in Firefox 43
    2016-10 Unsafe memory manipulation found through code inspection
    2016-09 Addressbar spoofing attacks
    2016-08 Delay following click events in file download dialog too short on OS X
    2016-07 Errors in mp_div and mp_exptmod cryptographic functions in NSS
    2016-06 Missing delay following user click events in protocol handler dialog
    2016-05 Addressbar spoofing through stored data url shortcuts on Firefox for Android
    2016-04 Firefox allows for control characters to be set in cookie names
    2016-03 Buffer overflow in WebGL after out of memory allocation
    2016-02 Out of Memory crash when parsing GIF format images
    2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

Revision 1.102 / (download) - annotate - [select for diffs], Wed Dec 16 09:34:55 2015 UTC (6 years, 11 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4
Changes since 1.101: +118 -44 lines
Diff to previous 1.101 (colored)

Update to 43.0

Changelog:
    New Private Browsing with Tracking Protection offers choice of blocking additional trackers
    New Improved API support for m4v video playback
    New Firefox 64-bit for Windows is now available via the Firefox download page
    New Users can choose search suggestions from the Awesome Bar
    New On-screen keyboard displayed on selecting input field on devices running Windows 8 or greater
    New Firefox Health Report has switched to use the same data collection mechanism as telemetry
    Developer Markup view shows indicators for pseudo-classes locked for elements
    Developer Bind F1 key to open the settings when the toolbox is focused
    Developer New 'Use in Console' context menu item in Inspector to store selected element in a temporary variable
    Developer Search button next to overridden CSS properties to find similar properties in the rules view
    Developer Ability to filter styles from their property names in the rules view
    Developer Stack traces are now shown for exceptions inside the console
    Developer Added ability to display server-side logs in the console
    Developer Ability to choose resolution for the GCLI screenshot command
    Developer Subresource integrity allows developers to make their sites more secure
    Developer Network requests in Console now link to Network panel instead of opening in a popup
    Developer Unprefixed 'hyphens' property is now supported
    Developer WebIDE now has a sidebar-based UI
    Developer The 'transform-origin' property is now supported on SVG elements
    Developer Animation inspector now displays animations in a timeline
    Developer Single-process mode is no longer supported for NPAPI plugins
    Fixed Eyedropper tool does not work as expected when page is zoomed
    Fixed Various security fixes

Fixed in Firefox 43
    2015-149 Cross-site reading attack through data and view-source URIs
    2015-148 Privilege escalation vulnerabilities in WebExtension APIs
    2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright
    2015-146 Integer overflow in MP4 playback in 64-bit versions
    2015-145 Underflow through code inspection
    2015-144 Buffer overflows found through code inspection
    2015-143 Linux file chooser crashes on malformed images due to flaws in Jasper library
    2015-142 DOS due to malformed frames in HTTP/2
    2015-141 Hash in data URI is incorrectly parsed
    2015-140 Cross-origin information leak through web workers error events
    2015-139 Integer overflow allocating extremely large textures
    2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed
    2015-137 Firefox allows for control characters to be set in cookies
    2015-136 Same-origin policy violation using performance.getEntries and history navigation
    2015-135 Crash with JavaScript variable assignment with unboxed objects
    2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

Revision 1.101 / (download) - annotate - [select for diffs], Tue Nov 3 15:52:57 2015 UTC (7 years ago) by ryoon
Branch: MAIN
Changes since 1.100: +114 -88 lines
Diff to previous 1.100 (colored)

Update to 42.0

Changelog:
    New Private Browsing with Tracking Protection blocks certain Web elements that could be used to record your behavior across sites
    New Control Center that contains site security and privacy controls
    New Indicator added to tabs that play audio with one-click muting
    New WebRTC improvements:
        IPv6 support
        Preferences for controlling ICE candidate generation and IP exposure
        Hooks for extensions to allow/deny createOffer/Answer
        Improved ability for applications to monitor and control which devices are used in getUserMedia
    New Login Manager improvements:
        Improved heuristics to save usernames and passwords
        Edit and show all logins in line, Copy/Paste usernames/passwords from the Context menu
        Migration imports your passwords to Firefox from Google Chrome for Windows and Internet Explorer; import anytime from the Login Manager
    Changed Improved performance on interactive websites that trigger a lot of restyles
    HTML5 Media Source Extension for HTML5 video available for all sites
    HTML5 Support ImageBitmap and createImageBitmap()
    HTML5 Implemented ES6 Reflect
    Developer Ability to save filter presets inside CSS Filter Tooltip
    Developer CSS filter presets in the Inspector
    Developer Configurable Firefox OS Simulator in WebIDE, to simulate reference devices like phones, tablets, even TVs
    Developer Asynchronous call stacks now allow web developers to follow the code flow through setTimeout, DOM event handlers, and Promise handlers.
    Developer Remote website debugging over WiFi (no USB cable or ADB needed)
    Developer View HTML source in a tab

Revision 1.100 / (download) - annotate - [select for diffs], Wed Sep 23 06:44:41 2015 UTC (7 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base, pkgsrc-2015Q3
Changes since 1.99: +94 -51 lines
Diff to previous 1.99 (colored)

Update to 41.0

Changelog:
    New Enhance IME support on Windows (Vista +) using TSF (Text Services Framework)
    New Ability to set a profile picture for your Firefox Account
    New Firefox Hello now includes instant messaging
    New SVG images can be used as favicons
    New Improved box-shadow rendering performance
    Changed WebRTC now requires perfect forward secrecy
    Changed WARP is disabled on Windows 7
    Changed Updates to image decoding process
    Changed Support for running animations of 'transform' and 'opacity' on the compositor thread
    HTML5 MessageChannel and MessagePort API enabled by default
    HTML5 Added support for the transform-origin property on SVG elements
    HTML5 CSS Font Loading API enabled by default
    HTML5 Navigator.onLine now varies with actual internet connectivity (Windows and Mac OS X only)
    HTML5 Copy/Cut Web content from JavaScript to the OS clipboard with document.execCommand("cut"/"copy")
    HTML5 Implemented Cache API for querying named caches that are accessible from Window, Worker, and ServiceWorker
    Developer Removed support for binary XPCOM components in extensions, use addon SDK "system/child_process" pipe mechanism for native binaries instead
    Developer Network requests can be exported in HAR format
    Developer Quickly add new CSS rule with New Rule button in the Inspector
    Developer Screenshot a node or element from markup view with the Screenshot Node context menu item
    Developer Copy element CSS rule declarations with the Copy Rule Declaration context menu item in the Inspector
    Developer Pseudo-Class panel in the Inspector
    Fixed Picture element does not react to resize/viewport changes
    Fixed Various security fixes

Security fixes:
Fixed in Firefox 41
    2015-114 Information disclosure via the High Resolution Time API
    2015-113 Memory safety errors in libGLES in the ANGLE graphics library
    2015-112 Vulnerabilities found through code inspection
    2015-111 Errors in the handling of CORS preflight request headers
    2015-110 Dragging and dropping images exposes final URL after redirects
    2015-109 JavaScript immutable property enforcement can be bypassed
    2015-108 Scripted proxies can access inner window
    2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
    2015-106 Use-after-free while manipulating HTML media content
    2015-105 Buffer overflow while decoding WebM video
    2015-104 Use-after-free with shared workers and IndexedDB
    2015-103 URL spoofing in reader mode
    2015-102 Crash when using debugger with SavedStacks in JavaScript
    2015-101 Buffer overflow in libvpx while parsing vp9 format video
    2015-100 Arbitrary file manipulation by local user through Mozilla updater
    2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme
    2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes
    2015-97 Memory leak in mozTCPSocket to servers
    2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)

Revision 1.99 / (download) - annotate - [select for diffs], Tue Aug 11 23:48:17 2015 UTC (7 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.98: +185 -109 lines
Diff to previous 1.98 (colored)

Update to 40.0

Changelog:
    New Support for Windows 10
    New Added protection against unwanted software downloads
    New User can receive suggested tiles in the new tab page based on categories Firefox matches to browsing history (en-US only).
    New Hello allows adding a link to conversations to provide context on what the conversation will be about
    New New style for add-on manager based on the in-content preferences style
    New Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only)
    New Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked
    Changed Add-on extensions that are not signed by Mozilla will display a warning
    Changed NPAPI Plug-in performance improved via asynchronous initialization
    Changed Smoother animation and scrolling with hardware vsync (Windows only)
    Changed JPEG images use less memory when scaled and can be painted faster
    Changed Sub-resources can no longer request HTTP authentication, thus protecting users from inadvertently disclosing login data
    HTML5 IndexedDB transactions are now non-durable by default
    HTML5 Implemented AudioBufferSourceNode.detune to modulate playback rate in cents, a logarithmic unit of measure used for musical intervals
    Developer Improved Performance tools in the developer tools: Waterfall view, Call Tree view and a Flame Chart view
    Developer New rules view tooltip in the Inspector to tweak CSS Filter values
    Developer Console API messages from SharedWorker and ServiceWorker are now displayed in web console
    Developer New page ruler highlighting tool that displays lightweight horizontal and vertical rules on a page
    Developer Inspector now searches across all content frames in a page
    Fixed Kannada text does not display properly in built-in pdf viewer
    Fixed Various security fixes

Known Issues
    unresolved If Firefox is restarted from an add-on install notification, on-going private browsing downloads might be canceled without warning (1185294)


Fixed in Firefox 40
    2015-92 Use-after-free in XMLHttpRequest with shared workers
    2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
    2015-90 Vulnerabilities found through code inspection
    2015-89 Buffer overflows on Libvpx when decoding WebM video
    2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
    2015-87 Crash when using shared memory in JavaScript
    2015-86 Feed protocol with POST bypasses mixed content protections
    2015-85 Out-of-bounds write with Updater and malicious MAR file
    2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
    2015-83 Overflow issues in libstagefright
    2015-82 Redefinition of non-configurable JavaScript object properties
    2015-81 Use-after-free in MediaStream playback
    2015-80 Out-of-bounds read with malformed MP3 file
    2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)

Revision 1.98 / (download) - annotate - [select for diffs], Fri Jul 3 10:25:40 2015 UTC (7 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.97: +67 -19 lines
Diff to previous 1.97 (colored)

Update to 39.0

Changelog:
New Share Hello URLs with social networks
New Project Silk: Smoother animation and scrolling (Mac OS X)
New Support for 'switch' role in ARIA 1.1 (web accessibility)
New SafeBrowsing malware detection lookups enabled for downloads (Mac OS X and Linux)
New Support for new Unicode 8.0 skin tone emoji
Changed Removed support for insecure SSLv3 for network communications
Changed Disable use of RC4 except for temporarily whitelisted hosts
Changed The malware detection service for downloads now covers common Mac file types (Bug 1138721)
Changed of displaying dashed lines is improved (Mac OS X) (Bug 1123019)
HTML5 List-style-type now accepts a string value
HTML5 Enable the Fetch API for network requests from dedicated, shared and service workers
HTML5 Cascading of CSS transitions and animations now matches the current spec
HTML5 Implement <link rel="preconnect"> allowing anticipation of a future connection without revealing any information
HTML5 Added support for CSS Scroll Snap Points
Developer Drag and drop enabled for nodes in Inspector markup view
Developer Webconsole input history persists even after closing the toolbox
Developer Cubic bezier tooltip now shows a gallery of timing-function presets for use with CSS animations
Developer localhost is now available offline for WebSocket connections
Fixed Improve performance for IPv6 fallback to IPv4
Fixed Fix incomplete downloads being marked as complete by detecting broken HTTP/1.1 transfers
Fixed The Security state indicator on a page now correctly ignores loads caused by previous pages
Fixed Fixed an issue where a Hello conversation window would sometimes fail to open
Fixed A regression that could lead to Flash not displaying has been fixed
Fixed Update to NSS 3.19.2
Fixed Various security fixes

Fixed in Firefox 39
    2015-71 NSS incorrectly permits skipping of ServerKeyExchange
    2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
    2015-69 Privilege escalation in PDF.js
    2015-68 OS X crash reports may contain entered key press information
    2015-67 Key pinning is ignored when overridable errors are encountered
    2015-66 Vulnerabilities found through code inspection
    2015-65 Use-after-free in workers while using XMLHttpRequest
    2015-64 ECDSA signature validation fails to handle some signatures correctly
    2015-63 Use-after-free in Content Policy due to microtask execution error
    2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio
    2015-61 Type confusion in Indexed Database Manager
    2015-60 Local files or privileged URLs in pages can be opened into new tabs
    2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

Revision 1.97 / (download) - annotate - [select for diffs], Wed Jun 3 03:22:31 2015 UTC (7 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2
Changes since 1.96: +55 -0 lines
Diff to previous 1.96 (colored)

Update to 38.0.5

Changelog:
New: Keep track of articles and videos with Pocket
New: Clean formatting for articles and blog posts with Reader View
New: Share the active tab or window in a Hello conversation
Fixed: A race condition that would cause Firefox to stop painting when switching tabs (bug 1067470)
Fixed: Fixed graphics performance when using the built-in VGA driver on Windows 7 (Bug 1165732)

Revision 1.96 / (download) - annotate - [select for diffs], Tue May 12 22:48:54 2015 UTC (7 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.95: +110 -35 lines
Diff to previous 1.95 (colored)

Update to 38.0

Changelog:
New New tab-based preferences
New Ruby annotation support
New Base for the next ESR release.
Changed autocomplete=off is no longer supported for username/password fields
Changed URL parser avoids doing percent encoding when setting the Fragment part of the URL, and percent decoding when getting the Fragment in line with the URL spec
Changed RegExp.prototype.source now returns "(?:)" instead of the empty string for empty regular expressions
Changed Improved page load times via speculative connection warmup
HTML5 WebSocket now available in Web Workers
HTML5 BroadcastChannel API implemented
HTML5 Implemented srcset attribute and <picture> element for responsive images
HTML5 Implemented DOM3 Events KeyboardEvent.code
HTML5 Mac OS X: Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube
HTML5 Implemented Encrypted Media Extensions (EME) API to support encrypted HTML5 video/audio playback (Windows Vista or later only)
HTML5 Automatically download Adobe Primetime Content Decryption Module (CDM) for DRM playback through EME (Windows Vista or later only)
Developer Optimized-out variables are now visible in Debugger UI
Developer XMLHttpRequest logs in the web console are now visually labelled and can be filtered separately from regular network requests
Developer WebRTC now has multistream and renegotiation support
Developer copy command added to console
Fixed Various security fixes

Fixed in Firefox 38

    2015-58 Mozilla Windows updater can be run outside of application directory
    2015-57 Privilege escalation through IPC channel messages
    2015-56 Untrusted site hosting trusted page can intercept webchannel responses
    2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata
    2015-54 Buffer overflow when parsing compressed XML
    2015-53 Use-after-free due to Media Decoder Thread creation during shutdown
    2015-52 Sensitive URL encoded information written to Android logcat
    2015-51 Use-after-free during text processing with vertical text enabled
    2015-50 Out-of-bounds read and write in asm.js validation
    2015-49 Referrer policy ignored when links opened by middle-click and context menu
    2015-48 Buffer overflow with SVG content and CSS
    2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
    2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

Revision 1.95 / (download) - annotate - [select for diffs], Thu Apr 16 23:36:24 2015 UTC (7 years, 7 months ago) by hiramatsu
Branch: MAIN
Changes since 1.94: +1 -2 lines
Diff to previous 1.94 (colored)

Fix PLIST.

Because this package does not use gnomevfs, libnkgnomevfs.so is
not installed.

Revision 1.94, Sun Apr 5 12:54:11 2015 UTC (7 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.93: +55 -14 lines

Update to 37.0

* Bump nspr requirement.

Changelog:
New Heartbeat user rating system - your feedback about Firefox
New Yandex set as default search provider for the Turkish locale
New Bing search now uses HTTPS for secure searching
New Improved protection against site impersonation via OneCRL centralized certificate revocation
New Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc
Changed Disabled insecure TLS version fallback for site security
Changed Extended SSL error reporting for reporting non-certificate errors
Changed TLS False Start optimization now requires a cipher suite using AEAD construction
Changed Improved certificate and TLS communication security by removing support for DSA
Changed Improved performance of WebGL rendering on Windows
HTML5 Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube (Windows only)
HTML5 Added support for CSS display:contents
HTML5 IndexedDB now accessible from worker threads
HTML5 New SDP/JSEP implementation in WebRTC
Developer Debug tabs opened in Chrome Desktop, Chrome for Android, and Safari for iOS
Developer New Inspector animations panel to control element animations
Developer New Security Panel included in Network Panel
Developer Debugger panel support for chrome:// and about:// URIs
Developer Added logging of weak ciphers to the web console
Fixed Various security fixes

Fixed in Firefox 37
    2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
    2015-41 PRNG weakness allows for DNS poisoning on Android
    2015-40 Same-origin bypass through anchor navigation
    2015-39 Use-after-free due to type confusion flaws
    2015-38 Memory corruption crashes in Off Main Thread Compositing
    2015-37 CORS requests should not follow 30x redirections after preflight
    2015-36 Incorrect memory management for simple-type arrays in WebRTC
    2015-35 Cursor clickjacking with flash and images
    2015-34 Out of bounds read in QCMS library
    2015-33 resource:// documents can load privileged pages
    2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
    2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
    2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

Revision 1.93, Sat Feb 28 04:30:55 2015 UTC (7 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base, pkgsrc-2015Q1
Changes since 1.92: +44 -15 lines

Update to 36.0

Changelog:
New Pinned tiles on the new tab page can be synced
New Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web.
New Locale added: Uzbek (uz)
Changed -remote option removed
Changed No longer accept insecure RC4 ciphers whenever possible
Changed Phasing out Certificates with 1024-bit RSA Keys
Changed Shut down hangs will now show the crash reporter before exiting the program
Changed Add-on Compatibility
HTML5 Support for the ECMAScript 6 Symbol data type added
HTML5 unicode-range CSS descriptor implemented
HTML5 CSSOM-View scroll behavior implemented allowing smooth scrolling of content without custom libraries
HTML5 object-fit and object-position implemented.
      Defines how and where the content of a replaced element is displayed
HTML5 isolation CSS property implemented.
      Create a new stacking context to isolate groups of boxes to control which blend together
HTML5 CSS3 will-change property implemented.
      Hints the browser of elements that will be modified. The browser will perform some performance optimization for these
HTML5 Changed JavaScript 'const' semantics to conform better to the ES6 specification.
      The const declaration is now block-scoped and requires an initializer. It also can not be redeclared anymore.
HTML5 Improved ES6 generators for better performance
Developer Eval sources now appear in the Debugger
          Debug JavaScript code that is evaluated dynamically, either as a string passed to eval() or as a string passed to the Function constructor
Developer DOM Promises inspection
Developer Inspector: More paste options in markup view
Fixed CSS gradients work on premultiplied colors
Fixed Fix some unexpected logout from Facebook or Google after restart
Fixed Various security fixes

Fixed in Firefox 36
    2015-27 Caja Compiler JavaScript sandbox bypass
    2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs
    2015-25 Local files or privileged URLs in pages can be opened into new tabs
    2015-24 Reading of local files through manipulation of form autocomplete
    2015-23 Use-after-free in Developer Console date with OpenType Sanitiser
    2015-22 Crash using DrawTarget in Cairo graphics library
    2015-21 Buffer underflow during MP3 playback
    2015-20 Buffer overflow during CSS restyling
    2015-19 Out-of-bounds read and write while rendering SVG content
    2015-18 Double-free when using non-default memory allocators with a zero-length XHR
    2015-17 Buffer overflow in libstagefright during MP4 video playback
    2015-16 Use-after-free in IndexedDB
    2015-15 TLS TURN and STUN connections silently fail to simple TCP connections
    2015-14 Malicious WebGL content crash when writing strings
    2015-13 Appended period to hostnames can bypass HPKP and HSTS protections
    2015-12 Invoking Mozilla updater will load locally stored DLL files
    2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

Revision 1.92, Fri Jan 30 07:32:24 2015 UTC (7 years, 10 months ago) by pho
Branch: MAIN
Changes since 1.91: +2 -1 lines

Fix many issues on Darwin

PLIST:
  * lib/firefox/libmozglue.so is built and installed as a shared
    library on some platforms including Darwin.

mozilla-common.mk:
  * Sandboxing support is only available when the toolkit is
    cairo-cocoa.
  * It tries to use MacOS X 10.6 SDK by default, which is not always
    possible.

patches/patch-build_gyp.mozbuild:
  * Don't assume iOS just because the toolkit is not cocoa. Ideally
    there should be an AC_SUBST just like 'ARM_ARCH' but nothing
    exists currently.
  * MacOS X SDK version should be able to configure with ./configure
    --enable-macos-target=VER

patches/patch-extensions_spellcheck_hunspell_src_mozHunspell.cpp:
  * NS_NewNativeLocalFile() can fail and leave hunDir null, so we must
    check if it succeeded. This is not Darwin specific though.
  * "%%LOCALBASE%%" in the hunspell path is currently not substituted,
    which looks very erroneous to me. But since I don't know why
    ryoon@ changed it from "@PREFIX@" to "%%LOCALBASE%%" I leave it as
    it is.

patches/patch-ipc_glue_moz.build:
  * Don't assume cocoa toolkit just because OS_ARCH is Darwin.

patches/patch-js_src_asmjs_AsmJSSignalHandlers.cpp:
  * Increase portability for non-x86 Darwin by not hardwiring
    x86_THREAD_STATE.

patches/patch-js_xpconnect_src_xpcprivate.h:
  * The declaration has to be C++11 'extern template', otherwise
    non-weak symbol collision will occur between libmozjs and
    libxul. We can't easily test if the feature is supported by
    compiler due to GCC bug #1773:
    http://gcc.gnu.org/bugzilla/show_bug.cgi?id=1773

patches/patch-memory_mozalloc_VolatileBufferOSX.cpp:
  * Try to fall back to valloc(3) if posix_memalign(3) is not
    available. It has been added since MacOS 10.6.

patches/patch-toolkit_library_moz.build:
  * GSTREAMER_LIBS are linked to libxul on Darwin, while they are
    dlopen(3)'ed at runtime on other platforms. The problem is that
    the toolkit being cocoa isn't relevant at all. It's Darwin that
    needs the special handling, not Cocoa.

patches/patch-toolkit_xre_nsAppRunner.cpp:
  * MacOS X < 10.6 had an undocumented behavior concerning execve(2)
    inside a threaded process. If a process tried to call execve(2)
    and had more than one active thread, the kernel returned
    ENOTSUP. So we have to either fork(2) or vfork(2) before calling
    execve(2) to make sure the caller is single-threaded as otherwise
    the application fails to restart itself.

patches/patch-xpcom_base_nsStackWalk.cpp,
patches/patch-xpcom_build_PoisonIOInterposer.h:
  * Replace XP_MACOSX with XP_DARWIN as the former is not defined when
    the toolkit is not cocoa.

patches/patch-xpcom_glue_standalone_nsXPCOMGlue.cpp:
  * Fix inconsistent use of XP_DARWIN and XP_MACOSX:
    LEADING_UNDERSCORE should be empty when we are going to load XPCOM
    using dlopen(3), not NSAddImage().

Revision 1.91, Fri Jan 16 22:42:09 2015 UTC (7 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.90: +84 -38 lines

Update to 35.0

Changelog:
New Firefox Hello with new rooms-based conversations model
New New search UI improved and enabled for more locales
New Access the Firefox Marketplace from the Tools menu and optional toolbar button
New Built-in support for H264 (MP4) on Mac OS X Snow Leopard (10.6) and newer through native APIs
New Use tiled rendering on OS X
New Improved high quality image resizing performance
New Improved handling of dynamic styling changes to increase responsiveness
HTML5 Added support for the CSS Font Loading API
HTML5 Resource Timing API implemented
HTML5 CSS filters enabled by default
HTML5 Changed JavaScript 'let' semantics to conform better to the ES6 specification
Developer Support for inspecting ::before and ::after pseudo elements
Developer Computed view: Nodes matching the hovered selector are now highlighted
Developer Network Monitor: New request/response headers view (more info)
Developer Added support for the EXT_blend_minmax WebGL extension
Fixed Show DOM Properties context menu item in inspector
Fixed Reduced resource usage for scaled images
Fixed PDF.js updated to version 1.0.907
Fixed Non-HTTP(S) XHR now returns correct status code
Fixed Various security fixes

Security fixes:
    2015-09 XrayWrapper bypass through DOM objects
    2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension
    2015-07 Gecko Media Plugin sandbox escape
    2015-06 Read-after-free in WebRTC
    2015-05 Read of uninitialized memory in Web Audio
    2015-04 Cookie injection through Proxy Authenticate responses
    2015-03 sendBeacon requests lack an Origin header
    2015-02 Uninitialized memory use during bitmap rendering
    2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)

Revision 1.90, Mon Dec 1 18:11:14 2014 UTC (7 years, 11 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4
Changes since 1.89: +176 -54 lines

Update to 34.0.5

Changelog:
New Default search engine changed to Yahoo! for North America
New Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales
New Improved search bar (en-US only)
New Firefox Hello real-time communication client
New Easily switch themes/personas directly in the Customizing mode
New Wikipedia search now uses HTTPS for secure searching (en-US only)
New Implementation of HTTP/2 (draft14) and ALPN
New Recover from a locked Firefox process in the "Firefox is already running" dialog on Windows
Changed Disabled SSLv3
Changed Proprietary window.crypto properties/functions re-enabled (to be removed in Firefox 35)
Changed Firefox signed by Apple OS X version 2 signature
HTML5 ECMAScript 6 WeakSet Implemented
HTML5 JavaScript Template Strings Implemented
HTML5 CSS3 Font variants and features control (e.g. kerning) implemented
HTML5 WebCrypto: RSA-OAEP, PBKDF2 and AES-KW support
HTML5 WebCrypto: wrapKey and unwrapKey implemented
HTML5 WebCrypto: Import/export of JWK-formatted keys
HTML5 matches() DOM API implemented (formerly mozMatchesSelector())
HTML5 Performance.now() for workers implemented
HTML5 WebCrypto: ECDH support
Developer WebIDE: Create, edit, and test a new Web application from your browser
Developer Highlight all nodes that match a given selector in the Style Editor and the Inspector's Rules panel
Developer Improved User Interface of the Profiler
Developer console.table function added to web console
Fixed CSS transitions start correctly when started at the same time as changes to display, position, overflow, and similar properties
Fixed Various security fixes

2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
2014-88 Buffer overflow while parsing media content
2014-87 Use-after-free during HTML5 parsing
2014-86 CSP leaks redirect data via violation reports
2014-85 XMLHttpRequest crashes with some input streams
2014-84 XBL bindings accessible via improper CSS declarations
2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

Revision 1.89, Sat Nov 15 22:04:59 2014 UTC (8 years ago) by szptvlfn
Branch: MAIN
Changes since 1.88: +1 -2 lines

firefox-33.1 has DuckDuckGo as a search option,
so remove related patches.

Revision 1.88, Mon Nov 10 20:55:56 2014 UTC (8 years ago) by ryoon
Branch: MAIN
Changes since 1.87: +5 -1 lines

Update to 33.1

Changelog:
New
Forget Button added

New
Enhanced Tiles

New
Privacy tour introduced

New
Adding DuckDuckGo as a search option

Revision 1.87, Thu Nov 6 13:56:32 2014 UTC (8 years ago) by ryoon
Branch: MAIN
Changes since 1.86: +2 -1 lines

Bump PKGREVISION

* Build libmozjs.so shared library again.
  Thank you, joerg@.

Revision 1.86, Wed Oct 29 22:12:35 2014 UTC (8 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.85: +1 -2 lines

Bump PKGREVISION

* Disable libmozjs.so to avoid WRKDIR reference error.

Revision 1.85, Wed Oct 15 13:07:07 2014 UTC (8 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.84: +154 -12 lines

Update to 33.0

Changelog:
New
OpenH264 support (sandboxed)

New
Improved search experience through the location bar

New
Slimmer and faster JavaScript strings

New
Search suggestions on the Firefox Start (about:home) and new tab (about:newtab) pages

New
Windows: OMTC enabled by default

New
New CSP (Content Security Policy) backend

New
Support for connecting to HTTP proxy over HTTPS

New
Improved reliability of the session restoration

New
Azerbaijani [az] locale added

Changed
Proprietary window.crypto properties/functions removed

Changed
JSD (JavaScript Debugger Service) removed in favor of the Debugger interface

HTML5
@counter-style rule from CSS3 Counter Styles specification implemented

HTML5
DOMMatrix interface implemented

Developer
Cubic-bezier curves editor

Developer
Display which elements have listeners attached

Developer
New sidebar which displays a list of shortcuts to every @media rule in the current stylesheet

Developer
Paint flashing for browser content repaints

Developer
Editable @keyframes rules in the Rules section of the Inspector

Developer
CSS transform highlighter in the style-inspector

Fixed
Fix incomplete downloads being marked as complete by detecting broken HTTP1.1 transfers (237623)

Fixed
Various security fixes

Fixed in Firefox 33
MFSA 2014-82 Accessing cross-origin objects via the Alarms API
MFSA 2014-81 Inconsistent video sharing within iframe
MFSA 2014-80 Key pinning bypasses
MFSA 2014-79 Use-after-free interacting with text directionality
MFSA 2014-78 Further uninitialized memory use during GIF
MFSA 2014-77 Out-of-bounds write with WebM video
MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
MFSA 2014-75 Buffer overflow during CSS manipulation
MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

Revision 1.84, Sun Oct 5 01:59:08 2014 UTC (8 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.83: +141 -39 lines

Update to 32.0.3

Changelog:

Fixed
32.0.3: New security fixes can be found here

New
New HTTP cache provides improved performance including crash recovery

New
Integration of generational garbage collection

New
Public key pinning support enabled

New
View historical use information for logins stored in password manager

New
Display the number of found items in the find toolbar

New
Easier back, forward, reload, and bookmarking through the context menu

New
Lower Sorbian [dsb] locale added

Changed
Removed and turned off trust bit for some 1024-bit root certificates

Changed
Performance improvements to Password Manager and Add-on Manager

HTML5
drawFocusIfNeeded enabled by default

HTML5
ECMAScript 6 built-in method Array#copyWithin implemented

HTML5
CSS position:sticky enabled by default

HTML5
mix-blend-mode enabled by default

HTML5
New Array built-in: Array.from()

HTML5
navigator.languages property and languagechange event implemented

HTML5
Vibration API updated to latest W3C spec

HTML5
CSS box-decoration-break replaces -moz-background-inline-policy

HTML5
box-decoration-break enabled by default

Developer
HiDPI support in Developer Tools UI

Developer
Inspector button moved to the top left

Developer
Hidden nodes displayed differently in the markup-view

Developer
New Web Audio Editor

Developer
Code completion and inline documentation added to Scratchpad

Fixed
32.0.2 - Corrupt installations cause Firefox to crash on update

Fixed
32.0.1 - Stability issues for computers with multiple graphics cards

Fixed
32.0.1 - Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites

Fixed
32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified

Fixed
Various security fixes

Fixed
Mac OS X: cmd-L does not open a new window when no window is available

Fixed
Text Rendering Issues on Windows 7 with Platform Update KB2670838 (MSIE 10 Prerequisite) or on Windows 8.1


Security fixes:
Fixed in Firefox 32.0.3
MFSA 2014-73 RSA Signature Forgery in NSS

Fixed in Firefox 32
MFSA 2014-72 Use-after-free setting text directionality
MFSA 2014-71 Profile directory file access through file: protocol
MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline
MFSA 2014-69 Uninitialized memory use during GIF rendering
MFSA 2014-68 Use-after-free during DOM interactions with SVG
MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)

Revision 1.83, Thu Jul 24 14:57:12 2014 UTC (8 years, 4 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base, pkgsrc-2014Q3
Changes since 1.82: +272 -22 lines

Update to 31.0

Changelog:
    New
    Add the search field to the new tab page

    New
    Support of Prefer:Safe http header for parental control (learn more)

    New
    mozilla::pkix as default certificate verifier (learn more)

    New
    Block malware from downloaded files (learn more)

    New
    Partial implementation of the OpenType MATH table (section 6.3.6) see documentation about mathematical fonts and the MathML Torture Test for details

    New
    audio/video .ogg and .pdf files handled by Firefox if no application specified (Windows only)

    New
    Upper Sorbian [hsb] locale added

    Changed
    Removal of the CAPS infrastructure for specifying site-specific permissions (via capability.policy.* preferences). Most notably, attempts to use this functionality to grant access to the clipboard will no longer work. The sole exception is the checkloaduri permission, which may still be used as before to allow sites to load file:// URIs.

    HTML5
    WebVTT implemented and enabled (learn more)

    HTML5
    CSS3 variables implemented (learn more)

    Developer
    Developer Tools: Add-on Debugger (learn more)

    Developer
    Developer Tools: Canvas Debugger (learn more)

    Developer
    New Array built-in: Array.prototype.fill() (learn more)

    Developer
    New Object built-in: Object.setPrototypeOf() (learn more)

    Developer
    CSP 1.1 nonce-source and hash-source enabled by default

    Developer
    Developer Tools: Eyedropper tool added to the color picker (learn more)

    Developer
    Developer Tools: Editable Box Model (learn more)

    Developer
    Developer Tools: Code Editor improvements (learn more)

    Developer
    Developer Tools: Console stack traces (learn more)

    Developer
    Developer Tools: Copy as cURL (learn more)

    Developer
    Developer Tools: Styled console logs (learn more)

    Developer
    navigator.sendBeacon enabled by default (learn more)

    Developer
    Dialogs spawned from the onbeforeunload event no longer block access to the rest of the browser

    Fixed
    Search for partially selected link text from context menu (985824)

    Fixed
    Various security fixes

Fixed in Firefox 31
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-60 Toolbar dialog customization event spoofing
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

Revision 1.82, Wed Jun 11 00:40:59 2014 UTC (8 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base, pkgsrc-2014Q2
Changes since 1.81: +165 -39 lines

Update to 30.0

* debug build is broken

Changelog:
    New
    Sidebars button in browser chrome enables faster access to social, bookmark, & history sidebars

    New
    Mac OS X command-E sets find term to selected text

    New
    Support for GStreamer 1.0

    Changed
    Disallow calling WebIDL constructors as functions on the web

    Developer
    With the exception of those bundled inside an extension or ones that are whitelisted, plugins will no longer be activated by default (see blog post)

    Developer
    Fixes to box-shadow and other visual overflow (see bug 480888)

    Developer
    Mute and volume available per window when using WebAudio

    Developer
    background-blend-mode enabled by default

    Developer
    Use of line-height allowed for <input type="reset|button|submit">

    Developer
    ES6 array and generator comprehensions implemented (read docs for more details)

    Developer
    Error stack now contains column number

    Developer
    Support for alpha option in canvas context options (feature description)

    Fixed
    Ignore autocomplete="off" when offering to save passwords via the password manager (see 956906)

    Fixed
    TypedArrays don't support new named properties (see 695438)

    Fixed
    Various security fixes

Fixed in Firefox 30
MFSA 2014-54 Buffer overflow in Gamepad API
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-51 Use-after-free in Event Listener Manager
MFSA 2014-50 Clickjacking through cursor invisability after Flash interaction
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

Revision 1.81, Wed May 28 03:25:25 2014 UTC (8 years, 6 months ago) by pho
Branch: MAIN
Changes since 1.80: +2 -1 lines

PR pkg/48840: Fix PLIST on Cygwin and Darwin

libmozglue is built and installed as a shared library on these platforms.

Revision 1.80, Mon May 5 20:47:14 2014 UTC (8 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.79: +8 -8 lines

Fix packaging under OpenBSD

* It creates .so.1.0 libraries instead of .so
* Use bsdtar as tar forcibly under OpenBSD
* Fix tremor/vorbis conditional, but it is not used now

Revision 1.79, Wed Apr 30 15:07:17 2014 UTC (8 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.78: +207 -67 lines

Update to 29.0

* Restore html5 audio playback under NetBSD

Changelog:

    New
    Significant new customization mode makes it easy to personalize your Web experience to access the features you use the most (learn more)

    New
    A new, easy to access menu sits in the right hand corner of Firefox and includes popular browser controls

    New
    Sleek new tabs provide an overall smoother look and fade into the background when not active

    New
    An interactive onboarding tour to guide users through the new Firefox changes

    New
    The ability to set up Firefox Sync by creating a Firefox account (learn more)

    New
    Gamepad API finalized and enabled (learn more)

    New
    HTTPS used for Yahoo Searches performed in en-US locale

    New
    Malay [ma] locale added

    Changed
    Clicking on a W3C Web Notification will switch to the originating tab

    Developer
    'box-sizing' (dropping the -moz- prefix) implemented (learn more)

    Developer
    Console object available in Web Workers (learn more)

    Developer
    Promises enabled by default (learn more)

    Developer
    SharedWorker enabled by default

    Developer
    <input type="number"> implemented and enabled

    Developer
    <input type="color"> implemented and enabled

    Developer
    Enabled ECMAScript Internationalization API

    Developer
    Add-on bar has been removed, content moved to navigation bar

    Developer
    Implemented URLSearchParams from the URL specification (see MDN for details)

    Fixed
    Various security fixes

Fixed in Firefox 29
MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript
MFSA 2014-46 Use-after-free in nsHostResolve
MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates
MFSA 2014-44 Use-after-free in imgLoader while resizing images
MFSA 2014-43 Cross-site scripting (XSS) using history navigations
MFSA 2014-42 Privilege escalation through Web Notification API
MFSA 2014-41 Out-of-bounds write in Cairo
MFSA 2014-40 Firefox for Android addressbar suppression
MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video
MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
MFSA 2014-37 Out of bounds read while decoding JPG images
MFSA 2014-36 Web Audio memory corruption issues
MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer
MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

Revision 1.78, Thu Mar 20 21:02:00 2014 UTC (8 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2014Q1-base, pkgsrc-2014Q1
Changes since 1.77: +50 -25 lines

Update to 28.0

Changelog:
NEW
VP9 video decoding implemented
NEW
Mac OS X: Notification Center support for web notifications
NEW
Horizontal HTML5 audio/video volume control
NEW
Support for Opus in WebM
CHANGED
Now that spdy/3 is implemented support for spdy/2 has been removed and servers without spdy/3 will negotiate to http/1 without any penalty
DEVELOPER
Support for MathML 2.0 'mathvariant' attribute
DEVELOPER
Background thread hang reporting
DEVELOPER
Support for multi-line flexbox in layout
FIXED
Various security fixes

Fixed in Firefox 28
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-25 Firefox OS DeviceStorageFile object vulnerable to relative path escape
MFSA 2014-24 Android Crash Reporter open to manipulation
MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore
MFSA 2014-22 WebGL content injection from one domain to rendering in another
MFSA 2014-21 Local file access via Open Link in new tab
MFSA 2014-20 onbeforeunload and Javascript navigation DOS
MFSA 2014-19 Spoofing attack on WebRTC permission prompt
MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)

Revision 1.77, Sat Feb 8 09:36:00 2014 UTC (8 years, 9 months ago) by ryoon
Branch: MAIN
Changes since 1.76: +92 -13 lines

Update to 27.0

Changelog:
NEW
You can now run more than one service at a time with Firefox SocialAPI, allowing you to receive notifications, chat and more from multiple integrated services
CHANGED
Enabled TLS 1.1 (RFC 4346) and TLS 1.2 (RFC 5246) by default
CHANGED
Added support for SPDY 3.1 protocol
DEVELOPER
Ability to reset style sheets using 'all:unset'
DEVELOPER
You can now choose to deobfuscate javascript in the debugger (see 762761)
DEVELOPER
Added support for scrolled fieldsets (see 261037)
DEVELOPER
Implemented allow-popups directive for iframe sandbox, enabling increased security (see 766282)
DEVELOPER
CSS cursor keywords -moz-grab and -moz-grabbing have been unprefixed (see 880672)
DEVELOPER
Added support for ES6 generators in SpiderMonkey (see blog post)
DEVELOPER
Implemented support for mathematical function Math.hypot() in ES6 (see 896264)
HTML5
Dashed line support on Canvas (see 768067)
FIXED
Get Azure/Skia content rendering working on Linux (see 740200)
FIXED
27.0: Security fixes can be found here

Fixed in Firefox 27
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-11 Crash when using web workers with asm.js
MFSA 2014-10 Firefox default start page UI content invokable by script
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image proccessing
MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy
MFSA 2014-06 Profile path leaks to Android system log
MFSA 2014-05 Information disclosure with *FromPoint on iframes
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-03 UI selection timeout missing on download prompts
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)

Revision 1.76, Sun Dec 15 13:54:37 2013 UTC (8 years, 11 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base, pkgsrc-2013Q4
Changes since 1.75: +107 -17 lines

Update to 26.0

* Build outside WRKSRC, fix build

Changelog:
NEW
All Java plug-ins are defaulted to 'click to play'
NEW
Password manager now supports script-generated password fields
NEW
Updates can now be performed by Windows users without write permissions to Firefox install directory (requires Mozilla Maintenance Service)
NEW
Support for H.264 on Linux if the appropriate gstreamer plug-ins are installed
CHANGED
Support for MP3 decoding on Windows XP, completing MP3 support across Windows OS versions
CHANGED
CSP implementation now supports multiple policies, including the case of both an enforced and Report-Only policy, per the spec
DEVELOPER
Social API now supports Social Bookmarking for multiple providers through its SocialMarks functionality (see MDN docs)
DEVELOPER
Math.ToFloat32 takes a JS value and converts it to a Float32, whenever possible
DEVELOPER
There is no longer a prompt when websites use appcache
DEVELOPER
Support for the CSS image orientation property
DEVELOPER
New App Manager allows you to deploy and debug HTML5 webapps on Firefox OS phones and the Firefox OS Simulator
DEVELOPER
IndexedDB can now be used as an "optimistic" storage area so it doesn't require any prompts and data is stored in a pool with LRU eviction policy, in short temporary storage
FIXED
When displaying a standalone image, Firefox matches the EXIF orientation information contained within the JPEG image (298619)
FIXED
Text Rendering Issues on Windows 7 with Platform Update KB2670838 (MSIE 10 Prerequisite) or on Windows 8.1 (812695)
FIXED
Improved page load times due to no longer decoding images that aren't visible (847223)
FIXED
AudioToolbox MP3 backend for OSX (914479)
FIXED
Various security fixes

Fixed in Firefox 26
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure through selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-110 Potential overflow in JavaScript binary search algorithms
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-105 Application Installation doorhanger persists on navigation
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)

Revision 1.75 / (download) - annotate - [select for diffs], Sat Nov 2 22:57:55 2013 UTC (9 years ago) by ryoon
Branch: MAIN
Changes since 1.74: +67 -4566 lines
Diff to previous 1.74 (colored)

Update to 25.0

* Enable pulseaudio by default, OSS support is dropped, and ALSA support
  on NetBSD does not work properly for me
* Enable GStreamer support for non-webm and non-theora video support
* Create alsa option, and enabled on Linux by default

Changelog:
NEW
Web Audio support
NEW
The find bar is no longer shared between tabs
CHANGED
If away from Firefox for months, you now will be offered the option to reset it to its default state while preserving your essential information
CHANGED
Resetting Firefox no longer clears your browsing session
DEVELOPER
CSS3 background-attachment:local support to control background scrolling
DEVELOPER
Many new ES6 functions implemented
HTML5
iframe document content can now be specified inline
FIXED
Blank or missing page thumbnails when opening a new tab
FIXED
Security fixes can be found here

Fixed in Firefox 25
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-99 Security bypass of PDF.js checks using iframes
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar through SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

Revision 1.74 / (download) - annotate - [select for diffs], Sat Sep 21 11:40:57 2013 UTC (9 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3
Changes since 1.73: +3 -2 lines
Diff to previous 1.73 (colored)

Fix non-official branding build.

Revision 1.73 / (download) - annotate - [select for diffs], Sat Sep 21 10:09:39 2013 UTC (9 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.72: +3 -2 lines
Diff to previous 1.72 (colored)

Try to reintroduce PLIST conditionals related to vorbis.

Revision 1.72 / (download) - annotate - [select for diffs], Sat Sep 21 08:10:56 2013 UTC (9 years, 2 months ago) by martin
Branch: MAIN
Changes since 1.71: +2 -2 lines
Diff to previous 1.71 (colored)

The about-wordmark resource changed from .svg to .png

Revision 1.71 / (download) - annotate - [select for diffs], Thu Sep 19 12:37:49 2013 UTC (9 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.70: +181 -81 lines
Diff to previous 1.70 (colored)

Update to 24.0, ESR edition.

* Merge some patches via FreeBSD ports.
* Tested on NetBSD/amd64 6.99.23 and DragonFly/amd64 3.4.1.
* Use system hunspell dictionaries.
* DuckDuckGo search window.
* Enable system icu support.

Changelog:
NEW
Support for new scrollbar style in Mac OS X 10.7 and newer
NEW
Implemented Close tabs to the right
NEW
Social: Ability to tear-off chat windows to view separately by simply dragging them out
CHANGED
Accessibility related improvements on using pinned tabs (see 577727)
CHANGED
Removed support for Revocation Lists feature (see 867465)
CHANGED
Performance improvements on New Tab Page loads (see 791670)
DEVELOPER
Major SVG rendering improvements around Image tiling and scaling (see 600207)
DEVELOPER
Improved and unified Browser console for enhanced debugging experience, replacing existing Error console
DEVELOPER
Removed support for sherlock files that are loaded from application or profile directory
FIXED
Replace fixed-ratio audio resampler in webrtc.org capture code with Speex resampler and eliminate pseudo-44000Hz rate (see 886886)
FIXED
24.0: Security fixes can be found here

Fixed in Firefox 24
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-87 Shared object library loading from writable location
MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-84 Same-origin bypass through symbolic links
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

Revision 1.70 / (download) - annotate - [select for diffs], Thu Aug 29 18:48:25 2013 UTC (9 years, 3 months ago) by martin
Branch: MAIN
Changes since 1.69: +2 -2 lines
Diff to previous 1.69 (colored)

Conditionalize the last remaining PLIST difference on sparc64

Revision 1.69 / (download) - annotate - [select for diffs], Thu Aug 29 14:14:34 2013 UTC (9 years, 3 months ago) by martin
Branch: MAIN
Changes since 1.68: +2 -2 lines
Diff to previous 1.68 (colored)

Skia does not support GL on big endian machines yet - so adjust PLIST
by conditionalizing it.

Revision 1.68 / (download) - annotate - [select for diffs], Wed Aug 7 12:17:54 2013 UTC (9 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.67: +308 -119 lines
Diff to previous 1.67 (colored)

Update to 23.0

* Install SDK to firefox-sdk directory.
* Split multiple CONFIGURE_ARGS's arguments.
* Enable libmozjs.so build.

Changelog:

    NEW
    Mixed content blocking enabled to protect users from man-in-the-middle attacks and eavesdroppers on HTTPS pages (learn more)
    NEW
    Options panel created for Web Developer Toolbox
    CHANGED
    "Enable JavaScript" preference checkbox has been removed and user-set values will be reset to the default
    CHANGED
    Updated Firefox Logo
    CHANGED
    Improved about:memory's functional UI
    CHANGED
    Simplified interface for notifications of plugin installation
    CHANGED
    Enabled DXVA2 on Windows Vista+ to accelerate H.264 video decoding
    CHANGED
    Users can now switch to a new search provider across the entire browser
    CHANGED
    CSP policies using the standard syntax and semantics will now be enforced
    CHANGED
    <input type='file'> rendering improvements (see bug 838675)
    CHANGED
    Replace fixed-ratio audio resampler in webrtc.org capture code with Speex resampler and eliminate pseudo-44000Hz rate
    CHANGED
    "Load images automatically" and "Always show the tab bar" checkboxes removed from preferences and reset to defaults
    DEVELOPER
    HTML5 <input type="range"> form control implemented
    DEVELOPER
    Write more accessible pages on touch interfaces with new ARIA role for key buttons
    DEVELOPER
    Social share functionality
    DEVELOPER
    Added unprefixed requestAnimationFrame
    DEVELOPER
    Implemented a global browser console
    DEVELOPER
    Dropped blink effect from text-decoration: blink; and completely removed <blink> element
    DEVELOPER
    New feature in toolbox: Network Monitor
    FIXED
    Various security fixes

Fixed in Firefox 23
MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-74 Firefox full and stub installer DLL hijacking
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-67 Crash during WAV audio file decoding
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-65 Buffer underflow when generating CRMF requests
MFSA 2013-64 Use after free mutating DOM during SetBody
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

Revision 1.67 / (download) - annotate - [select for diffs], Wed Jun 26 11:32:12 2013 UTC (9 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base, pkgsrc-2013Q2
Changes since 1.66: +362 -71 lines
Diff to previous 1.66 (colored)

Update to 22.0

* On NetBSD WebRTC support is disabled, because libxul.so has some errors
  in link stage. WebRTC support should be tested on non-NetBSD platforms.
* It seems that OSS sound support is not working properly on NetBSD.

Changelog:
    NEW
    WebRTC is now enabled by default!
    NEW
    Windows: Firefox now follows display scaling options to render text larger on high-res displays
    NEW
    Mac OS X: Download progress in Dock application icon
    NEW
    HTML5 audio/video playback rate can now be changed
    NEW
    Social services management implemented in Add-ons Manager
    NEW
    asm.js optimizations (OdinMonkey) enabled for major performance improvements
    CHANGED
    Improved WebGL rendering performance through asynchronous canvas updates
    CHANGED
    Plain text files displayed within Firefox will now word-wrap
    CHANGED
    For user security, the |Components| object is no longer accessible from web content
    CHANGED
    Pointer Lock API can now be used outside of fullscreen
    DEVELOPER
    CSS3 Flexbox implemented and enabled by default
    DEVELOPER
    New Web Notifications API implemented
    DEVELOPER
    Added clipboardData API for JavaScript access to a user's clipboard
    DEVELOPER
    New built-in font inspector
    HTML5
    New HTML5 <data> and <time> elements
    FIXED
    Various security fixes
    FIXED
    Scrolling using some high-resolution-scroll aware touchpads feels slow (829952)

Fixed in Firefox 22
MFSA 2013-62 Inaccessible updater can lead to local privilege escalation
MFSA 2013-61 Homograph domain spoofing in .com, .net and .name
MFSA 2013-60 getUserMedia permission dialog incorrectly displays location
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-58 X-Frame-Options ignored when using server push with multi-part responses
MFSA 2013-57 Sandbox restrictions not applied to nested frame elements
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-52 Arbitrary code execution within Profiler
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

Revision 1.66 / (download) - annotate - [select for diffs], Fri Jun 21 23:11:42 2013 UTC (9 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.65: +1 -7 lines
Diff to previous 1.65 (colored)

Bump PKGREVISION.

* Add NetBSD/sparc64 support from martin@.
  Almost all functionalities work fine, but https handling.
* Enable system jpeg support. This is accidentally disabled.

Revision 1.65 / (download) - annotate - [select for diffs], Thu May 23 13:12:13 2013 UTC (9 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.64: +2 -1 lines
Diff to previous 1.64 (colored)

Bump PKGREVISION.

* Remove reference to devel/xulrunner.
* Move some common files for firefox/xulrunner-21.0.
* Move patches from devel/xulrunner.
* Take MAINTAINERship.

Revision 1.64 / (download) - annotate - [select for diffs], Sun May 19 12:31:58 2013 UTC (9 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.63: +3 -1 lines
Diff to previous 1.63 (colored)

Fix gnome option.

This is related to PR pkg/47801.
But devel/xulrunner is broken now.

Revision 1.63 / (download) - annotate - [select for diffs], Sun May 19 08:50:24 2013 UTC (9 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.62: +6038 -731 lines
Diff to previous 1.62 (colored)

Update to 21.0

* This release of firefox is built with internal xulrunner.
  Because separated (system) xulrunner has prefs and chrome load problem.
* gnome option is broken in libnkmozgnomevfs.so build.

Changelog:
NEW
The Social API now supports multiple providers
NEW
Enhanced three-state UI for Do Not Track (DNT)
NEW
Firefox will suggest how to improve your application startup time if needed
NEW
Preliminary implementation of Firefox Health Report
CHANGED
Ability to restore removed thumbnails on New Tab Page
CHANGED
CSS -moz-user-select:none selection changed to improve compatibility with -webkit-user-select:none (bug 816298)
CHANGED
Graphics related performance improvements (bug 809821)
CHANGED
Removed E4X support from Spidermonkey
DEVELOPER
Implemented Remote Profiling
DEVELOPER
Integrated add-on SDK loader and API libraries into Firefox
HTML5
Added support for <main> element
HTML5
Implemented scoped stylesheets
HTML5
Added support for window.crypto.getRandomValues
FIXED
Some function keys may not work when pressed (833719)
FIXED
Browsing and Download history clearing needs unification to avoid confusion on clearing download history (847627)
FIXED
21.0: Security fixes can be found here

Fixed in Firefox 21
MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-43 File input control has access to full path
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

Revision 1.62 / (download) - annotate - [select for diffs], Fri Apr 5 13:30:17 2013 UTC (9 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.61: +82 -77 lines
Diff to previous 1.61 (colored)

Update to 20.0

Changelog:
    NEW
    Per-window Private Browsing. Learn more.
    NEW
    New download experience. Learn more.
    NEW
    Ability to close hanging plugins, without the browser hanging
    CHANGED
    Continued performance improvements around common browser tasks (page loads, downloads, shutdown, etc.)
    DEVELOPER
    Continued implementation of draft ECMAScript 6 - clear() and Math.imul
    DEVELOPER
    New JavaScript Profiler tool
    HTML5
    getUserMedia implemented for web access to the user's camera and microphone (with user permission)
    HTML5
    <canvas> now supports blend modes
    HTML5
    Various <audio> and <video> improvements
    FIXED
    Details button on Crash Reporter (793972)
    FIXED
    Unity plugin doesn't display in HiDPI mode (829284)
    FIXED
    20.0: Security fixes can be found here

Fixed in Firefox 20
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-39 Memory corruption while rendering grayscale PNG images
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-37 Bypass of tab-modal dialog origin disclosure
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-33 World read and write access to app_tmp directory on Android
MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)

Revision 1.61 / (download) - annotate - [select for diffs], Fri Feb 22 14:54:01 2013 UTC (9 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base, pkgsrc-2013Q1
Changes since 1.60: +25 -4 lines
Diff to previous 1.60 (colored)

Update to 19.0

Sync with xulrunner-19.0.

Revision 1.60 / (download) - annotate - [select for diffs], Thu Jan 10 15:03:25 2013 UTC (9 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.59: +14 -17 lines
Diff to previous 1.59 (colored)

Update to 18.0

Sync with devel/xulrunner 18.0.

Revision 1.59 / (download) - annotate - [select for diffs], Thu Nov 22 07:32:24 2012 UTC (10 years ago) by abs
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base, pkgsrc-2012Q4
Changes since 1.58: +1 -2 lines
Diff to previous 1.58 (colored)

fix lib/firefox/chrome/browser/content/branding/about-background.png

Revision 1.58 / (download) - annotate - [select for diffs], Wed Nov 21 15:26:50 2012 UTC (10 years ago) by ryoon
Branch: MAIN
Changes since 1.57: +53 -16 lines
Diff to previous 1.57 (colored)

Update to 17.0

* Add --enable-pulseaudio configure option (functionality is not tested)

Changelog:
    NEW
    First revision of the Social API and support for Facebook Messenger
    NEW
    Click-to-play blocklisting implemented to prevent vulnerable plugin versions from running without the user's permission (see blog post)
    CHANGED
    Updated Awesome Bar experience with larger icons
    CHANGED
    Mac OS X 10.5 is no longer supported
    DEVELOPER
    JavaScript Maps and Sets are now iterable
    DEVELOPER
    SVG FillPaint and StrokePaint implemented
    DEVELOPER
    Improvements that make the Web Console, Debugger and Developer Toolbar faster and easier to use
    DEVELOPER
    New Markup panel in the Page Inspector allows easy editing of the DOM
    HTML5
    Sandbox attribute for iframes implemented, enabling increased security
    FIXED
    Over twenty performance improvements, including fixes around the New Tab page
    FIXED
    Pointer lock doesn't work in web apps (769150)
    FIXED
    Page scrolling on sites with fixed headers (780345)

Revision 1.57 / (download) - annotate - [select for diffs], Fri Oct 12 18:27:21 2012 UTC (10 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.56: +30 -2 lines
Diff to previous 1.56 (colored)

Update to 16.0.1

Changelog:
    FIXED
    16.0.1: Vulnerability outlined here
	https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
    NEW
    Firefox on Mac OS X now has preliminary VoiceOver support turned on by default
    NEW
    Initial web app support (Windows/Mac/Linux)
    NEW
    Acholi and Kazakh localizations added
    CHANGED
    Improvements around JavaScript responsiveness through incremental garbage collection
    DEVELOPER
    New Developer Toolbar with buttons for quick access to tools, error count for the Web Console, and a new command line for quick keyboard access
    DEVELOPER
    CSS3 Animations, Transitions, Transforms and Gradients unprefixed in Firefox 16
    DEVELOPER
    Recently opened files list in Scratchpad implemented
    FIXED
    16.0.1: Vulnerability outlined here
	https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
    FIXED
    Debugger breakpoints do not catch on page reload (783393)
    FIXED
    No longer supporting MD5 as a hash algorithm in digital signatures (650355)
    FIXED
    Opus support by default (772341)
    FIXED
    Reverse animation direction has been implemented (655920)
    FIXED
    Per tab reporting in about:memory (687724)
    FIXED
    User Agent strings for pre-release Firefox versions now show only major version (728831)

Revision 1.56 / (download) - annotate - [select for diffs], Tue Aug 28 16:39:19 2012 UTC (10 years, 3 months ago) by abs
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3
Changes since 1.55: +1 -2 lines
Diff to previous 1.55 (colored)

Fix PLIST for !nobranding

Revision 1.55 / (download) - annotate - [select for diffs], Tue Aug 28 12:42:02 2012 UTC (10 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.54: +92 -5 lines
Diff to previous 1.54 (colored)

Update to 15.0

* Use patches from https://bugzilla.mozilla.org/show_bug.cgi?id=753046
* Fix firefox.sh

Changelog:
NEW Preliminary native PDF support (Aurora/Beta only)
NEW Support for SPDY networking protocol v3
NEW WebGL enhancements, including compressed textures for better performance
CHANGED Optimized memory usage for add-ons
DEVELOPER JavaScript debugger integrated into developer tools
DEVELOPER New layout view added to Inspector
DEVELOPER The CSS word-break property has been implemented.
DEVELOPER High precision event timer implemented
DEVELOPER New responsive design tool allows web developers to switch between desktop and mobile views of sites
HTML5 Native support for the Opus audio codec added
HTML5 The <source> element now supports the media attribute
HTML5 The <audio> and <video> elements now support the played attribute

Revision 1.54 / (download) - annotate - [select for diffs], Fri Jul 20 06:45:35 2012 UTC (10 years, 4 months ago) by abs
Branch: MAIN
Changes since 1.53: +1 -2 lines
Diff to previous 1.53 (colored)

fix PLIST for official-mozilla-branding. Bump PKGREVISION

Revision 1.53 / (download) - annotate - [select for diffs], Wed Jul 18 16:10:07 2012 UTC (10 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.52: +44 -7 lines
Diff to previous 1.52 (colored)

Update to 14.0.1

Changelog:
NEW
Google searches now utilize HTTPS
NEW
Full screen support for Mac OS X Lion implemented
NEW
Plugins can now be configured to only load on click (requires an about:config change)
NEW
The Awesome Bar now auto-completes typed URLs
CHANGED
Improved site identity manager, to prevent spoofing of an SSL connection with favicons
DEVELOPER
Pointer Lock API implemented
DEVELOPER
New API to prevent your display from sleeping
DEVELOPER
New text-transform and font-variant CSS improvements for Turkic languages and Greek
FIXED
Various security fixes
FIXED
GIF animation can get stuck when src and image size are changed (743598)
FIXED
OS X: nsCocoaWindow::ConstrainPosition uses wrong screen in multi-display setup (752149)
FIXED
CSS :hover regression when an element's class name is set by Javascript (758885)

Revision 1.52 / (download) - annotate - [select for diffs], Tue Jun 5 21:33:49 2012 UTC (10 years, 5 months ago) by abs
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base, pkgsrc-2012Q2
Changes since 1.51: +1 -2 lines
Diff to previous 1.51 (colored)

fix !nobranding PLIST

Revision 1.51 / (download) - annotate - [select for diffs], Tue Jun 5 18:10:38 2012 UTC (10 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.50: +60 -35 lines
Diff to previous 1.50 (colored)

Sync with devel/xulrunner-13.0

Revision 1.50 / (download) - annotate - [select for diffs], Thu Apr 26 13:30:30 2012 UTC (10 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.49: +54 -35 lines
Diff to previous 1.49 (colored)

Update to 12.0

Changelog:
* Page Source now has line numbers
* Line breaks are now supported in the title attribute
* Improvements to "Find in Page" to center search result
* URLs pasted into the download manager window are now automatically downloaded
* Support for the text-align-last CSS property has been added
* Various security fixes
* Some TinyMCE-based editors failed to load (739141)

Revision 1.49 / (download) - annotate - [select for diffs], Thu Mar 15 08:31:10 2012 UTC (10 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q1-base, pkgsrc-2012Q1
Changes since 1.48: +35 -3 lines
Diff to previous 1.48 (colored)

Update to 11.0

* Follow devel/xulrunner update.

Revision 1.48 / (download) - annotate - [select for diffs], Sat Mar 10 03:09:42 2012 UTC (10 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.47: +2 -1 lines
Diff to previous 1.47 (colored)

Bump PKGREVISION

* Restore --disable-official-branding.

Revision 1.47 / (download) - annotate - [select for diffs], Tue Mar 6 12:35:14 2012 UTC (10 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.46: +59 -6 lines
Diff to previous 1.46 (colored)

Update xulrunner 10.0.2

* Improve sparc64 support.

Thank you, martin@

Changelog:
* Fix security bugs
* Other improvements and bugfixes

Revision 1.46 / (download) - annotate - [select for diffs], Sat Nov 12 12:45:04 2011 UTC (11 years ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4
Changes since 1.45: +11 -5 lines
Diff to previous 1.45 (colored)

Update to firefox-8.0.

XXX Set MAKE_JOBS_SAFE=no for now. Should investigate why it fails
without it as it prolongs build time significantly.

Upstream changes:

Add-ons installed by third party programs are now disabled by default
Added a one-time add-on selection dialog to manage previously installed add-ons
Added Twitter to the search bar for select locales. Additional locale support
  will be added in the future
Added a preference to load tabs on demand, improving start-up time when
  windows are restored
Improved performance and memory handling when using <audio> and <video>
  elements
Added CORS support for cross-domain textures in WebGL
Added support for HTML5 context menus
Added support for insertAdjacentHTML
Improved CSS hyphen support for many languages
Improved WebSocket support
Fixed several stability issues
Fixed several security issues

Revision 1.45 / (download) - annotate - [select for diffs], Mon Oct 3 12:37:24 2011 UTC (11 years, 1 month ago) by tnn
Branch: MAIN
Changes since 1.44: +7 -5 lines
Diff to previous 1.44 (colored)

Update to firefox-7.0. Release notes:

Drastically improved memory handling for certain use cases
Added a new rendering backend to speed up Canvas operations on Windows systems
Bookmark and password changes now sync almost instantly when using Firefox Sync
The 'http://' URL prefix is now hidden by default
Added support for text-overflow: ellipsis
Added support for the Web Timing specification
Enhanced support for MathML
The WebSocket protocol has been updated from version 7 to version 8
Added an opt-in system for users to send performance data back to Mozilla
  to improve future versions of Firefox
Fixed several stability issues
Fixed several security issues

Revision 1.44 / (download) - annotate - [select for diffs], Thu Aug 18 18:31:10 2011 UTC (11 years, 3 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2011Q3-base, pkgsrc-2011Q3
Changes since 1.43: +16 -3 lines
Diff to previous 1.43 (colored)

Update to Firefox 6.0.

Major changes include:

The address bar now highlights the domain of the website you're visiting
Streamlined the look of the site identity block
Added support for the latest draft version of WebSockets with a prefixed API
Added support for EventSource / server-sent events
Added support for window.matchMedia
Added Scratchpad, an interactive JavaScript prototyping environment
Added a new Web Developer menu item and moved development-related items into it
Improved usability of the Web Console
Improved the discoverability of Firefox Sync
Reduced browser startup time when using Panorama
Fixed several stability issues
Fixed several security issues

Revision 1.43 / (download) - annotate - [select for diffs], Mon Jul 11 13:17:40 2011 UTC (11 years, 4 months ago) by tnn
Branch: MAIN
Changes since 1.42: +2 -1 lines
Diff to previous 1.42 (colored)

Fix PLIST when official branding is disabled.

Revision 1.42 / (download) - annotate - [select for diffs], Tue Apr 26 14:18:01 2011 UTC (11 years, 7 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base, pkgsrc-2011Q2
Changes since 1.41: +357 -19 lines
Diff to previous 1.41 (colored)

Update to firefox-4.0.

Firefox 4 is based on the Gecko 2.0 Web platform. This release features
JavaScript execution speeds up to six times faster than the previous
version, new capabilities for Web Developers and Add-on Developers such as
hardware accelerated graphics and HTML5 technologies, and a completely
revised user interface.

Revision 1.41 / (download) - annotate - [select for diffs], Wed Dec 29 22:38:49 2010 UTC (11 years, 11 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base, pkgsrc-2011Q1, pkgsrc-2010Q4-base, pkgsrc-2010Q4
Changes since 1.40: +1 -2 lines
Diff to previous 1.40 (colored)

fix installation w/ gnome option enabled

Revision 1.40 / (download) - annotate - [select for diffs], Tue Mar 16 15:57:03 2010 UTC (12 years, 8 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2010Q3-base, pkgsrc-2010Q3, pkgsrc-2010Q2-base, pkgsrc-2010Q2, pkgsrc-2010Q1-base, pkgsrc-2010Q1
Changes since 1.39: +6 -9 lines
Diff to previous 1.39 (colored)

Update to firefox-3.6.2.
.2 is not formally released yet, but is release tagged in the scm and I
want to get this update in before we freeze the tree.

"Firefox 3.6 is built on Mozilla's Gecko 1.9.2 web rendering platform,
which has been under development since early 2009 and contains many
improvements for web developers, add-on developers, and users."

- Improved JavaScript performance, overall browser responsiveness,
  and startup time.
- The ability for web developers to indicate that scripts should run
  asynchronously to speed up page load times.
- Continued support for downloadable web fonts using the new WOFF font format.
- Support for new CSS attributes such as gradients, background sizing,
  and pointer events.
- Support for new DOM and HTML5 specifications including the Drag & Drop API
  and the File API, which allow for more interactive web pages.

Revision 1.38.2.1 / (download) - annotate - [select for diffs], Wed Oct 28 18:13:24 2009 UTC (13 years, 1 month ago) by tron
Branch: pkgsrc-2009Q3
Changes since 1.38: +1 -0 lines
Diff to previous 1.38 (colored) next main 1.39 (colored)

Pullup ticket #2923 - requested by tnn
xulrunner: security update
firefox: security update

Revisions pulled up:
- devel/xulrunner/Makefile			1.24-1.25
- devel/xulrunner/PLIST				1.17-1.18
- devel/xulrunner/distinfo			1.13-1.14
- devel/xulrunner/mozilla-common.mk		1.2
- devel/xulrunner/patches/patch-aa		1.2
- devel/xulrunner/patches/patch-aq		1.3
- devel/xulrunner/patches/patch-ay		1.1
- devel/xulrunner/patches/patch-mf		1.2
- devel/xulrunner/patches/patch-mn		1.2
- devel/xulrunner/patches/patch-nb		delete
- devel/xulrunner/patches/patch-nc		delete
- devel/xulrunner/patches/patch-pd		1.2
- devel/xulrunner/patches/patch-ra		1.1
- devel/xulrunner/patches/patch-rb		1.1
- devel/xulrunner/patches/patch-rc		1.1
- www/firefox/Makefile				1.60-1.61
- www/firefox/PLIST				1.39
- www/firefox/distinfo				delete
- www/firefox/patches/patch-aa			delete
- www/firefox/patches/patch-ao			delete
- www/firefox/patches/patch-ma			delete
- www/firefox/patches/patch-mi			delete
- www/firefox/patches/patch-mk			delete
- www/firefox/patches/patch-mm			delete
- www/firefox/patches/patch-ra			delete
- www/firefox/patches/patch-rb			delete
- www/firefox/patches/patch-rc			delete
---
Module Name:	pkgsrc
Committed By:	tnn
Date:		Sun Oct 11 10:49:57 UTC 2009

Modified Files:
	pkgsrc/devel/xulrunner: Makefile PLIST distinfo
	pkgsrc/devel/xulrunner/patches: patch-aa
	pkgsrc/www/firefox: Makefile
Added Files:
	pkgsrc/devel/xulrunner/patches: patch-ay patch-ra patch-rb patch-rc
Removed Files:
	pkgsrc/www/firefox: distinfo
	pkgsrc/www/firefox/patches: patch-aa patch-ao patch-ma patch-mi
	    patch-mk patch-mm patch-ra patch-rb patch-rc

Log Message:
- allow firefox and xulrunner to share some infrastructure
- install headers for plugin and liveconnect (needed by openjdk7-icedtea-plugin)
- bump revision for both packages
---
Module Name:	pkgsrc
Committed By:	tnn
Date:		Wed Oct 28 11:36:36 UTC 2009

Modified Files:
	pkgsrc/devel/xulrunner: Makefile PLIST distinfo mozilla-common.mk
	pkgsrc/devel/xulrunner/patches: patch-aq patch-mf patch-mn patch-pd
	pkgsrc/www/firefox: Makefile PLIST
Removed Files:
	pkgsrc/devel/xulrunner/patches: patch-nb patch-nc

Log Message:
Security and bugfix update of firefox (to 3.5.4) and xulrunner (to 1.9.1.4)
Also fix broken DESTDIR support.

Fixes the following security issues:
MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-61 Cross-origin data theft through document.getSelection()
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
MFSA 2009-56 Heap buffer overflow in GIF color map parser
MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
MFSA 2009-54 Crash with recursive web-worker calls
MFSA 2009-53 Local downloaded file tampering
MFSA 2009-52 Form history vulnerable to stealing

Revision 1.39 / (download) - annotate - [select for diffs], Wed Oct 28 11:36:36 2009 UTC (13 years, 1 month ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base, pkgsrc-2009Q4
Changes since 1.38: +2 -1 lines
Diff to previous 1.38 (colored)

Security and bugfix update of firefox (to 3.5.4) and xulrunner (to 1.9.1.4)
Also fix broken DESTDIR support.

Fixes the following security issues:
MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-61 Cross-origin data theft through document.getSelection()
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
MFSA 2009-56 Heap buffer overflow in GIF color map parser
MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
MFSA 2009-54 Crash with recursive web-worker calls
MFSA 2009-53 Local downloaded file tampering
MFSA 2009-52 Form history vulnerable to stealing

Revision 1.38 / (download) - annotate - [select for diffs], Wed Sep 16 19:06:18 2009 UTC (13 years, 2 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2009Q3-base
Branch point for: pkgsrc-2009Q3
Changes since 1.37: +6 -2065 lines
Diff to previous 1.37 (colored)

Build firefox against external runtime components from devel/xulrunner.
Bump PKGREVISION.

Revision 1.37 / (download) - annotate - [select for diffs], Sun Aug 30 01:14:49 2009 UTC (13 years, 3 months ago) by markd
Branch: MAIN
Changes since 1.36: +2 -1 lines
Diff to previous 1.36 (colored)

libgnome is also needed for the gnome option to do anything.

Revision 1.36 / (download) - annotate - [select for diffs], Sat Aug 29 11:50:32 2009 UTC (13 years, 3 months ago) by tnn
Branch: MAIN
Changes since 1.35: +3 -1 lines
Diff to previous 1.35 (colored)

PLIST fix for previous

Revision 1.35 / (download) - annotate - [select for diffs], Sun Aug 9 23:05:42 2009 UTC (13 years, 3 months ago) by tnn
Branch: MAIN
Changes since 1.34: +1 -2 lines
Diff to previous 1.34 (colored)

remove stale PLIST entry

Revision 1.34 / (download) - annotate - [select for diffs], Wed Aug 5 02:43:47 2009 UTC (13 years, 3 months ago) by tnn
Branch: MAIN
Changes since 1.33: +2129 -2571 lines
Diff to previous 1.33 (colored)

merge pkgsrc-20090805

Revision 1.1.1.2 / (download) - annotate - [select for diffs] (vendor branch), Wed Aug 5 02:37:10 2009 UTC (13 years, 3 months ago) by tnn
Branch: TNF
CVS Tags: pkgsrc-20090805
Changes since 1.1.1.1: +2128 -2373 lines
Diff to previous 1.1.1.1 (colored)

Import firefox-3.5.2 as www/firefox from pkgsrc-wip.

Firefox 3.5 is based on the Gecko 1.9.1 rendering platform.
Firefox 3.5 offers many changes over the previous version, supporting new web
technologies, improving performance and ease of use.
Some of the notable features are:

* Support for the HTML5 <video> and <audio> elements
* Improved tools for controlling your private data
* Better web application performance using the new TraceMonkey JavaScript engine
* The ability to share your location with websites using Location Aware Browsing
* Support for native JSON, and web worker threads.
* Improvements to the Gecko layout engine, including speculative parsing for
  faster content rendering.
* Support for new web technologies such as: downloadable fonts, CSS media
  queries, new transformations and properties, JavaScript query selectors,
  HTML5 local storage and offline application storage, <canvas> text,
  ICC profiles, and SVG transforms.

Revision 1.33, Wed Aug 5 01:27:31 2009 UTC (13 years, 3 months ago) by tnn
Branch: MAIN
Changes since 1.32: +1 -1 lines
FILE REMOVED

Remove firefox 2.x. Firefox 3.5 branch will be imported in this location.
(I opted for removing and re-importing instead of a plain update due to
 extensive patch rototill)

We may encounter minor turbulence as dependent packages are sorted out.
Thank you for flying pkgsrc-current.

Revision 1.32 / (download) - annotate - [select for diffs], Sun Jun 14 22:00:21 2009 UTC (13 years, 5 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2009Q2-base, pkgsrc-2009Q2
Changes since 1.31: +1 -160 lines
Diff to previous 1.31 (colored)

Convert @exec/@unexec to @pkgdir or drop it.

Revision 1.29.4.2 / (download) - annotate - [select for diffs], Fri Sep 26 19:52:40 2008 UTC (14 years, 2 months ago) by tron
Branch: pkgsrc-2008Q2
Changes since 1.29.4.1: +2 -1 lines
Diff to previous 1.29.4.1 (colored) to branchpoint 1.29 (colored) next main 1.30 (colored)

Pullup ticket #2534 - requested by ghen
firefox: security update
firefox-bin:  security update
firefox-gtk1: security update

www/firefox-bin/Makefile			1.45
www/firefox-bin/distinfo			1.45
www/firefox-gtk1/Makefile			1.20-1.21
www/firefox-gtk1/PLIST				1.16
www/firefox/Makefile				1.47-1.48
www/firefox/Makefile-firefox.common		1.60
www/firefox/PLIST				1.31
www/firefox/distinfo				1.81-1.82
www/firefox/patches/patch-ee			1.1
www/firefox/patches/patch-ef			1.1
www/firefox/patches/patch-eg			1.1
---
Module Name:    pkgsrc
Committed By:   martin
Date:           Mon Aug 11 10:09:21 UTC 2008

Modified Files:
        pkgsrc/www/firefox: Makefile distinfo
        pkgsrc/www/firefox-gtk1: Makefile
Added Files:
        pkgsrc/www/firefox/patches: patch-ee patch-ef patch-eg

Log Message:
Add "unicode" processing alignment patch from mozilla's bugzilla to make
firefox work again on archs requiring strict alignment.
Bump pkgrevision.
---
Module Name:	pkgsrc
Committed By:	ghen
Date:		Wed Sep 24 14:34:36 UTC 2008

Modified Files:
	pkgsrc/www/firefox: Makefile Makefile-firefox.common PLIST distinfo
	pkgsrc/www/firefox-bin: Makefile distinfo
	pkgsrc/www/firefox-gtk1: Makefile PLIST

Log Message:
Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.17.
(ok during freeze agc@)

Security fixes in this version:

MFSA 2008-45 XBM image uninitialized memory reading
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag
MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
MFSA 2008-37 UTF-8 URL stack buffer overflow

For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.17/releasenotes/

Revision 1.31 / (download) - annotate - [select for diffs], Wed Sep 24 14:34:36 2008 UTC (14 years, 2 months ago) by ghen
Branch: MAIN
CVS Tags: pkgsrc-2009Q1-base, pkgsrc-2009Q1, pkgsrc-2008Q4-base, pkgsrc-2008Q4, pkgsrc-2008Q3-base, pkgsrc-2008Q3
Changes since 1.30: +2 -1 lines
Diff to previous 1.30 (colored)

Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.17.
(ok during freeze agc@)

Security fixes in this version:

MFSA 2008-45 XBM image uninitialized memory reading
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag
MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
MFSA 2008-37 UTF-8 URL stack buffer overflow

For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.17/releasenotes/

Revision 1.29.4.1 / (download) - annotate - [select for diffs], Fri Jul 18 09:13:31 2008 UTC (14 years, 4 months ago) by rtr
Branch: pkgsrc-2008Q2
Changes since 1.29: +1 -2 lines
Diff to previous 1.29 (colored)

pullup ticket 2449 requested by ghen
firefox, firefox-bin: update for security fixes

revisions pulled up:
pkgsrc/www/firefox/Makefile-firefox.common	1.59
pkgsrc/www/firefox/PLIST			1.30
pkgsrc/www/firefox/distinfo			1.80
pkgsrc/www/firefox-bin/Makefile			1.44
pkgsrc/www/firefox-bin/distinfo			1.44

   Module Name:	pkgsrc
   Committed By:	ghen
   Date:		Wed Jul 16 09:52:56 UTC 2008

   Modified Files:
   	pkgsrc/www/firefox: Makefile-firefox.common PLIST distinfo
   	pkgsrc/www/firefox-bin: Makefile distinfo

   Log Message:
   Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.16.

   Security fixes in this version:

   MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
   MFSA 2008-34 Remote code execution by overflowing CSS reference counter

   For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.16/releasenotes/

Revision 1.30 / (download) - annotate - [select for diffs], Wed Jul 16 09:52:56 2008 UTC (14 years, 4 months ago) by ghen
Branch: MAIN
CVS Tags: cube-native-xorg-base, cube-native-xorg
Changes since 1.29: +1 -2 lines
Diff to previous 1.29 (colored)

Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.16.

Security fixes in this version:

MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
MFSA 2008-34 Remote code execution by overflowing CSS reference counter

For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.16/releasenotes/

Revision 1.28.6.1 / (download) - annotate - [select for diffs], Wed Jul 2 13:13:59 2008 UTC (14 years, 5 months ago) by tron
Branch: pkgsrc-2008Q1
Changes since 1.28: +2 -1 lines
Diff to previous 1.28 (colored) next main 1.29 (colored)

Pullup ticket #2441 - requested by ghen
Security update for firefox, firefox-bin and firefox-gtk1

Revisions pulled up:
- www/firefox-bin/Makefile		1.43
- www/firefox-bin/distinfo		1.43
- www/firefox/Makefile-firefox.common	1.58
- www/firefox/PLIST			1.29
- www/firefox/distinfo			1.78
- www/firefox/patches/patch-af		1.6
- www/firefox/patches/patch-ap		1.9
- www/firefox/patches/patch-de		1.2
---
    Module Name:	pkgsrc
    Committed By:	ghen
    Date:		Wed Jul  2 09:03:35 UTC 2008

    Modified Files:
    	pkgsrc/www/firefox: Makefile-firefox.common PLIST distinfo
    	pkgsrc/www/firefox-bin: Makefile distinfo
    	pkgsrc/www/firefox/patches: patch-af patch-ap patch-de

    Log Message:
    Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.15.

    Part of patch-af has been fixed upstream.

    Security fixes in this version:

    MFSA 2008-33 Crash and remote code execution in block reflow
    MFSA 2008-32 Remote site run as local file via Windows URL shortcut
    MFSA 2008-31 Peer-trusted certs can use alt names to spoof
    MFSA 2008-30 File location URL in directory listings not escaped properly
    MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
    MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
    MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
    MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
    MFSA 2008-24 Chrome script loading from fastload file
    MFSA 2008-23 Signed JAR tampering
    MFSA 2008-22 XSS through JavaScript same-origin violation
    MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

    For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.15/releasenotes/

Revision 1.29 / (download) - annotate - [select for diffs], Wed Jul 2 09:03:35 2008 UTC (14 years, 5 months ago) by ghen
Branch: MAIN
CVS Tags: pkgsrc-2008Q2-base, cwrapper
Branch point for: pkgsrc-2008Q2
Changes since 1.28: +2 -1 lines
Diff to previous 1.28 (colored)

Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.15.

Part of patch-af has been fixed upstream.

Security fixes in this version:

MFSA 2008-33 Crash and remote code execution in block reflow
MFSA 2008-32 Remote site run as local file via Windows URL shortcut
MFSA 2008-31 Peer-trusted certs can use alt names to spoof
MFSA 2008-30 File location URL in directory listings not escaped properly
MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
MFSA 2008-24 Chrome script loading from fastload file
MFSA 2008-23 Signed JAR tampering
MFSA 2008-22 XSS through JavaScript same-origin violation
MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.15/releasenotes/

Revision 1.27.2.1 / (download) - annotate - [select for diffs], Thu Aug 2 22:42:51 2007 UTC (15 years, 4 months ago) by salo
Branch: pkgsrc-2007Q2
Changes since 1.27: +3 -1 lines
Diff to previous 1.27 (colored) next main 1.28 (colored)

Pullup ticket 2154 - requested by ghen
security update for firefox

Revisions pulled up:
- pkgsrc/www/firefox/Makefile-firefox.common		1.46, 1.47
- pkgsrc/www/firefox/PLIST				1.28
- pkgsrc/www/firefox/distinfo				1.67, 1.68
- pkgsrc/www/firefox/patches/patch-cn			1.5
- pkgsrc/www/firefox-gtk1/PLIST				1.15
- pkgsrc/www/firefox-bin/Makefile			1.30, 1.32
- pkgsrc/www/firefox-bin/distinfo			1.27, 1.29
- pkgsrc/www/firefox15-bin/DESCR			1.3
- pkgsrc/www/firefox15-gtk1/DESCR			1.3
- pkgsrc/www/firefox15/DESCR				1.3

   Module Name:		pkgsrc
   Committed By:	xtraeme
   Date:		Thu Jul 19 18:20:59 UTC 2007

   Modified Files:
   	pkgsrc/www/firefox-bin: Makefile distinfo

   Log Message:
   Update to 2.0.0.5:

   MFSA 2007-25 XPCNativeWrapper pollution
   MFSA 2007-24 Unauthorized access to wyciwyg:// documents
   MFSA 2007-23 Remote code execution by launching Firefox from
   		Internet Explorer
   MFSA 2007-22 File type confusion due to %00 in name
   MFSA 2007-21 Privilege escalation using an event handler attached to an
   		element not in the document
   MFSA 2007-20 Frame spoofing while window is loading
   MFSA 2007-19 XSS using addEventListener and setTimeout
   MFSA 2007-18 Crashes with evidence of memory corruption
---
   Module Name:		pkgsrc
   Committed By:	ghen
   Date:		Thu Jul 26 08:43:51 UTC 2007

   Modified Files:
   	pkgsrc/www/firefox: Makefile-firefox.common PLIST distinfo
   	pkgsrc/www/firefox-gtk1: PLIST
   	pkgsrc/www/firefox/patches: patch-cn

   Log Message:
   Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.5.

   Security fixes in this version:

   MFSA 2007-25 XPCNativeWrapper pollution
   MFSA 2007-24 Unauthorized access to wyciwyg:// documents
   MFSA 2007-23 Remote code execution by launching Firefox from Internet
                Explorer
   MFSA 2007-22 File type confusion due to %00 in name
   MFSA 2007-21 Privilege escalation using an event handler attached to an
                element not in the document
   MFSA 2007-20 Frame spoofing while window is loading
   MFSA 2007-19 XSS using addEventListener and setTimeout
   MFSA 2007-18 Crashes with evidence of memory corruption

   For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.5/releasenotes/
---
   Module Name:		pkgsrc
   Committed By:	ghen
   Date:		Tue Jul 31 10:06:48 UTC 2007

   Modified Files:
   	pkgsrc/www/firefox: Makefile-firefox.common distinfo
   	pkgsrc/www/firefox-bin: Makefile distinfo

   Log Message:
   Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.6.

   Security fixes in this version:

   MFSA 2007-27 Unescaped URIs passed to external programs
   MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows

   For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.6/releasenotes/
---
   Module Name:		pkgsrc
   Committed By:	ghen
   Date:		Thu Jul 26 08:47:36 UTC 2007

   Modified Files:
   	pkgsrc/www/firefox15: DESCR
   	pkgsrc/www/firefox15-bin: DESCR
   	pkgsrc/www/firefox15-gtk1: DESCR

   Log Message:
   Firefox 1.5.0.x has been EOL'd.

Revision 1.28 / (download) - annotate - [select for diffs], Thu Jul 26 08:43:50 2007 UTC (15 years, 4 months ago) by ghen
Branch: MAIN
CVS Tags: pkgsrc-2008Q1-base, pkgsrc-2007Q4-base, pkgsrc-2007Q4, pkgsrc-2007Q3-base, pkgsrc-2007Q3
Branch point for: pkgsrc-2008Q1
Changes since 1.27: +3 -1 lines
Diff to previous 1.27 (colored)

Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.5.

Security fixes in this version:

MFSA 2007-25 XPCNativeWrapper pollution
MFSA 2007-24 Unauthorized access to wyciwyg:// documents
MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
MFSA 2007-22 File type confusion due to %00 in name
MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
MFSA 2007-20 Frame spoofing while window is loading
MFSA 2007-19 XSS using addEventListener and setTimeout
MFSA 2007-18 Crashes with evidence of memory corruption

For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.5/releasenotes/

Revision 1.27 / (download) - annotate - [select for diffs], Thu May 31 07:25:08 2007 UTC (15 years, 6 months ago) by ghen
Branch: MAIN
CVS Tags: pkgsrc-2007Q2-base
Branch point for: pkgsrc-2007Q2
Changes since 1.26: +2 -1 lines
Diff to previous 1.26 (colored)

Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.4.

Security fixes in this version:

MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption

For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.4/releasenotes/

Revision 1.26 / (download) - annotate - [select for diffs], Sat May 12 13:53:07 2007 UTC (15 years, 6 months ago) by ghen
Branch: MAIN
Changes since 1.25: +149 -25 lines
Diff to previous 1.25 (colored)

Update to Firefox 2.0.0.3 (nb1), from www/firefox2* (see there for history
and change notes).  Firefox 1.5.0.x will be maintained in www/firefox15*,
as discussed on tech-pkg.

Revision 1.25 / (download) - annotate - [select for diffs], Wed Mar 7 21:32:54 2007 UTC (15 years, 8 months ago) by dmcmahill
Branch: MAIN
CVS Tags: pkgsrc-2007Q1-base, pkgsrc-2007Q1
Changes since 1.24: +3 -7 lines
Diff to previous 1.24 (colored)

Dynamically generate the part of the PLIST for libfreebl.  This is because
the exact names of the freebl libraries depends on the platform and they
have a habit of changing even on minor releases.  This causes these mozilla
packages to be broken quite a lot on platforms other than NetBSD/i386.
Hopefully this fix will last longer than previous ones.  pkgrevision bumps
all around.

Revision 1.22.6.1 / (download) - annotate - [select for diffs], Fri Mar 2 20:17:01 2007 UTC (15 years, 9 months ago) by salo
Branch: pkgsrc-2006Q4
Changes since 1.22: +3 -3 lines
Diff to previous 1.22 (colored) next main 1.23 (colored)

Pullup ticket 2036 - requested by ghen
security update for firefox

Revisions pulled up:
- pkgsrc/www/firefox/Makefile-firefox.common			1.41
- pkgsrc/www/firefox/PLIST					1.24
- pkgsrc/www/firefox/distinfo					1.62
- pkgsrc/www/firefox/patches/patch-ap				1.7
- pkgsrc/www/firefox/patches/patch-ax				1.5
- pkgsrc/www/firefox-gtk1/PLIST					1.11
- pkgsrc/www/firefox-bin/Makefile				1.26
- pkgsrc/www/firefox-bin/distinfo				1.23
- pkgsrc/www/firefox2/Makefile-firefox.common			1.5
- pkgsrc/www/firefox2/PLIST					1.4
- pkgsrc/www/firefox2/distinfo					1.8
- pkgsrc/www/firefox2-bin/Makefile				1.5
- pkgsrc/www/firefox2-bin/distinfo				1.3
- pkgsrc/www/firefox2-gtk1/PLIST				1.3

   Module Name:		pkgsrc
   Committed By:	ghen
   Date:		Sat Feb 24 17:26:43 UTC 2007

   Modified Files:
   	pkgsrc/www/firefox2: Makefile-firefox.common PLIST distinfo
   	pkgsrc/www/firefox2-bin: Makefile distinfo
   	pkgsrc/www/firefox2-gtk1: PLIST

   Log Message:
   Update firefox2, firefox2-bin and firefox2-gtk1 to 2.0.0.2.
   Fixed in this version:

   MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
   MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
   MFSA 2007-05 XSS and local file access by opening blocked popups
   MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
   MFSA 2007-03 Information disclosure through cache collisions
   MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
   MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

   For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.2/releasenotes/
---
   Module Name:		pkgsrc
   Committed By:	ghen
   Date:		Sun Feb 25 00:43:24 UTC 2007

   Modified Files:
   	pkgsrc/www/firefox: Makefile Makefile-firefox.common PLIST distinfo
   	pkgsrc/www/firefox-bin: Makefile distinfo
   	pkgsrc/www/firefox-gtk1: PLIST
   	pkgsrc/www/firefox/patches: patch-ap patch-ax
   Removed Files:
   	pkgsrc/www/firefox/patches: patch-ed

   Log Message:
   Update firefox, firefox-bin and firefox-gtk1 to 1.5.0.10.
   Fixed in this version:

   Fixed in Firefox 1.5.0.10
   MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
   MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
   MFSA 2007-05 XSS and local file access by opening blocked popups
   MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
   MFSA 2007-03 Information disclosure through cache collisions
   MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
   MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

   For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.10.html

Revision 1.24 / (download) - annotate - [select for diffs], Sun Feb 25 00:43:23 2007 UTC (15 years, 9 months ago) by ghen
Branch: MAIN
Changes since 1.23: +3 -3 lines
Diff to previous 1.23 (colored)

Update firefox, firefox-bin and firefox-gtk1 to 1.5.0.10. Fixed in this version:

Fixed in Firefox 1.5.0.10
MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
MFSA 2007-05 XSS and local file access by opening blocked popups
MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
MFSA 2007-03 Information disclosure through cache collisions
MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.10.html

Revision 1.23 / (download) - annotate - [select for diffs], Sun Feb 4 00:15:49 2007 UTC (15 years, 9 months ago) by dmcmahill
Branch: MAIN
Changes since 1.22: +6 -2 lines
Diff to previous 1.22 (colored)

Get these mozilla clients to work on Solaris-2.9/sparc.  There were
two issues.  The PLIST was incorrect and since the PLIST is used by
the "moz-install" script, anything missing from the PLIST is never
installed even when building from source.  When libfreebl* were not
installed it caused the clients to fail to load the security component
and fail with "The browser failed to load its security component".

The second issue is that many installations of solaris-2.9 include
various glib/gtk/gnome libraries in /usr/lib.  This causes failures
because the pkgsrc ones were used at link time and the /usr/lib ones
at run time.  Work around this by setting a LD_LIBRARY_PATH that includes
the pkgsrc lib directory first.

pkgrevision bumps all around.

Revision 1.22 / (download) - annotate - [select for diffs], Wed Jun 7 15:23:21 2006 UTC (16 years, 5 months ago) by ghen
Branch: MAIN
CVS Tags: pkgsrc-2006Q4-base, pkgsrc-2006Q3-base, pkgsrc-2006Q3, pkgsrc-2006Q2-base, pkgsrc-2006Q2
Branch point for: pkgsrc-2006Q4
Changes since 1.21: +2 -0 lines
Diff to previous 1.21 (colored)

Add some additional headers introduced with ff1504/tb1504/sm102.  Not worth
bumping PKGREVISION for.

Revision 1.19.2.2 / (download) - annotate - [select for diffs], Thu Feb 9 10:32:29 2006 UTC (16 years, 9 months ago) by salo
Branch: pkgsrc-2005Q4
Changes since 1.19.2.1: +2 -1 lines
Diff to previous 1.19.2.1 (colored) to branchpoint 1.19 (colored) next main 1.20 (colored)

Pullup ticket 1102 - requested by Geert Hendrickx
security update for firefox and thunderbird

Updated via patch from the submitter, includes these changes:

   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Fri Dec 30 21:35:58 UTC 2005

   Modified Files:
   	pkgsrc/mail/thunderbird/patches: patch-ab patch-ac patch-aq patch-ba
   	    patch-bo patch-bs
   Added Files:
   	pkgsrc/mail/thunderbird/patches: patch-ar patch-da patch-db patch-dc
   	    patch-de patch-df patch-dg patch-dh patch-dj patch-dk patch-dl
   	    patch-dm patch-do patch-ds patch-dt

   Log Message:
   Add DragonFly build support, partly based on the patches from
   www/firefox.
---
   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Wed Jan  4 08:55:08 UTC 2006

   Modified Files:
   	pkgsrc/mail/thunderbird: distinfo

   Log Message:
   Also commit distinfo. Reminded by wiz@.
---
   Module Name:	pkgsrc
   Committed By:	ghen
   Date:		Sun Feb  5 14:49:05 UTC 2006

   Modified Files:
   	pkgsrc/mail/thunderbird: Makefile Makefile-thunderbird.common PLIST
   	    distinfo
   	pkgsrc/mail/thunderbird-gtk1: Makefile PLIST
   	pkgsrc/mail/thunderbird/patches: patch-aa patch-ab patch-ac patch-af
   	    patch-ag patch-ai patch-aj patch-al patch-ap patch-aq patch-aw
   	    patch-ax patch-bb patch-bo patch-bq patch-br patch-db patch-de
   	    patch-df
   Removed Files:
   	pkgsrc/mail/thunderbird-gtk1: MESSAGE
   	pkgsrc/mail/thunderbird/patches: patch-bt patch-bw patch-cc patch-ce
   	    patch-cf

   Log Message:
   Update to Thunderbird 1.5.

   What's new:
       * Automated update to streamline product upgrades. Notification of an
         update is more prominent, and updates to Thunderbird may now be half
         a megabyte or smaller. Updating extensions has also improved.
       * Sort address autocomplete results by how often you send e-mail
         to each recipient.
       * Spell check as you type.
       * Saved Search Folders can now search across multiple accounts.
       * Built in phishing detector to help protect users against email scams.
       * Podcasting and other RSS Improvements.
       * Deleting attachments from messages.
       * Integration with server side spam filtering.
       * Reply and forward actions for message filters.
       * Kerberos Authentication.
       * Auto save as draft for mail composition.
       * Message aging.
       * Filters for Global Inbox.
       * Improvements to product usability including redesigned options
         interface, and SMTP server management.
       * Many security enhancements.
   For a more detailed list of changes, see
   http://weblogs.mozillazine.org/rumblingedge/archives/2006/01/1-5.html

   Ok with wiz.
---
   Module Name:		pkgsrc
   Committed By:	ghen
   Date:		Sun Feb  5 14:43:59 UTC 2006

   Modified Files:
   	pkgsrc/www/mozilla: Makefile.common

   Log Message:
   Set CATEGORIES ?=www (instead of =) such that thunderbird (and later
   sunbird) can override it.  Ok for wiz.
---
   Module Name:		pkgsrc
   Committed By:	ghen
   Date:		Sun Feb  5 14:46:31 UTC 2006

   Modified Files:
   	pkgsrc/www/firefox: Makefile Makefile-firefox.common PLIST distinfo
   	pkgsrc/www/firefox-gtk1: Makefile PLIST
   Added Files:
   	pkgsrc/www/firefox/patches: patch-dw patch-dx
   Removed Files:
   	pkgsrc/www/firefox/patches: patch-bugzilla-319004

   Log Message:
   Update to Firefox 1.5.0.1, a bug fix release for Firefox 1.5.

   What's new:
   * Improved stability.
   * Improved support for Mac OS X.
   * International Domain Name support for Iceland (.is) is now enabled.
   * Fixes for several memory leaks.
   * Several security enhancements.

   For a more detailed list of changes, see
   http://www.squarefree.com/burningedge/releases/1.5.0.1.html

   Ok with wiz.

Revision 1.21 / (download) - annotate - [select for diffs], Sun Feb 5 14:46:31 2006 UTC (16 years, 9 months ago) by ghen
Branch: MAIN
CVS Tags: pkgsrc-2006Q1-base, pkgsrc-2006Q1
Changes since 1.20: +2 -1 lines
Diff to previous 1.20 (colored)

Update to Firefox 1.5.0.1, a bug fix release for Firefox 1.5.

What's new:
* Improved stability.
* Improved support for Mac OS X.
* International Domain Name support for Iceland (.is) is now enabled.
* Fixes for several memory leaks.
* Several security enhancements.

For a more detailed list of changes, see http://www.squarefree.com/burningedge/releases/1.5.0.1.html

Ok with wiz.

Revision 1.19.2.1 / (download) - annotate - [select for diffs], Thu Dec 29 18:15:50 2005 UTC (16 years, 11 months ago) by seb
Branch: pkgsrc-2005Q4
Changes since 1.19: +9 -1 lines
Diff to previous 1.19 (colored)

Pullup ticket 976 - requested by Julio M. Merino Vidal
fix firefox installation hence unbreak epiphany, yelp and fix meta-pkg/gnome

Revisions pulled up:
- pkgsrc/www/firefox/Makefile                                 1.26
- pkgsrc/www/firefox/PLIST                                    1.20
- pkgsrc/www/epiphany/Makefile                                1.44
- pkgsrc/misc/yelp/Makefile                                   1.38

   Module Name:    pkgsrc
   Committed By:   jmmv
   Date:           Wed Dec 28 18:11:56 UTC 2005

   Modified Files:
          pkgsrc/www/firefox: Makefile PLIST

   Log Message:
   Install the .pc files again, removed during the update to 1.5 (thus breaking
   packages needing them, e.g., epiphany).  Bump PKGREVISION to 2.
---
   Module Name:    pkgsrc
   Committed By:   jmmv
   Date:           Wed Dec 28 18:12:33 UTC 2005

   Modified Files:
          pkgsrc/www/epiphany: Makefile

   Log Message:
   Unbreak this package by requiring a firefox package that provides the .pc
   files.
---
   Module Name:    pkgsrc
   Committed By:   jmmv
   Date:           Wed Dec 28 18:19:07 UTC 2005

   Modified Files:
          pkgsrc/misc/yelp: Makefile

   Log Message:
   Unbreak this package by requiring a firefox package that provides the .pc
   files.

Revision 1.20 / (download) - annotate - [select for diffs], Wed Dec 28 18:11:56 2005 UTC (16 years, 11 months ago) by jmmv
Branch: MAIN
Changes since 1.19: +9 -1 lines
Diff to previous 1.19 (colored)

Install the .pc files again, removed during the update to 1.5 (thus breaking
packages needing them, e.g., epiphany).  Bump PKGREVISION to 2.

Revision 1.19 / (download) - annotate - [select for diffs], Sat Dec 10 13:47:22 2005 UTC (16 years, 11 months ago) by taya
Branch: MAIN
CVS Tags: pkgsrc-2005Q4-base
Branch point for: pkgsrc-2005Q4
Changes since 1.18: +456 -250 lines
Diff to previous 1.18 (colored)


Update firefox & firefox-gtk1 to 1.5
Including fix for long title & history file problem.
http://www.mozilla.org/security/history-title.html
https://bugzilla.mozilla.org/show_bug.cgi?id=319004


What's New in Firefox 1.5

Firefox 1.5 is the next version of our award-winning Web browser.

Here's what's new in Firefox 1.5:

* Automated update to streamline product upgrades. Notification of an
update is more prominent, and updates to Firefox may now be half a
megabyte or smaller. Updating extensions has also improved.
* Faster browser navigation with improvements to back and forward
button performance.
* Drag and drop reordering for browser tabs.
* Improvements to popup blocking.
* Clear Private Data feature provides an easy way to quickly remove
personal data through a menu item or keyboard shortcut.
* Answers.com is added to the search engine list.
* Improvements to product usability including descriptive error pages,
redesigned options menu, RSS discovery, and "Safe Mode" experience.
* Better accessibility including support for DHTML accessibility and
assistive technologies such as the Window-Eyes 5.5 beta screen reader
for Microsoft Windows. Screen readers read aloud all available
information in applications and documents or show the information on a
Braille display, enabling blind and visually impaired users to use
equivalent software functionality as their sighted peers.
* Report a broken Web site wizard to report Web sites that are not
working in Firefox.
* Better support for Mac OS X (10.2 and greater) including profile
migration from Safari and Mac Internet Explorer.
* New support for Web Standards including SVG, CSS 2 and CSS 3, and
JavaScript 1.6.
* Many security enhancements.

The Burning Edge has more detailed lists of new features and notable bug fixes.
http://www.squarefree.com/burningedge/releases/1.5-comprehensive.html

Revision 1.18 / (download) - annotate - [select for diffs], Thu Sep 22 14:14:04 2005 UTC (17 years, 2 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2005Q3-base, pkgsrc-2005Q3
Changes since 1.17: +2 -1 lines
Diff to previous 1.17 (colored)

Update www/firefox and www/firefox-gtk1 to version 1.0.7.  Changes from
version 1.0.6 include:

     * Fix for a potential buffer overflow vulnerability when loading a
       hostname with all soft-hyphens
     * Fix to prevent URLs passed from external programs from being
       parsed by the shell (Linux only)
     * Fix to prevent a crash when loading a Proxy Auto-Config (PAC)
       script that uses an "eval" statement
     * Fix to restore InstallTrigger.getVersion() for Extension authors
     * Other stability and security fixes

Approved by taya.

Revision 1.17 / (download) - annotate - [select for diffs], Sat Sep 17 02:35:19 2005 UTC (17 years, 2 months ago) by jlam
Branch: MAIN
Changes since 1.16: +1 -4 lines
Diff to previous 1.16 (colored)

For the native firefox and mozilla packages, move the module/extension
registration out of the installation step and into the INSTALL script.
Also, remove the registration commands from the PLIST as well.  Putting
them into the INSTALL script allows for the same commands to be run
in the same way, so that there are fewer differences between installing
from source and installing from a binary package.  Also, this makes
these packages pass CHECK_FILES=yes.  Bump the PKGREVISION of firefox,
firefox-gtk1, mozilla, and mozilla-gtk2.

Also, include bsd.pkg.mk from the package Makefiles, not from within
Makefile.common.  This is a style issue and allows for appending to
variables originally defined in Makefile.common from the package
Makefile.

Revision 1.15.2.1 / (download) - annotate - [select for diffs], Thu Jul 21 02:49:04 2005 UTC (17 years, 4 months ago) by snj
Branch: pkgsrc-2005Q2
Changes since 1.15: +3 -2 lines
Diff to previous 1.15 (colored) next main 1.16 (colored)

Pullup ticket 613 - requested by Shin'ichiro TAYA
security update for firefox and firefox-gtk1

Revisions pulled up:
- pkgsrc/www/firefox/Makefile-firefox.common	1.19, 1.20
- pkgsrc/www/firefox/PLIST			1.16
- pkgsrc/www/firefox/distinfo			1.34, 1.35
- pkgsrc/www/firefox-gtk1/PLIST			1.5
- pkgsrc/www/firefox/buildlink3.mk		1.6
- pkgsrc/www/firefox-gtk1/buildlink3.mk		1.5

    Module Name:  pkgsrc
    Committed By: taya
    Date:         Thu Jul 14 16:38:42 UTC 2005

    Modified Files:
          pkgsrc/www/firefox: Makefile-firefox.common PLIST distinfo
          pkgsrc/www/firefox-gtk1: PLIST

    Log Message:
    Update firefox & firefox-gtk1 to 1.0.5.

    Firefox 1.0.5 is a security update.
    Fixed vulnerabilities are:

    2005-56  Code execution through shared function objects
    MFSA 2005-55 XHTML node spoofing
    MFSA 2005-54 Javascript prompt origin spoofing
    MFSA 2005-53 Standalone applications can run arbitrary code through the
                 browser
    MFSA 2005-52 Same origin violation: frame calling top.focus()
    MFSA 2005-51 The return of frame-injection spoofing
    MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
    MFSA 2005-49 Script injection from Firefox sidebar panel using data:
    MFSA 2005-48 Same-origin violation with InstallTrigger callback
    MFSA 2005-47 Code execution via "Set as Wallpaper"
    MFSA 2005-46 XBL scripts ran even when Javascript disabled
    MFSA 2005-45 Content-generated event vulnerabilities
----
    Module Name:  pkgsrc
    Committed By: taya
    Date:         Wed Jul 20 23:33:30 UTC 2005

    Modified Files:
         pkgsrc/www/firefox: Makefile-firefox.common buildlink3.mk distinfo
         pkgsrc/www/firefox-gtk1: buildlink3.mk

    Log Message:
    update firefox & firefox-gtk1 to 1.0.6

    Firefox 1.0.6 is a stability update. We recommend that users upgrade
    to this latest version.

    Here's what's new in Firefox 1.0.6:

         * Restore API compatibility for extensions and web applications
         that did not work in Firefox 1.0.5.

Revision 1.16 / (download) - annotate - [select for diffs], Thu Jul 14 16:38:41 2005 UTC (17 years, 4 months ago) by taya
Branch: MAIN
Changes since 1.15: +3 -2 lines
Diff to previous 1.15 (colored)


Update firefox & firefox-gtk1 to 1.0.5.

Firefox 1.0.5 is a security update.
Fixed vulnerabilities are:

2005-56  Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-54 Javascript prompt origin spoofing
MFSA 2005-53 Standalone applications can run arbitrary code through the browser
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-51 The return of frame-injection spoofing
MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
MFSA 2005-49 Script injection from Firefox sidebar panel using data:
MFSA 2005-48 Same-origin violation with InstallTrigger callback
MFSA 2005-47 Code execution via "Set as Wallpaper"
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-45 Content-generated event vulnerabilities

Revision 1.12.2.1 / (download) - annotate - [select for diffs], Mon May 16 15:07:13 2005 UTC (17 years, 6 months ago) by salo
Branch: pkgsrc-2005Q1
Changes since 1.12: +11 -42 lines
Diff to previous 1.12 (colored) next main 1.13 (colored)

Pullup ticket 504 - requested by Shin'ichiro TAYA
security update for firefox

Revisions pulled up:
- pkgsrc/www/firefox/Makefile			1.15
- pkgsrc/www/firefox/Makefile-firefox.common	1.14, 1.16-1.18
- pkgsrc/www/firefox/PLIST			1.13-1.15
- pkgsrc/www/firefox/buildlink3.mk		1.5
- pkgsrc/www/firefox/distinfo			1.29
- pkgsrc/www/firefox-gtk1/PLIST			1.3-1.4
- pkgsrc/www/firefox-gtk1/buildlink3.mk		1.4

   Module Name:		pkgsrc
   Committed By:	taya
   Date:		Wed Apr 13 13:34:26 UTC 2005

   Modified Files:
   	pkgsrc/www/firefox: Makefile-firefox.common PLIST
   	pkgsrc/www/firefox-gtk1: PLIST

   Log Message:
   change extensions list to be the same as Linux official build.
   bump PKGREVISION.
   fix PR pkg/29595
---
   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Fri Apr 15 12:42:27 UTC 2005

   Modified Files:
   	pkgsrc/www/firefox: PLIST

   Log Message:
   Add two @exec ${MKDIR} lines for empty directories which have @dirrm
   lines, to fix binary packages.
---
   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Fri Apr 15 12:44:30 UTC 2005

   Modified Files:
   	pkgsrc/www/firefox-gtk1: PLIST

   Log Message:
   Add an @exec ${MKDIR} line for an empty directory which has a @dirrm
   line, to fix binary packages.
---
   Module Name:		pkgsrc
   Committed By:	taya
   Date:		Sun Apr 24 14:00:12 UTC 2005

   Modified Files:
   	pkgsrc/www/firefox: Makefile-firefox.common

   Log Message:
   concatenate extensions with separator ',' and set to MOZILLA_EXTENSIONS,
   instead of using ':ts' modifier.
   because make of NetBSD-1.6.x doesn't have it.
   suggested by Jeremy C. Reed.
---
   Module Name:		pkgsrc
   Committed By:	reed
   Date:		Mon Apr 25 19:26:10 UTC 2005

   Modified Files:
   	pkgsrc/www/firefox: Makefile-firefox.common

   Log Message:
   Make sure build is without gssapi support. (Okayed by maintainer,
   taya ... well really he said "I don't object your idea.")

   This fixes a build bug when heimdal is detected but not buildlinked.
   It is a known mozilla bug:
    https://bugzilla.mozilla.org/show_bug.cgi?id=245467

   I didn't put this in the mozilla/Makefile.common, because didn't test
   that yet.

   This issue probably only happens when using /usr as the LOCALBASE,
   which is not really supported and maybe I am the only one to hit this
   with pkgsrc.

   Maybe later someone can consider adding a build option for GSSAPI,
   but I don't know anything about it in regards to a web browser myself.
---
   Module Name:		pkgsrc
   Committed By:	taya
   Date:		Sat May 14 15:27:10 UTC 2005

   Modified Files:
   	pkgsrc/www/firefox: Makefile Makefile-firefox.common PLIST
   	    buildlink3.mk distinfo
   	pkgsrc/www/firefox-gtk1: buildlink3.mk

   Log Message:
   Update firefox & firefox-gtk1 to 1.0.4.

   This is a security fix release.
   Fixed vulnerabilities are as follows:

   MFSA 2005-44  Privilege escalation via non-DOM property overrides
   MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
   MFSA 2005-42 Code execution via javascript: IconURL

Revision 1.15 / (download) - annotate - [select for diffs], Sat May 14 15:27:10 2005 UTC (17 years, 6 months ago) by taya
Branch: MAIN
CVS Tags: pkgsrc-2005Q2-base
Branch point for: pkgsrc-2005Q2
Changes since 1.14: +9 -1 lines
Diff to previous 1.14 (colored)


Update firefox & firefox-gtk1 to 1.0.4.

This is a security fix release.
Fixed vulnerabilities are as follows:

MFSA 2005-44  Privilege escalation via non-DOM property overrides
MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
MFSA 2005-42 Code execution via javascript: IconURL

Revision 1.14 / (download) - annotate - [select for diffs], Fri Apr 15 12:42:27 2005 UTC (17 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.13: +3 -1 lines
Diff to previous 1.13 (colored)

Add two @exec ${MKDIR} lines for empty directories which have @dirrm lines,
to fix binary packages.

Revision 1.13 / (download) - annotate - [select for diffs], Wed Apr 13 13:34:26 2005 UTC (17 years, 7 months ago) by taya
Branch: MAIN
Changes since 1.12: +0 -41 lines
Diff to previous 1.12 (colored)


change extensions list to be the same as Linux official build.
bump PKGREVISION.
fix PR pkg/29595

Revision 1.11.2.1 / (download) - annotate - [select for diffs], Wed Mar 9 19:16:39 2005 UTC (17 years, 8 months ago) by salo
Branch: pkgsrc-2004Q4
Changes since 1.11: +11 -1 lines
Diff to previous 1.11 (colored) next main 1.12 (colored)

Pullup ticket 339 - requested by Shin'ichiro TAYA
security fix for firefox

Patch supplied by submitter, equals to:

   Module Name:		pkgsrc
   Committed By:	taya
   Date:		Sun Feb 27 13:20:43 UTC 2005

   Log Message:
   Update firefox to 1.0.1.

   Changes from release notes:

   * Improved stability
   * International Domain Names are now displayed as punycode.
     (To show International Domain Names in Unicode, set the
     "network.IDN_show_punycode" preference to false.)
   * Several security fixes.
   MFSA 2005-29  Internationalized Domain Name (IDN) homograph spoofing
   MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files
   MFSA 2005-27 Plugins can be used to load privileged content
   MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab
   MFSA 2005-25 Image drag and drop executable spoofing
   MFSA 2005-24 HTTP auth prompt tab spoofing
   MFSA 2005-23 Download dialog source spoofing
   MFSA 2005-22 Download dialog spoofing using Content-Disposition header
   MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice
   MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
   MFSA 2005-19 Autocomplete data leak
   MFSA 2005-18 Memory overwrite in string library
   MFSA 2005-17 Install source spoofing with user:pass@host
   MFSA 2005-16 Spoofing download and security dialogs with overlapping windows
   MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
   MFSA 2005-14 SSL "secure site" indicator spoofing
   MFSA 2005-13 Window Injection Spoofing

Revision 1.12 / (download) - annotate - [select for diffs], Sun Feb 27 13:20:43 2005 UTC (17 years, 9 months ago) by taya
Branch: MAIN
CVS Tags: pkgsrc-2005Q1-base
Branch point for: pkgsrc-2005Q1
Changes since 1.11: +37 -7 lines
Diff to previous 1.11 (colored)


Update firefox to 1.0.1.
And switched to use gtk2.

Changes from release notes:

*  Improved stability
* International Domain Names are now displayed as punycode.
(To show International Domain Names in Unicode, set the
"network.IDN_show_punycode" preference to false.)
* Several security fixes.
MFSA 2005-29  Internationalized Domain Name (IDN) homograph spoofing
MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files
MFSA 2005-27 Plugins can be used to load privileged content
MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab
MFSA 2005-25 Image drag and drop executable spoofing
MFSA 2005-24 HTTP auth prompt tab spoofing
MFSA 2005-23 Download dialog source spoofing
MFSA 2005-22 Download dialog spoofing using Content-Disposition header
MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice
MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
MFSA 2005-19 Autocomplete data leak
MFSA 2005-18 Memory overwrite in string library
MFSA 2005-17 Install source spoofing with user:pass@host
MFSA 2005-16 Spoofing download and security dialogs with overlapping windows
MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
MFSA 2005-14 SSL "secure site" indicator spoofing
MFSA 2005-13 Window Injection Spoofing

Revision 1.11 / (download) - annotate - [select for diffs], Fri Dec 3 16:45:54 2004 UTC (17 years, 11 months ago) by taya
Branch: MAIN
CVS Tags: pkgsrc-2004Q4-base
Branch point for: pkgsrc-2004Q4
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)


generate extension directory & related stuff at install time.
fix PR pkg/28396
bump PKGREVISION

Revision 1.7.2.1 / (download) - annotate - [select for diffs], Tue Nov 30 23:29:15 2004 UTC (18 years ago) by salo
Branch: pkgsrc-2004Q3
Changes since 1.7: +11 -8 lines
Diff to previous 1.7 (colored) next main 1.8 (colored)

Pullup ticket 139 - requested by Thomas Klausner
security fixes for mozilla and firefox

        Module Name:    pkgsrc
        Committed By:   grant
        Date:           Mon Oct  4 11:52:09 UTC 2004

        Modified Files:
                pkgsrc/www/mozilla: distinfo

        Log Message:
        bring across a patch in Firefox for using thread-safe resolver
        library functions on NetBSD >=2.0F.
---
        Module Name:    pkgsrc
        Committed By:   grant
        Date:           Mon Oct  4 11:52:45 UTC 2004

        Modified Files:
                pkgsrc/www/mozilla/patches: patch-br

        Log Message:
        bring across a patch in Firefox for using thread-safe resolver
        library functions on NetBSD >=2.0F.
---
        Module Name:    pkgsrc
        Committed By:   sekiya
        Date:           Mon Oct 25 13:02:15 UTC 2004

        Modified Files:
                pkgsrc/www/mozilla: Makefile.common distinfo
                pkgsrc/www/mozilla/patches: patch-bt

        Log Message:
        Force gcc34 and use the right varargs macro for amd64.  Mozilla
        (and its derivatives) now appears to work properly on amd64.

        Patches from Nicholas Joly.
---
        Module Name:    pkgsrc
        Committed By:   jmmv
        Date:           Mon Oct 25 18:06:26 UTC 2004

        Modified Files:
                pkgsrc/www/mozilla: Makefile Makefile.common PLIST
                pkgsrc/www/mozilla-gtk2: Makefile PLIST
                pkgsrc/www/mozilla/files: moz-install

        Log Message:
        Modify mozilla and mozilla-gtk2 to install several additional headers.
        More specifically, this lets Mozilla NSS be used by other programs.

        Also make the pkgconfig substitutions happen at post-build time, so
        that the right rpaths are added to the mozilla-nspr.pc file (which is
        filled in during the build).

        Bump PKGREVISION to 1 for both packages.  Ok'ed by taya@, the
        maintainer.
---
        Module Name:    pkgsrc
        Committed By:   wiz
        Date:           Fri Nov 12 02:11:22 UTC 2004

        Modified Files:
                pkgsrc/www/mozilla: Makefile distinfo
                pkgsrc/www/mozilla-gtk2: Makefile
        Added Files:
                pkgsrc/www/mozilla/patches: patch-bj

        Log Message:
        Update mozilla and mozilla-gtk2 to 1.7.3nb2 with a security fix
        from mozilla CVS.
---
        Module Name:    pkgsrc
        Committed By:   kristerw
        Date:           Mon Nov  1 18:07:24 UTC 2004

        Modified Files:
                pkgsrc/www/firefox: distinfo
                pkgsrc/www/firefox/patches: patch-bt

        Log Message:
        Use __va_copy instead of va_copy for NetBSD.  This is needed on gcc
        3.4 since the build use -ansi that in turn makes gcc 3.4 modify its
        predefined symbols in such a way that va_copy is not defined.
---
        Module Name:    pkgsrc
        Committed By:   xtraeme
        Date:           Tue Nov  9 20:10:14 UTC 2004

        Modified Files:
                pkgsrc/www/firefox: Makefile-firefox.common PLIST distinfo
                pkgsrc/www/firefox-gtk2: PLIST

        Log Message:
        Update firefox and firefox-gtk2 to 1.0.

        This is a bugfix release, to fix the problems reported in Preview
        Releases, etc.
---
        Module Name:    pkgsrc
        Committed By:   taya
        Date:           Wed Nov 10 14:38:45 UTC 2004

        Modified Files:
                pkgsrc/www/firefox: Makefile-firefox.common PLIST

        Log Message:
        - correct path of mirror site
        - add some missing files to PLIST
---
        Module Name:    pkgsrc
        Committed By:   taya
        Date:           Wed Nov 10 14:40:24 UTC 2004

        Modified Files:
                pkgsrc/www/firefox-gtk2: PLIST

        Log Message:
        add some missing files to PLIST
---
        Module Name:    pkgsrc
        Committed By:   taya
        Date:           Sat Nov 13 07:03:08 UTC 2004

        Modified Files:
                pkgsrc/www/firefox: Makefile-firefox.common PLIST

        Log Message:
        remove typeahead extension that conflicts with built-in typeahead
        component.
        fix pkg/28164.
        bump PKGREVISION
---
        Module Name:    pkgsrc
        Committed By:   taya
        Date:           Sat Nov 13 08:57:54 UTC 2004

        Modified Files:
                pkgsrc/www/firefox-gtk2: PLIST

        Log Message:
        remove typeahead extension

Revision 1.10 / (download) - annotate - [select for diffs], Sat Nov 13 07:03:08 2004 UTC (18 years ago) by taya
Branch: MAIN
Changes since 1.9: +1 -5 lines
Diff to previous 1.9 (colored)


remove typeahead extension that conflicts with built-in typeahead component.
fix pkg/28164.
bump PKGREVISION

Revision 1.9 / (download) - annotate - [select for diffs], Wed Nov 10 14:38:45 2004 UTC (18 years ago) by taya
Branch: MAIN
Changes since 1.8: +11 -1 lines
Diff to previous 1.8 (colored)


- correct path of mirror site
- add some missing files to PLIST

Revision 1.8 / (download) - annotate - [select for diffs], Tue Nov 9 20:10:14 2004 UTC (18 years ago) by xtraeme
Branch: MAIN
Changes since 1.7: +1 -4 lines
Diff to previous 1.7 (colored)

Update firefox and firefox-gtk2 to 1.0.

This is a bugfix release, to fix the problems reported in Preview
Releases, etc.

Revision 1.7 / (download) - annotate - [select for diffs], Mon Sep 20 08:03:42 2004 UTC (18 years, 2 months ago) by taya
Branch: MAIN
CVS Tags: pkgsrc-2004Q3-base
Branch point for: pkgsrc-2004Q3
Changes since 1.6: +37 -34 lines
Diff to previous 1.6 (colored)


Update firefox & firefox-gtk2 to 0.10 (a.k.a. 1.0PR)

from Release Notes:

---
Firefox is a fast, full-featured browser that makes browsing more
efficient than ever before. More information about Firefox is
available.

Firefox Preview Release (henceforth referred to as PR) is a Technology
Preview. While this software works well enough to be relied upon as
your primary browser in most cases, we make no guarantees of its
performance or stability. It is a pre-release product and should not
be relied upon for mission-critical tasks. See the License Agreement
for more information.

These release notes cover what's new, download and installation
instructions, known issues and frequently asked questions for the
Firefox PR release. Please read these notes and the bug filing
instructions before reporting any bugs to Bugzilla.

We want to hear your feedback about Firefox. Please join us in the
Firefox forums, hosted by MozillaZine.


What's New

Here's what's new in this release of Firefox:

* Live Bookmarks
      You can now subscribe to and read RSS feeds in your
Bookmarks. When you visit a page that advertises a RSS feed by using a
<link> tag, a RSS icon will appear in the status bar. Click it to view
a list of feeds the page is offering. Click one to subscribe - this
adds a Bookmark Folder that contains all the recent posts from the
feed.

* Improved Find
      Find is easier and more powerful now with our new Find
toolbar. The Find toolbar (which shows at the bottom of the browser
window) automatically highlights text in the page as you type and has
a useful highlight feature.

* Managing Annoyances and Protecting Security
      You can now open blocked popups, and the Extension install
system now blocks all attempts to install software from sites other
than update.mozilla.org. Users can add other sites to a list that
allows them to offer software, but software is never automatically
installed. In addition to these steps, several other measures have
been taken to prevent phishing attacks and to highlight when a page is
being viewed over a secure connection.

* Better Bookmarks
      Numerous improvements to bookmarks including more reliable
presentation of Site icons, and a split pane view in the Bookmarks
window.

* Strong Encryption For Passwords Available
      Passwords saved with the Password Manager can now be more easily
encrypted with strong encryption by creating a "Master Password". If
you create a Master Password, you are prompted once per session to
enter the Master Password so that Password Manager can automatically
fill in site logins. A useful feature for people who share computers
with others and want improved security.

* Improved Compatibility for IE users
      Undetectable document.all support for site compatibility and
improved compatibility for keyboard accelerators further smooth the
transition for IE users

* Better System Integration for GNOME users
      You can now configure Firefox as your Default Browser on GNOME,
and Firefox will adhere to your GNOME settings for edit field key
bindings, etc.

* And a horde of other bug fixes...

See The Burning Edge's Bigger Picture for more details.

-----

Several security holes have been fixed. See the page below for
details.

http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3

Revision 1.6 / (download) - annotate - [select for diffs], Wed Jun 23 16:47:12 2004 UTC (18 years, 5 months ago) by taya
Branch: MAIN
Changes since 1.5: +85 -77 lines
Diff to previous 1.5 (colored)


Update firefox to 0.9

Here's what's new in this release of Firefox:

* New Default Theme
An updated Default Theme now presents a uniform appearance across all
three platforms - a new crisp, clear look for Windows
users. Finetuning for GNOME will follow in future releases.

* Comprehensive Data Migration
Switching to Firefox has never been easier now that Firefox imports
data like Favorites, History, Settings, Cookies and Passwords from
Internet Explorer. Firefox can also import from Mozilla 1.x, Netscape
4.x, 6.x and 7.x, and Opera. MacOS X and Linux migrators for browsers
like Safari, OmniWeb, Konqueror etc. will arrive in future releases.

* Extension/Theme Manager
New Extension and Theme Managers provide a convenient way to manage
and update your add-ons. SmartUpdate also notifies you of updates to
Firefox.

* Help
A new online help system is available.

* Lots of bug fixes and improvements
Copy Image, the ability to delete individual items from Autocomplete
lists, SMB/SFTP support on GNOME via gnome-vfs, better Bookmarks,
Search and many other refinements fine tune the browsing experience.

For Linux/GTK2 Users
* Look and Feel Updates
Ongoing improvements have been made to improve the way Firefox adheres
to your GTK2 themes, such as menus.

* Talkback for GTK2
Help us nail down crashes by submitting talkback reports with this
crash reporting tool.

Revision 1.5 / (download) - annotate - [select for diffs], Sat Jun 19 17:37:37 2004 UTC (18 years, 5 months ago) by xtraeme
Branch: MAIN
CVS Tags: pkgsrc-2004Q2-base, pkgsrc-2004Q2
Changes since 1.4: +1 -9 lines
Diff to previous 1.4 (colored)

Undo my previous commit to install pkgconfig (.pc) files, we should
use CONFLICTS, because they are installing the same files...

Revision 1.4 / (download) - annotate - [select for diffs], Fri Jun 18 22:40:04 2004 UTC (18 years, 5 months ago) by xtraeme
Branch: MAIN
Changes since 1.3: +9 -1 lines
Diff to previous 1.3 (colored)

Install the .pc (pkgconfig) files, which were disabled in PLIST, they
are required to build some packages.

Bump PKGREVISION.

Revision 1.3 / (download) - annotate - [select for diffs], Wed Mar 10 12:57:01 2004 UTC (18 years, 8 months ago) by taya
Branch: MAIN
CVS Tags: pkgsrc-2004Q1-base, pkgsrc-2004Q1
Changes since 1.2: +1 -3 lines
Diff to previous 1.2 (colored)


correct PLIST
remove non-existent file & not needed file
bump PKGREVISION

Revision 1.2 / (download) - annotate - [select for diffs], Wed Mar 3 17:54:38 2004 UTC (18 years, 9 months ago) by bouyer
Branch: MAIN
Changes since 1.1: +2 -1 lines
Diff to previous 1.1 (colored)

The security component needs libfreebl_hybrid_3.so on SunOS/sparc, so
add it to PLIST so that moz-install will copy it (the mozilla packages
are correct). It seems that firefox doesn't need libfreebl_pure32_3.so to
use SSL, so I didn't add it to the PLIST.

Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Sun Feb 29 17:44:58 2004 UTC (18 years, 9 months ago) by xtraeme
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

Initial import of firefox-0.8, provided by Kouichirou Hiratsuka 
in PR pkg/24603.

Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems. It is
small, fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up
windows.

Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.

Revision 1.1 / (download) - annotate - [select for diffs], Sun Feb 29 17:44:58 2004 UTC (18 years, 9 months ago) by xtraeme
Branch: MAIN

Initial revision
