The NetBSD Project

CVS log for pkgsrc/www/firefox/options.mk

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / www / firefox

Request diff between arbitrary revisions


Default branch: MAIN


Revision 1.51 / (download) - annotate - [select for diffs], Tue Dec 3 14:21:20 2019 UTC (12 days ago) by ryoon
Branch: MAIN
CVS Tags: HEAD
Changes since 1.50: +5 -10 lines
Diff to previous 1.50 (colored)

Update to 71.0

* Remove oss option. Its patch is not usable for 71.0.

Changelog:
New
    Improvements to Lockwise, our integrated password manager:
        Firefox now recognizes subdomains and will autofill domain logins from Lockwise
        Integrated breach alerts from Firefox Monitor are now available to users with screen readers

    More information about Enhanced Tracking Protection in action:
        Notifications when Firefox blocks cryptominers
        A running tally of blocked trackers in the protection panel accessed by clicking the address bar shield

    Picture-in-picture video comes to Firefox for Windows: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs. Learn how the feature works.

    Native MP3 decoding on Windows, Linux, and macOS

Security fixes:
Not available yet.

Revision 1.50 / (download) - annotate - [select for diffs], Mon Nov 4 22:09:54 2019 UTC (5 weeks, 5 days ago) by rillig
Branch: MAIN
Changes since 1.49: +4 -4 lines
Diff to previous 1.49 (colored)

www: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

Manually excluded phraseanet since pkglint got the indentation wrong.

Revision 1.49 / (download) - annotate - [select for diffs], Wed Sep 11 16:30:05 2019 UTC (3 months ago) by gutteridge
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.48: +2 -2 lines
Diff to previous 1.48 (colored)

firefox: remove no longer defined/required make variable

Revision 1.48 / (download) - annotate - [select for diffs], Wed Sep 11 14:19:08 2019 UTC (3 months ago) by ryoon
Branch: MAIN
Changes since 1.47: +1 -11 lines
Diff to previous 1.47 (colored)

Remove GCC related things

Reported by David H. Gutteridge, thank you.

Revision 1.47 / (download) - annotate - [select for diffs], Fri Sep 6 03:00:23 2019 UTC (3 months, 1 week ago) by ryoon
Branch: MAIN
Changes since 1.46: +2 -2 lines
Diff to previous 1.46 (colored)

Update to 69.0

* Use clang to compile all files. Mix of gcc and clang causes some errors in
  Rust c++ command invocation (C++ header mismatches).

Changelog:
New

    Enhanced Tracking Protection (ETP) rolls out stronger privacy protections:
        The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
        The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.

    The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.

    For our users in the US or using the en-US browser, we are shipping a new „ŗ◊Įew Tab„ŗpage experience that connects you to the best of Pocket„ŗ—‘ content.

    Support for the Web Authentication HmacSecret extension via Windows Hello now comes with this release, for versions of Windows 10 May 2019 or newer, enabling more passwordless experiences on the web.

    Support for receiving multiple video codecs with this release makes it easier for WebRTC conferencing services to mix video from different clients.

    For our users on Windows 10, you„ŗ—Õl see performance and UI improvements:
        Firefox will give Windows hints to appropriately set content process priority levels, meaning more processor time spent on the tasks you're actively working on, and less processor time spent on things in the background (with the exception of video and audio playback).
        For our existing Windows 10 users, you can easily find and launch Firefox from a shortcut on the Win10 taskbar.

    For our users on macOS, battery life and download UI are both improved:
        macOS users on dual-graphics-card machines (like MacBook Pro) will switch back to the low-power GPU more aggressively, saving battery life.
        Finder on macOS now displays download progress for files being downloaded.

    JIT support comes to ARM64 for improved performance of our JavaScript Optimizing JIT compiler.

Fixed

    Various security fixes

Changed

    As previously announced in the Plugin Roadmap for Firefox, the "Always Activate" option for Flash plugin content has been removed. Firefox will now always ask for user permission before activating Flash content on a website.

    With the deprecation of Adobe Flash Player, there is no longer a need to identify users on 32-bit version of the Firefox browser on 64-bit version operating systems reducing user agent fingerprinting factors providing greater level of privacy to our users as well as improving the experience of downloading other apps.

    Firefox no longer loads userChrome.css or userContent.css by default improving start-up performance. Users who wish to customize Firefox by using these files can set the toolkit.legacyUserProfileCustomizations.stylesheets preference to true to restore this ability.

Enterprise

    For Enterprise system administrators that manage macOS computers, we begin shipping a Mozilla signed PKG installer to simplify your deployments.

Developer

    For our mobile web developers, we have migrated remote debugging from the old WebIDE into a re-designed about:debugging, making debugging GeckoView on remote devices via USB rock solid.

    The network panel will now show blocked resources to allow developers to best understand the impact of content blocking and ad blocking extensions given our ongoing expansion of Enhanced Tracking Protection to all users with this release.

    The new event listener breakpoint feature allows developers to pause on a host of different event types, whether it be related to animations, DOM, media, mouse, touch, worker, and many other event types.

    Firefox Developer Tools now offers an audit for the presence of text alternatives for non-text content, the a11y panel checks toolbar has been augmented to better help developers adhere to WCAG Guideline 1.1.


Security fixes:
#CVE-2019-11751: Malicious code execution through command line parameters
#CVE-2019-11746: Use-after-free while manipulating video
#CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML
#CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
#CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service
#CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
#CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
#CVE-2019-9812: Sandbox escape through Firefox Sync
#CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com
#CVE-2019-11743: Cross-origin access to unload event attributes
#CVE-2019-11749: Camera information available without prompting using getUserMedia
#CVE-2019-5849: Out-of-bounds read in Skia
#CVE-2019-11750: Type confusion in Spidermonkey
#CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard
#CVE-2019-11738: Content security policy bypass through hash-based sources in directives
#CVE-2019-11747: 'Forget about this site' removes sites from pre-loaded HSTS list
#CVE-2019-11734: Memory safety bugs fixed in Firefox 69
#CVE-2019-11735: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
#CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9

Revision 1.46 / (download) - annotate - [select for diffs], Sun Jun 9 03:44:50 2019 UTC (6 months ago) by gutteridge
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.45: +4 -3 lines
Diff to previous 1.45 (colored)

firefox: correct some non-default debug settings

Revision 1.45 / (download) - annotate - [select for diffs], Fri Mar 15 12:52:42 2019 UTC (9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.44: +1 -7 lines
Diff to previous 1.44 (colored)

Fix build with webrtc option, bump PKGREVISION

* webrtc option requires the internal libvpx.
* And remove widevinecdm option. It is not useful.

Revision 1.44 / (download) - annotate - [select for diffs], Sun Dec 10 00:45:09 2017 UTC (2 years ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2, pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4
Changes since 1.43: +7 -5 lines
Diff to previous 1.43 (colored)

Update to 57.0.2

* Move gtk3 part to mozilla-common.mk
* Add a option for Widevine CDM support

Changelog:
For Windows only.

Revision 1.43 / (download) - annotate - [select for diffs], Tue Oct 17 03:39:04 2017 UTC (2 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.42: +2 -2 lines
Diff to previous 1.42 (colored)

Fix webrtc build on recent NetBSD current
From rjs@. Thank you.

WebRTC connection works.
However video capture does not work.

Revision 1.42 / (download) - annotate - [select for diffs], Thu Aug 10 14:46:15 2017 UTC (2 years, 4 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-
Changes since 1.41: +1 -18 lines
Diff to previous 1.41 (colored)

Update to 55.0

Changelog:
New
    Launched Windows support for WebVR, bringing immersive experiences to the web. See examples and try working demos at Mozilla VR.

    Added options that let users optimize recent performance improvements
        Setting to enable Hardware VP9 acceleration on Windows 10 Anniversary Edition for better battery life and lower CPU usage while watching videos
        Setting to modify the number of concurrent content processes for faster page loading and more responsive tab switching

    Simplified installation process with a streamlined Windows stub installer
        Firefox for Windows 64-bit is now installed by default on 64-bit systems with at least 2GB of RAM
        Full installers with advanced installation options are still available

    Improved address bar functionality
        Search with any installed one-click search engine directly from the address bar
        Search suggestions appear by default
        When entering a hostname (like pinterest.com) in the URL bar, Firefox resolves to the secure version of the site (https://www.pinterest.com) instead of the insecure version (http://www.pinterest.com) when possible

    Updated Sidebar for bookmarks, history, and synced tabs so it can appear at the right edge of the window as well as the left

    Added support for stereo microphones with WebRTC

    Pages can be simplified before printing from within Print Preview

    Updated Firefox for OSX and macOS to allow users to assign custom keyboard shortcuts to Firefox menu items via System Preferences

    Browsing sessions with a high number of tabs are now restored in an instant

    Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users.

    Added Belarusian (be) locale

Fixed
    Various security fixes

Changed
    Made the Adobe Flash plugin click-to-activate by default and allowed only on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap)

    Firefox does not support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience issues with Firefox.

    Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.

Security fixes:
CVE-2017-7798: XUL injection in the style editor in devtools

Reporter
    Frederik Braun
Impact
    critical

Description

The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool.
References

    Bug 1371586, 1372112

#CVE-2017-7800: Use-after-free in WebSockets during disconnection

Reporter
    Looben Yang
Impact
    critical

Description

A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash.
References

    Bug 1374047

#CVE-2017-7801: Use-after-free with marquee during window resizing

Reporter
    Nils
Impact
    critical

Description

A use-after-free vulnerability can occur while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash.
References

    Bug 1371259

#CVE-2017-7809: Use-after-free while deleting attached editor DOM node

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash.
References

    Bug 1380284

#CVE-2017-7784: Use-after-free with image observers

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash.
References

    Bug 1376087

#CVE-2017-7802: Use-after-free resizing image elements

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed.
References

    Bug 1378147

#CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM

Reporter
    Nils
Impact
    high

Description

A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash.
References

    Bug 1356985

#CVE-2017-7786: Buffer overflow while painting non-displayable SVG

Reporter
    Nils
Impact
    high

Description

A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash.
References

    Bug 1365189

#CVE-2017-7806: Use-after-free in layer manager with SVG

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when the layer manager is freed too early when rendering specific SVG content, resulting in a potentially exploitable crash.
References

    Bug 1378113

#CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements

Reporter
    SkyLined
Impact
    high

Description

An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data.
References

    Bug 1353312

#CVE-2017-7787: Same-origin policy bypass with iframes through page reloads

Reporter
    Oliver Wagner
Impact
    high

Description

Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure.
References

    Bug 1322896

#CVE-2017-7807: Domain hijacking through AppCache fallback

Reporter
    Mathias Karlsson
Impact
    high

Description

A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory.
References

    Bug 1376459

#CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID

Reporter
    Fraser Tweedale
Impact
    high

Description

A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash.
References

    Bug 1368652

#CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher

Reporter
    Stephen Fewer
Impact
    high

Description

The destructor function for the WindowsDllDetourPatcher class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1372849

#CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts

Reporter
    Jose Mar√≠a Acu√Īa
Impact
    moderate

Description

On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content.
References

    Bug 1365875

#CVE-2017-7808: CSP information leak with frame-ancestors containing paths

Reporter
    Jun Kokatsu
Impact
    moderate

Description

A content security policy (CSP) frame-ancestors directive containing origins with paths allows for comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information.
References

    Bug 1367531

#CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections

Reporter
    Arthur Edelstein
Impact
    moderate

Description

An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1344034

#CVE-2017-7781: Elliptic curve point addition error when using mixed Jacobian-affine coordinates

Reporter
    Antonio Sanso
Impact
    moderate

Description

An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret.
References

    Bug 1352039

#CVE-2017-7794: Linux file truncation via sandbox broker

Reporter
    Jann Horn
Impact
    moderate

Description

On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions.
Note: This attack only affects the Linux operating system. Other operating systems are not affected.
References

    Bug 1374281

#CVE-2017-7803: CSP containing 'sandbox' improperly applied

Reporter
    Rhys Enniks
Impact
    moderate

Description

When a page—‘ content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP.
References

    Bug 1377426

#CVE-2017-7799: Self-XSS XUL injection in about:webrtc

Reporter
    Frederik Braun
Impact
    moderate

Description

JavaScript in the about:webrtc page is not sanitized properly being being assigned to innerHTML. Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack.
References

    Bug 1372509

#CVE-2017-7783: DOS attack through long username in URL

Reporter
    Amit Sangra
Impact
    low

Description

If a long user name is used in a username/password combination in a site URL (such as http://UserName:Password@example.com), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service.
References

    Bug 1360842

#CVE-2017-7788: Sandboxed about:srcdoc iframes do not inherit CSP directives

Reporter
    Muneaki Nishimura
Impact
    low

Description

When an iframe has a sandbox attribute and its content is specified using srcdoc, that content does not inherit the containing page's Content Security Policy (CSP) as it should unless the sandbox attribute included allow-same-origin.
References

    Bug 1073952

#CVE-2017-7789: Failure to enable HSTS when two STS headers are sent for a connection

Reporter
    Muneaki Nishimura
Impact
    low

Description

If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection.
References

    Bug 1074642

#CVE-2017-7790: Windows crash reporter reads extra memory for some non-null-terminated registry values

Reporter
    Xiaoyin Liu
Impact
    low

Description

On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1350460

#CVE-2017-7796: Windows updater can delete any file named update.log

Reporter
    Matt Howell
Impact
    low

Description

On Windows systems, the logger run by the Windows updater deletes the file "update.log" before it runs in order to write a new log of that name. The path to this file is supplied at the command line to the updater and could be used in concert with another local exploit to delete a different file named "update.log" instead of the one intended.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1234401

#CVE-2017-7797: Response header name interning leaks across origins

Reporter
    Anne van Kesteren
Impact
    low

Description

Response header name interning does not have same-origin protections and these headers are stored in a global registry. This allows stored header names to be available cross-origin.
References

    Bug 1334776

#CVE-2017-7780: Memory safety bugs fixed in Firefox 55

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Gary Kwong, Christian Holler, André Bargull, Bob Clary, Carsten Book, Emilio Cobos lvarez, Masayuki Nakano, Sebastian Hengst, Franziskus Kiefer, Tyson Smith, and Ronald Crane reported memory safety bugs present in Firefox 54. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 55

#CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Masayuki Nakano, Gary Kwong, Ronald Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler, Bryce Van Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan Bourvon, and Andi-Bogdan Postelnicu reported memory safety bugs present in Firefox 54 and Firefox ESR 52.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

Revision 1.41 / (download) - annotate - [select for diffs], Mon May 15 15:49:27 2017 UTC (2 years, 7 months ago) by maya
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.40: +3 -9 lines
Diff to previous 1.40 (colored)

firefox: default to oss everywhere but linux, which defaults to pulseaudio.

alsa is not supported upstream, and checks for failures by calling assert,
which means the default setup crashes whenever audio is played.

bump pkgrevision

Revision 1.40 / (download) - annotate - [select for diffs], Mon Mar 20 13:39:33 2017 UTC (2 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.39: +4 -2 lines
Diff to previous 1.39 (colored)

gtk2 is still required from gtk3 option. Fix configure

Revision 1.39 / (download) - annotate - [select for diffs], Mon Mar 20 10:54:46 2017 UTC (2 years, 8 months ago) by szptvlfn
Branch: MAIN
Changes since 1.38: +2 -1 lines
Diff to previous 1.38 (colored)

reduce gtk2 include, move comment to options.mk

Revision 1.38 / (download) - annotate - [select for diffs], Tue Mar 7 20:45:43 2017 UTC (2 years, 9 months ago) by ryoon
Branch: MAIN
Changes since 1.37: +2 -4 lines
Diff to previous 1.37 (colored)

Update to 52.0

* Switch to GTK3 build
* Remove py-sqlite2 dependency, fix PR pkg/52032

Changelog:
New
    Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins.

    Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab.

    Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS.

    Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain.

    Enhanced Sync to allow users to send and open tabs from one device to another.

Fixed
    Various security fixes

    Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that
      * have chained dead keys
      * input two or more characters with a non-printable key or a dead key sequence
      * input a character even when a dead key sequence failed to compose a character

Changed
    Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.

    Removed Battery Status API to reduce fingerprinting of users by trackers

    Improved experience for downloads:
      * Notification in the toolbar when a download fails
      * Quick access to five most recent downloads rather than three
      * Larger buttons for canceling and restarting downloads

    Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1

    Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox.

    When not using Direct2D on Windows, Skia is used for content rendering

Developer
    Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design

    Redesigned Responsive Design Mode to include device selection, network throttling, and more

    Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain

unresolved
    Google Hangouts temporarily won't work

Security fixes:
 #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
 #CVE-2017-5401: Memory Corruption when handling ErrorResult
 #CVE-2017-5402: Use-after-free working with events in FontFace objects
 #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
 #CVE-2017-5404: Use-after-free working with ranges in selections
 #CVE-2017-5406: Segmentation fault in Skia with canvas operations
 #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
 #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
 #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
 #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
 #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
 #CVE-2017-5412: Buffer overflow read in SVG filters
 #CVE-2017-5413: Segmentation fault during bidirectional operations
 #CVE-2017-5414: File picker can choose incorrect default directory
 #CVE-2017-5415: Addressbar spoofing through blob URL
 #CVE-2017-5416: Null dereference crash in HttpChannel
 #CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
 #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
 #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
 #CVE-2017-5427: Non-existent chrome.manifest file loaded during startup
 #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
 #CVE-2017-5419: Repeated authentication prompts lead to DOS attack
 #CVE-2017-5420: Javascript: URLs can obfuscate addressbar location
 #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
 #CVE-2017-5421: Print preview spoofing
 #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
 #CVE-2017-5399: Memory safety bugs fixed in Firefox 52
 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

Revision 1.37 / (download) - annotate - [select for diffs], Sun Feb 12 07:36:27 2017 UTC (2 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.36: +1 -2 lines
Diff to previous 1.36 (colored)

Fix non-gtk3 (gtk2) packaging

Revision 1.36 / (download) - annotate - [select for diffs], Sat Feb 11 12:12:02 2017 UTC (2 years, 10 months ago) by abs
Branch: MAIN
Changes since 1.35: +21 -1 lines
Diff to previous 1.35 (colored)

Add gtk3 (cairo-gtk3) option for firefox.
Default build is unchanged with gtk2 (cairo-gtk2)

Revision 1.35 / (download) - annotate - [select for diffs], Sat Feb 4 11:14:27 2017 UTC (2 years, 10 months ago) by maya
Branch: MAIN
Changes since 1.34: +5 -1 lines
Diff to previous 1.34 (colored)

firefox: use oss on freebsd and dragonflybsd.
no pkgrevision bump because it does not build.

only part of PR pkg/51695 from David Shao.

Revision 1.34 / (download) - annotate - [select for diffs], Sat Feb 4 11:12:04 2017 UTC (2 years, 10 months ago) by maya
Branch: MAIN
Changes since 1.33: +1 -2 lines
Diff to previous 1.33 (colored)

firefox: fix debug build. don't pass --enable-debug-symbols in debug option.
as we do it, we create conflicting flags, and configure complains.

PR pkg/51927

Revision 1.33 / (download) - annotate - [select for diffs], Sat Dec 3 11:30:28 2016 UTC (3 years ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4
Changes since 1.32: +4 -2 lines
Diff to previous 1.32 (colored)

Bump PKGREVISION. On NetBSD use alsa by default.

Revision 1.32 / (download) - annotate - [select for diffs], Sat Aug 20 11:17:32 2016 UTC (3 years, 3 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.31: +11 -5 lines
Diff to previous 1.31 (colored)

Update to 48.0.1

* Remove dbus-glib dependency and add dbus option (from Robert Swindells)
* Fix potential build failure in skia (from Robert Swindells)

Changelog:
Fixed
    Fix an audio regression impacting some major websites (bug 1295296)
    Fix a top crash in the JavaScript engine (Bug 1290469)
    Fix a startup crash issue caused by Websense (Bug 1291738)
    Fix a different behavior with e10s / non-e10s on <select> and mouse events (Bug 1291078)
    Fix a top crash caused by plugin issues (Bug 1264530)
    Fix an unsigned add-ons issue on Windows
    Fix a shutdown issue (Bug 1276920)
    Fix a crash in WebRTC

Revision 1.31 / (download) - annotate - [select for diffs], Sat Aug 6 08:46:59 2016 UTC (3 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.30: +2 -14 lines
Diff to previous 1.30 (colored)

Update to 48.0

* OSS audio support may not work. I will revisit later

Changelog:
New:
    Roar for moar protection against harmful downloads! We've got your back

    Process separation (e10s) is enabled for some of you. Like it? Let us know and we'll roll it out to more.

    Add-ons that have not been verified and signed by Mozilla will not load

    GNU/Linux fans: Get better Canvas performance with speedy Skia support. Try saying that three times fast

    WebRTC embetterments:
        Delay-agnostic AEC enabled
        Full duplex for GNU/Linux enabled
        ICE Restart & Update is supported
        Cloning of MediaStream and MediaStreamTrack is now supported

    Searching for something already in your bookmarks or open tabs? We added super smart icons to let you know

    Windows folks: Tab (move buttons) and Shift+F10 (pop-up menus) now behave as they should in Firefox customization mode

    The media parser has been redeveloped using the Rust programming language

    Windows 7 systems without Platform Update can now use D3D11 WARP

Fixed:
    Various security fixes

    Heyo, Jabra & Logitech C920 webcam users. We fixed those pesky WebRTC bugs causing frequency distortions. Buh-bye, squeaky voice!

    Improved step debugging on last line of functions

Changed:
    Starting with the Firefox version 49 release, so long to support for 10.6, 10.7 and 10.8. Now we can focus on where most Mac users are: 10.9. Don't forget to upgrade!

    After version 48, SSE2 CPU extensions are going to be required on Windows

    Au revoir to Windows Remote Access Service modem Autodial

Developer:
    WebExtensions support is now considered as stable

    Workers can now use the Web Crypto API

    Want to move absolute & fixed positioned elements? (Who doesn't, right?) Now you can with our geometry editor.

    The memory tool now has a tree map view for your debugging pleasure. It's a little bit of "boo" and a whole lot of "ya."

    We're putting the spotlight on the background. Now you can debug WebExtensions background content scripts and background pages

    Content Security Policy (CSP) is now enforced for WebExtensions. (Who's down with CSP?)

    Old and busted: Error Console. New hotness: Browser Console for your debugging pleasure.

    Add-on development just got easier because you can reload them from about:debugging „ŗbecause we're all about debugging.

    This theme is hot, hot, hot! Say hi to the Firebug theme for Developer Tools.

    Expand network requests from the console panel to view request details in line, so you can see things in context


Fixed in Firefox 48:
    2016-84 Information disclosure through Resource Timing API during page navigation
    2016-83 Spoofing attack through text injection into internal error pages
    2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
    2016-81 Information disclosure and local file manipulation through drag and drop
    2016-80 Same-origin policy violation using local HTML file and saved shortcut file
    2016-79 Use-after-free when applying SVG effects
    2016-78 Type confusion in display transformation
    2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
    2016-76 Scripts on marquee tag can execute in sandboxed iframes
    2016-75 Integer overflow in WebSockets during data buffering
    2016-74 Form input type change from password to text can store plain text password in session restore file
    2016-73 Use-after-free in service workers with nested sync events
    2016-72 Use-after-free in DTLS during WebRTC session shutdown
    2016-71 Crash in incremental garbage collection in JavaScript
    2016-70 Use-after-free when using alt key and toplevel menus
    2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
    2016-68 Out-of-bounds read during XML parsing in Expat library
    2016-67 Stack underflow during 2D graphics rendering
    2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
    2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
    2016-64 Buffer overflow rendering SVG with bidirectional content
    2016-63 Favicon network connection can persist when page is closed
    2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)

Revision 1.30 / (download) - annotate - [select for diffs], Thu Jun 16 12:08:21 2016 UTC (3 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2
Changes since 1.29: +7 -2 lines
Diff to previous 1.29 (colored)

Update to 47.0

* Remove macOS patches, because I cannot confirm them sadly

Changelog:
New
    Support for Google„ŗ—‘ Widevine CDM on Windows and Mac OS X so streaming services like Amazon Video can switch from Silverlight to encrypted HTML5 video.
    Enable VP9 video codec for users with fast machines
    Embedded YouTube videos now play with HTML5 video if Flash is not installed.
    View and search open tabs from your smartphone or another computer in a sidebar
    Allow no-cache on back/forward navigations for https resources
    Latgalu [ltg] locale added. Wikipedia tells us there are 164,500 daily speakers.

Fixed
    Various security fixes

Changed
    FUEL (Firefox User Extension Library) has been removed. Add-ons relying on it will stop working.
    The browser.sessionstore.restore_on_demand preference has been reset to its default value (true) to avoid e10s performance problems. Because faster is better!
    The Firefox click-to-activate plugin whitelist has been removed.
    XRender is no longer used for rendering web content on Linux as this may cause a regression in remote X performance

Developer
    Web platform changes
    View, start,and debug registered Service Workers in the Service Workers developer tool
    Simulate Push messages in the Service Workers developer tool
    'Start' button for service workers in about:debugging to start registered Service Workers
    Changes that can affect add-on compatibility
    Added support for ChaCha20/Poly1305 cipher suites
    Custom user agents supported in Responsive Design Mode
    Smart multi-line input in the Web Console

Developer Information
HTML5
    cuechange events are now available on TextTrack objects
    WebCrypto: PBKDF2 supports SHA-2 hash algorithms
    WebCrypto: RSA-PSS signature support


Fixed in Firefox 47
    2016-61 Network Security Services (NSS) vulnerabilities
    2016-60 Java applets bypass CSP protections
    2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
    2016-58 Entering fullscreen and persistent pointerlock without user permission
    2016-57 Incorrect icon displayed on permissions notifications
    2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
    2016-55 File overwrite and privilege escalation through Mozilla Windows updater
    2016-54 Partial same-origin-policy through setting location.host through data URI
    2016-53 Out-of-bounds write with WebGL shader
    2016-52 Addressbar spoofing though the SELECT element
    2016-51 Use-after-free deleting tables from a contenteditable document
    2016-50 Buffer overflow parsing HTML5 fragments
    2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

Revision 1.29 / (download) - annotate - [select for diffs], Fri Feb 26 10:57:45 2016 UTC (3 years, 9 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1
Changes since 1.28: +2 -4 lines
Diff to previous 1.28 (colored)

Use OPSYSVARS.

Revision 1.28 / (download) - annotate - [select for diffs], Sun Dec 27 18:25:33 2015 UTC (3 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.27: +10 -2 lines
Diff to previous 1.27 (colored)

Update to 43.0.2

* Add OSS support, disabled by default

Changelog:
43.0.2:
Stability fixes.

43.0.1:
Not for non-Microsoft Windows platforms.

Revision 1.27 / (download) - annotate - [select for diffs], Fri Oct 16 12:58:16 2015 UTC (4 years, 2 months ago) by jmcneill
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4
Changes since 1.26: +3 -4 lines
Diff to previous 1.26 (colored)

gio is part of gtk2 not gnome, so dont make the gio extension conditional on the gnome pkg option. bump pkg revision.

Revision 1.26 / (download) - annotate - [select for diffs], Fri Jul 3 10:25:40 2015 UTC (4 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base, pkgsrc-2015Q3
Changes since 1.25: +2 -2 lines
Diff to previous 1.25 (colored)

Update to 39.0

Changelog:
New Share Hello URLs with social networks
New Project Silk: Smoother animation and scrolling (Mac OS X)
New Support for 'switch' role in ARIA 1.1 (web accessibility)
New SafeBrowsing malware detection lookups enabled for downloads (Mac OS X and Linux)
New Support for new Unicode 8.0 skin tone emoji
Changed Removed support for insecure SSLv3 for network communications
Changed Disable use of RC4 except for temporarily whitelisted hosts
Changed The malware detection service for downloads now covers common Mac file types (Bug 1138721)
Changed of displaying dashed lines is improved (Mac OS X) (Bug 1123019)
HTML5 List-style-type now accepts a string value
HTML5 Enable the Fetch API for network requests from dedicated, shared and service workers
HTML5 Cascading of CSS transitions and animations now matches the current spec
HTML5 Implement <link rel="preconnect">allowing anticipation of a future connection without revealing any information
HTML5 Added support for CSS Scroll Snap Points
Developer Drag and drop enabled for nodes in Inspector markup view
Developer Webconsole input history persists even after closing the toolbox
Developer Cubic bezier tooltip now shows a gallery of timing-function presets for use with CSS animations
Developer localhost is now available offline for WebSocket connections
Fixed Improve performance for IPv6 fallback to IPv4
Fixed Fix incomplete downloads being marked as complete by detecting broken HTTP1.1 transfers
Fixed The Security state indicator on a page now correctly ignores loads caused by previous pages
Fixed Fixed an issue where a Hello conversation window would sometimes fail to open
Fixed A regression that could lead to Flash not displaying has been fixed
Fixed Update to NSS 3.19.2
Fixed Various security fixes

Fixed in Firefox 39
    2015-71 NSS incorrectly permits skipping of ServerKeyExchange
    2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
    2015-69 Privilege escalation in PDF.js
    2015-68 OS X crash reports may contain entered key press information
    2015-67 Key pinning is ignored when overridable errors are encountered
    2015-66 Vulnerabilities found through code inspection
    2015-65 Use-after-free in workers while using XMLHttpRequest
    2015-64 ECDSA signature validation fails to handle some signatures correctly
    2015-63 Use-after-free in Content Policy due to microtask execution error
    2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio
    2015-61 Type confusion in Indexed Database Manager
    2015-60 Local files or privileged URLs in pages can be opened into new tabs
    2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

Revision 1.25 / (download) - annotate - [select for diffs], Wed Apr 15 12:36:23 2015 UTC (4 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2
Changes since 1.24: +4 -4 lines
Diff to previous 1.24 (colored)

Use gio instead of gnomevfs option.
From hiramatsu@. Thank you.

Revision 1.24 / (download) - annotate - [select for diffs], Wed Aug 13 22:33:16 2014 UTC (5 years, 4 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base, pkgsrc-2015Q1, pkgsrc-2014Q4-base, pkgsrc-2014Q4, pkgsrc-2014Q3-base, pkgsrc-2014Q3
Changes since 1.23: +4 -2 lines
Diff to previous 1.23 (colored)

Separate the if statements as clang will result in a string expression
and make warning about it.

Revision 1.23 / (download) - annotate - [select for diffs], Fri Jun 20 07:27:50 2014 UTC (5 years, 5 months ago) by martin
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base, pkgsrc-2014Q2
Changes since 1.22: +18 -5 lines
Diff to previous 1.22 (colored)

Add compiler depenend magic to keep the version compiled with option "debug"
usable with modern gcc.
Since the full "debug" version will behave differently to the standard
version (as it enables all the mozilla internal consistency checks, and
also drops compiler optimization), it is not very usefull when trying to
debug crashes that could be compiler bugs, or mozilla low level bugs -
so provide a new option "debug-info" that creates a debuggable, but
fully optimized version.
The result is best run from the pkgobj dir via the
work/build/dist/bin/run-mozilla script with options "-g ./firefox".
No changes to the default pkg generated.

Revision 1.22 / (download) - annotate - [select for diffs], Mon May 5 00:53:34 2014 UTC (5 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.21: +2 -2 lines
Diff to previous 1.21 (colored)

Try to fix build under OpenBSD

Revision 1.21 / (download) - annotate - [select for diffs], Sat May 3 10:58:26 2014 UTC (5 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)

Fix build under FreeBSD/amd64 10.0

* Use MOZ_SAMPLE_TYPE_FLOAT32=1 for FreeBSD
* Disable WebRTC support under FreeBSD, because graphics/libv4l is not built
  under FreeBSD/amd64 10.0

Revision 1.20 / (download) - annotate - [select for diffs], Sun Apr 20 23:07:55 2014 UTC (5 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.19: +3 -1 lines
Diff to previous 1.19 (colored)

Fix PR pkg/48749. When pulseaudio option is not selected, disable
pulseaudio option explicitly.

Fix Linux build.

Revision 1.19 / (download) - annotate - [select for diffs], Sat Nov 16 02:01:46 2013 UTC (6 years, 1 month ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2014Q1-base, pkgsrc-2014Q1, pkgsrc-2013Q4-base, pkgsrc-2013Q4
Changes since 1.18: +3 -1 lines
Diff to previous 1.18 (colored)

In non-ALSA case, ALSA support is disabled explicitly

Revision 1.18 / (download) - annotate - [select for diffs], Sat Nov 2 22:57:55 2013 UTC (6 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.17: +10 -3 lines
Diff to previous 1.17 (colored)

Update to 25.0

* Enable pulseaudio by default, OSS support is dropped, and ALSA support
  on NetBSD does not work properly for me
* Enable GStremer support for non-webm and non-theora video support
* Create alsa option, and enabled on Linux by default

Changelog:
 NEW
Web Audio support
NEW
The find bar is no longer shared between tabs
CHANGED
If away from Firefox for months, you now will be offered the option to reset it to its default state while preserving your essential information
CHANGED
Resetting Firefox no longer clears your browsing session
DEVELOPER
CSS3 background-attachment:local support to control background scrolling
DEVELOPER
Many new ES6 functions implemented
HTML5
iframe document content can now be specified inline
FIXED
Blank or missing page thumbnails when opening a new tab
FIXED
Security fixes can be found here

Fixed in Firefox 25
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-99 Security bypass of PDF.js checks using iframes
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

Revision 1.17 / (download) - annotate - [select for diffs], Sat Sep 21 11:40:57 2013 UTC (6 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3
Changes since 1.16: +3 -2 lines
Diff to previous 1.16 (colored)

Fix non-official branding build.

Revision 1.16 / (download) - annotate - [select for diffs], Wed Jul 17 11:00:13 2013 UTC (6 years, 5 months ago) by jperkin
Branch: MAIN
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

Add SunOS/x86 patchset.  This produces a package, but the resulting
firefox binary does not yet work correctly.

Revision 1.15 / (download) - annotate - [select for diffs], Thu Jul 4 08:07:09 2013 UTC (6 years, 5 months ago) by martin
Branch: MAIN
Changes since 1.14: +3 -2 lines
Diff to previous 1.14 (colored)

Remove an uneeded patch (harmless, does not change binary)

Revision 1.14 / (download) - annotate - [select for diffs], Wed Jun 26 11:32:12 2013 UTC (6 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base, pkgsrc-2013Q2
Changes since 1.13: +15 -2 lines
Diff to previous 1.13 (colored)

Update to 22.0

* On NetBSD WebRTC support is disabled, because libxul.so has some errors
  in link stage. WebRTC support should be tested on non-NetBSD platforms.
* It seems that OSS sound support is not working properly on NetBSD.

Changelog:
    NEW
    WebRTC is now enabled by default!
    NEW
    Windows: Firefox now follows display scaling options to render text larger on high-res displays
    NEW
    Mac OS X: Download progress in Dock application icon
    NEW
    HTML5 audio/video playback rate can now be changed
    NEW
    Social services management implemented in Add-ons Manager
    NEW
    asm.js optimizations (OdinMonkey) enabled for major performance improvements
    CHANGED
    Improved WebGL rendering performance through asynchronous canvas updates
    CHANGED
    Plain text files displayed within Firefox will now word-wrap
    CHANGED
    For user security, the |Components| object is no longer accessible from web content
    CHANGED
    Pointer Lock API can now be used outside of fullscreen
    DEVELOPER
    CSS3 Flexbox implemented and enabled by default
    DEVELOPER
    New Web Notifications API implemented
    DEVELOPER
    Added clipboardData API for JavaScript access to a user's clipboard
    DEVELOPER
    New built-in font inspector
    HTML5
    New HTML5 <data> and <time> elements
    FIXED
    Various security fixes
    FIXED
    Scrolling using some high-resolution-scroll aware touchpads feels slow (829952)

Fixed in Firefox 22
MFSA 2013-62 Inaccessible updater can lead to local privilege escalation
MFSA 2013-61 Homograph domain spoofing in .com, .net and .name
MFSA 2013-60 getUserMedia permission dialog incorrectly displays location
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-58 X-Frame-Options ignored when using server push with multi-part responses
MFSA 2013-57 Sandbox restrictions not applied to nested frame elements
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-52 Arbitrary code execution within Profiler
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

Revision 1.13 / (download) - annotate - [select for diffs], Thu May 23 13:12:13 2013 UTC (6 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.12: +1 -3 lines
Diff to previous 1.12 (colored)

Bump PKGREVISION.

* Remove reference to devel/xulrunner.
* Move some common files for firefox/xulrunner-21.0.
* Move patches from devel/sulrunner.
* Take MAINTAINERship.

Revision 1.12 / (download) - annotate - [select for diffs], Sun May 19 12:31:58 2013 UTC (6 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)

Fix gnome option.

This is related to PR pkg/47801.
But devel/xulrunner is broken now.

Revision 1.11 / (download) - annotate - [select for diffs], Sun May 19 08:50:24 2013 UTC (6 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.10: +44 -1 lines
Diff to previous 1.10 (colored)

Update to 21.0

* This release of firefox is built with internal xulrunner.
  Because separated (system) xulrunner has prefs and chrome load problem.
* gnome option is broken in libnkmozgnomevfs.so build.

Changelog:
NEW
The Social API now supports multiple providers
NEW
Enhanced three-state UI for Do Not Track (DNT)
NEW
Firefox will suggest how to improve your application startup time if needed
NEW
Preliminary implementation of Firefox Health Report
CHANGED
Ability to restore removed thumbnails on New Tab Page
CHANGED
CSS -moz-user-select:none selection changed to improve compatibility with -webkit-user-select:none (bug 816298)
CHANGED
Graphics related performance improvements (bug 809821)
CHANGED
Removed E4X support from Spidermonkey
DEVELOPER
Implemented Remote Profiling
DEVELOPER
Integrated add-on SDK loader and API libraries into Firefox
HTML5
Added support for <main> element
HTML5
Implemented scoped stylesheets
HTML5
Added support for window.crypto.getRandomValues
FIXED
Some function keys may not work when pressed (833719)
FIXED
Browsing and Download history clearing needs unification to avoid confusion on clearing download history (847627)
FIXED
21.0: Security fixes can be found here

Fixed in Firefox 21
MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-43 File input control has access to full path
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

Revision 1.10 / (download) - annotate - [select for diffs], Mon Jul 11 13:17:40 2011 UTC (8 years, 5 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base, pkgsrc-2013Q1, pkgsrc-2012Q4-base, pkgsrc-2012Q4, pkgsrc-2012Q3-base, pkgsrc-2012Q3, pkgsrc-2012Q2-base, pkgsrc-2012Q2, pkgsrc-2012Q1-base, pkgsrc-2012Q1, pkgsrc-2011Q4-base, pkgsrc-2011Q4, pkgsrc-2011Q3-base, pkgsrc-2011Q3
Changes since 1.9: +4 -1 lines
Diff to previous 1.9 (colored)

Fix PLIST when official branding is disabled.

Revision 1.9 / (download) - annotate - [select for diffs], Tue Mar 16 15:57:03 2010 UTC (9 years, 9 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base, pkgsrc-2011Q2, pkgsrc-2011Q1-base, pkgsrc-2011Q1, pkgsrc-2010Q4-base, pkgsrc-2010Q4, pkgsrc-2010Q3-base, pkgsrc-2010Q3, pkgsrc-2010Q2-base, pkgsrc-2010Q2, pkgsrc-2010Q1-base, pkgsrc-2010Q1
Changes since 1.8: +1 -4 lines
Diff to previous 1.8 (colored)

Update to firefox-3.6.2.
.2 is not formally released yet, but is release tagged in the scm and I
want to get this update in before we freeze the tree.

"Firefox 3.6 is built on Mozilla's Gecko 1.9.2 web rendering platform,
which has been under development since early 2009 and contains many
improvements for web developers, add-on developers, and users."

- Improved JavaScript performance, overall browser responsiveness,
  and startup time.
- The ability for web developers to indicate that scripts should run
  asynchronously to speed up page load times.
- Continued support for downloadable web fonts using the new WOFF font format.
- Support for new CSS attributes such as gradients, background sizing,
  and pointer events.
- Support for new DOM and HTML5 specifications including the Drag & Drop API
  and the File API, which allow for more interactive web pages.

Revision 1.8 / (download) - annotate - [select for diffs], Wed Feb 17 18:32:18 2010 UTC (9 years, 9 months ago) by tnn
Branch: MAIN
Changes since 1.7: +2 -8 lines
Diff to previous 1.7 (colored)

Update to firefox-3.5.8 and xulrunner-1.9.1.8.
Security and bugfix release. (no MFSAs released at time of writing)
While here drop defunct debug option from firefox and reduce diff to wip/

Revision 1.7 / (download) - annotate - [select for diffs], Wed Sep 16 19:06:18 2009 UTC (10 years, 3 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base, pkgsrc-2009Q4, pkgsrc-2009Q3-base, pkgsrc-2009Q3
Changes since 1.6: +3 -37 lines
Diff to previous 1.6 (colored)

Build firefox against external runtime components from devel/xulrunner.
Bump PKGREVISION.

Revision 1.6 / (download) - annotate - [select for diffs], Sun Aug 30 01:14:50 2009 UTC (10 years, 3 months ago) by markd
Branch: MAIN
Changes since 1.5: +2 -1 lines
Diff to previous 1.5 (colored)

libgnome is also needed for the gnome option to do anything.

Revision 1.5 / (download) - annotate - [select for diffs], Sat Aug 29 15:47:58 2009 UTC (10 years, 3 months ago) by tnn
Branch: MAIN
Changes since 1.4: +1 -2 lines
Diff to previous 1.4 (colored)

Upon giving this some more thought, I think the gnome option is better
left disabled by default. Correct me if I'm wrong but it feels like
most pkgsrc users don't use gnome. If someone can comment on the
benefits of these dependencies in the GNOME environment, speak up.

Revision 1.4 / (download) - annotate - [select for diffs], Sat Aug 29 11:50:32 2009 UTC (10 years, 3 months ago) by tnn
Branch: MAIN
Changes since 1.3: +3 -2 lines
Diff to previous 1.3 (colored)

PLIST fix for previous

Revision 1.3 / (download) - annotate - [select for diffs], Sat Aug 29 10:34:37 2009 UTC (10 years, 3 months ago) by tnn
Branch: MAIN
Changes since 1.2: +10 -2 lines
Diff to previous 1.2 (colored)

Add a "gnome" option which toggles gnome-vfs (and dbus) support.
Enable this by default.
Bump revision.

Revision 1.2 / (download) - annotate - [select for diffs], Sun Aug 9 21:13:39 2009 UTC (10 years, 4 months ago) by tnn
Branch: MAIN
Changes since 1.1: +16 -4 lines
Diff to previous 1.1 (colored)

add mozilla-jit option

Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Wed Aug 5 02:37:10 2009 UTC (10 years, 4 months ago) by tnn
Branch: TNF
CVS Tags: pkgsrc-20090805
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

Import firefox-3.5.2 as www/firefox. from pkgsrc-wip.

Firefox 3.5  is based on the Gecko 1.9.1 rendering platform.
Firefox 3.5 offers many changes over the previous version, supporting new web
technologies, improving performance and ease of use.
Some of the notable features are:

* Support for the HTML5 <video> and <audio> elements
* Improved tools for controlling your private data
* Better web application performance using the new TraceMonkey JavaScript engine
* The ability to share your location with websites using Location Aware Browsing
* Support for native JSON, and web worker threads.
* Improvements to the Gecko layout engine, including speculative parsing for
  faster content rendering.
* Support for new web technologies such as: downloadable fonts, CSS media
  queries, new transformations and properties, JavaScript query selectors,
  HTML5 local storage and offline application storage, <canvas> text,
  ICC profiles, and SVG transforms.

Revision 1.1 / (download) - annotate - [select for diffs], Wed Aug 5 02:37:10 2009 UTC (10 years, 4 months ago) by tnn
Branch: MAIN

Initial revision

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>