| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
release notes.
|
|
|
|
Firefox 2.0.0.20 includes an additional security fix over Firefox 2.0.0.19 for
users of the Windows platform.
So no significant changes for Linux edition, but 2.0.0.19 is not available.
|
|
Security fixes in this version:
MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-62 Additional XSS attack vectors in feed preview
MFSA 2008-61 Information stealing via loadBindingDocument
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.19/releasenotes/
|
|
<pkgsrc-users@NetBSD.org> and only assign the "firefox-bin" package
to <grant@NetBSD.org> because that is the package he really created.
|
|
Security fixes in this version:
MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
MFSA 2008-50 Crash and remote code execution via __proto__ tampering
MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
MFSA 2008-48 Image stealing via canvas and HTTP redirect
MFSA 2008-47 Information stealing via local shortcut files
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.18/releasenotes/
|
|
(ok during freeze agc@)
Security fixes in this version:
MFSA 2008-45 XBM image uninitialized memory reading
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag
MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
MFSA 2008-37 UTF-8 URL stack buffer overflow
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.17/releasenotes/
|
|
Security fixes in this version:
MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
MFSA 2008-34 Remote code execution by overflowing CSS reference counter
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.16/releasenotes/
|
|
Part of patch-af has been fixed upstream.
Security fixes in this version:
MFSA 2008-33 Crash and remote code execution in block reflow
MFSA 2008-32 Remote site run as local file via Windows URL shortcut
MFSA 2008-31 Peer-trusted certs can use alt names to spoof
MFSA 2008-30 File location URL in directory listings not escaped properly
MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
MFSA 2008-24 Chrome script loading from fastload file
MFSA 2008-23 Signed JAR tampering
MFSA 2008-22 XSS through JavaScript same-origin violation
MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.15/releasenotes/
|
|
Security fixes in this version:
MFSA 2008-20 Crash in JavaScript garbage collector
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.14/releasenotes/
|
|
following security issues:
- MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
- MFSA 2008-18 Java socket connection to any local port via LiveConnect
- MFSA 2008-17 Privacy issue with SSL Client Authentication
- MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
- MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
- MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
|
|
has already been altered to support user-destdir, so we just need to turn
it on in these packages.
|
|
Security fixes in this version:
MFSA 2008-11 Web forgery overwrite with div overlay
MFSA 2008-10 URL token stealing via stylesheet redirect
MFSA 2008-09 Mishandling of locally-saved plain text files
MFSA 2008-08 File action dialog tampering
MFSA 2008-06 Web browsing history and forward navigation stealing
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-04 Stored password corruption
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 Multiple file input focus stealing vulnerabilities
MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.12/releasenotes/
|
|
This update fixes a bug introduced by the 2.0.0.10 update in the <canvas>
feature that affected some web pages and extensions.
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.11/releasenotes/
|
|
Security fixes in this version:
MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.10/releasenotes/
|
|
Fixes a number of regressions introduced in 2.0.0.8:
* Bug 400406 - Firefox will ignore the clear CSS property when used beneath a
box that is using the float property. There is a temporary workaround JS/CSS
code available for web developers with affected layouts.
* Bug 400467 - Windows Vista users will get Java not found or Java not working
errors when trying to load Java applets after updating. To fix this, users
can right-click the Firefox icon and Run as administrator, then browse to a
page with a Java applet doing this once will fix the problem and permanently
restore Java functionality.
* Bug 396695 - Add-ons are disabled after updating. Users can fix this problem
by opening their profile folder and removing three files (extensions.rdf,
extensions.ini and extensions.cache)
* Bug 400421 - Removing a single area element from an image map will cause the
entire map to disappear. There is no workaround available at this time.
* Bug 400735 - Some Windows users may experience crashes at startup. There is
no workaround available at this time.
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.9/releasenotes/
|
|
Security fixes in this version:
MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.8/releasenotes/
|
|
This version only fixes a Windows-specific security issue, but update
nevertheless so we start the freeze with the latest available version.
(People will start asking about this update anyway?)
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.7/releasenotes/
|
|
|
|
Security fixes in this version:
MFSA 2007-27 Unescaped URIs passed to external programs
MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.6/releasenotes/
|
|
binary-only packages that require binary "emulation" on the native
operating system. Please see pkgsrc/mk/emulator/README for more
details.
* Teach the plist framework to automatically use any existing
PLIST.${EMUL_PLATFORM} as part of the default PLIST_SRC definition.
* Convert all of the binary-only packages in pkgsrc to use the
emulator framework. Most of them have been tested to install and
deinstall correctly. This involves the following cleanup actions:
* Remove use of custom PLIST code and use PLIST.${EMUL_PLATFORM}
more consistently.
* Simplify packages by using default INSTALL and DEINSTALL scripts
instead of custom INSTALL/DEINSTALL code.
* Remove "SUSE_COMPAT32" and "PKG_OPTIONS.suse" from pkgsrc.
Packages only need to state exactly which emulations they support,
and the framework handles any i386-on-x86_64 or sparc-on-sparc64
uses.
* Remove "USE_NATIVE_LINUX" from pkgsrc. The framework will
automatically detect when the package is installing on Linux.
Specific changes to packages include:
* Bump the PKGREVISIONs for all of the suse100* and suse91* packages
due to changes in the +INSTALL/+DEINSTALL scripts used in all
of the packages.
* Remove pkgsrc/emulators/suse_linux, which is unused by any
packages.
* cad/lc -- remove custom code to create the distinfo file for
all supported platforms; just use "emul-fetch" and "emul-distinfo"
instead.
* lang/Cg-compiler -- install the shared libraries under ${EMULDIR}
instead of ${PREFIX}/lib so that compiled programs will find
the shared libraries.
* mail/thunderbird-bin-nightly -- update to latest binary
distributions for supported platforms.
* multimedia/ns-flash -- update Linux version to 9.0.48 as the
older version is no longer available for interactive fetch.
* security/uvscan -- set LD_LIBRARY_PATH explicitly so that
it's not necessary to install library symlinks into
${EMULDIR}/usr/local/lib.
* www/firefox-bin-flash -- update Linux version to 9.0.48 as the
older version is no longer available for interactive fetch.
|
|
MFSA 2007-25 XPCNativeWrapper pollution
MFSA 2007-24 Unauthorized access to wyciwyg:// documents
MFSA 2007-23 Remote code execution by launching Firefox from
Internet Explorer
MFSA 2007-22 File type confusion due to %00 in name
MFSA 2007-21 Privilege escalation using an event handler attached to an
element not in the document
MFSA 2007-20 Frame spoofing while window is loading
MFSA 2007-19 XSS using addEventListener and setTimeout
MFSA 2007-18 Crashes with evidence of memory corruption
|
|
Security fixes in this version:
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.4/releasenotes/
|
|
and change notes). Firefox 1.5.0.x will be maintained in www/firefox15*,
as discussed on tech-pkg.
|
|
* Security update: MFSA 2007-11 (FTP PASV port-scanning) has been fixed.
* Website Compatibility: Fixed various web compatibility regressions.
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.11.html
|
|
Fixed in Firefox 1.5.0.10
MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
MFSA 2007-05 XSS and local file access by opening blocked popups
MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
MFSA 2007-03 Information disclosure through cache collisions
MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.10.html
|
|
MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.9.html
|
|
update firefox-bin and firefox2-bin to override MOZ_DIR to point
to the binary Linux distribution; kill their own MASTER_SITES
now firefox-bin and firefox2-bin automaticaly pick up mirror
changes in the master script
|
|
MFSA 2006-67 Running Script can be recompiled
MFSA 2006-66 RSA signature forgery (variant)
MFSA 2006-65 Crashes with evidence of memory corruption (rv:1.8.0.8)
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.8.html
|
|
|
|
updates will follow later.
Fixed in Firefox 1.5.0.7:
MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
MFSA 2006-61 Frame spoofing using document.open()
MFSA 2006-60 RSA Signature Forgery
MFSA 2006-59 Concurrency-related vulnerability
MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
MFSA 2006-57 JavaScript Regular Expression Heap Corruption
Fixed in SeaMonkey 1.0.5:
MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
MFSA 2006-63 JavaScript execution in mail via XBL
MFSA 2006-61 Frame spoofing using document.open()
MFSA 2006-60 RSA Signature Forgery
MFSA 2006-59 Concurrency-related vulnerability
MFSA 2006-57 JavaScript Regular Expression Heap Corruption
For more info, see http://www.mozilla.com/firefox/releases/1.5.0.7.html and
http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.0.5/
|
|
- Fixed an issue with playing Windows Media content
|
|
- Improvements to product stability
- Several security fixes:
MFSA 2006-56 chrome: scheme loading remote content
MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
MFSA 2006-53 UniversalBrowserRead privilege escalation
MFSA 2006-52 PAC privilege escalation using Function.prototype.call
MFSA 2006-51 Privilege escalation using named-functions and redefined
"new Object()"
MFSA 2006-50 JavaScript engine vulnerabilities
MFSA 2006-48 JavaScript new Function race condition
MFSA 2006-47 Native DOM methods can be hijacked across domains
MFSA 2006-46 Memory corruption with simultaneous events
MFSA 2006-45 Javascript navigator Object Vulnerability
MFSA 2006-44 Code execution through deleted frame reference
|
|
Changes:
Fixes for security issues:
MFSA 2006-43 Privilege escalation using addSelectionListener
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-41 File stealing by changing input type (variant)
MFSA 2006-39 "View Image" local resource linking (Windows)
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-36 PLUGINSPAGE privileged JavaScript execution 2
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-34 XSS viewing javascript: frames or images from context menu
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
|
|
- Security fix for denial of service vulnerability reported in
Mozilla Foundation Security Advisory 2006-30
|
|
* Universal Binary support for Mac OS X which provides native support
for Macintosh with Intel Core processors. Firefox supports the
enhancements to performance introduced by the new MacIntel chipsets.
* Improvements to product stability.
* Several security fixes.
|
|
|
|
|
|
* Improved stability.
* Improved support for Mac OS X.
* International Domain Name support for Iceland (.is) is now enabled.
* Fixes for several memory leaks.
* Several security enhancements.
|
|
Changes:
- Automated update to streamline product upgrades. Notification of an
update is more prominent, and updates to Firefox may now be half a
megabyte or smaller. Updating extensions has also improved.
- Faster browser navigation with improvements to back and forward button
performance.
- Drag and drop reordering for browser tabs.
- Improvements to popup blocking.
- Clear Private Data feature provides an easy way to quickly remove
personal data through a menu item or keyboard shortcut.
- Answers.com is added to the search engine list.
- Improvements to product usability including descriptive error pages,
redesigned options menu, RSS discovery, and "Safe Mode" experience.
- Better accessibility including support for DHTML accessibility and
assistive technologies such as the Window-Eyes 5.5 beta screen reader
for Microsoft Windows. Screen readers read aloud all available
information in applications and documents or show the information on
a Braille display, enabling blind and visually impaired users to use
equivalent software functionality as their sighted peers.
- Report a broken Web site wizard to report Web sites that are not
working in Firefox.
- Better support for Mac OS X (10.2 and greater) including profile
migration from Safari and Mac Internet Explorer.
- New support for Web Standards including SVG, CSS 2 and CSS 3, and
JavaScript 1.6.
- Many security enhancements.
Full release notes: http://www.mozilla.com/firefox/releases/1.5.html
XXX: Solaris packages available, need work.
|
|
"pkglint --autofix" change.
|
|
- Fix for a potential buffer overflow vulnerability when loading a
hostname with all soft-hyphens
- Fix to prevent URLs passed from external programs from being parsed
by the shell
- Fix to prevent a crash when loading a Proxy Auto-Config (PAC) script
that uses an "eval" statement
- Fix to restore InstallTrigger.getVersion() for Extension authors
- Other stability and security fixes
|
|
- Restore API compatibility for extensions and web applications that did
not work in Firefox 1.0.5.
|
|
this release fixes the following security issues:
MFSA 2005-56 Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-54 Javascript prompt origin spoofing
MFSA 2005-53 Standalone applications can run arbitrary code through the browser
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-51 The return of frame-injection spoofing
MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
MFSA 2005-49 Script injection from Firefox sidebar panel using data:
MFSA 2005-48 Same-origin violation with InstallTrigger callback
MFSA 2005-47 Code execution via "Set as Wallpaper"
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-45 Content-generated event vulnerabilities
|
|
issuses were fixed in this release:
MFSA 2005-44 Privilege escalation via non-DOM property overrides
MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
MFSA 2005-42 Code execution via javascript: IconURL
|
|
package to match.
There are no firefox gtk1 binary packages for linux any longer, so
no need to keep two different -bin packages around.
This way it also matches the non-bin firefox packages.
|
|
Notes:
* NetBSD-native version not available, this can be used only with
MOZILLA_USE_LINUX
* Linux sets MOZ_GTK2, gtk1-compiled version doesn't appear to be available
* Solaris not tested
|
|
and Linux versions (define MOZILLA_USE_LINUX to use the Linux version).
both tested on NetBSD-current.
|
|
Linux tested - there are no NetBSD builds so far and the Linux builds
require glibc-2.3 which isn't in pkgsrc so does not work out of the
box on NetBSD yet.
changes since 0.8 can be found at:
http://www.mozilla.org/products/firefox/releases/0.9.html
|
|
|
