Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

MozillaFirefox-60.0-95.1 RPM for x86_64

From OpenSuSE Leap 42.3 updates for x86_64

Name: MozillaFirefox Distribution: openSUSE Leap 42.3
Version: 60.0 Vendor: openSUSE
Release: 95.1 Build date: Sat May 12 23:36:31 2018
Group: Productivity/Networking/Web/Browsers Build host: lamb77
Size: 159860168 Source RPM: MozillaFirefox-60.0-95.1.src.rpm
Packager: http://bugs.opensuse.org
Url: http://www.mozilla.org/
Summary: Mozilla Firefox Web Browser
Mozilla Firefox is a standalone web browser, designed for standards
compliance and performance.  Its functionality can be enhanced via a
plethora of extensions.

Provides

Requires

License

MPL-2.0

Changelog

* Mon May 07 2018 wr@rosenauer.org
  - update to Firefox 60.0esr
    * Added a policy engine that allows customized Firefox deployments
      in enterprise environments, using Windows Group Policy or a
      cross-platform JSON file
    * Applied Quantum CSS to render browser UI
    * Added support for Web Authentication, allowing the use of USB
      tokens for authentication to web sites
    * Locale added: Occitan (oc)
    MFSA 2018-11 (bsc#1092548)
    * CVE-2018-5154 (bmo#1443092)
      Use-after-free with SVG animations and clip paths
    * CVE-2018-5155 (bmo#1448774)
      Use-after-free with SVG animations and text paths
    * CVE-2018-5157 (bmo#1449898)
      Same-origin bypass of PDF Viewer to view protected PDF files
    * CVE-2018-5158 (bmo#1452075)
      Malicious PDF can inject JavaScript into PDF Viewer
    * CVE-2018-5159 (bmo#1441941)
      Integer overflow and out-of-bounds write in Skia
    * CVE-2018-5160 (bmo#1436117)
      Uninitialized memory use by WebRTC encoder
    * CVE-2018-5152 (bmo#1415644, bmo#1427289)
      WebExtensions information leak through webRequest API
    * CVE-2018-5153 (bmo#1436809)
      Out-of-bounds read in mixed content websocket messages
    * CVE-2018-5163 (bmo#1426353)
      Replacing cached data in JavaScript Start-up Bytecode Cache
    * CVE-2018-5164 (bmo#1416045)
      CSP not applied to all multipart content sent with
      multipart/x-mixed-replace
    * CVE-2018-5166 (bmo#1437325)
      WebExtension host permission bypass through filterReponseData
    * CVE-2018-5167 (bmo#1447969)
      Improper linkification of chrome: and javascript: content in
      web console and JavaScript debugger
    * CVE-2018-5168 (bmo#1449548)
      Lightweight themes can be installed without user interaction
    * CVE-2018-5169 (bmo#1319157)
      Dragging and dropping link text onto home button can set home page
      to include chrome pages
    * CVE-2018-5172 (bmo#1436482)
      Pasted script from clipboard can run in the Live Bookmarks page
      or PDF viewer
    * CVE-2018-5173 (bmo#1438025)
      File name spoofing of Downloads panel with Unicode characters
    * CVE-2018-5174 (bmo#1447080) (Windows-only)
      Windows Defender SmartScreen UI runs with less secure behavior
      for downloaded files in Windows 10 April 2018 Update
    * CVE-2018-5175 (bmo#1432358)
      Universal CSP bypass on sites using strict-dynamic in their policies
    * CVE-2018-5176 (bmo#1442840)
      JSON Viewer script injection
    * CVE-2018-5177 (bmo#1451908)
      Buffer overflow in XSLT during number formatting
    * CVE-2018-5165 (bmo#1451452)
      Checkbox for enabling Flash protected mode is inverted in 32-bit
      Firefox
    * CVE-2018-5180 (bmo#1444086)
      heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
    * CVE-2018-5181 (bmo#1424107)
      Local file can be displayed in noopener tab through drag and
      drop of hyperlink
    * CVE-2018-5182 (bmo#1435908)
      Local file can be displayed from hyperlink dragged and dropped
      on addressbar
    * CVE-2018-5151
      Memory safety bugs fixed in Firefox 60
    * CVE-2018-5150
      Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
  - removed obsolete patches
    0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
    mozilla-bmo1005535.patch
  - requires NSPR 4.19 and NSS 3.36.1
  - requires rust 1.24 or higher
  - use upstream source archive and detached signature for
    source verification
* Thu May 03 2018 guillaume.gardet@opensuse.org
  - Fix armv7 build by:
    * adding RUSTFLAGS="-Cdebuginfo=0"
    * updating _constraints for %arm
* Wed May 02 2018 wr@rosenauer.org
  - do not try CSD on kwin (boo#1091592)
  - fix build in openSUSE:Leap:42.3:Update, use gcc7
* Tue May 01 2018 astieger@suse.com
  - Mozilla Firefox 59.0.3:
    * fixes for platforms other than GNU/Linux
* Fri Apr 20 2018 mliska@suse.cz
  - Add 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
    in order to fix boo#1090362.
* Mon Apr 02 2018 badshah400@gmail.com
  - Add back mozilla-enable-csd.patch: New rebased version from
    Fedora for version 59.0.x.
* Tue Mar 27 2018 schwab@suse.de
  - Reduce constraints on aarch64
* Tue Mar 27 2018 wr@rosenauer.org
  - update to Firefox 59.0.2
    * Invalid page rendering with hardware acceleration enabled (bmo#1435472)
    * Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites
      that use those keys with resistFingerprinting enabled (bmo#1433592)
    * High CPU / memory churn caused by third-party software on some
      computers (bmo#1446280)
    * Users who have configured an "automatic proxy configuration URL"
      and want to reload their proxy settings from the URL will find
      the Reload button disabled in the Connection Settings dialog when
      they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
    * URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
    * User's trying to cancel a print around the time it completes will
      continue to get intermittent crashes (bmo#1441598)
    MFSA 2018-10 (bsc#1087059)
    * CVE-2018-5148 (bmo#1440717)
      Use-after-free in compositor
  - removed obsolete patch mozilla-bmo1446062.patch
* Wed Mar 21 2018 cgrobertson@suse.com
  - Added patches:
    * mozilla-i586-DecoderDoctorLogger.patch - bmo#1447070
      fixes non-unified build error
    * mozilla-i586-domPrefs.patch - DOMPrefs.h
      fixes 32bit build error
* Fri Mar 16 2018 wr@rosenauer.org
  - update to Firefox 59.0.1 (bsc#1085671)
    MFSA 2018-08
    * CVE-2018-5146 (bmo#1446062)
      Vorbis audio processing out of bounds write
    * CVE-2018-5147 (bmo#1446365)
      Out of bounds memory write in libtremor
      (mozilla-bmo1446062.patch)
* Wed Mar 14 2018 cgrobertson@suse.com
  - Added patch:
    * mozilla-bmo1005535.patch:
      Enable skia_gpu on big endian platforms.
* Sun Mar 11 2018 wr@rosenauer.org
  - update to Firefox 59.0
    * Performance enhancements
    * Drag-and-drop to rearrange Top Sites on the Firefox Home page
    * added features for Firefox Screenshots
    * Enhanced WebExtensions API
    * Improved RTC capabilities
    MFSA 2018-06 (bsc#1085130)
    * CVE-2018-5127 (bmo#1430557)
      Buffer overflow manipulating SVG animatedPathSegList
    * CVE-2018-5128 (bmo#1431336)
      Use-after-free manipulating editor selection ranges
    * CVE-2018-5129 (bmo#1428947)
      Out-of-bounds write with malformed IPC messages
    * CVE-2018-5130 (bmo#1433005)
      Mismatched RTP payload type can trigger memory corruption
    * CVE-2018-5131 (bmo#1440775)
      Fetch API improperly returns cached copies of no-store/no-cache resources
    * CVE-2018-5132 (bmo#1408194)
      WebExtension Find API can search privileged pages
    * CVE-2018-5133 (bmo#1430511, bmo#1430974)
      Value of the app.support.baseURL preference is not properly sanitized
    * CVE-2018-5134 (bmo#1429379)
      WebExtensions may use view-source: URLs to bypass content restrictions
    * CVE-2018-5135 (bmo#1431371)
      WebExtension browserAction can inject scripts into unintended contexts
    * CVE-2018-5136 (bmo#1419166)
      Same-origin policy violation with data: URL shared workers
    * CVE-2018-5137 (bmo#1432870)
      Script content can access legacy extension non-contentaccessible resources
    * CVE-2018-5138 (bmo#1432624) (Android only)
      Android Custom Tab address spoofing through long domain names
    * CVE-2018-5140 (bmo#1424261)
      Moz-icon images accessible to web content through moz-icon: protocol
    * CVE-2018-5141 (bmo#1429093)
      DOS attack through notifications Push API
    * CVE-2018-5142 (bmo#1366357)
      Media Capture and Streams API permissions display incorrect origin
      with data: and blob: URLs
    * CVE-2018-5143 (bmo#1422643)
      Self-XSS pasting javascript: URL with embedded tab into addressbar
    * CVE-2018-5126
      Memory safety bugs fixed in Firefox 59
    * CVE-2018-5125
      Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
  - requires NSPR 4.18 and NSS 3.35
  - requires rust >= 1.22.1
  - removed obsolete patches:
    mozilla-alsa-sandbox.patch
    mozilla-enable-csd.patch
    firefox-no-default-ualocale.patch
  - removed l10n_changesets.txt since same information is now in
    Firefox source tree (updated create-tar.sh now requires jq)
* Fri Feb 09 2018 astieger@suse.com
  - Mozilla Firefox 58.0.2:
    * Blocklisted graphics drivers related to off main thread painting
      crashes
    * Fix tab crash during printing
    * Fix clicking links and scrolling emails on Microsoft Hotmail
      and Outlook (OWA) webmail
* Fri Feb 09 2018 wr@rosenauer.org
  - correct requires and provides handling (boo#1076907)
* Tue Feb 06 2018 fstrba@suse.com
  - Added patch:
    * mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still
      or again?) not working in Firefox 58 due to sandboxing.
* Mon Jan 29 2018 wr@rosenauer.org
  - update to Firefox 58.0.1
    MFSA 2018-05
    * Arbitrary code execution through unsanitized browser UI (bmo#1432966)
  - use correct language packs
  - readd mozilla-enable-csd.patch as it only lands for FF59 upstream
  - allow larger number of nested elements (mozilla-bmo256180.patch)
* Tue Jan 23 2018 wr@rosenauer.org
  - update to Firefox 58.0 (bsc#1077291)
    * Added Nepali (ne-NP) locale
    * Added support for form autofill for credit card
    * Optimize page load by caching JavaScript internal representation
    MFSA 2018-02
    * CVE-2018-5091 (bmo#1423086)
      Use-after-free with DTMF timers
    * CVE-2018-5092 (bmo#1418074)
      Use-after-free in Web Workers
    * CVE-2018-5093 (bmo#1415291)
      Buffer overflow in WebAssembly during Memory/Table resizing
    * CVE-2018-5094 (bmo#1415883)
      Buffer overflow in WebAssembly with garbage collection on
      uninitialized memory
    * CVE-2018-5095 (bmo#1418447)
      Integer overflow in Skia library during edge builder allocation
    * CVE-2018-5097 (bmo#1387427)
      Use-after-free when source document is manipulated during XSLT
    * CVE-2018-5098 (bmo#1399400)
      Use-after-free while manipulating form input elements
    * CVE-2018-5099 (bmo#1416878)
      Use-after-free with widget listener
    * CVE-2018-5100 (bmo#1417405)
      Use-after-free when IsPotentiallyScrollable arguments are freed
      from memory
    * CVE-2018-5101 (bmo#1417661)
      Use-after-free with floating first-letter style elements
    * CVE-2018-5102 (bmo#1419363)
      Use-after-free in HTML media elements
    * CVE-2018-5103 (bmo#1423159)
      Use-after-free during mouse event handling
    * CVE-2018-5104 (bmo#1425000)
      Use-after-free during font face manipulation
    * CVE-2018-5105 (bmo#1390882)
      WebExtensions can save and execute files on local file system
      without user prompts
    * CVE-2018-5106 (bmo#1408708)
      Developer Tools can expose style editor information cross-origin
      through service worker
    * CVE-2018-5107 (bmo#1379276)
      Printing process will follow symlinks for local file access
    * CVE-2018-5108 (bmo#1421099)
      Manually entered blob URL can be accessed by subsequent private browsing tabs
    * CVE-2018-5109 (bmo#1405599)
      Audio capture prompts and starts with incorrect origin attribution
    * CVE-2018-5110 (bmo#1423275) (affects only OS X)
      Cursor can be made invisible on OS X
    * CVE-2018-5111 (bmo#1321619)
      URL spoofing in addressbar through drag and drop
    * CVE-2018-5112 (bmo#1425224)
      Extension development tools panel can open a non-relative URL in the panel
    * CVE-2018-5113 (bmo#1425267)
      WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow
    * CVE-2018-5114 (bmo#1421324)
      The old value of a cookie changed to HttpOnly remains accessible to scripts
    * CVE-2018-5115 (bmo#1409449)
      Background network requests can open HTTP authentication in unrelated foreground tabs
    * CVE-2018-5116 (bmo#1396399)
      WebExtension ActiveTab permission allows cross-origin frame content access
    * CVE-2018-5117 (bmo#1395508)
      URL spoofing with right-to-left text aligned left-to-right
    * CVE-2018-5118 (bmo#1420049)
      Activity Stream images can attempt to load local content through file:
    * CVE-2018-5119 (bmo#1420507)
      Reader view will load cross-origin content in violation of CORS headers
    * CVE-2018-5121 (bmo#1402368) (affects only OS X)
      OS X Tibetan characters render incompletely in the addressbar
    * CVE-2018-5122 (bmo#1413841)
      Potential integer overflow in DoCrypt
    * CVE-2018-5090
      Memory safety bugs fixed in Firefox 58
    * CVE-2018-5089
      Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
  - requires NSS 3.34.1
  - requires rust 1.21
  - removed obsolete patches:
    mozilla-bindgen-systemlibs.patch
    mozilla-bmo1360278.patch
    mozilla-bmo1399611-csd.patch
    mozilla-rust-1.23.patch
  - rebased patches
  - updated man-page
* Tue Jan 09 2018 wr@rosenauer.org
  - fixed build with latest rust (mozilla-rust-1.23.patch)
* Thu Jan 04 2018 wr@rosenauer.org
  - update to Firefox 57.0.4
    MFSA 2018-1: Speculative execution side-channel attack ("Spectre")
    (boo#1074723)
* Wed Jan 03 2018 wr@rosenauer.org
  - fixed regression introduced Oct 10th which made Firefox crash
    when cancelling the KDE file dialog (boo#1069962)
* Fri Dec 29 2017 astieger@suse.com
  - Mozilla Firefox 57.0.3:
    * Fix a crash reporting issue that inadvertently sends background
      tab crash reports to Mozilla without user opt-in (bmo#1427111,
      bsc#1074235)
  - Includes changes from 57.0.2:
    * fixes for platforms other than GNU/Linux
* Fri Dec 08 2017 dimstar@opensuse.org
  - Explicitly buildrequires python2-xml: The build system relies on
    it. We wrongly relied on other packages pulling it in for us.
* Thu Dec 07 2017 dimstar@opensuse.org
  - Escape the usage of %{VERSION} when calling out to rpm.
    RPM 4.14 has %{VERSION} defined as 'the main packages version'.
* Wed Nov 29 2017 wr@rosenauer.org
  - update to Firefox 57.0.1
    * CVE-2017-7843: Web worker in Private Browsing mode can write
      IndexedDB data (bsc#1072034, bmo#1410106)
    * CVE-2017-7844: Visited history information leak through SVG
      image (bsc#1072036, bmo#1420001)
    * Fix a video color distortion issue on YouTube and other video
      sites with some AMD devices (bmo#1417442)
    * Fix an issue with prefs.js when the profile path has non-ascii
      characters (bmo#1420427)
* Tue Nov 21 2017 christophe@krop.fr
  - Add mozilla-bmo1360278.patch
    Starting with Firefox 57, the context menu appears on key press.
    This patch creates a config entry to restore the
    old behaviour. Without the patch, the mouse gesture extensions
    require 2 clicks to work (bmo#1360278).
    The new config entry is named ui.context_menus.after_mouseup
    (default : false).
* Sat Nov 18 2017 wr@rosenauer.org
  - Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled
    widget.allow-client-side-decoration=true
    (mozilla-bmo1399611-csd.patch)
* Wed Nov 15 2017 wr@rosenauer.org
  - update to Firefox 57.0 (boo#1068101)
    * Firefox Quantum
    * Photon UI
    * Unified address and search bar
    * AMD VP9 hardware video decoder support
    * Added support for Date/Time input
    * stricter security sandbox blocking filesystem reading and
      writing on Linux systems
    * middle mouse paste in the content area no longer navigates to
      URLs by default on Unix systems
    MFSA 2017-24
    * CVE-2017-7828 (bmo#1406750. bmo#1412252)
      Use-after-free of PressShell while restyling layout
    * CVE-2017-7830 (bmo#1408990)
      Cross-origin URL information leak through Resource Timing API
    * CVE-2017-7831 (bmo#1392026)
      Information disclosure of exposed properties on JavaScript proxy
      objects
    * CVE-2017-7832 (bmo#1408782)
      Domain spoofing through use of dotless 'i' character followed
      by accent markers
    * CVE-2017-7833 (bmo#1370497)
      Domain spoofing with Arabic and Indic vowel marker characters
    * CVE-2017-7834 (bmo#1358009)
      data: URLs opened in new tabs bypass CSP protections
    * CVE-2017-7835 (bmo#1402363)
      Mixed content blocking incorrectly applies with redirects
    * CVE-2017-7836 (bmo#1401339)
      Pingsender dynamically loads libcurl on Linux and OS X
    * CVE-2017-7837 (bmo#1325923)
      SVG loaded as <img> can use meta tags to set cookies
    * CVE-2017-7838 (bmo#1399540)
      Failure of individual decoding of labels in international domain
      names triggers punycode display of entire IDN
    * CVE-2017-7839 (bmo#1402896)
      Control characters before javascript: URLs defeats self-XSS
      prevention mechanism
    * CVE-2017-7840 (bmo#1366420)
      Exported bookmarks do not strip script elements from user-supplied
      tags
    * CVE-2017-7842 (bmo#1397064)
      Referrer Policy is not always respected for <link> elements
    * CVE-2017-7827
      Memory safety bugs fixed in Firefox 57
    * CVE-2017-7826
      Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
  - requires NSPR 4.17, NSS 3.33 and rustc 1.19
  - rebased patches
  - added mozilla-bindgen-systemlibs.patch to allow stylo build
    with system libs (bmo#1341234)
  - removed mozilla-language.patch since the whole locale code
    changed in Firefox and is relying on ICU now
  - removed obsolete mozilla-ucontext.patch
* Sat Oct 28 2017 wr@rosenauer.org
  - update to Firefox 56.0.2
    * Disable Form Autofill completely on user request (bmo#1404531)
    * Fix for video-related crashes on Windows 7 (bmo#1409141)
    * Correct detection for 64-bit GSSAPI authentication (bmo#1409275)
    * Fix for shutdown crash (bmo#1404105)
* Tue Oct 10 2017 wr@rosenauer.org
  - update to Firefox 56.0.1
    * Block D3D11 when using Intel drivers on Windows 7 systems with
      partial AVX support (bmo#1403353)
    - > just to sync the version number
  - enable stylo for TW (requires LLVM >= 3.9)
  - queue KDE filepicker requests to avoid non-opening file dialogs
    happening in certain situations (contributed by Ignaz Forster)
  - the placeholder dot in KDE file dialog in case of empty filenames
    was removed, apparently not required (anymore)
    (contributed by Ignaz Forster)
* Sun Oct 01 2017 stefan.bruens@rwth-aachen.de
  - Correct plugin directory for aarch64 (boo#1061207). The wrapper
    script was not detecting aarch64 as a 64 bit architecture, thus
    used /usr/lib/browser-plugins/.
* Sat Sep 30 2017 zaitor@opensuse.org
  - Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
    pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
    pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
    pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
    looks for.
* Thu Sep 28 2017 wr@rosenauer.org
  - update to Firefox 56.0 (boo#1060445)
    * Firefox Screenshots
    * Find Options/Preferences more quickly with new search function
    * Media is no longer auto-played when opened in a background tab
    * Enable CSS Grid Layout View
    MFSA 2017-21
    * CVE-2017-7793 (bmo#1371889)
      Use-after-free with Fetch API
    * CVE-2017-7817 (bmo#1356596) (Android-only)
      Firefox for Android address bar spoofing through fullscreen mode
    * CVE-2017-7818 (bmo#1363723)
      Use-after-free during ARIA array manipulation
    * CVE-2017-7819 (bmo#1380292)
      Use-after-free while resizing images in design mode
    * CVE-2017-7824 (bmo#1398381)
      Buffer overflow when drawing and validating elements with ANGLE
    * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
      Use-after-free in TLS 1.2 generating handshake hashes
    * CVE-2017-7812 (bmo#1379842)
      Drag and drop of malicious page content to the tab bar can open locally stored files
    * CVE-2017-7814 (bmo#1376036)
      Blob and data URLs bypass phishing and malware protection warnings
    * CVE-2017-7813 (bmo#1383951)
      Integer truncation in the JavaScript parser
    * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
      OS X fonts render some Tibetan and Arabic unicode characters as spaces
    * CVE-2017-7815 (bmo#1368981)
      Spoofing attack with modal dialogs on non-e10s installations
    * CVE-2017-7816 (bmo#1380597)
      WebExtensions can load about: URLs in extension UI
    * CVE-2017-7821 (bmo#1346515)
      WebExtensions can download and open non-executable files without user interaction
    * CVE-2017-7823 (bmo#1396320)
      CSP sandbox directive did not create a unique origin
    * CVE-2017-7822 (bmo#1368859)
      WebCrypto allows AES-GCM with 0-length IV
    * CVE-2017-7820 (bmo#1378207)
      Xray wrapper bypass with new tab and web console
    * CVE-2017-7811
      Memory safety bugs fixed in Firefox 56
    * CVE-2017-7810
      Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
  - requires NSPR 4.16 and NSS 3.32.1
  - rebased patches
* Thu Sep 28 2017 dimstar@opensuse.org
  - Add alsa-devel BuildRequires: we care for ALSA support to be
    built and thus need to ensure we get the dependencies in place.
    In the past, alsa-devel was pulled in by accident: we
    buildrequire libgnome-devel. This required esound-devel and that
    in turn pulled in alsa-devel for us. libgnome is being fixed to
    no longer require esound-devel.
* Mon Sep 04 2017 wr@rosenauer.org
  - update to Firefox 55.0.3
    * Fix an issue with addons when using a path containing non-ascii
      characters (bmo#1389160)
    * Fix file uploads to some websites, including YouTube (bmo#1383518)
  - fix Google API key build integration
  - add mozilla-ucontext.patch to fix Tumbleweed build
  - do not enable XINPUT2 for now (boo#1053959)
* Fri Aug 11 2017 wr@rosenauer.org
  - update to Firefox 55.0.1
    * Fix a regression the tab restoration process (bmo#1388160)
    * Fix a problem causing What's new pages not to be displayed (bmo#1386224)
    * Fix a rendering issue with some PKCS#11 libraries (bmo#1388370)
    * Disable the predictor prefetch (bmo#1388160)
* Sat Aug 05 2017 wr@rosenauer.org
  - update to Firefox 55.0 (boo#1052829)
    * Browsing sessions with a high number of tabs are now restored
      in an instant
    * Sidebar (bookmarks, history, synced tabs) can now be moved to
      the right edge of the window
    * Fine-tune your browser performance from the Preferences/Options page.
    * Make screenshots of webpages, and save them locally or upload
      them to the cloud. This feature will undergo A/B testing and
      will not be visible for some users.
    * Added Belarusian (be) locale
    * Simplify print jobs from within print preview
    * Use virtual reality devices with the web with the introduction
      of WebVR
    * Search suggestions are now enabled by default for users who
      haven't explicitly opted-out
    * Search with any installed search engine directly from the
      location bar
    * IMPORTANT: Breaking profile changes - do not downgrade Firefox
      and use a profile that has been opened with Firefox 55+.
    * The Adobe Flash plugin is now click-to-activate by default and
      only allowed on http:// and https:// URL schemes. This change
      will be rolled out progressively and so will not be visible to
      all users immediately. For more information see the Firefox
      plugin roadmap
    * Modernized application update UI to be less intrusive and more
      aligned with the rest of the browser. Only users who have not
      restarted their browser 8 days after downloading an update or
      users who opted out of automatic updates will see this change.
    * Insecure sites can no longer access the Geolocation APIs to get
      access to your physical location
    * requires NSPR 4.15 and NSS 3.31
    MFSA 2017-18
    * CVE-2017-7798 (bmo#1371586, bmo#1372112)
      XUL injection in the style editor in devtools
    * CVE-2017-7800 (bmo#1374047)
      Use-after-free in WebSockets during disconnection
    * CVE-2017-7801 (bmo#1371259)
      Use-after-free with marquee during window resizing
    * CVE-2017-7809 (bmo#1380284)
      Use-after-free while deleting attached editor DOM node
    * CVE-2017-7784 (bmo#1376087)
      Use-after-free with image observers
    * CVE-2017-7802 (bmo#1378147)
      Use-after-free resizing image elements
    * CVE-2017-7785 (bmo#1356985)
      Buffer overflow manipulating ARIA attributes in DOM
    * CVE-2017-7786 (bmo#1365189)
      Buffer overflow while painting non-displayable SVG
    * CVE-2017-7806 (bmo#1378113)
      Use-after-free in layer manager with SVG
    * CVE-2017-7753 (bmo#1353312)
      Out-of-bounds read with cached style data and pseudo-elements#
    * CVE-2017-7787 (bmo#1322896)
      Same-origin policy bypass with iframes through page reloads
    * CVE-2017-7807 (bmo#1376459)
      Domain hijacking through AppCache fallback
    * CVE-2017-7792 (bmo#1368652)
      Buffer overflow viewing certificates with an extremely long OID
    * CVE-2017-7804 (bmo#1372849)
      Memory protection bypass through WindowsDllDetourPatcher
    * CVE-2017-7791 (bmo#1365875)
      Spoofing following page navigation with data: protocol and modal alerts
    * CVE-2017-7808 (bmo#1367531)
      CSP information leak with frame-ancestors containing paths
    * CVE-2017-7782 (bmo#1344034)
      WindowsDllDetourPatcher allocates memory without DEP protections
    * CVE-2017-7781 (bmo#1352039)
      Elliptic curve point addition error when using mixed Jacobian-affine coordinates
    * CVE-2017-7794 (bmo#1374281)
      Linux file truncation via sandbox broker
    * CVE-2017-7803 (bmo#1377426)
      CSP containing 'sandbox' improperly applied
    * CVE-2017-7799 (bmo#1372509)
      Self-XSS XUL injection in about:webrtc
    * CVE-2017-7783 (bmo#1360842)
      DOS attack through long username in URL
    * CVE-2017-7788 (bmo#1073952)
      Sandboxed about:srcdoc iframes do not inherit CSP directives
    * CVE-2017-7789 (bmo#1074642)
      Failure to enable HSTS when two STS headers are sent for a connection
    * CVE-2017-7790 (bmo#1350460) (Windows-only)
      Windows crash reporter reads extra memory for some non-null-terminated registry values
    * CVE-2017-7796 (bmo#1234401) (Windows-only)
      Windows updater can delete any file named update.log
    * CVE-2017-7797 (bmo#1334776)
      Response header name interning leaks across origins
    * CVE-2017-7780
      Memory safety bugs fixed in Firefox 55
    * CVE-2017-7779
      Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
  - updated mozilla-kde.patch:
    * removed "downloadfinished" alert as Firefox reimplemented the
      whole thing (TODO: check if there is another function we should
      hook in)
* Tue Jul 04 2017 wr@rosenauer.org
  - update to Firefox 54.0.1
    * Fix a display issue of tab title (bmo#1357656)
    * Fix a display issue of opening new tab (bmo#1371995)
    * Fix a display issue when opening multiple tabs (bmo#1371962)
    * Fix a tab display issue when downloading files (bmo#1373109)
    * Fix a PDF printing issue (bmo#1366744)
    * Fix a Netflix issue on Linux (bmo#1375708)
* Thu Jun 15 2017 wr@rosenauer.org
  - update to Firefox 54.0
    * Clearer and more detailed information for download items in the
      download panel
    * Added Burmese (my) locale
    * Bookmarks created on mobile devices are now shown in
      "Mobile Bookmarks” folder in the drop down list from the toolbar
      and Bookmarks option in the menu bar in Desktop Firefox
    * added support for multiple content processes (e10s-multi)
  - requires NSPR 4.14 and NSS 3.30.2
  - requires rust 1.15.1
  - removed mozilla-shared-nss-db.patch as it seems to be a rather
    unused feature
* Thu Jun 01 2017 kah0922@gmail.com
  - remove -fno-inline-small-functions and explicitely optimize with
    - O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
* Wed Apr 26 2017 wr@rosenauer.org
  - switch to Mozilla's geolocation service (boo#1026989)
  - removed mozilla-preferences.patch obsoleted by overriding via
    firefox.js
  - fixed KDE integration to avoid crash caused by filepicker
    (boo#1015998)
* Mon Apr 17 2017 wr@rosenauer.org
  - update to Firefox 53.0
    * requires NSS 3.29.5
    * Lightweight themes are now applied in private browsing windows
    * Reader Mode now displays estimated reading time for the page
    * Two new 'compact' themes available in Firefox, dark and light,
      based on the Firefox Developer Edition theme
    * Ended Firefox Linux support for processors older than Pentium 4
      and AMD Opteron
    * Refresh of the media controls user interface
    * Shortened titles on tabs are faded out instead of using ellipsis
      for improved readability
    * Media playback on new tabs is blocked until the tab is visible
    * Permission notifications have a cleaner design and cannot be
      easily missed
    MFSA 2017-10
    * CVE-2017-5456 (bmo#1344415)
      Sandbox escape allowing local file system access
    * CVE-2017-5442 (bmo#1347979)
      Use-after-free during style changes
    * CVE-2017-5443 (bmo#1342661)
      Out-of-bounds write during BinHex decoding
    * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
      bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
      Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
      Firefox ESR 52.1
    * CVE-2017-5464 (bmo#1347075)
      Memory corruption with accessibility and DOM manipulation
    * CVE-2017-5465 (bmo#1347617)
      Out-of-bounds read in ConvolvePixel
    * CVE-2017-5466 (bmo#1353975)
      Origin confusion when reloading isolated data:text/html URL
    * CVE-2017-5467 (bmo#1347262)
      Memory corruption when drawing Skia content
    * CVE-2017-5460 (bmo#1343642)
      Use-after-free in frame selection
    * CVE-2017-5461 (bmo#1344380)
      Out-of-bounds write in Base64 encoding in NSS
    * CVE-2017-5448 (bmo#1346648)
      Out-of-bounds write in ClearKeyDecryptor
    * CVE-2017-5449 (bmo#1340127)
      Crash during bidirectional unicode manipulation with animation
    * CVE-2017-5446 (bmo#1343505)
      Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
    * CVE-2017-5447 (bmo#1343552)
      Out-of-bounds read during glyph processing
    * CVE-2017-5444 (bmo#1344461)
      Buffer overflow while parsing application/http-index-format content
    * CVE-2017-5445 (bmo#1344467)
      Uninitialized values used while parsing application/http-index-format
      content
    * CVE-2017-5468 (bmo#1329521)
      Incorrect ownership model for Private Browsing information
    * CVE-2017-5469 (bmo#1292534)
      Potential Buffer overflow in flex-generated code
    * CVE-2017-5440 (bmo#1336832)
      Use-after-free in txExecutionState destructor during XSLT processing
    * CVE-2017-5441 (bmo#1343795)
      Use-after-free with selection during scroll events
    * CVE-2017-5439 (bmo#1336830)
      Use-after-free in nsTArray Length() during XSLT processing
    * CVE-2017-5438 (bmo#1336828)
      Use-after-free in nsAutoPtr during XSLT processing
    * CVE-2017-5437 (bmo#1343453)
      Vulnerabilities in Libevent library
    * CVE-2017-5436 (bmo#1345461)
      Out-of-bounds write with malicious font in Graphite 2
    * CVE-2017-5435 (bmo#1350683)
      Use-after-free during transaction processing in the editor
    * CVE-2017-5434 (bmo#1349946)
      Use-after-free during focus handling
    * CVE-2017-5433 (bmo#1347168)
      Use-after-free in SMIL animation functions
    * CVE-2017-5432 (bmo#1346654)
      Use-after-free in text input selection
    * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
      bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686,
      bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621,
      bmo#1349719, bmo#1353476)
      Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
    * CVE-2017-5459 (bmo#1333858)
      Buffer overflow in WebGL
    * CVE-2017-5458 (bmo#1229426)
      Drag and drop of javascript: URLs can allow for self-XSS
    * CVE-2017-5455 (bmo#1341191)
      Sandbox escape through internal feed reader APIs
    * CVE-2017-5454 (bmo#1349276)
      Sandbox escape allowing file system read access through file picker
    * CVE-2017-5451 (bmo#1273537)
      Addressbar spoofing with onblur event
    * CVE-2017-5453 (bmo#1321247)
      HTML injection into RSS Reader feed preview page through
      TITLE element
    * CVE-2017-5462 (bmo#1345089)
      DRBG flaw in NSS
  - removed browser(npapi) provides as these plugins are deprecated
  - switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for
    Leap 42
  - Gtk2 is not longer an option; switched to Gtk3
  - apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support
    (boo#1032003)
* Mon Apr 03 2017 wr@rosenauer.org
  - update to Firefox 52.0.2
    * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
    * Fix loading tab icons on session restore (bmo#1338009)
    * Fix a crash on startup on Linux (bmo#1345413)
    * Fix new installs erroneously not prompting to change the default
      browser setting (bmo#1343938)
* Mon Mar 20 2017 wr@rosenauer.org
  - disable rust usage for everything but x86(-64)
  - explicitely add libffi build requirement
* Fri Mar 17 2017 wr@rosenauer.org
  - update to Firefox 52.0.1 (boo#1029822)
    MFSA 2017-08
    CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
* Thu Mar 09 2017 wr@rosenauer.org
  - reenable ALSA support which was removed by default upstream
* Sat Mar 04 2017 wr@rosenauer.org
  - update to Firefox 52.0 (boo#1028391)
    * requires NSS >= 3.28.3
    * Pages containing insecure password fields now display a warning
      directly within username and password fields.
    * Send and open a tab from one device to another with Sync
    * Removed NPAPI support for plugins other than Flash. Silverlight,
      Java, Acrobat and the like are no longer supported.
    * Removed Battery Status API to reduce fingerprinting of users by
      trackers
    * MFSA 2017-05
      CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
      (bmo#1334933)
      CVE-2017-5401: Memory Corruption when handling ErrorResult
      (bmo#1328861)
      CVE-2017-5402: Use-after-free working with events in FontFace
      objects (bmo#1334876)
      CVE-2017-5403: Use-after-free using addRange to add range to an
      incorrect root object (bmo#1340186)
      CVE-2017-5404: Use-after-free working with ranges in selections
      (bmo#1340138)
      CVE-2017-5406: Segmentation fault in Skia with canvas operations
      (bmo#1306890)
      CVE-2017-5407: Pixel and history stealing via floating-point
      timing side channel with SVG filters (bmo#1336622)
      CVE-2017-5410: Memory corruption during JavaScript garbage
      collection incremental sweeping (bmo#1330687)
      CVE-2017-5408: Cross-origin reading of video captions in violation
      of CORS (bmo#1313711)
      CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
      CVE-2017-5413: Segmentation fault during bidirectional operations
      (bmo#1337504)
      CVE-2017-5414: File picker can choose incorrect default directory
      (bmo#1319370)
      CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
      CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
      CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
      (bmo#791597)
      CVE-2017-5426: Gecko Media Plugin sandbox is not started if
      seccomp-bpf filter is running (bmo#1257361)
      CVE-2017-5427: Non-existent chrome.manifest file loaded during
      startup (bmo#1295542)
      CVE-2017-5418: Out of bounds read when parsing HTTP digest
      authorization responses (bmo#1338876)
      CVE-2017-5419: Repeated authentication prompts lead to DOS
      attack (bmo#1312243)
      CVE-2017-5420: Javascript: URLs can obfuscate addressbar
      location (bmo#1284395)
      CVE-2017-5405: FTP response codes can cause use of
      uninitialized values for ports (bmo#1336699)
      CVE-2017-5421: Print preview spoofing (bmo#1301876)
      CVE-2017-5422: DOS attack by using view-source: protocol
      repeatedly in one hyperlink (bmo#1295002)
      CVE-2017-5399: Memory safety bugs fixed in Firefox 52
      CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
      Firefox ESR 45.8
  - removed obsolete patches
    * mozilla-binutils-visibility.patch
    * mozilla-check_return.patch
    * mozilla-disable-skia-be.patch
    * mozilla-skia-overflow.patch
    * mozilla-skia-ppc-endianess.patch
  - rebased patches
  - enable rust usage for Tumbleweed
* Fri Jan 27 2017 astieger@suse.com
  - Mozilla Firefox 51.0.1:
    - Multiprocess incompatibility did not correctly register with
      some add-ons (bmo#1333423)
* Fri Jan 20 2017 wr@rosenauer.org
  - update to Firefox 51.0
    * requires NSPR >= 4.13.1, NSS >= 3.28.1
    * Added support for FLAC (Free Lossless Audio Codec) playback
    * Added support for WebGL 2
    * Added Georgian (ka) and Kabyle (kab) locales
    * Support saving passwords for forms without 'submit' events
    * Improved video performance for users without GPU acceleration
    * Zoom indicator is shown in the URL bar if the zoom level is not
      at default level
    * View passwords from the prompt before saving them
    * Remove Belarusian (be) locale
    * Use Skia for content rendering (Linux)
    * MFSA 2017-01
      CVE-2017-5375: Excessive JIT code allocation allows bypass of
      ASLR and DEP (bmo#1325200, boo#1021814)
      CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
      CVE-2017-5377: Memory corruption with transforms to create
      gradients in Skia (bmo#1306883, boo#1021826)
      CVE-2017-5378: Pointer and frame data leakage of Javascript objects
      (bmo#1312001, bmo#1330769, boo#1021818)
      CVE-2017-5379: Use-after-free in Web Animations
      (bmo#1309198,boo#1021827)
      CVE-2017-5380: Potential use-after-free during DOM manipulations
      (bmo#1322107, boo#1021819)
      CVE-2017-5390: Insecure communication methods in Developer Tools
      JSON viewer (bmo#1297361, boo#1021820)
      CVE-2017-5389: WebExtensions can install additional add-ons via
      modified host requests (bmo#1308688, boo#1021828)
      CVE-2017-5396: Use-after-free with Media Decoder
      (bmo#1329403, boo#1021821)
      CVE-2017-5381: Certificate Viewer exporting can be used to navigate
      and save to arbitrary filesystem locations
    (bmo#1017616, boo#1021830)
      CVE-2017-5382: Feed preview can expose privileged content errors
      and exceptions (bmo#1295322, boo#1021831)
      CVE-2017-5383: Location bar spoofing with unicode characters
      (bmo#1323338, bmo#1324716, boo#1021822)
      CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
      (bmo#1255474, boo#1021832)
      CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
      response headers (bmo#1295945, boo#1021833)
      CVE-2017-5386: WebExtensions can use data: protocol to affect other
      extensions (bmo#1319070, boo#1021823)
      CVE-2017-5394: Android location bar spoofing using fullscreen and
      JavaScript events (bmo#1222798)
      CVE-2017-5391: Content about: pages can load privileged about: pages
      (bmo#1309310, boo#1021835)
      CVE-2017-5392: Weak references using multiple threads on weak proxy
      objects lead to unsafe memory usage (bmo#1293709)
    (Android only)
      CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for
      mozAddonManager (bmo#1309282, boo#1021837)
      CVE-2017-5395: Android location bar spoofing during scrolling
      (bmo#1293463) (Android only)
      CVE-2017-5387: Disclosure of local file existence through TRACK
      tag error messages (bmo#1295023, boo#1021839)
      CVE-2017-5388: WebRTC can be used to generate a large amount of
      UDP traffic for DDOS attacks
    (bmo#1281482, boo#1021840)
      CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841)
      CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and
      Firefox ESR 45.7 (boo#1021824)
  - switch Firefox to Gtk3 for Tumbleweed
  - removed obsolete patches
    * mozilla-flex_buffer_overrun.patch
  - updated RPM locale support tag
  - improve recognition of LANGUAGE env variable (boo#1017174)
  - add upstream patch to fix PPC64LE (bmo#1319389)
    (mozilla-skia-ppc-endianess.patch)
  - fix build without skia (big endian archs) (bmo#1319374)
    (mozilla-disable-skia-be.patch)
* Mon Dec 12 2016 wr@rosenauer.org
  - update to Firefox 50.1.0 (boo#1015422)
    * MFSA 2016-94
      CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
      CVE-2016-9899: Use-after-free while manipulating DOM events and
      audio elements (bmo#1317409)
      CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
      CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
      CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
      CVE-2016-9898: Use-after-free in Editor while manipulating
      DOM subtrees (bmo#1314442)
      CVE-2016-9900: Restricted external resources can be loaded by
      SVG images through data URLs (bmo#1319122)
      CVE-2016-9904: Cross-origin information leak in shared atoms
      (bmo#1317936)
      CVE-2016-9901: Data from Pocket server improperly sanitized
      before execution (bmo#1320057)
      CVE-2016-9902: Pocket extension does not validate the origin
      of events (bmo#1320039)
      CVE-2016-9903: XSS injection vulnerability in add-ons SDK
      (bmo#1315435)
      CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
      CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
      Firefox ESR 45.6
* Fri Dec 09 2016 cgrobertson@novell.com
  - added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
* Thu Dec 01 2016 wr@rosenauer.org
  - update to Firefox 50.0.2
    * Firefox crashes with 3rd party Chinese IME when using IME text
      (50.0.1)
    security fixes (in 50.0.1): (boo#1012807)
    * MFSA 2016-91
      CVE-2016-9078: data: URL can inherit wrong origin after an
      HTTP redirect (bmo#1317641)
    security fixes (in 50.0.2) (boo#1012964)
    * MFSA 2016-92
      CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
* Mon Nov 14 2016 wr@rosenauer.org
  - update to Firefox 50.0 (boo#1009026)
    * requires NSS 3.26.2
    new features
    * Updates to keyboard shortcuts
      Set a preference to have Ctrl+Tab cycle through tabs in recently
      used order
      View a page in Reader Mode by using Ctrl+Alt+R
    * Added option to Find in page that allows users to limit search to
      whole words only
    * Added download protection for a large number of executable file
      types on Windows, Mac and Linux
    * Fixed rendering of dashed and dotted borders with rounded corners
      (border-radius)
    * Added a built-in Emoji set for operating systems without native
      Emoji fonts (Windows 8.0 and lower and Linux)
    * Blocked versions of libavcodec older than 54.35.1
    * additional locale
    security fixes:
    * MFSA 2016-89
      CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
      (bmo#1292443)
      CVE-2016-5292: URL parsing causes crash (bmo#1288482)
      CVE-2016-5293: Write to arbitrary file with updater and moz
      maintenance service using updater.log hardlink
    (Windows only) (bmo#1246945)
      CVE-2016-5294: Arbitrary target directory for result files of
      update process (Windows only) (bmo#1246972)
      CVE-2016-5297: Incorrect argument length checking in Javascript
      (bmo#1303678)
      CVE-2016-9064: Addons update must verify IDs match between
      current and new versions (bmo#1303418)
      CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen
      (Android only) (bmo#1306696)
      CVE-2016-9066: Integer overflow leading to a buffer overflow in
      nsScriptLoadHandler (bmo#1299686)
      CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
      (bmo#1301777, bmo#1308922 (CVE-2016-9069))
      CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
      CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
      (bmo#1300083) (Windows only)
      CVE-2016-9075: WebExtensions can access the mozAddonManager API
      and use it to gain elevated privileges (bmo#1295324)
      CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
      to cross-origin images, allowing timing attacks on them
    (bmo#1298552)
      CVE-2016-5291: Same-origin policy violation using local HTML file
      and saved shortcut file (bmo#1292159)
      CVE-2016-5295: Mozilla Maintenance Service: Ability to read
      arbitrary files as SYSTEM (Windows only) (bmo#1247239)
      CVE-2016-5298: SSL indicator can mislead the user about the real
      URL visited (bmo#1227538) (Android only)
      CVE-2016-5299: Firefox AuthToken in broadcast protected with
      signature-level permission can be accessed by an
    application installed beforehand that defines the
    same permissions (bmo#1245791) (Android only)
      CVE-2016-9061: API Key (glocation) in broadcast protected with
      signature-level permission can be accessed by an
    application installed beforehand that defines the
    same permissions (Android only) (bmo#1245795)
      CVE-2016-9062: Private browsing browser traces (android) in
      browser.db and wal file (Android only) (bmo#1294438)
      CVE-2016-9070: Sidebar bookmark can have reference to chrome window
      (bmo#1281071)
      CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
      (bmo#1289273)
      CVE-2016-9074: Insufficient timing side-channel resistance in
      divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
      CVE-2016-9076: select dropdown menu can be used for URL bar
      spoofing on e10s (bmo#1276976)
      CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
      in expat (bmo#1274777)
      CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
      (bmo#1285003)
      CVE-2016-5289: Memory safety bugs fixed in Firefox 50
      CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
  - make aarch64 build more similar to x86_64 build (remove conditionals
    that don't seem to be necessary anymore)
* Mon Oct 24 2016 astieger@suse.com
  - Mozilla Firefox 49.0.2:
    * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
    * CVE-2016-5288: Web content can read cache entries (bsc#1006476)
    * Asynchronous rendering of the Flash plugins is now enabled by
      default
    * Change D3D9 default fallback preference to prevent graphical
      artifacts
    * Network issue prevents some users from seeing the Firefox UI on
      startup
    * Web compatibility issue with file uploads
    * Web compatibility issue with Array.prototype.values
    * Diagnostic information on timing for tab switching
    * Fix a Canvas filters graphics issue affecting HTML5 apps
* Wed Oct 12 2016 badshah400@gmail.com
  - Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
    and fixes have been incorporated by upstream.
* Fri Sep 23 2016 astieger@suse.com
  - Mozilla Firefox 49.0.1:
    * Mitigate a startup crash issue caused by Websense - bmo#1304783
* Tue Sep 20 2016 wr@rosenauer.org
  - update to Firefox 49.0 (boo#999701)
    new features
    * Updated Firefox Login Manager to allow HTTPS pages to use saved
      HTTP logins.
    * Added features to Reader Mode that make it easier on the eyes and
      the ears
    * Improved video performance for users on systems that support
      SSE3 without hardware acceleration
    * Added context menu controls to HTML5 audio and video that let users
      loops files or play files at 1.25x speed
    * Improvements in about:memory reports for tracking font memory usage
    security related
    * MFSA 2016-85
      CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
      mozilla::net::IsValidReferrerPolicy
      CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
      nsCaseTransformTextRunFactory::TransformString
      CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
      PropertyProvider::GetSpacingInternal
      CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
      CVE-2016-5273 (bmo#1280387) - crash in
      mozilla::a11y::HyperTextAccessible::GetChildOffset
      CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
      mozilla::a11y::DocAccessible::ProcessInvalidationList
      CVE-2016-5274 (bmo#1282076) - use-after-free in
      nsFrameManager::CaptureFrameState
      CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
      CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
      mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
      CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
      nsBMPEncoder::AddImageFrame
      CVE-2016-5279 (bmo#1249522) - Full local path of files is available
      to web pages after drag and drop
      CVE-2016-5280 (bmo#1289970) - Use-after-free in
      mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
      CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
      CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
      from non-whitelisted schemes
      CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can
      reveal cross-origin data
      CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
      CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
      CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
  - removed obsolete patches:
    * mozilla-aarch64-48bit-va.patch
    * mozilla-exclude-nametablecpp.patch
    * mozilla-old_configure-bmo1282843.patch
  - added patch mozilla-skia-overflow.patch (bmo#1304114)
  - requires NSS 3.25
* Tue Aug 30 2016 astieger@suse.com
  - Mozilla Firefox 48.0.2:
    * Mitigate a startup crash issue caused on Windows (bmo#1291738)
* Sat Aug 20 2016 astieger@suse.com
  - Mozilla Firefox 48.0.1:
    * Fix an audio regression impacting some major websites
      (bmo#1295296)
    * Fix a top crash in the JavaScript engine (bmo#1290469)
    * Fix a startup crash issue caused by Websense (bmo#1291738)
    * Fix a different behavior with e10s / non-e10s on <select> and
      mouse events (bmo#1291078)
    * Fix a top crash caused by plugin issues (bmo#1264530)
    * Fix a shutdown issue (bmo#1276920)
    * Fix a crash in WebRTC
* Mon Aug 15 2016 wr@rosenauer.org
  - added upstream patch so system plugins/extensions are correctly
    loaded again on x86-64 (bmo#1282843)
    (mozilla-old_configure-bmo1282843.patch)
* Fri Aug 05 2016 pcerny@suse.com
  - Fix for possible buffer overrun (bsc#990856)
    CVE-2016-6354 (bmo#1292534)
    [mozilla-flex_buffer_overrun.patch]
* Wed Aug 03 2016 badshah400@gmail.com
  - Update mozilla-gtk3_20.patch to latest version from Fedora.
* Mon Aug 01 2016 wr@rosenauer.org
  - update to Firefox 48.0 (boo#991809)
    * requires NSS 3.24
    * Process separation (e10s) is enabled for some of you
    * Add-ons that have not been verified and signed by Mozilla will not load
    * WebRTC embetterments
    * The media parser has been redeveloped using the Rust programming
      language
    * better Canvas performance with speedy Skia support
    security fixes:
    * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
      Miscellaneous memory safety hazards
    * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
      Favicon network connection can persist when page is closed
    * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
      Buffer overflow rendering SVG with bidirectional content
    * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
      Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
    * MFSA 2016-66/CVE-2016-5251 (bmo#1255570)
      Location bar spoofing via data URLs with malformed/invalid mediatypes
    * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
      Stack underflow during 2D graphics rendering
    * MFSA 2016-68/CVE-2016-0718 (bmo#1236923)
      Out-of-bounds read during XML parsing in Expat library
    * MFSA 2016-69/CVE-2016-5253 (bmo#1246944)
      Arbitrary file manipulation by local user through Mozilla updater
      and callback application path parameter (Windows-only)
    * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
      Use-after-free when using alt key and toplevel menus
    * MFSA 2016-71/CVE-2016-5255 (bmo#1212356)
      Crash in incremental garbage collection in JavaScript
    * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
      Use-after-free in DTLS during WebRTC session shutdown
    * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
      Use-after-free in service workers with nested sync events
    * MFSA 2016-74/CVE-2016-5260 (bmo#1280294)
      Form input type change from password to text can store plain
      text password in session restore file
    * MFSA 2016-75/CVE-2016-5261 (bmo#1287266)
      Integer overflow in WebSockets during data buffering
    * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
      Scripts on marquee tag can execute in sandboxed iframes
    * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
      Buffer overflow in ClearKey Content Decryption Module (CDM)
      during video playback
    * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
      Type confusion in display transformation
    * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
      Use-after-free when applying SVG effects
    * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
      Same-origin policy violation using local HTML file and saved shortcut file
    * MFSA 2016-81/CVE-2016-5266 (bmo#1226977)
      Information disclosure and local file manipulation through drag and drop
    * MFSA 2016-82/CVE-2016-5267 (bmo#1284372)
      Addressbar spoofing with right-to-left characters on Firefox for Android
      (Android only)
    * MFSA 2016-83/CVE-2016-5268 (bmo#1253673)
      Spoofing attack through text injection into internal error pages
    * MFSA 2016-84/CVE-2016-5250 (bmo#1254688)
      Information disclosure through Resource Timing API during page navigation
  - removed obsolete mozilla-gcc6.patch
* Fri Jul 29 2016 badshah400@gmail.com
  - Update description and screenshots in appdata.xml file.
* Sat Jul 23 2016 antoine.belvire@laposte.net
  - Fix Firefox crash on startup on i586 (boo#986541):
    * Add -fno-delete-null-pointer-checks and
    - fno-inline-small-functions to CFLAGS
* Tue Jul 19 2016 mailaender@opensuse.org
  - Update the appdata.xml file (replace Windows XP screenshot)
* Wed Jun 29 2016 astieger@suse.com
  - Mozilla Firefox 47.0.1:
    * Selenium WebDriver may cause Firefox to crash at startup
      (bmo#1280854)
* Wed Jun 15 2016 wr@rosenauer.org
  - mozilla-binutils-visibility.patch to fix build issues with
    gcc/binutils combination used in Leap 42.2 (boo#984637)
* Tue Jun 14 2016 badshah400@gmail.com
  - Update mozilla-gtk3_20.patch to latest version from Fedora.
* Mon Jun 13 2016 agraf@suse.com
  - Fix running on 48bit va aarch64 (bsc#984126)
    * add patch mozilla-aarch64-48bit-va.patch
* Mon Jun 13 2016 wr@rosenauer.org
  - fix XUL dialog button order under KDE session (boo#984403)
* Tue Jun 07 2016 wr@rosenauer.org
  - update to Firefox 47.0 (boo#983549)
    * Enable VP9 video codec for users with fast machines
    * Embedded YouTube videos now play with HTML5 video if Flash is
      not installed
    * View and search open tabs from your smartphone or another
      computer in a sidebar
    * Allow no-cache on back/forward navigations for https resources
    security fixes:
    * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818
      (boo#983638)
      (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743,
      bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493,
      bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752,
      bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130,
      bmo#1269729, bmo#1273202, bmo#1273701)
      Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
    * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381)
      Buffer overflow parsing HTML5 fragments
    * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460)
      Use-after-free deleting tables from a contenteditable document
    * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129)
      Addressbar spoofing though the SELECT element
    * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580)
      Out-of-bounds write with WebGL shader
    * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093)
      Partial same-origin-policy through setting location.host
      through data URI
    * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810)
      Use-after-free when textures are used in WebGL operations
      after recycle pool destruction
    * MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329)
      Incorrect icon displayed on permissions notifications
    * MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933)
      Entering fullscreen and persistent pointerlock without user
      permission
    * MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267)
      Information disclosure of disabled plugins through CSS
      pseudo-classes
    * MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933)
      Java applets bypass CSP protections
    * MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283,
      bmo#1221620, bmo#1241034, bmo#1241037)
      Network Security Services (NSS) vulnerabilities
      fixed by requiring NSS 3.23
    packaging changes:
    * cleanup configure options (boo#981695):
    - notably remove GStreamer support which is gone from FF
    * remove obsolete patches
    - mozilla-libproxy.patch
    - mozilla-repo.patch
* Wed May 25 2016 badshah400@gmail.com
  - The conditional testing for gcc was failing for different
    openSUSE versions, drop it and apply patches unconditionally.
* Mon May 23 2016 badshah400@gmail.com
  - Add patches to fix building with gcc6:
    + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch
      taken from upstream:
      https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
    + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp
      from unified compilation because #include <cmath> in other
      source files causes gcc6 compilation failure; patch taken from
      upstream:
      https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc.
* Thu May 12 2016 dsterba@suse.cz
  - enable build with PIE and full relro on x86_64 (boo#980384)
* Wed May 04 2016 wr@rosenauer.org
  - update to Firefox 46.0.1
    Fixed:
    * Search plugin issue for various locales
    * Add-on signing certificate expiration
    * Service worker update issue
    * Build issue when jit is disabled
    * Limit Sync registration updates
  - removed now obsolete mozilla-jit_branch64.patch
* Tue May 03 2016 normand@linux.vnet.ibm.com
  - add mozilla-jit_branch64.patch to avoid PowerPC build failure
    (from bmo#1266366)
* Wed Apr 27 2016 badshah400@gmail.com
  - Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest
    version from Fedora).
* Wed Apr 27 2016 wr@rosenauer.org
  - update to Firefox 46.0 (boo#977333)
    * Improved security of the JavaScript Just In Time (JIT) Compiler
    * WebRTC fixes to improve performance and stability
    * Added support for document.elementsFromPoint
    * Added HKDF support for Web Crypto API
    * requires NSPR 4.12 and NSS 3.22.3
    * added patch to fix unchecked return value
      mozilla-check_return.patch
    * Gtk3 builds not supported at the moment
    security fixes:
    * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807
      (boo#977373, boo#977375, boo#977376)
      Miscellaneous memory safety hazards
    * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377)
      Privilege escalation through file deletion by Maintenance Service updater
      (Windows only)
    * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378)
      Content provider permission bypass allows malicious application
      to access data (Android only)
    * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812
      (bmo#1252330, bmo#1261776, boo#977379)
      Use-after-free and buffer overflow in Service Workers
    * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380)
      Disclosure of user actions through JavaScript with motion and
      orientation sensors (only affects mobile variants)
    * MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381)
      Buffer overflow in libstagefright with CENC offsets
    * MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382)
      CSP not applied to pages sent with multipart/x-mixed-replace
    * MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384)
      Elevation of privilege with chrome.tabs.update API in web extensions
    * MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386)
      Write to invalid HashMap entry through JavaScript.watch()
    * MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388)
      Firefox Health Reports could accept events from untrusted domains
* Thu Apr 21 2016 badshah400@gmail.com
  - Update mozilla-gtk3_20.patch to fix scrollbar appearance under
    gtk >= 3.20 (patch synced to Fedora's version).
* Tue Apr 12 2016 badshah400@gmail.com
  - Compile against gtk3 depending on whether the macro
    %firefox_use_gtk3 is defined or not (e.g., at the prjconf
    level); macro is undefined by default and so gtk2 is used as the
    default toolkit.
  - Add BuildRequires for additional packages needed when building
    against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0),
    pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).
  - Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20;
    patch taken from Fedora (bmo#1230955).
* Mon Apr 11 2016 astieger@suse.com
  - Mozilla Firefox 45.0.2:
    * Fix an issue impacting the cookie header when third-party
      cookies are blocked (bmo#1257861)
    * Fix a web compatibility regression impacting the srcset
      attribute of the image tag (bmo#1259482)
    * Fix a crash impacting the video playback with Media Source
      Extension (bmo#1258562)
    * Fix a regression impacting some specific uploads (bmo#1255735)
    * Fix a regression with the copy and paste with some old versions
      of some Gecko applications like Thunderbird (bmo#1254980)
* Fri Mar 18 2016 astieger@suse.com
  - Mozilla Firefox 45.0.1:
    * Fix a regression causing search engine settings to be lost in
      some context (bmo#1254694)
    * Bring back non-standard jar: URIs to fix a regression in IBM
      iNotes (bmo#1255139)
    * XSLTProcessor.importStylesheet was failing when <import> was
      used (bmo#1249572)
    * Fix an issue which could cause the list of search provider to
      be empty (bmo#1255605)
    * Fix a regression when using the location bar (bmo#1254503)
    * Fix some loading issues when Accept third-party cookies: was
      set to Never (bmo#1254856)
    * Disabled Graphite font shaping library
* Sun Mar 06 2016 wr@rosenauer.org
  - update to Firefox 45.0 (boo#969894)
    * requires NSPR 4.12 / NSS 3.21.1
    * Instant browser tab sharing through Hello
    * Synced Tabs button in button bar
    * Tabs synced via Firefox Accounts from other devices are now shown
      in dropdown area of Awesome Bar when searching
    * Introduce a new preference (network.dns.blockDotOnion) to allow
      blocking .onion at the DNS level
    * Tab Groups (Panorama) feature removed
    * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
      Miscellaneous memory safety hazards
    * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
      Local file overwriting and potential privilege escalation through
      CSP reports
    * MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
      CSP reports fail to strip location information for embedded iframe pages
    * MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
      Linux video memory DOS with Intel drivers
    * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
      Memory leak in libstagefright when deleting an array during MP4
      processing
    * MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
      Displayed page address can be overridden
    * MFSA 2016-22/CVE-2016-1959 (bmo#1234949)
      Service Worker Manager out-of-bounds read in Service Worker Manager
    * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
      Use-after-free in HTML5 string parser
    * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
      Use-after-free in SetBody
    * MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
      Use-after-free when using multiple WebRTC data channels
    * MFSA 2016-26/CVE-2016-1963 (bmo#1238440)
      Memory corruption when modifying a file being read by FileReader
    * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
      Use-after-free during XML transformations
    * MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
      Addressbar spoofing though history navigation and Location protocol
      property
    * MFSA 2016-29/CVE-2016-1967 (bmo#1246956)
      Same-origin policy violation using perfomance.getEntries and
      history navigation with session restore
    * MFSA 2016-30/CVE-2016-1968 (bmo#1246742)
      Buffer overflow in Brotli decompression
    * MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
      Memory corruption with malicious NPAPI plugin
    * MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/
      CVE-2016-1976/CVE-2016-1972
      WebRTC and LibVPX vulnerabilities found through code inspection
    * MFSA 2016-33/CVE-2016-1973 (bmo#1219339)
      Use-after-free in GetStaticInstance in WebRTC
    * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
      Out-of-bounds read in HTML parser following a failed allocation
    * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
      Buffer overflow during ASN.1 decoding in NSS
      (fixed by requiring 3.21.1)
    * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
      Use-after-free during processing of DER encoded keys in NSS
      (fixed by requiring 3.21.1)
    * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
      CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
      CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
      CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
      Font vulnerabilities in the Graphite 2 library
* Sat Mar 05 2016 olaf@aepfle.de
  - Remove B_CNT from symbols.zip filename to reduce build-compare noise
* Fri Feb 26 2016 astieger@suse.com
  - fix build problems on i586, caused by too large unified compile
    units - adding mozilla-reduce-files-per-UnifiedBindings.patch
* Thu Feb 11 2016 wr@rosenauer.org
  - update to Firefox 44.0.2
    * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438)
      Same-origin-policy violation using Service Workers with plugins
    * Fix issue which could lead to the removal of stored passwords
      under certain circumstances (bmo#1242176)
    * Allows spaces in cookie names (bmo#1244505)
    * Disable opus/vorbis audio with H.264 (bmo#1245696)
    * Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
    * Fix a crash in cache networking (bmo#1244076)
    * Fix using WebSockets in service worker controlled pages (bmo#1243942)
* Sat Jan 30 2016 dmueller@suse.com
  - build fixes for arm/aarch64:
    * disable webrtc for arm/aarch64
    * switch away from openGL-ES backend to default for arm/aarch64
    since it almost never builds
    * reenable neon
  - reenable webrtc for powerpc as it seems to build
* Sun Jan 24 2016 wr@rosenauer.org
  - update to Firefox 44.0
    * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633
      Miscellaneous memory safety hazards
    * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634
      Out of Memory crash when parsing GIF format images
    * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635
      Buffer overflow in WebGL after out of memory allocation
    * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637
      Firefox allows for control characters to be set in cookie names
    * MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641
      Missing delay following user click events in protocol handler dialog
    * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731
      Errors in mp_div and mp_exptmod cryptographic functions in NSS
      (fixed by requiring NSS 3.21)
    * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590)
      Addressbar spoofing attacks boo#963643
    * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946
      (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644
      Unsafe memory manipulation found through code inspection
    * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645
      Application Reputation service disabled in Firefox 43
    * requires NSPR 4.11
    * requires NSS 3.21
  - prepare mozilla-kde.patch for Gtk3 builds
  - rebased patches
* Mon Jan 11 2016 astieger@suse.com
  - Mozilla Firefox 43.0.4:
    * Re-enable SHA-1 certificates to prevent outdated
      man-in-the-middle security devices from interfering with
      properly secured SSL/TLS connections (bmo#1236975)
    * Fix for startup crash for users of a third party antivirus tool
      (bmo#1235537)
  - The following change was previously in the package as a patch:
    * Multi-user GNU/Linux download folders can be created
    (bmo#1233434), removed mozilla-bmo1233434.patch
* Tue Dec 29 2015 wr@rosenauer.org
  - update to Firefox 43.0.3
    * requires NSS 3.20.2 to fix
      MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
      MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
      server signature
    * various changes to support Windows update (SHA-1 vs. SHA-2)
    * workaround Youtube user agent detection issue (bmo#1233970)
  - fix file download regression for multi user systems
    (bmo#1233434) (mozilla-bmo1233434.patch)
  - explicitely requires libXcomposite-devel
* Sun Dec 13 2015 wr@rosenauer.org
  - update to Firefox 43.0 (bnc#959277)
    * Improved API support for m4v video playback
    * Users can opt-in to receive search suggestions from the Awesome Bar
    * WebRTC streaming on multiple monitors
    * User selectable second block list for Private Browsing's Tracking
      Protection
    security fixes:
    * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
      Miscellaneous memory safety hazards
    * MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
      Crash with JavaScript variable assignment with unboxed objects
    * MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
      Same-origin policy violation using perfomance.getEntries and
      history navigation
    * MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
      Firefox allows for control characters to be set in cookies
    * MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
      Use-after-free in WebRTC when datachannel is used after being
      destroyed
    * MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
      Integer overflow allocating extremely large textures
    * MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
      Cross-origin information leak through web workers error events
    * MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
      Hash in data URI is incorrectly parsed
    * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
      DOS due to malformed frames in HTTP/2
    * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
      Linux file chooser crashes on malformed images due to flaws in
      Jasper library
    * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221
      (bmo#1201183, bmo#1178033, bmo#1199400)
      Buffer overflows found through code inspection
    * MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
      Underflow through code inspection
    * MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
      Integer overflow in MP4 playback in 64-bit versions
    * MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
      Integer underflow and buffer overflow processing MP4 metadata in
      libstagefright
    * MFSA 2015-148/CVE-2015-7223 (bmo#1226423)
      Privilege escalation vulnerabilities in WebExtension APIs
    * MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
      Cross-site reading attack through data and view-source URIs
  - rebased patches
* Sun Nov 15 2015 wr@rosenauer.org
  - Add desktop menu action for private browsing window to desktop
    file (boo#954747)
  - remove obsolete patch mozilla-bmo1005535.patch completely from
    source package to avoid automatic check failures
* Sat Oct 31 2015 wr@rosenauer.org
  - update to Firefox 42.0 (bnc#952810)
    * Private Browsing with Tracking Protection blocks certain Web
      elements that could be used to record your behavior across sites
    * Control Center that contains site security and privacy controls
    * Login Manager improvements
    * WebRTC improvements
    * Indicator added to tabs that play audio with one-click muting
    * Media Source Extension for HTML5 video available for all sites
    security fixes:
    * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
      Miscellaneous memory safety hazards
    * MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
      Information disclosure through NTLM authentication
    * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
      CSP bypass due to permissive Reader mode whitelist
    * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
      Firefox for Android addressbar can be removed after fullscreen mode
    * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
      Reading sensitive profile files through local HTML file on Android
    * MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
      disabling scripts in Add-on SDK panels has no effect
    * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
      Trailing whitespace in IP address hostnames can bypass same-origin policy
    * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
      Buffer overflow during image interactions in canvas
    * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
      Android intents can be used on Firefox for Android to open privileged files
    * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
      XSS attack through intents on Firefox for Android
    * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
      Crash when accessing HTML tables with accessibility tools on OS X
    * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
      CORS preflight is bypassed when non-standard Content-Type headers
      are received
    * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
      Memory corruption in libjar through zip files
    * MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
      Certain escaped characters in host of Location-header are being
      treated as non-escaped
    * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
      JavaScript garbage collection crash with Java applet
    * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
      (bmo#1188010, bmo#1204061, bmo#1204155)
      Vulnerabilities found through code inspection
    * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
      Mixed content WebSocket policy bypass through workers
    * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
      (bmo#1202868, bmo#1205157)
      NSS and NSPR memory corruption issues
      (fixed in mozilla-nspr and mozilla-nss packages)
  - requires NSPR >= 4.10.10 and NSS >= 3.19.4
  - removed obsolete patches
    * mozilla-arm-disable-edsp.patch
    * mozilla-icu-strncat.patch
    * mozilla-skia-be-le.patch
    * toolkit-download-folder.patch
  - fixed build with enable-libproxy (bmo#1220399)
    * mozilla-libproxy.patch
* Thu Oct 15 2015 wr@rosenauer.org
  - update to Firefox 41.0.2 (bnc#950686)
    * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669)
      Cross-origin restriction bypass using Fetch
  - added explicit appdata provides (bnc#949983)
* Sun Oct 04 2015 wr@rosenauer.org
  - do not build with --enable-stdcxx-compat
    (this starts to fail build on various toolchain combinations
    and is not required for openSUSE builds in general
* Thu Oct 01 2015 wr@rosenauer.org
  - update to Firefox 41.0.1
    * Fix a startup crash related to Yandex toolbar and Adblock Plus
      (bmo#1209124)
    * Fix potential hangs with Flash plugins (bmo#1185639)
    * Fix a regression in the bookmark creation (bmo#1206376)
    * Fix a startup crash with some Intel Media Accelerator 3150
      graphic cards (bmo#1207665)
    * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
* Sat Sep 19 2015 wr@rosenauer.org
  - update to Firefox 41.0 (bnc#947003)
    * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
      Miscellaneous memory safety hazards
    * MFSA 2015-97/CVE-2015-4503 (bmo#994337)
      Memory leak in mozTCPSocket to servers
    * MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
      Out of bounds read in QCMS library with ICC V4 profile attributes
    * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)
      Site attribute spoofing on Android by pasting URL with unknown scheme
    * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
      Arbitrary file manipulation by local user through Mozilla updater
    * MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
      Buffer overflow in libvpx while parsing vp9 format video
    * MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
      Crash when using debugger with SavedStacks in JavaScript
    * MFSA 2015-103/CVE-2015-4508 (bmo#1195976)
      URL spoofing in reader mode
    * MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
      Use-after-free with shared workers and IndexedDB
    * MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
      Buffer overflow while decoding WebM video
    * MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
      Use-after-free while manipulating HTML media content
    * MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
      Out-of-bounds read during 2D canvas display on Linux 16-bit
      color depth systems
    * MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
      Scripted proxies can access inner window
    * MFSA 2015-109/CVE-2015-4516 (bmo#904886)
      JavaScript immutable property enforcement can be bypassed
    * MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
      Dragging and dropping images exposes final URL after redirects
    * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
      Errors in the handling of CORS preflight request headers
    * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
      CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
      CVE-2015-7180
      Vulnerabilities found through code inspection
    * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
      bmo#1190526) (Windows only)
      Memory safety errors in libGLES in the ANGLE graphics library
    * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)
      Information disclosure via the High Resolution Time API
  - rebased patches
  - removed obsolete patches
    * mozilla-arm64-libjpeg-turbo.patch
* Thu Aug 27 2015 wr@rosenauer.org
  - update to Firefox 40.0.3 (bnc#943550)
    * Disable the asynchronous plugin initialization (bmo#1198590)
    * Fix a segmentation fault in the GStreamer support (bmo#1145230)
    * Fix a regression with some Japanese fonts used in the <input>
      field (bmo#1194055)
    * On some sites, the selection in a select combox box using the
      mouse could be broken (bmo#1194733)
    security fixes
    * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
      Use-after-free when resizing canvas element during restyling
    * MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
      Add-on notification bypass through data URLs
* Fri Aug 07 2015 wr@rosenauer.org
  - update to Firefox 40.0 (bnc#940806)
    * Added protection against unwanted software downloads
    * Suggested Tiles show sites of interest, based on categories
      from your recent browsing history
    * Hello allows adding a link to conversations to provide context
      on what the conversation will be about
    * New style for add-on manager based on the in-content
      preferences style
    * Improved scrolling, graphics, and video playback performance
      with off main thread compositing (GNU/Linux only)
    * Graphic blocklist mechanism improved: Firefox version ranges
      can be specified, limiting the number of devices blocked
    security fixes:
    * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
      Miscellaneous memory safety hazards
    * MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
      Out-of-bounds read with malformed MP3 file
    * MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
      Use-after-free in MediaStream playback
    * MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
      Redefinition of non-configurable JavaScript object properties
    * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
      Overflow issues in libstagefright
    * MFSA 2015-84/CVE-2015-4481 (bmo1171518)
      Arbitrary file overwriting through Mozilla Maintenance Service
      with hard links (only affected Windows)
    * MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
      Out-of-bounds write with Updater and malicious MAR file
      (does not affect openSUSE RPM packages which do not ship the
      updater)
    * MFSA 2015-86/CVE-2015-4483 (bmo#1148732)
      Feed protocol with POST bypasses mixed content protections
    * MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
      Crash when using shared memory in JavaScript
    * MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
      Heap overflow in gdk-pixbuf when scaling bitmap images
    * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
      Buffer overflows on Libvpx when decoding WebM video
    * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
      Vulnerabilities found through code inspection
    * MFSA 2015-91/CVE-2015-4490 (bmo#1086999)
      Mozilla Content Security Policy allows for asterisk wildcards
      in violation of CSP specification
    * MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
      Use-after-free in XMLHttpRequest with shared workers
  - added mozilla-no-stdcxx-check.patch
  - removed obsolete patches
    * mozilla-add-glibcxx_use_cxx11_abi.patch
    * firefox-multilocale-chrome.patch
  - rebased patches
  - requires version 40 of the branding package
  - removed browser/searchplugins/ location as it's not valid anymore
* Fri Aug 07 2015 wr@rosenauer.org
  - security update to Firefox 39.0.3 (bnc#940918)
    * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)
      Same origin violation and local file stealing via PDF reader
* Wed Jul 01 2015 wr@rosenauer.org
  - update to Firefox 39.0 (bnc#935979)
    * Share Hello URLs with social networks
    * Support for 'switch' role in ARIA 1.1 (web accessibility)
    * SafeBrowsing malware detection lookups enabled for downloads
      (Mac OS X and Linux)
    * Support for new Unicode 8.0 skin tone emoji
    * Removed support for insecure SSLv3 for network communications
    * Disable use of RC4 except for temporarily whitelisted hosts
    * NPAPI Plug-in performance improved via asynchronous initialization
    security fixes:
    * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
      Miscellaneous memory safety hazards
    * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
      Local files or privileged URLs in pages can be opened into new tabs
    * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
      Type confusion in Indexed Database Manager
    * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
      Out-of-bound read while computing an oscillator rendering range in Web Audio
    * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
      Use-after-free in Content Policy due to microtask execution error
    * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
      ECDSA signature validation fails to handle some signatures correctly
      (this fix is shipped by NSS 3.19.1 externally)
    * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
      Use-after-free in workers while using XMLHttpRequest
    * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
      CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
      Vulnerabilities found through code inspection
    * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
      Key pinning is ignored when overridable errors are encountered
    * MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
      OS X crash reports may contain entered key press information
      (not relevant under Linux)
    * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
      Privilege escalation in PDF.js
    * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
      NSS accepts export-length DHE keys with regular DHE cipher suites
      (this fix is shipped by NSS 3.19.1 externally)
    * MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
      NSS incorrectly permits skipping of ServerKeyExchange
      (this fix is shipped by NSS 3.19.1 externally)
  - dropped mozilla-prefer_plugin_pref.patch as this feature is
    likely not worth maintaining further
  - rebased patches
  - require NSS 3.19.2
* Thu Jun 18 2015 schwab@suse.de
  - mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
* Sun Jun 07 2015 wr@rosenauer.org
  - update to Firefox 38.0.6
    * fixes bmo#1171730 which is not really relevant to oS builds
  - fix KDE regression from 38.0.5 builds (bsc#933439)
* Sat May 23 2015 wr@rosenauer.org
  - update to Firefox 38.0.5
    * Keep track of articles and videos with Pocket
    * Clean formatting for articles and blog posts with Reader View
    * Share the active tab or window in a Hello conversation
  - add changes file as source for SRPM (bsc#932142)
* Fri May 15 2015 normand@linux.vnet.ibm.com
  - add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from
    https://bugzilla.mozilla.org/show_bug.cgi?id=1153109
* Fri May 15 2015 wr@rosenauer.org
  - update to Firefox 38.0.1
    stability and regression fixes
    * Systems with first generation NVidia Optimus graphics cards
      may crash on start-up
    * Users who import cookies from Google Chrome can end up with
      broken websites
    * Large animated images may fail to play and may stop other
      images from loading
* Sun May 10 2015 wr@rosenauer.org
  - update to Firefox 38.0 (bnc#930622)
    * New tab-based preferences
    * Ruby annotation support
    * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
    security fixes:
    * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
      Miscellaneous memory safety hazards
    * MFSA 2015-47/VE-2015-0797 (bmo#1080995)
      Buffer overflow parsing H.264 video with Linux Gstreamer
    * MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
      Buffer overflow with SVG content and CSS
    * MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
      Referrer policy ignored when links opened by middle-click and
      context menu
    * MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
      Out-of-bounds read and write in asm.js validation
    * MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
      Use-after-free during text processing with vertical text enabled
    * MFSA 2015-53/CVE-2015-2715 (bmo#988698)
      Use-after-free due to Media Decoder Thread creation during shutdown
    * MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
      Buffer overflow when parsing compressed XML
    * MFSA 2015-55/CVE-2015-2717 (bmo#1154683)
      Buffer overflow and out-of-bounds read while parsing MP4 video
      metadata
    * MFSA 2015-56/CVE-2015-2718 (bmo#1146724)
      Untrusted site hosting trusted page can intercept webchannel
      responses
    * MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
      Privilege escalation through IPC channel messages
  - requires NSS 3.18.1
  - removed obsolete patches:
    * mozilla-skia-bmo1136958.patch
  - remove gnomevfs build options as it is removed from sources
  - rebased patches
* Fri Apr 17 2015 wr@rosenauer.org
  - update to Firefox 37.0.2 (bnc#928116)
    * MFSA 2015-45/CVE-2015-2706 (bmo#1141081)
      Memory corruption during failed plugin initialization
* Fri Apr 03 2015 wr@rosenauer.org
  - update to Firefox 37.0.1 (bnc#926166)
    * MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only)
      Loading privileged content through Reader mode
    * MFSA 2015-44/CVE-2015-0799 (bmo#1148328)
      Certificate verification bypass through the HTTP/2 Alt-Svc header
* Sat Mar 28 2015 wr@rosenauer.org
  - update to Firefox 37.0 (bnc#925368)
    * Heartbeat user rating system
    * Yandex set as default search provider for the Turkish locale
    * Bing search now uses HTTPS for secure searching
    * Improved protection against site impersonation via OneCRL
      centralized certificate revocation
    * Opportunistically encrypt HTTP traffic where the server supports
      HTTP/2 AltSvc
    * some more behaviour changes for TLS
    security fixes:
    * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
      Miscellaneous memory safety hazards
    * MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
      Use-after-free when using the Fluendo MP3 GStreamer plugin
    * MFSA 2015-32/CVE-2015-0812 (bmo#1128126)
      Add-on lightweight theme installation approval bypassed through
      MITM attack
    * MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
      resource:// documents can load privileged pages
    * MFSA-2015-34/CVE-2015-0811 (bmo#1132468)
      Out of bounds read in QCMS library
    * MFSA-2015-35/CVE-2015-0810 (bmo#1125013)
      Cursor clickjacking with flash and images (OS X only)
    * MFSA-2015-36/CVE-2015-0808 (bmo#1109552)
      Incorrect memory management for simple-type arrays in WebRTC
    * MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
      CORS requests should not follow 30x redirections after preflight
    * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437)
      Memory corruption crashes in Off Main Thread Compositing
    * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560)
      Use-after-free due to type confusion flaws
    * MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
      Same-origin bypass through anchor navigation
    * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808
      PRNG weakness allows for DNS poisoning on Android (only)
    * MFSA-2015-42/CVE-2015-0802 (bmo#1124898)
      Windows can retain access to privileged content on navigation
      to unprivileged pages
  - removed obsolete patches
    * mozilla-bmo1088588.patch
    * mozilla-bmo1108834.patch
  - requires NSPR 4.10.8
* Tue Mar 24 2015 dvaleev@suse.com
  - Fix builds with skia on Power
    mozilla-skia-be-le.patch (patch from #bmo1136958)
    mozilla-bmo1108834.patch
    mozilla-bmo1005535.patch
* Sat Mar 21 2015 wr@rosenauer.org
  - update to Firefox 36.0.4 (bnc#923534)
    * MFSA 2015-28/CVE-2015-0818 (bmo#1144988)
      Privilege escalation through SVG navigation
    * MFSA 2015-29/CVE-2015-0817 (bmo#1145255)
      Code execution through incorrect JavaScript bounds checking
      elimination
* Fri Mar 20 2015 dimstar@opensuse.org
  - Copy the icons to /usr/share/icons instead of symlinking them:
    in preparation for containerized apps (e.g. xdg-app) as well as
    AppStream metadata extraction, there are a couple locations that
    need to be real files for system integration (.desktop files,
    icons, mime-type info).
* Sat Mar 07 2015 wr@rosenauer.org
  - update to Firefox 36.0.1
    Bugfixes:
    * Disable the usage of the ANY DNS query type (bmo#1093983)
    * Hello may become inactive until restart (bmo#1137469)
    * Print preferences may not be preserved (bmo#1136855)
    * Hello contact tabs may not be visible (bmo#1137141)
    * Accept hostnames that include an underscore character ("_")
      (bmo#1136616)
    * WebGL may use significant memory with Canvas2d (bmo#1137251)
    * Option -remote has been restored (bmo#1080319)
  - added mozilla-skia-bmo1136958.patch to fix build issues for
    ARM and PPC
* Fri Feb 20 2015 wr@rosenauer.org
  - update to Firefox 36.0 (bnc#917597)
    * mozilla-xremote-client was removed
    * added libclearkey.so media plugin
    * Pinned tiles on the new tab page can be synced
    * Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
      more scalable, and more responsive web.
    * Locale added: Uzbek (uz)
    security fixes:
    * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836
      Miscellaneous memory safety hazards
    * MFSA 2015-12/CVE-2015-0833 (bmo#945192)
      Invoking Mozilla updater will load locally stored DLL files
      (Windows only)
    * MFSA 2015-13/CVE-2015-0832 (bmo#1065909)
      Appended period to hostnames can bypass HPKP and HSTS protections
    * MFSA 2015-14/CVE-2015-0830 (bmo#1110488)
      Malicious WebGL content crash when writing strings
    * MFSA 2015-15/CVE-2015-0834 (bmo#1098314)
      TLS TURN and STUN connections silently fail to simple TCP connections
    * MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
      Use-after-free in IndexedDB
    * MFSA 2015-17/CVE-2015-0829 (bmo#1128939)
      Buffer overflow in libstagefright during MP4 video playback
    * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675)
      Double-free when using non-default memory allocators with a
      zero-length XHR
    * MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
      Out-of-bounds read and write while rendering SVG content
    * MFSA 2015-20/CVE-2015-0826 (bmo#1092363)
      Buffer overflow during CSS restyling
    * MFSA 2015-21/CVE-2015-0825 (bmo#1092370)
      Buffer underflow during MP3 playback
    * MFSA 2015-22/CVE-2015-0824 (bmo#1095925)
      Crash using DrawTarget in Cairo graphics library
    * MFSA 2015-23/CVE-2015-0823 (bmo#1098497)
      Use-after-free in Developer Console date with OpenType Sanitiser
    * MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
      Reading of local files through manipulation of form autocomplete
    * MFSA 2015-25/CVE-2015-0821 (bmo#1111960)
      Local files or privileged URLs in pages can be opened into new tabs
    * MFSA 2015-26/CVE-2015-0819 (bmo#1079554)
      UI Tour whitelisted sites in background tab can spoof foreground
      tabs
    * MFSA 2015-27CVE-2015-0820 (bmo#1125398)
      Caja Compiler JavaScript sandbox bypass
  - rebased patches
  - requires NSS 3.17.4
* Sat Jan 31 2015 wr@rosenauer.org
  - update to Firefox 35.0.1
    * With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
    * Kerberos authentication did not work with alias (bmo#1108971)
    * SVG / CSS animation had a regression causing rendering issues on
      websites like openstreemap.org (bmo#1083079)
    * On Godaddy webmail, Firefox could crash (bmo#1113121)
    * document.baseURI did not get updated to document.location after
      base tag was removed from DOM for site with a CSP (bmo#1121857)
    * With a Right-to-left (RTL) version of Firefox, the text selection
      could be broken (bmo#1104036)
    * CSP had a change in behavior with regard to case sensitivity
      resources loading (bmo#1122445)
* Sat Jan 10 2015 wr@rosenauer.org
  - update to Firefox 35.0 (bnc#910669)
    notable features:
    * Firefox Hello with new rooms-based conversations model
    * Implemented HTTP Public Key Pinning Extension (for enhanced
      authentication of encrypted connections)
    security fixes:
    * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
      Miscellaneous memory safety hazards
    * MFSA 2015-02/CVE-2014-8637 (bmo#1094536)
      Uninitialized memory use during bitmap rendering
    * MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
      sendBeacon requests lack an Origin header
    * MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
      Cookie injection through Proxy Authenticate responses
    * MFSA 2015-05/CVE-2014-8640 (bmo#1100409)
      Read of uninitialized memory in Web Audio
    * MFSA 2015-06/CVE-2014-8641 (bmo#1108455)
      Read-after-free in WebRTC
    * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only)
      Gecko Media Plugin sandbox escape
    * MFSA 2015-08/CVE-2014-8642 (bmo#1079658)
      Delegated OCSP responder certificates failure with
      id-pkix-ocsp-nocheck extension
    * MFSA 2015-09/CVE-2014-8636 (bmo#987794)
      XrayWrapper bypass through DOM objects
  - rebased patches
  - dropped explicit support for everything older than 12.3
    (including SLES11)
    * merge firefox-kde.patch and firefox-kde-114.patch
    * dropped mozilla-sle11.patch
  - reworked specfile to build conditionally based on release channel
    either Firefox or Firefox Developer Edition
  - added mozilla-openaes-decl.patch to fix implicit declarations
  - obsolete tracker-miner-firefox < 0.15 because it leads to startup
    crashes (bnc#908892)
* Sat Dec 13 2014 Led <ledest@gmail.com>
  - fix bashism in mozilla.sh script
* Sat Nov 29 2014 wr@rosenauer.org
  - update to Firefox 34.0.5 (bnc#908009)
    * Default search engine changed to Yahoo! for North America
    * Default search engine changed to Yandex for Belarusian, Kazakh,
      and Russian locales
    * Improved search bar (en-US only)
    * Firefox Hello real-time communication client
    * Easily switch themes/personas directly in the Customizing mode
    * Implementation of HTTP/2 (draft14) and ALPN
    * Disabled SSLv3
    * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588
      Miscellaneous memory safety hazards
    * MFSA 2014-84/CVE-2014-1589 (bmo#1043787)
      XBL bindings accessible via improper CSS declarations
    * MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
      XMLHttpRequest crashes with some input streams
    * MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
      CSP leaks redirect data via violation reports
    * MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
      Use-after-free during HTML5 parsing
    * MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
      Buffer overflow while parsing media content
    * MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
      Bad casting from the BasicThebesLayer to BasicContainerLayer
  - rebased patches
  - limit linker memory usage for %ix86
  - rebased patches
* Fri Nov 07 2014 wr@rosenauer.org
  - update to Firefox 33.1
    * Adding DuckDuckGo as a search option (upstream)
    * Forget Button added
    * Enhanced Tiles
    * Privacy tour introduced
  - fix typo in GStreamer Recommends
* Tue Nov 04 2014 guillaume@opensuse.org
  - Disable elf-hack for aarch64
  - Enable EGL for aarch64
  - Limit RAM usage during link for %arm
  - Fix _constraints for ARM
* Mon Nov 03 2014 dmueller@suse.com
  - use proper macros for ARM
* Mon Nov 03 2014 josua.mayer97@gmail.com
  - use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too
    to fix compiling.
  - pass '-Wl,--no-keep-memory' to linker to reduce required memory during
    linking on arm.
* Thu Oct 30 2014 wr@rosenauer.org
  - update to Firefox 33.0.2
    * Fix a startup crash with some combination of hardware and drivers
    33.0.1
    * Firefox displays a black screen at start-up with certain
      graphics drivers
  - adjusted _constraints for ARM
* Tue Oct 28 2014 josua.mayer97@gmail.com
  - added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
* Sat Oct 25 2014 wr@rosenauer.org
  - define /usr/share/myspell as additional dictionary location
    and remove add-plugins.sh finally (bnc#900639)
* Sun Oct 19 2014 vindex17@outlook.it
  - use Firefox default optimization flags instead of -Os
  - specfile cleanup
* Wed Oct 15 2014 wr@rosenauer.org
  - fix build for all ppc by not enabling elf-hack
    (bnc#901213)
* Sat Oct 11 2014 wr@rosenauer.org
  - update to Firefox 33.0 (bnc#900941)
    New features:
    * OpenH264 support (sandboxed)
    * Enhanced Tiles
    * Improved search experience through the location bar
    * Slimmer and faster JavaScript strings
    * New CSP (Content Security Policy) backend
    * Support for connecting to HTTP proxy over HTTPS
    * Improved reliability of the session restoration
    * Proprietary window.crypto properties/functions removed
    Security:
    * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575
      Miscellaneous memory safety hazards
    * MFSA 2014-75/CVE-2014-1576 (bmo#1041512)
      Buffer overflow during CSS manipulation
    * MFSA 2014-76/CVE-2014-1577 (bmo#1012609)
      Web Audio memory corruption issues with custom waveforms
    * MFSA 2014-77/CVE-2014-1578 (bmo#1063327)
      Out-of-bounds write with WebM video
    * MFSA 2014-78/CVE-2014-1580 (bmo#1063733)
      Further uninitialized memory use during GIF rendering
    * MFSA 2014-79/CVE-2014-1581 (bmo#1068218)
      Use-after-free interacting with text directionality
    * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
      Key pinning bypasses
    * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
      Inconsistent video sharing within iframe
    * MFSA 2014-82/CVE-2014-1583 (bmo#1015540)
      Accessing cross-origin objects via the Alarms API
      (only relevant for installed web apps)
  - requires NSPR 4.10.7
  - requires NSS 3.17.1
  - removed obsolete patches:
    * mozilla-ppc.patch
    * mozilla-libproxy-compat.patch
  - added basic appdata information
* Sat Sep 20 2014 wr@rosenauer.org
  - update to Firefox 32.0.2
    * just a version bump for our builds
    * fixed the in application update process for certain environments
      (in application update is not enabled in openSUSE and Linux
      is unaffected in any case)
  - build with --disable-optimize for 13.1 and above for i586 to
    workaround miscompilations (bnc#896624)
  - use some more build flags to align with upstream
* Sat Sep 13 2014 wr@rosenauer.org
  - update to Firefox 32.0.1
    * fixed stability issues for computers with multiple graphics cards
    * mixed content icon may be incorrectly displayed instead of lock
      icon for SSL sites in 32.0 (
    * WebRTC: setRemoteDescription() silently fails if no success
      callback is specified (bmo#1063971)
* Sun Aug 31 2014 wr@rosenauer.org
  - update to Firefox 32.0 (bnc#894370)
    * MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562
      Miscellaneous memory safety hazards
    * MFSA 2014-68/CVE-2014-1563 (bmo#1018524)
      Use-after-free during DOM interactions with SVG
    * MFSA 2014-69/CVE-2014-1564 (bmo#1045977)
      Uninitialized memory use during GIF rendering
    * MFSA 2014-70/CVE-2014-1565 (bmo#1047831)
      Out-of-bounds read in Web Audio audio timeline
    * MFSA 2014-72/CVE-2014-1567 (bmo#1037641)
      Use-after-free setting text directionality
  - rebased patches
  - requires NSS 3.16.4
  - removed upstreamed patch
    * mozilla-aarch64-bmo-810631.patch
* Wed Aug 20 2014 behlert@suse.de
  - adapted _constraints, used more than 3900MB on s390x during
    last build
* Sun Jul 20 2014 wr@rosenauer.org
  - update to Firefox 31.0 (bnc#887746)
    * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548
      Miscellaneous memory safety hazards
    * MFSA 2014-57/CVE-2014-1549 (bmo#1020205)
      Buffer overflow during Web Audio buffering for playback
    * MFSA 2014-58/CVE-2014-1550 (bmo#1020411)
      Use-after-free in Web Audio due to incorrect control message ordering
    * MFSA 2014-60/CVE-2014-1561 (bmo#1000514, bmo#910375)
      Toolbar dialog customization event spoofing
    * MFSA 2014-61/CVE-2014-1555 (bmo#1023121)
      Use-after-free with FireOnStateChange event
    * MFSA 2014-62/CVE-2014-1556 (bmo#1028891)
      Exploitable WebGL crash with Cesium JavaScript library
    * MFSA 2014-63/CVE-2014-1544 (bmo#963150)
      Use-after-free while when manipulating certificates in the trusted cache
      (solved with NSS 3.16.2 requirement)
    * MFSA 2014-64/CVE-2014-1557 (bmo#913805)
      Crash in Skia library when scaling high quality images
    * MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560
      (bmo#1015973, bmo#1026022, bmo#997795)
      Certificate parsing broken by non-standard character encoding
    * MFSA 2014-66/CVE-2014-1552 (bmo#985135)
      IFRAME sandbox same-origin access through redirect
  - use EGL on ARM
  - rebased patches
  - requires NSS 3.16.2
  - requires python-devel (not only python)
* Mon Jun 09 2014 wr@rosenauer.org
  - update to Firefox 30.0 (bnc#881874)
    * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534
      (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874,
      bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981,
      bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817,
      bmo#996536, bmo#996715, bmo#999651, bmo#1000598,
      bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223,
      bmo#1009952, bmo#1011007)
      Miscellaneous memory safety hazards (rv:30.0)
    * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538
      (bmo#989994, bmo#999274, bmo#1005584)
      Use-after-free and out of bounds issues found using Address
      Sanitizer
    * MFSA 2014-50/CVE-2014-1539 (bmo#995603)
      Clickjacking through cursor invisability after Flash interaction
    * MFSA 2014-51/CVE-2014-1540 (bmo#978862)
      Use-after-free in Event Listener Manager
    * MFSA 2014-52/CVE-2014-1541 (bmo#1000185)
      Use-after-free with SMIL Animation Controller
    * MFSA 2014-53/CVE-2014-1542 (bmo#991533)
      Buffer overflow in Web Audio Speex resampler
    * MFSA 2014-54/CVE-2014-1543 (bmo#1011859)
      Buffer overflow in Gamepad API
    * MFSA 2014-55/CVE-2014-1545 (bmo#1018783)
      Out of bounds write in NSPR
  - rebased patches
  - removed obsolete patches
    * firefox-browser-css.patch
    * mozilla-aarch64-bmo-962488.patch
    * mozilla-aarch64-bmo-963023.patch
    * mozilla-aarch64-bmo-963024.patch
    * mozilla-aarch64-bmo-963027.patch
    * mozilla-ppc64-xpcom.patch
    * mozilla-ppc64le-javascript.patch
    * mozilla-ppc64le-libffi.patch
    * mozilla-ppc64le-mfbt.patch
    * mozilla-ppc64le-webrtc.patch
    * mozilla-ppc64le-xpcom.patch
    * mozilla-ppc64le-build.patch
  - requires NSPR 4.10.6
  - enabled GStreamer 1.0 usage for 13.2 and above
* Sat May 10 2014 wr@rosenauer.org
  - update to Firefox 29.0.1
    * Seer disabled by default (bmo#1005958)
    * Session Restore failed with a corrupted sessionstore.js file
      (bmo#1001167)
    * pdf.js printing white page (bmo#1003707, bnc#876833)
  - general.useragent.locale gets overwritten with en-US while it
    should be using the active langpack's setting
* Sat Apr 26 2014 wr@rosenauer.org
  - update to Firefox 29.0 (bnc#875378)
    * MFSA 2014-34/CVE-2014-1518/CVE-2014-1519
      Miscellaneous memory safety hazards
    * MFSA 2014-36/CVE-2014-1522 (bmo#995289)
      Web Audio memory corruption issues
    * MFSA 2014-37/CVE-2014-1523 (bmo#969226)
      Out of bounds read while decoding JPG images
    * MFSA 2014-38/CVE-2014-1524 (bmo#989183)
      Buffer overflow when using non-XBL object as XBL
    * MFSA 2014-39/CVE-2014-1525 (bmo#989210)
      Use-after-free in the Text Track Manager for HTML video
    * MFSA 2014-41/CVE-2014-1528 (bmo#963962)
      Out-of-bounds write in Cairo
    * MFSA 2014-42/CVE-2014-1529 (bmo#987003)
      Privilege escalation through Web Notification API
    * MFSA 2014-43/CVE-2014-1530 (bmo#895557)
      Cross-site scripting (XSS) using history navigations
    * MFSA 2014-44/CVE-2014-1531 (bmo#987140)
      Use-after-free in imgLoader while resizing images
    * MFSA 2014-45/CVE-2014-1492 (bmo#903885)
      Incorrect IDNA domain name matching for wildcard certificates
      (fixed by NSS 3.16)
    * MFSA 2014-46/CVE-2014-1532 (bmo#966006)
      Use-after-free in nsHostResolver
    * MFSA 2014-47/CVE-2014-1526 (bmo#988106)
      Debugger can bypass XrayWrappers with JavaScript
  - rebased patches
  - removed obsolete patches
    * firefox-browser-css.patch
    * mozilla-aarch64-599882cfb998.diff
    * mozilla-aarch64-bmo-963028.patch
    * mozilla-aarch64-bmo-963029.patch
    * mozilla-aarch64-bmo-963030.patch
    * mozilla-aarch64-bmo-963031.patch
  - requires NSS 3.16
  - added mozilla-icu-strncat.patch to fix post build checks
* Mon Apr 07 2014 dmueller@suse.com
  - add mozilla-aarch64-599882cfb998.patch,
      mozilla-aarch64-bmo-810631.patch,
      mozilla-aarch64-bmo-962488.patch,
      mozilla-aarch64-bmo-963030.patch,
      mozilla-aarch64-bmo-963027.patch,
      mozilla-aarch64-bmo-963028.patch,
      mozilla-aarch64-bmo-963029.patch,
      mozilla-aarch64-bmo-963023.patch,
      mozilla-aarch64-bmo-963024.patch,
      mozilla-aarch64-bmo-963031.patch: AArch64 porting
* Mon Mar 24 2014 dvaleev@suse.com
  - Add patch for bmo#973977
    * mozilla-ppc64-xpcom.patch
* Mon Mar 24 2014 dvaleev@suse.com
  - Refresh mozilla-ppc64le-xpcom.patch patch
* Fri Mar 21 2014 dvaleev@suse.com
  - Adapt mozilla-ppc64le-xpcom.patch to Mozilla > 24.0 build system
* Sun Mar 16 2014 wr@rosenauer.org
  - update to Firefox 28.0 (bnc#868603)
    * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
      Miscellaneous memory safety hazards
    * MFSA 2014-17/CVE-2014-1497 (bmo#966311)
      Out of bounds read during WAV file decoding
    * MFSA 2014-18/CVE-2014-1498 (bmo#935618)
      crypto.generateCRMFRequest does not validate type of key
    * MFSA 2014-19/CVE-2014-1499 (bmo#961512)
      Spoofing attack on WebRTC permission prompt
    * MFSA 2014-20/CVE-2014-1500 (bmo#956524)
      onbeforeunload and Javascript navigation DOS
    * MFSA 2014-22/CVE-2014-1502 (bmo#972622)
      WebGL content injection from one domain to rendering in another
    * MFSA 2014-23/CVE-2014-1504 (bmo#911547)
      Content Security Policy for data: documents not preserved by
      session restore
    * MFSA 2014-26/CVE-2014-1508 (bmo#963198)
      Information disclosure through polygon rendering in MathML
    * MFSA 2014-27/CVE-2014-1509 (bmo#966021)
      Memory corruption in Cairo during PDF font rendering
    * MFSA 2014-28/CVE-2014-1505 (bmo#941887)
      SVG filters information disclosure through feDisplacementMap
    * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909)
      Privilege escalation using WebIDL-implemented APIs
    * MFSA 2014-30/CVE-2014-1512 (bmo#982957)
      Use-after-free in TypeObject
    * MFSA 2014-31/CVE-2014-1513 (bmo#982974)
      Out-of-bounds read/write through neutering ArrayBuffer objects
    * MFSA 2014-32/CVE-2014-1514 (bmo#983344)
      Out-of-bounds write through TypedArrayObject after neutering
  - requires NSPR 4.10.3 and NSS 3.15.5
  - new build dependency (and recommends):
    * libpulse
  - update of PowerPC 64 patches (bmo#976648) (pcerny@suse.com)
  - rebased patches
* Mon Feb 17 2014 wr@rosenauer.org
  - update to Firefox 27.0.1
    * Fixed stability issues with Greasemonkey and other JS that used
      ClearTimeoutOrInterval
    * JS math correctness issue (bmo#941381)
  - incorporate Google API key for geolocation (bnc#864170)
  - updated list of "other" locales in RPM requirements
* Tue Jan 28 2014 wr@rosenauer.org
  - update to Firefox 27.0 (bnc#861847)
    * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478
      Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
    * MFSA 2014-02/CVE-2014-1479 (bmo#911864)
      Clone protected content with XBL scopes
    * MFSA 2014-03/CVE-2014-1480 (bmo#916726)
      UI selection timeout missing on download prompts
    * MFSA 2014-04/CVE-2014-1482 (bmo#943803)
      Incorrect use of discarded images by RasterImage
    * MFSA 2014-05/CVE-2014-1483 (bmo#950427)
      Information disclosure with *FromPoint on iframes
    * MFSA 2014-06/CVE-2014-1484 (bmo#953993)
      Profile path leaks to Android system log
    * MFSA 2014-07/CVE-2014-1485 (bmo#910139)
      XSLT stylesheets treated as styles in Content Security Policy
    * MFSA 2014-08/CVE-2014-1486 (bmo#942164)
      Use-after-free with imgRequestProxy and image proccessing
    * MFSA 2014-09/CVE-2014-1487 (bmo#947592)
      Cross-origin information leak through web workers
    * MFSA 2014-10/CVE-2014-1489 (bmo#959531)
      Firefox default start page UI content invokable by script
    * MFSA 2014-11/CVE-2014-1488 (bmo#950604)
      Crash when using web workers with asm.js
    * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
      (bmo#934545, bmo#930874, bmo#930857)
      NSS ticket handling issues
    * MFSA 2014-13/CVE-2014-1481(bmo#936056)
      Inconsistent JavaScript handling of access to Window objects
  - requires NSS 3.15.4 or higher
  - rebased/reworked patches
  - removed obsolete mozilla-bug929439.patch
* Thu Dec 12 2013 uweigand@de.ibm.com
  - Add support for powerpc64le-linux.
    * mozilla-ppc64le.patch: general support
    * mozilla-libffi-ppc64le.patch: libffi backport
    * mozilla-xpcom-ppc64le.patch: port xpcom
  - Add build fix from mainline.
    * mozilla-bug929439.patch
* Sun Dec 08 2013 wr@rosenauer.org
  - update to Firefox 26.0 (bnc#854367, bnc#854370)
    * rebased patches
    * requires NSPR 4.10.2 and NSS 3.15.3.1
    * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610
      Miscellaneous memory safety hazards
    * MFSA 2013-105/CVE-2013-5611 (bmo#771294)
      Application Installation doorhanger persists on navigation
    * MFSA 2013-106/CVE-2013-5612 (bmo#871161)
      Character encoding cross-origin XSS attack
    * MFSA 2013-107/CVE-2013-5614 (bmo#886262)
      Sandbox restrictions not applied to nested object elements
    * MFSA 2013-108/CVE-2013-5616 (bmo#938341)
      Use-after-free in event listeners
    * MFSA 2013-109/CVE-2013-5618 (bmo#926361)
      Use-after-free during Table Editing
    * MFSA 2013-110/CVE-2013-5619 (bmo#917841)
      Potential overflow in JavaScript binary search algorithms
    * MFSA 2013-111/CVE-2013-6671 (bmo#930281)
      Segmentation violation when replacing ordered list elements
    * MFSA 2013-112/CVE-2013-6672 (bmo#894736)
      Linux clipboard information disclosure though selection paste
    * MFSA 2013-113/CVE-2013-6673 (bmo#970380)
      Trust settings for built-in roots ignored during EV certificate
      validation
    * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449)
      Use-after-free in synthetic mouse movement
    * MFSA 2013-115/CVE-2013-5615 (bmo#929261)
      GetElementIC typed array stubs can be generated outside observed
      typesets
    * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693)
      JPEG information leak
    * MFSA 2013-117 (bmo#946351)
      Mis-issued ANSSI/DCSSI certificate
      (fixed via NSS 3.15.3.1)
  - removed gecko.js preference file as GStreamer is enabled by
    default now
* Thu Oct 24 2013 wr@rosenauer.org
  - update to Firefox 25.0 (bnc#847708)
    * rebased patches
    * requires NSS 3.15.2 or above
    * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592
      Miscellaneous memory safety hazards
    * MFSA 2013-94/CVE-2013-5593 (bmo#868327)
      Spoofing addressbar through SELECT element
    * MFSA 2013-95/CVE-2013-5604 (bmo#914017)
      Access violation with XSLT and uninitialized data
    * MFSA 2013-96/CVE-2013-5595 (bmo#916580)
      Improperly initialized memory and overflows in some JavaScript
      functions
    * MFSA 2013-97/CVE-2013-5596 (bmo#910881)
      Writing to cycle collected object during image decoding
    * MFSA 2013-98/CVE-2013-5597 (bmo#918864)
      Use-after-free when updating offline cache
    * MFSA 2013-99/CVE-2013-5598 (bmo#920515)
      Security bypass of PDF.js checks using iframes
    * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601
      (bmo#915210, bmo#915576, bmo#916685)
      Miscellaneous use-after-free issues found through ASAN fuzzing
    * MFSA 2013-101/CVE-2013-5602 (bmo#897678)
      Memory corruption in workers
    * MFSA 2013-102/CVE-2013-5603 (bmo#916404)
      Use-after-free in HTML document templates
* Tue Sep 24 2013 wr@rosenauer.org
  - as GStreamer is not automatically required anymore but loaded
    dynamically if available, require it explicitely
  - recommend optional GStreamer plugins for comprehensive media
    support
* Mon Sep 16 2013 lnussel@suse.de
  - move greek to the translations-common package (bnc#840551)
* Sat Sep 14 2013 wr@rosenauer.org
  - update to Firefox 24.0 (bnc#840485)
    * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719
      Miscellaneous memory safety hazards
    * MFSA 2013-77/CVE-2013-1720 (bmo#888820)
      Improper state in HTML5 Tree Builder with templates
    * MFSA 2013-78/CVE-2013-1721 (bmo#890277)
      Integer overflow in ANGLE library
    * MFSA 2013-79/CVE-2013-1722 (bmo#893308)
      Use-after-free in Animation Manager during stylesheet cloning
    * MFSA 2013-80/CVE-2013-1723 (bmo#891292)
      NativeKey continues handling key messages after widget is destroyed
    * MFSA 2013-81/CVE-2013-1724 (bmo#894137)
      Use-after-free with select element
    * MFSA 2013-82/CVE-2013-1725 (bmo#876762)
      Calling scope for new Javascript objects can lead to memory corruption
    * MFSA 2013-85/CVE-2013-1728 (bmo#883686)
      Uninitialized data in IonMonkey
    * MFSA 2013-88/CVE-2013-1730 (bmo#851353)
      Compartment mismatch re-attaching XBL-backed nodes
    * MFSA 2013-89/CVE-2013-1732 (bmo#883514)
      Buffer overflow with multi-column, lists, and floats
    * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301)
      Memory corruption involving scrolling
    * MFSA 2013-91/CVE-2013-1737 (bmo#907727)
      User-defined properties on DOM proxies get the wrong "this" object
    * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897)
      GC hazard with default compartments and frame chain restoration
  - enable gstreamer explicitely via pref (gecko.js)
  - require NSS 3.15.1
* Mon Aug 26 2013 wr@rosenauer.org
  - update to Firefox 23.0.1
    * Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls
      (bmo#901527)
* Sun Aug 04 2013 wr@rosenauer.org
  - update to Firefox 23.0 (bnc#833389)
    * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702
      Miscellaneous memory safety hazards
    * MFSA 2013-64/CVE-2013-1704 (bmo#883313)
      Use after free mutating DOM during SetBody
    * MFSA 2013-65/CVE-2013-1705 (bmo#882865)
      Buffer underflow when generating CRMF requests
    * MFSA 2013-67/CVE-2013-1708 (bmo#879924)
      Crash during WAV audio file decoding
    * MFSA 2013-68/CVE-2013-1709 (bmo#838253)
      Document URI misrepresentation and masquerading
    * MFSA 2013-69/CVE-2013-1710 (bmo#871368)
      CRMF requests allow for code execution and XSS attacks
    * MFSA 2013-70/CVE-2013-1711 (bmo#843829)
      Bypass of XrayWrappers using XBL Scopes
    * MFSA 2013-72/CVE-2013-1713 (bmo#887098)
      Wrong principal used for validating URI for some Javascript
      components
    * MFSA 2013-73/CVE-2013-1714 (bmo#879787)
      Same-origin bypass with web workers and XMLHttpRequest
    * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
      Local Java applets may read contents of local file system
  - requires NSPR 4.10 and NSS 3.15
* Wed Jul 03 2013 dmueller@suse.com
  - fix build on ARM (/-g/ matches /-grecord-switches/)
* Sat Jun 22 2013 wr@rosenauer.org
  - update to Firefox 22.0 (bnc#825935)
    * removed obsolete patches
      + mozilla-qcms-ppc.patch
      + mozilla-gstreamer-760140.patch
    * GStreamer support does not build on 12.1 anymore (build only
      on 12.2 and later)
    * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683
      Miscellaneous memory safety hazards
    * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
      Memory corruption found using Address Sanitizer
    * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
      Privileged content access and execution via XBL
    * MFSA 2013-52/CVE-2013-1688 (bmo#873966)
      Arbitrary code execution within Profiler
    * MFSA 2013-53/CVE-2013-1690 (bmo#857883)
      Execution of unmapped memory through onreadystatechange event
    * MFSA 2013-54/CVE-2013-1692 (bmo#866915)
      Data in the body of XHR HEAD requests leads to CSRF attacks
    * MFSA 2013-55/CVE-2013-1693 (bmo#711043)
      SVG filters can lead to information disclosure
    * MFSA 2013-56/CVE-2013-1694 (bmo#848535)
      PreserveWrapper has inconsistent behavior
    * MFSA 2013-57/CVE-2013-1695 (bmo#849791)
      Sandbox restrictions not applied to nested frame elements
    * MFSA 2013-58/CVE-2013-1696 (bmo#761667)
      X-Frame-Options ignored when using server push with multi-part
      responses
    * MFSA 2013-59/CVE-2013-1697 (bmo#858101)
      XrayWrappers can be bypassed to run user defined methods in a
      privileged context
    * MFSA 2013-60/CVE-2013-1698 (bmo#876044)
      getUserMedia permission dialog incorrectly displays location
    * MFSA 2013-61/CVE-2013-1699 (bmo#840882)
      Homograph domain spoofing in .com, .net and .name
* Tue Jun 11 2013 dvaleev@suse.com
  - Fix qcms altivec include (mozilla-qcms-ppc.patch)
* Fri May 10 2013 wr@rosenauer.org
  - update to Firefox 21.0 (bnc#819204)
    * removed upstreamed patch firefox-712763.patch
    * removed disabled mozilla-disable-neon-option.patch
    * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669
      Miscellaneous memory safety hazards
    * MFSA 2013-42/CVE-2013-1670 (bmo#853709)
      Privileged access for content level constructor
    * MFSA 2013-43/CVE-2013-1671 (bmo#842255)
      File input control has access to full path
    * MFSA 2013-46/CVE-2013-1674 (bmo#860971)
      Use-after-free with video and onresize event
    * MFSA 2013-47/CVE-2013-1675 (bmo#866825)
      Uninitialized functions in DOMSVGZoomEvent
    * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/
      CVE-2013-1679/CVE-2013-1680/CVE-2013-1681
      Memory corruption found using Address Sanitizer
* Tue Apr 09 2013 wr@rosenauer.org
  - revert to use GStreamer 0.10 on 12.3 (bnc#814101)
    (remove mozilla-gstreamer-1.patch)
* Fri Apr 05 2013 schwab@linux-m68k.org
  - Explicitly disable WebRTC support on non-x86, the configure script
    disables it only half-heartedly
* Fri Mar 29 2013 wr@rosenauer.org
  - update to Firefox 20.0 (bnc#813026)
    * requires NSPR 4.9.5 and NSS 3.14.3
    * mozilla-webrtc-ppc.patch included upstream
    * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789
      Miscellaneous memory safety hazards
    * MFSA 2013-31/CVE-2013-0800 (bmo#825721)
      Out-of-bounds write in Cairo library
    * MFSA 2013-35/CVE-2013-0796 (bmo#827106)
      WebGL crash with Mesa graphics driver on Linux
    * MFSA 2013-36/CVE-2013-0795 (bmo#825697)
      Bypass of SOW protections allows cloning of protected nodes
    * MFSA 2013-37/CVE-2013-0794 (bmo#626775)
      Bypass of tab-modal dialog origin disclosure
    * MFSA 2013-38/CVE-2013-0793 (bmo#803870)
      Cross-site scripting (XSS) using timed history navigations
    * MFSA 2013-39/CVE-2013-0792 (bmo#722831)
      Memory corruption while rendering grayscale PNG images
  - use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)
* Tue Mar 12 2013 dmueller@suse.com
  - build fixes for armv7hl:
    * disable debug build as armv7hl does not have enough memory
    * disable webrtc on armv7hl as it is non-compiling
* Thu Mar 07 2013 wr@rosenauer.org
  - update to Firefox 19.0.2 (bnc#808243)
    * MFSA 2013-29/CVE-2013-0787 (bmo#848644)
      Use-after-free in HTML Editor
* Thu Feb 28 2013 wr@rosenauer.org
  - update to Firefox 19.0.1
    * blocklist updates
* Sat Feb 16 2013 wr@rosenauer.org
  - update to Firefox 19.0 (bnc#804248)
    * MFSA 2013-21/CVE-2013-0783/2013-0784
      Miscellaneous memory safety hazards
    * MFSA 2013-22/CVE-2013-0772 (bmo#801366)
      Out-of-bounds read in image rendering
    * MFSA 2013-23/CVE-2013-0765 (bmo#830614)
      Wrapped WebIDL objects can be wrapped again
    * MFSA 2013-24/CVE-2013-0773 (bmo#809652)
      Web content bypass of COW and SOW security wrappers
    * MFSA 2013-25/CVE-2013-0774 (bmo#827193)
      Privacy leak in JavaScript Workers
    * MFSA 2013-26/CVE-2013-0775 (bmo#831095)
      Use-after-free in nsImageLoadingContent
    * MFSA 2013-27/CVE-2013-0776 (bmo#796475)
      Phishing on HTTPS connection through malicious proxy
    * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/
      CVE-2013-0778/CVE-2013-0779/CVE-2013-0781
      Use-after-free, out of bounds read, and buffer overflow issues
      found using Address Sanitizer
  - removed obsolete patches
    * mozilla-webrtc.patch
    * mozilla-gstreamer-803287.patch
  - added patch to fix session restore window order (bmo#712763)
* Sat Feb 02 2013 wr@rosenauer.org
  - update to Firefox 18.0.2
    * blocklist and CTP updates
    * fixes in JS engine
* Wed Jan 16 2013 wr@rosenauer.org
  - update to Firefox 18.0.1
    * blocklist updates
    * backed out bmo#677092 (removed patch)
    * fixed problems involving HTTP proxy transactions
* Sat Jan 12 2013 schwab@linux-m68k.org
  - Fix WebRTC to build on powerpc
* Sun Jan 06 2013 wr@rosenauer.org
  - update to Firefox 18.0 (bnc#796895)
    * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770
      Miscellaneous memory safety hazards
    * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767
      CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829
      Use-after-free and buffer overflow issues found using Address Sanitizer
    * MFSA 2013-03/CVE-2013-0768 (bmo#815795)
      Buffer Overflow in Canvas
    * MFSA 2013-04/CVE-2012-0759 (bmo#802026)
      URL spoofing in addressbar during page loads
    * MFSA 2013-05/CVE-2013-0744 (bmo#814713)
      Use-after-free when displaying table with many columns and column groups
    * MFSA 2013-06/CVE-2013-0751 (bmo#790454)
      Touch events are shared across iframes
    * MFSA 2013-07/CVE-2013-0764 (bmo#804237)
      Crash due to handling of SSL on threads
    * MFSA 2013-08/CVE-2013-0745 (bmo#794158)
      AutoWrapperChanger fails to keep objects alive during garbage collection
    * MFSA 2013-09/CVE-2013-0746 (bmo#816842)
      Compartment mismatch with quickstubs returned values
    * MFSA 2013-10/CVE-2013-0747 (bmo#733305)
      Event manipulation in plugin handler to bypass same-origin policy
    * MFSA 2013-11/CVE-2013-0748 (bmo#806031)
      Address space layout leaked in XBL objects
    * MFSA 2013-12/CVE-2013-0750 (bmo#805121)
      Buffer overflow in Javascript string concatenation
    * MFSA 2013-13/CVE-2013-0752 (bmo#805024)
      Memory corruption in XBL with XML bindings containing SVG
    * MFSA 2013-14/CVE-2013-0757 (bmo#813901)
      Chrome Object Wrapper (COW) bypass through changing prototype
    * MFSA 2013-15/CVE-2013-0758 (bmo#813906)
      Privilege escalation through plugin objects
    * MFSA 2013-16/CVE-2013-0753 (bmo#814001)
      Use-after-free in serializeToStream
    * MFSA 2013-17/CVE-2013-0754 (bmo#814026)
      Use-after-free in ListenerManager
    * MFSA 2013-18/CVE-2013-0755 (bmo#814027)
      Use-after-free in Vibrate
    * MFSA 2013-19/CVE-2013-0756 (bmo#814029)
      Use-after-free in Javascript Proxy objects
  - requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743)
  - removed obsolete SLE11 patches (mozilla-gcc43*)
  - reenable WebRTC
  - added mozilla-libproxy-compat.patch for libproxy API compat
    on openSUSE 11.2 and earlier
  - backed out restartless language packs as it broke multi-locale
    setup (bmo#677092, bmo#818468)
* Thu Nov 29 2012 wr@rosenauer.org
  - update to Firefox 17.0.1
    * revert some useragent changes introduced in 17.0
    * leaving private browsing with social enabled doesn't reset all
      social components (bmo#815042)
  - fix KDE integration for file dialogs
* Tue Nov 20 2012 wr@rosenauer.org
  - update to Firefox 17.0 (bnc#790140)
    * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843
      Miscellaneous memory safety hazards
    * MFSA 2012-92/CVE-2012-4202 (bmo#758200)
      Buffer overflow while rendering GIF images
    * MFSA 2012-93/CVE-2012-4201 (bmo#747607)
      evalInSanbox location context incorrectly applied
    * MFSA 2012-94/CVE-2012-5836 (bmo#792857)
      Crash when combining SVG text on path with CSS
    * MFSA 2012-95/CVE-2012-4203 (bmo#765628)
      Javascript: URLs run in privileged context on New Tab page
    * MFSA 2012-96/CVE-2012-4204 (bmo#778603)
      Memory corruption in str_unescape
    * MFSA 2012-97/CVE-2012-4205 (bmo#779821)
      XMLHttpRequest inherits incorrect principal within sandbox
    * MFSA 2012-99/CVE-2012-4208 (bmo#798264)
      XrayWrappers exposes chrome-only properties when not in chrome
      compartment
    * MFSA 2012-100/CVE-2012-5841 (bmo#805807)
      Improper security filtering for cross-origin wrappers
    * MFSA 2012-101/CVE-2012-4207 (bmo#801681)
      Improper character decoding in HZ-GB-2312 charset
    * MFSA 2012-102/CVE-2012-5837 (bmo#800363)
      Script entered into Developer Toolbar runs with chrome privileges
    * MFSA 2012-103/CVE-2012-4209 (bmo#792405)
      Frames can shadow top.location
    * MFSA 2012-104/CVE-2012-4210 (bmo#796866)
      CSS and HTML injection through Style Inspector
    * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/
      CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/
      CVE-2012-4213/CVE-2012-4217/CVE-2012-4218
      Use-after-free and buffer overflow issues found using Address
      Sanitizer
    * MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838
      Use-after-free, buffer overflow, and memory corruption issues
      found using Address Sanitizer
  - rebased patches
  - disabled WebRTC since build is broken (bmo#776877)
* Tue Nov 20 2012 pcerny@suse.com
  - build on SLE11
    * mozilla-gcc43-enums.patch
    * mozilla-gcc43-template_hacks.patch
    * mozilla-gcc43-templates_instantiation.patch
* Wed Oct 24 2012 wr@rosenauer.org
  - update to Firefox 16.0.2 (bnc#786522)
    * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196
      (bmo#800666, bmo#793121, bmo#802557)
      Fixes for Location object issues
  - bring back Obsoletes for libproxy's mozjs plugin for distributions
    before 12.2 to avoid crashes
* Thu Oct 11 2012 wr@rosenauer.org
  - update to Firefox 16.0.1 (bnc#783533)
    * MFSA 2012-88/CVE-2012-4191 (bmo#798045)
      Miscellaneous memory safety hazards
    * MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619)
      defaultValue security checks not applied
* Sun Oct 07 2012 wr@rosenauer.org
  - update to Firefox 16.0 (bnc#783533)
    * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983
      Miscellaneous memory safety hazards
    * MFSA 2012-75/CVE-2012-3984 (bmo#575294)
      select element persistance allows for attacks
    * MFSA 2012-76/CVE-2012-3985 (bmo#655649)
      Continued access to initial origin after setting document.domain
    * MFSA 2012-77/CVE-2012-3986 (bmo#775868)
      Some DOMWindowUtils methods bypass security checks
    * MFSA 2012-79/CVE-2012-3988 (bmo#725770)
      DOS and crash with full screen and history navigation
    * MFSA 2012-80/CVE-2012-3989 (bmo#783867)
      Crash with invalid cast when using instanceof operator
    * MFSA 2012-81/CVE-2012-3991 (bmo#783260)
      GetProperty function can bypass security checks
    * MFSA 2012-82/CVE-2012-3994 (bmo#765527)
      top object and location property accessible by plugins
    * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370)
      Chrome Object Wrapper (COW) does not disallow acces to privileged
      functions or properties
    * MFSA 2012-84/CVE-2012-3992 (bmo#775009)
      Spoofing and script injection through location.hash
    * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/
      CVE-2012-4181/CVE-2012-4182/CVE-2012-4183
      Use-after-free, buffer overflow, and out of bounds read issues
      found using Address Sanitizer
    * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/
      CVE-2012-4188
      Heap memory corruption issues found using Address Sanitizer
    * MFSA 2012-87/CVE-2012-3990 (bmo#787704)
      Use-after-free in the IME State Manager
  - requires NSPR 4.9.2
  - improve GStreamer integration (bmo#760140)
  - removed upstreamed mozilla-crashreporter-restart-args.patch
  - webapprt now included
  - use kmozillahelper's new REVEAL command (bnc#777415)
    (requires mozilla-kde4-integration >= 0.6.4)
  - updated translations-other with new languages
* Mon Sep 10 2012 wr@rosenauer.org
  - update to Firefox 15.0.1 (bnc#779936)
    * Sites visited while in Private Browsing mode could be found
      through manual browser cache inspection (bmo#787743)
* Sun Aug 26 2012 wr@rosenauer.org
  - update to Firefox 15.0 (bnc#777588)
    * MFSA 2012-57/CVE-2012-1970
      Miscellaneous memory safety hazards
    * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975
      CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959
      CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964
      Use-after-free issues found using Address Sanitizer
    * MFSA 2012-59/CVE-2012-1956 (bmo#756719)
      Location object can be shadowed using Object.defineProperty
    * MFSA 2012-60/CVE-2012-3965 (bmo#769108)
      Escalation of privilege through about:newtab
    * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793)
      Memory corruption with bitmap format images with negative height
    * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968
      WebGL use-after-free and memory corruption
    * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970
      SVG buffer overflow and use-after-free issues
    * MFSA 2012-64/CVE-2012-3971
      Graphite 2 memory corruption
    * MFSA 2012-65/CVE-2012-3972 (bmo#746855)
      Out-of-bounds read in format-number in XSLT
    * MFSA 2012-66/CVE-2012-3973 (bmo#757128)
      HTTPMonitor extension allows for remote debugging without explicit
      activation
    * MFSA 2012-68/CVE-2012-3975 (bmo#770684)
      DOMParser loads linked resources in extensions when parsing
      text/html
    * MFSA 2012-69/CVE-2012-3976 (bmo#768568)
      Incorrect site SSL certificate data display
    * MFSA 2012-70/CVE-2012-3978 (bmo#770429)
      Location object security checks bypassed by chrome code
    * MFSA 2012-72/CVE-2012-3980 (bmo#771859)
      Web console eval capable of executing chrome-privileged code
  - fix HTML5 video crash with GStreamer enabled (bmo#761030)
  - GStreamer is only used for MP4 (no WebM, OGG)
  - updated filelist
  - moved browser specific preferences to correct location
* Sun Jul 29 2012 aj@suse.de
  - Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16)
* Sat Jul 14 2012 wr@rosenauer.org
  - update to 14.0.1 (bnc#771583)
    * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948
      Miscellaneous memory safety hazards
    * MFSA 2012-43/CVE-2012-1950
      Incorrect URL displayed in addressbar through drag and drop
    * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952
      Gecko memory corruption
    * MFSA 2012-45/CVE-2012-1955 (bmo#757376)
      Spoofing issue with location
    * MFSA 2012-46/CVE-2012-1966 (bmo#734076)
      XSS through data: URLs
    * MFSA 2012-47/CVE-2012-1957 (bmo#750096)
      Improper filtering of javascript in HTML feed-view
    * MFSA 2012-48/CVE-2012-1958 (bmo#750820)
      use-after-free in nsGlobalWindow::PageHidden
    * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559)
      Same-compartment Security Wrappers can be bypassed
    * MFSA 2012-50/CVE-2012-1960 (bmo#761014)
      Out of bounds read in QCMS
    * MFSA 2012-51/CVE-2012-1961 (bmo#761655)
      X-Frame-Options header ignored when duplicated
    * MFSA 2012-52/CVE-2012-1962 (bmo#764296)
      JSDependentString::undepend string conversion results in memory
      corruption
    * MFSA 2012-53/CVE-2012-1963 (bmo#767778)
      Content Security Policy 1.0 implementation errors cause data
      leakage
    * MFSA 2012-55/CVE-2012-1965 (bmo#758990)
      feed: URLs with an innerURI inherit security context of page
    * MFSA 2012-56/CVE-2012-1967 (bmo#758344)
      Code execution through javascript: URLs
  - license change from tri license to MPL-2.0
  - fix crashreporter restart option (bmo#762780)
  - require NSS 3.13.5
  - remove mozjs pacrunner obsoletes again for now
  - adopted mozilla-prefer_plugin_pref.patch
  - PPC fixes:
    * reenabled mozilla-yarr-pcre.patch to fix build for PPC
    * add patches for bmo#750620 and bmo#746112
    * fix xpcshell segfault on ppc
* Fri Jun 15 2012 wr@rosenauer.org
  - update to Firefox 13.0.1
    * bugfix release
  - obsolete libproxy's mozjs pacrunner (bnc#759123)
* Sat Jun 02 2012 wr@rosenauer.org
  - update to Firefox 13.0 (bnc#765204)
    * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
      Miscellaneous memory safety hazards
    * MFSA 2012-36/CVE-2012-1944 (bmo#751422)
      Content Security Policy inline-script bypass
    * MFSA 2012-37/CVE-2012-1945 (bmo#670514)
      Information disclosure though Windows file shares and shortcut
      files
    * MFSA 2012-38/CVE-2012-1946 (bmo#750109)
      Use-after-free while replacing/inserting a node in a document
    * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
      Buffer overflow and use-after-free issues found using Address
      Sanitizer
  - require NSS 3.13.4
    * MFSA 2012-39/CVE-2012-0441 (bmo#715073)
  - fix sound notifications when filename/path contains a whitespace
    (bmo#749739)
* Wed May 23 2012 adrian@suse.de
  - fix build on arm
* Wed May 16 2012 wr@rosenauer.org
  - reenabled crashreporter for Factory/12.2
    (fix in mozilla-gcc47.patch)
* Sat Apr 21 2012 wr@rosenauer.org
  - update to Firefox 12.0 (bnc#758408)
    * rebased patches
    * MFSA 2012-20/CVE-2012-0467/CVE-2012-0468
      Miscellaneous memory safety hazards
    * MFSA 2012-22/CVE-2012-0469 (bmo#738985)
      use-after-free in IDBKeyRange
    * MFSA 2012-23/CVE-2012-0470 (bmo#734288)
      Invalid frees causes heap corruption in gfxImageSurface
    * MFSA 2012-24/CVE-2012-0471 (bmo#715319)
      Potential XSS via multibyte content processing errors
    * MFSA 2012-25/CVE-2012-0472 (bmo#744480)
      Potential memory corruption during font rendering using cairo-dwrite
    * MFSA 2012-26/CVE-2012-0473 (bmo#743475)
      WebGL.drawElements may read illegal video memory due to
      FindMaxUshortElement error
    * MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307)
      Page load short-circuit can lead to XSS
    * MFSA 2012-28/CVE-2012-0475 (bmo#694576)
      Ambiguous IPv6 in Origin headers may bypass webserver access
      restrictions
    * MFSA 2012-29/CVE-2012-0477 (bmo#718573)
      Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
    * MFSA 2012-30/CVE-2012-0478 (bmo#727547)
      Crash with WebGL content using textImage2D
    * MFSA 2012-31/CVE-2011-3062 (bmo#739925)
      Off-by-one error in OpenType Sanitizer
    * MFSA 2012-32/CVE-2011-1187 (bmo#624621)
      HTTP Redirections and remote content can be read by javascript errors
    * MFSA 2012-33/CVE-2012-0479 (bmo#714631)
      Potential site identity spoofing when loading RSS and Atom feeds
  - added mozilla-libnotify.patch to allow fallback from libnotify
    to xul based events if no notification-daemon is running
  - gcc 4.7 fixes
    * mozilla-gcc47.patch
    * disabled crashreporter temporarily for Factory
  - recommend libcanberra0 for proper sound notifications
* Fri Mar 09 2012 wr@rosenauer.org
  - update to Firefox 11.0 (bnc#750044)
    * MFSA 2012-13/CVE-2012-0455 (bmo#704354)
      XSS with Drag and Drop and Javascript: URL
    * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103)
      SVG issues found with Address Sanitizer
    * MFSA 2012-15/CVE-2012-0451 (bmo#717511)
      XSS with multiple Content Security Policy headers
    * MFSA 2012-16/CVE-2012-0458
      Escalation of privilege with Javascript: URL as home page
    * MFSA 2012-17/CVE-2012-0459 (bmo#723446)
      Crash when accessing keyframe cssText after dynamic modification
    * MFSA 2012-18/CVE-2012-0460 (bmo#727303)
      window.fullScreen writeable by untrusted content
    * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/
      CVE-2012-0463
      Miscellaneous memory safety hazards
  - ported and reenabled KDE integration (bnc#746591)
  - explicitely build-require X libs
* Mon Mar 05 2012 vdziewiecki@suse.com
  - add Provides: browser(npapi) FATE#313084
* Fri Feb 17 2012 pcerny@suse.com
  - better plugin directory resolution (bnc#747320)
* Thu Feb 16 2012 wr@rosenauer.org
  - update to Firefox 10.0.2 (bnc#747328)
    * CVE-2011-3026 (bmo#727401)
      libpng: integer overflow leading to heap-buffer overflow
* Thu Feb 09 2012 wr@rosenauer.org
  - update to Firefox 10.0.1 (bnc#746616)
    * MFSA 2012-10/CVE-2012-0452 (bmo#724284)
      use after free in nsXBLDocumentInfo::ReadPrototypeBindings
* Tue Feb 07 2012 dvaleev@suse.com
  - Use YARR interpreter instead of PCRE on platforms where YARR JIT
    is not supported, since PCRE doesnt build (bmo#691898)
  - fix ppc64 build (bmo#703534)
* Mon Jan 30 2012 wr@rosenauer.org
  - update to Firefox 10.0 (bnc#744275)
    * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
      Miscellaneous memory safety hazards
    * MFSA 2012-03/CVE-2012-0445 (bmo#701071)
      <iframe> element exposed across domains via name attribute
    * MFSA 2012-04/CVE-2011-3659 (bmo#708198)
      Child nodes from nsDOMAttribute still accessible after removal
      of nodes
    * MFSA 2012-05/CVE-2012-0446 (bmo#705651)
      Frame scripts calling into untrusted objects bypass security
      checks
    * MFSA 2012-06/CVE-2012-0447 (bmo#710079)
      Uninitialized memory appended when encoding icon images may
      cause information disclosure
    * MFSA 2012-07/CVE-2012-0444 (bmo#719612)
      Potential Memory Corruption When Decoding Ogg Vorbis files
    * MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
      Crash with malformed embedded XSLT stylesheets
  - KDE integration has been disabled since it needs refactoring
  - removed obsolete ppc64 patch
* Sun Jan 22 2012 joop.boonen@opensuse.org
  - Disable neon for arm as it doesn't build correctly
* Fri Dec 23 2011 wr@rosenauer.org
  - update to Firefox 9.0.1
    * (strongparent) parentNode of element gets lost (bmo#335998)
* Sun Dec 18 2011 adrian@suse.de
  - fix arm build, don't package crashreporter there
* Sun Dec 18 2011 wr@rosenauer.org
  - update to Firefox 9 (bnc#737533)
    * MFSA 2011-53/CVE-2011-3660
      Miscellaneous memory safety hazards (rv:9.0)
    * MFSA 2011-54/CVE-2011-3661 (bmo#691299)
      Potentially exploitable crash in the YARR regular expression
      library
    * MFSA 2011-55/CVE-2011-3658 (bmo#708186)
      nsSVGValue out-of-bounds access
    * MFSA 2011-56/CVE-2011-3663 (bmo#704482)
      Key detection without JavaScript via SVG animation
    * MFSA 2011-58/VE-2011-3665 (bmo#701259)
      Crash scaling <video> to extreme sizes
* Sun Nov 27 2011 mgorse@suse.com
  - Fix accessibility under GNOME 3 (bnc#732898)
* Sat Nov 12 2011 dvaleev@suse.com
  - fix ppc64 build
* Sun Nov 06 2011 wr@rosenauer.org
  - update to Firefox 8 (bnc#728520)
    * MFSA 2011-47/CVE-2011-3648 (bmo#690225)
      Potential XSS against sites using Shift-JIS
    * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
      Miscellaneous memory safety hazards
    * MFSA 2011-49/CVE-2011-3650 (bmo#674776)
      Memory corruption while profiling using Firebug
    * MFSA 2011-52/CVE-2011-3655 (bmo#672182)
      Code execution via NoWaiverWrapper
  - rebased patches
* Thu Oct 20 2011 wr@rosenauer.org
  - enable telemetry prompt
* Fri Sep 30 2011 wr@rosenauer.org
  - update to minor release 7.0.1
    * fixed staged addon updates
  - set intl.locale.matchOS=true in the base package as it causes
    too much confusion when it's only available with branding-openSUSE
* Fri Sep 23 2011 wr@rosenauer.org
  - update to Firefox 7 (bnc#720264)
    including
    * Improve Responsiveness with Memory Reductions
    * Instant Sync
    * WebSocket protocol 8
    * MFSA 2011-36/CVE-2011-2995/CVE-2011-2996/CVE-2011-2997
      Miscellaneous memory safety hazards
    * MFSA 2011-39/CVE-2011-3000 (bmo#655389)
      Defense against multiple Location headers due to CRLF Injection
    * MFSA 2011-40/CVE-2011-2372/CVE-2011-3001
      Code installation through holding down Enter
    * MFSA 2011-41/CVE-2011-3002/CVE-2011-3003 (bmo#680840, bmo#682335)
      Potentially exploitable WebGL crashes
    * MFSA 2011-42/CVE-2011-3232 (bmo#653672)
      Potentially exploitable crash in the YARR regular expression
      library
    * MFSA 2011-43/CVE-2011-3004 (bmo#653926)
      loadSubScript unwraps XPCNativeWrapper scope parameter
    * MFSA 2011-44/CVE-2011-3005 (bmo#675747)
      Use after free reading OGG headers
    * MFSA 2011-45
      Inferring keystrokes from motion data
  - removed obsolete mozilla-cairo-lcd.patch
  - rebased patches
  - removed XLIB_SKIP_ARGB_VISUALS=1 from environment in
    mozilla.sh.in (bnc#680758)
* Fri Sep 16 2011 wr@rosenauer.org
  - fixed loading of kde.js under KDE (bnc#718311)
* Wed Sep 14 2011 wr@rosenauer.org
  - add dbus-1-glib-devel to BuildRequires (not pulled in
    automatically anymore on 12.1)
  - increase minversions for NSPR and NSS
* Fri Sep 09 2011 wr@rosenauer.org
  - recreated source archive to get correct source-stamp.txt
* Wed Sep 07 2011 pcerny@suse.com
  - security update to 6.0.2 (bnc#714931)
    * Complete blocking of certificates issued by DigiNotar
      (bmo#683449)
* Fri Sep 02 2011 pcerny@suse.com
  - security update to 6.0.1 (bnc#714931)
    * MFSA 2011-34
      Protection against fraudulent DigiNotar certificates
      (bmo#682927)
* Fri Aug 12 2011 wr@rosenauer.org
  - update to 6.0 (bnc#712224)
    included security fixes MFSA 2011-29
    * CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985
      Miscellaneous memory safety hazards
    * CVE-2011-2993 (bmo#657267)
      Unsigned scripts can call script inside signed JAR
    * CVE-2011-2988 (bmo#665934)
      Heap overflow in ANGLE library
    * CVE-2011-0084 (bmo#648094)
      Crash in SVGTextElement.getCharNumAtPosition()
    * CVE-2011-2990
      Credential leakage using Content Security Policy reports
    * CVE-2011-2986 (bmo#655836)
      Cross-origin data theft using canvas and Windows D2D
  - removed obsolete curl header dependency (mozilla-curl.patch)
* Fri Jul 22 2011 wr@rosenauer.org
  - update to 6.0b3
    * removed obsolete patches
    - firefox-shellservice.patch
    - mozilla-gio.patch
    - mozilla-ppc-ipc.patch
    - firefox-linkorder.patch
    - firefox-no-sync-l10n.patch
  - recognize linux3 as platform for symbolstore.py
* Fri Jul 01 2011 vuntz@opensuse.org
  - Add x-scheme-handler/ftp to the MimeType key in the .desktop, to
    let desktops know that Firefox can deal with ftp: URIs.
* Fri Jul 01 2011 wr@rosenauer.org
  - create upstream branding package again (supposedly empty)
    (bnc#703401)
  - fix build on SLE11 (changes do not affect/are not applied for
    later versions)
* Wed Jun 22 2011 wr@rosenauer.org
  - enable startup notification (bnc#701465)
* Mon Jun 20 2011 wr@rosenauer.org
  - update to 5.0 final
  - included fixes for security issues: (bnc#701296, bnc#700578)
    * MFSA 2011-19/CVE-2011-2374 CVE-2011-2375
      Miscellaneous memory safety hazards
    * MFSA 2011-20/CVE-2011-2373 (bmo#617247)
      Use-after-free vulnerability when viewing XUL document with
      script disabled
    * MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303)
      Memory corruption due to multipart/x-mixed-replace images
    * MFSA 2011-22/CVE-2011-2371 (bmo#664009)
      Integer overflow and arbitrary code execution in
      Array.reduceRight()
    * MFSA 2011-25/CVE-2011-2366
      Stealing of cross-domain images using WebGL textures
    * MFSA 2011-26/CVE-2011-2367 CVE-2011-2368
      Multiple WebGL crashes
    * MFSA 2011-27/CVE-2011-2369 (bmo#650001)
      XSS encoding hazard with inline SVG
    * MFSA 2011-28/CVE-2011-2370 (bmo#645699)
      Non-whitelisted site can trigger xpinstall
* Mon Jun 20 2011 wr@rosenauer.org
  - update to 5.0b7
    * updated supported locales
  - do not build dump_syms static (not needed for us)
    - > fix build for openSUSE 12.1 and above
* Wed Jun 15 2011 wr@rosenauer.org
  - update to 5.0b6
  - include proper revision information into the build
  - speedier find-external-requires.sh
* Tue May 31 2011 wr@rosenauer.org
  - update to 5.0b3
  - transformed to standalone Firefox (not xulrunner based)
    (with new Firefox rapid release cycle it makes no sense anymore)
    * imported all relevant xulrunner patches
  - do not compile in build timestamp
* Fri Apr 15 2011 wr@rosenauer.org
  - security update to 4.0.1 (bnc#689281)
    * MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0079
      CVE-2011-0080 CVE-2011-0081
      Miscellaneous memory safety hazards
    * MFSA 2011-17/CVE-2011-0068 (bmo#623791)
      WebGLES vulnerabilities
    * MFSA 2011-18/CVE-2011-1202 (bmo#640339)
      XSLT generate-id() function heap address leak
* Wed Mar 30 2011 wr@rosenauer.org
  - add all available icon sizes
* Tue Mar 29 2011 cfarrell@novell.com
  - license update: MPLv1.1 or GPLv2+ or LGPLv2+
    Sync licenses with Fedora. MPL does not state ^or later^
* Fri Mar 18 2011 wr@rosenauer.org
  - update to version 4.0rc2
  - fixed rpm macros delivered with devel package (bnc#679950)
* Wed Feb 23 2011 wr@rosenauer.org
  - update to version 4.0b12
  - rebased patches
* Fri Feb 04 2011 wr@rosenauer.org
  - update to version 4.0b11
    * loads of bugfixes compared to last beta
    * added "Do Not Track" option
  - rebased patches
  - disable testpilot
* Fri Jan 28 2011 wr@rosenauer.org
  - set correct desktop file name within KDE for 11.4 and up
  - add devel package with macros for extensions (from lnussel@suse.de)
* Sat Jan 22 2011 wr@rosenauer.org
  - update to version 4.0b10
  - removed obsolete firefox-shell-bmo624267.patch
  - testpilot moved to distribution/extensions
  - updated locale provides and removed bn-IN from locales
* Tue Jan 11 2011 wr@rosenauer.org
  - update to version 4.0b9
  - added x-scheme-handler for http and https to desktop file for
    newer Gnome environments
  - fixed default browser check/set for GIO (bmo#611953)
    (mozilla-shellservice.patch)
  - removed obsolete firefox-appname.patch (integrated into
    shellservice patch)
  - renamed desktop file to firefox.desktop for 11.4 and newer
    (bnc#664211)
  - removed support for 10.3 and older from the spec file
  - removed obsolete "Ximian" categories from desktop file
* Mon Jan 03 2011 meissner@suse.de
  - Mirror ac_add_options --disable-ipc from xulrunner for PowerPC.
* Wed Dec 15 2010 wr@rosenauer.org
  - update to version 4.0beta8
* Tue Nov 30 2010 wr@rosenauer.org
  - major update to version 4.0beta7
    * based on mozilla-xulrunner20
    * far too many internal changes to list
* Wed Oct 27 2010 wr@rosenauer.org
  - security update to 3.6.12 (bnc#649492)
    * MFSA 2010-73/CVE-2010-3765 (bmo#607222)
      Heap buffer overflow mixing document.write and DOM insertion
* Wed Oct 06 2010 wr@rosenauer.org
  - security update to 3.6.11 (bnc#645315)
    * MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176
      Miscellaneous memory safety hazards
    * MFSA 2010-65/CVE-2010-3179 (bmo#583077)
      Buffer overflow and memory corruption using document.write
    * MFSA 2010-66/CVE-2010-3180 (bmo#588929)
      Use-after-free error in nsBarProp
    * MFSA 2010-67/CVE-2010-3183 (bmo#598669)
      Dangling pointer vulnerability in LookupGetterOrSetter
    * MFSA 2010-68/CVE-2010-3177 (bmo#556734)
      XSS in gopher parser when parsing hrefs
    * MFSA 2010-69/CVE-2010-3178 (bmo#576616)
      Cross-site information disclosure via modal calls
    * MFSA 2010-70/CVE-2010-3170 (bmo#578697)
      SSL wildcard certificate matching IP addresses
    * MFSA 2010-71/CVE-2010-3182 (bmo#590753)
      Unsafe library loading vulnerabilities
    * MFSA 2010-72/CVE-2010-3173
      Insecure Diffie-Hellman key exchange
* Wed Sep 15 2010 wr@rosenauer.org
  - update to 3.6.10
    * fixing startup topcrash (bmo#594699)
* Thu Aug 26 2010 wr@rosenauer.org
  - security update to 3.6.9 (bnc#637303)
    * MFSA 2010-49/CVE-2010-3169
      Miscellaneous memory safety hazards
    * MFSA 2010-50/CVE-2010-2765 (bmo#576447)
      Frameset integer overflow vulnerability
    * MFSA 2010-51/CVE-2010-2767 (bmo#584512)
      Dangling pointer vulnerability using DOM plugin array
    * MFSA 2010-53/CVE-2010-3166 (bmo#579655)
      Heap buffer overflow in nsTextFrameUtils::TransformText
    * MFSA 2010-54/CVE-2010-2760 (bmo#585815)
      Dangling pointer vulnerability in nsTreeSelection
    * MFSA 2010-55/CVE-2010-3168 (bmo#576075)
      XUL tree removal crash and remote code execution
    * MFSA 2010-56/CVE-2010-3167 (bmo#576070)
      Dangling pointer vulnerability in nsTreeContentView
    * MFSA 2010-57/CVE-2010-2766 (bmo#580445)
      Crash and remote code execution in normalizeDocument
    * MFSA 2010-59/CVE-2010-2762 (bmo#584180)
      SJOW creates scope chains ending in outer object
    * MFSA 2010-61/CVE-2010-2768 (bmo#579744)
      UTF-7 XSS by overriding document charset using <object> type
      attribute
    * MFSA 2010-62/CVE-2010-2769 (bmo#520189)
      Copy-and-paste or drag-and-drop into designMode document allows
      XSS
    * MFSA 2010-63/CVE-2010-2764 (bmo#552090)
      Information leak via XMLHttpRequest statusText
* Wed Jul 28 2010 meissner@suse.de
  - disable crash reporter for non x86/x86_64 to make it build.
* Sat Jul 24 2010 wr@rosenauer.org
  - security update to 3.6.8 (bnc#622506)
    * MFSA 2010-48/CVE-2010-2755 (bmo#575836)
      Dangling pointer crash regression from plugin parameter array
      fix
* Fri Jul 16 2010 wr@rosenauer.org
  - security update to 3.6.7 (bnc#622506)
    * MFSA 2010-34/CVE-2010-1211/CVE-2010-1212
      Miscellaneous memory safety hazards
    * MFSA 2010-35/CVE-2010-1208 (bmo#572986)
      DOM attribute cloning remote code execution vulnerability
    * MFSA 2010-36/CVE-2010-1209 (bmo#552110)
      Use-after-free error in NodeIterator
    * MFSA 2010-37/CVE-2010-1214 (bmo#572985)
      Plugin parameter EnsureCachedAttrParamArrays remote code
      execution vulnerability
    * MFSA 2010-38/CVE-2010-1215 (bmo#567069)
      Arbitrary code execution using SJOW and fast native function
    * MFSA 2010-39/CVE-2010-2752 (bmo#574059)
      nsCSSValue::Array index integer overflow
    * MFSA 2010-40/CVE-2010-2753 (bmo#571106)
      nsTreeSelection dangling pointer remote code execution
      vulnerability
    * MFSA 2010-41/CVE-2010-1205 (bmo#570451)
      Remote code execution using malformed PNG image
    * MFSA 2010-42/CVE-2010-1213 (bmo#568148)
      Cross-origin data disclosure via Web Workers and importScripts
    * MFSA 2010-43/CVE-2010-1207 (bmo#571287)
      Same-origin bypass using canvas context
    * MFSA 2010-44/CVE-2010-1210 (bmo#564679)
      Characters mapped to U+FFFD in 8 bit encodings cause subsequent
      character to vanish
    * MFSA 2010-45/CVE-2010-1206/CVE-2010-2751 (bmo#536466,556957)
      Multiple location bar spoofing vulnerabilities
    * MFSA 2010-46/CVE-2010-0654 (bmo#524223)
      Cross-domain data theft using CSS
    * MFSA 2010-47/CVE-2010-2754 (bmo#568564)
      Cross-origin data leakage from script filename in error messages
* Sun Jun 27 2010 wr@rosenauer.org
  - update to 3.6.6 release
    * modifies the crash protection feature to increase the amount
      of time that plugins are allowed to be non-responsive before
      being terminated.
* Wed Jun 23 2010 wr@rosenauer.org
  - update to final 3.6.4 release (bnc#603356)
    * MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/
      CVE-2010-1203
      Crashes with evidence of memory corruption (rv:1.9.2.4)
    * MFSA 2010-28/CVE-2010-1198 (bmo#532246)
      Freed object reuse across plugin instances
    * MFSA 2010-29/CVE-2010-1196 (bmo#534666)
      Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
    * MFSA 2010-30/CVE-2010-1199 (bmo#554255)
      Integer Overflow in XSLT Node Sorting
    * MFSA 2010-31/CVE-2010-1125 (bmo#552255)
      focus() behavior can be used to inject or steal keystrokes
    * MFSA 2010-32/CVE-2010-1197 (bmo#537120)
      Content-Disposition: attachment ignored if
      Content-Type: multipart also present
    * MFSA 2010-33/CVE-2008-5913 (bmo#475585)
      User tracking across sites using Math.random()
* Mon Jun 07 2010 wr@rosenauer.org
  - update to 3.6.4(build6)
* Sun Apr 18 2010 wr@rosenauer.org
  - security update to 3.6.4 (Lorentz)
    * enable crashreporter also for x86-64
    * Flash runs in a separate process to avoid crashing Firefox
      (ix86 only; x86-64 still uses nspluginwrapper)
* Thu Apr 01 2010 wr@rosenauer.org
  - security update to 3.6.3
    * MFSA 2010-25/CVE-2010-1121 (bmo#555109)
      Re-use of freed object due to scope confusion
* Thu Mar 18 2010 wr@rosenauer.org
  - security update to version 3.6.2 (bnc#586567)
    * MFSA 2010-08/CVE-2010-1028
      WOFF heap corruption due to integer overflow
    * MFSA 2010-09/CVE-2010-0164 (bmo#547143)
      Deleted frame reuse in multipart/x-mixed-replace image
    * MFSA 2010-10/CVE-2010-0170 (bmo#541530)
      XSS via plugins and unprotected Location object
    * MFSA 2010-11/CVE-2010-0165/CVE-2010-0166/CVE-2010-0167
      Crashes with evidence of memory corruption
    * MFSA 2010-12/CVE-2010-0171 (bmo#531364)
      XSS using addEventListener and setTimeout on a wrapped object
    * MFSA 2010-13/CVE-2010-0168 (bmo#540642)
      Content policy bypass with image preloading
    * MFSA 2010-14/CVE-2010-0169 (bmo#535806)
      Browser chrome defacement via cached XUL stylesheets
    * MFSA 2010-15/CVE-2010-0172 (bmo#537862)
      Asynchronous Auth Prompt attaches to wrong window
    * MFSA 2010-16/CVE-2010-0173/CVE-2010-0174
      Crashes with evidence of memory corruption
    * MFSA 2010-18/CVE-2010-0176 (bmo#538308)
      Dangling pointer vulnerability in nsTreeContentView
    * MFSA 2010-19/CVE-2010-0177 (bmo#538310)
      Dangling pointer vulnerability in nsPluginArray
    * MFSA 2010-20/CVE-2010-0178 (bmo#546909)
      Chrome privilege escalation via forced URL drag and drop
    * MFSA 2010-22/CVE-2009-3555 (bmo#545755)
      Update NSS to support TLS renegotiation indication
    * MFSA 2010-23/CVE-2010-0181 (bmo#452093)
      Image src redirect to mailto: URL opens email editor
    * MFSA 2010-24/CVE-2010-0182 (bmo#490790)
      XMLDocument::load() doesn't check nsIContentPolicy
* Mon Jan 18 2010 wr@rosenauer.org
  - update to 3.6rc2 (already named 3.6.0)
  - removed obsolete orbit-devel build requirement
* Wed Jan 06 2010 wr@rosenauer.org
  - major update to 3.6rc1
* Fri Dec 25 2009 wr@rosenauer.org
  - update to version 3.5.7 (bnc#568011)
    * DNS resolution in MakeSN of nsAuthSSPI causing issues for
      proxy servers that support NTLM auth (bmo#535193)
  - added missing lockdown preferences (bnc#567131)
* Thu Dec 17 2009 wr@rosenauer.org
  - readded firefox-ui-lockdown.patch (bnc#546158)
* Thu Dec 03 2009 wr@rosenauer.org
  - security update to version 3.5.6 (bnc#559807)
    * MFSA 2009-65/CVE-2009-3979/CVE-2009-3980/CVE-2009-3982
      Crashes with evidence of memory corruption (rv:1.9.1.6)
    * MFSA 2009-66/CVE-2009-3388 (bmo#504843,bmo#523816)
      Memory safety fixes in liboggplay media library
    * MFSA 2009-67/CVE-2009-3389 (bmo#515882,bmo#504613)
      Integer overflow, crash in libtheora video library
    * MFSA 2009-68/CVE-2009-3983 (bmo#487872)
      NTLM reflection vulnerability
    * MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232)
      Location bar spoofing vulnerabilities
    * MFSA 2009-70/VE-2009-3986 (bmo#522430)
      Privilege escalation via chrome window.opener
  - fixed firefox-browser-css.patch (bnc#561027)
* Mon Nov 23 2009 wr@rosenauer.org
  - rebased patches for fuzz=0
* Thu Nov 05 2009 wr@rosenauer.org
  - update to version 3.5.5 (bnc#553172)
* Sat Oct 17 2009 wr@rosenauer.org
  - security update to version 3.5.4 (bnc#545277)
    * MFSA 2009-52/CVE-2009-3370 (bmo#511615)
      Form history vulnerable to stealing
    * MFSA 2009-53/CVE-2009-3274 (bmo#514823)
      Local downloaded file tampering
    * MFSA 2009-54/CVE-2009-3371 (bmo#514554)
      Crash with recursive web-worker calls
    * MFSA 2009-55/CVE-2009-3372 (bmo#500644)
      Crash in proxy auto-configuration regexp parsing
    * MFSA 2009-56/CVE-2009-3373 (bmo#511689)
      Heap buffer overflow in GIF color map parser
    * MFSA 2009-57/CVE-2009-3374 (bmo#505988)
      Chrome privilege escalation in XPCVariant::VariantDataToJS()
    * MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862)
      Heap buffer overflow in string to number conversion
    * MFSA 2009-61/CVE-2009-3375 (bmo#503226)
      Cross-origin data theft through document.getSelection()
    * MFSA 2009-62/CVE-2009-3376 (bmo#511521)
      Download filename spoofing with RTL override
    * MFSA 2009-63/CVE-2009-3377/CVE-2009-3379/CVE-2009-3378
      Upgrade media libraries to fix memory safety bugs
    * MFSA 2009-64/CVE-2009-3380/CVE-2009-3381/CVE-2009-3383
      Crashes with evidence of memory corruption
  - removed upstreamed patch
    * firefox-bug506901.patch
* Wed Oct 07 2009 llunak@novell.com
  - fix KDE button order in one more place (bnc#170055)
* Fri Oct 02 2009 wr@rosenauer.org
  - improve UI colors to be usable with dark themes at all
    (firefox-browser-css.patch) (bnc#503351)
  - extend list of supported architectures as ABI identifier
    (mozilla-abi.patch) (bnc#543460)
* Sun Sep 13 2009 wr@rosenauer.org
  - added KDE integration patch from llunak@novell.com
    (firefox-kde.patch)
    * support for knotify, making -kde4-addon obsolete
    * KDE-specific support functional (bnc#170055)
  - do not build libnkgnomevfs (bmo#512671) (firefox-no-gnomevfs)
* Thu Sep 10 2009 wr@rosenauer.org
  - security update to version 3.5.3 (bnc#534458)
    * MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/
      CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075
      Crashes with evidence of memory corruption
    * MFSA 2009-49/CVE-2009-3077 (bmo#506871)
      TreeColumns dangling pointer vulnerability
    * MFSA 2009-50/CVE-2009-3078 (bmo#453827)
      Location bar spoofing via tall line-height Unicode characters
    * MFSA 2009-51/CVE-2009-3079 (bmo#454363)
      Chrome privilege escalation with FeedWriter
* Wed Aug 19 2009 wr@rosenauer.org
  - renamed patch firefox-contextmenu-gnome to firefox-cross-desktop
    as it contains more tweaks to handle non-Gnome environments and
    especially KDE integration:
    * added the ability to set the KDE default browser
      (still part of bnc#170055)
* Fri Aug 07 2009 wr@rosenauer.org
  - split -translations package into -common and -other
    (bnc#529180)
  - remove "set as background" from context menu if not running in
    Gnome (part of bnc#170055)
* Fri Jul 31 2009 wr@rosenauer.org
  - security update to version 3.5.2
    * MFSA 2009-38/CVE-2009-2470 (bmo#459524)
      Data corruption with SOCKS5 reply containing DNS name longer
      than 15 characters
    * MFSA 2009-44/CVE-2009-2654 (bmo#451898)
      Location bar and SSL indicator spoofing via window.open() on
      invalid URL
    * MFSA 2009-45
      Crashes with evidence of memory corruption
    * MFSA 2009-46 (bmo#498897)
      Chrome privilege escalation due to incorrectly cached wrapper
    * various other stability fixes
  - export MOZ_APP_LAUNCHER in the startscript (bmo#453689)
* Tue Jul 28 2009 wr@rosenauer.org
  - fixed %exclude usage
  - fixed preferences' advanced pane for fresh profiles (bmo#506901)
* Wed Jul 15 2009 wr@rosenauer.org
  - security update to version 3.5.1
    * MFSA 2009-41
      Corrupt JIT state after deep return from native function
* Mon Jul 06 2009 wr@rosenauer.org
  - added mozilla-linkorder.patch to fix build with --as-needed
* Tue Jun 30 2009 wr@rosenauer.org
  - update to final version 3.5 (20090623)
* Tue Jun 23 2009 wr@rosenauer.org
  - fixed build by linking to a real file
* Thu Jun 18 2009 wr@rosenauer.org
  - update to version 3.5rc2 (20090617)
  - BuildRequire mozilla-xulrunner191 = 1.9.1.0
* Sat Jun 06 2009 wr@rosenauer.org
  - update to version 3.5b99 (20090604)
  - BuildRequire mozilla-xulrunner191 = 1.9.1b99
* Wed May 27 2009 wr@rosenauer.org
  - fixed typos in improved xulrunner dependencies
* Mon May 11 2009 wr@rosenauer.org
  - use non-localized Downloads folder (bnc#501724)
* Mon May 04 2009 wr@rosenauer.org
  - update to new major version 3.5b4
    * based on Gecko 1.9.1 (mozilla-xulrunner191)
    * Private Browsing Mode
    * TraceMonkey JavaScript engine
    * Geolocation support
    * native JSON and web worker threads support
    * speculative parsing for faster content rendering
    * Some HTML5 support
  - updated firefox.schemas
  - improved firefox-no-update.patch
* Tue Apr 28 2009 wr@rosenauer.org
  - security update to 3.0.10
    * MFSA 2009-23/CVE-2009-1313 (bmo#489647)
      Crash in nsTextFrame::ClearTextRun()
* Thu Apr 16 2009 wr@rosenauer.org
  - security update to 3.0.9 (bnc#495473)
    * MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305
      Crashes with evidence of memory corruption (rv:1.9.0.9)
    * MFSA 2009-15/CVE-2009-0652 (bmo#479336)
      URL spoofing with box drawing character
    * MFSA 2009-16/CVE-2009-1306 (bmo#474536)
      jar: scheme ignores the content-disposition: header on the
      inner URI
    * MFSA 2009-17/CVE-2009-1307 (bmo#481342)
      Same-origin violations when Adobe Flash loaded via
      view-source: scheme
    * MFSA 2009-18/CVE-2009-1308 (bmo#481558)
      XSS hazard using third-party stylesheets and XBL bindings
    * MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433)
      Same-origin violations in XMLHttpRequest and
      XPCNativeWrapper.toString
    * MFSA 2009-20/CVE-2009-1310 (bmo#483086)
      Malicious search plugins can inject code into arbitrary sites
    * MFSA 2009-21/CVE-2009-1311 (bmo#471962)
      POST data sent to wrong site when saving web page with
      embedded frame
    * MFSA 2009-22/CVE-2009-1312 (bmo#475636)
      Firefox allows Refresh header to redirect to javascript: URIs
* Fri Mar 27 2009 wr@rosenauer.org
  - security update to 1.9.0.8 (bnc#488955,489411)
    * MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217)
      Crash and remote code execution in XSL transformation
    * MFSA 2009-13/CVE-2009-1044 (bmo#484320)
      Arbitrary code execution via XUL tree moveToEdgeShift
  - allow RPM provides for stuff besides shared libraries
    (e.g. mime-types)
* Sun Mar 01 2009 wr@rosenauer.org
  - security update to 3.0.7 (bnc#478625)
    * MFSA 2009-07 - Crashes with evidence of memory corruption
      CVE-2009-0771 - Layout Engine Crashes
      CVE-2009-0772 - Layout Engine Crashes
      CVE-2009-0773 - crashes in the JavaScript engine
      CVE-2009-0774 - Layout Engine Crashes
    * MFSA 2009-08/CVE-2009-0775 - (bmo#474456)
      Mozilla Firefox XUL Linked Clones Double Free Vulnerability
    * MFSA 2009-09/CVE-2009-0776 (bmo#414540)
      XML data theft via RDFXMLDataSource and cross-domain redirect
    * MFSA 2009-10/CVE-2009-0040 (bmo#478901)
      Upgrade PNG library to fix memory safety hazards
    * MFSA 2009-11/CVE-2009-0777 (bmo#452979)
      URL spoofing with invisible control characters

Files

/usr/bin/firefox
/usr/lib64/firefox
/usr/lib64/firefox/Throbber-small.gif
/usr/lib64/firefox/application.ini
/usr/lib64/firefox/browser
/usr/lib64/firefox/browser/blocklist.xml
/usr/lib64/firefox/browser/chrome
/usr/lib64/firefox/browser/chrome.manifest
/usr/lib64/firefox/browser/chrome/icons
/usr/lib64/firefox/browser/chrome/icons/default
/usr/lib64/firefox/browser/chrome/icons/default/default128.png
/usr/lib64/firefox/browser/chrome/icons/default/default16.png
/usr/lib64/firefox/browser/chrome/icons/default/default22.png
/usr/lib64/firefox/browser/chrome/icons/default/default24.png
/usr/lib64/firefox/browser/chrome/icons/default/default256.png
/usr/lib64/firefox/browser/chrome/icons/default/default32.png
/usr/lib64/firefox/browser/chrome/icons/default/default48.png
/usr/lib64/firefox/browser/chrome/icons/default/default64.png
/usr/lib64/firefox/browser/crashreporter-override.ini
/usr/lib64/firefox/browser/defaults
/usr/lib64/firefox/browser/defaults/preferences
/usr/lib64/firefox/browser/defaults/preferences/firefox.js
/usr/lib64/firefox/browser/defaults/preferences/kde.js
/usr/lib64/firefox/browser/extensions
/usr/lib64/firefox/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
/usr/lib64/firefox/browser/features
/usr/lib64/firefox/browser/features/activity-stream@mozilla.org.xpi
/usr/lib64/firefox/browser/features/aushelper@mozilla.org.xpi
/usr/lib64/firefox/browser/features/firefox@getpocket.com.xpi
/usr/lib64/firefox/browser/features/followonsearch@mozilla.com.xpi
/usr/lib64/firefox/browser/features/formautofill@mozilla.org.xpi
/usr/lib64/firefox/browser/features/onboarding@mozilla.org.xpi
/usr/lib64/firefox/browser/features/screenshots@mozilla.org.xpi
/usr/lib64/firefox/browser/features/webcompat@mozilla.org.xpi
/usr/lib64/firefox/browser/omni.ja
/usr/lib64/firefox/chrome.manifest
/usr/lib64/firefox/crashreporter
/usr/lib64/firefox/crashreporter.ini
/usr/lib64/firefox/defaults
/usr/lib64/firefox/defaults/pref
/usr/lib64/firefox/defaults/pref/channel-prefs.js
/usr/lib64/firefox/defaults/pref/spellcheck.js
/usr/lib64/firefox/dependentlibs.list
/usr/lib64/firefox/dictionaries
/usr/lib64/firefox/distribution
/usr/lib64/firefox/distribution/extensions
/usr/lib64/firefox/firefox
/usr/lib64/firefox/firefox-bin
/usr/lib64/firefox/firefox.sh
/usr/lib64/firefox/fonts
/usr/lib64/firefox/fonts/EmojiOneMozilla.ttf
/usr/lib64/firefox/gmp-clearkey
/usr/lib64/firefox/gmp-clearkey/0.1
/usr/lib64/firefox/gmp-clearkey/0.1/libclearkey.so
/usr/lib64/firefox/gmp-clearkey/0.1/manifest.json
/usr/lib64/firefox/gtk2
/usr/lib64/firefox/gtk2/libmozgtk.so
/usr/lib64/firefox/liblgpllibs.so
/usr/lib64/firefox/libmozavcodec.so
/usr/lib64/firefox/libmozavutil.so
/usr/lib64/firefox/libmozgtk.so
/usr/lib64/firefox/libmozsandbox.so
/usr/lib64/firefox/libmozsqlite3.so
/usr/lib64/firefox/libxul.so
/usr/lib64/firefox/minidump-analyzer
/usr/lib64/firefox/omni.ja
/usr/lib64/firefox/pingsender
/usr/lib64/firefox/platform.ini
/usr/lib64/firefox/plugin-container
/usr/lib64/mozilla
/usr/lib64/mozilla/extensions
/usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
/usr/share/appdata
/usr/share/appdata/firefox.appdata.xml
/usr/share/applications/firefox.desktop
/usr/share/icons/hicolor
/usr/share/icons/hicolor/128x128
/usr/share/icons/hicolor/128x128/apps
/usr/share/icons/hicolor/128x128/apps/firefox.png
/usr/share/icons/hicolor/16x16
/usr/share/icons/hicolor/16x16/apps
/usr/share/icons/hicolor/16x16/apps/firefox.png
/usr/share/icons/hicolor/22x22
/usr/share/icons/hicolor/22x22/apps
/usr/share/icons/hicolor/22x22/apps/firefox.png
/usr/share/icons/hicolor/24x24
/usr/share/icons/hicolor/24x24/apps
/usr/share/icons/hicolor/24x24/apps/firefox.png
/usr/share/icons/hicolor/256x256
/usr/share/icons/hicolor/256x256/apps
/usr/share/icons/hicolor/256x256/apps/firefox.png
/usr/share/icons/hicolor/32x32
/usr/share/icons/hicolor/32x32/apps
/usr/share/icons/hicolor/32x32/apps/firefox.png
/usr/share/icons/hicolor/48x48
/usr/share/icons/hicolor/48x48/apps
/usr/share/icons/hicolor/48x48/apps/firefox.png
/usr/share/icons/hicolor/64x64
/usr/share/icons/hicolor/64x64/apps
/usr/share/icons/hicolor/64x64/apps/firefox.png
/usr/share/man/man1/firefox.1.gz
/usr/share/mime/packages/firefox.xml
/usr/share/mozilla
/usr/share/mozilla/extensions
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
/usr/share/pixmaps/firefox-gnome.png
/usr/share/pixmaps/firefox.png


Generated by rpm2html 1.8.1

Fabrice Bellet, Sun Nov 10 09:13:04 2019