Bug 50478 - firefox-esr: Multiple issues (4.3)
firefox-esr: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-5-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-11-11 10:30 CET by Quality Assurance
Modified: 2019-11-13 17:01 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2019-11-11 10:30:31 CET
New Debian firefox-esr 68.2.0esr-1~deb9u2 fixes:
This update addresses the following issues:
* Use-after-free when creating index updates in IndexedDB (CVE-2019-11757)
* Stack buffer overflow in HKDF output (CVE-2019-11759)
* Stack buffer overflow in WebRTC networking (CVE-2019-11760)
* Unintended access to a privileged JSONView object (CVE-2019-11761)
* document.domain-based origin isolation has same-origin-property violation  (CVE-2019-11762)
* Incorrect HTML parsing results in XSS bypass technique (CVE-2019-11763)
* Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2  (CVE-2019-11764)
* heap-based buffer over-read via crafted XML input (CVE-2019-15903)
Comment 1 Quality Assurance univentionstaff 2019-11-11 11:00:31 CET
--- mirror/ftp/4.3/unmaintained/4.3-5/source/firefox-esr_60.9.0esr-1~deb9u1.dsc
+++ apt/ucs_4.3-0-errata4.3-5/source/firefox-esr_68.2.0esr-1~deb9u2.dsc
@@ -1,118 +1,345 @@
-60.9.0esr-1~deb9u1 [Wed, 04 Sep 2019 09:23:23 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-    Fixes for mfsa2019-27, also known as:
+68.2.0esr-1~deb9u2 [Wed, 06 Nov 2019 12:22:11 +0100] Emilio Pozuelo Monfort <pochu@debian.org>:
+
+  * Don't set the NASM make variable on architectures without nasm, fixes
+    FTBFS on !x86.
+  * Output icu build log to stdout rather than to a file.
+
+68.2.0esr-1~deb9u1 [Thu, 31 Oct 2019 10:22:07 +0100] Emilio Pozuelo Monfort <pochu@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2019-33, also known as:
+    CVE-2019-15903, CVE-2019-11757, CVE-2019-11758, CVE-2019-11759,
+    CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763,
+    CVE-2019-11764.
+
+68.1.0esr-1 [Wed, 04 Sep 2019 10:22:21 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2019-26, also known as
     CVE-2019-11746, CVE-2019-11744, CVE-2019-11742, CVE-2019-11752,
-    CVE-2019-9812, CVE-2019-11743, CVE-2019-11740.
-
-60.8.0esr-1~deb9u1 [Wed, 10 Jul 2019 07:13:23 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2019-22, also known as:
+    CVE-2019-9812, CVE-2019-11743, CVE-2019-11748, CVE-2019-11749,
+    CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735,
+    CVE-2019-11740.
+
+  * debian/upstream.mk: Read source repo and revision from json when
+    getting upstream info. Instead of the .txt file that doesn't exist
+    as of 69.
+  * debian/control*:
+    - Remove unused build dependency against python-ply.
+    - Remove python-minimal build dependency. All supported versions
+      of Debian have a new enough version.
+  * debian/l10n/gen, debian/latest_nightly.py, debian/rules,
+    debian/symbols.mk, debian/upstream.mk, debian/watch: Use explicit
+    python2.7 instead of python.
+
+68.0.2esr-1 [Sun, 18 Aug 2019 22:27:52 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream ESR release.
+
+68.0.2-3 [Sun, 18 Aug 2019 20:47:26 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/control.in: Take source package name from preprocessing.
+
+  * build/moz.configure/old.configure: Avoid race condition creating
+    old-configure. bz#1574761.
+  * dom/media/systemservices/CamerasChild.cpp,
+    dom/media/systemservices/CamerasParent.cpp,
+    dom/media/systemservices/VideoEngine.cpp,
+    dom/media/webrtc/MediaEngineRemoteVideoSource.cpp: Don't use
+    __PRETTY_FUNCTION__ or __FUNCTION__ as format strings. bz#1531309.
+    Closes: #925680.
+
+68.0.2-2 [Sun, 18 Aug 2019 08:41:43 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/rules: Fix MOZ_APP_REMOTINGNAME. Upstream build system changes
+    made the config.status editing trick stop working. Export the variable for
+    configure to pick it instead. Closes: #932256
+
+68.0.2-1 [Thu, 15 Aug 2019 08:06:59 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2019-24, also known as CVE-2019-11733.
+
+  * debian/control*, debian/rules: Don't build against system vpx >= 1.8.0.
+    It has API changes that cause FTBFS.
+
+68.0.1-2 [Fri, 19 Jul 2019 10:51:09 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/rules: Work around https://github.com/rust-lang/cargo/issues/7147.
+
+68.0.1-1 [Fri, 19 Jul 2019 07:53:19 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+  * debian/rules:
+    - Hook stamps/dh_install-l10n to override_dh_install-indep rather than
+      binary-indep.
+    - Pass make job server down through dh_auto_build.
+  * debian/rules, debian/dh: Wrap dh to ensure debian/rules is invoked with
+    parallelism.
+
+68.0-3 [Sun, 14 Jul 2019 15:20:45 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/browser.README.Debian.in: Fix a reference to iceweasel in
+    README.Debian. Thanks Edward Betts.
+  * debian/rules:
+    - Only exclude "-g" from dpkg-buildflags output. All the other flags
+      that used to be excluded either already match upstream or add
+      reproducibility.
+    - Don't unexpectedly reset LDFLAGS.
+    - [firefox-esr] Remove iceweasel transitional packages on bullseye.
+    - Disable dh_strip_nondeterminism. Upstream build system already avoids
+      non-determinism it would strip, so there is no need for it further
+      modifying files.
+    - Avoid arch:all builds building arch:any stuff.
+    - Move AUTOCONF_DIRS cleanup after dh_clean.
+    - Add rust flags to improve reproducibility.
+    - Only touch or remove configure when it wasn't there to begin with.
+    - Call configure using its full path.
+    - Factor common configure arguments.
+    - Build langpacks with --disable-compile-environment, and pass less
+      configure arguments.
+    - Build each langpack from a separate build directory. This means time
+      wasted running configure more times, but all locales can now be built
+      in parallel.
+  * debian/symbols.mk, debian/symbols.apt.conf, debian/symbols.sources.list:
+    Miscellaneous changes to symbols download script.
+  * debian/make.mk: Exclude symbols.mk variables from dump output.
+  * debian/browser.mozconfig.in: Remove redundant --prefix=/usr.
+  * debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk:
+    Remove packaging scripts compatibility with Wheezy.
+
+  * moz.configure: Only add confvars.sh as a dependency to config.status
+    when it exists. bz#1560340.
+
+68.0-2 [Fri, 12 Jul 2019 20:37:51 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/rules, debian/upstream.mk: Account for next Debian release.
+  * debian/rules, debian/control: Build against system sqlite again.
+
+  * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around GCC ICE
+    on mips*, i386 and s390x.  Closes: #931757
+  * python/mozbuild/mozbuild/action/langpack_manifest.py: Use build id as
+    langpack version for reproducibility. bz#1565504.
+
+68.0-1 [Wed, 10 Jul 2019 08:22:05 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2019-21, also known as:
     CVE-2019-9811, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713,
-    CVE-2019-11729, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719,
-    CVE-2019-11730, CVE-2019-11709.
-
-60.7.2esr-1~deb9u1 [Thu, 20 Jun 2019 10:48:50 -0700] Mike Hommey <glandium@debian.org>:
+    CVE-2019-11714, CVE-2019-11715, CVE-2019-11716, CVE-2019-11717,
+    CVE-2019-11718, CVE-2019-11720, CVE-2019-11721, CVE-2019-11730,
+    CVE-2019-11723, CVE-2019-11724, CVE-2019-11725, CVE-2019-11727,
+    CVE-2019-11728, CVE-2019-11710, CVE-2019-11709.
+
+  * debian/control*: Bump nss, sqlite, rustc, cargo and cbindgen build
+    dependencies. Remove Build-Conflicts with nss 3.44-1, since we now
+    build-depend on a more recent version.
+  * debian/rules, debian/control: Don't build against system sqlite, as
+    Debian doesn't have the required version yet.
+  * [firefox-esr] debian/l10n/browser-l10n.control*, debian/l10n/gen:
+    Don't generate iceweasel l10n transition packages for locales that
+    were never offered with iceweasel.
+  * debian/control, debian/l10n/browser-l10n.control.in: Add transition
+    dependencies for Bengali l10n. There is now only one Bengali l10n
+    package instead of two.
+  * debian/rules: Disable JIT at build time on mips because it fails to build.
+
+  * build/gyp.mozbuild: Revert patch that disables libyuv assembly on
+    mips64. It apparently compiles, now.
+
+67.0.4-1 [Thu, 20 Jun 2019 11:05:27 -0700] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
   * Fixes for mfsa2019-19, also known as CVE-2019-11708.
 
-60.7.1esr-1~deb9u1 [Tue, 18 Jun 2019 11:15:36 -0700] Mike Hommey <glandium@debian.org>:
+67.0.3-2 [Wed, 19 Jun 2019 13:16:37 -0700] Mike Hommey <glandium@debian.org>:
+
+  * python/mozbuild/mozbuild/action/node.py: Attempt to work around make issue
+    happening on arch: all buildd.
+
+67.0.3-1 [Tue, 18 Jun 2019 11:35:40 -0700] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
   * Fixes for mfsa2019-18, also known as CVE-2019-11707.
 
-60.7.0esr-1~deb9u1 [Wed, 22 May 2019 07:23:08 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2019-14, also known as:
+67.0.2-1 [Wed, 12 Jun 2019 06:01:15 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+67.0.1-1 [Wed, 05 Jun 2019 07:14:08 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+67.0-4 [Sun, 02 Jun 2019 13:13:13 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/rules: Work around FTBFS on mips* by disabling webrtc
+    Build fails because of missing configurations for mips*.
+  * debian/control*: Build-Conflicts with libnss3-dev 2:3.44-1.
+    Closes: #929846.
+
+  * js/src/jit/mips32/MacroAssembler-mips32-inl.h: Fix FTBFS on mips/mipsel.
+    bz#1556197.
+
+67.0-3 [Sat, 01 Jun 2019 13:44:05 +0900] Mike Hommey <glandium@debian.org>:
+
+  * media/webrtc/trunk/webrtc/system_wrappers/source/cpu_features.cc: Remove
+    WebRtc_GetCPUFeaturesARM from cpu_features.cc. It is already in
+    cpu_features_linux.c (and is not in cpu_features.cc in webrtc upstream).
+    Fixes FTBFS on armhf. bz#1523162.
+
+67.0-2 [Sat, 01 Jun 2019 09:18:27 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/extra-stuff/addonsInfo.jsm:
+    - Avoid running -dumps-addons-info without a running Firefox counting as a
+      crash.
+    - Support addons in resource:// locations in -dump-addons-info
+
+  * js/src/wasm/WasmSignalHandlers.cpp: Include struct definitions for
+    user_vfp and user_vfp_exc. Fixes FTBFS on armhf. bz#1526653.
+  * js/src/jit/mips*/MacroAssembler-mips*-inl.h,
+    js/src/jit/mips*/Trampoline-mips*.cpp: Fix functions: branchTestBigInt,
+    negPtr, generateVMWrapper on MIPS. bz#1544631.
+  * toolkit/modules/sessionstore/PrivacyFilter.jsm: Update and harden form
+    data filtering for privacy to account for no data being passed in.
+    bz#1553413.
+
+67.0-1 [Wed, 22 May 2019 09:28:01 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2019-13, also known as:
     CVE-2019-9816, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820,
-    CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-7317,
-    CVE-2019-9797, CVE-2018-18511, CVE-2019-11698, CVE-2019-5798,
+    CVE-2019-9821, CVE-2019-11691, CVE-2019-11692, CVE-2019-11693,
+    CVE-2019-7317, CVE-2019-11695, CVE-2019-11696, CVE-2019-11697,
+    CVE-2019-11698, CVE-2019-11699, CVE-2019-11701, CVE-2019-9814,
     CVE-2019-9800.
-
-  * debian/rules: Avoid rust build errors with newer versions of rustc by
-    capping lints to warnings.
-
-60.6.3esr-1~deb9u1 [Thu, 09 May 2019 05:14:54 +0900] Mike Hommey <glandium@debian.org>:
+  * Upload to experimental because the required cbindgen is not available in
+    unstable.
+
+  * debian/control*: Bump nspr, sqlite, rustc, cargo and cbindgen build
+    dependencies.
+  * debian/extra-stuff/addonsInfo.*, debian/extra-stuff/moz.build,
+    debian/installer/package-manifest.browser, debian/rules:
+    Modernize addonsInfo per bz#1431533, bz#1432992, bz#1514594, bz#1524688,
+    etc.
+
+66.0.5-1 [Wed, 08 May 2019 08:07:21 +0900] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
     - Additional fixes for addon signature validation.
 
-60.6.2esr-1~deb9u1 [Sun, 05 May 2019 20:12:37 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-    - Fixes issues with addon signature validation. Closes: #928415, #928449.
+66.0.4-1 [Sun, 05 May 2019 22:52:24 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+    - Fixes issues with addon signature validation. Closes: #928417.
     Note: this didn't affect addons installed via Debian packages.
 
-60.6.1esr-1~deb9u1 [Sun, 24 Mar 2019 08:15:11 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2019-10, also known as:
+66.0.1-1 [Sun, 24 Mar 2019 08:17:24 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2019-09, also known as:
     CVE-2019-9810, CVE-2019-9813.
 
-60.6.0esr-1~deb9u1 [Wed, 20 Mar 2019 10:18:56 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2019-08, also known as:
+  * debian/control*: Bump nss, sqlite, rustc, cargo and cbindgen build
+    dependencies.
+
+66.0-1 [Wed, 20 Mar 2019 18:35:38 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2019-07, also known as:
     CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793,
-    CVE-2019-9795, CVE-2019-9796, CVE-2018-18506, CVE-2019-9788.
-
-  * debian/rules: Disable debug symbols on mips/mipsel on buster.
-    The rust compiler can't deal with them in the available address space.
+    CVE-2019-9795, CVE-2019-9796, CVE-2019-9797, CVE-2019-9799,
+    CVE-2019-9802, CVE-2019-9803, CVE-2019-9805, CVE-2019-9806,
+    CVE-2019-9807, CVE-2019-9809, CVE-2019-9808, CVE-2019-9789,
+    CVE-2019-9788.
+
   * debian/browser.mozconfig.in: Adjust to the upstream change wrt Google
     API key configure options.
-
-60.5.1esr-1~deb9u1 [Thu, 14 Feb 2019 18:35:06 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2019-05, also known as:
-    CVE-2018-18356, CVE-2019-5785.
+  * debian/control*: Add nasm build dependency on amd64 and i386.
+
+65.0.1-1 [Thu, 14 Feb 2019 19:33:05 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2019-04, also known as:
+    CVE-2018-18356, CVE-2019-5795, CVE-2018-18511.
 
   * debian/rules, debian/upstream.mk: Manually set the update channel.
     Closes: #921381, #921121, #921654.
-  * debian/rules: Disable ion JIT on mips and mipsel. This should fix the
+  * debian/rules: Build with -mfp32 on mips and mipsel. This should fix the
     FTBFS.
 
-60.5.0esr-1~deb9u1 [Wed, 30 Jan 2019 09:53:01 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2019-02, also known as:
-    CVE-2018-18500, CVE-2018-18505, CVE-2018-18501.
-
-60.4.0esr-1~deb9u1 [Wed, 12 Dec 2018 08:29:04 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2018-30, also known as:
-    CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494,
-    CVE-2018-18498, CVE-2018-12405.
-
+65.0-1 [Wed, 30 Jan 2019 11:04:24 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2019-01, also known as:
+    CVE-2018-18500, CVE-2018-18503, CVE-2018-18504, CVE-2018-18505,
+    CVE-2018-18506, CVE-2018-18502, CVE-2018-18501.
+
+  * debian/control*: Bump nss, sqlite, rustc, cargo and cbindgen build
+    dependencies.
+  * debian/browser.install.in: Install libmozwayland.so.
+
+64.0-1 [Wed, 12 Dec 2018 09:26:47 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2018-29, also known as:
+    CVE-2018-12407, CVE-2018-17466, CVE-2018-18492, CVE-2018-18493,
+    CVE-2018-18494, CVE-2018-18495, CVE-2018-18496, CVE-2018-18497,
+    CVE-2018-18498, CVE-2018-12406, CVE-2018-12405.
+
+  * debian/rules, debian/browser.install.in: Properly copy the watermark
+    to /usr/share/icons/hicolor/symbolic/apps.
+  * debian/rules: Disable debug symbols on 32-bits architectures, that
+    requires too much memory.
+  * debian/browser.mozconfig.in:
+    - Remove --enable-pie option, it's the default, now.
+    - Remove --disable-nodejs now that it's required.
+  * debian/control*:
+    - Bump rustc, cargo, cbindgen, nss and sqlite dependencies.
+    - Add nodejs build dependency.
+  * debian/browser-symbolic.svg.in: Import the watermark used for the
+    symbolic icon in the debian/ directory.
+
+63.0.3-1 [Mon, 26 Nov 2018 10:17:08 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+  * debian/control*: Build depend on unversioned clang/llvm.
+    Closes: #912802.
   * debian/rules: Use embedded libevent in backports. Closes: #910397.
-  * debian/browser.install.in, debian/rules: Properly copy the watermark to
-    /usr/share/icons/hicolor/symbolic/apps.
-  * debian/rules: Pass compiler and compiler flags environment variables
-    down to ICU configure. That will make it use GCC instead of defaulting
-    to clang now it's in PATH, avoiding the failing to build the ICU data
-    file on big endian platforms because clang doesn't know some of the GCC
-    flags it somehow got from the environment.
+  * debian/rules: Use GNU gold linker on i386 because BFD ld fails to link
+    libxul.so (memory exhausted).
 
   * build/unix/elfhack/test.c: Try to ensure the bss section of the
     elfhack testcase stays large enough. bz#1505608.
   * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB
     on systems with large pages. bz#1507035. Closes: #911898.
-
-60.3.0esr-1~deb9u1 [Wed, 24 Oct 2018 07:17:22 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2018-27, also known as:
+  * media/libaom/moz.build: Use NEON_FLAGS instead of VPX_ASFLAGS for
+    libaom neon code.
+  * gfx/cairo/libpixman/src/pixman-vmx.c: Protect #include <config.h> in
+    pixman-vmx.c like in other pixman-*.c files
+
+63.0.1-1 [Fri, 02 Nov 2018 10:50:57 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * debian/google.key: Use new Google API key, courtesy of Francois Marier.
+
+63.0-1 [Wed, 24 Oct 2018 08:32:15 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2018-26, also known as:
     CVE-2018-12392, CVE-2018-12393, CVE-2018-12395, CVE-2018-12396,
-    CVE-2018-12397, CVE-2018-12389, CVE-2018-12390.
-
-  * debian/rules: Work around armel FTBFS from conflicting __sync_* symbols
-    between libgcc and rust's compiler_builtins.
-
-60.2.2esr-1~deb9u1 [Wed, 03 Oct 2018 07:28:38 +0900] Mike Hommey <glandium@debian.org>:
+    CVE-2018-12397, CVE-2018-12398, CVE-2018-12399, CVE-2018-12401,
+    CVE-2018-12402, CVE-2018-12403, CVE-2018-12388, CVE-2018-12390.
+
+  * debian/control*:
+    - Bump nss dependency.
+    - Add build dependency on cbindgen.
+  * debian/browser.mozconfig.in: Disable nodejs until it's actually necessary.
+  * debian/rules: Add -Wl,--compress-debug-sections=zlib to LDFLAGS to work
+    around elfhack failing with unstripped binaries larger than 2GiB.
+
+62.0.3-1 [Wed, 03 Oct 2018 16:21:53 +0900] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
   * Fixes for mfsa2018-24, also known as:
@@ -123,18 +350,21 @@
   * debian/control*, debian/browser.mozconfig.in: Build ALSA support.
     Closes: #864987, #900062, #908349
 
-60.2.1esr-1~deb9u1 [Sat, 22 Sep 2018 08:10:27 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2018-23, also known as:
-    CVE-2018-12385, CVE-2018-12383.
-
-  * debian/control*:
+62.0.2-1 [Sat, 22 Sep 2018 09:02:25 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2018-22, also known as CVE-2018-12385.
+  * Ignore locale change events for the search service on shutdown.
+    bz#1489820. Closes: #908932.
+
+  * debian/control*:
+    - Remove the sqlite and nss dependencies when not building against the
+      system libraries.
     - Enforce nss, nspr and sqlite dependencies to the same versions as
       build dependencies. There are subtle non-ABI differences between
       versions that Firefox might be relying on (be it features, behavior
       changes/fixes, etc.) and can cause subtle problems when older
-      versions are used.
+      versions are used. Closes: #908225, #908520.
     - Add a suggestion for pulseaudio.
   * debian/rules, debian/control: Add libavcodec-extra* packages to the list
     of recommends. Closes: #909130
@@ -144,48 +374,42 @@
   * gfx/2d/Swizzle.cpp: Use Swizzle fallback when SSE2 is not supported.
     bz#1492065. Closes: #877445.
 
-60.2.0esr-1~deb9u2 [Fri, 07 Sep 2018 18:21:32 +0900] Mike Hommey <glandium@debian.org>:
-
-  * debian/control*: Remove the sqlite and nss dependencies when not building
-    against the system libraries.
-
-60.2.0esr-1~deb9u1 [Thu, 06 Sep 2018 06:18:15 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2018-21, also known as:
-    CVE-2018-12377, CVE-2018-12378, CVE-2018-12376.
-
+62.0-1 [Thu, 06 Sep 2018 07:42:45 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2018-20, also known as:
+    CVE-2018-12377, CVE-2018-12378, CVE-2018-12383, CVE-2018-12375,
+    CVE-2018-12376.
+
+  * debian/control*:
+    - Bump nss and sqlite build dependencies.
+    - Build depend on llvm/clang 6.0 for buster. Closes: #906175.
+  * debian/browser.mozconfig.in, debian/control*, debian/rules: Remove
+    build dependency on libbz2-dev. It's not used anymore.
+  * debian/noinstall.in: Remove the dictionaries directory, not part
+    of the packaged Firefox anymore.
   * debian/l10n/gen: Use iso-codes json data instead of XML when present.
     Closes: #907611.
 
   * widget/gtk/nsAppShell.cpp: Use remoting name for call to
     gdk_set_program_class. Closes: #907574.
 
-60.1.0esr-3 [Sat, 18 Aug 2018 08:30:36 +0900] Mike Hommey <glandium@debian.org>:
-
-  * debian/control*:
-    - Build depend on llvm/clang 6.0 for buster. Closes: #906174.
-    - Bump NSS build dependency to 3.36.4. Closes: #902573.
-
-  * gfx/skia/skia/include/core/SkColorPriv.h,
-    gfx/skia/skia/include/core/SkImageInfo.h,
-    gfx/skia/skia/include/gpu/GrTypes.h,
-    gfx/skia/skia/src/core/SkColorData.h: fix big-endian Skia builds.
-    bz#1144632.
-
-60.1.0esr-2 [Sun, 12 Aug 2018 13:43:20 +0900] Mike Hommey <glandium@debian.org>:
-
-  * Upload to unstable.
-  * debian/upstream.mk: Use the same logic for betas as for releases to find
-    the source.
+61.0.1-1 [Thu, 19 Jul 2018 06:54:40 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+61.0-2 [Sun, 08 Jul 2018 10:39:03 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/browser.mozconfig.in, debian/control*, debian/rules: Remove
+    build dependency on system libhunspell. Using system hunspell lacks
+    features required by Firefox. Next version of Firefox doesn't allow
+    to build against system hunspell anyways. Closes: #900469.
   * debian/browser.links.in, debian/rules, debian/vendor.js: Use the
     spellchecker.dictionary_path pref to set the hunspell directory.
   * debian/browser.mozconfig.in: Allow unsigned addons in app and system
     scopes.
   * debian/rules: Work around the effect the above has on the
     --{enable,with}-system-* check.
-  * debian/vendor.js: Remove extensions.unsignedScopes. The patch that added
-    the pref was changed to use a configure flag instead.
   * debian/control*: Remove old conflicts. Thanks Sylvestre Ledru.
     Closes: #882956.
   * debian/l10n/recommends, debian/l10n/browser-l10n.control,
@@ -200,40 +424,72 @@
   * debian/control*, debian/rules: Add Recommends on all supported libavcodec
     libraries for h264 playback. Closes: #901600.
 
-  * js/src/jit/mips-shared/MacroAssembler-mips-shared.cpp: Stubout
-    MacroAssembler::speculationBarrier. bz#1444834
   * toolkit/modules/AppConstants.jsm, toolkit/modules/moz.build,
     toolkit/moz.configure, toolkit/mozapps/extensions/internal/XPIInstall.jsm,
     toolkit/mozapps/extensions/content/extensions.js,
     toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Change how addon
     signature requirement relaxation is done. Closes: #899390.
 
-60.1.0esr-1 [Wed, 27 Jun 2018 10:15:42 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2018-16, also known as:
-    CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362,
-    CVE-2018-5156, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365,
-    CVE-2018-12371, CVE-2018-12366, CVE-2018-12367, CVE-2018-12369,
-    CVE-2018-5187, CVE-2018-5188.
-
+61.0-1 [Wed, 27 Jun 2018 10:25:44 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2018-15, also known as:
+    CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12358,
+    CVE-2018-12362, CVE-2018-5156, CVE-2018-12363, CVE-2018-12364,
+    CVE-2018-12365, CVE-2018-12371, CVE-2018-12366, CVE-2018-12367,
+    CVE-2018-12369, CVE-2018-12370, CVE-2018-5186, CVE-2018-5187,
+    CVE-2018-5188.
+
+  * debian/control*:
+    - Bump nss and sqlite build dependencies.
+    - Add a build dependency on python3.
+  * debian/browser.install.in: Adjust to upstream changes.
   * debian/vendor.js: Relax the addon signature requirements.
+
+  * toolkit/mozapps/extensions/content/extensions.js,
+    toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Allow to relax the
+    addon signature requirements.
+
+60.0.2-2 [Sun, 24 Jun 2018 09:23:16 +0900] Mike Hommey <glandium@debian.org>:
 
   * build/unix/elfhack/elfhack.cpp, build/unix/elfhack/inject.c,
     build/unix/elfhack/test.c: Use run-time page size when changing mapping
     permissions in elfhack injected code. bz#1470701. Closes: #902231.
-  * toolkit/mozapps/extensions/content/extensions.js,
-    toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Allow to relax the
-    addon signature requirements.
-
-60.0.2esr-1 [Fri, 08 Jun 2018 17:49:37 +0900] Mike Hommey <glandium@debian.org>:
+
+60.0.2-1 [Fri, 08 Jun 2018 18:25:04 +0900] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
   * Fixes for mfsa2018-14, also known as CVE-2018-6126.
 
+  * debian/upstream.mk: Use the same logic for betas as for releases to find
+    the source.
   * debian/browser.NEWS.in: Adjust to show the ESR version.
 
-60.0.1esr-2 [Tue, 22 May 2018 10:05:55 +0900] Mike Hommey <glandium@debian.org>:
+60.0.1-5 [Tue, 22 May 2018 08:01:55 +0900] Mike Hommey <glandium@debian.org>:
+
+  * gfx/skia/moz.build: Revert change from 60.0.1-4.
+  * dom/media/webaudio/blink/DenormalDisabler.h: Avoid using vmrs/vmsr on
+    armel.
+  * mfbt/LinuxSignal.h, mfbt/moz.build,
+    tools/profiler/core/platform-linux-android.cpp: Remove
+    MOZ_SIGNAL_TRAMPOLINE. bz#1463035.
+  * build/autoconf/arch.m4: Add -mfloat-abi=softfp to NEON_FLAGS when it makes
+    sense. bz#1463036.
+  * xpcom/string/moz.build: Use HAVE_ARM_NEON instead of BUILD_ARM_NEON for
+    nsUTF8UtilsNEON.cpp. bz#1463036.
+
+60.0.1-4 [Mon, 21 May 2018 07:58:43 +0900] Mike Hommey <glandium@debian.org>:
+
+  * gfx/skia/moz.build: Don't build skia neon on armel.
+
+60.0.1-3 [Sun, 20 May 2018 10:12:15 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/browser.links.in: Remove /usr/lib/*/browser/icons symlink, leftover
+    after the removal of /usr/share/*/browser/icons. Closes: #893323.
+
+  * media/webrtc/trunk/moz.build: Only build webrtc neon on aarch64.
+
+60.0.1-2 [Sat, 19 May 2018 13:07:39 +0900] Mike Hommey <glandium@debian.org>:
 
   * third_party/rust/libc/.cargo-checksum.json,
     third_party/rust/libc/src/unix/notbsd/linux/mod.rs,
@@ -247,28 +503,11 @@
     configure. bz#1462859.
   * media/webrtc/trunk/gtest/moz.build: Link chromium_atomics to webrtc tests.
     bz#1462873.
-  * media/webrtc/trunk/moz.build: Only build webrtc neon on aarch64.
-  * browser/locales/Makefile.in,
-    python/mozbuild/mozbuild/action/langpack_manifest.py,
-    python/mozbuild/mozbuild/test/action/test_langpack_manifest.py,
-    toolkit/locales/l10n.mk: Use MOZ_LANGPACK_EID in langpacks manifest.json.
-    bz#1455100. Closes: #899160.
-  * dom/media/webaudio/blink/DenormalDisabler.h: Avoid using vmrs/vmsr on
-    armel.
-  * mfbt/LinuxSignal.h, mfbt/moz.build,
-    tools/profiler/core/platform-linux-android.cpp: Remove
-    MOZ_SIGNAL_TRAMPOLINE. bz#1463035.
-  * build/autoconf/arch.m4: Add -mfloat-abi=softfp to NEON_FLAGS when it makes
-    sense. bz#1463036.
-  * xpcom/string/moz.build: Use HAVE_ARM_NEON instead of BUILD_ARM_NEON for
-    nsUTF8UtilsNEON.cpp. bz#1463036.
-
-60.0.1esr-1 [Sat, 19 May 2018 07:25:23 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-
-  * debian/browser.links.in: Remove /usr/lib/*/browser/icons symlink, leftover
-    after the removal of /usr/share/*/browser/icons. Closes: #893323.
+
+60.0.1-1 [Sat, 19 May 2018 07:25:23 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
   * debian/control*: Remove mozplugger suggestion. Closes: #888396.
   * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in,
     debian/rules: Remove the option to build against gtk+2, it is not
@@ -280,7 +519,7 @@
   * js/src/jit/mips-shared/LIR-mips-shared.h, js/src/jit/mips32/LIR-mips32.h,
     js/src/jit/mips64/LIR-mips64.h: Fix FTBFS on mips*. bz#1444303.
 
-60.0esr-1 [Thu, 10 May 2018 09:36:46 +0900] Mike Hommey <glandium@debian.org>:
+60.0-1 [Thu, 10 May 2018 09:36:46 +0900] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
   * Fixes for mfsa2018-11, also known as
@@ -302,8 +541,6 @@
   * debian/browser.mozconfig.in: Revert workaround for bz#1341234.
   * debian/browser.install.in, debian/rules: Don't install the ICU data
     file, it's linked as a data section in libxul.
-  * debian/control, debian/rules: Remove iceweasel transitional packages
-    in non-backports.
 
   * modules/libpref/parser/src/lib.rs: Adapt to upstream changes to
     keep supporting lockPref() for transition purposes, now that upstream

<http://10.200.17.11/4.3-5/#497621981609481335>
Comment 2 Philipp Hahn univentionstaff 2019-11-12 08:53:32 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
 new translation packages

[4.3-5] cd901c6de6 Bug #50478: firefox-esr 68.2.0esr-1~deb9u2
 doc/errata/staging/firefox-esr.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.3-5] f3b41bcb72 Bug #50478: firefox-esr 68.2.0esr-1~deb9u2
 doc/errata/staging/firefox-esr.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
Comment 3 Erik Damrose univentionstaff 2019-11-13 17:01:46 CET
<http://errata.software-univention.de/ucs/4.3/610.html>