Univention Bugzilla – Bug 52160
firefox-esr: Multiple issues (4.4)
Last modified: 2020-10-07 14:32:04 CEST
New Debian firefox-esr 78.3.0esr-1~deb9u1 fixes:

This update addresses the following issues:
* Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3 (CVE-2020-15673)
* XSS when pasting attacker-controlled data into a contenteditable element (CVE-2020-15676)
* Download origin spoofing via redirect (CVE-2020-15677)
* When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario (CVE-2020-15678)
--- mirror/ftp/4.4/unmaintained/4.4-6/source/firefox-esr_68.12.0esr-1~deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/firefox-esr_78.3.0esr-1~deb9u1.dsc 
@@ -1,113 +1,293 @@ -68.12.0esr-1~deb9u1 [Thu, 27 Aug 2020 09:46:39 +0200] Emilio Pozuelo Monfort <pochu@debian.org>: - - * New upstream release. - * Fixes for mfsa2020-37, also known as CVE-2020-15664 and CVE-2020-15669. - -68.11.0esr-1~deb9u1 [Wed, 29 Jul 2020 07:23:16 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release - * Fixes for mfsa2020-31, also known as: - CVE-2020-15652, CVE-2020-6514, CVE-2020-6463, CVE-2020-15659. - -68.10.0esr-1~deb9u1 [Wed, 01 Jul 2020 09:08:58 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release - * Fixes for mfsa2020-25, also known as: - CVE-2020-12417, CVE-2020-12418, CVE-2020-12419, CVE-2020-12420, - CVE-2020-12421. - -68.9.0esr-1~deb9u1 [Wed, 03 Jun 2020 06:11:28 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release - * Fixes for mfsa2020-21, also known as: - CVE-2020-12399, CVE-2020-12405, CVE-2020-12406, CVE-2020-12410. - - * debian/rules: Force using old PKCS11 API when building against newer NSS - releases. Closes: #961762. - * debian/control*: Bump nss build dependencies. - -68.8.0esr-1~deb9u1 [Wed, 06 May 2020 05:29:30 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release - * Fixes for mfsa2020-17, also known as: - CVE-2020-12387, CVE-2020-6831, CVE-2020-12392, CVE-2020-12395. - -68.7.0esr-1~deb9u1 [Wed, 08 Apr 2020 07:54:16 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release - * Fixes for mfsa2020-13, also known as: - CVE-2020-6821, CVE-2020-6822, CVE-2020-6825. - -68.6.1esr-1~deb9u1 [Sat, 04 Apr 2020 06:41:17 +0900] Mike Hommey <glandium@debian.org>: +78.3.0esr-1~deb9u1 [Wed, 23 Sep 2020 11:03:28 +0200] Emilio Pozuelo Monfort <pochu@debian.org>: + + * Non-maintainer upload. + * Backport to stretch. + * debian/l10n/gen: open iso-codes files as unicode. + * Build with LLVM 7, 4.0 doesn't support -std=gnu++17. + * Build with GCC 7 from gcc-mozilla. 
+ +78.3.0esr-1 [Wed, 23 Sep 2020 07:25:27 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2020-43, also known as: + CVE-2020-15677, CVE-2020-15676, CVE-2020-15678, CVE-2020-15673. + + * js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp: Add + CodeGenerator::visitWasmRegisterResult function. bz#1649655. + * js/src/jit/none/MacroAssembler-none.h: Bump CodeAlignment to 8. + bz#1666646. + +78.2.0esr-1 [Thu, 03 Sep 2020 09:30:52 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2020-32 and mfsa2020-38, also known as: + CVE-2020-15652, CVE-2020-6514, CVE-2020-15655, CVE-2020-15653, + CVE-2020-6463, CVE-2020-15656, CVE-2020-15658, CVE-2020-15654, + CVE-2020-15659, CVE-2020-15664, CVE-2020-15670. + +78.0.2-1 [Fri, 10 Jul 2020 09:37:04 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fix for mfsa2020-28. + +78.0.1-1 [Fri, 03 Jul 2020 17:07:38 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + + * debian/rules: + - Replace --disable-ion with --disable-jit. + - Don't generated the ICU data file for big-endian manually. + + * js/src/jit/mips-shared/MacroAssembler-mips-shared-inl.h, + js/src/jit/mips64/MacroAssembler-mips64-inl.h: Add branchTestSymbol + and fallibleUnboxPtr. bz#1642265. + * config/external/icu/data/*icudata*, config/external/icu/data/moz.build, + js/moz.configure: Unify the includion of the ICU data file. bz#1650299. 
+ * config/external/icu/common/moz.build, + config/external/icu/common/sources.mozbuild, + config/external/icu/data/convert_icudata.py, + config/external/icu/data/moz.build, + config/external/icu/defs.mozbuild, + config/external/icu/i18n/moz.build, + config/external/icu/i18n/sources.mozbuild, + config/external/icu/icupkg/moz.build, + config/external/icu/icupkg/sources.mozbuild, + config/external/icu/moz.build, + config/external/icu/toolutil/moz.build, + config/external/icu/toolutil/sources.mozbuild, + config/recurse.mk, + intl/icu_sources_data.py: Automatically convert the little-endian ICU data + file for big-endian builds. + +78.0-1 [Wed, 01 Jul 2020 10:14:06 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release + * Fixes for mfsa2020-24, also known as: + CVE-2020-12415, CVE-2020-12416, CVE-2020-12417, CVE-2020-12418, + CVE-2020-12419, CVE-2020-12420, CVE-2020-12421, CVE-2020-12422, + CVE-2020-12424, CVE-2020-12425, CVE-2020-12426. + + * debian/control*: Bump nss build dependency. + * debian/control*, debian/rules: Remove build dependency on python2.7. + * debian/browser.mozconfig.in: Remove obsolete configure options. + + * build/virtualenv_packages.txt: Don't install enum and enum34 virtualenv + packages in python3 virtualenvs. bz#1632429. + +77.0-1 [Wed, 03 Jun 2020 07:53:04 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release + * Fixes for mfsa2020-20, also known as: + CVE-2020-12399, CVE-2020-12405, CVE-2020-12406, CVE-2020-12407, + CVE-2020-12408, CVE-2020-12409, CVE-2020-12410, CVE-2020-12411. + + * debian/l10n/gen, debian/l10n_revs.py, debian/latest_nightly.py, + debian/rules, debian/symbols.mk: Convert to python 3. + * debian/control*: Bump nss and cbindgen build dependencies. + * debian/rules: + - Revert PKCS11 API change from 76.0.1-1 because the new API is + now explicitly used by upstream code. + - Stop passing -fno-schedule-insns2 -fno-lifetime-dse and + -fno-delete-null-pointer-checks to GCC. 
+ +76.0.1-2 [Fri, 15 May 2020 09:10:36 +0900] Mike Hommey <glandium@debian.org>: + + * debian/browser.mozconfig.in: Allow addon sideload. Closes: #960084. + * debian/control*: Bump nasm build dependency to 2.14. + +76.0.1-1 [Wed, 13 May 2020 09:09:57 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release + + * debian/rules: Force using old PKCS11 API when building against newer + NSS releases. Closes: #960012. + +76.0-2 [Wed, 06 May 2020 14:27:30 +0900] Mike Hommey <glandium@debian.org>: + + * Cargo.lock, third_party/rust/typenum/*: Upgrade typename to 1.12.0. + bz#1635671. Fixes FTBFS on i386. + +76.0-1 [Wed, 06 May 2020 05:41:56 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release + * Fixes for mfsa2020-16, also known as: + CVE-2020-12387, CVE-2020-6831, CVE-2020-12390, CVE-2020-12391, + CVE-2020-12392, CVE-2020-12394, CVE-2020-12395, CVE-2020-12396. + + * debian/control*: Bump nss build dependency. + * debian/browser.install.in: Don't install blocklist.xml, it's not there + anymore. + + * config/recurse.mk: Don't depend on in-tree NSS/NSPR when building against + system NSS/NSPR. bz#1634926. + +75.0-2 [Sun, 19 Apr 2020 09:03:28 +0900] Mike Hommey <glandium@debian.org>: + + * build/moz.configure/util.configure: In configure, pass extra compiler + flags after source path. Fixes FTBFS with --with-system-libvpx with + gcc-9 >= 9-20190125-2. + +75.0-1 [Wed, 08 Apr 2020 09:41:38 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release + * Fixes for mfsa2020-12, also known as: + CVE-2020-6821, CVE-2020-6822, CVE-2020-6823, CVE-2020-6824, + CVE-2020-6825, CVE-2020-6826. + + * debian/control*: Bump nss, rustc, cargo, cbindgen and nodejs build + dependencies. + * debian/control*, debian/rules: Build against libvpx >= 1.8. We used + to build-conflicts with that version, but that's not necessary now + that upstream needs that version. + * debian/browser.install.in: Don't install .chk files, they aren't + produced anymore. 
+ * debian/browser.install.in, debian/browser.mozconfig.in, debian/control*, + debian/rules: Don't build against system sqlite. This is not supported + anymore. + + * python/mozbuild/mozbuild/nodeutil.py: Allow to build with older + versions of nodejs 10. + +74.0.1-1 [Sat, 04 Apr 2020 06:42:37 +0900] Mike Hommey <glandium@debian.org>: * New upstream release * Fixes for mfsa2020-11, also known as: CVE-2020-6819, CVE-2020-6820. -68.6.0esr-1~deb9u1 [Wed, 11 Mar 2020 06:59:57 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release - * Fixes for mfsa2020-09, also known as: - CVE-2020-6805, CVE-2020-6806, CVE-2020-6807, CVE-2020-6811, - CVE-2019-20503, CVE-2020-6812, CVE-2020-6814. - -68.5.0esr-1~deb9u1 [Wed, 12 Feb 2020 06:50:33 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release - * Fixes for mfsa2020-06, also known as: - CVE-2020-6796, CVE-2020-6798, CVE-2020-6800. - -68.4.1esr-1~deb9u1 [Thu, 09 Jan 2020 06:40:28 +0900] Mike Hommey <glandium@debian.org>: +74.0-1 [Wed, 11 Mar 2020 12:15:37 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2020-08, also known as: + CVE-2020-6805, CVE-2020-6806, CVE-2020-6807, CVE-2020-6808, + CVE-2020-6809, CVE-2020-6810, CVE-2020-6811, CVE-2019-20503, + CVE-2020-6812, CVE-2020-6813, CVE-2020-6814, CVE-2020-6815. + + * debian/rules: + - Use the -o flag to redirect preprocessor output rather than shell + redirection to work around bz#1621465. + - Remove obj-*/.mozbuild on clean. + * debian/control*: Bump nspr, nss, sqlite and cbindgen build dependencies. + + * config/mozunit/mozunit/mozunit.py, + python/mozbuild/mozbuild/action/langpack_manifest.py, + python/mozbuild/mozbuild/jar.py, python/mozbuild/mozbuild/preprocessor.py, + python/mozbuild/mozbuild/test/backend/test_build.py: Use io.open() rather + than open() in mozbuild/preprocessor.py. bz#1613263. 
+ * dom/canvas/ClientWebGLContext.h, dom/canvas/WebGLContext.h: Fix build + errors with -Werror=format-security with GCC. + +73.0.1-1 [Thu, 20 Feb 2020 09:07:58 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + + * gfx/2d/SwizzleNEON.cpp: Fix NEON compile error with gcc and RGB unpacking. + bz#1610814. + +73.0-1 [Wed, 12 Feb 2020 06:57:23 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2020-05, also known as: + CVE-2020-6796, CVE-2020-6798, CVE-2020-6800, CVE-2020-6801. + + * debian/control*: Bump nss, rustc, cargo and cbindgen build dependencies. + * debian/browser.install.in: Do not install now removed chrome.manifest + and libnssdbm3.* files. + +72.0.2-1 [Wed, 22 Jan 2020 12:06:25 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + +72.0.1-1 [Thu, 09 Jan 2020 06:46:44 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fix for mfsa2020-03, also known as CVE-2019-17026. -68.4.0esr-1~deb9u1 [Wed, 08 Jan 2020 08:54:04 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2020-02, also known as: - CVE-2019-17016, CVE-2019-17017, CVE-2019-17022, CVE-2019-17024. - - * debian/rules: Don't build with --compress-debug-sections on jessie. - * debian/rules: Use sourcestamp.txt for MOZ_BUILD_DATE. Closes: #946193. - - * sourcestamp.txt: Fill with the missing info. - -68.3.0esr-1~deb9u1 [Sat, 07 Dec 2019 08:58:01 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2019-37, also known as: - CVE-2019-17008, CVE-2019-11745, CVE-2019-17010, CVE-2019-17005, - CVE-2019-17011, CVE-2019-17012. - - * debian/control.in: Bump nss build dependencies. - * intl/icu_sources_data.py: - - Revert change from 68.2.0esr-1~deb9u2. - - Don't build ICU in parallel. - * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around - GCC ICEs on arm. 
+72.0-1 [Wed, 08 Jan 2020 08:54:04 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2020-01, also known as: + CVE-2019-17016, CVE-2019-17017, CVE-2019-17020, CVE-2019-17022, + CVE-2019-17023, CVE-2019-17024, CVE-2019-17025. + + * debian/rules: + - Don't build with --compress-debug-sections on jessie. + - Use sourcestamp.txt for MOZ_BUILD_DATE. + - Avoid running dh_update_autotools_config. We're dealing with this + manually and we don't want config.* files being touched under + third_party/rust. + * debian/control*: + - Bump nspr, nss and sqlite build dependencies. + - Add missing dependency on libdrm-dev. + * debian/browser.mozconfig.in: Explicitly build with wayland support + enabled. + + * intl/icu_sources_data.py: Don't build ICU in parallel. + * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around older + GCC ICE on arm. (Thanks Emilio Pozuelo Monfort) -68.2.0esr-1~deb9u2 [Wed, 06 Nov 2019 12:22:11 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: - - * Don't set the NASM make variable on architectures without nasm, fixes - FTBFS on !x86. - * Output icu build log to stdout rather than to a file. - -68.2.0esr-1~deb9u1 [Thu, 31 Oct 2019 10:22:07 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: - - * New upstream release. - * Fixes for mfsa2019-33, also known as: - CVE-2019-15903, CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, +71.0-2 [Thu, 12 Dec 2019 09:38:33 +0900] Mike Hommey <glandium@debian.org>: + + * dom/indexedDB/ActorsParent.cpp: Work around lack of support for + http://eel.is/c++draft/class.temporary#6.7 in compilers. bz#1601707 + Closes: #946249, #946547. + * layout/generic/WritingModes.h, servo/ports/geckolib/cbindgen.toml: + Fix build with newer cbindgen. bz#1602358. + +71.0-1 [Wed, 04 Dec 2019 10:09:38 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. 
+ * Fixes for mfsa2019-36, also known as: + CVE-2019-11756, CVE-2019-17008, CVE-2019-11745, CVE-2019-17014, + CVE-2019-17010, CVE-2019-17005, CVE-2019-17011, CVE-2019-17012, + CVE-2019-17013. + + * debian/l10n/gen: Add support for ca-valencia. + * debian/control*: Bump nspr, nss, rustc and cargo build dependencies. + * debian/rules, debian/control.in: + - Build with nodejs-mozilla on jessie and stretch. + - Build with nasm-mozilla on jessie and stretch. + - Don't build with system libvpx on stretch. + (Thanks Emilio Pozuelo Monfort) + +70.0.1-1 [Sat, 09 Nov 2019 07:53:49 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + +70.0-1 [Wed, 23 Oct 2019 07:30:42 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-34, also known as: + CVE-2018-6156, CVE-2019-15903, CVE-2019-11757, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, + CVE-2019-11765, CVE-2019-17000, CVE-2019-17001, CVE-2019-17002, CVE-2019-11764. -68.1.0esr-1 [Wed, 04 Sep 2019 10:22:21 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2019-26, also known as + * debian/control*: Bump nss, sqlite, rustc, cargo, and cbindgen build + dependencies. + +69.0.2-1 [Tue, 08 Oct 2019 08:06:31 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + +69.0.1-1 [Tue, 24 Sep 2019 06:39:36 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fix for mfsa2019-31, also known as CVE-2019-11754. + + * debian/control*: + - Bump nss, rustc, cargo and cbindgen build dependencies. Closes: #939412. + - Remove build dependency versions where Debian has had the right version + since Jessie. + * debian/source/lintian-overrides: Adjust DotZlib.chm path. + +69.0-1 [Wed, 04 Sep 2019 13:48:54 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. 
+ * Fixes for mfsa2019-25, also known as: CVE-2019-11746, CVE-2019-11744, CVE-2019-11742, CVE-2019-11752, - CVE-2019-9812, CVE-2019-11743, CVE-2019-11748, CVE-2019-11749, - CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735, + CVE-2019-9812, CVE-2019-11741, CVE-2019-11743, CVE-2019-11748, + CVE-2019-11749, CVE-2019-5849, CVE-2019-11750, CVE-2019-11737, + CVE-2019-11738, CVE-2019-11747, CVE-2019-11734, CVE-2019-11735, CVE-2019-11740. * debian/upstream.mk: Read source repo and revision from json when @@ -117,13 +297,20 @@ - Remove unused build dependency against python-ply. - Remove python-minimal build dependency. All supported versions of Debian have a new enough version. + - Remove build dependency against libjsoncpp-dev. * debian/l10n/gen, debian/latest_nightly.py, debian/rules, debian/symbols.mk, debian/upstream.mk, debian/watch: Use explicit python2.7 instead of python. - -68.0.2esr-1 [Sun, 18 Aug 2019 22:27:52 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream ESR release. + * debian/rules: Use `mach python --no-virtualenv` to invoke the + preprocessor. + + * config/system-headers, + toolkit/crashreporter/jsoncpp/src/lib_json/moz.build, + toolkit/crashreporter/minidump-analyzer/moz.build: Revert hack to + build against libjsoncpp. It was fine when it was only used by + the crash reporter, but that's not the case anymore, and it breaks + the build. Also, the bundled version is newer than what is available + in Debian. 68.0.2-3 [Sun, 18 Aug 2019 20:47:26 +0900] Mike Hommey <glandium@debian.org>: <http://10.200.17.11/4.4-6/#5413035401497204776>
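Review bot: the 75.0-1 entry in the first hunk, "Don't build against system sqlite. This is not supported anymore.", means this build ships its own SQLite copy, so SQLite fixes no longer reach Firefox through the stretch libsqlite3 package and must be tracked through firefox-esr uploads instead; please record that in the erratum. In the same hunk, the stretch backport lines "Build with LLVM 7, 4.0 doesn't support -std=gnu++17" and "Build with GCC 7 from gcc-mozilla", together with the 71.0-1 lines "Build with nodejs-mozilla on jessie and stretch" and "Build with nasm-mozilla on jessie and stretch", mean the UCS 4.4 build environment must provide those packages, since the stretch default toolchain no longer suffices. Also worth a second look: the 76.0.1-2 entry "debian/browser.mozconfig.in: Allow addon sideload. Closes: #960084." enables add-on sideloading in the Debian mozconfig; confirm that sideloaded add-ons are wanted for the UCS appliance and installer profiles.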
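Review bot: the 69.0-1 lines in the second hunk, "Remove build dependency against libjsoncpp-dev." and "Revert hack to build against libjsoncpp. [...] the bundled version is newer than what is available in Debian.", turn jsoncpp into an embedded copy that the distribution's package no longer covers; note it in the erratum so jsoncpp advisories are tracked against firefox-esr rather than against the system library. The unchanged context line "Use explicit python2.7 instead of python." is historical and consistent with the later 78.0-1 entry "Remove build dependency on python2.7", so it needs no change.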
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts (new language packages)

[4.4-6] 4957efba75 Bug #52160: firefox-esr 78.3.0esr-1~deb9u1
 doc/errata/staging/firefox-esr.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
[4.4-6] 333ceac3a6 Bug #52160: firefox-esr 78.3.0esr-1~deb9u1
 doc/errata/staging/firefox-esr.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
Reopen: DVD Installation fails. With this new firefox version it is possible to show the firefox interface when moving the mouse to the top of the screen.
New firefox versions do not load the userChrome.css file by default; it has to be enabled with
user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true);
see https://support.mozilla.org/de/kb/firefox-enterprise-78-release-notes

Fixed in univention-system-setup 12.0.2-28A~4.4.0.202009301314
1b3cff2a Add userpref option to make new firefox esr versions load userChrome.css
17ba1608 univention-system-setup.yaml
(also release for 4.4-5-errata, just as firefox security update)
https://git.knut.univention.de/univention/ucs/-/merge_requests/5
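The comment above describes the mechanism behind the reopened bug: since Firefox 78 ESR, chrome/userChrome.css in a profile is ignored unless toolkit.legacyUserProfileCustomizations.stylesheets is true. The following is an added example, not code from univention-system-setup or from Mozilla: it forces that pref in the profile's user.js (replacing any stale line, since user.js is re-applied on every start and wins over prefs.js), writes the stylesheet, and reports whether the profile will actually apply it. The profile location, the hide-the-toolbox CSS, the second pref used as a bystander and the helper names are assumptions for the demonstration.

```python
"""Added example (not Univention's code): make a Firefox 78 ESR profile load
chrome/userChrome.css by setting the pref from the enterprise release notes
in user.js, and check that the profile will apply the stylesheet.
Profile path, CSS and helper names are assumptions for the demo."""
import re
import tempfile
from pathlib import Path

PREF = "toolkit.legacyUserProfileCustomizations.stylesheets"   # from the release notes
PREF_LINE = f'user_pref("{PREF}", true);'
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\);')


def enable_userchrome(profile, css: str) -> Path:
    """Write chrome/userChrome.css and force the pref to true in user.js.

    user.js is re-applied on every start and overrides prefs.js, so a stale
    "false" there cannot win. Any existing line for this pref (true or false)
    is dropped first, so the file never accumulates duplicates."""
    profile = Path(profile)
    chrome = profile / "chrome"
    chrome.mkdir(parents=True, exist_ok=True)
    (chrome / "userChrome.css").write_text(css, encoding="utf-8")
    userjs = profile / "user.js"
    lines = userjs.read_text(encoding="utf-8").splitlines() if userjs.exists() else []
    kept = []
    for ln in lines:
        m = _PREF_RE.match(ln)
        if m and m.group(1) == PREF:
            continue                      # replace the old setting below
        kept.append(ln)
    kept.append(PREF_LINE)
    userjs.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return userjs


def userchrome_active(profile) -> bool:
    """True when Firefox 78 will apply userChrome.css from this profile:
    the pref is true in user.js (last occurrence wins) and the file exists."""
    profile = Path(profile)
    userjs = profile / "user.js"
    if not userjs.exists():
        return False
    value = False
    for ln in userjs.read_text(encoding="utf-8").splitlines():
        m = _PREF_RE.match(ln)
        if m and m.group(1) == PREF:
            value = m.group(2) == "true"
    return value and (profile / "chrome" / "userChrome.css").is_file()


def demo():
    """Run the scenario from this bug in a throw-away profile (constructed
    input): user.js already carries a stale 'false' plus an unrelated pref,
    then the fix is applied twice. Returns
    (active_before, active_after, pref_line_count, other_pref_kept)."""
    css = "#navigator-toolbox { visibility: collapse !important; }\n"  # assumed kiosk CSS
    with tempfile.TemporaryDirectory() as d:
        p = Path(d)
        (p / "user.js").write_text(
            f'user_pref("{PREF}", false);\n'
            'user_pref("browser.shell.checkDefaultBrowser", false);\n',
            encoding="utf-8")
        before = userchrome_active(p)
        enable_userchrome(p, css)
        enable_userchrome(p, css)          # idempotent: still exactly one pref line
        text = (p / "user.js").read_text(encoding="utf-8")
        return (before, userchrome_active(p),
                text.count(PREF), "browser.shell.checkDefaultBrowser" in text)


if __name__ == "__main__":
    print(demo())   # (False, True, 1, True)
```

userchrome_active() is the check to run after an installer image is built: a profile that has the stylesheet but still a false (or no) pref line is exactly the state that made the Firefox interface reappear in the DVD installation.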
OK - univention-system-setup (install tests worked for me)
OK - yaml
OK - merge request
The merge request is empty?
(In reply to Felix Botner from comment #7)
> The merge request is empty?
No, it was already merged.
OK: yaml
OK: announce_errata
OK: patch
FAIL: piuparts (~ new language packs)

[4.4-6] 1794e1d1c9 Bug #52160: yaml
 doc/errata/staging/firefox-esr.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
[4.4-6] 7493e9a957 Bug #52160: firefox-esr 78.3.0esr-1~deb9u2
 doc/errata/staging/firefox-esr.yaml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
[4.4-6] 4957efba75 Bug #52160: firefox-esr 78.3.0esr-1~deb9u1
 doc/errata/staging/firefox-esr.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
[4.4-6] 333ceac3a6 Bug #52160: firefox-esr 78.3.0esr-1~deb9u1
 doc/errata/staging/firefox-esr.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x764> <https://errata.software-univention.de/#/?erratum=4.4x765>