Univention Bugzilla – Bug 55221
firefox-esr: Multiple issues (5.0)
Last modified: 2022-09-29 12:38:53 CEST
New Debian firefox-esr 102.3.0esr-1~deb10u1 fixes:

This update addresses the following issues:

102.3.0esr-1~deb10u1 (Fri, 23 Sep 2022 11:38:58 +0200)
* Backport to buster.
* Use internal libevent, the system one is too old.

102.2.0esr-1 (Wed, 24 Aug 2022 06:35:58 +0900)
* New upstream release.
* Fixes for mfsa2022-34, also known as: CVE-2022-38472, CVE-2022-38473, CVE-2022-38477, CVE-2022-38478.
* debian/rules, debian/control: Fix libavcodec recommends.
* debian/control*: Bump nss build dependency.

102.1.0esr-2 (Mon, 15 Aug 2022 15:46:49 +0900)
* debian/rules: Remove old and now unnecessary workarounds.
* intl/icu/source/common/unicode/std_string.h, intl/icu/source/common/utypeinfo.h, intl/icu/source/io/unicode/ustream.h: Remove workaround for old libstdc++ problem, which now causes problems with GCC 12 on arm.
* third_party/libwebrtc/moz.build: Add missing webrtc directory for ppc64el (bz#1775202).

102.1.0esr-1 (Sun, 14 Aug 2022 16:59:19 +0900)
* Fixes for mfsa2022-28, also known as: CVE-2022-36319, CVE-2022-36318, CVE-2022-36315, CVE-2022-36316, CVE-2022-36320, CVE-2022-2505.
* debian/rules:
  - Improve detection of known failing cases on armhf and mipsel.
  - Use thinLTO for rust on armhf, to stay in the memory budget with an armhf toolchain.
  - Use MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE=none instead of MACH_USE_SYSTEM_PYTHON=1.
* debian/rules, debian/watch, debian/watch.in: Generate debian/watch and fix it.
* third_party/libwebrtc/moz.build: Work around bz#1775202 to fix FTBFS on ppc64el.
* config/makefiles/rust.mk: Allow to override rust LTO flag.

102.0-1 (Wed, 29 Jun 2022 07:41:32 +0900)
* Fixes for mfsa2022-24, also known as: CVE-2022-34479, CVE-2022-34470, CVE-2022-34468, CVE-2022-34482, CVE-2022-34483, CVE-2022-34476, CVE-2022-34481, CVE-2022-34474, CVE-2022-34471, CVE-2022-34472, CVE-2022-2200, CVE-2022-34480, CVE-2022-34477, CVE-2022-34475, CVE-2022-34473, CVE-2022-34484, CVE-2022-34485.
* build/moz.configure/bindgen.configure, gfx/webrender_bindings/webrender_ffi.h: Work around build failure with newer cbindgen. bz#1773259

101.0.1-1 (Fri, 10 Jun 2022 06:24:01 +0900)
* build/moz.configure/rust.configure, debian/control*: Allow to build with cargo in unstable.

101.0-1 (Wed, 01 Jun 2022 06:07:37 +0900)
* Fixes for mfsa2022-20, also known as: CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31743, CVE-2022-31744, CVE-2022-31745, CVE-2022-1919, CVE-2022-31747, CVE-2022-31748.
* debian/rules: Fail the build early when building for armhf on armhf (only works on arm64), and when building for mipsel on mipsel.
* debian/control*: Bump rustc, cargo, cbindgen and nss build dependencies.

100.0.2-1 (Sat, 21 May 2022 07:32:04 +0900)
* Fixes for mfsa2022-19, also known as CVE-2022-1802 and CVE-2022-1529.

100.0-1 (Wed, 04 May 2022 08:48:41 +0900)
* Fixes for mfsa2022-16, also known as: CVE-2022-29914, CVE-2022-29909, CVE-2022-29916, CVE-2022-29911, CVE-2022-29912, CVE-2022-29915, CVE-2022-29917, CVE-2022-29918.

99.0-1 (Wed, 06 Apr 2022 09:04:22 +0900)
* Fixes for mfsa2022-13, also known as: CVE-2022-1097, CVE-2022-28281, CVE-2022-28282, CVE-2022-28283, CVE-2022-28284, CVE-2022-28285, CVE-2022-28286, CVE-2022-28287, CVE-2022-24713, CVE-2022-28289, CVE-2022-28288.

98.0-2 (Thu, 10 Mar 2022 09:09:43 +0900)
* debian/rules: Install crash reporter files on arm64.
* js/src/jit/GenerateAtomicOperations.py: Work around a GCC issue with generated atomics. bz#1756347.

98.0-1 (Wed, 09 Mar 2022 07:09:27 +0900)
* Fixes for mfsa2022-10, also known as: CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381, CVE-2022-26382, CVE-2022-26385, CVE-2022-0843.
* Fixes for mfsa2022-09, also known as: CVE-2022-26485, CVE-2022-26486.
* debian/control*:
  - Bump nss build dependency.
  - Downgrade rust dependency to 1.56, and cargo to 0.57.
* Cargo.lock, config/makefiles/rust.mk, python/mozboot/mozboot/util.py, servo/components/style/Cargo.toml, servo/components/style/build.rs, servo/components/style/lib.rs, servo/components/style/stylesheets/page_rule.rs, servo/components/style/stylist.rs, third_party/rust/audioipc2-client/.cargo-checksum.json, third_party/rust/audioipc2-client/Cargo.toml, third_party/rust/audioipc2-client/build.rs, third_party/rust/audioipc2-client/src/lib.rs, third_party/rust/wgpu-hal/.cargo-checksum.json, third_party/rust/wgpu-hal/src/gles/egl.rs: Relax minimum supported Rust version to 1.56.0.

97.0-1 (Wed, 09 Feb 2022 07:53:42 +0900)
* Fixes for mfsa2022-04, also known as: CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22764, CVE-2022-0511.
* debian/control*: Bump nss, rustc and cargo build dependencies.
* debian/browser.install.in: Install libipcclientcerts.so.

96.0.3-1 (Mon, 31 Jan 2022 06:21:31 +0900)

96.0.1-1 (Sat, 15 Jan 2022 07:41:14 +0900)
* modules/libpref/init/StaticPrefList.yaml: Disable cookie sameSite schemeful. bz#1750264.
* dom/media/webrtc/third_party_build/gn-configs/x64_*_arm_linux.json, dom/media/webrtc/third_party_build/gn-configs/x64_*_ppc64_linux.json, third_party/libwebrtc/**/moz.build: Add webrtc configs for arm and ppc64 linux. bz#1738845.

96.0-1 (Wed, 12 Jan 2022 08:03:30 +0900)
* Fixes for mfsa2022-01, also known as: CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751, CVE-2022-22752.
* debian/rules:
  - Adjust preprocessor command to upstream changes.
  - Set an objdir when using the preprocessor, and clean that up.

95.0.1-1 (Fri, 17 Dec 2021 07:05:23 +0900)
* debian/control.in: Build against rustc-mozilla/cargo-mozilla on relevant older releases.
* modules/fdlibm/src/math_private.h: Fix FTBFS on i386. bz#1729459.

95.0-1 (Wed, 08 Dec 2021 06:38:07 +0900)
* Fixes for mfsa2021-52, also known as: CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43540, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43544, CVE-2021-43545, CVE-2021-43546, MOZ-2021-0009.
* debian/browser.mozconfig.in: Explicitly disable wasm sandboxing. We don't have the necessary tools yet.

94.0.2-1 (Wed, 24 Nov 2021 06:57:55 +0900)

94.0-2 (Thu, 11 Nov 2021 16:32:50 +0900)
* debian/firefox.in: Use `command -v` instead of `which`. Does not affect this package, though.
* .cargo/config.in, Cargo.lock, Cargo.toml, third_party/rust/cc/.cargo-checksum.json, third_party/rust/cc/Cargo.toml, third_party/rust/cc/src/lib.rs, third_party/rust/cc/src/windows_registry.rs: Update cc crate to b2f6b146b75299c444e05bbde50d03705c7c4b6e, aka 1.0.71 + GCC-11 fix for armhf. bz#1739040.
* .cargo/config.in, Cargo.lock, third_party/rust/cubeb-pulse/.cargo-checksum.json, third_party/rust/cubeb-pulse/src/backend/stream.rs, toolkit/library/rust/shared/Cargo.toml: Upgrade cubeb-pulse to fix a race condition that can lead to shutdown deadlock. bz#1735905. (suspected to).

94.0-1 (Wed, 03 Nov 2021 08:20:50 +0900)
* Fixes for mfsa2021-48, also known as: CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, MOZ-2021-0004, CVE-2021-38509, MOZ-2021-0005, MOZ-2021-0006, MOZ-2021-0007. (MOZ-* pending CVE assignment)
* Cargo.toml, Cargo.lock, third_party/rust/naga/.cargo-checksum.json, third_party/rust/naga/Cargo.toml, third_party/rust/wgpu-core/.cargo-checksum.json, third_party/rust/wgpu-core/Cargo.toml, build/moz.configure/rust.configure: Remove workaround to build with an old cargo, now that Debian has a recent version.

93.0-1 (Wed, 06 Oct 2021 06:53:13 +0900)
* Fixes for mfsa2021-43, also known as: CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810, CVE-2021-38500, CVE-2021-38501, CVE-2021-38499.
* debian/rules: Set MOZBUILD_STATE_PATH.
* Cargo.toml, Cargo.lock, third_party/rust/naga/.cargo-checksum.json, third_party/rust/naga/Cargo.toml, third_party/rust/wgpu-core/.cargo-checksum.json, third_party/rust/wgpu-core/Cargo.toml: Work around the lack of resolver feature in unstable's cargo.

92.0-1 (Wed, 08 Sep 2021 07:57:38 +0900)
* Fixes for mfsa2021-38, also known as: CVE-2021-38491, CVE-2021-38493, CVE-2021-38494.
* debian/rules: Build against embedded nspr and nss on bullseye.
* debian/upstream.mk: Add bookworm and trixie.
--- mirror/ftp/pool/main/f/firefox-esr/firefox-esr_91.13.0esr-1~deb10u1.dsc +++ apt/ucs_5.0-0-errata5.0-2/source/firefox-esr_102.3.0esr-1~deb10u1.dsc 
@@ -1,147 +1,273 @@ -91.13.0esr-1~deb10u1 [Wed, 24 Aug 2022 06:09:13 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-35, also known as: - CVE-2022-38472, CVE-2022-38473, CVE-2022-38478. - -91.12.0esr-1~deb10u1 [Wed, 27 Jul 2022 09:08:20 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-29, also known as: - CVE-2022-36319, CVE-2022-36318. - -91.11.0esr-1~deb10u1 [Wed, 29 Jun 2022 06:30:12 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-25, also known as: - CVE-2022-34479, CVE-2022-34470, CVE-2022-34468, CVE-2022-34481, - CVE-2022-31744, CVE-2022-34472, CVE-2022-2200, CVE-2022-34484. +102.3.0esr-1~deb10u1 [Fri, 23 Sep 2022 11:38:58 +0200] Emilio Pozuelo Monfort <pochu@debian.org>: + + * Backport to buster. + * Use internal libevent, the system one is too old. + +102.3.0esr-1 [Wed, 21 Sep 2022 06:58:15 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-41, also known as: + CVE-2022-40959, CVE-2022-40960, CVE-2022-40958, CVE-2022-40956, + CVE-2022-40957, CVE-2022-40962. + +102.2.0esr-1 [Wed, 24 Aug 2022 06:35:58 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-34, also known as: + CVE-2022-38472, CVE-2022-38473, CVE-2022-38477, CVE-2022-38478. + + * debian/rules, debian/control: Fix libavcodec recommends. Closes: #1017782. + * debian/control*: Bump nss build dependency. + +102.1.0esr-2 [Mon, 15 Aug 2022 15:46:49 +0900] Mike Hommey <glandium@debian.org>: + + * debian/rules: Remove old and now unnecessary workarounds. + + * intl/icu/source/common/unicode/std_string.h, + intl/icu/source/common/utypeinfo.h, + intl/icu/source/io/unicode/ustream.h: Remove workaround for old libstdc++ + problem, which now causes problems with GCC 12 on arm. + * third_party/libwebrtc/moz.build: Add missing webrtc directory for ppc64el + (bz#1775202). 
+ +102.1.0esr-1 [Sun, 14 Aug 2022 16:59:19 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-28, also known as: + CVE-2022-36319, CVE-2022-36318, CVE-2022-36315, CVE-2022-36316, + CVE-2022-36320, CVE-2022-2505. + + * debian/rules: + - Improve detection of known failing cases on armhf and mipsel. + - Use thinLTO for rust on armhf, to stay in the memory budget with an + armhf toolchain. + - Use MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE=none instead of + MACH_USE_SYSTEM_PYTHON=1. + * debian/rules, debian/watch, debian/watch.in: Generate debian/watch and + fix it. + + * third_party/libwebrtc/moz.build: Work around bz#1775202 to fix FTBFS on + ppc64el. + * config/makefiles/rust.mk: Allow to override rust LTO flag. + +102.0-1 [Wed, 29 Jun 2022 07:41:32 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-24, also known as: + CVE-2022-34479, CVE-2022-34470, CVE-2022-34468, CVE-2022-34482, + CVE-2022-34483, CVE-2022-34476, CVE-2022-34481, CVE-2022-34474, + CVE-2022-34471, CVE-2022-34472, CVE-2022-2200, CVE-2022-34480, + CVE-2022-34477, CVE-2022-34475, CVE-2022-34473, CVE-2022-34484, + CVE-2022-34485. * build/moz.configure/bindgen.configure, gfx/webrender_bindings/webrender_ffi.h: Work around build failure with newer cbindgen. bz#1773259 -91.10.0esr-1~deb10u1 [Wed, 01 Jun 2022 05:24:22 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-21, also known as: +101.0.1-1 [Fri, 10 Jun 2022 06:24:01 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + + * build/moz.configure/rust.configure, debian/control*: Allow to build with + cargo in unstable. + +101.0-1 [Wed, 01 Jun 2022 06:07:37 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-20, also known as: CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, - CVE-2022-31741, CVE-2022-31742, CVE-2022-31747. 
- -91.9.1esr-1~deb10u1 [Sat, 21 May 2022 06:22:04 +0900] Mike Hommey <glandium@debian.org>: + CVE-2022-31741, CVE-2022-31742, CVE-2022-31743, CVE-2022-31744, + CVE-2022-31745, CVE-2022-1919, CVE-2022-31747, CVE-2022-31748. + + * debian/rules: Fail the build early when building for armhf on armhf + (only works on arm64), and when building for mipsel on mipsel. + * debian/control*: Bump rustc, cargo, cbindgen and nss build dependencies. + +100.0.2-1 [Sat, 21 May 2022 07:32:04 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2022-19, also known as CVE-2022-1802 and CVE-2022-1529. -91.9.0esr-1~deb10u1 [Wed, 04 May 2022 06:43:23 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-17, also known as +100.0-1 [Wed, 04 May 2022 08:48:41 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-16, also known as: CVE-2022-29914, CVE-2022-29909, CVE-2022-29916, CVE-2022-29911, - CVE-2022-29912, CVE-2022-29917. - -91.8.0esr-1~deb10u1 [Wed, 06 Apr 2022 08:13:44 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-14, also known as - CVE-2022-1097, CVE-2022-28281, CVE-2022-1196, CVE-2022-28282, - CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, CVE-2022-28289. - -91.7.0esr-1~deb10u1 [Wed, 09 Mar 2022 06:47:37 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-11, also known as + CVE-2022-29912, CVE-2022-29915, CVE-2022-29917, CVE-2022-29918. + +99.0-1 [Wed, 06 Apr 2022 09:04:22 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-13, also known as: + CVE-2022-1097, CVE-2022-28281, CVE-2022-28282, CVE-2022-28283, + CVE-2022-28284, CVE-2022-28285, CVE-2022-28286, CVE-2022-28287, + CVE-2022-24713, CVE-2022-28289, CVE-2022-28288. + + * debian/control*: Bump nss build dependency. 
+ +98.0-2 [Thu, 10 Mar 2022 09:09:43 +0900] Mike Hommey <glandium@debian.org>: + + * debian/rules: Install crash reporter files on arm64. + + * js/src/jit/GenerateAtomicOperations.py: Work around a GCC issue with + generated atomics. bz#1756347. + +98.0-1 [Wed, 09 Mar 2022 07:09:27 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-10, also known as: CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381, - CVE-2022-26386. - -91.6.1esr-1~deb10u1 [Sun, 06 Mar 2022 07:31:23 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-09, also known as CVE-2022-26485, CVE-2022-26486. - -91.6.0esr-1~deb10u1 [Wed, 09 Feb 2022 07:37:27 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-05, also known as: - CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, - CVE-2022-22761, CVE-2022-22763, CVE-2022-22764. - - * netwerk/base/SimpleChannel.*, netwerk/base/nsBaseChannel.*, - netwerk/protocol/res/ExtensionProtocolHandler.cpp, - netwerk/protocol/res/PageThumbProtocolHandler.cpp, - toolkit/components/places/nsAnnoProtocolHandler.cpp, - dom/file/ipc/RemoteLazyInputStream.cpp: Apply upstream patches to fix - excessive CPU usage in web extensions. bz#1706594, bz#1735899. - Closes: #1002868. - -91.5.0esr-1~deb10u1 [Wed, 12 Jan 2022 06:58:53 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2022-02, also known as: + CVE-2022-26382, CVE-2022-26385, CVE-2022-0843. + * Fixes for mfsa2022-09, also known as: CVE-2022-26485, CVE-2022-26486. + + * debian/control*: + - Bump nss build dependency. + - Downgrade rust dependency to 1.56, and cargo to 0.57. 
+ + * Cargo.lock, config/makefiles/rust.mk, python/mozboot/mozboot/util.py, + servo/components/style/Cargo.toml, servo/components/style/build.rs, + servo/components/style/lib.rs, + servo/components/style/stylesheets/page_rule.rs, + servo/components/style/stylist.rs, + third_party/rust/audioipc2-client/.cargo-checksum.json, + third_party/rust/audioipc2-client/Cargo.toml, + third_party/rust/audioipc2-client/build.rs, + third_party/rust/audioipc2-client/src/lib.rs, + third_party/rust/wgpu-hal/.cargo-checksum.json, + third_party/rust/wgpu-hal/src/gles/egl.rs: Relax minimum supported Rust + version to 1.56.0. + +97.0-1 [Wed, 09 Feb 2022 07:53:42 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-04, also known as: + CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22759, + CVE-2022-22760, CVE-2022-22761, CVE-2022-22764, CVE-2022-0511. + + * debian/control*: Bump nss, rustc and cargo build dependencies. + * debian/browser.install.in: Install libipcclientcerts.so. + +96.0.3-1 [Mon, 31 Jan 2022 06:21:31 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + +96.0.1-1 [Sat, 15 Jan 2022 07:41:14 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + + * modules/libpref/init/StaticPrefList.yaml: Disable cookie sameSite + schemeful. bz#1750264. + * dom/media/webrtc/third_party_build/gn-configs/x64_*_arm_linux.json, + dom/media/webrtc/third_party_build/gn-configs/x64_*_ppc64_linux.json, + third_party/libwebrtc/**/moz.build: Add webrtc configs for arm and + ppc64 linux. bz#1738845. + +96.0-1 [Wed, 12 Jan 2022 08:03:30 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2022-01, also known as: CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, - CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751. 
- -91.4.1esr-1~deb10u1 [Sun, 19 Dec 2021 06:44:45 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - - * debian/rules: Build against embedded nspr and nss on bullseye. - * debian/control*: Build against rustc-mozilla/cargo-mozilla on relevant - older release. - * debian/upstream.mk: Add definitions for newer releases of Debian. - -91.4.0esr-1 [Wed, 08 Dec 2021 06:38:58 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes cubeb deadlock. Closes: #998679. - * Fixes for mfsa2021-53, also known as: + CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751, + CVE-2022-22752. + + * debian/rules: + - Adjust preprocessor command to upstream changes. + - Set an objdir when using the preprocessor, and clean that up. + * debian/control*: Bump nss build dependency. + +95.0.1-1 [Fri, 17 Dec 2021 07:05:23 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + + * debian/control.in: Build against rustc-mozilla/cargo-mozilla on relevant + older releases. + + * modules/fdlibm/src/math_private.h: Fix FTBFS on i386. bz#1729459. + +95.0-1 [Wed, 08 Dec 2021 06:38:07 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2021-52, also known as: CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, - CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, - CVE-2021-43546, MOZ-2021-0009. - -91.3.0esr-2 [Sat, 27 Nov 2021 06:50:56 +0900] Mike Hommey <glandium@debian.org>: - - * debian/firefox.in: Use `command -v` instead of `which`. Closes: #996455. - - * modules/fdlibm/src/math_private.h: Fix FTBFS on i386. bz#1729459. + CVE-2021-43540, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, + CVE-2021-43544, CVE-2021-43545, CVE-2021-43546, MOZ-2021-0009. + + * debian/browser.mozconfig.in: Explicitly disable wasm sandboxing. We don't + have the necessary tools yet. + +94.0.2-1 [Wed, 24 Nov 2021 06:57:55 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. 
+ +94.0-2 [Thu, 11 Nov 2021 16:32:50 +0900] Mike Hommey <glandium@debian.org>: + + * debian/firefox.in: Use `command -v` instead of `which`. Does not affect + this package, though. + * .cargo/config.in, Cargo.lock, Cargo.toml, third_party/rust/cc/.cargo-checksum.json, third_party/rust/cc/Cargo.toml, third_party/rust/cc/src/lib.rs, third_party/rust/cc/src/windows_registry.rs: Update cc crate to b2f6b146b75299c444e05bbde50d03705c7c4b6e, aka 1.0.71 + GCC-11 fix for armhf. bz#1739040. - -91.3.0esr-1 [Wed, 03 Nov 2021 06:04:59 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2021-49, also known as: + * .cargo/config.in, Cargo.lock, + third_party/rust/cubeb-pulse/.cargo-checksum.json, + third_party/rust/cubeb-pulse/src/backend/stream.rs, + toolkit/library/rust/shared/Cargo.toml: Upgrade cubeb-pulse to fix a race + condition that can lead to shutdown deadlock. bz#1735905. + (suspected to) Closes: #998108. + +94.0-1 [Wed, 03 Nov 2021 08:20:50 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2021-48, also known as: CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, - MOZ-2021-0008, CVE-2021-38508, CVE-2021-38509, MOZ-2021-0007. + CVE-2021-38508, MOZ-2021-0004, CVE-2021-38509, MOZ-2021-0005, + MOZ-2021-0006, MOZ-2021-0007. (MOZ-* pending CVE assignment) -91.2.0esr-1 [Wed, 06 Oct 2021 06:29:51 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2021-45, also known as: + * debian/control*: Bump nss, rustc and cargo build dependencies. + + * Cargo.toml, Cargo.lock, third_party/rust/naga/.cargo-checksum.json, + third_party/rust/naga/Cargo.toml, + third_party/rust/wgpu-core/.cargo-checksum.json, + third_party/rust/wgpu-core/Cargo.toml, build/moz.configure/rust.configure: + Remove workaround to build with an old cargo, now that Debian has a recent + version. 
+ +93.0-1 [Wed, 06 Oct 2021 06:53:13 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2021-43, also known as: CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810, - CVE-2021-38500, CVE-2021-38501. - -91.1.0esr-1 [Wed, 08 Sep 2021 07:46:16 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2021-40, also known as CVE-2021-38495. - -91.0.1esr-1 [Wed, 18 Aug 2021 10:28:37 +0900] Mike Hommey <glandium@debian.org>: + CVE-2021-38500, CVE-2021-38501, CVE-2021-38499. + + * debian/control*: Bump nss build dependency. + * debian/rules: Set MOZBUILD_STATE_PATH. + + * Cargo.toml, Cargo.lock, third_party/rust/naga/.cargo-checksum.json, + third_party/rust/naga/Cargo.toml, + third_party/rust/wgpu-core/.cargo-checksum.json, + third_party/rust/wgpu-core/Cargo.toml: Work around the lack of resolver + feature in unstable's cargo. + +92.0-1 [Wed, 08 Sep 2021 07:57:38 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2021-38, also known as: + CVE-2021-38491, CVE-2021-38493, CVE-2021-38494. + + * debian/rules: Build against embedded nspr and nss on bullseye. + * debian/upstream.mk: Add bookworm and trixie. + * debian/control*: Bump nss build dependency. + +91.0.1-1 [Wed, 18 Aug 2021 10:28:35 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2021-37, also known as CVE-2021-29991. * debian/import-tar.py, debian/repack.py: Fixed for python 3.9. - -91.0esr-1 [Wed, 11 Aug 2021 11:05:38 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. 91.0-1 [Wed, 11 Aug 2021 07:18:22 +0900] Mike Hommey <glandium@debian.org>: <http://piuparts.knut.univention.de/5.0-2/#13437586994538044>
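Review bot: The `+102.3.0esr-1` entry near the top of the hunk brings in the fixes for mfsa2022-41 (CVE-2022-40959, CVE-2022-40960, CVE-2022-40958, CVE-2022-40956, CVE-2022-40957, CVE-2022-40962), yet the issue summary in this bug's first comment goes straight from 102.3.0esr-1~deb10u1 to 102.2.0esr-1 and names none of them; add that entry to the erratum text so the advisory lists everything this package fixes. Two other added lines are worth a sentence in the erratum for anyone assessing exposure after the jump from 91.13.0esr: "Use internal libevent, the system one is too old" means the browser's libevent is now patched only through firefox-esr updates and no longer through the system package, and the 95.0-1 entry "Explicitly disable wasm sandboxing. We don't have the necessary tools yet." records that this build ships without that hardening.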
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-2] dd5fedd89c Bug #55221: firefox-esr 102.3.0esr-1~deb10u2
 doc/errata/staging/firefox-esr.yaml | 203 +++++++-----------------------------
 1 file changed, 37 insertions(+), 166 deletions(-)

[5.0-2] bb7c4d77c1 Bug #55221: firefox-esr 102.3.0esr-1~deb10u2
 doc/errata/staging/firefox-esr.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

[5.0-2] cd07d9b060 Bug #55221: firefox-esr 102.3.0esr-1~deb10u1
 doc/errata/staging/firefox-esr.yaml | 283 ++++++++++++++++++++++++++++++++++++
 1 file changed, 283 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x434>