Univention Bugzilla – Bug 48132
firefox-esr: Multiple issues (4.2)
Last modified: 2018-11-21 15:55:25 CET
New Debian firefox-esr 60.3.0esr-1~deb8u1 fixes:

This update addresses the following issues:
* Anonymity feature bypass via crafted web site (CVE-2017-16541)
* Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (CVE-2018-12376)
* Use-after-free in driver timers (CVE-2018-12377)
* Use-after-free in IndexedDB (CVE-2018-12378)
* Out-of-bounds write with malicious MAR file (CVE-2018-12379)
* Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords (CVE-2018-12383)
* Crash in TransportSecurityInfo due to cached data (CVE-2018-12385)
* Type confusion in JavaScript (CVE-2018-12386)
* stack out-of-bounds read in Array.prototype.push (CVE-2018-12387)
* Memory safety bugs fixed in Firefox ESR 60.3 (CVE-2018-12389)
* Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 (CVE-2018-12390)
* Crash with nested event loops (CVE-2018-12392)
* Integer overflow during Unicode conversion while loading JavaScript (CVE-2018-12393)
* WebExtension bypass of domain restrictions through header rewriting (CVE-2018-12395)
* WebExtension content scripts can execute in disallowed contexts (CVE-2018-12396)
* WebExtension local file permission check bypass (CVE-2018-12397)
Currently Debian only carries binaries for amd64, but not for i386: <https://packages.debian.org/jessie/firefox-esr>
--- mirror/ftp/4.2/unmaintained/4.2-5/source/firefox-esr_52.9.0esr-1~deb8u1.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/firefox-esr_60.3.0esr-1~deb8u1.dsc 
@@ -1,145 +1,483 @@ -52.9.0esr-1~deb8u1 [Wed, 27 Jun 2018 07:33:25 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-17, also known as: - CVE-2018-12359, CVE-2018-12360, CVE-2018-12362, CVE-2018-5156, - CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, - CVE-2018-12368, CVE-2018-5188. - +60.3.0esr-1~deb8u1 [Wed, 31 Oct 2018 10:24:02 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: + + * Backport to jessie. + * Build against the embedded jsoncpp, jessie's one is too old. + * Disable elf hack. + +60.3.0esr-1~deb9u1 [Wed, 24 Oct 2018 07:17:22 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-27, also known as: + CVE-2018-12392, CVE-2018-12393, CVE-2018-12395, CVE-2018-12396, + CVE-2018-12397, CVE-2018-12389, CVE-2018-12390. + + * debian/rules: Work around armel FTBFS from conflicting __sync_* symbols + between libgcc and rust's compiler_builtins. + +60.2.2esr-1~deb9u1 [Wed, 03 Oct 2018 07:28:38 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-24, also known as: + CVE-2018-12386, CVE-2018-12387. + + * debian/extra-stuff/addonsInfo.js: Fixes to work with recent versions + of Firefox. Closes: #909056. + * debian/control*, debian/browser.mozconfig.in: Build ALSA support. + Closes: #864987, #900062, #908349 + +60.2.1esr-1~deb9u1 [Sat, 22 Sep 2018 08:10:27 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-23, also known as: + CVE-2018-12385, CVE-2018-12383. + + * debian/control*: + - Enforce nss, nspr and sqlite dependencies to the same versions as + build dependencies. There are subtle non-ABI differences between + versions that Firefox might be relying on (be it features, behavior + changes/fixes, etc.) and can cause subtle problems when older + versions are used. + - Add a suggestion for pulseaudio. 
+ * debian/rules, debian/control: Add libavcodec-extra* packages to the list + of recommends. Closes: #909130 + + * js/src/jit/BaselineJIT.h: Disable baseline JIT when SSE2 is not supported + at runtime. bz#1492064. Closes: #908396, #908449. + * gfx/2d/Swizzle.cpp: Use Swizzle fallback when SSE2 is not supported. + bz#1492065. Closes: #877445. + +60.2.0esr-1~deb9u2 [Fri, 07 Sep 2018 18:21:32 +0900] Mike Hommey <glandium@debian.org>: + + * debian/control*: Remove the sqlite and nss dependencies when not building + against the system libraries. + +60.2.0esr-1~deb9u1 [Thu, 06 Sep 2018 06:18:15 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-21, also known as: + CVE-2018-12377, CVE-2018-12378, CVE-2018-12376. + + * debian/l10n/gen: Use iso-codes json data instead of XML when present. + Closes: #907611. + + * widget/gtk/nsAppShell.cpp: Use remoting name for call to + gdk_set_program_class. Closes: #907574. + +60.1.0esr-3 [Sat, 18 Aug 2018 08:30:36 +0900] Mike Hommey <glandium@debian.org>: + + * debian/control*: + - Build depend on llvm/clang 6.0 for buster. Closes: #906174. + - Bump NSS build dependency to 3.36.4. Closes: #902573. + + * gfx/skia/skia/include/core/SkColorPriv.h, + gfx/skia/skia/include/core/SkImageInfo.h, + gfx/skia/skia/include/gpu/GrTypes.h, + gfx/skia/skia/src/core/SkColorData.h: fix big-endian Skia builds. + bz#1144632. + +60.1.0esr-2 [Sun, 12 Aug 2018 13:43:20 +0900] Mike Hommey <glandium@debian.org>: + + * Upload to unstable. + * debian/upstream.mk: Use the same logic for betas as for releases to find + the source. + * debian/browser.links.in, debian/rules, debian/vendor.js: Use the + spellchecker.dictionary_path pref to set the hunspell directory. + * debian/browser.mozconfig.in: Allow unsigned addons in app and system + scopes. + * debian/rules: Work around the effect the above has on the + --{enable,with}-system-* check. + * debian/vendor.js: Remove extensions.unsignedScopes. 
The patch that added + the pref was changed to use a configure flag instead. + * debian/control*: Remove old conflicts. Thanks Sylvestre Ledru. + Closes: #882956. + * debian/l10n/recommends, debian/l10n/browser-l10n.control, + debian/control: Update dictionary recommendations, following these rules: + - Transitional myspell packages are not listed except when stable + doesn't have the corresponding hunspell package. + - Both hunspell and myspell packages are listed if they are different. + Closes: #813832, #825843 + * debian/copyright, debian/rules: Refer to /usr/share/common-licenses/MPL* + instead of installing our own copy. Closes: #704303. + * debian/make.mk: Use the same code as dump target for the dump-% target. + * debian/control*, debian/rules: Add Recommends on all supported libavcodec + libraries for h264 playback. Closes: #901600. + + * js/src/jit/mips-shared/MacroAssembler-mips-shared.cpp: Stubout + MacroAssembler::speculationBarrier. bz#1444834 + * toolkit/modules/AppConstants.jsm, toolkit/modules/moz.build, + toolkit/moz.configure, toolkit/mozapps/extensions/internal/XPIInstall.jsm, + toolkit/mozapps/extensions/content/extensions.js, + toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Change how addon + signature requirement relaxation is done. Closes: #899390. + +60.1.0esr-1 [Wed, 27 Jun 2018 10:15:42 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-16, also known as: + CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, + CVE-2018-5156, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, + CVE-2018-12371, CVE-2018-12366, CVE-2018-12367, CVE-2018-12369, + CVE-2018-5187, CVE-2018-5188. + + * debian/vendor.js: Relax the addon signature requirements. + + * build/unix/elfhack/elfhack.cpp, build/unix/elfhack/inject.c, + build/unix/elfhack/test.c: Use run-time page size when changing mapping + permissions in elfhack injected code. bz#1470701. Closes: #902231. 
+ * toolkit/mozapps/extensions/content/extensions.js, + toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Allow to relax the + addon signature requirements. + +60.0.2esr-1 [Fri, 08 Jun 2018 17:49:37 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-14, also known as CVE-2018-6126. + + * debian/browser.NEWS.in: Adjust to show the ESR version. + +60.0.1esr-2 [Tue, 22 May 2018 10:05:55 +0900] Mike Hommey <glandium@debian.org>: + + * third_party/rust/libc/.cargo-checksum.json, + third_party/rust/libc/src/unix/notbsd/linux/mod.rs, + third_party/rust/libc/src/unix/notbsd/linux/musl/mod.rs, + third_party/rust/libc/src/unix/notbsd/linux/other/mod.rs, + third_party/rust/libc/src/unix/notbsd/linux/s390x.rs: Apply upstream patch + to add struct ucred for Linux on MIPS. + * gfx/skia/skia/src/jumper/SkJumper_stages.cpp: Fix Skia build on arm64 + linux with GCC. bz#1462868. * intl/icu_sources_data.py: Add --disable-layoutex when running ICU configure. bz#1462859. - -52.8.1esr-1~deb8u1 [Fri, 08 Jun 2018 16:38:21 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-14, also known as CVE-2018-6126. - - * debian/control*: Update Maintainer and Vcs fields, moving off alioth. - Closes: #899509 - -52.8.0esr-1~deb8u1 [Thu, 10 May 2018 08:30:12 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-12, also known as - CVE-2018-5183, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, - CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178, + * media/webrtc/trunk/gtest/moz.build: Link chromium_atomics to webrtc tests. + bz#1462873. + * media/webrtc/trunk/moz.build: Only build webrtc neon on aarch64. + * browser/locales/Makefile.in, + python/mozbuild/mozbuild/action/langpack_manifest.py, + python/mozbuild/mozbuild/test/action/test_langpack_manifest.py, + toolkit/locales/l10n.mk: Use MOZ_LANGPACK_EID in langpacks manifest.json. + bz#1455100. Closes: #899160. 
+ * dom/media/webaudio/blink/DenormalDisabler.h: Avoid using vmrs/vmsr on + armel. + * mfbt/LinuxSignal.h, mfbt/moz.build, + tools/profiler/core/platform-linux-android.cpp: Remove + MOZ_SIGNAL_TRAMPOLINE. bz#1463035. + * build/autoconf/arch.m4: Add -mfloat-abi=softfp to NEON_FLAGS when it makes + sense. bz#1463036. + * xpcom/string/moz.build: Use HAVE_ARM_NEON instead of BUILD_ARM_NEON for + nsUTF8UtilsNEON.cpp. bz#1463036. + +60.0.1esr-1 [Sat, 19 May 2018 07:25:23 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + + * debian/browser.links.in: Remove /usr/lib/*/browser/icons symlink, leftover + after the removal of /usr/share/*/browser/icons. Closes: #893323. + * debian/control*: Remove mozplugger suggestion. Closes: #888396. + * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, + debian/rules: Remove the option to build against gtk+2, it is not + supported anymore. + * debian/control*, debian/rules: Avoid hard dependency on libgtk2.0-0. + Closes: #885144. + + * media/webrtc/trunk/moz.build: Attempt to fix building webrtc on non-x86. + * js/src/jit/mips-shared/LIR-mips-shared.h, js/src/jit/mips32/LIR-mips32.h, + js/src/jit/mips64/LIR-mips64.h: Fix FTBFS on mips*. bz#1444303. + +60.0esr-1 [Thu, 10 May 2018 09:36:46 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-11, also known as + CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, + CVE-2018-5159, CVE-2018-5160, CVE-2018-5152, CVE-2018-5153, + CVE-2018-5163, CVE-2018-5164, CVE-2018-5166, CVE-2018-5167, + CVE-2018-5168, CVE-2018-5169, CVE-2018-5172, CVE-2018-5173, + CVE-2018-5175, CVE-2018-5176, CVE-2018-5177, CVE-2018-5165, + CVE-2018-5180, CVE-2018-5181, CVE-2018-5182, CVE-2018-5151, CVE-2018-5150. -52.7.3esr-1~deb8u1 [Tue, 27 Mar 2018 08:03:45 +0900] Mike Hommey <glandium@debian.org>: + * debian/control*: + - Bump nspr, nss, sqlite, rustc and cargo build dependencies. 
+ - Update Maintainer and Vcs fields, moving off alioth. + * debian/browser.js.in, debian/vendor.js: Use the new syntax for + locked and sticky prefs. + * debian/browser.NEWS.in: Add a NEWS about the deprecation of lockPref. + * debian/rules: Automatically find the ICU data file name. + * debian/browser.mozconfig.in: Revert workaround for bz#1341234. + * debian/browser.install.in, debian/rules: Don't install the ICU data + file, it's linked as a data section in libxul. + * debian/control, debian/rules: Remove iceweasel transitional packages + in non-backports. + + * modules/libpref/parser/src/lib.rs: Adapt to upstream changes to + keep supporting lockPref() for transition purposes, now that upstream + has locked prefs out of the box. + +59.0.2-1 [Tue, 27 Mar 2018 08:29:16 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2018-10, also known as CVE-2018-5148. -52.7.2esr-1~deb8u1 [Sat, 17 Mar 2018 07:26:52 +0900] Mike Hommey <glandium@debian.org>: +59.0.1-1 [Sat, 17 Mar 2018 13:48:08 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147. -52.7.1esr-1~deb8u1 [Thu, 15 Mar 2018 08:29:27 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-07, also known as - CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, - CVE-2018-5144, CVE-2018-5125, CVE-2018-5145. +59.0-1 [Wed, 14 Mar 2018 08:30:34 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-06, also known as: + CVE-2018-5127, CVE-2018-5128, CVE-2018-5129, CVE-2018-5130, + CVE-2018-5131, CVE-2018-5132, CVE-2018-5133, CVE-2018-5134, + CVE-2018-5135, CVE-2018-5136, CVE-2018-5137, CVE-2018-5140, + CVE-2018-5141, CVE-2018-5142, CVE-2018-5143, CVE-2018-5126, + CVE-2018-5125. + + * debian/upstream.mk: + - Change how we find the source tarball for releases. + - Stop using milestone.py, it went away in this version. 
+ * debian/control*: Bump nspr, nss, sqlite, rustc and cargo build + dependencies. + * debian/rules: Update ICU_DATA_FILE version. + * debian/browser.install.in, debian/browser.links.in, debian/rules: Take all + icons from chrome/icons/default/ now they are all there. + * debian/browser.install.in, debian/rules: Install watermark icon through + dh_install. + * debian/browser.js.in: Use the new intl.locale.requested instead of + intl.locale.matchOS. + +58.0.1-1 [Tue, 30 Jan 2018 07:43:28 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fix for mfsa2018-05. + + * debian/upstream.mk, debian/l10n_revs.py: Use l10n-changesets.json from the + source tree to find the l10n changesets. + * debian/usptream.mk: Stop using milestone.py, it goes away in version 59. * intl/icu/source/i18n/digitlst.cpp: Apply part of http://bugs.icu-project.org/trac/changeset/40603 to fix FTBFS with glibc - 2.26 on big endian platforms. - -52.6.0esr-1~deb8u1 [Wed, 24 Jan 2018 06:51:46 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-03, also known as - CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, - CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, - CVE-2018-5104, CVE-2018-5117, CVE-2018-5089. - -52.5.2esr-1~deb8u1 [Fri, 08 Dec 2017 20:41:27 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2017-28, also known as CVE-2017-7843. - -52.5.0esr-1~deb8u1 [Wed, 15 Nov 2017 07:19:57 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2017-25, also known as: - CVE-2017-7828, CVE-2017-7830, CVE-2017-7826. + 2.26 on big endian platforms. Closes: #888638. + +58.0-1 [Wed, 24 Jan 2018 08:16:43 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. 
+ * Fixes for mfsa2018-02, also known as: + CVE-2018-5091, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094, + CVE-2018-5095, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, + CVE-2018-5100, CVE-2018-5101, CVE-2018-5102, CVE-2018-5103, + CVE-2018-5104, CVE-2018-5105, CVE-2018-5106, CVE-2018-5107, + CVE-2018-5108, CVE-2018-5109, CVE-2018-5111, CVE-2018-5112, + CVE-2018-5113, CVE-2018-5114, CVE-2018-5115, CVE-2018-5116, + CVE-2018-5117, CVE-2018-5118, CVE-2018-5119, CVE-2018-5122, + CVE-2018-5090, CVE-2018-5089. + + * debian/rules: + - Don't disable necko-wifi on kfreebsd/hurd. This used to be necessary + because that was using libiw, which was linux-only, but libiw is not + used anymore. + - Refresh configure files manually. + - Remove --with-default-mozilla-five-home, it's gone. + - Adapt to compare-locales changes. + - Define MOZ_FFVPX on arm and aarch64. + * debian/browser.install.in, debian/rules, debian/test.mk: Use + DEB_HOST_ARCH* instead of DEB_BUILD_ARCH*. + * debian/control*: + - Bump rustc, cargo and nss build dependencies. + - Add a dependency on libnss3 3.34 for the firefox package. + * debian/noinstall.in: Remove run-mozilla.sh from there, it's not installed + anymore. + +57.0.4-1 [Fri, 05 Jan 2018 15:55:05 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-01, mitigating "Spectre" side-channel attack. + + * debian/control*: Remove build dependencies on unused -dev packages. + * debian/rules: Clean l10n build directory. + * debian/installer/Makefile.in, + debian/installer/package-manifest.browser, debian/rules, moz.build: + Let upstream packaging step preprocess our package manifest, instead + of preprocessing it manually first. + +57.0.3-1 [Sat, 30 Dec 2017 12:06:22 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + +57.0.1-1 [Fri, 01 Dec 2017 14:35:58 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2017-27, also known as: + * CVE-2017-7843, CVE-2017-7844. 
+ + * debian/rules: Don't pass unused variables during make install. + * debian/installer/Makefile.in: Small path correctness fixup. + +57.0-1 [Wed, 15 Nov 2017 09:20:05 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2017-24, also known as: + CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, + CVE-2017-7833, CVE-2017-7834, CVE-2017-7835, CVE-2017-7836, + CVE-2017-7837, CVE-2017-7838, CVE-2017-7839, CVE-2017-7840, + CVE-2017-7842, CVE-2017-7827, CVE-2017-7826. + + * debian/control*: Bump nss, sqlite, rustc and cargo build dependencies. + * debian/rules: + - Always remove configure/old-configure during clean. + - Use a new file as source for the symbolic icon. Closes: #867729. + - Disable tests until they're fixed. The script to run tests uses old + entry points that weren't updated to deal with the sandbox in Firefox, + causing the tests to fail in a way that takes days to go through the + entire suites. Closes: #877565. + * debian/import-tar.py: Make python 3.6 happy. + + * old-configure*: Allow to build against nspr 4.16. + +56.0-2 [Fri, 29 Sep 2017 13:28:38 +0900] Mike Hommey <glandium@debian.org>: + + * debian/browser.mozconfig.in: Pass NSPR directory to bindgen to workaround + bz#1341234. + +56.0-1 [Fri, 29 Sep 2017 07:51:07 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2017-21, also known as: + CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, + CVE-2017-7812, CVE-2017-7814, CVE-2017-7813, CVE-2017-7815, + CVE-2017-7816, CVE-2017-7821, CVE-2017-7823, CVE-2017-7822, + CVE-2017-7820, CVE-2017-7811, CVE-2017-7810. + + * debian/control*: + - Bump nspr, nss, rustc and cargo build dependencies. + - Build depend on llvm-4.0-dev, libclang-4.0-dev and clang-4.0. + * debian/rules: Update ICU_DATA_FILE version. + * debian/browser.mozconfig.in, debian/google.key: Add the Google API key + from the chromium package for safebrowsing. Thanks Francois Marier. 
+ +55.0.3-1 [Sat, 09 Sep 2017 20:24:43 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. * debian/source/lintian-overrides: Add a lintian override for dotzlib.chm. - * debian/import-tar.py: Make python 3.6 happy. - -52.4.0esr-1~deb8u1 [Fri, 29 Sep 2017 06:02:52 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2017-22, also known as: - CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, - CVE-2017-7805, CVE-2017-7814, CVE-2017-7823, CVE-2017-7810. - * debian/rules: Really build with gcc 6 on unstable. Closes: #871583. - -52.3.0esr-1~deb8u2 [Fri, 11 Aug 2017 18:19:19 +0900] Mike Hommey <glandium@debian.org>: - - * js/src/jsmath.cpp: Add GETRANDOM_NR definition for powerpc and mips. - bz#1389281. - * media/libcubeb/tests/moz.build: Fixup workaround for binutil assertion on - mips. - -52.3.0esr-1~deb8u1 [Wed, 09 Aug 2017 06:52:55 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2017-19, also known as: - CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7784, - CVE-2017-7802, CVE-2017-7785, CVE-2017-7786, CVE-2017-7753, - CVE-2017-7787, CVE-2017-7807, CVE-2017-7792, CVE-2017-7791, - CVE-2017-7803, CVE-2017-7779. - - * debian/upstream.mk: - - Consider testing/unstable as buster, which implies build depending on - system nspr, nss and sqlite again. - - Support DEB_DISTRIBUTION being bustersomething or sid. - Closes: #865650. - + +55.0.2-1 [Wed, 23 Aug 2017 09:41:36 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + + * js/src/jit/ExecutableAllocator.h, js/src/jit/none/MacroAssembler-none.h: + Fix Spidermonkey build with no jit backend. bz#1376268. + +55.0-2 [Thu, 10 Aug 2017 14:29:21 +0900] Mike Hommey <glandium@debian.org>: + + * ipc/chromium/src/base/message_pump_libevent.cc, + ipc/chromium/src/third_party/libevent/linux/event2/event-config.h: + Fix FTBFS on i386. bz#1388981. + * dom/base/nsWrapperCache.h: Fix FTBFS on powerpc64el. 
bz#1376277. + * media/libcubeb/cubeb-pulse-rs/src/backend/context.rs: Fix cubeb-pulse-rs + FTBFS on arm64. + +55.0-1 [Wed, 09 Aug 2017 20:21:59 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2017-18, also known as: + CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7809, + CVE-2017-7784, CVE-2017-7802, CVE-2017-7785, CVE-2017-7786, + CVE-2017-7806, CVE-2017-7753, CVE-2017-7787, CVE-2017-7807, + CVE-2017-7792, CVE-2017-7791, CVE-2017-7808, CVE-2017-7781, + CVE-2017-7794, CVE-2017-7803, CVE-2017-7799, CVE-2017-7783, + CVE-2017-7788, CVE-2017-7789, CVE-2017-7797, CVE-2017-7780, + CVE-2017-7779. + + * debian/control*: Bump nspr, nss and sqlite build dependencies. + * debian/rules: + - Preserve Cargo.toml.orig files ; cargo doesn't like that dh_clean + removes them. + - Copy the MPL-2.0 license from nsprpub instead of b2g, the latter being + gone. + * debian/browser.js.in: Default to no suggestions in the urlbar. This still + brings a panel asking the user whether they want to opt-in on first use. * debian/upstream.mk: Set DIST differently for experimental. - * debian/control*, debian/rules: Build with gcc 6 because display is broken - with gcc 7. - - * FTBFS fixes: - - js/src/jsmath.cpp: Define GETRANDOM_NR on more artitectures. bz#1352236, - bz#1357874. - - media/libyuv/source/row_mips.cc: Only use the perf opcode on mips arches - that support it. bz#1012232. - -52.2.0esr-1~deb8u1 [Wed, 14 Jun 2017 07:53:34 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2017-16, also known as: + + * media/webrtc/trunk/gtest/moz.build: Make webrtc-gtest build work with + system jpeg and libvpx. bz#1373988. + * media/mtransport/third_party/nICEr/nicer.gyp, + media/mtransport/third_party/nrappkit/nrappkit.gyp: Disable + -Wformat-security where -Wformat is disabled. bz#1388681. Closes: #871386. 
+ ('ppc64le', 'Linux'): 'powerpc64le-unknown-linux-gnu', + * build/moz.configure/rust.configure: Add ppc64el target for rust code + (second attempt). Closes: #864822. + +54.0-2 [Sat, 17 Jun 2017 07:20:23 +0900] Mike Hommey <glandium@debian.org>: + + * debian/upstream.mk: Consider testing/unstable as buster, which implies + build depending on system nspr, nss, sqlite and hunspell again. + * debian/rules: Really make overrides with USE_SYSTEM_* set to nothing work. + + * build/moz.configure/rust.configure: Add ppc64el target for rust code. + Closes: #864822. + +54.0-1 [Wed, 14 Jun 2017 10:56:14 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2017-15, also known as: CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, - CVE-2017-7778, CVE-2017-7758, CVE-2017-7764, CVE-2017-5470. + CVE-2017-7778, CVE-2017-7758, CVE-2017-7762, CVE-2017-7764, + CVE-2017-5471, CVE-2017-5470. + * Targetting unstable because the required rustc version is available there, + and the freeze is almost over, meaning new versions of rustc will receive + updates, allowing to build newer versions of Firefox. * debian/rules, debian/control.in: Switch to GCC 4.8 on wheezy. * debian/rules: Don't remove debian/control on clean. Thanks to Emilio Pozuelo Monfort for those two changes for wheezy LTS support. - * debian/control.in: Bump nss build dependency. * debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk: Rename the BACKPORT variable to DIST, and set it to "stretch" for unstable/testing targetted builds. * debian/rules: Normalize the system libraries used depending on the Debian version. - -52.1.0esr-1 [Wed, 19 Apr 2017 13:28:11 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2017-12, also known as: + * debian/control*: + - Bump nspr and build dependencies. + - Bump rustc and cargo build dependencies. 
+ * debian/rules: + - Allow to override USE_SYSTEM_* variables from the environment. + - Remove rules to create mozilla-nspr.pc. It hasn't been shipped since + 45.0-1. + * debian/browser.install.in: Add the pingsender executable. + +53.0.is.53.0-1 [Thu, 20 Apr 2017 05:25:25 +0900] Mike Hommey <glandium@debian.org>: + + * The "oops, uploaded to unstable instead of experimental" release. + +53.0-1 [Wed, 19 Apr 2017 14:50:13 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2017-10, also known as: CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459, CVE-2017-5466, CVE-2017-5434, CVE-2017-5432, CVE-2017-5460, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5464, CVE-2017-5443, CVE-2017-5444, CVE-2017-5446, CVE-2017-5447, CVE-2017-5465, CVE-2017-5448, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5469, - CVE-2017-5445, CVE-2017-5449, CVE-2017-5451, CVE-2017-5462, - CVE-2017-5467, CVE-2017-5430, CVE-2017-5429. - -52.0.2esr-1 [Sun, 02 Apr 2017 06:34:38 +0900] Mike Hommey <glandium@debian.org>: + CVE-2017-5445, CVE-2017-5449, CVE-2017-5451, CVE-2017-5467, + CVE-2017-5453, CVE-2017-5458, CVE-2017-5468, CVE-2017-5430, + CVE-2017-5429. + + * debian/control*: + - Bump nss and hunspell build dependencies. + * debian/browser-dev*, debian/control*, debian/noinstall.in, + debian/rules: Remove the -dev packages, there is no SDK provided + for Firefox anymore. + * debian/browser.install.in: Install manifest.json instead of clearkey.info. + * debian/rules: + - No system hunspell for backports. + - Build against system nspr/nss, experimental has the right versions. + * debian/browser.mozconfig.in, debian/control*, debian/rules: Always enable + rust, and bump the rustc dependency. As of version 54, it is not possible + to disable rust code anymore. While this is still version 53, there is not + much to win by keeping --disable-rust builds on Debian architectures + without rustc for 6 more weeks. 
+ +52.0.2-1 [Sun, 02 Apr 2017 06:45:39 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * debian/browser.mozconfig.in, debian/mls.key: Enable geolocation using @@ -148,14 +486,21 @@ * browser/app/profile/firefox.js: Use the Mozilla Location Service when the Google Key is not there. -52.0.1esr-1 [Sat, 18 Mar 2017 08:27:13 +0900] Mike Hommey <glandium@debian.org>: +52.0.1-1 [Sat, 18 Mar 2017 08:49:59 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fix for mfsa2017-08, also known as CVE-2017-5428. - * debian/browser.mozconfig.in: Build with --enable-alsa. Closes: #857281. - -52.0esr-1 [Thu, 09 Mar 2017 07:24:59 +0900] Mike Hommey <glandium@debian.org>: + * debian/browser.lintian-overrides.in: Add a lintian override for NSPR and + NSS. + * debian/control*: Build depend on libjsoncpp-dev. + + * config/system-headers, + toolkit/crashreporter/jsoncpp/src/lib_json/moz.build, + toolkit/crashreporter/minidump-analyzer/moz.build: Build against system + libjsoncpp. + +52.0-1 [Wed, 08 Mar 2017 10:24:05 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2017-05, also known as: 
@@ -167,26 +512,14 @@ CVE-2017-5405, CVE-2017-5421, CVE-2017-5422, CVE-2017-5399, CVE-2017-5398. - * debian/control*: - - Bump nss and sqlite build dependencies. - - Build depend on libjsoncpp-dev. + * debian/control*: Bump nss and sqlite build dependencies. * debian/rules: - Update ICU_DATA_FILE version. - Don't build against system sqlite until we have the right version in Debian. - * debian/browser.lintian-overrides.in: Add a lintian override for NSPR and - NSS. * debian/browser.install.in: - Install chrome.manifest, libmozsandbox.so and minidump-analyzer. - Remove browser/components. - - * browser/installer/allowed-dupes.mn, - toolkit/mozapps/installer/find-dupes.py, - toolkit/mozapps/installer/packager.mk: Preprocess find-dupes exception - list. bz#1315309. - * config/system-headers, toolkit/crashreporter/jsoncpp/src/lib_json/moz.build, - toolkit/crashreporter/minidump-analyzer/moz.build: Build against system - libjsoncpp. 51.0.1-3 [Thu, 23 Feb 2017 16:34:17 +0900] Mike Hommey <glandium@debian.org>: <http://10.200.17.11/4.2-5/#625228074635423282>
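Review bot: The bug description lists CVE-2017-16541 and CVE-2018-12379 as fixed, but no added changelog entry in the first hunk names either one; the 60.2.0esr-1~deb9u1 entry gives only CVE-2018-12377, CVE-2018-12378 and CVE-2018-12376 for mfsa2018-21. The errata YAML should cite the advisory those two identifiers come from so the announced CVE list can be checked against the package changelog. The same hunk also carries the 60.1.0esr-1 and 60.1.0esr-2 entries, which relax add-on signature enforcement ("debian/vendor.js: Relax the addon signature requirements", "debian/browser.mozconfig.in: Allow unsigned addons in app and system scopes"). Moving from 52.9.0esr to 60.3.0esr therefore changes which extensions the browser will load, and the errata text should say so for administrators who rely on signature enforcement.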
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
the upgrade test for firefox-esr-l10n-be still fails as that package was only re-introduced with 60.2, which was first announced post UCS-4.3-2 and so was not copied to UCS-4.3-2.

[4.2-5] a5182bbfa4 Bug #48132: firefox-esr 60.3.0esr-1~deb8u1
 doc/errata/staging/firefox-esr.yaml | 48 +++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
<http://errata.software-univention.de/ucs/4.2/548.html>