Univention Bugzilla – Bug 50478
firefox-esr: Multiple issues (4.3)
Last modified: 2019-11-13 17:01:46 CET
New Debian firefox-esr 68.2.0esr-1~deb9u2 fixes: This update addresses the following issues: * Use-after-free when creating index updates in IndexedDB (CVE-2019-11757) * Stack buffer overflow in HKDF output (CVE-2019-11759) * Stack buffer overflow in WebRTC networking (CVE-2019-11760) * Unintended access to a privileged JSONView object (CVE-2019-11761) * document.domain-based origin isolation has same-origin-property violation (CVE-2019-11762) * Incorrect HTML parsing results in XSS bypass technique (CVE-2019-11763) * Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2 (CVE-2019-11764) * heap-based buffer over-read via crafted XML input (CVE-2019-15903)
--- mirror/ftp/4.3/unmaintained/4.3-5/source/firefox-esr_60.9.0esr-1~deb9u1.dsc +++ apt/ucs_4.3-0-errata4.3-5/source/firefox-esr_68.2.0esr-1~deb9u2.dsc @@ -1,118 +1,345 @@ -60.9.0esr-1~deb9u1 [Wed, 04 Sep 2019 09:23:23 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - Fixes for mfsa2019-27, also known as: +68.2.0esr-1~deb9u2 [Wed, 06 Nov 2019 12:22:11 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: + + * Don't set the NASM make variable on architectures without nasm, fixes + FTBFS on !x86. + * Output icu build log to stdout rather than to a file. + +68.2.0esr-1~deb9u1 [Thu, 31 Oct 2019 10:22:07 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-33, also known as: + CVE-2019-15903, CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, + CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, + CVE-2019-11764. + +68.1.0esr-1 [Wed, 04 Sep 2019 10:22:21 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-26, also known as CVE-2019-11746, CVE-2019-11744, CVE-2019-11742, CVE-2019-11752, - CVE-2019-9812, CVE-2019-11743, CVE-2019-11740. - -60.8.0esr-1~deb9u1 [Wed, 10 Jul 2019 07:13:23 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2019-22, also known as: + CVE-2019-9812, CVE-2019-11743, CVE-2019-11748, CVE-2019-11749, + CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735, + CVE-2019-11740. + + * debian/upstream.mk: Read source repo and revision from json when + getting upstream info. Instead of the .txt file that doesn't exist + as of 69. + * debian/control*: + - Remove unused build dependency against python-ply. + - Remove python-minimal build dependency. All supported versions + of Debian have a new enough version. + * debian/l10n/gen, debian/latest_nightly.py, debian/rules, + debian/symbols.mk, debian/upstream.mk, debian/watch: Use explicit + python2.7 instead of python. + +68.0.2esr-1 [Sun, 18 Aug 2019 22:27:52 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream ESR release. + +68.0.2-3 [Sun, 18 Aug 2019 20:47:26 +0900] Mike Hommey <glandium@debian.org>: + + * debian/control.in: Take source package name from preprocessing. + + * build/moz.configure/old.configure: Avoid race condition creating + old-configure. bz#1574761. + * dom/media/systemservices/CamerasChild.cpp, + dom/media/systemservices/CamerasParent.cpp, + dom/media/systemservices/VideoEngine.cpp, + dom/media/webrtc/MediaEngineRemoteVideoSource.cpp: Don't use + __PRETTY_FUNCTION__ or __FUNCTION__ as format strings. bz#1531309. + Closes: #925680. + +68.0.2-2 [Sun, 18 Aug 2019 08:41:43 +0900] Mike Hommey <glandium@debian.org>: + + * debian/rules: Fix MOZ_APP_REMOTINGNAME. Upstream build system changes + made the config.status editing trick stop working. Export the variable for + configure to pick it instead. Closes: #932256 + +68.0.2-1 [Thu, 15 Aug 2019 08:06:59 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-24, also known as CVE-2019-11733. + + * debian/control*, debian/rules: Don't build against system vpx >= 1.8.0. + It has API changes that cause FTBFS. + +68.0.1-2 [Fri, 19 Jul 2019 10:51:09 +0900] Mike Hommey <glandium@debian.org>: + + * debian/rules: Work around https://github.com/rust-lang/cargo/issues/7147. + +68.0.1-1 [Fri, 19 Jul 2019 07:53:19 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + + * debian/rules: + - Hook stamps/dh_install-l10n to override_dh_install-indep rather than + binary-indep. + - Pass make job server down through dh_auto_build. + * debian/rules, debian/dh: Wrap dh to ensure debian/rules is invoked with + parallelism. + +68.0-3 [Sun, 14 Jul 2019 15:20:45 +0900] Mike Hommey <glandium@debian.org>: + + * debian/browser.README.Debian.in: Fix a reference to iceweasel in + README.Debian. Thanks Edward Betts. + * debian/rules: + - Only exclude "-g" from dpkg-buildflags output. All the other flags + that used to be excluded either already match upstream or add + reproducibility. + - Don't unexpectedly reset LDFLAGS. + - [firefox-esr] Remove iceweasel transitional packages on bullseye. + - Disable dh_strip_nondeterminism. Upstream build system already avoids + non-determinism it would strip, so there is no need for it further + modifying files. + - Avoid arch:all builds building arch:any stuff. + - Move AUTOCONF_DIRS cleanup after dh_clean. + - Add rust flags to improve reproducibility. + - Only touch or remove configure when it wasn't there to begin with. + - Call configure using its full path. + - Factor common configure arguments. + - Build langpacks with --disable-compile-environment, and pass less + configure arguments. + - Build each langpack from a separate build directory. This means time + wasted running configure more times, but all locales can now be built + in parallel. + * debian/symbols.mk, debian/symbols.apt.conf, debian/symbols.sources.list: + Miscellaneous changes to symbols download script. + * debian/make.mk: Exclude symbols.mk variables from dump output. + * debian/browser.mozconfig.in: Remove redundant --prefix=/usr. + * debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk: + Remove packaging scripts compatibility with Wheezy. + + * moz.configure: Only add confvars.sh as a dependency to config.status + when it exists. bz#1560340. + +68.0-2 [Fri, 12 Jul 2019 20:37:51 +0900] Mike Hommey <glandium@debian.org>: + + * debian/rules, debian/upstream.mk: Account for next Debian release. + * debian/rules, debian/control: Build against system sqlite again. + + * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around GCC ICE + on mips*, i386 and s390x. Closes: #931757 + * python/mozbuild/mozbuild/action/langpack_manifest.py: Use build id as + langpack version for reproducibility. bz#1565504. + +68.0-1 [Wed, 10 Jul 2019 08:22:05 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-21, also known as: CVE-2019-9811, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, - CVE-2019-11729, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, - CVE-2019-11730, CVE-2019-11709. - -60.7.2esr-1~deb9u1 [Thu, 20 Jun 2019 10:48:50 -0700] Mike Hommey <glandium@debian.org>: + CVE-2019-11714, CVE-2019-11715, CVE-2019-11716, CVE-2019-11717, + CVE-2019-11718, CVE-2019-11720, CVE-2019-11721, CVE-2019-11730, + CVE-2019-11723, CVE-2019-11724, CVE-2019-11725, CVE-2019-11727, + CVE-2019-11728, CVE-2019-11710, CVE-2019-11709. + + * debian/control*: Bump nss, sqlite, rustc, cargo and cbindgen build + dependencies. Remove Build-Conflicts with nss 3.44-1, since we now + build-depend on a more recent version. + * debian/rules, debian/control: Don't build against system sqlite, as + Debian doesn't have the required version yet. + * [firefox-esr] debian/l10n/browser-l10n.control*, debian/l10n/gen: + Don't generate iceweasel l10n transition packages for locales that + were never offered with iceweasel. + * debian/control, debian/l10n/browser-l10n.control.in: Add transition + dependencies for Bengali l10n. There is now only one Bengali l10n + package instead of two. + * debian/rules: Disable JIT at build time on mips because it fails to build. + + * build/gyp.mozbuild: Revert patch that disables libyuv assembly on + mips64. It apparently compiles, now. + +67.0.4-1 [Thu, 20 Jun 2019 11:05:27 -0700] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2019-19, also known as CVE-2019-11708. -60.7.1esr-1~deb9u1 [Tue, 18 Jun 2019 11:15:36 -0700] Mike Hommey <glandium@debian.org>: +67.0.3-2 [Wed, 19 Jun 2019 13:16:37 -0700] Mike Hommey <glandium@debian.org>: + + * python/mozbuild/mozbuild/action/node.py: Attempt to work around make issue + happening on arch: all buildd. + +67.0.3-1 [Tue, 18 Jun 2019 11:35:40 -0700] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2019-18, also known as CVE-2019-11707. -60.7.0esr-1~deb9u1 [Wed, 22 May 2019 07:23:08 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2019-14, also known as: +67.0.2-1 [Wed, 12 Jun 2019 06:01:15 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + +67.0.1-1 [Wed, 05 Jun 2019 07:14:08 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + +67.0-4 [Sun, 02 Jun 2019 13:13:13 +0900] Mike Hommey <glandium@debian.org>: + + * debian/rules: Work around FTBFS on mips* by disabling webrtc + Build fails because of missing configurations for mips*. + * debian/control*: Build-Conflicts with libnss3-dev 2:3.44-1. + Closes: #929846. + + * js/src/jit/mips32/MacroAssembler-mips32-inl.h: Fix FTBFS on mips/mipsel. + bz#1556197. + +67.0-3 [Sat, 01 Jun 2019 13:44:05 +0900] Mike Hommey <glandium@debian.org>: + + * media/webrtc/trunk/webrtc/system_wrappers/source/cpu_features.cc: Remove + WebRtc_GetCPUFeaturesARM from cpu_features.cc. It is already in + cpu_features_linux.c (and is not in cpu_features.cc in webrtc upstream). + Fixes FTBFS on armhf. bz#1523162. + +67.0-2 [Sat, 01 Jun 2019 09:18:27 +0900] Mike Hommey <glandium@debian.org>: + + * debian/extra-stuff/addonsInfo.jsm: + - Avoid running -dumps-addons-info without a running Firefox counting as a + crash. + - Support addons in resource:// locations in -dump-addons-info + + * js/src/wasm/WasmSignalHandlers.cpp: Include struct definitions for + user_vfp and user_vfp_exc. Fixes FTBFS on armhf. bz#1526653. + * js/src/jit/mips*/MacroAssembler-mips*-inl.h, + js/src/jit/mips*/Trampoline-mips*.cpp: Fix functions: branchTestBigInt, + negPtr, generateVMWrapper on MIPS. bz#1544631. + * toolkit/modules/sessionstore/PrivacyFilter.jsm: Update and harden form + data filtering for privacy to account for no data being passed in. + bz#1553413. + +67.0-1 [Wed, 22 May 2019 09:28:01 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-13, also known as: CVE-2019-9816, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, - CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-7317, - CVE-2019-9797, CVE-2018-18511, CVE-2019-11698, CVE-2019-5798, + CVE-2019-9821, CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, + CVE-2019-7317, CVE-2019-11695, CVE-2019-11696, CVE-2019-11697, + CVE-2019-11698, CVE-2019-11699, CVE-2019-11701, CVE-2019-9814, CVE-2019-9800. - - * debian/rules: Avoid rust build errors with newer versions of rustc by - capping lints to warnings. - -60.6.3esr-1~deb9u1 [Thu, 09 May 2019 05:14:54 +0900] Mike Hommey <glandium@debian.org>: + * Upload to experimental because the required cbindgen is not available in + unstable. + + * debian/control*: Bump nspr, sqlite, rustc, cargo and cbindgen build + dependencies. + * debian/extra-stuff/addonsInfo.*, debian/extra-stuff/moz.build, + debian/installer/package-manifest.browser, debian/rules: + Modernize addonsInfo per bz#1431533, bz#1432992, bz#1514594, bz#1524688, + etc. + +66.0.5-1 [Wed, 08 May 2019 08:07:21 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. - Additional fixes for addon signature validation. -60.6.2esr-1~deb9u1 [Sun, 05 May 2019 20:12:37 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - - Fixes issues with addon signature validation. Closes: #928415, #928449. +66.0.4-1 [Sun, 05 May 2019 22:52:24 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + - Fixes issues with addon signature validation. Closes: #928417. Note: this didn't affect addons installed via Debian packages. -60.6.1esr-1~deb9u1 [Sun, 24 Mar 2019 08:15:11 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2019-10, also known as: +66.0.1-1 [Sun, 24 Mar 2019 08:17:24 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-09, also known as: CVE-2019-9810, CVE-2019-9813. -60.6.0esr-1~deb9u1 [Wed, 20 Mar 2019 10:18:56 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2019-08, also known as: + * debian/control*: Bump nss, sqlite, rustc, cargo and cbindgen build + dependencies. + +66.0-1 [Wed, 20 Mar 2019 18:35:38 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-07, also known as: CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793, - CVE-2019-9795, CVE-2019-9796, CVE-2018-18506, CVE-2019-9788. - - * debian/rules: Disable debug symbols on mips/mipsel on buster. - The rust compiler can't deal with them in the available address space. + CVE-2019-9795, CVE-2019-9796, CVE-2019-9797, CVE-2019-9799, + CVE-2019-9802, CVE-2019-9803, CVE-2019-9805, CVE-2019-9806, + CVE-2019-9807, CVE-2019-9809, CVE-2019-9808, CVE-2019-9789, + CVE-2019-9788. + * debian/browser.mozconfig.in: Adjust to the upstream change wrt Google API key configure options. - -60.5.1esr-1~deb9u1 [Thu, 14 Feb 2019 18:35:06 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2019-05, also known as: - CVE-2018-18356, CVE-2019-5785. + * debian/control*: Add nasm build dependency on amd64 and i386. + +65.0.1-1 [Thu, 14 Feb 2019 19:33:05 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-04, also known as: + CVE-2018-18356, CVE-2019-5795, CVE-2018-18511. * debian/rules, debian/upstream.mk: Manually set the update channel. Closes: #921381, #921121, #921654. - * debian/rules: Disable ion JIT on mips and mipsel. This should fix the + * debian/rules: Build with -mfp32 on mips and mipsel. This should fix the FTBFS. -60.5.0esr-1~deb9u1 [Wed, 30 Jan 2019 09:53:01 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2019-02, also known as: - CVE-2018-18500, CVE-2018-18505, CVE-2018-18501. - -60.4.0esr-1~deb9u1 [Wed, 12 Dec 2018 08:29:04 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-30, also known as: - CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494, - CVE-2018-18498, CVE-2018-12405. - +65.0-1 [Wed, 30 Jan 2019 11:04:24 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-01, also known as: + CVE-2018-18500, CVE-2018-18503, CVE-2018-18504, CVE-2018-18505, + CVE-2018-18506, CVE-2018-18502, CVE-2018-18501. + + * debian/control*: Bump nss, sqlite, rustc, cargo and cbindgen build + dependencies. + * debian/browser.install.in: Install libmozwayland.so. + +64.0-1 [Wed, 12 Dec 2018 09:26:47 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-29, also known as: + CVE-2018-12407, CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, + CVE-2018-18494, CVE-2018-18495, CVE-2018-18496, CVE-2018-18497, + CVE-2018-18498, CVE-2018-12406, CVE-2018-12405. + + * debian/rules, debian/browser.install.in: Properly copy the watermark + to /usr/share/icons/hicolor/symbolic/apps. + * debian/rules: Disable debug symbols on 32-bits architectures, that + requires too much memory. + * debian/browser.mozconfig.in: + - Remove --enable-pie option, it's the default, now. + - Remove --disable-nodejs now that it's required. + * debian/control*: + - Bump rustc, cargo, cbindgen, nss and sqlite dependencies. + - Add nodejs build dependency. + * debian/browser-symbolic.svg.in: Import the watermark used for the + symbolic icon in the debian/ directory. + +63.0.3-1 [Mon, 26 Nov 2018 10:17:08 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + + * debian/control*: Build depend on unversioned clang/llvm. + Closes: #912802. * debian/rules: Use embedded libevent in backports. Closes: #910397. - * debian/browser.install.in, debian/rules: Properly copy the watermark to - /usr/share/icons/hicolor/symbolic/apps. - * debian/rules: Pass compiler and compiler flags environment variables - down to ICU configure. That will make it use GCC instead of defaulting - to clang now it's in PATH, avoiding the failing to build the ICU data - file on big endian platforms because clang doesn't know some of the GCC - flags it somehow got from the environment. + * debian/rules: Use GNU gold linker on i386 because BFD ld fails to link + libxul.so (memory exhausted). * build/unix/elfhack/test.c: Try to ensure the bss section of the elfhack testcase stays large enough. bz#1505608. * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB on systems with large pages. bz#1507035. Closes: #911898. - -60.3.0esr-1~deb9u1 [Wed, 24 Oct 2018 07:17:22 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-27, also known as: + * media/libaom/moz.build: Use NEON_FLAGS instead of VPX_ASFLAGS for + libaom neon code. + * gfx/cairo/libpixman/src/pixman-vmx.c: Protect #include <config.h> in + pixman-vmx.c like in other pixman-*.c files + +63.0.1-1 [Fri, 02 Nov 2018 10:50:57 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * debian/google.key: Use new Google API key, courtesy of Francois Marier. + +63.0-1 [Wed, 24 Oct 2018 08:32:15 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-26, also known as: CVE-2018-12392, CVE-2018-12393, CVE-2018-12395, CVE-2018-12396, - CVE-2018-12397, CVE-2018-12389, CVE-2018-12390. - - * debian/rules: Work around armel FTBFS from conflicting __sync_* symbols - between libgcc and rust's compiler_builtins. - -60.2.2esr-1~deb9u1 [Wed, 03 Oct 2018 07:28:38 +0900] Mike Hommey <glandium@debian.org>: + CVE-2018-12397, CVE-2018-12398, CVE-2018-12399, CVE-2018-12401, + CVE-2018-12402, CVE-2018-12403, CVE-2018-12388, CVE-2018-12390. + + * debian/control*: + - Bump nss dependency. + - Add build dependency on cbindgen. + * debian/browser.mozconfig.in: Disable nodejs until it's actually necessary. + * debian/rules: Add -Wl,--compress-debug-sections=zlib to LDFLAGS to work + around elfhack failing with unstripped binaries larger than 2GiB. + +62.0.3-1 [Wed, 03 Oct 2018 16:21:53 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2018-24, also known as: @@ -123,18 +350,21 @@ * debian/control*, debian/browser.mozconfig.in: Build ALSA support. Closes: #864987, #900062, #908349 -60.2.1esr-1~deb9u1 [Sat, 22 Sep 2018 08:10:27 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-23, also known as: - CVE-2018-12385, CVE-2018-12383. - - * debian/control*: +62.0.2-1 [Sat, 22 Sep 2018 09:02:25 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-22, also known as CVE-2018-12385. + * Ignore locale change events for the search service on shutdown. + bz#1489820. Closes: #908932. + + * debian/control*: + - Remove the sqlite and nss dependencies when not building against the + system libraries. - Enforce nss, nspr and sqlite dependencies to the same versions as build dependencies. There are subtle non-ABI differences between versions that Firefox might be relying on (be it features, behavior changes/fixes, etc.) and can cause subtle problems when older - versions are used. + versions are used. Closes: #908225, #908520. - Add a suggestion for pulseaudio. * debian/rules, debian/control: Add libavcodec-extra* packages to the list of recommends. Closes: #909130 @@ -144,48 +374,42 @@ * gfx/2d/Swizzle.cpp: Use Swizzle fallback when SSE2 is not supported. bz#1492065. Closes: #877445. -60.2.0esr-1~deb9u2 [Fri, 07 Sep 2018 18:21:32 +0900] Mike Hommey <glandium@debian.org>: - - * debian/control*: Remove the sqlite and nss dependencies when not building - against the system libraries. - -60.2.0esr-1~deb9u1 [Thu, 06 Sep 2018 06:18:15 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-21, also known as: - CVE-2018-12377, CVE-2018-12378, CVE-2018-12376. - +62.0-1 [Thu, 06 Sep 2018 07:42:45 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-20, also known as: + CVE-2018-12377, CVE-2018-12378, CVE-2018-12383, CVE-2018-12375, + CVE-2018-12376. + + * debian/control*: + - Bump nss and sqlite build dependencies. + - Build depend on llvm/clang 6.0 for buster. Closes: #906175. + * debian/browser.mozconfig.in, debian/control*, debian/rules: Remove + build dependency on libbz2-dev. It's not used anymore. + * debian/noinstall.in: Remove the dictionaries directory, not part + of the packaged Firefox anymore. * debian/l10n/gen: Use iso-codes json data instead of XML when present. Closes: #907611. * widget/gtk/nsAppShell.cpp: Use remoting name for call to gdk_set_program_class. Closes: #907574. -60.1.0esr-3 [Sat, 18 Aug 2018 08:30:36 +0900] Mike Hommey <glandium@debian.org>: - - * debian/control*: - - Build depend on llvm/clang 6.0 for buster. Closes: #906174. - - Bump NSS build dependency to 3.36.4. Closes: #902573. - - * gfx/skia/skia/include/core/SkColorPriv.h, - gfx/skia/skia/include/core/SkImageInfo.h, - gfx/skia/skia/include/gpu/GrTypes.h, - gfx/skia/skia/src/core/SkColorData.h: fix big-endian Skia builds. - bz#1144632. - -60.1.0esr-2 [Sun, 12 Aug 2018 13:43:20 +0900] Mike Hommey <glandium@debian.org>: - - * Upload to unstable. - * debian/upstream.mk: Use the same logic for betas as for releases to find - the source. +61.0.1-1 [Thu, 19 Jul 2018 06:54:40 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + +61.0-2 [Sun, 08 Jul 2018 10:39:03 +0900] Mike Hommey <glandium@debian.org>: + + * debian/browser.mozconfig.in, debian/control*, debian/rules: Remove + build dependency on system libhunspell. Using system hunspell lacks + features required by Firefox. Next version of Firefox doesn't allow + to build against system hunspell anyways. Closes: #900469. * debian/browser.links.in, debian/rules, debian/vendor.js: Use the spellchecker.dictionary_path pref to set the hunspell directory. * debian/browser.mozconfig.in: Allow unsigned addons in app and system scopes. * debian/rules: Work around the effect the above has on the --{enable,with}-system-* check. - * debian/vendor.js: Remove extensions.unsignedScopes. The patch that added - the pref was changed to use a configure flag instead. * debian/control*: Remove old conflicts. Thanks Sylvestre Ledru. Closes: #882956. * debian/l10n/recommends, debian/l10n/browser-l10n.control, @@ -200,40 +424,72 @@ * debian/control*, debian/rules: Add Recommends on all supported libavcodec libraries for h264 playback. Closes: #901600. - * js/src/jit/mips-shared/MacroAssembler-mips-shared.cpp: Stubout - MacroAssembler::speculationBarrier. bz#1444834 * toolkit/modules/AppConstants.jsm, toolkit/modules/moz.build, toolkit/moz.configure, toolkit/mozapps/extensions/internal/XPIInstall.jsm, toolkit/mozapps/extensions/content/extensions.js, toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Change how addon signature requirement relaxation is done. Closes: #899390. -60.1.0esr-1 [Wed, 27 Jun 2018 10:15:42 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - * Fixes for mfsa2018-16, also known as: - CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, - CVE-2018-5156, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, - CVE-2018-12371, CVE-2018-12366, CVE-2018-12367, CVE-2018-12369, - CVE-2018-5187, CVE-2018-5188. - +61.0-1 [Wed, 27 Jun 2018 10:25:44 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-15, also known as: + CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12358, + CVE-2018-12362, CVE-2018-5156, CVE-2018-12363, CVE-2018-12364, + CVE-2018-12365, CVE-2018-12371, CVE-2018-12366, CVE-2018-12367, + CVE-2018-12369, CVE-2018-12370, CVE-2018-5186, CVE-2018-5187, + CVE-2018-5188. + + * debian/control*: + - Bump nss and sqlite build dependencies. + - Add a build dependency on python3. + * debian/browser.install.in: Adjust to upstream changes. * debian/vendor.js: Relax the addon signature requirements. + + * toolkit/mozapps/extensions/content/extensions.js, + toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Allow to relax the + addon signature requirements. + +60.0.2-2 [Sun, 24 Jun 2018 09:23:16 +0900] Mike Hommey <glandium@debian.org>: * build/unix/elfhack/elfhack.cpp, build/unix/elfhack/inject.c, build/unix/elfhack/test.c: Use run-time page size when changing mapping permissions in elfhack injected code. bz#1470701. Closes: #902231. - * toolkit/mozapps/extensions/content/extensions.js, - toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Allow to relax the - addon signature requirements. - -60.0.2esr-1 [Fri, 08 Jun 2018 17:49:37 +0900] Mike Hommey <glandium@debian.org>: + +60.0.2-1 [Fri, 08 Jun 2018 18:25:04 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2018-14, also known as CVE-2018-6126. + * debian/upstream.mk: Use the same logic for betas as for releases to find + the source. * debian/browser.NEWS.in: Adjust to show the ESR version. -60.0.1esr-2 [Tue, 22 May 2018 10:05:55 +0900] Mike Hommey <glandium@debian.org>: +60.0.1-5 [Tue, 22 May 2018 08:01:55 +0900] Mike Hommey <glandium@debian.org>: + + * gfx/skia/moz.build: Revert change from 60.0.1-4. + * dom/media/webaudio/blink/DenormalDisabler.h: Avoid using vmrs/vmsr on + armel. + * mfbt/LinuxSignal.h, mfbt/moz.build, + tools/profiler/core/platform-linux-android.cpp: Remove + MOZ_SIGNAL_TRAMPOLINE. bz#1463035. + * build/autoconf/arch.m4: Add -mfloat-abi=softfp to NEON_FLAGS when it makes + sense. bz#1463036. + * xpcom/string/moz.build: Use HAVE_ARM_NEON instead of BUILD_ARM_NEON for + nsUTF8UtilsNEON.cpp. bz#1463036. + +60.0.1-4 [Mon, 21 May 2018 07:58:43 +0900] Mike Hommey <glandium@debian.org>: + + * gfx/skia/moz.build: Don't build skia neon on armel. + +60.0.1-3 [Sun, 20 May 2018 10:12:15 +0900] Mike Hommey <glandium@debian.org>: + + * debian/browser.links.in: Remove /usr/lib/*/browser/icons symlink, leftover + after the removal of /usr/share/*/browser/icons. Closes: #893323. + + * media/webrtc/trunk/moz.build: Only build webrtc neon on aarch64. + +60.0.1-2 [Sat, 19 May 2018 13:07:39 +0900] Mike Hommey <glandium@debian.org>: * third_party/rust/libc/.cargo-checksum.json, third_party/rust/libc/src/unix/notbsd/linux/mod.rs, @@ -247,28 +503,11 @@ configure. bz#1462859. * media/webrtc/trunk/gtest/moz.build: Link chromium_atomics to webrtc tests. bz#1462873. - * media/webrtc/trunk/moz.build: Only build webrtc neon on aarch64. - * browser/locales/Makefile.in, - python/mozbuild/mozbuild/action/langpack_manifest.py, - python/mozbuild/mozbuild/test/action/test_langpack_manifest.py, - toolkit/locales/l10n.mk: Use MOZ_LANGPACK_EID in langpacks manifest.json. - bz#1455100. Closes: #899160. - * dom/media/webaudio/blink/DenormalDisabler.h: Avoid using vmrs/vmsr on - armel. - * mfbt/LinuxSignal.h, mfbt/moz.build, - tools/profiler/core/platform-linux-android.cpp: Remove - MOZ_SIGNAL_TRAMPOLINE. bz#1463035. - * build/autoconf/arch.m4: Add -mfloat-abi=softfp to NEON_FLAGS when it makes - sense. bz#1463036. - * xpcom/string/moz.build: Use HAVE_ARM_NEON instead of BUILD_ARM_NEON for - nsUTF8UtilsNEON.cpp. bz#1463036. - -60.0.1esr-1 [Sat, 19 May 2018 07:25:23 +0900] Mike Hommey <glandium@debian.org>: - - * New upstream release. - - * debian/browser.links.in: Remove /usr/lib/*/browser/icons symlink, leftover - after the removal of /usr/share/*/browser/icons. Closes: #893323. + +60.0.1-1 [Sat, 19 May 2018 07:25:23 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * debian/control*: Remove mozplugger suggestion. Closes: #888396. * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, debian/rules: Remove the option to build against gtk+2, it is not @@ -280,7 +519,7 @@ * js/src/jit/mips-shared/LIR-mips-shared.h, js/src/jit/mips32/LIR-mips32.h, js/src/jit/mips64/LIR-mips64.h: Fix FTBFS on mips*. bz#1444303. -60.0esr-1 [Thu, 10 May 2018 09:36:46 +0900] Mike Hommey <glandium@debian.org>: +60.0-1 [Thu, 10 May 2018 09:36:46 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2018-11, also known as @@ -302,8 +541,6 @@ * debian/browser.mozconfig.in: Revert workaround for bz#1341234. * debian/browser.install.in, debian/rules: Don't install the ICU data file, it's linked as a data section in libxul. - * debian/control, debian/rules: Remove iceweasel transitional packages - in non-backports. * modules/libpref/parser/src/lib.rs: Adapt to upstream changes to keep supporting lockPref() for transition purposes, now that upstream <http://10.200.17.11/4.3-5/#497621981609481335>
OK: yaml OK: announce_errata OK: patch OK: piuparts new translation packages [4.3-5] cd901c6de6 Bug #50478: firefox-esr 68.2.0esr-1~deb9u2 doc/errata/staging/firefox-esr.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) [4.3-5] f3b41bcb72 Bug #50478: firefox-esr 68.2.0esr-1~deb9u2 doc/errata/staging/firefox-esr.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+)
<http://errata.software-univention.de/ucs/4.3/610.html>