Maintainer Pavel Vasenkov in the sisyphus branch: Information

- Fix removing depricated i810 definations
- New version.
- Security fixes:
  + CVE-2023-32205 Browser prompts could have been obscured by popups
  + CVE-2023-32206 Crash in RLBox Expat driver
  + CVE-2023-32207 Potential permissions request bypass via clickjacking
  + CVE-2023-32211 Content process crash due to invalid wasm code
  + CVE-2023-32212 Potential spoof due to obscured address bar
  + CVE-2023-32213 Potential memory corruption in FileReader::DoReadData()
  + CVE-2023-32214 Potential DoS via exposed protocol handlers
  + CVE-2023-32215 Memory safety bugs fixed in Thunderbird 102.11
- New ESR version.
- Security fixes
  + CVE-2023-32205 Browser prompts could have been obscured by popups
  + CVE-2023-32206 Crash in RLBox Expat driver
  + CVE-2023-32207 Potential permissions request bypass via clickjacking
  + CVE-2023-32211 Content process crash due to invalid wasm code
  + CVE-2023-32212 Potential spoof due to obscured address bar
  + CVE-2023-32213 Potential memory corruption in FileReader::DoReadData()
  + CVE-2023-32214 Potential DoS via exposed protocol handlers
  + CVE-2023-32215 Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
- New ESR version.
- Security fixes
  + CVE-2023-29531 Out-of-bound memory access in WebGL on macOS
  + CVE-2023-29532 Mozilla Maintenance Service Write-lock bypass
  + CVE-2023-29533 Fullscreen notification obscured
  + CVE-2023-1999 Double-free in libwebp
  + CVE-2023-29535 Potential Memory Corruption following Garbage Collector compaction
  + CVE-2023-29536 Invalid free from JavaScript code
  + CVE-2023-29539 Content-Disposition filename truncation leads to Reflected File Download
  + CVE-2023-29541 Files with malicious extensions could have been downloaded unsafely on Linux
  + CVE-2023-29542 Bypass of file download extension restrictions
  + CVE-2023-29545 Windows Save As dialog resolved environment variables
  + CVE-2023-1945 Memory Corruption in Safe Browsing Code
  + CVE-2023-29548 Incorrect optimization result on ARM64
  + CVE-2023-29550 Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
- New version.
- Security fixes:
  + CVE-2023-29531 Out-of-bound memory access in WebGL on macOS
  + CVE-2023-29532 Mozilla Maintenance Service Write-lock bypass
  + CVE-2023-29533 Fullscreen notification obscured
  + CVE-2023-1999 Double-free in libwebp
  + CVE-2023-29535 Potential Memory Corruption following Garbage Collector compaction
  + CVE-2023-29536 Invalid free from JavaScript code
  + CVE-2023-0547 Revocation status of S/Mime recipient certificates was not checked
  + CVE-2023-29479 Hang when processing certain OpenPGP messages
  + CVE-2023-29539 Content-Disposition filename truncation leads to Reflected File Download
  + CVE-2023-29541 Files with malicious extensions could have been downloaded unsafely on Linux
  + CVE-2023-29542 Bypass of file download extension restrictions
  + CVE-2023-29545 Windows Save As dialog resolved environment variables
  + CVE-2023-1945 Memory Corruption in Safe Browsing Code
  + CVE-2023-29548 Incorrect optimization result on ARM64
  + CVE-2023-29550 Memory safety bugs fixed in Thunderbird 102.10
- New version.
- Security fixes:
  + CVE-2023-25751 Incorrect code generation during JIT compilation
  + CVE-2023-28164 URL being dragged from a removed cross-origin iframe into the same tab triggered navigation
  + CVE-2023-28162 Invalid downcast in Worklets
  + CVE-2023-25752 Potential out-of-bounds when accessing throttled streams
  + CVE-2023-28163 Windows Save As dialog resolved environment variables
  + CVE-2023-28176 Memory safety bugs fixed in Thunderbird 102.9
- New ESR version.
- Security fixes
  + CVE-2023-25751 Incorrect code generation during JIT compilation
  + CVE-2023-28164 URL being dragged from a removed cross-origin iframe into the same tab triggered navigation
  + CVE-2023-28162 Invalid downcast in Worklets
  + CVE-2023-25752 Potential out-of-bounds when accessing throttled streams
  + CVE-2023-28163 Windows Save As dialog resolved environment variables
  + CVE-2023-28176 Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9
- New ESR version.
- Security fixes
  + CVE-2023-25728 Content security policy leak in violation reports using iframes
  + CVE-2023-25730 Screen hijack via browser fullscreen mode
  + CVE-2023-0767 Arbitrary memory write via PKCS 12 in NSS
  + CVE-2023-25735 Potential use-after-free from compartment mismatch in SpiderMonkey
  + CVE-2023-25737 Invalid downcast in SVGUtils::SetupStrokeGeometry
  + CVE-2023-25738 Printing on Windows could potentially crash Firefox with some device drivers
  + CVE-2023-25739 Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
  + CVE-2023-25729 Extensions could have opened external schemes without user knowledge
  + CVE-2023-25732 Out of bounds memory write from EncodeInputStream
  + CVE-2023-25734 Opening local .url files could cause unexpected network loads
  + CVE-2023-25742 Web Crypto ImportKey crashes tab
  + CVE-2023-25744 Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8
  + CVE-2023-25746 Memory safety bugs fixed in Firefox ESR 102.8
- New version.
- Security fixes:
  + CVE-2023-0616 User Interface lockup with messages combining S/MIME and OpenPGP
  + CVE-2023-25728 Content security policy leak in violation reports using iframes
  + CVE-2023-25730 Screen hijack via browser fullscreen mode
  + CVE-2023-0767 Arbitrary memory write via PKCS 12 in NSS
  + CVE-2023-25735 Potential use-after-free from compartment mismatch in SpiderMonkey
  + CVE-2023-25737 Invalid downcast in SVGUtils::SetupStrokeGeometry
  + CVE-2023-25738 Printing on Windows could potentially crash Thunderbird with some device drivers
  + CVE-2023-25739 Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
  + CVE-2023-25729 Extensions could have opened external schemes without user knowledge
  + CVE-2023-25732 Out of bounds memory write from EncodeInputStream
  + CVE-2023-25734 Opening local .url files could cause unexpected network loads
  + CVE-2023-25742 Web Crypto ImportKey crashes tab
  + CVE-2023-25746 Memory safety bugs fixed in Thunderbird 102.8
- New ESR version.
- Security fixes
  + CVE-2022-46871 libusrsctp library out of date
  + CVE-2023-23598 Arbitrary file read from GTK drag and drop on Linux
  + CVE-2023-23599 Malicious command could be hidden in devtools output on Windows
  + CVE-2023-23601 URL being dragged from cross-origin iframe into same tab triggers navigation
  + CVE-2023-23602 Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
  + CVE-2022-46877 Fullscreen notification bypass
  + CVE-2023-23603 Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive
  + CVE-2023-23605 Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
- New version.
- Security fixes:
  + CVE-2023-0430 Revocation status of S/Mime signature certificates was not checked
- New version.
- Security fixes:
  + CVE-2022-46871 libusrsctp library out of date
  + CVE-2023-23598 Arbitrary file read from GTK drag and drop on Linux
  + CVE-2023-23599 Malicious command could be hidden in devtools output on Windows
  + CVE-2023-23601 URL being dragged from cross-origin iframe into same tab triggers navigation
  + CVE-2023-23602 Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
  + CVE-2022-46877 Fullscreen notification bypass
  + CVE-2023-23603 Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive
  + CVE-2023-23605 Memory safety bugs fixed in Thunderbird 102.7
- Update from upstream
- Fix missed header file
- Update source url(Closes: #40516)
- New version.
- Security fixes:
  + CVE-2022-46874 Drag and Dropped Filenames could have been truncated to malicious extensions
- New version.
- Security fixes:
  + CVE-2022-46880 Use-after-free in WebGL
  + CVE-2022-46872 Arbitrary file read from a compromised content process
  + CVE-2022-46881 Memory corruption in WebGL
  + CVE-2022-46874 Drag and Dropped Filenames could have been truncated to malicious extensions
  + CVE-2022-46875 Download Protections were bypassed by .atloc and .ftploc files on Mac OS
  + CVE-2022-46882 Use-after-free in WebGL
  + CVE-2022-46878 Memory safety bugs fixed in Thunderbird 102.6
- New ESR version.
- Security fixes
  + CVE-2022-46880 Use-after-free in WebGL
  + CVE-2022-46872 Arbitrary file read from a compromised content process
  + CVE-2022-46881 Memory corruption in WebGL
  + CVE-2022-46874 Drag and Dropped Filenames could have been truncated to malicious extensions
  + CVE-2022-46875 Download Protections were bypassed by .atloc and .ftploc files on Mac OS
  + CVE-2022-46882 Use-after-free in WebGL
  + CVE-2022-46878 Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
- Build with llvm-version 12 instead llvm-version 13 (Closes: #44436)
- New version.
- Security fixes:
  + CVE-2022-45414 Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration
- New version
- New ESR version.
- Security fixes:
  + CVE-2022-45403 Service Workers might have learned size of cross-origin media files
  + CVE-2022-45404 Fullscreen notification bypass
  + CVE-2022-45405 Use-after-free in InputStream implementation
  + CVE-2022-45406 Use-after-free of a JavaScript Realm
  + CVE-2022-45408 Fullscreen notification bypass via windowName
  + CVE-2022-45409 Use-after-free in Garbage Collection
  + CVE-2022-45410 ServiceWorker-intercepted requests bypassed SameSite cookie policy
  + CVE-2022-45411 Cross-Site Tracing was possible via non-standard override headers
  + CVE-2022-45412 Symlinks may resolve to partially uninitialized buffers
  + CVE-2022-45416 Keystroke Side-Channel Leakage
  + CVE-2022-45418 Custom mouse cursor could have been drawn over browser UI
  + CVE-2022-45420 Iframe contents could be rendered outside the iframe
  + CVE-2022-45421 Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
- New version.
- Security fixes:
  + CVE-2022-45403 Service Workers might have learned size of cross-origin media files
  + CVE-2022-45404 Fullscreen notification bypass
  + CVE-2022-45405 Use-after-free in InputStream implementation
  + CVE-2022-45406 Use-after-free of a JavaScript Realm
  + CVE-2022-45408 Fullscreen notification bypass via windowName
  + CVE-2022-45409 Use-after-free in Garbage Collection
  + CVE-2022-45410 ServiceWorker-intercepted requests bypassed SameSite cookie policy
  + CVE-2022-45411 Cross-Site Tracing was possible via non-standard override headers
  + CVE-2022-45412 Symlinks may resolve to partially uninitialized buffers
  + CVE-2022-45416 Keystroke Side-Channel Leakage
  + CVE-2022-45418 Custom mouse cursor could have been drawn over browser UI
  + CVE-2022-45420 Iframe contents could be rendered outside the iframe
  + CVE-2022-45421 Memory safety bugs fixed in Thunderbird 102.5
- New version.
- New version.
- New ESR version.
- Security fixes:
  + CVE-2022-42927 Same-origin policy violation could have leaked cross-origin URLs
  + CVE-2022-42928 Memory Corruption in JS Engine
  + CVE-2022-42929 Denial of Service via window.print
  + CVE-2022-42932 Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4
- New ESR version.
- Security fixes:
  + CVE-2022-3266 Out of bounds read when decoding H264
  + CVE-2022-40959 Bypassing FeaturePolicy restrictions on transient pages
  + CVE-2022-40960 Data-race when parsing non-UTF-8 URLs in threads
  + CVE-2022-40958 Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
  + CVE-2022-40956 Content-Security-Policy base-uri bypass
  + CVE-2022-40957 Incoherent instruction cache when building WASM on ARM64
  + CVE-2022-40962 Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3
- New version.
- Security fixes:
  + CVE-2022-39249 Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators
  + CVE-2022-39250 Matrix SDK bundled with Thunderbird vulnerable to a device verification attack
  + CVE-2022-39251 Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack
  + CVE-2022-39236 Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue
- Update language support
- New version.
- Security fixes:
  + CVE-2022-3033 Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
  + CVE-2022-3032 Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
  + CVE-2022-3034 An iframe element in an HTML email could trigger a network request
  + CVE-2022-36059 Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
- New version.
- Security fixes:
  + CVE-2022-38472 Address bar spoofing via XSLT error handling
  + CVE-2022-38473 Cross-origin XSLT Documents would have inherited the parent's permissions
  + CVE-2022-38476 Data race and potential use-after-free in PK11_ChangePW
  + CVE-2022-38477 Memory safety bugs fixed in Thunderbird 102.2
  + CVE-2022-38478 Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13
- New ESR version.
- Security fixes:
  + CVE-2022-38472 Address bar spoofing via XSLT error handling
  + CVE-2022-38473 Cross-origin XSLT Documents would have inherited the parent's permissions
  + CVE-2022-38476 Data race and potential use-after-free in PK11_ChangePW
  + CVE-2022-38477 Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
  + CVE-2022-38478 Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13
- New ESR version.
- Security fixes:
  + CVE-2022-36319 Mouse Position spoofing with CSS transforms
  + CVE-2022-36318 Directory indexes for bundled resources reflected URL parameters
  + CVE-2022-36314 Opening local <code>.lnk</code> files could cause unexpected network loads
  + CVE-2022-2505 Memory safety bugs fixed in Firefox 103 and 102.1
- New ESR version.
- Security fixes:
  + CVE-2022-34479 A popup window could be resized in a way to overlay the address bar with web content
  + CVE-2022-34470 Use-after-free in nsSHistory
  + CVE-2022-34468 CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
  + CVE-2022-34481 Potential integer overflow in ReplaceElementsAt
  + CVE-2022-31744 CSP bypass enabling stylesheet injection
  + CVE-2022-34472 Unavailable PAC file resulted in OCSP requests being blocked
  + CVE-2022-34478 Microsoft protocols can be attacked if a user accepts a prompt
  + CVE-2022-2200 Undesired attributes could be set as part of prototype pollution
  + CVE-2022-34484 Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
- New version.
- Security fixes:
  + CVE-2022-31736 Cross-Origin resource's length leaked
  + CVE-2022-31737 Heap buffer overflow in WebGL
  + CVE-2022-31738 Browser window spoof using fullscreen mode
  + CVE-2022-31739 Attacker-influenced path traversal when saving downloaded files
  + CVE-2022-31740 Register allocation problem in WASM on arm64
  + CVE-2022-31741 Uninitialized variable leads to invalid memory read
  + CVE-2022-1834 Braille space character caused incorrect sender email to be shown for a digitally signed email
  + CVE-2022-31742 Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
  + CVE-2022-31747 Memory safety bugs fixed in Thunderbird 91.10
- New ESR version.
- Security fixes:
  + CVE-2022-31736 Cross-Origin resource's length leaked
  + CVE-2022-31737 Heap buffer overflow in WebGL
  + CVE-2022-31738 Browser window spoof using fullscreen mode
  + CVE-2022-31739 Attacker-influenced path traversal when saving downloaded files
  + CVE-2022-31740 Register allocation problem in WASM on arm64
  + CVE-2022-31741 Uninitialized variable leads to invalid memory read
  + CVE-2022-31742 Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
  + CVE-2022-31747 Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
- New version.
- Security fixes:
  + CVE-2022-1802 Prototype pollution in Top-Level Await implementation
  + CVE-2022-1529 Untrusted input used in JavaScript object indexing, leading to prototype pollution
- New ESR version.
- Security fixes:
  + CVE-2022-1802 Prototype pollution in Top-Level Await implementation
  + CVE-2022-1529 Untrusted input used in JavaScript object indexing, leading to prototype pollution
- New ESR version.
- Security fixes:
  + CVE-2022-29914 Fullscreen notification bypass using popups
  + CVE-2022-29909 Bypassing permission prompt in nested browsing contexts
  + CVE-2022-29916 Leaking browser history with CSS variables
  + CVE-2022-29911 iframe Sandbox bypass
  + CVE-2022-29912 Reader mode bypassed SameSite cookies
  + CVE-2022-29917 Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
- New ESR version.
- Security fixes:
  + CVE-2022-1097 Use-after-free in NSSToken objects
  + CVE-2022-28281 Out of bounds write due to unexpected WebAuthN Extensions
  + CVE-2022-1196 Use-after-free after VR Process destruction
  + CVE-2022-28282 Use-after-free in DocumentL10n::TranslateDocument
  + CVE-2022-28285 Incorrect AliasSet used in JIT Codegen
  + CVE-2022-28286 iframe contents could be rendered outside the border
  + CVE-2022-24713 Denial of Service via complex regular expressions
  + CVE-2022-28289 Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
- + disable provides cgi-exception
- New version.
- Security fixes:
  + CVE-2022-26383 Browser window spoof using fullscreen mode
  + CVE-2022-26384 iframe allow-scripts sandbox bypass
  + CVE-2022-26387 Time-of-check time-of-use bug when verifying add-on signatures
  + CVE-2022-26381 Use-after-free in text reflows
  + CVE-2022-26386 Temporary files downloaded to /tmp and accessible by other local users
- New ESR version.
- Security fixes: 
  + CVE-2022-26383 Browser window spoof using fullscreen mode
  + CVE-2022-26384 iframe allow-scripts sandbox bypass
  + CVE-2022-26387 Time-of-check time-of-use bug when verifying add-on signatures
  + CVE-2022-26381 Use-after-free in text reflows
  + CVE-2022-26386 Temporary files downloaded to /tmp and accessible by other local users
- New version.
- Security fixes:
  + CVE-2022-26485 Use-after-free in XSLT parameter processing
  + CVE-2022-26486 Use-after-free in WebGPU IPC Framework
- New ESR version.
- Security fixes:
  + CVE-2022-26485 Use-after-free in XSLT parameter processing
  + CVE-2022-26486 Use-after-free in WebGPU IPC Framework
- New version
- New version.
- Security fixes:
  + CVE-2022-22753 Privilege Escalation to SYSTEM on Windows via Maintenance Service
  + CVE-2022-22754 Extensions could have bypassed permission confirmation during update
  + CVE-2022-22756 Drag and dropping an image could have resulted in the dropped object being an executable
  + CVE-2022-22759 Sandboxed iframes could have executed script if the parent appended elements
  + CVE-2022-22760 Cross-Origin responses could be distinguished between script and non-script content-types
  + CVE-2022-22761 frame-ancestors Content Security Policy directive was not enforced for framed extension pages
  + CVE-2022-22763 Script Execution during invalid object state
  + CVE-2022-22764 Memory safety bugs fixed in Thunderbird 91.6
- New ESR version.
- Security fixes:
  + CVE-2022-22753 Privilege Escalation to SYSTEM on Windows via Maintenance Service
  + CVE-2022-22754 Extensions could have bypassed permission confirmation during update
  + CVE-2022-22756 Drag and dropping an image could have resulted in the dropped object being an executable
  + CVE-2022-22759 Sandboxed iframes could have executed script if the parent appended elements
  + CVE-2022-22760 Cross-Origin responses could be distinguished between script and non-script content-types
  + CVE-2022-22761 frame-ancestors Content Security Policy directive was not enforced for framed extension pages
  + CVE-2022-22763 Script Execution during invalid object state
  + CVE-2022-22764 Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
- New version.
- New ESR version.
- Build for Sisyphus (closes #41170)

Maintainer Pavel Vasenkov in the sisyphus branch: Information

Last changed

#321197 sent by Pavel Vasenkov

#321097 sent by Pavel Vasenkov

#320575 sent by Pavel Vasenkov

#318816 sent by Pavel Vasenkov

#318817 sent by Pavel Vasenkov

#317199 sent by Pavel Vasenkov

#317198 sent by Pavel Vasenkov

#316235 sent by Pavel Vasenkov

#316076 sent by Pavel Vasenkov

#313517 sent by Pavel Vasenkov

#314597 sent by Pavel Vasenkov

#314030 sent by Pavel Vasenkov

#312284 sent by Pavel Vasenkov

#312280 sent by Pavel Vasenkov

#311856 sent by Pavel Vasenkov

#311756 sent by Pavel Vasenkov

#311455 sent by Pavel Vasenkov

#311223 sent by Pavel Vasenkov

#310431 sent by Pavel Vasenkov

#310102 sent by Pavel Vasenkov

#310101 sent by Pavel Vasenkov

#310018 sent by Pavel Vasenkov

#308901 sent by Pavel Vasenkov

#308900 sent by Pavel Vasenkov

#308169 sent by Pavel Vasenkov

#308145 sent by Pavel Vasenkov

#306846 sent by Pavel Vasenkov

#306343 sent by Pavel Vasenkov

#304701 sent by Pavel Vasenkov

#305733 sent by Pavel Vasenkov

#304700 sent by Pavel Vasenkov

#302834 sent by Pavel Vasenkov

#301216 sent by Pavel Vasenkov

#301215 sent by Pavel Vasenkov

#297983 sent by Pavel Vasenkov

#300522 sent by Pavel Vasenkov

#299477 sent by Pavel Vasenkov

#297984 sent by Pavel Vasenkov

#297130 sent by Pavel Vasenkov

#296596 sent by Pavel Vasenkov

#296595 sent by Pavel Vasenkov

#296447 sent by Pavel Vasenkov

#296365 sent by Pavel Vasenkov

#296355 sent by Pavel Vasenkov

#295503 sent by Pavel Vasenkov

#295259 sent by Pavel Vasenkov

#295121 sent by Pavel Vasenkov

#294221 sent by Pavel Vasenkov

#294209 sent by Pavel Vasenkov

#287749 sent by Pavel Vasenkov