Maintainer Ajrat Makhmutov in the sisyphus branch: Information

- New version (1.85.1).
- New version (136.0.2).
- Set the MOZ_APP_REMOTINGNAME variable (closes: 52594, 53117).
- Update desktop file.
- New version.
- Security fixes:
  + CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase() causes string to get longer
  + CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird 136
- New version (136.0.1).
- New version (136.0).
- Security fixes:
  + CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in the Browser process
  + CVE-2025-1939: Tapjacking in Android Custom Tabs using transition animations
  + CVE-2025-1931: Use-after-free in WebTransportChild
  + CVE-2025-1932: Inconsistent comparator in XSLT sorting led to out-of-bounds access
  + CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
  + CVE-2025-1940: Android Intent confirmation prompt tapjacking using Select options
  + CVE-2024-9956: Passkey phishing within Bluetooth range
  + CVE-2025-1934: Unexpected GC during RegExp bailout processing
  + CVE-2025-1941: Lock screen setting bypass in Firefox Focus for Android
  + CVE-2025-1942: Disclosure of uninitialized memory when .toUpperCase() causes string to get longer
  + CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
  + CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed the interpretation of the contents
  + CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
  + CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8
  + CVE-2025-1943: Memory safety bugs fixed in Firefox 136 and Thunderbird 136
- New version.
- Security fixes:
  + CVE-2024-43097: Overflow when growing an SkRegion's RunArray
  + CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in the Browser process
  + CVE-2025-1931: Use-after-free in WebTransportChild
  + CVE-2025-1932: Inconsistent comparator in XSLT sorting led to out-of-bounds access
  + CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
  + CVE-2025-1934: Unexpected GC during RegExp bailout processing
  + CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
  + CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed the interpretation of the contents
  + CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
  + CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8
- New version (3.109).
- New version.
- Add ISO9660 level 3 images support (thanks proskur@).
- Fix License tag according to SPDX.
- New version.
- New version (1.85.0).
- Ignore all NFS when copying (thx protvin@).
- New version (135.0.1).
- Security fixes:
  + CVE-2025-1414: Memory safety bugs fixed in Firefox 135.0.1
- New version.
- New version.
- mozilla: sync with nss-3.108.
- New version (3.108).
- Certificate Authority Changes:
  + Add CN=D-TRUST BR Root CA 2 2023
  + Add CN=D-TRUST EV Root CA 2 2023
  + Remove CN=SwissSign Silver CA - G2
- New version (135.0).
- Security fixes:
  + CVE-2025-1009: Use-after-free in XSLT
  + CVE-2025-1010: Use-after-free in Custom Highlight
  + CVE-2025-1018: Fullscreen notification is not displayed when fullscreen is re-requested
  + CVE-2025-1011: A bug in WebAssembly code generation could result in a crash
  + CVE-2025-1012: Use-after-free during concurrent delazification
  + CVE-2025-1019: Fullscreen notification not properly displayed
  + CVE-2025-1013: Potential opening of private browsing tabs in normal browsing windows
  + CVE-2025-1014: Certificate length was not properly checked
  + CVE-2025-1016: Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7
  + CVE-2025-1017: Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7
  + CVE-2025-1020: Memory safety bugs fixed in Firefox 135 and Thunderbird 135
- New version.
- Security fixes:
  + CVE-2025-1009: Use-after-free in XSLT
  + CVE-2025-1010: Use-after-free in Custom Highlight
  + CVE-2025-1011: A bug in WebAssembly code generation could result in a crash
  + CVE-2025-1012: Use-after-free during concurrent delazification
  + CVE-2024-11704: Potential double-free vulnerability in PKCS#7 decryption handling
  + CVE-2025-1013: Potential opening of private browsing tabs in normal browsing windows
  + CVE-2025-1014: Certificate length was not properly checked
  + CVE-2025-1015: Unsanitized address book fields
  + CVE-2025-0510: Address of e-mail sender can be spoofed by malicious email
  + CVE-2025-1016: Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7
  + CVE-2025-1017: Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7
- Fix the Russian translation of the character '&&' (logical AND).
- New version (1.84.1).
- New version (134.0.2).
- New version (1.84.0).
- New version.
- New version (134.0.1).
- New version.
- Security fixes:
  + CVE-2025-0237: WebChannel APIs susceptible to confused deputy attack
  + CVE-2025-0238: Use-after-free when breaking lines in text
  + CVE-2025-0239: Alt-Svc ALPN validation failure when redirected
  + CVE-2025-0240: Compartment mismatch when parsing JavaScript JSON module
  + CVE-2025-0241: Memory corruption when using JavaScript Text Segmentation
  + CVE-2025-0242: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6
  + CVE-2025-0243: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6
- New version (134.0).
- Security fixes:
  + CVE-2025-0244: Address bar spoofing using an invalid protocol scheme on Firefox for Android
  + CVE-2025-0245: Lock screen setting bypass in Firefox Focus for Android
  + CVE-2025-0246: Address bar spoofing using an invalid protocol scheme on Firefox for Android
  + CVE-2025-0237: WebChannel APIs susceptible to confused deputy attack
  + CVE-2025-0238: Use-after-free when breaking lines in text
  + CVE-2025-0239: Alt-Svc ALPN validation failure when redirected
  + CVE-2025-0240: Compartment mismatch when parsing JavaScript JSON module
  + CVE-2025-0241: Memory corruption when using JavaScript Text Segmentation
  + CVE-2025-0242: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6
  + CVE-2025-0243: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6
  + CVE-2025-0247: Memory safety bugs fixed in Firefox 134 and Thunderbird 134
- New ESR version.
- Security fixes:
  + CVE-2025-0237: WebChannel APIs susceptible to confused deputy attack
  + CVE-2025-0238: Use-after-free when breaking lines in text
  + CVE-2025-0239: Alt-Svc ALPN validation failure when redirected
  + CVE-2025-0240: Compartment mismatch when parsing JavaScript JSON module
  + CVE-2025-0241: Memory corruption when using JavaScript Text Segmentation
  + CVE-2025-0242: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6
  + CVE-2025-0243: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6
- Fix the creation of a workdir for the first use.
- New version.
- The first version of the new installer step!
- The first version of the new alterator module!
- alterator-kopidel: Initial translations and help
- New ESR version.
- Fix FTBFS with python 3.12.8.
- New version (133.0.3).
- Fix FTBFS with python 3.12.8.
- New version.
- Security fixes:
  + CVE-2024-50336: matrix-js-sdk has insufficient MXC URI validation which could allow client-side path traversal
- Fix FTBFS with python 3.12.8.
- New version (1.83.0).
- Change the llvm version to 18.
- Leave libstd.so in rustlib.
- New version (3.107).
- Certificate Authority Changes:
  + Remove CN=SecureSign RootCA11
  + Remove CN=Security Communication RootCA3
- mozilla: sync with nss-3.107.
- New version.
- New version.
- Configurator: add Russian translation to PolicyKit file.
- New ESR version.
- New version.
- Security fixes:
  + CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL
  + CVE-2024-11692: Select list elements could be shown over another site
  + CVE-2024-11693: Download Protections were bypassed by .library-ms files on Windows
  + CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims
  + CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
  + CVE-2024-11696: Unhandled Exception in Add-on Signature Verification
  + CVE-2024-11697: Improper Keypress Handling in Executable File Confirmation Dialog
  + CVE-2024-11698: Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS
  + CVE-2024-11699: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5
- New ESR version.
- Security fixes:
  + CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL
  + CVE-2024-11692: Select list elements could be shown over another site
  + CVE-2024-11693: Download Protections were bypassed by .library-ms files on Windows
  + CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims
  + CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
  + CVE-2024-11696: Unhandled Exception in Add-on Signature Verification
  + CVE-2024-11697: Improper Keypress Handling in Executable File Confirmation Dialog
  + CVE-2024-11698: Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS
  + CVE-2024-11699: Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5, and Thunderbird 128.5
- New version (133.0.0).
- Security fixes:
  + CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL
  + CVE-2024-11700: Potential Tapjacking Exploit for Intent Confirmation on Android
  + CVE-2024-11692: Select list elements could be shown over another site
  + CVE-2024-11701: Misleading Address Bar State During Navigation Interruption
  + CVE-2024-11702: Inadequate Clipboard Protection in Private Browsing Mode on Android
  + CVE-2024-11693: Download Protections were bypassed by .library-ms files on Windows
  + CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims
  + CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
  + CVE-2024-11703: Password access without authentication via PIN bypass on Android
  + CVE-2024-11696: Unhandled Exception in Add-on Signature Verification
  + CVE-2024-11697: Improper Keypress Handling in Executable File Confirmation Dialog
  + CVE-2024-11704: Potential Double-Free Vulnerability in PKCS#7 Decryption Handling
  + CVE-2024-11698: Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS
  + CVE-2024-11705: Null Pointer Dereference in NSC_DeriveKey
  + CVE-2024-11706: Null Pointer Dereference in PKCS#12 Utility
  + CVE-2024-11708: Data race with PlaybackParams
  + CVE-2024-11699: Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5, and Thunderbird 128.5
- New version.
- Correct the Russian translation (closes: 41249).
- Add the security fix in 128.4.3 changelog.
- New version.
- New version (132.0.2).
- New version.
- Enable ALT debuginfod server support for character resolution in KCrash.
- New version (3.106).
- New version (132.0.1).
- New version.
- New ESR version.
- Security fixes:
  + CVE-2024-10458: Permission leak via embed or object elements
  + CVE-2024-10459: Use-after-free in layout with accessibility
  + CVE-2024-10460: Confusing display of origin for external protocol handler prompt
  + CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
  + CVE-2024-10462: Origin of permission prompt could be spoofed by long URL
  + CVE-2024-10463: Cross origin video frame leak
  + CVE-2024-10464: History interface could have been used to cause a Denial of Service condition in the browser
  + CVE-2024-10465: Clipboard "paste" button persisted across tabs
  + CVE-2024-10466: DOM push subscription message could hang Firefox
  + CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4
- New version (132.0.0).
- Security fixes:
  + CVE-2024-10458: Permission leak via embed or object elements
  + CVE-2024-10459: Use-after-free in layout with accessibility
  + CVE-2024-10460: Confusing display of origin for external protocol handler prompt
  + CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
  + CVE-2024-10462: Origin of permission prompt could be spoofed by long URL
  + CVE-2024-10463: Cross origin video frame leak
  + CVE-2024-10468: Race conditions in IndexedDB
  + CVE-2024-10464: History interface could have been used to cause a Denial of Service condition in the browser
  + CVE-2024-10465: Clipboard "paste" button persisted across tabs
  + CVE-2024-10466: DOM push subscription message could hang Firefox
  + CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4
- New version.
- Reduce the height of the Create key dialog (closes: 51608).
- Security fixes:
  + CVE-2024-10458: Permission leak via embed or object elements
  + CVE-2024-10459: Use-after-free in layout with accessibility
  + CVE-2024-10460: Confusing display of origin for external protocol handler prompt
  + CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
  + CVE-2024-10462: Origin of permission prompt could be spoofed by long URL
  + CVE-2024-10463: Cross origin video frame leak
  + CVE-2024-10464: History interface could have been used to cause a Denial of Service condition in the browser
  + CVE-2024-10465: Clipboard "paste" button persisted across tabs
  + CVE-2024-10466: DOM push subscription message could hang Firefox
  + CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4
- New version.

Maintainer Ajrat Makhmutov in the sisyphus branch: Information

Last changes

#378602 sent by Ajrat Makhmutov

#378457 sent by Ajrat Makhmutov

#378178 sent by Ajrat Makhmutov

#377747 sent by Ajrat Makhmutov

#376916 sent by Ajrat Makhmutov

#377184 sent by Ajrat Makhmutov

#376839 sent by Ajrat Makhmutov

#376722 sent by Ajrat Makhmutov

#376304 sent by Ajrat Makhmutov

#375939 sent by Ajrat Makhmutov

#375915 sent by Ajrat Makhmutov

#375912 sent by Ajrat Makhmutov

#375422 sent by Ajrat Makhmutov

#375355 sent by Ajrat Makhmutov

#375099 sent by Ajrat Makhmutov

#374929 sent by Ajrat Makhmutov

#374228 sent by Ajrat Makhmutov

#374232 sent by Ajrat Makhmutov

#372901 sent by Ajrat Makhmutov

#372265 sent by Ajrat Makhmutov

#371099 sent by Ajrat Makhmutov

#368500 sent by Ajrat Makhmutov

#369639 sent by Ajrat Makhmutov

#369540 sent by Ajrat Makhmutov

#368499 sent by Ajrat Makhmutov

#368493 sent by Ajrat Makhmutov

#368492 sent by Ajrat Makhmutov

#366248 sent by Ajrat Makhmutov

#366241 sent by Ajrat Makhmutov

#360965 sent by Ajrat Makhmutov

#366203 sent by Ajrat Makhmutov

#365526 sent by Ajrat Makhmutov

#365529 sent by Ajrat Makhmutov

#363776 sent by Ajrat Makhmutov

#364633 sent by Ajrat Makhmutov

#364724 sent by Ajrat Makhmutov

#364071 sent by Ajrat Makhmutov

#363816 sent by Ajrat Makhmutov

#363536 sent by Ajrat Makhmutov

#363436 sent by Ajrat Makhmutov

#363264 sent by Ajrat Makhmutov

#362709 sent by Ajrat Makhmutov

#362553 sent by Ajrat Makhmutov

#362382 sent by Ajrat Makhmutov

#362144 sent by Ajrat Makhmutov

#362138 sent by Ajrat Makhmutov

#362136 sent by Ajrat Makhmutov

#361301 sent by Ajrat Makhmutov

#361189 sent by Ajrat Makhmutov

#360525 sent by Ajrat Makhmutov