- New version.

- New version (3.118.1).
- Certificate Authority Changes:
  + Remove CN=CommScope Public Trust ECC Root-01
  + Remove CN=CommScope Public Trust ECC Root-02
  + Remove CN=CommScope Public Trust RSA Root-01
  + Remove CN=CommScope Public Trust RSA Root-02

- mozilla: sync with nss-3.118.1.

- Fix the verification in checkinstall with an extra space in label start.

- New version.

- New version.

- New version (145.0.1).

- New version.
- Fixes:
  + CVE-2025-13021: Incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13022: Incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13012: Race condition in the Graphics component
  + CVE-2025-13023: Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13016: Incorrect boundary conditions in the JavaScript: WebAssembly component
  + CVE-2025-13024: JIT miscompilation in the JavaScript Engine: JIT component
  + CVE-2025-13025: Incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13026: Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13017: Same-origin policy bypass in the DOM: Notifications component
  + CVE-2025-13018: Mitigation bypass in the DOM: Security component
  + CVE-2025-13019: Same-origin policy bypass in the DOM: Workers component
  + CVE-2025-13013: Mitigation bypass in the DOM: Core & HTML component
  + CVE-2025-13020: Use-after-free in the WebRTC: Audio/Video component
  + CVE-2025-13014: Use-after-free in the Audio/Video component
  + CVE-2025-13015: Spoofing issue in Thunderbird
  + CVE-2025-13027: Memory safety bugs fixed in Firefox 145 and Thunderbird 145

- alterator-kopidel: update help for 1.0.6

- New version (145.0).
- Fixes:
  + CVE-2025-13021: Incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13022: Incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13012: Race condition in the Graphics component
  + CVE-2025-13023: Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13016: Incorrect boundary conditions in the JavaScript: WebAssembly component
  + CVE-2025-13024: JIT miscompilation in the JavaScript Engine: JIT component
  + CVE-2025-13025: Incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13026: Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component
  + CVE-2025-13017: Same-origin policy bypass in the DOM: Notifications component
  + CVE-2025-13018: Mitigation bypass in the DOM: Security component
  + CVE-2025-13019: Same-origin policy bypass in the DOM: Workers component
  + CVE-2025-13013: Mitigation bypass in the DOM: Core & HTML component
  + CVE-2025-13020: Use-after-free in the WebRTC: Audio/Video component
  + CVE-2025-13014: Use-after-free in the Audio/Video component
  + CVE-2025-13015: Spoofing issue in Firefox
  + CVE-2025-13027: Memory safety bugs fixed in Firefox 145 and Thunderbird 145

- Stop renaming the jar file.

- New version after being removed from sisyphus.
- Build from the upstream git repo.
- Build with the xgradle.

- New version after being removed from sisyphus.
- Build from the upstream git repo.
- Build with the xgradle.
- Build without javadoc.

- New version.

- New version (144.0.2).
- Fixes:
  + CVE-2025-12380: Use-after-free in WebGPU internals triggered from a compromised child process

- New version.

- New version.

- First build for ALT.

- CLI: Disable debug output.
- Wait until all the queued udev events are processed for the dev in use only.

- components: remove alt-domain-server from education-server-apps

- server-apps: Stop requiring alt-domain-server.

- CLI: Specify that the -s, --step flag is for testing only (Closes: 56014).

- alterator-kopidel:
  + enhance russian translations (Closes: 56362)
  + new translations from 1.0.5

- Fix FTBFS on x86_64 with GCC 14 by adding PIC flags.

- New version.
- Fix the new_argv to match the standard argv format in the wrapper.

- Speed up the search for ignored files
  when using regular expressions (Closes: 55999).

- Remove fonts-ttf-ms from education edition.
- Fix the changelog for the 0.9.2-alt1.

- New version.
- Fixes:
  + CVE-2025-11708: Use-after-free in MediaTrackGraphImpl::GetInstance()
  + CVE-2025-11709: Out of bounds read/write in a privileged process triggered by WebGL textures
  + CVE-2025-11710: Cross-process information leaked due to malicious IPC messages
  + CVE-2025-11711: Some non-writable Object properties could be modified
  + CVE-2025-11716: Sandboxed iframes allowed links to open in external apps (Android only)
  + CVE-2025-11712: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type
  + CVE-2025-11713: Potential user-assisted code execution in "Copy as cURL" command
  + CVE-2025-11719: Use-after-free caused by the native messaging web extension API on Windows
  + CVE-2025-11714: Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  + CVE-2025-11715: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  + CVE-2025-11721: Memory safety bug fixed in Firefox 144 and Thunderbird 144

- New version (144.0).
- Fixes:
  + CVE-2025-11708: Use-after-free in MediaTrackGraphImpl::GetInstance()
  + CVE-2025-11709: Out of bounds read/write in a privileged process triggered by WebGL textures
  + CVE-2025-11710: Cross-process information leaked due to malicious IPC messages
  + CVE-2025-11711: Some non-writable Object properties could be modified
  + CVE-2025-11716: Sandboxed iframes allowed links to open in external apps (Android only)
  + CVE-2025-11717: The password edit screen was not hidden in Android card view
  + CVE-2025-11712: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type
  + CVE-2025-11718: Address bar could be spoofed on Android using visibilitychange
  + CVE-2025-11713: Potential user-assisted code execution in "Copy as cURL" command
  + CVE-2025-11719: Use-after-free caused by the native messaging web extension API on Windows
  + CVE-2025-11720: Spoofing risk in Android custom tabs
  + CVE-2025-11714: Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  + CVE-2025-11715: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  + CVE-2025-11721: Memory safety bug fixed in Firefox 144 and Thunderbird 144

- New version (3.117).
- Fix FTBFS in mozilla products.
- Certificate Authority Changes:
  + Add CN=OISTE Client Root ECC G1
  + Add CN=OISTE Client Root RSA G1
  + Add CN=OISTE Server Root ECC G1
  + Add CN=OISTE Server Root RSA G1

- New version.

- New version (143.0.4).

- Fix not ignoring regular expressions from
  the default-ignored-files.txt (Closes: 56016).
- UI: Fix the compression warning when switching
  to another image creating method (Closes: 55998).
- libexec/check-fs-features.sh: Remove ntfs from BAD_FS (Closes: 55997).
- Add the ability to run the kopidel from a regular user (Closes: 55996).
- Add the restart of the alteratord service after installation.

- alterator-kopidel: Fix the russian translation
  of the custom list of ignored files

- xfce: Replace the requirement from xfce4-full to xfce4-default.
- xfce: Get rid of xfce4-dict.

- installer-steps: Replace vm-blonde with vm-ortodox.
- installer-steps: Move sysconfig-proxy step after installer-network step.

- Enable going back to change package set in vm/blonde.

- Add default edition to os-release and dconf.
- Return indexhtml to menu and desktop.

- steps: add sysconfig-proxy

- installer-steps:
  + Add sysconfig-proxy step.
  + Select additional applications before
    partitioning the disk and check for free space.

- Components: replace components module with alt-components launcher (Closes: 54844, 56088).

- New version (3.116).

- New version.
- Fixes:
  + CVE-2025-10527: Sandbox escape due to use-after-free in the Graphics: Canvas2D component
  + CVE-2025-10528: Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component
  + CVE-2025-10529: Same-origin policy bypass in the Layout component
  + CVE-2025-10530: Spoofing issue in the WebAuthn component in Firefox for Android
  + CVE-2025-10531: Mitigation bypass in the Web Compatibility: Tooling component
  + CVE-2025-10532: Incorrect boundary conditions in the JavaScript: GC component
  + CVE-2025-10533: Integer overflow in the SVG component
  + CVE-2025-10534: Spoofing issue in the Site Permissions component
  + CVE-2025-10536: Information disclosure in the Networking: Cache component
  + CVE-2025-10537: Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

- New version (143.0).
- Fixes:
  + CVE-2025-10527: Sandbox escape due to use-after-free in the Graphics: Canvas2D component
  + CVE-2025-10528: Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component
  + CVE-2025-10529: Same-origin policy bypass in the Layout component
  + CVE-2025-10530: Spoofing issue in the WebAuthn component in Firefox for Android
  + CVE-2025-10531: Mitigation bypass in the Web Compatibility: Tooling component
  + CVE-2025-10532: Incorrect boundary conditions in the JavaScript: GC component
  + CVE-2025-10533: Integer overflow in the SVG component
  + CVE-2025-10534: Spoofing issue in the Site Permissions component
  + CVE-2025-10535: Information disclosure, mitigation bypass in the Privacy component in Firefox for Android
  + CVE-2025-10536: Information disclosure in the Networking: Cache component
  + CVE-2025-10537: Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

- First build for ALT (thx ancieg@ for the review).

- New version (3.115.1).
- Certificate Authority Changes:
  + Remove CN=DigiNotar Root CA

- mozilla: sync with nss-3.115.1.

- Update links and navigation in the "About" page (indexhtml):
  + Update telegram channel link URL.
  + Update links to English pages.
  + Remove the course schedule URL because it leads to a 404 error.
  + Update feedback link URL.
  + Improve navigation and add new links.

- New version.

- alterator-kopidel: new translations from 1.0.2

- CLI: Fix /image/Metadata directory creation for external drives.
- CLI: Implement Ctrl+C interrupt handling.
- CLI: Fix various typos.
- Add shellcheck static analysis.

- New version (142.0.1).

- Add BUILD_ID, ALT_BRANCH_ID, DOCUMENTATION_UR, SUPPORT_URL,
  VARIANT and VARIANT_ID to the os-release.
- Replace hardcoded branch name with a variable in the index.html files.

- Don't ignore regular files in user home directories by default.
- Add POSIX Extended regex type support to the list of ignored files.
- Remove references in descriptions about iso.
- Fix the non-use of the specified ignored list when calculating
  the minimal size of the partitions in the vm-profile.scm.
- CLI: add check for running as root.
- CLI: fix the non-use of the specified ignored list when
  calculating list of the available workdirs and exdrives.
- CLI: add translated outputs and remove unnecessary
  entries when updating the list of ignored files.
- CLI: fix an issue with errors before displaying the progress bar.
- Tests: add the build.log output if failed.
- Add the sbin/kopidel wrapper for using CLI from the git repo.

- alterator-kopidel: new translations from 1.0.1

- New version.
- Fixes:
  + CVE-2025-9179: Sandbox escape due to invalid pointer in the Audio/Video: GMP component
  + CVE-2025-9180: Same-origin policy bypass in the Graphics: Canvas2D component
  + CVE-2025-9181: Uninitialized memory in the JavaScript Engine component
  + CVE-2025-9182: Denial-of-service due to out-of-memory in the Graphics: WebRender component
  + CVE-2025-9187: Memory safety bugs fixed in Firefox 142 and Thunderbird 142
  + CVE-2025-9184: Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
  + CVE-2025-9185: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142

- New version (142.0).
- Fixes:
  + CVE-2025-9179: Sandbox escape due to invalid pointer in the Audio/Video: GMP component
  + CVE-2025-9180: Same-origin policy bypass in the Graphics: Canvas2D component
  + CVE-2025-9181: Uninitialized memory in the JavaScript Engine component
  + CVE-2025-9186: Spoofing issue in the Address Bar component of Firefox Focus for Android
  + CVE-2025-9182: Denial-of-service due to out-of-memory in the Graphics: WebRender component
  + CVE-2025-9183: Spoofing issue in the Address Bar component
  + CVE-2025-9187: Memory safety bugs fixed in Firefox 142 and Thunderbird 142
  + CVE-2025-9184: Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
  + CVE-2025-9185: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142

- Improve logging.
- Stop installer and print error message if failed to mount_chroot.
- Check archive availability also in /usr/share/install2/metadata.
- Remove installing grub action.
- Add Vcs tag to the spec file.
- Stop joining the parts in copied-fs.tar (thx to alterator-kopidel 1.0.0):
  + Increase the speed of system installation.
  + Reduce the required disk space.

- Create the razlivochniy.img instead of iso.
- Add the ability to create razlivochniy external storage
  devices (such as flash drives) instead of images.
- Create the hybrid bootable image if it is possible.
- For UEFI bootable image install only grub efi or efi removable.
- Add support for creating an image on file systems without
  the support of access rights and symbolic links (closes: 54050).
- Update the UI:
  + Change comboboxes to listboxes.
  + Add a button that updates ignored files.
  + Add the terminate building buitton.
  + Add asynchronous updating of the list of
    work directorsand external devices.
  + Add a warning for exdrive target about formatting.
  + Add a button to update the list of targets.
  + Add an update targets list when you toggle the target checkboxes.
  + Add 3 check states for the list of ignored files:
    Orange: not verified, green: verified, red: verification failed.
- CLI: don't require workdir or exdrive when only listing possible options.
- Remove the runtime dependency of alterator-preinstall.
- Stop displaying unnecessary information in the CLI.
- Add Vcs tag to the spec file.
- Update Url tag in the spec file.
- Move the executable .sh scripts from lib to the libexec.
- Add tests for the step of creating information about system partitions.

- alterator-kopidel: new translations from 1.0.0

- New version.

- New version (141.0.3).

- New version (141.0.2).

- New version (3.114).
- Certificate Authority Changes:
  + Remove CN=Baltimore CyberTrust Root,OU=CyberTrust
  + Add CN=SwissSign RSA SMIME Root CA 2022 - 1
  + Add CN=SwissSign RSA TLS Root CA 2022 - 1
  + Add CN=TrustAsia SMIME ECC Root CA
  + Add CN=TrustAsia SMIME RSA Root CA
  + Add CN=TrustAsia TLS ECC Root CA
  + Add CN=TrustAsia TLS RSA Root CA

- mozilla: sync with nss-3.114.

- New version (141.0).
- Fixes:
  + CVE-2025-8027: JavaScript engine only wrote partial return value to stack
  + CVE-2025-8028: Large branch table could lead to truncated instruction
  + CVE-2025-8041: Incorrect URL truncation in Firefox for Android
  + CVE-2025-8042: Sandboxed iframe could start downloads
  + CVE-2025-8029: javascript: URLs executed on object and embed tags
  + CVE-2025-8036: DNS rebinding circumvents CORS
  + CVE-2025-8037: Nameless cookies shadow secure cookies
  + CVE-2025-8030: Potential user-assisted code execution in "Copy as cURL" command
  + CVE-2025-8043: Incorrect URL truncation
  + CVE-2025-8031: Incorrect URL stripping in CSP reports
  + CVE-2025-8032: XSLT documents could bypass CSP
  + CVE-2025-8038: CSP frame-src was not correctly enforced for paths
  + CVE-2025-8039: Search terms persisted in URL bar
  + CVE-2025-8033: Incorrect JavaScript state machine for generators
  + CVE-2025-8044: Memory safety bugs fixed in Firefox 141 and Thunderbird 141
  + CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  + CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  + CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

- New version.
- Fixes:
  + CVE-2025-8027: JavaScript engine only wrote partial return value to stack
  + CVE-2025-8028: Large branch table could lead to truncated instruction
  + CVE-2025-8029: javascript: URLs executed on object and embed tags
  + CVE-2025-8036: DNS rebinding circumvents CORS
  + CVE-2025-8037: Nameless cookies shadow secure cookies
  + CVE-2025-8030: Potential user-assisted code execution in "Copy as cURL" command
  + CVE-2025-8043: Incorrect URL truncation
  + CVE-2025-8031: Incorrect URL stripping in CSP reports
  + CVE-2025-8032: XSLT documents could bypass CSP
  + CVE-2025-8038: CSP frame-src was not correctly enforced for paths
  + CVE-2025-8039: Search terms persisted in URL bar
  + CVE-2025-8033: Incorrect JavaScript state machine for generators
  + CVE-2025-8044: Memory safety bugs fixed in Firefox 141 and Thunderbird 141
  + CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  + CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  + CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

- New version.

- New version (140.0.4).
- Terminate buggy unfinished D&D operation as DragDrop (closes: 54713).