Group :: Networking/WWW
Package: firefox-3.6
March 23, 2011 Andrey Cherepanov <cas at altlinux.org> 3.6.15-alt0.20110308.M50P.1
- Backport to p5 branch (new version with security fixes)
- New release (3.6.15).
- Fixed:
+ MFSA 2011-10 CSRF risk with plugins and 307 redirects
+ MFSA 2011-09 Crash caused by corrupted JPEG image
+ MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
+ MFSA 2011-07 Memory corruption during text run construction (Windows)
+ MFSA 2011-06 Use-after-free error using Web Workers
+ MFSA 2011-05 Buffer overflow in JavaScript atom map
+ MFSA 2011-04 Buffer overflow in JavaScript upvarMap
+ MFSA 2011-03 Use-after-free error in JSON.stringify
+ MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
+ MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)
- New release (3.6.13).
- Fixed:
+ MFSA 2010-84 XSS hazard in multiple character encodings
+ MFSA 2010-83 Location bar SSL spoofing using network error page
+ MFSA 2010-82 Incomplete fix for CVE-2010-0179
+ MFSA 2010-81 Integer overflow vulnerability in NewIdArray
+ MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
+ MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh
+ MFSA 2010-78 Add support for OTS font sanitizer
+ MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
+ MFSA 2010-76 Chrome privilege escalation with window.open and <isindex> element
+ MFSA 2010-75 Buffer overflow while line breaking after document.write with long string
+ MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)
- New release (3.6.12).
- Fixed:
+ MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion
- New release (3.6.11).
- Fixed:
+ MFSA 2010-72 Insecure Diffie-Hellman key exchange
+ MFSA 2010-71 Unsafe library loading vulnerabilities
+ MFSA 2010-70 SSL wildcard certificate matching IP addresses
+ MFSA 2010-69 Cross-site information disclosure via modal calls
+ MFSA 2010-68 XSS in gopher parser when parsing hrefs
+ MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
+ MFSA 2010-66 Use-after-free error in nsBarProp
+ MFSA 2010-65 Buffer overflow and memory corruption using document.write
+ MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)
- New release (3.6.10).
- New release (3.6.9).
- Fixed:
+ MFSA 2010-63 Information leak via XMLHttpRequest statusText
+ MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
+ MFSA 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute
+ MFSA 2010-59 SJOW creates scope chains ending in outer object
+ MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
+ MFSA 2010-57 Crash and remote code execution in normalizeDocument
+ MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
+ MFSA 2010-55 XUL tree removal crash and remote code execution
+ MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
+ MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
+ MFSA 2010-52 Windows XP DLL loading vulnerability
+ MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
+ MFSA 2010-50 Frameset integer overflow vulnerability
+ MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
- backport to p5 branch (new version with security fixes) (closes: #23809)
- New release (3.6.8).
- Fixed:
+ MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix
+ MFSA 2010-47 Cross-origin data leakage from script filename in error messages
+ MFSA 2010-46 Cross-domain data theft using CSS
+ MFSA 2010-45 Multiple location bar spoofing vulnerabilities
+ MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
+ MFSA 2010-43 Same-origin bypass using canvas context
+ MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
+ MFSA 2010-41 Remote code execution using malformed PNG image
+ MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
+ MFSA 2010-39 nsCSSValue::Array index integer overflow
+ MFSA 2010-38 Arbitrary code execution using SJOW and fast native function
+ MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
+ MFSA 2010-36 Use-after-free error in NodeIterator
+ MFSA 2010-35 DOM attribute cloning remote code execution vulnerability
+ MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)
- New release (3.6.6).
- Fixed:
+ MFSA 2010-33 User tracking across sites using Math.random()
+ MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
+ MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes
+ MFSA 2010-30 Integer Overflow in XSLT Node Sorting
+ MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
+ MFSA 2010-28 Freed object reuse across plugin instances
+ MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
- New release (3.6.3).
- Fixed:
+ MFSA 2009-25 Re-use of freed object due to scope confusion
- New release (3.6.2).
- Fix for Transport Layer Security (ALT#22994).
- Fix addons search (ALT#22878).
- Fix release notes (ALT#22883).
- Fixed:
+ MFSA 2010-15 Asynchronous Auth Prompt attaches to wrong window
+ MFSA 2010-14 Browser chrome defacement via cached XUL stylesheets
+ MFSA 2010-13 Content policy bypass with image preloading
+ MFSA 2010-12 XSS using addEventListener and setTimeout on a wrapped object
+ MFSA 2010-11 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18)
+ MFSA 2010-10 XSS via plugins and unprotected Location object
+ MFSA 2010-09 Deleted frame reuse in multipart/x-mixed-replace image
+ MFSA 2010-08 WOFF heap corruption due to integer overflow
- New release (3.6.0).
- Fix process name (ALT#22731).
- New snapshot (3.6.0 20100113).
- New major branch (3.6.0 b4pre).
- New snapshot (3.5.3 20091010).
- KDE: Update patches (ALT#21509).
- Rebuild with new browser-plugins-npapi.
- New snapshot (3.5.3 20090918).
- Set firefox as default KDE/KDE4 browser (ALT#21509).
- Update desktop file (ALT#21510).
- Update requires (ALT#21533).
- New snapshot (3.5.3 20090831).
- New release (3.5.1).
- New release (3.5).
- New snapshot (3.5 20090601).
- New snapshot (3.5 20090424).
- New snapshot (3.1 20090312).
- New release (3.0.4).
- Fixed:
+ MFSA 2008-58 Parsing error in E4X default namespace
+ MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
+ MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
+ MFSA 2008-55 Crash and remote code execution in nsFrameManager
+ MFSA 2008-54 Buffer overflow in http-index-format parser
+ MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
+ MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
+ MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome
+ MFSA 2008-47 Information stealing via local shortcut files
- New release (3.0.3).
- Firefox set itself as default browser correctly (ALT#17384).
- Reload new plugins.
- Fixed:
+ MFSA 2008-44 resource: traversal vulnerabilities
+ MFSA 2008-43 BOM characters stripped from JavaScript before execution
+ MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
+ MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
+ MFSA 2008-40 Forced mouse drag
- New bugfix build.
- Update desktop file (ALT#10558).
- New version (3.0.1).
- Fixed:
+ MFSA 2008-36 Crash with malformed GIF file on Mac OS X
+ MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
+ MFSA 2008-34 Remote code execution by overflowing CSS reference counter
- New bugfix build.
- Add searchplugins: bugzilla@altlinux, wikipedia-ru, yandex.
- Remove RPATH.
- New cvs snapshot 3.0 (20080704).
- New cvs snapshot 20080530.
- New cvs snapshot (3.0 rc1).
- New cvs snapshot.
- New major beta version 3.0.b2
- New major beta version 3.0.b1
- New bugfix version 2.0.0.2
- Remove version from requires in *.pc.
- Fixed:
+ MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
+ MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
+ MFSA 2007-05 XSS and local file access by opening blocked popups
+ MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
+ MFSA 2007-03 Information disclosure through cache collisions
+ MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
+ MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)
- New minor version 2.0.0.1
- Fixed:
+ MFSA 2006-76 XSS using outer window's Function object
+ MFSA 2006-75 RSS Feed-preview referrer leak
+ MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
+ MFSA 2006-72 XSS by setting img.src to javascript: URI
+ MFSA 2006-71 LiveConnect crash finalizing JS objects
+ MFSA 2006-70 Privilege escalation using watch point
+ MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
+ MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
- Add %pre script.
- Remove version specific paths.
- New major version 2.0 .
- Don't build libxul.
- Add support for printing via Pango.
- Change printer paper size to A4.
- Check compatibility disabled.
- Patch disabling OS_TEST autoguessing for %ix86 builds on x86_64 host.
- New version 1.5.0.7 .
- Fixed:
+ MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
+ MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
+ MFSA 2006-61 Frame spoofing using document.open()
+ MFSA 2006-60 RSA Signature Forgery
+ MFSA 2006-59 Concurrency-related vulnerability
+ MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
+ MFSA 2006-57 JavaScript Regular Expression Heap Corruption
- Add libgtkembedmoz.so, firefox-gtkembedmoz.pc .
- Update BuildRequires.
- bugfix build.
- Patch to enable intl.locale.matchOS was removed.
- Added default download directory.
- bugfix build.
- Added patch to handle #9863 (history #4352).
- New version 1.5.0.6 .
- Fixed:
+ Fixed an issue with playing Windows Media content
+ MFSA 2006-56 chrome: scheme loading remote content
+ MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
+ MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
+ MFSA 2006-53 UniversalBrowserRead privilege escalation
+ MFSA 2006-52 PAC privilege escalation using Function.prototype.call
+ MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()"
+ MFSA 2006-50 JavaScript engine vulnerabilities
+ MFSA 2006-48 JavaScript new Function race condition
+ MFSA 2006-47 Native DOM methods can be hijacked across domains
+ MFSA 2006-46 Memory corruption with simultaneous events
+ MFSA 2006-45 Javascript navigator Object Vulnerability
+ MFSA 2006-44 Code execution through deleted frame reference
- New version.
- Fixed:
+ MFSA 2006-43 Privilege escalation using addSelectionListener
+ MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
+ MFSA 2006-41 File stealing by changing input type (variant)
+ MFSA 2006-39 "View Image" local resource linking (Windows)
+ MFSA 2006-38 Buffer overflow in crypto.signText()
+ MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
+ MFSA 2006-36 PLUGINSPAGE privileged JavaScript execution 2
+ MFSA 2006-35 Privilege escalation through XUL persist
+ MFSA 2006-34 XSS viewing javascript: frames or images from context menu
+ MFSA 2006-33 HTTP response smuggling
+ MFSA 2006-32 Fixes for crashes with potential memory corruption
+ MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
- New version.
- Build libxul library.
- Fixed:
+ MFSA 2006-30 Deleted object reference when designMode="on".
- bugfix build.
- include fix
- plugins directory fix;
- New version 1.5.0.1
- Buildrequires updated for xorg-7.0
- run-firefox script bugfix:
* usage update
* plugins search path (x86_64)
* unparseable commands handling
- bugfix: #7334, #7682, #8757, #8784, #9017
- New version 1.5 .
- Spec cleanup.
- Build with external rpm-build-firefox .
- Build with system NSS and NSPR.
- Unused libraries removed.
- Rpm macros bugfix.
* fix for new rpm.
* change extension installation scheme (again).
- Default preference tuning.
- Startup script rewritten. Now it is single script.
* command line shortcut added: altfaq:NUM .
- SVG support enabled.
- directory /usr/share/firefox-@version@/extensions was added to extensions search path.
* this location is controlled by the option extensions.dir.extensions .
- Bug: #7682, #7801, #7856, #7949 fixed.
- major bugfix.
- build with official branding.
- x86_64 compatibility addon (patch20, patch21).
- release version.
- firsttime script added.
- SVG support disabled.
- Patch #2 bugfix (bug: #7682)
- fix -nox patch.
- add gssapi detection and build fixes from mhz@.
- new version from aviary branch fixing various bugs:
+ MFSA2005-54
+ Restore API compatibility for extensions and web applications
that did not work in Firefox 1.0.5.
- new version from aviary branch;
- new version from aviary branch fixing various security bugs;
- fix: #4846, #5101, #7126 (legion).
- if_{with,without} debug - added (legion).
- keyword 'altbug:' added, patch2 updated (legion).
- postin/postun-scripts scripts bugfixes (legion).
- triggers added for trash cleanup (legion).
- new version from aviary branch;
- fix #6595;
- add switches for svg/xprint easy builds.
- update alt-prefs-tuning.patch (disable annoying default browser dialog).
- new version;
- SA15601 security fix;
- BuildRequires cleanup (remove xorg-x11-libs-static).
- new version;
- requires fix;
- new version;
- RPATH fix;
- NoX patch was rewritten;
- rpm macros were updated;
- new version;
- patch9 was added (mozilla Bug #123315);
- patch10, patch11 were added (#6151);
- plugins path bugfix;
- svg support added;
- x86_64 compatibility added (thx mouse@);
- update patch firefox-1.0-20050201-alt-nox.patch
* uninstall-global-theme command-line option was added;
* update-register command-line option was added;
- firefox-1.0-alt-rpm-scripts.tar.bz2 bugfix;
- disable svg support because svg layout leads to segfault when mozilla is compiled with gcc3.4.
- search plugins were moved into the standalone rpm package.
- Rebuilt with libstdc++.so.6.
- new version;
- browser-plugins-npapi support added;
- new default icons (thx shrek@);
- option uninstall-global-extension was fixed;
- extension scheme changes;
- postin/preun scripts changes;
- new default extensions added;
- protocol 'mailto' external handler added;
- firefox.macro changed;
- postun script changed;
- icons changed;
- New version 1.0PR;
- New extension scheme;
- Add:
* New option 'run-without-x' added (mouse, legion);
* SVG support added;
* Certificate (ALT Linux CA Root) added;
* ALT Linux BTS search plugin added;
* RPATH added to all binary files;
- bug #4284 fixed;
- Move back some changes at alt3 build.
- Bug #4157 fixed.
- viewsource protocol was added.
- Minimize built-in extensions;
- Disable debug output;
- Disable some options:
+ disable JavaScript debug library;
+ disable LDAP support;
+ disable logging facilities;
- Necko protocols cleanup;
- Splash screen added (thx sadist@);
- Search plugins added;
- Remove devel package Conflicts;
- Change rebuild-database.sh script. Script must be run only as root;
- Change locale hack.
- Mozilla Firebird becomes Mozilla Firefox. Mozilla's next generation browser has changed names (again);
- New version;
- Spec changes.
- run-mozilla.sh script patch.
- first build for ALT Linux.
- rpm macro created.
- new scheme loading extensions added (thx force@)