Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

MozillaFirefox-branding-upstream-68.0.1-2.1 RPM for ppc64le

From OpenSuSE Ports Tumbleweed for ppc64le

Name: MozillaFirefox-branding-upstream Distribution: openSUSE Tumbleweed
Version: 68.0.1 Vendor: openSUSE
Release: 2.1 Build date: Thu Aug 8 18:09:36 2019
Group: Productivity/Networking/Web/Browsers Build host: obs-power8-01
Size: 0 Source RPM: MozillaFirefox-68.0.1-2.1.src.rpm
Summary: Upstream branding for Firefox
This package provides upstream look and feel for Firefox.






* Thu Aug 01 2019 Guillaume GARDET <>
  - Update build constraints to fix arm builds
* Fri Jul 19 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 68.0.1
    * Fixed missing Full Screen button when watching videos in full
      screen mode on HBO GO (bmo#1562837)
    * Fixed a bug causing incorrect messages to appear for some
      locales when sites try to request the use of the Storage
      Access API (bmo#1558503)
    * Users in Russian regions may have their default search engine
      changed (bmo#1565315)
    * Built-in search engines in some locales do not function
      correctly (bmo#1565779)
    * SupportMenu policy doesn't always work (bmo#1553290)
    * Allow the privacy.file_unique_origin pref to be controlled by
      policy (bmo#1563759)
* Thu Jul 11 2019 Jiri Slaby <>
  - add fix-build-after-y2038-changes-in-glibc.patch
* Wed Jul 10 2019 Bernhard Wiedemann <>
  - Generate langpacks sequentially to avoid file corruption
    from racy file writes (boo#1137970)
* Mon Jul 08 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 68.0
    * Dark mode in reader view
    * Improved extension security and discovery
    * Cryptomining and fingerprinting protections are added to strict
      content blocking settings in Privacy & Security preferences
    * Camera and microphone access now require an HTTPS connection
    MFSA 2019-21 (bsc#1140868)
    * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
      Sandbox escape via installation of malicious languagepack
    * CVE-2019-11711 (bmo#1552541)
      Script injection within domain through inner window reuse
    * CVE-2019-11712 (bmo#1543804)
      Cross-origin POST requests can be made with NPAPI plugins by
      following 308 redirects
    * CVE-2019-11713 (bmo#1528481)
      Use-after-free with HTTP/2 cached stream
    * CVE-2019-11714 (bmo#1542593)
      NeckoChild can trigger crash when accessed off of main thread
    * CVE-2019-11729 (bmo#1515342)
      Empty or malformed p256-ECDH public keys may trigger a segmentation fault
    * CVE-2019-11715 (bmo#1555523)
      HTML parsing error can contribute to content XSS
    * CVE-2019-11716 (bmo#1552632)
      globalThis not enumerable until accessed
    * CVE-2019-11717 (bmo#1548306)
      Caret character improperly escaped in origins
    * CVE-2019-11718 (bmo#1408349)
      Activity Stream writes unsanitized content to innerHTML
    * CVE-2019-11719 (bmo#1540541)
      Out-of-bounds read when importing curve25519 private key
    * CVE-2019-11720 (bmo#1556230)
      Character encoding XSS vulnerability
    * CVE-2019-11721 (bmo#1256009)
      Domain spoofing through unicode latin 'kra' character
    * CVE-2019-11730 (bmo#1558299)
      Same-origin policy treats all files in a directory as having the
    * CVE-2019-11723 (bmo#1528335)
      Cookie leakage during add-on fetching across private browsing boundaries
    * CVE-2019-11724 (bmo#1512511)
      Retired site has remote troubleshooting permissions
    * CVE-2019-11725 (bmo#1483510)
      Websocket resources bypass safebrowsing protections
    * CVE-2019-11727 (bmo#1552208)
      PKCS#1 v1.5 signatures can be used for TLS 1.3
    * CVE-2019-11728 (bmo#1552993)
      Port scanning through Alt-Svc header
    * CVE-2019-11710 (bmo#1549768, bmo#1548611, bmo#1533842, bmo#1537692,
      bmo#1540590, bmo#1551907, bmo#1510345, bmo#1535482, bmo#1535848,
      bmo#1547472, bmo#1547760, bmo#1507696, bmo#1544180)
      Memory safety bugs fixed in Firefox 68
    * CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498
      bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
      Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
  - requires
    * NSS 3.44.1
    * rust/cargo 1.34
    * rust-cbindgen 0.8.7
  - rebased patches
    * mozilla-aarch64-startup-crash.patch
    * mozilla-kde.patch
    * mozilla-nongnome-proxies.patch
    * firefox-kde.patch
  - use new and add tar_stamps for package definitions
  - added patches imported from SLE flavour
    * mozilla-gcc-internal-compiler-error.patch
    * mozilla-bmo1005535.patch
    * mozilla-ppc-altivec_static_inline.patch
    * mozilla-reduce-rust-debuginfo.patch
    * mozilla-s390-bigendian.patch
    * mozilla-s390-context.patch
* Tue Jul 02 2019 Martin Liška <>
  - Enable PGO for x86_64.
    * added firefox-add-kde.js-in-order-to-survive-PGO-build.patch
* Thu Jun 20 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 67.0.4
    MFSA 2019-19 (boo#1138872)
    * CVE-2019-11708 (bmo#1559858)
      sandbox escape using Prompt:Open
* Tue Jun 18 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 67.0.3
    MFSA 2019-18 (boo#1138614)
    * CVE-2019-11707 (bmo#1544386)
      Type confusion in Array.pop
* Wed Jun 12 2019 Manfred Hollstein <>
  - Mozilla Firefox 67.0.2
    * Fixed: Fix JavaScript error ("TypeError: data is null in
      PrivacyFilter.jsm") in console which may significantly degrade
      sessionstore reliability and performance (bmo#1553413)
    * Fixed: Proxy authentication dialog box repeatedly pops up
      asking to authenticate after upgrading to Firefox 67 (bmo#1548804)
    * Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's
      implementation (bmo#1551282)
    * Fixed: Starting in safe mode on Linux or macOS causes Firefox
      to think on the subsequent launch that the profile is too
      recent to be used with this version of Firefox (bmo#1556612)
    * Fixed: Linux distribution users can't easily install/use
      additional/different languages using the built-in preferences
      UI (bmo#1554744)
    * Fixed: Developer tools users can't copy the href/src content
      from various HTML tags via the context menu in the Inspector
      markup view (bmo#1552275)
    * Fixed: Custom home page is broken with clearing data on shutdown
      settings applied (bmo#1554167)
    * Fixed: Performance-regression for eclipse RAP based applications
    * Fixed: macOS 10.15 crash fix (bmo#1556076)
    * Fixed: Can't start two downloads in parallel via <a download>
      anymore (bmo#1542912)
* Thu Jun 06 2019 Manfred Hollstein <>
  - Mozilla Firefox 67.0.1
    * enable enhanced tracking protection by default for new users
    * upgrade of Facebook container to version 2.0
    * new version of Firefox Lockwise (password management)
    * new version of Firefox Monitor
    * Firefox Send improvements
* Sun May 19 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 67.0
    * Firefox 67 will be able to run different Firefox installs side by side
    * Tabs can now be pinned from the Page Actions menu in the address bar
    * Users can block known cryptominers and fingerprinters in the
      Custom settings or their Content Blocking preferences
    * The Import Data from Another Browser feature is now also available
      from the File menu
    * Firefox will now protect you against running older versions which
      can lead to data corruption and stability issues
    * Easier access to your list of saved logins from the main menu and
      login autocomplete
    * We’ve added a toolbar menu for your Firefox Account to provide more
      transparency for when you are synced, sharing data across devices
      and with Firefox. Personalize the appearance of the menu with your
      own avatar
    * Enable FIDO U2F API, and permit registrations for Google Accounts
    * Enabled AV1 support on Linux
    MFSA 2019-13 (boo#1135824)
    * CVE-2019-9815 (bmo#1546544)
      Disable hyperthreading on content JavaScript threads on macOS
    * CVE-2019-9816 (bmo#1536768)
      Type confusion with object groups and UnboxedObjects
    * CVE-2019-9817 (bmo#1540221)
      Stealing of cross-domain images using canvas
    * CVE-2019-9818 (bmo#1542581) (Windows only)
      Use-after-free in crash generation server
    * CVE-2019-9819 (bmo#1532553)
      Compartment mismatch with fetch API
    * CVE-2019-9820 (bmo#1536405)
      Use-after-free of ChromeEventHandler by DocShell
    * CVE-2019-9821 (bmo#1539125)
      Use-after-free in AssertWorkerThread
    * CVE-2019-11691 (bmo#1542465)
      Use-after-free in XMLHttpRequest
    * CVE-2019-11692 (bmo#1544670)
      Use-after-free removing listeners in the event listener manager
    * CVE-2019-11693 (bmo#1532525)
      Buffer overflow in WebGL bufferdata on Linux
    * CVE-2019-7317 (bmo#1542829)
      Use-after-free in png_image_free of libpng library
    * CVE-2019-11694 (bmo#1534196) (Windows only)
      Uninitialized memory memory leakage in Windows sandbox
    * CVE-2019-11695 (bmo#1445844)
      Custom cursor can render over user interface outside of web content
    * CVE-2019-11696 (bmo#1392955)
      Java web start .JNLP files are not recognized as executable files
      for download prompts
    * CVE-2019-11697 (bmo#1440079)
      Pressing key combinations can bypass installation prompt delays and
      install extensions
    * CVE-2019-11698 (bmo#1543191)
      Theft of user history data through drag and drop of hyperlinks
      to and from bookmarks
    * CVE-2019-11700 (bmo#1549833) (Windows only)
      res: protocol can be used to open known local files
    * CVE-2019-11699 (bmo#1528939)
      Incorrect domain name highlighting during page navigation
    * CVE-2019-11701 (bmo#1518627)
      webcal: protocol default handler loads vulnerable web page
    * CVE-2019-9814 (bmo#1527592, bmo#1534536, bmo#1520132, bmo#1543159,
      bmo#1539393, bmo#1459932, bmo#1459182, bmo#1516425)
      Memory safety bugs fixed in Firefox 67
    * CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136,
      bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108,
      bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097,
      bmo#1532465, bmo#1533554, bmo#1541580)
      Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
  - requires
    * rust/cargo >= 1.32
    * mozilla-nspr >= 4.21
    * mozilla-nss >= 3.43
    * rust-cbindgen >= 0.8.2
  - rebased patches
  - KDE integration for default browser detection is broken in this revision
* Fri May 17 2019 Guillaume GARDET <>
  - Fix armv7 build with:
    * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
* Fri May 10 2019 Manfred Hollstein <>
  - Mozilla Firefox 66.0.5
    * Fixed: Further improvements to re-enable web extensions which
      had been disabled for users with a master password set (bmo#1549249)
* Sun May 05 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 66.0.4 (boo#1134126)
    * fix extension certificate chain
* Thu Apr 11 2019 Manfred Hollstein <>
  - Mozilla Firefox 66.0.3
    * Fixed: Address bar on tablets running Windows 10 now behaves
      correctly (bmo#1498973)
    * Fixed: Performance issues with some HTML5 games (bmo#1537609)
    * Fixed a bug with keypress events in IBM cloud applications
    * Fix for keypress events in some Microsoft cloud applications
    * Changed: Updated Baidu search plugin
* Thu Mar 28 2019 Manfred Hollstein <>
  - Mozilla Firefox 66.0.2
    * Fixed Web compatibility issues with Office 365, iCloud and
      IBM WebMail caused by recent changes to the handling of
      keyboard events (bmo#1538966)
    * Crash fixes (bmo#1521370, bmo#1539118)
* Thu Mar 28 2019 Guillaume GARDET <>
  - Add patch to fix aarch64 build:
    * mozilla-fix-aarch64-libopus.patch (bmo#1539737)
* Fri Mar 22 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 66.0.1
    MFSA 2019-09 (bsc#1130262)
    * CVE-2019-9810 (bmo#1537924)
      IonMonkey MArraySlice has incorrect alias information
    * CVE-2019-9813 (bmo#1538006)
      Ionmonkey type confusion with __proto__ mutations
* Sun Mar 17 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 66.0
    * Increased content processes to 8
    * Added capability to search through open tabs from the tab overflow menu
    * New backend for the storage.local WebExtensions API, providing
      I/O performance improvements when the extension updates a small
      subset of the stored data
    * WebExtension keyboard shortcuts can now be managed or overridden
      from about:addons
    * Improved scrolling behavior: Firefox will now attempt to keep content
      from jumping around while a page is loading by supporting scroll
    * New about:privatebrowsing with search
    * A certificate error page now notifies the user of the name of the
      certificate issuer that breaks HTTPs connections on intercepted
      connections to help troubleshooting possible anti-virus software
    * Fixed an performance issue some Linux users experienced with the
      Downloads panel (bmo#1517101)
    * Firefox now blocks all autoplay media with sound by default. Users
      can add individual sites to an exceptions list or turn the blocking
    * System title bar is hidden by default to match Gnome guideline
    MFSA 2019-07 (bsc#1129821)
    * CVE-2019-9790 (bmo#1525145)
      Use-after-free when removing in-use DOM elements
    * CVE-2019-9791 (bmo#1530958)
      Type inference is incorrect for constructors entered through on-stack
      replacement with IonMonkey
    * CVE-2019-9792 (bmo#1532599)
      IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
    * CVE-2019-9793 (bmo#1528829)
      Improper bounds checks when Spectre mitigations are disabled
    * CVE-2019-9794 (bmo#1530103) (Windows only)
      Command line arguments not discarded during execution
    * CVE-2019-9795 (bmo#1514682)
      Type-confusion in IonMonkey JIT compiler
    * CVE-2019-9796 (bmo#1531277)
      Use-after-free with SMIL animation controller
    * CVE-2019-9797 (bmo#1528909)
      Cross-origin theft of images with createImageBitmap
    * CVE-2019-9798 (bmo#1527534) (Android only)
      Library is loaded from world writable APITRACE_LIB location
    * CVE-2019-9799 (bmo#1505678)
      Information disclosure via IPC channel messages
    * CVE-2019-9801 (bmo#1527717) (Windows only)
      Windows programs that are not 'URL Handlers' are exposed to web content
    * CVE-2019-9802 (bmo#1415508)
      Chrome process information leak
    * CVE-2019-9803 (bmo#1515863, bmo#1437009)
      Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation
    * CVE-2019-9804 (bmo#1518026) (MacOS only)
      Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS
    * CVE-2019-9805 (bmo#1521360)
      Potential use of uninitialized memory in Prio
    * CVE-2019-9806 (bmo#1525267)
      Denial of service through successive FTP authorization prompts
    * CVE-2019-9807 (bmo#1362050)
      Text sent through FTP connection can be incorporated into alert messages
    * CVE-2019-9809 (bmo#1282430, bmo#1523249)
      Denial of service through FTP modal alert error messages
    * CVE-2019-9808 (bmo#1434634)
      WebRTC permissions can display incorrect origin with data: and blob: URLs
    * CVE-2019-9789 bmo#1520483, bmo#1522987, bmo#1528199, bmo#1519337,
      bmo#1525549, bmo#1516179, bmo#1518524, bmo#1518331, bmo#1526579,
      bmo#1512567, bmo#1524335, bmo#1448505, bmo#1518821
      Memory safety bugs fixed in Firefox 66
    * CVE-2019-9788 bmo#1518001, bmo#1521304, bmo#1521214, bmo#1506665,
      bmo#1516834, bmo#1518774, bmo#1524755, bmo#1523362, bmo#1524214, bmo#1529203
      Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
  - updated build/runtime requirements
    * mozilla-nss >= 3.42.1
    * cargo/rust >= 1.31
    * rust-cbindgen >= 0.6.8
    * nasm >= 2.13 (new)
  - removed obsolete patch
    * mozilla-bmo256180.patch
* Tue Mar 05 2019 Stephan Kulow <>
  - Do not hardcode nodejs8 but leave the prefer to the distribution
    (Tumbleweed staging wants to switch to nodejs10)
* Fri Feb 15 2019 Guillaume GARDET <>
  - Update _constraints to avoid 'no space left' error seen on aarch64
* Wed Feb 13 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 65.0.1
    * Fixed accidental requests to when an addon
      recommendation doorhanger is shown (bmo#1526387)
    * Improved playback of interactive Netflix videos (bmo#1524500)
    * Fixed incorrect sizing of the "Clear Recent History" window in
      some situations (bmo#1523696)
    * Fixed audio & video delays while making WebRTC calls
      (bmo#1521577, bmo#1523817)
    * Fixed video sizing problems during some WebRTC calls (bmo#1520200)
    * Fixed looping CONNECT requests when using WebSockets over HTTP/2
      from behind a proxy server (bmo#1523427)
    * Fixed the "Enter" key not working on password entry fields for
      certain Linux distributions (bmo#1523635)
    MFSA 2019-04 (bsc#1125330)
    * CVE-2018-18356 bmo#1525817
      Use-after-free in Skia
    * CVE-2019-5785 bmo#1525433
      Integer overflow in Skia
    * CVE-2018-18511 bmo#1526218
      Cross-origin theft of images with ImageBitmapRenderingContext
* Wed Feb 13 2019 Martin Liška <>
  - Enable LTO only for latest new toolchain (boo#1125038) for x86_64
    (with increased memory constraints)
* Sat Jan 26 2019 Wolfgang Rosenauer <>
  - Mozilla Firefox 65.0
    * Enhanced tracking protection
    * allow switching of UI locales within preferences
    * support for the WebP image format
    * "top"-like about:performance
    MFSA 2019-01 (bsc#1122983)
    * CVE-2018-18500 bmo#1510114
      Use-after-free parsing HTML5 stream
    * CVE-2018-18503 bmo#1509442
      Memory corruption with Audio Buffer
    * CVE-2018-18504 bmo#1496413
      Memory corruption and out-of-bounds read of texture client
    * CVE-2018-18505 bmo#1497749
      Privilege escalation through IPC channel messages
    * CVE-2018-18506 bmo#1503393
      Proxy Auto-Configuration file can define localhost access to be proxied
    * CVE-2018-18502 bmo#1499426 bmo#1480090 bmo#1472990 bmo#1514762
      bmo#1501482 bmo#1505887 bmo#1508102 bmo#1508618 bmo#1511580
      bmo#1493497 bmo#1510145 bmo#1516289 bmo#1506798 bmo#1512758
      Memory safety bugs fixed in Firefox 65
    * CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
      bmo#1502871 bmo#1516738 bmo#1516514
      Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
  - requires
    NSS 3.41
    rust/carge 1.30
    rust-cbindgen 0.6.7
  - rebased patches
  - remove workaround for build memory consumption on i586; other
    mitigations meanwhile introduced (mainly parallelity) will be
* Tue Jan 15 2019 Martin Liška <>
  - Increase disk constraint.
* Mon Jan 14 2019 Martin Liška <>
  - Remove -v from mach build in order to work-around bmo#1500436.
* Fri Jan 11 2019 Martin Liška <>
  - Set %clang_build to false on all architectures
  - Do not use -fno-delete-null-pointer-checks and -fno-strict-aliasing:
    it should not be needed anymore
  - Do not overwrite enable-optimize and when possible
    enable --enable-debug-symbols.
  - Add -v to mach in order to make build verbose.
* Wed Jan 09 2019
  - Mozilla Firefox 64.0.2:
    * Update the Japanese translation for missing strings (bmo#1513259)
    * Properly restore column sizes in developer tools inspector (bmo#1503175)
    * Fixed video stuttering on Youtube (bmo#1513511)
    * Fix updates for some lightweight themes (bmo#1508777)
* Tue Dec 18 2018 Guillaume GARDET <>
  - Enable build_hardened for all architectures
  - Switch back aarch64 to clang as '-fPIC' fixes bmo#1513605
  - Remove obolete '--enable-pie' as -pie is always enabled for
    gcc and clang
* Wed Dec 12 2018 Guillaume GARDET <>
  - Switch aarch64 builds back to gcc, not clang (bmo#1513605)
  - Switch %arm builds back to gcc, not clang to avoid OOM
  - Fix build flags when clang is not used
  - Fix flags for clang ppc64 builds
* Tue Dec 11 2018 Wolfgang Rosenauer <>
  - update to Firefox 64.0
    * Better recommendations: You may see suggestions in regular browsing
      mode for new and relevant Firefox features, services, and extensions
      based on how you use the web (for US users only)
    * Enhanced tab management: You can now select multiple tabs from the
      tab bar and close, move, bookmark, or pin them quickly and easily
    * Easier performance management: The new Task Manager page found at
      about:performance lets you see how much energy each open tab consumes
      and provides access to close tabs to conserve power
    * Improved performance for Mac and Linux users, by enabling link time
      optimization (Clang LTO).
    * Added option to remove add-ons using the context menu on their
      toolbar buttons
    * RSS feed preview and live bookmarks are available only via add-ons
    * TLS certificates issued by Symantec are no longer trusted by Firefox.
      Website operators are strongly encouraged to replace any remaining
      Symantec TLS certificates as soon as possible
    MFSA 2018-29 (bsc#1119105)
    * CVE-2018-12407 bmo#1505973
      Buffer overflow with ANGLE library when using VertexBuffer11 module
    * CVE-2018-17466 bmo#1488295
      Buffer overflow and out-of-bounds read in ANGLE library with
    * CVE-2018-18492 bmo#1499861
      Use-after-free with select element
    * CVE-2018-18493 bmo#1504452
      Buffer overflow in accelerated 2D canvas with Skia
    * CVE-2018-18494 bmo#1487964
      Same-origin policy violation using location attribute and
      performance.getEntries to steal cross-origin URLs
    * CVE-2018-18495 bmo#1427585
      WebExtension content scripts can be loaded in about: pages
    * CVE-2018-18496 bmo#1422231 (Windows only)
      Embedded feed preview page can be abused for clickjacking
    * CVE-2018-18497 bmo#1488180
      WebExtensions can load arbitrary URLs through pipe separators
    * CVE-2018-18498 bmo#1500011
      Integer overflow when calculating buffer sizes for images
    * CVE-2018-12406 bmo#1456947 bmo#1475669 bmo#1504816 bmo#1502886
      bmo#1500064 bmo#1500310 bmo#1500696 bmo#1498765 bmo#1499198 bmo#1434490
      bmo#1481745 bmo#1458129
      Memory safety bugs fixed in Firefox 64
    * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
      bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
      Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4
  - requires
    * rust/cargo >= 1.29
    * mozilla-nss >= 3.40.1
    * rust-cbindgen >= 0.6.4
  - rebased patches
  - removed obsolete patch
    * mozilla-bmo1491289.patch
  - now uses clang primarily for compilation
* Wed Nov 28 2018 Guillaume GARDET <>
  - Remove --disable-elf-hack when not available: on aarch64 and ppc64*
* Mon Nov 26 2018 Guillaume GARDET <>
  - Clean-up %arm build
* Sun Nov 18 2018
  - update to Firefox 63.0.3
    * Games using WebGL (created in Unity) get stuck after very short
      time of gameplay (bmo#1502748)
    * Slow page loading for some users with specific proxy configurations
    * Disable HTTP response throttling by default for causing bugs with
      videos in background tabs (bmo#1503354)
    * Opening magnet links no longer works (bmo#1498934)
    * Crash fixes (bmo#1498510, bmo#1503424)
  - removed mozilla-newer-cbindgen.patch; no longer needed
* Thu Nov 08 2018
  - update to Firefox 63.0.1
    * Snippets are not loaded due to missing element (bmo#1503047)
    * Print preview always shows 30& scale when it is actually
      Shrink To Fit (bmo#1501952)
    * Dialog displayed when closing multiple windows shows unreplaced
      %1$S placeholder in Japanese and potentially other locales
* Mon Oct 29 2018
  - update to Firefox 63.0
    * WebExtensions now run in their own process on Linux
    * The Ctrl+Tab shortcut now displays thumbnail previews of your
      tabs and cycles through tabs in recently used order. This new
      default behavior is activated only in new profiles and can be
      changed in preferences.
    * Added support for Web Components custom elements and shadow DOM
    MFSA 2018-26 (bsc#1112852)
    * CVE-2018-12391 (bmo#1478843) (Android-only)
      HTTP Live Stream audio data is accessible cross-origin
    * CVE-2018-12392 (bmo#1492823)
      Crash with nested event loops
    * CVE-2018-12393 (bmo#1495011) (only affects non-64-bit archs)
      Integer overflow during Unicode conversion while loading JavaScript
    * CVE-2018-12395 (bmo#1467523)
      WebExtension bypass of domain restrictions through header rewriting
    * CVE-2018-12396 (bmo#1483602)
      WebExtension content scripts can execute in disallowed contexts
    * CVE-2018-12397 (bmo#1487478)
      Missing warning prompt when WebExtension requests local file access
    * CVE-2018-12398 (bmo#1460538, bmo#1488061)
      CSP bypass through stylesheet injection in resource URIs
    * CVE-2018-12399 (bmo#1490276)
      Spoofing of protocol registration notification bar
    * CVE-2018-12400 (bmo#1448305) (Android only)
      Favicons are cached in private browsing mode on Firefox for Android
    * CVE-2018-12401 (bmo#1422456)
      DOS attack through special resource URI parsing
    * CVE-2018-12402 (bmo#1469916)
      SameSite cookies leak when pages are explicitly saved
    * CVE-2018-12403 (bmo#1484753)
      Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP
    * CVE-2018-12388 (bmo#1472639, bmo#1485698, bmo#1301547, bmo#1471427,
      bmo#1379411, bmo#1482122, bmo#1486314, bmo#1487167)
      Memory safety bugs fixed in Firefox 63
    * CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
      bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
      bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
      bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
      Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
  - requires NSPR 4.20, NSS 3.39 and Rust 1.28
  - latest rust does not provide rust-std so stop requiring it
  - requires rust-cbindgen >= 0.6.2 to build
  - requires nodejs >= 8.11 to build
  - added mozilla-bmo1491289.patch to fix system NSS build (bmo#1491289)
  - added mozilla-cubeb-noreturn.patch to fix non-return function
  - added mozilla-newer-cbindgen.patch to fix build with cbindgen 0.6.7
  - disable elfhack for TW and newer due to build errors
  - removed obsolete patches
    * mozilla-no-return.patch
    * mozilla-no-stdcxx-check.patch
* Thu Oct 25 2018
  - Update _constraints for armv6/7
* Thu Oct 25 2018
  - Add patch to fix build on armv7:
    * mozilla-bmo1463035.patch
* Tue Oct 02 2018
  - Mozilla Firefox 62.0.3:
    MFSA 2018-24
    * CVE-2018-12386 (bsc#1110506, bmo#1493900)
      Type confusion in JavaScript allowed remote code execution
    * CVE-2018-12387 (bsc#1110507, bmo#1493903)
      Array.prototype.push stack pointer vulnerability may enable
      exploits in the sandboxed content process
* Sat Sep 22 2018
  - Mozilla Firefox 62.0.2:
    MFSA 2018-22
    * CVE-2018-12385 (boo#1109363, bmo#1490585)
      Crash in TransportSecurityInfo due to cached data
    * Unvisited bookmarks can once again be autofilled in the address
    * Fix WebGL rendering issues
    * Fix fallback on startup when a language pack is missing
    * Avoid crash when sharing a profile with newer (as yet
      unreleased) versions of Firefox
    * Do not undo removal of search engines when using a language
    * Fixed rendering of some web sites
    * Restored compatibility with some sites using deprecated TLS
  - disable rust debug symbols to fix build on %ix86
* Mon Sep 03 2018
  - update to Firefox 62.0
    * Firefox Home (the default New Tab) now allows users to display
      up to 4 rows of top sites, Pocket stories, and highlights
    * "Reopen in Container" tab menu option appears for users with
      Containers that lets them choose to reopen a tab in a different
    * In advance of removing all trust for Symantec-issued certificates
      in Firefox 63, a preference was added that allows users to distrust
      certificates issued by Symantec. To use this preference, go to
      about:config in the address bar and set the preference
      "security.pki.distrust_ca_policy" to 2.
    * Support for CSS Shapes, allowing for richer web page layouts.
      This goes hand in hand with a brand new Shape Path Editor in the
      CSS inspector.
    * CSS Variable Fonts (OpenType Font Variations) support, which makes
      it possible to create beautiful typography with a single font file
    * Added Canadian English (en-CA) locale
    MFSA 2018-20 (bsc#1107343)
    * CVE-2018-12377 (bmo#1470260)
      Use-after-free in refresh driver timers
    * CVE-2018-12378 (bmo#1459383)
      Use-after-free in IndexedDB
    * CVE-2018-12379 (bmo#1473113) (updater is disabled for us)
      Out-of-bounds write with malicious MAR file
    * CVE-2017-16541 (bmo#1412081)
      Proxy bypass using automount and autofs
    * CVE-2018-12381 (bmo#1435319)
      Dragging and dropping Outlook email message results in page navigation
    * CVE-2018-12382 (bmo#1479311) (Android only)
      Addressbar spoofing with javascript URI on Firefox for Android
    * CVE-2018-12383 (bmo#1475775)
      Setting a master password post-Firefox 58 does not delete
      unencrypted previously stored passwords
    * CVE-2018-12375
      Memory safety bugs fixed in Firefox 62
    * CVE-2018-12376
      Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
  - requires NSS >= 3.38
  - removed obsolete patch
* Thu Aug 09 2018
  - update to Firefox 61.0.2
    * Improved website rendering with the Retained Display List feature
      enabled (bmo#1474402)
    * Fixed broken DevTools panels with certain extensions installed
    * Fixed a crash for users with some accessibility tools enabled
* Mon Jul 09 2018
  - Mozilla Firefox 61.0.1:
    * Fix missing content on the New Tab Page and the Home section of
      the Preferences page (bmo#1471375)
    * Fixed loss of bookmarks under rare circumstances when upgrading
      from Firefox 60 (bmo#1472127)
    * Improved playback of Twitch 1080p video streams (bmo#1469257)
    * Web pages no longer lose focus when a browser popup window is
      opened (bmo#1471415)
    * Re-allowed downloading files from FTP sites via the "Save Link
      As" option when linked from HTTP pages (bmo#1470295)
    * Fixed extensions being unable to override the default homepage
      in certain situations (bmo#1466846)
* Sat Jun 23 2018
  - update to Firefox 61.0
    * Performance enhancements
    * Various improvements for dark theme support will provide a more
      consistent experience across the entire Firefox UI
    * OpenSearch plugins offered by web pages can now be added from the
      page action menu for easier installation
    * Improved support for allowing WebExtensions to manage and hide tabs
    MFSA 2018-15 (bsc#1098998)
    * CVE-2018-12359 (bmo#1459162)
      Buffer overflow using computed size of canvas element
    * CVE-2018-12360 (bmo#1459693)
      Use-after-free when using focus()
    * CVE-2018-12361 (bmo#1463244)
      Integer overflow in SwizzleData
    * CVE-2018-12358 (bmo#1467852)
      Same-origin bypass using service worker and redirection
    * CVE-2018-12362 (bmo#1452375)
      Integer overflow in SSSE3 scaler
    * CVE-2018-5156 (bmo#1453127)
      Media recorder segmentation fault when track type is changed during capture
    * CVE-2018-12363 (bmo#1464784)
      Use-after-free when appending DOM nodes
    * CVE-2018-12364 (bmo#1436241)
      CSRF attacks through 307 redirects and NPAPI plugins
    * CVE-2018-12365 (bmo#1459206)
      Compromised IPC child process can list local filenames
    * CVE-2018-12371 (bmo#1465686)
      Integer overflow in Skia library during edge builder allocation
    * CVE-2018-12366 (bmo#1464039)
      Invalid data handling during QCMS transformations
    * CVE-2018-12367 (bmo#1462891)
      Timing attack mitigation of PerformanceNavigationTiming
    * CVE-2018-12369 (bmo#1454909)
      WebExtension security permission checks bypassed by embedded experiments
    * CVE-2018-12370 (bmo#1456652)
      SameSite cookie protections bypassed when exiting Reader View
    * CVE-2018-5186 (bmo#1464872,bmo#1463329,bmo#1419373,bmo#1412882,
      Memory safety bugs fixed in Firefox 61
    * CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938,
      Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
    * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
      Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
  - requires NSS 3.37.3
  - requires python >= 3.5 to build
  - removed obsolete patches
  - patch for new no-return warnings (mozilla-no-return.patch)
  - do not disable system installed locales (mozilla-bmo1464766.patch)
* Fri Jun 08 2018
  - Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
    conditional --disable-gconf to configure: no longer pull in
    obsolete gconf2 for Tumbleweed.
* Thu Jun 07 2018
  - update to Firefox 60.0.2
    * requires NSS 3.36.4
    MFSA 2018-14 (bsc#1096449)
    * CVE-2018-6126 (bmo#1462682)
      Heap buffer overflow rasterizing paths in SVG with Skia
* Wed Jun 06 2018
  - Add upstream patch to fix boo#1093059 instead of '-ffixed-x28'
    * mozilla-bmo1375074.patch
* Sat May 26 2018
  - fixed "open with" option under KDE (boo#1094747)
  - workaround crash on startup on aarch64 (boo#1093059)
    (contributed by
* Wed May 23 2018
  - Disable webrtc for aarch64 due to bmo#1434589
  - Add patch to fix skia build on AArch64:
    * mozilla-fix-skia-aarch64.patch
* Thu May 17 2018
  - update to Firefox 60.0.1
    * Avoid overly long cycle collector pauses with some add-ons installed
    * After unckecking the "Sponsored Stories" option, the New Tab page
      now immediately stops displaying "Sponsored content" cards (bmo#1458906)
    * On touchscreen devices, fixed momentum scrolling on non-zoomable pages
    * Use the right default background when opening tabs or windows in
      high contrast mode (bmo#1458956)
    * Restored translations of the Preferences panels when using a
      language pack (bmo#1461590)
* Mon May 14 2018
  - parellelise locales building
* Mon May 07 2018
  - update to Firefox 60.0
    * Added a policy engine that allows customized Firefox deployments
      in enterprise environments, using Windows Group Policy or a
      cross-platform JSON file
    * Applied Quantum CSS to render browser UI
    * Added support for Web Authentication, allowing the use of USB
      tokens for authentication to web sites
    * Locale added: Occitan (oc)
    MFSA 2018-11 (bsc#1092548)
    * CVE-2018-5154 (bmo#1443092)
      Use-after-free with SVG animations and clip paths
    * CVE-2018-5155 (bmo#1448774)
      Use-after-free with SVG animations and text paths
    * CVE-2018-5157 (bmo#1449898)
      Same-origin bypass of PDF Viewer to view protected PDF files
    * CVE-2018-5158 (bmo#1452075)
      Malicious PDF can inject JavaScript into PDF Viewer
    * CVE-2018-5159 (bmo#1441941)
      Integer overflow and out-of-bounds write in Skia
    * CVE-2018-5160 (bmo#1436117)
      Uninitialized memory use by WebRTC encoder
    * CVE-2018-5152 (bmo#1415644, bmo#1427289)
      WebExtensions information leak through webRequest API
    * CVE-2018-5153 (bmo#1436809)
      Out-of-bounds read in mixed content websocket messages
    * CVE-2018-5163 (bmo#1426353)
      Replacing cached data in JavaScript Start-up Bytecode Cache
    * CVE-2018-5164 (bmo#1416045)
      CSP not applied to all multipart content sent with
    * CVE-2018-5166 (bmo#1437325)
      WebExtension host permission bypass through filterReponseData
    * CVE-2018-5167 (bmo#1447969)
      Improper linkification of chrome: and javascript: content in
      web console and JavaScript debugger
    * CVE-2018-5168 (bmo#1449548)
      Lightweight themes can be installed without user interaction
    * CVE-2018-5169 (bmo#1319157)
      Dragging and dropping link text onto home button can set home page
      to include chrome pages
    * CVE-2018-5172 (bmo#1436482)
      Pasted script from clipboard can run in the Live Bookmarks page
      or PDF viewer
    * CVE-2018-5173 (bmo#1438025)
      File name spoofing of Downloads panel with Unicode characters
    * CVE-2018-5174 (bmo#1447080) (Windows-only)
      Windows Defender SmartScreen UI runs with less secure behavior
      for downloaded files in Windows 10 April 2018 Update
    * CVE-2018-5175 (bmo#1432358)
      Universal CSP bypass on sites using strict-dynamic in their policies
    * CVE-2018-5176 (bmo#1442840)
      JSON Viewer script injection
    * CVE-2018-5177 (bmo#1451908)
      Buffer overflow in XSLT during number formatting
    * CVE-2018-5165 (bmo#1451452)
      Checkbox for enabling Flash protected mode is inverted in 32-bit
    * CVE-2018-5180 (bmo#1444086)
      heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
    * CVE-2018-5181 (bmo#1424107)
      Local file can be displayed in noopener tab through drag and
      drop of hyperlink
    * CVE-2018-5182 (bmo#1435908)
      Local file can be displayed from hyperlink dragged and dropped
      on addressbar
    * CVE-2018-5151
      Memory safety bugs fixed in Firefox 60
    * CVE-2018-5150
      Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
  - removed obsolete patches
  - requires NSPR 4.19 and NSS 3.36.1
  - requires rust 1.24 or higher
  - use upstream source archive and detached signature for
    source verification
* Thu May 03 2018
  - Fix armv7 build by:
    * adding RUSTFLAGS="-Cdebuginfo=0"
    * updating _constraints for %arm
* Wed May 02 2018
  - do not try CSD on kwin (boo#1091592)
  - fix build in openSUSE:Leap:42.3:Update, use gcc7
* Tue May 01 2018
  - Mozilla Firefox 59.0.3:
    * fixes for platforms other than GNU/Linux
* Fri Apr 20 2018
  - Add 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
    in order to fix boo#1090362.
* Mon Apr 02 2018
  - Add back mozilla-enable-csd.patch: New rebased version from
    Fedora for version 59.0.x.
* Tue Mar 27 2018
  - Reduce constraints on aarch64
* Tue Mar 27 2018
  - update to Firefox 59.0.2
    * Invalid page rendering with hardware acceleration enabled (bmo#1435472)
    * Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites
      that use those keys with resistFingerprinting enabled (bmo#1433592)
    * High CPU / memory churn caused by third-party software on some
      computers (bmo#1446280)
    * Users who have configured an "automatic proxy configuration URL"
      and want to reload their proxy settings from the URL will find
      the Reload button disabled in the Connection Settings dialog when
      they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
    * URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
    * User's trying to cancel a print around the time it completes will
      continue to get intermittent crashes (bmo#1441598)
    MFSA 2018-10 (bsc#1087059)
    * CVE-2018-5148 (bmo#1440717)
      Use-after-free in compositor
  - removed obsolete patch mozilla-bmo1446062.patch
* Wed Mar 21 2018
  - Added patches:
    * mozilla-i586-DecoderDoctorLogger.patch - bmo#1447070
      fixes non-unified build error
    * mozilla-i586-domPrefs.patch - DOMPrefs.h
      fixes 32bit build error
* Fri Mar 16 2018
  - update to Firefox 59.0.1 (bsc#1085671)
    MFSA 2018-08
    * CVE-2018-5146 (bmo#1446062)
      Vorbis audio processing out of bounds write
    * CVE-2018-5147 (bmo#1446365)
      Out of bounds memory write in libtremor
* Wed Mar 14 2018
  - Added patch:
    * mozilla-bmo1005535.patch:
      Enable skia_gpu on big endian platforms.
* Sun Mar 11 2018
  - update to Firefox 59.0
    * Performance enhancements
    * Drag-and-drop to rearrange Top Sites on the Firefox Home page
    * added features for Firefox Screenshots
    * Enhanced WebExtensions API
    * Improved RTC capabilities
    MFSA 2018-06 (bsc#1085130)
    * CVE-2018-5127 (bmo#1430557)
      Buffer overflow manipulating SVG animatedPathSegList
    * CVE-2018-5128 (bmo#1431336)
      Use-after-free manipulating editor selection ranges
    * CVE-2018-5129 (bmo#1428947)
      Out-of-bounds write with malformed IPC messages
    * CVE-2018-5130 (bmo#1433005)
      Mismatched RTP payload type can trigger memory corruption
    * CVE-2018-5131 (bmo#1440775)
      Fetch API improperly returns cached copies of no-store/no-cache resources
    * CVE-2018-5132 (bmo#1408194)
      WebExtension Find API can search privileged pages
    * CVE-2018-5133 (bmo#1430511, bmo#1430974)
      Value of the preference is not properly sanitized
    * CVE-2018-5134 (bmo#1429379)
      WebExtensions may use view-source: URLs to bypass content restrictions
    * CVE-2018-5135 (bmo#1431371)
      WebExtension browserAction can inject scripts into unintended contexts
    * CVE-2018-5136 (bmo#1419166)
      Same-origin policy violation with data: URL shared workers
    * CVE-2018-5137 (bmo#1432870)
      Script content can access legacy extension non-contentaccessible resources
    * CVE-2018-5138 (bmo#1432624) (Android only)
      Android Custom Tab address spoofing through long domain names
    * CVE-2018-5140 (bmo#1424261)
      Moz-icon images accessible to web content through moz-icon: protocol
    * CVE-2018-5141 (bmo#1429093)
      DOS attack through notifications Push API
    * CVE-2018-5142 (bmo#1366357)
      Media Capture and Streams API permissions display incorrect origin
      with data: and blob: URLs
    * CVE-2018-5143 (bmo#1422643)
      Self-XSS pasting javascript: URL with embedded tab into addressbar
    * CVE-2018-5126
      Memory safety bugs fixed in Firefox 59
    * CVE-2018-5125
      Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
  - requires NSPR 4.18 and NSS 3.35
  - requires rust >= 1.22.1
  - removed obsolete patches:
  - removed l10n_changesets.txt since same information is now in
    Firefox source tree (updated now requires jq)
* Fri Feb 09 2018
  - Mozilla Firefox 58.0.2:
    * Blocklisted graphics drivers related to off main thread painting
    * Fix tab crash during printing
    * Fix clicking links and scrolling emails on Microsoft Hotmail
      and Outlook (OWA) webmail
* Fri Feb 09 2018
  - correct requires and provides handling (boo#1076907)
* Tue Feb 06 2018
  - Added patch:
    * mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still
      or again?) not working in Firefox 58 due to sandboxing.
* Mon Jan 29 2018
  - update to Firefox 58.0.1
    MFSA 2018-05
    * Arbitrary code execution through unsanitized browser UI (bmo#1432966)
  - use correct language packs
  - readd mozilla-enable-csd.patch as it only lands for FF59 upstream
  - allow larger number of nested elements (mozilla-bmo256180.patch)
* Tue Jan 23 2018
  - update to Firefox 58.0 (bsc#1077291)
    * Added Nepali (ne-NP) locale
    * Added support for form autofill for credit card
    * Optimize page load by caching JavaScript internal representation
    MFSA 2018-02
    * CVE-2018-5091 (bmo#1423086)
      Use-after-free with DTMF timers
    * CVE-2018-5092 (bmo#1418074)
      Use-after-free in Web Workers
    * CVE-2018-5093 (bmo#1415291)
      Buffer overflow in WebAssembly during Memory/Table resizing
    * CVE-2018-5094 (bmo#1415883)
      Buffer overflow in WebAssembly with garbage collection on
      uninitialized memory
    * CVE-2018-5095 (bmo#1418447)
      Integer overflow in Skia library during edge builder allocation
    * CVE-2018-5097 (bmo#1387427)
      Use-after-free when source document is manipulated during XSLT
    * CVE-2018-5098 (bmo#1399400)
      Use-after-free while manipulating form input elements
    * CVE-2018-5099 (bmo#1416878)
      Use-after-free with widget listener
    * CVE-2018-5100 (bmo#1417405)
      Use-after-free when IsPotentiallyScrollable arguments are freed
      from memory
    * CVE-2018-5101 (bmo#1417661)
      Use-after-free with floating first-letter style elements
    * CVE-2018-5102 (bmo#1419363)
      Use-after-free in HTML media elements
    * CVE-2018-5103 (bmo#1423159)
      Use-after-free during mouse event handling
    * CVE-2018-5104 (bmo#1425000)
      Use-after-free during font face manipulation
    * CVE-2018-5105 (bmo#1390882)
      WebExtensions can save and execute files on local file system
      without user prompts
    * CVE-2018-5106 (bmo#1408708)
      Developer Tools can expose style editor information cross-origin
      through service worker
    * CVE-2018-5107 (bmo#1379276)
      Printing process will follow symlinks for local file access
    * CVE-2018-5108 (bmo#1421099)
      Manually entered blob URL can be accessed by subsequent private browsing tabs
    * CVE-2018-5109 (bmo#1405599)
      Audio capture prompts and starts with incorrect origin attribution
    * CVE-2018-5110 (bmo#1423275) (affects only OS X)
      Cursor can be made invisible on OS X
    * CVE-2018-5111 (bmo#1321619)
      URL spoofing in addressbar through drag and drop
    * CVE-2018-5112 (bmo#1425224)
      Extension development tools panel can open a non-relative URL in the panel
    * CVE-2018-5113 (bmo#1425267)
      WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow
    * CVE-2018-5114 (bmo#1421324)
      The old value of a cookie changed to HttpOnly remains accessible to scripts
    * CVE-2018-5115 (bmo#1409449)
      Background network requests can open HTTP authentication in unrelated foreground tabs
    * CVE-2018-5116 (bmo#1396399)
      WebExtension ActiveTab permission allows cross-origin frame content access
    * CVE-2018-5117 (bmo#1395508)
      URL spoofing with right-to-left text aligned left-to-right
    * CVE-2018-5118 (bmo#1420049)
      Activity Stream images can attempt to load local content through file:
    * CVE-2018-5119 (bmo#1420507)
      Reader view will load cross-origin content in violation of CORS headers
    * CVE-2018-5121 (bmo#1402368) (affects only OS X)
      OS X Tibetan characters render incompletely in the addressbar
    * CVE-2018-5122 (bmo#1413841)
      Potential integer overflow in DoCrypt
    * CVE-2018-5090
      Memory safety bugs fixed in Firefox 58
    * CVE-2018-5089
      Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
  - requires NSS 3.34.1
  - requires rust 1.21
  - removed obsolete patches:
  - rebased patches
  - updated man-page
* Tue Jan 09 2018
  - fixed build with latest rust (mozilla-rust-1.23.patch)
* Thu Jan 04 2018
  - update to Firefox 57.0.4
    MFSA 2018-1: Speculative execution side-channel attack ("Spectre")
* Wed Jan 03 2018
  - fixed regression introduced Oct 10th which made Firefox crash
    when cancelling the KDE file dialog (boo#1069962)
* Fri Dec 29 2017
  - Mozilla Firefox 57.0.3:
    * Fix a crash reporting issue that inadvertently sends background
      tab crash reports to Mozilla without user opt-in (bmo#1427111,
  - Includes changes from 57.0.2:
    * fixes for platforms other than GNU/Linux
* Fri Dec 08 2017
  - Explicitly buildrequires python2-xml: The build system relies on
    it. We wrongly relied on other packages pulling it in for us.
* Thu Dec 07 2017
  - Escape the usage of %{VERSION} when calling out to rpm.
    RPM 4.14 has %{VERSION} defined as 'the main packages version'.
* Wed Nov 29 2017
  - update to Firefox 57.0.1
    * CVE-2017-7843: Web worker in Private Browsing mode can write
      IndexedDB data (bsc#1072034, bmo#1410106)
    * CVE-2017-7844: Visited history information leak through SVG
      image (bsc#1072036, bmo#1420001)
    * Fix a video color distortion issue on YouTube and other video
      sites with some AMD devices (bmo#1417442)
    * Fix an issue with prefs.js when the profile path has non-ascii
      characters (bmo#1420427)
* Tue Nov 21 2017
  - Add mozilla-bmo1360278.patch
    Starting with Firefox 57, the context menu appears on key press.
    This patch creates a config entry to restore the
    old behaviour. Without the patch, the mouse gesture extensions
    require 2 clicks to work (bmo#1360278).
    The new config entry is named ui.context_menus.after_mouseup
    (default : false).
* Sat Nov 18 2017
  - Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled
* Wed Nov 15 2017
  - update to Firefox 57.0 (boo#1068101)
    * Firefox Quantum
    * Photon UI
    * Unified address and search bar
    * AMD VP9 hardware video decoder support
    * Added support for Date/Time input
    * stricter security sandbox blocking filesystem reading and
      writing on Linux systems
    * middle mouse paste in the content area no longer navigates to
      URLs by default on Unix systems
    MFSA 2017-24
    * CVE-2017-7828 (bmo#1406750. bmo#1412252)
      Use-after-free of PressShell while restyling layout
    * CVE-2017-7830 (bmo#1408990)
      Cross-origin URL information leak through Resource Timing API
    * CVE-2017-7831 (bmo#1392026)
      Information disclosure of exposed properties on JavaScript proxy
    * CVE-2017-7832 (bmo#1408782)
      Domain spoofing through use of dotless 'i' character followed
      by accent markers
    * CVE-2017-7833 (bmo#1370497)
      Domain spoofing with Arabic and Indic vowel marker characters
    * CVE-2017-7834 (bmo#1358009)
      data: URLs opened in new tabs bypass CSP protections
    * CVE-2017-7835 (bmo#1402363)
      Mixed content blocking incorrectly applies with redirects
    * CVE-2017-7836 (bmo#1401339)
      Pingsender dynamically loads libcurl on Linux and OS X
    * CVE-2017-7837 (bmo#1325923)
      SVG loaded as <img> can use meta tags to set cookies
    * CVE-2017-7838 (bmo#1399540)
      Failure of individual decoding of labels in international domain
      names triggers punycode display of entire IDN
    * CVE-2017-7839 (bmo#1402896)
      Control characters before javascript: URLs defeats self-XSS
      prevention mechanism
    * CVE-2017-7840 (bmo#1366420)
      Exported bookmarks do not strip script elements from user-supplied
    * CVE-2017-7842 (bmo#1397064)
      Referrer Policy is not always respected for <link> elements
    * CVE-2017-7827
      Memory safety bugs fixed in Firefox 57
    * CVE-2017-7826
      Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
  - requires NSPR 4.17, NSS 3.33 and rustc 1.19
  - rebased patches
  - added mozilla-bindgen-systemlibs.patch to allow stylo build
    with system libs (bmo#1341234)
  - removed mozilla-language.patch since the whole locale code
    changed in Firefox and is relying on ICU now
  - removed obsolete mozilla-ucontext.patch
* Sat Oct 28 2017
  - update to Firefox 56.0.2
    * Disable Form Autofill completely on user request (bmo#1404531)
    * Fix for video-related crashes on Windows 7 (bmo#1409141)
    * Correct detection for 64-bit GSSAPI authentication (bmo#1409275)
    * Fix for shutdown crash (bmo#1404105)
* Tue Oct 10 2017
  - update to Firefox 56.0.1
    * Block D3D11 when using Intel drivers on Windows 7 systems with
      partial AVX support (bmo#1403353)
    - > just to sync the version number
  - enable stylo for TW (requires LLVM >= 3.9)
  - queue KDE filepicker requests to avoid non-opening file dialogs
    happening in certain situations (contributed by Ignaz Forster)
  - the placeholder dot in KDE file dialog in case of empty filenames
    was removed, apparently not required (anymore)
    (contributed by Ignaz Forster)
* Sun Oct 01 2017
  - Correct plugin directory for aarch64 (boo#1061207). The wrapper
    script was not detecting aarch64 as a 64 bit architecture, thus
    used /usr/lib/browser-plugins/.
* Sat Sep 30 2017
  - Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
    pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
    pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
    pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
    looks for.
* Thu Sep 28 2017
  - update to Firefox 56.0 (boo#1060445)
    * Firefox Screenshots
    * Find Options/Preferences more quickly with new search function
    * Media is no longer auto-played when opened in a background tab
    * Enable CSS Grid Layout View
    MFSA 2017-21
    * CVE-2017-7793 (bmo#1371889)
      Use-after-free with Fetch API
    * CVE-2017-7817 (bmo#1356596) (Android-only)
      Firefox for Android address bar spoofing through fullscreen mode
    * CVE-2017-7818 (bmo#1363723)
      Use-after-free during ARIA array manipulation
    * CVE-2017-7819 (bmo#1380292)
      Use-after-free while resizing images in design mode
    * CVE-2017-7824 (bmo#1398381)
      Buffer overflow when drawing and validating elements with ANGLE
    * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
      Use-after-free in TLS 1.2 generating handshake hashes
    * CVE-2017-7812 (bmo#1379842)
      Drag and drop of malicious page content to the tab bar can open locally stored files
    * CVE-2017-7814 (bmo#1376036)
      Blob and data URLs bypass phishing and malware protection warnings
    * CVE-2017-7813 (bmo#1383951)
      Integer truncation in the JavaScript parser
    * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
      OS X fonts render some Tibetan and Arabic unicode characters as spaces
    * CVE-2017-7815 (bmo#1368981)
      Spoofing attack with modal dialogs on non-e10s installations
    * CVE-2017-7816 (bmo#1380597)
      WebExtensions can load about: URLs in extension UI
    * CVE-2017-7821 (bmo#1346515)
      WebExtensions can download and open non-executable files without user interaction
    * CVE-2017-7823 (bmo#1396320)
      CSP sandbox directive did not create a unique origin
    * CVE-2017-7822 (bmo#1368859)
      WebCrypto allows AES-GCM with 0-length IV
    * CVE-2017-7820 (bmo#1378207)
      Xray wrapper bypass with new tab and web console
    * CVE-2017-7811
      Memory safety bugs fixed in Firefox 56
    * CVE-2017-7810
      Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
  - requires NSPR 4.16 and NSS 3.32.1
  - rebased patches
* Thu Sep 28 2017
  - Add alsa-devel BuildRequires: we care for ALSA support to be
    built and thus need to ensure we get the dependencies in place.
    In the past, alsa-devel was pulled in by accident: we
    buildrequire libgnome-devel. This required esound-devel and that
    in turn pulled in alsa-devel for us. libgnome is being fixed to
    no longer require esound-devel.
* Mon Sep 04 2017
  - update to Firefox 55.0.3
    * Fix an issue with addons when using a path containing non-ascii
      characters (bmo#1389160)
    * Fix file uploads to some websites, including YouTube (bmo#1383518)
  - fix Google API key build integration
  - add mozilla-ucontext.patch to fix Tumbleweed build
  - do not enable XINPUT2 for now (boo#1053959)
* Fri Aug 11 2017
  - update to Firefox 55.0.1
    * Fix a regression the tab restoration process (bmo#1388160)
    * Fix a problem causing What's new pages not to be displayed (bmo#1386224)
    * Fix a rendering issue with some PKCS#11 libraries (bmo#1388370)
    * Disable the predictor prefetch (bmo#1388160)
* Sat Aug 05 2017
  - update to Firefox 55.0 (boo#1052829)
    * Browsing sessions with a high number of tabs are now restored
      in an instant
    * Sidebar (bookmarks, history, synced tabs) can now be moved to
      the right edge of the window
    * Fine-tune your browser performance from the Preferences/Options page.
    * Make screenshots of webpages, and save them locally or upload
      them to the cloud. This feature will undergo A/B testing and
      will not be visible for some users.
    * Added Belarusian (be) locale
    * Simplify print jobs from within print preview
    * Use virtual reality devices with the web with the introduction
      of WebVR
    * Search suggestions are now enabled by default for users who
      haven't explicitly opted-out
    * Search with any installed search engine directly from the
      location bar
    * IMPORTANT: Breaking profile changes - do not downgrade Firefox
      and use a profile that has been opened with Firefox 55+.
    * The Adobe Flash plugin is now click-to-activate by default and
      only allowed on http:// and https:// URL schemes. This change
      will be rolled out progressively and so will not be visible to
      all users immediately. For more information see the Firefox
      plugin roadmap
    * Modernized application update UI to be less intrusive and more
      aligned with the rest of the browser. Only users who have not
      restarted their browser 8 days after downloading an update or
      users who opted out of automatic updates will see this change.
    * Insecure sites can no longer access the Geolocation APIs to get
      access to your physical location
    * requires NSPR 4.15 and NSS 3.31
    MFSA 2017-18
    * CVE-2017-7798 (bmo#1371586, bmo#1372112)
      XUL injection in the style editor in devtools
    * CVE-2017-7800 (bmo#1374047)
      Use-after-free in WebSockets during disconnection
    * CVE-2017-7801 (bmo#1371259)
      Use-after-free with marquee during window resizing
    * CVE-2017-7809 (bmo#1380284)
      Use-after-free while deleting attached editor DOM node
    * CVE-2017-7784 (bmo#1376087)
      Use-after-free with image observers
    * CVE-2017-7802 (bmo#1378147)
      Use-after-free resizing image elements
    * CVE-2017-7785 (bmo#1356985)
      Buffer overflow manipulating ARIA attributes in DOM
    * CVE-2017-7786 (bmo#1365189)
      Buffer overflow while painting non-displayable SVG
    * CVE-2017-7806 (bmo#1378113)
      Use-after-free in layer manager with SVG
    * CVE-2017-7753 (bmo#1353312)
      Out-of-bounds read with cached style data and pseudo-elements#
    * CVE-2017-7787 (bmo#1322896)
      Same-origin policy bypass with iframes through page reloads
    * CVE-2017-7807 (bmo#1376459)
      Domain hijacking through AppCache fallback
    * CVE-2017-7792 (bmo#1368652)
      Buffer overflow viewing certificates with an extremely long OID
    * CVE-2017-7804 (bmo#1372849)
      Memory protection bypass through WindowsDllDetourPatcher
    * CVE-2017-7791 (bmo#1365875)
      Spoofing following page navigation with data: protocol and modal alerts
    * CVE-2017-7808 (bmo#1367531)
      CSP information leak with frame-ancestors containing paths
    * CVE-2017-7782 (bmo#1344034)
      WindowsDllDetourPatcher allocates memory without DEP protections
    * CVE-2017-7781 (bmo#1352039)
      Elliptic curve point addition error when using mixed Jacobian-affine coordinates
    * CVE-2017-7794 (bmo#1374281)
      Linux file truncation via sandbox broker
    * CVE-2017-7803 (bmo#1377426)
      CSP containing 'sandbox' improperly applied
    * CVE-2017-7799 (bmo#1372509)
      Self-XSS XUL injection in about:webrtc
    * CVE-2017-7783 (bmo#1360842)
      DOS attack through long username in URL
    * CVE-2017-7788 (bmo#1073952)
      Sandboxed about:srcdoc iframes do not inherit CSP directives
    * CVE-2017-7789 (bmo#1074642)
      Failure to enable HSTS when two STS headers are sent for a connection
    * CVE-2017-7790 (bmo#1350460) (Windows-only)
      Windows crash reporter reads extra memory for some non-null-terminated registry values
    * CVE-2017-7796 (bmo#1234401) (Windows-only)
      Windows updater can delete any file named update.log
    * CVE-2017-7797 (bmo#1334776)
      Response header name interning leaks across origins
    * CVE-2017-7780
      Memory safety bugs fixed in Firefox 55
    * CVE-2017-7779
      Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
  - updated mozilla-kde.patch:
    * removed "downloadfinished" alert as Firefox reimplemented the
      whole thing (TODO: check if there is another function we should
      hook in)
* Tue Jul 04 2017
  - update to Firefox 54.0.1
    * Fix a display issue of tab title (bmo#1357656)
    * Fix a display issue of opening new tab (bmo#1371995)
    * Fix a display issue when opening multiple tabs (bmo#1371962)
    * Fix a tab display issue when downloading files (bmo#1373109)
    * Fix a PDF printing issue (bmo#1366744)
    * Fix a Netflix issue on Linux (bmo#1375708)
* Thu Jun 15 2017
  - update to Firefox 54.0
    * Clearer and more detailed information for download items in the
      download panel
    * Added Burmese (my) locale
    * Bookmarks created on mobile devices are now shown in
      "Mobile Bookmarks” folder in the drop down list from the toolbar
      and Bookmarks option in the menu bar in Desktop Firefox
    * added support for multiple content processes (e10s-multi)
  - requires NSPR 4.14 and NSS 3.30.2
  - requires rust 1.15.1
  - removed mozilla-shared-nss-db.patch as it seems to be a rather
    unused feature
* Thu Jun 01 2017
  - remove -fno-inline-small-functions and explicitely optimize with
    - O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
* Wed Apr 26 2017
  - switch to Mozilla's geolocation service (boo#1026989)
  - removed mozilla-preferences.patch obsoleted by overriding via
  - fixed KDE integration to avoid crash caused by filepicker
* Mon Apr 17 2017
  - update to Firefox 53.0
    * requires NSS 3.29.5
    * Lightweight themes are now applied in private browsing windows
    * Reader Mode now displays estimated reading time for the page
    * Two new 'compact' themes available in Firefox, dark and light,
      based on the Firefox Developer Edition theme
    * Ended Firefox Linux support for processors older than Pentium 4
      and AMD Opteron
    * Refresh of the media controls user interface
    * Shortened titles on tabs are faded out instead of using ellipsis
      for improved readability
    * Media playback on new tabs is blocked until the tab is visible
    * Permission notifications have a cleaner design and cannot be
      easily missed
    MFSA 2017-10
    * CVE-2017-5456 (bmo#1344415)
      Sandbox escape allowing local file system access
    * CVE-2017-5442 (bmo#1347979)
      Use-after-free during style changes
    * CVE-2017-5443 (bmo#1342661)
      Out-of-bounds write during BinHex decoding
    * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
      bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
      Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
      Firefox ESR 52.1
    * CVE-2017-5464 (bmo#1347075)
      Memory corruption with accessibility and DOM manipulation
    * CVE-2017-5465 (bmo#1347617)
      Out-of-bounds read in ConvolvePixel
    * CVE-2017-5466 (bmo#1353975)
      Origin confusion when reloading isolated data:text/html URL
    * CVE-2017-5467 (bmo#1347262)
      Memory corruption when drawing Skia content
    * CVE-2017-5460 (bmo#1343642)
      Use-after-free in frame selection
    * CVE-2017-5461 (bmo#1344380)
      Out-of-bounds write in Base64 encoding in NSS
    * CVE-2017-5448 (bmo#1346648)
      Out-of-bounds write in ClearKeyDecryptor
    * CVE-2017-5449 (bmo#1340127)
      Crash during bidirectional unicode manipulation with animation
    * CVE-2017-5446 (bmo#1343505)
      Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
    * CVE-2017-5447 (bmo#1343552)
      Out-of-bounds read during glyph processing
    * CVE-2017-5444 (bmo#1344461)
      Buffer overflow while parsing application/http-index-format content
    * CVE-2017-5445 (bmo#1344467)
      Uninitialized values used while parsing application/http-index-format
    * CVE-2017-5468 (bmo#1329521)
      Incorrect ownership model for Private Browsing information
    * CVE-2017-5469 (bmo#1292534)
      Potential Buffer overflow in flex-generated code
    * CVE-2017-5440 (bmo#1336832)
      Use-after-free in txExecutionState destructor during XSLT processing
    * CVE-2017-5441 (bmo#1343795)
      Use-after-free with selection during scroll events
    * CVE-2017-5439 (bmo#1336830)
      Use-after-free in nsTArray Length() during XSLT processing
    * CVE-2017-5438 (bmo#1336828)
      Use-after-free in nsAutoPtr during XSLT processing
    * CVE-2017-5437 (bmo#1343453)
      Vulnerabilities in Libevent library
    * CVE-2017-5436 (bmo#1345461)
      Out-of-bounds write with malicious font in Graphite 2
    * CVE-2017-5435 (bmo#1350683)
      Use-after-free during transaction processing in the editor
    * CVE-2017-5434 (bmo#1349946)
      Use-after-free during focus handling
    * CVE-2017-5433 (bmo#1347168)
      Use-after-free in SMIL animation functions
    * CVE-2017-5432 (bmo#1346654)
      Use-after-free in text input selection
    * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
      bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686,
      bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621,
      bmo#1349719, bmo#1353476)
      Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
    * CVE-2017-5459 (bmo#1333858)
      Buffer overflow in WebGL
    * CVE-2017-5458 (bmo#1229426)
      Drag and drop of javascript: URLs can allow for self-XSS
    * CVE-2017-5455 (bmo#1341191)
      Sandbox escape through internal feed reader APIs
    * CVE-2017-5454 (bmo#1349276)
      Sandbox escape allowing file system read access through file picker
    * CVE-2017-5451 (bmo#1273537)
      Addressbar spoofing with onblur event
    * CVE-2017-5453 (bmo#1321247)
      HTML injection into RSS Reader feed preview page through
      TITLE element
    * CVE-2017-5462 (bmo#1345089)
      DRBG flaw in NSS
  - removed browser(npapi) provides as these plugins are deprecated
  - switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for
    Leap 42
  - Gtk2 is not longer an option; switched to Gtk3
  - apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support
* Mon Apr 03 2017
  - update to Firefox 52.0.2
    * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
    * Fix loading tab icons on session restore (bmo#1338009)
    * Fix a crash on startup on Linux (bmo#1345413)
    * Fix new installs erroneously not prompting to change the default
      browser setting (bmo#1343938)
* Mon Mar 20 2017
  - disable rust usage for everything but x86(-64)
  - explicitely add libffi build requirement
* Fri Mar 17 2017
  - update to Firefox 52.0.1 (boo#1029822)
    MFSA 2017-08
    CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
* Thu Mar 09 2017
  - reenable ALSA support which was removed by default upstream
* Sat Mar 04 2017
  - update to Firefox 52.0 (boo#1028391)
    * requires NSS >= 3.28.3
    * Pages containing insecure password fields now display a warning
      directly within username and password fields.
    * Send and open a tab from one device to another with Sync
    * Removed NPAPI support for plugins other than Flash. Silverlight,
      Java, Acrobat and the like are no longer supported.
    * Removed Battery Status API to reduce fingerprinting of users by
    * MFSA 2017-05
      CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
      CVE-2017-5401: Memory Corruption when handling ErrorResult
      CVE-2017-5402: Use-after-free working with events in FontFace
      objects (bmo#1334876)
      CVE-2017-5403: Use-after-free using addRange to add range to an
      incorrect root object (bmo#1340186)
      CVE-2017-5404: Use-after-free working with ranges in selections
      CVE-2017-5406: Segmentation fault in Skia with canvas operations
      CVE-2017-5407: Pixel and history stealing via floating-point
      timing side channel with SVG filters (bmo#1336622)
      CVE-2017-5410: Memory corruption during JavaScript garbage
      collection incremental sweeping (bmo#1330687)
      CVE-2017-5408: Cross-origin reading of video captions in violation
      of CORS (bmo#1313711)
      CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
      CVE-2017-5413: Segmentation fault during bidirectional operations
      CVE-2017-5414: File picker can choose incorrect default directory
      CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
      CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
      CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
      CVE-2017-5426: Gecko Media Plugin sandbox is not started if
      seccomp-bpf filter is running (bmo#1257361)
      CVE-2017-5427: Non-existent chrome.manifest file loaded during
      startup (bmo#1295542)
      CVE-2017-5418: Out of bounds read when parsing HTTP digest
      authorization responses (bmo#1338876)
      CVE-2017-5419: Repeated authentication prompts lead to DOS
      attack (bmo#1312243)
      CVE-2017-5420: Javascript: URLs can obfuscate addressbar
      location (bmo#1284395)
      CVE-2017-5405: FTP response codes can cause use of
      uninitialized values for ports (bmo#1336699)
      CVE-2017-5421: Print preview spoofing (bmo#1301876)
      CVE-2017-5422: DOS attack by using view-source: protocol
      repeatedly in one hyperlink (bmo#1295002)
      CVE-2017-5399: Memory safety bugs fixed in Firefox 52
      CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
      Firefox ESR 45.8
  - removed obsolete patches
    * mozilla-binutils-visibility.patch
    * mozilla-check_return.patch
    * mozilla-disable-skia-be.patch
    * mozilla-skia-overflow.patch
    * mozilla-skia-ppc-endianess.patch
  - rebased patches
  - enable rust usage for Tumbleweed
* Fri Jan 27 2017
  - Mozilla Firefox 51.0.1:
    - Multiprocess incompatibility did not correctly register with
      some add-ons (bmo#1333423)
* Fri Jan 20 2017
  - update to Firefox 51.0
    * requires NSPR >= 4.13.1, NSS >= 3.28.1
    * Added support for FLAC (Free Lossless Audio Codec) playback
    * Added support for WebGL 2
    * Added Georgian (ka) and Kabyle (kab) locales
    * Support saving passwords for forms without 'submit' events
    * Improved video performance for users without GPU acceleration
    * Zoom indicator is shown in the URL bar if the zoom level is not
      at default level
    * View passwords from the prompt before saving them
    * Remove Belarusian (be) locale
    * Use Skia for content rendering (Linux)
    * MFSA 2017-01
      CVE-2017-5375: Excessive JIT code allocation allows bypass of
      ASLR and DEP (bmo#1325200, boo#1021814)
      CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
      CVE-2017-5377: Memory corruption with transforms to create
      gradients in Skia (bmo#1306883, boo#1021826)
      CVE-2017-5378: Pointer and frame data leakage of Javascript objects
      (bmo#1312001, bmo#1330769, boo#1021818)
      CVE-2017-5379: Use-after-free in Web Animations
      CVE-2017-5380: Potential use-after-free during DOM manipulations
      (bmo#1322107, boo#1021819)
      CVE-2017-5390: Insecure communication methods in Developer Tools
      JSON viewer (bmo#1297361, boo#1021820)
      CVE-2017-5389: WebExtensions can install additional add-ons via
      modified host requests (bmo#1308688, boo#1021828)
      CVE-2017-5396: Use-after-free with Media Decoder
      (bmo#1329403, boo#1021821)
      CVE-2017-5381: Certificate Viewer exporting can be used to navigate
      and save to arbitrary filesystem locations
    (bmo#1017616, boo#1021830)
      CVE-2017-5382: Feed preview can expose privileged content errors
      and exceptions (bmo#1295322, boo#1021831)
      CVE-2017-5383: Location bar spoofing with unicode characters
      (bmo#1323338, bmo#1324716, boo#1021822)
      CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
      (bmo#1255474, boo#1021832)
      CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
      response headers (bmo#1295945, boo#1021833)
      CVE-2017-5386: WebExtensions can use data: protocol to affect other
      extensions (bmo#1319070, boo#1021823)
      CVE-2017-5394: Android location bar spoofing using fullscreen and
      JavaScript events (bmo#1222798)
      CVE-2017-5391: Content about: pages can load privileged about: pages
      (bmo#1309310, boo#1021835)
      CVE-2017-5392: Weak references using multiple threads on weak proxy
      objects lead to unsafe memory usage (bmo#1293709)
    (Android only)
      CVE-2017-5393: Remove CDN from whitelist for
      mozAddonManager (bmo#1309282, boo#1021837)
      CVE-2017-5395: Android location bar spoofing during scrolling
      (bmo#1293463) (Android only)
      CVE-2017-5387: Disclosure of local file existence through TRACK
      tag error messages (bmo#1295023, boo#1021839)
      CVE-2017-5388: WebRTC can be used to generate a large amount of
      UDP traffic for DDOS attacks
    (bmo#1281482, boo#1021840)
      CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841)
      CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and
      Firefox ESR 45.7 (boo#1021824)
  - switch Firefox to Gtk3 for Tumbleweed
  - removed obsolete patches
    * mozilla-flex_buffer_overrun.patch
  - updated RPM locale support tag
  - improve recognition of LANGUAGE env variable (boo#1017174)
  - add upstream patch to fix PPC64LE (bmo#1319389)
  - fix build without skia (big endian archs) (bmo#1319374)
* Mon Dec 12 2016
  - update to Firefox 50.1.0 (boo#1015422)
    * MFSA 2016-94
      CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
      CVE-2016-9899: Use-after-free while manipulating DOM events and
      audio elements (bmo#1317409)
      CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
      CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
      CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
      CVE-2016-9898: Use-after-free in Editor while manipulating
      DOM subtrees (bmo#1314442)
      CVE-2016-9900: Restricted external resources can be loaded by
      SVG images through data URLs (bmo#1319122)
      CVE-2016-9904: Cross-origin information leak in shared atoms
      CVE-2016-9901: Data from Pocket server improperly sanitized
      before execution (bmo#1320057)
      CVE-2016-9902: Pocket extension does not validate the origin
      of events (bmo#1320039)
      CVE-2016-9903: XSS injection vulnerability in add-ons SDK
      CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
      CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
      Firefox ESR 45.6
* Fri Dec 09 2016
  - added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
* Thu Dec 01 2016
  - update to Firefox 50.0.2
    * Firefox crashes with 3rd party Chinese IME when using IME text
    security fixes (in 50.0.1): (boo#1012807)
    * MFSA 2016-91
      CVE-2016-9078: data: URL can inherit wrong origin after an
      HTTP redirect (bmo#1317641)
    security fixes (in 50.0.2) (boo#1012964)
    * MFSA 2016-92
      CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
* Mon Nov 14 2016
  - update to Firefox 50.0 (boo#1009026)
    * requires NSS 3.26.2
    new features
    * Updates to keyboard shortcuts
      Set a preference to have Ctrl+Tab cycle through tabs in recently
      used order
      View a page in Reader Mode by using Ctrl+Alt+R
    * Added option to Find in page that allows users to limit search to
      whole words only
    * Added download protection for a large number of executable file
      types on Windows, Mac and Linux
    * Fixed rendering of dashed and dotted borders with rounded corners
    * Added a built-in Emoji set for operating systems without native
      Emoji fonts (Windows 8.0 and lower and Linux)
    * Blocked versions of libavcodec older than 54.35.1
    * additional locale
    security fixes:
    * MFSA 2016-89
      CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
      CVE-2016-5292: URL parsing causes crash (bmo#1288482)
      CVE-2016-5293: Write to arbitrary file with updater and moz
      maintenance service using updater.log hardlink
    (Windows only) (bmo#1246945)
      CVE-2016-5294: Arbitrary target directory for result files of
      update process (Windows only) (bmo#1246972)
      CVE-2016-5297: Incorrect argument length checking in Javascript
      CVE-2016-9064: Addons update must verify IDs match between
      current and new versions (bmo#1303418)
      CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen
      (Android only) (bmo#1306696)
      CVE-2016-9066: Integer overflow leading to a buffer overflow in
      nsScriptLoadHandler (bmo#1299686)
      CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
      (bmo#1301777, bmo#1308922 (CVE-2016-9069))
      CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
      CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
      (bmo#1300083) (Windows only)
      CVE-2016-9075: WebExtensions can access the mozAddonManager API
      and use it to gain elevated privileges (bmo#1295324)
      CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
      to cross-origin images, allowing timing attacks on them
      CVE-2016-5291: Same-origin policy violation using local HTML file
      and saved shortcut file (bmo#1292159)
      CVE-2016-5295: Mozilla Maintenance Service: Ability to read
      arbitrary files as SYSTEM (Windows only) (bmo#1247239)
      CVE-2016-5298: SSL indicator can mislead the user about the real
      URL visited (bmo#1227538) (Android only)
      CVE-2016-5299: Firefox AuthToken in broadcast protected with
      signature-level permission can be accessed by an
    application installed beforehand that defines the
    same permissions (bmo#1245791) (Android only)
      CVE-2016-9061: API Key (glocation) in broadcast protected with
      signature-level permission can be accessed by an
    application installed beforehand that defines the
    same permissions (Android only) (bmo#1245795)
      CVE-2016-9062: Private browsing browser traces (android) in
      browser.db and wal file (Android only) (bmo#1294438)
      CVE-2016-9070: Sidebar bookmark can have reference to chrome window
      CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
      CVE-2016-9074: Insufficient timing side-channel resistance in
      divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
      CVE-2016-9076: select dropdown menu can be used for URL bar
      spoofing on e10s (bmo#1276976)
      CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
      in expat (bmo#1274777)
      CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
      CVE-2016-5289: Memory safety bugs fixed in Firefox 50
      CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
  - make aarch64 build more similar to x86_64 build (remove conditionals
    that don't seem to be necessary anymore)
* Mon Oct 24 2016
  - Mozilla Firefox 49.0.2:
    * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
    * CVE-2016-5288: Web content can read cache entries (bsc#1006476)
    * Asynchronous rendering of the Flash plugins is now enabled by
    * Change D3D9 default fallback preference to prevent graphical
    * Network issue prevents some users from seeing the Firefox UI on
    * Web compatibility issue with file uploads
    * Web compatibility issue with Array.prototype.values
    * Diagnostic information on timing for tab switching
    * Fix a Canvas filters graphics issue affecting HTML5 apps
* Wed Oct 12 2016
  - Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
    and fixes have been incorporated by upstream.
* Fri Sep 23 2016
  - Mozilla Firefox 49.0.1:
    * Mitigate a startup crash issue caused by Websense - bmo#1304783
* Tue Sep 20 2016
  - update to Firefox 49.0 (boo#999701)
    new features
    * Updated Firefox Login Manager to allow HTTPS pages to use saved
      HTTP logins.
    * Added features to Reader Mode that make it easier on the eyes and
      the ears
    * Improved video performance for users on systems that support
      SSE3 without hardware acceleration
    * Added context menu controls to HTML5 audio and video that let users
      loops files or play files at 1.25x speed
    * Improvements in about:memory reports for tracking font memory usage
    security related
    * MFSA 2016-85
      CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
      CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
      CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
      CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
      CVE-2016-5273 (bmo#1280387) - crash in
      CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
      CVE-2016-5274 (bmo#1282076) - use-after-free in
      CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
      CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
      CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
      CVE-2016-5279 (bmo#1249522) - Full local path of files is available
      to web pages after drag and drop
      CVE-2016-5280 (bmo#1289970) - Use-after-free in
      CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
      CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
      from non-whitelisted schemes
      CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can
      reveal cross-origin data
      CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
      CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
      CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
  - removed obsolete patches:
    * mozilla-aarch64-48bit-va.patch
    * mozilla-exclude-nametablecpp.patch
    * mozilla-old_configure-bmo1282843.patch
  - added patch mozilla-skia-overflow.patch (bmo#1304114)
  - requires NSS 3.25
* Tue Aug 30 2016
  - Mozilla Firefox 48.0.2:
    * Mitigate a startup crash issue caused on Windows (bmo#1291738)
* Sat Aug 20 2016
  - Mozilla Firefox 48.0.1:
    * Fix an audio regression impacting some major websites
    * Fix a top crash in the JavaScript engine (bmo#1290469)
    * Fix a startup crash issue caused by Websense (bmo#1291738)
    * Fix a different behavior with e10s / non-e10s on <select> and
      mouse events (bmo#1291078)
    * Fix a top crash caused by plugin issues (bmo#1264530)
    * Fix a shutdown issue (bmo#1276920)
    * Fix a crash in WebRTC
* Mon Aug 15 2016
  - added upstream patch so system plugins/extensions are correctly
    loaded again on x86-64 (bmo#1282843)
* Fri Aug 05 2016
  - Fix for possible buffer overrun (bsc#990856)
    CVE-2016-6354 (bmo#1292534)
* Wed Aug 03 2016
  - Update mozilla-gtk3_20.patch to latest version from Fedora.
* Mon Aug 01 2016
  - update to Firefox 48.0 (boo#991809)
    * requires NSS 3.24
    * Process separation (e10s) is enabled for some of you
    * Add-ons that have not been verified and signed by Mozilla will not load
    * WebRTC embetterments
    * The media parser has been redeveloped using the Rust programming
    * better Canvas performance with speedy Skia support
    security fixes:
    * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
      Miscellaneous memory safety hazards
    * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
      Favicon network connection can persist when page is closed
    * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
      Buffer overflow rendering SVG with bidirectional content
    * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
      Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
    * MFSA 2016-66/CVE-2016-5251 (bmo#1255570)
      Location bar spoofing via data URLs with malformed/invalid mediatypes
    * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
      Stack underflow during 2D graphics rendering
    * MFSA 2016-68/CVE-2016-0718 (bmo#1236923)
      Out-of-bounds read during XML parsing in Expat library
    * MFSA 2016-69/CVE-2016-5253 (bmo#1246944)
      Arbitrary file manipulation by local user through Mozilla updater
      and callback application path parameter (Windows-only)
    * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
      Use-after-free when using alt key and toplevel menus
    * MFSA 2016-71/CVE-2016-5255 (bmo#1212356)
      Crash in incremental garbage collection in JavaScript
    * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
      Use-after-free in DTLS during WebRTC session shutdown
    * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
      Use-after-free in service workers with nested sync events
    * MFSA 2016-74/CVE-2016-5260 (bmo#1280294)
      Form input type change from password to text can store plain
      text password in session restore file
    * MFSA 2016-75/CVE-2016-5261 (bmo#1287266)
      Integer overflow in WebSockets during data buffering
    * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
      Scripts on marquee tag can execute in sandboxed iframes
    * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
      Buffer overflow in ClearKey Content Decryption Module (CDM)
      during video playback
    * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
      Type confusion in display transformation
    * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
      Use-after-free when applying SVG effects
    * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
      Same-origin policy violation using local HTML file and saved shortcut file
    * MFSA 2016-81/CVE-2016-5266 (bmo#1226977)
      Information disclosure and local file manipulation through drag and drop
    * MFSA 2016-82/CVE-2016-5267 (bmo#1284372)
      Addressbar spoofing with right-to-left characters on Firefox for Android
      (Android only)
    * MFSA 2016-83/CVE-2016-5268 (bmo#1253673)
      Spoofing attack through text injection into internal error pages
    * MFSA 2016-84/CVE-2016-5250 (bmo#1254688)
      Information disclosure through Resource Timing API during page navigation
  - removed obsolete mozilla-gcc6.patch
* Fri Jul 29 2016
  - Update description and screenshots in appdata.xml file.
* Sat Jul 23 2016
  - Fix Firefox crash on startup on i586 (boo#986541):
    * Add -fno-delete-null-pointer-checks and
    - fno-inline-small-functions to CFLAGS
* Tue Jul 19 2016
  - Update the appdata.xml file (replace Windows XP screenshot)
* Wed Jun 29 2016
  - Mozilla Firefox 47.0.1:
    * Selenium WebDriver may cause Firefox to crash at startup
* Wed Jun 15 2016
  - mozilla-binutils-visibility.patch to fix build issues with
    gcc/binutils combination used in Leap 42.2 (boo#984637)
* Tue Jun 14 2016
  - Update mozilla-gtk3_20.patch to latest version from Fedora.
* Mon Jun 13 2016
  - Fix running on 48bit va aarch64 (bsc#984126)
    * add patch mozilla-aarch64-48bit-va.patch
* Mon Jun 13 2016
  - fix XUL dialog button order under KDE session (boo#984403)
* Tue Jun 07 2016
  - update to Firefox 47.0 (boo#983549)
    * Enable VP9 video codec for users with fast machines
    * Embedded YouTube videos now play with HTML5 video if Flash is
      not installed
    * View and search open tabs from your smartphone or another
      computer in a sidebar
    * Allow no-cache on back/forward navigations for https resources
    security fixes:
    * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818
      (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743,
      bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493,
      bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752,
      bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130,
      bmo#1269729, bmo#1273202, bmo#1273701)
      Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
    * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381)
      Buffer overflow parsing HTML5 fragments
    * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460)
      Use-after-free deleting tables from a contenteditable document
    * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129)
      Addressbar spoofing though the SELECT element
    * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580)
      Out-of-bounds write with WebGL shader
    * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093)
      Partial same-origin-policy through setting
      through data URI
    * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810)
      Use-after-free when textures are used in WebGL operations
      after recycle pool destruction
    * MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329)
      Incorrect icon displayed on permissions notifications
    * MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933)
      Entering fullscreen and persistent pointerlock without user
    * MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267)
      Information disclosure of disabled plugins through CSS
    * MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933)
      Java applets bypass CSP protections
    * MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283,
      bmo#1221620, bmo#1241034, bmo#1241037)
      Network Security Services (NSS) vulnerabilities
      fixed by requiring NSS 3.23
    packaging changes:
    * cleanup configure options (boo#981695):
    - notably remove GStreamer support which is gone from FF
    * remove obsolete patches
    - mozilla-libproxy.patch
    - mozilla-repo.patch
* Wed May 25 2016
  - The conditional testing for gcc was failing for different
    openSUSE versions, drop it and apply patches unconditionally.
* Mon May 23 2016
  - Add patches to fix building with gcc6:
    + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch
      taken from upstream:
    + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp
      from unified compilation because #include <cmath> in other
      source files causes gcc6 compilation failure; patch taken from
* Thu May 12 2016
  - enable build with PIE and full relro on x86_64 (boo#980384)
* Wed May 04 2016
  - update to Firefox 46.0.1
    * Search plugin issue for various locales
    * Add-on signing certificate expiration
    * Service worker update issue
    * Build issue when jit is disabled
    * Limit Sync registration updates
  - removed now obsolete mozilla-jit_branch64.patch
* Tue May 03 2016
  - add mozilla-jit_branch64.patch to avoid PowerPC build failure
    (from bmo#1266366)
* Wed Apr 27 2016
  - Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest
    version from Fedora).
* Wed Apr 27 2016
  - update to Firefox 46.0 (boo#977333)
    * Improved security of the JavaScript Just In Time (JIT) Compiler
    * WebRTC fixes to improve performance and stability
    * Added support for document.elementsFromPoint
    * Added HKDF support for Web Crypto API
    * requires NSPR 4.12 and NSS 3.22.3
    * added patch to fix unchecked return value
    * Gtk3 builds not supported at the moment
    security fixes:
    * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807
      (boo#977373, boo#977375, boo#977376)
      Miscellaneous memory safety hazards
    * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377)
      Privilege escalation through file deletion by Maintenance Service updater
      (Windows only)
    * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378)
      Content provider permission bypass allows malicious application
      to access data (Android only)
    * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812
      (bmo#1252330, bmo#1261776, boo#977379)
      Use-after-free and buffer overflow in Service Workers
    * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380)
      Disclosure of user actions through JavaScript with motion and
      orientation sensors (only affects mobile variants)
    * MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381)
      Buffer overflow in libstagefright with CENC offsets
    * MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382)
      CSP not applied to pages sent with multipart/x-mixed-replace
    * MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384)
      Elevation of privilege with chrome.tabs.update API in web extensions
    * MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386)
      Write to invalid HashMap entry through
    * MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388)
      Firefox Health Reports could accept events from untrusted domains
* Thu Apr 21 2016
  - Update mozilla-gtk3_20.patch to fix scrollbar appearance under
    gtk >= 3.20 (patch synced to Fedora's version).
* Tue Apr 12 2016
  - Compile against gtk3 depending on whether the macro
    %firefox_use_gtk3 is defined or not (e.g., at the prjconf
    level); macro is undefined by default and so gtk2 is used as the
    default toolkit.
  - Add BuildRequires for additional packages needed when building
    against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0),
    pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).
  - Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20;
    patch taken from Fedora (bmo#1230955).
* Mon Apr 11 2016
  - Mozilla Firefox 45.0.2:
    * Fix an issue impacting the cookie header when third-party
      cookies are blocked (bmo#1257861)
    * Fix a web compatibility regression impacting the srcset
      attribute of the image tag (bmo#1259482)
    * Fix a crash impacting the video playback with Media Source
      Extension (bmo#1258562)
    * Fix a regression impacting some specific uploads (bmo#1255735)
    * Fix a regression with the copy and paste with some old versions
      of some Gecko applications like Thunderbird (bmo#1254980)
* Fri Mar 18 2016
  - Mozilla Firefox 45.0.1:
    * Fix a regression causing search engine settings to be lost in
      some context (bmo#1254694)
    * Bring back non-standard jar: URIs to fix a regression in IBM
      iNotes (bmo#1255139)
    * XSLTProcessor.importStylesheet was failing when <import> was
      used (bmo#1249572)
    * Fix an issue which could cause the list of search provider to
      be empty (bmo#1255605)
    * Fix a regression when using the location bar (bmo#1254503)
    * Fix some loading issues when Accept third-party cookies: was
      set to Never (bmo#1254856)
    * Disabled Graphite font shaping library
* Sun Mar 06 2016
  - update to Firefox 45.0 (boo#969894)
    * requires NSPR 4.12 / NSS 3.21.1
    * Instant browser tab sharing through Hello
    * Synced Tabs button in button bar
    * Tabs synced via Firefox Accounts from other devices are now shown
      in dropdown area of Awesome Bar when searching
    * Introduce a new preference (network.dns.blockDotOnion) to allow
      blocking .onion at the DNS level
    * Tab Groups (Panorama) feature removed
    * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
      Miscellaneous memory safety hazards
    * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
      Local file overwriting and potential privilege escalation through
      CSP reports
    * MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
      CSP reports fail to strip location information for embedded iframe pages
    * MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
      Linux video memory DOS with Intel drivers
    * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
      Memory leak in libstagefright when deleting an array during MP4
    * MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
      Displayed page address can be overridden
    * MFSA 2016-22/CVE-2016-1959 (bmo#1234949)
      Service Worker Manager out-of-bounds read in Service Worker Manager
    * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
      Use-after-free in HTML5 string parser
    * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
      Use-after-free in SetBody
    * MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
      Use-after-free when using multiple WebRTC data channels
    * MFSA 2016-26/CVE-2016-1963 (bmo#1238440)
      Memory corruption when modifying a file being read by FileReader
    * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
      Use-after-free during XML transformations
    * MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
      Addressbar spoofing though history navigation and Location protocol
    * MFSA 2016-29/CVE-2016-1967 (bmo#1246956)
      Same-origin policy violation using perfomance.getEntries and
      history navigation with session restore
    * MFSA 2016-30/CVE-2016-1968 (bmo#1246742)
      Buffer overflow in Brotli decompression
    * MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
      Memory corruption with malicious NPAPI plugin
    * MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/
      WebRTC and LibVPX vulnerabilities found through code inspection
    * MFSA 2016-33/CVE-2016-1973 (bmo#1219339)
      Use-after-free in GetStaticInstance in WebRTC
    * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
      Out-of-bounds read in HTML parser following a failed allocation
    * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
      Buffer overflow during ASN.1 decoding in NSS
      (fixed by requiring 3.21.1)
    * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
      Use-after-free during processing of DER encoded keys in NSS
      (fixed by requiring 3.21.1)
    * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
      Font vulnerabilities in the Graphite 2 library
* Sat Mar 05 2016
  - Remove B_CNT from filename to reduce build-compare noise
* Fri Feb 26 2016
  - fix build problems on i586, caused by too large unified compile
    units - adding mozilla-reduce-files-per-UnifiedBindings.patch
* Thu Feb 11 2016
  - update to Firefox 44.0.2
    * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438)
      Same-origin-policy violation using Service Workers with plugins
    * Fix issue which could lead to the removal of stored passwords
      under certain circumstances (bmo#1242176)
    * Allows spaces in cookie names (bmo#1244505)
    * Disable opus/vorbis audio with H.264 (bmo#1245696)
    * Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
    * Fix a crash in cache networking (bmo#1244076)
    * Fix using WebSockets in service worker controlled pages (bmo#1243942)
* Sat Jan 30 2016
  - build fixes for arm/aarch64:
    * disable webrtc for arm/aarch64
    * switch away from openGL-ES backend to default for arm/aarch64
    since it almost never builds
    * reenable neon
  - reenable webrtc for powerpc as it seems to build
* Sun Jan 24 2016
  - update to Firefox 44.0
    * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633
      Miscellaneous memory safety hazards
    * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634
      Out of Memory crash when parsing GIF format images
    * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635
      Buffer overflow in WebGL after out of memory allocation
    * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637
      Firefox allows for control characters to be set in cookie names
    * MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641
      Missing delay following user click events in protocol handler dialog
    * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731
      Errors in mp_div and mp_exptmod cryptographic functions in NSS
      (fixed by requiring NSS 3.21)
    * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590)
      Addressbar spoofing attacks boo#963643
    * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946
      (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644
      Unsafe memory manipulation found through code inspection
    * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645
      Application Reputation service disabled in Firefox 43
    * requires NSPR 4.11
    * requires NSS 3.21
  - prepare mozilla-kde.patch for Gtk3 builds
  - rebased patches
* Mon Jan 11 2016
  - Mozilla Firefox 43.0.4:
    * Re-enable SHA-1 certificates to prevent outdated
      man-in-the-middle security devices from interfering with
      properly secured SSL/TLS connections (bmo#1236975)
    * Fix for startup crash for users of a third party antivirus tool
  - The following change was previously in the package as a patch:
    * Multi-user GNU/Linux download folders can be created
    (bmo#1233434), removed mozilla-bmo1233434.patch
* Tue Dec 29 2015
  - update to Firefox 43.0.3
    * requires NSS 3.20.2 to fix
      MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
      MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
      server signature
    * various changes to support Windows update (SHA-1 vs. SHA-2)
    * workaround Youtube user agent detection issue (bmo#1233970)
  - fix file download regression for multi user systems
    (bmo#1233434) (mozilla-bmo1233434.patch)
  - explicitely requires libXcomposite-devel
* Sun Dec 13 2015
  - update to Firefox 43.0 (bnc#959277)
    * Improved API support for m4v video playback
    * Users can opt-in to receive search suggestions from the Awesome Bar
    * WebRTC streaming on multiple monitors
    * User selectable second block list for Private Browsing's Tracking
    security fixes:
    * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
      Miscellaneous memory safety hazards
    * MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
      Crash with JavaScript variable assignment with unboxed objects
    * MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
      Same-origin policy violation using perfomance.getEntries and
      history navigation
    * MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
      Firefox allows for control characters to be set in cookies
    * MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
      Use-after-free in WebRTC when datachannel is used after being
    * MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
      Integer overflow allocating extremely large textures
    * MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
      Cross-origin information leak through web workers error events
    * MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
      Hash in data URI is incorrectly parsed
    * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
      DOS due to malformed frames in HTTP/2
    * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
      Linux file chooser crashes on malformed images due to flaws in
      Jasper library
    * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221
      (bmo#1201183, bmo#1178033, bmo#1199400)
      Buffer overflows found through code inspection
    * MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
      Underflow through code inspection
    * MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
      Integer overflow in MP4 playback in 64-bit versions
    * MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
      Integer underflow and buffer overflow processing MP4 metadata in
    * MFSA 2015-148/CVE-2015-7223 (bmo#1226423)
      Privilege escalation vulnerabilities in WebExtension APIs
    * MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
      Cross-site reading attack through data and view-source URIs
  - rebased patches
* Sun Nov 15 2015
  - Add desktop menu action for private browsing window to desktop
    file (boo#954747)
  - remove obsolete patch mozilla-bmo1005535.patch completely from
    source package to avoid automatic check failures
* Sat Oct 31 2015
  - update to Firefox 42.0 (bnc#952810)
    * Private Browsing with Tracking Protection blocks certain Web
      elements that could be used to record your behavior across sites
    * Control Center that contains site security and privacy controls
    * Login Manager improvements
    * WebRTC improvements
    * Indicator added to tabs that play audio with one-click muting
    * Media Source Extension for HTML5 video available for all sites
    security fixes:
    * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
      Miscellaneous memory safety hazards
    * MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
      Information disclosure through NTLM authentication
    * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
      CSP bypass due to permissive Reader mode whitelist
    * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
      Firefox for Android addressbar can be removed after fullscreen mode
    * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
      Reading sensitive profile files through local HTML file on Android
    * MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
      disabling scripts in Add-on SDK panels has no effect
    * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
      Trailing whitespace in IP address hostnames can bypass same-origin policy
    * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
      Buffer overflow during image interactions in canvas
    * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
      Android intents can be used on Firefox for Android to open privileged files
    * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
      XSS attack through intents on Firefox for Android
    * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
      Crash when accessing HTML tables with accessibility tools on OS X
    * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
      CORS preflight is bypassed when non-standard Content-Type headers
      are received
    * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
      Memory corruption in libjar through zip files
    * MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
      Certain escaped characters in host of Location-header are being
      treated as non-escaped
    * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
      JavaScript garbage collection crash with Java applet
    * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
      (bmo#1188010, bmo#1204061, bmo#1204155)
      Vulnerabilities found through code inspection
    * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
      Mixed content WebSocket policy bypass through workers
    * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
      (bmo#1202868, bmo#1205157)
      NSS and NSPR memory corruption issues
      (fixed in mozilla-nspr and mozilla-nss packages)
  - requires NSPR >= 4.10.10 and NSS >= 3.19.4
  - removed obsolete patches
    * mozilla-arm-disable-edsp.patch
    * mozilla-icu-strncat.patch
    * mozilla-skia-be-le.patch
    * toolkit-download-folder.patch
  - fixed build with enable-libproxy (bmo#1220399)
    * mozilla-libproxy.patch
* Thu Oct 15 2015
  - update to Firefox 41.0.2 (bnc#950686)
    * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669)
      Cross-origin restriction bypass using Fetch
  - added explicit appdata provides (bnc#949983)
* Sun Oct 04 2015
  - do not build with --enable-stdcxx-compat
    (this starts to fail build on various toolchain combinations
    and is not required for openSUSE builds in general
* Thu Oct 01 2015
  - update to Firefox 41.0.1
    * Fix a startup crash related to Yandex toolbar and Adblock Plus
    * Fix potential hangs with Flash plugins (bmo#1185639)
    * Fix a regression in the bookmark creation (bmo#1206376)
    * Fix a startup crash with some Intel Media Accelerator 3150
      graphic cards (bmo#1207665)
    * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
* Sat Sep 19 2015
  - update to Firefox 41.0 (bnc#947003)
    * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
      Miscellaneous memory safety hazards
    * MFSA 2015-97/CVE-2015-4503 (bmo#994337)
      Memory leak in mozTCPSocket to servers
    * MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
      Out of bounds read in QCMS library with ICC V4 profile attributes
    * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)
      Site attribute spoofing on Android by pasting URL with unknown scheme
    * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
      Arbitrary file manipulation by local user through Mozilla updater
    * MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
      Buffer overflow in libvpx while parsing vp9 format video
    * MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
      Crash when using debugger with SavedStacks in JavaScript
    * MFSA 2015-103/CVE-2015-4508 (bmo#1195976)
      URL spoofing in reader mode
    * MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
      Use-after-free with shared workers and IndexedDB
    * MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
      Buffer overflow while decoding WebM video
    * MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
      Use-after-free while manipulating HTML media content
    * MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
      Out-of-bounds read during 2D canvas display on Linux 16-bit
      color depth systems
    * MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
      Scripted proxies can access inner window
    * MFSA 2015-109/CVE-2015-4516 (bmo#904886)
      JavaScript immutable property enforcement can be bypassed
    * MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
      Dragging and dropping images exposes final URL after redirects
    * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
      Errors in the handling of CORS preflight request headers
    * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
      Vulnerabilities found through code inspection
    * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
      bmo#1190526) (Windows only)
      Memory safety errors in libGLES in the ANGLE graphics library
    * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)
      Information disclosure via the High Resolution Time API
  - rebased patches
  - removed obsolete patches
    * mozilla-arm64-libjpeg-turbo.patch
* Thu Aug 27 2015
  - update to Firefox 40.0.3 (bnc#943550)
    * Disable the asynchronous plugin initialization (bmo#1198590)
    * Fix a segmentation fault in the GStreamer support (bmo#1145230)
    * Fix a regression with some Japanese fonts used in the <input>
      field (bmo#1194055)
    * On some sites, the selection in a select combox box using the
      mouse could be broken (bmo#1194733)
    security fixes
    * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
      Use-after-free when resizing canvas element during restyling
    * MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
      Add-on notification bypass through data URLs
* Fri Aug 07 2015
  - update to Firefox 40.0 (bnc#940806)
    * Added protection against unwanted software downloads
    * Suggested Tiles show sites of interest, based on categories
      from your recent browsing history
    * Hello allows adding a link to conversations to provide context
      on what the conversation will be about
    * New style for add-on manager based on the in-content
      preferences style
    * Improved scrolling, graphics, and video playback performance
      with off main thread compositing (GNU/Linux only)
    * Graphic blocklist mechanism improved: Firefox version ranges
      can be specified, limiting the number of devices blocked
    security fixes:
    * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
      Miscellaneous memory safety hazards
    * MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
      Out-of-bounds read with malformed MP3 file
    * MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
      Use-after-free in MediaStream playback
    * MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
      Redefinition of non-configurable JavaScript object properties
    * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
      Overflow issues in libstagefright
    * MFSA 2015-84/CVE-2015-4481 (bmo1171518)
      Arbitrary file overwriting through Mozilla Maintenance Service
      with hard links (only affected Windows)
    * MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
      Out-of-bounds write with Updater and malicious MAR file
      (does not affect openSUSE RPM packages which do not ship the
    * MFSA 2015-86/CVE-2015-4483 (bmo#1148732)
      Feed protocol with POST bypasses mixed content protections
    * MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
      Crash when using shared memory in JavaScript
    * MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
      Heap overflow in gdk-pixbuf when scaling bitmap images
    * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
      Buffer overflows on Libvpx when decoding WebM video
    * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
      Vulnerabilities found through code inspection
    * MFSA 2015-91/CVE-2015-4490 (bmo#1086999)
      Mozilla Content Security Policy allows for asterisk wildcards
      in violation of CSP specification
    * MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
      Use-after-free in XMLHttpRequest with shared workers
  - added mozilla-no-stdcxx-check.patch
  - removed obsolete patches
    * mozilla-add-glibcxx_use_cxx11_abi.patch
    * firefox-multilocale-chrome.patch
  - rebased patches
  - requires version 40 of the branding package
  - removed browser/searchplugins/ location as it's not valid anymore
* Fri Aug 07 2015
  - security update to Firefox 39.0.3 (bnc#940918)
    * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)
      Same origin violation and local file stealing via PDF reader
* Wed Jul 01 2015
  - update to Firefox 39.0 (bnc#935979)
    * Share Hello URLs with social networks
    * Support for 'switch' role in ARIA 1.1 (web accessibility)
    * SafeBrowsing malware detection lookups enabled for downloads
      (Mac OS X and Linux)
    * Support for new Unicode 8.0 skin tone emoji
    * Removed support for insecure SSLv3 for network communications
    * Disable use of RC4 except for temporarily whitelisted hosts
    * NPAPI Plug-in performance improved via asynchronous initialization
    security fixes:
    * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
      Miscellaneous memory safety hazards
    * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
      Local files or privileged URLs in pages can be opened into new tabs
    * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
      Type confusion in Indexed Database Manager
    * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
      Out-of-bound read while computing an oscillator rendering range in Web Audio
    * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
      Use-after-free in Content Policy due to microtask execution error
    * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
      ECDSA signature validation fails to handle some signatures correctly
      (this fix is shipped by NSS 3.19.1 externally)
    * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
      Use-after-free in workers while using XMLHttpRequest
    * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
      Vulnerabilities found through code inspection
    * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
      Key pinning is ignored when overridable errors are encountered
    * MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
      OS X crash reports may contain entered key press information
      (not relevant under Linux)
    * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
      Privilege escalation in PDF.js
    * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
      NSS accepts export-length DHE keys with regular DHE cipher suites
      (this fix is shipped by NSS 3.19.1 externally)
    * MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
      NSS incorrectly permits skipping of ServerKeyExchange
      (this fix is shipped by NSS 3.19.1 externally)
  - dropped mozilla-prefer_plugin_pref.patch as this feature is
    likely not worth maintaining further
  - rebased patches
  - require NSS 3.19.2
* Thu Jun 18 2015
  - mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
* Sun Jun 07 2015
  - update to Firefox 38.0.6
    * fixes bmo#1171730 which is not really relevant to oS builds
  - fix KDE regression from 38.0.5 builds (bsc#933439)
* Sat May 23 2015
  - update to Firefox 38.0.5
    * Keep track of articles and videos with Pocket
    * Clean formatting for articles and blog posts with Reader View
    * Share the active tab or window in a Hello conversation
  - add changes file as source for SRPM (bsc#932142)
* Fri May 15 2015
  - add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from
* Fri May 15 2015
  - update to Firefox 38.0.1
    stability and regression fixes
    * Systems with first generation NVidia Optimus graphics cards
      may crash on start-up
    * Users who import cookies from Google Chrome can end up with
      broken websites
    * Large animated images may fail to play and may stop other
      images from loading
* Sun May 10 2015
  - update to Firefox 38.0 (bnc#930622)
    * New tab-based preferences
    * Ruby annotation support
    * more info:
    security fixes:
    * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
      Miscellaneous memory safety hazards
    * MFSA 2015-47/VE-2015-0797 (bmo#1080995)
      Buffer overflow parsing H.264 video with Linux Gstreamer
    * MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
      Buffer overflow with SVG content and CSS
    * MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
      Referrer policy ignored when links opened by middle-click and
      context menu
    * MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
      Out-of-bounds read and write in asm.js validation
    * MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
      Use-after-free during text processing with vertical text enabled
    * MFSA 2015-53/CVE-2015-2715 (bmo#988698)
      Use-after-free due to Media Decoder Thread creation during shutdown
    * MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
      Buffer overflow when parsing compressed XML
    * MFSA 2015-55/CVE-2015-2717 (bmo#1154683)
      Buffer overflow and out-of-bounds read while parsing MP4 video
    * MFSA 2015-56/CVE-2015-2718 (bmo#1146724)
      Untrusted site hosting trusted page can intercept webchannel
    * MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
      Privilege escalation through IPC channel messages
  - requires NSS 3.18.1
  - removed obsolete patches:
    * mozilla-skia-bmo1136958.patch
  - remove gnomevfs build options as it is removed from sources
  - rebased patches
* Fri Apr 17 2015
  - update to Firefox 37.0.2 (bnc#928116)
    * MFSA 2015-45/CVE-2015-2706 (bmo#1141081)
      Memory corruption during failed plugin initialization
* Fri Apr 03 2015
  - update to Firefox 37.0.1 (bnc#926166)
    * MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only)
      Loading privileged content through Reader mode
    * MFSA 2015-44/CVE-2015-0799 (bmo#1148328)
      Certificate verification bypass through the HTTP/2 Alt-Svc header
* Sat Mar 28 2015
  - update to Firefox 37.0 (bnc#925368)
    * Heartbeat user rating system
    * Yandex set as default search provider for the Turkish locale
    * Bing search now uses HTTPS for secure searching
    * Improved protection against site impersonation via OneCRL
      centralized certificate revocation
    * Opportunistically encrypt HTTP traffic where the server supports
      HTTP/2 AltSvc
    * some more behaviour changes for TLS
    security fixes:
    * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
      Miscellaneous memory safety hazards
    * MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
      Use-after-free when using the Fluendo MP3 GStreamer plugin
    * MFSA 2015-32/CVE-2015-0812 (bmo#1128126)
      Add-on lightweight theme installation approval bypassed through
      MITM attack
    * MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
      resource:// documents can load privileged pages
    * MFSA-2015-34/CVE-2015-0811 (bmo#1132468)
      Out of bounds read in QCMS library
    * MFSA-2015-35/CVE-2015-0810 (bmo#1125013)
      Cursor clickjacking with flash and images (OS X only)
    * MFSA-2015-36/CVE-2015-0808 (bmo#1109552)
      Incorrect memory management for simple-type arrays in WebRTC
    * MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
      CORS requests should not follow 30x redirections after preflight
    * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437)
      Memory corruption crashes in Off Main Thread Compositing
    * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560)
      Use-after-free due to type confusion flaws
    * MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
      Same-origin bypass through anchor navigation
    * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808
      PRNG weakness allows for DNS poisoning on Android (only)
    * MFSA-2015-42/CVE-2015-0802 (bmo#1124898)
      Windows can retain access to privileged content on navigation
      to unprivileged pages
  - removed obsolete patches
    * mozilla-bmo1088588.patch
    * mozilla-bmo1108834.patch
  - requires NSPR 4.10.8
* Tue Mar 24 2015
  - Fix builds with skia on Power
    mozilla-skia-be-le.patch (patch from #bmo1136958)
* Sat Mar 21 2015
  - update to Firefox 36.0.4 (bnc#923534)
    * MFSA 2015-28/CVE-2015-0818 (bmo#1144988)
      Privilege escalation through SVG navigation
    * MFSA 2015-29/CVE-2015-0817 (bmo#1145255)
      Code execution through incorrect JavaScript bounds checking
* Fri Mar 20 2015
  - Copy the icons to /usr/share/icons instead of symlinking them:
    in preparation for containerized apps (e.g. xdg-app) as well as
    AppStream metadata extraction, there are a couple locations that
    need to be real files for system integration (.desktop files,
    icons, mime-type info).
* Sat Mar 07 2015
  - update to Firefox 36.0.1
    * Disable the usage of the ANY DNS query type (bmo#1093983)
    * Hello may become inactive until restart (bmo#1137469)
    * Print preferences may not be preserved (bmo#1136855)
    * Hello contact tabs may not be visible (bmo#1137141)
    * Accept hostnames that include an underscore character ("_")
    * WebGL may use significant memory with Canvas2d (bmo#1137251)
    * Option -remote has been restored (bmo#1080319)
  - added mozilla-skia-bmo1136958.patch to fix build issues for
    ARM and PPC
* Fri Feb 20 2015
  - update to Firefox 36.0 (bnc#917597)
    * mozilla-xremote-client was removed
    * added media plugin
    * Pinned tiles on the new tab page can be synced
    * Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
      more scalable, and more responsive web.
    * Locale added: Uzbek (uz)
    security fixes:
    * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836
      Miscellaneous memory safety hazards
    * MFSA 2015-12/CVE-2015-0833 (bmo#945192)
      Invoking Mozilla updater will load locally stored DLL files
      (Windows only)
    * MFSA 2015-13/CVE-2015-0832 (bmo#1065909)
      Appended period to hostnames can bypass HPKP and HSTS protections
    * MFSA 2015-14/CVE-2015-0830 (bmo#1110488)
      Malicious WebGL content crash when writing strings
    * MFSA 2015-15/CVE-2015-0834 (bmo#1098314)
      TLS TURN and STUN connections silently fail to simple TCP connections
    * MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
      Use-after-free in IndexedDB
    * MFSA 2015-17/CVE-2015-0829 (bmo#1128939)
      Buffer overflow in libstagefright during MP4 video playback
    * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675)
      Double-free when using non-default memory allocators with a
      zero-length XHR
    * MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
      Out-of-bounds read and write while rendering SVG content
    * MFSA 2015-20/CVE-2015-0826 (bmo#1092363)
      Buffer overflow during CSS restyling
    * MFSA 2015-21/CVE-2015-0825 (bmo#1092370)
      Buffer underflow during MP3 playback
    * MFSA 2015-22/CVE-2015-0824 (bmo#1095925)
      Crash using DrawTarget in Cairo graphics library
    * MFSA 2015-23/CVE-2015-0823 (bmo#1098497)
      Use-after-free in Developer Console date with OpenType Sanitiser
    * MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
      Reading of local files through manipulation of form autocomplete
    * MFSA 2015-25/CVE-2015-0821 (bmo#1111960)
      Local files or privileged URLs in pages can be opened into new tabs
    * MFSA 2015-26/CVE-2015-0819 (bmo#1079554)
      UI Tour whitelisted sites in background tab can spoof foreground
    * MFSA 2015-27CVE-2015-0820 (bmo#1125398)
      Caja Compiler JavaScript sandbox bypass
  - rebased patches
  - requires NSS 3.17.4
* Sat Jan 31 2015
  - update to Firefox 35.0.1
    * With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
    * Kerberos authentication did not work with alias (bmo#1108971)
    * SVG / CSS animation had a regression causing rendering issues on
      websites like (bmo#1083079)
    * On Godaddy webmail, Firefox could crash (bmo#1113121)
    * document.baseURI did not get updated to document.location after
      base tag was removed from DOM for site with a CSP (bmo#1121857)
    * With a Right-to-left (RTL) version of Firefox, the text selection
      could be broken (bmo#1104036)
    * CSP had a change in behavior with regard to case sensitivity
      resources loading (bmo#1122445)
* Sat Jan 10 2015
  - update to Firefox 35.0 (bnc#910669)
    notable features:
    * Firefox Hello with new rooms-based conversations model
    * Implemented HTTP Public Key Pinning Extension (for enhanced
      authentication of encrypted connections)
    security fixes:
    * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
      Miscellaneous memory safety hazards
    * MFSA 2015-02/CVE-2014-8637 (bmo#1094536)
      Uninitialized memory use during bitmap rendering
    * MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
      sendBeacon requests lack an Origin header
    * MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
      Cookie injection through Proxy Authenticate responses
    * MFSA 2015-05/CVE-2014-8640 (bmo#1100409)
      Read of uninitialized memory in Web Audio
    * MFSA 2015-06/CVE-2014-8641 (bmo#1108455)
      Read-after-free in WebRTC
    * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only)
      Gecko Media Plugin sandbox escape
    * MFSA 2015-08/CVE-2014-8642 (bmo#1079658)
      Delegated OCSP responder certificates failure with
      id-pkix-ocsp-nocheck extension
    * MFSA 2015-09/CVE-2014-8636 (bmo#987794)
      XrayWrapper bypass through DOM objects
  - rebased patches
  - dropped explicit support for everything older than 12.3
    (including SLES11)
    * merge firefox-kde.patch and firefox-kde-114.patch
    * dropped mozilla-sle11.patch
  - reworked specfile to build conditionally based on release channel
    either Firefox or Firefox Developer Edition
  - added mozilla-openaes-decl.patch to fix implicit declarations
  - obsolete tracker-miner-firefox < 0.15 because it leads to startup
    crashes (bnc#908892)
* Sat Dec 13 2014 Led <>
  - fix bashism in script
* Sat Nov 29 2014
  - update to Firefox 34.0.5 (bnc#908009)
    * Default search engine changed to Yahoo! for North America
    * Default search engine changed to Yandex for Belarusian, Kazakh,
      and Russian locales
    * Improved search bar (en-US only)
    * Firefox Hello real-time communication client
    * Easily switch themes/personas directly in the Customizing mode
    * Implementation of HTTP/2 (draft14) and ALPN
    * Disabled SSLv3
    * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588
      Miscellaneous memory safety hazards
    * MFSA 2014-84/CVE-2014-1589 (bmo#1043787)
      XBL bindings accessible via improper CSS declarations
    * MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
      XMLHttpRequest crashes with some input streams
    * MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
      CSP leaks redirect data via violation reports
    * MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
      Use-after-free during HTML5 parsing
    * MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
      Buffer overflow while parsing media content
    * MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
      Bad casting from the BasicThebesLayer to BasicContainerLayer
  - rebased patches
  - limit linker memory usage for %ix86
  - rebased patches
* Fri Nov 07 2014
  - update to Firefox 33.1
    * Adding DuckDuckGo as a search option (upstream)
    * Forget Button added
    * Enhanced Tiles
    * Privacy tour introduced
  - fix typo in GStreamer Recommends
* Tue Nov 04 2014
  - Disable elf-hack for aarch64
  - Enable EGL for aarch64
  - Limit RAM usage during link for %arm
  - Fix _constraints for ARM
* Mon Nov 03 2014
  - use proper macros for ARM
* Mon Nov 03 2014
  - use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too
    to fix compiling.
  - pass '-Wl,--no-keep-memory' to linker to reduce required memory during
    linking on arm.
* Thu Oct 30 2014
  - update to Firefox 33.0.2
    * Fix a startup crash with some combination of hardware and drivers
    * Firefox displays a black screen at start-up with certain
      graphics drivers
  - adjusted _constraints for ARM
* Tue Oct 28 2014
  - added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
* Sat Oct 25 2014
  - define /usr/share/myspell as additional dictionary location
    and remove finally (bnc#900639)
* Sun Oct 19 2014
  - use Firefox default optimization flags instead of -Os
  - specfile cleanup
* Wed Oct 15 2014
  - fix build for all ppc by not enabling elf-hack



Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Sep 10 16:06:52 2019