./www/firefox, Web browser with support for extensions (version 49)

Branch: CURRENT, Version: 49.0, Package name: firefox-49.0, Maintainer: ryoon

Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems.

It is fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up

Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.

Required to run:
[sysutils/desktop-file-utils] [sysutils/dbus-glib] [textproc/icu] [graphics/MesaLib] [graphics/cairo] [graphics/jpeg] [net/libIDL] [devel/nspr] [devel/libffi] [devel/nss] [x11/gtk2] [textproc/hunspell] [x11/pixman] [audio/pulseaudio] [multimedia/libvpx] [lang/gcc48-libs] [multimedia/ffmpeg3]

Required to build:
[databases/py-sqlite2] [pkgtools/x11-links] [devel/yasm] [x11/compositeproto] [x11/glproto] [x11/renderproto] [x11/xproto] [x11/xf86vidmodeproto] [x11/recordproto] [x11/xf86driproto] [x11/damageproto] [x11/inputproto] [x11/xextproto] [x11/randrproto] [x11/dri2proto] [x11/xcb-proto] [x11/fixesproto4] [lang/python27] [lang/gcc48]

Package options: dbus, pulseaudio

SHA1: 55dd05fc7b9ba58e6e0568e9aa7173de5eb4df86
RMD160: 74bfc31a2ff988ddbea03dc6a41f3acc4c64df43
Filesize: 185171.078 KB

CVS history:

   2016-09-20 22:01:41 by Ryo ONODERA | Files touched by this commit (13) | Package updated
Log message:
Update to 49.0

    Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. It’s one more way Firefox is supporting Let’s Encrypt and helping users transition to a more secure web.

    Added features to Reader Mode that make it easier on the eyes and the ears
        Controls that allow users to adjust the width and line spacing of text
        Narrate, which reads the content of a page out loud

    Improved video performance for users on systems that support SSSE3 without hardware acceleration

    Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed

    Enhancements for Mac users
        Improved performance on OS X systems without hardware acceleration
        Improved appearance of anti-aliased OS X fonts

    Improvements in about:memory reports for tracking font memory usage

    Improve performance on Windows systems without hardware acceleration

    Fixed an issue that prevented users from updating Firefox for Mac unless they originally installed Firefox. Now, those users as well as any user with administrative credentials can update Firefox.

    Various security fixes

    Ended Firefox for Mac support for OS X 10.6, 10.7, and 10.8.

    Ended Firefox for Windows support for SSE processors

    Removed Firefox Hello

    Re-enabled the default for Graphite2 font shaping

    Added a Cause column to the Network Monitor to show what caused each network \ 

    Introduced web speech synthesis API

Fixed in Firefox 49
    2016-85 Security vulnerabilities fixed in Firefox 49

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]
Reporter: Atte Kettunen
Description: A content security policy (CSP) containing a referrer directive with no values can cause a non-exploitable crash. [1289085]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]
Reporter: Abhishek Arya
Description: An out-of-bounds read during the processing of text runs in some pages using display:contents. [1288946]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]
Reporter: Nils
Description: A potentially exploitable crash in accessibility [1280387]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting an aria-owns attribute [1287721]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling. [1282076]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A use-after-free vulnerability with web animations when destroying a timeline [1291665]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]
Reporter: Nils
Description: A buffer overflow when working with empty filters during canvas rendering [1287316]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]
Reporter: Rafael Gieschke
Description: The full path to local files is available to scripts when local files are drag and dropped into Firefox [1249522]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]
Reporter: Richard Newman
Description: Favicons can be loaded through non-whitelisted protocols, such as jar: [932335]

CVE-2016-5283 - <iframe src> fragment timing attack can reveal cross-origin data [high]
Reporter: Gavin Sharp
Description: A timing attack vulnerability using iframes to potentially reveal private data using document resizes and link colors [928187]

CVE-2016-5284 - Add-on update site certificate pin expiration [high]
Reporter: Ryan Duff
Description: Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. [1303127]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]
Reporter: Mozilla developers
Description: Mozilla developers Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas, Seth Fowler, and Michael Smith reported memory safety bugs present in Firefox 48. Some of these bugs showed evidence of memory corruption and under certain circumstances could potentially be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 \ 
Reporter: Mozilla developers
Description: Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4]
   2016-08-29 14:56:53 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 48.0.2

Fix a startup crash issue caused by Websense (Windows only) (Bug 1291738)
   2016-08-20 13:17:32 by Ryo ONODERA | Files touched by this commit (6) | Package updated
Log message:
Update to 48.0.1

* Remove dbus-glib dependency and add dbus option (from Robert Swindells)
* Fix potential build failure in skia (from Robert Swindells)

    Fix an audio regression impacting some major websites (bug 1295296)
    Fix a top crash in the JavaScript engine (Bug 1290469)
    Fix a startup crash issue caused by Websense (Bug 1291738)
    Fix a different behavior with e10s / non-e10s on <select> and mouse events (Bug 1291078)
    Fix a top crash caused by plugin issues (Bug 1264530)
    Fix an unsigned add-ons issue on Windows
    Fix a shutdown issue (Bug 1276920)
    Fix a crash in WebRTC
   2016-08-17 02:06:47 by Ryo ONODERA | Files touched by this commit (102)
Log message:
Recursive revbump from multimedia/libvpx update
   2016-08-16 11:34:12 by Tobias Nygren | Files touched by this commit (3)
Log message:
fix pkg/50767 linker error when using clang
   2016-08-07 03:25:41 by Ryosuke Moro | Files touched by this commit (1)
Log message:
these options do not exist
you can see it:
 cd /usr/pkgsrc/www/firefox/work/firefox-48.0
 ./configure --help
   2016-08-06 10:46:59 by Ryo ONODERA | Files touched by this commit (26) | Package updated
Log message:
Update to 48.0

* OSS audio support may not work. I will revisit later

    Roar for moar protection against harmful downloads! We've got your back

    Process separation (e10s) is enabled for some of you. Like it? Let us know and we'll roll it out to more.

    Add-ons that have not been verified and signed by Mozilla will not load

    GNU/Linux fans: Get better Canvas performance with speedy Skia support. Try saying that three times fast

    WebRTC embetterments:
        Delay-agnostic AEC enabled
        Full duplex for GNU/Linux enabled
        ICE Restart & Update is supported
        Cloning of MediaStream and MediaStreamTrack is now supported

    Searching for something already in your bookmarks or open tabs? We added super smart icons to let you know

    Windows folks: Tab (move buttons) and Shift+F10 (pop-up menus) now behave as they should in Firefox customization mode

    The media parser has been redeveloped using the Rust programming language

    Windows 7 systems without Platform Update can now use D3D11 WARP

    Various security fixes

    Heyo, Jabra & Logitech C920 webcam users. We fixed those pesky WebRTC bugs causing frequency distortions. Buh-bye, squeaky voice!

    Improved step debugging on last line of functions

    Starting with the Firefox version 49 release, so long to support for 10.6, 10.7 and 10.8. Now we can focus on where most Mac users are: 10.9. Don't forget to upgrade!

    After version 48, SSE2 CPU extensions are going to be required on Windows

    Au revoir to Windows Remote Access Service modem Autodial

    WebExtensions support is now considered as stable

    Workers can now use the Web Crypto API

    Want to move absolute & fixed positioned elements? (Who doesn't, right?) Now you can with our geometry editor.

    The memory tool now has a tree map view for your debugging pleasure. It's a little bit of "boo" and a whole lot of "ya."

    We're putting the spotlight on the background. Now you can debug WebExtensions background content scripts and background pages

    Content Security Policy (CSP) is now enforced for WebExtensions. (Who's down with CSP?)

    Old and busted: Error Console. New hotness: Browser Console for your debugging pleasure.

    Add-on development just got easier because you can reload them from about:debugging — because we're all about debugging.

    This theme is hot, hot, hot! Say hi to the Firebug theme for Developer Tools.

    Expand network requests from the console panel to view request details in line, so you can see things in context

Fixed in Firefox 48:
    2016-84 Information disclosure through Resource Timing API during page navigation
    2016-83 Spoofing attack through text injection into internal error pages
    2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
    2016-81 Information disclosure and local file manipulation through drag and drop
    2016-80 Same-origin policy violation using local HTML file and saved shortcut file
    2016-79 Use-after-free when applying SVG effects
    2016-78 Type confusion in display transformation
    2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
    2016-76 Scripts on marquee tag can execute in sandboxed iframes
    2016-75 Integer overflow in WebSockets during data buffering
    2016-74 Form input type change from password to text can store plain text password in session restore file
    2016-73 Use-after-free in service workers with nested sync events
    2016-72 Use-after-free in DTLS during WebRTC session shutdown
    2016-71 Crash in incremental garbage collection in JavaScript
    2016-70 Use-after-free when using alt key and toplevel menus
    2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
    2016-68 Out-of-bounds read during XML parsing in Expat library
    2016-67 Stack underflow during 2D graphics rendering
    2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
    2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
    2016-64 Buffer overflow rendering SVG with bidirectional content
    2016-63 Favicon network connection can persist when page is closed
    2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
   2016-08-04 19:03:41 by Ryo ONODERA | Files touched by this commit (145)
Log message:
Recursive revbump from audio/pulseaudio