Subject: CVS commit: pkgsrc/www/firefox
From: Ryo ONODERA
Date: 2023-12-31 10:03:56
Message id: 20231231090356.3F8EDFA42@cvs.NetBSD.org
Log Message:
firefox: Update to 121.0
* CXXFLAGS has all CFLAGS values. Remove duplicated CXXFLAGS.
Changelog:
121.0
New
* Firefox now prompts Windows users to install the Microsoft AV1 Video
Extension to enable hardware decoding support for the AV1 video codec from
about:support if not already installed.
* Firefox now supports Voice Control commands on macOS systems.
* On Linux, Firefox now defaults to the Wayland compositor when available
instead of XWayland. This brings support for touchpad & touchscreen
gestures, swipe-to-nav, per-monitor DPI settings, better graphics
performance, and more.
Note that due to Wayland protocol limitations, Picture-in-Picture windows
require an extra user interaction (generally right-click on the window) or
a shell / desktop-environment tweak. See bug 1621261 for related discussion
and tracking, this post for a KDE configuration, and this extension for
GNOME. It is also a known issue that windows are not correctly placed when
restoring a previous session on launch.
* Firefox can now force links to always be underlined. This option can be
enabled in the Browsing section of the Firefox Settings menu.
* The PDF viewer now includes a floating button to simplify deleting
drawings, text, and images added in PDFs.
Fixed
* Various security fixes.
* Ubuntu Firefox Snap builds did not default to Wayland compositing on some
systems as expected when Firefox 121 was first released. This is now fixed
and updated builds can be installed with the Ubuntu Software Updater.
Security fixes:
Mozilla Foundation Security Advisory 2023-56
#CVE-2023-6856: Heap-buffer-overflow affecting WebGL DrawElementsInstanced
method with Mesa VM driver
#CVE-2023-6135: NSS susceptible to "Minerva" attack
#CVE-2023-6865: Potential exposure of uninitialized data in
EncryptingOutputStream
#CVE-2023-6857: Symlinks may resolve to smaller than expected buffers
#CVE-2023-6858: Heap buffer overflow in nsTextFragment
#CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer
#CVE-2023-6866: TypedArrays lack sufficient exception handling
#CVE-2023-6860: Potential sandbox escape due to VideoBridge lack of texture
validation
#CVE-2023-6867: Clickjacking permission prompts using the popup transition
#CVE-2023-6861: Heap buffer overflow affected nsWindow::PickerOpen(void) in
headless mode
#CVE-2023-6868: WebPush requests on Firefox for Android did not require VAPID
key
#CVE-2023-6869: Content can paint outside of sandboxed iframe
#CVE-2023-6870: Android Toast notifications may obscure fullscreen event
notifications
#CVE-2023-6871: Lack of protocol handler warning in some instances
#CVE-2023-6872: Browsing history leaked to syslogs via GNOME
#CVE-2023-6863: Undefined behavior in ShutdownObserver()
#CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and
Thunderbird 115.6
#CVE-2023-6873: Memory safety bugs fixed in Firefox 121
Files: