* Fri Jul 13 2018 wr@rosenauer.org
- update to SeaMonkey 2.49.4
* Gecko 52.9.1esr (bsc#1098998)
MFSA 2018-16 (bsc#1098998)
* CVE-2018-12359 (bmo#1459162)
Buffer overflow using computed size of canvas element
* CVE-2018-12360 (bmo#1459693)
Use-after-free when using focus()
* CVE-2018-12362 (bmo#1452375)
Integer overflow in SSSE3 scaler
* CVE-2018-5156 (bmo#1453127)
Media recorder segmentation fault when track type is changed during capture
* CVE-2018-12363 (bmo#1464784)
Use-after-free when appending DOM nodes
* CVE-2018-12364 (bmo#1436241)
CSRF attacks through 307 redirects and NPAPI plugins
* CVE-2018-12365 (bmo#1459206)
Compromised IPC child process can list local filenames
* CVE-2018-12366 (bmo#1464039)
Invalid data handling during QCMS transformations
* CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
bmo#1464079,bmo#1463494,bmo#1458048)
Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
- localizations finally included again (boo#1062195)
* Thu Jun 07 2018 bjorn.lie@gmail.com
- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
conditional --disable-gconf to configure: no longer pull in
obsolete gconf2 for Tumbleweed.
* Tue Jun 05 2018 psychonaut@nothingisreal.com
- update spec file summary and description to more accurately
reflect what SeaMonkey is, giving less prominence to the long-
discontinued Mozilla Application Suite that many users may no
longer be familiar with
- update project URL in spec file
* Sat Mar 03 2018 wr@rosenauer.org
- update to SeaMonkey 2.49.2
* Gecko 52.6esr (including security relevant fixes) (bsc#1077291)
* fix issue in Composer
* With some themes, the menulist- and history-dropmarker didn't show
* Scrollbars didn't show the buttons
* WebRTC has been disabled by default. It needs an add-on to enable it per site
* The active title bar was not visually emphasized
- correct requires and provides handling (boo#1076907)
Version: 2.49.1-bp150.2.5
* Tue Jan 09 2018 wr@rosenauer.org
- Explicitly buildrequires python2-xml: The build system relies on
it. We wrongly relied on other packages pulling it in for us.
- use parallel compression in create-tar if available
- use XZ instead of BZ2 for source archives
- import upstream patch mozilla-bmo1338655.patch to fix failing
build
* Thu Dec 07 2017 dimstar@opensuse.org
- Escape the usage of %{VERSION} when calling out to rpm.
RPM 4.14 has %{VERSION} defined as 'the main packages version'.
* Fri Nov 10 2017 zaitor@opensuse.org
- Drop obsolete libgnomeui-devel BuildRequires: No longer needed.
- Following the above, add explicit pkgconfig(gconf-2.0),
pkgconfig(gobject-2.0), pkgconfig(gdk-x11-2.0), pkgconfig(gtk+-2.0)
and pkgconfig(gtk+-unix-print-2.0) BuildRequires: previously
pulled in by libgnomeui-devel, and is what configure really
checks for.
* Fri Aug 04 2017 wr@rosenauer.org
- update to SeaMonkey 2.48
* based on Gecko 51.0.3
* requires NSPR 4.13.1 and NSS 3.28.5 (aligned with 52ESR)
- removed obsolete (upstreamed) patches
* mozilla-http2-ecdh-keybits.patch
* mozilla-sed43.patch
* mozilla-flex_buffer_overrun.patch
* mozilla-shared-nss-db.patch (feature dropped from SM due to
maintenance costs vs. usefulness)
* mozilla-binutils-visibility.patch
* mozilla-check_return.patch
* mozilla-skia-overflow.patch
- rebased patches
* Sun Feb 12 2017 wr@rosenauer.org
- fix configure for sed >= 4.3 (boo#1020631) (mozilla-sed43.patch)
* Tue Jan 24 2017 wr@rosenauer.org
- improve recognition of LANGUAGE env variable (boo#1017174)
- update minimum keybits in H2 so it allows a smaller value
(e.g. for curve25519 as supported with NSS 3.28) (bmo#1290037)
(boo#1021636) (mozilla-http2-ecdh-keybits.patch)
* Fri Dec 23 2016 wr@rosenauer.org
- update to SeaMonkey 2.46
* based on Gecko 49.0.2
* Chatzilla and DOM Inspector were removed/disabled and therefore
those subpackages are not available at this moment
- requires NSPR 4.12 and NSS 3.25
- removed obsolete patches
* mozilla-libproxy.patch
* mozilla-gcc6.patch
* mozilla-openaes-decl.patch
- rebased patches
- added patches imported from Firefox 49:
* mozilla-check_return.patch
* mozilla-flex_buffer_overrun.patch
* mozilla-skia-overflow.patch
* Mon Oct 17 2016 wr@rosenauer.org
- mozilla-binutils-visibility.patch to fix build issues with
gcc/binutils combination used in Leap 42.2 (boo#984637)
* Sun Aug 21 2016 antoine.belvire@laposte.net
- Build also with fno-lifetime-dse and fno-schedule-insns2 for GCC6
(still boo#991027)
- Check compiler version instead of openSUSE version for this
* Mon Aug 08 2016 wr@rosenauer.org
- build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6
as long as underlying issues have been addressed upstream
(boo#991027)
* Fri Aug 05 2016 pcerny@suse.com
- Fix for possible buffer overrun (bsc#990856)
CVE-2016-6354 (bmo#1292534)
[mozilla-flex_buffer_overrun.patch]
* Tue Jul 26 2016 badshah400@gmail.com
- Add appstream metainfo files as a tar.bz2 source
(seamonkey-appdata.tar.bz2) and install these appdata.xml files
to the appdata dir (/usr/share/appdata); with these appdata
files installed, seamonkey shows up in appstores like GNOME
software and KDE Discover.
* Sun Jul 17 2016 badshah400@gmail.com
- Add mozilla-gcc6.patch to fix building with gcc >= 6.0.
* Sat Mar 05 2016 wr@rosenauer.org
- fix build problems on i586, caused by too large unified compile
units - adding mozilla-reduce-files-per-UnifiedBindings.patch
- increased _constraints as required
* Tue Jan 19 2016 wr@rosenauer.org
- update to SeaMonkey 2.40 (bnc#959277)
* requires NSS 3.20.2 to fix
MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
server signature
* MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
Miscellaneous memory safety hazards
* MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
Crash with JavaScript variable assignment with unboxed objects
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
Same-origin policy violation using performance.getEntries and
history navigation
* MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
Firefox allows for control characters to be set in cookies
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
Use-after-free in WebRTC when datachannel is used after being
destroyed
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
Integer overflow allocating extremely large textures
* MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
Cross-origin information leak through web workers error events
* MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
Hash in data URI is incorrectly parsed
* MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
DOS due to malformed frames in HTTP/2
* MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
Linux file chooser crashes on malformed images due to flaws in
Jasper library
* MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221
(bmo#1201183, bmo#1178033, bmo#1199400)
Buffer overflows found through code inspection
* MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
Underflow through code inspection
* MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
Integer overflow in MP4 playback in 64-bit versions
* MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
Integer underflow and buffer overflow processing MP4 metadata in
libstagefright
* MFSA 2015-148/CVE-2015-7223 (bmo#1226423)
Privilege escalation vulnerabilities in WebExtension APIs
* MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
Cross-site reading attack through data and view-source URIs
- rebased patches
- buildrequire xcomposite now explicitly
* Thu Nov 05 2015 wr@rosenauer.org
- update to SeaMonkey 2.39 (bnc#952810)
* MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
Miscellaneous memory safety hazards
* MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
Information disclosure through NTLM authentication
* MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
CSP bypass due to permissive Reader mode whitelist
* MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
Firefox for Android addressbar can be removed after fullscreen mode
* MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
Reading sensitive profile files through local HTML file on Android
* MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
disabling scripts in Add-on SDK panels has no effect
* MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
Trailing whitespace in IP address hostnames can bypass same-origin policy
* MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
Buffer overflow during image interactions in canvas
* MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
Android intents can be used on Firefox for Android to open privileged files
* MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
XSS attack through intents on Firefox for Android
* MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
Crash when accessing HTML tables with accessibility tools on OS X
* MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
CORS preflight is bypassed when non-standard Content-Type headers
are received
* MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
Memory corruption in libjar through zip files
* MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
Certain escaped characters in host of Location-header are being
treated as non-escaped
* MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
JavaScript garbage collection crash with Java applet
* MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
(bmo#1188010, bmo#1204061, bmo#1204155)
Vulnerabilities found through code inspection
* MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
Mixed content WebSocket policy bypass through workers
* MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
(bmo#1202868, bmo#1205157)
NSS and NSPR memory corruption issues
(fixed in mozilla-nspr and mozilla-nss packages)
- requires NSPR >= 4.10.10 and NSS >= 3.19.4
- removed obsolete patches
* mozilla-icu-strncat.patch
- fixed build with enable-libproxy (bmo#1220399)
* mozilla-libproxy.patch
* Thu Oct 01 2015 wr@rosenauer.org
- update to SeaMonkey 2.38 (bnc#947003)
* based on 41.0.1
* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
Miscellaneous memory safety hazards
* MFSA 2015-97/CVE-2015-4503 (bmo#994337)
Memory leak in mozTCPSocket to servers
* MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
Out of bounds read in QCMS library with ICC V4 profile attributes
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
Arbitrary file manipulation by local user through Mozilla updater
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
Crash when using debugger with SavedStacks in JavaScript
* MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
Use-after-free with shared workers and IndexedDB
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
Use-after-free while manipulating HTML media content
* MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
Out-of-bounds read during 2D canvas display on Linux 16-bit
color depth systems
* MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
Scripted proxies can access inner window
* MFSA 2015-109/CVE-2015-4516 (bmo#904886)
JavaScript immutable property enforcement can be bypassed
* MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
Dragging and dropping images exposes final URL after redirects
* MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
CVE-2015-7180
Vulnerabilities found through code inspection
* MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
bmo#1190526) (Windows only)
Memory safety errors in libGLES in the ANGLE graphics library
* MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)
Information disclosure via the High Resolution Time API
- removed obsolete patch
* mozilla-add-glibcxx_use_cxx11_abi.patch
- added mozilla-no-stdcxx-check.patch
* Sat Aug 29 2015 wr@rosenauer.org
- update to SeaMonkey 2.35 (bnc#935979)
* based on 38.1.1esr
* requires NSPR 4.10.8 and NSS 3.19.2
- removed obsolete patches
* mozilla-visitSubstr.patch
* mozilla-undef-CONST.patch
* mozilla-reintroduce-pixman-code-path.patch
* mozilla-fix-prototype.patch
* mozilla-disable-JEMALLOC_STATIC_SIZES-on-ppc.patch
- renamed mozilla-add-D_GLIBCXX_USE_CXX11_ABI-0-to-CXXFLAG.patch
to mozilla-add-glibcxx_use_cxx11_abi.patch (sync with Firefox)
- dropped mozilla-prefer_plugin_pref.patch as this feature is
likely not worth maintaining further
* Sat Jun 27 2015 antoine.belvire@laposte.net
- Fix compilation issues:
* Add mozilla-add-D_GLIBCXX_USE_CXX11_ABI-0-to-CXXFLAG.patch (bmo#1153109)
* Add mozilla-reintroduce-pixman-code-path.patch (bmo#1136958)
* Add mozilla-visitSubstr.patch (bmo#1108834)
* Add mozilla-undef-CONST.patch (bmo#1111395)
* Add mozilla-disable-JEMALLOC_STATIC_SIZES-on-ppc.patch
* Sun Mar 22 2015 wr@rosenauer.org
- update to SeaMonkey 2.33.1 (bnc#923534)
* MFSA 2015-28/CVE-2015-0818 (bmo#1144988)
Privilege escalation through SVG navigation
* MFSA 2015-29/CVE-2015-0817 (bmo#1145255)
Code execution through incorrect JavaScript bounds checking
elimination