-
firefox (2.0.0.17+0nobinonly-0ubuntu0.7.4) feisty-security; urgency=low
* New security/stability upstream release (v2.0.0.17)
- see USN-645-1
-- Alexander Sack <email address hidden> Thu, 18 Sep 2008 13:56:50 +0200
-
firefox (2.0.0.16+0nobinonly-0ubuntu0.7.4) feisty-security; urgency=low
* New security/stability upstream release (v2.0.0.16)
- see USN-623-1
-- Alexander Sack <email address hidden> Mon, 14 Jul 2008 15:11:40 +0200
-
firefox (2.0.0.15+0nobinonly-0ubuntu0.7.4) feisty-security; urgency=low
[ Alexander Sack ]
* New security/stability upstream release (v2.0.0.15)
- see USN-619-1
-- Alexander Sack <email address hidden> Mon, 23 Jun 2008 15:08:12 +0200
-
firefox (2.0.0.14+1nobinonly-0ubuntu0.7.4) feisty-security; urgency=low
[ Alexander Sack ]
* New security/stability upstream release (v2.0.0.14)
- see USN-602-1
-- Alexander Sack <email address hidden> Fri, 18 Apr 2008 12:57:37 +0200
-
firefox (2.0.0.13+0nobinonly-0ubuntu0.7.4) feisty-security; urgency=low
* New security/stability upstream release (v2.0.0.13)
- see USN-592-1
-- Alexander Sack <email address hidden> Tue, 25 Mar 2008 12:14:29 +0100
-
firefox (2.0.0.12+1nobinonly+2-0ubuntu0.7.4) feisty-security; urgency=low
* New stability upstream release (v2.0.0.12)
* New security/stability upstream release (v2.0.0.12) - 1.8.0.14 prepatches
* MFSA 2008-01 aka CVE-2008-0412: Crashes with evidence of memory corruption
v1.8.1.12 (Browser crashes)
* MFSA 2008-01 aka CVE-2008-0413: Crashes with evidence of memory corruption
v1.8.1.12 (javascript crashes)
* MFSA 2008-02 aka CVE-2008-0414: Multiple file input focus stealing
vulnerabilities: 1. Focus shifting bugs and 2. Selective keystroke blocking
bugs
* MFSA 2008-03 aka CVE-2008-0415: Privilege escalation, XSS, Remote Code
Execution (JavaScript privilege escalation bugs)
* MFSA 2008-04 aka CVE-2008-0416: Multiple XSS vulnerabilities from
character encoding
* MFSA 2008-05 aka CVE-2008-0417: Stored password corruption
* MFSA 2008-06 aka CVE-2008-0418: Directory traversal via chrome: URI
* MFSA 2008-07 aka CVE-2008-0419: Web browsing history and forward navigation
stealing
* MFSA 2008-08 aka CVE-2008-0420: Possible information disclosure in BMP
decoder
* MFSA 2008-09 aka CVE-2008-0591: File action dialog tampering
* MFSA 2008-10 aka CVE-2008-0592: Mishandling of locally-saved plain text
files
* MFSA 2008-11 aka CVE-2008-0593: URL token stealing via stylesheet redirect
* MFSA 2008-12 aka CVE-2008-0594: Web forgery overwrite with div overlay
-- Alexander Sack <email address hidden> Mon, 04 Feb 2008 13:35:29 +0100
-
firefox (2.0.0.11+1nobinonly-0ubuntu0.7.4) feisty-security; urgency=low
* New stability upstream release (v2.0.0.11)
* fix canvas regression introduced in firefox 2.0.0.10
-- Alexander Sack <email address hidden> Tue, 04 Dec 2007 10:44:08 +0100
-
firefox (2.0.0.10+1nobinonly-0ubuntu1) feisty-security; urgency=low
* New security/stability upstream release (v2.0.0.10)
* MFSA 2007-37 aka CVE-2007-5947
* MFSA 2007-38 aka CVE-2007-5959
* MFSA 2007-39 aka CVE-2007-5960
-- Alexander Sack <email address hidden> Sun, 25 Nov 2007 18:21:07 +0100
-
firefox (2.0.0.8+1nobinonly-0ubuntu1) feisty-security; urgency=low
* New security/stability upstream release (v2.0.0.8)
* MFSA 2007-29 aka CVE-2007-5339 (browser), CVE-2007-5340 (javascript)
* MFSA 2007-30 aka CVE-2007-1095
* MFSA 2007-31 aka CVE-2007-2292
* MFSA 2007-32 aka CVE-2007-3511, CVE-2006-2894
* MFSA 2007-33 aka CVE-2007-5334
* MFSA 2007-34 aka CVE-2007-5337
* MFSA 2007-35 aka CVE-2007-5338
* MFSA 2007-36 aka CVE-2007-4841 (windows only)
-- Alexander Sack <email address hidden> Fri, 19 Oct 2007 01:09:21 +0200
-
firefox (2.0.0.6+1-0ubuntu1) feisty-security; urgency=low
* New security/stability upstream release (v2.0.0.6)
* MFSA 2007-26 aka CVE-2007-3844
* MFSA 2007-27 aka CVE-2007-3845
-- Alexander Sack <email address hidden> Tue, 31 Jul 2007 12:12:15 +0200
-
firefox (2.0.0.5+1-0ubuntu1) feisty-security; urgency=low
* New security/stability upstream release (v2.0.0.5)
* MFSA 2007-18 aka CVE-2007-3734 (browser), CVE-2007-3735 (Javascript)
* MFSA 2007-19 aka CVE-2007-3736
* MFSA 2007-20 aka CVE-2007-3089
* MFSA 2007-21 aka CVE-2007-3737
* MFSA 2007-22 aka CVE-2007-3285
* MFSA 2007-23 aka CVE-2007-3670
* MFSA 2007-24 aka CVE-2007-3656
* MFSA 2007-25 aka CVE-2007-3738
-- Alexander Sack <email address hidden> Wed, 18 Jul 2007 10:30:49 +0200
-
firefox (2.0.0.4+1-0ubuntu1) feisty-security; urgency=low
* New security/stability upstream update (v2.0.0.4)
* MFSA2007-17 aka CVE-2007-2871: XUL Popup Spoofing
* MFSA2007-16 aka CVE-2007-2870: XSS using addEventListener
* MFSA2007-14 aka CVE-2007-1362: Path Abuse in Cookies
* MFSA2007-13 aka CVE-2007-2869: Persistent Autocomplete Denial of Service
* MFSA2007-12 aka CVE-2007-2867 (layout engine) + CVE-2007-2868
(javascript engine): Crashes with evidence of memory corruption
* configure.in, configure: drop visibility hidden attribute patch
as it has been applied upstream; regen configure accordingly
* uriloader/exthandler/unix/nsOSHelperAppService.cpp: drop modifications
we previously carried for bz273524; the helper part has been dealt with
in landing of bz373955 attachment 260203
* embedding/browser/gtk/src/EmbedWindow.cpp: drop patch since bz312998
has been applied upstream
-- Alexander Sack <email address hidden> Wed, 30 May 2007 21:22:00 +0200
-
firefox (2.0.0.3+1-0ubuntu2) feisty; urgency=low
* debian/control: fix missing firefox-libthai depends on firefox
* xpfe/components/killAll/Makefile.in: drop unapproved/useless patch
to install/remove nsKillAll.js component.
* browser/locales/en-US/profile/bookmarks.html: fix bookmarks urls;
www.ubuntulinux.org/wiki/FrontPage -> wiki.ubuntu.com; www.ubuntulinux.org
-> www.ubuntu.com (LP#93502)
* browser/base/content/baseMenuOverlay.xul: commenting out ubuntu help
menu entries: Get Help Online; Translate This application. Reenable as
soon as launchpad supports these features.
* layout/svg/renderer/src/cairo/nsSVGCairoGradient.cpp: fix for bz358930
(LP#69721): 2.0 doesn't respect SVG gradient spreadMethod="pad"
* gfx/src/gtk/nsFontMetricsPango.cpp: fix for bz335810: cursor up/down
keypresses do not preserve horizontal position when using pango (LP#36571)
* debian/firefoxrc: fix old malone url in comment (LP#94392)
-- Alexander Sack <email address hidden> Tue, 3 Apr 2007 12:45:00 +0200
-
firefox (2.0.0.3+1-0ubuntu1) feisty; urgency=low
* new upstream security/stability update (v2.0.0.3)
* MFSA-2006-11 aka CVE-2007-1562: FTP PASV port-scanning
* add Report a Bug ... menu entry to Help menu overlay (LP#85041)
* gfx/src/gtk/nsFontMetricsXft.cpp: revert not-approved patch
bz252033-gtk2-xft-text-clipping-problem, because fix seems to
have pretty bad performance overhead.
* config/autoconf.mk.in, configure.in, gfx/src/gtk/mozilla-decoder.cpp:
revert not-approved patch bz305185-system-pango-fix-for-gtk-2-8, because
no longer necessary, upstream bug was duped to
https://bugzilla.mozilla.org/show_bug.cgi?id=338446
* xpfe/components/killAll/Makefile.in: revert not-approved patch
bz333289-nskillall-not-installed, because it's just cruft from
old suite and not used for firefox.
* debian/control: add depends on libnspr4 to libnss3 (LP#84481)
-
firefox (2.0.0.2+1-0ubuntu2) feisty; urgency=low
* reworked patchset and updated thai patch to latest
* debian/firefox.desktop: updated Finnish translation for
.desktop file (Contributed by Timo Jyrinki <email address hidden>)
* browser/app/profile/firefox.js: set pref browser.startup.homepage_override.mstone
to "ignore" (Closes LP#91798)
* browser/components/nsBrowserContentHandler.js: disable welcome and update
url feature completely (LP#91798)
* use pref distributionID only ... don't hard code this anymore
* produce chromelist.txt files again (e.g. drop patch that prevents that)
* exclude patch that disabled mangle dir in
security/nss/cmd/shlibsign/manifest.mn
[ Theppitak Karoonboonyanan <email address hidden> ]
* Update Thai line breaker patch based on libthai.
- Replace old patch with componentized mozlibthai patch extracted and
adapted from submitted patch in Debian #366306, which was backported
from patch against HEAD proposed in bz#7969.
- debian/control, debian/firefox-libthai.{install,postinst,prerm}:
+ Add firefox-libthai sub-package and Build-Depends: libthai-dev
+ Remove Suggests: libthai0 from firefox (we don't need PR_LoadLibrary()
hack any more), and Suggests: firefox-libthai instead
- debian/rules:
+ Add --enable-libthai configure option
+ Exclude mozlibthai component from firefox
+ Add dh_install -pfirefox-libthai.
-- Alexander Sack <email address hidden> Fri, 23 Mar 2007 22:00:00 +0100
-
firefox (2.0.0.2+1-0ubuntu1) feisty; urgency=low
* new upstream release 2.0.0.2
* MFSA2007-01 - Crashes with evidence of memory corruption
(rv:1.8.0.10/1.8.1.2):
- CVE-2007-0775 - layout engine crashes
- CVE-2007-0776 - SVG
- CVE-2007-0777 - javascript engine corruption
* MFSA2007-02 - Improvements to help protect against Cross-Site
Scripting attacks:
- CVE-2007-0995 - Invalid trailing characters in HTML tag attributes
- CVE-2007-0996 - Child frame character set inheritance
- CVE-2006-6077 - Injected password forms
* MFSA2007-03 aka CVE-2007-0778: Information disclosure through cache
collisions
* MFSA2007-04 aka CVE-2007-0779: Spoofing using custom cursor and CSS3
hotspot
* MFSA2007-05 aka CVE-2007-0780, CVE-2007-0800: XSS and local file access
by opening blocked popups
* MFSA2007-06 aka CVE-2007-0008, CVE-2007-0009: Mozilla Network Security
Services (NSS) SSLv2 buffer overflow
* MFSA2007-07 aka CVE-2007-0981: Embedded nulls in location.hostname
confuse same-domain checks
-
firefox (2.0.0.1+1-0ubuntu2) feisty; urgency=low
* browser/components/feeds/src/FeedWriter.js: fix
RSS preview/subscription for flat chrome
(Closes LP#61182)
* browser/app/Makefile.in: regression; reenable -Wl,--no-as-needed
for libxpcom.so (Closes: LP#85112). Note: this patch will be
removed in feisty+1
* debian/rules: set BUILD_OFFICIAL and MOZILLA_OFFICIAL environment
so build gets a proper BUILD_ID (Closes LP#68459).
-- Alexander Sack <email address hidden> Sat, 24 Feb 2007 23:00:00 +0100
-
firefox (2.0.0.1+1-0ubuntu1) feisty; urgency=low
* repackage with new upstream mozilla.org and split up patches
into distinct feature patches available at
http://people.ubuntu.com/~asac/firefox-patches/
* make use of original source tarball as distributed from
ftp.mozilla.org
* debian/rules: use --enable-official-branding to produce
official firefox branding; remove icons in debian/ dir;
add more garbage cleanup
* debian/firefox.links: /usr/share/pixmaps/firefox.png and
usr/share/pixmaps/mozilla-firefox.png now link to
usr/share/firefox/icons/mozicon128.png
* drop FeedWriter.js patch, no rationale available.
* xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp,
xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp,
xpcom/reflect/xptcall/src/md/unix/Makefile.in,
xpcom/reflect/xptcall/src/md/unix/xptcinvoke_mips.cpp,
xpcom/reflect/xptcall/src/md/unix/xptcinvoke_asm_mips.s,
xpcom/reflect/xptcall/src/md/unix/xptcstubs_linux_m68k.cpp,
xpcom/reflect/xptcall/src/md/unix/xptcinvoke_asm_parisc_linux.s,
xpcom/reflect/xptcall/src/md/unix/xptcstubs_asm_parisc_linux.s,
xpcom/reflect/xptcall/src/md/unix/xptcstubs_asm_mips.s,
configure.in, config/rules.mk, security/coreconf/Linux.mk:
drop Debian architecture patches for
non-Ubuntu platforms
* debian/control: taking over maintainership
* configure.in: update hidden visibility patch from bugzilla
* configure.in: drop
* Makefile.in: drop explicit export of nss as build system is not
broken anymore
* browser/app/Makefile.in: drop linker tweaks for now.
* browser/app/profile/firefox.js: drop override for homepage
* browser/locales/en-US/chrome/branding/brand.properties: drop further
branding hacks not needed anymore
* browser/components/search/nsSearchService.js: drop not needed
official browser hacks
* prefs-size.diff: removed garbage file from source
-- Alexander Sack <email address hidden> Wed, 15 Feb 2007 23:15:00 +0100
-
firefox (2.0.0.1+0dfsg-0ubuntu2) feisty; urgency=low
* Build using hunspell instead of myspell.
- debian/control: Build-depend on libhunspell-dev instead of libmyspell-dev.
- config/autoconf.mk.in: Add MOZ_MYSPELL_CFLAGS.
- extensions/spellcheck/myspell/src/Makefile.in: Use MOZ_MYSPELL_CFLAGS.
- extensions/spellcheck/myspell/src/mozMySpell.h: Include hunspell.cxx
instead of myspell.cxx.
- configure.in, configure: Overwrite myspell detection with hunspell.
-- Matthias Klose <email address hidden> Thu, 18 Jan 2007 11:57:14 +0000
-
firefox (2.0.0.1+0dfsg-0ubuntu1) feisty; urgency=low
* New upstream security update:
- CVE-2006-6507, MFSA 2006-76: XSS using outer window's Function object.
- CVE-2006-6506, MFSA 2006-75: RSS Feed-preview referrer leak.
- CVE-2006-6504, MFSA 2006-73: SVG Processing Remote Code Execution.
- CVE-2006-6503, MFSA 2006-72: XSS by setting img.src to javascript: URI.
- CVE-2006-6502, MFSA 2006-71: LiveConnect crash finalizing JS objects.
- CVE-2006-6501, MFSA 2006-70: Privilege escalation using watch point.
- CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, MFSA 2006-68: Crashes
with evidence of memory corruption.
* debian/rules: use original upstream icons (Closes LP#68180).
* debian/debsearch.src: make feisty the default debsearch target.
* browser/base/content/utilityOverlay.js: change Launchpad translation/help
pages for Feisty.
-- Kees Cook <email address hidden> Thu, 21 Dec 2006 09:51:22 -0800
-
firefox (2.0+0dfsg-0ubuntu3) edgy; urgency=low
* Patch from upstream CVS to fix RSS preview/subscription, thanks to Mike
Connor and Martin Jürgens (Closes: LP#61182)
-- Matt Zimmerman <email address hidden> Mon, 23 Oct 2006 10:20:25 +0100