Change logs for firefox source package in Dapper

  • firefox (1.5.dfsg+1.5.0.15~prepatch080614l-0ubuntu1) dapper-security; urgency=low
    
      [ Alexander Sack ]
      * release backports for security issues disclosed in 3.0.8
        - see USN-745-3
      * patches used: moz_1.8.0.15prepatches080614l.tar.gz
        from:  http://people.ubuntu.com/~asac/mozilla-security/1.8.1.21tb+3.0.8
    
     -- Alexander Sack <email address hidden>   Fri, 27 Mar 2009 13:29:35 +0100
  • firefox (1.5.dfsg+1.5.0.15~prepatch080614k-0ubuntu2) dapper-security; urgency=low
    
      * from CVE-2004-2761: blacklist rogue PoC md5 collision certificate. Note:
        this only blacklists the PoC cert referred to by CVE-2004-2761 and does
        not fix the CVE itself; see: https://bugzilla.mozilla.org/show_bug.cgi?id=471715
        - patching file security/nss/lib/ckfw/builtins/certdata.c
        - patching file security/nss/lib/ckfw/builtins/certdata.txt
        - patching file security/nss/lib/ckfw/builtins/nssckbi.h
    
     -- Alexander Sack <email address hidden>   Mon, 09 Mar 2009 15:42:55 +0100
  • firefox (1.5.dfsg+1.5.0.15~prepatch080614k-0ubuntu1) dapper-security; urgency=low
    
      [ Alexander Sack ]
      * release backports for security issues disclosed in 3.0.7
        - see USN-728-3
      * patches used: moz_1.8.0.15prepatches080614k.tar.gz
        from:  http://people.ubuntu.com/~asac/mozilla-security/1.8.1.21tb+3.0.7
    
     -- Alexander Sack <email address hidden>   Thu, 05 Mar 2009 12:36:21 +0100
  • firefox (1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1) dapper-security; urgency=low
    
      [ Alexander Sack ]
      * release backports for security issues disclosed in 3.0.6
        - see USN-717-3
      * patches used: moz_1.8.0.15prepatches080614j.tar.gz
        from:  http://people.ubuntu.com/~asac/mozilla-security/1.8.1.21+3.0.6/
    
     -- Alexander Sack <email address hidden>   Mon, 09 Feb 2009 20:24:58 +0100
  • firefox (1.5.dfsg+1.5.0.15~prepatch080614i-0ubuntu1) dapper-security; urgency=low
    
      [ Alexander Sack ]
      * release backports for security issues disclosed in 2.0.0.19
        - see USN-690-3
      * patches used: moz_1.8.0.15prepatches080614i.tar.gz
        from:  http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/
    
     -- Alexander Sack <email address hidden>   Mon, 10 Nov 2008 20:47:13 +0100
  • firefox (1.5.dfsg+1.5.0.15~prepatch080614h-0ubuntu1) dapper-security; urgency=low
    
      [ Alexander Sack ]
      * release backports for security issues disclosed in 2.0.0.18
        - see 667-1
      * patches used: moz_1.8.0.15prepatches080614h.tar.gz
        from:  http://people.ubuntu.com/~asac/mozilla-security/1.8.1.18/
    
     -- Alexander Sack <email address hidden>   Mon, 10 Nov 2008 20:47:13 +0100
  • firefox (1.5.dfsg+1.5.0.15~prepatch080614e-0ubuntu3) dapper-security; urgency=low
    
      * release backports for security issues disclosed in 2.0.0.17
        - see USN-645-2
      * patches used: moz_1.8.0.15prepatches080614e.tar.gz
        from:  http://people.ubuntu.com/~asac/mozilla-security/1.8.1.17/
      * late coming patch in diff.gz: 451617_attachment_334949.patch,
        449703_attachment_335439.patch
        - add patches/451617_attachment_334949.patch
        - add patches/449703_attachment_335439.patch
        - update patches/series
    
     -- Alexander Sack <email address hidden>   Thu, 18 Sep 2008 13:16:42 +0200
  • firefox (1.5.dfsg+1.5.0.15~prepatch080614d-0ubuntu1) dapper-security; urgency=low
    
      * release backports for security issues disclosed in 2.0.0.15
        - see USN-623-1
      * patches used: moz_1.8.0.15prepatches080614d.tar.gz
        from:  http://people.ubuntu.com/~asac/mozilla-security/1.8.1.16/
    
     -- Alexander Sack <email address hidden>   Fri, 11 Jul 2008 17:24:18 +0200
  • firefox (1.5.dfsg+1.5.0.15~prepatch080614c-0ubuntu1) dapper-security; urgency=low
    
      * release backports for security issues disclosed in 2.0.0.15
        - see USN-619-1
      * patches used: moz_1.8.0.15prepatches080614c.tar.gz
        from:  http://people.ubuntu.com/~asac/mozilla-security/1.8.1.15/
    
     -- Alexander Sack <email address hidden>   Sun, 15 Jun 2008 10:45:39 +0200
  • firefox (1.5.dfsg+1.5.0.15~prepatch080417a-0ubuntu1) dapper-security; urgency=low
    
      * release backports for security issues disclosed in 2.0.0.14
        - see USN-602-1
      * patches on top of 1.8.0 branch cvs checkout (17 apr 08) are in
        patches/series
    
     -- Alexander Sack <email address hidden>   Thu, 17 Apr 2008 12:18:04 +0200
  • firefox (1.5.dfsg+1.5.0.15~prepatch080323a-0ubuntu1) dapper-security; urgency=low
    
      * release backports for security issues disclosed in 2.0.0.13
        - see USN-592-1
      * patches on top of 1.8.0 branch cvs checkout are in patches/series
      * fix greasemonkey regression (bmo 417617) introduced by bmo 403168
        - add patches/417617_attachment_306518.patch (in orig sources)
        - update and apply patches/series (in orig sources)
    
     -- Alexander Sack <email address hidden>   Tue, 25 Mar 2008 18:45:23 +0100
  • firefox (1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1) dapper-security; urgency=low
    
      [ Alexander Sack ]
      * New security/stability upstream release (v2.0.0.12) - 1.8.0.14 prepatches
      * MFSA 2008-01 aka CVE-2008-0412: Crashes with evidence of memory corruption
        v1.8.1.12 (Browser crashes)
      * MFSA 2008-01 aka CVE-2008-0413: Crashes with evidence of memory corruption
        v1.8.1.12 (javascript crashes)
      * MFSA 2008-02 aka CVE-2008-0414: Multiple file input focus stealing
        vulnerabilities: 1. Focus shifting bugs and 2. Selective keystroke blocking
        bugs
      * MFSA 2008-03 aka CVE-2008-0415: Privilege escalation, XSS, Remote Code
        Execution (JavaScript privilege escalation bugs)
      * MFSA 2008-04 aka CVE-2008-0416: Multiple XSS vulnerabilities from
        character encoding
      * MFSA 2008-05 aka CVE-2008-0417: Stored password corruption
      * MFSA 2008-06 aka CVE-2008-0418: Directory traversal via chrome: URI
      * MFSA 2008-07 aka CVE-2008-0419: Web browsing history and forward navigation
        stealing
      * MFSA 2008-08 aka CVE-2008-0420: Possible information disclosure in BMP
        decoder
      * MFSA 2008-09 aka CVE-2008-0591: File action dialog tampering
      * MFSA 2008-10 aka CVE-2008-0592: Mishandling of locally-saved plain text
        files
      * MFSA 2008-11 aka CVE-2008-0593: URL token stealing via stylesheet redirect
      * MFSA 2008-12 aka CVE-2008-0594: Web forgery overwrite with div overlay
      * new patches in patches/ directory.
        - 0035_400556-attachment-291144.patch
        - 0036_404627-attachment-289554.patch
        - 0037_373344-attachment-290723.patch
        - 0038_197052-attachment-293907.patch
        - 0039_408256-attachment-293003.patch
        - 0040_398085-(backport-for-1.8.0-based-on-attachment-294254).patch
        - 0041_407720-(backported-attachment-292398).patch
        - 0042_405299-attachment-290682.patch
        - 0043_397427-attachment-289039.patch
        - 0044_398088-attachment-293903.patch
        - 0045_398006-(backported-attachment-285966-to-1.8.0-branch).patch
        - 0046_372075-attachment-283810.patch
        - 0047_402150-attachment-287556.patch
        - 0048_387258-attachment-284314.patch
        - 0049_404252-attachment-294506.patch
        - 0050_407161-attachment-291904.patch
        - 0051_390597-attachment-294507.patch
        - 0052_402087-attachment-294455.patch
        - 0053_396613-attachment-294993.patch
        - 0054_386695-attachment-271164.patch
        - 0055_399298-attachment-294508-(plus-merge-fix-from-CVS).patch
        - 0056_394610-attachment-294615.patch
        - 0057_393141-attachment-299679.patch
        - 0058_413135-attachment-298006-299567-combined.patch
        - 0059_413250-attachment-299017.patch
        - 0060_406572-attachment-296606.patch
        - 0061_346405-attachment-298420.patch
        - 0062_364801-attachment-286245.patch
        - 0063_412363-attachment-299387.patch
        - 0064_393762-attachment-294964.patch
        - 0065_364801-attachment-286245-(fix-build).patch
        - 0066_411072-attachment-296728.patch
        - 0067_405818-attachment-298126-(followup-for-397427).patch
        - 0068_376473-attachment-299684.patch
        - 0069_413250-attachment-300720.patch
        - 0070_413250-attachment-300976-(fix-french-help-regresion).patch
    
     -- Alexander Sack <email address hidden>   Mon, 04 Feb 2008 12:59:19 +0100
  • firefox (1.5.dfsg+1.5.0.14~prepatch071125a-0ubuntu1) dapper-security; urgency=low
    
      * New security/stability upstream release (v2.0.0.10) - 1.8.0.14 prepatches
      * MFSA 2007-37 aka CVE-2007-5947
      * MFSA 2007-38 aka CVE-2007-5959
      * MFSA 2007-39 aka CVE-2007-5960
    
     -- Alexander Sack <email address hidden>   Sun, 25 Nov 2007 20:48:44 +0100
  • firefox (1.5.dfsg+1.5.0.14~prepatch071011b-0ubuntu1) dapper-security; urgency=low
    
      * New security/stability upstream release (v2.0.0.8) - 1.8.0.14 prepatches
        - CVE-2007-1095 - Trick the user when leaving the page
        - CVE-2007-5334 - Trick the user by changing the titlebar
        - CVE-2007-3511 - file input focus stealing vulnerability
        - CVE-2007-5335 - addMicrosummaryGenerator sidebar method can install from
          file URI (1.8.0 doesn't ship the affected feature)
        - CVE-2007-2292 - Browser Digest Authentication Request Splitting
        - CVE-2007-5336 - Notify on text changes before firing mutation events
        - CVE-2007-5337 - sftp protocol support
        - CVE-2007-5338 - Arbitrary code execution by polluting implicit
          XPCNativeWrapper
        - CVE-2007-5339 - crashes with evidence of memory corruption
          (layout + unsorted)
        - CVE-2007-5340 - crashes with evidence of memory corruption (javascript)
        - CVE-2007-5341 - Bugs in Venkman extension (not shipped)
        - CVE-2007-4841 - URIs with invalid % encodings launch wrong handler on
          WinXP+IE7 (not affected)
    
     -- Alexander Sack <email address hidden>   Thu, 18 Oct 2007 15:32:18 +0200
  • firefox (1.5.dfsg+1.5.0.13~prepatch070731-0ubuntu1) dapper-security; urgency=low
    
      * New security/stability upstream release (v2.0.0.6) - 1.8.0.13 prepatches
      * MFSA 2007-26 aka CVE-2007-3844
      * MFSA 2007-27 aka CVE-2007-3845
    
     -- Alexander Sack <email address hidden>   Tue, 31 Jul 2007 12:25:11 +0200
  • firefox (1.5.dfsg+1.5.0.13~prepatch070716-0ubuntu1) dapper-security; urgency=low
    
      * New security/stability upstream release (v2.0.0.5)
      * MFSA 2007-18 aka CVE-2007-3734 (browser), CVE-2007-3735 (Javascript)
      * MFSA 2007-19 aka CVE-2007-3736
      * MFSA 2007-20 aka CVE-2007-3089
      * MFSA 2007-21 aka CVE-2007-3737
      * MFSA 2007-22 aka CVE-2007-3285
      * MFSA 2007-23 aka CVE-2007-3670
      * MFSA 2007-24 aka CVE-2007-3656
      * MFSA 2007-25 aka CVE-2007-3738
    
     -- Alexander Sack <email address hidden>   Wed, 18 Jul 2007 14:18:00 +0200
  • firefox (1.5.dfsg+1.5.0.12+sg1.8.1.5~prepatch070716-0ubuntu1) dapper-proposed; urgency=low
    
      * preview of security backports for 1.8.1.5 release.
    
     -- Alexander Sack <email address hidden>   Mon, 16 Jul 2007 15:20:58 +0200
  • firefox (1.5.dfsg+1.5.0.12-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * New upstream stability/security release
      * MFSA2007-17 aka CVE-2007-2871: XUL Popup Spoofing
      * MFSA2007-16 aka CVE-2007-2870: XSS using addEventListener
      * MFSA2007-14 aka CVE-2007-1362: Path Abuse in Cookies
      * MFSA2007-13 aka CVE-2007-2869: Persistent Autocomplete Denial of Service
      * MFSA2007-12 aka CVE-2007-2867 (layout engine) + CVE-2007-2868
        (javascript engine): Crashes with evidence of memory corruption
    
     -- Alexander Sack <email address hidden>   Thu, 31 May 2007 11:01:11 +0100
  • firefox (1.5.dfsg+1.5.0.11-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * New upstream stability/security release
      * MFSA2007-11 aka CVE-2007-1562: FTP PASV port-scanning
    
     -- Alexander Sack <email address hidden>   Wed, 21 Mar 2007 15:00:00 +0100
  • firefox (1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2) dapper-security; urgency=low
    
      * debian/rules: fix for regression: libfreebl3.so installed in wrong directory
        after libnss upstream branch switch (LP#89054, LP#88990).
        add libfreebl3.so to /usr/lib/ in libnss3 package
        - verified fix for evolution
        - verified fix for gaim-encryption
    
     -- Alexander Sack <email address hidden>   Thu, 1 Mar 2007 23:50:00 +0100
  • firefox (1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * New upstream security update:
      * MFSA2007-01 - Crashes with evidence of memory corruption
        (rv:1.8.0.10/1.8.1.2):
         - CVE-2007-0775 - layout engine crashes
         - CVE-2007-0776 - SVG
         - CVE-2007-0777 - javascript engine corruption
      * MFSA2007-02 - Improvements to help protect against Cross-Site
        Scripting attacks:
         - CVE-2007-0995 - Invalid trailing characters in HTML tag attributes
         - CVE-2007-0996 - Child frame character set inheritance
         - CVE-2006-6077 - Injected password forms
      * MFSA2007-03 aka CVE-2007-0778: Information disclosure through cache
        collisions
      * MFSA2007-04 aka CVE-2007-0779: Spoofing using custom cursor and CSS3
        hotspot
      * MFSA2007-05 aka CVE-2007-0780, CVE-2007-0800: XSS and local file access
        by opening blocked popups
      * MFSA2007-06 aka CVE-2007-0008, CVE-2007-0009: Mozilla Network Security
        Services (NSS) SSLv2 buffer overflow
      * MFSA2007-07 aka CVE-2007-0981: Embedded nulls in location.hostname
        confuse same-domain checks
      * security/nss/lib/freebl/unix_rand.c: dropping preprocessor condition
        as an equivalent check has been introduced upstream (#ifndef LINUX
        -> #ifdef DO_NETSTAT)
      * security/coreconf/rules.mk: adapted patch to changed upstream code base
      * security/coreconf/Linux.mk: dropping ppc64 OS_TEST as it has been
        applied upstream
      * toolkit/components/passwordmgr/base/nsPasswordManager.cpp: adapting
        patch to updated code-base.
    
     -- Alexander Sack <email address hidden>   Wed, 21 Feb 2007 18:05:00 -0800
  • firefox (1.5.dfsg+1.5.0.9-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * toolkit/components/passwordmgr/base/nsPasswordManager.cpp: Regression
        fix for crashes on auto-filling forms without usernames (Closes LP#77859).
    
     -- Kees Cook <email address hidden>   Fri, 26 Jan 2007 09:14:16 -0800
  • firefox (1.5.dfsg+1.5.0.9-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security update:
        - CVE-2006-6504, MFSA 2006-73: SVG Processing Remote Code Execution.
        - CVE-2006-6503, MFSA 2006-72: XSS by setting img.src to javascript: URI.
        - CVE-2006-6502, MFSA 2006-71: LiveConnect crash finalizing JS objects.
        - CVE-2006-6501, MFSA 2006-70: Privilege escalation using watch point.
        - CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, MFSA 2006-68: Crashes
          with evidence of memory corruption.
    
     -- Kees Cook <email address hidden>   Tue,  2 Jan 2007 11:23:28 -0800
  • firefox (1.5.dfsg+1.5.0.8-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security update:
      - CVE-2006-5463, MFSA 2006-67: Running Script can be recompiled.
      - CVE-2006-5462, MFSA 2006-66: RSA signature forgery (variant).
      - CVE-2006-5464, CVE-2006-5747, CVE-2006-5748, MFSA 2006-65: Crashes with
        evidence of memory corruption.
    
     -- Martin Pitt <email address hidden>   Tue, 14 Nov 2006 19:45:44 +0000
  • firefox (1.5.dfsg+1.5.0.7-ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security update:
        - MFSA 2006-64, CVE-2006-4571: Crashes with evidence of memory corruption
          (rv:1.8.0.7)
        - MFSA 2006-62, CVE-2006-4569: Popup-blocker cross-site scripting (XSS)
        - MFSA 2006-61, CVE-2006-4568: Frame spoofing using document.open()
        - MFSA 2006-60, CVE-2006-4340: RSA Signature Forgery
        - MFSA 2006-59, CVE-2006-4253: Concurrency-related vulnerability
        - MFSA 2006-58, CVE-2006-4567: Auto-Update compromise through DNS and SSL
          spoofing
        - MFSA 2006-57, CVE-2006-4565, CVE-2006-4566: JavaScript Regular Expression
          Heap Corruption
    
     -- Martin Pitt <email address hidden>   Thu, 21 Sep 2006 07:16:32 +0000
  • firefox (1.5.dfsg+1.5.0.5-0ubuntu6.06.1) dapper-security; urgency=low
    
      * Fix to non-HTTP loading of <object ...>'s (eg, streaming media
        files).  Mozilla Bugzilla #346167.  Expected to be the sole
        change in Firefox upstream 1.5.0.6.
    
     -- Ian Jackson <email address hidden>   Mon, 31 Jul 2006 13:55:56 +0100
  • firefox (1.5.dfsg+1.5.0.5-0ubuntu6.06) dapper-security; urgency=low
    
      * New upstream version 1.5.0.5, `security and stability fixes'.
        - MFSA 2006-44, CVE-2006-3801: Code execution through deleted frame
          reference [does not affect 1.0]
        - MFSA 2006-45, CVE-2006-3677: Javascript navigator Object
          Vulnerability [does not affect 1.0]
        - MFSA 2006-46, CVE-2006-3113: Memory corruption with simultaneous
          events [does not affect 1.0]
        - MFSA 2006-47, CVE-2006-3802: Native DOM methods can be hijacked
          across domains [does not affect 1.0]
        - MFSA 2006-48, CVE-2006-3803: JavaScript new Function race
          condition [does not affect 1.0]
        - MFSA 2006-50, CVE-2006-3805, CVE-2006-3806: JavaScript engine
          vulnerabilities
        - MFSA 2006-51, CVE-2006-3807: Privilege escalation using
          named-functions and redefined "new Object()"
        - MFSA 2006-52, CVE-2006-3808: PAC privilege escalation using
          Function.prototype.call
        - MFSA 2006-53, CVE-2006-3809: UniversalBrowserRead privilege
          escalation
        - MFSA 2006-54, CVE-2006-3810: XSS with XPCNativeWrapper
          (window).Function(...) [does not affect 1.0]
        - MFSA 2006-55, CVE-2006-3811: Crashes with evidence of memory
          corruption (rv:1.8.0.5)
        - MFSA 2006-56, CVE-2006-3812: chrome: scheme loading remote
          content
      * The above includes upstream's different fixes for Malone 45395's
        two crashing bugs in nsCopySupport.cpp and nsHTMLFormatConverter.cpp.
      * Reran autoconf2.13.
    
     -- Ian Jackson <email address hidden>   Thu, 27 Jul 2006 12:13:37 +0100
  • firefox (1.5.dfsg+1.5.0.4-0ubuntu6.06) dapper-security; urgency=low
    
      * New upstream version, 1.5.0.4, security/stability fixes
        from upstream.  This is known to include the following security fixes:
        - MFSA 2006-43, CVE-2006-2777: Privilege escalation using
          addSelectionListener
        - MFSA 2006-42, CVE-2006-2783: Web site XSS using BOM on UTF-8
          pages
        - MFSA 2006-41, CVE-2006-2782: File stealing by changing input
          type (variant)
        - MFSA 2006-38, CVE-2006-2778: Buffer overflow in
          crypto.signText()
        - MFSA 2006-37, CVE-2006-2776: Remote compromise via
          content-defined setter on object prototypes
        - MFSA 2006-36, CVE-2006-2784: PLUGINSPAGE privileged JavaScript
          execution 2
        - MFSA 2006-35, CVE-2006-2775: Privilege escalation through XUL
          persist
        - MFSA 2006-34, CVE-2006-2785: XSS viewing javascript: frames or
          images from context menu
        - MFSA 2006-33, CVE-2006-2786: HTTP response smuggling
        - MFSA 2006-32, CVE-2006-2779, CVE-2006-2780: Fixes for crashes with
          potential memory corruption
        - MFSA 2006-31, CVE-2006-2787: EvalInSandbox escape (Proxy
          Autoconfig, Greasemonkey)
        - CVE-2006-2788: Double memory free in nsIX509::getRawDER when
          called from JavaScript (Mozilla bug #321598)
        This package is based on Debian's firefox_1.5.dfsg+1.5.0.4.orig.tar.gz
        but has none of the corresponding Debian changes.
    
     -- Ian Jackson <email address hidden>   Tue,  6 Jun 2006 14:32:13 +0100
  • firefox (1.5.dfsg+1.5.0.3-0ubuntu3) dapper; urgency=low
    
      * Thai-related crash fix (Malone 45395):
        - nsCopySupport.cpp, nsCopySupport::HTMLCopy:
           do not crash if htmlConverter->Convert fails.
        - nsHTMLFormatConverter.cpp, nsHTMLFormatConverter::Convert:
           properly report failure if dataStr.IsEmpty.
        - nsJISx4501LineBreaker.cpp: fix printf(stderr -> fprintf.
      * Add Polish translation for firefox.desktop (Malone 45447).
        Thanks to contribution from Tomasz Dominikowski.
      * Do not attempt to merge /usr/lib/mozilla-firefox and /usr/lib/firefox
        and make the former a link to the latter; this is unfortunately
        error-prone and makes more problems than it solves.
        Fixes Malone 44487; regresses the plugins directory confusion bug.
      * Include MFSA and CVE numbers in changelog entry for 1.5.dfsg-1.
    
     -- Ian Jackson <email address hidden>   Tue, 23 May 2006 17:45:30 +0100
  • firefox (1.5.dfsg+1.5.0.3-0ubuntu2) dapper; urgency=low
    
      * Fix memory leak in large clipboard handling.  Malone 41093.
        Mozilla Bugzilla 289897; applied attachments 218749, 218753.
      * Provide symlink /usr/lib/mozilla-firefox -> /usr/lib/firefox
        (and shuffle stuff across if both directories exist).
      * Remove update-notifier `restart required' on removal so that if you
        remove firefox you're no longer asked to restart it.  Malone 36739.
      * Increase size of prefs window explicitly.  Malone 43528.
      * Suppress the error if /var/lib/locales/supported.d/* can't be read
        (probably because it doesn't exist).  If you get EIO or EACCES or some
        such then having pango mysteriously disabled will be the least of your
        worries.  Malone 44016.
      * Really use firefox_1.5.dfsg+1.5.0.3.orig.tar.gz from Debian.
    
     -- Ian Jackson <email address hidden>   Fri, 12 May 2006 19:20:30 +0100
  • firefox (1.5.dfsg+1.5.0.3-0ubuntu1) dapper; urgency=low
    
      * New upstream version, 1.5.0.3, security/stability fix from upstream:
        MFSA 2006-30, CVE-2006-1993: Deleted
         object reference when designMode="on"
        This package is based on Debian's firefox_1.5.dfsg+1.5.0.3.orig.tar.gz
        but has none of the corresponding Debian changes.
    
     -- Ian Jackson <email address hidden>   Wed, 10 May 2006 12:13:30 +0100
  • firefox (1.5.dfsg+1.5.0.2-0ubuntu2) dapper; urgency=low
    
      * Increase sizes of various dialogue boxes so that all of the contents
        fit.  Malone 26225, 36985, and probably others.
      * Set MOZ_DISABLE_PANGO=1 to disable pango, unless some locale is
        selected as supported which would need pango for rendering; the
        default can be overridden by setting MOZ_DISABLE_PANGO to 0 or 1.
        Malone 32561 (workaround).
      * Use update-notifier to request a firefox restart.  Malone 36739.
      * Added Spanish translation to firefox.desktop.
        Malone 39972.  Thanks to Rocco Stanzione for the patch.
      * Add a couple of missing trailing newlines.
        Malone 39972 again.  Thanks Rocco Stanzione for the report.
      * EbmedWindow::GetVisibility bugfix, Malone 40320, upstream 312998,
        thanks to chpe for the patch and discussion.
      * Add FC_ANY_METRICS set to FcTrue to all patterns that are going to be
        used for finding (rather than enumerating) fonts.  Malone 42559.
    
     -- Ian Jackson <email address hidden>   Tue,  2 May 2006 18:59:32 +0100
  • firefox (1.5.dfsg+1.5.0.2-0ubuntu1) dapper; urgency=low
    
      * New upstream version, 1.5.0.2.
        Described as `stability and security fixes' by upstream but many
        changes are included and producing a complete list is infeasible :-(.
        Fixes are known to be included for:
        - MFSA 2006-29, CVE-2006-1725: Spoofing with translucent windows
        - MFSA 2006-28, CVE-2006-1726: Security check of
             js_ValueToFunctionObject() can be circumvented
        - MFSA 2006-27, CVE-2006-0748: Table Rebuilding Code Execution
             Vulnerability
        - MFSA 2006-25, CVE-2006-1727: Privilege escalation through Print Preview
        - MFSA 2006-24, CVE-2006-1728: Privilege escalation using
             crypto.generateCRMFRequest
        - MFSA 2006-23, CVE-2006-1729: File stealing by changing input type
        - MFSA 2006-22, CVE-2006-1730: CSS Letter-Spacing Heap Overflow
             Vulnerability
        - MFSA 2006-20, CVE-2006-1529, CVE-2006-1530, CVE-2006-1531,
          CVE-2006-1723, CVE-2006-1724: Crashes with evidence of memory
             corruption.
        This package is based on Debian's firefox_1.5.dfsg+1.5.0.2.orig.tar.gz
        but has none of the corresponding Debian changes.
    
    firefox (1.5.dfsg+1.5.0.1-1ubuntu12) dapper; urgency=low
    
      * Sponsored upload for Theppitak Karoonboonyanan
      * Updated Thai word breaking patch:
        - load `libthai.so.0' instead of `libthai.so'.
        - print debug message only when DEBUG is defined.
        - debian/control: Suggests libthai0
    
     -- Ian Jackson <email address hidden>   Wed, 26 Apr 2006 16:53:22 +0100
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu12) dapper; urgency=low
    
      * Sponsored upload for Theppitak Karoonboonyanan
      * Updated Thai word breaking patch:
        - load `libthai.so.0' instead of `libthai.so'.
        - print debug message only when DEBUG is defined.
        - debian/control: Suggests libthai0
    
     -- Michael Vogt <email address hidden>   Thu, 13 Apr 2006 13:25:14 +0200
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu11) dapper; urgency=low
    
      * Fix silly lack of [ ] quoting in AC_DEFUN use.
        Malone 36659, Mozilla bugzilla 298457.
      * Make Preferences window not chop off various elements:
        - specify a width of 50em instead of 42em
        - do not specify a height
        - add another <separator/> to the bottom of privacy.xul's prefpane.
          I have no idea why this is necessary :-(.
        Malone 36985.
      * Fix broken UTF-8 in .desktop file (again).  Malone 37779.
      * Document how to use xpcshell in README.Debian.  Malone 35333.
      * Clarify updateReadOnlyMessage to refer to `system package manager'
        which will help the misunderstanding in Malone 31284.
    
     -- Ian Jackson <email address hidden>   Wed, 12 Apr 2006 17:18:52 +0100
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu10) dapper; urgency=low
    
      * Generate `firefox-dbg' package with debugging symbols.
        This involves changing debian/compat to 5, which should be safe.
      * Fix Norwegian translation in firefox.desktop. (Malone 30603.)
      * Fix trivial syntax problems in firefox.desktop. (Malone 33567.)
      * Remove x-directory/webdav x-directory/webdav-prefer-directory
        from MimeType list in desktop file.  (Malone 35928.)
      * Use `about.png.upstream' instead of `about.png.orig' as the saved
        original version for the branding; *.orig tends to get clobbered.
    
     -- Ian Jackson <email address hidden>   Fri, 24 Mar 2006 18:49:46 +0000
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu9) dapper; urgency=low
    
      * added thai linebreaking support (thanks to Theppitak Karoonboonyanan)
    
     -- Michael Vogt <email address hidden>   Tue, 14 Mar 2006 15:16:52 +0000
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu8) dapper; urgency=low
    
      * debian/rules:
        - renamed the idl directory to match the .pc name,
          replace mozilla-firefox by firefox for firefox-config too
    
     -- Sebastien Bacher <email address hidden>   Mon, 13 Mar 2006 15:12:43 +0100
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu7) dapper; urgency=low
    
      * Pointing the .pc files to /usr/include/firefox is not enough,
        better install the headers there too.
    
     -- Matthias Klose <email address hidden>   Sat, 11 Mar 2006 17:41:24 +0000
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu6) dapper; urgency=low
    
      * Replace Ubuntu Bugzilla bookmark with Launchpad's `Request
        support with Ubuntu' ticket creation page.  (Malone 28896.)
      * Reinstate `Translate This Application' in Help menu, despite the fact
        that Launchpad doesn't do this yet - you just get a page saying there
        are no translations for Firefox.  mdz assures us that this will be
        done some time during dapper's service life.
      * Make -P, -CreateProfile and -ProfileManager imply sensible
        values for -a, and document -a in firefox(1).  (Malone 31746.)
      * Fix md5sum mismatch which causes spurious conffile prompt on
        bookmarks.html.
      * Set browser.startup.homepage_override.mstone to ignore,
        to avoid the silly thing where the first time after the upgrade,
        firefox looks like it has lost your home page because it is so keen to
        tell you about the release notes.  (Malone 33895.)
      * Change `Latest Headlines' to `Latest BBC Headlines' to properly
        disclose the source up front, and use a corresponding RSS URL.
      * Revert the `you have chosen to open' dialogue, as discussed on
        ubuntu-devel.
      * Fix firefox-*.pc files to contain correct references to libs and
        includes, just like the mozilla-*.pc files.  (Malone 34200.)
    
     -- Ian Jackson <email address hidden>   Thu,  9 Mar 2006 19:56:58 +0000
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu5) dapper; urgency=low
    
      * Disable `Translate This Application' and don't try to have `Get Help
        Online' translated because we don't know how to translate firefox:
        https://launchpad.net/products/rosetta/+spec/rosetta-firefox-support
    
     -- Ian Jackson <email address hidden>   Fri, 24 Feb 2006 14:49:23 +0000
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu4) dapper; urgency=low
    
      * Disable (by default) the `you have chosen to open' dialogue box;
        instead, we just take the default (which is to open with the
        application from the Gnome MIME database).  This behaviour is
        controlled by browser.helperApps.defaultNoAsk.openFile.
    
      Bookmark, search and translation reference regression fixes:
      * Restore `Translate This Application' and `Get Help Online'
      * Add Ubuntu and Free Software links back to bookmarks
    
      Bookmark, search and translation references improvements:
      * Add Wikipedia to search box.
      * Remove `Quick searches' from bookmarks (these just replicate
        entries from the search box, and are broken anyway).
    
      * Get rid of README.Ubuntu - the contents are now no longer relevant.
    
     -- Ian Jackson <email address hidden>   Thu, 23 Feb 2006 14:44:42 +0000
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu3) dapper; urgency=low
    
      * Move /usr/lib/libxpcom*.so etc. back to /usr/lib/firefox; avoids
        clashes with other packages (eg mozilla).
      * Add rpath setting for /usr/lib/firefox to all .pc files in
        firefox-dev.  This is suboptimal, but at least it allows programs
        which use firefox-dev at compile-time to find firefox's .so's.
      * Take some redundant and perhaps privacy-leaking information out
        of the default User-Agent (Malone 30677).
    
     -- Ian Jackson <email address hidden>   Fri, 10 Feb 2006 17:42:12 +0000
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu2) dapper; urgency=low
    
      * Fix stupid FTBFS on default.xpm introduced in last upload.
      * Retrospectively insert CVE numbers into 1ubuntu1 changelog entry.
    
  • firefox (1.5.dfsg+1.5.0.1-1ubuntu1) dapper; urgency=low
    
      Changes since 1.5.dfsg-4ubuntu6:
      * New upstream version (1.5.0.1) - security and stability fixes,
        allegedly. (About 7000 lines of diff, so not reviewed for Ubuntu.)
      * Fix Norwegian translation in .desktop file.  (Malone #30603.)
      * mkdir /usr/include/mozilla in firefox-dev.preinst to avoid
        maintainer script sometimes preventing installation.
      * Move the shlibs needed for gtkmozembed to /usr/lib (avoids
        need for rpath and nonsense in firefox-gtkmozembed.pc).
      * Work around new GNU make braindamage by adding seddery to
        security/coreconf/rules.mk.
    
      Expected-permanent differences between Ubuntu and Debian:
      * Build nspr and nss for use by all other programs in the distribution
        (Packages: libnspr-dev, libnss-dev, libnspr4, libnss3.  Fairly main
        changes to parts of the build system.)  This is so that mozilla
        can be in Ubuntu universe.
      * Disable xprint.  (xprint is not used in Ubuntu.)
      * Slightly different arrangements to do with transitional arrangements
        related to package renaming from mozilla-firefox-*.
      * Removed transitional packages mozilla-firefox-dom-inspector and
        mozilla-firefox-gnome-support (not needed in Ubuntu).
      * Build firefox-dev; applications which embed a browser in Ubuntu
        generally embed Firefox rather than mozilla.  This also means that we
        build firefox with dynamic linking so that embedders can load ff.
      * Debian package search replaced by Ubuntu package search (and defaults
        to searching only in dapper, not all releases).
      * Changes to various icons (and their installation paths).
      * Strip CUPS/ from the front of displayed printer names, since
        all printing in Ubuntu is done via CUPS.
    
      Other differences remaining between Ubuntu and Debian:
      * debian/rules clean removes various junk left over by the mozilla build
        system.  (Debian #350616.)
      * Exclude libssl3.so from dpkg_shlibdeps as this triggers a bug in
        fakeroot on amd64 in Ubuntu.
      * Set FIREFOX_DSP=none by default.  Will sometimes break sound from eg
        Flash.  See https://launchpad.net/malone/bugs/29760 for rationale.
        (Debian maintainers notified but no bug filed.)
      * Append our plugin path to any previous value of MOZ_PLUGIN_PATH.
        (Malone 29412.  Debian #351806)
      * firefox.desktop file has more translations and consistently calls the
        application `Firefox Web Browser' (for better UI in the menus - this
        change is also in firefox.menu).  Debian #351807.
      * Default printing command doesn't break if printer name contains
        spaces (actually a preference, in all.js).  (Debian #351809,
        Mozilla Bugzilla #326245).
      * security/coreconf/rules.mk adjusted with awful seddery to cope with
        GNU make change to POSIXly interpretation of backslash line-joining.
        See http://lists.debian.org/debian-devel/2005/12/msg00988.html.
        Mozilla Bugzilla #325148.
      * security/coreconf/ruleset.mk has a set -e added.
      * Use GNOME mime database instead of mailcap.  Patch imported from Red
        Hat; see debian/gnome-mime-handling.diff.
      * Change various preferences:
        - Ubuntu-specific default homepage
        - Ubuntu-specific release notes
        - default homepage can be locale-specific
        - middlebutton paste disabled
        - do not load a special home page on first start after an upgrade
        - disable File / Import (wizard is nonfunctional).
          Malone #28563, Debian #350599, Mozilla Bugzilla 117844.
        - save files to Desktop by default
        - README.Ubuntu file (still rather full of junk)
        - Prevent websites disabling the right-button context menu.
        - Default font for display is sans, but:
        - Default CSS for printing uses a serif font.
    
    firefox (1.5.dfsg+1.5.0.1-1) unstable; urgency=low
    
      * The "those Ubuntu guys are great after all" release.
      * New upstream release. (Closes: #351442)
    
      [ Mike Hommey ]
      * debian/presubj: Added indications to try to reproduce without extensions
        before actually filing a bug, and a hint to the safe mode.
      * debian/firefox.install: added the reporter chrome files. (Closes: #344888)
      * widget/src/gtk2/nsWindow.cpp: Revert additional stale patch for
        extended mouse buttons support.
      * debian/firefox.postinst, debian/firefox.prerm: unbashified.
        (Closes: #349946)
      * debian/control, debian/firefox-gnome-support.postinst,
        debian/firefox-gnome-support.prerm: Let the firefox-gnome-support
        package provide gnome-www-browser and handle a gnome-www-browser
        alternative. Thanks Loïc Minier. (Closes: #350788)
      * debian/firefox-runner: Enable Pango support by default. The
        MOZ_ENABLE_PANGO environment variable is now useless. (Closes: #338716)
      * debian/README.Debian: Change the paragraph about Pango to hint about
        the MOZ_DISABLE_PANGO variable.
    
      [ Eric Dorland ]
      * content/events/src/nsEventStateManager.cpp,
        modules/libpref/src/init/all.js, widget/public/nsGUIEvent.h: Apply
        patch from Ian Jackson to revert a stale patch for multiple mouse
        button support that was fixed in a different way in 1.5
        (Closes: #348375)
      * debian/firefox.preinst: Check md5sum's of old conffiles before cp'ing
        them on upgrade. This won't stop all unnecessary conffile prompting in
        all situations (especially from really old versions), but should
        definitely work for upgrading from testing or stable. (Closes:
        #345112)
      * debian/firefox.install:
        - Remove run-mozilla.sh. (Closes: #348902)
        - Reorganize things a bit.
        - Move profile into /etc/firefox here, instead of in the rules file.
      * debian/firefox.install, debian/firefox.preinst, debian/firefox.links,
        debian/firefox.dirs, debian/rules: Move chrome, defaults, greprefs
        into /usr/share/firefox for more FHS goodness.
      * debian/firefox.1: Document -new-tab and -new-window options, and
        remove deprecated -remote option. (Closes: #348699)
      * debian/firefox-runner: Apply patch to properly URL escape local
        files. Thanks Morita Sho. (Closes: #348451)
      * browser/app/profile/firefox.js:
        - Reallow 40-bit ciphers, since now firefox warns people who
          use them. (Closes: #349624)
        - Enable bidi UI elements for our bi-directional friends.
          (Closes: #348069)
      * debian/rules: Remove glob pattern from dh_install invocation. Thanks
        Ian Jackson. (Closes: #350571)
      * browser/base/content/aboutDialog.xul: Fix spurious scrollbar in the
        about dialog box. Thanks Ian Jackson. (Closes: #350608)
      * js/src/fdlibm/fdlibm.h: Patch to fix little endianness of
        mipsel. Thanks Ian Jackson and Thiemo Seufer. (Closes: #350621)
      * browser/base/content/search.xml: Patch from Ian Jackson to remove
        misleading Clear option from search box context menu. (Closes: #350611)
      * debian/watch: Fix regex to actually find the upstream tarballs.
      * modules/libpref/src/init/all.js: Cope better with printers with spaces
        in the name. Thanks Ian Jackson.
      * toolkit/components/passwordmgr/base/nsPasswordManager.cpp: Take patch
        from bz#235336 as suggested by Ian Jackson to allow password manager
        to work with sites that only have a password field, no username.
    
  • firefox (1.5.dfsg-4ubuntu6) dapper; urgency=low
    
    
      * Better comment regarding Import Wizard disablement, referring to
        upstream (117844) and Debian (350599) bugs.
      * Remove obsolete patch from run-mozilla.sh (which we don't use).
      * FIREFOX_DSP=none is really the default this time.  (See 4ubuntu5; it
        turns out that /etc/firefoxrc exists for no good reason and contains
        an override for FIREFOX_DSP).
      * firefox(1) manpage adjusted wrt FIREFOX_DSP.
      * Fix mozilla-nss.pc to refer to mozilla-nspr, not firefox-nspr.
    
     -- Ian Jackson <email address hidden>  Mon, 30 Jan 2006 19:15:43 +0000
  • firefox (1.5.dfsg-4ubuntu5) dapper; urgency=low
    
    
      * FIREFOX_DSP=none is the default everywhere, since the crashing
        problems due to esddsp non-thread-safety appear on i386 too.
        This will break sound from Flash in some situations.
        See https://launchpad.net/malone/bugs/29760 for the rationale.
      * Remove erroneous build-dependency on libxp-dev.
      * Append our plugin path to any previous value of MOZ_PLUGIN_PATH.
        (Malone 29412.)
      * Do not put anything in, or look at, /usr/lib/mozilla and
        /usr/include/mozilla.  We use /usr/{lib,include}/firefox.
    
     -- Ian Jackson <email address hidden>  Fri, 27 Jan 2006 16:40:28 +0000
  • firefox (1.5.dfsg-4ubuntu4) dapper; urgency=low
    
    
      * libnssckbi.so must not be installed in /usr/lib/mozilla, move it to
        /usr/lib/firefox; /usr/lib/mozilla is the namespace of the mozilla/
        mozilla-browser package; we cannot conflict runtime packages like
        libnss3 and mozilla-browser as we do for the -dev packages.
      * Current libnss3 replaces older firefox package.
      * Set vendor name to Ubuntu.
    
     -- Matthias Klose <email address hidden>  Sat, 21 Jan 2006 15:27:01 +0100
  • firefox (1.4.99+1.5rc3.dfsg-1ubuntu12) dapper; urgency=low
    
    
      * downloads.js (twice): fix `download manager empty' bug.
        (Ubuntu Bugzilla 19927 20450.)
    
     -- Ian Jackson <email address hidden>  Thu,  5 Jan 2006 19:20:27 +0000
  • firefox (1.4.99+1.5rc3.dfsg-1ubuntu10) dapper; urgency=low
    
    
      * debian/rules:
        - fix lack of libnssckbi.so in the directory the firefox browser
          expects.  (fallout from libnss/libnspr integration changes;
          Ubuntu bugzilla 21310).
      * debian/rules:
        - create a gre.conf (Ubuntu bugzilla 13750).
      * mozilla-firefox/include/{nspr,nss} (debian/rules etc.):
        - include these directories in firefox-dev, not libnss/libnspr-dev.
        - help dpkg with directory/symlink transition.
    
     -- Ian Jackson <email address hidden>  Wed,  4 Jan 2006 18:39:15 +0000
  • firefox (1.4.99+1.5rc3.dfsg-1ubuntu9) dapper; urgency=low
    
    
      * debian/rules:
        - use the correct arguments to call dh_install, install firefox-nspr.pc
    
     -- Sebastien Bacher <email address hidden>  Wed, 21 Dec 2005 21:18:46 +0100
  • firefox (1.4.99+1.5rc3.dfsg-1ubuntu8) dapper; urgency=low
    
    
      * debian/rules:
        - use the same dirty fix for the libnss-dev headers.
    
     -- Matthias Klose <email address hidden>  Tue, 20 Dec 2005 18:26:25 +0100
  • firefox (1.4.99+1.5rc3.dfsg-1ubuntu4) dapper; urgency=low
    
    
      * Applied mozilla-1.7.12-2.src.rpm's firefox-1.0-uriloader.patch
        which causes firefox to look first in the Gnome MIME handling registry
        (MIME handling is still very wrong).
      * Disabled File / Import from main menu since it does not work at all
        (Ubuntu bugzilla 10339 still applies; patch brought forward).
      * Displayed printer names no longer show `CUPS/' prefix.
        (Ubuntu bugzilla 11481 regressed; patch from Breezy enhanced).
      * Print command fixed (again) to cope with spaces in printer names.
      * Remove incorrect note about Pango from README.Debian.
      * Re-fix-up localised startup URLs in en-US region.properties.
      * Fix incorrect layout/sizing in Help / About box (a bit hacky).
      * Re-forward-port patch to fix printer names with spaces.
      * Remove all subdirectories '*.OBJ' during clean.
    
     -- Ian Jackson <email address hidden>  Fri,  2 Dec 2005 20:16:18 +0000