This is a bug fix release.
Fixed bugs are follows:
* Fix for a potential buffer overflow vulnerability when loading
a hostname with all soft-hyphens
* Fix to prevent URLs passed from external programs from being
parsed by the shell (Linux only)
* Fix to prevent a crash when loading a Proxy Auto-Config (PAC)
script that uses an "eval" statement
* Fix to restore InstallTrigger.getVersion() for Extension authors
* Fix a crash in mail when stopping a search and then searching again
* Other stability and security fixes
MFSA 2005-59 Command-line handling on Linux allows shell execution
MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes
MFSA 2005-57 IDN heap overrun using soft-hyphens
registration out of the installation step and into the INSTALL script.
Also, remove the registration commands from the PLIST as well. Putting
them into the INSTALL script allows for the same commands to be run
in the same way, so that there are fewer differences between installing
from source and installing from a binary package. Also, this makes
these packages pass CHECK_FILES=yes. Bump the PKGREVISION of firefox,
firefox-gtk1, mozilla, and mozilla-gtk2.
Also, include bsd.pkg.mk from the package Makefiles, not from within
Makefile.common. This is a style issue and allows for appending to
variables originally defined in Makefile.common from the package
Makefile.
NetBSD the thread safe resolver is only available on __NetBSD_Version__
>= 299000900. Fixes runtime usage on NetBSD 2.1. New Versions:
- firefox-1.0.6nb2
- firefox-gtk1-1.0.6nb2
- mozilla-1.7.11nb1
- mozilla-gtk2-1.7.11nb1
- thunderbird-1.0.6nb1
- thunderbird-gtk1-1.0.6nb1
this release fixed two issues
Changelog for Mozilla 1.7.11
300749 Switching folders doesn't work on 1st try/Click to mail folder displays
messages not always [JS error in msgMail3PaneWindow.js::ClearMessagePane]
301917 Cursor keys disabled/Caret not moving with keyboard in message compose window
This is a security fix release.
Fixed in Mozilla 1.7.9/1.7.10
MFSA 2005-56 Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-54 Javascript prompt origin spoofing
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-51 The return of frame-injection spoofing
MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
MFSA 2005-48 Same-origin violation with InstallTrigger callback
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-45 Content-generated event vulnerabilities
if installed on the system. Follows www/firefox/Makefile 1.13.
PKGREVISION unchanged as generated binary unaltered (on those systems which
could build it previously)
This is a security fix release.
Fixed bugs are follows.
MFSA 2005-32 Drag and drop loading of privileged XUL
MFSA 2005-30 GIF heap overflow parsing Netscape extension 2
MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing
MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files
MFSA 2005-27 Plugins can be used to load privileged content
MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab
MFSA 2005-25 Image drag and drop executable spoofing
MFSA 2005-24 HTTP auth prompt tab spoofing
MFSA 2005-23 Download dialog source spoofing
MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice
MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
MFSA 2005-18 Memory overwrite in string library
MFSA 2005-17 Install source spoofing with user:pass@host
MFSA 2005-16 Spoofing download and security dialogs with overlapping windows
MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
MFSA 2005-14 SSL "secure site" indicator spoofing
MFSA 2005-13 Window Injection Spoofing
see changelog for detail.
http://www.mozilla.org/releases/mozilla1.7.6/changelog.html
More specifically, this lets Mozilla NSS be used by other programs.
Also make the pkgconfig substitutions happen at post-build time, so that
the right rpaths are added to the mozilla-nspr.pc file (which is filled
in during the build).
Bump PKGREVISION to 1 for both packages. Ok'ed by taya@, the maintainer.
Mozilla 1.7.3 is a security update to Mozilla 1.7 that fixes a several
security vulnerabilities.
#93 "Send page" heap overrun (258005)
#92 javascript clipboard access (257523)
#91 Privilege request confusion (253942)
#90 Buffer overflow when displaying VCard (257314)
#89 BMP integer overflow (255067)
#88 javascript: link dragging (250862)
#87 non-ascii hostname heap overrun (256316)
#86 Malicious POP3 server III (245066, 226669)
#85 Wrong file permissions after installing on Linux (231083, 235781)
#84 Wrong file permissions in linux archive (254303)
See the page bellow for detail
http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
New features and fixes
Browser
* A new option to prevent sites from using JavaScript to block the
browser's context menu.
* Password Manager has a "show passwords" mode which will display
saved passwords. You will need to enter your master password if
you are using one.
* The "Set As Wallpaper" feature now has a confirmation dialog.
* Linux GTK2 builds have improved support for OS themes.
* Cookie dialogs have been reworked to make them more usable.
* Date handling, especially on OS X, has been improved.
* It is now possible to fine-tune Mozilla's pop-up blocking using
two preferences (dom.popup_maximum and dom.popup_allowed_events)
but there's no UI for that yet. Even without a UI, users should
notice a greater variety of pop-ups blocked (primarily mouseover
pop-ups) and a limit of 20 or so open at one time - regardless
of whether pop-up blocking is active. This will provide some
protection from sites that open hundreds of windows in a loop.
* Downloaded files are now moved to the target directory as soon
as the user selects the desired location. This was the
frequently reported bug 55690.
* There is now user interface to activate Smooth Scrolling
(Preferences -> Appearance).
* Mozilla now supports basic FTP upload.
Mail
* Many improvements to Palm Sync.
* IMAP IDLE support has been added.
* Support for "MSN Authentication" and Secure Password
* Authentication using SSPI NTLM auth for SMTP and POP3.
* A new preference to "always use the default character encoding
for replies" rather than using the encoding of the message being
replied to.
* Improvements to performance of downloading, viewing, and saving
mail messages.
* Support for multiple identities on the same mail account. See
the Multiple Identity Support documentation for more details.
* Support for relative paths for mail folders in prefs.js. This
makes it easier to copy profiles around without having to fix up
prefs.js afterwards.
* You can now edit address lists containing "Last, First" style
names.
* When composing mail, you can now use the up and down arrow keys
to scroll through the To/Cc/Bcc list.
* All Mozilla LDAP queries now default to using LDAPv3
(previously, they used LDAPv2). Mozilla should gracefully fall
back to v2 if v3 isn't found.
Chatzilla
* Chatzilla now supports zooming of fonts with keyboard shortcuts
(Ctrl + and Ctrl -), as well as with the View menu.
* Improved date handling; using the date/time format for the
locale.
* Support for the /ignore command.
* The ability to change the font family and size.
* Working custom sounds on Windows and Linux.
* Improvements to the preferences panel and the user interface for
half-op mode.
Under the Hood
* Size and performance have improved dramatically with this
release. When compared to Mozilla 1.6, Mozilla 1.7 is 7% faster at
startup, is 8% faster to open a window, has 9% faster page
loading, and is 5% smaller in binary size.
* A long-standing bug with CSS backgrounds on table elements has
been fixed (standards mode only).
* Support for Kerberos HTTP authentication using GSSAPI (benefits
Unix-like platforms including Linux and OS X).
* Support for smb:// URLs using the gnome-vfs library (only
enabled in GTK2+XFT Linux builds).
* Support for server push of XML documents using
multipart/x-mixed-replace and XMLHttpRequest.
* Liveconnect now works when a Java applet's codebase is in a
different domain.
* Support for the CSS3 opacity property.
* Mozilla adds support for the onbeforeunload event. This lets web
application developers add code that alerts the user about
potential data-loss when closing a web application, or when
leaving a HTML page with potentially sensitive information.
* This release has a new SVG backend. The feature is not yet
enabled in the mozilla.org releases but developers may wish to
compile with this feature enabled.
* Mozilla handles dynamic style changes much better (see bug 15608
for details.)
* Mozilla has upgraded the NSS libraries to version 3.9. NSS 3.9
passes all the NISCC SSL/TLS and S/MIME tests (1.6 million test
cases of invalid input data) without crashes or memory leaks.
even if it's main app creates another user config directory.
e.g. firefox creates .phoenix, thunderbird creates .thunderbird
so no need to define user config directory for each package based on mozilla.
simply remove ${WRKDIR}/.mozilla is enough
revision 1.53
date: 2004/04/24 10:36:15; author: grant; state: Exp; lines: +2 -1
make sure we link with the correct rpath on Solaris.
----------------------------
revision 1.52
date: 2004/04/24 10:35:23; author: grant; state: Exp; lines: +2 -2
don't pass "-Q option" to ${LD}, it isn't needed and the Solaris linker
errors on it.
----------------------------
revision 1.51
date: 2004/04/23 15:32:04; author: taya; state: Exp; lines: +2 -2
catch up to current statvfs support
by moving the inclusion of buildlink3.mk files outside of the protected
region. This bug would be seen by users that have set PREFER_PKGSRC
or PREFER_NATIVE to non-default values.
BUILDLINK_PACKAGES should be ordered so that for any package in the
list, that package doesn't depend on any packages to the left of it
in the list. This ordering property is used to check for builtin
packages in the correct order. The problem was that including a
buildlink3.mk file for <pkg> correctly ensured that <pkg> was removed
from BUILDLINK_PACKAGES and appended to the end. However, since the
inclusion of any other buildlink3.mk files within that buildlink3.mk
was in a region that was protected against multiple inclusion, those
dependencies weren't also moved to the end of BUILDLINK_PACKAGES.
