Changelog:
# What's New in SeaMonkey 2.31
SeaMonkey 2.31 contains the following major changes relative to SeaMonkey 2.30:
## SeaMonkey-specific changes
Text zoom is now available in Composer.
GStreamer and PulseAudio support has been re-enabled on Linux.
## Mozilla platform changes
Support for H264 (MP4) is now built in on Mac OS X Snow Leopard (10.6) and newer through native APIs.
HTTP/2 (draft14) and ALPN have been implemented.
Added ability to recover from a locked process in the "SeaMonkey is already running" dialog on Windows.
Added ECDH support for WebCrypto.
The console.table function has been added to the Error Console.
CSS transitions start correctly now when started at the same time as changes to display, position, overflow, and similar properties.
Also see Firefox 34 for Developers.
Fixed several stability issues.
# Security fixes
Fixed in SeaMonkey 2.31
2014-91 Privileged access to security wrapped protected objects
2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
2014-88 Buffer overflow while parsing media content
2014-87 Use-after-free during HTML5 parsing
2014-86 CSP leaks redirect data via violation reports
2014-85 XMLHttpRequest crashes with some input streams
2014-84 XBL bindings accessible via improper CSS declarations
2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)
Changelog:
SeaMonkey-specific changes
The delimiter for forwarded messages can now be configured.
An option to not strip signatures on reply has been added to prevent top signatures from deleting the body.
Add to Searchbar (search-engine autodiscovery) was implemented.
The location bar tooltip now shows the complete current URL in case it is displayed only partially.
See the changes page for a more complete overview.
Mozilla platform changes
The Gamepad API has been finalized and enabled (learn more).
navigator.plugins is no longer enumerable, for user privacy.
ECMAScript Internationalization API has been enabled.
'box-sizing' (dropping the -moz- prefix) has been implemented.
SharedWorker is now enabled by default.
CSS3 variables have been implemented.
Console object is now available in Web Workers.
Promises have been enabled by default.
<input type="number"> has been implemented and enabled.
<input type="color"> has been implemented and enabled.
Fixed several stability issues.
Fixed in SeaMonkey 2.26.1
MFSA 2014-54 Buffer overflow in Gamepad API
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-51 Use-after-free in Event Listener Manager
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
Fixed in SeaMonkey 2.26
MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript
MFSA 2014-46 Use-after-free in nsHostResolve
MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates
MFSA 2014-44 Use-after-free in imgLoader while resizing images
MFSA 2014-43 Cross-site scripting (XSS) using history navigations
MFSA 2014-42 Privilege escalation through Web Notification API
MFSA 2014-41 Out-of-bounds write in Cairo
MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video
MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
MFSA 2014-37 Out of bounds read while decoding JPG images
MFSA 2014-36 Web Audio memory corruption issues
MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)
* Change enigmail build mechanism
Changelog:
2.25:
SeaMonkey-specific changes
Newsgroup names can now be entered using autocompletion.
See the changes page for a more complete overview.
Mozilla platform changes
The Gamepad API has been finalized and enabled (learn more).
VP9 video decoding has been implemented.
Support for Opus in WebM was added.
Volume control for HTML5 audio/video has been added.
Mac OS X Notification Center support has been added for web notifications.
Support for spdy/2 has been removed.
Support for multi-line flexbox in layout has been added.
Support for the MathML 2.0 mathvariant attribute has been added.
Background thread hang reporting has been added.
<input type=color> has been implemented and enabled.
Fixed several stability issues.
Fixed in SeaMonkey 2.25
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore
MFSA 2014-22 WebGL content injection from one domain to rendering in another
MFSA 2014-20 onbeforeunload and Javascript navigation DOS
MFSA 2014-19 Spoofing attack on WebRTC permission prompt
MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
2.24:
SeaMonkey-specific changes
The DoNotTrack and Prompt on Sanitize preferences are now kept in sync.
A pref (mailnews.p7m_external) has been added to allow users to choose an alternate application/pkcs7-mime handling.
Support for Atom Threading Extensions (RFC 4685) has been added.
Migrating profiles from Thunderbird supports the new signons file format now (support for the old format has been dropped).
Autocomplete drop-downs (e.g. used on the Location Bar and Open Location dialog) now show favicons for their entries.
The account name is now displayed in the status bar for all messages when checking mail.
IMAP alert messages now show the server of the corresponding mail account.
Newsgroup names are now searched for all search strings combined (AND-search) on the subscribe dialog.
See the changes page for a more complete overview.
Mozilla platform changes
Removed support for importing logins from the legacy signons.txt format, including the Base64 conversion (bug 717490).
Enabled support for TLS 1.2 (RFC 5246) by default (bug 861266).
Added support for the SPDY 3.1 protocol.
Added ability to reset style sheets using all:unset.
Added support for scrolled fieldsets (overflow property support, bug 261037).
Implemented allow-popups directive for iframe sandbox, enabling increased security (bug 766282).
Unprefixed CSS cursor keywords -moz-grab and -moz-grabbing (bug 880672).
Added support for ES6 generators in SpiderMonkey (blog post).
Implemented support for mathematical function Math.hypot() in ES6 (bug 896264).
Added dashed line support on Canvas (bug 768067).
Fixed Azure/Skia content rendering on Linux (bug 740200).
Fixed several stability issues.
Fixed in SeaMonkey 2.24
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-11 Crash when using web workers with asm.js
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image proccessing
MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy
MFSA 2014-05 Information disclosure with *FromPoint on iframes
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-03 UI selection timeout missing on download prompts
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
Changelog:
SeaMonkey-specific changes
Download progress is now shown in the Mac OS X app dock icon.
EXIF orientation is now being used when displaying attached images in MailNews.
"This folder is being processed... to get messages." alerts on active MailNews folders now identify the account or folder.
MailNews notifications have a new look.
See the changes page for a more complete overview.
Mozilla platform changes
All plugins, with the exception of recent Flash plugins, now default to click-to-play.
The password manager now supports script-generated password fields.
Support for H.264 on Linux is now available if the appropriate GStreamer plugins are installed.
Support for MP3 decoding on Windows XP has been added, completing MP3 support across Windows OS versions.
The CSP implementation now supports multiple policies, including the case of both an enforced and Report-Only policy, per the spec.
There is no longer a prompt when websites use appcache.
Support for the CSS image orientation property has been added.
IndexedDB can now be used as an "optimistic" storage area so it does not require any prompts and data is stored in a pool with LRU eviction policy, in short temporary storage.
When displaying a standalone images, the EXIF orientation information contained within the JPEG image is now matched (bug 298619).
Page load times have been improved due to no longer decoding images that are not visible (bug 847223).
Support for the AudioToolbox MP3 backend has been added on Mac OS X (bug 914479).
Fixed several stability issues.
Fixed in SeaMonkey 2.23
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure though selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-110 Potential overflow in JavaScript binary search algorithms
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
* Add mozilla-chatzilla option for chatzilla (and some JavaScript
development tools, I cannot separate them.)
Changelog:
Fixed in SeaMonkey 2.22.1
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
Changelog:
SeaMonkey-specific changes
Sorting messages by date can now be configured to look at the thread root instead of the newest message in it (pref: mailnews.sort_threads_by_root).
Plugins doorhangers now allow to activate different plugin types independently.
The proxy popup is now also available from the MailNews main window.
A new Recipients column has been added that shows all recipients (To, CC, BCC).
The default HTML5 audio/video player controls allow to change the playback rate now.
A "Validate this page" entry has been added to Tools/Web Development.
The Firefox devtools debugger can now be used to debug SeaMonkey remotely.
See the changes page for a more complete overview.
Mozilla platform changes
Web Audio support has been added.
CSS3 background-attachment:local support to control background scrolling has been implemented.
Many new ES6 functions have been implemented.
iframe document content can now be specified inline.
Fixed several stability issues.
Fixed in SeaMonkey 2.22
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
Changelog:
SeaMonkey-specific changes
Implemented an option to thread messages received by date.
Allowed deletion of news posts by default.
Implemented optional taskbar preview-per-tab.
Added support (permission prompt) for desktop notifications.
Added Isn't operator for searching by Priority.
See the changes page for a more complete overview.
Mozilla platform changes
Support for new scrollbar style on Mac OS X 10.7 and newer.
Accessibility related improvements on using pinned tabs (bug 577727).
Major SVG rendering improvements around Image tiling and scaling (bug 600207).
Removed support for sherlock files that are loaded from application or profile directory.
Support for W3C touch events disabled (bug 888304).
Fixed several stability issues.
Fixed in SeaMonkey 2.21
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
* Merge SunOS patches from www/firefox.
Changelog:
SeaMonkey-specific changes
The Content Security Policy (CSP) 1.0 parser has been enabled.
The Mixed Content Blocker has been enabled, blocking insecure active content loads on HTTPS pages.
New mail alert information can be customized now (Preferences/Mail & Newsgroups/Notifications).
A confirmation prompt has been introduced to protect against accidental permanent data loss when force-deleting messages using Shift+Del.
MailNews Save As Template supports multiple selections now.
The size on disk is now shown for newsgroup folders.
See the changes page for a more complete overview.
Mozilla platform changes
Added support for scrollbar style in Mac OS X 10.7 and newer.
Enabled mixed content blocking to protects users from man-in-the-middle attacks and eavesdroppers on HTTPS pages (learn more).
Improved about:memory's functional UI.
Enabled DXVA2 on Windows Vista+ to accelerate H.264 video decoding.
Simplified interface for notifications of plugin installation.
Enabled users to switch the search provider across the entire browser.
CSP policies using the standard syntax and semantics will now be enforced.
Implemented the HTML5 <input type="range"> form control.
Added unprefixed requestAnimationFrame.
Dropped blink effect from CSS rule text-decoration:blink and completely removed <blink> element.
Fixed several stability issues.
Fixed in SeaMonkey 2.20
MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-74 Firefox full and stub installer DLL hijacking
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-67 Crash during WAV audio file decoding
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-65 Buffer underflow when generating CRMF requests
MFSA 2013-64 Use after free mutating DOM during SetBody
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
* Update enigmail to 1.5.2.
Changelog:
SeaMonkey-specific changes
Mark -> As Read now checks the state of all selected messages instead of only the first one's.
Notifications for mixed content blocker have been implemented.
A new 3rd-party cookie restriction to visited websites option has been added to the Cookies pref pane.
The context menu Search option is now available for textareas and input fields.
Website storage mechanisms are now available in the Data Manager (localStorage, indexedDB, etc.).
"Open Containing Folder" is now already available during download.
See the changes page for minor changes.
Mozilla platform changes
asm.js optimizations (OdinMonkey) have been enabled for major performance improvements.
Improved WebGL rendering performance through asynchronous canvas updates.
Plain text files displayed within the browser will now word-wrap.
For user security, the Components object is no longer accessible from web content.
Improved memory usage and display time when rendering images.
The Pointer Lock API can now be used outside of fullscreen.
CSS3 Flexbox has been implemented and enabled by default.
The new Web Notifications API has been implemented.
Added clipboardData API for JavaScript access to a user's clipboard.
Support for new HTML5 <data> and <time> elements has been added.
Fixed several stability issues.
* Use common files for www/firefox.
SeaMonkey-specific changes
Basic Private Browsing support has been added (experimental for now).
Added support for safe browsing which blocks potentially malicious websites reported as attack sites (malware) or web forgeries (phishing).
Information like preview text, subject and sender can be shown in new mail notifications now.
See the changes page for minor changes.
Mozilla platform changes
CSS -moz-user-select:none selection has been changed to improve compatibility with -webkit-user-select:none (bug 816298).
Applied graphics-related performance improvements (bug 809821).
Removed E4X support from SpiderMonkey.
Added support for the <main> element.
Implemented scoped stylesheets.
Fixed some function keys not working when pressed (bug 833719).
Fixed several stability issues.
* I will check the build on NetBSD 5.2 later...
Changelog:
Continued performance improvements around common browser tasks (page loads, downloads, shutdown, etc.).
Continued implementation of draft ECMAScript 6 (clear() and Math.imul).
<canvas> now supports blend modes.
Various <audio> and <video> improvements have been implemented.
The Details button on the Crash Reporter has been fixed (bug 793972).
Fixed several stability issues.
Fixed in SeaMonkey 2.17
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-39 Memory corruption while rendering grayscale PNG images
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-37 Bypass of tab-modal dialog origin disclosure
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)
Fixed in SeaMonkey 2.16.1
MFSA 2013-29 Use-after-free in HTML Editor
* enigmail is broken
Changelog:
SeaMonkey-specific changes
Reply to List is now supported.
SSL-related warning prompts (leaving or entering a secure site, viewing mixed content) have been replaced by less intrusive, non-modal notification bars.
See the changes page for minor changes.
Mozilla platform changes
Image quality has been improved through a new HTML scaling algorithm.
Canvas elements can export their content as an image blob using canvas.toBlob() now.
CSS @page is now supported.
CSS viewport-percentage length units have been implemented (vh, vw, vmin and vmax).
CSS text-transform now supports full-width.
Fixed several stability issues.
Fixed in SeaMonkey 2.16
MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
MFSA 2013-27 Phishing on HTTPS connection through malicious proxy
MFSA 2013-26 Use-after-free in nsImageLoadingContent
MFSA 2013-25 Privacy leak in JavaScript Workers
MFSA 2013-24 Web content bypass of COW and SOW security wrappers
MFSA 2013-23 Wrapped WebIDL objects can be wrapped again
MFSA 2013-22 Out-of-bounds read in image rendering
MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)
* Use Lightning in seamonkey tar ball, 2.0pre.
Changelog:
SeaMonkey-specific changes
SeaMonkey can be set as default client/browser on Mac and Linux now.
See the changes page for minor changes.
Mozilla platform changes
The new IonMonkey compiler improves JavaScript performance.
Preliminary support for WebRTC has been added.
Image quality has been improved through a new HTML scaling algorithm.
CSS3 Flexbox has been implemented.
Support for new DOM property window.devicePixelRatio has been added.
Support for @supports has been added (disabled for now).
Startup time has been improved through smart handling of signed extension certificates.
HTML5: Support for W3C touch events has been implemented, taking the place of MozTouch events
Insecure content loading has been disabled on HTTPS pages (see bug 62178).
Responsiveness for users on proxies has been improved.
Fixed several stability issues.
Fixed in SeaMonkey 2.15
MFSA 2013-20 Mis-issued TURKTRUST certificates
MFSA 2013-19 Use-after-free in Javascript Proxy objects
MFSA 2013-18 Use-after-free in Vibrate
MFSA 2013-17 Use-after-free in ListenerManager
MFSA 2013-16 Use-after-free in serializeToStream
MFSA 2013-15 Privilege escalation through plugin objects
MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype
MFSA 2013-13 Memory corruption in XBL with XML bindings containing SVG
MFSA 2013-12 Buffer overflow in Javascript string concatenation
MFSA 2013-11 Address space layout leaked in XBL objects
MFSA 2013-10 Event manipulation in plugin handler to bypass same-origin policy
MFSA 2013-09 Compartment mismatch with quickstubs returned values
MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection
MFSA 2013-07 Crash due to handling of SSL on threads
MFSA 2013-06 Touch events are shared across iframes
MFSA 2013-05 Use-after-free when displaying table with many columns and column groups
MFSA 2013-04 URL spoofing in addressbar during page loads
MFSA 2013-03 Buffer Overflow in Canvas
MFSA 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)
* Patches are synced with xulrunner-17.0, and regen patches
* Update Mozilla Lightning to 1.9
Changelog:
SeaMonkey-specific changes
None (see changes page for minor changes).
Mozilla platform changes
OS X 10.6 is now the minimum supported Mac version.
JavaScript Maps and Sets are now iterable.
SVG FillPaint and StrokePaint have been implemented.
The sandbox attribute has been implemented for iframes, enabling increased security.
Fixed several stability issues.
Security fixes
Fixed in SeaMonkey 2.14
MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
MFSA 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2012-103 Frames can shadow top.location
MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset
MFSA 2012-100 Improper security filtering for cross-origin wrappers
MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
MFSA 2012-96 Memory corruption in str_unescape
MFSA 2012-94 Crash when combining SVG text on path with CSS
MFSA 2012-93 evalInSanbox location context incorrectly applied
MFSA 2012-92 Buffer overflow while rendering GIF images
MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)
* Update enigmail to 1.4.5
* Update Mozilla Lightning to 1.8
Changelog:
SeaMonkey-specific changes
None.
Mozilla platform changes
JavaScript responsiveness has been improved through incremental garbage collection.
CSS3 Animations, Transitions, Transforms and Gradients have been unprefixed.
MD5 is no longer supported as a hash algorithm in digital signatures.
The Opus codec is now support by default.
The reverse CSS3 animation direction has been implemented.
Per tab reporting is now available in about:memory.
Fixed several stability issues.
* Update Mozilla Lightning to 1.7
* Update Enigmail to 1.4.4 (functionality is not tested yet; should
be updated)
* Regen patches
Changelog:
SeaMonkey-specific changes
None.
Mozilla platform changes
Added support for SPDY networking protocol v3.
Implemented WebGL enhancements, including compressed textures for better performance.
Optimized memory usage for add-ons.
Implemented the CSS word-break property.
Implemented high precision event timer.
HTML5: Added native support for the Opus audio codec.
HTML5: Added support for the source element media attribute.
HTML5: Added support for the audio element and video element played attribute.
Fixed several stability issues.
Fixed in SeaMonkey 2.12
MFSA 2012-70 Location object security checks bypassed by chrome code
MFSA 2012-69 Incorrect site SSL certificate data display
MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html
MFSA 2012-65 Out-of-bounds read in format-number in XSLT
MFSA 2012-64 Graphite 2 memory corruption
MFSA 2012-63 SVG buffer overflow and use-after-free issues
MFSA 2012-62 WebGL use-after-free and memory corruption
MFSA 2012-61 Memory corruption with bitmap format images with negative height
MFSA 2012-59 Location object can be shadowed using Object.defineProperty
MFSA 2012-58 Use-after-free issues found using Address Sanitizer
MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
* Use Lightning 1.6 release
* Enigmail is not tested fully
Changelog: from http://www.seamonkey-project.org/releases/seamonkey2.11/
SeaMonkey-specific changes
A click-to-play option (off by default for now) has been implemented for plugins.
Mozilla platform changes
The Pointer Lock API has been implemented.
A new API to prevent your display from sleeping is available.
New text-transform and font-variant CSS improvements have been made for Turkic languages and Greek.
Fixed several stability issues.
Changelog: from http://www.seamonkey-project.org/releases/seamonkey2.10/
SeaMonkey-specific changes
The domain name is highlighted in the location bar by default now, configurable in Preferences.
The amount of tabs to be restored concurrently can be configured in Preferences now.
News username and password auth dialogs have been combined and show for which server the prompt is now.
Mozilla platform changes
The new minimum supported Windows version is now XP SP2, Windows 2000 support has been dropped.
The SPDY protocol now enabled by default for faster browsing on supported sites
The column-fill CSS property has been implemented.
Experimental support for ECMAScript 6 Map and Set objects has been implemented.
Support for the CSS3 background-position property extended syntax has been added.
The :invalid pseudo-class can now be applied to the <form> element.
The CSS turn <angle> unit is now supported.
Fixed several stability issues.
* Remove unused option.
* Restore jemalloc option.
Changelog:
* The File and Move Bookmarks dialogs are resizable now.
* HTML5 videos that do not start automatically show a large play button now.
* Add-ons Sync can now be configured without the Add-ons Sync Prefs add-on.
* Pasting a URL from the clipboard into the Download Manager window will
download it.
* Plugins can be disabled for the whole suite now in addition to
Mail & Newsgroups only.
* View Source now has line numbers.
* Line breaks are now supported in the title attribute.
* Find in Page search results are scrolled into view now.
* The column-fill CSS property has been implemented.
* Support for the text-align-last CSS property has been added.
* Experimental support for ECMAScript 6 Map and Set objects has been
implemented.
* Fixed several stability issues.
Based on the mozilla-5.0 branch.
SeaMonkey 2.2 contains the following major changes relative to SeaMonkey 2.1:
Windows: Bundled extensions/add-ons are no longer optional in SeaMonkey's
installer.
Archive options can now be changed from the Copies & Folders Account Settings pane.
Mozilla platform changes
CSS Animations are now supported.
Improved canvas, JavaScript, memory, and networking performance.
Improved standards support for HTML5, XHR, MathML, SMIL, and canvas.
Improved spell checking for some locales.
WebGL content can no longer load cross-domain textures.
Background tabs have setTimeout and setInterval clamped to 1000ms to improve
performance.
Security fixes in this version:
MFSA 2008-33 Crash and remote code execution in block reflow
MFSA 2008-32 Remote site run as local file via Windows URL shortcut
MFSA 2008-31 Peer-trusted certs can use alt names to spoof
MFSA 2008-30 File location URL in directory listings not escaped properly
MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
MFSA 2008-24 Chrome script loading from fastload file
MFSA 2008-23 Signed JAR tampering
MFSA 2008-22 XSS through JavaScript same-origin violation
MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)
MFSA 2008-20 Crash in JavaScript garbage collector
For more info, see http://www.seamonkey-project.org/releases/seamonkey1.1.10/
cairo versions that conflict with Mozilla's included version.
Reported via PR#37006 and fixed with input from Vincent on tech-pkg@netbsd.org.
Bump PKGREVISION.
Security fixes in this version:
MFSA 2007-25 XPCNativeWrapper pollution
MFSA 2007-24 Unauthorized access to wyciwyg:// documents
MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
MFSA 2007-22 File type confusion due to %00 in name
MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
MFSA 2007-20 Frame spoofing while window is loading
MFSA 2007-19 XSS using addEventListener and setTimeout
MFSA 2007-18 Crashes with evidence of memory corruption
For more info, see http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.1.3/
Security fixes in this version:
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-15 Security Vulnerability in APOP Authentication
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-12 Crashes with evidence of memory corruption
For the complete changelog, see
http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.1.2/changelog.html
the exact names of the freebl libraries depends on the platform and they
have a habit of changing even on minor releases. This causes these mozilla
packages to be broken quite a lot on platforms other than NetBSD/i386.
Hopefully this fix will last longer than previous ones. pkgrevision bumps
all around.
two issues. The PLIST was incorrect and since the PLIST is used by
the "moz-install" script, anything missing from the PLIST is never
installed even when building from source. When libfreebl* were not
installed it caused the clients to fail to load the security component
and fail with "The browser failed to load its security component".
The second issue is that many installations of solaris-2.9 include
various glib/gtk/gnome libraries in /usr/lib. This causes failures
because the pkgsrc ones were used at link time and the /usr/lib ones
at run time. Work around this by setting a LD_LIBRARY_PATH that includes
the pkgsrc lib directory first.
pkgrevision bumps all around.
release.
The calendar component has been removed from Seamonkey in favour of Sunbird
(time/sunbird) and Lightning, see http://www.mozilla.org/projects/calendar/
New features and fixes in this version:
General
* ChatZilla has been updated to a newer version (Bug 324439)
* When launching SeaMonkey, already-running instances are detected (Bug 122698)
Browser
* Spelling is checked when writing in textareas (Bug 302050 and bug 338318)
* A warning page is now shown before displaying about:config (Bug 339720)
* Tooltips from web pages can now be multiple lines, either due to automatic
text wrapping or explicit newlines added to the text value (Bug 356900)
* When you visit a secure site, the URL bar changes color to turns make
security status more visible (Bug 335113)
* When using keyword URLs, it is no longer necessary to type "keyword:" (typing
"keyword:" will no longer work). Just type the keyword name (Bug 337339)
* You can now drop URLs and bookmarks between existing tabs, which will result
in a new tab being created where you dropped the URL (Bug 324591)
* When hovering on a tab, the tooltip now displays a preview of the tab's
contents (Bug 315207)
* The search sidebar now behaves better (Bug 252802)
* The bookmarks menu and personal toolbar folder overflow menu now have context
menus (Bug 50504)
Mail & Newsgroups
* Message labelling has been superceded by tagging, which provides much more
than the original 5 labels and comes with new preferences (Bug 342560 and
others)
* The preferences for junk mail have been reorganized, and can now be set on a
per-account basis (Bug 335846)
* Improved phishing detection (Bug 326082 and others)
* New mail notification has been improved (Bug 327613, 305384, and others)
Address Book
* It is now possible to move or copy cards between address books. Cards can
only be copied to mailing lists, so you need to use ctrl key while dragging
to copy the card to the mailing list. When dragging cards between address
books, the default action is move, use ctrl to copy instead. (Bug 35837)
For the complete changelog, see
http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.1/changelog.html
mail/thunderbird-gtk1 to 1.5.0.4, and www/seamonkey, www/seamonkey-gtk1
and www/seamonkey-bin to 1.0.2 (salo has already updated www/firefox-bin).
Note that thunderbird skipped one release number (again) to stay on par
with firefox.
These updates provide:
* improvements to product stability,
* several important security fixes (see below).
Fixed in Firefox 1.5.0.4:
MFSA 2006-43 Privilege escalation using addSelectionListener
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-41 File stealing by changing input type (variant)
MFSA 2006-39 "View Image" local resource linking (Windows)
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-36 PLUGINSPAGE privileged JavaScript execution 2
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-34 XSS viewing javascript: frames or images from context menu
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
Fixed in Thunderbird 1.5.0.4:
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
Fixed in SeaMonkey 1.0.2:
MFSA 2006-43 Privilege escalation using addSelectionListener
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-41 File stealing by changing input type (variant)
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-39 "View Image" local resource linking (Windows)
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-34 XSS viewing javascript: frames or images from context menu
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
