Changelog:
NEW
Google searches now utilize HTTPS
NEW
Full screen support for Mac OS X Lion implemented
NEW
Plugins can now be configured to only load on click (requires an about:config change)
NEW
The Awesome Bar now auto-completes typed URLs
CHANGED
Improved site identity manager, to prevent spoofing of an SSL connection with favicons
DEVELOPER
Pointer Lock API implemented
DEVELOPER
New API to prevent your display from sleeping
DEVELOPER
New text-transform and font-variant CSS improvements for Turkic languages and Greek
FIXED
Various security fixes
FIXED
GIF animation can gets stuck when src and image size are changed (743598)
FIXED
OS X: nsCocoaWindow::ConstrainPosition uses wrong screen in multi-display setup (752149)
FIXED
CSS :hover regression when an element's class name is set by Javascript (758885
Changelog:
* When opening a new tab, users are now presented with their most visited pages
* General performance improvements through incremental JavaScript garbage collection
* The default home page now has quicker access to bookmarks, history, settings, and more SPDY protocol now enabled by default for faster browsing on supported sites
* Restored background tabs are not loaded by default for faster startup
* Smooth scrolling is now enabled by default
* 72 total improvements to Page Inspector, HTML panel, Style Inspector, Scratchpad and Style Editor
* The column-fill CSS property has been implemented
* Experimental support for ECMAScript 6 Map and Set objects has been implemented
* Support for the CSS3 background-position property extended syntax has been added
* The :invalid pseudo-class can now be applied to the element
* The CSS turn <angle> unit is now supported
Changelog:
* Page Source now has line numbers
* Line breaks are now supported in the title attribute
* Improvements to "Find in Page" to center search result
* URLs pasted into the download manager window are now automatically downloaded
* Support for the text-align-last CSS property has been added
* Various security fixes
* Some TinyMCE-based editors failed to load (739141)
XXX Set MAKE_JOBS_SAFE=no for now. Should investigate why it fails
without it as it prolongs build time significantly.
Upstream changes:
Add-ons installed by third party programs are now disabled by default
Added a one-time add-on selection dialog to manage previously installed add-ons
Added Twitter to the search bar for select locales. Additional locale support
will be added in the future
Added a preference to load tabs on demand, improving start-up time when
windows are restored
Improved performance and memory handling when using <audio> and <video>
elements
Added CORS support for cross-domain textures in WebGL
Added support for HTML5 context menus
Added support for insertAdjacentHTML
Improved CSS hyphen support for many languages
Improved WebSocket support
Fixed several stability issues
Fixed several security issues
Drastically improved memory handling for certain use cases
Added a new rendering backend to speed up Canvas operations on Windows systems
Bookmark and password changes now sync almost instantly when using Firefox Sync
The 'http://' URL prefix is now hidden by default
Added support for text-overflow: ellipsis
Added support for the Web Timing specification
Enhanced support for MathML
The WebSocket protocol has been updated from version 7 to version 8
Added an opt-in system for users to send performance data back to Mozilla
to improve future versions of Firefox
Fixed several stability issues
Fixed several security issues
Major changes include:
The address bar now highlights the domain of the website you're visiting
Streamlined the look of the site identity block
Added support for the latest draft version of WebSockets with a prefixed API
Added support for EventSource / server-sent events
Added support for window.matchMedia
Added Scratchpad, an interactive JavaScript prototyping environment
Added a new Web Developer menu item and moved development-related items into it
Improved usability of the Web Console
Improved the discoverability of Firefox Sync
Reduced browser startup time when using Panorama
Fixed several stability issues
Fixed several security issues
Added support for CSS animations
The Do-Not-Track header preference has been moved to increase discoverability
Tuned HTTP idle connection logic for increased performance
Improved canvas, JavaScript, memory, and networking performance
Improved standards support for HTML5, XHR, MathML, SMIL, and canvas
Improved spell checking for some locales
Improved desktop environment integration for Linux users
WebGL content can no longer load cross-domain textures
Background tabs have setTimeout and setInterval clamped to 1000ms to improve
performance
Fixed several stability issues
Fixed several security issues
Firefox 4 is based on the Gecko 2.0 Web platform. This release features
JavaScript execution speeds up to six times faster than the previous
version, new capabilities for Web Developers and Add-on Developers such as
hardware accelerated graphics and HTML5 technologies, and a completely
revised user interface.
MFSA 2010-84 XSS hazard in multiple character encodings
MFSA 2010-83 Location bar SSL spoofing using network error page
MFSA 2010-82 Incomplete fix for CVE-2010-0179
MFSA 2010-81 Integer overflow vulnerability in NewIdArray
MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta
refresh
MFSA 2010-78 Add support for OTS font sanitizer
MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
MFSA 2010-76 Chrome privilege escalation with window.open and <isindex> element
MFSA 2010-75 Buffer overflow while line breaking after document.write with
long string
MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)
- devel/nspr from 4.8.6.11 to 4.8.6.12
- devel/xulrunner from 1.9.2.11 to 1.9.2.12
- www/firefox from 3.6.11 to 3.6.12
Security issues fixed since previous versions:
MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion
MFSA 2010-63 Information leak via XMLHttpRequest statusText
MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
MFSA 2010-61 UTF-7 XSS by overriding document charset using <object> type
attribute
MFSA 2010-59 SJOW creates scope chains ending in outer object
MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
MFSA 2010-57 Crash and remote code execution in normalizeDocument
MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-55 XUL tree removal crash and remote code execution
MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
MFSA 2010-52 Windows XP DLL loading vulnerability
MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
MFSA 2010-50 Frameset integer overflow vulnerability
MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
MFSA 2010-47 Cross-origin data leakage from script filename in error messages
MFSA 2010-46 Cross-domain data theft using CSS
MFSA 2010-45 Multiple location bar spoofing vulnerabilities
MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent
character to vanish
MFSA 2010-43 Same-origin bypass using canvas context
MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
MFSA 2010-41 Remote code execution using malformed PNG image
MFSA 2010-40 nsTreeSelection dangling pointer remote code execution
MFSA 2010-39 nsCSSValue::Array index integer overflow
MFSA 2010-38 Arbitrary code execution using SJOW and fast native function
MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution
MFSA 2010-36 Use-after-free error in NodeIterator
MFSA 2010-35 DOM attribute cloning remote code execution vulnerability
MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)
MFSA 2010-33 User tracking across sites using Math.random()
MFSA 2010-32 Content-Disposition: attachment ignored
if Content-Type: multipart also present
MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes
MFSA 2010-30 Integer Overflow in XSLT Node Sorting
MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
MFSA 2010-28 Freed object reuse across plugin instances
MFSA 2010-26 Crashes with evidence of memory corruption
Also add patch for PR pkg/42988 crash, effectively disabling all
sound support until we decide on what sound API to use.
The current dlopen() guesswork is bad, mkay.
Bump PKGREVISION for this and previous changes.
.2 is not formally released yet, but is release tagged in the scm and I
want to get this update in before we freeze the tree.
"Firefox 3.6 is built on Mozilla's Gecko 1.9.2 web rendering platform,
which has been under development since early 2009 and contains many
improvements for web developers, add-on developers, and users."
- Improved JavaScript performance, overall browser responsiveness,
and startup time.
- The ability for web developers to indicate that scripts should run
asynchronously to speed up page load times.
- Continued support for downloadable web fonts using the new WOFF font format.
- Support for new CSS attributes such as gradients, background sizing,
and pointer events.
- Support for new DOM and HTML5 specifications including the Drag & Drop API
and the File API, which allow for more interactive web pages.
While here, switch NetBSD build from sunaudio to OSS emulation.
This greatly improves HTML5 video playback.
(Yes, we ought to fix the busted sunaudio support or PKG_OPTIONalize this.
Perhaps another day.)
Advisories relating to this release:
MFSA 2009-71 GeckoActiveXObject exception messages can be used to
enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-67 Integer overflow, crash in libtheora video library
MFSA 2009-66 Memory safety fixes in liboggplay media library
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
pkgsrc changes:
- assign devel/xulrunner maintainership to tnn@
- mozilla-common.mk: work around gcc __thread support misdetection on NetBSD
- separate distinfo related stuff into dist.mk for sharing with nss & nspr
"topcrash" bugs fixed:
468562 "ASSERTION: Inserting multiple children without flushing"
521750 Put a runtime NS_IsMainThread check in nsCycleCollector::Suspect2 ...
524462 startup crash [@ gfxWindowsFontGroup::WhichFontSupportsChar(nsTAr ...
525326 Crashes in gif decoder [@ xul.dll@0x348945][@ xul.dll@0x348864][@ ...
525276 crashes [@ nsDocument::RegisterNamedItems(nsIContent*)]
