CHangelog:
New
Asynchronous rendering of the Flash plugins is now enabled by default. This should improve performance and reduce crashes for sites that use the Flash plugin. (Bug 1307108)
Fixed
Change D3D9 default fallback preference to prevent graphical artifacts (Bug 1306465)
Network issue prevents some users from seeing the Firefox UI on startup (Bug 1305436)
Web compatibility issue with Array.prototype.values (Bug 1299593)
Various security fixes (CVE-2016-5287, CVE-2016-5288)
Web compatibility issue with file uploads (Bug 1306472)
Changed
Diagnostic information on timing for tab switching (Bug 1304113)
Fix a Canvas filters graphics issue affecting HTML5 apps (Bug 1304539)
Changelog:
New
Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. It’s one more way Firefox is supporting Let’s Encrypt and helping users transition to a more secure web.
Added features to Reader Mode that make it easier on the eyes and the ears
Controls that allow users to adjust the width and line spacing of text
Narrate, which reads the content of a page out loud
Improved video performance for users on systems that support SSSE3 without hardware acceleration
Added context menu controls to HTML5 audio and video that let users loops files or play files at 1.25x speed
Enhancements for Mac users
Improved performance on OS X systems without hardware acceleration
Improved appearance of anti-aliased OS X fonts
Improvements in about:memory reports for tracking font memory usage
Improve performance on Windows systems without hardware acceleration
Fixed
Fixed an issue that prevented users from updating Firefox for Mac unless they originally installed Firefox. Now, those users as well as any user with administrative credentials can update Firefox.
Various security fixes
Changed
Ended Firefox for Mac support for OS X 10.6, 10.7, and 10.8.
Ended Firefox for Windows support for SSE processors
Removed Firefox Hello
Re-enabled the default for Graphite2 font shaping
Developer
Added a Cause column to the Network Monitor to show what caused each network request
Introduced web speech synthesis API
Fixed in Firefox 49
2016-85 Security vulnerabilities fixed in Firefox 49
CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]
Reporter: Atte Kettunen
Description: A content security policy (CSP) containing a referrer directive with no values can cause a non-exploitable crash. [1289085]
CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]
CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]
Reporter: Abhishek Arya
Description: An out-of-bounds read during the processing of text runs in some pages using display:contents. [1288946]
CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]
CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]
Reporter: Nils
Description: A potentially exploitable crash in accessibility [1280387]
CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting a aria-owns attribute [1287721]
CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling. [1282076]
CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A user-after-free vulnerability with web animations when destroying a timeline [1291665]
CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]
Reporter: Nils
Description: A buffer overflow when working with empty filters during canvas rendering [1287316]
CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]
CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]
Reporter: Rafael Gieschke
Description: The full path to local files is available to scripts when local files are drag and dropped into Firefox [1249522]
CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]
CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]
CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]
Reporter: Richard Newman
Description: Favicons can be loaded through non-whitelisted protocols, such as jar: [932335]
CVE-2016-5283 - <iframe src> fragment timing attack can reveal cross-origin data [high]
Reporter: Gavin Sharp
Description: A timing attack vulnerability using iframes to potentially reveal private data using document resizes and link colors [928187]
CVE-2016-5284 - Add-on update site certificate pin expiration [high]
Reporter: Ryan Duff
Description: Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. [1303127]
CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]
Reporter: Mozilla developers
Description: Mozilla developers Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas, Seth Fowler, and Michael Smith reported memory safety bugs present in Firefox 48. Some of these bugs showed evidence of memory corruption under certain circumstances could potentially exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49]
CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]
Reporter: Mozilla developers
Description: Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4]
* Remove dbus-glib dependency and add dbus option (from Robert Swindells)
* Fix potential build failure in skia (from Robert Swindells)
Changelog:
Fixed
Fix an audio regression impacting some major websites (bug 1295296)
Fix a top crash in the JavaScript engine (Bug 1290469)
Fix a startup crash issue caused by Websense (Bug 1291738)
Fix a different behavior with e10s / non-e10s on <select> and mouse events (Bug 1291078)
Fix a top crash caused by plugin issues (Bug 1264530)
Fix an unsigned add-ons issue on Windows
Fix a shutdown issue (Bug 1276920)
Fix a crash in WebRTC
--disable-elf-dynstr-gc
--disable-installer
--disable-javaxpcom
--disable-mochitest
--disable-pedantic
--enable-canvas
--enable-crypto
--enable-mathml
--enable-pango
--enable-svg
--with-system-ply
you can see it:
cd /usr/pkgsrc/www/firefox/work/firefox-48.0
./configure --help
* OSS audio support may not work. I will revisit later
Changelog:
New:
Roar for moar protection against harmful downloads! We've got your back
Process separation (e10s) is enabled for some of you. Like it? Let us know and we'll roll it out to more.
Add-ons that have not been verified and signed by Mozilla will not load
GNU/Linux fans: Get better Canvas performance with speedy Skia support. Try saying that three times fast
WebRTC embetterments:
Delay-agnostic AEC enabled
Full duplex for GNU/Linux enabled
ICE Restart & Update is supported
Cloning of MediaStream and MediaStreamTrack is now supported
Searching for something already in your bookmarks or open tabs? We added super smart icons to let you know
Windows folks: Tab (move buttons) and Shift+F10 (pop-up menus) now behave as they should in Firefox customization mode
The media parser has been redeveloped using the Rust programming language
Windows 7 systems without Platform Update can now use D3D11 WARP
Fixed:
Various security fixes
Heyo, Jabra & Logitech C920 webcam users. We fixed those pesky WebRTC bugs causing frequency distortions. Buh-bye, squeaky voice!
Improved step debugging on last line of functions
Changed:
Starting with the Firefox version 49 release, so long to support for 10.6, 10.7 and 10.8. Now we can focus on where most Mac users are: 10.9. Don't forget to upgrade!
After version 48, SSE2 CPU extensions are going to be required on Windows
Au revoir to Windows Remote Access Service modem Autodial
Developer:
WebExtensions support is now considered as stable
Workers can now use the Web Crypto API
Want to move absolute & fixed positioned elements? (Who doesn't, right?) Now you can with our geometry editor.
The memory tool now has a tree map view for your debugging pleasure. It's a little bit of "boo" and a whole lot of "ya."
We're putting the spotlight on the background. Now you can debug WebExtensions background content scripts and background pages
Content Security Policy (CSP) is now enforced for WebExtensions. (Who's down with CSP?)
Old and busted: Error Console. New hotness: Browser Console for your debugging pleasure.
Add-on development just got easier because you can reload them from about:debugging — because we're all about debugging.
This theme is hot, hot, hot! Say hi to the Firebug theme for Developer Tools.
Expand network requests from the console panel to view request details in line, so you can see things in context
Fixed in Firefox 48:
2016-84 Information disclosure through Resource Timing API during page navigation
2016-83 Spoofing attack through text injection into internal error pages
2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
2016-81 Information disclosure and local file manipulation through drag and drop
2016-80 Same-origin policy violation using local HTML file and saved shortcut file
2016-79 Use-after-free when applying SVG effects
2016-78 Type confusion in display transformation
2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
2016-76 Scripts on marquee tag can execute in sandboxed iframes
2016-75 Integer overflow in WebSockets during data buffering
2016-74 Form input type change from password to text can store plain text password in session restore file
2016-73 Use-after-free in service workers with nested sync events
2016-72 Use-after-free in DTLS during WebRTC session shutdown
2016-71 Crash in incremental garbage collection in JavaScript
2016-70 Use-after-free when using alt key and toplevel menus
2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
2016-68 Out-of-bounds read during XML parsing in Expat library
2016-67 Stack underflow during 2D graphics rendering
2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
2016-64 Buffer overflow rendering SVG with bidirectional content
2016-63 Favicon network connection can persist when page is closed
2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
* Remove macOS patches, because I cannot confirm them sadly
Changelog:
New
Support for Google’s Widevine CDM on Windows and Mac OS X so streaming services like Amazon Video can switch from Silverlight to encrypted HTML5 video.
Enable VP9 video codec for users with fast machines
Embedded YouTube videos now play with HTML5 video if Flash is not installed.
View and search open tabs from your smartphone or another computer in a sidebar
Allow no-cache on back/forward navigations for https resources
Latgalu [ltg] locale added. Wikipedia tells us there are 164,500 daily speakers.
Fixed
Various security fixes
Changed
FUEL (Firefox User Extension Library) has been removed. Add-ons relying on it will stop working.
The browser.sessionstore.restore_on_demand preference has been reset to its default value (true) to avoid e10s performance problems. Because faster is better!
The Firefox click-to-activate plugin whitelist has been removed.
XRender is no longer used for rendering web content on Linux as this may cause a regression in remote X performance
Developer
Web platform changes
View, start,and debug registered Service Workers in the Service Workers developer tool
Simulate Push messages in the Service Workers developer tool
'Start' button for service workers in about:debugging to start registered Service Workers
Changes that can affect add-on compatibility
Added support for ChaCha20/Poly1305 cipher suites
Custom user agents supported in Responsive Design Mode
Smart multi-line input in the Web Console
Developer Information
HTML5
cuechange events are now available on TextTrack objects
WebCrypto: PBKDF2 supports SHA-2 hash algorithms
WebCrypto: RSA-PSS signature support
Fixed in Firefox 47
2016-61 Network Security Services (NSS) vulnerabilities
2016-60 Java applets bypass CSP protections
2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
2016-58 Entering fullscreen and persistent pointerlock without user permission
2016-57 Incorrect icon displayed on permissions notifications
2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
2016-55 File overwrite and privilege escalation through Mozilla Windows updater
2016-54 Partial same-origin-policy through setting location.host through data URI
2016-53 Out-of-bounds write with WebGL shader
2016-52 Addressbar spoofing though the SELECT element
2016-51 Use-after-free deleting tables from a contenteditable document
2016-50 Buffer overflow parsing HTML5 fragments
2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
* Drop buildlink to gstreamer1
Changelog:
New
Improved security of the JavaScript Just In Time (JIT) Compiler
GTK3 integration (GNU/Linux only)
Fixed
Correct rendering for scaled SVGs that use a clip and a mask
Various security fixes
Screen reader behavior with blank spaces in Google Docs corrected
Changed
WebRTC fixes to improve performance and stability
Developer
Display dominator trees in Memory tool
Allocation and garbage collection pause profiling in the performance panel
Launch responsive mode from the Style Editor @media sidebar
HTML5
Added support for document.elementsFromPoint
Added HKDF support for Web Crypto API
Fixed in Firefox 46
2016-48 Firefox Health Reports could accept events from untrusted domains
2016-47 Write to invalid HashMap entry through JavaScript.watch()
2016-46 Elevation of privilege with chrome.tabs.update API in web extensions
2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
2016-44 Buffer overflow in libstagefright with CENC offsets
2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors
2016-42 Use-after-free and buffer overflow in Service Workers
2016-41 Content provider permission bypass allows malicious application to access data
2016-40 Privilege escalation through file deletion by Maintenance Service updater
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
Changelog:
Fixed:
Fix an issue impacting the cookie header when third-party cookies are blocked (1257861)
Fix a web compatibility regression impacting the srcset attribute of the image tag (1259482)
Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (1254980)
Fix a crash impacting the video playback with Media Source Extension (1258562)
Fix a regression impacting some specific uploads (1255735)
Changelog:
Fixed
Fix a potential performance regression (Youtube for example) (1220502)
Fix a regression causing search engine settings to be lost in some context (1254694)
Bring back non-standard jar: URIs to fix a regression in IBM iNotes (1255139)
XSLTProcessor.importStylesheet was failing when <import> was used (1249572)
Fix an issue which could cause the list of search provider to be empty (1255605)
Fix a regression when using the location bar (1254503)
Fix some loading issues when Accept third-party cookies: was set to Never (1254856)
Changed
Disabled Graphite font shaping library
Changelog:
New
Instant browser tab sharing through Hello
Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching
Synced Tabs button in button bar
Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level
Guarani [gn] locale added
Fixed
URLs containing a Unicode-format Internationalized Domain Name (IDN) are now properly redirected
Various security fixes
Fixed in Firefox 45
2016-37 Font vulnerabilities in the Graphite 2 library
2016-36 Use-after-free during processing of DER encoded keys in NSS
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-33 Use-after-free in GetStaticInstance in WebRTC
2016-32 WebRTC and LibVPX vulnerabilities found through code inspection
2016-31 Memory corruption with malicious NPAPI plugin
2016-30 Buffer overflow in Brotli decompression
2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore
2016-28 Addressbar spoofing though history navigation and Location protocol property
2016-27 Use-after-free during XML transformations
2016-26 Memory corruption when modifying a file being read by FileReader
2016-25 Use-after-free when using multiple WebRTC data channels
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager
2016-21 Displayed page address can be overridden
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-19 Linux video memory DOS with Intel drivers
2016-18 CSP reports fail to strip location information for embedded iframe pages
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
Changelog:
Fix:
Fix issue which could lead to the removal of stored passwords under certain circumstances (1242176)
Allows spaces in cookie names (1244505)
Fix WebSockets when used in a Service Worker context (1243942)
Disable opus/vorbis audio with H.264 (1245696)
Require NSS 3.21 (1244069)
Ship the Gecko SDK (1243740)
Fix for graphics startup crash (GNU/Linux) (1222171)
Fix a crash in cache networking (1244076)
Changelog:
New
Improved warning pages for certificate errors and untrusted connections
Enable H.264 if system decoder is available
Enable WebM/VP9 video support on systems that don't support MP4/H.264
In the animation-inspector timeline, lightning bolt icon next to animations running on the compositor thread
Support the brotli compression format via HTTPS content-encoding
Screenshot commands allow user choice of pixel ratio in Developer Tools
Fixed
Windows XP and Vista screensaver doesn't disable when watching videos (Bug 1193610)
Various security fixes
Changed
To support unicode-range descriptor for webfonts, font matching under Linux now uses the same font matching code as other platforms
Use a SHA-256 signing certificate for Windows builds, to meet new signing requirements
Firefox has removed support for the RC4 decipher
Firefox will no longer trust the Equifax Secure Certificate Authority 1024-bit root certificate or the UTN - DATACorp SGC to validate secure website certificates
Stricter validation of web fonts
On-screen keyboard support temporarily turned off for Windows 8 and Windows 8.1
Developer
Right click on a logged object in the console to store it as a global variable on the page
Visual tools for Animation:
View/Edit CSS animation keyframe rules directly in the inspector
Visually modify the cubic-bezier curve that drives the way animations progress through time
Discover and scrub through all CSS animations and transitions playing on the page
Learn more: http://devtoolschallenger.com/
Visual tools for Layout and Styles:
Display rulers along the viewport to verify size and position and use the measurement tool to easily detect spacing and alignment problems
Use CSS filters to preview and create real-time effects like drop-shadows, sepia, etc
Learn more: http://devtoolschallenger.com/
New memory tool for inspecting the memory heap
Service Workers API
Built-in JSON reader to intuitively view, search, copy and save data without extensions
Jump to function definitions in the debugger with Cmd-Click
WebSocket Debugging API and add-on
The rule view now displays styles using their authored text, and edits in the rule view are now linked to the style editor
Security bugs:
Fixed in Firefox 44
2016-12 Lightweight themes on Firefox for Android do not verify a secure connection
2016-11 Application Reputation service disabled in Firefox 43
2016-10 Unsafe memory manipulation found through code inspection
2016-09 Addressbar spoofing attacks
2016-08 Delay following click events in file download dialog too short on OS X
2016-07 Errors in mp_div and mp_exptmod cryptographic functions in NSS
2016-06 Missing delay following user click events in protocol handler dialog
2016-05 Addressbar spoofing through stored data url shortcuts on Firefox for Android
2016-04 Firefox allows for control characters to be set in cookie names
2016-03 Buffer overflow in WebGL after out of memory allocation
2016-02 Out of Memory crash when parsing GIF format images
2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
Changelog:
Fixed: Fix for startup crash for users of a third party antivirus tool (Bug 1235537)
Fixed: Multi-user GNU/Linux download folders can be created (Bug 1233434)
Changed: Re-enable SHA-1 certificates (Bug 1236975)
* Fix alsa option build, fix PR pkg/50427
Changelog:
Fix: Fix network issue when using Nvidia's Network Access Manager (1233237)
Fix: On some Windows configurations, improve the decoding of some videos on YouTube (1233970)
Changelog:
New Private Browsing with Tracking Protection offers choice of blocking additional trackers
New Improved API support for m4v video playback
New Firefox 64-bit for Windows is now available via the Firefox download page
New Users can choose search suggestions from the Awesome Bar
New On-screen keyboard displayed on selecting input field on devices running Windows 8 or greater
New Firefox Health Report has switched to use the same data collection mechanism as telemetry
Developer Markup view shows indicators for pseudo-classes locked for elements
Developer Bind F1 key to open the settings when the toolbox is focused
Developer New 'Use in Console' context menu item in Inspector to store selected element in a temporary variable
Developer Search button next to overridden CSS properties to find similar properties in the rules view
Developer Ability to filter styles from their property names in the rules view
Developer Stack traces are now shown for exceptions inside the console
Developer Added ability to display server-side logs in the console
Developer Ability to choose resolution for the GCLI screenshot command
Developer Subresource integrity allows developers to make their sites more secure
Developer Network requests in Console now link to Network panel instead of opening in a popup
Developer Unprefixed 'hyphens' property is now supported
Developer WebIDE now has a sidebar-based UI
Developer The 'transform-origin' property is now supported on SVG elements
Developer Animation inspector now displays animations in a timeline
Developer Single-process mode is no longer supported for NPAPI plugins
Fixed Eyedropper tool does not work as expected when page is zoomed
Fixed Various security fixes
Fixed in Firefox 43
2015-149 Cross-site reading attack through data and view-source URIs
2015-148 Privilege escalation vulnerabilities in WebExtension APIs
2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright
2015-146 Integer overflow in MP4 playback in 64-bit versions
2015-145 Underflow through code inspection
2015-144 Buffer overflows found through code inspection
2015-143 Linux file chooser crashes on malformed images due to flaws in Jasper library
2015-142 DOS due to malformed frames in HTTP/2
2015-141 Hash in data URI is incorrectly parsed
2015-140 Cross-origin information leak through web workers error events
2015-139 Integer overflow allocating extremely large textures
2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed
2015-137 Firefox allows for control characters to be set in cookies
2015-136 Same-origin policy violation using perfomance.getEntries and history navigation
2015-135 Crash with JavaScript variable assignment with unboxed objects
2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)
The find-prefix infrastructure was required in a pkgviews world where
packages installed from pkgsrc could have different installation
prefixes, and this was a way for a dependency prefix to be determined.
Now that pkgviews has been removed there is no longer any need for the
overhead of this infrastructure. Instead we use BUILDLINK_PREFIX.pkg
for dependencies pulled in via buildlink, or LOCALBASE/PREFIX where the
dependency is coming from pkgsrc.
Provides a reasonable performance win due to the reduction of `pkg_info
-qp` calls, some of which were redundant anyway as they were duplicating
the same information provided by BUILDLINK_PREFIX.pkg.
Changelog:
New Private Browsing with Tracking Protection blocks certain Web elements that could be used to record your behavior across sites
New Control Center that contains site security and privacy controls
New Indicator added to tabs that play audio with one-click muting
New WebRTC improvements:
IPV6 support
Preferences for controlling ICE candidate generation and IP exposure
Hooks for extensions to allow/deny createOffer/Answer
Improved ability for applications to monitor and control which devices are used in getUserMedia
New Login Manager improvements:
Improved heuristics to save usernames and passwords
Edit and show all logins in line, Copy/Paste usernames/passwords from the Context menu
Migration imports your passwords to Firefox from Google Chrome for Windows and Internet Explorer; import anytime from the Login Manager
Changed Improved performance on interactive websites that trigger a lot of restyles
HTML5 Media Source Extension for HTML5 video available for all sites
HTML5 Support ImageBitmap and createImageBitmap()
HTML5 Implemented ES6 Reflect
Developer Ability to save filter presets inside CSS Filter Tooltip
Developer CSS filter presets in the Inspector
Developer Configurable Firefox OS Simulator in WebIDE, to simulate reference devices like phones, tablets, even TVs
Developer Asynchronous call stacks now allow web developers to follow the code flow through setTimeout, DOM event handlers, and Promise handlers.
Developer Remote website debugging over WiFi (no USB cable or ADB needed)
Developer View HTML source in a tab
Changelog:
Fixed Fix a startup crash related to Yandex toolbar and Adblock Plus (1209124)
Fixed Fix potential hangs with Flash plugins (1185639)
Fixed Fix a regression in the bookmark creation (1206376)
Fixed Fix a startup crash with some Intel Media Accelerator 3150 graphic cards (1207665)
Fixed Fix a graphic crash, occurring occasionally on Facebook (1178601)
It might still be possible that pkgsrc needs adjustments for gmp loading
if/when we adopt some gmp packages, but until then they serve no purpose
and in fact appear to be harmful. Fixes Firefox startup error message:
addons.manager ERROR Exception calling provider GMPProvider.startup
Changelog:
New Enhance IME support on Windows (Vista +) using TSF (Text Services Framework)
New Ability to set a profile picture for your Firefox Account
New Firefox Hello now includes instant messaging
New SVG images can be used as favicons
New Improved box-shadow rendering performance
Changed WebRTC now requires perfect forward secrecy
Changed WARP is disabled on Windows 7
Changed Updates to image decoding process
Changed Support for running animations of 'transform' and 'opacity' on the compositor thread
HTML5 MessageChannel and MessagePort API enabled by default
HTML5 Added support for the transform-origin property on SVG elements
HTML5 CSS Font Loading API enabled by default
HTML5 Navigator.onLine now varies with actual internet connectivity (Windows and Mac OS X only)
HTML5 Copy/Cut Web content from JavaScript to the OS clipboard with document.execCommand("cut"/"copy")
HTML5 Implemented Cache API for querying named caches that are accessible Window, Worker, and ServiceWorker
Developer Removed support for binary XPCOM components in extensions, use addon SDK "system/child_process" pipe mechanism for native binaries instead
Developer Network requests can be exported in HAR format
Developer Quickly add new CSS rule with New Rule button in the Inspector
Developer Screenshot a node or element from markup view with the Screenshot Node context menu item
Developer Copy element CSS rule declarations with the Copy Rule Declaration context menu item in the Inspector
Developer Pseudo-Class panel in the Inspector
Fixed Picture element does not react to resize/viewport changes
Fixed Various security fixes
Security fixes:
Fixed in Firefox 41
2015-114 Information disclosure via the High Resolution Time API
2015-113 Memory safety errors in libGLES in the ANGLE graphics library
2015-112 Vulnerabilities found through code inspection
2015-111 Errors in the handling of CORS preflight request headers
2015-110 Dragging and dropping images exposes final URL after redirects
2015-109 JavaScript immutable property enforcement can be bypassed
2015-108 Scripted proxies can access inner window
2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
2015-106 Use-after-free while manipulating HTML media content
2015-105 Buffer overflow while decoding WebM video
2015-104 Use-after-free with shared workers and IndexedDB
2015-103 URL spoofing in reader mode
2015-102 Crash when using debugger with SavedStacks in JavaScript
2015-101 Buffer overflow in libvpx while parsing vp9 format video
2015-100 Arbitrary file manipulation by local user through Mozilla updater
2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme
2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes
2015-97 Memory leak in mozTCPSocket to servers
2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
* Enable PIE.
Changelog:
Changed Disable the asynchronous plugin initialization (1198590)
Fixed Fix a segmentation fault in the GStreamer support (GNU/Linux) (1145230)
Fixed Fix a startup crash when using DisplayLink (Windows Only) (1195844)
Fixed Fix a regression with some Japanese fonts used in the <input> field (1194055)
Fixed On some sites, the selection in a select combox box using the mouse could be broken (1194733)
Fixed Some search partner codes were missing (1195683)
Fixed Various security fixes
Fixed in Firefox 40.0.3
2015-95 Add-on notification bypass through data URLs
2015-94 Use-after-free when resizing canvas element during restyling
* Disable OSS support explicitly under NetBSD.
Changelog:
New Enabled API allowing Windows 10 users to open settings dialog (1193196)
Fixed mozalloc.lib was missing from the xulrunner package (1168291)
Fixed Fix a startup crash with some combination of hardware and drivers (1160295)
Changelog:
New Support for Windows 10
New Added protection against unwanted software downloads
New User can receive suggested tiles in the new tab page based on categories Firefox matches to browsing history (en-US only).
New Hello allows adding a link to conversations to provide context on what the conversation will be about
New New style for add-on manager based on the in-content preferences style
New Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only)
New Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked
Changed Add-on extensions that are not signed by Mozilla will display a warning
Changed NPAPI Plug-in performance improved via asynchronous initialization
Changed Smoother animation and scrolling with hardware vsync (Windows only)
Changed JPEG images use less memory when scaled and can be painted faster
Changed Sub-resources can no longer request HTTP authentication, thus protecting users from inadvertently disclosing login data
HTML5 IndexedDB transactions are now non-durable by default
HTML5 Implemented AudioBufferSourceNode.detune to modulate playback rate in cents, a logarithmic unit of measure used for musical intervals
Developer Improved Performance tools in the developer tools: Waterfall view, Call Tree view and a Flame Chart view
Developer New rules view tooltip in the Inspector to tweak CSS Filter values
Developer Console API messages from SharedWorker and ServiceWorker are now displayed in web console
Developer New page ruler highlighting tool that displays lightweight horizontal and vertical rules on a page
Developer Inspector now searches across all content frames in a page
Fixed Kannada text does not display properly in built-in pdf viewer
Fixed Various security fixes
Known Issues
unresolved If Firefox is restarted from an add-on install notification, on-going private browsing downloads might be canceled without warning (1185294)
Fixed in Firefox 40
2015-92 Use-after-free in XMLHttpRequest with shared workers
2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
2015-90 Vulnerabilities found through code inspection
2015-89 Buffer overflows on Libvpx when decoding WebM video
2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
2015-87 Crash when using shared memory in JavaScript
2015-86 Feed protocol with POST bypasses mixed content protections
2015-85 Out-of-bounds write with Updater and malicious MAR file
2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
2015-83 Overflow issues in libstagefright
2015-82 Redefinition of non-configurable JavaScript object properties
2015-81 Use-after-free in MediaStream playback
2015-80 Out-of-bounds read with malformed MP3 file
2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
Fixes Mozilla Foundation Security Advisory 2015-78:
Same origin violation and local file stealing via PDF reader
* Fixes CVE-2015-4495 - It's possible to read local files or
perform privilege escalation by using a native setter, bug 1178058.
* Remove PlayPreview registration from PDF viewer, bug 1179262.
Changelog:
New Share Hello URLs with social networks
New Project Silk: Smoother animation and scrolling (Mac OS X)
New Support for 'switch' role in ARIA 1.1 (web accessibility)
New SafeBrowsing malware detection lookups enabled for downloads (Mac OS X and Linux)
New Support for new Unicode 8.0 skin tone emoji
Changed Removed support for insecure SSLv3 for network communications
Changed Disable use of RC4 except for temporarily whitelisted hosts
Changed The malware detection service for downloads now covers common Mac file types (Bug 1138721)
Changed of displaying dashed lines is improved (Mac OS X) (Bug 1123019)
HTML5 List-style-type now accepts a string value
HTML5 Enable the Fetch API for network requests from dedicated, shared and service workers
HTML5 Cascading of CSS transitions and animations now matches the current spec
HTML5 Implement <link rel="preconnect">allowing anticipation of a future connection without revealing any information
HTML5 Added support for CSS Scroll Snap Points
Developer Drag and drop enabled for nodes in Inspector markup view
Developer Webconsole input history persists even after closing the toolbox
Developer Cubic bezier tooltip now shows a gallery of timing-function presets for use with CSS animations
Developer localhost is now available offline for WebSocket connections
Fixed Improve performance for IPv6 fallback to IPv4
Fixed Fix incomplete downloads being marked as complete by detecting broken HTTP1.1 transfers
Fixed The Security state indicator on a page now correctly ignores loads caused by previous pages
Fixed Fixed an issue where a Hello conversation window would sometimes fail to open
Fixed A regression that could lead to Flash not displaying has been fixed
Fixed Update to NSS 3.19.2
Fixed Various security fixes
Fixed in Firefox 39
2015-71 NSS incorrectly permits skipping of ServerKeyExchange
2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
2015-69 Privilege escalation in PDF.js
2015-68 OS X crash reports may contain entered key press information
2015-67 Key pinning is ignored when overridable errors are encountered
2015-66 Vulnerabilities found through code inspection
2015-65 Use-after-free in workers while using XMLHttpRequest
2015-64 ECDSA signature validation fails to handle some signatures correctly
2015-63 Use-after-free in Content Policy due to microtask execution error
2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio
2015-61 Type confusion in Indexed Database Manager
2015-60 Local files or privileged URLs in pages can be opened into new tabs
2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)
Changelog:
New: Keep track of articles and videos with Pocket
New: Clean formatting for articles and blog posts with Reader View
New: Share the active tab or window in a Hello conversation
Fixed: A race condition that would cause Firefox to stop painting when switching tabs (bug 1067470)
Fixed: Fixed graphics performance when using the built-in VGA driver on Windows 7 (Bug 1165732)
Changelog:
Fixed Systems with first generation NVidia Optimus graphics cards may crash on start-up
Fixed Users who import cookies from Google Chrome can end up with broken websites
Fixed WebRTC H264 video streams from CiscoSpark native clients are not decoded correctly. (Fixed in Firefox ESR 38.0.1; was already fixed in Firefox 38.0)
Fixed Large animated images may fail to play and may stop other images from loading
Changelog:
New New tab-based preferences
New Ruby annotation support
New Base for the next ESR release.
Changed autocomplete=off is no longer supported for username/password fields
Changed URL parser avoids doing percent encoding when setting the Fragment part of the URL, and percent decoding when getting the Fragment in line with the URL spec
Changed RegExp.prototype.source now returns "(?:)" instead of the empty string for empty regular expressions
Changed Improved page load times via speculative connection warmup
HTML5 WebSocket now available in Web Workers
HTML5 BroadcastChannel API implemented
HTML5 Implemented srcset attribute and <picture> element for responsive images
HTML5 Implemented DOM3 Events KeyboardEvent.code
HTML5 Mac OS X: Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube
HTML5 Implemented Encrypted Media Extensions (EME) API to support encrypted HTML5 video/audio playback (Windows Vista or later only)
HTML5 Automatically download Adobe Primetime Content Decryption Module (CDM) for DRM playback through EME (Windows Vista or later only)
Developer Optimized-out variables are now visible in Debugger UI
Developer XMLHttpRequest logs in the web console are now visually labelled and can be filtered separately from regular network requests
Developer WebRTC now has multistream and renegotiation support
Developer copy command added to console
Fixed Various security fixes
Fixed in Firefox 38
2015-58 Mozilla Windows updater can be run outside of application directory
2015-57 Privilege escalation through IPC channel messages
2015-56 Untrusted site hosting trusted page can intercept webchannel responses
2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata
2015-54 Buffer overflow when parsing compressed XML
2015-53 Use-after-free due to Media Decoder Thread creation during shutdown
2015-52 Sensitive URL encoded information written to Android logcat
2015-51 Use-after-free during text processing with vertical text enabled
2015-50 Out-of-bounds read and write in asm.js validation
2015-49 Referrer policy ignored when links opened by middle-click and context menu
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
* Bump nspr requirement.
Changelog:
New Heartbeat user rating system - your feedback about Firefox
New Yandex set as default search provider for the Turkish locale
New Bing search now uses HTTPS for secure searching
New Improved protection against site impersonation via OneCRL centralized certificate revocation
New Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc
Changed Disabled insecure TLS version fallback for site security
Changed Extended SSL error reporting for reporting non-certificate errors
Changed TLS False Start optimization now requires a cipher suite using AEAD construction
Changed Improved certificate and TLS communication security by removing support for DSA
Changed Improved performance of WebGL rendering on Windows
HTML5 Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube (Windows only)
HTML5 Added support for CSS display:contents
HTML5 IndexedDB now accessible from worker threads
HTML5 New SDP/JSEP implementation in WebRTC
Developer Debug tabs opened in Chrome Desktop, Chrome for Android, and Safari for iOS
Developer New Inspector animations panel to control element animations
Developer New Security Panel included in Network Panel
Developer Debugger panel support for chrome:// and about:// URIs
Developer Added logging of weak ciphers to the web console
Fixed Various security fixes
Fixed in Firefox 37
2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
2015-41 PRNG weakness allows for DNS poisoning on Android
2015-40 Same-origin bypass through anchor navigation
2015-39 Use-after-free due to type confusion flaws
2015-38 Memory corruption crashes in Off Main Thread Compositing
2015-37 CORS requests should not follow 30x redirections after preflight
2015-36 Incorrect memory management for simple-type arrays in WebRTC
2015-35 Cursor clickjacking with flash and images
2015-34 Out of bounds read in QCMS library
2015-33 resource:// documents can load privileged pages
2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
Changelog:
Fixed 36.0.4: Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest
Fixed in Firefox 36.0.4
2015-28 Privilege escalation through SVG navigation
Fixed in Firefox 36.0.3
2015-29 Code execution through incorrect JavaScript bounds checking elimination
Changelog:
Fixed 36.0.1 - Disable the usage of the ANY DNS query type (1093983)
Fixed 36.0.1 - Fixed a startup crash with EMET (1137050)
Fixed 36.0.1 - Hello may become inactive until restart (1137469)
Fixed 36.0.1 - Print preferences may not be preserved (1136855)
Fixed 36.0.1 - Hello contact tabs may not be visible (1137141)
Fixed 36.0.1 - Accept hostnames that include an underscore character ("_") (1136616)
Fixed 36.0.1 - WebGL may use significant memory with Canvas2d (1137251)
Fixed 36.0.1 - Option -remote has been restored (1080319)
Fixed 36.0.1 - Fix a top crash
Changelog:
New Pinned tiles on the new tab page can be synced
New Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web.
New Locale added: Uzbek (uz)
Changed -remote option removed
Changed No longer accept insecure RC4 ciphers whenever possible
Changed Phasing out Certificates with 1024-bit RSA Keys
Changed Shut down hangs will now show the crash reporter before exiting the program
Changed Add-on Compatibility
HTML5 Support for the ECMAScript 6 Symbol data type added
HTML5 unicode-range CSS descriptor implemented
HTML5 CSSOM-View scroll behavior implemented allowing smooth scrolling of content without custom libraries
HTML5 object-fit and object-position implemented.
Defines how and where the content of a replaced element is displayed
HTML5 isolation CSS property implemented.
Create a new stacking context to isolate groups of boxes to control which blend together
HTML5 CSS3 will-change property implemented.
Hints the browser of elements that will be modified. The browser will perform some performance optimization for these
HTML5 Changed JavaScript 'const' semantics to conform better to the ES6 specification.
The const declaration is now block-scoped and requires an initializer. It also can not be redeclared anymore.
HTML5 Improved ES6 generators for better performance
Developer Eval sources now appear in the Debugger
Debug JavaScript code that is evaluated dynamically, either as a string passed to eval() or as a string passed to the Function constructor
Developer DOM Promises inspection
Developer Inspector: More paste options in markup view
Fixed CSS gradients work on premultiplied colors
Fixed Fix some unexpected logout from Facebook or Google after restart
Fixed Various security fixes
Fixed in Firefox 36
2015-27 Caja Compiler JavaScript sandbox bypass
2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs
2015-25 Local files or privileged URLs in pages can be opened into new tabs
2015-24 Reading of local files through manipulation of form autocomplete
2015-23 Use-after-free in Developer Console date with OpenType Sanitiser
2015-22 Crash using DrawTarget in Cairo graphics library
2015-21 Buffer underflow during MP3 playback
2015-20 Buffer overflow during CSS restyling
2015-19 Out-of-bounds read and write while rendering SVG content
2015-18 Double-free when using non-default memory allocators with a zero-length XHR
2015-17 Buffer overflow in libstagefright during MP4 video playback
2015-16 Use-after-free in IndexedDB
2015-15 TLS TURN and STUN connections silently fail to simple TCP connections
2015-14 Malicious WebGL content crash when writing strings
2015-13 Appended period to hostnames can bypass HPKP and HSTS protections
2015-12 Invoking Mozilla updater will load locally stored DLL files
2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)
PLIST:
* lib/firefox/libmozglue.so is built and installed as a shared
library on some platforms including Darwin.
mozilla-common.mk:
* Sandboxing support is only available when the toolkit is
cairo-cocoa.
* It tries to use MacOS X 10.6 SDK by default, which is not always
possible.
patches/patch-build_gyp.mozbuild:
* Don't assume iOS just because the toolkit is not cocoa. Ideally
there should be an AC_SUBST just like 'ARM_ARCH' but nothing
exists currently.
* MacOS X SDK version should be able to configure with ./configure
--enable-macos-target=VER
patches/patch-extensions_spellcheck_hunspell_src_mozHunspell.cpp:
* NS_NewNativeLocalFile() can fail and leave hunDir null, so we must
check if it succeeded. This is not Darwin specific though.
* "%%LOCALBASE%%" in the hunspell path is currently not substituted,
which looks very erroneous to me. But since I don't know why
ryoon@ changed it from "@PREFIX@" to "%%LOCALBASE%%" I leave it as
it is.
patches/patch-ipc_glue_moz.build:
* Don't assume cocoa toolkit just because OS_ARCH is Darwin.
patches/patch-js_src_asmjs_AsmJSSignalHandlers.cpp:
* Increase portability for non-x86 Darwin by not hardwiring
x86_THREAD_STATE.
patches/patch-js_xpconnect_src_xpcprivate.h:
* The declaration has to be C++11 'extern template', otherwise
non-weak symbol collision will occur between libmozjs and
libxul. We can't easily test if the feature is supported by
compiler due to GCC bug #1773:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=1773
patches/patch-memory_mozalloc_VolatileBufferOSX.cpp:
* Try to fallback to valloc(3) if posix_memalign(3) is not
avialble. It has been added since MacOS 10.6.
patches/patch-toolkit_library_moz.build:
* GSTREAMER_LIBS are linked to libxul on Darwin, while they are
dlopen(3)'ed at runtime on other platforms. The problem is that
the toolkit being cocoa isn't relevant at all. It's Darwin that
needs the special handling, not Cocoa.
patches/patch-toolkit_xre_nsAppRunner.cpp:
* MacOS X < 10.6 had an undocumented behavior concerning execve(2)
inside a threaded process. If a process tried to call execve(2)
and had more than one active thread, the kernel returned
ENOTSUP. So we have to either fork(2) or vfork(2) before calling
execve(2) to make sure the caller is single-threaded as otherwise
the application fails to restart itself.
patches/patch-xpcom_base_nsStackWalk.cpp,
patches/patch-xpcom_build_PoisonIOInterposer.h:
* Replace XP_MACOSX with XP_DARWIN as the former is not defined when
the toolkit is not cocoa.
patches/patch-xpcom_glue_standalone_nsXPCOMGlue.cpp:
* Fix inconsistent use of XP_DARWIN and XP_MACOSX:
LEADING_UNDERSCORE should be empty when we are going to load XPCOM
using dlopen(3), not NSAddImage().
Changelog:
Fixed 35.0.1 - With the Enhanced Steam extension, Firefox could crash (1123732)
Fixed 35.0.1 - Fix a potential startup crash (1122367)
Fixed 35.0.1 - Kerberos authentication did not work with alias (1108971)
Fixed 35.0.1 - SVG / CSS animation had a regression causing rendering issues on websites like openstreemap.org (1083079)
Fixed 35.0.1 - On Godaddy webmail, Firefox could crash (1113121)
Fixed 35.0.1 - document.baseURI did not get updated to document.location after base tag was removed from DOM for site with a CSP (1121857)
Fixed 35.0.1 - With a Right-to-left (RTL) version of Firefox, the text selection could be broken (1104036)
Fixed 35.0.1 - CSP had a change in behavior with regard to case sensitivity resources loading (1122445)
Changelog:
New Firefox Hello with new rooms-based conversations model
New New search UI improved and enabled for more locales
New Access the Firefox Marketplace from the Tools menu and optional toolbar button
New Built-in support for H264 (MP4) on Mac OS X Snow Leopard (10.6) and newer through native APIs
New Use tiled rendering on OS X
New Improved high quality image resizing performance
New Improved handling of dynamic styling changes to increase responsiveness
HTML5 Added support for the CSS Font Loading API
HTML5 Resource Timing API implemented
HTML5 CSS filters enabled by default
HTML5 Changed JavaScript 'let' semantics to conform better to the ES6 specification
Developer Support for inspecting ::before and ::after pseudo elements
Developer Computed view: Nodes matching the hovered selector are now highlighted
Developer Network Monitor: New request/response headers view (more info)
Developer Added support for the EXT_blend_minmax WebGL extension
Fixed Show DOM Properties context menu item in inspector
Fixed Reduced resource usage for scaled images
Fixed PDF.js updated to version 1.0.907
Fixed Non-HTTP(S) XHR now returns correct status code
Fixed Various security fixes
Security fixes:
2015-09 XrayWrapper bypass through DOM objects
2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension
2015-07 Gecko Media Plugin sandbox escape
2015-06 Read-after-free in WebRTC
2015-05 Read of uninitialized memory in Web Audio
2015-04 Cookie injection through Proxy Authenticate responses
2015-03 sendBeacon requests lack an Origin header
2015-02 Uninitialized memory use during bitmap rendering
2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)
Changelog:
New Default search engine changed to Yahoo! for North America
New Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales
New Improved search bar (en-US only)
New Firefox Hello real-time communication client
New Easily switch themes/personas directly in the Customizing mode
New Wikipedia search now uses HTTPS for secure searching (en-US only)
New Implementation of HTTP/2 (draft14) and ALPN
New Recover from a locked Firefox process in the "Firefox is already running" dialog on Windows
Changed Disabled SSLv3
Changed Proprietary window.crypto properties/functions re-enabled (to be removed in Firefox 35)
Changed Firefox signed by Apple OS X version 2 signature
HTML5 ECMAScript 6 WeakSet Implemented
HTML5 JavaScript Template Strings Implemented
HTML5 CSS3 Font variants and features control (e.g. kerning) implemented
HTML5 WebCrypto: RSA-OAEP, PBKDF2 and AES-KW support
HTML5 WebCrypto: wrapKey and unwrapKey implemented
HTML5 WebCrypto: Import/export of JWK-formatted keys
HTML5 matches() DOM API implemented (formerly mozMatchesSelector())
HTML5 Performance.now() for workers implemented
HTML5 WebCrypto: ECDH support
Developer WebIDE: Create, edit, and test a new Web application from your browser
Developer Highlight all nodes that match a given selector in the Style Editor and the Inspector's Rules panel
Developer Improved User Interface of the Profiler
Developer console.table function added to web console
Fixed CSS transitions start correctly when started at the same time as changes to display, position, overflow, and similar properties
Fixed Various security fixes
2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
2014-88 Buffer overflow while parsing media content
2014-87 Use-after-free during HTML5 parsing
2014-86 CSP leaks redirect data via violation reports
2014-85 XMLHttpRequest crashes with some input streams
2014-84 XBL bindings accessible via improper CSS declarations
2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)
Changelog:
Fixed
33.0.3: Blacklisted graphics drivers that were causing black screens with OMTC enabled (1093863)
Fixed
33.0.3 Fix two startup crashes with some combination of hardware and drivers (1064107 and 1021265)
Changelog:
New
OpenH264 support (sandboxed)
New
Improved search experience through the location bar
New
Slimmer and faster JavaScript strings
New
Search suggestions on the Firefox Start (about:home) and new tab (about:newtab) pages
New
Windows: OMTC enabled by default
New
New CSP (Content Security Policy) backend
New
Support for connecting to HTTP proxy over HTTPS
New
Improved reliability of the session restoration
New
Azerbaijani [az] locale added
Changed
Proprietary window.crypto properties/functions removed
Changed
JSD (JavaScript Debugger Service) removed in favor of the Debugger interface
HTML5
@counter-style rule from CSS3 Counter Styles specification implemented
HTML5
DOMMatrix interface implemented
Developer
Cubic-bezier curves editor
Developer
Display which elements have listeners attached
Developer
New sidebar which displays a list of shortcuts to every @media rule in the current stylesheet
Developer
Paint flashing for browser content repaints
Developer
Editable @keyframes rules in the Rules section of the Inspector
Developer
CSS transform highlighter in the style-inspector
Fixed
Fix incomplete downloads being marked as complete by detecting broken HTTP1.1 transfers (237623)
Fixed
Various security fixes
Fixed in Firefox 33
MFSA 2014-82 Accessing cross-origin objects via the Alarms API
MFSA 2014-81 Inconsistent video sharing within iframe
MFSA 2014-80 Key pinning bypasses
MFSA 2014-79 Use-after-free interacting with text directionality
MFSA 2014-78 Further uninitialized memory use during GIF
MFSA 2014-77 Out-of-bounds write with WebM video
MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
MFSA 2014-75 Buffer overflow during CSS manipulation
MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)
Changelog:
Fixed
32.0.3: New security fixes can be found here
New
New HTTP cache provides improved performance including crash recovery
New
Integration of generational garbage collection
New
Public key pinning support enabled
New
View historical use information for logins stored in password manager
New
Display the number of found items in the find toolbar
New
Easier back, forward, reload, and bookmarking through the context menu
New
Lower Sorbian [dsb] locale added
Changed
Removed and turned off trust bit for some 1024-bit root certificates
Changed
Performance improvements to Password Manager and Add-on Manager
HTML5
drawFocusIfNeeded enabled by default
HTML5
ECMAScript 6 built-in method Array#copyWithin implemented
HTML5
CSS position:sticky enabled by default
HTML5
mix-blend-mode enabled by default
HTML5
New Array built-in: Array.from()
HTML5
navigator.languages property and languagechange event implemented
HTML5
Vibration API updated to latest W3C spec
HTML5
CSS box-decoration-break replaces -moz-background-inline-policy
HTML5
box-decoration-break enabled by default
Developer
HiDPI support in Developer Tools UI
Developer
Inspector button moved to the top left
Developer
Hidden nodes displayed differently in the markup-view
Developer
New Web Audio Editor
Developer
Code completion and inline documentation added to Scratchpad
Fixed
32.0.2 - Corrupt installations cause Firefox to crash on update
Fixed
32.0.1 - Stability issues for computers with multiple graphics cards
Fixed
32.0.1 - Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites
Fixed
32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified
Fixed
Various security fixes
Fixed
Mac OS X: cmd-L does not open a new window when no window is available
Fixed
Text Rendering Issues on Windows 7 with Platform Update KB2670838 (MSIE 10 Prerequisite) or on Windows 8.1
Security fixes:
Fixed in Firefox 32.0.3
MFSA 2014-73 RSA Signature Forgery in NSS
Fixed in Firefox 32
MFSA 2014-72 Use-after-free setting text directionality
MFSA 2014-71 Profile directory file access through file: protocol
MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline
MFSA 2014-69 Uninitialized memory use during GIF rendering
MFSA 2014-68 Use-after-free during DOM interactions with SVG
MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)
