Changelog:
Fixed in Firefox ESR 38.8
2016-47 Write to invalid HashMap entry through JavaScript.watch()
2016-44 Buffer overflow in libstagefright with CENC offsets
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
2016-36 Use-after-free during processing of DER encoded keys in NSS
2016-29 Same-origin policy violation using performance.getEntries and history navigation with session restore
2016-15 Use-after-free in NSS during SSL connections in low memory
2016-07 Errors in mp_div and mp_exptmod cryptographic functions in NSS
Changelog:
Fixed in Firefox ESR 38.7
2016-37 Font vulnerabilities in the Graphite 2 library
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-31 Memory corruption with malicious NPAPI plugin
2016-28 Addressbar spoofing though history navigation and Location protocol property
2016-27 Use-after-free during XML transformations
2016-25 Use-after-free when using multiple WebRTC data channels
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-21 Displayed page address can be overridden
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
2015-136 Same-origin policy violation using performance.getEntries and history navigation
2015-81 Use-after-free in MediaStream playback
Changelog:
Fixed in Firefox ESR 38.6
2016-03 Buffer overflow in WebGL after out of memory allocation
2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
2015-150 MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
Changelog:
Fixed Various security fixes
Fixed Improved stability with Java (1221448)
Fixed in Firefox ESR 38.5
2015-149 Cross-site reading attack through data and view-source URIs
2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright
2015-146 Integer overflow in MP4 playback in 64-bit versions
2015-145 Underflow through code inspection
2015-139 Integer overflow allocating extremely large textures
2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed
2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)
The find-prefix infrastructure was required in a pkgviews world where
packages installed from pkgsrc could have different installation
prefixes, and this was a way for a dependency prefix to be determined.
Now that pkgviews has been removed there is no longer any need for the
overhead of this infrastructure. Instead we use BUILDLINK_PREFIX.pkg
for dependencies pulled in via buildlink, or LOCALBASE/PREFIX where the
dependency is coming from pkgsrc.
Provides a reasonable performance win due to the reduction of `pkg_info
-qp` calls, some of which were redundant anyway as they were duplicating
the same information provided by BUILDLINK_PREFIX.pkg.
Changelog:
Fixed in Firefox ESR 38.4
2015-133 NSS and NSPR memory corruption issues
2015-132 Mixed content WebSocket policy bypass through workers
2015-131 Vulnerabilities found through code inspection
2015-130 JavaScript garbage collection crash with Java applet
2015-128 Memory corruption in libjar through zip files
2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
2015-123 Buffer overflow during image interactions in canvas
2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
It might still be possible that pkgsrc needs adjustments for gmp loading
if/when we adopt some gmp packages, but until then they serve no purpose
and in fact appear to be harmful. Fixes Firefox startup error message:
addons.manager ERROR Exception calling provider GMPProvider.startup
Changelog:
Fixed in Firefox ESR 38.3
2015-113 Memory safety errors in libGLES in the ANGLE graphics library
2015-112 Vulnerabilities found through code inspection
2015-111 Errors in the handling of CORS preflight request headers
2015-110 Dragging and dropping images exposes final URL after redirects
2015-106 Use-after-free while manipulating HTML media content
2015-105 Buffer overflow while decoding WebM video
2015-101 Buffer overflow in libvpx while parsing vp9 format video
2015-100 Arbitrary file manipulation by local user through Mozilla updater
2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
* Fix build with newer freetype.
Changelog:
Fixed in Firefox ESR 38.2.1
2015-95 Add-on notification bypass through data URLs
2015-94 Use-after-free when resizing canvas element during restyling
Upstream changes, ref.
https://www.mozilla.org/en-US/firefox/38.2.0/releasenotes/
* Firefox may crash during mp4 video playback
* Significant memory leak with GreaseMonkey add-on
* crash [@ RtlEnterCriticalSection | MessageLoop::PostTask_Helper]
on browser shutdown
* Browser UI becomes unresponsive state when using Unity Web Player Plugin
* ESRs will not build on hppa platform
* crash in mozilla::layers::SyncObjectD3D11::FinalizeFrame()
and a smattering of security fixes:
* 2015-92 Use-after-free in XMLHttpRequest with shared workers
* 2015-90 Vulnerabilities found through code inspection
* 2015-89 Buffer overflows on Libvpx when decoding WebM video
* 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
* 2015-87 Crash when using shared memory in JavaScript
* 2015-85 Out-of-bounds write with Updater and malicious MAR file
* 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service
with hard links
* 2015-83 Overflow issues in libstagefright
* 2015-82 Redefinition of non-configurable JavaScript object properties
* 2015-80 Out-of-bounds read with malformed MP3 file
* 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
Fixes Mozilla Foundation Security Advisory 2015-78:
Same origin violation and local file stealing via PDF reader
* Fixes CVE-2015-4495 - It's possible to read local files or
perform privilege escalation by using a native setter, bug 1178058.
* Remove PlayPreview registration from PDF viewer, bug 1179262.
ref. https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems.
It is fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up
windows.
Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.
This package tracks 38 ESR.
