Changelog:
59.0.1
Security fix
#CVE-2018-5146: Out of bounds memory write in libvorbis
59.0
New
Performance enhancements:
- Faster load times for content on the Firefox Home page
- Faster page load times by loading either from the networked cache
or the cache on the user's hard drive (Race Cache With Network)
- Improved graphics rendering using Off-Main-Thread Painting (OMTP)
for Mac users (OMTP for Windows was released in Firefox 58)
Drag-and-drop to rearrange Top Sites on the Firefox Home page, and
customize new windows and tabs in other ways
Added features for Firefox Screenshots:
- Basic annotation lets the user draw on and highlight saved screenshots
- Recropping to change the viewable area of saved screenshots
Enhanced WebExtensions API including better support for decentralized
protocols and the ability to dynamically register content scripts
Improved Real-Time Communications (RTC) capabilities.
- Implemented RTP Transceiver to give pages more fine-grained control
over calls
- Implemented features to support large scale conferences
Added support for W3C specs for pointer events and improved platform
integration with added device support for mouse, pen, and touch
screen pointer input
Added the Ecosia search engine as an option for German Firefox
Added the Qwant search engine as an option for French Firefox
Added settings in about:preferences to stop websites from asking to
send notifications or access your device's camera, microphone, and
location, while still allowing trusted websites to use these features
Fixed
Various security fixes
Changed
Firefox Private Browsing Mode will remove path information from
referrers to prevent cross-site tracking
Security fixes:
#CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
#CVE-2018-5128: Use-after-free manipulating editor selection ranges
#CVE-2018-5129: Out-of-bounds write with malformed IPC messages
#CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
#CVE-2018-5131: Fetch API improperly returns cached copies of
no-store/no-cache resources
#CVE-2018-5132: WebExtension Find API can search privileged pages
#CVE-2018-5133: Value of the app.support.baseURL preference is not properly
sanitized
#CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content
restrictions
#CVE-2018-5135: WebExtension browserAction can inject scripts into
unintended contexts
#CVE-2018-5136: Same-origin policy violation with data: URL shared workers
#CVE-2018-5137: Script content can access legacy extension
non-contentaccessible resources
#CVE-2018-5138: Android Custom Tab address spoofing through long domain names
#CVE-2018-5140: Moz-icon images accessible to web content through moz-icon:
protocol
#CVE-2018-5141: DOS attack through notifications Push API
#CVE-2018-5142: Media Capture and Streams API permissions display
incorrect origin with data: and blob: URLs
#CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into
addressbar
#CVE-2018-5126: Memory safety bugs fixed in Firefox 59
#CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
remote code execution via ogg files.
Note that neither firefox52 nor this patches tremor, so the vulnerability
still exists for ARM (which uses tremor rather than vorbis).
Blind commit. I don't have the resources to build so many firefoxes.
However it is based off firefox52.
PKGREVISION++
This fixes an out-of-bounds write, but possibly many other changes.
Unfortunately upstream doesn't do releases for tremor, so I manually
fetched the tarball and uploaded it.
Use boost::make_shared instead of std::make_shared in a few places
where it doesn't compile with netbsd-7/gcc4.8.5. I'm not sure; there
may be a more portable way to handle this.
## 3.1.5
- Fixed Python 2/3 incompatibility with `itertools.izip_longest()`.
## 3.1.4
- Added `BigAutoField` to support 64-bit auto-incrementing primary
keys.
- Use Peewee-compatible datetime serialization when exporting JSON
from a `DataSet`. Previously the JSON export used ISO-8601 by default.
- Added `Database.batch_commit` helper to wrap iterators in chunked
transactions.
## 3.1.3
- Fixed issue where scope-specific settings were being updated
in-place instead of copied.
- Fixed bug where setting a `ForeignKeyField` did not add it to the
model's "dirty" fields list.
- Use pre-fetched data when using `prefetch()` with `ManyToManyField`.
- Use `JSON` data-type for SQLite `JSONField` instances.
- Add a `json_contains` function for use with SQLite `json1` extension.
- Various documentation updates and additions.
ssl:
- Added new API functions to facilitate cipher suite
handling
erts, observer:
- More crash dump info such as: process binary virtual
heap stats, full info for process causing out-of-mem
during GC, more port related info, and dirty scheduler
info.
inets:
- Add support for unix domain sockets in the http client.
changes in version 1.28:
* The formerly internal yat2m tool is now installed for a native
build.
* The new files gpgrt.m4 and gpgrt-config are now installed. They
can be used instead of gpg-error.m4 and gpg-error-config.
* New logging functions similar to those used by GnuPG.
* New helper functions for platform abstraction.
I'm pleased to announce the 18.0.1 release of xf86-video-ati, the Xorg
driver for ATI/AMD Radeon GPUs supported by the radeon kernel driver.
This release supports xserver versions 1.13-1.19. It also works with
xserver 1.20 RC1, so unless something unexpected happens, it should work
with xserver 1.20 as well.
This is a bug-fix release addressing issues in 18.0.0. While those
issues shouldn't affect most users, I recommend that all users of 18.0.0
update to 18.0.1.
* The Xorg process could crash when multiple primary screens are
configured in xorg.conf.
* TearFree could trigger debugging messages in the pixman library
I'm pleased to announce the 18.0.1 release of xf86-video-amdgpu, the
Xorg driver for AMD Radeon GPUs supported by the amdgpu kernel driver.
This release supports xserver versions 1.13-1.19. It also works with
xserver 1.20 RC1, so unless something unexpected happens, it should work
with xserver 1.20 as well.
This is a bug-fix release addressing issues in 18.0.0. While those
issues shouldn't affect most users, I recommend that all users of 18.0.0
update to 18.0.1.
* The Xorg process could enter an infinite loop after a server reset (in
configurations where Xorg doesn't terminate when the last client
disconnects)
* The Xorg process could crash when multiple primary screens are
configured in xorg.conf.
* TearFree could trigger debugging messages in the pixman library
This is to reflect the behaviour documented in netpgp(1).
Originally submitted on tech-pkg@ as:
[PATCH 09/11] Output signatures to the standard output for "-"
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Originally submitted on tech-pkg@ as:
[PATCH 07/11] Correct option "--armor"
[PATCH 08/11] Also document alternate option "--detach"
As also applied in NetBSD's src repository.
Originally submitted on tech-pkg@ as:
[PATCH 04/11] Do not use random data for pass-phrases on EOF
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Tested on NetBSD/amd64.
This also fixes a crash when the pass-phrase entered is empty.
Originally submitted on tech-pkg@ as:
[PATCH 02/11] Do not truncate pass-phrases without a newline character
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Tested on NetBSD/amd64.
Originally submitted on tech-pkg@ as:
[PATCH 06/11] Do not ask for a passphrase when empty
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Tested on NetBSD/amd64.