í«îÛ    MozillaFirefox-translations-common-140.4.0-150200.152.207.1                         Ž­è         <   >     ,     è            ê          ì         Ø‰ hñöSp¯ž9Û|‚È/þ,æÐëÌ+++* ²¶* «ì‚*c_…Uä±˜”RÊ5¿?·æF,4&× ò#Y>Ÿšù3ôæÆƒ$ŠÊ'ËÈ­éEfÀt8$H
NRƒ!Ÿæ
4”æsrêÑ~ð°L$ÞMÄ*EáðwÏyÍ«§[G÷ñ«œe÷ñ…‹v÷
›/üTÑ'e¿¢’xê>ï* •Þ„}¤ÿQU^å[|[s£2]ÄWSËÐ¨Š‹‹wkDœ=NÚÀ½Ì,Šñ±Nib«møa@?šÌ›ûNõú¿â
'ÿÓŠfÒBºô»fv¥›½$ÅÖ[l”KO}}åÌFH§ðÂ^õ ÎÜY0DI‹™èó   >   ÿÿÿÀ       Ž­è       > ËÔ   ?    ËÄ      d            è           é      %     ê      -     ì   	   >     í   	   ^     î      °     ï      ´     ñ      À     ò      Ä     ó      Ý     ö      þ     ÷          ø   	       ü     0     ý     H     þ     N          X          Ä     	     ú     
     0          œ          ÷          	          	€          
          
Ž          
À          ,                    ,          ž     (     Â     8     Ì    9          :     )ª    B    Ã7     F    ÃS     G    Ãh     H    ÃÔ     I    Ä@     X    Ä\     Y    Äl     Z    Ä      [    Ä¤     \    ÄÀ     ]    Å,     ^    Èá     b    É0     c    ÉÙ     d    Êb     e    Êg     f    Êj     l    Êl     u    Ê€     v    Êì     z    Ëa     “    Ët     Æ    Ëx     ä    Ë~     å    ËÀ   C MozillaFirefox-translations-common 140.4.0 150200.152.207.1 Common translations for Firefox This package contains several common languages for the user interface
of Firefox. hñöSh01-ch5a     —‡SUSE Linux Enterprise 15 SUSE LLC <https://www.suse.com/> MPL-2.0 https://www.suse.com/ System/Localization http://www.mozilla.org/ linux x86_64             ä= Oý e’ ¾ã , E? oû øÀ ûÂ þ` ¼ü 'W C$ çw o} 65 ·¿ Õ *J å û š Ñ h :AíAí¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤                                                      hñõÆhñõ¸hñõ·hñõ·hñõ·hñõ·hñõ·hñõ·hñõ·hñõ·hñõ·hñõ·hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸hñõ¸  ff1c5743f96a4d22b36f8fca697177bb0c11d3c26ee081ed423b2a583399f6e3 c8821d5cb8ba98cc5e75cd9728288716a04ee7f1d8ce83fe21253f4262d9e7ed 60fccacd0b65db80169be734a6535ebcee9eb6a7e4d6c000b4c48779bdbffeb0 2dfdd0e5c8613585b215b57af8a5c6883d2b62df800c0272d77dd8e04bfcb46b d29b743f63cf2f61a597803ecee82b22c653999e76ca90a36718236df8964fd4 fa6543419f7ea85cc7cd045682a7d50ec27d9f62bd2d21a9f39cf025b20c9b3d 07a8e024842bd55d80130e8c012c2cabb73a00af0e43e15110bac80cd9c52c5a 74ca9a6f2034acbb26e5774564c385d6f2a59c566f0ce3bc551b4e2c136c8be5 0bbb5c4132da692af3251371d203dfaaff5d8ccaae6bb821af1736508a8b8df5 5d1ec6ddc9a77cca1ba2f432c01d2cb2e9f62c29942a69a6dfff9d40254bd13c 173d4109db369b8fb1f93a06da351e1ff04ac8412213ec4c00191056af2a67c5 d343f209b44b83c4b41e36ba9db0525b4daa9fc71619205816ef6af95d0ab359 526a1e009e4f469572c008f24e35e17bcc7e19c3817774bf987a167068e6e5a7 4fafda6ad5a4f08f2a99830fdee9eeb25829cfacc63a5e15fc20cc6d939ffd3e 5bc8edad172e4330927b8f1d8d670038e8f1c481f23eca07a725364ad54000e1 ad8d662b3187ae2216f82faf8ee9717ec69683bd86c876a2f2e6a33aaa83a3e1 868ebafc2040a1e03c8ec4d3129eda1def90401ad26aa3a123368eeaf790788b b1a949157751058dc1a3439f0e4112b6c95929ce00f908c36bce45afb2ff184d 449384646cae660231acc6cc089e8146ac296a428dd91cbb053fd137cd69bbd5 0ff5311dd7a17f2700902bc6a6d90d4ee9a793a311ffac410d2b20f4509897d9 1629567058021328af5d4992c6cac4e94dbda8a6fb33e5a793627d6ed885c947 137ea17fad15194d5fb134bc0df6bd9899f080690c21862e2bba96f27c6b9dc1 f9f774d2ce86fa333659718069f222f7bedc6ab073b7dfc1695855cf3d293a5d 0278f8c6182f656301abda73bcf69da7d14dd1c7d0694fedf092f0f494d016ab 75883a06d8dc58e56f52c37ca4f9e591b8afdfacedc0fa9dccf3062a8e1657ed                                                                                                                                          root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root root MozillaFirefox-140.4.0-150200.152.207.1.src.rpm   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿMozillaFirefox-translations MozillaFirefox-translations-common MozillaFirefox-translations-common(x86-64) locale(MozillaFirefox:ar;ca;cs;da;de;el;en_GB;es_AR;es_CL;es_ES;fi;fr;hu;it;ja;ko;nb_NO;nl;pl;pt_BR;pt_PT;ru;sv_SE;zh_CN;zh_TW)        
  
  
  
MozillaFirefox rpmlib(CompressedFileNames) rpmlib(FileDigests) rpmlib(PayloadFilesHavePrefix) rpmlib(PayloadIsXz) 140.4.0 3.0.4-1 4.6.0-1 4.0-1 5.2-1 4.14.1    hæR@hÒ‹ÀhÒ‹ÀhÁh@h£Àh›,Àh‹ZÀhxåÀhk¶Àh]6@hQXÀhQXÀh,nÀh+@hÖ@gâšÀg½°Àg˜ÆÀgvÀgM¡@gDfÀg“Àgp@fóû@fÞã@fª'@fŽwÀf…=@f‚š@fa¤Àf;i@f-ÀeýrÀeñ•@eÓBÀe¸äÀe©ÀexK@eV@e.w@e¼@e0@e RÀdûÀdè—ÀdÂ\@dÁ
Àd­D@dšÏ@dxˆ@dXä@d.´@d¾Àcæ1ÀcÁGÀc‘ÑÀclçÀcN•@c$e@cÀcÁ@bÙ?Àb³@b”±Àb‡‚Àbi0@bL/@bDF@b3"Àb0Àb(–Àb%óÀb[@aò‰@aÝq@a»*@a¯LÀa¨µ@a(@apÀa\>@aVø@a9÷@a8¥Àaö@a»Àaj@`ð#@`í€@`¶!@`’ˆÀ`}pÀ`[)À`4î@`!'À`@_ö÷À_Ø¥@_³»@_©/@_ŽÑ@_uÄÀ_iç@_aþ@_aþ@_Dý@_C«À_6|À_*Ÿ@_'ü@_ @_À^ýÌ@^üzÀ^û)@^Ö?@^ÎV@^±U@^Œk@^ˆvÀ^t°@^g@^B—@^&çÀ^À^rÀ]æN@]ÝÀ]ÓÙ@]Ád@]ºÌÀ]±’@]­À] nÀ]Ÿ@]œz@]Š@]v>À]ÆÀ]
#À]
#À\ÿ—À\ãè@\Þ¢@\Ú­À\Ô@\Ð!À\¸fÀ\›eÀ\”Î@\ÙÀ\u*@\dÀ\Q‘À\@n@\„@\›@\ø@[Ï@[¿;@[¼˜@[´¯@[’h@[3|@[@ZòâÀZ»ƒÀZº2@Z«±ÀZ§½@Z}@Zg#ÀZ_:ÀZ]é@ZF.@Z3¹@Z+Ð@Z
ÚÀYÐØÀYÏ‡@YÎ5ÀYÌä@YŠù@Y‰§ÀY\ÔÀYA%@Y$$@Y]ÀXîÀXâ9@Xâ9@XÏÄ@XËÏÀXÁCÀXº¬@X‹6@XûÀXN‘@XJœÀX@ÀX)§@X÷ÀWþ%ÀWå@Wá$ÀWÅu@W¸F@W±®ÀW¤ÀW¡ÜÀWŸ9ÀW›E@W“\@WŽ@Ws¸@WaC@W_ñÀW^ @W^ @WV·@WE“ÀWBðÀW4p@W)ä@W(’ÀW ©ÀW ©ÀWÀÀWã@W‘ÀVëíÀVÜÀVÚÊ@VÐ>@V¼wÀV¬¥ÀV¤¼ÀV“™@V‚uÀVm]ÀVHsÀV4­@V•@VÀV @UýN@UÞûÀUÄÀUÄÀU“Ö@U‚²ÀUt2@U`kÀUUßÀUUßÀUOH@U0õÀU€ÀU—ÀUQÀU]@UÀTúè@Tç!ÀTÌÃÀT±@TŒ*@Tyµ@T\´@TX¿ÀTWn@TWn@TR(@TO…@TKÀTC§ÀT>aÀmartin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com meissner@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com andreas.stieger@gmx.de martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com william.brown@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com cgrobertson@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com cgrobertson@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com andreas.stieger@gmx.de cgrobertson@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com martin.sirringhaus@suse.com cgrobertson@suse.com cgrobertson@suse.com psimons@suse.com jkowalczyk@suse.com cgrobertson@suse.com cgrobertson@suse.com cgrobertson@suse.com cgrobertson@suse.com alarrosa@suse.com cgrobertson@suse.com cgrobertson@suse.com kbabioch@suse.de cgrobertson@suse.com cgrobertson@suse.com alarrosa@suse.com alarrosa@suse.com alarrosa@suse.com cgrobertson@suse.com pcerny@suse.com pcerny@suse.com pcerny@suse.com wr@rosenauer.org astieger@suse.com wr@rosenauer.org wr@rosenauer.org astieger@suse.com wr@rosenauer.org wr@rosenauer.org wbauer@tmo.at cgrobertson@suse.com astieger@suse.com fcrozat@suse.com security@suse.com wr@rosenauer.org stefan.bruens@rwth-aachen.de zaitor@opensuse.org wr@rosenauer.org dimstar@opensuse.org schwab@suse.de wr@rosenauer.org astieger@suse.com wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org astieger@suse.com wr@rosenauer.org wr@rosenauer.org cgrobertson@novell.com wr@rosenauer.org wr@rosenauer.org astieger@suse.com badshah400@gmail.com astieger@suse.com wr@rosenauer.org astieger@suse.com astieger@suse.com wr@rosenauer.org pcerny@suse.com badshah400@gmail.com wr@rosenauer.org badshah400@gmail.com antoine.belvire@laposte.net mailaender@opensuse.org astieger@suse.com wr@rosenauer.org badshah400@gmail.com agraf@suse.com wr@rosenauer.org wr@rosenauer.org badshah400@gmail.com badshah400@gmail.com dsterba@suse.cz wr@rosenauer.org normand@linux.vnet.ibm.com badshah400@gmail.com wr@rosenauer.org badshah400@gmail.com badshah400@gmail.com astieger@suse.com astieger@suse.com wr@rosenauer.org olaf@aepfle.de astieger@suse.com wr@rosenauer.org dmueller@suse.com wr@rosenauer.org astieger@suse.com wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org schwab@suse.de wr@rosenauer.org wr@rosenauer.org normand@linux.vnet.ibm.com wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org dvaleev@suse.com wr@rosenauer.org dimstar@opensuse.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org wr@rosenauer.org ledest@gmail.com wr@rosenauer.org wr@rosenauer.org guillaume@opensuse.org dmueller@suse.com josua.mayer97@gmail.com wr@rosenauer.org josua.mayer97@gmail.com wr@rosenauer.org vindex17@outlook.it wr@rosenauer.org - Firefox Extended Support Release 140.4.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-83 (bsc#1251263)
  * MFSA-RESERVE-2025-1988931 (bmo#1988931)
    Use-after-free in MediaTrackGraphImpl::GetInstance()
  * MFSA-RESERVE-2025-1989127 (bmo#1989127)
    Out of bounds read/write in a privileged process triggered by
    WebGL textures
  * MFSA-RESERVE-2025-1989899 (bmo#1989899)
    Cross-process information leaked due to malicious IPC
    messages
  * MFSA-RESERVE-2025-1989978 (bmo#1989978)
    Some non-writable Object properties could be modified
  * MFSA-RESERVE-2025-1979536 (bmo#1979536)
    An OBJECT tag type attribute overrode browser behavior on web
    resources without a content-type
  * MFSA-RESERVE-2025-1986142 (bmo#1986142)
    Potential user-assisted code execution in â€œCopy as cURLâ€
    command
  * MFSA-RESERVE-2025-0 (bmo#1973699, bmo#1989945, bmo#1990970,
    bmo#1991040, bmo#1992113)
    Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
    140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  * MFSA-RESERVE-2025-1 (bmo#1983838, bmo#1987624, bmo#1988244,
    bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899)
    Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
    ESR 140.4, Firefox 144 and Thunderbird 144 - Firefox Extended Support Release 140.3.1 ESR (bsc#1250452)
  * Fixed: Improved reliability when HTTP/3 connections fail:
    Firefox no longer forces HTTP/2 during fallback, allowing the
    server to choose the protocol and preventing stalls on some
    sites. (bmo#1980812) - Replace mozilla-bmo998749.patch with upstreams version - Firefox Extended Support Release 140.3.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-75 (bsc#1249391)
  * CVE-2025-10527 (bmo#1984825)
    Sandbox escape due to use-after-free in the Graphics:
    Canvas2D component
  * CVE-2025-10528 (bmo#1986185)
    Sandbox escape due to undefined behavior, invalid pointer in
    the Graphics: Canvas2D component
  * CVE-2025-10529 (bmo#1970490)
    Same-origin policy bypass in the Layout component
  * CVE-2025-10532 (bmo#1979502)
    Incorrect boundary conditions in the JavaScript: GC component
  * CVE-2025-10533 (bmo#1980788)
    Integer overflow in the SVG component
  * CVE-2025-10536 (bmo#1981502)
    Information disclosure in the Networking: Cache component
  * CVE-2025-10537 (bmo#1938220, bmo#1980730, bmo#1981280,
    bmo#1981283, bmo#1984505, bmo#1985067)
    Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
    ESR 140.3, Firefox 143 and Thunderbird 143 - Firefox Extended Support Release 140.2.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-67 (bsc#1248162)
  * CVE-2025-9179 (bmo#1979527)
    Sandbox escape due to invalid pointer in the Audio/Video: GMP
    component
  * CVE-2025-9180 (bmo#1979782)
    Same-origin policy bypass in the Graphics: Canvas2D component
  * CVE-2025-9181 (bmo#1977130)
    Uninitialized memory in the JavaScript Engine component
  * CVE-2025-9182 (bmo#1975837)
    Denial-of-service due to out-of-memory in the Graphics:
    WebRender component
  * CVE-2025-9183 (bmo#1976102)
    Spoofing issue in the Address Bar component
  * CVE-2025-9184 (bmo#1929482, bmo#1976376, bmo#1979163,
    bmo#1979955)
    Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird
    ESR 140.2, Firefox 142 and Thunderbird 142
  * CVE-2025-9185 (bmo#1970154, bmo#1976782, bmo#1977166)
    Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR
    128.14, Thunderbird ESR 128.14, Firefox ESR 140.2,
    Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 - Add build_limit for s390x on SLE16 (bsc#1247774) - Add patch mozilla-kde-force-xdg-portal.patch to switch to using
  xdg-desktop-portal file-picker on KDE on SLE-15 (bsc#1226112) - Firefox Extended Support Release 140.1.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-59 (bsc#1246664)
  * CVE-2025-8027 (bmo#1968423)
    JavaScript engine only wrote partial return value to stack
  * CVE-2025-8028 (bmo#1971581)
    Large branch table could lead to truncated instruction
  * CVE-2025-8029 (bmo#1928021)
    javascript: URLs executed on object and embed tags
  * CVE-2025-8036 (bmo#1960834)
    DNS rebinding circumvents CORS
  * CVE-2025-8037 (bmo#1964767)
    Nameless cookies shadow secure cookies
  * CVE-2025-8030 (bmo#1968414)
    Potential user-assisted code execution in â€œCopy as cURLâ€
    command
  * CVE-2025-8031 (bmo#1971719)
    Incorrect URL stripping in CSP reports
  * CVE-2025-8032 (bmo#1974407)
    XSLT documents could bypass CSP
  * CVE-2025-8038 (bmo#1808979)
    CSP frame-src was not correctly enforced for paths
  * CVE-2025-8039 (bmo#1970997)
    Search terms persisted in URL bar
  * CVE-2025-8033 (bmo#1973990)
    Incorrect JavaScript state machine for generators
  * CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422,
    bmo#1970422)
    Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR
    128.13, Thunderbird ESR 128.13, Firefox ESR 140.1,
    Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  * CVE-2025-8040 (bmo#1975058, bmo#1975058, bmo#1975998,
    bmo#1975998)
    Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird
    ESR 140.1, Firefox 141 and Thunderbird 141
  * CVE-2025-8035 (bmo#1975961, bmo#1975961, bmo#1975961)
    Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird
    ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox
    141 and Thunderbird 141 - Replace usage of %jobs for reproducible builds (boo#1237231) - Firefox Extended Support Release 140.0esr ESR
  * General
  - Reader View now has an enhanced Text and Layout menu with
    new options for character spacing, word spacing, and text
    alignment. These changes offer a more accessible reading
    experience.
  - Reader View now has a Theme menu with additional Contrast
    and Gray options. You can also select custom colors for text,
    background, and links from the Custom tab.
  - Firefox will now offer to temporarily remember when users
    grant permissions to sites (e.g. geolocation). Temporary
    permissions will be removed either after one hour or when the
    tab is closed.
  - Firefox now includes safeguards to prevent sites from
    abusing the history API by generating excessive history
    entries, which can make navigating with the back and forward
    buttons difficult by cluttering the history. This
    intervention ensures that such entries, unless interacted
    with by the user, are skipped when using the back and forward
    buttons.
  - Firefox now identifies all links in PDFs and turns them
    into hyperlinks.
  - You can now copy links from background tabs using the
    tabstrip context menu on macOS and Linux.
  - Users on macOS and Linux are now given the option to close
    only the current tab if the Quit keyboard shortcut is used
    while multiple tabs are open in the window. (bmo#None)
  * Sidebar and Tabs
  - You can now enable the updated Firefox sidebar in Settings
    > General > Browser Layout to quickly access multiple tools
    in one click, without leaving your main view. Sidebar tools
    include an AI chatbot of your choice, bookmarks, history, and
    tabs from devices you sync with your Mozilla account.
  - Keep a lot of tabs open? Try our new vertical tabs layout
    to quickly scan your list of tabs. With vertical tabs, your
    open and pinned tabs appear in the sidebar instead of along
    the top of the browser. To turn on vertical tabs, right-click
    on the toolbar near the top of the browser and select Turn on
    Vertical Tabs. If youâ€™ve enabled the updated sidebar, you can
    also go to Customize sidebar and check Vertical tabs. Early
    testers report feeling more organized after using vertical
    tabs for a few days.
  - Stay productive and organized with less effort by grouping
    related tabs together. One simple way to create a group is to
    drag a tab onto another, pause until you see a highlight,
    then drop to create the group. Tab groups can be named,
    color-coded, and are always saved. You can close a group and
    reopen it later.
  - A tab preview is now displayed when hovering the mouse over
    background tabs, making it easier to locate the desired tab
    without needing to switch tabs.
  - The sidebar to view tabs from other devices can now be
    opened via the Tab overview menu.
  * Security & Privacy
  - HTTPS is replacing HTTP as the default protocol in the
    address bar on non-local sites. If a site is not available
    via HTTPS, Firefox will fall back to HTTP.
  - Firefox now blocks third-party cookie access when Enhanced
    Tracking Protection's Strict mode is enabled.
  - Firefox now has a new anti-tracking feature, Bounce
    Tracking Protection, which is now available in Enhanced
    Tracking Protection's "Strict" mode. This feature detects
    bounce trackers based on their redirect behavior and
    periodically purges their cookies and site data to block
    tracking.
  - Firefox now enforces certificate transparency, requiring
    web servers to provide sufficient proof that their
    certificates were publicly disclosed before they will be
    trusted. This only affects servers using certificates issued
    by a certificate authority in Mozilla's Root CA Program.
  - Smartblock Embeds allows users to selectively unblock
    certain social media embeds that are blocked in ETP Strict
    and Private Browsing modes. Currently, support is limited to
    a few embed types, with more to be added in future updates.
  - Firefox now upgrades page loads to HTTPS by default and
    gracefully falls back to HTTP if the secure connection fails.
    This behavior is known as HTTPS-First.
  - The "Copy Without Site Tracking" menu item was renamed to
    "Copy Clean Link" to help clarify expectations around what
    the feature does. "Copy Clean Link" is a list based approach
    to remove - known tracking parameters from links. This option
    can also now be used on plain text links.
  - The Clear browsing data and cookies dialog now allows
    clearing saved form info separately from browsing history.
  * Translations
  - Firefox now allows translating selected text portions to
    different languages after a full-page translation.
  - Full-Page Translations are now available within Firefox
    extension pages that start with the moz-extension:// URL
    scheme.
  - When suggesting a default translation language, Firefox
    will now take into consideration languages you have
    previously used for translations.
  - Added support for many new languages in Firefox
    translation.
  * Windows
  - Canvas2D switched from Direct2D to a platform independent
    acceleration backend on Windows.
  - Hardware-accelerated playback of HEVC video content is now
    supported on Windows.
  - Firefox on Windows 11 now uses acrylic-style menus for
    popup windows, which better match the operating systemâ€™s
    aesthetic.
  * macOS
  - Added support for multiple languages in the same document
    spoken in macOS VoiceOver.
  - The macOS session resume feature has been enhanced. Firefox
    will now automatically relaunch if it was open before a
    system restart, like after an OS update.
  - The macOS DMG installer packages now use LZMA for
    compression, reducing download size and installation time.
  - Due to recent changes in macOS Sequoia, the shortcut for
    completing search strings to .com addresses has been changed
    from Ctrl+Enter to Cmd+Enter.
  * Linux
  - Firefox now supports touchpad hold gestures on Linux. This
    means that kinetic (momentum) scrolling can now be
    interrupted by placing two fingers on the touchpad.
  * Developer: - Firefox now supports text fragments, which
    allows users to link directly to a specific portion of text
    in a web document via a special URL fragment.
  - Debugger log-point values are now automatically converted
    into profiler markers, making it easy to add information to
    the marker timeline directly from the Debugger.
  - The Debugger's directory root is now scoped to the specific
    domain where it was set, which aligns with typical usage and
    avoids applying it across unrelated domains. This builds on
    previous improvements such as a redesigned UI and easier
    removal of the root setting. Setting a directory root updates
    the Source List to show only the selected directory and its
    children. (Learn more)
  - The Network Blocking feature in the Network panel now
    blocks HTTP requests in addition to blocking responses.
  - The Network panel displays information about Early Hints,
    including a dedicated indicator for the 103 HTTP status code
    in the user interface.
  - The Network panel now allows overriding network request
    responses with local files.
  - The filter setting in the Network panel is now preserved
    across DevTools Toolbox sessions.
  - A new column has been added to the Network panel to display
    the full path of the request URL. This enhancement makes
    helps developers quickly view and analyze complete request
    paths.
  - Introduced a new console command `$$$` that allows
    searching the page, including within shadow roots.
  - Improved support for debugging web extensions, such as
    automatically reloading the web extension's source code in
    the Debugger when the extension is reloaded. Workers are now
    available in the Console panelâ€™s context selector and
    breakpoints function correctly in content scripts.
  - In the Inspector Fonts panel, we now display fonts
    metadata, like the font version, designer, vendor, license,
    etc.
  - Added support for the import map integrity field, allowing
    you to ensure the integrity of dynamically or statically
    imported modules.
  - Implemented support for `Error.isError`, enabling brand
    checks to determine whether an object is an instance of
    Error. (Learn more)
  - Added support for the `error.captureStackTrace` extension
    to improve compatibility with other browsers. (Learn more:
    http://github.com/tc39/proposal-error-capturestacktrace)
  * Enterprise: - The UserMessaging policy has been updated with
    a new option to allow disabling Firefox Labs in preferences.
  - The Preferences policy has been updated to allow setting
    the preference security.pki.certificate_transparency.mode.
  - HTTPS-First is now on by default. You can manage this
    behavior using the HttpsOnlyMode and HttpAllowlist policies.
  - An internal change has been made to Firefox that removes
    `XPCOMUtils.defineLazyGetter`. For most people, this
    shouldn't matter, but if you encounter problems with
    AutoConfig or third party software like PolicyPak, this might
    be the cause. You'll need to reach out to your provider.
  - Firefox now supports the Content Analysis SDK for
    integrating DLP software. For more information, see this
    post.
  - The SearchEngines policy is now available on all versions
    of Firefox (not just the ESR).
  * Fixed: Various security fixes.
  MFSA 2025-51 (bsc#1244670)
  * CVE-2025-6424 (bmo#1966423)
    Use-after-free in FontFaceSet
  * CVE-2025-6425 (bmo#1717672)
    The WebCompat WebExtension shipped with Firefox exposed a
    persistent UUID
  * CVE-2025-6426 (bmo#1964385)
    No warning when opening executable terminal files on macOS
  * CVE-2025-6427 (bmo#1966927)
    connect-src Content Security Policy restriction could be
    bypassed
  * CVE-2025-6428 (bmo#1970151)
    Firefox for Android opened URLs specified in a link
    querystring parameter
  * CVE-2025-6429 (bmo#1970658)
    Incorrect parsing of URLs could have allowed embedding of
    youtube.com
  * CVE-2025-6430 (bmo#1971140)
    Content-Disposition header ignored when a file is included in
    an embed or object tag
  * CVE-2025-6431 (bmo#1942716)
    The prompt in Firefox for Android that asks before opening a
    link in an external application could be bypassed
  * CVE-2025-6432 (bmo#1943804)
    DNS Requests leaked outside of a configured SOCKS proxy
  * CVE-2025-6433 (bmo#1954033)
    WebAuthn would allow a user to sign a challenge on a webpage
    with an invalid TLS certificate
  * CVE-2025-6434 (bmo#1955182)
    HTTPS-Only exception screen lacked anti-clickjacking delay
  * CVE-2025-6435 (bmo#1950056, bmo#1961777)
    Save as in Devtools could download files without sanitizing
    the extension
  * CVE-2025-6436 (bmo#1941377, bmo#1960948, bmo#1966187,
    bmo#1966505, bmo#1970764)
    Memory safety bugs fixed in Firefox 140 and Thunderbird 140 - removed patches firefox-kde.patch, mozilla-kde.patch,
  fix-sle12-build-errors.patch, mozilla-rust-disable-future-incompat.patch
- added patches mozilla-bmo1746799.patch - Firefox Extended Support Release 128.12.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-53 (bsc#1244670)
  * CVE-2025-6424 (bmo#1966423)
    Use-after-free in FontFaceSet
  * CVE-2025-6425 (bmo#1717672)
    The WebCompat WebExtension shipped with Firefox exposed a
    persistent UUID
  * CVE-2025-6426 (bmo#1964385)
    No warning when opening executable terminal files on macOS
  * CVE-2025-6429 (bmo#1970658)
    Incorrect parsing of URLs could have allowed embedding of
    youtube.com
  * CVE-2025-6430 (bmo#1971140)
    Content-Disposition header ignored when a file is included in
    an embed or object tag - Firefox Extended Support Release 128.11.0 ESR
  MFSA 2025-44 (bsc#1243353)
  * CVE-2025-5283 (bmo#1962421)
    Double-free in libvpx encoder
  * CVE-2025-5263 (bmo#1960745)
    Error handling for script execution was incorrectly isolated
    from web content
  * CVE-2025-5264 (bmo#1950001)
    Potential local code execution in â€œCopy as cURLâ€ command
  * CVE-2025-5265 (bmo#1962301)
    Potential local code execution in â€œCopy as cURLâ€ command
  * CVE-2025-5266 (bmo#1965628)
    Script element events leaked cross-origin resource status
  * CVE-2025-5267 (bmo#1954137)
    Clickjacking vulnerability could have led to leaking saved
    payment card details
  * CVE-2025-5268 (bmo#1950136, bmo#1958121, bmo#1960499,
    bmo#1962634)
    Memory safety bugs fixed in Firefox 139, Thunderbird 139,
    Firefox ESR 128.11, and Thunderbird 128.11
  * CVE-2025-5269 (bmo#1924108)
    Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird
    128.11 - Firefox Extended Support Release 128.10.1 ESR
  * Fixed: Security Fixes.
  MFSA 2025-37 (bsc#1243303)
  * CVE-2025-4918 (bmo#1966612)
    Out-of-bounds access when resolving Promise objects
  * CVE-2025-4919 (bmo#1966614)
    Out-of-bounds access when optimizing linear sums - Firefox Extended Support Release 128.10.0 ESR
  MFSA 2025-29 (bsc#1241621)
  * CVE-2025-2817 (bmo#1917536)
    Potential privilege escalation in Firefox Updater
  * MFSA-RESERVE-2025-1937097 (bmo#1937097)
    WebGL shader attribute memory corruption in Firefox for macOS
  * MFSA-RESERVE-2025-1958350 (bmo#1958350)
    Process isolation bypass using `javascript:` URI links in
    cross-origin frames
  * MFSA-RESERVE-2025-1949994 (bmo#1949994, bmo#1956698,
    bmo#1960198)
    Potential local code execution in "copy as cURL" command
  * MFSA-RESERVE-2025-1952465 (bmo#1952465)
    Unsafe attribute access during XPath parsing
  * MFSA-RESERVE-2025-3 (bmo#1951161, bmo#1952105)
    Memory safety bugs fixed in Firefox 138, Thunderbird 138,
    Firefox ESR 128.10, and Thunderbird 128.10
  * MFSA-RESERVE-2025-7 (bmo#1894100)
    Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird
    128.10 - Firefox Extended Support Release 128.9.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-22 (bsc#1240083)
  * CVE-2025-3028 (bmo#1941002)
    Use-after-free triggered by XSLTProcessor
  * CVE-2025-3029 (bmo#1952213)
    URL Bar Spoofing via non-BMP Unicode characters
  * CVE-2025-3030 (bmo#1850615, bmo#1932468, bmo#1942551,
    bmo#1951017, bmo#1951494)
    Memory safety bugs fixed in Firefox 137, Thunderbird 137,
    Firefox ESR 128.9, and Thunderbird 128.9
- Firefox Extended Support Release 128.8.1 ESR
  * Fixed: Security fix.
  MFSA 2025-19 (bsc#1240140)
  * CVE-2025-2857 (bmo#1956398, https://www.cve.org/CVERecord?id=CVE-2025-2783)
    Incorrect handle could lead to sandbox escapes
  NOTE: This only affects Firefox on Windows. Other operating systems are unaffected. - Firefox Extended Support Release 128.8.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-16 (bsc#1237683)
  * CVE-2024-43097 (bmo#1945624)
    Overflow when growing an SkRegion's RunArray
  * CVE-2025-1930 (bmo#1902309)
    AudioIPC StreamData could trigger a use-after-free in the
    Browser process
  * CVE-2025-1931 (bmo#1944126)
    Use-after-free in WebTransportChild
  * CVE-2025-1932 (bmo#1944313)
    Inconsistent comparator in XSLT sorting led to out-of-bounds
    access
  * CVE-2025-1933 (bmo#1946004)
    JIT corruption of WASM i32 return values on 64-bit CPUs
  * CVE-2025-1934 (bmo#1942881)
    Unexpected GC during RegExp bailout processing
  * CVE-2025-1935 (bmo#1866661)
    Clickjacking the registerProtocolHandler info-bar
  * CVE-2025-1936 (bmo#1940027)
    Adding %00 and a fake extension to a jar: URL  changed the
    interpretation of the contents
  * CVE-2025-1937 (bmo#1938471, bmo#1940716)
    Memory safety bugs fixed in Firefox 136, Thunderbird 136,
    Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
  * CVE-2025-1938 (bmo#1922889, bmo#1935004, bmo#1943586,
    bmo#1943912, bmo#1948111)
    Memory safety bugs fixed in Firefox 136, Thunderbird 136,
    Firefox ESR 128.8, and Thunderbird 128.8 - Firefox Extended Support Release 128.7.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-09 (bsc#1236539)
  * CVE-2025-1009 (bmo#1936613)
    Use-after-free in XSLT
  * CVE-2025-1010 (bmo#1936982)
    Use-after-free in Custom Highlight
  * CVE-2025-1011 (bmo#1936454)
    A bug in WebAssembly code generation could result in a crash
  * CVE-2025-1012 (bmo#1939710)
    Use-after-free during concurrent delazification
  * CVE-2024-11704 (bmo#1899402)
    Potential double-free vulnerability in PKCS#7 decryption
    handling
  * CVE-2025-1013 (bmo#1932555)
    Potential opening of private browsing tabs in normal browsing
    windows
  * CVE-2025-1014 (bmo#1940804)
    Certificate length was not properly checked
  * CVE-2025-1016 (bmo#1936601, bmo#1936844, bmo#1937694,
    bmo#1938469, bmo#1939583, bmo#1940994)
    Memory safety bugs fixed in Firefox 135, Thunderbird 135,
    Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20,
    and Thunderbird 128.7
  * CVE-2025-1017 (bmo#1926256, bmo#1935471, bmo#1935984)
    Memory safety bugs fixed in Firefox 135, Thunderbird 135,
    Firefox ESR 128.7, and Thunderbird 128.7 - Firefox Extended Support Release 128.6.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-02 (bsc#1234991)
  * CVE-2025-0237 (bmo#1915257)
    WebChannel APIs susceptible to confused deputy attack
  * CVE-2025-0238 (bmo#1915535)
    Use-after-free when breaking lines in text
  * CVE-2025-0239 (bmo#1929156)
    Alt-Svc ALPN validation failure when redirected
  * CVE-2025-0240 (bmo#1929623)
    Compartment mismatch when parsing JavaScript JSON module
  * CVE-2025-0241 (bmo#1933023)
    Memory corruption when using JavaScript Text Segmentation
  * CVE-2025-0242 (bmo#1874523, bmo#1926454, bmo#1931873,
    bmo#1932169)
    Memory safety bugs fixed in Firefox 134, Thunderbird 134,
    Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19,
    and Thunderbird 128.6
  * CVE-2025-0243 (bmo#1827142, bmo#1932783)
    Memory safety bugs fixed in Firefox 134, Thunderbird 134,
    Firefox ESR 128.6, and Thunderbird 128.6
- Firefox Extended Support Release 128.5.2 ESR
  * Fixed: Fixed a crash experienced by Windows users with Qihoo
    360 Total Security Antivirus software installed (bmo#1934258) - Firefox Extended Support Release 128.5.1 ESR (bsc#1234326)
  * Fixed: Fixed an issue that prevented some websites from
    loading when using SSL Inspection. (bmo#1933747) - Firefox Extended Support Release 128.5.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-64 (bsc#1233695)
  * CVE-2024-11691 (bmo#1914707, bmo#1924184)
    Out-of-bounds write in Apple GPU drivers via WebGL
  * CVE-2024-11692 (bmo#1909535)
    Select list elements could be shown over another site
  * CVE-2024-11693 (bmo#1921458)
    Download Protections were bypassed by .library-ms files on
    Windows
  * CVE-2024-11694 (bmo#1924167)
    CSP Bypass and XSS Exposure via Web Compatibility Shims
  * CVE-2024-11695 (bmo#1925496)
    URL Bar Spoofing via Manipulated Punycode and Whitespace
    Characters
  * CVE-2024-11696 (bmo#1929600)
    Unhandled Exception in Add-on Signature Verification
  * CVE-2024-11697 (bmo#1842187)
    Improper Keypress Handling in Executable File Confirmation
    Dialog
  * CVE-2024-11698 (bmo#1916152)
    Fullscreen Lock-Up When Modal Dialog Interrupts Transition on
    macOS
  * CVE-2024-11699 (bmo#1880582, bmo#1929911)
    Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5,
    and Thunderbird 128.5 - Firefox Extended Support Release 128.4.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-56 (bsc#1231879)
  * CVE-2024-10458 (bmo#1921733)
    Permission leak via embed or object elements
  * CVE-2024-10459 (bmo#1919087)
    Use-after-free in layout with accessibility
  * CVE-2024-10460 (bmo#1912537)
    Confusing display of origin for external protocol handler
    prompt
  * CVE-2024-10461 (bmo#1914521)
    XSS due to Content-Disposition being ignored in
    multipart/x-mixed-replace response
  * CVE-2024-10462 (bmo#1920423)
    Origin of permission prompt could be spoofed by long URL
  * CVE-2024-10463 (bmo#1920800)
    Cross origin video frame leak
  * CVE-2024-10464 (bmo#1913000)
    History interface could have been used to cause a Denial of
    Service condition in the browser
  * CVE-2024-10465 (bmo#1918853)
    Clipboard "paste" button persisted across tabs
  * CVE-2024-10466 (bmo#1924154)
    DOM push subscription message could hang Firefox
  * CVE-2024-10467 (bmo#1829029, bmo#1888538, bmo#1900394,
    bmo#1904059, bmo#1917742, bmo#1919809, bmo#1923706)
    Memory safety bugs fixed in Firefox 132, Thunderbird 132,
    Firefox ESR 128.4, and Thunderbird 128.4
- Rebase mozilla-rust-disable-future-incompat.patch - Firefox Extended Support Release 128.3.1 ESR
  MFSA 2024-51 (bsc#1231413)
  * CVE-2024-9680 (bmo#1923344)
    Use-after-free in Animation timeline - Firefox Extended Support Release 128.3.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-47 (bsc#1230979)
  * CVE-2024-9392 (bmo#1899154, bmo#1905843)
    Compromised content process can bypass site isolation
  * CVE-2024-9393 (bmo#1918301)
    Cross-origin access to PDF contents through multipart
    responses
  * CVE-2024-9394 (bmo#1918874)
    Cross-origin access to JSON contents through multipart
    responses
  * CVE-2024-8900 (bmo#1872841)
    Clipboard write permission bypass
  * CVE-2024-9396 (bmo#1912471)
    Potential memory corruption may occur when cloning certain
    objects
  * CVE-2024-9397 (bmo#1916659)
    Potential directory upload bypass via clickjacking
  * CVE-2024-9398 (bmo#1881037)
    External protocol handlers could be enumerated via popups
  * CVE-2024-9399 (bmo#1907726)
    Specially crafted WebTransport requests could lead to denial
    of service
  * CVE-2024-9400 (bmo#1915249)
    Potential memory corruption during JIT compilation
  * CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317,
    bmo#1916476)
    Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
    Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
  * CVE-2024-9402 (bmo#1872744, bmo#1897792, bmo#1911317,
    bmo#1913445, bmo#1914106, bmo#1914475, bmo#1914963,
    bmo#1915008, bmo#1916476)
    Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
    Thunderbird 131, and Thunderbird 128.3 - Firefox Extended Support Release 128.2.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-40 (bsc#1229821)
  * CVE-2024-8385 (bmo#1911909)
    WASM type confusion involving ArrayTypes
  * CVE-2024-8381 (bmo#1912715)
    Type confusion when looking up a property name in a "with"
    block
  * CVE-2024-8382 (bmo#1906744)
    Internal event interfaces were exposed to web content when
    browser EventHandler listener callbacks ran
  * CVE-2024-8383 (bmo#1908496)
    Firefox did not ask before openings news: links in an
    external application
  * CVE-2024-8384 (bmo#1911288)
    Garbage collection could mis-color cross-compartment objects
    in OOM conditions
  * CVE-2024-8386 (bmo#1907032, bmo#1909163, bmo#1909529)
    SelectElements could be shown over another site if popups are
    allowed
  * CVE-2024-8387 (bmo#1857607, bmo#1911858, bmo#1914009)
    Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2,
    and Thunderbird 128.2
- Removed upstreamed patches mozilla-bmo1907511.patch mozilla-bmo1898476.patch - Firefox Extended Support Release 128.1.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-35 (bsc#1228648)
  * CVE-2024-7518 (bmo#1875354)
    Fullscreen notification dialog can be obscured by document
    content
  * CVE-2024-7519 (bmo#1902307)
    Out of bounds memory access in graphics shared memory
    handling
  * CVE-2024-7520 (bmo#1903041)
    Type confusion in WebAssembly
  * CVE-2024-7521 (bmo#1904644)
    Incomplete WebAssembly exception handing
  * CVE-2024-7522 (bmo#1906727)
    Out of bounds read in editor component
  * CVE-2024-7524 (bmo#1909241)
    CSP strict-dynamic bypass using web-compatibility shims
  * CVE-2024-7525 (bmo#1909298)
    Missing permission check when creating a StreamFilter
  * CVE-2024-7526 (bmo#1910306)
    Uninitialized memory used by WebGL
  * CVE-2024-7527 (bmo#1871303)
    Use-after-free in JavaScript garbage collection
  * CVE-2024-7528 (bmo#1895951)
    Use-after-free in IndexedDB
  * CVE-2024-7529 (bmo#1903187)
    Document content could partially obscure security prompts
  * CVE-2024-7531 (bmo#1905691)
    PK11_Encrypt using CKM_CHACHA20 can reveal plaintext on Intel
    Sandy Bridge machines - Firefox Extended Support Release 128.0esr ESR
  * ### General
  * Windows 7-8.1 and macOS 10.12-10.14 are no longer supported
    operating systems.
  * Firefox now supports automated translation of web content.
    Also, unlike cloud-based alternatives, translation is done
    locally so that the text being translated never leaves the
    machine.
  * The line breaking rules of web content now match the
    Unicode standard, improving cross-browser compatibility.
    Additionally, for East Asian and South East Asian end users,
    Firefox now supports proper language-aware word selection
    when double-clicking on text for languages including Chinese,
    Japanese, Burmese, Lao, Khmer, and Thai.
  * Video effects and background blur are now available to
    Firefox users on Google Meet.
    Firefox now displays images and descriptions for search
    suggestions when provided by the search engine.
  * It is now possible to copy and paste any file from the
    operating system into Firefox.
  * Having any issues with a website on Firefox, yet the site
    seems to be working as expected on another browser? You can
    now let us know via the Web Compatibility Reporting Tool! By
    filing a web compatibility issue, youâ€™re directly helping us
    detect, target, and fix the most impacted sites to make your
    browsing experience on Firefox smoother.
  * Firefox now prompts users in the US and Canada to save
    their addresses upon submitting an address form, allowing
    Firefox to autofill stored address information in the future.
  * Support for credit card autofill has been extended to users
    running Firefox in the IT, ES, AT, BE, and PL locales.
  * Recently closed tabs now persist between sessions that
    don't have automatic session restore enabled. Manually
    restoring a previous session will continue to reopen any
    previously open tabs or windows.
  * When migrating data from Chrome, Firefox now offers the
    ability to import certain extensions as well.
  * The Screenshots feature in Firefox has been updated. It now
    supports taking screenshots of file types like SVG, XML, and
    more as well as various about: pages within Firefox. The
    screenshot tool was also made more accessible to everyone by
    implementing new keyboard shortcuts and adding theme
    compatibility and High Contrast Mode (HCM) support. And
    finally, performance for capturing large screenshots has been
    improved.
  * ### PDF Viewer
  * The Firefox PDF viewer has expanded PDF editing
    capabilities:
  * Text highlighting is now supported.
  * Editing already-existing text annotations is now
    supported.
  * Images and alt text can be added in addition to text
    and drawings.
  * A floating button is now included to simplify deleting
    drawings, text, and images added in PDFs.
  * Caret browsing mode now also works in the PDF viewer.
    (Learn more)
  * ### Firefox View
  * Firefox View includes more content. You can now see all
    open tabs from all windows. If you sync open tabs, youâ€™ll see
    all tabs from other devices. Browsing history is now listed
    and you can sort by date or by site. As before, recently
    closed tabs are also listed on Firefox View.
    To access Firefox View, select the file folder icon at the
    top left of your tab strip.
  * Weâ€™ve integrated search into Firefox View. You can now
    search through all of the tabs on each of the section
    subpages - Recent Browsing, Open Tabs, Recently Closed Tabs,
    Tabs from other devices, or History.
  * In Firefox View, open tabs can now be sorted by either
    recent activity or tab order. Recent activity is the default
    setting.
  * Firefox View now displays pinned tabs in the Open tabs
    section. Tab indicators have also been added to Open tabs, so
    users can do things like see which tabs are playing media and
    quickly mute or unmute across windows. Indicators were also
    added for bookmarks, tabs with notifications, and more!
  * It is now possible to close all duplicate tabs in a window
    with the `Close duplicate tabs` command available from the
    `List all tabs` widget in the tab bar or a tab context menu.
  * ### Security & Privacy
  * For added protection on macOS and Windows, a device sign in
    (e.g. operating system password, fingerprint, face or voice
    login if enabled) can be required when accessing and filling
    stored passwords in the Firefox Password Manager about:logins
    page.
  * Firefox now supports creating and using passkeys stored in
    the iCloud Keychain on macOS.
  * Firefox now imports user-added TLS trust anchors (e.g.,
    certificates) from the operating system root store. This will
    be enabled by default on Windows, macOS, and Android, and if
    needed, can be turned off in settings (Settings â†’ Privacy &
    Security â†’ Certificates).
  * The Storage Access API web standard was updated to improve
    security while mitigating website breakages and further
    enabling the phase out of third-party cookies in Firefox.
  * Encrypted Client Hello (ECH) is now available to Firefox
    users, delivering a more private browsing experience. ECH
    extends the encryption used in TLS connections to cover more
    of the handshake and better protect sensitive fields. Read
    more about the launch of ECH on Mozilla Distilled.
  * Firefox supports a new â€œCopy Link Without Site Trackingâ€
    feature in the context menu which ensures that copied links
    no longer contain tracking information.
  * Firefox now supports a setting (in Preferences â†’ Privacy &
    Security) to enable Global Privacy Control. With this opt-in
    feature, Firefox informs the websites that the user doesnâ€™t
    want their data to be shared or sold. This feature is enabled
    in private browsing mode by default.
  * Firefox now more proactively blocks downloads from URLs
    that are considered to be potentially untrustworthy.
  * ### Anti-Fingerprinting
  * Web Audio in Firefox now uses the FDLIBM math library on
    all systems to improve anonymity with Fingerprint Protection.
  * As part of Total Cookie Protection, Firefox now supports
    the partitioning of Blob URLs, this mitigates a potential
    tracking vector that third-party agents could use to track an
    individual.
  * To mitigate font fingerprinting, the visibility of fonts to
    websites has been restricted to system fonts and language
    pack fonts when in Private Browsing Mode or with Enhanced
    Tracking Protection set to strict mode.
  * Firefoxâ€™s private windows and ETP-Strict privacy
    configuration now enhance the Canvas APIs with Fingerprinting
    Protection.
  * To reduce user fingerprinting information and the risk of
    some website compatibility issues, the CPU architecture for
    32-bit x86 Linux will now be reported as x86_64 in Firefox's
    User-Agent string and `navigator.platform` and
    `navigator.oscpu` Web APIs.
  * ### Windows
  * Firefox can now be set to automatically launch whenever the
    computer starts up. (Learn more)
  * The background updater now updates properly when there are
    multiple user accounts on a system.
  * Firefox now populates the Windows taskbar jump list more
    efficiently, which should allow for a smoother overall
    browsing experience.
  * ### macOS
  * Firefox now supports Voice Control commands on macOS
    systems.
  * Links and other focusable elements are now tab-navigable by
    default on macOS, instead of following macOS' "Keyboard
    navigation" setting. This is a more accessible default and
    matches the default in all other platforms. A checkbox in the
    settings page still allows users to restore the old behavior.
  * Firefox on Mac now uses the macOS fullscreen API for all
    types of fullscreen windows. This should better match the
    expected macOS user experience for fullscreen spaces, menubar
    and the Dock.
  * ### Linux
  * Firefox now defaults to the Wayland compositor when
    available instead of XWayland. This brings support for
    touchpad & touchscreen gestures, swipe-to-nav, per-monitor
    DPI settings, better graphics performance, and more.
  * Firefox now ships with a new .deb package for Linux users
    on Ubuntu, Debian, and Linux Mint.
  * ### Video Playback
  * Enabled AV1 hardware decode acceleration on macOS for M3
    Macs.
  * Firefox now supports the AV1 codec for Encrypted Media
    Extensions (EME), enabling higher-quality playback from video
    streaming providers.
  * NVIDIA RTX Video Super Resolution (â€œVSRâ€) is now available
    in Firefox. RTX VSR enhances and sharpens lower resolution
    video when upscaled to higher resolutions and also removes
    blocky artifacts commonly visible on low bitrate streamed
    video. VSR requires at least a 20-series or higher NVIDIA RTX
    GPU, Microsoft Windows 10/11 64-bit, and NVIDIA driver
    version R530 or higher. The feature can be enabled in the
    NVIDIA control panel.
  * NVIDIA RTX Video HDR is now available in Firefox. RTX Video
    HDR automatically converts SDR video to vibrant HDR10 in real
    time, letting you enjoy video with improved clarity on your
    HDR10 panel. It requires at least a 20-series NVIDIA RTX GPU,
    Microsoft Windows 10/11 64-bit, and NVIDIA driver version 550
    or higher. The feature can be enabled in the NVIDIA control
    panel.
  * Developer: * Firefox now supports DNS prefetching for HTTPS
    documents via the `rel="dns-prefetch"` link hint. This
    standard allows web developers to specify domain names for
    important assets that should be resolved preemptively.
  * Firefox will now automatically try to upgrade <img>,
    <audio>, and <video> elements from HTTP to HTTPS
    if they are embedded within an HTTPS page. If these so-called
    mixed content elements do not support HTTPS, they will no
    longer load.
  * Firefox now supports Content-encoding: zstd (zstandard
    compression). This is an alternative to brotli and gzip
    compression for web content, and can provide higher
    compression levels for the same CPU used, or conversely lower
    server CPU use to get the same compression.
    [2]: http://facebook.github.io/zstd/
  * Enterprise: * The FirefoxHome policy has been updated to
    reflect that the Snippets option is now deprecated.
  * The DNSOverHTTPS policy has been updated to support setting
    a `Fallback` value to prevent falling back to your default
    DNS Provider.
  * The AllowFileSelectionDialogs policy has been added for
    controlling file selection dialogs.
  * The TranslateEnabled policy has been added.
  * The DisableEncryptedClientHello policy has been added to
    control Encrypted Client Hello.
  * The PostQuantumKeyAgreementEnabled policy has been added to
    control post-quantum key agreement for TLS.
  * The HttpsOnlyMode policy has been added to control HTTPS-
    Only Mode.
  * The HttpAllowlist policy has been added to add exceptions
    to HTTPS-Only Mode.
  * The Preferences policy has been updated to allow setting
    the preferences
    `security.mixed_content.block_display_content` and
    `security.mixed_content.upgrade_display_content`.
  * The UserMessaging policy has been updated to remove the
    WhatsNew option.
  * The ExtensionSettings policy has been updated to add
    `temporarily_allow_weak_signatures` to allow installing
    extensions signed using deprecated signature algorithms.
  * Fixed: Various security fixes.
  MFSA 2024-29 (bsc#1226316)
  * CVE-2024-6605 (bmo#1836786)
    Firefox Android missed activation delay to prevent tapjacking
  * CVE-2024-6606 (bmo#1902305)
    Out-of-bounds read in clipboard component
  * CVE-2024-6607 (bmo#1694513)
    Leaving pointerlock by pressing the escape key could be
    prevented
  * CVE-2024-6608 (bmo#1743329)
    Cursor could be moved out of the viewport using pointerlock.
  * CVE-2024-6609 (bmo#1839258)
    Memory corruption in NSS
  * CVE-2024-6610 (bmo#1883396)
    Form validation popups could block exiting full-screen mode
  * CVE-2024-6600 (bmo#1888340)
    Memory corruption in WebGL API
  * CVE-2024-6601 (bmo#1890748)
    Race condition in permission assignment
  * CVE-2024-6602 (bmo#1895032)
    Memory corruption in NSS
  * CVE-2024-6603 (bmo#1895081)
    Memory corruption in thread creation
  * CVE-2024-6611 (bmo#1844827)
    Incorrect handling of SameSite cookies
  * CVE-2024-6612 (bmo#1880374)
    CSP violation leakage when using devtools
  * CVE-2024-6613 (bmo#1900523)
    Incorrect listing of stack frames
  * CVE-2024-6614 (bmo#1902983)
    Incorrect listing of stack frames
  * CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
    Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
    and Thunderbird 115.13
  * CVE-2024-6615 (bmo#1892875, bmo#1894428, bmo#1898364)
    Memory safety bugs fixed in Firefox 128
- remove unneeded patches mozilla-fix-aarch64-libopus.patch
  mozilla-bmo1504834-part3.patch mozilla-bmo1512162.patch
  mozilla-fix-top-level-asm.patch mozilla-bmo531915.patch
  mozilla-partial-revert-1768632.patch
- added patches mozilla-rust-disable-future-incompat.patch
  fix-sle12-build-errors.patch
- added patches mozilla-bmo1898476.patch and mozilla-bmo1907511.patch
  to fix Wayland-crashes - Firefox Extended Support Release 115.13.0 ESR
  * Changed: The root certificate used to verify add-ons and
    signed content has been renewed to avoid upcoming expiration.
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-30 (bsc#1226316)
  * CVE-2024-6600 (bmo#1888340)
    Memory corruption in WebGL API
  * CVE-2024-6601 (bmo#1890748)
    Race condition in permission assignment
  * CVE-2024-6602 (bmo#1895032)
    Memory corruption in NSS
  * CVE-2024-6603 (bmo#1895081)
    Memory corruption in thread creation
  * CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
    Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
    and Thunderbird 115.13 - Fix GNOME search provider (boo#1225278) - Firefox Extended Support Release 115.12.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-26 (bsc#1226027)
  * CVE-2024-5702 (bmo#1193389)
    Use-after-free in networking
  * CVE-2024-5688 (bmo#1895086)
    Use-after-free in JavaScript object transplant
  * CVE-2024-5690 (bmo#1883693)
    External protocol handlers leaked by timing attack
  * CVE-2024-5691 (bmo#1888695)
    Sandboxed iframes were able to bypass sandbox restrictions to
    open a new window
  * CVE-2024-5692 (bmo#1891234)
    Bypass of file name restrictions during saving
  * CVE-2024-5693 (bmo#1891319)
    Cross-Origin Image leak via Offscreen Canvas
  * CVE-2024-5696 (bmo#1896555)
    Memory Corruption in Text Fragments
  * CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388,
    bmo#1895123)
    Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12,
    and Thunderbird 115.12 - Firefox Extended Support Release 115.11.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-22 (bsc#1224056)
  * CVE-2024-4367 (bmo#1893645)
    Arbitrary JavaScript execution in PDF.js
  * CVE-2024-4767 (bmo#1878577)
    IndexedDB files retained in private browsing mode
  * CVE-2024-4768 (bmo#1886082)
    Potential permissions request bypass via clickjacking
  * CVE-2024-4769 (bmo#1886108)
    Cross-origin responses could be distinguished between script
    and non-script content-types
  * CVE-2024-4770 (bmo#1893270)
    Use-after-free could occur when printing to PDF
  * CVE-2024-4777 (bmo#1878199, bmo#1893340)
    Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
    and Thunderbird 115.11 - Firefox Extended Support Release 115.10.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-19 (bsc#1222535)
  * CVE-2024-3852 (bmo#1883542)
    GetBoundName in the JIT returned the wrong object
  * CVE-2024-3854 (bmo#1884552)
    Out-of-bounds-read after mis-optimized switch statement
  * CVE-2024-3857 (bmo#1886683)
    Incorrect JITting of arguments led to use-after-free during
    garbage collection
  * CVE-2024-2609 (bmo#1866100)
    Permission prompt input delay could expire when not in focus
  * CVE-2024-3859 (bmo#1874489)
    Integer-overflow led to out-of-bounds-read in the OpenType
    sanitizer
  * CVE-2024-3861 (bmo#1883158)
    Potential use-after-free due to AlignedBuffer self-move
  * CVE-2024-3863 (bmo#1885855)
    Download Protections were bypassed by .xrm-ms files on
    Windows
  * CVE-2024-3302 (bmo#1881183, https://kb.cert.org/vuls/id/421644)
    Denial of Service using HTTP/2 CONTINUATION frames
  * CVE-2024-3864 (bmo#1888333)
    Memory safety bug fixed in Firefox 125, Firefox ESR 115.10,
    and Thunderbird 115.10 - Firefox Extended Support Release 115.9.1esr ESR
  * Fixed: Security fix.
  MFSA 2024-16 (bsc#1221850)
  * CVE-2024-29944 (bmo#1886852)
    Privileged JavaScript Execution via Event Handlers - Firefox Extended Support Release 115.9.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-13 (bsc#1221327)
  * CVE-2024-0743 (bmo#1867408)
    Crash in NSS TLS method
  * CVE-2024-2605 (bmo#1872920)
    Windows Error Reporter could be used as a Sandbox escape
    vector
  * CVE-2024-2607 (bmo#1879939)
    JIT code failed to save return registers on Armv7-A
  * CVE-2024-2608 (bmo#1880692)
    Integer overflow could have led to out of bounds write
  * CVE-2024-2616 (bmo#1846197)
    Improve handling of out-of-memory conditions in ICU
  * CVE-2023-5388 (bmo#1780432)
    NSS susceptible to timing attack against RSA decryption
  * CVE-2024-2610 (bmo#1871112)
    Improper handling of html and body tags enabled CSP nonce
    leakage
  * CVE-2024-2611 (bmo#1876675)
    Clickjacking vulnerability could have led to a user
    accidentally granting permissions
  * CVE-2024-2612 (bmo#1879444)
    Self referencing object could have potentially led to a use-
    after-free
  * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405,
    bmo#1881093)
    Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
    and Thunderbird 115.9 - Firefox Extended Support Release 115.8.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2024-06 (bsc#1220048)
  * CVE-2024-1546 (bmo#1843752)
    Out-of-bounds memory read in networking channels
  * CVE-2024-1547 (bmo#1877879)
    Alert dialog could have been spoofed on another site
  * CVE-2024-1548 (bmo#1832627)
    Fullscreen Notification could have been hidden by select
    element
  * CVE-2024-1549 (bmo#1833814)
    Custom cursor could obscure the permission dialog
  * CVE-2024-1550 (bmo#1860065)
    Mouse cursor re-positioned unexpectedly could have led to
    unintended permission grants
  * CVE-2024-1551 (bmo#1864385)
    Multipart HTTP Responses would accept the Set-Cookie header
    in response parts
  * CVE-2024-1552 (bmo#1874502)
    Incorrect code generation on 32-bit ARM devices
  * CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498,
    bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597,
    bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795,
    bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286)
    Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8,
    and Thunderbird 115.8 - Recommend libfido2-udev on codestreams that exist, in order to try
  to get security keys (e.g. Yubikeys) work out of the box. (bsc#1184272) - Firefox Extended Support Release 115.7.0 ESR
  * Fixed: Various security fixes and other quality improvements.
- Mozilla Firefox ESR 115.7
  MFSA 2024-02 (bsc#1218955)
  * CVE-2024-0741 (bmo#1864587)
    Out of bounds write in ANGLE
  * CVE-2024-0742 (bmo#1867152)
    Failure to update user input timestamp
  * CVE-2024-0746 (bmo#1660223)
    Crash when listing printers on Linux
  * CVE-2024-0747 (bmo#1764343)
    Bypass of Content Security Policy when directive unsafe-
    inline was set
  * CVE-2024-0749 (bmo#1813463)
    Phishing site popup could show local origin in address bar
  * CVE-2024-0750 (bmo#1863083)
    Potential permissions request bypass via clickjacking
  * CVE-2024-0751 (bmo#1865689)
    Privilege escalation through devtools
  * CVE-2024-0753 (bmo#1870262)
    HSTS policy on subdomain could bypass policy of upper domain
  * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
    Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
    and Thunderbird 115.7 - Firefox Extended Support Release 115.6.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2023-54 (bsc#1217974)
  * CVE-2023-6856 (bmo#1843782)
    Heap-buffer-overflow affecting WebGL DrawElementsInstanced
    method with Mesa VM driver
  * CVE-2023-6865 (bmo#1864123)
    Potential exposure of uninitialized data in
    EncryptingOutputStream
  * CVE-2023-6857 (bmo#1796023)
    Symlinks may resolve to smaller than expected buffers
  * CVE-2023-6858 (bmo#1826791)
    Heap buffer overflow in nsTextFragment
  * CVE-2023-6859 (bmo#1840144)
    Use-after-free in PR_GetIdentitiesLayer
  * CVE-2023-6860 (bmo#1854669)
    Potential sandbox escape due to VideoBridge lack of texture
    validation
  * CVE-2023-6867 (bmo#1863863)
    Clickjacking permission prompts using the popup transition
  * CVE-2023-6861 (bmo#1864118)
    Heap buffer overflow affected nsWindow::PickerOpen(void) in
    headless mode
  * CVE-2023-6862 (bmo#1868042)
    Use-after-free in nsDNSService
  * CVE-2023-6863 (bmo#1868901)
    Undefined behavior in ShutdownObserver()
  * CVE-2023-6864 (bmo#1736385, bmo#1810805, bmo#1846328,
    bmo#1856090, bmo#1858033, bmo#1858509, bmo#1862089,
    bmo#1862777, bmo#1864015)
    Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6,
    and Thunderbird 115.6 - Firefox Extended Support Release 115.5.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2023-50 (bsc#1217230)
  * CVE-2023-6204 (bmo#1841050)
    Out-of-bound memory access in WebGL2 blitFramebuffer
  * CVE-2023-6205 (bmo#1854076)
    Use-after-free in MessagePort::Entangled
  * CVE-2023-6206 (bmo#1857430)
    Clickjacking permission prompts using the fullscreen
    transition
  * CVE-2023-6207 (bmo#1861344)
    Use-after-free in ReadableByteStreamQueueEntry::Buffer
  * CVE-2023-6208 (bmo#1855345)
    Using Selection API would copy contents into X11 primary
    selection.
  * CVE-2023-6209 (bmo#1858570)
    Incorrect parsing of relative URLs starting with "///"
  * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252,
    bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943,
    bmo#1862782)
    Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
    and Thunderbird 115.5 - Firefox Extended Support Release 115.4.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2023-46 (bsc#1216338)
  * CVE-2023-5721 (bmo#1830820)
    Queued up rendering could have allowed websites to clickjack
  * CVE-2023-5732 (bmo#1690979, bmo#1836962)
    Address bar spoofing via bidirectional characters
  * CVE-2023-5724 (bmo#1836705)
    Large WebGL draw could have led to a crash
  * CVE-2023-5725 (bmo#1845739)
    WebExtensions could open arbitrary URLs
  * CVE-2023-5726 (bmo#1846205)
    Full screen notification obscured by file open dialog on
    macOS
  * CVE-2023-5727 (bmo#1847180)
    Download Protections were bypassed by .msix, .msixbundle,
    .appx, and .appxbundle files on Windows
  * CVE-2023-5728 (bmo#1852729)
    Improper object tracking during GC in the JavaScript engine
    could have led to a crash.
  * CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694,
    bmo#1848833, bmo#1850191, bmo#1850259, bmo#1852596,
    bmo#1853201, bmo#1854002, bmo#1855306, bmo#1855640,
    bmo#1856695)
    Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4,
    and Thunderbird 115.4.1
- Removed upstreamed patch mozilla-fix-broken-ffmpeg.patch - Firefox Extended Support Release 115.3.1 ESR
  * Fixed: Security fix.
  MFSA 2023-44 (bsc#1215814)
  * CVE-2023-5217 (bmo#1855550)
    Heap buffer overflow in libvpx - Firefox Extended Support Release 115.3.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2023-42 (bsc#1215575)
  * CVE-2023-5168 (bmo#1846683)
    Out-of-bounds write in FilterNodeD2D1
  * CVE-2023-5169 (bmo#1846685)
    Out-of-bounds write in PathOps
  * CVE-2023-5171 (bmo#1851599)
    Use-after-free in Ion Compiler
  * CVE-2023-5174 (bmo#1848454)
    Double-free in process spawning on Windows
  * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824,
    bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983,
    bmo#1851195)
    Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3,
    and Thunderbird 115.3
- Add patch mozilla-fix-broken-ffmpeg.patch to fix broken build
  with newer binutils (bsc#1215309) - Firefox Extended Support Release 115.2.1 ESR
  * Fixed: Security fix
  MFSA 2023-40 (bsc#1215245)
  * CVE-2023-4863 (bmo#1852649)
    Heap buffer overflow in libwebp - Fix i586 build by reducing debug info to -g1. (boo#1210168) - Firefox Extended Support Release 115.2.0 ESR
  * Fixed: Various  security  fixes and other quality
    improvements.
  MFSA 2023-36 (bsc#1214606)
  * CVE-2023-4574: (bmo#1846688)
    Memory corruption in IPC ColorPickerShownCallback
  * CVE-2023-4575: (bmo#1846689)
    Memory corruption in IPC FilePickerShownCallback
  * CVE-2023-4576: (bmo#1846694)
    Integer Overflow in RecordedSourceSurfaceCreation
  * CVE-2023-4577: (bmo#1847397)
    Memory corruption in JIT UpdateRegExpStatics
  * CVE-2023-4051: (bmo#1821884)
    Full screen notification obscured by file open dialog
  * CVE-2023-4578: (bmo#1839007)
    Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception
  * CVE-2023-4053: (bmo#1839079)
    Full screen notification obscured by external program
  * CVE-2023-4580: (bmo#1843046)
    Push notifications saved to disk unencrypted
  * CVE-2023-4581: (bmo#1843758)
    XLL file extensions were downloadable without warnings
  * CVE-2023-4582: (bmo#1773874)
    Buffer Overflow in WebGL glGetProgramiv
  * CVE-2023-4583: (bmo#1842030)
    Browsing Context potentially not cleared when closing Private Window
  * CVE-2023-4584: (bmo#1843968, bmo#1845205, bmo#1846080, bmo#1846526, bmo#1847529)
    Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15,
    Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
  * CVE-2023-4585: (bmo#1751583, bmo#1833504, bmo#1841082, bmo#1847904, bmo#1848999)
    Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2,
    and Thunderbird 115.2 - Firefox Extended Support Release 115.1.0 ESR
  * Fixed: Various security fixes.
  MFSA 2023-30 (bsc#1213746)
  * CVE-2023-4045 (bmo#1833876)
    Offscreen Canvas could have bypassed cross-origin
    restrictions
  * CVE-2023-4046 (bmo#1837686)
    Incorrect value used during WASM compilation
  * CVE-2023-4047 (bmo#1839073)
    Potential permissions request bypass via clickjacking
  * CVE-2023-4048 (bmo#1841368)
    Crash in DOMParser due to out-of-memory conditions
  * CVE-2023-4049 (bmo#1842658)
    Fix potential race conditions when releasing platform objects
  * CVE-2023-4050 (bmo#1843038)
    Stack buffer overflow in StorageManager
  * CVE-2023-4054 (bmo#1840777)
    Lack of warning when opening appref-ms files
  * CVE-2023-4055 (bmo#1782561)
    Cookie jar overflow caused unexpected cookie jar state
  * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235,
    bmo#1842325, bmo#1843847)
    Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
    Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
- Remove now upstreamed patch mozilla-bmo1838323.patch and mozilla-bmo1775202.patch - Remove bashisms from startup-script (bsc#1213657) - Firefox Extended Support Release 115.0.2 ESR
  MFSA 2023-26 (bsc#1213230)
  * CVE-2023-3600 (bmo#1839703)
    Use-after-free in workers
  - 
  * Fixed: Fixed a startup crash experienced by some Windows
    users by blocking instances of a malicious injected DLL
    (bmo#1841751)
  * Fixed: Fixed a bug with displaying a caret in the text editor
    on some websites (bmo#1840804)
  * Fixed: Fixed a bug with broken audio rendering on some
    websites (bmo#1841982)
  * Fixed: Fixed a bug with patternTransform translate using the
    wrong units (bmo#1840746)
  * Fixed: A security fix.
  * Fixed: Fixed a crash affecting Windows 7 users related to the
    DLL blocklist.
- Firefox Extended Support Release 115.0.1 ESR
  * Fixed: Fixed a startup crash for Windows users with Kingsoft
    Antivirus software installed (bmo#1837242) - Firefox Extended Support Release 115.0 ESR
  * New:
  - Required fields are now highlighted in PDF forms.
  - Improved performance on high-refresh rate monitors
    (120Hz+).
  - Buttons in the Tabs toolbar can now be reached with Tab,
    Shift+Tab, and Arrow keys. View this article for additional
    details.
  - Windows' "Make text bigger" accessibility setting now
    affects all the UI and content pages, rather than only
    applying to system font sizes.
  - Non-breaking spaces are now preservedâ€”preventing automatic
    line breaksâ€”when copying text from a form control.
  - Fixed WebGL performance issues on NVIDIA binary drivers via
    DMA-Buf on Linux.
  - Fixed an issue in which Firefox startup could be
    significantly slowed down by the processing of Web content
    local storage. This had the greatest impact on users with
    platter hard drives and significant local storage.
  - Removed a configuration option to allow SHA-1 signatures in
    certificates: SHA-1 signatures in certificatesâ€”long since
    determined to no longer be secure enoughâ€”are now not
    supported.
  - Highlight color is preserved correctly after typing `Enter`
    in the mail composer of Yahoo Mail and Outlook.
    After bypassing the https only error page navigating back
    would take you to the error page that was previously
    dismissed. Back now takes you to the previous site that was
    visited.
  - Paste unformatted shortcut (shift+ctrl/cmd+v) now works in
    plain text contexts, such as input and text area.
  - Added an option to print only the current page from the
    print preview dialog.
  - Swipe to navigate (two fingers on a touchpad swiped left or
    right to perform history back or forward) on Windows is now
    enabled.
  - Stability on Windows is significantly improved as Firefox
    handles low-memory situations much better.
  - Touchpad scrolling on macOS was made more accessible by
    reducing unintended diagonal scrolling opposite of the
    intended scroll axis.
  - Firefox is less likely to run out of memory on Linux and
    performs more efficiently for the rest of the system when
    memory runs low.
  - It is now possible to edit PDFs: including writing text,
    drawing, and adding signatures.
  - Setting Firefox as your default browser now also makes it
    the default PDF application on Windows systems.
  - Swipe-to-navigate (two fingers on a touchpad swiped left or
    right to perform history back or forward) now works for Linux
    users on Wayland.
  - Text Recognition in images allows users on macOS 10.15 and
    higher to extract text from the selected image (such as a
    meme or screenshot).
  - Firefox View helps you get back to content you previously
    discovered. A pinned tab allows you to find and open recently
    closed tabs on your current device and access tabs from other
    devices (via our â€œTab Pickupâ€ feature).
  - Import maps, which allow web pages to control the behavior
    of JavaScript imports, are now enabled by default.
  - Processes used for background tabs now use efficiency mode
    on Windows 11 to limit resource use.
  - The shift+esc keyboard shortcut now opens the Process
    Manager, offering a way to quickly identify processes that
    are using too many resources.
  - Firefox now supports properly color correcting images
    tagged with ICCv4 profiles.
  - Support for non-English characters when saving and printing
    PDF forms.
  - The bookmarks toolbar's default "Only show on New Tab"
    state works correctly for blank new tabs. As before, you can
    change the bookmark toolbar's behavior using the toolbar
    context menu.
  - Manifest Version 3 (MV3) extension support is now enabled
    by default (MV2 remains enabled/supported). This major update
    also ushers an exciting user interface change in the form of
    the new extensions button.
  - The Arbitrary Code Guard exploit protection has been
    enabled in the media playback utility processes, improving
    security for Windows users.
  - The native HTML date picker for date and datetime inputs
    can now be used with a keyboard alone, improving its
    accessibility for screen reader users. Users with limited
    mobility can also now use common keyboard shortcuts to
    navigate the calendar grid and month selection spinners.
  - Firefox builds in the Spanish from Spain (es-ES) and
    Spanish from Argentina (es-AR) locales now come with a built-
    in dictionary for the Firefox spellchecker.
  - On macOS, Ctrl or Cmd + trackpad or mouse wheel now scrolls
    the page instead of zooming. This avoids accidental zooming
    and matches the behavior of other web browsers on macOS.
  - It's now possible to import bookmarks, history and
    passwords not only from Edge, Chrome or Safari but also from
    Opera, Opera GX, and Vivaldi.
  - GPU sandboxing has been enabled on Windows.
  - On Windows, third-party modules can now be blocked from
    injecting themselves into Firefox, which can be helpful if
    they are causing crashes or other undesirable behavior.
  - Date, time, and datetime-local input fields can now be
    cleared with `Cmd+Backspace` and `Cmd+Delete` shortcut on
    macOS and `Ctrl+Backspace` and `Ctrl+Delete` on Windows and
    Linux.
  - GPU-accelerated Canvas2D is enabled by default on macOS and
    Linux.
  - WebGL performance improvement on Windows, MacOS and Linux.
  - Enables overlay of hardware-decoded video with non-Intel
    GPUs on Windows 10/11, improving video playback performance
    and video scaling quality.
  - Windows native notifications are now enabled.
  - Firefox Relay users can now opt-in to create Relay email
    masks directly from the Firefox credential manager. You must
    be signed in with your Firefox Account.
  - Weâ€™ve added two new locales: Silhe Friulian (fur) and
    Sardinian (sc).
  - Right-clicking on password fields now shows an option to
    reveal the password.
  - Private windows and ETP set to strict will now include
    email tracking protection. This will make it harder for email
    trackers to learn the browsing habits of Firefox users. You
    can check the Tracking Content in the sub-panel on the shield
    icon panel.
  - The deprecated U2F Javascript API is now disabled by
    default. The U2F protocol remains usable through the WebAuthn
    API. The U2F API can be re-enabled using the
    `security.webauth.u2f` preference.
  - Say hello to enhanced Picture-in-Picture! Rewind, check
    video duration, and effortlessly switch to full-screen mode
    on the web's most popular video websites.
  - Firefox's address bar is already a great place to search
    for what you're looking for. Now you'll always be able to see
    your web search terms and refine them while viewing your
    search's results - no additional scrolling needed! Also, a
    new result menu has been added making it easier to remove
    history results and dismiss sponsored Firefox Suggest
    entries.
  - Private windows now protect users even better by blocking
    third-party cookies and storage of content trackers.
  - Passwords automatically generated by Firefox now include
    special characters, giving users more secure passwords by
    default.
  - Firefox 115 introduces a redesigned accessibility engine
    which significantly improves the speed, responsiveness, and
    stability of Firefox when used with:
  - Screen readers, as well as certain other accessibility
    software;
  - East Asian input methods;
  - Enterprise single sign-on software; and
  - Other applications which use accessibility frameworks to
    access information.
  - Firefox 115 now supports AV1 Image Format files containing
    animations (AVIS), improving support for AVIF images across
    the web.
  - The Windows GPU sandbox first shipped in the Firefox 110
    release has been tightened to enhance the security benefits
    it provides.
  - A 13-year-old feature request was fulfilled and Firefox now
    supports files being drag-and-dropped directly from Microsoft
    Outlook. A special thanks to volunteer contributor Marco
    Spiess for helping to get this across the finish line!
  - Users on macOS can now access the Services sub-menu
    directly from Firefox context menus.
  - On Windows, the elastic overscroll effect has been enabled
    by default. When two-finger scrolling on the touchpad or
    scrolling on the touchscreen, you will now see a bouncing
    animation when scrolling past the edge of a scroll container.
  - Firefox is now available in the Tajik (tg) language.
  - Added UI to manage the DNS over HTTPS exception list.
  - Bookmarks can now be searched from the Bookmarks menu. The
    Bookmarks menu is accessible by adding the Bookmarks menu
    button to the toolbar.
  - Restrict searches to your local browsing history by
    selecting Search history from the History, Library or
    Application menu buttons.
  - Mac users can now capture video from their cameras in all
    supported native resolutions. This enables resolutions higher
    than 1280x720.
  - It is now possible to reorder the extensions listed in the
    extensions panel.
  - Users on macOS, Linux, and Windows 7 can now use FIDO2 /
    WebAuthn authenticators over USB. Some advanced features,
    such as fully passwordless logins, require a PIN to be set on
    the authenticator.
  - Pocket Recommended content can now be seen in France,
    Italy, and Spain.
  - DNS over HTTPS settings are now part of the Privacy &
    Security section of the Settings page and allow the user to
    choose from all the supported modes.
  - Migrating from another browser? Now you can bring over
    payment methods you've saved in Chrome-based browsers to
    Firefox.
  - Hardware video decoding enabled for Intel GPUs on Linux.
  - The Tab Manager dropdown now features close buttons, so you
    can close tabs more quickly.
  - Windows Magnifier now follows the text cursor correctly
    when the Firefox title bar is visible.
  - Undo and redo are now available in Password fields.
    [1]:https://support.mozilla.org/kb/access-toolbar-functions-
    using-keyboard?_gl=1*16it7nj*_ga*MTEzNjg4MjY5NC4xNjQ1MjAxMDU3
  * _ga_MQ7767QQQW*MTY1Njk2MzExMS43LjEuMTY1Njk2MzIzMy4w
    [2]:https://support.mozilla.org/kb/how-set-tab-pickup-
    firefox-view
    [3]:https://support.mozilla.org/kb/task-manager-tabs-or-
    extensions-are-slowing-firefox
    [4]:https://blog.mozilla.org/addons/2022/11/17/manifest-v3-
    signing-available-november-21-on-firefox-nightly/
    [5]:https://blog.mozilla.org/addons/2022/05/18/manifest-v3-
    in-firefox-recap-next-steps/
    [6]:https://support.mozilla.org/kb/unified-extensions
    [7]:https://support.mozilla.org/kb/import-data-another-
    browser
    [8]:https://support.mozilla.org/kb/identify-problems-third-
    party-modules-firefox-windows
    [9]:https://support.mozilla.org/kb/how-generate-secure-
    password-firefox
    [10]:https://blog.mozilla.org/accessibility/firefox-113-
    accessibility-performance/
  * Fixed: Various security fixes.
  MFSA 2023-22 (bsc#1212438)
  * CVE-2023-3482 (bmo#1839464)
    Block all cookies bypass for localstorage
  * CVE-2023-37201 (bmo#1826002)
    Use-after-free in WebRTC certificate generation
  * CVE-2023-37202 (bmo#1834711)
    Potential use-after-free from compartment mismatch in
    SpiderMonkey
  * CVE-2023-37203 (bmo#291640)
    Drag and Drop API may provide access to local system files
  * CVE-2023-37204 (bmo#1832195)
    Fullscreen notification obscured via option element
  * CVE-2023-37205 (bmo#1704420)
    URL spoofing in address bar using RTL characters
  * CVE-2023-37206 (bmo#1813299)
    Insufficient validation of symlinks in the FileSystem API
  * CVE-2023-37207 (bmo#1816287)
    Fullscreen notification obscured
  * CVE-2023-37208 (bmo#1837675)
    Lack of warning when opening Diagcab files
  * CVE-2023-37209 (bmo#1837993)
    Use-after-free in `NotifyOnHistoryReload`
  * CVE-2023-37210 (bmo#1821886)
    Full-screen mode exit prevention
  * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886,
    bmo#1836550, bmo#1837450)
    Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
    and Thunderbird 102.13
  * CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206,
    bmo#1827076, bmo#1828690, bmo#1833503, bmo#1835710,
    bmo#1838587)
    Memory safety bugs fixed in Firefox 115
- Remove obsolete patches mozilla-bmo1568145.patch, mozilla-bmo1005535.patch,
  mozilla-s390x-skia-gradient.patch
- Add mozilla-bmo1838323.patch to fix potential SIGILL on old CPUs
  (bsc#1212101) - Firefox Extended Support Release 102.12.0 ESR
  * Fixed: Various  security  fixes and other quality
    improvements.
  MFSA 2023-19 (bsc#1211922)
  * CVE-2023-34414 (bmo#1695986)
    Click-jacking certificate exceptions through rendering lag
  * CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875,
    bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190,
    bmo#1830206, bmo#1830795, bmo#1833339)
    Memory safety bugs fixed in Firefox 114 and Firefox ESR
    102.12
- update keyring - Firefox Extended Support Release 102.11.0 ESR
  * Fixed: Various security fixes and other quality improvements.
  MFSA 2023-17 (bsc#1211175)
  * CVE-2023-32205 (bmo#1753339, bmo#1753341)
    Browser prompts could have been obscured by popups
  * CVE-2023-32206 (bmo#1824892)
    Crash in RLBox Expat driver
  * CVE-2023-32207 (bmo#1826116)
    Potential permissions request bypass via clickjacking
  * CVE-2023-32211 (bmo#1823379)
    Content process crash due to invalid wasm code
  * CVE-2023-32212 (bmo#1826622)
    Potential spoof due to obscured address bar
  * CVE-2023-32213 (bmo#1826666)
    Potential memory corruption in FileReader::DoReadData()
  * CVE-2023-32214 (bmo#1828716)
    Potential DoS via exposed protocol handlers
  * CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856,
    bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024,
    bmo#1827144, bmo#1827359, bmo#1830186)
    Memory safety bugs fixed in Firefox 113 and Firefox ESR
    102.11 - Firefox Extended Support Release 102.10.0 ESR
  * Fixed: Various security fixes.
  MFSA 2023-14 (bsc#1210212)
  * CVE-2023-29531 (bmo#1794292)
    Out-of-bound memory access in WebGL on macOS
  * CVE-2023-29532 (bmo#1806394)
    Mozilla Maintenance Service Write-lock bypass
  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
    Fullscreen notification obscured
  * CVE-2023-1999 (bmo#1819244)
    Double-free in libwebp
  * CVE-2023-29535 (bmo#1820543)
    Potential Memory Corruption following Garbage Collector
    compaction
  * CVE-2023-29536 (bmo#1821959)
    Invalid free from JavaScript code
  * CVE-2023-29539 (bmo#1784348)
    Content-Disposition filename truncation leads to Reflected
    File Download
  * CVE-2023-29541 (bmo#1810191)
    Files with malicious extensions could have been downloaded
    unsafely on Linux
  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
    Bypass of file download extension restrictions
  * CVE-2023-29545 (bmo#1823077)
    Windows Save As dialog resolved environment variables
  * CVE-2023-1945 (bmo#1777588)
    Memory Corruption in Safe Browsing Code
  * CVE-2023-29548 (bmo#1822754)
    Incorrect optimization result on ARM64
  * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498,
    bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493,
    bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413,
    bmo#1824828)
    Memory safety bugs fixed in Firefox 112 and Firefox ESR
    102.10 - Firefox Extended Support Release 102.9.0 ESR
  * Fixed: Various security fixes.
  MFSA 2023-10 (bsc#1209173)
  * CVE-2023-25751 (bmo#1814899)
    Incorrect code generation during JIT compilation
  * CVE-2023-28164 (bmo#1809122)
    URL being dragged from a removed cross-origin iframe into the
    same tab triggered navigation
  * CVE-2023-28162 (bmo#1811327)
    Invalid downcast in Worklets
  * CVE-2023-25752 (bmo#1811627)
    Potential out-of-bounds when accessing throttled streams
  * CVE-2023-28163 (bmo#1817768)
    Windows Save As dialog resolved environment variables
  * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904,
    bmo#1817442, bmo#1818674)
    Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9 - Firefox Extended Support Release 102.8.0 ESR
  * Fixed: Various security fixes.
  MFSA 2023-06 (bsc#1208144)
  * CVE-2023-25728 (bmo#1790345)
    Content security policy leak in violation reports using
    iframes
  * CVE-2023-25730 (bmo#1794622)
    Screen hijack via browser fullscreen mode
  * CVE-2023-25743 (bmo#1800203)
    Fullscreen notification not shown in Firefox Focus
  * CVE-2023-0767 (bmo#1804640)
    Arbitrary memory write via PKCS 12 in NSS
  * CVE-2023-25735 (bmo#1810711)
    Potential use-after-free from compartment mismatch in
    SpiderMonkey
  * CVE-2023-25737 (bmo#1811464)
    Invalid downcast in SVGUtils::SetupStrokeGeometry
  * CVE-2023-25738 (bmo#1811852)
    Printing on Windows could potentially crash Firefox with some
    device drivers
  * CVE-2023-25739 (bmo#1811939)
    Use-after-free in
    mozilla::dom::ScriptLoadContext::~ScriptLoadContext
  * CVE-2023-25729 (bmo#1792138)
    Extensions could have opened external schemes without user
    knowledge
  * CVE-2023-25732 (bmo#1804564)
    Out of bounds memory write from EncodeInputStream
  * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143,
    bmo#1812338)
    Opening local .url files could cause unexpected network loads
  * CVE-2023-25742 (bmo#1813424)
    Web Crypto ImportKey crashes tab
  * CVE-2023-25744 (bmo#1789449, bmo#1803628, bmo#1810536)
    Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8
  * CVE-2023-25746 (bmo#1544127, bmo#1762368)
    Memory safety bugs fixed in Firefox ESR 102.8 - Firefox Extended Support Release 102.7.0 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2023-02 (bsc#1207119)
  * CVE-2022-46871 (bmo#1795697)
    libusrsctp library out of date
  * CVE-2023-23598 (bmo#1800425)
    Arbitrary file read from GTK drag and drop on Linux
  * CVE-2023-23599 (bmo#1777800)
    Malicious command could be hidden in devtools output on
    Windows
  * CVE-2023-23601 (bmo#1794268)
    URL being dragged from cross-origin iframe into same tab
    triggers navigation
  * CVE-2023-23602 (bmo#1800890)
    Content Security Policy wasn't being correctly applied to
    WebSockets in WebWorkers
  * CVE-2022-46877 (bmo#1795139)
    Fullscreen notification bypass
  * CVE-2023-23603 (bmo#1800832)
    Calls to <code>console.log</code> allowed bypasing Content
    Security Policy via format directive
  * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
    Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 - Firefox Extended Support Release 102.6.0 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-52 (bsc#1206242)
  * CVE-2022-46880 (bmo#1749292)
    Use-after-free in WebGL
  * CVE-2022-46872 (bmo#1799156)
    Arbitrary file read from a compromised content process
  * CVE-2022-46881 (bmo#1770930)
    Memory corruption in WebGL
  * CVE-2022-46874 (bmo#1746139)
    Drag and Dropped Filenames could have been truncated to
    malicious extensions
  * CVE-2022-46875 (bmo#1786188)
    Download Protections were bypassed by .atloc and .ftploc
    files on Mac OS
  * CVE-2022-46882 (bmo#1789371)
    Use-after-free in WebGL
  * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
    bmo#1801102, bmo#1801315, bmo#1802395)
    Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 - Firefox Extended Support Release 102.5.0 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-48 (bsc#1205270)
  * CVE-2022-45403 (bmo#1762078)
    Service Workers might have learned size of cross-origin media
    files
  * CVE-2022-45404 (bmo#1790815)
    Fullscreen notification bypass
  * CVE-2022-45405 (bmo#1791314)
    Use-after-free in InputStream implementation
  * CVE-2022-45406 (bmo#1791975)
    Use-after-free of a JavaScript Realm
  * CVE-2022-45408 (bmo#1793829)
    Fullscreen notification bypass via windowName
  * CVE-2022-45409 (bmo#1796901)
    Use-after-free in Garbage Collection
  * CVE-2022-45410 (bmo#1658869)
    ServiceWorker-intercepted requests bypassed SameSite cookie
    policy
  * CVE-2022-45411 (bmo#1790311)
    Cross-Site Tracing was possible via non-standard override
    headers
  * CVE-2022-45412 (bmo#1791029)
    Symlinks may resolve to partially uninitialized buffers
  * CVE-2022-45416 (bmo#1793676)
    Keystroke Side-Channel Leakage
  * CVE-2022-45418 (bmo#1795815)
    Custom mouse cursor could have been drawn over browser UI
  * CVE-2022-45420 (bmo#1792643)
    Iframe contents could be rendered outside the iframe
  * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
    Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 - Firefox Extended Support Release 102.4.0 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-45 (bsc#1204421)
  * CVE-2022-42927 (bmo#1789128)
    Same-origin policy violation could have leaked cross-origin
    URLs
  * CVE-2022-42928 (bmo#1791520)
    Memory Corruption in JS Engine
  * CVE-2022-42929 (bmo#1789439)
    Denial of Service via window.print
  * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)
    Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4
- Added mozilla-partial-revert-1768632.patch to fix build on i586 - Firefox Extended Support Release 102.3.0 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-40 (bsc#1203477)
  * CVE-2022-3266 (bmo#1767360)
    Out of bounds read when decoding H264
  * CVE-2022-40959 (bmo#1782211)
    Bypassing FeaturePolicy restrictions on transient pages
  * CVE-2022-40960 (bmo#1787633)
    Data-race when parsing non-UTF-8 URLs in threads
  * CVE-2022-40958 (bmo#1779993)
    Bypassing Secure Context restriction for cookies with __Host
    and __Secure prefix
  * CVE-2022-40956 (bmo#1770094)
    Content-Security-Policy base-uri bypass
  * CVE-2022-40957 (bmo#1777604)
    Incoherent instruction cache when building WASM on ARM64
  * CVE-2022-40962 (bmo#1776655, bmo#1777574, bmo#1784835,
    bmo#1785109, bmo#1786502, bmo#1789440)
    Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3
- Rebase mozilla-silence-no-return-type.patch to apply with fuzz=0 - Firefox 102.2.0esr ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-34 (bsc#1202645)
  * CVE-2022-38472 (bmo#1769155)
    Address bar spoofing via XSLT error handling
  * CVE-2022-38473 (bmo#1771685)
    Cross-origin XSLT Documents would have inherited the parent's
    permissions
  * CVE-2022-38476 (bmo#1760998)
    Data race and potential use-after-free in PK11_ChangePW
  * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159,
    bmo#1773363)
    Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
  * CVE-2022-38478 (bmo#1770630, bmo#1776658)
    Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
    and Firefox ESR 91.13
- Add mozilla-bmo1775202.patch to fix build on ppc64le
- Firefox Extended Support Release 102.1 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-30 (bsc#1201758)
  * CVE-2022-36319 (bmo#1737722)
    Mouse Position spoofing with CSS transforms
  * CVE-2022-36318 (bmo#1771774)
    Directory indexes for bundled resources reflected URL
    parameters
  * CVE-2022-36314 (bmo#1773894)
    Opening local <code>.lnk</code> files could cause unexpected
    network loads
  * CVE-2022-2505 (bmo#1769739, bmo#1772824)
    Memory safety bugs fixed in Firefox 103 and 102.1
- Firefox Extended Support Release 102.0.1 ESR
  * Fixed: Fixed bookmark shortcut creation by dragging to
    Windows File Explorer and dropping partially broken
    (bmo#1774683)
  * Fixed: Fixed bookmarks sidebar flashing white when opened in
    dark mode (bmo#1776157)
  * Fixed: Fixed multilingual spell checking not working with
    content in both English and a non-Latin alphabet
    (bmo#1773802)
  * Fixed: Developer tools:  Fixed an issue where the console
    output keep getting scrolled to the bottom when the last
    visible message is an evaluation result (bmo#1776262)
  * Fixed: Fixed *Delete cookies and site data when Firefox is
    closed* checkbox getting disabled on startup (bmo#1777419)
  * Fixed: Various stability fixes
- Firefox 102.0 ESR
  * New:
  - We now provide more secure connections: Firefox can
    now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc
    headers.
  - For added viewing pleasure, full-range color levels are now
    supported for video playback on many systems.
  - Find it easier now! Mac users can now access the macOS
    share options from the Firefox File menu.
  - VoilÃ ! Support for images containing ICC v4 profiles is
    enabled on macOS.
  - Firefox now supports the new AVIF image format, which is
    based on the modern and royalty-free AV1 video codec. It
    offers significant bandwidth savings for sites compared to
    existing image formats. It also supports transparency and
    other advanced features.
  - Firefox PDF viewer now supports filling more forms (e.g.,
    XFA-based forms, used by multiple governments and banks).
    Learn more.
  - When available system memory is critically low, Firefox on
    Windows will automatically unload tabs based on their last
    access time, memory usage, and other attributes. This helps
    to reduce Firefox out-of-memory crashes. Forgot something?
    Switching to an unloaded tab automatically reloads it.
  - To prevent session loss for macOS users who are running
    Firefox from a mounted .dmg file, theyâ€™ll now be prompted to
    finish installation. Bear in mind, this permission prompt
    only appears the first time these users run Firefox on their
    computer.
  - For your safety, Firefox now blocks downloads that rely on
    insecure connections, protecting against potentially
    malicious or unsafe downloads. Learn more and see where to
    find downloads in Firefox.
  - Improved web compatibility for privacy protections with
    SmartBlock 3.0: In Private Browsing and Strict Tracking
    Protection, Firefox goes to great lengths to protect your web
    browsing activity from trackers. As part of this, the built-
    in content blocking will automatically block third-party
    scripts, images, and other content from being loaded from
    cross-site tracking companies reported by Disconnect. Learn
    more.
  - Introducing a new referrer tracking protection in Strict
    Tracking Protection and Private Browsing. This feature
    prevents sites from unknowingly leaking private information
    to trackers. Learn more.
  - Introducing Firefox Suggest, a feature that provides
    website suggestions as you type into the address bar. Learn
    more about this faster way to navigate the web and locale-
    specific features.
  - Firefox macOS now uses Apple's low-power mode for
    fullscreen video on sites such as YouTube and Twitch. This
    meaningfully extends battery life in long viewing sessions.
    Now your kids can find out what the fox says on a loop
    without you ever missing a beatâ€¦
  - With this release, power users can use about:unloads to
    release system resources by manually unloading tabs without
    closing them.
  - On Windows, there will now be fewer interruptions because
    Firefox wonâ€™t prompt you for updates. Instead, a background
    agent will download and install updates even if Firefox is
    closed.
  - On Linux, weâ€™ve improved WebGL performance and reduced
    power consumption for many users.
  - To better protect all Firefox users against side-channel
    attacks, such as Spectre, we introduced Site Isolation.
  - Firefox no longer warns you by default when you exit the
    browser or close a window using a menu, button, or three-key
    command. This should cut back on unwelcome notifications,
    which is always niceâ€”however, if you prefer a bit of notice,
    youâ€™ll still have full control over the quit/close modal
    behavior. All warnings can be managed within Firefox
    Settings. No worries! More details here.
  - Firefox supports the new Snap Layouts menus when running on
    Windows 11.
  - RLBoxâ€”a new technology that hardens Firefox against
    potential security vulnerabilities in third-party
    librariesâ€”is now enabled on all platforms.
  - Weâ€™ve reduced CPU usage on macOS in Firefox and
    WindowServer during event processing.
  - Weâ€™ve also reduced the power usage of software decoded
    video on macOS, especially in fullscreen. This includes
    streaming sites such as Netflix and Amazon Prime Video.
  - You can now move the Picture-in-Picture toggle button to
    the opposite side of the video. Simply look for the new
    context menu option Move Picture-in-Picture Toggle to Left
    (Right) Side.
  - Weâ€™ve made significant improvements in noise suppression
    and auto-gain-control, as well as slight improvements in
    echo-cancellation to provide you with a better overall
    experience.
  - Weâ€™ve also significantly reduced main-thread load.
  - When printing, you can now choose to print only the
    odd/even pages.
  - Firefox now supports and displays the new style of
    scrollbars on Windows 11.
  - Firefox has a new optimized download flow. Instead of
    prompting every time, files will download automatically.
    However, they can still be opened from the downloads panel
    with just one click. Easy! More information
  - Firefox no longer asks what to do for each file by default.
    You wonâ€™t be prompted to choose a helper application or save
    to disk before downloading a file unless you have changed
    your download action setting for that type of file.
  - Any files you download will be immediately saved on your
    disk. Depending on the current configuration, theyâ€™ll be
    saved in your preferred download folder, or youâ€™ll be asked
    to select a location for each download. Windows and Linux
    users will find their downloaded files in the destination
    folder. Theyâ€™ll no longer be put in the Temp folder.
  - Firefox allows users to choose from a number of built-in
    search engines to set as their default. In this release, some
    users who had previously configured a default engine might
    notice their default search engine has changed since Mozilla
    was unable to secure formal permission to continue including
    certain search engines in Firefox.
  - You can now toggle Narrate in ReaderMode with the keyboard
    shortcut "n."
  - You can find added support for searchâ€”with or without
    diacriticsâ€”in the PDF viewer.
  - The Linux sandbox has been strengthened: processes exposed
    to web content no longer have access to the X Window system
    (X11).
  - Firefox now supports credit card autofill and capture in
    Germany, France, and the United Kingdom.
  - We now support captions/subtitles display on YouTube, Prime
    Video, and Netflix videos you watch in Picture-in-Picture.
    Just turn on the subtitles on the in-page video player, and
    they will appear in PiP.
  - Picture-in-Picture now also supports video captions on
    websites that use Web Video Text Track (WebVTT) format (e.g.,
    Coursera.org, Canadian Broadcasting Corporation, and many
    more).
  - On the first run after install, Firefox detects when its
    language does not match the operating system language and
    offers the user a choice between the two languages.
  - Firefox spell checking now checks spelling in multiple
    languages. To enable additional languages, select them in the
    text fieldâ€™s context menu.
  - HDR video is now supported in Firefox on Macâ€”starting with
    YouTube! Firefox users on macOS 11+ (with HDR-compatible
    screens) can enjoy higher-fidelity video content. No need to
    manually flip any preferences to turn HDR video support
    onâ€”just make sure battery preferences are NOT set to
    â€œoptimize video streaming while on batteryâ€.
  - Hardware-accelerated AV1 video decoding is enabled on
    Windows with supported GPUs (Intel Gen 11+, AMD RDNA 2
    Excluding Navi 24, GeForce 30). Installing the AV1 Video
    Extension from the Microsoft Store may also be required.
  - Video overlay is enabled on Windows for Intel GPUs,
    reducing power usage during video playback.
  - Improved fairness between painting and handling other
    events. This noticeably improves the performance of the
    volume slider on Twitch.
  - Scrollbars on Linux and Windows 11 won't take space by
    default. On Linux, users can change this in Settings. On
    Windows, Firefox follows the system setting (System Settings
    > Accessibility > Visual Effects > Always show scrollbars).
  - Firefox now ignores less restricted referrer
    policiesâ€”including unsafe-url, no-referrer-when-downgrade,
    and origin-when-cross-originâ€”for cross-site
    subresource/iframe requests to prevent privacy leaks from the
    referrer.
  - Reading is now easier with the prefers-contrast media
    query, which allows sites to detect if the user has requested
    that web content is presented with a higher (or lower)
    contrast.
  - All non-configured MIME types can now be assigned a custom
    action upon download completion.
  - Firefox now allows users to use as many microphones as they
    want, at the same time, during video conferencing. The most
    exciting benefit is that you can easily switch your
    microphones at any time (if your conferencing service
    provider enables this flexibility).
  - Print preview has been updated.
  * Fixed: Various security fixes.
  MFSA 2022-24 (bsc#1200793)
  * CVE-2022-34479 (bmo#1745595)
    A popup window could be resized in a way to overlay the
    address bar with web content
  * CVE-2022-34470 (bmo#1765951)
    Use-after-free in nsSHistory
  * CVE-2022-34468 (bmo#1768537)
    CSP sandbox header without `allow-scripts` can be bypassed
    via retargeted javascript: URI
  * CVE-2022-34482 (bmo#845880)
    Drag and drop of malicious image could have led to malicious
    executable and potential code execution
  * CVE-2022-34483 (bmo#1335845)
    Drag and drop of malicious image could have led to malicious
    executable and potential code execution
  * CVE-2022-34476 (bmo#1387919)
    ASN.1 parser could have been tricked into accepting malformed
    ASN.1
  * CVE-2022-34481 (bmo#1483699, bmo#1497246)
    Potential integer overflow in ReplaceElementsAt
  * CVE-2022-34474 (bmo#1677138)
    Sandboxed iframes could redirect to external schemes
  * CVE-2022-34469 (bmo#1721220)
    TLS certificate errors on HSTS-protected domains could be
    bypassed by the user on Firefox for Android
  * CVE-2022-34471 (bmo#1766047)
    Compromised server could trick a browser into an addon
    downgrade
  * CVE-2022-34472 (bmo#1770123)
    Unavailable PAC file resulted in OCSP requests being blocked
  * CVE-2022-34478 (bmo#1773717)
    Microsoft protocols can be attacked if a user accepts a
    prompt
  * CVE-2022-2200 (bmo#1771381)
    Undesired attributes could be set as part of prototype
    pollution
  * CVE-2022-34480 (bmo#1454072)
    Free of uninitialized pointer in lg_init
  * CVE-2022-34477 (bmo#1731614)
    MediaError message property leaked information on cross-
    origin same-site pages
  * CVE-2022-34475 (bmo#1757210)
    HTML Sanitizer could have been bypassed via same-origin
    script via use tags
  * CVE-2022-34473 (bmo#1770888)
    HTML Sanitizer could have been bypassed via use tags
  * CVE-2022-34484 (bmo#1763634, bmo#1772651)
    Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
  * CVE-2022-34485 (bmo#1768409, bmo#1768578)
    Memory safety bugs fixed in Firefox 102
- Add patch one_swizzle_to_rule_them_all.patch to fix big endian
  platforms and remove old patches for this:
  mozilla-bmo1626236.patch, mozilla-bmo1602730.patch,
  mozilla-bmo1504834-part2.patch, mozilla-bmo1504834-part4.patch
- Rename and rebase firefox-i586-conflict-typedef-error.patch
  to mozilla-bmo531915.patch
- Remove upstreamed mozilla-sandbox-fips.patch - Firefox Extended Support Release 91.13.0 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-35 (bsc#1202645)
  * CVE-2022-38472 (bmo#1769155)
    Address bar spoofing via XSLT error handling
  * CVE-2022-38473 (bmo#1771685)
    Cross-origin XSLT Documents would have inherited the parent's
    permissions
  * CVE-2022-38478 (bmo#1770630, bmo#1776658)
    Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
    and Firefox ESR 91.13 - Firefox Extended Support Release 91.12.0 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-29 (bsc#1201758)
  * CVE-2022-36319 (bmo#1737722)
    Mouse Position spoofing with CSS transforms
  * CVE-2022-36318 (bmo#1771774)
    Directory indexes for bundled resources reflected URL
    parameters - Firefox Extended Support Release 91.11.0 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-25 (bsc#1200793)
  * CVE-2022-34479 (bmo#1745595)
    A popup window could be resized in a way to overlay the
    address bar with web content
  * CVE-2022-34470 (bmo#1765951)
    Use-after-free in nsSHistory
  * CVE-2022-34468 (bmo#1768537)
    CSP sandbox header without `allow-scripts` can be bypassed
    via retargeted javascript: URI
  * CVE-2022-34481 (bmo#1497246)
    Potential integer overflow in ReplaceElementsAt
  * CVE-2022-31744 (bmo#1757604)
    CSP bypass enabling stylesheet injection
  * CVE-2022-34472 (bmo#1770123)
    Unavailable PAC file resulted in OCSP requests being blocked
  * CVE-2022-34478 (bmo#1773717)
    Microsoft protocols can be attacked if a user accepts a
    prompt
  * CVE-2022-2200 (bmo#1771381)
    Undesired attributes could be set as part of prototype
    pollution
  * CVE-2022-34484 (bmo#1763634, bmo#1772651)
    Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 - Firefox Extended Support Release 91.10.0 ESR
  * Fixed: Various stability, functionality, and security fixes.
  MFSA 2022-21 (bsc#1200027)
  * CVE-2022-31736 (bmo#1735923)
    Cross-Origin resource's length leaked
  * CVE-2022-31737 (bmo#1743767)
    Heap buffer overflow in WebGL
  * CVE-2022-31738 (bmo#1756388)
    Browser window spoof using fullscreen mode
  * CVE-2022-31739 (bmo#1765049)
    Attacker-influenced path traversal when saving downloaded
    files
  * CVE-2022-31740 (bmo#1766806)
    Register allocation problem in WASM on arm64
  * CVE-2022-31741 (bmo#1767590)
    Uninitialized variable leads to invalid memory read
  * CVE-2022-31742 (bmo#1730434)
    Querying a WebAuthn token with a large number of
    allowCredential entries may have leaked cross-origin
    information
  * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
    bmo#1767365, bmo#1768559, bmo#1768734)
    Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10 - Firefox Extended Support Release 91.9.1 ESR
  * Fixed: Security fix
  MFSA 2022-19 (bsc#1199768)
  * CVE-2022-1802 (bmo#1770137)
    Prototype pollution in Top-Level Await implementation
  * CVE-2022-1529 (bmo#1770048)
    Untrusted input used in JavaScript object indexing, leading
    to prototype pollution - Firefox Extended Support Release 91.9.0 ESR
  MFSA 2022-17 (bsc#1198970)
  * CVE-2022-29914 (bmo#1746448)
    Fullscreen notification bypass using popups
  * CVE-2022-29909 (bmo#1755081)
    Bypassing permission prompt in nested browsing contexts
  * CVE-2022-29916 (bmo#1760674)
    Leaking browser history with CSS variables
  * CVE-2022-29911 (bmo#1761981)
    iframe Sandbox bypass
  * CVE-2022-29912 (bmo#1692655)
    Reader mode bypassed SameSite cookies
  * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
    bmo#1762614, bmo#1762620, bmo#1764778)
    Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9 - Firefox Extended Support Release 91.8.0 ESR
  MFSA 2022-14 (bsc#1197903)
  * CVE-2022-1097 (bmo#1745667)
    Use-after-free in NSSToken objects
  * CVE-2022-28281 (bmo#1755621)
    Out of bounds write due to unexpected WebAuthN Extensions
  * CVE-2022-1196 (bmo#1750679)
    Use-after-free after VR Process destruction
  * CVE-2022-28282 (bmo#1751609)
    Use-after-free in DocumentL10n::TranslateDocument
  * CVE-2022-28285 (bmo#1756957)
    Incorrect AliasSet used in JIT Codegen
  * CVE-2022-28286 (bmo#1735265)
    iframe contents could be rendered outside the border
  * CVE-2022-24713 (bmo#1758509)
    Denial of Service via complex regular expressions
  * CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508,
    bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776)
    Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8 - Adjust rust dependency for SP3 and later. TW uses always the
  newest version of rust, but we don't, so we can't use the
  rust+cargo notation, which would need both < and >= requirements.
  (bsc#1197698) - Add cpu-flag `asimdrdm` to aarch64 constraints, to select newer,
  faster buildhosts, as the others struggle to build FF. - Firefox Extended Support Release 91.7.1 ESR
  * Changed: Yandex and Mail.ru have been removed as optional
    search providers in the drop-down search menu in Firefox.
    If you previously installed a customized version of Firefox
    with Yandex or Mail.ru, offered through partner distribution
    channels, this release removes those customizations,
    including add-ons and default bookmarks. Where applicable,
    your browser will revert back to default settings, as offered
    by Mozilla. All other releases of Firefox remain unaffected
    by the change. - Firefox Extended Support Release 91.7.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2022-10 (bsc#1196900)
  * CVE-2022-26383 (bmo#1742421)
    Browser window spoof using fullscreen mode
  * CVE-2022-26384 (bmo#1744352)
    iframe allow-scripts sandbox bypass
  * CVE-2022-26387 (bmo#1752979)
    Time-of-check time-of-use bug when verifying add-on
    signatures
  * CVE-2022-26381 (bmo#1736243)
    Use-after-free in text reflows
  * CVE-2022-26386 (bmo#1752396)
    Temporary files downloaded to /tmp and accessible by other
    local users - Firefox Extended Support Release 91.6.1 ESR
  * Fixed: Security fix
- Mozilla Firefox ESR 91.6.1
  MFSA 2022-09 (bsc#1196809)
  * CVE-2022-26485 (bmo#1758062)
    Use-after-free in XSLT parameter processing
  * CVE-2022-26486 (bmo#1758070)
    Use-after-free in WebGPU IPC Framework - Firefox Extended Support Release 91.6.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2022-05 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435)
    Privilege Escalation to SYSTEM on Windows via Maintenance
    Service
  * CVE-2022-22754 (bmo#1750565)
    Extensions could have bypassed permission confirmation during
    update
  * CVE-2022-22756 (bmo#1317873)
    Drag and dropping an image could have resulted in the dropped
    object being an executable
  * CVE-2022-22759 (bmo#1739957)
    Sandboxed iframes could have executed script if the parent
    appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
    Cross-Origin responses could be distinguished between script
    and non-script content-types
  * CVE-2022-22761 (bmo#1745566)
    frame-ancestors Content Security Policy directive was not
    enforced for framed extension pages
  * CVE-2022-22763 (bmo#1740534)
    Script Execution during invalid object state
  * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
    bmo#1748210, bmo#1748279)
    Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6 - Firefox Extended Support Release 91.5.1 ESR (bsc#1195230)
  * Fixed: Fixed an issue that allowed unexpected data to be
    submitted in some of our search telemetry (bmo#1752317) - Firefox Extended Support Release 91.5.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2022-03 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071)
    Calling into reportValidity could have lead to fullscreen
    window spoof
  * CVE-2022-22743 (bmo#1739220)
    Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923)
    Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389)
    Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334)
    Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382)
    Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874)
    Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720)
    Iframe sandbox bypass with XSLT
  * CVE-2022-22748 (bmo#1705211)
    Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856)
    Leaking cross-origin URLs through securitypolicyviolation
    event
  * CVE-2022-22744 (bmo#1737252)
    The 'Copy as curl' feature in DevTools did not fully escape
    website-controlled data, potentially leading to command
    injection
  * CVE-2022-22747 (bmo#1735028)
    Crash when handling empty pkcs7 sequence
  * CVE-2022-22739 (bmo#1744158)
    Missing throttling on external protocol launch dialog
  * CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366,
    bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869,
    bmo#1743221, bmo#1743515, bmo#1745373, bmo#1746011)
    Memory safety bugs fixed in Thunderbird 91.5 - Firefox Extended Support Release 91.4.1 ESR (bsc#1193845)
  * Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING
    error messages when trying to connect to various microsoft.com
    domains (bmo#1745600) - Firefox Extended Support Release 91.4.0 ESR
  * Fixed: Various security fixes
- Mozilla Firefox ESR 91.4.0
  MFSA 2021-53 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)
    Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4 - remove x-scheme-handler/ftp from MozillaFirefox.desktop boo#1193321 - Firefox Extended Support Release 91.3.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2021-49 (bsc#1192250)
  * CVE-2021-38503 (bmo#1729517)
    iframe sandbox rules did not apply to XSLT stylesheets
  * CVE-2021-38504 (bmo#1730156)
    Use-after-free in file picker dialog
  * CVE-2021-38505 (bmo#1730194)
    Windows 10 Cloud Clipboard may have recorded sensitive user
    data
  * CVE-2021-38506 (bmo#1730750)
    Firefox could be coaxed into going into fullscreen mode
    without notification or warning
  * CVE-2021-38507 (bmo#1730935)
    Opportunistic Encryption in HTTP2 could be used to bypass the
    Same-Origin-Policy on services hosted on other ports
  * MOZ-2021-0008 (bmo#1667102)
    Use-after-free in HTTP2 Session object
  * CVE-2021-38508 (bmo#1366818)
    Permission Prompt could be overlaid, resulting in user
    confusion and potential spoofing
  * CVE-2021-38509 (bmo#1718571)
    Javascript alert box could have been spoofed onto an
    arbitrary domain
  * CVE-2021-38510 (bmo#1731779)
    Download Protections were bypassed by .inetloc files on Mac
    OS
  * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
    bmo#1735152)
    Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
- Removed mozilla-bmo1735309.patch which is now upstream - Rebase mozilla-sandbox-fips.patch to punch another hole in the
  sandbox containment, to be able to open /proc/sys/crypto/fips_enabled
  from within the newly introduced socket process sandbox.
  This fixes bsc#1191815 and bsc#1190141
- Add a way to let users overwrite MOZ_ENABLE_WAYLAND
- Rename mozilla-neqo-fix-fips-crash.patch to mozilla-bmo1735309.patch
  and rebase to the official upstream patch - Firefox Extended Support Release 91.2.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2021-45 (bsc#1191332)
  * CVE-2021-38496 (bmo#1725335)
    Use-after-free in MessageTask
  * CVE-2021-38497 (bmo#1726621)
    Validation message could have been overlaid on another origin
  * CVE-2021-38498 (bmo#1729642)
    Use-after-free of nsLanguageAtomService object
  * CVE-2021-32810 (bmo#1729813,
    https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
    Data race in crossbeam-deque
  * CVE-2021-38500 (bmo#1725854, bmo#1728321)
    Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
    and Firefox ESR 91.2
  * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
    Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 - Add mozilla-neqo-fix-fips-crash.patch to fix crash in FIPS mode
  (bsc#1190710) - Added firefox-i586-conflict-typedef-error.patch
    to fix 32bit i586 compile error - Firefox Extended Support Release 91.1.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2021-40 (bsc#1190269, bsc#1190274)
  * CVE-2021-38492 (bmo#1721107)
    Navigating to `mk:` URL scheme could load Internet Explorer
  * CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101,
    bmo#1724107)
    Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
- Removed mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
  made obsolete by upstream changes.
- Rebased patches:
    firefox-branded-icons.patch
    firefox-kde.patch
    mozilla-aarch64-startup-crash.patch
    mozilla-bmo1504834-part1.patch
    mozilla-bmo1504834-part4.patch
    mozilla-bmo1512162.patch
    mozilla-bmo1626236.patch
    mozilla-bmo849632.patch
    mozilla-kde.patch
    mozilla-ntlm-full-path.patch
    mozilla-s390-context.patch
    mozilla-sandbox-fips.patch - Firefox 91.0.1esr ESR
  * Fixed: Fixed an issue causing buttons on the tab bar to be
    resized when loading certain websites (bug 1704404)
    (bmo#1704404)
  * Fixed: Fixed an issue which caused tabs from private windows
    to be visible in non-private windows when viewing switch-to-
    tab results in the address bar panel (bug 1720369)
    (bmo#1720369)
  * Fixed: Various stability fixes
  * Fixed: Security fix
  MFSA 2021-37 (bsc#1189547)
  * CVE-2021-29991 (bmo#1724896)
    Header Splitting possible with HTTP/3 Responses
- Re-add mozilla-silence-no-return-type.patch - Firefox Extended Support Release 91.0 ESR
  * New: Some of the highlights of the new Extended Support
    Release are:
  - A number of user interface changes. For more information,
    see the Firefox 89 release notes.
  - Firefox now supports logging into Microsoft, work, and
    school accounts using Windows single sign-on. Learn more
  - On Windows, updates can now be applied in the background
    while Firefox is not running.
  - Firefox for Windows now offers a new page about:third-party
    to help identify compatibility issues caused by third-party
    applications
  - Version 2 of Firefox's SmartBlock feature further improves
    private browsing. Third party Facebook scripts are blocked to
    prevent you from being tracked, but are now automatically
    loaded "just in time" if you decide to "Log in with Facebook"
    on any website.
  - Enhanced the privacy of the Firefox Browser's Private
    Browsing mode with Total Cookie Protection, which confines
    cookies to the site where they were created, preventing
    companis from using cookies to track your browsing across
    sites. This feature was originally launched in Firefox's ETP
    Strict mode.
  - PDF forms now support JavaScript embedded in PDF files.
    Some PDF forms use JavaScript for validation and other
    interactive features.
  - You'll encounter less website breakage in Private Browsing
    and Strict Enhanced Tracking Protection with SmartBlock,
    which provides stand-in scripts so that websites load
    properly.
  - Improved Print functionality with a cleaner design and
    better integration with your computer's printer settings.
  - Firefox now protects you from supercookies, a type of
    tracker that can stay hidden in your browser and track you
    online, even after you clear cookies. By isolating
    supercookies, Firefox prevents them from tracking your web
    browsing from one site to the next.
  - Firefox now remembers your preferred location for saved
    bookmarks, displays the bookmarks toolbar by default on new
    tabs, and gives you easy access to all of your bookmarks via
    a toolbar folder.
  - Native support for macOS devices built with Apple Silicon
    CPUs brings dramatic performance improvements over the non-
    native build that was shipped in Firefox 83: Firefox launches
    over 2.5 times faster and web apps are now twice as
    responsive (per the SpeedoMeter 2.0 test). If you are on a
    new Apple device, follow these steps to upgrade to the latest
    Firefox.
  - Pinch zooming will now be supported for our users with
    Windows touchscreen devices and touchpads on Mac devices.
    Firefox users may now use pinch to zoom on touch-capable
    devices to zoom in and out of webpages.
  - Weâ€™ve improved functionality and design for a number of
    Firefox search features:
  * Selecting a search engine at the bottom of the search
    panel now enters search mode for that engine, allowing you to
    see suggestions (if available) for your search terms. The old
    behavior (immediately performing a search) is available with
    a shift-click.
  * When Firefox autocompletes the URL of one of your search
    engines, you can now search with that engine directly in the
    address bar by selecting the shortcut in the address bar
    results.
  * Weâ€™ve added buttons at the bottom of the search panel to
    allow you to search your bookmarks, open tabs, and history.
  - Firefox supports AcroForm, which will allow you to fill in,
    print, and save supported PDF forms and the PDF viewer also
    has a new fresh look.
  - For our users in the US and Canada, Firefox can now save,
    manage, and auto-fill credit card information for you, making
    shopping on Firefox ever more convenient.
  - In addition to our default, dark and light themes, with
    this release, Firefox introduces the Alpenglow theme: a
    colorful appearance for buttons, menus, and windows. You can
    update your Firefox themes under settings or preferences.
  * Changed: Firefox no longer supports Adobe Flash. There is no
    setting available to re-enable Flash support.
  * Enterprise: Various bug fixes and new policies have been
    implemented in the latest version of Firefox. See more
    details in the Firefox for Enterprise 91 Release Notes.
  MFSA 2021-33 (bsc#1188891)
  * CVE-2021-29986 (bmo#1696138)
    Race condition when resolving DNS names could have led to
    memory corruption
  * CVE-2021-29981 (bmo#1707774)
    Live range splitting could have led to conflicting
    assignments in the JIT
  * CVE-2021-29988 (bmo#1717922)
    Memory corruption as a result of incorrect style treatment
  * CVE-2021-29983 (bmo#1719088)
    Firefox for Android could get stuck in fullscreen mode
  * CVE-2021-29984 (bmo#1720031)
    Incorrect instruction reordering during JIT optimization
  * CVE-2021-29980 (bmo#1722204)
    Uninitialized memory in a canvas object could have led to
    memory corruption
  * CVE-2021-29987 (bmo#1716129)
    Users could have been tricked into accepting unwanted
    permissions on Linux
  * CVE-2021-29985 (bmo#1722083)
    Use-after-free media channels
  * CVE-2021-29982 (bmo#1715318)
    Single bit data leak due to incorrect JIT optimization and
    type confusion
  * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
    bmo#1719998, bmo#1720568)
    Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
  * CVE-2021-29990 (bmo#1544190, bmo#1716481, bmo#1717778,
    bmo#1719319, bmo#1722073)
    Memory safety bugs fixed in Firefox 91 - Firefox Extended Support Release 78.13.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2021-34 (bsc#1188891)
  * CVE-2021-29986 (bmo#1696138)
    Race condition when resolving DNS names could have led to
    memory corruption
  * CVE-2021-29988 (bmo#1717922)
    Memory corruption as a result of incorrect style treatment
  * CVE-2021-29984 (bmo#1720031)
    Incorrect instruction reordering during JIT optimization
  * CVE-2021-29980 (bmo#1722204)
    Uninitialized memory in a canvas object could have led to
    memory corruption
  * CVE-2021-29985 (bmo#1722083)
    Use-after-free media channels
  * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
    bmo#1719998, bmo#1720568)
    Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13 - jsc#SLE-18626 - Migrate rust to parallel versioned packages allowing
  more flexible build requirements to be expressed.
- Update Firefox to use the 1.43 version of Rust. - Firefox Extended Support Release 78.12.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2021-29 (bsc#1188275)
  * CVE-2021-29970 (bmo#1709976)
    Use-after-free in accessibility features of a document
  * CVE-2021-30547 (bmo#1715766)
    Out of bounds write in ANGLE
  * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
    bmo#1711576, bmo#1714391)
    Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 - Firefox Extended Support Release 78.11.0 ESR
  * Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.11
  MFSA 2021-24 (bsc#1186696)
  * CVE-2021-29964 (bmo#1706501)
    Out of bounds-read when parsing a `WM_COPYDATA` message
  * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
    bmo#1704722, bmo#1706041)
    Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
- Added the new Mozilla's GPG key, expiring on 2023-05-17 to the
  mozilla.keyring file - Firefox Extended Support Release 78.10.1 ESR
  * Fixed: Resolved an issue caused by a recent Widevine plugin
    update which prevented some purchased video content from
    playing correctly (bmo#1705138)
  * Fixed: Security fix
  MFSA 2021-18 (bsc#1185633)
  * CVE-2021-29951 (bmo#1690062)
    Mozilla Maintenance Service could have been started or
    stopped by domain users - Firefox Extended Support Release 78.10.0 ESR
  * Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.10
  MFSA 2021-15 (bsc#1184960)
  * CVE-2021-23994 (bmo#1699077)
    Out of bound write due to lazy initialization
  * CVE-2021-23995 (bmo#1699835)
    Use-after-free in Responsive Design Mode
  * CVE-2021-23998 (bmo#1667456)
    Secure Lock icon could have been spoofed
  * CVE-2021-23961 (bmo#1677940)
    More internal network hosts could have been probed by a
    malicious webpage
  * CVE-2021-23999 (bmo#1691153)
    Blob URLs may have been granted additional privileges
  * CVE-2021-24002 (bmo#1702374)
    Arbitrary FTP command execution on FTP servers using an
    encoded URL
  * CVE-2021-29945 (bmo#1700690)
    Incorrect size computation in WebAssembly JIT could lead to
    null-reads
  * CVE-2021-29946 (bmo#1698503)
    Port blocking could be bypassed - Firefox Extended Support Release 78.9.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2021-11 (bsc#1183942)
  * CVE-2021-23981 (bmo#1692832)
    Texture upload into an unbound backing buffer resulted in an
    out-of-bound read
  * CVE-2021-23982 (bmo#1677046)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2021-23984 (bmo#1693664)
    Malicious extensions could have spoofed popup information
  * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
    bmo#1690718)
    Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 - Firefox Extended Support Release 78.8.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2021-08 (bsc#1182614)
  * CVE-2021-23969 (bmo#1542194)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23968 (bmo#1687342)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23973 (bmo#1690976)
    MediaError message property could have leaked information
    about cross-origin resources
  * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597,
    bmo#786797)
    Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
- Update create-tar.sh to use https instead of http (bsc#1182357) - Firefox Extended Support Release 78.7.1 ESR
  * Fixed: Prevent access to NTFS special paths that could lead
    to filesystem corruption. (bmo#1689598)
  * Fixed: Security fix
  MFSA 2021-06 (bsc#1181848)
  * MOZ-2021-0001 (bmo#1676636)
    Buffer overflow in depth pitch calculations for compressed
    textures - Firefox Extended Support Release 78.7.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2021-04 (bsc#1181414)
  * CVE-2021-23953 (bmo#1683940)
    Cross-origin information leakage via redirected PDF requests
  * CVE-2021-23954 (bmo#1684020)
    Type confusion when using logical assignment operators in
    JavaScript switch statements
  * CVE-2020-26976 (bmo#1674343)
    HTTPS pages could have been intercepted by a registered
    service worker when they should not have been
  * CVE-2021-23960 (bmo#1675755)
    Use-after-poison for incorrectly redeclared JavaScript
    variables during GC
  * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
    bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
    bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
    bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
    bmo#1685260, bmo#1685925)
    Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7 - Firefox Extended Support Release 78.6.1 ESR
  * Fixed: Security fix
  * Fixed: Fixed a crash during video playback on Apple Silicon
    devices (bmo#1683579)
  MFSA 2021-01 (bsc#1180623)
  * CVE-2020-16044 (bmo#1683964)
    Use-after-free write when handling a malicious COOKIE-ECHO
    SCTP chunk - Firefox Extended Support Release 78.6.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2020-55 (bsc#1180039)
  * CVE-2020-16042 (bmo#1679003)
    Operations on a BigInt could have caused uninitialized memory
    to be exposed
  * CVE-2020-26971 (bmo#1663466)
    Heap buffer overflow in WebGL
  * CVE-2020-26973 (bmo#1680084)
    CSS Sanitizer performed incorrect sanitization
  * CVE-2020-26974 (bmo#1681022)
    Incorrect cast of StyleGenericFlexBasis resulted in a heap
    use-after-free
  * CVE-2020-26978 (bmo#1677047)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2020-35111 (bmo#1657916)
    The proxy.onRequest API did not catch view-source URLs
  * CVE-2020-35112 (bmo#1661365)
    Opening an extension-less download may have inadvertently
    launched an executable instead
  * CVE-2020-35113 (bmo#1664831, bmo#1673589)
    Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6 - Firefox Extended Support Release 78.5.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2020-51 (bsc#1178824)
  * CVE-2020-26951 (bmo#1667113)
    Parsing mismatches could confuse and bypass security
    sanitizer for chrome privileged code
  * CVE-2020-16012 (bmo#1642028)
    Variable time processing of cross-origin images during
    drawImage calls
  * CVE-2020-26953 (bmo#1656741)
    Fullscreen could be enabled without displaying the security
    UI
  * CVE-2020-26956 (bmo#1666300)
    XSS through paste (manual and clipboard API)
  * CVE-2020-26958 (bmo#1669355)
    Requests intercepted through ServiceWorkers lacked MIME type
    restrictions
  * CVE-2020-26959 (bmo#1669466)
    Use-after-free in WebRequestService
  * CVE-2020-26960 (bmo#1670358)
    Potential use-after-free in uses of nsTArray
  * CVE-2020-15999 (bmo#1672223)
    Heap buffer overflow in freetype
  * CVE-2020-26961 (bmo#1672528)
    DoH did not filter IPv4 mapped IP Addresses
  * CVE-2020-26965 (bmo#1661617)
    Software keyboards may have remembered typed passwords
  * CVE-2020-26966 (bmo#1663571)
    Single-word search queries were also broadcast to local
    network
  * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
    bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
    bmo#1671923)
    Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5 - Firefox Extended Support Release 78.4.1 ESR
  * Fixed: Security fix
  MFSA 2020-49 (bsc#1178588)
  * CVE-2020-26950 (bmo#1675905)
    Write side effects in MCallGetProperty opcode not accounted
    for - Firefox Extended Support Release 78.4.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2020-46 (bsc#1177872)
  * CVE-2020-15969 (bmo#1666570, bmo#https://github.com/sctplab/u
    srsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019)
    Use-after-free in usersctp
  * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
    bmo#1662760, bmo#1663439, bmo#1666140)
    Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4 - Firefox Extended Support Release 78.3.1 ESR (bsc#1176756)
  * Fixed: Fixed legacy preferences not being properly applied
    when set via GPO (bmo#1666836) - Firefox Extended Support Release 78.3.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2020-43 (bsc#1176756)
  * CVE-2020-15677 (bmo#1641487)
    Download origin spoofing via redirect
  * CVE-2020-15676 (bmo#1646140)
    XSS when pasting attacker-controlled data into a
    contenteditable element
  * CVE-2020-15678 (bmo#1660211)
    When recursing through layers while scrolling, an iterator
    may have become invalid, resulting in a potential use-after-
    free scenario
  * CVE-2020-15673 (bmo#1648493, bmo#1660800)
    Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3 - Enhance fix for wayland-detection (bsc#1174420) - Try to fix langpack-parallelization by introducing separate
  obj-dirs for each lang (boo#1173986, boo#1167976) - Firefox Extended Support Release 78.2.0 ESR
  * Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.2
  MFSA 2020-38 (bsc#1175686)
  * CVE-2020-15663 (bmo#1643199)
    Downgrade attack on the Mozilla Maintenance Service could
    have resulted in escalation of privilege
  * CVE-2020-15664 (bmo#1658214)
    Attacker-induced prompt for extension installation
  * CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
    bmo#1656957)
    Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2 - Added patch: firefox-dev-random-sandbox.patch (bsc#1174284)
  * Firefox tab crash in FIPS mode - Fix: Do not allow Firefox to use wayland on SLED15-SP0/1
  (bsc#1174420) - Activate ccache
- Parallelize langpack build - Fix broken translation-loading (boo#1173991)
  * allow addon sideloading
  * mark signatures for langpacks non-mandatory
  * do not autodisable user profile scopes
- Google API key is not usable for geolocation service any more - Firefox Extended Support Release 78.1.0 ESR
  * Fixed: Various stability, functionality, and security fixes
  MFSA 2020-32 (bsc#1174538)
  * CVE-2020-15652 (bmo#1634872)
    Potential leak of redirect targets when loading scripts in a
    worker
  * CVE-2020-6514 (bmo#1642792)
    WebRTC data channel leaks internal address to peer
  * CVE-2020-15655 (bmo#1645204)
    Extension APIs could be used to bypass Same-Origin Policy
  * CVE-2020-15653 (bmo#1521542)
    Bypassing iframe sandbox when allowing popups
  * CVE-2020-6463 (bmo#1635293)
    Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
  * CVE-2020-15656 (bmo#1647293)
    Type confusion for special arguments in IonMonkey
  * CVE-2020-15658 (bmo#1637745)
    Overriding file type when saving to disk
  * CVE-2020-15657 (bmo#1644954)
    DLL hijacking due to incorrect loading path
  * CVE-2020-15654 (bmo#1648333)
    Custom cursor can overlay user interface
  * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1643613,
    bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646787,
    bmo#1649347, bmo#1650811, bmo#1651678)
    Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1 - Mozilla Firefox 78.0.2
  MFSA 2020-28 (bsc#1173948)
  * MFSA-2020-0003 (bmo#1644076)
    X-Frame-Options bypass using object or embed tags
- Firefox Extended Support Release 78.0.2esr ESR
  * Fixed: Security fix
  * Fixed: Fixed an accessibility regression in reader mode
    (bmo#1650922)
  * Fixed: Made the address bar more resilient to data corruption
    in the user profile (bmo#1649981)
  * Fixed: Fixed a regression opening certain external
    applications (bmo#1650162) - Add specific requirement for libfreetype6 (bsc#1173613) - Firefox Extended Support Release 78.0.1 ESR
  * Fixed: Fixed an issue which could cause installed search
    engines to not be visible when upgrading from a previous
    release. (bmo#1649558)
- Mozilla Firefox 78
  MFSA 2020-24 (bsc#1173576)
  * CVE-2020-12415 (bmo#1586630)
    AppCache manifest poisoning due to url encoded character
    processing
  * CVE-2020-12416 (bmo#1639734)
    Use-after-free in WebRTC VideoBroadcaster
  * CVE-2020-12417 (bmo#1640737)
    Memory corruption due to missing sign-extension for ValueTags
    on ARM64
  * CVE-2020-12418 (bmo#1641303)
    Information disclosure due to manipulated URL object
  * CVE-2020-12419 (bmo#1643874)
    Use-after-free in nsGlobalWindowInner
  * CVE-2020-12420 (bmo#1643437)
    Use-After-Free when trying to connect to a STUN server
  * CVE-2020-12402 (bmo#1631597)
    RSA Key Generation vulnerable to side-channel attack
  * CVE-2020-12421 (bmo#1308251)
    Add-On updates did not respect the same certificate trust
    rules as software updates
  * CVE-2020-12422 (bmo#1450353)
    Integer overflow in nsJPEGEncoder::emptyOutputBuffer
  * CVE-2020-12423 (bmo#1642400)
    DLL Hijacking due to searching %PATH% for a library
  * CVE-2020-12424 (bmo#1562600)
    WebRTC permission prompt could have been bypassed by a
    compromised content process
  * CVE-2020-12425 (bmo#1634738)
    Out of bound read in Date.parse()
  * CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187,
    bmo#1637682)
    Memory safety bugs fixed in Firefox 78 - Firefox Extended Support Release 78.0esr ESR
  * New: Some of the highlights of the new Extended Support
    Release are:
  - Kiosk mode
  - Client certificates
  - Service Worker and Push APIs are now enabled
  - The Block Autoplay feature is enabled
  - Picture-in-picture support
  - View and manage web certificates in about:certificate
    For more information about what's new in the Firefox 78 ESR
    release, see the more detailed release notes at
    support.mozilla.org.
- Add patches to fix big endian problems:
  * mozilla-s390x-skia-gradient.patch
  * mozilla-bmo998749.patch
  * mozilla-bmo1626236.patch
- Add patch to fix broken build on ppc64le
  * mozilla-bmo1512162.patch
- Add patch to add screensharing capability on wayland
  * mozilla-pipewire-0-3.patch
- Rename firefox-fips.patch to mozilla-sandbox-fips.patch
- Removed upstreamed patches:
  * mozilla-cubeb-noreturn.patch
  * mozilla-nestegg-big-endian.patch
  * mozilla-openaes-decl.patch
  * mozilla-s390x-bigendian.patch
  * mozilla-sle12-lower-python-requirement.patch - Firefox Extended Support Release 68.9.0 ESR
  * Fixed: Various stability and security fixes
  MFSA 2020-21 (bsc#1172402)
  * CVE-2020-12405 (bmo#1619305, bmo#1632717)
    Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
  * CVE-2020-12406 (bmo#1639590)
  * CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox - Removed %is_opensuse macro from spec file to align builds with
  openSUSE Leap. - Firefox Extended Support Release 68.8.0 ESR
  MFSA 2020-17 (bsc#1171186)
  * CVE-2020-12387 (bmo#1545345)
    Use-after-free during worker shutdown
  * CVE-2020-12388 (bmo#1618911)
    Sandbox escape with improperly guarded Access Tokens
  * CVE-2020-12389 (bmo#1554110)
    Sandbox escape with improperly separated process types
  * CVE-2020-6831 (bmo#1632241)
    Buffer overflow in SCTP chunk input validation
  * CVE-2020-12392 (bmo#1614468)
    Arbitrary local file access with 'Copy as cURL'
  * CVE-2020-12393 (bmo#1615471)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command
    injection
  * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704,
    bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076,
    bmo#1631508)
    Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8 - Firefox Extended Support Release 68.7.0 ESR
  MFSA 2020-13 (bsc#1168874)
  * CVE-2020-6828 (bmo#1617928)
    Preference overwrite via crafted Intent from malicious
    Android application
  * CVE-2020-6827 (bmo#1622278)
    Custom Tabs in Firefox for Android could have the URI spoofed
  * CVE-2020-6821 (bmo#1625404)
    Uninitialized memory could be read when using the WebGL
    copyTexSubImage method
  * CVE-2020-6822 (bmo#1544181)
    Out of bounds write in GMPDecodeData when processing large
    images
  * CVE-2020-6825 (bmo#1572541, bmo#1620193, bmo#1620203)
    Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7 - Mozilla Firefox 68.6.1esr
  MFSA 2020-11 (boo#1168630)
  * CVE-2020-6819 (bmo#1620818)
    Use-after-free while running the nsDocShell destructor
  * CVE-2020-6820 (bmo#1626728)
    Use-after-free when handling a ReadableStream - Added patch: firefox-fips.patch (bsc#1167231)
  * FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled - Firefox Extended Support Release 68.6.0 ESR (bsc#1166238)
  * Fixed: Various stability and security fixes
  MFSA 2020-09 (bsc#1132665)
  * CVE-2020-6805 (bmo#1610880)
    Use-after-free when removing data about origins
  * CVE-2020-6806 (bmo#1612308)
    BodyStream::OnInputStreamReady was missing protections
    against state confusion
  * CVE-2020-6807 (bmo#1614971)
    Use-after-free in cubeb during stream destruction
  * CVE-2020-6811 (bmo#1607742)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command
    injection
  * CVE-2019-20503 (bmo#1613765)
    Out of bounds reads in sctp_load_addresses_from_init
  * CVE-2020-6812 (bmo#1616661)
    The names of AirPods with personally identifiable information
    were exposed to websites with camera or microphone permission
  * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256,
    bmo#1612636, bmo#1614339)
    Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6 - Firefox Extended Support Release 68.5.0 ESR
  * Fixed: Various stability and security fixes
- Mozilla Firefox ESR68.5
  MFSA 2020-06 (bsc#1163368)
  * CVE-2020-6796 (bmo#1610426)
    Missing bounds check on shared memory read in the parent
    process
  * CVE-2020-6797 (bmo#1596668)
    Extensions granted downloads.open permission could open
    arbitrary applications on Mac OSX
  * CVE-2020-6798 (bmo#1602944)
    Incorrect parsing of template tag could result in JavaScript
    injection
  * CVE-2020-6799 (bmo#1606596)
    Arbitrary code execution when opening pdf links from other
    applications, when Firefox is configured as default pdf
    reader
  * CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
    bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
    Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 - Firefox Extended Support Release 68.4.2 ESR
  * Fixed: Fixed various issues opening files with spaces in
    their path (bmo#1601905, bmo#1602726) - Firefox Extended Support Release 68.4.1 ESR
  * Fixed: Security fix
  MFSA 2020-03 (bsc#1160498)
  * CVE-2019-17026 (bmo#1607443)
    IonMonkey type confusion with StoreElementHole and
    FallibleStoreElement - Firefox Extended Support Release 68.4.0 ESR
  * Fixed: Various security fixes
  MFSA 2020-02 (bsc#1160305)
  * CVE-2019-17015 (bmo#1599005)
    Memory corruption in parent process during new content
    process initialization on Windows
  * CVE-2019-17016 (bmo#1599181)
    Bypass of @namespace CSS sanitization during pasting
  * CVE-2019-17017 (bmo#1603055)
    Type Confusion in XPCVariant.cpp
  * CVE-2019-17021 (bmo#1599008)
    Heap address disclosure in parent process during content
    process initialization on Windows
  * CVE-2019-17022 (bmo#1602843)
    CSS sanitization does not escape HTML tags
  * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
    bmo#1601826)
    Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
- Removed patch that is now upstream: mozilla-bmo1511604.patch
- Added patch to fix broken URL-bar on s390x:
  mozilla-bmo1602730.patch - Firefox Extended Support Release 68.3.0 ESR
  * Changed: Updates to improve performance and stability
  MFSA 2019-37 (bsc#1158328)
  * CVE-2019-17008 (bmo#1546331)
    Use-after-free in worker destruction
  * CVE-2019-13722 (bmo#1580156)
    Stack corruption due to incorrect number of arguments in
    WebRTC code
  * CVE-2019-11745 (bmo#1586176)
    Out of bounds write in NSS when encrypting with a block
    cipher
  * CVE-2019-17009 (bmo#1510494)
    Updater temporary files accessible to unprivileged processes
  * CVE-2019-17010 (bmo#1581084)
    Use-after-free when performing device orientation checks
  * CVE-2019-17005 (bmo#1584170)
    Buffer overflow in plain text serializer
  * CVE-2019-17011 (bmo#1591334)
    Use-after-free when retrieving a document in antitracking
  * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667,
    bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502)
    Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 - Fix _constraints for ppc64le (bsc#1157652) - Add patch mozilla-bmo849632.patch to partially fix broken webGL
  sites on big endian machines (wrong colors)
- Replace source-stamp.txt with tar_stamps
- Reference create-tar.sh by direct commit-hash in the spec-file - Reactivate webRTC for all architectures - Add patch mozilla-bmo1504834-part4.patch to fix broken
  tab-titles on s390x - Resolved issues fixed earlier:
  * [bsc#1104841] Newer versions of firefox have a dependency on GLIBCXX_3.4.20
  * [bsc#1129528] SLES15 - IBM s390-tools-2.1.0 Maintenance Patches (#6)
  * [bsc#1137990] Firefox 60.7 ESR changed the user interface language - Firefox Extended Support Release 68.2.0 ESR
  * Enterprise: New administrative policies were added. More
    information and templates are available at the Policy
    Templates page.
  * Fixed: Various security fixes
  MFSA 2019-33 (bsc#1154738)
  * CVE-2019-15903 (bmo#1584907)
    Heap overflow in expat library in XML_GetCurrentLineNumber
  * CVE-2019-11757 (bmo#1577107)
    Use-after-free when creating index updates in IndexedDB
  * CVE-2019-11758 (bmo#1536227)
    Potentially exploitable crash due to 360 Total Security
  * CVE-2019-11759 (bmo#1577953)
    Stack buffer overflow in HKDF output
  * CVE-2019-11760 (bmo#1577719)
    Stack buffer overflow in WebRTC networking
  * CVE-2019-11761 (bmo#1561502)
    Unintended access to a privileged JSONView object
  * CVE-2019-11762 (bmo#1582857)
    document.domain-based origin isolation has same-origin-
    property violation
  * CVE-2019-11763 (bmo#1584216)
    Incorrect HTML parsing results in XSS bypass technique
  * CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223,
    bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933,
    bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599,
    bmo#1586845)
    Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
- removed now upstream patches:
  * mozilla-bmo1573381.patch
  * mozilla-bmo1512162.patch - Add patch to lower python requirement to 3.4 in order to
  build on SLE-12:
  * mozilla-sle12-lower-python-requirement.patch - Add Provides-line for translations-common (bsc#1153423) - Moved some settings from branding-package here (bsc#1153869)
- add patch to fix LTO build (w/o PGO):
  * mozilla-fix-top-level-asm.patch
- remove obsolete kde.js setting (boo#1151186) and related patch:
  * firefox-add-kde.js-in-order-to-survive-PGO-build.patch
  * modified firefox-kde.patch for the removal of kde.js - Update mozilla-bmo1512162.patch to the patch now commited upstream
  * No more -O1 builds for ppc64le necessary
- Disable DoH by default
  * Not yet officially active in ESR, but just to make sure - Mozilla Firefox ESR 68.1
  Resolves the following bigendian s390x issues:
  * [bsc#1109465] Latest Firefox update not released for s390x
  * [bsc#1117473] Firefox segmentation fault on s390vsl082
  * [bsc#1123482] openQA test fails in firefox - firefox doesn't start
  * [bsc#1124525] Firefox is core dumping on SLES15 s390x
  * [bsc#1133810] Firefox: Segmentation fault (core dumped)
  MFSA 2019-26 (bsc#1149323)
  * CVE-2019-11751 (bmo#1572838)
    Malicious code execution through command line parameters
  * CVE-2019-11746 (bmo#1564449)
    Use-after-free while manipulating video
  * CVE-2019-11744 (bmo#1562033)
    XSS by breaking out of title and textarea elements using
    innerHTML
  * CVE-2019-11742 (bmo#1559715)
    Same-origin policy violation with SVG filters and canvas to
    steal cross-origin images
  * CVE-2019-11736 (bmo#1551913, bmo#1552206)
    File manipulation and privilege escalation in Mozilla
    Maintenance Service
  * CVE-2019-11753 (bmo#1574980)
    Privilege escalation with Mozilla Maintenance Service in
    custom Firefox installation location
  * CVE-2019-11752 (bmo#1501152)
    Use-after-free while extracting a key value in IndexedDB
  * CVE-2019-9812 (bmo#1538008, bmo#1538015)
    Sandbox escape through Firefox Sync
  * CVE-2019-11743 (bmo#1560495,
    bmo#https://w3c.github.io/navigation-timing)
    Cross-origin access to unload event attributes
  * CVE-2019-11748 (bmo#1564588)
    Persistence of WebRTC permissions in a third party context
  * CVE-2019-11749 (bmo#1565374)
    Camera information available without prompting using
    getUserMedia
  * CVE-2019-11750 (bmo#1568397)
    Type confusion in Spidermonkey
  * CVE-2019-11738 (bmo#1452037)
    Content security policy bypass through hash-based sources in
    directives
  * CVE-2019-11747 (bmo#1564481)
    'Forget about this site' removes sites from pre-loaded HSTS
    list
  * CVE-2019-11735 (bmo#1561404, bmo#1561484, bmo#1561912,
    bmo#1565744, bmo#1568047, bmo#1568858, bmo#1570358)
    Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
  * CVE-2019-11740 (bmo#1563133, bmo#1573160)
    Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and
    Firefox ESR 60.9
- Mozilla Firefox ESR 68.0.2
  * Fixed: Fixed a bug causing some special characters to be cut
    off from the end of the search terms when searching from the
    URL bar (bmo#1560228)
  * Fixed: Allow fonts to be loaded via file:// URLs when opening
    a page locally (bmo#1565942)
  * Fixed: Printing emails from the Outlook web app no longer
    prints only the header and footer (bmo#1567105)
  * Fixed: Fixed a bug causing some images not to be displayed on
    reload, including on Google Maps (bmo#1565542)
  * Fixed: Fixed an error when starting external applications
    configured as URI handlers (bmo#1567614)
  * Fixed: Security fixes
- MFSA 2019-24 (bsc#1145665)
  * CVE-2019-11733 (bmo#1565780)
    Stored passwords in 'Saved Logins' can be copied without
    master password entry
- Mozilla Firefox ESR 68.0.1
  * macOS releases are now signed by the Apple notary service,
    allowing Firefox to properly run on macOS 10.15 Beta releases
  * Fixed missing Full Screen button when watching videos in full
    screen mode on HBO GO (bmo#1562837)
  * Fixed a bug causing incorrect messages to appear for some
    locales when sites try to request the use of the Storage
    Access API (bmo#1558503)
  * Users in Russian regions may have their default search engine
    changed (bmo#1565315)
  * Built-in search engines in some locales do not function
    correctly (bmo#1565779)
  * SupportMenu policy doesn't always work (bmo#1553290)
  * Allow the new ExtensionSettings policy to work with GPO on
    Windows (bmo#1553586)
  * Allow the privacy.file_unique_origin pref to be controlled by
    policy (bmo#1563759)
- Mozilla Firefox ESR 68.0
  * Dark mode in reader view
  * Improved extension security and discovery
  * Cryptomining and fingerprinting protections are added to strict
    content blocking settings in Privacy & Security preferences
  * Camera and microphone access now require an HTTPS connection
  MFSA 2019-21 (bsc#1140868)
  * CVE-2019-9811 (bmo#1523741, bmo#1538007, bmo#1539598,
    bmo#1539759, bmo#1563327)
    Sandbox escape via installation of malicious language pack
  * CVE-2019-11711 (bmo#1552541)
    Script injection within domain through inner window reuse
  * CVE-2019-11712 (bmo#1543804)
    Cross-origin POST requests can be made with NPAPI plugins by
    following 308 redirects
  * CVE-2019-11713 (bmo#1528481)
    Use-after-free with HTTP/2 cached stream
  * CVE-2019-11714 (bmo#1542593)
    NeckoChild can trigger crash when accessed off of main thread
  * CVE-2019-11729 (bmo#1515342)
    Empty or malformed p256-ECDH public keys may trigger a
    segmentation fault
  * CVE-2019-11715 (bmo#1555523)
    HTML parsing error can contribute to content XSS
  * CVE-2019-11716 (bmo#1552632)
    globalThis not enumerable until accessed
  * CVE-2019-11717 (bmo#1548306)
    Caret character improperly escaped in origins
  * CVE-2019-11718 (bmo#1408349)
    Activity Stream writes unsanitized content to innerHTML
  * CVE-2019-11719 (bmo#1540541)
    Out-of-bounds read when importing curve25519 private key
  * CVE-2019-11720 (bmo#1556230)
    Character encoding XSS vulnerability
  * CVE-2019-11721 (bmo#1256009)
    Domain spoofing through unicode latin 'kra' character
  * CVE-2019-11730 (bmo#1558299)
    Same-origin policy treats all files in a directory as having
    the same-origin
  * CVE-2019-11723 (bmo#1528335)
    Cookie leakage during add-on fetching across private browsing
    boundaries
  * CVE-2019-11724 (bmo#1512511)
    Retired site input.mozilla.org has remote troubleshooting
    permissions
  * CVE-2019-11725 (bmo#1483510)
    Websocket resources bypass safebrowsing protections
  * CVE-2019-11727 (bmo#1552208)
    PKCS#1 v1.5 signatures can be used for TLS 1.3
  * CVE-2019-11728 (bmo#1552993)
    Port scanning through Alt-Svc header
  * CVE-2019-11710 (bmo#1507696, bmo#1510345, bmo#1533842,
    bmo#1535482, bmo#1535848, bmo#1537692, bmo#1540590,
    bmo#1544180, bmo#1547472, bmo#1547760, bmo#1548611,
    bmo#1549768, bmo#1551907)
    Memory safety bugs fixed in Firefox 68
  * CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219,
    bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822,
    bmo#1550498, bmo#1550498)
    Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
- removed patches that are now upstream
  * mozilla-bmo1375074.patch
  * mozilla-bmo1436242.patch
  * mozilla-bmo256180.patch
  * mozilla-i586-DecoderDoctorLogger.patch
  * mozilla-i586-domPrefs.patch
  * mozilla-bmo1464766.patch
  * mozilla-bigendian_bit_flags_alias.patch
- removed workaround-patch for build memory consumption on i586;
  other mitigations meanwhile introduced (mainly parallelity)
  will be sufficient
  * mozilla-reduce-files-per-UnifiedBindings.patch
- added patch to make builds reproducible
  * mozilla-bmo1568145.patch
- added a bunch of patches mainly for big endian platforms
  * mozilla-bmo1504834-part1.patch
  * mozilla-bmo1504834-part2.patch
  * mozilla-bmo1504834-part3.patch
  * mozilla-bmo1511604.patch
  * mozilla-bmo1512162.patch
  * mozilla-bmo1554971.patch
  * mozilla-bmo1573381.patch
  * mozilla-nestegg-big-endian.patch
- added patches to fix build on armv7:
  * mozilla-bmo1463035.patch
  * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
- added patch to fix non-return function
  * mozilla-cubeb-noreturn.patch
- added patch to fix aarch64 build:
  * mozilla-fix-aarch64-libopus.patch (bmo#1539737)
- added patch to enable PGO for x86_64.
  * firefox-add-kde.js-in-order-to-survive-PGO-build.patch
- added patch to reduce build-load
  * mozilla-reduce-rust-debuginfo.patch - Mozilla Firefox Firefox 60.7.2
  MFSA 2019-19 (bsc#1138872)
  * CVE-2019-11708 (bmo#1559858)
    sandbox escape using Prompt:Open - Build Firefox with gcc instead of clang (bsc#1138688) - Mozilla Firefox Firefox 60.7.1
  MFSA 2019-18 (bsc#1138614)
  * CVE-2019-11707 (bmo#1544386)
    Type confusion in Array.pop
- Added the new Mozilla's GPG key with subkey fingerprint
  097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D 572E, expiring on
  2021-05-29 to the mozilla.keyring file - Fix broken language plugins (bsc#1137792) - update to Firefox ESR 60.7 (bsc#1135824)
  * Font and date adjustments to accommodate the new Reiwa era
    in Japan
  * MFSA 2019-14/CVE-2019-9817
    (bmo#1540221)
    Stealing of cross-domain images using canvas
  * MFSA 2019-14/CVE-2019-9800
    (bmo#1499108, bmo#1499719, bmo#1516325, bmo#1532465,
    bmo#1533554, bmo#1534593, bmo#1535194, bmo#1535612,
    bmo#1538042, bmo#1538619, bmo#1538736, bmo#1540136,
    bmo#1540166, bmo#1541580, bmo#1542097, bmo#1542324,
    bmo#1546327)
    Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
  * MFSA 2019-14/CVE-2019-9816
    (bmo#1536768)
    Type confusion with object groups and UnboxedObjects
  * MFSA 2019-14/CVE-2019-9815
    (bmo#1546544, bmo#https://mdsattacks.com/)
    Disable hyperthreading on content JavaScript threads on macOS
  * MFSA 2019-14/CVE-2019-11698
    (bmo#1543191)
    Theft of user history data through drag and drop of
    hyperlinks to and from bookmarks
  * MFSA 2019-14/CVE-2019-11692
    (bmo#1544670)
    Use-after-free removing listeners in the event listener
    manager
  * MFSA 2019-14/CVE-2019-11693
    (bmo#1532525)
    Buffer overflow in WebGL bufferdata on Linux
  * MFSA 2019-14/CVE-2019-7317
    (bmo#1542829)
    Use-after-free in png_image_free of libpng library
  * MFSA 2019-14/CVE-2019-9820
    (bmo#1536405)
    Use-after-free of ChromeEventHandler by DocShell
  * MFSA 2019-14/CVE-2019-9818
    (bmo#1542581)
    Use-after-free in crash generation server
  * MFSA 2019-14/CVE-2019-11691
    (bmo#1542465)
    Use-after-free in XMLHttpRequest
  * MFSA 2019-14/CVE-2019-9819
    (bmo#1532553)
    Compartment mismatch with fetch API
  * MFSA 2019-14/CVE-2019-11694
    (bmo#1534196)
    Uninitialized memory memory leakage in Windows sandbox - Sync with Devel:Desktop:Mozilla:*:next - Enable Firefox to build with Rust >= 1.30 with fix. See below. - update to 60.6.3 (bmo#1549249)
  * Further improvements to re-enable web extensions which had been
    disabled for users with a master password set. - update to 60.6.2 (bsc#1134126)
  * Repaired certificate chain to re-enable web extensions that
    had been disabled. - Update BuildRequires rust >= 1.30 from 1.24
  * Upstream Firefox ESR presumes rust version stable at release (1.24).
    SUSE currently uses improved packaging for rust >= 1.30.
  * boo#1130694 rust 1.33.0 breaks Firefox and Thunderbird
    due to missing macro comment docs in Firefox rust sources
    bmo#1539901 ESR 60 build fails with Rust 1.33 due to missing documentation on macros in stylo
    bmo#1519629 Stylo fails with --enable-warnings-as-errors using Rust 1.33
  * Fix build using RUSTFLAGS="--cap-lints allow"
    Preferred alternative to patching and revendoring stylo rust crates
    Revisit with intent to remove in next Firefox ESR 68.0 2019-07-09 - Fixed translations provides - update to Firefox ESR 60.6.1 (bsc#1130262)
  * MFSA 2019-10/CVE-2019-9813
    (bmo#1538006)
    Ionmonkey type confusion with __proto__ mutations
  * MFSA 2019-10/CVE-2019-9810
    (bmo#1537924)
    IonMonkey MArraySlice has incorrect alias information - update to Firefox ESR 60.6 (bsc#1129821)
  * MFSA 2019-08/CVE-2018-18506
    (bmo#1503393)
    Proxy Auto-Configuration file can define localhost access to
    be proxied
  * MFSA 2019-08/CVE-2019-9801
    (bmo#1527717)
    Windows programs that are not 'URL Handlers' are exposed to
    web content
  * MFSA 2019-08/CVE-2019-9788
    (bmo#1506665, bmo#1516834, bmo#1518001, bmo#1518774,
    bmo#1521214, bmo#1521304, bmo#1523362, bmo#1524214,
    bmo#1524755, bmo#1529203)
    Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
  * MFSA 2019-08/CVE-2019-9790
    (bmo#1525145)
    Use-after-free when removing in-use DOM elements
  * MFSA 2019-08/CVE-2019-9791
    (bmo#1530958)
    Type inference is incorrect for constructors entered through
    on-stack replacement with IonMonkey
  * MFSA 2019-08/CVE-2019-9792
    (bmo#1532599)
    IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
  * MFSA 2019-08/CVE-2019-9793
    (bmo#1528829)
    Improper bounds checks when Spectre mitigations are disabled
  * MFSA 2019-08/CVE-2019-9794
    (bmo#1530103)
    Command line arguments not discarded during execution
  * MFSA 2019-08/CVE-2019-9795
    (bmo#1514682)
    Type-confusion in IonMonkey JIT compiler
  * MFSA 2019-08/CVE-2019-9796
    (bmo#1531277)
    Use-after-free with SMIL animation controller
- Fix for [bsc#1127987] MozillaFirefox-translations-common causing
    error on update - Mozilla Firefox 60.5.2esr:
  * Fix a frequent crash when reading various Reuters news articles
    (bmo#1505844) - Update to Firefox ESR 60.5.1
  MFSA-2019-05 (bsc#1125330)
  * CVE-2018-18356 (bmo#1525817)
    A use-after-free vulnerability in the Skia library can occur when
    creating a path, leading to a potentially exploitable crash.
  * CVE-2019-5785 (bmo#1525433)
    An integer overflow vulnerability in the Skia library can occur
    after specific transform operations, leading to a potentially
    exploitable crash.
  * CVE-2018-18335 (bmo#1525815)
    A buffer overflow vulnerability in the Skia library can occur with
    Canvas 2D acceleration on macOS. This issue was addressed by
    disabling Canvas 2D acceleration in Firefox ESR.  Note: this does
    not affect other versions and platforms where Canvas 2D
    acceleration is already disabled by default. - Update to Firefox ESR 60.5
  MFSA 2019-02 (bsc#1122983)
  * CVE-2018-18501 (bmo#1460619, bmo#1502871, bmo#1512450,
    bmo#1513201, bmo#1516514, bmo#1516738, bmo#1517542)
    Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
  * CVE-2018-18500 (bmo#1510114)
    Use-after-free parsing HTML5 stream
  * CVE-2018-18505 (bmo#1087565, bmo#1497749)
    Privilege escalation through IPC channel messages
- Removed obsolete patches:
    [mozilla-no-stdcxx-check.patch] Applied upstream
    [mozilla-s390-nojit.patch] Applied upstream - Fix for language pack build error (bsc#1120374) - Revert dependency for branding package back to >= 60 due to dependency
  issues. - Depend on branding package version >= 60.0 - Mozilla Firefox 60.4.0esr:
  * Updated list of currency codes to include Unidad Previsional (UYW)
    (bmo#1499028)
  MFSA 2018-30 (bsc#1119105)
  * CVE-2018-17466 bmo#1488295
    Buffer overflow and out-of-bounds read in ANGLE library with
    TextureStorage11
  * CVE-2018-18492 bmo#1499861
    Use-after-free with select element
  * CVE-2018-18493 bmo#1504452
    Buffer overflow in accelerated 2D canvas with Skia
  * CVE-2018-18494 bmo#1487964
    Same-origin policy violation using location attribute and
    performance.getEntries to steal cross-origin URLs
  * CVE-2018-18498 bmo#1500011
    Integer overflow when calculating buffer sizes for images
  * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
    bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
    Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4
- requires NSS >= 3.36.6
- Removed obsolete patch:
    [mozilla-update-cc-crate.patch] Applied upstream - Mozilla Firefox 60.3.0esr:
  * Various stability and regression fixes
  MFSA 2018-27 bsc#1112852
  * CVE-2018-12392 bmo#1492823
    Crash with nested event loops
  * CVE-2018-12393 bmo#1495011
    Integer overflow during Unicode conversion while loading
    JavaScript
  * CVE-2018-12395 bmo#1467523
    WebExtension bypass of domain restrictions through header
    rewriting
  * CVE-2018-12396 bmo#1483602
    WebExtension content scripts can execute in disallowed
    contexts
  * CVE-2018-12397 bmo#1487478
    WebExtension local file access vulnerability
  * CVE-2018-12389 bmo#1498460, bmo#1499198
    Memory safety bugs fixed in Firefox ESR 60.3
  * CVE-2018-12390 bmo#1487098 bmo#1487660 bmo#1490234 bmo#1496159
    bmo#1443748 bmo#1496340 bmo#1483905 bmo#1493347 bmo#1488803
    bmo#1498701 bmo#1498482 bmo#1442010 bmo#1495245 bmo#1483699
    bmo#1469486 bmo#1484905 bmo#1490561 bmo#1492524 bmo#1481844
    Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
- Drop mozilla-bmo1472538-update-bindgen.patch which was already
  merged upstream
- Update mozilla-update-cc-crate.patch, since cc was updated to 1.0.9
  upstream, but this patch still updates it to a newer version - Update create-tar.sh and source-stamp.txt as should be done
  with every version update. - Mozilla Firefox 60.2.2esr:
  MFSA 2018-24
  * CVE-2018-12386 (bsc#1110506, bmo#1493900)
    Type confusion in JavaScript allowed remote code execution
  * CVE-2018-12387 (bsc#1110507, bmo#1493903)
    Array.prototype.push stack pointer vulnerability may enable
    exploits in the sandboxed content process
- Avoid undefined behavior in IPC fd-passing code with
  mozilla-bmo1436242.patch (boo#1094767, bmo#1436242)
- Mozilla Firefox 60.2.1esr:
  MFSA 2018-23
  * CVE-2018-12385 (boo#1109363, bmo#1490585)
    Crash in TransportSecurityInfo due to cached data
  * CVE-2018-12383 (boo#1107343, bmo#1475775)
    Setting a master password did not delete unencrypted
    previously stored passwords
  * Fixed a startup crash affecting users migrating from older ESR
    releases
  * Clean up old NSS DB files after upgrading
- Fix typo in an old changelog entry which mentioned a wrong patch file
  and really remove mozilla-glibc-getrandom.patch as should have
  been done some weeks ago. - bsc#1109465 - Add mozilla-bmo1472538-update-bindgen.patch and
  mozilla-update-cc-crate.patch.  This fixes an endianness problem in
  bindgen's handling of bitfields, which was causing Firefox to crash
  on startup on big-endian machines.  Also, updates the cc crate,
  which was buggy in the version that was originally vendored in.
- added patch
  [mozilla-bigendian_bit_flags_alias.patch] (bmo#1488552) - update to Firefox ESR 60.2 (bsc#1107343)
  * MFSA 2018-20/CVE-2018-12381
    (bmo#1435319)
    Dragging and dropping Outlook email message results in page
    navigation
  * MFSA 2018-20/CVE-2017-16541
    (bmo#1412081)
    Proxy bypass using automount and autofs
  * MFSA 2018-20/CVE-2018-12376
    (bmo#1450989, bmo#1466577, bmo#1466991, bmo#1467363,
    bmo#1467889, bmo#1468738, bmo#1469309, bmo#1469914,
    bmo#1471953, bmo#1472925, bmo#1473161, bmo#1478575,
    bmo#1478849, bmo#1480092, bmo#1480517, bmo#1480521,
    bmo#1481093, bmo#1483120)
    Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
  * MFSA 2018-20/CVE-2018-12377
    (bmo#1470260)
    Use-after-free in refresh driver timers
  * MFSA 2018-20/CVE-2018-12378
    (bmo#1459383)
    Use-after-free in IndexedDB
  * MFSA 2018-20/CVE-2018-12379
    (bmo#1473113)
    Out-of-bounds write with malicious MAR file
- removed obsolete patches:
    [mozilla-glibc-getrandom.patch]
    [firefox-no-default-ualocale.patch]
    [mozilla-bmo1005640.patch]
    [mozilla-language.patch]
    [mozilla-shared-nss-db.patch]
- added patches
  sync with openSUSE:
    [mozilla-bmo1005535.patch]
    [mozilla-bmo1375074.patch]
    [mozilla-bmo1464766.patch]
    [mozilla-bmo256180.patch]
    [mozilla-i586-DecoderDoctorLogger.patch]
    [mozilla-i586-domPrefs.patch]
  additional architecture enablement:
    [mozilla-ppc-altivec_static_inline.patch]
    [mozilla-s390-context.patch] - update to Firefox ESR 52.9 (bsc#1098998)
  * MFSA 2018-17/CVE-2018-5188
    (bmo#1392739, bmo#1437842, bmo#1442722, bmo#1450688,
    bmo#1451297, bmo#1452576, bmo#1456189, bmo#1456975,
    bmo#1458048, bmo#1458264, bmo#1458270, bmo#1463494,
    bmo#1464063, bmo#1464079, bmo#1464829, bmo#1465108,
    bmo#1465898)
    Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and
    Firefox ESR 52.9
  * MFSA 2018-17/CVE-2018-12368
    (bmo#1468217, bmo#https://posts.specterops.io/the-tale-of-
    settingcontent-ms-files-f1ea253e4d39)
    No warning when opening executable SettingContent-ms files
  * MFSA 2018-17/CVE-2018-12366
    (bmo#1464039)
    Invalid data handling during QCMS transformations
  * MFSA 2018-17/CVE-2018-12365
    (bmo#1459206)
    Compromised IPC child process can list local filenames
  * MFSA 2018-17/CVE-2018-12364
    (bmo#1436241)
    CSRF attacks through 307 redirects and NPAPI plugins
  * MFSA 2018-17/CVE-2018-12363
    (bmo#1464784)
    Use-after-free when appending DOM nodes
  * MFSA 2018-17/CVE-2018-12362
    (bmo#1452375)
    Integer overflow in SSSE3 scaler
  * MFSA 2018-17/CVE-2018-12360
    (bmo#1459693)
    Use-after-free when using focus()
  * MFSA 2018-17/CVE-2018-5156
    (bmo#1453127)
    Media recorder segmentation fault when track type is changed
    during capture
  * MFSA 2018-17/CVE-2018-12359
    (bmo#1459162)
    Buffer overflow using computed size of canvas element - update to Firefox 52.8.1 (bsc#1096449)
  * MFSA 2018-14/CVE-2018-6126
    (bmo#1462682)
    Heap buffer overflow rasterizing paths in SVG with Skia - update to Firefox 52.8.0:
  * Various stability and regression fixes
  * Performance improvements to the Safe Browsing service to avoid
  slowdowns while updating site classification data
- Security fixes (bsc#1092548, MFSA 2018-12):
  * CVE-2018-5183 (bmo#1454692)
    Backport critical security fixes in Skia
  * CVE-2018-5154 (bmo#1443092)
    Use-after-free with SVG animations and clip paths
  * CVE-2018-5155 (bmo#1448774)
    Use-after-free with SVG animations and text paths
  * CVE-2018-5157 (bmo#1449898)
    Same-origin bypass of PDF Viewer to view protected PDF files
  * CVE-2018-5158 (bmo#1452075)
    Malicious PDF can inject JavaScript into PDF Viewer
  * CVE-2018-5159 (bmo#1441941)
    Integer overflow and out-of-bounds write in Skia
  * CVE-2018-5168 (bmo#1449548)
    Lightweight themes can be installed without user interaction
  * CVE-2018-5178 (bmo#1443891)
    Buffer overflow during UTF-8 to Unicode string conversion
    through legacy extension
  * CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705,
    bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415,
    bmo#1426129)
    Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 - fix release tag and tarball to correctly identify 52.7.3esr - update to Firefox 52.7.3
  MFSA 2018-10 (bsc#1087059)
  * CVE-2018-5148 (bmo#1440717)
    Use-after-free in compositor
- removed obsolete patch mozilla-bmo1446062.patch - update to Firefox 52.7.2 (bsc#1085671)
  MFSA 2018-08
  * CVE-2018-5146 (bmo#1446062)
    Out of bounds memory write in libvorbis
  * CVE-2018-5147 (bmo#1446365)
    Out of bounds memory write in libtremor
    (in mozilla-bmo1446062.patch)
- Firefox 52.7.1 fixes
  - issues with the IT locale (bmo#1445278) - update to Firefox 52.7esr (bsc#1085130, MFSA 2018-07):
  * CVE-2018-5127 (bmo#1430557)
    Buffer overflow manipulating SVG animatedPathSegList
  * CVE-2018-5129 (bmo#1428947)
    Out-of-bounds write with malformed IPC messages
  * CVE-2018-5130 (bmo#1433005)
    Mismatched RTP payload type can trigger memory corruption
  * CVE-2018-5131 (bmo#1440775)
    Fetch API improperly returns cached copies of no-store/no-cache
    resources
  * CVE-2018-5144 (bmo#1440926)
    Integer overflow during Unicode conversion
  * CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450,
    bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087,
    bmo#1443865,bmo#1425520)
    Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
  * CVE-2018-5145 (bmo#1261175,bmo#1348955)
    Memory safety bugs fixed in Firefox ESR 52.7 - correct requires and provides handling (boo#1076907) - update to Firefox 52.6esr (bsc#1077291)
  MFSA 2018-01
  * Speculative execution side-channel attack ("Spectre")
  MFSA 2018-03
  * CVE-2018-5091 (bmo#1423086)
    Use-after-free with DTMF timers
  * CVE-2018-5095 (bmo#1418447)
    Integer overflow in Skia library during edge builder allocation
  * CVE-2018-5096 (bmo#1418922)
    Use-after-free while editing form elements
  * CVE-2018-5097 (bmo#1387427)
    Use-after-free when source document is manipulated during XSLT
  * CVE-2018-5098 (bmo#1399400)
    Use-after-free while manipulating form input elements
  * CVE-2018-5099 (bmo#1416878)
    Use-after-free with widget listener
  * CVE-2018-5102 (bmo#1419363)
    Use-after-free in HTML media elements
  * CVE-2018-5103 (bmo#1423159)
    Use-after-free during mouse event handling
  * CVE-2018-5104 (bmo#1425000)
    Use-after-free during font face manipulation
  * CVE-2018-5117 (bmo#1395508)
    URL spoofing with right-to-left text aligned left-to-right
  * CVE-2018-5089
    Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- remove obsolete patch mozilla-ucontext.patch
- official NSS requirement is >= 3.28.6 therefore putting 3.29.5
  into an ifarch - Escape the usage of %{VERSION} when calling out to rpm.
  RPM 4.14 has %{VERSION} defined as 'the main package's version'. - Added additional patches and configurations to fix
  builds on s390 and PowerPC.
  * Added firefox-glibc-getrandom.patch effecting builds on
    s390 and PowerPC
  * Added mozilla-s390-bigendian.patch along with icudt58b.dat
    bigendian ICU data file for running Firefox on bigendian
    architectures (bmo#1322212 and bmo#1264836)
  * Added mozilla-s390-nojit.patch to enable atomic operations
    used by the JS engine when JIT is disabled on s390
  * Build configuration options specific to s390
  * Requires NSS >= 3.29.5 - Update to Firefox 52.5.3esr:
  * Fix a crash reporting issue that inadvertently sends background
  tab crash reports to Mozilla without user opt-in (bmo#1427111,
  bsc#1074235) - Add BuildRequires python-xml to fix build on TW/SLE15. - update to Firefox 52.5.2esr (MFSA 2017-28):
  * CVE-2017-7843 (bsc#1072034, bmo#1410106)
    Web worker in Private Browsing mode can write IndexedDB data - update to Firefox 52.5.0esr (boo#1068101)
  MFSA 2017-25
  * CVE-2017-7828 (bmo#1406750. bmo#1412252)
    Use-after-free of PressShell while restyling layout
  * CVE-2017-7830 (bmo#1408990)
    Cross-origin URL information leak through Resource Timing API
  * CVE-2017-7826
    Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5 - Correct plugin directory for aarch64 (boo#1061207). The wrapper
  script was not detecting aarch64 as a 64 bit architecture, thus
  used /usr/lib/browser-plugins/. - Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
  pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
  pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
  pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
  looks for. - update to Firefox 52.4esr (boo#1060445)
  * requires NSS >= 3.28.6
  MFSA 2017-22
  * CVE-2017-7793 (bmo#1371889)
    Use-after-free with Fetch API
  * CVE-2017-7818 (bmo#1363723)
    Use-after-free during ARIA array manipulation
  * CVE-2017-7819 (bmo#1380292)
    Use-after-free while resizing images in design mode
  * CVE-2017-7824 (bmo#1398381)
    Buffer overflow when drawing and validating elements with ANGLE
  * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
    Use-after-free in TLS 1.2 generating handshake hashes
  * CVE-2017-7814 (bmo#1376036)
    Blob and data URLs bypass phishing and malware protection warnings
  * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
    OS X fonts render some Tibetan and Arabic unicode characters as spaces
  * CVE-2017-7823 (bmo#1396320)
    CSP sandbox directive did not create a unique origin
  * CVE-2017-7810
    Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
- fixed language accept header to use correct locale
  (mozilla-bmo1005640.patch, boo#1029917) - Add alsa-devel BuildRequires: we care for ALSA support to be
  built and thus need to ensure we get the dependencies in place.
  In the past, alsa-devel was pulled in by accident: we
  buildrequire libgnome-devel. This required esound-devel and that
  in turn pulled in alsa-devel for us. libgnome is being fixed to
  no longer require esound-devel. - mozilla-ucontext.patch: use ucontext_t instead of struct ucontext - update to Firefox 52.3esr (boo#1052829)
  MFSA 2017-19
  * CVE-2017-7798 (bmo#1371586, bmo#1372112)
    XUL injection in the style editor in devtools
  * CVE-2017-7800 (bmo#1374047)
    Use-after-free in WebSockets during disconnection
  * CVE-2017-7801 (bmo#1371259)
    Use-after-free with marquee during window resizing
  * CVE-2017-7784 (bmo#1376087)
    Use-after-free with image observers
  * CVE-2017-7802 (bmo#1378147)
    Use-after-free resizing image elements
  * CVE-2017-7785 (bmo#1356985)
    Buffer overflow manipulating ARIA attributes in DOM
  * CVE-2017-7786 (bmo#1365189)
    Buffer overflow while painting non-displayable SVG
  * CVE-2017-7753 (bmo#1353312)
    Out-of-bounds read with cached style data and pseudo-elements#
  * CVE-2017-7787 (bmo#1322896)
    Same-origin policy bypass with iframes through page reloads
  * CVE-2017-7807 (bmo#1376459)
    Domain hijacking through AppCache fallback
  * CVE-2017-7792 (bmo#1368652)
    Buffer overflow viewing certificates with an extremely long OID
  * CVE-2017-7804 (bmo#1372849)
    Memory protection bypass through WindowsDllDetourPatcher
  * CVE-2017-7791 (bmo#1365875)
    Spoofing following page navigation with data: protocol and modal alerts
  * CVE-2017-7782 (bmo#1344034)
    WindowsDllDetourPatcher allocates memory without DEP protections
  * CVE-2017-7803 (bmo#1377426)
    CSP containing 'sandbox' improperly applied
  * CVE-2017-7779
    Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 - Mozilla Firefox 52.2.1esr:
  * Printing text does not work on Windows when Direct2D is
    disabled (bmo#1318845) - update to Firefox 52.2esr (boo#1043960)
  MFSA 2017-16
  * CVE-2017-5472 (bmo#1365602)
    Use-after-free using destroyed node when regenerating trees
  * CVE-2017-7749 (bmo#1355039)
    Use-after-free during docshell reloading
  * CVE-2017-7750 (bmo#1356558)
    Use-after-free with track elements
  * CVE-2017-7751 (bmo#1363396)
    Use-after-free with content viewer listeners
  * CVE-2017-7752 (bmo#1359547)
    Use-after-free with IME input
  * CVE-2017-7754 (bmo#1357090)
    Out-of-bounds read in WebGL with ImageInfo object
  * CVE-2017-7755 (bmo#1361326)
    Privilege escalation through Firefox Installer with same
    directory DLL files (Windows only)
  * CVE-2017-7756 (bmo#1366595)
    Use-after-free and use-after-scope logging XHR header errors
  * CVE-2017-7757 (bmo#1356824)
    Use-after-free in IndexedDB
  * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
    CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
    CVE-2017-7777
    Vulnerabilities in the Graphite 2 library
  * CVE-2017-7758 (bmo#1368490)
    Out-of-bounds read in Opus encoder
  * CVE-2017-7760 (bmo#1348645)
    File manipulation and privilege escalation via callback parameter
    in Mozilla Windows Updater and Maintenance Service (Windows only)
  * CVE-2017-7761 (bmo#1215648)
    File deletion and privilege escalation through Mozilla Maintenance
    Service helper.exe application (Windows only)
  * CVE-2017-7764 (bmo#1364283)
    Domain spoofing with combination of Canadian Syllabics and other
    unicode blocks
  * CVE-2017-7765 (bmo#1273265)
    Mark of the Web bypass when saving executable files (Windows only)
  * CVE-2017-7766 (bmo#1342742)
    File execution and privilege escalation through updater.ini,
    Mozilla Windows Updater, and Mozilla Maintenance Service
    (Windows only)
  * CVE-2017-7767 (bmo#1336964)
    Privilege escalation and arbitrary file overwrites through Mozilla
    Windows Updater and Mozilla Maintenance Service (Windows only)
  * CVE-2017-7768 (bmo#1336979)
    32 byte arbitrary file read through Mozilla Maintenance Service
    (Windows only)
  * CVE-2017-5470
    Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
- requires NSS 3.28.5 - remove -fno-inline-small-functions and explicitely optimize with
  - O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) - update to Firefox 52.1.1
  MFSA 2017-14
  * CVE-2017-5031: Use after free in ANGLE (bmo#1328762)
    (Windows only, Linux not affected)
- switch to Mozilla's geolocation service (boo#1026989)
- removed mozilla-preferences.patch obsoleted by overriding via
  firefox.js
- fixed KDE integration to avoid crash caused by filepicker
  (boo#1015998) - update to Firefox 52.1.0esr (boo#1035082)
  MFSA 2017-12
  * CVE-2017-5443 (bmo#1342661)
    Out-of-bounds write during BinHex decoding
  * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
    bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
    Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
    Firefox ESR 52.1
  * CVE-2017-5464 (bmo#1347075)
    Memory corruption with accessibility and DOM manipulation
  * CVE-2017-5465 (bmo#1347617)
    Out-of-bounds read in ConvolvePixel
  * CVE-2017-5466 (bmo#1353975)
    Origin confusion when reloading isolated data:text/html URL
  * CVE-2017-5467 (bmo#1347262)
    Memory corruption when drawing Skia content
  * CVE-2017-5460 (bmo#1343642)
    Use-after-free in frame selection
  * CVE-2017-5461 (bmo#1344380)
    Out-of-bounds write in Base64 encoding in NSS
  * CVE-2017-5448 (bmo#1346648)
    Out-of-bounds write in ClearKeyDecryptor
  * CVE-2017-5449 (bmo#1340127)
    Crash during bidirectional unicode manipulation with animation
  * CVE-2017-5446 (bmo#1343505)
    Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
  * CVE-2017-5447 (bmo#1343552)
    Out-of-bounds read during glyph processing
  * CVE-2017-5444 (bmo#1344461)
    Buffer overflow while parsing application/http-index-format content
  * CVE-2017-5445 (bmo#1344467)
    Uninitialized values used while parsing application/http-index-format
    content
  * CVE-2017-5442 (bmo#1347979)
    Use-after-free during style changes
  * CVE-2017-5469 (bmo#1292534)
    Potential Buffer overflow in flex-generated code
  * CVE-2017-5440 (bmo#1336832)
    Use-after-free in txExecutionState destructor during XSLT processing
  * CVE-2017-5441 (bmo#1343795)
    Use-after-free with selection during scroll events
  * CVE-2017-5439 (bmo#1336830)
    Use-after-free in nsTArray Length() during XSLT processing
  * CVE-2017-5438 (bmo#1336828)
    Use-after-free in nsAutoPtr during XSLT processing
  * CVE-2017-5437 (bmo#1343453)
    Vulnerabilities in Libevent library
  * CVE-2017-5436 (bmo#1345461)
    Out-of-bounds write with malicious font in Graphite 2
  * CVE-2017-5435 (bmo#1350683)
    Use-after-free during transaction processing in the editor
  * CVE-2017-5434 (bmo#1349946)
    Use-after-free during focus handling
  * CVE-2017-5433 (bmo#1347168)
    Use-after-free in SMIL animation functions
  * CVE-2017-5432 (bmo#1346654)
    Use-after-free in text input selection
  * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
    bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
    bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
    Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
  * CVE-2017-5459 (bmo#1333858)
    Buffer overflow in WebGL
  * CVE-2017-5462 (bmo#1345089)
    DRBG flaw in NSS
  * CVE-2017-5455 (bmo#1341191)
    Sandbox escape through internal feed reader APIs
  * CVE-2017-5454 (bmo#1349276)
    Sandbox escape allowing file system read access through file
    picker
  * CVE-2017-5456 (bmo#1344415)
    Sandbox escape allowing local file system access
  * CVE-2017-5451 (bmo#1273537)
    Addressbar spoofing with onblur event
- requires NSS 3.28.4
- rebased patches - switch package to use ESR52 branch
  * enables plugin support by default
  * service workers are disabled by default
  * push notifications are disabled by default
  * WebAssembly (wasm) is disabled
  * Less use of multiprocess architecture Electrolysis (e10s) - update to Firefox 52.0.2
  * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
  * Fix loading tab icons on session restore (bmo#1338009)
  * Fix a crash on startup on Linux (bmo#1345413)
  * Fix new installs erroneously not prompting to change the default
    browser setting (bmo#1343938) - disable rust usage for everything but x86(-64)
- explicitely add libffi build requirement - update to Firefox 52.0.1 (boo#1029822)
  MFSA 2017-08
  CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168) - reenable ALSA support which was removed by default upstream - update to Firefox 52.0 (boo#1028391)
  * requires NSS >= 3.28.3
  * Pages containing insecure password fields now display a warning
    directly within username and password fields.
  * Send and open a tab from one device to another with Sync
  * Removed NPAPI support for plugins other than Flash. Silverlight,
    Java, Acrobat and the like are no longer supported.
  * Removed Battery Status API to reduce fingerprinting of users by
    trackers
  * MFSA 2017-05
    CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
    (bmo#1334933)
    CVE-2017-5401: Memory Corruption when handling ErrorResult
    (bmo#1328861)
    CVE-2017-5402: Use-after-free working with events in FontFace
    objects (bmo#1334876)
    CVE-2017-5403: Use-after-free using addRange to add range to an
    incorrect root object (bmo#1340186)
    CVE-2017-5404: Use-after-free working with ranges in selections
    (bmo#1340138)
    CVE-2017-5406: Segmentation fault in Skia with canvas operations
    (bmo#1306890)
    CVE-2017-5407: Pixel and history stealing via floating-point
    timing side channel with SVG filters (bmo#1336622)
    CVE-2017-5410: Memory corruption during JavaScript garbage
    collection incremental sweeping (bmo#1330687)
    CVE-2017-5408: Cross-origin reading of video captions in violation
    of CORS (bmo#1313711)
    CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
    CVE-2017-5413: Segmentation fault during bidirectional operations
    (bmo#1337504)
    CVE-2017-5414: File picker can choose incorrect default directory
    (bmo#1319370)
    CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
    CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
    CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
    (bmo#791597)
    CVE-2017-5426: Gecko Media Plugin sandbox is not started if
    seccomp-bpf filter is running (bmo#1257361)
    CVE-2017-5427: Non-existent chrome.manifest file loaded during
    startup (bmo#1295542)
    CVE-2017-5418: Out of bounds read when parsing HTTP digest
    authorization responses (bmo#1338876)
    CVE-2017-5419: Repeated authentication prompts lead to DOS
    attack (bmo#1312243)
    CVE-2017-5420: Javascript: URLs can obfuscate addressbar
    location (bmo#1284395)
    CVE-2017-5405: FTP response codes can cause use of
    uninitialized values for ports (bmo#1336699)
    CVE-2017-5421: Print preview spoofing (bmo#1301876)
    CVE-2017-5422: DOS attack by using view-source: protocol
    repeatedly in one hyperlink (bmo#1295002)
    CVE-2017-5399: Memory safety bugs fixed in Firefox 52
    CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
    Firefox ESR 45.8
- removed obsolete patches
  * mozilla-binutils-visibility.patch
  * mozilla-check_return.patch
  * mozilla-disable-skia-be.patch
  * mozilla-skia-overflow.patch
  * mozilla-skia-ppc-endianess.patch
- rebased patches
- enable rust usage for Tumbleweed - Mozilla Firefox 51.0.1:
  - Multiprocess incompatibility did not correctly register with
    some add-ons (bmo#1333423) - update to Firefox 51.0
  * requires NSPR >= 4.13.1, NSS >= 3.28.1
  * Added support for FLAC (Free Lossless Audio Codec) playback
  * Added support for WebGL 2
  * Added Georgian (ka) and Kabyle (kab) locales
  * Support saving passwords for forms without 'submit' events
  * Improved video performance for users without GPU acceleration
  * Zoom indicator is shown in the URL bar if the zoom level is not
    at default level
  * View passwords from the prompt before saving them
  * Remove Belarusian (be) locale
  * Use Skia for content rendering (Linux)
  * MFSA 2017-01
    CVE-2017-5375: Excessive JIT code allocation allows bypass of
    ASLR and DEP (bmo#1325200, boo#1021814)
    CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
    CVE-2017-5377: Memory corruption with transforms to create
    gradients in Skia (bmo#1306883, boo#1021826)
    CVE-2017-5378: Pointer and frame data leakage of Javascript objects
    (bmo#1312001, bmo#1330769, boo#1021818)
    CVE-2017-5379: Use-after-free in Web Animations
    (bmo#1309198,boo#1021827)
    CVE-2017-5380: Potential use-after-free during DOM manipulations
    (bmo#1322107, boo#1021819)
    CVE-2017-5390: Insecure communication methods in Developer Tools
    JSON viewer (bmo#1297361, boo#1021820)
    CVE-2017-5389: WebExtensions can install additional add-ons via
    modified host requests (bmo#1308688, boo#1021828)
    CVE-2017-5396: Use-after-free with Media Decoder
    (bmo#1329403, boo#1021821)
    CVE-2017-5381: Certificate Viewer exporting can be used to navigate
    and save to arbitrary filesystem locations
  (bmo#1017616, boo#1021830)
    CVE-2017-5382: Feed preview can expose privileged content errors
    and exceptions (bmo#1295322, boo#1021831)
    CVE-2017-5383: Location bar spoofing with unicode characters
    (bmo#1323338, bmo#1324716, boo#1021822)
    CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
    (bmo#1255474, boo#1021832)
    CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
    response headers (bmo#1295945, boo#1021833)
    CVE-2017-5386: WebExtensions can use data: protocol to affect other
    extensions (bmo#1319070, boo#1021823)
    CVE-2017-5394: Android location bar spoofing using fullscreen and
    JavaScript events (bmo#1222798)
    CVE-2017-5391: Content about: pages can load privileged about: pages
    (bmo#1309310, boo#1021835)
    CVE-2017-5392: Weak references using multiple threads on weak proxy
    objects lead to unsafe memory usage (bmo#1293709)
  (Android only)
    CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for
    mozAddonManager (bmo#1309282, boo#1021837)
    CVE-2017-5395: Android location bar spoofing during scrolling
    (bmo#1293463) (Android only)
    CVE-2017-5387: Disclosure of local file existence through TRACK
    tag error messages (bmo#1295023, boo#1021839)
    CVE-2017-5388: WebRTC can be used to generate a large amount of
    UDP traffic for DDOS attacks
  (bmo#1281482, boo#1021840)
    CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841)
    CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and
    Firefox ESR 45.7 (boo#1021824)
- switch Firefox to Gtk3 for Tumbleweed
- removed obsolete patches
  * mozilla-flex_buffer_overrun.patch
- updated RPM locale support tag
- improve recognition of LANGUAGE env variable (boo#1017174)
- add upstream patch to fix PPC64LE (bmo#1319389)
  (mozilla-skia-ppc-endianess.patch)
- fix build without skia (big endian archs) (bmo#1319374)
  (mozilla-disable-skia-be.patch) - update to Firefox 50.1.0 (boo#1015422)
  * MFSA 2016-94
    CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
    CVE-2016-9899: Use-after-free while manipulating DOM events and
    audio elements (bmo#1317409)
    CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
    CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
    CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
    CVE-2016-9898: Use-after-free in Editor while manipulating
    DOM subtrees (bmo#1314442)
    CVE-2016-9900: Restricted external resources can be loaded by
    SVG images through data URLs (bmo#1319122)
    CVE-2016-9904: Cross-origin information leak in shared atoms
    (bmo#1317936)
    CVE-2016-9901: Data from Pocket server improperly sanitized
    before execution (bmo#1320057)
    CVE-2016-9902: Pocket extension does not validate the origin
    of events (bmo#1320039)
    CVE-2016-9903: XSS injection vulnerability in add-ons SDK
    (bmo#1315435)
    CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
    CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
    Firefox ESR 45.6 - added patch mozilla-aarch64-startup-crash.patch (bsc#1011922) - update to Firefox 50.0.2
  * Firefox crashes with 3rd party Chinese IME when using IME text
    (50.0.1)
  security fixes (in 50.0.1): (boo#1012807)
  * MFSA 2016-91
    CVE-2016-9078: data: URL can inherit wrong origin after an
    HTTP redirect (bmo#1317641)
  security fixes (in 50.0.2) (boo#1012964)
  * MFSA 2016-92
    CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066) - update to Firefox 50.0 (boo#1009026)
  * requires NSS 3.26.2
  new features
  * Updates to keyboard shortcuts
    Set a preference to have Ctrl+Tab cycle through tabs in recently
    used order
    View a page in Reader Mode by using Ctrl+Alt+R
  * Added option to Find in page that allows users to limit search to
    whole words only
  * Added download protection for a large number of executable file
    types on Windows, Mac and Linux
  * Fixed rendering of dashed and dotted borders with rounded corners
    (border-radius)
  * Added a built-in Emoji set for operating systems without native
    Emoji fonts (Windows 8.0 and lower and Linux)
  * Blocked versions of libavcodec older than 54.35.1
  * additional locale
  security fixes:
  * MFSA 2016-89
    CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
    (bmo#1292443)
    CVE-2016-5292: URL parsing causes crash (bmo#1288482)
    CVE-2016-5293: Write to arbitrary file with updater and moz
    maintenance service using updater.log hardlink
  (Windows only) (bmo#1246945)
    CVE-2016-5294: Arbitrary target directory for result files of
    update process (Windows only) (bmo#1246972)
    CVE-2016-5297: Incorrect argument length checking in Javascript
    (bmo#1303678)
    CVE-2016-9064: Addons update must verify IDs match between
    current and new versions (bmo#1303418)
    CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen
    (Android only) (bmo#1306696)
    CVE-2016-9066: Integer overflow leading to a buffer overflow in
    nsScriptLoadHandler (bmo#1299686)
    CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
    (bmo#1301777, bmo#1308922 (CVE-2016-9069))
    CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
    CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
    (bmo#1300083) (Windows only)
    CVE-2016-9075: WebExtensions can access the mozAddonManager API
    and use it to gain elevated privileges (bmo#1295324)
    CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
    to cross-origin images, allowing timing attacks on them
  (bmo#1298552)
    CVE-2016-5291: Same-origin policy violation using local HTML file
    and saved shortcut file (bmo#1292159)
    CVE-2016-5295: Mozilla Maintenance Service: Ability to read
    arbitrary files as SYSTEM (Windows only) (bmo#1247239)
    CVE-2016-5298: SSL indicator can mislead the user about the real
    URL visited (bmo#1227538) (Android only)
    CVE-2016-5299: Firefox AuthToken in broadcast protected with
    signature-level permission can be accessed by an
  application installed beforehand that defines the
  same permissions (bmo#1245791) (Android only)
    CVE-2016-9061: API Key (glocation) in broadcast protected with
    signature-level permission can be accessed by an
  application installed beforehand that defines the
  same permissions (Android only) (bmo#1245795)
    CVE-2016-9062: Private browsing browser traces (android) in
    browser.db and wal file (Android only) (bmo#1294438)
    CVE-2016-9070: Sidebar bookmark can have reference to chrome window
    (bmo#1281071)
    CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
    (bmo#1289273)
    CVE-2016-9074: Insufficient timing side-channel resistance in
    divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
    CVE-2016-9076: select dropdown menu can be used for URL bar
    spoofing on e10s (bmo#1276976)
    CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
    in expat (bmo#1274777)
    CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
    (bmo#1285003)
    CVE-2016-5289: Memory safety bugs fixed in Firefox 50
    CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
- make aarch64 build more similar to x86_64 build (remove conditionals
  that don't seem to be necessary anymore) - Mozilla Firefox 49.0.2:
  * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
  * CVE-2016-5288: Web content can read cache entries (bsc#1006476)
  * Asynchronous rendering of the Flash plugins is now enabled by
    default
  * Change D3D9 default fallback preference to prevent graphical
    artifacts
  * Network issue prevents some users from seeing the Firefox UI on
    startup
  * Web compatibility issue with file uploads
  * Web compatibility issue with Array.prototype.values
  * Diagnostic information on timing for tab switching
  * Fix a Canvas filters graphics issue affecting HTML5 apps - Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
  and fixes have been incorporated by upstream. - Mozilla Firefox 49.0.1:
  * Mitigate a startup crash issue caused by Websense - bmo#1304783 - update to Firefox 49.0 (boo#999701)
  new features
  * Updated Firefox Login Manager to allow HTTPS pages to use saved
    HTTP logins.
  * Added features to Reader Mode that make it easier on the eyes and
    the ears
  * Improved video performance for users on systems that support
    SSE3 without hardware acceleration
  * Added context menu controls to HTML5 audio and video that let users
    loops files or play files at 1.25x speed
  * Improvements in about:memory reports for tracking font memory usage
  security related
  * MFSA 2016-85
    CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
    mozilla::net::IsValidReferrerPolicy
    CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
    nsCaseTransformTextRunFactory::TransformString
    CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
    PropertyProvider::GetSpacingInternal
    CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
    CVE-2016-5273 (bmo#1280387) - crash in
    mozilla::a11y::HyperTextAccessible::GetChildOffset
    CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
    mozilla::a11y::DocAccessible::ProcessInvalidationList
    CVE-2016-5274 (bmo#1282076) - use-after-free in
    nsFrameManager::CaptureFrameState
    CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
    CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
    mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
    CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
    nsBMPEncoder::AddImageFrame
    CVE-2016-5279 (bmo#1249522) - Full local path of files is available
    to web pages after drag and drop
    CVE-2016-5280 (bmo#1289970) - Use-after-free in
    mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
    CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
    CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
    from non-whitelisted schemes
    CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can
    reveal cross-origin data
    CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
    CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
    CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
- removed obsolete patches:
  * mozilla-aarch64-48bit-va.patch
  * mozilla-exclude-nametablecpp.patch
  * mozilla-old_configure-bmo1282843.patch
- added patch mozilla-skia-overflow.patch (bmo#1304114)
- requires NSS 3.25 - Mozilla Firefox 48.0.2:
  * Mitigate a startup crash issue caused on Windows (bmo#1291738) - Mozilla Firefox 48.0.1:
  * Fix an audio regression impacting some major websites
    (bmo#1295296)
  * Fix a top crash in the JavaScript engine (bmo#1290469)
  * Fix a startup crash issue caused by Websense (bmo#1291738)
  * Fix a different behavior with e10s / non-e10s on <select> and
    mouse events (bmo#1291078)
  * Fix a top crash caused by plugin issues (bmo#1264530)
  * Fix a shutdown issue (bmo#1276920)
  * Fix a crash in WebRTC - added upstream patch so system plugins/extensions are correctly
  loaded again on x86-64 (bmo#1282843)
  (mozilla-old_configure-bmo1282843.patch) - Fix for possible buffer overrun (bsc#990856)
  CVE-2016-6354 (bmo#1292534)
  [mozilla-flex_buffer_overrun.patch] - Update mozilla-gtk3_20.patch to latest version from Fedora. - update to Firefox 48.0 (boo#991809)
  * requires NSS 3.24
  * Process separation (e10s) is enabled for some of you
  * Add-ons that have not been verified and signed by Mozilla will not load
  * WebRTC embetterments
  * The media parser has been redeveloped using the Rust programming
    language
  * better Canvas performance with speedy Skia support
  security fixes:
  * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
    Miscellaneous memory safety hazards
  * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
    Favicon network connection can persist when page is closed
  * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
    Buffer overflow rendering SVG with bidirectional content
  * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
    Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
  * MFSA 2016-66/CVE-2016-5251 (bmo#1255570)
    Location bar spoofing via data URLs with malformed/invalid mediatypes
  * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
    Stack underflow during 2D graphics rendering
  * MFSA 2016-68/CVE-2016-0718 (bmo#1236923)
    Out-of-bounds read during XML parsing in Expat library
  * MFSA 2016-69/CVE-2016-5253 (bmo#1246944)
    Arbitrary file manipulation by local user through Mozilla updater
    and callback application path parameter (Windows-only)
  * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
    Use-after-free when using alt key and toplevel menus
  * MFSA 2016-71/CVE-2016-5255 (bmo#1212356)
    Crash in incremental garbage collection in JavaScript
  * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
    Use-after-free in DTLS during WebRTC session shutdown
  * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
    Use-after-free in service workers with nested sync events
  * MFSA 2016-74/CVE-2016-5260 (bmo#1280294)
    Form input type change from password to text can store plain
    text password in session restore file
  * MFSA 2016-75/CVE-2016-5261 (bmo#1287266)
    Integer overflow in WebSockets during data buffering
  * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
    Scripts on marquee tag can execute in sandboxed iframes
  * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
    Buffer overflow in ClearKey Content Decryption Module (CDM)
    during video playback
  * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
    Type confusion in display transformation
  * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
    Use-after-free when applying SVG effects
  * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
    Same-origin policy violation using local HTML file and saved shortcut file
  * MFSA 2016-81/CVE-2016-5266 (bmo#1226977)
    Information disclosure and local file manipulation through drag and drop
  * MFSA 2016-82/CVE-2016-5267 (bmo#1284372)
    Addressbar spoofing with right-to-left characters on Firefox for Android
    (Android only)
  * MFSA 2016-83/CVE-2016-5268 (bmo#1253673)
    Spoofing attack through text injection into internal error pages
  * MFSA 2016-84/CVE-2016-5250 (bmo#1254688)
    Information disclosure through Resource Timing API during page navigation
- removed obsolete mozilla-gcc6.patch - Update description and screenshots in appdata.xml file. - Fix Firefox crash on startup on i586 (boo#986541):
  * Add -fno-delete-null-pointer-checks and
  - fno-inline-small-functions to CFLAGS - Update the appdata.xml file (replace Windows XP screenshot) - Mozilla Firefox 47.0.1:
  * Selenium WebDriver may cause Firefox to crash at startup
    (bmo#1280854) - mozilla-binutils-visibility.patch to fix build issues with
  gcc/binutils combination used in Leap 42.2 (boo#984637) - Update mozilla-gtk3_20.patch to latest version from Fedora. - Fix running on 48bit va aarch64 (bsc#984126)
  * add patch mozilla-aarch64-48bit-va.patch - fix XUL dialog button order under KDE session (boo#984403) - update to Firefox 47.0 (boo#983549)
  * Enable VP9 video codec for users with fast machines
  * Embedded YouTube videos now play with HTML5 video if Flash is
    not installed
  * View and search open tabs from your smartphone or another
    computer in a sidebar
  * Allow no-cache on back/forward navigations for https resources
  security fixes:
  * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818
    (boo#983638)
    (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743,
    bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493,
    bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752,
    bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130,
    bmo#1269729, bmo#1273202, bmo#1273701)
    Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
  * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381)
    Buffer overflow parsing HTML5 fragments
  * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460)
    Use-after-free deleting tables from a contenteditable document
  * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129)
    Addressbar spoofing though the SELECT element
  * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580)
    Out-of-bounds write with WebGL shader
  * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093)
    Partial same-origin-policy through setting location.host
    through data URI
  * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810)
    Use-after-free when textures are used in WebGL operations
    after recycle pool destruction
  * MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329)
    Incorrect icon displayed on permissions notifications
  * MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933)
    Entering fullscreen and persistent pointerlock without user
    permission
  * MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267)
    Information disclosure of disabled plugins through CSS
    pseudo-classes
  * MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933)
    Java applets bypass CSP protections
  * MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283,
    bmo#1221620, bmo#1241034, bmo#1241037)
    Network Security Services (NSS) vulnerabilities
    fixed by requiring NSS 3.23
  packaging changes:
  * cleanup configure options (boo#981695):
  - notably remove GStreamer support which is gone from FF
  * remove obsolete patches
  - mozilla-libproxy.patch
  - mozilla-repo.patch - The conditional testing for gcc was failing for different
  openSUSE versions, drop it and apply patches unconditionally. - Add patches to fix building with gcc6:
  + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch
    taken from upstream:
    https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
  + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp
    from unified compilation because #include <cmath> in other
    source files causes gcc6 compilation failure; patch taken from
    upstream:
    https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc. - enable build with PIE and full relro on x86_64 (boo#980384) - update to Firefox 46.0.1
  Fixed:
  * Search plugin issue for various locales
  * Add-on signing certificate expiration
  * Service worker update issue
  * Build issue when jit is disabled
  * Limit Sync registration updates
- removed now obsolete mozilla-jit_branch64.patch - add mozilla-jit_branch64.patch to avoid PowerPC build failure
  (from bmo#1266366) - Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest
  version from Fedora). - update to Firefox 46.0 (boo#977333)
  * Improved security of the JavaScript Just In Time (JIT) Compiler
  * WebRTC fixes to improve performance and stability
  * Added support for document.elementsFromPoint
  * Added HKDF support for Web Crypto API
  * requires NSPR 4.12 and NSS 3.22.3
  * added patch to fix unchecked return value
    mozilla-check_return.patch
  * Gtk3 builds not supported at the moment
  security fixes:
  * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807
    (boo#977373, boo#977375, boo#977376)
    Miscellaneous memory safety hazards
  * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377)
    Privilege escalation through file deletion by Maintenance Service updater
    (Windows only)
  * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378)
    Content provider permission bypass allows malicious application
    to access data (Android only)
  * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812
    (bmo#1252330, bmo#1261776, boo#977379)
    Use-after-free and buffer overflow in Service Workers
  * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380)
    Disclosure of user actions through JavaScript with motion and
    orientation sensors (only affects mobile variants)
  * MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381)
    Buffer overflow in libstagefright with CENC offsets
  * MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382)
    CSP not applied to pages sent with multipart/x-mixed-replace
  * MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384)
    Elevation of privilege with chrome.tabs.update API in web extensions
  * MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386)
    Write to invalid HashMap entry through JavaScript.watch()
  * MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388)
    Firefox Health Reports could accept events from untrusted domains - Update mozilla-gtk3_20.patch to fix scrollbar appearance under
  gtk >= 3.20 (patch synced to Fedora's version). - Compile against gtk3 depending on whether the macro
  %firefox_use_gtk3 is defined or not (e.g., at the prjconf
  level); macro is undefined by default and so gtk2 is used as the
  default toolkit.
- Add BuildRequires for additional packages needed when building
  against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0),
  pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).
- Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20;
  patch taken from Fedora (bmo#1230955). - Mozilla Firefox 45.0.2:
  * Fix an issue impacting the cookie header when third-party
    cookies are blocked (bmo#1257861)
  * Fix a web compatibility regression impacting the srcset
    attribute of the image tag (bmo#1259482)
  * Fix a crash impacting the video playback with Media Source
    Extension (bmo#1258562)
  * Fix a regression impacting some specific uploads (bmo#1255735)
  * Fix a regression with the copy and paste with some old versions
    of some Gecko applications like Thunderbird (bmo#1254980) - Mozilla Firefox 45.0.1:
  * Fix a regression causing search engine settings to be lost in
    some context (bmo#1254694)
  * Bring back non-standard jar: URIs to fix a regression in IBM
    iNotes (bmo#1255139)
  * XSLTProcessor.importStylesheet was failing when <import> was
    used (bmo#1249572)
  * Fix an issue which could cause the list of search provider to
    be empty (bmo#1255605)
  * Fix a regression when using the location bar (bmo#1254503)
  * Fix some loading issues when Accept third-party cookies: was
    set to Never (bmo#1254856)
  * Disabled Graphite font shaping library - update to Firefox 45.0 (boo#969894)
  * requires NSPR 4.12 / NSS 3.21.1
  * Instant browser tab sharing through Hello
  * Synced Tabs button in button bar
  * Tabs synced via Firefox Accounts from other devices are now shown
    in dropdown area of Awesome Bar when searching
  * Introduce a new preference (network.dns.blockDotOnion) to allow
    blocking .onion at the DNS level
  * Tab Groups (Panorama) feature removed
  * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
    Miscellaneous memory safety hazards
  * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
    Local file overwriting and potential privilege escalation through
    CSP reports
  * MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
    CSP reports fail to strip location information for embedded iframe pages
  * MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
    Linux video memory DOS with Intel drivers
  * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
    Memory leak in libstagefright when deleting an array during MP4
    processing
  * MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
    Displayed page address can be overridden
  * MFSA 2016-22/CVE-2016-1959 (bmo#1234949)
    Service Worker Manager out-of-bounds read in Service Worker Manager
  * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
    Use-after-free in HTML5 string parser
  * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
    Use-after-free in SetBody
  * MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
    Use-after-free when using multiple WebRTC data channels
  * MFSA 2016-26/CVE-2016-1963 (bmo#1238440)
    Memory corruption when modifying a file being read by FileReader
  * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
    Use-after-free during XML transformations
  * MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
    Addressbar spoofing though history navigation and Location protocol
    property
  * MFSA 2016-29/CVE-2016-1967 (bmo#1246956)
    Same-origin policy violation using perfomance.getEntries and
    history navigation with session restore
  * MFSA 2016-30/CVE-2016-1968 (bmo#1246742)
    Buffer overflow in Brotli decompression
  * MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
    Memory corruption with malicious NPAPI plugin
  * MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/
    CVE-2016-1976/CVE-2016-1972
    WebRTC and LibVPX vulnerabilities found through code inspection
  * MFSA 2016-33/CVE-2016-1973 (bmo#1219339)
    Use-after-free in GetStaticInstance in WebRTC
  * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
    Out-of-bounds read in HTML parser following a failed allocation
  * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
    Buffer overflow during ASN.1 decoding in NSS
    (fixed by requiring 3.21.1)
  * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
    Use-after-free during processing of DER encoded keys in NSS
    (fixed by requiring 3.21.1)
  * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
    CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
    CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
    CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
    Font vulnerabilities in the Graphite 2 library - Remove B_CNT from symbols.zip filename to reduce build-compare noise - fix build problems on i586, caused by too large unified compile
  units - adding mozilla-reduce-files-per-UnifiedBindings.patch - update to Firefox 44.0.2
  * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438)
    Same-origin-policy violation using Service Workers with plugins
  * Fix issue which could lead to the removal of stored passwords
    under certain circumstances (bmo#1242176)
  * Allows spaces in cookie names (bmo#1244505)
  * Disable opus/vorbis audio with H.264 (bmo#1245696)
  * Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
  * Fix a crash in cache networking (bmo#1244076)
  * Fix using WebSockets in service worker controlled pages (bmo#1243942) - build fixes for arm/aarch64:
  * disable webrtc for arm/aarch64
  * switch away from openGL-ES backend to default for arm/aarch64
  since it almost never builds
  * reenable neon
- reenable webrtc for powerpc as it seems to build - update to Firefox 44.0
  * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633
    Miscellaneous memory safety hazards
  * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634
    Out of Memory crash when parsing GIF format images
  * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635
    Buffer overflow in WebGL after out of memory allocation
  * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637
    Firefox allows for control characters to be set in cookie names
  * MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641
    Missing delay following user click events in protocol handler dialog
  * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731
    Errors in mp_div and mp_exptmod cryptographic functions in NSS
    (fixed by requiring NSS 3.21)
  * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590)
    Addressbar spoofing attacks boo#963643
  * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946
    (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644
    Unsafe memory manipulation found through code inspection
  * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645
    Application Reputation service disabled in Firefox 43
  * requires NSPR 4.11
  * requires NSS 3.21
- prepare mozilla-kde.patch for Gtk3 builds
- rebased patches - Mozilla Firefox 43.0.4:
  * Re-enable SHA-1 certificates to prevent outdated
    man-in-the-middle security devices from interfering with
    properly secured SSL/TLS connections (bmo#1236975)
  * Fix for startup crash for users of a third party antivirus tool
    (bmo#1235537)
- The following change was previously in the package as a patch:
  * Multi-user GNU/Linux download folders can be created
  (bmo#1233434), removed mozilla-bmo1233434.patch - update to Firefox 43.0.3
  * requires NSS 3.20.2 to fix
    MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
    MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
    server signature
  * various changes to support Windows update (SHA-1 vs. SHA-2)
  * workaround Youtube user agent detection issue (bmo#1233970)
- fix file download regression for multi user systems
  (bmo#1233434) (mozilla-bmo1233434.patch)
- explicitely requires libXcomposite-devel - update to Firefox 43.0 (bnc#959277)
  * Improved API support for m4v video playback
  * Users can opt-in to receive search suggestions from the Awesome Bar
  * WebRTC streaming on multiple monitors
  * User selectable second block list for Private Browsing's Tracking
    Protection
  security fixes:
  * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
    Miscellaneous memory safety hazards
  * MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
    Crash with JavaScript variable assignment with unboxed objects
  * MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
    Same-origin policy violation using perfomance.getEntries and
    history navigation
  * MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
    Firefox allows for control characters to be set in cookies
  * MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
    Use-after-free in WebRTC when datachannel is used after being
    destroyed
  * MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
    Integer overflow allocating extremely large textures
  * MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
    Cross-origin information leak through web workers error events
  * MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
    Hash in data URI is incorrectly parsed
  * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
    DOS due to malformed frames in HTTP/2
  * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
    Linux file chooser crashes on malformed images due to flaws in
    Jasper library
  * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221
    (bmo#1201183, bmo#1178033, bmo#1199400)
    Buffer overflows found through code inspection
  * MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
    Underflow through code inspection
  * MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
    Integer overflow in MP4 playback in 64-bit versions
  * MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
    Integer underflow and buffer overflow processing MP4 metadata in
    libstagefright
  * MFSA 2015-148/CVE-2015-7223 (bmo#1226423)
    Privilege escalation vulnerabilities in WebExtension APIs
  * MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
    Cross-site reading attack through data and view-source URIs
- rebased patches - Add desktop menu action for private browsing window to desktop
  file (boo#954747)
- remove obsolete patch mozilla-bmo1005535.patch completely from
  source package to avoid automatic check failures - update to Firefox 42.0 (bnc#952810)
  * Private Browsing with Tracking Protection blocks certain Web
    elements that could be used to record your behavior across sites
  * Control Center that contains site security and privacy controls
  * Login Manager improvements
  * WebRTC improvements
  * Indicator added to tabs that play audio with one-click muting
  * Media Source Extension for HTML5 video available for all sites
  security fixes:
  * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
    Miscellaneous memory safety hazards
  * MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
    Information disclosure through NTLM authentication
  * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
    CSP bypass due to permissive Reader mode whitelist
  * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
    Firefox for Android addressbar can be removed after fullscreen mode
  * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
    Reading sensitive profile files through local HTML file on Android
  * MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
    disabling scripts in Add-on SDK panels has no effect
  * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
    Trailing whitespace in IP address hostnames can bypass same-origin policy
  * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
    Buffer overflow during image interactions in canvas
  * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
    Android intents can be used on Firefox for Android to open privileged files
  * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
    XSS attack through intents on Firefox for Android
  * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
    Crash when accessing HTML tables with accessibility tools on OS X
  * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
    CORS preflight is bypassed when non-standard Content-Type headers
    are received
  * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
    Memory corruption in libjar through zip files
  * MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
    Certain escaped characters in host of Location-header are being
    treated as non-escaped
  * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
    JavaScript garbage collection crash with Java applet
  * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
    (bmo#1188010, bmo#1204061, bmo#1204155)
    Vulnerabilities found through code inspection
  * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
    Mixed content WebSocket policy bypass through workers
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
    (bmo#1202868, bmo#1205157)
    NSS and NSPR memory corruption issues
    (fixed in mozilla-nspr and mozilla-nss packages)
- requires NSPR >= 4.10.10 and NSS >= 3.19.4
- removed obsolete patches
  * mozilla-arm-disable-edsp.patch
  * mozilla-icu-strncat.patch
  * mozilla-skia-be-le.patch
  * toolkit-download-folder.patch
- fixed build with enable-libproxy (bmo#1220399)
  * mozilla-libproxy.patch - update to Firefox 41.0.2 (bnc#950686)
  * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669)
    Cross-origin restriction bypass using Fetch
- added explicit appdata provides (bnc#949983) - do not build with --enable-stdcxx-compat
  (this starts to fail build on various toolchain combinations
  and is not required for openSUSE builds in general - update to Firefox 41.0.1
  * Fix a startup crash related to Yandex toolbar and Adblock Plus
    (bmo#1209124)
  * Fix potential hangs with Flash plugins (bmo#1185639)
  * Fix a regression in the bookmark creation (bmo#1206376)
  * Fix a startup crash with some Intel Media Accelerator 3150
    graphic cards (bmo#1207665)
  * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601) - update to Firefox 41.0 (bnc#947003)
  * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
    Miscellaneous memory safety hazards
  * MFSA 2015-97/CVE-2015-4503 (bmo#994337)
    Memory leak in mozTCPSocket to servers
  * MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
    Out of bounds read in QCMS library with ICC V4 profile attributes
  * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)
    Site attribute spoofing on Android by pasting URL with unknown scheme
  * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
    Arbitrary file manipulation by local user through Mozilla updater
  * MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
    Buffer overflow in libvpx while parsing vp9 format video
  * MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
    Crash when using debugger with SavedStacks in JavaScript
  * MFSA 2015-103/CVE-2015-4508 (bmo#1195976)
    URL spoofing in reader mode
  * MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
    Use-after-free with shared workers and IndexedDB
  * MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
    Buffer overflow while decoding WebM video
  * MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
    Use-after-free while manipulating HTML media content
  * MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
    Out-of-bounds read during 2D canvas display on Linux 16-bit
    color depth systems
  * MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
    Scripted proxies can access inner window
  * MFSA 2015-109/CVE-2015-4516 (bmo#904886)
    JavaScript immutable property enforcement can be bypassed
  * MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
    Dragging and dropping images exposes final URL after redirects
  * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
    Errors in the handling of CORS preflight request headers
  * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
    CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
    CVE-2015-7180
    Vulnerabilities found through code inspection
  * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
    bmo#1190526) (Windows only)
    Memory safety errors in libGLES in the ANGLE graphics library
  * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)
    Information disclosure via the High Resolution Time API
- rebased patches
- removed obsolete patches
  * mozilla-arm64-libjpeg-turbo.patch - update to Firefox 40.0.3 (bnc#943550)
  * Disable the asynchronous plugin initialization (bmo#1198590)
  * Fix a segmentation fault in the GStreamer support (bmo#1145230)
  * Fix a regression with some Japanese fonts used in the <input>
    field (bmo#1194055)
  * On some sites, the selection in a select combox box using the
    mouse could be broken (bmo#1194733)
  security fixes
  * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
    Use-after-free when resizing canvas element during restyling
  * MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
    Add-on notification bypass through data URLs - update to Firefox 40.0 (bnc#940806)
  * Added protection against unwanted software downloads
  * Suggested Tiles show sites of interest, based on categories
    from your recent browsing history
  * Hello allows adding a link to conversations to provide context
    on what the conversation will be about
  * New style for add-on manager based on the in-content
    preferences style
  * Improved scrolling, graphics, and video playback performance
    with off main thread compositing (GNU/Linux only)
  * Graphic blocklist mechanism improved: Firefox version ranges
    can be specified, limiting the number of devices blocked
  security fixes:
  * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
    Miscellaneous memory safety hazards
  * MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
    Out-of-bounds read with malformed MP3 file
  * MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
    Use-after-free in MediaStream playback
  * MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
    Redefinition of non-configurable JavaScript object properties
  * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
    Overflow issues in libstagefright
  * MFSA 2015-84/CVE-2015-4481 (bmo1171518)
    Arbitrary file overwriting through Mozilla Maintenance Service
    with hard links (only affected Windows)
  * MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
    Out-of-bounds write with Updater and malicious MAR file
    (does not affect openSUSE RPM packages which do not ship the
    updater)
  * MFSA 2015-86/CVE-2015-4483 (bmo#1148732)
    Feed protocol with POST bypasses mixed content protections
  * MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
    Crash when using shared memory in JavaScript
  * MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
    Heap overflow in gdk-pixbuf when scaling bitmap images
  * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
    Buffer overflows on Libvpx when decoding WebM video
  * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
    Vulnerabilities found through code inspection
  * MFSA 2015-91/CVE-2015-4490 (bmo#1086999)
    Mozilla Content Security Policy allows for asterisk wildcards
    in violation of CSP specification
  * MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
    Use-after-free in XMLHttpRequest with shared workers
- added mozilla-no-stdcxx-check.patch
- removed obsolete patches
  * mozilla-add-glibcxx_use_cxx11_abi.patch
  * firefox-multilocale-chrome.patch
- rebased patches
- requires version 40 of the branding package
- removed browser/searchplugins/ location as it's not valid anymore - security update to Firefox 39.0.3 (bnc#940918)
  * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)
    Same origin violation and local file stealing via PDF reader - update to Firefox 39.0 (bnc#935979)
  * Share Hello URLs with social networks
  * Support for 'switch' role in ARIA 1.1 (web accessibility)
  * SafeBrowsing malware detection lookups enabled for downloads
    (Mac OS X and Linux)
  * Support for new Unicode 8.0 skin tone emoji
  * Removed support for insecure SSLv3 for network communications
  * Disable use of RC4 except for temporarily whitelisted hosts
  * NPAPI Plug-in performance improved via asynchronous initialization
  security fixes:
  * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
    Miscellaneous memory safety hazards
  * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
    Local files or privileged URLs in pages can be opened into new tabs
  * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
    Type confusion in Indexed Database Manager
  * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
    Out-of-bound read while computing an oscillator rendering range in Web Audio
  * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
    Use-after-free in Content Policy due to microtask execution error
  * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
    ECDSA signature validation fails to handle some signatures correctly
    (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
    Use-after-free in workers while using XMLHttpRequest
  * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
    CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
    Vulnerabilities found through code inspection
  * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
    Key pinning is ignored when overridable errors are encountered
  * MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
    OS X crash reports may contain entered key press information
    (not relevant under Linux)
  * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
    Privilege escalation in PDF.js
  * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
    NSS accepts export-length DHE keys with regular DHE cipher suites
    (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
    NSS incorrectly permits skipping of ServerKeyExchange
    (this fix is shipped by NSS 3.19.1 externally)
- dropped mozilla-prefer_plugin_pref.patch as this feature is
  likely not worth maintaining further
- rebased patches
- require NSS 3.19.2 - mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration - update to Firefox 38.0.6
  * fixes bmo#1171730 which is not really relevant to oS builds
- fix KDE regression from 38.0.5 builds (bsc#933439) - update to Firefox 38.0.5
  * Keep track of articles and videos with Pocket
  * Clean formatting for articles and blog posts with Reader View
  * Share the active tab or window in a Hello conversation
- add changes file as source for SRPM (bsc#932142) - add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from
  https://bugzilla.mozilla.org/show_bug.cgi?id=1153109 - update to Firefox 38.0.1
  stability and regression fixes
  * Systems with first generation NVidia Optimus graphics cards
    may crash on start-up
  * Users who import cookies from Google Chrome can end up with
    broken websites
  * Large animated images may fail to play and may stop other
    images from loading - update to Firefox 38.0 (bnc#930622)
  * New tab-based preferences
  * Ruby annotation support
  * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
  security fixes:
  * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
    Miscellaneous memory safety hazards
  * MFSA 2015-47/VE-2015-0797 (bmo#1080995)
    Buffer overflow parsing H.264 video with Linux Gstreamer
  * MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
    Buffer overflow with SVG content and CSS
  * MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
    Referrer policy ignored when links opened by middle-click and
    context menu
  * MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
    Out-of-bounds read and write in asm.js validation
  * MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
    Use-after-free during text processing with vertical text enabled
  * MFSA 2015-53/CVE-2015-2715 (bmo#988698)
    Use-after-free due to Media Decoder Thread creation during shutdown
  * MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
    Buffer overflow when parsing compressed XML
  * MFSA 2015-55/CVE-2015-2717 (bmo#1154683)
    Buffer overflow and out-of-bounds read while parsing MP4 video
    metadata
  * MFSA 2015-56/CVE-2015-2718 (bmo#1146724)
    Untrusted site hosting trusted page can intercept webchannel
    responses
  * MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
    Privilege escalation through IPC channel messages
- requires NSS 3.18.1
- removed obsolete patches:
  * mozilla-skia-bmo1136958.patch
- remove gnomevfs build options as it is removed from sources
- rebased patches - update to Firefox 37.0.2 (bnc#928116)
  * MFSA 2015-45/CVE-2015-2706 (bmo#1141081)
    Memory corruption during failed plugin initialization - update to Firefox 37.0.1 (bnc#926166)
  * MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only)
    Loading privileged content through Reader mode
  * MFSA 2015-44/CVE-2015-0799 (bmo#1148328)
    Certificate verification bypass through the HTTP/2 Alt-Svc header - update to Firefox 37.0 (bnc#925368)
  * Heartbeat user rating system
  * Yandex set as default search provider for the Turkish locale
  * Bing search now uses HTTPS for secure searching
  * Improved protection against site impersonation via OneCRL
    centralized certificate revocation
  * Opportunistically encrypt HTTP traffic where the server supports
    HTTP/2 AltSvc
  * some more behaviour changes for TLS
  security fixes:
  * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
    Miscellaneous memory safety hazards
  * MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
    Use-after-free when using the Fluendo MP3 GStreamer plugin
  * MFSA 2015-32/CVE-2015-0812 (bmo#1128126)
    Add-on lightweight theme installation approval bypassed through
    MITM attack
  * MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
    resource:// documents can load privileged pages
  * MFSA-2015-34/CVE-2015-0811 (bmo#1132468)
    Out of bounds read in QCMS library
  * MFSA-2015-35/CVE-2015-0810 (bmo#1125013)
    Cursor clickjacking with flash and images (OS X only)
  * MFSA-2015-36/CVE-2015-0808 (bmo#1109552)
    Incorrect memory management for simple-type arrays in WebRTC
  * MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
    CORS requests should not follow 30x redirections after preflight
  * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437)
    Memory corruption crashes in Off Main Thread Compositing
  * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560)
    Use-after-free due to type confusion flaws
  * MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
    Same-origin bypass through anchor navigation
  * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808
    PRNG weakness allows for DNS poisoning on Android (only)
  * MFSA-2015-42/CVE-2015-0802 (bmo#1124898)
    Windows can retain access to privileged content on navigation
    to unprivileged pages
- removed obsolete patches
  * mozilla-bmo1088588.patch
  * mozilla-bmo1108834.patch
- requires NSPR 4.10.8 - Fix builds with skia on Power
  mozilla-skia-be-le.patch (patch from #bmo1136958)
  mozilla-bmo1108834.patch
  mozilla-bmo1005535.patch - update to Firefox 36.0.4 (bnc#923534)
  * MFSA 2015-28/CVE-2015-0818 (bmo#1144988)
    Privilege escalation through SVG navigation
  * MFSA 2015-29/CVE-2015-0817 (bmo#1145255)
    Code execution through incorrect JavaScript bounds checking
    elimination - Copy the icons to /usr/share/icons instead of symlinking them:
  in preparation for containerized apps (e.g. xdg-app) as well as
  AppStream metadata extraction, there are a couple locations that
  need to be real files for system integration (.desktop files,
  icons, mime-type info). - update to Firefox 36.0.1
  Bugfixes:
  * Disable the usage of the ANY DNS query type (bmo#1093983)
  * Hello may become inactive until restart (bmo#1137469)
  * Print preferences may not be preserved (bmo#1136855)
  * Hello contact tabs may not be visible (bmo#1137141)
  * Accept hostnames that include an underscore character ("_")
    (bmo#1136616)
  * WebGL may use significant memory with Canvas2d (bmo#1137251)
  * Option -remote has been restored (bmo#1080319)
- added mozilla-skia-bmo1136958.patch to fix build issues for
  ARM and PPC - update to Firefox 36.0 (bnc#917597)
  * mozilla-xremote-client was removed
  * added libclearkey.so media plugin
  * Pinned tiles on the new tab page can be synced
  * Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
    more scalable, and more responsive web.
  * Locale added: Uzbek (uz)
  security fixes:
  * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836
    Miscellaneous memory safety hazards
  * MFSA 2015-12/CVE-2015-0833 (bmo#945192)
    Invoking Mozilla updater will load locally stored DLL files
    (Windows only)
  * MFSA 2015-13/CVE-2015-0832 (bmo#1065909)
    Appended period to hostnames can bypass HPKP and HSTS protections
  * MFSA 2015-14/CVE-2015-0830 (bmo#1110488)
    Malicious WebGL content crash when writing strings
  * MFSA 2015-15/CVE-2015-0834 (bmo#1098314)
    TLS TURN and STUN connections silently fail to simple TCP connections
  * MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
    Use-after-free in IndexedDB
  * MFSA 2015-17/CVE-2015-0829 (bmo#1128939)
    Buffer overflow in libstagefright during MP4 video playback
  * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675)
    Double-free when using non-default memory allocators with a
    zero-length XHR
  * MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
    Out-of-bounds read and write while rendering SVG content
  * MFSA 2015-20/CVE-2015-0826 (bmo#1092363)
    Buffer overflow during CSS restyling
  * MFSA 2015-21/CVE-2015-0825 (bmo#1092370)
    Buffer underflow during MP3 playback
  * MFSA 2015-22/CVE-2015-0824 (bmo#1095925)
    Crash using DrawTarget in Cairo graphics library
  * MFSA 2015-23/CVE-2015-0823 (bmo#1098497)
    Use-after-free in Developer Console date with OpenType Sanitiser
  * MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
    Reading of local files through manipulation of form autocomplete
  * MFSA 2015-25/CVE-2015-0821 (bmo#1111960)
    Local files or privileged URLs in pages can be opened into new tabs
  * MFSA 2015-26/CVE-2015-0819 (bmo#1079554)
    UI Tour whitelisted sites in background tab can spoof foreground
    tabs
  * MFSA 2015-27CVE-2015-0820 (bmo#1125398)
    Caja Compiler JavaScript sandbox bypass
- rebased patches
- requires NSS 3.17.4 - update to Firefox 35.0.1
  * With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
  * Kerberos authentication did not work with alias (bmo#1108971)
  * SVG / CSS animation had a regression causing rendering issues on
    websites like openstreemap.org (bmo#1083079)
  * On Godaddy webmail, Firefox could crash (bmo#1113121)
  * document.baseURI did not get updated to document.location after
    base tag was removed from DOM for site with a CSP (bmo#1121857)
  * With a Right-to-left (RTL) version of Firefox, the text selection
    could be broken (bmo#1104036)
  * CSP had a change in behavior with regard to case sensitivity
    resources loading (bmo#1122445) - update to Firefox 35.0 (bnc#910669)
  notable features:
  * Firefox Hello with new rooms-based conversations model
  * Implemented HTTP Public Key Pinning Extension (for enhanced
    authentication of encrypted connections)
  security fixes:
  * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
    Miscellaneous memory safety hazards
  * MFSA 2015-02/CVE-2014-8637 (bmo#1094536)
    Uninitialized memory use during bitmap rendering
  * MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
    sendBeacon requests lack an Origin header
  * MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
    Cookie injection through Proxy Authenticate responses
  * MFSA 2015-05/CVE-2014-8640 (bmo#1100409)
    Read of uninitialized memory in Web Audio
  * MFSA 2015-06/CVE-2014-8641 (bmo#1108455)
    Read-after-free in WebRTC
  * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only)
    Gecko Media Plugin sandbox escape
  * MFSA 2015-08/CVE-2014-8642 (bmo#1079658)
    Delegated OCSP responder certificates failure with
    id-pkix-ocsp-nocheck extension
  * MFSA 2015-09/CVE-2014-8636 (bmo#987794)
    XrayWrapper bypass through DOM objects
- rebased patches
- dropped explicit support for everything older than 12.3
  (including SLES11)
  * merge firefox-kde.patch and firefox-kde-114.patch
  * dropped mozilla-sle11.patch
- reworked specfile to build conditionally based on release channel
  either Firefox or Firefox Developer Edition
- added mozilla-openaes-decl.patch to fix implicit declarations
- obsolete tracker-miner-firefox < 0.15 because it leads to startup
  crashes (bnc#908892) - fix bashism in mozilla.sh script - update to Firefox 34.0.5 (bnc#908009)
  * Default search engine changed to Yahoo! for North America
  * Default search engine changed to Yandex for Belarusian, Kazakh,
    and Russian locales
  * Improved search bar (en-US only)
  * Firefox Hello real-time communication client
  * Easily switch themes/personas directly in the Customizing mode
  * Implementation of HTTP/2 (draft14) and ALPN
  * Disabled SSLv3
  * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588
    Miscellaneous memory safety hazards
  * MFSA 2014-84/CVE-2014-1589 (bmo#1043787)
    XBL bindings accessible via improper CSS declarations
  * MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
    XMLHttpRequest crashes with some input streams
  * MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
    CSP leaks redirect data via violation reports
  * MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
    Use-after-free during HTML5 parsing
  * MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
    Buffer overflow while parsing media content
  * MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
    Bad casting from the BasicThebesLayer to BasicContainerLayer
- rebased patches
- limit linker memory usage for %ix86
- rebased patches - update to Firefox 33.1
  * Adding DuckDuckGo as a search option (upstream)
  * Forget Button added
  * Enhanced Tiles
  * Privacy tour introduced
- fix typo in GStreamer Recommends - Disable elf-hack for aarch64
- Enable EGL for aarch64
- Limit RAM usage during link for %arm
- Fix _constraints for ARM - use proper macros for ARM - use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too
  to fix compiling.
- pass '-Wl,--no-keep-memory' to linker to reduce required memory during
  linking on arm. - update to Firefox 33.0.2
  * Fix a startup crash with some combination of hardware and drivers
  33.0.1
  * Firefox displays a black screen at start-up with certain
    graphics drivers
- adjusted _constraints for ARM - added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588) - define /usr/share/myspell as additional dictionary location
  and remove add-plugins.sh finally (bnc#900639) - use Firefox default optimization flags instead of -Os
- specfile cleanup - fix build for all ppc by not enabling elf-hack
  (bnc#901213) MozillaFirefox-translations h01-ch5a 1760687699                                                                                                              	   
                                                                                              140.4.0-150200.152.207.1 140.4.0-150200.152.207.1     140.4.0-150200.152.207.1                                                                                      firefox extensions langpack-ar@firefox.mozilla.org.xpi langpack-ca@firefox.mozilla.org.xpi langpack-cs@firefox.mozilla.org.xpi langpack-da@firefox.mozilla.org.xpi langpack-de@firefox.mozilla.org.xpi langpack-el@firefox.mozilla.org.xpi langpack-en-GB@firefox.mozilla.org.xpi langpack-es-AR@firefox.mozilla.org.xpi langpack-es-CL@firefox.mozilla.org.xpi langpack-es-ES@firefox.mozilla.org.xpi langpack-fi@firefox.mozilla.org.xpi langpack-fr@firefox.mozilla.org.xpi langpack-hu@firefox.mozilla.org.xpi langpack-it@firefox.mozilla.org.xpi langpack-ja@firefox.mozilla.org.xpi langpack-ko@firefox.mozilla.org.xpi langpack-nb-NO@firefox.mozilla.org.xpi langpack-nl@firefox.mozilla.org.xpi langpack-pl@firefox.mozilla.org.xpi langpack-pt-BR@firefox.mozilla.org.xpi langpack-pt-PT@firefox.mozilla.org.xpi langpack-ru@firefox.mozilla.org.xpi langpack-sv-SE@firefox.mozilla.org.xpi langpack-zh-CN@firefox.mozilla.org.xpi langpack-zh-TW@firefox.mozilla.org.xpi /usr/lib64/ /usr/lib64/firefox/browser/ /usr/lib64/firefox/browser/extensions/ -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g obs://build.suse.de/SUSE:Maintenance:41133/SUSE_SLE-15-SP2_Update/486f7e6b5aefdb69db0ca17e262bed90-MozillaFirefox.SUSE_SLE-15-SP2_Update drpm xz 5 x86_64-suse-linux                                                                                      directory UTF-8 Unicode text (Zip archive data, at least v2.0 to extract Zip archive data, at least v2.0 to extract) æM€Æ‹y%CØYpl×      utf-8 4606b9d774cf45cbd675b4a6cefd3d668bf465256ca38bf193d8deee80e5d8b9        ?   ÿÿü    ý7zXZ  
áû¡ !   t/å£àRC»] "ÌkÀ&i_ñÒQiŽ­ÐÝ,¹	˜žw˜‘Öµ5À±—Ø‚æÒ+’›®€5)5•™e	~xº¶Ü:¹}v
ð¨bS&]Í÷¹ÚåV;™º v« k'®b6Ç’4ãrÀývjW?P\Œ.<’yMGÁì³¨ÎB¤ÝXW ÑâtûPä„+Åi’èS4S9ƒÎ,sB.µZúÜã%\ÉõçÑC!@ˆ
ñ¶ÇÏêŒ1‘ZÖŽÀ^>Õï\§Þzéäl’…U% 
@5ø›„1XàäÂ(rhÒºAÄ|êèåƒìôÔ‡“š~ŠäiÑ•#[“È÷@ëaÕ|;ÿRûkÔpjŠ-ºéÎë2±P8l ±%
ÐzT/ô@ÂI«ºQý\„"(·W%TÈãsM(€‘_]YœI b#.L¼:|‰¶VV˜Ažc} O×~ÒÛiQ9*”ñí“BÉžÒ§v´Ûn)õp-4„¬™rr §ñúžãà£DZnVÝISu“>Zåûµ[»÷èùjw›©•,±Âs6â7&ÎûúÃÜ›äpL+¼gÔ‘ôã´d?§{•žà½Çuò–R%ëÿ[•q’ÊÓ•Xì+#Jv÷ôñgLÌ«¦î >¬Î€ãIøŠ äöÔôà75N`2Ì uÌÔ
^?#DZÏ°(”ŸÌjXT·;àãçãµ{j£§s¹IGå„`É¹7
Í%O™3GKnI/a=YHMž½Z®.=.»¯M
Vî²uzÚR(ƒ±ÔXñó]1Ï Å<ZQ¦Pæð¬¯'Ç“ÊØ·×‹is¦°fßA *ÑõÑ¦wßìè—QÀìüí½T·íXÌ<Y37ÉVchµ‹D"ÂØ&¥J
·*¾}´"òôº0ùœ*õ[ƒ2´Â"FâÜÊ;>L¼}HQŒôá•î \ÁyAÌ”1ÿ²l~nx¬¿ôI]ûâRVBÄª°OC·#úWæ¿°wo²å‡$äwœµò\RÌï7ù'P‘¢Œˆó]=ìÓ{3S¯'@úl¯‹	Ms£ksWœø®ùÒ›–Ì[P±¡ðVñÞóa²í¥>¿I‡CÞ G°½©(kŒå"5‡ñ:’"Â»AR·‰hçb?v‹ )áçã·‘úÕœîq£[•f(ã‹éú7¸»¦[/Ká£CGŸŸÑXu@®r]ýS¼°@%¿èi¦‡µYõ$Ê©	l½ÛY×Æ™ºY§ñ€O³ó¬ÌsÁ°<#]iÓ$Qs%åXÖ¬`: ìƒÇ1Ç½# L)¹>®ÙcÞ±ÏÉÁ"Ä± ÏéjÕ¿2êó‡%E?NÓÞ”%ivýûÖïdŸùHfqì"ºyã°tÙ©/¹¡Õ­äŸ4ÌNxõú.:2:R¸*´ƒ/ŸE¶ÈhD=üíãŠ^ÎsBe·IŒ¸ ½‡BúÎ¥Cß‰¯ƒžNiß‡N/Yôyõ±ËØOŒ8!ä•eFÕýå¨˜Ð­Ã#šÅ¸6zËumÀôÛt|ÊR÷
³v¡7ýßÈ:ýï³‰2¤çô„…Þ¬{LwÎI]€DÔ,OFÖÝœ§;ùS¡/’_h®DÄÉa²ðÕqŽ”dÕ®m…òGÆî}Ì^£ÛJ×[ÇÁe…ñõÂ¼(ÿKx}DåÒ=‰ÚÒ-¡AÍ—È7ð³üP©½ŽWüv¨cˆz2ªò:—ëD}.syq¢\N·>!ÞIý£	ÄŠ€öý@|¾Þ5&™¾šø±;Ê}MKùuøö“6bC£¢|väucé&ŸØ«/‚—9À$ÎÖ%àÇ|ÔG®ø01ººÄ«lo7K/»y@}ýî+î˜ôiÍc¦TÎ`JÒ†ÒYo!piöIëœëJè‹7E¿*kÞàT˜.‰3G©N¼ìûÅ!Ê!`²Ó<ú’+Í ì(¤`ÐQ¥µ¶ŸÀ…Þ§6|Bg²F÷þ1¯¯{%ˆÛÁÝ¿Œž…9FÝêÃïIS«#’‰¼V‰Q­}ž:
X§©"_Û‡Ûzx6p› J†¶ITË—€âˆg¹ÄæÁµ9æj¡è.en¦"û©„ÞS»0«Z¿7t™‡e3–w 61§·Dƒ¨c³ï@%·q2ÂÀÚöafÜibÚ+ÑØ¸Ðá‰àjòþ³FñÞ€€6Å[ÿ¦:íöŸó„–MœÙ„6#“<'¥¼­ÿŽ¢Ü§
äoTØ]Y\”s¬žgq½¹Ò¡?·ZŠzX£Y BãyX5QÿŸ‰ÉGf7nÆ”!Tœë¯(˜¢ÓYË.¬–Êõ–­T6›aUZ3Õ«cþT–²É
dJ†A??ÛçfG%ŸÔß
dÍïÃ-û™YAÿ…e¤ì¼‰xš·ÒaƒR`Sâ?{²«0§§:ÍÃ‰ë§þòbþêð¼TF¼…‘ñz  {ŸFj_ž ø:&€ÔÖð—ÖU¨)¨C†ÒêS1 'íR›ˆ¶bJã«ðow¾Éº¡ÔÖk[lßáýû§½Ž’·½19¹¯'M#ª]; kóyA·G’ ´ÜÛÍÓ
/oŒœ&Ç©Á%èòÄq‰ßPHúP‡q+¥¯´ÓhØ=¡£rŒq¡hŽn"5»N+|­†<9Ø ðýÏ¥›ö@µáq`Í³ Èz*²Œ˜´a'¢?ÛbQMËåÀ¤ÐÞvfPƒŽåñ;Hˆuhç€Î¥·s·öfÎº-
Y€8Û2¥`PmÀ+¤+N<©¶eÜniŒ%ÞðŒmBGŽþä³oè'Ù¨@-ëƒ¤²6â½…K•!ãvÙŒ!Ÿ	9Q2W,IÄ¼-Kþð—Äa¼Ø>í·RÄCa;ýUG”[ˆØï¹N½²“Ymœ ‹áSÈÛ÷}•d]/O•ïáÀ(áêÐ÷†D°[Dø×þ‚^vè@Ý*<Ê“L†(â|¶&P\Wx&µ´dÜ.d¨,xÈøþ~þêJnÿz§–A¶¬ÊNÝÂ8÷ÑÑš]ûâ÷ÙX§|“]×u{¦§­ê
ØŒ…¨sÊë ¨&3®—»Ÿ‚jqA°}ý8•d-ª…ïF²§ôÏÀ-×þ†·¢G¶ù§¯J‚«áyÜ–íÌðï;^›Eò’7PoôÂ“ÏŸ•SYó8Qž,76´à©Yw¾¤Kèù[ô}þ–ƒˆ/ÑŸcS©,É"_vöˆÜ]Zž¶?kË<žh¸>¯;EñKlNsH?û¹ä4É¡ôø·6‡)­5*Cõ™v« ï=cêÀ¡²¶µL©û¼™±Ï`F[Hú8»’ŠRÿÇ=¥aD¹jÔÈÛ„8é™Äõ'áêìŠì{G… r;ŽŸ@E Õ‰¤\ý¨ê^–¾Ña\Ší #y-zYïl‰µ°>)Õ8·M‡®ŸŽ
Ã\Å4Ø-ËÆý3;>¹l ZÆCòÄ+„½rNÐuûìƒCv…cÍÑÒi˜…(’k\{â[‘#¯ c¨Ï'>Uä¼¹…ú*Ÿ5kµŸbO]~MÍ}íÀ-ŠÖX¼ªˆ´©<z[òƒma’üØìçØk<\¢,‰2üÖÔèÌ5í+„¬™.~e¶X:Ž!t´b•Üôß³)f±ãŽsÂ34Ói{¬Æïí–zö^ñ6²ò®ôõHÐÚ‡_±þTÌ£€dB|h,ÔZÖH$qm m5NÚòîœP«T!‚Åj¯ÿ‰÷ê“gZç~¾,‡WßÃéY=6þ!s«4Ýü›Pþƒæ'Ž$ZÃqÇÛÚShP¨‰¢{D‡œ$Þ9
P
ïX.å›h{ü)ZAFpû%ò%[ñŸX©ym¨>.@â»®-Vd÷’õ–(ïÔlnÌMüÏtn¨áñã?$`À¿GÃ{Ž™E@H¼ìPîJ+ë
Rƒ5³t®¦g<!2<Ã•„6­Â¥$Ìt„·ç—ˆ™ä'ø€êñ6&$Ä¿žl ÁÔÍ³…öYà~TP¼ïåøÇÏT¢öf›}˜p¿z×(Vú§L¼¢p‰§ïq£ç.Û§&‚Lñ	µ'ð€ÜÏKŽ×ãPvu—RîHŒ%e·w¬²ëüËÎ"Íæ=WûÄý=Âç‰P+¦"4jËUe„±K»v®¾HFþp¡fž¿õm¼-t_Ù–LúYTÁàYMb{-°3p†5êE0F²ÐPÊn=Sý€qr].³š.±Ò°PÖ%«Ø¯6Ò]a}ì>ZÚ¥Ü°]fDÕý¼ÀnaÿÐ¢ÞVíWJ…V Cæ%ZL2…Õ c“C àÊ¿N¾L|†r„¾[hí})¬ø×x˜š7ÄÿÓýÁ×?À¬<>kH¸à6ônx€ò¡µ×Üš‘q–Öï„~›Ö÷$NN³õ©À·šÝlE_q`ðœäÀ{zg§C|Äçå°0ÀÓq‘§g·¤jeIêH³Ú
.š–¯*rFøïÛrY;ª…Ž0!X'¹‡áÁ\ åÄ_©±µ—Žì=:ßú˜±KÜÜ3€GòÅQ `TCÙ%KsS	îëŸ¼jÿ{¨ˆpžj 4û(z>,#I :¾ÖHŸO\
dé²ÄòÃ	%«VžøFíÔ`}:lmL8¹ÔÑUdïEMñè•G‡ZÕµ);È|ˆ„¢A#tF—2Fë!:(˜…
-{øÅ"Í¦¸*›èòî§"`Rê¸€fÿ:Ý‡ñe}ê¤J³a"Â;a<!ÙÅNÊ»ßçn›Äû<!sÿ	º²IÈÛp×?A6‚?%žÖ$qœ{”¶sOpÁ®û‹ãkþE·“i¾»^çÕtßËª´£yëí‡	ªPàè”*BK°YômÅ»ÙÞ©|Ø?@°4‹qçµº‡Qz¼lè<º$$%: »Ë_K0ÍÉM²ËÿÒ«7 Þ÷žNe»!À¥=ƒSùFþ+žY¾wµý¤ÛÇ»AÙ€ž“(vu6Câ½þìæógrÌ©‘ôéZÁEŽtšNïø. S9ºï¾þQ<I%8Nêp§…)™æ•w®î‹MD$º—‚Îˆš!è0SG§;ýFî‰“OäÔN¨FKç™!ÂhvÇGÎ2D³$€|¤\•ÉŒoe¶²D‡¬ Ì] ¯œiÌpq@>ìs–o²¼eB•¢‡3 žT¿i®¢(õáÅCãv[0ì(åßIûD/Öü_ÙUì<?ùT¾‰¥j;‰{Þ41Ô>‚|1ëÙíÁÇæìH&v…}0GŠüƒiºèZí†òÊ€m,qrºy£}´¾«Ii.¾õ¤ )NØyQrŽE·læPKÃ*«àôIÖ¡ôb*£¿¦†ÕM#ŒbÖ'Töe×±¨îãÔæb‹0‘Ä nãÉûzuKÂ÷c¥fXïæ†õœØÛ¼Ð‘º[ kX¾%€Â&ö{Ãì<ì>Dê—·ŽârãhÊ²:'MÄ3i–¼´jÛ7¶ì‘²R¡ÙNÀ[‚ÑWŸ“K»µï²†:ÈÿÃäJS,“ÙÛ¤Çž4n2x‰×Ì£ò"cÍ½s»YÙÿ=<š`åùf<ü¤xÌŠ°«a¢ÿÃ :Z%"Ë<Üÿ“…4Ì‘N'‰äÜ<}ºÅwM¾#Æ<Ù¹
¬æSËu€%‡<ðSðpŽ×Ã¸íéšpú¼µ%Ñ«Ÿ¤aÿ$Ga•C¢?œ`ã&•aT‰í†ÉOüÏx	zi«MÿYòÛž;"‰HÞÚ™¶ÜY¡'çqã{ªŽ:!)ƒ(ýà-ø÷ª!Â6®[PÐšAŒãÚÌµ7Ú”UsÈÂ{‹zÉäN
,	cÿ²}ôÜaúTñ8­pµ¹@7
šÚqJRtƒh,åE!#CÙ—íq.ZùB4‰Ý5¡âŽÎ.þ7ëX0.}í±Íl*×ÍX-b²`ÜÙM×l¿>Dy.Ê­hK”I´u|Gc”n¯ô›kž¬5…u¢¢z¬ÿ"áÝ{Ý÷ƒÂ0$xrb‚ú ÿsÈ¥%€s|q×²Ê$¶Kýf¸nµ±¸eÍ­Q ËeŒ]ÒE˜Cvd|“=C<U{¿-á¼_´„œgï!2ã«ï1ÙTøtTYCþÍˆŠ#TŸ÷è—çG-“ùK;#Ó• –V0ßnËáç"_z®ÕŸ»[LRè*KHC˜8I'útz3Þ™âÌðê€¢ŠéüÃòl½­:&ûæÍ8bÿ‹|×ç²ƒìv;înZ¿°Wžš3ëf±Š””‘%A:™Îz	Èg®-Ñ»LzÜÍ´”ƒ^A&ò³L,MÐ?’±|ÀÇÝÇ=e˜q…NBè~æwA´io/¾XovëñÍ­,^âSÞ’ºÍ)©íéz)˜×û8$çþ¼›Ã ¶ÄC÷uŸ,nšÖAøS]“Ah ß:ÏJ gRáB™B5øústí(ï'@by»~¨°É‘|G¯ú±µç"‰™×•­O¢ë^-Ïl|e”‡£îèÐef|ßTA\ÕA&Ú<àœ|éOÜÄ¸ïi’óŠàAŒ‚3iõÐ’?”Zõ¸‹.dÃ¸ËÈýuk¥ePêæ	á`¹ƒfŠŠAH+ç‚ºæGüoqË7ü¶ª¹XßyøeŽ¾by5)àÇG›Qs€%Š…
o@q·ôÂñÈþ4Dœ°Ï˜YyäïØôÞ²áyƒ_«ïñö4bµ`v&lÄ‚U=ƒªBFÜƒ«¢gz¶nd04`º¯ïäáÝ”é×ÿ
"»Ý~ë	‰¹:=Nì—M€¼¾K/\Ô¿oaül¥JÛa
pÞÒö…û÷ø‹‹·RÍ±ßÁþç^‡T‚œÙPqMá72ÍpáÝï˜™ý%èÂ8wë¾Î8©Œ‘ XüpØt)>/dœªžØ a`^@ª“ÛÉÀ…cÈ5Ä†1Ê ø)‡ÁÃ‰ig2lb`xUîw˜r¤Ùa—¶ #Æ‚%>U«ãŒ2õikª„ÎKsC…eö¤{¢ÍcÁèbìFËy_Ø!<ŠUM&nÏŒÁEä-9JR¢h	« ¤ÆFæÎšá§5óÃUŒÇ1 ¥[‘^ ä¸Ý¹òkêc™B5ƒv
a‡²-$(ŸÑ×’ÓpX]Œ¹d‹ÛÔ‰J»N”1b¼¥²°Ÿ§PB´,Ä¾êä×Ú\ÎFFlôíÛ‚^Ž*+÷a‡’ðaÕ}æ“³•¬ª;j¿Þ+@BEa	Çûåèæœ7H}/—K¾OpÎˆE\M  Õ»øõ’ ×o®xŽN+Âà(8õT“¬¾YÏ”Ö¦ž§›wTíƒ½Qs¼œ>"9ícg—	‚M©rã]Œ·,ÚŸ×‰!°où1uNÅ'ñêt‘,þlŠô#È(3^ ì’“bë©•À.Cô±g ç@Qì2¤Tô,*ž= Á÷›òA½Ê3,cs3°¤„ý(ªJ–ø;r¡óØ+‡LšðuFt3N¥Ðs(Ià²UqL‡¯°Œj`Ê‘ÖÍ2
mçQç^J†ŒVR¢„M!ÅÕMý²	ø#z
ò
™’›´#D‡ë^¥HöŽIâÎÕ«äœ¾µhA9ŒÖœ¯/;mŸ­^á7.¼×ÿªžib‚˜Öü»·ÿ _lºË<Y!¨4zÒü’–›ˆúo}yEl!*¼™|´â ù(6[%;4öYhLÎõø?Yó×-a‚À×¨Æ”9×1f &t%æLFž«RµxV” ®ñ‘¿O`h¯r;-Ñ›yöOL»N{Š>G5t9l¾Ã‰möôlGÀäîPõâÜÕê²EÎlQ€h]Œ“ÛÃŽ¥QBŠA 7G¼ç&:Q¼ò¼¯«6J(Mb%@G¡U¥¶xB]þ€4xä¿òmÏø—Cí3üŽ¦(à,x‹†ÙÓt­LWPp}†kPœA'Š)9þ{l^=J’S—–ÔAÅ-Oë¹–˜•)(®½ä SÉCóÜkþÙtnöŽØ‹xóVûBnï­ÒdË¤ãåÀ¥¾%®…t#`Ò2“xM Û¿‡heX ¡oÈc\h_Ž’(³sZ™á}8E˜i«i¾Ö»Î|åÀ^Ý±›™ÖUÞØ-ÔÒ-;²‚ºså­·$:ONŸ<;S”@ô8|e2ßµvÞ5s’.žÎÂsy}bùQ6°êèbós?œË‡4u\­Å[:…­}OY>ˆˆ#H6Ü€¸Ó”lÎmë£¯ŸýÉöux?Ð©„ŠCnžï •¯ì]üÅÇº&=Ìâž=—2_Qr'†ƒKJ«â”€’cL44xdìø½ Éi#åæ¥Ñ…–£j´î;±ú`¡h•þRC²€×æ^Þ³Vprƒ¿cWþoY’/Õ7’¥[ŒŠÐ£åÝõÐâOD`oŒ*®«…q$¯‘Ý «XC`à$-ýÜ{Äº÷*Ý·oßØ–Üš`;eí0i·²zOŸ±ïf®/í_!EhñˆlpÑ:fòäa»@^Â†R#ò!=§a­Å˜ÕV¹±W^¶4¤ÚÀ…Z¤]æ%SŒ8­@»\Yèä^‡b'úÂÿØ&»F>Èƒ÷ý!	ÌÃ.5Â¶rÝg•jh çiÑÉ /æOæS®	\-cÓ¼¸2€%ÇìFŽÚF/þT®ÒÓm.["F}?ëB^Âkœ÷ÏzáÐVÀ°Z
tK½M¡áQ<2â©íÏdÞìê©%ª”m<.Qs½¶Æ·Ùéjj—”œÍà–s êZ{{>ge'w7d‡›aƒ‹ò!äØŒ#1¶8îäªˆ$<«*2›±VRÍfŠ±êÛŒ[j“Ëåâäýv{;]œ51Oãà'ÂÆ¤VIÄïìðÝ‹¥ þv‡NhÜ˜CXFlxXà×ÕM³s~M¼ÚlÜAº>ÉL‡XmG3Ó$óÀ d´×¡hß‰7í#Žÿ9:©kÁ3¸åúÞ« 5?wEœïƒþn9€ p3‹Ê^dÃüà¢„àUYüQà½´B&ÇAìå¸‚“ÝÇìHÜK$?·Ã¾ÂÔFJŽ3ÿ¡Lê)oá‚ŸzÌ@dî4W –_¶í„ÿºkh"€¾ÀJ¤„š¹Ú_gC£9ŒK›Ð–$K¥èÆÅa/Œ®ŠÔ<9î[U“Ì¬
^U€ŽM|ttb›´l~Ã0±t#ç­P³ðzŽ¶u¼»xµ²z‰­> ×HyÆ×!„5ÜH8&ÉN:­KUÀC®26S¬KØ.²à~Öìé&‡j‹Z‡d;-0±‰8GÊÜ™70Ùû3ìbfªv6·Ï0|§Ó dµÂJOØé)÷£“V>B8t&%]0•zç­]Zl—kÍvWæ¡ÚÆ;j?ê­`‚6zÁèÿ(¾ÇšÂOÍoÉó°ékËÌ©nË±¸hæ¡ÍÑIÚéÛP¼t…ü4µ`¿þ£~ÊýFI{ÈPÚQÿ;Y(‹Ä[sô¥ãkœKt'ÈØa‘¯OÎë]þ‚è¾‰ÛÛª7ÕòyMg!Ê¾ú[ŽÏ-WãÒ¼û&ŠCD€7ø
œ[âÒU5Û¥á]ÍŸ¡gS’¸=¹,­"VW~]8°oñ“iåìÐ‹=º<+åÌqm'ø|éN°‘Í$Èªc÷%vƒðÜJèÏÜ¨€]£>ìAáÈ¤Ç–÷Š#³S²H³1ø7xæþßÃŠTëf°gÚl3ïìÓ&ÎÎTöÕMøý(¸æp["¡™ï« ¯Œ¥¨ï ;n_ÒËQß/c+å€ËÜ‡P²A‡ñàëG"©P¦ŒÝ#Ožb ÓU°µÚEÂïBCÎ#S9;ó¶{c"[ªªÎŽ.Ñ«“"3¬Ð >†Í•?[Sí¼©V¤¯Ð{±¾|H[h.’¨x¬@íêïz•oD³#‚Ú¨ù)Éú/É6áÞpÛ*×Gç@SÉK4÷£\^Afnvotoã:ìÒ­;õÝ”Ïå)b:üu[Ox³•¨ëøÛ´
ŒÜc„}ô_{±åšAVd`ÆCˆèÞÔÀÛ]ëâi³à]c1iVùöE½?]˜GØÑu[»ƒç	J§â¦Õ15dïímuÃÉ®kë¯×ÖäÃŒ…b+½Pæ«ˆP‰ý0Hh˜ÕA=y0øÞ›G	Ä¼^šˆ‰£Ebºâºýÿ+:žê¸€V+XõÓ?$ˆß ŒŒÕ/Å«¹ÒtÞG¢ätyjZã|þ#¶§þGuèr+…Ùé¾KÝ‡£
ì+ =6Ý‚ïcUORÓÇ‚_¿€]Lû—Áf·ÖuH2ãï·µ÷™:FÀiÿlÄBH±CXØW¢>op#& Ùa¯òžÏª
Ú›Âó¶s ñ¤0XaˆË…›"µÂ†u¹^“8ÉâK,‰6@“#Ò‹gÅÚLó¥ñü¹’ÕìâÞ Ê6±»YQW,_ãg¯ñ »Ÿègì?s±xPª¶ƒŸlòR«ùY¾«ÍçFGé1S.3¹í¾nÛnâ5ÝÊ˜Ð´Œ-× ]óÌñÝçÕZcªP^H4CÓ¡À1Ð„AÖ½,
”m…rÄÜdO#‘€„·¹jD\/Ù`‹pO¡ŸåE"ÈX_É!wÙ€sx7q'ô^AÀÎž‰@ÍåhÐé Âs4@)=\‹¯¦°Èþµ“A ¢”RòÖ6¹bJÝSŠ­‚nƒÑ¬ž‰_=‚÷ÿ©YXb`vN*æ#šßî%ûÄ¤r†@lªMŠöaÙ«üÀÒ”.”/fáÅºõéº}@Õ rT­Á©#%Ùm€Y§¶°‡òÔ.©‚£9`QfaºOûY‘!´ºÒEÒP÷uß.Qï$LO†at`Ò]0j&çE†dÝýã"ŒPE&ÒZë½€óŸÆâ_©¤ôþ1ÄôÇri´WÆÄ”ç^gŽžÚÿF]ö;AªôíNÎ“†¥û÷ŠÝ]ý=¯˜=	 n¿Ï*
ó}ºÇÏÏBÂÏµ½î_ÚƒCöe>£v¨#ü‹ôfPã‹$>ƒ+þ>^¥ŒH~‰aÀÑ_Lf7oDUtrß7ëHuÿ9Š núð»]e¦|áÍ}[j*¾Fó%K0kˆ2ÒEÖ¨ZRrjßÀ¯Ù"eÒË~¤¡på÷‘þß;÷6:»±Öºu=ÐÒwõúÎ[Ën2K\z^¨Žïœ„÷‘›ÅÊŽ„ZF‹”è–Pþß™çÜXv<6¬òØ³Š!g7’¯úuJœÌöSÐ«Ú®7Md¯?´Ä·NLÇéFÏŠCªÖYšW³	D…,µHR@-s×—x«øäœÎ“ÖÛîi£!»Æ¿ÏJ… d×4=÷·˜ÁŽbÂG8Åµâ1ÅaŠNÉ9`R-e€¦°áË^K*³ç¶‰¢óBŒÏúžOì%PV•	–C'FK;OiaÉÚÞ|¾ùX28¢Pw(ûWýfKÃŠý|š73Øv[Žðçíöò#Y†fu`É«-
.|vöB€@äv2„F-—¯J¸W’'PÇ	Äf±./, œ<ÎÄø´ôk)·t4HYi®Öæ)ð”³ûØ¿wE•¬ÕaW—²!©d–3«Waó/òÜ.6Û Âr¾.Ô8_ñ–¿m4œhžÜ›,­AçrÄ˜t•
×©9MRÎlLžÀvº,r;”¿£!ß¹~8ñøúp”Ìà«An üð±èÎZÒïÁ†Ê¯pÚ ]©'Oš EhNâÌœYÚH3ïÅZØËfI	þä¤Ÿ›4”a<O]ò8ÄC×[&›r‚R’”«°*ãx §2©À+öò7k¶ý0¹¯ìX¿?p¯#óÎÓQ&ã2uæá Då‚«C2ãfxòÈ´¥´„{gS	`ßò?üÀ©}rŸÐ ãÑYCAóhí6ÚÉœ“äz4àAœ2ôâpÎR[åÛèN 5 ÜËICñèí$ÿI[ºó:	4Q©ÎÛ67Yhí¥¥Ì,}+÷^Ç' 9 ”TncdmÈ~ÖvÃCÉõÓú¾¸PËßêWú¯U~HJò¡ÏyFØº/“v¥1ÀG³Ÿº³1èÎ"Ä²¡Ã¶Ç-«ÑŽt©Tã¯ÚŠRá7—0Ì6ÒMAÍU PB:Í˜Ž-Ï¹Úû]-xð"I²1Ãð\õrŒmt`ÔèÐLó›8VtÐü÷Téùâž kù`ê7;Ö]z—›s²Êé¬ÈöÃ/bžFt»þ ¾+˜öÖ¨eVÐ6"è(lmÿ‡4½ã1r€r~Ø:ºƒƒþÝIn–D>Ýv‡Wá$[äÔ/z¼ êB~ŽÔÁŠÒD€¥?hT~±»ø·°^ÁjÄ‹ºì„ÛŸ¬3mrÇ?ÂH+t"[³ô}1×½;öð¾´Ö»QSý†Ìqö¦ô¼k$O&”¹§Œ˜—º/…ŠŠ,DÖÙèÅGj+ƒŠY^±Áï©m zÇº¹›•¡ÙØªNÖï¹`õ“‘V.ªŽœÙ˜Qr§B¶¹AÙ_
n_Ôew&^bkõ¿8Q¤J
÷øéÛÝPMÇé‘jÓ ä®úã±)ŠZ§Vk‰Ì…97%”'*a£>Â˜†ÑÇö“¾ òe˜ó?,Ø¬n~³!.	,kÎÅ—H®…¯yHH‘CgÊ~ÂIpÁ$	{øMüœQôÞ~ñ<‚ïÌ(K]VPN+€ò.›T^	O,dí Hœ,ÞŽ7Ã\»gÒò?ey>–:^ÖI®ïA&vREŸ‰÷©9	ÄŒç\ßØ»Ó:¼‘’ôþìj€Ù•ö–V&°E&U3³t`?Ï1Ã,
ÖRÊCoÍ6k ¾E–ÔmQæ”·QÙŽUØÌÔkÜˆµÒ0gkêè³Å.„ù¹ã¨£{Œ«3`8ÔÐq~XÊYV|$fö£zÊ$»¨%2
äú!£ Y"Â´›ù?‘ppÞ±àô˜¹s¸ÄpŸ9‹Ô›½®ñÆ&‡]´0è³ªT€ŽdÂ{YƒÌBkúi\í4Æììÿ†4‘æI´‘i—±ë:#0ŽànûS¹-yØßd\ž‡7‘M«¸·’@MEöÃa²<Ö:hG¡çØ‹v÷Í­-
ÐnLxOÂ·%|l¨Wråöš„é®*àZi®ë3º°xöâ«tKÊÔ{À»Ž1Ç!¤ô\¦ÄD<SØòÈù=þÑM}èpâgdŒ7oï!ÐkÓŒ+Hi£[è0óâ9 yZbÅù6ëe&‹wCx}cjY´„™£VšcAFV†üà €·nk ]§©ß®™tÛÉz^…ÝÉÅÐOà^¿/Ø°w¾´EÕ¸Àá/IkOJøD7q3	óÎôÏË4*14ëZæËÜ$9‘IBðdš¸¤¼y4É|&]y©Õvnë!¦ãS´ ó¾‚Ò£›Â”Ñ}ÙÕhj2Ýoƒ£xèÄä¿æpÌ–y“õ!<GÄ|ul&=Gn-"‘9X¥¾òNÆ|Þœ—XØF—tE…Gê9’ToíŸê
4ÿ=ªô¾s‚oŽTj`o/KÌ³ëZ«ôX»8ˆJJëãÆ¤ Fxßú¶0¡sô¦Ù5†Ð¬Ø©©³ò:aX"IÄ$rÜcc·™¦vªNŠ¤aDÚ:üCÎ«’ê•4r5¢s$}}ÂJùúÛ´
Âkt°w¬S{l@ü#@rRÚ³ ÿ†ˆ}–ÜÁ€® µÏŠUóY<ë¢MwWOl›ðc’"ˆn +o•©v8Zç² ‹Ï„ÕÿÖ=ôŸÙ*ÁJœUg%XY ÿÎ5æ18—öç×ò«ñ8,OûôÃr$îVç\8QýP·‡þJñßƒ3‚=ˆ$d”2†º´“uÀ«áÜX0›TŸÜøqo™Jøli~¨'£ ”Æ=p	ø KÔnß[¾%!!;†Š[m€&Ü3Õj	6Ëôc™|r_ºM¢pNV.Xßï¢vŒù§'¹ ïyƒŽøÅ. [ãïqÛÌ]ERä…|4Ç±ð¸÷ƒ‡?M¢&õ-±‘O“yjs¢#ùqTÇR&p~’Ð–ÕÖÛ^Öø3£?P$¸ªÔ¬IUŠ›Ÿ¹üñ¿î’y`pAìÄÆ_SF·pR’…¢ŒsŒ—Œ?Î»yÊííÃND5x=ô4i
fâ{ôÏ0w%–FFÑÂQ¿y8F½Xx]3/€+ŽlãfIµL9XñØåÁFsá˜5·º[S³+A ·}Ï]Y³Vg³ÉÁïn‰¸WyÉ‡¸[c‘Äæý#¯Ævá9+±v!WS¤§t@wX"†Åm}HŽúhÍŠƒcÀ&ƒ•Á–¬MîWhÎ®ddÓ;qÝ×zXÙd8O]ïßÔýn…Å³ÛDägÂÂi*ë²‰àjÌß¤ŸÚ(•×Á>ðì“ªáK¯¥Íg‘ÑVºñp¬u‡Ï¨¸ý¨³™È¯&Ô„ˆ’}tj_?1L‡44…CjI¨'û³“P7uw»‚ê—©.†tÙNR6ýêÍ_lôAÔžå•0g¼zFG¾”á\V“°žàœbÃ S¼šÐ@Á(‘À`òÝ¬“é²­/¬ï¼~„¯»¿ËÂÙ+ü¦›QÏ¹¨ØexCºÑOí_µ¸À`
*šÿ$Ì“Ë'ÿ§YyÅ¿Ûõð#.dáûc8wm®ÜÒ¶×Ž~Ž<œäÃA·6ÊúGè0”-wMÒª–"ñ·å”DƒÓÈf÷ª
sçG’">º{yº‘`Ñ÷@¡a:ù½WnëÊ áÁõßþµ³â»\‚Tœ¿
Â!„G[AËSÏÄ¬ÝøI;àÑ×%<á¹¯:õâp(ÍS_²´vºEÁXø¿rqGú²5ˆ#ÏD×V‡['œ9ã·Búà6>Î¢»çÙ^¤×ã)'¸\mý,‚ºyº„d9<†Í ãâYàñçø'ïFhR«hÙDaD„L>†t{Ÿ1×-Ò5Úo†%åd‘ÌTZõŸ£úPïú¬v\îqå;äUX.ã"6ÚzNõ¥ bº ì–Ìpà®s¡Ë-¢åk0•çƒwî˜¢p\%Åì²e›Ôj‚…J§øÜ\¶¤ÿâ1²(w2˜ Ùßú_¿[ºç;¹ùŒ0moàGD35)­*»†|Y‹éŒ:êz&Ó¯Õ(é¢H>—Z³¿ãäÁ!@T,,²ÏÇÔ!µ—ºz³~F Êù¢Rs]Ck\<•£dìÿx5]ÐD,ñÑŽ±p©¹lDÕ‡™È\Ôùùö…}†keîÍì 3FlK0‹*´oÅÝv.Ns•Ý‚U±ƒ›ÿ¤àäaúDœ¼M1¥9PÖ’Á1æXSZ‹,•ò4ÞÏs¸×~¼Ô‘·­ýÏDKmlÙ0­KBå>à—|bÉ¼°A~áæ­áC¼zûFU^ï.þ‘€¬·q³š“Ä`þ´ƒ;ÏØä/6— cÙÝEé—Aû	¨¨Ò%„¾»ãKL€J
4Çú4¹";¸™‡ŒtSú(¹Ç='çQënw?¾Ó¢7K ÅøÀk¼;_¬îì¹Úd(aàœuä°DÈx‘@ú±µhÓ)–KT<)	‘ùã%pž1<ÉÎîšã+"…éw2<Sy¢,Í]Q"öÅ V5Êpé1\•O]#LÕÀÒ Ìòd:¦tQ›øE,^[EÊš$­³	¿JY1åé{+ô(°ËÓxÃÐ¦¢Û}%4	…ØéYÂTO•	üØðMQ¤¢¡­Ž.Ã+3zÖù1#òJ ÝN=ñ·I–”¥%Wmü{eS¨-r
Ô€<WÔ¡VÐ.IÓÒ!r¾Šì_c<ÀrÈ¬bÙŒ–?‚ÿËuÞÕhºù\„¸Š°d0ïh„$_GnÕ|ö5ÖäðˆÙŸžCÎÊ­êÍLw2ˆôeˆãõbî¹ÑÏ¡‚ª”,3®EâÙuûío6V{!÷üÁÌöZDY–RbØ&zåÌ-%ÈpÐ8V»6»
­ÓŒ´oLFÆpáƒ¡Öõ³'Á(ÒaÇî‡§å	ö0­ a=|úJÊ‰uÈ¤+N€[t+÷Å¶«ëÊZ½=øw|>"T/Ð†géH?–=¦-ôðÉÇ$-´ˆVç+8`˜OqÜf9K»û`ÑM¡C­›gRœ­³”á%›7©À™~?ÞŽ˜ûù~v/zUÅÍøNœpƒ¥E&¼BBè¼”ØVWo=‰tþDiGñÈaÁ31­‹‚¸üÜ·ã¶ábŽMVCÐcª>Ø«ã}©Ÿ$_DxyËqlO— ;¢,H©ruy^­ºjìâ…èöBÁM¢ÛáBìTnžå(Þí(ƒ9ý<š…âÎïk"ƒ×•h Kélnþ£U ‘Ê2×á§Ç`·ÇšXQùgíïô•Oºg ®IEA	zª™E™-dc’æé—ªƒš0uu·ÿÑ(òyz‚#+ÊéUMáöûxOÏTúAU+š°1…ÌG6IKËƒEj,>‘ðâZA“0”!UÈ×ñÒ¿@#8ìÞ"Œ;äè6Sšy\·VÖhc	Îv
³J½xd®šùøuÜ10§q{~ùz„ƒPÑýÛ»‰ˆê\?¢ó¸ùÜrBñ)³þ f¤P29>þªb” /¢·•:î¯‚~ß¯øoˆ\Dƒß¥õß“ÞP#Ô7Šà¾á¸i[‹8ˆmÃš^æÄmMžŸOpVØÕ„è$!ã~9 Nr«ÐEõ9º“aHEÇ}"+¼-ØçŠ±ÎµŽ‡8‹ÎgÉ<¿`0RW’@Ñ^¤¡ºðG|-Y„e÷SLˆ±ìž"‹¦b®ðˆCqž b^–ˆT„wmÉZœ´ðFLé5‡5¾ªÖ×©7úñ©ó\[P?ßbÿÅ=A¥÷»’L®}Þo„rßûh*ä¾çœÎöY8öýoû{>†ÈÓöå»‘¸·>¹33àD×<8­[9ƒQÅè<9Tò73°vÏéì•ƒ3 n›ÆëX:§‹s_ð˜ñl˜k#AÜe¼3íæ˜ˆŠ¿eÂ¾³W|îBíõïŒ»ø×!Vk]3\$’ÈT˜k·,Ò”«ŠOð†U K‚ÂRý`Ö—@ð¶É|ç…÷öKRš>nË/1ÂýR³QÚéE`Î€ßÝ¹p @±T„‘ýLs„ÇÐøaÆï“ðO|v¶<lø} ‡ƒv‹µ1íFÈ$Ðµ*Yû§O[ç£2Hš£@Ç+2Ô£zŸd÷¡É¦ÞüÑ4häÒ–×2*¤43XèõË÷éé8–Îl½·.ni?e½ú™˜­Y1€ÆJr	”Ë(æ·½ùyô¡ZÖ
é“Ÿ¯—dê¼ÈpußbX÷DbD!ýéÙeÍm—å#µ_é™†—^òÕ[có`ß†rô†çMWR}(pü{³HŒYŠ­ü~~—ÆôfŠ–|Áaßï€‚d{º?I²…¼ZáÃpF6P_ÌÇ¸É`,•1
Ç;çðxÆÿ·³þæN	Ò)ð.?i•›‡ó_W=$çÈÌ®Thý[ÁjûÈ}ëÎÉ/nå©ÓÍÓ–$4*ò¯õõDÖþ¾NÖ&n‚5øŒàÞúEXvà™pÔµA¥„äsmÎß¼…‡"{WJb _$:Ç‡["4c˜
3;›	HØdØªPßBŽÈ†ÏéÎ·„L'«Ñ»C®KK£÷@Ôõ–#ë%ï2;Š`;Ey
Ð¡#ñŸ*AŽ<WÿÄÊXÙé>Ä87ÿ9íØÙƒ5¨õ{ÏnpÄšÒ-©wŠƒÙâƒ4,Ú`¶Ø™à¦)Ð¸ Hâ³Ú lí­‡Zdƒ><½{Fð®ß!¦ÿSWí´ì
‘ciÜæ¨ÍŽ¶ß¤¦†.Ê6ÚOïé{›®´Áúyiò›bzF
nÉ¾±O9Îâžt9Ã%‹RƒPM16„û¥wù´ÂkÊ'Ôgh·˜ùÈÚm°—Ë‰	˜¸rsÂ†°îÿ*MÃÚ¸ö"ÙŸËó„8¥˜¤oOU6™xzñF9KO¬ÒÈ¨¨­­ß9=º”bü¬¿?3 JŠ^^q(] Ã'GàT§ÑºNü~o‘¬IžŽ¯Î7~,Ýôê)Š–æGö(ÑÂí?õ5ÑØî?@š‚eáxEùS™%—ÞÍ½…ƒQ»#(Œ$´Ä3Ã‰ýT¦üûˆœ®áµÁ/ºV®ªHÎrÁ‰œÃŒáªƒ1ˆ~ŠôqOBÚi¢&¦BÅÙ-‹Bx\øäÀpî,Ëõe,áWòKþ%øÝ¢Ü'o.¸9ß’™à_4¡ï7ïÔ¶¡î;f¾RÎF®·ìß6*DÃ:›`fŸñÓ…Gn}–(À²j»- Æ2Ç ú)õvÄR„þå¨¸,é.z%6ã|¹®ïÝª5¿ÄY«Ø0^õO×ªÃTd;T+J;¡Ò,@í+¡Tá:5Œ¨®ÒÃ‘ÙWc”ñ]AÎ©µ#ß‰u^Õ2e¬‘ŠŽ¢¡+ûrsØÇlfì2éª&F€sˆ!gü”XIµ4§Ôš@›á†«dÄÈšÌaðpYiùÑfMÉ¶œÁ³¶Ó†z¨\ÑI{÷TäAŠ"öù¬‡fV¡âü-4ÑŒaóÜ¤tÑ¹w0Õ:ÒÒ4z¶Ýµ›†û–G€mäŒÚùÐÓWÿPÙŠs"¸¼tt%²Ž»cþ™è÷%ØséÜV©ñ£êr¶âko÷ÞT²ŽÚ+?>T'¼¢+(Sà[•à¼úÏ8ÉOà‘¯+“Ø,â½×YI,.H4»ÀÂ ­‘M2‚WÚûC‡Ü+òã3œN²n>AdY7¸ mòþèÝÌKˆ…äèPÅóÌáN\­²š,Ï7¹"&¢îLÙÛ·„7,µ‰ÁWˆÁTó_–žÄ-´aEá7’ÈÒ?ñEáo&Z;V«o•ƒ‹§MQ Ûk¯­ãVúÎ&G^›äŽ–ar.ßDµ&ßþ³é•}µÑ×¶Ëò¿#ð¢™Yº`ºE˜^(I2»ùJk¢^8ÌæÛdàMµn×Ýˆ€ÏÈ"…3V›_çòEP!¿…¾\ïjø1#°þªf´Sª`)CuáàF¿aa:öOÜpXu›9ð¿‹›yXAÄ|ˆÛ«q*à7’—˜=>U-#®E–&MsÏ]±Ö¼ÄÊ¢ÐB€¾™ÜiÛ(›‹¤ü’4€þRÜ&RŸ#×<×ß‚?¡äýÉ^ƒ%ûk1Ëý'¸€j‚o[ßÕ#«ät¼ ÅYåƒ½Ü¢™d^±4Ø¼x·cØ ¬Z£Zòq8³XbòŸ­Wj#ú—xHÆ‡¡,×¦S!	ãE°ƒÒg'uÙ7^s‚Cüï,?ŠÓ`¬Gò^]1Í	ù=¦ŒxxÜ^ÿ$tùà›ÜîöÓOÜVnÂ?EÍ¼ˆQÚ«n%î'(•øÇÍ¶íD´d%ÆŸÉ’Í±Y¥…ddªîú}+~¯Ø&$EYŠD(¸	Ùæ…¼»DU¡4#•õ')lBŠ}OîØ8ËyÉRJïÍíæ*‡PÄ–žX,›(Ë‡¤Ý.ë ¦íÅ‹|æÞ?Q³Žîq2Âbçäå	Ÿ€Òü$¿2ãþëW>³°}b”¶ë\‡xh\³X¤übÌY›`?– $Á	Ò†ØìšŒš"þ~¢ž«=Ô´ÿ™Ú'uô\T¿nPÛŸ?£Îìby8EÄ6ö;	¤À.Hç„F‘Hô~DT²‘‡¦Ó~®ãCB…¼Ã&ŠvVö“ÿ*^ã-‘Èê–(œÓêòú;íCfÛ'¼ƒ*9‚Fãò§»ÌâÊ% #®ÌEÄGY„%EæÝF­š.gÂÄ‚Ao²4ƒ¶Y¢–Î²F·ü^Ö“DÞL³¡7‰©ÍamÖÙÏ™5!¬]Õß¨ÅšÞš~ƒ«”oùÄ±›‹ÁU'Ú‰p¶—×^uðBÀÌ Œ¬Ç¸œ·c“¸¸Ð)Q5vù³ð´÷ƒ§sÏÔ7¶N‘«ÓF~ðzé|'#º›ún ¥SÐS–µjyîÈ™°w#Ô€„ùNX¿»—VIŠùíT!4ó€7<o¬;|Ê*“@7¸j;ÏŸ@º—mþ¶çÁg27ŸQzŽÛ#Ãƒ4"~óˆK@ØŽžQ†µXI1Tfî.9K‡TÀ+ÎI"÷ˆë™Né*>Ø…¾Uvt¬–q•àÈô•¤Øùˆls­ô2sBÎ¿ö\þW[‡uF³¯¸µü'S»|‚ÿNÀ&Ïä/úÞçBÄv•S ÛÐ*¹Ñ‘WmWx‘½M@ßÛ^¡¾uZ·G*1…F*"vnõãW¾÷¿-ÀUõ>MoyA-»eÂ&†FsWh­FµôßH‡à…§ª3]´•óÔU£¶)EÈý_Ê È§ý’‘wÀLùOÐ¢_¤s±€hO‰(Y‹ïrÚ ßð 5íÎ¸ö?/{WyEÎEÀ©ó³êSlïòºì‡%aŽGÊ»uŽCô1†íKjÅƒ¼[f0c¬ßgRðöó÷ûƒO¨wFCEâfyßga0ŠxŠÛécˆ`ûJó‹h¤82BYPËÑrjüŠ+¦’˜N){°‰»¦üáýN4Èf{¼rn¼ðŽD^Ñ+¢ Õ€aV¡Àô·?	÷B/“X%¡õãzÂxûªæñd9™8‘E`ñuÀaCî´wD@ÜzóX‹ôQ¨yÌ[D#ÕÄ$kô”`+KXùŒ[’ÈKß™£v•¹5E»ô__ºa|D%®Eî~—–Ûa(¦¦°P¡2oø"º¼ðÃ~AA’ºxkîWë(Y¾Åî+¶·Q}Ì¹êéŒ³ûs0£AB¹AE0ÍtÜ–#¥´˜"-ß*è‚­ë¨>H§œ—|”¦­y©{úØRB^oŽ>‘DÕorù+Ô`žÂ¦M«i ¬“TôVÉhI£ÊD¬¼rÚîm4`—d,_s¡u(WAk¾ž,UÜJdâZÂ<—ƒ¶nõ¨žJ ˆŸ‹]¶úÝw¨„r+/BJ¯Ûvu
ˆ¤~.ÿ•L¤¾\£ïèÏnW‘[0üI¥[}xÎzôzŒ3´æ´bãõj(7™ hÕYã£„¸ˆý°ºÜ×»u¤èªÉŒu›ŽbVÛ¦š‡UGãÊÚ6máxåJøð%ã‹ŠÌžJÐÐŽtóö}G&RÛ|†FB]ctl2fáƒîÓ–êÀæÖ÷èIh;2û”?0PM“½Æ`#Ãpñ/$«3x›ÿû7Ã>îª¿=7Ê¾vVD÷ÌÉ/o)5V¾j_&›:¢Äš£g«YX6ýêLJä1œs~ˆ*Ú0Ûã¢/æ=f,í´æÚ¾†»WÞ'&¦B³WUï¹æRQ4B‰ªý -‚úÙió¹».³O9B¯[FXœ#0igî6$hV¢?Ò0jëÃI~3a@ÿ~Nw¦{ŽŠo’Ô~Ô¼zò9ƒî×´6–Ž²å@m™’‘ãxCc¬:|¥]øÅW~n>ï++LÁ{1 /Äh+ìíîˆ€_Ž5û“)Q„EÜT2#Õãý*“.Vw8~}çú£óïÑLqŽØÓÓ ú/Ìÿ/ß'ö¤Þ/X¶å-Q3Û@q²77qÑÀ€÷û´û}Ú8|gñQÐ-¶Îgº}iØ Ó>î_;>%,Èu8ÎþµÌ¢q(Eu‚õ9É¬! {3Ï!ÓO8f×År®ò±£áÿ9n_˜ã5Ðùúô+sR”ñ‹”õûI¥µbx\Q·òá^V›&´‹¬ËQi*Çp™ò,ÿsÈ„è.D‚àÀ%Îä³Qº¶íÿ·ç-kÖ§­@AbN7ûzjwUÿz»ì!H£Y]¼Ô¾ë(·_Ù‡_³õ…-Zî«ÃÝƒ7 µQîÙcYsˆAËhs ã,Ì¡¢ ­Å¯Î2…iO¨ã3B–™4CVÇ¦q©ý¨“JÀüN(_3œ¢_PÐ5BÑËŒØó1+ùÃÄæ;5ÉFÚ¦ *±ÃVéîÉ·v°/VE¡(»>ËWcûÂs\JºØyÙ’¢2õ y§ïFÜtXiIþÂFižùÿ’U®ä´©X†]Ú¡ˆ©Š•Øãl²Ò‹ÄØÙÍÉ\ +Ê3RV¢e€>pÂô-Acz{"×hNÇÉ6ÿª&i“wÛâLBµ¢
Šª‹uN;¬^àÊ¯—x!ßk–r®8Y¥[á!Hž	¸F¡ý„ÓÜFP½ˆ6ÅOŸ—hW2îÎ‡ù/ËR¸àW †Ù\’ÈìFTÓ ÉQ–u?á¼ÈêÍ ’3ûk)v9‘ö—¤e$tm±[ý(ÇïJyø,u‰uÚ"dõ\ãÉfq¦¯è;#¶»ãÑ-„AbƒÐ¦f¢3‰¶ŒCs oÖ$§Ì ›D?+,'	ŠõÃs`=ÅÝ«	< IJ½© þs©IÇëL3_ïV½    SiW¨ª</Ò†F!¬öÍûG„À
¥ý8¶¡· ï‡¤æ‡Bß¶éß    
YZ