Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package MozillaFirefox for openSUSE:Factory checked in at 2026-02-26 18:37:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/MozillaFirefox (Old)
 and      /work/SRC/openSUSE:Factory/.MozillaFirefox.new.29461 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "MozillaFirefox" Thu Feb 26 18:37:06 2026 rev:479 rq:1334868 version:148.0 Changes: -------- --- /work/SRC/openSUSE:Factory/MozillaFirefox/MozillaFirefox.changes 2026-02-19 14:18:00.725412153 +0100 +++ /work/SRC/openSUSE:Factory/.MozillaFirefox.new.29461/MozillaFirefox.changes 2026-02-26 18:37:27.097601221 +0100 
@@ -1,0 +2,122 @@ +Mon Feb 23 19:35:36 UTC 2026 - Wolfgang Rosenauer <[email protected]> + +- Mozilla Firefox 148.0 + * https://www.firefox.com/en-US/firefox/148.0/releasenotes + MFSA 2026-13 (bsc#1258568) + * CVE-2026-2757 (bmo#2001637) + Incorrect boundary conditions in the WebRTC: Audio/Video component + * CVE-2026-2794 (bmo#2008365) + Information disclosure due to uninitialized memory in Firefox + and Firefox Focus for Android + * CVE-2026-2758 (bmo#2009608) + Use-after-free in the JavaScript: GC component + * CVE-2026-2759 (bmo#2010933) + Incorrect boundary conditions in the Graphics: ImageLib component + * CVE-2026-2795 (bmo#2010940) + Use-after-free in the JavaScript: GC component + * CVE-2026-2760 (bmo#2011062) + Sandbox escape due to incorrect boundary conditions in the + Graphics: WebRender component + * CVE-2026-2761 (bmo#2011063) + Sandbox escape in the Graphics: WebRender component + * CVE-2026-2762 (bmo#2011649) + Integer overflow in the JavaScript: Standard Library component + * CVE-2026-2763 (bmo#2012018) + Use-after-free in the JavaScript Engine component + * CVE-2026-2764 (bmo#2012608) + JIT miscompilation, use-after-free in the JavaScript Engine: + JIT component + * CVE-2026-2796 (bmo#2013165) + JIT miscompilation in the JavaScript: WebAssembly component + * CVE-2026-2797 (bmo#2013561) + Use-after-free in the JavaScript: GC component + * CVE-2026-2765 (bmo#2013562) + Use-after-free in the JavaScript Engine component + * CVE-2026-2766 (bmo#2013583) + Use-after-free in the JavaScript Engine: JIT component + * CVE-2026-2767 (bmo#2013741) + Use-after-free in the JavaScript: WebAssembly component + * CVE-2026-2768 (bmo#2014101) + Sandbox escape in the Storage: IndexedDB component + * CVE-2026-2798 (bmo#2014136) + Use-after-free in the DOM: Core & HTML component + * CVE-2026-2769 (bmo#2014550) + Use-after-free in the Storage: IndexedDB component + * CVE-2026-2799 (bmo#2014551) + Use-after-free in the DOM: Core & HTML component + * CVE-2026-2770 
(bmo#2014585) + Use-after-free in the DOM: Bindings (WebIDL) component + * CVE-2026-2771 (bmo#2014593) + Undefined behavior in the DOM: Core & HTML component + * CVE-2026-2772 (bmo#2014827) + Use-after-free in the Audio/Video: Playback component + * CVE-2026-2773 (bmo#2014832) + Incorrect boundary conditions in the Web Audio component + * CVE-2026-2774 (bmo#2014883) + Integer overflow in the Audio/Video component + * CVE-2026-2775 (bmo#2015199) + Mitigation bypass in the DOM: HTML Parser component + * CVE-2026-2776 (bmo#2015266) + Sandbox escape due to incorrect boundary conditions in the + Telemetry component in External Software + * CVE-2026-2777 (bmo#2015305) + Privilege escalation in the Messaging System component + * CVE-2026-2778 (bmo#2016358) + Sandbox escape due to incorrect boundary conditions in the + DOM: Core & HTML component + * CVE-2026-2779 (bmo#1164141) + Incorrect boundary conditions in the Networking: JAR component + * CVE-2026-2800 (bmo#1988145) + Spoofing issue in the WebAuthn component in Firefox for Android + * CVE-2026-2780 (bmo#2007829) + Privilege escalation in the Netmonitor component + * CVE-2026-2781 (bmo#2009552) + Integer overflow in the Libraries component in NSS + * CVE-2026-2801 (bmo#2009901) + Incorrect boundary conditions in the JavaScript: WebAssembly + component + * CVE-2026-2782 (bmo#2010743) + Privilege escalation in the Netmonitor component + * CVE-2026-2783 (bmo#2010943) + Information disclosure due to JIT miscompilation in the + JavaScript Engine: JIT component + * CVE-2026-2802 (bmo#2011069) + Race condition in the JavaScript: GC component + * CVE-2026-2803 (bmo#2012012) + Information disclosure, mitigation bypass in the Settings UI + component + * CVE-2026-2784 (bmo#2012984) + Mitigation bypass in the DOM: Security component + * CVE-2026-2785 (bmo#2013549) + Invalid pointer in the JavaScript Engine component + * CVE-2026-2804 (bmo#2013584) + Use-after-free in the JavaScript: WebAssembly component + * CVE-2026-2786 
(bmo#2013612) + Use-after-free in the JavaScript Engine component + * CVE-2026-2805 (bmo#2014549) + Invalid pointer in the DOM: Core & HTML component + * CVE-2026-2787 (bmo#2014560) + Use-after-free in the DOM: Window and Location component + * CVE-2026-2788 (bmo#2014824) + Incorrect boundary conditions in the Audio/Video: GMP component + * CVE-2026-2789 (bmo#2015179) + Use-after-free in the Graphics: ImageLib component + * CVE-2026-2806 (bmo#2006199) + Uninitialized memory in the Graphics: Text component + * CVE-2026-2790 (bmo#2008426) + Same-origin policy bypass in the Networking: JAR component + * CVE-2026-2791 (bmo#2015220) + Mitigation bypass in the Networking: Cache component + * CVE-2026-2807 (bmo#1756056, bmo#1999402, bmo#2004872, + bmo#2006037, bmo#2012855) + Memory safety bugs fixed in Firefox 148 and Thunderbird 148 + * CVE-2026-2792 (bmo#2008912, bmo#2010050, bmo#2010275, bmo#2012331) + Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird + ESR 140.8, Firefox 148 and Thunderbird 148 + * CVE-2026-2793 (bmo#2015196, bmo#2016423, bmo#2016498) + Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR + 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 +- requires NSS 3.120.1 +- added mozilla-breakpad.patch to fix build + +------------------------------------------------------------------- Old: ---- firefox-147.0.4.source.tar.xz firefox-147.0.4.source.tar.xz.asc l10n-147.0.4.tar.xz New: ---- firefox-148.0.source.tar.xz firefox-148.0.source.tar.xz.asc l10n-148.0.tar.xz mozilla-breakpad.patch ----------(New B)---------- New:- requires NSS 3.120.1 - added mozilla-breakpad.patch to fix build ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ MozillaFirefox.spec ++++++ --- /var/tmp/diff_new_pack.reC96C/_old 2026-02-26 18:37:58.282891956 +0100 +++ /var/tmp/diff_new_pack.reC96C/_new 2026-02-26 18:37:58.286892121 +0100 
@@ -28,9 +28,9 @@ # orig_suffix b3 # major 69 # mainver %%major.99 -%define major 147 -%define mainver %major.0.4 -%define orig_version 147.0.4 +%define major 148 +%define mainver %major.0 +%define orig_version 148.0 %define orig_suffix %{nil} %define update_channel release %define branding 1 @@ -114,7 +114,7 @@ BuildRequires: libproxy-devel BuildRequires: makeinfo BuildRequires: mozilla-nspr-devel >= 4.38.2 -BuildRequires: mozilla-nss-devel >= 3.119 +BuildRequires: mozilla-nss-devel >= 3.120.1 BuildRequires: nasm >= 2.14 BuildRequires: nodejs >= 12.22.12 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 @@ -229,6 +229,7 @@ Patch20: one_swizzle_to_rule_them_all.patch Patch21: svg-rendering.patch Patch24: mozilla-bmo1746799.patch +Patch25: mozilla-breakpad.patch # Firefox/browser Patch102: firefox-branded-icons.patch %endif ++++++ firefox-147.0.4.source.tar.xz -> firefox-148.0.source.tar.xz ++++++ /work/SRC/openSUSE:Factory/MozillaFirefox/firefox-147.0.4.source.tar.xz /work/SRC/openSUSE:Factory/.MozillaFirefox.new.29461/firefox-148.0.source.tar.xz differ: char 15, line 1 ++++++ l10n-147.0.4.tar.xz -> l10n-148.0.tar.xz ++++++ /work/SRC/openSUSE:Factory/MozillaFirefox/l10n-147.0.4.tar.xz /work/SRC/openSUSE:Factory/.MozillaFirefox.new.29461/l10n-148.0.tar.xz differ: char 15, line 1 ++++++ mozilla-bmo1504834-part1.patch ++++++ --- /var/tmp/diff_new_pack.reC96C/_old 2026-02-26 18:37:58.546902883 +0100 +++ /var/tmp/diff_new_pack.reC96C/_new 2026-02-26 18:37:58.550903048 +0100 @@ -1,11 +1,11 @@ # HG changeset patch -# Parent e31f5228a09ed69d7ac3c84e54f0faa6a5910ae0 +# Parent 30360f7dae4c2a1046c3327d73580b29fb4ac32e Taken from https://bugzilla.mozilla.org/show_bug.cgi?id=1504834 diff --git a/gfx/2d/DrawTargetSkia.cpp b/gfx/2d/DrawTargetSkia.cpp --- a/gfx/2d/DrawTargetSkia.cpp 
+++ b/gfx/2d/DrawTargetSkia.cpp -@@ -155,17 +155,18 @@ static IntRect CalculateSurfaceBounds(co +@@ -156,17 +156,18 @@ static IntRect CalculateSurfaceBounds(co if (!sampledBounds.ToIntRect(&bounds)) { return surfaceBounds; } @@ -28,11 +28,11 @@ diff --git a/gfx/2d/Types.h b/gfx/2d/Types.h --- a/gfx/2d/Types.h +++ b/gfx/2d/Types.h -@@ -94,28 +94,21 @@ enum class SurfaceFormat : int8_t { - // this format. - HSV, - Lab, - Depth, +@@ -102,28 +102,21 @@ enum class SurfaceFormat : int8_t { + R10G10B10X2_UINT32, // 0b00RRRRRRRRRRGGGGGGGGGGBBBBBBBBBB + // 4 half-float (f16) components in RGBA order for HDR rendering, each is + // machine endian. + R16G16B16A16F, // This represents the unknown format. UNKNOWN, // TODO: Replace uses with Maybe<SurfaceFormat>. @@ -82,7 +82,7 @@ void skcms_DisableRuntimeCPUDetection() { sAllowRuntimeCPUDetection = false; -@@ -319,30 +321,38 @@ enum { +@@ -374,30 +376,38 @@ enum { skcms_Signature_sf32 = 0x73663332, // XYZ is also a PCS signature, so it's defined in skcms.h // skcms_Signature_XYZ = 0x58595A20, ++++++ mozilla-breakpad.patch ++++++ # HG changeset patch # User Wolfgang Rosenauer <[email protected]> # Parent 0582001f108d3435a346ca0937057e73051e4baf diff --git a/toolkit/crashreporter/breakpad-client/linux/handler/minidump_descriptor.h b/toolkit/crashreporter/breakpad-client/linux/handler/minidump_descriptor.h --- a/toolkit/crashreporter/breakpad-client/linux/handler/minidump_descriptor.h +++ b/toolkit/crashreporter/breakpad-client/linux/handler/minidump_descriptor.h 
@@ -27,16 +27,17 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #ifndef CLIENT_LINUX_HANDLER_MINIDUMP_DESCRIPTOR_H_ #define CLIENT_LINUX_HANDLER_MINIDUMP_DESCRIPTOR_H_ #include <assert.h> #include <sys/types.h> +#include <cstdint> #include <string> #include "linux/handler/microdump_extra_info.h" #include "common/using_std_string.h" // This class describes how a crash dump should be generated, either: // - Writing a full minidump to a file in a given directory (the actual path, ++++++ tar_stamps ++++++ --- /var/tmp/diff_new_pack.reC96C/_old 2026-02-26 18:37:58.658907518 +0100 +++ /var/tmp/diff_new_pack.reC96C/_new 2026-02-26 18:37:58.662907684 +0100 @@ -1,11 +1,11 @@ PRODUCT="firefox" CHANNEL="release" -VERSION="147.0.4" +VERSION="148.0" VERSION_SUFFIX="" -PREV_VERSION="147.0.3" +PREV_VERSION="147.0.4" PREV_VERSION_SUFFIX="" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release" -RELEASE_TAG="fc43c97c72749b9e222d68e0d37e7c696ae933e2" -RELEASE_TIMESTAMP="20260212191108" +RELEASE_TAG="eff69d257e44ce2a29f947baf876e992af8bb9b0" +RELEASE_TIMESTAMP="20260216153405"
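Review bot: In the MozillaFirefox.spec hunk at @@ -114,7 +114,7 @@ only the build-time floor moves (BuildRequires: mozilla-nss-devel >= 3.120.1), while the changelog says "requires NSS 3.120.1" and lists CVE-2026-2781 as an integer overflow in the Libraries component in NSS. Nothing in the visible diff raises a runtime dependency on NSS, so please confirm the installed package cannot be paired with an older NSS, for example through a matching versioned Requires.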
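Review bot: The MozillaFirefox.spec hunk at @@ -229,6 +229,7 @@ declares Patch25: mozilla-breakpad.patch, but the diff shows no matching change in %prep. If the spec applies patches with explicit %patch lines rather than %autopatch or %autosetup, the new patch is declared and never applied; either add the corresponding %patch line or confirm that all declared patches are applied automatically.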
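Review bot: The header of the new mozilla-breakpad.patch carries only the User and Parent lines, with no description of the build failure and no upstream reference, unlike mozilla-bmo1504834-part1.patch, which records "Taken from https://bugzilla.mozilla.org/show_bug.cgi?id=1504834". Please add a line stating which toolchain needs the explicit #include <cstdint> in minidump_descriptor.h and whether the change has been submitted upstream, so the patch can be dropped once upstream carries it; the changelog entry "added mozilla-breakpad.patch to fix build" would benefit from the same detail.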
