Hello community,

here is the log from the commit of package firefox-esr for openSUSE:Factory checked in at 2025-05-27 18:43:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/firefox-esr (Old)
 and /work/SRC/openSUSE:Factory/.firefox-esr.new.2732 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "firefox-esr" Tue May 27 18:43:41 2025 rev:11 rq:1280559 version:128.11.0 Changes: -------- --- /work/SRC/openSUSE:Factory/firefox-esr/firefox-esr.changes 2025-05-20 09:40:00.510520550 +0200 +++ /work/SRC/openSUSE:Factory/.firefox-esr.new.2732/firefox-esr.changes 2025-05-27 18:43:58.557059807 +0200 
@@ -1,0 +2,33 @@ +Sun May 25 08:47:26 UTC 2025 - Manfred Hollstein <manfre...@gmx.net> + +- Firefox Extended Support Release 128.11.0 ESR + * Fixed: Various security fixes. +- Mozilla Firefox ESR 128.11.0 + https://www.mozilla.org/security/advisories/mfsa2025-44 + MFSA 2025-44 (boo#1243353) + * CVE-2025-5262 (bmo#1962421) + Double-free in libvpx encoder + * CVE-2025-5263 (bmo#1960745) + Error handling for script execution was incorrectly isolated + from web content + * CVE-2025-5264 (bmo#1950001) + Potential local code execution in “Copy as cURL” command + * CVE-2025-5265 (bmo#1962301) + Potential local code execution in “Copy as cURL” command + * CVE-2025-5266 (bmo#1965628) + Script element events leaked cross-origin resource status + * CVE-2025-5267 (bmo#1954137) + Clickjacking vulnerability could have led to leaking saved + payment card details + * CVE-2025-5268 (bmo#1950136, bmo#1958121, bmo#1960499, + bmo#1962634) + Memory safety bugs fixed in Firefox 139, Thunderbird 139, + Firefox ESR 128.11, and Thunderbird 128.11 + * CVE-2025-5269 (bmo#1924108) + Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird + 128.11 +- create-tar.sh: Remove additional slash from candidates URL, which + upstream doesn't like, and protect against wiping the keyfile + accidentally. Fix typo. + +------------------------------------------------------------------- Old: ---- firefox-128.10.1esr.source.tar.xz firefox-128.10.1esr.source.tar.xz.asc l10n-128.10.1esr.tar.xz New: ---- firefox-128.11.0esr.source.tar.xz firefox-128.11.0esr.source.tar.xz.asc l10n-128.11.0esr.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ firefox-esr.spec ++++++ --- /var/tmp/diff_new_pack.kF4C5d/_old 2025-05-27 18:44:03.085250350 +0200 +++ /var/tmp/diff_new_pack.kF4C5d/_new 2025-05-27 18:44:03.085250350 +0200 
@@ -41,8 +41,8 @@ # major 69 # mainver %%major.99 %define major 128 -%define mainver %major.10.1 -%define orig_version 128.10.1 +%define mainver %major.11.0 +%define orig_version 128.11.0 %define orig_suffix esr %define update_channel esr %define branding 1 ++++++ MozillaFirefox.changes.txt ++++++ --- /var/tmp/diff_new_pack.kF4C5d/_old 2025-05-27 18:44:03.201255231 +0200 +++ /var/tmp/diff_new_pack.kF4C5d/_new 2025-05-27 18:44:03.205255399 +0200 
@@ -1,4 +1,37 @@ ------------------------------------------------------------------- +Sun May 25 08:47:26 UTC 2025 - Manfred Hollstein <manfre...@gmx.net> + +- Firefox Extended Support Release 128.11.0 ESR + * Fixed: Various security fixes. +- Mozilla Firefox ESR 128.11.0 + https://www.mozilla.org/security/advisories/mfsa2025-44 + MFSA 2025-44 (boo#1243353) + * CVE-2025-5262 (bmo#1962421) + Double-free in libvpx encoder + * CVE-2025-5263 (bmo#1960745) + Error handling for script execution was incorrectly isolated + from web content + * CVE-2025-5264 (bmo#1950001) + Potential local code execution in “Copy as cURL” command + * CVE-2025-5265 (bmo#1962301) + Potential local code execution in “Copy as cURL” command + * CVE-2025-5266 (bmo#1965628) + Script element events leaked cross-origin resource status + * CVE-2025-5267 (bmo#1954137) + Clickjacking vulnerability could have led to leaking saved + payment card details + * CVE-2025-5268 (bmo#1950136, bmo#1958121, bmo#1960499, + bmo#1962634) + Memory safety bugs fixed in Firefox 139, Thunderbird 139, + Firefox ESR 128.11, and Thunderbird 128.11 + * CVE-2025-5269 (bmo#1924108) + Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird + 128.11 +- create-tar.sh: Remove additional slash from candidates URL, which + upstream doesn't like, and protect against wiping the keyfile + accidentally. Fix typo. + +------------------------------------------------------------------- Mon May 19 06:09:30 UTC 2025 - Manfred Hollstein <manfre...@gmx.net> - create-tar.sh: Update keyring-file, if necessary ++++++ create-tar.sh ++++++ --- /var/tmp/diff_new_pack.kF4C5d/_old 2025-05-27 18:44:03.261257756 +0200 +++ /var/tmp/diff_new_pack.kF4C5d/_new 2025-05-27 18:44:03.265257924 +0200 
@@ -370,7 +370,7 @@ if ! wget --quiet --show-progress --progress=bar "$FTP_URL/$upstream_file"; then local CANDIDATE_TARBALL_LOCATION="" - PARSED_CANDIDATES_URL="$(printf "%s/%s/" "$(get_ftp_candidates_url "$PRODUCT" "$VERSION$VERSION_SUFFIX")" "$BUILD_ID")" + PARSED_CANDIDATES_URL="$(printf "%s/%s" "$(get_ftp_candidates_url "$PRODUCT" "$VERSION$VERSION_SUFFIX")" "$BUILD_ID")" CANDIDATE_TARBALL_LOCATION="$(printf "%s/source/%s" "$PARSED_CANDIDATES_URL" "$upstream_file" )" wget --quiet --show-progress --progress=bar "$CANDIDATE_TARBALL_LOCATION" fi @@ -580,11 +580,15 @@ function update_key_file() { if [ -e "mozilla.keyring" ]; then local UPSTREAM_KEYFILE="" - if [ -z "$PARSED_CANDIDATES_URL"]; then - local UPSTREAM_KEYFILE=$(curl --silent --fail "$KEY_FTP_URL") || return 1; + if [ -z "$PARSED_CANDIDATES_URL" ]; then + local UPSTREAM_KEYFILE=$(curl --silent --fail "$KEY_FTP_URL"); else CANDIDATES_KEY_URL="$(printf "%s/KEY" "$PARSED_CANDIDATES_URL")" - local UPSTREAM_KEYFILE=$(curl --silent --fail "$CANDIDATES_KEY_URL") || return 1; + local UPSTREAM_KEYFILE=$(curl --silent --fail "$CANDIDATES_KEY_URL"); + fi + if [ -z "$UPSTREAM_KEYFILE" ]; then + echo "Failed to get upstream keyfile. Skipping." + return fi diff -y --suppress-common-lines -d <(cat mozilla.keyring) <(echo "$UPSTREAM_KEYFILE") > /dev/null local KEYRING_CHANGED=$? 
@@ -593,7 +597,7 @@ echo "Keyring changed. Updating it." echo "$UPSTREAM_KEYFILE" > mozilla.keyring else - echo "Keyring did not changed." + echo "Keyring did not change." fi else echo "No local keyring found. Skipping keyring-check." ++++++ firefox-128.10.1esr.source.tar.xz -> firefox-128.11.0esr.source.tar.xz ++++++ /work/SRC/openSUSE:Factory/firefox-esr/firefox-128.10.1esr.source.tar.xz /work/SRC/openSUSE:Factory/.firefox-esr.new.2732/firefox-128.11.0esr.source.tar.xz differ: char 15, line 1 ++++++ firefox-esr.changes.txt ++++++ --- /var/tmp/diff_new_pack.kF4C5d/_old 2025-05-27 18:44:03.353261627 +0200 +++ /var/tmp/diff_new_pack.kF4C5d/_new 2025-05-27 18:44:03.357261796 +0200 
@@ -1,4 +1,37 @@ ------------------------------------------------------------------- +Sun May 25 08:47:26 UTC 2025 - Manfred Hollstein <manfre...@gmx.net> + +- Firefox Extended Support Release 128.11.0 ESR + * Fixed: Various security fixes. +- Mozilla Firefox ESR 128.11.0 + https://www.mozilla.org/security/advisories/mfsa2025-44 + MFSA 2025-44 (boo#1243353) + * CVE-2025-5262 (bmo#1962421) + Double-free in libvpx encoder + * CVE-2025-5263 (bmo#1960745) + Error handling for script execution was incorrectly isolated + from web content + * CVE-2025-5264 (bmo#1950001) + Potential local code execution in “Copy as cURL” command + * CVE-2025-5265 (bmo#1962301) + Potential local code execution in “Copy as cURL” command + * CVE-2025-5266 (bmo#1965628) + Script element events leaked cross-origin resource status + * CVE-2025-5267 (bmo#1954137) + Clickjacking vulnerability could have led to leaking saved + payment card details + * CVE-2025-5268 (bmo#1950136, bmo#1958121, bmo#1960499, + bmo#1962634) + Memory safety bugs fixed in Firefox 139, Thunderbird 139, + Firefox ESR 128.11, and Thunderbird 128.11 + * CVE-2025-5269 (bmo#1924108) + Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird + 128.11 +- create-tar.sh: Remove additional slash from candidates URL, which + upstream doesn't like, and protect against wiping the keyfile + accidentally. Fix typo. + +------------------------------------------------------------------- Mon May 19 06:09:30 UTC 2025 - Manfred Hollstein <manfre...@gmx.net> - create-tar.sh: Update keyring-file, if necessary ++++++ l10n-128.10.1esr.tar.xz -> l10n-128.11.0esr.tar.xz ++++++ ++++++ tar_stamps ++++++ --- /var/tmp/diff_new_pack.kF4C5d/_old 2025-05-27 18:44:03.613272568 +0200 +++ /var/tmp/diff_new_pack.kF4C5d/_new 2025-05-27 18:44:03.617272737 +0200 
@@ -1,11 +1,11 @@ PRODUCT="firefox" CHANNEL="esr128" -VERSION="128.10.1" +VERSION="128.11.0" VERSION_SUFFIX="esr" -PREV_VERSION="128.10.0" +PREV_VERSION="128.10.1" PREV_VERSION_SUFFIX="esr" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-esr128" -RELEASE_TAG="cf43f46ebc3d13f3bec9da37ea2c8750b3dfaaf1" -RELEASE_TIMESTAMP="20250517152055" +RELEASE_TAG="c6fae8e73635b58fac8a4536e34f63c8518a350d" +RELEASE_TIMESTAMP="20250519114620"
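
Review bot: In the create-tar.sh hunk at -370,7, the fallback `wget --quiet --show-progress --progress=bar "$CANDIDATE_TARBALL_LOCATION"` has no status check in the visible lines, so a failed candidates download falls through the `fi` silently even with the corrected URL; add an error message and a non-zero return on that call. `PARSED_CANDIDATES_URL` is also assigned here without `local`, while `CANDIDATE_TARBALL_LOCATION` is local, and update_key_file later tests it with `-z`. A comment stating that the global is intentional and must not end in a slash (consumers append `/source/...` and `/KEY` themselves) would keep a later edit from reintroducing the double slash.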
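
Review bot: In update_key_file (create-tar.sh hunk at -580,11), the new guard ends in a bare `return`, which passes on the status of the preceding `echo`, that is 0, so a caller cannot tell a failed keyfile fetch from a completed check; use `return 1` if failure should be visible, as the removed `|| return 1` suggests was intended. That removed clause never fired in bash because `local VAR=$(...)` reports the status of `local`, not of curl, and the masking is still there: `UPSTREAM_KEYFILE` is already declared with `local` at the top of the block, so assigning it without a second `local` lets curl's exit status be tested directly. Testing only `-z "$UPSTREAM_KEYFILE"` catches an empty body but not a transfer that failed after delivering part of the file, which would then reach the `diff` and the overwrite below.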
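
Review bot: In the create-tar.sh hunk at -593,7, the context line `echo "$UPSTREAM_KEYFILE" > mozilla.keyring` replaces the local keyring with whatever non-empty, differing content the URL returned, with no check that it is key material at all. If this keyring is what the `.asc` in the source list is verified against, a bad or substituted response silently changes the trust anchor for the tarball. Write the download to a temporary file, confirm it parses as OpenPGP public keys and that the fingerprints are the expected ones (or at least print the fingerprint differences for the packager to confirm), and only then move it over `mozilla.keyring`. `printf '%s\n'` is also safer than `echo` for writing arbitrary fetched content.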