Posts posted by trium
-
-
ff v68.0 esr
09. july 2019
New
- A number of features improve the browser experience in enterprise settings.
  - MSI installer file type is included in this release, helping make deployments in the Windows environment easier and more flexible.
  - Configuration profiles in macOS
- The ability to read added certificates roots from the macOS Keychain
- For all operating systems, we have a number of additional policies including:
  - New tab page configuration and disabling
  - Local file links
  - Download behavior
  - Search suggestions
  - Managed storage for using policies in Webextensions
  - Extension configuration (allow/deny) by ID and website
  - A subset of commonly used Firefox preferences
  You can see a full list of policies here.
- User and enterprise added certificates are read from the operating system by default.
Fixed
- Local files can no longer access other files in the same directory.
Changed
- Added support for the event property on the Window object to improve web compatibility for enterprises.
Developer
unresolved
- Windows Background Intelligent Transfer Service (BITS) update download for proxy users with authentication will fall back to legacy update system on Windows (bug 1561200)
- Service workers and push notifications remain disabled in Firefox ESR
-
-
ff v60.8.0 esr
09. july 2019
Fixed
- Various security fixes
Security vulnerabilities fixed in Firefox ESR 60.8
- Announced: July 9, 2019
- Impact: critical
- Products: Firefox ESR
- Fixed in: Firefox ESR 60.8
CVE-2019-9811: Sandbox escape via installation of malicious language pack
- Reporter: Niklas Baumstark
- Impact: high
Description
As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation.
References
CVE-2019-11711: Script injection within domain through inner window reuse
- Reporter: Boris Zbarsky
- Impact: high
Description
When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security.
References
CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
- Reporter: Gregory Smiley of Security Compass
- Impact: high
Description
POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.
References
CVE-2019-11713: Use-after-free with HTTP/2 cached stream
- Reporter: Hanno Böck
- Impact: high
Description
A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash.
References
CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault
- Reporter: Jonas Allmann
- Impact: moderate
Description
Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used.
References
CVE-2019-11715: HTML parsing error can contribute to content XSS
- Reporter: Linus Särud
- Impact: moderate
Description
Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances.
References
CVE-2019-11717: Caret character improperly escaped in origins
- Reporter: Tyson Smith
- Impact: moderate
Description
A vulnerability exists where the caret ("^") character is improperly escaped when constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes.
References
CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
- Reporter: Henry Corrigan-Gibbs
- Impact: moderate
Description
When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure.
References
CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin
- Reporter: Luigi Gubello
- Impact: moderate
Description
A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may be uploaded to a server. Luigi Gubello demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents.
References
CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
- Reporter: Mozilla developers and community
- Impact: critical
Description
Mozilla developers and community members Andreea Pavel, Christian Holler, Honza Bambas, Jason Kratzer, and Jeff Gilbert reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References
-
-
ff v68.0
09. july 2019
New
- Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars.
- Improved extension security and discovery:
  - New reporting feature in about:addons allows you to report security and performance issues with extensions and themes.
  - Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension.
  - Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. "Recommended" badges for these extensions also appear on AMO. More extensions will be added over time.
- Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences.
- WebRender will roll out to Windows 10 users with AMD graphics cards.
- Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed.
Fixed
- Various security fixes
- Local files can no longer access other files in the same directory.
Changed
- Unified existing locales (bn-BD, bn-IN) under a single Bengali (bn) localization.
- The following unmaintained translations have been removed: Assamese (as), English - South Africa (en-ZA), Maithili (mai), Malayalam (ml), Odia (or). Existing users will be migrated to the British English (en-GB) version.
- When an HTTPS error caused by antivirus software is detected, Firefox will attempt to automatically fix it
- Camera and microphone access now require an HTTPS connection.
- The way non-default preferences are synced has changed. Please see this support article for more details
Enterprise
- For all operating systems, we have a number of additional policies including:
  - New tab page configuration and disabling
  - Local file links
  - Download behavior
  - Search suggestions
  - Managed storage for using policies in Webextensions
  - Extension whitelisting and blacklisting by ID and website
  - A subset of commonly used Firefox preferences
  You can see a full list of policies here.
Developer
- Firefox Developer Tools now offers a full page color contrast audit that identifies all elements on a page that fail color contrast checks.
- Added about:compat, where website-specific workarounds are listed and may be toggled. These workarounds are meant as temporary fixes for various forms of website breakage for Firefox, while the website fixes them in due time. With about:compat, it is now easy to see all of the workarounds that are active in Firefox, and easy for website developers to disable a given workaround for testing purposes.
- Introduces CSS Scroll Snap module that enforces scroll snap positions.
unresolved
- The new URL bar implementation does not handle javascript: bookmarklets triggered via bookmark keywords correctly yet (bug 1552141)
-
-
ublock v1.20.2
gorhill released this
Jul 2, 2019
No changes from 1.20.0.
This release exists only to fulfill a request by Mozilla that I submit a new version even if there is no code change, so as to test changes on the back-end of AMO.
-
hello granadamike,
perhaps "smart cleaning" is activated
you can deactivate it:
ccleaner -> options -> smart cleaning -> disable both
note: if you do this, you must start ccleaner manually to clean your pc
-
thanks hazelnut :-)
Summary : Read buffer overflow & double free
Date : June 2019
Affected versions : VLC media player 3.0.6 and earlier

Security:
 * Fix multiple buffer overflows in the ps demuxer
 * Fix a buffer overflow when copying a biplanar YUV image
 * Fix multiple buffer overflows in the faad decoder
 * Fix buffer overflow in the svcdsub decoder
 * Fix buffer overflows in the ogg muxer & demuxer
 * Fix buffer overflows in libavformat demuxer
 * Fix multiple buffer overflows in the MKV demuxer
 * Fix a buffer overflow in the MP4 demuxer
 * Fix a buffer overflow in the textst decoder
 * Fix a buffer overflow in the webvtt decoder
 * Fix a buffer overflow in the ASF demux
 * Fix a buffer overflow in the UPNP SD
 * Fix use after free in the ogg demuxer
 * Fix multiple use after free in the MKV demuxer
 * Fix multiple use after free in the DMO decoder
 * Fix integer underflow in the MKV demuxer
 * Fix an updater NULL pointer dereference on invalid signing keys
 * Fix NULL pointer dereference in the MKV demuxer
 * Fix an integer overflow in the spudec decoder
 * Fix an integer overflow in the nsc demuxer
 * Fix an integer overflow in the avi demuxer
 * Fix reads of uninitialized pointers in the MKV demuxer
 * Fix a floating point exception in the MKV demuxer
 * Fix an infinite loop in the flac packetizer
-
it seems to be a version 3.0.7.1-1
* fixes a macOS only packaging issue, additionally.
-
good wish :-)
i mean ms has another wishes with his versions of netframework...
from the beginning with 1 and 1.1 and 2 - two is not compatible with one and so on (i remember me darkly that are two different developer)
also the different versions of the 2 dont be good
and the installation progress was long sometimes also bad and the whole net-installation was for the toilet :-)
i have 4.8 not installed.
i take only what this or one needed to be run - this also saves me a lot of updates
-
ff v60.7.2 esr
20. june 2019
Fixed
Quote:
CVE-2019-11708: sandbox escape using Prompt:Open
- Reporter: Coinbase Security
- Impact: high
Description
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
-
bad way from microsoft -> all this updates after support finishing comes not with integrated microsoft update and must download manually from update-catalog or update thing...
-
On 20.6.2019 at 04:09, Andavari said:
Someone posted about that WinXP security update on here before, I already had it archived on my portable USB hard disk from not that long ago.
perhaps from hazelnut :-)
-
On 30.3.2010 at 19:11, luik said:
It would be awesome if Piriform adds "boot-time defrag" to Defraggler features...
defraggler has this feature
--> defraggler -> settings -> boot time defrag
choose
1.) disabled
2.) run once
3.) run every time
-
perhaps ... untick smart cleaning options
ccleaner -> options -> smartcleaning -> untick both
---> "tell me there are junk files to clean"
---> "enable smart cleaning"
-
ff.v68.0 esr is near :-) perhaps 9. july 2019
-
ff v60.7.1 esr
18. june 2019
Fixed
Quote: A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
Developer
-
-
belated ff 67.0.2 ...
11. june 2019
Fixed
- Fix JavaScript error ("TypeError: data is null in PrivacyFilter.jsm") in console which may significantly degrade sessionstore reliability and performance (bug 1553413)
- Proxy authentication dialog box repeatedly pops up asking to authenticate after upgrading to Firefox 67 (bug 1548804)
- Pearson MyCloud breaks if FIDO U2F is not Chrome's implementation (bug 1551282)
- Starting in safe mode on Linux or macOS causes Firefox to think on the subsequent launch that the profile is too recent to be used with this version of Firefox (bug 1556612)
- Linux distribution users can't easily install/use additional/different languages using the built-in preferences UI (bug 1554744)
- Developer tools users can't copy the href/src content from various HTML tags via the context menu in the Inspector markup view (bug 1552275)
- Custom home page is broken with clearing data on shutdown settings applied (bug 1554167)
- Performance-regression for eclipse RAP based applications (bug 1555962)
- macOS 10.15 crash fix (bug 1556076)
- Can't start two downloads in parallel via <a download> anymore (bug 1542912)
Developer
-
-
i mean office 365 is the same "installation" as ms office 2010 starter (click & run) only cached on the os
Quote: Once fully downloaded, the product is cached locally, and users are free to disconnect from the internet and continue using their Office products:
Quote: The products still run locally utilizing the PC’s resources, they don’t “run in the cloud”.
Quote: Click-to-Run products are virtualized
do you use "winapp2.ini"?
-
Changes between 3.0.7 and 3.0.7.1:
----------------------------------

Access:
 * Update libbluray to 1.1.2

macOS:
 * Fix bluray java menu playback regression in 3.0.7

Video Output:
 * Fix hardware acceleration with some AMD drivers
 * Improve direct3d11 HDR support
-
Changes between 3.0.6 and 3.0.7:
--------------------------------

Access:
 * Improve Blu-ray support
 * Fix sftp module build with libssh >= 1.8.1

Audio output:
 * Fix pass-through on Android-23
 * Fix DirectSound drain

Demux:
 * Improve MP4 support

Video Output:
 * Fix 12 bits sources playback with Direct3D11
 * Fix crash on iOS
 * Fix midstream aspect-ratio changes when Windows hardware decoding is on
 * Fix HLG display with Direct3D11

Stream Output:
 * Improve Chromecast support with new ChromeCast apps

macOS:
 * Fix UPNP service discovery, services are discovered on the highest priority active network interface now
 * Fix video distortion on macOS Mojave

Misc:
 * Update Youtube, Dailymotion, Vimeo, Soundcloud scripts
 * Work around busy looping when playing an invalid item with loop enabled

Translations:
 * Update of most translations

Security:
 * Fix multiple buffer overflows in the ps demuxer
 * Fix a buffer overflow when copying a biplanar YUV image
 * Fix multiple buffer overflows in the faad decoder
 * Fix buffer overflow in the svcdsub decoder
 * Fix buffer overflows in the ogg muxer & demuxer
 * Fix buffer overflows in libavformat demuxer
 * Fix multiple buffer overflows in the MKV demuxer
 * Fix a buffer overflow in the MP4 demuxer
 * Fix a buffer overflow in the textst decoder
 * Fix a buffer overflow in the webvtt decoder
 * Fix a buffer overflow in the ASF demux
 * Fix a buffer overflow in the UPNP SD
 * Fix use after free in the ogg demuxer
 * Fix multiple use after free in the MKV demuxer
 * Fix multiple use after free in the DMO decoder
 * Fix integer underflow in the MKV demuxer
 * Fix an updater NULL pointer dereference on invalid signing keys
 * Fix NULL pointer dereference in the MKV demuxer
 * Fix an integer overflow in the spudec decoder
 * Fix an integer overflow in the nsc demuxer
 * Fix an integer overflow in the avi demuxer
 * Fix reads of uninitialized pointers in the MKV demuxer
 * Fix a floating point exception in the MKV demuxer
 * Fix an infinite loop in the flac packetizer
-
what temporary files we are talking about?
c:\windows\temp?
c:\users\you\appdata\local\temp?
if ccleaner not works fast enough/hangs... windows disk cleanup takes its time too... try this
open your windows-explorer
go to "c:\windows\temp"
in this folder -> "select all" (subfolders and files in temp) -> delete it
go to c:\users\you\appdata\local\temp
in this folder -> "select all" (subfolders and files in temp) -> delete it
ps: i have it in ccleaner -> includelist with option "with files and subfolders"
-
ublock v1.20.0
gorhill released this
Jun 14, 2019
Closed as fixed
- Does not block large media fetched over Fetch API
- Last permanent rule is marked as changed when rules are added to the bottom
- Dashboard open from uBO popup triggers unsaved changes dialog
- Multiple "Advanced settings" opened
- Redirection fails for filters having * in the host part
- Show requests blocked in the logger as a result of csp= option
- Element picker normalize style attrib
- "#@#+js" entries are shown in the logger as yellow instead of green
- no-scripting: behind-the-scene false sticks even after restoring uBO from a config where it's not present
- Revert button remains active/clickable after clicking on Apply changes
- "Block element" item should have ellipsis (usability)
- Nested !#if/!#endif directives not evaluated properly
- Hide predefined whitelist directives
- Non-specific procedural filters
- HTML filter showing up as cosmetic filter in logger
- No warning for unsaved changes in dashboard
- Logger: can't bring up filtering options for popup entries where URL does not start with http
- Switching configuration tabs [appears to stop] list updates
- Cosmetic filter exceptions not displayed in network request logger
Commits with no entry in issue tracker
- Fix generichide not being evaluated for local context
- Discard whole filter with bad csp= content
- Add a link to the remote asset in asset viewer
- Rearrange inner loop of static network filtering engine
- Fix "Close this window" not working on document-blocked page
- Add support for all filter option
- Set default delay for creating selfie to 3 minutes
- Avoid duplicated strings in filterOrigin w/ new approach
- Revisit code to benefit from ES6 syntax
- Refactor runtime storage of specific cosmetic filters
- Add support for nth-ancestor operator in HTML filtering
- Ensure "Ignore generic cosmetic filters" sticks on Fennec
-
where is the crying smile? i dont find it
Drive Wiper in CCleaner
hello peterw,
ccleaner -> tools -> drive wiper:
what is in the first line "wipe"?
-> entire drive (all data will be erased)
or
-> free space only
ps: with first you cant select your c-drive because it is gray ;-)