stable

mozilla-noscript-10.1.9.6-1.fc28

FEDORA-2018-e9821afbca created by rathann 6 years ago for Fedora 28

Changes since 10.1.8.16:

v 10.1.9.6

  • [TB] Gracefully handle legacy external message recipients
  • [XSS] Updated known HTML5 events
  • Better IPV6 support
  • UI support for protocol-only entries

v 10.1.9.5

  • Fix for various content script timing related issues (thanks therube for reporting)

v 10.1.9.4

  • Prevent total breakages when policies accidentally map to invalid match patterns
  • Internal messaging dispatch better coping with multiple option windows
  • Avoid multiple CSP DOM insertions

v 10.1.9.3

  • Fixed message handling regression breaking embedders and causing potential internal message loops

v 10.1.9.2

  • More efficient window.name-based tab-scoped permissions persistence
  • Fixed URL parsing bugs
  • Fixed bug in requestKey generation
  • [Build] Enhanced TLD data update subsystem
  • [UI] CUSTOM presets gets initialized with currently applied preset, including temporary/permanent status
  • Improved internal message dispatching, avoiding potential race conditions
  • [L10n] Transifex integration
  • Work-around for DOM-injected CSP not being honored when appended to the root element, rather than HEAD
  • Transparent support for FQDNs
  • Better file: protocol support
  • Full-page placeholders for media/plugin documents

v 10.1.9.1

  • Fixed NOSCRIPT emulation not running in contexts where service workers are disabled, such as private windows (thanks Peter Wu for patch)

v 10.1.9

  • Completely revamped CSP backend, enforcing policies both in webRequest and in the DOM
  • Reload-less service worker busting
  • removed obsoleted failsafes, including forced reloads
  • Better timing for popup UI feedback on permissions changes
  • Send out a "started" message after initialization to help embedders (like the Tor browser) interact with NoScript
  • Updated TLDs

v 10.1.8.23

  • Hotfix for reload loops before CSP management refactoring

v 10.1.8.22

  • Fixed reload loop on unrestricted tabs (thanks random for reporting)

v 10.1.8.20

  • Fixed Sites.domainImplies() misplaced optimization.
  • [L10n] Added Catalan (ca)

v 10.1.8.19

  • Fixed onResponseHeader failing on session restore because of onBeforeRequest not having being called.
  • Fixed regression: framed documents' URLs not being reported in the UI (thanks xaex for report)

v 10.1.8.18

  • More resilient and optimized Sites.domainImplies()
  • Update ChildPolicies when automatic temp TRUST for top-level documents is enabled
  • Fixed messages from content scripts being "eaten" by the wrong dispatcher when UI is open (thanks skriptimaahinen)
  • Fixed typo causing accidental permissions/status mismatches being checked only while pages are still loading (thanks skriptimaahinen)
  • Fixed typo in XSS name sanitization script injection (thanks skriptimaahinen)

v 10.1.8.17

  • Fix: Sites.domainImplies() should match subdomains
  • More coherent wrapper around the webex messaging API
  • Fixed inconsistencies affecting ChildPolicies content script auto-generated matching rules.
  • Fixed potential issues with cross-process messages
  • Simpler and more reliable safety net to ensure CSP headers are injected last among WebExtensions
  • Fixed regression causing refresh loops on pages which use type="object" requests to load images, css and other types
  • [L10n] ru and de translations
  • [XSS] Updated HTML events auto-generate matching code to use both latest Mozilla source code and archived data since Firefox ESR 52
  • New dynamic scripts management strategy based on the browser.contentScripts API, should fix some elusive, likely requestFilter-induced, bugs
  • Fixed no-dot domains threated as empty TLDs (thanks Peter Wu for patch)
  • Removed requestFilter hack for dynamic scripts management
  • [L10n] br and tr translations (thanks Transifex/OTF, https://www.transifex.com/otf/noscript/)
  • Best effort to have webRequest.onHeaderReceived listener run last (issue #6, thanks kkapsner)
  • [L10n] Localized "NoScript Options" title (thanks Diklabyte)
  • Fixed inline scripts not being reported to UI (thanks skriptimaahinen for patch)
  • Skip non-content windows when deferring startup page loads (thanks Rob Wu for reporting)
  • Broader detection of UTF-8 encoding in responses (thanks Rob Wu for reporting)
  • Improved support for debugging code removal in releases
  • Fixed startup race condition with pending request tracking
  • Fixed updating NoScript reloads tabs with revoked temporary permissions.

Legacy version:

v 5.1.8.7

  • [Security] Fixed script blocking bypass zero-day (thanks Zerodium for unresponsible disclosure, https://twitter.com/Zerodium/status/1039127214602641409)
  • [Surrogate] Fixed typo in 2mdn replacement (thansk barbaz)
  • [XSS] Fixed InjectionChecker choking at some big JSON payloads sents as POST form data
  • [XSS] In-depth protection against native ES6 modules abuse
  • Fixed classic beta channel users being accidentally migrated to stable (thanks barbaz)

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2018-e9821afbca

This update has been submitted for testing by rathann.

6 years ago

rathann edited this update.

6 years ago

rathann edited this update.

6 years ago

This update has been pushed to testing.

6 years ago
User Icon robatino provided feedback 6 years ago
karma
BZ#1629661 mozilla-noscript-10.1.9.6 is available

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

6 years ago

This update has been submitted for batched by rathann.

6 years ago

This update has been submitted for stable by bodhi.

6 years ago

This update has been pushed to stable.

6 years ago

Please login to add feedback.

Metadata
Type
security
Karma
1
Signed
Content Type
RPM
Test Gating
Autopush Settings
Unstable by Karma
-2
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
6 years ago
in testing
6 years ago
in stable
6 years ago
modified
6 years ago
BZ#1629212 CVE-2018-16983 mozilla-noscript: NoScript Bypass via the text/html;/json Content-Type value
0
0
BZ#1629661 mozilla-noscript-10.1.9.6 is available
0
1

Automated Test Results