Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#8457 closed enhancement (fixed)

firefox-49.0.2 (CVE-2016-5288 CVE-2016-5287)

Reported by: Douglas R. Reno
Owned by: ken@…
Priority: high
Milestone: 8.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description (last modified by Samuel)

New minor version.

https://www.mozilla.org/en-US/firefox/49.0.2/releasenotes/

new
Asynchronous rendering of the Flash plugins is now enabled by default. This should improve performance and reduce crashes for sites that use the Flash plugin. (Bug 1307108)

fixed
Change D3D9 default fallback preference to prevent graphical artifacts (Bug 1306465)
Network issue prevents some users from seeing the Firefox UI on startup (Bug 1305436)
Web compatibility issue with Array.prototype.values (Bug 1299593)
Various security fixes
Web compatibility issue with file uploads (Bug 1306472)

changed
Diagnostic information on timing for tab switching (Bug 1304113)
Reference link to Firefox 49.0.1 release notes
Fix a Canvas filters graphics issue affecting HTML5 apps (Bug 1304539)

Security advisory for firefox-49.0.2 is available here:

https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/

CVE-2016-5287: Crash in nsTArray_base<T>::SwapArrayElements

Reporter: Philipp
Impact: HIGH
Description: A potentially exploitable use-after-free crash during actor destruction with service workers. This issue does not affect releases earlier than Firefox 49.

CVE-2016-5288: Web content can read cache entries

Reporter: Developers at Cliqz.com
Impact: HIGH
Description: A Cliqz.com developer demonstrated that web content could access information in the HTTP cache if e10s is disabled. This can reveal some visited URLs and the contents of those pages. This issue affects Firefox 48 and 49.

Change History (5)

comment:1 by Douglas R. Reno, 8 years ago

Description: modified (diff)
Summary: firefox-49.0.2 → firefox-49.0.2 (CVE-2016-5288 CVE-2016-5287)

comment:2 by Samuel, 8 years ago

Description: modified (diff)

Security info now available

comment:3 by ken@…, 7 years ago

Owner: changed from blfs-book@… to ken@…
Status: new → assigned

comment:4 by ken@…, 7 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r17928.

comment:5 by bdubbs@…, 7 years ago

Milestone: 7.11 → 8.0

Milestone renamed
