
SUSE-SU-2018:3591-2 -- SLES mozilla-nss, libfreebl3, libsoftokn3

ID: oval:org.secpod.oval:def:89002034
Date: (C) 2021-02-26 (M) 2022-10-10
Class: PATCH
Family: unix




This update for MozillaFirefox to ESR 60.2.2 fixes several issues.

These general changes are part of the version 60 release:
- New browser engine with speed improvements
- Redesigned graphical user interface elements
- Unified address and search bar for new installations
- New tab page listing top visited, recently visited and recommended pages
- Support for configuration policies in enterprise deployments via JSON files
- Support for Web Authentication, allowing the use of USB tokens for authentication to web sites

The following changes affect compatibility:
- Now exclusively supports extensions built using the WebExtension API. Unsupported legacy extensions will no longer work in Firefox 60 ESR.
- TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted. The "security.pki.distrust_ca_policy" preference can be set to 0 to reinstate trust in those certificates.

The following issues affect performance:
- New format for storing private keys, certificates and certificate trust. If the user home or data directory is on a network file system, it is recommended that users set the following environment variable to avoid slowdowns: NSS_SDB_USE_CACHE=yes. This setting is not recommended for local, fast file systems.

These security issues were fixed:
- CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation.
- CVE-2017-16541: Proxy bypass using automount and autofs.
- CVE-2018-12376: Various memory safety bugs.
- CVE-2018-12377: Use-after-free in refresh driver timers.
- CVE-2018-12378: Use-after-free in IndexedDB.
- CVE-2018-12379: Out-of-bounds write with malicious MAR file.
- CVE-2018-12386: Type confusion in JavaScript allowed remote code execution.
- CVE-2018-12387: Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process.
- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data.
- CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords.

This update for mozilla-nspr to version 4.19 fixes the following issues:
- Added TCP Fast Open functionality.
- A socket without PR_NSPR_IO_LAYER will no longer trigger an assertion when polling.

This update for mozilla-nss to version 3.36.4 fixes the following issues:
- Connecting to a server that was recently upgraded to TLS 1.3 would result in a SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Replaces existing vectorized ChaCha20 code with verified HACL* implementation.
- TLS 1.3 support has been updated to draft -23.
- Added formally verified implementations of non-vectorized Chacha20 and non-vectorized Poly1305 64-bit.
- The following CA certificates were Removed:
  - OU = Security Communication EV RootCA1
  - CN = CA Disig Root R1
  - CN = DST ACES CA X6
  - Certum CA, O=Unizeto Sp. z o.o.
  - StartCom Certification Authority
  - StartCom Certification Authority G2
  - TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  - ACEDICOM Root
  - Certinomis - Autorité Racine
  - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  - PSCProcert
  - CA 沃通根证书, O=WoSign CA Limited
  - Certification Authority of WoSign
  - Certification Authority of WoSign G2
  - CA WoSign ECC Root
  - Subject CN = VeriSign Class 3 Secure Server CA - G2
  - O = Japanese Government, OU = ApplicationCA
  - CN = WellsSecure Public Root Certificate Authority
  - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  - CN = Microsec e-Szigno Root
- The following CA certificates were Removed:
  - AddTrust Public CA Root
  - AddTrust Qualified CA Root
  - China Internet Network Information Center EV Certificates Root
  - CNNIC ROOT
  - ComSign Secured CA
  - GeoTrust Global CA 2
  - Secure Certificate Services
  - Swisscom Root CA 1
  - Swisscom Root EV CA 2
  - Trusted Certificate Services
  - UTN-USERFirst-Hardware
  - UTN-USERFirst-Object
- The following CA certificates were Added:
  - CN = D-TRUST Root CA 3 2013
  - CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
  - GDCA TrustAUTH R5 ROOT
  - SSL.com Root Certification Authority RSA
  - SSL.com Root Certification Authority ECC
  - SSL.com EV Root Certification Authority RSA R2
  - SSL.com EV Root Certification Authority ECC
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - TrustCor ECA-1
- The Websites trust bit was turned off for the following CA certificates:
  - CN = Chambers of Commerce Root
  - CN = Global Chambersign Root
- TLS servers are able to handle a ClientHello statelessly, if the client supports TLS 1.3. If the server sends a HelloRetryRequest, it is possible to discard the server socket and make a new socket to handle any subsequent ClientHello. This better enables stateless server operation.

Due to the update of mozilla-nss, apache2-mod_nss needs to be updated to change to the SQLite certificate database, which is now the default.

Platform:
SUSE Linux Enterprise Server 12 SP4
Product:
mozilla-nss
libfreebl3
libsoftokn3
Reference:
SUSE-SU-2018:3591-2
CVE-2017-16541
CVE-2018-12376
CVE-2018-12377
CVE-2018-12378
CVE-2018-12379
CVE-2018-12381
CVE-2018-12383
CVE-2018-12385
CVE-2018-12386
CVE-2018-12387
CPE (4):
cpe:/a:libsoftokn3:libfreebl3
cpe:/a:libsoftokn3:libsoftokn3
cpe:/o:suse:suse_linux_enterprise_server:12:sp4
cpe:/a:mozilla:mozilla-nss
...

© SecPod Technologies