Fixes/changes:
- Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded videos.
- Updated the JPEG decoder library to 1.4.0.
- Fixed and cleaned up XPCOM timer thread code to avoid intermittent issues with events not firing (especially after stand-by).
- Updated overrides to work around issues with Facebook and Netflix.
- Fixed an issue where too-old system-supplied NSPR and/or NSS libraries would be accepted for use.
Security fixes:
- Updated the libpng library to 1.5.24 to address critical security issues CVE-2015-7981 and CVE-2015-8126.
- Updated the NSPR library to 4.10.10 to address several security issues.
- Updated the NSS library to 3.19.4 to address several security issues.
- Fixed a memory safety hazard in SVG path code (CVE-2015-7199).
- Fixed an issue with IP address parsing potentially allowing an attacker to bypass the Same Origin Policy (CVE-2015-7188).
- Fixed an Add-on SDK (Jetpack) issue that would allow scripts to be executed despite being forbidden (CVE-2015-7187).
- Fixed a crash due to a buffer underflow in libjar (CVE-2015-7194).
- Fixed an issue for Android full screen that would potentially allow address spoofing (CVE-2015-7185).
- Added size checks in canvas manipulations to avoid potential image encoding vulnerabilities like CVE-2015-7189. DiD
- Fixed potential information disclosure vulnerabilities through the NTLM authentication mechanism. Insecure NTLM v1 is now disabled by default, and the workstation name is set to WORKSTATION by default (configurable with a preference for environments where identification of workstations is done by actual reported machine name). This avoids issues like CVE-2015-4515.
- Fixed a potentially vulnerable crash from a spinning event loop during resize painting. DiD
- Fixed several JavaScript-based memory safety hazards.