Just a reminder: Firefox 62.0.2 is available.

Firefox 62.0.3 has been released with a few critical security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/

Firefox 63 has been released already.

Firefox 63.0.1 is available: https://www.mozilla.org/en-US/firefox/notes/
According to release notes, it seems not to have security fixes, but 63.0 has lots of them, including critical ones.

A new version 63.0.3 of Firefox is available https://www.mozilla.org/en-US/firefox/notes/

A new version 64.0 of Firefox is available [1].
Arch already built it [2].

It includes various security fixes, some of which are critical [3].
Although some people here might think "nah, I have JavaScript disabled all the time, so won't be affected", bug reports for some of the issues fixed are not public. So it's not clear (at least for me) whether they are related to JS, or to anything other. And even if they are all JS-specific, Iceweasel ships with JS enabled by default, so those users who didn't disable it, can be seriously vulnerable anyway.

[1] https://www.mozilla.org/en-US/firefox/notes/
[2] https://www.archlinux.org/packages/extra/x86_64/firefox/
[3] https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/

Just one more friendly nudge: Firefox 65 has been released and is already on Arch.
Again, it comes with the usual set of security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/

Thank you for doing this hard work of updating the package!

A few issues I noticed when tried to use v65 from libre-testing (with brand new profile after I deleted ~/.mozilla folder):
1. Default start page has a section Top Sites, where YouTube, Facebook, Twitter, and Amazon are listed by default among the other sites. I'm almost certain they serve non-free JavaScript code. Not totally sure what's Parabola stance on this matter. However, I personally don't care much, because even if their JS is 100% free and harmless now (all of which is highly doubtful), nobody guarantees it will be that way the next visit of the website. So I chose to disable JS altogether on almost all websites I visit. In that mode, at least YouTube is totally broken.
2. Browsing through Preferences, I noticed some new functionality in 'Preferences' - 'General' - 'Browsing' section: 'Recommend extensions as you browse', which is enabled by default. Description for it on Mozilla website seems satisfactory, but it's not clear to me whether it can recommend non-free extensions that way.
3. 'Preferences' - 'Search' seems to not work. Nothing happens when I click 'Search' link. It looks like no default search engines are available, because if I enter some text into the address bar, and hit Enter, it tries to either open a website with that domain name (if that's one word), or do nothing (if that's multiple words separated by space).

BTW, if that can help with the fix, # 1 and # 3 are not reproducible in Abrowser 64.0 in freshly updated Trisquel.

Ahh, I wish one day we have some unified fork of Firefox that all FSDG-compliant distros (like Parabola, Trisquel, PureOS, etc.) can use and contribute to. Without duplication of effort and with faster development cycle to deliver security patches in timely fashion.

grizzlyuser wrote:

1. Default start page has a section Top Sites, where YouTube, Facebook, Twitter, and Amazon are listed by default . Not totally sure what's Parabola stance on this matter.

we usually remove all trademarks regardless of if they are functional - in this case we have removed those same buttons before - mozilla keeps re-arranging (aka breaking) things constantly - these just found a way to pop back out again

grizzlyuser wrote:

2. 'Recommend extensions as you browse', which is enabled by default. it's not clear to me whether it can recommend non-free extensions that way.

we probably need to disable that feature - many such reccomendations would be non-free and the FSDG does not permit actively recommending any non-free software

grizzlyuser wrote:

Ahh, I wish one day we have some unified fork of Firefox that all FSDG-compliant distros (like Parabola, Trisquel, PureOS, etc.) can use and contribute to. Without duplication of effort and with faster development cycle to deliver security patches in timely fashion.

indeed that is a great idea that is being considered

https://lists.parabola.nu/pipermail/dev/2018-December/007072.html

I'm able to reproduce all three issues mentioned in https://labs.parabola.nu/issues/1981#note-10 using the iceweasel 1:66.0.2-1.parabola1 x86_64 from [libre].

Issue 3 works fine when I downgrade to iceweasel 1:65.0.2-1.parabola2 x86_64. Also tried to test earlier versions to determine on which build issue 3 had been fixed, but they didn't start due to missing libvpx.so.5.

All three work fine under freshly updated Trisquel 8.0 in abrowser 66.0.2+build1-0ubuntu0.16.04.1+8.0trisquel61.

The broken search appears to be due to a syntax issue in the libre-searchengines patch. I haven't taken the time to rebuild iceweasel to test this theory, because it's very much an overnight job on my machine, but a few different locales stood out as ones that were recently modified and show up in red highlight when I open the patched list.json in vim. Those locales are cs, ja-JP-macos, and ja. The search engine list had some duplicate entries that ended up outside of the "visibleDefaultEngines" block where they presumably should be.

If I'm correct on the cause and I haven't missed anything, this would be the fixed patch: https://gitlab.com/snippets/1840768

And here's a plaintext link for those who don't want to allow GitLab's JS: https://gitlab.com/snippets/1840768/raw

If no one else does, I'll try building with it overnight.

well spotted! I have applied your updated patch to the iceweasel build, and queued rebuilds.