This repository has been archived by the owner. It is now read-only.

@wolfbeast wolfbeast released this Jul 23, 2018 · 3 commits to master since this release

Assets 2

This will be the final maintenance release of Pale Moon 27 on the "Tycho" platform. Do not expect any further updates.

This is a security and usability update.

Changes/fixes:

  • Updated the useragent for addons.mozilla.org to work around their "Only with Firefox" discrimination preventing users from downloading themes, old versions of extensions, and other files with Pale Moon.
  • Restricted web access to the moz-icon:// scheme that could potentially be abused to infringe the user's privacy.
  • Prevented various location-based threats. DiD
  • Fixed a potential vulnerability with plugins being redirected to different origins (CVE-2018-12364).
  • Improved the security check for launching executable files (by association) on Windows from the browser. For users who have (most likely accidentally) granted a system-wide waiver for opening these kinds of files without being prompted, this permission has been reset.
  • Fixed an issue with invalid qcms transforms (CVE-2018-12366).
  • Fixed a buffer overflow using the computed size of canvas elements (CVE-2018-12359).
  • Fixed a use-after-free when using focus() (CVE-2018-12360).
  • Added some sanity checks on nsMozIconURI. DiD
  • Fixed an issue in the case the preferences file in the profile would not be writable (e.g. temporary permission issues due to backup, virus scanning or similar external processes).

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

@wolfbeast wolfbeast released this Jun 12, 2018 · 15 commits to master since this release

Assets 2

This is a security update.

Changes/fixes:

  • (CVE-2017-0381) Ported a patch from libopus upstream. Note, contrary to that report, the libopus maintainers state they don't believe remote code execution was possible, so this was not a critical patch.
  • Fixed an issue with task counting in JS GC.
  • Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject (thanks to Berk Cem Göksel for reporting).
  • Portable only: Included the previously omitted registry helper. This may in some cases help with file/type associations.

@wolfbeast wolfbeast released this Jun 12, 2018 · 23 commits to master since this release

Assets 2

This is a security and stability update.

Changes/fixes:

  • We changed the language strings for softblocked items so people will cry less when we do our job.
  • (CVE-2018-5174) Prevent potential SmartScreen bypass on Windows 10.
  • (CVE-2018-5173) Fixed an issue in the Downloads panel improperly rendering some Unicode characters, allowing for the file name to be spoofed. This could be used to obscure the file extension of potentially executable files from user view in the panel.
  • (CVE-2018-5177) Fixed a vulnerability in the XSLT component leading to a buffer overflow and crash if it occurs.
  • (CVE-2018-5159) Fixed an integer overflow vulnerability in the Skia library resulting in possible out-of-bounds writes.
  • (CVE-2018-5154) Fixed a use-after-free vulnerability while enumerating attributes during SVG animations with clip paths.
  • (CVE-2018-5178) Fixed a buffer overflow during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable extension in order to occur.
  • Fixed several stability issues (crashes) and memory safety hazards.

@wolfbeast wolfbeast released this May 7, 2018 · 36 commits to master since this release

Assets 2

This is a maintenance release.

Changes/fixes:

  • Removed the unused/incomplete places protocol handler.
  • Worked around an issue with MSE media without a Track ID. This should help with the playability of some live streams.
  • Ported across jemalloc improvements from UXP.
  • Ported across cairo mutex improvements from UXP.
  • Added support for FFmpeg 4.0/libavcodec 58.
  • Added a fix for Windows 10's "isAlpha()" not being what one would expect in v1803.

@wolfbeast wolfbeast released this Apr 17, 2018 · 48 commits to master since this release

Assets 2

This is the last major development update for the v27 milestone (codenamed "Tycho").
After this, we will be focusing our efforts for new features entirely on UXP and the new v28 milestone building on it. We will continue to support v27.9 with security and stability updates for a while, but no major new features will be added from this point forward.

Changes/fixes:

  • Fixed a number of spec compliance issues in our media subsystem.
  • Added a trailing slash to referrers when policy is set to fix some web compatibility issues.
  • Fixed the property order in Object.getOwnPropertyNames(string) and others for web compatibility.
  • Updated RegExp(RegExp object, flags) to the ES6 standard specification.
  • Changed the embedded font from the no longer free EmojiOne to the open-licensed Twemoji (with additional fixes). This also further extends unicode support to Unicode 10 emoji(s). Please note that as a result, color emoji(s) will look different than before.
  • Adjusted some things in our memory allocator code to provide, among other things, better allocation alignment on Windows.
  • Made the attempt to migrate people from the old sync server domain name to the current one more aggressive. We will be retiring the old pmsync.palemoon.net Sync server address shortly to remove the need for us to maintain a security certificate for it; this preference migration should automatically put everyone on the correct server address when upgrading.
  • Made reading of the sessionstore synchronous, to speed up startup and prevent the homepage from being loaded when restoring a session.
  • Added a fix to switch to the correct window/tab when a web notification is clicked.
  • Changed the placeholder text to not include "Search" when all search functions from the address bar are disabled.
  • Enabled the use of Skia for canvas on Linux and OSX.
  • Worked around a potential cause for some non-standard bitmapped fonts ending up with incorrect line heights (I'm looking at you, Noto fonts!).
  • Added a workaround for incorrectly-encoded JPEG-XR images with planar alpha. Ultimately, the jxrlib reference implementation should be fixed to encode according to spec.
  • Aligned XCTO:nosniff allowed script MIME types with the updated spec.
  • Improved the logic for storing vector images in the surface cache.
  • Fixed character set handling for XMLHttpRequests.

@wolfbeast wolfbeast released this Mar 28, 2018 · 114 commits to master since this release

Assets 2

This is a small update to solve a pervasive crash in responsive web layouts.

@wolfbeast wolfbeast released this Mar 22, 2018 · 114 commits to master since this release

Assets 2

This is a security update.

Changes/fixes:

  • Privacy fix: prevented update checks for the default theme.
  • Added a user-agent override for Dropbox to improve compatibility with their service.
  • Fixed an issue with mouseover handling related to (CVE-2018-5103). DiD
  • Disabled the Mac OSX Nano allocator. DiD
  • Fixed (CVE-2018-5129) OOB Write.
  • Updated the lz4 library to 1.8.0 to solve potential issues. DiD
  • Fixed (CVE-2018-5137) Path traversal on chrome:// URLs
  • Fixed several memory safety an synchronicity hazards.

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

@wolfbeast wolfbeast released this Mar 8, 2018 · 114 commits to master since this release

Assets 2

This is a small update to address some breaking issues.

Changes/fixes:

  • Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general operational instability and handshake issues.
  • Disabled TLS 1.3 draft support by default, because with the NSS backout we only support an older draft right now that is no longer current and may cause connectivity issues. You can manually re-enable it at your own risk in about:config by setting security.tls.version.max to 4.

@wolfbeast wolfbeast released this Mar 4, 2018 · 114 commits to master since this release

Assets 2

This is a development update with new and improved features and bugfixes.

Changes/fixes:

  • Added support for emojis on Windows systems that have relatively poor support for them with standard font sets by including our own font (EmojiOne based for now).
  • Added a setting in preferences to select the use of tab previews with Ctrl+Tab.
  • Added Eyedropper menu entry to the AppMenu.
  • Added a preference to control whether the text cursor (caret) should be thicker when dealing with CJK characters or not (default = yes).
  • Added URL fix-ups for schemes (mis-typed "ttp://" etc.).
  • Added support for ES6 "Symbol species".
  • Updated our TLS 1.3 support to the latest (probably final) draft.
  • Fixed gap inconsistency in the tabstrip.
  • Fixed a number of browser crashes.
  • Fixed a crash with the exponentiation operator "**"
  • Set the performance timer granularity to 1 ms.
  • Updated the kiss-fft library to our forked 1.4.0 version.
  • Disabled a potentially problematic optimization on Win 8+ with high contrast themes in use.
  • Removed the notification bar when in full screen to prevent unwanted visible screen elements.
  • Removed unmaintained and insecure WebRTC code - building with WebRTC enabled is no longer an option.
  • Removed redundant checks for "Vista or later" since that is all we support.
  • Added display of the http status to raw request displays.
  • Added a workaround for cloned videos not retaining their muted state.
  • Added a temporary workaround to avoid crashes on trackless media.
  • Removed some superfluous ellipses from menu labels.
  • Fixed undesired shrinking of line heights as a result of setting minimum font size in preferences.
  • Fixed some issues with setting the new tab preference (regression).
Assets 2

This is a security and stability update.

Changes/fixes:

  • Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
  • Changed the perfomance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre.
    This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
  • Improved the debug-only startup cache wrapper to prevent a rare crash.
  • Fixed a crash in the XML parser.
  • Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
  • Fixed a potential race condition in the browser cache.
  • Fixed a crash in HTML media elements (CVE-2018-5102)
  • Fixed a crash in XHR using workers.
  • Fixed a crash with some uncommon FTP operations.
  • Fixed a potential race condition in the JAR library.

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.