25.3.1 (2015-03-25)
This is a security update to the browser to address a critical vulnerability found in the Pwn2Own contest. Only one vulnerability found in this contest applies to Pale Moon, which has been addressed in this update.
Fixes/changes:
• Fixed security vulnerability CVE-2015-0818. This vulnerability would allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation.
• Fixed IPv6 DNS resolution regression in some less common cases.
25.3.0 (2015-03-13)
This is an important update to improve features and performance, as well as address important security issues.
Fixes/changes:
• Overhauled WebGL. It now properly supports depth textures, shadow mapping and glow shaders.
Note that older operating systems or older/embedded video processors may be limited in their support of these features.
• Updated the ANGLE library to a much more current version.
• Removed the crash reporter code completely to improve overall browser responsiveness and operation.
Please note that a necessary victim of this has been the in-browser (devtools) SPS profiler because of its reliance on crash reporter data-gathering tools.
• Removed the Mozilla Plugin Finder Service (no longer in use at Mozilla).
• Android: removed the Mozilla "product announcements" service.
• Re-added control of the number of concurrent tabs to be restored from a session with browser.sessionstore.max_concurrent_tabs (accepted values 1-10).
• Significantly improved performance and accuracy of date/time/timer handling.
• Significantly improved performance of the creation of DOM elements with plain text content.
• Added several significant performance optimizations for arrays and strings in JavaScript.
• Added several code performance optimizations and bugfixes in SVG, the presentation shell, SCTP, style gradients and CSS parsing routines. (Thanks, Axiomatic!)
• Added an "Open link in current tab" context menu entry on links for UI consistency.
• Updated styling of the browser with personas (lightweight themes) once more to improve display in tabs-on-top mode, improve overall legibility of tab text, and display of inverted close buttons on some controls on dark personas.
• Added a special case check for the Flash plugin version check on Linux failing due to commas instead of periods in the version string.
• Added Windows 10 compatibility in executable manifests.
• Android: Fixed a crash on GL canvas surfaces.
• Fixed incorrect Sync "howto" instruction links from the Sync dialogs.
• Fixed the color of selected tabs in Linux when personas (lightweight themes) are in use that do not match the overall tone of the OS system theme.
• Fixed a bug where a variable in parentheses would abort JavaScript parsing.
• Fixed a bug where the address bar would incorrectly be cleared.
• Fixed padding issues for dropdown lists.
• Fixed DNS lookups so proper record types are requested for IPv4 and IPv6.
Security fixes:
• Disabled all RC4-based encryption ciphers by default.
• Fixed several miscellaneous memory safety hazards.
(applicable bugs related to CVE-2015-0835 and CVE-2015-0836)
• Fixed loading of locally stored DLL files through the internal updater. (CVE-2015-0833)
• Fixed a potential crash point in IndexedDB. (CVE-2015-0831) DiD
• Fixed a double-free situation when using non-default memory allocators and a 0-length XHR. (CVE-2015-0828)
Note: production builds of Pale Moon were never vulnerable.
• Fixed a crash using DrawTarget in the Cairo graphics library. (CVE-2015-0824)
• Fixed potential reading of local files through manipulation of form autocomplete. (CVE-2015-0822)
• Fixed a potential PNG heap-overflow crash. DiD
• Followed up on research regarding CVE-2014-8639 (see 25.2) and made cookie handling through proxies more restrictive again.
DiD: This means that the fix is "Defense-in-Depth": it is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
25.2.1 (2015-01-27)
This is a small update to address cookie handling through proxies causing issues for some authenticating proxies in corporate environments.
25.2.0 (2015-01-15)
This is an important update after rapid development on the back-end to extend browser capabilities and implement some ES6 draft functions for web programmers, as well as provide some important crashfixes, bugfixes and security updates.
Fixes/changes:
• ES6: Added the following functions:
◦ Array.prototype.find and Array.prototype.findIndex
◦ IsConstructor(arg)
◦ Array.of(items...)
◦ Number.parseInt and Number.parseFloat
◦ Advanced math functions: hyperbolic sin/cos/tan/asin/acos/atan, hypotenuse, cube root, expm1, log1p, log10, log2, sign and trunc
◦ Map.prototype.forEach and Set.prototype.forEach
• ES6: Added the following number constants: EPSILON, MIN_SAFE_INTEGER and MAX_SAFE_INTEGER
• ES6: Added the use of binary and octal numeric literals (&b... and &o...)
• ES6: Updated behavior of accessing indexed values in accordance with the spec.
• CSS: Added overflow-clip-box:content-box|padding-box
• DOM: Added table.createTBody() function
• Added a clearer alltabs button for dark personas.
• Added a development tools toggle hotkey (F12)
• Added a preference prompts.tab_modal.focusSwitch to enable or disable tab switching when a modal dialog (e.g. javascript confirmation) is presented in a page.
• IonMonkey on Android: fixed the implementation of AbsI.
• IonMonkey: fixed a bug where actively used objects were discarded.
• Fixed register initialization to prevent incorrect detection of SIMD instructions on some CPUs.
• Optimized some loops in the spell checker to increase performance.
• Simplified cache handling, updated cache parameters to better reflect current web use, and enabled automatic cache sizing by default.
• Adjusted memory cache sizing to better reflect capacities of current hardware.
• Updated UserAgent override workarounds for Netflix and Facebook to fix some site issues.
• Aligned programmatic access to geolocation with the spec.
• Fixed a crash when being fed a data file (XML) with too deeply nested tags.
• Fixed a crash in HTML5/WebAudio that affected some games.
• Fixed a crash when programmatically collapsing elements.
• Fixed a few non-breaking bugs related to e10s code.
• Fixed text input/padding issues.
• Updated surround downmixing code for Vorbis.
• Improved tolerance in WebAudio for loading multichannel audio files.
• Android: Fixed an issue with Flash; it should now run on more devices.
• Updated the DDG search plugin to make the actual query be the last parameter in the address bar for easy editing after a search has been performed.
• Removed some unused update channel code.
• Updated branding to more clearly indicate Pale Moon's trademark.
• Updated some licensing texts in-browser to properly reflect used code and rights.
Security/privacy fixes:
• Added a preference network.stricttransportsecurity.enabled to enable or disable the use of HSTS (HTTP Strict Transport Security), allowing users to choose between privacy and security in this matter. (hidden pref)
• Fixed CVE-2014-1589 by whitelisting XBL bindings that may be applied to untrusted content.
Important: extension developers should read this related thread.
• Fixed CVE-2014-1593.
• Mac: fixed CVE-2014-1595.
• Fixed CVE-2014-8639 by adjusting cookie handling through proxies.
• Fixed CVE-2014-8636.
• Fixed several memory safety hazards that do not have CVE numbers.
25.1.0 (2014-11-14)
This is an important update after rapid development on the back-end to keep pace with the current changes on the web and improve compatibility with websites.
Fixes/changes:
• New feature: multi-line flexbox support.
Pale Moon now supports more advanced multi-line and multi-column flex elements. This will allow websites to use these elements for easier responsive design of web pages and ordering/layout of multiple elements. This has been on Pale Moon's to-do list for a while but was rather complex to tackle, hence the delay in implementation. This should address layout issues on several recently-updated websites (e.g. the MSN home page).
• New feature: added support for collapsed flex element items.
• Enhanced feature: Content Security Policy (CSP)
Pale Moon now fully supports the CSP 1.0 specification, allowing websites to set restrictions on content to prevent XSS (cross-site scripting) attacks. Previously, the implementation in Pale Moon was partial and did not support a number of features, resulting in some websites not rendering properly because Pale Moon was being too strict in enforcing the policy. This should address issues on websites enforcing CSP (e.g. the Dropbox web interface and Facebook galleries).
• New feature: added support for iframes with inline content.
• Updated the Firefox Compatibility mode version to 31.9.
With the improvements in rendering and overall feature set, the Firefox Compatibility mode (as presented in the UserAgent string) has been bumped to prevent websites from complaining about "using a too old/unsupported version of Firefox" (e.g. Google websites).
• Pale Moon no longer builds the so-called "media navigator" by default.
This module provides access to the user's webcam and microphone. Although it can be used for other purposes, in practice this is only used for WebRTC and, in fact, its support (GetUserMedia) is often mistaken for actually supporting WebRTC in a browser (causing errors since Pale Moon does not support WebRTC). No longer including these features reduces input complexity and overhead for a feature not actively used. This also circumvents privacy concerns/confusion like CVE-2014-1586.
• Improved tab handling on lightweight themes (personas) some more to enhance contrast on certain themes and to make the tab hover effect slightly more distinct.
• Fixed oversized/blocky menu arrows on Windows 8.1 in HiDPI mode.
• Fixed incorrect operating system being passed on to addons.mozilla.org.
• Fixed an error being thrown in the error console/web console when opening a new window.
• Removed the NVidia 3D Vision auxiliary utility library.
This library has been the likely cause for a number of crashes on NVidia cards, and is completely unnecessary for Pale Moon.
• Made the installer less aggressive for file type associations, to prevent "stealing" of globally associated file types.
• Android: improved restoring of session tabs.
• Android: added an option to automatically restore tabs.
An important thing to note with this new option is the following: with the option enabled, Pale Moon will now automatically restore tabs you had open previously when the app gets suspended (pushed out of memory by other apps, closed by swipe, etc.). The "quit" main menu option, however, completely shuts down your session, unloads Pale Moon from active memory, and tabs will not be automatically restored when you launch Pale Moon again. This is by design. To restore tabs in that situation, use the link from the home screen.
• Fixed memory security hazards CVE-2014-1574 and CVE-2014-1575. (security fix)
• Fixed CVE-2014-1581. (security fix)
• Fixed bug 1069584: Bail if a cairo surface is in an invalid state. (security fix)
• Made sure to initialize surfaces for draw targets. (security fix)
• Fixed CVE-2014-1594: Use AsContainerLayer() in order to avoid a bad cast. (security fix)
• Fixed several problems in the HTML parser. (security fix)
• Improved security of XHR by filtering out types of requests that can potentially be abused. (security fix)
25.0.2 (2014-10-24)
This is a small update to address a number of teething problems with the new milestone release.
Fixes/changes:
• Added a "Firefox compatibility mode" selection in Options -> Advanced.
This mode is enabled by default (reluctantly so), because too many websites (including some very big players who, themselves, promote an Open Web...) still use very poor browser detection methods based on arbitrary User Agent string comparisons, not catering to alternative browsers, and the resulting user experience being poor (being presented with mobile site layouts, broken pages, or even being flat-out refused service because someone exercises freedom of choice for web browser used). This should alleviate most, if not all, issues with browser-discriminating websites.
• Improved active tab display on particularly dark personas.
People using "black" personas/lightweight themes should now have a lot less difficulty distinguishing the active tab.
• Disabled SSL 3.0 by default (to put a muzzle on the POODLE).
Please note that this may cause issues with some poorly configured web servers (usually ones with a hopelessly broken security setup that do not support TLS 1.2 or secure (re)negotiation of the protocol).
• Fixed add-on update issue (that was preventing update checking through addons.palemoon.org).
• Fixed the redundant redundancy in asking redundantly if the browser would be allowed to ask to install an extension when not on addons.mozilla.org.
• Fixed the internal UA-sniffing insanity that broke devtools in a few different and colorful ways.
25.0.1 (2014-10-15)
This is a small update to address an important Jetpack extension compatibility issue and includes a number of security fixes.
Fixes/changes:
• Update of the add-on SDK to add missing "Pale Moon" engine entries to lists. This should fix extension compatibility issues for Jetpack extensions that otherwise already work with the new GUID.
• About box release notes link corrected.
• Fix for VP9 decoder vulnerability. (security fix)
• Fix for direct access to raw connection sockets in HTTP. (security fix)
• Fix for unsafe conversion to JSON of data through the alarm DOM element. (security fix)
• Update of NSS to 3.16.2.2-RTM. (security fix)