Thread: Pale Moon, Firefox-based browser

  1. #1
    hackerman1 is offline Moderator
    Join Date
    Dec 2008
    Location
    Sweden
    Posts
    1,525

    Pale Moon, Firefox-based browser

    Pale Moon 25.7.1 released (2015-09-28)

    Pale Moon is an Open Source web browser available for Microsoft Windows and Linux,
    (with other operating systems in development), focusing on efficiency and ease of use.
    Make sure to get the most out of your browser!

    Pale Moon offers you a browsing experience in a browser completely built from its own, independently developed source,
    that has been forked off from Firefox/Mozilla code, with carefully selected features and optimizations to maximize the browser's speed*,
    stability and user experience, while offering a rich collection of extensions and themes
    (including compatibility with many Firefox extensions users have come to love and rely on).

    * Please note that current, popular "benchmarks" are extremely limited in what they test,
    and the way they test "browser speed".
    Pale Moon does not aim to have an "as high as possible benchmark score",
    but instead focuses heavily on overall browser smoothness,
    CPU usage, efficient networking and program-wide optimizations not related to a certain (limited) subset of functions.
    Benchmarks, by definition, do not provide a real world browsing scenario,
    and should not be relied on to determine "which browser is faster or better".


    This is a security, stability and web-compatibility update.

    This also marks a security update for the Android version of Pale Moon,
    to keep users of the otherwise currently unmaintained OS updated regarding known security vulnerabilities.

    Fixes/changes

    • Code cleanup: Removed the majority of remaining telemetry code (including the data reporting back-end and health report),
      to prevent a few issues with partially removed code in earlier versions.
    • Fixed a crash due to handling of bogus URIs passed to CSS style filters (e.g. WhatsApp's web interface).
    • Permitted spec-breaking syntax in Regex character classes,
      allowing ranges that would be permitted per the grammar rules in the spec but not necessarily following the syntax rules.
      This impacts a good number of (also higher profile) sites that use invalid ranges in regular expressions (e.g. Cisco's networking academy site, Yahoo Fantasy Football).
    • Fixed a crash due to the newly introduced WASAPI handling of audio channel mapping,
      that doesn't like actual surround hardware setups (e.g. playing a video with quadraphonic audio on a 4-speaker setup).
    • Fixed an issue where site-specific dictionary selections would be written to content preferences without the user's action,
      potentially overwriting or clearing a previously-chosen dictionary.
    • Added support for drag and drop of local files from sources which use text/uri-lists (some Linux flavors/file managers).
    • Updated libnestegg to the most current version.
    • Fixed an issue where setting the location to an empty string could cause a reload loop.

    Security fixes

    • Changed the jemalloc poison address to something that is not a NOP-slide. DiD
    • Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521)
    • Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179)
    • Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175)
    • Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504)
    • Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day vulnerability (ZDI-CAN-3176) (CVE-2015-4509)
    • Fixed a potentially exploitable crash in nsXBLService::GetBinding
    • Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy (CVE-2015-7174)
    • Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength (CVE-2015-4522)
    • Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers (CVE-2015-4511)

    DiD means "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon,
    but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

    Pale Moon - Release Notes

    Pale Moon Homepage
    Last edited by hackerman1; 1st December 2015 at 20:39.

  2. #2
    hackerman1 is offline Moderator

    Pale Moon 25.7.2 released (2015-10-02)

    This is a stability update, addressing 2 critical hangs:
    Fixed a critical hang caused by recursive reloads that might happen in iframes if its hash changed.
    Fixed a critical hang caused by lazy-loading of stylesheets through a specific web programming technique as advocated by Google's PageSpeed.

  3. #3
    hackerman1 is offline Moderator

    Pale Moon 25.8.1 released (2015-11-28)

    Homepage: Pale Moon

    The latest versions

    25.7.3 (2015-10-14)


    This is a usability update needed due to the fact that Mozilla has shut down their key exchange (J-PAKE) server along with the old Sync servers.
    This was unexpected and required us to set up our own key server which also required reconfiguration of the browser.
    Testing indicates this works as expected, but please do report any issues on the forum.
    Please note that older versions of the browser will no longer be able to link devices to a sync account using the 12-character code,
    since it requires a Mozilla server no longer present.
    If you need this functionality, you must update to this version or later.

    25.8.0 (2015-11-17)

    This is a security, stability and usability update.

    Fixes/changes:

    • Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded videos.
    • Updated the JPEG decoder library to 1.4.0.
    • Fixed and cleaned up XPCOM timer thread code to avoid intermittent issues with events not firing (especially after stand-by).
    • Updated overrides to work around issues with Facebook and Netflix.
    • Fixed an issue where too-old system-supplied NSPR and/or NSS libraries would be accepted for use.


    Security fixes:


    • Updated the libpng library to 1.5.24 to address critical security issues CVE-2015-7981 and CVE-2015-8126
    • Updated the NSPR library to 4.10.10 to address several security issues.
    • Updated the NSS library to 3.19.4 to address several security issues.
    • Fixed a memory safety hazard in SVG path code (CVE-2015-7199).
    • Fixed an issue with IP address parsing potentially allowing an attacker to bypass the Same Origin Policy (CVE-2015-7188).
    • Fixed an Add-on SDK (Jetpack) issue that would allow scripts to be executed despite being forbidden (CVE-2015-7187).
    • Fixed a crash due to a buffer underflow in libjar (CVE-2015-7194).
    • Fixed an issue for Android full screen that would potentially allow address spoofing (CVE-2015-7185).
    • Added size checks in canvas manipulations to avoid potential image encoding vulnerabilities like CVE-2015-7189. DiD
    • Fixed potential information disclosure vulnerabilities through the NTLM authentication mechanism. Insecure NTLM v1 is now disabled by default, and the workstation name is set to WORKSTATION by default (configurable with a preference for environments where identification of workstations is done by actual reported machine name). This avoids issues like CVE-2015-4515.
    • Fixed a potentially vulnerable crash from a spinning event loop during resize painting. DiD
    • Fixed several JavaScript-based memory safety hazards. DiD


    DiD This means that the fix is "Defense-in-Depth":
    It does not apply to an actively exploitable vulnerability in Pale Moon,
    but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

    25.8.1 (2015-11-28)

    A small update to address two important issues:

    • Fix for a crash that could occur at random since the update to 25.8.0.
    • Fix for CSP (Content Security Policy) to be more lenient towards the incorrect passing of full URLs with all sorts of parameters in the CSP header, leading to misinterpretation of the header and incorrectly blocking the loading of content.
    Last edited by hackerman1; 1st December 2015 at 20:30.

  4. #4
    hackerman1 is offline Moderator

    There is a known problem with Firefox and Adobe Flash Player crashing on YouTube.
    This also affects Pale Moon.

    Windows 32-bit: C:\Windows\System32\Macromed\Flash

    Windows 64-bit: C:\Windows\SysWOW64\Macromed\Flash

    Edit mms.cfg and add: ProtectedMode=0

    Note: You have to use the editor as Administrator.

    If you use Notepad, right-click and select Run as Administrator, then navigate to the folder listed above.

    Flash - MozillaZine Knowledge Base

    Pale Moon forum • View topic - Anyone having flash crashing all time on youtube read this
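
The `ProtectedMode=0` line described in post #4 turns off Flash Player's Protected Mode sandbox, so it is worth knowing which machines carry it. The following audit is an added example, not part of the original posts or of Pale Moon; the function names and sample file contents are constructed, and it assumes `#` comment lines and case-insensitive keys in `mms.cfg`.

```python
import os

# Folders named in the post above; each may hold an mms.cfg.
MMS_CFG_DIRS = (
    r"C:\Windows\System32\Macromed\Flash",
    r"C:\Windows\SysWOW64\Macromed\Flash",
)

def parse_mms_cfg(text):
    """Return {lowercased key: [values]} for every Key=Value line."""
    settings = {}
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate BOM and CRLF
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                                  # blank, comment, or junk
        key, _, value = line.partition("=")
        settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings

def protected_mode_disabled(text):
    """Flag the file if ANY ProtectedMode line is 0 (conservative for an audit)."""
    return "0" in parse_mms_cfg(text).get("protectedmode", [])

def audit(files):
    """files maps path -> contents; return the paths that disable the sandbox."""
    return sorted(p for p, text in files.items() if protected_mode_disabled(text))

def read_host_configs(dirs=MMS_CFG_DIRS):
    """Read mms.cfg from each folder that has one; missing files are skipped."""
    found = {}
    for d in dirs:
        path = os.path.join(d, "mms.cfg")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[path] = fh.read()
        except OSError:
            continue
    return found

# Constructed sample contents, keyed by a made-up host label.
SAMPLES = {
    "host-a": "# constructed sample\nAutoUpdateDisable=1\nProtectedMode=0\n",
    "host-b": "ProtectedMode=1\n",
    "host-c": "#ProtectedMode=0\nSilentAutoUpdateEnable=1\n",
    "host-d": "\ufeffprotectedmode = 0\r\n",
}

if __name__ == "__main__":
    for path in audit(read_host_configs()):
        print("Protected Mode disabled in", path)
```

Once the Flash crash is resolved by an update, removing the line or setting it back to `ProtectedMode=1` restores the sandbox.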


