Pale Moon updated to 26.0.2!


Post by Moonchild » 2016-02-03, 13:05

This is a bugfix, security and web compatibility release.

Changes/fixes:
  • Removed the sanity check for unsupported point-of-sale XP-based operating systems by user request.
    Please see the relevant boards for information on which operating systems we can reasonably support.
  • Changed the way "transparent" is handled in Goanna to improve transparent gradients using this keyword.
    We now handle linear gradients going to "transparent" without going through a "black point" causing grey/silver to appear in fades from color to transparent, but without compromising on the color gradients that might be present when opacity changes.
  • Made sure that dom.disable_beforeunload is predefined in about:config.
  • Fixed web compatibility issues with YouTube, YouTube Gaming, Yuku fora and Netflix.
  • Fixed web compatibility with Comcast/XFinity webmail and other sites or web applications that expect older JavaScript versions as default.
    If you've had issues with 26.0.0 using on-line services, please try again with this version.
  • Reinstated the about:config warning by default, with a proper alternative text.
  • Fixed 2 potential browser crashes.
Security fixes:
  • Updated NSS to 3.19.4.1-PM to fix a potential UAF and CVE-2015-7575.
    For people building from source: we currently do not support building with a system-installed NSS because our version is forked for extra functionality and differences in built-in certificate trust.
    It's strongly recommended to build Pale Moon with in-tree NSPR as well as in-tree NSS to keep those libraries at expected versions for the Pale Moon code.
  • Crash fix: Prevented queueing multiple media sources that could lead to unsafe memory access.
  • Prevented unsafe memory manipulations in zip archives. (CVE-2016-1945) (DiD)
  • Prevented a potential buffer overflow in WebGL. (x64 only) (CVE-2016-1935) (DiD)
  • Updated the way binaries are code-signed. Not only does v26.0 use a new SHA256-signed digital certificate, but starting with this version, binaries will also be signed with both SHA1 and SHA256 digest algorithms to satisfy later Windows versions' code-signing requirements.
DiD: This means that the fix is "Defense-in-Depth": it is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

Note: version 26.0.1 was an internal development/testing release that was not published due to a critical flaw that would cause hangups.