Pale Moon updated to 27.7.2

Post by Moonchild » 2018-02-01, 12:53

Pale Moon has been updated to 27.7.2, a security and stability update.

Changes/fixes:
  • Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
  • Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre. [DiD]
    This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
  • Improved the debug-only startup cache wrapper to prevent a rare crash.
  • Fixed a crash in the XML parser.
  • Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) [DiD]
  • Fixed a potential race condition in the browser cache.
  • Fixed a crash in HTML media elements (CVE-2018-5102)
  • Fixed a crash in XHR using workers.
  • Fixed a crash with some uncommon FTP operations.
  • Fixed a potential race condition in the JAR library.

[DiD] This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
Last edited by Moonchild on 2018-02-01, 12:54, edited 1 time in total.
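The 1 ms timer granularity described in the changelog above can be illustrated and checked with the following added example, which is not part of the original post and is not Pale Moon code. It assumes clamping is done by rounding down to a multiple of the granularity (the post does not state the rounding mode); all function names and the simulated clock, which counts in integer microseconds, are constructed for illustration.

```javascript
// Added example: constructed clocks in integer microseconds, not Pale Moon source.

// Quantize a raw timestamp down to a multiple of `granularity`
// (assumed rounding mode: floor), as a clamped timer would report it.
function clampTimestamp(raw, granularity) {
  return Math.floor(raw / granularity) * granularity;
}

// Estimate a clock's effective granularity: the smallest non-zero step
// seen between consecutive readings, in the clock's own units.
function estimateGranularity(clock, samples = 10000) {
  let prev = clock();
  let smallest = Infinity;
  for (let i = 0; i < samples; i++) {
    const now = clock();
    const step = now - prev;
    if (step > 0 && step < smallest) smallest = step;
    prev = now;
  }
  return smallest; // Infinity: the clock never advanced while sampling
}

// Constructed raw clock that advances `step` microseconds per read,
// standing in for an unclamped high-resolution timer.
function makeRawClock(step) {
  let reads = 0;
  return () => reads++ * step;
}

// Duration an observer would measure for an operation that really starts
// at `start` and lasts `duration`, when both readings are clamped.
function measuredDuration(start, duration, granularity) {
  return clampTimestamp(start + duration, granularity) -
         clampTimestamp(start, granularity);
}

const FINE = 5;      // constructed 5 µs timer
const CLAMPED = 1000; // 1 ms granularity, as in 27.7.2

const raw = makeRawClock(FINE);
const clamped = () => clampTimestamp(raw(), CLAMPED);

console.log("clamped clock step:", estimateGranularity(clamped), "µs");
// A 20 µs and an 80 µs operation are distinct on the fine timer but
// produce the same reading once the timer is clamped to 1 ms.
console.log("fine:   ", measuredDuration(10200, 20, FINE), measuredDuration(10200, 80, FINE));
console.log("clamped:", measuredDuration(10200, 20, CLAMPED), measuredDuration(10200, 80, CLAMPED));
```

To check a real browser, call `estimateGranularity(() => performance.now(), n)` in the console with `n` large enough for sampling to span several milliseconds; the result is then in milliseconds.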