Pale Moon 29.4.2 released

Post by Moonchild » 2021-11-09, 11:19

This is a security update.

Changes/fixes:
  • Fixed a spec compliance issue with IDN that could potentially cause confusion of domain names.
  • Fixed several intermittent thread sanity issues. DiD
  • Fixed a potential UAF risk in certain situations in networking. DiD
  • Fixed a potential crash risk (not exposed). DiD
  • Fixed a potential spoofing risk using form validation. (CVE-2021-38508)
  • Fixed a script sandbox escape issue through XSLT. (CVE-2021-38503)
  • Added a preference to enable compatibility mode with earlier TLS 1.3 specifications. See implementation notes.
  • Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 1 already applied, 4 DiD, 7 not applicable.
Security notice: If you have enabled HTTP Alternative Services for Opportunistic Encryption, it is strongly recommended you disable this at this time through Preferences -> Security -> Opportunistic Encryption -> Enable HTTP Alternative Services for Opportunistic Encryption. This inherently weak transitional technology for http -> https has been compromised and can be abused (partial opt-in bypass). Note that our platform default for this setting (and any other OE) is disabled due to these kinds of inherent risks, as well as lack of transparency about the connection and server contacted. See CVE-2021-38507 for more details about this problem.

Implementation notes:
  • A preference (security.ssl.enable_tls13_compat_mode) was added to allow users to enable TLS 1.3 compatibility mode that uses an older draft specification of the protocol. A restart of the browser is required when you change this preference. Please note that you should only use this option if you strictly require it for e.g. outdated proxies, load-balancers or middleware, as it potentially weakens your connection security.
  • FUEL was removed (again). If extensions that used FUEL weren't updated to account for this since the clear warning 3 months ago when we removed it in 29.4.0 and temporarily reinstated it to give extension developers more time to address this issue, then they will no longer function properly with this release.
DiD = defense-in-depth
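The notice above asks users to check two profile preferences by hand. The following script is an added example, not Pale Moon project code or part of the post: it parses a prefs.js / user.js file in the usual `user_pref("name", value);` format and flags the two settings the release warns about, then emits the user.js lines that lock them back to the safe value. The TLS preference name (security.ssl.enable_tls13_compat_mode) comes from the implementation notes; the preference behind the Alternative Services checkbox is assumed here to be network.http.altsvc.oe (the Mozilla platform name), since the post only gives the UI path. The sample profile at the bottom is constructed for the example.

```python
"""Audit a Pale Moon prefs.js / user.js for the two settings this release
notice warns about: Alt-Svc opportunistic encryption and TLS 1.3 draft
compatibility mode. Added example; not Pale Moon project code."""
import re

# One pref line, e.g.  user_pref("network.http.altsvc.oe", true);
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\);\s*$')

# Pref name -> (value that is risky, why). The TLS pref name comes from the
# release notes; "network.http.altsvc.oe" is an ASSUMPTION: the notes only
# name the UI path, and this is the Mozilla pref behind that checkbox.
RISKY = {
    "network.http.altsvc.oe": (
        True, "HTTP Alt-Svc opportunistic encryption enabled (CVE-2021-38507)"),
    "security.ssl.enable_tls13_compat_mode": (
        True, "TLS 1.3 draft-spec compatibility mode enabled; weakens TLS"),
}


def parse_value(raw):
    """Convert the textual pref value to bool / int / str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    try:
        return int(raw)
    except ValueError:
        return raw  # unrecognised literal; keep as text


def parse_prefs(text):
    """Return {pref_name: value} for every pref()/user_pref() line.
    Comment lines and anything else are ignored; a later duplicate wins,
    matching how the browser applies the file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs):
    """Return [(pref, reason)] for each risky setting present.
    A pref that is absent keeps the platform default, which the notice
    says is disabled, so only explicit risky values are reported."""
    return [(name, why) for name, (bad, why) in RISKY.items()
            if prefs.get(name) == bad]


def remediation(findings):
    """user.js lines that lock the flagged prefs back to the safe value.
    Both audited prefs are booleans whose safe value is false."""
    return ['user_pref("%s", false);' % name for name, _ in findings]


# Constructed sample profile, not taken from a real installation.
SAMPLE_PREFS = """\
// Mozilla User Preferences (constructed sample)
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1636000000);
user_pref("browser.startup.homepage", "https://www.palemoon.org/");
user_pref("network.http.altsvc.oe", true);
user_pref("security.ssl.enable_tls13_compat_mode", false);
"""

if __name__ == "__main__":
    found = audit(parse_prefs(SAMPLE_PREFS))
    for name, why in found:
        print("RISKY %s: %s" % (name, why))
    for line in remediation(found):
        print("fix: " + line)
```

Run it against your own profile by replacing SAMPLE_PREFS with the contents of prefs.js from the profile directory (with the browser closed, so the file is not rewritten underneath you); as the notes say, changing the TLS compatibility pref only takes effect after a restart.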