Pale Moon 25.5 has been published!

Pale Moon releases and site news
User avatar
Pale Moon guru
Pale Moon guru
Posts: 29663
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Pale Moon 25.5 has been published!

Post by Moonchild » 2015-06-10, 12:34

Pale Moon 25.5 has been released to the public.

This version of the browser sees many under-the-hood changes, fixes the Logjam vulnerability, and adds a specific indicator for mixed-mode web pages.

  • Logjam fix: Refuse DHE keys with less than 1024 key bits. For more information, check
  • Search plugin updates to re-enable Google suggestions and reduce tracking (Squarefractal)
  • Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will not be used for the "master switch" for OOPP and Flash will still be in the plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll boolean is set to override.
    This is to help people with specific issues with Flash running poorly in the plugin container in Pale Moon or causing issues on secondary monitors.
  • Fixed a crash during WebGL Conformance Tests for undefined indices (Toady)
  • HSTS preload list updates (Squarefractal)
  • Status bar locale addition: cs
  • Implemented a fix for the toolkit update service so that the same version as the current application will not be offered as a valid update (Tobin)
  • Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync)
  • Disabled the Sync promo box in doorhangers.
  • Updated libpng to version 1.5.22
  • Fixed support for builds using newer freetype on Linux. (Axiomatic)
  • Fixed --with-system-pixman builds. (Isaac Dunham)
  • Updated SQLite to version
  • Changed the after-upgrade page loaded to the release notes instead of the home page.
    (and hoping people actually do take a moment to read them, preventing unnecessary support requests)
  • Fixed navigator.geolocation - should never be null, to properly adhere to the specification for real this time (Travis)
  • Moved paintlock event delay to greprefs, and adjusted it for 2015's heavier sites
    This should prevent the infamous "briefly flashing web site display without styling"
  • Fixed the about dialog scripting for pre-release builds (includes build date now as-intended and no longer errors the script)
  • Reorganized how pushed floats are handled in layout flow
  • Implemented a change to run the updater from the install directory instead of copying it.
    This prevents potential security issues as well as elevation issues on some setups.
  • Fixed transparency of the Pale Moon document icon for 256x256
  • Updated padlock code:
    • Added mixed-mode shading (yellow), and reorganized shading pref values more logically
      (0=off, 1=secure only, 2=secure+mixed, 3=all)
    • Cleaned up CSS
    • Cleaned up padlock logic a little
  • Hard-coded internal UA sniffing values for the extension legacy of devtools
  • Updated NSPR to 4.10.8
  • Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon changes
  • Bumped the built-in site-specific UA compat mode overrides to v38
    To prevent these sites from starting to complain again about "too old firefox"
  • Fixed a rare compressed-cache crash due to losing our cache entry while finishing up compression.
  • Updated and patched libcubeb, the main media sound library, to fix a number of audio issues (e.g. when switching output device) and audio-related crashes
  • Added the option to load modules into a named scope
  • Removed quick access keys for buttons on the updater window (since it may pop up unannounced when people are typing, causing them to make unintended choices)
  • Updated jemalloc and mozjemalloc memory allocator libraries to improve performance
  • Removed implicit access to a whole range of internally-used interfaces and classes that page content has no business calling anyway
  • Added a preference for always preferring a certain dictionary language.
    To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.
More information about changes in this version that would be important for extension developers and web programmers can be found here.

Security fixes:
  • Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and CVE-2015-2709)
  • DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
  • Fix for updater hijacking (CVE-2015-2720)
  • Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
  • Fix for a buffer overflow in the XML parser (CVE-2015-2716)
  • Fix for a potentially exploitable crash in DNS handling
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss