Pale Moon 27.2 released!

Post by Moonchild » Sat Mar 18, 2017 1:49 pm

This is a major update to the browser with a focus on back-end improvements and security.

Changes/Fixes:

  • Updated the ICU lib to 58.2 to fix a number of issues.
  • Added proper control for the user for offline storage for web applications.
  • Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
  • Added the feature to pass a URL to open in a private window from the command-line.
  • Improved the display of the downloads indicator on the button in bright-text situations.
  • DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
  • Allowed toolbar button badges to be properly styled.
  • Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
  • Fixed desktop notifications being off-screen if fired in rapid succession.
  • Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
  • Added support for JPEG-XR images.
    This makes Pale Moon have the broadest support for image formats of all web browsers.
    (enabled by default; you can disable this with media.jxr.enabled).
  • Completely removed the use of GStreamer on Linux.
  • Added support for Element.innerText.
  • Custom toolbars should now properly remember their state.
  • Fixed some more playback issues with MP4/MSE videos.
    Please be aware that we are still working on further improving MSE video handling.
  • Changed media processing to reduce dangerous processing asynchronicity.
    This should also make media elements and playback more responsive.
  • Fixed a useragent string regression always displaying the minor Goanna version as .0
  • Updated NSPR to 4.13.1.
  • Updated NSS to 3.28.3-RTM.
  • Fixed unrestricted icon sizes in PMkit buttons.
  • Fixed unresponsive buttons on support page when not building the updater.
  • Fixed the use of "View image" and "Save image as" on extremely large images.
  • Changed the way "View Image" and "Save image as" work on canvas elements.
  • Made checking for dangerously large resolution PNG images smarter.
    It will now accept larger "strip"-aspect ratio images while reducing unsupported large image resolutions.
    This will e.g. fix Gmail's "emoji" window that uses a ridiculously long but very narrow single image to store all the emoticon pictures.
  • Converted several hard-coded URLs to preferences.
  • Updated the google.com override so it would not cripple services based on UA sniffing.
  • Added Inner and Outer Window ID administration.
  • Fixed the add-on discovery pane detection.
  • Added support for canvas ellipse.
  • Improved drawing of certain MathML elements at problematic zoom levels.
  • No longer building gamepad support.
  • Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
  • Fixed a number of crashes (layout, plugins, uncommon navigation, bad URLs).
  • Aligned SVG specular filters with the spec.

Security/privacy changes:

  • Added support for 256-bit AES-GCM encryption.
  • Added support for ChaCha20-Poly1305 encryption.
  • Removed support for Camellia-GCM since nobody seems interested in it.
    (Camellia in 128/256-bit CBC block mode is still fully supported)
  • Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
  • Improved status handling of secure sites to be less sensitive to "insecure" items that are local.
  • Fixed print preview hijacking. (CVE-2017-5421)
  • Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
  • Fixed potential cross-origin content-stealing through a timing attack. (CVE-2017-5407) DiD
  • Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
  • Fixed crash in directional controls. (CVE-2017-5413)
  • Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
  • Fixed the use of an uninitialized value. (CVE-2017-5405)
  • Fixed a buffer overflow. (CVE-2017-5412)
  • Fixed a UAF situation. (CVE-2017-5403)
  • Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
  • Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
  • Fixed a potential issue with HTTP auth. (CVE-2017-5418)
  • Fixed several memory safety hazards and potentially exploitable crashes. DiD

DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

Programmer - an organism that turns coffee into software.