MX 15 Repository: The palemoon thread

Stevo
Forum Veteran
Posts: 19291
Joined: Fri Dec 15, 2006 8:07 pm

Re: MX 15 Repository: The palemoon thread

#251

Post by Stevo » Thu Dec 06, 2018 5:29 pm

Pale Moon has been updated to 28.2.2 in the main repository, from 28.2.1 that I forgot to enter here.
28.2.2:

Changes/fixes:

Changed the about:feeds icon for external applications to a generic icon, since that kind of access to executables is no longer allowed for security reasons.
Fixed issues with copying/pasting bookmarks in the Library View.
Fixed a crash occurring when using HTTP pipelining over some (broken) proxies.
Fixed several issues with animated WebP display (animations stopping, corrupted frames on lossy images, etc.)
Fixed an issue with the display of truncated GIF images.
Fixed an issue with deleting recent history not working properly.
Fixed incorrect duplicate compatibility mode preferences in about:config.

28.2.1:

This is a bugfix release to address critical usability issues with the bookmarks/history window.

#252

Post by Stevo » Wed Jan 16, 2019 5:29 pm

Pale Moon 28.3.0 is now in the main repository and should be propagating through the mirrors.

This is a major development and bugfix release. Packaging changes include shipping a much better copyright file and also shipping copies of the MPL 1.1 and MPL 2 licenses.
Changes/fixes:

Added AV1 support for MP4/MSE videos. Please note that this is a reference library implementation and the upstream decoding lib currently has poor performance for higher resolutions (720p+). This is disabled by default; use the about:config preference media.av1.enabled to enable this codec.
Changed the API used for video playback with FFmpeg 58+. This should solve performance issues with VPx.
Redesigned the main toolbar icons as SVG images to make them HiDPI compliant.
Fixed the sync notification (infobar) icon.
Fixed a potential cycle collector resource leak.
Added icons and controls to tabs to indicate if sound is playing in the tab and if so, allowing the user to mute it with a click.
This is a native implementation of the API in use in Basilisk and performs the same function as the "expose noisy tabs" extension, although the extension may still be preferred by some for e.g. skinning capabilities. The feature may be disabled with browser.tabs.showAudioPlayingIcon.
Removed support for VR hardware.
Fixed out-of-bounds sizes for CSS calculation strings.
Removed the DirectShow component since it is no longer necessary.
Removed Firefox Accounts integration, phase 1:
Changed the Sync client to the one from Tycho.
Made Sync optional at build time.
Stopped trying to cater to addons.mozilla.org since they no longer offer anything useful to Pale Moon after the Great XUL Extension Purge™.
Added an option to process favicons for optimal sized display and removing animations. Enable this with browser.chrome.favicons.process
Fixed an incorrect preference reference in feed reader.
Fixed an issue with lazy frame construction on display:contents elements. This should solve e.g. the use of mathjax in comments on stackoverflow.
Media code improvements and cleanup (ongoing).
Updated the DropBox useragent override to solve login issues.
Fixed potential crashes due to shutdown observers in VTT and font lists. (DiD)
Enabled some mistakenly-disabled optimizations in the JS JIT compiler.
Fixed several potential crashes in JS. (DiD)
Fixed several potential crashes in WebCrypto. (DiD)
Fixed a potential crash in JS Range Analysis. (DiD)
Fixed a potential crash in the layout engine due to combo boxes. (DiD)
Fixed a potential shutdown crash in non-standard environments related to 2D Canvas. (DiD)
Fixed a potential overflow in the PNG writer. (DiD)
Fixed a potential double-free in the MAR signing utility. (DiD)
Fixed an issue where URLs could be extracted cross-origin (CVE-2018-18494).
Updated NSPR to v4.20.
Updated NSS to 3.41, providing (among other things) full compatibility with the final version of TLS 1.3 on websites.
Updated location.protocol to the latest spec.
Updated Intersection Observers to the latest spec and enabled them by default.
Updated the SQLite lib to 3.26.0.
Fixed errors about the login manager's recipeManager not being available (yet).
Switched status bar download arrow to SVG.
Fixed a crash in IntersectionObservers.
Fixed initialization of the Search service from browser code to avoid synchronous init.
Added logging of performance warnings to devtools consoles.
Fixed favicons in taskbar tab preview listings.
Blocked Comodo IS dll < version 6.3 to prevent startup crashes.
Fixed issues in the HTML form submit observer module.
Limited resolving depth of CSS variables to a sane maximum (fixes cras.sh issue).
Removed Mozilla's proprietary constructor on WebAudio's AudioContext, aligning it with the standard specification.
Exposed the previously hidden preference in about:config for page thumbnail generation (some people prefer this for local privacy).
Aligned Element.ScrollIntoView with the DOM specification. This improves, among other things, compatibility with the React framework.

DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

#253

Post by Stevo » Sat Jan 26, 2019 2:35 pm

Updated to 28.3.1 in main:

This is a minor bugfix and stability release.

If you are using a language pack, please make sure you have the matching version for this browser version installed. Some strings were added for Captive Portal detection (see below) and outdated language packs will cause blank preference pages.
Changes/fixes:

• Improved toolbar icon display for all DPIs on Windows.
• Disabled the IntersectionObserver API by default while we work on resolving crashes caused by it.
• Added isIntersecting to the IntersectionObserver API per specification.
• Added an option to the preferences window to enable Captive Portal detection (Advanced -> General). If your network connection regularly encounters Captive Portals (e.g. using a laptop on the road or other WiFi connections that require login or agreement to terms) then enabling this detection may make your use of such networks more convenient.
For those worried about privacy: the detection service makes use of our own infrastructure and does not contact third parties like Apple or Google.

#254

Post by Stevo » Wed Feb 20, 2019 12:18 am

Pale Moon 28.4.0 is now in the main repo and making its way through the mirrors. Changes include:
This is a major development, stability and security release.

Changes/fixes:

Removed more telemetry code from the platform.
Fixed implementation of the IntersectionObserver API to avoid crashes, and enabled it by default.
Switched to the new ffmpeg decode API to avoid dropping of frames.
Fixed a buffering issue in the WebP decoder that caused intermittent browser crashes.
Improved resource-efficiency for internal stopwatch timers.
Improved handling of incorrectly-encoded CTTS in media files, resolving some playback issues of videos.
Improved the Cycle Collector and Garbage Collector.
Improved fullscreen navigation bar handling in the situation it has focus when switching to full screen.
Aligned instanceof with the final ES6 spec.
Improved Windows DIB (bitmap) clipboard data handling.
Exposed TLS 1.3 cipher suite prefs in about:config in case people want to disable them individually.
Allowed empty string on the location.search setter to clear URL query parameters from JS.
Added a potential fix for external links not opening in the current window/tab (untested).
Enabled C++11 thread-safe statics in the entire application.
Updated several preferences for integration with the new add-ons site.

Security fixes:

Fixed a potential use-after-free in IndexedDB code. (DiD)
Improved proxy handling to avoid localhost getting proxied. (CVE-2018-18506)
Ported upstream Skia fixes. (CVE-2018-18356, CVE-2018-18335)
Fixed an additional Skia issue. (CVE-2019-5785)
Fixed several potentially-exploitable memory safety hazards and crashes. (DiD)
Fixed a possible data race when performing compacting GC.

DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

cyrilus31
Forum Regular
Posts: 780
Joined: Thu Nov 03, 2016 3:24 pm

#255

Post by cyrilus31 » Tue Mar 19, 2019 4:23 pm

@Stevo : I don't know if you can do something about that but libfontconfig1 2.13 is missing in antiX.

#256

Post by Stevo » Tue Mar 19, 2019 4:50 pm

cyrilus31 wrote: Tue Mar 19, 2019 4:23 pm
@Stevo : I don't know if you can do something about that but libfontconfig1 2.13 is missing in antiX.

I'm not really sure why you're bringing this up in an MX 15 Pale Moon thread, since I build them in "clean" Jessie and Stretch sbuild environments, as far as I know...I know we have libfontconfig1 2.13 in the test repo to fix that Arial font style bug. AntiX might be reluctant to update it from the stock Stretch version, but MX 18 had to do it to support GIMP 2.10.X.

#257

Post by cyrilus31 » Tue Mar 19, 2019 6:17 pm

My mistake. Wrong thread. Palemoon won't install on antiX because of missing libfontconfig1 >=2.12 version.

#258

Post by Stevo » Thu Mar 28, 2019 1:41 pm

Pale Moon 28.4.1 is now available in the main repository.
This is a security and bugfix update.

Fixed hover state arrows on some controls.
Fixed potential denial-of-service issues involving FTP (loading of subresources and spamming errors).
Disabled Microsoft Family Safety (Win 8.1) by default. This prevents security issues as a result of a local MitM setup.
Added several site-specific overrides (Firefox Send and polyfill.io) to work around website UA-sniffing issues.
Implemented the origin-clean algorithm for controlling access to image resources.
Cleaned up the helper application service code.
Ported applicable security fixes from Mozilla (CVE-2019-9791, CVE-2019-9792, CVE-2019-9796, CVE-2019-9801, CVE-2019-9793, CVE-2019-9794, CVE-2019-9808 and ZDI-CAN-8368).
Implemented several defense-in-depth measures (for CVE-2019-9790, CVE-2019-9797, CVE-2019-9804, and a JavaScript issue).
Fixed several memory safety hazards and crashes.
Binaries are now code-signed again (including the setup program for the installer).
The Pale Moon package now also provides www-browser and gnome-www-browser for any desktop metapackages that require one of those virtual browser packages.

#259

Post by Stevo » Wed May 01, 2019 3:14 pm

Updated to 28.5.0 in the main repo:
* New upstream major development and bugfix release:
- Redesigned the about box.
- Added "Check for updates" menu entries to the AppMenu and classic menu (since the About box redesign no longer has application update in it).
- Restored the app.update.url.override pref for AUS testing/override.
- Added "Loop" control to html5 video.
- Fixed a crash with frames (e.g. when using Tile Tabs).
- Fixed an issue with textarea placeholders (spec compliance).
- Removed the Windows Maintenance Service one last time.
- Improved http basic auth DoS heuristics.
- Fixed an issue on big-endian machines (e.g. PPC64/linux).
- Removed e10s code from widgets.
- Preffed the various http "Accept" headers and aligned with the Fetch spec (except for image requests).
- Aligned URLSearchParams with the spec.
- Updated several site-specific UA overrides.
- Fixed "Yet Another special case of a flex frame being the absolute containing block"™
- Fixed border drawing when the tab bar is hidden.
- Pref-controlled and disabled the use of unboxed plain objects in JavaScript's JIT compiler.
- Improved handling of interrupted connections through proxies and pseudo-VPN extensions.
- Removed contextual identity.
- Updated the 7zip installer stub to a much more recent code version.
- Fixed an issue with applying percentages to 0 in layout sizes.
- Fixed an issue with calculating linear sums in JS JITed code.
- Added default value feature to get*Pref() preference functions.
- Fixed an issue that would occasionally overwrite the new tab custom URL.
- Updated the SQLite library to 3.27.2
- Killed the crashreporter toolkit files and exception handler hooks.
- Fixed an issue with a missing border on the tab bar when on the bottom.
- Fixed a crash with badly-formatted SVG files.
- Showed the robots to the exit after squatting in the browser for decades.
- JavaScript: Implemented TC39 toString() revision proposal.
- Rearchitectured the JavaScript front-end parser to provide better and more logical parsing of JS code.
- Removed support code and leftovers for unsupported SunOS, AIX, BEOS, HPUX and OS/2 operating systems.
- Fixed a scrollbar arrow issue on OS X.
- Removed all Firefox Accounts code.
- Made the CSS parser more robust and aligned url() behavior with the CSS3 spec in case of bad input.
- Fixed an issue with blocklist updates not actually dynamically applying due to a wrong URL.
- Updated the embedded emoji font to the TweMoji v11.4.0 equivalent.
- Fixed an issue with async/deferred scripts preventing page loads from completing.

#260

Post by Stevo » Fri Jun 07, 2019 8:22 pm

Updated to 28.5.2 in the main repo. Changes include:

- Restored a global getBoolPref() function shortcut for extension compatibility with old extensions.
  - If you are currently using this global function, please change it to Services.prefs.getBoolPref()
- Fixed an issue with the UI when the address bar was removed from the navigation toolbar.
- Fixed an issue with scripting of the Help menu.
- Fixed a crash resulting from non-standard manipulation of XML stylesheets by extensions.
- Fixed Aero Peek (taskbar previews) on Windows.
- Fixed browser.link.open_newwindow functionality.
- Removed the default handler for webcal since the site doesn't seem to be properly maintained.
- Prevented some ways smart places queries could be abused for social engineering attacks.
- Ported an upstream Skia fix.
- Improved the origin-clean algorithm for canvases.
- Improved the efficiency of certain types of memory allocations in the JavaScript compiler.
- Changed the way the application update checker code is hooked up so it will not require a user to go idle before being activated.
  - This solves the primary issue with application updates not notifying users as promptly as they should; more improvements are slated for the next major release.
- Applicable security issues fixed: CVE-2019-7317, CVE-2019-11701, CVE-2019-11698, CVE-2019-9817 (DiD), CVE-2019-11700, CVE-2019-11696, CVE-2019-11693, and several potentially exploitable crashes and memory safety hazards that do not have a CVE number assigned to them.
