MX 17/18 Repository: The Pale Moon Browser Thread

Stevo
Developer
Posts: 12774
Joined: Fri Dec 15, 2006 8:07 pm


#1 Post by Stevo »

We now have an update of the popular Pale Moon browser in the main repository. 27.6.0, a major development update, has a long list of changes, which can be viewed here: https://github.com/MoonchildProductions ... n/releases
Pale Moon offers you a browsing experience in a browser completely built from its own, independently developed source that has been forked off from Firefox/Mozilla code a number of years ago, with carefully selected features and optimizations to improve the browser's stability and user experience, while offering full customization and a growing collection of extensions and themes to make the browser truly your own.
Last edited by Stevo on Fri Sep 13, 2019 1:50 pm, edited 1 time in total.


Re: MX 17 Repository: The Pale Moon Browser Thread

#2 Post by Stevo »

Minor security/bugfix update 27.6.2 is now in the main repository:
Changes/fixes:

- Implemented the concept of so-called "cookie-averse document objects" which is a security & privacy measure that blocks certain web content from setting cookies. This mitigates cookie-injection, which might help against "hidden" cookie tracking.
- Mitigated some domain name spoofing through IDN by using dotless-i and dotless-j with accents. (CVE-2017-7832)
  Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar.
  Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. As such, some other issues like CVE-2017-7833 are already mitigated by us.
- Fixed an issue with mixed-content blocking. (CVE-2017-7835)
- Added an extra check for the correct signature data type on certificates.
- Added missing sanitization in exporting bookmarks to HTML. (CVE-2017-7840)
- Fixed several crashes and memory safety hazards.
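
An added illustration of the dotless-i/dotless-j item in the changelog above (this is not Pale Moon's code and not part of the original post): a Python check that flags a hostname label in which a dotless i or j is directly followed by a combining mark, and keeps that label in punycode for display. The function names, the per-label fallback policy and the sample hosts are assumptions made for the example.

```python
import unicodedata

# Dotless i (U+0131) and dotless j (U+0237): with a combining accent on top
# they render almost exactly like an ordinary accented i or j.
DOTLESS = {"\u0131", "\u0237"}

def to_unicode(label: str) -> str:
    """Decode an ACE ("xn--") label to Unicode; return other labels unchanged."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # malformed punycode: keep the raw label
            return label
    return label

def label_is_suspicious(label: str) -> bool:
    """True if a dotless i/j is immediately followed by a combining mark."""
    text = unicodedata.normalize("NFD", label)
    return any(prev in DOTLESS and unicodedata.combining(cur) != 0
               for prev, cur in zip(text, text[1:]))

def display_host(host: str) -> str:
    """Hostname as an address bar could show it: suspicious labels stay ACE."""
    shown = []
    for raw in host.split("."):
        label = to_unicode(raw)
        if label_is_suspicious(label):
            label = "xn--" + label.encode("punycode").decode("ascii")
        shown.append(label)
    return ".".join(shown)

# Constructed sample hosts (hypothetical, not taken from the post).
SPOOF = "f\u0131\u0301le.example"        # dotless i + combining acute
GENUINE = "f\u00edle.example"            # precomposed i-acute
TURKISH = "\u0131\u015f\u0131k.example"  # plain dotless i, no accent on it

if __name__ == "__main__":
    for h in (SPOOF, GENUINE, TURKISH):
        print(ascii(h), "->", ascii(display_host(h)))
```

Legitimate uses of a bare dotless i (as in Turkish) and ordinary precomposed accented letters pass through unchanged; only the dotless-letter-plus-accent sequence falls back to punycode.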


Re: MX 17 Repository: The Pale Moon Browser Thread

#3 Post by Stevo »

Pale Moon 27.7.0 has landed in the main repository. The release notes for this update can be viewed here.

As a side note, I'm also looking for anyone with a 64-bit Ubuntu 17.10 system to test an experimental gcc-6 version, which is the first version I've been able to build for that release on the openSUSE Build Service. Currently it's sitting in the system, but not published, since Pale Moon developers are wary of any builds done on anything except gcc-4.9.

The zip of the Ubuntu deb is here: https://drive.google.com/open?id=1k0PhN ... Iw2Xw9sc5M


Re: MX 17 Repository: The Pale Moon Browser Thread

#4 Post by Stevo »

Pale Moon 27.7.1 has now landed in the main repository.
This is a minor emergency update to address website breakage and a theme issue (theme issue Windows only).

Changes/fixes:

Added support for Array.prototype[@@unscopables].
Unfortunately, the addition of JavaScript's ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank or not complete loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature.


Re: MX 17 Repository: The Pale Moon Browser Thread

#5 Post by Stevo »

Pale Moon 27.7.2 has landed in the main repository. Notably it further "fuzzes" the timer resolution to defeat any Spectre attacks.
- Changed the X-Content-Type-Options: nosniff behavior to only check
"success" class server responses, for web compatibility reasons.
- Changed the performance timer resolution once more to a granularity of
1 ms, after evaluating more potential ways of abusing Spectre. This
takes the most cautious approach possible lacking more information
(because apparently NDAs have been signed over this between mainstream
players), follows Safari's lead, and should make it not just infeasible
but downright impossible to use these timers for nefarious purposes in
this context.
- Improved the debug-only startup cache wrapper to prevent a rare crash.
- Fixed a crash in the XML parser.
- Added a check for integer overflow in AesTask::DoCrypto()
(CVE-2018-5122) DiD
- Fixed a potential race condition in the browser cache.
- Fixed a crash in HTML media elements (CVE-2018-5102)
- Fixed a crash in XHR using workers.
- Fixed a crash with some uncommon FTP operations.
- Fixed a potential race condition in the JAR library.


Re: MX 17 Repository: The Pale Moon Browser Thread

#6 Post by Stevo »

I've since found out that the builds on Ubuntu 17.10 and Debian testing against gcc-4.9 were failing because of a bug in libc6 2.26. I tried again today and was successful on Buster because of a fixed libc6 that has rolled into testing, but 17.10 is stuck with the bugged version. So I'm going to add Buster builds of palemoon and palemoon-nonsse2 to my main Pale Moon OBS repo, as well as offer the palemoon-repackbinaries version to all users, just in case they prefer that one.

Relevance: antiX that uses the Buster repos.

MX-16_fan
Posts: 331
Joined: Mon Feb 13, 2017 12:09 pm

Re: MX 17 Repository: The Pale Moon Browser Thread

#7 Post by MX-16_fan »

@all:

One general question: Would you consider saving login passwords in Pale Moon to be "safe"?


Greetings, and thanks in advance for your answers, Joe


Re: MX 17 Repository: The Pale Moon Browser Thread

#8 Post by Stevo »

MX-16_fan wrote:
@all:

One general question: Would you consider saving login passwords in Pale Moon to be "safe"?

Greetings, and thanks in advance for your answers, Joe

Not if someone gets access to your browser for a minute so they can look at them; that's the same as in Firefox. Using a "password safe" solution is going to be more secure.


Re: MX 17 Repository: The Pale Moon Browser Thread

#9 Post by MX-16_fan »

@Stevo:
Stevo wrote:
MX-16_fan wrote:
@all:

One general question: Would you consider saving login passwords in Pale Moon to be "safe"?

Greetings, and thanks in advance for your answers, Joe

Not if someone gets access to your browser for a minute so they can look at them; that's the same as in Firefox. Using a "password safe" solution is going to be more secure.

What if nobody got access to the computer running, but to the HDD (e.g. by stealing the computer)?


Greetings, Joe


Re: MX 17 Repository: The Pale Moon Browser Thread

#10 Post by Stevo »

OK, I did a little research, and Pale Moon, like Firefox, has the option to add a Master password before anyone can access your stored password. So no passerby or thief can access them. They are encrypted either way in your profile, but the Master password keeps others out.
