LAGUN

25.5.0 (2015-06-10)
This is an important maintenance update with mostly under-the-hood changes.

Fixes/changes:
  • Logjam fix: Refuse DHE keys with less than 1024 key bits
  • Search plugin updates to re-enable Google suggestions and reduce tracking (Squarefractal)
  • Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will not be used for the "master switch" for OOPP and Flash will still be in the plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll boolean is set to override.
  • Fixed a crash during WebGL Conformance Tests for undefined indices (Toady)
  • HSTS preload list updates (Squarefractal)
  • Status bar locale addition: cs
  • Implemented a fix for the toolkit update service so that the same version as the current application will not be offered as a valid update (Tobin)
  • Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync)
  • Disabled the Sync promo box in doorhangers.
  • Updated libpng to version 1.5.22
  • Fixed support for builds using newer freetype on Linux. (Axiomatic)
  • Fixed --with-system-pixman builds. (Isaac Dunham)
  • Updated SQLite to version 3.8.10.1
  • Changed the after-upgrade page loaded to the release notes instead of the home page.
    (and hoping people actually do take a moment to read them, preventing unnecessary support requests)
  • Fixed navigator.geolocation - should never be null, to properly adhere to the specification (Travis)
  • Moved paintlock event delay to greprefs, and adjusted it for 2015's heavier sites
  • Fixed the about dialog scripting for pre-release builds (includes build date now as-intended and no longer errors the script)
  • Reorganized how pushed floats are handled in layout flow
  • Implemented a change to run the updater from the install directory instead of copying it.
  • Fixed transparency of the Pale Moon document icon for 256x256
  • Updated padlock code:
    - Added mixed-mode shading, and reorganized shading pref values more logically
    (0=off, 1=secure only, 2=secure+mixed, 3=all)
    - Cleaned up CSS
    - Cleaned up padlock logic a little
  • Hard-coded internal UA sniffing values for the extension legacy of devtools
  • Updated NSPR to 4.10.8
  • Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon changes
  • Bumped the built-in site-specific UA compat mode overrides to v38
  • Fixed a compressed-cache crash due to losing our cache entry while finishing up compression.
  • Updated and patched libcubeb, the main media sound library, to fix a number of audio issues (e.g. when switching output device) and audio-related crashes
  • Added the option to load modules into a named scope (see issue #88)
  • Removed quick access keys for buttons on the updater window (since it may pop up unannounced when people are typing, causing them to make unintended choices)
  • Updated jemalloc and mozjemalloc memory allocator libraries to improve performance
  • Removed implicit access to a whole range of internally-used interfaces and classes that page content has no business calling anyway
  • Added a preference for always preferring a certain dictionary language.
    To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.
More information about changes in this version that would be important for extension developers and web programmers can be found here.

Security fixes:
  • Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and CVE-2015-2709)
  • DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
  • Fix for updater hijacking (CVE-2015-2720)
  • Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
  • Fix for a buffer overflow in the XML parser (CVE-2015-2716)
  • Fix for a potentially exploitable crash in DNS handling
https://www.palemoon.org
 

Petrovic

Pale Moon switches to Goanna engine, ditches Gecko
Pale Moon, the open source Firefox-based web browser that uses the Gecko engine, is to use a new layout and rendering engine, Goanna, from Pale Moon 26.0 onwards, which is in alpha stage and in development. Gecko is a fork of Goanna. “We are working on a new milestone release, Pale Moon 26, which is currently in alpha state, which will debut a new layout and rendering engine: Goanna.”

Why switch to Goanna from Gecko?

“The technical problem with how Pale Moon (and FossaMail) carry the “Gecko” revision is that it is currently, similar to Firefox, tied to the product version. The problem is, however, that “our” 25.0 is nothing alike “their” 25.0 – and this is carried through to the Gecko platform version as well. This causes problems, because it leads to confusion about what is and is not supported when “Gecko 25.0” is found by a website, web application, or extension. There is no “closest match” to current revisions of gecko anymore, and even if there was, it would still just be an approximation. This isn’t a situation that can be solved in the current setup and versioning of the browser, so it needs an actual change – this change is why Goanna now exists.”



This change will impact extensions.

Transition or how the change to Goanna takes place

  • The identifying name of the engine will be changed to “Goanna” throughout the code where applicable.
  • The version of the engine will be reset to 1.0 on the first release, and will, from that point forward, carry its own, independent, milestone.major.minor[.point] version independent of the products it is used in (similar to how Mozilla used a non-product-bound version of Gecko in Firefox prior to 4.0).
  • The Platform Version will change accordingly. For the sake of compatibility, we are planning to at least keep the original Gecko-equivalent (from an extension point of view) of the platform version present, and expose the Goanna version separately so as to break as little third party software as possible in this transition period.
  • Goanna will be put on the fast track for new major improvements and additions to the engine, while the current engine will be deprecated and receive fewer feature updates until the new milestone is ready for release. Of course, security and stability updates will continue to have priority on the current development “trunk”
At present, Pale Moon 25.5 is the stable version that uses Gecko.
Source
 

LAGUN

25.6.0 (2015-07-27)
This release addresses some security issues and a range of usability improvements to the browser.

Fixes/changes:
  • Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
  • Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.
  • Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.
  • The "autocomplete=off" parameter for signon forms is now completely ignored by default, to keep the user in control of their browser's behavior and allowing credentials to be saved if wished. If you prefer the previous behavior, allowing a website to determine whether autocomplete should be allowed or not, then change the about:config preference signon.ignoreAutocomplete to false.
  • Reinstated the packaging of pre-compiled scripts in the browser. Hopefully this will fix the reports by some users who found that initial start-up after installation/upgrade of the browser was unacceptably slow. Unfortunately this means a slightly larger download/install size as a trade-off.
  • Added the option to use Chrome://../skin/ overrides, in effect allowing the use of "Icon themes"; toolbar icon replacements to customize your browser icons without the need for any CSS or full-blown theming.
  • Added a count for the number of matches in the find bar. It will now list the total number of matches found, and which match is the currently highlighted one.
  • Fixed the issue where highlighted words after finding and highlighting them all in a page would remain highlighted when closing the find bar.
  • Added support for CSP 'nonce' keywords (CSP 1.1/2.0). Please note that this is still experimental and may not work 100% as-expected. Please report any bugs you may find.
  • Aligned CSP more with the spec in terms of reporting and case-sensitivity of matches, and made it more app-friendly.
  • Added -moz-os-version selectors for @media CSS queries to simplify theming on different operating systems (esp. Windows).
  • Updated and improved several languages for the Status Bar code, and added Slovenian.
  • Fixed an issue in the internal updater window not showing proper language strings.
  • Fixed an issue where the unexpected use of "backface-visibility" on non-3D transformed elements (like the body) would break positioned elements on web pages.
  • Fixed text positioning in the combobox display area when a non-default height is set for the combobox.
  • Fixed a crash caused by bad Opus audio encoding in media files.
  • Fixed a crash when trying to measure memory in about:memory while playing video.
  • Fixed a rare crash in sLayersAccelerationPrefsInitialized
  • Fixed miscellaneous other crashes.
  • Fixed a DNS prefetching issue for the people using this feature.
  • Fixed an issue with single-word searches from the address bar when a proxy is in use.
  • Fixed a number of build issues on Linux when using system libs.
  • Added support for link-time optimization on newer Linux compilers.
  • Removed more telemetry code (ongoing project!).
Security fixes:
  • Fixed a memory safety bug due to a bad test in nsZipArchive.cpp (CVE-2015-2735).
  • Fixed a memory safety bug in nsZipArchive::BuildFileList (CVE-2015-2736).
  • Fixed a memory safety bug caused by an overflow in nsXMLHttpRequest::AppendToResponseText (CVE-2015-2740).
  • Fixed a Use After Free in CanonicalizeXPCOMParticipant (CVE-2015-2722).
  • Fixed off-main-thread nsIPrincipal use of various consumers in the tree (only grab the principal when needed).
  • Fixed an issue where an IPDL message was sent off the main thread.
  • Fixed a potentially exploitable TCPSocket crash due to a race condition.
https://www.palemoon.org
 

LAGUN

25.7.0 (2015-08-26)
This is a bugfix and maintenance release.

Fixes/changes:
  • Code cleanup: Removed the (otherwise unused) visual event tracer code.
  • Code cleanup: Removed reflow performance tracing code (telemetry).
  • Fixed a key JavaScript bug where defining properties on an object would wipe the object.
    This seems to be a common issue with "modern" libraries that use "define" instead of "change" and expect the other properties on the object to be retained, resulting in "x is undefined" errors all over the place if the object is wiped.
    This aligns the behavior with ES6's "Validate and apply property descriptor" pseudo-function.
  • Updated the SQLite library to 3.8.11.1.
  • Added support for the element.matches() Web API function.
  • Added support for BASE tag parsing in source view. Previously, when viewing the source of a document, clickable links would be incorrect if a base path was specified in the document with this tag.
  • Fixed an issue with running timers after the computer would have been put to sleep with the browser opened.
Security fixes:
  • Added protection against potential bugs where our SVG mPositions is out of sync with the characters in the DOM. DiD
  • Fixed use-after-free vulnerability in XMLHttpRequest::Open() (CVE-2015-4492)
  • Fixed use-after-free vulnerability in the StyleAnimationValue class (CVE-2015-4488)
  • Fixed crash or memory corruption in nsTArray (CVE-2015-4489)
  • Fixed crash or memory corruption in nsTSubstring::ReplacePrep (CVE-2015-4487)
  • Fixed potential escalation of privileges or crash (out-of-bounds write) via a crafted name in MARs (x64 only) (CVE-2015-4482)
  • Fixed an issue that would allow man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. (CVE-2015-4483)
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

https://www.palemoon.org
 

Petrovic

Pale Moon 25.7.1
Changelog (v25.7.1):
Fixes/changes:
  • Code cleanup: Removed the majority of remaining telemetry code (including the data reporting back-end and health report) to prevent a few issues with partially removed code in earlier versions.
  • Fixed a crash due to handling of bogus URIs passed to CSS style filters (e.g. whatsapp's web interface).
  • Permitted spec-breaking syntax in Regex character classes, allowing ranges that would be permitted per the grammar rules in the spec but not necessarily following the syntax rules. This impacts a good number of (also higher profile) sites that use invalid ranges in regular expressions (e.g. Cisco's networking academy site, Yahoo Fantasy Football).
  • Fixed a crash due to the newly introduced WASAPI handling of audio channel mapping that doesn't like actual surround hardware setups (e.g. playing a video with quadraphonic audio on a 4-speaker setup).
  • Fixed an issue where site-specific dictionary selections would be written to content preferences without the user's action, potentially overwriting or clearing a previously-chosen dictionary.
  • Added support for drag and drop of local files from sources which use text/uri-lists. (Some Linux flavors/file managers)
  • Updated libnestegg to the most current version.
  • Fixed an issue where setting the location to an empty string could cause a reload loop.
Security fixes:
  • Changed the jemalloc poison address to something that is not a NOP-slide. DiD
  • Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521)
  • Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179)
  • Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175)
  • Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504)
  • Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day vulnerability (ZDI-CAN-3176) (CVE-2015-4509)
  • Fixed a potentially exploitable crash in nsXBLService::GetBinding
  • Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy (CVE-2015-7174)
  • Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength (CVE-2015-4522)
  • Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers (CVE-2015-4511)
Pale Moon - Release Notes

Installer (32-bit) (20.28 MB): http://relmirror.palemoon.org/release/palemoon-25.7.1.win32.installer.exe
Installer (64-bit) (23.49 MB): http://relmirror.palemoon.org/release/palemoon-25.7.1.win64.installer.exe

Portable (32-bit) (21.93 MB): http://relmirror.palemoon.org/release/Palemoon-Portable-25.7.1.win32.exe
Portable (64-bit) (26.49 MB): http://relmirror.palemoon.org/release/Palemoon-Portable-25.7.1.win64.exe

Language Packs: Pale Moon - Language Packs
 

Petrovic

Pale Moon 25.7.2

v25.7.2 (2015-10-02):
  • Fixed a critical hang caused by recursive reloads that might happen in iframes if its hash changed.
  • Fixed a critical hang caused by lazy-loading of stylesheets through a specific web programming technique as advocated by Google's PageSpeed.
Pale Moon - Release Notes

Installer (32-bit) (20.29 MB): http://relmirror.palemoon.org/release/palemoon-25.7.2.win32.installer.exe
Installer (64-bit) (23.49 MB): http://relmirror.palemoon.org/release/palemoon-25.7.2.win64.installer.exe

Portable (32-bit) (21.93 MB): http://relmirror.palemoon.org/release/Palemoon-Portable-25.7.2.win32.exe
Portable (64-bit) (26.49 MB): http://relmirror.palemoon.org/release/Palemoon-Portable-25.7.2.win64.exe

Language Packs: Pale Moon - Language Packs

Windows XP / Server 2003
Pale Moon Atom/WinXP builds
http://relmirror.palemoon.org/release/palemoon-25.7.2.Atom.WinXP.installer.exe
http://relmirror.palemoon.org/release/palemoon-25.7.2.Atom.WinXP.zip
 

Petrovic

25.7.3 (2015-10-14)

This is a usability update needed due to the fact that Mozilla has shut down their key exchange (J-PAKE) server along with the old Sync servers. This was unexpected and required us to set up our own key server (testing indicates this works as-expected, but please do report any issues on the forum) - which also required reconfiguration of the browser.
Please note that older versions of the browser will no longer be able to link devices to a sync account using the 12-character code since it requires a Mozilla server no longer present. If you need this functionality, you must update to this version or later.


Installer (32-bit) : http://relmirror.palemoon.org/release/palemoon-25.7.3.win32.installer.exe
Installer (64-bit) : http://relmirror.palemoon.org/release/palemoon-25.7.3.win64.installer.exe

Portable (32-bit) : http://relmirror.palemoon.org/release/Palemoon-Portable-25.7.3.win32.exe
Portable (64-bit) : http://relmirror.palemoon.org/release/Palemoon-Portable-25.7.3.win64.exe

Language Packs: Pale Moon - Language Packs

Windows XP / Server 2003
Pale Moon Atom/WinXP builds
http://relmirror.palemoon.org/release/palemoon-25.7.3.Atom.WinXP.installer.exe
http://relmirror.palemoon.org/release/palemoon-25.7.3.Atom.WinXP.zip
 

floalma

I prefer Privacy Badger as I already installed it on Firefox and I like it. I would like to install the Palemoon.
 