03-18-2017 , 09:05 PM
http://www.palemoon.org/releasenotes.shtml Pale Moon: Release notes
27.2.0 (2017-03-18)
This is a major update to the browser with a focus on back-end improvements and security.
Changes/Fixes:
Updated the ICU lib to 58.2 to fix a number of issues.
Added proper control for the user for offline storage for web applications.
Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
Added the feature to pass a URL to open in a private window from the command-line.
Improved the display of the downloads indicator on the button in bright-text situations.
DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
Allowed toolbar button badges to be properly styled.
Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
Fixed desktop notifications being off-screen if fired in rapid succession.
Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
Added support for JPEG-XR images.
This makes Pale Moon have the broadest support for image formats of all web browsers.
(enabled by default; you can disable this with media.jxr.enabled).
Completely removed the use of GStreamer on Linux.
Added support for element.innerText.
Custom toolbars should now properly remember their state.
Fixed some more playback issues with MP4/MSE videos.
Please be aware that we are still working on further improving MSE video handling.
Changed media processing to reduce dangerous processing asynchronicity.
This should also make media elements and playback more responsive.
Fixed a useragent string regression always displaying the minor Goanna version as .0
Updated NSPR to 4.13.1.
Updated NSS to 3.28.3-RTM.
Fixed unrestricted icon sizes in PMkit buttons.
Fixed unresponsive buttons on support page when not building the updater.
Fixed the use of "View image" and "Save image as" on extremely large images.
Changed the way "View Image" and "Save image as" work on canvas elements.
Made checking for dangerously large resolution PNG images smarter.
It will now accept larger "strip"-aspect ratio images while reducing unsupported large image resolutions.
This will e.g. fix Gmail's "emoji" window that uses a ridiculously long but very narrow single image to store all the emoticon pictures.
Converted several hard-coded URLs to preferences.
Updated the google.com override so it would not cripple services based on UA sniffing.
Added Inner and Outer Window ID administration.
Fixed the add-on discovery pane detection.
Added support for canvas ellipse.
Improved drawing of certain MathML elements at problematic zoom levels.
No longer building gamepad support.
Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
Fixed a number of crashes (layout, plugins, uncommon navigation, bad URLs).
Aligned SVG specular filters with the spec.
Security/privacy changes:
Added support for 256-bit AES-GCM encryption.
Added support for ChaCha20-Poly1305 encryption.
Removed support for Camellia-GCM since nobody seems interested in it.
(Camellia in 128/256-bit CBC block mode is still fully supported).
Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
Improved status handling of secure sites to be less sensitive to "insecure" items that are local.
Fixed print preview hijacking. (CVE-2017-5421)
Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
Fixed potential cross-origin content-stealing through a timing attack. (CVE-2017-5407) DiD
Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
Fixed crash in directional controls. (CVE-2017-5413)
Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
Fixed the use of an uninitialized value. (CVE-2017-5405)
Fixed a buffer overflow. (CVE-2017-5412)
Fixed a UAF situation. (CVE-2017-5403)
Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
Fixed a potential issue with HTTP auth. (CVE-2017-5418)
Fixed several memory safety hazards and potentially exploitable crashes. DiD
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
https://www.virustotal.com/en/file/0caca.../analysis/
SHA256: 0caca3dd8fdf4810f2cecfd2df8e6afd9ac04370fe2f2d4ad392f3c4dd8c1a54
File name: palemoon-27.2.0.win32.installer.exe
Detection ratio: 0 / 61
Analysis date: 2017-03-18 19:14:54 UTC ( 40 minutes ago )
Signing date 1:57 PM 3/16/2017
Signers
[+] Markus Straver
[+] StartCom Class 2 Object CA
[+] StartCom Certification Authority
Counter signers
[+] COMODO SHA-256 Time Stamping Signer
[+] USERTrust (Code Signing)
Packers identified
F-PROT UPX, NSIS, appended, 7Z, Unicode
VirusTotal metadata
First submission 2017-03-18 17:24:18 UTC ( 2 hours, 31 minutes ago )
Last submission 2017-03-18 19:14:54 UTC ( 40 minutes ago )
File names palemoon-27.2.0.win32.installer.exe
https://www.virustotal.com/en/file/b5e0b.../analysis/
SHA256: b5e0bb15a08046a7b46a5f378bef5bc077cb19c46c253d134afd402ebc694e87
File name: palemoon-27.2.0.win64.installer.exe
Detection ratio: 0 / 61
Analysis date: 2017-03-18 18:49:00 UTC ( 1 hour, 8 minutes ago )
Signing date 1:57 PM 3/16/2017
Signers
[+] Markus Straver
[+] StartCom Class 2 Object CA
[+] StartCom Certification Authority
Counter signers
[+] COMODO SHA-256 Time Stamping Signer
[+] USERTrust (Code Signing)
Packers identified
F-PROT UPX, NSIS, 7Z, Unicode
VirusTotal metadata
First submission 2017-03-18 15:01:50 UTC ( 4 hours, 55 minutes ago )
Last submission 2017-03-18 18:49:00 UTC ( 1 hour, 8 minutes ago )
File names palemoon-27.2.0.win64.installer.exe
https://www.virustotal.com/en/file/83cea.../analysis/
SHA256: 83cea442a5ad0c35c69189995465f5d14223b81ae81704f4606d337741cce6c6
File name: Palemoon-Portable-27.2.0.win32.exe
Detection ratio: 0 / 61
Analysis date: 2017-03-18 18:13:14 UTC ( 1 hour, 44 minutes ago )
Copyright © 1999-2016 Igor Pavlov
Product 7-Zip
Original name 7z.sfx.exe
Internal name 7z.sfx
File version 16.02
Description 7z SFX
Signature verification Signed file, verified signature
Signing date 12:36 PM 3/17/2017
Signers
[+] Markus Straver
[+] StartCom Class 2 Object CA
[+] StartCom Certification Authority
Counter signers
[+] COMODO SHA-256 Time Stamping Signer
[+] USERTrust (Code Signing)
Packers identified
F-PROT AutoIt, 7Z, UPX, UTF-8
VirusTotal metadata
First submission 2017-03-18 17:27:47 UTC ( 2 hours, 30 minutes ago )
Last submission 2017-03-18 18:13:14 UTC ( 1 hour, 44 minutes ago )
File names 7z.sfx.exe
Palemoon-Portable-27.2.0.win32.exe
7z.sfx