Hold on your palemoon horses! Danger!

  All new Palemoon 27.9.1 is out (stardate: 20180507)

Did we or did we NOT say that this space is for users, by users, and it would be nobody’s puppet?  WE DID SAY IT!  So no developer/s will coerce this here pen to write supportive statements when they don’t deserve it, we have nothing to gain but everything to lose if we start playing these games.

In LIGHT of this intrusion into our systems’ security Palemoon has decided to utilize its  plug-in update check (which runs at every start and can possibly be disabled in about:config)  to pass a script that will disable a security feature.  That makes palemoon “malicious” in our book!  It is using an acceptable and known feature to do something else!

Read the comments below and those on palemoon’s forum (those that were not blocked by the emperor palemoon himself that is).  We will do research on what is at stake but from this moment we consider palemoon a problem, or at least not a solution.

We shall return where there is more light thrown into the subject and hopefully we are wrong, because we have relied on palemoon for most of our browsing and editing this blog.

, for those that don’t know, and for those who liked Firefox in the past but thought it got overloaded in recent time, is a great browser.  It avoids some of the nasty dependencies of late popular browsers and does what they all do with less resources.  Meanwhile it keeps current with all the late security concerns.

Read the release notes of this edition to get an idea of how serious of a project this is.  It is all I use so I am recommending it.

http://www.palemoon.org/releasenotes.shtml

To install it in any linux system use the installer script and keep it around as it also does removals, updates, and fixes a broken installation, if that ever happens to anyone.

Pale Moon: Release notes

27.9.1 (2018-05-07)

This is a maintenance release.

Changes/fixes:

• Removed the unused/incomplete places protocol handler.
• Worked around an issue with MSE media without a Track ID. This should help with the playability of some live streams.
• Ported across jemalloc improvements from UXP.
• Ported across cairo mutex improvements from UXP.
• Added support for FFmpeg 4.0/libavcodec 58.
• Added a fix for Windows 10’s “isAlpha()” not being what one would expect in v1803.

 27.9.0 (2018-04-17)

This is the last major development update for the v27 milestone (codenamed “Tycho”).
After this, we will be focusing our efforts for new features entirely on UXP and the new v28 milestone building on it. We will continue to support v27.9 with security and stability updates for a while, but no major new features will be added from this point forward.

Changes/fixes:

• Fixed a number of spec compliance issues in our media subsystem.
• Added a trailing slash to referrers when policy is set to fix some web compatibility issues.
• Fixed the property order in Object.getOwnPropertyNames(string) and others for web compatibility.
• Updated RegExp(RegExp object, flags) to the ES6 standard specification.
• Changed the embedded font from the no longer free EmojiOne to the open-licensed Twemoji (with additional fixes). This also further extends unicode support to Unicode 10 emoji(s). Please note that as a result, color emoji(s) will look different than before.
• Adjusted some things in our memory allocator code to provide, among other things, better allocation alignment on Windows.
• Made the attempt to migrate people from the old sync server domain name to the current one more aggressive. We will be retiring the old pmsync.palemoon.net Sync server address shortly to remove the need for us to maintain a security certificate for it; this preference migration should automatically put everyone on the correct server address (pmsync.palemoon.org) when upgrading.
• Made reading of the sessionstore synchronous, to speed up startup and prevent the homepage from being loaded when restoring a session.
• Added a fix to switch to the correct window/tab when a web notification is clicked.
• Changed the placeholder text to not include “Search” when all search functions from the address bar are disabled.
• Enabled the use of Skia for canvas on Linux and OSX.
• Worked around a potential cause for some non-standard bitmapped fonts ending up with incorrect line heights (I’m looking at you, Noto fonts!).
• Added a workaround for incorrectly-encoded JPEG-XR images with planar alpha. Ultimately, the jxrlib reference implementation should be fixed to encode according to spec.
• Aligned XCTO:nosniff allowed script MIME types with the updated spec.
• Improved the logic for storing vector images in the surface cache.
• Fixed character set handling for XMLHttpRequests.

27.8.3 (2018-03-28)

This is a small update to address a pervasive crashing issue.

Changes/fixes:

• Backed out some responsive layout code that caused intermittent but not uncommon crashes in the browser depending on window sizes and page content.

27.8.2 (2018-03-22)

This is a security update.

Changes/fixes:

• Privacy fix: prevented update checks for the default theme.
• Added a user-agent override for Dropbox to improve compatibility with their service.
• Fixed an issue with mouseover handling related to (CVE-2018-5103). DiD
• Disabled the Mac OSX Nano allocator. DiD
• Fixed (CVE-2018-5129) OOB Write.
• Updated the lz4 library to 1.8.0 to solve potential issues. DiD
• Fixed (CVE-2018-5137) Path traversal on chrome:// URLs
• Fixed several memory safety an synchronicity hazards.

DiD This means that the fix is “Defense-in-Depth”: It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

27.8.1 (2018-03-06)

This is a small update to address some breaking issues.

Changes/fixes:

• Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general operational instability and handshake issues.
• Disabled TLS 1.3 draft support by default, because with the NSS backout we only support an older draft right now that is no longer current and may cause connectivity issues. You can manually re-enable it at your own risk in about:config by setting security.tls.version.max to 4.

Latest version: 27.8.1

If you prefer not to use the installer, you can download a tar.bz2 here instead. To use, simply extract the tarball anywhere you like and execute the “palemoon” file inside it, or follow the instructions here if you want to install manually. Please be sure to download the correct archive that matches the architecture of your OS.

Download links:

Download x64 tar.bz2 (direct download)
Size: 41.13 MB
SHA-256 checksum: a33dcdf4d03d05ec3d634e94411c72ad300cf1c16d69247ce831071b378a7938
PGP signature: [Sig]

Download x86 tar.bz2 (direct download)
Size: 41.91 MB
SHA-256 checksum: d4c518cffc362e361b3ddf930a8f542fade24b1578b6a73b997bbf783061decd
PGP signature: [Sig]

27.8.0 (2018-03-02)

This is a development update with new and improved features and bugfixes.

Changes/fixes:

• Added support for emojis on Windows systems that have relatively poor support for them with standard font sets by including our own font (EmojiOne based for now).
• Added a setting in preferences to select the use of tab previews with Ctrl+Tab.
• Added Eyedropper menu entry to the AppMenu.
• Added a preference to control whether the text cursor (caret) should be thicker when dealing with CJK characters or not (default = yes).
• Added URL fix-ups for schemes (mis-typed “ttp://” etc.).
• Added support for ES6 “Symbol species”.
• Updated our TLS 1.3 support to the latest (probably final) draft.
• Fixed gap inconsistency in the tabstrip.
• Fixed a number of browser crashes.
• Fixed a crash with the exponentiation operator “**“
• Set the performance timer granularity to 1 ms.
• Updated the kiss-fft library to our forked 1.4.0 version.
• Disabled a potentially problematic optimization on Win 8+ with high contrast themes in use.
• Removed the notification bar when in full screen to prevent unwanted visible screen elements.
• Removed unmaintained and insecure WebRTC code – building with WebRTC enabled is no longer an option.
• Removed redundant checks for “Vista or later” since that is all we support.
• Added display of the http status to raw request displays.
• Added a workaround for cloned videos not retaining their muted state.
• Added a temporary workaround to avoid crashes on trackless media.
• Removed some superfluous ellipses from menu labels.
• Fixed undesired shrinking of line heights as a result of setting minimum font size in preferences.
• Fixed some issues with setting the new tab preference (regression).

Installation:

Installation, uninstallation and updates can be managed using the pminstaller tool. You can also download Pale Moon for Linux as a bzipped tarball that can be extracted and run from any location on your system.

Additionally, you can install one of these fully-endorsed third-party builds of Pale Moon for Linux:

• Pale Moon repositories for Debian and Ubuntu — maintained by Steve Pusser
• Pale Moon SlackBuild packages — maintained by khronosschoty
• Pale Moon repacks for Ubuntu and Debian — maintained by László Kovács
• Pale Moon for Linux – SSE-only build — maintained by Walter Dnes

Pale Moon: Release notes

Latest version: 27.7.2

If you prefer not to use the installer, you can download a tar.bz2 here instead. To use, simply extract the tarball anywhere you like and execute the “palemoon” file inside it, or follow the instructions here if you want to install manually. Please be sure to download the correct archive that matches the architecture of your OS.

Download links:

Download x64 tar.bz2 (direct download)
Size: 41.13 MB
SHA-256 checksum: 8ab2ee9fac45cd0804c0922bb599b46652a213efc203add4992aa4f4ba0f0ff0
PGP signature: [Sig]

Download x86 tar.bz2 (direct download)
Size: 41.91 MB
SHA-256 checksum: 6dded8cb96db38a7a418e9bb491ab8ae681275b4ceef636a0afae3ea85ebb3fd
PGP signature: [Sig]

For more information, please read the release notes.

27.7.1 (2018-01-18)

This is a minor emergency update to address website breakage and a theme issue.

Changes/fixes:

• Added support for Array.prototype[@@unscopables].
  Unfortunately, the addition of Javascript’s ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank or not complete loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature.
• Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows.

 27.7.0 (2018-01-15)

This is a stability and bugfix release, as well as adding a number of new features to further improve web compatibility.

Changes/fixes:

• Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from “Options” to “Preferences” on Windows).
• Renamed “Restart with add-ons disabled” to “Restart in Safe Mode” to better reflect what it does.
• Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
• Fixed an issue on Mac builds not properly populating the application menu.
• Added “My home page” as an option for new tabs.
• Added an option to disable the 4th and 5th mouse buttons (Windows).
  (mouse.button4.enabled and mouse.button5.enabled, respectively)
• Improved the resetting of non-default profiles.
• Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
• Made several more improvements to the details/summary tags to align them with the current spec and fix some additional bugs.
• Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers.
  (this should fix layout issues with Twitch’s new web interface)
• Fixed an issue where CSS clone operations would draw a border.
• Changed the way fractional border widths are rounded to provide more natural behavior.
• Fixed an issue where number inputs would incorrectly be flagged as read-only.
• Added assets for tile display in the Windows start panel.
• Finished sync infra swapover by adding a one-time pref migration for server used.
• Improved WebAudio API: Return the connected audio node from AudioNode.connect()
• Added support for a default playback start position in media elements.
• Fixed an assert in cubeb-alsa code (Linux).
• Added support for media cue-change events (e.g. subtitles).
• Updated SQLite to 3.21.0.
• Fixed a crash when trying to use the platform embedded.
• Fixed devtools (gcli) screenshots on vertical-text pages.
• Fixed devtools copy as cURL for POST requests.
• Improved the HTML editor component (several bugfixes).
• Added support for ES7’s exponentiation a ** b operator.
• Fixed an issue with arrow functions incorrectly creating an ‘arguments’ binding.
• Added Javascript’s ES6 “unscopables”.

Security/privacy fixes:

• Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.
• Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data.
• Removed the sending of referrers when opening a link in a new private window.
• Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing whether they are being actively displayed to the user or not.
• Removed the “ask every time” policy for cookies. For granular control, please use any of the excellent available extensions to regulate cookie use on a per-site or per-url basis.
• Added support for X-Content-Type-Options: nosniff (for scripts).
• Changed the resolution of performance timers to a level where any future potential abuse for hardware-timing attacks becomes impractical. DiD

DiD This means that the fix is “Defense-in-Depth”: It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.