
Pale Moon - Release Notes


http://www.palemoon.org/releasenotes.shtml


Pale Moon: Release notes


12/06/2015 18:28

25.5.0 (2015-06-10)
This is an important maintenance update with mostly under-the-hood changes.
Fixes/changes:
Logjam fix: Refuse DHE keys with less than 1024 key bits
Search plugin updates to re-enable Google suggestions and reduce tracking (Squarefractal)
Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will not be used for the "master switch" for
OOPP and Flash will still be in the plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll boolean is
set to override.
Fixed a crash during WebGL Conformance Tests for undefined indices (Toady)
HSTS preload list updates (Squarefractal)
Status bar locale addition: cs
Implemented a fix for the toolkit update service so that the same version as the current application will not be offered
as a valid update (Tobin)
Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync)
Disabled the Sync promo box in doorhangers.
Updated libpng to version 1.5.22
Fixed support for builds using newer freetype on Linux. (Axiomatic)
Fixed --with-system-pixman builds. (Isaac Dunham)
Updated SQLite to version 3.8.10.1
Changed the after-upgrade page loaded to the release notes instead of the home page.
(and hoping people actually do take a moment to read them, preventing unnecessary support requests)
Fixed navigator.geolocation - should never be null, to properly adhere to the specification (Travis)
Moved paintlock event delay to greprefs, and adjusted it for 2015's heavier sites
Fixed the about dialog scripting for pre-release builds (includes build date now as-intended and no longer errors the
script)
Reorganized how pushed floats are handled in layout flow
Implemented a change to run the updater from the install directory instead of copying it.
Fixed transparency of the Pale Moon document icon for 256x256
Updated padlock code:
- Added mixed-mode shading, and reorganized shading pref values more logically
(0=off, 1=secure only, 2=secure+mixed, 3=all)
- Cleaned up CSS
- Cleaned up padlock logic a little
Hard-coded internal UA sniffing values for the extension legacy of devtools
Updated NSPR to 4.10.8
Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon changes
Bumped the built-in site-specific UA compat mode overrides to v38
Fixed a compressed-cache crash due to losing our cache entry while finishing up compression.
Updated and patched libcubeb, the main media sound library, to fix a number of audio issues (e.g. when switching
output device) and audio-related crashes
Added the option to load modules into a named scope (see issue #88)
Removed quick access keys for buttons on the updater window (since it may pop up unannounced when people are
typing, causing them to make unintended choices)
Updated jemalloc and mozjemalloc memory allocator libraries to improve performance
Removed implicit access to a whole range of internally-used interfaces and classes that page content has no business
calling anyway
Added a preference for always preferring a certain dictionary language.
To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.
More information about changes in this version that would be important for extension developers and web programmers can
be found here.
Security fixes:
Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and
CVE-2015-2709)
DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
Fix for updater hijacking (CVE-2015-2720)
Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
Fix for a buffer overflow in the XML parser (CVE-2015-2716)
Fix for a potentially exploitable crash in DNS handling

25.4.1 (2015-05-10)
This is a small but important update to the previous major release to address some critical issues:
Fixed loss of the browser's disk cache on startup due to incorrect corruption detection logic
Fixed a browser crash on some HTML5 games

25.4.0 (2015-05-08)
IMPORTANT: If you use a language pack, make sure to update it to the latest version! We do have automatic updates
enabled for language packs but please double-check that the version matches. If you are using an older language pack with
this version of the browser, some dialog boxes may come up blank.
This is a major update - too much has changed for this little blurb to do it justice so please see below for the most important
changes/fixes in this release:
Fixes/changes:
Updated SQLite from 3.7.17 to v3.8.8.3, improving history/bookmark/etc. performance by up to 50% depending on
operation
Added a new "mixed-mode" state for HTTPS connections. Clarified mixed-mode connections with a mixed-mode
padlock and better tooltips.
Added a conditional partial shading to the URL bar and made it default (shading only on secure sites, no red shading
at all by default).
Dev: Fixed file system mode flags for *nix systems, to make executable files like scripts actually flagged as
executable
Added native IPv6 lookups to NSPR to solve IPv6-only and dual-stack setups in some situations
Added a pref to control the unloading of idle plugins from memory and lowered the default "idle" time to 60 seconds
before plugins are unloaded
Fixed version strings for e.g. Flash on Linux being displayed with commas instead of periods - this should also fix the
incorrect "your plugin is vulnerable" message while being on the latest version
Windows: Set the double-click/Ctrl+arrow word selection to not eat the space (only select the actual word)
Android: DNS fix for VPN connections, preventing the "server not found" issues people have been reporting for
certain VPN providers on mobile
Updated a number of trusted root certificates, and distrusted the CNNIC root certificate by popular demand
Linux: Worked around the slice memory allocator not being properly disabled on later GLib versions
Android: updated the random number generator handling on later versions of Android
Added fix to prevent spurious re-paints with plugins (performance/UX improvement)
Removed the plugin check link from the Addons Manager, since it's no longer reliable and not officially available for
browsers except Mozilla Firefox. (Bonus: no user profiling/tracking through optimizely!)
Optimized the NSS callback for secure connections
Updated the domains that are whitelisted for installation of extensions/themes/personas, streamlining the use of
addons.palemoon.org
Added personas support to titlebar text (adopt the lightweight theme's coloring/shading) in custom titlebar mode (Pale
Moon appmenu/button)
Added display of HTTPS protocol (SSL/TLS) to the page info window (thanks Travis!)
Improved certificate display: Removed MD5 and added SHA256 fingerprint, and made them selectable/copyable
Updated classification of secure connections: Classify any encryption with less than 128 bits or including RC4 (if
manually enabled, see previous version notes) as weak.
Dev: Added availability of the full ciphersuite string for use in extensions to the nsISSLStatus interface
(nsISSLStatus.cipherSuite)
Added MAKE_UNLINKABLE to the about: page redirector and added that as default for the reader mode on Android
Removed the compilation and inclusion of a one-time-use pre-compiled startup cache in omni.ja, reducing overall
application size significantly and avoiding a number of quirks of both the build process and the operation of the
browser
Fixed an NVIDIA specific GLX server vendor bug for pixmap depth and fbConfig depth
Removed most telemetry code, reducing code complexity and wasted CPU
Linux: Added OSS support (mutually exclusive with ALSA): configure with --enable-oss
Made DNS caching a lot less aggressive to align the browser's behavior with the dynamic nature of the modern web.
Removed Mozilla-specific parameters for searches. Search suggestions should now work again for Google searches
Added the option to allow users to use a fixed (JSON) file-based geolocation response in favor of a GeoIP service.
Dev: Improvements to Clang builds (thanks Axiomatic/BitVapor!). Clang is not currently producing stable builds on
Linux, so please use GCC for that operating system.
Linux: removed GnomeVFS that's no longer in use
Fixed the "double padlock while loading a secure site" niggle in the UI
Dev: added allowance of using -moz-appearance:none on drop-down lists to hide the arrow button (catering to custom
styling of the control)
Added some more ES6 math/number functions:
Implemented Math.fround(x)
Implemented Number.isSafeInteger(x)
Implemented Math.clz32(x)
Security fixes:
Fixed several memory safety hazards (UAF/DF/UU); applicable bugs covered by CVE-2015-0814 and
CVE-2015-0815
Fixed CVE-2015-0811 [qcms] heap info leak
Fixed CVE-2015-0810 clickjacking attacks via a Flash object in conjunction with DIV elements
Fixed CVE-2015-0801 a variant of CVE-2015-0818
Fixed CVE-2015-0800 improve randomness of DNS resolver queries on Android
Fixed CVE-2015-0798 access to privileged URLs through about: redirector

25.3.2 (2015-04-25)
This release is an emergency update to fix crashes that started occurring because of Mozilla improperly signing the
extensions and extension updates as offered through the Firefox Add-ons site addons.mozilla.org. Any improperly signed
extension would not be able to be installed, and would immediately crash the browser.
No other changes were made in this release - this is a bugfix for this particular issue only.

25.3.1 (2015-03-25)
This is a security update to the browser to address a critical vulnerability found in the Pwn2Own contest. Only one
vulnerability found in this contest applies to Pale Moon, which has been addressed in this update.
Fixes/changes:
Fixed security vulnerability CVE-2015-0818. This vulnerability would allow remote attackers to bypass the Same
Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash
navigation.
Fixed IPv6 DNS resolution regression in some less common cases.

25.3.0 (2015-03-13)
This is an important update to improve features and performance, as well as address important security issues.
Fixes/changes:
Overhauled WebGL. It now properly supports depth textures, shadow mapping and glow shaders.
Note that older operating systems or older/embedded video processors may be limited in their support of these
features.
Updated the ANGLE library to a much more current version.
Removed the crash reporter code completely to improve overall browser responsiveness and operation.
Please note that a necessary victim of this has been the in-browser (devtools) SPS profiler because of its reliance on
crash reporter data-gathering tools.
Removed the Mozilla Plugin Finder Service (no longer in use @Mozilla).
Android: removed the Mozilla "product announcements" service.
Re-added control of the number of concurrent tabs to be restored from a session with
browser.sessionstore.max_concurrent_tabs (accepted values 1-10)
Significantly improved performance and accuracy of date/time/timer handling.
Significantly improved performance of the creation of DOM elements with plain text content.
Added several significant performance optimizations for arrays and strings in JavaScript.
Added several code performance optimizations and bugfixes in SVG, the presentation shell, SCTP, style gradients and
CSS parsing routines. (Thanks, Axiomatic!)
Added an "Open link in current tab" context menu entry on links for UI consistency.
Updated styling of the browser with personas (lightweight themes) once more to improve display in tabs-on-top mode,
improve overall legibility of tab text, and display of inverted close buttons on some controls on dark personas.
Added a special case check for the Flash plugin version check on Linux failing due to commas instead of periods in
the version string.
Added Windows 10 compatibility in executable manifests.
Android: Fixed a crash on GL canvas surfaces.
Fixed incorrect Sync "howto" instruction links from the Sync dialogs.
Fixed the color of selected tabs in Linux when personas (lightweight themes) are in use that do not match the overall
tone of the OS system theme.
Fixed a bug where a variable in parentheses would abort JavaScript parsing.
Fixed a bug where the address bar would incorrectly be cleared.
Fixed padding issues for dropdown lists.
Fixed DNS lookups so proper record types are requested for IPv4 and IPv6.
Security fixes:
Disabled all RC4-based encryption ciphers by default.
Fixed several miscellaneous memory safety hazards.
(applicable bugs related to CVE-2015-0835 and CVE-2015-0836)
Fixed loading of locally stored DLL files through the internal updater. (CVE-2015-0833)
Fixed a potential crash point in IndexedDB. (CVE-2015-0831) DiD
Fixed a double-free situation when using non-default memory allocators and a 0-length XHR. (CVE-2015-0828)
Note: production builds of Pale Moon were never vulnerable.
Fixed a crash using DrawTarget in the Cairo graphics library. (CVE-2015-0824)
Fixed potential reading of local files through manipulation of form autocomplete. (CVE-2015-0822)
Fixed a potential PNG heap-overflow crash. DiD
Followed up on research regarding CVE-2014-8639 (see 25.2) and made cookie handling through proxies more
restrictive again.
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in
Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the
problem.

Release notes for previous versions (unsupported)


You can find the release notes for previous releases of Pale Moon on the Archived Versions Release Notes page.
Firefox, Mozilla Firefox and Mozilla are registered trademarks of the Mozilla Corporation.
The Pale Moon product/project names and logo are a trademark of Moonchild Productions.
Site and contents 2009-2015 Moonchild Productions - All rights reserved
Pale Moon's distribution is subject to the following redistribution license
