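Pale Moon version history
Pale Moon is an open-source, Goanna-based web browser available for Microsoft Windows and Linux (with other operating systems in development), with a focus on efficiency and ease of use. Make sure to get the most out of your browser! Pale Moon offers you a browsing experience in a browser built entirely from its own independently developed source code, derived from Firefox / Mozilla code, with carefully selected features and optimizations that improve the browser's speed, resource use, stability and user experience, ...
Updated: 2017-08-22
Update details: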
What's new in this version:
Changes/fixes:
- Fixed a number of crashes
- Enabled the opt-in debugging feature to log SSL keys to a file in all builds
- Added a fix for TLS 1.3 handshakes causing a browser hangup
- Handshakes should be considerably faster now and no longer stall in the wrong circumstances
Security fixes:
- Updated NSPR to 4.15.
- Updated NSS to 3.31.1.
- Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
- Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
- Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
- Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781)
- Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
- Fixed a UAF in WebSockets (CVE-2017-7800)
- Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD (accessibility is disabled)
- DiD: This means that the fix is "Defense-in-Depth": it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem
Updated: 2017-08-03
Update details:
What's new in this version:
- Fixed an issue where media playback would not use hardware acceleration properly when using MSE
- This would cause high CPU usage and/or choppy playback for HD video on e.g. YouTube
- Fixed ES6 iterator chains to be spec-compliant
- Fixed ES6 vector append calls and some related memory leaks
- Added a workaround to reduce the likelihood of a potential rare (timing-critical) crash
Updated: 2017-07-14
Update details:
What's new in this version:
Changes/fixes:
- Completely re-worked the Media Source Extensions code to make it spec compliant, and asynchronous as per specification for MSE with MP4. This should fix playback problems on YouTube, Twitch, Vimeo and other sites that previously had some issues
- Added a control in options/preferences for HSTS and HPKP usage
- Changed HTML bookmark exports to write CRLF line endings to the file on Windows
- Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding)
- Fixed some issues accessing DeviantArt (useragent-sniffing)
- Aligned CSS text-align with the spec
- Added a recovery module for browser initialization issues (e.g. when using a wrong language pack)
- Fixed spurious console errors for XHR requests with certain http response codes
- Enabled v-sync aligned refresh for a smoother scrolling experience
- Removed support for CSS XP-theme media queries
- Improved console error reporting
- Fixed resetting toolbars and controls from the safe mode dialog
- Fixed bookmark recovery option from the safe mode dialog
- Fixed innerText getters for display:none elements
- Fixed a GL buffer crash that might occur with certain combinations of drivers and hardware
- Added some more details to about:support
- Fixed a potential crash when the last audio device is removed during playback
- Fixed a crash on about:support when windowless browsers are created
- Updated <select> elements to blank if the actively set value doesn't match any of the options
- Updated the interpretation of 2-digit years in date formats to match other browsers:
- 0-49 = 2000-2049, 50-99 = 1950-1999
- Added "q" units to CSS (quarter of a millimeter)
- Added .origin property to blobs
- Fixed several minor layout issues
- Fixed disabled HTML elements not producing the proper JS events
- Implemented web content handler blacklist according to the spec, allowing more than feeds to be registered
- Fixed a spec compliance issue with execCommand() on HTML elements
- Fixed a problem with table borders being drawn uneven or being omitted when zooming the page
- Added devtools "filter URLs" option in the network panel
- Added visual sorting options to the Network inspector
- Added importing of login data from Chrome profiles on Windows (Chrome has to be closed first)
- Added importing of tags from bookmark export files (HTML format)
- Updated usage of SourceMap headers with the updated spec (SourceMap header, keeping X-SourceMap as a fallback)
- Fixed several cases of wrongly-used negations in JS modules
- Added the auxclick mouse event
- Added a control to not autoplay video unless it is in view (media.block-play-until-visible)
- Updated the Graphite font library to 1.3.10
- Updated how image and media elements respond to window size changes (responsive design)
- Added parsing and use of rotation meta data in video
- Fixed several crashes in a number of modules
- Fixed performance regression for scaling large vector images (e.g. MSIE Chalkboard test) o/
- Fixed some issues with notification icons
- Fixed some internal errors with live bookmarks
- Updated SQLite to 3.19.3
- Fixed several reported issues with devtools (cli-cookies, cli help, copying cURL, inspecting SVGs, element size calculations, etc.)
- Fixed an issue where a server response was allowed to override add-ons' specified version ranges even for add-ons that have strict compatibility (e.g. themes, language packs)
Please note that MSE+WebM (disabled by default) is not using this new code yet (planned for the next release), and as such there is a temporary set of things to keep in mind if you don't use default settings:
- If you have previously enabled MSE+WebM, this setting will be reset when you update to avoid conflicting settings with the updated MSE code
- We've added an extra setting in Options to disable the updated MSE code (asynchronous use) in case you need to use WebM or are otherwise having issues with the updated code (please let us know in that case)
- Once again, the MSE+WebM and Asynchronous MSE use are currently mutually exclusive. You can have one or the other, not both, until we sort out the code for WebM. To enable MSE+WebM you will first have to disable Asynchronous MSE in settings (otherwise the WebM setting will be greyed out and disabled)
Security fixes:
- Removed preloading of HPKP hosts and enabled HPKP header enforcement
- Added support for TLS 1.3, the up-next secure connection protocol
- Fixed an issue with TLS 1.3 not supporting renegotiation by design
- Relaxed some restrictions for CSP to temporarily work around web compatibility issues with the CSP-3 deprecated `child-src` directive
- Updated NSS to 3.28.5.1-PM to address some security issues
- Updated the installer selfextractor module to address unsafe loading of libraries
- Changed the way certain resources are included to reduce effectiveness of some common fingerprinting techniques. (e.g. browserleaks.org)
- Fixed a regression in the display of security information in the page info dialog for insecure content
- Fixed two potential issues with allocating memory for video. DiD
- Fixed a potential issue with the network prediction algorithm. DiD
- Restricted the use of Aspirational scripts in IDNs to prevent domain spoofing, in anticipation of the UAX#31 update making this official
- Prevented a Mac font specific issue that could be abused for domain spoofing (CVE-2017-7763)
- Fixed several potentially exploitable crashes. (CVE-2017-7751) (CVE-2017-7757) and some that do not have a CVE designation
Updated: 2017-04-28
Update details:
What's new in this version:
Changes/fixes:
- Fixed up, checked and enabled vertical text writing modes
- Pale Moon will now be able to display vertical, right-to-left script
- Added the option to reset non-default profiles
- Fixed various issues in the WebP image decoder
- Added internally-supported document types to allowed <embed> types
- Fixed locale selection in ICU after update to ICU58
- (Note: Pale Moon uses the system locale for date formatting, not the browser locale)
- Re-implemented the previous spellchecker dictionary logic (allow user override of document/element language, improve logic and make it unambiguous)
- Ongoing fixes for the MP4 parser and MSE
- Made HTML Media Elements' preload attribute MSE-spec compliant
- The preload attribute on HTML media elements is now ignored in the case of an MSE source. This prevents an issue with sourceopen not firing when preload="none"
- Fixed some issues with Windows WMF media playback
- Fixed an issue with Synced preferences sometimes overwriting stored individual preferences
- Fixed display of RSS folder icons
- Fixed issues with custom context menus
- Fixed an issue importing bookmarks with separators losing their extra data
- Changed the way numeric addresses are handled in the address bar so it doesn't perform a search when it shouldn't
- Added an option (browser.sessionstore.cache_behavior) to control from which source restored tabs pull their page content:
0 = load restored tab data from cache (current behavior, default)
1 = refresh restored tab data from the network
2 = refresh stored tab data from the network and bypass any cached data
- Improved upon a v27 performance regression with SVG scaling
- Improved performance by being more selective which CSS animations to process
- As a side-effect, elements changing their display from "none" to something visible now also animate
- Increased memory allocation for the use of very large PAC files
- Added menu entries for the permissions manager and improvements to its function and display
- Added preferences to control "highlight all" behavior of the find bar:
accessibility.typeaheadfind.highlightallbydefault = true/false highlight all found words by default
accessibility.typeaheadfind.highlightallremember = true/false remember the last-used state of Highlight All
- Added devtools command-line options
- Added remote IP and protocol to Devtools->Network entry details
- Added support for <details> and <summary> HTML tags
- Fixed a regression in the MSIE profile migrator
- Removed migration of browser-specific settings when migrating data from IE/Safari
- Implemented optional parameters for permessage-deflate in preparation for RFC7692 errata making acceptance of them mandatory (and to prevent web compat issues due to the current conflicting text of it)
- Made the image document favicon skinnable
- Aligned DOM selection addRange with the spec
- Exposed mozAnon constructor js binding to system scopes for XHR
- Enhanced form data handling from JavaScript
Security/privacy changes:
- Updated NSS to 3.28.4-RTM to address a number of issues
- Added support for RSA-AES(-GCM)-SHA256/384 suites to broaden compatibility
- Reconfigured networking security: disabled static DHE suites by default, enabled all RSA-AES(-GCM)-SHA256/384 suites in their stead
- Fixed referrer policy keyword to align with the current spec ("cross-origin" vs "crossorigin")
- Added an option to display punycode domain for IDN websites to combat phishing
This is enabled by default for domain-validated https sites
Preference: browser.identity.display_punycode
0 = Display IDN name in identity panel (previous behavior)
1 = Display punycode name for DV SSL domains (default)
2 = Also display punycode for HTTP sites if IDN name used
- Fixed an issue to prevent contacting remote servers when a connection might get blocked.
- Fixed 3 public security flaws in libevent, which may affect Mozilla-based products. DiD
- Fixed several memory- and thread-safety hazards.
- Fixed an address bar spoofing issue. (CVE-2017-5451)
- Fixed a potentially exploitable crash with HTTP/2. (CVE-2017-5446)
- Fixed several security hazards in XSLT processing. (CVE-2017-5438) (CVE-2017-5439) (CVE-2017-5440)
- Fixed several security hazards in old protocols. (CVE-2017-5444) (CVE-2017-5445)
- Fixed out-of-bounds access in text formatting. (CVE-2017-5447)
- Fixed a potentially exploitable issue with innerText. (CVE-2017-5442)
- Fixed a potentially exploitable issue in graphite font shaping
- Fixed a potentially exploitable crash with credential-authentication
- Fixed out-of-bounds access with text selection in rare cases
- Fixed a security hazard in the ANGLE library
Updated: 2017-03-24
Update details:
What's new in this version:
Changes/fixes:
- Fixed an issue with planar alpha handling (transparency) when drawing JXR images
- Fixed a crash related to a change in JavaScript array handling introduced in 27.2.0
- This became apparent with the pentadactyl extension, but could happen in other situations as well
- Fixed a crash when opening ridiculously large images with HQ scaling enabled (default)
- Pale Moon will now only apply HQ scaling for images within reasonable limits (64 Mpix or smaller). Images larger than that may not display properly when zooming in, or may not display at all, even scaled down (e.g. >256 Mpix large) and show a "broken image" placeholder instead; please use dedicated image viewer applications for those kinds of images; it is outside the scope of a web browser to handle such large images
- Changed the way URL hashes are handled, and will no longer %-decode anchor hash identifiers by default
- Note that this is against RFC 3986, which states that any part of the URL scheme that isn't data should be decoded
- This is required for web compatibility because several sites use hash links to pass actual data to web applications (Please don't do this! Hashes are part of the URL address, should only consist of "safe" characters, and aren't suited to pass arbitrary data) and the most common browsers no longer follow the RFC in that respect
- If you want RFC compliance, switch dom.url.getters_decode_hash to true
- Restored 2 RSA Camellia cipher suites that were missing: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- Fixed an issue with custom toolbars getting deleted during upgrade from 27.0/27.1 to 27.2