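Pale Moon Version History
Pale Moon is an open-source, Goanna-based web browser available for Microsoft Windows and Linux (with other operating systems in development), focusing on efficiency and ease of use. Make sure to get the most out of your browser! Pale Moon offers you a browsing experience in a browser completely built from its own, independently developed source, derived from Firefox/Mozilla code, with carefully selected features and optimizations that improve the browser's speed, resource use, stability and user experience, ...
Updated: 2015-11-17
Update details: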
What's new in this version:
Fixes/changes:
- Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded videos
- Updated the JPEG decoder library to 1.4.0
- Fixed and cleaned up XPCOM timer thread code to avoid intermittent issues with events not firing (especially after stand-by)
- Updated overrides to work around issues with Facebook and Netflix
- Fixed an issue where too-old system-supplied NSPR and/or NSS libraries would be accepted for use
Security fixes:
- Updated the libpng library to 1.5.24 to address critical security issues CVE-2015-7981 and CVE-2015-8126
- Updated the NSPR library to 4.10.10 to address several security issues
- Updated the NSS library to 3.19.4 to address several security issues
- Fixed a memory safety hazard in SVG path code (CVE-2015-7199)
- Fixed an issue with IP address parsing potentially allowing an attacker to bypass the Same Origin Policy (CVE-2015-7188)
- Fixed an Add-on SDK (Jetpack) issue that would allow scripts to be executed despite being forbidden (CVE-2015-7187)
- Fixed a crash due to a buffer underflow in libjar (CVE-2015-7194)
- Fixed an issue for Android full screen that would potentially allow address spoofing (CVE-2015-7185)
- Added size checks in canvas manipulations to avoid potential image encoding vulnerabilities like CVE-2015-7189. DiD
- Fixed potential information disclosure vulnerabilities through the NTLM authentication mechanism. Insecure NTLM v1 is now disabled by default, and the workstation name is set to WORKSTATION by default (configurable with a preference for environments where identification of workstations is done by actual reported machine name). This avoids issues like CVE-2015-4515
- Fixed a potentially vulnerable crash from a spinning event loop during resize painting. DiD
- Fixed several JavaScript-based memory safety hazards. DiD
DiD: This means that the fix is "Defense-in-Depth": it is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
Updated: 2015-10-14
Update details:
Updated: 2015-10-02
Update details:
What's new in this version:
- Fixed a critical hang caused by recursive reloads that might happen in iframes if their hash changed
- Fixed a critical hang caused by lazy-loading of stylesheets through a specific web programming technique as advocated by Google's PageSpeed
Updated: 2015-09-28
Update details:
What's new in this version:
This is a security, stability and web-compatibility update. This also marks a security update for the Android version of Pale Moon to keep users of the otherwise currently unmaintained OS updated regarding known security vulnerabilities.
Fixes/changes:
- Code cleanup: Removed the majority of remaining telemetry code (including the data reporting back-end and health report) to prevent a few issues with partially removed code in earlier versions.
- Fixed a crash due to handling of bogus URIs passed to CSS style filters (e.g. WhatsApp's web interface).
- Permitted spec-breaking syntax in Regex character classes, allowing ranges that would be permitted per the grammar rules in the spec but not necessarily following the syntax rules. This impacts a good number of (also higher profile) sites that use invalid ranges in regular expressions (e.g. Cisco's networking academy site, Yahoo Fantasy Football).
- Fixed a crash due to the newly introduced WASAPI handling of audio channel mapping that doesn't like actual surround hardware setups (e.g. playing a video with quadraphonic audio on a 4-speaker setup).
- Fixed an issue where site-specific dictionary selections would be written to content preferences without the user's action, potentially overwriting or clearing a previously-chosen dictionary.
- Added support for drag and drop of local files from sources which use text/uri-lists. (Some Linux flavors/file managers)
- Updated libnestegg to the most current version.
- Fixed an issue where setting the location to an empty string could cause a reload loop.
Security fixes:
- Changed the jemalloc poison address to something that is not a NOP-slide. DiD
- Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521)
- Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179)
- Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175)
- Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504)
- Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day vulnerability (ZDI-CAN-3176) (CVE-2015-4509)
- Fixed a potentially exploitable crash in nsXBLService::GetBinding
- Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy (CVE-2015-7174)
- Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength (CVE-2015-4522)
- Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers (CVE-2015-4511)
Updated: 2015-08-27
Update details:
What's new in this version:
Fixes/changes:
- Code cleanup: Removed the (otherwise unused) visual event tracer code
- Code cleanup: Removed reflow performance tracing code (telemetry)
- Fixed a key JavaScript bug where defining properties on an object would wipe the object
  - This seems to be a common issue with "modern" libraries that use "define" instead of "change" and expect the other properties on the object to be retained, resulting in "x is undefined" errors all over the place if the object is wiped
  - This aligns the behavior with ES6's "Validate and apply property descriptor" pseudo-function
- Updated the SQLite library to 3.8.11.1
- Added support for the element.matches() Web API function
- Added support for BASE tag parsing in source view. Previously, when viewing the source of a document, clickable links would be incorrect if a base path was specified in the document with this tag
- Fixed an issue with running timers after the computer would have been put to sleep with the browser opened
Security fixes:
- Added protection against potential bugs where our SVG mPositions is out of sync with the characters in the DOM. DiD
- Fixed use-after-free vulnerability in XMLHttpRequest::Open() (CVE-2015-4492)
- Fixed use-after-free vulnerability in the StyleAnimationValue class (CVE-2015-4488)
- Fixed crash or memory corruption in nsTArray (CVE-2015-4489)
- Fixed crash or memory corruption in nsTSubstring::ReplacePrep (CVE-2015-4487)
- Fixed potential escalation of privileges or crash (out-of-bounds write) via a crafted name in MARs (x64 only) (CVE-2015-4482)
- Fixed an issue that would allow man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. (CVE-2015-4483)