This is a security and bugfix update. Changes/fixes:
- Improved handling of FTP resource loading (allow save-as and cater to some FTP-based browsing). Added a preference (security.block_ftp_subresources) to allow users to completely bypass the blocking of FTP subresources if required for their environment, if the improvements made in this release do not suffice.
- Added blocking of authentication-locked cross-origin image subresources by default to prevent spurious auth prompts. A preference (network.auth.subresource-http-img-XO-auth) was added to allow users to bypass this blocking if required for their environment.
- Changed the behavior of file: URIs to treat each URI as a unique origin. This prevents cross-file access from scripting. A preference (security.fileuri.unique_origin) was added to allow users to relax this restriction if required for their environment.
- Implemented a revised version of http2PushedStream to address some thread safety issues.
- Aligned browser behavior with mainstream regarding inner window behavior when the domain is manipulated.
- Backed out a 28.5.* patch for causing multiple issues in the UI and web content.
- Updated NSS to 3.41.2 (custom) to pick up several upstream fixes.
- Fixed a type confusion issue in JavaScript Arrays. (DiD)
- Added a fix for cross-thread access of Necko. (DiD)
- Added a port safety check for Alternative Services.
- Implemented fixes for applicable security issues: CVE-2019-11719, CVE-2019-11711, CVE-2019-11715, CVE-2019-11717, CVE-2019-11714 (DiD), CVE-2019-11729 (DiD), CVE-2019-11727 (DiD), CVE-2019-11730 (DiD), CVE-2019-11713 (DiD) and several networking and memory-safety hazards that do not have CVE numbers.
DiD: This means that the fix is "Defense-in-Depth": it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
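The three preferences above each let a user relax a new secure default. The script below is an added example (not part of the release notes or the Pale Moon code base) that parses a prefs.js/user.js file and reports which of those preferences a profile has set to a non-secure value. The boolean polarity assumed for each preference is an assumption inferred from the notes, and the sample user.js is constructed.

```python
import re

# Assumed secure value per preference (the notes only say each pref
# exists so a user can bypass/relax the new default; polarity is assumed).
SECURE_PREFS = {
    "security.block_ftp_subresources": True,             # keep FTP subresources blocked
    "network.auth.subresource-http-img-XO-auth": False,  # no auth for cross-origin images
    "security.fileuri.unique_origin": True,              # each file: URI is its own origin
}

# Matches: user_pref("name", value);  where value is a bool, int or quoted string
_PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);\s*$'
)


def parse_prefs(text):
    """Parse prefs.js/user.js text into {name: value}; skips comments and odd lines."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//") or stripped.startswith("/*"):
            continue
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def weakened_prefs(text, policy=SECURE_PREFS):
    """Return {name: value} for policy prefs that the profile set to a non-secure value."""
    prefs = parse_prefs(text)
    return {n: prefs[n] for n, secure in policy.items() if n in prefs and prefs[n] != secure}


# Constructed sample: two of the three prefs relaxed, one left at its secure value.
SAMPLE_USER_JS = """\
// constructed sample user.js
user_pref("security.block_ftp_subresources", false);
user_pref("network.auth.subresource-http-img-XO-auth", true);
user_pref("security.fileuri.unique_origin", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for name, value in weakened_prefs(SAMPLE_USER_JS).items():
        print(f"relaxed: {name} = {value}")
```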
Carson Morris
Fuck off you fucking furry and yiff yourself to death.
Who is the user that's still shilling this browser? Less than 0.01% use it, it has one of the worst histories of security flaws in a browser, and the 2 or 3 developers behind it seem totally incompetent to work with others, handle criticism or handle those shameful security flaws.
I want to use Pale Moon, but the devs are bitches with an ego the size of Texas. Seriously, fuck them.
Luis Lewis
Firefox is also shit; it is the most doomed thing to make a fork of it and expect to have a secure browser. Also, if you are used by the 0.01% you get 0.01% of the reports, plus literally no serious security researchers are seriously using you, so fewer serious security reports. They don't have any motivation to do it, since they can perfectly earn a living banging on Firefox and Chrome.
used to do this, but there's nothing i use that doesn't work in palemoon anymore
Jeremiah Murphy
for a minute there i was thinking "didn't this come out a while ago?" not to be confused with 26.6.0.1, which i put off compiling because it doesn't change anything relevant to me
Evan Long
>WebRTC. Apart from opening up a whole can of worms security privacy-wise, "Web Real Time Chat" (comparable with Skype video calls and the likes) is not considered useful or desired functionality for Pale Moon (both according to the developers and the users of the browser at large). This is best left to dedicated programs or at most a browser plug-in.
I disagree with this philosophy. WebRTC is best suited in the browser since the underlying network technologies already exist. WebRTC also is crucial to the current and future functioning of the decentralized, as it allows clients to connect directly to each other. Pale Moon seems to be increasingly clinging onto the past and not looking beyond their "UXP" platform.
Did he ever fix the fact that tab restore doesn't work the majority of the time?
Zachary Smith
>the devs are furries
Where does this meme originate, and is there any truth to it? Also looking for evidence of devs being malevolent.
Andrew Peterson
Can't speak for the normal behaviour, but Session Manager is an addon I can't go without, and it's right up there with TreeStyleTabs as a reason to use a XUL-based browser. Never have I lost any notable part of my session since getting this addon, and I've had it for many years. It takes session snapshots periodically, so no matter what, you at least have a recent snapshot to restore. Absolutely critical if you keep a ton of tabs open.
>WebRTC and VPN's
This is not the intended purpose or level of threat (governmental). Do you run Tor through a VPN? Further, your IP address is the hardest point of entropy to spoof or deny access to; only GNUnet has a working implementation. The local IP address leak is old news; there are multiple solutions for it that allow WebRTC to still work. uBlock Origin has one such feature. By disabling WebRTC completely you are standing out from the crowd to fingerprinters.
It was between April and June this year, not 2 years; go back and re-read your link before you write nonsense.
William Ramirez
Is it still bundled with malware?
Jordan Gray
It was never bundled with malware; that security breach was about an archive server with very old Windows releases which almost nobody uses. The regular installers were and always have been safe and clean.
Grayson Adams
It is malware, never mind being bundled with it.
Gavin Taylor
>security through obscurity works I swear
>just because we don't have security researchers looking into our browser doesn't mean 2 devs alone can't outperform hundreds
Dominic Evans
You're confusing Pale Moon with Waterfox; the former has far more than two devs.
>ESR 52 with sandboxing patched out
You glow in the dark.
Camden Powell
Fun fact: it had TLS 1.3 support and WebP support before Firefox had it.
Hunter Sullivan
>we may have had one of the largest and most easily avoidable security breaches ever, completely outing us as incompetent
>but like, just trust us it wasn't a big deal
Jayden Evans
>Pale Moon "owner"
>Windows Codebase "Engineer" and Server Administrator (!)
>Literally, the Windows server he uses to compile/distribute archived versions is compromised to the point that attackers can replace complete builds with infected ones and go unnoticed for two years, despite many -ignored- reports that Pale Moon was distributing engaged binaries.
FUCKING KEEEEEEKKKK