diff options
Diffstat (limited to 'newmoon/debian/changelog')
| -rw-r--r-- | newmoon/debian/changelog | 350 |
1 files changed, 310 insertions, 40 deletions
diff --git a/newmoon/debian/changelog b/newmoon/debian/changelog index 186727b..875e2e4 100644 --- a/newmoon/debian/changelog +++ b/newmoon/debian/changelog @@ -1,39 +1,309 @@ +newmoon (33.0.0-1+stackrpms) obs; urgency=medium + + * remove obsolete ffmpeg.git-effadce6c756247ea8bae32dc13bb3e6f464f0eb.patch + * remove obsolete fix-armhf-FTBFS.patch + * Upstream updates + * Implemented a restricted version of the asynchronous clipboard API + (navigator.clipboard). This API is restricted to writing only for + obvious security considerations. It supports both plaintext and the + standard DataTransfer methods. We did not implement the reinvented + wheel concept of ClipboardItem objects. + * Implemented support for SHA-2 (SHA-256/SHA-512/etc.) signatures for + OCSP stapled responses. + * Implemented an option (Found in Preferences -> Content -> Media tab + (new this version)) to restrict DOM full-screen mode to the existing + browser window. + * Implemented several options in a new preferences tab (Preference -> + Privacy -> Tracking) to allow users to more easily control several + privacy-impacting features, namely poisoning of canvas data (to prevent + fingerprinting), and enabling of Performance observers (a developer + feature) that some websites rely on for their operation. + * Implemented PromiseRejectionEvent. Although this is rarely actually + used, some common JS libraries (you know who you are!) use it as a + feature level canary and start loading (broken!) Promise shims if it is + not found, causing compatibility issues and broken websites due to the + shims. + * Fixes: + * Aligned microtasks and Promises scheduling with the current spec and + expected behavior. + * We now no longer send click events to top levels of the document + hierarchy when using non-primary buttons (use auxclick, instead, to + capture these events). + * Greatly improved the performance of box shadows. + * Greatly improved the performance of file/data uploads over HTTP/2 + (most of the secure websites out there). + * Fixed several issues related to focus and content selection. + * Fixed issues with the use of focus-within caused by unexpected + processing of DOM events. + * Fixed an issue with CSP not behaving as-expected when using + importScripts(), and fixed a number of additional CSP-related issues. + * Fixed a web compatibility issue with CORS preflights not sending the + original request's referrer policy or referrer header. + * Fixed a spec compliance issue with StructuredClone. + * Fixed a crash due to clamping code introduced for SetInterval and + SetTimeout timers. + * Fixed crashes when dynamic imports are canceled (e.g. by navigation). + * Other changes: + * Changed <input type=file> to now have its .files property be writable + following a spec change and recommendation. + * We are now requiring and building against the C++17 language standard. + * Updated the in-tree ffvpx lib to 6.0. + * Added a preference to allow users to completely disable reporting of + CSP errors to webmasters. Using this is strongly discouraged as it will + provide essential troubleshooting information to webmasters setting up + CSP, and does not pose a privacy issue, but for those who really want + it, it can now be fully disabled. The preference is + security.csp.reporting.enabled. + * Updated the IntersectionObserver interface to now also accept + documents for the observer root instead of only HTML elements. + * Cleaned up various bits of code surrounding GMP, memory allocation, + system libraries, vestigial Android code, freetype2 and developer tools. + * Improved efficiency of handling D3D textures. + * Added initial and experimental Mac PowerPC and Big Endian support. + * Changed the behavior of hung scripts. We now automatically terminate + them instead of presenting the user with a dialog box (which may or may + not show in a reasonable time if the browser is too busy trying to + process the hung script). If you prefer the old behavior, uncheck the + box "Automatically stop non-responsive scripts" in Preferences -> + Content -> General + * Security issues addressed: CVE-2024-0746, CVE-2024-0741, + CVE-2024-0743 DiD, CVE-2024-0750 DiD, and CVE-2024-0753. + * UXP Mozilla security patch summary: 3 fixed, 2 DiD, 12 not applicable. + + -- B. Stack <bgstack15@gmail.com> Thu, 08 Feb 2024 22:46:46 -0500 + +newmoon (32.5.2-1+stackrpms) obs; urgency=medium + + * Bugfix and security update: + - Removed the standard Twitter/X user-agent override because they decided + to block us on it. + - Added preferences for the user to control whether or not the tab page + title should be included in the window title or not. In Private Browsing + mode, the default is now to not show the title in the window. This was + done to avoid potential leakage to system logs (e.g. GNOME shell logs or + Windows event logs) of websites visited through the recorded window + title. The new preferences are privacy.exposeContentTitleInWindow and + privacy.exposeContentTitleInWindow.pbm for normal mode and Private + Browsing mode, respectively. + - Fixed several crashes in DOM and relating to dynamic JavaScript + module imports. + - Removed a restriction on Fetch preflight redirects, following a spec + update. + - Improved the handling of web workers if they get aborted mid-action. + - Security issues addressed: CVE-2023-6863, CVE-2023-6858 and several + others that do not have a CVE number. + + -- B. Stack <bgstack15@gmail.com> Fri, 26 Jan 2024 19:50:47 -0500 + +newmoon (32.1.0-1+stackrpms) obs; urgency=low + + * Shadow DOM and CustomElements, collectively making up WebComponents, + have been enabled by default which should bring much broader web + compatibility to the browser for many a site that uses web 2.0+ + frameworks. See implementation notes. + * Tab titles in the browser now fade if they are too long instead of + using ellipses, to provide a little more readable space to page titles. + Note that this may require some updates to tab extensions or themes. + * A number of site-specific overrides have been updated or removed + because they are no longer necessary or current with the platform + developments in terms of web compatibility. We could use your help + evaluating the ones that are still there; see the issue on our repo. + * Updated our promises and async function implementation to the current + spec. + * Implemented Promise.any() + * Fixed several crashes related to regular expression code. + * Improved regular expression object handling so it can be properly + garbage collected. + * Fixed some VP8 video playback. + * Fixed an issue where the caret (text cursor) would sometimes not be + properly visible. + * Updated the embedded emoji font. + * Implemented the :is() and :where() CSS pseudo-classes. + * Implemented complex selectors for the :not() CSS pseudo-class. + * Implemented the inset CSS shorthand property. + * Implemented the env() environment variable CSS function. See + implementation notes. + * Implemented handling for RGB encoded video playback (instead of just + YUV). + * Implemented handling for full-range videos (0-255 luminance levels) + giving better video playback quality. + * Removed the WebP image decoder pref. See implementation notes. + * Enabled the Web text-to-speech API by default (only supported on some + operating systems). + * Updated NSPR to 4.35 and NSS to 3.79.4 + * Cleaned up unused "tracking protection" plumbing. See implementation + notes. + * Cleaned up URI Classifier plumbing (Google SafeBrowsing leftover). + * Fixed several intermittent and difficult-to-trace crashes. + * Improved content type security of jar: channels. DiD + * Improved JavaScript JIT code generation safety. DiD + * Fixed potential crash scenarios in the graphics subsystem. DiD + * Improved filename safety when saving files to prevent potential + environment leaks. + * Security issues addressed: CVE-2023-25751, CVE-2023-28163 and several + others that do not have a CVE. + * UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not applicable. + + -- B. Stack <bgstack15@gmail.com> Thu, 23 Mar 2023 13:53:33 -0400 + +newmoon (32.0.1-1+stackrpms) obs; urgency=low + + * Upstream updates + * Fixed a crash in the new regular expression code. + * Added {Extended_Pictographic} unicode property escape to regular + expressions. + * Fixed a regression in regular expressions for literal parsing of + invalid ranges. + * Updated NSS to pick up fixes. + * Security issues addressed: CVE-2023-25733 DiD, CVE-2023-25739 DiD and + CVE-2023-0767. + * UXP Mozilla security patch summary: 1 fixed, 2 DiD, 14 not applicable. + + -- B. Stack <bgstack15@gmail.com> Tue, 21 Feb 2023 20:34:55 -0500 + +newmoon (32.0.0-1+stackrpms) obs; urgency=low + + * New milestone release: + - Implemented Regular Expression named capture groups. + - Implemented Regular Expression unicode property escapes. + - Re-implemented Regular Expression lookaround/lookbehind (without + crashing this time ;) ). + - Implemented progressive decoding for JPEG-XL. + - Implemented animation for JPEG-XL. + - Renamed CSS offset-* properties to inset-* to align with the latest spec + and the web. + - Fixed CSS inheritance and padding issues in some cases. + - Aligned parsing of incorrectly duplicated HSTS headers with expected + behavior (discard all but the first one). + - Implemented a method to avoid memory exhaustion in case of (very) large + resolution animated images. + - Updated the JPEG-XL and Highway libraries to a recent, stable version. + - Cleaned up some unused CSS prefixing code. + - Improved the ability to link on *nix operating systems with other linkers + than gcc's default. + - Stability improvements (potential crash fixes). + - Security issues addressed: CVE-2023-23598, CVE-2023-23599 and several + others that do not have a CVE number. + - UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not applicable. + + -- B. Stack <bgstack15@gmail.com> Thu, 16 Feb 2023 19:40:20 -0500 + +newmoon (31.4.0-1) obs; urgency=medium + + * Upstream updates + * Added support for the JPEG-XL image format. + * Implemented regular expressions lookaround/lookbehind. + * Aligned CORS header parsing with the updated spec. See implementation + notes. + * We no longer fire keypress events for non-printable keys. See + implementation notes. + * Added support for MacOS 13 "Ventura" in the platform, primarily + benefitting White Star. + * Fixed potentially problematic thread locking code on *nix platforms. + * Fixed some small issues in the display and operation of the Web + Developer tools. + * Removed unused but performance-impacting panning and tab animation + measuring code. (telemetry leftovers) + * Improved code for SunOS builds. + * Updated Internationalization data for time zones. + * Fixed a buffer overflow for Mac builds. + * Security issues addressed: CVE-2022-45411 and potential issues + without a CVE number. + * UXP Mozilla security patch summary: 2 fixed, 1 DiD, 1 deferred, 25 + not applicable. + + -- B. Stack <bgstack15@gmail.com> Tue, 22 Nov 2022 10:03:10 -0500 + +newmoon (31.3.1-1) obs; urgency=medium + + * Upstream updates + * Added detection suport for the newly-released MacOS 13 (Ventura). + * Fixed a potential heap Use-After-Free risk in Expat. (CVE-2022-40674) + DiD + * Fixed potentially undefined behavior in our thread locking code. DiD + * Fixed a potentially exploitable crash in the refresh driver. + * Fixed potentially undefined behavior when base-64 decoding. DiD + * Implemented a texture size cap for WebGL to prevent potential issues + with some graphics drivers. DiD + * Updated site-specific overrides to address issues with ZoHo. + * UXP Mozilla security patch summary: 1 fixed, 2 DiD, 6 not applicable. + + -- B. Stack <bgstack15@gmail.com> Tue, 01 Nov 2022 14:09:10 -0400 + +newmoon (31.3.0-1) UNRELEASED; urgency=low + + * Upstream updates + * Implemented .at(index) JavaScript method on built-in indexables + (Array, String, TypedArray). + * Implemented the use of EventSource in workers. + * Enabled the sending of the Origin: header by default on same-origin + requests. + * Changed how Pale Moon is built. We are now using Visual Studio 2022 + on Windows, and have made build system changes to reduce build times + and pressure on the linker on all platforms. + * Changed how Pale Moon handles standalone wave audio files (.wav). See + implementation notes. + * Improved string normalization. + * Updated the handling of CSS "supports" to now accept unparenthesized + strings (spec update). + * Updated the handling of flex containers in web pages for web + compatibility. + * Fixed various issues when building for Mac OS X. + * Fixed various C++ standard conformance issues in the source code. + * Fixed several issues building on SunOS and Linux with various + configurations and gcc versions. + * Fixed an issue with regular expressions' dotAll syntax and usage. See + implementation notes. + * Switched custom hash map to std::unordered_map where prudent. + * Cleaned up and updated IPC thread locking code. + * Removed spacing for accessibility focus rings in form controls to + align styling of them with expected metrics. + * Removed the unnecessary control module for building with non-standard + configurations of the platform. + * Removed the -moz prefix from min-content and max-content CSS keywords + where it was still in use. + * Security fixes: CVE-2022-40956 and CVE-2022-40958. + * UXP Mozilla security patch summary: 2 fixed, 11 not applicable. + + + -- B. Stack <bgstack15@gmail.com> Tue, 01 Nov 2022 14:09:09 -0400 + newmoon (31.2.0-1) obs; urgency=medium * Changes/fixes: * Implemented CSS white-space: break-spaces for web compatibility. * Implemented Intl.RelativeTimeFormat for web compatibility. - * Implemented "Origin header CSRF mitigation". This is still disabled + * Implemented "Origin header CSRF mitigation". This is still disabled by default to investigate potential issues with CloudFlare-backed sites. * Implemented support for async generator methods in JavaScript. - * Added preliminary support for building on Apple Silicon like M1/M2 + * Added preliminary support for building on Apple Silicon like M1/M2 SoC. * Added support for building with Visual Studio 2022. * Improved the handling of CSS "sticky" elements in tables. * Improved stack size limits on all platforms. See implementation notes. - * Updated function.toString handling to align with the updated + * Updated function.toString handling to align with the updated JavaScript spec. This should improve web compatibility. - * Updated Unicode support to Unicode v11, and updated the ICU library + * Updated Unicode support to Unicode v11, and updated the ICU library accordingly. Building without ICU is no longer supported. - * Updated many in-tree third-party libraries to pick up various + * Updated many in-tree third-party libraries to pick up various performance and stability improvements. - * Updated site-specific user-agent overrides to work around issues with + * Updated site-specific user-agent overrides to work around issues with Google fonts, Citi bank (again!) and MeWe. - * Removed some leftover (and unused) telemetry code in the platform and + * Removed some leftover (and unused) telemetry code in the platform and front-end. * Fixed an issue with VP9 video playback on Windows on some systems. - * Fixed an issue with the add-ons manager not properly handling empty + * Fixed an issue with the add-ons manager not properly handling empty update URLs. - * Fixed a major performance regression on *nix based systems due to + * Fixed a major performance regression on *nix based systems due to incorrect thread handling. * Fixed volume handling when building with the sndio audio back-end. - * Pale Moon no longer applies content security policies to documents - that are explicitly loaded as data documents or to images. See + * Pale Moon no longer applies content security policies to documents + that are explicitly loaded as data documents or to images. See implementation notes. - * Cleaned up some unnecessary code from the source tree for unused - build back-ends, Firefox marketplace "apps", and the rather ridiculous + * Cleaned up some unnecessary code from the source tree for unused + build back-ends, Firefox marketplace "apps", and the rather ridiculous moz://a protocol handler. - * Updated NSS to 3.52.8 to pick up several defense-in-depth security + * Updated NSS to 3.52.8 to pick up several defense-in-depth security fixes. * UXP Mozilla security patch summary: 3 DiD, 12 not applicable. @@ -42,18 +312,18 @@ newmoon (31.2.0-1) obs; urgency=medium newmoon (31.1.1-1) obs; urgency=medium * Changes/fixes: - * Updated the list of blocked external protocol handlers to combat + * Updated the list of blocked external protocol handlers to combat abuse of OS-supplied services on Windows. - * Fixed a potential issue with revoked site certificates when + * Fixed a potential issue with revoked site certificates when connecting through a proxy. * Updated NSS to 3.52.7 to pick up some security fixes. - * Updated site-specific user agent overrides to work around bad + * Updated site-specific user agent overrides to work around bad sniffing practices of dropbox and vimeo. - * Security issues addressed: CVE-2022-34478, CVE-2022-34476, - CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473 - DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE + * Security issues addressed: CVE-2022-34478, CVE-2022-34476, + CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473 + DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE number. - * UXP Mozilla security patch summary: 4 fixed, 4 DiD, 2 rejected, 11 + * UXP Mozilla security patch summary: 4 fixed, 4 DiD, 2 rejected, 11 not applicable. -- B. Stack <bgstack15@gmail.com> Mon, 11 Jul 2022 11:34:11 -0400 @@ -61,41 +331,41 @@ newmoon (31.1.1-1) obs; urgency=medium newmoon (31.1.0-1) UNRELEASED; urgency=medium * Changes/fixes: - * Added Mojeek as an additional search engine in the browser. See + * Added Mojeek as an additional search engine in the browser. See implementation notes. - * Implemented "nullish coalescing operator" (thanks, FranklinDM!) for + * Implemented "nullish coalescing operator" (thanks, FranklinDM!) for web compatibility. * Fixed various crash scenarios in XPCOM. - * Fixed an important stability and performance issue related to + * Fixed an important stability and performance issue related to hardware acceleration. - * Fixed a long-standing issue where overly-long address bar tooltips - wouldn't break into multiple lines but instead cut off on the right + * Fixed a long-standing issue where overly-long address bar tooltips + wouldn't break into multiple lines but instead cut off on the right side. - * Fixed a long-standing issue where dynamic datalist updates for + * Fixed a long-standing issue where dynamic datalist updates for <select> and similar elements wouldn't properly update the option list. * Disabled broken links to MDN articles in developer tools. - * Updated media support to include support for libavcodec 59/FFmpeg 5.0 + * Updated media support to include support for libavcodec 59/FFmpeg 5.0 for MP4 playback on Linux (thanks, Travis!) - * Enabled the date picker for <input type=date>. See implementation + * Enabled the date picker for <input type=date>. See implementation notes. * Re-enabled the use of FIPS mode for NSS. See implementation notes. - * Improved memory handling and memory safety in the JavaScript engine, + * Improved memory handling and memory safety in the JavaScript engine, further reducing current and future crash scenarios. * Improved memory handling in the graphics subsystem of Goanna. * Updated FFvpx to v4.2.7 - * Slightly reduced strictness of media checking for improved - compatibility with questionable "gif" video encoders used on major + * Slightly reduced strictness of media checking for improved + compatibility with questionable "gif" video encoders used on major websites. - * Cleaned up the way file pickers (file open/save/save as dialogs) are + * Cleaned up the way file pickers (file open/save/save as dialogs) are handled on Windows. - * Restored the gMultiProcessBrowser property of the browser for Firefox + * Restored the gMultiProcessBrowser property of the browser for Firefox extension compatibility. See implementation notes. - * Improved the way data is transferred to and from canvases to prevent + * Improved the way data is transferred to and from canvases to prevent memory safety issues. * Updated NSS to 3.52.6 to address security issues. - * Reduced blocking severity for some extensions that were marked hard + * Reduced blocking severity for some extensions that were marked hard blockers for GRE (but aren't for UXP). - * Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other + * Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other security issues that do not have a CVE number. * UXP Mozilla security patch summary: 2 fixed, 1 DiD, 26 not applicable. @@ -162,13 +432,13 @@ newmoon (29.4.4-1+devuan) obs; urgency=medium * Fixed an issue in JavaScript serialization. DiD * Fixed a potential out-of-bounds issue in IndexedDB. DiD * Fixed a potential issue in widget data handling code. DiD - * Fixed potentially exploitable crashes in handling truncated/corrupt + * Fixed potentially exploitable crashes in handling truncated/corrupt media files or streams. * Fixed an issue in the DOM FileReader code. * Updated NSS to 3.52.3 to address a security issue. - * Fixed the following security issues: CVE-2022-22736, CVE-2022-22741, + * Fixed the following security issues: CVE-2022-22736, CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and CVE-2022-22747. - * Unified XUL Platform Mozilla Security Patch Summary: 8 fixed, 4 DiD, + * Unified XUL Platform Mozilla Security Patch Summary: 8 fixed, 4 DiD, 17 not applicable. -- B. Stack <bgstack15@gmail.com> Thu, 20 Jan 2022 14:02:40 -0500 |