Diffstat (limited to 'palemoon/debian/changelog')
-rw-r--r--  palemoon/debian/changelog  155
1 files changed, 97 insertions, 58 deletions
diff --git a/palemoon/debian/changelog b/palemoon/debian/changelog index e79c5e6..035b079 100644 --- a/palemoon/debian/changelog +++ b/palemoon/debian/changelog 
@@ -1,3 +1,42 @@ +palemoon (28.16.0-1+devuan) obs; urgency=low + + * This is a development and security update to the browser. + * Note for Linux users: With CentOS 6 going end-of-life, this + version will be the last for which we will be building 32-bit Linux + official binaries to download. While your distribution may choose to + continue offering 32-bit versions of the browser, built from source + by the maintainers, we won't be offering any further official 32-bit + Linux binaries on our website. Please check with your distribution's + package maintainers to know if further 32-bit support will be + available on your particular flavor of Linux. + - Aligned CSS tab-size with the specification and un-prefixed it. + - Updated Brotli library to 1.0.9. + - Updated JAR lib code. + - Optimized UI code, resulting in smaller downloads and less + space consumed on disk. + - Changed the default Firefox Compatibility version number to + 68.0 (since versions ending in .9 makes some frameworks unhappy, + refusing access to users) + - Cleaned up HPKP leftovers. + - Disabled the DOM filesystem API by default. + - Removed Phone Vibrator API. + - Fixed an issue where the software uninstaller would not remove + the program files it should. + - Fixed a devtools crash related to timeline snapshots. + - Fixed an issue in Skia that could cause unsafe memory access. + [DiD] + - Fixed several data race conditions. [DiD] + - Fixed an XSS vulnerability where scripts could be executed when + pasting data into on-line editors. + - Linux: Fixed an overflow issue in freetype. + - Security issues addressed: CVE-2020-26960, CVE-2020-26951, + CVE-2020-26956, CVE-2020-15999 and several others that do not have a + CVE designation. + - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4 + defense-in-depth, 3 rejected, 20 not applicable. 
+ + -- Ben Stack <bgstack15@gmail.com> Wed, 25 Nov 2020 09:13:05 -0500 + palemoon (28.15.0-1+devuan) obs; urgency=low * This is a standard development and bugfix release. 
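Review bot: the new 28.16.0-1+devuan entry is tagged `urgency=low` even though it records fixed security issues (CVE-2020-26960, CVE-2020-26951, CVE-2020-26956, CVE-2020-15999, an XSS fix and a freetype overflow fix); the 28.13.0-3+devuan entry later in this file uses `urgency=medium` for an update of the same kind, so this one should be raised to at least `urgency=medium` for consistency. Two smaller points in the same hunk: the lone `+ [DiD]` line is a dangling continuation of the Skia item and should be folded onto the preceding line as `- Fixed an issue in Skia that could cause unsafe memory access. [DiD]`, and the long "Note for Linux users" paragraph about upstream's official 32-bit binaries describes upstream's download offerings rather than anything about this source-built package, so it can be dropped or cut to one line pointing at the upstream release notes.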
@@ -58,55 +97,55 @@ palemoon (28.13.0-4+devuan) obs; urgency=low palemoon (28.13.0-3+devuan) obs; urgency=medium - * This is a compatibility, bugfix and security update. Special thanks + * This is a compatibility, bugfix and security update. Special thanks to our new code contributors this cycle (you know who you are)! - - Updated the included site-specific user-agent overrides for a + - Updated the included site-specific user-agent overrides for a number of websites that need them. - - Rewritten the browser's padlock code to use more modern APIs and + - Rewritten the browser's padlock code to use more modern APIs and provide more accurate security status indication. - Now also with localized tooltips! - - Fixed a missing close button on the undo prompt after removing a + - Fixed a missing close button on the undo prompt after removing a thumbnail from the QuickDial new tab page. - - Fixed an issue with the alternative stylesheet menu in the + - Fixed an issue with the alternative stylesheet menu in the browser's UI not working. - - Implemented the use of intrinsic aspect ratios for images to + - Implemented the use of intrinsic aspect ratios for images to improve layout during load and page positioning. - - Added a preference to the use of node.getRootNode and disabled by + - Added a preference to the use of node.getRootNode and disabled by default. See implementation notes. - - Added CSS -webkit-appearance as an alias for -moz-appearance to - improve compatibility with websites that only try to use + - Added CSS -webkit-appearance as an alias for -moz-appearance to + improve compatibility with websites that only try to use Chrome-specific keywords to style standard form elements. - Updated the SQLite library to 3.33.0. 
- - Reinstated precise floating point precision model in JavaScript - for those alternate builders who foolishly try to use the inaccurate + - Reinstated precise floating point precision model in JavaScript + for those alternate builders who foolishly try to use the inaccurate "fast" model. - - Improved spec compliance of modular JavaScript use (ECMAScript + - Improved spec compliance of modular JavaScript use (ECMAScript modules). - - Changed media errors to be a more generic response, and added a - preference (media.sourceErrorDetails.enabled) to enable detailed error + - Changed media errors to be a more generic response, and added a + preference (media.sourceErrorDetails.enabled) to enable detailed error reporting of media errors for debugging purposes. - - Previously, detailed errors were provided by default which could + - Previously, detailed errors were provided by default which could lead to privacy issues. - Improved code stability of the AbortController implementation. - Fixed a race condition in the secure connection library (NSS). - - Security issues fixed: CVE-2020-15664, CVE-2020-15666, + - Security issues fixed: CVE-2020-15664, CVE-2020-15666, CVE-2020-15667, CVE-2020-15668 and CVE-2020-15669. - - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1 + - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1 defense-in-depth, 1 rejected, 9 not applicable. * Implementation notes - - In 28.11.0 we introduced node.getRootNode because some websites - would fail with an error if this function was not present. - Unfortunately, this caused problems with other sites that (incorrectly) - assume Google WebComponents are available when this utility function is - present (feature detection gone wrong). While it is considered by some - to be part of the Google WebComponents implementation, it actually has - utility value outside of that use. 
Because of the problems caused, - we've added a preference and disabled it by default, fixing these kinds + - In 28.11.0 we introduced node.getRootNode because some websites + would fail with an error if this function was not present. + Unfortunately, this caused problems with other sites that (incorrectly) + assume Google WebComponents are available when this utility function is + present (feature detection gone wrong). While it is considered by some + to be part of the Google WebComponents implementation, it actually has + utility value outside of that use. Because of the problems caused, + we've added a preference and disabled it by default, fixing these kinds of websites. - - When needed, you can re-enable this function with + - When needed, you can re-enable this function with dom.getRootNode.enabled - - This should improve web compatibility by default yet still allow - users to enable this function for websites that use its utility but do + - This should improve web compatibility by default yet still allow + users to enable this function for websites that use its utility but do not use WebComponents. -- Ben Stack <bgstack15@gmail.com> Fri, 04 Sep 2020 19:50:02 -0400 
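Review bot: every changed line in this hunk is a whitespace-only rewrite of the already-released 28.13.0-3+devuan entry (each `-` line is textually identical to the `+` line that replaces it), which buries the real change of this commit, the new 28.16.0 entry, under a no-op reformat of history; either leave the old entry untouched or move the whitespace cleanup into a separate commit so the two can be reviewed independently. If the rewrap is kept, verify the result against the Debian changelog format: item continuation lines such as `dom.getRootNode.enabled` and `of websites.` need to retain their leading indentation (change-detail lines must begin with at least two spaces), which the rendered diff does not let a reviewer confirm.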
@@ -114,53 +153,53 @@ palemoon (28.13.0-3+devuan) obs; urgency=medium palemoon (28.12.0-1+devuan) obs; urgency=medium * This is a development, bugfix and security update. - - Added controls for WASM to the browser's preferences, and enabled + - Added controls for WASM to the browser's preferences, and enabled by default. - Enabled various arbitrarily-disabled CSS functions. - - Added the use of basic path descriptors (i.e. polygon) to css + - Added the use of basic path descriptors (i.e. polygon) to css clip paths. - - Implemented multithreaded request signal handling for the Abort + - Implemented multithreaded request signal handling for the Abort API. Please see implementation notes below. - - Updated the included US-English dictionary, adding approximately + - Updated the included US-English dictionary, adding approximately 2500 additional words. - - Removed the DOM battery API. This was already disabled for + - Removed the DOM battery API. This was already disabled for privacy reasons for a long while. - - Fixed an erroneous warning displayed on toolkit-only add-ons like + - Fixed an erroneous warning displayed on toolkit-only add-ons like supplied dictionaries. - Fixed an issue with the sessionstore tab load preference. - - Improved the generation of the names of downloaded files to + - Improved the generation of the names of downloaded files to prevent confusion. (CVE-2020-15658) - Fixed a code issue with base64 encoding of data. - - Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656) + - Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656) DiD - - Fixed a spec compliance issue with regards to the cross-origin + - Fixed a spec compliance issue with regards to the cross-origin loading of scripts. (CVE-2020-15652) - - Improved the loading of a system DLL on Windows, preventing + - Improved the loading of a system DLL on Windows, preventing low-risk hijacking potential. (CVE-2020-15657) See implementation notes. 
- - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 + - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 defense-in-depth, 15 not applicable. * Implementation notes - - In 28.11.0, we introduced the Abort API as new code. The - implementation of it still had an issue where especially web workers - would not always see the availability of abort signals on fetch - requests while AbortSignal was implemented in the browser. This - effectively made some websites (especially those using a particular - polyfill for the Abort API that would detect the need to polyfill by - way of Request.signal) throw errors that were fine before. We offered - users a workaround by temporarily disabling the AbortController in the + - In 28.11.0, we introduced the Abort API as new code. The + implementation of it still had an issue where especially web workers + would not always see the availability of abort signals on fetch + requests while AbortSignal was implemented in the browser. This + effectively made some websites (especially those using a particular + polyfill for the Abort API that would detect the need to polyfill by + way of Request.signal) throw errors that were fine before. We offered + users a workaround by temporarily disabling the AbortController in the browser by way of a preference (dom.abortController.enabled). - - v28.12.0 fixes the multi-threaded handling of signals, which - should solve these problems. As such, the workaround is no longer - needed and upon upgrade the preference will be reset to enable + - v28.12.0 fixes the multi-threaded handling of signals, which + should solve these problems. As such, the workaround is no longer + needed and upon upgrade the preference will be reset to enable AbortControllers again. 
- - DLL-hijacking on Windows would only be possible if a malicious - actor already either gained administrative access to the program's - installation folder or otherwise have unrestricted access to the - program folder (by having it installed in local application folders - inside the user's profile space or other insecure program locations). - In that case the system is already compromised and any executable can - be replaced, so having dll loading hijacked would be the least of your - concerns (i.e. the main program .exe could also be replaced/infected in + - DLL-hijacking on Windows would only be possible if a malicious + actor already either gained administrative access to the program's + installation folder or otherwise have unrestricted access to the + program folder (by having it installed in local application folders + inside the user's profile space or other insecure program locations). + In that case the system is already compromised and any executable can + be replaced, so having dll loading hijacked would be the least of your + concerns (i.e. the main program .exe could also be replaced/infected in that case). -- Ben Stack <bgstack15@gmail.com> Wed, 05 Aug 2020 14:43:18 -0400 |
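Review bot: this hunk rewrites the 28.12.0-1+devuan entry with no textual change, so the same objection as for the previous hunk applies (split or drop the whitespace-only churn); if the lines are going to be rewritten anyway, the `DiD` marker that dangles on the continuation line after `(One being CVE-2020-15656)` should be placed on the item's own line as `[DiD]`, matching the bracketed form the new 28.16.0 entry uses for its Skia and data-race items, so the defense-in-depth markers are written the same way throughout the file.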