diff options
Diffstat (limited to 'palemoon/debian/changelog')
| -rw-r--r-- | palemoon/debian/changelog | 1544 |
1 files changed, 1544 insertions, 0 deletions
diff --git a/palemoon/debian/changelog b/palemoon/debian/changelog new file mode 100644 index 0000000..6866558 --- /dev/null +++ b/palemoon/debian/changelog @@ -0,0 +1,1544 @@ +palemoon (28.3.0-devuan) obs; urgency=medium + + * Initial build for devuan + + -- B Stack <bgstack15@gmail.com> Wed, 23 Jan 2019 13:11:18 -0500 + +palemoon (28.3.0+repack-1) obs; urgency=medium + + * Import new 28.3.0 major development and bugfix release: + - Added AV1 support for MP4/MSE videos. Please note that this is a reference + library implementation and the upstream decoding lib currently has poor + performance for higher resolutions (720p+). This is disabled by default; + use the about:config preference media.av1.enabled to enable this codec. + - Changed the API used for video playback with FFmpeg 58+. This should solve + performance issues (dropped frames) with VP8 and VP9. + - Redesigned the main toolbar icons as SVG images to make them HiDPI + compliant. + - Fixed the sync notification (infobar) icon. + - Fixed a potential cycle collector resource leak. + - Added icons and controls to tabs to indicate if sound is playing the tab + and if so, allowing the user to mute it with a click. This is a native + implementation of the API in use in Basilisk and performs the same + function as the "expose noisy tabs" extension, although the extension may + still be preferred by some for e.g. skinning capabilities. The feature may + be disabled with browser.tabs.showAudioPlayingIcon. + - Removed support for VR hardware. + - Fixed out-of-bounds sizes for CSS calculation strings. + - Removed the DirectShow component since it is no longer necessary. + - Removed Firefox Accounts integration, phase 1: + - Changed the Sync client to the one from Tycho. + - Made Sync optional at build time. + - Stopped trying to cater to addons.mozilla.org since they no longer offer + anything useful to Pale Moon after the Great XUL Extension Purge™. + - Added an option to process favicons for optimal sized display and removing + animations. Enable this with browser.chrome.favicons.process + - Fixed an incorrect preference reference in feed reader. + - Fixed an issue with lazy frame construction on display:contents elements. + This should solve e.g. the use of mathjax in comments on stackoverflow. + - Media code improvements and cleanup (ongoing). + - Updated the DropBox useragent override to solve login issues. + - Fixed potential crashes due to shutdown observers in VTT and font + lists. DiD + - Enabled some mistakingly-disabled optimizations in the JS JIT compiler. + - Fixed several potential crashes in JS. DiD + - Fixed several potential crashes in WebCrypto. DiD + - Fixed a potential crash in JS Range Analysis. DiD + - Fixed a potential crash in the layout engine due to combo boxes. DiD + - Fixed a potential shutdown crash in non-standard environments related to + 2D Canvas. DiD + - Fixed a potential overflow in the PNG writer. DiD + - Fixed a potential double-free in the MAR signing utility. DiD + - Fixed an issue where URLs could be extracted cross-origin (CVE-2018-18494). + - Updated NSPR to v4.20. + - Updated NSS to 3.41, providing (among other things) full compatibility with + the final version of TLS 1.3 on websites. + - Updated location.protocol to the latest spec. + - Updated Intersection Observers to the latest spec and enabled them + by default. + - Updated the SQLite lib to 3.26.0. + - Fixed errors about the login manager's recipeManager not being + available (yet). + - Switched status bar download arrow to SVG. + - Fixed a crash in IntersectionObservers. + - Fixed initialization of the Search service from browser code to avoid + synchronous init. + - Added logging of performance warnings to devtools consoles. + - Fixed favicons in taskbar tab preview listings. + - Blocked Comodo IS dll < version 6.3 to prevent startup crashes. + - Fixed issues in the HTML form submit observer module. + - Limited resolving depth of CSS variables to a sane maximum (fixes + cras.sh issue). + - Removed Mozilla's proprietary constructor on WebAudio's AudioContext, + aligning it with the standard specification. + - Exposed the previously hidden preference in about:config for page thumbnail + generation (some people prefer this for local privacy). + - Aligned Element.ScrollIntoView with the DOM specification. This improves, + among other things, compatibility with the React framework. + + * Totally revise debian/copyright to conform to Debian Policy. + * Install copies of MPL-1.1 and MPL-2 licenses in docs. + * Change versioning to "+repack" now that the OBS supports it. + + -- Steven Pusser <stevep@mxlinux.org> Tue, 15 Jan 2019 12:11:18 -0800 + +palemoon (28.2.2~repack-1~mx17+1) mx; urgency=medium + + * New upstream minor security and stablility release. + + -- Steven Pusser <stevep@mxlinux.org> Wed, 05 Dec 2018 12:23:18 -0800 + +palemoon (28.2.1~repack-1~mx17+1) mx; urgency=medium + + * New release; addresses issues with history and bookmarks. + + -- Steven Pusser <stevep@mxlinux.org> Sun, 18 Nov 2018 11:54:00 -0800 + +palemoon (28.2.0~repack-1) obs; urgency=medium + + * Import new 28.2.0 major development and bugfix release: + - Fixed a major performance issue with web workers. + - Fixed a rare crash on local networks with HTTP basic auth and unsupported + cipher suites. + - Fixed a performance/timer issue when leaving the browser idle. + - Fixed an issue causing an empty dialog when launching executable files + from the browser. + - Fixed an issue preventing making entries to disallow sites to store data + for off-line use. + - Removed code to prevent extensions with binary components. + - Fixed an issue with common dialogs being sized incorrectly for their + content. + - Fixed an issue with event handling on the tab bar that would cause + frustrating behavior when trying to open/close tabs in rapid succession. + - Switched default behavior for scrolling when a context or pop-up menu is + open to allow scrolling, like in v27. This also affects scrolling in very + long menus, e.g. bookmarks. + - Added experimental Asynchronous Panning and Zooming (APZ) for desktop use. + - Re-enabled the use and parsing of ICC v4 color profiles. + - Removed telemetry code from the caching subsystem. + - Improved full-screen detection for suppressing status messages. + - Made all arguments passed to Init*Event() optional except the first for + parity with other browsers. + - Cleaned up some internal installer code. + - Fixed making caret width configurable when dealing with CJK characters + (regression). + - Fixed drawing of table borders consistently when zooming a page + (regression). + - Exposed the "Save download location per site" pref in about:config. + - Improved media handling (ongoing). + - Added experimental support for AV1 in WebM videos (disabled by default). + - Note: this is for WebM only for now, so MP4 and MSE AV1 streams (e.g. + YouTube) will not (yet) play. + - Removed the (defunct and incomplete) in-browser translation code. + - Fixed an issue with CSS Grid layouts unnecessarily shrinking element + blocks. + - Fixed notification settings menu entry (opes about:permissions with + relevant data now). + - Fixed the launching of an undesirable background content process for + capturing page thumbnails. + - Fixed a focus issue in the bookmark properties dialog. + - Changed the setting for reporting CSS errors to the console to false by + default, to prevent unnecessary performance loss for recording this data. + - Added control mechanisms for Opportunistic Encryption (both for + alternative services and upgrade-insecure-requests) in preferences, + and disabled this by default due to potential security and privacy issues + with this transitional technology. + - Updated the default reported Firefox version in Firefox Compatibility Mode + to prevent "too old Firefox" complaints on websites. + - Updated libnestegg, ffvpx, reader view components and several other + modules from upstream. + - Implemented security fixes for CVE-2018-12381, CVE-2017-7797, a better fix + for CVE-2018-12386 (DiD), CVE-2018-12401 (DiD), CVE-2018-12398, + CVE-2018-12392, several Skia bugs, and several crashes and memory safety + hazards that do not have a CVE number. + + * debian/mozconfig: enable AV1 decoding. + + -- Steven Pusser <stevep@mxlinux.org> Mon, 12 Nov 2018 09:38:43 -0800 + +palemoon (28.1.0~repack-1) obs; urgency=medium + + * New upstream release: + + - Updated NSS to 3.38, removed TLS 1.3 draft version check since it's + considered final. + - Reinstated RC4 as an optional encryption cypher for non-standard + environments (e.g. old routing/peripheral networked hardware on LAN). RC4 + and 3DES are marked weak and disabled, and will never be used in the first + handshake with a site, only as last-ditch fallback when specifically + enabled (meaning they won't show up on ssllabs' test, for example). + - Removed Telemetry accumulation calls, automatic timers and stopwatches. + This removes a very noticeable performance sink for all operations on all + platforms. + - Fixed many occurrences of discouraged types of memory access for primarily + GCC 8 compatibility. This improves overall code security as a + defense-in-depth measure. + - Re-implemented the pref-controlled custom background color for + standalone images. + - Updated session history handling for internal pages. about:logopage is no + longer stored in history, and you can choose to store the QuickDial page in + history by setting the pref browser.newtabpage.add_to_session_history to + true. This is disabled by default (meaning you can't use the "Back" button + to go back to the QuickDial page) as a defense-in-depth security measure. + - Added ui.menu.allow_content_scroll to control whether content can be + scrolled if a context menu is open. + - Fixed incorrect code removal in ipc. + - Removed support for TLS session caches in TLSServerSocket. + - Added support for local-ref as SVG xlink:href values. + - Changed the find bar to be a browser-global toolbar again (like in Pale + Moon 27) instead of per-tab. For people who prefer search terms to be + saved on a per-tab basis (like with the per-tab findbar previously), this + is possible by setting findbar.termPerTab to true. This resolves a number + of issues, including styling with lightweight themes not applying to the + find bar, and status pop-ups overlapping the find bar. + - Ported all relevant security fixes from Mozilla's Gecko/62 release, + including CVE-2018-12377 and CVE-2018-12379. + - Restored part of the searchplugin API that was removed by Mozilla, so + extensions can provide and save edits to installed search engines. + - Improved the speed of restoring browsing sessions upon startup. + - Fixed the "Restore previous session" button sometimes being missing from + about:home, while a restorable session would be present. + - Fixed tab previews in the Windows taskbar (if enabled). + - Fixed the setting of the new tab page being "My Home Page" so it'll pick up + subsequent changes to the home page URL automatically. + - Removed the Firefox Accounts migrator from Sync. + - Fixed an issue with the enabled state of number controls if appearances + changed. + - Stopped building ffvpx on 32-bit platforms (except Windows) to use the + (faster) system-installed lib instead. + - Re-added a horizontal scroll action option for mouse wheel. (regression) + - Fixed handling of content language if the locale is changed. + - Fixed document navigation with the F6 key. + - Fixed toolbar styling in toolkit themes. + - Fixed viewing the source of a selection. + + * Now has full support for gcc-8, so stop forcing gcc-7 build on Buster and + recent Ubuntus where gcc-8 is default. + + -- Steven Pusser <stevep@mxlinux.org> Mon, 17 Sep 2018 19:05:20 -0700 + +palemoon (28.0.1~repack-1~mx17+1) mx; urgency=medium + + * New upstream release. + - Backed out a Mozilla upstream patch causing issues with IPC and texture + allocation for the compositor. + - Backed out a Mozilla upstream patch causing issues with Javascript memory + buffer allocation. + * debian/mozconfig: add an option to tune for the number of parallel build + threads. + + -- Steven Pusser <stevep@mxlinux.org> Fri, 31 Aug 2018 17:26:11 -0700 + +palemoon (28.0.0~repack-3) obs; urgency=medium + + * Add libavcodec-ffmpeg56 and libavcodec-ffmpeg-extra56 D for Ubuntu 16.04. + + -- Steven Pusser <stevep@mxlinux.org> Sat, 18 Aug 2018 11:19:45 -0700 + +palemoon (28.0.0~repack-2) obs; urgency=medium + + * Add alternative libavcodec-extraXX dependencies. + + -- Steven Pusser <stevep@mxlinux.org> Thu, 16 Aug 2018 18:15:14 -0700 + +palemoon (28.0.0~repack-1) obs; urgency=medium + + * Import final 28.0.0 release. + + -- Steven Pusser <stevep@mxlinux.org> Wed, 15 Aug 2018 11:55:12 -0700 + +palemoon (28.0.0~rc1~repack-2) obs; urgency=medium + + * Depend on a version of libavcodec instead of ffmpeg. + * For Buster, build on gcc-7, just to be safe. Restore the lsb-release distro + detection setup to rules to enable this, and add the new build-depends. This + should no longer be required in 28.1.0. + + -- Steven Pusser <stevep@mxlinux.org> Tue, 14 Aug 2018 12:13:31 -0700 + +palemoon (28.0.0~rc1~repack-1) obs; urgency=medium + + * New upstream release. + + -- Steven Pusser <stevep@mxlinux.org> Sun, 12 Aug 2018 13:28:16 -0700 + +palemoon (28.0.0~b5~repack-1) obs; urgency=medium + + * Import new beta release. + + -- Steven Pusser <stevep@mxlinux.org> Wed, 01 Aug 2018 14:41:07 -0700 + +palemoon (28.0~b4~repack-1mx17+1) mx; urgency=medium + + * New beta release. + * Build with native gcc releases, remove lsb-release as build-depend since it's + no longer needed to check for the distrelease. + * Add libgconf2-dev and libx11-xcb-dev to build-depends. + * Add command to dh_auto_clean override to remove pyc files somehow generated + by dh_clean. + * Add new options to debian/mozconfig. + + -- Steven Pusser <stevep@mxlinux.org> Sat, 28 Jul 2018 15:06:18 -0700 + +palemoon (27.9.4~repack-1~mx17+1) mx; urgency=medium + + * Import new upstream 27.9.4 release. + - Updated the useragent for addons.mozilla.org to work around their "Only + with Firefox" discrimination preventing users from downloading themes, old + versions of extensions, and other files with Pale Moon. + - Restricted web access to the moz-icon:// scheme that could potentially be + abused to infringe the user's privacy. + - Prevented various location-based threats. DiD + - Fixed a potential vulnerability with plugins being redirected to different + origins (CVE-2018-12364). + - Improved the security check for launching executable files + (by association) on Windows from the browser. For users who have (most + likely accidentally) granted a system-wide waiver for opening these kinds + of files without being prompted, this permission has been reset. + - Fixed an issue with invalid qcms transforms (CVE-2018-12366). + - Fixed a buffer overflow using the computed size of canvas elements + (CVE-2018-12359). + - Fixed a use-after-free when using focus() (CVE-2018-12360). + - Added some sanity checks on nsMozIconURI. DiD + - Fixed an issue in the case the preferences file in the profile would not be + writable (e.g. temporary permission issues due to backup, virus scanning or + similar external processes). + + -- Steven Pusser <stevep@mxlinux.org> Wed, 11 Jul 2018 13:59:46 -0700 + +palemoon (27.9.3~repack-1~mx17+1) mx; urgency=medium + + * New upstream security update: + + - Changes/fixes: + - (CVE-2017-0381) Ported a patch from libopus upstream. Note, contrary to + that report, the libopus maintainers state they don't believe remote + code execution was possible, so this was not a critical patch. + - Fixed an issue with task counting in JS GC. + - Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject (thanks + to Berk Cem Göksel for reporting). + + -- Steven Pusser <stevep@mxlinux.org> Tue, 12 Jun 2018 11:12:06 -0700 + +palemoon (27.9.2~repack-1~mx17+1) mx; urgency=medium + + * New upstream security and stability update: + + - Changes/fixes: + - We changed the language strings for softblocked items so people will cry + less when we do our job. + - (CVE-2018-5174) Prevent potential SmartScreen bypass on Windows 10. + - (CVE-2018-5173) Fixed an issue in the Downloads panel improperly + rendering some Unicode characters, allowing for the file name to be + spoofed. This could be used to obscure the file extension of potentially + executable files from user view in the panel. + - (CVE-2018-5177) Fixed a vulnerability in the XSLT component leading to a + buffer overflow and crash if it occurs. + - (CVE-2018-5159) Fixed an integer overflow vulnerability in the Skia + library resulting in possible out-of-bounds writes. + - (CVE-2018-5154) Fixed a use-after-free vulnerability while enumerating + attributes during SVG animations with clip paths. + - (CVE-2018-5178) Fixed a buffer overflow during UTF8 to Unicode string + conversion within JavaScript with extremely large amounts of data. This + vulnerability requires the use of a malicious or vulnerable extension in + order to occur. + - Fixed several stability issues (crashes) and memory safety hazards. + + -- Steven Pusser <stevep@mxlinux.org> Mon, 21 May 2018 11:43:14 -0700 + +palemoon (27.9.1~repack-1) obs; urgency=medium + + * New upstream maintenance update: + - Removed the unused/incomplete places protocol handler. + - Worked around an issue with MSE media without a Track ID. This should help + with the playability of some live streams. + - Ported across jemalloc improvements from UXP. + - Ported across cairo mutex improvements from UXP. + - Added support for FFmpeg 4.0/libavcodec 58. + - Added a fix for Windows 10's "isAlpha()" not being what one would expect + in v1803. + + -- Steven Pusser <stevep@mxlinux.org> Mon, 07 May 2018 15:07:33 -0700 + +palemoon (27.9.0~repack-1~mx17+1) mx; urgency=medium + + * New upstream release: + - Fixed a number of spec compliance issues in our media subsystem. + - Added a trailing slash to referrers when policy is set to fix some web + compatibility issues. + - Fixed the property order in Object.getOwnPropertyNames(string) and others + for web compatibility. + - Updated RegExp(RegExp object, flags) to the ES6 standard specification. + - Changed the embedded font from the no longer free EmojiOne to the + open-licensed Twemoji (with additional fixes). This also further extends + unicode support to Unicode 10 emoji(s). Please note that as a result, color + emoji(s) will look different than before. + - Adjusted some things in our memory allocator code to provide, among other + things, better allocation alignment on Windows. + - Made the attempt to migrate people from the old sync server domain name to + the current one more aggressive. We will be retiring the old + pmsync.palemoon.net Sync server address shortly to remove the need for us + to maintain a security certificate for it; this preference migration should + automatically put everyone on the correct server address when upgrading. + - Made reading of the sessionstore synchronous, to speed up startup and + prevent the homepage from being loaded when restoring a session. + - Added a fix to switch to the correct window/tab when a web notification + is clicked. + - Changed the placeholder text to not include "Search" when all search + functions from the address bar are disabled. + - Enabled the use of Skia for canvas on Linux and OSX. + - Worked around a potential cause for some non-standard bitmapped fonts + ending up with incorrect line heights (I'm looking at you, Noto fonts!). + - Added a workaround for incorrectly-encoded JPEG-XR images with planar + alpha. Ultimately, the jxrlib reference implementation should be fixed to + encode according to spec. + - Aligned XCTO:nosniff allowed script MIME types with the updated spec. + - Improved the logic for storing vector images in the surface cache. + - Fixed character set handling for XMLHttpRequests. + + -- Steven Pusser <stevep@mxlinux.org> Tue, 17 Apr 2018 10:14:19 -0700 + +palemoon (27.8.3~repack-1) obs; urgency=medium + + * New upstream bugfix update: + - This is a small update to solve a pervasive crash in responsive web + layouts. + + -- Steven Pusser <stevep@mxlinux.org> Thu, 29 Mar 2018 12:48:14 -0700 + +palemoon (27.8.2~repack-1) obs; urgency=medium + + * New upstream security update: + - Privacy fix: prevented update checks for the default theme. + - Added a user-agent override for Dropbox to improve compatibility with + their service. + - Fixed an issue with mouseover handling related to (CVE-2018-5103). DiD + - Disabled the Mac OSX Nano allocator. DiD + - Fixed (CVE-2018-5129) OOB Write. + - Updated the lz4 library to 1.8.0 to solve potential issues. DiD + - Fixed (CVE-2018-5137) Path traversal on chrome:// URLs + - Fixed several memory safety an synchronicity hazards. + + -- Steven Pusser <stevep@mxlinux.org> Thu, 22 Mar 2018 10:31:24 -0700 + +palemoon (27.8.1~repack-1) obs; urgency=medium + + * New upstream release: + - Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general + operational instability and handshake issues. + - Disabled TLS 1.3 draft support by default, because with the NSS backout we + only support an older draft right now that is no longer current and may + cause connectivity issues. You can manually re-enable it at your own risk + in about:config by setting security.tls.version.max to 4. + + -- Steven Pusser <stevep@mxlinux.org> Tue, 06 Mar 2018 12:04:10 -0800 + +palemoon (27.8.0~repack-1) obs; urgency=medium + + * New upstream release: + - Added support for emojis on Windows systems that have relatively poor + support for them with standard font sets by including our own font + (EmojiOne based for now). + - Added a setting in preferences to select the use of tab previews with + Ctrl+Tab. + - Added Eyedropper menu entry to the AppMenu. + - Added a preference to control whether the text cursor (caret) should be + thicker when dealing with CJK characters or not (default = yes). + - Added URL fix-ups for schemes (mis-typed "ttp://" etc.). + - Added support for ES6 "Symbol species". + - Updated our TLS 1.3 support to the latest (probably final) draft. + - Fixed gap inconsistency in the tabstrip. + - Fixed a number of browser crashes. + - Fixed a crash with the exponentiation operator "**" + - Set the performance timer granularity to 1 ms. + - Updated the kiss-fft library to our forked 1.4.0 version. + - Disabled a potentially problematic optimization on Win 8+ with high + contrast themes in use. + - Removed the notification bar when in full screen to prevent unwanted + visible screen elements. + - Removed unmaintained and insecure WebRTC code - building with WebRTC + enabled is no longer an option. + - Removed redundant checks for "Vista or later" since that is all we support. + - Added display of the http status to raw request displays. + - Added a workaround for cloned videos not retaining their muted state. + - Added a temporary workaround to avoid crashes on trackless media. + - Removed some superfluous ellipses from menu labels. + - Fixed undesired shrinking of line heights as a result of setting minimum + font size in preferences. + - Fixed some issues with setting the new tab preference (regression). + + * Add support for building on Debian Buster on gcc-4.9. + + -- Steven Pusser <stevep@mxlinux.org> Fri, 02 Mar 2018 17:38:20 -0800 + +palemoon (27.7.2~repack-1~mx17+1) mx; urgency=medium + + * New upstream release: + - Changed the X-Content-Type-Options: nosniff behavior to only check + "success" class server responses, for web compatibility reasons. + - Changed the perfomance timer resolution once more to a granularity of + 1 ms, after evaluating more potential ways of abusing Spectre. This + takes the most cautious approach possible lacking more information + (because apparently NDAs have been signed over this between mainstream + players), follows Safari's lead, and should make it not just infeasible + but downright impossible to use these timers for nefarious purposes in + this context. + - Improved the debug-only startup cache wrapper to prevent a rare crash. + - Fixed a crash in the XML parser. + - Added a check for integer overflow in AesTask::DoCrypto() + (CVE-2018-5122) DiD + - Fixed a potential race condition in the browser cache. + - Fixed a crash in HTML media elements (CVE-2018-5102) + - Fixed a crash in XHR using workers. + - Fixed a crash with some uncommon FTP operations. + - Fixed a potential race condition in the JAR library. + + -- Steven Pusser <stevep@mxlinux.org> Thu, 01 Feb 2018 13:48:26 -0800 + +palemoon (27.7.1~repack-1~mx17+1) mx; urgency=medium + + * New upstream release: + - Added support for Array.prototype[@@unscopables]. + Unfortunately, the addition of Javascript's ES6 Unscopables in 27.7.0 was + incomplete, which caused a number of websites (e.g. Chase on-line banking, + some Russian government sites) to display blank or not complete loading + after updating to that version of the browser. This update should fix the + problem by adding the missing part of the feature. + - Fixed an issue with the default theme causing tab borders to be drawn too + thick at higher settings for visual element scaling (125/150%) in Windows. + + -- Steven Pusser <stevep@mxlinux.org> Thu, 18 Jan 2018 10:03:02 -0800 + +palemoon (27.7.0~repack-1~mx17+1) mx; urgency=medium + + * New upstream release: + - Reorganized access to preferences (moved to the Tools menu on Linux, and + renamed from "Options" to "Preferences" on Windows). + - Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to + better reflect what it does. + - Worked around an issue with some improperly-encoded PNG files not decoding + after our libpng update. + - Fixed an issue on Mac builds not properly populating the application menu. + - Added "My home page" as an option for new tabs. + - Added an option to disable the 4th and 5th mouse buttons (Windows). + - (mouse.button4.enabled and mouse.button5.enabled, respectively) + - Improved the resetting of non-default profiles. + - Fixed an issue with details/summary having the incorrect height if floated, + breaking layouts. + - Implemented support for flex/columnset contents inside buttons to align + its behavior with other browsers. + - (this should fix layout issues with Twitch's new web interface) + - Made several more improvements to the details/summary tags to align them + with the current spec and fix several bugs. + - Fixed an issue where CSS clone operations would draw a border. + - Changed the way fractional border widths are rounded to provide more + natural behavior. + - Fixed an issue where number inputs would incorrectly be flagged as + read-only. + - Added assets for tile display in the Windows start panel. + - Finished sync infra swapover by adding a one-time pref migration for + server used. + - Improved WebAudio API: Return the connected audio node from + AudioNode.connect() + - Added support for a default playback start position in media elements. + - Fixed an assert in cubeb-alsa code (Linux). + - Added support for media cue-change events (e.g. subtitles). + - Updated SQLite to 3.21.0. + - Fixed a crash when trying to use the platform embedded. + - Fixed devtools (gcli) screenshots on vertical-text pages. + - Fixed devtools copy as cURL for POST requests. + - Improved the HTML editor component (several bugfixes). + - Added support for ES7's exponentiation a ** b operator. + - Fixed an issue with arrow functions incorrectly creating an arguments + binding. + - Added Javascript's ES6 unscopables. + Security/privacy fixes: + - Disabled automatic filling in of log-in details by default to prevent + potential risks of credentials being abused (e.g. for tracking) or stolen. + - Added a preference (in the category security) to easily enable or disable + automatic filling in of log-in data. + - Removed the sending of referrers when opening a link in a new + private window. + - Added an option to disable the page visibility Web API + (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing + whether they are being actively displayed to the user or not. + - Removed the "ask every time" policy for cookies. For granular control, + please use any of the excellent available extensions to regulate cookie use + on a per-site or per-url basis. + - Added support for X-Content-Type-Options: nosniff (for scripts). + - Changed the resolution of performance timers to a level where any future + potential abuse for hardware-timing attacks becomes impractical. + + -- Steven Pusser <stevep@mxlinux.org> Tue, 16 Jan 2018 12:02:55 -0800 + +palemoon (27.6.2~repack-1) obs; urgency=medium + + * Minor security and bugfix release: + - Implemented the concept of so-called "cookie-averse document objects", + which is a security&privacy measure that blocks certain web content from + setting cookies. This mitigates cookie-injection, which might help against + "hidden" cookie tracking. + - Mitigated some domain name spoofing through IDN by using dotless-i and + dotless-j with accents. (CVE-2017-7832) + - Pale Moon will display these kinds of spoofed domains in punycode now in + the actual address bar. Please note that the identity panel will always be + able to help you on secure sites when IDNs are in use to notice potential + spoofing, as opposed to relying on detection algorithms in the URL itself. + As such, some other issues like CVE-2017-7833 are already mitigated by us. + - Fixed an issue with mixed-content blocking. (CVE-2017-7835) + - Added an extra check for the correct signature data type on certificates. + - Added missing sanitization in exporting bookmarks to HTML. (CVE-2017-7840) + - Fixed several crashes and memory safety hazards. + * Bump debhelper build-depend to >= 9. + + -- Steven Pusser <stevep@mxlinux.org> Wed, 29 Nov 2017 12:31:22 -0800 + +palemoon (27.6.1~repack-1mx15+1) mx; urgency=medium + + * Minor bugfix release: + - Fixed a regression with new windows (opening two windows from the + command-line or file association, focus issues on new windows, not + loading the home page in a new window, etc.) + - Aligned XHR with the currect spec to allow withCredentials. + - Fixed an input element focus issue within handlers. + - Fixed the processing of all-padding HTTP/2 frames to prevent rare + HTTP/2 hangups. + - Updated CitiBank override to work around their login issues. + - Updated Netflix override to a community-supplied one that seems to + satisfy their arbitrary restrictions better. + + -- Steven Pusser <stevep@mxlinux.org> Mon, 20 Nov 2017 15:52:34 -0800 + +palemoon (27.6.0~repack-1) obs; urgency=medium + + * Major development update; changes can be viewed at + https://github.com/MoonchildProductions/Pale-Moon/releases. + * debian/mozconfig: add vectorization flags for distreleases that support it. + Those that don't get the mozconfig without the flags. + + -- Steven Pusser <stevep@mxlinux.org> Wed, 08 Nov 2017 11:10:24 -0800 + +palemoon (27.5.1~repack-1) obs; urgency=medium + + * Minor bugfix release: + - Changed the default Windows 10 styling when no accent color is applied to + black-on-white. + - Changed the theme styling on Windows 10 when the system window frame is + used (menu bar enabled) to use the window manager background directly, + preventing visual lag updating the window color when it changes. + - Updated user agent overrides for DropBox, YouTube and Yahoo to work around + user agent sniffing issues. + - Fixed a crash in the media subsystem. + - Fixed a regression where video playback hardware acceleration was disabled + incorrectly on some systems. + + -- Steven Pusser <stevep@mxlinux.org> Fri, 13 Oct 2017 15:15:01 -0700 + +palemoon (27.5.0~repack-1mx15+1) mx; urgency=medium + + * New upstream major release, changes can be viewed at + https://github.com/MoonchildProductions/Pale-Moon/releases. + * Disable updater and installer in mozconfig. + + -- Steven Pusser <stevep@mxlinux.org> Tue, 26 Sep 2017 18:32:35 -0700 + +palemoon (27.4.2~repack-1) obs; urgency=medium + + * New upstream bugfix release: + - Fixed a number of crashes. + - Enabled the opt-in debugging feature to log SSL keys to a file in all + builds. + - Added a fix for TLS 1.3 handshakes causing a browser hangup. + - Handshakes should be considerably faster now and no longer stall in the + wrong circumstances. + - Updated NSPR to 4.15. + - Updated NSS to 3.31.1. + - Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783) + - Fixed an issue where (cross domain) iframes could break + scope (CVE-2017-7787) + - Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804) + - Fixed an issue with elliptic curve addition in mixed Jacobian-affine + coordinates (CVE-2017-7781) + - Fixed a UAF in nsImageLoadingContent (CVE-2017-7784) + - Fixed a UAF in WebSockets (CVE-2017-7800) + - Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD + (accessibility is disabled) + + -- Steven Pusser <stevep@mxlinux.org> Wed, 23 Aug 2017 15:50:07 -0700 + +palemoon (27.4.1~repack-1mx15+1) mx; urgency=medium + + * New upstream bugfix release: + - Fixed an issue where MSE media playback would not use hardware + acceleration when it could, causing choppy playback and high CPU usage. + - Fixed ES6 iterator chains to be spec-compliant. + - Fixed ES6 vector append calls and some related memory leaks. + - Added a workaround to reduce the chances of a rare crash occurring. + + -- Steven Pusser <stevep@mxlinux.org> Fri, 04 Aug 2017 18:22:19 -0700 + +palemoon (27.4.0~repack-2) obs; urgency=medium + + * debian/mozconfig: drop deprecated "--disable-gstreamer" option. + + -- Steven Pusser <stevep@mxlinux.org> Wed, 12 Jul 2017 13:25:27 -0700 + +palemoon (27.4.0~repack-1) obs; urgency=medium + + * New upstream release--the github 27.4.0 was not a real release: + Changes/fixes: + - Completely re-worked the Media Source Extensions code to make it spec + compliant, and asynchronous as per specification for MSE with MP4. This + should fix playback problems on YouTube, Twitch, Vimeo and other sites + that previously had some issues. A massive thank you to Travis for his + tireless work on making this happen! + Please note that MSE+WebM (disabled by default) is not using this new code + yet (planned for the next release), and as such there is a temporary set + of things to keep in mind if you don't use default settings: + If you have previously enabled MSE+WebM, this setting will be reset when + you update to avoid conflicting settings with the updated MSE code. + We've added an extra setting in Options to disable the updated MSE code + (asynchronous use) in case you need to use WebM or are otherwise having + issues with the updated code (please let us know in that case). + Once again, the MSE+WebM and Asynchronous MSE use are currently mutually + exclusive. You can have one or the other, not both, until we sort out + the code for WebM. To enable MSE+WebM you will first have to disable + Asynchronouse MSE in settings (otherwise the WebM setting will be greyed + out and disabled). + - Added a control in options/preferences for HSTS and HPKP usage. + - Changed HTML bookmark exports to write CRLF line endings to the file on + Windows. + - Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding). + - Fixed some issues accessing DeviantArt (useragent-sniffing). + - Aligned CSS text-align with the spec. + - Added a recovery module for browser initialization issues (e.g. when using + a wrong language pack). + - Fixed spurious console errors for XHR requests with certain http response + codes. + - Enabled v-sync aligned refresh for a smoother scrolling experience. + - Removed support for CSS XP-theme media queries. + - Improved console error reporting. + - Fixed resetting toolbars and controls from the safe mode dialog. + - Fixed bookmark recovery option from the safe mode dialog. + - Fixed innerText getters for display:none elements. + - Fixed a GL buffer crash that might occur with certain combinations of + drivers and hardware. + - Added some more details to about:support. + - Fixed a potential crash when the last audio device is removed during + playback. + - Fixed a crash on about:support when windowless browsers are created. + - Updated <select> elements to blank if the actively set value doesn't match + any of the options. + - Updated the interpretation of 2-digit years in date formats to match other + browsers: + - 0-49 = 2000-2049, 50-99 = 1950-1999. + - Added "q" units to CSS (quarter of a millimeter). + - Added .origin property to blobs. + - Fixed several minor layout issues. + - Fixed disabled HTML elements not producing the proper JS events. + - Implemented web content handler blacklist according to the spec, allowing + more than feeds to be registered. + - Fixed a spec compliance issue with execCommand() on HTML elements. + - Fixed a problem with table borders being drawn uneven or being omitted + when zooming the page. + - Added devtools "filter URLs" option in the network panel. + - Added visual sorting options to the Network inspector. + - Added importing of login data from Chrome profiles on Windows (Chrome + has to be closed first). + - Added importing of tags from bookmark export files (HTML format). + - Updated usage of SourceMap headers with the updated spec (SourceMap + header, keeping X-SourceMap as a fallback). + - Fixed several cases of wrongly-used negations in JS modules. + - Added the auxclick mouse event. + - Added a control to not autoplay video unless it is in view + (media.block-play-until-visible). + - Updated the Graphite font library to 1.3.10. + - Updated how image and media elements respond to window size changes + (responsive design). + - Added parsing and use of rotation meta data in video. + - Fixed several crashes in a number of modules. + - Fixed performance regression for scaling large vector images (e.g. MSIE + Chalkboard test) \o/ + - Fixed some issues with notification icons. + - Fixed some internal errors with live bookmarks. + - Updated SQLite to 3.19.3. + - Fixed several reported issues with devtools (cli-cookies, cli help, + copying cURL, inspecting SVGs, element size calculations, etc.) + - Fixed an issue where a server response was allowed to override add-ons' + specified version ranges even for add-ons that have strict compatibility + (e.g. themes, language packs). + + Security fixes: + + - Removed preloading of HPKP hosts and enabled HPKP header enforcement. + - Added support for TLS 1.3, the up-next secure connection protocol. + - Fixed an issue with TLS 1.3 not supporting renegotiation by design. + - Relaxed some restrictions for CSP to temporarily work around web + compatibility issues with the CSP-3 deprecated `child-src` directive. + - Updated NSS to 3.28.5.1-PM to address some security issues. + - Updated the installer selfextractor module to address unsafe loading of + libraries. + - Changed the way certain resources are included to reduce effectiveness of + some common fingerprinting techniques. (e.g. browserleaks.org) + - Fixed a regression in the display of security information in the page info + dialog for insecure content. + - Fixed two potential issues with allocating memory for video. DiD + - Fixed a potential issue with the network prediction algorithm. DiD + - Restricted the use of Aspirational scripts in IDNs to prevent domain + spoofing, in anticipation of the UAX#31 update making this official. + - Prevented a Mac font specific issue that could be abused for domain + spoofing (CVE-2017-7763) + - Fixed several potentially exploitable crashes. (CVE-2017-7751) + (CVE-2017-7757) and some that do not have a CVE designation. + + -- Steven Pusser <stevep@mxlinux.org> Wed, 12 Jul 2017 10:54:26 -0700 + +palemoon (27.3.0~repack-1) obs; urgency=medium + + * New upstream release. + + -- Steven Pusser <stevep@mxlinux.org> Sat, 29 Apr 2017 19:50:41 -0700 + +palemoon (27.2.1~repack-1) obs; urgency=medium + + * New upstream release: + + - Changes/Fixes: + - Fixed an issue with planar alpha handling (transparency) when drawing + JXR images. + - Fixed a crash related to a change JavaScript array handling introduced + in 27.2.0. This became apparent with the pentadactyl extension, but + could happen in other situations as well. + - Fixed a crash when opening ridiculously large images with HQ scaling + enabled (default). Pale Moon will now only apply HQ scaling for images + within reasonable limits (64 Mpix or smaller). Images larger than that + may not display properly when zooming in, or may not display at all, + even scaled down (e.g. >256 Mpix large) and show a "broken image" + placeholder instead; please use dedicated image viewer applications for + those kinds of images; it is outside the scope of a web browser to + handle such large images. + - Changed the way URL hashes are handled, and will no longer %-decode + anchor hash identifiers by default. Note that this is against RFC 3986, + which states that any part of the URL scheme that isn't data should be + decoded. This is required for web compatibility because several sites + use hash links to pass actual data to web applications (Please don't do + this! Hashes are part of the URL address, should only consist of "safe" + characters, and aren't suited to pass arbitrary data) and the most + common browsers no longer follow the RFC in that respect. If you want + RFC compliance, switch dom.url.getters_decode_hash to true. + - Restored 2 RSA Camellia cipher suites that were missing: + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA. + - Fixed an issue with custom toolbars getting deleted during upgrade + from 27.0/27.1 to 27.2 + + -- Steven Pusser <stevep@mxlinux.org> Wed, 29 Mar 2017 12:27:06 -0700 + +palemoon (27.2.0~repack-1mx15+1) mx; urgency=medium + + * New upstream release: + + - Changes/Fixes: + - Updated the ICU lib to 58.2 to fix a number of issues. + - Added proper control for the user for offline storage for web + applications. + - Added a check to prevent auto-filled URLs from copying the auto-filled + selection to clipboard/primary. + - Added the feature to pass a URL to open in a private window from the + command-line. + - Improved the display of the downloads indicator on the button in + bright-text situations. + - DOM storage now honors the "3rd party cookie" setting in that it will + not allow 3rd party data to be stored if 3rd party cookies are + disallowed. + - Allowed toolbar button badges to be properly styled. + - Updated the hunspell spellchecking library to 1.6.0 to fix a number + of issues. + - Fixed desktop notifications being off-screen if fired in rapid + succession. + - Added Element.insertAdjacentElement and Element.insertAdjacentText + DOM functions. + - Added support for JPEG-XR images. This makes Pale Moon have the broadest + support for image formats of all web browsers. (enabled by default; you + can disable this with media.jxr.enabled). + - Completely removed the use of GStreamer on Linux. + - Added support for Element.innerText. + - Custom toolbars should now properly remember their state. + - Fixed some more playback issues with MP4/MSE videos. Please be aware + that we are still working on further improving MSE video handling. + - Changed media processing to reduce dangerous processing asynchronicity. + This should also make media elements and playback more responsive. + - Fixed a useragent string regression always displaying the minor Goanna + version as .0 + - Updated NSPR to 4.13.1. + - Updated NSS to 3.28.3-RTM. + - Fixed unrestricted icon sizes in PMkit buttons. + - Fixed unresponsive buttons on support page when not building + the updater. + - Fixed the use of "View image" and "Save image as" on extremely + large images. + - Changed the way "View Image" and "Save image as" work on canvas + elements. + - Made checking for dangerously large resolution PNG images smarter. It + will now accept larger "strip"-aspect ratio images while reducing + unsupported large image resolutions. This will e.g. fix Gmail's "emoji" + window that uses a ridiculously long but very narrow single image to + store all the emoticon pictures. + - Converted several hard-coded URLs to preferences. + - Updated the google.com override so it would not cripple services based + on UA sniffing. + - Added Inner and Outer Window ID administration. + - Fixed the add-on discovery pane detection. + - Added support for canvas ellipse. + - Improved drawing of certain MathML elements at problematic zoom levels. + - No longer building gamepad support. + - Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues. + - Fixed a number of crashes (layout, plugins, uncommon navigation, + bad URLs). + - Aligned SVG specular filters with the spec. + + - Security/privacy changes: + - Added support for 256-bit AES-GCM encryption. + - Added support for ChaCha20-Poly1305 encryption. + - Removed support for Camellia-GCM since nobody seems interested in it. + (Camellia in 128/256-bit CBC block mode is still fully supported). + - Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils. + - Improved status handling of secure sites to be less sensitive to + "insecure" items that are local. + - Fixed print preview hijacking. (CVE-2017-5421) + - Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416) + - Fixed potential cross-origin content-stealing through a timing + attack. (CVE-2017-5407) + - Fixed a denial-of-service problem with view-source. (CVE-2017-5422) + - Fixed crash in directional controls. (CVE-2017-5413) + - Fixed a perceived problem with chrome manifests. (CVE-2017-5427) + - Fixed the use of an uninitialized value. (CVE-2017-5405) + - Fixed a buffer overflow. (CVE-2017-5412) + - Fixed a UAF situation. (CVE-2017-5403) + - Fixed a potential spoofing issue with the address bar. (CVE-2017-5417) + - Fixed a potential issue in libvpx. (CVE-2017-5402) DiD + - Fixed a potential issue with HTTP auth. (CVE-2017-5418) + - Fixed several memory safety hazards and potentially exploitable crashes. + + -- Steven Pusser <stevep@mxlinux.org> Sun, 19 Mar 2017 12:49:24 -0700 + +palemoon (27.1.2~repack-1mx15+1) mx; urgency=medium + + * New upstream release: + -adds workaround for potential deadlocks happening in media elements. + + -- Steven Pusser <stevep@mxlinux.org> Fri, 03 Mar 2017 13:45:54 -0800 + +palemoon (27.1.1~repack-1mx15+1) mx; urgency=medium + + * New upstream release: + - Implemented a fix in media handling to prevent crashes with concurrent + videos and/or rapidly starting/stopping video playback in the browser. + - Fixed the way the Adobe Flash plugin is detected to prevent confusion with + other plugins that identify themselves as "Flash" (e.g. VLC). + - Windows: Solved stability issues caused by the release build process, + resulting in unexpected behavior (e.g. hangups). + + -- Steven Pusser <stevep@mxlinux.org> Wed, 22 Feb 2017 13:52:07 -0800 + +palemoon (27.1.0~repack-1) obs; urgency=medium + + * New major upstream release: + - Reworked the media back-end completely (thanks Travis!) to use FFmpeg + (including support for FFmpeg v3 and MP3 playback) and our own MP4 parser, + and no longer relying on gstreamer on Linux, as well as adding some + improvements on Windows for media parsing and playing. + - On Linux, Apple .mov files of the correct type will also be played through + FFmpeg now, for those rare occasions where they are still in use, + considering there is no Quicktime plug-in available on that operating + system. + - Restored the classic about:config styling. + - Added a fallback to US-ASCII if the autoconfig UTF-8 conversion fails. + - Improved cross-compartment wrapper handling when managing a large number + of tabs (fixes a performance regression with v27). + - Changed the way audio and video synchronization is calculated to account + for (slow) device latency, preventing things from getting out of sync on, + e.g. BlueTooth-connected speakers. + - Changed the way scripts are handled when they are stopped from the + "unresponsive script" dialog, to prevent browser lockup. We will now stop + all scripts in the affected compartment in one go. + - Fixed several errors in the devtools. + - Fixed a nasty crash caused by cross-origin referrers. + - Added HTML5-spec clipboard handling for content (cut© only -- paste + is not allowed for security reasons). + - Made multiple changes to the toolkit jetpack modules to cater to PMkit + extensions. This should make running SDK-based extensions as PMkit + extensions fairly simple for extension developers. + - Fixed a css layout issue: make max-width affect contributions to intrinsic + min-width. + - Implemented several updates to the permissions manager. Among others, + improved the permissions manager (about:permissions) with a more complete + set of permissions for pages. + - Removed otherwise unused Metro browser platform/widget code. + - Removed support for non-standard/deprecated let blocks and expressions. + - Made the use of let as a keyword versionless and ES6 compliant. + - Made the privacy category in preferences a tabbed setup to better fit the + current options. + - Fixed a regression preventing certain MP4 video files from playing. + - Fixed a regression where seeking in media files would halt playback/jump + to the end of the stream. + - Fixed a crash caused by certain downloadable fonts with DirectWrite + in use. + -Improved downloads-button indicator legibility on some combinations of + Windows versions and system theme colors. + - Changed the Facebook user-agent override to be our native one, based on + reports from users that it is (finally) working acceptably. + - Fixed site-specific useragents being ignored if a global override is + defined. + + Security/privacy changes: + + - Changed CORS handling to allow data: sources, assuming they are + same-origin. This should fix the infamous "Facebook endless reload" issue + and may make some other sites that assume this particular (unspecified) + CORS behavior happy with Pale Moon. + - Reinstated the network.stricttransportsecurity.enabled preference so + people who choose privacy over HSTS can do so again. + - Added, In HSTS "off" state, prevention of HSTS site status from being + written to disk. + - Updated the IDN blacklist with more extended unicode characters that + "look very similar to" normal ASCII characters, to prevent spoofing of + well-known domains. If blacklisted characters are found, the IDN domain + name will be displayed in its punycode form. (CVE-2017-5383 and similar) + - Fixed an exploitable crash when using MP4 video. (CVE-2017-5396) + - Fixed an exploitable crash in XSL parsing. (CVE-2017-5376) + - Fixed a potential security issue when exporting certificates with + specially-crafted credentials. (CVE-2017-5381) + - Fixed a potential use-after-free situation in frame selection. + (CVE-2017-5380) DiD + - Fixed a leak of window details through the Ion compiler in certain + situations. + - Fixed the potential for an exploitable crash involving Javascript GC. DiD + - Fixed a potential overflow situation in (non-released) WebRTC code. DiD + - Fixed a potentially unsafe situation in websockets. DiD + - Fixed several memory and other safety hazards (BMO bugs 1318766, 1325877, + 1328834 DiD, 1288561 DiD, 1322420 DiD, 1293327 DiD, 1322315, 1325344, + 1285960). + * debian/mozconfig: + - add "ac_add_options --disable-necko-wifi" and "--disable-gstreamer".. + - drop "ac_add_options --enable-jemalloc-lib". + * debian/control: + - remove all gstreamer dependencies and build-deps. + - ffmepg | libav-tools added to Depends. + + -- Steven Pusser <stevep@mxlinux.org> Thu, 09 Feb 2017 13:53:41 -0800 + +palemoon (27.0.3~repack-3) stable; urgency=medium + + * debian rules and control: add some code and alternative depends to force + building on gcc-4.9 on releases that default to gcc 5 or 6. + + -- Steven Pusser <stevep@mxlinux.org> Wed, 25 Jan 2017 10:19:25 -0800 + +palemoon (27.0.3~repack-2) stable; urgency=medium + + * debian/mozconfig: reenable the dev tools. + * debian/rules: don't install duplicate /usr/lib/palemoon/palemoon-bin file. + + -- Steven Pusser <stevep@mxlinux.org> Thu, 29 Dec 2016 12:05:29 -0800 + +palemoon (27.0.3~repack-1) stable; urgency=medium + + * New upstream bugfix and security release. + + -- Steven Pusser <stevep@mxlinux.org> Mon, 19 Dec 2016 20:05:49 -0800 + +palemoon (27.0.2~repack-1mx15+1) mx; urgency=medium + + * New upstream bugfix release. + -fixed crash in SVG renderer related to CVE-2016-9079 (defense in depth) + -Firefox compatibility mode is default in useragent string. + * Drop debian/menu, deprecated with the use of desktop file. + * Drop use of debian/palemoon.xpm, link takes care of that in pixmaps. + * Install much better palemoon.desktop from source instead of from debian + folder. + + -- Steven Pusser <stevep@mxlinux.org> Fri, 02 Dec 2016 17:39:30 -0800 + +palemoon (27.0.1~repack-3mx15+1) mx; urgency=medium + + * Revise debian/mozconfig to remove deprecated configs and add sse2 + optimization. + * debian/rules: add override to help shlibdeps find libs on some releases. + + -- Steven Pusser <stevep@mxlinux.org> Wed, 30 Nov 2016 16:42:03 -0800 + +palemoon (27.0.1~repack-2mx15+1) mx; urgency=medium + + * debian/mozconfig: drop the "1.0" from the gstreamer flag. + * debian/install: don't install anything from /integration; part of default + install now. + * debian/compat: bump compat level to 9. + + -- Steven Pusser <stevep@mxlinux.org> Sun, 27 Nov 2016 13:50:54 -0800 + +palemoon (27.0.1~repack-1) mx; urgency=medium + + * New upstream release. + + -- Steven Pusser <stevep@mxlinux.org> Sat, 26 Nov 2016 10:09:18 -0800 + +palemoon (26.5.0~repack-1mx150+1) mx; urgency=medium + + * Repackaged for MX 15. + + -- Mike Elstad (v3g4n) <maintainer@mepiscommunity.org> Thu, 29 Sep 2016 18:22:24 -0500 + +palemoon (26.5.0~repack-1) obs; urgency=medium + + * New upstream release: + Fixes/Changes: + - Implemented a breaking CSP (content security policy) spec change; when a + page with CSP is loaded over http, Pale Moon now interprets CSP directives + to also include https versions of the hosts listed in CSP if a scheme + (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is + more restrictive and doesn't allow this cross-protocol access, but is in + line with CSP 2 where this is allowed. + - Fixed an issue with the XML parser where it would sometimes end up in an + unknown state and throw an error (e.g. when specific networking errors + would occur). + - Improved the performance of canvas poisoning by explicitly + parallelizing it. + + Security fixes: + - Fixed a potentially exploitable crash related to text writing direction. + (CVE-2016-5280) + - Made checking for invalid PNG files more strict. Pale Moon will now reject + more PNG files that have corrupted/invalid data that could otherwise lead + to potential security issues. + - Changed the way paletted image frames are allocated so the space is + cleared before it's used. DiD + - Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD + - Fixed several memory safety errors. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Wed, 28 Sep 2016 11:44:18 -0700 + +palemoon (26.4.1~repack-1) obs; urgency=medium + + * New upstream release: + Changes/fixes: + - Fixed a crash in the XSS filter. + - Slightly changed the address bar shading on secure sites to be more subtle + and easily-blended. + - Fixed the occurrence of "null" titles in bookmarks dragged from special + folders. + - Fixed an error initializing the browser due to trying to restore + scratchpad data from a stored session when having switched from a version + with devtools to a version without devtools, and the previous version had + scratchpad data saved. + - Fixed some minor issues in scratchpad and gcli devtools. + + Security fixes: + - Updated the HSTS preload list to a much more updated source list, and + performing our own checks on validity from now on to have the list be as + accurate as possible. + - Disabled Triple-DES cipher suites by default (mitigating SWEET32). + + * Add a "~repack" to the versioning because we have to repack the source. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Fri, 23 Sep 2016 17:07:58 -0700 + +palemoon (26.4.0-1mx150+1) mx; urgency=medium + + * New upstream release: + - Removed Google Search as a bundled search provider. If desired, you can + manually install it (or other search engines) after the update by following + the steps in the Manage Search Engines topic. + - Fixed the URL API to allow "stringification" of the object per + specification. This should make a number of websites happy. + - Added the ES6 string .includes() function in addition to the pre-existing + .contains() function for checking if a string contains another string. + The .contains() function is retained for compatibility with web and + extension scripts that adhere to the ES6 pre-release specification up to + and including RC3. + - Fixed the calculation of standalone SVG embeds width and height, which + should solve some reported issues with html5 graphs being displayed + incorrectly. + - Linux: improved memory allocation. + - Updated the graphite font library to 1.3.9. + - Added a blocking rule for F-Secure's 64-bit deepguard library to prevent + crashes. + - Updated the SQLite library to 3.13.0. + - Download= properties of links are now honored from the context menu + "Save" option. + - Fixed a crash in the XSS filter. + - Fixed a crash in the DOM error module. + - Worked around a crash on Linux + - Linux: Improved optimization and GCC6 compatibility (Note: compiling with + GCC 6 is still not recommended and it may or may not work, depending on + your environment) + + Security fixes: + - (CVE-2016-5251)Potential URL spoofing in the address bar. + - (CVE-2016-0718) Context-dependent crash in expat 2.1.0. + - (CVE-2016-5266) Outgoing dataTransfer items are not properly filtered. + - Fixed potentially exploitable crash in the array splice implementation. + - Fixed potentially exploitable crash caused by badly formatted ICO files. + - (CVE-2016-5254) Heap-use-after-free in nsXULPopupManager::KeyDown + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Fri, 19 Aug 2016 13:08:56 -0700 + +palemoon (26.3.3-1mx150+1) mx; urgency=medium + + * New upstream release: + - Fixed an additional issue found that could cause menu text on Windows 10 + to be white-on-white (and therefore unreadable). + - Fixed an issue with news feeds not showing up when embedded in web pages. + - Removed recently-added parsing of the child-src content security policy + directive, after some web compatibility issues with it came to light, as + well as it becoming clear that the CSP spec will see it removed in favor + of the previous directive for embedded content. This should fix some + intermittent issues people have reported on e.g. the main google.com page + and phpMyAdmin installations. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Fri, 01 Jul 2016 12:50:32 -0700 + +palemoon (26.3.2-1mx150+1) mx; urgency=medium + + * New upstream release: + - 26.3.2 (2016-06-27) - Windows only + This release only has pertinent changes for Windows. Other operating + systems do not need this update. + Changes/fixes: + + -Fixed a rare issue where the browser would not initialize properly + (missing bookmarks and menu entries) if certain Windows registry values + were missing (Windows 8 only). + -Fixed an issue on Windows 10 where the classic menu bar would become + unreadable (white on white). + -Portable only: Switched to non-compressed binaries to prevent issues with + antivirus packages, to prevent issues with browser run-time operation, and + to simplify code signing. + + - 26.3.1 (2016-06-25) + Changes/fixes: + + -Fixed an issue with new tab button theming on dark toolbars. + -Reverted the useragent identification of Firefox compatibility mode to + 38.9 to avoid WOFF2 font issues for sites that don't use proper font + deployment as recommended by the W3C. + -Added a site-specific override for Google fonts to make sure it always + works even if not using Firefox compatibility mode. (workaround pending + for a proper solution on Google's side) + -Adjusted the "dark color" detection routine to switch text to white at + higher relative contrast levels. This will more closely match Windows 10's + "flip point" for different accent colors and is within the recommended + range determined by the WCAG. + + - 26.3.0 (2016-06-21) + Changes/fixes: + + -Added detection for dark system themes on Windows 10 and re-worked Windows + 10 specific theming to better integrate into the OS and provide more + clarity. + -HTML5 media controls have been reworked to a horizontal volume control on + all media, including HTML5 audio that was previously without an + element-control for volume. + -Default HTML5 media volume preference added as media.default_volume -- + fractional, default 1.0 (=100%). + -String.prototype.match() and .replace() are now fully spec compliant. + -NSPR and NSS now correctly no longer enforce IA32 architecture + compatibility, getting the advantage of SSE2 like the rest of the code. + -Worked around crashes in the XSS filter when navigating back in history + due to document fragments. + -Instated a hard minimum of 10,000 places entries regardless of free disk + space and total memory to prevent undesired expiration of history. That is + around 16MB for an average entry size, which should be sane enough even on + low-memory machines. + -Fixed a typo in networking code introduced in 26.2.2 that would cause + issues on some sites due to adding extra forward slashes to the URL. + + - Security fixes: + + -Fixed a number of memory safety hazards and potentially exploitable + crashes. + -Fixed CVE-2016-2821 Use-after-free in the mozilla::dom::Element class + -Fixed netaddr deserialization for AF_UNSPEC and AF_LOCAL. + -Fixed a memory overrun error in the VP8 encoder. DiD + -Fixed non-threadsafe re-use of pixman images to prevent potential race + conditions. DiD + -Fixed CVE-2016-2825 Partial Same Origin Policy violation + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Mon, 27 Jun 2016 10:51:22 -0700 + +palemoon (26.2.2-1mx150+1) mx; urgency=medium + + * New upstream bugfix and security release: + + - CSS classes prefixed with "--" no longer stop parsing of the selectors. + - Several crash fixes. + - Made GC suppression more aggressive to prevent issues when actually out + of memory. + - Fixed a memory safety hazard in jpeg decoding. + - Fixed a potentially exploitable crash when using bi-directional text. + - Updated NSS to 3.19.4.2-PM, fixing CVE-2016-1938 among other things. + * Add Suggested packages gstreamer1.0-libav, gstreamer1.0-plugins-good, + gstreamer1.0-plugins-bad, gstreamer1.0-plugins-ugly to provide the most + comprehensive HTML 5 media playback. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Tue, 10 May 2016 18:26:54 -0700 + +palemoon (26.2.1-2) mx; urgency=medium + + * Switch to gstreamer 1.0 build-deps. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Sat, 09 Apr 2016 10:58:13 -0700 + +palemoon (26.2.1-1) mx; urgency=medium + + * New upstream release. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Fri, 08 Apr 2016 20:50:19 -0700 + +palemoon (26.1.1-1mx150+1) mx; urgency=medium + + * Repackaged for MX 15. + + -- Mike Purtell <mandbx@sbcglobal.net> Sat, 27 Feb 2016 19:41:04 -0800 + +palemoon (26.1.0-1mx150+1) mx; urgency=medium + + * New security, web compatibility, and bugfix release. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Wed, 17 Feb 2016 10:18:12 -0800 + +palemoon (26.0.3-1mx150+1) mx; urgency=medium + + * Repackaged for MX 15. + + -- Mike Purtell <mandbx@sbcglobal.net> Sat, 06 Feb 2016 18:02:47 -0800 + +palemoon (26.0.2-1mx150+1) mx; urgency=medium + + * Repackaged for MX 15. + + -- Mike Purtell <mandbx@sbcglobal.net> Thu, 04 Feb 2016 19:31:53 -0800 + +palemoon (26.0.2-1mcr120+1) mepis; urgency=medium + + * New security and bugfix release. + * Install extensions directly from /integration folder in source, remove + debian/distribution. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Thu, 04 Feb 2016 14:02:54 -0800 + +palemoon (26.0.0-1mcr120+2) mepis; urgency=medium + + * Install addons from debian/distribution, taken from Pale Moon tarball. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Mon, 01 Feb 2016 08:08:54 -0800 + +palemoon (26.0.0-1mcr120+1) mepis; urgency=medium + + * Add libpulse-dev to build-depends to prevent FTBFS. + * Add Suggests: gstreamer0.10-ffmpeg to debian/control file. + * Add Mozilla Public License 2.0 to debian/copyright. + * debian/mozconfig: use -O2 optimization and remove the jmalloc option, + and match what results from about:buildconfig from the official binary. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Tue, 26 Jan 2016 15:43:43 -0800 + +palemoon (25.8.1-2mcr120+1) mepis; urgency=medium + + * Drop mozconfig.patch; use debian/mozconfig instead. + * Refresh debian/copyright. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Sun, 06 Dec 2015 13:08:26 -0800 + +palemoon (25.8.1-1mcr120+1) mepis; urgency=medium + + * A small update to address two important issues: + - Fix for a crash that could occur at random since the update to 25.8.0. + - Fix for CSP (Content Security Policy) to be more lenient towards the + incorrect passing of full URLs with all sorts of parameters in the CSP + header, leading to misinterpretation of the header and incorrectly + blocking the loading of content. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Mon, 30 Nov 2015 10:20:18 -0800 + +palemoon (25.8.0-1mcr120+1) mepis; urgency=medium + + * New bugfix and maintenance release: + Fixes/changes: + - Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded + videos. + - Updated the JPEG decoder library to 1.4.0. + - Fixed and cleaned up XPCOM timer thread code to avoid intermittent + issues with events not firing (especially after stand-by). + - Updated overrides to work around issues with Facebook and Netflix. + - Fixed an issue where too-old system-supplied NSPR and/or NSS libraries + would be accepted for use. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Wed, 18 Nov 2015 11:52:32 -0800 + +palemoon (25.7.3-1mcr120+1) mepis; urgency=medium + + * New bugfix and maintenance release: + - usability update needed due to the fact that Mozilla has shut down their key + exchange (J-PAKE) server along with the old Sync servers. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Wed, 14 Oct 2015 19:40:39 -0700 + +palemoon (25.7.2-1mcr120+1) mepis; urgency=medium + + * New bugfix and maintenance release: + - Fixed a critical hang caused by recursive reloads that might happen in + iframes if its hash changed. + - Fixed a critical hang caused by lazy-loading of stylesheets through a + specific web programming technique as advocated by Google's PageSpeed. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Mon, 05 Oct 2015 15:19:18 -0700 + +palemoon (25.7.1-1mcr120+1) mepis; urgency=medium + + * New bugfix and maintenance release: + + Fixes/changes: + + - Code cleanup: Removed the majority of remaining telemetry code (including + the data reporting back-end and health report) to prevent a few issues + with partially removed code in earlier versions. + - Fixed a crash due to handling of bogus URIs passed to CSS style filters + (e.g. whatsapp's web interface). + - Permitted spec-breaking syntax in Regex character classes, allowing + ranges that would be permitted per the grammar rules in the spec but not + necessarily following the syntax rules. This impacts a good number of + (also higher profile) sites that use invalid ranges in regular + expressions (e.g. Cisco's networking academy site, Yahoo Fantasy + Football). + - Fixed a crash due to the newly introduced WASAPI handling of audio + channel mapping that doesn't like actual surround hardware setups (e.g. + playing a video with quadraphonic audio on a 4-speaker setup). + - Fixed an issue where site-specific dictionary selections would be written + to content preferences without the user's action, potentially overwriting + or clearing a previously-chosen dictionary. + - Added support for drag and drop of local files from sources which use + text/uri-lists. (Some Linux flavors/file managers) + - Updated libnestegg to the most current version. + - Fixed an issue where setting the location to an empty string could cause + a reload loop. + + Security fixes: + + - Changed the jemalloc poison address to something that is not a NOP-slide. + DiD + - Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521) + - Fixed a buffer overflow/crash hazard in the + VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE + (CVE-2015-7179) + - Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function + (CVE-2015-7175) + - Fixed a stack buffer overread hazard in the ICC v4 profile parser + (CVE-2015-4504) + - Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day + vulnerability (ZDI-CAN-3176) (CVE-2015-4509) + - Fixed a potentially exploitable crash in nsXBLService::GetBinding + - Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy + (CVE-2015-7174) + - Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength + (CVE-2015-4522) + - Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers + (CVE-2015-4511) + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Wed, 30 Sep 2015 12:11:14 -0700 + +palemoon (25.7.0-1mcr120+1) mepis; urgency=medium + + * New bugfix and maintenance release: + - Code cleanup: Removed the (otherwise unused) visual event tracer code. + - Code cleanup: Removed reflow performance tracing code (telemetry). + - Fixed a key JavaScript bug where defining properties on an object would + wipe the object. + - This seems to be a common issue with "modern" libraries that use "define" + instead of "change" and expecting the other properties on the object to be + retained, resulting in "x is undefined" errors all over the place if the + object is wiped. + - This aligns the behavior with ES6's "Validate and apply property + descriptor" pseudo-function. + - Updated the SQLite library to 3.8.11.1. + - Added support for the element.matches() Web API function. + - Added support for BASE tag parsing in source view. Previously, when + viewing the source of a document, clickable links would be incorrect if a + base path was specified in the document with this tag. + - Fixed an issue with running timers after the computer would have been put + to sleep with the browser opened. + + Security fixes: + + - Added protection against potential bugs where our SVG mPositions is out of + sync with the characters in the DOM. DiD + - Fixed use-after-free vulnerability in XMLHttpRequest::Open() + (CVE-2015-4492) + - Fixed use-after-free vulnerability in the StyleAnimationValue class + (CVE-2015-4488) + - Fixed crash or memory corruption in nsTArray (CVE-2015-4489) + - Fixed crash or memory corruption in nsTSubstring::ReplacePrep + (CVE-2015-4487) + - Fixed potential escalation of privileges or crash (out-of-bounds write) + via a crafted name in MARs (x64 only) -(CVE-2015-4482) + - Fixed an issue that would allow man-in-the-middle attackers to bypass a + mixed-content protection mechanism via a feed: URL in a POST request. + (CVE-2015-4483) + * Added blurb to postinst script. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Wed, 26 Aug 2015 14:50:58 -0700 + +palemoon (25.6.0-1mcr120+1) mepis; urgency=medium + + * New upstream release. + * Add debian README.7z-source to explain how to use the .7z source archive. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Fri, 31 Jul 2015 16:40:45 -0700 + +palemoon (25.5.0-1mx150+1) mx; urgency=medium + + * Rebuild for MX 15. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Fri, 26 Jun 2015 14:43:57 -0700 + +palemoon (25.5.0-1mcr120+1) mepis; urgency=medium + + * New upstream release. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Thu, 11 Jun 2015 14:53:31 -0700 + +palemoon (25.4.1-1mcr120+1) mepis; urgency=low + + * Bugfix release, rebuild for MEPIS 12.0. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Fri, 01 May 2015 12:47:55 -0700 + +palemoon (25.3.1-0mcr120+1) mepis; urgency=low + + * Rebuild for MEPIS 12.0. + * debian/rules: compress deb packages with xz. + + -- Steven Pusser (Stevo) <maintainer@mepiscommunity.org> Thu, 26 Mar 2015 11:23:26 -0700 + +palemoon (25.3.1-0~precise1) precise; urgency=low + + * New upstream release + + -- Marián Kadaňka <marian.kadanka@openmailbox.org> Wed, 25 Mar 2015 20:46:17 +0100 + +palemoon (25.3.0-0~trusty1) trusty; urgency=low + + * New upstream release + + -- Marián Kadaňka <marian.kadanka@openmailbox.org> Sat, 14 Mar 2015 12:12:57 +0100 + +palemoon (25.2.1-0~trusty1) trusty; urgency=low + + * New upstream release + + -- Marián Kadaňka <marian.kadanka@openmailbox.org> Sun, 01 Feb 2015 16:18:52 +0100 + +palemoon (24.5.0-0~precise1) precise; urgency=low + + * Initial packaging + + -- Marián Kadaňka <marian.kadanka@openmailbox.org> Mon, 12 May 2014 20:42:01 +0200 |