Diffstat (limited to 'palemoon')
-rw-r--r-- palemoon/debian/changelog 155
-rw-r--r-- palemoon/debian/palemoon+devuan.dsc 2
-rw-r--r-- palemoon/palemoon.spec 7
3 files changed, 103 insertions, 61 deletions
diff --git a/palemoon/debian/changelog b/palemoon/debian/changelog
index e79c5e6..035b079 100644
--- a/palemoon/debian/changelog
+++ b/palemoon/debian/changelog
@@ -1,3 +1,42 @@
+palemoon (28.16.0-1+devuan) obs; urgency=low
+
+ * This is a development and security update to the browser.
+ * Note for Linux users: With CentOS 6 going end-of-life, this
+ version will be the last for which we will be building 32-bit Linux
+ official binaries to download. While your distribution may choose to
+ continue offering 32-bit versions of the browser, built from source
+ by the maintainers, we won't be offering any further official 32-bit
+ Linux binaries on our website. Please check with your distribution's
+ package maintainers to know if further 32-bit support will be
+ available on your particular flavor of Linux.
+ - Aligned CSS tab-size with the specification and un-prefixed it.
+ - Updated Brotli library to 1.0.9.
+ - Updated JAR lib code.
+ - Optimized UI code, resulting in smaller downloads and less
+ space consumed on disk.
+ - Changed the default Firefox Compatibility version number to
+ 68.0 (since versions ending in .9 makes some frameworks unhappy,
+ refusing access to users)
+ - Cleaned up HPKP leftovers.
+ - Disabled the DOM filesystem API by default.
+ - Removed Phone Vibrator API.
+ - Fixed an issue where the software uninstaller would not remove
+ the program files it should.
+ - Fixed a devtools crash related to timeline snapshots.
+ - Fixed an issue in Skia that could cause unsafe memory access.
+ [DiD]
+ - Fixed several data race conditions. [DiD]
+ - Fixed an XSS vulnerability where scripts could be executed when
+ pasting data into on-line editors.
+ - Linux: Fixed an overflow issue in freetype.
+ - Security issues addressed: CVE-2020-26960, CVE-2020-26951,
+ CVE-2020-26956, CVE-2020-15999 and several others that do not have a
+ CVE designation.
+ - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4
+ defense-in-depth, 3 rejected, 20 not applicable.
+
+ -- Ben Stack <bgstack15@gmail.com> Wed, 25 Nov 2020 09:13:05 -0500
+
palemoon (28.15.0-1+devuan) obs; urgency=low
* This is a standard development and bugfix release.
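Review bot: urgency=low on the new 28.16.0-1+devuan entry understates a release whose own bullets list an XSS fix, a freetype overflow fix and four named CVEs (CVE-2020-26960, CVE-2020-26951, CVE-2020-26956, CVE-2020-15999). The earlier security updates in this same file (28.13.0-3 and 28.12.0-1) use urgency=medium, while urgency=low is what the 28.15.0-1 "standard development and bugfix release" carries. Set this entry to urgency=medium for consistency, so anything that keys on the urgency field treats it as a security update.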
@@ -58,55 +97,55 @@ palemoon (28.13.0-4+devuan) obs; urgency=low
palemoon (28.13.0-3+devuan) obs; urgency=medium
- * This is a compatibility, bugfix and security update. Special thanks
+ * This is a compatibility, bugfix and security update. Special thanks
to our new code contributors this cycle (you know who you are)!
- - Updated the included site-specific user-agent overrides for a
+ - Updated the included site-specific user-agent overrides for a
number of websites that need them.
- - Rewritten the browser's padlock code to use more modern APIs and
+ - Rewritten the browser's padlock code to use more modern APIs and
provide more accurate security status indication.
- Now also with localized tooltips!
- - Fixed a missing close button on the undo prompt after removing a
+ - Fixed a missing close button on the undo prompt after removing a
thumbnail from the QuickDial new tab page.
- - Fixed an issue with the alternative stylesheet menu in the
+ - Fixed an issue with the alternative stylesheet menu in the
browser's UI not working.
- - Implemented the use of intrinsic aspect ratios for images to
+ - Implemented the use of intrinsic aspect ratios for images to
improve layout during load and page positioning.
- - Added a preference to the use of node.getRootNode and disabled by
+ - Added a preference to the use of node.getRootNode and disabled by
default. See implementation notes.
- - Added CSS -webkit-appearance as an alias for -moz-appearance to
- improve compatibility with websites that only try to use
+ - Added CSS -webkit-appearance as an alias for -moz-appearance to
+ improve compatibility with websites that only try to use
Chrome-specific keywords to style standard form elements.
- Updated the SQLite library to 3.33.0.
- - Reinstated precise floating point precision model in JavaScript
- for those alternate builders who foolishly try to use the inaccurate
+ - Reinstated precise floating point precision model in JavaScript
+ for those alternate builders who foolishly try to use the inaccurate
"fast" model.
- - Improved spec compliance of modular JavaScript use (ECMAScript
+ - Improved spec compliance of modular JavaScript use (ECMAScript
modules).
- - Changed media errors to be a more generic response, and added a
- preference (media.sourceErrorDetails.enabled) to enable detailed error
+ - Changed media errors to be a more generic response, and added a
+ preference (media.sourceErrorDetails.enabled) to enable detailed error
reporting of media errors for debugging purposes.
- - Previously, detailed errors were provided by default which could
+ - Previously, detailed errors were provided by default which could
lead to privacy issues.
- Improved code stability of the AbortController implementation.
- Fixed a race condition in the secure connection library (NSS).
- - Security issues fixed: CVE-2020-15664, CVE-2020-15666,
+ - Security issues fixed: CVE-2020-15664, CVE-2020-15666,
CVE-2020-15667, CVE-2020-15668 and CVE-2020-15669.
- - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1
+ - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1
defense-in-depth, 1 rejected, 9 not applicable.
* Implementation notes
- - In 28.11.0 we introduced node.getRootNode because some websites
- would fail with an error if this function was not present.
- Unfortunately, this caused problems with other sites that (incorrectly)
- assume Google WebComponents are available when this utility function is
- present (feature detection gone wrong). While it is considered by some
- to be part of the Google WebComponents implementation, it actually has
- utility value outside of that use. Because of the problems caused,
- we've added a preference and disabled it by default, fixing these kinds
+ - In 28.11.0 we introduced node.getRootNode because some websites
+ would fail with an error if this function was not present.
+ Unfortunately, this caused problems with other sites that (incorrectly)
+ assume Google WebComponents are available when this utility function is
+ present (feature detection gone wrong). While it is considered by some
+ to be part of the Google WebComponents implementation, it actually has
+ utility value outside of that use. Because of the problems caused,
+ we've added a preference and disabled it by default, fixing these kinds
of websites.
- - When needed, you can re-enable this function with
+ - When needed, you can re-enable this function with
dom.getRootNode.enabled
- - This should improve web compatibility by default yet still allow
- users to enable this function for websites that use its utility but do
+ - This should improve web compatibility by default yet still allow
+ users to enable this function for websites that use its utility but do
not use WebComponents.
-- Ben Stack <bgstack15@gmail.com> Fri, 04 Sep 2020 19:50:02 -0400
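Review bot: every -/+ pair in this hunk is textually identical apart from whitespace, so the historical 28.13.0-3 entry is being rewritten with no content change, and the same pattern repeats in the following 28.12.0-1 hunk. Together these account for most of the 155 changed lines in debian/changelog and bury the one entry that matters for this release. Drop the whitespace churn from this commit or move it into its own cleanup commit, so the 28.16.0 security bump can be audited on its own.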
@@ -114,53 +153,53 @@ palemoon (28.13.0-3+devuan) obs; urgency=medium
palemoon (28.12.0-1+devuan) obs; urgency=medium
* This is a development, bugfix and security update.
- - Added controls for WASM to the browser's preferences, and enabled
+ - Added controls for WASM to the browser's preferences, and enabled
by default.
- Enabled various arbitrarily-disabled CSS functions.
- - Added the use of basic path descriptors (i.e. polygon) to css
+ - Added the use of basic path descriptors (i.e. polygon) to css
clip paths.
- - Implemented multithreaded request signal handling for the Abort
+ - Implemented multithreaded request signal handling for the Abort
API. Please see implementation notes below.
- - Updated the included US-English dictionary, adding approximately
+ - Updated the included US-English dictionary, adding approximately
2500 additional words.
- - Removed the DOM battery API. This was already disabled for
+ - Removed the DOM battery API. This was already disabled for
privacy reasons for a long while.
- - Fixed an erroneous warning displayed on toolkit-only add-ons like
+ - Fixed an erroneous warning displayed on toolkit-only add-ons like
supplied dictionaries.
- Fixed an issue with the sessionstore tab load preference.
- - Improved the generation of the names of downloaded files to
+ - Improved the generation of the names of downloaded files to
prevent confusion. (CVE-2020-15658)
- Fixed a code issue with base64 encoding of data.
- - Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656)
+ - Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656)
DiD
- - Fixed a spec compliance issue with regards to the cross-origin
+ - Fixed a spec compliance issue with regards to the cross-origin
loading of scripts. (CVE-2020-15652)
- - Improved the loading of a system DLL on Windows, preventing
+ - Improved the loading of a system DLL on Windows, preventing
low-risk hijacking potential. (CVE-2020-15657) See implementation notes.
- - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2
+ - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2
defense-in-depth, 15 not applicable.
* Implementation notes
- - In 28.11.0, we introduced the Abort API as new code. The
- implementation of it still had an issue where especially web workers
- would not always see the availability of abort signals on fetch
- requests while AbortSignal was implemented in the browser. This
- effectively made some websites (especially those using a particular
- polyfill for the Abort API that would detect the need to polyfill by
- way of Request.signal) throw errors that were fine before. We offered
- users a workaround by temporarily disabling the AbortController in the
+ - In 28.11.0, we introduced the Abort API as new code. The
+ implementation of it still had an issue where especially web workers
+ would not always see the availability of abort signals on fetch
+ requests while AbortSignal was implemented in the browser. This
+ effectively made some websites (especially those using a particular
+ polyfill for the Abort API that would detect the need to polyfill by
+ way of Request.signal) throw errors that were fine before. We offered
+ users a workaround by temporarily disabling the AbortController in the
browser by way of a preference (dom.abortController.enabled).
- - v28.12.0 fixes the multi-threaded handling of signals, which
- should solve these problems. As such, the workaround is no longer
- needed and upon upgrade the preference will be reset to enable
+ - v28.12.0 fixes the multi-threaded handling of signals, which
+ should solve these problems. As such, the workaround is no longer
+ needed and upon upgrade the preference will be reset to enable
AbortControllers again.
- - DLL-hijacking on Windows would only be possible if a malicious
- actor already either gained administrative access to the program's
- installation folder or otherwise have unrestricted access to the
- program folder (by having it installed in local application folders
- inside the user's profile space or other insecure program locations).
- In that case the system is already compromised and any executable can
- be replaced, so having dll loading hijacked would be the least of your
- concerns (i.e. the main program .exe could also be replaced/infected in
+ - DLL-hijacking on Windows would only be possible if a malicious
+ actor already either gained administrative access to the program's
+ installation folder or otherwise have unrestricted access to the
+ program folder (by having it installed in local application folders
+ inside the user's profile space or other insecure program locations).
+ In that case the system is already compromised and any executable can
+ be replaced, so having dll loading hijacked would be the least of your
+ concerns (i.e. the main program .exe could also be replaced/infected in
that case).
-- Ben Stack <bgstack15@gmail.com> Wed, 05 Aug 2020 14:43:18 -0400
diff --git a/palemoon/debian/palemoon+devuan.dsc b/palemoon/debian/palemoon+devuan.dsc
index dcd6601..5d48807 100644
--- a/palemoon/debian/palemoon+devuan.dsc
+++ b/palemoon/debian/palemoon+devuan.dsc
@@ -2,7 +2,7 @@ Format: 3.0 (quilt)
Source: palemoon
Binary: palemoon
Architecture: any
-Version: 28.15.0-1+devuan
+Version: 28.16.0-1+devuan
Maintainer: B Stack <bgstack15@gmail.com>
Homepage: http://www.palemoon.org/
Standards-Version: 4.1.4
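Review bot: the Homepage field in the context lines of this hunk still points at http://www.palemoon.org/ over plain HTTP. Since the file is being touched for a security release anyway, consider switching it to the https:// form so anyone following the link from the package metadata lands on a TLS-protected page.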
diff --git a/palemoon/palemoon.spec b/palemoon/palemoon.spec
index eb0e036..dbbee22 100644
--- a/palemoon/palemoon.spec
+++ b/palemoon/palemoon.spec
@@ -5,7 +5,7 @@
%global stackrpms_custom 1
# derive from inside the full source tree or from notes at https://github.com/MoonchildProductions/Pale-Moon/releases
# git submodule | awk -v "name=platform" '$2 == name {gsub("-","",$1); print $1}'
-%global submodule_platform_tag RELBASE_20201024
+%global submodule_platform_tag RELBASE_20201124
# additional repos to get python27 and devtoolset-7
# for el6 and el7: Software Collection;, for x86_64 only
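Review bot: submodule_platform_tag is bumped from one tag name to another (RELBASE_20201124), but a tag is a mutable reference, and the comment directly above describes deriving the value from `git submodule` output, whose first field is a commit hash. For a release that ships security fixes, record the resolved platform commit hash next to the tag (a second %global or a comment), so a rebuild can verify it fetched the same source that was reviewed.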
@@ -42,7 +42,7 @@ Name: palemoon-stackrpms
Name: palemoon
%endif
Summary: Pale Moon web browser
-Version: 28.15.0
+Version: 28.16.0
Release: 1
Group: Networking/Web
@@ -285,6 +285,9 @@ update-mime-database -n ${_datadir}/mime 1>/dev/null 2>&1 & :
%doc AUTHORS LICENSE
%changelog
+* Wed Nov 25 2020 B Stack <bgstack15@gmail.com> - 28.16.0-1
+- update version
+
* Tue Oct 27 2020 B Stack <bgstack15@gmail.com> - 28.15.0-1
- update version
- change sources to upstream new location, repos.palemoon.org
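Review bot: the new %changelog entry says only "update version", so `rpm -q --changelog` gives no hint that 28.16.0 is a security update, while the debian/changelog entry in this same commit names CVE-2020-26960, CVE-2020-26951, CVE-2020-26956 and CVE-2020-15999. Add a line that lists those CVE ids, or at least states that this is a security update, so RPM users and tooling that reads the changelog can tell the fixes are present.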