newmoon (29.2.1-1+devuan) obs; urgency=medium
- This is a small bugfix release.
* Worked around an issue with autocomplete popups sometimes failing to
work (and added some debug console logging to it in case it happens to
help find the root cause)
* Fixed an issue with DOM mouse scrolling throwing errors.
* Fixed a race with network detection routines firing incorrectly when
resuming from standby.
* Fixed a crash when using large uploads through DOM.
* Fixed an issue where the menulist-button on editable menulist widgets
was not visible on GTK3.
* Reduced the number of reported "important preferences" in
troubleshooting information, excluding individual printer details.
* Fixed an issue with the JS JIT compiler not tracing debugger
environments (DiD).
-- B. Stack <bgstack15@gmail.com> Wed, 09 Jun 2021 08:51:28 -0400

newmoon (29.2.0-1+devuan) obs; urgency=medium
* This is a development and bugfix release.
- Starting with this version, we will no longer be supporting
unmaintained legacy Firefox extensions that are not updated
for/targeting Pale Moon directly.
- Please see https://forum.palemoon.org/viewtopic.php?f=1&t=26657
for details.
* Changes/fixes:
- When opening tabs from the History side bar, Pale Moon will now
warn you about the action if it would result in opening many tabs at
once.
- Pale Moon now offers "Open All in Tabs" on bookmark folders
even if there is only one sub-item in it, for UI consistency.
- Added media format controls in the Content category of
Preferences.
- Added controls for preferred color scheme. See implementation
notes.
- Updated several site-specific user-agent overrides for web
compatibility.
- Removed the ability to accept Firefox IDs for extension
installation.
- Removed conditional Macintosh code from the application front-end.
- Updated the AV1 reference library to 2.0.
- Cleaned up more Android code from the platform.
- Updated the embedded emoji font to cater to even more
race-dependent profession emoji.
- Fixed an overflow in clip paths, potentially causing them to be
rendered incorrectly.
- Added CSS values smooth, high-quality and pixelated to the
image-rendering keyword.
- Implemented Intl.NumberFormat.formatToParts() to allow
deconstruction of localized number formats by scripts.
- Reinstated the dom.details_element.enabled preference and fixed a
rendering issue with summary/details html elements.
- Fixed an issue with CSP .nonce attributes on elements.
- Security issues addressed: CVE-2021-29946 DiD and CVE-2021-23994
DiD.
- Unified XUL Platform Mozilla Security Patch Summary: 2 DiD, 14
not applicable.
* Implementation notes:
- This version adds support for the prefers-color-scheme CSS
keyword. This keyword is a media query keyword that indicates to
websites whether your content styling preference is "light" or "dark".
Unlike other browsers where this will be tied to your system color
scheme and determined automatically (which might be a point on which
you can be fingerprinted, so this would be a privacy concern), we've
decided to give the user control through Preferences -> Content ->
Colors where you will find a new control to indicate your user
preference (it defaults to "light" for everyone). While this control
also gives you the option to disable this feature and effectively not
support the keyword, be aware that this might cause issues on some
websites that do not provide styling for "unspecified" color scheme
preferences.
- In the future we may add an "automatic" option similar to other
browsers in case you regularly switch your system application style
from light to dark and v.v.
-- B. Stack <bgstack15@gmail.com> Tue, 27 Apr 2021 14:56:07 -0400

newmoon (29.1.1-1+devuan) obs; urgency=medium
* Changes/fixes:
- Updated NSS to fix certificate import and keygen regressions.
- Removed restrictions for units of width/height attributes on SVG elements.
- Enabled scrollbar-width CSS keyword by default.
- Security issues addressed: CVE-2021-23981 and a DiD fix for potential document parser confusion.
- Unified XUL Platform Mozilla Security Patch Summary: 2 DiD, 9 not applicable.
-- B. Stack <bgstack15@gmail.com> Thu, 01 Apr 2021 12:53:29 -0400

newmoon (29.1.0-1+devuan) obs; urgency=medium
* New features:
- Language packs for the following newly-supported languages:
Arabic (ar), Chinese Traditional (zh-TW), Croatian (hr), Danish (da),
Finnish (fi), Galician (gl), Indonesian (id), Icelandic (is), Japanese
(ja), Romanian (ro), Serbian (cyrillic) (sr), Slovenian (sl), Thai (th)
- Implemented String.prototype.replaceAll().
- Implemented JSON superset proposal.
- Implemented well-formed JSON stringify.
- Implemented numeric separators in JavaScript.
* Changes/fixes:
- Updated timezone data to 2021a.
- Updated the wording and inclusion of more select license blocks
in about:license.
- Updated some site-specific user-agent overrides for web
compatibility.
- Updated the lz4 library for performance and security updates.
- Improved performance of JSON stringify.
- Further improved support for building on FreeBSD.
- Fixed a regression where changes to useragent compatibility
required a restart to take effect.
- Fixed a regression where AES-GCM in WebCrypto ("subtle" crypto
API) wasn't working.
- This could make certain login procedures fail to work.
- Fixed a full browser deadlock when page scripting would flood
browsing history with rapid location state changes.
- Disabled AV1 codec use by default again since our implementation
has significant streaming issues (particularly audio) that need
further work.
- Added required interaction with file/folder open dialog boxes on
html file input elements on some operating systems to avoid malicious
content tricking users into uploading sensitive files unintentionally
(related to CVE-2021-23956).
- Added a font sanity check to avoid triggering a potential
vulnerability on unpatched Windows operating systems (related to
CVE-2021-24093).
- Security issues addressed: CVE-2021-23974, CVE-2021-23973 and
several memory safety hazards that don't have CVE numbers.
- Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2
DiD, 19 not applicable.
-- B. Stack <bgstack15@gmail.com> Tue, 02 Mar 2021 21:53:23 -0500

newmoon (29.0.1-1+devuan) obs; urgency=medium
* Changes/fixes:
- Fixed a browser crash when manipulating frame trees.
- Fixed an issue with depth textures in ANGLE.
- Updated the SSOAU for YouTube Studio.
- Security issue addressed: ZDI-CAN-12197.
-- B. Stack <bgstack15@gmail.com> Mon, 15 Feb 2021 11:20:33 -0500

newmoon (29.0.0-1+devuan) obs; urgency=medium
* New major milestone release:
- Implemented Intl.PluralRules API for JavaScript.
- Added a frequently-requested preference (browser.tabs.allowTabDetach) to
disable "tearing off" of tabs (meaning dragging them outside of the tab
bar resulting in them being made into their own window).
- Added FLAC as a recognized filetype-by-extension.
- Implemented basic support for the scrollbar-width CSS keyword. See
implementation notes.
- Added preliminary support for modern FreeBSD builds.
- Selectively enabled core features of the DOM Animations API.
- Enabled AV1 video support by default (previously built but not enabled in
releases).
- Added support for pointer events.
- Added support for the SVG transform-box property.
- Added support for the inputmode property for forms to enable
context-sensitive display of soft keyboards.
- Enabled shutting down of the file I/O worker when idle for a while
(resource optimization).
- Enabled blocking of auto-play of media in the background by default.
- We now offer official GTK3 builds for Linux alongside the GTK2 builds.
- Partial (and as of yet, not acceptably functional) implementation of
Google WebComponents. See implementation notes.
* Changes/fixes:
- Updated NSPR to 4.29.
- Updated NSS to 3.59.
- Disabled legacy database format for storage of certificates and passwords.
- Updated several site-specific user-agent overrides for web compatibility.
- Improved styling of the "find in page" bar to avoid unreadable text on
some system themes.
- Removed a large chunk of Android-specific code.
- Split gkmedias.dll back out from xul.dll.
- Cleaned up a number of redundant and obsolete code paths.
- Fixed a regression with the Performance API.
- Fixed an initialization issue in the browser when users would
force-disable certain types of caching.
- Fixed a crash when attempting to save a file from FTP that could be
displayed in the browser.
- Fixed the root cause of an issue with JavaScript module loading causing
crashes. See implementation notes.
- Fixed a rare initialization issue for the print preview window causing it
to not display.
- Fixed a crash on Mac when text input was not secure.
- Disabled the Storage Manager API by default.
- Disabled the <menuitem> html tag by default. If you still need this, you
can re-enable it with the preference dom.menuitem.enabled in about:config.
- Fixed a memory safety issue related to XUL trees (CVE-2021-23962).
- Implemented several defense-in-depth measures to improve stability and
future security.
-- B. Stack <bgstack15@gmail.com> Tue, 02 Feb 2021 19:04:30 -0500

newmoon (28.17.0-1+devuan) obs; urgency=low
* This is a development, bugfix and security update.
- Changed the way dates and times are formatted in the UI to
properly adhere to the user's regional settings in the O.S.
- Re-enabled the DOM Filesystem API for web compatibility.
- Moved the global user-agent override to the networking component.
See implementation notes.
- Worked around crashes and run-time issues with module scripts.
See implementation notes.
- Fixed a website layout issue with table-styled elements
potentially overlapping when placed inside a flexbox.
- Fixed some code logic issues with websockets.
- Fixed a regression when waking the computer from standby causing
high CPU usage in some uncommon situations.
- Updated the list of prohibited ports the browser can use. See
implementation notes.
- Updated root certificates.
- Windows: Changed the way downloaded files without an extension
are handled. See implementation notes.
- Mac-beta: Improved version detection of MacOS including Big Sur.
- Security issues addressed: CVE-2020-26978 and CVE-2020-35112.
- Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1
deferred to the next release, 16 not applicable.
- The global user-agent override was moved to the networking
component where it is actually implemented. The new preference name is
network.http.useragent.global_override. Please note that using a
blanket override is normally (very) counterproductive and does not, in
fact, help much with privacy. It would also override the compatibility
modes (Native/Gecko/Firefox) in Pale Moon. As such, the browser will
now warn you if the user-agent is globally overridden (in preferences)
and allow you to easily reset that override and re-enable the various
compatibility modes.
- Module scripting caused some persistent and very hard to track
browser crashes that we've narrowed down to a specific optimization in
the JavaScript JIT (Just-In-Time) compiler (IonMonkey). This
optimization is now disabled by default but if you need that little
extra performance (usually only noticed in very optimized code or some
benchmarks) then you can re-enable it, trading in stability, by setting
the new preference javascript.options.ion.inlining to true.
- Prohibited ports: Pale Moon maintains a blacklist of ports the
browser may normally not connect to on servers, to mitigate abusive web
scripting employing your browser as an attack bot on servers (e.g. by
connecting to mail servers or what not), NAT slipstreaming, and similar
security issues. To more thoroughly prevent known abusable ports on
servers, this list was extended with a number of additional default
ports for various non-http protocols.
- Downloaded files without a file extension: When a file without an
extension is downloaded, we will now open the download folder where you
may choose to take any specific action manually, instead of trying to
execute it as a program or through an associated program.
-- B. Stack <bgstack15@gmail.com> Fri, 18 Dec 2020 13:52:12 -0500

newmoon (28.16.0-1+devuan) obs; urgency=low
* This is a development and security update to the browser.
* Note for Linux users: With CentOS 6 going end-of-life, this
version will be the last for which we will be building 32-bit Linux
official binaries to download. While your distribution may choose to
continue offering 32-bit versions of the browser, built from source
by the maintainers, we won't be offering any further official 32-bit
Linux binaries on our website. Please check with your distribution's
package maintainers to know if further 32-bit support will be
available on your particular flavor of Linux.
- Aligned CSS tab-size with the specification and un-prefixed it.
- Updated Brotli library to 1.0.9.
- Updated JAR lib code.
- Optimized UI code, resulting in smaller downloads and less
space consumed on disk.
- Changed the default Firefox Compatibility version number to
68.0 (since versions ending in .9 make some frameworks unhappy,
refusing access to users).
- Cleaned up HPKP leftovers.
- Disabled the DOM filesystem API by default.
- Removed Phone Vibrator API.
- Fixed an issue where the software uninstaller would not remove
the program files it should.
- Fixed a devtools crash related to timeline snapshots.
- Fixed an issue in Skia that could cause unsafe memory access.
[DiD]
- Fixed several data race conditions. [DiD]
- Fixed an XSS vulnerability where scripts could be executed when
pasting data into on-line editors.
- Linux: Fixed an overflow issue in freetype.
- Security issues addressed: CVE-2020-26960, CVE-2020-26951,
CVE-2020-26956, CVE-2020-15999 and several others that do not have a
CVE designation.
- Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4
defense-in-depth, 3 rejected, 20 not applicable.
-- B. Stack <bgstack15@gmail.com> Wed, 25 Nov 2020 09:13:05 -0500

newmoon (28.15.0-1+devuan) obs; urgency=low
* This is a standard development and bugfix release.
- Implemented support for CSS caret-color.
- Implemented support for un-prefixed ::selection CSS pseudo-element styling.
- Fixed another potential crashing scenario in ResizeObservers.
- Fixed several crashes in the DOM Fetch API.
- Fixed a crash in table pagination.
- Security issues fixed: CVE-2020-15680 (VG-VD-20-115) and several memory safety hazards.
- Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 defense-in-depth, 12 not applicable.
* reenable jemalloc to match palemoon.
* disable eme to match palemoon.
* so now newmoon's only changes are config location and branding.
-- B. Stack <bgstack15@gmail.com> Tue, 27 Oct 2020 20:05:31 -0400

newmoon (28.14.2-3+devuan) obs; urgency=low
* disable all use-system options to see if stability returns
-- B. Stack <bgstack15@gmail.com> Fri, 23 Oct 2020 14:58:17 -0400

newmoon (28.14.2-2+devuan) obs; urgency=low
* revert to gtk2 to see if stability returns
-- B. Stack <bgstack15@gmail.com> Fri, 23 Oct 2020 22:40:55 -0400

newmoon (28.14.2-1+devuan) obs; urgency=low
* Update version
-- B. Stack <bgstack15@gmail.com> Mon, 05 Oct 2020 09:07:33 -0400

newmoon (28.13.0-5+devuan) obs; urgency=medium
* Import bluemoon icons from Gord N. Squash
-- B. Stack <bgstack15@gmail.com> Wed, 16 Sep 2020 19:16:08 -0400

newmoon (28.13.0-4+devuan) obs; urgency=low
* Import xfce-helper/palemoon.desktop from stevep@mxlinux.org release
-- B. Stack <bgstack15@gmail.com> Wed, 09 Sep 2020 14:43:04 -0400

newmoon (28.13.0-3+devuan) obs; urgency=medium
* This is a compatibility, bugfix and security update. Special thanks
to our new code contributors this cycle (you know who you are)!
- Updated the included site-specific user-agent overrides for a
number of websites that need them.
- Rewrote the browser's padlock code to use more modern APIs and
provide more accurate security status indication.
- Now also with localized tooltips!
- Fixed a missing close button on the undo prompt after removing a
thumbnail from the QuickDial new tab page.
- Fixed an issue with the alternative stylesheet menu in the
browser's UI not working.
- Implemented the use of intrinsic aspect ratios for images to
improve layout during load and page positioning.
- Added a preference for the use of node.getRootNode and disabled it by
default. See implementation notes.
- Added CSS -webkit-appearance as an alias for -moz-appearance to
improve compatibility with websites that only try to use
Chrome-specific keywords to style standard form elements.
- Updated the SQLite library to 3.33.0.
- Reinstated precise floating point precision model in JavaScript
for those alternate builders who foolishly try to use the inaccurate
"fast" model.
- Improved spec compliance of modular JavaScript use (ECMAScript
modules).
- Changed media errors to be a more generic response, and added a
preference (media.sourceErrorDetails.enabled) to enable detailed error
reporting of media errors for debugging purposes.
- Previously, detailed errors were provided by default which could
lead to privacy issues.
- Improved code stability of the AbortController implementation.
- Fixed a race condition in the secure connection library (NSS).
- Security issues fixed: CVE-2020-15664, CVE-2020-15666,
CVE-2020-15667, CVE-2020-15668 and CVE-2020-15669.
- Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1
defense-in-depth, 1 rejected, 9 not applicable.
* Implementation notes
- In 28.11.0 we introduced node.getRootNode because some websites
would fail with an error if this function was not present.
Unfortunately, this caused problems with other sites that (incorrectly)
assume Google WebComponents are available when this utility function is
present (feature detection gone wrong). While it is considered by some
to be part of the Google WebComponents implementation, it actually has
utility value outside of that use. Because of the problems caused,
we've added a preference and disabled it by default, fixing these kinds
of websites.
- When needed, you can re-enable this function with
dom.getRootNode.enabled
- This should improve web compatibility by default yet still allow
users to enable this function for websites that use its utility but do
not use WebComponents.
-- B. Stack <bgstack15@gmail.com> Fri, 04 Sep 2020 19:50:02 -0400

newmoon (28.12.0-2+devuan) obs; urgency=low
* Forked from palemoon. This is an experimental release
that does everything that the original dev team would
consider wrong, including:
- use gtk3 exclusively
- enable webrtc
- enable system libraries for everything possible
-- B. Stack <bgstack15@gmail.com> Thu, 27 Aug 2020 16:55:11 -0400

newmoon (28.12.0-1+devuan) UNRELEASED; urgency=low
* First release of newmoon.
-- B. Stack <bgstack15@gmail.com> Wed, 05 Aug 2020 14:43:18 -0400