path: root/newmoon/debian/changelog
blob: cb52d58689131d5f837e6e0f5ac0c57fac1baccc (plain)
newmoon (33.0.0-1+stackrpms) obs; urgency=medium

  * Upstream updates
    * Implemented a restricted version of the asynchronous clipboard API
      (navigator.clipboard). This API is restricted to writing only for
      obvious security considerations. It supports both plaintext and the
      standard DataTransfer methods. We did not implement the reinvented
      wheel concept of ClipboardItem objects.
    * Implemented support for SHA-2 (SHA-256/SHA-512/etc.) signatures for
      OCSP stapled responses.
    * Implemented an option (Found in Preferences -> Content -> Media tab
      (new this version)) to restrict DOM full-screen mode to the existing
      browser window.
    * Implemented several options in a new preferences tab (Preference ->
      Privacy -> Tracking) to allow users to more easily control several
      privacy-impacting features, namely poisoning of canvas data (to prevent
      fingerprinting), and enabling of Performance observers (a developer
      feature) that some websites rely on for their operation.
    * Implemented PromiseRejectionEvent. Although this is rarely actually
      used, some common JS libraries (you know who you are!) use it as a
      feature level canary and start loading (broken!) Promise shims if it is
      not found, causing compatibility issues and broken websites due to the
      shims.
  * Fixes:
    * Aligned microtasks and Promises scheduling with the current spec and
      expected behavior.
    * We now no longer send click events to top levels of the document
      hierarchy when using non-primary buttons (use auxclick, instead, to
      capture these events).
    * Greatly improved the performance of box shadows.
    * Greatly improved the performance of file/data uploads over HTTP/2
      (most of the secure websites out there).
    * Fixed several issues related to focus and content selection.
    * Fixed issues with the use of focus-within caused by unexpected
      processing of DOM events.
    * Fixed an issue with CSP not behaving as-expected when using
      importScripts(), and fixed a number of additional CSP-related issues.
    * Fixed a web compatibility issue with CORS preflights not sending the
      original request's referrer policy or referrer header.
    * Fixed a spec compliance issue with StructuredClone.
    * Fixed a crash due to clamping code introduced for SetInterval and
      SetTimeout timers.
    * Fixed crashes when dynamic imports are canceled (e.g. by navigation).
  * Other changes:
    * Changed <input type=file> to now have its .files property be writable
      following a spec change and recommendation.
    * We are now requiring and building against the C++17 language standard.
    * Updated the in-tree ffvpx lib to 6.0.
    * Added a preference to allow users to completely disable reporting of
      CSP errors to webmasters. Using this is strongly discouraged as it will
      provide essential troubleshooting information to webmasters setting up
      CSP, and does not pose a privacy issue, but for those who really want
      it, it can now be fully disabled. The preference is
      security.csp.reporting.enabled.
    * Updated the IntersectionObserver interface to now also accept
      documents for the observer root instead of only HTML elements.
    * Cleaned up various bits of code surrounding GMP, memory allocation,
      system libraries, vestigial Android code, freetype2 and developer tools.
    * Improved efficiency of handling D3D textures.
    * Added initial and experimental Mac PowerPC and Big Endian support.
    * Changed the behavior of hung scripts. We now automatically terminate
      them instead of presenting the user with a dialog box (which may or may
      not show in a reasonable time if the browser is too busy trying to
      process the hung script). If you prefer the old behavior, uncheck the
      box "Automatically stop non-responsive scripts" in Preferences ->
      Content -> General
    * Security issues addressed: CVE-2024-0746, CVE-2024-0741,
      CVE-2024-0743 DiD, CVE-2024-0750 DiD, and CVE-2024-0753.
    * UXP Mozilla security patch summary: 3 fixed, 2 DiD, 12 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Thu, 08 Feb 2024 22:46:46 -0500

newmoon (32.5.2-1+stackrpms) obs; urgency=medium

  * Bugfix and security update:
    - Removed the standard Twitter/X user-agent override because they decided
      to block us on it.
    - Added preferences for the user to control whether or not the tab page
      title should be included in the window title or not. In Private Browsing
      mode, the default is now to not show the title in the window. This was
      done to avoid potential leakage to system logs (e.g. GNOME shell logs or
      Windows event logs) of websites visited through the recorded window
      title. The new preferences are privacy.exposeContentTitleInWindow and
      privacy.exposeContentTitleInWindow.pbm for normal mode and Private
      Browsing mode, respectively.
    - Fixed several crashes in DOM and relating to dynamic JavaScript
      module imports.
    - Removed a restriction on Fetch preflight redirects, following a spec
      update.
    - Improved the handling of web workers if they get aborted mid-action.
    - Security issues addressed: CVE-2023-6863, CVE-2023-6858 and several
      others that do not have a CVE number.

 -- B. Stack <bgstack15@gmail.com>  Fri, 26 Jan 2024 19:50:47 -0500

newmoon (32.1.0-1+stackrpms) obs; urgency=low

    * Shadow DOM and CustomElements, collectively making up WebComponents,
      have been enabled by default which should bring much broader web
      compatibility to the browser for many a site that uses web 2.0+
      frameworks. See implementation notes.
    * Tab titles in the browser now fade if they are too long instead of
      using ellipses, to provide a little more readable space to page titles.
      Note that this may require some updates to tab extensions or themes.
    * A number of site-specific overrides have been updated or removed
      because they are no longer necessary or current with the platform
      developments in terms of web compatibility. We could use your help
      evaluating the ones that are still there; see the issue on our repo.
    * Updated our promises and async function implementation to the current
      spec.
    * Implemented Promise.any()
    * Fixed several crashes related to regular expression code.
    * Improved regular expression object handling so it can be properly
      garbage collected.
    * Fixed some VP8 video playback.
    * Fixed an issue where the caret (text cursor) would sometimes not be
      properly visible.
    * Updated the embedded emoji font.
    * Implemented the :is() and :where() CSS pseudo-classes.
    * Implemented complex selectors for the :not() CSS pseudo-class.
    * Implemented the inset CSS shorthand property.
    * Implemented the env() environment variable CSS function. See
      implementation notes.
    * Implemented handling for RGB encoded video playback (instead of just
      YUV).
    * Implemented handling for full-range videos (0-255 luminance levels)
      giving better video playback quality.
    * Removed the WebP image decoder pref. See implementation notes.
    * Enabled the Web text-to-speech API by default (only supported on some
      operating systems).
    * Updated NSPR to 4.35 and NSS to 3.79.4
    * Cleaned up unused "tracking protection" plumbing. See implementation
      notes.
    * Cleaned up URI Classifier plumbing (Google SafeBrowsing leftover).
    * Fixed several intermittent and difficult-to-trace crashes.
    * Improved content type security of jar: channels. DiD
    * Improved JavaScript JIT code generation safety. DiD
    * Fixed potential crash scenarios in the graphics subsystem. DiD
    * Improved filename safety when saving files to prevent potential
      environment leaks.
    * Security issues addressed: CVE-2023-25751, CVE-2023-28163 and several
      others that do not have a CVE.
    * UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Thu, 23 Mar 2023 13:53:33 -0400

newmoon (32.0.1-1+stackrpms) obs; urgency=low

  * Upstream updates
    * Fixed a crash in the new regular expression code.
    * Added {Extended_Pictographic} unicode property escape to regular
      expressions.
    * Fixed a regression in regular expressions for literal parsing of
      invalid ranges.
    * Updated NSS to pick up fixes.
    * Security issues addressed: CVE-2023-25733 DiD, CVE-2023-25739 DiD and
      CVE-2023-0767.
    * UXP Mozilla security patch summary: 1 fixed, 2 DiD, 14 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Tue, 21 Feb 2023 20:34:55 -0500

newmoon (32.0.0-1+stackrpms) obs; urgency=low

  * New milestone release:
    - Implemented Regular Expression named capture groups.
    - Implemented Regular Expression unicode property escapes.
    - Re-implemented Regular Expression lookaround/lookbehind (without
      crashing this time ;) ).
    - Implemented progressive decoding for JPEG-XL.
    - Implemented animation for JPEG-XL.
    - Renamed CSS offset-* properties to inset-* to align with the latest spec
      and the web.
    - Fixed CSS inheritance and padding issues in some cases.
    - Aligned parsing of incorrectly duplicated HSTS headers with expected
      behavior (discard all but the first one).
    - Implemented a method to avoid memory exhaustion in case of (very) large
      resolution animated images.
    - Updated the JPEG-XL and Highway libraries to a recent, stable version.
    - Cleaned up some unused CSS prefixing code.
    - Improved the ability to link on *nix operating systems with other linkers
      than gcc's default.
    - Stability improvements (potential crash fixes).
    - Security issues addressed: CVE-2023-23598, CVE-2023-23599 and several
      others that do not have a CVE number.
    - UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Thu, 16 Feb 2023 19:40:20 -0500

newmoon (31.4.0-1) obs; urgency=medium

  * Upstream updates
    * Added support for the JPEG-XL image format.
    * Implemented regular expressions lookaround/lookbehind.
    * Aligned CORS header parsing with the updated spec. See implementation
      notes.
    * We no longer fire keypress events for non-printable keys. See
      implementation notes.
    * Added support for MacOS 13 "Ventura" in the platform, primarily
      benefitting White Star.
    * Fixed potentially problematic thread locking code on *nix platforms.
    * Fixed some small issues in the display and operation of the Web
      Developer tools.
    * Removed unused but performance-impacting panning and tab animation
      measuring code. (telemetry leftovers)
    * Improved code for SunOS builds.
    * Updated Internationalization data for time zones.
    * Fixed a buffer overflow for Mac builds.
    * Security issues addressed: CVE-2022-45411 and potential issues
      without a CVE number.
    * UXP Mozilla security patch summary: 2 fixed, 1 DiD, 1 deferred, 25
      not applicable.

 -- B. Stack <bgstack15@gmail.com>  Tue, 22 Nov 2022 10:03:10 -0500

newmoon (31.3.1-1) obs; urgency=medium

  * Upstream updates
    * Added detection support for the newly-released MacOS 13 (Ventura).
    * Fixed a potential heap Use-After-Free risk in Expat. (CVE-2022-40674)
      DiD
    * Fixed potentially undefined behavior in our thread locking code. DiD
    * Fixed a potentially exploitable crash in the refresh driver.
    * Fixed potentially undefined behavior when base-64 decoding. DiD
    * Implemented a texture size cap for WebGL to prevent potential issues
      with some graphics drivers. DiD
    * Updated site-specific overrides to address issues with ZoHo.
    * UXP Mozilla security patch summary: 1 fixed, 2 DiD, 6 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Tue, 01 Nov 2022 14:09:10 -0400

newmoon (31.3.0-1) UNRELEASED; urgency=low

  * Upstream updates
    * Implemented .at(index) JavaScript method on built-in indexables
      (Array, String, TypedArray).
    * Implemented the use of EventSource in workers.
    * Enabled the sending of the Origin: header by default on same-origin
      requests.
    * Changed how Pale Moon is built. We are now using Visual Studio 2022
      on Windows, and have made build system changes to reduce build times
      and pressure on the linker on all platforms.
    * Changed how Pale Moon handles standalone wave audio files (.wav). See
      implementation notes.
    * Improved string normalization.
    * Updated the handling of CSS "supports" to now accept unparenthesized
      strings (spec update).
    * Updated the handling of flex containers in web pages for web
      compatibility.
    * Fixed various issues when building for Mac OS X.
    * Fixed various C++ standard conformance issues in the source code.
    * Fixed several issues building on SunOS and Linux with various
      configurations and gcc versions.
    * Fixed an issue with regular expressions' dotAll syntax and usage. See
      implementation notes.
    * Switched custom hash map to std::unordered_map where prudent.
    * Cleaned up and updated IPC thread locking code.
    * Removed spacing for accessibility focus rings in form controls to
      align styling of them with expected metrics.
    * Removed the unnecessary control module for building with non-standard
      configurations of the platform.
    * Removed the -moz prefix from min-content and max-content CSS keywords
      where it was still in use.
    * Security fixes: CVE-2022-40956 and CVE-2022-40958.
    * UXP Mozilla security patch summary: 2 fixed, 11 not applicable.


 -- B. Stack <bgstack15@gmail.com>  Tue, 01 Nov 2022 14:09:09 -0400

newmoon (31.2.0-1) obs; urgency=medium

  * Changes/fixes:
    * Implemented CSS white-space: break-spaces for web compatibility.
    * Implemented Intl.RelativeTimeFormat for web compatibility.
    * Implemented "Origin header CSRF mitigation". This is still disabled
      by default to investigate potential issues with CloudFlare-backed sites.
    * Implemented support for async generator methods in JavaScript.
    * Added preliminary support for building on Apple Silicon like M1/M2
      SoC.
    * Added support for building with Visual Studio 2022.
    * Improved the handling of CSS "sticky" elements in tables.
    * Improved stack size limits on all platforms. See implementation notes.
    * Updated function.toString handling to align with the updated
      JavaScript spec. This should improve web compatibility.
    * Updated Unicode support to Unicode v11, and updated the ICU library
      accordingly. Building without ICU is no longer supported.
    * Updated many in-tree third-party libraries to pick up various
      performance and stability improvements.
    * Updated site-specific user-agent overrides to work around issues with
      Google fonts, Citi bank (again!) and MeWe.
    * Removed some leftover (and unused) telemetry code in the platform and
      front-end.
    * Fixed an issue with VP9 video playback on Windows on some systems.
    * Fixed an issue with the add-ons manager not properly handling empty
      update URLs.
    * Fixed a major performance regression on *nix based systems due to
      incorrect thread handling.
    * Fixed volume handling when building with the sndio audio back-end.
    * Pale Moon no longer applies content security policies to documents
      that are explicitly loaded as data documents or to images. See
      implementation notes.
    * Cleaned up some unnecessary code from the source tree for unused
      build back-ends, Firefox marketplace "apps", and the rather ridiculous
      moz://a protocol handler.
    * Updated NSS to 3.52.8 to pick up several defense-in-depth security
      fixes.
    * UXP Mozilla security patch summary: 3 DiD, 12 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Wed, 03 Aug 2022 14:09:10 -0400

newmoon (31.1.1-1) obs; urgency=medium

  * Changes/fixes:
    * Updated the list of blocked external protocol handlers to combat
      abuse of OS-supplied services on Windows.
    * Fixed a potential issue with revoked site certificates when
      connecting through a proxy.
    * Updated NSS to 3.52.7 to pick up some security fixes.
    * Updated site-specific user agent overrides to work around bad
      sniffing practices of dropbox and vimeo.
    * Security issues addressed: CVE-2022-34478, CVE-2022-34476,
      CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473
      DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE
      number.
    * UXP Mozilla security patch summary: 4 fixed, 4 DiD, 2 rejected, 11
      not applicable.

 -- B. Stack <bgstack15@gmail.com>  Mon, 11 Jul 2022 11:34:11 -0400

newmoon (31.1.0-1) UNRELEASED; urgency=medium

  * Changes/fixes:
    * Added Mojeek as an additional search engine in the browser. See
      implementation notes.
    * Implemented "nullish coalescing operator" (thanks, FranklinDM!) for
      web compatibility.
    * Fixed various crash scenarios in XPCOM.
    * Fixed an important stability and performance issue related to
      hardware acceleration.
    * Fixed a long-standing issue where overly-long address bar tooltips
      wouldn't break into multiple lines but instead cut off on the right
      side.
    * Fixed a long-standing issue where dynamic datalist updates for
      <select> and similar elements wouldn't properly update the option list.
    * Disabled broken links to MDN articles in developer tools.
    * Updated media support to include support for libavcodec 59/FFmpeg 5.0
      for MP4 playback on Linux (thanks, Travis!)
    * Enabled the date picker for <input type=date>. See implementation
      notes.
    * Re-enabled the use of FIPS mode for NSS. See implementation notes.
    * Improved memory handling and memory safety in the JavaScript engine,
      further reducing current and future crash scenarios.
    * Improved memory handling in the graphics subsystem of Goanna.
    * Updated FFvpx to v4.2.7
    * Slightly reduced strictness of media checking for improved
      compatibility with questionable "gif" video encoders used on major
      websites.
    * Cleaned up the way file pickers (file open/save/save as dialogs) are
      handled on Windows.
    * Restored the gMultiProcessBrowser property of the browser for Firefox
      extension compatibility. See implementation notes.
    * Improved the way data is transferred to and from canvases to prevent
      memory safety issues.
    * Updated NSS to 3.52.6 to address security issues.
    * Reduced blocking severity for some extensions that were marked hard
      blockers for GRE (but aren't for UXP).
    * Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other
      security issues that do not have a CVE number.
    * UXP Mozilla security patch summary: 2 fixed, 1 DiD, 26 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Mon, 11 Jul 2022 11:33:18 -0400

newmoon (31.0.0-1) obs; urgency=medium

  * Major milestone release:
    - Once again accepts the installation of legacy Firefox extensions alongside
      own Pale Moon exclusive extensions. As always, please note that using
      extensions for an old version of a different browser is entirely at your
      own risk and we obviously cannot and will not provide much (if any)
      support for their use. Firefox extensions will be indicated with an
      orange dot in the Add-ons Manager in the browser. This will include the
      converted extensions for the few of you who are coming from recalled
      versions with -fxguid suffixes.
    - Implemented Global Privacy Control, taking the place of the unenforceable
      "DNT" (Do Not Track) signal. Through GPC, you indicate to websites that
      you do not want them to share or sell your data.
    - Implemented "optional chaining" (thanks, FranklinDM!).
    - Implemented setBaseAndExtent for text selections.
    - Implemented queueMicroTask() "pseudo-promise" callbacks.
    - Implemented accepting unit-less values for rootMargin in Intersection
      observers for web compatibility, making it act more like CSS margin as one
      would expect.
    - Improvements to CSS grid and flexbox rendering and display following spec
      changes and improving web compatibility.
    - Improved performance of parallel web workers in JavaScript.
    - Improved display of cursive scripts (on Windows). Good-bye Comic Sans!
    - Updated various in-tree libraries.
    - "Default browser" controls in preferences has been moved to "General".
    - Added support for extended VPx codec strings in media delivery via
      MSE (RFC-6381).
    - Fixed a long-time regression where the browser would no longer honor
      old-style body and iframe body margins when indicated in the HTML tags
      directly instead of CSS. This improves compatibility with particularly old
      and/or archived websites.
    - Fixed several crashes and stability issues.
    - Added a licensing screen to the Windows installer to clarify the browser's
      licensing. In other installations, you may find this licensing statement
      in the added license.txt file in the browser installation location.
    - Removed all Google SafeBrowsing/URLClassifier service code.
    - Restored Mac OS X code and buildability in the platform.
    - Removed the non-standard ArchiveReader DOM API that was only ever a
      prototype implementation from the platform. This potentially improves
      performance on some systems.
    - Removed leftover Electrolysis controls that could sometimes trick parts of
      the browser into starting in a (very broken) multi-process mode due to
      some plumbing for it still being present, if users would try to force the
      issue with preferences. Obviously, this was a footgun for power users.
    - Removed more Android/Fennec code (on-going effort to clean up our code).
    - Removed the Marionette automated testing framework.
    - Security issues addressed: CVE-2022-29915, CVE-2022-29911, and several
      issues that do not have a CVE number.
    - UXP Mozilla security patch summary: 4 fixed, 1 DiD, 19 not applicable.

  * Disable all patches.

 -- B. Stack <bgstack15@gmail.com>  Sun, 22 May 2022 11:04:46 -0400

newmoon (29.4.4-1+devuan) obs; urgency=medium

  - This is a security update.
    * Improved application library loading security. DiD
    * Fixed an issue in JavaScript serialization. DiD
    * Fixed a potential out-of-bounds issue in IndexedDB. DiD
    * Fixed a potential issue in widget data handling code. DiD
    * Fixed potentially exploitable crashes in handling truncated/corrupt
      media files or streams.
    * Fixed an issue in the DOM FileReader code.
    * Updated NSS to 3.52.3 to address a security issue.
    * Fixed the following security issues: CVE-2022-22736, CVE-2022-22741,
      CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and CVE-2022-22747.
    * Unified XUL Platform Mozilla Security Patch Summary: 8 fixed, 4 DiD,
      17 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Thu, 20 Jan 2022 14:02:40 -0500

newmoon (29.4.3-1+devuan) obs; urgency=medium

  - This is a security update with a few extras.
    * Restored the FUEL abstraction library again.
    * Added some extra sanity checks to timers and text fragments. DiD
    * Added a potential crash safeguard in program threading logic. DiD
    * Fixed the following security issues: CVE-2021-43537, CVE-2021-43541,
      CVE-2021-43536, CVE-2021-43545 and CVE-2021-43542.
    * Unified XUL Platform Mozilla Security Patch Summary: 5 fixed, 3 DiD,
      10 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Tue, 04 Jan 2022 12:54:49 -0500

newmoon (29.4.2-1+devuan) obs; urgency=medium

  - This is a security update.
    * Fixed a spec compliance issue with IDN that could potentially cause
      confusion of domain names.
    * Fixed several intermittent thread sanity issues. DiD
    * Fixed a potential UAF risk in certain situations in networking. DiD
    * Fixed a potential crash risk (not exposed). DiD
    * Fixed a potential spoofing risk using form validation.
      (CVE-2021-38508)
    * Fixed a script sandbox escape issue through XSLT. (CVE-2021-38503)
    * Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 1
      already applied, 4 DiD, 7 not applicable.
  - Force using gcc-10

 -- B. Stack <bgstack15@gmail.com>  Tue, 11 Nov 2021 09:09:16 -0500

newmoon (29.4.1-1+devuan) obs; urgency=medium

  - This is a security update.
    * Fixed potential crashes. DiD
    * Fixed a potential indirect exploit of Microsoft Internet Explorer.
      (CVE-2021-38492)
    * Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 DiD,
      8 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Tue, 14 Sep 2021 21:02:17 -0400

newmoon (29.4.0-2+devuan) obs; urgency=medium

  - Rebuild, with dh $@ --without autoreconf so it can actually build.

 -- B. Stack <bgstack15@gmail.com>  Sat, 11 Sep 2021 22:33:42 -0400

newmoon (29.4.0-1+devuan) obs; urgency=medium

  - This is a development, bugfix and security release
    * Implemented promise.allSettled().
    * Implemented global origin on windows and workers.
    * Improved performance of memory allocations.
    * Updated libcubeb to the current development version.
    * This improves OSS compatibility and addresses potential crashes, performance issues and security issues.
    * Updated SQLite to 3.36.0.
    * Improved thread safety of the web content cache. DiD
    * Added several fixes to avoid potential crashes and security issues. DiD
    * Unified XUL Platform Mozilla Security Patch Summary: 5 DiD, 12 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Tue, 17 Aug 2021 18:43:23 -0400

newmoon (29.3.0-1+devuan) obs; urgency=medium

  - This is a development, bugfix and security release.
    * "Web Developer" is now called "Developer Tools" in the menus.
    * Updated and aligned about:home, the QuickDial page and logopage
      styling.
    * Re-organized the privacy category in the preferences window.
    * Enabled brotli compression for http for sites that support it. See
      implementation notes.
    * Implemented EventTarget as a constructor.
    * Updated Windows 10 toolkit styling.
    * Updated the port blacklist (removed 10080). See implementation notes.
    * CSS: Implemented calc() and animation support for stroke-dashoffset.
    * Added support for checking boolean preferences to chrome CSS style
      sheets, to support more advanced theming options.
    * Added support for dynamic dark color capable themes in CSS.
    * Updated ResizeObserver implementation to a more recent specification.
      See implementation notes.
    * Removed a metric ton of Macintosh code.
    * Removed obsolete system theme support from the layout engine.
    * Fixed several crashes.
    * Linux: blocked particularly old versions of Mesa/Nouveau drivers due
      to issues.
    * Security issues addressed: CVE-2021-30547 and several other issues
      that don't have a CVE number.
    * Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 DiD,
      2 deferred (DiD), 12 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Mon, 19 Jul 2021 19:11:44 -0400

newmoon (29.2.1-1+devuan) obs; urgency=medium

  - This is a small bugfix release.
    * Worked around an issue with autocomplete popups sometimes failing to
      work (and added some debug console logging to it in case it happens to
      help find the root cause)
    * Fixed an issue with DOM mouse scrolling throwing errors.
    * Fixed a race with network detection routines firing incorrectly when
      resuming from standby.
    * Fixed a crash when using large uploads through DOM.
    * Fixed an issue where the menulist-button on editable menulist widgets
      was not visible on GTK3.
    * Reduced the number of reported "important preferences" in
      troubleshooting information, excluding individual printer details.
    * Fixed an issue with the JS JIT compiler not tracing debugger
      environments (DiD).

 -- B. Stack <bgstack15@gmail.com>  Wed, 09 Jun 2021 08:51:28 -0400

newmoon (29.2.0-1+devuan) obs; urgency=medium

  * This is a development and bugfix release.
    - Starting with this version, we will no longer be supporting
      unmaintained legacy Firefox extensions that are not updated
      for/targeting Pale Moon directly.
    - Please see https://forum.palemoon.org/viewtopic.php?f=1&t=26657
      for details.
  * Changes/fixes:
    - When opening tabs from the History side bar, Pale Moon will now
      warn you about the action if it would result in opening many tabs at
      once.
    - Pale Moon now offers "Open All in Tabs" on bookmark folders
      even if there is only one sub-item in it, for UI consistency.
    - Added media format controls in the Content category of
      Preferences.
    - Added controls for preferred color scheme. See implementation
      notes.
    - Updated several site-specific user-agent overrides for web
      compatibility.
    - Removed the ability to accept Firefox IDs for extension
      installation.
    - Removed conditional Macintosh code from the application front-end.
    - Updated the AV1 reference library to 2.0.
    - Cleaned up more Android code from the platform.
    - Updated the embedded emoji font to cater to even more
      race-dependent profession emoji.
    - Fixed an overflow in clip paths, potentially causing them to be
      rendered incorrectly.
    - Added CSS values smooth, high-quality and pixelated to the
      image-rendering keyword.
    - Implemented Intl.NumberFormat.formatToParts() to allow
      deconstruction of localized number formats by scripts.
    - Reinstated the dom.details_element.enabled preference and fixed a
      rendering issue with summary/details html elements.
    - Fixed an issue with CSP .nonce attributes on elements.
    - Security issues addressed: CVE-2021-29946 DiD and CVE-2021-23994
      DiD.
    - Unified XUL Platform Mozilla Security Patch Summary: 2 DiD, 14
      not applicable.
  * Implementation notes:
    - This version adds support for the prefers-color-scheme CSS
      keyword. This keyword is a media query keyword that indicates to
      websites whether your content styling preference is "light" or "dark".
      Unlike other browsers where this will be tied to your system color
      scheme and determined automatically (which might be a point on which
      you can be fingerprinted, so this would be a privacy concern), we've
      decided to give the user control through Preferences -> Content ->
      Colors where you will find a new control to indicate your user
      preference (it defaults to "light" for everyone). While this control
      also gives you the option to disable this feature and effectively not
      support the keyword, be aware that this might cause issues on some
      websites that do not provide styling for "unspecified" color scheme
      preferences.
    - In the future we may add an "automatic" option similar to other
      browsers in case you regularly switch your system application style
      from light to dark and v.v.

 -- B. Stack <bgstack15@gmail.com>  Tue, 27 Apr 2021 14:56:07 -0400

newmoon (29.1.1-1+devuan) obs; urgency=medium

  * Changes/fixes:
    - Updated NSS to fix certificate import and keygen regressions.
    - Removed restrictions for units of width/height attributes on SVG elements.
    - Enabled scrollbar-width CSS keyword by default.
    - Security issues addressed: CVE-2021-23981 and a DiD fix for potential document parser confusion.
    - Unified XUL Platform Mozilla Security Patch Summary: 2 DiD, 9 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Thu, 01 Apr 2021 12:53:29 -0400

newmoon (29.1.0-1+devuan) obs; urgency=medium

  * New features:
    - Language packs for the following newly-supported languages:
      Arabic (ar), Chinese Traditional (zh-TW), Croatian (hr), Danish (da),
      Finnish (fi), Galician (gl), Indonesian (id), Icelandic (is), Japanese
      (ja), Romanian (ro), Serbian (cyrillic) (sr), Slovenian (sl), Thai (th)
    - Implemented String.prototype.replaceAll().
    - Implemented JSON superset proposal.
    - Implemented well-formed JSON stringify.
    - Implemented numeric separators in JavaScript.
  * Changes/fixes:
    - Updated timezone data to 2021a.
    - Updated the wording and inclusion of more select license blocks
      in about:license.
    - Updated some site-specific user-agent overrides for web
      compatibility.
    - Updated the lz4 library for performance and security updates.
    - Improved performance of JSON stringify.
    - Further improved support for building on FreeBSD.
    - Fixed a regression where changes to useragent compatibility
      required a restart to take effect.
    - Fixed a regression where AES-GCM in WebCrypto ("subtle" crypto
      API) wasn't working. This could make certain login procedures
      fail to work.
    - Fixed a full browser deadlock when page scripting would flood
      browsing history with rapid location state changes.
    - Disabled AV1 codec use by default again since our implementation
      has significant streaming issues (particularly audio) that need
      further work.
    - Added required interaction with file/folder open dialog boxes on
      html file input elements on some operating systems to avoid malicious
      content tricking users into uploading sensitive files unintentionally
      (related to CVE-2021-23956).
    - Added a font sanity check to avoid triggering a potential
      vulnerability on unpatched Windows operating systems (related to
      CVE-2021-24093).
    - Security issues addressed: CVE-2021-23974, CVE-2021-23973 and
      several memory safety hazards that don't have CVE numbers.
    - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2
      DiD, 19 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Tue, 02 Mar 2021 21:53:23 -0500

newmoon (29.0.1-1+devuan) obs; urgency=medium

  * Changes/fixes:
    - Fixed a browser crash when manipulating frame trees.
    - Fixed an issue with depth textures in ANGLE.
    - Updated the SSOAU for YouTube Studio.
    - Security issue addressed: ZDI-CAN-12197.

 -- B. Stack <bgstack15@gmail.com>  Mon, 15 Feb 2021 11:20:33 -0500

newmoon (29.0.0-1+devuan) obs; urgency=medium

  * New major milestone release:
    - Implemented Intl.PluralRules API for JavaScript.
    - Added a frequently-requested preference (browser.tabs.allowTabDetach) to
      disable "tearing off" of tabs (meaning dragging them outside of the tab
      bar resulting in them being made into their own window).
    - Added FLAC as a recognized filetype-by-extension.
    - Implemented basic support for the scrollbar-width CSS keyword. See
      implementation notes.
    - Added preliminary support for modern FreeBSD builds.
    - Selectively enabled core features of the DOM Animations API.
    - Enabled AV1 video support by default (previously built but not enabled in
      releases).
    - Added support for pointer events.
    - Added support for the SVG transform-box property.
    - Added support for the inputmode property for forms to enable
      context-sensitive display of soft keyboards.
    - Enabled shutting down of the file I/O worker when idle for a while
      (resource optimization).
    - Enabled blocking of auto-play of media in the background by default.
    - We now offer official GTK3 builds for Linux alongside the GTK2 builds.
    - Partial (and as of yet, not acceptably functional) implementation of
      Google WebComponents. See implementation notes.
  * Changes/fixes:
    - Updated NSPR to 4.29.
    - Updated NSS to 3.59.
    - Disabled legacy database format for storage of certificates and passwords.
    - Updated several site-specific user-agent overrides for web compatibility.
    - Improved styling of the "find in page" bar to avoid unreadable text on
      some system themes.
    - Removed a large chunk of Android-specific code.
    - Split gkmedias.dll back out from xul.dll.
    - Cleaned up a number of redundant and obsolete code paths.
    - Fixed a regression with the Performance API.
    - Fixed an initialization issue in the browser when users would
      force-disable certain types of caching.
    - Fixed a crash when attempting to save a file from FTP that could be
      displayed in the browser.
    - Fixed the root cause of an issue with JavaScript module loading causing
      crashes. See implementation notes.
    - Fixed a rare initialization issue for the print preview window causing it
      to not display.
    - Fixed a crash on Mac when text input was not secure.
    - Disabled the Storage Manager API by default.
    - Disabled the <menuitem> html tag by default. If you still need this, you
      can re-enable it with the preference dom.menuitem.enabled in about:config.
    - Fixed a memory safety issue related to XUL trees (CVE-2021-23962).
    - Implemented several defense-in-depth measures to improve stability and
      future security.

 -- B. Stack <bgstack15@gmail.com>  Tue, 02 Feb 2021 19:04:30 -0500

newmoon (28.17.0-1+devuan) obs; urgency=low

  * This is a development, bugfix and security update.
    - Changed the way dates and times are formatted in the UI to
      properly adhere to the user's regional settings in the O.S.
    - Re-enabled the DOM Filesystem API for web compatibility.
    - Moved the global user-agent override to the networking component.
      See implementation notes.
    - Worked around crashes and run-time issues with module scripts.
      See implementation notes.
    - Fixed a website layout issue with table-styled elements
      potentially overlapping when placed inside a flexbox.
    - Fixed some code logic issues with websockets.
    - Fixed a regression when waking the computer from standby causing
      high CPU usage in some uncommon situations.
    - Updated the list of prohibited ports the browser can use. See
      implementation notes.
    - Updated root certificates.
    - Windows: Changed the way downloaded files without an extension
      are handled. See implementation notes.
    - Mac-beta: Improved version detection of MacOS including Big Sur.
    - Security issues addressed: CVE-2020-26978 and CVE-2020-35112.
    - Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1
      deferred to the next release, 16 not applicable.
  * Implementation notes:
    - The global user-agent override was moved to the networking
      component where it is actually implemented. The new preference name is
      network.http.useragent.global_override. Please note that using a
      blanket override is normally (very) counterproductive and does not, in
      fact, help much with privacy. It would also override the compatibility
      modes (Native/Gecko/Firefox) in Pale Moon. As such, the browser will
      now warn you if the user-agent is globally overridden (in preferences)
      and allow you to easily reset that override and re-enable the various
      compatibility modes.
    - Module scripting caused some persistent and very hard to track
      browser crashes that we've narrowed down to a specific optimization in
      the JavaScript JIT (Just-In-Time) compiler (IonMonkey). This
      optimization is now disabled by default but if you need that little
      extra performance (usually only noticed in very optimized code or some
      benchmarks) then you can re-enable it, trading in stability, by setting
      the new preference javascript.options.ion.inlining to true.
    - Prohibited ports: Pale Moon maintains a blacklist of ports the
      browser may normally not connect to on servers, to mitigate abusive web
      scripting employing your browser as an attack bot on servers (e.g. by
      connecting to mail servers or what not), NAT slipstreaming, and similar
      security issues. To more thoroughly prevent known abusable ports on
      servers, this list was extended with a number of additional default
      ports for various non-http protocols.
    - Downloaded files without a file extension: When a file without an
      extension is downloaded, we will now open the download folder where you
      may choose to take any specific action manually, instead of trying to
      execute it as a program or through an associated program.

 -- B. Stack <bgstack15@gmail.com>  Fri, 18 Dec 2020 13:52:12 -0500

newmoon (28.16.0-1+devuan) obs; urgency=low

  * This is a development and security update to the browser.
  * Note for Linux users: With CentOS 6 going end-of-life, this
    version will be the last for which we will be building 32-bit Linux
    official binaries to download. While your distribution may choose to
    continue offering 32-bit versions of the browser, built from source
    by the maintainers, we won't be offering any further official 32-bit
    Linux binaries on our website. Please check with your distribution's
    package maintainers to know if further 32-bit support will be
    available on your particular flavor of Linux.
    - Aligned CSS tab-size with the specification and un-prefixed it.
    - Updated Brotli library to 1.0.9.
    - Updated JAR lib code.
    - Optimized UI code, resulting in smaller downloads and less
      space consumed on disk.
    - Changed the default Firefox Compatibility version number to
      68.0 (since versions ending in .9 make some frameworks unhappy,
      refusing access to users).
    - Cleaned up HPKP leftovers.
    - Disabled the DOM filesystem API by default.
    - Removed Phone Vibrator API.
    - Fixed an issue where the software uninstaller would not remove
      the program files it should.
    - Fixed a devtools crash related to timeline snapshots.
    - Fixed an issue in Skia that could cause unsafe memory access.
      [DiD]
    - Fixed several data race conditions. [DiD]
    - Fixed an XSS vulnerability where scripts could be executed when
      pasting data into on-line editors.
    - Linux: Fixed an overflow issue in freetype.
    - Security issues addressed: CVE-2020-26960, CVE-2020-26951,
      CVE-2020-26956, CVE-2020-15999 and several others that do not have a
      CVE designation.
    - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4
      defense-in-depth, 3 rejected, 20 not applicable.

 -- B. Stack <bgstack15@gmail.com>  Wed, 25 Nov 2020 09:13:05 -0500

newmoon (28.15.0-1+devuan) obs; urgency=low

  * This is a standard development and bugfix release.
    - Implemented support for CSS caret-color.
    - Implemented support for un-prefixed ::selection CSS pseudo-element styling.
    - Fixed another potential crashing scenario in ResizeObservers.
    - Fixed several crashes in the DOM Fetch API.
    - Fixed a crash in table pagination.
    - Security issues fixed: CVE-2020-15680 (VG-VD-20-115) and several memory safety hazards.
    - Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 defense-in-depth, 12 not applicable.
  * reenable jemalloc to match palemoon.
  * disable eme to match palemoon.
  * so now newmoon's only changes are config location and branding.

 -- B. Stack <bgstack15@gmail.com>  Tue, 27 Oct 2020 20:05:31 -0400

newmoon (28.14.2-3+devuan) obs; urgency=low

  * disable all use-system options to see if stability returns

 -- B. Stack <bgstack15@gmail.com>  Fri, 23 Oct 2020 14:58:17 -0400

newmoon (28.14.2-2+devuan) obs; urgency=low

  * revert to gtk2 to see if stability returns

 -- B. Stack <bgstack15@gmail.com>  Fri, 23 Oct 2020 22:40:55 -0400

newmoon (28.14.2-1+devuan) obs; urgency=low

  * Update version

 -- B. Stack <bgstack15@gmail.com>  Mon, 05 Oct 2020 09:07:33 -0400

newmoon (28.13.0-5+devuan) obs; urgency=medium

  * Import bluemoon icons from Gord N. Squash

 -- B. Stack <bgstack15@gmail.com>  Wed, 16 Sep 2020 19:16:08 -0400

newmoon (28.13.0-4+devuan) obs; urgency=low

  * Import xfce-helper/palemoon.desktop from stevep@mxlinux.org release

 -- B. Stack <bgstack15@gmail.com>  Wed, 09 Sep 2020 14:43:04 -0400

newmoon (28.13.0-3+devuan) obs; urgency=medium

  * This is a compatibility, bugfix and security update. Special thanks
    to our new code contributors this cycle (you know who you are)!
    - Updated the included site-specific user-agent overrides for a
      number of websites that need them.
    - Rewrote the browser's padlock code to use more modern APIs and
      provide more accurate security status indication. Now also with
      localized tooltips!
    - Fixed a missing close button on the undo prompt after removing a
      thumbnail from the QuickDial new tab page.
    - Fixed an issue with the alternative stylesheet menu in the
      browser's UI not working.
    - Implemented the use of intrinsic aspect ratios for images to
      improve layout during load and page positioning.
    - Added a preference for the use of node.getRootNode and disabled
      it by default. See implementation notes.
    - Added CSS -webkit-appearance as an alias for -moz-appearance to
      improve compatibility with websites that only try to use
      Chrome-specific keywords to style standard form elements.
    - Updated the SQLite library to 3.33.0.
    - Reinstated precise floating point precision model in JavaScript
      for those alternate builders who foolishly try to use the inaccurate
      "fast" model.
    - Improved spec compliance of modular JavaScript use (ECMAScript
      modules).
    - Changed media errors to be a more generic response, and added a
      preference (media.sourceErrorDetails.enabled) to enable detailed error
      reporting of media errors for debugging purposes. Previously,
      detailed errors were provided by default which could lead to
      privacy issues.
    - Improved code stability of the AbortController implementation.
    - Fixed a race condition in the secure connection library (NSS).
    - Security issues fixed: CVE-2020-15664, CVE-2020-15666,
      CVE-2020-15667, CVE-2020-15668 and CVE-2020-15669.
    - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1
      defense-in-depth, 1 rejected, 9 not applicable.
  * Implementation notes
    - In 28.11.0 we introduced node.getRootNode because some websites
      would fail with an error if this function was not present.
      Unfortunately, this caused problems with other sites that (incorrectly)
      assume Google WebComponents are available when this utility function is
      present (feature detection gone wrong). While it is considered by some
      to be part of the Google WebComponents implementation, it actually has
      utility value outside of that use. Because of the problems caused,
      we've added a preference and disabled it by default, fixing these kinds
      of websites.
    - When needed, you can re-enable this function with
      dom.getRootNode.enabled
    - This should improve web compatibility by default yet still allow
      users to enable this function for websites that use its utility but do
      not use WebComponents.

 -- B. Stack <bgstack15@gmail.com>  Fri, 04 Sep 2020 19:50:02 -0400

newmoon (28.12.0-2+devuan) obs; urgency=low

  * Forked from palemoon. This is an experimental release
    that does everything that the original dev team would
    consider wrong, including:
    - use gtk3 exclusively
    - enable webrtc
    - enable system libraries for everything possible

 -- B. Stack <bgstack15@gmail.com>  Thu, 27 Aug 2020 16:55:11 -0400

newmoon (28.12.0-1+devuan) UNRELEASED; urgency=low

  * First release of newmoon.

 -- B. Stack <bgstack15@gmail.com>  Wed, 05 Aug 2020 14:43:18 -0400