Releases
-
UXP - November 24, 2020
mattatobin 1 day ago 0 commits to release since this release
This is a stable release of the Unified XUL Platform.
Resolved
- Issue #1391 - Disable DOM Filesystem/dirpicker APIs by default.
- Issue #1667 - Fix macOS 11.0 Big Sur issues
- This does not solve all MacOS 11 issues and applications running on OS 11 may still malfunction
- Issue #1673 - Fix up
-moz-tab-sizeand unprefix it. - Prerequisites for Issue #1679
- Issue #1682 - Remove vibrator DOM interface and support code.
- Issue #1683 - Update in-tree Brotli and libjar components
- Issue #1686 - Align a keybinding definition with the others
- Standalone Commit
b9c41e262- More gracefully (than a crash) handle stack capture failures. - Standalone Commit
14f7bec52- Change default compatibility mode version to 68.0
Follow-ups and Continual Progression
- Issue #251 - Move configure defines and options back to autoconf configure
- Move chrome packaging options to ac configure (also includes changes for Issue #1683)
- Issue #1280 - Remove HPKP
- Get rid of (leftover) HPKP pinning mode.
Security Fix Overview (by component)
- DOM: Base (CVE-2020-26951 and CVE-2020-26956)
- GFX: Skia
- Media: WebRTC
- Modules: Freetype2 (CVE-2020-15999)
- Netwerk: HTTP
- Parser: HTML
- XPCOM: Glue (CVE-2020-26960)
- XPCOM: IO
Downloads
-
UXP - October 24, 2020
This is a stable release of the Unified XUL Platform.
Resolved
- Issue #1606 - Add support for multi-monitor DPI awareness v2 (W10 1706+)
- Issue #1665 - Take overflow-wrap into account when calculating min-content intrinsic size.
- Issue #1666 - Implement
overflow-wrap:anywhere- Includes Standalone Commit
e7a0013f8
- Includes Standalone Commit
- Issue #1668 - Implement CSS
caret-color - Issue #1671 - Unprefix
::-moz-selection
Follow-ups and Continual Progression
- Issue #1643 - Implement ResizeObserver
- Ensure we properly clear our pointers when the Presentation of a document is destroyed.
Security Fix Overview (by component)
- DOM: Base (CVE-2020-15680)
- DOM: Fetch
- Netwerk: Base (Defense in Depth)
- Layout: Tables (Defense in Depth)
Downloads
-
UXP - October 1, 2020
1 month ago 384 commits to master since this release
This is a stable release of the Unified XUL Platform.
Follow-ups and Continual Progression
Downloads
-
UXP - September 30, 2020
1 month ago 387 commits to master since this release
This is a stable release of the Unified XUL Platform.
Follow-ups and Continual Progression
- Issue #1643 - Follow up: Add a null check for
mOwnerinResizeObserverNotificationHelper::Unregister
Downloads
- Issue #1643 - Follow up: Add a null check for
-
UXP - September 29, 2020
1 month ago 389 commits to master since this release
This is a stable release of the Unified XUL Platform.
Resolved
- Issue #618 - [Meta] Implement module type scripting
- Issue #1525 - Remove the obsolete
<marquee>element and its interface - Issue #1639 - Implement Object.fromEntries()
- Issue #1641 - Implement CSS flow-root keyword
- Issue #1643 - Implement ResizeObserver
- Issue #1644 - Remove plugin check leftovers
- Issue #1647 - Implement percentage for CSS opacity keywords
- Issue #1650 - Add null check to
CreateClipPath(drawTarget)innsCSSClipPathInstance - Issue #1653 - Clean up Windows widget code
- Includes Standalone Commit
eb1315e09
- Includes Standalone Commit
- Issue #1655 - Update MediaQueryList to the current spec
- Standalone Commit
f624bd1375- Output webidl filenames as they are processed, for real this time.
Follow-ups and Continual Progression
- Issue #457 - Fix usage of a macro in a cocoa widget
- Issue #1224 - Remove constant expressions from /dom
- Issue #1280 - Remove hostname parameter to trust domain
- Issue #1629 - Disabled attribute cannot be set on elements from HTML
- Part 4: Ensure isExplicitlyEnabled is false upon sheet creation.
- Part 5: Remove pointless local variables.
Security Fix Overview (by component)
- SVG (CVE-2020-15676)
- DOM MediaStream (Defense in Depth)
- DOM WebAudio (Defense in Depth)
Downloads
-
UXP - September 1, 2020
2 months ago 424 commits to master since this release
This is a stable release of UXP.
Please see the relevant application release notes or the commit history for associated changes.
Downloads
-
UXP - July 30, 2020
3 months ago 484 commits to master since this release
This is a stable release of UXP.
Please see the relevant application release notes or the commit history for associated changes.
Downloads
-
UXP - July 12, 2020
4 months ago 507 commits to master since this release
This is a stable release of UXP.
Please see the relevant application release notes or the commit history for associated changes.
Downloads
-
UXP - June 3, 2020
5 months ago 566 commits to master since this release
This is a stable release of UXP.
Please see the relevant application release notes or the commit history for associated changes.
Downloads
-
UXP - May 6, 2020
6 months ago 712 commits to master since this release
This is a stable release of UXP.
Please see the relevant application release notes or the commit history for associated changes.
Downloads
-
UXP - April 27, 2020
7 months ago 719 commits to master since this release
This is a stable release of UXP.
Please see the relevant application release notes or the commit history for associated changes.
Downloads
-
UXP - April 8, 2020
7 months ago 708 commits to master since this release
This is a stable release of UXP.
Please see the relevant application release notes or the commit history for associated changes.
Downloads
-
UXP - March 24, 2020
8 months ago 715 commits to master since this release
This is a stable release of UXP.
Please see the relevant application release notes or the commit history for associated changes.
Downloads
-
Pale Moon 28.8.4
9 months ago 973 commits to master since this release
This is a small web compatibility and security release.
Changes/fixes:
- Implemented optional catch binding (ES2019).
- Fixed a hazardous crash related to module scripting.
Downloads
-
Pale Moon 28.8.3
9 months ago 978 commits to master since this release
This is a regular maintenance bugfix and security release.
Changes/fixes:
- Fixed an issue in CSP blocking requests without a port for custom schemes.
- Fixed a potentially hazardous crash in layers.
- Fixed random crashes on some sites using IndexedDB.
- Changed the way the application can be invoked from the command-line to prevent a whole class of potential exploits involving modified omnijars.
If your special-needs environment requires that you launch the browser with custom browser/gre omnijars from the command-line, you must set the UXP_CUSTOM_OMNI environment variable before launch from this point forward. - Fixed an issue in the html parser after using HTML5 template tags, allowing JavaScript parsing and execution when it should not be allowed, risking XSS vulnerabilities on sites relying on correct operation of the browser. (CVE-2020-6798)
- Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 2 DiD, 10 not applicable.
Downloads
-
Basilisk 2020.02.06/07
9 months ago 1125 commits to master since this release
This is a small bugfix and compatibility update.
- Backed out regular expression lookbehind code for causing crashes.
- Fixed an issue where some poorly-implemented FTP servers could hang the browser.
- Changed behavior for YouTube to prevent the deprecated interface being selected by default.
Downloads
-
Pale Moon 28.8.2.1
9 months ago 986 commits to master since this release
This is a minor release in response to YouTube deprecating their old web UI. This change will enable the new YouTube UI by default.
Downloads
-
Pale Moon 28.8.2
10 months ago 987 commits to master since this release
This is a small bugfix and compatibility update.
Changes/fixes:
- Reverted the addition of JavaScript regular expression lookarounds since the implementation caused crashes. We’ll have to revisit this later.
- Fixed an issue where FTP servers would hang the browser if they were not sending answers according to the protocol specification.
- Added a workaround for GitHub trying to enforce more Google-isms (which we don’t support at this time) to browsers that identify as “Firefox-alike”.
Downloads
-
Pale Moon 28.8.1
10 months ago 997 commits to master since this release
This is an important security and stability release. Please update your browser to this version as soon as possible.
Changes/fixes:
- Fixed a sampling issue in libsoundtouch (DiD)
- Fixed an issue with a new upcoming Windows 10 feature not honoring Private Browsing mode by default (DiD)
- Fixed several stability and memory safety hazards. (DiD)
- Fixed an issue where files could inadvertently be executed with the designated file type handler instead of opened. (CVE-2019-17019)
- Fixed an issue with the JavaScript JIT compiler that could lead to exploitable crashes. (CVE-2019-17026) actively exploited
- Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 7 DiD, 12 not applicable.
Note: for releases on the new milestone please go over to the MoonchildProductions/Pale-Moon repo
Downloads
-
Pale Moon 28.8.0
11 months ago 1018 commits to master since this release
This is a major development release. Many things have been improved, some landmark features have been added/enabled, and many libraries have been updated for added stability and performance. We hope you are as happy with this progress as we are!
All the best wishes for the Holidays to everyone!
New features:
- Added support for modern Solaris operating systems like Illumos (thanks Athenian200!).
- Implemented position:sticky for table parts - You can now use CSS to e.g. stick table headers so they don’t scroll off the screen!
- Enabled basic implementation of module type scripting. While not fully spec compliant (yet), this will fix the few web compatibility issues with sites that rely on this feature without fallback (e.g. the Chromium bugtracker).
- Implemented
Promise.prototype.finally()(ES2018). - Implemented Regular Expression lookbehind (ES2018).
- Implemented Regular Expression
/sflag (dotAll support) (ES2018). - Implemented
String.prototype.matchAll(regex) (ES2020). - Added Ekoru to the list of default search engines. This is a Bing-backed search engine that donates the majority of its revenue to various charities that support the planet and animals. An environment-supporting alternative to Ecosia if you don’t want to support Google in the process.
Changes/fixes:
- Changed the way tables are rendered to fix a number of spec compliance issues and allow relative positioning of table parts.
- Now building against the Windows 10 SDK 10.0.17763.132 for increased compatibility with Windows 10 and improved Spectre mitigation.
- Removed the unused
DiskSpaceWatchercomponent. - Updated cairo code.
- Updated SQLite to 3.30.1.
- Updated the Brotli library to 1.0.7.
- Updated the woff2 library to 1.0.2.
- Updated the OpenType Sanitizer to 8.0.0.
- Updated the Javascript math library for precision and performance fixes.
- Updated the embedded Emoji font to Mozilla’s COLR-mapped twemoji 0.5.0 (Twemoji 12.1.3), to support Emoji 12.
- Improved CSS grid rendering.
- Changed packaging for archives to use 7z/xz instead of zip/bz2.
- Made the second argument of (DOM/CSS)
insertRule()optional for (Chrome) web compatibility. - Removed the non-standard
object.prototype.watch()/unwatch()functions. Please note that this may affect some extensions; those will need to be updated to no longer use these non-standard functions. - Fixed the status bar module to work around an issue with relying on
watch()/unwatch(). - Fixed a build failure in the libcubeb sndio module.
- Fixed a small oversight in the release branch that would potentially still mark
jnlpfiles as executable. - Fixed the certificate retrieval logic in the certificate exception dialog.
- Fixed an issue with add-ons potentially getting confused during add-on updates due to cached scripts.
- Fixed a crash due to unnecessary reparenting calls in layout.
- Reinstated the mentioning of the number of accelerated/total windows in Troubleshooting Information, for completeness.
- Moved the embedded font for Emoji from application to platform so all UXP applications can easily benefit from it (thanks Tobin!).
- Cleaned up the jemalloc code: Removed dead/unused code, removed conditionals around “always on” code, and made the allocator VLA-free.
Security-related fixes:
- Removed the silent fallback to insecure install locations on Windows.
Pale Moon will no longer by default install into unprotected program locations (this was a regression in v28).
If your operating system account does not have the necessary privileges, you need to manually select an accessible folder to install into. This is important to prevent malware from modifying installed programs in well-known but otherwise unprotected installation locations. - Added a preference for, and disabled, the confirmation prompt for URL authentication (prevents evil traps).
- Disabled the use of HPKP by default due to the inherent risks involved with this feature. A preference was added to completely disable header processing, and using preloaded pins is effectively disabled. Please note that this is automatically disabled by default for everyone, regardless of your previous setting for this feature, and it is strongly recommended you keep this feature disabled. HPKP will eventually be removed (overall Internet concensus).
- Fixed a potential issue when interacting with plugins. (DiD)
- Fixed a potential crash scenario when reading PAC configuration. (DiD)
- Fixed a potential issue with text selection painting. (DiD)
- Fixed an issue with element references not being properly updated. (DiD)
- Fixed an issue with incorrect saving of web pages as text. (DiD)
- Fixed a potential issue with clipboard handling. (DiD)
- Fixed a potential issue with attaching the debugger to web workers. (DiD)
- Updated NSS to 3.41.4 to address CVE-2019-11756 and CVE-2019-11745.
- Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 8 DiD, 16 not applicable.
Downloads
-
Basilisk 2019.10.31 🎃
1 year ago 1481 commits to master since this release
This is a security and bugfix update.
- Updated timezone data for internationalization functions.
- Fixed the option to use hardware acceleration over RDP for Windows 8.1 and 10.
- Fixed an issue with inner window navigation potentially leaking.
- Fixed a startup crash caused by Qihoo 360 Safeguard/360 Total Security.
- Ported some expat parser fixes from upstream.
- Ported several NSS upstream fixes to our build.
- Aligned handling of U+0000 in the html5 parser with expectations.
- Added size checks to WebGL data buffering.
- Fixed build issues with newer glibc versions.
- Fixed build issues for ARM targets.
- Worked around a gcc9 compiler issue that would prevent building with it.
- Security issues fixed: CVE-2019-15903, CVE-2019-11757, CVE-2019-11763 and several potentially exploitable crashes and memory safety hazards that don’t have a CVE number.
- Unified XUL Platform Mozilla Security Patch Summary: 6 fixed, 6 DiD, 1 rejected, 24 not applicable.
Downloads
-
Pale Moon 28.7.2
1 year ago 1350 commits to master since this release
This is a security and bugfix update.
Changes/fixes:
- Disabled the use of ICC color profiles for images on Linux by default.
- Updated timezone data for internationalization functions.
- Fixed the option to use hardware acceleration over RDP for Windows 8.1 and 10.
- Fixed an issue with inner window navigation potentially leaking.
- Fixed a startup crash caused by Qihoo 360 Safeguard/360 Total Security.
- Ported some expat parser fixes from upstream.
- Ported several NSS upstream fixes to our build.
- Aligned handling of U+0000 in the html5 parser with expectations.
- Added size checks to WebGL data buffering.
- Fixed build issues with newer glibc versions.
- Fixed build issues for ARM targets.
- Worked around a gcc9 compiler issue that would prevent building with it.
- Sec bug fixes: CVE-2019-15903, CVE-2019-11757, CVE-2019-11763 and several potentially exploitable crashes and memory safety hazards that don’t have a CVE number.
- Unified XUL Platform Mozilla Security Patch Summary: 6 fixed, 6 DiD, 1 rejected, 24 not applicable.
Downloads