Pale Moon Version 31.4.0 Released with Security Updates


Corrine

Pale Moon has been updated to version 31.4.0.  This is a major development and security update adding JPEG-XL image support and more.

 

Changes/Fixes:

  • Added support for the JPEG-XL image format.
  • Implemented regular expressions lookaround/lookbehind.
  • Aligned CORS header parsing with the updated spec. See implementation notes.
  • We no longer fire keypress events for non-printable keys. See implementation notes.
  • Added support for MacOS 13 "Ventura" in the platform, primarily benefitting White Star.
  • Fixed potentially problematic thread locking code on *nix platforms.
  • Fixed some small issues in the display and operation of the Web Developer tools.
  • Removed unused but performance-impacting panning and tab animation measuring code. (telemetry leftovers)
  • Improved code for SunOS builds.
  • Updated Internationalization data for time zones.
  • Fixed a buffer overflow for Mac builds.
  • Security issues addressed: CVE-2022-45411 and potential issues without a CVE number.
  • UXP Mozilla security patch summary: 2 fixed, 1 DiD, 1 deferred, 25 not applicable.

Implementation Notes:

  • CORS support has been updated to the current spec. Most importantly, Pale Moon now accepts wildcard entries ("*") for the CORS statements Access-Control-Expose-Headers, Access-Control-Allow-Headers and Access-Control-Allow-Methods. Note that wildcards are ignored (according to the spec) when credentials are passed.
  • Pale Moon will no longer fire the keypress events in content when the key pressed is a non-printable key. This is in response to issues where webmasters would use rudimentary and naïve input-restricting scripts in onkeypress handlers that would not take into account editing keys or navigation keys, causing issues for users trying to enter data into forms (and e.g. finding they could no longer use backspace, cursor keys or tab). This aligns our behavior with other browsers for web compatibility, although it should be considered a website error expecting not all keypresses to be intercepted in keypress events.


*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

**Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

 

Update
To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

 

Release Notes

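The wildcard rule from the CORS implementation note in the post above, modelled as an added example (not part of the original post and not Pale Moon's code). The function names, the `X-Api-Key` header and the sample responses are constructed for illustration, and only the two list headers are checked.

```javascript
// Added illustration of the wildcard rule in the implementation note above.
// All names and sample header values are constructed; this is not Pale Moon code.

// Split a comma-separated CORS list header into trimmed, non-empty tokens.
function parseList(value) {
  return (value || "").split(",").map((t) => t.trim()).filter((t) => t !== "");
}

// True if `name` is permitted by the list. "*" counts as a wildcard only when
// the request carries no credentials; with credentials only exact names match.
function listAllows(value, name, withCredentials, caseSensitive = false) {
  const norm = (s) => (caseSensitive ? s : s.toLowerCase());
  const tokens = parseList(value).map(norm);
  if (tokens.includes(norm(name))) return true;
  return !withCredentials && tokens.includes("*");
}

// Evaluate a preflight response against the request it is meant to authorize.
// Simplification: only the two list headers are checked (no origin check, no
// safelisted-method or safelisted-header shortcuts).
function preflightBlocks(response, request) {
  const blocked = [];
  const cred = request.withCredentials;
  if (!listAllows(response["access-control-allow-methods"], request.method, cred, true)) {
    blocked.push("method:" + request.method);
  }
  for (const h of request.headers) {
    if (!listAllows(response["access-control-allow-headers"], h, cred)) {
      blocked.push("header:" + h);
    }
  }
  return blocked;
}

// Constructed sample: a server that answers every preflight with wildcards.
const wildcardResponse = {
  "access-control-allow-methods": "*",
  "access-control-allow-headers": "*",
};
const request = { method: "PUT", headers: ["X-Api-Key"], withCredentials: false };

console.log(preflightBlocks(wildcardResponse, request));
// Same request with cookies attached: the wildcards no longer authorize it.
console.log(preflightBlocks(wildcardResponse, { ...request, withCredentials: true }));
```

A server that relies on `*` in these headers therefore has to list methods and headers explicitly for any endpoint that is called with credentials.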

Via Twitter

We are aware of our JPEG-XL decoder in 31.4.0 doing something funky with the colors. We're working on a fix for this!


Job Bautista #RejectSIMCardReg (@jobbautista9) · Nov 24
Replying to @jobbautista9 @jonsneyers and @palemoonbrowser
We're currently tracking this color inversion issue at #2033 at our repo, anyone interested can follow the discussion there: https://repo.palemoon.org/MoonchildProductions/UXP/issues/2033
