IMPORTANT: If you use a language pack, make sure to update it to the latest version! Although automatic updates are enabled for language packs, double-check that the version matches. If you are using an older language pack with this version of the browser, some dialog boxes may come up blank.
Update: Version 25.4.1 was released to address two minor but important bug fixes.
- Fixed several memory safety hazards (UAF/DF/UU); applicable bugs covered by CVE-2015-0815 and CVE-2015-0815.
- Fixed CVE-2015-0811 [qcms] heap info leak.
- Fixed CVE-2015-0810 clickjacking attacks via a Flash object in conjunction with DIV elements.
- Fixed CVE-2015-0801 a variant of CVE-2015-0818.
- Fixed CVE-2015-0800 improve randomness of DNS resolver queries on Android.
- Fixed CVE-2015-0798 access to privileged URLs through about: redirector.
Listed below is just a small portion of the fixes and changes to this release. For the complete list, including many Android, Linux changes, see the Release Notes.
- Added a new "mixed-mode" state for HTTPS connections. Clarified mixed-mode connections with a mixed-mode padlock and better tooltips.
- Added a conditional partial shading to the URL bar and made it default (shading only on secure sites, no red shading at all by default).
- Added native IPv6 lookups to NSPR to solve IPv6-only and dual-stack setups in some situations
- Added a pref to control the unloading of idle plugins from memory and lowered the default "idle" time to 60 seconds before plugins are unloaded\
- Added fix to prevent spurious re-paints with plugins (performance/UX improvement)
- Added display of HTTPS protocol (SSL/TLS) to the page info window (thanks Travis!)
- Updated SQLite from 3.7.17 to v184.108.40.206, improving history/bookmark/etc. performance by up to 50% depending on operation
- Windows: Set the double-click/Ctrl+arrow word selection to not eat the space (only select the actual word)
- Updated a number of trusted root certificates, and distrusted the CNNIC root certificate by popular demand
- Removed the plugin check link from the Addons Manager, since it's no longer reliable and not officially available for browsers except Mozilla Firefox. (Bonus: no user profiling/tracking through optimizely!)
- Optimized the NSS callback for secure connections
the domains that are whitelisted for installation of
extensions/themes/personas, streamlining the use of addons.palemoon.org
- Improved certificate display: Removed MD5 and added SHA256 fingerprint, and made them selectable/copyable
- Updated classification of secure connections: Classify any encryption with less than 128 bits or including RC4 (if manually enabled, see previous version notes) as weak.
- Fixed an NVIDIA specific GLX server vendor bug for pixmap depth and fbConfig depth
- Removed most telemetry code, reducing code complexity and wasted CPU
- Made DNS caching a lot less aggressive to align the browser's behavior with the dynamic nature of the modern web.
- Removed Mozilla-specific parameters for searches.
Search suggestions should now work again for Google searches.
- Fixed the "double padlock while loading a secure site" niggle in the UI
Minimum system Requirements (Windows):
- Windows Vista/Windows 7/Windows 8/Server 2008 or later
- A processor with SSE2 support
- 256 MB of free RAM (512 MB or more recommended)
- At least 150 MB of free (uncompressed) disk space
- PM4XP (Pale Moon for XP): A rebuild by Matt Tobin: http://binaryoutcast.com/software/projects/pm4xp/
- Linux version: Available from http://www.palemoon.org/contributed-builds.shtml
UpdateTo get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Select About Pale Moon > Check for Updates.
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...