Pale Moon has been updated to Version 26.5.0. The update includes two Defense-in-Depth (DiD) fixes. "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
The Linux version will be released shortly.
Details from the Release Notes:
Security fixes:
- Fixed a potentially exploitable crash related to text writing direction. (CVE-2016-5280)
- Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues.
- Changed the way paletted image frames are allocated so the space is cleared before it's used. DiD
- Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD
- Fixed several memory safety issues and crashes.
- Implemented a breaking CSP (content security policy) spec change; when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include https versions of the hosts listed in CSP if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2 where this is allowed.
- Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors would occur).
- Improved the performance of canvas poisoning by explicitly parallelizing it.
- Windows Vista/Windows 7/Windows 8/Server 2008 or later
- A processor with SSE2 support
- 256 MB of free RAM (512 MB or more recommended)
- At least 150 MB of free (uncompressed) disk space
Other versions:
- PM4XP (Pale Moon for XP) has reached end of support and has been replaced with Pale Moon for Atom.
- Linux version: Available from http://www.palemoon.org/contributed-builds.shtml
No comments:
Post a Comment
Neither spam nor comments containing vulgarities will be approved.