Pale Moon: Release notes
25.4.1 (2015-05-10)

This is a small but important update to the previous major release to address some critical issues:
- Fixed loss of the browser's disk cache on startup due to incorrect corruption detection logic
- Fixed a browser crash on some HTML5 games
IMPORTANT: If you use a language pack, make sure to update it to the latest version!
We do have automatic updates enabled for language packs, but please double-check that the version matches. If you are using an older language pack with this version of the browser, some dialog boxes may come up blank.
This is a major update - too much has changed for this little blurb to do it justice, so please see below for the most important changes/fixes in
- Updated SQLite from 3.7.17 to v220.127.116.11, improving history/bookmark/etc. performance by up to 50% depending on operation
- Added a new "mixed-mode" state for HTTPS connections. Clarified mixed-mode connections with a mixed-mode padlock and better tooltips.
- Added a conditional partial shading to the URL bar and made it the default (shading only on secure sites, no red shading at all by default).
- Dev: Fixed file system mode flags for *nix systems, to make executable files like scripts actually flagged as executable
- Added native IPv6 lookups to NSPR to solve IPv6-only and dual-stack setups in some situations
- Added a pref to control the unloading of idle plugins from memory and lowered the default "idle" time before plugins are unloaded to 60 seconds.
- Fixed version strings for e.g. Flash on Linux being displayed with commas instead of periods - this should also fix the incorrect "your plugin is vulnerable" message while being on the latest version.
- Windows: Set the double-click/Ctrl+arrow word selection to not eat the space (only select the actual word)
- DNS fix for VPN connections, preventing the "server not found" issues people have been reporting for certain VPN providers on mobile.
- Updated a number of trusted root certificates, and distrusted the CNNIC root certificate by popular demand
- Linux: Worked around the slice memory allocator not being properly disabled on later GLib versions
- Android: updated the random number generator handling on later versions of Android
- Added fix to prevent spurious re-paints with plugins (performance/UX improvement)
- Removed the plugin check link from the Addons Manager, since it's no longer reliable and not officially available for browsers other than Mozilla Firefox. (Bonus: no user profiling/tracking through Optimizely!)
- Optimized the NSS callback for secure connections
- Updated the domains that are whitelisted for installation of extensions/themes/personas, streamlining the use of addons.palemoon.org.
- Added personas support to titlebar text (adopting the lightweight theme's coloring/shading) in custom titlebar mode (Pale Moon
- Added display of HTTPS protocol (SSL/TLS) to the page info window (thanks Travis!)
- Improved certificate display: Removed MD5 and added SHA256 fingerprint, and made them selectable/copyable
- Changed the classification of secure connections: any connection whose cipher provides fewer than 128 bits of strength, or that uses RC4 at all (if manually enabled, see previous version notes), is now classified as weak.
- Dev: Made the full ciphersuite string available to extensions through nsISSLStatus.
- Added MAKE_UNLINKABLE to the about: page redirector and added that as default for the reader mode on Android
- Removed the compilation and inclusion of a one-time-use pre-compiled startup cache in omni.ja, reducing overall application size significantly and avoiding a number of quirks of both the build process and the operation of the browser.
- Fixed an NVIDIA specific GLX server vendor bug for pixmap depth and fbConfig depth
- Removed most telemetry code, reducing code complexity and wasted CPU
- Linux: Added OSS support (mutually exclusive with ALSA): configure with --enable-oss
- Made DNS caching a lot less aggressive to align the browser's behavior with the dynamic nature of the modern web.
- Removed Mozilla-specific parameters for searches. Search suggestions should now work again for Google searches.
- Added the option to allow users to use a fixed (JSON) file-based geolocation response in favor of a GeoIP service.
- Improvements to Clang builds (thanks Axiomatic/BitVapor!). Clang is not currently producing stable builds on Linux, so please use GCC for that.
- Linux: removed GnomeVFS that's no longer in use
- Fixed the "double padlock while loading a secure site" niggle in the UI
- Dev: Allowed the use of -moz-appearance:none on drop-down lists to hide the arrow button (catering to custom styling of
- Added some more ES6 math/number functions:
  - Implemented Math.fround(x)
  - Implemented Number.isSafeInteger(x)
  - Implemented Math.clz32(x)
- Fixed several memory safety hazards (UAF/DF/UU); applicable bugs covered by CVE-2015-0814 and CVE-2015-0815
- Fixed CVE-2015-0811: [qcms] heap info leak.
- Fixed CVE-2015-0810: clickjacking attacks via a Flash object in conjunction with DIV elements.
- Fixed CVE-2015-0801: a variant of CVE-2015-0818.
- Fixed CVE-2015-0800: improved randomness of DNS resolver queries on Android.
- Fixed CVE-2015-0798: access to privileged URLs through the about: redirector.
This release is an emergency update to fix crashes that started occurring because of Mozilla improperly signing the extensions and extension updates offered through the Firefox Add-ons site addons.mozilla.org. Any improperly signed extension could not be installed and would immediately crash the browser.

No other changes were made in this release - this is a bugfix for this particular issue only.
This is a security update to the browser to address a critical vulnerability found in the Pwn2Own contest. Only one vulnerability found in this contest applies to Pale Moon, and it has been addressed in this update.

- Fixed security vulnerability CVE-2015-0818. This vulnerability would allow remote attackers to bypass the Same Origin Policy and obtain sensitive information or possibly gain privileges via vectors involving SVG hash navigation.
- Fixed an IPv6 DNS resolution regression in some less common cases.
This is an important update to improve features and performance, as well as address important security issues.
- Overhauled WebGL. It now properly supports depth textures, shadow mapping and glow shaders.
Note that older operating systems or older/embedded video processors may be limited in their support of these features.
- Updated the ANGLE library to a much more current version.
- Removed the crash reporter code completely to improve overall browser responsiveness and operation. Please note that a necessary victim of this has been the in-browser (devtools) SPS profiler, because it relies on the crash reporter.
- Removed the Mozilla Plugin Finder Service (no longer in use @Mozilla).
- Android: removed the Mozilla "product announcements" service.
- Re-added control of the number of concurrent tabs to be restored from a session with browser.sessionstore.max_concurrent_tabs (accepted values 1-10)
- Significantly improved performance and accuracy of date/time/timer handling.
- Significantly improved performance of the creation of DOM elements with plain text content.
- Added several code performance optimizations and bugfixes in SVG, the presentation shell, SCTP, style gradients and CSS parsing routines. (Thanks, Axiomatic!)
- Added an "Open link in current tab" context menu entry on links for UI consistency.
- Updated styling of the browser with personas (lightweight themes) once more to improve display in tabs-on-top mode, improve overall legibility of tab text, and fix display of inverted close buttons on some controls on dark personas.
- Added a special-case check for the Flash plugin version check on Linux failing due to commas instead of periods in the version string.
- Added Windows 10 compatibility in executable manifests.
- Android: Fixed a crash on GL canvas surfaces.
- Fixed incorrect Sync "howto" instruction links from the Sync dialogs.
- Fixed the color of selected tabs in Linux when personas (lightweight themes) are in use that do not match the overall tone of the OS system theme.
- Fixed a bug where the address bar would incorrectly be cleared.
- Fixed padding issues for dropdown lists.
- Fixed DNS lookups so proper record types are requested for IPv4 and IPv6.
DiD: This means that the fix is "Defense-in-Depth": it is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

- Disabled all RC4-based encryption ciphers by default.
- Fixed several miscellaneous memory safety hazards. (Applicable bugs related to CVE-2015-0835 and CVE-2015-0836.)
- Fixed loading of locally stored DLL files through the internal updater. (CVE-2015-0833)
- Fixed a potential crash point in IndexedDB. (CVE-2015-0831) DiD
- Fixed a double-free situation when using non-default memory allocators and a 0-length XHR. (CVE-2015-0828)
Note: production builds of Pale Moon were never vulnerable.
- Fixed a crash using DrawTarget in the Cairo graphics library. (CVE-2015-0824)
- Fixed potential reading of local files through manipulation of form autocomplete. (CVE-2015-0822)
- Fixed a potential PNG heap-overflow crash. DiD
- Followed up on research regarding CVE-2014-8639 (see 25.2) and made cookie handling through proxies more restrictive again.
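The two cipher-related changes above (the "weak" classification of any connection with fewer than 128 bits of strength or using RC4, and RC4 being disabled by default) describe one rule. The following is an added example, not Pale Moon or Mozilla code, that applies that rule to IANA-style cipher suite names. The per-cipher strength table, the sample suite list and the function names are assumptions of this example; 3DES is counted at its effective 112 bits rather than its nominal 168, which is a choice made here, not something the notes state.

```javascript
// Added example (not Pale Moon code): classify TLS cipher suites the way the
// release notes describe - "weak" if the bulk cipher gives fewer than 128 bits
// of strength, or if it is RC4 at all. Suite names follow the IANA registry
// form TLS_<key exchange>_WITH_<bulk cipher>_<MAC>.

// Effective key strength per bulk cipher. This table is an assumption of the
// example; order matters because the first matching pattern wins.
const CIPHER_STRENGTH = [
  [/NULL/, 0],                          // no encryption at all
  [/RC4_40|RC2_CBC_40|DES40/, 40],      // export-grade ciphers
  [/3DES_EDE/, 112],                    // 3DES: 168 nominal, 112 effective (assumed here)
  [/(^|_)DES_CBC/, 56],                 // single DES
  [/RC4_128/, 128],                     // 128-bit RC4: weak by the RC4 rule, not by size
  [/AES_128|CAMELLIA_128|SEED_CBC/, 128],
  [/AES_256|CAMELLIA_256|CHACHA20/, 256],
];

// Return the effective key bits of the bulk cipher named in `suite`,
// or null when the name is not a recognisable TLS suite.
function bulkCipherBits(suite) {
  const idx = suite.indexOf("_WITH_");
  if (idx < 0) return null;
  const bulk = suite.slice(idx + "_WITH_".length);   // e.g. "AES_128_GCM_SHA256"
  for (const [pattern, bits] of CIPHER_STRENGTH) {
    if (pattern.test(bulk)) return bits;
  }
  return null;
}

// Apply the release-note rule: weak if < 128 bits or RC4 in any form.
function classifyConnection(suite) {
  const bits = bulkCipherBits(suite);
  if (bits === null) {
    return { suite, bits: null, rating: "unknown", reason: "unrecognised cipher suite" };
  }
  const reasons = [];
  if (/RC4/.test(suite)) reasons.push("RC4 stream cipher");
  if (bits < 128) reasons.push(`${bits}-bit key`);
  return {
    suite,
    bits,
    rating: reasons.length ? "weak" : "secure",
    reason: reasons.length ? reasons.join(", ") : "none",
  };
}

// Names of the suites in `suites` that the rule rates as weak - the set a
// browser would want off by default, as the notes did for RC4.
function weakSuites(suites) {
  return suites.filter((s) => classifyConnection(s).rating === "weak");
}

// Constructed sample list for the demonstration (not a real server's offering).
const SAMPLE_SUITES = [
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
  "TLS_RSA_WITH_RC4_128_MD5",
  "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
  "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
  "TLS_RSA_WITH_NULL_SHA",
];

for (const s of SAMPLE_SUITES) {
  const r = classifyConnection(s);
  console.log(`${r.rating.padEnd(7)} ${String(r.bits).padStart(3)} bits  ${s}  (${r.reason})`);
}
```

Note that RC4_128 is the case the notes single out: by key size alone it would pass the 128-bit bar, so the RC4 check has to be independent of the bit count, which is why the example tests the suite name for RC4 separately rather than folding it into the strength table.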
Release notes for previous versions (unsupported)

You can find the release notes for previous releases of Pale Moon on the Archived Versions Release Notes