Pale Moon Version 32.1.1 Released with Security Updates

Started by Corrine, April 18, 2023, 01:07:01 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Corrine

Pale Moon has been updated to version 32.1.1.  This is a bugfix and security release.

Changes/Fixes:

  • Fixed a crash in CompareDocumentPosition with Shadow DOM.
  • Fixed a crash with display:contents styling.
  • Added a preference to disable the TLS 1.3 protocol downgrade sentinel (see implementation notes).
  • Changed the way large clipboard copy/paste operations are handled, improving privacy (see implementation notes).
  • Improved filename safety when saving files to prevent potential environment leaks (bis).
  • Improved sanity checks of MIME type headers.
  • Security issues addressed: CVE-2023-29545 and CVE-2023-29539.
  • UXP Mozilla security patch summary: 2 fixed, 1 rejected, 49 not applicable.

Implementation notes:

  • Some proxies and middleware boxes improperly handle the TLS 1.3 protocol handshake causing an insecure downgrade to TLS 1.2. With our recent update of NSS, Pale Moon no longer allows this kind of protocol downgrade when trying to establish a TLS 1.3 connection to a server. The resulting error is ssl_error_rx_malformed_server_hello with an inability to connect to the server. To enable users to still connect to the servers or devices in question, we've added an option to switch off the downgrade sentinel. To switch it off as a temporary workaround, set security.tls.hello_downgrade_check to false.
  • If copy and paste operations to/from the browser are performed, Pale Moon writes clipboard contents to disk in a temporary cache file if the copy/paste amount is particularly large, to avoid using large amounts of memory to hold this data. The average paste/clipboard size doesn't tend to hit this limit in which case it is just held in memory.

        Previously, these cache files, while in the O.S. temporary file location (%TEMP% or /tmp), would not be consistently cleaned up, potentially causing privacy issues if persisted. This was changed to using auto-cleaning anonymous temp files, improving user privacy and relying less on the O.S. or user performing cleanup of temporary file storage. Thanks to Sandra for pointing this out and providing the patch.

Notes:

DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads. To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.