Print Page - Pale Moon Version 25.3.0 Releaed with Security Updates

Title: Pale Moon Version 25.3.0 Releaed with Security Updates
Post by: Corrine on March 13, 2015, 02:24:32 PM

Pale Moon has been updated to version 25.3.0 with improved features and performance as well as security updates.

From the Release Notes (http://www.palemoon.org/releasenotes.shtml), it is noted that several security fixes are identified as DiD. This means that the fix is "Defense-in-Depth":

Quote"It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem."

Although I haven't run into any issues with PaleMoon on Windows 10 Technical Preview, note the addition of Windows 10 compatibility in executable manifests to the update.

Security fixes:

Disabled all RC4-based encryption ciphers by default.
Fixed several miscellaneous memory safety hazards.
(applicable bugs related to CVE-2015-0835 and CVE-2015-0836)
Fixed loading of locally stored DLL files through the internal updater. (CVE-2015-0833)
Fixed a potential crash point in IndexedDB. (CVE-2015-0831) DiD
Fixed a double-free situation when using non-default memory allocators and a 0-length XHR. (CVE-2015-0828)
Note: production builds of Pale Moon were never vulnerable.
Fixed a crash using DrawTarget in the Cairo graphics library. (CVE-2015-0824)
Fixed potential reading of local files through manipulation of form autocomplete. (CVE-2015-0822)
Fixed a potential PNG heap-overflow crash. DiD
Followed up on research regarding CVE-2014-8639 (see 25.2) and made cookie handling through proxies more restrictive again.

See the Release Notes (http://www.palemoon.org/releasenotes.shtml) for the complete list of fixes, additions and improvements.

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Select About Pale Moon > Check for Updates.

Title: Re: Pale Moon Version 25.3.0 Releaed with Security Updates
Post by: ky331 on March 25, 2015, 12:04:10 PM

Pale Moon 25.3.1 (2015-03-25)

This is a security update to the browser to address a critical vulnerability found in the pwn2own contest. Only one vulnerability found in this contest applies to Pale Moon, which has been addressed in this update.

Fixes/changes:

•Fixed security vulnerability CVE-2015-0818 ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0818 ). This vulnerability would allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation.
•Fixed IPv6 DNS resolution regression in some less common cases.

LandzDown Forum

Software & More => General Software News, Updates & Discussions => Topic started by: Corrine on March 13, 2015, 02:24:32 PM