Pale Moon: Release notes
This is a security, stability and usability update.
Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded videos.
Updated the JPEG decoder library to 1.4.0.
Fixed and cleaned up XPCOM timer thread code to avoid intermittent issues with events not firing (especially after stand-by).
Updated overrides to work around issues with Facebook and Netflix.
Fixed an issue where too-old system-supplied NSPR and/or NSS libraries would be accepted for use.
Updated the libpng library to 1.5.24 to address critical security issues CVE-2015-7981 and CVE-2015-8126.
Updated the NSPR library to 4.10.10 to address several security issues.
Updated the NSS library to 3.19.4 to address several security issues.
Fixed a memory safety hazard in SVG path code (CVE-2015-7199).
Fixed an issue with IP address parsing potentially allowing an attacker to bypass the Same Origin Policy (CVE-2015-7188).
Fixed an Add-on SDK (Jetpack) issue that would allow scripts to be executed despite being forbidden (CVE-2015-7187).
Fixed a crash due to a buffer underflow in libjar (CVE-2015-7194).
Fixed an issue for Android full screen that would potentially allow address spoofing (CVE-2015-7185).
Added size checks in canvas manipulations to avoid potential image encoding vulnerabilities like CVE-2015-7189. (DiD)
Fixed potential information disclosure vulnerabilities through the NTLM authentication mechanism. Insecure NTLM v1 is now disabled by default, and the workstation name is set to WORKSTATION by default (configurable with a preference for environments where identification of workstations is done by actual reported machine name). This avoids issues like CVE-2015-4515.
Fixed a potentially vulnerable crash from a spinning event loop during resize painting. (DiD)
DiD: This means that the fix is “Defense-in-Depth”: it does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when changes to surrounding code expose the problem.