Pale Moon Version 25.5.0 Released with Security Updates

[Corrine]

The complete list of fixes, changes and additions is available in the Release Notes. In addition to the fixing the Logjam vulnerability (DHE keys with less than 1024 key bits refused), the following additional security fixes are included in the update:

Security fixes:

• Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and CVE-2015-2709)
• DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
• Fix for updater hijacking (CVE-2015-2720)
• Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
• Fix for a buffer overflow in the XML parser (CVE-2015-2716)
• Fix for a potentially exploitable crash in DNS handling

Of interest to some users is the addition of a preference for always preferring a certain dictionary language. To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.

 

[Corrine]

For any Linux users, from: Pale Moon for Linux is moving!

Pale Moon for Linux will be moving from SourceForge to our own in-house server soon. Version 25.5.* will be the last version that is offered on SourceForge.

We are moving away from SourceForge for a few reasons:

• Pale Moon includes strong encryption methodology that would be subject to US cryptography export laws on SourceForge. Since we have no intention to compromise on user security, we are currently using SourceForge in the "grey area" of still being condoned as-such, but it's not exactly correct.
• SourceForge has been very unscrupulous in its applying of stub installers to Open Source software to bundle "offers"; even going as far as hijacking abandoned accounts to plant their stub installers in place or otherwise control previous projects' sites without consent. We cannot condone that kind of behavior.
• SourceForge is too advertisement-heavy these days to be a comfortable place to host Pale Moon.