Bug 7501 - [UPDATE REQUEST] newmoon 26.4.1 → 26.5.0
Status: VERIFIED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
: Fresh
: All Linux
: Normal normal
Assigned To: ROSA Linux Bugs
Reported: 2016-11-11 09:03 MSK by Алзим
Modified: 2016-11-22 14:37 MSK
vladimir.potapov: qa_verified+
andrey.bondrov: published+


Description Алзим 2016-11-11 09:03:13 MSK
26.5.0 (2016-09-28)

Fixes/Changes:
Implemented a breaking CSP (content security policy) spec change; when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include https versions of the hosts listed in CSP if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2 where this is allowed.
Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors would occur).
Improved the performance of canvas poisoning by explicitly parallelizing it.

Security fixes:
Fixed a potentially exploitable crash related to text writing direction. (CVE-2016-5280)
Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues.
Changed the way paletted image frames are allocated so the space is cleared before it's used. DiD
Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD
Fixed several memory safety issues and crashes.

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
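
The CSP scheme-matching change in the release notes above, as an added example (not part of the bug report and not Pale Moon's code). It is a simplified model of how a host-source with no explicit scheme is matched under CSP 1.0 and under CSP 2; the function names, the `mode` parameter and the sample hosts are assumptions made for illustration.

```javascript
// Added example: scheme matching for a CSP host-source that lists no scheme.
// Simplified model: exact host or "*." wildcard, default ports only, no path-part.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function hostMatches(sourceHost, urlHost) {
  const src = sourceHost.toLowerCase();
  const host = urlHost.toLowerCase();
  // "*.example.com" matches subdomains, not example.com itself.
  if (src.startsWith("*.")) return host.endsWith(src.slice(1));
  return src === host;
}

// mode "csp1": the resource must use the same scheme as the protected page.
// mode "csp2": a page loaded over http may also load the https version of the host.
//              A page loaded over https still only matches https resources.
function schemelessSourceAllows(source, pageUrl, resourceUrl, mode) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  let schemeOk = res.protocol === page.protocol;
  if (mode === "csp2" && page.protocol === "http:") {
    schemeOk = res.protocol === "http:" || res.protocol === "https:";
  }
  if (!schemeOk) return false;
  // URL.port is "" when the URL uses the default port for its scheme.
  const port = res.port || DEFAULT_PORT[res.protocol];
  if (port !== DEFAULT_PORT[res.protocol]) return false;
  return hostMatches(source, res.hostname);
}

// Constructed sample: policy "script-src cdn.example.com" served on an http page.
for (const mode of ["csp1", "csp2"]) {
  const allowed = schemelessSourceAllows(
    "cdn.example.com",
    "http://site.example/",
    "https://cdn.example.com/app.js",
    mode
  );
  console.log(mode, "allows https resource from http page:", allowed);
}
```

A policy that must stay limited to one scheme under the new behaviour should list the scheme explicitly in the source expression, since the relaxed matching only applies when no scheme is given.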
Comment 1 Алзим 2016-11-11 09:05:56 MSK
Updated to 26.5.0

Browser:
https://abf.io/build_lists/2753316
https://abf.io/build_lists/2753317

Localizations:
https://abf.io/build_lists/2753352
https://abf.io/build_lists/2753353
Comment 2 Vladimir Potapov 2016-11-12 19:48:20 MSK
The update is sent to expanded testing
**************************************
Comment 3 Vladimir Potapov 2016-11-21 22:14:16 MSK
newmoon-26.5.0-1
https://abf.io/build_lists/2753316
https://abf.io/build_lists/2753317

newmoon-l10n-26.5.0-1
https://abf.io/build_lists/2753352
https://abf.io/build_lists/2753353
***************************** Advisory **************************
Up to 26.5.0
******************************************************************
QA Verified