CLD-565 Details

Other IDs this deficiency may be known by:

CVE ID None
Other ID(s) fixed-in-28.1.0

Basic Information:

Affected Package(s) palemoon
Deficiency Type SECURITY
Date Created 2018-09-25 13:12:30
Date Last Modified 2018-09-28 12:25:39

Version Specific Information:

Cucumber 1.0 i686 vulnerable
Cucumber 1.0 x86_64 vulnerable

Cucumber 1.1 i686 vulnerable
Cucumber 1.1 x86_64 vulnerable

Details:

This update is proving quite problematic, as the palemoon build process has
changed substantially in version 28, and the new build process is not
documented.

This update will not be applied to Cucumber Linux 1.0 due to the fact that
palemoon is a testing package on that version. We have always stated that we
make no guarantees about the security of testing packages.

Full details from http://www.palemoon.org/releasenotes.shtml:

v28.1.0 (2018-09-20)
This major update is focused on performance, security and some regression and bug fixes.

Changes/fixes:

    Updated NSS to 3.38, removed TLS 1.3 draft version check since it's considered final.
    Reinstated RC4 as an optional encryption cypher for non-standard environments (e.g. old routing/peripheral networked hardware on LAN). RC4 and 3DES are marked weak and disabled, and will never be used in the first handshake with a site, only as last-ditch fallback when specifically enabled (meaning they won't show up on ssllabs' test, for example).
    Removed Telemetry accumulation calls, automatic timers and stopwatches. This removes a very noticeable performance sink for all operations on all platforms.
    Fixed many occurrences of discouraged types of memory access for primarily GCC 8 compatibility. This improves overall code security as a defense-in-depth measure.
    Re-implemented the pref-controlled custom background color for standalone images.
    Updated session history handling for internal pages. about:logopage is no longer stored in history, and you can choose to store the QuickDial page in history by setting the pref browser.newtabpage.add_to_session_history to true. This is disabled by default (meaning you can't use the "Back" button to go back to the QuickDial page) as a defense-in-depth security measure.
    Added ui.menu.allow_content_scroll to control whether content can be scrolled if a context menu is open.
    Fixed incorrect code removal in ipc.
    Removed support for TLS session caches in TLSServerSocket.
    Added support for local-ref as SVG xlink:href values.
    Changed the find bar to be a browser-global toolbar again (like in Pale Moon 27) instead of per-tab. For people who prefer search terms to be saved on a per-tab basis (like with the per-tab findbar previously), this is possible by setting findbar.termPerTab to true. This resolves a number of issues, including styling with lightweight themes not applying to the find bar, and status pop-ups overlapping the find bar.
    Ported all relevant security fixes from Mozilla's Gecko/62 release, including CVE-2018-12377 and CVE-2018-12379.
    Restored part of the searchplugin API that was removed by Mozilla, so extensions can provide and save edits to installed search engines.
    Improved the speed of restoring browsing sessions upon startup.
    Fixed the "Restore previous session" button sometimes being missing from about:home, while a restorable session would be present.
    Fixed tab previews in the Windows taskbar (if enabled).
    Fixed the setting of the new tab page being "My Home Page" so it'll pick up subsequent changes to the home page URL automatically.
    Removed the Firefox Accounts migrator from Sync.
    Fixed an issue with the enabled state of number controls if appearances changed.
    Stopped building ffvpx on 32-bit platforms (except windows) to use the (faster) system-installed lib instead.
    Re-added a horizontal scroll action option for mouse wheel. (regression)
    Fixed handling of content language if the locale is changed.
    Fixed document navigation with the F6 key.
    Fixed toolbar styling in toolkit themes.
    Fixed viewing the source of a selection.