Updates 12/20/22 - Pale Moon

PaleMoon v31.4.2 (2022-12-20)

This is a bugfix and security update.

Changes/fixes:

• Fixed JPEG-XL's transparency display for images with an alpha channel.
• Temporarily removed regex lookbehind to stop crashes occurring on 32-bit builds of the browser.
• Added some extra sanity checks to our zip/jar/xpi reader to avoid issues with corrupt archives.
• Aligned cookie checks with RFC 6265 bis. See implementation notes.
• Removed obsolete code in Windows widgets that could cause potential issues with long paths and file names on supported versions.
• Fixed several crashes.
• Security issues addressed: CVE-2022-46876, CVE-2022-46874 and several others that do not have a CVE number.
• UXP Mozilla security patch summary: 4 fixed, 20 not applicable.

Implementation notes:

• RFC 6265 has been worked on with draft changes describing how cookies are actually being handled in the real world, in the bis versions of the RFC. While these changes have not yet been finalized, browsers in general do adhere to the latest available bis version of this RFC. Specifically, the long-standing exceptions for cookie names and values have been formalized, e.g. having quoted values. Our behavior has changed in that we now once again accept Tab characters (0x09) which is the one excluded control character from the range that is otherwise forbidden. We also no longer apply these checks exclusively to those in http headers, and any way of setting cookies must now adhere to the valid range. Cookies that fail these range checks for valid characters will be ignored.

-------------------------------

Available via the internal updater:   Help / Check for Updates

or Full downloads:   Pale Moon for Windows downloads