DBSoft.org - White Star Release Notes

White Star Release Notes for 29.x series

White Star 29.4.6

This is a security and bugfix release.

Changes/fixes:

Fixed a potential crash issue on bing.com.
Updated NSS to 3.52.4 to address security issues.
Fixed some thread locking issues. DiD
Fixed a potential resource access issue in devtools. DiD
Fix to address performance issues due to caching.
Security issues with CVEs addressed: CVE-2022-1097, CVE-2022-28285 (DiD) and CVE-2022-28283 (DiD).
UXP Mozilla security patch summary: 1 fixed, 5 DiD, 2 rejected, 23 not applicable.

White Star 29.4.5

This is a security update.

Changes/fixes:

Fixed several application crash scenarios. DiD
Fixed a number of thread locking/mutex issues. DiD
Fixed a leak of content types due to inconsistent error reporting. (CVE-2022-22760)
Fixed an issue with iframe sandboxing not being properly applied. (CVE-2022-22759)
Fixed a potential leak of bookmarks from the exported bookmarks file if it included a malicious bookmarklet.
Fixed an issue with drag-and-drop. (CVE-2022-22756)
Fixed a potential crash due to truncated WAV files.
Fixed a memory safety issue with XSLT. (CVE-2022-26485)
First set of fixes to support newer versions of Xcode's clang
Fixed a python extension for builds on MacOS and FreeBSD

White Star 29.4.4

This is a security update.

Changes/fixes:

Improved application library loading security. DiD
Fixed an issue in JavaScript serialization. DiD
Fixed a potential out-of-bounds issue in IndexedDB. DiD
Fixed a potential issue in widget data handling code. DiD
Fixed potentially exploitable crashes in handling truncated/corrupt media files or streams.
Fixed an issue in the DOM FileReader code.
Updated NSS to 3.52.3 to address a security issue.
Fixed the following security issues: CVE-2022-22736, CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and CVE-2022-22747.
Unified XUL Platform Mozilla Security Patch Summary: 8 fixed, 4 DiD, 17 not applicable.

White Star 29.4.3

This is a security update with a few extras.
This update reinstates FUEL again for old extension compatibility. See implementation notes.

Changes/fixes:

Restored the FUEL abstraction library again.
Added some extra sanity checks to timers and text fragments. DiD
Added a potential crash safeguard in program threading logic. DiD
Fixed the following security issues: CVE-2021-43537, CVE-2021-43541, CVE-2021-43536, CVE-2021-43545 and CVE-2021-43542.
Unified XUL Platform Mozilla Security Patch Summary: 5 fixed, 3 DiD, 10 not applicable.

Implementation notes:

Despite being removed in 29.4.0 and 29.4.2, the long-since deprecated FUEL abstraction functions inside White Star have been restored again after considerable blowback from the community and lack of effort to fix afflicted extensions. It was decided to just restore this indefinitely in the end, since it serves no-one to have users be forced to do without or stay on insecure versions of the browser for something nobody seems to want to address in the extension ecosystem.

White Star 29.4.2

Changes/fixes:

Fixed a spec compliance issue with IDN that could potentially cause confusion of domain names.
Fixed several intermittent thread sanity issues. DiD
Fixed a potential UAF risk in certain situations in networking. DiD
Fixed a potential crash risk (not exposed). DiD
Fixed a potential spoofing risk using form validation. (CVE-2021-38508)
Fixed a script sandbox escape issue through XSLT. (CVE-2021-38503)
Added a preference to enable compatibility mode with earlier TLS 1.3 specifications. See implementation notes.
Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 1 already applied, 4 DiD, 7 not applicable.

Security notice: If you have enabled HTTP Alternative Services for Opportunistic Encryption, it is strongly recommended you disable this at this time through Preferences -> Security -> Opportunistic Encryption -> Enable HTTP Alternative Services for Opportunistic Encryption. This inherently weak transitional technology for http -> https has been compromised and can be abused (partial opt-in bypass). Note that our platform default for this setting (and any other OE) is disabled due to these kinds of inherent risks, as well as lack of transparency about the connection and server contacted. See CVE-2021-38507 for more details about this problem.

Implementation notes:

A preference (security.ssl.enable_tls13_compat_mode) was added to allow users to enable TLS 1.3 compatibility mode that uses an older draft specification of the protocol. A restart of the browser is required when you change this preference. Please note that you should only use this option if you strictly require it for e.g. outdated proxies, load-balancers or middleware, as it potentially weakens your connection security.

White Star 29.4.1

This is a security update.

Changes/fixes:

Fixed potential crashes. DiD
Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 DiD, 8 not applicable.

White Star 29.4.0.1

This is an out-of-band update to address the following issue:

In 29.4.0, the optional FUEL component (long since deprecated precursor to the Mozilla Add-On SDK) was removed from White Star. This had unexpected impact on a number of popular extensions as well as a few bits of core functionality that went unnoticed in our pre-release testing and unstable channel.

As part of our commitment to resolving issues and giving extension developers some more time to address any problems with this removal of the component from the browser, this update temporarily restores the FUEL component.

If you are an extension developer relying on FUEL components or namespaces (e.g. implicit 'Application'), please update your extension before the next major release.

White Star 29.4.0

This is a development, bugfix and security release. Our release schedule was adjusted here to provide web compatibility improvements and not just a security update this month.

Changes/fixes:

Implemented promise.allSettled().
Implemented global origin on windows and workers.
Improved performance of memory allocations.
Updated libcubeb to the current development version.
This improves OSS compatibility and addresses potential crashes, performance issues and security issues.
Updated SQLite to 3.36.0.
Improved thread safety of the web content cache. DiD
Added several fixes to avoid potential crashes and security issues. DiD
Unified XUL Platform Mozilla Security Patch Summary: 5 DiD, 12 not applicable.
Fixed a regression on Big Sur loading OpenGL.

White Star 29.3.0

This is a development, bugfix and security release.

Changes/fixes:

"Web Developer" is now called "Developer Tools" in the menus.
Updated and aligned about:home, the QuickDial page and logopage styling.
Re-organized the privacy category in the preferences window.
Enabled brotli compression for http for sites that support it. See implementation notes.
Implemented EventTarget as a constructor.
Updated the port blacklist (removed 10080). See implementation notes.
CSS: Implemented calc() and animation support for stroke-dashoffset.
Added support for checking boolean preferences to chrome CSS style sheets, to support more advanced theming options.
Added support for dynamic dark color capable themes in CSS.
Updated ResizeObserver implementation to a more recent specification. See implementation notes.
Removed obsolete system theme support from the layout engine.
Fixed several crashes.
Security issues addressed: CVE-2021-30547 and several other issues that don't have a CVE number.
Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 DiD, 2 deferred (DiD), 12 not applicable.

Implementation notes:

Brotli compression (introduced a few years back) has originally been restricted to https only in web browsers because there was some concern about interaction with middleware boxes with poor design trying to transparently recompress data not recognizing the new compression stream type and causing failures. The kind of processing done in those boxes (SDCH) has long since been deprecated. Since then, the segregation for Brotli between http and https has been maintained by Chrome and Firefox as a vessel to further promote https over http by artificially keeping http less efficient (denying the use of the more dense Brotli compression). Since there is no technical reason not to enable Brotli over http, we will accept (by way of Accept-encoding) Brotli over plain http from this version on, offering up to 20% less bandwidth use when servers also support it.
We maintain a blacklist of ports that should not be addressed from a browser (primarily to prevent scripted abuse). Not too long ago we updated these ports with a number of additional (higher range) ones, including port 10080 (Amanda). Unfortunately there is too much overlap with other common services/devices that also use this (arbitrarily chosen) port, so we've removed this particular port again from our blacklist.
The ResizeObserver implementation was changed to now support the updated specification for this API, including the experimental properties contentBoxSize and borderBoxSize which allows finer control to respond to size changes of elements. The old spec sizing property of contentRect remains supported for web compatibility.

White Star 29.2.1

Changes/fixes:

Worked around an issue with autocomplete popups sometimes failing to work (and added some debug console logging to it in case it happens to help find the root cause)
Fixed an issue with DOM mouse scrolling throwing errors.
Fixed a race with network detection routines firing incorrectly when resuming from standby.
Fixed a crash when using large uploads through DOM.
Reduced the number of reported "important preferences" in troubleshooting information, excluding individual printer details.
Fixed an issue with the JS JIT compiler not tracing debugger environments (DiD).

There were no security issues that applied to UXP or White Star this release cycle.

White Star 29.2.0

Changes/fixes:

When opening tabs from the History side bar, White Star will now warn you about the action if it would result in opening many tabs at once.
White Star now offers "Open All in Tabs" on bookmark folders even if there is only one sub-item in it, for UI consistency.
Added media format controls in the Content category of Preferences.
Added controls for preferred color scheme. See implementation notes.
Updated several site-specific user-agent overrides for web compatibility.
Removed the ability to accept Firefox IDs for extension installation.
Updated the AV1 reference library to 2.0.
Cleaned up more Android code from the platform.
Updated the embedded emoji font to cater to even more race-dependent profession emoji.
Fixed an overflow in clip paths, potentially causing them to be rendered incorrectly.
Added CSS values smooth, high-quality and pixelated to the image-rendering keyword.
Implemented Intl.NumberFormat.formatToParts() to allow deconstruction of localized number formats by scripts.
Reinstated the dom.details_element.enabled preference and fixed a rendering issue with summary/details html elements.
Fixed an issue with CSP .nonce attributes on elements.
Security issues addressed: CVE-2021-29946 DiD and CVE-2021-23994 DiD .
Unified XUL Platform Mozilla Security Patch Summary: 2 DiD, 14 not applicable.

Implementation notes:

This version adds support for the prefers-color-scheme CSS keyword. This keyword is a media query keyword that indicates to websites whether your content styling preference is "light" or "dark". Unlike other browsers where this will be tied to your system color scheme and determined automatically (which might be a point on which you can be fingerprinted, so this would be a privacy concern), we've decided to give the user control through Preferences -> Content -> Colors where you will find a new control to indicate your user preference (it defaults to "light" for everyone). While this control also gives you the option to disable this feature and effectively not support the keyword, be aware that this might cause issues on some websites that do not provide styling for "unspecified" color scheme preferences.
In the future we may add an "automatic" option similar to other browsers in case you regularly switch your system application style from light to dark and v.v.

White Star 29.1.1

Changes/fixes:

Updated NSS to fix certificate import and keygen regressions.
Removed restrictions for units of width/height attributes on SVG elements.
Enabled scrollbar-width CSS keyword by default.
Security issues addressed: CVE-2021-23981 and a DiD fix for potential document parser confusion.
Unified XUL Platform Mozilla Security Patch Summary: 2 DiD, 9 not applicable.