Sampei.Nihira Posted April 9, 2021 (edited)

These days many MSFN members read that many modern browsers have blocked some ports to prevent NAT Slipstreaming attacks. For members who want to learn more: https://www.bleepingcomputer.com/news/security/google-chrome-to-block-port-554-to-stop-nat-slipstreaming-attacks/

If we want to take as an example the ports blocked by Google Chrome, these are: 69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061, 6566.

Quote: ...Google and Safari developers are also discussing blocking access to port 10080, which Firefox (and Pale Moon) already blocks, but are hesitant due to legitimate web browser requests to that port....

But are our browsers protected too? I did some testing with my NM28 and the answer is yes. For those who want to do a simple test: http://example.com:554/ or https://example.com:554/

Example of what we get on the screen:

I ran all the blocked port tests in Chrome but unfortunately Pale Moon decided not to block port 69.

To block a port:

Quote: about:config new string network.security.ports.banned

If our needs require that a locked port be reachable: about:config new string network.security.ports.banned.override

Edited April 10, 2021 by Sampei.Nihira
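
The block/override decision described in the post above, as an added example (a simplified model, not Pale Moon or New Moon source code). It assumes both prefs hold comma-separated ports with optional `low-high` ranges, and uses the Chrome list quoted in the post as a stand-in for a browser's built-in list.

```javascript
// Ports quoted in the post as blocked by Chrome (a stand-in, not a
// browser's complete built-in list).
const PORTS_FROM_POST = [69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061, 6566];

// Parse a pref value such as "10080, 6000-6003" into a Set of port numbers.
// Assumption: comma-separated ports with optional "low-high" ranges.
function parsePortList(value) {
  const ports = new Set();
  for (const item of String(value || "").split(",")) {
    const m = /^\s*(\d+)(?:\s*-\s*(\d+))?\s*$/.exec(item);
    if (!m) continue; // skip empty or malformed entries
    const low = Number(m[1]);
    const high = m[2] === undefined ? low : Number(m[2]);
    if (low > high || high > 65535) continue; // ignore out-of-range entries
    for (let p = low; p <= high; p++) ports.add(p);
  }
  return ports;
}

// Effective port of a URL: the explicit port, else the scheme default.
function effectivePort(urlString) {
  const url = new URL(urlString);
  if (url.port !== "") return Number(url.port);
  return { "http:": 80, "https:": 443, "ftp:": 21 }[url.protocol] || null;
}

// prefs mirrors the two about:config strings from the post:
//   prefs.banned   -> network.security.ports.banned
//   prefs.override -> network.security.ports.banned.override
function isPortBlocked(urlString, prefs = {}, builtin = PORTS_FROM_POST) {
  const port = effectivePort(urlString);
  if (port === null) return false;
  if (parsePortList(prefs.override).has(port)) return false; // override wins
  return builtin.includes(port) || parsePortList(prefs.banned).has(port);
}
```

With no prefs set, `isPortBlocked("http://example.com:554/")` is true; adding `554` to the override string makes the same URL reachable again, which is why an override entry should be as narrow as possible.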

roytam1 (Author) Posted April 9, 2021

New NewMoon 27 Build!

32bit https://o.rthost.win/palemoon/palemoon-27.10.0.win32-git-20210410-2f3df1855-xpmod.7z
32bit SSE https://o.rthost.win/palemoon/palemoon-27.10.0.win32-git-20210410-2f3df1855-xpmod-sse.7z
32bit noSSE https://o.rthost.win/palemoon/palemoon-27.10.0.win32-git-20210410-2f3df1855-xpmod-ia32.7z
64bit https://o.rthost.win/palemoon/palemoon-27.10.0.win64-git-20210410-2f3df1855-xpmod.7z

source repo: https://github.com/roytam1/palemoon27

repo changes since my last build:
- import changes from `dev' branch of rmottola/Arctic-Fox:
  - namespace comment (0548ea8a8)
  - Bug 1167411 - Add JSAutoStructuredCloneBuffer::abandon, r=jorendorff (6589a8900)
  - Bug 911972 - MessagePort and MessageChannel in workers, r=smaug, r=bent (4c533d3ca)
  - Bug 1172264 - Track the MDSM's duration as a TimeUnit and eliminate the separate concept of 'end time'. r=jww (49f8f2442)
  - Bug 1172264 - Require Manual disconnection for all mirrors. r=jww (845e57496)
  - Bug 1172264 - Switch MediaDecoder's mDuration represenation to a double. r=jww (dfde6482d)
  - Bug 1172264 - Mirror duration from the MDSM to the MediaDecoder. r=jww (a744fd08f)
  - No bug. Refactor GC type annotations, re=terrence (b6bc5723e)
  - Bug 1132744 - Update set of GC types, r=sfink (935175adb)
  - Bug 967031 - Rename DumpHeapComplete to DumpHeap; r=terrence (337391745)
  - Bug 1169097 - Remove CountHeap; r=sfink (074fdb34c)
  - Bug 1169086 - Use virtual dispatch to implement callback tracer; r=jonco, r=mccr8 (667218a33) (6f81d7d0d)
- import changes from `dev' branch of rmottola/Arctic-Fox:
  - Bug 1164463 - Clean up MediaManager shutdown to be reliable and avoid holding locks while Joining a thread. r=jib (636e2e5dc)
  - missing part of Bug 1154389 - Stop leaking DeviceSuccessCallbackRunnable objects (2f8906119)
  - Bug 1169665 - Have enumerateDevices return empty array on zero devices instead of fail. r=jesup (f83fcb269)
  - Bug 1162720 - enumerateDevices visits main thread for profileDir. r=jesup (20687dcb7)
  - Bug 1173255 - Cleanup MediaManager e10s code in prep for deviceId constraint. r=jesup (43496fe28)
  - Bug 1136110 - Define OS.Constants.Sys.bits. r=yoric (384b01680)
  - Bug 1177892 part 4 - Remove INT_TO_JSVAL. r=evilpie (70fc1c3e7)
  - Bug 1177892 part 5 - Remove DOUBLE_TO_JSVAL. r=evilpie (a6943687b)
  - Bug 1177892 part 6 - Remove UINT_TO_JSVAL. r=evilpie (10fa41862)
  - Bug 1184564 part 1 - Use Value instead of jsval in XPConnect. r=bholley (a6e63ec42)
  - Bug 1184564 part 2 - Use Value instead of jsval in dom/ and storage/. r=bz (e50a374cf)
  - Bug 1184564 part 3 - Use Value instead of jsval in CTypes. r=arai (7f426bbdd)
  - Bug 1155618 - Add better support for testing OOM behaviour r=terrence (382c1005e)
  - fix mispatch of Bug 1092544 - Use assertRecoveredOnBailout in the test suite. (eba837c73)
  - Bug 1138265 - TraceLogger: Throw more errors, r=bbouvier ON CLOSED TREE (02edf22d4)
  - Bug 1184564 part 4 - Use Value instead of jsval in SpiderMonkey. r=evilpie (52f751286)
  - Bug 1184564 part 5 - Remove jsval typedef. r=jorendorff (f08006461) (07bb94721)
- import changes from `dev' branch of rmottola/Arctic-Fox:
  - Bug 1172264 - Mirror duration from the MDSM to the MediaDecoderReader and remove MDSM::GetDuration. r=jww (369a3d1b4)
  - Bug 1172264 - Route mExplicitDuration directly from the mediasource code to MediaDecoder, and stop passing an argument to DurationChanged. r=pending=jww (b429dfe41)
  - Bug 1172264 - Watch mStateMachineDuration, and stop manually firing DurationChanged. r=jww (54091368c)
  - bug 1126065 - Make JS callers of ios.newChannel call ios.newChannel2 in dom/browser-element. r=sicking (8c38534ed)
  - Bug 1144015 - (Browser API) mozbrowseropentab support. r=kchen (8b1eecb4e)
  - Bug 1143650: Update webref failure links r=karlt (b3c94f173)
  - Bug 1172264 - Mark WPT as succeeding. r=jya (664350c56)
  - Bug 1141029 - Disabling mochitests on Mulet with parity to B2G Desktop for taskcluster. r=ahal (73bb186cb)
  - Bug 1144080 - Disable mochitests on Mulet for TaskCluster. r=ahal (0b71b6a05)
  - Bug 1145407: Add mochitests that cause multiple tracks of the same type to be placed in the same remote stream. r=mt (263770e16)
  - Bug 1148649: Reenable video multistream mochitests on debug e10s. r=drno (f7674fe4a)
  - part of Bug 1094764 - Implement AudioContext.suspend and friends. @ (baa450713)
  - Bug 1166803 - Add an `msg` tag to mochitest.ini in dom/media/*. r=jesup (5284df8b2)
  - Bug 1166659 - Add mochitest tags for webaudio and webrtc. r=jesup, r=padenot (f5424f26f)
  - Bug 1087551: updated tests around addIceCandidate(). r=jib (f28cde40b)
  - Bug 1169338 - Part 1: Re-enable a subset of the webrtc mochitests on B2G emulator and Mulet. r=mt (9c0f8c2da)
  - Bug 1143827 - remove default stun server. r=abr,bsmedberg (f1e306a95)
  - Bug 1169338 - Part 2: Extend ICE timeouts since mochitests are frequently run on systems that are performance constrained. r=mt (da6147576)
  - Bug 1155493 - Part 1: Add CaretStateChangedEvent and corresponding utility function. r=roc, sr=smaug (9d710ad21)
  - Bug 995394: Removed parts of BrowserElementPanning.js that are only used when APZ is disabled and added that to a separte file BrowserElementPanningAPZDisabled.js r=botond, a=RyanVM (8b76bca9f)
  - Bug 1138252 - Load BrowserElementPanning.js only if touch events are enabled. r=botond (30f5f3197)
  - Bug 1155493 - Part 2: Event hook for mozbrowser element. r=kanru (6f6db8248)
  - Bug 1162844 - Add meta name="viewmode" to have configurable VR experiences. r=fabrice (07d6d0736)
  - Bug 1163961 - Browser API: Page search. r=kchen, r=ehsan (df0c37dfa)
  - Bug 1179718 - Convert BrowserElement.webidl to use CheckAllPermissions. r=bz (4a92b2c7d)
  - Bug 1147819 - Any media element should be stopped by the AudioChannelService when the window is destroyed, r=ehsan (e949db77f)
  - Bug 1153915 - Null check the window in AudioChannelService::WindowDestroyedEnumerator(); r=baku (b38261d9d)
  - Bug 1089526 - Change speaker state. r=baku (8dbf54b04)
  - Bug 1157121 - Add speaker status checking. r=baku (ec5416680)
  - Bug 1037389 - add support for deviceId in gUM constraints (merged 11 patches). r=smaug, r=jesup (bc6f9640d)
  - Bug 1180748 - Unbreak building with --disable-webrtc. r=jesup (b5d53b666) (2f3df1855)

roytam1 (Author) Posted April 9, 2021

New regular/weekly KM-Goanna release: https://o.rthost.win/kmeleon/KM76.4.3-Goanna-20210410.7z

Changelog:

Out-of-tree changes:
* update Goanna3 to git 5bd78e063..2f3df1855:
- import changes from `dev' branch of rmottola/Arctic-Fox:
  - namespace comment (0548ea8a8)
  - Bug 1167411 - Add JSAutoStructuredCloneBuffer::abandon, r=jorendorff (6589a8900)
  - Bug 911972 - MessagePort and MessageChannel in workers, r=smaug, r=bent (4c533d3ca)
  - Bug 1172264 - Track the MDSM's duration as a TimeUnit and eliminate the separate concept of 'end time'. r=jww (49f8f2442)
  - Bug 1172264 - Require Manual disconnection for all mirrors. r=jww (845e57496)
  - Bug 1172264 - Switch MediaDecoder's mDuration represenation to a double. r=jww (dfde6482d)
  - Bug 1172264 - Mirror duration from the MDSM to the MediaDecoder. r=jww (a744fd08f)
  - No bug. Refactor GC type annotations, re=terrence (b6bc5723e)
  - Bug 1132744 - Update set of GC types, r=sfink (935175adb)
  - Bug 967031 - Rename DumpHeapComplete to DumpHeap; r=terrence (337391745)
  - Bug 1169097 - Remove CountHeap; r=sfink (074fdb34c)
  - Bug 1169086 - Use virtual dispatch to implement callback tracer; r=jonco, r=mccr8 (667218a33) (6f81d7d0d)
- import changes from `dev' branch of rmottola/Arctic-Fox:
  - Bug 1164463 - Clean up MediaManager shutdown to be reliable and avoid holding locks while Joining a thread. r=jib (636e2e5dc)
  - missing part of Bug 1154389 - Stop leaking DeviceSuccessCallbackRunnable objects (2f8906119)
  - Bug 1169665 - Have enumerateDevices return empty array on zero devices instead of fail. r=jesup (f83fcb269)
  - Bug 1162720 - enumerateDevices visits main thread for profileDir. r=jesup (20687dcb7)
  - Bug 1173255 - Cleanup MediaManager e10s code in prep for deviceId constraint. r=jesup (43496fe28)
  - Bug 1136110 - Define OS.Constants.Sys.bits. r=yoric (384b01680)
  - Bug 1177892 part 4 - Remove INT_TO_JSVAL. r=evilpie (70fc1c3e7)
  - Bug 1177892 part 5 - Remove DOUBLE_TO_JSVAL. r=evilpie (a6943687b)
  - Bug 1177892 part 6 - Remove UINT_TO_JSVAL. r=evilpie (10fa41862)
  - Bug 1184564 part 1 - Use Value instead of jsval in XPConnect. r=bholley (a6e63ec42)
  - Bug 1184564 part 2 - Use Value instead of jsval in dom/ and storage/. r=bz (e50a374cf)
  - Bug 1184564 part 3 - Use Value instead of jsval in CTypes. r=arai (7f426bbdd)
  - Bug 1155618 - Add better support for testing OOM behaviour r=terrence (382c1005e)
  - fix mispatch of Bug 1092544 - Use assertRecoveredOnBailout in the test suite. (eba837c73)
  - Bug 1138265 - TraceLogger: Throw more errors, r=bbouvier ON CLOSED TREE (02edf22d4)
  - Bug 1184564 part 4 - Use Value instead of jsval in SpiderMonkey. r=evilpie (52f751286)
  - Bug 1184564 part 5 - Remove jsval typedef. r=jorendorff (f08006461) (07bb94721)
- import changes from `dev' branch of rmottola/Arctic-Fox:
  - Bug 1172264 - Mirror duration from the MDSM to the MediaDecoderReader and remove MDSM::GetDuration. r=jww (369a3d1b4)
  - Bug 1172264 - Route mExplicitDuration directly from the mediasource code to MediaDecoder, and stop passing an argument to DurationChanged. r=pending=jww (b429dfe41)
  - Bug 1172264 - Watch mStateMachineDuration, and stop manually firing DurationChanged. r=jww (54091368c)
  - bug 1126065 - Make JS callers of ios.newChannel call ios.newChannel2 in dom/browser-element. r=sicking (8c38534ed)
  - Bug 1144015 - (Browser API) mozbrowseropentab support. r=kchen (8b1eecb4e)
  - Bug 1143650: Update webref failure links r=karlt (b3c94f173)
  - Bug 1172264 - Mark WPT as succeeding. r=jya (664350c56)
  - Bug 1141029 - Disabling mochitests on Mulet with parity to B2G Desktop for taskcluster. r=ahal (73bb186cb)
  - Bug 1144080 - Disable mochitests on Mulet for TaskCluster. r=ahal (0b71b6a05)
  - Bug 1145407: Add mochitests that cause multiple tracks of the same type to be placed in the same remote stream. r=mt (263770e16)
  - Bug 1148649: Reenable video multistream mochitests on debug e10s. r=drno (f7674fe4a)
  - part of Bug 1094764 - Implement AudioContext.suspend and friends. @ (baa450713)
  - Bug 1166803 - Add an `msg` tag to mochitest.ini in dom/media/*. r=jesup (5284df8b2)
  - Bug 1166659 - Add mochitest tags for webaudio and webrtc. r=jesup, r=padenot (f5424f26f)
  - Bug 1087551: updated tests around addIceCandidate(). r=jib (f28cde40b)
  - Bug 1169338 - Part 1: Re-enable a subset of the webrtc mochitests on B2G emulator and Mulet. r=mt (9c0f8c2da)
  - Bug 1143827 - remove default stun server. r=abr,bsmedberg (f1e306a95)
  - Bug 1169338 - Part 2: Extend ICE timeouts since mochitests are frequently run on systems that are performance constrained. r=mt (da6147576)
  - Bug 1155493 - Part 1: Add CaretStateChangedEvent and corresponding utility function. r=roc, sr=smaug (9d710ad21)
  - Bug 995394: Removed parts of BrowserElementPanning.js that are only used when APZ is disabled and added that to a separte file BrowserElementPanningAPZDisabled.js r=botond, a=RyanVM (8b76bca9f)
  - Bug 1138252 - Load BrowserElementPanning.js only if touch events are enabled. r=botond (30f5f3197)
  - Bug 1155493 - Part 2: Event hook for mozbrowser element. r=kanru (6f6db8248)
  - Bug 1162844 - Add meta name="viewmode" to have configurable VR experiences. r=fabrice (07d6d0736)
  - Bug 1163961 - Browser API: Page search. r=kchen, r=ehsan (df0c37dfa)
  - Bug 1179718 - Convert BrowserElement.webidl to use CheckAllPermissions. r=bz (4a92b2c7d)
  - Bug 1147819 - Any media element should be stopped by the AudioChannelService when the window is destroyed, r=ehsan (e949db77f)
  - Bug 1153915 - Null check the window in AudioChannelService::WindowDestroyedEnumerator(); r=baku (b38261d9d)
  - Bug 1089526 - Change speaker state. r=baku (8dbf54b04)
  - Bug 1157121 - Add speaker status checking. r=baku (ec5416680)
  - Bug 1037389 - add support for deviceId in gUM constraints (merged 11 patches). r=smaug, r=jesup (bc6f9640d)
  - Bug 1180748 - Unbreak building with --disable-webrtc. r=jesup (b5d53b666) (2f3df1855)

* Notice: the changelog above may not always be applicable to XULRunner code which K-Meleon uses.

A goanna3 source tree that has kmeleon adaption patch applied is available here: https://github.com/roytam1/palemoon27/tree/kmeleon76

XPerceniol Posted April 9, 2021

1 hour ago, Sampei.Nihira said: But are our browsers protected too? I did some testing with my NM28 and the answer is yes. For those who want to do a simple test: http://example.com:554/ or https://example.com:554/

Good to know - page wouldn't load on both tests with both Serpent and New Moon :)

XPerceniol Posted April 9, 2021

We're also doing great in other areas; as well :) The only thing I'm showing is weak encryption strength ?

NotHereToPlayGames Posted April 10, 2021

5 hours ago, roytam1 said: New NewMoon 27 Build!

@roytam1 I've pointed this out several times throughout the years but it seems to remain among the forgotten. The "about:permissions" Permissions Manager is still broken! The last version where the Permissions Manager worked fully was palemoon-27.9.6.win32-git-20190803-23551d191-xpmod.

roytam1 (Author) Posted April 10, 2021

1 hour ago, ArcticFoxie said: @roytam1 I've pointed this out several times throughout the years but it seems to remain among the forgotten. The "about:permissions" Permissions Manager is still broken! The last version where the Permissions Manager worked fully was palemoon-27.9.6.win32-git-20190803-23551d191-xpmod.

not forgotten just not able to fix it properly

RainyShadow Posted April 10, 2021 (edited)

https://www.kongregate.com/games/KekGames/unpuzzle

Reaching level 9 causes NM27 to crash every time. Serpent52 seems to work fine. Uses WebGL. Just drag the squares to throw them out.

Graphics
Adapter Description: ATI Radeon HD 2600 Pro AGP
Adapter Drivers: ati2dvag
Adapter RAM: Unknown
Asynchronous Pan/Zoom: none
Device ID: 0x9587
DirectWrite Enabled: false (0.0.0.0)
Driver Date: 4-24-2013
Driver Version: 8.970.100.0
GPU #2 Active: false
GPU Accelerated Windows: 1/1 Direct3D 9 (OMTC)
Subsys ID: 00281002
Supports Hardware H264 Decoding: false
Vendor ID: 0x1002
WebGL Renderer: ATI Technologies Inc. -- ATI Radeon HD 2600 Pro AGP
windowLayerManagerRemote: true
AzureCanvasBackend: skia
AzureContentBackend: cairo
AzureFallbackCanvasBackend: cairo
AzureSkiaAccelerated: 0
webgl.angle.try-d3d11: false
webgl.disable-angle: true
webgl.enable-draft-extensions: true
webgl.enable-privileged-extensions: true
webgl.enable-prototype-webgl2: true
webgl.force-enabled: true
webgl.prefer-native-gl: false

Edited April 10, 2021 by RainyShadow

nicolaasjan Posted April 10, 2021

11 hours ago, Sampei.Nihira said: I ran all the blocked port tests in Chrome but unfortunately Pale Moon decided not to block port 69.

Blocked here by default (Pale Moon 29.1.1; Linux)...:

And in New Moon (28.10.3a1; XP) as well:

Sampei.Nihira Posted April 10, 2021 (edited)

@nicolaasjan I tried now, the port 69 is closed. Many thanks. I probably did too many tests yesterday. Or given the late night hour I was very tired.

P.S. I made the necessary corrections in my post.

Edited April 10, 2021 by Sampei.Nihira

VistaLover Posted April 10, 2021 (edited)

On 4/9/2021 at 7:41 PM, XPerceniol said: but I have these prefs set to the following: (redacted) user_pref("javascript.options.jit_trustedprincipals", true);

If that is on Serpent 52.9.0, on latest build at least, javascript.options.jit_trustedprincipals is not an included pref by default; I found a mention about it here:

Quote: Note that this option will need to be created (as a boolean pref, with value false initially; you can remove it afterwards)

but that Bugzilla bug refers to a relatively recent Firefox version; further searches landed me on: https://github.com/arkenfox/user.js/issues/928 which states:

new in 75beta but commented out by default
//user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]

so, in all probability, it is not applicable to St52...

If you're just picking up user.js files from the web, please make sure first they are valid for the version of the browser used; and remember, St52 != Fx52 (and, certainly, not later Firefox versions... ) ...

Best wishes

Edited April 10, 2021 by VistaLover

XPerceniol Posted April 10, 2021 (edited)

Again, thank you @VistaLover for your research. You got it, I picked that up from this user.js on the net. I (just now) toggled it to "False" and then reset it and now it's empty Lol. For now, I'll just reset those 3 to their defaults. This is what is stated in arkenfox.

Quote:
/* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN]
 * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
 * hidden pref is enabled, then Ion can still be used by extensions (1599226)
 * [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
 * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
// user_pref("javascript.options.ion", false);
// user_pref("javascript.options.baselinejit", false);
// user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]

So I will need to read through it better as I've likely many invalid prefs and I am using 52.9.0.

Best wishes to you as well

Edited April 10, 2021 by XPerceniol
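
One way to automate the check discussed in the two posts above, as an added example (not arkenfox's or the browser's own code). It reads `[FFnn+]` tags like the one in the quoted excerpt and, because a version number alone does not settle whether a fork has a pref, also compares against `knownPrefs`, a hypothetical list of pref names copied from the target browser's about:config.

```javascript
// Constructed sample: the three arkenfox lines quoted in the thread plus the
// active, untagged line from the earlier post.
const SAMPLE_USER_JS = [
  '// user_pref("javascript.options.ion", false);',
  '// user_pref("javascript.options.baselinejit", false);',
  '// user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]',
  'user_pref("javascript.options.jit_trustedprincipals", true);',
].join("\n");

// Extract every user_pref line, active or commented out, with its tags.
function parseUserJs(text) {
  const re = /^\s*(\/\/\s*)?user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;?\s*(?:\/\/(.*))?$/;
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    const note = m[4] || "";
    const ver = /\[FF(\d+)\+\]/.exec(note);
    entries.push({
      name: m[2],
      value: m[3],
      active: m[1] === undefined, // no leading "//" means the pref is applied
      minVersion: ver ? Number(ver[1]) : null,
      hidden: /\[HIDDEN PREF\]/.test(note),
    });
  }
  return entries;
}

// Report active prefs that should not be copied blindly into a profile whose
// browser is based on `baseVersion` (52 for the builds discussed here).
function auditUserJs(text, baseVersion, knownPrefs) {
  const entries = parseUserJs(text);
  const tagged = new Map(); // name -> highest [FFnn+] tag seen anywhere in the file
  for (const e of entries) {
    if (e.minVersion !== null) {
      tagged.set(e.name, Math.max(e.minVersion, tagged.get(e.name) || 0));
    }
  }
  const findings = [];
  for (const e of entries.filter((x) => x.active)) {
    const min = tagged.get(e.name);
    if (min !== undefined && min > baseVersion) {
      findings.push({ name: e.name, reason: `tagged FF${min}+, target is ${baseVersion}` });
    } else if (!knownPrefs.has(e.name)) {
      findings.push({ name: e.name, reason: "not listed in the target browser's about:config" });
    }
  }
  return findings;
}
```

Run against the sample with a base version of 52, it reports only `javascript.options.jit_trustedprincipals`, because the commented-out copy of that pref carries the `[FF75+]` tag.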

Sampei.Nihira Posted April 11, 2021 (edited)

@XPerceniol The Ghacks user.js v.52: https://github.com/arkenfox/user.js/releases?after=55.0 would be more specific to the versions of browsers you mentioned. But not always. Because over time, that is from the year 2017 to now, many settings have changed. For example the Insecure Cipher Suites adopted today compared to yesterday by Pale Moon. My advice is to evaluate case by case and not to use js v.52.

Edited April 11, 2021 by Sampei.Nihira

XPerceniol Posted April 11, 2021 (edited)

So this week I'm going to sit down (it's just easier than trying to do it standing) and go through to see what is (and isn't) valid to New Moon 28 and Serpent 52 - as Roy has some settings already where they should be and I trust him completely; then, I shall cough up a legitimate prefs.js here. Honestly, I don't even really need a user.js - I only have a handful of prefs that I like to personalize (some are not in agreement with arkenfox) and I can do that in the native "about:config". I'll start out with fresh profiles as my profiles are getting a bit 'long in the tooth' anyway.

Enjoy your Sunday everyone

EDIT: Such as.. I'm relatively certain this pref on my computer is not applicable.

user_pref("reversecowgirl_enabled", 1)

Edited April 11, 2021 by XPerceniol