Dr. Drill
Posted January 11, 2020 (edited)

10 hours ago, roytam1 said:
> New build of Serpent/UXP for XP!
> Test binary:
> Win32 https://o.rths.ml/basilisk/basilisk52-g4.5.win32-git-20200104-fd382bb-uxp-26b297510-xpmod.7z
> Win64 https://o.rths.ml/basilisk/basilisk52-g4.5.win64-git-20200104-fd382bb-uxp-26b297510-xpmod.7z
> source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/custom
> IA32 Win32 https://o.rths.ml/basilisk/basilisk52-g4.5.win32-git-20200104-fd382bb-uxp-26b297510-xpmod-ia32.7z
> source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/ia32
> NM28XP build:
> Win32 https://o.rths.ml/palemoon/palemoon-28.9.0a1.win32-git-20200104-d6dd25b5e-uxp-26b297510-xpmod.7z
> Win64 https://o.rths.ml/palemoon/palemoon-28.9.0a1.win64-git-20200104-d6dd25b5e-uxp-26b297510-xpmod.7z

Old links in the post - 20200104.
And here too - https://rtfreesoft.blogspot.com/search/label/browser

Edited January 11, 2020 by Dr. Drill

roytam1 (Author)
Posted January 11, 2020

16 minutes ago, Dr. Drill said:
> Old links in the post - 20200104.
> And here too - https://rtfreesoft.blogspot.com/search/label/browser

fixed

roytam1 (Author)
Posted January 11, 2020

and yeah moonchild did same fix in their tree. https://github.com/MoonchildProductions/UXP/commit/60dc9eaa95b96abbe881063b62304a58eadd6b8e

Sampei.Nihira
Posted January 11, 2020

14 hours ago, roytam1 said:
> patch ported. https://github.com/roytam1/UXP/commit/b8ab527949bdf21e00bbcd4173d58ebfa373b6ed

Thanks a lot for patching browsers from this dangerous security vulnerability.

DanR20
Posted January 11, 2020 (edited)

Was that link to an older version of basilisk? Might explain the crashes I was having last night. Redownloaded today and so far it seems fine but it's only been a few hours. Since this is Windows 7 it could be related to this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1606138#c25

Edited January 11, 2020 by DanR20

cloudstr
Posted January 11, 2020

On 1/9/2020 at 1:05 PM, roytam1 said:
> K-Meleon 74 with Goanna 2.2 archive refreshed with sha384 support: http://o.rths.ml/gpc/files1.rt/KM74-g22-20180718.win2000.7z
> pm26 archive also refreshed: http://o.rths.ml/gpc/files1.rt/palemoon-26.5.0-20180718.win2000.7z

Hi roytam1,
Could you please provide an update for the file "palemoon.exe" from pm26xp-no-manifest.7z package also? The "refreshed" build of PM26 causing BSOD on my xp sp2 machine due to manifest issue. I can fix the issue by replacing those files from pm26xp-no-manifest.7z package, but "palemoon.exe" seems to be an old version (26.5.0.6699), the newest one is version 26.5.0.7312.
Thank you!

roytam1 (Author)
Posted January 11, 2020

6 hours ago, cloudstr said:
> Hi roytam1,
> Could you please provide an update for the file "palemoon.exe" from pm26xp-no-manifest.7z package also? The "refreshed" build of PM26 causing BSOD on my xp sp2 machine due to manifest issue. I can fix the issue by replacing those files from pm26xp-no-manifest.7z package, but "palemoon.exe" seems to be an old version (26.5.0.6699), the newest one is version 26.5.0.7312.
> Thank you!

it should be possible to overwrite new build with files from pm26xp-no-manifest.7z without issue. but anyway it is updated.

VistaLover
Posted January 12, 2020

23 hours ago, DanR20 said:
> On 1/11/2020 at 1:57 AM, roytam1 said:
> > - Block Nouveau NV96 mesa driver layers acceleration. (b7841e5cf)
>
> Whatever you do, please don't re-block ATI radeon drivers. I'm even getting good acceleration in an old W2k box ...

Please understand Roytam1 doesn't block graphics drivers on his own, only upstream do...
FWIW, https://github.com/MoonchildProductions/Pale-Moon/commit/b7841e5 was pushed to mitigate crashes on Linux, as reported in https://forum.palemoon.org/viewtopic.php?f=37&t=23512
But previous commit was reverted by Moonchild on Jan 10th, via https://github.com/MoonchildProductions/Pale-Moon/commit/b4a6053 ... which @roytam1 might've missed by a narrow margin (was published on GitHub at 202001101821UTC); in any case, nothing to fear on Windows...

DanR20
Posted January 12, 2020 (edited)

48 minutes ago, VistaLover said:
> ... Please understand Roytam1 doesn't block graphics drivers on his own, only upstream do... FWIW, in any case, nothing to fear on Windows...

Yes that’s true, my comment was meant for the whole MC team since I know some of them are following this thread. Fortunately Roy sometimes reverts changes so if they do get re-blocked I can ask nicely. --). As I've stated many times before, these latest versions of UXP are what Firefox 52 should have and could have been if the developers took the time to listen to users.

Edited January 12, 2020 by DanR20

NotHereToPlayGames
Posted January 12, 2020 (edited)

17 hours ago, Sampei.Nihira said:
> Thanks a lot for patching browsers from this dangerous security vulnerability.

Ugh! I "dislike" posts like this. I did NOT patch my browser (approx 28.2.2) and I do NOT feel "vulnerable"! I contend that you are only "vulnerable" if you visit web sites you probably shouldn't be on in the first place And if you enable JavaScript by default and don't white-list then you INVITE "vulnerabilities". The ONLY way to TRULY be protected from ZERO-DAY vulnerabilities is to NOT enable JavaScript! Correct me if I'm mistaken, but aren't *ALL* Zero-Day vulnerabilities spread via JavaScript?

Edited January 12, 2020 by ArcticFoxie

Sampei.Nihira
Posted January 12, 2020 (edited)

2 hours ago, ArcticFoxie said:
> Ugh! I "dislike" posts like this. I did NOT patch my browser (approx 28.2.2) and I do NOT feel "vulnerable"! I contend that you are only "vulnerable" if you visit web sites you probably shouldn't be on in the first place And if you enable JavaScript by default and don't white-list then you INVITE "vulnerabilities". The ONLY way to TRULY be protected from ZERO-DAY vulnerabilities is to NOT enable JavaScript! Correct me if I'm mistaken, but aren't *ALL* Zero-Day vulnerabilities spread via JavaScript?

But what are you writing? It is the primary duty of each team to patch zero-Days bugs especially if there are recognized on the wild attacks.
https://securityaffairs.co/wordpress/96181/hacking/cve-2019-17026-firefox-zero-day.html
Regarding javascript you are not at risk (almost never) if they are totally disabled. But this is impossible take for example this website where you have to enable them, even if only partially, to login.
See my analysis below:
https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fmsfn.org%2Fboard%2F
The Content Security Policy of the website is not implemented. This means that you may be at risk of XSS attacks. and also of MITM attacks.
I'll put you on a test to check your XSS protections:
http://www.example.com/>"><script>alert("XSS")</script>&
Mine are perfect:

Edited January 12, 2020 by Sampei.Nihira

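The post above ties a missing Content Security Policy to XSS exposure. As an added example that is not part of the thread or of any poster's code, this Node.js sketch evaluates whether a given policy value would refuse an injected inline script such as the test string in the post; the function names and all sample header values are constructed for illustration.

```javascript
// Added example (not from the thread). All header values below are constructed.

// Parse a Content-Security-Policy header value into Map(directive -> source tokens).
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Would an enforced policy stop an injected inline <script> that carries no nonce?
// Pass the Content-Security-Policy value; the -Report-Only header never blocks.
function inlineScriptVerdict(headerValue) {
  if (!headerValue || !headerValue.trim()) {
    return { blocked: false, reason: 'no policy delivered' };
  }
  const csp = parseCsp(headerValue);
  // <script> elements are governed by script-src-elem, then script-src, then default-src.
  const sources = csp.get('script-src-elem') || csp.get('script-src') || csp.get('default-src');
  if (!sources) {
    return { blocked: false, reason: 'policy does not restrict scripts' };
  }
  const lower = sources.map((s) => s.toLowerCase());
  // CSP3: 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
  const neutralised = lower.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  if (lower.includes("'unsafe-inline'") && !neutralised) {
    return { blocked: false, reason: "'unsafe-inline' permits injected inline scripts" };
  }
  return { blocked: true, reason: 'inline script without a matching nonce or hash is refused' };
}

// Constructed sample policies, from absent to strict.
const samples = [
  '',
  "img-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "default-src 'self'",
  "script-src 'nonce-abc123' 'unsafe-inline'",
];
for (const header of samples) {
  const v = inlineScriptVerdict(header);
  console.log(JSON.stringify(header), '->', v.blocked ? 'blocked' : 'NOT blocked', `(${v.reason})`);
}
```

A policy only limits what injected markup can execute; correct output encoding in the application remains the primary fix for XSS.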
NotHereToPlayGames
Posted January 12, 2020

29 minutes ago, Sampei.Nihira said:
> It is the primary duty of each team to patch zero-Days bugs especially if there are recognized on the wild attacks.

Primary duty? NO, IT ISN'T! Anybody that runs WinXP (as I do and as you do) is a HYPOCRITE if they feel that ZERO-DAY exploits should be fixed "immediately". If we want to run WinXP, which I wholeheartedly support and run it on FOUR of my FIVE home computers (the fifth runs Win 2003), then we can NOT do that on one hand and shout from rooftops to patch a zero-day on the other hand. That *IS* the very definition of hypocrisy! But anywhoo...

Sampei.Nihira
Posted January 12, 2020

Not to mention that each browser currently has remote exploitable vulnerabilities, not yet recognized, which could allow to exploit an OS that is no longer patched. So I also highly recommend that you use also dedicated anti-exploit protection for your browser. As an additional line of defense in the case of browser bypassing............

roytam1 (Author)
Posted January 12, 2020

3 hours ago, ArcticFoxie said:
> aren't *ALL* Zero-Day vulnerabilities spread via JavaScript?

no, it can be anything you received from remote, for example, HTML, CSS, images, videos, audios, etc.

VistaLover
Posted January 13, 2020 (edited)

On 1/12/2020 at 10:07 AM, Sampei.Nihira said:
> It is the primary duty of each team to patch zero-Days bugs especially if there are recognized on the wild attacks.

Special message from upstream: https://forum.palemoon.org/viewtopic.php?f=1&t=23605 (and https://forum.palemoon.org/viewtopic.php?p=181666#p181666 )

Edited January 13, 2020 by VistaLover: Added second link