On Wed, 13 Jul 2016 16:53:40 -0400
[email protected] wrote:

> On Tue, Jul 12, 2016 at 05:09:28PM -0500, »Q« wrote
> > On Tue, 12 Jul 2016 12:14:57 -0500
> > R0b0t1 <[email protected]> wrote:
> >   
> > > Pale Moon is routinely behind Firefox on security fixes (actual
> > > fixes, not wanking-in-a-corner fixes).  
> > 
> > Is anyone other than the Pale Moon team itself trying to track its
> > vulnerabilities?  I could only find one CVE for it, from 2013.  
> 
>   See http://www.palemoon.org/releasenotes.shtml with several mentions
> of CVEs and other security fixes.  Given the amount of Firefox code
> still present "under the hood", many Firefox security fixes will also
> apply to Pale Moon.

Checking just a few, the Pale Moon team takes anywhere from a few weeks
to a few months to fix security vulnerabilities which have been
published and fixed by Mozilla.  And other Firefox CVEs aren't
listed by Pale Moon, so it's tough to tell whether or not Pale
Moon is/was affected.  Maybe their fork of Gecko has diverged too much
to easily port Mozilla's fixes, I dunno. But not to worry, they have a
FAQ.

  Is Pale Moon safe to use?

  Absolutely! Pale Moon is based on the Mozilla release source code
  that has a large community of developers and security-aware people,
  next to having seen over a decade of development by now. [...]

OTOH, when it suits him, Moonchild stresses how very different his
codebase is now from Mozilla's.  

AFAICS, no one but the Pale Moon team is tracking Pale Moon
vulnerabilities.  I dunno what to make of their claims that it's safe
to use.
 

