[Deletion of "Custom File and Folders" takes 10x as long as Delete in Explorer]

21 hours ago, trium said:

(1 gb

Sorry, not 1 gb. 

Some 100's if mb :-).

perhaps its slow because it delete every single entry - step by step instead of cleaning all entrys in one step (secure deletion...)

[Deletion of "Custom File and Folders" takes 10x as long as Delete in Explorer]

On 12/02/2022 at 11:51, warpc0il said:

It's only when clearing Custom File and Folders that the problem occurs.
 

Perhaps its only by me but the cleaning of ff cache with a fews days without cleaning it takes a little bit longer (1 gb or so)

[ublock users]

ublock v1.41.2

10. Feb 2022

Notes

Mozilla Add-ons Team rejected 1.41.0 and disabled the submission, and this breaks the history of uBO's versions for Firefox. See Release 1.41.0 for complete release notes for 1.41.2.

Closed as fixed:

• Textarea focus border is slightly cut off from the sides in the static filter pane in the logger

Notable commits without an entry in the issue tracker:

• Use theme-related shade of red for DOM inspector
• Fix bad font size in DOM inspector
• Fix visually glitchy Create button in element picker

[ublock users]

ublock v1.41.0

08. Feb 2022

Firefox: Rejected by Mozilla Add-ons Team. The reason is that I did not provide an exact link to the origin of the hsluv-0.1.0.min.js library used by uBO to implement dark theme (uBO's About page does credit the author of the library). A README has been added to 1.41.2 to disclose the exact origin of the library.

Notes

Minimum supported browser versions has been bumped up:

• Firefox 68
• Chromium 66
  • Consequently, Opera 53

New

Dark mode

Support for dark mode added to the Settings pane, under the (new) Appearance section:

The new setting can be either Auto, Light, or Dark.

In addition, there is a new setting to control the accent color used by uBO throughout its user interface:

For example, changing the accent color changes the look of the popup panel:

Behavior at browser launch

A new setting in "Filter lists" pane to control whether uBO should wait for all filter lists to be loaded before unsuspending network activity.

By default, at browser launch uBO waits for all filter lists to be loaded before unsuspending network activity so as to ensure web pages are properly filtered at launch.

The new setting allows to opt out of network activity suspension at launch, i.e. allowing web pages to load without waiting for filter lists to be fully loaded, of course at the cost of potentially not filtering properly those web pages.

Closed as fixed:

Chromium-based browsers

• Conflicted with another extension called WebRTC Protect

Core

• Logger incorrectly reporting header= filters
• Picker is broken by quotation mark in attribute
• Use "…" instead of "..."
• Fix bad detection of unnecessary trailing |
• Unexplained popup block on streamlare
• Scrollbars appear in click2load.html
• Element Zapper denies on a specific website
• Prevent uBO from hiding html or body when matched by a generic cosmetic filter (final fix)
• Dark Mode support

Notable commits without an entry in the issue tracker:

• Add a redirectable script that sets canRunAds true
  • Related commit (contributed by @Yuki2718)
• Raise minimum versions of browsers
• Improve dealing with ambiguity in regex-based-looking network filters
• Improve google-analytics shim
• Fix regression causing regex-based filters to be case sensitive
• Add shim for FingerprintJS (aka Fingerprint v3)
• Disable the suspending of network requests when installing the extension
• Do not select background images as best candidate in picker
• Add "blockedDetails" section to troubleshooting information
• Remove "ABP X Files" from stock filter lists
• Add setting to control suspension on network activity at launch
• Make FilterJustOrigin derive from FilterOriginHitSet

[ublock users]

ublock v1.40.8

11. Jan 2022

• Fix selfie with invalid data in some circumstances (reported internally by @gwarser)
  • Fix bad release 1.40.6: the previous release should have forced an invalidation of existing selfie, I overlooked this.

[ublock users]

ublock v1.40.4

02. Jan 2022

Notes

This release is intended for Chromium-based browsers only.

Closed as fixed:

Chromium

• Better test for presence of browser extensions API

Notable commits without an entry in the issue tracker:

• Offer a way to disable tab-reloading at launch on Chromium-based browsers
• Fix broken suspendTabsUntilReady for Chromium-based browsers

[ublock users]

ublock v1.40.2

26. Dec 2021

Closed as fixed:

• localhost: breakage

[ublock users]

ublock v1.40.0

22. Dec 2021

Notes:

Given that the format of compiled lists and selfie changed, this may cause a noticeable delay for the first launch after updating to 1.40.0 on less powerful devices. For a concrete example, in Firefox for Android I got ~7 seconds launch time after update to 1.40.0. Subsequent launches will be back to normal, for example on mobile I get ~790ms with selfie (and "uBlock filters -- Annoyances" enabled). On more powerful devices, this should be less noticeable if at all.

Closed as fixed:

• Inconsistent line-break in the support pane for Japanese environment
• Wrong description in Trusted site pane
• Update nobab
• Specific-generic cosmetic filter is not disabled by generichide
• "Your request URL is too long": problem with too many filters and the new "problem with filter lists" button
• Exceptions do not work when processing requests with long paths

Notable commits without an entry in the issue tracker

• Improve auto-completion in "My filters" editor
• Store domain= option into trie container's character buffer
• Partially bring suspendTabsUntilReady out of experimental status
• Fix potentially reporting wrong context in logger for ghide filters
• Fine-tune static network filtering engine code
• Wait for placeholders to be present (in googlesyndication_adsbygoogle.js)
• Create synthetic event for new windows created from external application
• Add window.close scriptlet
• Store regex filter pattern into bidi-trie buffer
• Ignore pointless trailing *^ in network filters
• Change compiled list format to a saner block id management
• Store generic pattern string into bidi-trie buffer
• Remove classes specialized in handling single-wildcarded patterns
• Refactoring work in static network filtering engine
• Have getAll() returns at least one neutered Tracker object

[ublock users]

ublock v1.39.2

30. Nov 2021

Closed as fixed

• 'Address of webpage' textbox needs to be readonly or changes to it need to be monitored

Notable commits without an entry in the issue tracker

• Fine tune new reporting feature
• Link to filter descriptions (patch by @breyed)
• Reject generic HTML block filters

[ublock users]

ublock v1.39.0

Important

Fixed security issues reported by @hackvertor, see "uBlock, I exfiltrate: exploiting ad blockers with CSS".

New

A new "Report an issue on this website" icon has been added to the popup panel, to make it easier to report filter issue to volunteers maintaining filter lists. Reporting filter issues through this new feature requires a GitHub account.

A new Support pane has been added to the dashboard, to make it easy for users to share technical information about their current uBO's configuration, and consequently make it easier for volunteers to diagnose reported issues.

Closed as fixed

Chromium

• Text editing boxes have mouse location issues in higher DPIs
• Cosmetic filters not working on many websites with "Experimental Web Platform features" in chrome://flags
  • This also fixed "Security: Comments can still be used to smuggle arbitrary CSS", which was reported afterward.

Core

• [discovered by @hackvertor] Security: Cosmetic filters can make background requests using image-set() on Firefox
• uBlock GA overwrites breaking _link implementation when using a named property
• [discovered by @hackvertor] Security: Smuggle arbitrary CSS inside cosmetic uBlock filters
• [discovered by @hackvertor] Security: JavaScript URL injection allowed in query string parameter and redirection to uBlock origin urls
• Fix not highlighting cases of invalid syntax
• [patch by @pixeltris] Twitch bypass is circumvented
• Extension report website adblocking option
• [patch by @eligrey] Don't assume document.documentElement is non-null
• Add support for pseudo classes

Notable commits without an entry in the issue tracker

• Do not decode query parameter name when used as token
• Suggest network filter as best candidate by default
• Auto-escape commas in removeparam's regexes
• Simplify handling of valid HTML tags in i18n files
• Give precedence to negated types in case of ambiguity
• Fix regression in isBlockImportant()
• Add refresh-defuser scriptlet
• Add advanced setting to modify default webext flavor
• Convert fingerprint2.js scriptlet into a redirectable resource

 

 

[ublock users]

ublock v1.38.6

Closed as fixed

• [patch by @pixeltris] Fix broken twitch.tv functionality

[ublock users]

ublock v1.38.4

Notable commits without an entry in the issue tracker

• Update twitch-videoad scriptlet (solution contibuted by @pixeltris)

[ublock users]

ublock v1.38.2

Closed as fixed:

• Regression with important filter option
• Weird issues with removeparam and negated types

[ublock users]

ublock v1.38.0

New

:matches-path(...)

New cosmetic procedural operator, :matches-path(...). See "Add $path modifier of Adguard or any equivalents of this".

Node.js

A new Node.js package will now published with every release. The package allows to import and use uBO's static and dynamic filtering engines into Node.js. This is currently minimal and a first iteration, and issues regarding the Node.js package are accepted in order to improve usability of uBO's filtering engines in a Node.js package. The ability to run code from a Node.js package also opens the door to have test coverage in uBO.

For now the package can be downloaded and unzipped locally. Once installed, you can execute node test in the root of the package to verify that the static network filtering engine works properly. For usage, refer to the test.js, or ublock.js used in Cliqz's benchmark.

Since I have little experience with dealing with Node.js environment/packages, thanks to @mjethani for assistance.

Removed

The setting "Prevent WebRTC from leaking local IP addresses" has been removed since it is no longer necessary in modern browsers, except for Firefox for Android where the issue is still present.

Closed as fixed:

• Remove WebRTC leak prevention
• $removeparam doesn't work well with UrlEncoded gb2312 Chinese word
• Scriptlets don't work randomly in Firefox
• Security: comments can be used to smuggle url() functions into css values
• Prevent uBO from hiding html or body when matched by a generic cosmetic filter
• On Android Popup Overlays [or Underlays] On-Screen Navigation Buttons
• Add $path modifier of Adguard or any equivalents of this
• The overview panel will not show everything if the uBO's icon is placed in the Firefox overflow menu
• [patch by @vtriolet] TypeError in noscript-spoof scriptlet with invalid meta refresh URL
• TypeError when trying to use element picker on plaintext resource
• Split out core functionality into separate module
  • This is of course an ongoing work for the foreseeable future, but the concrete goal sought in the issue has been reached, i.e. the static network filtering engine can be used as a nodejs module with no external dependencies.
  • Since uBO's codebase now uses JS modules, the minimum version of supported browsers has been increased to Chromium 61, Firefox 60, and Opera 48.

Notable commits without an entry in the issue tracker

• Better lookup all elements under mouse cursor in element picker
• Add visual hint to grab area of element picker dialog
• Add no-xhr-if scriptlet
• Refactor hntrie to avoid the need for boundary cells
• Fix bad test in WASM version of HNTrieContainer
• Export the rule-based filtering engines to the nodejs package
• Rewrite logical expressions for ESLint
• [patch by @mjethani] Add Makefile
• [patch by @mjethani] Make uAssets a submodule
• Ensure compiled sections are ordered in ascending id
• Fix handling of some procedural cosmetic filters with explicit :scope

[The Firefox/Mozilla Thread]

ff v.91.6.0 esr

08. february 2022

Fixed

• Various stability, functionality, and security fixes

Quote

Security Vulnerabilities fixed in Firefox ESR 91.6

Announced February 8, 2022

Impact high

Products Firefox ESR

Fixed in

• Firefox ESR 91.6

#CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance Service

Reporter Seb Patane

Impact high

Description

A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access.
This bug only affects Firefox on Windows. Other operating systems are unaffected.

References

• Bug 1732435

#CVE-2022-22754: Extensions could have bypassed permission confirmation during update

Reporter Rob Wu

Impact high

Description

If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions.

References

• Bug 1750565

#CVE-2022-22756: Drag and dropping an image could have resulted in the dropped object being an executable

Reporter Abdulrahman Alqabandi

Impact moderate

Description

If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it.

References

• Bug 1317873

#CVE-2022-22759: Sandboxed iframes could have executed script if the parent appended elements

Reporter Johan Carlsson

Impact moderate

Description

If a document created a sandboxed iframe without allow-scripts, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox.

References

• Bug 1739957

#CVE-2022-22760: Cross-Origin responses could be distinguished between script and non-script content-types

Reporter Luan Herrera

Impact moderate

Description

When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin.

References

• Bug 1740985
• Bug 1748503

#CVE-2022-22761: frame-ancestors Content Security Policy directive was not enforced for framed extension pages

Reporter Mart Gil Robles (Mart at FlowCrypt)

Impact moderate

Description

Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy.

References

• Bug 1745566

#CVE-2022-22763: Script Execution during invalid object state

Reporter Mozilla Fuzzing Team

Impact moderate

Description

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible.

References

• Bug 1740534

#CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6

Reporter Mozilla developers and community

Impact high

Description

Mozilla developers and community members Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

• Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6

[The Firefox/Mozilla Thread]

ff v97.0

08. february 2022

New

• Firefox now supports and displays the new style of scrollbars on Windows 11.

Fixed

• On macOS, we’ve made improvements to system font loading which makes opening and switching to new tabs faster in certain situations.

• Various security fixes

Changed

• On February 8, we will be expiring the 18 colorway themes of Firefox version 94. This signals the end of a special, limited-time feature set. However, you can hold onto your favorite colorway, as long as you’re using it on the expiration date. In other words, if a colorway is “enabled” in the add-ons manager, that colorway is yours forever. Read more about colorway updates here.

• Support for directly generating PostScript for printing on Linux has been removed. Printing to PostScript printers still remains a supported option, however.

Enterprise

• Various bug fixes and new policies have been implemented in the latest version of Firefox. You can find more information in the Firefox for Enterprise 97 Release Notes.

Developer

Developer Information

unresolved

• Users running WebRoot SecureAnywhere Antivirus may experience impaired functionality when upgrading to Firefox 97. Closing WebRoot will allow Firefox to resume normal operation.

[The Firefox/Mozilla Thread]

ff v91.5.1 esr

27. january 2022

Fixed

• Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry (bug 1752317)

[The Firefox/Mozilla Thread]

ff v96.0.3

27. january 2022

Fixed

• Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry (bug 1752317)

[The Firefox/Mozilla Thread]

ff v96.0.2

20. january 2022

Fixed

• Fixed an issue that caused tab height to display inconsistently on Linux when audio was played (bug 1714276)

• Fixed an issue that caused Lastpass dropdowns to appear blank in Private Browsing mode (bug 1748158)

• Fixed a crash encountered when resizing a Facebook app (bug 1746084)

[The Firefox/Mozilla Thread]

ff v96.0.1

14. january 2022

Fixed

• Addresses proxy rule exceptions not working on Windows systems when "Use system proxy settings" is set (bug 1749501)

• Improvements to make the parsing of content-length headers more robust (bug 1749957)

[The Firefox/Mozilla Thread]

ff v91.5.0 esr

11. january 2022

Fixed

• Various stability, functionality, and security fixes

Quote

Security Vulnerabilities fixed in Firefox ESR 91.5

Announced January 11, 2022

Impact high

Products Firefox ESR

Fixed in

• Firefox ESR 91.5

#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof

Reporter Irvan Kurniawan

Impact high

Description

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.
This bug only affects Thunderbird for Windows. Other operating systems are unaffected.

References

• Bug 1735071

#CVE-2022-22743: Browser window spoof using fullscreen mode

Reporter Irvan Kurniawan

Impact high

Description

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

References

• Bug 1739220

#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode

Reporter Irvan Kurniawan

Impact high

Description

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

References

• Bug 1739923

#CVE-2022-22741: Browser window spoof using fullscreen mode

Reporter Irvan Kurniawan

Impact high

Description

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

References

• Bug 1740389

#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner

Reporter bo13oy of Cyber Kunlun Lab

Impact high

Description

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

References

• Bug 1742334

#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur

Reporter Atte Kettunen

Impact high

Description

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

References

• Bug 1742382

#CVE-2022-22737: Race condition when playing audio files

Reporter bo13oy of Cyber Kunlun Lab

Impact high

Description

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

References

• Bug 1745874

#CVE-2021-4140: Iframe sandbox bypass with XSLT

Reporter Peter Van der Beken

Impact high

Description

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

References

• Bug 1746720

#CVE-2022-22748: Spoofed origin on external protocol launch dialog

Reporter Alesandro Ortiz

Impact moderate

Description

Malicious websites could have confused Thunderbird into showing the wrong origin when asking to launch a program and handling an external URL protocol.

References

• Bug 1705211

#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event

Reporter Jannis Rautenstrauch

Impact moderate

Description

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

References

• Bug 1735856

#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection

Reporter Mattias Jacobsson

Impact moderate

Description

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.
This bug only affects Firefox for Windows. Other operating systems are unaffected.

References

• Bug 1737252

#CVE-2022-22747: Crash when handling empty pkcs7 sequence

Reporter Tavis Ormandy

Impact low

Description

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

References

• Bug 1735028

#CVE-2022-22739: Missing throttling on external protocol launch dialog

Reporter Alesandro Ortiz

Impact low

Description

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

References

• Bug 1744158

#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

Reporter Mozilla developers and community

Impact high

Description

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

• Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

[The Firefox/Mozilla Thread]

ff v96.0

11. january 2022

New

• We’ve made significant improvements in noise-suppression and auto-gain-control as well as slight improvements in echo-cancellation to provide you with a better overall experience.

• We’ve also significantly reduced main-thread load.

• When printing, you can now choose to print only the odd/even pages.

Fixed

• On macOS, command-clicking links in Gmail now opens them in a new tab as expected.

• Our newest release fixes an issue where video intermittently drops SSRC.

• It also fixes an issue where WebRTC downgrades screen sharing resolution to provide you with a clearer browsing experience.

• Plus, we’ve fixed video quality degradation issues on certain sites.

• Detached video in fullscreen on macOS has been temporarily disabled to avoid some issues with corruption, brightness changes, missing subtitles and high cpu usage.

• Various security fixes

Enterprise

• Various bug fixes and new policies have been implemented in the latest version of Firefox. You can find more information in the Firefox for Enterprise 96 Release Notes.

Developer

Developer Information

• Firefox for Linux changes the shortcut key for "Select All" from Alt-A to Ctrl-A for solving web-compatibility and avoiding conflict with access keys. If you want to keep using Emacs like key bindings, e.g., you configured your GTK settings to use Ctrl-A as a shortcut key for moving caret to beginning of a line, you must change ui.key.textcontrol.prefer_native_key_bindings_over_builtin_shortcut_key_definitions and ui.key.use_select_all_in_single_line_editor from about:config. Currently, these are disabled by default but will be enabled by default in a future release.

Web Platform

• The Web Locks API landed. This allows scripts running in different service workers or tabs to coordinate with each other.

• WebRTC library updated, bringing improved audio and video features for web conferencing applications.

• Added CSS color-scheme support to allow web pages to indicate which color schemes they can be rendered with (for example, operating system dark mode).

[CCleaner Professional für Windows für 3 Geräte]

hallo timon,

nach dem, was ich so gelesen habe, glaube ich nicht, dass du deine lizenz auf die ccleaner-app für android übertragen kannst.

ich denke, bei der windows-version kannst du ccleaner pro nur 3 windows-computern verwenden und auf der android-version kannst du ccleaner auf mehr als 1 android gerät verwenden.

 

Quote

We don't include CCleaner for Android, Chromebooks, and Kindle Fire in the Professional Plus bundle.

Quote

The CCleaner Professional Plus bundle works on up to 3 computers

Quote

Your CCleaner Android Pro subscription is connected to your Google account, and activates automatically on all devices connected to your account when you install the app. If the premium features are not automatically unlocked, you can activate an existing subscription in your CCleaner Android settings.

 

[The Firefox/Mozilla Thread]

ff v91.4.1 esr

16. dec 2021

Fixed

• Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains (bug 1745600)

[The Firefox/Mozilla Thread]

ff v95.0.2

19. dec 2021

Fixed

• Addresses frequent crashes experienced by users with C/E/Z-Series "Bobcat" CPUs running on Windows 7, 8, and 8.1.