友声网

 找回密码
 立即注册

QQ登录

只需一步,快速开始

搜索
开启左侧

[原创]中兴 ZTE H618B 小改造+刷固件救砖

[复制链接]
卡卡北 发表于 2016-12-29 10:00 | 显示全部楼层 |阅读模式
年底整理书房,找到一个闲置的中兴H618B,这是2014年买的,当时刷成砖了就放起来了,居然还在......

另两台H618B 2012年买的,小改过。
至今退役过各种路由器(841、300R、841、88*...、Dir618、Wayos),但是那两台中兴H618B依然是备用+主力。
不过当年买的时都是二手,后来清理后才能入眼。

现在基本就用这两台H618B,有线、无线运行稳定,无线信号强大,家用实在是找不出比这更好的。
但是不经过小改的H618B还是很一般的,只有激发出其潜质才能成为真正神器。

到此开始路由器的修改,欢迎您继续收看友声网卡卡北的网络"软文"
硬件小改:
1、增加散热
路由器大负荷时,比如通宵BT,没有散热片是不能维持长久稳定的。
改造也相对简单。
用料:
废主板或其他PCB板拆下的散热片、散热硅脂、热熔胶
改造方法:处理器涂散热硅脂,将散热片按压到处理器上,热熔胶打胶固定
当然如果有凝固性的硅脂也可以使用,个人推荐还是按我的方法散热要好些。
改造后:


2、改外置天线
增强无线信号和增加无线稳定性的关键一步。
过程很简单,效果见上图
这里就只需要反转c99贴片电容


ZTE H618B 刷机方式
之前忘记怎么刷成砖了,不过以下方法只要原来不是Tomato DualWAN固件,救砖成功率还是很高的。

刷机方式:
1.、设置电脑为固定IP
以XP、2003为例:
桌面---网上邻居---右键属性---本地连接---右键属性---TCP/IP协议---属性


2、刷机准备
打开H618B路由器电源,连接网线在路由器LAN1~LAN4任意端口

打开命令提示符
或开始---运行---cmd

出现的功能框中输入:ping 192.168.1.1 -t
点击回车开始ping 路由

出现如图所示 说明路由器连接正常.

打开TFTP刷机程序(文章末尾附件中有下载)


路由器IP:192.168.1.1
密码:留空
固件文件:选择下载的固件 (文章末尾附件有下载)
刷新次数:99

3、开始刷机
打开TFTP并设置好后,点击更新固件

关闭路由器电源,3秒钟后打开电源

此时观察正在运行的PING窗口中的 TTL值.
之前为TTL=64 关闭路由器会出现 time out 或者其他
再打开电源之后,稍等片刻会出现TTL=100
在第一出现TTL=100时,TFTP刷机程序会开始自动刷机。


直到出现

此时说明路由器刷新完成.。
等待3~10分钟,观察PING窗口出现TTL=64时,说明路由器刷新成功。
否则请重新断开路由器电源,重复第3步。

提示:如果是已经刷了Tomato DualWAN,忘记密码了,请不要用这个方法,基本上刷不成。
刷过Tomato DualWAN的H618B恢复键也是无效的,只能用别的方法刷机。
所以刷过Tomato DualWAN请牢记路由器帐户密码!

文章中用到的程序及固件:

下载地址:
tftp(刷路由).rar:
网盘 密码:dyqw
MD5:6590971125eebf97811f19328fa52523

tomato_dual_15.02.0068.rar:
网盘 密码:7rsz
MD5:ebe978777b5c9565373d411e42d3b36c

如果下载链接失效,请随时留言!
 楼主| 卡卡北 发表于 2016-12-29 10:12 | 显示全部楼层

Pale Moon for XP

Pale Moon for XP
下载:点击进入下载页面
语言包:
zh-CN:点击进入下载页面
zh-TW:点击进入下载页面
 楼主| 卡卡北 发表于 2016-12-29 10:13 | 显示全部楼层
语言包安装说明:
1、将简体中文语言包直接拖动到PaleMoon界面中,出现倒计时后点”instal”开始安装;
2、地址栏输入 about:config 搜索 general.useragent.locale  默认值改 zh-CN,重启。

 楼主| 卡卡北 发表于 2016-12-29 10:14 | 显示全部楼层

Pale Moon: Release notes

27.7.2 (2018-02-01)This is a security and stability update.

Changes/fixes:
  • Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
  • Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre.
    This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
  • Improved the debug-only startup cache wrapper to prevent a rare crash.
  • Fixed a crash in the XML parser.
  • Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
  • Fixed a potential race condition in the browser cache.
  • Fixed a crash in HTML media elements (CVE-2018-5102)
  • Fixed a crash in XHR using workers.
  • Fixed a crash with some uncommon FTP operations.
  • Fixed a potential race condition in the JAR library.
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

27.7.1 (2018-01-18)This is a minor emergency update to address website breakage and a theme issue.

Changes/fixes:
  • Added support for Array.prototype[@@unscopables].
    Unfortunately, the addition of Javascript's ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank or not complete loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature.
  • Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows.


27.7.0 (2018-01-15)This is a stability and bugfix release, as well as adding a number of new features to further improve web compatibility.

Changes/fixes:
  • Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from "Options" to "Preferences" on Windows).
  • Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to better reflect what it does.
  • Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
  • Fixed an issue on Mac builds not properly populating the application menu.
  • Added "My home page" as an option for new tabs.
  • Added an option to disable the 4th and 5th mouse buttons (Windows).
    (mouse.button4.enabled and mouse.button5.enabled, respectively)
  • Improved the resetting of non-default profiles.
  • Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
  • Made several more improvements to the details/summary tags to align them with the current spec and fix some additional bugs.
  • Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers.
    (this should fix layout issues with Twitch's new web interface)
  • Fixed an issue where CSS clone operations would draw a border.
  • Changed the way fractional border widths are rounded to provide more natural behavior.
  • Fixed an issue where number inputs would incorrectly be flagged as read-only.
  • Added assets for tile display in the Windows start panel.
  • Finished sync infra swapover by adding a one-time pref migration for server used.
  • Improved WebAudio API: Return the connected audio node from AudioNode.connect()
  • Added support for a default playback start position in media elements.
  • Fixed an assert in cubeb-alsa code (Linux).
  • Added support for media cue-change events (e.g. subtitles).
  • Updated SQLite to 3.21.0.
  • Fixed a crash when trying to use the platform embedded.
  • Fixed devtools (gcli) screenshots on vertical-text pages.
  • Fixed devtools copy as cURL for POST requests.
  • Improved the HTML editor component (several bugfixes).
  • Added support for ES7's exponentiation a ** b operator.
  • Fixed an issue with arrow functions incorrectly creating an 'arguments' binding.
  • Added Javascript's ES6 "unscopables".
Security/privacy fixes:
  • Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.
  • Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data.
  • Removed the sending of referrers when opening a link in a new private window.
  • Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing whether they are being actively displayed to the user or not.
  • Removed the "ask every time" policy for cookies. For granular control, please use any of the excellent available extensions to regulate cookie use on a per-site or per-url basis.
  • Added support for X-Content-Type-Options: nosniff (for scripts).
  • Changed the resolution of performance timers to a level where any future potential abuse for hardware-timing attacks becomes impractical. DiD


27.6.2 (2017-11-28)This is a security and minor bugfix update to the browser.
This will most likely be the last update for 2017, with the holidays not far away.

Changes/fixes:
  • Implemented the concept of so-called "cookie-averse document objects" which is a security&privacy measure that blocks certain web content from setting cookies. This mitigates cookie-injection, which might help against "hidden" cookie tracking.
  • Mitigated some domain name spoofing through IDN by using dotless-i and dotless-j with accents. (CVE-2017-7832)
    Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar.
    Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. As such, some other issues like CVE-2017-7833 are already mitigated by us.
  • Fixed an issue with mixed-content blocking. (CVE-2017-7835)
  • Added an extra check for the correct signature data type on certificates.
  • Added missing sanitization in exporting bookmarks to HTML. (CVE-2017-7840)
  • Fixed several crashes and memory safety hazards.
  • Fixed the Linux load throbber image to be properly encoded, to prevent flickering.
  • Removed the shortcut key combination for restarting the browser to avoid issues with people using certain keyboard layouts hitting the combination and unintentionally triggering a browser restart.


27.6.1 (2017-11-15)This is a minor bugfix release to address some pressing issues people have reported.

Changes/fixes:
  • Fixed a regression with new windows (opening two windows from the command-line or file association, focus issues on new windows, not loading the home page in a new window, etc.)
  • Aligned XHR with the currect spec to allow withCredentials.
  • Fixed an input element focus issue within handlers.
  • Fixed the processing of all-padding HTTP/2 frames to prevent rare HTTP/2 hangups.
  • Updated CitiBank override to work around their login issues.
  • Updated Netflix override to a community-supplied one that seems to satisfy their arbitrary restrictions better.


27.6.0 (2017-11-07)This is a major development update.

Changes/fixes:
  • Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
  • Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
  • Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
  • Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks.
    (enjoy your LOLcats again!)
  • Changed automatic updates over to the new infrastructure.
  • Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
  • Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
  • Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
  • Improved upmixing of mono sound for multi-channel setups.
  • Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
  • Fixed "Remove from history" function from the downloads panel.
  • Forced focus on the address bar in new windows if the content is a blank/empty document.
  • Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
  • Further cleaned up the status bar code.
  • Disabled window.showModalDialog; it's been removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI)
  • Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
  • Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
  • Updated WOFF2 code from upstream.
  • Updated the zlib compression library.
  • Made general improvements to internal code structure and spec adherence.
  • Fixed an issue with certain command-line parameters being used.
  • Updated the default theme to improve consistency and contrast of toolbar and download buttons.
  • Increased the default duration of notification pop-ups and made them configurable.
  • Improved handling of audio-visual media (ongoing).
  • Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
  • Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
  • Fixed the selection system inside of a nested contenteditable element being broken.
  • Fixed Windows 10 detection for blocklisting graphics drivers.
  • Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
  • Fixed the uninstallation routine of restartless add-ons.
  • Fixed the handling of unimplemented functions in the console API.
  • Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
  • Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.
Security/privacy fixes:
  • Added an option to clear Site Connectivity Data (delete history).
  • Removed stale entries from the HSTS preload list, and improved generation/processing of it.
  • Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
  • Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
  • Worked around some more issues with broken Apple fonts.


27.5.1 (2017-10-10)This is a security and stability update to the browser, as well as fixing some issues users have indicated.

Changes/fixes:
  • Changed the default Windows 10 styling when no accent color is applied to black-on-white.
  • Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes.
  • Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing issues.
  • Fixed a crash in the media subsystem.
  • Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems.
Security fixes:
  • Updated the hyphenation library to the latest upstream code to fix a security issue.
  • Updated NSPR to 4.16-RTM with a patch to un-bust building on win64.
  • Updated NSS to 3.32.1-RTM.
  • Worked around some more issues with Mac fonts (CVE-2017-7825).
  • Fixed a potential rooting hazard in NPAPI plugin code. DiD
  • Fixed a potential reference issue in JavaScript arrays. DiD


27.5.0 (2017-09-26)This is a major update furthering general development of the browser.

Changes/fixes:
  • User interface:
    • Added a menu option to restart the browser.
    • Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
    • Changed Windows' browser CSS sheet ot use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style.
    • Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
    • Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
    • Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser 's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
    • Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported.
    • Cleaned up some dead code for the plugin updater that no longer exists.
    • Fixed a text direction issue in preferences.
    • Fixed an issue with disabled context menu entries after using Customize...
    • Reorganized and cleaned up the status preferences.
  • Media:
    • MSE Media updates (ongoing). We are focusing on improving MP4 handling.
    • Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
    • Fixed a number of searching issues in MP3 files
    • Fixed a few crashes.
  • Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
  • Fixed a regression re: domains allowed to/blocked from installing add-ons.
  • Fixed several internal errors thrown in the front-end.
  • Fixed several minor issues in the devtools.
  • Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
  • Added an option to control add-on blocklist behavior (Options -> Security)
  • Added DOM function isSameNode().
  • Added DOM onvisibilitychange event.
  • Added document.scrollingelement (CSSOM).
  • Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft).
  • Added "Open in new private window" to bookmarks, feeds and history entries.
  • Added HTTP request method OPTIONS.
  • Added an option to exit to a no-content page after encountering a network or security error.
    This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page.
  • Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data transfer). Disabled by default for now because it causes issues.
  • Improved the handling of several CSS selectors.
  • Changed session storage to remember form data for https sites by default.
  • Added (yet another) trap prevention method to onbeforeunload events.
  • Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
  • Fixed not being able to deselect loading bookmarks in the sidebar.
  • Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues.
  • Fixed a number of potential crash points.
  • Improved the security of the Windows dll loader module.
  • Reinstated "Open all in tabs" option on folders of live bookmarks (feeds).
  • Made URL matching more liberal in selected text to make it easier to open stated addresses.
  • Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work.
  • Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled.
  • Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks.
    Please be aware that https-filtering antivirus may interfere with future application updates as a result.
  • Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver).
  • Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers).
  • Fixed a problem with some H.264 media not playing (SPS NAL).
  • Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption).
  • Improved context search on selected text/links.
  • Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a modifier can open copies of already-opened sites.
  • Added a fix on Linux for starting the browser from Enlightenment.
  • Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data.


27.4.2.1 (2017-08-28)This is an out-of-band update for the portable version of the browser only (Windows).
This fixes a few issues in the portable shell regarding backups and settings.

To update, please follow the recommended update procedure listed on the Pale Moon Portable page.

27.4.2 (2017-08-22)This is a small update to address some security and stability issues.

Changes/fixes:
  • Fixed a number of crashes.
  • Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
  • Added a fix for TLS 1.3 handshakes causing a browser hangup.
    Handshakes should be considerably faster now and no longer stall in the wrong circumstances.
Security fixes:
  • Updated NSPR to 4.15.
  • Updated NSS to 3.31.1.
  • Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
  • Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
  • Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
  • Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781)
  • Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
  • Fixed a UAF in WebSockets (CVE-2017-7800)
  • Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD (accessibility is disabled)
27.4.1 (2017-08-03)This is a small update to address some media and web compatibility issues.

Changes/fixes:
  • Fixed an issue where media playback would not use hardware acceleration properly when using MSE.
    This would cause high CPU usage and/or choppy playback for HD video on e.g. YouTube.
  • Fixed ES6 iterator chains to be spec-compliant.
  • Fixed ES6 vector append calls and some related memory leaks.
  • Added a workaround to reduce the likelihood of a potential rare (timing-critical) crash.
27.4.0 (2017-07-12)This is a major update to straighten out most of the media streaming issues, as well as adding the necessary enhancements, bugfixes and security fixes to the browser.

Changes/fixes:
  • Completely re-worked the Media Source Extensions code to make it spec compliant, and asynchronous as per specification for MSE with MP4. This should fix playback problems on YouTube, Twitch, Vimeo and other sites that previously had some issues. A massive thank you to Travis for his tireless work on making this happen!
    Please note that MSE+WebM (disabled by default) is not using this new code yet (planned for the next release), and as such there is a temporary set of things to keep in mind if you don't use default settings:
    • If you have previously enabled MSE+WebM, this setting will be reset when you update to avoid conflicting settings with the updated MSE code.
    • We've added an extra setting in Options to disable the updated MSE code (asynchronous use) in case you need to use WebM or are otherwise having issues with the updated code (please let us know in that case).
    • Once again, the MSE+WebM and Asynchronous MSE use are currently mutually exclusive. You can have one or the other, not both, until we sort out the code for WebM. To enable MSE+WebM you will first have to disable Asynchronouse MSE in settings (otherwise the WebM setting will be greyed out and disabled).
  • Added a control in options/preferences for HSTS and HPKP usage.
  • Changed HTML bookmark exports to write CRLF line endings to the file on Windows.
  • Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding).
  • Fixed some issues accessing DeviantArt (useragent-sniffing).
  • Aligned CSS text-align with the spec.
  • Added a recovery module for browser initialization issues (e.g. when using a wrong language pack).
  • Fixed spurious console errors for XHR requests with certain http response codes.
  • Enabled v-sync aligned refresh for a smoother scrolling experience.
  • Removed support for CSS XP-theme media queries.
  • Improved console error reporting.
  • Fixed resetting toolbars and controls from the safe mode dialog.
  • Fixed bookmark recovery option from the safe mode dialog.
  • Fixed innerText getters for display:none elements.
  • Fixed a GL buffer crash that might occur with certain combinations of drivers and hardware.
  • Added some more details to about:support.
  • Fixed a potential crash when the last audio device is removed during playback.
  • Fixed a crash on about:support when windowless browsers are created.
  • Updated <select> elements to blank if the actively set value doesn't match any of the options.
  • Updated the interpretation of 2-digit years in date formats to match other browsers:
    0-49 = 2000-2049, 50-99 = 1950-1999.
  • Added "q" units to CSS (quarter of a millimeter).
  • Added .origin property to blobs.
  • Fixed several minor layout issues.
  • Fixed disabled HTML elements not producing the proper JS events.
  • Implemented web content handler blacklist according to the spec, allowing more than feeds to be registered.
  • Fixed a spec compliance issue with execCommand() on HTML elements.
  • Fixed a problem with table borders being drawn uneven or being omitted when zooming the page.
  • Added devtools "filter URLs" option in the network panel.
  • Added visual sorting options to the Network inspector.
  • Added importing of login data from Chrome profiles on Windows (Chrome has to be closed first).
  • Added importing of tags from bookmark export files (HTML format).
  • Updated usage of SourceMap headers with the updated spec (SourceMap header, keeping X-SourceMap as a fallback).
  • Fixed several cases of wrongly-used negations in JS modules.
  • Added the auxclick mouse event.
  • Added a control to not autoplay video unless it is in view (media.block-play-until-visible).
  • Updated the Graphite font library to 1.3.10.
  • Updated how image and media elements respond to window size changes (responsive design).
  • Added parsing and use of rotation meta data in video.
  • Fixed several crashes in a number of modules.
  • Fixed performance regression for scaling large vector images (e.g. MSIE Chalkboard test) \o/
  • Fixed some issues with notification icons.
  • Fixed some internal errors with live bookmarks.
  • Updated SQLite to 3.19.3.
  • Fixed several reported issues with devtools (cli-cookies, cli help, copying cURL, inspecting SVGs, element size calculations, etc.)
  • Fixed an issue where a server response was allowed to override add-ons' specified version ranges even for add-ons that have strict compatibility (e.g. themes, language packs).
Security fixes:
  • Removed preloading of HPKP hosts and enabled HPKP header enforcement.
  • Added support for TLS 1.3, the up-next secure connection protocol.
  • Fixed an issue with TLS 1.3 not supporting renegotiation by design.
  • Relaxed some restrictions for CSP to temporarily work around web compatibility issues with the CSP-3 deprecated `child-src` directive.
  • Updated NSS to 3.28.5.1-PM to address some security issues.
  • Updated the installer selfextractor module to address unsafe loading of libraries.
  • Changed the way certain resources are included to reduce effectiveness of some common fingerprinting techniques. (e.g. browserleaks.com)
  • Fixed a regression in the display of security information in the page info dialog for insecure content.
  • Fixed two potential issues with allocating memory for video. DiD
  • Fixed a potential issue with the network prediction algorithm. DiD
  • Restricted the use of Aspirational scripts in IDNs to prevent domain spoofing, in anticipation of the UAX#31 update making this official.
  • Prevented a Mac font specific issue that could be abused for domain spoofing (CVE-2017-7763)
  • Fixed several potentially exploitable crashes. (CVE-2017-7751) (CVE-2017-7757) and some that do not have a CVE designation.



RSS|无图版|手机版|友声网 ( 鲁ICP备15020090号-1 )|网站地图 | | 点击这里给我发消息 |

GMT+8, 2024-11-21 17:14 , Processed in 0.040447 second(s), 8 queries , Gzip On, MemCache On.

Powered by Discuz! X

© ys166.com

快速回复 返回顶部 返回列表