Tor Browser 6.5a5 is released

Tor Browser 6.5a5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Firefox and contains, in addition to that, an update to NoScript (2.9.5.2) and a fix of our updater code so it can handle unix domain sockets.

The Firefox security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.

Tor Browser users who had set their security slider to "High" are believed to have been safe from this vulnerability.

A note to Linux users: We still require the same update procedure as experienced during the update to 6.5a4: a dialog will be shown asking to either set `app.update.staging.enabled` or `extensions.torlauncher.control_port_use_ipc` and `extensions.torlauncher.socks_port_use_ipc` to `false` (and restart the browser in the latter case) before attempting to update. The fix for this problem is shipped with this release and we will be back to a normal update experience with the update to 6.5a6. We are sorry for this inconvenience.

Here is the full changelog since 6.5a4:

  • All Platforms
    • Update Firefox to 45.5.1esr
    • Update NoScript to 2.9.5.2
  • Linux
    • Bug 20691: Updater breaks if unix domain sockets are used

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

i'm problem with update.

there were problems checking for, downloading, or installing this update. Navigateur Tor could not updated because:

The integrity of the update could not be verified

where in my problem please.

thank you

Is that still an issue for you? Which operating system are you using and which Tor Browser locale?

i no problem with update, everything work.

hi,
I'm running TB 6.0.7 (based on Mozilla Firefox 45.5.1) and it says there are no updates available when I check...

WHY??

(win xp sp3 on a amd athlon xp processor)

Sounds like you're on the "stable" branch of Tor Browser.

There is an "alpha" branch too, which is what this post is about.

If you're on the stable branch (which is totally fine -- most people are), it will track updates to stable. Whereas the alpha branch tracks updates to alpha.

This is a five year old bug, https://bugzilla.mozilla.org/show_bug.cgi?id=1321066#c17

Anyone audited this thing?

Thanks for another great release!

On a highly loaded system during New Identity:

Torbutton cannot safely give you a new identity. It does not have access to the Tor Control Port.

Are you running Tor Browser Bundle?

Is that reproducible? If so do you see any message/error in the error console that could be related? (You open it in Tor Browser with Ctrl + Shift + J)

Seems to be during overload of network stack. During CPU overload:

NS_ERROR_NOT_AVAILABLE: Cannot call openModalWindow on a hidden window nsPrompter.js:347:0
Error: Script terminated by timeout at:
torbutton_do_new_identity/<@chrome://torbutton/content/torbutton.js:1360:24
torbutton.js:1360:24

Hm. You mean this is related to the alert dialog popping up? Like, every time you get one error you get the other one as well?

No. Only "unresponsive script" dialog appears during high CPU load, and those errors in Console. So that alert dialog is another issue.

OP here.
I dunno if that's reproducible. When I pressed OK on that dialog and opened error console, I found this:
[12-08 15:28:13] Torbutton NOTE: Exception on control port [Exception... "Component returned failure code: 0x804b000e (NS_ERROR_NET_TIMEOUT) [nsIBinaryInputStream.readBytes]" nsresult: "0x804b000e (NS_ERROR_NET_TIMEOUT)" location: "JS frame :: chrome://torbutton/content/torbutton.js :: torbutton_socket_readline :: line 1534" data: no]
[12-08 15:28:13] Torbutton WARN: Torbutton was unable to request a new circuit from Tor

Which operating system are you using? FWIW: I've created https://trac.torproject.org/projects/tor/ticket/20902 for further investigation. Thanks for using an alpha release and reporting issues back.

It was only once on Win XP SP3, so it was reported as a notice, not an issue.

https://aus1.torproject.org/dist/torbrowser/update_2/alpha/WINNT_x86-gcc3-x86/6.5a5/en-US
09:08:51.824 Public-Key-Pins: An unknown error occurred processing the header specified by the site. en-US

Interesting. Where did you get that log from? Is that reproducible?

Appears here and there in the current alphas.

I just tested it on Windows and I don't get this error. More importantly after closing Tor Browser the HPKP entry for aus1.torproject.org gets written to SiteSecurityServiceState in the browser profile. Thus, this seems to be working.

Do you get that entry in the SiteSecurityServiceState as well? You should be able to find that file in your profile directory in Tor Browser\Browser\TorBrowser\Data\Browser\profile.default.

Yes, it's working and isn't site-specific. It happens sometimes for an unknown reason. And it seems better to test it with filled entries in that file - to check inconsistencies between received and written states.

If you reload the main page (tpo) with Network tab (in Web Developer), you'll get:
Torbutton INFO: tor SOCKS isolation catchall: https://www.torproject.org/images/onion-heart.png via --unknown--:de6a28fb71abeba4febbbdde61de345e

Thanks for this report! I've opened https://trac.torproject.org/projects/tor/ticket/20915 to investigate what is going wrong.

Thanks for the TOR I like Tor and Appreciate your hard work. i must add that.

Post new comment

  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <em> <strong> <cite> <code> <ul> <ol> <li> <b> <i> <strike> <p> <br>

More information about formatting options

Syndicate content Syndicate content