erinn's blog

Tor Browser 3.6.4 and 4.0-alpha-1 are released

The fourth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features an update to OpenSSL to address the latest round of OpenSSL security issues. Tor Browser should only be vulnerable to one of these issues - the null pointer dereference. As this issue is only a DoS, we are not considering this a critical security update, but users are advised to upgrade anyway. This release also features an update to Tor to alert users of the RELAY_EARLY attack via a log message, and a fix for a hang that was happening to some users at startup/Tor network bootstrap.

Here is the complete changelog for 3.6.4:

  • Tor Browser 3.6.4 -- All Platforms
    • Update Tor to 0.2.4.23
    • Update Tor launcher to 0.2.5.6
    • Update OpenSSL to 1.0.1i
    • Backported Tor Patches:
      • Bug 11654: Properly apply the fix for malformed bug11156 log message
      • Bug 11200: Fix a hang during bootstrap introduced in the initial
        bug11200 patch.
    • Update NoScript to 2.6.8.36
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Update Torbutton to 1.6.11.1
      • Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
      • Bug 12680: Fix Torbutton about url.

In addition, we are also releasing the first alpha of the 4.0 series, available for download on the extended downloads page.

This alpha paves the way to our upcoming autoupdater by reorganizing the directory structure of the browser. This means that in-place upgrades from Tor Browser 3.6 (by extracting/copying over the old directory) will not work.

This release also features Tor 0.2.5.6, and some new defaults for NoScript to make the script permissions for a given url bar domain automatically cascade to all third parties by default (though this may be changed in the NoScript configuration).

  • Tor Browser 4.0-alpha-1 -- All Platforms
    • Ticket 10935: Include the Meek Pluggable Transport (version 0.10)
      • Two modes of Meek are provided: Meek over Google and Meek over Amazon
    • Update Firefox to 24.7.0esr
    • Update Tor to 0.2.5.6-alpha
    • Update OpenSSL to 1.0.1i
    • Update NoScript to 2.6.8.36
      • Script permissions now apply based on URL bar
    • Update HTTPS Everywhere to 5.0development.0
    • Update Torbutton to 1.6.12.0
      • Bug 12221: Remove obsolete Javascript components from the toggle era
      • Bug 10819: Bind new third party isolation pref to Torbutton security UI
      • Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
      • Bug 12680: Change Torbutton URL in about dialog.
      • Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
      • Bug 9531: Workaround to avoid rare hangs during New Identity
    • Update Tor Launcher to 0.2.6.2
      • Bug 11199: Improve behavior if tor exits
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Backported Tor Patches:
      • Bug 11200: Fix a hang during bootstrap introduced in the initial
        bug11200 patch.
  • Tor Browser 4.0-alpha-1 -- Linux Changes
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

64-bit GNU/Linux Tor Browser Bundles updated

It turns out that the 64-bit bundles were a bit crashy because of a change in the way they were built. This change has been reverted and I've updated the stable and RC versions of the 2.x series of GNU/Linux Tor Browser Bundles.

Direct links:
Stable 64-bit GNU/Linux Tor Browser Bundle (sig)
RC 64-bit GNU/Linux Tor Browser Bundle (sig)

Tor Browser Bundle (2.3.25-16); suite=linux

  • Update 64-bit Linux's mozconfig to --disable-optimize so Tor Browser will
    stop crashing (closes: #10195)

Tor Browser Bundle (2.4.18-rc-2); suite=linux

  • Update 64-bit Linux's mozconfig to --disable-optimize so Tor Browser will
    stop crashing (closes: #10195)

New Tor Browser Bundles with Firefox 17.0.11esr and Tor 0.2.4.18-rc

Firefox 17.0.11esr has been released with several security fixes and the stable and RC Tor Browser Bundles have been updated

There is also a new Tor 0.2.4.18-rc release and the RC bundles have been updated to include that as well.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-15)

  • Update Firefox to 17.0.11esr
  • Update NoScript to 2.6.8.5
  • Fix paths so Mac OS X 10.9 can find the geoip file. Patch by David Fifield.
    (closes: #10092)

Tor Browser Bundle (2.4.18-rc-1)

  • Update Tor to 0.2.4.18-rc
  • Update Firefox to 17.0.11esr
  • Update NoScript to 2.6.8.5
  • Remove PDF.js since it is no longer supported in Firefox 17
  • Fix paths so Mac OS X 10.9 can find the geoip file. Patch by David Fifield.
    (closes: #10092)

New Tor Browser Bundles with Firefox 17.0.10esr

Firefox 17.0.10esr has been released with several security fixes and all of the Tor Browser Bundles have been updated. All users are encouraged to upgrade.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-14)

  • Update Firefox to 17.0.10esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
  • Update LibPNG to 1.6.6
  • Update NoScript to 2.6.8.4
  • Update HTTPS-Everywhere to 3.4.2
  • Firefox patch changes:
    • Hide infobar for missing plugins. (closes: #9012)
    • Change the default entry page for the addons tab to the installed addons page. (closes: #8364)
    • Make flash objects really be click-to-play if flash is enabled. (closes: #9867)
    • Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API. (closes: #3661)
    • Remove polipo and privoxy from the banned ports list. (closes: #3661)
    • misc: Fix a potential memory leak in the Image Cache isolation
    • misc: Fix a potential crash if OS theme information is ever absent

Tor Browser Bundle (2.4.17-rc-1)

  • Update Firefox to 17.0.10esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
  • Update LibPNG to 1.6.6
  • Update NoScript to 2.6.8.4
  • Downgrade HTTPS-Everywhere to 3.4.2 in preparation for this becoming the stable bundle
  • Firefox patch changes:
    • Hide infobar for missing plugins. (closes: #9012)
    • Change the default entry page for the addons tab to the installed addons page. (closes: #8364)
    • Make flash objects really be click-to-play if flash is enabled. (closes: #9867)
    • Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API. (closes: #3661)
    • Remove polipo and privoxy from the banned ports list. (closes: #3661)
    • misc: Fix a potential memory leak in the Image Cache isolation
    • misc: Fix a potential crash if OS theme information is ever absent

New Tor Browser Bundles with Firefox 17.0.9esr

The stable and beta Tor Browser Bundles have been updated with Firefox 17.0.9esr. This release of Firefox has many important security updates and all users are strongly encouraged to upgrade.

The beta version includes an updated HTTPS Everywhere which fixes the problems many users were having with the google.com OCSP meltdown.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-13)

Tor Browser Bundle (2.4.17-beta-2)

  • Update Firefox to 17.0.9esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
  • Update LibPNG to 1.6.3
  • Update HTTPS Everywhere to 4.0development.12
  • Update NoScript to 2.6.7.1
  • Remove extraneous libevent libraries (closes: #9727)
  • Enable GCC hardening for Tor
  • Firefox patch changes:
    • - Disable filtered results in Startpage omnibox (closes: #8839)
  • Add missing geoip file to Linux bundle
  • (entry missing from regular changelog)

New Tor 0.2.4.17-rc packages

There's a new Tor 0.2.4.17-rc to hopefully help mitigate some of the problems with the botnet issues Tor is experiencing. All packages, including the beta Tor Browser Bundles, have been updated. Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.4.17-beta-1)

  • Update Tor to 0.2.4.17-rc
  • Update NoScript to 2.6.7.1
  • Update HTTPS Everywhere to 4.0development.11

New Tor 0.2.4.16-rc packages and updated stable Tor Browser Bundles

There's a new Tor 0.2.4.16-rc out and all packages, including the beta Tor Browser Bundles, have been updated. The stable Tor Browser Bundles have also been updated to fix a bug in the last release which prevented the language packs from working (which resulted in all of the bundles being in English!). We're very sorry about this.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-12)

  • Re-add the locale pref to the Firefox prefs file to allow for localization
    of bundles again (closes: #9436)

Tor Browser Bundle (2.4.16-beta-1)

  • Update Tor to 0.2.4.16-rc
  • Re-add the locale pref to the Firefox prefs file to allow for localization
    of bundles again (closes: #9436)

New Tor Browser Bundles with Firefox 17.0.8esr

All of the Tor Browser Bundles have been updated with Firefox 17.0.8esr which includes critical security fixes. All users are strongly encouraged to upgrade. To read more about which kinds of fixes are in this version of Firefox, please click here. This link is also included in the changelogs and we will continue to add it in the future versions of Tor Browser Bundle as well so that users can always be aware of major issues.

https://www.torproject.org/download/download-easy.html.en
https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-11)

Tor Browser Bundle (2.4.15-beta-2)

Syndicate content Syndicate content