Tor Browser 7.0.4 is released

Tor Browser 7.0.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

A lot of Tor Browser components have been updated in this release. Apart from the usual Firefox update (to 52.3.0esr) we include a new Tor stable release (0.3.0.10) + an updated HTTPS-Everywhere (5.2.21) and NoScript (5.0.8.1).

In this new release we continue to fix regressions that happened due to the transition to Firefox 52. Most notably, we avoid the scary warnings popping up when entering passwords on .onion sites without a TLS certificate (bug 21321). Handling of our default start page (about:tor) has improved, too, so that using the searchbox on it is working again and it does no longer need enhanced privileges in order to function.

The full changelog since Tor Browser 7.0.2 (for Linux since Tor Browser 7.0.3) is:

  • All Platforms
    • Update Firefox to 52.3.0esr
    • Update Tor to 0.3.0.10
    • Update Torbutton to 1.9.7.5
      • Bug 21999: Fix display of language prompt in non-en-US locales
      • Bug 18913: Don't let about:tor have chrome privileges
      • Bug 22535: Search on about:tor discards search query
      • Bug 21948: Going back to about:tor page gives "Address isn't valid" error
      • Code clean-up
      • Translations update
    • Update Tor Launcher to 0.2.12.3
      • Bug 22592: Default bridge settings are not removed
      • Translations update
    • Update HTTPS-Everywhere to 5.2.21
    • Update NoScript to 5.0.8.1
      • Bug 22362: Remove workaround for XSS related browser freezing
      • Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio
    • Bug 21321: Exempt .onions from HTTP related security warnings
    • Bug 22073: Disable GetAddons option on addons page
    • Bug 22884: Fix broken about:tor page on higher security levels
  • Windows
    • Bug 22829: Remove default obfs4 bridge riemann.
    • Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
  • OS X
    • Bug 22829: Remove default obfs4 bridge riemann.
Anonymous

August 08, 2017

Permalink

Just wanted to share my gratitude for keeping with the Firefox release cycle. Over these past few years, I've deeply appreciated the team's sync to avoid TBB users using known-outdated firefox code!

Anonymous

August 08, 2017

Permalink

H0w d0 I c0nfigure Wget f0r use with the t0r br0wser bundle? please, i'm starving 0ut here and need s()me fast f00d via Wget!

yes, system tor is the way to go, but if you aren't on a system where it is easily installable (or you are, but you don't have root) you can easily tell programs that support SOCKS to use the Tor Browser Bundle's tor process (its SocksPort is listening on port 9150 instead of the 9050 that system tor uses).

Unfortunately wget doesn't seem to support SOCKS, so, if you can't use torsocks (which makes wget or most any other TCP program use socks automatically) maybe you can use curl instead of wget? Just tell curl --proxy socks5://localhost:9150 and it will use your tbb tor. HTH,HAND,LLAP

Anonymous

August 08, 2017

Permalink

Many heartfelt thanks to all the Tor devs! I shudder to think where we would be without all of you and all the great things you have since years now!!!

Anonymous

August 08, 2017

Permalink

Tor Browser 7.5a4 and Tor Browser 7.0.4 both released on Aug 8 2017. There is probably a simple answer to this which as yet I do not know. Why both and or what is the difference.

When I use https://www.torproject.org/download/download it shows 7.0.4 which I am using. Is this the stable, or whatever, version and 7.5a4 is not? Sorry if I do not know the basics. Thank you.

Regards

What most people want to use is version 7.0.4 which is the stable version.

The 7.5a4 version is an alpha version (as all versions which have an 'a' in their version number). It contains experimental features that have not yet been tested enough to be included in the stable release. You can use this version if you want to see new features earlier, or want to help us at finding bugs.

Anonymous

August 08, 2017

Permalink

wäre schön das die Übersetzung auf deutsch ist wenn man schon eine deutsche Installation hat !

Anonymous

August 08, 2017

Permalink

Finally!I was beginning to wonder about the warning on pwrds on onion sites.Caused some very worrying searching for a reason.Figured it out,but still had that little nagging doubt.

Anonymous

August 08, 2017

Permalink

do you know why everytime the Atlas is used, this pops up?

"No Results found!

No Tor relays or bridges matched your query :("

Are you allowing (or temp allowing) scripts? Or, do you have 'bridge' enabled in Tor settings... but have invalid or outdated Bridges? those are the first two causes that come to mind...

Anonymous

August 08, 2017

Permalink

Hi

have involuntarily/automatically updated to 7.04

Now there is no more sound in webpages. Have tested it with various youtube and other sources. A very small bar in the top area of the browser content area tells 'to play audio you may need to install the required pulseaudio software'

???

my os is debian 7 32bit

It was already discussed in comments for previous 7.x TBB releases. It's quite simple solution, AFAIR. Namely, you need to recompile TBB enabling ALSA again. Mozilla didn't remove ALSA code, they just disabled ALSA flag. Why don't you recompile it with ALSA support? Instructions were posted in long discussion in Mozilla bugreport list.

Thanks for that hint. As a last resort I'll try that way.

A minute ago I wrote, that pulseaudio is installed and running.

ALSA is installed too but not running

(forgive: I'm an average 70% knowledge user and not so much into the details)

a.t.m. my quick n dirty solution would be to use tor browser 6.5.2 in case I 'have to' see a video

.. normally I do not see any videos at all :)

greetings

a.t.m. my quick n dirty solution would be to use tor browser 6.5.2 in case I 'have to' see a video

Well, this is my case too. I spent about 1 hour trying to get PA running on my customized Debian, but failed. Mozilla forces us to use vulnerable and outdated version of the browser. Since it runs in VM, it is relatively safe. However, it is still not good solution, at least, from the point of anonymity. Anybody using special version of outdated TBB is well seen among TBB users.

(I came up with this topic)

Yes, I've been reading a lot today about that topic.

BUT:
in my standaard debian 7 system (nothing tuned or experimented with)
pulseaudio is installed (have never cared about it) and has probably been installed since a year
pulseaudio is running (can see it in ps)

standard firefox esr (non-tor) which is 52.2.0 delivers video _with_sound

btw. my old torbrowser 6.5.2 (don't kill me, it's just my in_case backup) delivers video with sound

What I've read in various mozilla discussions people made it a hot topic alsa vs. pulseaudio
and the general hint was 'install pulseaudio and problems will be gone'

But I do have it installed and it's running...

Any ideas or help?

thanks and greetings

So, Debian people don't afraid your argument:

Because that code is unmaintained and nobody is tracking security issues and providing bugfixes once they show up.

and recompiled it. I think user database behind Debian fork of Mozilla is much higher than amount of TBB users.

Well, I understand that it is simpler to take upstream version and do not care about sound issues, but the far perspectives of this approach are bad. What will be the next? Will I have to install systemd to get TBB working? Will I have to migrate to Ubuntu spyware to use tor browser? Tor Project has already forked firefox to apply special patches, so supporting of that ALSA code (it wasn't disabled because of bugs, but because of "make life easier for devs"!) would not be so exceptional thing in general.

The non tor firefox is directly from debian (deb 7 stable)

about:buildflags results in an error. have found elsewhere about:buildconfig which I think is what you meant.

FF ESR 52.2.0 32bit has the compile flag --enable-alsa
Tor Browser 7.0.4 (based on FF 52.3.0) (32-bit) does not

So probably the debian people had mercy/were friendly or how ever to name it.
The different behaviour of two 52.x firefoxes can be seen as solved.

Though strange that while FF playing sounds I do not see ALSA in processlist.

Still not clear, why no sound in tb 7.04 though pulseaudio installed and running.

For the secondbest solution, I have downloaded tb 7.03 (which played sounds) and will use that - forbidding it to update - til I find a way to make tb 7.04 produce sounds.

thanks and greetings

Wait are you saying that only 7.0.4 is affected but earlier 7.x versions are working? Looking at our changelog nothing comes to mind that could have caused this. Could you try whether the problems exists with Firefox versions provided from Mozilla as well?

https://ftp.mozilla.org/pub/firefox/releases/52.3.0esr/ has the one 7.0.4 is based on and
https://ftp.mozilla.org/pub/firefox/releases/52.2.0esr/ has the one 7.0.3 is based on.

>Wait are you saying that only 7.0.4 is affected but earlier 7.x versions are working?

Yes, exactly so - though it may not sound logical.

I had wathed a video clip with 7.03 the evening before without problems. Next day the update to 7.04 came up (I had used tb for just some minutes looking for a topic in the news, ending tb then.) So the update to 7.04 rushed in and since then no sound in videos.

Maybe an incomplete/faulty update? I'll try to download a virgin 7.04 installer and see. Will report back.

greetings

Problem is gone, don't know why ...

In tb 7.04 in about:config
search for 'media.decoder' (without quotes)
brought up 4 lines some days ago when I had no sound in videos.

Now the same procedure comes up with only 3 lines, which are identical in both cases.
media.decoder-doctor.notifications-allowed
media.decoder-doctor.verbose
media.decoder-doctor.wmf-disabled-is-failure

! The one line that doesn't exist anymore NOW was:
media.decoder-doctor.MediaCannotInitializePulseAudio.formats / user set / string / *

#-#-#-#

Now the big surprise: I do have sound now with tb 7.04 !

I have not knowingly changed anything.

I have not reinstalled a fresh tb 7.03 or tb 7.04 as I intended to before

#-#-#-#-#

A strange miracle

But I'm really happy because tb does behave now as it should.

Maybe deleting that variable can help others who have the same problem.

How will this affect users of Qubes/Whonix? From what I've been told, Qubes uses an ad-hoc vchan protocol to send audio to dom0. I assume it uses ALSA, so does this mean it will have to be updated to support PulseAudio? Or is it possible to make PA output to ALSA like a shim?

Anonymous

August 09, 2017

Permalink

The Tor projects guys are the best in the world! Thank God they exist!
What the world would be without the effort of these lovely people?

I don't think there is something need to be done by the Tor team. Tor is open-source, so it would be impossible that such malware could be placed inside the code. This should be dealt by Rising AV.

Anonymous

August 09, 2017

Permalink

Allow Bookmarklets?

For more than one version back from today's, possibly beginning with first 7.x release, bookmarklets do not respond.

I set the Tor Button Security Level to High, and leave Noscript extension to allow bookmarklets. I assume that by a change in TBB7, the High security level overrides Noscript extension option/setting that allows bookmarklets.

So I wonder how to initially set TBB at highest Security Level, then allow bookmarklets to run from Bookmarks Toolbar?

Thanks in advance...

Anonymous

August 09, 2017

Permalink

I don't suppose it matters much but...

It says in the changelog that "Bug 18193: Don't let about:tor have chrome privileges" has been fixed in 7.0.4.
Bug 18193 wasn't fixed in this release; bug 18913 was. The numbers got switched.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

1 + 2 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.