New Release: Tor Browser 8.5.2

by boklm | June 19, 2019

Tor Browser 8.5.2 is now available from the Tor Browser Download page and also from our distribution directory.

This release fixes a critical security update in Firefox. In addition, we update NoScript to 10.6.3, fixing a few issues.

Users of the safer and safest security levels were not affected by this security issue.

Note: As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer or safest security levels. The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings.

The full changelog since Tor Browser 8.5.1 is:

  • All platforms
    • Pick up fix for Mozilla's bug 1544386
    • Update NoScript to 10.6.3

Comments

Please note that the comment area below has been archived.

June 20, 2019

In reply to boklm

Permalink

In a technical level Tor Project can't do anything, but on a PR level, it can and should. Tor Project could easily approach organizations/corporations like NVidia and explain blocking Tor Users is bad and they should allow it. Of course having other people also contacting and requesting the same is better, but Tor Project can't put itself out of the matter.

June 19, 2019

Permalink

The vulnerability exploits JavaScript, so why would `safer` not be affected if it enables JavaScript on HTTPS websites? Does the bug only work if JIT is enabled or something?

June 21, 2019

In reply to gk

Permalink

Not to say "I told you so", but can I jump in here to say "I told you so"? Not that I was saying anything you didn't already know. To wit: a strong case can be made for making "safest" the default security level and advising users to drop down as needed (choosing new identity each time they change the security level, a habit which should solve the problem that users might easily forget that security level changes affect all open tabs). In this case, at least one of the two critical vulns would have been prevented from affecting most users if this had been the default prior to this latest attack on FF (and TB).

An obvious compromise would be to make the default "safer". It seems Tor Project believes even this default would have prevented most Tor users from becoming easy victims of these FF zero-squared-day exploiting attacks.

June 22, 2019

In reply to gk

Permalink

Link says "Access Denied" but vulnerability is already public nothing to keep secret here.

When will it be open to everyone?

Updating the Firefox version number requires that the Firefox langpacks corresponding to this version are available to start building. Taking the patch without updating the Firefox version number allows us to start building earlier.

June 20, 2019

Permalink

After doing the last Tor update Avast blocked the Firefox.exe telling me it is infected with IPD:Generic ?

anyone else experiencing this?

June 20, 2019

Permalink

Couldn't start the latest version on beta 2 of macOS Catalina. There is an error that "updater.app is from an unidentified developer". I was not able to get the usual dialog to get an exemption by starting updater.app on it's own. After moving "updater.app" to the trash Tor is now starting.

June 21, 2019

In reply to gk

Permalink

In the long run, a better solution might be to use Tails instead of the Mac OS installed on your machine. Tails is free open-source software from a sister project of Tor Project; tails.boum.org. It attempts to provide an "amnesiac" system which boots from a DVD (or USB stick), which means that Tails tries not to leave any hardware traces. Very useful if you are working on human rights issues or as a reporter or children's social worker or municipal employee or telecom engineer or nurse in any other job where you may need to carry sensitive information on a portable device. The general idea is to keep all the information on a LUKS encrypted data stick which you mount and use with Tails booted in off-line mode, and when you need to access the internet, you remove the data stick and reboot Tails in on-line mode. Takes getting used to but it is much more practical than might sound once you get into the rhythm.

June 20, 2019

Permalink

Hi, speed and loading pages on the tour in my area is papin. Please solve the problem barely loading webpages.
 

June 20, 2019

Permalink

Please don't forget to update the alpha series ASAP as well, especially after mfsa2019-19

I believe you meant 0.4.0.x While you wait for it to appear in the release repos, you can edit the suite in your deb line to say one of the "experimental" folder names here: https://deb.torproject.org/torproject.org/dists/

Example for Debian testing (Buster as of this date):
deb <a href="https://deb.torproject.org/torproject.org" rel="nofollow">https://deb.torproject.org/torproject.org</a> tor-experimental-0.4.0.x-buster main

Peter Palfrader manages Tor Project's Debian packages.

June 20, 2019

Permalink

Why is noscript no longer accesible via the address bar? This was far easier to click to temp allow certain domains. I cannot find any other way to see the list of domains to block or unblock each webpage loaded.
Have to manually type the url/domain by going to addons -> no script preferences

Ok thanks. Very easy to do. Overlooked it because there's hardly any space to right click on the toolbar in firefox and there appears to be no "customize" option in "preferences".

For any one else who needs to know how to add the addon widgets back in the toolbar:
https://trac.torproject.org/projects/tor/ticket/30600

It can manually be re-added by right-clicking the toolbar, selecting "Customize..." and dragging the NoScript icon back to the toolbar.

June 20, 2019

Permalink

Does not launch on macOS Catalina 10.15b2. Followed Security and Privacy steps to allow the app to launch, still no joy.

  1. “updater” can’t be opened because it is from an unidentified developer.</p>
  2. <p>Your security preferences allow installation of only apps from the App Store and identified developers.</p>
  3. <p>Q_DETAIL_DOWNLOAD_AGENT_DATE.Q_DETAIL_TYPE_FILE

June 20, 2019

Permalink

To get Tor to launch on macOS Catalina 10.15b2 run the following command to restore the "anywhere" Security and Privacy option.

sudo spctl --master-disable

The option will not persist.

August 04, 2019

In reply to gk

Permalink

Tried the 'spctl' fix, begins execution then fails with a segmentation fault: 11
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: EXC_I386_GPFLT
Exception Note: EXC_CORPSE_NOTIFY

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [1748]

June 20, 2019

Permalink

Hello, there is a problem, TOR on Windows is not compatible with the use of visual disabilities when using the keyboard to surf the Internet I mean shortcuts to navigate through the links and headers and lists ... Please find a solution to this problem quickly The program used with it is NVDA

June 20, 2019

Permalink

have the default bridges been changed to working ones with this release?

also download page still has 8.5.1 for android

finally, about >> torbrowser from settings does not report torbrowser version but firefox instead

I guess that's all for mobile?

Yes, we updated our default bridges on Android. Additionally, we plan to release the new Android stable versions as soon as we can, probably on the weekend (see the above blog post you are commenting to). Finally, yes, we don't have a way to report the Tor Browser version yet. We should fix that, though. I've opened: https://trac.torproject.org/projects/tor/ticket/30943.

June 20, 2019

Permalink

I am having a ton of problems loading any pages. I just received the latest update to TOR the other evening, so it should be up to day. When I launch TOR, it works great for about 5 minutes and then it starts timing out on any page I attempt to go to. Any tips?