Tor Browser 3.6-beta-2 is released
The Tor Browser Team is proud to announce the second beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.
This release is an important security update over 3.6-beta-1. This release updates OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.
The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.
This beta also features a Turkish language bundle, experimental Javascript hardening options, fixes for pluggable transport issues, and a fix for improper update notification while extracting the bundle over an already existing copy.
Here is the complete changelog since 3.6-beta-1:
- All Platforms
- Update OpenSSL to 1.0.1g
- Bug 9010: Add Turkish language support.
- Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
- Update fte transport to 0.2.12
- Update NoScript to 2.6.8.19
- Update Torbutton to 1.6.8.1
- Update Tor Launcher to 0.2.5.3
- Bug 9665: Localize Tor's unreachable bridges bootstrap error
- Backport Pending Tor Patches:
- Linux:
- Windows:
- Bug 11286: Fix fte transport launch error
A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.
TBB 3.5.4 does indeed have a
TBB 3.5.4 does indeed have a fixed openssl. (3.5.3 did not.)
TBB 3.6-beta-2 also has a fixed openssl. (3.6-beta-1 did not.)
The NSA has exploited
The NSA has exploited Heartbleed bug for years, Bloomberg reports.
Do you still believe in TOR!?
I thought the 3.5-4 release
I thought the 3.5-4 release had openssl fixed.