Tor Browser 3.6.4 and 4.0-alpha-1 are released

The fourth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features an update to OpenSSL to address the latest round of OpenSSL security issues. Tor Browser should only be vulnerable to one of these issues - the null pointer dereference. As this issue is only a DoS, we are not considering this a critical security update, but users are advised to upgrade anyway. This release also features an update to Tor to alert users of the RELAY_EARLY attack via a log message, and a fix for a hang that was happening to some users at startup/Tor network bootstrap.

Here is the complete changelog for 3.6.4:

• Tor Browser 3.6.4 -- All Platforms
• Update Tor to 0.2.4.23
• Update Tor launcher to 0.2.5.6
• Update OpenSSL to 1.0.1i
• Backported Tor Patches:
• Bug 11654: Properly apply the fix for malformed bug11156 log message
• Bug 11200: Fix a hang during bootstrap introduced in the initial
  bug11200 patch.
• Update NoScript to 2.6.8.36
• Bug 9516: Send Tor Launcher log messages to Browser Console
• Update Torbutton to 1.6.11.1
• Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
• Bug 12680: Fix Torbutton about url.

In addition, we are also releasing the first alpha of the 4.0 series, available for download on the extended downloads page.

This alpha paves the way to our upcoming autoupdater by reorganizing the directory structure of the browser. This means that in-place upgrades from Tor Browser 3.6 (by extracting/copying over the old directory) will not work.

This release also features Tor 0.2.5.6, and some new defaults for NoScript to make the script permissions for a given url bar domain automatically cascade to all third parties by default (though this may be changed in the NoScript configuration).

• Tor Browser 4.0-alpha-1 -- All Platforms
• Ticket 10935: Include the Meek Pluggable Transport (version 0.10)
• Two modes of Meek are provided: Meek over Google and Meek over Amazon
• Update Firefox to 24.7.0esr
• Update Tor to 0.2.5.6-alpha
• Update OpenSSL to 1.0.1i
• Update NoScript to 2.6.8.36
• Script permissions now apply based on URL bar
• Update HTTPS Everywhere to 5.0development.0
• Update Torbutton to 1.6.12.0
  • Bug 12221: Remove obsolete Javascript components from the toggle era
  • Bug 10819: Bind new third party isolation pref to Torbutton security UI
  • Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
  • Bug 12680: Change Torbutton URL in about dialog.
  • Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
  • Bug 9531: Workaround to avoid rare hangs during New Identity
• Update Tor Launcher to 0.2.6.2
• Bug 11199: Improve behavior if tor exits
• Bug 12451: Add option to hide TBB's logo
• Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
• Bug 11471: Ensure text fits the initial configuration dialog
• Bug 9516: Send Tor Launcher log messages to Browser Console
• Bug 11641: Reorganize bundle directory structure to mimic Firefox
• Bug 10819: Create a preference to enable/disable third party isolation
• Backported Tor Patches:
• Bug 11200: Fix a hang during bootstrap introduced in the initial
  bug11200 patch.
• Tor Browser 4.0-alpha-1 -- Linux Changes
• Bug 10178: Make it easier to set an alternate Tor control port and password
• Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
• Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.