Tor Browser 7.0.3 is released
Note: Tor Browser 7.0.3 is a security bugfix release for Linux users only. Users on Windows and macOS are not affected and stay on Tor Browser 7.0.2.
This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support, Firefox ships a whitelist of protocols that are handed to GIO instead of the browser's network stack, and requests for those protocols bypass the configured proxy settings. Once an affected user navigates to a specially crafted URL, the operating system may connect directly to the remote host, bypassing Tor Browser entirely. Tails and Whonix users, and users of our sandboxed Tor Browser, are unaffected.
The bug was reported to us yesterday by Julian Jackson (@atechdad) via our HackerOne bug bounty program. Thanks! We are not aware of it being exploited in the wild.
We are currently preparing updated Linux bundles for our alpha series, and they should go live within the next couple of hours. Meanwhile, Linux users on that series are strongly encouraged to use the stable bundles or one of the above-mentioned tools that are not affected by the underlying problem.
Here is the full changelog since 7.0.2:
- Bug 23044: Don't allow GIO supported protocols by default
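The changelog entry above is terse, so here is an added example (not part of the Tor Project's post or code) that shows what a defender can check locally. It assumes, from Firefox's preference defaults rather than from this page, that the GIO whitelist is the pref network.gio.supported-protocols (Firefox default "smb:,sftp:") and that the Bug 23044 fix sets it to the empty string. The script reads that pref from a prefs.js or user.js file, reports whether GIO protocols are still allowed, and checks whether gvfs is installed, which is the condition the comments below use to decide who is affected. The prefs files it inspects are constructed samples created in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the Tor Project. Checks whether a Firefox/Tor Browser
# prefs file still allows GIO-handled protocols (which bypass the proxy) and
# whether gvfs is present on the host.

# Print the effective value of network.gio.supported-protocols from a prefs file.
# If the file does not set it, fall back to Firefox's built-in default
# ("smb:,sftp:", an assumption taken from Firefox's preference defaults).
gio_protocols() {
  line=$(grep -E '^(user_)?pref\("network\.gio\.supported-protocols",' "$1" 2>/dev/null | tail -n 1)
  if [ -n "$line" ]; then
    # Extract the second quoted string: pref("name", "value");
    printf '%s\n' "$line" | sed -E 's/^[^"]*"[^"]*",[[:space:]]*"([^"]*)"\);.*/\1/'
  else
    printf '%s\n' "smb:,sftp:"
  fi
}

# Return 0 when no GIO protocol is whitelisted (the hardened state), 1 otherwise.
gio_disabled() {
  [ -z "$(gio_protocols "$1")" ]
}

# Return 0 when gvfs appears to be installed (common install locations and the
# gvfsd daemon), 1 otherwise. Paths are assumptions, not from the page.
gvfs_present() {
  for d in /usr/lib/gvfs /usr/lib64/gvfs /usr/share/gvfs /usr/lib/x86_64-linux-gnu/gvfs; do
    [ -d "$d" ] && return 0
  done
  command -v gvfsd >/dev/null 2>&1 && return 0
  return 1
}

# Constructed sample prefs files standing in for a real profile's prefs.js.
TMPD=$(mktemp -d)
printf 'user_pref("network.gio.supported-protocols", "smb:,sftp:");\n' > "$TMPD/unpatched.js"
printf 'pref("network.gio.supported-protocols", "");\n' > "$TMPD/patched.js"

for f in unpatched patched; do
  if gio_disabled "$TMPD/$f.js"; then
    echo "$f.js: GIO protocols disabled (proxy cannot be bypassed this way)"
  else
    echo "$f.js: GIO protocols allowed: $(gio_protocols "$TMPD/$f.js")"
  fi
done

if gvfs_present; then
  echo "gvfs present: a browser that still whitelists GIO protocols is affected"
else
  echo "gvfs not found: GIO protocol handling is not available on this host"
fi
```

Note that Tor Browser 7.0.3 applies the fix in its bundled default preferences, so a fresh prefs.js may not mention the pref at all; about:config is the authoritative view, and a user.js line `user_pref("network.gio.supported-protocols", "");` pins the hardened value regardless of defaults.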
You can check whether gvfs packages are installed on your system. If gvfs is available, you are probably affected. Updating to version 7.0.3 should solve it.
Probably a better way than this, but I did this as a quick and dirty check.
gvfs: /usr/lib64/gvfs /usr/share/gvfs /usr/share/man/man7/gvfs.7.gz
As you can see, my system has gvfs and the man page for it. I assume this means this is a good bug fix for me.
Thanks Tor guys/gals.