Tor Browser 7.5a3 is released

Note: Tor Browser 7.5a3 is a security bugfix release for Linux users only. Users on Windows and macOS are not affected and stay on Tor Browser 7.5a2.

Tor Browser 7.5a3 is now available for our Linux users from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support Firefox allows to bypass proxy settings as it has a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser are unaffected, though.

The bug got reported to us by Julian Jackson (@atechdad) via our HackerOne bug bounty program on July 26. Thanks! We are not aware of it being exploited in the wild.

Here is the full changelog since 7.5a2:

  • Linux
    • Bug 23044: Don't allow GIO supported protocols by default

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our ​support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

1 + 6 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.