Tor Browser 7.5a3 is released
Note: Tor Browser 7.5a3 is a security bugfix release for Linux users only. Users on Windows and macOS are not affected and stay on Tor Browser 7.5a2.
This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support, Firefox allows proxy settings to be bypassed because it has a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL, the operating system may connect directly to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser, are unaffected, though.
The bug got reported to us by Julian Jackson (@atechdad) via our HackerOne bug bounty program on July 26. Thanks! We are not aware of it being exploited in the wild.
Here is the full changelog since 7.5a2:
- Bug 23044: Don't allow GIO supported protocols by default