Tor Browser 6.0.7 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/download-easy.html
2: https://www.torproject.org/dist/torbrowser/6.0.7/
This release features an important security update to Firefox and
also contains an update to NoScript (2.9.5.2).
The security flaw responsible for this urgent release is already
actively exploited on Windows systems. Even though there is currently,
to the best of our knowledge, no similar exploit available for OS X or
Linux users, the underlying bug affects those platforms as well.
Thus we strongly recommend that all users apply the update to their
Tor Browser immediately. A restart is required for it to take effect.
Tor Browser users who had set their security slider to "High" are
believed to have been safe from this vulnerability.
We will have alpha and hardened Tor Browser updates out shortly. In the
meantime, users of these series can mitigate the security flaw in at
least two ways:
1) Set the security slider to "High", as this prevents the exploit
from working.
2) Switch to the stable series until updates for alpha and hardened are
available, too.
Here is the full changelog since 6.0.6:
 * All Platforms
   * Update Firefox to 45.5.1esr
   * Update NoScript to 2.9.5.2
Tor Browser 6.0.6 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/download-easy.html
2: https://www.torproject.org/dist/torbrowser/6.0.6/
This release features important security updates [3] to Firefox.
3: https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/
This release updates Firefox to 45.5.0esr. Other components were
updated as well: Tor to 0.2.8.9, HTTPS-Everywhere to 5.2.7, and
OpenSSL to 1.0.1u.
We fixed a lot of usability bugs, some caused by Apple's macOS Sierra
(meek did not work anymore and windows could not be dragged either). We
moved directly to DuckDuckGo as our search engine, avoiding a roundtrip
to Disconnect.me first. Finally, we added a donation banner shown in
some localized bundles starting on Nov 23 in order to point to our
end-of-the-year 2016 donation campaign.
Here is the full changelog since 6.0.5:
 * All Platforms
   * Update Firefox to 45.5.0esr
   * Update Tor to 0.2.8.9
   * Update OpenSSL to 1.0.1u
   * Update Torbutton to 1.9.5.12
     * Bug 20414: Add donation banner on about:tor for 2016 campaign
     * Translation updates
   * Update Tor Launcher to 0.2.9.4
     * Bug 20429: Do not open progress window if tor doesn't get started
     * Bug 19646: Wrong location for meek browser profile on OS X
   * Update HTTPS-Everywhere to 5.2.7
   * Update meek to 0.25
     * Bug 19646: Wrong location for meek browser profile on OS X
     * Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
   * Bug 19838: Add dgoulet's bridge and add another one commented out
   * Bug 20296: Rotate ports again for default obfs4 bridges
   * Bug 19735: Switch default search engine to DuckDuckGo
   * Bug 20118: Don't unpack HTTPS Everywhere anymore
 * Windows
   * Bug 20342: Add tor-gencert.exe to expert bundle
 * OS X
   * Bug 20204: Windows don't drag on macOS Sierra anymore
   * Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
 * Build system
   * All platforms
     * Bug 20023: Upgrade Go to 1.7.3