Tor Browser 6.5.1 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].

1: https://www.torproject.org/download/download-easy.html
2: https://www.torproject.org/dist/torbrowser/6.5.1/

This release features important security updates [3] to Firefox.

3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/

This is the first minor release in the 6.5 series and it mainly contains
updates to several of our Tor Browser components: Firefox got updated
to 45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.1k, and HTTPS-Everywhere
to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed
some regressions that came with our last release.

In Tor Browser 6.5 we introduced filtering of content requests to
resource:// and chrome:// URIs [4] in order to neuter a fingerprinting
vector. This change however breaks the Session Manager addon [5]. Users
who think having extensions like that one working is much more important
than avoiding the possible information leakage associated with that can
now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting'
preference, setting it to 'true' to disable our defense against this
type of fingerprinting.

4: https://trac.torproject.org/projects/tor/ticket/8725
5: https://trac.torproject.org/projects/tor/ticket/21396

Another regression introduced in Tor Browser 6.5 is the resizing of
the window [6]. We are currently working on a fix for this issue.

6: https://trac.torproject.org/projects/tor/ticket/20905

Here is the full changelog since 6.5:

 * All Platforms
   * Update Firefox to 45.8.0esr
   * Tor to 0.2.9.10
   * OpenSSL to 1.0.2k
   * Update Torbutton to 1.9.6.14
     * Bug 21396: Allow leaking of resource/chrome URIs (off by default)
     * Bug 21574: Add link for zh manual and create manual links dynamically
     * Bug 21330: Non-usable scrollbar appears in tor browser security settings
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.11
   * Bug 21514: Restore W^X JIT implementation removed from ESR45
   * Bug 21536: Remove scramblesuit bridge
   * Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
 * Linux
   * Bug 21326: Update the "Using a system-installed Tor" section in start script

You can download the source code from https://dist.torproject.org/
but most users should wait for the upcoming Tor Browser release, or
for their upcoming system package updates.

(0.3.0.4-rc also came out today, but non-stable releases get announced
on tor-talk.)

Changes in version 0.2.9.10 - 2017-03-01
  Tor 0.2.9.10 backports a security fix from a later Tor release. It also
  includes fixes for some major issues affecting directory authorities,
  LibreSSL compatibility, and IPv6 correctness.

  The Tor 0.2.9.x release series is now marked as a long-term-support
  series. We intend to backport security fixes to 0.2.9.x until at
  least January of 2020.

  o Major bugfixes (directory authority, 0.3.0.3-alpha):
    - During voting, when marking a relay as a probable sybil, do not
      clear its BadExit flag: sybils can still be bad in other ways
      too. (We still clear the other flags.) Fixes bug 21108; bugfix
      on 0.2.0.13-alpha.

  o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
    - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
      any IPv6 addresses. Instead, only reject a port over IPv6 if the
      exit policy rejects that port on more than an IPv6 /16 of
      addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
      which rejected a relay's own IPv6 address by default. Fixes bug
      21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.

  o Major bugfixes (parsing, also in 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor features (directory authorities, also in 0.3.0.4-rc):
    - Directory authorities now reject descriptors that claim to be
      malformed versions of Tor. Helps prevent exploitation of
      bug 21278.
    - Reject version numbers with components that exceed INT32_MAX.
      Otherwise 32-bit and 64-bit platforms would behave inconsistently.
      Fixes bug 21450; bugfix on 0.0.8pre1.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.

  o Minor features (portability, compilation, backport from 0.3.0.3-alpha):
    - Autoconf now checks to determine if OpenSSL structures are opaque,
      instead of explicitly checking for OpenSSL version numbers. Part
      of ticket 21359.
    - Support building with recent LibreSSL code that uses opaque
      structures. Closes ticket 21359.

  o Minor bugfixes (code correctness, also in 0.3.0.4-rc):
    - Repair a couple of (unreachable or harmless) cases of the risky
      comparison-by-subtraction pattern that caused bug 21278.

  o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
    - The tor-resolve command line tool now rejects hostnames over 255
      characters in length. Previously, it would silently truncate them,
      which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
      Patch by "junglefowl".
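
Added example (not part of the original announcement and not Tor's own code): the changelog entries for bugs 21278 and 21450 name a comparison-by-subtraction pattern and a missing INT32_MAX bound, and the C sketch below shows both defenses together. Signed overflow in `a - b` is undefined behaviour in C and traps under -ftrapv. The four-component numeric format and all function names here are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#define NCOMP 4 /* assumption: exactly four numeric components, e.g. 0.2.9.10 */
/* Would a comparator that returns a - b overflow a 32-bit int? Evaluated in
 * 64 bits so this demo itself stays free of undefined behaviour. */
int subtraction_would_overflow(int32_t a, int32_t b) {
    int64_t d = (int64_t)a - (int64_t)b;
    return d > INT32_MAX || d < INT32_MIN;
}

/* Safe three-way comparison: no arithmetic on the operands. */
int cmp_i32(int32_t a, int32_t b) { return (a > b) - (a < b); }

/* Parse one component; reject empty, signed or > INT32_MAX input. */
int parse_component(const char *s, int32_t *out, const char **end) {
    char *e;
    if (*s < '0' || *s > '9') return -1;
    errno = 0;
    unsigned long long v = strtoull(s, &e, 10);
    if (errno == ERANGE || v > (unsigned long long)INT32_MAX) return -1;
    *out = (int32_t)v; *end = e;
    return 0;
}

/* Parse a full version; any malformed component rejects the whole string. */
int parse_version(const char *s, int32_t out[NCOMP]) {
    for (int i = 0; i < NCOMP; i++) {
        if (parse_component(s, &out[i], &s)) return -1;
        if (*s != (i == NCOMP - 1 ? '\0' : '.')) return -1;
        if (*s) s++;
    }
    return 0;
}

/* Returns 0 and sets *result to -1/0/1, or -1 if either input is malformed. */
int compare_versions(const char *x, const char *y, int *result) {
    int32_t a[NCOMP], b[NCOMP];
    if (parse_version(x, a) || parse_version(y, b)) return -1;
    *result = 0;
    for (int i = 0; i < NCOMP && *result == 0; i++)
        *result = cmp_i32(a[i], b[i]);
    return 0;
}

int main(void) { /* exit status 0 when 0.2.9.10 sorts after 0.2.9.8 */
    int r = 0;
    return !(compare_versions("0.2.9.10", "0.2.9.8", &r) == 0 && r == 1);
}
```

Once components are validated as non-negative and at most INT32_MAX, a subtraction could no longer overflow, but the three-way comparison stays correct even if validation is later loosened.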