Note: Tor Browser 7.0.3 is a security bugfix release for Linux users
only. Users on Windows and macOS are not affected and stay on Tor Browser
7.0.2.
Tor Browser 7.0.3 is now available for our Linux users from the
Tor Browser Project page [1] and also from our distribution directory [2].
1: https://www.torproject.org/download/download-easy.html#linux
2: https://www.torproject.org/dist/torbrowser/7.0.3/
This release features an important security update to Tor Browser for
Linux users. On Linux systems with GVfs/GIO support, Firefox allows proxy
settings to be bypassed because it ships a whitelist of protocols that GIO
is allowed to handle. Once an affected user navigates to a specially
crafted URL, the operating system may connect directly to the remote host,
bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed
Tor Browser, are unaffected, though.
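As an added illustration that is not part of this announcement or of Tor Browser's own code: a small check that parses a Firefox-style prefs.js/user.js and reports whether the GIO protocol whitelist has been explicitly emptied. It assumes that the whitelist lives in the Firefox preference named `network.gio.supported-protocols` (known from Firefox, not named above) and that the fix for bug 23044 amounts to setting it to an empty string; the sample pref lines are constructed.

```python
"""Check a Firefox/Tor Browser prefs file for a non-empty GIO protocol whitelist.

Assumptions (not stated in the announcement): the whitelist is the Firefox
preference "network.gio.supported-protocols", and the hardened state is that
pref explicitly set to "". The sample prefs below are constructed.
"""
import re

GIO_PREF = "network.gio.supported-protocols"  # assumed Firefox pref name

# Matches both pref("name", value); and user_pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(".*?"|[^)]+)\);\s*$')

# Constructed samples: a profile still allowing GIO handlers, and a hardened one.
SAMPLE_VULNERABLE = 'user_pref("network.gio.supported-protocols", "smb:,sftp:");\n'
SAMPLE_HARDENED = 'user_pref("network.gio.supported-protocols", "");\n'


def parse_prefs(text):
    """Return {name: raw_value} for every pref line in prefs.js/user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = raw.strip()
    return prefs


def gio_whitelist(prefs):
    """Protocols GIO may handle according to the prefs, or None if unset.

    An unset pref means Firefox's built-in default applies, which is exactly
    the case the announcement describes as affected.
    """
    raw = prefs.get(GIO_PREF)
    if raw is None:
        return None
    return [p for p in raw.strip('"').split(",") if p.strip()]


def is_hardened(prefs):
    """True only when the GIO whitelist is explicitly present and empty."""
    wl = gio_whitelist(prefs)
    return wl is not None and len(wl) == 0


def check_text(text):
    """Human-readable verdict for a prefs file's contents."""
    prefs = parse_prefs(text)
    if is_hardened(prefs):
        return "hardened: GIO protocol whitelist is empty"
    wl = gio_whitelist(prefs)
    return "affected: GIO whitelist is " + ("unset (browser default)" if wl is None else ",".join(wl))
```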
The bug was reported to us yesterday by Julian Jackson (@atechdad) via
our HackerOne bug bounty program. Thanks! We are not aware of it being
exploited in the wild.
We are currently preparing updated Linux bundles for our alpha series,
and they should go live within the next couple of hours. Meanwhile, Linux
users on that series are strongly encouraged to use the stable bundles
or one of the above-mentioned tools that are not affected by the
underlying problem.
Here is the full changelog since 7.0.2:
* Linux
  * Bug 23044: Don't allow GIO supported protocols by default
Tor Browser 7.0.2 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/download-easy.html
2: https://www.torproject.org/dist/torbrowser/7.0.2/
This release features an important security update to Tor.
We are updating Tor to version 0.3.0.9 [3], fixing a path selection bug
that would allow a client to use a guard that was in the same network
family as a chosen exit relay. This release also updates HTTPS-Everywhere
to 5.2.19.
3: https://blog.torproject.org/blog/tor-0309-released-security-update-clients
Here is the full changelog since 7.0.1:
* All Platforms
  * Update Tor to 0.3.0.9, fixing bug #22753
  * Update HTTPS-Everywhere to 5.2.19