Tor Browser 7.5.6 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].

1: https://www.torproject.org/download/download-easy.html
2: https://www.torproject.org/dist/torbrowser/7.5.6/

This release features important security updates [3] to Firefox.

3: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/

Tor Browser 7.5.6 updates Firefox to 52.9.0esr and includes newer
versions of NoScript and HTTPS Everywhere. Moreover, we added the latest
Tor stable version, 0.3.3.7 [4].

4: https://blog.torproject.org/tor-0337-released

This Tor Browser version additionally contains a number of backported
patches from the alpha, most notably the feature to treat cookies set
by .onion domain as secure as well [5].

5: https://trac.torproject.org/projects/tor/ticket/21537

For Windows users we activated an option that prevents an accidental
proxy bypass when dealing with UNC paths [6].

6: https://trac.torproject.org/projects/tor/ticket/26424

The full changelog since Tor Browser 7.5.5 is:

 * All platforms
   * Update Firefox to 52.9.0esr
   * Update Tor to 0.3.3.7
   * Update Tor Launcher to 0.2.14.5
     * Bug 20890: Increase control port connection timeout
   * Update HTTPS Everywhere to 2018.6.21
     * Bug 26451: Prevent HTTPS Everywhere from freezing the browser
   * Update NoScript to 5.1.8.6
   * Bug 21537: Mark .onion cookies as secure
   * Bug 25938: Backport fix for cross-origin header leak (bug 1334776)
   * Bug 25721: Backport patches from Mozilla's bug 1448771
   * Bug 25147+25458: Sanitize HTML fragments for chrome documents
   * Bug 26221: Backport fix for leak in SHA256 in nsHttpConnectionInfo.cpp
 * Windows
   * Bug 26424: Disable UNC paths to prevent possible proxy bypasses

Hello, everyone!

Source code for Tor 0.3.3.7 is now available; you can download the
source code from the usual place on the website. Packages should be
available within the next several weeks, with a new Tor Browser in the
next couple of weeks.

There is also a new alpha release today; that one is announced on
tor-talk@ as usual.

=============
Changes in version 0.3.3.7 - 2018-06-12
  Tor 0.3.3.7 backports several changes from the 0.3.4.x series, including
  fixes for bugs affecting compatibility and stability.

  o Directory authority changes:
    - Add an IPv6 address for the "dannenberg" directory authority.
      Closes ticket 26343.

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 26351.

  o Minor bugfixes (compatibility, openssl, backport from 0.3.4.2-alpha):
    - Work around a change in OpenSSL 1.1.1 where return values that
      would previously indicate "no password" now indicate an empty
      password. Without this workaround, Tor instances running with
      OpenSSL 1.1.1 would accept descriptors that other Tor instances
      would reject. Fixes bug 26116; bugfix on 0.2.5.16.

  o Minor bugfixes (compilation, backport from 0.3.4.2-alpha):
    - Silence unused-const-variable warnings in zstd.h with some GCC
      versions. Fixes bug 26272; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (controller, backport from 0.3.4.2-alpha):
    - Improve accuracy of the BUILDTIMEOUT_SET control port event's
      TIMEOUT_RATE and CLOSE_RATE fields. (We were previously
      miscounting the total number of circuits for these field values.)
      Fixes bug 26121; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (hardening, backport from 0.3.4.2-alpha):
    - Prevent a possible out-of-bounds smartlist read in
      protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (path selection, backport from 0.3.4.1-alpha):
    - Only select relays when they have the descriptors we prefer to use
      for them. This change fixes a bug where we could select a relay
      because it had _some_ descriptor, but reject it later with a
      nonfatal assertion error because it didn't have the exact one we
      wanted. Fixes bugs 25691 and 25692; bugfix on 0.3.3.4-alpha.