Tor Browser 11.5.5 is now available from the Tor Browser download page and also from our distribution directory.

Tor Browser 11.5.5 backports the following security updates from Firefox ESR 102.4 to to Firefox ESR 91.13 on Windows, macOS and Linux:

CVE-2022-40674: libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c CVE-2022-42927: Same-origin policy violation could have leaked cross-origin URLs CVE-2022-42928: Memory Corruption in JS Engine CVE-2022-42929: Denial of Service via window.print CVE-2022-42932: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4

Tor Browser 11.5.5 updates GeckoView on Android to 102.4.0esr and includes important security updates. There were no Android-specific security updates to backport from the Firefox 106 release.

The full changelog since Tor Browser 11.5.4 is:

All Platforms Update Translations Bug tor-browser-build#40649: Update meek default bridge Bug tor-browser-build#40654: Enable uTLS and use the full bridge line for snowflake Windows + macOS + Linux Update Manual Bug tor-browser#40465: Onion Authentication fails when connecting to a subdomain Bug tor-browser#41355: Amends to YEC 2022 Takeover Desktop Stable 11.5.5 Bug tor-browser#41359: Backport ESR 102.4 security fixes to 91.13-based Tor Browser Bug tor-browser#41364: Continued amends to YEC 2022 Takeover Desktop Stable 11.5.5 Android Bug tor-browser-build#40650: Rebase geckoview-102.3.0esr-11.5-1 to ESR 102.4 Bug tor-browser#41360: Backport Android-specific Firefox 106 to ESR 102.4-based Tor Browser Bug tor-browser#41365: Amends to YEC 2022 Takeover on Android Build Windows + macOS + Linux Update Go to 1.18.7 Bug tor-browser-build#40464: go 1.18 fails to build on macOS