Tor Browser 7.0.10 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/download-easy.html
2: https://www.torproject.org/dist/torbrowser/7.0.10/
This release features important security updates [3] to Firefox.
3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/
This release updates Firefox to version 52.5.0esr [4] and Tor to version
0.3.1.8 [5], the second stable release in the 0.3.1 series. In addition
to that, we updated the HTTPS Everywhere and NoScript extensions
we ship. For Windows users we backported patches from the alpha series
that update the msvcr100.dll runtime library we include and which should
make Tor Browser more robust against crashes due to misbehaving
third-party software.
4: https://www.mozilla.org/en-US/firefox/52.5.0/releasenotes/
5: https://blog.torproject.org/new-stable-tor-releases-0318-03012-02913-02816-…
The full changelog since Tor Browser 7.0.9 (7.0.8 for Windows) is:
* All Platforms
  * Update Firefox to 52.5.0esr
  * Update Tor to 0.3.1.8
  * Update Torbutton to 1.9.7.10
  * Bug 23997: Add link to Tor Browser manual for de, nl, tr, vi
  * Translations update
  * Update HTTPS-Everywhere to 2017.10.30
  * Bug 24178: Use make.sh for building HTTPS-Everywhere
  * Update NoScript to 5.1.5
  * Bug 23968: NoScript icon jumps to the right after update
* Windows
  * Bug 23582: Enable the Windows DLL blocklist for mingw-w64 builds
  * Bug 23396: Update the msvcr100.dll we ship
  * Bug 24052: Block file:// redirects early
Note: Tor Browser 7.0.9 is a security bugfix release for macOS and
Linux users only. Users on Windows are not affected and stay on Tor
Browser 7.0.8.
Tor Browser 7.0.9 is now available for our macOS [1] and Linux [2] users
from the Tor Browser Project page and also from our distribution
directory [3].
1: https://www.torproject.org/download/download-easy.html#mac
2: https://www.torproject.org/download/download-easy.html#linux
3: https://www.torproject.org/dist/torbrowser/7.0.9/
This release features an important security update to Tor Browser for
macOS and Linux users. Due to a Firefox bug [4] in handling file:// URLs,
it is possible on both systems for users to leak their IP address. Once
an affected user navigates to a specially crafted URL, the operating
system may connect directly to the remote host, bypassing Tor Browser.
Tails users and users of our sandboxed-tor-browser are unaffected, though.
4: https://bugzilla.mozilla.org/show_bug.cgi?id=1412081
The bug was reported to us on Thursday, October 26, by Filippo Cavallarin.
We created a workaround with the help of Mozilla engineers on the next
day which, alas, fixed the leak only partially. We developed an additional
fix on Tuesday, October 31, plugging all known holes. We are not aware
of this vulnerability being exploited in the wild. Thanks to everyone
who helped during this process!
We are currently preparing updated macOS and Linux bundles for our alpha
series, which will tentatively be available on Monday, November 6. Meanwhile,
macOS and Linux users on that series are strongly encouraged to use the
stable bundles or one of the above-mentioned tools that are not affected
by the underlying problem.
Known issues: The fix we deployed is just a workaround stopping the leak.
As a result, navigating file:// URLs in the browser might not
work as expected anymore. In particular, entering file:// URLs in the URL
bar and clicking on resulting links is broken. Opening those in a new
tab or new window does not work either. A workaround for those issues
is dragging the link into the URL bar or onto a tab instead. We track this
follow-up regression in bug 24136 [5].
5: https://trac.torproject.org/projects/tor/ticket/24136
Here is the full changelog since 7.0.8:
* OS X
  * Bug 24052: Streamline handling of file:// resources
* Linux
  * Bug 24052: Streamline handling of file:// resources