Tor Browser 7.0.4 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].

1: https://www.torproject.org/download/download-easy.html
2: https://www.torproject.org/dist/torbrowser/7.0.4/

This release features important security updates [3] to Firefox.

3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/

A lot of Tor Browser components have been updated in this release. Apart
from the usual Firefox update (to 52.3.0esr) we include a new Tor stable
release (0.3.0.10) + an updated HTTPS-Everywhere (5.2.21) and NoScript
(5.0.8.1).

In this new release we continue to fix regressions that happened due to
the transition to Firefox 52. Most notably, we avoid the scary warnings
popping up when entering passwords on .onion sites without a TLS
certificate (bug 21321 [4]). Handling of our default start page (about:tor)
has improved, too, so that the search box on it works again and it no
longer needs enhanced privileges in order to function.

4: https://trac.torproject.org/projects/tor/ticket/21321

The full changelog since Tor Browser 7.0.2 (for Linux since Tor Browser
7.0.3) is:

 * All Platforms
   * Update Firefox to 52.3.0esr
   * Update Tor to 0.3.0.10
   * Update Torbutton to 1.9.7.5
     * Bug 21999: Fix display of language prompt in non-en-US locales
     * Bug 18193: Don't let about:tor have chrome privileges
     * Bug 22535: Search on about:tor discards search query
     * Bug 21948: Going back to about:tor page gives "Address isn't valid" error
     * Code clean-up
     * Translations update
   * Update Tor Launcher to 0.2.12.3
     * Bug 22592: Default bridge settings are not removed
     * Translations update
   * Update HTTPS-Everywhere to 5.2.21
   * Update NoScript to 5.0.8.1
     * Bug 22362: Remove workaround for XSS related browser freezing
     * Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio
   * Bug 21321: Exempt .onions from HTTP related security warnings
   * Bug 22073: Disable GetAddons option on addons page
   * Bug 22884: Fix broken about:tor page on higher security levels
 * Windows
   * Bug 22829: Remove default obfs4 bridge riemann.
   * Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
 * OS X
   * Bug 22829: Remove default obfs4 bridge riemann.

Hello!

Source code for a new Tor release (0.3.0.10) is now available on the
website; packages should be available over the next several days. The
Tor Browser team tells me they will have a release out next week.

One last reminder: Tor 0.2.4, 0.2.6, and 0.2.7 are no longer
supported, as of 1 August of this year. If you need a release with
long-term support, 0.2.9 is what we recommend: we plan to support it
until at least 1 Jan 2020.

Below is the changelog for the new stable release:

Changes in version 0.3.0.10 - 2017-08-02
  Tor 0.3.0.10 backports a collection of small-to-medium bugfixes
  from the current Tor alpha series. OpenBSD users and TPROXY users
  should upgrade; others are probably okay sticking with 0.3.0.9.

  o Major features (build system, continuous integration, backport
    from 0.3.1.5-alpha):
    - Tor's repository now includes a Travis Continuous Integration (CI)
      configuration file (.travis.yml). This is meant to help new
      developers and contributors who fork Tor to a Github repository be
      better able to test their changes, and understand what we expect
      to pass. To use this new build feature, you must fork Tor to your
      Github account, then go into the "Integrations" menu in the
      repository settings for your fork and enable Travis, then push
      your changes. Closes ticket 22636.

  o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
    - Fix a typo that had prevented TPROXY-based transparent proxying
      from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
      Patch from "d4fq0fQAgoJ".

  o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    - Avoid an assertion failure bug affecting our implementation of
      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
      handling of "0xfoo" differs from what we had expected. Fixes bug
      22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Minor features (backport from 0.3.1.5-alpha):
    - Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (bandwidth accounting, backport from 0.3.1.2-alpha):
    - Roll over monthly accounting at the configured hour and minute,
      rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
      Found by Andrey Karpov with PVS-Studio.

  o Minor bugfixes (compilation warnings, backport from 0.3.1.5-alpha):
    - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
      bugfix on 0.2.8.1-alpha.
    - Fix warnings when building with libscrypt and openssl scrypt
      support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
    - When building with certain versions of the mingw C header files,
      avoid float-conversion warnings when calling the C functions
      isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix
      on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
    - Backport a fix for an "unused variable" warning that appeared
      in some versions of mingw. Fixes bug 22838; bugfix on
      0.2.8.1-alpha.

  o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
    - Avoid Coverity build warnings related to our BUG() macro. By
      default, Coverity treats BUG() as the Linux kernel does: an
      instant abort(). We need to override that so our BUG() macro
      doesn't prevent Coverity from analyzing functions that use it.
      Fixes bug 23030; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (directory authority, backport from 0.3.1.1-alpha):
    - When rejecting a router descriptor for running an obsolete version
      of Tor without ntor support, warn about the obsolete tor version,
      not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
    - Avoid a sandbox failure when trying to re-bind to a socket and
      mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (unit tests, backport from 0.3.1.5-alpha):
    - Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
      Fixes bug 22803; bugfix on 0.3.0.1-alpha.