- tor-announce - lists.torproject.org

[RELEASE] Tor stable 0.4.8.18 and alpha 0.4.9.3-alpha
by David Goulet 16 Sep '25

16 Sep '25

Greetings, We just released 0.4.8.18 stable and 0.4.9.3-alpha: https://forum.torproject.org/t/alpha-and-stable-release-0-4-8-18-and-0-4-9-… Here is the ChangeLog for both. Cheers! Changes in version 0.4.9.3-alpha - 2025-09-16 This is the third alpha release and likely the last before going stable. This release contains the new CGO circuit encryption. See proposal 359 for more details. Several TLS minor fixes which will strengthen the link security. o New system requirements: - When built with LibreSSL, Tor now requires LibreSSL 3.7 or later. Part of ticket 41059. - When built with OpenSSL, Tor now requires OpenSSL 1.1.1 or later. (We strongly recommend 3.0 or later, but still build with 1.1.1, even though it is not supported by the OpenSSL team, due to its presence in Debian oldstable.) Part of ticket 41059. o Major features (cell format): - Tor now has (unused) internal support to encode and decode relay messages in the new format required by our newer CGO encryption algorithm. Closes ticket 41051. Part of proposal 359. o Major features (cryptography): - Clients and relays can now negotiate Counter Galois Onion (CGO) relay cryptography, as designed by Jean Paul Degabriele, Alessandro Melloni, Jean-Pierre Münch, and Martijn Stam. CGO provides improved resistance to several kinds of tagging attacks, better forward secrecy, and better forgery resistance. Closes ticket 41047. Implements proposal 359. o Major bugfixes (onion service directory cache): - Preserve the download counter of an onion service descriptor across descriptor uploads, so that recently updated descriptors don't get pruned if there is memory pressure soon after update. Additionally, create a separate torrc option MaxHSDirCacheBytes that defaults to the former 20% of MaxMemInQueues threshold, but can be controlled by relay operators under DoS. Also enforce this theshold during HSDir uploads. Fixes bug 41006; bugfix on 0.4.8.14. o Minor features (security): - Increase the size of our finite-field Diffie Hellman TLS group (which we should never actually use!) to 2048 bits. Part of ticket 41067. - Require TLS version 1.2 or later. (Version 1.3 support will be required in the near future.) Part of ticket 41067. - Update TLS 1.2 client cipher list to match current Firefox. Part of ticket 41067. o Minor features (security, TLS): - When we are running with OpenSSL 3.5.0 or later, support using the ML-KEM768 for post-quantum key agreement. Closes ticket 41041. o Minor feature (client, TLS): - Set the TLS 1.3 cipher list instead of falling back on the default value. o Minor feature (padding, logging): - Reduce the amount of messages being logged related to channel padding timeout when log level is "notice". o Minor features (bridges): - Save complete bridge lines to 'datadir/bridgelines'. Closes ticket 29128. o Minor features (fallbackdir): - Regenerate fallback directories generated on September 16, 2025. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/09/16. o Minor features (hidden services): - Reduce the minimum value of hsdir_interval to match recent tor- spec change. o Minor features (hsdesc POW): - Tolerate multiple PoW schemes in onion service descriptors, for future extensibility. Implements torspec ticket 272. o Minor features (performance TLS): - When running with with OpenSSL 3.0.0 or later, support using X25519 for TLS key agreement. (This should slightly improve performance for TLS session establishment.) o Minor features (portability): - Fix warnings when compiling with GCC 15. Closes ticket 41079. o Minor bugfix (conflux): - Remove the pending nonce if we realize that the nonce of the unlinked circuit is not tracked anymore. Should avoid the non fatal assert triggered with a control port circuit event. Fixes bug 41037; bugfix on 0.4.8.15. o Minor bugfixes (bridges, pluggable transport): - Fix a bug causing the initial tor process to hang intead of exiting with RunAsDaemon, when pluggable transports are used. Fixes bug 41088; bugfix on 0.4.9.1-alpha. o Minor bugfixes (circuit handling): - Prevent circuit_mark_for_close() from being called twice on the same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev. - Prevent circuit_mark_for_close() from being called twice on the same circuit. Second fix attempt Fixes bug 41106; bugfix on 0.4.8.17 o Minor bugfixes (compilation): - Fix linking on systems without a working stdatomic.h. Fixes bug 41076; bugfix on 0.4.9.1-alpha. o Minor bugfixes (compiler warnings): - Make sure the two bitfields in the half-closed edge struct are unsigned, as we're using them for boolean values and assign 1 to them. Fixes bug 40911; bugfix on 0.4.7.2-alpha. o Minor bugfixes (logging, metrics port): - Count BUG statements for the MetricsPort only if they are warnings or errors. Fixes bug 41104; bugfix on 0.4.7.1-alpha. Patch contributed by shadowcoder. o Minor bugfixes (protocol): - Set the length field correctly on RELAY_COMMAND_CONFLUX_SWITCH messages. Previously, it was always set to the maximum value. Fixes bug 41056; bugfix on 0.4.8.1-alpha. o Minor bugfixes (relay): - Fix a crash when FamilyKeyDir is a path that cannot be read. Fixes bug 41043; bugfix on 0.4.9.2-alpha. o Minor bugfixes (threads): - Make thread control POSIX compliant. Fixes bug 41109; bugfix on 0.4.8.17-dev. o Removed features: - Relays no longer support clients that falsely advertise TLS ciphers they don't really support. (Clients have not done this since 0.2.3.17-beta). Part of ticket 41031. - Relays no longer support clients that require obsolete v1 and v2 link handshakes. (The v3 link handshake has been supported since 0.2.3.6-alpha). Part of ticket 41031. Changes in version 0.4.8.18 - 2025-09-16 This is a minor release with a major onion service directory cache (HSDir) bug fix. A series of minor bugfixes as well. As always, we strongly recommend to upgrade as soon as possible. o Major bugfixes (onion service directory cache): - Preserve the download counter of an onion service descriptor across descriptor uploads, so that recently updated descriptors don't get pruned if there is memory pressure soon after update. Additionally, create a separate torrc option MaxHSDirCacheBytes that defaults to the former 20% of MaxMemInQueues threshold, but can be controlled by relay operators under DoS. Also enforce this theshold during HSDir uploads. Fixes bug 41006; bugfix on 0.4.8.14. o Minor feature (padding, logging): - Reduce the amount of messages being logged related to channel padding timeout when log level is "notice". o Minor features (fallbackdir): - Regenerate fallback directories generated on September 16, 2025. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/09/16. o Minor bugfix (conflux): - Remove the pending nonce if we realize that the nonce of the unlinked circuit is not tracked anymore. Should avoid the non fatal assert triggered with a control port circuit event. Fixes bug 41037; bugfix on 0.4.8.15. o Minor bugfixes (circuit handling): - Prevent circuit_mark_for_close() from being called twice on the same circuit. Second fix attempt Fixes bug 41106; bugfix on 0.4.8.17 o Minor bugfixes (threads): - Make thread control POSIX compliant. Fixes bug 41109; bugfix on 0.4.8.17-dev. -- 7foVekONn2ef4TNka+FUrpiKMgHwqW5UJwOt0iGfiXQ=

1 0

New Release: Tor Browser 14.5.7 (Android, Windows, macOS, Linux)
by Giorgio Maone 16 Sep '25

16 Sep '25

Hi everyone, Tor Browser 14.5.7 has now been published for all platforms. For details please see our blog post: - https://blog.torproject.org/new-release-tor-browser-1457 Changelog: Tor Browser 14.5.7 - September 16 2025 * All Platforms * Updated OpenSSL to 3.5.2 * Bug 44136: Backport tor-browser#44081: Swiping away the "private tabs" notification requires rebootstrapping [tor-browser] * Bug 44199: Backport Security Fixes from Firefox 143 [tor-browser] * Bug 41441: Backport tor-browser-build#41432: Bump OpenSSL to 3.5.0 [tor-browser-build] * Bug 41462: Backport #40994 and #41280: Add support in signing scripts to sign release for some archs only & Update download-android-*.json files for android-only releases [tor-browser-build] * Bug 41543: mmdebstrap-image fails to build bookworm images on maint-14.5 [tor-browser-build] * Build System * All Platforms * Bug 41554: Export SIGNING_PROJECTNAME and tbb_version in linux-signer-sign-android-apks, in maint-14.5 [tor-browser-build] -- ma1

1 0

New Release: Tor Browser 15.0a2 (Android, Windows, macOS, Linux)
by Giorgio Maone 01 Sep '25

01 Sep '25

Hi everyone, Tor Browser 15.0a2 has now been published for all platforms. For details please see our blog post: - https://blog.torproject.org/new-release-tor-browser-150a2 Changelog: * All Platforms o Updated NoScript to 13.0.9 o Updated OpenSSL to 3.5.2 o Bug tor-browser#43727 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43727>: Update moz-toggle customisation for ESR 140 o Bug tor-browser#43832 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43832>: Drop eslint-env o Bug tor-browser#43864 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43864>: Remove features from the unified search button o Bug tor-browser#44045 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44045>: Drop AI and machine learning components o Bug tor-browser#44048 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44048>: Backport Bug 1979608 o Bug tor-browser#44069 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44069>: Update |meek-azure| related strings to |meek| o Bug tor-browser#44094 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44094>: Rebase Tor Browser alpha onto 140.2.0esr o Bug tor-browser#44100 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44100>: Backport Security Fixes from Firefox 142 o Bug tor-browser#44140 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44140>: Align PDF changes to 140esr o Bug tor-browser-build#41442 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Update our audit CSVs to use the new Audit template * Windows + macOS + Linux o Updated Firefox to 140.2.0esr o Bug tor-browser#43111 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43111>: Delete our webextensions for search engines when Bug 1885953 is fixed upstream o Bug tor-browser#43519 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43519>: Replace tor-loading.png with SVG o Bug tor-browser#43525 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43525>: Check if our search engine customization still works after ESR 140 transition o Bug tor-browser#43728 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43728>: Update search engine icon sizes o Bug tor-browser#43795 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43795>: Restore the URL classifier XPCOM components. o Bug tor-browser#43817 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43817>: Write e2e test for verifying if the browser is connected to the Tor network o Bug tor-browser#43844 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43844>: Security level shield icon should be flipped for RTL locales o Bug tor-browser#43874 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43874>: Incorporate our unified extension button hiding logic into mozilla's changes for ESR 140 o Bug tor-browser#43901 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43901>: Modify about:license for Tor Browser and drop about:rights o Bug tor-browser#43902 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43902>: Hide Sidebar buttons o Bug tor-browser#43903 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43903>: Report broken site is disabled rather than hidden o Bug tor-browser#44030 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44030>: Security Level selector does not get confirmation before restarting o Bug tor-browser#44034 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44034>: Update string used for checkbox on New Identity confirmation dialog o Bug tor-browser#44040 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44040>: Modify nsIPrompt and the commonDialog code to allow destructive buttons o Bug tor-browser#44041 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44041>: Letterboxing causes greyed out alert background to be mis-aligned o Bug tor-browser#44090 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44090>: Several of our XUL pages cause a crash because of missing CSP o Bug tor-browser#44095 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44095>: Rename connectionPane.xhtml and remove it from the jar o Bug tor-browser#44106 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44106>: Make sure background tasks are not used for shutdown cleanup o Bug tor-browser#44115 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44115>: Make remove all bridges dialog use a destructive red button o Bug tor-browser#44125 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44125>: Do not offer to save signatures by default in Private Browsing Mode * Windows + Android o Bug tor-browser#44062 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44062>: Force touch enabled on Windows and Android * Windows o Bug tor-browser#44046 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44046>: Replace BASE_BROWSER_UPDATE with BASE_BROWSER_VERSION in the font visibility list * macOS o Bug tor-browser#44127 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44127>: Do not show macOS Privacy hint on network error pages * Android o Updated GeckoView to 140.2.0esr o Bug tor-browser#43179 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43179>: Make persistent 'private tabs' notification distinct from Firefox's o Bug 43346: Remove the "[android] Stop PrivateNotificationService" patch [tor-browser] o Bug tor-browser#43645 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43645>: Swiping away doesn't always disconnect from tor o Bug tor-browser#43699 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43699>: Dummy "about:" pages are not cleared from recently closed tabs (and possibly elsewhere) because they are normal tabs, not private tabs. o Bug tor-browser#43826 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43826>: Review Mozilla 1960122: Use |MOZ_BUILD_DATE| in Fenix build configuration o Bug tor-browser#44021 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44021>: Android settings page colors are sometimes messed up (seems to be on the first launch) o Bug tor-browser#44042 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44042>: Debug crash when opening settings too quickly after launching app o Bug tor-browser#44047 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44047>: Tor Browser's home doesn't have the background at the first load on Android o Bug tor-browser#44081 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44081>: Swiping away the "private tabs" notification requires rebootstrapping. o Bug tor-browser#44083 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44083>: "snowflake" is lower case on Android o Bug tor-browser#44098 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44098>: Bookmarks offer a way to go to sync in 15.0a1 o Bug tor-browser#44139 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44139>: Restore the (inactive) YouTube and Reddit search plugins on Android * Build System o All Platforms + Bug tor-browser#44061 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44061>: "Contributing" link is broken + Bug tor-browser#44067 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44067>: Move --enable-geckodriver only to Linux-only mozconfigs + Bug tor-browser#44103 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44103>: git's export-subst is a reproducibility problem + Bug tor-browser#44104 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44104>: Don't run linter when there are no overall changes + Bug tor-browser-build#26408 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/2…>: Make MAR signature checks clearer when creating incremental MAR files + Bug tor-browser-build#40551 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Drop go reproducibility patches + Bug tor-browser-build#40697 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Delete repackage_browser.sh + Bug tor-browser-build#40698 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Update locale in tbb_version.json + Bug tor-browser-build#41517 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Add morgan's key to the setup account on the signing machine + Bug tor-browser-build#41522 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Adapt our signing scripts to be able to sign the VPN app + Bug tor-browser-build#41534 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Copy geckodriver only for Linux x86-64 + Bug tor-browser-build#41537 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Add script to count mar downloads from web logs + Bug tor-browser-build#41539 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Update Ubuntu version used to run mmdebstrap to 24.04.3 + Bug rbm#40087 <https://gitlab.torproject.org/tpo/applications/rbm/-/issues/40087>: Downloaded files getting stricter permissions than expected o Windows + Linux + Android + Updated Go to 1.24.6 o macOS + Bug tor-browser-build#41527 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Update libdmg-hfsplus and enable LZMA compression on dmgs + Bug tor-browser-build#41538 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Bump macOS SDK to 15.5 o Android + Bug tor-browser#44078 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44078>: Modify ./autopublish-settings.gradle for building a-s and glean with uniffi-bindgen no-op + Bug tor-browser-build#41523 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Use custom built Glean package on Android + Bug tor-browser-build#41531 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Update relprep.py script to handle application-services updates + Bug tor-browser-build#41548 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Hide tor's symbols on Android and add other linker options to save space -- ma1

1 0

New Release: Tor Browser 14.5.6 (Android, Windows, macOS, Linux)
by Giorgio Maone 19 Aug '25

19 Aug '25

Hi everyone, Tor Browser 14.5.6 has now been published for all platforms. For details please see our blog post: - https://blog.torproject.org/new-release-tor-browser-1456 Changelog: Tor Browser 14.5.6 - August 19 2025 * All Platforms * Updated NoScript to 13.0.9 * Bug 44048: Backport Bug 1979608 [tor-browser] * Bug 44093: Rebase Tor Browser stable onto 128.14.0esr [tor-browser] * Bug 44100: Backport Security Fixes from Firefox 142 [tor-browser] * Bug 41515: Bump version of Conjure to include P173 improvements [tor-browser-build] * Windows + macOS + Linux * Updated Firefox to 128.14.0esr * Bug 44041: Letterboxing causes greyed out alert background to be mis-aligned [tor-browser] * Android * Updated GeckoView to 128.14.0esr * Updated Zstandard to 1.5.7 * Bug 43346: Remove the "[android] Stop PrivateNotificationService" patch [tor-browser] * Bug 43645: Swiping away doesn't always disconnect from tor [tor-browser] * Build System * Windows + Linux + Android * Updated Go to 1.23.12 -- ma1

1 0

New Release: Tor Browser 15.0a1 (Android, Windows, macOS, Linux)
by Morgan 30 Jul '25

30 Jul '25

Hi everyone, Tor Browser 15.0a1 has now been published for all platforms. For details please see our blog post: - https://blog.torproject.org/new-alpha-release-tor-browser-150a1/ Changelog: > Tor Browser 15.0a1 - July 29 2025 > * All Platforms > * Updated NoScript to 13.0.8 > * Updated OpenSSL to 3.5.1 > * Bug 43397: Click to play should override "Any capability blocked in the top document must be blocked in its subdocuments too" [tor-browser] > * Bug 43772: Do not use official branding for BB/TB/MB [tor-browser] > * Bug 43783: Tighten up the SecurityLevel module to enforce new UX flow [tor-browser] > * Bug 43784: Get confirmation from NoScript that settings are applied [tor-browser] > * Bug 43853: DomainFrontedRequests: setData is no longer a function [tor-browser] > * Bug 43880: Update moat's domain front url [tor-browser] > * Bug 43993: Backport Security Fixes from Firefox 141 [tor-browser] > * Bug 44000: Rebase Tor Browse Alpha onto 140.1.0esr [tor-browser] > * Bug 41502: Application services build is failing on isNetworkAllowed() [tor-browser-build] > * Bug 41508: Switch built-in meek bridge to meek-unredacted [tor-browser-build] > * Bug 41515: Bump version of Conjure to include P173 improvements [tor-browser-build] > * Windows + macOS + Linux > * Updated Firefox to 140.1.0esr > * Bug 42738: Tidy up the commit structure for browser updates UI [tor-browser] > * Bug 43590: Move letterboxing rules out of browser/base/content/browser.css [tor-browser] > * Bug 43610: Use newer CSS variable names for ESR 140 [tor-browser] > * Bug 43629: All migrations in _migrateUIBB are run for new profiles [tor-browser] > * Bug 43635: Console noise due to the x-load capability not being localized [tor-browser] > * Bug 43638: Fix up our `<command>` elements [tor-browser] > * Bug 43765: Temporarily disable Lox [tor-browser] > * Bug 43766: Only save the relevant TorSettings changes to preferences. [tor-browser] > * Bug 43776: Set branding files for l10n merging [tor-browser] > * Bug 43782: Add new UX flow for changing security level (Desktop) [tor-browser] > * Bug 43879: tor-branding.css declarations are overwritten [tor-browser] > * Bug 43886: Fix new tab for ESR 140 [tor-browser] > * Bug 43905: base-browser.ftl missing from about:addons [tor-browser] > * Bug 43906: Extension.sys.mjs change in the wrong commit [tor-browser] > * Bug 43913: Bizarre right-clicking issues: menu items blanked out and/or not working; too many items in the right-click menu; different right-clicking menu displayed initially for links [tor-browser] > * Bug 43929: two about:tor pages opened after update [tor-browser] > * Bug 43930: Onionize toggle not centre aligned in about:tor [tor-browser] > * Bug 43947: Console error from ContentBlockingPrefs.init [tor-browser] > * Bug 43989: Switch off AI chatbot preference [tor-browser] > * Android > * Updated GeckoView to 140.1.0esr > * Bug 43577: Flush settings fails on Android [tor-browser] > * Bug 43786: Add new UX flow for changing security level (Android) [tor-browser] > * Bug 43855: brand.properties merging on Android is broken in 140 [tor-browser] > * Bug 44029: Search/url bar doesn't work on android after ESR 140 [tor-browser] > * Bug 44036: Crash on opening "Search Settings" on android [tor-browser] > * Bug 41494: Update GeckoView build scripts for ESR140 [tor-browser-build] > * Build System > * All Platforms > * Bug 43615: Add Gitlab Issue and Merge request templates [tor-browser] > * Bug 43616: Customize Gitlab Issue and Merge templates [tor-browser] > * Bug 43777: Disable ./mach telemetry [tor-browser] > * Bug 43891: Update the translation CI to use the new mozilla versions [tor-browser] > * Bug 43954: Update tb-dev to handle lightweight tags [tor-browser] > * Bug 43962: update tb-dev auto-fixup for git 2.50 [tor-browser] > * Bug 34434: Remove unused variables from rbm.conf [tor-browser-build] > * Bug 40994: Add support in do-all-signing to sign release for some archs only [tor-browser-build] > * Bug 41227: Update projects/common/list_toolchain_updates-common-firefox-geckoview to include check for binutils [tor-browser-build] > * Bug 41432: Bump OpenSSL to >= 3.5.0 [tor-browser-build] > * Bug 41434: Go updates shouldn't target all platforms until macOS is on legacy in the changelogs [tor-browser-build] > * Bug 41435: Skip update-responses update entries for versions without incremental or full update mar [tor-browser-build] > * Bug 41444: Build artifacts to support artifact builds of Tor/Muillvad/Base Browser [tor-browser-build] > * Bug 41448: Update toolchains for Firefox ESR 140 [tor-browser-build] > * Bug 41449: Add prefix to update-responses xml files [tor-browser-build] > * Bug 41451: When update-responses contains multiple versions, .htaccess only has one no-update.xml redirect [tor-browser-build] > * Bug 41459: Update taskcluster/ci paths in README and comments [tor-browser-build] > * Bug 41460: Add brizental to the list of people who can sign Tor Browser and Mullvad Browser tags [tor-browser-build] > * Bug 41465: Disable development artifacts generation by default, keep it enabled for nightly builds [tor-browser-build] > * Bug 41467: Remove list_toolchain_updates-firefox-android from Makefile [tor-browser-build] > * Bug 41477: Update keyring/boklm.gpg for new subkeys (2025) [tor-browser-build] > * Bug 41478: Add vim and others missing basic tools to base container image [tor-browser-build] > * Bug 41486: Track bundletool and osslicenses-plugin versions in list_toolchain_updates_checks [tor-browser-build] > * Bug 41496: Clean up unused projects [tor-browser-build] > * Bug 41498: Update keyring/morgan.gpg with updated public key [tor-browser-build] > * Bug 41501: cargo_vendor generated archive maintains timestamps [tor-browser-build] > * Bug 41514: Remove var/build_go_lib from projects/go/config [tor-browser-build] > * Bug 40084: Always use bash for the debug terminal [rbm] > * Windows + macOS + Linux > * Bug 41452: Skip update-responses xml files for versions which don't have incrementals [tor-browser-build] > * Bug 41457: Set mar IDs as env variables in tor-browser-build [tor-browser-build] > * Windows + Linux + Android > * Updated Go to 1.23.11 > * macOS > * Bug 41503: Error 403 when downloading macOS SDK [tor-browser-build] > * Linux > * Bug 41458: Ship geckodriver only on Linux [tor-browser-build] > * Bug 41488: Disable sys/random.h for Node.js [tor-browser-build] > * Android > * Bug 43984: Update android build scripts and docs for ESR 140 [tor-browser] > * Bug 43987: 140 Android is not reproducible [tor-browser] > * Bug 41280: download-android-<arch>.json does not get updated for android-only releases [tor-browser-build] > * Bug 41453: Update application-services and uniffi-rs for ESR140 [tor-browser-build] > * Bug 41483: geckoview_example-withGeckoBinaries-....apk doesn't exist anymore in Firefox 140 [tor-browser-build] > * Bug 41484: Create a fork of application-services [tor-browser-build] > * Bug 41499: Android nightly builds are broken [tor-browser-build] > * Bug 41500: Optimize tor and its dependencies for size on Android [tor-browser-build] > * Bug 41506: Use appilcation-services branch for nightlies builds [tor-browser-build] > * Bug 41507: Single-arch build fails because artifacts don't have arch subdirectories [tor-browser-build] best, -morgan

1 0

New Release: Tor Browser 14.5.5 (Android, Windows, macOS, Linux)
by Giorgio Maone 23 Jul '25

23 Jul '25

Hi everyone, Tor Browser 14.5.5 has now been published for all platforms. For details please see our blog post <https://blog.torproject.org/new-release-tor-browser-1455/>. Changelog: * All Platforms o Updated Tor to 0.4.8.17 o Updated OpenSSL to 3.0.17 o Bug tor-browser#43979 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43979>: Rebase Tor Browser Stable onto 128.13.0esr o Bug tor-browser#43993 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43993>: Backport Security Fixes from Firefox 141 o Bug tor-browser-build#41508 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Switch built-in meek bridge to meek-unredacted * Windows + macOS + Linux o Updated Firefox to 128.13.0esr * Android o Updated GeckoView to 128.13.0esr * Build System o Windows + Linux + Android + Updated Go to 1.23.11 -- ma1

1 0

New Release: Tor Browser 13.5.20 (Windows, macOS)
by Beatriz Rizental 23 Jul '25

23 Jul '25

Hi everyone, Tor Browser 13.5.20 has now been published for legacy Windows and macOS platforms. For details please see our blog post: https://blog.torproject.org/new-release-tor-browser-13520/ Changelog: > Tor Browser 13.5.20 - July 22 2025 > * All Platforms > * Updated Firefox to 115.26.0esr > * Updated Tor to 0.4.8.17 > * Updated OpenSSL to 3.0.17 > * Bug 43980: Rebase Tor Browser Legacy onto 115.26.0esr [tor-browser] > * Bug 43993: Backport Security Fixes from Firefox 141 [tor-browser] > * Bug 41508: Switch built-in meek bridge to meek-unredacted [tor-browser-build]

1 0

[RELEASE] Tor 0.4.8.17 stable
by David Goulet 30 Jun '25

30 Jun '25

Greetings, We just released 0.4.8.17: https://forum.torproject.org/t/stable-release-0-4-8-17/19681 Here is the ChangeLog. Changes in version 0.4.8.17 - 2025-06-30 This is a minor providing a series of minor features especially in the realm of TLS. It also brings a new set of recommended and required sub protocols. And finally, few minor bugfixes, nothing major. As always, we strongly recommend you upgrade as soon as possible. o Minor features (security, TLS): - When we are running with OpenSSL 3.5.0 or later, support using the ML-KEM768 for post-quantum key agreement. Closes ticket 41041. o Minor feature (client, TLS): - Set the TLS 1.3 cipher list instead of falling back on the default value. o Minor features (fallbackdir): - Regenerate fallback directories generated on June 30, 2025. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/06/30. o Minor features (hsdesc POW): - Tolerate multiple PoW schemes in onion service descriptors, for future extensibility. Implements torspec ticket 272. o Minor features (performance TLS): - When running with with OpenSSL 3.0.0 or later, support using X25519 for TLS key agreement. (This should slightly improve performance for TLS session establishment.) o Minor features (portability): - Fix warnings when compiling with GCC 15. Closes ticket 41079. o Minor features (recommended protocols): - Directory authorities now vote to recommend that clients support certain protocols beyond those that are required. These include improved support for connecting to relays on IPv6, NtorV3, and congestion control. Part of ticket 40836. o Minor features (required protocols): - Directory authorities now vote to require clients to support the authenticated SENDME feature, which was introduced in 0.4.1.1-alpha. Part of ticket 40836. - Directory authorities now vote to require relays to support certain protocols, all of which have been implemented since 0.4.7.4-alpha or earlier. These include improved support for connecting to relays on IPv6, NtorV3, running as a rate-limited introduction point, authenticated SENDMEs, and congestion control. Part of ticket 40836. o Minor bugfix (conflux): - Avoid a non fatal assert when describing a conflux circuit on the control port after being prepped to be freed. Fixes bug 41037; bugfix on 0.4.8.15. o Minor bugfixes (circuit handling): - Prevent circuit_mark_for_close() from being called twice on the same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev. o Minor bugfixes (compiler warnings): - Make sure the two bitfields in the half-closed edge struct are unsigned, as we're using them for boolean values and assign 1 to them. Fixes bug 40911; bugfix on 0.4.7.2-alpha. o Minor bugfixes (threads, memory): - Improvements in cleanup of resources used by threads. Fixes bug 40991; bugfix on 0.4.8.13-dev. - Rework start and exit of worker threads. Cheers! David -- ZNrYwobH32o+L/VpumMLyNaw/gGCzrXliuvr+cnpcEM=

1 0

New Release: Tor Browser 13.5.19 (Windows Windows 7/8/8.1, macOS 10.12-10.14)
by Giorgio Maone 24 Jun '25

24 Jun '25

Hi everyone, Tor Browser 13.5.19 has now been published for legacy Windows and macOS platforms. For details please see our blog post <https://blog.torproject.org/new-release-tor-browser-13519/>. <https://blog.torproject.org/new-release-tor-browser-13518/> <https://blog.torproject.org/new-release-tor-browser-13518/> Changelog: * All Platforms o Updated NoScript to 13.0.8 o Bug tor-browser#43835 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43835>: Backport tor-browser#43782: Add new UX flow for changing security level (Desktop) o Bug tor-browser#43910 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43910>: Rebase Tor Browser 13.5.19 Legacy onto Firefox 115.25.0esr o Bug tor-browser#43911 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43911>: Backport security fixes from Firefox 140 * Build System o All Platforms + Bug tor-browser-build#41477 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Update keyring/boklm.gpg for new subkeys (2025) + Bug tor-browser-build#41498 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Update keyring/morgan.gpg with updated public key -- ma1

1 0

New Release: Tor Browser 14.5.4 (Android, Windows, macOS, Linux)
by Giorgio Maone 24 Jun '25

24 Jun '25

Hi everyone, Tor Browser 14.5.4 has now been published for all platforms. For details please see our blog post <https://blog.torproject.org/new-release-tor-browser-1454/>. Changelog: * All Platforms o Updated NoScript to 13.0.8 o Bug tor-browser#43783 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43783>: Tighten up the SecurityLevel module to enforce new UX flow o Bug tor-browser#43784 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43784>: Get confirmation from NoScript that settings are applied o Bug tor-browser#43885 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43885>: Rebase stable onto 128.12.0esr o Bug tor-browser#43911 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43911>: Backport security fixes from Firefox 140 * Windows + macOS + Linux o Updated Firefox to 128.12.0esr o Bug tor-browser#43782 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43782>: Add new UX flow for changing security level (Desktop) * Android o Updated GeckoView to 128.12.0esr o Bug tor-browser#43786 <https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43786>: Add new UX flow for changing security level (Android) * Build System o All Platforms + Bug tor-browser-build#41477 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Update keyring/boklm.gpg for new subkeys (2025) + Bug tor-browser-build#41498 <https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…>: Update keyring/morgan.gpg with updated public key o Windows + Linux + Android + Updated Go to 1.23.10 -- ma1

1 0