- tor-announce - lists.torproject.org

Tor Browser 10.5.8 is released
by Matthew Finkel 06 Oct '21

06 Oct '21

Hello! Tor Browser 10.5.8 is now available from the Tor Browser download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/10.5.8/ This version updates Firefox on Windows, macOS, and Linux to 78.15.0esr and includes important security updates [3]. Please see the blog post [4] for more details about this version. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2021-44/ 4: https://blog.torproject.org/new-release-tor-browser-1058 The full changelog since Tor Browser 10.5.7 is: * Windows + OS X + Linux * Update Firefox to 78.15.0esr * Bug 40049: Add banner for VPN survey to about:tor [torbutton] * Android * Bug 40193: Add banner for VPN survey to Android homepage [fenix] * Build System * All Platforms * Bug 40363: Change bsaes git url [tor-browser-build]

1 0

Tor Browser 10.5.5 is released
by Matthew Finkel 20 Aug '21

20 Aug '21

Hello! Tor Browser 10.5.5 is now available from the Tor Browser download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/10.5.5/ This version updates Tor to 0.4.5.10 [3] that includes a fix for a security issue. On Android, this version updates Firefox to 91.2.0 and includes important security updates [4]. Please see the blog post [5] for more details about this version. 3: https://blog.torproject.org/node/2062 4: https://www.mozilla.org/en-US/security/advisories/mfsa2021-34/ 5: https://blog.torproject.org/new-release-tor-browser-1055 The full changelog since Tor Browser 10.5.4 is: * All Platforms * Update Tor to 0.4.5.10 * Linux * Bug 40582: Tor Browser 10.5.2 tabs always crash on Fedora Xfce Rawhide [tor-browser] * Android * Update Fenix to 91.2.0 * Update NoScript to 11.2.11 * Bug 40063: Move custom search providers [android-components] * Bug 40176: TBA: sometimes I only see the banner and can't tap on the address bar [fenix] * Bug 40181: Remove V2 Deprecation banner on about:tor for Android [fenix] * Bug 40184: Rebase fenix patches to fenix v91.0.0-beta.5 [fenix] * Bug 40185: Use NimbusDisabled [fenix] * Bug 40186: Hide Credit Cards in Settings [fenix] * Build System * Android * Update Go to 1.15.15 * Bug 40331: Update components for mozilla91 [tor-browser-build]

1 0

New stable security release: Tor 0.4.6.7
by Alexander Færøy 16 Aug '21

16 Aug '21

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) Source code for Tor 0.4.6.7 is now available; you can download the source code from the download page at https://www.torproject.org/download/tor/. Packages should be available within the next several weeks, with a new Tor Browser later this week. Changes in version 0.4.6.7 - 2021-08-16 This version fixes several bugs from earlier versions of Tor, including one that could lead to a denial-of-service attack. Everyone running an earlier version, whether as a client, a relay, or an onion service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. o Major bugfixes (cryptography, security): - Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence. o Minor feature (fallbackdir): - Regenerate fallback directories list. Close ticket 40447. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2021/08/12. o Minor bugfix (crypto): - Disable the unused batch verification feature of ed25519-donna. Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence. o Minor bugfixes (onion service): - Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha. o Minor bugfixes (relay): - Reduce the compression level for data streaming from HIGH to LOW in order to reduce CPU load on the directory relays. Fixes bug 40301; bugfix on 0.3.5.1-alpha. o Minor bugfixes (timekeeping): - Calculate the time of day correctly on systems where the time_t type includes leap seconds. (This is not the case on most operating systems, but on those where it occurs, our tor_timegm function did not correctly invert the system's gmtime function, which could result in assertion failures when calculating voting schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha. -- Alexander Færøy

1 0

Tor Browser 10.5.4 is released (Windows, macOS, Linux)
by Matthew Finkel 10 Aug '21

10 Aug '21

Hello! Tor Browser 10.5.4 is now available from the Tor Browser download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/10.5.4/ This version updates Firefox to 78.13.0esr. This version includes important security updates [3] to Firefox. Please see the blog post [4] for more details about this version. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2021-34/ 4: https://blog.torproject.org/new-release-tor-browser-1054 The full changelog since Tor Browser 10.5.2 is: * Windows + OS X + Linux * Update Firefox to 78.13.0esr * Update NoScript to 11.2.11 * Bug 40041: Remove V2 Deprecation banner on about:tor for desktop [torbutton] * Bug 40506: Saved Logins not available in 10.5 [tor-browser] * Bug 40524: Update DuckDuckGo onion site URL in search preferences and onboarding [tor-browser] * Build System * Windows + OS X + Linux * Update Go to 1.15.14

1 0

Tor Browser 10.5.3 is released (Android)
by Matthew Finkel 20 Jul '21

20 Jul '21

Hello! Tor Browser 10.5.3 is now available from the Tor Browser download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/10.5.3/ This version updates Firefox to 90.1.1. This version includes important security updates [3] to Firefox. Please see the blog post [4] for more details about this version. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2021-28/ 4: https://blog.torproject.org/new-release-tor-browser-1053 The full changelog since Tor Browser 10.5.1 is: * Android * Update HTTPS Everywhere to 2021.7.13 * Update Fenix to 90.1.1 * Bug 40172: Find the Quit button [fenix] * Bug 40173: Rebase fenix patches to fenix v90.0.0-beta.6 [fenix] * Bug 40177: Hide Tor icons in settings [fenix] * Bug 40179: Show Snowflake bridge option on Release [fenix] * Bug 40180: Rebase fenix patches to fenix v90.1.1 [fenix] * Build System * Android * Bug 40312: Update components for mozilla90 [tor-browser-build]

1 0

Tor Browser 10.5.2 is released (Windows, macOS, Linux)
by Matthew Finkel 13 Jul '21

13 Jul '21

Hello! Tor Browser 10.5.2 is now available from the Tor Browser download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/10.5.2/ This version updates Firefox to 78.12.0esr. This version includes important security updates [3] to Firefox. Please see the blog post [4] for more details about this version. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2021-29/ 4: https://blog.torproject.org/new-release-tor-browser-1052 The full changelog since Tor Browser 10.5 is: * Windows + OS X + Linux * Update Firefox to 78.12.0esr * Bug 40497: Cannot set multiple pages as home pages in 10.5a17 [tor-browser] * Bug 40507: Full update is not downloaded after applying partial update fails [tor-browser] * Bug 40510: open tabs get redirected to about:torconnect on restart [tor-browser]

1 0

Tor Browser 10.5.1 is released (Android Only)
by Matthew Finkel 07 Jul '21

07 Jul '21

Hello! Tor Browser 10.5.1 is now available for Android from the Tor Browser download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/10.5.1/ This release is a bugfix for Tor Browser 10.5. Please see the blog post [3] for more details about this version. 3: https://blog.torproject.org/new-release-tor-browser-1051 The full changelog since Tor Browser 10.5.1 is: * Android * Bug 40324: Change Fenix variant to Release [fenix]

1 0

Tor Browser 10.5 is released
by Matthew Finkel 06 Jul '21

06 Jul '21

Hello! Tor Browser 10.5 is now available from the Tor Browser download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/10.5/ This release includes is focused on improving the internet access of users connecting through Tor in censored contexts. Please see the blog post [3] for more details about this version. 3: https://blog.torproject.org/new-release-tor-browser-105 The full changelog since Tor Browser 10.0.18 is: * All Platforms * Update NoScript to 11.2.9 * Update Tor Launcher to 0.2.30 * Translations update * Bug 25483: Provide Snowflake based on Pion for Windows, macOS, and Linux * Bug 33761: Remove unnecessary snowflake dependencies * Bug 40064: Bump libevent to 2.1.12 [tor-browser-build] * Bug 40137: Migrate https-everywhere storage to idb [tor-browser] * Bug 40261: Bump versions of snowflake and webrtc [tor-browser-build] * Bug 40263: Update domain front for Snowflake [tor-browser-build] * Bug 40302: Update version of snowflake [tor-browser-build] * Bug 40030: DuckDuckGo redirect to html doesn't work [torbutton] * Windows + OS X + Linux * Bug 27476: Implement about:torconnect captive portal within Tor Browser [tor-browser] * Bug 32228: Bookmark TPO support domains in Tor Browser * Bug 33803: Add a secondary nightly MAR signing key [tor-browser] * Bug 33954: Consider different approach for Bug 2176 * Bug 34345: "Don't Bootstrap" Startup Mode * Bug 40011: Rename tor-browser-brand.ftl to brand.ftl [torbutton] * Bug 40012: Fix about:tor not loading some images in 82 [torbutton] * Bug 40138: Move our primary nightly MAR signing key to tor-browser [tor-browser-build] * Bug 40209: Implement Basic Crypto Safety [tor-browser] * Bug 40428: Correct minor Cryptocurrency warning string typo [tor-browser] * Bug 40429: Update Onboarding for 10.5 [tor-browser] * Bug 40455: Block or recover background requests after bootstrap [tor-browser] * Bug 40456: Update the SecureDrop HTTPS-Everywhere update channel [tor-browser] * Bug 40475: Include clearing CORS preflight cache [tor-browser] * Bug 40478: Onion alias url rewrite is broken [tor-browser] * Bug 40484: Bootstrapping page show Quickstart text [tor-browser] * Bug 40490: BridgeDB bridge captcha selection is broken in alpha [tor-browser] * Bug 40495: Onion pattern is focusable by click on about:torconnect [tor-browser] * Bug 40499: Onion Alias doesn't work with TOR_SKIP_LAUNCH [tor-browser] * Android * Bug 30318: Integrate snowflake into mobile Tor Browser * Bug 40206: Disable the /etc/hosts parser [tor-browser] * Linux * Bug 40089: Remove CentOS 6 support for Tor Browser 10.5 [tor-browser] * Build System * All Platforms * Update Go to 1.15.13 * Bug 23631: Use rootless containers [tor-browser-build] * Bug 33693: Change snowflake and meek dummy address [tor-browser] * Bug 40016: getfpaths is not setting origin_project [rbm] * Bug 40169: Update apt package cache after calling pre_pkginst, too [tor-browser-build] * Bug 40194: Remove osname part in cbindgen filename [tor-browser-build] * Windows + OS X + Linux * Bug 40081: Build Mozilla code with --enable-rust-simd [tor-browser-build] * Bug 40104: Use our TMPDIR when creating our .mar files [tor-browser-build] * Bug 40133: Bump Rust version for ESR 78 to 1.43.0 [tor-browser-build] * Bug 40166: Update apt cache before calling pre_pkginst in container-image config [tor-browser-build] * Android * Bug 28672: Android reproducible build of Snowflake * Bug 40313: Use apt-get to install openjdk-8 .deb files with their dependencies [tor-browser-build] * Windows * Bug 34360: Bump binutils to 2.35.1 * Bug 40131: Remove unused binutils patches [tor-browser-build] * Linux * Bug 26238: Move to Debian Jessie for our Linux builds * Bug 31729: Support Wayland * Bug 40041: Remove CentOS 6 support for 10.5 series [tor-browser-build] * Bug 40103: Add i386 pkg-config path for linux-i686 [tor-browser-build] * Bug 40112: Strip libstdc++ we ship [tor-browser-build] * Bug 40118: Add missing libdrm dev package to firefox container [tor-browser-build] * Bug 40235: Bump apt for Jessie containers [tor-browser-build]

1 0

Tor 0.4.6.6 is released
by Nick Mathewson 30 Jun '21

30 Jun '21

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) Source code for Tor 0.4.6.6 is now available; you can download the source code from the download page at https://www.torproject.org/download/tor/. This is a small release, primarily intended to fix a compilation issue that had kept Tor 0.4.6.5 from building on some systems. If 0.4.6.5 is already working for you, there's no reason to upgrade to this one. Packagers might not distribute packages for this one, if they already have working packages for 0.4.6.5. Changes in version 0.4.6.6 - 2021-06-30 Tor 0.4.6.6 makes several small fixes on 0.4.6.5, including one that allows Tor to build correctly on older versions of GCC. You should upgrade to this version if you were having trouble building Tor 0.4.6.5; otherwise, there is probably no need. o Minor bugfixes (compilation): - Fix a compilation error when trying to build Tor with a compiler that does not support const variables in static initializers. Fixes bug 40410; bugfix on 0.4.6.5. - Suppress a strict-prototype warning when building with some versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha. o Minor bugfixes (testing): - Enable the deterministic RNG for unit tests that covers the address set bloomfilter-based API's. Fixes bug 40419; bugfix on 0.3.3.2-alpha.

1 0

New stable _security_ releases: Tor 0.3.5.15, 0.4.4.9, and 0.4.5.9
by Nick Mathewson 14 Jun '21

14 Jun '21

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) Source code for Tor 0.3.5.15, 0.4.4.9, and 0.4.5.9 is now available; since these are older release series, you can download the source code at https://dist.torproject.org/ . Packages should be available within the next several weeks, with a new Tor Browser around the end of the week. This release fixes several security vulnerabilities, described in the changelogs. We are also releasing security fixes for the other supported release series; I'll describe them in a separate email. I recommend that everybody upgrade to 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5 as soon as binaries are available (or right now, if you build from source). Below is the changelog for 0.4.5.9. You can find the changelogs for the other releases at: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.15 https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.4.9 Changes in version 0.4.5.9 - 2021-06-14 Tor 0.4.5.9 fixes several security issues, including a denial-of-service attack against onion service clients, and another denial-of-service attack against relays. Everybody should upgrade to one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. o Major bugfixes (security, backport from 0.4.6.5): - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on half-closed streams. Previously, clients failed to validate which hop sent these cells: this would allow a relay on a circuit to end a stream that wasn't actually built with it. Fixes bug 40389; bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- 003 and CVE-2021-34548. o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): - Detect more failure conditions from the OpenSSL RNG code. Previously, we would detect errors from a missing RNG implementation, but not failures from the RNG code itself. Fortunately, it appears those failures do not happen in practice when Tor is using OpenSSL's default RNG implementation. Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. o Major bugfixes (security, denial of service, backport from 0.4.6.5): - Resist a hashtable-based CPU denial-of-service attack against relays. Previously we used a naive unkeyed hash function to look up circuits in a circuitmux object. An attacker could exploit this to construct circuits with chosen circuit IDs, to create collisions and make the hash table inefficient. Now we use a SipHash construction here instead. Fixes bug 40391; bugfix on 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. - Fix an out-of-bounds memory access in v3 onion service descriptor parsing. An attacker could exploit this bug by crafting an onion service descriptor that would crash any client that tried to visit it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei Glazunov from Google's Project Zero. o Minor features (compatibility, backport from 0.4.6.4-rc): - Remove an assertion function related to TLS renegotiation. It was used nowhere outside the unit tests, and it was breaking compilation with recent alpha releases of OpenSSL 3.0.0. Closes ticket 40399. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2021/06/10. o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc): - Allow the control command SAVECONF to succeed when the seccomp sandbox is enabled, and make SAVECONF keep only one backup file to simplify implementation. Previously SAVECONF allowed a large number of backup files, which made it incompatible with the sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by Daniel Pinto. o Minor bugfixes (metrics port, backport from 0.4.6.4-rc): - Fix a bug that made tor try to re-bind() on an already open MetricsPort every 60 seconds. Fixes bug 40370; bugfix on 0.4.5.1-alpha.

1 0