[tbb-commits] [tor-browser-bundle/hardened-builds] Changelog update and version bumps

gk at torproject.org gk at torproject.org
Mon Dec 14 08:59:04 UTC 2015


commit 8da5fa2f35ae4ffb3489f748b16cf36d4a73ed95
Author: Georg Koppen <gk at torproject.org>
Date:   Mon Dec 14 08:57:29 2015 +0000

    Changelog update and version bumps
---
 Bundle-Data/Docs/ChangeLog.txt    | 1177 +------------------------------------
 gitian/versions.alpha             |   18 +-
 tools/update-responses/config.yml |   12 +-
 3 files changed, 48 insertions(+), 1159 deletions(-)

diff --git a/Bundle-Data/Docs/ChangeLog.txt b/Bundle-Data/Docs/ChangeLog.txt
index 2a4af99..8072453 100644
--- a/Bundle-Data/Docs/ChangeLog.txt
+++ b/Bundle-Data/Docs/ChangeLog.txt
@@ -1,1145 +1,32 @@
-Tor Browser 5.5a4 -- November 3 2015
- * All Platforms
-   * Update Firefox to 38.4.0esr
-   * Update Tor to 0.2.7.4-rc
-   * Update NoScript to 2.6.9.39
-   * Update HTTPS-Everywhere to 5.1.1
-   * Update Torbutton to 1.9.4.1
-     * Bug 9623: Spoof Referer when leaving a .onion domain
-     * Bug 16620: Remove old window.name handling code
-     * Bug 17164: Don't show text-select cursor on circuit display
-     * Bug 17351: Remove unused code
-     * Translation updates
-   * Bug 17207: Hide MIME types and plugins from websites
-   * Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
-   * Bug 16620: Move window.name handling into a Firefox patch
-   * Bug 17220: Support math symbols in font whitelist
-   * Bug 10599+17305: Include updater and build patches needed for hardened builds
-   * Bug 17318: Remove dead ScrambleSuit bridge
-   * Bug 17428: Remove default Flashproxy bridges
-   * Bug 17473: Update meek-amazon fingerprint
- * Windows
-   * Bug 17250: Add localized font names to font whitelist
- * OS X
-   * Bug 17122: Rename Japanese OS X bundle
- * Linux
-   * Bug 17329: Ensure that non-ASCII characters can be typed (fixup of #5926)
-
-Tor Browser 5.5a3 -- September 22 2015
- * All Platforms
-   * Update Firefox to 38.3.0esr
-   * Update libevent to 2.0.22-stable
-   * Update Torbutton to 1.9.4
-     * Bug 16937: Don't translate the homepage/spellchecker dictionary string
-     * Bug 16735: about:tor should accommodate different fonts/font sizes
-     * Bug 16887: Update intl.accept_languages value
-     * Bug 15493: Update circuit display on new circuit info
-     * Bug 16797: brandShorterName is missing from brand.properties
-     * Translation updates
-   * Bug 10140: Add new Tor Browser locale (Japanese)
-   * Bug 17102: Don't crash while opening a second Tor Browser
-   * Bug 16983: Isolate favicon requests caused by the tab list dropdown
-   * Bug 13512: Load a static tab with change notes after an update
-   * Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
-   * Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
-   * Bug 16837: Disable Firefox Hotfix updates
-   * Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz)
-   * Bug 16781: Allow saving pdf files in built-in pdf viewer
-   * Bug 16842: Restore Media tab on Page information dialog
-   * Bug 16727: Disable about:healthreport page
-   * Bug 16783: Normalize NoScript default whitelist
-   * Bug 16775: Fix preferences dialog with security slider set to "High"
-   * Bug 13579: Update download progress bar automatically
-   * Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
-   * Bug 17046: Event.timeStamp should not reveal startup time
-   * Bug 16872: Fix warnings when opening about:downloads
-   * Bug 17097: Fix intermittent crashes when using the print dialog
- * Windows
-  * Bug 16906: Fix Mingw-w64 compilation/Don't depend on Windows crypto DLLs
-  * Bug 16707: Allow more system fonts to get used on Windows
- * OS X
-  * Bug 16910: Update copyright year in OS X bundles
-  * Bug 16707: Allow more system fonts to get used on OS X
- * Linux
-  * Bug 16672: Don't use font whitelisting for Linux users
-
-Tor Browser 5.0.3 -- September 22 2015
- * All Platforms
-   * Update Firefox to 38.3.0esr
-   * Update Torbutton to 1.9.3.4
-     * Bug 16887: Update intl.accept_languages value
-     * Bug 15493: Update circuit display on new circuit info
-     * Bug 16797: brandShorterName is missing from brand.properties
-     * Bug 14429: Make sure the automatic resizing is disabled
-     * Translation updates
-   * Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
-   * Bug 16837: Disable Firefox Hotfix updates
-   * Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz)
-   * Bug 16781: Allow saving pdf files in built-in pdf viewer
-   * Bug 16842: Restore Media tab on Page information dialog
-   * Bug 16727: Disable about:healthreport page
-   * Bug 16783: Normalize NoScript default whitelist
-   * Bug 16775: Fix preferences dialog with security slider set to "High"
-   * Bug 13579: Update download progress bar automatically
-   * Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
-   * Bug 17046: Event.timeStamp should not reveal startup time
-   * Bug 16872: Fix warnings when opening about:downloads
-   * Bug 17097: Fix intermittent crashes when using the print dialog
- * Windows
-  * Bug 16906: Fix Mingw-w64 compilation breakage
- * OS X
-  * Bug 16910: Update copyright year in OS X bundles
-
-Tor Browser 5.5a2 -- August 28 2015
- * All Platforms:
-   * Update Firefox to 38.2.1esr
-   * Update NoScript to 2.6.9.36
-   * Bug 16771: Fix crash on some websites due to blob URIs
- * Linux
-   * Bug 16860: Avoid duplicate desktop icons on Gnome and Unity
-
-Tor Browser 5.0.2 -- August 27 2015
- * All Platforms
-   * Update Firefox to 38.2.1esr
-   * Update NoScript to 2.6.9.36
- * Linux
-   * Bug 16860: Avoid duplicate icons on Unity and Gnome
-
-Tor Browser 5.0.1 -- August 18 2015
- * All Platforms
-   * Bug 16771: Fix crash on some websites due to blob URIs
-
-Tor Browser 5.5a1 -- August 11 2015
- * All Platforms
-   * Update Firefox to 38.2.0esr
-   * Update NoScript to 2.6.9.34
-   * Update Torbutton to 1.9.3.3
-     * Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
-     * Bug 16730: Reset NoScript whitelist on upgrade
-     * Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
-     * Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
-     * Bug 14429: Make sure the automatic resizing is enabled
-     * Translation updates
-   * Update Tor Launcher to 0.2.7.7
-     * Translation updates
-   * Bug 16730: Prevent NoScript from updating the default whitelist
-   * Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
-   * Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
-   * Bug 16311: Fix navigation timing in ESR 38
-   * Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
-   * Bug 16672: Change font whitelists and configs for rendering issues (partial)
-
-Tor Browser 5.0 -- August 11 2015
- * All Platforms
-   * Update Firefox to 38.2.0esr
-   * Update OpenSSL to 1.0.1p
-   * Update HTTPS-Everywhere to 5.0.7
-   * Update NoScript to 2.6.9.34
-   * Update meek to 0.20
-   * Update Tor to 0.2.6.10 with patches:
-     * Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
-     * Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
-     * Bug 15482: Don't allow circuits to change while a site is in use
-   * Update Torbutton to 1.9.3.2
-     * Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
-     * Bug 16730: Reset NoScript whitelist on upgrade
-     * Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
-     * Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
-     * Bug 16268: Show Tor Browser logo on About page
-     * Bug 16639: Check for Updates menu item can cause update download failure
-     * Bug 15781: Remove the sessionstore filter
-     * Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
-     * Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
-     * Bug 16200: Update Cache API usage and prefs for FF38
-     * Bug 16357: Use Mozilla API to wipe permissions db
-     * Bug 14429: Make sure the automatic resizing is disabled
-     * Translation updates
-   * Update Tor Launcher to 0.2.7.7
-     * Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
-     * Bug 15145: Visually distinguish "proxy" and "bridge" screens.
-     * Translation updates
-   * Bug 16730: Prevent NoScript from updating the default whitelist
-   * Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
-   * Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
-   * Bug 16884: Prefer IPv6 when supported by the current Tor exit
-   * Bug 16488: Remove "Sign in to Sync" from the browser menu
-   * Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
-   * Bug 15703: Isolate mediasource URIs and media streams to first party
-   * Bug 16429+16416: Isolate blob URIs to first party
-   * Bug 16632: Turn on the background updater and restart prompting
-   * Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
-   * Bug 16523: Fix in-browser JavaScript debugger
-   * Bug 16236: Windows updater: avoid writing to the registry
-   * Bug 16625: Fully disable network connection prediction
-   * Bug 16495: Fix SVG crash when security level is set to "High"
-   * Bug 13247: Fix meek profile error after bowser restarts
-   * Bug 16005: Relax WebGL minimal mode
-   * Bug 16300: Isolate Broadcast Channels to first party
-   * Bug 16439: Remove Roku screencasting code
-   * Bug 16285: Disabling EME bits
-   * Bug 16206: Enforce certificate pinning
-   * Bug 15910: Disable Gecko Media Plugins for now
-   * Bug 13670: Isolate OCSP requests by first party domain
-   * Bug 16448: Isolate favicon requests by first party
-   * Bug 7561: Disable FTP request caching
-   * Bug 6503: Fix single-word URL bar searching
-   * Bug 15526: ES6 page crashes Tor Browser
-   * Bug 16254: Disable GeoIP-based search results.
-   * Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
-   * Bug 13024: Disable DOM Resource Timing API
-   * Bug 16340: Disable User Timing API
-   * Bug 14952: Disable HTTP/2
-   * Bug 1517: Reduce precision of time for Javascript
-   * Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
-   * Bug 16311: Fix navigation timing in ESR 38
- * Windows
-   * Bug 16014: Staged update fails if meek is enabled
-   * Bug 16269: repeated add-on compatibility check after update (meek enabled)
- * Mac OS
-   * Use OSX 10.7 SDK
-   * Bug 16253: Tor Browser menu on OS X is broken with ESR 38
-   * Bug 15773: Enable ICU on OS X
- * Build System
-   * Bug 16351: Upgrade our toolchain to use GCC 5.1
-   * Bug 15772 and child tickets: Update build system for Firefox 38
-   * Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
-   * Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
-
-Tor Browser 5.0a4 -- August 3 2015
- * All Platforms
-   * Update Tor to 0.2.7.2-alpha with patches:
-     * Bug 15482: Don't allow circuits to change while a site is in use
-   * Update OpenSSL to 1.0.1p
-   * Update HTTPS-Everywhere to 5.0.7
-   * Update NoScript to 2.6.9.31
-   * Update Torbutton to 1.9.3.1
-     * Bug 16268: Show Tor Browser logo on About page
-     * Bug 16639: Check for Updates menu item can cause update download failure
-     * Bug 15781: Remove the sessionstore filter
-     * Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
-     * Translation updates
-   * Bug 16884: Prefer IPv6 when supported by the current Tor exit
-   * Bug 16488: Remove "Sign in to Sync" from the browser menu
-   * Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
-   * Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
-   * Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
-   * Bug 15703: Isolate mediasource URIs and media streams to first party
-   * Bug 16429+16416: Isolate blob URIs to first party
-   * Bug 16632: Turn on the background updater and restart prompting
-   * Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
-   * Bug 16523: Fix in-browser JavaScript debugger
-   * Bug 16236: Windows updater: avoid writing to the registry
-   * Bug 16005: Restrict WebGL minimal mode a bit (fixup)
-   * Bug 16625: Fully disable network connection prediction
-   * Bug 16495: Fix SVG crash when security level is set to "High"
- * Build System
-   * Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
-
-Tor Browser 5.0a3 -- June 30 2015
- * All Platforms
-   * Update Firefox to 38.1.0esr
-   * Update OpenSSL to 1.0.1o
-   * Update NoScript to 2.6.9.27
-   * Update meek to 0.20
-   * Tor patch backport
-     * Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
-   * Update Torbutton to 1.9.3.0
-     * Bug 16403: Set search parameters for Disconnect
-     * Bug 14429: Make sure the automatic resizing is disabled
-     * Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
-     * Bug 16200: Update Cache API usage and prefs for FF38
-     * Bug 16357: Use Mozilla API to wipe permissions db
-     * Translation updates
-   * Update Tor Launcher to 0.2.7.6
-     * Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
-     * Bug 15145: Visually distinguish "proxy" and "bridge" screens.
-     * Translation updates
-   * Bug 13247: Fix meek profile error after bowser restarts
-   * Bug 16397: Fix crash related to disabling SVG
-   * Bug 16403: Set search parameters for Disconnect
-   * Bug 16446: Update FTE bridge #1 fingerprint
-   * Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent
-   * Bug 16005: Relax WebGL minimal mode
-   * Bug 16300: Isolate Broadcast Channels to first party
-   * Bug 16439: Remove Roku screencasting code
-   * Bug 16285: Disabling EME bits
-   * Bug 16206: Enforce certificate pinning
-   * Bug 15910: Disable GMPs for now
-   * Bug 13670: Isolate OCSP requests by first party domain
-   * Bug 16448: Isolate favicon requests by first party
-   * Bug 7561: Disable FTP request caching
-   * Bug 6503: Fix single-word URL bar searching
-   * Bug 15526: ES6 page crashes Tor Browser
-   * Bug 16254: Disable GeoIP-based search results.
-   * Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
-   * Bug 13024: Disable DOM Resource Timing API
-   * Bug 16340: Disable User Timing API
-   * Bug 14952: Disable HTTP/2
- * Mac OS
-   * Use OSX 10.7 SDK
-   * Bug 16253: Tor Browser menu on OS X is broken with ESR 38
- * Build System
-   * Bug 16351: Upgrade our toolchain to use GCC 5.1
-   * Bug 15772 and child tickets: Update build system for Firefox 38
-
-Tor Browser 4.5.3 -- June 30 2015
- * All Platforms
-   * Update Firefox to 31.8.0esr
-   * Update OpenSSL to 1.0.1o
-   * Update NoScript to 2.6.9.27
-   * Update Torbutton to 1.9.2.8
-     * Bug 16403: Set search parameters for Disconnect
-     * Bug 14429: Make sure the automatic resizing is disabled
-     * Translation updates
-   * Bug 16397: Fix crash related to disabling SVG
-   * Bug 16403: Set search parameters for Disconnect
-   * Bug 16446: Update FTE bridge #1 fingerprint
-   * Tor patch backport
-     * Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
-
-Tor Browser 5.0a2 -- June 15 2015
- * All Platforms
-   * Update Tor to 0.2.7.1-alpha
-   * Update HTTPS-Everywhere to 5.0.5
-   * Update OpenSSL to 1.0.1n
-   * Update NoScript to 2.6.9.26
-   * Update meek to 0.19
-   * Update Torbutton to 1.9.2.7
-     * Bug 15984: Disabling Torbutton breaks the Add-ons Manager
-     * Bug 14429: Make sure the automatic resizing is enabled
-     * Translation updates
-   * Bug 16130: Defend against logjam attack
-   * Bug 15984: Disabling Torbutton breaks the Add-ons Manager
- * Windows
-   * Bug 16014: Staged update fails if meek is enabled
-   * Bug 16269: repeated add-on compatibility check after update (meek enabled)
- * Linux
-   * Bug 16026: Fix crash in GStreamer
-   * Bug 16083: Update comment in start-tor-browser
-
-Tor Browser 4.5.2 -- June 15 2015
- * All Platforms
-   * Update Tor to 0.2.6.9
-   * Update HTTPS-Everywhere to 5.0.5
-   * Update OpenSSL to 1.0.1n
-   * Update NoScript to 2.6.9.26
-   * Update Torbutton to 1.9.2.6
-     * Bug 15984: Disabling Torbutton breaks the Add-ons Manager
-     * Bug 14429: Make sure the automatic resizing is disabled
-     * Translation updates
-   * Bug 16130: Defend against logjam attack
-   * Bug 15984: Disabling Torbutton breaks the Add-ons Manager
- * Linux
-   * Bug 16026: Fix crash in GStreamer
-   * Bug 16083: Update comment in start-tor-browser
-
-Tor Browser 5.0a1 -- May 14 2015
- * All Platforms
-   * Update Firefox to 31.7.0esr
-   * Update meek to 0.18
-   * Update Tor Launcher to 0.2.7.5
-     * Translation updates only
-   * Update Torbutton to 1.9.2.5
-     * Bug 15837: Show descriptions if unchecking custom mode
-     * Bug 15927: Force update of the NoScript UI when changing security level
-     * Bug 15915: Hide circuit display if it is disabled.
-     * Bug 14429: Improved automatic window resizing
-     * Translation updates
-   * Bug 15945: Disable NoScript's ClearClick protection for now
-   * Bug 15933: Isolate by base (top-level) domain name instead of FQDN
-   * Bug 15857: Fix file descriptor leak in updater that caused update failures
-   * Bug 15899: Fix errors with downloading and displaying PDFs
-   * Bug 15773: Enable ICU on OS X
-   * Bug 1517: Reduce precision of time for Javascript
-   * Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
-   * Bug 13875: Improve the spoofing of window.devicePixelRatio
- * Windows
-   * Bug 15872: Fix meek pluggable transport startup issue with Windows 7
- * Build System
-   * Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
-   * Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
-
-Tor Browser 4.5.1 -- May 12 2015
- * All Platforms
-   * Update Firefox to 31.7.0esr
-   * Update meek to 0.18
-   * Update Tor Launcher to 0.2.7.5
-     * Translation updates only
-   * Update Torbutton to 1.9.2.3
-     * Bug 15837: Show descriptions if unchecking custom mode
-     * Bug 15927: Force update of the NoScript UI when changing security level
-     * Bug 15915: Hide circuit display if it is disabled.
-     * Translation updates
-   * Bug 15945: Disable NoScript's ClearClick protection for now
-   * Bug 15933: Isolate by base (top-level) domain name instead of FQDN
-   * Bug 15857: Fix file descriptor leak in updater that caused update failures
-   * Bug 15899: Fix errors with downloading and displaying PDFs
- * Windows
-   * Bug 15872: Fix meek pluggable transport startup issue with Windows 7
- * Build System
-   * Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
-   * Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
-
-Tor Browser 4.5 -- Apr 28 2015
- * All Platforms
-   * Update Tor to 0.2.6.7 with additional patches:
-     * Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
-   * Update NoScript to 2.6.9.22
-   * Update HTTPS-Everywhere to 5.0.3
-     * Bug 15689: Resume building HTTPS-Everywhere from git tags
-   * Update meek to 0.17
-   * Update obfs4proxy to 0.0.5
-   * Update Tor Launcher to 0.2.7.4
-     * Bug 15704: Do not enable network if wizard is opened
-     * Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
-     * Bug 13576: Don't strip "bridge" from the middle of bridge lines
-     * Bug 15657: Display the host:port of any connection faiures in bootstrap
-   * Update Torbutton to 1.9.2.2
-     * Bug 15562: Bind SharedWorkers to thirdparty pref
-     * Bug 15533: Restore default security level when restoring defaults
-     * Bug 15510: Close Tor Circuit UI control port connections on New Identity
-     * Bug 15472: Make node text black in circuit status UI
-     * Bug 15502: Wipe blob URIs on New Identity
-     * Bug 15795: Some security slider prefs do not trigger custom checkbox
-     * Bug 14429: Disable automatic window resizing for now
-   * Bug 4100: Raise HTTP Keep-Alive back to 115 second default
-   * Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
-   * Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
-   * Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
-   * Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access
-   * Bug 15794: Crash on some pages with SVG images if SVG is disabled
-   * Bug 15562: Disable Javascript SharedWorkers due to third party tracking
-   * Bug 15757: Disable Mozilla video statistics API extensions
-   * Bug 15758: Disable Device Sensor APIs
- * Linux
-   * Bug 15747: Improve start-tor-browser argument handling
-   * Bug 15672: Provide desktop app registration+unregistration for Linux
- * Windows
-   * Bug 15539: Make installer exe signatures reproducibly removable
-   * Bug 10761: Fix instances of shutdown crashes
-
-Tor Browser 4.5a5 -- Mar 31 2015
- * All Platforms
-   * Update Firefox to 31.6.0esr
-   * Update OpenSSL to 1.0.1m
-   * Update Tor to 0.2.6.6
-   * Update NoScript to 2.6.9.19
-   * Update HTTPS-Everywhere to 5.0
-   * Update meek to 0.16
-   * Update Tor Launcher to 0.2.7.3
-     * Bug 13983: Directory search path fix for Tor Messanger+TorBirdy
-   * Update Torbutton to 1.9.1.0
-     * Bug 9387: "Security Slider 1.0"
-       * Include descriptions and tooltip hints for security levels
-       * Notify users that the security slider exists
-       * Flip slider so that "low" is on the bottom
-       * Make use of new SVG and MathML prefs
-     * Bug 13766: Set a 10 minute circuit lifespan for non-content requests
-     * Bug 15460: Ensure FTP urls use content-window circuit isolation
-     * Bug 13650: Clip initial window height to 1000px
-     * Bug 14429: Ensure windows can only be resized to 200x100px multiples
-     * Bug 15334: Display Cookie Protections menu if disk records are enabled
-     * Bug 14324: Show HS circuit in Tor circuit display
-     * Bug 15086: Handle RTL text in Tor circuit display
-     * Bug 15085: Fix about:tor RTL text alignment problems
-     * Bug 10216: Add a pref to disable the local tor control port test
-     * Bug 14937: Show meek and flashproxy bridges in tor circuit display
-     * Bugs 13891+15207: Fix exceptions/errors in circuit display with bridges
-     * Bug 13019: Change locale hiding pref to boolean
-     * Bug 7255: Warn users about maximizing windows
-     * Bug 14631: Improve profile access error msgs (strings).
-   * Pluggable Transport Dependency Updates:
-     * Bug 15448: Use golang 1.4.2 for meek and obs4proxy
-     * Bug 15265: Switch go.net repo to golang.org/x/net
-   * Bug 14937: Hard-code meek and flashproxy node fingerprints
-   * Bug 13019: Prevent Javascript from leaking system locale
-   * Bug 10280: Improved fix to prevent loading plugins into address space
-   * Bug 15406: Only include addons in incremental updates if they actually update
-   * Bug 15029: Don't prompt to include missing plugins
-   * Bug 12827: Create preference to disable SVG images (for security slider)
-   * Bug 13548: Create preference to disable MathML (for security slider)
-   * Bug 14631: Improve startup error messages for filesystem permissions issues
-   * Bug 15482: Don't allow circuits to change while a site is in use
- * Linux
-   * Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
-   * Bug 12468: Only print/write log messages if launched with --debug
- * Windows
-   * Bug 3861: Begin signing Tor Browser for Windows the Windows way
-   * Bug 15201: Disable 'runas Administrator' codepaths in updater
-   * Bug 14688: Create shortcuts to desktop and start menu by default (optional)
-
-Tor Browser 4.0.6 -- Mar 31 2015
- * All Platforms
-   * Update Firefox to 31.6.0esr
-   * Update meek to 0.16
-   * Update OpenSSL to 1.0.1m
-
-Tor Browser 4.0.5 -- Mar 23 2015
- * All Platforms
-   * Update Firefox to 31.5.3esr
-   * Update Tor to 0.2.5.11
-   * Update NoScript to 2.6.9.19
-
-Tor Browser 4.5a4 -- Feb 24 2015
- * All Platforms
-   * Update Firefox to 31.5.0esr
-   * Update Tor to 0.2.6.3-alpha
-   * Update OpenSSL to 1.0.1l
-   * Update NoScript to 2.6.9.15
-   * Update obfs4proxy to 0.0.4
-     * Use obfs4proxy for ScrambleSuit bridges
-   * Update Torbutton to 1.9.0.0
-     * Bug 13882: Fix display of bridges after bridge settings have been changed
-     * Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
-     * Bug 10280: Strings and pref for preventing plugin initialization.
-     * Bug 14866: Show correct circuit when more than one exists for a given domain
-     * Bug 9442: Add New Circuit button to Torbutton menu
-     * Bug 9906: Warn users before closing all windows and performing new identity.
-     * Bug 8400: Prompt for restart if disk records are enabled/disabled.
-     * Bug 14630: Hide Torbutton's proxy settings tab.
-     * Bug 14632: Disable Cookie Manager until we get it working.
-     * Bug 11175: Remove "About Torbutton" from onion menu.
-     * Bug 13900: Remove remaining SafeCache code in favor of C++ patch
-     * Bug 14490: Use Disconnect search in about:tor search box
-     * Bug 14392: Don't steal input focus in about:tor search box
-     * Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
-     * Bug 13406: Stop directing users to download-easy.html.en on update
-     * Bug 9387: Handle "custom" mode better in Security Slider
-     * Bug 12430: Bind jar: pref to Security Slider
-     * Bug 14448: Restore Torbutton menu operation on non-English localizations
-     * Translation updates
-   * Update Tor Launcher to 0.2.7.2
-     * Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
-     * Bug 14336: Fix navigation button display issues on some wizard panes
-     * Translation updates
-   * Bug 14203: Prevent meek from displaying an extra update notification
-   * Bug 14849: Remove new NoScript menu option to make permissions permanent
-   * Bug 14851: Set NoScript pref to disable permanent permissions
-   * Bug 14490: Make Disconnect the default omnibox search engine
-   * Bug 11236: Fix omnibox order for non-English builds
-     * Also remove Amazon, eBay and bing; add Youtube and Twitter
-   * Bug 10280: Don't load any plugins into the address space.
-   * Bug 14392: Make about:tor hide itself from the URL bar
-   * Bug 12430: Provide a preference to disable remote jar: urls
-   * Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
-   * Bug 5698: Fix branding in "About Torbrowser" window
- * Windows:
-   * Bug 13169: Don't use /dev/random on Windows for SSP
- * Linux:
-   * Bug 13717: Make sure we use the bash shell on Linux
-
-Tor Browser 4.0.4 -- Feb 24 2015
- * All Platforms
-   * Update Firefox to 31.5.0esr
-   * Update OpenSSL to 1.0.1l
-   * Update NoScript to 2.6.9.15
-   * Update HTTPS-Everywhere to 4.0.3
-   * Bug 14203: Prevent meek from displaying an extra update notification
-   * Bug 14849: Remove new NoScript menu option to make permissions permanent
-   * Bug 14851: Set NoScript pref to disable permanent permissions
-
-Tor Browser 4.5a3 -- Jan 19 2015
- * All Platforms
-   * Update Firefox to 31.4.0esr
-   * Update Tor to 0.2.6.2-alpha
-   * Update NoScript to 2.6.9.10
-   * Update HTTPS Everywhere to 5.0development.2
-   * Update meek to 0.15
-   * Update Torbutton to 1.8.1.3
-     * Bug 13998: Handle changes in NoScript 2.6.9.8+
-     * Bug 14100: Option to hide NetworkSettings menuitem
-     * Bug 13079: Option to skip control port verification
-     * Bug 13835: Option to change default Tor Browser homepage
-     * Bug 11449: Fix new identity error if NoScript is not enabled
-     * Bug 13881: Localize strings for tor circuit display
-     * Bug 9387: Incorporate user feedback
-     * Bug 13671: Fixup for circuit display if bridges are used
-     * Translation updates
-   * Update Tor Launcher to 0.2.7.1
-     * Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
-     * Translation updates
-   * Bug 13379: Sign our MAR files
-   * Bug 13788: Fix broken meek in 4.5-alpha series
-   * Bug 13439: No canvas prompt for content callers
-
-Tor Browser 4.0.3 -- Jan 13 2015
- * All Platforms
-   * Update Firefox to 31.4.0esr
-   * Update NoScript to 2.6.9.10
-   * Update meek to 0.15
-   * Update Tor Launcher to 0.2.7.0.2
-     * Translation updates only
-
-Tor Browser 4.5-alpha-2 -- Dec 5 2014
- * All Platforms
-   * Update Firefox to 31.3.0esr
-   * Update NoScript to 2.6.9.5
-   * Update HTTPS Everywhere to 5.0development.1
-   * Update Torbutton to 1.8.1.2
-     * Bug 13672: Make circuit display optional
-     * Bug 13671: Make bridges visible on circuit display
-     * Bug 9387: Incorporate user feedback
-     * Bug 13784: Remove third party authentication tokens
-   * Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in ESR 31.3.0)
-
-Tor Browser 4.0.2 -- Dec 2 2014
- * All Platforms
-   * Update Firefox to 31.3.0esr
-   * Update NoScript to 2.6.9.5
-   * Update HTTPS Everywhere to 4.0.2
-   * Update Torbutton to 1.7.0.2
-     * Bug 13019: Synchronize locale spoofing pref with our Firefox patch
-     * Bug 13746: Properly link Torbutton UI to thirdparty pref.
-   * Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
-   * Bug 5926: Prevent JS engine locale leaks (by setting the C library locale)
-   * Bug 13504: Remove unreliable/unreachable non-public bridges
-   * Bug 13435: Remove our custom POODLE fix
- * Windows
-   * Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
-   * Bug 13558: Fix crash on Windows XP during download folder changing
-   * Bug 13594: Fix update failure for Windows XP users
-
-Tor Browser 4.5-alpha-1 -- Nov 14 2014
- * All Platforms
-   * Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
-   * Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
-   * Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
-   * Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
-   * Bug 13301: Prevent extensions incompatibility error after upgrades
-   * Bug 13460: Fix MSVC compilation issue
-   * Bug 13504: Remove stale bridges from default bridge set
-   * Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
-   * Update Tor to 0.2.6.1-alpha
-   * Update NoScript to 2.6.9.3
-   * Update Torbutton to 1.8.1.1
-     * Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
-     * Bug 13019: Synchronize locale spoofing pref with our Firefox patch
-     * Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
-     * Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
-     * Bug 13651: Prevent circuit-status related UI hang.
-     * Bug 13666: Various circuit status UI fixes
-     * Bugs 13742+13751: Remove cache isolation code in favor of direct C++ patch
-     * Bug 13746: Properly update third party isolation pref if disabled from UI
-   * Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
-   * Bug 12903: Include obfs4proxy pluggable transport
- * Windows
-   * Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
-   * Bug 13558: Fix crash on Windows XP during download folder changing
-   * Bug 13091: Make app name "Tor Browser" instead of "Tor"
-   * Bug 13594: Fix update failure for Windows XP users
- * Mac
-   * Bug 10138: Switch to 64bit builds for MacOS
-
-Tor Browser 4.0.1 -- Oct 30 2014
- * All Platforms
-   * Update Tor to 0.2.5.10
-   * Update NoScript to 2.6.9.3
-   * Bug 13301: Prevent extensions incompatibility error after upgrades
-   * Bug 13460: Fix MSVC compilation issue
- * Windows
-   * Bug 13443: Disable DirectShow to prevent crashes on many sites
-   * Bug 13091: Make app name "Tor Browser" instead of "Tor"
-
-Tor Browser 4.0 -- Oct 15 2014
- * All Platforms
-   * Update Firefox to 31.2.0esr
-   * Update Torbutton to 1.7.0.1
-      * Bug 13378: Prevent addon reordering in toolbars on first-run.
-      * Bug 10751: Adapt Torbutton to ESR31's Australis UI.
-      * Bug 13138: ESR31-about:tor shows "Tor is not working"
-      * Bug 12947: Adapt session storage blocker to ESR 31.
-      * Bug 10716: Take care of drag/drop events in ESR 31.
-      * Bug 13366: Fix cert exemption dialog when disk storage is enabled.
-   * Update Tor Launcher to 0.2.7.0.1
-     * Translation updates only
-   * Udate fteproxy to 0.2.19
-   * Update NoScript to 2.6.9.1
-   * Bug 13416: Defend against new SSLv3 attack (poodle).
-   * Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
-   * Bug 13016: Hide CSS -moz-osx-font-smoothing values.
-   * Bug 13356: Meek and other symlinks missing after complete update.
-   * Bug 13025: Spoof screen orientation to landscape-primary.
-   * Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
-   * Bug 13318: Minimize number of buttons on the browser toolbar.
-   * Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
-   * Bug 13023: Disable the gamepad API.
-   * Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
-   * Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
-   * Bug 13186: Disable DOM Performance timers
-   * Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
-
-Tor Browser 4.0-alpha-3 -- Sep 24 2014
- * All Platforms
-   * Update Tor to 0.2.5.8-rc
-   * Update Firefox to 24.8.1esr
-   * Update meek to 0.11
-   * Update NoScript to 2.6.8.42
-   * Update Torbutton to 1.6.12.3
-     * Bug 13091: Use "Tor Browser" everywhere
-     * Bug 10804: Workaround fix for some cases of startup hang
-   * Bug 13091: Use "Tor Browser" everywhere
-   * Bug 13049: Browser update failure (self.update is undefined)
-   * Bug 13047: Updater should not send Kernel and GTK version
-   * Bug 12998: Prevent intermediate certs from being written to disk
-   * Bug 13245: Prevent non-english TBBs from upgrading to english version.
- * Linux:
-   * Bug 9150: Make RPATH unavailable on Tor binary.
-   * Bug 13031: Add full RELRO protection.
-
-Tor Browser Bundle 3.6.6 -- Sep 24 2014
- * All Platforms
-   * Update Tor to tor-0.2.4.24
-   * Update Firefox to 24.8.1esr
-   * Update NoScript to 2.6.8.42
-   * Update HTTPS Everywhere to 4.0.1
-   * Bug 12998: Prevent intermediate certs from being written to disk
-   * Update Torbutton to 1.6.12.3
-     * Bug 13091: Use "Tor Browser" everywhere
-     * Bug 10804: Workaround fix for some cases of startup hang
- * Linux
-   * Bug 9150: Make RPATH unavailable on Tor binary.
-
-Tor Browser Bundle 4.0-alpha-2 -- Sep 2 2014
- * All Platforms
-   * Update Firefox to 24.8.0esr
-   * Update NoScript to 2.6.8.39
-   * Update Tor Launcher to 0.2.7.0
-     * Bug 11405: Remove firewall prompt from wizard.
-     * Bug 12895: Mention @riseup.net as a valid bridge request email address
-     * Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
-     * Bug 11199: Improve error messages if Tor exits unexpectedly
-   * Update Torbutton to 1.6.12.1
-     * Bug 12684: New strings for canvas image extraction message
-     * Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
-   * Bug 12684: Improve Canvas image extraction permissions prompt
-   * Bug 7265: Only prompt for first party canvas access. Log all scripts
-               that attempt to extract canvas images to Browser console.
-   * Bug 12974: Disable NTLM and Negotiate HTTP Auth
-   * Bug 2874: Remove Components.* from content access (regression)
-   * Bug 4234: Automatic Update support (off by default)
-   * Bug 9881: Open popups in new tabs by default
-   * Meek Pluggable Transport:
-     * Bug 12766: Use TLSv1.0 in meek-http-helper to blend in with Firefox 24
- * Windows:
-   * Bug 10065: Enable DEP, ASLR, and SSP hardening options
- * Linux:
-   * Bug 12103: Adding RELRO hardening back to browser binaries.
-
-Tor Browser Bundle 3.6.5 -- Sep 2 2014
- * All Platforms
-   * Update Firefox to 24.8.0esr
-   * Update NoScript to 2.6.8.39
-   * Update HTTPS Everywhere to 4.0.0
-   * Update Torbutton to 1.6.12.1
-     * Bug 12684: New strings for canvas image extraction message
-     * Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
-     * Bug 9531: Workaround to avoid rare hangs during New Identity
-   * Bug 12684: Improve Canvas image extraction permissions prompt
-   * Bug 7265: Only prompt for first party canvas access. Log all scripts
-               that attempt to extract canvas images to Browser console.
-   * Bug 12974: Disable NTLM and Negotiate HTTP Auth
-   * Bug 2874: Remove Components.* from content access (regression)
-   * Bug 9881: Open popups in new tabs by default
- * Linux:
-   * Bug 12103: Adding RELRO hardening back to browser binaries.
-
-Tor Browser Bundle 4.0-alpha-1 -- Aug 8 2014
- * All Platforms
-   * Ticket 10935: Include the Meek Pluggable Transport (version 0.10)
-     * Two modes of Meek are provided: Meek over Google and Meek over Amazon
-   * Update Firefox to 24.7.0esr
-   * Update Tor to 0.2.5.6-alpha
-   * Update OpenSSL to 1.0.1i
-   * Update NoScript to 2.6.8.36
-     * Script permissions now apply based on URL bar
-   * Update HTTPS Everywhere to 5.0development.0
-   * Update Torbutton to 1.6.12.0
-     * Bug 12221: Remove obsolete Javascript components from the toggle era
-     * Bug 10819: Bind new third party isolation pref to Torbutton security UI
-     * Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
-     * Bug 12680: Change Torbutton URL in about dialog.
-     * Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
-     * Bug 9531: Workaround to avoid rare hangs during New Identity
-   * Update Tor Launcher to 0.2.6.2
-     * Bug 11199: Improve behavior if tor exits
-     * Bug 12451: Add option to hide TBB's logo
-     * Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
-     * Bug 11471: Ensure text fits the initial configuration dialog
-     * Bug 9516: Send Tor Launcher log messages to Browser Console
-   * Bug 11641: Reorganize bundle directory structure to mimic Firefox
-   * Bug 10819: Create a preference to enable/disable third party isolation
-   * Backported Tor Patches:
-     * Bug 11200: Fix a hang during bootstrap introduced in the initial
-                  bug11200 patch.
- * Linux:
-   * Bug 10178: Make it easier to set an alternate Tor control port and password
-   * Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
-   * Bug 12249: Don't create PT debug files anymore
-
-Tor Browser Bundle 3.6.4 -- Aug 8 2014
- * All Platforms
-   * Update Tor to 0.2.4.23
-   * Update Tor launcher to 0.2.5.6
-     * Bug 9516: Show Tor log in TorBrowser's Browser Console
-   * Update OpenSSL to 1.0.1i
-   * Backported Tor Patches:
-     * Bug 11654: Properly apply the fix for malformed bug11156 log message
-     * Bug 11200: Fix a hang during bootstrap introduced in the initial
-                  bug11200 patch.
-   * Update NoScript to 2.6.8.36
-   * Update Torbutton to 1.6.11.1
-     * Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
-     * Bug 12680: Fix Torbutton about url.
-
-Tor Browser Bundle 3.6.3 -- Jul 24 2014
- * All Platforms
-   * Update Firefox to 24.7.0esr
-   * Update obfsproxy to 0.2.12
-   * Update FTE to 0.2.17
-   * Update NoScript to 2.6.8.33
-   * Update HTTPS Everywhere to 3.5.3
-   * Bug 12673: Update FTE bridges
-   * Update Torbutton to 1.6.11.0
-     * Bug 12221: Remove obsolete Javascript components from the toggle era
-     * Bug 10819: Bind new third party isolation pref to Torbutton security UI
-     * Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
- * Linux:
-   * Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
-   * Bug 12249: Don't create PT debug files anymore
-
-Tor Browser Bundle 3.6.2 -- Jun 9 2014
- * All Platforms
-   * Update Firefox to 24.6.0esr
-   * Update OpenSSL to 1.0.1h
-   * Update NoScript to 2.6.8.28
-   * Update Tor to 0.2.4.22
-   * Update Tor Launcher to 0.2.5.5
-     * Bug 10425: Provide geoip6 file location to Tor process
-     * Bug 11754: Remove untranslated locales that were dropped from Transifex
-     * Bug 11772: Set Proxy Type menu correctly after restart
-     * Bug 11699: Change &#160 to   in UI elements
-   * Update Torbutton to 1.6.10.0
-     * Bug 11510: about:tor should not report success if tor proxy is unreachable
-     * Bug 11783: Avoid b.webProgress error when double-clicking on New Identity
-     * Bug 11722: Add hidden pref to force remote Tor check
-     * Bug 11763: Fix pref dialog double-click race that caused settings to be reset
-   * Bug 11629: Support proxies with Pluggable Transports
-     * Updates FTEProxy to 0.2.15
-     * Updates obfsproxy to 0.2.9
-   * Backported Tor Patches:
-     * Bug 11654: Fix malformed log message in bug11156 patch.
-   * Bug 10425: Add in Tor's geoip6 files to the bundle distribution
-   * Bugs 11834 and 11835: Include Pluggable Transport documentation
-   * Bug 9701: Prevent ClipBoardCache from writing to disk.
-   * Bug 12146: Make the CONNECT Host header the same as the Request-URI.
-   * Bug 12212: Disable deprecated webaudio API
-   * Bug 11253: Turn on TLS 1.1 and 1.2.
-   * Bug 11817: Don't send startup time information to Mozilla.
-
-Tor Browser Bundle 3.6.1 -- May 6 2014
- * All Platforms
-   * Update HTTPS-Everywhere to 3.5.1
-   * Update NoScript to 2.6.8.22
-   * Bug 11658: Fix proxy configuration for non-Pluggable Transports users
-   * Backport Pending Tor Patches:
-     * Bug 8402: Allow Tor proxy configuration while PTs are present
-   * Note: The Pluggable Transports themselves have not been updated to
-           support proxy configuration yet.
-
-Tor Browser Bundle 3.6 -- Apr 29 2014
- * All Platforms
-   * Update Firefox to 24.5.0esr
-   * Update Tor Launcher to 0.2.5.4
-     * Bug #11482: Hide bridge settings prompt if no default bridges.
-     * Bug #11484: Show help button even if no default bridges.
-   * Update Torbutton to 1.6.9.0
-     * Bug 7439: Improve download warning dialog text.
-     * Bug 11384: Completely remove hidden toggle menu item.
-   * Update NoScript to 2.6.8.20
-   * Update fte transport to 0.2.13
-   * Backport Pending Tor Patches:
-     * Bug 11156: Additional obfsproxy startup error message fixes
-   * Bug 11586: Include license files for component software in Docs directory.
- * Windows and Mac:
-   * Bug 9308: Prevent install path from leaking in some JS exceptions
-               on Mac and Windows builds
-
-Tor Browser Bundle 3.6-beta-2 -- Apr 8 2014
- * All Platforms
-   * Update OpenSSL to 1.0.1g
-   * Bug 9010: Add Turkish language support.
-   * Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion. 
-   * Update fte transport to 0.2.12
-   * Update NoScript to 2.6.8.19
-   * Update Torbutton to 1.6.8.1
-     * Bug 11242: Fix improper "update needed" message after in-place upgrade.
-     * Bug 10398: Ease translation of about:tor page elements
-   * Update Tor Launcher to 0.2.5.3
-     * Bug 9665: Localize Tor's unreachable bridges bootstrap error
-   * Backport Pending Tor Patches:
-     * Bug 9665: Report a bootstrap error if all bridges are unreachable
-     * Bug 11200: Prevent spurious error message prior to enabling network.
- * Linux:
-   * Bug 11190: Switch linux PT build process to python2
-   * Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
- * Windows:
-   * Bug 11286: Fix fte transport launch error
-
-Tor Browser Bundle 3.5.4 -- Apr 7 2014
- * All Platforms
-   * Update OpenSSL to 1.0.1g
-
-Tor Browser Bundle 3.5.3 -- Mar 19 2014
- * All Platforms
-   * Update Firefox to 24.4.0esr
-   * Update Torbutton to 1.6.7.0:
-     * Bug 9901: Fix browser freeze due to content type sniffing
-     * Bug 10611: Add Swedish (sv) to extra locales to update
-   * Update NoScript to 2.6.8.17
-   * Update Tor to 0.2.4.21
-   * Bug 10237: Disable the media cache to prevent disk leaks for videos
-   * Bug 10703: Force the default charset to avoid locale fingerprinting
-   * Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
- * Linux:
-   * Bug 9353: Fix keyboard input on Ubuntu 13.10
-   * Bug 9896: Provide debug symbols for Tor Browser binary
-   * Bug 10472: Pass arguments to the browser from Linux startup script
-
-Tor Browser Bundle 3.6-beta-1 -- Mar 17 2014
- * All Platforms
-   * Update Firefox to 24.4.0esr
-   * Include Pluggable Transports by default:
-     * Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.6 are now included
-   * Update Tor Launcher to 0.2.5.1
-     * Bug 10418: Provide UI configuration for Pluggable Transports
-     * Bug 10604: Allow Tor status & error messages to be translated
-     * Bug 10894: Make bridge UI clear that helpdesk is a last resort for
-                  bridges
-     * Bug 10610: Clarify wizard UI text describing obstacles/blocking
-     * Bug 11074: Support Tails use case (XULRunner and optional
-                  customizations)
-   * Update Torbutton to 1.6.7.0:
-     * Bug 9901: Fix browser freeze due to content type sniffing
-     * Bug 10611: Add Swedish (sv) to extra locales to update
-   * Update NoScript to 2.6.8.17
-   * Update Tor to 0.2.4.21
-   * Backport Pending Tor Patches:
-     * Bug 5018: Don't launch Pluggable Transport helpers if not in use
-     * Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
-     * Bug 11069: Detect and report Pluggable Transport bootstrap failures
-     * Bug 11156: Prevent spurious warning about missing pluggable transports 
-   * Bug 10237: Disable the media cache to prevent disk leaks for videos
-   * Bug 10703: Force the default charset to avoid locale fingerprinting
-   * Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
- * Mac:
-   * Bug 4261: Use DMG instead of ZIP for Mac packages
- * Linux:
-   * Bug 9353: Fix keyboard input on Ubuntu 13.10
-   * Bug 9896: Provide debug symbols for Tor Browser binary
-   * Bug 10472: Pass arguments to the browser from Linux startup script
-
-Tor Browser Bundle 3.5.2.1 -- Feb 14 2014
- * All Platforms
-   * Bug 10895: Fix broken localized bundles
- * Windows:
-   * Bug 10323: Remove unneeded gcc/libstdc++ libraries from dist
-
-Tor Browser Bundle 3.5.2 -- Feb 8 2014
- * All Platforms
-   * Rebase Tor Browser to Firefox 24.3.0ESR
-   * Bug 10419: Block content window connections to localhost
-   * Update Torbutton to 1.6.6.0
-     * Bug 10800: Prevent findbox exception and popup in New Identity
-     * Bug 10640: Fix about:tor's update pointer position for RTL languages.
-     * Bug 10095: Fix some cases where resolution is not a multiple of 200x100
-     * Bug 10374: Clear site permissions on New Identity
-     * Bug 9738: Fix for auto-maximizing on browser start
-     * Bug 10682: Workaround to really disable updates for Torbutton
-     * Bug 10419: Don't allow connections to localhost if Torbutton is toggled
-     * Bug 10140: Move Japanese to extra locales (not part of TBB dist)
-     * Bug 10687: Add Basque (eu) to extra locales (not part of TBB dist)
-   * Update Tor Launcher to 0.2.4.4
-     * Bug 10682: Workaround to really disable updates for Tor Launcher
-   * Update NoScript to 2.6.8.13
-
-Tor Browser Bundle 3.5.1 -- Jan 22 2014
- * All Platforms
-   * Bug 10447: Remove SocksListenAddress to allow multiple socks ports.
-   * Bug 10464: Remove addons.mozilla.org from NoScript whitelist
-   * Bug 10537: Build an Arabic version of TBB 3.5
-   * Update Torbutton to 1.6.5.5
-     * Bug 9486: Clear NoScript Temporary Permissions on New Identity
-     * Include Arabic translations
-   * Update Tor Launcher to 0.2.4.3
-     * Include Arabic translations
-   * Update Tor to 0.2.4.20
-   * Update OpenSSL to 1.0.1f
-   * Update NoScript to 2.6.8.12
-   * Update HTTPS-Everywhere to 3.4.5
- * Windows
-   * Bug 9259: Enable Accessibility (screen reader) support
- * Mac
-   * misc: Update bundle version field in Info.plist (for MacUpdates service)
-
-Tor Browser Bundle 3.5 -- Dec 17 2013
- * All Platforms
-   * Update Tor to 0.2.4.19
-   * Update Tor Launcher to 0.2.4.2
-     * Bug 10382: Fix a Tor Launcher hang on TBB exit
-   * Update Torbutton to 1.6.5.2
-     * Misc: Switch update download URL back to download-easy
-
-Tor Browser Bundle 3.5rc1 -- Dec 12 2013
- * All Platforms
-   * Update Firefox to 24.2.0esr
-   * Update NoScript to 2.6.8.7
-   * Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
-     * Tag includes a patch to handle enabling/disabling Mixed Content Blocking
-   * Bug 5060: Disable health report service
-   * Bug 10367: Disable prompting about health report and Mozilla Sync
-   * Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
-   * Misc Prefs: Disable layer acceleration to avoid crashes on Windows
-   * Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
-   * Update Tor Launcher to 0.2.4.1
-     * Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
-     * Bug 10201: FF ESR 24 hangs during exit on Mac OS
-     * Bug 9984: Support running Tor Launcher from InstantBird
-     * Misc: Support browser directory location API changes in Firefox 24
-   * Update Torbutton to 1.6.5.1
-     * Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
-     * Bug 8167: Update cache isolation for FF24 API changes
-     * Bug 10201: FF ESR 24 hangs during exit on Mac OS
-     * Bug 10078: Properly clear crypto tokens during New Identity on FF24
-     * Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
- * Linux
-   * Bug 10213; Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)
-
-Tor Browser Bundle 3.0rc1 -- Nov 21 2013
- * All Platforms:
-   * Update Firefox to 17.0.11esr
-   * Update Tor to 0.2.4.18-rc
-   * Remove unsupported PDF.JS addon from the bundle 
-   * Bug #7277: TBB's Tor client will now omit its timestamp in the TLS handshake.
-   * Update Torbutton to 1.6.4.1
-     * Bug #10002: Make the TBB3.0 blog tag our update download URL for now
- * Windows
-   * Bug #10102: Patch binutils to remove nondeterministic bytes in compiled binaries
- * Linux
-   * Bug #10049: Fix architecture check to work from outside TBB's directory
-   * Bug #10126: Remove libz and firefox-bin, and strip unstripped binaries
-   * Misc: Disable Firefox updater during compile time (in addition to pref)
-
-Tor Browser Bundle 3.0beta1 -- Oct 31 2013
- * All Platforms:
-   * Update Firefox to 17.0.10esr
-   * Update NoScript to 2.6.8.2
-   * Update HTTPS-Everywhere to 3.4.2
-   * Bug #9114: Reorganize the bundle directory structure to ease future
-                autoupdates
-   * Bug #9173: Patch Tor Browser to auto-detect profile directory if
-                launched without the wrapper script.
-   * Bug #9012: Hide Tor Browser infobar for missing plugins.
-   * Bug #8364: Change the default entry page for the addons tab to the 
-                installed addons page.
-   * Bug #9867: Make flash objects really be click-to-play if flash is enabled.
-   * Bug #8292: Make getFirstPartyURI log+handle errors internally to simplify
-                caller usage of the API
-   * Bug #3661: Remove polipo and privoxy from the banned ports list.
-   * misc: Fix a potential memory leak in the Image Cache isolation
-   * misc: Fix a potential crash if OS theme information is ever absent
-   * Update Tor-Launcher to 0.2.3.1-beta
-     * Bug #9114: Handle new directory structure
-     * misc: Tor Launcher now supports Thunderbird
-   * Update Torbutton to 1.6.4
-     * Bug #9224: Support multiple Tor socks ports for about:tor status check
-     * Bug #9587: Add TBB version number to about:tor
-     * Bug #9144: Workaround to handle missing translation properties
- * Windows:
-   * Bug #9084: Fix startup crash on Windows XP.
- * Linux:
-   * Bug #9487: Create detached debuginfo files for Linux Tor and Tor
-                Browser binaries.
-
-Tor Browser Bundle 3.0alpha4 -- Sep 24 2013
- * All Platforms:
-   * Bug #8751: Randomize TLS HELLO timestamp in HTTPS connections
-   * Bug #9790 (workaround): Temporarily re-enable JS-Ctypes for cache
-                             isolation and SSL Observatory
-   * Update Firefox to 17.0.9esr
-   * Update Tor to 0.2.4.17-rc
-   * Update NoScript to 2.6.7.1
-   * Update Tor-Launcher to 0.2.2-alpha
-     * Bug #9675: Provide feedback mechanism for clock-skew and other early 
-                  startup issues
-     * Bug #9445: Allow user to enter bridges with or without 'bridge' keyword
-     * Bug #9593: Use UTF16 for Tor process launch to handle unicode paths.
-     * misc: Detect when Tor exits and display appropriate notification
-   * Update Torbutton to 1.6.2.1
-     * Bug 9492: Fix Torbutton logo on OSX and Windows (and related
-                 initialization code)
-     * Bug 8839: Disable Google/Startpage search filters using Tor-specific urls
-
-
-Tor Browser Bundle 3.0alpha3 -- Aug 01 2013
- * All Platforms:
-   * Update Firefox to 17.0.8esr
-   * Update Tor to 0.2.4.15-rc
-   * Update HTTPS-Everywhere to 3.3.1
-   * Update NoScript to 2.6.6.9
-   * Improve build input fetching and authentication
-   * Bug #9283: Update NoScript prefs for usability.
-   * Bug #6152 (partial): Disable JSCtypes support at compile time
-   * Update Torbutton to 1.6.1
-     * Bug 8478: Change when window resize code fires to avoid rounding errors
-     * Bug 9331: Hack an update URL for the next TBB release
-     * Bug 9144: Change an aboutTor.dtd string so transifex will accept it
-   * Update Tor-Launcher to 0.2.1-alpha
-     * Bug #9128: Remove dependency on JSCtypes
- * Windows
-   * Bug #9195: Disable download manager AV scanning (to prevent cloud
-     reporting+scanning of downloaded files)
- * Mac:
-   * Bug #9173 (partial): Launch firefox-bin on MacOS instead of TorBrowser.app
-     (improves dock behavior).
-
-
-Tor Browser Bundle 3.0alpha2 -- June 27 2013
- * All Platforms:
-   * Update Firefox to 17.0.7esr
-   * Update Tor to 0.2.4.14-alpha
-   * Include Tor's GeoIP file
-     * This should fix custom torrc issues with country-based node
-       restrictions
-   * Fix several build determinism issues
-   * Include ChangeLog in bundles.
- * Linux:
-   * Use Ubuntu's 'hardening-wrapper' to build our Linux binaries
- * Windows:
-   * Fix many crash issues by disabling Direct2D support for now.
- * Mac:
-   * Bug 8987: Disable TBB's 'Saved Application State' disk records on OSX 10.7+
-
-Tor Browser Bundle 3.0alpha1 -- June 17 2013
- * All Platforms:
-   * Remove Vidalia; Use the new Tor Launcher Firefox Addon instead
-   * Update Torbutton to 1.6.0
-     * bug 7494: Create a local home page for TBB as about:tor
-     * misc: Perform a control port test of proper Tor configuration by default.
-             Only use https://check.torproject.org if the control port is
-             unavailable.
-     * misc: Add an icon menu option for Tor Launcher's Network Settings
-     * misc: Add branding string overrides (primarily controls browser name and
-             homepage)
-   * Update HTTPS-Everywhere to 3.2.2
-   * Update NoScript to 2.6.6.6
-   * Update PDF.JS to 0.8.1
- * Windows:
-   * Use MinGW-w64 (via Gitian) to cross-compile the bundles from Ubuntu
-   * Use TBB-Windows-Installer to guide Windows users through TBB extraction
-   * Temporarily disable WebGL and Accessibility support due to minor MinGW
-     issues
- * Mac:
-   * Use 'Toolchain4' fork by Ray Donnelley to cross-compile the bundles from
-     Ubuntu
-
-
+Tor Browser 5.5a5-hardened -- December 16 2015
+ * All Platforms
+   * Update Firefox to 38.5.0esr
+   * Update Tor to 0.2.7.6
+   * Update OpenSSL to 1.0.1q
+   * Update NoScript to 2.7
+   * Update Torbutton to 1.9.4.2
+     * Bug 16940: After update, load local change notes
+     * Bug 16990: Avoid matching '250 ' to the end of node name
+     * Bug 17565: Tor fundraising campaign donation banner
+     * Bug 17770: Fix alignments on donation banner
+     * Bug 17792: Include donation banner in some non en-US Tor Browsers
+     * Bug 17108: Polish about:tor appearance
+     * Bug 17568: Clean up tor-control-port.js
+     * Translation updates
+   * Update Tor Launcher to 0.2.8.1
+     * Bug 17344: Enumerate available language packs for language prompt
+     * Code clean-up
+     * Translation updates
+   * Bug 12516: Compile Tor Browser with -fwrapv
+   * Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
+   * Bug 15564: Isolate SharedWorkers by first-party domain
+   * Bug 16940: After update, load local change notes
+   * Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
+   * Bug 17747: Add ndnop3 as new default obfs4 bridge
+   * Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
+   * Bug 17369: Disable RC4 fallback
+   * Bug 17442: Remove custom updater certificate pinning
+   * Bug 16863: Avoid confusing error when loop.enabled is false
+   * Bug 17502: Add a preference for hiding "Open with" on download dialog
+   * Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
+   * Bug 16441: Suppress "Reset Tor Browser" prompt
diff --git a/gitian/versions.alpha b/gitian/versions.alpha
index da69f65..511ea05 100755
--- a/gitian/versions.alpha
+++ b/gitian/versions.alpha
@@ -11,14 +11,14 @@ MULTI_LINGUAL=1
 
 VERIFY_TAGS=1
 
-FIREFOX_VERSION=38.4.0esr
+FIREFOX_VERSION=38.5.0esr
 
 TORBROWSER_UPDATE_CHANNEL=hardened
 
 TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.5-1-build1
-TOR_TAG=tor-0.2.7.4-rc
-TORLAUNCHER_TAG=0.2.8
-TORBUTTON_TAG=1.9.4.1
+TOR_TAG=tor-0.2.7.6
+TORLAUNCHER_TAG=0.2.8.1
+TORBUTTON_TAG=1.9.4.2
 HTTPSE_TAG=5.1.1
 NSIS_TAG=v0.3
 ZLIB_TAG=v1.2.8
@@ -43,10 +43,10 @@ NOTOFONTS_TAG=720e34851382ee3c1ef024d8dffb68ffbfb234c2
 
 GITIAN_TAG=tor-browser-builder-3.x-8-gpgsux
 
-OPENSSL_VER=1.0.1p
+OPENSSL_VER=1.0.1q
 GMP_VER=5.1.3
 FIREFOX_LANG_VER=$FIREFOX_VERSION
-FIREFOX_LANG_BUILD=build2
+FIREFOX_LANG_BUILD=build1
 BINUTILS_VER=2.24
 GCC_VER=5.2.0
 PYTHON_VER=2.7.5
@@ -66,7 +66,7 @@ NOTOCJKFONT_VER=1.004
 ## File names for the source packages
 OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz
 GMP_PACKAGE=gmp-${GMP_VER}.tar.bz2
-NOSCRIPT_PACKAGE=noscript_security_suite-2.6.9.39-sm+fx+fn.xpi
+NOSCRIPT_PACKAGE=noscript_security_suite-2.7-sm+fx+fn.xpi
 TOOLCHAIN4_PACKAGE=x86_64-apple-darwin10.tar.xz
 TOOLCHAIN4_OLD_PACKAGE=multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz
 OSXSDK_PACKAGE=MacOSX10.7.sdk.tar.gz
@@ -91,13 +91,13 @@ NOTOCJKFONT_PACKAGE=NotoSansCJKsc-Regular.otf
 STIXMATHFONT_PACKAGE=STIXv1.1.1-latex.zip
 
 # Hashes for packages with weak sigs or no sigs
-OPENSSL_HASH=bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
+OPENSSL_HASH=b3658b84e9ea606a5ded3c972a5517cd785282e7ea86b20c78aa4b773a047fb7
 GMP_HASH=752079520b4690531171d0f4532e40f08600215feefede70b24fabdc6f1ab160
 OSXSDK_HASH=da77bb0003fcca5ea8c4e8cb2da8828ded750c54afdcac29ec6f3b46ad5e3adf
 OSXSDK_OLD_HASH=6602d8d5ddb371fbc02e2a5967d9bd0cd7358d46f9417753c8234b923f2ea6fc
 TOOLCHAIN4_HASH=7b71bfe02820409b994c5c33a7eab81a81c72550f5da85ff7af70da3da244645
 TOOLCHAIN4_OLD_HASH=65c1b2d302358a6b95a26c6828a66908a199276193bb0b268f2dcc1a997731e9
-NOSCRIPT_HASH=dd904c6a12a8b1f6b1da48d51e4df903d7f9211ba5b3f32d7272f413a3bf548a
+NOSCRIPT_HASH=ab84fd85addd6c15f2ce1e81c58ac9f09b228f9e56703f4d938447b8a2b752ea
 MSVCR100_HASH=1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067
 PYCRYPTO_HASH=f2ce1e989b272cfcb677616763e0a2e7ec659effa67a88aa92b3a65528f60a3c
 ARGPARSE_HASH=ddaf4b0a618335a32b6664d4ae038a1de8fbada3b25033f9021510ed2b3941a4
diff --git a/tools/update-responses/config.yml b/tools/update-responses/config.yml
index 7eddcac..4244d87 100644
--- a/tools/update-responses/config.yml
+++ b/tools/update-responses/config.yml
@@ -9,7 +9,7 @@ build_targets:
     osx32: Darwin_x86-gcc3
     osx64: Darwin_x86_64-gcc3
 channels:
-    hardened: 5.5a4-hardened
+    hardened: 5.5a5-hardened
     release: 5.0
 versions:
     5.0:
@@ -23,10 +23,12 @@ versions:
         osx32:
             minSupportedOSVersion: 10.8
             detailsURL: https://blog.torproject.org/blog/end-life-plan-tor-browser-32-bit-macs#updating
-    5.5a4-hardened:
-        platformVersion: 38.4.0
-        detailsURL: https://blog.torproject.org/blog/tor-browser-55a4-hardened-released
-        download_url: https://www.torproject.org/dist/torbrowser/5.5a4-hardened
+    5.5a5-hardened:
+        platformVersion: 38.5.0
+        detailsURL: https://blog.torproject.org/blog/tor-browser-55a5-hardened-released
+        download_url: https://www.torproject.org/dist/torbrowser/5.5a5-hardened
+        incremental_from:
+          - 5.5a4-hardened
         migrate_archs:
           osx32: osx64
         osx32:



More information about the tbb-commits mailing list