[tor-announce] Tor Browser 6.0.5 is released

Nicolas Vigier boklm at torproject.org
Fri Sep 16 22:02:08 UTC 2016 

Tor Browser 6.0.5 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].

    1: https://www.torproject.org/download/download-easy.html
    2: https://www.torproject.org/dist/torbrowser/6.0.5/

This release features important security updates to Firefox including
the recently disclosed extension update vulnerability [3]. All users
should upgrade as soon as possible.

    3: http://seclists.org/dailydave/2016/q3/51

That vulnerability [4] allows an attacker who is able to obtain a valid
certificate for addons.mozilla.org to impersonate Mozilla's servers and
to deliver a malicious extension update, e.g. for NoScript. This could
lead to arbitrary code execution. Moreover, other built-in certificate
pinnings are affected as well. Obtaining such a certificate is not an
easy task, but it's within reach of powerful adversaries (e.g. nation states).

    4: https://bugzilla.mozilla.org/show_bug.cgi?id=1303127

Thanks to everyone who helped investigating this bug and getting a bugfix
release out as fast as possible.

We are currently building the alpha and hardened bundles (6.5a3 and
6.5a3-hardened) that will contain the fix for alpha/hardened channel
users. We expect them to get released at the beginning of next week.
Until then users are strongly encouraged to use Tor Browser 6.0.5.

Apart from fixing Firefox vulnerabilities this release comes with a new
Tor stable version (0.2.8.7), an updated HTTPS-Everywhere (5.2.4), and
fixes minor bugs.

Here is the full changelog since Tor Browser 6.0.4:

 * All Platforms
   * Update Firefox to 45.4.0esr
   * Update Tor to 0.2.8.7
   * Update Torbutton to 1.9.5.7
     * Bug 18589: Clear site security settings during New Identity
     * Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
   * Update HTTPS-Everywhere to 5.2.4
   * Bug 20092: Rotate ports for default obfs4 bridges
   * Bug 20040: Add update support for unpacked HTTPS Everywhere
 * Windows
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Linux
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Android
   * Bug 19706: Store browser data in the app home directory
 * Build system
   * All platforms
     * Upgrade Go to 1.4.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1554 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-announce/attachments/20160917/5b5c41be/attachment.sig>

More information about the tor-announce mailing list