[tor-announce] Tor Browser 7.0.9 is released

Nicolas Vigier boklm at mars-attacks.org
Fri Nov 3 19:47:51 UTC 2017 

Note: Tor Browser 7.0.9 is a security bugfix release for macOS and
Linux users only. Users on Windows are not affected and stay on Tor
Browser 7.0.8.

Tor Browser 7.0.9 is now available for our macOS [1] and Linux [2] users
from the Tor Browser Project page and also from our distribution
directory [3].

    1: https://www.torproject.org/download/download-easy.html#mac
    2: https://www.torproject.org/download/download-easy.html#linux
    3: https://www.torproject.org/dist/torbrowser/7.0.9/

This release features an important security update to Tor Browser for
macOS and Linux users. Due to a Firefox bug [4] in handling file:// URLs
it is possible on both systems that users leak their IP address. Once
an affected user navigates to a specially crafted URL the operating
system may directly connect to the remote host, bypassing Tor Browser.
Tails users and users of our sandboxed-tor-browser are unaffected, though.

    4: https://bugzilla.mozilla.org/show_bug.cgi?id=1412081

The bug got reported to us on Thursday, October 26, by Filippo Cavallarin.
We created a workaround with the help of Mozilla engineers on the next
day which, alas, fixed the leak only partially. We developed an additional
fix on Tuesday, October 31, plugging all known holes. We are not aware
of this vulnerability being exploited in the wild. Thanks to everyone
who helped during this process!

We are currently preparing updated macOS and Linux bundles for our alpha
series which will be tentatively available on Monday, November 6. Meanwhile
macOS and Linux users on that series are strongly encouraged to use the
stable bundles or one of the above mentioned tools that are not affected
by the underlying problem.

Known issues: The fix we deployed is just a workaround stopping the leak.
As a result of that navigating file:// URLs in the browser might not
work as expected anymore. In particular entering file:// URLs in the URL
bar and clicking on resulting links is broken. Opening those in a new
tab or new window does not work either. A workaround for those issues
is dragging the link into the URL bar or on a tab instead. We track this
follow-up regression in bug 24136 [5].

    5: https://trac.torproject.org/projects/tor/ticket/24136

Here is the full changelog since 7.0.8:

 * OS X
   * Bug 24052: Streamline handling of file:// resources
 * Linux
   * Bug 24052: Streamline handling of file:// resources

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-announce/attachments/20171103/308ce137/attachment.sig>

More information about the tor-announce mailing list