[tor-announce] Tor Browser 8.0.1 is released

Nicolas Vigier boklm at mars-attacks.org
Sat Sep 22 16:54:53 UTC 2018

Tor Browser 8.0.1 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].

    1: https://www.torproject.org/download/download-easy.html
    2: https://www.torproject.org/dist/torbrowser/8.0.1/

This release features important security updates [3] to Firefox. Note
that we just picked up the necessary patches this time but did not bump
the Firefox version to 60.2.1esr as we needed to start building before
Mozilla was ready. Thus, users are fine with Tor Browser 8.0.1 even if
the Firefox version says 60.2.0esr.

    3: https://www.mozilla.org/en-US/security/advisories/mfsa2018-23/

Moreover, Alex Catarineu from Cliqz found a mistake we made that would
make it possible to trick a user into installing an unsigned Torbutton
extension. Thus, all users are encouraged to update older Tor Browser
versions to 8.0.1 and keep in mind that installing third party extensions
is potentially dangerous to Tor Browser's privacy guarantees and
therefore strongly discouraged.

Tor Browser 8.0.1 is shipping the first stable Tor in the 0.3.4 series
( which solves an annoying crash bug [4] on older macOS systems

    4: https://trac.torproject.org/projects/tor/ticket/27482

We found a better solution to our User Agent treatment [5]: on desktop
platforms Tor Browser will send a Windows User Agent at the network
level now while still allowing to query the unspoofed User Agent with
JavaScript. This takes concerns about any server passively logging the
User Agent into account while still avoiding broken websites as good as
we can. Thanks to everyone who helped with this issue.

    5: https://trac.torproject.org/projects/tor/ticket/26146

Finally, we included a banner for signing up to Tor News which allows
anyone to stay up-to-date about things going on in the Tor universe
(which is, admittedly, sometimes hard to keep track of).

_Known Issues_

We already collected a number of unresolved bugs since Tor Browser
7.5.6 and tagged them with our tbb-8.0-issues [6] keyword to keep them
on our radar. While we fixed a number of them for the 8.0.1 release,
there are still issues remaining. The most important ones are listed

    6: https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-8.0-issues

  * WebGL is broken [7] right now.

    7: https://trac.torproject.org/projects/tor/ticket/27290

  * Accessibility support is broken [8] on Windows. We are considering
    options to address this issue right now.

    8: https://trac.torproject.org/projects/tor/ticket/27503

  * Tor Browser 8 is not starting anymore on some older Ubuntu/Mint
    Linux systems [9]. We still have issues to reproduce this bug but
    hope we can fix it in the next release.

    9: https://trac.torproject.org/projects/tor/ticket/27508

  * Tor Browser 8 is not starting anymore on CentOS 6 [10]. We have a
    fix in our upcoming 8.5a2 to give it a bit of testing. Users affected
    by this bug may resort to that alpha version for now. We plan to
    backport the patch in the next stable release.

    10: https://trac.torproject.org/projects/tor/ticket/27552

  * NoScript is not saving per-site permissions anymore [11]. We have
    a potential patch for this bug in our 8.5a2 release as well and
    plan to backport it, too, in the next stable release in case no
    issues with it are found.

    11: https://trac.torproject.org/projects/tor/ticket/27175

Note: The changelog file has an incorrect release date (September 24
instead of September 22).

The full changelog since Tor Browser 8.0 is:

 * All platforms
   * Update Tor to
   * Update Torbutton to 2.0.7
     * Bug 27097: Tor News signup banner
     * Bug 27663: Add New Identity menuitem again
     * Bug 26624: Only block OBJECT on highest slider level
     * Bug 26555: Don't show IP address for meek or snowflake
     * Bug 27478: Torbutton icons for dark theme
     * Bug 27506+14520: Move status version to upper left corner for RTL locales
     * Bug 27427: Fix NoScript IPC for about:blank by whitelisting messages
     * Bug 27558: Update the link to "Your Guard note may not change" text
     * Translations update
   * Update Tor Launcher to
     * Bug 27469: Adapt Moat URLs
     * Translations update
     * Clean-up
   * Update NoScript to
   * Bug 27763: Restrict Torbutton signing exemption to mobile
   * Bug 26146: Spoof HTTP User-Agent header for desktop platforms
   * Bug 27543: QR code is broken on web.whatsapp.com
   * Bug 27264: Bookmark items are not visible on the boomark toolbar
   * Bug 27535: Enable TLS 1.3 draft version
   * Backport of Mozilla bug 1490585, 1475775, and 1489744
 * OS X
   * Bug 27482: Fix crash during start-up on macOS 10.9.x systems
 * Linux
   * Bug 26556: Fix broken Tor Browser icon path on Linux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-announce/attachments/20180922/a6683f2a/attachment.sig>

More information about the tor-announce mailing list