[tor-announce] New Alpha Release: Tor Browser 12.0a5 (Android, Windows, macOS, Linux)
Richard Pospesel
richard at torproject.org
Thu Dec 1 17:50:04 UTC 2022
Tor Browser 12.0a5 is now available from the Tor Browser download page and also from our distribution directory:
- https://www.torproject.org/dist/torbrowser/12.0a5/
Tor Browser 12.0a5 updates Firefox on Android, Windows, macOS, and Linux to 102.5.0esr.
This version includes important security updates to Firefox and GeckoView.
Tor Browser 12.0a5 backports the following security updates from Firefox 107 to Firefox ESR 102.5 on Android:
CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs
# Major Changes since 11.5
This is the final planned alpha release before 12.0 stable. We have made a lot of changes over the past several months
both large and small, and would like to encourage alpha users to test the following features and report any issues you
discover.
## Universal macOS packages
This is the first universal package release of Tor Browser for macOS. Now Tor Browser should run natively for macOS
users, regardless of whether they are running on older x86_64 devices or on newer Apple M1 aarch64 devices.
**What to test:** Users with existing x86_64 macOS installs should receive an automatic update to the new universal
package without any loss of functionality. The universal dmg downloaded from the Tor Project website should continue to
work for macOS users on both x86_64 and aarch64 platforms. We would also appreciate if macOS users attempted a
build-to-build upgrade from an older version of Tor Browser Alpha to help us validate this update path.
Once installed, macOS users using aarch64-based Macs (i.e. those with Apple Silicon) can verify whether Tor Browser is
running natively by following these steps:
1. Open the Activity Monitor
2. Search for "Tor Browser" within the CPU tab.
3. Should Tor Browser read "Apple" under the Kind column, you are successfully running the native Apple Silicon build.
## Multi-locale bundles (Desktop)
As of Tor Browser 12.0a4, all supported languages are now included in a single bundle, and can be changed without
requiring additional downloads via the Language menu in General settings on the about:preferences page.
**What to test:** Tor Browser Alpha should default to your system language on first launch if it matches a language we
support. Alpha testers are also encouraged to test changing language within about:preferences#general, and to report any
new bugs with localization in general (in particular instances of 'Firefox' appearing instead of 'Tor Browser' or other
similar branding issues).
We would also appreciate if users on all our Desktop platforms attempted a build-to-build upgrade from an older version
of Tor Browser Alpha to help us validate the update path.
## Unified Español locale (Desktop and Android)
Previous versions of Tor Browser Alpha were available in both "es" and "es-AR" (Español Argentina) locales. As of Tor
Browser, 12.0a4 these have been unified into a single Spanish locale instead.
**What to test:** Alpha testers who use the "es-AR" locale should be automatically switched to "es-ES" after updating.
## New supported locales (Ukranian and Albanian)
We have added support for both Ukranian and Albanian languages.
**What to test:** Alpha testers who use the "uk" and "sq" locales should try them on both Desktop (using the language
picker in about:preferences#general) and Android (using the options in Settings > Language).
## tor-launcher migration (Desktop)
Parts of the code that power tor-launcher – which starts tor within Tor Browser – have been refactored. Although this
work doesn't include any changes to the user experience, those who run non-standard Tor Browser setups are encouraged to
test 12.0a5 on their systems.
**What to test:** Alpha testers who run non-standard Tor Browser setups (including, but not limited to, those who use
system tor in conjunction with Tor Browser and those with specific network and bridge settings) should test starting and
connecting to Tor, and report any unexpected error messages they encounter. All of the previously supported environment
variables should still behave the same way as in the stable series.
## Onion Auth fixes (Desktop)
Tor Browser 12.0a4 included two fixes to Onion Service client authorization:
1. A fix to the auth window itself, which was broken in Alpha due to a regression caused by the esr102 transition:
tor-browser#41344
2. Another fix to a longstanding issue with Onion Auth failing on subdomains, which has also been backported to 11.5.5:
tor-browser#40465
**What to test:** Accessing client authorized Onion Services on both top-level and subdomains.
## Always prioritize .onion sites (Android)
Android users can now enable automatic Onion-Location redirects by switching "Prioritize .onion sites" within Privacy
and Security settings. However, we have not yet implemented the url bar UI which we have in Tor Browser for Desktop.
**What to test:** Enable "Prioritize .onion sites" within settings, visit a website that supports Onion-Location, and
verify that you were redirected to the website's .onion address.
The full changelog since Tor Browser 12.0a4 is:
All Platforms
Update Translations
Update OpenSSL to 1.1.1s
Update NoScript to 11.4.13
Update tor to 0.4.7.11
Update zlib to 1.2.13
Bug tor-browser#17228: Consideration for disabling/trimming referrers within TBB
Bug tor-browser#27258: font whitelist means we don't have to set gfx.downloadable_fonts.fallback_delay
Bug tor-browser#40183: Consider disabling TLS ciphersuites containing SHA-1
Bug tor-browser-build#40622: Update obfs4proxy to 0.0.14 in Tor Browser
Bug tor-browser-build#40674: Add Secondary Snowflake Bridge
Bug tor-browser#40783: Review 000-tor-browser.js and 001-base-profile.js for 102
Bug tor-browser#41406: Do not define --without-wasm-sandboxed-libraries if WASI_SYSROOT is defined
Bug tor-browser#41420: Remove brand.dtd customization on nightly
Bug tor-browser#41457: Remove more Mozilla permissions
Bug tor-browser#41460: Migrate new identity and security level preferences in 11.5.8
Bug tor-browser#41473: Add support for Albanian (sq)
Windows + macOS + Linux
Update Firefox to 102.5.0esr
Bug tor-browser#31064: Letterboxing is enabled in priviledged contexts too
Bug tor-browser#31821: reapply window.open() clamping
Bug tor-browser#32411: Consider adding about:tor and others to the list of pages that do not need letterboxing
Bug tor-browser#40081: Letterboxing since 32220 affected by layout.css.devPixelsPerPx
Bug tor-browser#40767: 1px white border visible on fullscreen video playback
Bug tor-browser#41293: Incomplete branding in German with 12.0a2
Bug tor-browser#41378: Inform users when Tor Browser sets their language automatically
Bug tor-browser#41409: Circuit display is broken on Tails
Bug tor-browser#41410: Opening and closing HTTPS-Only settings make the identity panel shrink
Bug tor-browser#41412: New Identity shows "Tor Browser" instead of "Restart Tor Browser" in unstranslated locales
Bug tor-browser#41417: Prompt users to restart after changing language
Bug tor-browser#41429: TorConnect and TorSettings are initialized twice
Bug tor-browser#41433: Should letterboxing take in account optional components' heights?
Bug tor-browser#41434: Letterboxing bypass through secondary tab (popup/popunder...)
Bug tor-browser#41436: The new tor-launcher handles arrays in the wrong way
Bug tor-browser#41437: Use the new media query for dark theme for the "Connected" pill in bridges
Bug tor-browser#41449: Onion authentication's learn more should link to the offline manual
Bug tor-browser#41451: Still using requestedLocales in torbutton
Bug tor-browser#41455: Tor Browser dev build cannot launch tor
Bug tor-browser#41458: Prevent mach package-multi-locale from actually creating a package
Bug tor-browser#41462: Add anchors to bridge-moji and onion authentication entries
Bug tor-browser#41498: The Help panel is empty in 12.0a4
Windows
Bug tor-browser#41426: base-browser nightly fails to build for windows-i686
macOS
Bug tor-browser#23451: Adapt font whitelist to changes on macOS (zh locales)
Bug tor-browser-build#40687: macOS nightly builds with packaged locales fail
Android
Update GeckoView to 102.5.0esr
Bug tor-browser#40014: Check which of our mobile prefs and configuration changes are still valid for GeckoView
Bug tor-browser#41471: Update targetSdkVersion to 31
Bug tor-browser#41481: Tor Browser 11.5.9 for Android crashes on launch on Android 12+ after targetSdkVersion
update
Build System
All Platforms
Update Go to 1.19.3
Bug tor-browser-build#40675: Update tb_builders list in set-config
Bug tor-browser-build#40667: Update Node.js to 12.22.12
Bug tor-browser-build#40690: Revert fix for zlib build break
Bug tor-browser#41446: Multi-lingual alpha bundles break make fetch
Windows + macOS + Linux
Bug tor-browser-build#40503: Update Release Prep issue template with base-browser and privacy browser changes
Bug tor-browser-build#40641: Fetch Firefox locales from l10n-central
Bug tor-browser-build#40685: Remove targets/nightly/var/mar_locales from rbm.conf
Bug tor-browser-build#40686: Add a temporary project to fetch Fluent tranlations for base-browser
Bug tor-browser-build#40691: Update firefox config to point to base-browser branch rather than a particular
tag in nightly
Bug tor-browser-build#40699: Fix input_files in projects/firefox-l10n/config
Windows
Bug tor-browser-build#40666: Fix compiler depedencies for Firefox on Windows
macOS
Bug tor-browser-build#40067: Rename "OS X" to "macOS"
Bug tor-browser-build#40439: Create universal x86-64/arm64 mac builds
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xDE47360363F34B2C.asc
Type: application/pgp-keys
Size: 4816 bytes
Desc: OpenPGP public key
URL: <http://lists.torproject.org/pipermail/tor-announce/attachments/20221201/cc97d9ce/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-announce/attachments/20221201/cc97d9ce/attachment.sig>
More information about the tor-announce
mailing list