[tor-announce] New Release: Tor Browser 11.5.8 (Android, Windows, macOS, Linux)

Richard Pospesel richard at torproject.org
Tue Nov 22 21:35:35 UTC 2022


Tor Browser 11.5.8 is now available from the Tor Browser download page and also from our distribution directory.

- https://dist.torproject.org/torbrowser/11.5.8/

This release will not be published on Google Play due to their target API level requirements. Assuming we do not run into any major problems, Tor Browser 11.5.9 will be an Android-only release that fixes this issue.

Tor Browser 11.5.8 backports the following security updates from Firefox ESR 102.5 to Firefox ESR 91.13 on Windows, macOS and Linux:

     CVE-2022-43680: In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
     CVE-2022-45403: Service Workers might have learned size of cross-origin media files
     CVE-2022-45404: Fullscreen notification bypass
     CVE-2022-45405: Use-after-free in InputStream implementation
     CVE-2022-45406: Use-after-free of a JavaScript Realm
     CVE-2022-45408: Fullscreen notification bypass via windowName
     CVE-2022-45409: Use-after-free in Garbage Collection
     CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy
     CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers
     CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers
     CVE-2022-45416: Keystroke Side-Channel Leakage
     CVE-2022-45420: Iframe contents could be rendered outside the iframe
     CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

Tor Browser 11.5.8 updates GeckoView on Android to Firefox ESR 102.5 and includes important security updates. Tor Browser 11.5.8 backports the following security updates from Firefox 107 to Firefox ESR 102.5 on Android:

     CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs

The full changelog since Tor Browser 11.5.7 is:

     All Platforms
         Update Translations
         Update OpenSSL to 1.1.1s
         Update NoScript to 11.4.12
         Update tor to 0.4.7.11
         Update zlib to 1.2.13
         Bug tor-browser-build#40622: Update obfs4proxy to 0.0.14 in Tor Browser
     Windows + macOS + Linux
         Bug tor-browser#31064: Letterboxing is enabled in privileged contexts too
         Bug tor-browser#32411: Consider adding about:tor and others to the list of pages that do not need letterboxing
         Bug tor-browser#41413: Backup intl.locale.requested in 11.5.x
         Bug tor-browser#41434: Letterboxing bypass through secondary tab (popup/popunder...)
         Bug tor-browser#41456: Backport ESR 102.5 security fixes to 91.13-based Tor Browser
         Bug tor-browser#41460: Migrate new identity and security level preferences in 11.5.8
         Bug tor-browser#41463: Backport fix for CVE-2022-43680
     Android
         Update GeckoView to 102.5.0esr
         Bug tor-browser#41461: Backport Android-specific 107-rr security fixes to 102.5-esr based Geckoview
     Build
         All Platforms
             Update Go to 1.18.8
             Bug tor-browser-build#40658: Create an anticensorship team keyring
             Bug tor-browser-build#40690: Revert fix for zlib build break
