[tor-announce] New Release: Tor Browser 11.5.5 (Android, Windows, macOS, Linux)

Richard Pospesel richard at torproject.org
Tue Oct 25 17:19:40 UTC 2022 

Tor Browser 11.5.5 is now available from the Tor Browser download page and also 
from our distribution directory.

Tor Browser 11.5.5 backports the following security updates from Firefox ESR 
102.4 to to Firefox ESR 91.13 on Windows, macOS and Linux:

     CVE-2022-40674: libexpat before 2.4.9 has a use-after-free in the doContent 
function in xmlparse.c
     CVE-2022-42927: Same-origin policy violation could have leaked cross-origin 
URLs
     CVE-2022-42928: Memory Corruption in JS Engine
     CVE-2022-42929: Denial of Service via window.print
     CVE-2022-42932: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4

Tor Browser 11.5.5 updates GeckoView on Android to 102.4.0esr and includes 
important security updates. There were no Android-specific security updates to 
backport from the Firefox 106 release.

The full changelog since Tor Browser 11.5.4 is:

     All Platforms
         Update Translations
         Bug tor-browser-build#40649: Update meek default bridge
         Bug tor-browser-build#40654: Enable uTLS and use the full bridge line 
for snowflake
     Windows + macOS + Linux
         Update Manual
         Bug tor-browser#40465: Onion Authentication fails when connecting to a 
subdomain
         Bug tor-browser#41355: Amends to YEC 2022 Takeover Desktop Stable 11.5.5
         Bug tor-browser#41359: Backport ESR 102.4 security fixes to 91.13-based 
Tor Browser
         Bug tor-browser#41364: Continued amends to YEC 2022 Takeover Desktop 
Stable 11.5.5
     Android
         Bug tor-browser-build#40650: Rebase geckoview-102.3.0esr-11.5-1 to ESR 
102.4
         Bug tor-browser#41360: Backport Android-specific Firefox 106 to ESR 
102.4-based Tor Browser
         Bug tor-browser#41365: Amends to YEC 2022 Takeover on Android
     Build
         Windows + macOS + Linux
             Update Go to 1.18.7
             Bug tor-browser-build#40464: go 1.18 fails to build on macOS

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xDE47360363F34B2C.asc
Type: application/pgp-keys
Size: 8030 bytes
Desc: OpenPGP public key
URL: <http://lists.torproject.org/pipermail/tor-announce/attachments/20221025/7ee3435d/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-announce/attachments/20221025/7ee3435d/attachment.sig>

More information about the tor-announce mailing list