[tor-bugs] #22291 [Applications/Tor Browser Sandbox]: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 18 04:25:29 UTC 2017


#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use
--------------------------------------------------+---------------------
     Reporter:  6h72Q484AddGha8H                  |      Owner:  yawning
         Type:  defect                            |     Status:  new
     Priority:  Medium                            |  Milestone:
    Component:  Applications/Tor Browser Sandbox  |    Version:
     Severity:  Normal                            |   Keywords:
Actual Points:                                    |  Parent ID:
       Points:                                    |   Reviewer:
      Sponsor:                                    |
--------------------------------------------------+---------------------
 Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

 Utilizing sandbox release 0.6, the first startup asks which channel to
 utilize. If selecting alpha, Tor Browser 7.0a3 is downloaded instead of
 the latest 7.0a4. This appears to be because the JSON published URLs are
 not kept up to date. This has been a bug in the past too with respect to
 outdated or wrong JSON listings. This should probably be fixed so that
 users are not put in jeopardy of downloading a vulnerable version in the
 future.

 install: Metadata URL:
 https://aus1.torproject.org/torbrowser/update_2/alpha/downloads.json

 As you can see, the metadata URL is not updated and therefore the older
 version is downloaded, putting the Tor user potentially at risk due to
 running an outdated or insecure older release.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22291>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

