Tor Browser 6.5a3 is released

by boklm | September 20, 2016

Tor Browser 6.5a3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

This release bumps the versions of several of our components: Firefox to 45.4.0esr, Tor to 0.2.9.2-alpha, OpenSSL to 1.0.2h, HTTPS-Everywhere to 5.2.4, and NoScript to 2.9.0.14. Additionally, we are adding Unix Domain Socket support on Linux and OS X, the about:tbupdate page giving information about the update has been improved, and the referrer spoofing for .onion domains has been moved from Torbutton to C++ patches.

Note: Due to bug 20185 Tor Browser on Linux and OS X will not work correctly if the path where it is installed is too long. As a workaround you may need to move it to a directory with a shorter path.

Update (9/22 07:15 UTC): We got reports about updates failing on OS X systems. We are still investigating the problem, but this is likely due to a combination of issues. For one, we might have introduced a permission problem by trying to get our incremental updates working again. Secondly, Unix domain socket paths for the control port that contain spaces are not working. See comment 5 in bug 20210 for a preliminary analysis and workarounds. We are sorry for the inconvenience.
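A pre-flight check for the two path problems described above (install path too long, spaces in the control socket path), added here as an example and not part of the Tor Browser code. It assumes the length limit is the `sun_path` size of a Unix domain socket address (108 bytes on Linux, 104 on OS X), which the post does not state, and `SOCKET_SUFFIX` is a hypothetical placeholder for the socket's location under the install directory.

```shell
#!/bin/sh
# Added example: check an install directory against the path problems
# noted for this release (bug 20185: path too long; bug 20210: spaces).
# ASSUMPTION: the limit is sockaddr_un.sun_path (108 bytes on Linux,
# 104 on OS X, both including the trailing NUL byte).
# ASSUMPTION: SOCKET_SUFFIX is a placeholder, not the real bundle layout.
SOCKET_SUFFIX="${SOCKET_SUFFIX:-/PLACEHOLDER/control.socket}"

# sun_path_limit OS -> prints the maximum usable path length in bytes
sun_path_limit() {
    case "$1" in
        Darwin) echo 103 ;;   # 104-byte sun_path minus the NUL
        *)      echo 107 ;;   # 108-byte sun_path minus the NUL (Linux)
    esac
}

# check_install_path DIR [OS] -> prints findings; returns 0 if clean, 1 if not
check_install_path() {
    dir=$1
    os=${2:-$(uname -s)}
    full="${dir%/}${SOCKET_SUFFIX}"
    limit=$(sun_path_limit "$os")
    # Count bytes, not characters: sun_path is a fixed-size byte array.
    len=$(printf '%s' "$full" | LC_ALL=C wc -c | tr -d ' ')
    rc=0
    if [ "$len" -gt "$limit" ]; then
        echo "too-long: socket path is $len bytes, limit is $limit on $os"
        rc=1
    fi
    case "$full" in
        *[[:space:]]*)
            echo "whitespace: socket path contains whitespace"
            rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "ok: $len bytes"
    fi
    return "$rc"
}
```

Call it as `check_install_path "$HOME/tor-browser"` before unpacking or updating; a non-zero return means the directory should be moved to a shorter path without spaces.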

Here is the full changelog since 6.5a2:

  • All Platforms
    • Update Firefox to 45.4.0esr
    • Update Tor to 0.2.9.2-alpha
    • Update OpenSSL to 1.0.2h (bug 20095)
    • Update Torbutton to 1.9.6.4
      • Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
      • Bug 17767: Make "JavaScript disabled" more visible in Security Slider
      • Bug 19995: Clear site security settings during New Identity
      • Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
      • Bug 19837: Whitelist internal URLs that Firefox requires for media
      • Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
      • Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
      • Bug 14271: Make Torbutton work with Unix Domain Socket option
      • Translation updates
    • Update Tor Launcher to 0.2.10.1
      • Bug 14272: Make Tor Launcher work with Unix Domain Socket option
      • Bug 19568: Set CurProcD for Thunderbird/Instantbird
      • Bug 19432: Remove special handling for Instantbird/Thunderbird
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.4
    • Update NoScript to 2.9.0.14
    • Bug 14273: Backport patches for Unix Domain Socket support
    • Bug 19890: Disable installation of system addons
    • Bug 17334: Spoof referrer when leaving a .onion domain
    • Bug 20092: Rotate ports for default obfs4 bridges
    • Bug 20040: Add update support for unpacked HTTPS Everywhere
    • Bug 20118: Don't unpack HTTPS Everywhere anymore
    • Bug 19336+19835: Enhance about:tbupdate page
  • Android
    • Bug 19706: Store browser data in the app home directory
  • Build system
    • All platforms
      • Bug 20133: Don't apply OpenSSL patch anymore
      • Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
    • OS X
      • Bug 19856: Make OS X builds reproducible again
      • Bug 19410: Fix incremental updates by taking signatures into account

Comments

Please note that the comment area below has been archived.

September 21, 2016

Why a SHA1 gpg signature? The 6.5a2 is signed with sha512. But the 6.5a3 is signed with sha1. Is tor under attack?

September 21, 2016

03:40:12.708 TypeError: cert is null
updateCertDump() viewCertDetails.js:269
onselect() certViewer.xul:1
onxblmousedown() tree.xml:1087
1 viewCertDetails.js:269:5

September 28, 2016

Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start.

Downloaded & installed twice - it won't open.

OS X 10.11.6

September 28, 2016

Downloaded & installed twice - it won't open.

Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start.

OS X 10.11.6

September 28, 2016

Tor Browser 6.04 is incompatible with Windows 10... is there an update patch?

It is not Tor Browser incompatible with Windows 10, it is Windows 10 incompatible with privacy and anonymity.

September 28, 2016

Why aren't my messages showing up? This is the THIRD time!

I installed 6.5a3 several times today and it DOES NOT WORK.
In fact the first time it screwed up my Tor so that it wouldn't launch - I kept getting an error message.

Reinstalling 3.5a2 had the same errors.

I finally had to do a complete uninstall before reinstalling 3.5a2.

OS X 10.11.6

September 28, 2016

We do not need updates all the time, Firefox is adding so many changes it virtually means "you exchange an old bug with a new bug", the ***-letter agencies status quo still stands and TP doesn't do anything about it, sorry I'm not falling for it, and also had the Cert pinning disabled for a looooong time, here you go....
security.cert_pinning.enforcement_level = 0
for occasional browsing the cert pinning isn't needed in any way, and the few services where it's critical, it is much better to save the certificate info and compare it to ensure there's no MITM.
Not going to touch any Tor browser based on e10s Firefox versions (ESR 45 and later) for a while, meaning Firefox ESR 38 based is the last one, maybe some time in the future when more info comes out how ESR 45 is doing I might consider a switch, but for another reason not probable, ESR 45 is heavily bloated and needs too much CPU resources and I can't run it on my old computer.
If I understood it correctly, TP never did release a full version based on ESR 38 but right in the middle switched to ESR45, which is a big disappointment.

> ESR 45 is heavily bloated and needs too much CPU resources and I can't run it on my old computer.

The greatest burden on CPU comes from NoScript > Temporarily allow all this page:

"Allow top level scripts on this site" would be vastly preferable to "Allow ALL this page" (which basically means: enable dozens of scripts, 99% of which are unneeded statistics, advertising, and off-site tracking scripts... and gobble up all of my free memory too.)

If only scripts would stop running when you switch to another tab as well. But that's a Firefox issue. I guess you can always restart the browser when it begins to bog down.

Are you saying that NoScript in combination in particular with TBB based on Firefox ESR 45 is the culprit? Because previous Firefox versions are noticeably lighter on old HW.

October 16, 2016

re: mixed static content Is it possible to force un-encrypted content within a secure page to be served securely? The sites which serve the content offer http & https; but the people (board/forum) who provide links to the sites that host the content often do not choose or configure the embedded static content to use ssl.
Basically this is what I mean but from someone who actually knows what he's talking about -----> http://jasonwatmore.com/post/2014/09/25/aspnet-fix-for-https-ssl-insecu…