Tor Browser 6.5a5 is released

by gk | December 2, 2016

Tor Browser 6.5a5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Firefox and, in addition, contains an update to NoScript (2.9.5.2) and a fix to our updater code so that it can handle unix domain sockets.

The Firefox security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though, to the best of our knowledge, there is currently no similar exploit available for OS X or Linux users, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.

Tor Browser users who had set their security slider to "High" are believed to have been safe from this vulnerability.

A note to Linux users: We still require the same update procedure as experienced during the update to 6.5a4: a dialog will be shown asking to either set `app.update.staging.enabled` or `extensions.torlauncher.control_port_use_ipc` and `extensions.torlauncher.socks_port_use_ipc` to `false` (and restart the browser in the latter case) before attempting to update. The fix for this problem is shipped with this release and we will be back to a normal update experience with the update to 6.5a6. We are sorry for this inconvenience.

Here is the full changelog since 6.5a4:

  • All Platforms
    • Update Firefox to 45.5.1esr
    • Update NoScript to 2.9.5.2
  • Linux
    • Bug 20691: Updater breaks if unix domain sockets are used

Comments

Please note that the comment area below has been archived.

December 02, 2016

I have a problem with the update.

There were problems checking for, downloading, or installing this update. Navigateur Tor could not be updated because:

The integrity of the update could not be verified

Where is my problem, please?

thank you

December 02, 2016

hi,
I'm running TB 6.0.7 (based on Mozilla Firefox 45.5.1) and it says there are no updates available when I check...

WHY??

(Win XP SP3 on an AMD Athlon XP processor)

Sounds like you're on the "stable" branch of Tor Browser.

There is an "alpha" branch too, which is what this post is about.

If you're on the stable branch (which is totally fine -- most people are), it will track updates to stable. Whereas the alpha branch tracks updates to alpha.

December 04, 2016

On a highly loaded system during New Identity:

Torbutton cannot safely give you a new identity. It does not have access to the Tor Control Port.

Are you running Tor Browser Bundle?

December 05, 2016

In reply to gk

Seems to be during overload of network stack. During CPU overload:

NS_ERROR_NOT_AVAILABLE: Cannot call openModalWindow on a hidden window nsPrompter.js:347:0
Error: Script terminated by timeout at:
torbutton_do_new_identity/<@chrome://torbutton/content/torbutton.js:1360:24
torbutton.js:1360:24

December 06, 2016

In reply to gk

No. Only "unresponsive script" dialog appears during high CPU load, and those errors in Console. So that alert dialog is another issue.

December 08, 2016

In reply to gk

OP here.
I dunno if that's reproducible. When I pressed OK on that dialog and opened error console, I found this:
[12-08 15:28:13] Torbutton NOTE: Exception on control port [Exception... "Component returned failure code: 0x804b000e (NS_ERROR_NET_TIMEOUT) [nsIBinaryInputStream.readBytes]" nsresult: "0x804b000e (NS_ERROR_NET_TIMEOUT)" location: "JS frame :: chrome://torbutton/content/torbutton.js :: torbutton_socket_readline :: line 1534" data: no]
[12-08 15:28:13] Torbutton WARN: Torbutton was unable to request a new circuit from Tor

December 06, 2016

In reply to gk

It was only once on Win XP SP3, so it was reported as a notice, not an issue.

I just tested it on Windows and I don't get this error. More importantly after closing Tor Browser the HPKP entry for aus1.torproject.org gets written to SiteSecurityServiceState in the browser profile. Thus, this seems to be working.

Do you get that entry in the SiteSecurityServiceState as well? You should be able to find that file in your profile directory in Tor Browser\Browser\TorBrowser\Data\Browser\profile.default.

December 06, 2016

In reply to gk

Yes, it's working and isn't site-specific. It happens sometimes for an unknown reason. And it seems better to test it with filled entries in that file - to check inconsistencies between received and written states.
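
The check discussed above (is the HPKP entry for aus1.torproject.org written to SiteSecurityServiceState, and does the written state match what was received?) can be scripted. The following is an added example, not part of the original post or comments and not Tor Project code. It assumes the Firefox 45-era line layout `host:TYPE<TAB>score<TAB>last-access-day<TAB>expiry_ms,state,includeSubdomains[,pins]` with pins stored as concatenated 44-character base64 strings; the pins and timestamps in the sample are constructed.

```python
import base64
from datetime import datetime, timezone

PIN_LEN = 44  # base64 length of one SHA-256 pin; pins are stored concatenated

def parse_site_security_state(text):
    """Parse lines of the assumed form: host:TYPE <tab> score <tab> day <tab> value."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing
        host, _, kind = fields[0].rpartition(":")
        parts = fields[3].split(",", 3)
        if kind not in ("HSTS", "HPKP") or len(parts) < 3:
            continue
        try:
            expiry_ms, state = int(parts[0]), int(parts[1])
        except ValueError:
            continue
        merged = parts[3] if len(parts) == 4 else ""
        entries[(host, kind)] = {
            "expires": datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc),
            "state": state,  # assumed encoding: 0 = unset, 1 = set, 2 = knockout
            "include_subdomains": parts[2] == "1",
            "pins": [merged[i:i + PIN_LEN] for i in range(0, len(merged), PIN_LEN)],
        }
    return entries

def check_hpkp(entries, host, expected_pins, now):
    """Compare the written state with the pins that were received; [] means consistent."""
    entry = entries.get((host, "HPKP"))
    if entry is None:
        return ["no HPKP entry for " + host]
    problems = []
    if entry["state"] != 1:
        problems.append("state is not 'set'")
    if entry["expires"] <= now:
        problems.append("entry expired")
    if set(entry["pins"]) != set(expected_pins):
        problems.append("stored pins differ from expected")
    return problems

# Constructed sample data: these pins are NOT the real aus1.torproject.org pins.
PIN_A = base64.b64encode(b"A" * 32).decode()
PIN_B = base64.b64encode(b"B" * 32).decode()
SAMPLE = ("aus1.torproject.org:HPKP\t0\t17141\t1488326400000,1,0," + PIN_A + PIN_B + "\n"
          "example.com:HSTS\t2\t17140\t1488326400000,1,1\nnot a valid line\n")
NOW = datetime(2016, 12, 6, tzinfo=timezone.utc)
print(check_hpkp(parse_site_security_state(SAMPLE), "aus1.torproject.org", [PIN_A, PIN_B], NOW))
```

To run it against a real profile, read the file from the profile directory while the browser is closed and pass the pins taken from the server's `Public-Key-Pins` response header as `expected_pins`.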