Tor Browser 7.5a3 is released

by gk | July 28, 2017

Note: Tor Browser 7.5a3 is a security bugfix release for Linux users only. Users on Windows and macOS are not affected and stay on Tor Browser 7.5a2.

Tor Browser 7.5a3 is now available for our Linux users from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support, Firefox allows proxy settings to be bypassed because it has a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL, the operating system may connect directly to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser, are unaffected, though.

The bug was reported to us by Julian Jackson (@atechdad) via our HackerOne bug bounty program on July 26. Thanks! We are not aware of it being exploited in the wild.

Here is the full changelog since 7.5a2:

  • Linux
    • Bug 23044: Don't allow GIO supported protocols by default
