Tor Browser 7.5a3 is released
Note: Tor Browser 7.5a3 is a security bugfix release for Linux users only. Users on Windows and macOS are not affected and stay on Tor Browser 7.5a2.
Tor Browser 7.5a3 is now available for our Linux users from the Tor Browser Project page and also from our distribution directory.
This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support, Firefox allows proxy settings to be bypassed, as it has a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL, the operating system may connect directly to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser, are unaffected, though.
The bug was reported to us by Julian Jackson (@atechdad) via our HackerOne bug bounty program on July 26. Thanks! We are not aware of it being exploited in the wild.
Here is the full changelog since 7.5a2:
- Linux
  - Bug 23044: Don't allow GIO supported protocols by default
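A defender-side check for the condition this release addresses, as an added example that is not Tor Project code: it reads the text of a profile's prefs.js and user.js and reports which schemes the GIO whitelist would accept. Assumptions not stated on the page: the whitelist is read from Firefox's `network.gio.supported-protocols` preference with an upstream fallback of `smb:,sftp:`; the function names and sample prefs are constructed.

```python
import re

# Assumption (not named on the page): Firefox's GIO handler takes its scheme
# whitelist from this pref; upstream falls back to "smb:,sftp:" when unset.
GIO_PREF = "network.gio.supported-protocols"
UPSTREAM_DEFAULT = "smb:,sftp:"

# Matches pref("name", "string value"); and user_pref(...) lines.
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;')

# Constructed sample input, not taken from a real profile.
PREFS_JS = '''// constructed prefs.js
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
'''
USER_JS = 'user_pref("network.gio.supported-protocols", "SMB:, sftp:");\n'


def gio_pref_value(*pref_texts):
    """Last string assigned to GIO_PREF, or None if never set.
    Pass file contents in load order (prefs.js, then user.js): later wins."""
    value = None
    for text in pref_texts:
        for line in text.splitlines():
            m = _PREF_RE.match(line)
            if m and m.group(1) == GIO_PREF:
                value = m.group(2)
    return value


def gio_schemes(value, build_default=""):
    """Schemes the whitelist would hand to GIO. build_default is what the
    binary uses when the pref is unset: "" for a build that ships an empty
    whitelist, UPSTREAM_DEFAULT for unmodified upstream Firefox."""
    raw = build_default if value is None else value
    raw = "".join(raw.split()).lower()
    return sorted(s.rstrip(":") for s in raw.split(",") if s.strip(":"))


def audit(pref_texts, build_default=""):
    """("OK", []) when no scheme is whitelisted, else ("FAIL", schemes)."""
    schemes = gio_schemes(gio_pref_value(*pref_texts), build_default)
    return ("FAIL" if schemes else "OK", schemes)


if __name__ == "__main__":
    print(audit([PREFS_JS]))           # profile leaves the pref unset
    print(audit([PREFS_JS, USER_JS]))  # user.js re-enables smb and sftp
```

Pass `build_default=UPSTREAM_DEFAULT` to model a browser build that still ships the upstream fallback, where an unset pref is itself a finding.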
Comments
Please note that the comment area below has been archived.
15:05:29.896 XML Parsing Error: syntax error
Location: https://www.html5video.org/
Line Number 1, Column 1: 1 www.html5video.org:1:1
Why on https://html5test.com/
Content Security Policy 1
No ✘
Content Security Policy 2
No ✘
?
Good question. With a vanilla Firefox ESR 52 I get a "No" for Content Security Policy 2 as well. But I am not sure why we differ wrt Content Security Policy 1...
DEEP WEB