Tor Browser 7.5a7 is released

by boklm | November 4, 2017

Note: Tor Browser 7.5a7 is a security bugfix release in the alpha channel for macOS and Linux users only. Users of the alpha channel on Windows are not affected and stay on Tor Browser 7.5a6.

Tor Browser 7.5a7 is now available for our macOS and Linux users from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor Browser for macOS and Linux users. Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails users and users of our sandboxed-tor-browser are unaffected, though.

The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild. Thanks to everyone who helped during this process!

Known issues: The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136.

Here is the full changelog since 7.5a6:

  • OS X
    • Bug 24052: Streamline handling of file:// resources
  • Linux
    • Bug 24052: Streamline handling of file:// resources

Comments

Please note that the comment area below has been archived.

November 04, 2017

Permalink

whats with the:

Changelog:
Tor Browser 7.5a7 -- November 6 2017
* OS X
* Bug 24052: Streamline handling of file:// resources
* Linux
* Bug 24052: Streamline handling of file:// resources

This is November 4th, even with the international date line it doesn't work.

The process to prepare a new release takes a few days, but the Changelog is written when we start the build so we have to guess when everything will be ready for publishing, and this time we were faster than we planned.

November 05, 2017

Permalink

oooo

November 05, 2017

Permalink

Really proud that you thought about us, alpha users, thanks tor browser team :D

November 06, 2017

Permalink

Friends, do this bug affect Firefox Portable when configured with Tor expert bundle and running inside Windows?

November 07, 2017

Permalink

What happens when Entry guard or Middle relay is trying to control, to decide which following relay it will allow?