The Tor Browser Team is proud to announce the first alpha released based on Firefox 38 ESR. As such, this release features many updates to Firefox (including several security updates), as well as to our build system and dependencies. For this release, we performed a thorough network and feature review of Firefox 38, and fixed the most pressing privacy issues, as well as all Tor proxy safety issues that we discovered during the audit. We also updated our toolchain on OS X to use the OS X 10.7 SDK. For Linux and Windows we switched to GCC 5.1 as our new (cross)-compiler. We are therefore especially interested in feedback if there are stability issues or broken Tor Browser bundles due to these toolchain upgrades. Besides Firefox 38 and build system changes, we also updated several components. Most notably, we bumped OpenSSL to version 1.0.1o, NoScript to version 2.6.9.27 and Torbutton to version 1.9.3.0. Included as well is a backported Tor patch to improve usability on websites, and we fixed a crash bug impacting users with the security slider level set to "High". Here is the complete changelog since 5.0a2 All Platforms Update Firefox to 38.1.0esr Update OpenSSL to 1.0.1o Update NoScript to 2.6.9.27 Update meek to 0.20 Update Torbutton to 1.9.3.0 Bug 16403: Set search parameters for Disconnect Bug 14429: Make sure the automatic resizing is enabled Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1) Bug 16200: Update Cache API usage and prefs for FF38 Bug 16357: Use Mozilla API to wipe permissions db Translation updates Update Tor Launcher to 0.2.6.7 Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1) Bug 15145: Visually distinguish "proxy" and "bridge" screens. Translation updates Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com) (Tor patch backport) Bug 13247: Fix meek profile error after bowser restarts Bug 16397: Fix crash related to disabling SVG Bug 16403: Set search parameters for Disconnect Bug 16446: Update FTE bridge #1 fingerprint Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent Bug 16005: Relax WebGL minimal mode Bug 16300: Isolate Broadcast Channels to first party Bug 16439: Remove Roku screencasting code Bug 16285: Disabling EME bits Bug 16206: Enforce certificate pinning Bug 13670: Isolate OCSP requests by first party domain Bug 16448: Isolate favicon requests by first party Bug 7561: Disable FTP request caching Bug 6503: Fix single-word URL bar searching Bug 15526: ES6 page crashes Tor Browser Bug 16254: Disable GeoIP-based search results Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads. Bug 13024: Disable DOM Resource Timing API Bug 16340: Disable User Timing API Bug 14952: Disable HTTP/2 Mac OS Use OSX 10.7 SDK Bug 16253: Tor Browser menu on OS X is broken with ESR 38 Build System Bug 16351: Upgrade our toolchain to use GCC 5.1 Bug 15772 and child tickets: Update build system for Firefox 38 Continue reading...
