A new hardened Tor Browser release is available. It can be found in the 6.5a1-hardened distribution directory and on the download page for hardened builds. This release features important security updates to Firefox. Tor Browser 6.5a1-hardened is the first hardened release in our 6.5 series. It updates Firefox to 45.2.0esr and contains all the improvements that went into Tor Browser 6.0. Compared to that there are additional noteworthy things that went into this alpha release: we bumped the Tor version to 0.2.8.3-alpha and backported additional security features: exploiting the JIT compiler got made harder and support for SHA1 HPKP pins got removed. On the infrastructure side, we are now using fastly to deliver the update files. We thank them for their support. Note: There is no incremental update from 6.0a5-hardened available due to bug 17858. The internal updater should work, though, doing a complete update. Here is the complete changelog since 6.0a5-hardened: All Platforms Update Firefox to 45.2.0esr Update Tor to 0.2.8.3-alpha Update Torbutton to 1.9.6 Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu Bug 18905: Hide unusable items from help menu Bug 17599: Provide shortcuts for New Identity and New Circuit Bug 18980: Remove obsolete toolbar button code Bug 18238: Remove unused Torbutton code and strings Translation updates Code clean-up Update Tor Launcher to 0.2.8.5 Bug 18947: Tor Browser is not starting on OS X if put into /Applications Update HTTPS-Everywhere to 5.1.9 Update meek to 0.22 (tag 0.22-18371-3) Bug 19121: The update.xml hash should get checked during update Bug 12523: Mark JIT pages as non-writable Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream Bug 19164: Remove support for SHA-1 HPKP pins Bug 19186: KeyboardEvents are only rounding to 100ms Bug 18884: Don't build the loop extension Bug 19187: Backport fix for crash related to popup menus Bug 19212: Fix crash related to network panel in developer tools Bug 18703: Fix circuit isolation issues on Page Info dialog Bug 19115: Tor Browser should not fall back to Bing as its search engine Bug 18915+19065: Use our search plugins in localized builds Bug 19176: Zip our language packs deterministically Bug 18811: Fix first-party isolation for blobs URLs in Workers Bug 18950: Disable or audit Reader View Bug 18886: Remove Pocket Bug 18619: Tor Browser reports "InvalidStateError" in browser console Bug 18945: Disable monitoring the connected state of Tor Browser users Bug 18855: Don't show error after add-on directory clean-up Bug 18885: Disable the option of logging TLS/SSL key material Bug 18770: SVGs should not show up on Page Info dialog when disabled Bug 18958: Spoof screen.orientation values Bug 19047: Disable Heartbeat prompts Bug 18914: Use English-only label in <isindex/> tags Bug 18996: Investigate server logging in esr45-based Tor Browser Bug 17790: Add unit tests for keyboard fingerprinting defenses Bug 18995: Regression test to ensure CacheStorage is disabled Bug 18912: Add automated tests for updater cert pinning Bug 16728: Add test cases for favicon isolation Bug 18976: Remove some FTE bridges Linux Bug 19189: Backport for working around a linker (gold) bug Build System All PLatforms Bug 18333: Upgrade Go to 1.6.2 Bug 18919: Remove unused keys and unused dependencies Bug 18291: Remove some uses of libfaketime Bug 18845: Make zip and tar helpers generate reproducible archives Continue reading...
