This release features important security updates to Firefox.
This will probably be our last alpha release before the stable 6.0 and it contains a bunch of noteworthy changes.
First, we switched the browser to Firefox ESR 45 and rebased our old patches/wrote new ones where necessary.
Second, we ship a new Tor alpha version, 0.2.8.2, which makes meek usable again and contains a number of other improvements/stability fixes.
Third, this alpha release introduces code signing for OS X in order to cope with Gatekeeper, the OS X mechanism for allowing only authorized applications to run. There were bundle layout changes necessary to adhere to code signing requirements. Please test that everything is still working as expected if you happen to have an OS X machine. We plan to post instructions for removing the code signing parts on our website soon. This should make it easier to compare the bundles we build with the actual bundles we ship.
The fourth highlight is the fix for an installer related DLL hijacking vulnerability. This vulnerability made it necessary to deploy a newer NSIS version to create our .exe files. Please test that the installer is still working as expected if you happen to have a Windows machine.
- It seems there is a bug regarding our search engine selection in non-en-US bundles. The search engines actually used are the ones contained in the respective language packs but not those we ship. There is no easy workaround for this short of disabling the language pack or adding the search engines one wants to have by hand. We are sorry for this inconvenience.
- An other issue is an error “Unable to start tor” after upgrading from an older version, on Mac OS (Bug 18928). Quitting and restarting a second time should fix the problem.
Here is the full changelog since 6.0a4:
Tor Browser 6.0a5 — April 28 2016
- All Platforms
- Update Firefox to 45.1.0esr
- Update Tor to 0.2.8.2-alpha
- Update Torbutton to 126.96.36.199
- Bug 18466: Make Torbutton compatible with Firefox ESR 45
- Translation updates
- Update Tor Launcher to 0.2.9.1
- Update HTTPS-Everywhere to 5.1.6
- Update NoScript to 188.8.131.52
- Update meek to 0.22 (tag 0.22-18371-2)
- Bug 18371: Symlinks are incompatible with Gatekeeper signing
- Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
- Bug 18900: Fix broken updater on Linux
- Bug 18042: Disable SHA1 certificate support
- Bug 18821: Disable libmdns support for desktop and mobile
- Bug 18848: Disable additional welcome URL shown on first start
- Bug 14970: Exempt our extensions from signing requirement
- Bug 16328: Disable MediaDevices.enumerateDevices
- Bug 16673: Disable HTTP Alternative-Services
- Bug 17167: Disable Mozilla’s tracking protection
- Bug 18603: Disable performance-based WebGL fingerprinting option
- Bug 18738: Disable Selfsupport and Unified Telemetry
- Bug 18799: Disable Network Tickler
- Bug 18800: Remove DNS lookup in lockfile code
- Bug 18801: Disable dom.push preferences
- Bug 18802: Remove the JS-based Flash VM (Shumway)
- Bug 18863: Disable MozTCPSocket explicitly
- Bug 15640: Place Canvas MediaStream behind site permission
- Bug 16326: Verify cache isolation for Request and Fetch APIs
- Bug 18741: Fix OCSP and favicon isolation for ESR 45
- Bug 16998: Disable <link rel=”preconnect”> for now
- Bug 18898: Exempt the meek extension from the signing requirement as well
- Bug 18899: Don’t copy Torbutton, TorLauncher, etc. into meek profile
- Bug 18890: Test importScripts() for cache and network isolation
- Bug 18726: Add new default obfs4 bridge (GreenBelt)
- OS X
- Build System
- All Platforms
- OS X