#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use --------------------------------------------------+--------------------- Reporter: 6h72Q484AddGha8H | Owner: yawning Type: defect | Status: new Priority: Medium | Milestone: Component: Applications/Tor Browser Sandbox | Version: Severity: Normal | Keywords: Actual Points: | Parent ID: Points: | Reviewer: Sponsor: | --------------------------------------------------+--------------------- Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use
Utilizing sandbox release 0.6, the first startup asks which channel to utilize. If selecting alpha, Tor Browser 7.0a3 is downloaded instead of the latest 7.0a4. This appears to be because the JSON published URLs are not kept up to date. This has been a bug in past too with respect to outdated or wrong JSON listings. This should probably be fixed so that users are not put in jeopardy of downloading a vulnerable version in the future. install: Metadata URL: https://aus1.torproject.org/torbrowser/update_2/alpha/downloads.json As you can see, the metadata URL is not updated and therefor the older version is downloaded, putting the Tor user potentially at risk due to running and outdated or insecure older release. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22291> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs