In June, the Tor Browser team released 4.5.2[1] and 5.0a2[2]. We also produced builds for 4.5.3 and 5.0a3 releases[3,4], but as of the time of this writing, these releases have not been published yet. We expect them to be published within the next day.

The 4.5.2 release fixed the Logjam attack[5], as well as updated OpenSSL to fix a DoS/crash bug[6]. It also fixed a crash bug with certain media in GStreamer[7]. The 5.0a2 release included these fixes, and additionally fixed two issues with meek[8,9].

The 4.5.3 release updated Tor Browser to the latest Firefox 31-ESR point release. It also fixed a crash bug when displaying certain SVG images at the high security slider level[10]. Finally, it backported a Tor patch to allow underscores in DNS names, which was needed to make The New York Times load properly[11].

The 5.0a3 release is our first release based on the Firefox 38-ESR code base. We performed a thorough network and feature review[12,13], fixed the most pressing privacy and Tor proxy safety issues, and documented the remainder in our bug tracker for followup in subsequent alphas. In terms of fixes in this release, we wrote patches for fingerprinting issues[14,15,16], third party tracking issues[17,18,19,20], updates to New Identity[21,22], and disabled several potentially invasive and/or as-yet unaudited features[23,24,25,26,27]. The release also features usability improvements to the Tor Launcher Bridge UI[28], single-word URL bar searching[29], and improvements to the WebGL feature set[30].

With 5.0a3, we have completed a good portion of the work involved with switching to Firefox 38-ESR. We have 6 more weeks until Firefox 31-ESR is officially end of life, and the Firefox 38-ESR must become the new stable.

The full list of tickets closed by the Tor Browser team in June can be seen using the TorBrowserTeam201506 tag on our bug tracker[31].

In July, our efforts continue to be focused on patching the remaining issues with Firefox 38-ESR. The hard deadline for the first Firefox 38-based Tor Browser stable release is August 11th, which will also coincide with an upstream Firefox point release. However, we may opt to do a "soft launch" at an earlier date so we do not have to autoupdate all of our users to the new Firefox 38 code immediately in case there are any lingering issues, similar to how we released Tor Browser 4.5.

The set of tickets on our radar for the Firefox 38 switch can be viewed with the ff38-esr bug tracker tag[32]. The set of tickets we'd prefer to have tested in a "soft launch" are tagged with some variation of tbb-5.0a[33].

Two members of the Tor Browser team will also be at the HTTP/3 workshop at the end of July. The position paper we submitted can be found in our spec archives[34].

The full list of tickets that the Tor Browser team plans to work on in July can be seen using the TorBrowserTeam201507 tag on our bug tracker[35].

1. https://blog.torproject.org/blog/tor-browser-452-released
2. https://blog.torproject.org/blog/tor-browser-50a2-released
3. https://lists.torproject.org/pipermail/tor-qa/2015-June/000628.html
4. https://lists.torproject.org/pipermail/tor-qa/2015-June/000634.html
5. https://weakdh.org/
6. https://www.openssl.org/news/vulnerabilities.html#2015-1790
7. https://trac.torproject.org/projects/tor/ticket/16026
8. https://trac.torproject.org/projects/tor/ticket/16014
9. https://trac.torproject.org/projects/tor/ticket/16269
10. https://trac.torproject.org/projects/tor/ticket/16397
11. https://trac.torproject.org/projects/tor/ticket/16430
12. https://trac.torproject.org/projects/tor/ticket/16222
13. https://trac.torproject.org/projects/tor/ticket/16090
14. https://trac.torproject.org/projects/tor/ticket/15646
15. https://trac.torproject.org/projects/tor/ticket/13024
16. https://trac.torproject.org/projects/tor/ticket/16340
17. https://trac.torproject.org/projects/tor/ticket/13670
18. https://trac.torproject.org/projects/tor/ticket/16448
19. https://trac.torproject.org/projects/tor/ticket/7561
20. https://trac.torproject.org/projects/tor/ticket/16300
21. https://trac.torproject.org/projects/tor/ticket/16200
22. https://trac.torproject.org/projects/tor/ticket/16357
23. https://trac.torproject.org/projects/tor/ticket/16439
24. https://trac.torproject.org/projects/tor/ticket/16285
25. https://trac.torproject.org/projects/tor/ticket/15910
26. https://trac.torproject.org/projects/tor/ticket/16222
27. https://trac.torproject.org/projects/tor/ticket/16254
28. https://trac.torproject.org/projects/tor/ticket/6503
29. https://trac.torproject.org/projects/tor/ticket/15145
30. https://trac.torproject.org/projects/tor/ticket/16005
31. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201506
32. https://trac.torproject.org/projects/tor/query?keywords=~ff38-esr&status=!closed
33. https://trac.torproject.org/projects/tor/query?keywords=~tbb-5.0a&status=!closed
34. https://gitweb.torproject.org/tor-browser-spec.git/plain/position-papers/HTTP3/HTTP3.pdf
35. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201507

--
Mike Perry
_______________________________________________
tor-reports mailing list
tor-reports@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports