[Tails-dev] Tor Browser 11.0.4 (Windows/macOS/Linux) is ready for testing

2022-01-07 Thread Georg Koppen

Hello!

We are happy to announce the first Tor Browser 11.0.4 release candidate
for wider testing. Packages can be found at:

https://people.torproject.org/~gk/builds/11.0.4-build2/

Tor Browser 11.0.4 updates Firefox to 91.5.0esr and gives our landing 
page the usual Tor Browser look and feel back, removing the parts of our 
year end donation campaign.


Additionally, we update NoScript to the latest release (11.2.14) and 
bundle the Noto Sans Gurmukhi and Sinhala fonts for our Linux users 
again after the underlying font rendering issue got resolved.


The full changelog since Tor Browser 11.0.3 is:

Tor Browser 11.0.4 - January 11 2022
 * Windows + OS X + Linux
   * Update Firefox to 91.5.0esr
   * Update NoScript to 11.2.14
   * Bug 40405: Rotate deusexmachina IP address [tor-browser-build]
   * Bug 40756: Fix up wrong observer removals [tor-browser]
   * Bug 40758: Remove YEC takeover from about:tor [torbutton]
 * Linux
   * Bug 40399: Bring back Noto Sans Gurmukhi and Sinhala fonts [tor-browser-build]


OpenPGP_signature
Description: OpenPGP digital signature
___
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.


[Tails-dev] Tor Browser 11.0.3 (Windows/macOS/Linux) is ready for testing

2021-12-18 Thread Georg Koppen

Hello!

We are happy to announce the first Tor Browser 11.0.3 release candidate
for wider testing. Packages can be found at:

https://people.torproject.org/~gk/builds/11.0.3-build1/

Tor Browser 11.0.3 updates Firefox to 91.4.1esr and picks up a number of 
bug fixes for our 11.0 stable series. In particular, this release should 
fix various extension related and crash issues Windows users were 
experiencing. Additionally, Linux users especially on Ubuntu and Fedora 
systems were reporting fonts not properly rendering. We believe those 
problems will be solved in the 11.0.3 release as well.


We used the opportunity to upgrade various components to their 
respective latest versions as well: Tor to 0.4.6.9, OpenSSL to 1.1.1m, 
and snowflake for enhanced censorship resistance.


The full changelog since Tor Browser 11.0.2 is:

Tor Browser 11.0.3 - December 20 2021
 * Windows + OS X + Linux
   * Update Firefox to 91.4.1esr
   * Update Tor to 0.4.6.9
   * Update OpenSSL to 1.1.1m
   * Bug 40393: Point to a forked version of pion/dtls with fingerprinting fix [tor-browser-build]
   * Bug 40394: Bump version of Snowflake to 221f1c41 [tor-browser-build]
   * Bug 40646: Revert tor-browser#40475 and inherit upstream fix [tor-browser]
   * Bug 40705: "visit our website" link on about:tbupdate pointing to different locations [tor-browser]
   * Bug 40736: Disable third-party cookies in Private Browsing Mode [tor-browser]
 * Windows
   * Bug 40389: Remove workaround for HTTPS-Everywhere WASM breakage [tor-browser-build]
   * Bug 40698: Addon menus missing content in TB11 [tor-browser]
   * Bug 40706: Fix issue in HTTPS-Everywhere WASM [tor-browser]
   * Bug 40721: Tabs crashing on certain pages in TB11 on Win 10 [tor-browser]
   * Bug 40742: Remove workaround for fixing --disable-maintenance-service build bustage [tor-browser]
 * Linux
   * Bug 40387: Fonts of the GUI do not render after update [tor-browser]
   * Bug 40685: Monospace font in browser chrome [tor-browser]
 * Build System
   * Windows + OS X + Linux
     * Bug 40403: Update Go to 1.16.12 [tor-browser-build]
   * OS X
     * Bug 40390: Remove workaround for macOS OpenSSL build breakage [tor-browser-build]




Re: [Tails-dev] NSA tails and closed code

2021-06-14 Thread Georg Koppen
anonym:
> Romper Stomper via Tails-dev:
>> Is it true that the “tails” ports are controlled by the NSA?
> 
> I'm not sure what you mean with "ports". However, NSA doesn't control
> anything related to Tails to our knowledge, and we do what we can to
> defend against it, e.g.: https://tails.boum.org/news/reproducible_Tails/
> 
> and why are there closed codes in “tails”?
> 
> I guess you are referring to the firmwares required for hardware
> support? If we didn't ship these firmwares Tails would not run on most
> hardware. It's a necessary trade-off.

Is there a list of those firmwares somewhere (I couldn't find anything
on the Tails website about that topic after searching a bit) or is it
"just" a Debian package taken 1:1 from upstream?

Georg





[Tails-dev] Tor Browser 9.0.2 is ready for testing

2019-11-28 Thread Georg Koppen
Hello!

We are happy to announce that Tor Browser 9.0.2 is ready for testing.
Bundles can be found at

https://people.torproject.org/~gk/builds/9.0.2-build2/

This new stable release is picking up security fixes for Firefox
68.3.0esr and updating our external extensions (NoScript and HTTPS
Everywhere) to their latest versions.

Apart from backports for patches that already landed in alpha releases
and fixed both an error in our circuit display and improved our
letterboxing support Tor Browser 9.0.2 provides properly localized
Android bundles again as well.

The full changelog since Tor Browser 9.0.1 is

Tor Browser 9.0.2 -- December 3 2019
 * All Platforms
   * Update Firefox to 68.3.0esr
   * Bump NoScript to 11.0.9
     * Bug 32362: NoScript TRUSTED setting doesn't work
     * Bug 32429: Issues with about:blank and NoScript on .onion sites
   * Bump HTTPS Everywhere to 2019.11.7
   * Bug 27268: Preferences clean-up in Torbutton code
   * Translations update
 * Windows + OS X + Linux
   * Bug 32125: Fix circuit display for bridge without a fingerprint
   * Bug 32250: Backport enhanced letterboxing support (bug 1546832 and 1556017)
 * Windows
   * Bug 31989: Backport backout of old mingw-gcc patch
   * Bug 32616: Disable GetSecureOutputDirectoryPath() functionality
 * Android
   * Bug 32365: Localization is broken in Tor Browser 9 on Android
 * Build System
   * All Platforms
     * Bug 32413: Bump Go version to 1.12.13

Georg





[Tails-dev] Tor Browser 9.0 is ready for testing

2019-10-19 Thread Georg Koppen
Hello!

We are pleased to announce that Tor Browser 9.0 is ready for testing.
Bundles can be found at

https://people.torproject.org/~gk/builds/9.0-build2/

Tor Browser 9.0 is the first stable release based on Firefox 68 ESR and
contains a number of updates to other components as well (including Tor
to 0.4.1.6 and OpenSSL to 1.1.1d for desktop versions and Tor to 0.4.1.5
for Android).

Besides all the patch rebasing and toolchain updates, which we needed to
do, we managed to make progress on three longstanding topics:

1) Consolidating our toolbar: We removed the onion button from the
toolbar and exposed a New Identity button instead to make this important
feature easier to access.

2) Better integration of Torbutton and Tor Launcher: Both extensions are
now tightly integrated into Tor Browser which results in them not
showing up anymore on the about:addons page. Moreover, we used the
opportunity to redesign the bridge and proxy configuration dialogs and
include them directly into the browser's preference settings now. They
are easier to access on about:preferences#tor compared to some submenu
behind the onion button.

3) Better localization support: Besides fixing bugs in our currently
shipped localized bundles (ar and ko come to mind here) we managed to
provide Tor Browser in two more locales, Macedonian (mk) and Romanian
(ro), after a lengthy period of testing and ironing out issues in our
alpha series. Many thanks to everyone who helped with that, in
particular to our translators.

The full changelog since Tor Browser 8.5.6 is

Tor Browser 9.0 -- October 22 2019
 * All Platforms
   * Update Firefox to 68.2.0esr
   * Bug 31740: Remove some unnecessary RemoteSettings instances
   * Bug 13543: Spoof smooth and powerEfficient for Media Capabilities
   * Bug 28196: about:preferences is not properly translated anymore
   * Bug 19417: Disable asmjs on safer and safest security levels
   * Bug 30463: Explicitly disable MOZ_TELEMETRY_REPORTING
   * Bug 31935: Disable profile downgrade protection
   * Bug 16285: Disable DRM/EME on Android and drop Adobe CDM
   * Bug 31602: Remove Pocket indicators in UI and disable it
   * Bug 31914: Fix eslint linter error
   * Bug 30429: Rebase patches for Firefox 68 ESR
   * Bug 31144: Review network code changes for Firefox 68 ESR
   * Bug 10760: Integrate Torbutton into Tor Browser directly
   * Bug 25856: Remove XUL overlays from Torbutton
   * Bug 31322: Fix about:tor assertion failure debug builds
   * Bug 29430: Add support for meek_lite bridges to bridgeParser
   * Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
   * Bug 30683: Prevent detection of locale via some *.properties
   * Bug 31298: Backport patch for #24056
   * Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
   * Bug 27601: Browser notifications are not working anymore
   * Bug 30845: Make sure internal extensions are enabled
   * Bug 28896: Enable extensions in private browsing by default
   * Bug 31563: Reload search extensions if extensions.enabledScopes has changed
   * Bug 31396: Fix communication with NoScript for security settings
   * Bug 31142: Fix crash of tab and messing with about:newtab
   * Bug 29049: Backport JS Poison Patch
   * Bug 25214: Canvas data extraction on locale pdf file should be allowed
   * Bug 30657: Locale is leaked via title of link tag on non-html page
   * Bug 31015: Disabling SVG hides UI icons in extensions
   * Bug 30681: Set security.enterprise_roots.enabled to false
   * Bug 30538: Unable to comment on The Independent Newspaper
   * Bug 31209: View PDF in Tor Browser is fuzzy
   * Translations update
 * Windows + OS X + Linux
   * Update Tor to 0.4.1.6
   * Update OpenSSL to 1.1.1d
     * Bug 31844: OpenSSL 1.1.1d fails to compile for some platforms/architectures
   * Update Tor Launcher to 0.2.20.1
     * Bug 28044: Integrate Tor Launcher into tor-browser
     * Bug 32154: Custom bridge field only allows one line of input
     * Bug 31286: New strings for about:preferences#tor
     * Bug 31303: Do not launch tor in browser toolbox
     * Bug 32112: Fix bad & escaping in translations
     * Bug 31491: Clean up the old meek http helper browser profiles
     * Bug 29197: Remove use of overlays
     * Bug 31300: Modify Tor Launcher so it is compatible with ESR68
     * Bug 31487: Modify moat client code so it is compatible with ESR68
     * Bug 31488: Moat: support a comma-separated list of transports
     * Bug 30468: Add mk locale
     * Bug 30469: Add ro locale
     * Bug 30319: Remove FTE bits
     * Translations update
   * Bug 32092: Fix Tor Browser Support link in preferences
   * Bug 32111: Fixed issue parsing user-provided bridge strings
   * Bug 31749: Fix security level panel spawning events
   * Bug 31920: Fix Security Level panel when its toolbar button moves to overflow
   * Bug 31748+31961: Fix 'Learn More' links in Security Level preferences and panel
   * Bug 28044: Integrate Tor Launcher into tor-browser
   * Bug 31059: 

[Tails-dev] Tor Browser 8.5.4 is ready for testing

2019-07-04 Thread Georg Koppen
Hi!

We are happy to announce the first Tor Browser 8.5.4 release candidate
for wider testing. Bundles can be found at

https://people.torproject.org/~gk/builds/8.5.4-build2/

Tor Browser 8.5.4 contains updates to a number of its components. Above
all, we include Firefox 60.8.0esr which contains important security
fixes. Moreover, after some testing in the alpha series, we start
shipping Tor 0.4.0.5 and update OpenSSL to 1.0.2s for the desktop platforms.

Finally, we add a fundraising banner to help us getting more donations.
Please donate if you can!

The full changelog since Tor Browser 8.5.3 is:

Tor Browser 8.5.4 -- July 9 2019
 * All platforms
   * Update Firefox to 60.8.0esr
   * Update Torbutton to 2.1.12
     * Bug 30577: Add Fundraising Banner
     * Bug 31041: Stop syncing network.cookie.lifetimePolicy
     * Translations update
   * Update HTTPS Everywhere to 2019.6.27
   * Bug 31055+31058: Remove four default bridges
   * Bug 30712: Backport fix for Mozilla's bug 1552993
   * Bug 30849: Backport fixes for Mozilla's bug 1552627 and 1549833
 * Windows + OS X + Linux
   * Update Tor to 0.4.0.5
   * Update OpenSSL to 1.0.2s
   * Bug 29045: Ensure that tor does not start up in dormant mode
 * OS X
   * Bug 30631: Blurry Tor Browser icon on macOS app switcher





[Tails-dev] Tor Browser 8.5.1 is ready for testing

2019-06-02 Thread Georg Koppen
Hello!

We are happy to announce the first Tor Browser 8.5.1 release candidate
for wider testing. Bundles can be found at

https://people.torproject.org/~boklm/builds/8.5.1-build1/

Tor Browser 8.5.1 is the first bugfix release in the 8.5 series and aims
at mostly fixing regressions and providing small improvements related to
our 8.5 release. Additionally, we disable the WebGL readPixel()
fingerprinting vector, realizing, though, that we need a more holistic
approach when trying to deal with the fingerprinting potential WebGL
comes with.

The full changelog since Tor Browser 8.5 is:

Tor Browser 8.5.1 -- June 4 2019
 * All platforms
   * Update Torbutton to 2.1.10
     * Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup
     * Bug 30464: Add WebGL to safer descriptions
     * Translations update
   * Update NoScript to 10.6.2
     * Bug 29969: Remove workaround for Mozilla's bug 1532530
   * Update HTTPS Everywhere to 2019.5.13
   * Bug 30541: Disable WebGL readPixel() for web content
 * Windows + OS X + Linux
   * Bug 30560: Better match actual toolbar in onboarding toolbar graphic
 * Android
   * Bug 30635: Sync mobile default bridges list with desktop one
 * Build System
   * All platforms
     * Bug 30480: Check that signed tag contains expected tag name

Georg





[Tails-dev] Tor Browser 8.5 is ready for testing

2019-05-16 Thread Georg Koppen
Hello!

After months of work we are happy to announce that a release candidate
for Tor Browser 8.5 is ready for testing. Bundles can be found at:

https://people.torproject.org/~boklm/builds/8.5-build2/

(Note: we plan to do a build3 soon to pick up last minute mobile fixes
and maybe some for Windows accessibility support, but otherwise those
bundles should match what we intend to ship if no blockers are found
during testing)

Among the many changes we made three ones are particularly worthy of
getting mentioned:

1) Tor Browser 8.5 is the first stable release that comes to Android.
During the past few months we worked to provide the protections users
already enjoying on desktop to the Android platform by making sure there
are no proxy bypasses, first-party isolation is working as expected and
most of the fingerprinting defenses are working. While there are still
feature gaps[1] between the desktop and mobile Tor Browser we are
confident that Tor Browser for Android provides essentially the same
protections that can be found on desktop platforms. Thanks to everyone
working on getting our mobile experience into shape, in particular to
Antonela, Matt, Igor, and Shane.

2) Our security slider is an important tool for Tor Browser users,
especially for those with particular security requirements. However, so
far it was hidden behind the Torbutton menu and hard to access. During
the Tor Browser 8.5 development period we revamped the experience
showing now the chosen security level on the toolbar and making
interactions with the slider easier. For the fully planned changes check
out proposal 101.[2]

3) We made Tor Browser 8.5 compatible with Firefox's Photon UI and
redesigned our logos and about:tor page across all the platforms we
support to provide the same look and feel and better accessibility.

All the changes made between Tor Browser 8.0.9 and 8.5 are:

Tor Browser 8.5 -- May 21 2019
 * All platforms
   * Update Firefox to 60.7.0esr
   * Update Torbutton to 2.1.8
     * Bug 25013: Integrate Torbutton into tor-browser for Android
     * Bug 27111: Update about:tor desktop version to work on mobile
     * Bug 22538+22513: Fix new circuit button for error pages
     * Bug 25145: Update circuit display when back button is pressed
     * Bug 27749: Opening about:config shows circuit from previous website
     * Bug 30115: Map browser+domain to credentials to fix circuit display
     * Bug 25702: Update Tor Browser icon to follow design guidelines
     * Bug 21805: Add click-to-play button for WebGL
     * Bug 28836: Links on about:tor are not clickable
     * Bug 30171: Don't sync cookie.cookieBehavior and firstparty.isolate
     * Bug 29825: Intelligently add new Security Level button to taskbar
     * Bug 29903: No WebGL click-to-play on the standard security level
     * Bug 27290: Remove WebGL pref for min capability mode
     * Bug 25658: Replace security slider with security level UI
     * Bug 28628: Change onboarding Security panel to open new Security Level panel
     * Bug 29440: Update about:tor when Tor Browser is updated
     * Bug 27478: Improved Torbutton icons for dark theme
     * Bug 29239: Don't ship the Torbutton .xpi on mobile
     * Bug 27484: Improve navigation within onboarding (strings)
     * Bug 29768: Introduce new features to users (strings)
     * Bug 28093: Update donation banner style to make it fit in small screens
     * Bug 28543: about:tor has scroll bar between widths 900px and 1000px
     * Bug 28039: Enable dump() if log method is 0
     * Bug 27701: Don't show App Blocker dialog on Android
     * Bug 28187: Change tor circuit icon to torbutton.svg
     * Bug 29943: Use locales in AB-CD scheme to match Mozilla
     * Bug 26498: Add locale: es-AR
     * Bug 28082: Add locales cs, el, hu, ka
     * Bug 29973: Remove remaining stopOpenSecuritySettingsObserver() pieces
     * Bug 28075: Tone down missing SOCKS credential warning
     * Bug 30425: Revert armagadd-on-2.0 changes
     * Bug 30497: Add Donate link to about:tor
     * Bug 30069: Use slider and about:tor localizations on mobile
     * Bug 21263: Remove outdated information from the README
     * Bug 28747: Remove NoScript (XPCOM) related unused code
     * Translations update
     * Code clean-up
   * Update HTTPS Everywhere to 2019.5.6.1
   * Bug 27290: Remove WebGL pref for min capability mode
   * Bug 29120: Enable media cache in memory
   * Bug 24622: Proper first-party isolation of s3.amazonaws.com
   * Bug 29082: Backport patches for bug 1469916
   * Bug 28711: Backport patches for bug 1474659
   * Bug 27828: "Check for Tor Browser update" doesn't seem to do anything
   * Bug 29028: Auto-decline most canvas warning prompts again
   * Bug 27919: Backport SSL status API
   * Bug 27597: Fix our debug builds
   * Bug 28082: Add locales cs, el, hu, ka
   * Bug 26498: Add locale: es-AR
   * Bug 29916: Make sure enterprise policies are disabled
   * Bug 29349: Remove network.http.spdy.* overrides from meek helper

Re: [Tails-dev] [Tails-news] Tails 3.13.2 is out

2019-05-10 Thread Georg Koppen
sajolida:
> anonym:
>> Georg Koppen:
>>> Tails - News:
>>>> This release is an emergency release to fix a critical security 
>>>> vulnerability
>>>> in _Tor Browser_.
>>>>
>>>> It also fixes [other security
>>>> vulnerabilities](https://tails.boum.org/security/Numerous_security_holes_in_3.13.1/).
>>>> You should upgrade as soon as possible.
>>>>
>>>> # Changes
>>>>
>>>> ## Fixed _NoScript_ activation in _Tor Browser_
>>>>
>>>> Starting from Friday May 3, a problem in _Firefox_ and _Tor Browser_ 
>>>> disabled
>>>> all add-ons. This release reactivates all add-ons in _Tor Browser_, 
>>>> especially
>>>> _NoScript_ which is used to:
>>>>
>>>>   * Most importantly, protect against a very strong fingerprinting 
>>>> technique called _HTML5 canvas fingerprinting_ which can break your 
>>>> anonymity.
>>>
>>> Hm. How does it do that? In particular, what does it do in addition to
>>> the defense we baked into Tor Browser and which is not NoScript
>>> dependent? (see the: "Specific Fingerprinting Defenses in the Tor
>>> Browser", subsection 2. HTML5 Canvas Extraction at
>>> https://2019.www.torproject.org/projects/torbrowser/design/)
>>
>> There's been a misunderstanding. We were supposed to talk about 
>> fingerprinting enabled by the loss of NoScript's WebGL click-to-play, not 
>> HTML5 canvas fingerprinting.
> 
> Hi Georg!
> 
> So good to see that you keep an eye on our release notes :)

You are welcome :)

> I'm acting here as a mere translator of the technical knowledge that
> intrigeri transmitted to me in
> https://redmine.tails.boum.org/code/issues/16694#note-14 and that I
> could read on https://2019.www.torproject.org/projects/torbrowser/design/.
> 
> I understood that HTML5 canvas fingerprint can use a combination of
> "WebGL, font, and named color" and that "WebGL Canvases have
> click-to-play placeholders (provided by NoScript)".
> 
> So, a website could benefit from NoScript being deactivated to use WebGL
> to do HTML5 canvas fingerprinting; even though Tor Browser on its own
> could block other canvas fingerprinting attempts.
> 
> And from a user's point of view, NoScript protects them from (some types
> of) canvas fingerprinting.
> 
> Isn't it?

Well, not really. First of all, the canvas fingerprinting blocker is
effective regardless whether one has WebGL allowed or not. Before
anything is extracted from an HTML <canvas> element you get at least a
prompt whether you want to allow to return valid image data or not.
That's regardless whether WebGL is available in that process or not.
Thus, even if NoScript would not be enabled there should be no way that
WebGL could be used for canvas-based fingerprinting without the user
allowing it.

Now, you could argue that *if* users allowed canvas fingerprinting they
would be better off entropy-wise if the potentially available WebGL
parts would be behind a click-to-play option. Maybe. I am not convinced
yet, though, that this would make a big or an actual difference.

Click-to-play placeholders have been there from the beginning as there
were *security* concerns with WebGL which are orthogonal to the
fingerprinting ones. The latter we have patched we think, so
fingerprinting-wise we should be good (or at least not bad). NoScript in
general in a Tor Browser context is only used for dealing with
potential security/usability trade-offs covered by the security slider.
In that sense it's a bit weird to have NoScript put WebGL behind
click-to-play by default as we claim on the default security mode all
web features work as expected and are enabled.

We have corrected that for 8.5 in that we place WebGL behind
click-to-play as we do for HTML 5 media on higher security levels but
have it enabled otherwise. An important role played here websites that
were subtly non-working with WebGL behind click-to-play or blatantly
broken without any sign of options for fixing that. I suspect there are
more and more libraries in use that check for WebGL capabilities and
just refuse to proceed if none are detected. :(

The medium-term plan is to actually raise the default security level Tor
Browser comes with to "safer", but that's not going to get accomplished
in the next couple of weeks. It's not even clear what trade-offs we need
to make to that mode to make it somewhat acceptable as a default setting.

Georg




Re: [Tails-dev] [Tails-news] Tails 3.13.2 is out

2019-05-07 Thread Georg Koppen
Tails - News:
> This release is an emergency release to fix a critical security vulnerability
> in _Tor Browser_.
> 
> It also fixes [other security
> vulnerabilities](https://tails.boum.org/security/Numerous_security_holes_in_3.13.1/).
> You should upgrade as soon as possible.
> 
> # Changes
> 
> ## Fixed _NoScript_ activation in _Tor Browser_
> 
> Starting from Friday May 3, a problem in _Firefox_ and _Tor Browser_ disabled
> all add-ons. This release reactivates all add-ons in _Tor Browser_, especially
> _NoScript_ which is used to:
> 
>   * Most importantly, protect against a very strong fingerprinting technique 
> called _HTML5 canvas fingerprinting_ which can break your anonymity.

Hm. How does it do that? In particular, what does it do in addition to
the defense we baked into Tor Browser and which is not NoScript
dependent? (see the: "Specific Fingerprinting Defenses in the Tor
Browser", subsection 2. HTML5 Canvas Extraction at
https://2019.www.torproject.org/projects/torbrowser/design/)

Georg




[Tails-dev] Tor Browser 8.0.7 is ready for testing

2019-03-14 Thread Georg Koppen
Hi!

We are happy to announce the first Tor Browser 8.0.7 release candidate
for wider testing. Bundles can be found at

https://people.torproject.org/~boklm/builds/8.0.7-build3/

This new release updates Firefox to 60.6.0esr and Tor to the latest
stable version, 0.3.5.8. Moreover, it makes Tor Browser more
interoperable with NoScript by telling it that it is running in a Tor
Browser context.

The full changelog since 8.0.6 is:

Tor Browser 8.0.7 -- March 19 2019
 * All platforms
   * Update Firefox to 60.6.0esr
   * Update Tor to 0.3.5.8
     * Bug 29660: XMPP can not connect to SOCKS5 anymore
   * Update Torbutton to 2.0.11
     * Bug 29021: Tell NoScript it is running within Tor Browser
 * Windows
   * Bug 29081: Harden libwinpthread
 * Linux
   * Bug 27531: Add separate LD_LIBRARY_PATH for fteproxy

Georg




Re: [Tails-dev] Release schedule for Tails 3.13

2019-02-09 Thread Georg Koppen
intrigeri:
> Hi,
> 
> Georg Koppen:
>> intrigeri:
>>> This relaxes me a bit regarding #27466, #26553, and #28044
>>> (Tor bugs, not Tails tickets).
> 
>> No worries about those. We think we don't get those bugs into a stable
>> release shape for 8.5. They will be 9.0 material if at all.
> 
> OK, so in the end it looks like 8.5 should not bring big changes for
> us (at least not those we had on our radar already as potential deal
> breakers).

One big thing we'll get into 8.5 and that is still missing in the
current alphas is the redesign of our security controls, see: #25658 for
details. Not sure how this affects Tails, though.

>>> Does this mean that the first 8.5.x release that has *no*
>>> corresponding 8.0.x will be the 2019-05-14 one?
> 
>> I am not sure exactly what you mean but let me come up with my best
>> guess. :)
> 
>> Assuming there are _no_ emergency releases in between, then the release
>> planned for 2019-05-14 will be the first stable release picking up
>> Firefox security bug fixes that will be based on 8.5 while the
>> corresponding alpha will be 9.0aX.
> 
> What I need to understand is essentially: what's our deadline to make
> sure Tails is ready to ship Tor Browser 8.5.
> 
> I think I now understood that:
> 
>  * If there's an emergency release, late March or in April, then it
>    may be based on 8.5 (depending on how ready the 8.5 tree is).
> 
>  * Else, if there's no emergency release between the time the 8.5 tree
>    is ready to be called stable, and May 14, then the first Tor
>    Browser 8.5 release Tails needs to ship will be the May 14 one.
> 
> It follows that Tails needs to be ready before late March to upgrade
> to 8.5, in case there's an emergency release.

I think that's correct.

Georg




Re: [Tails-dev] Release schedule for Tails 3.13

2019-02-08 Thread Georg Koppen
intrigeri:
> Hi Georg,
> 
> Georg Koppen:
>> Don't wait on us here for Tor Browser 8.5. The current plan is to have
>> the release, which is scheduled for March 19, be a "normal" 8.0.x
>> release and getting 8.5 out end of March.
>> However, this is mainly bound to having the Android part in shape in
>> time, because 8.5 will be the first major release with Android
>> support. Thus, it might happen that we need to postpone 8.5 a little
>> further into April.
> 
> OK, thanks a lot for the update! I totally missed that but I have
> quite some backlog reading to do on Tor Browser team meeting minutes.
> 
> I'll update our release schedule and other plans accordingly.
> This relaxes me a bit regarding #27466, #26553, and #28044
> (Tor bugs, not Tails tickets).

No worries about those. We think we don't get those bugs into a stable
release shape for 8.5. They will be 9.0 material if at all. The Tor
Launcher integration (#28044) is planned for 9.0a1 which likely will
ship in April. I am not sure about the other two bugs yet.

> Does this mean that the first 8.5.x release that has *no*
> corresponding 8.0.x will be the 2019-05-14 one?

I am not sure exactly what you mean but let me come up with my best
guess. :)

Assuming there are _no_ emergency releases in between, then the release
planned for 2019-05-14 will be the first stable release picking up
Firefox security bug fixes that will be based on 8.5 while the
corresponding alpha will be 9.0aX.

>> That said, also keep in mind that Pwn2Own will be between March 20-22
>> and Firefox is one of the targets. The actual schedule of exploit
>> attempts is usually revealed at the beginning of the week, so not sure
>> yet when a potential emergency release would need to happen (if at all).
> 
> I wish Mozilla made it so they have a scheduled release *after*
> Pwn2Own instead of a couple days before… anyway, thanks, that's
> definitely something we should keep in mind. Added to our calendar and
> to our checklist for building release management schedules, so we rely
> a bit less on you to remind us of such important things :)

No worries, but it's always better having more eyes on this.

Re: Mozilla's release schedule. Yes, that was my first thought as well
and I was actually about to suggest to Mozilla to postpone that planned
release until after Pwn2Own. But I think from Mozilla's side it actually
makes sense to *not* have them together. That way they can have a
meaningful QA period for all the changes affecting the new releases
before Pwn2Own (remember they build already a whole week before
releasing) and get them out under normal conditions to be able to just
focus on the security bugs found at Pwn2Own and act quickly later on.

Georg




Re: [Tails-dev] Release schedule for Tails 3.13

2019-02-08 Thread Georg Koppen
intrigeri:
> Hi,
> 
> I'll be the release manager for Tails 3.13 up to, and including, the
> release of 3.13~rc1. Then someone else, likely kibi, will take over
> until 3.13 final is out.
> 
> This release will be a hybrid bugfix/major release:
> 
>  - It'll be major in the sense that it will upgrade Tor Browser to
>    8.5, which will include major changes.
> 
>  - It won't be major in the sense that we may lack time to prepare and
>    review major other changes in time for the freeze. We might also
>    decide to stick to the frozen APT snapshots used by 3.12.
> 
> So please base on the *stable* branch any work targeted at 3.13.
> 
> If a Tor Browser 8.5 beta is ready and integrated into Tails
> by then:
> 
>  - March 8: build and upload Tails 3.13~rc1
>  - March 9: test and release Tails 3.13~rc1
> 
> Otherwise, we may have to skip the RC and instead send a call
> for testing later, for an unofficial nightly built image.
> 
> And then, in any case:
> 
>  - March 18: build and upload Tails 3.13
>  - March 19: test and release Tails 3.13
> 
> Anyone who's part of our internal QA process ("manual test suite"),
> please let me know if you're available on March 9 to test the RC,
> and/or on March 19 to test the final release. Thanks in advance!

Don't wait on us here for Tor Browser 8.5. The current plan is to have
the release, which is scheduled for March 19, be a "normal" 8.0.x
release and getting 8.5 out end of March. However, this is mainly bound
to having the Android part in shape in time, because 8.5 will be the
first major release with Android support. Thus, it might happen that we
need to postpone 8.5 a little further into April.

That said, also keep in mind that Pwn2Own will be between March 20-22
and Firefox is one of the targets. The actual schedule of exploit
attempts is usually revealed at the beginning of the week, so not sure
yet when a potential emergency release would need to happen (if at all).

Georg




[Tails-dev] Tor Browser 8.0.5 is ready for testing

2019-01-23 Thread Georg Koppen
Hi!

Tor Browser 8.0.5 is ready for testing. Bundles can be found at

https://people.torproject.org/~boklm/builds/8.0.5-build2/

This new release updates Firefox to 60.5.0esr and Tor to the first
stable release in the 0.3.5 series, 0.3.5.7.

Apart from that it contains a number of backports from the alpha series,
most notably the proper first-party isolation of range requests when
loading PDF documents.

We also updated NoScript and HTTPS Everywhere to their latest versions
and removed our donation campaign related code.

The full changelog since 8.0.4 is:

Tor Browser 8.0.5 -- January 29 2019
 * All platforms
   * Update Firefox to 60.5.0esr
   * Update Tor to 0.3.5.7
   * Update Torbutton to 2.0.10
     * Bug 29035: Clean up our donation campaign and add newsletter
       sign-up link
     * Bug 27175: Add pref to allow users to persist custom noscript
       settings
   * Update HTTPS Everywhere to 2019.1.7
   * Update NoScript to 10.2.1
     * Bug 28873: Cascading of permissions is broken
     * Bug 28720: Some videos are blocked outright on higher security levels
   * Bug 26540: Enabling pdfjs disableRange option prevents pdfs from
     loading
   * Bug 28740: Adapt Windows navigator.platform value on 64-bit systems
   * Bug 28695: Set default security.pki.name_matching_mode to enforce (3)

Georg




[Tails-dev] Tor Browser 8.0.4 is ready for testing

2018-12-06 Thread Georg Koppen
Hello everyone!

We are happy to announce that Tor Browser 8.0.4 is ready for testing.
Bundles can be found at

https://people.torproject.org/~boklm/builds/8.0.4-build2/

This new Tor Browser version contains updates to Tor (0.3.4.9), OpenSSL
(1.0.2q) and other bundle components. Most importantly, however, it is
based on Firefox 60.4.0esr containing fixes to Firefox security bugs.

We backported a number of patches from our alpha series where they got
some baking time. The most important ones are

1) a defense against protocol handler enumeration which should enhance
our fingerprinting resistance,

2) enabling Stylo for macOS users by bypassing a reproducibility issue
caused by Rust compilation and

3) setting back the sandboxing level to 5 on Windows (the default), after
working around some Tor Launcher interference causing a broken Tor
Browser experience.

Additionally, we ship an updated donation banner for our year-end
donation campaign.

The full changelog since 8.0.3 is:

Tor Browser 8.0.4 -- December 11 2018
 * All platforms
   * Update Firefox to 60.4.0esr
   * Update Tor to 0.3.4.9
   * Update OpenSSL to 1.0.2q
   * Update Torbutton to 2.0.9
     * Bug 28540: Use new text for 2018 donation banner
     * Bug 28515: Use en-US for english Torbutton strings
     * Translations update
   * Update HTTPS Everywhere to 2018.10.31
   * Update NoScript to 10.2.0
     * Bug 1623: Block protocol handler enumeration (backport of fix for
       #680300)
     * Bug 25794: Disable pointer events
     * Bug 28608: Disable background HTTP response throttling
     * Bug 28185: Add smallerRichard to Tor Browser
 * Windows
   * Bug 26381: about:tor page does not load on first start on Windows
   * Bug 28657: Remove broken FTE bridge from Tor Browser
 * OS X
   * Bug 26263: App icon positioned incorrectly in macOS DMG installer
     window
   * Bug 26475: Fix Stylo related reproducibility issue
 * Linux
   * Bug 26475: Fix Stylo related reproducibility issue
   * Bug 28657: Remove broken FTE bridge from Tor Browser
 * Build System
   * All Platforms
     * Bug 27218: Generate multiple Tor Browser bundles in parallel

Georg




[Tails-dev] Tor Browser 8.0.3 is ready for testing

2018-10-19 Thread Georg Koppen
Hello!

We are happy to announce that a new Tor Browser release candidate is
ready for testing. Bundles can be found at:

https://people.torproject.org/~boklm/builds/8.0.3-build1/

Tor Browser 8.0.3 contains important Firefox security updates and
includes newer NoScript and HTTPS Everywhere versions.

Moreover, it ships with a donation banner for our end of the year
campaign and includes another round of smaller fixes for Tor Browser 8
issues on Linux systems. We switched as well to a newer API for our
NoScript <-> Torbutton communication, which we need for the Security Slider.

The full changelog since Tor Browser 8.0.2 is

Tor Browser 8.0.3 -- October 23 2018
 * All platforms
   * Update Firefox to 60.3.0esr
   * Update Torbutton to 2.0.8
     * Bug 23925+27959: Donation banner for year end 2018 campaign
     * Bug 24172: Donation banner clobbers Tor Browser version string
     * Bug 27760: Use new NoScript API for IPC and fix about:blank issue
     * Translations update
   * Update HTTPS Everywhere to 2018.9.19
   * Update NoScript to 10.1.9.9
 * Linux
   * Bug 27546: Fix vertical scrollbar behavior in Tor Browser 8 with Gtk3
   * Bug 27552: Use bundled dir on CentOS/RHEL 6

Georg




Re: [Tails-dev] [Tails-news] Tails 3.9.1 is out

2018-10-08 Thread Georg Koppen
Tails - News:

> # What's coming up?
> 
> Tails 3.10 is [scheduled](https://tails.boum.org/contribute/calendar/) for
> October 22.

Are you sure about that? Firefox 60.3.0esr is scheduled for October 23
and I think you don't want to release before it is out.

Georg






[Tails-dev] Tor Browser 8.0.1 is ready for testing

2018-09-19 Thread Georg Koppen
Hi!

We are happy to announce that our first point release in our 8.0 series
is ready for testing. Bundles can be found at:

https://people.torproject.org/~boklm/builds/8.0.1-build1/

We used the 8.0.1 release to ship the new stable Tor (0.3.4.8) which
solves an annoying crash bug on older macOS systems (10.9.x).

We furthermore found a better solution to our User Agent treatment: on
desktop platforms Tor Browser will send a Windows User Agent at the
network level while still allowing to query the unspoofed User Agent
with JavaScript. This takes concerns about any server passively logging
the User Agent into account while still avoiding broken websites as good
as we can.

Finally, we included a banner for signing up to Tor News which allows
anyone to stay up-to-date about things going on in the Tor universe
(which is, admittedly, sometimes hard to keep track of).

Below is the full changelog since 8.0:

Tor Browser 8.0.1 -- September 20 2018
 * All platforms
   * Update Tor to 0.3.4.8
   * Update Torbutton to 2.0.7
     * Bug 27097: Tor News signup banner
     * Bug 27663: Add New Identity menuitem again
     * Bug 26624: Only block OBJECT on highest slider level
     * Bug 26555: Don't show IP address for meek or snowflake
     * Bug 27478: Torbutton icons for dark theme
     * Bug 27506+14520: Move status version to upper left corner for RTL
       locales
     * Bug 27427: Fix NoScript IPC for about:blank by whitelisting messages
     * Bug 27558: Update the link to "Your Guard note may not change" text
     * Translations update
   * Update Tor Launcher to 0.2.16.5
     * Bug 27469: Adapt Moat URLs
     * Bug 25405: Cannot use Moat if a meek bridge is configured
     * Translations update
     * Clean-up
   * Update NoScript to 10.1.9.6
   * Bug 27763: Restrict Torbutton signing exemption to mobile
   * Bug 26146: Spoof HTTP User-Agent header for desktop platforms
   * Bug 27543: QR code is broken on web.whatsapp.com
   * Bug 27264: Bookmark items are not visible on the bookmark toolbar
   * Bug 27535: Enable TLS 1.3 draft version
 * OS X
   * Bug 27482: Fix crash during start-up on macOS 10.9.x systems
 * Linux
   * Bug 26556: Fix broken Tor Browser icon path on Linux

Georg




[Tails-dev] Tor Browser 8.0 is ready for testing

2018-09-03 Thread Georg Koppen
Hi all!

We are happy to announce that Tor Browser 8.0 is ready for testing.
Bundles can be found at:

https://people.torproject.org/~gk/builds/8.0-build5/

This is the first stable release based on Firefox 60 ESR and we worked
during the past few months to make Tor Browser compatible with that new
major Firefox ESR version.

Besides shipping Firefox Quantum it contains other major improvements:

1) User Experience

We redesigned our start page and included an onboarding to help new
users getting acquainted with Tor Browser's features. That was done in
collaboration with the UX team.

We added security indicators for .onion sites to provide a better user
experience for onion services.

2) Localization and platform support

We added 9 new locales to Tor Browser giving more users the opportunity
of a localized Tor Browser experience. Additionally, we start shipping
64bit builds for Windows users which should enhance Tor Browser
stability compared to the 32bit ones.

3) Easier censorship circumvention

Tor Browser includes now a way to request bridges directly from
BridgeDB, which should make it easier for users in censored areas to
bypass those restrictions just by configuring Tor Browser.

Apart from those three highlights a number of other components and
toolchains got an update for this major release. In particular, we now
ship Tor 0.3.3.9 with OpenSSL 1.0.2p and Libevent 2.1.8. Moreover, we
switched to the pure WebExtension version of NoScript (version 10.1.9.1)
which we still need to provide the security slider functionality.

Even though we are late in the release preparation process, please give
this release candidate a test and report bugs you find, thanks!

The full changelog since 7.5.6 is:

Tor Browser 8.0 -- September 5 2018
 * All platforms
   * Update Firefox to 60.2.0esr
   * Update Tor to 0.3.3.9
   * Update OpenSSL to 1.0.2p
   * Update Libevent to 2.1.8
   * Update Torbutton to 2.0.6
     * Bug 26960: Implement new about:tor start page
     * Bug 26961: Implement new user onboarding
     * Bug 26962: Circuit display onboarding
     * Bug 27301: Improve about:tor behavior and appearance
     * Bug 27214: Improve the onboarding text
     * Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger
       menus
     * Bug 26100: Adapt Torbutton to Firefox 60 ESR
     * Bug 26520: Fix sec slider/NoScript for TOR_SKIP_LAUNCH=1
     * Bug 27401: Start listening for NoScript before it loads
     * Bug 26430: New Torbutton icon
     * Bug 24309: Move circuit display to the identity popup
     * Bug 26884: Use Torbutton to provide security slider on mobile
     * Bug 26128: Adapt security slider to the WebExtensions version of
       NoScript
     * Bug 27276: Adapt to new NoScript messaging protocol
     * Bug 23247: Show security state of .onions
     * Bug 26129: Show our about:tor page on startup
     * Bug 26235: Hide new unusable items from help menu
     * Bug 26058: Remove workaround for hiding 'sign in to sync' button
     * Bug 26590: Use new svg.disabled pref in security slider
     * Bug 26655: Adjust color and size of onion button
     * Bug 26500: Reposition circuit display relay icon for RTL locales
     * Bug 26409: Remove spoofed locale implementation
     * Bug 26189: Remove content-policy.js
       * Bug 26544: Images are not centered anymore
     * Bug 26490: Remove the security slider notification
     * Bug 25126: Make about:tor layout responsive
     * Bug 27097: Add text for Tor News signup widget
     * Bug 21245: Add da translation to Torbutton and keep track of it
     * Bug 27129+20628: Add locales ca, ga, id, is, nb, da, he, sv, and
       zh-TW
     * Translations update
   * Update Tor Launcher to 0.2.16.3
     * Bug 23136: Moat integration (fetch bridges for the user)
     * Bug 25750: Update Tor Launcher to make it compatible with Firefox
       60 ESR
     * Bug 26985: Help button icons missing
     * Bug 25509: Improve the proxy help text
     * Bug 26466: Remove sv-SE from tracking for releases
     * Bug 27129+20628: Add locales ca, ga, id, is, nb, da, he, sv, and
       zh-TW
     * Translations update
   * Update HTTPS Everywhere to 2018.8.22
   * Update NoScript to 10.1.9.1
   * Update meek to 0.31
     * Bug 26477: Make meek extension compatible with ESR 60
   * Update obfs4proxy to v0.0.7 (bug 25356)
   * Bug 27082: Enable a limited UITour for user onboarding
   * Bug 26961: New user onboarding
   * Bug 26962: New feature onboarding
   * Bug 27403: The onboarding bubble is not always displayed
   * Bug 27283: Fix first-party isolation for UI tour
   * Bug 27213: Update about:tbupdate to new (about:tor) layout
   * Bug 14952+24553: Enable HTTP2 and AltSvc
     * Bug 25735: Tor Browser stalls while loading Facebook login page
   * Bug 17252: Enable TLS session identifiers with first-party isolation
   * Bug 26353: Prevent speculative connects that violate first-party
     isolation
   * Bug 26670: Make canvas permission prompt respect first-party isolation
   * Bug 24056: Use en-US strings in 

Re: [Tails-dev] Tor Browser 7.5.6 is ready for testing

2018-06-22 Thread Georg Koppen
Georg Koppen:
> Hi all!
> 
> Tor Browser 7.5.4 is ready for testing. Bundles can be found on:

FWIW as the subject said this is about Tor Browser 7.5.6 and not 7.5.4.

Sorry for the extra noise,
Georg




[Tails-dev] Tor Browser 7.5.6 is ready for testing

2018-06-22 Thread Georg Koppen
Hi all!

Tor Browser 7.5.4 is ready for testing. Bundles can be found on:

https://people.torproject.org/~boklm/builds/7.5.6-build4

Tor Browser 7.5.6 contains security updates to Firefox and includes
newer versions of NoScript and HTTPS Everywhere. Moreover, we added the
latest Tor stable version, 0.3.3.7.

This Tor Browser version additionally contains a number of backported
patches from the alpha, most notably the feature to treat cookies set by
.onion domain as secure as well.

For Windows users we activated an option that prevents an accidental
proxy bypass when dealing with UNC paths.

The full changelog since Tor Browser 7.5.5 is

Tor Browser 7.5.6 -- June 26 2018
 * All platforms
   * Update Firefox to 52.9.0esr
   * Update Tor to 0.3.3.7
   * Update Tor Launcher to 0.2.14.5
     * Bug 20890: Increase control port connection timeout
   * Update HTTPS Everywhere to 2018.6.21
     * Bug 26451: Prevent HTTPS Everywhere from freezing the browser
   * Update NoScript to 5.1.8.6
   * Bug 21537: Mark .onion cookies as secure
   * Bug 25938: Backport fix for cross-origin header leak (bug 1334776)
   * Bug 25721: Backport patches from Mozilla's bug 1448771
   * Bug 25147+25458: Sanitize HTML fragments for chrome documents
   * Bug 26221: Backport fix for leak in SHA256 in nsHttpConnectionInfo.cpp
 * Windows
   * Bug 26424: Disable UNC paths to prevent possible proxy bypasses




[Tails-dev] Tor Browser 7.5.3 is ready for testing

2018-03-24 Thread Georg Koppen
Hi All!

Tor Browser 7.5.3 is ready for testing. Bundles can be found on:

https://people.torproject.org/~gk/builds/7.5.3-build1/

This release contains a security update to Firefox and an updated HTTPS
Everywhere version (2018.3.13). The release is planned for the upcoming
Monday. Please give it a test if you can.

The full changelog since 7.5.2 is:

Tor Browser 7.5.3 -- March 26 2018
 * All platforms
   * Update Firefox to 52.7.3esr
   * Update HTTPS Everywhere to 2018.3.13
     * Bug 25339: Adapt build system for Python 3.6 based build procedure

Georg




[Tails-dev] Tor Browser 7.5.1 is ready for testing

2018-03-09 Thread Georg Koppen
Hi tor-qa!

Tor Browser 7.5.1 is ready for testing. Bundles can be found on:

https://people.torproject.org/~gk/builds/7.5.1-build3/

Tor Browser 7.5.1 contains security updates to Firefox and includes
newer versions of Tor (0.3.2.10), NoScript (5.1.8.4), and obfs4proxy
(0.0.7).

Moreover, we fixed sandbox incompatibilities for 64bit Windows Vista
users and amended the NoScript whitelist, which unbreaks extension
panels on higher security levels.

Note: We did not include the latest HTTPS Everywhere release in Tor
Browser 7.5.1 as we need to first test its new build system in an alpha
release to make sure we still can build everything reproducibly. We
expect to have this fixed in the next stable release, though. Sorry for
any inconvenience.

Here is the full changelog since 7.5:

Tor Browser 7.5.1 -- March 13 2018
 * All platforms
   * Update Firefox to 52.7.0esr
   * Update Tor to 0.3.2.10
   * Update Torbutton to 1.9.8.6
     * Bug 24159: Version check does not deal with platform specific checks
     * Bug 25016: Remove 2017 donation banner
     * Translations update
   * Update Tor Launcher to 0.2.14.4
     * Bug 25089: Special characters are not escaped in proxy password
     * Translations update
   * Update NoScript to 5.1.8.4
   * Bug 25356: Update obfs4proxy to v0.0.7
   * Bug 25000: Add [System+Principal] to the NoScript whitelist
 * Windows
   * Bug 25112: Disable sandboxing on 64-bit Windows <= Vista

Georg




[Tails-dev] Tor Browser 7.5 is ready for testing

2018-01-19 Thread Georg Koppen
Hi all!

Tor Browser 7.5 is ready for testing. Bundles can be found on:

https://people.torproject.org/~gk/builds/7.5-build3/

This is the first stable release in the 7.5 series. Apart from the usual
Firefox security updates it contains some notable improvements compared
to the 7.0 series. Here are the highlights:

1) We ship the first release in Tor's 0.3.2 series, 0.3.2.9.

2) We redesigned parts of the Tor Browser user interface. First, we
improved Tor Launcher allowing users to configure bridges easier and
making the whole bootstrap sequence less confusing and more streamlined.
Second, we enhanced the security slider taking the user experience on
mobile, as shown in Orfox, into account.

3) On the security side we enabled content sandboxing on Windows and
fixed remaining issues on Linux that prevented printing to file from
working properly. Additionally, we improved the compiler hardening on
macOS and fixed holes in the W^X mitigation on Windows.

4) We finally moved away from Gitian/tor-browser-bundle as the base of
our reproducible builds environment. Over the past weeks and months
rbm/tor-browser-build got developed making it much easier to reproduce
Tor Browser builds and to add reproducible builds for new platforms and
architectures. This will allow us to ship 64bit bundles for Windows
(currently in the alpha series available) and bundles for Android at the
same day as the release for the current platforms/architectures is
getting out.

Please give the bundles a try if you can and give us feedback in case
things break. We are especially interested in hearing back from Windows
users about possible issues with the sandboxing part.

The full changelog since Tor Browser 7.0.11 is:

Tor Browser 7.5 -- January 23 2018
 * All Platforms
   * Update Firefox to 52.6.0esr
   * Update Tor to 0.3.2.9
   * Update OpenSSL to 1.0.2n
   * Update Torbutton to 1.9.8.5
     * Bug 21847: Update copy for security slider
     * Bug 21245: Add da translation to Torbutton and keep track of it
     * Bug 24702: Remove Mozilla text from banner
     * Bug 10573: Replace deprecated nsILocalFile with nsIFile (code
       clean-up)
     * Translations update
   * Update Tor Launcher to 0.2.14.3
     * Bug 23262: Implement integrated progress bar
     * Bug 23261: implement configuration portion of new Tor Launcher UI
     * Bug 24623: Revise "country that censors Tor" text
     * Bug 24624: tbb-logo.svg may cause network access
     * Bug 23240: Retrieve current bootstrap progress before showing
       progress bar
     * Bug 24428: Bootstrap error message sometimes lost
     * Bug 22232: Add README on use of bootstrap status messages
     * Bug 10573: Replace deprecated nsILocalFile with nsIFile (code
       clean-up)
     * Translations update
   * Update HTTPS Everywhere to 2018.1.11
   * Update NoScript to 5.1.8.3
   * Bug 23104: CSS line-height reveals the platform Tor Browser is
     running on
   * Bug 24398: Plugin-container process exhausts memory
   * Bug 22501: Requests via javascript: violate FPI
   * Bug 24756: Add noisebridge01 obfs4 bridge configuration
 * Windows
   * Bug 16010: Enable content sandboxing on Windows
   * Bug 23230: Fix build error on Windows 64
 * OS X
   * Bug 24566: Avoid white flashes when opening dialogs in Tor Browser
   * Bug 23025: Add some hardening flags to macOS build
 * Linux
   * Bug 23970: Make "Print to File" work with sandboxing enabled
   * Bug 23016: "Print to File" is broken on some non-english Linux systems
   * Bug 10089: Set middlemouse.contentLoadURL to false by default
   * Bug 18101: Suppress upload file dialog proxy bypass (linux part)
 * Android
   * Bug 22084: Spoof network information API
 * Build System
   * All Platforms
     * Switch from gitian/tor-browser-bundle to rbm/tor-browser-build
   * Windows
     * Bug 22563: Update mingw-w64 to fix W^X violations
     * Bug 20929: Bump GCC version to 5.4.0
   * Linux
     * Bug 20929: Bump GCC version to 5.4.0
     * Bug 23892: Include Firefox and Tor debug files in final build
       directory
     * Bug 24842: include libasan.so.2 and libubsan.so.0 in debug builds

Georg




[Tails-dev] Please test Tor Browser 7.5a5 in Tails

2017-09-29 Thread Georg Koppen
Hi!

Tor Browser 7.5a5 is the first version that contains Firefox's content
sandboxing (Level 2) enabled, thanks to Mozilla's help. Please test it
in Tails to make sure this feature does not break anything. My current
plan is to ship Tor Browser 7.0.7 with it enabled if nothing explodes.

Tor Browser 7.0.7 is supposed to get released in three weeks. It's a
planned release without picking up any security bugfixes (hopefully).
So, instead of the alpha you might want to take that stable version for
testing to be sure for 7.0.8 that everything is working fine.

Either way, let us know if you find content sandboxing related issues
that are blockers for Tails.

Georg




Re: [Tails-dev] Should we delay Tails 3.2? [Was: Tor Browser release is postponed by two days]

2017-09-27 Thread Georg Koppen
intrigeri:
> Hi,
> 
> Georg Koppen:
>> anonym:
>>> Georg Koppen:
>>>> Just to inform you about things we learned a couple of minutes ago: the
>>>> Firefox release is due on Thursday. It got postponed by two days mainly
>>>> to give 57 beta more publicity.
> [...]
> 
>>> Still, it makes me want to remember/re-evaluate *why* we always
>>> wait on Mozilla.
>>>
>>> What are your feelings around this? What are the arguments for/against 
>>> releasing early?
> 
>> Not sure what you mean with "early", probably not as soon as one
>> critical security bugfix lands on the esr52 branch (because there are
>> many :) ). Releasing once candidate build1 is done then? It sometimes
>> happens that additional changes get pushed and a buildN is done or that
>> some of the patches need to get backed out due to issues Mozilla found
>> during their QA. I guess you don't want that risk either?
> 
> Sure.
> 
>>> TBH this has always seemed odd to me. I remember argument for this being
>>> about us behaving like good Free Software community members by
>>> coordinating releases. I wonder if they really care, especially given
>>> our users' position. So, let's ask them!
> 
>> I don't know whether they care but that argument has some weight for me
>> at least.
> 
> Same here.
> 
> But even putting ethical considerations aside, there's a strong
> technical argument in favour of waiting for Mozilla: their release
> engineering team is in a much better position than us to judge when their
> code is ready to be shipped to users, and I don't think we should
> second-guess them.

Yes, I agree with that.

> Now, I'm open to making the occasional exception e.g. when we're
> certain that the *only* reason Mozilla has to delay a release, that
> they otherwise consider as "ready to ship", is about
> marketing/communication wrt. channels we don't track ourselves.
> If/when we do so, we should be extremely clear (e.g. in our changelog
> and release notes) that we're shipping something based on what will
> probably become FF ESR x.y.z, and not something based on FF ESR x.y.z.
> 
> In the case at hand, Georg wrote "mainly" so it's not clear to me what
> other reasons they have for delaying the release. Until this is
> clarified, I don't think we're in a good position to tell we can go
> ahead without waiting. Georg, can you please share any other info you
> have (possibly privately to tails...@boum.org if needed) or put anonym
> in touch with the Mozilla release engineering folks who could answer?

The delay was planned due to Firefox 57 Beta getting more publicity. I
used "mainly" because Mozilla needed this time six candidate builds for
Firefox 56 fixing, among others, last minute crash bugs (the last
candidate build got kicked off yesterday). I am not sure whether they
would have delayed the release for those, though. They might have
shipped follow-up releases instead. So, I think it is fair to summarize
the situation that Firefox 56 (and Firefox 52.4.0esr) got delayed by two
days due to PR/publicity requirements (which fit very well to the
technical issues (and solving them) related to this release cycle).

Georg





Re: [Tails-dev] Should we delay Tails 3.2? [Was: Tor Browser release is postponed by two days]

2017-09-27 Thread Georg Koppen
anonym:
> Georg Koppen:
>> Hi,
>>
>> Just to inform you about things we learned a couple of minutes ago: the
>> Firefox release is due on Thursday. It got postponed by two days mainly
>> to give 57 beta more publicity.
>>
>> We'll follow and release Tor Browser on Thursday as well.
> 
> Got it! It makes sense for you Tor Browser folks, since the Firefox security 
> issues fixed in ESR 52.3 are not publicly known yet (at least in theory, but 
> the code changes have been out for a week so they can have been 
> reverse-engineered).
> 
> But what about Tails? Tails 3.2, which is ready to be published right now, 
> would fix several publicly known security issues for our users, including 
> some potential RCEs (Thunderbird, libsoup, ...). Of course, some of these 
> issues have been out for weeks already, so what's two more days of delay? 
> Still, it makes me want to remember/re-evaluate *why* we always wait on 
> Mozilla.
> 
> What are your feelings around this? What are the arguments for/against 
> releasing early?

Not sure what you mean with "early", probably not as soon as one
critical security bugfix lands on the esr52 branch (because there are
many :) ). Releasing once candidate build1 is done then? It sometimes
happens that additional changes get pushed and a buildN is done or that
some of the patches need to get backed out due to issues Mozilla found
during their QA. I guess you don't want that risk either?

> TBH this has always seemed odd to me. I remember argument for this being 
> about us behaving like good Free Software community members by coordinating 
> releases. I wonder if they really care, especially given our users' position. 
> So, let's ask them!

I don't know whether they care but that argument has some weight for me
at least.

> Tor Browser folks, would you care if we released Tails 3.2 right now, so we 
> in effect release Tor Browser 7.0.6 way before you? What do you feel about 
> this in general?

Fine with me.

Georg

> As for asking Mozilla, I'm not even sure who/where to ask. Does any one have 
> a clue?
> 
> Cheers!
> 





[Tails-dev] Tor Browser release is postponed by two days

2017-09-26 Thread Georg Koppen
Hi,

Just to inform you about things we learned a couple of minutes ago: the
Firefox release is due on Thursday. It got postponed by two days mainly
to give 57 beta more publicity.

We'll follow and release Tor Browser on Thursday as well.

Georg




[Tails-dev] Tor Browser 7.0.6 is ready for testing

2017-09-21 Thread Georg Koppen
Hi!

Tor Browser 7.0.6 is ready for testing. Bundles can be found on:

https://people.torproject.org/~gk/builds/7.0.6-build3/

This release includes security updates for Firefox (52.4.0esr) and a new
Tor stable version (0.3.1.7), the first one in the 0.3.1 series. In
addition to that we updated the HTTPS Everywhere and NoScript extensions
we ship. Moreover, we fixed minor usability issues and a bug which,
under particular circumstances, caused tabs to crash after closing one.

The full changelog since Tor Browser 7.0.5 is:

Tor Browser 7.0.6 -- September 26 2017
 * All Platforms
   * Update Firefox to 52.4.0esr
   * Update Tor to 0.3.1.7
   * Update Torbutton to 1.9.7.7
     * Bug 22542: Security Settings window too small on macOS 10.12 (fixup)
     * Bug 20375: Warn users after entering fullscreen mode
   * Update HTTPS-Everywhere to 2017.9.12
   * Update NoScript to 5.0.10
   * Bug 21830: Copying large text from web console leaks to /tmp
   * Bug 23393: Don't crash all tabs when closing one tab
 * OS X
   * Bug 23404: Add missing Noto Sans Buginese font to the macOS whitelist

Georg




[Tails-dev] Tor Browser 7.0.4 is ready for testing

2017-08-04 Thread Georg Koppen
Hi all!

Tor Browser 7.0.4 is ready for testing. Bundles can be found on:

https://people.torproject.org/~gk/builds/7.0.4-build1/

This release features updates to a lot of Tor Browser components. Apart
from the usual Firefox update (to 52.3.0esr) we include a new Tor stable
release (0.3.0.10) + an updated HTTPS-Everywhere (5.2.12) and NoScript
(5.0.8.1).

In this new release we continue to fix regressions that happened due to
the transition to Firefox 52. Most notably, we avoid the scary warnings
popping up when entering passwords on .onion sites without a TLS
certificate (bug 21321). Handling our default start page (about:tor) has
improved, too, so that using the searchbox on it is working again and it
does no longer need enhanced privileges in order to function.

The full changelog since Tor Browser 7.0.2 (for Linux since Tor Browser
7.0.3) is:

Tor Browser 7.0.4 -- August 8 2017
 * All Platforms
   * Update Firefox to 52.3.0esr
   * Update Tor to 0.3.0.10
   * Update Torbutton to 1.9.7.5
     * Bug 21999: Fix display of language prompt in non-en-US locales
     * Bug 18193: Don't let about:tor have chrome privileges
     * Bug 22535: Search on about:tor discards search query
     * Bug 21948: Going back to about:tor page gives "Address isn't
       valid" error
     * Code clean-up
     * Translations update
   * Update Tor Launcher to 0.2.12.3
     * Bug 22592: Default bridge settings are not removed
     * Translations update
   * Update HTTPS-Everywhere to 5.2.21
   * Update NoScript to 5.0.8.1
     * Bug 22362: Remove workaround for XSS related browser freezing
     * Bug 22067: NoScript Click-to-Play bypass with embedded videos and
       audio
   * Bug 21321: Exempt .onions from HTTP related security warnings
   * Bug 22073: Disable GetAddons option on addons page
   * Bug 22884: Fix broken about:tor page on higher security levels
 * Windows
   * Bug 22829: Remove default obfs4 bridge riemann.
   * Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
 * OS X
   * Bug 22829: Remove default obfs4 bridge riemann.

Georg




[Tails-dev] Tor Browser 7.0.1 is ready for testing

2017-06-09 Thread Georg Koppen
Hi!

Tor Browser 7.0.1 is ready for testing. Bundles can be found on:

https://people.torproject.org/~boklm/builds/7.0.1-build1/

This release updates Firefox to 52.2.0esr, Tor to 0.3.0.8, and
HTTPS-Everywhere to 5.2.18. Additionally, we worked around an annoying
freezing of Tor Browser which is due to a NoScript bug and made the
security slider window slightly larger.

The full changelog since Tor Browser 7.0 is:

Tor Browser 7.0.1 -- June 13 2017
 * All Platforms
   * Update Firefox to 52.2.0esr
   * Update Tor to 0.3.0.8
   * Update Torbutton to 1.9.7.4
     * Bug 22542: Security Settings window too small on macOS 10.12
   * Update HTTPS-Everywhere to 5.2.18
   * Bug 22362: NoScript's XSS filter freezes the browser

Georg




[Tails-dev] First release candidate for Tor Browser 7.0 is available for testing

2017-06-03 Thread Georg Koppen
Hi all,

Finally, the first release candidate for Tor Browser 7.0 is ready for
testing. Bundles can be found on

https://people.torproject.org/~gk/builds/7.0-build1/

Depending on our Q results for this release candidate Tor Browser 7.0
will get released later next week (Tuesday/Wednesday) or early in the
week thereafter with the switch to Firefox ESR 52.2.0. So, please, give
this release candidate a thorough test!

This is the first stable release which is based on Firefox ESR 52
(52.1.2esr). We updated all of our patches that did not get upstreamed
yet and made Torbutton and Tor Launcher multiprocess (e10s) compatible.

We hope having e10s and Mozilla's content sandbox enabled will be one of
the major new features in the Tor Browser 7.0 series, both security- and
performance-wise. While we are still working on the sandbox part for
Windows[1] (the e10s part is ready), both Linux and macOS have e10s and
content sandboxing enabled by default in Tor Browser 7.0.

Linux and OS X users have in addition to that the option to harden their
Tor Browser setup by using only Unix Domain sockets for communication
with tor.

The highlights in our tracking and fingerprinting resistance
improvements are: cookies, view-source requests and permissions are
isolated to the first party URL bar domain now to enhance our tracking
related defenses. On the fingerprinting side we disabled and/or patched
several new features, among them WebGL2, the WebAudio, Social,
SpeechSynthesis, and Touch APIs, and the MediaError.message property.

With the switch to ESR52 new minimal system requirements for Tor Browser
arrived as well: Tor Browser 7.0 is the first stable release which
requires SSE2 on Windows machines and OS X 10.9+ for Apple computers.
Furthermore, Linux users need to have PulseAudio available now for audio
support in their browsers.

Apart from switching to the new Firefox ESR and dealing with related
issues we included a new Tor stable version (0.3.0.7) and updated our
NoScript (5.0.5) and HTTPS-Everywhere versions (5.2.17).

We updated our toolchains during the ESR transition as well. In
particular we retired the old GCC-based one for our macOS
cross-compilation and rely solely on clang/cctools now.

There are known issues/unfinished ESR52 transition work that can be
followed in our bug tracker[2][3]. We hope to get those remaining bugs
resolved as soon as possible.

If you find (new) issues while testing, let us know!

The full changelog since Tor Browser 6.5.2 is:

Tor Browser 7.0 -- June 6 2017
 * All Platforms
   * Update Firefox to 52.1.2esr
   * Update Tor to 0.3.0.7
   * Update Torbutton to 1.9.7.3
     * Bug 22104: Adjust our content policy whitelist for ff52-esr
     * Bug 22457: Allow resources loaded by view-source://
     * Bug 21627: Ignore HTTP 304 responses when checking redirects
     * Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode
     * Bug 21865: Update our JIT preferences in the security slider
     * Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52
     * Bug 21745: Fix handling of catch-all circuit
     * Bug 21547: Fix circuit display under e10s
     * Bug 21268: e10s compatibility for New Identity
     * Bug 21267: Remove window resize implementation for now
     * Bug 21201: Make Torbutton multiprocess compatible
     * Translations update
   * Update Tor Launcher to 0.2.12.2
     * Bug 22283: Linux 7.0a4 broken after update due to unix: lines in
       torrc
     * Bug 20761: Don't ignore additional SocksPorts
     * Bug 21920: Don't show locale selection dialog
     * Bug 21546: Mark Tor Launcher as multiprocess compatible
     * Bug 21264: Add a README file
     * Translations update
   * Update HTTPS-Everywhere to 5.2.17
   * Update NoScript to 5.0.5
   * Update Go to 1.8.3 (bug 22398)
   * Bug 21962: Fix crash on about:addons page
   * Bug 21766: Fix crash when the external application helper dialog is
     invoked
   * Bug 21886: Download is stalled in non-e10s mode
   * Bug 21778: Canvas prompt is not shown in Tor Browser based on ESR52
   * Bug 21569: Add first-party domain to Permissions key
   * Bug 22165: Don't allow collection of local IP addresses
   * Bug 13017: Work around audio fingerprinting by disabling the Web
     Audio API
   * Bug 10286: Disable Touch API and add fingerprinting resistance as
     fallback
   * Bug 13612: Disable Social API
   * Bug 10283: Disable SpeechSynthesis API
   * Bug 22333: Disable WebGL2 API for now
   * Bug 21861: Disable additional mDNS code to avoid proxy bypasses
   * Bug 21684: Don't expose navigator.AddonManager to content
   * Bug 21431: Clean-up system extensions shipped in Firefox 52
   * Bug 22320: Use preference name 'referer.hideOnionSource' everywhere
   * Bug 16285: Don't ship ClearKey EME system and update EME preferences
   * Bug 21675: Spoof window.navigator.hardwareConcurrency
   * Bug 21792: Suppress MediaError.message
   * Bug 16337: Round times exposed by Animation API to nearest 100ms
   * Bug 21972: about:support is 

Re: [Tails-dev] Tor Browser 6.5.2 is ready for testing

2017-04-13 Thread Georg Koppen
Georg Koppen:
> Hi all!
> 
> Tor Browser 6.5.2 is ready for testing. Bundles can be found on:
> 
> https://people.torproject.org/~gk/builds/6.5.2-build1/

For what it is worth we are currently doing a -build3 which we think
will be the final one. It should not affect Tails as it only has updater
related changes which are relevant for Windows users. Thus, if you want
I think you could just go with -build1 (in case no other issue shows up
that we need to address with a buildN (N > 3)).

Georg





[Tails-dev] Tor Browser 6.5.2 is ready for testing

2017-04-13 Thread Georg Koppen
Hi all!

Tor Browser 6.5.2 is ready for testing. Bundles can be found on:

https://people.torproject.org/~gk/builds/6.5.2-build1/

This release updates Firefox to 45.9.0esr, Noscript to 5.0.2, and
HTTPS-Everywhere to 5.2.14.

Moreover, we included a fix for the broken Twitter experience and worked
around a Windows related crash bug. To improve our censorship resistance
we additionally updated our bridges we ship.

The full changelog since Tor Browser 6.5.1 is:

Tor Browser 6.5.2 -- April 19 2017
 * All Platforms
   * Update Firefox to 45.9.0esr
   * Update HTTPS-Everywhere to 5.2.14
   * Update NoScript to 5.0.2
   * Bug 21555+16450: Don't remove Authorization header on subdomains
     (e.g. Twitter)
   * Bug 21917: Add new obfs4 bridges
   * Bug 21918: Move meek-amazon to d2cly7j4zqgua7.cloudfront.net backend
 * Windows
   * Bug 21795: Fix Tor Browser crashing on github.com




[Tails-dev] Tor Browser 6.5.1 is ready for testing

2017-03-03 Thread Georg Koppen
Hi!

We are happy to announce that Tor Browser 6.5.1 is ready for testing.
Bundles can be found on:

https://people.torproject.org/~gk/builds/6.5.1-build2/

This is the first minor release in the 6.5 series and it mainly contains
updates to several of our Tor Browser components: Firefox got updated to
45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.1k, and HTTPS-Everywhere to
5.2.11.

The update to 45.8.0esr made it necessary to rewrite the backported
Mozilla patch that hardened the JavaScript JIT by enforcing W^X on all
pages. Please test the release candidate with that in mind and report
back in case crashes or other issues with that patch in particular show up.

Additionally, we updated the bridges we ship with Tor Browser and fixed
some regressions that came with our last release.

The full changelog since Tor Browser 6.5 is:

Tor Browser 6.5.1 -- March 6 2017
 * All Platforms
   * Update Firefox to 45.8.0esr
   * Tor to 0.2.9.10
   * OpenSSL to 1.0.2k
   * Update Torbutton to 1.9.6.14
     * Bug 21396: Allow leaking of resource/chrome URIs (off by default)
     * Bug 21574: Add link for zh manual and create manual links dynamically
     * Bug 21330: Non-usable scrollbar appears in tor browser security
       settings
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.11
   * Bug 21514: Restore W^X JIT implementation removed from ESR45
   * Bug 21536: Remove scramblesuit bridge
   * Bug 21342: Move meek-azure to the meek.azureedge.net backend and
     cymrubridge02 bridge
 * Linux
   * Bug 21326: Update the "Using a system-installed Tor" section in
     start script

Georg




[Tails-dev] Tor Browser 6.5 is ready for testing

2017-01-20 Thread Georg Koppen
Hi all!

We are pleased to announce that Tor Browser 6.5 is ready for testing.
Bundles can be found on:

https://people.torproject.org/~gk/builds/6.5-build3/

This is a major release and the first one in the 6.5 series. First of
all it fixes the usual critical bugs in Firefox by updating to ESR
45.7.0. It contains version updates to other bundle components as well:
Tor to 0.2.9.8, OpenSSL to 1.0.2j, HTTPS-Everywhere to 5.2.9, and
NoScript to 2.9.5.3.

Besides those updates Tor Browser 6.5 ships with a lot of the
improvements we have been working on in the past couple of months.

On the security side we always block remote JAR files now and remove the
support for SHA-1 HPKP pins. Additionally we backported a patch to mark
JIT pages as non-writable and backported other crash fixes that could
disrupt a Tor Browser session quite reliably.

With respect to user tracking and fingerprinting we now isolate
SharedWorker script requests to the first party domain. We improved our
timer resolution spoofing and reduced the timing precision for
AudioContext, HTMLMediaElement, and Mediastream elements. We stopped
user fingerprinting via internal resource:// URLs, and for Windows users
we fixed a regression introduced in Tor Browser 6.0 which could leak the
local timezone if JavaScript were enabled.

A great deal of our time was spent on improving the usability of Tor
Browser. We redesigned the security slider and improved its labels. We
moved a lot of Torbutton's privacy settings directly into the respective
Firefox menu making it cleaner and more straightforward to use. Finally,
we moved as many Torbutton features as possible into Firefox to make it
easier for upstreaming them. This allowed us to resolve a couple of
window resizing bugs that piled on over the course of the past years.

The features mentioned above were only some of the highlights in Tor
Browser 6.5. The full changelog since 6.0.8 is:

Tor Browser 6.5 -- January 24 2017
 * All Platforms
   * Update Firefox to 45.7.0esr
   * Tor to 0.2.9.8
   * OpenSSL to 1.0.2j
   * Update Torbutton to 1.9.6.12
     * Bug 16622: Timezone spoofing moved to tor-browser.git
     * Bug 17334: Move referrer spoofing for .onion domains into
       tor-browser.git
     * Bug 8725: Block addon resource and url fingerprinting with
       nsIContentPolicy
     * Bug 20701: Allow the directory listing stylesheet in the content
       policy
     * Bug 19837: Whitelist internal URLs that Firefox requires for media
     * Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a
       tor client
     * Bug 19273: Improve external app launch handling and associated
       warnings
     * Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
     * Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries
       + IPv6
     * Bug 17767: Make "JavaScript disabled" more visible in Security Slider
     * Bug 20556: Use pt-BR strings from now on
     * Bug 20614: Add links to Tor Browser User Manual
     * Bug 20414: Fix non-rendering arrow on OS X
     * Bug 20728: Fix bad preferences.xul dimensions
     * Bug 19898: Use DuckDuckGo on about:tor
     * Bug 21091: Hide the update check menu entry when running under
       the sandbox
     * Bug 19459: Move resizing code to tor-browser.git
     * Bug 20264: Change security slider to 3 options
     * Bug 20347: Enhance security slider's custom mode
     * Bug 20123: Disable remote jar on all security levels
     * Bug 20244: Move privacy checkboxes to about:preferences#privacy
     * Bug 17546: Add tooltips to explain our privacy checkboxes
     * Bug 17904: Allow security settings dialog to resize
     * Bug 18093: Remove 'Restore Defaults' button
     * Bug 20373: Prevent redundant dialogs opening
     * Bug 20318: Remove helpdesk link from about:tor
     * Bug 21243: Add links for pt, es, and fr Tor Browser manuals
     * Bug 20753: Remove obsolete StartPage locale strings
     * Bug 21131: Remove 2016 donation banner
     * Bug 18980: Remove obsolete toolbar button code
     * Bug 18238: Remove unused Torbutton code and strings
     * Bug 20388+20399+20394: Code clean-up
     * Translation updates
   * Update Tor Launcher to 0.2.10.3
     * Bug 19568: Set CurProcD for Thunderbird/Instantbird
     * Bug 19432: Remove special handling for Instantbird/Thunderbird
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.9
   * Update NoScript to 2.9.5.3
   * Bug 16622: Spoof timezone with Firefox patch
   * Bug 17334: Spoof referrer when leaving a .onion domain
   * Bug 19273: Write C++ patch for external app launch handling
   * Bug 19459: Size new windows to 1000x1000 or nearest 200x100
     (Firefox patch)
   * Bug 12523: Mark JIT pages as non-writable
   * Bug 20123: Always block remote jar files
   * Bug 19193: Reduce timing precision for AudioContext,
     HTMLMediaElement, and MediaStream
   * Bug 19164: Remove support for SHA-1 HPKP pins
   * Bug 19186: KeyboardEvents are only rounding to 100ms
   * Bug 16998: Isolate preconnect requests to URL bar domain
   * Bug 

Re: [Tails-dev] Tor Browser 6.0.8 could need some testing

2016-12-12 Thread Georg Koppen
Georg Koppen:
> Hi,
> 
> we have a candidate build for 6.0.8 that could need some testing.
> Bundles can be found on:
> 
> https://people.torproject.org/~gk/builds/6.0.8-build1/

For what it is worth we are currently rebundling 6.0.8 to pick up some
donation banner improvements (#20947) and plan to ship the resulting
build2 as the final 6.0.8. Not sure if you want to wait for that or not
but in any case those banner changes are the only differences between
build1 and build2.

Georg

> This release is updating Firefox to 45.6.0esr fixing important security
> bugs and adding a new Tor version, 0.2.8.11. We update HTTPS-Everywhere
> to 5.2.8 as well and make improvements to our default obfs4 bridges.
> 
> The full changelog since Tor Browser 6.0.7 is:
> 
> Tor Browser 6.0.8 -- December 13
>  * All Platforms
>    * Update Firefox to 45.6.0esr
>    * Tor to 0.2.8.11
>    * Update HTTPS-Everywhere to 5.2.8
>    * Bug 20809: Use non-/html search engine URL for DuckDuckGo search
>      plugins
>    * Bug 20837: Activate iat-mode for certain obfs4 bridges
>    * Bug 20838: Uncomment NX01 default obfs4 bridge
>    * Bug 20840: Rotate ports a third time for default obfs4 bridges
> 
> Georg
> 
> 
> 
> 





[Tails-dev] Tor Browser 6.0.8 could need some testing

2016-12-10 Thread Georg Koppen
Hi,

we have a candidate build for 6.0.8 that could need some testing.
Bundles can be found on:

https://people.torproject.org/~gk/builds/6.0.8-build1/

This release is updating Firefox to 45.6.0esr fixing important security
bugs and adding a new Tor version, 0.2.8.11. We update HTTPS-Everywhere
to 5.2.8 as well and make improvements to our default obfs4 bridges.

The full changelog since Tor Browser 6.0.7 is:

Tor Browser 6.0.8 -- December 13
 * All Platforms
   * Update Firefox to 45.6.0esr
   * Tor to 0.2.8.11
   * Update HTTPS-Everywhere to 5.2.8
   * Bug 20809: Use non-/html search engine URL for DuckDuckGo search
     plugins
   * Bug 20837: Activate iat-mode for certain obfs4 bridges
   * Bug 20838: Uncomment NX01 default obfs4 bridge
   * Bug 20840: Rotate ports a third time for default obfs4 bridges

Georg




Re: [Tails-dev] Tor Browser 6.0.6 is ready for testing

2016-11-15 Thread Georg Koppen
bertagaz:
> Hi,
> 
> On Thu, Nov 10, 2016 at 05:50:00PM +0000, Georg Koppen wrote:
>>
>> Tor Browser 6.0.6 is ready for testing. Bundles can be found on
>>
>> https://people.torproject.org/~boklm/builds/6.0.6-build5
> 
> Thanks!
> 
> I see there's 6.0.6-build6 now, which seems to contain only minor
> changes related to the donation campaign. Should we rather include this build
> in Tails now?

FWIW: we are rebundling a final time to fix an issue with our donation
banner affecting OS X users. Just that you don't get confused as soon as
a -build8 shows up.

Georg





[Tails-dev] Tor Browser 6.0.6 is ready for testing

2016-11-10 Thread Georg Koppen
Hi all!

Tor Browser 6.0.6 is ready for testing. Bundles can be found on

https://people.torproject.org/~boklm/builds/6.0.6-build5

This release is updating Firefox to 45.5.0esr fixing important security
bugs. Moreover, other components are getting an update as well: Tor to
0.2.8.9, HTTPS-Everywhere to 5.2.7, and OpenSSL to 1.0.1u to name just a
few.

We fixed a lot of usability bugs, some caused by Apple's macOS Sierra
(meek did not work anymore and windows could not be dragged either). We
moved directly to DuckDuckGo as our search engine avoiding a roundtrip
to Disconnect.me first. Finally, we added a donation banner shown in
some localized bundles starting on Nov 15 in order to point to our
end-of-the-year 2016 donation campaign.

The full changelog since Tor Browser 6.0.5 is:

Tor Browser 6.0.6 -- November 15
 * All Platforms
   * Update Firefox to 45.5.0esr
   * Update Tor to 0.2.8.9
   * Update OpenSSL to 1.0.1u
   * Update Torbutton to 1.9.5.9
     * Bug 20414: Add donation banner on about:tor for 2016 campaign
     * Translation updates
   * Update Tor Launcher to 0.2.9.4
     * Bug 20429: Do not open progress window if tor doesn't get started
     * Bug 19646: Wrong location for meek browser profile on OS X
   * Update HTTPS-Everywhere to 5.2.7
   * Update meek to 0.25
     * Bug 19646: Wrong location for meek browser profile on OS X
     * Bug 20030: Shut down meek-http-helper cleanly if built with Go >
       1.5.4
   * Bug 19838: Add dgoulet's bridge and add another one commented out
   * Bug 20296: Rotate ports again for default obfs4 bridges
   * Bug 19735: Switch default search engine to DuckDuckGo
   * Bug 20118: Don't unpack HTTPS Everywhere anymore
 * Windows
   * Bug 20342: Add tor-gencert.exe to expert bundle
 * OS X
   * Bug 20204: Windows don't drag on macOS Sierra anymore
   * Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
 * Build system
   * All platforms
     * Bug 20023: Upgrade Go to 1.7.3

Georg





[Tails-dev] Tor Browser 6.0.5 is ready for testing

2016-09-09 Thread Georg Koppen
Hi,

we are pleased to announce that Tor Browser 6.0.5 is ready for testing.
Bundles can be found on:

https://people.torproject.org/~boklm/builds/6.0.5-build1/

This release is updating Firefox to 45.4.0esr fixing important security
bugs. Moreover, other components are getting an update as well: Tor to
0.2.8.7, HTTPS-Everywhere to 5.2.4, and Torbutton to 1.9.5.7. The latter
deletes HSTS and other site security state saved on disk now when
requesting a New Identity.

The full changelog since Tor Browser 6.0.4 is:

Tor Browser 6.0.5 -- September 13
 * All Platforms
   * Update Firefox to 45.4.0esr
   * Update Tor to 0.2.8.7
   * Update Torbutton to 1.9.5.7
     * Bug 18589: Clear site security settings during New Identity
     * Bug 19906: "Maximizing Tor Browser" Notification can exist
       multiple times
   * Update HTTPS-Everywhere to 5.2.4
   * Bug 20092: Rotate ports for default obfs4 bridges
   * Bug 20040: Add update support for unpacked HTTPS Everywhere
 * Windows
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Linux
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Android
   * Bug 19706: Store browser data in the app home directory
 * Build system
   * All platforms
     * Upgrade Go to 1.4.3

Georg




[Tails-dev] Tor Browser 6.0.4 is ready for testing

2016-08-13 Thread Georg Koppen
Hi all,

we are pleased to announce that Tor Browser 6.0.4 is ready for testing.
Bundles can be found on:

https://people.torproject.org/~boklm/builds/6.0.4-build2/

This release finally brings Tor Browser users the latest Tor stable,
0.2.8.6, and avoids pinging Mozilla servers for system extensions.

The latter was responsible for users getting an extension into their Tor
Browser that resulted in annoying and confusing "Your Firefox is out of
date" notifications on start-up (bug 19890). Thanks to Mozilla engineers
who fixed that issue as fast as possible on their side: the extension is
not shipped to Tor Browser users anymore if they ping Mozilla's server.
Users that are on the alpha channel or are using the hardened Tor
Browser were not affected. The same goes for Tails users as far as we know.

The full changelog since Tor Browser 6.0.3 is:

Tor Browser 6.0.4 -- August 16
 * All Platforms
   * Update Tor to 0.2.8.6
   * Update NoScript to 2.9.0.14
   * Bug 19890: Disable installation of system addons

Georg




[Tails-dev] Tor Browser 6.0.2 is ready for testing

2016-06-18 Thread Georg Koppen
Hi,

Tor Browser 6.0.2 is ready for testing. Bundles can be found on:

https://people.torproject.org/~boklm/builds/6.0.2-build1/

Tor Browser 6.0.2 is a fixup release to address the most pressing issues
we found after switching to Firefox 45.2.0esr.

In particular, we resolved a possible crash bug visible e.g. on
Facebook or mega.nz and we fixed the broken PDF download button in the
PDF reader.

The full changelog since 6.0.1 is:

Tor Browser 6.0.2 -- June 21
 * All Platforms
   * Update Torbutton to 1.9.5.5
     * Bug 19417: Clear asmjscache
   * Bug 19401: Fix broken PDF download button
   * Bug 19411: Don't show update icon if a partial update failed
   * Bug 19400: Back out GCC bug workaround to avoid asmjs crash
 * Windows
   * Bug 19348: Adapt to more than one build target on Windows (fixes
     updates)
 * Linux
   * Bug 19276: Disable Xrender due to possible performance regressions

Georg




[Tails-dev] Fwd: [tor-qa] Tor Browser 6.0.1 is ready for testing

2016-06-05 Thread Georg Koppen
Seems I forgot to Cc you this time...

Georg

-------- Forwarded Message --------
Subject: [tor-qa] Tor Browser 6.0.1 is ready for testing
Date: Sat, 4 Jun 2016 06:38:11 +
From: Georg Koppen <g...@torproject.org>
To: tor...@lists.torproject.org




Hi!

we are pleased to announce that Tor Browser 6.0.1 is ready for testing.
Bundles can be found on:

https://people.torproject.org/~gk/builds/6.0.1-build2/

6.0.1 is the first point release in our 6.0 series. It updates Firefox
to 45.2.0esr, contains fixes for two crash bugs and does not ship the
loop extension anymore. Please give it a test if you can.

The full changelog since 6.0 is:

Tor Browser 6.0.1 -- June 7
 * All Platforms
   * Update Firefox to 45.2.0esr
   * Bug 18884: Don't build the loop extension
   * Bug 19187: Backport fix for crash related to popup menus
   * Bug 19212: Fix crash related to network panel in developer tools
 * Linux
   * Bug 19189: Backport for working around a linker (gold) bug

Georg




___
tor-qa mailing list
tor...@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-qa




[Tails-dev] Tor Browser 6.0 is ready for testing

2016-05-26 Thread Georg Koppen
Hi everyone,

we are pleased to announce that Tor Browser 6.0 is ready for testing.
Bundles can be found on:

https://people.torproject.org/~boklm/builds/6.0-build1/

This is a major release and the first one in the 6.0 series. It contains
a lot of new features, most notably:

1) Tor Browser is now based on Firefox ESR 45.

2) Beginning with the 6.0 series code-signing for OS X systems is
introduced. This should help our users who had trouble with getting Tor
Browser to work with their Gatekeeper system. There were bundle layout
changes necessary to adhere to code signing requirements. Please report
issues in this regard if you find any. (Note: the bundles are not signed
yet. The bundles that get released will be, though.)

There are numerous other improvements, bug fixes and upgraded Tor
Browser components in the new Tor Browser which are detailed in the
changelog below.

Full changelog from Tor Browser 5.5.5:

Tor Browser 6.0 -- May 30
 * All Platforms
   * Update Firefox to 45.1.1esr
   * Update OpenSSL to 1.0.1t
   * Update Torbutton to 1.9.5.4
     * Bug 18466: Make Torbutton compatible with Firefox ESR 45
     * Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
     * Bug 18905: Hide unusable items from help menu
     * Bug 16017: Allow users to more easily set a non-tor SSH proxy
     * Bug 17599: Provide shortcuts for New Identity and New Circuit
     * Translation updates
     * Code clean-up
   * Update Tor Launcher to 0.2.9.3
     * Bug 13252: Do not store data in the application bundle
     * Bug 18947: Tor Browser is not starting on OS X if put into
       /Applications
     * Bug 11773: Setup wizard UI flow improvements
     * Translation updates
   * Update HTTPS-Everywhere to 5.1.9
   * Update meek to 0.22 (tag 0.22-18371-3)
     * Bug 18371: Symlinks are incompatible with Gatekeeper signing
     * Bug 18904: Mac OS: meek-http-helper profile not updated
   * Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
   * Bug 18900: Fix broken updater on Linux
   * Bug 18042: Disable SHA1 certificate support
   * Bug 18821: Disable libmdns support for desktop and mobile
   * Bug 18848: Disable additional welcome URL shown on first start
   * Bug 14970: Exempt our extensions from signing requirement
   * Bug 16328: Disable MediaDevices.enumerateDevices
   * Bug 16673: Disable HTTP Alternative-Services
   * Bug 17167: Disable Mozilla's tracking protection
   * Bug 18603: Disable performance-based WebGL fingerprinting option
   * Bug 18738: Disable Selfsupport and Unified Telemetry
   * Bug 18799: Disable Network Tickler
   * Bug 18800: Remove DNS lookup in lockfile code
   * Bug 18801: Disable dom.push preferences
   * Bug 18802: Remove the JS-based Flash VM (Shumway)
   * Bug 18863: Disable MozTCPSocket explicitly
   * Bug 15640: Place Canvas MediaStream behind site permission
   * Bug 16326: Verify cache isolation for Request and Fetch APIs
   * Bug 18741: Fix OCSP and favicon isolation for ESR 45
   * Bug 16998: Disable  for now
   * Bug 18898: Exempt the meek extension from the signing requirement
     as well
   * Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
   * Bug 18890: Test importScripts() for cache and network isolation
   * Bug 18886: Hide pocket menu items when Pocket is disabled
   * Bug 18703: Fix circuit isolation issues on Page Info dialog
   * Bug 19115: Tor Browser should not fall back to Bing as its search
     engine
   * Bug 18915+19065: Use our search plugins in localized builds
   * Bug 18811: Fix first-party isolation for blobs URLs in Workers
   * Bug 18950: Disable or audit Reader View
   * Bug 18886: Remove Pocket
   * Bug 18619: Tor Browser reports "InvalidStateError" in browser console
   * Bug 18945: Disable monitoring the connected state of Tor Browser users
   * Bug 18855: Don't show error after add-on directory clean-up
   * Bug 18885: Disable the option of logging TLS/SSL key material
   * Bug 18770: SVGs should not show up on Page Info dialog when disabled
   * Bug 18958: Spoof screen.orientation values
   * Bug 19047: Disable Heartbeat prompts
   * Bug 18914: Use English-only label in  tags
   * Bug 18996: Investigate server logging in esr45-based Tor Browser
   * Bug 17790: Add unit tests for keyboard fingerprinting defenses
   * Bug 18995: Regression test to ensure CacheStorage is disabled
   * Bug 18912: Add automated tests for updater cert pinning
   * Bug 16728: Add test cases for favicon isolation
   * Bug 18976: Remove some FTE bridges
 * Windows
   * Bug 13419: Support ICU in Windows builds
   * Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
   * Bug 18767: Context menu is broken on Windows in ESR 45 based Tor
     Browser
 * OS X
   * Bug 6540: Support OS X Gatekeeper
   * Bug 13252: Tor Browser should not store data in the application bundle
   * Bug 18951: HTTPS-E is missing after update
   * Bug 18904: meek-http-helper profile not updated
   * Bug 18928: Upgrade is not smooth (requires another 

[Tails-dev] Tor Browser 5.5.1 is ready for testing

2016-02-03 Thread Georg Koppen
Hi,

Tor Browser 5.5.1 is ready for testing and bundles can be found on:

https://people.torproject.org/~gk/builds/5.5.1-build1/

This release mainly fixes regressions due to our switch to 5.5 that
affected the usability of Tor Browser: font support got improved and
Iframes using window.name are handled properly.

Please test!

Here is the full changelog:

Tor Browser 5.5.1 -- February 4 2016
 * All Platforms
   * Bug 18168: Don't clear an iframe's window.name (fix of #16620)
   * Bug 18172: Add Emoji support
   * Bug 18137: Add two new obfs4 default bridges
 * Windows
   * Bug 18169: Whitelist zh-CN UI font

Georg




[Tails-dev] Tor Browser 5.5 is ready for testing

2016-01-22 Thread Georg Koppen
Hi,

We are excited to announce Tor Browser 5.5 being ready for testing.
Bundles can be found on:

https://people.torproject.org/~gk/builds/5.5-build1/

This release contains an update to various bundle components: Firefox to
ESR 38.6.0esr, libevent to 2.0.22-stable and NoScript to 2.9.0.2.

Moreover, there are a bunch of new features worth mentioning. Above
all, we provide a defense against font enumeration attacks which we
developed over the last weeks and months. While there is still room for
improvement it closes an important gap in our fingerprinting defenses.

We ship Japanese bundles, start showing local change notes after an
update, isolate Shared Workers to the first-party domain, improved our
keyboard fingerprinting defense and added the onion service URL for the
DuckDuckGo search engine to name a few of the further features and bug
fixes.

Happy testing!

The full changelog since 5.0.7 is:

Tor Browser 5.5 -- January 26 2016
 * All Platforms
   * Update Firefox to 38.6.0esr
   * Update libevent to 2.0.22-stable
   * Update NoScript to 2.9.0.2
   * Update Torbutton to 1.9.4.3
     * Bug 16990: Show circuit display for connections using multi-party
       channels
     * Bug 18019: Avoid empty prompt shown after non-en-US update
     * Bug 18004: Remove Tor fundraising donation banner
     * Bug 16940: After update, load local change notes
     * Bug 17108: Polish about:tor appearance
     * Bug 17568: Clean up tor-control-port.js
     * Bug 16620: Move window.name handling into a Firefox patch
     * Bug 17351: Code cleanup
     * Translation updates
   * Update Tor Launcher to 0.2.7.8
     * Bug 18113: Randomly permutate available default bridges of chosen
       type
   * Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
   * Bug 10140: Add new Tor Browser locale (Japanese)
   * Bug 17428: Remove Flashproxy
   * Bug 13512: Load a static tab with change notes after an update
   * Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
   * Bug 15564: Isolate SharedWorkers by first-party domain
   * Bug 16940: After update, load local change notes
   * Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
   * Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of
     #15646)
   * Bug 17790: Map the proper SHIFT characters to the digit keys (fix
     of #15646)
   * Bug 17369: Disable RC4 fallback
   * Bug 17442: Remove custom updater certificate pinning
   * Bug 16620: Move window.name handling into a Firefox patch
   * Bug 17220: Support math symbols in font whitelist
   * Bug 10599+17305: Include updater and build patches needed for
     hardened builds
   * Bug 18115+18102+18071+18091: Update/add new obfs4 bridge
   * Bug 18072: Change recommended pluggable transport type to obfs4
   * Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
   * Bug 16322: Use onion address for DuckDuckGo search engine
   * Bug 17917: Changelog after update is empty if JS is disabled
 * Windows
   * Bug 17250: Add localized font names to font whitelist
   * Bug 16707: Allow more system fonts to get used on Windows
   * Bug 13819: Ship expert bundles with console enabled
   * Bug 17250: Fix broken Japanese fonts
   * Bug 17870: Add intermediate certificate for authenticode signing
 * OS X
   * Bug 17122: Rename Japanese OS X bundle
   * Bug 16707: Allow more system fonts to get used on OS X
   * Bug 17661: Whitelist font .Helvetica Neue DeskInterface
 * Linux
   * Bug 16672: Don't use font whitelisting for Linux users

Georg




[Tails-dev] Tor Browser 5.0.7 is ready for testing

2016-01-06 Thread Georg Koppen
Hi,

Tor Browser 5.0.7 is ready for testing. Bundles can be found on

https://people.torproject.org/~gk/builds/5.0.7-build1/

This release mainly fixes a serious crash bug in one of our patches
which is why we plan to get the new bundles out within the next 24
hours. Please give them some testing if you can.

The full changelog is:

Tor Browser 5.0.7 -- January 7 2016
 * All Platforms
   * Update NoScript to 2.9
   * Update HTTPS Everywhere to 5.1.2
   * Bug 17931: Tor Browser crashes in LogMessageToConsole()
   * Bug 17875: Discourage editing of torrc-defaults

Georg




[Tails-dev] Tor Browser 5.0.5 is ready for testing

2015-12-12 Thread Georg Koppen
Hello tor-qa people!

Tor Browser 5.0.5 is ready for testing. Bundles can be found on

https://people.torproject.org/~gk/builds/5.0.5-build1/

Apart from the usual Firefox update (to version 38.5.0esr) this release
features a new Tor (0.2.7.6) + an updated OpenSSL (1.0.1q), NoScript
(2.7) and HTTPS-Everywhere (5.1.1). Moreover, we fixed an annoying bug
in our circuit display (circuits weren't visible sometimes) and improved
our fingerprinting defense against MIME type enumeration.

After testing the new build process for HTTPS-Everywhere in the last
alpha (5.5a4) we made the necessary changes to the code for the stable
channel as well. This allows us to ship the latest HTTPS-Everywhere
versions again.

Last but not least: A number of bundles (en-US, de, fa, fr, nl, ru, tr
and zh-CN ones) will have a donation banner activated encouraging users
to donate money to us. Testing (the layout of) it in these locales on
different operating systems would be especially helpful. The banner is
visible on the about:tor page and should be so only ten times. It
features either Roger or Laura or Cory which is randomly chosen.

There are other features/bug fixes coming with this release which can be
found in the full changelog:

Tor Browser 5.0.5 -- December 15 2015
 * All Platforms
   * Update Firefox to 38.5.0esr
   * Update Tor to 0.2.7.6
   * Update OpenSSL to 1.0.1q
   * Update NoScript to 2.7
   * Update HTTPS Everywhere to 5.1.1
   * Update Torbutton to 1.9.3.7
     * Bug 16990: Avoid matching '250 ' to the end of node name
     * Bug 17565: Tor fundraising campaign donation banner
     * Bug 17770: Fix alignments on donation banner
     * Bug 17792: Include donation banner in some non en-US Tor Browsers
     * Translation updates
   * Bug 17207: Hide MIME types and plugins from websites
   * Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
   * Bug 16863: Avoid confusing error when loop.enabled is false
   * Bug 17502: Add a preference for hiding "Open with" on download dialog
   * Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
   * Bug 16441: Suppress "Reset Tor Browser" prompt
   * Bug 17747: Add ndnop3 as new default obfs4 bridge

Georg




[Tails-dev] Tor Browser 5.0.4 release -- build5?

2015-11-02 Thread Georg Koppen
Hi,

we are pondering rebundling for the 5.0.4 release once more to include
the fix for https://bugs.torproject.org/17473.

As far as I can see Tails is not including meek yet, correct? Thus, your
release plans should not be affected by a tentative build5 (meaning you
could just stick with build4 as build5 would only change the meek-amazon
fingerprint). Am I missing something?

Georg




Re: [Tails-dev] Tor Browser 5.0.4 release -- build5?

2015-11-02 Thread Georg Koppen
anonym:
> Georg Koppen:
>> As far as I can see Tails is not including meek yet, correct? Thus, your
>> release plans should not be affected by a tentative build5 (meaning you
>> could just stick with build4 as build5 would only change the meek-amazon
>> fingerprint). Am I missing something?
> 
> You are correct. If that is exactly the only change, then I believe
> there's no problem with us staying with -build4 since we will ship the
> same files thanks to reproducible builds.

Well, there is the changelog update, too, but apart from that a build5
would be the same as build4.

Georg

> Cheers!
> 

[Tails-dev] Tor Browser 5.0.4 is ready for testing

2015-10-30 Thread Georg Koppen
Hi,

Tor Browser 5.0.4 is ready for testing. Binaries can be found on

https://people.torproject.org/~gk/builds/5.0.4-build4/

It features an updated Firefox (38.4.0esr) and a number of other
improvements. Most notably, we included Yan Zhu's fix for not leaking
the Referer header when leaving a .onion domain. Additionally, this
release contains an updated NoScript version and minor bug fixes and
clean-ups.

Here is the full changelog:

Tor Browser 5.0.4 -- November 3 2015
 * All Platforms
   * Update Firefox to 38.4.0esr
   * Update NoScript to 2.6.9.39
   * Update Torbutton to 1.9.3.5
     * Bug 9263: Spoof Referer when leaving a .onion domain
     * Bug 16735: about:tor should accommodate different fonts/font sizes
     * Bug 16937: Don't translate the homepage/spellchecker dictionary
       string
     * Bug 17164: Don't show text-select cursor on circuit display
     * Bug 17351: Remove unused code
     * Translation updates
   * Bug 16937: Remove the en-US dictionary from non en-US Tor Browser
     bundles
   * Bug 17318: Remove dead ScrambleSuit bridge
   * Bug 16983: Isolate favicon requests caused by the tab list dropdown
   * Bug 17102: Don't crash while opening a second Tor Browser
 * Windows:
   * Bug 16906: Don't depend on Windows crypto DLLs
 * Linux:
   * Bug 17329: Ensure that non-ASCII characters can be typed (fixup of
     #5926)

Georg




[Tails-dev] Fwd: [tor-qa] Tor Browser 5.0.3 is ready for testing

2015-09-19 Thread Georg Koppen
FYI

Georg

 Forwarded Message 
Subject: [tor-qa] Tor Browser 5.0.3 is ready for testing
Date: Sat, 19 Sep 2015 00:46:57 -0700
From: Mike Perry 
To: tor...@lists.torproject.org

The 5.0.3 release is up and ready for testing. The target release date
is Tuesday, Sept 22:
https://people.torproject.org/~mikeperry/builds/5.0.3-build3/

The most important things to test here are likely:

1. NoScript script blocking behavior, esp with respect to the higher
security levels
2. Keyboard behavior with Google Docs, etherpad, and other webapps (esp
hotkeys)
3. Non-English bundles, esp wrt keyboard activity and general site behavior
4. The PDF viewer, esp saving PDFs

Here is the complete changelog:
 * All Platforms
   * Update Firefox to 38.3.0esr
   * Update Torbutton to 1.9.3.4
     * Bug 16887: Update intl.accept_languages value
     * Bug 15493: Update circuit display on new circuit info
     * Bug 16797: brandShorterName is missing from brand.properties
     * Bug 14429: Make sure the automatic resizing is disabled
     * Translation updates
   * Bug 7446: Tor Browser should not "fix up" .onion domains (or any
     domains)
   * Bug 16837: Disable Firefox Hotfix updates
   * Bug 16855: Allow blobs to be downloaded on first-party pages (fixes
     mega.nz)
   * Bug 16781: Allow saving pdf files in built-in pdf viewer
   * Bug 16842: Restore Media tab on Page information dialog
   * Bug 16727: Disable about:healthreport page
   * Bug 16783: Normalize NoScript default whitelist
   * Bug 16775: Fix preferences dialog with security slider set to "High"
   * Bug 13579: Update download progress bar automatically
   * Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
   * Bug 17046: Event.timeStamp should not reveal startup time
   * Bug 16872: Fix warnings when opening about:downloads
   * Bug 17097: Fix intermittent crashes when using the print dialog
 * Windows
  * Bug 16906: Fix Mingw-w64 compilation breakage
 * OS X
  * Bug 16910: Update copyright year in OS X bundles


-- 
Mike Perry




[Tails-dev] Tor Browser 5.0.2 is ready for testing

2015-08-27 Thread Georg Koppen
Hi,

Tor Browser 5.0.2 is ready for testing. Bundles can be found at

https://people.torproject.org/~mikeperry/builds/5.0.2-build2/

This release contains an update to Firefox 38.2.1 ESR and a small fix
for icons on Linux launchers. Moreover, we bumped NoScript to the most
recent version. Note: we did not do this for HTTPS-Everywhere due to
https://bugs.torproject.org/16909 and the very tight release schedule
(we plan to ship 5.0.2 in a couple of hours).

The full changelog is:

Tor Browser 5.0.2 -- August 27 2015
 * All Platforms
   * Update Firefox to 38.2.1esr
   * Update NoScript to 2.6.9.36
 * Linux
   * Bug 16860: Avoid duplicate icons on Unity and Gnome

Georg




[Tails-dev] Tor Browser 5.0.1 is ready for testing

2015-08-18 Thread Georg Koppen
Hi,

Tor Browser 5.0.1 is ready for testing. Bundles can be found at

https://people.torproject.org/~mikeperry/builds/5.0.1-build1/

The only thing these bundles fix is a crash bug which slipped
through during our alpha cycle and QA. For details see:
https://bugs.torproject.org/16771.

There are reports the crash happens on Google Maps with steps like

1. Open Tor Browser
2. Go to Google Maps (maps.google.com)
3. Edit the URL to be .com instead of whatever ccTLD I landed on
4. search for something
5. click a marker
6. drag around
7. Repeat 5-7 until crash, usually takes 5-45 seconds.

However, it might be easier to test whether this bug is fixed if you
omit step 3.

Tumblr seems to be affected as well. Testing there using the following
steps might help, too:

After logged into tumblr, infinite scrolling down causes TBB 5 for
Linux x64 to crash after about 2-3 pages.

Georg




Re: [Tails-dev] [tor-qa] Tor Browser 5.0 is ready for testing!

2015-08-09 Thread Georg Koppen
Mike Perry:
> https://people.torproject.org/~mikeperry/builds/5.0-build2/
>
> This release is our first stable release based on Firefox 38-ESR. We've
> done a lot of work to ensure that this release is minimally disruptive
> in terms of changes to the UI/UX, but some hacks were needed, especially
> to ensure the Tiles feature was disabled, and to clean up the NoScript
> whitelist.
>
> The current Firefox 31-ESR is end-of-life on Tuesday, August 11th, so we
> need to switch all users to 5.0 for them to pick up security updates. As
> such, extra testing would be appreciated!

FWIW: One thing we already found and which unfortunately makes a build3
necessary is the incompatibility with the localized language packs. I
was under the impression (wrongly as it turns out) that Mozilla fixed
their versioning scheme we get with the git checkouts starting with
their esr38 cycle and forgot to doublecheck that.

Georg

 
> Here is the complete changelog since 4.5.3:
>  * All Platforms
>    * Update Firefox to 38.2.0esr
>    * Update OpenSSL to 1.0.1p
>    * Update HTTPS-Everywhere to 5.0.7
>    * Update NoScript to 2.6.9.34
>    * Update meek to 0.20
>    * Update Tor to 0.2.6.10 with patches:
>      * Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name
>        checks.
>      * Bug 16430: Allow DNS names with _ characters in them (fixes
>        nytimes.com)
>      * Bug 15482: Don't allow circuits to change while a site is in use
>    * Update Torbutton to 1.9.3.2
>      * Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
>      * Bug 16730: Reset NoScript whitelist on upgrade
>      * Bug 16722: Prevent Tiles feature from being enabled after upgrade
>      * Bug 16488: Remove Sign in to Sync from the browser menu (fixup)
>      * Bug 16268: Show Tor Browser logo on About page
>      * Bug 16639: Check for Updates menu item can cause update download
>        failure
>      * Bug 15781: Remove the sessionstore filter
>      * Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
>      * Bug 16427: Use internal update URL to block updates (instead of
>        127.0.0.1)
>      * Bug 16200: Update Cache API usage and prefs for FF38
>      * Bug 16357: Use Mozilla API to wipe permissions db
>      * Bug 14429: Make sure the automatic resizing is disabled
>      * Translation updates
>    * Update Tor Launcher to 0.2.7.7
>    * Bug 16730: Prevent NoScript from updating the default whitelist
>    * Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
>    * Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
>    * Bug 16884: Prefer IPv6 when supported by the current Tor exit
>    * Bug 16488: Remove Sign in to Sync from the browser menu
>    * Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
>    * Bug 15703: Isolate mediasource URIs and media streams to first party
>    * Bug 16429+16416: Isolate blob URIs to first party
>    * Bug 16632: Turn on the background updater and restart prompting
>    * Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and
>      elsewhere
>    * Bug 16523: Fix in-browser JavaScript debugger
>    * Bug 16236: Windows updater: avoid writing to the registry
>    * Bug 16625: Fully disable network connection prediction
>    * Bug 16495: Fix SVG crash when security level is set to High
>    * Bug 13247: Fix meek profile error after browser restarts
>    * Bug 16005: Relax WebGL minimal mode
>    * Bug 16300: Isolate Broadcast Channels to first party
>    * Bug 16439: Remove Roku screencasting code
>    * Bug 16285: Disabling EME bits
>    * Bug 16206: Enforce certificate pinning
>    * Bug 15910: Disable Gecko Media Plugins for now
>    * Bug 13670: Isolate OCSP requests by first party domain
>    * Bug 16448: Isolate favicon requests by first party
>    * Bug 7561: Disable FTP request caching
>    * Bug 6503: Fix single-word URL bar searching
>    * Bug 15526: ES6 page crashes Tor Browser
>    * Bug 16254: Disable GeoIP-based search results.
>    * Bug 16222: Disable WebIDE to prevent remote debugging and addon
>      downloads.
>    * Bug 13024: Disable DOM Resource Timing API
>    * Bug 16340: Disable User Timing API
>    * Bug 14952: Disable HTTP/2
>    * Bug 1517: Reduce precision of time for Javascript
>    * Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
>    * Bug 16311: Fix navigation timing in ESR 38
>  * Windows
>    * Bug 16014: Staged update fails if meek is enabled
>    * Bug 16269: repeated add-on compatibility check after update (meek
>      enabled)
>  * Mac OS
>    * Use OSX 10.7 SDK
>    * Bug 16253: Tor Browser menu on OS X is broken with ESR 38
>    * Bug 15773: Enable ICU on OS X
>  * Build System
>    * Bug 16351: Upgrade our toolchain to use GCC 5.1
>    * Bug 15772 and child tickets: Update build system for Firefox 38
>    * Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
>    * Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
 

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails

2015-08-07 Thread Georg Koppen
Jacob Appelbaum:
> On 8/7/15, Georg Koppen g...@torproject.org wrote:
>> Jacob Appelbaum:
>>> On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
>>>> Hello,
>>>>
>>>> I disagree with your analysis;
>>>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>>>> stealing, please keep in mind that an attacker can access every Firefox
>>>> files, like cookies (stealing sessions), stored passwords, changing
>>>> preferences (remember http://net.ipcalf.com/ ?), executing code inside
>>>> the browser, …
>>>
>>> I believe that the newest Tor Browser alpha will provide a fix. I hope
>>> Mike will chime in here...
>>
>> I don't know what kind of fix you have in mind. All we'll provide is an
>> update to ESR 38.2.0. We are basically about to tag the things and start
>> building. ETA for the alpha is probably Tuesday.
>
> Ah ha - great. Thank you for chiming in!
>
> The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox
> 31.8.0) - so the new alpha won't change anything and the current
> browser shouldn't be impacted by it.
>
> Did I understand that correctly?

The stable Tor Browser, which Tails is using, should not be affected,
correct. The upcoming alpha fixes the problem for our current alpha,
5.0a4, which is already based on ESR 38.

Georg





Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails

2015-08-07 Thread Georg Koppen
Jacob Appelbaum:
> On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
>> Hello,
>>
>> I disagree with your analysis;
>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>> stealing, please keep in mind that an attacker can access every Firefox
>> files, like cookies (stealing sessions), stored passwords, changing
>> preferences (remember http://net.ipcalf.com/ ?), executing code inside
>> the browser, …
>
> I believe that the newest Tor Browser alpha will provide a fix. I hope
> Mike will chime in here...

I don't know what kind of fix you have in mind. All we'll provide is an
update to ESR 38.2.0. We are basically about to tag the things and start
building. ETA for the alpha is probably Tuesday.

That said Mozilla's reasoning for not doing a chemspill for ESR 31 was

we determined that the vulnerability isn't present in the current 31
ESR.

That's a quote from Liz Henry, the Firefox release manager.

Georg





[Tails-dev] Tor Browser 4.5.3 is ready for testing

2015-06-27 Thread Georg Koppen
Hello,

Tor Browser 4.5.3-build2 is up for testing at

https://people.torproject.org/~gk/builds/4.5.3-build2/

This release contains a security update of Firefox to version 31.8.0esr
and a bunch of other improvements, above all an updated OpenSSL (to
version 1.0.1o), a fix for a crash bug visible with the security slider
level set to High and a backport of a Tor patch to improve usability
on websites.

Here comes the full change log:

Tor Browser 4.5.3 -- June 30 2015
 * All Platforms
   * Update Firefox to 31.8.0esr
   * Update OpenSSL to 1.0.1o
   * Update NoScript to 2.6.9.27
   * Update Torbutton to 1.9.2.8
     * Bug 16403: Set search parameters for Disconnect
     * Bug 14429: Make sure the automatic resizing is disabled
     * Translation updates
   * Bug 16397: Fix crash related to disabling SVG
   * Bug 16403: Set search parameters for Disconnect
   * Bug 16446: Update FTE bridge #1 fingerprint
   * Tor patch backport
     * Bug 16430: Allow DNS names with _ characters in them (fixes
       nytimes.com)

Georg




Re: [Tails-dev] [tor-qa] Tor Browser 4.5.2 is ready for testing

2015-06-16 Thread Georg Koppen
Daniel Kahn Gillmor:
> On Fri 2015-06-12 15:13:18 -0400, Georg Koppen wrote:
>> We actually rebuilt parts of the 4.5.2 bundles mentioned above to
>> include the latest Tor (0.2.6.9) and above all a fixed OpenSSL (1.0.1n).
>
> Please use OpenSSL 1.0.1o, and not 1.0.1n.
>
> 1.0.1n had an ABI breakage which was fixed in 1.0.1o.  This might not be
> an issue for TBB in the common use case, particularly, if you're
> building all of TBB from source in one go, and nothing interacts with
> TBB's OpenSSL from outside TBB.  But if any of your components were
> built against 1.0.1m or earlier (or end up being built against 1.0.1o or
> later in the future) and they need to interact with the 1.0.1n, you risk
> memory corruption.

Thanks for this hint. We finally decided to ship Tor Browser with
OpenSSL 1.0.1n. I know this is not ideal but burning another two days
seemed not worth the issue given that using Tor Browser should be
working as expected. Moreover, upon further investigation we believe
that you can even point your browser to a system tor or compile your own
tor and put it into the respective Tor Browser directory without risking
memory corruption.

Georg




Re: [Tails-dev] [tor-qa] Tor Browser 4.5.2 is ready for testing

2015-06-12 Thread Georg Koppen
Georg Koppen:
> Hi,
>
> Tor Browser 4.5.2-build1 is up for testing:
>
> https://people.torproject.org/~gk/builds/4.5.2-build1/

We actually rebuilt parts of the 4.5.2 bundles mentioned above to
include the latest Tor (0.2.6.9) and above all a fixed OpenSSL (1.0.1n).
We plan to release 4.5.2 on Monday, June 15. If you have the time,
please give it a round of testing. The new bundles can be found on:

https://people.torproject.org/~gk/builds/4.5.2-build2/

Georg

 This release provides a fix for the Logjam attack (https://weakdh.org/)
 and updates a number of Tor Browser components: Tor to version 0.2.6.8,
 Torbutton to version 1.9.2.6, NoScript to version 2.6.9.26 and
 HTTPS-Everywhere to version 5.0.5. Moreover, it fixes a possible crash
 on Linux and avoids breaking the Add-ons page if Torbutton is disabled.
 
 Here is the full change log:
 
 Tor Browser 4.5.2 -- June 12 2015
  * All Platforms
    * Update Tor to 0.2.6.8
    * Update HTTPS-Everywhere to 5.0.5
    * Update NoScript to 2.6.9.26
    * Update Torbutton to 1.9.2.6
      * Bug 15984: Disabling Torbutton breaks the Add-ons Manager
      * Bug 14429: Make sure the automatic resizing is disabled
      * Translation updates
    * Bug 16130: Defend against logjam attack
    * Bug 15984: Disabling Torbutton breaks the Add-ons Manager
  * Linux
    * Bug 16026: Fix crash in GStreamer
    * Bug 16083: Update comment in start-tor-browser
 
 Georg
 
 
 
 





[Tails-dev] Tor Browser 4.5.2 is ready for testing

2015-06-05 Thread Georg Koppen
Hi,

Tor Browser 4.5.2-build1 is up for testing at:

https://people.torproject.org/~gk/builds/4.5.2-build1/

This release provides a fix for the Logjam attack (https://weakdh.org/)
and updates a number of Tor Browser components: Tor to version 0.2.6.8,
Torbutton to version 1.9.2.6, NoScript to version 2.6.9.26 and
HTTPS-Everywhere to version 5.0.5. Moreover, it fixes a possible crash
on Linux and avoids breaking the Add-ons page if Torbutton is disabled.

Here is the full change log:

Tor Browser 4.5.2 -- June 12 2015
 * All Platforms
   * Update Tor to 0.2.6.8
   * Update HTTPS-Everywhere to 5.0.5
   * Update NoScript to 2.6.9.26
   * Update Torbutton to 1.9.2.6
     * Bug 15984: Disabling Torbutton breaks the Add-ons Manager
     * Bug 14429: Make sure the automatic resizing is disabled
     * Translation updates
   * Bug 16130: Defend against logjam attack
   * Bug 15984: Disabling Torbutton breaks the Add-ons Manager
 * Linux
   * Bug 16026: Fix crash in GStreamer
   * Bug 16083: Update comment in start-tor-browser

Georg




[Tails-dev] Tor Browser 4.0.6 is ready for testing

2015-03-27 Thread Georg Koppen
Hi,

Tor Browser 4.0.6 is up for testing. Bundles can be found at:

https://people.torproject.org/~mikeperry/builds/4.0.6/

This release is based on ESR 31.6.0 and contains an update of
additionally. Please give it some testing.

The changelog is:

Tor Browser 4.0.6 -- Mar 31 2015
 * All Platforms
   * Update Firefox to 31.6.0esr
   * Update meek to 0.16

Georg




Re: [Tails-dev] [tor-qa] Tor Browser 4.0.6 is ready for testing

2015-03-27 Thread Georg Koppen
Georg Koppen:
 Hi,
 
 Tor Browser 4.0.6 is up for testing. Bundles can be found at:
 
 https://people.torproject.org/~mikeperry/builds/4.0.6/
 
 This release is based on ESR 31.6.0 and contains an update of

meek

 additionally. Please give it some testing.
 
 The changelog is:
 
 Tor Browser 4.0.6 -- Mar 31 2015
  * All Platforms
    * Update Firefox to 31.6.0esr
    * Update meek to 0.16
 
 Georg

Georg





Re: [Tails-dev] Fwd: [Mozilla Enterprise] Firefox ESR 31.5.2 release

2015-03-21 Thread Georg Koppen
intrigeri:
 Hi,
 
 seems like we should start preparing an emergency point-release...
 what are you folks availability or lack thereof to prepare it, test
 it, and get it out of the door?

I have not had a chance to talk to Mike yet but my plan is to prepare an
emergency Tor Browser release with 31.5.3. I hope I have everything
ready to get the build going today.

Georg





Re: [Tails-dev] [tbb-dev] TBB in Tails: Release timing in general

2014-10-23 Thread Georg Koppen
Hi,

anonym:
 Hi,
 
 For years Tails has shipped with an Iceweasel with the (relevant) Tor
 Browser patches applied. It has worked ok, but it's been high
 maintenance, and keeping the preferences synced with TBB was a bit of a
 chore, among other issues. Since Tails 1.2 we've migrated to installing
 the Tor Browser from the actual (32-bit Linux) TBB tarballs you
 distribute. We're very much interested in your comments on how we do
 this, so please have a look at our design page: [1]
 
 [1] https://tails.boum.org/contribute/design/#index40h3

what does adding Adblock plus have for a benefit wrt to tracking
avoidance? To put it more precisely: In which cases are the defenses in
the current Tor Browser not adequate yet Adblock plus fixes this
situation (I could not find anything on the link you gave above about
it)? (might be a separate discussion, though)

 So, now we assume that the Tag date above also is the time when the
 tarballs are made available for download (and preferably announced on
 tor-qa@). Given that we want at least a +24 hours, this history doesn't
 look super promising for our (Tails') plans. I'm not sure the above
 assumption is very sound, though; for instance, the initial 4.0 tarballs
 (before the rebuild for POODLE but we're ignoring such exceptions) was
 announced on tor-qa@ on 2014-10-13 10:19:08 (UTC), which was 7 hours
 before the tbb-4.0-build1 tag.

Yes, this assumption may not hold in the current model we have, where we
build first to see whether we get matching builds and tag later. I am
not sure what would be a better model as not getting matching builds is
a blocker for us. Would it be possible for you to take the builds
announced on tor-qa instead of waiting for an official tag?

 However, do you think you can become such an upstream for Tails by
 trying to provide the time window detailed above? If you believe that
 window is too narrow, I suppose Tails could drop the same-day release
 goal and adopt a day-after release goal or possibly even later. What
 do you think is possible? How can we help?

We aim at the same-day release as well which means something like
starting builds Thursday/Friday before Mozilla's release on Tuesday,
getting builds to tor-qa by Monday and (given there are no serious
issues popping up) releasing on Tuesday. Having them sent to tor-qa by
18:00:00 (UTC) should be doable.

 To get a more concrete understanding of what exactly I'm proposing,
 let's use the next Tails release, 1.2.1, as an example: It's aimed to be
 released at 2014-11-25 18:00:00 (UTC), the same day as Firefox 31.3.0esr
 will be officially released. We'd need the (final) TBB (32-bit Linux)
 tarballs based on that Firefox version at the latest 24 hours before
 that, i.e. 2014-11-24 18:00:00 (UTC). Does that seem reasonable? I'm
 actually genuinely interested in an answer to this specific question,
 since I'm writing the Tails 1.2.1 release schedule as we speak and may
 have to adjust it if this turns out difficult for you to promise.

We can try. How hard would it be for you to promise the
day-after-release and while trying to get Tails released the same day,
though? Does this buy you anything?

Georg



