DO NOT OVERWRITE THE OLD VERSION, instead extract it to a new folder, because the folder structure was changed to make the auto-updater feature work. The auto-update feature is not enabled by default. There is still on-going work for this feature, which can be turned on under “Help > About”, at your own risk.
This release takes care of the attack on SSLv3, includes security fixes from Firefox and changes the behavior of NoScript.
The mentioned change regarding NoScript (applies to TorBrowser) is that you can enable/disable JavaScript on a site with all sub-elements. This change will allow more users to make use of disabling and enabling JavaScript. It is planned to have JavaScript turned off by a recommended setting. The TorBrowser still has to implement the security slider.
Tails 1.2.2 contains the fix for the NSS flaw, so you are advised to upgrade as soon as you can.
It just contains security fixes to software that it uses.
- Security fixes
- Upgrade the web browser to 24.8.0esr-0+tails3~bpo70+1
- Install Linux 3.16-1
- Numerous other software upgrades that fix security issues: GnuPG, APT, DBus, Bash, and packages built from the bind9 and libav source packages
The Tor Browser is based on Firefox. Firefox uses NSS (like Chrome) which contained a flaw. This release contains the fixed version. If you are using Firefox, Chrome or Tor Browser you are strongly advised to update.
As always you can get a fresh copy of it here.
Here is what has changed in the Tor Browser:
- All Platforms
- Update Tor to tor-0.2.4.24
- Update Firefox to 24.8.1esr
- Update NoScript to 2.6.8.42
- Update HTTPS Everywhere to 4.0.1
- Bug 12998: Prevent intermediate certs from being written to disk
- Update Torbutton to 1.6.12.3
- Bug 13091: Use “Tor Browser” everywhere
- Bug 10804: Workaround fix for some cases of startup hang
- Linux
- Bug 9150: Make RPATH unavailable on Tor binary.
Tor Browser 3.6.5 has been released. The main reason to update are the bugs that have been fixed in the underlying Firefox version. More details about them here.
Like always you can download it from its main website or from one of the mirrors. Which you probably have if you are reading it here instead of following the Tor Blog, which would be much easier and faster, so I assume that it is blocked for you.
The changes are:
- All Platforms
- Update Firefox to 24.8.0esr
- Update NoScript to 2.6.8.39
- Update HTTPS Everywhere to 4.0.0
- Update Torbutton to 1.6.12.1
- Bug 12684: New strings for canvas image extraction message
- Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
- Bug 9531: Workaround to avoid rare hangs during New Identity
- Bug 12684: Improve Canvas image extraction permissions prompt
- Bug 7265: Only prompt for first party canvas access. Log all scripts
that attempt to extract canvas images to Browser console. - Bug 12974: Disable NTLM and Negotiate HTTP Auth
- Bug 2874: Remove Components.* from content access (regression)
- Bug 9881: Open popups in new tabs by default
- Linux:
- Bug 12103: Adding RELRO hardening back to browser binaries.
To those who use Tails it should be no surprise that there was an update.
You are advised to upgrade as soon as you can.
The following has been changed:
- Security fixes
- Upgrade the web browser to 24.8.0esr-0+tails1~bpo70+1 (Firefox 24.8.0esr + Iceweasel patches + Torbrowser patches).
- Add an I2P boot parameter. Without adding “i2p” to the kernel command line, I2P will not be accessible for the Live user. I2P was also upgraded to 0.9.14.1-1~deb7u+1, and stricter firewall rules are applied to it, among other security enhancements.
- Upgrade Tor to 0.2.4.23-2~d70.wheezy+1 (fixes CVE-2014-5117).
- Upgrade Linux to 3.14.15-2 (fixes CVE-2014-3534, CVE-2014-4667 and CVE-2014-4943).
- Prevent dhclient from sending the hostname over the network (ticket #7688).
- Override the hostname provided by the DHCP server (ticket #7769).
- Bugfixes
- Don’t ship OpenJDK 6: I2P prefers v7, and we don’t need both (ticket #7807).
- Prevent Tails Installer from updating the system partition properties on MBR partitions (ticket #7716).
- Minor improvements
- Upgrade to Torbutton 1.6.12.1.
- Install gnome-user-guide (ticket #7618).
- Install cups-pk-helper (ticket #7636).
- Update the SquashFS sort file, which should speed up boot from DVD (ticket #6372).
- Compress the SquashFS more aggressively (ticket #7706) which should make the Tails ISO image smaller.
This release includes a new OpenSSL version, because it got some holes plugged. Additionally this release includes a change within Tor that issues a log message if some relay tries an RELAY_EARLY attack. Viewing the log is now easier because you don’t have to copy it to clipboard and paste it somewhere. Now you can see the entries on the browser console.
You are urged to update from whatever version you have to the latest, because Firefox got some holes plugged.
Like always, you can download it from its usual place. Mirrors should have updated by now.
Here are just the changes against the previous version:
- Bug 12221: Remove obsolete Javascript components from the toggle era
- Bug 10819: Bind new third party isolation pref to Torbutton security UI
- Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
I’m sure you are aware of the fact that Tails 1.1. has been released.
Like with all previous releases you are supposed to update it. It seems the best option would be USB device you can boot from as this saves you from burning DVD after DVD. Plus updating the USB device is much easier.
Please just download it form where you are used to get it from.
Before we get to the changes, let me tell you that there is a exploit dealer that claimed to know a vulnerability in Tails 1.0 and that by the looks of it, it would not be fixed by 1.1. However this should not hold you back from updating, because other bugs have been fixed. The issue is being worked on.
This is no “news” anymore, since it is from the 9th, but I missed it.
Please update as soon as you can. Apparently you have found the mirrors anyway. Please excuse my delay in reporting the update.
Changes:
- All Platforms
- Update Firefox to 24.6.0esr
- Update OpenSSL to 1.0.1h
- Update NoScript to 2.6.8.28
- Update Tor to 0.2.4.22
- Update Tor Launcher to 0.2.5.5
- Update Torbutton to 1.6.10.0
- Bug 11629: Support proxies with Pluggable Transports
- Updates FTEProxy to 0.2.15
- Updates obfsproxy to 0.2.9
- Backported Tor Patches:
- Bug 11654: Fix malformed log message in bug11156 patch.
- Bug 10425: Add in Tor’s geoip6 files to the bundle distribution
- Bugs 11834 and 11835: Include Pluggable Transport documentation
- Bug 9701: Prevent ClipBoardCache from writing to disk.
- Bug 12146: Make the CONNECT Host header the same as the Request-URI.
- Bug 12212: Disable deprecated webaudio API
- Bug 11253: Turn on TLS 1.1 and 1.2.
- Bug 11817: Don’t send startup time information to Mozilla.
bastikononion
roastedonion 
The Tor Project speaks out against online harassment
This “blog” has been silent for the most part, since the TorBrowser is supposed to update itself. This means I decided to just announce new major releases like 4.5 and 5 and so on. The reason I write something today is that the Tor Project speaks out against online harassment. In their blogpost “Solidarity against online harassment” they lay out the reason why the decided to speak out against (online) harassment and then they do speak out against (online) harassment.
If you like you can have your name put under the statement. With other words you can sign the statement, too if you like to do so. I did, even if I had initial problems with the order of the paragraphs, but it is arguable that the chosen order is more honest. I had and still have a problem with certain wordings and phrases as they appear one-sided and exclusively related to certain kind of people. However I assumed that this is and was not the intention behind it and as I think it is important to speak out against (online) harassment, so I put my name under it. (Sebastian “bastik” G.)
I think the issue of harassment is an important one. To me it’s a social issue. By no means it should be a gender issue, or a race issue or any other type of issue. It is something that exists within society and affects society, so no group shall have a monopoly in being allowed to talk about the issue. Speaking out against (online) harassment can occur in one way or another, surely it’s easy to talk from a moral high-ground, although that might not even be present for certain people, it is much more honest to admit to be part of society that either tolerates or enables (online) harassment or is silent about it. Often it is, and often I am part of that, a silent majority that disagrees with the treatment of people, but remains silent.
For me the freedom of speech is rather important and I’d like you to have the right to say as you please, but obviously that does not mean that either you nor I have the right to stay uncorrected or having committed a fallacy or being called out for harassment. Although I rather tolerate you insulting me, while you remain anonymous (and so may I) without having you revoked your freedom of speech and without having you to give up your anonymity, I’d prefer to have a conversation about the underlying topic.
I argued before that anonymity does not lead to harassment, because anonymity is a bad thing. Anonymity gives people a chance to be like they would be when they would be as they could be. People misuse their freedom of speech, sometimes because they are not aware of not having the privilege of freedom of speech. Anonymity give a people the chance to be like they really are, in part or as a whole. That is either good, as they can be brutally honest without having to fear be personally labeled and so on, or bad as they can harass others.
Saying something disagreeable either anonymous or not, should be handled in regard of what was said or what it implies and argued against by the same merits, not falling off to pick up or return personal slurs.
At times it arguably requires thick skin to speak out publicly (anonymous or not) and I think we should maintain that thick skin for ourselves. Not becoming over-sensitive and calling out harassment for fairly minor things. Let’s stick to speak out against harassment when we see it happen. That can mean to be more sensitive in the way it is seen. It can also mean to be more sensitive about statement oneself makes.
Please note that I don’t view “Your argument hurt my feelings.” as a valid argument. If anything it is a marker to check if the argument presented is reasonable. If someone argues that the earth revolves around the sun, rather than the other way around, that may hurt someones religious feelings, but getting complaints for it based on that should not lead to a change in your position, unless they also contain arguments against the statement, that seem sound.