Tor Browser 6.0a5 is released

A new alpha Tor Browser release is available for download in the 6.0a5 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

This will probably be our last alpha release before the stable 6.0 and it contains a bunch of noteworthy changes.

First, we switched the browser to Firefox ESR 45 and rebased our old patches/wrote new ones where necessary.

Second, we ship a new Tor alpha version, 0.2.8.2, which makes meek usable again and contains a number of other improvements/stability fixes.

Third, this alpha release introduces code signing for OS X in order to cope with Gatekeeper, the OS X mechanism for allowing only authorized applications to run. There were bundle layout changes necessary to adhere to code signing requirements. Please test that everything is still working as expected if you happen to have an OS X machine. We plan to post instructions for removing the code signing parts on our website soon. This should make it easier to compare the bundles we build with the actual bundles we ship.

The fourth highlight is the fix for an installer related DLL hijacking vulnerability. This vulnerability made it necessary to deploy a newer NSIS version to create our .exe files. Please test that the installer is still working as expected if you happen to have a Windows machine.

Known issues:

• It seems there is a bug regarding our search engine selection in non-en-US bundles. The search engines actually used are the ones contained in the respective language packs but not those we ship. There is no easy workaround for this short of disabling the language pack or adding the search engines one wants to have by hand. We are sorry for this inconvenience.
• An other issue is an error "Unable to start tor" after upgrading from an older version, on Mac OS (Bug 18928). Quitting and restarting a second time should fix the problem.
• A third issue we found is the missing HTTPS-Everywhere extension in Mac OS bundles after an update from previous Tor Browser versions. Workarounds are either installing HTTPS-Everywhere manually from EFF's website or using a clean, new 6.0a5 Mac OS bundle.

Here is the full changelog since 6.0a4:

Tor Browser 6.0a5 -- April 28 2016

• All Platforms
  • Update Firefox to 45.1.0esr
  • Update Tor to 0.2.8.2-alpha
  • Update Torbutton to 1.9.5.3
    • Bug 18466: Make Torbutton compatible with Firefox ESR 45
    • Translation updates
  • Update Tor Launcher to 0.2.9.1
    • Bug 13252: Do not store data in the application bundle
    • Bug 10534: Don't advertise the help desk directly anymore
    • Translation updates
  • Update HTTPS-Everywhere to 5.1.6
  • Update NoScript to 2.9.0.11
  • Update meek to 0.22 (tag 0.22-18371-2)
    • Bug 18371: Symlinks are incompatible with Gatekeeper signing
  • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
  • Bug 18900: Fix broken updater on Linux
  • Bug 18042: Disable SHA1 certificate support
  • Bug 18821: Disable libmdns support for desktop and mobile
  • Bug 18848: Disable additional welcome URL shown on first start
  • Bug 14970: Exempt our extensions from signing requirement
  • Bug 16328: Disable MediaDevices.enumerateDevices
  • Bug 16673: Disable HTTP Alternative-Services
  • Bug 17167: Disable Mozilla's tracking protection
  • Bug 18603: Disable performance-based WebGL fingerprinting option
  • Bug 18738: Disable Selfsupport and Unified Telemetry
  • Bug 18799: Disable Network Tickler
  • Bug 18800: Remove DNS lookup in lockfile code
  • Bug 18801: Disable dom.push preferences
  • Bug 18802: Remove the JS-based Flash VM (Shumway)
  • Bug 18863: Disable MozTCPSocket explicitly
  • Bug 15640: Place Canvas MediaStream behind site permission
  • Bug 16326: Verify cache isolation for Request and Fetch APIs
  • Bug 18741: Fix OCSP and favicon isolation for ESR 45
  • Bug 16998: Disable <link rel="preconnect"> for now
  • Bug 18898: Exempt the meek extension from the signing requirement as well
  • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
  • Bug 18890: Test importScripts() for cache and network isolation
  • Bug 18726: Add new default obfs4 bridge (GreenBelt)
• Windows
  • Bug 13419: Support ICU in Windows builds
  • Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
  • Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser
• OS X
  • Bug 6540: Support OS X Gatekeeper
  • Bug 13252: Tor Browser should not store data in the application bundle
• Build System
  • All Platforms
    • Bug 18127: Add LXC support for building with Debian guest VMs
    • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
  • Windows
    • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
    • Bug 18290: Bump mingw-w64 commit we use
  • OS X
    • Bug 18331: Update toolchain for Firefox 45 ESR
    • Bug 18690: Switch to Debian Wheezy guest VMs
  • Linux
    • Bug 18699: Stripping fails due to obsolete Browser/components directory
    • Bug 18698: Include libgconf2-dev for our Linux builds