Professional Documents
Culture Documents
3 -- March 8 2016
* All Platforms
* Update Firefox to 38.7.0esr
* Update OpenSSL to 1.0.1s
* Update NoScript to 2.9.0.4
* Update HTTPS Everywhere to 5.1.4
* Update Torbutton to 1.9.4.4
* Bug 16990: Don't mishandle multiline commands
* Bug 18144: about:tor update arrow position is wrong
* Bug 16725: Allow resizing with non-default homepage
* Translation updates
* Bug 18030: Isolate favicon requests on Page Info dialog
* Bug 18297: Use separate Noto JP,KR,SC,TC fonts
* Bug 18170: Make sure the homepage is shown after an update as well
* Windows
* Bug 18292: Disable staged updates on Windows
Tor Browser 5.5.2 -- February 12 2016
* All Platforms
* Update Firefox to 38.6.1esr
* Update NoScript to 2.9.0.3
Tor Browser 5.5.1 -- February 4 2016
* All Platforms
* Bug 18168: Don't clear an iframe's window.name (fix of #16620)
* Bug 18137: Add two new obfs4 default bridges
* Windows
* Bug 18169: Whitelist zh-CN UI font
* OS X
* Bug 18172: Add Emoji support
* Linux
* Bug 18172: Add Emoji support
Tor Browser 5.5 -- January 26 2016
* All Platforms
* Update Firefox to 38.6.0esr
* Update libevent to 2.0.22-stable
* Update NoScript to 2.9.0.2
* Update Torbutton to 1.9.4.3
* Bug 16990: Show circuit display for connections using multi-party channel
s
* Bug 18019: Avoid empty prompt shown after non-en-US update
* Bug 18004: Remove Tor fundraising donation banner
* Bug 16940: After update, load local change notes
* Bug 17108: Polish about:tor appearance
* Bug 17568: Clean up tor-control-port.js
* Bug 16620: Move window.name handling into a Firefox patch
* Bug 17351: Code cleanup
* Translation updates
* Update Tor Launcher to 0.2.7.8
* Bug 18113: Randomly permutate available default bridges of chosen type
* Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
* Bug 10140: Add new Tor Browser locale (Japanese)
* Bug 17428: Remove Flashproxy
* Bug 13512: Load a static tab with change notes after an update
* Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
* Bug 15564: Isolate SharedWorkers by first-party domain
* Bug 16940: After update, load local change notes
* Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
* Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
* Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646
)
*
*
*
*
*
Bug
Bug
Bug
Bug
Bug
ds
* Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
* Bug 18072: Change recommended pluggable transport type to obfs4
* Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
* Bug 16322: Use onion address for DuckDuckGo search engine
* Bug 17917: Changelog after update is empty if JS is disabled
* Windows
* Bug 17250: Add localized font names to font whitelist
* Bug 16707: Allow more system fonts to get used on Windows
* Bug 13819: Ship expert bundles with console enabled
* Bug 17250: Fix broken Japanese fonts
* Bug 17870: Add intermediate certificate for authenticode signing
* OS X
* Bug 17122: Rename Japanese OS X bundle
* Bug 16707: Allow more system fonts to get used on OS X
* Bug 17661: Whitelist font .Helvetica Neue DeskInterface
* Linux
* Bug 16672: Don't use font whitelisting for Linux users
Tor Browser 5.5a6-hardened -- January 7 2016
* All Platforms
* Update NoScript to 2.9
* Update HTTPS Everywhere to 5.1.2
* Bug 17931: Tor Browser crashes in LogMessageToConsole()
* Bug 17875: Discourage editing of torrc-defaults
Tor Browser 5.5a6 -- January 7 2016
* All Platforms
* Update NoScript to 2.9
* Update HTTPS Everywhere to 5.1.2
* Bug 17931: Tor Browser crashes in LogMessageToConsole()
* Bug 17875: Discourage editing of torrc-defaults
* Bug 17870: Add intermediate certificate for authenticode signing
Tor Browser 5.0.7 -- January 7 2016
* All Platforms
* Update NoScript to 2.9
* Update HTTPS Everywhere to 5.1.2
* Bug 17931: Tor Browser crashes in LogMessageToConsole()
* Bug 17875: Discourage editing of torrc-defaults
Tor Browser 5.5a5-hardened -- December 18 2015
* All Platforms
* Update Firefox to 38.5.0esr
* Update Tor to 0.2.7.6
* Update OpenSSL to 1.0.1q
* Update NoScript to 2.7
* Update Torbutton to 1.9.4.2
* Bug 16940: After update, load local change notes
* Bug 16990: Avoid matching '250 ' to the end of node name
* Bug 17565: Tor fundraising campaign donation banner
* Bug 17770: Fix alignments on donation banner
* Bug 17792: Include donation banner in some non en-US Tor Browsers
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
* Bug 17473:
* Bug 16983:
* Bug 17102:
* Windows:
* Bug 16906:
* Linux:
* Bug 17329:
* Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
* Bug 16311: Fix navigation timing in ESR 38
* Windows
* Bug 16014: Staged update fails if meek is enabled
* Bug 16269: repeated add-on compatibility check after update (meek enabled)
* Mac OS
* Use OSX 10.7 SDK
* Bug 16253: Tor Browser menu on OS X is broken with ESR 38
* Bug 15773: Enable ICU on OS X
* Build System
* Bug 16351: Upgrade our toolchain to use GCC 5.1
* Bug 15772 and child tickets: Update build system for Firefox 38
* Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
* Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
Tor Browser 5.0a4 -- August 3 2015
* All Platforms
* Update Tor to 0.2.7.2-alpha with patches:
* Bug 15482: Don't allow circuits to change while a site is in use
* Update OpenSSL to 1.0.1p
* Update HTTPS-Everywhere to 5.0.7
* Update NoScript to 2.6.9.31
* Update Torbutton to 1.9.3.1
* Bug 16268: Show Tor Browser logo on About page
* Bug 16639: Check for Updates menu item can cause update download failure
* Bug 15781: Remove the sessionstore filter
* Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
* Translation updates
* Bug 16884: Prefer IPv6 when supported by the current Tor exit
* Bug 16488: Remove "Sign in to Sync" from the browser menu
* Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
* Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
* Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
* Bug 15703: Isolate mediasource URIs and media streams to first party
* Bug 16429+16416: Isolate blob URIs to first party
* Bug 16632: Turn on the background updater and restart prompting
* Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhe
re
* Bug 16523: Fix in-browser JavaScript debugger
* Bug 16236: Windows updater: avoid writing to the registry
* Bug 16005: Restrict WebGL minimal mode a bit (fixup)
* Bug 16625: Fully disable network connection prediction
* Bug 16495: Fix SVG crash when security level is set to "High"
* Build System
* Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
Tor Browser 5.0a3 -- June 30 2015
* All Platforms
* Update Firefox to 38.1.0esr
* Update OpenSSL to 1.0.1o
* Update NoScript to 2.6.9.27
* Update meek to 0.20
* Tor patch backport
* Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
* Update Torbutton to 1.9.3.0
* Bug 16403: Set search parameters for Disconnect
* Bug 14429: Make sure the automatic resizing is disabled
* Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1
)
* Bug 16200: Update Cache API usage and prefs for FF38
* Translation updates
* Bug 16130: Defend against logjam attack
* Bug 15984: Disabling Torbutton breaks the Add-ons Manager
* Windows
* Bug 16014: Staged update fails if meek is enabled
* Bug 16269: repeated add-on compatibility check after update (meek enabled)
* Linux
* Bug 16026: Fix crash in GStreamer
* Bug 16083: Update comment in start-tor-browser
Tor Browser 4.5.2 -- June 15 2015
* All Platforms
* Update Tor to 0.2.6.9
* Update HTTPS-Everywhere to 5.0.5
* Update OpenSSL to 1.0.1n
* Update NoScript to 2.6.9.26
* Update Torbutton to 1.9.2.6
* Bug 15984: Disabling Torbutton breaks the Add-ons Manager
* Bug 14429: Make sure the automatic resizing is disabled
* Translation updates
* Bug 16130: Defend against logjam attack
* Bug 15984: Disabling Torbutton breaks the Add-ons Manager
* Linux
* Bug 16026: Fix crash in GStreamer
* Bug 16083: Update comment in start-tor-browser
Tor Browser 5.0a1 -- May 14 2015
* All Platforms
* Update Firefox to 31.7.0esr
* Update meek to 0.18
* Update Tor Launcher to 0.2.7.5
* Translation updates only
* Update Torbutton to 1.9.2.5
* Bug 15837: Show descriptions if unchecking custom mode
* Bug 15927: Force update of the NoScript UI when changing security level
* Bug 15915: Hide circuit display if it is disabled.
* Bug 14429: Improved automatic window resizing
* Translation updates
* Bug 15945: Disable NoScript's ClearClick protection for now
* Bug 15933: Isolate by base (top-level) domain name instead of FQDN
* Bug 15857: Fix file descriptor leak in updater that caused update failures
* Bug 15899: Fix errors with downloading and displaying PDFs
* Bug 15773: Enable ICU on OS X
* Bug 1517: Reduce precision of time for Javascript
* Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
* Bug 13875: Improve the spoofing of window.devicePixelRatio
* Windows
* Bug 15872: Fix meek pluggable transport startup issue with Windows 7
* Build System
* Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env v
ar
* Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Tor Browser 4.5.1 -- May 12 2015
* All Platforms
* Update Firefox to 31.7.0esr
* Update meek to 0.18
* Update Tor Launcher to 0.2.7.5
* Translation updates only
* Update Torbutton to 1.9.2.3
*
*
*
*
*
*
*
*
*
*
*
*
*
* All Platforms
* Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolatio
n
* Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
* Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33
)
* Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
* Bug 13301: Prevent extensions incompatibility error after upgrades
* Bug 13460: Fix MSVC compilation issue
* Bug 13504: Remove stale bridges from default bridge set
* Bug 13742: Fix domain isolation for content cache and disk-enabled browsing
mode
* Update Tor to 0.2.6.1-alpha
* Update NoScript to 2.6.9.3
* Update Torbutton to 1.8.1.1
* Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
* Bug 13019: Synchronize locale spoofing pref with our Firefox patch
* Bug 3455: Use SOCKS user+pass to isolate all requests from the same url d
omain
* Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
* Bug 13651: Prevent circuit-status related UI hang.
* Bug 13666: Various circuit status UI fixes
* Bugs 13742+13751: Remove cache isolation code in favor of direct C++ patc
h
* Bug 13746: Properly update third party isolation pref if disabled from UI
* Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
* Bug 12903: Include obfs4proxy pluggable transport
* Windows
* Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
* Bug 13558: Fix crash on Windows XP during download folder changing
* Bug 13091: Make app name "Tor Browser" instead of "Tor"
* Bug 13594: Fix update failure for Windows XP users
* Mac
* Bug 10138: Switch to 64bit builds for MacOS
Tor Browser 4.0.1 -- Oct 30 2014
* All Platforms
* Update Tor to 0.2.5.10
* Update NoScript to 2.6.9.3
* Bug 13301: Prevent extensions incompatibility error after upgrades
* Bug 13460: Fix MSVC compilation issue
* Windows
* Bug 13443: Disable DirectShow to prevent crashes on many sites
* Bug 13091: Make app name "Tor Browser" instead of "Tor"
Tor Browser 4.0 -- Oct 15 2014
* All Platforms
* Update Firefox to 31.2.0esr
* Update Torbutton to 1.7.0.1
* Bug 13378: Prevent addon reordering in toolbars on first-run.
* Bug 10751: Adapt Torbutton to ESR31's Australis UI.
* Bug 13138: ESR31-about:tor shows "Tor is not working"
* Bug 12947: Adapt session storage blocker to ESR 31.
* Bug 10716: Take care of drag/drop events in ESR 31.
* Bug 13366: Fix cert exemption dialog when disk storage is enabled.
* Update Tor Launcher to 0.2.7.0.1
* Translation updates only
* Udate fteproxy to 0.2.19
* Update NoScript to 2.6.9.1
* Bug 13416: Defend against new SSLv3 attack (poodle).
*
*
*
*
*
*
*
*
*
*
*
*
Bug
Bug
Bug
Bug
Bug
Bug
Bug
Bug
Bug
Bug
Bug
Bug
13027:
13016:
13356:
13025:
13346:
13318:
10715:
13023:
13021:
12460:
13186:
13028:
*
*
*
*
*
*
*
*
Bug
Bug
Bug
Bug
12146:
12212:
11253:
11817:
* Bug 10095: Fix some cases where resolution is not a multiple of 200x100
* Bug 10374: Clear site permissions on New Identity
* Bug 9738: Fix for auto-maximizing on browser start
* Bug 10682: Workaround to really disable updates for Torbutton
* Bug 10419: Don't allow connections to localhost if Torbutton is toggled
* Bug 10140: Move Japanese to extra locales (not part of TBB dist)
* Bug 10687: Add Basque (eu) to extra locales (not part of TBB dist)
* Update Tor Launcher to 0.2.4.4
* Bug 10682: Workaround to really disable updates for Tor Launcher
* Update NoScript to 2.6.8.13
Tor Browser Bundle 3.5.1 -- Jan 22 2014
* All Platforms
* Bug 10447: Remove SocksListenAddress to allow multiple socks ports.
* Bug 10464: Remove addons.mozilla.org from NoScript whitelist
* Bug 10537: Build an Arabic version of TBB 3.5
* Update Torbutton to 1.6.5.5
* Bug 9486: Clear NoScript Temporary Permissions on New Identity
* Include Arabic translations
* Update Tor Launcher to 0.2.4.3
* Include Arabic translations
* Update Tor to 0.2.4.20
* Update OpenSSL to 1.0.1f
* Update NoScript to 2.6.8.12
* Update HTTPS-Everywhere to 3.4.5
* Windows
* Bug 9259: Enable Accessibility (screen reader) support
* Mac
* misc: Update bundle version field in Info.plist (for MacUpdates service)
Tor Browser Bundle 3.5 -- Dec 17 2013
* All Platforms
* Update Tor to 0.2.4.19
* Update Tor Launcher to 0.2.4.2
* Bug 10382: Fix a Tor Launcher hang on TBB exit
* Update Torbutton to 1.6.5.2
* Misc: Switch update download URL back to download-easy
Tor Browser Bundle 3.5rc1 -- Dec 12 2013
* All Platforms
* Update Firefox to 24.2.0esr
* Update NoScript to 2.6.8.7
* Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
* Tag includes a patch to handle enabling/disabling Mixed Content Blocking
* Bug 5060: Disable health report service
* Bug 10367: Disable prompting about health report and Mozilla Sync
* Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
* Misc Prefs: Disable layer acceleration to avoid crashes on Windows
* Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 8
78890
* Update Tor Launcher to 0.2.4.1
* Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
* Bug 10201: FF ESR 24 hangs during exit on Mac OS
* Bug 9984: Support running Tor Launcher from InstantBird
* Misc: Support browser directory location API changes in Firefox 24
* Update Torbutton to 1.6.5.1
* Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
* Bug 8167: Update cache isolation for FF24 API changes
* Bug 10201: FF ESR 24 hangs during exit on Mac OS
* Bug 10078: Properly clear crypto tokens during New Identity on FF24
* Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF2
4
* Linux
* Bug 10213; Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)
Tor Browser Bundle 3.0rc1 -- Nov 21 2013
* All Platforms:
* Update Firefox to 17.0.11esr
* Update Tor to 0.2.4.18-rc
* Remove unsupported PDF.JS addon from the bundle
* Bug #7277: TBB's Tor client will now omit its timestamp in the TLS handshak
e.
* Update Torbutton to 1.6.4.1
* Bug #10002: Make the TBB3.0 blog tag our update download URL for now
* Windows
* Bug #10102: Patch binutils to remove nondeterministic bytes in compiled bin
aries
* Linux
* Bug #10049: Fix architecture check to work from outside TBB's directory
* Bug #10126: Remove libz and firefox-bin, and strip unstripped binaries
* Misc: Disable Firefox updater during compile time (in addition to pref)
Tor Browser Bundle 3.0beta1 -- Oct 31 2013
* All Platforms:
* Update Firefox to 17.0.10esr
* Update NoScript to 2.6.8.2
* Update HTTPS-Everywhere to 3.4.2
* Bug #9114: Reorganize the bundle directory structure to ease future
autoupdates
* Bug #9173: Patch Tor Browser to auto-detect profile directory if
launched without the wrapper script.
* Bug #9012: Hide Tor Browser infobar for missing plugins.
* Bug #8364: Change the default entry page for the addons tab to the
installed addons page.
* Bug #9867: Make flash objects really be click-to-play if flash is enabled.
* Bug #8292: Make getFirstPartyURI log+handle errors internally to simplify
caller usage of the API
* Bug #3661: Remove polipo and privoxy from the banned ports list.
* misc: Fix a potential memory leak in the Image Cache isolation
* misc: Fix a potential crash if OS theme information is ever absent
* Update Tor-Launcher to 0.2.3.1-beta
* Bug #9114: Handle new directory structure
* misc: Tor Launcher now supports Thunderbird
* Update Torbutton to 1.6.4
* Bug #9224: Support multiple Tor socks ports for about:tor status check
* Bug #9587: Add TBB version number to about:tor
* Bug #9144: Workaround to handle missing translation properties
* Windows:
* Bug #9084: Fix startup crash on Windows XP.
* Linux:
* Bug #9487: Create detached debuginfo files for Linux Tor and Tor
Browser binaries.
Tor Browser Bundle 3.0alpha4 -- Sep 24 2013
* All Platforms:
* Bug #8751: Randomize TLS HELLO timestamp in HTTPS connections
* Bug #9790 (workaround): Temporarily re-enable JS-Ctypes for cache
isolation and SSL Observatory
* Update Firefox to 17.0.9esr
* Update Tor to 0.2.4.17-rc
* misc: Add an icon menu option for Tor Launcher's Network Settings
* misc: Add branding string overrides (primarily controls browser name and
homepage)
* Update HTTPS-Everywhere to 3.2.2
* Update NoScript to 2.6.6.6
* Update PDF.JS to 0.8.1
* Windows:
* Use MinGW-w64 (via Gitian) to cross-compile the bundles from Ubuntu
* Use TBB-Windows-Installer to guide Windows users through TBB extraction
* Temporarily disable WebGL and Accessibility support due to minor MinGW
issues
* Mac:
* Use 'Toolchain4' fork by Ray Donnelley to cross-compile the bundles from
Ubuntu