Tor Browser 7.0a3 is released - Powered by EmpireCMS

标题:Tor Browser 7.0a3 is released
作者: boklm
日期:2017-04-24 09:00:00
内容:

Tor Browser 7.0a3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first alpha release which is based on Firefox ESR 52. We updated all of our patches that did not get upstreamed yet and made Torbutton and Tor Launcher multiprocess (e10s) compatible. After the first nightly build based on ESR52 went out we already fixed a number of bugs associated with this switch. But more remain, please help!

We hope having e10s and Mozilla's content sandbox enabled will be one of the major new features in the upcoming Tor Browser 7.0 series, both security- and performance-wise. While we are still working on the sandboxing part for Windows, both Linux and macOS have e10s and content sandboxing enabled by default in Tor Browser 7.0a3. There are already a number of bugs related to that on our radar which can be found on our bug tracker and which are tagged with the `tbb-e10s` keyword. If you find more, please report them!

The switch to Firefox ESR 52 raises the system requirements for Tor Browser on Windows and macOS. Computers running Windows and are not SSE2-capable are not supported anymore. On Apple computers with OS X < 10.9 Tor Browser won't run anymore either.

We updated our toolchains during the ESR transition as well. In particular we retired the old GCC-based one for our macOS cross-compilation and rely solely on clang/cctools now. As with previous releases building 7.0a3 is fully reproducible on all three supported platforms, even though we needed to deploy a last minute patch for Linux bundles this time.

Apart from switching to the new ESR and dealing with related issues we included a new Tor alpha (0.3.0.5-rc) and updated our NoScript (5.0.2) and HTTPS-Everywhere versions (5.2.14). The Sandboxed Tor Browser for Linux got updated to 0.0.6 making sure it is compatible with Firefox ESR 52.

As in Tor Browser 6.5.2 we provide a fix for Tor Browser crashing on github.com on Windows and for Twitter issues that got reported already a while ago. We update our security slider as well taking newer JIT preferences into account.

A note to Windows users: We signed the .exe files with a new codesigning certificate as the old one is about to expire. If there are issues with that new certificate, e.g. scary warnings showing up after downloading a Tor Browser .exe file and double-clicking on it, please let us know.

The full changelog since Tor Browser 7.0a2 is:

All Platforms
- Update Firefox to 52.1.0esr
- Tor to 0.3.0.5-rc
- Update Torbutton to 1.9.7.2
  - Bug 21865: Update our JIT preferences in the security slider
  - Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52
  - Bug 21745: Fix handling of catch-all circuit
  - Bug 21547: Fix circuit display under e10s
  - Bug 21268: e10s compatibility for New Identity
  - Bug 21267: Remove window resize implementation for now
  - Bug 21201: Make Torbutton multiprocess compatible
  - Translations update
- Update Tor Launcher to 0.2.12
  - Bug 21920: Don't show locale selection dialog
  - Bug 21546: Mark Tor Launcher as multiprocess compatible
  - Bug 21264: Add a README file
  - Translations update
- Update HTTPS-Everywhere to 5.2.14
- Update NoScript to 5.0.2
- Update sandboxed-tor-browser to 0.0.6
  - Bug 21764: Use bubblewrap's `--die-with-parent` when supported
  - Fix e10s Web Content crash on systems with grsec kernels
  - Bug 21928: Force a reinstall if an existing hardened bundle is present
  - Bug 21929: Remove hardened/ASAN related code
  - Bug 21927: Remove the ability to install/update the hardened bundle
  - Bug 21244: Update the MAR signing key for 7.0
  - Bug 21536: Remove asn's scramblesuit bridge from Tor Browser
  - Add back old MAR signing key to not break updating Tor Browser stable
  - Add `prlimit64` to the firefox system call whitelist
  - Fix compilation with Go 1.8
  - Use Config.Clone() to clone TLS configs when available
- Update Go to 1.7.5 (bug 21709)
- Bug 21555+16450: Don't remove Authorization header on subdomains (e.g. Twitter)
- Bug 21887: Fix broken error pages on higher security levels
- Bug 21876: Enable e10s by default on all supported platforms
- Bug 21876: Always use esr policies for e10s
- Bug 20905: Fix resizing issues after moving to a direct Firefox patch
- Bug 21875: Modal dialogs are maximized in ESR52 nightly builds
- Bug 21885: SVG is not disabled in Tor Browser based on ESR52
- Bug 17334: Hide Referer when leaving a .onion domain (improved patch)
- Bug 3246: Double-key cookies
- Bug 8842: Fix XML parsing error
- Bug 16886: 16886: "Add-on compatibility check dialog" contains Firefox logo
- Bug 19192: Untrust Blue Coat CA
- Bug 19955: Avoid confusing warning that favicon load request got cancelled
- Bug 20005: Backport fixes for memory leaks investigation
- Bug 20755: ltn.com.tw is broken in Tor Browser
- Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed
- Bug 20680: Rebase Tor Browser patches to 52 ESR
- Bug 21917: Add new obfs4 bridges
- Bug 21918: Move meek-amazon to d2cly7j4zqgua7.cloudfront.net backend
Windows
- Bug 21795: Fix Tor Browser crashing on github.com
- Bug 12426: Make use of HeapEnableTerminationOnCorruption
- Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement
- Bug 21868: Fix build bustage with FIREFOX_52_0_2esr_RELEASE for Windows
OS X
- Bug 21723: Fix inconsistent generation of MOZ_MACBUNDLE_ID
- Bug 21724: Make Firefox and Tor Browser distinct macOS apps
- Bug 21931: Backport OSX SetupMacCommandLine updater fixes
- Bug 15910: Don't download GMPs via the local fallback
Linux
- Bug 21907: Fix runtime error on CentOS 6
- Bug 21748: Fix broken Snowflake build and update bridge details
- Bug 21954: Snowflake breaks the 7.0a3 build
- Bug 15910: Don't download GMPs via the local fallback
Build system
- Windows
  - Bug 21837: Fix reproducibility of accessibility code for Windows
  - Bug 21240: Create patches to fix mingw-w64 compilation of Firefox ESR 52
  - Bug 21904: Bump mingw-w64 commit to help with sandbox compilation
  - Bug 18831: Use own Yasm for Firefox cross-compilation
- OS X
  - Bug 21328: Updating to clang 3.8.0
  - Bug 21754: Remove old GCC toolchain and macOS SDK
  - Bug 19783: Remove unused macOS helper scripts
  - Bug 10369: Don't use old GCC toolchain anymore for utils
  - Bug 21753: Replace our old GCC toolchain in PT descriptor
  - Bug 18530: ESR52 based Tor Browser only runs on macOS 10.9+
- Linux
  - Bug 21930: NSS libraries are missing from mar-tools archive
  - Bug 21239: Adapt Linux Firefox descriptor to ESR52 (use GTK2)
  - Bug 21960: Linux bundles based on ESR 52 are not reproducible anymore
  - Bug 21629: Fix broken ASan builds when switching to ESR 52

Tor浏览器7.0a3现在可以从Tor浏览器项目页面和我们的发行目录中获得。

此版本提供了对Firefox的重要安全更新。

这是基于Firefox ESR 52的第一个alpha版本。我们更新了所有尚未上传的补丁，并使Torbutton和Tor Launcher多进程（e10s）兼容。在基于ESR52的第一个夜间构建之后，我们已经修复了与此开关相关的许多错误。但更多的是，请帮忙！

我们希望启用e10s和Mozilla的内容沙箱将成为即将推出的Tor Browser 7.0系列的主要新功能之一，无论是安全性还是性能方面。虽然我们仍在为Windows的沙箱部分工作，但Linux和MacOS在Tor Browser 7.0a3中默认启用了e10s和内容沙盒。已经有一些与我们的雷达相关的错误，可以在我们的错误跟踪器中找到，哪些标记有`tbb-e10s`关键字。如果您发现更多，请报告他们！

切换到Firefox ESR 52可以提高Windows和MacOS上Tor浏览器的系统要求。运行Windows并且不支持SSE2的计算机不再受支持。在具有OS X <10.9 Tor浏览器的Apple电脑上不再运行。

我们在ESR转换期间更新了我们的工具链。特别是，我们退休了旧的基于GCC的一个，用于我们的macOS交叉编译，现在仅仅依赖于clang / cctools。与以前的7.0a3版本一样，在所有三个支持的平台上都可以完全重现，即使我们需要为此Linux部署最后一分钟的修补程序。

除了切换到新的ESR和处理相关问题之外，我们还添加了一个新的Tor alpha（0.3.0.5-rc），并更新了我们的NoScript（5.0.2）和HTTPS-Everywhere版本（5.2.14）。适用于Linux的Sandboxed Tor浏览器已更新为0.0.6，确保它与Firefox ESR 52兼容。

在Tor Browser 6.5.2中，我们提供了Tor浏览器崩溃在Windows上的github.com和已经早些时候报告的Twitter问题的修复。我们更新我们的安全滑块以及考虑更新的JIT首选项。

Windows用户的注意事项：我们使用新的代码签名证书签署了.exe文件，因为旧的即将过期。如果有新证书有问题，例如在下载Tor浏览器的.exe文件并双击它之后，出现可怕的警告，请通知我们。

Tor Browser 7.0a2的完整更新日志是：

    所有平台
        将Firefox更新为52.1.0esr
        Tor为0.3.0.5-rc
        将Torbutton更新到1.9.7.2
            Bug 21865：在安全滑块中更新我们的JIT首选项
            错误21747：为ESR52制作“本网站的新Tor电路”
            错误21745：修复所有电路的处理
            错误21547：修复e10s下的电路显示
            Bug 21268：e10s兼容新标识
            Bug 21267：现在删除窗口调整大小的实现
            Bug 21201：使Torbutton多进程兼容
            翻译更新
        将Tor Launcher更新到0.2.12
            错误21920：不显示区域设置选择对话框
            Bug 21546：Mark Tor Launcher作为多进程兼容
            错误21264：添加自述文件
            翻译更新
        将HTTPS-Everywhere更新到5.2.14
        将NoScript更新到5.0.2
        将沙盒浏览器更新到0.0.6
            Bug 21764：支持时使用bubblewrap的`--die-with-parent`
            在e系统上修复e10s Web内容崩溃的内核
            Bug 21928：如果现有的硬化捆绑包存在，请强制重新安装
            Bug 21929：去除硬化/ ASAN相关代码
            Bug 21927：删除安装/更新硬化包的功能
            错误21244：更新7.0的MAR签名密钥
            Bug 21536：从Tor浏览器中删除asn的scramblesuit桥
            添加旧的MAR签名密钥，不会破坏更新Tor浏览器的稳定
            将`prlimit64`添加到firefox系统调用白名单
            使用Go 1.8修复编译
            使用Config.Clone（）可以克隆TLS配置
        更新到1.7.5（错误21709）
        错误21555 + 16450：不要删除子域（如Twitter）上的授权标题
        错误21887：在较高的安全级别修复损坏的错误页面
        Bug 21876：默认情况下，在所有支持的平台上启用e10s
        错误21876：始终为e10s使用esr策略
        错误20905：在移动到直接的Firefox修补程序后修复调整大小问题
        错误21875：在ESR52夜间构建中最大化模态对话框
        Bug 21885：基于ESR52的Tor浏览器中没有禁用SVG
        错误17334：离开.onion域时隐藏引用（改进补丁）
        Bug 3246：双键饼干
        错误8842：修复XML解析错误
        Bug 16886：16886：“附加兼容性检查对话框”包含Firefox徽标
2208/5000
Bug 19192：Untrust Blue Coat CA
    错误19955：避免混淆警告，favicon加载请求已被取消
    Bug 20005：Backport修复内存泄漏调查
    错误20755：在Tor浏览器中，ltn.com.tw已损坏
    错误21896：由于CAPTCHA未被显示，评论网站已损坏
    Bug 20680：Rebase Tor浏览器修补程序为52 ESR
    Bug 21917：添加新的obfs4桥
    Bug 21918：将温和亚马逊移动到d2cly7j4zqgua7.cloudfront.net后端

视窗

    错误21795：修复Tor浏览器崩溃在github.com
    Bug 12426：使用HeapEnableTerminationOnCorruption
    Bug 19316：确保我们的Windows更新可以处理SSE2要求
    Bug 21868：使用FIREFOX_52_0_2esr_RELEASE for Windows修复构建故障

OS X

    错误21723：修复不一致的MOZ_MACBUNDLE_ID生成
    Bug 21724：使Firefox和Tor浏览器不同的macOS应用程序
    错误21931：Backport OSX SetupMacCommandLine更新程序修复
    Bug 15910：不要通过本地回退下载GMP

Linux

    错误21907：修复CentOS 6上的运行时错误
    Bug 21748：修复破碎的Snowflake构建和更新桥梁详细信息
    Bug 21954：Snowflake打破了7.0a3版本
    Bug 15910：不要通过本地回退下载GMP

构建系统

    视窗
        Bug 21837：修复Windows可访问性代码的可重复性
        Bug 21240：创建修补程序来修复Firefox ESR 52的mingw-w64编译
        Bug 21904：Bump mingw-w64承诺帮助沙箱编译
        Bug 18831：使用自己的Yasm进行Firefox交叉编译
    OS X
        错误21328：更新到cl ang 3.8.0
        错误21754：删除旧的GCC工具链和macOS SDK
        Bug 19783：删除未使用的macOS辅助脚本
        Bug 10369：不要再使用旧的GCC工具链了
        Bug 21753：在PT描述符中替换我们旧的GCC工具链
        Bug 18530：基于ESR52的Tor浏览器仅在macOS 10.9+上运行
    Linux
        错误21930：从Mar-tools存档中缺少NSS库
        Bug 21239：将Linux Firefox描述符修改为ESR52（使用GTK2）
        Bug 21960：基于ESR 52的Linux软件包不再可重复
        Bug 21629：在切换到ESR 52时修复损坏的ASan构建