ChangeLog.txt 149 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
Tor Browser 8.0a5 -- March 27 2018
 * All platforms
   * Update Firefox to 52.7.3esr
   * Update HTTPS Everywhere to 2018.3.13
   * Bug 23439: Exempt .onion domains from mixed content warnings
 * OS X
   * Update Snowflake
     * Bug 21312+25579+25449: Fix crashes and memory/file descriptor leaks in go-webrtc
 * Linux
   * Update Snowflake
     * Bug 21312+25579+25449: Fix crashes and memory/file descriptor leaks in go-webrtc

Georg Koppen's avatar
Georg Koppen committed
13
14
15
16
17
18
Tor Browser 7.5.3 -- March 26 2018
 * All platforms
   * Update Firefox to 52.7.3esr
   * Update HTTPS Everywhere to 2018.3.13
     * Bug 25339: Adapt build system for Python 3.6 based build procedure

Georg Koppen's avatar
Georg Koppen committed
19
20
21
22
Tor Browser 8.0a4 -- March 17 2018
 * All platforms
   * Update Firefox to 52.7.2esr

23
24
25
26
Tor Browser 7.5.2 -- March 17 2018
 * All platforms
   * Update Firefox to 52.7.2esr

Georg Koppen's avatar
Georg Koppen committed
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Tor Browser 8.0a3 -- March 13 2018
 * All platforms
   * Update Firefox to 52.7.0esr
   * Update Tor to 0.3.3.3-alpha
   * Update Tor Launcher to 0.2.15.1
     * Bug 23136: Moat integration (fetch bridges for the user)
     * Translations update
   * Update HTTPS Everywhere to 2018.2.26
     * Bug 25339: Adapt build system for Python 3.6 based build procedure
   * Bug 25356: Update obfs4proxy to v0.0.7
   * Bug 25147: Sanitize HTML fragments created for chrome-privileged documents
 * Windows
   * Bug 25112: No sandboxing on 64-bit Windows <= Vista

Georg Koppen's avatar
Georg Koppen committed
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
Tor Browser 7.5.1 -- March 13 2018
 * All platforms
   * Update Firefox to 52.7.0esr
   * Update Tor to 0.3.2.10
   * Update Torbutton to 1.9.8.6
     * Bug 24159: Version check does not deal with platform specific checks
     * Bug 25016: Remove 2017 donation banner
     * Translations update
   * Update Tor Launcher to 0.2.14.4
     * Bug 25089: Special characters are not escaped in proxy password
     * Translations update
   * Update NoScript to 5.1.8.4
   * Bug 25356: Update obfs4proxy to v0.0.7
   * Bug 25000: Add [System+Principal] to the NoScript whitelist
 * Windows
   * Bug 25112: Disable sandboxing on 64-bit Windows <= Vista

Georg Koppen's avatar
Georg Koppen committed
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
Tor Browser 8.0a2 -- February 23 2018
 * All Platforms
   * Update Tor to 0.3.3.2-alpha
   * Update Torbutton to 1.9.9
     * Bug 24159: Version check does not deal with platform specific checks
     * Bug 25016: Remove 2017 donation banner
     * Translations update
   * Update Tor Launcher to 0.2.15
     * Bug 25089: Special characters are not escaped in proxy password
     * Translations update
   * Update HTTPS Everywhere to 2018.1.29
   * Update NoScript to 5.1.8.4
   * Update meek to 0.29
   * Bug 25215: Revert bug 18619 (we are not disabling IndexedDB any longer)
   * Bug 19910: Rip out optimistic data socks handshake variant (#3875)
   * Bug 22659: Changes to `intl.accept.languages` get overwritten after restart
   * Bug 25000: Add [System+Principal] to the NoScript whitelist
   * Bug 15599: Disable Range requests used by pdfjs as they are not isolated
   * Bug 22614: Make e10s/non-e10s Tor Browsers indistinguishable
   * Bug 13575: Disable randomised Firefox HTTP cache decay user tests
   * Bug 25020: Add a tbb_version.json file
   * Bug 24995: Include git hash in tor --version
 * OS X
   * Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
 * Linux
   * Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
 * Windows:
   * Bug 25266: PT config should include full names of executable files
 * Build System
   * Windows
     * Bug 25111: Don't compile Yasm on our own anymore for Windows Tor Browser

Georg Koppen's avatar
Georg Koppen committed
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
Tor Browser 8.0a1 -- January 23 2018
 * All Platforms
   * Update Firefox to 52.6.0esr
   * Update Tor to 0.3.2.9
   * Update Torbutton to 1.9.8.5
     * Bug 21245: Add da translation to Torbutton and keep track of it
     * Bug 24702: Remove Mozilla text from banner
     * Translations update
   * Update Tor Launcher to 0.2.14.3
     * Translations update
   * Update HTTPS Everywhere to 2018.1.11
   * Bug 24756: Add noisebridge01 obfs4 bridge configuration
   * Bug 23916: Add new MAR signing key
   * Bug 22548: Firefox downgrades VP9 videos to VP8 for some users
 * Windows
   * Bug 24197: Fix win64 sandbox compile issues
 * Build System
   * Windows
     * Bug 18691: switch Windows builds from precise to jessie
   * Linux
     * Bug 23892: Include Firefox and Tor debug files in final build directory
     * Bug 24842: include libasan.so.2 and libubsan.so.0 in debug builds

Georg Koppen's avatar
Georg Koppen committed
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
Tor Browser 7.5 -- January 23 2018
 * All Platforms
   * Update Firefox to 52.6.0esr
   * Update Tor to 0.3.2.9
   * Update OpenSSL to 1.0.2n
   * Update Torbutton to 1.9.8.5
     * Bug 21847: Update copy for security slider
     * Bug 21245: Add da translation to Torbutton and keep track of it
     * Bug 24702: Remove Mozilla text from banner
     * Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
     * Translations update
   * Update Tor Launcher to 0.2.14.3
     * Bug 23262: Implement integrated progress bar
     * Bug 23261: implement configuration portion of new Tor Launcher UI
     * Bug 24623: Revise "country that censors Tor" text
     * Bug 24624: tbb-logo.svg may cause network access
     * Bug 23240: Retrieve current bootstrap progress before showing progress bar
     * Bug 24428: Bootstrap error message sometimes lost
     * Bug 22232: Add README on use of bootstrap status messages
     * Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
     * Translations update
   * Update HTTPS Everywhere to 2018.1.11
   * Update NoScript to 5.1.8.3
   * Bug 23104: CSS line-height reveals the platform Tor Browser is running on
   * Bug 24398: Plugin-container process exhausts memory
   * Bug 22501: Requests via javascript: violate FPI
   * Bug 24756: Add noisebridge01 obfs4 bridge configuration
 * Windows
   * Bug 16010: Enable content sandboxing on Windows
   * Bug 23230: Fix build error on Windows 64
 * OS X
   * Bug 24566: Avoid white flashes when opening dialogs in Tor Browser
   * Bug 23025: Add some hardening flags to macOS build
 * Linux
   * Bug 23970: Make "Print to File" work with sandboxing enabled
   * Bug 23016: "Print to File" is broken on some non-english Linux systems
   * Bug 10089: Set middlemouse.contentLoadURL to false by default
   * Bug 18101: Suppress upload file dialog proxy bypass (linux part)
 * Android
   * Bug 22084: Spoof network information API
 * Build System
   * All Platforms
     * Switch from gitian/tor-browser-bundle to rbm/tor-browser-build
   * Windows
     * Bug 22563: Update mingw-w64 to fix W^X violations
     * Bug 20929: Bump GCC version to 5.4.0
   * Linux
     * Bug 20929: Bump GCC version to 5.4.0
     * Bug 23892: Include Firefox and Tor debug files in final build directory
     * Bug 24842: include libasan.so.2 and libubsan.so.0 in debug builds

Georg Koppen's avatar
Georg Koppen committed
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
Tor Browser 7.5a10 -- December 19 2017
 * All Platforms
   * Update Tor to 0.3.2.7-rc
   * Update OpenSSL to 1.0.2n
   * Update Torbutton to 1.9.8.4
     * Bug 21847: Update copy for security slider
     * Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
     * Translations update
   * Update Tor Launcher to 0.2.14.2
     * Bug 24623: Revise "country that censors Tor" text
     * Bug 24428: Bootstrap error message sometimes lost
     * Bug 24624: tbb-logo.svg may cause network access
     * Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
     * Translations update
   * Update NoScript to 5.1.8.3
   * Bug 23104: CSS line-height reveals the platform Tor Browser is running on
   * Bug 24398: Plugin-container process exhausts memory
 * OS X
   * Bug 24566: Avoid white flashes when opening dialogs in Tor Browser
 * Linux
   * Bug 23970: Make "Print to File" work with sandboxing enabled
   * Bug 23016: "Print to File" is broken on some non-english Linux systems
 * Android
   * Bug 22084: Spoof network information API

189
Tor Browser 7.5a9 -- December 09 2017
Georg Koppen's avatar
Georg Koppen committed
190
 * All Platforms
Georg Koppen's avatar
Georg Koppen committed
191
192
   * Update Firefox to 52.5.2esr
   * Update Tor to 0.3.2.6-alpha
193
   * Update HTTPS-Everywhere to 2017.12.6
Georg Koppen's avatar
Georg Koppen committed
194
   * Update NoScript to 5.1.8.1
Georg Koppen's avatar
Georg Koppen committed
195
196
   * Update sandboxed-tor-browser to 0.0.16

Georg Koppen's avatar
Georg Koppen committed
197
198
199
200
201
202
203
Tor Browser 7.0.11 -- December 09 2017
 * All Platforms
   * Update Firefox to 52.5.2esr
   * Update Tor to 0.3.1.9
   * Update HTTPS-Everywhere to 2017.12.6
   * Update NoScript to 5.1.8.1

Georg Koppen's avatar
Georg Koppen committed
204
Tor Browser 7.5a8 -- November 15 2017
Georg Koppen's avatar
Georg Koppen committed
205
206
207
208
209
210
211
212
 * All Platforms
   * Update Firefox to 52.5.0esr
   * Update Tor to 0.3.2.4-alpha
   * Update Torbutton to 1.9.8.3
     * Bug 23997: Add link to Tor Browser manual for de, nl, tr, vi
     * Bug 23949: Fix donation banner display
     * Update locales with translated banner
     * Translations update
213
   * Update Tor Launcher to 0.2.14.1
Georg Koppen's avatar
Georg Koppen committed
214
215
216
217
218
219
220
221
222
223
     * Bug 23262: Implement integrated progress bar
     * Bug 23261: implement configuration portion of new Tor Launcher UI
     * Translations update
   * Update HTTPS-Everywhere to 2017.10.30
   * Update NoScript to 5.1.5
     * Bug 23968: NoScript icon jumps to the right after update
   * Update sandboxed-tor-browser to 0.0.15
 * Windows
   * Bug 20636+10026: Create 64bit Tor Browser for Windows
   * Bug 24052: Block file:// redirects early
Georg Koppen's avatar
Georg Koppen committed
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239

Tor Browser 7.0.10 -- November 14 2017
 * All Platforms
   * Update Firefox to 52.5.0esr
   * Update Tor to 0.3.1.8
   * Update Torbutton to 1.9.7.10
     * Bug 23997: Add link to Tor Browser manual for de, nl, tr, vi
     * Translations update
   * Update HTTPS-Everywhere to 2017.10.30
     * Bug 24178: Use make.sh for building HTTPS-Everywhere
   * Update NoScript to 5.1.5
     * Bug 23968: NoScript icon jumps to the right after update
 * Windows
   * Bug 23582: Enable the Windows DLL blocklist for mingw-w64 builds
   * Bug 23396: Update the msvcr100.dll we ship
   * Bug 24052: Block file:// redirects early
Georg Koppen's avatar
Georg Koppen committed
240

241
242
243
244
245
246
247
Tor Browser 7.5a7 -- November 4 2017
 * OS X
   * Bug 24052: Streamline handling of file:// resources
 * Linux
   * Bug 24052: Streamline handling of file:// resources

Tor Browser 7.0.9 -- November 3 2017
248
249
250
251
252
 * OS X
   * Bug 24052: Streamline handling of file:// resources
 * Linux
   * Bug 24052: Streamline handling of file:// resources

253
254
255
256
257
258
259
Tor Browser 7.0.8 -- October 25 2017
 * All Platforms
   * Update Torbutton to 1.9.7.9
     * Bug 23949: Fix donation banner display
     * Update locales with translated banner
     * Translations update

Georg Koppen's avatar
Georg Koppen committed
260
261
262
263
264
265
266
267
268
269
270
Tor Browser 7.5a6 -- October 19 2017
 * All Platforms
   * Update Firefox to 52.4.1esr
   * Update Tor to 0.3.2.2-alpha
   * Update Torbutton to 1.9.8.2
     * Bug 23887: Update banner locales and Mozilla text
     * Translations update
   * Update HTTPS-Everywhere to 2017.10.4
   * Update NoScript to 5.1.2
     * Bug 23723: Loading entities from NoScript .dtd files is blocked
     * Bug 23724: NoScript update breaks Security Slider and its icon disappears
271
   * Update sandboxed-tor-browser to 0.0.14
Georg Koppen's avatar
Georg Koppen committed
272
273
274
275
276
277
278
   * Bug 23745: Tab crashes when using Tor Browser to access Google Drive
   * Bug 23694: Update the detailsURL in update responses
   * Bug 22501: Requests via javascript: violate FPI
 * OS X
   * Bug 23807: Tab crashes when playing video on High Sierra
   * Bug 23025: Add some hardening flags to macOS build

279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
Tor Browser 7.0.7 -- October 19 2017
 * All Platforms
   * Update Firefox to 52.4.1esr
   * Update Torbutton to 1.9.7.8
     * Bug 23887: Update banner locales and Mozilla text
     * Bug 23526: Add 2017 Donation banner text
     * Bug 23483: Donation banner on about:tor for 2017 (testing mode)
     * Bug 22610: Avoid crashes when canceling external helper app related downloads
     * Bug 22472: Fix FTP downloads when external helper app dialog is shown
     * Bug 22471: Downloading pdf files via the PDF viewer download button is broken
     * Bug 22618: Downloading pdf file via file:/// is stalling
     * Translations update
   * Update HTTPS-Everywhere to 2017.10.4
   * Update NoScript to 5.1.2
     * Bug 23723: Loading entities from NoScript .dtd files is blocked
     * Bug 23724: NoScript update breaks Security Slider and its icon disappears
   * Bug 23745: Tab crashes when using Tor Browser to access Google Drive
   * Bug 22610: Avoid crashes when canceling external helper app related downloads
   * Bug 22472: Fix FTP downloads when external helper app dialog is shown
   * Bug 22471: Downloading pdf files via the PDF viewer download button is broken
   * Bug 22618: Downloading pdf file via file:/// is stalling
   * Bug 23694: Update the detailsURL in update responses
 * OS X
   * Bug 23807: Tab crashes when playing video on High Sierra
 * Linux
   * Bug 22692: Enable content sandboxing on Linux

306
Tor Browser 7.5a5 -- September 28 2017
Georg Koppen's avatar
Georg Koppen committed
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
 * All Platforms
   * Update Firefox to 52.4.0esr
   * Update Tor to 0.3.2.1-alpha
   * Update Torbutton to 1.9.8.1
     * Bug 20375: Warn users after entering fullscreen mode
     * Bug 22989: Fix dimensions of new windows on macOS
     * Bug 23526: Add 2017 Donation banner text
     * Bug 23483: Donation banner on about:tor for 2017 (testing mode)
     * Translations update
   * Update Tor Launcher to 0.2.13
     * Bug 23240: Retrieve current bootstrap progress before showing progress bar
     * Bug 22232: Add README on use of bootstrap status messages
     * Translations update
   * Update HTTPS-Everywhere to 2017.9.12
   * Update NoScript to 5.0.10
   * Update sandboxed-tor-browser to 0.0.13
   * Bug 23393: Don't crash all tabs when closing one tab
   * Bug 23166: Add new obfs4 bridge to the built-in ones
   * Bug 23258: Fix broken HTTPS-Everywhere on higher security levels
   * Bug 21270: NoScript settings break WebExtensions add-ons
   * Bug 23104: CSS line-height reveals the platform Tor Browser is running on
 * Windows
   * Bug 16010: Enable content sandboxing on Windows
   * Bug 23582: Enable the Windows DLL blocklist for mingw-w64 builds
   * Bug 23396: Update the msvcr100.dll we ship
   * Bug 23230: Fix build error on Windows 64
 * OS X
   * Bug 23404: Add missing Noto Sans Buginese font to the macOS whitelist
 * Linux
   * Bug 10089: Set middlemouse.contentLoadURL to false by default
   * Bug 22692: Enable content sandboxing on Linux
   * Bug 18101: Suppress upload file dialog proxy bypass (linux part)
 * Build System
   * All Platforms
     * Switch from gitian/tor-browser-bundle to rbm/tor-browser-build

343
344
345
346
347
348
349
350
351
352
353
354
355
356
Tor Browser 7.0.6 -- September 28 2017
 * All Platforms
   * Update Firefox to 52.4.0esr
   * Update Tor to 0.3.1.7
   * Update Torbutton to 1.9.7.7
     * Bug 22542: Security Settings window too small on macOS 10.12 (fixup)
     * Bug 20375: Warn users after entering fullscreen mode
   * Update HTTPS-Everywhere to 2017.9.12
   * Update NoScript to 5.0.10
   * Bug 21830: Copying large text from web console leaks to /tmp
   * Bug 23393: Don't crash all tabs when closing one tab
 * OS X
   * Bug 23404: Add missing Noto Sans Buginese font to the macOS whitelist

Georg Koppen's avatar
Georg Koppen committed
357
358
359
360
361
362
363
364
365
366
367
Tor Browser 7.0.5 -- September 4 2017
 * All Platforms
   * Update Torbutton to 1.9.7.6
     * Bug 22989: Fix dimensions of new windows on macOS
     * Translations update
   * Update HTTPS-Everywhere to 2017.8.31
   * Update NoScript to 5.0.9
   * Bug 23166: Add new obfs4 bridge to the built-in ones
   * Bug 23258: Fix broken HTTPS-Everywhere on higher security levels
   * Bug 21270: NoScript settings break WebExtensions add-ons

boklm's avatar
boklm committed
368
369
370
371
372
373
374
375
376
377
378
379
Tor Browser 7.5a4 -- August 9 2017
 * All Platforms
   * Update Firefox to 52.3.0esr
   * Update Tor to 0.3.1.5-alpha
   * Update OpenSSL to 1.0.2l
   * Update Torbutton to 1.9.8
     * Bug 22610: Avoid crashes when canceling external helper app related downloads
     * Bug 22472: Fix FTP downloads when external helper app dialog is shown
     * Bug 22471: Downloading pdf files via the PDF viewer download button is broken
     * Bug 22618: Downloading pdf file via file:/// is stalling
     * Bug 22542: Resize slider window to work without scrollbars
     * Bug 21999: Fix display of language prompt in non-en-US locales
Georg Koppen's avatar
Georg Koppen committed
380
     * Bug 18913: Don't let about:tor have chrome privileges
boklm's avatar
boklm committed
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
     * Bug 22535: Search on about:tor discards search query
     * Bug 21948: Going back to about:tor page gives "Address isn't valid" error
     * Code clean-up
     * Translations update
   * Update Tor Launcher to 0.2.12.3
     * Bug 22592: Default bridge settings are not removed
     * Translations update
   * Update HTTPS-Everywhere to 5.2.21
   * Update NoScript to 5.0.8.1
     * Bug 22362: Remove workaround for XSS related browser freezing
     * Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio
   * Update sandboxed-tor-browser to 0.0.12
   * Bug 22610: Avoid crashes when canceling external helper app related downloads
   * Bug 22472: Fix FTP downloads when external helper app dialog is shown
   * Bug 22471: Downloading pdf files via the PDF viewer download button is broken
   * Bug 22618: Downloading pdf file via file:/// is stalling
   * Bug 21321: Exempt .onions from HTTP related security warnings
   * Bug 21830: Copying large text from web console leaks to /tmp
   * Bug 22073: Disable GetAddons option on addons page
   * Bug 22884: Fix broken about:tor page on higher security levels
   * Bug 22829: Remove default obfs4 bridge riemann.
 * Windows
   * Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
 * OS X
   * Bug 22831: Enable Snowflake for mac
 * Linux
   * Bug 22832: Don't include monthly timestamp in libwebrtc build output
   * Bug 20848: Deploy Selfrando in 32bit Linux builds
 * Build system
   * Windows
     * Bug 22563: Update mingw-w64 to fix W^X violations
     * Bug 20929: Bump GCC version to 5.4.0
   * Linux
     * Bug 20929: Bump GCC version to 5.4.0

416
417
418
419
420
421
Tor Browser 7.0.4 -- August 8 2017
 * All Platforms
   * Update Firefox to 52.3.0esr
   * Update Tor to 0.3.0.10
   * Update Torbutton to 1.9.7.5
     * Bug 21999: Fix display of language prompt in non-en-US locales
Georg Koppen's avatar
Georg Koppen committed
422
     * Bug 18913: Don't let about:tor have chrome privileges
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
     * Bug 22535: Search on about:tor discards search query
     * Bug 21948: Going back to about:tor page gives "Address isn't valid" error
     * Code clean-up
     * Translations update
   * Update Tor Launcher to 0.2.12.3
     * Bug 22592: Default bridge settings are not removed
     * Translations update
   * Update HTTPS-Everywhere to 5.2.21
   * Update NoScript to 5.0.8.1
     * Bug 22362: Remove workaround for XSS related browser freezing
     * Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio
   * Bug 21321: Exempt .onions from HTTP related security warnings
   * Bug 22073: Disable GetAddons option on addons page
   * Bug 22884: Fix broken about:tor page on higher security levels
 * Windows
   * Bug 22829: Remove default obfs4 bridge riemann.
   * Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
 * OS X
   * Bug 22829: Remove default obfs4 bridge riemann.

boklm's avatar
boklm committed
443
444
445
446
447
448
449
450
451
Tor Browser 7.5a3 -- July 28 2017
 * Linux
   * Bug 23044: Don't allow GIO supported protocols by default

Tor Browser 7.0.3 -- July 27 2017
 * Linux
   * Bug 23044: Don't allow GIO supported protocols by default
   * Bug 22829: Remove default obfs4 bridge riemann.

boklm's avatar
boklm committed
452
453
454
455
456
457
458
459
460
461
462
463
Tor Browser 7.5a2 -- July 6 2017
 * All Platforms
   * Update Tor to 0.3.1.4-alpha
   * Update HTTPS-Everywhere to 5.2.19
 * Linux
   * Update sandboxed-tor-browser to 0.0.9

Tor Browser 7.0.2 -- July 3 2017
 * All Platforms
   * Update Tor to 0.3.0.9, fixing bug #22753
   * Update HTTPS-Everywhere to 5.2.19

464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
Tor Browser 7.5a1 -- June 14 2017
 * All Platforms
   * Update Firefox to 52.2.0esr
   * Update Tor to 0.3.1.3-alpha
   * Update Torbutton to 1.9.7.4
     * Bug 22542: Security Settings window too small on macOS 10.12
     * Bug 22104: Adjust our content policy whitelist for ff52-esr
     * Bug 22457: Allow resources loaded by view-source://
     * Bug 21627: Ignore HTTP 304 responses when checking redirects
     * Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode
     * Translations update
   * Update Tor Launcher to 0.2.12.2
     * Bug 22283: Linux 7.0a4 is broken after update due to unix: lines in torrc
     * Translations update
   * Update HTTPS-Everywhere to 5.2.18
   * Update NoScript to 5.0.5
   * Update sandboxed-tor-browser to 0.0.7
   * Bug 22362: NoScript's XSS filter freezes the browser
   * Bug 21766: Fix crash when the external application helper dialog is invoked
   * Bug 21886: Download is stalled in non-e10s mode
   * Bug 22333: Disable WebGL2 API for now
   * Bug 21861: Disable additional mDNS code to avoid proxy bypasses
   * Bug 21684: Don't expose navigator.AddonManager to content
   * Bug 21431: Clean-up system extensions shipped in Firefox 52
   * Bug 22320: Use preference name 'referer.hideOnionSource' everywhere
   * Bug 16285: Don't ship ClearKey EME system and update EME preferences
   * Bug 21972: about:support is partially broken
   * Bug 21323: Enable Mixed Content Blocking
   * Bug 22415: Fix format error in our pipeline patch
   * Bug 21862: Rip out potentially unsafe Rust code
   * Bug 16485: Improve about:cache page
   * Bug 22462: Backport of patch for bug 1329521 to fix assertion failure
   * Bug 22458: Fix broken `about:cache` page on higher security levels
   * Bug 18531: Uncaught exception when opening ip-check.info
   * Bug 18574: Uncaught exception when clicking items in Library
   * Bug 22327: Isolate Page Info media previews to first party domain
   * Bug 22452: Isolate tab list menuitem favicons to first party domain
   * Bug 15555: View-source requests are not isolated by first party domain
   * Bug 5293: Neuter fingerprinting with Battery API
   * Bug 22429: Add IPv6 address for Lisbeth:443 obfs4 bridge
   * Bug 22468: Add default obfs4 bridges frosty and dragon
 * Windows
   * Bug 22419: Prevent access to file://
   * Bug 21617: Fix single RWX page on Windows
 * OS X
   * Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0

 * Linux
   * Bug 16285: Remove ClearKey related library stripping
   * Bug 21852: Don't use jemalloc4 anymore
 * Android
   * Bug 19078: Disable RtspMediaResource stuff in Orfox

boklm's avatar
boklm committed
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
Tor Browser 7.0.1 -- June 13 2017
 * All Platforms
   * Update Firefox to 52.2.0esr
   * Update Tor to 0.3.0.8
   * Update Torbutton to 1.9.7.4
     * Bug 22542: Security Settings window too small on macOS 10.12
   * Update HTTPS-Everywhere to 5.2.18
   * Bug 22362: NoScript's XSS filter freezes the browser
 * OS X
   * Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0

Tor Browser 7.0 -- June 7 2017
 * All Platforms
   * Update Firefox to 52.1.2esr
   * Update Tor to 0.3.0.7
   * Update Torbutton to 1.9.7.3
     * Bug 22104: Adjust our content policy whitelist for ff52-esr
     * Bug 22457: Allow resources loaded by view-source://
     * Bug 21627: Ignore HTTP 304 responses when checking redirects
     * Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode
     * Bug 21865: Update our JIT preferences in the security slider
     * Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52
     * Bug 21745: Fix handling of catch-all circuit
     * Bug 21547: Fix circuit display under e10s
     * Bug 21268: e10s compatibility for New Identity
     * Bug 21267: Remove window resize implementation for now
     * Bug 21201: Make Torbutton multiprocess compatible
     * Translations update
   * Update Tor Launcher to 0.2.12.2
     * Bug 22283: Linux 7.0a4 broken after update due to unix: lines in torrc
     * Bug 20761: Don't ignore additional SocksPorts
     * Bug 21920: Don't show locale selection dialog
     * Bug 21546: Mark Tor Launcher as multiprocess compatible
     * Bug 21264: Add a README file
     * Translations update
   * Update HTTPS-Everywhere to 5.2.17
   * Update NoScript to 5.0.5
   * Update Go to 1.8.3 (bug 22398)
   * Bug 21962: Fix crash on about:addons page
   * Bug 21766: Fix crash when the external application helper dialog is invoked
   * Bug 21886: Download is stalled in non-e10s mode
   * Bug 21778: Canvas prompt is not shown in Tor Browser based on ESR52
   * Bug 21569: Add first-party domain to Permissions key
   * Bug 22165: Don't allow collection of local IP addresses
   * Bug 13017: Work around audio fingerprinting by disabling the Web Audio API
   * Bug 10286: Disable Touch API and add fingerprinting resistance as fallback
   * Bug 13612: Disable Social API
   * Bug 10283: Disable SpeechSynthesis API
   * Bug 22333: Disable WebGL2 API for now
   * Bug 21861: Disable additional mDNS code to avoid proxy bypasses
   * Bug 21684: Don't expose navigator.AddonManager to content
   * Bug 21431: Clean-up system extensions shipped in Firefox 52
   * Bug 22320: Use preference name 'referer.hideOnionSource' everywhere
   * Bug 16285: Don't ship ClearKey EME system and update EME preferences
   * Bug 21675: Spoof window.navigator.hardwareConcurrency
   * Bug 21792: Suppress MediaError.message
   * Bug 16337: Round times exposed by Animation API to nearest 100ms
   * Bug 21972: about:support is partially broken
   * Bug 21726: Keep Graphite support disabled
   * Bug 21323: Enable Mixed Content Blocking
   * Bug 21685: Disable remote new tab pages
   * Bug 21790: Disable captive portal detection
   * Bug 21686: Disable Microsoft Family Safety support
   * Bug 22073: Make sure Mozilla's experiments are disabled
   * Bug 21683: Disable newly added Safebrowsing capabilities
   * Bug 22071: Disable Kinto-based blocklist update mechanism
   * Bug 22415: Fix format error in our pipeline patch
   * Bug 22072: Hide TLS error reporting checkbox
   * Bug 20761: Don't ignore additional SocksPorts
   * Bug 21862: Rip out potentially unsafe Rust code
   * Bug 16485: Improve about:cache page
   * Bug 22462: Backport of patch for bug 1329521 to fix assertion failure
   * Bug 21340: Identify and backport new patches from Firefox
   * Bug 22153: Fix broken feeds on higher security levels
   * Bug 22025: Fix broken certificate error pages on higher security levels
   * Bug 21887: Fix broken error pages on higher security levels
   * Bug 22458: Fix broken `about:cache` page on higher security levels
   * Bug 21876: Enable e10s by default on all supported platforms
   * Bug 21876: Always use esr policies for e10s
   * Bug 20905: Fix resizing issues after moving to a direct Firefox patch
   * Bug 21875: Modal dialogs are maximized in ESR52 nightly builds
   * Bug 21885: SVG is not disabled in Tor Browser based on ESR52
   * Bug 17334: Hide Referer when leaving a .onion domain (improved patch)
   * Bug 18531: Uncaught exception when opening ip-check.info
   * Bug 18574: Uncaught exception when clicking items in Library
   * Bug 22327: Isolate Page Info media previews to first party domain
   * Bug 22452: Isolate tab list menuitem favicons to first party domain
   * Bug 15555: View-source requests are not isolated by first party domain
   * Bug 3246: Double-key cookies
   * Bug 8842: Fix XML parsing error
   * Bug 5293: Neuter fingerprinting with Battery API
   * Bug 16886: 16886: "Add-on compatibility check dialog" contains Firefox logo
   * Bug 19645: TBB zooms text when resizing browser window
   * Bug 19192: Untrust Blue Coat CA
   * Bug 19955: Avoid confusing warning that favicon load request got cancelled
   * Bug 20005: Backport fixes for memory leaks investigation
   * Bug 20755: ltn.com.tw is broken in Tor Browser
   * Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed
   * Bug 20680: Rebase Tor Browser patches to 52 ESR
   * Bug 22429: Add IPv6 address for Lisbeth:443 obfs4 bridge
   * Bug 22468: Add default obfs4 bridges frosty and dragon
 * Windows
   * Bug 22419: Prevent access to file://
   * Bug 12426: Make use of HeapEnableTerminationOnCorruption
   * Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement
   * Bug 21868: Fix build bustage with FIREFOX_52_0_2esr_RELEASE for Windows
 * OS X
   * Bug 21940: Don't allow privilege escalation during update
   * Bug 22044: Fix broken default search engine on macOS
   * Bug 21879: Use our default bookmarks on OSX
   * Bug 21779: Non-admin users can't access Tor Browser on macOS
   * Bug 21723: Fix inconsistent generation of MOZ_MACBUNDLE_ID
   * Bug 21724: Make Firefox and Tor Browser distinct macOS apps
   * Bug 21931: Backport OSX SetupMacCommandLine updater fixes
   * Bug 15910: Don't download GMPs via the local fallback
 * Linux
   * Bug 16285: Remove ClearKey related library stripping
   * Bug 22041: Fix update error during update to 7.0a3
   * Bug 22238: Fix use of hardened wrapper for Firefox build
   * Bug 21907: Fix runtime error on CentOS 6
   * Bug 15910: Don't download GMPs via the local fallback
 * Android
   * Bug 19078: Disable RtspMediaResource stuff in Orfox
 * Build system
   * Windows
     * Bug 21837: Fix reproducibility of accessibility code for Windows
     * Bug 21240: Create patches to fix mingw-w64 compilation of Firefox ESR 52
     * Bug 21904: Bump mingw-w64 commit to help with sandbox compilation
     * Bug 18831: Use own Yasm for Firefox cross-compilation
   * OS X
     * Bug 21328: Updating to clang 3.8.0
     * Bug 21754: Remove old GCC toolchain and macOS SDK
     * Bug 19783: Remove unused macOS helper scripts
     * Bug 10369: Don't use old GCC toolchain anymore for utils
     * Bug 21753: Replace our old GCC toolchain in PT descriptor
     * Bug 18530: ESR52 based Tor Browser only runs on macOS 10.9+
     * Bug 22328: Remove clang PIE wrappers
   * Linux
     * Bug 21930: NSS libraries are missing from mar-tools archive
     * Bug 21239: Adapt Linux Firefox descriptor to ESR52 (use GTK2)
     * Bug 21960: Linux bundles based on ESR 52 are not reproducible anymore
     * Bug 21629: Fix broken ASan builds when switching to ESR 52
     * Bug 22444: Use hardening-wrapper when building GCC
     * Bug 22361: Fix hardening of libraries built in linux/gitian-utils.yml

boklm's avatar
boklm committed
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
Tor Browser 7.0a4 -- May 15 2017
 * All Platforms
   * Update Firefox to 52.1.1esr
   * Update Tor to 0.3.0.6
   * Update Tor Launcher to 0.2.12.1
     * Bug 20761: Don't ignore additional SocksPorts
     * Translation update
   * Update HTTPS-Everywhere to 5.2.16
   * Update NoScript to 5.0.4
   * Bug 21962: Fix crash on about:addons page
   * Bug 21778: Canvas prompt is not shown in Tor Browser based on ESR52
   * Bug 21569: Add first-party domain to Permissions key
   * Bug 22165: Don't allow collection of local IP addresses
   * Bug 13017: Work around audio fingerprinting by disabling the Web Audio API
   * Bug 10286: Disable Touch API and add fingerprinting resistance as fallback
   * Bug 13612: Disable Social API
   * Bug 10283: Disable SpeechSynthesis API
   * Bug 21675: Spoof window.navigator.hardwareConcurrency
   * Bug 21792: Suppress MediaError.message
   * Bug 16337: Round times exposed by Animation API to nearest 100ms
   * Bug 21726: Keep Graphite support disabled
   * Bug 21685: Disable remote new tab pages
   * Bug 21790: Disable captive portal detection
   * Bug 21686: Disable Microsoft Family Safety support
   * Bug 22073: Make sure Mozilla's experiments are disabled
   * Bug 21683: Disable newly added Safebrowsing capabilities
   * Bug 22071: Disable Kinto-based blocklist update mechanism
   * Bug 22072: Hide TLS error reporting checkbox
   * Bug 20761: Don't ignore additional SocksPorts
   * Bug 21340: Identify and backport new patches from Firefox
   * Bug 22153: Fix broken feeds on higher security levels
   * Bug 22025: Fix broken certificate error pages on higher security levels
   * Bug 21710: Upgrade Go to 1.8.1
 * Mac
   * Bug 21940: Don't allow privilege escalation during update
   * Bug 22044: Fix broken default search engine on macOS
   * Bug 21879: Use our default bookmarks on OSX
   * Bug 21779: Non-admin users can't access Tor Browser on macOS
 * Linux
   * Bug 22041: Fix update error during update to 7.0a3
   * Bug 22238: Fix use of hardened wrapper for Firefox build
   * Bug 20683: Selfrando support for 64-bit Linux systems

boklm's avatar
boklm committed
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
Tor Browser 7.0a3 -- April 20 2017
 * All Platforms
   * Update Firefox to 52.1.0esr
   * Tor to 0.3.0.5-rc
   * Update Torbutton to 1.9.7.2
     * Bug 21865: Update our JIT preferences in the security slider
     * Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52
     * Bug 21745: Fix handling of catch-all circuit
     * Bug 21547: Fix circuit display under e10s
     * Bug 21268: e10s compatibility for New Identity
     * Bug 21267: Remove window resize implementation for now
     * Bug 21201: Make Torbutton multiprocess compatible
     * Translations update
   * Update Tor Launcher to 0.2.12
     * Bug 21920: Don't show locale selection dialog
     * Bug 21546: Mark Tor Launcher as multiprocess compatible
     * Bug 21264: Add a README file
     * Translations update
   * Update HTTPS-Everywhere to 5.2.14
   * Update NoScript to 5.0.2
Georg Koppen's avatar
Georg Koppen committed
725
   * Update sandboxed-tor-browser to 0.0.6
boklm's avatar
boklm committed
726
727
728
729
730
731
732
     * Bug 21764: Use bubblewrap's `--die-with-parent` when supported
     * Fix e10s Web Content crash on systems with grsec kernels
     * Bug 21928: Force a reinstall if an existing hardened bundle is present
     * Bug 21929: Remove hardened/ASAN related code
     * Bug 21927: Remove the ability to install/update the hardened bundle
     * Bug 21244: Update the MAR signing key for 7.0
     * Bug 21536: Remove asn's scramblesuit bridge from Tor Browser
Georg Koppen's avatar
Georg Koppen committed
733
     * Add back the old release MAR signing key
boklm's avatar
boklm committed
734
735
736
737
738
739
740
741
742
743
744
745
746
747
     * Add `prlimit64` to the firefox system call whitelist
     * Fix compilation with Go 1.8
     * Use Config.Clone() to clone TLS configs when available
   * Update Go to 1.7.5 (bug 21709)
   * Bug 21555+16450: Don't remove Authorization header on subdomains (e.g. Twitter)
   * Bug 21887: Fix broken error pages on higher security levels
   * Bug 21876: Enable e10s by default on all supported platforms
   * Bug 21876: Always use esr policies for e10s
   * Bug 20905: Fix resizing issues after moving to a direct Firefox patch
   * Bug 21875: Modal dialogs are maximized in ESR52 nightly builds
   * Bug 21885: SVG is not disabled in Tor Browser based on ESR52
   * Bug 17334: Hide Referer when leaving a .onion domain (improved patch)
   * Bug 3246: Double-key cookies
   * Bug 8842: Fix XML parsing error
748
   * Bug 16886: "Add-on compatibility check dialog" contains Firefox logo
boklm's avatar
boklm committed
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
   * Bug 19192: Untrust Blue Coat CA
   * Bug 19955: Avoid confusing warning that favicon load request got cancelled
   * Bug 20005: Backport fixes for memory leaks investigation
   * Bug 20755: ltn.com.tw is broken in Tor Browser
   * Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed
   * Bug 20680: Rebase Tor Browser patches to 52 ESR
   * Bug 21917: Add new obfs4 bridges
   * Bug 21918: Move meek-amazon to d2cly7j4zqgua7.cloudfront.net backend
 * Windows
   * Bug 21795: Fix Tor Browser crashing on github.com
   * Bug 12426: Make use of HeapEnableTerminationOnCorruption
   * Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement
   * Bug 21868: Fix build bustage with FIREFOX_52_0_2esr_RELEASE for Windows
 * OS X
   * Bug 21723: Fix inconsistent generation of MOZ_MACBUNDLE_ID
   * Bug 21724: Make Firefox and Tor Browser distinct macOS apps
   * Bug 21931: Backport OSX SetupMacCommandLine updater fixes
   * Bug 15910: Don't download GMPs via the local fallback
 * Linux
   * Bug 21907: Fix runtime error on CentOS 6
   * Bug 21748: Fix broken Snowflake build and update bridge details
   * Bug 21954: Snowflake breaks the 7.0a3 build
   * Bug 15910: Don't download GMPs via the local fallback
 * Build system
   * Windows
     * Bug 21837: Fix reproducibility of accessibility code for Windows
     * Bug 21240: Create patches to fix mingw-w64 compilation of Firefox ESR 52
     * Bug 21904: Bump mingw-w64 commit to help with sandbox compilation
     * Bug 18831: Use own Yasm for Firefox cross-compilation
   * OS X
     * Bug 21328: Updating to clang 3.8.0
     * Bug 21754: Remove old GCC toolchain and macOS SDK
     * Bug 19783: Remove unused macOS helper scripts
     * Bug 10369: Don't use old GCC toolchain anymore for utils
     * Bug 21753: Replace our old GCC toolchain in PT descriptor
     * Bug 18530: ESR52 based Tor Browser only runs on macOS 10.9+
   * Linux
     * Bug 21930: NSS libraries are missing from mar-tools archive
     * Bug 21239: Adapt Linux Firefox descriptor to ESR52 (use GTK2)
     * Bug 21960: Linux bundles based on ESR 52 are not reproducible anymore
     * Bug 21629: Fix broken ASan builds when switching to ESR 52

Georg Koppen's avatar
Georg Koppen committed
791
792
793
794
795
796
797
798
799
800
801
802
Tor Browser 6.5.2 -- April 19 2017
 * All Platforms
   * Update Firefox to 45.9.0esr
   * Update HTTPS-Everywhere to 5.2.14
   * Update NoScript to 5.0.2
   * Bug 21555+16450: Don't remove Authorization header on subdomains (e.g. Twitter)
   * Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement
   * Bug 21917: Add new obfs4 bridges
   * Bug 21918: Move meek-amazon to d2cly7j4zqgua7.cloudfront.net backend
 * Windows
   * Bug 21795: Fix Tor Browser crashing on github.com

boklm's avatar
boklm committed
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Tor Browser 7.0a2-hardened -- March 7 2017
 * All Platforms
   * Update Firefox to 45.8.0esr
   * Tor to 0.3.0.4-rc
   * OpenSSL to 1.0.2k
   * Update Torbutton to 1.9.7.1
     * Bug 21396: Allow leaking of resource/chrome URIs (off by default)
     * Bug 21574: Add link for zh manual and create manual links dynamically
     * Bug 21330: Non-usable scrollbar appears in tor browser security settings
     * Bug 21324: Don't update NoScript button with timer update
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.11
   * Bug 21514: Restore W^X JIT implementation removed from ESR45
   * Bug 21536: Remove scramblesuit bridge
   * Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
   * Bug 21326: Update the "Using a system-installed Tor" section in start script
 * Build system
   * Bug 17034: Use our built binutils and GCC for building tor
   * Code clean-up

Tor Browser 7.0a2 -- March 7 2017
 * All Platforms
   * Update Firefox to 45.8.0esr
   * Tor to 0.3.0.4-rc
   * OpenSSL to 1.0.2k
   * Update Torbutton to 1.9.7.1
     * Bug 21396: Allow leaking of resource/chrome URIs (off by default)
     * Bug 21574: Add link for zh manual and create manual links dynamically
     * Bug 21330: Non-usable scrollbar appears in tor browser security settings
     * Bug 21324: Don't update NoScript button with timer update
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.11
   * Bug 21514: Restore W^X JIT implementation removed from ESR45
   * Bug 21536: Remove scramblesuit bridge
   * Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
   * Bug 21348: Make snowflake only available on Linux for now
 * Linux
   * Bug 21326: Update the "Using a system-installed Tor" section in start script
 * Build system
   * OS X
     * Bug 21343: Remove unused FTE related parts for macOS
   * Linux
     * Bug 17034: Use our built binutils and GCC for building tor
     * Clean-up

Tor Browser 6.5.1 -- March 7 2017
 * All Platforms
   * Update Firefox to 45.8.0esr
   * Tor to 0.2.9.10
   * OpenSSL to 1.0.2k
   * Update Torbutton to 1.9.6.14
     * Bug 21396: Allow leaking of resource/chrome URIs (off by default)
     * Bug 21574: Add link for zh manual and create manual links dynamically
     * Bug 21330: Non-usable scrollbar appears in tor browser security settings
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.11
   * Bug 21514: Restore W^X JIT implementation removed from ESR45
   * Bug 21536: Remove scramblesuit bridge
   * Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
 * Linux
   * Bug 21326: Update the "Using a system-installed Tor" section in start script

Tor Browser 7.0a1-hardened -- January 25 2017
 * All Platforms
   * Update Firefox to 45.7.0esr
   * Tor to 0.3.0.2-alpha
   * Update Torbutton to 1.9.7
     * Bug 19898: Use DuckDuckGo on about:tor
     * Bug 21091: Hide the update check menu entry when running under the sandbox
     * Bug 21243: Add links to es, fr, and pt Tor Browser manual
     * Bug 21194: Show snowflake in the circuit display
     * Bug 21131: Remove 2016 donation banner
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.9
   * Update NoScript to 2.9.5.3
   * Bug 20471: Allow javascript: links from HTTPS first party pages
   * Bug 20651: DuckDuckGo does not work with JavaScript disabled
   * Bug 20589: Add new MAR signing key
   * Bug 20735: Add snowflake pluggable transport to alpha Linux builds
 * Build system
   * All platforms
     * Bug 20927: Upgrade Go to 1.7.4

Tor Browser 7.0a1 -- January 25 2017
 * All Platforms
   * Update Firefox to 45.7.0esr
   * Tor to 0.3.0.2-alpha
   * Update Torbutton to 1.9.7
     * Bug 19898: Use DuckDuckGo on about:tor
     * Bug 21091: Hide the update check menu entry when running under the sandbox
     * Bug 21243: Add links to es, fr, and pt Tor Browser manual
     * Bug 21194: Show snowflake in the circuit display
     * Bug 21131: Remove 2016 donation banner
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.9
   * Update NoScript to 2.9.5.3
   * Bug 20471: Allow javascript: links from HTTPS first party pages
   * Bug 20651: DuckDuckGo does not work with JavaScript disabled
   * Bug 20589: Add new MAR signing key
 * Windows
   * Bug 20981: On Windows, check TZ for timezone first
 * OS X
   * Bug 20989: Browser sandbox profile is too restrictive on OSX 10.12.2
 * Linux
   * Update sandboxed-tor-browser to 0.0.3
   * Bug 20735: Add snowflake pluggable transport to alpha Linux builds
 * Build system
   * All platforms
     * Bug 20927: Upgrade Go to 1.7.4
   * Linux
     * Bug 21103: Update descriptors for sandboxed-tor-browser 0.0.3

Tor Browser 6.5 -- January 24 2017
 * All Platforms
   * Update Firefox to 45.7.0esr
   * Tor to 0.2.9.9
   * OpenSSL to 1.0.2j
   * Update Torbutton to 1.9.6.12
     * Bug 16622: Timezone spoofing moved to tor-browser.git
     * Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
     * Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
     * Bug 20701: Allow the directory listing stylesheet in the content policy
     * Bug 19837: Whitelist internal URLs that Firefox requires for media
     * Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
     * Bug 19273: Improve external app launch handling and associated warnings
     * Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
     * Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
     * Bug 17767: Make "JavaScript disabled" more visible in Security Slider
     * Bug 20556: Use pt-BR strings from now on
     * Bug 20614: Add links to Tor Browser User Manual
     * Bug 20414: Fix non-rendering arrow on OS X
     * Bug 20728: Fix bad preferences.xul dimensions
     * Bug 19898: Use DuckDuckGo on about:tor
     * Bug 21091: Hide the update check menu entry when running under the sandbox
     * Bug 19459: Move resizing code to tor-browser.git
     * Bug 20264: Change security slider to 3 options
     * Bug 20347: Enhance security slider's custom mode
     * Bug 20123: Disable remote jar on all security levels
     * Bug 20244: Move privacy checkboxes to about:preferences#privacy
     * Bug 17546: Add tooltips to explain our privacy checkboxes
     * Bug 17904: Allow security settings dialog to resize
     * Bug 18093: Remove 'Restore Defaults' button
     * Bug 20373: Prevent redundant dialogs opening
     * Bug 20318: Remove helpdesk link from about:tor
     * Bug 21243: Add links for pt, es, and fr Tor Browser manuals
     * Bug 20753: Remove obsolete StartPage locale strings
     * Bug 21131: Remove 2016 donation banner
     * Bug 18980: Remove obsolete toolbar button code
     * Bug 18238: Remove unused Torbutton code and strings
     * Bug 20388+20399+20394: Code clean-up
     * Translation updates
   * Update Tor Launcher to 0.2.10.3
     * Bug 19568: Set CurProcD for Thunderbird/Instantbird
     * Bug 19432: Remove special handling for Instantbird/Thunderbird
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.9
   * Update NoScript to 2.9.5.3
   * Bug 16622: Spoof timezone with Firefox patch
   * Bug 17334: Spoof referrer when leaving a .onion domain
   * Bug 19273: Write C++ patch for external app launch handling
   * Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
   * Bug 12523: Mark JIT pages as non-writable
   * Bug 20123: Always block remote jar files
   * Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
   * Bug 19164: Remove support for SHA-1 HPKP pins
   * Bug 19186: KeyboardEvents are only rounding to 100ms
   * Bug 16998: Isolate preconnect requests to URL bar domain
   * Bug 19478: Prevent millisecond resolution leaks in File API
   * Bug 20471: Allow javascript: links from HTTPS first party pages
   * Bug 20244: Move privacy checkboxes to about:preferences#privacy
   * Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
   * Bug 20709: Fix wrong update URL in alpha bundles
   * Bug 19481: Point the update URL to aus1.torproject.org
   * Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
   * Bug 20442: Backport fix for local path disclosure after drag and drop
   * Bug 20160: Backport fix for broken MP3-playback
   * Bug 20043: Isolate SharedWorker script requests to first party
   * Bug 18923: Add script to run all Tor Browser regression tests
   * Bug 20651: DuckDuckGo does not work with JavaScript disabled
   * Bug 19336+19835: Enhance about:tbupdate page
   * Bug 20399+15852: Code clean-up
 * Windows
   * Bug 20981: On Windows, check TZ for timezone first
   * Bug 18175: Maximizing window and restarting leads to non-rounded window size
   * Bug 13437: Rounded inner window accidentally grows to non-rounded size
 * OS X
   * Bug 20590: Badly resized window due to security slider notification bar on OS X
   * Bug 20439: Make the build PIE on OSX
 * Linux
   * Bug 20691: Updater breaks if unix domain sockets are used
   * Bug 15953: Weird resizing dance on Tor Browser startup
 * Build system
   * All platforms
     * Bug 20927: Upgrade Go to 1.7.4
     * Bug 20583: Make the downloads.json file reproducible
     * Bug 20133: Don't apply OpenSSL patch anymore
     * Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
     * Bug 18291: Remove some uses of libfaketime