ChangeLog.txt 118 KB
Newer Older
boklm's avatar
boklm committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
Tor Browser 7.0a3 -- April 20 2017
 * All Platforms
   * Update Firefox to 52.1.0esr
   * Tor to 0.3.0.5-rc
   * Update Torbutton to 1.9.7.2
     * Bug 21865: Update our JIT preferences in the security slider
     * Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52
     * Bug 21745: Fix handling of catch-all circuit
     * Bug 21547: Fix circuit display under e10s
     * Bug 21268: e10s compatibility for New Identity
     * Bug 21267: Remove window resize implementation for now
     * Bug 21201: Make Torbutton multiprocess compatible
     * Translations update
   * Update Tor Launcher to 0.2.12
     * Bug 21920: Don't show locale selection dialog
     * Bug 21546: Mark Tor Launcher as multiprocess compatible
     * Bug 21264: Add a README file
     * Translations update
   * Update HTTPS-Everywhere to 5.2.14
   * Update NoScript to 5.0.2
   * Update sandboxed-tor-browser to 0.0.5
     * Bug 21764: Use bubblewrap's `--die-with-parent` when supported
     * Fix e10s Web Content crash on systems with grsec kernels
     * Bug 21928: Force a reinstall if an existing hardened bundle is present
     * Bug 21929: Remove hardened/ASAN related code
     * Bug 21927: Remove the ability to install/update the hardened bundle
     * Bug 21244: Update the MAR signing key for 7.0
     * Bug 21536: Remove asn's scramblesuit bridge from Tor Browser
     * Add `prlimit64` to the firefox system call whitelist
     * Fix compilation with Go 1.8
     * Use Config.Clone() to clone TLS configs when available
   * Update Go to 1.7.5 (bug 21709)
   * Bug 21555+16450: Don't remove Authorization header on subdomains (e.g. Twitter)
   * Bug 21887: Fix broken error pages on higher security levels
   * Bug 21876: Enable e10s by default on all supported platforms
   * Bug 21876: Always use esr policies for e10s
   * Bug 20905: Fix resizing issues after moving to a direct Firefox patch
   * Bug 21875: Modal dialogs are maximized in ESR52 nightly builds
   * Bug 21885: SVG is not disabled in Tor Browser based on ESR52
   * Bug 17334: Hide Referer when leaving a .onion domain (improved patch)
   * Bug 3246: Double-key cookies
   * Bug 8842: Fix XML parsing error
   * Bug 16886: 16886: "Add-on compatibility check dialog" contains Firefox logo
   * Bug 19192: Untrust Blue Coat CA
   * Bug 19955: Avoid confusing warning that favicon load request got cancelled
   * Bug 20005: Backport fixes for memory leaks investigation
   * Bug 20755: ltn.com.tw is broken in Tor Browser
   * Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed
   * Bug 20680: Rebase Tor Browser patches to 52 ESR
   * Bug 21917: Add new obfs4 bridges
   * Bug 21918: Move meek-amazon to d2cly7j4zqgua7.cloudfront.net backend
 * Windows
   * Bug 21795: Fix Tor Browser crashing on github.com
   * Bug 12426: Make use of HeapEnableTerminationOnCorruption
   * Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement
   * Bug 21868: Fix build bustage with FIREFOX_52_0_2esr_RELEASE for Windows
 * OS X
   * Bug 21723: Fix inconsistent generation of MOZ_MACBUNDLE_ID
   * Bug 21724: Make Firefox and Tor Browser distinct macOS apps
   * Bug 21931: Backport OSX SetupMacCommandLine updater fixes
   * Bug 15910: Don't download GMPs via the local fallback
 * Linux
   * Bug 21907: Fix runtime error on CentOS 6
   * Bug 21748: Fix broken Snowflake build and update bridge details
   * Bug 21954: Snowflake breaks the 7.0a3 build
   * Bug 15910: Don't download GMPs via the local fallback
 * Build system
   * Windows
     * Bug 21837: Fix reproducibility of accessibility code for Windows
     * Bug 21240: Create patches to fix mingw-w64 compilation of Firefox ESR 52
     * Bug 21904: Bump mingw-w64 commit to help with sandbox compilation
     * Bug 18831: Use own Yasm for Firefox cross-compilation
   * OS X
     * Bug 21328: Updating to clang 3.8.0
     * Bug 21754: Remove old GCC toolchain and macOS SDK
     * Bug 19783: Remove unused macOS helper scripts
     * Bug 10369: Don't use old GCC toolchain anymore for utils
     * Bug 21753: Replace our old GCC toolchain in PT descriptor
     * Bug 18530: ESR52 based Tor Browser only runs on macOS 10.9+
   * Linux
     * Bug 21930: NSS libraries are missing from mar-tools archive
     * Bug 21239: Adapt Linux Firefox descriptor to ESR52 (use GTK2)
     * Bug 21960: Linux bundles based on ESR 52 are not reproducible anymore
     * Bug 21629: Fix broken ASan builds when switching to ESR 52

Tor Browser 7.0a2-hardened -- March 7 2017
 * All Platforms
   * Update Firefox to 45.8.0esr
   * Tor to 0.3.0.4-rc
   * OpenSSL to 1.0.2k
   * Update Torbutton to 1.9.7.1
     * Bug 21396: Allow leaking of resource/chrome URIs (off by default)
     * Bug 21574: Add link for zh manual and create manual links dynamically
     * Bug 21330: Non-usable scrollbar appears in tor browser security settings
     * Bug 21324: Don't update NoScript button with timer update
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.11
   * Bug 21514: Restore W^X JIT implementation removed from ESR45
   * Bug 21536: Remove scramblesuit bridge
   * Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
   * Bug 21326: Update the "Using a system-installed Tor" section in start script
 * Build system
   * Bug 17034: Use our built binutils and GCC for building tor
   * Code clean-up

Tor Browser 7.0a2 -- March 7 2017
 * All Platforms
   * Update Firefox to 45.8.0esr
   * Tor to 0.3.0.4-rc
   * OpenSSL to 1.0.2k
   * Update Torbutton to 1.9.7.1
     * Bug 21396: Allow leaking of resource/chrome URIs (off by default)
     * Bug 21574: Add link for zh manual and create manual links dynamically
     * Bug 21330: Non-usable scrollbar appears in tor browser security settings
     * Bug 21324: Don't update NoScript button with timer update
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.11
   * Bug 21514: Restore W^X JIT implementation removed from ESR45
   * Bug 21536: Remove scramblesuit bridge
   * Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
   * Bug 21348: Make snowflake only available on Linux for now
 * Linux
   * Bug 21326: Update the "Using a system-installed Tor" section in start script
 * Build system
   * OS X
     * Bug 21343: Remove unused FTE related parts for macOS
   * Linux
     * Bug 17034: Use our built binutils and GCC for building tor
     * Clean-up

Tor Browser 6.5.1 -- March 7 2017
 * All Platforms
   * Update Firefox to 45.8.0esr
   * Tor to 0.2.9.10
   * OpenSSL to 1.0.2k
   * Update Torbutton to 1.9.6.14
     * Bug 21396: Allow leaking of resource/chrome URIs (off by default)
     * Bug 21574: Add link for zh manual and create manual links dynamically
     * Bug 21330: Non-usable scrollbar appears in tor browser security settings
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.11
   * Bug 21514: Restore W^X JIT implementation removed from ESR45
   * Bug 21536: Remove scramblesuit bridge
   * Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
 * Linux
   * Bug 21326: Update the "Using a system-installed Tor" section in start script

Tor Browser 7.0a1-hardened -- January 25 2017
 * All Platforms
   * Update Firefox to 45.7.0esr
   * Tor to 0.3.0.2-alpha
   * Update Torbutton to 1.9.7
     * Bug 19898: Use DuckDuckGo on about:tor
     * Bug 21091: Hide the update check menu entry when running under the sandbox
     * Bug 21243: Add links to es, fr, and pt Tor Browser manual
     * Bug 21194: Show snowflake in the circuit display
     * Bug 21131: Remove 2016 donation banner
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.9
   * Update NoScript to 2.9.5.3
   * Bug 20471: Allow javascript: links from HTTPS first party pages
   * Bug 20651: DuckDuckGo does not work with JavaScript disabled
   * Bug 20589: Add new MAR signing key
   * Bug 20735: Add snowflake pluggable transport to alpha Linux builds
 * Build system
   * All platforms
     * Bug 20927: Upgrade Go to 1.7.4

Tor Browser 7.0a1 -- January 25 2017
 * All Platforms
   * Update Firefox to 45.7.0esr
   * Tor to 0.3.0.2-alpha
   * Update Torbutton to 1.9.7
     * Bug 19898: Use DuckDuckGo on about:tor
     * Bug 21091: Hide the update check menu entry when running under the sandbox
     * Bug 21243: Add links to es, fr, and pt Tor Browser manual
     * Bug 21194: Show snowflake in the circuit display
     * Bug 21131: Remove 2016 donation banner
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.9
   * Update NoScript to 2.9.5.3
   * Bug 20471: Allow javascript: links from HTTPS first party pages
   * Bug 20651: DuckDuckGo does not work with JavaScript disabled
   * Bug 20589: Add new MAR signing key
 * Windows
   * Bug 20981: On Windows, check TZ for timezone first
 * OS X
   * Bug 20989: Browser sandbox profile is too restrictive on OSX 10.12.2
 * Linux
   * Update sandboxed-tor-browser to 0.0.3
   * Bug 20735: Add snowflake pluggable transport to alpha Linux builds
 * Build system
   * All platforms
     * Bug 20927: Upgrade Go to 1.7.4
   * Linux
     * Bug 21103: Update descriptors for sandboxed-tor-browser 0.0.3

Tor Browser 6.5 -- January 24 2017
 * All Platforms
   * Update Firefox to 45.7.0esr
   * Tor to 0.2.9.9
   * OpenSSL to 1.0.2j
   * Update Torbutton to 1.9.6.12
     * Bug 16622: Timezone spoofing moved to tor-browser.git
     * Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
     * Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
     * Bug 20701: Allow the directory listing stylesheet in the content policy
     * Bug 19837: Whitelist internal URLs that Firefox requires for media
     * Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
     * Bug 19273: Improve external app launch handling and associated warnings
     * Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
     * Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
     * Bug 17767: Make "JavaScript disabled" more visible in Security Slider
     * Bug 20556: Use pt-BR strings from now on
     * Bug 20614: Add links to Tor Browser User Manual
     * Bug 20414: Fix non-rendering arrow on OS X
     * Bug 20728: Fix bad preferences.xul dimensions
     * Bug 19898: Use DuckDuckGo on about:tor
     * Bug 21091: Hide the update check menu entry when running under the sandbox
     * Bug 19459: Move resizing code to tor-browser.git
     * Bug 20264: Change security slider to 3 options
     * Bug 20347: Enhance security slider's custom mode
     * Bug 20123: Disable remote jar on all security levels
     * Bug 20244: Move privacy checkboxes to about:preferences#privacy
     * Bug 17546: Add tooltips to explain our privacy checkboxes
     * Bug 17904: Allow security settings dialog to resize
     * Bug 18093: Remove 'Restore Defaults' button
     * Bug 20373: Prevent redundant dialogs opening
     * Bug 20318: Remove helpdesk link from about:tor
     * Bug 21243: Add links for pt, es, and fr Tor Browser manuals
     * Bug 20753: Remove obsolete StartPage locale strings
     * Bug 21131: Remove 2016 donation banner
     * Bug 18980: Remove obsolete toolbar button code
     * Bug 18238: Remove unused Torbutton code and strings
     * Bug 20388+20399+20394: Code clean-up
     * Translation updates
   * Update Tor Launcher to 0.2.10.3
     * Bug 19568: Set CurProcD for Thunderbird/Instantbird
     * Bug 19432: Remove special handling for Instantbird/Thunderbird
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.9
   * Update NoScript to 2.9.5.3
   * Bug 16622: Spoof timezone with Firefox patch
   * Bug 17334: Spoof referrer when leaving a .onion domain
   * Bug 19273: Write C++ patch for external app launch handling
   * Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
   * Bug 12523: Mark JIT pages as non-writable
   * Bug 20123: Always block remote jar files
   * Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
   * Bug 19164: Remove support for SHA-1 HPKP pins
   * Bug 19186: KeyboardEvents are only rounding to 100ms
   * Bug 16998: Isolate preconnect requests to URL bar domain
   * Bug 19478: Prevent millisecond resolution leaks in File API
   * Bug 20471: Allow javascript: links from HTTPS first party pages
   * Bug 20244: Move privacy checkboxes to about:preferences#privacy
   * Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
   * Bug 20709: Fix wrong update URL in alpha bundles
   * Bug 19481: Point the update URL to aus1.torproject.org
   * Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
   * Bug 20442: Backport fix for local path disclosure after drag and drop
   * Bug 20160: Backport fix for broken MP3-playback
   * Bug 20043: Isolate SharedWorker script requests to first party
   * Bug 18923: Add script to run all Tor Browser regression tests
   * Bug 20651: DuckDuckGo does not work with JavaScript disabled
   * Bug 19336+19835: Enhance about:tbupdate page
   * Bug 20399+15852: Code clean-up
 * Windows
   * Bug 20981: On Windows, check TZ for timezone first
   * Bug 18175: Maximizing window and restarting leads to non-rounded window size
   * Bug 13437: Rounded inner window accidentally grows to non-rounded size
 * OS X
   * Bug 20590: Badly resized window due to security slider notification bar on OS X
   * Bug 20439: Make the build PIE on OSX
 * Linux
   * Bug 20691: Updater breaks if unix domain sockets are used
   * Bug 15953: Weird resizing dance on Tor Browser startup
 * Build system
   * All platforms
     * Bug 20927: Upgrade Go to 1.7.4
     * Bug 20583: Make the downloads.json file reproducible
     * Bug 20133: Don't apply OpenSSL patch anymore
     * Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
     * Bug 18291: Remove some uses of libfaketime
     * Bug 18845: Make zip and tar helpers generate reproducible archives
   * OS X
     * Bug 20258: Make OS X Tor archive reproducible again
     * Bug 20184: Make OS X builds reproducible (use clang for compiling tor)
     * Bug 19856: Make OS X builds reproducible (getting libfaketime back)
     * Bug 19410: Fix incremental updates by taking signatures into account
     * Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one

boklm's avatar
boklm committed
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Tor Browser 6.5a6-hardened -- December 14 2016
 * All Platforms
   * Update Firefox to 45.6.0esr
   * Tor to 0.2.9.7-rc
   * Update Torbutton to 1.9.6.9
     * Bug 16622: Timezone spoofing moved to tor-browser.git
     * Bug 20701: Allow the directory listing stylesheet in the content policy
     * Bug 20556: Use pt-BR strings from now on
     * Bug 20614: Add links to Tor Browser User Manual
     * Bug 20414: Fix non-rendering arrow on OS X
     * Bug 20728: Fix bad preferences.xul dimensions
     * Bug 20318: Remove helpdesk link from about:tor
     * Bug 20753: Remove obsolete StartPage locale strings
     * Bug 20947: Donation banner improvements
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.8
   * Bug 16622: Spoof timezone with Firefox patch
   * Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
   * Bug 20709: Fix wrong update URL in alpha bundles
   * Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
   * Bug 20809: Use non-/html search engine URL for DuckDuckGo search plugins
   * Bug 20837: Activate iat-mode for certain obfs4 bridges
   * Bug 20838: Uncomment NX01 default obfs4 bridge
   * Bug 20840: Rotate ports a third time for default obfs4 bridges

Tor Browser 6.5a6 -- December 14 2016
 * All Platforms
   * Update Firefox to 45.6.0esr
   * Tor to 0.2.9.6-rc
   * Update Torbutton to 1.9.6.8
     * Bug 16622: Timezone spoofing moved to tor-browser.git
     * Bug 20701: Allow the directory listing stylesheet in the content policy
     * Bug 20556: Use pt-BR strings from now on
     * Bug 20614: Add links to Tor Browser User Manual
     * Bug 20414: Fix non-rendering arrow on OS X
     * Bug 20728: Fix bad preferences.xul dimensions
     * Bug 20318: Remove helpdesk link from about:tor
     * Bug 20753: Remove obsolete StartPage locale strings
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.8
   * Bug 16622: Spoof timezone with Firefox patch
   * Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
   * Bug 20709: Fix wrong update URL in alpha bundles
   * Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
   * Bug 20809: Use non-/html search engine URL for DuckDuckGo search plugins
   * Bug 20837: Activate iat-mode for certain obfs4 bridges
   * Bug 20838: Uncomment NX01 default obfs4 bridge
   * Bug 20840: Rotate ports a third time for default obfs4 bridges
 * Linux
   * Bug 20352: Integrate sandboxed-tor-browser into our Gitian build
   * Bug 20758: Make Linux sandbox build deterministic
   * Bug 10281: Use jemalloc4 and abort on redzone corruption
 * OS X
   * Bug 20121: Create Seatbelt profile(s) for Tor Browser

Tor Browser 6.0.8 -- December 13 2016
 * All Platforms
   * Update Firefox to 45.6.0esr
   * Tor to 0.2.8.11
   * Update Torbutton to 1.9.5.13
     * Bug 20947: Donation banner improvements
   * Update HTTPS-Everywhere to 5.2.8
   * Bug 20809: Use non-/html search engine URL for DuckDuckGo search plugins
   * Bug 20837: Activate iat-mode for certain obfs4 bridges
   * Bug 20838: Uncomment NX01 default obfs4 bridge
   * Bug 20840: Rotate ports a third time for default obfs4 bridges

Tor Browser 6.5a5-hardened -- December 1 2016
 * All Platforms
   * Update Firefox to 45.5.1esr
   * Update NoScript to 2.9.5.2
 * Linux
   * Bug 20691: Updater breaks if unix domain sockets are used

Tor Browser 6.5a5 -- December 1 2016
 * All Platforms
   * Update Firefox to 45.5.1esr
   * Update NoScript to 2.9.5.2
 * Linux
   * Bug 20691: Updater breaks if unix domain sockets are used

Tor Browser 6.0.7 -- November 30 2016
 * All Platforms
   * Update Firefox to 45.5.1esr
   * Update NoScript to 2.9.5.2

Tor Browser 6.5a4-hardened -- November 16 2016
 * All Platforms
   * Update Firefox to 45.5.0esr
   * Update Tor to 0.2.9.5-alpha
   * Update OpenSSL to 1.0.2j
   * Update Torbutton to 1.9.6.7
     * Bug 20414: Add donation banner on about:tor for 2016 campaign
     * Bug 20111: use Unix domain sockets for SOCKS port by default
     * Bug 19459: Move resizing code to tor-browser.git
     * Bug 20264: Change security slider to 3 options
     * Bug 20347: Enhance security slider's custom mode
     * Bug 20123: Disable remote jar on all security levels
     * Bug 20244: Move privacy checkboxes to about:preferences#privacy
     * Bug 17546: Add tooltips to explain our privacy checkboxes
     * Bug 17904: Allow security settings dialog to resize
     * Bug 18093: Remove 'Restore Defaults' button
     * Bug 20373: Prevent redundant dialogs opening
     * Bug 20388+20399+20394: Code clean-up
     * Translation updates
   * Update Tor Launcher to 0.2.11.1
     * Bug 20111: use Unix domain sockets for SOCKS port by default
     * Bug 20185: Avoid using Unix domain socket paths that are too long
     * Bug 20429: Do not open progress window if tor doesn't get started
     * Bug 19646: Wrong location for meek browser profile on OS X
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.7
   * Update meek to 0.25
     * Bug 19646: Wrong location for meek browser profile on OS X
     * Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
   * Bug 20304: Support spaces and other special characters for SOCKS socket
   * Bug 20490: Fix assertion failure due to fix for #20304
   * Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
   * Bug 20442: Backport fix for local path disclosure after drag and drop
   * Bug 20160: Backport fix for broken MP3-playback
   * Bug 20043: Isolate SharedWorker script requests to first party
   * Bug 20123: Always block remote jar files
   * Bug 20244: Move privacy checkboxes to about:preferences#privacy
   * Bug 19838: Add dgoulet's bridge and add another one commented out
   * Bug 19481: Point the update URL to aus1.torproject.org
   * Bug 20296: Rotate ports again for default obfs4 bridges
   * Bug 20651: DuckDuckGo does not work with JavaScript disabled
   * Bug 20399+15852: Code clean-up
   * Bug 15953: Weird resizing dance on Tor Browser startup
 * Build system
   * All platforms
     * Bug 20023: Upgrade Go to 1.7.3
     * Bug 20583: Make the downloads.json file reproducible

Tor Browser 6.5a4 -- November 16 2016
 * All Platforms
   * Update Firefox to 45.5.0esr
   * Update Tor to 0.2.9.5-alpha
   * Update OpenSSL to 1.0.2j
   * Update Torbutton to 1.9.6.7
     * Bug 20414: Add donation banner on about:tor for 2016 campaign
     * Bug 20111: use Unix domain sockets for SOCKS port by default
     * Bug 19459: Move resizing code to tor-browser.git
     * Bug 20264: Change security slider to 3 options
     * Bug 20347: Enhance security slider's custom mode
     * Bug 20123: Disable remote jar on all security levels
     * Bug 20244: Move privacy checkboxes to about:preferences#privacy
     * Bug 17546: Add tooltips to explain our privacy checkboxes
     * Bug 17904: Allow security settings dialog to resize
     * Bug 18093: Remove 'Restore Defaults' button
     * Bug 20373: Prevent redundant dialogs opening
     * Bug 20388+20399+20394: Code clean-up
     * Translation updates
   * Update Tor Launcher to 0.2.10.2
     * Bug 20111: use Unix domain sockets for SOCKS port by default
     * Bug 20185: Avoid using Unix domain socket paths that are too long
     * Bug 20429: Do not open progress window if tor doesn't get started
     * Bug 19646: Wrong location for meek browser profile on OS X
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.7
   * Update meek to 0.25
     * Bug 19646: Wrong location for meek browser profile on OS X
     * Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
   * Bug 20304: Support spaces and other special characters for SOCKS socket
   * Bug 20490: Fix assertion failure due to fix for #20304
   * Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
   * Bug 20442: Backport fix for local path disclosure after drag and drop
   * Bug 20160: Backport fix for broken MP3-playback
   * Bug 20043: Isolate SharedWorker script requests to first party
   * Bug 20123: Always block remote jar files
   * Bug 20244: Move privacy checkboxes to about:preferences#privacy
   * Bug 19838: Add dgoulet's bridge and add another one commented out
   * Bug 19481: Point the update URL to aus1.torproject.org
   * Bug 20296: Rotate ports again for default obfs4 bridges
   * Bug 20651: DuckDuckGo does not work with JavaScript disabled
   * Bug 20399+15852: Code clean-up
 * Windows
   * Bug 20342: Add tor-gencert.exe to expert bundle
   * Bug 18175: Maximizing window and restarting leads to non-rounded window size
   * Bug 13437: Rounded inner window accidentally grows to non-rounded size
 * OS X
   * Bug 20204: Windows don't drag on macOS Sierra anymore
   * Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
   * Bug 20590: Badly resized window due to security slider notification bar on OS X
   * Bug 20439: Make the build PIE on OSX
 * Linux
   * Bug 15953: Weird resizing dance on Tor Browser startup
 * Build system
   * All platforms
     * Bug 20023: Upgrade Go to 1.7.3
     * Bug 20583: Make the downloads.json file reproducible
   * OS X
     * Bug 20258: Make OS X Tor archive reproducible again
     * Bug 20184: Make OS X builds reproducible again
     * Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one

Tor Browser 6.0.6 -- November 15
 * All Platforms
   * Update Firefox to 45.5.0esr
   * Update Tor to 0.2.8.9
   * Update OpenSSL to 1.0.1u
   * Update Torbutton to 1.9.5.12
     * Bug 20414: Add donation banner on about:tor for 2016 campaign
     * Translation updates
   * Update Tor Launcher to 0.2.9.4
     * Bug 20429: Do not open progress window if tor doesn't get started
     * Bug 19646: Wrong location for meek browser profile on OS X
   * Update HTTPS-Everywhere to 5.2.7
   * Update meek to 0.25
     * Bug 19646: Wrong location for meek browser profile on OS X
     * Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
   * Bug 19838: Add dgoulet's bridge and add another one commented out
   * Bug 20296: Rotate ports again for default obfs4 bridges
   * Bug 19735: Switch default search engine to DuckDuckGo
   * Bug 20118: Don't unpack HTTPS Everywhere anymore
 * Windows
   * Bug 20342: Add tor-gencert.exe to expert bundle
 * OS X
   * Bug 20204: Windows don't drag on macOS Sierra anymore
   * Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
 * Build system
   * All platforms
     * Bug 20023: Upgrade Go to 1.7.3

Tor Browser 6.5a3-hardened -- September 20 2016
 * All Platforms
   * Update Firefox to 45.4.0esr
   * Update Tor to 0.2.9.2-alpha
   * Update OpenSSL to 1.0.2h (bug 20095)
   * Update Torbutton to 1.9.6.4
     * Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
     * Bug 17767: Make "JavaScript disabled" more visible in Security Slider
     * Bug 19995: Clear site security settings during New Identity
     * Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
     * Bug 19837: Whitelist internal URLs that Firefox requires for media
     * Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
     * Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
     * Bug 14271: Make Torbutton work with Unix Domain Socket option
     * Translation updates
   * Update Tor Launcher to 0.2.11
     * Bug 14272: Make Tor Launcher work with Unix Domain Socket option
     * Bug 19568: Set CurProcD for Thunderbird/Instantbird
     * Bug 19432: Remove special handling for Instantbird/Thunderbird
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.4
   * Update NoScript to 2.9.0.14
   * Bug 19851: Fix ASan error by upgrading GCC to 5.4.0
   * Bug 17858: Fix creation of incremental MARs for hardened builds
   * Bug 14273: Backport patches for Unix Domain Socket support
   * Bug 19890: Disable installation of system addons
   * Bug 17334: Spoof referrer when leaving a .onion domain
   * Bug 20092: Rotate ports for default obfs4 bridges
   * Bug 20040: Add update support for unpacked HTTPS Everywhere
   * Bug 20118: Don't unpack HTTPS Everywhere anymore
   * Bug 19336+19835: Enhance about:tbupdate page
 * Build system
   * All platforms
     * Bug 20133: Don't apply OpenSSL patch anymore
     * Bug 19528: Set MOZ_BUILD_DATE based on Firefox version

Tor Browser 6.5a3 -- September 20 2016
 * All Platforms
   * Update Firefox to 45.4.0esr
   * Update Tor to 0.2.9.2-alpha
   * Update OpenSSL to 1.0.2h (bug 20095)
   * Update Torbutton to 1.9.6.4
     * Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
     * Bug 17767: Make "JavaScript disabled" more visible in Security Slider
     * Bug 19995: Clear site security settings during New Identity
     * Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
     * Bug 19837: Whitelist internal URLs that Firefox requires for media
     * Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
     * Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
     * Bug 14271: Make Torbutton work with Unix Domain Socket option
     * Translation updates
   * Update Tor Launcher to 0.2.10.1
     * Bug 14272: Make Tor Launcher work with Unix Domain Socket option
     * Bug 19568: Set CurProcD for Thunderbird/Instantbird
     * Bug 19432: Remove special handling for Instantbird/Thunderbird
     * Translation updates
   * Update HTTPS-Everywhere to 5.2.4
   * Update NoScript to 2.9.0.14
   * Bug 14273: Backport patches for Unix Domain Socket support
   * Bug 19890: Disable installation of system addons
   * Bug 17334: Spoof referrer when leaving a .onion domain
   * Bug 20092: Rotate ports for default obfs4 bridges
   * Bug 20040: Add update support for unpacked HTTPS Everywhere
   * Bug 20118: Don't unpack HTTPS Everywhere anymore
   * Bug 19336+19835: Enhance about:tbupdate page
 * Android
   * Bug 19706: Store browser data in the app home directory
 * Build system
   * All platforms
     * Bug 20133: Don't apply OpenSSL patch anymore
     * Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
   * OS X
     * Bug 19856: Make OS X builds reproducible again
     * Bug 19410: Fix incremental updates by taking signatures into account

Tor Browser 6.0.5 -- September 16
 * All Platforms
   * Update Firefox to 45.4.0esr
   * Update Tor to 0.2.8.7
   * Update Torbutton to 1.9.5.7
     * Bug 19995: Clear site security settings during New Identity
     * Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
   * Update HTTPS-Everywhere to 5.2.4
   * Bug 20092: Rotate ports for default obfs4 bridges
   * Bug 20040: Add update support for unpacked HTTPS Everywhere
 * Windows
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Linux
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Android
   * Bug 19706: Store browser data in the app home directory
 * Build system
   * All platforms
     * Upgrade Go to 1.4.3

Tor Browser 6.0.4 -- August 16 2016
 * All Platforms
   * Update Tor to 0.2.8.6
   * Update NoScript to 2.9.0.14
   * Bug 19890: Disable installation of system addons

Tor Browser 6.5a2-hardened -- August 3 2016
 * All Platforms
   * Update Firefox to 45.3.0esr
   * Update Tor to tor-0.2.8.5-rc
   * Update Torbutton to 1.9.6.1
     * Bug 19689: Use proper parent window for plugin prompt
     * Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
     * Bug 19417: Disable asm.js (but add code to clear on New Identity if enabled)
     * Bug 19273: Improve external app launch handling and associated warnings
     * Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
   * Update HTTPS-Everywhere to 5.2.1
   * Update NoScript to 2.9.0.12
   * Bug 17406: Include Selfrando into our hardened builds
   * Bug 19417: Disable asmjs for now
   * Bug 19715: Disable the meek-google pluggable transport option
   * Bug 19714: Remove mercurius4 obfs4 bridge
   * Bug 19585: Fix regression test for keyboard layout fingerprinting
   * Bug 19515: Tor Browser is crashing in graphics code
   * Bug 18513: Favicon requests can bypass New Identity
   * Bug 19273: Write C++ patch for external app launch handling
   * Bug 16998: Isolate preconnect requests to URL bar domain
   * Bug 18923: Add script to run all Tor Browser regression tests
   * Bug 19478: Prevent millisecond resolution leaks in File API
   * Bug 19401: Fix broken PDF download button
   * Bug 19411: Don't show update icon if a partial update failed
   * Bug 19400: Back out GCC bug workaround to avoid asmjs crash
   * Bug 19735: Switch default search engine to DuckDuckGo
   * Bug 19276: Disable Xrender due to possible performance regressions
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Build System
   * All Platforms
     * Bug 19703: Upgrade Go to 1.6.3

Tor Browser 6.5a2 -- August 3 2016
 * All Platforms
   * Update Firefox to 45.3.0esr
   * Update Tor to tor-0.2.8.5-rc
   * Update Torbutton to 1.9.6.1
     * Bug 19689: Use proper parent window for plugin prompt
     * Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
     * Bug 19417: Disable asm.js (but add code to clear on New Identity if enabled)
     * Bug 19273: Improve external app launch handling and associated warnings
     * Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
   * Update HTTPS-Everywhere to 5.2.1
   * Update NoScript to 2.9.0.12
   * Bug 19417: Disable asmjs for now
   * Bug 19715: Disable the meek-google pluggable transport option
   * Bug 19714: Remove mercurius4 obfs4 bridge
   * Bug 19585: Fix regression test for keyboard layout fingerprinting
   * Bug 19515: Tor Browser is crashing in graphics code
   * Bug 18513: Favicon requests can bypass New Identity
   * Bug 19273: Write C++ patch for external app launch handling
   * Bug 16998: Isolate preconnect requests to URL bar domain
   * Bug 18923: Add script to run all Tor Browser regression tests
   * Bug 19478: Prevent millisecond resolution leaks in File API
   * Bug 19401: Fix broken PDF download button
   * Bug 19411: Don't show update icon if a partial update failed
   * Bug 19400: Back out GCC bug workaround to avoid asmjs crash
   * Bug 19735: Switch default search engine to DuckDuckGo
 * Windows
   * Bug 19348: Adapt to more than one build target on Windows (fixes updates)
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Linux
   * Bug 19276: Disable Xrender due to possible performance regressions
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * OS X
   * Bug 19269: Icon doesn't appear in Applications folder or Dock
 * Android
   * Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined
 * Build System
   * All Platforms
     * Bug 19703: Upgrade Go to 1.6.3

Tor Browser 6.0.3 -- August 2 2016
 * All Platforms
   * Update Firefox to 45.3.0esr
   * Update Torbutton to 1.9.5.6
     * Bug 19417: Disable asmjs for now
     * Bug 19689: Use proper parent window for plugin prompt
   * Update HTTPS-Everywhere to 5.2.1
   * Update NoScript to 2.9.0.12
   * Bug 19417: Disable asmjs for now
   * Bug 19715: Disable the meek-google pluggable transport option
   * Bug 19714: Remove mercurius4 obfs4 bridge
   * Bug 19585: Fix regression test for keyboard layout fingerprinting
   * Bug 19515: Tor Browser is crashing in graphics code
   * Bug 18513: Favicon requests can bypass New Identity
 * OS X
   * Bug 19269: Icon doesn't appear in Applications folder or Dock
 * Android
   * Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined

Tor Browser 6.0.2 -- June 21 2016
 * All Platforms
   * Update Torbutton to 1.9.5.5
     * Bug 19417: Clear asmjscache
   * Bug 19401: Fix broken PDF download button
   * Bug 19411: Don't show update icon if a partial update failed
   * Bug 19400: Back out GCC bug workaround to avoid asmjs crash
 * Windows
   * Bug 19348: Adapt to more than one build target on Windows (fixes updates)
 * Linux
   * Bug 19276: Disable Xrender due to possible performance regressions

Tor Browser 6.5a1-hardened -- June 8 2016
 * All Platforms
   * Update Firefox to 45.2.0esr
   * Update Tor to 0.2.8.3-alpha
   * Update Torbutton to 1.9.6
     * Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
     * Bug 18905: Hide unusable items from help menu
     * Bug 17599: Provide shortcuts for New Identity and New Circuit
     * Bug 18980: Remove obsolete toolbar button code
     * Bug 18238: Remove unused Torbutton code and strings
     * Translation updates
     * Code clean-up
   * Update Tor Launcher to 0.2.8.5
     * Bug 18947: Tor Browser is not starting on OS X if put into /Applications
   * Update HTTPS-Everywhere to 5.1.9
   * Update meek to 0.22 (tag 0.22-18371-3)
   * Bug 19121: The update.xml hash should get checked during update
   * Bug 12523: Mark JIT pages as non-writable
   * Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
   * Bug 19164: Remove support for SHA-1 HPKP pins
   * Bug 19186: KeyboardEvents are only rounding to 100ms
   * Bug 18884: Don't build the loop extension
   * Bug 19187: Backport fix for crash related to popup menus
   * Bug 19212: Fix crash related to network panel in developer tools
   * Bug 18703: Fix circuit isolation issues on Page Info dialog
   * bug 19115: Tor Browser should not fall back to Bing as its search engine
   * Bug 18915+19065: Use our search plugins in localized builds
   * Bug 19176: Zip our language packs deterministically
   * Bug 18811: Fix first-party isolation for blobs URLs in Workers
   * Bug 18950:	Disable or audit Reader View
   * Bug 18886: Remove Pocket
   * Bug 18619: Tor Browser reports "InvalidStateError" in browser console
   * Bug 18945: Disable monitoring the connected state of Tor Browser users
   * Bug 18855: Don't show error after add-on directory clean-up
   * Bug 18885: Disable the option of logging TLS/SSL key material
   * Bug 18770: SVGs should not show up on Page Info dialog when disabled
   * Bug 18958: Spoof screen.orientation values
   * Bug 19047: Disable Heartbeat prompts
   * Bug 18914: Use English-only label in <isindex/> tags
   * Bug 18996: Investigate server logging in esr45-based Tor Browser
   * Bug 17790: Add unit tests for keyboard fingerprinting defenses
   * Bug 18995: Regression test to ensure CacheStorage is disabled
   * Bug 18912: Add automated tests for updater cert pinning
   * Bug 16728: Add test cases for favicon isolation
   * Bug 18976: Remove some FTE bridges
 * Linux
   * Bug 19189: Backport for working around a linker (gold) bug
 * Build System
   * All PLatforms
     * Bug 18333: Upgrade Go to 1.6.2
     * Bug 18919: Remove unused keys and unused dependencies
     * Bug 18291: Remove some uses of libfaketime
     * Bug 18845: Make zip and tar helpers generate reproducible archives

Tor Browser 6.5a1 -- June 8 2016
 * All Platforms
   * Update Firefox to 45.2.0esr
   * Update Tor to 0.2.8.3-alpha
   * Update Torbutton to 1.9.6
     * Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
     * Bug 18905: Hide unusable items from help menu
     * Bug 17599: Provide shortcuts for New Identity and New Circuit
     * Bug 18980: Remove obsolete toolbar button code
     * Bug 18238: Remove unused Torbutton code and strings
     * Translation updates
     * Code clean-up
   * Update Tor Launcher to 0.2.9.3
     * Bug 18947: Tor Browser is not starting on OS X if put into /Applications
   * Update HTTPS-Everywhere to 5.1.9
   * Update meek to 0.22 (tag 0.22-18371-3)
     * Bug 18904: Mac OS: meek-http-helper profile not updated
   * Bug 19121: The update.xml hash should get checked during update
   * Bug 12523: Mark JIT pages as non-writable
   * Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
   * Bug 19164: Remove support for SHA-1 HPKP pins
   * Bug 19186: KeyboardEvents are only rounding to 100ms
   * Bug 18884: Don't build the loop extension
   * Bug 19187: Backport fix for crash related to popup menus
   * Bug 19212: Fix crash related to network panel in developer tools
   * Bug 18703: Fix circuit isolation issues on Page Info dialog
   * bug 19115: Tor Browser should not fall back to Bing as its search engine
   * Bug 18915+19065: Use our search plugins in localized builds
   * Bug 19176: Zip our language packs deterministically
   * Bug 18811: Fix first-party isolation for blobs URLs in Workers
   * Bug 18950:	Disable or audit Reader View
   * Bug 18886: Remove Pocket
   * Bug 18619: Tor Browser reports "InvalidStateError" in browser console
   * Bug 18945: Disable monitoring the connected state of Tor Browser users
   * Bug 18855: Don't show error after add-on directory clean-up
   * Bug 18885: Disable the option of logging TLS/SSL key material
   * Bug 18770: SVGs should not show up on Page Info dialog when disabled
   * Bug 18958: Spoof screen.orientation values
   * Bug 19047: Disable Heartbeat prompts
   * Bug 18914: Use English-only label in <isindex/> tags
   * Bug 18996: Investigate server logging in esr45-based Tor Browser
   * Bug 17790: Add unit tests for keyboard fingerprinting defenses
   * Bug 18995: Regression test to ensure CacheStorage is disabled
   * Bug 18912: Add automated tests for updater cert pinning
   * Bug 16728: Add test cases for favicon isolation
   * Bug 18976: Remove some FTE bridges
 * OS X
   * Bug 18951: HTTPS-E is missing after update
   * Bug 18904: meek-http-helper profile not updated
   * Bug 18928: Upgrade is not smooth (requires another restart)
 * Linux
   * Bug 19189: Backport for working around a linker (gold) bug
 * Build System
   * All PLatforms
     * Bug 18333: Upgrade Go to 1.6.2
     * Bug 18919: Remove unused keys and unused dependencies
     * Bug 18291: Remove some uses of libfaketime
     * Bug 18845: Make zip and tar helpers generate reproducible archives

Tor Browser 6.0.1 -- June 7 2016
 * All Platforms
   * Update Firefox to 45.2.0esr
   * Bug 18884: Don't build the loop extension
   * Bug 19187: Backport fix for crash related to popup menus
   * Bug 19212: Fix crash related to network panel in developer tools
 * Linux
   * Bug 19189: Backport for working around a linker (gold) bug

Tor Browser 6.0 -- May 30 2016
 * All Platforms
   * Update Firefox to 45.1.1esr
   * Update OpenSSL to 1.0.1t
   * Update Torbutton to 1.9.5.4
     * Bug 18466: Make Torbutton compatible with Firefox ESR 45
     * Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
     * Bug 18905: Hide unusable items from help menu
     * Bug 16017: Allow users to more easily set a non-tor SSH proxy
     * Bug 17599: Provide shortcuts for New Identity and New Circuit
     * Translation updates
     * Code clean-up
   * Update Tor Launcher to 0.2.9.3
     * Bug 13252: Do not store data in the application bundle
     * Bug 18947: Tor Browser is not starting on OS X if put into /Applications
     * Bug 11773: Setup wizard UI flow improvements
     * Translation updates
   * Update HTTPS-Everywhere to 5.1.9
   * Update meek to 0.22 (tag 0.22-18371-3)
     * Bug 18371: Symlinks are incompatible with Gatekeeper signing
     * Bug 18904: Mac OS: meek-http-helper profile not updated
   * Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
   * Bug 18900: Fix broken updater on Linux
   * Bug 19121: The update.xml hash should get checked during update
   * Bug 18042: Disable SHA1 certificate support
   * Bug 18821: Disable libmdns support for desktop and mobile
   * Bug 18848: Disable additional welcome URL shown on first start
   * Bug 14970: Exempt our extensions from signing requirement
   * Bug 16328: Disable MediaDevices.enumerateDevices
   * Bug 16673: Disable HTTP Alternative-Services
   * Bug 17167: Disable Mozilla's tracking protection
   * Bug 18603: Disable performance-based WebGL fingerprinting option
   * Bug 18738: Disable Selfsupport and Unified Telemetry
   * Bug 18799: Disable Network Tickler
   * Bug 18800: Remove DNS lookup in lockfile code
   * Bug 18801: Disable dom.push preferences
   * Bug 18802: Remove the JS-based Flash VM (Shumway)
   * Bug 18863: Disable MozTCPSocket explicitly
   * Bug 15640: Place Canvas MediaStream behind site permission
   * Bug 16326: Verify cache isolation for Request and Fetch APIs
   * Bug 18741: Fix OCSP and favicon isolation for ESR 45
   * Bug 16998: Disable <link rel="preconnect"> for now
   * Bug 18898: Exempt the meek extension from the signing requirement as well
   * Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
   * Bug 18890: Test importScripts() for cache and network isolation
   * Bug 18886: Hide pocket menu items when Pocket is disabled
   * Bug 18703: Fix circuit isolation issues on Page Info dialog
   * bug 19115: Tor Browser should not fall back to Bing as its search engine
   * Bug 18915+19065: Use our search plugins in localized builds
   * Bug 19176: Zip our language packs deterministically
   * Bug 18811: Fix first-party isolation for blobs URLs in Workers
   * Bug 18950:	Disable or audit Reader View
   * Bug 18886: Remove Pocket
   * Bug 18619: Tor Browser reports "InvalidStateError" in browser console
   * Bug 18945: Disable monitoring the connected state of Tor Browser users
   * Bug 18855: Don't show error after add-on directory clean-up
   * Bug 18885: Disable the option of logging TLS/SSL key material
   * Bug 18770: SVGs should not show up on Page Info dialog when disabled
   * Bug 18958: Spoof screen.orientation values
   * Bug 19047: Disable Heartbeat prompts
   * Bug 18914: Use English-only label in <isindex/> tags
   * Bug 18996: Investigate server logging in esr45-based Tor Browser
   * Bug 17790: Add unit tests for keyboard fingerprinting defenses
   * Bug 18995: Regression test to ensure CacheStorage is disabled
   * Bug 18912: Add automated tests for updater cert pinning
   * Bug 16728: Add test cases for favicon isolation
   * Bug 18976: Remove some FTE bridges
 * Windows
   * Bug 13419: Support ICU in Windows builds
   * Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
   * Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser
 * OS X
   * Bug 6540: Support OS X Gatekeeper
   * Bug 13252: Tor Browser should not store data in the application bundle
   * Bug 18951: HTTPS-E is missing after update
   * Bug 18904: meek-http-helper profile not updated
   * Bug 18928: Upgrade is not smooth (requires another restart)
 * Build System
   * All Platforms
     * Bug 18127: Add LXC support for building with Debian guest VMs
     * Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
     * Bug 18919: Remove unused keys and unused dependencies
   * Windows
     * Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
     * Bug 18290: Bump mingw-w64 commit we use
   * OS X
     * Bug 18331: Update toolchain for Firefox 45 ESR
     * Bug 18690: Switch to Debian Wheezy guest VMs
   * Linux
     * Bug 18699: Stripping fails due to obsolete Browser/components directory
     * Bug 18698: Include libgconf2-dev for our Linux builds
     * Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

Tor Browser 6.0a5-hardened -- April 28 2016
 * All Platforms
   * Update Firefox to 45.1.0esr
   * Update Tor to 0.2.8.2-alpha
   * Update Torbutton to 1.9.5.3
     * Bug 18466: Make Torbutton compatible with Firefox ESR 45
     * Translation updates
   * Update Tor Launcher to 0.2.8.4
     * Bug 13252: Do not store data in the application bundle
     * Bug 10534: Don't advertise the help desk directly anymore
     * Translation updates
   * Update HTTPS-Everywhere to 5.1.6
   * Update NoScript to 2.9.0.11
   * Update meek to 0.22 (tag 0.22-18371-2)
     * Bug 18371: Symlinks are incompatible with Gatekeeper signing
   * Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
   * Bug 18900: Fix broken updater on Linux
   * Bug 18042: Disable SHA1 certificate support
   * Bug 18821: Disable libmdns support for desktop and mobile
   * Bug 18848: Disable additional welcome URL shown on first start
   * Bug 14970: Exempt our extensions from signing requirement
   * Bug 16328: Disable MediaDevices.enumerateDevices
   * Bug 16673: Disable HTTP Alternative-Services
   * Bug 17167: Disable Mozilla's tracking protection
   * Bug 18603: Disable performance-based WebGL fingerprinting option
   * Bug 18738: Disable Selfsupport and Unified Telemetry
   * Bug 18799: Disable Network Tickler
   * Bug 18800: Remove DNS lookup in lockfile code
   * Bug 18801: Disable dom.push preferences
   * Bug 18802: Remove the JS-based Flash VM (Shumway)
   * Bug 18863: Disable MozTCPSocket explicitly
   * Bug 15640: Place Canvas MediaStream behind site permission
   * Bug 16326: Verify cache isolation for Request and Fetch APIs
   * Bug 18741: Fix OCSP and favicon isolation for ESR 45
   * Bug 16998: Disable <link rel="preconnect"> for now
   * Bug 17506: Reenable building hardened Tor Browser with startup cache
   * Bug 18898: Exempt the meek extension from the signing requirement as well
   * Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
   * Bug 18890: Test importScripts() for cache and network isolation
   * Bug 18726: Add new default obfs4 bridge (GreenBelt)
 * Build System
   * Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
   * Bug 18699: Stripping fails due to obsolete Browser/components directory
   * Bug 18698: Include libgconf2-dev for our Linux builds

Tor Browser 6.0a5 -- April 28 2016
 * All Platforms
   * Update Firefox to 45.1.0esr
   * Update Tor to 0.2.8.2-alpha
   * Update Torbutton to 1.9.5.3
     * Bug 18466: Make Torbutton compatible with Firefox ESR 45
     * Translation updates
   * Update Tor Launcher to 0.2.9.1
     * Bug 13252: Do not store data in the application bundle
     * Bug 10534: Don't advertise the help desk directly anymore
     * Translation updates
   * Update HTTPS-Everywhere to 5.1.6
   * Update NoScript to 2.9.0.11
   * Update meek to 0.22 (tag 0.22-18371-2)
     * Bug 18371: Symlinks are incompatible with Gatekeeper signing
   * Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
   * Bug 18900: Fix broken updater on Linux
   * Bug 18042: Disable SHA1 certificate support
   * Bug 18821: Disable libmdns support for desktop and mobile
   * Bug 18848: Disable additional welcome URL shown on first start