Вы находитесь на странице: 1из 31

Tor Browser 6.0.

5 -- September 20
* All Platforms
* Update Firefox to 45.4.0esr
* Update Tor to 0.2.8.7
* Update Torbutton to 1.9.5.7
* Bug 18589: Clear site security settings during New Identity
* Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
* Update HTTPS-Everywhere to 5.2.4
* Bug 20092: Rotate ports for default obfs4 bridges
* Bug 20040: Add update support for unpacked HTTPS Everywhere
* Windows
* Bug 19725: Remove old updater files left on disk after upgrade to 6.x
* Linux
* Bug 19725: Remove old updater files left on disk after upgrade to 6.x
* Android
* Bug 19706: Store browser data in the app home directory
* Build system
* All platforms
* Upgrade Go to 1.4.3
Tor Browser 6.0.4 -- August 16
* All Platforms
* Update Tor to 0.2.8.6
* Update NoScript to 2.9.0.14
* Bug 19890: Disable installation of system addons
Tor Browser 6.0.3 -- August 2
* All Platforms
* Update Firefox to 45.3.0esr
* Update Torbutton to 1.9.5.6
* Bug 19417: Disable asmjs for now
* Bug 19689: Use proper parent window for plugin prompt
* Update HTTPS-Everywhere to 5.2.1
* Update NoScript to 2.9.0.12
* Bug 19417: Disable asmjs for now
* Bug 19715: Disable the meek-google pluggable transport option
* Bug 19714: Remove mercurius4 obfs4 bridge
* Bug 19585: Fix regression test for keyboard layout fingerprinting
* Bug 19515: Tor Browser is crashing in graphics code
* Bug 18513: Favicon requests can bypass New Identity
* OS X
* Bug 19269: Icon doesn't appear in Applications folder or Dock
* Android
* Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined
Tor Browser 6.0.2 -- June 21
* All Platforms
* Update Torbutton to 1.9.5.5
* Bug 19417: Clear asmjscache
* Bug 19401: Fix broken PDF download button
* Bug 19411: Don't show update icon if a partial update failed
* Bug 19400: Back out GCC bug workaround to avoid asmjs crash
* Windows
* Bug 19348: Adapt to more than one build target on Windows (fixes updates)
* Linux
* Bug 19276: Disable Xrender due to possible performance regressions
Tor Browser 6.0.1 -- June 7
* All Platforms
* Update Firefox to 45.2.0esr

* Bug
* Bug
* Bug
* Linux
* Bug

18884: Don't build the loop extension


19187: Backport fix for crash related to popup menus
19212: Fix crash related to network panel in developer tools
19189: Backport for working around a linker (gold) bug

Tor Browser 6.0 -- May 30


* All Platforms
* Update Firefox to 45.1.1esr
* Update OpenSSL to 1.0.1t
* Update Torbutton to 1.9.5.4
* Bug 18466: Make Torbutton compatible with Firefox ESR 45
* Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
* Bug 18905: Hide unusable items from help menu
* Bug 16017: Allow users to more easily set a non-tor SSH proxy
* Bug 17599: Provide shortcuts for New Identity and New Circuit
* Translation updates
* Code clean-up
* Update Tor Launcher to 0.2.9.3
* Bug 13252: Do not store data in the application bundle
* Bug 18947: Tor Browser is not starting on OS X if put into /Applications
* Bug 11773: Setup wizard UI flow improvements
* Translation updates
* Update HTTPS-Everywhere to 5.1.9
* Update meek to 0.22 (tag 0.22-18371-3)
* Bug 18371: Symlinks are incompatible with Gatekeeper signing
* Bug 18904: Mac OS: meek-http-helper profile not updated
* Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
* Bug 18900: Fix broken updater on Linux
* Bug 19121: The update.xml hash should get checked during update
* Bug 18042: Disable SHA1 certificate support
* Bug 18821: Disable libmdns support for desktop and mobile
* Bug 18848: Disable additional welcome URL shown on first start
* Bug 14970: Exempt our extensions from signing requirement
* Bug 16328: Disable MediaDevices.enumerateDevices
* Bug 16673: Disable HTTP Alternative-Services
* Bug 17167: Disable Mozilla's tracking protection
* Bug 18603: Disable performance-based WebGL fingerprinting option
* Bug 18738: Disable Selfsupport and Unified Telemetry
* Bug 18799: Disable Network Tickler
* Bug 18800: Remove DNS lookup in lockfile code
* Bug 18801: Disable dom.push preferences
* Bug 18802: Remove the JS-based Flash VM (Shumway)
* Bug 18863: Disable MozTCPSocket explicitly
* Bug 15640: Place Canvas MediaStream behind site permission
* Bug 16326: Verify cache isolation for Request and Fetch APIs
* Bug 18741: Fix OCSP and favicon isolation for ESR 45
* Bug 16998: Disable <link rel="preconnect"> for now
* Bug 18898: Exempt the meek extension from the signing requirement as well
* Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
* Bug 18890: Test importScripts() for cache and network isolation
* Bug 18886: Hide pocket menu items when Pocket is disabled
* Bug 18703: Fix circuit isolation issues on Page Info dialog
* bug 19115: Tor Browser should not fall back to Bing as its search engine
* Bug 18915+19065: Use our search plugins in localized builds
* Bug 19176: Zip our language packs deterministically
* Bug 18811: Fix first-party isolation for blobs URLs in Workers
* Bug 18950: Disable or audit Reader View
* Bug 18886: Remove Pocket
* Bug 18619: Tor Browser reports "InvalidStateError" in browser console

* Bug 18945: Disable monitoring the connected state of Tor Browser users
* Bug 18855: Don't show error after add-on directory clean-up
* Bug 18885: Disable the option of logging TLS/SSL key material
* Bug 18770: SVGs should not show up on Page Info dialog when disabled
* Bug 18958: Spoof screen.orientation values
* Bug 19047: Disable Heartbeat prompts
* Bug 18914: Use English-only label in <isindex/> tags
* Bug 18996: Investigate server logging in esr45-based Tor Browser
* Bug 17790: Add unit tests for keyboard fingerprinting defenses
* Bug 18995: Regression test to ensure CacheStorage is disabled
* Bug 18912: Add automated tests for updater cert pinning
* Bug 16728: Add test cases for favicon isolation
* Bug 18976: Remove some FTE bridges
* Windows
* Bug 13419: Support ICU in Windows builds
* Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
* Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser
* OS X
* Bug 6540: Support OS X Gatekeeper
* Bug 13252: Tor Browser should not store data in the application bundle
* Bug 18951: HTTPS-E is missing after update
* Bug 18904: meek-http-helper profile not updated
* Bug 18928: Upgrade is not smooth (requires another restart)
* Build System
* All Platforms
* Bug 18127: Add LXC support for building with Debian guest VMs
* Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
* Bug 18919: Remove unused keys and unused dependencies
* Windows
* Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
* Bug 18290: Bump mingw-w64 commit we use
* OS X
* Bug 18331: Update toolchain for Firefox 45 ESR
* Bug 18690: Switch to Debian Wheezy guest VMs
* Linux
* Bug 18699: Stripping fails due to obsolete Browser/components directory
* Bug 18698: Include libgconf2-dev for our Linux builds
* Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)
Tor Browser 6.0a5-hardened -- April 28 2016
* All Platforms
* Update Firefox to 45.1.0esr
* Update Tor to 0.2.8.2-alpha
* Update Torbutton to 1.9.5.3
* Bug 18466: Make Torbutton compatible with Firefox ESR 45
* Translation updates
* Update Tor Launcher to 0.2.8.4
* Bug 13252: Do not store data in the application bundle
* Bug 10534: Don't advertise the help desk directly anymore
* Translation updates
* Update HTTPS-Everywhere to 5.1.6
* Update NoScript to 2.9.0.11
* Update meek to 0.22 (tag 0.22-18371-2)
* Bug 18371: Symlinks are incompatible with Gatekeeper signing
* Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
* Bug 18900: Fix broken updater on Linux
* Bug 18042: Disable SHA1 certificate support
* Bug 18821: Disable libmdns support for desktop and mobile
* Bug 18848: Disable additional welcome URL shown on first start
* Bug 14970: Exempt our extensions from signing requirement

* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Bug
* Build
* Bug
* Bug
* Bug

16328:
16673:
17167:
18603:
18738:
18799:
18800:
18801:
18802:
18863:
15640:
16326:
18741:
16998:
17506:
18898:
18899:
18890:
18726:
System
16224:
18699:
18698:

Disable MediaDevices.enumerateDevices
Disable HTTP Alternative-Services
Disable Mozilla's tracking protection
Disable performance-based WebGL fingerprinting option
Disable Selfsupport and Unified Telemetry
Disable Network Tickler
Remove DNS lookup in lockfile code
Disable dom.push preferences
Remove the JS-based Flash VM (Shumway)
Disable MozTCPSocket explicitly
Place Canvas MediaStream behind site permission
Verify cache isolation for Request and Fetch APIs
Fix OCSP and favicon isolation for ESR 45
Disable <link rel="preconnect"> for now
Reenable building hardened Tor Browser with startup cache
Exempt the meek extension from the signing requirement as well
Don't copy Torbutton, TorLauncher, etc. into meek profile
Test importScripts() for cache and network isolation
Add new default obfs4 bridge (GreenBelt)
Don't use BUILD_HOSTNAME anymore in Firefox builds
Stripping fails due to obsolete Browser/components directory
Include libgconf2-dev for our Linux builds

Tor Browser 6.0a5 -- April 28 2016


* All Platforms
* Update Firefox to 45.1.0esr
* Update Tor to 0.2.8.2-alpha
* Update Torbutton to 1.9.5.3
* Bug 18466: Make Torbutton compatible with Firefox ESR 45
* Translation updates
* Update Tor Launcher to 0.2.9.1
* Bug 13252: Do not store data in the application bundle
* Bug 10534: Don't advertise the help desk directly anymore
* Translation updates
* Update HTTPS-Everywhere to 5.1.6
* Update NoScript to 2.9.0.11
* Update meek to 0.22 (tag 0.22-18371-2)
* Bug 18371: Symlinks are incompatible with Gatekeeper signing
* Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
* Bug 18900: Fix broken updater on Linux
* Bug 18042: Disable SHA1 certificate support
* Bug 18821: Disable libmdns support for desktop and mobile
* Bug 18848: Disable additional welcome URL shown on first start
* Bug 14970: Exempt our extensions from signing requirement
* Bug 16328: Disable MediaDevices.enumerateDevices
* Bug 16673: Disable HTTP Alternative-Services
* Bug 17167: Disable Mozilla's tracking protection
* Bug 18603: Disable performance-based WebGL fingerprinting option
* Bug 18738: Disable Selfsupport and Unified Telemetry
* Bug 18799: Disable Network Tickler
* Bug 18800: Remove DNS lookup in lockfile code
* Bug 18801: Disable dom.push preferences
* Bug 18802: Remove the JS-based Flash VM (Shumway)
* Bug 18863: Disable MozTCPSocket explicitly
* Bug 15640: Place Canvas MediaStream behind site permission
* Bug 16326: Verify cache isolation for Request and Fetch APIs
* Bug 18741: Fix OCSP and favicon isolation for ESR 45
* Bug 16998: Disable <link rel="preconnect"> for now
* Bug 18898: Exempt the meek extension from the signing requirement as well

* Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
* Bug 18890: Test importScripts() for cache and network isolation
* Bug 18726: Add new default obfs4 bridge (GreenBelt)
* Windows
* Bug 13419: Support ICU in Windows builds
* Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
* Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser
* OS X
* Bug 6540: Support OS X Gatekeeper
* Bug 13252: Tor Browser should not store data in the application bundle
* Build System
* All Platforms
* Bug 18127: Add LXC support for building with Debian guest VMs
* Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
* Windows
* Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
* Bug 18290: Bump mingw-w64 commit we use
* OS X
* Bug 18331: Update toolchain for Firefox 45 ESR
* Bug 18690: Switch to Debian Wheezy guest VMs
* Linux
* Bug 18699: Stripping fails due to obsolete Browser/components directory
* Bug 18698: Include libgconf2-dev for our Linux builds
Tor Browser 5.5.5 -- April 26 2016
* All Platforms
* Update Firefox to 38.8.0esr
* Update Tor Launcher to 0.2.7.9
* Bug 10534: Don't advertise the help desk directly anymore
* Translation updates
* Update HTTPS-Everywhere to 5.1.6
* Update NoScript to 2.9.0.11
* Bug 18726: Add new default obfs4 bridge (GreenBelt)
Tor Browser 6.0a4-hardened -- March 17 2016
* All Platforms
* Update Firefox to 38.7.1esr
* Update Torbutton to 1.9.5.2
* Bug 18557: Exempt Graphite from the Security Slider
* Bug 18536: Make Mosaddegh and MaBishomarim available on port 80 and 443
Tor Browser 6.0a4 -- March 17 2016
* All Platforms
* Update Firefox to 38.7.1esr
* Update Torbutton to 1.9.5.2
* Bug 18557: Exempt Graphite from the Security Slider
* Bug 18536: Make Mosaddegh and MaBishomarim available on port 80 and 443
Tor Browser 5.5.4 -- March 16 2016
* All Platforms
* Update Firefox to 38.7.1esr
* Update Torbutton to 1.9.4.5
* Bug 18557: Exempt Graphite from the Security Slider
* Bug 18536: Make Mosaddegh and MaBishomarim available on port 80 and 443
Tor Browser 6.0a3-hardened -- March 8 2016
* All Platforms
* Update Firefox to 38.7.0esr
* Update Tor to 0.2.8.1-alpha
* Update OpenSSL to 1.0.1s

* Update NoScript to 2.9.0.4


* Update HTTPS Everywhere to 5.1.4
* Update Torbutton to 1.9.5.1
* Bug 16990: Don't mishandle multiline commands
* Bug 18144: about:tor update arrow position is wrong
* Bug 16725: Allow resizing with non-default homepage
* Bug 16917: Allow users to more easily set a non-tor SSH proxy
* Translation updates
* Bug 18030: Isolate favicon requests on Page Info dialog
* Bug 18297: Use separate Noto JP,KR,SC,TC fonts
* Bug 18170: Make sure the homepage is shown after an update as well
* Bug 16728: Add test cases for favicon isolation
* Windows
* Bug 18292: Disable staged updates on Windows
Tor Browser 6.0a3 -- March 8 2016
* All Platforms
* Update Firefox to 38.7.0esr
* Update Tor to 0.2.8.1-alpha
* Update OpenSSL to 1.0.1s
* Update NoScript to 2.9.0.4
* Update HTTPS Everywhere to 5.1.4
* Update Torbutton to 1.9.5.1
* Bug 16990: Don't mishandle multiline commands
* Bug 18144: about:tor update arrow position is wrong
* Bug 16725: Allow resizing with non-default homepage
* Bug 16917: Allow users to more easily set a non-tor SSH proxy
* Translation updates
* Bug 18030: Isolate favicon requests on Page Info dialog
* Bug 18297: Use separate Noto JP,KR,SC,TC fonts
* Bug 18170: Make sure the homepage is shown after an update as well
* Bug 16728: Add test cases for favicon isolation
* Windows
* Bug 18292: Disable staged updates on Windows
Tor Browser 5.5.3 -- March 8 2016
* All Platforms
* Update Firefox to 38.7.0esr
* Update OpenSSL to 1.0.1s
* Update NoScript to 2.9.0.4
* Update HTTPS Everywhere to 5.1.4
* Update Torbutton to 1.9.4.4
* Bug 16990: Don't mishandle multiline commands
* Bug 18144: about:tor update arrow position is wrong
* Bug 16725: Allow resizing with non-default homepage
* Translation updates
* Bug 18030: Isolate favicon requests on Page Info dialog
* Bug 18297: Use separate Noto JP,KR,SC,TC fonts
* Bug 18170: Make sure the homepage is shown after an update as well
* Windows
* Bug 18292: Disable staged updates on Windows
Tor Browser 6.0a2-hardened -- February 15 2016
* All Platforms
* Update Firefox to 38.6.1esr
* Update NoScript to 2.9.0.3
* Bug 18168: Don't clear an iframe's window.name (fix of #16620)
* Bug 18137: Add two new obfs4 default bridges
* Windows
* Bug 18169: Whitelist zh-CN UI font

* OSX
* Bug 18172: Add Emoji support
* Linux
* Bug 18172: Add Emoji support
* Build System
* Linux
* Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)
* Bug 18198: Building the hardened Tor Browser in a Debian Wheezy VM is bro
ken
Tor Browser 6.0a2 -- February 15 2016
* All Platforms
* Update Firefox to 38.6.1esr
* Update NoScript to 2.9.0.3
* Bug 18168: Don't clear an iframe's window.name (fix of #16620)
* Bug 18137: Add two new obfs4 default bridges
* Windows
* Bug 18169: Whitelist zh-CN UI font
* OSX
* Bug 18172: Add Emoji support
* Linux
* Bug 18172: Add Emoji support
Tor Browser 5.5.2 -- February 12 2016
* All Platforms
* Update Firefox to 38.6.1esr
* Update NoScript to 2.9.0.3
Tor Browser 5.5.1 -- February 4 2016
* All Platforms
* Bug 18168: Don't clear an iframe's window.name (fix of #16620)
* Bug 18137: Add two new obfs4 default bridges
* Windows
* Bug 18169: Whitelist zh-CN UI font
* OS X
* Bug 18172: Add Emoji support
* Linux
* Bug 18172: Add Emoji support
Tor Browser 6.0a1-hardened -- January 27 2016
* All Platforms
* Update Firefox to 38.6.0esr
* Update NoScript to 2.9.0.2
* Update Torbutton to 1.9.5
* Bug 16990: Show circuit display for connections using multi-party channel
s
* Bug 18019: Avoid empty prompt shown after non-en-US update
* Bug 18004: Remove Tor fundraising donation banner
* Code cleanup
* Translation updates
* Update Tor Launcher to 0.2.8.3
* Bug 18113: Randomly permutate available default bridges of chosen type
* Bug 11773: Setup wizard UI flow improvements
* Translation updates
* Bug 17428: Remove Flashproxy
* Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
* Bug 18072: Change recommended pluggable transport type to obfs4
* Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
* Bug 16322: Use onion address for DuckDuckGo search engine
* Bug 17917: Changelog after update is empty if JS is disabled

* Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646
)
Tor Browser 6.0a1 -- January 27 2016
* All Platforms
* Update Firefox to 38.6.0esr
* Update NoScript to 2.9.0.2
* Update Torbutton to 1.9.5
* Bug 16990: Show circuit display for connections using multi-party channel
s
* Bug 18019: Avoid empty prompt shown after non-en-US update
* Bug 18004: Remove Tor fundraising donation banner
* Code cleanup
* Translation updates
* Update Tor Launcher to 0.2.9
* Bug 18113: Randomly permutate available default bridges of chosen type
* Bug 11773: Setup wizard UI flow improvements
* Translation updates
* Bug 17428: Remove Flashproxy
* Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
* Bug 18072: Change recommended pluggable transport type to obfs4
* Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
* Bug 16322: Use onion address for DuckDuckGo search engine
* Bug 17917: Changelog after update is empty if JS is disabled
* Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646
)
* Build System
* Linux
* Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)
Tor Browser 5.5 -- January 26 2016
* All Platforms
* Update Firefox to 38.6.0esr
* Update libevent to 2.0.22-stable
* Update NoScript to 2.9.0.2
* Update Torbutton to 1.9.4.3
* Bug 16990: Show circuit display for connections using multi-party channel
s
* Bug 18019: Avoid empty prompt shown after non-en-US update
* Bug 18004: Remove Tor fundraising donation banner
* Bug 16940: After update, load local change notes
* Bug 17108: Polish about:tor appearance
* Bug 17568: Clean up tor-control-port.js
* Bug 16620: Move window.name handling into a Firefox patch
* Bug 17351: Code cleanup
* Translation updates
* Update Tor Launcher to 0.2.7.8
* Bug 18113: Randomly permutate available default bridges of chosen type
* Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
* Bug 10140: Add new Tor Browser locale (Japanese)
* Bug 17428: Remove Flashproxy
* Bug 13512: Load a static tab with change notes after an update
* Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
* Bug 15564: Isolate SharedWorkers by first-party domain
* Bug 16940: After update, load local change notes
* Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
* Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
* Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646
)
* Bug 17369: Disable RC4 fallback

*
*
*
*

Bug
Bug
Bug
Bug

17442: Remove custom updater certificate pinning


16620: Move window.name handling into a Firefox patch
17220: Support math symbols in font whitelist
10599+17305: Include updater and build patches needed for hardened buil

ds
* Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
* Bug 18072: Change recommended pluggable transport type to obfs4
* Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
* Bug 16322: Use onion address for DuckDuckGo search engine
* Bug 17917: Changelog after update is empty if JS is disabled
* Windows
* Bug 17250: Add localized font names to font whitelist
* Bug 16707: Allow more system fonts to get used on Windows
* Bug 13819: Ship expert bundles with console enabled
* Bug 17250: Fix broken Japanese fonts
* Bug 17870: Add intermediate certificate for authenticode signing
* OS X
* Bug 17122: Rename Japanese OS X bundle
* Bug 16707: Allow more system fonts to get used on OS X
* Bug 17661: Whitelist font .Helvetica Neue DeskInterface
* Linux
* Bug 16672: Don't use font whitelisting for Linux users
Tor Browser 5.5a6-hardened -- January 7 2016
* All Platforms
* Update NoScript to 2.9
* Update HTTPS Everywhere to 5.1.2
* Bug 17931: Tor Browser crashes in LogMessageToConsole()
* Bug 17875: Discourage editing of torrc-defaults
Tor Browser 5.5a6 -- January 7 2016
* All Platforms
* Update NoScript to 2.9
* Update HTTPS Everywhere to 5.1.2
* Bug 17931: Tor Browser crashes in LogMessageToConsole()
* Bug 17875: Discourage editing of torrc-defaults
* Bug 17870: Add intermediate certificate for authenticode signing
Tor Browser 5.0.7 -- January 7 2016
* All Platforms
* Update NoScript to 2.9
* Update HTTPS Everywhere to 5.1.2
* Bug 17931: Tor Browser crashes in LogMessageToConsole()
* Bug 17875: Discourage editing of torrc-defaults
Tor Browser 5.5a5-hardened -- December 18 2015
* All Platforms
* Update Firefox to 38.5.0esr
* Update Tor to 0.2.7.6
* Update OpenSSL to 1.0.1q
* Update NoScript to 2.7
* Update Torbutton to 1.9.4.2
* Bug 16940: After update, load local change notes
* Bug 16990: Avoid matching '250 ' to the end of node name
* Bug 17565: Tor fundraising campaign donation banner
* Bug 17770: Fix alignments on donation banner
* Bug 17792: Include donation banner in some non en-US Tor Browsers
* Bug 17108: Polish about:tor appearance
* Bug 17568: Clean up tor-control-port.js
* Translation updates

* Update Tor Launcher to 0.2.8.1


* Bug 17344: Enumerate available language packs for language prompt
* Code clean-up
* Translation updates
* Bug 12516: Compile Tor Browser with -fwrapv
* Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
* Bug 15564: Isolate SharedWorkers by first-party domain
* Bug 16940: After update, load local change notes
* Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
* Bug 17747: Add ndnop3 as new default obfs4 bridge
* Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
* Bug 17369: Disable RC4 fallback
* Bug 17442: Remove custom updater certificate pinning
* Bug 16863: Avoid confusing error when loop.enabled is false
* Bug 17502: Add a preference for hiding "Open with" on download dialog
* Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
* Bug 16441: Suppress "Reset Tor Browser" prompt
Tor Browser 5.5a5 -- December 18 2015
* All Platforms
* Update Firefox to 38.5.0esr
* Update Tor to 0.2.7.6
* Update OpenSSL to 1.0.1q
* Update NoScript to 2.7
* Update Torbutton to 1.9.4.2
* Bug 16940: After update, load local change notes
* Bug 16990: Avoid matching '250 ' to the end of node name
* Bug 17565: Tor fundraising campaign donation banner
* Bug 17770: Fix alignments on donation banner
* Bug 17792: Include donation banner in some non en-US Tor Browsers
* Bug 17108: Polish about:tor appearance
* Bug 17568: Clean up tor-control-port.js
* Translation updates
* Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
* Bug 15564: Isolate SharedWorkers by first-party domain
* Bug 16940: After update, load local change notes
* Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
* Bug 17747: Add ndnop3 as new default obfs4 bridge
* Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
* Bug 17369: Disable RC4 fallback
* Bug 17442: Remove custom updater certificate pinning
* Bug 16863: Avoid confusing error when loop.enabled is false
* Bug 17502: Add a preference for hiding "Open with" on download dialog
* Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
* Bug 16441: Suppress "Reset Tor Browser" prompt
* Windows
* Bug 13819: Ship expert bundles with console enabled
* Bug 17250: Fix broken Japanese fonts
* OS X
* Bug 17661: Whitelist font .Helvetica Neue DeskInterface
Tor Browser 5.0.6 -- December 18 2015
* All Platforms
* Bug 17877: Tor Browser 5.0.5 is using the wrong Mozilla build tag
Tor Browser 5.0.5 -- December 15 2015
* All Platforms
* Update Firefox to 38.5.0esr
* Update Tor to 0.2.7.6
* Update OpenSSL to 1.0.1q

* Update NoScript to 2.7


* Update HTTPS Everywhere to 5.1.1
* Update Torbutton to 1.9.3.7
* Bug 16990: Avoid matching '250 ' to the end of node name
* Bug 17565: Tor fundraising campaign donation banner
* Bug 17770: Fix alignments on donation banner
* Bug 17792: Include donation banner in some non en-US Tor Browsers
* Translation updates
* Bug 17207: Hide MIME types and plugins from websites
* Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
* Bug 16863: Avoid confusing error when loop.enabled is false
* Bug 17502: Add a preference for hiding "Open with" on download dialog
* Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
* Bug 16441: Suppress "Reset Tor Browser" prompt
* Bug 17747: Add ndnop3 as new default obfs4 bridge
Tor Browser 5.5a4 -- November 3 2015
* All Platforms
* Update Firefox to 38.4.0esr
* Update Tor to 0.2.7.4-rc
* Update NoScript to 2.6.9.39
* Update HTTPS-Everywhere to 5.1.1
* Update Torbutton to 1.9.4.1
* Bug 9623: Spoof Referer when leaving a .onion domain
* Bug 16620: Remove old window.name handling code
* Bug 17164: Don't show text-select cursor on circuit display
* Bug 17351: Remove unused code
* Translation updates
* Bug 17207: Hide MIME types and plugins from websites
* Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
* Bug 16620: Move window.name handling into a Firefox patch
* Bug 17220: Support math symbols in font whitelist
* Bug 10599+17305: Include updater and build patches needed for hardened buil
ds
* Bug 17318: Remove dead ScrambleSuit bridge
* Bug 17428: Remove default Flashproxy bridges
* Bug 17473: Update meek-amazon fingerprint
* Windows
* Bug 17250: Add localized font names to font whitelist
* OS X
* Bug 17122: Rename Japanese OS X bundle
* Linux
* Bug 17329: Ensure that non-ASCII characters can be typed (fixup of #5926)
Tor Browser 5.0.4 -- November 3 2015
* All Platforms
* Update Firefox to 38.4.0esr
* Update NoScript to 2.6.9.39
* Update Torbutton to 1.9.3.5
* Bug 9623: Spoof Referer when leaving a .onion domain
* Bug 16735: about:tor should accommodate different fonts/font sizes
* Bug 16937: Don't translate the homepage/spellchecker dictionary string
* Bug 17164: Don't show text-select cursor on circuit display
* Bug 17351: Remove unused code
* Translation updates
* Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
* Bug 17318: Remove dead ScrambleSuit bridge
* Bug 17473: Update meek-amazon fingerprint
* Bug 16983: Isolate favicon requests caused by the tab list dropdown
* Bug 17102: Don't crash while opening a second Tor Browser

* Windows:
* Bug 16906: Don't depend on Windows crypto DLLs
* Linux:
* Bug 17329: Ensure that non-ASCII characters can be typed (fixup of #5926)
Tor Browser 5.5a3 -- September 22 2015
* All Platforms
* Update Firefox to 38.3.0esr
* Update libevent to 2.0.22-stable
* Update Torbutton to 1.9.4
* Bug 16937: Don't translate the homepage/spellchecker dictionary string
* Bug 16735: about:tor should accommodate different fonts/font sizes
* Bug 16887: Update intl.accept_languages value
* Bug 15493: Update circuit display on new circuit info
* Bug 16797: brandShorterName is missing from brand.properties
* Translation updates
* Bug 10140: Add new Tor Browser locale (Japanese)
* Bug 17102: Don't crash while opening a second Tor Browser
* Bug 16983: Isolate favicon requests caused by the tab list dropdown
* Bug 13512: Load a static tab with change notes after an update
* Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
* Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
* Bug 16837: Disable Firefox Hotfix updates
* Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz
)
* Bug 16781: Allow saving pdf files in built-in pdf viewer
* Bug 16842: Restore Media tab on Page information dialog
* Bug 16727: Disable about:healthreport page
* Bug 16783: Normalize NoScript default whitelist
* Bug 16775: Fix preferences dialog with security slider set to "High"
* Bug 13579: Update download progress bar automatically
* Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
* Bug 17046: Event.timeStamp should not reveal startup time
* Bug 16872: Fix warnings when opening about:downloads
* Bug 17097: Fix intermittent crashes when using the print dialog
* Windows
* Bug 16906: Fix Mingw-w64 compilation/Don't depend on Windows crypto DLLs
* Bug 16707: Allow more system fonts to get used on Windows
* OS X
* Bug 16910: Update copyright year in OS X bundles
* Bug 16707: Allow more system fonts to get used on OS X
* Linux
* Bug 16672: Don't use font whitelisting for Linux users
Tor Browser 5.0.3 -- September 22 2015
* All Platforms
* Update Firefox to 38.3.0esr
* Update Torbutton to 1.9.3.4
* Bug 16887: Update intl.accept_languages value
* Bug 15493: Update circuit display on new circuit info
* Bug 16797: brandShorterName is missing from brand.properties
* Bug 14429: Make sure the automatic resizing is disabled
* Translation updates
* Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
* Bug 16837: Disable Firefox Hotfix updates
* Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz
)
* Bug 16781: Allow saving pdf files in built-in pdf viewer
* Bug 16842: Restore Media tab on Page information dialog
* Bug 16727: Disable about:healthreport page

* Bug 16783: Normalize NoScript default whitelist


* Bug 16775: Fix preferences dialog with security slider set to "High"
* Bug 13579: Update download progress bar automatically
* Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
* Bug 17046: Event.timeStamp should not reveal startup time
* Bug 16872: Fix warnings when opening about:downloads
* Bug 17097: Fix intermittent crashes when using the print dialog
* Windows
* Bug 16906: Fix Mingw-w64 compilation breakage
* OS X
* Bug 16910: Update copyright year in OS X bundles
Tor Browser 5.5a2 -- August 28 2015
* All Platforms:
* Update Firefox to 38.2.1esr
* Update NoScript to 2.6.9.36
* Bug 16771: Fix crash on some websites due to blob URIs
* Linux
* Bug 16860: Avoid duplicate desktop icons on Gnome and Unity
Tor Browser 5.0.2 -- August 27 2015
* All Platforms
* Update Firefox to 38.2.1esr
* Update NoScript to 2.6.9.36
* Linux
* Bug 16860: Avoid duplicate icons on Unity and Gnome
Tor Browser 5.0.1 -- August 18 2015
* All Platforms
* Bug 16771: Fix crash on some websites due to blob URIs
Tor Browser 5.5a1 -- August 11 2015
* All Platforms
* Update Firefox to 38.2.0esr
* Update NoScript to 2.6.9.34
* Update Torbutton to 1.9.3.3
* Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
* Bug 16730: Reset NoScript whitelist on upgrade
* Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
* Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
* Bug 14429: Make sure the automatic resizing is enabled
* Translation updates
* Update Tor Launcher to 0.2.7.7
* Translation updates
* Bug 16730: Prevent NoScript from updating the default whitelist
* Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
* Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
* Bug 16311: Fix navigation timing in ESR 38
* Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
* Bug 16672: Change font whitelists and configs for rendering issues (partial
)
Tor Browser 5.0 -- August 11 2015
* All Platforms
* Update Firefox to 38.2.0esr
* Update OpenSSL to 1.0.1p
* Update HTTPS-Everywhere to 5.0.7
* Update NoScript to 2.6.9.34
* Update meek to 0.20
* Update Tor to 0.2.6.10 with patches:

* Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name ch
ecks.
* Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
* Bug 15482: Don't allow circuits to change while a site is in use
* Update Torbutton to 1.9.3.2
* Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
* Bug 16730: Reset NoScript whitelist on upgrade
* Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
* Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
* Bug 16268: Show Tor Browser logo on About page
* Bug 16639: Check for Updates menu item can cause update download failure
* Bug 15781: Remove the sessionstore filter
* Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
* Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1
)
* Bug 16200: Update Cache API usage and prefs for FF38
* Bug 16357: Use Mozilla API to wipe permissions db
* Bug 14429: Make sure the automatic resizing is disabled
* Translation updates
* Update Tor Launcher to 0.2.7.7
* Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1
)
*
*
*
*
*
*
*
*
*
*

* Bug 15145: Visually distinguish "proxy" and "bridge" screens.


* Translation updates
Bug 16730: Prevent NoScript from updating the default whitelist
Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
Bug 16884: Prefer IPv6 when supported by the current Tor exit
Bug 16488: Remove "Sign in to Sync" from the browser menu
Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
Bug 15703: Isolate mediasource URIs and media streams to first party
Bug 16429+16416: Isolate blob URIs to first party
Bug 16632: Turn on the background updater and restart prompting
Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhe

re
* Bug 16523: Fix in-browser JavaScript debugger
* Bug 16236: Windows updater: avoid writing to the registry
* Bug 16625: Fully disable network connection prediction
* Bug 16495: Fix SVG crash when security level is set to "High"
* Bug 13247: Fix meek profile error after bowser restarts
* Bug 16005: Relax WebGL minimal mode
* Bug 16300: Isolate Broadcast Channels to first party
* Bug 16439: Remove Roku screencasting code
* Bug 16285: Disabling EME bits
* Bug 16206: Enforce certificate pinning
* Bug 15910: Disable Gecko Media Plugins for now
* Bug 13670: Isolate OCSP requests by first party domain
* Bug 16448: Isolate favicon requests by first party
* Bug 7561: Disable FTP request caching
* Bug 6503: Fix single-word URL bar searching
* Bug 15526: ES6 page crashes Tor Browser
* Bug 16254: Disable GeoIP-based search results.
* Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
* Bug 13024: Disable DOM Resource Timing API
* Bug 16340: Disable User Timing API
* Bug 14952: Disable HTTP/2
* Bug 1517: Reduce precision of time for Javascript
* Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
* Bug 16311: Fix navigation timing in ESR 38
* Windows

* Bug 16014: Staged update fails if meek is enabled


* Bug 16269: repeated add-on compatibility check after update (meek enabled)
* Mac OS
* Use OSX 10.7 SDK
* Bug 16253: Tor Browser menu on OS X is broken with ESR 38
* Bug 15773: Enable ICU on OS X
* Build System
* Bug 16351: Upgrade our toolchain to use GCC 5.1
* Bug 15772 and child tickets: Update build system for Firefox 38
* Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
* Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
Tor Browser 5.0a4 -- August 3 2015
* All Platforms
* Update Tor to 0.2.7.2-alpha with patches:
* Bug 15482: Don't allow circuits to change while a site is in use
* Update OpenSSL to 1.0.1p
* Update HTTPS-Everywhere to 5.0.7
* Update NoScript to 2.6.9.31
* Update Torbutton to 1.9.3.1
* Bug 16268: Show Tor Browser logo on About page
* Bug 16639: Check for Updates menu item can cause update download failure
* Bug 15781: Remove the sessionstore filter
* Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
* Translation updates
* Bug 16884: Prefer IPv6 when supported by the current Tor exit
* Bug 16488: Remove "Sign in to Sync" from the browser menu
* Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
* Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
* Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
* Bug 15703: Isolate mediasource URIs and media streams to first party
* Bug 16429+16416: Isolate blob URIs to first party
* Bug 16632: Turn on the background updater and restart prompting
* Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhe
re
* Bug 16523: Fix in-browser JavaScript debugger
* Bug 16236: Windows updater: avoid writing to the registry
* Bug 16005: Restrict WebGL minimal mode a bit (fixup)
* Bug 16625: Fully disable network connection prediction
* Bug 16495: Fix SVG crash when security level is set to "High"
* Build System
* Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
Tor Browser 5.0a3 -- June 30 2015
* All Platforms
* Update Firefox to 38.1.0esr
* Update OpenSSL to 1.0.1o
* Update NoScript to 2.6.9.27
* Update meek to 0.20
* Tor patch backport
* Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
* Update Torbutton to 1.9.3.0
* Bug 16403: Set search parameters for Disconnect
* Bug 14429: Make sure the automatic resizing is disabled
* Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1
)
* Bug 16200: Update Cache API usage and prefs for FF38
* Bug 16357: Use Mozilla API to wipe permissions db
* Translation updates
* Update Tor Launcher to 0.2.7.6

* Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1
)
* Bug 15145: Visually distinguish "proxy" and "bridge" screens.
* Translation updates
* Bug 13247: Fix meek profile error after bowser restarts
* Bug 16397: Fix crash related to disabling SVG
* Bug 16403: Set search parameters for Disconnect
* Bug 16446: Update FTE bridge #1 fingerprint
* Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent
* Bug 16005: Relax WebGL minimal mode
* Bug 16300: Isolate Broadcast Channels to first party
* Bug 16439: Remove Roku screencasting code
* Bug 16285: Disabling EME bits
* Bug 16206: Enforce certificate pinning
* Bug 15910: Disable GMPs for now
* Bug 13670: Isolate OCSP requests by first party domain
* Bug 16448: Isolate favicon requests by first party
* Bug 7561: Disable FTP request caching
* Bug 6503: Fix single-word URL bar searching
* Bug 15526: ES6 page crashes Tor Browser
* Bug 16254: Disable GeoIP-based search results.
* Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
* Bug 13024: Disable DOM Resource Timing API
* Bug 16340: Disable User Timing API
* Bug 14952: Disable HTTP/2
* Mac OS
* Use OSX 10.7 SDK
* Bug 16253: Tor Browser menu on OS X is broken with ESR 38
* Build System
* Bug 16351: Upgrade our toolchain to use GCC 5.1
* Bug 15772 and child tickets: Update build system for Firefox 38
Tor Browser 4.5.3 -- June 30 2015
* All Platforms
* Update Firefox to 31.8.0esr
* Update OpenSSL to 1.0.1o
* Update NoScript to 2.6.9.27
* Update Torbutton to 1.9.2.8
* Bug 16403: Set search parameters for Disconnect
* Bug 14429: Make sure the automatic resizing is disabled
* Translation updates
* Bug 16397: Fix crash related to disabling SVG
* Bug 16403: Set search parameters for Disconnect
* Bug 16446: Update FTE bridge #1 fingerprint
* Tor patch backport
* Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
Tor Browser 5.0a2 -- June 15 2015
* All Platforms
* Update Tor to 0.2.7.1-alpha
* Update HTTPS-Everywhere to 5.0.5
* Update OpenSSL to 1.0.1n
* Update NoScript to 2.6.9.26
* Update meek to 0.19
* Update Torbutton to 1.9.2.7
* Bug 15984: Disabling Torbutton breaks the Add-ons Manager
* Bug 14429: Make sure the automatic resizing is enabled
* Translation updates
* Bug 16130: Defend against logjam attack
* Bug 15984: Disabling Torbutton breaks the Add-ons Manager

* Windows
* Bug 16014:
* Bug 16269:
* Linux
* Bug 16026:
* Bug 16083:

Staged update fails if meek is enabled


repeated add-on compatibility check after update (meek enabled)
Fix crash in GStreamer
Update comment in start-tor-browser

Tor Browser 4.5.2 -- June 15 2015


* All Platforms
* Update Tor to 0.2.6.9
* Update HTTPS-Everywhere to 5.0.5
* Update OpenSSL to 1.0.1n
* Update NoScript to 2.6.9.26
* Update Torbutton to 1.9.2.6
* Bug 15984: Disabling Torbutton breaks the Add-ons Manager
* Bug 14429: Make sure the automatic resizing is disabled
* Translation updates
* Bug 16130: Defend against logjam attack
* Bug 15984: Disabling Torbutton breaks the Add-ons Manager
* Linux
* Bug 16026: Fix crash in GStreamer
* Bug 16083: Update comment in start-tor-browser
Tor Browser 5.0a1 -- May 14 2015
* All Platforms
* Update Firefox to 31.7.0esr
* Update meek to 0.18
* Update Tor Launcher to 0.2.7.5
* Translation updates only
* Update Torbutton to 1.9.2.5
* Bug 15837: Show descriptions if unchecking custom mode
* Bug 15927: Force update of the NoScript UI when changing security level
* Bug 15915: Hide circuit display if it is disabled.
* Bug 14429: Improved automatic window resizing
* Translation updates
* Bug 15945: Disable NoScript's ClearClick protection for now
* Bug 15933: Isolate by base (top-level) domain name instead of FQDN
* Bug 15857: Fix file descriptor leak in updater that caused update failures
* Bug 15899: Fix errors with downloading and displaying PDFs
* Bug 15773: Enable ICU on OS X
* Bug 1517: Reduce precision of time for Javascript
* Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
* Bug 13875: Improve the spoofing of window.devicePixelRatio
* Windows
* Bug 15872: Fix meek pluggable transport startup issue with Windows 7
* Build System
* Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env v
ar
* Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Tor Browser 4.5.1 -- May 12 2015
* All Platforms
* Update Firefox to 31.7.0esr
* Update meek to 0.18
* Update Tor Launcher to 0.2.7.5
* Translation updates only
* Update Torbutton to 1.9.2.3
* Bug 15837: Show descriptions if unchecking custom mode
* Bug 15927: Force update of the NoScript UI when changing security level
* Bug 15915: Hide circuit display if it is disabled.

* Translation updates
* Bug 15945: Disable NoScript's ClearClick protection for now
* Bug 15933: Isolate by base (top-level) domain name instead of FQDN
* Bug 15857: Fix file descriptor leak in updater that caused update failures
* Bug 15899: Fix errors with downloading and displaying PDFs
* Windows
* Bug 15872: Fix meek pluggable transport startup issue with Windows 7
* Build System
* Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env v
ar
* Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Tor Browser 4.5 -- Apr 28 2015
* All Platforms
* Update Tor to 0.2.6.7 with additional patches:
* Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
* Update NoScript to 2.6.9.22
* Update HTTPS-Everywhere to 5.0.3
* Bug 15689: Resume building HTTPS-Everywhere from git tags
* Update meek to 0.17
* Update obfs4proxy to 0.0.5
* Update Tor Launcher to 0.2.7.4
* Bug 15704: Do not enable network if wizard is opened
* Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
* Bug 13576: Don't strip "bridge" from the middle of bridge lines
* Bug 15657: Display the host:port of any connection faiures in bootstrap
* Update Torbutton to 1.9.2.2
* Bug 15562: Bind SharedWorkers to thirdparty pref
* Bug 15533: Restore default security level when restoring defaults
* Bug 15510: Close Tor Circuit UI control port connections on New Identity
* Bug 15472: Make node text black in circuit status UI
* Bug 15502: Wipe blob URIs on New Identity
* Bug 15795: Some security slider prefs do not trigger custom checkbox
* Bug 14429: Disable automatic window resizing for now
* Bug 4100: Raise HTTP Keep-Alive back to 115 second default
* Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
* Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
* Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info d
isplay
* Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access
* Bug 15794: Crash on some pages with SVG images if SVG is disabled
* Bug 15562: Disable Javascript SharedWorkers due to third party tracking
* Bug 15757: Disable Mozilla video statistics API extensions
* Bug 15758: Disable Device Sensor APIs
* Linux
* Bug 15747: Improve start-tor-browser argument handling
* Bug 15672: Provide desktop app registration+unregistration for Linux
* Windows
* Bug 15539: Make installer exe signatures reproducibly removable
* Bug 10761: Fix instances of shutdown crashes
Tor Browser 4.5a5 -- Mar 31 2015
* All Platforms
* Update Firefox to 31.6.0esr
* Update OpenSSL to 1.0.1m
* Update Tor to 0.2.6.6
* Update NoScript to 2.6.9.19
* Update HTTPS-Everywhere to 5.0
* Update meek to 0.16
* Update Tor Launcher to 0.2.7.3

* Bug 13983: Directory search path fix for Tor Messanger+TorBirdy


* Update Torbutton to 1.9.1.0
* Bug 9387: "Security Slider 1.0"
* Include descriptions and tooltip hints for security levels
* Notify users that the security slider exists
* Flip slider so that "low" is on the bottom
* Make use of new SVG and MathML prefs
* Bug 13766: Set a 10 minute circuit lifespan for non-content requests
* Bug 15460: Ensure FTP urls use content-window circuit isolation
* Bug 13650: Clip initial window height to 1000px
* Bug 14429: Ensure windows can only be resized to 200x100px multiples
* Bug 15334: Display Cookie Protections menu if disk records are enabled
* Bug 14324: Show HS circuit in Tor circuit display
* Bug 15086: Handle RTL text in Tor circuit display
* Bug 15085: Fix about:tor RTL text alignment problems
* Bug 10216: Add a pref to disable the local tor control port test
* Bug 14937: Show meek and flashproxy bridges in tor circuit display
* Bugs 13891+15207: Fix exceptions/errors in circuit display with bridges
* Bug 13019: Change locale hiding pref to boolean
* Bug 7255: Warn users about maximizing windows
* Bug 14631: Improve profile access error msgs (strings).
* Pluggable Transport Dependency Updates:
* Bug 15448: Use golang 1.4.2 for meek and obs4proxy
* Bug 15265: Switch go.net repo to golang.org/x/net
* Bug 14937: Hard-code meek and flashproxy node fingerprints
* Bug 13019: Prevent Javascript from leaking system locale
* Bug 10280: Improved fix to prevent loading plugins into address space
* Bug 15406: Only include addons in incremental updates if they actually upda
te
* Bug 15029: Don't prompt to include missing plugins
* Bug 12827: Create preference to disable SVG images (for security slider)
* Bug 13548: Create preference to disable MathML (for security slider)
* Bug 14631: Improve startup error messages for filesystem permissions issues
* Bug 15482: Don't allow circuits to change while a site is in use
* Linux
* Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
* Bug 12468: Only print/write log messages if launched with --debug
* Windows
* Bug 3861: Begin signing Tor Browser for Windows the Windows way
* Bug 15201: Disable 'runas Administrator' codepaths in updater
* Bug 14688: Create shortcuts to desktop and start menu by default (optional)
Tor Browser 4.0.6 -- Mar 31 2015
* All Platforms
* Update Firefox to 31.6.0esr
* Update meek to 0.16
* Update OpenSSL to 1.0.1m
Tor Browser 4.0.5 -- Mar 23 2015
* All Platforms
* Update Firefox to 31.5.3esr
* Update Tor to 0.2.5.11
* Update NoScript to 2.6.9.19
Tor Browser 4.5a4 -- Feb 24 2015
* All Platforms
* Update Firefox to 31.5.0esr
* Update Tor to 0.2.6.3-alpha
* Update OpenSSL to 1.0.1l
* Update NoScript to 2.6.9.15

* Update obfs4proxy to 0.0.4


* Use obfs4proxy for ScrambleSuit bridges
* Update Torbutton to 1.9.0.0
* Bug 13882: Fix display of bridges after bridge settings have been changed
* Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
* Bug 10280: Strings and pref for preventing plugin initialization.
* Bug 14866: Show correct circuit when more than one exists for a given dom
ain
* Bug 9442: Add New Circuit button to Torbutton menu
* Bug 9906: Warn users before closing all windows and performing new identi
ty.
* Bug 8400: Prompt for restart if disk records are enabled/disabled.
* Bug 14630: Hide Torbutton's proxy settings tab.
* Bug 14632: Disable Cookie Manager until we get it working.
* Bug 11175: Remove "About Torbutton" from onion menu.
* Bug 13900: Remove remaining SafeCache code in favor of C++ patch
* Bug 14490: Use Disconnect search in about:tor search box
* Bug 14392: Don't steal input focus in about:tor search box
* Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
* Bug 13406: Stop directing users to download-easy.html.en on update
* Bug 9387: Handle "custom" mode better in Security Slider
* Bug 12430: Bind jar: pref to Security Slider
* Bug 14448: Restore Torbutton menu operation on non-English localizations
* Translation updates
* Update Tor Launcher to 0.2.7.2
* Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
* Bug 14336: Fix navigation button display issues on some wizard panes
* Translation updates
* Bug 14203: Prevent meek from displaying an extra update notification
* Bug 14849: Remove new NoScript menu option to make permissions permanent
* Bug 14851: Set NoScript pref to disable permanent permissions
* Bug 14490: Make Disconnect the default omnibox search engine
* Bug 11236: Fix omnibox order for non-English builds
* Also remove Amazon, eBay and bing; add Youtube and Twitter
* Bug 10280: Don't load any plugins into the address space.
* Bug 14392: Make about:tor hide itself from the URL bar
* Bug 12430: Provide a preference to disable remote jar: urls
* Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
* Bug 5698: Fix branding in "About Torbrowser" window
* Windows:
* Bug 13169: Don't use /dev/random on Windows for SSP
* Linux:
* Bug 13717: Make sure we use the bash shell on Linux
Tor Browser 4.0.4 -- Feb 24 2015
* All Platforms
* Update Firefox to 31.5.0esr
* Update OpenSSL to 1.0.1l
* Update NoScript to 2.6.9.15
* Update HTTPS-Everywhere to 4.0.3
* Bug 14203: Prevent meek from displaying an extra update notification
* Bug 14849: Remove new NoScript menu option to make permissions permanent
* Bug 14851: Set NoScript pref to disable permanent permissions
Tor Browser 4.5a3 -- Jan 19 2015
* All Platforms
* Update Firefox to 31.4.0esr
* Update Tor to 0.2.6.2-alpha
* Update NoScript to 2.6.9.10
* Update HTTPS Everywhere to 5.0development.2

* Update meek to 0.15


* Update Torbutton to 1.8.1.3
* Bug 13998: Handle changes in NoScript 2.6.9.8+
* Bug 14100: Option to hide NetworkSettings menuitem
* Bug 13079: Option to skip control port verification
* Bug 13835: Option to change default Tor Browser homepage
* Bug 11449: Fix new identity error if NoScript is not enabled
* Bug 13881: Localize strings for tor circuit display
* Bug 9387: Incorporate user feedback
* Bug 13671: Fixup for circuit display if bridges are used
* Translation updates
* Update Tor Launcher to 0.2.7.1
* Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
* Translation updates
* Bug 13379: Sign our MAR files
* Bug 13788: Fix broken meek in 4.5-alpha series
* Bug 13439: No canvas prompt for content callers
Tor Browser 4.0.3 -- Jan 13 2015
* All Platforms
* Update Firefox to 31.4.0esr
* Update NoScript to 2.6.9.10
* Update meek to 0.15
* Update Tor Launcher to 0.2.7.0.2
* Translation updates only
Tor Browser 4.5-alpha-2 -- Dec 5 2014
* All Platforms
* Update Firefox to 31.3.0esr
* Update NoScript to 2.6.9.5
* Update HTTPS Everywhere to 5.0development.1
* Update Torbutton to 1.8.1.2
* Bug 13672: Make circuit display optional
* Bug 13671: Make bridges visible on circuit display
* Bug 9387: Incorporate user feedback
* Bug 13784: Remove third party authentication tokens
* Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in ESR 31.3.0)
Tor Browser 4.0.2 -- Dec 2 2014
* All Platforms
* Update Firefox to 31.3.0esr
* Update NoScript to 2.6.9.5
* Update HTTPS Everywhere to 4.0.2
* Update Torbutton to 1.7.0.2
* Bug 13019: Synchronize locale spoofing pref with our Firefox patch
* Bug 13746: Properly link Torbutton UI to thirdparty pref.
* Bug 13742: Fix domain isolation for content cache and disk-enabled browsing
mode
* Bug 5926: Prevent JS engine locale leaks (by setting the C library locale)
* Bug 13504: Remove unreliable/unreachable non-public bridges
* Bug 13435: Remove our custom POODLE fix
* Windows
* Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
* Bug 13558: Fix crash on Windows XP during download folder changing
* Bug 13594: Fix update failure for Windows XP users
Tor Browser 4.5-alpha-1 -- Nov 14 2014
* All Platforms
* Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolatio
n

* Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32


* Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33
)
* Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
* Bug 13301: Prevent extensions incompatibility error after upgrades
* Bug 13460: Fix MSVC compilation issue
* Bug 13504: Remove stale bridges from default bridge set
* Bug 13742: Fix domain isolation for content cache and disk-enabled browsing
mode
* Update Tor to 0.2.6.1-alpha
* Update NoScript to 2.6.9.3
* Update Torbutton to 1.8.1.1
* Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
* Bug 13019: Synchronize locale spoofing pref with our Firefox patch
* Bug 3455: Use SOCKS user+pass to isolate all requests from the same url d
omain
* Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
* Bug 13651: Prevent circuit-status related UI hang.
* Bug 13666: Various circuit status UI fixes
* Bugs 13742+13751: Remove cache isolation code in favor of direct C++ patc
h
* Bug 13746: Properly update third party isolation pref if disabled from UI
* Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
* Bug 12903: Include obfs4proxy pluggable transport
* Windows
* Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
* Bug 13558: Fix crash on Windows XP during download folder changing
* Bug 13091: Make app name "Tor Browser" instead of "Tor"
* Bug 13594: Fix update failure for Windows XP users
* Mac
* Bug 10138: Switch to 64bit builds for MacOS
Tor Browser 4.0.1 -- Oct 30 2014
* All Platforms
* Update Tor to 0.2.5.10
* Update NoScript to 2.6.9.3
* Bug 13301: Prevent extensions incompatibility error after upgrades
* Bug 13460: Fix MSVC compilation issue
* Windows
* Bug 13443: Disable DirectShow to prevent crashes on many sites
* Bug 13091: Make app name "Tor Browser" instead of "Tor"
Tor Browser 4.0 -- Oct 15 2014
* All Platforms
* Update Firefox to 31.2.0esr
* Update Torbutton to 1.7.0.1
* Bug 13378: Prevent addon reordering in toolbars on first-run.
* Bug 10751: Adapt Torbutton to ESR31's Australis UI.
* Bug 13138: ESR31-about:tor shows "Tor is not working"
* Bug 12947: Adapt session storage blocker to ESR 31.
* Bug 10716: Take care of drag/drop events in ESR 31.
* Bug 13366: Fix cert exemption dialog when disk storage is enabled.
* Update Tor Launcher to 0.2.7.0.1
* Translation updates only
* Udate fteproxy to 0.2.19
* Update NoScript to 2.6.9.1
* Bug 13416: Defend against new SSLv3 attack (poodle).
* Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
* Bug 13016: Hide CSS -moz-osx-font-smoothing values.
* Bug 13356: Meek and other symlinks missing after complete update.

*
*
*
*
*
*
*
*
*

Bug
Bug
Bug
Bug
Bug
Bug
Bug
Bug
Bug

13025:
13346:
13318:
10715:
13023:
13021:
12460:
13186:
13028:

Spoof screen orientation to landscape-primary.


Disable Firefox "slow to start" warnings and recordkeeping.
Minimize number of buttons on the browser toolbar.
Enable WebGL on Windows (still click-to-play via NoScript)
Disable the gamepad API.
Prompt before allowing Canvas isPointIn*() calls.
Several cross-compilation and gitian fixes (see child tickets)
Disable DOM Performance timers
Defense-in-depth checks for OCSP/Cert validation proxy usage

Tor Browser 4.0-alpha-3 -- Sep 24 2014


* All Platforms
* Update Tor to 0.2.5.8-rc
* Update Firefox to 24.8.1esr
* Update meek to 0.11
* Update NoScript to 2.6.8.42
* Update Torbutton to 1.6.12.3
* Bug 13091: Use "Tor Browser" everywhere
* Bug 10804: Workaround fix for some cases of startup hang
* Bug 13091: Use "Tor Browser" everywhere
* Bug 13049: Browser update failure (self.update is undefined)
* Bug 13047: Updater should not send Kernel and GTK version
* Bug 12998: Prevent intermediate certs from being written to disk
* Bug 13245: Prevent non-english TBBs from upgrading to english version.
* Linux:
* Bug 9150: Make RPATH unavailable on Tor binary.
* Bug 13031: Add full RELRO protection.
Tor Browser Bundle 3.6.6 -- Sep 24 2014
* All Platforms
* Update Tor to tor-0.2.4.24
* Update Firefox to 24.8.1esr
* Update NoScript to 2.6.8.42
* Update HTTPS Everywhere to 4.0.1
* Bug 12998: Prevent intermediate certs from being written to disk
* Update Torbutton to 1.6.12.3
* Bug 13091: Use "Tor Browser" everywhere
* Bug 10804: Workaround fix for some cases of startup hang
* Linux
* Bug 9150: Make RPATH unavailable on Tor binary.
Tor Browser Bundle 4.0-alpha-2 -- Sep 2 2014
* All Platforms
* Update Firefox to 24.8.0esr
* Update NoScript to 2.6.8.39
* Update Tor Launcher to 0.2.7.0
* Bug 11405: Remove firewall prompt from wizard.
* Bug 12895: Mention @riseup.net as a valid bridge request email address
* Bug 12444: Provide feedback when Copy Tor Log is clicked.
* Bug 11199: Improve error messages if Tor exits unexpectedly
* Update Torbutton to 1.6.12.1
* Bug 12684: New strings for canvas image extraction message
* Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
* Bug 12684: Improve Canvas image extraction permissions prompt
* Bug 7265: Only prompt for first party canvas access. Log all scripts
that attempt to extract canvas images to Browser console.
* Bug 12974: Disable NTLM and Negotiate HTTP Auth
* Bug 2874: Remove Components.* from content access (regression)
* Bug 4234: Automatic Update support (off by default)
* Bug 9881: Open popups in new tabs by default

* Meek Pluggable Transport:


* Bug 12766: Use TLSv1.0 in meek-http-helper to blend in with Firefox 24
* Windows:
* Bug 10065: Enable DEP, ASLR, and SSP hardening options
* Linux:
* Bug 12103: Adding RELRO hardening back to browser binaries.
Tor Browser Bundle 3.6.5 -- Sep 2 2014
* All Platforms
* Update Firefox to 24.8.0esr
* Update NoScript to 2.6.8.39
* Update HTTPS Everywhere to 4.0.0
* Update Torbutton to 1.6.12.1
* Bug 12684: New strings for canvas image extraction message
* Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
* Bug 9531: Workaround to avoid rare hangs during New Identity
* Bug 12684: Improve Canvas image extraction permissions prompt
* Bug 7265: Only prompt for first party canvas access. Log all scripts
that attempt to extract canvas images to Browser console.
* Bug 12974: Disable NTLM and Negotiate HTTP Auth
* Bug 2874: Remove Components.* from content access (regression)
* Bug 9881: Open popups in new tabs by default
* Linux:
* Bug 12103: Adding RELRO hardening back to browser binaries.
Tor Browser Bundle 4.0-alpha-1 -- Aug 8 2014
* All Platforms
* Ticket 10935: Include the Meek Pluggable Transport (version 0.10)
* Two modes of Meek are provided: Meek over Google and Meek over Amazon
* Update Firefox to 24.7.0esr
* Update Tor to 0.2.5.6-alpha
* Update OpenSSL to 1.0.1i
* Update NoScript to 2.6.8.36
* Script permissions now apply based on URL bar
* Update HTTPS Everywhere to 5.0development.0
* Update Torbutton to 1.6.12.0
* Bug 12221: Remove obsolete Javascript components from the toggle era
* Bug 10819: Bind new third party isolation pref to Torbutton security UI
* Bug 9268: Fix some window resizing corner cases with DPI and taskbar size
.
* Bug 12680: Change Torbutton URL in about dialog.
* Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
* Bug 9531: Workaround to avoid rare hangs during New Identity
* Update Tor Launcher to 0.2.6.2
* Bug 11199: Improve behavior if tor exits
* Bug 12451: Add option to hide TBB's logo
* Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
* Bug 11471: Ensure text fits the initial configuration dialog
* Bug 9516: Send Tor Launcher log messages to Browser Console
* Bug 11641: Reorganize bundle directory structure to mimic Firefox
* Bug 10819: Create a preference to enable/disable third party isolation
* Backported Tor Patches:
* Bug 11200: Fix a hang during bootstrap introduced in the initial
bug11200 patch.
* Linux:
* Bug 10178: Make it easier to set an alternate Tor control port and password
* Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
* Bug 12249: Don't create PT debug files anymore
Tor Browser Bundle 3.6.4 -- Aug 8 2014

* All Platforms
* Update Tor to 0.2.4.23
* Update Tor launcher to 0.2.5.6
* Bug 9516: Show Tor log in TorBrowser's Browser Console
* Update OpenSSL to 1.0.1i
* Backported Tor Patches:
* Bug 11654: Properly apply the fix for malformed bug11156 log message
* Bug 11200: Fix a hang during bootstrap introduced in the initial
bug11200 patch.
* Update NoScript to 2.6.8.36
* Update Torbutton to 1.6.11.1
* Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
* Bug 12680: Fix Torbutton about url.
Tor Browser Bundle 3.6.3 -- Jul 24 2014
* All Platforms
* Update Firefox to 24.7.0esr
* Update obfsproxy to 0.2.12
* Update FTE to 0.2.17
* Update NoScript to 2.6.8.33
* Update HTTPS Everywhere to 3.5.3
* Bug 12673: Update FTE bridges
* Update Torbutton to 1.6.11.0
* Bug 12221: Remove obsolete Javascript components from the toggle era
* Bug 10819: Bind new third party isolation pref to Torbutton security UI
* Bug 9268: Fix some window resizing corner cases with DPI and taskbar size
.
* Linux:
* Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
* Bug 12249: Don't create PT debug files anymore
Tor Browser Bundle 3.6.2 -- Jun 9 2014
* All Platforms
* Update Firefox to 24.6.0esr
* Update OpenSSL to 1.0.1h
* Update NoScript to 2.6.8.28
* Update Tor to 0.2.4.22
* Update Tor Launcher to 0.2.5.5
* Bug 10425: Provide geoip6 file location to Tor process
* Bug 11754: Remove untranslated locales that were dropped from Transifex
* Bug 11772: Set Proxy Type menu correctly after restart
* Bug 11699: Change &amp;#160 to &#160; in UI elements
* Update Torbutton to 1.6.10.0
* Bug 11510: about:tor should not report success if tor proxy is unreachabl
e
* Bug 11783: Avoid b.webProgress error when double-clicking on New Identity
* Bug 11722: Add hidden pref to force remote Tor check
* Bug 11763: Fix pref dialog double-click race that caused settings to be r
eset
* Bug 11629: Support proxies with Pluggable Transports
* Updates FTEProxy to 0.2.15
* Updates obfsproxy to 0.2.9
* Backported Tor Patches:
* Bug 11654: Fix malformed log message in bug11156 patch.
* Bug 10425: Add in Tor's geoip6 files to the bundle distribution
* Bugs 11834 and 11835: Include Pluggable Transport documentation
* Bug 9701: Prevent ClipBoardCache from writing to disk.
* Bug 12146: Make the CONNECT Host header the same as the Request-URI.
* Bug 12212: Disable deprecated webaudio API
* Bug 11253: Turn on TLS 1.1 and 1.2.

* Bug 11817: Don't send startup time information to Mozilla.


Tor Browser Bundle 3.6.1 -- May 6 2014
* All Platforms
* Update HTTPS-Everywhere to 3.5.1
* Update NoScript to 2.6.8.22
* Bug 11658: Fix proxy configuration for non-Pluggable Transports users
* Backport Pending Tor Patches:
* Bug 8402: Allow Tor proxy configuration while PTs are present
* Note: The Pluggable Transports themselves have not been updated to
support proxy configuration yet.
Tor Browser Bundle 3.6 -- Apr 29 2014
* All Platforms
* Update Firefox to 24.5.0esr
* Update Tor Launcher to 0.2.5.4
* Bug #11482: Hide bridge settings prompt if no default bridges.
* Bug #11484: Show help button even if no default bridges.
* Update Torbutton to 1.6.9.0
* Bug 7439: Improve download warning dialog text.
* Bug 11384: Completely remove hidden toggle menu item.
* Update NoScript to 2.6.8.20
* Update fte transport to 0.2.13
* Backport Pending Tor Patches:
* Bug 11156: Additional obfsproxy startup error message fixes
* Bug 11586: Include license files for component software in Docs directory.
* Windows and Mac:
* Bug 9308: Prevent install path from leaking in some JS exceptions
on Mac and Windows builds
Tor Browser Bundle 3.6-beta-2 -- Apr 8 2014
* All Platforms
* Update OpenSSL to 1.0.1g
* Bug 9010: Add Turkish language support.
* Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
* Update fte transport to 0.2.12
* Update NoScript to 2.6.8.19
* Update Torbutton to 1.6.8.1
* Bug 11242: Fix improper "update needed" message after in-place upgrade.
* Bug 10398: Ease translation of about:tor page elements
* Update Tor Launcher to 0.2.5.3
* Bug 9665: Localize Tor's unreachable bridges bootstrap error
* Backport Pending Tor Patches:
* Bug 9665: Report a bootstrap error if all bridges are unreachable
* Bug 11200: Prevent spurious error message prior to enabling network.
* Linux:
* Bug 11190: Switch linux PT build process to python2
* Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
* Windows:
* Bug 11286: Fix fte transport launch error
Tor Browser Bundle 3.5.4 -- Apr 7 2014
* All Platforms
* Update OpenSSL to 1.0.1g
Tor Browser Bundle 3.5.3 -- Mar 19 2014
* All Platforms
* Update Firefox to 24.4.0esr
* Update Torbutton to 1.6.7.0:
* Bug 9901: Fix browser freeze due to content type sniffing

* Bug 10611: Add Swedish (sv) to extra locales to update


* Update NoScript to 2.6.8.17
* Update Tor to 0.2.4.21
* Bug 10237: Disable the media cache to prevent disk leaks for videos
* Bug 10703: Force the default charset to avoid locale fingerprinting
* Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
* Linux:
* Bug 9353: Fix keyboard input on Ubuntu 13.10
* Bug 9896: Provide debug symbols for Tor Browser binary
* Bug 10472: Pass arguments to the browser from Linux startup script
Tor Browser Bundle 3.6-beta-1 -- Mar 17 2014
* All Platforms
* Update Firefox to 24.4.0esr
* Include Pluggable Transports by default:
* Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.6 are now included
* Update Tor Launcher to 0.2.5.1
* Bug 10418: Provide UI configuration for Pluggable Transports
* Bug 10604: Allow Tor status & error messages to be translated
* Bug 10894: Make bridge UI clear that helpdesk is a last resort for
bridges
* Bug 10610: Clarify wizard UI text describing obstacles/blocking
* Bug 11074: Support Tails use case (XULRunner and optional
customizations)
* Update Torbutton to 1.6.7.0:
* Bug 9901: Fix browser freeze due to content type sniffing
* Bug 10611: Add Swedish (sv) to extra locales to update
* Update NoScript to 2.6.8.17
* Update Tor to 0.2.4.21
* Backport Pending Tor Patches:
* Bug 5018: Don't launch Pluggable Transport helpers if not in use
* Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
* Bug 11069: Detect and report Pluggable Transport bootstrap failures
* Bug 11156: Prevent spurious warning about missing pluggable transports
* Bug 10237: Disable the media cache to prevent disk leaks for videos
* Bug 10703: Force the default charset to avoid locale fingerprinting
* Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
* Mac:
* Bug 4261: Use DMG instead of ZIP for Mac packages
* Linux:
* Bug 9353: Fix keyboard input on Ubuntu 13.10
* Bug 9896: Provide debug symbols for Tor Browser binary
* Bug 10472: Pass arguments to the browser from Linux startup script
Tor Browser Bundle 3.5.2.1 -- Feb 14 2014
* All Platforms
* Bug 10895: Fix broken localized bundles
* Windows:
* Bug 10323: Remove unneeded gcc/libstdc++ libraries from dist
Tor Browser Bundle 3.5.2 -- Feb 8 2014
* All Platforms
* Rebase Tor Browser to Firefox 24.3.0ESR
* Bug 10419: Block content window connections to localhost
* Update Torbutton to 1.6.6.0
* Bug 10800: Prevent findbox exception and popup in New Identity
* Bug 10640: Fix about:tor's update pointer position for RTL languages.
* Bug 10095: Fix some cases where resolution is not a multiple of 200x100
* Bug 10374: Clear site permissions on New Identity
* Bug 9738: Fix for auto-maximizing on browser start

* Bug 10682: Workaround to really disable updates for Torbutton


* Bug 10419: Don't allow connections to localhost if Torbutton is toggled
* Bug 10140: Move Japanese to extra locales (not part of TBB dist)
* Bug 10687: Add Basque (eu) to extra locales (not part of TBB dist)
* Update Tor Launcher to 0.2.4.4
* Bug 10682: Workaround to really disable updates for Tor Launcher
* Update NoScript to 2.6.8.13
Tor Browser Bundle 3.5.1 -- Jan 22 2014
* All Platforms
* Bug 10447: Remove SocksListenAddress to allow multiple socks ports.
* Bug 10464: Remove addons.mozilla.org from NoScript whitelist
* Bug 10537: Build an Arabic version of TBB 3.5
* Update Torbutton to 1.6.5.5
* Bug 9486: Clear NoScript Temporary Permissions on New Identity
* Include Arabic translations
* Update Tor Launcher to 0.2.4.3
* Include Arabic translations
* Update Tor to 0.2.4.20
* Update OpenSSL to 1.0.1f
* Update NoScript to 2.6.8.12
* Update HTTPS-Everywhere to 3.4.5
* Windows
* Bug 9259: Enable Accessibility (screen reader) support
* Mac
* misc: Update bundle version field in Info.plist (for MacUpdates service)
Tor Browser Bundle 3.5 -- Dec 17 2013
* All Platforms
* Update Tor to 0.2.4.19
* Update Tor Launcher to 0.2.4.2
* Bug 10382: Fix a Tor Launcher hang on TBB exit
* Update Torbutton to 1.6.5.2
* Misc: Switch update download URL back to download-easy
Tor Browser Bundle 3.5rc1 -- Dec 12 2013
* All Platforms
* Update Firefox to 24.2.0esr
* Update NoScript to 2.6.8.7
* Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
* Tag includes a patch to handle enabling/disabling Mixed Content Blocking
* Bug 5060: Disable health report service
* Bug 10367: Disable prompting about health report and Mozilla Sync
* Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
* Misc Prefs: Disable layer acceleration to avoid crashes on Windows
* Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 8
78890
* Update Tor Launcher to 0.2.4.1
* Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
* Bug 10201: FF ESR 24 hangs during exit on Mac OS
* Bug 9984: Support running Tor Launcher from InstantBird
* Misc: Support browser directory location API changes in Firefox 24
* Update Torbutton to 1.6.5.1
* Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
* Bug 8167: Update cache isolation for FF24 API changes
* Bug 10201: FF ESR 24 hangs during exit on Mac OS
* Bug 10078: Properly clear crypto tokens during New Identity on FF24
* Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF2
4
* Linux

* Bug 10213; Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)
Tor Browser Bundle 3.0rc1 -- Nov 21 2013
* All Platforms:
* Update Firefox to 17.0.11esr
* Update Tor to 0.2.4.18-rc
* Remove unsupported PDF.JS addon from the bundle
* Bug #7277: TBB's Tor client will now omit its timestamp in the TLS handshak
e.
* Update Torbutton to 1.6.4.1
* Bug #10002: Make the TBB3.0 blog tag our update download URL for now
* Windows
* Bug #10102: Patch binutils to remove nondeterministic bytes in compiled bin
aries
* Linux
* Bug #10049: Fix architecture check to work from outside TBB's directory
* Bug #10126: Remove libz and firefox-bin, and strip unstripped binaries
* Misc: Disable Firefox updater during compile time (in addition to pref)
Tor Browser Bundle 3.0beta1 -- Oct 31 2013
* All Platforms:
* Update Firefox to 17.0.10esr
* Update NoScript to 2.6.8.2
* Update HTTPS-Everywhere to 3.4.2
* Bug #9114: Reorganize the bundle directory structure to ease future
autoupdates
* Bug #9173: Patch Tor Browser to auto-detect profile directory if
launched without the wrapper script.
* Bug #9012: Hide Tor Browser infobar for missing plugins.
* Bug #8364: Change the default entry page for the addons tab to the
installed addons page.
* Bug #9867: Make flash objects really be click-to-play if flash is enabled.
* Bug #8292: Make getFirstPartyURI log+handle errors internally to simplify
caller usage of the API
* Bug #3661: Remove polipo and privoxy from the banned ports list.
* misc: Fix a potential memory leak in the Image Cache isolation
* misc: Fix a potential crash if OS theme information is ever absent
* Update Tor-Launcher to 0.2.3.1-beta
* Bug #9114: Handle new directory structure
* misc: Tor Launcher now supports Thunderbird
* Update Torbutton to 1.6.4
* Bug #9224: Support multiple Tor socks ports for about:tor status check
* Bug #9587: Add TBB version number to about:tor
* Bug #9144: Workaround to handle missing translation properties
* Windows:
* Bug #9084: Fix startup crash on Windows XP.
* Linux:
* Bug #9487: Create detached debuginfo files for Linux Tor and Tor
Browser binaries.
Tor Browser Bundle 3.0alpha4 -- Sep 24 2013
* All Platforms:
* Bug #8751: Randomize TLS HELLO timestamp in HTTPS connections
* Bug #9790 (workaround): Temporarily re-enable JS-Ctypes for cache
isolation and SSL Observatory
* Update Firefox to 17.0.9esr
* Update Tor to 0.2.4.17-rc
* Update NoScript to 2.6.7.1
* Update Tor-Launcher to 0.2.2-alpha
* Bug #9675: Provide feedback mechanism for clock-skew and other early

startup issues
* Bug #9445: Allow user to enter bridges with or without 'bridge' keyword
* Bug #9593: Use UTF16 for Tor process launch to handle unicode paths.
* misc: Detect when Tor exits and display appropriate notification
* Update Torbutton to 1.6.2.1
* Bug 9492: Fix Torbutton logo on OSX and Windows (and related
initialization code)
* Bug 8839: Disable Google/Startpage search filters using Tor-specific urls
Tor Browser Bundle 3.0alpha3 -- Aug 01 2013
* All Platforms:
* Update Firefox to 17.0.8esr
* Update Tor to 0.2.4.15-rc
* Update HTTPS-Everywhere to 3.3.1
* Update NoScript to 2.6.6.9
* Improve build input fetching and authentication
* Bug #9283: Update NoScript prefs for usability.
* Bug #6152 (partial): Disable JSCtypes support at compile time
* Update Torbutton to 1.6.1
* Bug 8478: Change when window resize code fires to avoid rounding errors
* Bug 9331: Hack an update URL for the next TBB release
* Bug 9144: Change an aboutTor.dtd string so transifex will accept it
* Update Tor-Launcher to 0.2.1-alpha
* Bug #9128: Remove dependency on JSCtypes
* Windows
* Bug #9195: Disable download manager AV scanning (to prevent cloud
reporting+scanning of downloaded files)
* Mac:
* Bug #9173 (partial): Launch firefox-bin on MacOS instead of TorBrowser.app
(improves dock behavior).
Tor Browser Bundle 3.0alpha2 -- June 27 2013
* All Platforms:
* Update Firefox to 17.0.7esr
* Update Tor to 0.2.4.14-alpha
* Include Tor's GeoIP file
* This should fix custom torrc issues with country-based node
restrictions
* Fix several build determinism issues
* Include ChangeLog in bundles.
* Linux:
* Use Ubuntu's 'hardening-wrapper' to build our Linux binaries
* Windows:
* Fix many crash issues by disabling Direct2D support for now.
* Mac:
* Bug 8987: Disable TBB's 'Saved Application State' disk records on OSX 10.7+
Tor Browser Bundle 3.0alpha1 -- June 17 2013
* All Platforms:
* Remove Vidalia; Use the new Tor Launcher Firefox Addon instead
* Update Torbutton to 1.6.0
* bug 7494: Create a local home page for TBB as about:tor
* misc: Perform a control port test of proper Tor configuration by default.
Only use https://check.torproject.org if the control port is
unavailable.
* misc: Add an icon menu option for Tor Launcher's Network Settings
* misc: Add branding string overrides (primarily controls browser name and
homepage)

* Update HTTPS-Everywhere to 3.2.2


* Update NoScript to 2.6.6.6
* Update PDF.JS to 0.8.1
* Windows:
* Use MinGW-w64 (via Gitian) to cross-compile the bundles from Ubuntu
* Use TBB-Windows-Installer to guide Windows users through TBB extraction
* Temporarily disable WebGL and Accessibility support due to minor MinGW
issues
* Mac:
* Use 'Toolchain4' fork by Ray Donnelley to cross-compile the bundles from
Ubuntu