Tor Browser Changelog

What's new in Tor Browser 13.0.1

Oct 25, 2023

This release backports important security updates from Firefox 115.4.0esr and
This release updates Firefox to 115.4.0esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 119.

New in Tor Browser 13.0 (Oct 12, 2023)

Refreshed application icons:
Earlier this year we spent some time artworking the Mullvad Browser logo into the various assets needed to support its release – including application, installer and document icons that conform to each platform's conventions. While getting up to speed with the current requirements for each platform, we identified a number of gaps with Tor Browser too, and started working on new icons for Tor Browser in parallel.
For context, Tor Browser's current icon (sometimes referred to as the "onion logo") was selected by community poll over four years ago to succeed the older purple and green globe in Tor Browser 8.5. Given the community's involvement in its selection, its recognizability by netizens, and the simple fact that we still love the existing icon, we chose to focus on refining rather than replacing it entirely.
One of the motivations behind work like this is our philosophy that privacy-preserving products shouldn't be purely utilitarian, but can also spark joy. However there are practical benefits too: adhering to platform conventions provides better consistency, discernible application and installer icons help prevent user error, and attracting new users benefits everyone because anonymity loves company.
New homepage:
For the past year we've been working on a significant rewrite of Tor Browser's back-end, which recently provided us with the opportunity to rebuild one of the few internal pages that hasn't changed in a while: the homepage (often referred to by its internal reference, "about:tor"). Tor Browser 13.0's homepage now features the new application icons, a simplified design, and the ability to "onionize" your DuckDuckGo searches by switching to the DuckDuckGo onion site. Continuing the work that began in Tor Browser 12.5 to improve the browser's accessibility, the redesigned homepage also offers better support for users of screen readers and other assistive technology too.
Existing Tor Browser users can rejoice that the "red screen of death" – an infamous error state that the previous homepage would occasionally trip itself into – is long gone. As part of the back-end rewrite we've removed the automatic Tor network connectivity check that was a hold-over from the legacy tor-launcher, where bootstrapping was handled by an extension that ran before the browser interface appeared. As a result of the tighter tor integration and in-browser bootstrapping experience introduced in Tor Browser 10.5, the old logic behind this check would often fail and present some users with the red screen of death, even if their connection was fine.
In fact, all of the reports we've received of users hitting this screen with the default tor configuration since Tor Browser 10.5 have proven to be false positives, causing undue alarm. Although the check is arguably still useful for users running non-default configurations, neither of the main environments which do so – Tails and Whonix – use about:tor as their default new-tab or home pages. For everyone else, we've added a new banner to the redesigned homepage in place of the red screen of death to check that tor is connected and working as expected.
Bigger new windows:
The explanation for how and why Tor Browser works this way is going to get into the weeds a little, so be warned. However the main thing to take away is that new windows should be bigger by default and present themselves in a more useful landscape aspect-ratio for the majority of desktop users in Tor Browser 13.0. Now, about those weeds...
Letterboxing was introduced in Tor Browser 9.0 to allow users to resize their browser window without fear of being fingerprinted by rounding the inner content window (sometimes referred to as the "viewport") down to multiples of 200 x 100 pixels. This technique works by grouping the window sizes of most users into a series of common "buckets", protecting individual users within those buckets from being singled-out based on their window or screen size.
In order to preserve these protections when opening new windows, Tor Browser overrides platform defaults and will instead select a size that conforms to our letterboxing steps up to a maximum of 1000 x 1000 pixels. However, while that may have been fine in the past, a max width of 1000px is no longer suitable for the modern web. For example, on many newer websites the first responsive break point lies somewhere in the range of 1000 – 1200px, meaning by default Tor Browser users would receive website menus and layouts intended for tablet and mobile devices. Alternatively, on certain websites, users would receive the desktop version but with the annoyance of a horizontal scroll bar instead. This, naturally, would lead to users of these websites needing to expand each new window manually before it's usable.
In response we've bumped up the max size of new windows up to 1400 x 900 pixels and amended the letterboxing steps to match. Thanks to the increase in width, Tor Browser for desktop should no longer trigger responsive break points on larger screens and the vast majority of our desktop users will see a familiar landscape aspect-ratio more in-keeping with modern browsers. This particular size was chosen by crunching the numbers to offer greater real estate for new windows without increasing the number of buckets past the point of their usefulness. As an added bonus, we also expect that Tor Browser users will not feel the need to manually change their window size as frequently as before – thereby keeping more users aligned to the default buckets.
Technical notes:
We're pleased to report that we've made the naming scheme for all our build outputs mutually consistent. Essentially, this means that going forward the names of all our build artifacts should follow the format ${ARTIFACT}-${OS}-${ARCH}-${VERSION}.${EXT}. For example, the macOS .dmg package for 12.5 was named TorBrowser-12.5-macos_ALL.dmg, whereas for 13.0 it's named tor-browser-macos-13.0.dmg.
If you are a downstream packager or download Tor Browser artifacts using scripts or automation, you'll need to do a little more work beyond just bumping the version number to support this and future releases.

New in Tor Browser 12.5.6 (Sep 30, 2023)

New in Tor Browser 12.5.5 (Sep 27, 2023)

New in Tor Browser 12.5.3 (Aug 29, 2023)

New in Tor Browser 12.5.2 (Aug 3, 2023)

New in Tor Browser 12.5 (Jun 22, 2023)

All Platforms:
Updated Translations:
Bug tor-browser-build#40353: Re-enable rlbox
Bug tor-browser-build#40810: Add Finnish (fi) language support
Bug tor-browser#41066: Circuit Isolation should take containers into account
Bug tor-browser#41428: Check if we can create our own directories for branding
Bug tor-browser#41514: eslint broken since migrating torbutton
Bug tor-browser#41568: Disable LaterRun
Bug tor-browser#41599: about:networking#networkid should be normalized
Bug tor-browser#41624: Disable unused about: pages
Bug tor-browser#41635: Disable the Normandy component at compile time
Bug tor-browser#41636: Disable back webextension.storage.sync after ensuring NoScript settings won't be lost
Bug tor-browser#41647: Turn --enable-base-browser in --with-base-browser-version
Bug tor-browser#41662: Disable about:sync-logs
Bug tor-browser#41671: Turn media.peerconnection.ice.relay_only to true as defense in depth against WebRTC ICE leaks
Bug tor-browser#41689: Remove startup.homepage_override_url from Base Browser
Bug tor-browser#41704: Immediately return on remoteSettings.pollChanges
Bug tor-browser#41738: Replace the patch to disable live reload with its preference
Bug tor-browser#41763: TTP-02-003 WP1: Data URI allows JS execution despite safest security level (Low)
Bug tor-browser#41775: Avoid re-defining some macros in nsUpdateDriver.cpp
Bug tor-browser#41818: Remove YEC 2022 strings
Windows + macOS + Linux:
Bug mullvad-browser#165: Fix maximization warning x button and preference
Bug tor-browser#20497: Improve support for non-portable mode
Bug tor-browser#33298: HTTP onion sites do not give a popup warning when submitting form data to non-onion HTTP sites
Bug tor-browser#40144: about:privatebrowsing Firefox branding
Bug tor-browser#40347: URL bar lock icon says connection is not secure when on "view-source:.onion" URLs [tor-browser]
Bug tor-browser#40552: New texts for the add a bridge manually modal
Bug tor-browser#40701: Improve security warning when downloading a file
Bug tor-browser-build#40711: Review and expand the stakeholders we communicate major changes to
Bug tor-browser-build#40733: Use the new branding directories
Bug tor-browser-build#40745: Allow customizing MOZ_APP_BASENAME
Bug tor-browser-build#40773: Copy some documentation files only on Tor Browser
Bug tor-browser-build#40781: Move translations to new paths
Bug tor-browser#40788: Tor Browser 11.0.4-11.0.6 phoning home
Bug tor-browser-build#40808: Set update URL for nightly base-browser
Bug tor-browser-build#40811: Make testing the updater easier
Bug tor-browser-build#40817: Add basebrowser-incrementals-nightly makefile target
Bug tor-browser-build#40833: base-browser nightly is using the default channel instead of nightly
Bug tor-browser#40958: The number of relays displayed for an onion site can be misleading
Bug tor-browser#41038: Update "Click to Copy" button label in circuit display
Bug tor-browser#41080: Some users are choosing an adjacent country for circumvention settings
Bug tor-browser#41084: Reserve red as a button color for dangerous actions
Bug tor-browser#41085: Refactor the UI to remove all bridges
Bug tor-browser#41093: Users don't understand the purpose of bridge-moji
Bug tor-browser#41109: "New circuit..." button gets cut-off when onion name wraps
Bug tor-browser#41350: Move the implementation of Bug 19273 out of Torbutton
Bug tor-browser#41351: Move the crypto protection patch earlier in the patchset
Bug tor-browser#41363: Crypto warning popup is not screen reader accessible
Bug tor-browser#41448: User 'danger' style for primary button in new identity modal
Bug tor-browser#41483: Tor Browser says Firefox timed out, confusing users
Bug tor-browser#41503: Disable restart in case of reboot and restore in case of crash
Bug tor-browser#41521: Improve localization notes
Bug tor-browser#41533: Page Info window for view-source:http://...onion addresses says Connection Not Encrypted
Bug tor-browser#41540: Confusing build-id date in about:preferences in alphas
Bug tor-browser#41562: API-triggered fullscreen after F11 causes letterboxing to crop the page
Bug tor-browser#41577: Disable profile migration
Bug tor-browser#41587: Disable the updater for Base Browser
Bug tor-browser#41595: Disable pagethumbnails capturing
Bug tor-browser#41600: Some users have difficulty finding the circuit display
Bug tor-browser#41607: Update "New Circuit" icon
Bug tor-browser#41608: Improve the UX of the location bar's connection status
Bug tor-browser#41609: Move the disabling of Firefox Home (Activity Stream) to base-browser
Bug tor-browser#41613: Skip Drang & Drop filtering for DNS-safe URLs (no hostname, e.g. RFC3966 tel:)
Bug tor-browser#41617: Improve the UX of the built-in bridges dialog
Bug tor-browser#41618: Update the iconography used in the status strip in connection settings
Bug tor-browser#41623: Update connection assist's iconography
Bug tor-browser#41633: Updating from 12.0.2 to 12.0.3 resets NoScript settings
Bug tor-browser#41657: Remove --enable-tor-browser-data-outside-app-dir
Bug tor-browser#41668: Move part of the updater patches to base browser
Bug tor-browser#41686: Move the 'Bug 11641: Disable remoting by default' commit from base-browser to tor-browser
Bug tor-browser#41695: Port warning on maximized windows without letterboxing from torbutton
Bug tor-browser#41699: Tighten up the tor onion alias regular expression
Bug tor-browser#41701: Reporting an extension does not work
Bug tor-browser#41702: The connection pill needs to be centered vertically
Bug tor-browser#41709: sendCommand should not try to send a command forever
Bug tor-browser#41711: Race condition when opening a new window in New Identity
Bug tor-browser#41718: Add the external filetype warning to about:downloads
Bug tor-browser#41719: Update title and button strings in the new circuit display to sentence case
Bug tor-browser#41725: Stray connectionPane.xhtml patch
Bug tor-browser#41726: Animate the torconnect icon to transition between connected states
Bug tor-browser#41734: Add a 'Connected' flag to indicate which built-in bridge option Tor Browser is currently using
Bug tor-browser#41736: Customize the default CustomizableUI toolbar using CustomizableUI.jsm
Bug tor-browser#41749: Replace the onion-glyph with dedicated icon for onion services
Bug tor-browser#41770: Keyboard navigation broken leaving the toolbar tor circuit button
Bug tor-browser#41775: Avoid re-defining some macros in nsUpdateDriver.cpp
Bug tor-browser#41785: Network monitor in developer tools shows HTTP onion resources as insecure
Bug tor-browser#41792: Drag and Drop protection prevents dragging downloads
Bug tor-browser#41800: Add the external filetype warning to Library / Manage Bookmarks
Bug tor-browser#41801: Fix handleProcessReady in TorSettings.init
Bug tor-browser#41802: Bad regex used to extract transport from bridgeline
Bug tor-browser#41810: Add "Connect" buttons to Request Bridge and Provide Bridge modals
Bug tor-browser#41816: The top navigation in about:torconnect isn't updated correctly
Bug tor-browser#41841: Use the new onion-site.svg icon in the onion-location pill
Windows + Linux:
Bug tor-browser-build#40714: Ship NoScript in the distribution directory also for Windows and Linux
Bug tor-browser#41654: UpdateInfo jumped into Data
Windows:
Bug tor-browser-build#40772: Check and fix HiDPI issues in the NSIS installer
Bug tor-browser-build#40793: Add some metadata also to the Windows installer
Bug tor-browser-build#40801: Correct the ExecShell for system-wide installs in the NSIS script
Bug tor-browser#41459: WebRTC fails to build under mingw
Bug tor-browser#41678: WebRTC build fix patches incorrectly defining pid_t
Build System:
All Platforms:
Updated Go to 1.20.5
Bug tor-browser-build#40673: Avoid building each go module separately
Bug tor-browser-build#40679: Use the latest translations for nightly builds
Bug tor-browser-build#40689: Update Ubuntu version from projects/mmdebstrap-image/config to 22.04.1
Bug tor-browser-build#40717: Create a script to prepare changelogs
Bug tor-browser-build#40720: Update fetch-changelogs.py scripts to support new Build System label
Bug tor-browser-build#40750: Find why rlbox hurts reproducibility
Bug tor-browser-build#40751: make signtag-* needs to take project name into account
Bug tor-browser-build#40753: We should not copy mar tools when the updater is disabled
Bug tor-browser-build#40760: Add BSD packager contacts to release prep templates
Bug tor-browser-build#40763: Add support for signing multiple browsers in tools/signing/nightly
Bug tor-browser-build#40783: Update download-unsigned-sha256sums-gpg-signatures-from-people-tpo to use $projectname prefix directory
Bug tor-browser-build#40784: Fix var_p/nightly_torbrowser_incremental_from after #40737
Bug tor-browser-build#40794: Include the build-id in firefox-l10n output name
Bug tor-browser-build#40795: Trim down tor-browser-build release prep issue templates
Bug tor-browser-build#40796: Bad UX for the changelogs script when using the issue number
Bug tor-browser-build#40805: Define the version flag for all browsers
Bug tor-browser-build#40807: Add config for signing base-browser nightly in tools/signing/nightly
Bug tor-browser-build#40812: Make var/rezip in projects/firefox/config quiet
Bug tor-browser-build#40818: Enable wasm target for rust compiler
Bug tor-browser-build#40828: Use http://archive.debian.org/debian-archive/ for jessie
Bug tor-browser-build#40837: Rebase mullvad-browser build changes onto main
Bug tor-browser-build#40870: Remove url without browser name from tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo
Bug tor-browser#41649: Create rebase and security backport gitlab issue templates
Bug tor-browser#41682: Add base-browser nightly mar signing key
Windows + macOS + Linux
Bug tor-browser-build#33953: Provide a way for easily updating Go dependencies of projects
Bug tor-browser-build#40713: Use the new tor-browser l10n branch in Firefox
Bug tor-browser-build#40777: Create a Go bootstrap project
Bug tor-browser-build#40778: Disable all translations with testbuilds in Firefox
Bug tor-browser-build#40788: Remove all languages but en-US for privacy-browser build target
Bug tor-browser-build#40809: Remove --enable-tor-browser-update and --enable-verify-mar from projects/firefox/mozconfig
Bug tor-browser-build#40813: Enable var/updater_enabled for basebrowser nightly
Bug tor-browser-build#40823: Update appname_* variables in projects/release/update_responses_config.yml
Bug tor-browser-build#40826: Correctly set appname_marfile for basebrowser in tools/signing/nightly/update-responses-base-config.yml
Bug tor-browser-build#40827: MAR generation uses (mostly) hard-coded MAR update channel
Bug tor-browser-build#40841: Adapt signing scripts to new signing machines
Bug tor-browser-build#40849: Move Go dependencies to the projects dependent on them, not as a standalone projects
Bug tor-browser-build#40866: Remove Using ansible to set up a nightly build machine from README
Bug tor-browser-build#40869: obfs4 is renamed to lyrebird
Windows
Bug tor-browser-build#29185: NSIS Installer not reproducible when icon has an alpha channel
Bug tor-browser-build#40757: Change projects/browser/windows-installer/torbrowser.nsi to a template file
Windows + macOS + Linux
Bug tor-browser-build#40732: Review Bundle-Data and try not to ship the default profile in base browser

New in Tor Browser 11.5.8 (Nov 23, 2022)

or Browser 11.5.8 backports the following security updates from Firefox ESR 102.5 to to Firefox ESR 91.13 on Windows, macOS and Linux:
CVE-2022-43680: In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
CVE-2022-45403: Service Workers might have learned size of cross-origin media files
CVE-2022-45404: Fullscreen notification bypass
CVE-2022-45405: Use-after-free in InputStream implementation
CVE-2022-45406: Use-after-free of a JavaScript Realm
CVE-2022-45408: Fullscreen notification bypass via windowName
CVE-2022-45409: Use-after-free in Garbage Collection
CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy
CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers
CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers
CVE-2022-45416: Keystroke Side-Channel Leakage
CVE-2022-45420: Iframe contents could be rendered outside the iframe
CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
Tor Browser 11.5.8 updates GeckoView on Android to Firefox ESR 102.5 and includes important security updates. Tor Browser 11.5.8 backports the following security updates from Firefox 107 to Firefox ESR 102.5 on Android:
CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs
The full changelog since Tor Browser 11.5.7 is:
All Platforms:
Update Translations
Update OpenSSL to 1.1.1s
Update NoScript to 11.4.12
Update tor to 0.4.7.11
Update zlib to 1.2.13
Bug tor-browser-build#40622: Update obfs4proxy to 0.0.14 in Tor Browser
Windows + macOS + Linux:
Bug tor-browser#31064: Letterboxing is enabled in priviledged contexts too
Bug tor-browser#32411: Consider adding about:tor and others to the list of pages that do not need letterboxing
Bug tor-browser#41413: Backup intl.locale.requested in 11.5.x
Bug tor-browser#41434: Letterboxing bypass through secondary tab (popup/popunder...)
Bug tor-browser#41456: Backport ESR 102.5 security fixes to 91.13-based Tor Browser
Bug tor-browser#41460: Migrate new identity and security level preferences in 11.5.8
Bug tor-browser#41463: Backport fix for CVE-2022-43680
Android:
Update GeckoView to 102.5.0esr
Bug tor-browser#41461: Backport Android-specific 107-rr security fixes to 102.5-esr based Geckoview
Build:
All Platforms:
Update Go to 1.18.8
Bug tor-browser-build#40658: Create an anticensorship team keyring
Bug tor-browser-build#40690: Revert fix for zlib build break

New in Tor Browser 11.5.7 (Nov 4, 2022)

New in Tor Browser 12.0a4 Alpha (Nov 1, 2022)

All Plaforms:
Update Translations
Bug tor-browser#24686: In Tor Browser context, should network.http.tailing.enabled be set to false?
Bug tor-browser#27127: Audit and enable HTTP/2 push
Bug tor-browser#40057: ensure that CSS4 system colors are not a fingerprinting vector
Bug tor-browser#40058: ensure no locale leaks from new Intl APIs
Bug tor-browser#40251: Clear obsolete prefs after torbutton!27
Bug tor-browser#40406: Remove Presentation API related prefs
Bug tor-browser#40465: Onion Authentication fails when connecting to a subdomain
Bug tor-browser#40491: Don't auto-pick a v2 address when it's in Onion-Location header
Bug tor-browser#40494: Update Startpage and Blockchair onion search providers
Bug tor-browser-build#40629: Bump snowflake version to 9ce1de4eee4e
Bug tor-browser-build#40633: Remove Team Cymru hard-coded bridges
Bug tor-browser-build#40646: Don't build Español AR anymore
Bug tor-browser-build#40649: Update meek default bridge
Bug tor-browser-build#40654: Enable uTLS and use the full bridge line for snowflake
Bug tor-browser-build#40665: Snowflake bridge parameters are too long (535 bytes) in 11.5.5
Bug tor-browser#41098: Compare Tor Browser's and GeckoView's profiles
Bug tor-browser#41154: Review Mozilla 1765167: Deprecate Cu.import
Bug tor-browser#41164: Add some #define for the base-browser section
Bug tor-browser#41306: Typo "will not able" in "Tor unexpectedly exited" dialog
Bug tor-browser#41317: Tor Browser leaks banned ports in network.security.ports.banned
Bug tor-browser#41326: Update preference for remoteRecipes
Bug tor-browser#41345: fonts: windows whitelist contains supplemental fonts
Bug tor-browser#41398: Disable Web MIDI API
Windows + macOS + Linux:
Update Firefox to 102.4.0esr
Bug tor-browser#17400: Decide how to use the multi-lingual Tor Browser in the alpha/release series
Bug tor-browser-build#40638: Visit our website link after build-to-build upgrade in Nightly channel points to old v2 onion
Bug tor-browser-build#40648: Do not customize update.locale in multi-lingual builds
Bug tor-browser#40853: use Subprocess.jsm to launch tor
Bug tor-browser#40933: Migrate remaining tor-launcher functionality to tor-browser
Bug tor-browser#41117: Review Mozilla 1512851: Add Share Menu to File Menu on macOS
Bug tor-browser#41323: Tor-ify notification bar gradient colors (branding)
Bug tor-browser#41337: Add a title to the new identity confirmation
Bug tor-browser#41342: Update the New Identity dialog to the proton modal style
Bug tor-browser#41344: Authenticated Onion Services do not prompt for auth key in 12.0 alpha series
Bug tor-browser#41352: Update or drop the show manual logic in torbutton
Bug tor-browser#41369: Consider a different list-order for locales in language menu
Bug tor-browser#41374: Missing a few torconnect strings in the DTD
Bug tor-browser#41377: Hide Search for more languages... from Language selector in multi-locale build
Bug tor-browser#41385: Bootstrap failure is logged but not raised up to about:torconnect
Bug tor-browser#41386: The new tor-launcher has a problem when another Tor is running
Bug tor-browser#41387: New identity and new circuit ended up inside history
Bug tor-browser#41400: Missing onionAuthViewKeys causes "Onion Services Keys" dialog to be empty.
Bug tor-browser#41401: Missing some mozilla icons because we still loading them from "chrome://browser/skin" rather than "chrome://global/skin/icons"
Bug tor-browser#41404: Fix blockchair-onion search extension
Windows:
Bug tor-browser#41149: Review Mozilla 1762576: Firefox is not allowing Symantec DLP to inject DLL into the browser for Data Loss Prevention software
Bug tor-browser#41278: Create Tor Browser styled pdf logo similar to the vanilla Firefox one
Build:
All Platforms:
Update Go to 1.19.2
Bug tor-browser-build#23656: Use .mozconfig files in tor-browser repo for rbm builds
Bug tor-browser-build#28754: make testbuild-android-armv7 stalls during sha256sum step
Bug tor-browser-build#40397: Create a new build target to package tor daemon, pluggable transports and dependencies
Bug tor-browser-build#40619: Make sure translations are taken from gitlab.tpo and not git.tpo
Bug torbrowser-build#40627: Add boklm to torbutton.gpg
Bug tor-browser-build#40634: Update the project/browser path in tools/changelog-format-blog-post and other files
Bug tor-browser-build#40636: Remove https-everywhere from projects/browser/config
Bug tor-browser-build#40639: Remove tor-launcher references
Bug tor-browser-build#40643: Update Richard's key in torbutton.gpg
Bug tor-browser-build#40655: Published tor-expert-bundle tar.gz files should not include their tor-browser-build build id
Bug tor-browser-build#40656: Improve get_last_build_version in tools/signing/nightly/sign-nightly
Bug tor-browser-build#40658: Create an anticensorship team keyring
Bug tor-browser-build#40660: Update changelog-format-blog-post script to point gitlab rather than gitolite
Bug tor-browser-build#40662: Make base-browser nightly build from tag
Bug tor-browser-build#40671: Update langpacks URL
Bug tor-browser#41308: Use the same branch for Desktop and GeckoView
Bug tor-browser#41340: Opt in to some of the NIGHTLY_BUILD features
Bug tor-browser#41343: Add -without-wam-sandboxed-libraries to mozconfig-linux-x86_64-dev for local builds
Bug tor-browser-build#40585: Prune the manual more
Bug tor-browser-build#40663: Do not ship bookmarks in tor-browser-build anymore
Bug tor-browser-build#40669: Remove HTTPS-Everywhere keyring
Bug tor-browser#41357: Enable browser toolbox debugging by default for dev builds

New in Tor Browser 11.5.6 (Oct 27, 2022)

New in Tor Browser 11.5.4 (Oct 12, 2022)

New in Tor Browser 11.5.2 (Aug 30, 2022)

New in Tor Browser 11.0.15 (Jul 2, 2022)

New in Tor Browser 11.5 Alpha 13 (Jun 30, 2022)

New in Tor Browser 11.5 Alpha 12 (May 30, 2022)

New in Tor Browser 11.5 Alpha 11 (May 20, 2022)

New in Tor Browser 11.5 Alpha 9 (Apr 27, 2022)

New in Tor Browser 11.0.10 (Apr 27, 2022)

New in Tor Browser 11.5 Alpha 8 (Mar 23, 2022)

New in Tor Browser 11.0.9 (Mar 20, 2022)

New in Tor Browser 11.5 Alpha 6 (Mar 20, 2022)

New in Tor Browser 11.0.1 (Nov 14, 2021)

New in Tor Browser 11.0 Alpha 10 (Nov 5, 2021)

New in Tor Browser 10.5.10 (Oct 26, 2021)

New in Tor Browser 11.0 Alpha 9 (Oct 18, 2021)

New in Tor Browser 11.0 Alpha 7 (Sep 23, 2021)

New in Tor Browser 11.0 Alpha 5 (Aug 24, 2021)

New in Tor Browser 11.0 Alpha 4 (Aug 17, 2021)

New in Tor Browser 11.0 Alpha 2 (Jul 20, 2021)

New in Tor Browser 10.5 Alpha 17 (Jun 29, 2021)

New in Tor Browser 10.0.18 (Jun 21, 2021)

New in Tor Browser 10.5 Alpha 16 (Jun 11, 2021)

New in Tor Browser 10.0.17 (Jun 3, 2021)

New in Tor Browser 10.5 Alpha 15 (Apr 27, 2021)

New in Tor Browser 10.0.16 (Apr 20, 2021)

New in Tor Browser 10.5 Alpha 14 (Apr 14, 2021)

New in Tor Browser 10.5 Alpha 13 (Apr 6, 2021)

New in Tor Browser 10.0.15 (Mar 28, 2021)

New in Tor Browser 10.0.14 (Mar 25, 2021)

New in Tor Browser 10.0.12 (Feb 24, 2021)

New in Tor Browser 10.0.11 (Feb 7, 2021)

New in Tor Browser 10.0.10 (Feb 5, 2021)

New in Tor Browser 10.0.9 (Jan 27, 2021)

New in Tor Browser 10.5 Alpha 8 (Jan 27, 2021)

New in Tor Browser 10.0.8 (Jan 13, 2021)

New in Tor Browser 10.5 Alpha 6 (Dec 17, 2020)

New in Tor Browser 10.0.6 (Dec 15, 2020)

New in Tor Browser 10.5 Alpha 2 (Oct 28, 2020)

New in Tor Browser 10.0.2 (Oct 21, 2020)

New in Tor Browser 10.0.1 (Oct 14, 2020)

New in Tor Browser 10.5 Alpha 1 (Sep 25, 2020)

New in Tor Browser 10.0 (Sep 23, 2020)

Windows + OS X + Linux:
Update Firefox to 78.3.0esr
Update Tor to 0.4.4.5
Update Tor Launcher to 0.2.25
Bug 32174: Replace XUL with
Bug 33890: Rename XUL files to XHTML
Bug 33862: Fix usages of createTransport API
Bug 33906: Fix Tor-Launcher issues for Firefox 75
Bug 33998: Use CSS grid instead of XUL grid
Bug 34164: Tor Launcher deadlocks during startup (Firefox 77)
Bug 34206: Tor Launcher button labels are missing (Firefox 76)
Bug 40002: After rebasing to 80.0b2 moat is broken
Translations update
Update NoScript to 11.0.44
Bug 40093: Youtube videos on safer produce an error
Translations update
Bug 10394: Let Tor Browser update HTTPS Everywhere
Bug 11154: Disable TLS 1.0 (and 1.1) by default
Bug 16931: Sanitize the add-on blocklist update URL
Bug 17374: Disable 1024-DH Encryption by default
Bug 21601: Remove unused media.webaudio.enabled pref
Bug 30682: Disable Intermediate CA Preloading
Bug 30812: Exempt about: pages from Resist Fingerprinting
Bug 31918+33533+40024+40037: Rebase Tor Browser esr68 patches for ESR 78
Bug 32612: Update MAR_CHANNEL_ID for the alpha
Bug 32886: Separate treatment of @media interaction features for desktop and android
Bug 33534: Review FF release notes from FF69 to latest (FF78)
Bug 33697: Use old search config based on list.json
Bug 33721: PDF Viewer is not working in the safest security level
Bug 33734: Set MOZ_NORMANDY to False
Bug 33737: Fix aboutDialog.js error for Firefox nightlies
Bug 33848: Disable Enhanced Tracking Protection
Bug 33851: Patch out Parental Controls detection and logging
Bug 33852: Clean up about:logins to not mention Sync
Bug 33856: Set browser.privatebrowsing.forceMediaMemoryCache to True
Bug 33862: Fix usages of createTransport API
Bug 33867: Disable password manager and password generation
Bug 33890: Rename XUL files to XHTML
Bug 33892: Add brandProductName to brand.dtd and brand.properties
Bug 33962: Uplift patch for bug 5741 (dns leak protection)
Bug 34125: API change in protocolProxyService.registerChannelFilter
Bug 40001: Generate tor-browser-brand.ftl when importing translations
Bug 40002: Remove about:pioneer
Bug 40002: Fix generateNSGetFactory being moved to ComponentUtils
Bug 40003: Adapt code for L10nRegistry API changes
Bug 40005: Initialize the identity UI before setting up the circuit display
Bug 40006: Fix new identity for 81
Bug 40007: Move SecurityPrefs initialization to the StartupObserver component
Bug 40008: Style fixes for 78
Bug 40016: Update Snowflake to discover NAT type
Bug 40017: Audit Firefox 68-78 diff for proxy issues
Bug 40022: Update new icons in Tor Browser branding
Bug 40025: Revert add-on permissions due to Mozilla's 1560059
Bug 40036: Remove product version/update channel from #13379 patch
Bug 40038: Review RemoteSettings for ESR 78
Bug 40048: Disable various ESR78 features via prefs
Bug 40059: Verify our external helper patch is still working
Bug 40066: Update existing prefs for ESR 78
Bug 40066: Remove default bridge 37.218.240.34
Bug 40073: Disable remote Public Suffix List fetching
Bug 40073: Repack omni.ja to include builtin HTTPS Everywhere
Bug 40078: Backport patches for bug 1651680 for now
Bug 40082: Let JavaScript on safest setting handled by NoScript again
Bug 40088: Moat "Submit" button does not work
Bug 40090: Disable v3 add-on blocklist for now
Bug 40091: Load HTTPS Everywhere as a builtin addon
Bug 40102: Fix UI bugs in Tor Browser 10.0 alpha
Bug 40106: Cannot install addons in full screen mode
Bug 40109: Playing video breaks after reloading pages
Bug 40119: Enable v3 extension blocklisting again
Windows:
Bug 33855: Don't use site's icon as window icon in Windows in private mode
Bug 40061: Omit the Windows default browser agent from the build
OS X:
Bug 32252: Tor Browser does not display correctly in VMWare Fusion on macOS (mojave)
Build System:
Windows + OS X + Linux:
Bump Go to 1.14.7
Bug 31845: Bump GCC version to 9.3.0
Bug 34011: Bump clang to 9.0.1
Bug 34014: Enable sqlite3 support in Python
Bug 34390: Don't copy DBM libraries anymore
Bug 34391: Remove unused --enable-signmar option
Bug 40004: Adapt Rust project for Firefox 78 ESR
Bug 40005: Adapt Node project for Firefox 78 ESR
Bug 40006: Adapt cbindgen for Firefox 78 ESR
Bug 40037: Move projects over to clang-source
Bug 40026: Fix full .mar creation for esr78
Bug 40027: Fix incremental .mar creation for esr78
Bug 40028: Do not reference unset env variables
Bug 40031: Add licenses for kcp-go and smux.
Bug 40045: Fix complete .mar file creation for dmg2mar
Bug 40065: Bump debootstrap-image ubuntu_version to 20.04.1
Bug 40087: Deterministically add HTTPS Everywhere into omni.ja
Windows:
Bug 34230: Update Windows toolchain for Firefox 78 ESR
Bug 40015: Use only 64bit fxc2
Bug 40017: Enable stripping again on Windows
Bug 40052: Bump NSIS to 3.06.1
Bug 40061: Omit the Windows default browser agent from the build
Bug 40071: Be explicit about no SEH with mingw-w64 on 32bit systems
Bug 40077: Don't pass --no-insert-timestamp when building Firefox
Bug 40090: NSIS 3.06.1 based builds are not reproducible anymore
OS X:
Bug 34229: Update macOS toolchain for Firefox 78 ESR
Bug 40003: Update cctools version for Firefox 78 ESR
Bug 40018: Add libtapi project for cctools
Bug 40019: Ship our own runtime library for macOS
Linux:
Bug 34359: Adapt abicheck.cc to deal with newer GCC version
Bug 34386: Fix up clang compilation on Linux
Bug 40053: Also create the langpacks tarball for non-release builds

New in Tor Browser 10.0 Alpha 7 (Sep 17, 2020)

New in Tor Browser 10.0 Alpha 6 (Aug 27, 2020)

New in Tor Browser 10.0 Alpha 5 (Aug 20, 2020)

Windows + OS X + Linux:
Update Firefox to 78.1.0esr
Update Tor to 0.4.4.4-rc
Update Tor Launcher to 0.2.22:
Bug 32174: Replace XUL <textbox> with <html:input>
Bug 33890: Rename XUL files to XHTML
Bug 33862: Fix usages of createTransport API
Bug 33906: Fix Tor-Launcher issues for Firefox 75
Bug 33998: Use CSS grid instead of XUL grid
Bug 34164: Tor Launcher deadlocks during startup (Firefox 77)
Bug 34206: Tor Launcher button labels are missing (Firefox 76)
Translations update
Update NoScript to 11.0.37
Bug 11154: Disable TLS 1.0 (and 1.1) by default
Bug 16931: Sanitize the add-on blocklist update URL
Bug 17374: Disable 1024-DH Encryption by default
Bug 30682: Disable Intermediate CA Preloading
Bug 30812: Exempt about: pages from Resist Fingerprinting
Bug 31918+33533+40024+40037: Rebase Tor Browser esr68 patches for ESR 78 [tor-browser]
Bug 32612: Update MAR_CHANNEL_ID for the alpha
Bug 32886: Separate treatment of @media interaction features for desktop and android
Bug 33534: Review FF release notes from FF69 to latest (FF78)
Bug 33697: Use old search config based on list.json
Bug 33721: PDF Viewer is not working in the safest security level
Bug 33734: Set MOZ_NORMANDY to False
Bug 33737: Fix aboutDialog.js error for Firefox nightlies
Bug 33848: Disable Enhanced Tracking Protection
Bug 33851: Patch out Parental Controls detection and logging
Bug 33852: Clean up about:logins to not mention Sync
Bug 33856: Set browser.privatebrowsing.forceMediaMemoryCache to True
Bug 33862: Fix usages of createTransport API
Bug 33867: Disable password manager and password generation
Bug 33890: Rename XUL files to XHTML
Bug 33892: Add brandProductName to brand.dtd and brand.properties
Bug 33962: Uplift patch for bug 5741 (dns leak protection)
Bug 34125: API change in protocolProxyService.registerChannelFilter
Bug 40001: Generate tor-browser-brand.ftl when importing translations [torbutton]
Bug 40002: Fix generateNSGetFactory being moved to ComponentUtils [torbutton]
Bug 40003: Adapt code for L10nRegistry API changes [torbutton]
Bug 40005: Initialize the identity UI before setting up the circuit display [torbutton]
Bug 40016: Update Snowflake to discover NAT type [tor-browser-build]
Bug 40017: Audit Firefox 68-78 diff for proxy issues [tor-browser]
Bug 40022: Update new icons in Tor Browser branding [tor-browser]
Bug 40025: Revert add-on permissions due to Mozilla's 1560059 [tor-browser]
Bug 40036: Remove product version/update channel from #13379 patch [tor-browser]
Bug 40038: Review RemoteSettings for ESR 78 [tor-browser]
Bug 40048: Disable various ESR78 features via prefs [tor-browser]
Bug 40059: Verify our external helper patch is still working [tor-browser]
Bug 40066: Update existing prefs for ESR 78 [tor-browser]
Bug 40073: Disable remote Public Suffix List fetching [tor-browser]
Bug 40078: Backport patches for bug 1651680 for now [tor-browser]
Translations update
Windows:
Bug 33855: Don't use site's icon as window icon in Windows in private mode
Bug 40061: Omit the Windows default browser agent from the build [tor-browser]
OS X:
Bug 32252: Tor Browser does not display correctly in VMWare Fusion on macOS (mojave)
Build System:
Windows + OS X + Linux:
Bug 31845: Bump GCC version to 9.3.0
Bug 34011: Bump clang to 9.0.1
Bug 34014: Enable sqlite3 support in Python
Bug 34390: Don't copy DBM libraries anymore
Bug 34391: Remove unused --enable-signmar option
Bug 40004: Adapt Rust project for Firefox 78 ESR [tor-browser-build]
Bug 40005: Adapt Node project for Firefox 78 ESR [tor-browser-build]
Bug 40006: Adapt cbindgen for Firefox 78 ESR [tor-browser-build]
Bug 40037: Move projects over to clang-source [tor-browser-build]
Bug 40026: Fix full .mar creation for esr78 [tor-browser-build]
Bug 40027: Fix incremental .mar creation for esr78 [tor-browser-build]
Bug 40028: Do not reference unset env variables [tor-browser-build]
Windows:
Bug 34230: Update Windows toolchain for Firefox 78 ESR
Bug 40015: Use only 64bit fxc2 [tor-browser-build]
Bug 40017: Enable stripping again on Windows [tor-browser-build]
Bug 40061: Omit the Windows default browser agent from the build [tor-browser]
OS X:
Bug 34229: Update macOS toolchain for Firefox 78 ESR
Bug 40003: Update cctools version for Firefox 78 ESR [tor-browser-build]
Bug 40018: Add libtapi project for cctools [tor-browser-build]
Bug 40019: Ship our own runtime library for macOS [tor-browser-build]
Linux:
Bug 34359: Adapt abicheck.cc to deal with newer GCC version
* Bug 34386: Fix up clang compilation on Linux

New in Tor Browser 9.5.3 (Jul 29, 2020)

New in Tor Browser 10.0 Alpha 3 (Jul 29, 2020)

New in Tor Browser 10.0 Alpha 2 (Jul 1, 2020)

New in Tor Browser 9.5.1 (Jun 29, 2020)

New in Tor Browser 10.0 Alpha 1 (Jun 3, 2020)

New in Tor Browser 9.5 Alpha 13 (May 23, 2020)

New in Tor Browser 9.5 Alpha 12 (May 7, 2020)

New in Tor Browser 9.0.10 (May 5, 2020)

New in Tor Browser 9.5 Alpha 11 (Apr 11, 2020)

New in Tor Browser 9.0.9 (Apr 9, 2020)

New in Tor Browser 9.5 Alpha 10 (Apr 7, 2020)

New in Tor Browser 9.5 Alpha 9 (Apr 1, 2020)

New in Tor Browser 9.0.7 (Mar 23, 2020)

New in Tor Browser 9.0.6 (Mar 13, 2020)

New in Tor Browser 9.5 Alpha 7 (Mar 11, 2020)

New in Tor Browser 9.5 Alpha 6 (Mar 3, 2020)

New in Tor Browser 9.5 Alpha 5 (Feb 14, 2020)

New in Tor Browser 9.0.5 (Feb 12, 2020)

New in Tor Browser 9.0.4 (Jan 10, 2020)

New in Tor Browser 9.0.3 (Jan 6, 2020)

New in Tor Browser 9.5 Alpha 3 (Dec 4, 2019)

New in Tor Browser 9.0.2 (Dec 3, 2019)

New in Tor Browser 9.5 Alpha 2 (Nov 12, 2019)

New in Tor Browser 9.0.1 (Nov 12, 2019)

New in Tor Browser 9.5 Alpha 1 (Oct 24, 2019)

New in Tor Browser 9.0 (Oct 23, 2019)

This release features important security updates to Firefox.
Tor Browser 9.0 is the first stable release based on Firefox 68 ESR and contains a number of updates to other components as well (including Tor to 0.4.1.6 and OpenSSL to 1.1.1d for desktop versions and Tor to 0.4.1.5 for Android).
In addition to all the needed patch rebasing and toolchain updates, we made big improvements to make Tor Browser work better for you.
Goodbye, Onion Button:
We want your experience using Tor to be fully integrated within the browser so how you use Tor is more intuitive. That's why now, rather than using the onion button that was in the toolbar, you can see your path through the Tor network and request a New Circuit through the Tor network in [i] on the URL bar.
Hello, New Identity Button:
Instead of going into the onion button to request a New Identity, we've made this important feature easier to access by giving it its own button in the toolbar. You can also request a New Identity, and a New Circuit, from within the [=] menu on the toolbar.
Torbutton and Tor Launcher Integration:
Now that both extensions are tightly integrated into Tor Browser, they'll no longer be found on the about:addons page.
We redesigned the bridge and proxy configuration dialogs and include them directly into the browser's preference settings as well.
Rather than being a submenu behind the onion button, Tor Network Settings, including the ability to fetch bridges to bypass censorship where Tor is blocked, are easier to access on about:preferences#tor.
Better Localization Support:
If we want all people around the world to be able to use our software, then we need to make sure it's speaking their language. Since 8.0, Tor Browser has been available in 25 languages. Today, we add support for two additional languages: Macedonian (mk) and Romanian (ro), bringing the number of supported languages to 27.
We also fixed bugs in our previously shipped localized bundles (such as ar and ko).
Full changelog:
Update Firefox to 68.2.0esr
Bug 31740: Remove some unnecessary RemoteSettings instances
Bug 13543: Spoof smooth and powerEfficient for Media Capabilities
Bug 28196: about:preferences is not properly translated anymore
Bug 19417: Disable asmjs on safer and safest security levels
Bug 30463: Explicitly disable MOZ_TELEMETRY_REPORTING
Bug 31935: Disable profile downgrade protection
Bug 16285: Disable DRM/EME on Android and drop Adobe CDM
Bug 31602: Remove Pocket indicators in UI and disable it
Bug 31914: Fix eslint linter error
Bug 30429: Rebase patches for Firefox 68 ESR
Bug 31144: Review network code changes for Firefox 68 ESR
Bug 10760: Integrate Torbutton into Tor Browser directly
Bug 25856: Remove XUL overlays from Torbutton
Bug 31322: Fix about:tor assertion failure debug builds
Bug 29430: Add support for meek_lite bridges to bridgeParser
Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
Bug 30683: Prevent detection of locale via some *.properties
Bug 31298: Backport patch for #24056
Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
Bug 27601: Browser notifications are not working anymore
Bug 30845: Make sure internal extensions are enabled
Bug 28896: Enable extensions in private browsing by default
Bug 31563: Reload search extensions if extensions.enabledScopes has changed
Bug 31396: Fix communication with NoScript for security settings
Bug 31142: Fix crash of tab and messing with about:newtab
Bug 29049: Backport JS Poison Patch
Bug 25214: Canvas data extraction on locale pdf file should be allowed
Bug 30657: Locale is leaked via title of link tag on non-html page
Bug 31015: Disabling SVG hides UI icons in extensions
Bug 30681: Set security.enterprise_roots.enabled to false
Bug 30538: Unable to comment on The Independent Newspaper
Bug 31209: View PDF in Tor Browser is fuzzy
Translations update
Update Tor to 0.4.1.6
Update OpenSSL to 1.1.1d:
Bug 31844: OpenSSL 1.1.1d fails to compile for some platforms/architectures
Update Tor Launcher to 0.2.20.1:
Bug 28044: Integrate Tor Launcher into tor-browser
Bug 32154: Custom bridge field only allows one line of input
Bug 31286: New strings for about:preferences#tor
Bug 31303: Do not launch tor in browser toolbox
Bug 32112: Fix bad & escaping in translations
Bug 31491: Clean up the old meek http helper browser profiles
Bug 29197: Remove use of overlays
Bug 31300: Modify Tor Launcher so it is compatible with ESR68
Bug 31487: Modify moat client code so it is compatible with ESR68
Bug 31488: Moat: support a comma-separated list of transports
Bug 30468: Add mk locale
Bug 30469: Add ro locale
Bug 30319: Remove FTE bits
Translations update
Bug 32092: Fix Tor Browser Support link in preferences
Bug 32111: Fixed issue parsing user-provided bridge strings
Bug 31749: Fix security level panel spawning events
Bug 31920: Fix Security Level panel when its toolbar button moves to overflow
Bug 31748+31961: Fix 'Learn More' links in Security Level preferences and panel
Bug 28044: Integrate Tor Launcher into tor-browser
Bug 31059: Enable Letterboxing
Bug 30468: Add mk locale
Bug 30469: Add ro locale
Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
Bug 31251: Security Level button UI polish
Bug 31344: Register SecurityLevelPreference's 'unload' callback
Bug 31286: Provide network settings on about:preferences#tor
Bug 31886: Fix ko bundle bustage
Bug 31768: Update onboarding for Tor Browser 9
Bug 27511: Add new identity button to toolbar
Bug 31778: Support dark-theme for the Circuit Display UI
Bug 31910: Replace meek_lite with meek in circuit display
Bug 30504: Deal with New Identity related browser console errors
Bug 31929: Don't escape DTD entity in ar
Bug 31747: Some onboarding UI is always shown in English
Bug 32041: Replace = with real hamburguer icon ≡
Bug 30304: Browser locale can be obtained via DTD strings
Bug 31065: Set network.proxy.allow_hijacking_localhost to true
Bug 24653: Merge securityLevel.properties into torbutton.dtd
Bug 31164: Set up default bridge at Karlstad University
Bug 15563: Disable ServiceWorkers on all platforms
Bug 31598: Disable warning on window resize if letterboxing is enabled
Bug 31562: Fix circuit display for error pages
Bug 31575: Firefox is phoning home during start-up
Bug 31491: Clean up the old meek http helper browser profiles
Bug 26345: Hide tracking protection UI
Bug 31601: Disable recommended extensions again
Bug 30662: Don't show Firefox Home when opening new tabs
Bug 31457: Disable per-installation profiles
Bug 28822: Re-implement desktop onboarding for ESR 68
Bug 31942: Re-enable signature check for language packs
Bug 29013: Enable stack protection for Firefox on Windows
Bug 30800: ftp:// on Windows can be used to leak the system time zone
Bug 31547: Back out patch for Mozilla's bug 1574980
Bug 31141: Fix typo in font.system.whitelist
Bug 30319: Remove FTE bits
Build System:
Bug 30585: Provide standalone clang 8 project across all platforms
Bug 30376: Use Rust 1.34 for Tor Browser 9
Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
Bug 31621: Fix node bug that makes large writes to stdout fail
Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
Bug 31293: Make sure the lo interface inside the containers is up
Bug 27493: Clean up mozconfig options
Bug 31308: Sync mozconfig files used in tor-browser over to tor-browser-build for esr68
Bug 29307: Use Stretch for cross-compiling for Windows
Bug 29731: Remove faketime for Windows builds
Bug 30322: Windows toolchain update for Firefox 68 ESR
Bug 28716: Create mingw-w64-clang toolchain
Bug 28238: Adapt firefox and fxc2 projects for Windows builds
Bug 28716: Optionally omit timestamp in PE header
Bug 31567: NS_tsnprintf() does not handle %s correctly on Windows
Bug 31458: Revert patch for #27503 and bump mingw-w64 revision used
Bug 9898: Provide clean fix for strcmpi issue in NSPR
Bug 29013: Enable stack protection support for Firefox on Windows
Bug 30384: Use 64bit containers to build 32bit Windows Tor Browser
Bug 31538: Windows bundles based on ESR 68 are not built reproducibly
Bug 31584: Clean up mingw-w64 project
Bug 31596: Bump mingw-w64 version to pick up fix for #31567
Bug 29187: Bump NSIS version to 3.04
Bug 31732: Windows nightly builds are busted due to mingw-w64 commit bump
Bug 29319: Remove FTE support for Windows

New in Tor Browser 9.0 Alpha 8 (Oct 16, 2019)

All Platforms:
Bug 13543: Spoof smooth and powerEfficient for Media Capabilities
Bug 28196: about:preferences is not properly translated anymore
Bug 19417: Disable asmjs on safer and safest security levels
Bug 30463: Explicitly disable MOZ_TELEMETRY_REPORTING
Bug 31935: Disable profile downgrade protection
Bug 31811: Backport fix for bug 1554805
Bug 16285: Disable DRM/EME on Android and drop Adobe CDM
Bug 31602: Remove Pocket indicators in UI and disable it
Bug 31914: Fix eslint linter error
Translations update
Windows + OS X + Linux:
Update Tor to 0.4.2.2-alpha
Update Tor Launcher to 0.2.19.5
Bug 31286: New strings for about:preferences#tor
Translations update
Bug 31286: Provide network settings on about:preferences#tor
Bug 31886: Fix ko bundle bustage
Bug 31768: Update onboarding for Tor Browser 9
Bug 27511: Add new identity button to toolbar
Bug 31778: Support dark-theme for the Circuit Display UI
Bug 31910: Replace meek_lite with meek in circuit display
Bug 30504: Deal with New Identity related browser console errors
Bug 31929: Don't escape DTD entity in ar
Bug 31747: Some onboarding UI is always shown in English
Bug 32041: Replace = with real hamburguer icon ≡
Windows:
Bug 31942: Re-enable signature check for language packs
Bug 29013: Enable stack protection for Firefox on Windows
OS X:
Bug 31607: App menu items stop working on macOS
Bug 31955: On macOS avoid throwing inside nonBrowserWindowStartup()
Linux:
Bug 31942: Re-enable signature check for language packs
Bug 31968: Don't fail if /proc/cpuinfo is not readable
Bug 24755: Stop using a heredoc in start-tor-browser
Bug 31550: Put curly quotes inside single quotes
Android:
Bug 31822: Security slider is not really visible on Android anymore
Build System:
All Platforms:
Bug 31293: Make sure the lo interface inside the containers is up
Windows:
Bug 29013: Enable stack protection support for Firefox on Windows
Android:
Bug 31564: Make Android bundles based on ESR 68 reproducible
Bug 31981: Remove require-api.patch
Bug 31979: TOPL: Sort dependency list
* Bug 30665: Remove unnecessary build patches for Firefox

New in Tor Browser 9.0 Alpha 7 (Oct 2, 2019)

All platforms:
Bug 30304: Browser locale can be obtained via DTD strings
Bug 31065: Set network.proxy.allow_hijacking_localhost to true
Bug 24653: Merge securityLevel.properties into torbutton.dtd
Bug 31725: Pick up mk in Torbutton properly
Bug 31164: Set up default bridge at Karlstad University
Bug 15563: Disable ServiceWorkers on all platforms
Translations update
Windows + OS X + Linux:
Update Tor to 0.4.2.1-alpha
Update OpenSSL to 1.1.1d; Bug 31844: OpenSSL 1.1.1d fails to compile for some platforms/architectures
Update Tor Launcher to 0.2.19.4:
Bug 31303: Do not launch tor in browser toolbox
Bug 31491: Clean up the old meek http helper browser profiles
Translations update
Bug 31598: Disable warning on window resize if letterboxing is enabled
Bug 31562: Fix circuit display for error pages
Bug 31575: Firefox is phoning home during start-up
Bug 31491: Clean up the old meek http helper browser profiles
Bug 26345: Hide tracking protection UI
Bug 31601: Disable recommended extensions again
Bug 30662: Don't show Firefox Home when opening new tabs
Bug 31457: disable per-installation profiles
Bug 28822: Re-implement desktop onboarding for ESR 68
Bug 25483: Provide Snowflake based on Pion for Windows, macOS, and Linux
Windows:
Bug 30800: ftp:// on Windows can be used to leak the system time zone
OS X:
Bug 30126: Make Tor Browser on macOS compatible with Apple's notarization
Bug 31702: Backport Mozilla's bug 1578075
Linux:
Bug 31646: Update abicheck to require newer libstdc++.so.6
Bug 31380: Snowflake does not start on older Linux systems
Android:
Update Tor to 0.4.1.5
Bug 31192: Support x86_64 target on Android
Bug 30380: Cancel dormant by startup
Bug 30943: Show version number on mobile
Bug 31720: Enable website suggestions in address bar
Build System:
All platforms
Bug 31621: Fix node bug that makes large writes to stdout fail
Bug 27493: Clean up mozconfig options
Bug 31308: Sync mozconfig files used in tor-browser over to tor-browser-build for esr68
Windows
Bug 30384: Use 64bit containers to build 32bit Windows Tor Browser
Bug 31538: Windows bundles based on ESR 68 are not built reproducibly
Bug 31584: Clean up mingw-w64 project
Bug 31596: Bump mingw-w64 version to pick up fix for #31567
Bug 39187: Bump NSIS version to 3.04
Bug 31732: Windows nightly builds are busted due to mingw-w64 commit bump
Linux
Bug 31448: gold and lld break linking 32bit Linux bundles
Bug 31618: linux32 builds of Tor Browser 9.0a6 are not matching
Bug 31450: Use still GCC for our ASan builds

New in Tor Browser 9.0 Alpha 6 (Sep 6, 2019)

All platforms:
Update Firefox to 68.1.0esr
Bug 30429: Rebase patches for Firefox 68 ESR
Bug 10760: Integrate Torbutton into Tor Browser directly
Bug 25856: Remove XUL overlays from Torbutton
Bug 31322: Fix about:tor assertion failure debug builds
Bug 31520: Remove monthly giving banner from Tor Browser
Bug 29430: Add support for meek_lite bridges to bridgeParser
Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
Bug 30683: Prevent detection of locale via some *.properties
Bug 31298: Backport patch for #24056
Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
Bug 27601: Browser notifications are not working anymore
Bug 30845: Make sure internal extensions are enabled
Bug 28896: Enable extensions in private browsing by default
Bug 31563: Reload search extensions if extensions.enabledScopes has changed
Bug 31396: Fix communication with NoScript for security settings
Bug 31142: Fix crash of tab and messing with about:newtab
Bug 29049: Backport JS Poison Patch
Bug 25214: Canvas data extraction on locale pdf file should be allowed
Bug 30657: Locale is leaked via title of link tag on non-html page
Bug 31015: Disabling SVG hides UI icons in extensions
Bug 31357: Retire Tom's default obfs4 bridge
Update NoScript to 11.0.3:
Bug 26847: NoScript pops up a full-site window for XSS warning
Bug 31287: NoScript leaks browser locale
Windows + OS X + Linux:
Update Tor to 0.4.1.5
Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
Bug 31251: Security Level button UI polish
Bug 31344: Register SecurityLevelPreference's 'unload' callback
Bug 12774: Selecting meek in the browser UI is broken
Update Tor Launcher to 0.2.19.3:
Bug 29197: Remove use of overlays
Bug 31300: Modify Tor Launcher so it is compatible with ESR68
Bug 31487: Modify moat client code so it is compatible with ESR68
Bug 31488: Moat: support a comma-separated list of transports
Translations update
Build System:
Bug 31465: Bump Go to 1.12.9
OS X:
Bug 29818: Adapt #13379 patch for 68esr
Bug 31403: Bump snowflake commit to cd650fa009
Build System:
All Platforms:
Bug 30585: Provide standalone clang 8 project across all platforms
Bug 30376: Use Rust 1.34 for Tor Browser 9
Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
Bug 9898: Provide clean fix for strcmpi issue in NSPR
Windows:
Bug 31547: Back out patch for Mozilla's bug 1574980
Bug 31141: Fix typo in font.system.whitelist
Backport fix for bug 1572844 to fix broken build

New in Tor Browser 8.5.5 (Sep 4, 2019)

New in Tor Browser 9.0 Alpha 4 (Jul 9, 2019)

New in Tor Browser 8.5.4 (Jul 9, 2019)

New in Tor Browser 9.0 Alpha 3 (Jun 24, 2019)

New in Tor Browser 8.5.3 (Jun 21, 2019)

New in Tor Browser 8.5.2 (Jun 19, 2019)

New in Tor Browser 9.0 Alpha 2 (Jun 12, 2019)

New in Tor Browser 8.5.1 (Jun 4, 2019)

New in Tor Browser 9.0 Alpha 1 (May 23, 2019)

New in Tor Browser 8.5 (May 21, 2019)

All platforms:
Update Firefox to 60.7.0esr
Update Torbutton to 2.1.8:
Bug 25013: Integrate Torbutton into tor-browser for Android
Bug 27111: Update about:tor desktop version to work on mobile
Bug 22538+22513: Fix new circuit button for error pages
Bug 25145: Update circuit display when back button is pressed
Bug 27749: Opening about:config shows circuit from previous website
Bug 30115+27449+25145: Map browser+domain to credentials to fix circuit display
Bug 25702: Update Tor Browser icon to follow design guidelines
Bug 21805: Add click-to-play button for WebGL
Bug 28836: Links on about:tor are not clickable
Bug 30171: Don't sync cookie.cookieBehavior and firstparty.isolate
Bug 29825: Intelligently add new Security Level button to taskbar
Bug 29903: No WebGL click-to-play on the standard security level
Bug 27290: Remove WebGL pref for min capability mode
Bug 25658: Replace security slider with security level UI
Bug 28628: Change onboarding Security panel to open new Security Level panel
Bug 29440: Update about:tor when Tor Browser is updated
Bug 27478: Improved Torbutton icons for dark theme
Bug 29239: Don't ship the Torbutton .xpi on mobile
Bug 27484: Improve navigation within onboarding (strings)
Bug 29768: Introduce new features to users (strings)
Bug 28093: Update donation banner style to make it fit in small screens
Bug 28543: about:tor has scroll bar between widths 900px and 1000px
Bug 28039: Enable dump() if log method is 0
Bug 27701: Don't show App Blocker dialog on Android
Bug 28187: Change tor circuit icon to torbutton.svg
Bug 29943: Use locales in AB-CD scheme to match Mozilla
Bug 26498: Add locale: es-AR
Bug 28082: Add locales cs, el, hu, ka
Bug 29973: Remove remaining stopOpenSecuritySettingsObserver() pieces
Bug 28075: Tone down missing SOCKS credential warning
Bug 30425: Revert armagadd-on-2.0 changes
Bug 30497: Add Donate link to about:tor
Bug 30069: Use slider and about:tor localizations on mobile
Bug 21263: Remove outdated information from the README
Bug 28747: Remove NoScript (XPCOM) related unused code
Translations update
Code clean-up
Update HTTPS Everywhere to 2019.5.6.1
Bug 27290: Remove WebGL pref for min capability mode
Bug 29120: Enable media cache in memory
Bug 24622: Proper first-party isolation of s3.amazonaws.com
Bug 29082: Backport patches for bug 1469916
Bug 28711: Backport patches for bug 1474659
Bug 27828: "Check for Tor Browser update" doesn't seem to do anything
Bug 29028: Auto-decline most canvas warning prompts again
Bug 27919: Backport SSL status API
Bug 27597: Fix our debug builds
Bug 28082: Add locales cs, el, hu, ka
Bug 26498: Add locale: es-AR
Bug 29916: Make sure enterprise policies are disabled
Bug 29349: Remove network.http.spdy.* overrides from meek helper user.js
Bug 29327: TypeError: hostName is null on about:tor page
Bug 30425: Revert armagadd-on-2.0 changes
Windows + OS X + Linux:
Update OpenSSL to 1.0.2r
Update Tor Launcher to 0.2.18.3
* Bug 27994+25151: Use the new Tor Browser logo
* Bug 29328: Account for Tor 0.4.0.x's revised bootstrap status reporting
* Bug 22402: Improve "For assistance" link
* Bug 27994: Use the new Tor Browser logo
* Bug 25405: Cannot use Moat if a meek bridge is configured
* Bug 27392: Update Moat URLs
* Bug 28082: Add locales cs, el, hu, ka
* Bug 26498: Add locale es-AR
* Bug 28039: Enable dump() if log method is 0
* Translations update
* Bug 25702: Activity 1.1 Update Tor Browser icon to follow design guidelines
* Bug 28111: Use Tor Browser icon in identity box
* Bug 22343: Make 'Save Page As' obey first-party isolation
* Bug 29768: Introduce new features to users
* Bug 27484: Improve navigation within onboarding
* Bug 25658+29554: Replace security slider with security level UI
* Bug 25658+29554: Replace security slider with security level UI
* Bug 25405: Cannot use Moat if a meek bridge is configured
* Bug 28885: notify users that update is downloading
* Bug 29180: MAR download stalls when about dialog is opened
* Bug 27485: Users are not taught how to open security-slider dialog
* Bug 27486: Avoid about:blank tabs when opening onboarding pages
* Bug 29440: Update about:tor when Tor Browser is updated
* Bug 23359: WebExtensions icons are not shown on first start
* Bug 28628: Change onboarding Security panel to open new Security Level panel
* Bug 27905: Fix many occurrences of "Firefox" in about:preferences
* Bug 28369: Stop shipping pingsender executable
* Bug 30457: Remove defunct default bridges
* Windows
* Bug 27503: Improve screen reader accessibility
* Bug 27865: Tor Browser 8.5a2 is crashing on Windows
* Bug 22654: Firefox icon is shown for Tor Browser on Windows 10 start menu
* Bug 28874: Bump mingw-w64 commit to fix WebGL crash
* Bug 12885: Windows Jump Lists fail for Tor Browser
* Bug 28618: Set MOZILLA_OFFICIAL for Windows build
* Bug 21704: Abort install if CPU is missing SSE2 support
* Bug 28002: Fix the precomplete file in the en-US installer
Build System:
All platforms:
Bug 29868: Fix installation of python-future package
Bug 25623: Disable network during build
Bug 25876: Generate source tarballs during build
Bug 28685: Set Build ID based on Tor Browser version
Bug 29194: Set DEBIAN_FRONTEND=noninteractive
Bug 29167: Upgrade go to 1.11.5
Bug 29158: Install updated apt packages (CVE-2019-3462)
Bug 29097: Don't try to install python3.6-lxml for HTTPS Everywhere
Bug 27061: Enable verification of langpacks checksums
Windows:
Bug 26148: Update binutils to 2.31.1
Bug 27320: Build certutil for Windows

New in Tor Browser 8.0.9 (May 8, 2019)

New in Tor Browser 8.5 Alpha 11 (Apr 17, 2019)

New in Tor Browser 8.0.8 (Mar 23, 2019)

New in Tor Browser 8.5 Alpha 9 (Mar 21, 2019)

All platforms:
Update Firefox to 60.6.0esr
Bug 29120: Enable media cache in memory
Bug 29445: Enable support for enterprise policies
All platforms (update Torbutton to 2.1.5):
Bug 25658: Replace security slider with security level UI
Bug 28628: Change onboarding Security panel to open new Security Level panel
Bug 29440: Update about:tor when Tor Browser is updated
Bug 27478: Improved Torbutton icons for dark theme
Bug 29021: Tell NoScript it is running within Tor Browser
Bug 29239: Don't ship the Torbutton .xpi on mobile
Translations update
Windows + OS X + Linux:
Update OpenSSL to 1.0.2r
Bug 25658+29554: Replace security slider with security level UI
Bug 28885: notify users that update is downloading
Bug 29180: MAR download stalls when about dialog is opened
Bug 27485: Users are not taught how to open security-slider dialog
Bug 27486: Avoid about:blank tabs when opening onboarding pages
Bug 29440: Update about:tor when Tor Browser is updated
Bug 23359: WebExtensions icons are not shown on first start
Bug 28628: Change onboarding Security panel to open new Security Level panel
Windows + OS X + Linux (Update Tor to 0.4.0.2-alpha):
Bug 29660: XMPP can not connect to SOCKS5 anymore
Windows + OS X + Linux (Update Tor Launcher to 0.2.18.1):
Bug 29328: Account for Tor 0.4.0.x's revised bootstrap status reporting
Bug 22402: Improve "For assistance" link
Translations update
Android:
Bug 28329: Design Tor Browser for Android configuration UI
Bug 28802: Support PTs in Tor Browser for Android
Bug 29794: Update TBA built-in bridges
Bug 27210: Add support for x86 on Android
Bug 29809: Only ship tor binary for .apk architecture
Bug 29633: Don't ship pdnsd anymore
Bug 28708: about:tor is not the default homepage after upgrade
Bug 29626: Application name is now "Always-On Notifications"
Bug 29467: Backport fix for arc4random_buf bustage
Build System (all platforms):
Bug 25876: Generate source tarballs during build
Bug 28685: Set Build ID based on Tor Browser version
Bug 29194: Set DEBIAN_FRONTEND=noninteractive
Build System (Linux):
Bug 26323+29812: Build 32bit Linux bundles on 64bit Debian Wheezy
Bug 29758: Build firefox debug symbols for linux-i686
Build System (Android):
Bug 29632: Use HTTPS for downloading Gradle

New in Tor Browser 8.0.7 (Mar 18, 2019)

New in Tor Browser 8.0.6 (Feb 13, 2019)

New in Tor Browser 8.5 Alpha 7 (Jan 30, 2019)

New in Tor Browser 8.5 Alpha 6 (Dec 12, 2018)

New in Tor Browser 8.0.4 (Dec 11, 2018)

New in Tor Browser 8.5 Alpha 5 (Dec 7, 2018)

New in Tor Browser 8.5 Alpha 4 (Oct 24, 2018)

New in Tor Browser 8.0.2 (Oct 3, 2018)

New in Tor Browser 8.0.1 (Sep 20, 2018)

New in Tor Browser 8.5 Alpha 1 (Sep 6, 2018)

New in Tor Browser 8.0 (Sep 5, 2018)

ALL PLATFORMS:
Update Firefox to 60.2.0esr
Update Tor to 0.3.3.9
Update OpenSSL to 1.0.2p
Update Libevent to 2.1.8
Update Torbutton to 2.0.6
Update HTTPS Everywhere to 2018.8.22
Update NoScript to 10.1.9.1
Update obfs4proxy to v0.0.7 (bug 25356)
Bug 27082: Enable a limited UITour for user onboarding
Bug 26961: New user onboarding
Bug 26962: New feature onboarding
Bug 27403: The onboarding bubble is not always displayed
Bug 27283: Fix first-party isolation for UI tour
Bug 27213: Update about:tbupdate to new (about:tor) layout
Bug 17252: Enable TLS session identifiers with first-party isolation
Bug 26353: Prevent speculative connects that violate first-party isolation
Bug 26670: Make canvas permission prompt respect first-party isolation
Bug 24056: Use en-US strings in HTML forms if locale is spoofed to english
Bug 26456: HTTP .onion sites inherit previous page's certificate information
Bug 26561: .onion images are not displayed
Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
Bug 26833: Backport Mozilla's bug 1473247
Bug 26628: Backport Mozilla's bug 1470156
Bug 26237: Clean up toolbar for ESR60-based Tor Browser
Bug 26519: Avoid Firefox icons in ESR60
Bug 26039: Load our preferences that modify extensions (fixup)
Bug 26515: Update Tor Browser blog post URLs
Bug 26216: Fix broken MAR file generation
Bug 26409: Remove spoofed locale implementation
Bug 25543: Rebase Tor Browser patches for ESR60
Bug 23247: Show security state of .onions
Bug 26039: Load our preferences that modify extensions
Bug 17965: Isolate HPKP and HSTS to URL bar domain
Bug 21787: Spoof en-US for date picker
Bug 21607: Disable WebVR for now until it is properly audited
Bug 21549: Disable wasm for now until it is properly audited
Bug 26614: Disable Web Authentication API until it is properly audited
Bug 27281: Enable Reader View mode again
Bug 26114: Don't expose navigator.mozAddonManager to websites
Bug 21850: Update about:tbupdate handling for e10s
Bug 26048: Fix potentially confusing "restart to update" message
Bug 27221: Purge startup cache if Tor Browser version changed
Bug 26049: Reduce delay for showing update prompt to 1 hour
Bug 26365: Add potential AltSvc support
Bug 9145: Fix broken hardware acceleration on Windows and enable it
Bug 26045: Add new MAR signing keys
Bug 25215: Revert bug 18619 (we are not disabling IndexedDB any longer)
Bug 19910: Rip out optimistic data socks handshake variant (#3875)
Bug 22564: Hide Firefox Sync
Bug 25090: Disable updater telemetry
Bug 26127: Make sure Torbutton and Tor Launcher are not treated as legacy extensions
Bug 13575: Disable randomised Firefox HTTP cache decay user tests
Bug 22548: Firefox downgrades VP9 videos to VP8 for some users
Bug 24995: Include git hash in tor --version
Bug 27268+27257+27262+26603 : Preferences clean-up
Bug 26073: Migrate general.useragent.locale to intl.locale.requested
Bug 27129+20628: Make Tor Browser available in ca, ga, id, is, nb, da, he, sv, and zh-TW
Bug 12927: Include Hebrew translation into Tor Browser
Bug 21245: Add danish (da) translation

New in Tor Browser 8.0 Alpha 10 (Aug 20, 2018)

All platforms:
Update Tor to 0.3.4.6-rc
Update Torbutton to 2.0.2
Bug 26960: Implement new about:tor start page
Bug 26961: Implement new user onboarding
Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
Bug 26590: Use new svg.disabled pref in security slider
Bug 26655: Adjust color and size of onion button
Bug 26500: Reposition circuit display relay icon for RTL locales
Bug 26409: Remove spoofed locale implementation
Bug 26189: Remove content-policy.js
Bug 27129: Add locales ca, ga, id, is, nb
Translations update
Update Tor Launcher to 0.2.16.2
Bug 26985: Help button icons missing
Bug 25509: Improve the proxy help text
Bug 27129: Add locales ca, ga, id, is, nb
Translations update
Update NoScript to 10.1.8.16
Update meek to 0.31
Bug 26477: Make meek extension compatible with ESR 60
Bug 27082: Enable a limited UITour for user onboarding
Bug 26961: New user onboarding
Bug 14952: Enable HTTP2 and AltSvc
Bug 25735: Tor Browser stalls while loading Facebook login page
Bug 17252: Enable TLS session identifiers with first-party isolation
Bug 26353: Prevent speculative connects that violate first-party isolation
Bug 24056: Use en-US strings in HTML forms if locale is spoofed to english
Bug 26456: HTTP .onion sites inherit previous page's certificate information
Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
Bug 26833: Backport Mozilla's bug 1473247
Bug 26628: Backport Mozilla's bug 1470156
Bug 26237: Clean up toolbar for ESR60-based Tor Browser
Bug 26519: Avoid Firefox icons in ESR60
Bug 26039: Load our preferences that modify extensions (fixup)
Bug 26515: Update Tor Browser blog post URLs
Bug 27129: Add locales ca, ga, id, is, nb
Bug 26216: Fix broken MAR file generation
Bug 26409: Remove spoofed locale implementation
Bug 26603: Remove obsolete HTTP pipelining preferences
Windows:
Bug 26514: Fix intermittent updater failures on Win64 (Error 19)
Bug 26874: Fix UNC path restrictions failure in Tor Browser 8.0a9
Bug 12968: Enable HEASLR in Windows x86_64 builds
Bug 9145: Fix broken hardware acceleration
Update tbb-windows-installer to 0.4
Bug 26355: Update tbb-windows-installer to check for Windows7+
Bug 26355: Require Windows7+ for updates to Tor Browser 8
Build System:
All:
Bug 26410: Stop using old MAR format in the alpha series
Bug 27020: RBM build fails with runc version 1.0.1
Bug 26949: Use GitHub repository for STIX
Bug 26773: Add --verbose to the ./mach build flag for firefox
Bug 26569: Redirect pre-8.0a9 alpha users to a separate update directory
Bug 26319: Don't package up Tor Browser in the `mach package` step
Windows:
Bug 27152: Use mozilla/fxc2.git for the fxc2 repository

New in Tor Browser 8.0 Alpha 9 (Jun 27, 2018)

All platforms:
Update Firefox to 60.1.0esr
Update Tor to 0.3.4.2-alpha
Update Libevent to 2.1.8
Update Binutils to 2.26.1
Update HTTPS Everywhere to 2018.6.13
Update NoScript to 10.1.8.2
Bug 25543: Rebase Tor Browser patches for ESR60
Bug 23247: Show security state of .onions
Bug 26039: Load our preferences that modify extensions
Bug 17965: Isolate HPKP and HSTS to URL bar domain
Bug 26365: Add potential AltSvc support
Bug 26045: Add new MAR signing keys
Bug 22564: Hide Firefox Sync
Bug 25090: Disable updater telemetry
Bug 26127: Make sure Torbutton and Tor Launcher are not treated as legacy extensions
Bug 26073: Migrate general.useragent.locale to intl.locale.requested
Bug 20628: Make Tor Browser available in da, he, sv-SE, and zh-TW
Bug 12927: Include Hebrew translation into Tor Browser
Bug 21245: Add danish (da) translation
Update Torbutton to 2.0.1:
Bug 26100: Adapt Torbutton to Firefox 60 ESR
Bug 26430: New Torbutton icon
Bug 24309: Move circuit display to the identity popup
Bug 26128: Adapt security slider to the WebExtensions version of NoScript
Bug 23247: Show security state of .onions
Bug 26129: Show our about:tor page on startup
Bug 26235: Hide new unusable items from help menu
Bug 26058: Remove workaround for hiding 'sign in to sync' button
Bug 20628: Add locales da, he, sv, and zh-TW
Translations update
Update Tor Launcher to 0.2.16.1:
Bug 25750: Update Tor Launcher to make it compatible with Firefox 60 ESR
Bug 20890: Increase control port connection timeout
Bug 20628: Add more locales to Tor Browser
Translations update
Windows:
Bug 26239+24197: Enable content sandboxing for 64bit Windows builds
Bug 22581: Fix shutdown crash
Bug 26424: Disable UNC paths to prevent possible proxy bypasses
Bug 26304: Update zlib to version 1.2.11
Build System:
All:
Bug 26362: Use old MAR format for first ESR60-based alpha
Clean up
Windows:
Bug 26203: Adapt tor-browser-build/tor-browser for Windows
Bug 26204: Bundle d3dcompiler_47.dll for Tor Browser 8
Bug 26205: Don't build the uninstaller for Windows during Firefox compilation
Bug 26206: Ship pthread related dll where needed
Bug 26396: Build libwinpthread reproducible
Bug 25837: Integrate fxc2 into our build setup for Windows builds
Bug 25894: Get a rust cross-compiler for Windows
Bug 25554: Bump mingw-w64 version for ESR 60
Bug 23561: Fix nsis builds for Windows 64
Bug 23231: Remove our STL Wrappers workaround for Windows 64bit
Bug 26370: Don't copy msvcr100.dll and libssp-0.dll twice
Bug 26476: Work around Tor Browser crashes due to fix for bug 1467041
Bug 18287: Use SHA-2 signature for Tor Browser setup executables

New in Tor Browser 7.5.6 (Jun 25, 2018)

New in Tor Browser 8.0 Alpha 8 (Jun 10, 2018)

New in Tor Browser 7.5.5 (Jun 10, 2018)

New in Tor Browser 8.0 Alpha 7 (May 9, 2018)

New in Tor Browser 7.5.4 (May 9, 2018)

New in Tor Browser 8.0 Alpha 6 (Apr 21, 2018)

New in Tor Browser 8.0 Alpha 5 (Mar 26, 2018)

New in Tor Browser 7.5.2 (Mar 19, 2018)

New in Tor Browser 7.5.1 (Mar 13, 2018)

New in Tor Browser 8.0 Alpha 2 (Feb 23, 2018)

New in Tor Browser 8.0 Alpha 1 (Jan 23, 2018)

New in Tor Browser 7.5 (Jan 23, 2018)

New in Tor Browser 7.5 Alpha 9 (Dec 9, 2017)

New in Tor Browser 7.0.11 (Dec 8, 2017)

New in Tor Browser 7.5 Alpha 8 (Nov 15, 2017)

New in Tor Browser 7.0.10 (Nov 14, 2017)

New in Tor Browser 7.0.8 (Oct 25, 2017)

New in Tor Browser 7.5 Alpha 6 (Oct 20, 2017)

New in Tor Browser 7.0.7 (Oct 19, 2017)

New in Tor Browser 7.5 Alpha 5 (Sep 29, 2017)

New in Tor Browser 7.0.6 (Sep 26, 2017)

New in Tor Browser 7.0.5 (Sep 4, 2017)

New in Tor Browser 7.5 Alpha 4 (Aug 8, 2017)

New in Tor Browser 7.0.4 (Aug 8, 2017)

New in Tor Browser 7.0.2 (Jul 4, 2017)

New in Tor Browser 7.5 Alpha 1 (Jun 14, 2017)

All Platforms:
Update Firefox to 52.2.0esr
Update Tor to 0.3.1.3-alpha
Update Torbutton to 1.9.7.4
Bug 22542: Security Settings window too small on macOS 10.12
Bug 22104: Adjust our content policy whitelist for ff52-esr
Bug 22457: Allow resources loaded by view-source://
Bug 21627: Ignore HTTP 304 responses when checking redirects
Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode
Translations update
Update Tor Launcher to 0.2.12.2:
Bug 22283: Linux 7.0a4 is broken after update due to unix: lines in torrc
Translations update
Update HTTPS-Everywhere to 5.2.18
Update NoScript to 5.0.5
Update sandboxed-tor-browser to 0.0.7
Bug 22362: NoScript's XSS filter freezes the browser
Bug 21766: Fix crash when the external application helper dialog is invoked
Bug 21886: Download is stalled in non-e10s mode
Bug 22333: Disable WebGL2 API for now
Bug 21861: Disable additional mDNS code to avoid proxy bypasses
Bug 21684: Don't expose navigator.AddonManager to content
Bug 21431: Clean-up system extensions shipped in Firefox 52
Bug 22320: Use preference name 'referer.hideOnionSource' everywhere
Bug 16285: Don't ship ClearKey EME system and update EME preferences
Bug 21972: about:support is partially broken
Bug 21323: Enable Mixed Content Blocking
Bug 22415: Fix format error in our pipeline patch
Bug 21862: Rip out potentially unsafe Rust code
Bug 16485: Improve about:cache page
Bug 22462: Backport of patch for bug 1329521 to fix assertion failure
Bug 22458: Fix broken `about:cache` page on higher security levels
Bug 18531: Uncaught exception when opening ip-check.info
Bug 18574: Uncaught exception when clicking items in Library
Bug 22327: Isolate Page Info media previews to first party domain
Bug 22452: Isolate tab list menuitem favicons to first party domain
Bug 15555: View-source requests are not isolated by first party domain
Bug 5293: Neuter fingerprinting with Battery API
Bug 22429: Add IPv6 address for Lisbeth:443 obfs4 bridge
Bug 22468: Add default obfs4 bridges frosty and dragon
Windows:
Bug 22419: Prevent access to file://
Bug 21617: Fix single RWX page on Windows

New in Tor Browser 7.0.1 (Jun 13, 2017)

New in Tor Browser 7.0 (Jun 6, 2017)

ALL PLATFORMS:
Update Firefox to 52.1.2esr
Update Tor to 0.3.0.7
Update Torbutton to 1.9.7.3
Bug 22104: Adjust our content policy whitelist for ff52-esr
Bug 22457: Allow resources loaded by view-source://
Bug 21627: Ignore HTTP 304 responses when checking redirects
Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode
Bug 21865: Update our JIT preferences in the security slider
Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52
Bug 21745: Fix handling of catch-all circuit
Bug 21547: Fix circuit display under e10s
Bug 21268: e10s compatibility for New Identity
Bug 21267: Remove window resize implementation for now
Bug 21201: Make Torbutton multiprocess compatible
Translations update:
Update Tor Launcher to 0.2.12.2
Bug 22283: Linux 7.0a4 broken after update due to unix: lines in torrc
Bug 20761: Don't ignore additional SocksPorts
Bug 21920: Don't show locale selection dialog
Bug 21546: Mark Tor Launcher as multiprocess compatible
Bug 21264: Add a README file
Translations update:
Update HTTPS-Everywhere to 5.2.17
Update NoScript to 5.0.5
Update Go to 1.8.3 (bug 22398)
Bug 21962: Fix crash on about:addons page
Bug 21766: Fix crash when the external application helper dialog is invoked
Bug 21886: Download is stalled in non-e10s mode
Bug 21778: Canvas prompt is not shown in Tor Browser based on ESR52
Bug 21569: Add first-party domain to Permissions key
Bug 22165: Don't allow collection of local IP addresses
Bug 13017: Work around audio fingerprinting by disabling the Web Audio API
Bug 10286: Disable Touch API and add fingerprinting resistance as fallback
Bug 13612: Disable Social API
Bug 10283: Disable SpeechSynthesis API
Bug 22333: Disable WebGL2 API for now
Bug 21861: Disable additional mDNS code to avoid proxy bypasses
Bug 21684: Don't expose navigator.AddonManager to content
Bug 21431: Clean-up system extensions shipped in Firefox 52
Bug 22320: Use preference name 'referer.hideOnionSource' everywhere
Bug 16285: Don't ship ClearKey EME system and update EME preferences
Bug 21675: Spoof window.navigator.hardwareConcurrency
Bug 21792: Suppress MediaError.message
Bug 16337: Round times exposed by Animation API to nearest 100ms
Bug 21972: about:support is partially broken
Bug 21726: Keep Graphite support disabled
Bug 21323: Enable Mixed Content Blocking
Bug 21685: Disable remote new tab pages
Bug 21790: Disable captive portal detection
Bug 21686: Disable Microsoft Family Safety support
Bug 22073: Make sure Mozilla's experiments are disabled
Bug 21683: Disable newly added Safebrowsing capabilities
Bug 22071: Disable Kinto-based blocklist update mechanism
Bug 22415: Fix format error in our pipeline patch
Bug 22072: Hide TLS error reporting checkbox
Bug 20761: Don't ignore additional SocksPorts
Bug 21862: Rip out potentially unsafe Rust code
Bug 16485: Improve about:cache page
Bug 22462: Backport of patch for bug 1329521 to fix assertion failure
Bug 21340: Identify and backport new patches from Firefox
Bug 22153: Fix broken feeds on higher security levels
Bug 22025: Fix broken certificate error pages on higher security levels
Bug 21887: Fix broken error pages on higher security levels
Bug 22458: Fix broken `about:cache` page on higher security levels
Bug 21876: Enable e10s by default on all supported platforms
Bug 21876: Always use esr policies for e10s
Bug 20905: Fix resizing issues after moving to a direct Firefox patch
Bug 21875: Modal dialogs are maximized in ESR52 nightly builds
Bug 21885: SVG is not disabled in Tor Browser based on ESR52
Bug 17334: Hide Referer when leaving a .onion domain (improved patch)
Bug 18531: Uncaught exception when opening ip-check.info
Bug 18574: Uncaught exception when clicking items in Library
Bug 22327: Isolate Page Info media previews to first party domain
Bug 22452: Isolate tab list menuitem favicons to first party domain
Bug 15555: View-source requests are not isolated by first party domain
Bug 3246: Double-key cookies
Bug 8842: Fix XML parsing error
Bug 5293: Neuter fingerprinting with Battery API
Bug 16886: 16886: "Add-on compatibility check dialog" contains Firefox logo
Bug 19645: TBB zooms text when resizing browser window
Bug 19192: Untrust Blue Coat CA
Bug 19955: Avoid confusing warning that favicon load request got cancelled
Bug 20005: Backport fixes for memory leaks investigation
Bug 20755: ltn.com.tw is broken in Tor Browser
Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed
Bug 20680: Rebase Tor Browser patches to 52 ESR
Bug 22429: Add IPv6 address for Lisbeth:443 obfs4 bridge
Bug 22468: Add default obfs4 bridges frosty and dragon
Windows:
Bug 22419: Prevent access to file://
Bug 12426: Make use of HeapEnableTerminationOnCorruption
Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement
Bug 21868: Fix build bustage with FIREFOX_52_0_2esr_RELEASE for Windows
BUILD SYSTEM:
Windows:
Bug 21837: Fix reproducibility of accessibility code for Windows
Bug 21240: Create patches to fix mingw-w64 compilation of Firefox ESR 52
Bug 21904: Bump mingw-w64 commit to help with sandbox compilation
Bug 18831: Use own Yasm for Firefox cross-compilation

New in Tor Browser 7.0 Alpha 4 (May 16, 2017)

New in Tor Browser 7.0 Alpha 3 (Apr 20, 2017)

ALL PLATFORMS:
Update Firefox to 52.1.0esr
Tor to 0.3.0.5-rc
Update HTTPS-Everywhere to 5.2.14
Update NoScript to 5.0.2
Update Go to 1.7.5 (bug 21709)
Bug 21555+16450: Don't remove Authorization header on subdomains (e.g. Twitter)
Bug 21887: Fix broken error pages on higher security levels
Bug 21876: Enable e10s by default on all supported platforms
Bug 21876: Always use esr policies for e10s
Bug 20905: Fix resizing issues after moving to a direct Firefox patch
Bug 21875: Modal dialogs are maximized in ESR52 nightly builds
Bug 21885: SVG is not disabled in Tor Browser based on ESR52
Bug 17334: Hide Referer when leaving a .onion domain (improved patch)
Bug 3246: Double-key cookies
Bug 8842: Fix XML parsing error
Bug 16886: 16886: "Add-on compatibility check dialog" contains Firefox logo
Bug 19192: Untrust Blue Coat CA
Bug 19955: Avoid confusing warning that favicon load request got cancelled
Bug 20005: Backport fixes for memory leaks investigation
Bug 20755: ltn.com.tw is broken in Tor Browser
Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed
Bug 20680: Rebase Tor Browser patches to 52 ESR
Bug 21917: Add new obfs4 bridges
Bug 21918: Move meek-amazon to d2cly7j4zqgua7.cloudfront.net backend
Update sandboxed-tor-browser to 0.0.5:
Bug 21764: Use bubblewrap's `--die-with-parent` when supported
Fix e10s Web Content crash on systems with grsec kernels
Bug 21928: Force a reinstall if an existing hardened bundle is present
Bug 21929: Remove hardened/ASAN related code
Bug 21927: Remove the ability to install/update the hardened bundle
Bug 21244: Update the MAR signing key for 7.0
Bug 21536: Remove asn's scramblesuit bridge from Tor Browser
Add `prlimit64` to the firefox system call whitelist
Fix compilation with Go 1.8
Use Config.Clone() to clone TLS configs when available
Update Torbutton to 1.9.7.2:
Bug 21865: Update our JIT preferences in the security slider
Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52
Bug 21745: Fix handling of catch-all circuit
Bug 21547: Fix circuit display under e10s
Bug 21268: e10s compatibility for New Identity
Bug 21267: Remove window resize implementation for now
Bug 21201: Make Torbutton multiprocess compatible
Translations update
Update Tor Launcher to 0.2.12:
Bug 21920: Don't show locale selection dialog
Bug 21546: Mark Tor Launcher as multiprocess compatible
Bug 21264: Add a README file
Translations update
BUILD SYSTEM:
Bug 21328: Updating to clang 3.8.0
Bug 21754: Remove old GCC toolchain and macOS SDK
Bug 19783: Remove unused macOS helper scripts
Bug 10369: Don't use old GCC toolchain anymore for utils
Bug 21753: Replace our old GCC toolchain in PT descriptor
Bug 18530: ESR52 based Tor Browser only runs on macOS 10.9+

New in Tor Browser 6.5.2 (Apr 19, 2017)

New in Tor Browser 6.5.1 (Mar 7, 2017)

New in Tor Browser 6.5 Alpha 6 (Dec 14, 2016)

New in Tor Browser 6.0.8 (Dec 14, 2016)

New in Tor Browser 6.0.7 (Nov 30, 2016)

New in Tor Browser 6.0.6 (Nov 15, 2016)

New in Tor Browser 6.5 Alpha 3 (Sep 21, 2016)

New in Tor Browser 6.0.5 (Sep 16, 2016)

New in Tor Browser 6.0.4 (Aug 16, 2016)

New in Tor Browser 6.5 Alpha 1 (Jun 8, 2016)

ALL PLATFORMS:
Update Firefox to 45.2.0esr
Update Tor to 0.2.8.3-alpha
Update HTTPS-Everywhere to 5.1.9
Bug 19121: The update.xml hash should get checked during update
Bug 12523: Mark JIT pages as non-writable
Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
Bug 19164: Remove support for SHA-1 HPKP pins
Bug 19186: KeyboardEvents are only rounding to 100ms
Bug 18884: Don't build the loop extension
Bug 19187: Backport fix for crash related to popup menus
Bug 19212: Fix crash related to network panel in developer tools
Bug 18703: Fix circuit isolation issues on Page Info dialog
bug 19115: Tor Browser should not fall back to Bing as its search engine
Bug 18915+19065: Use our search plugins in localized builds
Bug 19176: Zip our language packs deterministically
Bug 18811: Fix first-party isolation for blobs URLs in Workers
Bug 18950: Disable or audit Reader View
Bug 18886: Remove Pocket
Bug 18619: Tor Browser reports "InvalidStateError" in browser console
Bug 18945: Disable monitoring the connected state of Tor Browser users
Bug 18855: Don't show error after add-on directory clean-up
Bug 18885: Disable the option of logging TLS/SSL key material
Bug 18770: SVGs should not show up on Page Info dialog when disabled
Bug 18958: Spoof screen.orientation values
Bug 19047: Disable Heartbeat prompts
Bug 18914: Use English-only label in tags
Bug 18996: Investigate server logging in esr45-based Tor Browser
Bug 17790: Add unit tests for keyboard fingerprinting defenses
Bug 18995: Regression test to ensure CacheStorage is disabled
Bug 18912: Add automated tests for updater cert pinning
Bug 16728: Add test cases for favicon isolation
Bug 18976: Remove some FTE bridges
Update meek to 0.22 (tag 0.22-18371-3):
Bug 18904: Mac OS: meek-http-helper profile not updated
Update Torbutton to 1.9.6:
Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
Bug 18905: Hide unusable items from help menu
Bug 17599: Provide shortcuts for New Identity and New Circuit
Bug 18980: Remove obsolete toolbar button code
Bug 18238: Remove unused Torbutton code and strings
Translation updates
Code clean-up
Update Tor Launcher to 0.2.9.3:
Bug 18947: Tor Browser is not starting on OS X if put into /Applications
All Platforms:
Bug 18333: Upgrade Go to 1.6.2
Bug 18919: Remove unused keys and unused dependencies
Bug 18291: Remove some uses of libfaketime
Bug 18845: Make zip and tar helpers generate reproducible archives

New in Tor Browser 6.0.1 (Jun 7, 2016)

New in Tor Browser 6.0 (May 30, 2016)

All Platforms:
Update Firefox to 45.1.1esr
Update OpenSSL to 1.0.1t
Update Torbutton to 1.9.5.4:
Bug 18466: Make Torbutton compatible with Firefox ESR 45
Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
Bug 18905: Hide unusable items from help menu
Bug 16017: Allow users to more easily set a non-tor SSH proxy
Bug 17599: Provide shortcuts for New Identity and New Circuit
Translation updates
Code clean-up
Update Tor Launcher to 0.2.9.3:
Bug 13252: Do not store data in the application bundle
Bug 11773: Setup wizard UI flow improvements
Translation updates
Update HTTPS-Everywhere to 5.1.9
Update meek to 0.22 (tag 0.22-18371-3):
Bug 18371: Symlinks are incompatible with Gatekeeper signing
Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
Bug 18900: Fix broken updater on Linux
Bug 19121: The update.xml hash should get checked during update
Bug 18042: Disable SHA1 certificate support
Bug 18821: Disable libmdns support for desktop and mobile
Bug 18848: Disable additional welcome URL shown on first start
Bug 14970: Exempt our extensions from signing requirement
Bug 16328: Disable MediaDevices.enumerateDevices
Bug 16673: Disable HTTP Alternative-Services
Bug 17167: Disable Mozilla's tracking protection
Bug 18603: Disable performance-based WebGL fingerprinting option
Bug 18738: Disable Selfsupport and Unified Telemetry
Bug 18799: Disable Network Tickler
Bug 18800: Remove DNS lookup in lockfile code
Bug 18801: Disable dom.push preferences
Bug 18802: Remove the JS-based Flash VM (Shumway)
Bug 18863: Disable MozTCPSocket explicitly
Bug 15640: Place Canvas MediaStream behind site permission
Bug 16326: Verify cache isolation for Request and Fetch APIs
Bug 18741: Fix OCSP and favicon isolation for ESR 45
Bug 16998: Disable for now
Bug 18898: Exempt the meek extension from the signing requirement as well
Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
Bug 18890: Test importScripts() for cache and network isolation
Bug 18886: Hide pocket menu items when Pocket is disabled
Bug 18703: Fix circuit isolation issues on Page Info dialog
bug 19115: Tor Browser should not fall back to Bing as its search engine
Bug 18915+19065: Use our search plugins in localized builds
Bug 19176: Zip our language packs deterministically
Bug 18811: Fix first-party isolation for blobs URLs in Workers
Bug 18950: Disable or audit Reader View
Bug 18886: Remove Pocket
Bug 18619: Tor Browser reports "InvalidStateError" in browser console
Bug 18945: Disable monitoring the connected state of Tor Browser users
Bug 18855: Don't show error after add-on directory clean-up
Bug 18885: Disable the option of logging TLS/SSL key material
Bug 18770: SVGs should not show up on Page Info dialog when disabled
Bug 18958: Spoof screen.orientation values
Bug 19047: Disable Heartbeat prompts
Bug 18914: Use English-only label in tags
Bug 18996: Investigate server logging in esr45-based Tor Browser
Bug 17790: Add unit tests for keyboard fingerprinting defenses
Bug 18995: Regression test to ensure CacheStorage is disabled
Bug 18912: Add automated tests for updater cert pinning
Bug 16728: Add test cases for favicon isolation
Bug 18976: Remove some FTE bridges
Windows:
Bug 13419: Support ICU in Windows builds
Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser
Build System:
All Platforms:
Bug 18127: Add LXC support for building with Debian guest VMs
Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
Bug 18919: Remove unused keys and unused dependencies
Windows:
Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
Bug 18290: Bump mingw-w64 commit we us

New in Tor Browser 5.5.5 (Apr 28, 2016)

New in Tor Browser 6.0 Alpha 4 (Apr 26, 2016)

New in Tor Browser 6.0 Alpha 3 (Mar 8, 2016)

New in Tor Browser 5.5.3 (Mar 8, 2016)

New in Tor Browser 6.0 Alpha 2 (Feb 15, 2016)

New in Tor Browser 5.5.2 (Feb 12, 2016)

New in Tor Browser 5.5.1 (Feb 5, 2016)

New in Tor Browser 6.0 Alpha 1 (Jan 27, 2016)

New in Tor Browser 5.5 (Jan 27, 2016)

All Platforms:
Update Firefox to 38.6.0esr
Update libevent to 2.0.22-stable
Update NoScript to 2.9.0.2
Update Torbutton to 1.9.4.3
Bug 16990: Show circuit display for connections using multi-party channels
Bug 18019: Avoid empty prompt shown after non-en-US update
Bug 18004: Remove Tor fundraising donation banner
Bug 16940: After update, load local change notes
Bug 17108: Polish about:tor appearance
Bug 17568: Clean up tor-control-port.js
Bug 16620: Move window.name handling into a Firefox patch
Bug 17351: Code cleanup
Translation updates
Update Tor Launcher to 0.2.7.8:
Bug 18113: Randomly permutate available default bridges of chosen type
Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
Bug 10140: Add new Tor Browser locale (Japanese)
Bug 17428: Remove Flashproxy
Bug 13512: Load a static tab with change notes after an update
Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
Bug 15564: Isolate SharedWorkers by first-party domain
Bug 16940: After update, load local change notes
Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
Bug 17369: Disable RC4 fallback
Bug 17442: Remove custom updater certificate pinning
Bug 16620: Move window.name handling into a Firefox patch
Bug 17220: Support math symbols in font whitelist
Bug 10599+17305: Include updater and build patches needed for hardened builds
Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
Bug 18072: Change recommended pluggable transport type to obfs4
Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
Bug 16322: Use onion address for DuckDuckGo search engine
Bug 17917: Changelog after update is empty if JS is disabled
Windows:
Bug 17250: Add localized font names to font whitelist
Bug 16707: Allow more system fonts to get used on Windows
Bug 13819: Ship expert bundles with console enabled
Bug 17250: Fix broken Japanese fonts
Bug 17870: Add intermediate certificate for authenticode signing

New in Tor Browser 5.0.7 (Jan 6, 2016)

New in Tor Browser 5.5 Alpha 5 (Dec 18, 2015)

New in Tor Browser 5.0.6 (Dec 18, 2015)

New in Tor Browser 5.0.5 (Dec 16, 2015)

New in Tor Browser 5.5 Alpha 4 (Nov 4, 2015)

New in Tor Browser 5.0.4 (Nov 4, 2015)

New in Tor Browser 5.5 Alpha 3 (Sep 23, 2015)

New in Tor Browser 5.0.3 (Sep 22, 2015)

New in Tor Browser 5.5 Alpha 2 (Aug 29, 2015)

New in Tor Browser 5.0.2 (Aug 28, 2015)

New in Tor Browser 5.0.1 (Aug 18, 2015)

New in Tor Browser 5.5 Alpha 1 (Aug 12, 2015)

New in Tor Browser 5.0 (Aug 12, 2015)

All Platforms:
Update Firefox to 38.2.0esr
Update OpenSSL to 1.0.1p
Update HTTPS-Everywhere to 5.0.7
Update NoScript to 2.6.9.34
Update meek to 0.20
Bug 16730: Prevent NoScript from updating the default whitelist
Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
Bug 16884: Prefer IPv6 when supported by the current Tor exit
Bug 16488: Remove "Sign in to Sync" from the browser menu
Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
Bug 15703: Isolate mediasource URIs and media streams to first party
Bug 16429+16416: Isolate blob URIs to first party
Bug 16632: Turn on the background updater and restart prompting
Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
Bug 16523: Fix in-browser JavaScript debugger
Bug 16236: Windows updater: avoid writing to the registry
Bug 16625: Fully disable network connection prediction
Bug 16495: Fix SVG crash when security level is set to "High"
Bug 13247: Fix meek profile error after bowser restarts
Bug 16005: Relax WebGL minimal mode
Bug 16300: Isolate Broadcast Channels to first party
Bug 16439: Remove Roku screencasting code
Bug 16285: Disabling EME bits
Bug 16206: Enforce certificate pinning
Bug 15910: Disable Gecko Media Plugins for now
Bug 13670: Isolate OCSP requests by first party domain
Bug 16448: Isolate favicon requests by first party
Bug 7561: Disable FTP request caching
Bug 6503: Fix single-word URL bar searching
Bug 15526: ES6 page crashes Tor Browser
Bug 16254: Disable GeoIP-based search results.
Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
Bug 13024: Disable DOM Resource Timing API
Bug 16340: Disable User Timing API
Bug 14952: Disable HTTP/2
Bug 1517: Reduce precision of time for Javascript
Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
Bug 16311: Fix navigation timing in ESR 38
Update Tor to 0.2.6.10 with patches:
Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
Bug 15482: Don't allow circuits to change while a site is in use
Update Torbutton to 1.9.3.2:
Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
Bug 16730: Reset NoScript whitelist on upgrade
Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
Bug 16268: Show Tor Browser logo on About page
Bug 16639: Check for Updates menu item can cause update download failure
Bug 15781: Remove the sessionstore filter
Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
Bug 16200: Update Cache API usage and prefs for FF38
Bug 16357: Use Mozilla API to wipe permissions db
Bug 14429: Make sure the automatic resizing is disabled
Translation updates
Update Tor Launcher to 0.2.7.7:
Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
Bug 15145: Visually distinguish "proxy" and "bridge" screens.
Translation updates
Windows:
Bug 16014: Staged update fails if meek is enabled
Bug 16269: repeated add-on compatibility check after update (meek enabled)
Build System:
Bug 16351: Upgrade our toolchain to use GCC 5.1
Bug 15772 and child tickets: Update build system for Firefox 38
Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt

New in Tor Browser 5.0 Alpha 4 (Aug 4, 2015)

New in Tor Browser 5.0 Alpha 3 (Jul 7, 2015)

New in Tor Browser 5.0 Alpha 2 (Jun 16, 2015)

New in Tor Browser 4.5.2 (Jun 16, 2015)

New in Tor Browser 5.0 Alpha 1 (May 13, 2015)

New in Tor Browser 4.5.1 (May 13, 2015)

New in Tor Browser 4.5 (Apr 28, 2015)

New in Tor Browser 4.0.8 (Apr 10, 2015)

New in Tor Browser 4.0.7 (Apr 8, 2015)

New in Tor Browser 4.0.6 (Apr 1, 2015)

New in Tor Browser 4.5 Alpha 5 (Apr 1, 2015)

All Platforms:
Update Firefox to 31.6.0esr
Update OpenSSL to 1.0.1m
Update Tor to 0.2.6.6
Update NoScript to 2.6.9.19
Update HTTPS-Everywhere to 5.0
Update meek to 0.16
Update Tor Launcher to 0.2.7.3:
Bug 13983: Directory search path fix for Tor Messanger+TorBirdy
Update Torbutton to 1.9.1.0:
Bug 9387: "Security Slider 1.0"
Include descriptions and tooltip hints for security levels
Notify users that the security slider exists
Flip slider so that "low" is on the bottom
Make use of new SVG and MathML prefs
Bug 13766: Set a 10 minute circuit lifespan for non-content requests
Bug 15460: Ensure FTP urls use content-window circuit isolation
Bug 13650: Clip initial window height to 1000px
Bug 14429: Ensure windows can only be resized to 200x100px multiples
Bug 15334: Display Cookie Protections menu if disk records are enabled
Bug 14324: Show HS circuit in Tor circuit display
Bug 15086: Handle RTL text in Tor circuit display
Bug 15085: Fix about:tor RTL text alignment problems
Bug 10216: Add a pref to disable the local tor control port test
Bug 14937: Show meek and flashproxy bridges in tor circuit display
Bugs 13891+15207: Fix exceptions/errors in circuit display with bridges
Bug 13019: Change locale hiding pref to boolean
Bug 7255: Warn users about maximizing windows
Bug 14631: Improve profile access error msgs (strings).
Pluggable Transport Dependency Updates:
Bug 15448: Use golang 1.4.2 for meek and obs4proxy
Bug 15265: Switch go.net repo to golang.org/x/net
Bug 14937: Hard-code meek and flashproxy node fingerprints
Bug 13019: Prevent Javascript from leaking system locale
Bug 10280: Improved fix to prevent loading plugins into address space
Bug 15406: Only include addons in incremental updates if they actually update
Bug 15029: Don't prompt to include missing plugins
Bug 12827: Create preference to disable SVG images (for security slider)
Bug 13548: Create preference to disable MathML (for security slider)
Bug 14631: Improve startup error messages for filesystem permissions issues
Bug 15482: Don't allow circuits to change while a site is in use
Bug 3861: Begin signing Tor Browser for Windows the Windows way
Bug 15201: Disable 'runas Administrator' codepaths in updater
Bug 14688: Create shortcuts to desktop and start menu by default (optional)

New in Tor Browser 4.0.5 (Mar 24, 2015)

New in Tor Browser 4.5 Alpha 4 (Feb 26, 2015)

All Platforms:
Update Firefox to 31.5.0esr
Update Tor to 0.2.6.3-alpha
Update OpenSSL to 1.0.1l
Update NoScript to 2.6.9.15
Update obfs4proxy to 0.0.4
Use obfs4proxy for ScrambleSuit bridges
Bug 14203: Prevent meek from displaying an extra update notification
Bug 14849: Remove new NoScript menu option to make permissions permanent
Bug 14851: Set NoScript pref to disable permanent permissions
Bug 14490: Make Disconnect the default omnibox search engine
Bug 11236: Fix omnibox order for non-English builds
Also remove Amazon, eBay and bing; add Youtube and Twitter
Bug 10280: Don't load any plugins into the address space.
Bug 14392: Make about:tor hide itself from the URL bar
Bug 12430: Provide a preference to disable remote jar: urls
Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
Bug 5698: Fix branding in "About Torbrowser" window
Update Torbutton to 1.9.0.0:
Bug 13882: Fix display of bridges after bridge settings have been changed
Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
Bug 10280: Strings and pref for preventing plugin initialization.
Bug 14866: Show correct circuit when more than one exists for a given domain
Bug 9442: Add New Circuit button to Torbutton menu
Bug 9906: Warn users before closing all windows and performing new identity.
Bug 8400: Prompt for restart if disk records are enabled/disabled.
Bug 14630: Hide Torbutton's proxy settings tab.
Bug 14632: Disable Cookie Manager until we get it working.
Bug 11175: Remove "About Torbutton" from onion menu.
Bug 13900: Remove remaining SafeCache code in favor of C++ patch
Bug 14490: Use Disconnect search in about:tor search box
Bug 14392: Don't steal input focus in about:tor search box
Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
Bug 13406: Stop directing users to download-easy.html.en on update
Bug 9387: Handle "custom" mode better in Security Slider
Bug 12430: Bind jar: pref to Security Slider
Bug 14448: Restore Torbutton menu operation on non-English localizations
Translation updates
Update Tor Launcher to 0.2.7.2:
Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
Bug 14336: Fix navigation button display issues on some wizard panes
Translation updates
Windows:
Bug 13169: Don't use /dev/random on Windows for SSP

New in Tor Browser 4.0.4 (Feb 25, 2015)

New in Tor Browser 4.5 Alpha 3 (Jan 22, 2015)

New in Tor Browser 4.0.3 (Jan 14, 2015)

New in Tor Browser 4.5 Alpha 2 (Dec 5, 2014)

New in Tor Browser 4.0.2 (Dec 3, 2014)

New in Tor Browser 4.5 Alpha 1 (Nov 25, 2014)

New in Tor Browser 4.0.1 (Nov 1, 2014)

New in Tor Browser 4.0 (Oct 16, 2014)

New in Tor Browser 4.0.0 Alpha 3 (Sep 26, 2014)

New in Tor Browser 3.6.6 (Sep 26, 2014)

New in Tor Browser 4.0.0 Alpha 2 (Sep 3, 2014)

New in Tor Browser 3.6.5 (Sep 3, 2014)

New in Tor Browser 4.0.0 Alpha 1 (Sep 3, 2014)

New in Tor Browser 3.6.4 (Sep 3, 2014)

New in Tor Browser 3.6.3 (Jul 26, 2014)

New in Tor Browser 3.6.2 (Jun 11, 2014)

New in Tor Browser 3.6.1 (May 8, 2014)

New in Tor Browser 3.6 (Apr 30, 2014)

New in Tor Browser 3.6 Beta 2 (Apr 12, 2014)

New in Tor Browser 3.5.4 (Apr 9, 2014)

New in Tor Browser 3.5.3 (Mar 20, 2014)

New in Tor Browser 3.6 Beta 1 (Mar 19, 2014)

New in Tor Browser 3.5.2.1 (Feb 17, 2014)

New in Tor Browser 3.5.2 (Feb 11, 2014)

New in Tor Browser 3.5.1 (Jan 25, 2014)

New in Tor Browser 3.5 (Dec 18, 2013)

New in Tor Browser 3.5 RC 1 (Dec 13, 2013)

New in Tor Browser 3.0 RC 1 (Nov 22, 2013)

New in Tor Browser 3.0 Beta 1 (Nov 6, 2013)

New in Tor Browser 2.3.25-14 (Nov 2, 2013)

New in Tor Browser 3.0 Alpha 4 (Sep 30, 2013)

New in Tor Browser 2.4.17 Beta 2 (Sep 21, 2013)

New in Tor Browser 2.3.25-13 (Sep 21, 2013)

New in Tor Browser 2.4.17 Beta 1 (Sep 9, 2013)

New in Tor Browser 2.4.15 Beta 2 (Aug 11, 2013)

New in Tor Browser 2.3.25-11 (Aug 9, 2013)

New in Tor Browser 2.3.25-10 (Aug 9, 2013)

New in Tor Browser 3.0 Alpha 2 (Jul 9, 2013)

New in Tor Browser 2.4.15 Beta 1 (Jul 9, 2013)

New in Tor Browser 3.0 Alpha 1 (Jun 26, 2013)

New in Tor Browser 2.4.12 Alpha 1 (Apr 30, 2013)

New in Tor Browser 2.4.11 Alpha 2 (Apr 7, 2013)

New in Tor Browser 2.3.25-6 (Apr 5, 2013)

New in Tor Browser 2.3.25-5 (Mar 14, 2013)

New in Tor Browser 2.4.10 Alpha 2 (Feb 22, 2013)

Update Firefox to 17.0.3esr
Downgrade OpenSSL to 1.0.0k
Update libpng to 1.5.14
Update NoScript to 2.6.5.7
Firefox patch changes:
Exempt remote @font-face fonts from font limits (and prefer them):
Remote fonts (aka "User Fonts") are not a fingerprinting threat, so they should not count towards our CSS font count limits. Moreover, if a CSS font-family rule lists any remote fonts, those fonts are preferred over the local fonts, so we do not reduce the font count for that rule.
This vastly improves rendering and typography for many websites.
Disable WebRTC in Firefox build options. (closes: #8178)
WebRTC isn't slated to be enabled until Firefox 18, but the code was getting compiled in already and is capable of creating UDP Sockets and bypassing Tor. We disable it from build as a safety measure.
Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
This causes our browser pref changes to appear as defaults. It also means that future updates of TBB should preserve user pref settings.
Fix a use-after-free that caused crashing on MacOS (closes: #8234)
Eliminate several redundant, useless, and deprecated Firefox pref settings
Report Firefox 17.0 as the Tor Browser user agent
Use Firefox's click-to-play barrier for plugins instead of NoScript
Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms:
This fixes a SOCKS race condition with our SOCKS autoport configuration
and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy settings per URL now, which resulted in a proxy error for check.torproject.org if we lost the race.
Torbutton was updated to 1.5.0. The following issues were fixed:
Remove old toggle observers and related code (closes: #5279)
Simplify Security Preference UI and associated pref updates (closes: #3100)
Eliminate redundancy in our Flash/plugin disabling code (closes: #7470)
Leave most preferences under Tor Browser's control (closes: #3944)
Disable toggle-on-startup and crash detection logic (closes: #7974)
Disable/remove toggle-mode code and related observers (closes: #5379)
Add menu hint to Torbutton icon (closes: #6431)
Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
Perform version check every time there's a new tab. (closes: #6096)
Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
misc: Allow WebGL and DOM storage.
misc: Disable independent Torbutton updates
misc: Change the recommended SOCKSPort to 9150 (to match TBB)

New in Tor Browser 2.4.7 Alpha 1 (Jan 7, 2013)

New in Tor Browser 2.3.25-2 (Jan 7, 2013)

New in Tor Browser 2.3.25-1 (Dec 4, 2012)

New in Tor Browser 0.2.3.24 Alpha 1 (Oct 30, 2012)

New in Tor Browser 2.2.39-5 (Oct 30, 2012)

New in Tor Browser 0.2.3.23 Alpha 1 (Oct 23, 2012)

New in Tor Browser 2.2.39-3 (Oct 23, 2012)

New in Tor Browser 0.2.3.22 Alpha 1 (Sep 13, 2012)

New in Tor Browser 2.2.39-1 (Sep 13, 2012)

New in Tor Browser 2.2.38-1 (Aug 19, 2012)

New in Tor Browser 0.2.3.19 Alpha 1 (Jul 30, 2012)

New in Tor Browser 2.2.37-2 (Jul 30, 2012)

New in Tor Browser 2.2.36-1 (Jun 5, 2012)

New in Tor Browser 2.2.35-13 (May 25, 2012)

New in Tor Browser 2.2.35-12 (May 14, 2012)

New in Tor Browser 2.2.35-11 (May 4, 2012)

New in Tor Browser 2.2.35-9 (Apr 30, 2012)

New in Tor Browser 2.2.35-8 (Mar 19, 2012)

New in Tor Browser 0.2.3.12 Alpha 1 (Mar 7, 2012)

New in Tor Browser 2.2.35-6 (Feb 14, 2012)

New in Tor Browser 2.2.35-5 (Feb 3, 2012)

New in Tor Browser 2.2.35-4 (Jan 6, 2012)

New in Tor Browser 2.2.35-3 (Jan 4, 2012)

New in Tor Browser 2.2.35-2 (Jan 4, 2012)

New in Tor Browser 2.2.35-1 (Dec 17, 2011)