New Release: Tor Browser 13.5.7

system · October 9, 2024, 6:44pm

by morgan | October 9, 2024

Tor Browser 13.5.7 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox:

https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680

Users should update immediately.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 13.5.6 is:

All Platforms
- Bug tor-browser#43201: Security fixes from Firefox 131.0.2
- Bug mullvad-browser#361: SSL_ERROR_NO_CYPHER_OVERLAP on some Brazilian government websites
Build System
- Windows + macOS + Linux
  - Bug tor-browser-build#41254: Drop cryptoSafetyPrompt.properties line

This is a companion discussion topic for the original entry at https://blog.torproject.org/new-release-tor-browser-1357

ebanam · October 12, 2024, 4:30pm

2 posts were split to a new topic: Tor Browser for Android not getting updates on F-Droid since version 13.5.3

eneklo · October 12, 2024, 3:52pm

The post states that this new release fixes CVE-2024-9680 but if I go in About I see 13.5.7 (based on Mozilla Firefox 115.16.0esr) and the Mozilla advisory says the vulnerability is fixed in Firefox ESR 115.16.1, so who is right?

thorin · October 12, 2024, 4:03pm

If Tor Project’s post states they addressed something, then they did it.

For the record … Mozilla don’t always backport all security fixes to ESR, and @ma1 who has clearance to all mozilla security bugs, also cherry picks anything we feel the need to backport that Mozilla didn’t.

In this case, ESR115 would normally be EOL (end of life) since ESR128 is already rolled out to supported OSes. However ESR115 is going to be maintained in overlap for a while - see Firefox Release Calendar

So this CVE caused a chemspill and everything got the fix - see Security Vulnerability fixed in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1 — Mozilla -

    Firefox 131.0.2 - new and shiny
    Firefox ESR 115.16.1 - old timey OSes that should be nuked from space
    Firefox ESR 128.3.1 - supported OSes

My best guess here is ma1 backported the fix directly to our 115.16.0 base because of time constraints - but I don’t do the builds

ma1 · October 12, 2024, 4:45pm

I confirm I’ve backported the fix for CVE-2024-9680 straight from 13.0.2 to 115.16.0, rather than performing the usual preliminary rebase to 115.16.1 (which by the way contains only this fix) in order to release ASAP, since this was an emergency release for Mozilla as well.

thorin · October 12, 2024, 5:01pm

…aaaaaaand right on time a moz blog post - FYI: Behind the Scenes: Fixing an In-the-Wild Firefox Exploit - Mozilla Security Blog