Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  nodelist  faq  login

Banectomy, n.: The removal of bruises on a banana. -- Rich Hall, "Sniglets"

rocksolid / Security / Tor security bug

o Tor security bugRetro Guy

Subject: Tor security bug
From: Retro Guy
Organization: RetroBBS II
Date: Fri, 10 Nov 2017 11:17 UTC
From: (Retro Guy)
Subject: Tor security bug
Date: Fri, 10 Nov 2017 11:17:34 +0000
Organization: RetroBBS II
Lines: 72
Message-ID: <ou41se$ns$>
Reply-To: Retro Guy <>
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 10 Nov 2017 11:17:34 -0000 (UTC)
Injection-Info:; posting-host="localhost:";
logging-data="764"; mail-complaints-to=""
User-Agent: FUDforum 3.0.7
X-FUDforum: d41d8cd98f00b204e9800998ecf8427e <39402>
View all headers

"Once an affected user navigates to a specially crafted URL
the operating system may directly connect to the remote
host, bypassing Tor Browser."

Tails and Whonix are not affected by this bug for one simple
reason, they run in a vm that doesn't know the external ip
address. This is a simple way to operate (since virtual
machines run so well now and are easy to set up).

If you are serious about your own security, you need to do
more than just set up access to a tor or i2p proxy, you need
to isolate your entire os from the outside world.

Here's the blog post:

 Tor Browser 7.0.9 is released
by gk | November 03, 2017

Note: Tor Browser 7.0.9 is a security bugfix release for
macOS and Linux users only. Users on Windows are not
affected and stay on Tor Browser 7.0.8.

Tor Browser 7.0.9 is now available for our macOS and Linux
users from the Tor Browser Project page and also from our
distribution directory.

This release features an important security update to Tor
Browser for macOS and Linux users. Due to a Firefox bug in
handling file:// URLs it is possible on both systems that
users leak their IP address (note: as of Nov. 4, 2017, this
link is non-public while Mozilla works on a fix for
Firefox). Once an affected user navigates to a specially
crafted URL the operating system may directly connect to the
remote host, bypassing Tor Browser. Tails users and users of
our sandboxed-tor-browser are unaffected, though.

The bug got reported to us on Thursday, October 26, by
Filippo Cavallarin. We created a workaround with the help of
Mozilla engineers on the next day which, alas, fixed the
leak only partially. We developed an additional fix on
Tuesday, October 31, plugging all known holes. We are not
aware of this vulnerability being exploited in the wild.
Thanks to everyone who helped during this process!

We are currently preparing updated macOS and Linux bundles
for our alpha series which will be tentatively available on
Monday, November 6. Meanwhile macOS and Linux users on that
series are strongly encouraged to use the stable bundles or
one of the above mentioned tools that are not affected by
the underlying problem.
Update: Tor Browser 7.5a7 has now been released.

Known issues: The fix we deployed is just a workaround
stopping the leak. As a result of that navigating file://
URLs in the browser might not work as expected anymore. In
particular entering file:// URLs in the URL bar and clicking
on resulting links is broken. Opening those in a new tab or
new window does not work either. A workaround for those
issues is dragging the link into the URL bar or on a tab
instead. We track this follow-up regression in bug 24136.

rocksolid light 0.7.2