Tor Browser 11.5.8

Protect your privacy. Defend yourself against network surveillance and traffic analysis.

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody from watching your Internet connection and learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.

Tor Browser 11.5.8 changelog:

Tor Browser 11.5.8 backports the following security updates from Firefox ESR 102.5 to to Firefox ESR 91.13 on Windows, macOS and Linux.

CVE-2022-43680: In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
CVE-2022-45403: Service Workers might have learned size of cross-origin media files
CVE-2022-45404: Fullscreen notification bypass
CVE-2022-45405: Use-after-free in InputStream implementation
CVE-2022-45406: Use-after-free of a JavaScript Realm
CVE-2022-45408: Fullscreen notification bypass via windowName
CVE-2022-45409: Use-after-free in Garbage Collection
CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy
CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers
CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers
CVE-2022-45416: Keystroke Side-Channel Leakage
CVE-2022-45420: Iframe contents could be rendered outside the iframe
CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

Tor Browser 11.5.8 updates GeckoView on Android to Firefox ESR 102.5 and includes important security updates. Tor Browser 11.5.8 backports the following security updates from Firefox 107 to Firefox ESR 102.5 on Android:

CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs

The full changelog since Tor Browser 11.5.7 is:

All Platforms

Update Translations
Update OpenSSL to 1.1.1s
Update NoScript to 11.4.12
Update tor to 0.4.7.11
Update zlib to 1.2.13
Bug tor-browser-build#40622: Update obfs4proxy to 0.0.14 in Tor Browser

Windows + macOS + Linux

Bug tor-browser#31064: Letterboxing is enabled in priviledged contexts too
Bug tor-browser#32411: Consider adding about:tor and others to the list of pages that do not need letterboxing
Bug tor-browser#41413: Backup intl.locale.requested in 11.5.x
Bug tor-browser#41434: Letterboxing bypass through secondary tab (popup/popunder...)
Bug tor-browser#41456: Backport ESR 102.5 security fixes to 91.13-based Tor Browser
Bug tor-browser#41460: Migrate new identity and security level preferences in 11.5.8
Bug tor-browser#41463: Backport fix for CVE-2022-43680

Android