[tor-bugs] #22291 [Applications/Tor Browser Sandbox]: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu May 18 04:25:29 UTC 2017
#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use
--------------------------------------------------+---------------------
Reporter: 6h72Q484AddGha8H | Owner: yawning
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------------------+---------------------
Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use
Utilizing sandbox release 0.6, the first startup asks which channel to
utilize. If selecting alpha, Tor Browser 7.0a3 is downloaded instead of
the latest 7.0a4. This appears to be because the JSON published URLs are
not kept up to date. This has been a bug in the past too with respect to
outdated or wrong JSON listings. This should probably be fixed so that
users are not put in jeopardy of downloading a vulnerable version in the
future.
install: Metadata URL: https://aus1.torproject.org/torbrowser/update_2/alpha/downloads.json
As you can see, the metadata URL is not updated and therefore the older
version is downloaded, putting the Tor user potentially at risk due to
running an outdated or insecure older release.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22291>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online