The Tor Browser Bundle is free software under various licenses:
> Can I distribute Tor?
>
> Yes.
>
> The Tor software is free software. This means we give you the rights
> to redistribute the Tor software, either modified or unmodified,
> either for a fee or gratis. You don't have to ask us for specific
> permission.
>
> However, if you want to redistribute the Tor software you must follow
> our LICENSE. Essentially this means that you need to include our
> LICENSE file along with whatever part of the Tor software you're
> distributing.
>
> Most people who ask us this question don't want to distribute just the
> Tor software, though. They want to distribute the Tor Browser. This
> includes Firefox Extended Support Release, and the NoScript and
> HTTPS-Everywhere extensions. You will need to follow the license for
> those programs as well. Both of those Firefox extensions are
> distributed under the GNU General Public License, while Firefox ESR is
> released under the Mozilla Public License. The simplest way to obey
> their licenses is to include the source code for these programs
> everywhere you include the bundles themselves.
(https://www.torproject.org/docs/faq.html.en#DistributingTor)
tor-browser-bundle-bin is already marked as licenses.free, so it doesn't
really make sense that this one is marked as unfree.
* treewide: http -> https sources
This updates the source urls of all top-level packages from http to
https where possible.
* buildtorrent: fix url and tab -> spaces
Also fix such obsolete flags:
* `use_gconf` was already known to become obsolete with Chromium 65
* `enable_hotwording` has been removed in upstream commit d693f0c7ab
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/qutebrowser/versions.
These checks were done:
- built on NixOS
- /nix/store/d5f7w3hcgxzhk1sgk1gjnl36nrq30wlm-qutebrowser-1.3.2/bin/qutebrowser passed the binary check.
- /nix/store/d5f7w3hcgxzhk1sgk1gjnl36nrq30wlm-qutebrowser-1.3.2/bin/..qutebrowser-wrapped-wrapped passed the binary check.
- /nix/store/d5f7w3hcgxzhk1sgk1gjnl36nrq30wlm-qutebrowser-1.3.2/bin/.qutebrowser-wrapped passed the binary check.
- 3 of 3 passed binary check by having a zero exit code.
- 0 of 3 passed binary check by having the new version present in output.
- found 1.3.2 with grep in /nix/store/d5f7w3hcgxzhk1sgk1gjnl36nrq30wlm-qutebrowser-1.3.2
- directory tree listing: https://gist.github.com/86db26ab52e4c4aaabb2949ceba69142
- du listing: https://gist.github.com/47c80976cbfff66061ccbffa47d02669
In particular, this contains Firefox-related and libgcrypt updates.
Other larger rebuilds would apparently need lots of time to catch up
on Hydra, due to nontrivial rebuilds in other branches than staging.
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/qutebrowser/versions.
These checks were done:
- built on NixOS
- /nix/store/g9592dbmfj1icx0njg1dhj094v2l8rcj-qutebrowser-1.3.1/bin/qutebrowser passed the binary check.
- /nix/store/g9592dbmfj1icx0njg1dhj094v2l8rcj-qutebrowser-1.3.1/bin/..qutebrowser-wrapped-wrapped passed the binary check.
- /nix/store/g9592dbmfj1icx0njg1dhj094v2l8rcj-qutebrowser-1.3.1/bin/.qutebrowser-wrapped passed the binary check.
- 3 of 3 passed binary check by having a zero exit code.
- 0 of 3 passed binary check by having the new version present in output.
- found 1.3.1 with grep in /nix/store/g9592dbmfj1icx0njg1dhj094v2l8rcj-qutebrowser-1.3.1
- directory tree listing: https://gist.github.com/c6f74ace4cd8ac51662079876bcef904
- du listing: https://gist.github.com/c1a964f74432d7f8c83f9825d26fbad0
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/palemoon/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/zcw80dly8ka0wa1afkl8wb01mg4aqdhx-palemoon-27.9.1/bin/palemoon -h’ got 0 exit code
- ran ‘/nix/store/zcw80dly8ka0wa1afkl8wb01mg4aqdhx-palemoon-27.9.1/bin/palemoon --help’ got 0 exit code
- ran ‘/nix/store/zcw80dly8ka0wa1afkl8wb01mg4aqdhx-palemoon-27.9.1/bin/palemoon -V’ and found version 27.9.1
- ran ‘/nix/store/zcw80dly8ka0wa1afkl8wb01mg4aqdhx-palemoon-27.9.1/bin/palemoon -v’ and found version 27.9.1
- ran ‘/nix/store/zcw80dly8ka0wa1afkl8wb01mg4aqdhx-palemoon-27.9.1/bin/palemoon --version’ and found version 27.9.1
- found 27.9.1 with grep in /nix/store/zcw80dly8ka0wa1afkl8wb01mg4aqdhx-palemoon-27.9.1
- directory tree listing: https://gist.github.com/5f0a5b316dd9c9cc0a59be36561c1b66
Update includes 4 security fixes, including one critical (see [0]):
* [835887] Critical: Chain leading to sandbox escape. Reported by Anonymous on 2018-04-23:
* [836858] High CVE-2018-6121: Privilege Escalation in extensions.
* [836141] High CVE-2018-6122: Type confusion in V8.
* [$5000][833721] High CVE-2018-6120: Heap buffer overflow in PDFium. Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2018-04-17
[0] https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html
PS: Didn't build Beta and Dev, verified only Stable for now
cc @bendlas @aszlig
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/qutebrowser/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/nckfqg5crmyrx3aazk6szii42qy7v1g3-qutebrowser-1.3.0/bin/qutebrowser -h’ got 0 exit code
- ran ‘/nix/store/nckfqg5crmyrx3aazk6szii42qy7v1g3-qutebrowser-1.3.0/bin/qutebrowser --help’ got 0 exit code
- ran ‘/nix/store/nckfqg5crmyrx3aazk6szii42qy7v1g3-qutebrowser-1.3.0/bin/..qutebrowser-wrapped-wrapped -h’ got 0 exit code
- ran ‘/nix/store/nckfqg5crmyrx3aazk6szii42qy7v1g3-qutebrowser-1.3.0/bin/..qutebrowser-wrapped-wrapped --help’ got 0 exit code
- ran ‘/nix/store/nckfqg5crmyrx3aazk6szii42qy7v1g3-qutebrowser-1.3.0/bin/.qutebrowser-wrapped -h’ got 0 exit code
- ran ‘/nix/store/nckfqg5crmyrx3aazk6szii42qy7v1g3-qutebrowser-1.3.0/bin/.qutebrowser-wrapped --help’ got 0 exit code
- found 1.3.0 with grep in /nix/store/nckfqg5crmyrx3aazk6szii42qy7v1g3-qutebrowser-1.3.0
- directory tree listing: https://gist.github.com/b9f575b232cde51598aeed723a03f7ec
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/palemoon/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/0qfxznyni5ivyrj3hs0w6dhlk3z4kfaq-palemoon-27.9.0/bin/palemoon -h’ got 0 exit code
- ran ‘/nix/store/0qfxznyni5ivyrj3hs0w6dhlk3z4kfaq-palemoon-27.9.0/bin/palemoon --help’ got 0 exit code
- ran ‘/nix/store/0qfxznyni5ivyrj3hs0w6dhlk3z4kfaq-palemoon-27.9.0/bin/palemoon -V’ and found version 27.9.0
- ran ‘/nix/store/0qfxznyni5ivyrj3hs0w6dhlk3z4kfaq-palemoon-27.9.0/bin/palemoon -v’ and found version 27.9.0
- ran ‘/nix/store/0qfxznyni5ivyrj3hs0w6dhlk3z4kfaq-palemoon-27.9.0/bin/palemoon --version’ and found version 27.9.0
- found 27.9.0 with grep in /nix/store/0qfxznyni5ivyrj3hs0w6dhlk3z4kfaq-palemoon-27.9.0
- directory tree listing: https://gist.github.com/d3039819d96bec3615450de44abbffc4
Critical CVE-2018-6085: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-28
Critical CVE-2018-6086: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-30
High CVE-2018-6087: Use after free in WebAssembly. Reported by Anonymous on 2018-02-20
High CVE-2018-6088: Use after free in PDFium. Reported by Anonymous on 2018-03-15
High CVE-2018-6089: Same origin policy bypass in Service Worker. Reported by Rob Wu on 2018-02-04
High CVE-2018-6090: Heap buffer overflow in Skia. Reported by ZhanJia Song on 2018-03-12
High CVE-2018-6091: Incorrect handling of plug-ins by Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-10-05
High CVE-2018-6092: Integer overflow in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-08
Medium CVE-2018-6093: Same origin bypass in Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-01
Medium CVE-2018-6094: Exploit hardening regression in Oilpan. Reported by Chris Rohlf on 2016-08-01
Medium CVE-2018-6095: Lack of meaningful user interaction requirement before file upload. Reported by Abdulrahman Alqabandi (@qab) on 2016-08-11
Medium CVE-2018-6096: Fullscreen UI spoof. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-19
Medium CVE-2018-6097: Fullscreen UI spoof. Reported by xisigr of Tencent's Xuanwu Lab on 2018-01-26
Medium CVE-2018-6098: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-03
Medium CVE-2018-6099: CORS bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-02-03
Medium CVE-2018-6100: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-02-11
Medium CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools . Reported by Rob Wu on 2018-02-19
Medium CVE-2018-6102: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-20
Medium CVE-2018-6103: UI spoof in Permissions. Reported by Khalil Zhani on 2018-02-24
Medium CVE-2018-6104: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-08
Medium CVE-2018-6105: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-18
Medium CVE-2018-6106: Incorrect handling of promises in V8. Reported by lokihardt of Google Project Zero on 2018-01-25
Medium CVE-2018-6107: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-02
Medium CVE-2018-6108: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-27
Low CVE-2018-6109: Incorrect handling of files by FileAPI. Reported by Dominik Weber (@DoWeb_) on 2017-04-10
Low CVE-2018-6110: Incorrect handling of plaintext files via file:// . Reported by Wenxiang Qian (aka blastxiang) on 2017-10-24
Low CVE-2018-6111: Heap-use-after-free in DevTools. Reported by Khalil Zhani on 2017-11-02
Low CVE-2018-6112: Incorrect URL handling in DevTools. Reported by Rob Wu on 2017-12-29
Low CVE-2018-6113: URL spoof in Navigation. Reported by Khalil Zhani on 2018-01-25
Low CVE-2018-6114: CSP bypass. Reported by Lnyas Zhang on 2018-02-13
Low CVE-2018-6115: SmartScreen bypass in downloads. Reported by James Feher on 2018-03-07
Low CVE-2018-6116: Incorrect low memory handling in WebAssembly. Reported by Jin from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. on 2018-03-15
Low CVE-2018-6117: Confusing autofill settings. Reported by Spencer Dailey on 2018-03-15
Low CVE-2018-6084: Incorrect use of Distributed Objects in Google Software Updater on MacOS. Reported by Ian Beer of Google Project Zero on 2018-03-15
Semi-automatic update generated by https://github.com/ryantm/nix-update tools. These checks were done:
- built on NixOS
- Warning: no binary found that responded to help or version flags. (This warning appears even if the package isn't expected to have binaries.)
- found 0.9.96 with grep in /nix/store/hy3dyckwbq8x0ylgydqf3hsd0yyj38mf-otter-browser-0.9.96
- directory tree listing: https://gist.github.com/3ba5ac755cab96acd876703e94dff4b4
Semi-automatic update generated by https://github.com/ryantm/nix-update tools.
This update was made based on information from https://repology.org/metapackage/qutebrowser/versions.
These checks were done:
- built on NixOS
- ran `/nix/store/p9a5d6129dvx6gqbxn9fqgsmx7hnhwxb-qutebrowser-1.2.1/bin/qutebrowser -h` got 0 exit code
- ran `/nix/store/p9a5d6129dvx6gqbxn9fqgsmx7hnhwxb-qutebrowser-1.2.1/bin/qutebrowser --help` got 0 exit code
- ran `/nix/store/p9a5d6129dvx6gqbxn9fqgsmx7hnhwxb-qutebrowser-1.2.1/bin/..qutebrowser-wrapped-wrapped -h` got 0 exit code
- ran `/nix/store/p9a5d6129dvx6gqbxn9fqgsmx7hnhwxb-qutebrowser-1.2.1/bin/..qutebrowser-wrapped-wrapped --help` got 0 exit code
- ran `/nix/store/p9a5d6129dvx6gqbxn9fqgsmx7hnhwxb-qutebrowser-1.2.1/bin/.qutebrowser-wrapped -h` got 0 exit code
- ran `/nix/store/p9a5d6129dvx6gqbxn9fqgsmx7hnhwxb-qutebrowser-1.2.1/bin/.qutebrowser-wrapped --help` got 0 exit code
- found 1.2.1 with grep in /nix/store/p9a5d6129dvx6gqbxn9fqgsmx7hnhwxb-qutebrowser-1.2.1
- directory tree listing: https://gist.github.com/b85ebb5c38a8861cac255f78b5c16525
The icons for Firefox are in a new location in the unwrapped package; the
wrapper is updated to reflect that. This should have no effect on other browers
that provide their own icons in the default XDG location.