Hi,

we are excited to announce that the first stable version in the 4.5 series
is ready for testing. It will be the next alpha as well. Bundles can
be found at

https://people.torproject.org/~mikeperry/builds/4.5-build4/

Compared to 4.5a5 we were able to put another couple of important
usability fixes into this release. We improved HTTP connection handling
and the HTTP authentication experience, and fixed the TLS connection display,
to name a few. Moreover, we largely neutered Blob URIs, which can
be used to track users across domains, and, finally, brought all Tor
Browser components up to date.

The complete changelog since 4.5a5 is:

Tor Browser 4.5 -- Apr 28 2015
 * All Platforms
   * Update Tor to 0.2.6.7 with additional patches:
     * Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
   * Update NoScript to 2.6.9.22
   * Update HTTPS-Everywhere to 5.0.2
     * Bug 15689: Resume building HTTPS-Everywhere from git tags
   * Update meek to 0.17
   * Update obfs4proxy to 0.0.5
   * Update Tor Launcher to 0.2.7.4
     * Bug 15704: Do not enable network if wizard is opened
     * Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
     * Bug 13576: Don't strip "bridge" from the middle of bridge lines
     * Bug 15657: Display the host:port of any connection failures in bootstrap
   * Update Torbutton to 1.9.2.1
     * Bug 15562: Bind SharedWorkers to thirdparty pref
     * Bug 15533: Restore default security level when restoring defaults
     * Bug 15510: Close Tor Circuit UI control port connections on New Identity
     * Bug 15472: Make node text black in circuit status UI
     * Bug 15502: Wipe blob URIs on New Identity
     * Bug 14429: Disable automatic window resizing for now
   * Bug 4100: Raise HTTP Keep-Alive back to 115 second default
   * Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
   * Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
   * Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
   * Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access
   * Bug 15562: Disable Javascript SharedWorkers due to third party tracking
   * Bug 15757: Disable Mozilla video statistics API extensions
   * Bug 15758: Disable Device Sensor APIs
 * Linux
   * Bug 15747: Improve start-tor-browser argument handling
   * Bug 15672: Provide desktop app registration+unregistration for Linux
 * Windows
   * Bug 15539: Make installer exe signatures reproducibly removable
   * Bug 10761: Fix instances of shutdown crashes

Georg