
Whonix Release Notes


Whonix 13

Whonix 13 was released on 31 May, 2016. [1] Whonix 13 contains many small security and usability improvements, features and bug fixes. [2] [3] [4]

Changelog - All Platforms

AppArmor

  • Fixed the Tor Browser AppArmor profile to allow correct functionality. [5]
  • Resolved AppArmor conflicts affecting Pidgin, Chromium and Evince. [6]
  • Merged AppArmor profiles for sdwdate, timesync and whonix-check into their corresponding packages and now install them by default. [7]


Bug Fixes

  • Fixed broken whonix-setup-wizard functionality. [8]


Code

  • Updated Whonix code for Tor Browser tb-updater. [9]
  • Refactored the Whonix socks redirection firewall rules to reduce their size and use less script code. [10] [11]
  • Refactored Whonix code so that scripts only use configuration files that end with the .conf extension. [12]


Improved Functionality and Usability

  • Modified whonixcheck to test for slow or fast system clocks which prevent Tor from properly connecting. [13]
  • Implemented an explicit check for timekeeping watchdog kernel messages in whonixcheck, so users are warned about clock jumps which prevent / time-out Tor connections. [14]
  • Enforced maximized terminal windows for xdg desktop users. [15] [16]
  • Enabled Transparent Proxy Ports for Whonix-Gateway by default (except for Whonix-Firewall). [17] [18]
  • Configured Whonix to use /etc/skel instead of writing to the home folder directly to maintain forward compatibility with Qubes. Further, this allows for proper error-handling where "user" is hardcoded in Whonix, and a newly created account with a different name has been used. [19]
  • Deprecated the timesync progress bar and replaced it with a tray icon using sdwdate-gui to improve usability and reduce confusion. [20]
  • Created a stable-proposed-updates repository for users who want to help in testing Whonix fixes, without resorting to the testers repository which comes with many more changes. [21]
  • Moved the WhonixBackupScript to the usability-misc package to make it more accessible. [22]
  • Replaced XChat with HexChat, since the former is no longer actively maintained, and created a new AppArmor profile to contain it. [23]
  • Implemented a VPN_FIREWALL feature as part of whonix-ws-firewall. [24]


Security Enhancements

  • Created a security-misc package that turns off Nautilus and Dolphin file previews by default, since this poses security risks. [25]
  • A known, good version of Tor is now maintained and uploaded to the Whonix repository from deb.torproject.org [26]
  • Extended the lifetime of the Whonix signing key. [27]
  • Sourced new onion services webservers for the sdwdate feature, which ensures the system's clock is correctly set for security, privacy and anonymity purposes. [28]

Changelog - Qubes-Whonix

Bug Fixes

  • Fixed qubes-whonix-firewall systemd service start. [29] [30]
  • Resolved whonixcheck fixes for Qubes R4. [31]
  • Corrected false positive failure messages for the updates proxy test in Qubes R4. [32] [33]
  • Disabled qubes-SetDateTime / qubes.SyncNtpClock in Qubes-Whonix VMs since it interfered with timesync. [34]
  • Resolved accumulation of old Tor Browser instances in /var/cache/tb-binary/.tb/ which caused users to run into full disk error messages. [35]
  • Resolved an occasional error message whereby Whonix templates incorrectly reported they were not connected to the Whonix-Gateway ProxyVM. [36]
  • Resolved the broken anon-ws-disable-stackedtor function in Qubes-Whonix. [37]
  • Enforced the opening of all links from sys-whonix, whonix-gw and whonix-ws in the anon-whonix AppVM to prevent error messages. [38]


Builds

  • Corrected the build failure of Whonix-Workstation template in Qubes-Whonix R3.2 and added the qubes-template-whonix to continuous integration service TravisCI. [39]
  • Resolved Whonix template build failures in Qubes R4 related to Tor Browser downloads. [40]
  • Changed the Qubes-Whonix build process to install Whonix from the Whonix binary APT repository. This simplifies code, results in faster builds, removes build dependencies inside the template, and reduces the overall template size. [41]
  • Allowed the Whonix build script to run as root and reworked user_name. [42]


Code

  • Removed fetching of Whonix source code in qubes-template-whonix. [43]
  • Removed the qubes-update-check system service from Qubes-Whonix TemplateVMs, since it was unnecessary. [44] [45]
  • Reworked / removed a number of installed packages in Qubes-Whonix which are only required for the non-Qubes-Whonix desktop. [46] [47]
  • Removed the default username and password in the Qubes-Whonix terminal, because it is not required. [48]


Improved Functionality and Usability

  • Ported whonixcheck and tb-updater to Qubes qrexec-based updates proxy, since TemplateVMs are non-networked by default in Qubes R4. [49]
  • Changed the tb-updater configuration to use Qubes updates proxy, since Qubes R4 sets the NetVM of TemplateVMs to none by default. [50]
  • Implemented the ability to install Whonix-Workstation and Whonix-Gateway from dom0 with a sudo apt-get install whonix-(workstation|gateway) feature. [51]
  • Ported the bind-directories functionality upstream to Qubes. [52]
  • Implemented the new bind-directories functionality in Qubes-Whonix. [53]
  • Implemented a check for whether the whonix-gw ProxyVM (sys-whonix) has a NetVM which is set to "none", with a warning shown if this is the case. [54]
  • Implemented a new feature so that following an update of the Whonix-Workstation TemplateVM, newly created AppVMs based on the updated TemplateVM come with an up-to-date version of Tor Browser. [55]
  • Modified whonixcheck to check if: Whonix-Gateway is running in a NetVM or ProxyVM; Whonix-Workstation is running in an AppVM; and to skip the test if a TemplateVM is detected. [56]


Security Enhancements

  • Prevented /usr/lib/qubes/qubes-setup-dnat-to-ns from running in Qubes-Whonix to stop it from modifying firewall rules. [57]

Whonix 14

Whonix 14 is due to be released in early 2018. Significantly, Whonix 14 is based on the Debian stretch (Debian 9) distribution, which was released in mid-2017, instead of Debian jessie (Debian 8). [58] Users will therefore have access to numerous updated and new software packages, a more modern branch of GnuPG, and more. [59] [60] [61]

The changelog below is current as at January 2018.

Changelog - All Platforms

AppArmor

  • Fixed the AppArmor profile for obfs4proxy to enable correct functioning of Tor Bridges in Whonix-Gateway. [62]
  • Fixed the Tor Browser AppArmor profile to allow correct functionality. [63]
  • Corrected the tor-controlport-filter AppArmor profile to ensure correct functioning. [64]
  • Removed the Pidgin AppArmor profile, since Pidgin is recommended against for security reasons. [65]
  • Hardened the Control Port Filter AppArmor profile. [66]


Bug Fixes

  • Corrected the broken whonix-setup-wizard autostart on Whonix-Gateway. [67]
  • Fixed sdwdate-gui freezing when using right-click in the menu. [68]
  • Fixed dependency issues which prevented the whonix-setup-wizard gui from starting. [69]


Builds

  • Resolved genmkfile build dependencies for building Whonix-Workstation and Whonix-Gateway. [70]


Code

  • Updated Whonix code for Tor Browser tb-updater. [71]
  • Changed the bindp compile to postinstall to make it cross-platform (Qubes, 64-bit, 32-bit). [72]
  • Rewrote sclockadj in C and updated the sdwdate package to compile sclockadj. [73] [74]
  • Removed the Control Port Filter Proxy script from anon-ws-disable-stacked-tor since it is no longer required for proper Tor connections or Tor Browser functions (its functionality is now replaced by onion-grater). This means onionshare, Ricochet and Zeronet are now compatible with Whonix. [75] [76]
  • Enhanced onion checking in sdwdate to improve the unit test. [77]
  • Ported msgcollector to python3 and python3-pyqt5. [78]
  • Ported whonix-setup-wizard to python3. [79]
  • Ported python-guimessages to python3. [80]
  • Rewrote sdwdate to ensure python exceptions are written to the journal. [81]
  • Rewrote control-port-filter-python to ensure exceptions are written to the journal. [82]
  • Re-added some non-essential packages to Whonix that were removed from Debian stretch. [83] [84]
  • Ported anon-shared-helper-scripts so they instead use Tor authentication cookies. [85]
  • Ported whonixcheck check_tor_socks_port_reachability.bsh to use the Tor unix domain socket socks file. [86]
  • Removed auditd configuration folder parsing /etc/audit/rules.d/ by default, since the feature has been implemented upstream.


Improved Functionality and Usability

  • Implemented the major new anon-connection-wizard feature into Whonix to simplify connections to the Tor network via a Tor bridge and/or a proxy. [87]
  • Installed necessary dependencies for proper ZeroNet functionality. [88]
  • Installed onionshare by default in Whonix. [89]
  • Installed onioncircuits by default in Whonix-Gateway. [90]
  • Added --list-interface to tor-controlport-filter, as it works better with dynamic IP addresses. [91]
  • Added a /etc/tor-controlport-filter.d configuration extension feature. [92]
  • Fixed the control-port-filter-python configuration to rewrite HS_DESC replies by Tor so onionshare is supported. [93]
  • Merged the tor-controlport-filter by Tails for various enhancements. [94]


Security Enhancements

  • Onion sources are now preferred in sources.list for Whonix updates / upgrades.
  • Confirmed functionality of the kloak anti-keystroke deanonymization tool in Whonix. [95] [96]
  • Identified more reliable onion servers as appropriate time sources for sdwdate, which enables correct network time synchronization for anonymity-focused distributions. [97]
  • Implemented Tails' Control Port Filter Proxy in Whonix and merged recent changes since it was forked. [98] [99]
  • Fixed security and hardening (stack canary) issues with the bindp libindp.so package (which were merged upstream). [100]
  • Uploaded the Tor 0.2.9.8 major (stable) release to the Whonix repository. [101]

Changelog - Non-Qubes-Whonix


Bug Fixes

  • Increased the Whonix-Gateway VRAM in VirtualBox from 8 to 16 MB to avoid error messages and possible video problems when using full screen mode. [103]
  • Corrected sdwdate-gui systray so it properly registers in kde systray (no longer appears as a gap in the Entry column). [104]
  • Corrected the sdwdate-gui tray icon so it is visible in Debian stretch. [105]


Code

  • Removed kmix-disable-autostart since it is no longer required to make sure the clipboard history icon is loaded into the system tray. [106]


Improved Functionality and Usability


Security Enhancements

  • Moved okular from anon-shared-applications-kde to anon-workstation-default-applications so it is not installed on Whonix-Gateway. [110]

Changelog - Qubes-Whonix

Bug Fixes

  • Resolved whonixcheck fixes for Qubes R4. [111]
  • Corrected false positive failure messages for the updates proxy test in Qubes R4. [112] [113]
  • Resolved non-functionality of Tor Browser due to jemalloc corruption. [114]
  • Resolved accumulation of old Tor Browser instances in /var/cache/tb-binary/.tb/ which caused users to run into full disk error messages. [115]
  • Corrected dependencies in the qubes-whonix package to resolve issues when upgrading to Debian stretch. [116]
  • Fixed a corridor lintian warning on Debian related to systemd documentation. [117]


Builds

  • Corrected the build failure of Whonix-Workstation template in Qubes-Whonix R3.2 and added the qubes-template-whonix to continuous integration service TravisCI. [118]


Code

  • Removed cups and system-config-printer from Whonix-Workstation, since printing capabilities are more suited to alternative VMs and this also removes a local TCP listener that is otherwise created. [119]
  • Corrected anon-meta-packages compatibility for Qubes R3.2 and R4. [120]


Improved Functionality and Usability

  • Confirmed full Qubes-Whonix compatibility with Qubes R4. [121]

Footnotes

  1. https://www.whonix.org/blog/whonix-13-released
  2. https://phabricator.whonix.org/maniphest/query/TfpGK0Sq8w1j/#R
  3. Descriptions of changes in Whonix 12 and earlier versions can be found on sourceforge.net
  4. A handful of issues have been fixed in both Whonix 13 and Whonix 14 and backported to both versions.
  5. https://phabricator.whonix.org/T672
  6. https://phabricator.whonix.org/T314
  7. https://phabricator.whonix.org/T201
  8. https://phabricator.whonix.org/T499
  9. https://phabricator.whonix.org/T666
  10. https://phabricator.whonix.org/T465
  11. The same firewall rules are still applied.
  12. https://phabricator.whonix.org/T286
  13. https://phabricator.whonix.org/T482
  14. https://phabricator.whonix.org/T480
  15. https://phabricator.whonix.org/T451
  16. For instance, tor-arm, restart Tor and other terminal programs.
  17. https://phabricator.whonix.org/T435
  18. This does not enable transparent proxying by default, but is required in Qubes so tinyproxy traffic can be redirected to 127.0.0.1 instead of to qubes-netvm-gateway.
  19. https://phabricator.whonix.org/T419
  20. https://phabricator.whonix.org/T300
  21. https://phabricator.whonix.org/T200
  22. https://phabricator.whonix.org/T159
  23. https://phabricator.whonix.org/T40
  24. https://phabricator.whonix.org/T158
  25. https://phabricator.whonix.org/T418
  26. https://phabricator.whonix.org/T472
  27. https://phabricator.whonix.org/T497
  28. https://phabricator.whonix.org/T266
  29. https://phabricator.whonix.org/T528
  30. This fixes various bugs relating to Tor starting / failing multiple times and qubes-whonix-torified-updates-proxy sometimes failing.
  31. https://phabricator.whonix.org/T724
  32. https://phabricator.whonix.org/T723
  33. Qubes R4 RC1.
  34. https://phabricator.whonix.org/T384
  35. https://phabricator.whonix.org/T671
  36. https://phabricator.whonix.org/T496
  37. https://phabricator.whonix.org/T454
  38. https://phabricator.whonix.org/T452
  39. https://phabricator.whonix.org/T527
  40. https://phabricator.whonix.org/T710
  41. https://phabricator.whonix.org/T498
  42. https://phabricator.whonix.org/T416
  43. https://phabricator.whonix.org/T507
  44. https://phabricator.whonix.org/T433
  45. The qubes-update-check.service already has improved upgrade notifications.
  46. https://phabricator.whonix.org/T429
  47. For instance, plasma-widget-folderview, kde-kdm-autologin, split the anon-shared-desktop-kde package and so on.
  48. https://phabricator.whonix.org/T428
  49. https://phabricator.whonix.org/T491
  50. https://phabricator.whonix.org/T477
  51. https://phabricator.whonix.org/T461
  52. https://phabricator.whonix.org/T414
  53. https://phabricator.whonix.org/T501
  54. https://phabricator.whonix.org/T421
  55. https://phabricator.whonix.org/T417
  56. https://phabricator.whonix.org/T406
  57. https://phabricator.whonix.org/T502
  58. https://www.debian.org/releases/stretch/
  59. https://www.debian.org/News/2017/20170617
  60. https://www.debian.org/releases/stable/amd64/release-notes/
  61. https://www.debian.org/releases/stable/i386/release-notes/
  62. https://phabricator.whonix.org/T676
  63. https://phabricator.whonix.org/T672
  64. https://phabricator.whonix.org/T587
  65. https://phabricator.whonix.org/T568
  66. https://phabricator.whonix.org/T532
  67. https://phabricator.whonix.org/T640
  68. https://phabricator.whonix.org/T626
  69. https://phabricator.whonix.org/T592
  70. https://phabricator.whonix.org/T700
  71. https://phabricator.whonix.org/T666
  72. https://phabricator.whonix.org/T688
  73. https://phabricator.whonix.org/T686
  74. https://phabricator.whonix.org/T650
  75. https://phabricator.whonix.org/T657
  76. onion-grater: Filters out Tor control protocol commands that are dangerous for anonymity such as GETINFO ADDRESS using a whitelist. Acts as a proxy between the client application and Tor. For example it allows using Tor Browser's New Identity feature on Anonymity Distribution Workstations, fixes Tor Browser's about:tor default homepage and Tor Button status indicator without exposing commands that are dangerous for anonymity.
  77. https://phabricator.whonix.org/T648
  78. https://phabricator.whonix.org/T632
  79. https://phabricator.whonix.org/T628
  80. https://phabricator.whonix.org/T627
  81. https://phabricator.whonix.org/T608
  82. https://phabricator.whonix.org/T603
  83. https://phabricator.whonix.org/T601
  84. gtk3-engines-oxygen.
  85. https://phabricator.whonix.org/T578
  86. https://phabricator.whonix.org/T548
  87. https://phabricator.whonix.org/T699
  88. https://phabricator.whonix.org/T701
  89. https://phabricator.whonix.org/T595
  90. https://forums.whonix.org/t/onioncircuits-viewing-the-status-and-circuits-of-tor/2539
  91. https://phabricator.whonix.org/T579
  92. https://phabricator.whonix.org/T576
  93. https://phabricator.whonix.org/T574
  94. https://phabricator.whonix.org/T573
  95. https://phabricator.whonix.org/T583
  96. kloak will not be packaged in Whonix by default until various upstream issues are resolved.
  97. https://phabricator.whonix.org/T647
  98. https://phabricator.whonix.org/T617
  99. https://phabricator.whonix.org/T612
  100. https://phabricator.whonix.org/T599
  101. https://phabricator.whonix.org/T584
  102. Until it is determined how to enable kde-folderview in Debian stretch.
  103. https://phabricator.whonix.org/T680
  104. https://phabricator.whonix.org/T638
  105. https://phabricator.whonix.org/T598
  106. https://phabricator.whonix.org/T722
  107. https://phabricator.whonix.org/T714
  108. grub-live is not installed by default in Whonix 14 and is an optional package only.
  109. https://phabricator.whonix.org/T703
  110. https://github.com/Whonix/anon-meta-packages/commit/a22b1807c79cb1d21447c83ed251c331cf6222f1
  111. https://phabricator.whonix.org/T724
  112. https://phabricator.whonix.org/T723
  113. Qubes R4 RC1.
  114. https://phabricator.whonix.org/T651
  115. https://phabricator.whonix.org/T671
  116. https://phabricator.whonix.org/T620
  117. https://phabricator.whonix.org/T607
  118. https://phabricator.whonix.org/T527
  119. https://phabricator.whonix.org/T619
  120. https://phabricator.whonix.org/T697
  121. https://phabricator.whonix.org/T698
