Whonix Stable Release

About this Whonix Stable Release Page
Support Status: stable
Difficulty: easy
Maintainer: torjunkie

Whonix ™ 15 Changelog

Whonix ™ 15 was released on July 1, 2019. [1] Significantly, Whonix ™ 15 is based on the Debian buster (Debian 10) distribution, which was officially released on July 6, 2019, rather than on Debian stretch (Debian 9). The buster release has nearly 60,000 packages, and over 62 per cent of them were updated [2] [3]; see the official Debian 10 release notes to learn more.

All Platforms

Bug Fixes

  • Fixed file saving issues in scurl wrappers. [4] [5] [6]
  • Fixed the partial truncation of text in Whonix Connection Wizard. [7]
  • Installed cryptsetup by default so errors do not appear when using a GUI and interacting with encrypted containers. [8] [9] [10]

Builds

  • Ported the build script to cowbuilder; packages are now built in a chroot and mmdebstrap is used for better security. [11]

Code

  • Modified whonixcheck so it suggests starting networking / onion-grater if it is not running. [12]
  • Improved the /usr/share/sdwdate/unit_test. [13] [14]
  • Improved the sdwdate Tor consensus message. [15]
  • Confirmed the sanity of systemd DNS after porting to Debian buster. [16]
  • Established sane built-in defaults even if configuration files do not exist. [17] [18]
  • Updated the onion list time sources for sdwdate, removing offline and unwanted onions. [19]

Improved Functionality and Usability

Security Enhancements

Non-Qubes-Whonix

Bug Fixes

  • Corrected a VirtualBox error related to guest utils not starting. [40] [41]

Builds

  • Significantly reduced the size of Non-Qubes-Whonix images using zerofree. [42]

Improved Functionality and Usability

Security Enhancements

Qubes-Whonix ™

Bug Fixes

  • Correctly configured Qubes-Whonix ™ XFCE default start menu entries (whitelisted appmenus). [59]

Builds

  • Created Qubes-Whonix 15 template configuration files. [60] [61]
  • Confirmed the Whonix-15-gateway template builds. [62]

Improved Functionality and Usability

  • Simplified instructions for VM kernel in Qubes-Whonix ™ by installing the same recommended Qubes packages as Qubes Debian packages. [63] [64]
  • In DisposableVMs, tb-updater / tb-starter was modified to no longer copy Tor Browser to the user home directory at first boot -- /var/cache/tb-binary is now directly used to improve startup performance. [65] [66]

Security Enhancements

  • Confirmed Qubes-Whonix ™ TemplateVMs cannot upgrade in timesync-fail-closed mode. [67] [68]

Whonix ™ 15 Updates

As Whonix ™ is now a rolling distribution, users will benefit from regular small security and usability improvements, features and bug fixes as they enter the Whonix ™ stable repository. Those will be announced here.

TODO: Document updates.

Footnotes

  1. Some fixes/changes were implemented in both Whonix ™ 14 and 15.
  2. https://www.debian.org/News/2019/20190706
  3. More than 91 per cent of the source packages included in Debian 10 are reproducible (will build bit-for-bit identical binary packages).
  4. https://phabricator.whonix.org/T899
  5. https://github.com/Whonix/scurl/pull/1
  6. A few fixes were needed, such as:
    • Remove --remote-name and replace it with --remote-name-all.
    • Improve download wrappers and add --remote-header-name.
  7. https://phabricator.whonix.org/T923
  8. https://phabricator.whonix.org/T890
  9. For instance, an error would otherwise appear when using XFCE file manager with encrypted USBs.
  10. https://forums.whonix.org/t/have-cryptsetup-installed-by-default-in-whonix/6684/5
  11. https://forums.whonix.org/t/fixed-apt-rce-announced-new-whonix-images-needed-whonix-build-not-safe-at-the-moment/6715
  12. https://phabricator.whonix.org/T853
  13. https://phabricator.whonix.org/T712
  14. Specifically:
    • Make it simpler (to split urls into chunks of 3).
    • Generate average, total etc. for each pool.
    • Add curl command for the failures (timeouts).
  15. https://phabricator.whonix.org/T850
  16. https://phabricator.whonix.org/T866
  17. https://phabricator.whonix.org/T503
  18. This was completed for whonix-gw-firewall, whonix-ws-firewall, whonixcheck, sdwdate, uwt, onion-grater (Control Port Filter Proxy), rads, open-link-confirmation, tb-starter, tb-updater and anon-ws-disable-stacked-tor.
  19. https://github.com/TNTBOMBOM/sdwdate/commit/2985fc70625ae13aed45225b8c83592575c21a78
  20. https://forums.whonix.org/t/port-whonix-from-debian-stretch-to-debian-buster/7101
  21. https://phabricator.whonix.org/T889
  22. https://phabricator.whonix.org/T869
  23. https://forums.whonix.org/t/install-firejail-firetools-by-default/5363/3
  24. MAT2 only removes metadata from your files, it does not anonymise their content, nor can it handle watermarking, steganography, or any too custom metadata field/system.

  25. https://phabricator.whonix.org/T885
  26. https://forums.whonix.org/t/add-mat2-to-whonix-15/6489
  27. zulumount-gui is also installed.
  28. https://phabricator.whonix.org/T769
  29. https://forums.whonix.org/t/zulucrypt-in-whonix-14/4876
  30. https://phabricator.whonix.org/T595
  31. https://forums.whonix.org/t/feature-request-onionshare-support/300/7?u=patrick
  32. https://github.com/Whonix/anon-meta-packages/commit/8d5e892d3b603bb1390d3c152f70f8b8e8bfefef
  33. Primarily due to incompatibility with v3 onions.
  34. https://forums.whonix.org/t/remove-ricochet-from-whonix/5009
  35. https://forums.whonix.org/t/what-about-nyx/6380
  36. nyx is actually the same project; just the name has changed and the presentation is very similar.
  37. http://phabricator.whonix.org/T798
  38. https://phabricator.whonix.org/T817
  39. Using the Jitter RNG core, the rngd provides an entropy source that feeds into the Linux /dev/random device if its entropy runs low. ... Especially during boot time, when the entropy of Linux is low, the Jitter RNGd provides a source of sufficient entropy.

  40. https://phabricator.whonix.org/T848
  41. https://forums.whonix.org/t/failed-failed-to-start-virtualbox-guest-utils/5975/4
  42. https://forums.whonix.org/t/reducing-size-of-ova-images/5095
  43. https://phabricator.whonix.org/T886
  44. https://github.com/Whonix/grub-default-live
  45. https://github.com/Whonix/anon-meta-packages/pull/18
  46. https://forums.whonix.org/t/installing-whonix-live-mode-in-all-distributed-images/6467
  47. This means Non-Qubes-Whonix users can boot into live-mode out of the box, without needing to install it.
  48. https://phabricator.whonix.org/T825
  49. Such as the root password, Whonix ™ home page and so on.
  50. https://forums.whonix.org/t/add-description-to-whonix-vbox-images/5828/1
  51. https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271
  52. https://phabricator.whonix.org/T782
  53. The floppy and optical settings were disabled in both the Gateway and Workstation, while the Gateway audio was also disabled.
  54. kloak is a privacy tool that makes keystroke biometrics less effective. This is accomplished by obfuscating the time intervals between key press and release events, which are typically used for identification. This project is experimental.

  55. https://forums.whonix.org/t/kloak-keystroke-anonymization-tool/7089
  56. See recent pull requests here.
  57. https://forums.whonix.org/t/kernel-hardening/7296/9
  58. The specific changes include:
    • Kernel symbols in /proc/kallsyms are hidden to prevent malware from reading them and using them to learn more about what to attack on your system.
    • Kexec is disabled as it can be used for live patching of the running kernel.
    • The BPF JIT compiler is restricted to the root user and is hardened.
    • ASLR effectiveness for mmap is increased.
    • The ptrace system call is restricted to the root user only.
    • The TCP/IP stack is hardened.
    • This package makes some data spoofing attacks harder.
    • SACK is disabled as it is commonly exploited and is rarely used.
    • This package disables the merging of slabs of similar sizes to prevent an attacker from exploiting them.
    • Sanity checks, redzoning, and memory poisoning are enabled.
    • The kernel now panics on uncorrectable errors in ECC memory which could be exploited.
    • Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness.
    • SMT is disabled as it can be used to exploit the MDS vulnerability.
    • All mitigations for the MDS vulnerability are enabled.
    • DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have unknown vulnerabilities.

  59. https://phabricator.whonix.org/T883
  60. https://github.com/QubesOS/qubes-template-configs/pull/6/commits/d4f429669b849fc73973e2e557a24cceab47c45e
  61. https://github.com/QubesOS/qubes-builder/pull/82/commits/64a661241430c6a22ca98bb11370b2a3e3cf0e12
  62. https://github.com/QubesOS/qubes-issues/issues/4957
  63. https://github.com/Whonix/qubes-whonix/commit/8d8ab41bbf9c7fa63f3e79b8511d439efe33caeb
  64. https://github.com/Whonix/qubes-whonix/commit/c08dfed97cfba369ff753b4d96755b47240fffb2
  65. https://github.com/QubesOS/qubes-issues/issues/4918
  66. Backups of Tor Browser are no longer maintained either; previously three backups were stored.
  67. https://phabricator.whonix.org/T858
  68. timesync-fail-closed means sdwdate has not yet succeeded. Networking for all but Tor and sdwdate should still be locked in this scenario.
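
As an added example (not part of the Whonix wiki or its packages), the shell function below checks several of the runtime kernel settings described in footnote 58 on a running system. The sysctl names and thresholds are assumptions mapped from those descriptions, since the page does not list them, and the optional ROOT argument is a hypothetical convenience for auditing a constructed directory tree.

```sh
#!/bin/sh
# Added example: audit some runtime kernel settings from footnote 58.
# ASSUMPTION: sysctl names and thresholds below are mapped from the
# changelog's descriptions; the page itself does not list them.

# Format: path-under-/proc/sys:operator:value  (eq = equals, ge = at least)
CHECKS='kernel/kptr_restrict:ge:1
kernel/kexec_load_disabled:eq:1
kernel/unprivileged_bpf_disabled:ge:1
net/core/bpf_jit_harden:eq:2
kernel/yama/ptrace_scope:ge:2
net/ipv4/tcp_sack:eq:0'

# audit_sysctls [ROOT]
# Prints one line per check and returns the number of checks that failed
# or could not be read. ROOT defaults to /proc/sys; pass another directory
# to audit a copied or constructed tree.
audit_sysctls() {
    root=${1:-/proc/sys}
    failures=0
    for check in $CHECKS; do
        path=${check%%:*}
        rest=${check#*:}
        op=${rest%%:*}
        want=${rest#*:}
        name=$(printf '%s' "$path" | tr '/' '.')
        if [ ! -r "$root/$path" ]; then
            echo "MISSING $name (expected $op $want)"
            failures=$((failures + 1))
            continue
        fi
        got=$(tr -d ' \t\n' < "$root/$path")
        ok=no
        case "$got" in
            '' | *[!0-9]*) ;;  # empty or non-numeric value counts as a failure
            *)
                if [ "$op" = eq ] && [ "$got" -eq "$want" ]; then ok=yes; fi
                if [ "$op" = ge ] && [ "$got" -ge "$want" ]; then ok=yes; fi
                ;;
        esac
        if [ "$ok" = yes ]; then
            echo "PASS    $name = $got"
        else
            echo "FAIL    $name = $got (expected $op $want)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

Call `audit_sysctls` with no argument on the host being checked; a non-zero return value is the number of settings that were missing or below the threshold.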


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
