Whonix Stable Release
|About this Whonix Stable Release Page|
- 1 Whonix ™ 15 Changelog
- 1.1 All Platforms
- 1.2 Non-Qubes-Whonix
- 1.3 Qubes-Whonix ™
- 2 Whonix ™ 15 Updates
- 3 Footnotes
Whonix ™ 15 Changelog
Whonix ™ 15 was released on July 1, 2019.  Significantly, Whonix ™ 15 is based on the Debian buster (Debian 10) distribution which was officially released on July 6, 2019 instead of Debian stretch (Debian 9). The buster release has nearly 60,000 packages and over 62 per cent of them were updated   -- see the official Debian 10 release notes [archive] to learn more.
- Fixed file saving issues in scurl wrappers.   
- Fixed the partial truncation of text in Whonix Connection Wizard. 
- Installed cryptsetup by default so errors do not appear when using a GUI and interacting with encrypted containers.   
- Ported the build script to cowbuilder; build packages in chroot and use mmdebstrap for better security. 
- Modified whonixcheck so it suggests to start networking / onion-grater if it is not running. 
- Improved the /usr/share/sdwdate/unit_test  
- Improved the sdwdate message Tor consensus message. 
- Confirmed the sanity of systemd DNS after porting to Debian buster. 
- Established sane built-in defaults even if configuration files are non-existing.  
- Updated the onion list time sources for sdwdate so that offline and unwanted onions were removed. 
Improved Functionality and Usability
- Ported Whonix ™ from Debian stretch to Debian buster. 
- Added the qTox instant messaging application [archive] by default. 
- Install Firejail [archive] and Firetools [archive] by default inside Whonix ™.  
- Added the Metadata anonymisation toolkit v2 (MAT2) [archive] by default.   
- Added a LUKS container GUI (zulucrypt-gui [archive])  by default to make management and creation of containers easy.  
- OnionShare is now installed by default for easier, anonymous sharing of files.  
- Added KeePassXC [archive] as the default Password Manager in Whonix-Workstation. 
- Removed the Richochet instant messaging application [archive] since it is no longer working in Whonix ™ 15.  
- Nyx [archive] has replaced tor-arm as the Tor controller, providing (slightly) better functionality and usability.  
- Set VLC X11 video decoding by default so it works more reliably and avoids known problems. 
- The Jitter RNG Daemon (jitterentropy) [archive] is now installed by default to improve randomness if entropy on the system runs low.  
- Significantly reduced the size of Non-Qubes-Whonix images using zerofree. 
Improved Functionality and Usability
- Added grub-live Whonix ™ Live-mode as a default package.     
- Added a description to whonix-vbox images.   
- Implemented Whonix KVM serial console support. 
- Disabled boot devices and modified audio settings in VirtualBox Workstation and Gateway to improve security.  
- Forked [archive] the kloak - Keystroke Anonymization Tool [archive] and installed it by default in Non-Qubes-Whonix.  
- Improved the default kernel hardening options for better security.   
- Correctly configured Qubes-Whonix ™ XFCE default start menu entries (whitelisted appmenus). 
- Created Qubes-Whonix 15 template configuration files.  
- Confirmed the Whonix-15-gateway template builds. 
Improved Functionality and Usability
- Simplified instructions for VM kernel [archive] in Qubes-Whonix ™ by installing the same recommended Qubes packages as Qubes Debian packages.  
- In DisposableVMs, tb-updater / tb-starter was modified to no longer copy Tor Browser to the user home directory at first boot -- /var/cache/tb-binary is now directly used to improve startup performance.  
Whonix ™ 15 Updates
As Whonix ™ is now a rolling distribution, users will benefit from regular small security and usability improvements, features and bug fixes as they enter the Whonix ™ stable repository. Those will be announced here.
A point release was announced on 10 September 2019.   Note that an in-place upgrade is not recommended for KVM -- significant changes have been made to the host settings that require the current machines and virtual networks to be replaced with updated ones. Refer to the KVM wiki for detailed installation instructions.
- Implemented apparmor-profile-torbrowser improvements, see: Why does the Tor Browser AppArmor profile have sys_admin, sys_chroot and ptrace capabilities? [archive]
- Fixed anon-connection-wizard truncated text.
- Fixed whonixcheck msgcollector permission errors.
- Corrected authentication failures related to Anon Connection Wizard and Whonix repository. 
- Fixed a tb-starter bug.
- Resolved the apt-get error relating to Debian's suite value changing from 'testing' to 'stable'. 
- Bumped base Debian packages to 10.1
- Tor Browser Updater (by Whonix developers): reduced old versions being kept to
- Added anon-base-files to whonix-host-xfce-kvm-freedom.
- Added hardened-malloc to hardened-packages-dependencies-cli.
- Removed unneeded dependency live-config-systemd.
- Do not create a home folder during postinst.
- Leave user
usercreation to Qubes.
- Fixed and actually use
- Documented how to use recovery mode.
Improved Functionality and Usability
- Disabled whonixcheck “Connecting to Tor…” and “Connected to Tor.” messages. 
- Added support for OnionShare “bundled Tor”.
- Packaged str_replace for literal search and replace functions.
- Display the pulseaudio plugin by default.
- Added arc-theme, gnome-themes-extra, gnome-themes-extra-data and gtk2-engines-murrine for better visual presentation and a more modern look.
- Set SUDO_EDITOR="mousepad" if: mousepad is installed and the environment variable SUDO_EDITOR has not already been set.
- Enabled kernel panic on kernel oops after boot, see: set oops=panic kernel parameter or kernel.panic_on_oops=1 sysctl for better security [archive].
- Enabled pam_umask.so usergroups, so group permissions are the same as user permissions. 
- Removed read, write and execute access for others for all users who have home folders under folder /home.  
- Group sudo membership is required to use
- Passwordless, recovery / emergency mode has been implemented.
- Lock user accounts with pam_tally2 after five failed authentication attempts are detected. 
- The thunderbolt and firewire modules were blacklisted, since they can be used for Direct Memory Access (DMA) attacks.
- Every module must now be signed before being loaded; any module that is unsigned or signed with an invalid key cannot be loaded. 
- Uncommon network protocols were blacklisted: these are rarely used and may have unknown vulnerabilities. 
- Enabled IOMMU [archive].
- The SysRq key is restricted to only allow shutdowns/reboots.
- A systemd service mounts /proc with
hidepid=2at boot, thereby preventing users from seeing each other’s processes.
- A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. 
- Remove System.map after a kernel upgrade.
- The kernel logs are restricted to root only.
- The BPF JIT compiler is restricted to the root user and is hardened.
- The ptrace system call is restricted to the root user only.
- Added user
rootto group sudo. This is necessary so it is still possible to login as a user in a virtual console. 
- Kernel symbols in /proc/kallsyms are hidden. This prevents malware from reading and using them to learn more about system vulnerabilities that can be attacked.
- Kexec is disabled because it can be used for live patching of the running kernel.
- Bluetooth is blacklisted to reduce the attack surface.
- For a full list of changes, see: https://github.com/Whonix/security-misc [archive]
- Command line control of KVM VMs is now supported. 
- The microphone is disabled by default.
- Switched RNG to /dev/urandom
- pvspinlock is enabled.
Much stronger Linux user account isolation has been enforced in non-Qubes-Whonix: 
- Locked and expired the root account in new Whonix builds. Existing users who upgraded are advised to lock their root account. 
- Disabled root login in virtual consoles by default. 
- Added a Tor Browser first startup popup [archive] to ask whether the security slider should be set to safest.
- Anonymized /etc/machine-id [archive].
- anon-gpg-tweaks: disabled keyservers for improved security. 
- Enabled APT seccomp sandboxing [archive].
- Enforced msgcollector security (mount option) hardening [archive].
- Implemented systemd unit file hardening of services maintained by Whonix.
- Tor Browser Starter (tb-starter Whonix package) hardening: implemented optional
--hardening / tb_hardening="true"which utilizes Firejail and/or Hardened Malloc, see: Tor Browser Hardening documentation.
- Installed Hardened Malloc [archive] by default to ease usage (although it is not enabled by default to avoid breakage).
- Upgraded Hardened Malloc to version 2 and switched to compile with clang rather than gcc as per upstream preference.
- Some fixes/changes were implemented in both Whonix ™ 14 and 15.
- https://www.debian.org/News/2019/20190706 [archive]
- More than 91 per cent of the source packages included in Debian 10 are reproducible (will build bit-for-bit identical binary packages).
- https://phabricator.whonix.org/T899 [archive]
- https://github.com/Whonix/scurl/pull/1 [archive]
- A few fixes were needed, such as:
--remote-nameand replace it with
- Improve download wrappers and add
- https://phabricator.whonix.org/T923 [archive]
- https://phabricator.whonix.org/T890 [archive]
- For instance, an error would otherwise appear when using XFCE file manager with encrypted USBs.
- https://forums.whonix.org/t/have-cryptsetup-installed-by-default-in-whonix/6684/5 [archive]
- https://forums.whonix.org/t/fixed-apt-rce-announced-new-whonix-images-needed-whonix-build-not-safe-at-the-moment/6715 [archive]
- https://phabricator.whonix.org/T853 [archive]
- https://phabricator.whonix.org/T712 [archive]
- Make it simpler (to split urls into chunks of 3).
- Generate average, total etc. for each pool.
- Add curl command for the failures (timeouts).
- https://phabricator.whonix.org/T850 [archive]
- https://phabricator.whonix.org/T866 [archive]
- https://phabricator.whonix.org/T503 [archive]
- This was completed for whonix-gw-firewall, whonix-ws-firewall, whonixcheck, sdwdate, uwt, onion-grater (Control Port Filter Proxy), rads, open-link-confirmation, tb-starter, tb-updater and anon-ws-disable-stacked-tor.
- https://github.com/TNTBOMBOM/sdwdate/commit/2985fc70625ae13aed45225b8c83592575c21a78 [archive]
- https://forums.whonix.org/t/port-whonix-from-debian-stretch-to-debian-buster/7101 [archive]
- https://phabricator.whonix.org/T889 [archive]
- https://phabricator.whonix.org/T869 [archive]
- https://forums.whonix.org/t/install-firejail-firetools-by-default/5363/3 [archive]
MAT2 only removes metadata from your files, it does not anonymise their content, nor can it handle watermarking, steganography, or any too custom metadata field/system.
- https://phabricator.whonix.org/T885 [archive]
- https://forums.whonix.org/t/add-mat2-to-whonix-15/6489 [archive]
- zulumount-gui [archive] is also installed.
- https://phabricator.whonix.org/T769 [archive]
- https://forums.whonix.org/t/zulucrypt-in-whonix-14/4876 [archive]
- https://phabricator.whonix.org/T595 [archive]
- https://forums.whonix.org/t/feature-request-onionshare-support/300/7?u=patrick [archive]
- https://github.com/Whonix/anon-meta-packages/commit/8d5e892d3b603bb1390d3c152f70f8b8e8bfefef [archive]
- Primarily due to incompatibility with v3 onions.
- https://forums.whonix.org/t/remove-ricochet-from-whonix/5009 [archive]
- https://forums.whonix.org/t/what-about-nyx/6380 [archive]
- nyx is actually the same project; just the name has changed and the presentation is very similar.
- http://phabricator.whonix.org/T798 [archive]
- https://phabricator.whonix.org/T817 [archive]
Using the Jitter RNG core, the rngd provides an entropy source that feeds into the Linux /dev/random device if its entropy runs low. ... Especially during boot time, when the entropy of Linux is low, the Jitter RNGd provides a source of sufficient entropy.
- https://phabricator.whonix.org/T848 [archive]
- https://forums.whonix.org/t/failed-failed-to-start-virtualbox-guest-utils/5975/4 [archive]
- https://forums.whonix.org/t/reducing-size-of-ova-images/5095 [archive]
- https://phabricator.whonix.org/T886 [archive]
- https://github.com/Whonix/grub-default-live [archive]
- https://github.com/Whonix/anon-meta-packages/pull/18 [archive]
- https://forums.whonix.org/t/installing-whonix-live-mode-in-all-distributed-images/6467 [archive]
- This means Non-Qubes-Whonix users can boot into live-mode out of the box, without needing to install it.
- https://phabricator.whonix.org/T825 [archive]
- Such as the root password, Whonix ™ home page and so on.
- https://forums.whonix.org/t/add-description-to-whonix-vbox-images/5828/1 [archive]
- https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271 [archive]
- https://phabricator.whonix.org/T782 [archive]
- The floppy and optical settings were disabled in both the Gateway and Workstation, while the Gateway audio was also disabled.
kloak is a privacy tool that makes keystroke biometrics less effective. This is accomplished by obfuscating the time intervals between key press and release events, which are typically used for identification. This project is experimental.
- https://forums.whonix.org/t/kloak-keystroke-anonymization-tool/7089 [archive]
- See recent pull requests here [archive].
- https://forums.whonix.org/t/kernel-hardening/7296/9 [archive]
- The specific changes include:
Kernel symbols in /proc/kallsyms are hidden to prevent malware from reading them and using them to learn more about what to attack on your system.
Kexec is disabled as it can be used for live patching of the running kernel.
The BPF JIT compiler is restricted to the root user and is hardened.
ASLR effectiveness for mmap is increased.
The ptrace system call is restricted to the root user only.
The TCP/IP stack is hardened.
This package makes some data spoofing attacks harder.
SACK is disabled as it is commonly exploited and is rarely used.
This package disables the merging of slabs of similar sizes to prevent an attacker from exploiting them.
Sanity checks, redzoning, and memory poisoning are enabled.
The kernel now panics on uncorrectable errors in ECC memory which could be exploited.
Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness.
SMT is disabled as it can be used to exploit the MDS vulnerability.
All mitigations for the MDS vulnerability are enabled.
DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have unknown vulnerabilities.
- https://phabricator.whonix.org/T883 [archive]
- https://github.com/QubesOS/qubes-template-configs/pull/6/commits/d4f429669b849fc73973e2e557a24cceab47c45e [archive]
- https://github.com/QubesOS/qubes-builder/pull/82/commits/64a661241430c6a22ca98bb11370b2a3e3cf0e12 [archive]
- https://github.com/QubesOS/qubes-issues/issues/4957 [archive]
- https://github.com/Whonix/qubes-whonix/commit/8d8ab41bbf9c7fa63f3e79b8511d439efe33caeb [archive]
- https://github.com/Whonix/qubes-whonix/commit/c08dfed97cfba369ff753b4d96755b47240fffb2 [archive]
- https://github.com/QubesOS/qubes-issues/issues/4918 [archive]
- Neither are backups of Tor Browser maintained anymore; previously three backups were stored.
- https://phabricator.whonix.org/T858 [archive]
- timesync-fail-closed means sdwdate did not succeed yet. Networking for all but Tor and sdwdate should still be locked in this scenario.
- https://forums.whonix.org/t/whonix-virtualbox-15-0-0-4-9-point-release/8076 [archive]
- https://forums.whonix.org/t/whonix-kvm-15-0-0-4-9-point-release/8096 [archive]
- https://github.com/Whonix/Whonix/commit/5067d7eca6cfb36b71fe62ff7f3461f87bcdb3f6 [archive]
- https://forums.whonix.org/t/apt-get-error-e-repository-tor-https-cdn-aws-deb-debian-org-debian-security-buster-updates-inrelease-changed-its-suite-value-from-testing-to-stable/7704 [archive]
- In favor of sdwdate-gui. whonixcheck connectivity check code checks Tor as well as sdwdate. Due to slow Tor/onion speed it often times out. Improving that code is difficult, so sdwdate-gui is used instead as a solution that provides better visual feedback to users.
- By default, Debian utilizes User Private Groups (UPG) [archive]. Also see: /usr/share/pam-configs/usergroups-security-misc
- For example, this affects those running “chmod o-rwx /home/user” during package installation or an upgrade.
- This is only performed once for each folder in the parent /home folder, so users who wish to relax file permissions can do so. This action protects files in the user's home folder which were previously created with lax file permissions prior to the installation of this package.
- See: unlock instructions. This means it is possible to have short, easy-to-remember, "weak" passwords for the user
useraccount, while still preventing compromised non-root users from bruteforcing it.
- This makes it harder to load a malicious module.
- See: /etc/modprobe.d/uncommon-network-protocols.conf
- Forum discussion [archive].
- See: debian/security-misc.postinst
- See: KVM Command Line Interface (CLI)
- This does not yet apply to Qubes-Whonix.
- Qubes issue [archive].
- This is a purposeful security feature and there are no user freedom restrictions; read more here.
- See: gpg --recv-keys fails / no longer use keyservers for anything [archive].
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)