Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use
Utilizing sandbox release 0.6, the first startup asks which channel to utilize. If selecting alpha, Tor Browser 7.0a3 is downloaded instead of the latest 7.0a4. This appears to be because the JSON published URLs are not kept up to date. This has been a bug in the past too with respect to outdated or wrong JSON listings. This should probably be fixed so that users are not put in jeopardy of downloading a vulnerable version in the future.
install: Metadata URL: https://aus1.torproject.org/torbrowser/update_2/alpha/downloads.json
As you can see, the metadata URL is not updated and therefore the older version is downloaded, putting the Tor user potentially at risk due to running an outdated or insecure older release.
Trac:
Username: 6h72Q484AddGha8H
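
A client-side check for the stale-metadata condition reported above, as an added example that is not part of the original ticket or of the sandbox's code. It assumes the metadata carries a top-level `version` field; the sample JSON and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample metadata; the field layout is an assumption for this example.
SAMPLE_METADATA = json.dumps({
    "version": "7.0a3",
    "downloads": {"linux64": {"en-US": {
        "binary": "https://example.invalid/tor-browser-linux64-7.0a3_en-US.tar.xz"}}},
})

# Matches 7.0a3, 7.0a4, 7.0, 7.0.1: dotted numbers with an optional alpha suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:a(\d+))?$")


def version_key(version):
    """Sort key that orders alphas before the stable release of the same number."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()  # treat 7.0 and 7.0.0 as the same release
    if m.group(2) is None:
        return (tuple(numbers), 1, 0)          # stable release
    return (tuple(numbers), 0, int(m.group(2)))  # alpha N of that release


def check_metadata(raw_json, newest_known):
    """Return (offered_version, ok).

    ok is False when the metadata offers something older than newest_known,
    a version the caller already learned about from another source (a
    previous run's stored state, or the release announcement).
    """
    offered = json.loads(raw_json)["version"]
    return offered, version_key(offered) >= version_key(newest_known)


if __name__ == "__main__":
    offered, ok = check_metadata(SAMPLE_METADATA, "7.0a4")
    print(f"metadata offers {offered}; acceptable: {ok}")
```
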