Whonix for VirtualBox

Download Whonix for VirtualBox:

This is a point release.

Upgrade

Alternatively, in-place release upgrade is possible upgrade using Whonix repository.

Please Donate!

Please Contribute!

This release would not have been possible without the numerous supporters of Whonix!

Highlights

• onion v3 ready
• Tor updated to 0.4.5.9
• Tor Browser updated to 10.5
• VirtualBox 6.1.22 compatibility
• sdwdate time sources refurbished for exclusive use of onion v3
• Mac M1 / UTM architecture support development
• Linux KVM arm64 architecture support development

Please Donate!

Please Contribute!

Notable Changes

• anon-apps-config
  • disable gpg default key servers https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607/8
  • remove SecBrowser code since deprecated
• anon-apt-sources-list
  • remove extra spaces
  • fixes - do not enable deb-src by default - comments consistency Thanks to @nurmagoz for the bug report!
  • use same format as https://onion.debian.org
  • remove trailing slash (“/”) from Debian security repository since not used on https://onion.debian.org either
  • update to onion v3 https://onion.debian.org
• anon-connection-wizard
  • fix default bridges Thanks to @Time-Warp for the bug report! https://forums.whonix.org/t/anon-connection-wizard-crash/11782
• anon-meta-packages
  • split repository-dist GUI / CLI dependencies https://forums.whonix.org/t/kicksecure-minimal-version/11613/4
• anon-shared-build-apt-sources-tpo
  • update comment to deb.torproject.org to onion v3 http://web.archive.org/web/20210421073511/http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/
• apparmor-profile-everything
  • Fix various denial errors (Thanks to madaidan!)
• apparmor-profile-torbrowser
  • remove SecBrowser code since deprecated
• binaries-freedom
  • add ThomasV signing key
  • add SomberNight signing key
  • update to version 4.1.4
• hardened-kernel
  • Enable CONFIG_KPROBES (Thanks to madaidan!)
  • Revert “Optionally enable kprobes/ftrace for LKRG support” This reverts commit 629b62475455ce5ef073e6ba8b970ea76ade88a0. (Thanks to madaidan!)
• helper-scripts
  • add initramfs-debug-enable debugging tool which enables xtrace (set -x)
  • Remove unnecessary cat call (Thanks to madaidan!)
  • Remove unnecessary cat calls (Thanks to madaidan!)
  • Disable running anondate-get as diagnostic utility since it can currently not be run due to no new privs apparmor issues with sdwdate apparmor profile. This AppArmor bug is likely fixed in Debian bullseye.
• kicksecure-meta-packages
  • remove os-prober from non-qubes-vm-enhancements-cli since only useful for multi boot which is rarely done inside VMs since it can cause build issues
  • split repository-dist GUI / CLI dependencies https://forums.whonix.org/t/kicksecure-minimal-version/11613/4
  • remove SecBrowser code since deprecated
• onion-grater
  • Add Wahay profile (Thanks to Jeremy Rand!)
  • Add changes for arm64 (Thanks to Gavin Pacini!)
• open-link-confirmation
  • remove SecBrowser code since deprecated
• repository-dist
  • reduce dependencies for CLI version split dependencies into repository-dist (CLI) and repository-dist-wizard (GUI) https://forums.whonix.org/t/kicksecure-minimal-version/11613
• sandbox-app-launcher
  • Remove if statement when copying wrapper-script-wx (Thanks to madaidan!)
  • Check for wrapper-script-wx (Thanks to madaidan!)
  • Fix AppArmor (Thanks to madaidan!)
  • Add option to list all currently configured sandboxes (Thanks to madaidan!)
  • pass app_user to bwrap-wrapper
  • pass variables to bwrap-wrapper
  • proper whitespace handling
  • proper quoting for multiple parameter support
  • add usr/share/sandbox-app-launcher/bwrap-wrapper
  • initial unfinished bwrap-wrapper implementation https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008/359
• sdwdate
  • ported to onion v3
    • removed all onion v2 onion sources
    • ported to onion v3 onion sources
    • Suggest Trustworthy Tor Hidden Services as Time Sources for sdwdate - #176 by nurmagoz
    • Thanks to @nurmagoz for editing the onion sources configuration and suggestions as well as @Perestroika, @torjunkie for suggestions!
    • sdwdate Time Sources Criteria - #4 by Patrick
  • restore to MAX_FAILURE_RATIO=0.34 since enough onion v3s available https://forums.whonix.org/t/suggest-trustworthy-tor-hidden-services-as-time-sources-for-sdwdate/856/191
  • add /usr/share/sdwdate/onion_test_confirm a script to check if onions correspond to archived link
  • moved comment field rules to https://www.whonix.org/wiki/Sdwdate#Comment_Field_Rules
  • change onion source comment format, archived link first
  • more human readable format
  • config test
  • arm64 architecture support fixes (Thanks to madaidan!)
  • fix onion_tester
  • Split arch-specific syscalls from the base whitelist (Thanks to madaidan!)
  • MAX_FAILURE_RATIO=0.7 https://forums.whonix.org/t/suggest-trustworthy-tor-hidden-services-as-time-sources-for-sdwdate/856/191
  • One more SystemCallFilter syscall for arm64 (Thanks to Gavin Pacini!)
  • Extra SystemCallFilter syscalls required for restarting sdwdate on arm64 (Thanks to Gavin Pacini!)
  • fix systemd sandboxing for arm64 platform (Thanks to Gavin Pacini!)
  • fix systemd sandboxing for powerpc64 / ppc64el platform https://forums.whonix.org/t/apply-systemd-sandboxing-by-default-to-some-services/7590/58
• sdwdate-gui
  • port from tor-control-status tor_status to anon-connection-wizard fix minor confusing log output https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/83
• security-misc
  • pam-abort-on-locked-password: more descriptive error handling https://forums.whonix.org/t/restrict-root-access/7658/1
  • https://forums.whonix.org/t/restrict-root-access/7658/116
  • Restrict sudo’s file permissions (Thanks to madaidan!)
  • config-package-dev displace /etc/dkms/framework.conf https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
  • modify DKMS configuration file /etc/dkms/framework.conf Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. parallel_jobs=1 This does not necessarily belong into security-misc, however likely security-misc will need to modify /etc/dkms/framework.conf in the future to enable kernel module signing. https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
  • add /etc/dkms/framework.conf.security-misc original, from - https://github.com/dell/dkms/blob/master/dkms_framework.conf - https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
• systemcheck
  • improved text Thanks to @torjunkie! https://forums.whonix.org/t/one-time-popup-notification-of-whonix-15-deprecation-once-whonix-16-was-released/11720/3
  • add check for deprecated derivative (Whonix or Kicksecure) versions https://forums.whonix.org/t/one-time-popup-notification-of-whonix-15-deprecation-once-whonix-16-was-released/11720
  • Kicksecure compatibility
  • fix telling if Tor is disabled
  • Added Package Manager Consistency Check. Report if output of command dpkg --audit is non-empty, which would indicate in most cases a previously interrupted upgrade.
  • reorder tests
  • Fix AppArmor profile for ppc64le (Thanks to Jeremy Rand!)
• tb-default-browser
  • remove SecBrowser code since deprecated
• tb-starter
  • remove SecBrowser specific code since deprecated
  • add custom user.js support
  • Tor Browser Integration
• tb-updater
  • alpha tbb_hardcoded_version=“10.5a16”
  • tbb_hardcoded_version=“10.0.18”
  • use Heikki Lindholm gpg signing key for digital signature verification of arm64 builds from sourceforge.net created by Heikki Lindholm https://forums.whonix.org/t/arm64-tor-browser-maintainer/11786
  • add Heikki Lindholm gpg signing key for arm64 builds https://forums.whonix.org/t/arm64-tor-browser-maintainer/11786
  • arm64 port
  • arm64 platform support https://forums.whonix.org/t/arm64-tor-browser/11806 https://forums.whonix.org/t/arm64-tor-browser-maintainer/11786
  • update signing key https://forums.whonix.org/t/tor-browser-downloader-gpg-download-signature-could-not-be-verified/11794
  • fix DispVM mounting Thanks to @froalker for the bug report! https://github.com/Whonix/tb-updater/commit/ab0143d84c018563d553a124ca05adac9e79419a#r51740265
  • update to Tor Project onion v3 for --onion
• tirdad
  • Load tirdad before LKRG so LKRG does not judge tirdad to be malicious. /etc/modprobe.d/30-tirdad.conf softdep p_lkrg pre: tirdad Imported from lkrg package since it does not belong there and since Debian packaging for LKRG is now provided by upstream.
• tor-control-panel
  • remove obfs2, obfs3
  • same default bridges as ACW
• whonix-developer-meta-files
  • prepare_release: add libvirt raw image support and multiple platform support
• whonix-firewall
  • Fix denial errors (Thanks to madaidan!)
• whonix-libvirt
  • add UTM configs (Thanks to GavinPacini!)
• Whonix Build Script
  • ported onion support from onion v2 to onion v3
  • Mac M1 / arm64 architecture support development by @GavinPacini
• anon-ws-disable-stacked-tor
  • fix "Firefox is offline" messages in Tor Browser 10.5a17 and above by · Whonix/anon-ws-disable-stacked-tor@73a4e81 · GitHub

Full difference of all changes

https://github.com/Whonix/Whonix/compare/15.0.1.7.3-developers-only...15.0.1.9.2-developers-only

(This forum post was previously a call for testers. No release critical bugs where found during the testing period. This forum post was therefore transformed into a stable release announcement. See edit history.)