Whonix VirtualBox 15.0.0.4.9 - Point Release

This is a point release.

(Same as Whonix VirtualBox 15.0.0.4.9 - Release Candidate - Testers Wanted!)

Download:

Alternatively, in-place release upgrade is possible.

Notable Changes:

• Mostly same as Whonix VirtualBox 15.0.0.3.9 - Testers Wanted! - Stronger Linux User Account Isolation and more Hardening but change default umask removed and replaced with better solution permission lockdown (linux pam based).

• tb-starter bug fixed.

• Upgraded Hardened Malloc to version 2 and switched to compile with clang rather than gcc as per upstream preference.

• msgcollector mount option hardening

• Bluetooth is blacklisted to reduce attack surface.

• Requires every module to be signed before being loaded. Any module that isunsigned or signed with an invalid key cannot be loaded. This makes it harder to load a malicious module.

• Abort login for users with locked passwords [security-misc]

• informational output during Linux PAM [security-misc]

  • Show failed and remaining password attempts.
    to read and write to newly created files.
  • Document unlock procedure if Linux user account got locked.
  • Point out, that there is no password feedback for su.
  • Explain locked (root) account if locked.

• remove system.map after kernel upgarde

• abort login without asking for password if it will fail anyhow

• apt-get error - E: Repository 'tor+https://cdn-aws.deb.debian.org/debian-security buster/updates InRelease' changed its 'Suite' value from 'testing' to 'stable' fixed

Full difference of all changes:

https://github.com/Whonix/Whonix/compare/15.0.0.3.9-developers-only...15.0.0.4.9-developers-only

This release would not have been possible without the numerous supporters of Whonix!

Please Donate!

Two things I noticed:

1. Tor browser does not show the “NoScript” button anymore. We can’t enable specific scripts on a site while on the “Safest” mode as was possible in the past (very useful feature I’d say).

2. Clicking on the File Manager icon and trying to access an encrypted usb prompts a window for the password (so far so good) but when password is entered, nothing happens. No errors and the USB doesn’t get decrypted or mounted. I successfully accessed it through the terminal (using cryptsetup and mount). This feature was working on Whonix 14 if cryptsetup is installed by user. I’d guess it has something to do with permissions of File Manager.

Not Whonix decision as per: Frequently Asked Questions - Whonix FAQ

I’m running the same version of Tor Browser in Whonix 15 and 14 (8.5.5). In Whonix 14 it’s visible, in Whonix 15 it isn’t. Not something to do with

?

No. add Tor Browser first startup popup to ask whether security slider should be set to safest explains very verbose what it does. When user clicks “no” it does exactly nothing. This can be verified by running the torbrowser script in verbose mode. bash -x torbrowser as it shows any command that is run.

Frequently Asked Questions - Whonix ™ FAQ references a ton of tickets. NoScript menu was really removed by Tor Browser developers.

I see, I overlooked it. That’s a pity. Reducing security level isn’t parellel to enabling scripts, especially when you want to allow some that are absolutely neccessary for a site to function and block some third party scripts that aren’t. If it’s considered safe to drag the button back using the “Customize” option I guess it’s not a big issue then.

I hope this is in the right place; in the Workstation iptables ruleset, filter table, output chain, there appears to be a duplicate rule

-A OUTPUT -p udp -d 10.152.152.10 --dport 53 -j ACCEPT
it appears twice; since iptables parses in order, is it supposed to be there?
best viewed with command: sudo iptables -v -n -L
just wanted to let you guys know

That shouldn’t have adverse effects (overlooking negligible performance reduction) and is there for simplicity of the firewall script.

Excellent, thanks for the clarification;
As an aside I think the rules used in both the Gateway and Workstation are really superb. I use many of them on my host machine