Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected.
www.securityfocus.com/bid/101665
www.securitytracker.com/id/1041610
access.redhat.com/errata/RHSA-2018:2692
access.redhat.com/errata/RHSA-2018:2693
access.redhat.com/errata/RHSA-2018:3403
access.redhat.com/errata/RHSA-2018:3458
blog.torproject.org/tor-browser-709-released
bugzilla.mozilla.org/show_bug.cgi?id=1412081
lists.debian.org/debian-lts-announce/2018/11/msg00011.html
security.gentoo.org/glsa/201810-01
security.gentoo.org/glsa/201811-13
trac.torproject.org/projects/tor/ticket/24052
www.bleepingcomputer.com/news/security/tormoil-vulnerability-leaks-real-ip-address-from-tor-browser-users/
www.debian.org/security/2018/dsa-4327
www.wearesegment.com/research/tormoil-torbrowser-unspecified-critical-security-vulnerability/