Merge branch 'web/release-4.9' (Closes: #17833)

Conflicts:
	wiki/src/contribute/how/documentation/release_notes/template.mdwn

config/chroot_local-includes/usr/local/lib/tails-shell-library/po.sh

+# shellcheck shell=sh
 # This shell library is meant to be used with `set -e` and `set -u`.
 
 po_languages () {

config/chroot_local-includes/usr/local/lib/tails-spoof-mac

@@ -14,6 +14,10 @@ set -u
 # Get LIVE_USERNAME
 . /etc/live/config.d/username.conf
 
+# Get LANG
+. /etc/default/locale
+export LANG
+
 . /usr/bin/gettext.sh
 TEXTDOMAIN="tails"
 export TEXTDOMAIN
@@ -49,7 +53,7 @@ notify_panic_success() {
     local nic_name
     nic="${1}"
     nic_name="${2}"
-    show_notification "`gettext \"Network card \\\${nic} disabled\"`" \
+    show_notification "`eval_gettext \"Network card \\\${nic} disabled\"`" \
 "`eval_gettext \"MAC spoofing failed for network card \\\${nic_name} (\\\${nic}) so it is temporarily disabled.
 You might prefer to restart Tails and disable MAC spoofing.\"`"
 }
@@ -139,7 +143,8 @@ done
 # point we have to take some drastic measures in order to prevent
 # potential leaks.
 if [ -z "${OLD_MAC:-}" ] || [ -z "${NEW_MAC:-}" ] || \
-   [ "${OLD_MAC:-}" = "${NEW_MAC:-}" ]
+   [ "${OLD_MAC:-}" = "${NEW_MAC:-}" ] || \
+   grep -qs -w 'debug=test_mac_spoof_panic' /proc/cmdline
 then
     log "Failed to spoof MAC address of NIC ${NIC}. Going into panic mode."
     if ! mac_spoof_panic "${NIC}"; then

config/chroot_local-includes/usr/local/sbin/live-persist

@@ -2,13 +2,13 @@
 
 error ()
 {
-	echo "error: ${@}" >&2
+	echo "error: ${*}" >&2
 	exit 1
 }
 
 warning ()
 {
-	echo "warning: ${@}" >&2
+	echo "warning: ${*}" >&2
 }
 
 # import Cmdline_old()
@@ -131,13 +131,13 @@ migrate_persistence_preset()
 # We override live-boot's logging facilities to get more useful error messages
 log_warning_msg ()
 {
-	warning ${@}
+	warning "${@}"
 }
 
 # We override live-boot's panic() since it does a lot of crazy stuff
 panic ()
 {
-	error ${@}
+	error "${@}"
 }
 
 list_gpt_volumes ()
@@ -567,7 +567,7 @@ main ()
 			list_gpt_volumes ${labels}
 			;;
 		activate|close)
-			if ! echo ${@} | grep -qe "[^[:space:]]"
+			if ! echo "${@}" | grep -qe "[^[:space:]]"
 			then
 				error "you must specify at least one volume"
 			fi
@@ -582,4 +582,4 @@ main ()
 	esac
 }
 
-main ${@}
+main "${@}"

config/chroot_local-includes/usr/share/tails/build/thunderbird-patches/Add-pref-for-whether-to-accept-plaintext-protocols-d.patch

-From: intrigeri <intrigeri@boum.org>
-Date: Sun, 16 Feb 2020 09:29:00 +0000
-Subject: [PATCH] Add pref for whether to accept plaintext protocols during
- autoconfiguration.
-
-Author: anonym <anonym@riseup.net>
----
- comm/mail/components/accountcreation/content/readFromXML.js | 10 ++++++++++
- comm/mailnews/mailnews.js                                   |  6 ++++++
- 2 files changed, 16 insertions(+)
-
-diff --git a/comm/mail/components/accountcreation/content/readFromXML.js b/comm/mail/components/accountcreation/content/readFromXML.js
-index 780229f..6a9fef9 100644
---- a/comm/mail/components/accountcreation/content/readFromXML.js
-+++ b/comm/mail/components/accountcreation/content/readFromXML.js
-@@ -34,6 +34,8 @@ function readFromXML(clientConfigXML) {
-   }
-   var allow_oauth2 =
-     Services.prefs.getBoolPref("mailnews.auto_config.account_constraints.allow_oauth2");
-+  var ssl_only =
-+    Services.prefs.getBoolPref("mailnews.auto_config.sslOnly");
-   var exception;
-   if (
-     typeof clientConfigXML != "object" ||
-@@ -115,6 +117,10 @@ function readFromXML(clientConfigXML) {
-       }
-       exception = null;
- 
-+      if (ssl_only && iO.socketType == 1) {
-+        continue;
-+      }
-+
-       for (let iXauth of array_or_undef(iX.$authentication)) {
-         try {
-           iO.auth = sanitize.translate(iXauth, {
-@@ -257,6 +263,10 @@ function readFromXML(clientConfigXML) {
-       }
-       exception = null;
- 
-+      if (ssl_only && oO.socketType == 1) {
-+        continue;
-+      }
-+
-       for (let oXauth of array_or_undef(oX.$authentication)) {
-         try {
-           oO.auth = sanitize.translate(oXauth, {
-diff --git a/comm/mailnews/mailnews.js b/comm/mailnews/mailnews.js
-index 8f598b2..7dda1ad 100644
---- a/comm/mailnews/mailnews.js
-+++ b/comm/mailnews/mailnews.js
-@@ -969,6 +969,12 @@ pref("mailnews.auto_config.guess.sslOnly", false);
- pref("mailnews.auto_config.guess.timeout", 10);
- // Whether we allow fetched configurations using OAuth2.
- pref("mailnews.auto_config.account_constraints.allow_oauth2", true);
-+// Whether we allow fetched account configurations that employs
-+// non-SSL/TLS protocols. With this option set, insecure
-+// configurations are never presented to the user; with this option
-+// unset, users picking an insecure configuration will get a warning
-+// and have to opt-in.
-+pref("mailnews.auto_config.sslOnly", false);
- // Work around bug 1454325 by disabling mimetype mungling in XmlHttpRequest
- pref("dom.xhr.standard_content_type_normalization", false);
- 

config/chroot_local-includes/usr/share/tails/build/thunderbird-patches/Add-pref-for-whether-we-accept-OAuth2-during-autocon.patch

@@ -16,11 +16,9 @@ Original author: anonym <anonym@riseup.net>
  comm/mailnews/mailnews.js                          |  2 +
  3 files changed, 49 insertions(+), 30 deletions(-)
 
-diff --git a/comm/mail/components/accountcreation/content/emailWizard.js b/comm/mail/components/accountcreation/content/emailWizard.js
-index 3780792..86bef64 100644
 --- a/comm/mail/components/accountcreation/content/emailWizard.js
 +++ b/comm/mail/components/accountcreation/content/emailWizard.js
-@@ -1432,21 +1432,23 @@ EmailConfigWizard.prototype = {
+@@ -1515,21 +1515,23 @@
      }
      this.fillPortDropdown(config.incoming.type);
  
@@ -59,7 +57,7 @@ index 3780792..86bef64 100644
      }
  
      // outgoing server
-@@ -1471,21 +1473,23 @@ EmailConfigWizard.prototype = {
+@@ -1554,21 +1556,23 @@
        this.adjustOutgoingPortToSSLAndProtocol(config);
      }
  
@@ -98,11 +96,9 @@ index 3780792..86bef64 100644
      }
  
      // populate fields even if existingServerKey, in case user changes back
-diff --git a/comm/mail/components/accountcreation/content/readFromXML.js b/comm/mail/components/accountcreation/content/readFromXML.js
-index 8c7ecdd..780229f 100644
 --- a/comm/mail/components/accountcreation/content/readFromXML.js
 +++ b/comm/mail/components/accountcreation/content/readFromXML.js
-@@ -32,6 +32,8 @@ function readFromXML(clientConfigXML) {
+@@ -32,6 +32,8 @@
    function array_or_undef(value) {
      return value === undefined ? [] : value;
    }
@@ -111,7 +107,7 @@ index 8c7ecdd..780229f 100644
    var exception;
    if (
      typeof clientConfigXML != "object" ||
-@@ -126,6 +128,12 @@ function readFromXML(clientConfigXML) {
+@@ -126,6 +128,12 @@
              NTLM: Ci.nsMsgAuthMethod.NTLM,
              OAuth2: Ci.nsMsgAuthMethod.OAuth2,
            });
@@ -124,7 +120,7 @@ index 8c7ecdd..780229f 100644
            break; // take first that we support
          } catch (e) {
            exception = e;
-@@ -269,6 +277,11 @@ function readFromXML(clientConfigXML) {
+@@ -269,6 +277,11 @@
              OAuth2: Ci.nsMsgAuthMethod.OAuth2,
            });
  
@@ -136,11 +132,9 @@ index 8c7ecdd..780229f 100644
            break; // take first that we support
          } catch (e) {
            exception = e;
-diff --git a/comm/mailnews/mailnews.js b/comm/mailnews/mailnews.js
-index bde86d3..8f598b2 100644
 --- a/comm/mailnews/mailnews.js
 +++ b/comm/mailnews/mailnews.js
-@@ -967,6 +967,8 @@ pref("mailnews.auto_config.guess.enabled", true);
+@@ -967,6 +967,8 @@
  pref("mailnews.auto_config.guess.sslOnly", false);
  // The timeout (in seconds) for each guess
  pref("mailnews.auto_config.guess.timeout", 10);

config/chroot_local-includes/usr/share/tails/build/thunderbird-patches/Avoid-local-timestamp-disclosure-in-Date-header.patch

@@ -13,11 +13,9 @@ https://www.mozilla.org/en-US/MPL/
  comm/mailnews/mime/jsmime/jsmime.js | 42 +++++++++++++++++++++++++++++--------
  2 files changed, 40 insertions(+), 9 deletions(-)
 
-diff --git a/comm/mailnews/mailnews.js b/comm/mailnews/mailnews.js
-index 7dda1ad..2673c8b 100644
 --- a/comm/mailnews/mailnews.js
 +++ b/comm/mailnews/mailnews.js
-@@ -1029,3 +1029,10 @@ pref("mail.imap.qos", 0);
+@@ -1029,3 +1029,10 @@
  
  // PgpMime Addon
  pref("mail.pgpmime.addon_url", "https://addons.mozilla.org/addon/enigmail/");
@@ -28,11 +26,9 @@ index 7dda1ad..2673c8b 100644
 +// local time zone. These measures are taken to make tracking
 +// the user across accounts more difficult.
 +pref("mail.mime.avoid_fingerprinting", false);
-diff --git a/comm/mailnews/mime/jsmime/jsmime.js b/comm/mailnews/mime/jsmime/jsmime.js
-index 75ee0c8..74183b8 100644
 --- a/comm/mailnews/mime/jsmime/jsmime.js
 +++ b/comm/mailnews/mime/jsmime/jsmime.js
-@@ -3450,9 +3450,34 @@
+@@ -3466,9 +3466,34 @@
          throw new Error("Cannot encode an invalid date");
        }
  
@@ -68,7 +64,7 @@ index 75ee0c8..74183b8 100644
          throw new Error("Date year is out of encodable range");
        }
  
-@@ -3460,7 +3485,6 @@
+@@ -3476,7 +3501,6 @@
        // the the 0-padding is done by hand. Note that the tzoffset we output is in
        // the form ±hhmm, so we need to separate the offset (in minutes) into an hour
        // and minute pair.
@@ -76,7 +72,7 @@ index 75ee0c8..74183b8 100644
        let tzOffHours = Math.abs(Math.trunc(tzOffset / 60));
        let tzOffMinutes = Math.abs(tzOffset) % 60;
        let tzOffsetStr =
-@@ -3471,15 +3495,15 @@
+@@ -3487,15 +3511,15 @@
        // Convert the day-time figure into a single value to avoid unwanted line
        // breaks in the middle.
        let dayTime = [

config/chroot_local-includes/usr/share/tails/build/thunderbird-patches/Avoid-spellchecking-language-disclosure-in-Content-Language-header.patch

@@ -7,11 +7,9 @@ Subject: [PATCH] Bug 1370217 - Avoid spellchecking language disclosure in
  comm/mail/components/compose/content/MsgComposeCommands.js | 7 ++++---
  1 file changed, 4 insertions(+), 3 deletions(-)
 
-diff --git a/comm/mail/components/compose/content/MsgComposeCommands.js b/comm/mail/components/compose/content/MsgComposeCommands.js
-index ba73704..170ca9c 100644
 --- a/comm/mail/components/compose/content/MsgComposeCommands.js
 +++ b/comm/mail/components/compose/content/MsgComposeCommands.js
-@@ -2868,9 +2868,10 @@ function ComposeStartup(aParams) {
+@@ -2868,9 +2868,10 @@
          // Update the language in the composition fields, so we can save it
          // to the draft next time.
          if (gMsgCompose && gMsgCompose.compFields) {

config/chroot_local-includes/usr/share/tails/build/thunderbird-patches/Fix-buggy-pref-for-disabling-MS-Exchange-autoconfig-.patch

@@ -23,11 +23,9 @@ when disabled either.
  .../content/exchangeAutoDiscover.js           | 10 ---
  2 files changed, 45 insertions(+), 46 deletions(-)
 
-diff --git a/comm/mail/components/accountcreation/content/emailWizard.js b/comm/mail/components/accountcreation/content/emailWizard.js
-index 3780792641a..0b53b0a498d 100644
 --- a/comm/mail/components/accountcreation/content/emailWizard.js
 +++ b/comm/mail/components/accountcreation/content/emailWizard.js
-@@ -677,44 +677,53 @@ EmailConfigWizard.prototype = {
+@@ -757,46 +757,55 @@
        );
        call.setAbortable(fetch);
  
@@ -66,7 +64,9 @@ index 3780792641a..0b53b0a498d 100644
 -        (e, allErrors) => {
 -          // Must call error callback in any case to stop the discover mode.
 -          let errorCallback = call.errorCallback();
--          if (allErrors && allErrors.some(e => e.code == 401)) {
+-          if (e instanceof CancelledException) {
+-            errorCallback(e);
+-          } else if (allErrors && allErrors.some(e => e.code == 401)) {
 -            // Auth failed.
 -            // Ask user for username.
 -            this.onStartOver();
@@ -95,7 +95,9 @@ index 3780792641a..0b53b0a498d 100644
 +          (e, allErrors) => {
 +            // Must call error callback in any case to stop the discover mode.
 +            let errorCallback = call.errorCallback();
-+            if (allErrors && allErrors.some(e => e.code == 401)) {
++            if (e instanceof CancelledException) {
++              errorCallback(e);
++            } else if (allErrors && allErrors.some(e => e.code == 401)) {
 +              // Auth failed.
 +              // Ask user for username.
 +              this.onStartOver();
@@ -117,11 +119,9 @@ index 3780792641a..0b53b0a498d 100644
      } catch (e) {
        // e.g. when entering an invalid domain like "c@c.-com"
        this.showErrorMsg(e);
-diff --git a/comm/mail/components/accountcreation/content/exchangeAutoDiscover.js b/comm/mail/components/accountcreation/content/exchangeAutoDiscover.js
-index f9d2a6e0d3e..efe9966a600 100644
 --- a/comm/mail/components/accountcreation/content/exchangeAutoDiscover.js
 +++ b/comm/mail/components/accountcreation/content/exchangeAutoDiscover.js
-@@ -47,16 +47,6 @@ function fetchConfigFromExchange(
+@@ -48,16 +48,6 @@
  ) {
    assert(typeof successCallback == "function");
    assert(typeof errorCallback == "function");
@@ -138,6 +138,3 @@ index f9d2a6e0d3e..efe9966a600 100644
    // <https://technet.microsoft.com/en-us/library/bb124251(v=exchg.160).aspx#Autodiscover%20services%20in%20Outlook>
    // <https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-interoperability-guidance/hh352638(v%3Dexchg.140)>, search for "The Autodiscover service uses one of these four methods"
    let url1 =
--- 
-2.26.1
-

config/chroot_local-includes/usr/share/tails/build/thunderbird-patches/Make-use-of-non-SSL-Exchange-AutoDiscover-methods-op.patch

-From: anonym <anonym@riseup.net>
-Date: Wed, 27 Feb 2019 16:15:59 +0100
-Subject: [PATCH] Make use of non-SSL Exchange AutoDiscover methods optional.
-
-If an attacker does a MitM they can presumably modify the Exchange
-server's HTTP response to redirect to an attacker controller Exchange
-server instead. So let's provide protection against this via the
-mailnews.auto_config.sslOnly pref.
----
- .../accountcreation/content/exchangeAutoDiscover.js  | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/comm/mail/components/accountcreation/content/exchangeAutoDiscover.js b/comm/mail/components/accountcreation/content/exchangeAutoDiscover.js
-index f9d2a6e..4c3e1ce 100644
---- a/comm/mail/components/accountcreation/content/exchangeAutoDiscover.js
-+++ b/comm/mail/components/accountcreation/content/exchangeAutoDiscover.js
-@@ -127,15 +127,17 @@ function fetchConfigFromExchange(
-   fetch.start();
-   call.setAbortable(fetch);
- 
--  call = priority.addCall();
--  fetch3 = new FetchHTTP(
--    url3,
--    callArgs,
--    call.successCallback(),
--    call.errorCallback()
--  );
--  fetch3.start();
--  call.setAbortable(fetch3);
-+  if (!Services.prefs.getBoolPref("mailnews.auto_config.sslOnly")) {
-+    call = priority.addCall();
-+    fetch3 = new FetchHTTP(
-+      url3,
-+      callArgs,
-+      call.successCallback(),
-+      call.errorCallback()
-+    );
-+    fetch3.start();
-+    call.setAbortable(fetch3);
-+  }
- 
-   // url3 is an HTTP URL that will redirect to the real one, usually a HTTPS
-   // URL of the hoster. XMLHttpRequest unfortunately loses the call

config/chroot_local-includes/usr/share/tails/build/thunderbird-patches/Prefer-fetched-configurations-using-SSL-over-plainte.patch

@@ -6,11 +6,9 @@ Subject: [PATCH] Prefer fetched configurations using SSL over plaintext.
  comm/mail/components/accountcreation/content/readFromXML.js | 10 ++++++++--
  1 file changed, 8 insertions(+), 2 deletions(-)
 
-diff --git a/comm/mail/components/accountcreation/content/readFromXML.js b/comm/mail/components/accountcreation/content/readFromXML.js
-index 76b553b..8c7ecdd 100644
 --- a/comm/mail/components/accountcreation/content/readFromXML.js
 +++ b/comm/mail/components/accountcreation/content/readFromXML.js
-@@ -100,7 +100,10 @@ function readFromXML(clientConfigXML) {
+@@ -100,7 +100,10 @@
              SSL: 2,
              STARTTLS: 3,
            });
@@ -22,7 +20,7 @@ index 76b553b..8c7ecdd 100644
          } catch (e) {
            exception = e;
          }
-@@ -233,7 +236,10 @@ function readFromXML(clientConfigXML) {
+@@ -233,7 +236,10 @@
              SSL: 2,
              STARTTLS: 3,
            });

config/chroot_local-includes/usr/share/tails/build/thunderbird-patches/series

 Prefer-fetched-configurations-using-SSL-over-plainte.patch
-Make-use-of-non-SSL-Exchange-AutoDiscover-methods-op.patch
 Add-pref-for-whether-we-accept-OAuth2-during-autocon.patch
-Add-pref-for-whether-to-accept-plaintext-protocols-d.patch
 Avoid-local-timestamp-disclosure-in-Date-header.patch
 Avoid-spellchecking-language-disclosure-in-Content-Language-header.patch
 Fix-buggy-pref-for-disabling-MS-Exchange-autoconfig-.patch

config/chroot_local-includes/usr/share/tails/tbb-dist-url.txt

-http://torbrowser-archive.tails.boum.org/9.5.1-build2/
+http://torbrowser-archive.tails.boum.org/9.5.3-build1/

config/chroot_local-includes/usr/share/tails/tbb-sha256sums.txt

-ad91c18306534c520eb56a5984efec8c62c83f119f9d462c3aae1429f645bba3  tor-browser-linux64-9.5.1_en-US.tar.xz
-718f46b1e8a8220f28c4624fba0435f70502e31dec1ce922d04898ea954755dc  langpacks-tor-browser-linux64-9.5.1.tar.xz
+648931503b886d687828df9730aa284b7c18303682cc82f06c9da4a734c81bcf  tor-browser-linux64-9.5.3_en-US.tar.xz
+537063d595009efee225a9dce43b1625f2dc055cc650eef5bfedff75ca154e22  langpacks-tor-browser-linux64-9.5.3.tar.xz

config/chroot_local-includes/usr/src/persistence-setup/features/Configuration.feature

@@ -50,7 +50,7 @@ Feature: configuration model
   Scenario: merge empty file with default presets
     Given the file is empty
     When I merge the presets and the file
-    Then the list of configuration atoms should contain 12 elements
+    Then the list of configuration atoms should contain 13 elements
     And there should be 1 enabled configuration line
 
   Scenario: merge non-empty file with enabled-by-default preset in
@@ -60,7 +60,7 @@ Feature: configuration model
       /home/amnesia/.myapp source=myapp
       """
     When I merge the presets and the file
-    Then the list of configuration atoms should contain 13 elements
+    Then the list of configuration atoms should contain 14 elements
     And there should be 2 enabled configuration lines
 
   Scenario: merge non-empty file with disabled-by-default preset in
@@ -70,5 +70,5 @@ Feature: configuration model
       /home/amnesia/.myapp source=myapp
       """
     When I merge the presets and the file
-    Then the list of configuration atoms should contain 13 elements
+    Then the list of configuration atoms should contain 14 elements
     And there should be 3 enabled configuration lines

config/chroot_local-includes/usr/src/persistence-setup/features/Step_Configure.feature

@@ -7,9 +7,9 @@ Feature: configure step
     Given I have a Configuration object
     And I have a Step::Configure object
     Then I should have a defined Step::Configure object
-    And the list of displayed settings should contain 11 elements
-    And the list of configuration atoms should contain 12 elements
-    And the list box should have 22 children including separators
+    And the list of displayed settings should contain 12 elements
+    And the list of configuration atoms should contain 13 elements
+    And the list box should have 24 children including separators
     And there should be 1 active setting
     And there should be 1 setting with a configuration button
     And every active setting's atoms should be enabled

config/chroot_local-includes/usr/src/persistence-setup/t/specs/Configuration.t

@@ -34,8 +34,8 @@ describe 'A configuration object' => sub {
         it 'has a GnuPG atom' => sub {
             is(scalar(grep { $_->destination eq '/home/amnesia/.gnupg' } $configuration->all_atoms), 1);
         };
-        it 'has 12 atoms' => sub {
-            is(scalar($configuration->all_atoms), 12);
+        it 'has 13 atoms' => sub {
+            is(scalar($configuration->all_atoms), 13);
         };
         it 'has 1 enabled atom' => sub {
             is(scalar($configuration->all_enabled_atoms), 1);
@@ -59,8 +59,8 @@ EOF
                 config_file_path => $config_filename
             );
         };
-        it 'has 13 atoms' => sub {
-            is(scalar($configuration->all_atoms), 13);
+        it 'has 14 atoms' => sub {
+            is(scalar($configuration->all_atoms), 14);
         };
         it 'has 4 enabled atoms' => sub {
             is(scalar($configuration->all_enabled_atoms), 4);

config/chroot_local-includes/usr/src/persistence-setup/t/specs/Configuration::Presets.t

@@ -17,8 +17,8 @@ describe 'A configuration presets object' => sub {
     it 'can return all presets' => sub {
         ok($presets->all);
     };
-    it 'has 11 elements' => sub {
-        is(scalar($presets->all), 11);
+    it 'has 12 elements' => sub {
+        is(scalar($presets->all), 12);
     };
     it 'has a GnuPG preset' => sub {
         is(scalar(grep { $_->{name} eq 'GnuPG' } $presets->all), 1);

debian/changelog

+tails (4.9) unstable; urgency=medium
+
+  * Security fixes
+    - Upgrade Tor Browser to 9.5.3-build1 (Closes: #17827).
+    - Upgrade Thunderbird to 1:68.10.0-1~deb10u1 (DSA-4718).
+    - Upgrade Linux to 5.7.0-1 at 5.7.6-1 (Closes: #17786).
+    - Upgrade Evolution Data Server to 3.30.5-1+deb10u1 (DSA-4725).
+    - Upgrade FFmpeg to 7:4.1.6-1~deb10u1 (DSA-4722).
+    - Upgrade ImageMagick to 8:6.9.10.23+dfsg-2.1+deb10u1 (DSA-4712).
+    - Upgrade NSS to 2:3.42.1-1+deb10u3 (DSA-4726).
+    - Upgrade OpenMPT to 2:3.42.1-1+deb10u3 (DSA-4729).
+    - Upgrade WebKitGTK to 2.28.3-2~deb10u1 (DSA-4724).
+
+  * Bugfixes
+    - Fix quoting issue triggering problems with some administration
+      passwords (Closes: #17792).
+    - Fix toram boot option by not starting the tails-shutdown-on-media-removal
+      service unit in that case (Closes: #17800).
+    - Fix keyboard setting handling in the greeter (Closes: #17794).
+    - Make sure log messages can be displayed by Plymouth, which has strict
+      limits, and improve parsing in tails-gdm-error-message (Closes: #17533).
+    - Upgrade firmware-linux and firmware-nonfree to 20200421-1.
+
+  * Minor improvements and updates
+    - Ensure MAC spoofing messages are translated (Closes: #17783).
+    - Improve failure handling for MAC spoofing (Closes: #17784).
+    - Trigger MAC spoofing "panic" mode when the debug=test_mac_spoof_panic boot
+      option is set.
+    - Upgrade VirtualBox guest modules to 6.1.12-dfsg-5.
+
+  * Build system
+    - Automate post-release GitLab updates, using gitlab-triage (Closes: #17589).
+    - Fix a lot of possible problems spotted by ShellCheck, thanks to Paul Wise.
+    - Stop installing custom firmware: firmware-realtek 20200421-1 includes it
+      (See: #17786, #17323).
+    - Update Thunderbird patches (Closes: #6156, #17808).
+    - Bump snapshot of the Debian archive to 2020071801 (Closes: #17786).
+
+  * Test suite
+    - Add shell-special chars to passwords (See: #17792).
+    - Always test the Unsafe Browser in Farsi.
+    - Fix support for symlinks (Closes: #17547).
+    - Update persistence-setup test suite for a new preset in Welcome Screen
+      settings.
+    - Drop Thunderbird POP3 test.
+    - Make the "the Tor Browser has started" step stricter.
+    - Improve error output when the Unsafe Browser fails to start in some locale.
+
+ -- Tails developers <tails@boum.org>  Mon, 27 Jul 2020 09:03:10 +0200
+
 tails (4.8) unstable; urgency=medium
 
   * Major changes

features/mac_spoofing.feature

@@ -32,8 +32,6 @@ Feature: Spoofing MAC addresses
     And the 2nd network device has a spoofed MAC address configured
     And no network device leaked the real MAC address
 
-  #10774
-  @fragile
   Scenario: MAC address spoofing fails and macchanger returns false
     Given I have started Tails from DVD without network and stopped at Tails Greeter's login screen
     And I capture all network traffic
@@ -42,11 +40,8 @@ Feature: Spoofing MAC addresses
     When I log in to a new session
     Then no network interfaces are enabled
     And no network device leaked the real MAC address
-    # XXX: workaround for #11941
-    And I see the "Network card  disabled" notification after at most 60 seconds
+    And I see the "Network card eth0 disabled" notification after at most 60 seconds
 
-  #10774
-  @fragile
   Scenario: MAC address spoofing fails and macchanger returns true
     Given I have started Tails from DVD without network and stopped at Tails Greeter's login screen
     And I capture all network traffic
@@ -55,11 +50,8 @@ Feature: Spoofing MAC addresses
     When I log in to a new session
     Then no network interfaces are enabled
     And no network device leaked the real MAC address
-    # XXX: workaround for #11941
-    And I see the "Network card  disabled" notification after at most 60 seconds
+    And I see the "Network card eth0 disabled" notification after at most 60 seconds
 
-  #10774
-  @fragile
   Scenario: MAC address spoofing fails and the module is not removed
     Given I have started Tails from DVD without network and stopped at Tails Greeter's login screen
     And I capture all network traffic