From: Fabian Keil
Date: Sun, 17 Jan 2016 14:31:21 +0000 (+0000)
Subject: Update announcement for Privoxy 3.0.24 stable
X-Git-Tag: v_3_0_24~23
X-Git-Url: http://www.privoxy.org/gitweb/%22https:/developer-manual/faq/static/user-manual/quickstart.html?a=commitdiff_plain;h=388adef56f800c8aefee9d1f488aa1718a9cc970;p=privoxy.git

Update announcement for Privoxy 3.0.24 stable
---

diff --git a/doc/webserver/announce.txt b/doc/webserver/announce.txt
index 507b51e3..08eede0f 100644
--- a/doc/webserver/announce.txt
+++ b/doc/webserver/announce.txt
@@ -1,54 +1,127 @@ - Announcing Privoxy 3.0.23 stable + Announcing Privoxy 3.0.24 stable -------------------------------------------------------------------- -Privoxy 3.0.23 stable is a bug-fix release, some of the fixed bugs -are security issues (CVE requests pending): +Privoxy 3.0.24 stable contains a couple of new features but is +mainly a bug-fix release. Two of the fixed bugs are security issues +(CVE requests pending) and may be used to remotely trigger crashes +on platforms that carefully check memory accesses (most don't). -------------------------------------------------------------------- ChangeLog for Privoxy -------------------------------------------------------------------- -*** Version 3.0.23 stable *** +- Security fixes (denial of service): + - Prevent invalid reads in case of corrupt chunk-encoded content. + Bug discovered with afl-fuzz and AddressSanitizer. + - Remove empty Host headers in client requests. + Previously they would result in invalid reads. + Bug discovered with afl-fuzz and AddressSanitizer. - Bug fixes: - - Fixed a DoS issue in case of client requests with incorrect - chunk-encoded body. When compiled with assertions enabled - (the default) they could previously cause Privoxy to abort(). - Reported by Matthew Daley. - - Fixed multiple segmentation faults and memory leaks in the - pcrs code. This fix also increases the chances that an invalid - pcrs command is rejected as such. Previously some invalid commands - would be loaded without error. Note that Privoxy's pcrs sources - (action and filter files) are considered trustworthy input and - should not be writable by untrusted third-parties. - - Fixed an 'invalid read' bug which could at least theoretically - cause Privoxy to crash. So far, no crashes have been observed. - - Compiles with --disable-force again. Reported by Kai Raven. - - Client requests with body that can't be delivered no longer - cause pipelined requests behind them to be rejected as invalid. 
- Reported by Basil Hussain. + - When using socks5t, send the request body optimistically as well. + Previously the request body wasn't guaranteed to be sent at all + and the error message incorrectly blamed the server. + Fixes #1686 reported by Peter Müller and G4JC. + - Fixed buffer scaling in execute_external_filter() that could lead + to crashes. Submitted by Yang Xia in #892. + - Fixed crashes when executing external filters on platforms like + Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@ + - Properly parse ACL directives with ports when compiled with HAVE_RFC2553. + Previously the port wasn't removed from the host and in case of + 'permit-access 127.0.0.1 example.org:80' Privoxy would try (and fail) + to resolve "example.org:80" instead of example.org. + Reported by Pak Chan on ijbswa-users@. + - Check requests more carefully before serving them forcefully + when blocks aren't enforced. Privoxy always adds the force token + at the beginning of the path, but would previously accept it anywhere + in the request line. This could result in requests being served that + should be blocked. For example in case of pages that were loaded with + force and contained JavaScript to create additionally requests that + embed the origin URL (thus inheriting the force prefix). + The bug is not considered a security issue and the fix does not make + it harder for remote sites to intentionally circumvent blocks if + Privoxy isn't configured to enforce them. + Fixes #1695 reported by Korda. + - Normalize the request line in intercepted requests to make rewriting + the destination more convenient. Previously rewrites for intercepted + requests were expected to fail unless $hostport was being used, but + they failed "the wrong way" and would result in an out-of-memory + message (vanilla host patterns) or a crash (extended host patterns). + Reported by "Guybrush Threepwood" in #1694. + - Enable socket lingering for the correct socket. 
+ Previously it was repeatedly enabled for the listen socket + instead of for the accepted socket. The bug was found by + code inspection and did not cause any (reported) issues. + - Detect and reject parameters for parameter-less actions. + Previously they were silently ignored. + - Fixed invalid reads in internal and outdated pcre code. + Found with afl-fuzz and AddressSanitizer. + - Prevent invalid read when loading invalid action files. + Found with afl-fuzz and AddressSanitizer. + - Windows build: Use the correct function to close the event handle. + It's unclear if this bug had a negative impact on Privoxy's behaviour. + Reported by Jarry Xu in #891. + - In case of invalid forward-socks5(t) directives, use the + correct directive name in the error messages. Previously they + referred to forward-socks4t failures. + Reported by Joel Verhagen in #889. - General improvements: - - If a pcrs command is rejected as invalid, Privoxy now logs - the cause of the problem as text. Previously the pcrs error - code was logged. - - The tests are less likely to cause false positives. + - Set NO_DELAY flag for the accepting socket. This significantly reduces + the latency if the operating system is not configured to set the flag + by default. Reported by Johan Sintorn in #894. + - Allow to build with mingw x86_64. Submitted by Rustam Abdullaev in #135. + - Introduce the new forwarding type 'forward-webserver'. + Currently it is only supported by the forward-override{} action and + there's no config directive with the same name. The forwarding type + is similar to 'forward', but the request line only contains the path + instead of the complete URL. + - The CGI editor no longer treats 'standard.action' special. + Nowadays the official "standards" are part of default.action + and there's no obvious reason to disallow editing them through + the cgi editor anyway (if the user decided that the lack of + authentication isn't an issue in her environment). 
+ - Improved error messages when rejecting intercepted requests + with unknown destination. + - A couple of log messages now include the number of active threads. + - Removed non-standard Proxy-Agent headers in HTTP snipplets + to make testing more convenient. + - Include the error code for pcre errors Privoxy does not recognize. + - Config directives with numerical arguments are checked more carefully. + - Privoxy's malloc() wrapper has been changed to prevent zero-size + allocations which should only occur as the result of bugs. + - Various cosmetic changes. - Action file improvements: - - '.sify.com/' is no longer blocked. Apparently it is not actually - a pure tracking site (anymore?). Reported by Andrew on ijbswa-users@. - - Unblock banners on .amnesty.de/ which aren't ads. + - Unblock ".deutschlandradiokultur.de/". + Reported by u302320 in #924. + - Add two fast-redirect exceptions for "yandex.ru". + - Disable filter{banners-by-size} for ".plasmaservice.de/". + - Unblock klikki.fi/adv/. + - Block requests for "resources.infolinks.com/". + Reported by "Black Rider" on ijbswa-users@. + - Block a bunch of criteo domains. + Reported by Black Rider. + - Block "abs.proxistore.com/abe/". + Reported by Black Rider. + - Disable filter{banners-by-size} for ".black-mosquito.org/". + - Disable fast-redirects for "disqus.com/". - Documentation improvements: - - The 'Would you like to donate?' section now also contains - a "Paypal" address. - - The list of supported operating systems has been updated. - - The existence of the SF support and feature trackers has been - deemphasized because they have been broken for months. - Most of the time the mailing lists still work. - - The claim that default.action updates are sometimes released - on their own has been removed. It hasn't happened in years. - - Explicitly mention that Tor's port may deviate from the default - when using a bundle. Requested by Andrew on ijbswa-users@. 
+ - FAQ: Explicitly point fingers at ASUS as an example of a + company that has been reported to force malware based on + Privoxy upon its customers. + - Correctly document the action type for a bunch of "multi-value" + actions that were incorrectly documented to be "parameterized". + Reported by Gregory Seidman on ijbswa-users@. + - Fixed the documented type of the forward-override{} action + which is obviously 'parameterized'. + +- Website improvements: + - Users who don't trust binaries served by SourceForge + can get them from a mirror. Migrating away from SourceForge + is planned for 2016 (TODO list item #53). + - The website is now available as onion service + (http://jvauzb4sb3bwlsnc.onion/). ----------------------------------------------------------------- About Privoxy: @@ -123,9 +196,6 @@ more control, more privacy and more freedom: * Most features are controllable on a per-site or per-location basis. -Download location: - http://sourceforge.net/project/showfiles.php?group_id=11118 - Home Page: http://www.privoxy.org/
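Review bot: In the first hunk (@@ -1,54 +1,127 @@), the entries "Fixed invalid reads in internal and outdated pcre code" and "Prevent invalid read when loading invalid action files" were found with afl-fuzz and AddressSanitizer like the two items under "Security fixes", yet they sit under "Bug fixes" with no stated reason. The removed 3.0.23 text explained this kind of split by noting that action and filter files "are considered trustworthy input and should not be writable by untrusted third-parties"; if that is still the reasoning, keep a one-line version of it next to these entries so readers can tell them apart from the remotely triggerable invalid reads. The hunk also removes "*** Version 3.0.23 stable ***" and no 3.0.24 counterpart appears among the added lines, so the ChangeLog section no longer names the version it describes. Wording nits: "HTTP snipplets" should be "snippets", "create additionally requests" should be "create additional requests", and the "Reported by Jonathan McKenzie on ijbswa-users@" entry lacks the trailing period the other entries have.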
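Review bot: The second hunk (@@ -123,9 +196,6 @@) deletes the "Download location:" block without adding a replacement, so the announcement no longer tells readers where to obtain the release. The new "Website improvements" entry in the first hunk says binaries can be fetched "from a mirror" but gives no address either. Suggest putting the mirror's location where the SourceForge link used to be, or, if downloads are linked from the Home Page entry that follows, saying so explicitly.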