File : doc/source/changelog.sgml

Purpose : Entity included in other project documents.

Copyright (C) 2013-2021 Privoxy Developers https://www.privoxy.org/

======================================================================
This file is used for inclusion with other documents only.
======================================================================

If you make changes to this file, please verify that the finished
docs all display as intended.

This file is included into:

The SGML ChangeLog can be generated with: utils/changelog2doc.pl ChangeLog
<application>Privoxy 3.0.33</application> fixes an XSS issue,
multiple DoS issues and a couple of other bugs.
The issues also affect earlier Privoxy releases.
<application>Privoxy 3.0.33</application> also comes with
a couple of general improvements and new features.

Changes in <application>Privoxy 3.0.33</application> stable:
cgi_error_no_template(): Encode the template name to prevent
XSS (cross-site scripting) when Privoxy is configured to serve
the user-manual itself.
Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
Reported by: Artem Ivanov
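As an added illustration (not Privoxy's code), the encoding step the fix above performs: an untrusted template name is entity-encoded before it is placed in the HTML error body, so markup characters in the name are rendered as text rather than interpreted. `html_encode()` and `no_template_message()` are names chosen here, not Privoxy functions, and the error text is made up for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode the five characters that are significant in HTML text and
 * attribute context. Returns a malloc()ed string the caller frees,
 * or NULL on allocation failure. */
char *html_encode(const char *s)
{
    /* Worst case every input byte becomes a 6-byte entity ("&quot;"). */
    char *out = malloc(strlen(s) * 6 + 1);
    if (out == NULL) return NULL;
    char *p = out;
    for (; *s != '\0'; s++) {
        const char *rep;
        switch (*s) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   *p++ = *s; continue;
        }
        size_t n = strlen(rep);
        memcpy(p, rep, n);
        p += n;
    }
    *p = '\0';
    return out;
}

/* Build a "template not found" error body (hypothetical wording). In the
 * scenario the fix describes the template name is not trusted, so it is
 * encoded before being embedded in markup. Returns a malloc()ed string
 * the caller frees, or NULL on allocation failure. */
char *no_template_message(const char *template_name)
{
    static const char fmt[] =
        "<p>Privoxy could not find template <code>%s</code>.</p>";
    char *safe = html_encode(template_name);
    if (safe == NULL) return NULL;
    size_t len = strlen(fmt) + strlen(safe) + 1;
    char *msg = malloc(len);
    if (msg != NULL) snprintf(msg, len, fmt, safe);
    free(safe);
    return msg;
}
```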
get_url_spec_param(): Free memory of compiled pattern spec
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.

process_encrypted_request_headers(): Free header memory when
failing to get the request destination.
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.

send_http_request(): Prevent memory leaks when handling errors.
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.

handle_established_connection(): Skip the poll()/select() calls
if TLS data is pending on the server socket. The TLS library may
have already consumed all the data from the server response, in
which case poll() and select() will not detect that data is
Fixes SF bug #926 reported by Wen Yue.

continue_https_chat(): Update csp->server_connection.request_sent
after sending the request to make sure the latency is calculated
correctly. Previously https connections were not reused once
timeout seconds had passed since the first request made on the connection.

free_pattern_spec(): Don't try to free an invalid pointer
when unloading an action file with a TAG pattern while
Privoxy has been compiled without FEATURE_PCRE_HOST_PATTERNS.
Closes: SF patch request #147. Patch by Maxim Antonov.

Adjust build_request_line() to create a CONNECT request line when
https-inspecting and forwarding to an HTTP proxy.
Fixes SF bug #925 reported by Wen Yue.

load_config(): Add a space that was missing in a log message.

read_http_request_body(): Fix two error messages that used an

If the response is chunk-encoded, ignore the Content-Length
header sent by the server.
Allows loading https://redmine.lighttpd.net/ with filtering enabled.
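An added example, not Privoxy's code, of the framing decision the fix above makes: `decide_framing()` (a name chosen here) follows RFC 7230 section 3.3.3, letting a chunked Transfer-Encoding override any Content-Length the server also sent, and rejects a malformed Content-Length rather than guessing. The header blocks it is exercised with are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>
enum body_framing {
    FRAMING_UNTIL_CLOSE,    /* no length information: read until EOF */
    FRAMING_CONTENT_LENGTH, /* exactly *content_length bytes follow */
    FRAMING_CHUNKED,        /* chunked transfer coding */
    FRAMING_INVALID         /* unparsable Content-Length: reject response */
};

/* Case-insensitive header lookup in a CRLF-separated block; stops at the
 * blank line ending the headers. Returns the value (leading blanks skipped)
 * and sets *vlen, or returns NULL if the header is absent. */
static const char *find_header(const char *hdrs, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    for (const char *line = hdrs; *line != '\0'; ) {
        const char *eol = strstr(line, "\r\n");
        if (eol == NULL) eol = line + strlen(line);
        if (eol == line) break; /* blank line: end of header block */
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            *vlen = (size_t)(eol - v);
            return v;
        }
        if (*eol == '\0') break;
        line = eol + 2;
    }
    return NULL;
}

/* RFC 7230 section 3.3.3: if the message is chunk-encoded, Transfer-Encoding
 * decides the framing and a Content-Length header must be ignored. */
enum body_framing decide_framing(const char *hdrs, long *content_length)
{
    size_t vlen;
    *content_length = -1;
    const char *te = find_header(hdrs, "Transfer-Encoding", &vlen);
    /* "chunked" has to be the final coding, e.g. "gzip, chunked". */
    if (te != NULL && vlen >= 7 && strncasecmp(te + vlen - 7, "chunked", 7) == 0)
        return FRAMING_CHUNKED;
    const char *cl = find_header(hdrs, "Content-Length", &vlen);
    if (cl == NULL) return FRAMING_UNTIL_CLOSE;
    char *end;
    long n = strtol(cl, &end, 10);
    if (vlen == 0 || n < 0 || end != cl + vlen)
        return FRAMING_INVALID; /* empty, negative or non-numeric value */
    *content_length = n;
    return FRAMING_CONTENT_LENGTH;
}
```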
General improvements:

Allow editing the add-header action through the CGI editor by
generalizing the code that got added with the suppress-tag action.
Closes SF patch request #146. Patch by Maxim Antonov.

Add a CGI handler for /wpad.dat that returns a
Proxy Auto-Configuration (PAC) file.
Among other things, it can be used to instruct clients
through DHCP to use Privoxy as proxy.
For example with the dnsmasq option:
dhcp-option=252,http://config.privoxy.org/wpad.dat
Initial patch by Richard Schneidt.

Don't log the applied actions in process_encrypted_request().
Log them in continue_https_chat() instead to mirror chat().
Prevents the applied actions from getting logged twice
for the first request on an https-inspected connection.

OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name,
Org and Org Unit if the real host name is too long to get accepted by OpenSSL.
Clients should only care about the Subject Alternative Name
anyway and we can continue to use the real host name for it.
Reported by Miles Wen on privoxy-users@.

Establish the TLS connection with the client earlier and decide
how to route the request afterwards. This allows changing the
forwarding settings based on information from the https-inspected
request, for example the path.

listen_loop(): When shutting down gracefully, close listening ports
before waiting for the threads to exit. Allows starting a second
Privoxy with the same config file while the first Privoxy is still

serve(): Close the client socket as well if the server socket
for an inspected connection has been closed. Privoxy currently
can't establish a new server connection when the client socket
is reused and would drop the connection in continue_https_chat()

Don't disable redirect checkers in redirect_url().
Disable them in handle_established_connection() instead.
Doing it in redirect_url() prevented the +redirect{} and
+fast-redirects{} actions from being logged with LOG_LEVEL_ACTIONS.

handle_established_connection(): Slightly improve a comment.

handle_established_connection(): Fix a comment.

socks5_connect(): Fix indentation.

handle_established_connection(): Improve an error message.

create_pattern_spec(): Fix ifdef indentation.

process_encrypted_request(): Improve a log message.
The function only processes request headers and there
may still be unread request body data left to process.

chat(): Log the applied actions before deciding how to forward the request.

parse_time_header(): Silence a coverity complaint when building without assertions.

receive_encrypted_request_headers(): Improve a log message.

mbedTLS get_ciphersuites_from_string(): Use strlcpy() instead of strncpy().
Previously the terminating NUL wasn't copied, which resulted
in a compiler warning. This didn't cause actual problems as
the target buffer was initialized by zalloc_or_die(), so the
last byte of the target buffer was NUL already.
Actually copying the terminating NUL seems clearer, though.

Remove compiler warnings. "log_error(LOG_LEVEL_FATAL, ..."
doesn't return but apparently the compiler doesn't know that.
Get rid of several "this statement may fall through
[-Wimplicit-fallthrough=]" warnings.

Store the PEM certificate in a dynamically allocated buffer
when https-inspecting. Should prevent errors like:
2021-03-16 22:36:19.148 7f47bbfff700 Error: X509 PEM cert len 16694 is larger than buffer len 16383
As a bonus it should slightly reduce the memory usage as most
certificates are smaller than the previously used fixed buffer.

OpenSSL generate_host_certificate(): Fix two error messages.

Improve description of handle_established_connection().

OpenSSL ssl_store_cert(): Translate EVP_PKEY_EC to a string.

OpenSSL ssl_store_cert(): Remove pointless variable initialization.

OpenSSL ssl_store_cert(): Initialize pointer with NULL instead of 0.
Action file improvements:

Disable fast-redirects for .microsoftonline.com/.

Disable fast-redirects for idp.springer.com/.

Disable fast-redirects for .zeit.de/zustimmung.

Unblock adv-archiv.dfn-cert.de/.

Block requests to eu-tlp01.kameleoon.eu/.

Block requests to fpa-events.arstechnica.com/.

Unblock adguard.com/.
Highlight 'Socket timeout 3 reached: http://127.0.0.1:20000/no-filter/chunked-content/36'.

Improve documentation for inactivity-detection mode.

Detect date changes when looking for inactivity.

Add a --passed-request-statistics-threshold option
that can be set to get statistics for requests that

Add an "inactivity detection" mode which can be useful
for debugging purposes.

Bump version to 0.9.4.

Only run print_intro() and print_outro() when syntax highlighting.

Rephrase a sentence in the documentation.

Highlight 'Client socket 7 is no longer usable. The server socket has been closed.'.

Clarify --statistics output by explicitly mentioning that
the status codes sent by the server may differ from the ones
in "debug 512" messages.

Fix typo in the --statistics output.

Remove an unused variable.

Highlight 'The peer notified us that the connection on socket 11 is going to be closed'.
Privoxy-Regression-Test:

Remove duplicated word in a comment.

regression-tests.action:

Add fetch test for http://p.p/wpad.dat.

Bump for-privoxy-version to 3.0.33 which introduced the wpad.dat support.

Add more tests for the '/send-banner' code.

Add test for OVE-20210203-0001.

Add a test for CVE-2021-20217.

Bump generated Firefox version to 91 (ESR).

Bump version to 1.2.3.
configure: Bump SOURCE_DATE_EPOCH.

GNUmakefile.in: Fix typo.

configure: Add another warning in case --disable-pthread
is used while POSIX threads are available.
Various features don't even compile when not using threads.

Add configure option to enable MemorySanitizer.

Add configure option to enable UndefinedBehaviorSanitizer.

Add configure option to enable AddressSanitizer.

Add a configure option to disable pcre JIT compilation.
While JIT compilation makes filtering faster, it can
cause false-positive valgrind complaints.
As reported by Gwyn Ciesla in SF bug 924, it also can
cause problems when the SELinux policy does not grant
Privoxy "execmem" privileges.

configure: Remove obsolete RPM_BASE check.

Windows build system:

Update the build script to use mbed tls version 2.6.11.

Update build script to use the final 8.45 pcre library.

Put all the '--enable-xxx' options in the configure call together.

The OSXPackageBuilder repository has been updated and
can be used to create macOS packages again.
contacting: Remove obsolete reference to announce.sgml.

contacting: Request that the browser cache is cleared before
producing a log file for submission.

Sponsor FAQ: Note that Privoxy users may follow sponsor links
without a Referer header set.

newfeatures: Clarify that https inspection also allows
filtering https responses.

developer-manual: Mention that announce.txt should be updated
when doing a release.

config: Explicitly mention that the CGI pages disclosing the
ca-password can be blocked and upgrade the disclosure paragraphs

Put all the requested debug options in the config file.
Section 11.1 of the Privoxy user manual lists all the debug
options that should be enabled when reporting problems or requesting support.
Make it easier for users to do the right thing by having all those
options present in the config.

Update TODO list item #184 to note that WolfSSL support will
(hopefully) appear after the 3.0.34 release.

Update max-client-connections's description.
On modern systems other than Windows Privoxy should
use poll(), in which case the FD_SETSIZE value isn't

Add a warning that the socket-timeout does not apply
to operations done by TLS libraries.

Make documentation slightly less "offensive" for some people
by avoiding the word "hell".