File : doc/source/changelog.sgml

Purpose : Entity included in other project documents.

Copyright (C) 2013-2021 Privoxy Developers https://www.privoxy.org/

======================================================================
This file used for inclusion with other documents only.
======================================================================

If you make changes to this file, please verify the finished
docs all display as intended.

This file is included into:

The SGML ChangeLog can be generated with: utils/changelog2doc.pl ChangeLog

<application>Privoxy 3.0.33</application> fixes an XSS issue
and multiple DoS issues and a couple of other bugs.
The issues also affect earlier Privoxy releases.
<application>Privoxy 3.0.33</application> also comes with
a couple of general improvements and new features.

Changes in <application>Privoxy 3.0.33</application> stable:

handle_established_connection(): Skip the poll()/select() calls
if TLS data is pending on the server socket. The TLS library may
have already consumed all the data from the server response in
which case poll() and select() will not detect that data is
Fixes SF bug #926 reported by Wen Yue.

continue_https_chat(): Update csp->server_connection.request_sent
after sending the request to make sure the latency is calculated
correctly. Previously https connections were not reused after
timeout seconds after the first request made on the connection.

free_pattern_spec(): Don't try to free an invalid pointer
when unloading an action file with a TAG pattern while
Privoxy has been compiled without FEATURE_PCRE_HOST_PATTERNS.
Closes: SF patch request #147. Patch by Maxim Antonov.

Establish the TLS connection with the client earlier and decide
how to route the request afterwards. This allows to change the
forwarding settings based on information from the https-inspected
request, for example the path.

Adjust build_request_line() to create a CONNECT request line when
https-inspecting and forwarding to a HTTP proxy.
Fixes SF bug #925 reported by Wen Yue.

load_config(): Add a space that was missing in a log message.

serve(): Close the client socket as well if the server socket
for an inspected connection has been closed. Privoxy currently
can't establish a new server connection when the client socket
is reused and would drop the connection in continue_https_chat()

Don't disable redirect checkers in redirect_url()
Disable them in handle_established_connection() instead.
Doing it in redirect_url() prevented the +redirect{} and
+fast-redirects{} actions from being logged with LOG_LEVEL_ACTIONS.

handle_established_connection(): Slightly improve a comment

handle_established_connection(): Fix a comment

socks5_connect(): Fix indentation.

handle_established_connection(): Improve an error message

create_pattern_spec(): Fix ifdef indentation

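The first entry in the list above (skipping poll()/select() when TLS data is pending) describes a hazard of any buffering I/O layer. The following added example is not Privoxy code and uses no TLS library: `struct reader` is a hypothetical stand-in for the library's internal buffer (real libraries expose the equivalent query, for example OpenSSL's SSL_pending()), and the scenario over a local socketpair is constructed.

```c
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for a TLS record layer: it drains the socket into
 * its own buffer and hands the caller only the bytes asked for. */
struct reader { int fd; char buf[256]; size_t len, off; };

static size_t reader_pending(const struct reader *r) { return r->len - r->off; }

static ssize_t reader_read(struct reader *r, char *out, size_t n) {
    if (reader_pending(r) == 0) {
        ssize_t got = read(r->fd, r->buf, sizeof(r->buf));
        if (got <= 0) return got;
        r->len = (size_t)got;
        r->off = 0;
    }
    if (n > reader_pending(r)) n = reader_pending(r);
    memcpy(out, r->buf + r->off, n);
    r->off += n;
    return (ssize_t)n;
}

/* 1 if a read would not block. check_pending == 0 reproduces the bug class:
 * only the kernel socket is asked, the library's buffer is ignored. */
static int data_available(struct reader *r, int check_pending) {
    struct pollfd p = { .fd = r->fd, .events = POLLIN };
    if (check_pending && reader_pending(r) > 0) return 1;
    return poll(&p, 1, 0) > 0 && (p.revents & POLLIN) != 0;
}

/* Constructed scenario: peer sends 10 bytes, the caller consumes 4 of them. */
static int demo(int check_pending) {
    int sv[2], ready;
    char out[4];
    struct reader r = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    r.fd = sv[0];
    if (write(sv[1], "0123456789", 10) != 10) return -1;
    if (reader_read(&r, out, sizeof(out)) != 4) return -1;
    ready = data_available(&r, check_pending);
    close(sv[0]); close(sv[1]);
    return ready;
}

int main(void) { return (demo(0) == 0 && demo(1) == 1) ? 0 : 1; }
```
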
Add a CGI handler for /wpad.dat that returns a
Proxy Auto-Configuration (PAC) file.
Among other things, it can be used to instruct clients
through DHCP to use Privoxy as proxy.
For example with the dnsmasq option:
dhcp-option=252,http://config.privoxy.org/wpad.dat
Initial patch by Richard Schneidt.

listen_loop(): When shutting down gracefully, close listening ports
before waiting for the threads to exit.
Allows to start a second Privoxy with the same config file
while the first Privoxy is still running.

Allow to edit the add-header action through the CGI editor by
generalizing the code that got added with the suppress-tag action.
Closes SF patch request #146. Patch by Maxim Antonov.

process_encrypted_request(): Improve a log message
The function only processes request headers and there
may still be unread request body data left to process.

read_http_request_body(): Fix two error messages that used an incorrect variable.

chat(): Log the applied actions before deciding how to forward the request.

parse_time_header(): Silence a coverity complaint when building without assertions.

receive_encrypted_request_headers(): Improve a log message

mbedTLS get_ciphersuites_from_string(): Use strlcpy() instead of strncpy().
Previously the terminating NUL wasn't copied which resulted
in a compiler warning. This didn't cause actual problems as
the target buffer was initialized by zalloc_or_die() so the
last byte of the target buffer was NUL already.
Actually copying the terminating NUL seems clearer, though.

Remove compiler warnings. "log_error(LOG_LEVEL_FATAL, ..." doesn't return
but apparently the compiler doesn't know that.
Get rid of several "this statement may fall through [-Wimplicit-fallthrough=]" warnings.

If the response is chunk-encoded, ignore the Content-Length
header sent by the server.
Allows to load https://redmine.lighttpd.net/ with filtering enabled.

Store the PEM certificate in a dynamically allocated buffer
when https-inspecting. Should prevent errors like:
2021-03-16 22:36:19.148 7f47bbfff700 Error: X509 PEM cert len 16694 is larger than buffer len 16383
As a bonus it should slightly reduce the memory usage as most
certificates are smaller than the previously used fixed buffer.

Don't log the applied actions in process_encrypted_request()
Log them in continue_https_chat() instead to mirror chat().
Prevents the applied actions from getting logged twice
for the first request on an https-inspected connection.

OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name
Org and Org Unit if the real host name is too long to get accepted by OpenSSL.
Clients should only care about the Subject Alternative Name
anyway and we can continue to use the real host name for it.
Reported by Miles Wen on privoxy-users@.

OpenSSL generate_host_certificate(): Fix two error messages.

Improve description of handle_established_connection()

OpenSSL ssl_store_cert(): Translate EVP_PKEY_EC to a string.

OpenSSL ssl_store_cert(): Remove pointless variable initialization.

OpenSSL ssl_store_cert(): Initialize pointer with NULL instead of 0.

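The entry above about ignoring Content-Length on chunk-encoded responses follows the precedence rule of RFC 7230 section 3.3.3, where Transfer-Encoding overrides Content-Length. The following added example is not Privoxy code: the function names and the sample response are constructed for illustration, and detecting "chunked" by substring match within the header line is a simplifying assumption.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum framing { FRAME_CHUNKED, FRAME_LENGTH, FRAME_UNTIL_CLOSE };

/* Constructed sample: a response that carries both framing headers. */
static const char BOTH[] = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
                           "Transfer-Encoding: chunked\r\n\r\n";

/* Value of header `name` in a CRLF-separated header block, or NULL. */
static const char *header_value(const char *p, const char *name) {
    size_t n = strlen(name);
    while (p && *p) {
        if (strncasecmp(p, name, n) == 0 && p[n] == ':') {
            for (p += n + 1; *p == ' ' || *p == '\t'; p++) { }
            return p;
        }
        p = strstr(p, "\r\n");
        if (p) p += 2;
    }
    return NULL;
}

/* Case-insensitive search for tok within the single line starting at v. */
static int line_has(const char *v, const char *tok) {
    for (; *v && *v != '\r'; v++)
        if (strncasecmp(v, tok, strlen(tok)) == 0) return 1;
    return 0;
}

/* Chunked framing wins; Content-Length is only consulted without it. */
static enum framing response_framing(const char *hdrs, long *body_len) {
    const char *te = header_value(hdrs, "Transfer-Encoding");
    const char *cl = header_value(hdrs, "Content-Length");
    *body_len = -1;
    if (te && line_has(te, "chunked")) return FRAME_CHUNKED;
    if (cl) {
        char *end;
        long v = strtol(cl, &end, 10);
        if (end != cl && v >= 0 && (*end == '\r' || *end == '\0')) {
            *body_len = v;
            return FRAME_LENGTH;
        }
    }
    return FRAME_UNTIL_CLOSE;
}

int main(void) { long n; return response_framing(BOTH, &n) != FRAME_CHUNKED; }
```
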
Action file improvements:

Disable fast-redirects for .microsoftonline.com/.

Disable fast-redirects for idp.springer.com/.

Disable fast-redirects for .zeit.de/zustimmung

Unblock adv-archiv.dfn-cert.de/

Block requests to eu-tlp01.kameleoon.eu/

Block requests to fpa-events.arstechnica.com/

Unblock adguard.com/.

Highlight 'Socket timeout 3 reached: http://127.0.0.1:20000/no-filter/chunked-content/36'

Improve documentation for inactivity-detection mode

Detect date changes when looking for inactivity

Add a --passed-request-statistics-threshold option
That can be set to get statistics for requests that

Add a "inactivity detection" mode
Which can be useful for debugging purposes.

Bump version to 0.9.4

Only run print_intro() and print_outro() when syntax highlighting

Rephrase a sentence in the documentation

Highlight 'Client socket 7 is no longer usable. The server socket has been closed.'

Clarify --statistics output
by explicitly mentioning that the status codes
sent by the server may differ from the ones in
"debug 512" messages.

Fix typo in the --statistics output

Remove an unused variable

Highlight 'The peer notified us that the connection on socket 11 is going to be closed'

Privoxy-Regression-Test:

Remove duplicated word in a comment.

regression-tests.action:

Add fetch test for http://p.p/wpad.dat.

Bump for-privoxy-version to 3.0.33 which introduced the wpad.dat support.

Add more tests for the '/send-banner' code.

Add test for OVE-20210203-0001.

Add a test for CVE-2021-20217.

Bump generated Firefox version to 91 (ESR)

Bump version to 1.2.3

configure: Bump SOURCE_DATE_EPOCH.

GNUmakefile.in: Fix typo.

configure: Add another warning in case --disable-pthread is used
while POSIX threads are available.
Various features don't even compile when not using threads.

Add configure option to enable MemorySanitizer.

Add configure option to enable UndefinedBehaviorSanitizer.

Add configure option to enable AddressSanitizer.

Add a configure option to disable pcre JIT compilation.
While JIT compilation makes filtering faster it can
cause false-positive valgrind complaints.
As reported by Gwyn Ciesla in SF bug 924 it also can
cause problems when the SELinux policy does not grant
Privoxy "execmem" privileges.

configure: Remove obsolete RPM_BASE check

Windows build system:

Update the build script to use mbed tls version 2.6.11.

Update build script to use the final 8.45 pcre library.

Put all the '--enable-xxx' options in the configure call together.

contacting: Remove obsolete reference to announce.sgml.

contacting: Request that the browser cache is cleared before
producing a log file for submission.

Sponsor FAQ: Note that Privoxy users may follow sponsor links
without Referer header set.

newfeatures: Clarify that https inspection also allows to
filter https responses.

developer-manual: Mention that announce.txt should be updated
when doing a release.

config: Explicitly mention that the CGI pages disclosing the
ca-password can be blocked and upgrade the disclosure paragraphs

Put all the requested debug options in the config file.
Section 11.1 of the Privoxy user manual lists all the debug
options that should be enabled when reporting problems or requesting support.
Make it easier for users to do the right thing by having all those
options present in the config.

Update TODO list item #184 to note that WolfSSL support will
(hopefully) appear after the 3.0.34 release

Update max-client-connections's description.
On modern systems other than Windows Privoxy should
use poll() in which case the FD_SETSIZE value isn't

Add a warning that the socket-timeout does not apply
to operations done by TLS libraries

Make documentation slightly less "offensive" for some people
by avoiding the word "hell".