buf_copy(): Fail if there's no data to write or nothing to do

[privoxy.git] / ChangeLog

diff --git a/ChangeLog b/ChangeLog
index e26dcae..c9c3a91 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,21 @@
 --------------------------------------------------------------------
 ChangeLog for Privoxy
 --------------------------------------------------------------------
 --------------------------------------------------------------------
 ChangeLog for Privoxy
 --------------------------------------------------------------------

-*** Version 3.0.30 UNRELEASED ***
+*** Version 3.0.31 stable ***
+
+- Security/Reliability:
+  - Prevent an assertion from getting triggered by a crafted CGI request.
+    Commit 5bba5b89193fa. OVE-20210130-0001. CVE-2021-20217.
+    Reported by: Joshua Rogers (Opera)
+  - Fixed a memory leak when decompression fails "unexpectedly".
+    Commit f431d61740cc0. OVE-20210128-0001. CVE-2021-20216.
+
+- Bug fixes:
+  - Fixed detection of insufficient data for decompression.
+    Previously Privoxy could try to decompress a partly
+    uninitialized buffer.
+
+*** Version 3.0.30 stable ***

 
 - Bug fixes:
   - Check the actual URL for redirects when https inspecting requests.
 
 - Bug fixes:
   - Check the actual URL for redirects when https inspecting requests.


@@ -16,9 +30,22 @@ ChangeLog for Privoxy
   - Make CGI_PREFIX protocol-relative when building with FEATURE_HTTPS_INSPECTION.
     This unbreaks (at least) https://config.privoxy.org/client-tags whose
     buttons would previously use a http:// URL resulting in browser warnings.
   - Make CGI_PREFIX protocol-relative when building with FEATURE_HTTPS_INSPECTION.
     This unbreaks (at least) https://config.privoxy.org/client-tags whose
     buttons would previously use a http:// URL resulting in browser warnings.

+  - Support using https-inspection and client-header-order at the same time.
+    Previously Privoxy would crash.
+    Reported by: Kai Raven
+  - Properly reject rewrites from http to https as they currently
+    aren't supported. Previously Privoxy would wait for the client
+    to establish an encrypted connection which obviously would not happen.
+  - When https inspection is enabled and Privoxy has been compiled with
+    FEATURE_GRACEFUL_TERMINATION (not recommended for production builds),
+    the TLS backend resources are free'd later on and only if no active
+    connections are left. Prevents crashes when exiting "gracefully" at the
+    wrong time.
+  - Let the uninstall target remove the config file even if DESTDIR
+    is set and properly announce the deletion of the configuration files.

 
 - General improvements:
 
 - General improvements:

-  - Allow to rewrite the request destination for https-intercepted
+  - Allow to rewrite the request destination for https-inspected

     requests behind the client's back. The documentation already sort
     of claimed that it was supported by not especially mentioning that
     it didn't work for https-inspected requests.
     requests behind the client's back. The documentation already sort
     of claimed that it was supported by not especially mentioning that
     it didn't work for https-inspected requests.


@@ -46,12 +73,11 @@ ChangeLog for Privoxy
     fatal error so the regression tests can be used with and
     without FEATURE_PCRE_HOST_PATTERNS.
   - The code compiles with older C compilers again.
     fatal error so the regression tests can be used with and
     without FEATURE_PCRE_HOST_PATTERNS.
   - The code compiles with older C compilers again.

-  - Check the chdir() return code to fix a compiler warning.
-  - Let the crude-parental filter insert a link to Privoxy's webinterface.
-  - Remove the packages feed from the source tarball.
+  - The chdir() return code is checked to fix a compiler warning.
+  - The packages feed has been removed from the source tarball.

     It's usually out of date when the source tarball is generated
     for the release.
     It's usually out of date when the source tarball is generated
     for the release.

-  - Fix harmless compiler warnings from GCC9 with -D_FORTIFY_SOURCE=2.
+  - Fixed harmless compiler warnings from GCC9 with -D_FORTIFY_SOURCE=2.

   - windows: Remove obsolete '$(DEST)/doc/images' target.
   - windows: Install the images referenced in the user manual.
   - Remove obsolete 'gnu_regex.@OBJEXT@' target.
   - windows: Remove obsolete '$(DEST)/doc/images' target.
   - windows: Install the images referenced in the user manual.
   - Remove obsolete 'gnu_regex.@OBJEXT@' target.


@@ -59,28 +85,70 @@ ChangeLog for Privoxy
     directory which is no longer used. The images were relocated to
     the user-manual directory years ago.
   - Add new FEATURES to the show-status page and resort list.
     directory which is no longer used. The images were relocated to
     the user-manual directory years ago.
   - Add new FEATURES to the show-status page and resort list.

-  - OpenSSL create_client_ssl_connection(): Remove unused variable.
+  - Remove unused variable in the OpenSSL-specific code.

   - Update bug tracker URL in cgi_error_unknown().
   - Update bug tracker URL in cgi_error_unknown().

+  - Saved a couple of memory allocations when sorting client headers.
+  - Improved a couple of error messages.
+  - Saved memory allocations when using OpenSSL and checking if a
+    key already exists.
+  - The configure script will bail out if OpenSSL and mbedTLS are
+    enabled at the same time.
+  - Log a message right before exiting gracefully.
+  - A couple of structures have been rearranged to require slightly
+    less memory.
+  - When https inspection is enabled and the certificate is invalid
+    the error message is now sent with status code 403 instead of 200.
+  - The Slackware rc script template has been renamed to
+    slackware/rc.privoxy.in to silence complaints when building
+    Debian packages.
+  - When building with MbedTLS support, mbedtls_md5_ret() is used
+    instead of mbedtls_md5() which is deprecated and causes a warning
+    on Debian GNU/Linux.

 
 - Action file improvements:
   - Block requests to eu-tlp03.kameleoon.com/.
   - Unblock metrics.sr.ht/.
   - Disable fast-redirects for .fsf.org/.
 
 - Action file improvements:
   - Block requests to eu-tlp03.kameleoon.com/.
   - Unblock metrics.sr.ht/.
   - Disable fast-redirects for .fsf.org/.

+  - Disable fast-redirects for .gravater.com/.
+  - Disable fast-redirects for .ksta.de/.

   - Block requests to tag.crsspxl.com/.
   - Block requests to analytics.slashdotmedia.com/.
   - Block requests to ml314.com/.
   - Block requests to tag.crsspxl.com/.
   - Block requests to analytics.slashdotmedia.com/.
   - Block requests to ml314.com/.

-  - Disable fast-redirects for secure.gravatar.com/.

   - Block requests to .adroll.com/.
   - Block requests to fastlane.rubiconproject.com/.
   - Block requests to .adroll.com/.
   - Block requests to fastlane.rubiconproject.com/.

+  - Block requests to api.theadex.com/.
+  - Block requests to ih.adscale.de/.
+  - Block requests to .s400.meetrics.net/.
+  - Block requests for pp.lp4.io/.
+  - Block requests for trc-events.taboola.com/.

 
 

-- privoxy-log-parser:
-  - Highlight 'Rewritten request line results in downgrade to http'.
-  - Highlight 'Rewrite detected: ...' messages again.
+- Filter file improvements:
+  - A allow-autocompletion filter has been added which changes
+    autocomplete="off" to "on" on input fields to allow autocompletion.
+    Requested by Jamie Zawinski in #370.
+    Filter based on a submission by Aaron Linville.
+  - Added an imdb filter.
+  - Added a sourceforge filter that reduces the amount of ads
+    for proprietary software.
+  - Added a github filter that removes the annoying "Sign-Up"
+    banner and the Cookie disclaimer.
+  - Removed a duplicated pcrs command from the js-annoyances filter.
+  - The crude-parental filter now provides a short reason when blocking,
+    inserts a link to Privoxy's webinterface and adds a new line at
+    the end of the generated page.
+
+- Privoxy-Log-Parser:
+  - Highlight a few more messages.

   - Add a handler for tagging messages.
   - Add a handler for tagging messages.

+  - Properly deal with 'Certificate error' crunches
+    Previously the error description was highlighted as 'host'.
+  - Log truncated LOG_LEVEL_CLF messages more gracefully
+    and note that the statistics will be imprecise.
+  - Fixed perldoc typo.

   - Bump version to 0.9.2.
 
   - Bump version to 0.9.2.
 

-- privoxy-regression-test:
-  - Use http://127.0.0.1:8118/ as default privoxy address
+- Privoxy-Regression-Test:
+  - Use http://127.0.0.1:8118/ as default Privoxy address

     unless http_proxy is set through the environment.
   - Add a --privoxy-cgi-prefix option that specifies the prefix
     to use when building URLs that are supposed to reach Privoxy's
     unless http_proxy is set through the environment.
   - Add a --privoxy-cgi-prefix option that specifies the prefix
     to use when building URLs that are supposed to reach Privoxy's


@@ -104,17 +172,20 @@ ChangeLog for Privoxy
     "TAG:^(application|text)/(x-)?javascript$".
   - When get_cgi_page_or_else() fails, include the URL of the
     requested page in the log message.
     "TAG:^(application|text)/(x-)?javascript$".
   - When get_cgi_page_or_else() fails, include the URL of the
     requested page in the log message.

-  - privoxy-regression-test: Bump version to 0.7.2
+  - Added a --check-bad-ssl option that can be used to verify that
+    Privoxy detects certificate problems when accessing the test
+    sites from badssl.com.
+  - Bumped version to 0.7.2

 
 - uagen:
   - Update example output.
   - Recommend the use of the https-inspection action in the documentation.
   - Upgrade a couple of URLs to https://.
   - Add ElectroBSD to the list of operating systems.
 
 - uagen:
   - Update example output.
   - Recommend the use of the https-inspection action in the documentation.
   - Upgrade a couple of URLs to https://.
   - Add ElectroBSD to the list of operating systems.

-  - Bump generated Firefox version to 78 (ESR).
-  - Bump version to 1.2.2.
+  - Bumped generated Firefox version to 78 (ESR).
+  - Bumped version to 1.2.2.

 
 

- - User Documentation:
+ - User documentation:

   - Remove reference to 'How to Report Bugs Effectively'.
     It was only rendered as text without URL in the README anyway
     and there's no indication that users read it ...
   - Remove reference to 'How to Report Bugs Effectively'.
     It was only rendered as text without URL in the README anyway
     and there's no indication that users read it ...


@@ -168,12 +239,20 @@ ChangeLog for Privoxy
   - Replace CVS reference with git.
   - Mention regression-tests.action in the config file.
   - Explicitly mention in the config file that access to the
   - Replace CVS reference with git.
   - Mention regression-tests.action in the config file.
   - Explicitly mention in the config file that access to the

-    ca key should be limited to Privoxy.
+    CA key should be limited to Privoxy.

   - List more client-specific-tag examples for inspiration.
   - List more client-specific-tag examples for inspiration.

+  - Add additional headers to the client-header-order example.
+  - Note that actions aren't updated after rewrites.
+  - Explicitly mention that upgrading from http to https with
+    a client-header filter is not supported
+  - Note that protocol and host have to be added when rewriting
+    the destination host for https-inspected requests.
+  - Explicitly mention that the CA key is used to sign certificates.
+  - Put openssl command in 'command' tags.
+  - The man page has been moved from section 1 to man section 8.

 
 

-- Developer Manual:
-  - Mention the directory from which to execute the commands to
-    create Debian packages.
+- Developer manual:
+  - Flesh out the build instructions for Debian.

   - Remove the packaging instructions for RPM-based systems.
     They don't work and we don't release RPM packages anymore anyway.
   - Remove the packaging instructions for Solaris.
   - Remove the packaging instructions for RPM-based systems.
     They don't work and we don't release RPM packages anymore anyway.
   - Remove the packaging instructions for Solaris.


@@ -208,7 +287,6 @@ ChangeLog for Privoxy
     They are not actually available through git (yet).
   - Don't speak of Privoxy version 3 in the past tense.
   - Update the list of programs required for the release process.
     They are not actually available through git (yet).
   - Don't speak of Privoxy version 3 in the past tense.
   - Update the list of programs required for the release process.

-  - Put openssl command in 'command' tags.

   - Update description of the webserver target which uses ssh, not scp.
   - Remove obsolete reference to config.new.
 
   - Update description of the webserver target which uses ssh, not scp.
   - Remove obsolete reference to config.new.
 


@@ -226,8 +304,10 @@ ChangeLog for Privoxy
   - Add a link to Privoxy-Regression-Test to regression-tests.action
     in case it isn't packaged.
   - Add regression tests for pcre host patterns.
   - Add a link to Privoxy-Regression-Test to regression-tests.action
     in case it isn't packaged.
   - Add regression tests for pcre host patterns.

+  - Fixed a regression test that is executed when
+    FEATURE_GRACEFUL_TERMINATION is enabled.

 
 

-- Privoxy Infrastructure:
+- Privoxy infrastructure:

   - Import a Privoxy logo for the website.
   - Update Tor onion service to HiddenServiceVersion 3.
   - Display the "model" photos in a single row and remove placeholder images.
   - Import a Privoxy logo for the website.
   - Update Tor onion service to HiddenServiceVersion 3.
   - Display the "model" photos in a single row and remove placeholder images.


@@ -241,32 +321,33 @@ ChangeLog for Privoxy
   - Fixed memory leaks when a response is buffered and the buffer
     limit is reached or Privoxy is running out of memory.
     Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
   - Fixed memory leaks when a response is buffered and the buffer
     limit is reached or Privoxy is running out of memory.
     Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.

+    CVE-2020-35502.

     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no action files are configured. Commit c62254a686.
     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no action files are configured. Commit c62254a686.

-    OVE-20201118-0002.
+    OVE-20201118-0002. CVE-2021-20209.

     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no filter files are configured. Commit 1b1370f7a8a.
     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no filter files are configured. Commit 1b1370f7a8a.

-    OVE-20201118-0003.
+    OVE-20201118-0003. CVE-2021-20210.

     Sponsored by: Robert Klemme
   - Fixes a memory leak when client tags are active.
     Sponsored by: Robert Klemme
   - Fixes a memory leak when client tags are active.

-    Commit 245e1cf32. OVE-20201118-0004.
+    Commit 245e1cf32. OVE-20201118-0004. CVE-2021-20211.

     Sponsored by: Robert Klemme
   - Fixed a memory leak if multiple filters are executed
     and the last one is skipped due to a pcre error.
     Sponsored by: Robert Klemme
   - Fixed a memory leak if multiple filters are executed
     and the last one is skipped due to a pcre error.

-    Commit 5cfb7bc8fe. OVE-20201118-0005.
+    Commit 5cfb7bc8fe. OVE-20201118-0005. CVE-2021-20212.

   - Prevent an unlikely dereference of a NULL-pointer that
     could result in a crash if accept-intercepted-requests
     was enabled, Privoxy failed to get the request destination
     from the Host header and a memory allocation failed.
   - Prevent an unlikely dereference of a NULL-pointer that
     could result in a crash if accept-intercepted-requests
     was enabled, Privoxy failed to get the request destination
     from the Host header and a memory allocation failed.

-    Commit 7530132349. CID 267165. OVE-20201118-0006.
+    Commit 7530132349. CID 267165. OVE-20201118-0006. CVE-2021-20213.

   - Fixed memory leaks in the client-tags CGI handler when
     client tags are configured and memory allocations fail.
   - Fixed memory leaks in the client-tags CGI handler when
     client tags are configured and memory allocations fail.

-    Commit cf5640eb2a. CID 267168. OVE-20201118-0007.
+    Commit cf5640eb2a. CID 267168. OVE-20201118-0007. CVE-2021-20214.

   - Fixed memory leaks in the show-status CGI handler when memory
     allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
   - Fixed memory leaks in the show-status CGI handler when memory
     allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.

-    CID 305233. OVE-20201118-0008.
+    CID 305233. OVE-20201118-0008. CVE-2021-20215.

 
 - General improvements:
   - Added experimental https inspection support which allows to filter
 
 - General improvements:
   - Added experimental https inspection support which allows to filter


@@ -2991,7 +3072,7 @@ being a mix of "U.S. English", "U.K. English" and "Irish English".
 
 
 ----------------------------------------------------------------------
 
 
 ----------------------------------------------------------------------

-Copyright   :  Written by and Copyright (C) 2001-2020 the
+Copyright   :  Written by and Copyright (C) 2001-2021 the

                Privoxy team. https://www.privoxy.org/
 
                Based on the Internet Junkbuster originally written
                Privoxy team. https://www.privoxy.org/
 
                Based on the Internet Junkbuster originally written