load_config(): Fix indentation

[privoxy.git] / ChangeLog

diff --git a/ChangeLog b/ChangeLog
index bec47f2..f399120 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,190 @@
 --------------------------------------------------------------------
 ChangeLog for Privoxy
 --------------------------------------------------------------------
 --------------------------------------------------------------------
 ChangeLog for Privoxy
 --------------------------------------------------------------------

-*** Version 3.0.30 UNRELEASED ***
+*** Version 3.0.33 UNRELEASED ***
+
+- Bug fixes:
+  - handle_established_connection(): Skip the poll()/select() calls
+    if TLS data is pending on the server socket. The TLS library may
+    have already consumed all the data from the server response in
+    which case poll() and select() will not detect that data is
+    available to be read.
+    Fixes SF bug #926 reported by Wen Yue.
+  - continue_https_chat(): Update csp->server_connection.request_sent
+    after sending the request to make sure the latency is calculated
+    correctly. Previously https connections were not reused after
+    timeout seconds after the first request made on the connection.
+  - free_pattern_spec(): Don't try to free an invalid pointer
+    when unloading an action file with a TAG pattern while
+    Privoxy has been compiled without FEATURE_PCRE_HOST_PATTERNS.
+    Closes: SF patch request #147. Patch by Maxim Antonov.
+  - Establish the TLS connection with the client earlier and decide
+    how to route the request afterwards. This allows to change the
+    forwarding settings based on information from the https-inspected
+    request, for example the path.
+    Adjust build_request_line() to create a CONNECT request line when
+    https-inspecting and forwarding to a HTTP proxy.
+    Fixes SF bug #925 reported by Wen Yue.
+  - load_config(): Add a space that was missing in a log message.
+
+- General improvements:
+  - serve(): Close the client socket as well if the server socket
+    for an inspected connection has been closed. Privoxy currently
+    can't establish a new server connection when the client socket
+    is reused and would drop the connection in continue_https_chat()
+    anyway.
+  - Don't disable redirect checkers in redirect_url()
+    Disable them in handle_established_connection() instead.
+    Doing it in redirect_url() prevented the +redirect{} and
+    +fast-redirects{} actions from being logged with LOG_LEVEL_ACTIONS.
+  - handle_established_connection(): Slightly improve a comment
+  - handle_established_connection(): Fix a comment
+  - socks5_connect(): Fix indentation.
+  - handle_established_connection(): Improve an error message
+  - create_pattern_spec(): Fix ifdef indentation
+  - Fix comment typos
+
+- Action file improvements:
+  - Disable fast-redirects for .microsoftonline.com/.
+  - Disable fast-redirects for idp.springer.com/.
+
+- Privoxy-Regression-Test:
+  - Remove duplicated word in a comment.
+
+- Documentation:
+  - contacting: Remove obsolete reference to announce.sgml.
+  - contacting: Request that the browser cache is cleared before
+    producing a log file for submission.
+  - Sponsor FAQ: Note that Privoxy users may follow sponsor links
+    without Referer header set.
+  - newfeatures: Clarify that https inspection also allows to
+    filter https responses.
+  - developer-manual: Mention that announce.txt should be updated
+    when doing a release.
+
+*** Version 3.0.32 stable ***
+
+- Security/Reliability:
+  - ssplit(): Remove an assertion that could be triggered with a
+    crafted CGI request.
+    Commit 2256d7b4d67. OVE-20210203-0001. CVE-2021-20272.
+    Reported by: Joshua Rogers (Opera)
+  - cgi_send_banner(): Overrule invalid image types. Prevents a
+    crash with a crafted CGI request if Privoxy is toggled off.
+    Commit e711c505c48. OVE-20210206-0001. CVE-2021-20273.
+    Reported by: Joshua Rogers (Opera)
+  - socks5_connect(): Don't try to send credentials when none are
+    configured. Fixes a crash due to a NULL-pointer dereference
+    when the socks server misbehaves.
+    Commit 85817cc55b9. OVE-20210207-0001. CVE-2021-20274.
+    Reported by: Joshua Rogers (Opera)
+  - chunked_body_is_complete(): Prevent an invalid read of size two.
+    Commit a912ba7bc9c. OVE-20210205-0001. CVE-2021-20275.
+    Reported by: Joshua Rogers (Opera)
+  - Obsolete pcre: Prevent invalid memory accesses with an invalid
+    pattern passed to pcre_compile(). Note that the obsolete pcre code
+    is scheduled to be removed before the 3.0.33 release. There has been
+    a warning since 2008 already.
+    Commit 28512e5b624. OVE-20210222-0001. CVE-2021-20276.
+    Reported by: Joshua Rogers (Opera)
+
+- Bug fixes:
+  - Properly parse the client-tag-lifetime directive. Previously it was
+    not accepted as an obsolete hash value was being used.
+    Reported by: Joshua Rogers (Opera)
+  - decompress_iob(): Prevent reading of uninitialized data.
+    Reported by: Joshua Rogers (Opera).
+  - decompress_iob(): Don't advance cur past eod when looking
+    for the end of the file name and comment.
+  - decompress_iob(): Cast value to unsigned char before shifting.
+    Prevents a left-shift of a negative value which is undefined behaviour.
+    Reported by: Joshua Rogers (Opera)
+  - gif_deanimate(): Confirm that that we have enough data before doing
+    any work. Fixes a crash when fuzzing with an empty document.
+    Reported by: Joshua Rogers (Opera).
+  - buf_copy(): Fail if there's no data to write or nothing to do.
+    Prevents undefined behaviour "applying zero offset to null pointer".
+    Reported by: Joshua Rogers (Opera)
+  - log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is
+    being used while fuzzing.
+    Reported by: Joshua Rogers (Opera).
+  - Respect DESTDIR when considering whether or not to install
+    config files with ".new" extension.
+  - OpenSSL ssl_store_cert(): Fix two error messages.
+  - Fix a couple of format specifiers.
+  - Silence compiler warnings when compiling with NDEBUG.
+  - fuzz_server_header(): Fix compiler warning.
+  - fuzz_client_header(): Fix compiler warning.
+  - cgi_send_user_manual(): Also reject requests if the user-manual
+    directive specifies a https:// URL. Previously Privoxy would try and
+    fail to open a local file.
+
+- General improvements:
+  - Log the TLS version and the the cipher when debug 2 is enabled.
+  - ssl_send_certificate_error(): Respect HEAD requests by not sending a body.
+  - ssl_send_certificate_error(): End the body with a single new line.
+  - serve(): Increase the chances that the host is logged when closing
+    a server socket.
+  - handle_established_connection(): Add parentheses to clarify an expression
+    Suggested by: David Binderman
+  - continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE
+    if process_encrypted_request() fails. This makes it more obvious that the
+    connection will not be reused. Previously serve() relied on
+    CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset.
+    Inspired by a patch from Joshua Rogers (Opera).
+  - decompress_iob(): Add periods to a couple of log messages
+  - Terminate the body of the HTTP snipplets with a single new line
+    instead of "\r\n".
+  - configure: Add --with-assertions option and only enable assertions
+    when it is used
+  - windows build: Use --with-brotli and --with-mbedtls by default and
+    enable dynamic error checking.
+  - gif_deanimate(): Confirm we've got an image before trying to write it
+    Saves a pointless buf_copy() call.
+  - OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number.
+
+- Action file improvements:
+  - Disable fast-redirects for .golem.de/
+  - Unblock requests to adri*.
+  - Block requests for trc*.taboola.com/
+  - Disable fast-redirects for .linkedin.com/
+
+- Filter file improvements:
+  - Make the second pcrs job of the img-reorder filter greedy again.
+    The ungreedy version broke the img tags on:
+    https://bulk.fefe.de/scalability/.
+
+- Privoxy-Log-Parser:
+  - Highlight a few more messages.
+  - Clarify the --statistics output. The shown "Reused connections"
+    are server connections so name them appropriately.
+  - Bump version to 0.9.3.
+
+- Privoxy-Regression-Test:
+  - Add the --check-bad-ssl option to the --help output.
+  - Bump version to 0.7.3.
+
+- Documentation:
+  - Add pushing the created tag to the release steps in the developer manual.
+  - Clarify that 'debug 32768' should be used in addition to the other debug
+    directives when reporting problems.
+  - Add a 'Third-party licenses and copyrights' section to the user manual.
+
+*** Version 3.0.31 stable ***
+
+- Security/Reliability:
+  - Prevent an assertion from getting triggered by a crafted CGI request.
+    Commit 5bba5b89193fa. OVE-20210130-0001. CVE-2021-20217.
+    Reported by: Joshua Rogers (Opera)
+  - Fixed a memory leak when decompression fails "unexpectedly".
+    Commit f431d61740cc0. OVE-20210128-0001. CVE-2021-20216.
+
+- Bug fixes:
+  - Fixed detection of insufficient data for decompression.
+    Previously Privoxy could try to decompress a partly
+    uninitialized buffer.
+
+*** Version 3.0.30 stable ***

 
 - Bug fixes:
   - Check the actual URL for redirects when https inspecting requests.
 
 - Bug fixes:
   - Check the actual URL for redirects when https inspecting requests.


@@ -17,19 +200,21 @@ ChangeLog for Privoxy
     This unbreaks (at least) https://config.privoxy.org/client-tags whose
     buttons would previously use a http:// URL resulting in browser warnings.
   - Support using https-inspection and client-header-order at the same time.
     This unbreaks (at least) https://config.privoxy.org/client-tags whose
     buttons would previously use a http:// URL resulting in browser warnings.
   - Support using https-inspection and client-header-order at the same time.

-    Privously Privoxy would crash.
+    Previously Privoxy would crash.

     Reported by: Kai Raven
   - Properly reject rewrites from http to https as they currently
     aren't supported. Previously Privoxy would wait for the client
     to establish an encrypted connection which obviously would not happen.
     Reported by: Kai Raven
   - Properly reject rewrites from http to https as they currently
     aren't supported. Previously Privoxy would wait for the client
     to establish an encrypted connection which obviously would not happen.

-  - When HTTPS inspection is enabled and Privoxy has been compiled with
+  - When https inspection is enabled and Privoxy has been compiled with

     FEATURE_GRACEFUL_TERMINATION (not recommended for production builds),
     FEATURE_GRACEFUL_TERMINATION (not recommended for production builds),

-    the the TLS backend resources are free'd later on and only if no active
+    the TLS backend resources are free'd later on and only if no active

     connections are left. Prevents crashes when exiting "gracefully" at the
     wrong time.
     connections are left. Prevents crashes when exiting "gracefully" at the
     wrong time.

+  - Let the uninstall target remove the config file even if DESTDIR
+    is set and properly announce the deletion of the configuration files.

 
 - General improvements:
 
 - General improvements:

-  - Allow to rewrite the request destination for https-intercepted
+  - Allow to rewrite the request destination for https-inspected

     requests behind the client's back. The documentation already sort
     of claimed that it was supported by not especially mentioning that
     it didn't work for https-inspected requests.
     requests behind the client's back. The documentation already sort
     of claimed that it was supported by not especially mentioning that
     it didn't work for https-inspected requests.


@@ -57,12 +242,11 @@ ChangeLog for Privoxy
     fatal error so the regression tests can be used with and
     without FEATURE_PCRE_HOST_PATTERNS.
   - The code compiles with older C compilers again.
     fatal error so the regression tests can be used with and
     without FEATURE_PCRE_HOST_PATTERNS.
   - The code compiles with older C compilers again.

-  - Check the chdir() return code to fix a compiler warning.
-  - Let the crude-parental filter insert a link to Privoxy's webinterface.
-  - Remove the packages feed from the source tarball.
+  - The chdir() return code is checked to fix a compiler warning.
+  - The packages feed has been removed from the source tarball.

     It's usually out of date when the source tarball is generated
     for the release.
     It's usually out of date when the source tarball is generated
     for the release.

-  - Fix harmless compiler warnings from GCC9 with -D_FORTIFY_SOURCE=2.
+  - Fixed harmless compiler warnings from GCC9 with -D_FORTIFY_SOURCE=2.

   - windows: Remove obsolete '$(DEST)/doc/images' target.
   - windows: Install the images referenced in the user manual.
   - Remove obsolete 'gnu_regex.@OBJEXT@' target.
   - windows: Remove obsolete '$(DEST)/doc/images' target.
   - windows: Install the images referenced in the user manual.
   - Remove obsolete 'gnu_regex.@OBJEXT@' target.


@@ -70,11 +254,8 @@ ChangeLog for Privoxy
     directory which is no longer used. The images were relocated to
     the user-manual directory years ago.
   - Add new FEATURES to the show-status page and resort list.
     directory which is no longer used. The images were relocated to
     the user-manual directory years ago.
   - Add new FEATURES to the show-status page and resort list.

-  - OpenSSL create_client_ssl_connection(): Remove unused variable.
+  - Remove unused variable in the OpenSSL-specific code.

   - Update bug tracker URL in cgi_error_unknown().
   - Update bug tracker URL in cgi_error_unknown().

-  - Properly deal with host certificates without keys and keys without
-    host certificate which may be left over from a previous Privoxy run
-    with incorrect configuration.

   - Saved a couple of memory allocations when sorting client headers.
   - Improved a couple of error messages.
   - Saved memory allocations when using OpenSSL and checking if a
   - Saved a couple of memory allocations when sorting client headers.
   - Improved a couple of error messages.
   - Saved memory allocations when using OpenSSL and checking if a


@@ -82,9 +263,9 @@ ChangeLog for Privoxy
   - The configure script will bail out if OpenSSL and mbedTLS are
     enabled at the same time.
   - Log a message right before exiting gracefully.
   - The configure script will bail out if OpenSSL and mbedTLS are
     enabled at the same time.
   - Log a message right before exiting gracefully.

-  - A couple of structure have been rearranged to require slightly
+  - A couple of structures have been rearranged to require slightly

     less memory.
     less memory.

-  - When HTTPs inspection is enabled and the certificate is invalid
+  - When https inspection is enabled and the certificate is invalid

     the error message is now sent with status code 403 instead of 200.
   - The Slackware rc script template has been renamed to
     slackware/rc.privoxy.in to silence complaints when building
     the error message is now sent with status code 403 instead of 200.
   - The Slackware rc script template has been renamed to
     slackware/rc.privoxy.in to silence complaints when building


@@ -92,7 +273,6 @@ ChangeLog for Privoxy
   - When building with MbedTLS support, mbedtls_md5_ret() is used
     instead of mbedtls_md5() which is deprecated and causes a warning
     on Debian GNU/Linux.
   - When building with MbedTLS support, mbedtls_md5_ret() is used
     instead of mbedtls_md5() which is deprecated and causes a warning
     on Debian GNU/Linux.

-  - The man page has been moved from section 1 to man section 8.

 
 - Action file improvements:
   - Block requests to eu-tlp03.kameleoon.com/.
 
 - Action file improvements:
   - Block requests to eu-tlp03.kameleoon.com/.


@@ -112,7 +292,7 @@ ChangeLog for Privoxy
   - Block requests for trc-events.taboola.com/.
 
 - Filter file improvements:
   - Block requests for trc-events.taboola.com/.
 
 - Filter file improvements:

-  - Added new 'allow-autocompletion' filter which changes
+  - A allow-autocompletion filter has been added which changes

     autocomplete="off" to "on" on input fields to allow autocompletion.
     Requested by Jamie Zawinski in #370.
     Filter based on a submission by Aaron Linville.
     autocomplete="off" to "on" on input fields to allow autocompletion.
     Requested by Jamie Zawinski in #370.
     Filter based on a submission by Aaron Linville.


@@ -122,21 +302,22 @@ ChangeLog for Privoxy
   - Added a github filter that removes the annoying "Sign-Up"
     banner and the Cookie disclaimer.
   - Removed a duplicated pcrs command from the js-annoyances filter.
   - Added a github filter that removes the annoying "Sign-Up"
     banner and the Cookie disclaimer.
   - Removed a duplicated pcrs command from the js-annoyances filter.

-  - The crude-parental filter provides a short reason when blocking
-    add inserts a new line at the end of the block page.
+  - The crude-parental filter now provides a short reason when blocking,
+    inserts a link to Privoxy's webinterface and adds a new line at
+    the end of the generated page.

 
 

-- privoxy-log-parser:
+- Privoxy-Log-Parser:

   - Highlight a few more messages.
   - Add a handler for tagging messages.
   - Highlight a few more messages.
   - Add a handler for tagging messages.

-  - Bump version to 0.9.2.

   - Properly deal with 'Certificate error' crunches
     Previously the error description was highlighted as 'host'.
   - Log truncated LOG_LEVEL_CLF messages more gracefully
   - Properly deal with 'Certificate error' crunches
     Previously the error description was highlighted as 'host'.
   - Log truncated LOG_LEVEL_CLF messages more gracefully

-    and note that the statistics will be inprecise.
+    and note that the statistics will be imprecise.

   - Fixed perldoc typo.
   - Fixed perldoc typo.

+  - Bump version to 0.9.2.

 
 

-- privoxy-regression-test:
-  - Use http://127.0.0.1:8118/ as default privoxy address
+- Privoxy-Regression-Test:
+  - Use http://127.0.0.1:8118/ as default Privoxy address

     unless http_proxy is set through the environment.
   - Add a --privoxy-cgi-prefix option that specifies the prefix
     to use when building URLs that are supposed to reach Privoxy's
     unless http_proxy is set through the environment.
   - Add a --privoxy-cgi-prefix option that specifies the prefix
     to use when building URLs that are supposed to reach Privoxy's


@@ -160,17 +341,20 @@ ChangeLog for Privoxy
     "TAG:^(application|text)/(x-)?javascript$".
   - When get_cgi_page_or_else() fails, include the URL of the
     requested page in the log message.
     "TAG:^(application|text)/(x-)?javascript$".
   - When get_cgi_page_or_else() fails, include the URL of the
     requested page in the log message.

-  - privoxy-regression-test: Bump version to 0.7.2
+  - Added a --check-bad-ssl option that can be used to verify that
+    Privoxy detects certificate problems when accessing the test
+    sites from badssl.com.
+  - Bumped version to 0.7.2

 
 - uagen:
   - Update example output.
   - Recommend the use of the https-inspection action in the documentation.
   - Upgrade a couple of URLs to https://.
   - Add ElectroBSD to the list of operating systems.
 
 - uagen:
   - Update example output.
   - Recommend the use of the https-inspection action in the documentation.
   - Upgrade a couple of URLs to https://.
   - Add ElectroBSD to the list of operating systems.

-  - Bump generated Firefox version to 78 (ESR).
-  - Bump version to 1.2.2.
+  - Bumped generated Firefox version to 78 (ESR).
+  - Bumped version to 1.2.2.

 
 

- - User Documentation:
+ - User documentation:

   - Remove reference to 'How to Report Bugs Effectively'.
     It was only rendered as text without URL in the README anyway
     and there's no indication that users read it ...
   - Remove reference to 'How to Report Bugs Effectively'.
     It was only rendered as text without URL in the README anyway
     and there's no indication that users read it ...


@@ -224,7 +408,7 @@ ChangeLog for Privoxy
   - Replace CVS reference with git.
   - Mention regression-tests.action in the config file.
   - Explicitly mention in the config file that access to the
   - Replace CVS reference with git.
   - Mention regression-tests.action in the config file.
   - Explicitly mention in the config file that access to the

-    ca key should be limited to Privoxy.
+    CA key should be limited to Privoxy.

   - List more client-specific-tag examples for inspiration.
   - Add additional headers to the client-header-order example.
   - Note that actions aren't updated after rewrites.
   - List more client-specific-tag examples for inspiration.
   - Add additional headers to the client-header-order example.
   - Note that actions aren't updated after rewrites.


@@ -233,8 +417,10 @@ ChangeLog for Privoxy
   - Note that protocol and host have to be added when rewriting
     the destination host for https-inspected requests.
   - Explicitly mention that the CA key is used to sign certificates.
   - Note that protocol and host have to be added when rewriting
     the destination host for https-inspected requests.
   - Explicitly mention that the CA key is used to sign certificates.

+  - Put openssl command in 'command' tags.
+  - The man page has been moved from section 1 to man section 8.

 
 

-- Developer Manual:
+- Developer manual:

   - Flesh out the build instructions for Debian.
   - Remove the packaging instructions for RPM-based systems.
     They don't work and we don't release RPM packages anymore anyway.
   - Flesh out the build instructions for Debian.
   - Remove the packaging instructions for RPM-based systems.
     They don't work and we don't release RPM packages anymore anyway.


@@ -270,7 +456,6 @@ ChangeLog for Privoxy
     They are not actually available through git (yet).
   - Don't speak of Privoxy version 3 in the past tense.
   - Update the list of programs required for the release process.
     They are not actually available through git (yet).
   - Don't speak of Privoxy version 3 in the past tense.
   - Update the list of programs required for the release process.

-  - Put openssl command in 'command' tags.

   - Update description of the webserver target which uses ssh, not scp.
   - Remove obsolete reference to config.new.
 
   - Update description of the webserver target which uses ssh, not scp.
   - Remove obsolete reference to config.new.
 


@@ -288,8 +473,10 @@ ChangeLog for Privoxy
   - Add a link to Privoxy-Regression-Test to regression-tests.action
     in case it isn't packaged.
   - Add regression tests for pcre host patterns.
   - Add a link to Privoxy-Regression-Test to regression-tests.action
     in case it isn't packaged.
   - Add regression tests for pcre host patterns.

+  - Fixed a regression test that is executed when
+    FEATURE_GRACEFUL_TERMINATION is enabled.

 
 

-- Privoxy Infrastructure:
+- Privoxy infrastructure:

   - Import a Privoxy logo for the website.
   - Update Tor onion service to HiddenServiceVersion 3.
   - Display the "model" photos in a single row and remove placeholder images.
   - Import a Privoxy logo for the website.
   - Update Tor onion service to HiddenServiceVersion 3.
   - Display the "model" photos in a single row and remove placeholder images.


@@ -303,32 +490,33 @@ ChangeLog for Privoxy
   - Fixed memory leaks when a response is buffered and the buffer
     limit is reached or Privoxy is running out of memory.
     Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
   - Fixed memory leaks when a response is buffered and the buffer
     limit is reached or Privoxy is running out of memory.
     Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.

+    CVE-2020-35502.

     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no action files are configured. Commit c62254a686.
     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no action files are configured. Commit c62254a686.

-    OVE-20201118-0002.
+    OVE-20201118-0002. CVE-2021-20209.

     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no filter files are configured. Commit 1b1370f7a8a.
     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no filter files are configured. Commit 1b1370f7a8a.

-    OVE-20201118-0003.
+    OVE-20201118-0003. CVE-2021-20210.

     Sponsored by: Robert Klemme
   - Fixes a memory leak when client tags are active.
     Sponsored by: Robert Klemme
   - Fixes a memory leak when client tags are active.

-    Commit 245e1cf32. OVE-20201118-0004.
+    Commit 245e1cf32. OVE-20201118-0004. CVE-2021-20211.

     Sponsored by: Robert Klemme
   - Fixed a memory leak if multiple filters are executed
     and the last one is skipped due to a pcre error.
     Sponsored by: Robert Klemme
   - Fixed a memory leak if multiple filters are executed
     and the last one is skipped due to a pcre error.

-    Commit 5cfb7bc8fe. OVE-20201118-0005.
+    Commit 5cfb7bc8fe. OVE-20201118-0005. CVE-2021-20212.

   - Prevent an unlikely dereference of a NULL-pointer that
     could result in a crash if accept-intercepted-requests
     was enabled, Privoxy failed to get the request destination
     from the Host header and a memory allocation failed.
   - Prevent an unlikely dereference of a NULL-pointer that
     could result in a crash if accept-intercepted-requests
     was enabled, Privoxy failed to get the request destination
     from the Host header and a memory allocation failed.

-    Commit 7530132349. CID 267165. OVE-20201118-0006.
+    Commit 7530132349. CID 267165. OVE-20201118-0006. CVE-2021-20213.

   - Fixed memory leaks in the client-tags CGI handler when
     client tags are configured and memory allocations fail.
   - Fixed memory leaks in the client-tags CGI handler when
     client tags are configured and memory allocations fail.

-    Commit cf5640eb2a. CID 267168. OVE-20201118-0007.
+    Commit cf5640eb2a. CID 267168. OVE-20201118-0007. CVE-2021-20214.

   - Fixed memory leaks in the show-status CGI handler when memory
     allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
   - Fixed memory leaks in the show-status CGI handler when memory
     allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.

-    CID 305233. OVE-20201118-0008.
+    CID 305233. OVE-20201118-0008. CVE-2021-20215.

 
 - General improvements:
   - Added experimental https inspection support which allows to filter
 
 - General improvements:
   - Added experimental https inspection support which allows to filter