Added an entry for the _privoxy user account deletion issue when upgrading to OS...

[privoxy.git] / doc / source / changelog.sgml

diff --git a/doc/source/changelog.sgml b/doc/source/changelog.sgml
index e75d284..c2812ba 100644 (file)
--- a/doc/source/changelog.sgml
+++ b/doc/source/changelog.sgml
@@ -3,7 +3,7 @@
 
  Purpose     :  Entity included in other project documents.
 
- $Id: changelog.sgml,v 2.3 2013/03/02 14:40:18 fabiankeil Exp $
+ $Id: changelog.sgml,v 2.6 2013/03/07 14:26:47 fabiankeil Exp $
 
  Copyright (C) 2013 Privoxy Developers http://www.privoxy.org/
  See LICENSE.
@@ -22,9 +22,8 @@
 
 <para>
  <application>Privoxy 3.0.21</application> stable is a bug-fix release
- for Privoxy 3.0.20 beta. It also addresses a security issue that affects
- all previous Privoxy versions (on some platforms). The changes since
- 3.0.20 beta are:
+ for Privoxy 3.0.20 beta. It addresses two security issues that
+ affect all previous Privoxy versions. The changes since 3.0.20 beta are:
 </para>
 
 <!--
@@ -44,6 +43,15 @@
       the limit to be reached.
      </para>
     </listitem>
+    <listitem>
+     <para>
+      Proxy authentication headers are removed unless the new directive
+      enable-proxy-authentication-forwarding is used. Forwarding the
+      headers potentially allows malicious sites to trick the user
+      into providing them with login information.
+      Reported by Chris John Riley.
+     </para>
+    </listitem>
     <listitem>
      <para>
       Compiles on OS/2 again now that unistd.h is only included