X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=ChangeLog;h=4a02dc74c237d24ea1a06ea20bc1eb18f17e8158;hb=95be250e5c7527da293cb7110622e681fd07f1d1;hp=b382fc205cf92aadb1237a2f0d41c7de3fbe6dc4;hpb=e812bd191df0835cef4a4d21234338c0022ede18;p=privoxy.git

diff --git a/ChangeLog b/ChangeLog
index b382fc20..4a02dc74 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,30 @@ ChangeLog for Privoxy
 --------------------------------------------------------------------
 *** Version 3.0.32 stable ***
 
+- Security/Reliability:
+  - ssplit(): Remove an assertion that could be triggered with a
+    crafted CGI request.
+    Commit 2256d7b4d67. OVE-20210203-0001. CVE-2021-20272.
+    Reported by: Joshua Rogers (Opera)
+  - cgi_send_banner(): Overrule invalid image types. Prevents a
+    crash with a crafted CGI request if Privoxy is toggled off.
+    Commit e711c505c48. OVE-20210206-0001. CVE-2021-20273.
+    Reported by: Joshua Rogers (Opera)
+  - socks5_connect(): Don't try to send credentials when none are
+    configured. Fixes a crash due to a NULL-pointer dereference
+    when the socks server misbehaves.
+    Commit 85817cc55b9. OVE-20210207-0001. CVE-2021-20274.
+    Reported by: Joshua Rogers (Opera)
+  - chunked_body_is_complete(): Prevent an invalid read of size two.
+    Commit a912ba7bc9c. OVE-20210205-0001. CVE-2021-20275.
+    Reported by: Joshua Rogers (Opera)
+  - Obsolete pcre: Prevent invalid memory accesses with an invalid
+    pattern passed to pcre_compile(). Note that the obsolete pcre code
+    is scheduled to be removed before the 3.0.33 release. There has been
+    a warning since 2008 already.
+    Commit 28512e5b624. OVE-20210222-0001. CVE-2021-20276.
+    Reported by: Joshua Rogers (Opera)
+
 - Bug fixes:
   - Properly parse the client-tag-lifetime directive. Previously it was
     not accepted as an obsolete hash value was being used.
@@ -35,10 +59,7 @@ ChangeLog for Privoxy
     fail to open a local file.
 
 - General improvements:
-  - Log the TLS version and the the cipher when debug 2 is enabled..
-  - configure.in: Add a warning that the obsolete pcre code is scheduled
-    to be removed before the 3.0.33 release. There has been a warning since
-    since 2008 already.
+  - Log the TLS version and the the cipher when debug 2 is enabled.
   - ssl_send_certificate_error(): Respect HEAD requests by not sending a body.
   - ssl_send_certificate_error(): End the body with a single new line.
   - serve(): Increase the chances that the host is logged when closing
@@ -59,6 +80,7 @@ ChangeLog for Privoxy
     enable dynamic error checking.
   - gif_deanimate(): Confirm we've got an image before trying to write it
     Saves a pointless buf_copy() call.
+  - OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number.
 
 - Action file improvements:
   - Disable fast-redirects for .golem.de/
@@ -73,6 +95,9 @@ ChangeLog for Privoxy
 
 - Privoxy-Log-Parser:
   - Highlight a few more messages.
+  - Clarify the --statistics output. The shown "Reused connections"
+    are server connections so name them appropriately.
+  - Bump version to 0.9.3.
 
 - Privoxy-Regression-Test:
   - Add the --check-bad-ssl option to the --help output.
@@ -80,6 +105,9 @@ ChangeLog for Privoxy
 
 - Documentation:
   - Add pushing the created tag to the release steps in the developer manual.
+  - Clarify that 'debug 32768' should be used in addition to the other debug
+    directives when reporting problems.
+  - Add a 'Third-party licenses and copyrights' section to the user manual.
 
 *** Version 3.0.31 stable ***