X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=doc%2Fwebserver%2Fannounce.txt;h=20cdfd4b69079b555e8ff57d535113be828f0ee2;hb=95923775ba5f094b8a09499e7c1e45f4e58074f3;hp=4f4619629d328e6497d0702ff2dfc813dc64299b;hpb=ba8960eb015a81b467026ee4670ddbecd718d040;p=privoxy.git diff --git a/doc/webserver/announce.txt b/doc/webserver/announce.txt index 4f461962..20cdfd4b 100644 --- a/doc/webserver/announce.txt +++ b/doc/webserver/announce.txt 
@@ -1,47 +1,117 @@ - Announcing Privoxy v.3.0.12 ------------------------------------------------------------------ - -Privoxy 3.0.12-stable is primarily a bugfix release. + Announcing Privoxy 3.0.32 stable +-------------------------------------------------------------------- -See http://www.privoxy.org/3.0.12/user-manual/whatsnew.html for details. +Privoxy 3.0.32 fixes multiple DoS issues and a couple of other bugs. +The issues also affect earlier Privoxy releases. -------------------------------------------------------------------- -ChangeLog for Privoxy +ChangeLog for Privoxy 3.0.32 -------------------------------------------------------------------- -*** Version 3.0.12 *** - -- The socket-timeout option now also works on platforms whose - select() implementation modifies the timeout structure. - Previously the timeout was triggered even if the connection - didn't stall. Reported by cyberpatrol. -- The Connection: keep-alive code properly deals with files - larger than 2GB. Previously the connection was closed too - early. -- The content length for files above 2GB is logged correctly. -- The user-manual directive on the show-status page links to - the documentation location specified with the directive, - not to the Privoxy website. -- When running in daemon mode, Privoxy doesn't log anything - to the console unless there are errors before the logfile - has been opened. -- The show-status page prints warnings about invalid directives - on the same line as the directives themselves. -- Fixed several justified (but harmless) compiler warnings, - mostly on 64 bit platforms. -- The mingw32 version explicitly requests the default charset - to prevent display problems with some fonts available on more - recent Windows versions. Patch by Burberry. -- The mingw32 version uses the Privoxy icon in the alt-tab - windows. Patch by Burberry. -- The timestamp and the thread id is omitted in the "Fatal error" - message box on mingw32. 
-- Fixed two related mingw32-only buffer overflows. Triggering - them required control over the configuration file, therefore - this isn't seen as a security issue. -- In verbose mode, or if the new option --show-skipped-tests - is used, Privoxy-Regression-Test logs skipped tests and the - skip reason. - +- Security/Reliability: + - ssplit(): Remove an assertion that could be triggered with a + crafted CGI request. + Commit 2256d7b4d67. OVE-20210203-0001. + Reported by: Joshua Rogers (Opera) + - cgi_send_banner(): Overrule invalid image types. Prevents a + crash with a crafted CGI request if Privoxy is toggled off. + Commit e711c505c48. OVE-20210206-0001. + Reported by: Joshua Rogers (Opera) + - socks5_connect(): Don't try to send credentials when none are + configured. Fixes a crash due to a NULL-pointer dereference + when the socks server misbehaves. + Commit 85817cc55b9. OVE-20210207-0001. + Reported by: Joshua Rogers (Opera) + - chunked_body_is_complete(): Prevent an invalid read of size two. + Commit a912ba7bc9c. OVE-20210205-0001. + Reported by: Joshua Rogers (Opera) + - Obsolete pcre: Prevent invalid memory accesses with an invalid + pattern passed to pcre_compile(). Note that the obsolete pcre code + is scheduled to be removed before the 3.0.33 release. There has been + a warning since 2008 already. + Commit 28512e5b624. OVE-20210222-0001. + Reported by: Joshua Rogers (Opera) + +- Bug fixes: + - Properly parse the client-tag-lifetime directive. Previously it was + not accepted as an obsolete hash value was being used. + Reported by: Joshua Rogers (Opera) + - decompress_iob(): Prevent reading of uninitialized data. + Reported by: Joshua Rogers (Opera). + - decompress_iob(): Don't advance cur past eod when looking + for the end of the file name and comment. + - decompress_iob(): Cast value to unsigned char before shifting. + Prevents a left-shift of a negative value which is undefined behaviour. 
+ Reported by: Joshua Rogers (Opera) + - gif_deanimate(): Confirm that that we have enough data before doing + any work. Fixes a crash when fuzzing with an empty document. + Reported by: Joshua Rogers (Opera). + - buf_copy(): Fail if there's no data to write or nothing to do. + Prevents undefined behaviour "applying zero offset to null pointer". + Reported by: Joshua Rogers (Opera) + - log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is + being used while fuzzing. + Reported by: Joshua Rogers (Opera). + - Respect DESTDIR when considering whether or not to install + config files with ".new" extension. + - OpenSSL ssl_store_cert(): Fix two error messages. + - Fix a couple of format specifiers. + - Silence compiler warnings when compiling with NDEBUG. + - fuzz_server_header(): Fix compiler warning. + - fuzz_client_header(): Fix compiler warning. + - cgi_send_user_manual(): Also reject requests if the user-manual + directive specifies a https:// URL. Previously Privoxy would try and + fail to open a local file. + +- General improvements: + - Log the TLS version and the the cipher when debug 2 is enabled. + - ssl_send_certificate_error(): Respect HEAD requests by not sending a body. + - ssl_send_certificate_error(): End the body with a single new line. + - serve(): Increase the chances that the host is logged when closing + a server socket. + - handle_established_connection(): Add parentheses to clarify an expression + Suggested by: David Binderman + - continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE + if process_encrypted_request() fails. This makes it more obvious that the + connection will not be reused. Previously serve() relied on + CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset. + Inspired by a patch from Joshua Rogers (Opera). + - decompress_iob(): Add periods to a couple of log messages + - Terminate the body of the HTTP snipplets with a single new line + instead of "\r\n". 
+ - configure: Add --with-assertions option and only enable assertions + when it is used + - windows build: Use --with-brotli and --with-mbedtls by default and + enable dynamic error checking. + - gif_deanimate(): Confirm we've got an image before trying to write it + Saves a pointless buf_copy() call. + - OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number. + +- Action file improvements: + - Disable fast-redirects for .golem.de/ + - Unblock requests to adri*. + - Block requests for trc*.taboola.com/ + - Disable fast-redirects for .linkedin.com/ + +- Filter file improvements: + - Make the second pcrs job of the img-reorder filter greedy again. + The ungreedy version broke the img tags on: + https://bulk.fefe.de/scalability/. + +- Privoxy-Log-Parser: + - Highlight a few more messages. + - Clarify the --statistics output. The shown "Reused connections" + are server connections so name them appropriately. + - Bump version to 0.9.3. + +- Privoxy-Regression-Test: + - Add the --check-bad-ssl option to the --help output. + - Bump version to 0.7.3. + +- Documentation: + - Add pushing the created tag to the release steps in the developer manual. + - Clarify that 'debug 32768' should be used in addition to the other debug + directives when reporting problems. + - Add a 'Third-party licenses and copyrights' section to the user manual. ----------------------------------------------------------------- About Privoxy: 
@@ -54,70 +124,72 @@ flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks. -Privoxy is Free Software and licensed under the GPL2. +Privoxy is Free Software and licensed under the GNU GPLv2. + +Our TODO list is rather long. Helping hands and donations are welcome: + + * https://www.privoxy.org/participate -At present, Privoxy is known to run on Windows(95, 98, ME, 2000, -XP, Vista), Linux (Ubuntu, RedHat, SuSE, Debian, Fedora, Gentoo and -others), Mac OSX, OS/2, AmigaOS, FreeBSD, NetBSD, OpenBSD, Solaris, and -various other flavors of Unix. + * https://www.privoxy.org/donate + +At present, Privoxy is known to run on Windows 95 and later versions +(98, ME, 2000, XP, Vista, Windows 7, Windows 10 etc.), GNU/Linux +(RedHat, SuSE, Debian, Fedora, Gentoo, Slackware and others), +Mac OS X (10.4 and upwards on PPC and Intel processors), Haiku, +DragonFly, ElectroBSD, FreeBSD, NetBSD, OpenBSD, Solaris, +and various other flavors of Unix. In addition to the core features of ad blocking and cookie management, Privoxy provides many supplemental features, that give the end-user more control, more privacy and more freedom: + * Supports "Connection: keep-alive". Outgoing connections can be kept + alive independently from the client. Currently not available on all + platforms. - * Can keep outgoing connections alive and reuse them later on. - - * Supports tagging which allows to change the behaviour based on client - and server headers. - - * Can be run as an "intercepting" proxy, which obviates the need to - configure browsers individually. + * Supports IPv6, provided the operating system does so too, + and the configure script detects it. - * Sophisticated actions and filters for manipulating both server and - client headers. + * Supports tagging which allows to change the behaviour based on client + and server headers. - * Can be chained with other proxies. 
+ * Supports https inspection which allows to filter https requests. - * Integrated browser based configuration and control utility at - http://config.privoxy.org/ (shortcut: http://p.p/). Browser-based - tracing of rule and filter effects. Remote toggling. + * Can be run as an "intercepting" proxy, which obviates the need to + configure browsers individually. - * Web page filtering (text replacements, removes banners based on size, - invisible "web-bugs", JavaScript and HTML annoyances, pop-up windows, - etc.) + * Sophisticated actions and filters for manipulating both server and + client headers. - * Modularized configuration that allows for standard settings and user - settings to reside in separate files, so that installing updated actions - files won't overwrite individual user settings. + * Can be chained with other proxies. - * Support for Perl Compatible Regular Expressions in the configuration - files, and a more sophisticated and flexible configuration syntax. + * Integrated browser based configuration and control utility at + http://config.privoxy.org/ (shortcut: http://p.p/). Browser-based + tracing of rule and filter effects. Remote toggling. - * Improved cookie management features (e.g. session based cookies). + * Web page filtering (text replacements, removes banners based on size, + invisible "web-bugs" and HTML annoyances, etc.) - * GIF de-animation. + * Modularized configuration that allows for standard settings and user + settings to reside in separate files, so that installing updated actions + files won't overwrite individual user settings. - * Bypass many click-tracking scripts (avoids script redirection). + * Support for Perl Compatible Regular Expressions in the configuration + files, and a more sophisticated and flexible configuration syntax. - * Multi-threaded (POSIX and native threads). + * GIF de-animation. - * User-customizable HTML templates for most proxy-generated pages (e.g. - "blocked" page). 
+ * Bypass many click-tracking scripts (avoids script redirection). - * Auto-detection and re-reading of config file changes. + * User-customizable HTML templates for most proxy-generated pages (e.g. + "blocked" page). - * Improved signal handling, and a true daemon mode (Unix). - - * Every feature now controllable on a per-site or per-location basis, - configuration more powerful and versatile over-all. + * Auto-detection and re-reading of config file changes. + * Most features are controllable on a per-site or per-location basis. -Download location: - http://sourceforge.net/project/showfiles.php?group_id=11118 - -Home Page: - http://www.privoxy.org/ +Home Page: + https://www.privoxy.org/ - - Privoxy Developers + - Privoxy Developers
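Review bot: the new changelog text in the first hunk (the "Announcing Privoxy 3.0.32 stable" block) carries typos that will ship in the release announcement: "Confirm that that we have enough data" in the gif_deanimate() entry, "Log the TLS version and the the cipher" under General improvements, and "HTTP snipplets", which should read "HTTP snippets". Trailing punctuation is also inconsistent: "Reported by: Joshua Rogers (Opera)." ends with a period in some entries and not in others, and entries such as "Add parentheses to clarify an expression" and "only enable assertions when it is used" end without one. Separately, every Security/Reliability entry cites a commit hash and an OVE id, but the crash and undefined-behaviour fixes listed under "Bug fixes" (the decompress_iob() uninitialized read, the gif_deanimate() crash on an empty document, the buf_copy() "applying zero offset to null pointer" case) cite neither, which makes them harder to locate for anyone deciding what to backport; adding the commit ids there would keep the two lists consistent.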
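Review bot: two feature bullets added in the second hunk (the "About Privoxy" block) use the ungrammatical "allows to": "Supports tagging which allows to change the behaviour based on client and server headers." and "Supports https inspection which allows to filter https requests."; suggest "which makes it possible to change the behaviour" and "which makes it possible to filter https requests" (the tagging wording is carried over from the removed line, so this move is the chance to fix it). The hunk also drops the "Improved cookie management features", "Multi-threaded (POSIX and native threads)" and "Improved signal handling, and a true daemon mode (Unix)" bullets together with the "Download location" block without a note in the commit; if the feature removals are intentional that is fine, but a release announcement is normally expected to say where the release can be obtained, so consider keeping a download pointer next to "Home Page".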