X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=doc%2Fwebserver%2Fannounce.txt;h=35720d99d359c964401f3c9695b4200caf91c02b;hb=6dadc0ac614a34a3844029322dd0d2c057735052;hp=08eede0fff7eb885d3024403721d34d5c4a3885c;hpb=388adef56f800c8aefee9d1f488aa1718a9cc970;p=privoxy.git diff --git a/doc/webserver/announce.txt b/doc/webserver/announce.txt index 08eede0f..35720d99 100644 --- a/doc/webserver/announce.txt +++ b/doc/webserver/announce.txt @@ -1,127 +1,142 @@ - Announcing Privoxy 3.0.24 stable + Announcing Privoxy 3.0.34 stable -------------------------------------------------------------------- -Privoxy 3.0.24 stable contains a couple of new features but is -mainly a bug-fix release. Two of the fixed bugs are security issues -(CVE requests pending) and may be used to remotely trigger crashes -on platforms that carefully check memory accesses (most don't). +Privoxy 3.0.34 fixes a few minor bugs and comes with a couple of +general improvements and new features. -------------------------------------------------------------------- -ChangeLog for Privoxy +ChangeLog for Privoxy 3.0.34 -------------------------------------------------------------------- -- Security fixes (denial of service): - - Prevent invalid reads in case of corrupt chunk-encoded content. - Bug discovered with afl-fuzz and AddressSanitizer. - - Remove empty Host headers in client requests. - Previously they would result in invalid reads. - Bug discovered with afl-fuzz and AddressSanitizer. - - Bug fixes: - - When using socks5t, send the request body optimistically as well. - Previously the request body wasn't guaranteed to be sent at all - and the error message incorrectly blamed the server. - Fixes #1686 reported by Peter Müller and G4JC. - - Fixed buffer scaling in execute_external_filter() that could lead - to crashes. Submitted by Yang Xia in #892. - - Fixed crashes when executing external filters on platforms like - Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@ - - Properly parse ACL directives with ports when compiled with HAVE_RFC2553. - Previously the port wasn't removed from the host and in case of - 'permit-access 127.0.0.1 example.org:80' Privoxy would try (and fail) - to resolve "example.org:80" instead of example.org. - Reported by Pak Chan on ijbswa-users@. - - Check requests more carefully before serving them forcefully - when blocks aren't enforced. Privoxy always adds the force token - at the beginning of the path, but would previously accept it anywhere - in the request line. This could result in requests being served that - should be blocked. For example in case of pages that were loaded with - force and contained JavaScript to create additionally requests that - embed the origin URL (thus inheriting the force prefix). - The bug is not considered a security issue and the fix does not make - it harder for remote sites to intentionally circumvent blocks if - Privoxy isn't configured to enforce them. - Fixes #1695 reported by Korda. - - Normalize the request line in intercepted requests to make rewriting - the destination more convenient. Previously rewrites for intercepted - requests were expected to fail unless $hostport was being used, but - they failed "the wrong way" and would result in an out-of-memory - message (vanilla host patterns) or a crash (extended host patterns). - Reported by "Guybrush Threepwood" in #1694. - - Enable socket lingering for the correct socket. - Previously it was repeatedly enabled for the listen socket - instead of for the accepted socket. The bug was found by - code inspection and did not cause any (reported) issues. - - Detect and reject parameters for parameter-less actions. - Previously they were silently ignored. - - Fixed invalid reads in internal and outdated pcre code. - Found with afl-fuzz and AddressSanitizer. - - Prevent invalid read when loading invalid action files. - Found with afl-fuzz and AddressSanitizer. - - Windows build: Use the correct function to close the event handle. - It's unclear if this bug had a negative impact on Privoxy's behaviour. - Reported by Jarry Xu in #891. - - In case of invalid forward-socks5(t) directives, use the - correct directive name in the error messages. Previously they - referred to forward-socks4t failures. - Reported by Joel Verhagen in #889. + - Improve the handling of chunk-encoded responses by buffering the data + even if filters are disabled and properly keeping track of where the + various chunks are supposed to start and end. Previously Privoxy would + merely check the last bytes received to see if they looked like the + last-chunk. This failed to work if the last-chunk wasn't received in one + read and could also result in actual data being misdetected + as last-chunk. + Should fix: SF support request #1739. + Reported by: withoutname. + - remove_chunked_transfer_coding(): Refuse to de-chunk invalid data + Previously the data could get corrupted even further. + Now we simply pass the unmodified data to the client. + - gif_deanimate(): Tolerate multiple image extensions in a row. + This allows to deanimate all the gifs on: + https://commons.wikimedia.org/wiki/Category:Animated_smilies + Fixes SF bug #795 reported by Celejar. + - OpenSSL generate_host_certificate(): Use X509_get_subject_name() + instead of X509_get_issuer_name() to get the issuer for generated + website certificates so there are no warnings in the browser when using + an intermediate CA certificate instead of a self-signed root certificate. + Problem reported and patch submitted by Chakib Benziane. + - can_filter_request_body(): Fix a log message that contained a spurious u. + - handle_established_connection(): Check for pending TLS data from the client + before checking if data is available on the connection. + The TLS library may have already consumed all the data from the client + response in which case poll() and select() will not detect that data is + available to be read. + Sponsored by: Robert Klemme. + - ssl_send_certificate_error(): Don't crash if there's no certificate + information available. This is only relevant when Privoxy is built with + wolfSSL 5.0.0 or later (code not yet published). Earlier wolfSSL versions + or the other TLS backends don't seem to trigger the crash. + - socks5_connect(): Add support for target hosts specified as IPv4 address + Previously the IP address was sent as domain. - General improvements: - - Set NO_DELAY flag for the accepting socket. This significantly reduces - the latency if the operating system is not configured to set the flag - by default. Reported by Johan Sintorn in #894. - - Allow to build with mingw x86_64. Submitted by Rustam Abdullaev in #135. - - Introduce the new forwarding type 'forward-webserver'. - Currently it is only supported by the forward-override{} action and - there's no config directive with the same name. The forwarding type - is similar to 'forward', but the request line only contains the path - instead of the complete URL. - - The CGI editor no longer treats 'standard.action' special. - Nowadays the official "standards" are part of default.action - and there's no obvious reason to disallow editing them through - the cgi editor anyway (if the user decided that the lack of - authentication isn't an issue in her environment). - - Improved error messages when rejecting intercepted requests - with unknown destination. - - A couple of log messages now include the number of active threads. - - Removed non-standard Proxy-Agent headers in HTTP snipplets - to make testing more convenient. - - Include the error code for pcre errors Privoxy does not recognize. - - Config directives with numerical arguments are checked more carefully. - - Privoxy's malloc() wrapper has been changed to prevent zero-size - allocations which should only occur as the result of bugs. - - Various cosmetic changes. + - Add a client-body-tagger action which creates tags based on + the content of the request body. + Sponsored by: Robert Klemme. + - When client-body filters are enabled, buffer the whole request + before opening a connection to the server. + Makes it less likely that the server connection times out + and we don't open a connection if the buffering fails anyway. + Sponsored by: Robert Klemme. + - Add periods to a couple of log messages. + - accept_connection(): Add missing space to a log message. + - Initialize ca-related defaults with strdup_or_die() so errors + aren't silently ignored. + - make_path: Use malloc_or_die() in cases where allocation errors + were already fatal anyway. + - handle_established_connection(): Improve an error message slightly. + - receive_client_request(): Reject https URLs without CONNECT request. + - Include all requests in the statistics if mutexes are available. + Previously in case of reused connections only the last request got + counted. The statistics still aren't perfect but it's an improvement. + - Add read_socks_reply() and start using it in socks5_connect() + to apply the socket timeout more consistently. + - socks5_connect(): Deal with domain names in the socks reply + - Add a filter for bundeswehr.de that hides the cookie and + privacy info banner. - Action file improvements: - - Unblock ".deutschlandradiokultur.de/". - Reported by u302320 in #924. - - Add two fast-redirect exceptions for "yandex.ru". - - Disable filter{banners-by-size} for ".plasmaservice.de/". - - Unblock klikki.fi/adv/. - - Block requests for "resources.infolinks.com/". - Reported by "Black Rider" on ijbswa-users@. - - Block a bunch of criteo domains. - Reported by Black Rider. - - Block "abs.proxistore.com/abe/". - Reported by Black Rider. - - Disable filter{banners-by-size} for ".black-mosquito.org/". - - Disable fast-redirects for "disqus.com/". - -- Documentation improvements: - - FAQ: Explicitly point fingers at ASUS as an example of a - company that has been reported to force malware based on - Privoxy upon its customers. - - Correctly document the action type for a bunch of "multi-value" - actions that were incorrectly documented to be "parameterized". - Reported by Gregory Seidman on ijbswa-users@. - - Fixed the documented type of the forward-override{} action - which is obviously 'parameterized'. - -- Website improvements: - - Users who don't trust binaries served by SourceForge - can get them from a mirror. Migrating away from SourceForge - is planned for 2016 (TODO list item #53). - - The website is now available as onion service - (http://jvauzb4sb3bwlsnc.onion/). + - Disable filter{banners-by-size} for .freiheitsfoo.de/. + - Disable filter{banners-by-size} for freebsdfoundation.org/. + - Disable fast-redirects for consent.youtube.com/. + - Block requests to ups.xplosion.de/. + - Block requests for elsa.memoinsights.com/t. + - Fix a typo in a test. + - Disable fast-redirects for launchpad.net/. + - Unblock .eff.org/. + - Stop unblocking .org/.*(image|banner) which appears to be too generous + It let requests like: + https://stats.noblogs.org/piwik.php?action_name=anti%20gentrifizierungs%20fest&idsite=10175&rec=1&r=220192&h=17&m=7&s=44&url=https%3A%2F%2Fmuellemcalling.noblogs.org%2F&urlref=https%3A%2F%2Fmuellemcalling.noblogs.org%2Finfostande%2F&_id=&_idn=1&_refts=0&send_image=0&cookie=1&res=1366x768&pv_id=eqr7jX&pf_net=7&pf_srv=3&pf_tfr=2281&pf_dm1=156 + pass. + The example URL http://www.gnu.org/graphics/gnu-head-banner.png is + already unblocked due to .gnu.org being unblocked. + - Unblock adfd.org/. + - Disable filter{banners-by-link} for .eff.org/. + - Block requests to odb.outbrain.com/. + - Disable fast-redirects for .gandi.net/. + - Disable fast-redirects{} for .onion/.*/status/. + - Disable fast-redirects{} for twitter.com/.*/status/. + - Unblock pinkstinks.de/. + - Disable fast-redirects for .hagalil.com/. + +- Privoxy-Log-Parser: + - Bump version to 0.9.5. + - Highlight more log messages. + - Highlight the Crunch reason only once. Previously the "crunch reason" + could also be highlighted when the URL contained a matching string. + The real crunch reason only occurs once per line, so there's no need + to continue looking for it after it has been found once. + While at it, add a comment with an example log line. + +- uagen: + - Bump version to 1.2.4. + - Update BROWSER_VERSION and BROWSER_REVISION to 102.0 + to match the User-Agent of the current Firefox ESR. + - Explicitly document that changing the 'Gecko token' is suspicious. + - Consistently use a lower-case 'c' as copyright symbol. + - Bump copyright. + - Add 'aarch64' as Linux architecture. + - Add OpenBSD architecture 'arm64'. + - Stop using sparc64 as FreeBSD architecture. + It hasn't been supported for a while now. + +- Build system: + - Makefile: Add a 'dok' target that depends on the 'error' target + to show the "You are not using GNU make or did nor run configure" + message. + - configure: Fix --with-msan option. + Also (probably) reported by Andrew Savchenko. + +- macOS build system: + - Enable HTTPS inspection when building the macOS binary + (using OpenSSL as TLS library). + +- Documentation: + - Add OpenSSL to the list of libraries that may be licensed under the + Apache 2.0 license in which case the linked Privoxy binary has to be + distributed under the GPLv3 or later. + - config: Fix the documented ca-directory default value. + Reported by avoidr. + - Rebuild developer-manual and tidy with 'HTML Tidy for FreeBSD version 5.8.0'. + - Update developer manual with new macOS packaging instructions. + - Note that the FreeBSD installation instructions work for + ElectroBSD as well. + - Note that FreeBSD/ElectroBSD users can try to install Privoxy + as binary package using 'pkg'. ----------------------------------------------------------------- About Privoxy: @@ -138,15 +153,16 @@ Privoxy is Free Software and licensed under the GNU GPLv2. Our TODO list is rather long. Helping hands and donations are welcome: - * http://www.privoxy.org/faq/general.html#PARTICIPATE + * https://www.privoxy.org/participate - * http://www.privoxy.org/faq/general.html#DONATE + * https://www.privoxy.org/donate At present, Privoxy is known to run on Windows 95 and later versions -(98, ME, 2000, XP, Vista, Windows 7 etc.), GNU/Linux (RedHat, SuSE, -Debian, Fedora, Gentoo, Slackware and others), Mac OS X (10.4 and -upwards on PPC and Intel processors), OS/2, Haiku, DragonFly, ElectroBSD, -FreeBSD, NetBSD, OpenBSD, Solaris, and various other flavors of Unix. +(98, ME, 2000, XP, Vista, Windows 7, Windows 10 etc.), GNU/Linux +(RedHat, SuSE, Debian, Fedora, Gentoo, Slackware and others), +Mac OS X (10.4 and upwards on PPC and Intel processors), Haiku, +DragonFly, ElectroBSD, FreeBSD, NetBSD, OpenBSD, Solaris, +and various other flavors of Unix. In addition to the core features of ad blocking and cookie management, Privoxy provides many supplemental features, that give the end-user @@ -162,6 +178,8 @@ more control, more privacy and more freedom: * Supports tagging which allows to change the behaviour based on client and server headers. + * Supports https inspection which allows to filter https requests. + * Can be run as an "intercepting" proxy, which obviates the need to configure browsers individually. @@ -197,6 +215,6 @@ more control, more privacy and more freedom: Home Page: - http://www.privoxy.org/ + https://www.privoxy.org/ - - Privoxy Developers + - Privoxy Developers