[privoxy.git] / doc / webserver / user-manual / whatsnew.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
  <title>What's New in this Release</title>
  <meta name="GENERATOR" content=
  "Modular DocBook HTML Stylesheet Version 1.79">
  <link rel="HOME" title="Privoxy 3.0.24 User Manual" href="index.html">
  <link rel="PREVIOUS" title="Installation" href="installation.html">
  <link rel="NEXT" title="Quickstart to Using Privoxy" href=
  "quickstart.html">
  <link rel="STYLESHEET" type="text/css" href="../p_doc.css">
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
  <link rel="STYLESHEET" type="text/css" href="p_doc.css">
</head>

<body class="SECT1" bgcolor="#EEEEEE" text="#000000" link="#0000FF" vlink=
"#840084" alink="#0000FF">
  <div class="NAVHEADER">
    <table summary="Header navigation table" width="100%" border="0"
    cellpadding="0" cellspacing="0">
      <tr>
        <th colspan="3" align="center">Privoxy 3.0.24 User Manual</th>
      </tr>

      <tr>
        <td width="10%" align="left" valign="bottom"><a href=
        "installation.html" accesskey="P">Prev</a></td>

        <td width="80%" align="center" valign="bottom"></td>

        <td width="10%" align="right" valign="bottom"><a href=
        "quickstart.html" accesskey="N">Next</a></td>
      </tr>
    </table>
    <hr align="left" width="100%">
  </div>

  <div class="SECT1">
    <h1 class="SECT1"><a name="WHATSNEW" id="WHATSNEW">3. What's New in this
    Release</a></h1>

    <p><span class="APPLICATION">Privoxy 3.0.24</span> stable contains a
    couple of new features but is mainly a bug-fix release. Two of the fixed
    bugs are security issues and may be used to remotely trigger crashes on
    platforms that carefully check memory accesses (most don't).</p>

    <ul>
      <li>
        <p>Security fixes (denial of service):</p>

        <ul>
          <li>
            <p>Prevent invalid reads in case of corrupt chunk-encoded
            content. CVE-2016-1982. Bug discovered with afl-fuzz and
            AddressSanitizer.</p>
          </li>

          <li>
            <p>Remove empty Host headers in client requests. Previously they
            would result in invalid reads. CVE-2016-1983. Bug discovered with
            afl-fuzz and AddressSanitizer.</p>
          </li>
        </ul>
      </li>

      <li>
        <p>Bug fixes:</p>

        <ul>
          <li>
            <p>When using socks5t, send the request body optimistically as
            well. Previously the request body wasn't guaranteed to be sent at
            all and the error message incorrectly blamed the server. Fixes
            #1686 reported by Peter M&uuml;ller and G4JC.</p>
          </li>

          <li>
            <p>Fixed buffer scaling in execute_external_filter() that could
            lead to crashes. Submitted by Yang Xia in #892.</p>
          </li>

          <li>
            <p>Fixed crashes when executing external filters on platforms
            like Mac OS X. Reported by Jonathan McKenzie on
            ijbswa-users@.</p>
          </li>

          <li>
            <p>Properly parse ACL directives with ports when compiled with
            HAVE_RFC2553. Previously the port wasn't removed from the host
            and in case of 'permit-access 127.0.0.1 example.org:80' Privoxy
            would try (and fail) to resolve "example.org:80" instead of
            example.org. Reported by Pak Chan on ijbswa-users@.</p>
          </li>

          <li>
            <p>Check requests more carefully before serving them forcefully
            when blocks aren't enforced. Privoxy always adds the force token
            at the beginning of the path, but would previously accept it
            anywhere in the request line. This could result in requests being
            served that should be blocked. For example in case of pages that
            were loaded with force and contained JavaScript to create
            additionally requests that embed the origin URL (thus inheriting
            the force prefix). The bug is not considered a security issue and
            the fix does not make it harder for remote sites to intentionally
            circumvent blocks if Privoxy isn't configured to enforce them.
            Fixes #1695 reported by Korda.</p>
          </li>

          <li>
            <p>Normalize the request line in intercepted requests to make
            rewriting the destination more convenient. Previously rewrites
            for intercepted requests were expected to fail unless $hostport
            was being used, but they failed "the wrong way" and would result
            in an out-of-memory message (vanilla host patterns) or a crash
            (extended host patterns). Reported by "Guybrush Threepwood" in
            #1694.</p>
          </li>

          <li>
            <p>Enable socket lingering for the correct socket. Previously it
            was repeatedly enabled for the listen socket instead of for the
            accepted socket. The bug was found by code inspection and did not
            cause any (reported) issues.</p>
          </li>

          <li>
            <p>Detect and reject parameters for parameter-less actions.
            Previously they were silently ignored.</p>
          </li>

          <li>
            <p>Fixed invalid reads in internal and outdated pcre code. Found
            with afl-fuzz and AddressSanitizer.</p>
          </li>

          <li>
            <p>Prevent invalid read when loading invalid action files. Found
            with afl-fuzz and AddressSanitizer.</p>
          </li>

          <li>
            <p>Windows build: Use the correct function to close the event
            handle. It's unclear if this bug had a negative impact on
            Privoxy's behaviour. Reported by Jarry Xu in #891.</p>
          </li>

          <li>
            <p>In case of invalid forward-socks5(t) directives, use the
            correct directive name in the error messages. Previously they
            referred to forward-socks4t failures. Reported by Joel Verhagen
            in #889.</p>
          </li>
        </ul>
      </li>

      <li>
        <p>General improvements:</p>

        <ul>
          <li>
            <p>Set NO_DELAY flag for the accepting socket. This significantly
            reduces the latency if the operating system is not configured to
            set the flag by default. Reported by Johan Sintorn in #894.</p>
          </li>

          <li>
            <p>Allow to build with mingw x86_64. Submitted by Rustam
            Abdullaev in #135.</p>
          </li>

          <li>
            <p>Introduce the new forwarding type 'forward-webserver'.
            Currently it is only supported by the forward-override{} action
            and there's no config directive with the same name. The
            forwarding type is similar to 'forward', but the request line
            only contains the path instead of the complete URL.</p>
          </li>

          <li>
            <p>The CGI editor no longer treats 'standard.action' special.
            Nowadays the official "standards" are part of default.action and
            there's no obvious reason to disallow editing them through the
            cgi editor anyway (if the user decided that the lack of
            authentication isn't an issue in her environment).</p>
          </li>

          <li>
            <p>Improved error messages when rejecting intercepted requests
            with unknown destination.</p>
          </li>

          <li>
            <p>A couple of log messages now include the number of active
            threads.</p>
          </li>

          <li>
            <p>Removed non-standard Proxy-Agent headers in HTTP snipplets to
            make testing more convenient.</p>
          </li>

          <li>
            <p>Include the error code for pcre errors Privoxy does not
            recognize.</p>
          </li>

          <li>
            <p>Config directives with numerical arguments are checked more
            carefully.</p>
          </li>

          <li>
            <p>Privoxy's malloc() wrapper has been changed to prevent
            zero-size allocations which should only occur as the result of
            bugs.</p>
          </li>

          <li>
            <p>Various cosmetic changes.</p>
          </li>
        </ul>
      </li>

      <li>
        <p>Action file improvements:</p>

        <ul>
          <li>
            <p>Unblock ".deutschlandradiokultur.de/". Reported by u302320 in
            #924.</p>
          </li>

          <li>
            <p>Add two fast-redirect exceptions for "yandex.ru".</p>
          </li>

          <li>
            <p>Disable filter{banners-by-size} for ".plasmaservice.de/".</p>
          </li>

          <li>
            <p>Unblock "klikki.fi/adv/".</p>
          </li>

          <li>
            <p>Block requests for "resources.infolinks.com/". Reported by
            "Black Rider" on ijbswa-users@.</p>
          </li>

          <li>
            <p>Block a bunch of criteo domains. Reported by Black Rider.</p>
          </li>

          <li>
            <p>Block "abs.proxistore.com/abe/". Reported by Black Rider.</p>
          </li>

          <li>
            <p>Disable filter{banners-by-size} for
            ".black-mosquito.org/".</p>
          </li>

          <li>
            <p>Disable fast-redirects for "disqus.com/".</p>
          </li>
        </ul>
      </li>

      <li>
        <p>Documentation improvements:</p>

        <ul>
          <li>
            <p>FAQ: Explicitly point fingers at ASUS as an example of a
            company that has been reported to force malware based on Privoxy
            upon its customers.</p>
          </li>

          <li>
            <p>Correctly document the action type for a bunch of
            "multi-value" actions that were incorrectly documented to be
            "parameterized". Reported by Gregory Seidman on
            ijbswa-users@.</p>
          </li>

          <li>
            <p>Fixed the documented type of the forward-override{} action
            which is obviously 'parameterized'.</p>
          </li>
        </ul>
      </li>

      <li>
        <p>Website improvements:</p>

        <ul>
          <li>
            <p>Users who don't trust binaries served by SourceForge can get
            them from a mirror. Migrating away from SourceForge is planned
            for 2016 (TODO list item #53).</p>
          </li>

          <li>
            <p>The website is now available as onion service
            (http://jvauzb4sb3bwlsnc.onion/).</p>
          </li>
        </ul>
      </li>
    </ul>

    <div class="SECT2">
      <h2 class="SECT2"><a name="UPGRADERSNOTE" id="UPGRADERSNOTE">3.1. Note
      to Upgraders</a></h2>

      <p>A quick list of things to be aware of before upgrading from earlier
      versions of <span class="APPLICATION">Privoxy</span>:</p>

      <ul>
        <li>
          <p>The recommended way to upgrade <span class=
          "APPLICATION">Privoxy</span> is to backup your old configuration
          files, install the new ones, verify that <span class=
          "APPLICATION">Privoxy</span> is working correctly and finally merge
          back your changes using <span class="APPLICATION">diff</span> and
          maybe <span class="APPLICATION">patch</span>.</p>

          <p>There are a number of new features in each <span class=
          "APPLICATION">Privoxy</span> release and most of them have to be
          explicitly enabled in the configuration files. Old configuration
          files obviously don't do that and due to syntax changes using old
          configuration files with a new <span class=
          "APPLICATION">Privoxy</span> isn't always possible anyway.</p>
        </li>

        <li>
          <p>Note that some installers remove earlier versions completely,
          including configuration files, therefore you should really save any
          important configuration files!</p>
        </li>

        <li>
          <p>On the other hand, other installers don't overwrite existing
          configuration files, thinking you will want to do that
          yourself.</p>
        </li>

        <li>
          <p>In the default configuration only fatal errors are logged now.
          You can change that in the <a href="config.html#DEBUG">debug
          section</a> of the configuration file. You may also want to enable
          more verbose logging until you verified that the new <span class=
          "APPLICATION">Privoxy</span> version is working as expected.</p>
        </li>

        <li>
          <p>Three other config file settings are now off by default:
          <a href="config.html#ENABLE-REMOTE-TOGGLE">enable-remote-toggle</a>,
          <a href=
          "config.html#ENABLE-REMOTE-HTTP-TOGGLE">enable-remote-http-toggle</a>,
          and <a href=
          "config.html#ENABLE-EDIT-ACTIONS">enable-edit-actions</a>. If you
          use or want these, you will need to explicitly enable them, and be
          aware of the security issues involved.</p>
        </li>
      </ul>
    </div>
  </div>

  <div class="NAVFOOTER">
    <hr align="left" width="100%">

    <table summary="Footer navigation table" width="100%" border="0"
    cellpadding="0" cellspacing="0">
      <tr>
        <td width="33%" align="left" valign="top"><a href="installation.html"
        accesskey="P">Prev</a></td>

        <td width="34%" align="center" valign="top"><a href="index.html"
        accesskey="H">Home</a></td>

        <td width="33%" align="right" valign="top"><a href="quickstart.html"
        accesskey="N">Next</a></td>
      </tr>

      <tr>
        <td width="33%" align="left" valign="top">Installation</td>

        <td width="34%" align="center" valign="top">&nbsp;</td>

        <td width="33%" align="right" valign="top">Quickstart to Using
        Privoxy</td>
      </tr>
    </table>
  </div>
</body>
</html>