1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
5 <title>What's New in this Release</title>
6 <meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.79">
7 <link rel="HOME" title="Privoxy 3.0.33 User Manual" href="index.html">
8 <link rel="PREVIOUS" title="Installation" href="installation.html">
9 <link rel="NEXT" title="Quickstart to Using Privoxy" href="quickstart.html">
10 <link rel="STYLESHEET" type="text/css" href="../p_doc.css">
11 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
12 <link rel="STYLESHEET" type="text/css" href="p_doc.css">
14 <body class="SECT1" bgcolor="#EEEEEE" text="#000000" link="#0000FF" vlink="#840084" alink="#0000FF">
15 <div class="NAVHEADER">
16 <table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
18 <th colspan="3" align="center">Privoxy 3.0.33 User Manual</th>
21 <td width="10%" align="left" valign="bottom"><a href="installation.html" accesskey="P">Prev</a></td>
22 <td width="80%" align="center" valign="bottom"></td>
23 <td width="10%" align="right" valign="bottom"><a href="quickstart.html" accesskey="N">Next</a></td>
26 <hr align="left" width="100%">
29 <h1 class="SECT1"><a name="WHATSNEW" id="WHATSNEW">3. What's New in this Release</a></h1>
30 <p><span class="APPLICATION">Privoxy 3.0.32</span> fixes multiple DoS issues and a couple of other bugs. The issues
31 also affect earlier Privoxy releases.</p>
32 <p>Changes in <span class="APPLICATION">Privoxy 3.0.32</span> stable:</p>
35 <p>Security/Reliability:</p>
38 <p>ssplit(): Remove an assertion that could be triggered with a crafted CGI request. Commit 2256d7b4d67.
39 OVE-20210203-0001. Reported by: Joshua Rogers (Opera)</p>
42 <p>cgi_send_banner(): Overrule invalid image types. Prevents a crash with a crafted CGI request if Privoxy
43 is toggled off. Commit e711c505c48. OVE-20210206-0001. Reported by: Joshua Rogers (Opera)</p>
46 <p>socks5_connect(): Don't try to send credentials when none are configured. Fixes a crash due to a
47 NULL-pointer dereference when the socks server misbehaves. Commit 85817cc55b9. OVE-20210207-0001. Reported
48 by: Joshua Rogers (Opera)</p>
51 <p>chunked_body_is_complete(): Prevent an invalid read of size two. Commit a912ba7bc9c. OVE-20210205-0001.
52 Reported by: Joshua Rogers (Opera)</p>
55 <p>Obsolete pcre: Prevent invalid memory accesses with an invalid pattern passed to pcre_compile(). Note
56 that the obsolete pcre code is scheduled to be removed before the 3.0.33 release. There has been a warning
57 since 2008 already. Commit 28512e5b624. OVE-20210222-0001. Reported by: Joshua Rogers (Opera)</p>
65 <p>Properly parse the client-tag-lifetime directive. Previously it was not accepted as an obsolete hash
66 value was being used. Reported by: Joshua Rogers (Opera)</p>
69 <p>decompress_iob(): Prevent reading of uninitialized data. Reported by: Joshua Rogers (Opera).</p>
72 <p>decompress_iob(): Don't advance cur past eod when looking for the end of the file name and comment.</p>
75 <p>decompress_iob(): Cast value to unsigned char before shifting. Prevents a left-shift of a negative value
76 which is undefined behaviour. Reported by: Joshua Rogers (Opera)</p>
79 <p>gif_deanimate(): Confirm that that we have enough data before doing any work. Fixes a crash when fuzzing
80 with an empty document. Reported by: Joshua Rogers (Opera).</p>
83 <p>buf_copy(): Fail if there's no data to write or nothing to do. Prevents undefined behaviour "applying
84 zero offset to null pointer". Reported by: Joshua Rogers (Opera)</p>
87 <p>log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is being used while fuzzing. Reported by:
88 Joshua Rogers (Opera).</p>
91 <p>Respect DESTDIR when considering whether or not to install config files with ".new" extension.</p>
94 <p>OpenSSL ssl_store_cert(): Fix two error messages.</p>
97 <p>Fix a couple of format specifiers.</p>
100 <p>Silence compiler warnings when compiling with NDEBUG.</p>
103 <p>fuzz_server_header(): Fix compiler warning.</p>
106 <p>fuzz_client_header(): Fix compiler warning.</p>
109 <p>cgi_send_user_manual(): Also reject requests if the user-manual directive specifies a https:// URL.
110 Previously Privoxy would try and fail to open a local file.</p>
115 <p>General improvements:</p>
118 <p>Log the TLS version and the the cipher when debug 2 is enabled.</p>
121 <p>ssl_send_certificate_error(): Respect HEAD requests by not sending a body.</p>
124 <p>ssl_send_certificate_error(): End the body with a single new line.</p>
127 <p>serve(): Increase the chances that the host is logged when closing a server socket.</p>
130 <p>handle_established_connection(): Add parentheses to clarify an expression Suggested by: David
134 <p>continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE if
135 process_encrypted_request() fails. This makes it more obvious that the connection will not be reused.
136 Previously serve() relied on CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset. Inspired
137 by a patch from Joshua Rogers (Opera).</p>
140 <p>decompress_iob(): Add periods to a couple of log messages</p>
143 <p>Terminate the body of the HTTP snipplets with a single new line instead of "\r\n".</p>
146 <p>configure: Add --with-assertions option and only enable assertions when it is used</p>
149 <p>windows build: Use --with-brotli and --with-mbedtls by default and enable dynamic error checking.</p>
152 <p>gif_deanimate(): Confirm we've got an image before trying to write it Saves a pointless buf_copy()
156 <p>OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number.</p>
161 <p>Action file improvements:</p>
164 <p>Disable fast-redirects for .golem.de/</p>
167 <p>Unblock requests to adri*.</p>
170 <p>Block requests for trc*.taboola.com/</p>
173 <p>Disable fast-redirects for .linkedin.com/</p>
178 <p>Filter file improvements:</p>
181 <p>Make the second pcrs job of the img-reorder filter greedy again. The ungreedy version broke the img tags
182 on: https://bulk.fefe.de/scalability/.</p>
187 <p>Privoxy-Log-Parser:</p>
190 <p>Highlight a few more messages.</p>
193 <p>Clarify the --statistics output. The shown "Reused connections" are server connections so name them
197 <p>Bump version to 0.9.3.</p>
202 <p>Privoxy-Regression-Test:</p>
205 <p>Add the --check-bad-ssl option to the --help output.</p>
208 <p>Bump version to 0.7.3.</p>
213 <p>Documentation:</p>
216 <p>Add pushing the created tag to the release steps in the developer manual.</p>
219 <p>Clarify that 'debug 32768' should be used in addition to the other debug directives when reporting
223 <p>Add a 'Third-party licenses and copyrights' section to the user manual.</p>
229 <h2 class="SECT2"><a name="UPGRADERSNOTE" id="UPGRADERSNOTE">3.1. Note to Upgraders</a></h2>
230 <p>A quick list of things to be aware of before upgrading from earlier versions of <span class=
231 "APPLICATION">Privoxy</span>:</p>
234 <p>The recommended way to upgrade <span class="APPLICATION">Privoxy</span> is to backup your old
235 configuration files, install the new ones, verify that <span class="APPLICATION">Privoxy</span> is working
236 correctly and finally merge back your changes using <span class="APPLICATION">diff</span> and maybe
237 <span class="APPLICATION">patch</span>.</p>
238 <p>There are a number of new features in each <span class="APPLICATION">Privoxy</span> release and most of
239 them have to be explicitly enabled in the configuration files. Old configuration files obviously don't do
240 that and due to syntax changes using old configuration files with a new <span class=
241 "APPLICATION">Privoxy</span> isn't always possible anyway.</p>
244 <p>Note that some installers remove earlier versions completely, including configuration files, therefore you
245 should really save any important configuration files!</p>
248 <p>On the other hand, other installers don't overwrite existing configuration files, thinking you will want
249 to do that yourself.</p>
252 <p>In the default configuration only fatal errors are logged now. You can change that in the <a href=
253 "config.html#DEBUG">debug section</a> of the configuration file. You may also want to enable more verbose
254 logging until you verified that the new <span class="APPLICATION">Privoxy</span> version is working as
258 <p>Three other config file settings are now off by default: <a href=
259 "config.html#ENABLE-REMOTE-TOGGLE">enable-remote-toggle</a>, <a href=
260 "config.html#ENABLE-REMOTE-HTTP-TOGGLE">enable-remote-http-toggle</a>, and <a href=
261 "config.html#ENABLE-EDIT-ACTIONS">enable-edit-actions</a>. If you use or want these, you will need to
262 explicitly enable them, and be aware of the security issues involved.</p>
267 <div class="NAVFOOTER">
268 <hr align="left" width="100%">
269 <table summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
271 <td width="33%" align="left" valign="top"><a href="installation.html" accesskey="P">Prev</a></td>
272 <td width="34%" align="center" valign="top"><a href="index.html" accesskey="H">Home</a></td>
273 <td width="33%" align="right" valign="top"><a href="quickstart.html" accesskey="N">Next</a></td>
276 <td width="33%" align="left" valign="top">Installation</td>
277 <td width="34%" align="center" valign="top"> </td>
278 <td width="33%" align="right" valign="top">Quickstart to Using Privoxy</td>
projects / privoxy.git / blob