--------------------------------------------------------------------
ChangeLog for Privoxy
--------------------------------------------------------------------
+*** Version 3.0.27 stable ***
+
+- General improvements:
+ - Add a receive-buffer-size directive which can be used to
+ set the size of the previously statically allocated buffer
+ in handle_established_connection().
+ Increasing the buffer size increases Privoxy's memory usage but
+ can lower the number of context switches and thereby reduce the
+ CPU usage and potentially increase the throughput.
+ This is mostly relevant for fast network connections and
+ large downloads that don't require filtering.
+ Sponsored by: Robert Klemme
+ - Add a listen-backlog directive which specifies the backlog
+ value passed to listen().
+ Sponsored by: Robert Klemme
+ - Add an enable-accept-filter directive which allows to
+ toggle accept filter support at run time when compiled
+ with FEATURE_ACCEPT_FILTER support.
+ It makes testing more convenient and now that it's
+ optional we can emit an error message if enabling
+ the accept filter fails.
+ Sponsored by: Robert Klemme
+ - Add a delay-response{} action.
+ This is useful to tar pit JavaScript requests that
+ are endlessly retried in case of blocks. It can also
+ be used to simulate a slow Internet connection.
+ Sponsored by: Robert Klemme
+ - Add a 'trusted-cgi-referrer' directive.
+ It allows to configure another page or site that can be used
+ to reach sensitive CGI resources.
+ Sponsored by: Robert Klemme
+ - Add a --fuzz mode which exposes Privoxy internals to input
+ from files or stdout.
+ Mainly tested with American Fuzzy Lop. For details see:
+ https://www.fabiankeil.de/talks/fuzzing-on-freebsd/
+ This work was partially funded with donations and done
+ as part of the Privoxy month in 2015.
+ - Consistently use the U(ngreedy) flag in the 'img-reorder' filter
+ - listen_loop(): Reuse a single thread attribute object
+ The object doesn't change and creating a new one for
+ every thread is a waste of (CPU) time.
+ Sponsored by: Robert Klemme
+ - Free csp resources in the thread that belongs to the csp instead
+ of the main thread which has enough on its plate already.
+ Sponsored by: Robert Klemme
+ - Improve 'socket timeout reached' message.
+ Log the timeout that was triggered and downgrade the
+ log level to LOG_LEVEL_CONNECT to reduce the log noise
+ with common debug settings.
+ The timeout isn't necessary the result of an error and
+ usually merely indicates that Privoxy's socket timeout
+ is lower than the relevant timeouts used by client and
+ server.
+ Sponsored by: Robert Klemme
+ - Explicitly taint the server socket in case of CONNECT requests.
+ This doesn't fix any known problems, but makes
+ some log messages less confusing.
+ - Remove a mysterious comment with a GNU FDL link as it isn't
+ useful and could confuse license scanners.
+ In May 2002 it was briefly claimed that "this document" was covered
+ by the GNU FDL. The commit message (r1.5) doesn't explain the motivation
+ or whether all copyright holders were actually asked and agreed to the
+ declared license change.
+ It's thus hard to tell whether or not the license change was legit,
+ but luckily two days later the "doc license" was "put" "back to GPL"
+ anyway (r1.6).
+ At the same time the offending comment with a link to the FDL
+ (not the GPL) was added for no obvious reason.
+ Now it's gone again.
+ - Let write_pid_file() terminate if the pid file can't be opened
+ Logging the issue at info level is unlikely to help.
+ - log_error(): Reduce the mutex-protected area by not using a
+ heap-allocated buffer that is shared between all threads.
+ This increases performance and reduces the latency with
+ verbose debug settings and multiple concurrent connections.
+ Sponsored by: Robert Klemme
+ - Let zalloc() use calloc() if it's available.
+ In some situations using calloc() can be faster than
+ malloc() + memset() and it should never be slower.
+ In the real world the impact of this change is not
+ expected to be noticeable.
+ Sponsored by: Robert Klemme
+ - Never use select() when poll() is available.
+ On most platforms select() is limited by FD_SETSIZE while
+ poll() is not. This was a scaling issue for multi-user setups.
+ Using poll() has no downside other than the usual risk
+ that code modifications may introduce new bugs that have
+ yet to be found and fixed.
+ At least in theory this commit could also reduce the latency
+ when there are lots of connections and select() would use
+ "bit fields in arrays of integers" to store file descriptors.
+ Another side effect is that Privoxy no longer has to stop
+ monitoring the client sockets when pipelined requests are
+ waiting but can't be read yet.
+ This code keeps the select()-based code behind ifdefs for
+ now but hopefully it can be removed soonish to make the
+ code more readable.
+ Sponsored by: Robert Klemme
+ - Add a 'reproducible-tarball-dist' target.
+ It's currently separate from the "tarball-dist" target
+ because it requires a tar implementation with mtree spec
+ support.
+ It's far from being perfect and does not enforce a
+ reproducible mode, but it's better than nothing.
+ - Use arc4random() if it's available.
+ While Privoxy doesn't need high quality pseudo-random numbers
+ there's no reason not to use them when we can and this silences
+ a warning emitted by code checkers that can't tell whether or not
+ the quality matters.
+ - Show the FEATURE_EXTERNAL_FILTERS status on the status page.
+ Better late than never. Previously a couple of tests weren't
+ executed as Privoxy-Regression-Test couldn't detect that the
+ FEATURE_EXTERNAL_FILTERS dependency was satisfied.
+ - Ditch FEATURE_IMAGE_DETECT_MSIE.
+ It's an obsolete workaround we inherited from Junkbuster
+ and was already disabled by default.
+ Users that feel the urge to work around issues with
+ image requests coming from an Internet Explorer version
+ from more than 15 years ago can still do this using tags.
+ - Consistently use strdup_or_die() instead of strdup() in
+ cases where allocation failures aren't expected.
+ Using strdup_or_die() allows to remove a couple of explicit
+ error checks which slightly reduces the size of the binary.
+ - Insert a refresh tag into the /client-tags CGI page when
+ serving it while a client-specific tag is temporarily enabled.
+ This makes it less likely that the user ends up
+ looking at tag state that is out of date.
+ - Use absolute URLs in the client-tag forms.
+ It's more consistent with the rest of the CGI page
+ URLs and makes it more convenient to copy the forms
+ to external pages.
+ - cgi_error_disabled(): Use status code 403 and an appropriate response line
+ - Use a dedicated CGI handler to deal with tag-toggle requests
+ As a result the /client-tags page is now safe to reach without
+ trusted Referer header which makes bookmarking or linking to
+ it more convenient.
+ Finally, refreshing the /client-tags page to show the
+ current state can no longer unintentionally repeat the
+ previous toggle request.
+ - Don't add a "Connection" header for CONNECT requests
+ Explicitly sending "Connection: close" is not necessary and
+ apparently it causes problems with some forwarding proxies
+ that will close the connection prematurely.
+ Reported by Marc Thomas.
+ - Fix compiler warnings.
+
+- Bug fixes:
+ - rfc2553_connect_to(): Properly detect and log when poll()
+ reached the time out. Previously this was logged as:
+ Could not connect to [...]: No error: 0.
+ which isn't very helpful.
+ Sponsored by: Robert Klemme
+ - add_tag_for_client(): Set time_to_live properly.
+ Previously the time_to_live was always set for the first tag.
+ Attempts to temporarily enable a tag would result in enabling
+ it permanently unless no tag was enabled already.
+ - Revert r1.165 which didn't perform as advertised.
+ While the idea was to use "https:// when creating links
+ for the user manual on the website", the actual effect
+ was to use "https://" when Privoxy was supposed to serve
+ the user manual itself.
+ Reported by Yossi Zahn on Privoxy-devel@.
+ - socks5_connect(): Fail in case of unsupported address types.
+ Previously they would not be detected right away and
+ Privoxy would fail later on with an error message that
+ didn't make it obvious that the problem was socks-related.
+ So far, no such problems have actually been reported.
+ - socks5_connect(): Properly deal with socks replies that
+ contain IPv6 addresses.
+ Previously parts of the reply were left unread and
+ later on treated as invalid HTTP response data.
+ Fixes #904 reported by Danny Goossen who also provided
+ the initial version of this patch.
+
+- Action file improvements:
+ - Unblock 'msdn.microsoft.com/'.
+ It (presumably) isn't used to serve the kind of ads Privoxy should
+ block by default but happens to serve lots of pages with URLs that
+ are likely to result in false positives.
+ Reported by bugreporter1694 in AF#939.
+ - Disable gif deanimation for requests tagged with CSS-REQUEST.
+ The action will ignore content that isn't considered text
+ anyway and explicitly disabling it makes this more obvious
+ if "action" debugging (debug 65536) is enabled while
+ "gif deanimation" debugging (debug 256) isn't.
+ - Explicitly disable HTML filters for requests with CSS-REQUEST tag.
+ The filters are unlikely to break CSS files but executing
+ them without (intentionally) getting any hits is a waste of
+ cpu time and makes the log more noisy when running with
+ "debug 64".
+ - Unblock 'adventofcode.com/'.
+ Reported by Clint Adams in Debian bug #848211.
+ Fixes Roland's AF#937.
+ - Unblock 'adlibris.com'.
+ Reported by Wyrex in #935
+ - Unblock .golang.org/
+ - Add fast-redirects exception for '.youtube.com/.*origin=http'
+
+- Privoxy-Log-Parser:
+ - Don't gather host and resource statistics if they aren't requested.
+ While the performance impact seems negligible this significantly
+ reduces the memory usage if there are lots of requests.
+ - Bump version as the behaviour (slightly) changed.
+ - Count connection failures as well in statistics mode.
+ Sponsored by: Robert Klemme
+ - Count connection timeouts as well in statistics mode.
+ Sponsored by: Robert Klemme
+ - Fix an 'uninitialized value' warning when generating
+ statistics for a log file without response headers.
+ While privoxy-log-parser was supposed to detect this already,
+ the check was flawed and the message the user didn't see was
+ somewhat confusing anyway.
+ Now the message is less confusing, more helpful and actually printed.
+ Reported by: Robert Klemme
+
+- Documentation improvements:
+ - Refer to the git sources instead of CVS.
+ - Use GNU/Linux when referring to the OS instead of the kernel.
+ - Add FAQ entry for what to do if editing the config file is access denied.
+ - Add brief HTTP/2 FAQ.
+ - Add a small fuzzing section to the developer documentation.
+ - Add a client-header-tagger{client-ip-address} example.
+ - Stop suggesting that Privoxy is an anonymizing proxy.
+ The term could lead to Privoxy users overestimating
+ what it can do on its own (without Tor).
+ - Make it more obvious that SPI accepts Paypal, too.
+ Currently most donations are made through the Paypal account
+ managed by Zwiebelfreunde e.V. and a more even distribution
+ would be useful.
+ - Suggest to log applying actions as well when reproducing problems.
+ - Explicitly mention that Privoxy binaries are built by individuals
+ on their own systems. Buyer beware!
+ - Mention the release feed on the homepage.
+
+- Regression tests:
+ - Bump for-privoxy-version to 3.0.27 as we now rely on untrusted
+ CGI request being rejected with status code 403 (instead of 200).
+ - Update test for /send-stylesheet and add another one
+
+- Templates
+ - Consistently use https:// when linking to the Privoxy website.
+ - Remove SourceForge references in Copyright header.
+ - Remove a couple of SourceForge references in a comment.
+ While at it, fix the grammar.
+ - Move the site-specific documentation block before the generic one.
+ While most Privoxy installations don't have a site-specific
+ documentation block, in cases were it exists it's likely to
+ be more relevant than the generic one.
+ Showing it first makes it less likely that users stop reading
+ before they reach it, especially on pages that don't fit on
+ the screen.
+
+- Build system improvements:
+ - Prefer openjade to jade. On some systems Jade produces
+ HTML with unescaped ampersands in URLs.
+ - Prefer OpenSP to SP to be consistent.
+ - Have Docbook generated HTML files be straight ASCII.
+ Dealing with a mixture of ISO-8859 and UTF-8 files is problematic.
+ - Echo the filename to stderr for 'make dok-tidy'.
+ Make it a bit easier to find errors in docbook generated HTML.
+ - Warn when still using select().
+ - Warn when compiling without calloc().
+ - Make it more obvious that the --with-fdsetsize configure switch
+ is pointless if poll() is available.
+ - Remove support for AmigaOS.
+ - Update windows build system to use supported software.
+ The cygwin gcc -mno-cygwin option is no longer supported, so
+ convert the windows build system to use the cygwin cross-compiler
+ to build "native" code.
+ - Add --enable-static-linking option for configure
+ does the same thing as LDFLAGS=-static; ./configure
+ but nicer than mixing evars and configure options.
+
+*** Version 3.0.26 stable ***
+
+- Bug fixes:
+ - Fixed crashes with "listen-addr :8118" (SF Bug #902).
+ The regression was introduced in 3.0.25 beta and reported
+ by Marvin Renich in Debian bug #834941.
+
+- General improvements:
+ - Log when privoxy is toggled on or off via cgi interface.
+ - Highlight the "Info: Now toggled " on/off log message
+ in the Windows log viewer.
+ - Highlight the loading actions/filter file log message
+ in the Windows log viewer.
+ - Mention client-specific tags on the toggle page as a
+ potentionally more appropriate alternative.
+
+- Documentation improvements:
+ - Update download section on the homepage.
+ The downloads are available from the website now.
+ - Add sponsor FAQ.
+ - Remove obsolete reference to mailing lists hosted at SourceForge.
+ - Update the "Before the Release" section of the developer manual.
+
+- Infrastructure improvements:
+ - Add perl script to generate an RSS feed for the packages
+ Submitted by "Unknown".
+
+- Build system improvements:
+ - strptime.h: fix a compiler warning about ambiguous else.
+ - configure.in: Check for Docbook goo on the BSDs as well.
+ - GNUMakefile.in: Let the dok-user target remove temporary files.
+
+*** Version 3.0.25 beta ***
+
+- Bug fixes:
+ - Always use the current toggle state for new requests.
+ Previously new requests on reused connections inherited
+ the toggle state from the previous request even though
+ the toggle state could have changed.
+ Reported by Robert Klemme.
+ - Fixed two buffer-overflows in the (deprecated) static
+ pcre code. These bugs are not considered security issues
+ as the input is trusted.
+ Found with afl-fuzz and ASAN.
+
+- General improvements:
+ - Added support for client-specific tags which allow Privoxy
+ admins to pre-define tags that are set for all requests from
+ clients that previously opted in through the CGI interface.
+ They are useful in multi-user setups where admins may
+ want to allow users to disable certain actions and filters
+ for themselves without affecting others.
+ In single-user setups they are useful to allow more fine-grained
+ toggling. For example to disable request blocking while still
+ crunching cookies, or to disable experimental filters only.
+ This is an experimental feature, the syntax and behaviour may
+ change in future versions.
+ Sponsored by Robert Klemme.
+ - Dynamic filters and taggers now support a $listen-address variable
+ which contains the address the request came in on.
+ For external filters the variable is called $PRIVOXY_LISTEN_ADDRESS.
+ Original patch contributed by pursievro.
+ - Add client-header-tagger 'listen-address'.
+ - Include the listen-address in the log message when logging new requests.
+ Patch contributed by pursievro.
+ - Turn invalid max-client-connections values into fatal errors.
+ - The show-status page now shows whether or not dates before 1970
+ and after 2038 are expected to be handled properly.
+ This is mainly useful for Privoxy-Regression-Test but could
+ also come handy when dealing with time-related support requests.
+ - On Mac OS X the thread id in log messages are more likely to
+ be unique now.
+ - When complaining about missing filters, the filter type is logged
+ as well.
+ - A couple of harmless coverity warnings were silenced
+ (CID #161202, CID #161203, CID #161211).
+
+- Action file improvements:
+ - Filtering is disabled for Range requests to let download resumption
+ and Windows updates work with the default configuration.
+ - Unblock ".ardmediathek.de/".
+ Reported by ThTomate in #932.
+
+- Documentation improvements:
+ - Add FAQ entry for crashes caused by memory limits.
+ - Remove obsolete FAQ entry about a bug in PHP 4.2.3.
+ - Mention the new mailing lists were appropriate.
+ As the archives have not been migrated, continue to
+ mention the archives at SF in the contacting section
+ for now.
+ - Note that the templates should be adjusted if Privoxy is
+ running as intercepting proxy without getting all requests.
+ - A bunch of links were converted to https://.
+ - Rephrase onion service paragraph to make it more obvious
+ that Tor is involved and that the whole website (and not
+ just the homepage) is available as onion service.
+ - Streamline the "More information" section on the homepage further
+ by additionally ditching the link to the 'See also' section
+ of the user manual. The section contains mostly links that are
+ directly reachable from the homepage already and the rest is
+ not significant enough to get a link from the homepage.
+ - Change the add-header{} example to set the DNT header
+ and use a complete section to make copy and pasting
+ more convenient.
+ Add a comment to make it obvious that adding the
+ header is not recommended for obvious reasons.
+ Using the DNT header as example was suggested by
+ Leo Wzukw.
+ - Streamline the support-and-service template
+ Instead of linking to the various support trackers
+ (whose URLs hopefully change soon), link to the
+ contact section of the user manual to increase the
+ chances that users actually read it.
+ - Add a FAQ entry for tainted sockets.
+ - More sections in the documentation have stable URLs now.
+ - FAQ: Explain why 'ping config.privoxy.org' is not expected
+ to reach a local Privoxy installation.
+ - Note that donations done through Zwiebelfreunde e.V. currently
+ can't be checked automatically.
+ - Updated section regarding starting Privoxy under OS X.
+ - Use dedicated start instructions for FreeBSD and ElectroBSD.
+ - Removed release instructions for AIX. They haven't been working
+ for years and unsurprisingly nobody seems to care.
+ - Removed obsolete reference to the solaris-dist target.
+ - Updated the release instructions for FreeBSD.
+ - Removed unfinished release instructions for Amiga OS and HP-UX 11.
+ - Added a pointer to the Cygwin Time Machine for getting the last release of
+ Cygwin version 1.5 to use for building Privoxy on Windows.
+ - Various typos have been fixed.
+
+- Infrastructure improvements:
+ - The website is no longer hosted at SourceForge and
+ can be reached through https now.
+ - The mailing lists at SourceForge have been deprecated,
+ you can subscribe to the new ones at: https://lists.privoxy.org/
+ - Migrating the remaining services from SourceForge is
+ work in progress (TODO list item #53).
+
+- Build system improvements:
+ - Add configure argument to optimistically redefine FD_SETSIZE
+ with the intent to change the maximum number of client
+ connections Privoxy can handle. Only works with some libcs.
+ Sponsored by Robert Klemme.
+ - Let the tarball-dist target skip files in ".git".
+ - Let the tarball-dist target work in cwds other than current.
+ - Make the 'clean' target faster when run from a git repository.
+ - Include tools in the generic distribution.
+ - Let the gen-dist target work in cwds other than current.
+ - Sort find output that is used for distribution tarballs
+ to get reproducible results.
+ - Don't add '-src' to the name of the tar ball generated by the
+ gen-dist target. The package isn't a source distribution but a
+ binary package.
+ While at it, use a variable for the name to reduce the chances
+ that the various references get out of sync and fix the gen-upload
+ target which was looking in the wrong directory.
+ - Add regression-tests.action to the files that are distributed.
+ - The gen-dist target which was broken since 2002 (r1.92) has been fixed.
+ - Remove genclspec.sh which has been obsolete since 2009.
+ - Remove obsolete reference to Redhat spec file.
+ - Remove the obsolete announce target which has been commented out years ago.
+ - Let rsync skip files if the checksums match.
+
+- Privoxy-Regression-Test:
+ - Add a "Default level offset" directive which can be used to
+ change the default level by a given value.
+ This directive affects all tests located after it until the end
+ of the file or a another "Default level offset" directive is reached.
+ The purpose of this directive is to make it more convenient to skip
+ similar tests in a given file without having to remove or disable
+ the tests completely.
+ - Let test level 17 depend on FEATURE_64_BIT_TIME_T
+ instead of FEATURE_PTHREAD which has no direct connection
+ to the time_t size.
+ - Fix indentation in perldoc examples.
+ - Don't overlook directives in the first line of the action file.
+ - Bump version to 0.7.
+ - Fix detection of the Privoxy version now that https://
+ is used for the website.
+
+*** Version 3.0.24 stable ***
+
+- Security fixes (denial of service):
+ - Prevent invalid reads in case of corrupt chunk-encoded content.
+ CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.
+ - Remove empty Host headers in client requests.
+ Previously they would result in invalid reads. CVE-2016-1983.
+ Bug discovered with afl-fuzz and AddressSanitizer.
+
+- Bug fixes:
+ - When using socks5t, send the request body optimistically as well.
+ Previously the request body wasn't guaranteed to be sent at all
+ and the error message incorrectly blamed the server.
+ Fixes #1686 reported by Peter Müller and G4JC.
+ - Fixed buffer scaling in execute_external_filter() that could lead
+ to crashes. Submitted by Yang Xia in #892.
+ - Fixed crashes when executing external filters on platforms like
+ Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@.
+ - Properly parse ACL directives with ports when compiled with HAVE_RFC2553.
+ Previously the port wasn't removed from the host and in case of
+ 'permit-access 127.0.0.1 example.org:80' Privoxy would try (and fail)
+ to resolve "example.org:80" instead of example.org.
+ Reported by Pak Chan on ijbswa-users@.
+ - Check requests more carefully before serving them forcefully
+ when blocks aren't enforced. Privoxy always adds the force token
+ at the beginning of the path, but would previously accept it anywhere
+ in the request line. This could result in requests being served that
+ should be blocked. For example in case of pages that were loaded with
+ force and contained JavaScript to create additionally requests that
+ embed the origin URL (thus inheriting the force prefix).
+ The bug is not considered a security issue and the fix does not make
+ it harder for remote sites to intentionally circumvent blocks if
+ Privoxy isn't configured to enforce them.
+ Fixes #1695 reported by Korda.
+ - Normalize the request line in intercepted requests to make rewriting
+ the destination more convenient. Previously rewrites for intercepted
+ requests were expected to fail unless $hostport was being used, but
+ they failed "the wrong way" and would result in an out-of-memory
+ message (vanilla host patterns) or a crash (extended host patterns).
+ Reported by "Guybrush Threepwood" in #1694.
+ - Enable socket lingering for the correct socket.
+ Previously it was repeatedly enabled for the listen socket
+ instead of for the accepted socket. The bug was found by
+ code inspection and did not cause any (reported) issues.
+ - Detect and reject parameters for parameter-less actions.
+ Previously they were silently ignored.
+ - Fixed invalid reads in internal and outdated pcre code.
+ Found with afl-fuzz and AddressSanitizer.
+ - Prevent invalid read when loading invalid action files.
+ Found with afl-fuzz and AddressSanitizer.
+ - Windows build: Use the correct function to close the event handle.
+ It's unclear if this bug had a negative impact on Privoxy's behaviour.
+ Reported by Jarry Xu in #891.
+ - In case of invalid forward-socks5(t) directives, use the
+ correct directive name in the error messages. Previously they
+ referred to forward-socks4t failures.
+ Reported by Joel Verhagen in #889.
+
+- General improvements:
+ - Set NO_DELAY flag for the accepting socket. This significantly reduces
+ the latency if the operating system is not configured to set the flag
+ by default. Reported by Johan Sintorn in #894.
+ - Allow to build with mingw x86_64. Submitted by Rustam Abdullaev in #135.
+ - Introduce the new forwarding type 'forward-webserver'.
+ Currently it is only supported by the forward-override{} action and
+ there's no config directive with the same name. The forwarding type
+ is similar to 'forward', but the request line only contains the path
+ instead of the complete URL.
+ - The CGI editor no longer treats 'standard.action' special.
+ Nowadays the official "standards" are part of default.action
+ and there's no obvious reason to disallow editing them through
+ the cgi editor anyway (if the user decided that the lack of
+ authentication isn't an issue in her environment).
+ - Improved error messages when rejecting intercepted requests
+ with unknown destination.
+ - A couple of log messages now include the number of active threads.
+ - Removed non-standard Proxy-Agent headers in HTTP snipplets
+ to make testing more convenient.
+ - Include the error code for pcre errors Privoxy does not recognize.
+ - Config directives with numerical arguments are checked more carefully.
+ - Privoxy's malloc() wrapper has been changed to prevent zero-size
+ allocations which should only occur as the result of bugs.
+ - Various cosmetic changes.
+
+- Action file improvements:
+ - Unblock ".deutschlandradiokultur.de/".
+ Reported by u302320 in #924.
+ - Add two fast-redirect exceptions for "yandex.ru".
+ - Disable filter{banners-by-size} for ".plasmaservice.de/".
+ - Unblock "klikki.fi/adv/".
+ - Block requests for "resources.infolinks.com/".
+ Reported by "Black Rider" on ijbswa-users@.
+ - Block a bunch of criteo domains.
+ Reported by Black Rider.
+ - Block "abs.proxistore.com/abe/".
+ Reported by Black Rider.
+ - Disable filter{banners-by-size} for ".black-mosquito.org/".
+ - Disable fast-redirects for "disqus.com/".
+
+- Documentation improvements:
+ - FAQ: Explicitly point fingers at ASUS as an example of a
+ company that has been reported to force malware based on
+ Privoxy upon its customers.
+ - Correctly document the action type for a bunch of "multi-value"
+ actions that were incorrectly documented to be "parameterized".
+ Reported by Gregory Seidman on ijbswa-users@.
+ - Fixed the documented type of the forward-override{} action
+ which is obviously 'parameterized'.
+
+- Website improvements:
+ - Users who don't trust binaries served by SourceForge
+ can get them from a mirror. Migrating away from SourceForge
+ is planned for 2016 (TODO list item #53).
+ - The website is now available as onion service
+ (http://jvauzb4sb3bwlsnc.onion/).
+
*** Version 3.0.23 stable ***
- Bug fixes:
- Fixed a DoS issue in case of client requests with incorrect
chunk-encoded body. When compiled with assertions enabled
(the default) they could previously cause Privoxy to abort().
- Reported by Matthew Daley.
+ Reported by Matthew Daley. CVE-2015-1380.
- Fixed multiple segmentation faults and memory leaks in the
pcrs code. This fix also increases the chances that an invalid
pcrs command is rejected as such. Previously some invalid commands
would be loaded without error. Note that Privoxy's pcrs sources
(action and filter files) are considered trustworthy input and
- should not be writable by untrusted third-parties.
+ should not be writable by untrusted third-parties. CVE-2015-1381.
- Fixed an 'invalid read' bug which could at least theoretically
cause Privoxy to crash. So far, no crashes have been observed.
+ CVE-2015-1382.
- Compiles with --disable-force again. Reported by Kai Raven.
- Client requests with body that can't be delivered no longer
cause pipelined requests behind them to be rejected as invalid.
----------------------------------------------------------------------
-Copyright : Written by and Copyright (C) 2001-2013 the
- Privoxy team. http://www.privoxy.org/
+Copyright : Written by and Copyright (C) 2001-2018 the
+ Privoxy team. https://www.privoxy.org/
Based on the Internet Junkbuster originally written
by and Copyright (C) 1997 Anonymous Coders and
projects / privoxy.git / blobdiff