--------------------------------------------------------------------
ChangeLog for Privoxy
--------------------------------------------------------------------
+*** Version 3.0.33 UNRELEASED ***
+
+- Bug fixes:
+ - handle_established_connection(): Skip the poll()/select() calls
+ if TLS data is pending on the server socket. The TLS library may
+ have already consumed all the data from the server response in
+ which case poll() and select() will not detect that data is
+ available to be read.
+ Fixes SF bug #926 reported by Wen Yue.
+ - continue_https_chat(): Update csp->server_connection.request_sent
+ after sending the request to make sure the latency is calculated
+ correctly. Previously https connections were not reused after
+ timeout seconds after the first request made on the connection.
+ - free_pattern_spec(): Don't try to free an invalid pointer
+ when unloading an action file with a TAG pattern while
+ Privoxy has been compiled without FEATURE_PCRE_HOST_PATTERNS.
+ Closes: SF patch request #147. Patch by Maxim Antonov.
+ - Establish the TLS connection with the client earlier and decide
+ how to route the request afterwards. This allows to change the
+ forwarding settings based on information from the https-inspected
+ request, for example the path.
+ Adjust build_request_line() to create a CONNECT request line when
+ https-inspecting and forwarding to a HTTP proxy.
+ Fixes SF bug #925 reported by Wen Yue.
+ - load_config(): Add a space that was missing in a log message.
+
+- General improvements:
+ - serve(): Close the client socket as well if the server socket
+ for an inspected connection has been closed. Privoxy currently
+ can't establish a new server connection when the client socket
+ is reused and would drop the connection in continue_https_chat()
+ anyway.
+ - Don't disable redirect checkers in redirect_url()
+ Disable them in handle_established_connection() instead.
+ Doing it in redirect_url() prevented the +redirect{} and
+ +fast-redirects{} actions from being logged with LOG_LEVEL_ACTIONS.
+ - handle_established_connection(): Slightly improve a comment
+ - handle_established_connection(): Fix a comment
+ - socks5_connect(): Fix indentation.
+ - handle_established_connection(): Improve an error message
+ - create_pattern_spec(): Fix ifdef indentation
+ - Fix comment typos
+
+- Action file improvements:
+ - Disable fast-redirects for .microsoftonline.com/.
+ - Disable fast-redirects for idp.springer.com/.
+
+- Privoxy-Regression-Test:
+ - Remove duplicated word in a comment.
+
+- Documentation:
+ - contacting: Remove obsolete reference to announce.sgml.
+ - contacting: Request that the browser cache is cleared before
+ producing a log file for submission.
+ - Sponsor FAQ: Note that Privoxy users may follow sponsor links
+ without Referer header set.
+ - newfeatures: Clarify that https inspection also allows to
+ filter https responses.
+ - developer-manual: Mention that announce.txt should be updated
+ when doing a release.
+
*** Version 3.0.32 stable ***
- Security/Reliability:
- ssplit(): Remove an assertion that could be triggered with a
crafted CGI request.
- Commit 2256d7b4d67. OVE-20210203-0001.
+ Commit 2256d7b4d67. OVE-20210203-0001. CVE-2021-20272.
Reported by: Joshua Rogers (Opera)
- cgi_send_banner(): Overrule invalid image types. Prevents a
crash with a crafted CGI request if Privoxy is toggled off.
- Commit e711c505c48. OVE-20210206-0001.
+ Commit e711c505c48. OVE-20210206-0001. CVE-2021-20273.
Reported by: Joshua Rogers (Opera)
- socks5_connect(): Don't try to send credentials when none are
configured. Fixes a crash due to a NULL-pointer dereference
when the socks server misbehaves.
- Commit 85817cc55b9. OVE-20210207-0001.
+ Commit 85817cc55b9. OVE-20210207-0001. CVE-2021-20274.
Reported by: Joshua Rogers (Opera)
- chunked_body_is_complete(): Prevent an invalid read of size two.
- Commit a912ba7bc9c. OVE-20210205-0001.
+ Commit a912ba7bc9c. OVE-20210205-0001. CVE-2021-20275.
Reported by: Joshua Rogers (Opera)
- Obsolete pcre: Prevent invalid memory accesses with an invalid
pattern passed to pcre_compile(). Note that the obsolete pcre code
is scheduled to be removed before the 3.0.33 release. There has been
a warning since 2008 already.
- Commit 28512e5b624. OVE-20210222-0001.
+ Commit 28512e5b624. OVE-20210222-0001. CVE-2021-20276.
Reported by: Joshua Rogers (Opera)
- Bug fixes:
projects / privoxy.git / blobdiff