- Fixed a DoS issue in case of client requests with incorrect
chunk-encoded body. When compiled with assertions enabled
(the default) they could previously cause Privoxy to abort().
- Reported by Matthew Daley.
+ Reported by Matthew Daley. CVE-2015-1380.
- Fixed multiple segmentation faults and memory leaks in the
pcrs code. This fix also increases the chances that an invalid
pcrs command is rejected as such. Previously some invalid commands
would be loaded without error. Note that Privoxy's pcrs sources
(action and filter files) are considered trustworthy input and
- should not be writable by untrusted third-parties.
+ should not be writable by untrusted third-parties. CVE-2015-1381.
- Fixed an 'invalid read' bug which could at least theoretically
cause Privoxy to crash. So far, no crashes have been observed.
- - Compiles with --disable-force again. Reported by Kay Raven.
+ CVE-2015-1382.
+ - Compiles with --disable-force again. Reported by Kai Raven.
- Client requests with body that can't be delivered no longer
cause pipelined requests behind them to be rejected as invalid.
Reported by Basil Hussain.
- Fixed a memory leak when rejecting client connections due to
the socket limit being reached (CID 66382). This affected
Privoxy 3.0.21 when compiled with IPv6 support (on most
- platforms this is the default).
+ platforms this is the default). CVE-2015-1030.
- Fixed an immediate-use-after-free bug (CID 66394) and two
additional unconfirmed use-after-free complaints made by
- Coverity scan (CID 66391, CID 66376).
+ Coverity scan (CID 66391, CID 66376). CVE-2015-1031.
- Actually show the FORCE_PREFIX value on the show-status page.
- Properly deal with Keep-Alive headers with timeout= parameters
If the timeout still can't be parsed, use the configured