--------------------------------------------------------------------
ChangeLog for Privoxy
--------------------------------------------------------------------
+*** Version 3.0.23 stable ***
+
+- Bug fixes:
+ - Fixed a DoS issue in case of client requests with incorrect
+ chunk-encoded body. When compiled with assertions enabled
+ (the default) they could previously cause Privoxy to abort().
+ Reported by Matthew Daley. CVE-2015-1380.
+ - Fixed multiple segmentation faults and memory leaks in the
+ pcrs code. This fix also increases the chances that an invalid
+ pcrs command is rejected as such. Previously some invalid commands
+ would be loaded without error. Note that Privoxy's pcrs sources
+ (action and filter files) are considered trustworthy input and
+ should not be writable by untrusted third-parties. CVE-2015-1381.
+ - Fixed an 'invalid read' bug which could at least theoretically
+ cause Privoxy to crash. So far, no crashes have been observed.
+ CVE-2015-1382.
+ - Compiles with --disable-force again. Reported by Kai Raven.
+ - Client requests with body that can't be delivered no longer
+ cause pipelined requests behind them to be rejected as invalid.
+ Reported by Basil Hussain.
+
+- General improvements:
+ - If a pcrs command is rejected as invalid, Privoxy now logs
+ the cause of the problem as text. Previously the pcrs error
+ code was logged.
+ - The tests are less likely to cause false positives.
+
+- Action file improvements:
+ - '.sify.com/' is no longer blocked. Apparently it is not actually
+ a pure tracking site (anymore?). Reported by Andrew on ijbswa-users@.
+ - Unblock banners on .amnesty.de/ which aren't ads.
+
+- Documentation improvements:
+ - The 'Would you like to donate?' section now also contains
+ a "Paypal" address.
+ - The list of supported operating systems has been updated.
+ - The existence of the SF support and feature trackers has been
+ deemphasized because they have been broken for months.
+ Most of the time the mailing lists still work.
+ - The claim that default.action updates are sometimes released
+ on their own has been removed. It hasn't happened in years.
+ - Explicitly mention that Tor's port may deviate from the default
+ when using a bundle. Requested by Andrew on ijbswa-users@.
+
*** Version 3.0.22 stable ***
- Bug fixes:
- Fixed a memory leak when rejecting client connections due to
the socket limit being reached (CID 66382). This affected
Privoxy 3.0.21 when compiled with IPv6 support (on most
- platforms this is the default).
+ platforms this is the default). CVE-2015-1030.
- Fixed an immediate-use-after-free bug (CID 66394) and two
additional unconfirmed use-after-free complaints made by
- Coverity scan (CID 66391, CID 66376).
+ Coverity scan (CID 66391, CID 66376). CVE-2015-1031.
- Actually show the FORCE_PREFIX value on the show-status page.
- Properly deal with Keep-Alive headers with timeout= parameters
If the timeout still can't be parsed, use the configured
This is an explicit RFC 2616 MUST and RFC 7230 mandates that
intermediaries send their own HTTP-version in forwarded
messages.
- - Client 'Keep-Alive' headers are no longer forwarded. From a user's
+ - Server 'Keep-Alive' headers are no longer forwarded. From a user's
point of view it doesn't really matter, but RFC 2616 (obsolete)
mandates that the header is removed and this fixes a Co-Advisor
complaint.
projects / privoxy.git / blobdiff