-
-*** Version 3.0.11 ***
-
-- On most platforms, outgoing connections can be kept alive and
- reused if the server supports it. Whether or not this improves
- things depends on the connection.
-- When dropping privileges, membership in supplementary groups
- is given up as well. Not doing that can lead to Privoxy running
- with more rights than necessary and violates the principle of
- least privilege. Users of the --user option are advised to update.
- Thanks to Matthias Drochner for reporting the problem,
- providing the initial patch and testing the final version.
-- Passing invalid users or groups with the --user option
- didn't lead to program exit. Regression introduced in 3.0.7.
-- The match all section has been moved from default.action
- to a new file called match-all.action. As a result the
- default.action no longer needs to be touched by the user
- and can be safely overwritten by updates.
-- The standard.action file has been removed. Its content
- is now part of the default.action file.
-- In some situations the logged content length was slightly too low.
-- Crunched requests are logged with their own log level.
- If you used "debug 1" in the past, you'll probably want
- to additionally enable "debug 1024", otherwise only passed
- requests will be logged. If you only care about crunched
- requests, simply replace "debug 1" with "debug 1024".
-- The crunch reason has been moved to the beginning of the
- crunch message. For HTTP URLs, the protocol is logged as well.
-- Log messages are shortened by not printing the thread id
- on its own (as opposed to putting it inside "Privoxy()".
-- The config option socket-timeout has been added to control
- the time Privoxy waits for data to arrive on a socket.
-- Support for remote toggling is controlled by the configure
- option --disable-toggle only. In previous versions it also
- depended on the action editor and thus configuring with the
- --disable-editor option would disable remote toggling support
- as well.
-- Requests with invalid HTTP versions are rejected.
-- The template symbol @date@ can be used to include a date(1)-like
- time string. Initial patch submitted by Endre Szabo.
-- Responses from shoutcast servers are accepted again.
- Problem reported and fix suggested by Stefan.
-- The hide-forwarded-for-headers action has been replaced with
- the change-x-forwarded-for{} action which can also be used to
- add X-Forwarded-For headers. The latter functionality already
- existed in Privoxy versions prior to 3.0.7 but has been removed
- as it was often used unintentionally (by not using the
- hide-forwarded-for-headers action).
-- A "clear log" view option was added to the mingw32 version
- to clear out all of the lines in the Privoxy log window.
- Based on a patch submitted by T Ford.
-- The mingw32 version uses "critical sections" now, which prevents
- log message corruption under load. As a side effect, the
- "no thread-safe PRNG" warning could be removed as well.
-- The mingw32 version's task bar icon is crossed out and
- the color changed to gray if Privoxy is toggled off.
+*** Version 3.0.23 stable ***
+
+- Bug fixes:
+ - Fixed a DoS issue in case of client requests with incorrect
+ chunk-encoded body. When compiled with assertions enabled
+ (the default) they could previously cause Privoxy to abort().
+ Reported by Matthew Daley.
+ - Fixed multiple segmentation faults and memory leaks in the
+ pcrs code. This fix also increases the chances that an invalid
+ pcrs command is rejected as such. Previously some invalid commands
+ would be loaded without error. Note that Privoxy's pcrs sources
+ (action and filter files) are considered trustworthy input and
+ should not be writable by untrusted third-parties.
+ - Fixed an 'invalid read' bug which could at least theoretically
+ cause Privoxy to crash. So far, no crashes have been observed.
+ - Compiles with --disable-force again. Reported by Kay Raven.
+ - Client requests with body that can't be delivered no longer
+ cause pipelined requests behind them to be rejected as invalid.
+ Reported by Basil Hussain.
+
+- General improvements:
+ - If a pcrs command is rejected as invalid, Privoxy now logs
+ the cause of the problem as text. Previously the pcrs error
+ code was logged.
+ - The tests are less likely to cause false positives.
+
+- Action file improvements:
+ - '.sify.com/' is no longer blocked. Apparently it is not actually
+ a pure tracking site (anymore?). Reported by Andrew on ijbswa-users@.
+ - Unblock banners on .amnesty.de/ which aren't ads.
+
+- Documentation improvements:
+ - The 'Would you like to donate?' section now also contains
+ a "Paypal" address.
+ - The list of supported operating systems has been updated.
+ - The existence of the SF support and feature trackers has been
+ deemphasized because they have been broken for months.
+ Most of the time the mailing lists still work.
+ - The claim that default.action updates are sometimes released
+ on their own has been removed. It hasn't happened in years.
+ - Explicitly mention that Tor's port may deviate from the default
+ when using a bundle. Requested by Andrew on ijbswa-users@.