- <head>
- <meta name="generator" content="HTML Tidy, see www.w3.org">
- <title>
- What's New in this Release
- </title>
- <meta name="GENERATOR" content=
- "Modular DocBook HTML Stylesheet Version 1.79">
- <link rel="HOME" title="Privoxy 3.0.18 User Manual" href="index.html">
- <link rel="PREVIOUS" title="Installation" href="installation.html">
- <link rel="NEXT" title="Quickstart to Using Privoxy" href=
- "quickstart.html">
- <link rel="STYLESHEET" type="text/css" href="../p_doc.css">
- <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
- <link rel="STYLESHEET" type="text/css" href="p_doc.css">
-<style type="text/css">
- body {
- background-color: #EEEEEE;
- color: #000000;
- }
- :link { color: #0000FF }
- :visited { color: #840084 }
- :active { color: #0000FF }
- hr.c1 {text-align: left}
-</style>
- </head>
- <body class="SECT1">
- <div class="NAVHEADER">
- <table summary="Header navigation table" width="100%" border="0"
- cellpadding="0" cellspacing="0">
- <tr>
- <th colspan="3" align="center">
- Privoxy 3.0.18 User Manual
- </th>
- </tr>
- <tr>
- <td width="10%" align="left" valign="bottom">
- <a href="installation.html" accesskey="P">Prev</a>
- </td>
- <td width="80%" align="center" valign="bottom">
- </td>
- <td width="10%" align="right" valign="bottom">
- <a href="quickstart.html" accesskey="N">Next</a>
- </td>
- </tr>
- </table>
- <hr width="100%" class="c1">
- </div>
- <div class="SECT1">
- <h1 class="SECT1">
- <a name="WHATSNEW">3. What's New in this Release</a>
- </h1>
- <p>
- <span class="APPLICATION">Privoxy 3.0.17</span> is a stable release.
- The changes since 3.0.16 stable are:
- </p>
- <p>
- </p>
+<head>
+ <title>What's New in this Release</title>
+ <meta name="GENERATOR" content=
+ "Modular DocBook HTML Stylesheet Version 1.79">
+ <link rel="HOME" title="Privoxy 3.0.25 User Manual" href="index.html">
+ <link rel="PREVIOUS" title="Installation" href="installation.html">
+ <link rel="NEXT" title="Quickstart to Using Privoxy" href=
+ "quickstart.html">
+ <link rel="STYLESHEET" type="text/css" href="../p_doc.css">
+ <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+ <link rel="STYLESHEET" type="text/css" href="p_doc.css">
+</head>
+
+<body class="SECT1" bgcolor="#EEEEEE" text="#000000" link="#0000FF" vlink=
+"#840084" alink="#0000FF">
+ <div class="NAVHEADER">
+ <table summary="Header navigation table" width="100%" border="0"
+ cellpadding="0" cellspacing="0">
+ <tr>
+ <th colspan="3" align="center">Privoxy 3.0.25 User Manual</th>
+ </tr>
+
+ <tr>
+ <td width="10%" align="left" valign="bottom"><a href=
+ "installation.html" accesskey="P">Prev</a></td>
+
+ <td width="80%" align="center" valign="bottom"></td>
+
+ <td width="10%" align="right" valign="bottom"><a href=
+ "quickstart.html" accesskey="N">Next</a></td>
+ </tr>
+ </table>
+ <hr align="left" width="100%">
+ </div>
+
+ <div class="SECT1">
+ <h1 class="SECT1"><a name="WHATSNEW" id="WHATSNEW">3. What's New in this
+ Release</a></h1>
+
+ <p><span class="APPLICATION">Privoxy 3.0.24</span> stable contains a
+ couple of new features but is mainly a bug-fix release. Two of the fixed
+ bugs are security issues and may be used to remotely trigger crashes on
+ platforms that carefully check memory accesses (most don't).</p>
+
+ <ul>
+ <li>
+ <p>Security fixes (denial of service):</p>
+
+ <ul>
+ <li>
+ <p>Prevent invalid reads in case of corrupt chunk-encoded
+ content. CVE-2016-1982. Bug discovered with afl-fuzz and
+ AddressSanitizer.</p>
+ </li>
+
+ <li>
+ <p>Remove empty Host headers in client requests. Previously they
+ would result in invalid reads. CVE-2016-1983. Bug discovered with
+ afl-fuzz and AddressSanitizer.</p>
+ </li>
+ </ul>
+ </li>
+
+ <li>
+ <p>Bug fixes:</p>
+
+ <ul>
+ <li>
+ <p>When using socks5t, send the request body optimistically as
+ well. Previously the request body wasn't guaranteed to be sent at
+ all and the error message incorrectly blamed the server. Fixes
+ #1686 reported by Peter Müller and G4JC.</p>
+ </li>
+
+ <li>
+ <p>Fixed buffer scaling in execute_external_filter() that could
+ lead to crashes. Submitted by Yang Xia in #892.</p>
+ </li>
+
+ <li>
+ <p>Fixed crashes when executing external filters on platforms
+ like Mac OS X. Reported by Jonathan McKenzie on
+ ijbswa-users@.</p>
+ </li>
+
+ <li>
+ <p>Properly parse ACL directives with ports when compiled with
+ HAVE_RFC2553. Previously the port wasn't removed from the host
+ and in case of 'permit-access 127.0.0.1 example.org:80' Privoxy
+ would try (and fail) to resolve "example.org:80" instead of
+ example.org. Reported by Pak Chan on ijbswa-users@.</p>
+ </li>
+
+ <li>
+ <p>Check requests more carefully before serving them forcefully
+ when blocks aren't enforced. Privoxy always adds the force token
+ at the beginning of the path, but would previously accept it
+ anywhere in the request line. This could result in requests being
+ served that should be blocked. For example in case of pages that
+ were loaded with force and contained JavaScript to create
+ additionally requests that embed the origin URL (thus inheriting
+ the force prefix). The bug is not considered a security issue and
+ the fix does not make it harder for remote sites to intentionally
+ circumvent blocks if Privoxy isn't configured to enforce them.
+ Fixes #1695 reported by Korda.</p>
+ </li>
+
+ <li>
+ <p>Normalize the request line in intercepted requests to make
+ rewriting the destination more convenient. Previously rewrites
+ for intercepted requests were expected to fail unless $hostport
+ was being used, but they failed "the wrong way" and would result
+ in an out-of-memory message (vanilla host patterns) or a crash
+ (extended host patterns). Reported by "Guybrush Threepwood" in
+ #1694.</p>
+ </li>
+
+ <li>
+ <p>Enable socket lingering for the correct socket. Previously it
+ was repeatedly enabled for the listen socket instead of for the
+ accepted socket. The bug was found by code inspection and did not
+ cause any (reported) issues.</p>
+ </li>
+
+ <li>
+ <p>Detect and reject parameters for parameter-less actions.
+ Previously they were silently ignored.</p>
+ </li>
+
+ <li>
+ <p>Fixed invalid reads in internal and outdated pcre code. Found
+ with afl-fuzz and AddressSanitizer.</p>
+ </li>
+
+ <li>
+ <p>Prevent invalid read when loading invalid action files. Found
+ with afl-fuzz and AddressSanitizer.</p>
+ </li>
+
+ <li>
+ <p>Windows build: Use the correct function to close the event
+ handle. It's unclear if this bug had a negative impact on
+ Privoxy's behaviour. Reported by Jarry Xu in #891.</p>
+ </li>
+
+ <li>
+ <p>In case of invalid forward-socks5(t) directives, use the
+ correct directive name in the error messages. Previously they
+ referred to forward-socks4t failures. Reported by Joel Verhagen
+ in #889.</p>
+ </li>
+ </ul>
+ </li>
+
+ <li>
+ <p>General improvements:</p>
+
+ <ul>
+ <li>
+ <p>Set NO_DELAY flag for the accepting socket. This significantly
+ reduces the latency if the operating system is not configured to
+ set the flag by default. Reported by Johan Sintorn in #894.</p>
+ </li>
+
+ <li>
+ <p>Allow to build with mingw x86_64. Submitted by Rustam
+ Abdullaev in #135.</p>
+ </li>
+
+ <li>
+ <p>Introduce the new forwarding type 'forward-webserver'.
+ Currently it is only supported by the forward-override{} action
+ and there's no config directive with the same name. The
+ forwarding type is similar to 'forward', but the request line
+ only contains the path instead of the complete URL.</p>
+ </li>
+
+ <li>
+ <p>The CGI editor no longer treats 'standard.action' special.
+ Nowadays the official "standards" are part of default.action and
+ there's no obvious reason to disallow editing them through the
+ cgi editor anyway (if the user decided that the lack of
+ authentication isn't an issue in her environment).</p>
+ </li>
+
+ <li>
+ <p>Improved error messages when rejecting intercepted requests
+ with unknown destination.</p>
+ </li>
+
+ <li>
+ <p>A couple of log messages now include the number of active
+ threads.</p>
+ </li>
+
+ <li>
+ <p>Removed non-standard Proxy-Agent headers in HTTP snipplets to
+ make testing more convenient.</p>
+ </li>
+
+ <li>
+ <p>Include the error code for pcre errors Privoxy does not
+ recognize.</p>
+ </li>
+
+ <li>
+ <p>Config directives with numerical arguments are checked more
+ carefully.</p>
+ </li>
+
+ <li>
+ <p>Privoxy's malloc() wrapper has been changed to prevent
+ zero-size allocations which should only occur as the result of
+ bugs.</p>
+ </li>
+
+ <li>
+ <p>Various cosmetic changes.</p>
+ </li>
+ </ul>
+ </li>
+
+ <li>
+ <p>Action file improvements:</p>
+
+ <ul>
+ <li>
+ <p>Unblock ".deutschlandradiokultur.de/". Reported by u302320 in
+ #924.</p>
+ </li>
+
+ <li>
+ <p>Add two fast-redirect exceptions for "yandex.ru".</p>
+ </li>
+
+ <li>
+ <p>Disable filter{banners-by-size} for ".plasmaservice.de/".</p>
+ </li>
+
+ <li>
+ <p>Unblock "klikki.fi/adv/".</p>
+ </li>
+
+ <li>
+ <p>Block requests for "resources.infolinks.com/". Reported by
+ "Black Rider" on ijbswa-users@.</p>
+ </li>
+
+ <li>
+ <p>Block a bunch of criteo domains. Reported by Black Rider.</p>
+ </li>
+
+ <li>
+ <p>Block "abs.proxistore.com/abe/". Reported by Black Rider.</p>
+ </li>
+
+ <li>
+ <p>Disable filter{banners-by-size} for
+ ".black-mosquito.org/".</p>
+ </li>
+
+ <li>
+ <p>Disable fast-redirects for "disqus.com/".</p>
+ </li>
+ </ul>
+ </li>
+
+ <li>
+ <p>Documentation improvements:</p>
+
+ <ul>
+ <li>
+ <p>FAQ: Explicitly point fingers at ASUS as an example of a
+ company that has been reported to force malware based on Privoxy
+ upon its customers.</p>
+ </li>
+
+ <li>
+ <p>Correctly document the action type for a bunch of
+ "multi-value" actions that were incorrectly documented to be
+ "parameterized". Reported by Gregory Seidman on
+ ijbswa-users@.</p>
+ </li>
+
+ <li>
+ <p>Fixed the documented type of the forward-override{} action
+ which is obviously 'parameterized'.</p>
+ </li>
+ </ul>
+ </li>
+
+ <li>
+ <p>Website improvements:</p>
+
+ <ul>
+ <li>
+ <p>Users who don't trust binaries served by SourceForge can get
+ them from a mirror. Migrating away from SourceForge is planned
+ for 2016 (TODO list item #53).</p>
+ </li>
+
+ <li>
+ <p>The website is now available as onion service
+ (http://jvauzb4sb3bwlsnc.onion/).</p>
+ </li>
+ </ul>
+ </li>
+ </ul>
+
+ <div class="SECT2">
+ <h2 class="SECT2"><a name="UPGRADERSNOTE" id="UPGRADERSNOTE">3.1. Note
+ to Upgraders</a></h2>
+
+ <p>A quick list of things to be aware of before upgrading from earlier
+ versions of <span class="APPLICATION">Privoxy</span>:</p>
+