X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=ChangeLog;h=745d141ce03ce1552f80e7476253fec7f328cfc6;hp=eedf2a7e21cdff67ed38241a9e5f5040ba56ddfc;hb=28e89680c5e82861e5454856ad52032deddcf74b;hpb=03a0abda4a8930db8fe110333d7a2fde12912003 diff --git a/ChangeLog b/ChangeLog index eedf2a7e..745d141c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,10 +1,60 @@ -------------------------------------------------------------------- ChangeLog for Privoxy -------------------------------------------------------------------- +*** Version 3.0.23 stable *** + +- Bug fixes: + - Fixed a DoS issue in case of client requests with incorrect + chunk-encoded body. When compiled with assertions enabled + (the default) they could previously cause Privoxy to abort(). + Reported by Matthew Daley. + - Fixed multiple segmentation faults and memory leaks in the + pcrs code. This fix also increases the chances that an invalid + pcrs command is rejected as such. Previously some invalid commands + would be loaded without error. Note that Privoxy's pcrs sources + (action and filter files) are considered trustworthy input and + should not be writable by untrusted third-parties. + - Fixed an 'invalid read' bug which could at least theoretically + cause Privoxy to crash. So far, no crashes have been observed. + - Compiles with --disable-force again. Reported by Kay Raven. + - Client requests with body that can't be delivered no longer + cause pipelined requests behind them to be rejected as invalid. + Reported by Basil Hussain. + +- General improvements: + - If a pcrs command is rejected as invalid, Privoxy now logs + the cause of the problem as text. Previously the pcrs error + code was logged. + - The tests are less likely to cause false positives. + +- Action file improvements: + - '.sify.com/' is no longer blocked. Apparently it is not actually + a pure tracking site (anymore?). Reported by Andrew on ijbswa-users@. + - Unblock banners on .amnesty.de/ which aren't ads. + +- Documentation improvements: + - The 'Would you like to donate?' section now also contains + a "Paypal" address. + - The list of supported operating systems has been updated. + - The existence of the SF support and feature trackers has been + deemphasized because they have been broken for months. + Most of the time the mailing lists still work. + - The claim that default.action updates are sometimes released + on their own has been removed. It hasn't happened in years. + - Explicitly mention that Tor's port may deviate from the default + when using a bundle. Requested by Andrew on ijbswa-users@. + *** Version 3.0.22 stable *** - Bug fixes: - - Actually show the FORCE_PREFIX value on the show-status page + - Fixed a memory leak when rejecting client connections due to + the socket limit being reached (CID 66382). This affected + Privoxy 3.0.21 when compiled with IPv6 support (on most + platforms this is the default). CVE-2015-1030. + - Fixed an immediate-use-after-free bug (CID 66394) and two + additional unconfirmed use-after-free complaints made by + Coverity scan (CID 66391, CID 66376). CVE-2015-1031. + - Actually show the FORCE_PREFIX value on the show-status page. - Properly deal with Keep-Alive headers with timeout= parameters If the timeout still can't be parsed, use the configured timeout instead of preventing the client from keeping the @@ -12,54 +62,59 @@ ChangeLog for Privoxy - Not using any filter files no longer results in warning messages unless an action file is referencing header taggers or filters. Reported by Stefan Kurtz in #3614835. + - Fixed a bug that prevented Privoxy from reusing some reusable + connections. Two bit masks with different purpose unintentionally + shared the same bit. - A couple of additional bugs were discovered by Coverity Scan. - The changes that are not expected to be user visible are not - explicitly mentioned here, for details please have a look at - the CVS logs. + The fixes that are not expected to affect users are not explicitly + mentioned here, for details please have a look at the CVS logs. - General improvements: - -Introduced negative tag patterns NO-REQUEST-TAG and NO-RESPONSE-TAG - They apply if no matching tag is found after parsing client - or server headers. + - Introduced negative tag patterns NO-REQUEST-TAG and NO-RESPONSE-TAG. + They apply if no matching tag is found after parsing client or + server headers. - Add support for external filters which allow to process the response body with a script or program written in any language the platform supports. External filters are enabled with +external-filter{} after they have been defined in one of the filter files with a header line starting with "EXTERNAL-FILTER:". External filter support is experimental, not compiled by default - and not expected to work on all platforms. - - Add support for the 'PATCH' method as defined in RFC5789 - - Reject requests with unsupported Expect header values + and known not to work on all platforms. + - Add support for the 'PATCH' method as defined in RFC5789. + - Reject requests with unsupported Expect header values. Fixes a couple of Co-Advisor tests. - Normalize the HTTP-version in forwarded requests and responses. - This is an explicit RFC 2616 MUST and RFC 7230 mandates - that intermediaries send their own HTTP-version in forwarded + This is an explicit RFC 2616 MUST and RFC 7230 mandates that + intermediaries send their own HTTP-version in forwarded messages. - - Change declared template file encoding to UTF-8. - The files already used a subset of UTF-8 anyway and changing - the declaration allows to properly display UTF-8 characters - used in the action files. + - Server 'Keep-Alive' headers are no longer forwarded. From a user's + point of view it doesn't really matter, but RFC 2616 (obsolete) + mandates that the header is removed and this fixes a Co-Advisor + complaint. + - Change declared template file encoding to UTF-8. The templates + already used a subset of UTF-8 anyway and changing the declaration + allows to properly display UTF-8 characters used in the action files. This change may require existing action files with ISO-8859-1 characters that aren't valid UTF-8 to be converted to UTF-8. Requested by Sam Chen in #582. - Do not pass rejected keep-alive timeouts to the server. It might not have caused any problems (we know of), but doing the right thing shouldn't hurt either. - - Let log_error() use its own buffer size #define - to make changing the log buffer size slightly less inconvenient. + - Let log_error() use its own buffer size #define to make changing + the log buffer size slightly less inconvenient. - Turned single-threaded into a "proper" toggle directive with arguments. - CGI templates no longer enforce new windows for some links. - - Remove an undocumented workaround (HOST header removal) for + - Remove an undocumented workaround ('HOST' header removal) for an Apple iTunes bug that according to #729900 got fixed in 2003. - Action file improvements: - The pattern 'promotions.' is no longer being blocked. Reported by rakista in #3608540. - - Disable fast-redirects for .microsofttranslator.com/ - - Disable filter{banners-by-size} for .dgb-tagungszentren.de/ + - Disable fast-redirects for .microsofttranslator.com/. + - Disable filter{banners-by-size} for .dgb-tagungszentren.de/. - Add adn.speedtest.net as a site-specific unblocker. Support request #3612908. - - Disable filter{banners-by-size} for creativecommons.org/ + - Disable filter{banners-by-size} for creativecommons.org/. - Block requests to data.gosquared.com/. Reported by cbug in #3613653. - Unblock .conrad./newsletter/. Reported by David Bo in #3614238. - Unblock .bundestag.de/. @@ -78,16 +133,17 @@ ChangeLog for Privoxy Previously enabling the 'Advanced' settings (or manually enabling +fast-redirects{}) prevented some images from being loaded properly. - Unblock "adina*." Fixes #919 reported by Morton A. Goldberg. - - Block '/.*DigiAd' + - Block '/.*DigiAd'. - Unblock 'adele*.'. Reported by Adele Lime in #1663. + - Disable banners-by-size for kggp.de/. - Filter file improvements & bug fixes: - Decrease the chances that js-annoyances creates invalid JavaScript. Submitted by John McGowan on ijbswa-users@. - - Let the msn filter hide 'related' ads again - - Remove a stray '1' in the 'html-annoyances' filter - - Prevent img-reorder from messing up img tags with empty src attributes - Fixes #880 reported by Duncan. + - Let the msn filter hide 'related' ads again. + - Remove a stray '1' in the 'html-annoyances' filter. + - Prevent img-reorder from messing up img tags with empty src + attributes. Fixes #880 reported by Duncan. - Documentation improvements: - Updated the 'Would you like to donate?' section. @@ -95,36 +151,38 @@ ChangeLog for Privoxy detected until the parameter is used. - Add another +redirect{} example: a shortcut for illumos bugs. - Make it more obvious that many operating systems support log - rotation out of the box + rotation out of the box. - Fixed dead links. Reported by Mark Nelson in #3614557. - Rephrased the 'Why is the configuration so complicated?' answer to be slightly less condescending. Anonymously suggested in #3615122. - - Be more explicit about accept-intercepted-requests's lack of MITM support - - Make 'demoronizer' FAQ entries more generic - - Add an example hostname to the --pre-chroot-nslookup description - - Add an example for a host pattern that matches an IP address - - Rename the 'domain pattern' to 'host pattern' as it may contain IP addresses as well - - Recommend forward-socks5t when using Tor - It seems to work fine and modifying the Tor configuration - to profit from it hasn't been necessary for a while now. - - Add another redirect{} example to stress that redirect loops can and should be avoided + - Be more explicit about accept-intercepted-requests's lack of MITM support. + - Make 'demoronizer' FAQ entries more generic. + - Add an example hostname to the --pre-chroot-nslookup description. + - Add an example for a host pattern that matches an IP address. + - Rename the 'domain pattern' to 'host pattern' as it may + contain IP addresses as well. + - Recommend forward-socks5t when using Tor. It seems to work fine and + modifying the Tor configuration to profit from it hasn't been necessary + for a while now. + - Add another redirect{} example to stress that redirect loops can + and should be avoided. - The usual spelling and grammar fixes. Parts of them were reported by Reuben Thomas in #3615276. - - Mention the PCRS option letters T and D in the filter section + - Mention the PCRS option letters T and D in the filter section. - Clarify that handle-as-empty-doc-returns-ok is still useful - and will not be removed without replacement - - Note that security issues shouldn't be reported using the bug tracker - - Clarify what Privoxy does if both +block{} and +redirect{} apply + and will not be removed without replacement. + - Note that security issues shouldn't be reported using the bug tracker. + - Clarify what Privoxy does if both +block{} and +redirect{} apply. - Removed the obsolete bookmarklets section. -- Build system improvements - - Let --with-group properly deal with secondary groups +- Build system improvements: + - Let --with-group properly deal with secondary groups. Patch submitted by Anatoly Arzhnikov in #3615187. - - Fix web-actions target - - Add a web-faq target that only updates the FAQ on the webserver - - Remove already-commented-out non-portable DOSFILTER alternatives - - Remove the obsolete targets dok-put and dok-get - - Add a sf-shell target + - Fix web-actions target. + - Add a web-faq target that only updates the FAQ on the webserver. + - Remove already-commented-out non-portable DOSFILTER alternatives. + - Remove the obsolete targets dok-put and dok-get. + - Add a sf-shell target. *** Version 3.0.21 stable ***