X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=ChangeLog;h=f8d657a21d8187232ef9c92f7084f9dce46db7fc;hp=c2c9be26a35d5347fcb17d789ab28c16b2fcae5f;hb=c714bf93521b894e97e37ea448e41e67722ae205;hpb=559561260afba5ba7d5339bccd8cbc41d2837a33 diff --git a/ChangeLog b/ChangeLog index c2c9be26..f8d657a2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,16 +1,60 @@ -------------------------------------------------------------------- ChangeLog for Privoxy -------------------------------------------------------------------- +*** Version 3.0.23 stable *** + +- Bug fixes: + - Fixed a DoS issue in case of client requests with incorrect + chunk-encoded body. When compiled with assertions enabled + (the default) they could previously cause Privoxy to abort(). + Reported by Matthew Daley. CVE-2015-1380. + - Fixed multiple segmentation faults and memory leaks in the + pcrs code. This fix also increases the chances that an invalid + pcrs command is rejected as such. Previously some invalid commands + would be loaded without error. Note that Privoxy's pcrs sources + (action and filter files) are considered trustworthy input and + should not be writable by untrusted third-parties. CVE-2015-1381. + - Fixed an 'invalid read' bug which could at least theoretically + cause Privoxy to crash. So far, no crashes have been observed. + CVE-2015-1382. + - Compiles with --disable-force again. Reported by Kai Raven. + - Client requests with body that can't be delivered no longer + cause pipelined requests behind them to be rejected as invalid. + Reported by Basil Hussain. + +- General improvements: + - If a pcrs command is rejected as invalid, Privoxy now logs + the cause of the problem as text. Previously the pcrs error + code was logged. + - The tests are less likely to cause false positives. + +- Action file improvements: + - '.sify.com/' is no longer blocked. Apparently it is not actually + a pure tracking site (anymore?). Reported by Andrew on ijbswa-users@. + - Unblock banners on .amnesty.de/ which aren't ads. + +- Documentation improvements: + - The 'Would you like to donate?' section now also contains + a "Paypal" address. + - The list of supported operating systems has been updated. + - The existence of the SF support and feature trackers has been + deemphasized because they have been broken for months. + Most of the time the mailing lists still work. + - The claim that default.action updates are sometimes released + on their own has been removed. It hasn't happened in years. + - Explicitly mention that Tor's port may deviate from the default + when using a bundle. Requested by Andrew on ijbswa-users@. + *** Version 3.0.22 stable *** - Bug fixes: - Fixed a memory leak when rejecting client connections due to the socket limit being reached (CID 66382). This affected Privoxy 3.0.21 when compiled with IPv6 support (on most - platforms this is the default). + platforms this is the default). CVE-2015-1030. - Fixed an immediate-use-after-free bug (CID 66394) and two additional unconfirmed use-after-free complaints made by - Coverity scan (CID 66391, CID 66376). + Coverity scan (CID 66391, CID 66376). CVE-2015-1031. - Actually show the FORCE_PREFIX value on the show-status page. - Properly deal with Keep-Alive headers with timeout= parameters If the timeout still can't be parsed, use the configured @@ -44,7 +88,7 @@ ChangeLog for Privoxy This is an explicit RFC 2616 MUST and RFC 7230 mandates that intermediaries send their own HTTP-version in forwarded messages. - - Client 'Keep-Alive' headers are no longer forwarded. From a user's + - Server 'Keep-Alive' headers are no longer forwarded. From a user's point of view it doesn't really matter, but RFC 2616 (obsolete) mandates that the header is removed and this fixes a Co-Advisor complaint.