X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fwebserver%2Fuser-manual%2Fwhatsnew.html;h=6eb7a630df645ebf4d199bed824dda17bc6a919d;hp=1808b1e509c93e9d2037c4cfac630e2c41e579e3;hb=7a99a61ab1a3ce0401821aedcd06eba19a698b2a;hpb=1284f78d7c4454f212d1283695d76d78e23d6b4f diff --git a/doc/webserver/user-manual/whatsnew.html b/doc/webserver/user-manual/whatsnew.html index 1808b1e5..6eb7a630 100644 --- a/doc/webserver/user-manual/whatsnew.html +++ b/doc/webserver/user-manual/whatsnew.html @@ -1,322 +1,399 @@ - -
There are only a few improvements and new features since - Privoxy 3.0.10, the last stable release:
The mingw32 version uses mutex locks now which prevents - log message corruption under load. As a side effect, - the "no thread-safe PRNG" warning could be removed as well. -
Support for remote toggling is controlled by the configure - option --disable-toggle only. In previous versions it also - depended on the action editor and thus configuring with the - --disable-editor option would disable remote toggling support - as well. -
The hide-forwarded-for-headers action has been replaced with - the change-x-forwarded-for{} action which can also be used to - add X-Forwarded-For headers. The latter functionality already - existed in Privoxy versions prior to 3.0.7 but has been removed - as it was often used unintentionally (by not using the - hide-forwarded-for-headers action). -
For a more detailed list of changes please have a look at the ChangeLog.
A quick list of things to be aware of before upgrading from earlier - versions of Privoxy:
The recommended way to upgrade Privoxy is to backup your old - configuration files, install the new ones, verify that Privoxy - is working correctly and finally merge back your changes using - diff and maybe patch. -
There are a number of new features in each Privoxy release and - most of them have to be explicitly enabled in the configuration - files. Old configuration files obviously don't do that and due - to syntax changes using old configuration files with a new - Privoxy isn't always possible anyway. -
- Note that some installers remove earlier versions completely, - including configuration files, therefore you should really save - any important configuration files! -
- On the other hand, other installers don't overwrite existing configuration - files, thinking you will want to do that yourself. -
- standard.action has been merged into - the default.action file. -
In the default configuration only fatal errors are logged now. - You can change that in the debug section - of the configuration file. You may also want to enable more verbose - logging until you verified that the new Privoxy version is working - as expected. -
Three other config file settings are now off by default: - enable-remote-toggle, - enable-remote-http-toggle, - and enable-edit-actions. - If you use or want these, you will need to explicitly enable them, and - be aware of the security issues involved. -
The "filter-client-headers" and - "filter-server-headers" actions that were introduced with - Privoxy 3.0.5 to apply content filters to - the headers have been removed and replaced with new actions. - See the What's New section above. -
Privoxy 3.0.24 stable contains a + couple of new features but is mainly a bug-fix release. Two of the fixed + bugs are security issues and may be used to remotely trigger crashes on + platforms that carefully check memory accesses (most don't).
+ +Security fixes (denial of service):
+ +Prevent invalid reads in case of corrupt chunk-encoded + content. CVE-2016-1982. Bug discovered with afl-fuzz and + AddressSanitizer.
+Remove empty Host headers in client requests. Previously they + would result in invalid reads. CVE-2016-1983. Bug discovered with + afl-fuzz and AddressSanitizer.
+Bug fixes:
+ +When using socks5t, send the request body optimistically as + well. Previously the request body wasn't guaranteed to be sent at + all and the error message incorrectly blamed the server. Fixes + #1686 reported by Peter Müller and G4JC.
+Fixed buffer scaling in execute_external_filter() that could + lead to crashes. Submitted by Yang Xia in #892.
+Fixed crashes when executing external filters on platforms + like Mac OS X. Reported by Jonathan McKenzie on + ijbswa-users@.
+Properly parse ACL directives with ports when compiled with + HAVE_RFC2553. Previously the port wasn't removed from the host + and in case of 'permit-access 127.0.0.1 example.org:80' Privoxy + would try (and fail) to resolve "example.org:80" instead of + example.org. Reported by Pak Chan on ijbswa-users@.
+Check requests more carefully before serving them forcefully + when blocks aren't enforced. Privoxy always adds the force token + at the beginning of the path, but would previously accept it + anywhere in the request line. This could result in requests being + served that should be blocked. For example in case of pages that + were loaded with force and contained JavaScript to create + additionally requests that embed the origin URL (thus inheriting + the force prefix). The bug is not considered a security issue and + the fix does not make it harder for remote sites to intentionally + circumvent blocks if Privoxy isn't configured to enforce them. + Fixes #1695 reported by Korda.
+Normalize the request line in intercepted requests to make + rewriting the destination more convenient. Previously rewrites + for intercepted requests were expected to fail unless $hostport + was being used, but they failed "the wrong way" and would result + in an out-of-memory message (vanilla host patterns) or a crash + (extended host patterns). Reported by "Guybrush Threepwood" in + #1694.
+Enable socket lingering for the correct socket. Previously it + was repeatedly enabled for the listen socket instead of for the + accepted socket. The bug was found by code inspection and did not + cause any (reported) issues.
+Detect and reject parameters for parameter-less actions. + Previously they were silently ignored.
+Fixed invalid reads in internal and outdated pcre code. Found + with afl-fuzz and AddressSanitizer.
+Prevent invalid read when loading invalid action files. Found + with afl-fuzz and AddressSanitizer.
+Windows build: Use the correct function to close the event + handle. It's unclear if this bug had a negative impact on + Privoxy's behaviour. Reported by Jarry Xu in #891.
+In case of invalid forward-socks5(t) directives, use the + correct directive name in the error messages. Previously they + referred to forward-socks4t failures. Reported by Joel Verhagen + in #889.
+General improvements:
+ +Set NO_DELAY flag for the accepting socket. This significantly + reduces the latency if the operating system is not configured to + set the flag by default. Reported by Johan Sintorn in #894.
+Allow to build with mingw x86_64. Submitted by Rustam + Abdullaev in #135.
+Introduce the new forwarding type 'forward-webserver'. + Currently it is only supported by the forward-override{} action + and there's no config directive with the same name. The + forwarding type is similar to 'forward', but the request line + only contains the path instead of the complete URL.
+The CGI editor no longer treats 'standard.action' special. + Nowadays the official "standards" are part of default.action and + there's no obvious reason to disallow editing them through the + cgi editor anyway (if the user decided that the lack of + authentication isn't an issue in her environment).
+Improved error messages when rejecting intercepted requests + with unknown destination.
+A couple of log messages now include the number of active + threads.
+Removed non-standard Proxy-Agent headers in HTTP snipplets to + make testing more convenient.
+Include the error code for pcre errors Privoxy does not + recognize.
+Config directives with numerical arguments are checked more + carefully.
+Privoxy's malloc() wrapper has been changed to prevent + zero-size allocations which should only occur as the result of + bugs.
+Various cosmetic changes.
+Action file improvements:
+ +Unblock ".deutschlandradiokultur.de/". Reported by u302320 in + #924.
+Add two fast-redirect exceptions for "yandex.ru".
+Disable filter{banners-by-size} for ".plasmaservice.de/".
+Unblock "klikki.fi/adv/".
+Block requests for "resources.infolinks.com/". Reported by + "Black Rider" on ijbswa-users@.
+Block a bunch of criteo domains. Reported by Black Rider.
+Block "abs.proxistore.com/abe/". Reported by Black Rider.
+Disable filter{banners-by-size} for + ".black-mosquito.org/".
+Disable fast-redirects for "disqus.com/".
+Documentation improvements:
+ +FAQ: Explicitly point fingers at ASUS as an example of a + company that has been reported to force malware based on Privoxy + upon its customers.
+Correctly document the action type for a bunch of + "multi-value" actions that were incorrectly documented to be + "parameterized". Reported by Gregory Seidman on + ijbswa-users@.
+Fixed the documented type of the forward-override{} action + which is obviously 'parameterized'.
+Website improvements:
+ +Users who don't trust binaries served by SourceForge can get + them from a mirror. Migrating away from SourceForge is planned + for 2016 (TODO list item #53).
+The website is now available as onion service + (http://jvauzb4sb3bwlsnc.onion/).
+A quick list of things to be aware of before upgrading from earlier + versions of Privoxy:
+ +The recommended way to upgrade Privoxy is to backup your old configuration + files, install the new ones, verify that Privoxy is working correctly and finally merge + back your changes using diff and + maybe patch.
+ +There are a number of new features in each Privoxy release and most of them have to be + explicitly enabled in the configuration files. Old configuration + files obviously don't do that and due to syntax changes using old + configuration files with a new Privoxy isn't always possible anyway.
+Note that some installers remove earlier versions completely, + including configuration files, therefore you should really save any + important configuration files!
+On the other hand, other installers don't overwrite existing + configuration files, thinking you will want to do that + yourself.
+In the default configuration only fatal errors are logged now. + You can change that in the debug + section of the configuration file. You may also want to enable + more verbose logging until you verified that the new Privoxy version is working as expected.
+Three other config file settings are now off by default: + enable-remote-toggle, + enable-remote-http-toggle, + and enable-edit-actions. If you + use or want these, you will need to explicitly enable them, and be + aware of the security issues involved.
+