X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fwebserver%2Fuser-manual%2Fwhatsnew.html;h=efd6daf6089893c877d4815502f8e0219bd13e1d;hp=5d7c0b252df5b54ba5e4ab7af24533db8ed26ee2;hb=dc80a8219d68d1e25821219e0b3b5bcda5bae21e;hpb=345a4d0bce0d40df7255eb1aeb2c1473dcb11f47 diff --git a/doc/webserver/user-manual/whatsnew.html b/doc/webserver/user-manual/whatsnew.html index 5d7c0b25..efd6daf6 100644 --- a/doc/webserver/user-manual/whatsnew.html +++ b/doc/webserver/user-manual/whatsnew.html @@ -1,351 +1,398 @@ - -
Privoxy 3.0.12 is mainly a bugfix release:
The socket-timeout option now also works on platforms whose - select() implementation modifies the timeout structure. - Previously the timeout was triggered even if the connection - didn't stall. Reported by cyberpatrol. -
The Connection: keep-alive code properly deals with files - larger than 2GB. Previously the connection was closed too - early. -
The content length for files above 2GB is logged correctly. -
The user-manual directive on the show-status page links to - the documentation location specified with the directive, - not to the Privoxy website. -
When running in daemon mode, Privoxy doesn't log anything - to the console unless there are errors before the logfile - has been opened. -
The show-status page prints warnings about invalid directives - on the same line as the directives themselves. -
Fixed several justified (but harmless) compiler warnings, - mostly on 64 bit platforms. -
The mingw32 version explicitly requests the default charset - to prevent display problems with some fonts available on more - recent Windows versions. Patch by Burberry. -
The mingw32 version uses the Privoxy icon in the alt-tab - windows. Patch by Burberry. -
The timestamp and the thread id is omitted in the "Fatal error" - message box on mingw32. -
Fixed two related mingw32-only buffer overflows. Triggering - them required control over the configuration file, therefore - this isn't seen as a security issue. -
In verbose mode, or if the new option --show-skipped-tests - is used, Privoxy-Regression-Test logs skipped tests and the - skip reason. -
A quick list of things to be aware of before upgrading from earlier - versions of Privoxy:
The recommended way to upgrade Privoxy is to backup your old - configuration files, install the new ones, verify that Privoxy - is working correctly and finally merge back your changes using - diff and maybe patch. -
There are a number of new features in each Privoxy release and - most of them have to be explicitly enabled in the configuration - files. Old configuration files obviously don't do that and due - to syntax changes using old configuration files with a new - Privoxy isn't always possible anyway. -
- Note that some installers remove earlier versions completely, - including configuration files, therefore you should really save - any important configuration files! -
- On the other hand, other installers don't overwrite existing configuration - files, thinking you will want to do that yourself. -
- standard.action has been merged into - the default.action file. -
In the default configuration only fatal errors are logged now. - You can change that in the debug section - of the configuration file. You may also want to enable more verbose - logging until you verified that the new Privoxy version is working - as expected. -
Three other config file settings are now off by default: - enable-remote-toggle, - enable-remote-http-toggle, - and enable-edit-actions. - If you use or want these, you will need to explicitly enable them, and - be aware of the security issues involved. -
Privoxy 3.0.24 stable contains a + couple of new features but is mainly a bug-fix release. Two of the fixed + bugs are security issues (CVE requests pending) and may be used to + remotely trigger crashes on platforms that carefully check memory + accesses (most don't).
+ +Security fixes (denial of service):
+ +Prevent invalid reads in case of corrupt chunk-encoded + content. Bug discovered with afl-fuzz and AddressSanitizer.
+Remove empty Host headers in client requests. Previously they + would result in invalid reads. Bug discovered with afl-fuzz and + AddressSanitizer.
+Bug fixes:
+ +When using socks5t, send the request body optimistically as + well. Previously the request body wasn't guaranteed to be sent at + all and the error message incorrectly blamed the server. Fixes + #1686 reported by Peter Müller and G4JC.
+Fixed buffer scaling in execute_external_filter() that could + lead to crashes. Submitted by Yang Xia in #892.
+Fixed crashes when executing external filters on platforms + like Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@
+Properly parse ACL directives with ports when compiled with + HAVE_RFC2553. Previously the port wasn't removed from the host + and in case of 'permit-access 127.0.0.1 example.org:80' Privoxy + would try (and fail) to resolve "example.org:80" instead of + example.org. Reported by Pak Chan on ijbswa-users@.
+Check requests more carefully before serving them forcefully + when blocks aren't enforced. Privoxy always adds the force token + at the beginning of the path, but would previously accept it + anywhere in the request line. This could result in requests being + served that should be blocked. For example in case of pages that + were loaded with force and contained JavaScript to create + additionally requests that embed the origin URL (thus inheriting + the force prefix). The bug is not considered a security issue and + the fix does not make it harder for remote sites to intentionally + circumvent blocks if Privoxy isn't configured to enforce them. + Fixes #1695 reported by Korda.
+Normalize the request line in intercepted requests to make + rewriting the destination more convenient. Previously rewrites + for intercepted requests were expected to fail unless $hostport + was being used, but they failed "the wrong way" and would result + in an out-of-memory message (vanilla host patterns) or a crash + (extended host patterns). Reported by "Guybrush Threepwood" in + #1694.
+Enable socket lingering for the correct socket. Previously it + was repeatedly enabled for the listen socket instead of for the + accepted socket. The bug was found by code inspection and did not + cause any (reported) issues.
+Detect and reject parameters for parameter-less actions. + Previously they were silently ignored.
+Fixed invalid reads in internal and outdated pcre code. Found + with afl-fuzz and AddressSanitizer.
+Prevent invalid read when loading invalid action files. Found + with afl-fuzz and AddressSanitizer.
+Windows build: Use the correct function to close the event + handle. It's unclear if this bug had a negative impact on + Privoxy's behaviour. Reported by Jarry Xu in #891.
+In case of invalid forward-socks5(t) directives, use the + correct directive name in the error messages. Previously they + referred to forward-socks4t failures. Reported by Joel Verhagen + in #889.
+General improvements:
+ +Set NO_DELAY flag for the accepting socket. This significantly + reduces the latency if the operating system is not configured to + set the flag by default. Reported by Johan Sintorn in #894.
+Allow to build with mingw x86_64. Submitted by Rustam + Abdullaev in #135.
+Introduce the new forwarding type 'forward-webserver'. + Currently it is only supported by the forward-override{} action + and there's no config directive with the same name. The + forwarding type is similar to 'forward', but the request line + only contains the path instead of the complete URL.
+The CGI editor no longer treats 'standard.action' special. + Nowadays the official "standards" are part of default.action and + there's no obvious reason to disallow editing them through the + cgi editor anyway (if the user decided that the lack of + authentication isn't an issue in her environment).
+Improved error messages when rejecting intercepted requests + with unknown destination.
+A couple of log messages now include the number of active + threads.
+Removed non-standard Proxy-Agent headers in HTTP snipplets to + make testing more convenient.
+Include the error code for pcre errors Privoxy does not + recognize.
+Config directives with numerical arguments are checked more + carefully.
+Privoxy's malloc() wrapper has been changed to prevent + zero-size allocations which should only occur as the result of + bugs.
+Various cosmetic changes.
+Action file improvements:
+ +Unblock ".deutschlandradiokultur.de/". Reported by u302320 in + #924.
+Add two fast-redirect exceptions for "yandex.ru".
+Disable filter{banners-by-size} for ".plasmaservice.de/".
+Unblock klikki.fi/adv/.
+Block requests for "resources.infolinks.com/". Reported by + "Black Rider" on ijbswa-users@.
+Block a bunch of criteo domains. Reported by Black Rider.
+Block "abs.proxistore.com/abe/". Reported by Black Rider.
+Disable filter{banners-by-size} for + ".black-mosquito.org/".
+Disable fast-redirects for "disqus.com/".
+Documentation improvements:
+ +FAQ: Explicitly point fingers at ASUS as an example of a + company that has been reported to force malware based on Privoxy + upon its customers.
+Correctly document the action type for a bunch of + "multi-value" actions that were incorrectly documented to be + "parameterized". Reported by Gregory Seidman on + ijbswa-users@.
+Fixed the documented type of the forward-override{} action + which is obviously 'parameterized'.
+Website improvements:
+ +Users who don't trust binaries served by SourceForge can get + them from a mirror. Migrating away from SourceForge is planned + for 2016 (TODO list item #53).
+The website is now available as onion service + (http://jvauzb4sb3bwlsnc.onion/).
+A quick list of things to be aware of before upgrading from earlier + versions of Privoxy:
+ +The recommended way to upgrade Privoxy is to backup your old configuration + files, install the new ones, verify that Privoxy is working correctly and finally merge + back your changes using diff and + maybe patch.
+ +There are a number of new features in each Privoxy release and most of them have to be + explicitly enabled in the configuration files. Old configuration + files obviously don't do that and due to syntax changes using old + configuration files with a new Privoxy isn't always possible anyway.
+Note that some installers remove earlier versions completely, + including configuration files, therefore you should really save any + important configuration files!
+On the other hand, other installers don't overwrite existing + configuration files, thinking you will want to do that + yourself.
+In the default configuration only fatal errors are logged now. + You can change that in the debug + section of the configuration file. You may also want to enable + more verbose logging until you verified that the new Privoxy version is working as expected.
+Three other config file settings are now off by default: + enable-remote-toggle, + enable-remote-http-toggle, + and enable-edit-actions. If you + use or want these, you will need to explicitly enable them, and be + aware of the security issues involved.
+