From: Fabian Keil Date: Sun, 17 Jan 2016 14:30:54 +0000 (+0000) Subject: Add ChangeLog for 3.0.24 stable X-Git-Tag: v_3_0_24~24 X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff_plain;h=8db6b1f74e42dd25840d167a8b8799e4fc010dfb Add ChangeLog for 3.0.24 stable --- diff --git a/ChangeLog b/ChangeLog index ac48d503..dd554db7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,122 @@ -------------------------------------------------------------------- ChangeLog for Privoxy -------------------------------------------------------------------- +*** Version 3.0.24 stable *** + +- Security fixes (denial of service): + - Prevent invalid reads in case of corrupt chunk-encoded content. + Bug discovered with afl-fuzz and AddressSanitizer. + - Remove empty Host headers in client requests. + Previously they would result in invalid reads. + Bug discovered with afl-fuzz and AddressSanitizer. + +- Bug fixes: + - When using socks5t, send the request body optimistically as well. + Previously the request body wasn't guaranteed to be sent at all + and the error message incorrectly blamed the server. + Fixes #1686 reported by Peter Müller and G4JC. + - Fixed buffer scaling in execute_external_filter() that could lead + to crashes. Submitted by Yang Xia in #892. + - Fixed crashes when executing external filters on platforms like + Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@ + - Properly parse ACL directives with ports when compiled with HAVE_RFC2553. + Previously the port wasn't removed from the host and in case of + 'permit-access 127.0.0.1 example.org:80' Privoxy would try (and fail) + to resolve "example.org:80" instead of example.org. + Reported by Pak Chan on ijbswa-users@. + - Check requests more carefully before serving them forcefully + when blocks aren't enforced. Privoxy always adds the force token + at the beginning of the path, but would previously accept it anywhere + in the request line. This could result in requests being served that + should be blocked. For example in case of pages that were loaded with + force and contained JavaScript to create additionally requests that + embed the origin URL (thus inheriting the force prefix). + The bug is not considered a security issue and the fix does not make + it harder for remote sites to intentionally circumvent blocks if + Privoxy isn't configured to enforce them. + Fixes #1695 reported by Korda. + - Normalize the request line in intercepted requests to make rewriting + the destination more convenient. Previously rewrites for intercepted + requests were expected to fail unless $hostport was being used, but + they failed "the wrong way" and would result in an out-of-memory + message (vanilla host patterns) or a crash (extended host patterns). + Reported by "Guybrush Threepwood" in #1694. + - Enable socket lingering for the correct socket. + Previously it was repeatedly enabled for the listen socket + instead of for the accepted socket. The bug was found by + code inspection and did not cause any (reported) issues. + - Detect and reject parameters for parameter-less actions. + Previously they were silently ignored. + - Fixed invalid reads in internal and outdated pcre code. + Found with afl-fuzz and AddressSanitizer. + - Prevent invalid read when loading invalid action files. + Found with afl-fuzz and AddressSanitizer. + - Windows build: Use the correct function to close the event handle. + It's unclear if this bug had a negative impact on Privoxy's behaviour. + Reported by Jarry Xu in #891. + - In case of invalid forward-socks5(t) directives, use the + correct directive name in the error messages. Previously they + referred to forward-socks4t failures. + Reported by Joel Verhagen in #889. + +- General improvements: + - Set NO_DELAY flag for the accepting socket. This significantly reduces + the latency if the operating system is not configured to set the flag + by default. Reported by Johan Sintorn in #894. + - Allow to build with mingw x86_64. Submitted by Rustam Abdullaev in #135. + - Introduce the new forwarding type 'forward-webserver'. + Currently it is only supported by the forward-override{} action and + there's no config directive with the same name. The forwarding type + is similar to 'forward', but the request line only contains the path + instead of the complete URL. + - The CGI editor no longer treats 'standard.action' special. + Nowadays the official "standards" are part of default.action + and there's no obvious reason to disallow editing them through + the cgi editor anyway (if the user decided that the lack of + authentication isn't an issue in her environment). + - Improved error messages when rejecting intercepted requests + with unknown destination. + - A couple of log messages now include the number of active threads. + - Removed non-standard Proxy-Agent headers in HTTP snipplets + to make testing more convenient. + - Include the error code for pcre errors Privoxy does not recognize. + - Config directives with numerical arguments are checked more carefully. + - Privoxy's malloc() wrapper has been changed to prevent zero-size + allocations which should only occur as the result of bugs. + - Various cosmetic changes. + +- Action file improvements: + - Unblock ".deutschlandradiokultur.de/". + Reported by u302320 in #924. + - Add two fast-redirect exceptions for "yandex.ru". + - Disable filter{banners-by-size} for ".plasmaservice.de/". + - Unblock klikki.fi/adv/. + - Block requests for "resources.infolinks.com/". + Reported by "Black Rider" on ijbswa-users@. + - Block a bunch of criteo domains. + Reported by Black Rider. + - Block "abs.proxistore.com/abe/". + Reported by Black Rider. + - Disable filter{banners-by-size} for ".black-mosquito.org/". + - Disable fast-redirects for "disqus.com/". + +- Documentation improvements: + - FAQ: Explicitly point fingers at ASUS as an example of a + company that has been reported to force malware based on + Privoxy upon its customers. + - Correctly document the action type for a bunch of "multi-value" + actions that were incorrectly documented to be "parameterized". + Reported by Gregory Seidman on ijbswa-users@. + - Fixed the documented type of the forward-override{} action + which is obviously 'parameterized'. + +- Website improvements: + - Users who don't trust binaries served by SourceForge + can get them from a mirror. Migrating away from SourceForge + is planned for 2016 (TODO list item #53). + - The website is now available as onion service + (http://jvauzb4sb3bwlsnc.onion/). + *** Version 3.0.23 stable *** - Bug fixes: