From: Fabian Keil Date: Fri, 27 May 2016 15:24:51 +0000 (+0000) Subject: Update changelog.sgml for 3.0.25 beta X-Git-Tag: v_3_0_25~4 X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff_plain;h=96db4df3378c7105293a112b7a73b1de55fa5cf3 Update changelog.sgml for 3.0.25 beta --- diff --git a/doc/source/changelog.sgml b/doc/source/changelog.sgml index 913f2416..5275152e 100644 --- a/doc/source/changelog.sgml +++ b/doc/source/changelog.sgml @@ -3,7 +3,7 @@ Purpose : Entity included in other project documents. - $Id: changelog.sgml,v 2.17 2016/05/03 13:22:13 fabiankeil Exp $ + $Id: changelog.sgml,v 2.18 2016/05/27 15:23:56 fabiankeil Exp $ Copyright (C) 2013-2016 Privoxy Developers https://www.privoxy.org/ See LICENSE. @@ -21,34 +21,35 @@ --> - Privoxy 3.0.24 stable contains a couple - of new features but is mainly a bug-fix release. Two of the fixed - bugs are security issues and may be used to remotely trigger crashes - on platforms that carefully check memory accesses (most don't). + Privoxy 3.0.25 beta introduces client-based + tags and includes a couple of minor improvements. It will be followed + by a stable release in the near future. - - - Security fixes (denial of service): + Bug fixes: - Prevent invalid reads in case of corrupt chunk-encoded content. - CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer. + Always use the current toggle state for new requests. + Previously new requests on reused connections inherited + the toggle state from the previous request even though + the toggle state could have changed. + Reported by Robert Klemme. - Remove empty Host headers in client requests. - Previously they would result in invalid reads. CVE-2016-1983. - Bug discovered with afl-fuzz and AddressSanitizer. + Fixed two buffer-overflows in the (deprecated) static + pcre code. These bugs are not considered security issues + as the input is trusted. + Found with afl-fuzz and ASAN. @@ -56,101 +57,91 @@ - Bug fixes: + General improvements: - When using socks5t, send the request body optimistically as well. - Previously the request body wasn't guaranteed to be sent at all - and the error message incorrectly blamed the server. - Fixes #1686 reported by Peter Müller and G4JC. - - - - - Fixed buffer scaling in execute_external_filter() that could lead - to crashes. Submitted by Yang Xia in #892. + Added support for client-specific tags which allow Privoxy + admins to pre-define tags that are set for all requests from + clients that previously opted in through the CGI interface. + They are useful in multi-user setups where admins may + want to allow users to disable certain actions and filters + for themselves without affecting others. + In single-user setups they are useful to allow more fine-grained + toggling. For example to disable request blocking while still + crunching cookies, or to disable experimental filters only. + This is an experimental feature, the syntax and behaviour may + change in future versions. + Sponsored by Robert Klemme. - Fixed crashes when executing external filters on platforms like - Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@. + Dynamic filters and taggers now support a $listen-address variable + which contains the address the request came in on. + For external filters the variable is called $PRIVOXY_LISTEN_ADDRESS. + Original patch contributed by pursievro. - Properly parse ACL directives with ports when compiled with HAVE_RFC2553. - Previously the port wasn't removed from the host and in case of - 'permit-access 127.0.0.1 example.org:80' Privoxy would try (and fail) - to resolve "example.org:80" instead of example.org. - Reported by Pak Chan on ijbswa-users@. + Add client-header-tagger 'listen-address'. - Check requests more carefully before serving them forcefully - when blocks aren't enforced. Privoxy always adds the force token - at the beginning of the path, but would previously accept it anywhere - in the request line. This could result in requests being served that - should be blocked. For example in case of pages that were loaded with - force and contained JavaScript to create additionally requests that - embed the origin URL (thus inheriting the force prefix). - The bug is not considered a security issue and the fix does not make - it harder for remote sites to intentionally circumvent blocks if - Privoxy isn't configured to enforce them. - Fixes #1695 reported by Korda. + Include the listen-address in the log message when logging new requests. + Patch contributed by pursievro. - Normalize the request line in intercepted requests to make rewriting - the destination more convenient. Previously rewrites for intercepted - requests were expected to fail unless $hostport was being used, but - they failed "the wrong way" and would result in an out-of-memory - message (vanilla host patterns) or a crash (extended host patterns). - Reported by "Guybrush Threepwood" in #1694. + Turn invalid max-client-connections values into fatal errors. - Enable socket lingering for the correct socket. - Previously it was repeatedly enabled for the listen socket - instead of for the accepted socket. The bug was found by - code inspection and did not cause any (reported) issues. + The show-status page now shows whether or not dates before 1970 + and after 2038 are expected to be handled properly. + This is mainly useful for Privoxy-Regression-Test but could + also come handy when dealing with time-related support requests. - Detect and reject parameters for parameter-less actions. - Previously they were silently ignored. + On Mac OS X the thread id in log messages are more likely to + be unique now. - Fixed invalid reads in internal and outdated pcre code. - Found with afl-fuzz and AddressSanitizer. + When complaining about missing filters, the filter type is logged + as well. - Prevent invalid read when loading invalid action files. - Found with afl-fuzz and AddressSanitizer. + A couple of harmless coverity warnings were silenced + (CID #161202, CID #161203, CID #161211). - + + + + + + + Action file improvements: + - Windows build: Use the correct function to close the event handle. - It's unclear if this bug had a negative impact on Privoxy's behaviour. - Reported by Jarry Xu in #891. + Filtering is disabled for Range requests to let download resumption + and Windows updates work with the default configuration. - In case of invalid forward-socks5(t) directives, use the - correct directive name in the error messages. Previously they - referred to forward-socks4t failures. - Reported by Joel Verhagen in #889. + Unblock ".ardmediathek.de/". + Reported by ThTomate in #932. @@ -158,130 +149,135 @@ - General improvements: + Documentation improvements: - Set NO_DELAY flag for the accepting socket. This significantly reduces - the latency if the operating system is not configured to set the flag - by default. Reported by Johan Sintorn in #894. + Add FAQ entry for crashes caused by memory limits. - Allow to build with mingw x86_64. Submitted by Rustam Abdullaev in #135. + Remove obsolete FAQ entry about a bug in PHP 4.2.3. - Introduce the new forwarding type 'forward-webserver'. - Currently it is only supported by the forward-override{} action and - there's no config directive with the same name. The forwarding type - is similar to 'forward', but the request line only contains the path - instead of the complete URL. + Mention the new mailing lists were appropriate. + As the archives have not been migrated, continue to + mention the archives at SF in the contacting section + for now. - The CGI editor no longer treats 'standard.action' special. - Nowadays the official "standards" are part of default.action - and there's no obvious reason to disallow editing them through - the cgi editor anyway (if the user decided that the lack of - authentication isn't an issue in her environment). + Note that the templates should be adjusted if Privoxy is + running as intercepting proxy without getting all requests. - Improved error messages when rejecting intercepted requests - with unknown destination. + A bunch of links were converted to https://. - A couple of log messages now include the number of active threads. + Rephrase onion service paragraph to make it more obvious + that Tor is involved and that the whole website (and not + just the homepage) is available as onion service. - Removed non-standard Proxy-Agent headers in HTTP snipplets - to make testing more convenient. + Streamline the "More information" section on the homepage further + by additionally ditching the link to the 'See also' section + of the user manual. The section contains mostly links that are + directly reachable from the homepage already and the rest is + not significant enough to get a link from the homepage. - Include the error code for pcre errors Privoxy does not recognize. + Change the add-header{} example to set the DNT header + and use a complete section to make copy and pasting + more convenient. + Add a comment to make it obvious that adding the + header is not recommended for obvious reasons. + Using the DNT header as example was suggested by + Leo Wzukw. - Config directives with numerical arguments are checked more carefully. + Streamline the support-and-service template + Instead of linking to the various support trackers + (whose URLs hopefully change soon), link to the + contact section of the user manual to increase the + chances that users actually read it. - Privoxy's malloc() wrapper has been changed to prevent zero-size - allocations which should only occur as the result of bugs. + Add a FAQ entry for tainted sockets. - Various cosmetic changes. + More sections in the documentation have stable URLs now. - - - - - - - Action file improvements: - + - Unblock ".deutschlandradiokultur.de/". - Reported by u302320 in #924. + FAQ: Explain why 'ping config.privoxy.org' is not expected + to reach a local Privoxy installation. - Add two fast-redirect exceptions for "yandex.ru". + Note that donations done through Zwiebelfreunde e.V. currently + can't be checked automatically. - Disable filter{banners-by-size} for ".plasmaservice.de/". + Updated section regarding starting Privoxy under OS X. - Unblock "klikki.fi/adv/". + Use dedicated start instructions for FreeBSD and ElectroBSD. - Block requests for "resources.infolinks.com/". - Reported by "Black Rider" on ijbswa-users@. + Removed release instructions for AIX. They haven't been working + for years and unsurprisingly nobody seems to care. - Block a bunch of criteo domains. - Reported by Black Rider. + Removed obsolete reference to the solaris-dist target. - Block "abs.proxistore.com/abe/". - Reported by Black Rider. + Updated the release instructions for FreeBSD. - Disable filter{banners-by-size} for ".black-mosquito.org/". + Removed unfinished release instructions for Amiga OS and HP-UX 11. - Disable fast-redirects for "disqus.com/". + Added a pointer to the Cygwin Time Machine for getting the last release of + Cygwin version 1.5 to use for building Privoxy on Windows. + + + + + Various typos have been fixed. @@ -289,26 +285,110 @@ - Documentation improvements: + Infrastructure improvements: + + + + The website is no longer hosted at SourceForge and + can be reached through https now. + + + + + The mailing lists at SourceForge have been deprecated, + you can subscribe to the new ones at: https://lists.privoxy.org/ + + + + + Migrating the remaining services from SourceForge is + work in progress (TODO list item #53). + + + + + + + + Build system improvements: - FAQ: Explicitly point fingers at ASUS as an example of a - company that has been reported to force malware based on - Privoxy upon its customers. + Add configure argument to optimistically redefine FD_SETSIZE + with the intent to change the maximum number of client + connections Privoxy can handle. Only works with some libcs. + Sponsored by Robert Klemme. + + + + + Let the tarball-dist target skip files in ".git". - Correctly document the action type for a bunch of "multi-value" - actions that were incorrectly documented to be "parameterized". - Reported by Gregory Seidman on ijbswa-users@. + Let the tarball-dist target work in cwds other than current. - Fixed the documented type of the forward-override{} action - which is obviously 'parameterized'. + Make the 'clean' target faster when run from a git repository. + + + + + Include tools in the generic distribution. + + + + + Let the gen-dist target work in cwds other than current. + + + + + Sort find output that is used for distribution tarballs + to get reproducible results. + + + + + Don't add '-src' to the name of the tar ball generated by the + gen-dist target. The package isn't a source distribution but a + binary package. + While at it, use a variable for the name to reduce the chances + that the various references get out of sync and fix the gen-upload + target which was looking in the wrong directory. + + + + + Add regression-tests.action to the files that are distributed. + + + + + The gen-dist target which was broken since 2002 (r1.92) has been fixed. + + + + + Remove genclspec.sh which has been obsolete since 2009. + + + + + Remove obsolete reference to Redhat spec file. + + + + + Remove the obsolete announce target which has been commented out years ago. + + + + + Let rsync skip files if the checksums match. @@ -316,19 +396,45 @@ - Website improvements: + Privoxy-Regression-Test: - Users who don't trust binaries served by SourceForge - can get them from a mirror. Migrating away from SourceForge - is planned for 2016 (TODO list item #53). + Add a "Default level offset" directive which can be used to + change the default level by a given value. + This directive affects all tests located after it until the end + of the file or a another "Default level offset" directive is reached. + The purpose of this directive is to make it more convenient to skip + similar tests in a given file without having to remove or disable + the tests completely. + + + + + Let test level 17 depend on FEATURE_64_BIT_TIME_T + instead of FEATURE_PTHREAD which has no direct connection + to the time_t size. + + + + + Fix indentation in perldoc examples. + + + + + Don't overlook directives in the first line of the action file. + + + + + Bump version to 0.7. - The website is now available as onion service - (http://jvauzb4sb3bwlsnc.onion/). + Fix detection of the Privoxy version now that https:// + is used for the website.