From 749db28d4a6a277a6e5cefe50088d79d9529d970 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Tue, 7 Dec 2021 15:32:49 +0100 Subject: [PATCH] Update smgl ChangeLog --- doc/source/changelog.sgml | 251 +++++++++++++++++++++++--------------- 1 file changed, 152 insertions(+), 99 deletions(-) diff --git a/doc/source/changelog.sgml b/doc/source/changelog.sgml index c6d086e1..f5d26c86 100644 --- a/doc/source/changelog.sgml +++ b/doc/source/changelog.sgml @@ -35,6 +35,45 @@ + + + Security/Reliability: + + + + cgi_error_no_template(): Encode the template name to prevent + XSS (cross-side scripting) when Privoxy is configured to servce + the user-manual itself. + Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543. + Reported by: Artem Ivanov + + + + + get_url_spec_param(): Free memory of compiled pattern spec + before bailing. + Reported by Joshua Rogers (Opera) who also provided the fix. + Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540. + + + + + process_encrypted_request_headers(): Free header memory when + failing to get the request destination. + Reported by Joshua Rogers (Opera) who also provided the fix. + Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541. + + + + + send_http_request(): Prevent memory leaks when handling errors + Reported by Joshua Rogers (Opera) who also provided the fix. + Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542. + + + + + Bug fixes: @@ -65,14 +104,6 @@ Closes: SF patch request #147. Patch by Maxim Antonov. - - - Establish the TLS connection with the client earlier and decide - how to route the request afterwards. This allows to change the - forwarding settings based on information from the https-inspected - request, for example the path. - - Adjust build_request_line() to create a CONNECT request line when 
@@ -84,6 +115,19 @@ load_config(): Add a space that was missing in a log message. + + + + read_http_request_body(): Fix two error messages that used an + incorrect variable. + + + + + If the the response is chunk-encoded, ignore the Content-Length + header sent by the server. + Allows to load https://redmine.lighttpd.net/ with filtering enabled. + 
@@ -94,87 +138,107 @@ - serve(): Close the client socket as well if the server socket - for an inspected connection has been closed. Privoxy currently - can't establish a new server connection when the client socket - is reused and would drop the connection in continue_https_chat() - anyway. + Allow to edit the add-header action through the CGI editor by + generalizing the code that got added with the suppress-tag action. + Closes SF patch request #146. Patch by Maxim Antonov. - Don't disable redirect checkers in redirect_url() - Disable them in handle_established_connection() instead. - Doing it in redirect_url() prevented the +redirect{} and - +fast-redirects{} actions from being logged with LOG_LEVEL_ACTIONS. + Add a CGI handler for /wpad.dat that returns a + Proxy Auto-Configuration (PAC) file. + Among other things, it can be used to instruct clients + through DHCP to use Privoxy as proxy. + For example with the dnsmasq option: + dhcp-option=252,http://config.privoxy.org/wpad.dat + Initial patch by Richard Schneidt. - handle_established_connection(): Slightly improve a comment + Don't log the applied actions in process_encrypted_request() + Log them in continue_https_chat() instead to mirror chat(). + Prevents the applied actions from getting logged twice + for the first request on an https-inspected connection. - handle_established_connection(): Fix a comment + OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name + Org and Org Unit if the real host name is too long to get accepted by OpenSSL. + Clients should only care about the Subject Alternative Name + anyway and we can continue to use the real host name for it. + Reported by Miles Wen on privoxy-users@. - socks5_connect(): Fix indentation. + Establish the TLS connection with the client earlier and decide + how to route the request afterwards. This allows to change the + forwarding settings based on information from the https-inspected + request, for example the path. 
- handle_established_connection(): Improve an error message + listen_loop(): When shutting down gracefully, close listening ports + before waiting for the threads to exit. Allows to start a second + Privoxy with the same config file while the first Privoxy is still + running. - create_pattern_spec(): Fix ifdef indentation + serve(): Close the client socket as well if the server socket + for an inspected connection has been closed. Privoxy currently + can't establish a new server connection when the client socket + is reused and would drop the connection in continue_https_chat() + anyway. - Fix comment typos + Don't disable redirect checkers in redirect_url(). + Disable them in handle_established_connection() instead. + Doing it in redirect_url() prevented the +redirect{} and + +fast-redirects{} actions from being logged with LOG_LEVEL_ACTIONS. - Add a CGI handler for /wpad.dat that returns a - Proxy Auto-Configuration (PAC) file. - Among other things, it can be used to instruct clients - through DHCP to use Privoxy as proxy. - For example with the dnsmasq option: - dhcp-option=252,http://config.privoxy.org/wpad.dat - Initial patch by Richard Schneidt. + handle_established_connection(): Slightly improve a comment. - listen_loop(): When shutting down gracefully, close listening ports - before waiting for the threads to exit. - Allows to start a second Privoxy with the same config file - while the first Privoxy is still running. + handle_established_connection(): Fix a comment. - Allow to edit the add-header action through the CGI editor by - generalizing the code that got added with the suppress-tag action. - Closes SF patch request #146. Patch by Maxim Antonov. + socks5_connect(): Fix indentation. - process_encrypted_request(): Improve a log message - The function only processes request headers and there - may still be unread request body data left to process. + handle_established_connection(): Improve an error message. 
- read_http_request_body(): Fix two error messages that used an incorrect variable. + create_pattern_spec(): Fix ifdef indentation. + + + + + Fix comment typos. + + + + + process_encrypted_request(): Improve a log message. + The function only processes request headers and there + may still be unread request body data left to process. @@ -189,7 +253,7 @@ - receive_encrypted_request_headers(): Improve a log message + receive_encrypted_request_headers(): Improve a log message. @@ -204,16 +268,10 @@ - Remove compiler warnings. "log_error(LOG_LEVEL_FATAL, ..." doesn't return - but apparently the compiler doesn't know that. - Get rid of several "this statement may fall through [-Wimplicit-fallthrough=]" warnings. - - - - - If the the response is chunk-encoded, ignore the Content-Length - header sent by the server. - Allows to load https://redmine.lighttpd.net/ with filtering enabled. + Remove compiler warnings. "log_error(LOG_LEVEL_FATAL, ..." + doesn't return but apparently the compiler doesn't know that. + Get rid of several "this statement may fall through + [-Wimplicit-fallthrough=]" warnings. @@ -226,23 +284,6 @@ Reported by: Wen Yue - - - Don't log the applied actions in process_encrypted_request() - Log them in continue_https_chat() instead to mirror chat(). - Prevents the applied actions from getting logged twice - for the first request on an https-inspected connection. - - - - - OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name - Org and Org Unit if the real host name is too long to get accepted by OpenSSL. - Clients should only care about the Subject Alternative Name - anyway and we can continue to use the real host name for it. - Reported by Miles Wen on privoxy-users@. - - OpenSSL generate_host_certificate(): Fix two error messsages. 
@@ -287,22 +328,22 @@ - Disable fast-redirects for .zeit.de/zustimmung + Disable fast-redirects for .zeit.de/zustimmung. - Unblock adv-archiv.dfn-cert.de/ + Unblock adv-archiv.dfn-cert.de/. - Block requests to eu-tlp01.kameleoon.eu/ + Block requests to eu-tlp01.kameleoon.eu/. - Block requests to fpa-events.arstechnica.com/ + Block requests to fpa-events.arstechnica.com/. 
@@ -324,73 +365,72 @@ - Highlight 'Socket timeout 3 reached: http://127.0.0.1:20000/no-filter/chunked-content/36' + Highlight 'Socket timeout 3 reached: http://127.0.0.1:20000/no-filter/chunked-content/36'. - Improve documentation for inactivity-detection mode + Improve documentation for inactivity-detection mode. - Detect date changes when looking for inactivity + Detect date changes when looking for inactivity. Add a --passed-request-statistics-threshold option - That can be set to get statistics for requests that + that can be set to get statistics for requests that were passed. - Add a "inactivity detection" mode - Which can be useful for debugging purposes. + Add a "inactivity detection" mode which can be useful + for debugging purposes. - Bump version to 0.9.4 + Bump version to 0.9.4. - Only run print_intro() and print_outro() when syntax highlighting + Only run print_intro() and print_outro() when syntax highlighting. - Rephrase a sentence in the documentation + Rephrase a sentence in the documentation. - Highlight 'Client socket 7 is no longer usable. The server socket has been closed.' + Highlight 'Client socket 7 is no longer usable. The server socket has been closed.'. - Clarify --statistics output - by explicitly mentioning that the status codes - sent by the server may differ from the ones in - "debug 512" messages. + Clarify --statistics output by explicitly mentioning that + the status codes sent by the server may differ from the ones + in "debug 512" messages. - Fix typo in the --statistics output + Fix typo in the --statistics output. - Remove an unused variable + Remove an unused variable. - Highlight 'The peer notified us that the connection on socket 11 is going to be closed' + Highlight 'The peer notified us that the connection on socket 11 is going to be closed'. 
@@ -446,17 +486,17 @@ - Bump generated Firefox version to 91 (ESR) + Bump generated Firefox version to 91 (ESR). - Bump version to 1.2.3 + Bump version to 1.2.3. - Bump copyright + Bump copyright. @@ -478,8 +518,8 @@ - configure: Add another warning in case --disable-pthread is used - while POSIX threads are available. + configure: Add another warning in case --disable-pthread + is used while POSIX threads are available. Various features don't even compile when not using threads. @@ -500,7 +540,7 @@ - Bump copyright + Bump copyright. @@ -515,7 +555,7 @@ - configure: Remove obsolete RPM_BASE check + configure: Remove obsolete RPM_BASE check. @@ -543,6 +583,19 @@ + + + macOS build system: + + + + The OSXPackageBuilder repository has been updated and + can be used to create macOS packages again. + + + + + Documentation: @@ -595,7 +648,7 @@ Update TODO list item #184 to note that WolfSSL support will - (hopefully) appear after the 3.0.34 release + (hopefully) appear after the 3.0.34 release. @@ -609,7 +662,7 @@ Add a warning that the socket-timeout does not apply - to operations done by TLS libraries + to operations done by TLS libraries. -- 2.39.2
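Review bot: In the first hunk (@@ -35,6 +35,45 @@) the cgi_error_no_template() entry expands XSS as "cross-side scripting" and says "configured to servce the user-manual"; these should read "cross-site scripting" and "serve". The attribution style also differs within the same list: "Reported by: Artem Ivanov" has a colon and follows the commit/OVE/CVE line, while the three "Reported by Joshua Rogers (Opera)" lines have no colon and precede it. The send_http_request() line "Prevent memory leaks when handling errors" is missing the terminating period this patch adds elsewhere, and it is less specific about the failing path than the other two leak entries ("before bailing", "when failing to get the request destination"). Since readers will find these entries by CVE id, naming the error path there would help.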
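Review bot: In the @@ -84,6 +115,19 @@ hunk the moved entry still reads "If the the response is chunk-encoded", so the doubled "the" is carried into its new position; fix it as part of the move. The entry also gives only the compatibility motivation ("Allows to load https://redmine.lighttpd.net/ with filtering enabled") and does not say whether the Content-Length header is merely ignored when determining the body length or also dropped from what is passed on to the client. One clause stating which would make the behaviour change clear to people auditing the release.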
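Review bot: The @@ -94,87 +138,107 @@ hunk applies the new terminating-period style unevenly. "Don't disable redirect checkers in redirect_url()." gains a period, but the moved entry "Don't log the applied actions in process_encrypted_request()" still has none and runs straight into "Log them in continue_https_chat() instead". Likewise "Use config.privoxy.org as Common Name Org and Org Unit" reads as one name because the separator after "Common Name" is missing. This hunk also mixes reordering of whole entries with punctuation edits, which makes it hard to confirm that no entry was dropped or altered in the move. Splitting the reorder and the punctuation pass into separate commits would make both verifiable.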
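Review bot: In the @@ -287,22 +328,22 @@ hunk the added periods land directly after URL patterns, giving ".zeit.de/zustimmung.", "adv-archiv.dfn-cert.de/.", "eu-tlp01.kameleoon.eu/." and "fpa-events.arstechnica.com/.". A reader copying a pattern from the ChangeLog cannot tell whether the trailing dot belongs to it. Either leave these entries without a period or wrap the pattern in markup or quotes so the sentence punctuation sits outside it.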
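Review bot: In the @@ -324,73 +365,72 @@ hunk, appending a period to entries that end in a quoted log message produces awkward sequences such as "The server socket has been closed.'." and a period glued to the quoted URL in "Highlight 'Socket timeout 3 reached: http://127.0.0.1:20000/no-filter/chunked-content/36'.". Consider leaving the quoted-message entries unpunctuated or rephrasing them so the quote is not the last token. The reflowed line "Add a "inactivity detection" mode which can be useful" should also read "an "inactivity detection" mode" now that the sentence is being touched anyway.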