From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 7 Mar 2013 14:11:11 +0000 (+0000)
Subject: Add ChangeLog entry for enable-proxy-authentication-forwarding
X-Git-Tag: v_3_0_21~5
X-Git-Url: http://www.privoxy.org/gitweb/@default-cgi@/static/developer-manual/@default-cgi@toggle?a=commitdiff_plain;h=d00498028d389a06ccbcc099b0c2e2aa3a60b32e;p=privoxy.git

Add ChangeLog entry for enable-proxy-authentication-forwarding
---

diff --git a/ChangeLog b/ChangeLog
index 78b86d5e..5d1df9fd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,11 @@ ChangeLog for Privoxy
     values above FD_SETSIZE are properly rejected. Previously they
     could cause memory corruption in configurations that allowed
     the limit to be reached.
+  - Proxy authentication headers are removed unless the new directive
+    enable-proxy-authentication-forwarding is used. Forwarding the
+    headers potentionally allows malicious sites to trick the user
+    into providing it with login information.
+    Reported by Chris John Riley.
   - Compiles on OS/2 again now that unistd.h is only included
     on platforms that have it.
 
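Review bot: "potentionally" in the added entry is a typo for "potentially", and "providing it with login information" does not agree with the plural "malicious sites". Suggest "Forwarding the headers potentially allows malicious sites to trick the user into providing them with login information." Since the headers are now removed unless the directive is set, the entry could also say outright that this changes the default, so setups that depend on forwarding these headers know they need enable-proxy-authentication-forwarding after upgrading.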
diff --git a/doc/source/changelog.sgml b/doc/source/changelog.sgml
index e75d284f..9a07f275 100644
--- a/doc/source/changelog.sgml
+++ b/doc/source/changelog.sgml
@@ -3,7 +3,7 @@
 
  Purpose     :  Entity included in other project documents.
 
- $Id: changelog.sgml,v 2.3 2013/03/02 14:40:18 fabiankeil Exp $
+ $Id: changelog.sgml,v 2.4 2013/03/03 11:25:16 fabiankeil Exp $
 
  Copyright (C) 2013 Privoxy Developers http://www.privoxy.org/
  See LICENSE.
@@ -22,9 +22,8 @@
 
 <para>
  <application>Privoxy 3.0.21</application> stable is a bug-fix release
- for Privoxy 3.0.20 beta. It also addresses a security issue that affects
- all previous Privoxy versions (on some platforms). The changes since
- 3.0.20 beta are:
+ for Privoxy 3.0.20 beta. It also addresses two security issues that
+ affect all previous Privoxy versions. The changes since 3.0.20 beta are:
 </para>
 
 <!--
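Review bot: the rewritten sentence drops the "(on some platforms)" qualifier and now says both security issues "affect all previous Privoxy versions", which overstates the first one. The FD_SETSIZE entry in the ChangeLog limits that issue to "configurations that allowed the limit to be reached". Consider keeping a qualifier for it, or wording the sentence so the "all previous versions" claim applies only to the issue it is true for.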
@@ -44,6 +43,15 @@
       the limit to be reached.
      </para>
     </listitem>
+    <listitem>
+     <para>
+      Proxy authentication headers are removed unless the new directive
+      enable-proxy-authentication-forwarding is used. Forwarding the
+      headers potentionally allows malicious sites to trick the user
+      into providing it with login information.
+      Reported by Chris John Riley.
+     </para>
+    </listitem>
     <listitem>
      <para>
       Compiles on OS/2 again now that unistd.h is only included
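Review bot: the new listitem repeats the ChangeLog wording and carries the same two problems, "potentionally" for "potentially" and the singular "it" referring to "malicious sites". Both should be fixed here as well so the generated documentation matches. The directive name enable-proxy-authentication-forwarding is also plain text inside the para. This file already uses inline markup such as the application element for Privoxy, so wrapping the directive in an inline element such as literal would make it stand out as a config keyword.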