--------------------------------------------------------------------
ChangeLog for Privoxy
--------------------------------------------------------------------
+*** Version 3.0.24 stable ***
+
+- Security fixes (denial of service):
+ - Prevent invalid reads in case of corrupt chunk-encoded content.
+ CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.
+ - Remove empty Host headers in client requests.
+ Previously they would result in invalid reads. CVE-2016-1983.
+ Bug discovered with afl-fuzz and AddressSanitizer.
+
+- Bug fixes:
+ - When using socks5t, send the request body optimistically as well.
+ Previously the request body wasn't guaranteed to be sent at all
+ and the error message incorrectly blamed the server.
+ Fixes #1686 reported by Peter Müller and G4JC.
+ - Fixed buffer scaling in execute_external_filter() that could lead
+ to crashes. Submitted by Yang Xia in #892.
+ - Fixed crashes when executing external filters on platforms like
+ Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@.
+ - Properly parse ACL directives with ports when compiled with HAVE_RFC2553.
+ Previously the port wasn't removed from the host and in case of
+ 'permit-access 127.0.0.1 example.org:80' Privoxy would try (and fail)
+ to resolve "example.org:80" instead of example.org.
+ Reported by Pak Chan on ijbswa-users@.
+ - Check requests more carefully before serving them forcefully
+ when blocks aren't enforced. Privoxy always adds the force token
+ at the beginning of the path, but would previously accept it anywhere
+ in the request line. This could result in requests being served that
+ should be blocked. For example in case of pages that were loaded with
+ force and contained JavaScript to create additionally requests that
+ embed the origin URL (thus inheriting the force prefix).
+ The bug is not considered a security issue and the fix does not make
+ it harder for remote sites to intentionally circumvent blocks if
+ Privoxy isn't configured to enforce them.
+ Fixes #1695 reported by Korda.
+ - Normalize the request line in intercepted requests to make rewriting
+ the destination more convenient. Previously rewrites for intercepted
+ requests were expected to fail unless $hostport was being used, but
+ they failed "the wrong way" and would result in an out-of-memory
+ message (vanilla host patterns) or a crash (extended host patterns).
+ Reported by "Guybrush Threepwood" in #1694.
+ - Enable socket lingering for the correct socket.
+ Previously it was repeatedly enabled for the listen socket
+ instead of for the accepted socket. The bug was found by
+ code inspection and did not cause any (reported) issues.
+ - Detect and reject parameters for parameter-less actions.
+ Previously they were silently ignored.
+ - Fixed invalid reads in internal and outdated pcre code.
+ Found with afl-fuzz and AddressSanitizer.
+ - Prevent invalid read when loading invalid action files.
+ Found with afl-fuzz and AddressSanitizer.
+ - Windows build: Use the correct function to close the event handle.
+ It's unclear if this bug had a negative impact on Privoxy's behaviour.
+ Reported by Jarry Xu in #891.
+ - In case of invalid forward-socks5(t) directives, use the
+ correct directive name in the error messages. Previously they
+ referred to forward-socks4t failures.
+ Reported by Joel Verhagen in #889.
+
+- General improvements:
+ - Set NO_DELAY flag for the accepting socket. This significantly reduces
+ the latency if the operating system is not configured to set the flag
+ by default. Reported by Johan Sintorn in #894.
+ - Allow to build with mingw x86_64. Submitted by Rustam Abdullaev in #135.
+ - Introduce the new forwarding type 'forward-webserver'.
+ Currently it is only supported by the forward-override{} action and
+ there's no config directive with the same name. The forwarding type
+ is similar to 'forward', but the request line only contains the path
+ instead of the complete URL.
+ - The CGI editor no longer treats 'standard.action' special.
+ Nowadays the official "standards" are part of default.action
+ and there's no obvious reason to disallow editing them through
+ the cgi editor anyway (if the user decided that the lack of
+ authentication isn't an issue in her environment).
+ - Improved error messages when rejecting intercepted requests
+ with unknown destination.
+ - A couple of log messages now include the number of active threads.
+ - Removed non-standard Proxy-Agent headers in HTTP snipplets
+ to make testing more convenient.
+ - Include the error code for pcre errors Privoxy does not recognize.
+ - Config directives with numerical arguments are checked more carefully.
+ - Privoxy's malloc() wrapper has been changed to prevent zero-size
+ allocations which should only occur as the result of bugs.
+ - Various cosmetic changes.
+
+- Action file improvements:
+ - Unblock ".deutschlandradiokultur.de/".
+ Reported by u302320 in #924.
+ - Add two fast-redirect exceptions for "yandex.ru".
+ - Disable filter{banners-by-size} for ".plasmaservice.de/".
+ - Unblock "klikki.fi/adv/".
+ - Block requests for "resources.infolinks.com/".
+ Reported by "Black Rider" on ijbswa-users@.
+ - Block a bunch of criteo domains.
+ Reported by Black Rider.
+ - Block "abs.proxistore.com/abe/".
+ Reported by Black Rider.
+ - Disable filter{banners-by-size} for ".black-mosquito.org/".
+ - Disable fast-redirects for "disqus.com/".
+
+- Documentation improvements:
+ - FAQ: Explicitly point fingers at ASUS as an example of a
+ company that has been reported to force malware based on
+ Privoxy upon its customers.
+ - Correctly document the action type for a bunch of "multi-value"
+ actions that were incorrectly documented to be "parameterized".
+ Reported by Gregory Seidman on ijbswa-users@.
+ - Fixed the documented type of the forward-override{} action
+ which is obviously 'parameterized'.
+
+- Website improvements:
+ - Users who don't trust binaries served by SourceForge
+ can get them from a mirror. Migrating away from SourceForge
+ is planned for 2016 (TODO list item #53).
+ - The website is now available as onion service
+ (http://jvauzb4sb3bwlsnc.onion/).
+
+*** Version 3.0.23 stable ***
+
+- Bug fixes:
+ - Fixed a DoS issue in case of client requests with incorrect
+ chunk-encoded body. When compiled with assertions enabled
+ (the default) they could previously cause Privoxy to abort().
+ Reported by Matthew Daley. CVE-2015-1380.
+ - Fixed multiple segmentation faults and memory leaks in the
+ pcrs code. This fix also increases the chances that an invalid
+ pcrs command is rejected as such. Previously some invalid commands
+ would be loaded without error. Note that Privoxy's pcrs sources
+ (action and filter files) are considered trustworthy input and
+ should not be writable by untrusted third-parties. CVE-2015-1381.
+ - Fixed an 'invalid read' bug which could at least theoretically
+ cause Privoxy to crash. So far, no crashes have been observed.
+ CVE-2015-1382.
+ - Compiles with --disable-force again. Reported by Kai Raven.
+ - Client requests with body that can't be delivered no longer
+ cause pipelined requests behind them to be rejected as invalid.
+ Reported by Basil Hussain.
+
+- General improvements:
+ - If a pcrs command is rejected as invalid, Privoxy now logs
+ the cause of the problem as text. Previously the pcrs error
+ code was logged.
+ - The tests are less likely to cause false positives.
+
+- Action file improvements:
+ - '.sify.com/' is no longer blocked. Apparently it is not actually
+ a pure tracking site (anymore?). Reported by Andrew on ijbswa-users@.
+ - Unblock banners on .amnesty.de/ which aren't ads.
+
+- Documentation improvements:
+ - The 'Would you like to donate?' section now also contains
+ a "Paypal" address.
+ - The list of supported operating systems has been updated.
+ - The existence of the SF support and feature trackers has been
+ deemphasized because they have been broken for months.
+ Most of the time the mailing lists still work.
+ - The claim that default.action updates are sometimes released
+ on their own has been removed. It hasn't happened in years.
+ - Explicitly mention that Tor's port may deviate from the default
+ when using a bundle. Requested by Andrew on ijbswa-users@.
+
*** Version 3.0.22 stable ***
- Bug fixes:
- - Actually show the FORCE_PREFIX value on the show-status page
+ - Fixed a memory leak when rejecting client connections due to
+ the socket limit being reached (CID 66382). This affected
+ Privoxy 3.0.21 when compiled with IPv6 support (on most
+ platforms this is the default). CVE-2015-1030.
+ - Fixed an immediate-use-after-free bug (CID 66394) and two
+ additional unconfirmed use-after-free complaints made by
+ Coverity scan (CID 66391, CID 66376). CVE-2015-1031.
+ - Actually show the FORCE_PREFIX value on the show-status page.
- Properly deal with Keep-Alive headers with timeout= parameters
If the timeout still can't be parsed, use the configured
timeout instead of preventing the client from keeping the
- Not using any filter files no longer results in warning messages
unless an action file is referencing header taggers or filters.
Reported by Stefan Kurtz in #3614835.
+ - Fixed a bug that prevented Privoxy from reusing some reusable
+ connections. Two bit masks with different purpose unintentionally
+ shared the same bit.
- A couple of additional bugs were discovered by Coverity Scan.
- The changes that are not expected to be user visible are not
- explicitly mentioned here, for details please have a look at
- the CVS logs.
+ The fixes that are not expected to affect users are not explicitly
+ mentioned here, for details please have a look at the CVS logs.
- General improvements:
- -Introduced negative tag patterns NO-REQUEST-TAG and NO-RESPONSE-TAG
- They apply if no matching tag is found after parsing client
- or server headers.
+ - Introduced negative tag patterns NO-REQUEST-TAG and NO-RESPONSE-TAG.
+ They apply if no matching tag is found after parsing client or
+ server headers.
- Add support for external filters which allow to process the
response body with a script or program written in any language
the platform supports. External filters are enabled with
+external-filter{} after they have been defined in one of the
filter files with a header line starting with "EXTERNAL-FILTER:".
External filter support is experimental, not compiled by default
- and not expected to work on all platforms.
- - Add support for the 'PATCH' method as defined in RFC5789
- - Reject requests with unsupported Expect header values
+ and known not to work on all platforms.
+ - Add support for the 'PATCH' method as defined in RFC5789.
+ - Reject requests with unsupported Expect header values.
Fixes a couple of Co-Advisor tests.
- Normalize the HTTP-version in forwarded requests and responses.
- This is an explicit RFC 2616 MUST and RFC 7230 mandates
- that intermediaries send their own HTTP-version in forwarded
+ This is an explicit RFC 2616 MUST and RFC 7230 mandates that
+ intermediaries send their own HTTP-version in forwarded
messages.
- - Change declared template file encoding to UTF-8.
- The files already used a subset of UTF-8 anyway and changing
- the declaration allows to properly display UTF-8 characters
- used in the action files.
+ - Server 'Keep-Alive' headers are no longer forwarded. From a user's
+ point of view it doesn't really matter, but RFC 2616 (obsolete)
+ mandates that the header is removed and this fixes a Co-Advisor
+ complaint.
+ - Change declared template file encoding to UTF-8. The templates
+ already used a subset of UTF-8 anyway and changing the declaration
+ allows to properly display UTF-8 characters used in the action files.
This change may require existing action files with ISO-8859-1
characters that aren't valid UTF-8 to be converted to UTF-8.
Requested by Sam Chen in #582.
- Do not pass rejected keep-alive timeouts to the server. It might
not have caused any problems (we know of), but doing the right
thing shouldn't hurt either.
- - Let log_error() use its own buffer size #define
- to make changing the log buffer size slightly less inconvenient.
+ - Let log_error() use its own buffer size #define to make changing
+ the log buffer size slightly less inconvenient.
- Turned single-threaded into a "proper" toggle directive with arguments.
- CGI templates no longer enforce new windows for some links.
- - Remove an undocumented workaround (HOST header removal) for
+ - Remove an undocumented workaround ('HOST' header removal) for
an Apple iTunes bug that according to #729900 got fixed in 2003.
- Action file improvements:
- The pattern 'promotions.' is no longer being blocked.
Reported by rakista in #3608540.
- - Disable fast-redirects for .microsofttranslator.com/
- - Disable filter{banners-by-size} for .dgb-tagungszentren.de/
+ - Disable fast-redirects for .microsofttranslator.com/.
+ - Disable filter{banners-by-size} for .dgb-tagungszentren.de/.
- Add adn.speedtest.net as a site-specific unblocker.
Support request #3612908.
- - Disable filter{banners-by-size} for creativecommons.org/
+ - Disable filter{banners-by-size} for creativecommons.org/.
- Block requests to data.gosquared.com/. Reported by cbug in #3613653.
- Unblock .conrad./newsletter/. Reported by David Bo in #3614238.
- Unblock .bundestag.de/.
Previously enabling the 'Advanced' settings (or manually enabling
+fast-redirects{}) prevented some images from being loaded properly.
- Unblock "adina*." Fixes #919 reported by Morton A. Goldberg.
- - Block '/.*DigiAd'
+ - Block '/.*DigiAd'.
- Unblock 'adele*.'. Reported by Adele Lime in #1663.
+ - Disable banners-by-size for kggp.de/.
- Filter file improvements & bug fixes:
- Decrease the chances that js-annoyances creates invalid JavaScript.
Submitted by John McGowan on ijbswa-users@.
- - Let the msn filter hide 'related' ads again
- - Remove a stray '1' in the 'html-annoyances' filter
- - Prevent img-reorder from messing up img tags with empty src attributes
- Fixes #880 reported by Duncan.
+ - Let the msn filter hide 'related' ads again.
+ - Remove a stray '1' in the 'html-annoyances' filter.
+ - Prevent img-reorder from messing up img tags with empty src
+ attributes. Fixes #880 reported by Duncan.
- Documentation improvements:
- Updated the 'Would you like to donate?' section.
detected until the parameter is used.
- Add another +redirect{} example: a shortcut for illumos bugs.
- Make it more obvious that many operating systems support log
- rotation out of the box
+ rotation out of the box.
- Fixed dead links. Reported by Mark Nelson in #3614557.
- Rephrased the 'Why is the configuration so complicated?' answer
to be slightly less condescending. Anonymously suggested in #3615122.
- - Be more explicit about accept-intercepted-requests's lack of MITM support
- - Make 'demoronizer' FAQ entries more generic
- - Add an example hostname to the --pre-chroot-nslookup description
- - Add an example for a host pattern that matches an IP address
- - Rename the 'domain pattern' to 'host pattern' as it may contain IP addresses as well
- - Recommend forward-socks5t when using Tor
- It seems to work fine and modifying the Tor configuration
- to profit from it hasn't been necessary for a while now.
- - Add another redirect{} example to stress that redirect loops can and should be avoided
+ - Be more explicit about accept-intercepted-requests's lack of MITM support.
+ - Make 'demoronizer' FAQ entries more generic.
+ - Add an example hostname to the --pre-chroot-nslookup description.
+ - Add an example for a host pattern that matches an IP address.
+ - Rename the 'domain pattern' to 'host pattern' as it may
+ contain IP addresses as well.
+ - Recommend forward-socks5t when using Tor. It seems to work fine and
+ modifying the Tor configuration to profit from it hasn't been necessary
+ for a while now.
+ - Add another redirect{} example to stress that redirect loops can
+ and should be avoided.
- The usual spelling and grammar fixes. Parts of them were
reported by Reuben Thomas in #3615276.
- - Mention the PCRS option letters T and D in the filter section
+ - Mention the PCRS option letters T and D in the filter section.
- Clarify that handle-as-empty-doc-returns-ok is still useful
- and will not be removed without replacement
- - Note that security issues shouldn't be reported using the bug tracker
- - Clarify what Privoxy does if both +block{} and +redirect{} apply
+ and will not be removed without replacement.
+ - Note that security issues shouldn't be reported using the bug tracker.
+ - Clarify what Privoxy does if both +block{} and +redirect{} apply.
- Removed the obsolete bookmarklets section.
-- Build system improvements
- - Let --with-group properly deal with secondary groups
+- Build system improvements:
+ - Let --with-group properly deal with secondary groups.
Patch submitted by Anatoly Arzhnikov in #3615187.
- - Fix web-actions target
- - Add a web-faq target that only updates the FAQ on the webserver
- - Remove already-commented-out non-portable DOSFILTER alternatives
- - Remove the obsolete targets dok-put and dok-get
- - Add a sf-shell target
+ - Fix web-actions target.
+ - Add a web-faq target that only updates the FAQ on the webserver.
+ - Remove already-commented-out non-portable DOSFILTER alternatives.
+ - Remove the obsolete targets dok-put and dok-get.
+ - Add a sf-shell target.
*** Version 3.0.21 stable ***
----------------------------------------------------------------------
-Copyright : Written by and Copyright (C) 2001-2013 the
+Copyright : Written by and Copyright (C) 2001-2016 the
Privoxy team. http://www.privoxy.org/
Based on the Internet Junkbuster originally written