Privoxy 4.2.0 fixes a couple of bugs and brings general improvements such as support for elliptic-curve keys.
Two potential security problems have been reported and addressed.
Changes in Privoxy 4.2.0 stable:
Security improvements:
Parse the chunk-size with a dedicated function and reject "unreasonably" large values to prevent silent truncation by sscanf(), integer overflows and misinterpretation of the content later on. Heap buffer overflows on platforms with 32-bit pointers were alleged as well. Commit 5b3bb22b77. OVE-20260515-0002. Reported by @TristanInSec.
ssl_send_certificate_error(): Store the generated message on the heap instead of the stack to prevent an alleged segmentation fault if there are enough certificates in the chain to exceed the stack size. While at it, replace another variable-length array that was probably unproblematic with a heap-based buffer as well. Commit 4963aa4f08. OVE-20260515-0001. Reported by @TristanInSec.
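The chunk-size check described in the first security item above, as an added example that is not Privoxy's code from commit 5b3bb22b77: a dedicated hex parser that tests the bound before every multiplication, so the value can neither wrap nor be truncated. The name parse_chunk_size(), the MAX_CHUNK_SIZE cap and the strict terminator rule are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed cap for this example; the page does not state Privoxy's limit. */
#define MAX_CHUNK_SIZE 0x7fffffffUL

/*
 * Parse the hexadecimal chunk-size at the start of a chunk header line.
 * Returns 0 and stores the value in *size on success, -1 on rejection.
 * Hypothetical helper, not a Privoxy function.
 */
static int parse_chunk_size(const char *line, unsigned long *size)
{
   unsigned long value = 0;
   size_t digits = 0;

   for (;; line++, digits++)
   {
      unsigned digit;

      if (*line >= '0' && *line <= '9') digit = (unsigned)(*line - '0');
      else if (*line >= 'a' && *line <= 'f') digit = (unsigned)(*line - 'a') + 10;
      else if (*line >= 'A' && *line <= 'F') digit = (unsigned)(*line - 'A') + 10;
      else break;

      /* Reject before multiplying so the accumulator can never wrap. */
      if (value > (MAX_CHUNK_SIZE - digit) / 16) return -1;
      value = value * 16 + digit;
   }

   /* Need at least one digit, then CRLF or a chunk extension (assumed rule). */
   if (digits == 0 || (*line != '\r' && *line != ';')) return -1;

   *size = value;
   return 0;
}

int main(void)
{
   /* Constructed chunk header lines; the last two must be rejected. */
   const char *samples[] = { "1a2B\r\n", "7fffffff;ext=1\r\n",
                             "100000001\r\n", "-1\r\n" };
   for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
   {
      unsigned long n = 0;
      int rc = parse_chunk_size(samples[i], &n);
      printf("sample %zu: rc=%d size=%lu\n", i, rc, n);
   }
   return 0;
}
```

The nine-digit sample is the kind of input that can be silently truncated when scanned into a 32-bit variable; here it is rejected instead.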
Bug fixes:
block_acl(): Ignore ACL matches when we don't have a destination yet but the ACL requires one to match. block_acl() will be called again later on when the destination is known from parsing the request. Fixes SF bug #913 reported by Rainer Sokoll with confirmation from Peter Geelhoed.
rfc2553_connect_to(): Prevent theoretical memory disclosure through the CGI interface if a request is rejected due to ACLs. It's theoretical due to the previous bug in the ACL code.
send_http_request(): Give up on the client connection if writing the request data failed. If there's a request body Privoxy may not have read all the data yet. The issue could be reproduced by running the upstream curl test 1293 multiple times in a row.
load_one_re_filterfile(): Only register content filters for statistics. Previously all filter types were registered which wasted a bit of memory.
Prevent unused-variable warnings when compiling with DISABLE_PCRE_JIT_COMPILATION defined.
cgi_show_url_info(): Remove special handling of "standard.action".
General improvements:
Add elliptic-curve-keys directive and enable it by default. It lets Privoxy use the SN_X9_62_prime256v1 group instead of RSA when generating website keys and certificates. This is expected to be faster but may not be supported by older clients. The OpenSSL-specific code is based on a patch by Steven Smith submitted in SF#933.
Check the listening address when deciding whether or not a client tag matches. This allows different client tags to be used for different clients running on the same host.
Add code to make debugging ACL rules more convenient. It can be enabled with the new configure parameter --enable-acl-debugging.
acl_addr(): Properly reject IPv6 addresses when compiled without RFC2553 support.
Use separate linked lists for filters of different types to be able to look up filters more efficiently. Implements TODO item #96.
Allow external filters to be set and unset through the CGI editor.
parse_acl_rule(): Include the config file line number in the error messages.
wolfssl: Downgrade an error message in create_server_ssl_connection() to LOG_LEVEL_ERROR.
Remove useless csp member re_filterfile_short[].
templates: Update description of the 'unstable' conditional symbol.
templates/url-info-osd.xml: Update address of the Privoxy developers mailing list.
Factor parse_acl_rule() out of load_config().
configure.in: Don't claim that OpenSSL has been detected when it may be LibreSSL.
configure.in: Remove code to disable pcre2. Since the removal of pcre1 support in 24d0ff8398fdf pcre2 is no longer optional.
Replace the term 'TLS/SSL' with 'TLS' in a bunch of places as most (all?) supported TLS libraries default to not supporting SSL anymore.
utils/filter2docs.pl: Add two spaces between filter names and description so there's space after the longest filter name which currently is 'allow-autocompletion'.
utils/filter2docs.pl: Recognize filters with dots in the name.
Remove support for mbedtls 2.x.
Remove support for OpenSSL versions before 2.0.
GNUMakefile.in: Remove duplicated 'only' in the web-rss-feed target's message.
GNUMakefile.in: Add a web-rss-feed target that only syncs the RSS feed.
GNUMakefile.in: The Privoxy tools privoxy-log-parser, privoxy-regression-test and uagen are handled by the "install" and "uninstall" targets now.
Action file improvements:
Disable fast-redirects for "/.*&__goaway_referer=http".
Block ".parsely.com/p(logger|x)/" to match URLs that weren't covered by ".pixel.parsely.com/".
Block requests to ".siteintercept.qualtrics.com/".
Unblock "gitlab./search/count\?".
Reword a comment in user.action that claimed that 'we' want to support certain sites.
Remove obsolete domain sunsolve.sun.com from user.action.
Stop referring to SSL in comments.
Disable fast-redirects for "archive.is/".
Add example section for the taz.de filter to user.action.
default.action.master: Update list of predefined filters.
Filter improvements:
Let the "sourceforge" filter hide the "MongoDB" ad and the "vibe coding bar".
Add a "taz.de" filter which hides the "paywahl" banner on taz.de by default.
Documentation improvements:
FAQ: Mention that one can also donate through Liberapay and add a link.
Add two paragraphs to the 'Reporting security problems' section. Request that use of "AI" is disclosed and that reporters respond to questions about the report.
The Privoxy tools privoxy-log-parser, privoxy-regression-test and uagen have man pages now. Previously they were only documented in perldoc.
user-manual: Update the content filter list.
user-manual: Update limit-connect description. If the https-inspection action is enabled, Privoxy does filter the transferred content even if the CONNECT action is being used.
Document that the listen-address is taken into account for client tags as well now.
Update limit-connect description.
Don't mention an obsolete mbed TLS version in the user manual's 'Third-party licenses and copyrights' section. While at it, link to the GitHub page which shows the README instead of the list of tags which is less informative and replace an 'and' with a comma.
Mention zstd in the user manual's 'Third-party licenses and copyrights' section.
license.sgml: Remove incorrect comment claiming that the file is included into the user manual.
Factor out license explanation into separate SGML document to deduplicate the content. No HTML output change intended.
user-manual: Sync paragraph explaining the license of Privoxy binaries when linked to a recent TLS library with license.sgml.
user-manual: Use &lt; instead of literal '<' to unbreak highlighting in Emacs.
Website improvements:
Update doc/webserver/README.txt.
Delete doc/webserver/redirect.php which hasn't been used in years.
Privoxy-Log-Parser:
Highlight listen address in "Evaluating tag 'forward-directly' for client 127.0.0.1 using 127.0.1.1:8120. End of life 1774948202."
Deal with a log message containing only 'TLS' instead of 'TLS/SSL'.
Bump version to 0.9.8.
Highlight listen address in 'Enlisting tag 'allow-cookies' for client 127.0.0.1 using 127.0.1.1:8120.'
Test improvements:
run-privoxy-tests.sh: Kill the whole process group if Privoxy doesn't start up in time. This prevents hangs when the system is heavily loaded, run-privoxy-tests.sh's output is piped into tee(1) and Privoxy starts up after the script checks for it, but before it exits.
Add test for the content filter "taz.de".
Add test scenarios for the ACL code.
tests/cts: Make the TESTDIR available as environment variable so the prechecks can access it.
Add test helper script that checks if a local address is available to bind to.
run-privoxy-tests.sh: Add valgrind support that can be enabled with "-v".
run-privoxy-tests.sh: Turn $log_file into a local variable in start_privoxy().
tests/cts/README: Recommend to use curl upstream tag curl-8_20_0.
Regenerate curl-test-manifest-for-privoxy.
gen-skip-reasons.pl: Use '==' instead of 'eq' when checking whether or not a test should be skipped. While the script output is the same, the test number isn't a string so using '==' seems more appropriate.
gen-skip-reasons.pl: Skip test 1 due to multiple Connection header values.
gen-skip-reasons.pl: Skip test 58 for now which doesn't work anymore after a recent curl upstream change.
gen-skip-reasons.pl: Skip test 1685 which uses a Cookie header with a tab that Privoxy converts into a space.
Privoxy-Regression-Test: Bump version to 0.7.6
Privoxy-Regression-Test: Allow '!' characters which are used in URLs from taz.de for example.
Privoxy-Regression-Test: Include the offending line in the error message when rejecting Sticky Actions with whitespace inside the action parameters.
Add three more tests for the chunked-transfer-encoding scenario.
The Privoxy project is currently underfunded. If you can afford it, please consider making a donation.
A quick list of things to be aware of before upgrading from earlier versions of Privoxy:
The recommended way to upgrade Privoxy is to backup your old configuration files, install the new ones, verify that Privoxy is working correctly and finally merge back your changes using diff and maybe patch.
There are a number of new features in each Privoxy release and most of them have to be explicitly enabled in the configuration files. Old configuration files obviously don't do that and due to syntax changes using old configuration files with a new Privoxy isn't always possible anyway.
Note that some installers remove earlier versions completely, including configuration files, therefore you should really save any important configuration files!
On the other hand, other installers don't overwrite existing configuration files, thinking you will want to do that yourself.
In the default configuration only fatal errors are logged now. You can change that in the debug section of the configuration file. You may also want to enable more verbose logging until you verified that the new Privoxy version is working as expected.
Three other config file settings are now off by default: enable-remote-toggle, enable-remote-http-toggle, and enable-edit-actions. If you use or want these, you will need to explicitly enable them, and be aware of the security issues involved.