Privoxy 3.0.23 stable is a bug-fix release; some of the fixed bugs are security issues:
Bug fixes:
Fixed a DoS issue in case of client requests with an incorrect chunk-encoded body. When compiled with assertions enabled (the default) they could previously cause Privoxy to abort(). Reported by Matthew Daley. CVE-2015-1380.
Fixed multiple segmentation faults and memory leaks in the pcrs code. This fix also increases the chances that an invalid pcrs command is rejected as such. Previously some invalid commands would be loaded without error. Note that Privoxy's pcrs sources (action and filter files) are considered trustworthy input and should not be writable by untrusted third parties. CVE-2015-1381.
Fixed an 'invalid read' bug which could at least theoretically cause Privoxy to crash. So far, no crashes have been observed. CVE-2015-1382.
Compiles with --disable-force again. Reported by Kai Raven.
Client requests with a body that can't be delivered no longer cause pipelined requests behind them to be rejected as invalid. Reported by Basil Hussain.
General improvements:
If a pcrs command is rejected as invalid, Privoxy now logs the cause of the problem as text. Previously the pcrs error code was logged.
The tests are less likely to cause false positives.
Action file improvements:
'.sify.com/' is no longer blocked. Apparently it is not actually a pure tracking site (anymore?). Reported by Andrew on ijbswa-users@.
Unblock banners on .amnesty.de/ which aren't ads.
Documentation improvements:
The 'Would you like to donate?' section now also contains a "Paypal" address.
The list of supported operating systems has been updated.
The existence of the SF support and feature trackers has been deemphasized because they have been broken for months. Most of the time the mailing lists still work.
The claim that default.action updates are sometimes released on their own has been removed. It hasn't happened in years.
Explicitly mention that Tor's port may deviate from the default when using a bundle. Requested by Andrew on ijbswa-users@.
A quick list of things to be aware of before upgrading from earlier versions of Privoxy:
The recommended way to upgrade Privoxy is to back up your old configuration files, install the new ones, verify that Privoxy is working correctly and finally merge back your changes using diff and maybe patch.
There are a number of new features in each Privoxy release and most of them have to be explicitly enabled in the configuration files. Old configuration files obviously don't do that and due to syntax changes using old configuration files with a new Privoxy isn't always possible anyway.
Note that some installers remove earlier versions completely, including configuration files, therefore you should really save any important configuration files!
On the other hand, other installers don't overwrite existing configuration files, thinking you will want to do that yourself.
In the default configuration only fatal errors are logged now. You can change that in the debug section of the configuration file. You may also want to enable more verbose logging until you have verified that the new Privoxy version is working as expected.
Three other config file settings are now off by default: enable-remote-toggle, enable-remote-http-toggle, and enable-edit-actions. If you use or want these, you will need to explicitly enable them, and be aware of the security issues involved.
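The merge step of the upgrade procedure and the three settings that are now off by default can be checked together before old changes are carried over. The following is an added example, not part of the original release notes or of Privoxy itself; the file names, the sample config contents and the helper function names are constructed, and it assumes that a repeated directive takes its last value.

```shell
# Added example, not Privoxy project code. Sample configs are constructed.

# Active directives of a config file: comment and blank lines dropped,
# whitespace normalised, sorted so two files can be compared line by line.
active_directives() {
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1" | LC_ALL=C sort
}

# Names of the three remote-control settings that FILE explicitly enables.
# Assumption: when a directive is repeated, the last occurrence is effective.
risky_toggles() {
    awk '/^[ \t]*#/ { next }
         $1 ~ /^enable-(remote-toggle|remote-http-toggle|edit-actions)$/ { val[$1] = $2 }
         END { for (k in val) if (val[k] + 0 != 0) print k }' "$1" | LC_ALL=C sort
}

# Directives present in OLD but absent from NEW: local changes to merge back.
local_changes() {
    _old=$(mktemp); _new=$(mktemp)
    active_directives "$1" > "$_old"
    active_directives "$2" > "$_new"
    LC_ALL=C comm -23 "$_old" "$_new"
    rm -f "$_old" "$_new"
}

# Constructed sample files standing in for a saved config and a fresh one.
write_samples() {
    cat > "$1/config.old" <<'EOF'
# local configuration saved before the upgrade
listen-address  127.0.0.1:8118
enable-remote-toggle 1
enable-edit-actions 1
forward-socks5 / 127.0.0.1:9050 .
EOF
    cat > "$1/config.new" <<'EOF'
listen-address 127.0.0.1:8118
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
EOF
}

dir=$(mktemp -d); write_samples "$dir"
echo "Remote-control settings enabled in the old config:"
risky_toggles "$dir/config.old"
echo "Lines to review before merging into the new config:"
local_changes "$dir/config.old" "$dir/config.new"
rm -rf "$dir"
```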