2 File : $Source: /cvsroot/ijbswa/current/doc/source/changelog.sgml,v $
4 Purpose : Entity included in other project documents.
6 $Id: changelog.sgml,v 2.17 2016/05/03 13:22:13 fabiankeil Exp $
8 Copyright (C) 2013-2016 Privoxy Developers https://www.privoxy.org/
11 ======================================================================
12 This file used for inclusion with other documents only.
13 ======================================================================
15 If you make changes to this file, please verify the finished
16 docs all display as intended.
18 This file is included into:
24 <application>Privoxy 3.0.24</application> stable contains a couple
25 of new features but is mainly a bug-fix release. Two of the fixed
26 bugs are security issues and may be used to remotely trigger crashes
27 on platforms that carefully check memory accesses (most don't).
31 The SGML ChangeLog can be generated with: utils/changelog2doc.pl ChangeLog
39 Security fixes (denial of service):
43 Prevent invalid reads in case of corrupt chunk-encoded content.
44 CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.
49 Remove empty Host headers in client requests.
50 Previously they would result in invalid reads. CVE-2016-1983.
51 Bug discovered with afl-fuzz and AddressSanitizer.
63 When using socks5t, send the request body optimistically as well.
64 Previously the request body wasn't guaranteed to be sent at all
65 and the error message incorrectly blamed the server.
66 Fixes #1686 reported by Peter Müller and G4JC.
71 Fixed buffer scaling in execute_external_filter() that could lead
72 to crashes. Submitted by Yang Xia in #892.
77 Fixed crashes when executing external filters on platforms like
78 Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@.
83 Properly parse ACL directives with ports when compiled with HAVE_RFC2553.
84 Previously the port wasn't removed from the host and in case of
85 'permit-access 127.0.0.1 example.org:80' Privoxy would try (and fail)
86 to resolve "example.org:80" instead of example.org.
87 Reported by Pak Chan on ijbswa-users@.
92 Check requests more carefully before serving them forcefully
93 when blocks aren't enforced. Privoxy always adds the force token
94 at the beginning of the path, but would previously accept it anywhere
95 in the request line. This could result in requests being served that
96 should be blocked. For example in case of pages that were loaded with
97 force and contained JavaScript to create additionally requests that
98 embed the origin URL (thus inheriting the force prefix).
99 The bug is not considered a security issue and the fix does not make
100 it harder for remote sites to intentionally circumvent blocks if
101 Privoxy isn't configured to enforce them.
102 Fixes #1695 reported by Korda.
107 Normalize the request line in intercepted requests to make rewriting
108 the destination more convenient. Previously rewrites for intercepted
109 requests were expected to fail unless $hostport was being used, but
110 they failed "the wrong way" and would result in an out-of-memory
111 message (vanilla host patterns) or a crash (extended host patterns).
112 Reported by "Guybrush Threepwood" in #1694.
117 Enable socket lingering for the correct socket.
118 Previously it was repeatedly enabled for the listen socket
119 instead of for the accepted socket. The bug was found by
120 code inspection and did not cause any (reported) issues.
125 Detect and reject parameters for parameter-less actions.
126 Previously they were silently ignored.
131 Fixed invalid reads in internal and outdated pcre code.
132 Found with afl-fuzz and AddressSanitizer.
137 Prevent invalid read when loading invalid action files.
138 Found with afl-fuzz and AddressSanitizer.
143 Windows build: Use the correct function to close the event handle.
144 It's unclear if this bug had a negative impact on Privoxy's behaviour.
145 Reported by Jarry Xu in #891.
150 In case of invalid forward-socks5(t) directives, use the
151 correct directive name in the error messages. Previously they
152 referred to forward-socks4t failures.
153 Reported by Joel Verhagen in #889.
161 General improvements:
165 Set NO_DELAY flag for the accepting socket. This significantly reduces
166 the latency if the operating system is not configured to set the flag
167 by default. Reported by Johan Sintorn in #894.
172 Allow to build with mingw x86_64. Submitted by Rustam Abdullaev in #135.
177 Introduce the new forwarding type 'forward-webserver'.
178 Currently it is only supported by the forward-override{} action and
179 there's no config directive with the same name. The forwarding type
180 is similar to 'forward', but the request line only contains the path
181 instead of the complete URL.
186 The CGI editor no longer treats 'standard.action' special.
187 Nowadays the official "standards" are part of default.action
188 and there's no obvious reason to disallow editing them through
189 the cgi editor anyway (if the user decided that the lack of
190 authentication isn't an issue in her environment).
195 Improved error messages when rejecting intercepted requests
196 with unknown destination.
201 A couple of log messages now include the number of active threads.
206 Removed non-standard Proxy-Agent headers in HTTP snipplets
207 to make testing more convenient.
212 Include the error code for pcre errors Privoxy does not recognize.
217 Config directives with numerical arguments are checked more carefully.
222 Privoxy's malloc() wrapper has been changed to prevent zero-size
223 allocations which should only occur as the result of bugs.
228 Various cosmetic changes.
236 Action file improvements:
240 Unblock ".deutschlandradiokultur.de/".
241 Reported by u302320 in #924.
246 Add two fast-redirect exceptions for "yandex.ru".
251 Disable filter{banners-by-size} for ".plasmaservice.de/".
256 Unblock "klikki.fi/adv/".
261 Block requests for "resources.infolinks.com/".
262 Reported by "Black Rider" on ijbswa-users@.
267 Block a bunch of criteo domains.
268 Reported by Black Rider.
273 Block "abs.proxistore.com/abe/".
274 Reported by Black Rider.
279 Disable filter{banners-by-size} for ".black-mosquito.org/".
284 Disable fast-redirects for "disqus.com/".
292 Documentation improvements:
296 FAQ: Explicitly point fingers at ASUS as an example of a
297 company that has been reported to force malware based on
298 Privoxy upon its customers.
303 Correctly document the action type for a bunch of "multi-value"
304 actions that were incorrectly documented to be "parameterized".
305 Reported by Gregory Seidman on ijbswa-users@.
310 Fixed the documented type of the forward-override{} action
311 which is obviously 'parameterized'.
319 Website improvements:
323 Users who don't trust binaries served by SourceForge
324 can get them from a mirror. Migrating away from SourceForge
325 is planned for 2016 (TODO list item #53).
330 The website is now available as onion service
331 (http://jvauzb4sb3bwlsnc.onion/).