1 Announcing Privoxy 3.0.24 stable
2 --------------------------------------------------------------------
4 Privoxy 3.0.24 stable contains a couple of new features but is
5 mainly a bug-fix release. Two of the fixed bugs are security issues
6 (CVE requests pending) and may be used to remotely trigger crashes
7 on platforms that carefully check memory accesses (most don't).
9 --------------------------------------------------------------------
11 --------------------------------------------------------------------
12 - Security fixes (denial of service):
13 - Prevent invalid reads in case of corrupt chunk-encoded content.
14 Bug discovered with afl-fuzz and AddressSanitizer.
15 - Remove empty Host headers in client requests.
16 Previously they would result in invalid reads.
17 Bug discovered with afl-fuzz and AddressSanitizer.
20 - When using socks5t, send the request body optimistically as well.
21 Previously the request body wasn't guaranteed to be sent at all
22 and the error message incorrectly blamed the server.
23 Fixes #1686 reported by Peter Müller and G4JC.
24 - Fixed buffer scaling in execute_external_filter() that could lead
25 to crashes. Submitted by Yang Xia in #892.
26 - Fixed crashes when executing external filters on platforms like
27 Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@.
28 - Properly parse ACL directives with ports when compiled with HAVE_RFC2553.
29 Previously the port wasn't removed from the host and in case of
30 'permit-access 127.0.0.1 example.org:80' Privoxy would try (and fail)
31 to resolve "example.org:80" instead of example.org.
32 Reported by Pak Chan on ijbswa-users@.
33 - Check requests more carefully before serving them forcefully
34 when blocks aren't enforced. Privoxy always adds the force token
35 at the beginning of the path, but would previously accept it anywhere
36 in the request line. This could result in requests being served that
37 should be blocked. For example in case of pages that were loaded with
38 force and contained JavaScript to create additionally requests that
39 embed the origin URL (thus inheriting the force prefix).
40 The bug is not considered a security issue and the fix does not make
41 it harder for remote sites to intentionally circumvent blocks if
42 Privoxy isn't configured to enforce them.
43 Fixes #1695 reported by Korda.
44 - Normalize the request line in intercepted requests to make rewriting
45 the destination more convenient. Previously rewrites for intercepted
46 requests were expected to fail unless $hostport was being used, but
47 they failed "the wrong way" and would result in an out-of-memory
48 message (vanilla host patterns) or a crash (extended host patterns).
49 Reported by "Guybrush Threepwood" in #1694.
50 - Enable socket lingering for the correct socket.
51 Previously it was repeatedly enabled for the listen socket
52 instead of for the accepted socket. The bug was found by
53 code inspection and did not cause any (reported) issues.
54 - Detect and reject parameters for parameter-less actions.
55 Previously they were silently ignored.
56 - Fixed invalid reads in internal and outdated pcre code.
57 Found with afl-fuzz and AddressSanitizer.
58 - Prevent invalid read when loading invalid action files.
59 Found with afl-fuzz and AddressSanitizer.
60 - Windows build: Use the correct function to close the event handle.
61 It's unclear if this bug had a negative impact on Privoxy's behaviour.
62 Reported by Jarry Xu in #891.
63 - In case of invalid forward-socks5(t) directives, use the
64 correct directive name in the error messages. Previously they
65 referred to forward-socks4t failures.
66 Reported by Joel Verhagen in #889.
68 - General improvements:
69 - Set NO_DELAY flag for the accepting socket. This significantly reduces
70 the latency if the operating system is not configured to set the flag
71 by default. Reported by Johan Sintorn in #894.
72 - Allow to build with mingw x86_64. Submitted by Rustam Abdullaev in #135.
73 - Introduce the new forwarding type 'forward-webserver'.
74 Currently it is only supported by the forward-override{} action and
75 there's no config directive with the same name. The forwarding type
76 is similar to 'forward', but the request line only contains the path
77 instead of the complete URL.
78 - The CGI editor no longer treats 'standard.action' special.
79 Nowadays the official "standards" are part of default.action
80 and there's no obvious reason to disallow editing them through
81 the cgi editor anyway (if the user decided that the lack of
82 authentication isn't an issue in her environment).
83 - Improved error messages when rejecting intercepted requests
84 with unknown destination.
85 - A couple of log messages now include the number of active threads.
86 - Removed non-standard Proxy-Agent headers in HTTP snipplets
87 to make testing more convenient.
88 - Include the error code for pcre errors Privoxy does not recognize.
89 - Config directives with numerical arguments are checked more carefully.
90 - Privoxy's malloc() wrapper has been changed to prevent zero-size
91 allocations which should only occur as the result of bugs.
92 - Various cosmetic changes.
94 - Action file improvements:
95 - Unblock ".deutschlandradiokultur.de/".
96 Reported by u302320 in #924.
97 - Add two fast-redirect exceptions for "yandex.ru".
98 - Disable filter{banners-by-size} for ".plasmaservice.de/".
99 - Unblock "klikki.fi/adv/".
100 - Block requests for "resources.infolinks.com/".
101 Reported by "Black Rider" on ijbswa-users@.
102 - Block a bunch of criteo domains.
103 Reported by Black Rider.
104 - Block "abs.proxistore.com/abe/".
105 Reported by Black Rider.
106 - Disable filter{banners-by-size} for ".black-mosquito.org/".
107 - Disable fast-redirects for "disqus.com/".
109 - Documentation improvements:
110 - FAQ: Explicitly point fingers at ASUS as an example of a
111 company that has been reported to force malware based on
112 Privoxy upon its customers.
113 - Correctly document the action type for a bunch of "multi-value"
114 actions that were incorrectly documented to be "parameterized".
115 Reported by Gregory Seidman on ijbswa-users@.
116 - Fixed the documented type of the forward-override{} action
117 which is obviously 'parameterized'.
119 - Website improvements:
120 - Users who don't trust binaries served by SourceForge
121 can get them from a mirror. Migrating away from SourceForge
122 is planned for 2016 (TODO list item #53).
123 - The website is now available as onion service
124 (http://jvauzb4sb3bwlsnc.onion/).
126 -----------------------------------------------------------------
128 -----------------------------------------------------------------
130 Privoxy is a non-caching web proxy with advanced filtering capabilities for
131 enhancing privacy, modifying web page data and HTTP headers, controlling
132 access, and removing ads and other obnoxious Internet junk. Privoxy has a
133 flexible configuration and can be customized to suit individual needs and
134 tastes. It has application for both stand-alone systems and multi-user
137 Privoxy is Free Software and licensed under the GNU GPLv2.
139 Our TODO list is rather long. Helping hands and donations are welcome:
141 * http://www.privoxy.org/faq/general.html#PARTICIPATE
143 * http://www.privoxy.org/faq/general.html#DONATE
145 At present, Privoxy is known to run on Windows 95 and later versions
146 (98, ME, 2000, XP, Vista, Windows 7 etc.), GNU/Linux (RedHat, SuSE,
147 Debian, Fedora, Gentoo, Slackware and others), Mac OS X (10.4 and
148 upwards on PPC and Intel processors), OS/2, Haiku, DragonFly, ElectroBSD,
149 FreeBSD, NetBSD, OpenBSD, Solaris, and various other flavors of Unix.
151 In addition to the core features of ad blocking and cookie management,
152 Privoxy provides many supplemental features, that give the end-user
153 more control, more privacy and more freedom:
155 * Supports "Connection: keep-alive". Outgoing connections can be kept
156 alive independently from the client. Currently not available on all
159 * Supports IPv6, provided the operating system does so too,
160 and the configure script detects it.
162 * Supports tagging which allows to change the behaviour based on client
165 * Can be run as an "intercepting" proxy, which obviates the need to
166 configure browsers individually.
168 * Sophisticated actions and filters for manipulating both server and
171 * Can be chained with other proxies.
173 * Integrated browser based configuration and control utility at
174 http://config.privoxy.org/ (shortcut: http://p.p/). Browser-based
175 tracing of rule and filter effects. Remote toggling.
177 * Web page filtering (text replacements, removes banners based on size,
178 invisible "web-bugs" and HTML annoyances, etc.)
180 * Modularized configuration that allows for standard settings and user
181 settings to reside in separate files, so that installing updated actions
182 files won't overwrite individual user settings.
184 * Support for Perl Compatible Regular Expressions in the configuration
185 files, and a more sophisticated and flexible configuration syntax.
189 * Bypass many click-tracking scripts (avoids script redirection).
191 * User-customizable HTML templates for most proxy-generated pages (e.g.
194 * Auto-detection and re-reading of config file changes.
196 * Most features are controllable on a per-site or per-location basis.
200 http://www.privoxy.org/
202 - Privoxy Developers <ijbswa-developers@lists.sourceforge.net>