File    : doc/source/changelog.sgml

Purpose : Entity included in other project documents.

Copyright (C) 2013-2021 Privoxy Developers https://www.privoxy.org/

======================================================================
This file is used for inclusion with other documents only.
======================================================================

If you make changes to this file, please verify the finished
docs all display as intended.

This file is included into:

The SGML ChangeLog can be generated with: utils/changelog2doc.pl ChangeLog

<application>Privoxy 3.0.32</application> fixes multiple DoS issues
and a couple of other bugs. The issues also affect earlier Privoxy

Changes in <application>Privoxy 3.0.32</application> stable:
Security fixes:

- ssplit(): Remove an assertion that could be triggered with a
  Commit 2256d7b4d67. OVE-20210203-0001.
  Reported by: Joshua Rogers (Opera)

- cgi_send_banner(): Overrule invalid image types. Prevents a
  crash with a crafted CGI request if Privoxy is toggled off.
  Commit e711c505c48. OVE-20210206-0001.
  Reported by: Joshua Rogers (Opera)

- socks5_connect(): Don't try to send credentials when none are
  configured. Fixes a crash due to a NULL-pointer dereference
  when the socks server misbehaves.
  Commit 85817cc55b9. OVE-20210207-0001.
  Reported by: Joshua Rogers (Opera)

- chunked_body_is_complete(): Prevent an invalid read of size two.
  Commit a912ba7bc9c. OVE-20210205-0001.
  Reported by: Joshua Rogers (Opera)

- Obsolete pcre: Prevent invalid memory accesses with an invalid
  pattern passed to pcre_compile(). Note that the obsolete pcre code
  is scheduled to be removed before the 3.0.33 release. There has been
  a warning since 2008 already.
  Commit 28512e5b624. OVE-20210222-0001.
  Reported by: Joshua Rogers (Opera)
Bug fixes:

- Properly parse the client-tag-lifetime directive. Previously it was
  not accepted as an obsolete hash value was being used.
  Reported by: Joshua Rogers (Opera)

- decompress_iob(): Prevent reading of uninitialized data.
  Reported by: Joshua Rogers (Opera).

- decompress_iob(): Don't advance cur past eod when looking
  for the end of the file name and comment.

- decompress_iob(): Cast value to unsigned char before shifting.
  Prevents a left-shift of a negative value, which is undefined behaviour.
  Reported by: Joshua Rogers (Opera)
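The three decompress_iob() items above come down to two rules: never read past eod, and widen each byte to unsigned char before shifting. As an added example, not Privoxy's code, here is a gzip FEXTRA-length reader that applies both, with the shift-on-signed-char defect kept beside it for comparison; the header layout (10-byte fixed header, FLG bit 0x04 for FEXTRA, 2-byte little-endian XLEN) is the one from RFC 1952, and the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Read XLEN from a gzip header that has FLG.FEXTRA set (RFC 1952: 10-byte
 * fixed header, then XLEN as a 2-byte little-endian value). Returns XLEN
 * (0..65535) or -1 if the data is too short or carries no FEXTRA field. */
int gzip_fextra_len_fixed(const char *buf, size_t len)
{
    const char *cur = buf;
    const char *eod = buf + len;                  /* end of data */

    if (len < 10) return -1;                      /* fixed header incomplete */
    if ((unsigned char)cur[0] != 0x1f || (unsigned char)cur[1] != 0x8b) return -1;
    if (((unsigned char)cur[3] & 0x04) == 0) return -1;   /* FEXTRA not set */
    cur += 10;
    if (eod - cur < 2) return -1;                 /* never advance past eod */

    /* Widen each byte to unsigned char first. A plain char holding 0xff is
     * negative on most platforms and shifting it left is undefined. */
    return ((unsigned char)cur[1] << 8) | (unsigned char)cur[0];
}

/* The defect the changelog describes, for comparison only: no bounds check
 * and a left shift of a possibly negative char. Do not use. */
int gzip_fextra_len_buggy(const char *buf)
{
    return (buf[11] << 8) | buf[10];
}

/* Constructed sample: a minimal FEXTRA header followed by XLEN bytes (lo, hi),
 * optionally truncated to n bytes to exercise the bounds check. */
int parse_sample(unsigned char lo, unsigned char hi, size_t n)
{
    unsigned char raw[12] = { 0x1f, 0x8b, 8, 0x04, 0, 0, 0, 0, 0, 3, lo, hi };
    if (n > sizeof raw) n = sizeof raw;
    return gzip_fextra_len_fixed((const char *)raw, n);
}

int main(void)
{
    printf("XLEN 0x0102 -> %d\n", parse_sample(0x02, 0x01, 12));  /* 258 */
    printf("XLEN 0xffff -> %d\n", parse_sample(0xff, 0xff, 12));  /* 65535 */
    printf("truncated   -> %d\n", parse_sample(0x02, 0x01, 11));  /* -1 */
    return 0;
}
```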
- gif_deanimate(): Confirm that we have enough data before doing
  any work. Fixes a crash when fuzzing with an empty document.
  Reported by: Joshua Rogers (Opera).

- buf_copy(): Fail if there's no data to write or nothing to do.
  Prevents the undefined behaviour "applying zero offset to null pointer".
  Reported by: Joshua Rogers (Opera)
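The buf_copy() item above refers to a rule of C that sanitizers enforce: forming dst->data + dst->used while data is still NULL is undefined behaviour even when the offset is zero. As an added example, not Privoxy's buf_copy(), here is a growable buffer whose append routine fails early when there is nothing to write, so the pointer arithmetic only ever happens on a real allocation; the names growbuf, growbuf_append and growbuf_sample are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct growbuf {
    char  *data;     /* stays NULL until the first real append */
    size_t used;
    size_t size;
};

/* Append n bytes of src to dst. Returns 0 on success, -1 on failure. */
int growbuf_append(struct growbuf *dst, const char *src, size_t n)
{
    /* The guard from the changelog item: nothing to write or nothing to do
     * is a failure, so dst->data + dst->used is never formed while data is
     * NULL (a zero offset on a null pointer is still undefined behaviour). */
    if (dst == NULL || src == NULL || n == 0) return -1;
    if (n > SIZE_MAX - dst->used) return -1;          /* size would overflow */

    if (dst->size - dst->used < n) {                  /* grow to fit */
        size_t want = dst->used + n;
        char *p = realloc(dst->data, want);
        if (p == NULL) return -1;
        dst->data = p;
        dst->size = want;
    }
    memcpy(dst->data + dst->used, src, n);            /* data is non-NULL here */
    dst->used += n;
    return 0;
}

/* Constructed run: two rejected no-op calls, then two real appends.
 * Returns the final length (5) or -1 if any step misbehaved. */
long growbuf_sample(void)
{
    struct growbuf b = { NULL, 0, 0 };
    long result = -1;
    if (growbuf_append(&b, NULL, 0) != -1) goto done;   /* no data to write */
    if (growbuf_append(&b, "abc", 0) != -1) goto done;  /* nothing to do */
    if (b.data != NULL) goto done;                      /* still untouched */
    if (growbuf_append(&b, "abc", 3) != 0) goto done;
    if (growbuf_append(&b, "de", 2) != 0) goto done;
    if (b.used == 5 && memcmp(b.data, "abcde", 5) == 0) result = (long)b.used;
done:
    free(b.data);
    return result;
}
```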
- log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is
  being used while fuzzing.
  Reported by: Joshua Rogers (Opera).

- Respect DESTDIR when considering whether or not to install
  config files with ".new" extension.

- OpenSSL ssl_store_cert(): Fix two error messages.

- Fix a couple of format specifiers.

- Silence compiler warnings when compiling with NDEBUG.

- fuzz_server_header(): Fix compiler warning.

- fuzz_client_header(): Fix compiler warning.

- cgi_send_user_manual(): Also reject requests if the user-manual
  directive specifies a https:// URL. Previously Privoxy would try and
  fail to open a local file.

General improvements:

- Log the TLS version and the cipher when debug 2 is enabled.

- ssl_send_certificate_error(): Respect HEAD requests by not sending a body.

- ssl_send_certificate_error(): End the body with a single new line.

- serve(): Increase the chances that the host is logged when closing

- handle_established_connection(): Add parentheses to clarify an expression
  Suggested by: David Binderman

- continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE
  if process_encrypted_request() fails. This makes it more obvious that the
  connection will not be reused. Previously serve() relied on
  CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset.
  Inspired by a patch from Joshua Rogers (Opera).

- decompress_iob(): Add periods to a couple of log messages

- Terminate the body of the HTTP snippets with a single new line

- configure: Add --with-assertions option and only enable assertions

- windows build: Use --with-brotli and --with-mbedtls by default and
  enable dynamic error checking.

- gif_deanimate(): Confirm we've got an image before trying to write it
  Saves a pointless buf_copy() call.

- OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number.

Action file improvements:

- Disable fast-redirects for .golem.de/

- Unblock requests to adri*.

- Block requests for trc*.taboola.com/

- Disable fast-redirects for .linkedin.com/

Filter file improvements:

- Make the second pcrs job of the img-reorder filter greedy again.
  The ungreedy version broke the img tags on:
  https://bulk.fefe.de/scalability/.

Privoxy-Log-Parser:

- Highlight a few more messages.

- Clarify the --statistics output. The shown "Reused connections"
  are server connections, so name them appropriately.

- Bump version to 0.9.3.

Privoxy-Regression-Test:

- Add the --check-bad-ssl option to the --help output.

- Bump version to 0.7.3.

Documentation improvements:

- Add pushing the created tag to the release steps in the developer manual.

- Clarify that 'debug 32768' should be used in addition to the other debug
  directives when reporting problems.

- Add a 'Third-party licenses and copyrights' section to the user manual.