[Privoxy-announce] Announcing Privoxy 3.0.32 stable

Fabian Keil fk at fabiankeil.de
Sun Feb 28 09:03:11 UTC 2021

               Announcing Privoxy 3.0.32 stable

Privoxy 3.0.32 fixes multiple DoS issues and a couple of other bugs.
The issues also affect earlier Privoxy releases.

ChangeLog for Privoxy 3.0.32
- Security/Reliability:
  - ssplit(): Remove an assertion that could be triggered with a
    crafted CGI request.
    Commit 2256d7b4d67. OVE-20210203-0001.
    Reported by: Joshua Rogers (Opera)
  - cgi_send_banner(): Overrule invalid image types. Prevents a
    crash with a crafted CGI request if Privoxy is toggled off.
    Commit e711c505c48. OVE-20210206-0001.
    Reported by: Joshua Rogers (Opera)
  - socks5_connect(): Don't try to send credentials when none are
    configured. Fixes a crash due to a NULL-pointer dereference
    when the socks server misbehaves.
    Commit 85817cc55b9. OVE-20210207-0001.
    Reported by: Joshua Rogers (Opera)
  - chunked_body_is_complete(): Prevent an invalid read of size two.
    Commit a912ba7bc9c. OVE-20210205-0001.
    Reported by: Joshua Rogers (Opera)
  - Obsolete pcre: Prevent invalid memory accesses with an invalid
    pattern passed to pcre_compile(). Note that the obsolete pcre code
    is scheduled to be removed before the 3.0.33 release. There has been
    a warning since 2008 already.
    Commit 28512e5b624. OVE-20210222-0001.
    Reported by: Joshua Rogers (Opera)

- Bug fixes:
  - Properly parse the client-tag-lifetime directive. Previously it was
    not accepted as an obsolete hash value was being used.
    Reported by: Joshua Rogers (Opera)
  - decompress_iob(): Prevent reading of uninitialized data.
    Reported by: Joshua Rogers (Opera).
  - decompress_iob(): Don't advance cur past eod when looking
    for the end of the file name and comment.
  - decompress_iob(): Cast value to unsigned char before shifting.
    Prevents a left-shift of a negative value which is undefined behaviour.
    Reported by: Joshua Rogers (Opera)
  - gif_deanimate(): Confirm that that we have enough data before doing
    any work. Fixes a crash when fuzzing with an empty document.
    Reported by: Joshua Rogers (Opera).
  - buf_copy(): Fail if there's no data to write or nothing to do.
    Prevents undefined behaviour "applying zero offset to null pointer".
    Reported by: Joshua Rogers (Opera)
  - log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is
    being used while fuzzing.
    Reported by: Joshua Rogers (Opera).
  - Respect DESTDIR when considering whether or not to install
    config files with ".new" extension.
  - OpenSSL ssl_store_cert(): Fix two error messages.
  - Fix a couple of format specifiers.
  - Silence compiler warnings when compiling with NDEBUG.
  - fuzz_server_header(): Fix compiler warning.
  - fuzz_client_header(): Fix compiler warning.
  - cgi_send_user_manual(): Also reject requests if the user-manual
    directive specifies a https:// URL. Previously Privoxy would try and
    fail to open a local file.

- General improvements:
  - Log the TLS version and the the cipher when debug 2 is enabled.
  - ssl_send_certificate_error(): Respect HEAD requests by not sending a body.
  - ssl_send_certificate_error(): End the body with a single new line.
  - serve(): Increase the chances that the host is logged when closing
    a server socket.
  - handle_established_connection(): Add parentheses to clarify an expression
    Suggested by: David Binderman
  - continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE
    if process_encrypted_request() fails. This makes it more obvious that the
    connection will not be reused. Previously serve() relied on
    Inspired by a patch from Joshua Rogers (Opera).
  - decompress_iob(): Add periods to a couple of log messages
  - Terminate the body of the HTTP snipplets with a single new line
    instead of "\r\n".
  - configure: Add --with-assertions option and only enable assertions
    when it is used
  - windows build: Use --with-brotli and --with-mbedtls by default and
    enable dynamic error checking.
  - gif_deanimate(): Confirm we've got an image before trying to write it
    Saves a pointless buf_copy() call.
  - OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number.

- Action file improvements:
  - Disable fast-redirects for .golem.de/
  - Unblock requests to adri*.
  - Block requests for trc*.taboola.com/
  - Disable fast-redirects for .linkedin.com/

- Filter file improvements:
  - Make the second pcrs job of the img-reorder filter greedy again.
    The ungreedy version broke the img tags on:

- Privoxy-Log-Parser:
  - Highlight a few more messages.
  - Clarify the --statistics output. The shown "Reused connections"
    are server connections so name them appropriately.
  - Bump version to 0.9.3.

- Privoxy-Regression-Test:
  - Add the --check-bad-ssl option to the --help output.
  - Bump version to 0.7.3.

- Documentation:
  - Add pushing the created tag to the release steps in the developer manual.
  - Clarify that 'debug 32768' should be used in addition to the other debug
    directives when reporting problems.
  - Add a 'Third-party licenses and copyrights' section to the user manual.

About Privoxy:

Privoxy is a non-caching web proxy with advanced filtering capabilities for
enhancing privacy, modifying web page data and HTTP headers, controlling
access, and removing ads and other obnoxious Internet junk. Privoxy has a
flexible configuration and can be customized to suit individual needs and
tastes. It has application for both stand-alone systems and multi-user

Privoxy is Free Software and licensed under the GNU GPLv2.

Our TODO list is rather long. Helping hands and donations are welcome:

  * https://www.privoxy.org/participate

  * https://www.privoxy.org/donate

At present, Privoxy is known to run on Windows 95 and later versions
(98, ME, 2000, XP, Vista, Windows 7, Windows 10 etc.), GNU/Linux
(RedHat, SuSE, Debian, Fedora, Gentoo, Slackware and others),
Mac OS X (10.4 and upwards on PPC and Intel processors), Haiku,
DragonFly, ElectroBSD, FreeBSD, NetBSD, OpenBSD, Solaris,
and various other flavors of Unix.

In addition to the core features of ad blocking and cookie management,
Privoxy provides many supplemental features, that give the end-user
more control, more privacy and more freedom:

  *  Supports "Connection: keep-alive". Outgoing connections can be kept
     alive independently from the client. Currently not available on all

  *  Supports IPv6, provided the operating system does so too,
     and the configure script detects it.

  *  Supports tagging which allows to change the behaviour based on client
     and server headers.

  *  Supports https inspection which allows to filter https requests.

  *  Can be run as an "intercepting" proxy, which obviates the need to
     configure browsers individually.

  *  Sophisticated actions and filters for manipulating both server and
     client headers.

  *  Can be chained with other proxies.

  *  Integrated browser based configuration and control utility at
     http://config.privoxy.org/ (shortcut: http://p.p/). Browser-based
     tracing of rule and filter effects. Remote toggling.

  *  Web page filtering (text replacements, removes banners based on size,
     invisible "web-bugs" and HTML annoyances, etc.)

  *  Modularized configuration that allows for standard settings and user
     settings to reside in separate files, so that installing updated actions
     files won't overwrite individual user settings.

  *  Support for Perl Compatible Regular Expressions in the configuration
     files, and a more sophisticated and flexible configuration syntax.

  *  GIF de-animation.

  *  Bypass many click-tracking scripts (avoids script redirection).

  *  User-customizable HTML templates for most proxy-generated pages (e.g.
     "blocked" page).

  *  Auto-detection and re-reading of config file changes.
  *  Most features are controllable on a per-site or per-location basis.

Home Page: 

  - Privoxy Developers <privoxy-devel at lists.privoxy.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.privoxy.org/pipermail/privoxy-announce/attachments/20210228/7840c03f/attachment.bin>

More information about the Privoxy-announce mailing list