Headline
CVE-2020-35502: What's New in this Release
A flaw was found in Privoxy in versions before 3.0.29. Memory leaks when a response is buffered and the buffer limit is reached or Privoxy is running out of memory can lead to a system crash.
Added experimental https inspection support which allows to filter https traffic. To enable it, install MbedTLS and configure with --with-mbedtls, or install OpenSSL or LibreSSL and configure with --with-openssl. Afterwards configure the directives in section 7 of the config file and enable the +https-inspection action. Initial MbedTLS-based code contributed by Vaclav Svec, initial OpenSSL support contributed by Maxim Antonov. With help from Nedzad Hrnjica and Ho+ Ho+ Ho+. Integration and improvements sponsored by Robert Klemme.
pcrs: Request JIT compilation if it’s supported and the filter isn’t dynamic. This can speed up filtering.
Added support for Brotli decompression. Sponsored by: Robert Klemme
Added FEATURE_EXTENDED_STATISTICS to gather statistics for block reasons and filter executions. To enable it, configure with --enable-extended-statistics and visit http://config.privoxy.org/show-status. Sponsored by: Robert Klemme
Use the IP_FREEBIND socket option, if defined. This allows Privoxy to bind to not-yet assigned IP addresses which is useful in failover environments. Patch by Sam Varshavchik.
Allow to use extended host patterns and vanilla host patterns at the same time by prefixing extended host patterns with "PCRE-HOST-PATTERN:". To enable this, configure with --enable-pcre-host-patterns. Sponsored by: Robert Klemme
Added “Cross-origin resource sharing” (CORS) support. This allows to access Privoxy’s CGI interface via JavaScript from another domain (white-listed with the new cors-allowed-origin directive). Based on a patch by Nedzad Hrnjica. Sponsored by: Robert Klemme.
Add SOCKS5 username/password support. Based on a patch by Sam, improved by Ivan Romanov. Closes Patch#141 and solves TODO#105.
Bump the maximum number of action and filter files to 100 each. Sponsored by: Robert Klemme
Fixed handling of filters with “split-large-forms 1” when using the CGI editor. Reported by withoutname in #921.
Better detect a mismatch of connection details when figuring out whether or not a connection can be reused.
Don’t send a “Connection failure” message instead of the “DNS failure” message. Sponsored by: Robert Klemme
Let LOG_LEVEL_REQUEST log all requests. Previously unencrypted requests were only logged with LOG_LEVEL_REQUEST when they weren’t crunched (in which case they were logged with LOG_LEVEL_CRUNCH). This was documented behaviour, but logging all requests seems more useful.
Fixed locking around localtime() and gmtime().
Removed OS/2 support. We haven’t provided OS/2 packages in years, it complicated the code and it depended on a fallback snprintf() implementation which is GPLv2 only.
Remove the fallback snprintf() implementation Now that OS/2 support is gone we no longer need it.
Fixed a bunch of format specifiers log messages.
Added a missing apostrophe in the ‘More Privoxy’ menu.
Explicitly prevent use of FEATURE_CONNECTION_SHARING without FEATURE_CONNECTION_KEEP_ALIVE. It makes no sense and does not compile anyway. Sponsored by: Robert Klemme
Fix build without FEATURE_CONNECTION_KEEP_ALIVE. Sponsored by: Robert Klemme
Downgrade the ‘Graceful termination requested’ message to LOG_LEVEL_INFO as it isn’t an error. Sponsored by: Robert Klemme
decompress_iob(): Downgrade the no-content message to LOG_LEVEL_RE_FILTER While at it, fix a typo in a comment. Sponsored by: Robert Klemme
Fixed a couple of cppcheck warnings.
Rename LOG_LEVEL_GPC to LOG_LEVEL_REQUEST. Only the shadow knows what “GPC” is supposed to stand for.
Remove SourceForge references in copyright headers.
Upgrade a bunch of links to the homepage to https://.
Add ‘no-brotli-accepted’ filter which prevents the use of Brotli compression.
Changed license for pcrs to GPLv2+ after getting the permission from Andreas. This allows to redistribute Privoxy under the GPLv3 which is required when linking to future mbedTLS versions which are expected to be licensed under the Apache 2.0 license only.
Updated a bunch of tests that have to expect status code 403 now after r1.168/070e904afa5.
Lowercase the host name in the request line.
Only set SOURCE_DATE_EPOCH if it’s not already set so distributions can overwrite it through the environment.