タイトル Privoxy
バージョン ver 3.0.34
更新日 2023/02/06
追加日 2013/08/17
種別 フリーソフト
説明 広告除去など優れたフィルタリング能力を持つオープンソースのWebプロキシ。







Announcing Privoxy 3.0.34 stable
Privoxy 3.0.34 fixes a few minor bugs and comes with a couple of
general improvements and new features.
Please note that Google started to bounce messages from the Privoxy
mailing lists a couple of months ago. As a result gmail users have
been unsubscribed by Mailman. If you are affected by this, please
resubscribe with a different mail address. The Privoxy project has
limited resources and limited time to investigate an issue that
only affects gmail addresses.
ChangeLog for Privoxy 3.0.34
- Improve the handling of chunk-encoded responses by buffering the data
even if filters are disabled and properly keeping track of where the
various chunks are supposed to start and end. Previously Privoxy would
merely check the last bytes received to see if they looked like the
last-chunk. This failed to work if the last-chunk wasn't received in one
read and could also result in actual data being misdetected
as last-chunk.
Should fix: SF support request #1739.
Reported by: withoutname.
Announcing Privoxy 3.0.33 stable
Privoxy 3.0.33 fixes an XSS issue, multiple DoS issues and a
couple of other bugs. The issues also affect earlier Privoxy releases.
Privoxy 3.0.33 also comes with a couple of general improvements and
new features.
ChangeLog for Privoxy 3.0.33
- cgi_error_no_template(): Encode the template name to prevent
XSS (cross-site scripting) when Privoxy is configured to servce
the user-manual itself.
Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
Reported by: Artem Ivanov
- get_url_spec_param(): Free memory of compiled pattern spec
before bailing.
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.
- process_encrypted_request_headers(): Free header memory when
failing to get the request destination.
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.
Announcing Privoxy 3.0.32 stable
Privoxy 3.0.32 fixes multiple DoS issues and a couple of other bugs.
The issues also affect earlier Privoxy releases.
ChangeLog for Privoxy 3.0.32
- ssplit(): Remove an assertion that could be triggered with a
crafted CGI request.
Commit 2256d7b4d67. OVE-20210203-0001.
- cgi_send_banner(): Overrule invalid image types. Prevents a
crash with a crafted CGI request if Privoxy is toggled off.
Commit e711c505c48. OVE-20210206-0001.
Reported by: Joshua Rogers (Opera)
- socks5_connect(): Don't try to send credentials when none are
configured. Fixes a crash due to a NULL-pointer dereference
when the socks server misbehaves.
Commit 85817cc55b9. OVE-20210207-0001.
Reported by: Joshua Rogers (Opera)
- chunked_body_is_complete(): Prevent an invalid read of size two.
Commit a912ba7bc9c. OVE-20210205-0001.
Reported by: Joshua Rogers (Opera)
Announcing Privoxy 3.0.31 stable
Privoxy 3.0.31 fixes two security issues that were discovered while
preparing the 3.0.30 release. The issues also affect earlier Privoxy
ChangeLog for Privoxy 3.0.31
- Prevent an assertion from getting triggered by a crafted CGI request.
Commit 5bba5b89193fa. OVE-20210130-0001.
Reported by: Joshua Rogers (Opera)
- Fixed a memory leak when decompression fails "unexpectedly".
Commit f431d61740cc0. OVE-20210128-0001.
- Bug fixes:
- Fixed detection of insufficient data for decompression.
Previously Privoxy could try to decompress a partly
uninitialized buffer.
ChangeLog for Privoxy 3.0.30
- Bug fixes:
- Check the actual URL for redirects when https inspecting requests.
Announcing Privoxy 3.0.29 stable
Privoxy 3.0.29 stable fixes a couple of memory leaks and introduces
https inspection which allows to filter encrypted requests and
ChangeLog for Privoxy 3.0.29
- Security/Reliability:
- Fixed memory leaks when a response is buffered and the buffer
limit is reached or Privoxy is running out of memory.
Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
- Fixed a memory leak in the show-status CGI handler when
no action files are configured. Commit c62254a686.
- Fixed a memory leak in the show-status CGI handler when
no filter files are configured. Commit 1b1370f7a8a.
- Fixes a memory leak when client tags are active.
Commit 245e1cf32. OVE-20201118-0004.
- Fixed a memory leak if multiple filters are executed
and the last one is skipped due to a pcre error.
Announcing Privoxy 3.0.28 stable
Privoxy 3.0.27 stable scales better in multi-user environments
and brings a couple of tuning directives.
Privoxy 3.0.28 stable fixes two regressions introduced in 3.0.27.
ChangeLog for Privoxy 3.0.28
- Bug fixes for regressions in 3.0.27:
- Fixed misplaced parentheses.
Reported by David Binderman.
- Changed two regression tests to depend on config directive
enable-remote-toggle instead of FEATURE_TOGGLE.
ChangeLog for Privoxy 3.0.27
- Add a receive-buffer-size directive which can be used to
set the size of the previously statically allocated buffer
in handle_established_connection().
Increasing the buffer size increases Privoxy's memory usage but
can lower the number of context switches and thereby reduce the
CPU usage and potentially increase the throughput.
Announcing Privoxy 3.0.26 stable
Privoxy 3.0.26 stable is a bug-fix release for the previously
released 3.0.25 beta which introduced client-specific tags and
included a couple of minor improvements.
- Fixed crashes with "listen-addr :8118" (SF Bug #902).
The regression was introduced in 3.0.25 beta and reported
by Marvin Renich in Debian bug #834941.
- General improvements:
- Log when privoxy is toggled on or off via cgi interface.
- Highlight the "Info: Now toggled " on/off log message
in the Windows log viewer.
- Highlight the loading actions/filter file log message
in the Windows log viewer.
- Mention client-specific tags on the toggle page as a
potentionally more appropriate alternative.
- Documentation improvements:
- Update download section on the homepage.
The downloads are available from the website now.
- Add sponsor FAQ.
Announcing Privoxy 3.0.25 beta
Privoxy 3.0.25 beta introduces client-specific tags and includes
a couple of minor improvements. It will be followed by a stable
release in the near future.
- Always use the current toggle state for new requests.
Previously new requests on reused connections inherited
the toggle state from the previous request even though
the toggle state could have changed.
Reported by Robert Klemme.
- Fixed two buffer-overflows in the (deprecated) static
pcre code. These bugs are not considered security issues
as the input is trusted.
Found with afl-fuzz and ASAN.
- Added support for client-specific tags which allow Privoxy
admins to pre-define tags that are set for all requests from
clients that previously opted in through the CGI interface.
They are useful in multi-user setups where admins may
want to allow users to disable certain actions and filters
for themselves without affecting others.
Announcing Privoxy 3.0.24 stable
Privoxy 3.0.24 stable contains a couple of new features but is
mainly a bug-fix release. Two of the fixed bugs are security issues
and may be used to remotely trigger crashes on platforms that
carefully check memory accesses (most don't).
- Security fixes (denial of service):
- Prevent invalid reads in case of corrupt chunk-encoded content.
CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.
- Remove empty Host headers in client requests.
Previously they would result in invalid reads. CVE-2016-1983.
Bug discovered with afl-fuzz and AddressSanitizer.
- When using socks5t, send the request body optimistically as well.
Previously the request body wasn't guaranteed to be sent at all
and the error message incorrectly blamed the server.
Fixes #1686 reported by Peter M端ller and G4JC.
- Fixed buffer scaling in execute_external_filter() that could lead
to crashes. Submitted by Yang Xia in #892.
- Fixed crashes when executing external filters on platforms like
Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@.
Announcing Privoxy v.3.0.19 stable
This is a bug-fix release for the previously released
Privoxy 3.0.18. One of the fixes addresses a security issue.
*** Version 3.0.19 Stable ***
- Bug fixes:
- Prevent a segmentation fault when de-chunking buffered content.
It could be triggered by malicious web servers if Privoxy was
configured to filter the content and running on a platform
where SIZE_T_MAX isn't larger than UINT_MAX, which probably
includes most 32-bit systems. On those platforms, all Privoxy
versions before 3.0.19 appear to be affected.
To be on the safe side, this bug should be presumed to allow
code execution as proving that it doesn't seems unrealistic.
- Do not expect a response from the SOCKS4/4A server until it
got something to respond to. This regression was introduced
in 3.0.18 and prevented the SOCKS4/4A negotiation from working.
Reported by qqqqqw in #3459781.
- General improvements:
Announcing Privoxy v.3.0.18 stable
This is mainly a bug-fix release for the previously released
Privoxy 3.0.17. One of the fixes addresses a security issue.
*** Version 3.0.18 stable ***
- Bug fixes:
- If the redirect URL contains characters RFC 3986 doesn't permit,
they are (re)encoded. Not doing this makes Privoxy versions from
3.0.5 to 3.0.17 susceptible to HTTP response splitting (CWE-113)
attacks if the +fast-redirects{check-decoded-url} action is used.
- Fix a logic bug that could cause Privoxy to reuse a server
socket after it got tainted by a server-header-tagger-induced
block that was triggered before the whole server response had
been read. If keep-alive was enabled and the request following
the blocked one was to the same host and using the same forwarding
settings, Privoxy would send it on the tainted server socket.
While the server would simply treat it as a pipelined request,
Privoxy would later on fail to properly parse the server's
response as it would try to parse the unread data from the
first response as server headers for the second one.