[Privoxy-commits] [privoxy] 04/07: Update SGML ChangeLog for Privoxy 4.2.0 stable

User Git git at git.privoxy.org
Mon Apr 20 15:58:40 CEST 2026


This is an automated email from the git hooks/post-receive script.

git pushed a commit to branch master
in repository privoxy.

commit dcf383d0a8173fc4912baa431a0955c7530810f0
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Mon Apr 20 15:38:15 2026 +0200

    Update SGML ChangeLog for Privoxy 4.2.0 stable
---
 doc/source/changelog.sgml | 340 ++++++++++++++++++++--------------------------
 1 file changed, 151 insertions(+), 189 deletions(-)

diff --git a/doc/source/changelog.sgml b/doc/source/changelog.sgml
index 6ac4186b..57b7b4b8 100644
--- a/doc/source/changelog.sgml
+++ b/doc/source/changelog.sgml
@@ -24,264 +24,243 @@
 -->
 
 <para>
-  <application>Privoxy 4.1.0</application> fixes a few
-  minor bugs and brings ZStandard-decompression support and
-  a couple of general improvements.
+  <application>Privoxy 4.2.0</application> fixes a few
+  minor bugs and brings a couple of general improvements
+  inclusing support for elliptic-curve keys.
 </para>
 <para>
-  Changes in <application>Privoxy 4.1.0</application> stable:
+  Changes in <application>Privoxy 4.2.0</application> stable:
 </para>
 <para>
  <itemizedlist>
   <listitem>
    <para>
-    General improvements:
+    Bug fixes:
     <itemizedlist>
     <listitem>
      <para>
-      Add Zstandard-decompression support.
+      block_acl(): Ignore ACL matches when we don't have a destination yet
+      but the ACL requires one to match. block_acl() will be called
+      again later on when the destination is known from parsing the request.
+      Fixes SF bug #913 reported by Rainer Sokoll  with confirmation from
+      Peter Geelhoed.
      </para>
     </listitem>
     <listitem>
      <para>
-      compile_pattern(): Use pcre2_get_error_message() to provide better error messages.
+      rfc2553_connect_to(): Prevent theoretical memory disclosure through
+      the CGI interface if a request is rejected due to ACLs. It's theoretical
+      due to the previous bug in the ACL code.
      </para>
     </listitem>
     <listitem>
      <para>
-      wolfssl: Use wolfTLS_client_method() instead of wolfSSLv23_method()
-      when creating the connection to the server. Allows to connect to
-      <ulink url="https://media.ccc.de/"></ulink> and <ulink url="https://traxxas.com/">https://traxxas.com/</ulink> while wolfSSLv23_method()
-      currently doesn't (wolfSSL 5.8.4). Unfortunately this does not allow to
-      connect to <ulink url="https://www.fsf.org/">https://www.fsf.org/</ulink> while wolfSSLv23_method() does.
-      Reported upstream in <ulink url="https://github.com/wolfSSL/wolfssl/issues/7735">https://github.com/wolfSSL/wolfssl/issues/7735</ulink>.
-      curl is using wolfTLS_client_method() with recent wolfSSL versions
-      as well so this seems to be the way to go.
+      send_http_request(): Give up on the client connection if writing the
+      request data failed. If there's a request body Privoxy may not have
+      read all the data yet. The issue could be reproduced by running the
+      upstream curl test 1293 multiple times in a row.
      </para>
     </listitem>
     <listitem>
      <para>
-      wolfssl: Warn if HAVE_SECURE_RENEGOTIATION is unavailable
-      and don't suggest to use HAVE_RENEGOTIATION_INDICATION instead.
+      load_one_re_filterfile(): Only register content filters for statistics.
+      Previously all filter types were registered which wasted a bit of memory.
      </para>
     </listitem>
     <listitem>
      <para>
-      show-status template: Add links for external (de)compression libraries.
+      Prevent unused-variable warnings when compiling with
+      DISABLE_PCRE_JIT_COMPILATION defined.
      </para>
     </listitem>
     <listitem>
      <para>
-      If the server sends multiple Connection headers, only parse and
-      forward the first one.
+      cgi_show_url_info(): Remove special handling of "standard.action".
      </para>
-    </listitem>
+     </listitem>
+    </itemizedlist>
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    General improvements:
+    <itemizedlist>
     <listitem>
      <para>
-      create_hexadecimal_hash_of_host(): Use snprintf() instead of sprint()
-      Silences a warning on OpenBSD.
+      Add elliptic-curve-keys directive and enable it by default.
+      It lets Privoxy use the SN_X9_62_prime256v1 group instead of RSA when
+      generating website keys and certificates. This is expected to be faster
+      but may not be supported by older clients. The OpenSSL-specific code is
+      based on on a patch by Steven Smith submitted in SF#933.
      </para>
     </listitem>
     <listitem>
      <para>
-      Also log the listening address and port the request came in on.
+      Check the listening address when deciding whether or not a client tag
+      matches. This allows to use different client tags for different clients
+      running on the same host.
      </para>
     </listitem>
     <listitem>
      <para>
-      Added periods to a couple of log messages.
+      Add code to make debugging ACL rules more convenient. It can be enabled
+      with the new configure parameter --enable-acl-debugging.
      </para>
     </listitem>
     <listitem>
      <para>
-      Removed support for pcre1.
+      acl_addr(): Properly reject IPv6 addresses when compiled without RFC2553 support.
      </para>
     </listitem>
     <listitem>
      <para>
-      configure.in: Removed obsolete warning if OpenSSL is detected.
-      Recent OpenSSL versions are licensed under the Apache 2 license so
-      the "special exception" from section 3 of the GPLv2 isn't needed
-      and a Privoxy binary linked to OpenSSL can be distributed under the
-      GPLv3 or later.
+      Use separate linked lists for filters of different types to be able look up
+      filters more efficiently. Implements TODO item #96.
      </para>
     </listitem>
     <listitem>
      <para>
-      init_domain_components(): Assert that the http->dbuffer and http->dvec
-      are NULL to detect memory leaks earlier.
-     </para>
-     </listitem>
-    </itemizedlist>
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-    Bug fixes:
-    <itemizedlist>
-    <listitem>
-     <para>
-      openssl: Don't call SSL_set_tlsext_host_name() if the host is an IP address
-      With LibreSSl the call simply fails and with OpenSSL the call
-      succeeds but results in an syntactically incorrect ClientHello
-      a server may object to. While at it, add the host name to the error message.
+      Allow to set and unset external filters through the CGI editor.
      </para>
     </listitem>
     <listitem>
      <para>
-      Don't forward connection options Privoxy doesn't understand.
+      parse_acl_rule(): Include the config file line number in the error messages.
      </para>
     </listitem>
     <listitem>
      <para>
-      Look for the "keep-alive" keyword more carefully in Connection headers.
-      Previously connections were not kept alive if the Connection header
-      contained additional keywords like "Upgrade".
+      wolfssl: Downgrade an error message in create_server_ssl_connection()
+      to LOG_LEVEL_ERROR.
      </para>
     </listitem>
     <listitem>
      <para>
-      If the MS IIS5 hack fails, only send the error response if we're buffering content
-      Previously the error response was also sent if the client already
-      received the HTTP headers from the server.
+      Remove useless csp member re_filterfile_short[].
      </para>
     </listitem>
     <listitem>
      <para>
-      Fix compilation when configured with --disable-ipv6-support.
-      Submitted by Luca Broglio.
+      templates: Update description of the 'unstable' conditional symbol.
      </para>
     </listitem>
     <listitem>
      <para>
-      Fixed detection and use of pcre2.h from a subdirectory.
-      SF bug #946. Patch submitted by Jakub Kulik.
+      templates/url-info-osd.xml: Update address of the Privoxy developers mailing list.
      </para>
     </listitem>
     <listitem>
      <para>
-      Properly handle IPv6 addresses in the Host header.
-      Reported by Joshua Rogers.
+      Factor parse_acl_rule() out of load_config().
      </para>
     </listitem>
     <listitem>
      <para>
-      socks4_connect(): Fix the dstsize passed to strlcpy() in case of socks4a.
-      Previously Privoxy would substract sizeof(struct socks_op) twice
-      as it's already part of csiz. While this was wrong it didn't
-      cause any actual problems as the buffer size is so large that
-      it didn't matter. Reported by Joshua Rogers.
+      configure.in: Don't claim that OpenSSL has been detected when it may be LibreSSL.
      </para>
     </listitem>
     <listitem>
      <para>
-      error_response(): Prevent a theoretical memory leak. Reported by Joshua Rogers.
+      configure.in: Remove code to disable pcre2. Since the removal of pcre1
+      support in 24d0ff8398fdf pcre2 is no longer optional.
      </para>
     </listitem>
     <listitem>
      <para>
-      log_error(): Fix a segmentation fault when logging %E on a platform that
-      isn't Windows and doesn't have strerror(). Reported by Joshua Rogers.
+      Replace the term 'TLS/SSL' with 'TLS' in a bunch of places as most (all?)
+      supported TLS libraries default to not supporting SSL anymore.
      </para>
     </listitem>
     <listitem>
      <para>
-      accept_connection(): Fix memory and socket leak if the server name and
-      port number ASCII decimal representation don't fit. This is not expected
-      to happen. Reported by Joshua Rogers.
+      utils/filter2docs.pl: Add two spaces between filter names and description
+      so there's space after the longest filter name which currently is
+      'allow-autocompletion'.
      </para>
     </listitem>
     <listitem>
      <para>
-      parse_http_url(): Fail if no host is found when we expected one.
-      This can happen in case of invalid requests in which case
-      Privoxy previously would leak a couple of bytes of memory.
+      utils/filter2docs.pl: Recognize filters with dots in the name.
      </para>
-     </listitem>
-    </itemizedlist>
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-    Action file improvements:
-    <itemizedlist>
+    </listitem>
     <listitem>
      <para>
-      Prevent a fingerprinting issue with various login pages by not handling
-      the requests as image requests or fast-redirecting them. Without the added
-      section a request to a blocked or redirected login URL could be misdetected
-      by third parties as the user being logged in to the given site, thus making
-      fingerprinting Privoxy users easier. Note that this does not prevent the
-      fingerprinting issue if the client is actually logged in. For details see
-      <ulink url="https://robinlinus.github.io/socialmedia-leak/">https://robinlinus.github.io/socialmedia-leak/</ulink>.
-      Doing that would probably be too invasive for a default configuration.
+      Remove support for mbedtls 2.x.
      </para>
     </listitem>
     <listitem>
      <para>
-      Stop downgrading the HTTP version for port 631. It was supposed to work
-      around a problem with the CUPS webinterface but about 20 years later we
-      probably don't need it anymore ...
+      Remove support for OpenSSL versions before 2.0.
      </para>
     </listitem>
     <listitem>
      <para>
-      Fix sticky actions for .flickr.com to match the action section.
+      GNUMakefile.in: Remove duplicated 'only' in the web-rss-feed target's message.
      </para>
     </listitem>
     <listitem>
      <para>
-      Remove an action section without an URL pattern.
+      GNUMakefile.in: Add a web-rss-feed target that only syncs the RSS feed.
      </para>
     </listitem>
     <listitem>
      <para>
-      Disable fast-redirects for .bahn.de/
+      GNUMakefile.in: The Privoxy tools privoxy-log-parser, privoxy-regression-test
+      and uagen are handled by the "install" and "uninstall" targets now.
      </para>
-    </listitem>
+     </listitem>
+    </itemizedlist>
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Action file improvements:
+    <itemizedlist>
     <listitem>
      <para>
-      Disable fast-redirects for report.error-report.com/
+      Disable fast-redirects for "/.*&__goaway_referer=http".
      </para>
     </listitem>
     <listitem>
      <para>
-      Unblock metrics.1aeo.com/
+      Block ".parsely.com/p(logger|x)/" to match URLs that weren't
+      covered by ".pixel.parsely.com/".
      </para>
     </listitem>
     <listitem>
      <para>
-      Unblock .crates.io/
+      Unblock "gitlab./search/count\?".
      </para>
     </listitem>
     <listitem>
      <para>
-      Block requests for mv.outbrain.com/
+      Reword a comment in user.action that claimed that 'we' want
+      to support certain sites.
      </para>
     </listitem>
     <listitem>
      <para>
-      Disable filter{banners-by-size} for .jwz.org/
+      Remove obsolete domain sunsolve.sun.com from user.action.
      </para>
     </listitem>
     <listitem>
      <para>
-      Disable deanimate-gifs for .githubusercontent.com/
+      Stop referring to SSL in comments.
      </para>
     </listitem>
     <listitem>
      <para>
-      Disable the banners-by-size filter for github.com
+      Disable fast-redirects for "archive.is/".
      </para>
     </listitem>
     <listitem>
      <para>
-      Widen block pattern from 'metrics.' to '.metricts.'
+      Add example section for the taz.de filter to user.action.
      </para>
     </listitem>
     <listitem>
      <para>
-      Add +server-header-tagger{content-type} to all standard settings.
+      default.action.master: Update list of predefined filters.
      </para>
      </listitem>
     </itemizedlist>
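Review bot: The entry "Remove support for OpenSSL versions before 2.0." in the General improvements list cites a version that OpenSSL never released (1.1.1 was followed by 3.0), so the minimum supported version is unclear; please name the actual cut-off. Typos in the same hunk: "inclusing" in the intro paragraph should be "including", "based on on a patch" in the elliptic-curve-keys entry has a doubled "on", and "to be able look up" in the linked-lists entry is missing "to". The rfc2553_connect_to() entry could also say what kind of memory could reach the CGI output, since "theoretical memory disclosure" alone gives users little to judge exposure by.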
@@ -293,20 +272,12 @@
     <itemizedlist>
     <listitem>
      <para>
-      Update imdb filter to remove wasted space below the search field.
+      Let the "sourceforge" filter hide the "MongoDB" ad and the "vibe coding bar".
      </para>
     </listitem>
     <listitem>
      <para>
-      Update bundeswehr.de filter to be effective again.
-     </para>
-    </listitem>
-    <listitem>
-     <para>
-      Removed the obsolete ie-exploits filter. It didn't actually reliably
-      protect against Nimda, there never were active maintainers and IE is
-      obsolete anyway. Also some virus scanners seem to be offended by the
-      test case for the filter in the source tarball.
+      Add a "taz.de" filter which hides the "paywahl" banner on taz.de by default.
      </para>
      </listitem>
     </itemizedlist>
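Review bot: "by default" in the new "taz.de" filter entry is ambiguous. The Action file improvements list only mentions an example section for the taz.de filter in user.action, so it is unclear whether the filter is enabled in the shipped default.action or has to be turned on by the user. Suggest wording the entry so it says which.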
@@ -314,76 +285,71 @@
   </listitem>
   <listitem>
    <para>
-    Privoxy-Log-Parser:
+    Documentation improvements:
     <itemizedlist>
     <listitem>
      <para>
-      Bumped version to 0.9.7.
+      The Privoxy tools privoxy-log-parser, privoxy-regression-test and uagen
+      have man pages now. Previously they were only documented in perldoc.
      </para>
     </listitem>
     <listitem>
      <para>
-      Fully highlight: Accepted connection from 127.0.0.1 on socket 9 connected through 127.0.1.1:8118.
+      user-manual: Update the content filter list.
      </para>
     </listitem>
     <listitem>
      <para>
-      Highlight: Socket 8 timed out while waiting for client headers
+      user-manual: Update limit-connect description. If the https-inspection action
+      is enabled, Privoxy does filter the transferred content even if the CONNECT
+      action is being used.
      </para>
     </listitem>
     <listitem>
      <para>
-      Highlight: 'Giving up draining socket 35.'
+      Document that the listen-address is taken into account for client
+      tags as well now.
      </para>
     </listitem>
     <listitem>
      <para>
-      Highlight: "Tagger 'http-method' didn't add tag 'POST': suppressed"
+      Update limit-connect description.
      </para>
     </listitem>
     <listitem>
      <para>
-      Highlight: 'Skipped filter 'banners-by-size' after job number 1: match limit exceeded (-47)'
+      Don't mention an obsolete mbed TLS version in the user manual's
+      'Third-party licenses and copyrights' section. While at it, link to the
+      GitHub page which shows the README instead of the list of tags which is
+      less informative and replace an 'and' with a comma.
      </para>
-     </listitem>
-    </itemizedlist>
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-    uagen:
-    <itemizedlist>
+    </listitem>
     <listitem>
      <para>
-      Bumped version to 0.1.7
+      Mention zstd in the user manual's 'Third-party licenses and copyrights' section.
      </para>
     </listitem>
     <listitem>
      <para>
-      Bumped BROWSER_VERSION and BROWSER_REVISION to match Firefox ESR 140.
+      license.sgml: Remove incorrect comment claiming that the file is included
+      into the user manual.
      </para>
-     </listitem>
-    </itemizedlist>
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-    Documentation:
-    <itemizedlist>
+    </listitem>
     <listitem>
      <para>
-      Updated license info to deal with wolfSSL's license change to GPLv3.
+      Factor out license explanation into separate SGML document
+      to deduplicate the content. No HTML output change intended.
      </para>
     </listitem>
     <listitem>
      <para>
-      Added new FAQ: 'Is the Privoxy source tarball infected by a virus?'.
+      user-manual: Sync paragraph explaining the license of Privoxy binaries
+      when linked to a recent TLS library with license.sgml.
      </para>
     </listitem>
     <listitem>
      <para>
-      Removed claims that path matching can be turned case-sensitive.
-      The suggested method didn't actually work.
+      user-manual: Use < instead of literal '<' to unbreak highlighting in Emacs.
      </para>
      </listitem>
     </itemizedlist>
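Review bot: The last Documentation improvements entry reads "Use < instead of literal '<'", which names the same character twice, so the replacement that was actually made is not readable from the ChangeLog; in the SGML source both the replacement and the literal need escaping so the text survives rendering. "Update limit-connect description." also appears twice in this list, once with the https-inspection explanation and once bare; merge them into one entry.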
@@ -395,125 +361,121 @@
     <itemizedlist>
     <listitem>
      <para>
-      GNUmakefile.in: Add a web-robots.txt target to only transfer the robots.txt to the SF server.
-     </para>
-    </listitem>
-    <listitem>
-     <para>
-      robots.txt: Disallow /gitweb to hopefully reduce the load on the webserver
+      Update doc/webserver/README.txt.
      </para>
     </listitem>
     <listitem>
      <para>
-      robots.txt: Remove stray empty lines
+      Delete doc/webserver/redirect.php which hasn't been used in years.
      </para>
-    </listitem>
-    <listitem>
-     <para>
-      Added a vanity onion address for the privoxy.org onion service.
-     </para>
-    </listitem>
+     </listitem>
     </itemizedlist>
    </para>
   </listitem>
   <listitem>
    <para>
-    Tests:
+    Privoxy-Log-Parser:
     <itemizedlist>
     <listitem>
      <para>
-      Updated test framework to work with recent (rc-8_18_0-3) cts upstream tests.
+      Highlight listen address in "Evaluating tag 'forward-directly' for client
+      127.0.0.1 using 127.0.1.1:8120. End of life 1774948202."
      </para>
     </listitem>
     <listitem>
      <para>
-      tests/cts/run-privoxy-tests.sh: Pass arguments that follow "--" to
-      runtests-wrapper.sh so they can be passed to runtests.pl.
-      This allows to only run a single test without modifying the scripts:
-      ./run-privoxy-tests.sh -t upstream-tests -- 473
+      Deal with a log message containing only 'TLS' instead of 'TLS/SSL'.
      </para>
     </listitem>
     <listitem>
      <para>
-      run-privoxy-tests.sh: Explicitly log if there were no errors.
+      Bump version to 0.9.8.
      </para>
     </listitem>
     <listitem>
      <para>
-      run-privoxy-tests.sh: Continue testing if a test in a test scenario fails.
+      Highlight listen address in 'Enlisting tag 'allow-cookies' for client
+      127.0.0.1 using 127.0.1.1:8120.'
      </para>
-    </listitem>
+     </listitem>
+    </itemizedlist>
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Test improvements:
+    <itemizedlist>
     <listitem>
      <para>
-      runtests-wrapper.sh: Explicitly set the path to the curl binary
-      using an absolute path. Otherwise runtests.pl uses a relative
-      path in its output which can be confusing.
+      run-privoxy-tests.sh: Kill the whole process group if Privoxy
+      doesn't start up in time. This prevents hangs when the system is
+      heavily loaded, run-privoxy-test.sh's output is piped into tee(1)
+      and Privoxy starts up after the the script checks for it, but before
+      it exits.
      </para>
     </listitem>
     <listitem>
      <para>
-      runtests-wrapper.sh: Improve a log message.
+      Add test for the content filter "taz.de".
      </para>
     </listitem>
     <listitem>
      <para>
-      Disable the forward-to-socks-proxy and forward-to-http-proxy scenarios
-      for now. Since curl commit d39db811929f the port randomisation can no
-      longer be disabled by the injected module so the tests don't work at the
-      moment. Discussion on the curl library mailinglist didn't result in
-      a solution (<ulink url="https://curl.se/mail/lib-2025-08/0000.html">https://curl.se/mail/lib-2025-08/0000.html</ulink>).
+      Add test scenarios for the ACL code.
      </para>
     </listitem>
     <listitem>
      <para>
-      tests/cts: Remove 'none' server section from tests.
-      It's no longer supported as of curl commit 71c9706959cb.
+      tests/cts: Make the TESTDIR available as environment variable so
+      the prechecks can access it.
      </para>
     </listitem>
     <listitem>
      <para>
-      run-privoxy-tests.sh: Print supported arguments in case of invalid ones.
+      Add test helper script that checks if a local address is available
+      to bind to.
      </para>
     </listitem>
     <listitem>
      <para>
-      Add a test for the bundeswehr.de filter.
+      run-privoxy-tests.sh: Add valgrind support that can be enabled with "-v".
      </para>
     </listitem>
     <listitem>
      <para>
-      tests/cts/gzip-compression/data/test13: Fix repetitive sequence by adding a missing %.
+      run-privoxy-tests.sh: Turn $log_file into a local variable in start_privoxy().
      </para>
     </listitem>
     <listitem>
      <para>
-      Add a couple of tests for connection headers with keep-alive-timeout set.
+      tests/cts/README: Recommend to use curl upstream tag curl-8_19_0.
      </para>
     </listitem>
     <listitem>
      <para>
-      Add fetch test for the How-Tos in the user manual.
+      Regenerate curl-test-manifest-for-privoxy.
      </para>
     </listitem>
     <listitem>
      <para>
-      ../privoxy-runtests.pm: Prevent warning if $_ is undefined.
+      gen-skip-reasons.pl: Skip test 1 due to multiple Connection header values.
      </para>
     </listitem>
     <listitem>
      <para>
-      tests/cts/runtests-wrapper.sh: Stop explicitly setting HOSTIP.
-      It doesn't work with curl master at the moment.
+      Privoxy-Regression-Test: Bump version to 0.7.6
      </para>
     </listitem>
     <listitem>
      <para>
-      Let the "clean" target remove logs from the cts tests.
+      Privoxy-Regression-Test: Allow '!' characters which are used in URLs from
+      taz.de for example.
      </para>
     </listitem>
     <listitem>
      <para>
-      .../content-filters/content-filters.action: Remove duplicate action section.
+      Privoxy-Regression-Test: Include the offending line in the error message
+      when rejecting Sticky Actions with whitespace inside the action parameters.
      </para>
      </listitem>
     </itemizedlist>
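Review bot: The first Test improvements entry names the script two ways, "run-privoxy-tests.sh" and then "run-privoxy-test.sh's output"; use the first spelling throughout and drop the doubled word in "after the the script checks for it". The "Privoxy-Regression-Test: Bump version to 0.7.6" entry also lacks the closing period that the "Bump version to 0.9.8." entry has.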

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

