[Privoxy-commits] [privoxy] 06/23: ChangeLog: Add changes for 4.1.0 stable

User Git git at git.privoxy.org
Thu Jan 1 15:56:03 CET 2026


This is an automated email from the git hooks/post-receive script.

git pushed a commit to branch master
in repository privoxy.

commit 7004caa746ba9b3d67d2f2f6dd9538fe7d9e0b2a
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Wed Dec 24 14:39:58 2025 +0100

    ChangeLog: Add changes for 4.1.0 stable
---
 ChangeLog | 151 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 151 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index a7bffc52..e0067e53 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,157 @@
 --------------------------------------------------------------------
 ChangeLog for Privoxy
 --------------------------------------------------------------------
+*** Version 4.1.0 stable ***
+
+- General improvements:
+  - Add Zstandard-decompression support.
+  - compile_pattern(): Use pcre2_get_error_message() to provide better error messages.
+  - wolfssl: Use wolfTLS_client_method() instead of wolfSSLv23_method()
+    when creating the connection to the server. Allows to connect to
+    https://media.ccc.de/ and https://traxxas.com/ while wolfSSLv23_method()
+    currently doesn't (wolfSSL 5.8.4). Unfortunately this does not allow to
+    connect to https://www.fsf.org/ while wolfSSLv23_method() does.
+    Reported upstream in https://github.com/wolfSSL/wolfssl/issues/7735.
+    curl is using wolfTLS_client_method() with recent wolfSSL versions
+    as well so this seems to be the way to go.
+  - wolfssl: Warn if HAVE_SECURE_RENEGOTIATION is unavailable
+    and don't suggest to use HAVE_RENEGOTIATION_INDICATION instead.
+  - show-status template: Add links for external (de)compression libraries.
+  - If the server sends multiple Connection headers, only parse and
+    forward the first one.
+  - create_hexadecimal_hash_of_host(): Use snprintf() instead of sprint()
+    Silences a warning on OpenBSD.
+  - Also log the listening address and port the request came in on.
+  - Added periods to a couple of log messages.
+  - Removed support for pcre1.
+  - configure.in: Removed obsolete warning if OpenSSL is detected.
+    Recent OpenSSL versions are licensed under the Apache 2 license so
+    the "special exception" from section 3 of the GPLv2 isn't needed
+    and a Privoxy binary linked to OpenSSL can be distributed under the
+    GPLv3 or later.
+  - init_domain_components(): Assert that the http->dbuffer and http->dvec
+    are NULL to detect memory leaks earlier.
+
+- Bug fixes:
+  - openssl: Don't call SSL_set_tlsext_host_name() if the host is an IP address
+    With LibreSSl the call simply fails and with OpenSSL the call
+    succeeds but results in an syntactically incorrect ClientHello
+    a server may object to. While at it, add the host name to the error message.
+  - Don't forward connection options Privoxy doesn't understand.
+  - Look for the "keep-alive" keyword more carefully in Connection headers.
+    Previously connections were not kept alive if the Connection header
+    contained additional keywords like "Upgrade".
+  - If the MS IIS5 hack fails, only send the error response if we're buffering content
+    Previously the error response was also sent if the client already
+    received the HTTP headers from the server.
+  - Fix compilation when configured with --disable-ipv6-support.
+    Submitted by Luca Broglio.
+  - Fixed detection and use of pcre2.h from a subdirectory.
+    SF bug #946. Patch submitted by Jakub Kulik.
+  - Properly handle IPv6 addresses in the Host header.
+    Reported by Joshua Rogers.
+  - socks4_connect(): Fix the dstsize passed to strlcpy() in case of socks4a.
+    Previously Privoxy would substract sizeof(struct socks_op) twice
+    as it's already part of csiz. While this was wrong it didn't
+    cause any actual problems as the buffer size is so large that
+    it didn't matter. Reported by Joshua Rogers.
+  - error_response(): Prevent a theoretical memory leak. Reported by Joshua Rogers.
+  - log_error(): Fix a segmentation fault when logging %E on a platform that
+    isn't Windows and doesn't have strerror(). Reported by Joshua Rogers.
+  - accept_connection(): Fix memory and socket leak if the server name and
+    port number ASCII decimal representation don't fit. This is not expected
+    to happen. Reported by Joshua Rogers.
+  - parse_http_url(): Fail if no host is found when we expected one.
+    This can happen in case of invalid requests in which case
+    Privoxy previously would leak a couple of bytes of memory.
+
+- Action file improvements:
+  - Prevent a fingerprinting issue with various login pages by not handling
+    the requests as image requests or fast-redirecting them. Without the added
+    section a request to a blocked or redirected login URL could be misdetected
+    by third parties as the user being logged in to the given site, thus making
+    fingerprinting Privoxy users easier. Note that this does not prevent the
+    fingerprinting issue if the client is actually logged in. For details see:
+    https://robinlinus.github.io/socialmedia-leak/
+    Doing that would probably be too invasive for a default configuration.
+  - Stop downgrading the HTTP version for port 631. It was supposed to work
+    around a problem with the CUPS webinterface but about 20 years later we
+    probably don't need it anymore ...
+  - Fix sticky actions for .flickr.com to match the action section.
+  - Remove an action section without an URL pattern.
+  - Disable fast-redirects for .bahn.de/
+  - Disable fast-redirects for report.error-report.com/
+  - Unblock metrics.1aeo.com/
+  - Unblock .crates.io/
+  - Block requests for mv.outbrain.com/
+  - Disable filter{banners-by-size} for .jwz.org/
+  - Disable deanimate-gifs for .githubusercontent.com/
+  - Disable the banners-by-size filter for github.com
+  - Widen block pattern from 'metrics.' to '.metricts.'
+  - Add +server-header-tagger{content-type} to all standard settings.
+
+- Filter improvements:
+  - Update imdb filter to remove wasted space below the search field.
+  - Update bundeswehr.de filter to be effective again.
+  - Removed the obsolete ie-exploits filter. It didn't actually reliably
+    protect against Nimda, there never were active maintainers and IE is
+    obsolete anyway. Also some virus scanners seem to be offended by the
+    test case for the filter in the source tarball.
+
+- Privoxy-Log-Parser:
+  - Bumped version to 0.9.7.
+  - Fully highlight: Accepted connection from 127.0.0.1 on socket 9 connected through 127.0.1.1:8118.
+  - Highlight: Socket 8 timed out while waiting for client headers
+  - Highlight: 'Giving up draining socket 35.'
+  - Highlight: "Tagger 'http-method' didn't add tag 'POST': suppressed"
+  - Highlight: 'Skipped filter 'banners-by-size' after job number 1: match limit exceeded (-47)'
+
+- uagen:
+  - Bumped version to 0.1.7
+  - Bumped BROWSER_VERSION and BROWSER_REVISION to match Firefox ESR 140.
+
+- Documentation:
+  - Updated license info to deal with wolfSSL's license change to GPLv3.
+  - Added new FAQ: 'Is the Privoxy source tarball infected by a virus?'.
+  - Removed claims that path matching can be turned case-sensitive.
+    The suggested method didsn't actually work.
+
+- Website improvements:
+  - GNUmakefile.in: Add a web-robots.txt target to only transfer the robots.txt to the SF server.
+  - robots.txt: Disallow /gitweb to hopefully reduce the load on the webserver
+  - robots.txt: Remvoe stray empty lines
+  - Added a vanity onion address for the privoxy.org onion service.
+
+- Tests:
+  - Updated test framework to work with recent (rc-8_18_0-3) cts upstream tests.
+  - tests/cts/run-privoxy-tests.sh: Pass arguments that follow "--" to
+    runtests-wrapper.sh so they can be passed to runtests.pl.
+    This allows to only run a single test without modifying the scripts:
+        ./run-privoxy-tests.sh -t upstream-tests -- 473
+  - run-privoxy-tests.sh: Explicitly log if there were no errors.
+  - run-privoxy-tests.sh: Continue testing if a test in a test scenario fails.
+  - runtests-wrapper.sh: Explicitly set the path to the curl binary
+    using an absolute path. Otherwise runtests.pl uses a relative
+    path in its output which can be confusing.
+  - runtests-wrapper.sh: Improve a log message.
+  - Disable the forward-to-socks-proxy and forward-to-http-proxy scenarios
+    for now. Since curl commit d39db811929f the port randomisation can no
+    longer be disabled by the injected module so the tests don't work at the
+    moment. Discussion on the curl library mailinglist didn't result in
+    a solution (https://curl.se/mail/lib-2025-08/0000.html).
+  - tests/cts: Remove 'none' server section from tests.
+    It's no longer supported as of curl commit 71c9706959cb.
+  - run-privoxy-tests.sh: Print supported arguments in case of invalid ones.
+  - Add a test for the bundeswehr.de filter.
+  - tests/cts/gzip-compression/data/test13: Fix repetitive sequence by adding a missing %.
+  - Add a couple of tests for connection headers with keep-alive-timeout set.
+  - Add fetch test for the How-Tos in the user manual.
+  - ../privoxy-runtests.pm: Prevent warning if $_ is undefined.
+  - tests/cts/runtests-wrapper.sh: Stop explicitly setting HOSTIP.
+    It doesn't work with curl master at the moment.
+  - Let the "clean" target remove logs from the cts tests.
+  - .../content-filters/content-filters.action: Remove duplicate action section.
+
 *** Version 4.0.0 stable ***
 
 - Bug fixes:
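Review bot: In the "Action file improvements" list, the entry "Widen block pattern from 'metrics.' to '.metricts.'" appears to misspell the new pattern, so a reader cannot tell from the ChangeLog which hosts are now blocked; please quote the pattern exactly as it appears in the action file. Under "General improvements", "Use snprintf() instead of sprint()" presumably means sprintf(). Smaller typos in the added text are worth fixing before the release: "LibreSSl", "an syntactically incorrect ClientHello", "substract", "didsn't" and "Remvoe". In the fingerprinting entry, the sentence "Doing that would probably be too invasive for a default configuration." comes after the URL, which leaves its antecedent unclear; it reads correctly if moved directly after the sentence ending "if the client is actually logged in."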

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

