[Privoxy-commits] [privoxy] 13/23: Update SGML ChangeLog for Privoxy 4.1.0
User Git
git at git.privoxy.org
Thu Jan 1 15:56:10 CET 2026
This is an automated email from the git hooks/post-receive script.
git pushed a commit to branch master
in repository privoxy.
commit 8770e57a4a4a91d5aa0ef16218fb21ec086c64d2
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Thu Jan 1 13:56:15 2026 +0100
Update SGML ChangeLog for Privoxy 4.1.0
---
doc/source/changelog.sgml | 385 ++++++++++++++++++++++++++--------------------
1 file changed, 215 insertions(+), 170 deletions(-)
diff --git a/doc/source/changelog.sgml b/doc/source/changelog.sgml
index 26f793d6..bc2d6e2f 100644
--- a/doc/source/changelog.sgml
+++ b/doc/source/changelog.sgml
@@ -24,216 +24,178 @@
-->
<para>
- <application>Privoxy 4.0.0</application> fixes a few
- minor bugs and comes with a couple of general improvements
- and new features. HTTPS inspection is no
- longer considered experimental.
+ <application>Privoxy 4.1.0</application> fixes a few
+ minor bugs and brings ZStandard-decompression support and
+ a couple of general improvements.
</para>
<para>
- Two new features have been funded by donations. If you can,
- please consider
- <ulink url="https://www.privoxy.org/donate">making a donation</ulink>
- to support future improvements.
-</para>
-<para>
- Changes in <application>Privoxy 4.0.0</application> stable:
+ Changes in <application>Privoxy 4.1.0</application> stable:
</para>
<para>
<itemizedlist>
<listitem>
<para>
- Bug fixes:
+ General improvements:
<itemizedlist>
<listitem>
<para>
- Add missing client-body-tagger data to the action_type_info[] struct
- so lookups based on the action index work correctly again.
- Prevents assertion failures or segfaults when trying to edit
- an action file with the CGI editor.
- The type of failure depended on whether or not assertions
- were enabled and on whether or not Privoxy had been compiled
- with FEATURE_EXTERNAL_FILTERS.
- Regression introduced in Privoxy 3.0.34.
- Patch submitted by Aaron Li in #940.
+ Add Zstandard-decompression support.
</para>
</listitem>
<listitem>
<para>
- Bump MAX_FILTER_TYPES which should have been done in d128e6aa4
- when introducing the client-body-tagger{} action.
- Prevents an assertion in cgi_edit_actions_for_url() from triggering
- after e32d03e0 when using the CGI editor with assertions enabled.
+ compile_pattern(): Use pcre2_get_error_message() to provide better error messages.
</para>
</listitem>
<listitem>
<para>
- is_untrusted_url(): Search the encrypted headers for the Referer
- when the client is using https and https inspection is enabled.
- Fixes the trust mechanism for https requests.
- Reported by Laurent Caumont in #1767.
+ wolfssl: Use wolfTLS_client_method() instead of wolfSSLv23_method()
+ when creating the connection to the server. Allows to connect to
+ <ulink url="https://media.ccc.de/"></ulink> and <ulink url="https://traxxas.com/">https://traxxas.com/</ulink> while wolfSSLv23_method()
+ currently doesn't (wolfSSL 5.8.4). Unfortunately this does not allow to
+ connect to <ulink url="https://www.fsf.org/">https://www.fsf.org/</ulink> while wolfSSLv23_method() does.
+ Reported upstream in <ulink url="https://github.com/wolfSSL/wolfssl/issues/7735">https://github.com/wolfSSL/wolfssl/issues/7735</ulink>.
+ curl is using wolfTLS_client_method() with recent wolfSSL versions
+ as well so this seems to be the way to go.
</para>
</listitem>
<listitem>
<para>
- GNUMakefile.in: Let the install target work if no group is specified.
+ wolfssl: Warn if HAVE_SECURE_RENEGOTIATION is unavailable
+ and don't suggest to use HAVE_RENEGOTIATION_INDICATION instead.
</para>
</listitem>
<listitem>
<para>
- GNUMakefile.in: Set GROUP_T when installing configuration files as root
- and there is no privoxy user available so the install target doesn't
- fail. Patch by Fabrice Fontaine.
+ show-status template: Add links for external (de)compression libraries.
</para>
</listitem>
<listitem>
<para>
- GNUmakefile.in: Don't exit if configuration files are installed as root
- as this can be considered acceptable when cross-compiling
- Privoxy inside an autobuilder with only a root user.
- Patch by Fabrice Fontaine.
+ If the server sends multiple Connection headers, only parse and
+ forward the first one.
</para>
</listitem>
<listitem>
<para>
- configure.in: Fix argument types in gmtime_r() and localtime_r() probes.
- Otherwise these probes always fail with stricter compilers
- even if there is C library support for these functions.
- Patch submitted by Florian Weimer in SF#149.
+ create_hexadecimal_hash_of_host(): Use snprintf() instead of sprint()
+ Silences a warning on OpenBSD.
</para>
</listitem>
<listitem>
<para>
- Fix socks4 and socks4a support under glibc's source fortification.
- With glibc's source fortification, gcc offers the compilation warning
- resulting in a runtime abort() when using a socks4 or socks4a upstream proxy.
- Despite the warning, the strlcpy() call in question is fine: gcc
- misidentifies the size of the destination buffer, estimating to hold
- only a single char while in fact the buffer stretches beyond the end of
- the struct socks_op.
- The issue was originally reported in the
- <ulink url="https://github.com/NixOS/nixpkgs/issues/265654">NixOS
- issue tracker</ulink> prompted by an upgrade of glibc from 2.37-39 to 2.38-0.
- Patch submitted by Ingo Blechschmid, joint work with
- @esclear and @richi235.
- </para>
- </listitem>
- </itemizedlist>
- </para>
- </listitem>
- <listitem>
- <para>
- General improvements:
- <itemizedlist>
- <listitem>
- <para>
- Allow to use wolfSSL for https inspection.
- wolfSSL supports TLS 1.3 and can be significantly faster than
- mbedTLS. Mainly tested on ElectroBSD amd64 where it can
- <ulink url="https://www.fabiankeil.de/gehacktes/privoxy-tls-benchmarks/">compete
- with OpenSSL and LibreSSL</ulink>
- To enable the support, install wolfSSL and run ./configure
- with the --with-wolfssl option.
- Sponsored by Privoxy project funds collected at SPI.
+ Also log the listening address and port the request came in on.
</para>
</listitem>
<listitem>
<para>
- Add an test framework that leverages the curl test suite.
- Sponsored by Privoxy project funds collected at SPI.
+ Added periods to a couple of log messages.
</para>
</listitem>
<listitem>
<para>
- Add pcre2 support. Closes bug #935.
- Initial patch submitted by Gagan Sidhu.
+ Removed support for pcre1.
</para>
</listitem>
<listitem>
<para>
- Use SHA256 as hash algorithm for the certificate and key file names
- instead of MD5. The known MD5 vulnerabilities shouldn't matter for
- Privoxy's use case but it doesn't hurt to use a hash algorithm that
- isn't deprecated.
- Sponsored by: Robert Klemme
+ configure.in: Removed obsolete warning if OpenSSL is detected.
+ Recent OpenSSL versions are licensed under the Apache 2 license so
+ the "special exception" from section 3 of the GPLv2 isn't needed
+ and a Privoxy binary linked to OpenSSL can be distributed under the
+ GPLv3 or later.
</para>
</listitem>
<listitem>
<para>
- Add support for mbedTLS 3.x. This removes a sanity check
- (whether issuer key and issuer certificate match) that seems
- overly cautious and fails to compile with mbedTLS 3.x as the
- struct members are private. We don't have an equivalent check
- in the OpenSSL or wolfSSL code either.
+ init_domain_components(): Assert that the http->dbuffer and http->dvec
+ are NULL to detect memory leaks earlier.
</para>
- </listitem>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Bug fixes:
+ <itemizedlist>
<listitem>
<para>
- Factor out newer_privoxy_version_required() and improve the logic
- Previously 3.0.11 was considered newer than 4.0.0.
+ openssl: Don't call SSL_set_tlsext_host_name() if the host is an IP address
+ With LibreSSl the call simply fails and with OpenSSL the call
+ succeeds but results in an syntactically incorrect ClientHello
+ a server may object to. While at it, add the host name to the error message.
</para>
</listitem>
<listitem>
<para>
- init_error_log(): Include the reason for failures to open the log file.
+ Don't forward connection options Privoxy doesn't understand.
</para>
</listitem>
<listitem>
<para>
- create_client_ssl_connection(): Don't keep the certificate lock
- longer than necessary.
+ Look for the "keep-alive" keyword more carefully in Connection headers.
+ Previously connections were not kept alive if the Connection header
+ contained additional keywords like "Upgrade".
</para>
</listitem>
<listitem>
<para>
- Add periods to a bunch of log messages.
+ If the MS IIS5 hack fails, only send the error response if we're buffering content
+ Previously the error response was also sent if the client already
+ received the HTTP headers from the server.
</para>
</listitem>
<listitem>
<para>
- normalize_lws(): Only log the 'Reducing whitespace ...' message
- once per header
+ Fix compilation when configured with --disable-ipv6-support.
+ Submitted by Luca Broglio.
</para>
</listitem>
<listitem>
<para>
- log_error() Win32: Only call LogShowActivity() for debug level
- LOG_LEVEL_REQUEST. As of b94bbe62a950, which was part of Privoxy 3.0.29,
- LOG_LEVEL_REQUEST is used for all requests including crunched ones.
- Previously LogShowActivity() was called twice for crunched
- requests, (presumably) resulting in an aborted animation.
+ Fixed detection and use of pcre2.h from a subdirectory.
+ SF bug #946. Patch submitted by Jakub Kulik.
</para>
</listitem>
<listitem>
<para>
- Remove ./ prefix from tarball-dist files.
+ Properly handle IPv6 addresses in the Host header.
+ Reported by Joshua Rogers.
</para>
</listitem>
<listitem>
<para>
- create_client_ssl_connection(): Make it more obvious from an
- error message that a function failed.
+ socks4_connect(): Fix the dstsize passed to strlcpy() in case of socks4a.
+ Previously Privoxy would substract sizeof(struct socks_op) twice
+ as it's already part of csiz. While this was wrong it didn't
+ cause any actual problems as the buffer size is so large that
+ it didn't matter. Reported by Joshua Rogers.
</para>
</listitem>
<listitem>
<para>
- Use stringify() instead of section_target() and remove section_target().
- Like the XXX comment suggested this could be done my moving the hash
- into the templates which seems preferable anyway.
+ error_response(): Prevent a theoretical memory leak. Reported by Joshua Rogers.
</para>
</listitem>
<listitem>
<para>
- Prevent some compiler warnings.
+ log_error(): Fix a segmentation fault when logging %E on a platform that
+ isn't Windows and doesn't have strerror(). Reported by Joshua Rogers.
</para>
</listitem>
<listitem>
<para>
- parse_numeric_value(): Expect a base-ten number.
+ accept_connection(): Fix memory and socket leak if the server name and
+ port number ASCII decimal representation don't fit. This is not expected
+ to happen. Reported by Joshua Rogers.
</para>
</listitem>
<listitem>
<para>
- windows/MYconfigure: Have gcc diagnostics in color.
+ parse_http_url(): Fail if no host is found when we expected one.
+ This can happen in case of invalid requests in which case
+ Privoxy previously would leak a couple of bytes of memory.
</para>
</listitem>
</itemizedlist>
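Review bot: The first ulink in the wolfssl entry, `<ulink url="https://media.ccc.de/"></ulink>`, has no link text, while every other ulink in this hunk repeats the URL as its content; give it the same content so the sentence does not depend on how the stylesheet renders an empty element. In the create_hexadecimal_hash_of_host() entry, "sprint()" looks like a typo for sprintf(), and that line, the SSL_set_tlsext_host_name() summary line and the MS IIS5 summary line are each missing a closing period before the next sentence. Smaller wording points in the added lines: "LibreSSl", "an syntactically incorrect", "substract", and "ZStandard" in the intro versus "Zstandard" in the list item.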
@@ -245,99 +207,106 @@
<itemizedlist>
<listitem>
<para>
- Block requests to .amazon-adsystem.com/
- </para>
- </listitem>
- <listitem>
- <para>
- Block requests to 0.css-load.com/
+ Prevent a fingerprinting issue with various login pages by not handling
+ the requests as image requests or fast-redirecting them. Without the added
+ section a request to a blocked or redirected login URL could be misdetected
+ by third parties as the user being logged in to the given site, thus making
+ fingerprinting Privoxy users easier. Note that this does not prevent the
+ fingerprinting issue if the client is actually logged in. For details see
+ <ulink url="https://robinlinus.github.io/socialmedia-leak/">https://robinlinus.github.io/socialmedia-leak/</ulink>.
+ Doing that would probably be too invasive for a default configuration.
</para>
</listitem>
<listitem>
<para>
- Block requests to html-load.com/ and 1.html-load.com/
+ Stop downgrading the HTTP version for port 631. It was supposed to work
+ around a problem with the CUPS webinterface but about 20 years later we
+ probably don't need it anymore ...
</para>
</listitem>
<listitem>
<para>
- Block requests to b.6sc.co/
+ Fix sticky actions for .flickr.com to match the action section.
</para>
</listitem>
<listitem>
<para>
- Block requests to i.clean.gg/
+ Remove an action section without an URL pattern.
</para>
</listitem>
<listitem>
<para>
- Block requests to s.cpx.to/
+ Disable fast-redirects for .bahn.de/
</para>
</listitem>
<listitem>
<para>
- Block requests to track.venatusmedia.com/
+ Disable fast-redirects for report.error-report.com/
</para>
</listitem>
<listitem>
<para>
- Block requests to secure-eu.nmrodam.com/
+ Unblock metrics.1aeo.com/
</para>
</listitem>
<listitem>
<para>
- Block requests to o2.mouseflow.com/
+ Unblock .crates.io/
</para>
</listitem>
<listitem>
<para>
- Disable fast-redirects for services.akteneinsichtsportal.de/
+ Block requests for mv.outbrain.com/
</para>
</listitem>
<listitem>
<para>
- Disable fast-redirects for /wp-content/plugins/pdf-viewer-for-elementor
+ Disable filter{banners-by-size} for .jwz.org/
</para>
</listitem>
<listitem>
<para>
- Disable fast-redirects for syndication.twitter.com/
+ Disable deanimate-gifs for .githubusercontent.com/
</para>
</listitem>
<listitem>
<para>
- Disable fast-redirects for archive.softwareheritage.org/
+ Disable the banners-by-size filter for github.com
</para>
</listitem>
<listitem>
<para>
- Disable fast-redirects to duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/
+ Widen block pattern from 'metrics.' to '.metricts.'
</para>
</listitem>
<listitem>
<para>
- Disable fast-redirects for .creator-spring.com/_next/image
+ Add +server-header-tagger{content-type} to all standard settings.
</para>
- </listitem>
- <listitem>
- <para>
- Disable fast redirects for accounts.bahn.de/
- </para>
- </listitem>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Filter improvements:
+ <itemizedlist>
<listitem>
<para>
- Unblock .datenschmutz.de/
+ Update imdb filter to remove wasted space below the search field.
</para>
</listitem>
<listitem>
<para>
- Unblock requests for 'adventur*.'
+ Update bundeswehr.de filter to be effective again.
</para>
</listitem>
<listitem>
<para>
- Unblock adl.windows.com/
- as it is apparently required to update from Windows 10 to 11.
- Reported by Sam Varshavchik.
+ Removed the obsolete ie-exploits filter. It didn't actually reliably
+ protect against Nimda, there never were active maintainers and IE is
+ obsolete anyway. Also some virus scanners seem to be offended by the
+ test case for the filter in the source tarball.
</para>
</listitem>
</itemizedlist>
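Review bot: In the added entry "Widen block pattern from 'metrics.' to '.metricts.'", the new pattern looks misspelled ('.metricts.' versus 'metrics.'); please check it against the pattern actually used in the action file, since a reader copying it from the ChangeLog would get a pattern that matches something else. In the login-page fingerprinting entry, the closing sentence "Doing that would probably be too invasive for a default configuration." follows the "For details see" link, so "that" has no clear antecedent; moving it directly after "Note that this does not prevent the fingerprinting issue if the client is actually logged in." would make clear what is not being done.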
@@ -349,27 +318,49 @@
<itemizedlist>
<listitem>
<para>
- Highlight 'Couldn't deliver the error message for [...]'.
+ Bumped version to 0.9.7.
</para>
</listitem>
<listitem>
<para>
- Highlight 'Failed to accept() incoming connection: Software caused connection abort'.
+ Fully highlight: Accepted connection from 127.0.0.1 on socket 9 connected through 127.0.1.1:8118.
</para>
</listitem>
<listitem>
<para>
- Highlight 'Keeping chunk offset at 0 despite flushing 31 bytes.'.
+ Highlight: Socket 8 timed out while waiting for client headers
</para>
</listitem>
<listitem>
<para>
- Highlight 'Not shutting down client connection on socket 8. The socket is no longer alive.'.
+ Highlight: 'Giving up draining socket 35.'
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Highlight: "Tagger 'http-method' didn't add tag 'POST': suppressed"
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Highlight: 'Skipped filter 'banners-by-size' after job number 1: match limit exceeded (-47)'
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ uagen:
+ <itemizedlist>
+ <listitem>
+ <para>
+ Bumped version to 0.1.7
</para>
</listitem>
<listitem>
<para>
- Bump version to 0.9.6.
+ Bumped BROWSER_VERSION and BROWSER_REVISION to match Firefox ESR 140.
</para>
</listitem>
</itemizedlist>
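Review bot: The new uagen entry says "Bumped version to 0.1.7", while the 4.0.0 uagen entry removed further down in this patch read "Bump version to 1.2.6."; please confirm which number is right, as the ChangeLog now shows the version going backwards. The added Highlight entries also quote the log messages inconsistently: two are unquoted, two use single quotes and one uses double quotes, and the 'Skipped filter ...' line nests single quotes inside single quotes. Picking one quoting style (double quotes where the message itself contains single quotes) would make it clear where each message starts and ends.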
@@ -377,22 +368,22 @@
</listitem>
<listitem>
<para>
- Privoxy-Regression-Test.pl:
+ Documentation:
<itemizedlist>
<listitem>
<para>
- Let the --min-level option increase the --max-level
- if the latter is smaller than the former.
+ Updated license info to deal with wolfSSL's license change to GPLv3.
</para>
</listitem>
<listitem>
<para>
- Add --curl option to use a non-default curl binary.
+ Added new FAQ: 'Is the Privoxy source tarball infected by a virus?'.
</para>
</listitem>
<listitem>
<para>
- Bump version to 0.7.5.
+ Removed claims that path matching can be turned case-sensitive.
+ The suggested method didsn't actually work.
</para>
</listitem>
</itemizedlist>
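Review bot: Typo in the last added Documentation entry: "The suggested method didsn't actually work." should read "didn't". The entry would also be more useful if it named the document the claims were removed from, as the other entries in this list name their subject.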
@@ -400,75 +391,129 @@
</listitem>
<listitem>
<para>
- uagen:
+ Website improvements:
<itemizedlist>
<listitem>
<para>
- Bump BROWSER_VERSION and BROWSER_REVISION to match Firefox ESR 128.
+ GNUmakefile.in: Add a web-robots.txt target to only transfer the robots.txt to the SF server.
</para>
</listitem>
<listitem>
<para>
- Bump version to 1.2.6.
+ robots.txt: Disallow /gitweb to hopefully reduce the load on the webserver
</para>
- </listitem>
+ </listitem>
+ <listitem>
+ <para>
+ robots.txt: Remvoe stray empty lines
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Added a vanity onion address for the privoxy.org onion service.
+ </para>
+ </listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
- Documentation:
+ Tests:
<itemizedlist>
<listitem>
<para>
- Add HOWTOs for https inspection and client-tags to user-manual.
+ Updated test framework to work with recent (rc-8_18_0-3) cts upstream tests.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ tests/cts/run-privoxy-tests.sh: Pass arguments that follow "--" to
+ runtests-wrapper.sh so they can be passed to runtests.pl.
+ This allows to only run a single test without modifying the scripts:
+ ./run-privoxy-tests.sh -t upstream-tests -- 473
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ run-privoxy-tests.sh: Explicitly log if there were no errors.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ run-privoxy-tests.sh: Continue testing if a test in a test scenario fails.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ runtests-wrapper.sh: Explicitly set the path to the curl binary
+ using an absolute path. Otherwise runtests.pl uses a relative
+ path in its output which can be confusing.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ runtests-wrapper.sh: Improve a log message.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Disable the forward-to-socks-proxy and forward-to-http-proxy scenarios
+ for now. Since curl commit d39db811929f the port randomisation can no
+ longer be disabled by the injected module so the tests don't work at the
+ moment. Discussion on the curl library mailinglist didn't result in
+ a solution (<ulink url="https://curl.se/mail/lib-2025-08/0000.html">https://curl.se/mail/lib-2025-08/0000.html</ulink>).
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ tests/cts: Remove 'none' server section from tests.
+ It's no longer supported as of curl commit 71c9706959cb.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ run-privoxy-tests.sh: Print supported arguments in case of invalid ones.
</para>
</listitem>
<listitem>
<para>
- Suggest to use the force-text-mode action when filtering binary content
- with external filters.
+ Add a test for the bundeswehr.de filter.
</para>
</listitem>
<listitem>
<para>
- Declare https-inspection non-experimental.
+ tests/cts/gzip-compression/data/test13: Fix repetitive sequence by adding a missing %.
</para>
</listitem>
<listitem>
<para>
- FAQ: Mention that
- <ulink url="https://www.fabiankeil.de/gehacktes/privoxy-moral-license/">Privoxy
- Moral Licenses</ulink> are available as well.
+ Add a couple of tests for connection headers with keep-alive-timeout set.
</para>
</listitem>
<listitem>
<para>
- Fix LibreSSL URL.
+ Add fetch test for the How-Tos in the user manual.
</para>
</listitem>
<listitem>
<para>
- Update perlre perldoc URL.
+ ../privoxy-runtests.pm: Prevent warning if $_ is undefined.
</para>
</listitem>
<listitem>
<para>
- config: Add SOCKS 5 to the list of supported protocols.
+ tests/cts/runtests-wrapper.sh: Stop explicitly setting HOSTIP.
+ It doesn't work with curl master at the moment.
</para>
</listitem>
<listitem>
<para>
- In the Windows build section, note that one only needs tidy
- to build the docs. If you're not building the docbook stuff you
- don't need tidy.
+ Let the "clean" target remove logs from the cts tests.
</para>
</listitem>
<listitem>
<para>
- trust: Use the words 'allowlists' and 'blocklists'
- instead of "whitelists" and "blacklists" which some
- people consider to be less inclusive.
+ .../content-filters/content-filters.action: Remove duplicate action section.
</para>
</listitem>
</itemizedlist>
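Review bot: Typo in the added website entry "robots.txt: Remvoe stray empty lines" ("Remove"), and both robots.txt entries lack the closing period the neighbouring entries have. In the run-privoxy-tests.sh entry, the example invocation "./run-privoxy-tests.sh -t upstream-tests -- 473" sits as plain text inside the para, so it will be reflowed into the preceding sentence when rendered; marking it up as a literal or putting it on a line of its own would keep the command recognisable. The two `</listitem>` lines that are removed and re-added unchanged are whitespace-only churn and could be dropped from the patch.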
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.