[Privoxy-commits] [privoxy] 03/03: Update announcement for Privoxy 4.1.0
User Git
git at git.privoxy.org
Fri Jan 2 14:34:29 CET 2026
This is an automated email from the git hooks/post-receive script.
git pushed a commit to branch master
in repository privoxy.
commit 481b2322909dd35158882064f2267f696461e333
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Thu Jan 1 19:45:17 2026 +0100
Update announcement for Privoxy 4.1.0
---
doc/webserver/announce.txt | 286 ++++++++++++++++++++++-----------------------
1 file changed, 143 insertions(+), 143 deletions(-)
diff --git a/doc/webserver/announce.txt b/doc/webserver/announce.txt
index d8d5ba30..78e2a908 100644
--- a/doc/webserver/announce.txt
+++ b/doc/webserver/announce.txt
@@ -1,160 +1,160 @@
- Announcing Privoxy 4.0.0 stable
+ Announcing Privoxy 4.1.0 stable
--------------------------------------------------------------------
-Privoxy 4.0.0 fixes a few minor bugs and comes with a couple of
-general improvements and new features. HTTPS inspection is no
-longer considered experimental.
-
-Two new features have been funded by donations. If you can,
-please consider making a donation to support future improvements.
+Privoxy 4.1.0 fixes a few minor bugs and brings ZStandard-decompression
+support and a couple of general improvements.
--------------------------------------------------------------------
-ChangeLog for Privoxy 4.0.0
+ChangeLog for Privoxy 4.1.0
--------------------------------------------------------------------
-- Bug fixes:
- - Add missing client-body-tagger data to the action_type_info[] struct
- so lookups based on the action index work correctly again.
- Prevents assertion failures or segfaults when trying to edit
- an action file with the CGI editor.
- The type of failure depended on whether or not assertions
- were enabled and on whether or not Privoxy had been compiled
- with FEATURE_EXTERNAL_FILTERS.
- Regression introduced in Privoxy 3.0.34.
- Patch submitted by Aaron Li in #940.
- - Bump MAX_FILTER_TYPES which should have been done in d128e6aa4
- when introducing the client-body-tagger{} action.
- Prevents an assertion in cgi_edit_actions_for_url() from triggering
- after e32d03e0 when using the CGI editor with assertions enabled.
- - is_untrusted_url(): Search the encrypted headers for the Referer
- when the client is using https and https inspection is enabled.
- Fixes the trust mechanism for https requests.
- Reported by Laurent Caumont in #1767.
- - GNUMakefile.in: Let the install target work if no group is specified.
- - GNUMakefile.in: Set GROUP_T when installing configuration files as root
- and there is no privoxy user available so the install target doesn't
- fail. Patch by Fabrice Fontaine.
- - GNUmakefile.in: Don't exit if configuration files are installed as root
- as this can be considered acceptable when cross-compiling
- Privoxy inside an autobuilder with only a root user.
- Patch by Fabrice Fontaine.
- - configure.in: Fix argument types in gmtime_r() and localtime_r() probes.
- Otherwise these probes always fail with stricter compilers
- even if there is C library support for these functions.
- Patch submitted by Florian Weimer in SF#149.
- - Fix socks4 and socks4a support under glibc's source fortification.
- With glibc's source fortification, gcc offers the compilation warning
- resulting in a runtime abort() when using a socks4 or socks4a upstream proxy.
- Despite the warning, the strlcpy() call in question is fine: gcc
- misidentifies the size of the destination buffer, estimating to hold
- only a single char while in fact the buffer stretches beyond the end of
- the struct socks_op.
- The issue was originally reported in the NixOS issue tracker at
- https://github.com/NixOS/nixpkgs/issues/265654
- prompted by an upgrade of glibc from 2.37-39 to 2.38-0.
- Patch submitted by Ingo Blechschmid, joint work with
- @esclear and @richi235.
-
- General improvements:
- - Allow to use wolfSSL for https inspection.
- wolfSSL supports TLS 1.3 and can be significantly faster than
- mbedTLS. Mainly tested on ElectroBSD amd64 where it can compete
- with OpenSSL and LibreSSL:
- https://www.fabiankeil.de/gehacktes/privoxy-tls-benchmarks/
- To enable the support, install wolfSSL and run ./configure
- with the --with-wolfssl option.
- Sponsored by Privoxy project funds collected at SPI.
- - Add an test framework that leverages the curl test suite.
- Sponsored by Privoxy project funds collected at SPI.
- - Add pcre2 support. Closes bug #935.
- Initial patch submitted by Gagan Sidhu.
- - Use SHA256 as hash algorithm for the certificate and key file names
- instead of MD5. The known MD5 vulnerabilities shouldn't matter for
- Privoxy's use case but it doesn't hurt to use a hash algorithm that
- isn't deprecated.
- Sponsored by: Robert Klemme
- - Add support for mbedTLS 3.x. This removes a sanity check
- (whether issuer key and issuer certificate match) that seems
- overly cautious and fails to compile with mbedTLS 3.x as the
- struct members are private. We don't have an equivalent check
- in the OpenSSL or wolfSSL code either.
- - Factor out newer_privoxy_version_required() and improve the logic
- Previously 3.0.11 was considered newer than 4.0.0.
- - init_error_log(): Include the reason for failures to open the log file.
- - create_client_ssl_connection(): Don't keep the certificate lock
- longer than necessary.
- - Add periods to a bunch of log messages.
- - normalize_lws(): Only log the 'Reducing whitespace ...' message
- once per header
- - log_error() Win32: Only call LogShowActivity() for debug level
- LOG_LEVEL_REQUEST. As of b94bbe62a950, which was part of Privoxy 3.0.29,
- LOG_LEVEL_REQUEST is used for all requests including crunched ones.
- Previously LogShowActivity() was called twice for crunched
- requests, (presumably) resulting in an aborted animation.
- - Remove ./ prefix from tarball-dist files.
- - create_client_ssl_connection(): Make it more obvious from an
- error message that a function failed.
- - Use stringify() instead of section_target() and remove section_target().
- Like the XXX comment suggested this could be done my moving the hash
- into the templates which seems preferable anyway.
- - Prevent some compiler warnings.
- - parse_numeric_value(): Expect a base-ten number.
- - windows/MYconfigure: Have gcc diagnostics in color.
+ - Add Zstandard-decompression support.
+ - compile_pattern(): Use pcre2_get_error_message() to provide better error messages.
+ - wolfssl: Use wolfTLS_client_method() instead of wolfSSLv23_method()
+ when creating the connection to the server. Allows to connect to
+ https://media.ccc.de/ and https://traxxas.com/ while wolfSSLv23_method()
+ currently doesn't (wolfSSL 5.8.4). Unfortunately this does not allow to
+ connect to https://www.fsf.org/ while wolfSSLv23_method() does.
+ Reported upstream in https://github.com/wolfSSL/wolfssl/issues/7735.
+ curl is using wolfTLS_client_method() with recent wolfSSL versions
+ as well so this seems to be the way to go.
+ - wolfssl: Warn if HAVE_SECURE_RENEGOTIATION is unavailable
+ and don't suggest to use HAVE_RENEGOTIATION_INDICATION instead.
+ - show-status template: Add links for external (de)compression libraries.
+ - If the server sends multiple Connection headers, only parse and
+ forward the first one.
+ - create_hexadecimal_hash_of_host(): Use snprintf() instead of sprint()
+ Silences a warning on OpenBSD.
+ - Also log the listening address and port the request came in on.
+ - Added periods to a couple of log messages.
+ - Removed support for pcre1.
+ - configure.in: Removed obsolete warning if OpenSSL is detected.
+ Recent OpenSSL versions are licensed under the Apache 2 license so
+ the "special exception" from section 3 of the GPLv2 isn't needed
+ and a Privoxy binary linked to OpenSSL can be distributed under the
+ GPLv3 or later.
+ - init_domain_components(): Assert that the http->dbuffer and http->dvec
+ are NULL to detect memory leaks earlier.
+
+- Bug fixes:
+ - openssl: Don't call SSL_set_tlsext_host_name() if the host is an IP address
+ With LibreSSl the call simply fails and with OpenSSL the call
+ succeeds but results in an syntactically incorrect ClientHello
+ a server may object to. While at it, add the host name to the error message.
+ - Don't forward connection options Privoxy doesn't understand.
+ - Look for the "keep-alive" keyword more carefully in Connection headers.
+ Previously connections were not kept alive if the Connection header
+ contained additional keywords like "Upgrade".
+ - If the MS IIS5 hack fails, only send the error response if we're buffering content
+ Previously the error response was also sent if the client already
+ received the HTTP headers from the server.
+ - Fix compilation when configured with --disable-ipv6-support.
+ Submitted by Luca Broglio.
+ - Fixed detection and use of pcre2.h from a subdirectory.
+ SF bug #946. Patch submitted by Jakub Kulik.
+ - Properly handle IPv6 addresses in the Host header.
+ Reported by Joshua Rogers.
+ - socks4_connect(): Fix the dstsize passed to strlcpy() in case of socks4a.
+ Previously Privoxy would substract sizeof(struct socks_op) twice
+ as it's already part of csiz. While this was wrong it didn't
+ cause any actual problems as the buffer size is so large that
+ it didn't matter. Reported by Joshua Rogers.
+ - error_response(): Prevent a theoretical memory leak. Reported by Joshua Rogers.
+ - log_error(): Fix a segmentation fault when logging %E on a platform that
+ isn't Windows and doesn't have strerror(). Reported by Joshua Rogers.
+ - accept_connection(): Fix memory and socket leak if the server name and
+ port number ASCII decimal representation don't fit. This is not expected
+ to happen. Reported by Joshua Rogers.
+ - parse_http_url(): Fail if no host is found when we expected one.
+ This can happen in case of invalid requests in which case
+ Privoxy previously would leak a couple of bytes of memory.
- Action file improvements:
- - Block requests to .amazon-adsystem.com/
- - Block requests to 0.css-load.com/
- - Block requests to html-load.com/ and 1.html-load.com/
- - Block requests to b.6sc.co/
- - Block requests to i.clean.gg/
- - Block requests to s.cpx.to/
- - Block requests to track.venatusmedia.com/
- - Block requests to secure-eu.nmrodam.com/
- - Block requests to o2.mouseflow.com/
- - Disable fast-redirects for services.akteneinsichtsportal.de/
- - Disable fast-redirects for /wp-content/plugins/pdf-viewer-for-elementor
- - Disable fast-redirects for syndication.twitter.com/
- - Disable fast-redirects for archive.softwareheritage.org/
- - Disable fast-redirects to duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/
- - Disable fast-redirects for .creator-spring.com/_next/image
- - Disable fast redirects for accounts.bahn.de/
- - Unblock .datenschmutz.de/
- - Unblock requests for 'adventur*.'
- - Unblock adl.windows.com/
- as it is apparently required to update from Windows 10 to 11.
- Reported by Sam Varshavchik.
+ - Prevent a fingerprinting issue with various login pages by not handling
+ the requests as image requests or fast-redirecting them. Without the added
+ section a request to a blocked or redirected login URL could be misdetected
+ by third parties as the user being logged in to the given site, thus making
+ fingerprinting Privoxy users easier. Note that this does not prevent the
+ fingerprinting issue if the client is actually logged in. For details see:
+ https://robinlinus.github.io/socialmedia-leak/
+ Doing that would probably be too invasive for a default configuration.
+ - Stop downgrading the HTTP version for port 631. It was supposed to work
+ around a problem with the CUPS webinterface but about 20 years later we
+ probably don't need it anymore ...
+ - Fix sticky actions for .flickr.com to match the action section.
+ - Remove an action section without an URL pattern.
+ - Disable fast-redirects for .bahn.de/
+ - Disable fast-redirects for report.error-report.com/
+ - Unblock metrics.1aeo.com/
+ - Unblock .crates.io/
+ - Block requests for mv.outbrain.com/
+ - Disable filter{banners-by-size} for .jwz.org/
+ - Disable deanimate-gifs for .githubusercontent.com/
+ - Disable the banners-by-size filter for github.com
+ - Widen block pattern from 'metrics.' to '.metricts.'
+ - Add +server-header-tagger{content-type} to all standard settings.
+
+- Filter improvements:
+ - Update imdb filter to remove wasted space below the search field.
+ - Update bundeswehr.de filter to be effective again.
+ - Removed the obsolete ie-exploits filter. It didn't actually reliably
+ protect against Nimda, there never were active maintainers and IE is
+ obsolete anyway. Also some virus scanners seem to be offended by the
+ test case for the filter in the source tarball.
- Privoxy-Log-Parser:
- - Highlight 'Couldn't deliver the error message for [...]'.
- - Highlight 'Failed to accept() incoming connection: Software caused connection abort'.
- - Highlight 'Keeping chunk offset at 0 despite flushing 31 bytes.'.
- - Highlight 'Not shutting down client connection on socket 8. The socket is no longer alive.'.
- - Bump version to 0.9.6.
-
-- Privoxy-Regression-Test.pl:
- - Let the --min-level option increase the --max-level
- if the latter is smaller than the former.
- - Add --curl option to use a non-default curl binary.
- - Bump version to 0.7.5.
+ - Bumped version to 0.9.7.
+ - Fully highlight: Accepted connection from 127.0.0.1 on socket 9 connected through 127.0.1.1:8118.
+ - Highlight: Socket 8 timed out while waiting for client headers
+ - Highlight: 'Giving up draining socket 35.'
+ - Highlight: "Tagger 'http-method' didn't add tag 'POST': suppressed"
+ - Highlight: 'Skipped filter 'banners-by-size' after job number 1: match limit exceeded (-47)'
- uagen:
- - Bump BROWSER_VERSION and BROWSER_REVISION to match Firefox ESR 128.
- - Bump version to 1.2.6.
+ - Bumped version to 0.1.7
+ - Bumped BROWSER_VERSION and BROWSER_REVISION to match Firefox ESR 140.
- Documentation:
- - Add HOWTOs for https inspection and client-tags to user-manual.
- - Suggest to use the force-text-mode action when filtering binary content
- with external filters.
- - Declare https-inspection non-experimental.
- - FAQ: Mention that Privoxy Moral Licenses are available as well.
- - Fix LibreSSL URL.
- - Update perlre perldoc URL.
- - config: Add SOCKS 5 to the list of supported protocols.
- - In the Windows build section, note that one only needs tidy
- to build the docs. If you're not building the docbook stuff you
- don't need tidy.
- - trust: Use the words 'allowlists' and 'blocklists'
- instead of "whitelists" and "blacklists" which some
- people consider to be less inclusive.
+ - Updated license info to deal with wolfSSL's license change to GPLv3.
+ - Added new FAQ: 'Is the Privoxy source tarball infected by a virus?'.
+ - Removed claims that path matching can be turned case-sensitive.
+ The suggested method didn't actually work.
+
+- Website improvements:
+ - GNUmakefile.in: Add a web-robots.txt target to only transfer the robots.txt to the SF server.
+ - robots.txt: Disallow /gitweb to hopefully reduce the load on the webserver
+ - robots.txt: Remove stray empty lines
+ - Added a vanity onion address for the privoxy.org onion service.
+
+- Tests:
+ - Updated test framework to work with recent (rc-8_18_0-3) cts upstream tests.
+ - tests/cts/run-privoxy-tests.sh: Pass arguments that follow "--" to
+ runtests-wrapper.sh so they can be passed to runtests.pl.
+ This allows to only run a single test without modifying the scripts:
+ ./run-privoxy-tests.sh -t upstream-tests -- 473
+ - run-privoxy-tests.sh: Explicitly log if there were no errors.
+ - run-privoxy-tests.sh: Continue testing if a test in a test scenario fails.
+ - runtests-wrapper.sh: Explicitly set the path to the curl binary
+ using an absolute path. Otherwise runtests.pl uses a relative
+ path in its output which can be confusing.
+ - runtests-wrapper.sh: Improve a log message.
+ - Disable the forward-to-socks-proxy and forward-to-http-proxy scenarios
+ for now. Since curl commit d39db811929f the port randomisation can no
+ longer be disabled by the injected module so the tests don't work at the
+ moment. Discussion on the curl library mailinglist didn't result in
+ a solution (https://curl.se/mail/lib-2025-08/0000.html).
+ - tests/cts: Remove 'none' server section from tests.
+ It's no longer supported as of curl commit 71c9706959cb.
+ - run-privoxy-tests.sh: Print supported arguments in case of invalid ones.
+ - Add a test for the bundeswehr.de filter.
+ - tests/cts/gzip-compression/data/test13: Fix repetitive sequence by adding a missing %.
+ - Add a couple of tests for connection headers with keep-alive-timeout set.
+ - Add fetch test for the How-Tos in the user manual.
+ - ../privoxy-runtests.pm: Prevent warning if $_ is undefined.
+ - tests/cts/runtests-wrapper.sh: Stop explicitly setting HOSTIP.
+ It doesn't work with curl master at the moment.
+ - Let the "clean" target remove logs from the cts tests.
+ - .../content-filters/content-filters.action: Remove duplicate action section.
-----------------------------------------------------------------
About Privoxy:
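Review bot: the uagen entry's added line "Bumped version to 0.1.7" follows a removed line that gave the previous version as 1.2.6, so the new number goes backwards and looks mistyped; please check it against the version string in the script before the announcement goes out. Several other added lines need a spelling pass: "sprint()" in the create_hexadecimal_hash_of_host() entry should presumably be sprintf(), "LibreSSl" and "an syntactically incorrect" in the SSL_set_tlsext_host_name() entry, "substract" in the socks4_connect() entry, and "'.metricts.'" in the widened block pattern entry, which should be compared with the pattern actually used in the action file. In the login-page fingerprinting entry, the sentence "Doing that would probably be too invasive for a default configuration." is separated from the sentence it refers to by the "For details see:" URL; moving it up to directly follow "if the client is actually logged in." would make the referent clear. The new entries also mix imperative ("Add", "Fix") and past tense ("Added", "Removed", "Bumped"), where the replaced 4.0.0 text used the imperative throughout.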
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.