Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package privoxy for openSUSE:Factory checked in at 2026-06-09 14:22:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/privoxy (Old)
 and /work/SRC/openSUSE:Factory/.privoxy.new.2375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "privoxy" Tue Jun 9 14:22:36 2026 rev:64 rq:1358003 version:4.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/privoxy/privoxy.changes 2026-01-26 11:01:51.820811076 +0100 +++ /work/SRC/openSUSE:Factory/.privoxy.new.2375/privoxy.changes 2026-06-09 14:26:44.144521145 +0200 
@@ -1,0 +2,154 @@ +Sun Jun 7 10:24:48 UTC 2026 - Carsten Ziepke <[email protected]> + +- Update to version 4.2.0: + Security improvements: + * Parse the chunk-size with a dedicated function and reject "unreasonably" + large values to prevent silent truncation by sscanf(), integer overflows + and misinterpretation of the content later on. Heap buffer overflows on + platforms with 32-bit pointers were alleged as well. + Commit 5b3bb22b77. OVE-20260515-0002. Reported by @TristanInSec. + * ssl_send_certificate_error(): Store the generated message on the heap + instead of the stack to prevent an alleged segmentation fault if there + are enough certificates in the chain to exceed the stack size. + While at it, replace another variable-length array that was probably + unproblematic with a heap-based buffer as well. + Commit 4963aa4f08. OVE-20260515-0001. Reported by @TristanInSec. + Bug fixes: + * block_acl(): Ignore ACL matches when we don't have a destination yet + but the ACL requires one to match. block_acl() will be called + again later on when the destination is known from parsing the request. + Fixes SF bug #913 reported by Rainer Sokoll with confirmation from + Peter Geelhoed. + * rfc2553_connect_to(): Prevent theoretical memory disclosure through + the CGI interface if a request is rejected due to ACLs. It's theoretical + due to the previous bug in the ACL code. + * send_http_request(): Give up on the client connection if writing the + request data failed. If there's a request body Privoxy may not have + read all the data yet. The issue could be reproduced by running the + upstream curl test 1293 multiple times in a row. + * load_one_re_filterfile(): Only register content filters for statistics. + Previously all filter types were registered which wasted a bit of memory. + * Prevent unused-variable warnings when compiling with + DISABLE_PCRE_JIT_COMPILATION defined. + * cgi_show_url_info(): Remove special handling of "standard.action". 
+ General improvements: + * Add elliptic-curve-keys directive and enable it by default. + It lets Privoxy use the SN_X9_62_prime256v1 group instead of RSA when + generating website keys and certificates. This is expected to be faster + but may not be supported by older clients. The OpenSSL-specific code is + based on on a patch by Steven Smith submitted in SF#933. + * Check the listening address when deciding whether or not a client tag + matches. This allows to use different client tags for different clients + running on the same host. + * Add code to make debugging ACL rules more convenient. It can be enabled + with the new configure parameter --enable-acl-debugging. + * acl_addr(): Properly reject IPv6 addresses when compiled without RFC2553 support. + * Use separate linked lists for filters of different types to be able look up + filters more efficiently. Implements TODO item #96. + * Allow to set and unset external filters through the CGI editor. + * parse_acl_rule(): Include the config file line number in the error messages. + * wolfssl: Downgrade an error message in create_server_ssl_connection() + to LOG_LEVEL_ERROR. + * Remove useless csp member re_filterfile_short[]. + * templates: Update description of the 'unstable' conditional symbol. + * templates/url-info-osd.xml: Update address of the Privoxy developers mailing list. + * Factor parse_acl_rule() out of load_config(). + * configure.in: Don't claim that OpenSSL has been detected when it may be LibreSSL. + * configure.in: Remove code to disable pcre2. Since the removal of pcre1 + support in 24d0ff8398fdf pcre2 is no longer optional. + * Replace the term 'TLS/SSL' with 'TLS' in a bunch of places as most (all?) + supported TLS libraries default to not supporting SSL anymore. + * utils/filter2docs.pl: Add two spaces between filter names and description + so there's space after the longest filter name which currently is + 'allow-autocompletion'. 
+ * utils/filter2docs.pl: Recognize filters with dots in the name. + * Remove support for mbedtls 2.x. + * Remove support for OpenSSL versions before 2.0. + * GNUMakefile.in: Remove duplicated 'only' in the web-rss-feed target's message. + * GNUMakefile.in: Add a web-rss-feed target that only syncs the RSS feed. + * GNUMakefile.in: The Privoxy tools privoxy-log-parser, privoxy-regression-test + and uagen are handled by the "install" and "uninstall" targets now. + Action file improvements: + * Disable fast-redirects for "/.*&__goaway_referer=http". + * Block ".parsely.com/p(logger|x)/" to match URLs that weren't + covered by ".pixel.parsely.com/". + * Block requests to ".siteintercept.qualtrics.com/". + * Unblock "gitlab./search/count\?". + * Reword a comment in user.action that claimed that 'we' want + to support certain sites. + * Remove obsolete domain sunsolve.sun.com from user.action. + * Stop referring to SSL in comments. + * Disable fast-redirects for "archive.is/". + * Add example section for the taz.de filter to user.action. + * default.action.master: Update list of predefined filters. + Filter improvements: + * Let the "sourceforge" filter hide the "MongoDB" ad and the "vibe coding bar". + * Add a "taz.de" filter which hides the "paywahl" banner on taz.de by default. + Documentation improvements: + * FAQ: Mention that one can also donate through Liberapay and add a link. + * Add two paragraphs to the 'Reporting security problems' section. + Request that use of "AI" is disclosed and that reporters respond to + questions about the report. + * The Privoxy tools privoxy-log-parser, privoxy-regression-test and uagen + have man pages now. Previously they were only documented in perldoc. + * user-manual: Update the content filter list. + * user-manual: Update limit-connect description. If the https-inspection action + is enabled, Privoxy does filter the transferred content even if the CONNECT + action is being used. 
+ * Document that the listen-address is taken into account for client + tags as well now. + * Update limit-connect description. + * Don't mention an obsolete mbed TLS version in the user manual's + 'Third-party licenses and copyrights' section. While at it, link to the + GitHub page which shows the README instead of the list of tags which is + less informative and replace an 'and' with a comma. + * Mention zstd in the user manual's 'Third-party licenses and copyrights' section. + * license.sgml: Remove incorrect comment claiming that the file is included + into the user manual. + * Factor out license explanation into separate SGML document + to deduplicate the content. No HTML output change intended. + * user-manual: Sync paragraph explaining the license of Privoxy binaries + when linked to a recent TLS library with license.sgml. + * user-manual: Use < instead of literal '<' to unbreak highlighting in Emacs. + Website improvements: + * Update doc/webserver/README.txt. + * Delete doc/webserver/redirect.php which hasn't been used in years. + Privoxy-Log-Parser: + * Highlight listen address in "Evaluating tag 'forward-directly' for client + 127.0.0.1 using 127.0.1.1:8120. End of life 1774948202." + * Deal with a log message containing only 'TLS' instead of 'TLS/SSL'. + * Bump version to 0.9.8. + * Highlight listen address in 'Enlisting tag 'allow-cookies' for client + 127.0.0.1 using 127.0.1.1:8120.' + Test improvements: + * run-privoxy-tests.sh: Kill the whole process group if Privoxy + doesn't start up in time. This prevents hangs when the system is + heavily loaded, run-privoxy-test.sh's output is piped into tee(1) + and Privoxy starts up after the the script checks for it, but before + it exits. + * Add test for the content filter "taz.de". + * Add test scenarios for the ACL code. + * tests/cts: Make the TESTDIR available as environment variable so + the prechecks can access it. + * Add test helper script that checks if a local address is available + to bind to. 
+ * run-privoxy-tests.sh: Add valgrind support that can be enabled with "-v". + * run-privoxy-tests.sh: Turn $log_file into a local variable in start_privoxy(). + * tests/cts/README: Recommend to use curl upstream tag curl-8_20_0. + * Regenerate curl-test-manifest-for-privoxy. + * gen-skip-reasons.pl: Use '==' instead of 'eq' when checking whether or + not a test should be skipped. While the script output is the same, the + test number isn't a string so using '==' seems more appropriate. + * gen-skip-reasons.pl: Skip test 1 due to multiple Connection header values. + * gen-skip-reasons.pl: Skip test 58 for now which doesn't work anymore after + a recent curl upstream change. + * gen-skip-reasons.pl: Skip test 1685 which uses a Cookie header with a tab + that Privoxy converts into a space. + * Privoxy-Regression-Test: Bump version to 0.7.6 + * Privoxy-Regression-Test: Allow '!' characters which are used in URLs from + taz.de for example. + * Privoxy-Regression-Test: Include the offending line in the error message + when rejecting Sticky Actions with whitespace inside the action parameters. + * Add three more tests for the chunked-transfer-encoding scenario. + +------------------------------------------------------------------- Old: ---- privoxy-4.1.0-stable-src.tar.gz privoxy-4.1.0-stable-src.tar.gz.asc New: ---- privoxy-4.2.0-stable-src.tar.gz privoxy-4.2.0-stable-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ privoxy.spec ++++++ --- /var/tmp/diff_new_pack.rw2QuJ/_old 2026-06-09 14:26:45.604581495 +0200 +++ /var/tmp/diff_new_pack.rw2QuJ/_new 2026-06-09 14:26:45.608581661 +0200 @@ -1,7 +1,7 @@ # # spec file for package privoxy # -# Copyright (c) 2026 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,7 +18,7 @@ %define chroot %{_localstatedir}/lib/privoxy Name: privoxy -Version: 4.1.0 +Version: 4.2.0 Release: 0 Summary: The Internet Junkbuster - HTTP Proxy Server License: GPL-3.0-or-later @@ -90,6 +90,7 @@ mkdir -p %{buildroot}/%{chroot}%{_localstatedir}/log mkdir -p %{buildroot}/%{chroot}%{_localstatedir}/run mkdir -p %{buildroot}/%{chroot}/%{_lib} +mkdir -p %{buildroot}%{_mandir}/man1 mkdir -p %{buildroot}%{_mandir}/man8 mkdir -p %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d cp -a templates %{buildroot}/%{chroot}%{_sysconfdir} @@ -98,7 +99,9 @@ ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} install -m 755 privoxy %{buildroot}%{_sbindir} install -m 755 privoxy_nm %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/privoxyd -install -m 644 privoxy.8 %{buildroot}%{_mandir}/man8 +install -m 644 man/privoxy.8 %{buildroot}%{_mandir}/man8 +install -m 644 man/privoxy-log-parser.1 %{buildroot}%{_mandir}/man1 +install -m 644 man/uagen.1 %{buildroot}%{_mandir}/man1 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/privoxy ln -s ../../log %{buildroot}/%{chroot}%{_localstatedir}/log/privoxy ln -sf %{chroot}%{_sysconfdir}/ %{buildroot}%{_sysconfdir}/privoxy @@ -126,6 +129,8 @@ %{_sysconfdir}/NetworkManager/dispatcher.d/privoxyd %dir %{_sysconfdir}/NetworkManager %dir %{_sysconfdir}/NetworkManager/dispatcher.d +%{_mandir}/man1/privoxy-log-parser.1%{?ext_man} +%{_mandir}/man1/uagen.1%{?ext_man} %{_mandir}/man8/privoxy.8%{?ext_man} %config(noreplace) %{_sysconfdir}/logrotate.d/privoxy %dir /%{chroot}%{_sysconfdir} ++++++ privoxy-4.1.0-stable-src.tar.gz -> privoxy-4.2.0-stable-src.tar.gz ++++++ ++++ 11587 lines of diff (skipped)
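Review bot: In the privoxy.changes hunk (@@ -1,0 +2,154 @@), the two bullets under "Security improvements" reference only upstream commits and OVE identifiers (OVE-20260515-0002 for the chunk-size parsing, OVE-20260515-0001 for ssl_send_certificate_error()), with no distribution bug or CVE reference, so the fixes cannot be tracked from the changelog alone. If a bug or CVE has been assigned for either one, add it to the matching bullet; if none exists, say so in the request. Separately, "Remove support for OpenSSL versions before 2.0" should be checked against the upstream ChangeLog, since OpenSSL releases went from 1.1.1 to 3.0, and the doubled words in "based on on a patch" and "after the the script" can be corrected at the same time.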
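Review bot: In the privoxy.spec install hunk (@@ -98,7 +99,9 @@) and the matching %files hunk (@@ -126,6 +129,8 @@), only privoxy-log-parser.1 and uagen.1 are installed and listed under man1, while the changelog in the same request states that privoxy-log-parser, privoxy-regression-test and uagen all have man pages now. Either install and list the privoxy-regression-test page as well, or state why it is left out. The visible hunks also add no install line for the tools themselves, so confirm that the man pages being shipped describe programs this package actually delivers.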
