sniproxy (0.11.1) unstable; urgency=medium

  * Fix IPV6_V6ONLY not effective when binding privileged ports via
    binder child process.

 -- Renaud Allard <renaud@allard.it>  Mon, 17 Mar 2026 12:00:00 +0100

sniproxy (0.11.0) unstable; urgency=medium

  * Add DTLS (TLS over UDP) protocol support for proxying WebRTC,
    OpenConnect VPN, CoAP, and other UDP/DTLS protocols by hostname.
  * DTLS source validation to prevent UDP reflection/amplification attacks.
  * Per-IP rate and connection limiting for UDP sessions.
  * Tighten seccomp, pledge, and systemd service hardening.
  * Disable TLS session tickets for DNS-over-TLS connections.
  * Detect explicit_bzero for reliable secret wiping.
  * Add compiler hardening flags and bounds checks.
  * Multiple bug fixes and hardening improvements.

 -- Renaud Allard <renaud@allard.it>  Sun, 16 Mar 2026 16:00:00 +0100

sniproxy (0.10.0) unstable; urgency=medium

  * Add per_ip_max_connections, tcp_fastopen, backend_acl, backend_affinity
    directives and random DNS result selection.
  * Accept incoming PROXY protocol v1/v2 headers on listeners.
  * Add PROXY protocol v2 (binary) output support.
  * Add Minecraft Java Edition protocol support.
  * Auto-anchor literal hostname patterns in table entries.
  * Fix broken binary search and host header detection in HPACK decoder.
  * Enforce RFC 7541 dynamic table size update limits in HPACK decoder.
  * Add missing recvfd pledge promise in logger child on OpenBSD.
  * Restart logger child on health check failure instead of fatal exit.
  * Use non-blocking poll in logger health check.
  * Fix use-after-free in resolve_server_address on sync DNS failure.
  * Fix per-IP conn_count mismatch with PROXY protocol.
  * Fix -T 1.3 rejecting all TLS connections.
  * Fix fallback address losing port on SIGHUP reload.
  * Fix EAGAIN on logger IPC permanently killing logger child.
  * Fix server buffer growing 4x instead of intended 2x on resize.
  * Fix IPC crypto context leak in resolver init on socketpair/fork failure.
  * Resolve relative config path before daemonize for SIGHUP reload.
  * Snapshot protocol at accept time to prevent mismatch during reload.
  * Use reallocarray() for overflow-safe allocation throughout.
  * Replace assert() with proper runtime error handling.
  * Clean up unused functions, dead code, and redundant includes.

 -- Renaud Allard <renaud@allard.it>  Fri, 14 Mar 2026 00:00:00 +0000

sniproxy (0.9.27) unstable; urgency=medium

  * Add Minecraft Java Edition protocol support.
  * Fix use-after-free in resolve_server_address on synchronous DNS failure.
  * Fix use-after-free when c-ares calls callback synchronously.
  * Fix use-after-free in resolver callback on config reload.
  * Fix PROXY protocol header sent after client data instead of before.
  * Fix HTTP Host header smuggling with bare Host: line.
  * Reject EOS symbol in HPACK Huffman decoder per RFC 7541.
  * Fix HTTP/2 empty HEADERS frame blocking CONTINUATION frames.
  * Fix HTTP parser returning wrong error for incomplete header lines.
  * Fix dead Huffman padding validation in HPACK decoder.
  * Fix double timestamp in syslog messages when logger process is enabled.
  * Clean up logger child sinks on abnormal parent exit.
  * Ignore SIGPIPE in logger child process.
  * Fix blocking waitpid in logger that can stall the mainloop.
  * Fix multiple NULL dereferences in logger initialization and formatting.
  * Fix file descriptor leaks in logger message handling and REOPEN handler.
  * Fix double-close of file descriptor in obtain_file_sink.
  * Fix recursive fork and zombie processes in logger and binder children.
  * Fix connection and resource leaks in buffer overflow and abort paths.
  * Fix IPC crypto state corruption on AEAD and rekey failures.
  * Fix undefined behavior in ipc_crypto_open for zero-length payloads.
  * Fix resource leak and base_key wipe in ipc_crypto_channel_init.
  * Fix fatal() on config file permission change during SIGHUP reload.
  * Config parser hardening: exact match for protocol and action values,
    reject negative values, handle EOF without trailing newline.
  * Check fcntl return values when setting sockets nonblocking.
  * Fix XMPP parser returning incomplete for malformed unclosed quotes.
  * Fix integer overflow in Minecraft parser on 32-bit platforms.
  * Fix heap over-read in buffer_coalesce on malloc failure.
  * Tighten OpenBSD pledge promises after privilege drop.

 -- Renaud Allard <renaud@allard.it>  Mon, 10 Mar 2026 00:00:00 +0000

sniproxy (0.9.26) unstable; urgency=medium

  * Set logger IPC socket non-blocking to prevent mainloop stall.
  * Combine logger header and payload into a single IPC message.
  * Cache EVP_CIPHER_CTX in IpcCryptoState to avoid per-message allocation.
  * Use cached send buffer in ipc_crypto_send_msg to avoid per-message malloc.
  * Add missing limits.h include in resolv.c for INT_MAX.
  * Fix autorelease glob expansion of release notes containing asterisks.

 -- Renaud Allard <renaud@allard.it>  Sun, 08 Mar 2026 00:00:00 +0000

sniproxy (0.9.25) unstable; urgency=medium

  * Fix infinite loop in shrink_idle_buffers under memory pressure.
  * Fix DNS per-client tracking bypass for IPv4-mapped IPv6 addresses.
  * Fix fd leak in IPC crypto receive on short prefix read.
  * Fix HTTP/2 to HTTP/1.1 fallthrough on full preface match.
  * Fix ACL policy validation for implicit default mode.
  * Fix logger priority name accepting partial matches.
  * Replace select() with poll() in logger health check.
  * Handle SSL_ERROR_ZERO_RETURN in DNS-over-TLS read.
  * Drain OpenSSL error queue after DoT TLS errors.
  * Clamp SSL_read/SSL_write length to INT_MAX.
  * Cap IPC payload length to INT_MAX for OpenSSL API.
  * Add size validation to binder AF_UNIX sockaddr comparison.
  * Add NULL guard to copy_address.
  * Fix size_t to int narrowing in config tokenizer.
  * Fix misleading logger stanza error messages.
  * Remove incorrect const from table_lookup_server_address.
  * Remove dead code in connection_cb buffer reserve path.
  * Update mutex nesting documentation in resolver.

 -- Renaud Allard <renaud@allard.it>  Sun, 08 Mar 2026 00:00:00 +0000

sniproxy (0.9.24) unstable; urgency=medium

  * Feature: Add -t flag to test configuration and exit.
  * Feature: Add -g flag to allow group-read (0640) config permissions
    for SIGHUP reload after privilege drop.
  * Improved config permission error messages.

 -- Renaud Allard <renaud@allard.it>  Tue, 04 Mar 2026 00:00:00 +0000

sniproxy (0.9.23) unstable; urgency=medium

  * Security: Normalize IPv4-mapped IPv6 in rate limiter.
  * Security: Log warning when seccomp sandbox disabled via env var.
  * Security: Verify privilege drop in logger child process.
  * Reliability: Register new listener addresses with binder on reload.
  * Reliability: Warn on user/group change during config reload.

 -- Renaud Allard <renaud@allard.it>  Sun, 02 Mar 2026 00:00:00 +0000

sniproxy (0.9.22) unstable; urgency=medium

  * Resolver: Fix deadlock on send failure, fix timer rescheduling, and use
    _exit() for seccomp failure in child.
  * Binder: Reject invalid sockaddr with short length.
  * Listener: Always set socket to nonblocking mode.
  * Logger: Fix fd leak in NEW_SINK handler, use _exit() for seccomp failure
    in child, and fix dead retry loop in logger_send_privileges.
  * Config: Fix connection_buffer_limit, client_buffer_limit,
    server_buffer_limit, and http_max_headers directives being non-functional.
  * HTTP/2: Fix broken HPACK Huffman decoder (wrong bit extraction and
    internal node/leaf confusion).
  * Testing: Fix dead round-trip in ipc_crypto fuzz harness.

 -- Renaud Allard <renaud@allard.it>  Sat, 01 Mar 2026 00:00:00 +0000

sniproxy (0.9.21) unstable; urgency=medium

  * IPC: Fix fd loss in encrypted IPC receive where the frame length prefix
    read discarded SCM_RIGHTS ancillary data. Retry sendmsg() on EINTR.
  * Resolver: Fix return value check after restart, use-after-free on
    realloc+strdup failure, and replace fatal() with graceful error return.
  * Listener: Re-apply socket options on binder fallback sockets.
  * Config: Reject NaN/Infinity in floating-point values and reject files
    with unclosed braces.
  * Logger: Drain payload on malloc failure to prevent protocol desync and
    add recursion guard in init_default_logger().
  * HTTP/2: Fix incomplete frame status when no frames parsed yet.
  * Shutdown: Remove pidfile on clean exit.

 -- Renaud Allard <renaud@allard.it>  Fri, 28 Feb 2026 00:00:00 +0000

sniproxy (0.9.20) unstable; urgency=medium

  * Memory: Halve server buffer initial size (64KB to 32KB), shrink spliced
    connection buffers to 4KB, reduce buffer pool max cache from 12MB to 6MB,
    lower rate limit free list cap from 8192 to 2048 entries, and shrink table
    cache from 1024 to 256 entries.
  * SO_SPLICE: Shrink user-space buffers when activating kernel splice and
    stop the libev idle timer since the kernel manages its own idle timeout.
  * Reliability: Suppress expected EPROTO warnings when unsplicing connections
    that were already terminated by the peer.

 -- Renaud Allard <renaud@allard.it>  Tue, 25 Feb 2026 00:00:00 +0000

sniproxy (0.9.19) unstable; urgency=medium

  * Performance: SO_SPLICE zero-copy forwarding on OpenBSD, PCRE2 JIT regex
    compilation, HPACK ring buffer for O(1) dynamic table inserts, TCP_NODELAY
    on client and server sockets, table hostname cache increased to 1024
    entries, redundant ev_io and buffer zeroing eliminated, TLS extension
    parsing merged into a single pass.
  * Security: Enforce TLS extension count limit across all parsing paths,
    explicitly unsplice before closing idle spliced connections, and log
    SO_SPLICE cleanup failures.
  * Bug fixes: Fix data corruption in buffer_coalesce, double close of FDs in
    ipc_crypto_recv_msg and logger, errno clobbered in resolver_ipc_cb,
    reload_tables skipping consecutive removals, accept_listener_arg returning
    success on invalid argument, listeners_reload ignoring init_listener
    failure, ambiguous prefix matching in resolver mode and syslog facility
    lookup, NULL dereference in hpack_add_entry on malloc failure, overlapping
    memcpy in address port stripping, and blocking nanosleep in connect path.
  * API: Getter/setter functions for connection timeouts, TLS extension limits,
    HTTP/2 frame and header count limits, and XMPP max header length.

 -- Renaud Allard <renaud@allard.it>  Fri, 06 Feb 2026 00:00:00 +0000

sniproxy (0.9.18) unstable; urgency=medium

  * XMPP: Add `protocol = xmpp` listener support that parses the stream `to`
    attribute to route XMPP (including STARTTLS) connections; adds dedicated
    parser tests and a fuzz harness.
  * Fuzzing: Disable ASan ODR indicators in libFuzzer builds and mark the stub
    HTTP/TLS protocol pointers in the listener ACL fuzzer as weak to stop
    multiple-definition link errors when linking the real implementations.

 -- Renaud Allard <renaud@allard.it>  Fri, 02 Jan 2026 00:00:00 +0000

sniproxy (0.9.17) unstable; urgency=medium

  * Security: Limit IPC generation gaps to 16 so forged UINT32_MAX generations
    cannot drive billions of rekeys and DoS ipc_crypto receivers.
  * Packaging/CI: release-packages workflow fetches autoconf 2.71 from GNU and
    kernel mirrors before ftp.gnu.org to avoid timeouts while building release
    packages.

 -- Renaud Allard <renaud@allard.it>  Fri, 19 Dec 2025 00:00:00 +0000

sniproxy (0.9.16) unstable; urgency=medium

  * IPC crypto: Bump protocol to IPC2 with an authenticated generation
    field so rekeys are deterministic, receivers auto-resynchronize after
    missed epochs, stale-generation frames are rejected to block
    replay-driven hangs, and time-based rekeys keep working even when
    traffic is sparse.
  * Tests: Expand ipc_crypto debug and time-based rekey coverage for the
    IPC2 protocol and auto-resync behavior.

 -- Renaud Allard <renaud@allard.it>  Tue, 16 Dec 2025 00:00:00 +0000

sniproxy (0.9.15) unstable; urgency=medium

  * Security: Binder helper validates AF_INET/AF_INET6/AF_UNIX socket requests
    against the listener allowlist and seccomp filters are process-specific.
  * TLS/DNS: Add a minimum TLS version setting for DoT upstreams (default
    tls1.2) and reject too-old ClientHello versions instead of routing them to
    fallback backends.
  * Reliability: Enforce monotonic IPC replay counters, add logger child health
    watchdog, fix backend regex cache initialization crash, reset global ACL
    policy on reload, retry EINTR connects, and reject connections when
    rate-limit accounting OOMs with clearer backoff.
  * Documentation: Refresh README/man pages and drop the unused splice(2)
    reference.

 -- Renaud Allard <renaud@allard.it>  Mon, 15 Dec 2025 00:00:00 +0000

sniproxy (0.9.14) unstable; urgency=medium

  * Require DoT IP literals to supply a TLS hostname or '/insecure'; bare IP
    entries are rejected to avoid silent verification bypass.
  * Log fatal exit paths so termination reasons are always recorded.

 -- Renaud Allard <renaud@allard.it>  Wed, 03 Dec 2025 00:00:00 +0000

sniproxy (0.9.13) unstable; urgency=medium

  * Packaging/CI: Discover Rocky releases via mirrors and Docker tags, build
    both latest and previous Rocky majors in the release workflow, fall back to
    microdnf when dnf is missing, and use a mirrored autoconf source for
    openSUSE builds.
  * Testing: Buffer tests create/destroy a dedicated libev loop, fix the leak
    that broke Valgrind runs, and the Valgrind workflow runs from tests/ and
    surfaces failures.
  * Bug fix: Resolve a use-after-free when configuration files have incorrect
    permissions.

 -- Renaud Allard <renaud@allard.it>  Tue, 25 Nov 2025 00:00:00 +0000

sniproxy (0.9.12) unstable; urgency=medium

  * Packaging: rpmbuild now keeps distribution %{optflags} while still adding
    the libev include path, drops the unused perl Build-Depends from the spec,
    and the release-packages workflow can be triggered manually to build RPM/DEB
    artifacts on demand.
  * Distribution: Ship the missing hostname_sanitize.h in release tarballs and
    remove the sniproxy wrapper so only /usr/sbin/sniproxy is installed.
  * Testing: Add a resolver response fuzz harness with exported fuzz-only
    helpers, expand the libev stub to cover timers/signals/loop lifecycle, and
    plug a leak in the resolver fuzz harness for stable fuzz runs.

 -- Renaud Allard <renaud@allard.it>  Mon, 24 Nov 2025 00:00:00 +0000

sniproxy (0.9.11) unstable; urgency=medium

  * Security: Add the http_max_headers directive (default 100) so HTTP
    frontends bound client header counts, pre-count TLS extensions before
    parsing ClientHellos, and force ipc_crypto_open() to perform constant-time
    dummy decrypts with dedicated zero_tag buffers whenever a frame is rejected.
  * Reliability: Canonicalize every absolute path directive, teach the config
    parser to use typed cleanup hooks so resolver/log/logger/listener blocks
    release previous allocations, plug double-free/leak windows triggered by
    repeated stanzas, and replace assert() calls in address/table/resolver code
    with runtime checks protected by a new resolver_pending_lock.
  * Tooling: Retire the sniproxy-cfg helper/man page, ship a hardened
    scripts/sniproxy.service unit while dropping the sniproxy wrapper so only
    /usr/sbin/sniproxy is installed, add RPM/DEB builds to the release workflow,
    and extend the fuzz harness suite (address/table/listener ACL/ipc) while
    defaulting to error-only logs for quieter CI runs.

 -- Renaud Allard <renaud@allard.it>  Sun, 23 Nov 2025 00:00:00 +0000

sniproxy (0.9.10) unstable; urgency=medium

  * Security: Tighten get_secure_temp_dir() so both /var/run and /tmp fallback
    paths use lstat() before opening, blocking symlink redirects despite
    pre-created directories.
  * Robustness: Unix socket address parsing now always null-terminates
    sun_path and cfg_tokenizer guarantees buffers are terminated before all
    error returns to avoid parser overreads.
  * DNS: Ensure the resolver per-client concurrency limit is applied on reloads
    alongside the global cap so throttles remain synchronized.

 -- Renaud Allard <renaud@allard.it>  Sat, 22 Nov 2025 00:00:00 +0000

sniproxy (0.9.9) unstable; urgency=medium

  * Security: PROXY header writes now require sufficient buffer space, log the
    offending client, and abort when the header cannot be appended; sockaddr
    parsing clamps copy_sockaddr_to_storage, validates sa_len, and backend
    caching rejects lengths that would overflow allocations.
  * Networking: Add per-client DNS concurrency limits alongside the global cap,
    raise the defaults to 16 per client and 512 overall, and rework address
    parsing so trailing ports are applied via centralized logic with bounded
    recursion depth while exposing both caps as resolver
    max_concurrent_queries(_per_client) settings.
  * Crypto: ipc_crypto_seal verifies header/tag overhead, prevents SIZE_MAX
    frames, halts when the send counter hits UINT64_MAX, and derive_key now
    rejects HKDF labels longer than 1024 bytes.
  * Reliability: Buffer helpers assert read/write offsets never exceed capacity
    and setup_write_iov bails when a buffer reports an impossible length.

 -- Renaud Allard <renaud@allard.it>  Fri, 21 Nov 2025 00:00:00 +0000

sniproxy (0.9.8) unstable; urgency=medium

  * Security: require libpcre2 across runtime/tests/fuzzers and drop PCRE1
    fallback; HKDF info buffers are wiped and reject oversized labels.
  * Hardening: configuration reloads recheck file permissions, config paths
    must be absolute, resolver search domains are treated as literal suffixes,
    and resolver cancellation uses a memory fence to close race windows.
  * Networking: resolver blocks can now point to DNS-over-TLS upstreams via
    `dot://address/hostname` entries with certificate validation.
  * Tooling: connection dumps prefer mkostemp(), README/architecture/docs now
    describe the tightened requirements, and packaging metadata reflects the
    libpcre2 dependency.

 -- Renaud Allard <renaud@allard.it>  Thu, 20 Nov 2025 09:00:00 +0100

sniproxy (0.9.7) unstable; urgency=medium

  * DNS: enable DNSSEC validation in relaxed mode by default so wildcard and
    fallback backends automatically request authenticated data without manual
    resolver stanzas.
  * Security: treat group/world-readable configuration files as fatal errors in
    sniproxy by checking permissions on the open file descriptor, covering
    startup, reload, and validation flows.
  * Documentation: README, man pages, and architecture notes now describe the
    DNSSEC default and stricter configuration-permission requirements.

 -- Renaud Allard <renaud@allard.it>  Wed, 19 Nov 2025 09:00:00 +0100

sniproxy (0.9.6) unstable; urgency=medium

  * Security: reinforce per-IP rate limiting with FNV-1a hashes, collision
    rejection, and strict limits on HTTP headers, TLS extensions, and IPC
    payloads to block CPU/memory exhaustion.
  * DNS: arc4random() query IDs, mutex-guarded restart state, and query handle
    validation prevent leaks, counter drift, and use-after-free bugs.
  * Reliability: shrink candidate queues cap at 4096 entries with active
    trimming, buffer growth failures now close connections, and log durations
    clamp under time jumps.
  * Hardening: secure_memzero wipes secrets, PID files get stricter sanity
    checks, and buffer pool magic numbers detect corruption before dereference.

 -- Renaud Allard <renaud@allard.it>  Tue, 18 Nov 2025 09:00:00 +0100

sniproxy (0.9.5) unstable; urgency=medium

  * Performance: cache ev_now and add hysteresis to idle timers/buffer growth
  * Reliability: resolver crash handler avoids spurious write warnings
  * CI: fuzz workflow now bootstraps a working clang/libFuzzer toolchain automatically

 -- Renaud Allard <renaud@allard.it>  Sat, 15 Nov 2025 09:00:00 +0100

sniproxy (0.9.4) unstable; urgency=medium

  * Security: configs with group/world permissions now abort startup.
  * Resource: new per-connection buffer limits prevent RAM pinning.
  * IPC: helper children no longer inherit unrelated file descriptors.

 -- Renaud Allard <renaud@allard.it>  Fri, 14 Nov 2025 09:00:00 +0100

sniproxy (0.9.3) unstable; urgency=medium

  * Security: verify privilege drop failure aborts the daemon immediately
  * Security: warn when configuration files are group/world accessible

 -- Renaud Allard <renaud@allard.it>  Wed, 12 Nov 2025 15:47:17 +0100

sniproxy (0.9.2) unstable; urgency=medium

  * Harden resolver restarts and preserve in-flight DNS queries
  * Restart binder helper on IPC failures and fix request framing
  * Retry outbound connects on transient EADDRNOTAVAIL errors

 -- Renaud Allard <renaud@allard.it>  Mon, 10 Nov 2025 09:00:00 +0100

sniproxy (0.9.1) unstable; urgency=medium

  * Prepare 0.9.1 release

 -- Renaud Allard <renaud@allard.it>  Sun, 09 Nov 2025 11:27:40 +0100

sniproxy (0.9.0) unstable; urgency=medium

  * Major performance and security release
  * Security: DNS query IDs use PRNG (xorshift32) instead of linear counter
  * Security: c-ares resolver hardening (async-signal-safe, integer overflow)
  * Security: TLS parser improvements (reject invalid ClientHello variants)
  * Performance: Per-backend pattern match caching (skip repeated PCRE2)
  * Performance: HTTP/2 HPACK optimization (precomputed lengths, binary search)
  * Performance: Optimized buffer shrink decisions (periodic timer)
  * Performance: Connection memory tracking and accounting
  * Performance: Rate limit hash table optimization (IPv4 fast path, LRU)
  * Performance: Protocol parser optimizations (TLS, HTTP, HTTP/2)
  * Performance: PROXY v1 header composition optimization

 -- Renaud Allard <renaud@allard.it>  Fri, 08 Nov 2025 00:00:00 +0000

sniproxy (0.8.6) unstable; urgency=medium

  * Prepare 0.8.6 release

 -- Renaud Allard <renaud@allard.it>  Thu, 04 Sep 2025 16:37:25 -0700

sniproxy (0.7.0) unstable; urgency=medium

  * Deprecate project
  * Cleanup autoconf
  * Require autoconf 2.71
  * Require explicit --enable-dns for DNS resolution functionality
  * Add support for libpcre2 as an alternative to the older libpcre3
  * Relax HTTP header parsing to accept CRLF or plain LF
  * Fix missing stdlib.h include
  * Fix various warnings reported by gcc 14 and clang 19 compilers

 -- Dustin Lundquist <dustin@null-ptr.net>  Thu, 04 Sep 2025 16:37:25 -0700

sniproxy (0.6.1) unstable; urgency=high

  * Fix buffer overflow in address module
  * Fix tests

 -- Dustin Lundquist <dustin@null-ptr.net>  Thu, 16 Mar 2023 21:53:48 -0700

sniproxy (0.6.0) unstable; urgency=medium

  * PROXY v1 protocol support
  * SO_REUSEPORT support on Linux 3.9 and later
  * Listener ipv6_only directive to accept only IPv6 connections
  * TCP keepalive

 -- Dustin Lundquist <dustin@null-ptr.net>  Wed, 05 Dec 2018 20:12:24 -0800

sniproxy (0.5.0) unstable; urgency=medium

  * Transparent proxy support
  * Use accept4() on Linux
  * Run as group specified in config

 -- Dustin Lundquist <dustin@null-ptr.net>  Wed, 26 Apr 2017 07:17:13 -0700

sniproxy (0.4.0) unstable; urgency=medium

  * Improve DNS resolver:
    Support for AAAA records
    Configuration options
  * Global access log
  * Man page for sniproxy.conf
  * Reject IP literals as hostnames for wildcard backends

 -- Dustin Lundquist <dustin@null-ptr.net>  Tue, 07 Apr 2015 09:14:41 -0700

sniproxy (0.3.6) unstable; urgency=medium

  * Improve logging:
    Fix negative connection duration in access log
    Include log rotate script
    Reopen log files on SIGHUP
    Share file handle to same log file between listeners
    Avoid unnecessary reconnection to syslog socket
    Cache timestamp string for current second
  * Man page
  * Packaging improvements:
    passes lintian and rpm-lint

 -- Dustin Lundquist <dustin@null-ptr.net>  Fri, 26 Sep 2014 19:52:38 -0700

sniproxy (0.3.5) unstable; urgency=medium

  * Configuration reloading on SIGHUP
  * SSL 2.0 connection handling: do not treat as an error, use fallback
    address if configured.
  * Fix buffer_coalesce error
  * Spawn privileged child to bind sockets to privileged ports on reload
  * Add -V flag to return sniproxy version
  * Use libev for timestamps to improve portability
  * Include several for BSD compatibility

 -- Dustin Lundquist <dustin@null-ptr.net>  Wed, 13 Aug 2014 18:25:53 -0700

sniproxy (0.3.4) unstable; urgency=medium

  * Add source address specification configuration option.
  * Line buffer log files.
  * Fix segfault when no hostname included in TLS extensions.
  * Fix erroneous report of invalid TLS client handshake.

 -- Dustin Lundquist <dustin@null-ptr.net>  Sun, 18 May 2014 14:38:33 -0700

sniproxy (0.3.3) unstable; urgency=medium

  * Fix format argument segfault in buffer full warning.
  * Add sniproxy-dbg package.
  * File descriptor limit: raise limit and improve handling when limit is
    reached.

 -- Dustin Lundquist <dustin@null-ptr.net>  Tue, 22 Apr 2014 17:35:59 -0700

sniproxy (0.3.2-1) unstable; urgency=high

  * Fix use after free when client closes connection before DNS response is
    received.
  * Fix two DNS query memory leaks.

 -- Dustin Lundquist <dustin@null-ptr.net>  Fri, 11 Apr 2014 16:32:06 -0700

sniproxy (0.3.1-1) unstable; urgency=high

  * Fix bug when client completely fills the buffer before the DNS query is
    answered.
  * Fix handling of invalid hostnames in client requests.

 -- Dustin Lundquist <dustin@null-ptr.net>  Wed, 09 Apr 2014 21:08:55 -0700

sniproxy (0.3-1) unstable; urgency=medium

  * Nonblocking connect and DNS resolution

 -- Dustin Lundquist <dustin@null-ptr.net>  Tue, 08 Apr 2014 17:03:37 -0700

sniproxy (0.2) unstable; urgency=low

  * Moving pidfile

 -- Dustin Lundquist <dustin@null-ptr.net>  Thu, 30 Jan 2014 13:51:02 -0800

sniproxy (0.1-1) unstable; urgency=low

  * Initial release

 -- Andreas Loibl <andreas@andreas-loibl.de>  Tue, 18 Jun 2013 17:55:43 +0200
