./net/mitmproxy, Interactive TLS-capable intercepting HTTP proxy



Branch: CURRENT, Version: 11.1.2, Package name: mitmproxy-11.1.2, Maintainer: leot

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a
console interface for HTTP/1, HTTP/2, and WebSockets.

mitmdump is the command-line version of mitmproxy. Think tcpdump for
HTTP.

mitmweb is a web-based interface for mitmproxy.


Required to run:
[security/py-OpenSSL] [devel/py-urwid] [security/py-asn1] [devel/py-blinker] [www/py-flask] [www/py-tornado] [devel/py-pyparsing] [security/py-passlib] [security/py-cryptography] [devel/py-click] [devel/py-protobuf] [x11/py-pyperclip] [security/py-certifi] [www/py-h2] [www/py-hyperframe] [devel/py-ruamel-yaml] [databases/py-ldap3] [devel/py-sortedcontainers] [archivers/py-zstandard] [devel/py-kaitaistruct] [www/py-wsproto] [lang/python37] [archivers/py-brotli] [www/py-publicsuffix2]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 1528.447 KB



CVS history:


   2025-02-06 14:22:10 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
mitmproxy: updated to 11.1.2

06 February 2025: mitmproxy 11.1.2

CVE-2025-23217: mitmweb's API now requires an authentication token by default. The mitmweb API is bound to localhost only, but @gronke found that an attacker can circumvent that restriction by tunneling requests through the proxy server itself in an SSRF-style attack. (fa89055, @mhils)
Add (optional) password protection for mitmweb. The web_password option replaces the randomly-generated token authentication with a fixed secret that survives mitmproxy restarts. (0bd573a, @mhils)
mitmweb can now be hosted under arbitrary domains, the previously-used DNS rebind protection is not required anymore. (62693af, @mhils)
Security Hardening: mitmweb's xsrf_token cookie is now HttpOnly; SameSite=Strict.
We now provide standalone binaries for Linux arm64.
Standalone binaries are now compiled with Python 3.13.
Fix console freezing due to DNS queries with an empty question section.
Add mitmweb tutorial to docs.
Fixed a bug that caused mitmproxy to crash when loading prior knowledge h2 flows.
Fix a bug where mitmproxy would get stuck in secure web proxy mode when using ignore_hosts or allow_hosts.
Copy request/response data to the clipboard in mitmweb
Fix a bug where exporting a curl or httpie command with escaped characters would lead to different data being sent.

05 February 2025: mitmproxy 11.1.1

Yanked. Identical to 11.1.2, but failed to deploy in CI.

12 January 2025: mitmproxy 11.1.0

Local Capture Mode is now available on Linux as well.
mitmproxy now requires Python 3.12 or above.
Add cache-busting for mitmweb's front end code.
Clicking the URL in mitmweb now places the cursor at the current position instead of selecting the entire URL.
Add missing status codes
All filter expressions are now case-insensitive by default. Users can opt into case-sensitive filters by setting MITMPROXY_CASE_SENSITIVE_FILTERS=1 as an environment variable.
Remove filter expression lowercasing in block_list addon
Remove check for status codes in the blocklist add-on.
Prompt user before clearing screen

05 December 2024: mitmproxy 11.0.2

Stop sorting keys in JSON contentview
Fix a bug where a custom CA would raise an error.
Fix a bug where the mitmproxy UI would crash on negative durations.
Allow technically invalid HTTP transfer encodings in requests if validate_inbound_headers is disabled.
Fix a bug in windows management in mitmproxy TUI whereby the help window does not appear if "?" is pressed within the overlay

24 November 2024: mitmproxy 11.0.1

Tighten HTTP detection heuristic to better support custom TCP-based protocols.
Implement stricter validation of HTTP headers to harden against request smuggling attacks.
Increase HTTP/2 default flow control window size, fixing performance issues.
Fix a bug where mitmproxy would incorrectly report that TLS 1.0 and 1.1 are not supported with the current OpenSSL build.
Docker: Update image to Python 3.13 on Debian Bookworm.
Add a tun proxy mode that creates a virtual network device on Linux for transparent proxying.
browser.start command now supports Firefox.
Fix interaction of the modify_headers and stream_large_bodies options. This may break users of modify_headers that rely on filters referencing the message body. We expect this to be uncommon, but please make yourself heard if that's not the case.
Fix a crash when handling corrupted compressed body in savehar addon and its tests.
Remove dependency on protobuf library as it was no longer being used.

02 October 2024: mitmproxy 11.0.0

mitmproxy now supports transparent HTTP/3 proxying.
Add HTTP3 support in HTTPS reverse-proxy mode.
mitmproxy now officially supports Python 3.13.
Tighten HTTP detection heuristic to better support custom TCP-based protocols.
Add show_ignored_hosts option to display ignored flows in the UI. This option is implemented as a temporary workaround and will be removed in the future.
Fix slow tnetstring parsing in case of very large tnetstring.
Add getaddrinfo-based fallback for DNS resolution if we are unable to determine the operating system's name servers.
Improve the error message when users specify the certs option without a matching private key.
Fix a bug where intermediate certificates would not be transmitted when using QUIC.
Fix a bug where fragmented QUIC client hellos were not handled properly.
Emit a warning when users configure a TLS version that is not supported by the current OpenSSL build.
Fix a bug where mitmproxy would crash when receiving STOP_SENDING QUIC frames.
Fix error when unmarking all flows.
Add addon to update the alt-svc header in reverse mode.
Do not send unnecessary empty data frames when streaming HTTP/2.
Fix a bug where mitmproxy would ignore Ctrl+C/SIGTERM on OpenBSD.
Fix of measurement unit in HAR import, duration is in milliseconds.
Connection.tls_version now is QUICv1 instead of QUIC for QUIC.
Add support for full mTLS with client certs between client and mitmproxy.
Update documentation adding a list of all possible web_columns
   2024-11-11 08:29:31 by Thomas Klausner | Files touched by this commit (862)
Log message:
py-*: remove unused tool dependency

py-setuptools includes the py-wheel functionality nowadays
   2024-10-13 11:30:48 by Thomas Klausner | Files touched by this commit (1)
Log message:
mitmproxy: add missing dependency

fix Python version selection, needs to be before pyversion.mk
   2024-03-24 21:00:11 by Leonardo Taccari | Files touched by this commit (2)
Log message:
mitmproxy: Update to 10.2.4

Changes:
## mitmproxy 10.2.4

* Fix a bug where errors during startup would not be displayed when running mitmproxy.
* Use newer cryptography APIs to avoid CryptographyDeprecationWarnings.
  This bumps the minimum required version to cryptography 42.0.

## mitmproxy 10.2.3

* Fix a regression where `allow_hosts`/`ignore_hosts` would break with IPv6 connections.
* Fix bug where failed CONNECT request URLs are saved to HAR files incorrectly.
* Fix duplicate answers being returned in DNS queries.
* Fix bug where wireguard config is generated with incorrect endpoint when two or more NICs are active.
* Fix a regression when leaf cert creation would fail with intermediate CAs in `ca_file`.
* Add `content_view_lines_cutoff` option to mitmdump
* Allow runtime modifications of HTTP flow filters for server replays
* Fix bug view options menu in case of overflow
* Allow --allow-hosts and --ignore-hosts to work together

## mitmproxy 10.2.2

* Fix a regression where clientplayback would break due to eager task execution.
* Fix a regression where WebSocket connections would break due to eager task execution.
* Fix bug where insecure HTTP requests are saved incorrectly when exporting to HAR files.
* `allow_hosts`/`ignore_hosts` option now matches against the full `host:port` string.
   2024-01-28 09:29:03 by Thomas Klausner | Files touched by this commit (1)
Log message:
mitmproxy: add missing tool
   2024-01-07 00:39:24 by Leonardo Taccari | Files touched by this commit (4) | Package updated
Log message:
mitmproxy: Update to 10.2.1

pkgsrc changes:
- Update DESCR and COMMENT based respectively on upstream's README and
  GitHub project description
- Switch to non-versioned py-OpenSSL. mitmproxy now needs Rust-y bits also for
  mitmproxy_rs. Possibly avoiding Rust py-cryptography no longer helps.
- Adjust SUBST-fu in order to address dependencies versions in pyproject.toml,
  not setup.py (per upstream usage)

Changes:
## 06 January 2024: mitmproxy 10.2.1
* Fix a regression introduced in mitmproxy 10.2.0: WireGuard servers
  now bind to all interfaces again.
* Remove stale reference to ctx.log in addon documentation.
* Fix a bug where a traceback is shown during shutdown.

## 04 January 2024: mitmproxy 10.2.0
* Local Redirect Mode is now officially available on macOS and Windows.
  See the linked blog posts for details.
* UDP streams are now backed by a new implementation in mitmproxy_rs.
  This represents a major API change as UDP traffic is now exposed as
  streams instead of a callback for each packet.
* Fix a regression from mitmproxy 10.1.6 where ignore_hosts would
  terminate requests instead of forwarding them.
* ignore_hosts now waits for the entire HTTP headers if it suspects the
  connection to be HTTP.

## 14 December 2023: mitmproxy 10.1.6
* Fix compatibility with Windows Schannel clients, which previously got
  confused by CA and leaf certificate sharing the same Subject Key Identifier.
* Change keybinding for exporting flow from "e" to "x" to avoid conflict with "edit" keybinding.
* Fix bug where response flows from HAR files had incorrect `content-length` headers
* Improved handling for `allow_hosts`/`ignore_hosts` options in WireGuard mode.
* Fix a bug where TCP connections were not closed properly.
* DNS resolution is now exempted from `ignore_hosts` in WireGuard Mode.
* Fix case sensitivity of URL added to blocklist
* Fix a bug where logging was stopped prematurely during shutdown.
* For plaintext traffic, `ignore_hosts` now also takes HTTP/1 host headers into account.
* Fix empty cookie attributes being set to `Key=` instead of `Key`
* Scripts with relative paths are now loaded relative to the config file and not where the command is run
* Fix `mitmweb` splitter becoming drag and drop.
* Enhance documentation and add alert log messages when stream_large_bodies and modify_body are set
* Subject Alternative Names are now represented as `cryptography.x509.GeneralNames` instead of `list[str]`
  across the codebase. This fixes a regression introduced in mitmproxy 10.1.1 related to punycode domain encoding.

## 14 November 2023: mitmproxy 10.1.5
* Remove stray `replay-extra` from CLI status bar.

## 13 November 2023: mitmproxy 10.1.4
* Fix a hang/freeze in the macOS distributions when doing TLS negotiation.
* Update savehar addon to fix creating corrupt har files caused by empty response content
* Update savehar addon to handle scenarios where "path" key in cookie
  attrs dict is missing.
* Add `server_replay_extra` option to serverplayback to define behaviour
  when replayable response is missing.

## 04 November 2023: mitmproxy 10.1.3
* Fix a bug introduced in mitmproxy 10.1.2 where mitmweb would fail to establish
  a WebSocket connection. Affected users may need to clear their browser cache
  or hard-reload mitmweb (Ctrl+Shift+R).

## 03 November 2023: mitmproxy 10.1.2
* Add a raw hex stream contentview.
* Add a contentview for DNS-over-HTTPS.
* Replaced standalone mitmproxy binaries on macOS with an app bundle
  that contains the mitmproxy/mitmweb/mitmdump CLI tools.
  This change was necessary to support macOS code signing requirements.
  Homebrew remains the recommended installation method.
* Fix certificate generation to work with strict mode OpenSSL 3.x clients
* Fix path() documentation that the return value might include the query string
* mitmproxy now officially supports Python 3.12.
* Fix root-relative URLs so that mitmweb can run in subdirectories.
* Add an optional parameter(ldap search filter key) to ProxyAuth-LDAP.
* Fix a regression when using the proxyauth addon with clients that (rightfully) reuse connections.

## 27 September 2023: mitmproxy 10.1.1
* Fix certificate generation for punycode domains.
* Fix a bug that would crash mitmweb when opening options.

## 24 September 2023: mitmproxy 10.1.0
* Add support for reading HAR files using the existing flow loading APIs, e.g. `mitmproxy -r example.har`.
* Add support for writing HAR files using the `save.har` command and the `hardump` option for mitmdump.
* Packaging changes:
  - `mitmproxy-rs` does not depend on a protobuf compiler being available anymore,
    we're now also providing a working source distribution for all platforms.
  - On macOS, `mitmproxy-rs` now depends on `mitmproxy-macos`. We only provide binary wheels for this package because
    it contains a code-signed system extension. Building from source requires a valid Apple Developer Id, see CI for
    details.
  - On Windows, `mitmproxy-rs` now depends on `mitmproxy-windows`. We only provide binary wheels for this package to
    simplify our deployment process, see CI for how to build from source.
* Increase maximum dump file size accepted by mitmweb

## 04 August 2023: mitmproxy 10.0.0
* Add experimental support for HTTP/3 and QUIC.
* ASGI/WSGI apps can now listen on all ports for a specific hostname.
  This makes it simpler to accept both HTTP and HTTPS.
* Add `replay.server.add` command for adding flows to server replay buffer
* Remove string escaping in raw view.
* Updating `Request.port` now also updates the Host header if present.
  This aligns with `Request.host`, which already does this.
* Fix editing of multipart HTTP requests from the CLI.
* Add documentation on using Magisk module for intercepting traffic in Android production builds.
* Fix a bug where the direction indicator in the message stream view would be in the wrong direction.
* Fix a bug where peername would be None in tls_passthrough script, which would make it not work.
* the `esc` key can now be used to exit the current view
* focus-follow shortcut will now work in flow view context too.
* Fix a bug where a server connection timeout would cause requests to be issued with a wrong SNI in reverse proxy mode.
* The `server_replay_nopop` option has been renamed to `server_replay_reuse` to avoid confusing double-negation.
* Add zstd to valid gRPC encoding schemes.
* For reverse proxy directly accessed via IP address, the IP address is now included
  as a subject in the generated certificate.
* Enable legacy SSL connect when connecting to server if the `ssl_insecure` flag is set.
* Change wording in the http-reply-from-proxy.py example
* Added option to specify an elliptic curve for key exchange between mitmproxy <-> server
* Add "Prettier" code linting tool to mitmweb.
* When logging exceptions, provide the entire exception object to log handlers
* mitmproxy now requires Python 3.10 or above.

### Breaking Changes
* The `onboarding_port` option has been removed. The onboarding app now responds
  to all requests for the hostname specified in `onboarding_host`.
* `connection.Client` and `connection.Server` now accept keyword arguments only.
  This is a breaking change for custom addons that use these classes directly.

## 02 November 2022: mitmproxy 9.0.1
* The precompiled binaries now ship with OpenSSL 3.0.7, which resolves CVE-2022-3602 and CVE-2022-3786.
* Performance and stability improvements for WireGuard mode.
* Fix a bug where the standalone Linux binaries would require libffi to be installed.
* Hard exit when mitmproxy cannot write logs, fixes endless loop when parent process exits.
* Fix a permission error affecting the Docker images.

## 28 October 2022: mitmproxy 9.0.0
### Major Features
* Add Raw UDP support.
* Add WireGuard mode to enable transparent proxying via WireGuard.
* Add DTLS support.
* Add a quick help bar to mitmproxy.

### Deprecations
* Deprecate `add_log` event hook. Users should use the builtin `logging` module instead.
* Deprecate `mitmproxy.ctx.log` in favor of Python's builtin `logging` module.

### Breaking Changes
 * The `mode` option is now a list of server specs instead of a single spec.
   The CLI interface is unaffected, but users may need to update their `config.yaml`.

### Full Changelog
* Mitmproxy binaries now ship with Python 3.11.
* One mitmproxy instance can now spawn multiple proxy servers.
* Add syntax highlighting to JSON and msgpack content view.
* Add MQTT content view.
* Setting `connection_strategy` to `lazy` now also disables early
  upstream connections to fetch TLS certificate details.
* Fix order of event hooks on startup.
* Include server information in bind/listen errors.
* Include information about lazy connection_strategy in related errors.
* Fix `tls_version_server_min` and `tls_version_server_max` options.
* Added Magisk module generation for Android onboarding.
* Update Linux binary builder to Ubuntu 20.04, bumping the minimum glibc version to 2.31.
* Add "Save filtered" button in mitmweb.
* Render application/prpc content as gRPC/Protocol Buffers
* Mitmweb now supports `content_view_lines_cutoff`.
* Fix a mitmweb crash when scrolling down the flow list.
* Add HTTP/3 binary frame content view.
* Fix mitmweb not properly opening a browser and being stuck on some Linux.
* Fix race condition when updating mitmweb WebSocket connections that are closing.
* Fix mitmweb crash when using filters.
* Fix missing default port when starting a browser.
* Add docs for transparent mode on Windows.
   2023-08-14 07:25:36 by Thomas Klausner | Files touched by this commit (1247)
Log message:
*: recursive bump for Python 3.11 as new default
   2023-08-02 01:20:57 by Thomas Klausner | Files touched by this commit (158)
Log message:
*: remove more references to Python 3.7