Subject: CVS commit: pkgsrc/net/mitmproxy
From: Adam Ciarcinski
Date: 2025-02-06 14:22:10
Message id: 20250206132210.B974EFBE0@cvs.NetBSD.org
Log Message:
mitmproxy: updated to 11.1.2
06 February 2025: mitmproxy 11.1.2
CVE-2025-23217: mitmweb's API now requires an authentication token by default. The mitmweb API is bound to localhost only, but @gronke found that an attacker can circumvent that restriction by tunneling requests through the proxy server itself in an SSRF-style attack. (fa89055, @mhils)
Add (optional) password protection for mitmweb. The web_password option replaces the randomly-generated token authentication with a fixed secret that survives mitmproxy restarts. (0bd573a, @mhils)
mitmweb can now be hosted under arbitrary domains; the previously-used DNS rebind protection is not required anymore. (62693af, @mhils)
Security Hardening: mitmweb's xsrf_token cookie is now HttpOnly; SameSite=Strict.
We now provide standalone binaries for Linux arm64.
Standalone binaries are now compiled with Python 3.13.
Fix console freezing due to DNS queries with an empty question section.
Add mitmweb tutorial to docs.
Fixed a bug that caused mitmproxy to crash when loading prior knowledge h2 flows.
Fix a bug where mitmproxy would get stuck in secure web proxy mode when using ignore_hosts or allow_hosts.
Copy request/response data to the clipboard in mitmweb
Fix a bug where exporting a curl or httpie command with escaped characters would lead to different data being sent.
05 February 2025: mitmproxy 11.1.1
Yanked. Identical to 11.1.2, but failed to deploy in CI.
12 January 2025: mitmproxy 11.1.0
Local Capture Mode is now available on Linux as well.
mitmproxy now requires Python 3.12 or above.
Add cache-busting for mitmweb's front end code.
Clicking the URL in mitmweb now places the cursor at the current position instead of selecting the entire URL.
Add missing status codes
All filter expressions are now case-insensitive by default. Users can opt into case-sensitive filters by setting MITMPROXY_CASE_SENSITIVE_FILTERS=1 as an environment variable.
Remove filter expression lowercasing in block_list addon
Remove check for status codes in the blocklist add-on.
Prompt user before clearing screen
05 December 2024: mitmproxy 11.0.2
Stop sorting keys in JSON contentview
Fix a bug where a custom CA would raise an error.
Fix a bug where the mitmproxy UI would crash on negative durations.
Allow technically invalid HTTP transfer encodings in requests if validate_inbound_headers is disabled.
Fix a bug in windows management in mitmproxy TUI whereby the help window does not appear if "?" is pressed within the overlay
24 November 2024: mitmproxy 11.0.1
Tighten HTTP detection heuristic to better support custom TCP-based protocols.
Implement stricter validation of HTTP headers to harden against request smuggling attacks.
Increase HTTP/2 default flow control window size, fixing performance issues.
Fix a bug where mitmproxy would incorrectly report that TLS 1.0 and 1.1 are not supported with the current OpenSSL build.
Docker: Update image to Python 3.13 on Debian Bookworm.
Add a tun proxy mode that creates a virtual network device on Linux for transparent proxying.
browser.start command now supports Firefox.
Fix interaction of the modify_headers and stream_large_bodies options. This may break users of modify_headers that rely on filters referencing the message body. We expect this to be uncommon, but please make yourself heard if that's not the case.
Fix a crash when handling corrupted compressed body in savehar addon and its tests.
Remove dependency on protobuf library as it was no longer being used.
02 October 2024: mitmproxy 11.0.0
mitmproxy now supports transparent HTTP/3 proxying.
Add HTTP3 support in HTTPS reverse-proxy mode.
mitmproxy now officially supports Python 3.13.
Tighten HTTP detection heuristic to better support custom TCP-based protocols.
Add show_ignored_hosts option to display ignored flows in the UI. This option is implemented as a temporary workaround and will be removed in the future.
Fix slow tnetstring parsing in case of very large tnetstring.
Add getaddrinfo-based fallback for DNS resolution if we are unable to determine the operating system's name servers.
Improve the error message when users specify the certs option without a matching private key.
Fix a bug where intermediate certificates would not be transmitted when using QUIC.
Fix a bug where fragmented QUIC client hellos were not handled properly.
Emit a warning when users configure a TLS version that is not supported by the current OpenSSL build.
Fix a bug where mitmproxy would crash when receiving STOP_SENDING QUIC frames.
Fix error when unmarking all flows.
Add addon to update the alt-svc header in reverse mode.
Do not send unnecessary empty data frames when streaming HTTP/2.
Fix a bug where mitmproxy would ignore Ctrl+C/SIGTERM on OpenBSD.
Fix of measurement unit in HAR import, duration is in milliseconds.
Connection.tls_version now is QUICv1 instead of QUIC for QUIC.
Add support for full mTLS with client certs between client and mitmproxy.
Update documentation adding a list of all possible web_columns
Files:
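
Added example, not part of the commit or of mitmproxy's code: the CVE-2025-23217 entry above describes requests tunneled through the proxy reaching an API bound to localhost. The sketch below shows the destination check a forward proxy can apply as defence in depth, alongside the token authentication that 11.1.2 introduces. `ADMIN_PORT`, `targets_admin_api` and the sample hostnames are assumptions made for this illustration.

```python
import ipaddress
import socket

ADMIN_PORT = 8081  # assumption: port of the loopback-bound admin API


def _system_resolver(host):
    """Resolve a name to all of its addresses via the OS resolver."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def _is_local(ip):
    """True for loopback/unspecified addresses, including IPv4-mapped IPv6."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_loopback or ip.is_unspecified


def targets_admin_api(host, port, resolver=_system_resolver):
    """Decide whether a proxied request would land on the local admin API.

    The check runs on the resolved addresses, not on the hostname string,
    so a public name that points at 127.0.0.1 is caught as well.
    """
    if port != ADMIN_PORT:
        return False
    host = host.strip("[]")  # URL-style IPv6 literal
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError:
            return False  # unresolvable: the upstream connection fails anyway
    return any(_is_local(a) for a in addrs)


if __name__ == "__main__":
    # Constructed sample destinations, as a proxy would see them.
    fake_dns = {"internal.example": {"127.0.0.1"}, "www.example": {"93.184.216.34"}}
    for dest in [("127.0.0.1", 8081), ("[::1]", 8081), ("internal.example", 8081),
                 ("www.example", 8081), ("127.0.0.1", 443)]:
        print(dest, targets_admin_api(*dest, resolver=lambda h: fake_dns[h]))
```

A destination filter of this kind only narrows the exposure; requiring authentication on the API itself, as the release does, is what removes the reliance on network position.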