2025-11-25  Renaud Allard  <renaud@allard.it>

	* Release 0.9.13
	- Build/CI: Release workflow discovers Rocky releases via mirrors and Docker
	  tags, builds both latest and previous Rocky majors with consistent jobs,
	  falls back to microdnf when dnf is missing, and openSUSE autoconf downloads
	  use a mirrored source when ftp.gnu.org is unavailable.
	- Testing: Buffer tests now create/destroy a dedicated libev loop and fix the
	  leak that broke Valgrind runs; the Valgrind workflow builds from tests/ and
	  surfaces failures.
	- Bug fix: Resolved a use-after-free when config files have incorrect
	  permissions.

2025-11-24  Renaud Allard  <renaud@allard.it>

	* Release 0.9.12
	- Build/Packaging: rpmbuild now preserves %{optflags} while appending the
	  libev include path, drops the unused perl BuildRequires, ships the missing
	  hostname_sanitize.h in release tarballs, and allows the release-packages
	  workflow to be triggered manually for RPM/DEB artifacts.
	- Installation: removed the sniproxy wrapper entirely so only the real
	  daemon installs under sbin, avoiding duplicate or stale binaries.
	- Tests/Fuzzing: added a resolver response fuzz harness with fuzz-only
	  resolver helpers, broadened the libev stub to cover timers/signals/loop
	  lifecycle, and fixed a leak in the resolver fuzz harness to keep fuzz runs
	  stable.

2025-11-23  Renaud Allard  <renaud@allard.it>

	* Release 0.9.11
	- Security: HTTP parsers enforce a configurable http_max_headers guard
	  (default 100), TLS ClientHello logic counts extensions before walking
	  them, and ipc_crypto rejection paths now run dummy decrypts with
	  dedicated zero_tag buffers so authentication failures do not leak timing
	  information.
	- Configuration: Path directives are canonicalized, keyword handlers
	  gained typed cleanup hooks so repeated resolver/logger/listener ACL
	  blocks release previous allocations, address/table helpers and resolver
	  restart queues were hardened with runtime checks, and the
	  long-deprecated sniproxy-cfg helper plus its man page were removed.
	- Tooling/Tests: Ship a hardened scripts/sniproxy.service unit, drop the
	  wrapper shim so only the real sniproxy binary installs under sbin on every
	  platform, extend GitHub releases to build RPM/DEB artifacts, and grow the
	  fuzzing suite with new address/table/listener ACL/ipc harnesses that
	  default to error-only logs.

2025-11-22  Renaud Allard  <renaud@allard.it>

	* Release 0.9.10
	- Security: Temporary directory creation now rejects symlinks for both /var/run
	  and /tmp fallbacks by switching to lstat() before the O_NOFOLLOW open,
	  so attackers cannot pre-create redirects.
	- Robustness: Unix-socket addresses always terminate sun_path after strncpy()
	  and the cfg_tokenizer guarantees buffers are null-terminated on every
	  failure path, preventing rare parser overreads.
	- DNS: Resolver concurrency defaults remain at 512/16 but configuration reloads
	  now propagate the per-client limit consistently alongside the global cap.

2025-11-21  Renaud Allard  <renaud@allard.it>

	* Release 0.9.9
	- Security: Harden PROXY header emission by checking buffer space, logging the
	  client when the header cannot be appended, and aborting routing instead of
	  silently continuing; address parsing now validates sockaddr lengths/sa_len,
	  casts bytes to unsigned char before tolower(), bounds the recursion depth,
	  and clamps copy_sockaddr_to_storage/back-end caches from overruns.
	- Networking: Per-client DNS concurrency limits complement the global cap so
	  abusive clients cannot starve other users, the defaults jump to 16 per client
	  and 512 overall with resolver max_concurrent_queries(_per_client) settings,
	  and the address parser handles trailing ports iteratively with centralized
	  apply_port_if_needed logic.
	- Crypto: ipc_crypto_seal validates header/tag overhead, refuses SIZE_MAX
	  overflows, and stops once the send counter reaches UINT64_MAX; derive_key
	  enforces a 1024-byte label limit before allocating HKDF info buffers.
	- Reliability: Buffer helpers now assert read/write offsets never exceed their
	  capacity and setup_write_iov aborts when a buffer claims more bytes than it
	  allocated, preventing silent corruption.

2025-11-20  Renaud Allard  <renaud@allard.it>

	* Release 0.9.8
	- Security: require libpcre2 everywhere (runtime, tests, fuzzers, packaging)
	  and drop the legacy PCRE1 fallback; HKDF buffers now zeroize and reject
	  oversized labels.
	- Hardening: configuration reloads re-check file permissions, all config
	  paths must be absolute, resolver search domains are treated as literal
	  suffixes, and temporary connection dumps use mkostemp() with CLOEXEC.
	- Networking: resolver blocks now support DNS-over-TLS `dot://` upstreams
	  with full certificate validation using the system trust store.
	- Reliability: resolver cancellation gains an atomic memory fence to prevent
	  race windows, and documentation/metadata reflect the updated behavior.

2025-11-19  Renaud Allard  <renaud@allard.it>

	* Release 0.9.7
	- DNS: enable relaxed DNSSEC validation by default so wildcard tables and
	  fallback targets benefit from authenticated data without manual resolver
	  blocks.
	- Security: enforce fatal configuration-permission checks in sniproxy
	  using fstat() on the open descriptor, covering startup and
	  reload flows.
	- Documentation: refresh README, architecture references, and man pages to
	  reflect the new DNSSEC default and strict configuration requirements.
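
Added example, not code from the sniproxy sources: one way to implement the descriptor-based permission check described for 0.9.7, combined with the absolute-path rule from 0.9.8 and the group/world rejection from 0.9.4. The names open_config_checked and accepts_mode, the temporary file, and the use of O_NOFOLLOW/O_CLOEXEC on the config file are assumptions made for this sketch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an fd the caller must parse from, or -1. */
int open_config_checked(const char *path) {
    struct stat st;
    if (path == NULL || path[0] != '/') { errno = EINVAL; return -1; }
    /* O_NOFOLLOW/O_CLOEXEC are extra hardening assumed for this example. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() describes the object that was actually opened; a stat(path)
     * could be answered by a different file swapped in after the check. */
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    /* Any group or world permission bit is fatal, not a warning. */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) { close(fd); errno = EACCES; return -1; }
    return fd;
}

/* Constructed demo: create a temp file with `mode`, return 1 if accepted. */
int accepts_mode(mode_t mode) {
    char path[] = "/tmp/cfgcheck-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    int ok = -1;
    if (fchmod(tmp, mode) == 0) {
        int fd = open_config_checked(path);
        ok = (fd >= 0);
        if (fd >= 0)
            close(fd);
    }
    close(tmp);
    unlink(path);
    return ok;
}

int main(void) {
    printf("0600 -> %d, 0640 -> %d, 0644 -> %d\n",
           accepts_mode(0600), accepts_mode(0640), accepts_mode(0644));
    return 0;
}
```

The same function serves startup and reload when the parser reads from the returned descriptor instead of reopening the path.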

2025-11-18  Renaud Allard  <renaud@allard.it>

	* Release 0.9.6
	- Security: per-IP rate limiting now uses FNV-1a hashes with collision
	  rejection and short-chain cutoffs, plus hard caps on HTTP headers, TLS
	  extensions, and IPC payload lengths to stop CPU/memory exhaustion attacks.
	- DNS: arc4random()-seeded query IDs, mutex-protected restart flags, and query
	  handle state assertions prevent leaks, counter drift, and use-after-free bugs.
	- Reliability: shrink candidate queues cap at 4096 entries with active
	  trimming, buffer growth failures explicitly close connections, and log duration
	  math clamps negative values caused by time jumps.
	- Hardening: buffer pool magic numbers detect corruption, secure_memzero wipes
	  sensitive memory, and PID file validation prevents stale sockets or symlink
	  abuse before daemon startup.

2025-11-15  Renaud Allard  <renaud@allard.it>

	* Release 0.9.5
	- Performance: cache ev_now and add hysteresis to idle timers and buffer growth.
	- Reliability: resolver crash handler avoids spurious write/writev warnings.
	- CI: fuzz workflow auto-selects clang/libFuzzer toolchains and surfaces compiler output.

2025-11-14  Renaud Allard  <renaud@allard.it>

	* Release 0.9.4
	- Resource: configurable per-connection buffer caps prevent slow clients from pinning unbounded RAM.
	- Security: configuration files with group/world permissions now abort startup instead of warning.
	- IPC: binder/logger/resolver children close all inherited FDs except their control socket.

2025-11-12  Renaud Allard  <renaud@allard.it>

	* Release 0.9.3
	- Security: fail fast if dropping privileges leaves either real or effective UID at 0.
	- Security: sniproxy warns when configuration files are group or world accessible.
	- IPC: binder/logger/resolver channels encrypt control traffic and enforce stricter validation/error reporting.
	- Performance: idle connection buffers honor a soft memory limit and shrink immediately under load.
	- Resource: configurable per-connection buffer caps prevent slow clients from pinning unbounded RAM.

2025-11-10  Renaud Allard  <renaud@allard.it>

	* Release 0.9.2
	- Harden resolver restarts and keep pending DNS queries alive
	- Restart binder helper on IPC failures and fix partial read handling
	- Retry outbound connects on transient EADDRNOTAVAIL errors

Check https://github.com/renaudallard/sniproxy/commits/
