2026-02-06  Renaud Allard  <renaud@allard.it>

	* Release 0.9.19
	- Performance: Add SO_SPLICE zero-copy forwarding on OpenBSD to eliminate
	  user-space copies after the initial handshake is parsed.
	- Performance: Enable PCRE2 JIT compilation for backend regex matching,
	  set TCP_NODELAY on client and server sockets, convert HPACK dynamic
	  table to a ring buffer for O(1) inserts, increase table hostname cache
	  from 256 to 1024 entries, skip redundant ev_io stop/start when event
	  mask is unchanged, remove redundant buffer zeroing on pool acquire,
	  merge TLS extension validation into a single pass, and remove the
	  per-backend single-entry match cache.
	- Security: Enforce extension count limit across all TLS parsing paths
	  including extensions_have_required_version, explicitly unsplice before
	  closing idle spliced connections, and log SO_SPLICE cleanup failures.
	- Bug fixes: Fix data corruption in buffer_coalesce optimization path,
	  double close of FDs in ipc_crypto_recv_msg and logger LOGGER_CMD_DROP,
	  errno clobbered before restart check in resolver_ipc_cb, reload_tables
	  skipping consecutive table removals, accept_listener_arg returning
	  success on invalid argument, listeners_reload ignoring init_listener
	  failure, ambiguous prefix matching in accept_resolver_mode and
	  lookup_syslog_facility, NULL pointer dereference in hpack_add_entry on
	  malloc failure, overlapping memcpy in new_address port stripping, and
	  blocking nanosleep retry loop in connect path.
	- API: Add getter/setter functions for connection header/idle timeouts,
	  TLS extension limits, HTTP/2 frame and header count limits, and XMPP
	  max header length.

2026-01-02  Renaud Allard  <renaud@allard.it>

	* Release 0.9.18
	- XMPP: Add protocol handler and listener support that extracts the stream 'to'
	  attribute so XMPP (including STARTTLS) can be proxied by hostname; includes
	  dedicated parser tests and a fuzz harness.
	- Fuzzing: Disable ASan ODR indicators in fuzz builds and mark stub HTTP/TLS
	  protocol pointers weak in the listener ACL harness to avoid
	  multiple-definition link errors.

2025-12-19  Renaud Allard  <renaud@allard.it>

	* Release 0.9.17
	- Security: Limit IPC generation gaps to 16 so forged UINT32_MAX generations
	  cannot force billions of rekeys and DoS ipc_crypto receivers.
	- Build/CI: release-packages workflow downloads autoconf 2.71 from GNU and
	  kernel mirrors before ftp.gnu.org to avoid bootstrap timeouts.

2025-12-16  Renaud Allard  <renaud@allard.it>

	* Release 0.9.16
	- IPC crypto: Protocol bumped to IPC2 with an authenticated generation
	  field so rekeys are deterministic, time-based rekeys succeed even with
	  sparse traffic, receivers catch up after missed generations, and
	  stale-generation frames are rejected to avoid replay-driven hangs after
	  long uptimes.

2025-12-15  Renaud Allard  <renaud@allard.it>

	* Release 0.9.15
	- Security: Binder helper restricts requests to validated AF_INET/AF_INET6/
	  AF_UNIX stream sockets under the configured allowlist and seccomp filters
	  are process-specific to narrow syscall exposure.
	- TLS/DNS: DoT upstreams accept a configurable minimum TLS version
	  (default tls1.2) and too-old ClientHello versions are rejected instead of
	  being routed to fallback backends.
	- Reliability: IPC replay protection enforces monotonic counters, logger
	  child health checks detect stalls, backend regex cache initialization
	  failures no longer crash lookup, global ACL policy resets after parsing,
	  EINTR connect retries were fixed, and rate-limit OOM paths reject with
	  exponential backoff.
	- Docs: README/man pages refreshed and the obsolete splice(2) reference was
	  removed.

2025-12-03  Renaud Allard  <renaud@allard.it>

	* Release 0.9.14
	- Breaking change: DNS-over-TLS nameserver entries using IP literals now
	  require either a TLS hostname (`dot://IP/hostname`) or `/insecure`; bare
	  IP-only entries are rejected to avoid silent verification bypass.
	- Reliability: Fatal exit paths log the failure reason before terminating,
	  covering daemonization, privilege drops, and child process handoffs.

2025-11-25  Renaud Allard  <renaud@allard.it>

	* Release 0.9.13
	- Build/CI: Release workflow discovers Rocky releases via mirrors and Docker
	  tags, builds both latest and previous Rocky majors with consistent jobs,
	  falls back to microdnf when dnf is missing, and openSUSE autoconf downloads
	  use a mirrored source when ftp.gnu.org is unavailable.
	- Testing: Buffer tests now create/destroy a dedicated libev loop and fix the
	  leak that broke Valgrind runs; the Valgrind workflow builds from tests/ and
	  surfaces failures.
	- Bug fix: Resolved a use-after-free when config files have incorrect
	  permissions.

2025-11-24  Renaud Allard  <renaud@allard.it>

	* Release 0.9.12
	- Build/Packaging: rpmbuild now preserves %{optflags} while appending the
	  libev include path, drops the unused perl BuildRequires, ships the missing
	  hostname_sanitize.h in release tarballs, and allows the release-packages
	  workflow to be triggered manually for RPM/DEB artifacts.
	- Installation: removed the sniproxy wrapper entirely so only the real
	  daemon installs under sbin, avoiding duplicate or stale binaries.
	- Tests/Fuzzing: added a resolver response fuzz harness with fuzz-only
	  resolver helpers, broadened the libev stub to cover timers/signals/loop
	  lifecycle, and fixed a leak in the resolver fuzz harness to keep fuzz runs
	  stable.

2025-11-23  Renaud Allard  <renaud@allard.it>

	* Release 0.9.11
	- Security: HTTP parsers enforce a configurable http_max_headers guard
	  (default 100), TLS ClientHello logic counts extensions before walking
	  them, and ipc_crypto rejection paths now run dummy decrypts with
	  dedicated zero_tag buffers so authentication failures do not leak timing
	  information.
	- Configuration: Path directives are canonicalized, keyword handlers
	  gained typed cleanup hooks so repeated resolver/logger/listener ACL
	  blocks release previous allocations, address/table helpers and resolver
	  restart queues were hardened with runtime checks, and the
	  long-deprecated sniproxy-cfg helper plus its man page were removed.
	- Tooling/Tests: Ship a hardened scripts/sniproxy.service unit, drop the
	  wrapper shim so only the real sniproxy binary installs under sbin on every
	  platform, extend GitHub releases to build RPM/DEB artifacts, and grow the
	  fuzzing suite with new address/table/listener ACL/ipc harnesses that
	  default to error-only logs.

2025-11-22  Renaud Allard  <renaud@allard.it>

	* Release 0.9.10
	- Security: Temporary directory creation now rejects symlinks for both /var/run
	  and /tmp fallbacks by switching to lstat() before the O_NOFOLLOW open,
	  so attackers cannot pre-create redirects.
	- Robustness: Unix-socket addresses always terminate sun_path after strncpy()
	  and the cfg_tokenizer guarantees buffers are null-terminated on every
	  failure path, preventing rare parser overreads.
	- DNS: Resolver concurrency defaults remain at 512/16 but configuration reloads
	  now propagate the per-client limit consistently alongside the global cap.

2025-11-21  Renaud Allard  <renaud@allard.it>

	* Release 0.9.9
	- Security: Harden PROXY header emission by checking buffer space, logging the
	  client when the header cannot be appended, and aborting routing instead of
	  silently continuing; address parsing now validates sockaddr lengths/sa_len,
	  casts bytes to unsigned char before tolower(), bounds the recursion depth,
	  and clamps copy_sockaddr_to_storage/backend caches to prevent overruns.
	- Networking: Per-client DNS concurrency limits complement the global cap so
	  abusive clients cannot starve other users, the defaults jump to 16 per client
	  and 512 overall with resolver max_concurrent_queries(_per_client) settings,
	  and the address parser handles trailing ports iteratively with centralized
	  apply_port_if_needed logic.
	- Crypto: ipc_crypto_seal validates header/tag overhead, refuses SIZE_MAX
	  overflows, and stops once the send counter reaches UINT64_MAX; derive_key
	  enforces a 1024-byte label limit before allocating HKDF info buffers.
	- Reliability: Buffer helpers now assert read/write offsets never exceed their
	  capacity and setup_write_iov aborts when a buffer claims more bytes than it
	  allocated, preventing silent corruption.

2025-11-20  Renaud Allard  <renaud@allard.it>

	* Release 0.9.8
	- Security: require libpcre2 everywhere (runtime, tests, fuzzers, packaging)
	  and drop the legacy PCRE1 fallback; HKDF buffers now zeroize and reject
	  oversized labels.
	- Hardening: configuration reloads re-check file permissions, all config
	  paths must be absolute, resolver search domains are treated as literal
	  suffixes, and temporary connection dumps use mkostemp() with CLOEXEC.
	- Networking: resolver blocks now support DNS-over-TLS `dot://` upstreams
	  with full certificate validation using the system trust store.
	- Reliability: resolver cancellation gains an atomic memory fence to prevent
	  race windows, and documentation/metadata reflect the updated behavior.

2025-11-19  Renaud Allard  <renaud@allard.it>

	* Release 0.9.7
	- DNS: enable relaxed DNSSEC validation by default so wildcard tables and
	  fallback targets benefit from authenticated data without manual resolver
	  blocks.
	- Security: enforce fatal configuration-permission checks in sniproxy using
	  fstat() on the open descriptor, covering startup and reload flows.
	- Documentation: refresh README, architecture references, and man pages to
	  reflect the new DNSSEC default and strict configuration requirements.

2025-11-18  Renaud Allard  <renaud@allard.it>

	* Release 0.9.6
	- Security: per-IP rate limiting now uses FNV-1a hashes with collision
	  rejection and short-chain cutoffs, plus hard caps on HTTP headers, TLS
	  extensions, and IPC payload lengths to stop CPU/memory exhaustion attacks.
	- DNS: arc4random()-seeded query IDs, mutex-protected restart flags, and query
	  handle state assertions prevent leaks, counter drift, and use-after-free
	  bugs.
	- Reliability: shrink candidate queues cap at 4096 entries with active
	  trimming, buffer growth failures explicitly close connections, and log
	  duration math clamps negative values caused by time jumps.
	- Hardening: buffer pool magic numbers detect corruption, secure_memzero wipes
	  sensitive memory, and PID file validation prevents stale sockets or symlink
	  abuse before daemon startup.

2025-11-15  Renaud Allard  <renaud@allard.it>

	* Release 0.9.5
	- Performance: cache ev_now and add hysteresis to idle timers and buffer growth.
	- Reliability: resolver crash handler avoids spurious write/writev warnings.
	- CI: fuzz workflow auto-selects clang/libFuzzer toolchains and surfaces compiler output.

2025-11-14  Renaud Allard  <renaud@allard.it>

	* Release 0.9.4
	- Resource: configurable per-connection buffer caps prevent slow clients from pinning unbounded RAM.
	- Security: configuration files with group/world permissions now abort startup instead of warning.
	- IPC: binder/logger/resolver children close all inherited FDs except their control socket.

2025-11-12  Renaud Allard  <renaud@allard.it>

	* Release 0.9.3
	- Security: fail fast if dropping privileges leaves either real or effective UID at 0.
	- Security: sniproxy warns when configuration files are group or world accessible.
	- IPC: binder/logger/resolver channels encrypt control traffic and enforce stricter validation/error reporting.
	- Performance: idle connection buffers honor a soft memory limit and shrink immediately under load.
	- Resource: configurable per-connection buffer caps prevent slow clients from pinning unbounded RAM.

2025-11-10  Renaud Allard  <renaud@allard.it>

	* Release 0.9.2
	- Harden resolver restarts and keep pending DNS queries alive
	- Restart binder helper on IPC failures and fix partial read handling
	- Retry outbound connects on transient EADDRNOTAVAIL errors

Check https://github.com/renaudallard/sniproxy/commits/
