net-proxy/mitmproxy-8.0.0 version bump

Security Fixes:
CVE-2022-24766: Fix request smuggling vulnerability reported by @zeyu2001 (@mhils)

Full Changelog: https://mitmproxy.org/posts/releases/mitmproxy8/
Support proxy authentication for SOCKS v5 mode (@starplanet)
Make it possible to ignore connections in the tls_clienthello event hook (@mhils)
fix some responses not being decoded properly if the encoding was uppercase (#4735, @Mattwmaster58)
Trigger event hooks for flows with semantically invalid requests, for example invalid content-length headers (@mhils)
Improve error message on TLS version mismatch (@mhils)
Windows: Switch to Python’s default asyncio event loop, which increases the number of sockets that can be processed simultaneously (@mhils)
Add client_replay_concurrency option, which allows more than one client replay request to be in-flight at a time. (@rbdixon)
New content view which handles gRPC/protobuf. Allows to apply custom definitions to visualize different field decodings. Includes example addon which applies custom definitions for selected gRPC traffic (@mame82)
Fix a crash caused when editing string option (#4852, @rbdixon)
Base container image bumped to Debian 11 Bullseye (@Kriechi)
Upstream replays don’t do CONNECT on plaintext HTTP requests (#4876, @HoffmannP)
Remove workarounds for old pyOpenSSL versions (#4831, @KarlParkinson)
Add fonts to asset filter (~a) (#4928, @elespike)
Fix bug that crashed when using view.flows.resolve (#4916, @rbdixon)
Fix a bug where running() is invoked twice on startup (#3584, @mhils)
Correct documentation example for User-Agent header modification (#4997, @jamesyale)
Fix random connection stalls (#5040, @EndUser509)
Add n new flow keybind to mitmweb (#5061, @ianklatzco)
Fix compatibility with BoringSSL (@pmoulton)
Added WebSocketMessage.injected flag (@Prinzhorn)
Add example addon for saving streamed data to individual files (@EndUser509)
Change connection event hooks to be blocking. Processing will only resume once the event hook has finished. (@Prinzhorn)
Reintroduce Flow.live, which signals if a flow belongs to a currently active connection. (#4207, @mhils)
Speculative fix for some rare HTTP/2 connection stalls (#5158, @EndUser509)
Add ability to specify custom ports with LDAP authentication (#5068, @demonoidvk)
Add support for rotating saved streams every hour or day (@EndUser509)
Console Improvements on Windows (@mhils)
Fix processing of --set options (#5067, @marwinxxii)
Lowercase user-added header names and emit a log message to notify the user when using HTTP/2 (#4746, @mhils)
Exit early if there are errors on startup (#4544, @mhils)

Reproducible: Always

If the security issue was worth thinking about, it may be worth reverting https://github.com/mitmproxy/mitmproxy/pull/4897 and going ahead without a newer pyOpenSSL (but I'd rather not).

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c4ab640e100fe8f29ee6cfe6bf0e9d822183890

commit 2c4ab640e100fe8f29ee6cfe6bf0e9d822183890
Author: Matthew Smith <matthew@gentoo.org>
AuthorDate: 2022-04-28 17:12:42 +0000
Commit: Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-04-28 17:36:58 +0000

    net-proxy/mitmproxy: add 8.0.0

    Closes: https://bugs.gentoo.org/835809
    Bug: https://bugs.gentoo.org/835803
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 net-proxy/mitmproxy/Manifest | 1 +
 net-proxy/mitmproxy/mitmproxy-8.0.0.ebuild | 70 ++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)