Changes in 1.2.1:
* Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped
backslashes in URLs on Windows
* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with Adobe
Flash
* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon
UI
* Fix various bugs in the URL rewriter when recursion is involved.
* Fix couchdb start script.
* Futon: Disable buttons that aren't available for the logged-in user.
* Fix potential replication timeouts.
* Change use of signals to avoid broken view groups.
Upstream changes:
1.302 Fri Mar 1 2013
[ENHANCEMENTS]
- Git::Repository::Plugin::Log is now able to parse commits
with completely empty log messages
- Git::Repository::Plugin::Log is now able to parse commits
containing multiline headers (like gpgsig and mergetag)
1.301 Mon Jan 21 2013
[DEPRECATION]
- the following Git::Repository methods are obsolete,
and will die when called: create, wc_path, repo_path
- the following parameters to Git::Repository->new are obsolete,
and will cause the constructor to die: repository, working_copy
[PACKAGING]
- switch to Dist::Zilla for maintaining the distribution
1.300 Mon Jan 7 2013
[ENHANCEMENTS]
- fixed support for overloaded objects (e.g. Path::Class objects)
in Git::Repository::Command (RT #82373)
- fixed Git::Repository::Log::Iterator to work with older gits
when disabling colored output (thanks to Dominic Humphries)
- fixed some cases where Git::Repository::Command and Git::Repository
new() methods ignored some of their parameters. They now die when
passed ambiguous or unexpected parameters.
(follow-up of RT #82373, thanks to Michael G. Schwern)
1.29 Tue Dec 4 2012
[ENHANCEMENTS]
- added support for callbacks in run()
[DOCUMENTATION]
- minor documentation improvements
1.28 Sun Nov 4 2012
[ENHANCEMENTS]
- disabled colored output from logs in Git::Repository::Log::Iterator
- wc_path() and repo_path() accessors are deprecated and now warn
- improved the inter-documentation links by liberal use of L<>
[TESTS]
- ignore commit hooks that may be included with templates (RT #80593)
- test for quiet won't fail if no identity is defined (RT #80321)
- SECURITY: CVE-2012-3499 (cve.mitre.org)
Various XSS flaws due to unescaped hostnames and URIs in HTML output in
mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
[Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
- SECURITY: CVE-2012-4558 (cve.mitre.org)
XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
Niels Heinen <heinenn google com>]
- mod_rewrite: Stop merging RewriteBase down to subdirectories
unless new option 'RewriteOptions MergeBase' is configured.
Merging RewriteBase was unconditionally turned on in 2.2.23.
Bug Report 53963. [Eric Covener]
- mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. Bug Report 50823. [Stefan Fritsch]
- mod_ssl: log revoked certificates at level INFO
instead of DEBUG. Bug Report 52162. [Stefan Fritsch]
- mod_proxy_ajp: Support unknown HTTP methods. Bug Report 54416.
[Rainer Jung]
- mod_dir: Add support for the value 'disabled' in FallbackResource.
[Vincent Deffontaines]
- mod_ldap: Fix regression in handling "server unavailable" errors on
Windows. Bug Report 54140. [Eric Covener]
- mod_ssl: fix a regression with the string rendering of the "UID" RDN
introduced in 2.2.15. Bug Report 54510. [Kaspar Brand]
- ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
to more accurately report the negotiated protocol. Bug Report 53916.
[Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
- mod_cache: Explicitly allow cache implementations to cache a 206 Partial
Response if they choose to. Previously an attempt to cache a 206
was arbitrarily allowed if the response contained an Expires or
Cache-Control header, and arbitrarily denied if both headers were missing.
Currently the disk and memory cache providers do not cache 206 Partial
Responses. [Graham Leggett]
- core: Remove unintentional APR dependency introduced with
Apache 2.2.22. [Eric Covener]
- core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
- mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. Bug Report 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
http://maven.apache.org/docs/3.0.5/release-notes.html
Apache Maven 3.0.5 is a maintenance release to fix a security
issue, CVE-2013-0253 (Apache Maven 3.0.4).
http://maven.apache.org/security.html
CVE-2013-0253 Apache Maven 3.0.4
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has
introduced a non-secure SSL mode by default. This mode
disables all SSL certificate checking, including host
name verification, date validity, and certificate chain validation.
Not validating the certificate introduces the possibility
of a man-in-the-middle attack.
All users are recommended to upgrade to Apache Maven 3.0.5
and Apache Maven Wagon 2.4.
* Added new option '-K, --skip-size'.
* Added new option '-T, --timeout'.
* Maximum skip size is now limited to 1% of infile size or 1 GiB.
* Set current_pos to end of block when reading backwards.
* The '-E, --max-error-rate' option now checks the rate of actually
failed reads, not the growth of error size.
- Added Google search for indexable directories
- Changed X scan debug output so it won't give output all the time
- Fixed major bug in googlescan
- Added sendmail < 8.12.9 check
abc2midi, yaps, abc2abc: The time signature C| or c| is now
interpreted as 2/2 instead of 4/4.
Added Chinese character support in lyrics.
abc2midi extension: abc2midi treats Xn the same way as Zn
bug fix: abc2abc truncated the voice ids when it encountered the first
invalid character, without giving any warning.
bug fix: abc2midi was unable to trill or roll tied notes.
Version 1.6
-----------
(released Feb 3, 2013)
- Lexers added:
* Dylan console (PR#149)
* Logos (PR#150)
* Shell sessions (PR#158)
- Fix guessed lexers not receiving lexer options (#838).
- Fix unquoted HTML attribute lexing in Opa (#841).
- Fixes to the Dart lexer (PR#160).
Version 1.6rc1
--------------
(released Jan 9, 2013)
- Lexers added:
* AspectJ (PR#90)
* AutoIt (PR#122)
* BUGS-like languages (PR#89)
* Ceylon (PR#86)
* Croc (new name for MiniD)
* CUDA (PR#75)
* Dg (PR#116)
* IDL (PR#115)
* Jags (PR#89)
* Julia (PR#61)
* Kconfig (#711)
* Lasso (PR#95, PR#113)
* LiveScript (PR#84)
* Monkey (PR#117)
* Mscgen (PR#80)
* NSIS scripts (PR#136)
* OpenCOBOL (PR#72)
* QML (PR#123)
* Puppet (PR#133)
* Racket (PR#94)
* Rdoc (PR#99)
* Robot Framework (PR#137)
* RPM spec files (PR#124)
* Rust (PR#67)
* Smali (Dalvik assembly)
* SourcePawn (PR#39)
* Stan (PR#89)
* Treetop (PR#125)
* TypeScript (PR#114)
* VGL (PR#12)
* Visual FoxPro (#762)
* Windows Registry (#819)
* Xtend (PR#68)
- The HTML formatter now supports linking to tags using CTags files, when the
python-ctags package is installed (PR#87).
- The HTML formatter now has a "linespans" option that wraps every line in a
<span> tag with a specific id (PR#82).
- When deriving a lexer from another lexer with token definitions, definitions
for states not in the child lexer are now inherited. If you override a state
in the child lexer, an "inherit" keyword has been added to insert the base
state at that position (PR#141).
- The C family lexers now inherit token definitions from a common base class,
removing code duplication (PR#141).
- Use "colorama" on Windows for console color output (PR#142).
- Fix Template Haskell highlighting (PR#63).
- Fix some S/R lexer errors (PR#91).
- Fix a bug in the Prolog lexer with names that start with 'is' (#810).
- Rewrite Dylan lexer, add Dylan LID lexer (PR#147).
- Add a Java quickstart document (PR#146).
- Add an "external/autopygmentize" file that can be used as .lessfilter (#802).
version 2.10.7 (02/13/2013):
Alien hatchery:
* No changes
General:
* The configure script will now exit with status 1 when specifying
invalid protocol plugins using the --with-static-prpls and
--with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
libpurple:
* Fix a crash when receiving UPnP responses with abnormally long values.
(CVE-2013-0274)
* Don't link directly to libgcrypt when building with GnuTLS support.
(Bartosz Brachaczek) (#15329)
* Fix UPnP mappings on routers that return empty <URLBase/> elements
in their response. (Ferdinand Stehle) (#15373)
* Tcl plugin uses saner, race-free plugin loading.
* Fix the Tcl signals-test plugin for savedstatus-changed.
(Andrew Shadura) (#15443)
Pidgin:
* Make Pidgin more friendly to non-X11 GTK+, such as MacPorts' +no_x11
variant.
Gadu-Gadu:
* Fix a crash at startup with a large contact list. Avatar support for
buddies will be disabled until 3.0.0. (#15226, #14305)
IRC:
* Support for SASL authentication. (Thijs Alkemade, Andy Spencer)
(#13270)
* Print topic setter information at channel join. (#13317)
MSN:
* Fix SSL certificate issue when signing into MSN for some users.
* Fix a crash when removing a user before its icon is loaded. (Mark
Barfield) (#15217)
MXit:
* Fix a bug where a remote MXit user could possibly specify a local
file path to be written to. (CVE-2013-0271)
* Fix a bug where the MXit server or a man-in-the-middle could
potentially send specially crafted data that could overflow a buffer
and lead to a crash or remote code execution. (CVE-2013-0272)
* Display farewell messages in a different colour to distinguish
them from normal messages.
* Add support for typing notification.
* Add support for the Relationship Status profile attribute.
* Remove all references to Hidden Number.
* Ignore new invites to join a GroupChat if you're already joined, or
still have a pending invite.
* Fix the buddy's name not being centered vertically in the buddy list if
they did not have a status message or mood set.
* Fix decoding of font-size changes in the markup of received messages.
* Increase the maximum file size that can be transferred to 1 MB.
* When setting an avatar image, no longer downscale it to 96x96.
Sametime:
* Fix a crash in Sametime when a malicious server sends us an abnormally
long user ID. (CVE-2013-0273)
Yahoo!:
* Fix a double-free in profile/picture loading code. (Mihai Serban)
(#15053)
* Fix retrieving server-side buddy aliases. (Catalin Salgu) (#15381)
Plugins:
* The Voice/Video Settings plugin supports using the sndio GStreamer
backends. (Brad Smith) (#14414)
* Fix a crash in the Contact Availability Detection plugin. (Mark)
(#15327)
* Make the Message Notification plugin more friendly to non-X11 GTK+,
such as MacPorts' +no_x11 variant.