Changes with Apache 2.0.63
*) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
to /Device/Nul as the server is starting up, mirroring unix MPM's.
PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe]
*) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
by recreating the bucket allocator each time the trans pool is cleared.
PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>]
Changes with Apache 2.0.62 (not released)
*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox, Joe Orton]
*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
[Joe Orton]
*) Introduce the ProxyFtpDirCharset directive, allowing the administrator
to identify a default, or specific servers or paths which list their
contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
*) log.c: Ensure Win32 resurrects its lost robust logger processes.
[William Rowe]
*) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean
shutdown of the server when the MaxClients is higher than 257,
in a more responsive manner [Mladen Turk, William Rowe]
*) Add explicit charset to the output of various modules to work around
possible cross-site scripting flaws affecting web browsers that do not
derive the response character set as required by RFC2616. One of these
reported by SecurityReason [Joe Orton]
*) http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings. [Jeff Trawick]
*) http_protocol: Escape request method in 413 error reporting.
Determined to be not generally exploitable, but a flaw in any case.
PR 44014 [Victor Stinner <victor.stinner inl.fr>]
Changes with APR 0.9.17
*) Fix DSO-related crash on z/OS caused by incorrect memory
allocation. [David Jones <oscaremma gmail.com>]
*) Define apr_ino_t in such a way that it doesn't change definition
based on the library consumer's -D'efines to the filesystem.
[Lucian Adrian Grijincu <lucian.grijincu gmail.com>]
*) Cause apr_file_dup2() on Win32 to update the MSVCRT pseudo-stdio
handles for fd-based and FILE * based I/O. [William Rowe]
*) Revert Win32 to the 0.9.14 behavior of apr_proc_create() for any
of the three stdio streams which are not initialized, through either
apr_procattr_io_set() or apr_procattr_child_XXX_set(), when given a
procattr_t with one or two streams which were initialized through
apr_procattr_child_XXX_set(). Once again, these do not inherit the
parent process stdio stream to WIN32 child processes (passing
INVALID_HANDLE_VALUE instead) as on Unix. Note APR 1.3.0 adopts
the Unix behavior of inheriting any uninitialized streams as the
parent's corresponding stdio stream, in such cases. [William Rowe]
(or actually the bundled t1lib) provides its "own" implementation of
stdio.h as t1stdio.h. For this reason they take care not to include stdio.h
to avoid conflicts. But they do include stdlib.h which on HP-UX
recursively includes stdio.h. Fix by not including stdlib.h on HP-UX.
0.13 Thu May 3 23:03:00 EDT 2007
* Requires 5.8.1. (Uses tricks that don't work on 5.6). Thanks to DCANTRELL
0.12 Mon Apr 30 15:34:42 EDT 2007
* Requires 5.6. (Causes 5.5 to bus error). Thanks to RJBS.
0.11 Tue Apr 24 13:25:24 EDT 2007
* Fix for [rt.cpan.org #26536] Test suite uses /tmp with predictable filenames
Reported by ANDK
0.10_01 Tue May 9 01:21:55 EDT 2006
* Module::Refresh->refresh_module_if_modified($module)
as suggested by Daisuke Maki
----------------------------------------------------------------------
ChaSen 2.4.2 (2007/07/23)
----------------------------------------------------------------------
- bug fix
tokenization bug: unknown words with a half-width space
there, not in post-patch.
There's no need to use xargs -0: Solaris doesn't know that option, POSIX
doesn't require it, and all the filenames are sane anyway.
PATH, in which it is not directly preceded by a quote character:
#define GDM_USER_PATH "/usr/bin:/bin:${exec_prefix}"
Catch this by complaining about "${" also when it appears after a colon.
Since this check is still disabled by default, it will not surprise anyone.
* Strings are re-encoded in UTF-8. Window titles will be set correctly
regardless of title encoding
* updated documentation to v0.12
* added Occitan Language
* Bug fixes:
- Nautilus desktop window can now restore its size properly
- Sawfish.desktop file now complies with freedesktop.org standard
- Fix select workspace to make sure it calls with right arguments
- Fix 64 bit client messages
- Don't display unneeded blank lines when window is opened by
prompt function
- KDE system tray no longer fights with sawfish to reparent a tray icon
- Add bounds checking on _NET_CURRENT_DESKTOP requests
- QT applications no longer lose focus when menu is active
- Corrected window placement in xinerama/dualhead when using
centered/centered-on-parent
patch 3
1. Fixed: settings related to fold were not cleared by --reset.
2. Fixed a bug where the line feed code could not be detected correctly when
the input is only one line.
3. Inputcode() is added to the perl/ruby extension (skf bug#10955).
4. Fixed a bug that accessed beyond the array bounds under KEIS and another
specific condition.
patch 2
(1) Added the fix, omitted from the 1.95.1 release files, for compilation
failing when FOLD_SUPPORT is disabled.
(2) Fixed a mistaken condition check when G3 is replaced in Shift_JIS X 0213,
which could cause a crash.
(3) The trademark of the SoftBank Co. is corrected.
* 2007-09-06: version 1.31
- support CIDR-style addresses in the client whitelist (Claudio Strizzolo)
- improve logging of unresolvable hosts (Adrian von Bidder, Heiko
Schlichting)
- updated whitelist
- fix unix socket permission issues (Martin F Krafft, Adrian von Bidder,
Leos Bitto, Debian bug #376910)
- fix regexps for matching hosts in whitelists (Antonello Nocchi)
- do maintenance after the current request and not before (Clifton Royston)
Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
exit policy a little bit more conservative so it's safer to run an exit
relay on a home system, and fixes a variety of smaller issues.
https://www.torproject.org/download.html
Changes in version 0.1.2.19 - 2008-01-17
o Security fixes:
- Exit policies now reject connections that are addressed to a
relay's public (external) IP address too, unless
ExitPolicyRejectPrivate is turned off. We do this because too
many relays are running nearby to services that trust them based
on network address.
o Major bugfixes:
- When the clock jumps forward a lot, do not allow the bandwidth
buckets to become negative. Fixes bug 544.
- Fix a memory leak on exit relays; we were leaking a cached_resolve_t
on every successful resolve. Reported by Mike Perry.
- Purge old entries from the "rephist" database and the hidden
service descriptor database even when DirPort is zero.
- Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
crashing or mis-answering these requests.
- When we decide to send a 503 response to a request for servers, do
not then also send the server descriptors: this defeats the whole
purpose. Fixes bug 539.
o Minor bugfixes:
- Changing the ExitPolicyRejectPrivate setting should cause us to
rebuild our server descriptor.
- Fix handling of hex nicknames when answering controller requests for
networkstatus by name, or when deciding whether to warn about
unknown routers in a config option. (Patch from mwenge.)
- Fix a couple of hard-to-trigger autoconf problems that could result
in really weird results on platforms whose sys/types.h files define
nonstandard integer types.
- Don't try to create the datadir when running --verify-config or
--hash-password. Resolves bug 540.
- If we were having problems getting a particular descriptor from the
directory caches, and then we learned about a new descriptor for
that router, we weren't resetting our failure count. Reported
by lodger.
- Although we fixed bug 539 (where servers would send HTTP status 503
responses _and_ send a body too), there are still servers out there
that haven't upgraded. Therefore, make clients parse such bodies
when they receive them.
- Run correctly on systems where rlim_t is larger than unsigned long.
This includes some 64-bit systems.
- Run correctly on platforms (like some versions of OS X 10.5) where
the real limit for number of open files is OPEN_FILES, not rlim_max
from getrlimit(RLIMIT_NOFILES).
- Avoid a spurious free on base64 failure.
- Avoid segfaults on certain complex invocations of
router_get_by_hexdigest().
- Fix rare bug on REDIRECTSTREAM control command when called with no
port set: it could erroneously report an error when none had
happened.
and nothing else. This prevents bootstrap from exiting just because
there is a subdirectory named "awk" (or another tool) in one of the PATH
directories.
Fixes PR 37806.
Based on patch provided by Claudio Leite in PR 37602.
Regen patch-ab and add DESTDIR support.
BSFlite ChangeLog
0.83 - 12/12/2007
* Log to a single file (option "single_log")
To review, use the command "lg"
* Added BeOS (R5) support.
* Ported to AmigaOS w/ GeekGadgets.
* Added 'v' command to set/unset invisible status.
* Fixed a mysterious bug where buddies would sign off repeatedly