* debug build is broken
Changelog:
New: Sidebars button in browser chrome enables faster access to social, bookmark, & history sidebars
New: Mac OS X command-E sets find term to selected text
New: Support for GStreamer 1.0
Changed: Disallow calling WebIDL constructors as functions on the web
Developer: With the exception of those bundled inside an extension or ones that are whitelisted, plugins will no longer be activated by default (see blog post)
Developer: Fixes to box-shadow and other visual overflow (see bug 480888)
Developer: Mute and volume available per window when using WebAudio
Developer: background-blend-mode enabled by default
Developer: Use of line-height allowed for <input type="reset|button|submit">
Developer: ES6 array and generator comprehensions implemented (read docs for more details)
Developer: Error stack now contains column number
Developer: Support for alpha option in canvas context options (feature description)
Fixed: Ignore autocomplete="off" when offering to save passwords via the password manager (see 956906)
Fixed: TypedArrays don't support new named properties (see 695438)
Fixed: Various security fixes
Fixed in Firefox 30
MFSA 2014-54 Buffer overflow in Gamepad API
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-51 Use-after-free in Event Listener Manager
MFSA 2014-50 Clickjacking through cursor invisibility after Flash interaction
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
- caching framework may expose private data and/or allow cache poisoning
- stricter checking for valid URLs when redirecting based on user input,
e.g. on the login page
Version 3.3.2 (2014-06-04)
--------------------------
### Fixed
- Add the media query to the style sheets in debug mode (see #7070).
- Disable the debug mode in the extension creator (see #7068).
- Convert image source insert tags in the back end preview (see #7065).
- Render all root nodes in the page and file picker (see #6844).
- Add the "scssphp-compass" library to support Compass functions.
- Support adding multiple TinyMCE instances to the same page (see #7061).
Version 3.2.11 (2014-06-04)
---------------------------
### Fixed
- Make `$this->locationLabel` available in the event list (see #7030).
- Correctly set the root page title (see #7023).
- Only show the sort hint if there is more than one element (see #6935).
- Try to raise the PHP limits upon file synchronization (see #7035).
Security fixes
~~~~~~~~~~~~~~
* The XSRF token is now encoded with a random mask on each request.
This makes it safe to include in compressed pages without being
vulnerable to the `BREACH attack <http://breachattack.com>`_.
This applies to most applications that use both the ``xsrf_cookies``
and ``gzip`` options (or have gzip applied by a proxy).
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* If Tornado 3.2.2 is run at the same time as older versions on the same
domain, there is some potential for issues with the differing cookie
versions. The `.Application` setting ``xsrf_cookie_version=1`` can
be used for a transitional period to generate the older cookie format
on newer servers.
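The masking scheme described in the security fix and the version-1 fallback from the compatibility note, as an added example rather than Tornado's own code. It is modelled on a version-2 layout of `2|mask_hex|masked_token_hex|timestamp`; the 16-byte raw token, the 4-byte mask, and the function names are assumptions.

```python
import binascii
import hmac
import os
import time
from typing import Optional, Tuple

TOKEN_BYTES = 16  # size of the raw per-session secret (assumption)
MASK_BYTES = 4    # size of the per-request mask (assumption)


def new_raw_token() -> bytes:
    """The secret that must never appear as a stable byte string in a compressed page."""
    return os.urandom(TOKEN_BYTES)


def _xor_mask(mask: bytes, data: bytes) -> bytes:
    """XOR data with a short mask repeated cyclically (WebSocket-style masking)."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def encode_xsrf_token(token: bytes, version: int = 2,
                      now: Optional[float] = None) -> str:
    """Encode the raw secret for the cookie and the hidden form field.

    version 2: a fresh random mask is drawn on every call, so the bytes
    written into the page differ from request to request even though the
    secret is constant. BREACH works by watching the compressed response
    size shrink as a guess matches more of a fixed secret; with no fixed
    string to converge on, the size differences carry no signal.
    version 1: the legacy format (raw token as hex), identical on every
    request and therefore exposed when the page is gzip-compressed.
    """
    if version == 1:
        return binascii.b2a_hex(token).decode("ascii")
    if version != 2:
        raise ValueError("unsupported xsrf cookie version %r" % version)
    mask = os.urandom(MASK_BYTES)
    timestamp = int(time.time() if now is None else now)
    return "|".join(["2",
                     binascii.b2a_hex(mask).decode("ascii"),
                     binascii.b2a_hex(_xor_mask(mask, token)).decode("ascii"),
                     str(timestamp)])


def decode_xsrf_token(value: str) -> Tuple[int, bytes]:
    """Recover (version, raw token) from either encoding; raises ValueError on junk."""
    if value.startswith("2|"):
        parts = value.split("|")
        if len(parts) != 4:
            raise ValueError("malformed version 2 xsrf token")
        mask = binascii.a2b_hex(parts[1])
        masked = binascii.a2b_hex(parts[2])
        return 2, _xor_mask(mask, masked)  # parts[3] (timestamp) is not checked here
    return 1, binascii.a2b_hex(value)


def check_xsrf(cookie_value: str, form_value: str) -> bool:
    """Compare cookie and form tokens on the unmasked secret, in constant time.

    The two sides may use different encodings, e.g. a version-1 cookie set
    by a server still running with xsrf_cookie_version=1 next to a
    version-2 form field from a newer server on the same domain.
    """
    try:
        _, cookie_token = decode_xsrf_token(cookie_value)
        _, form_token = decode_xsrf_token(form_value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


if __name__ == "__main__":
    secret = new_raw_token()
    first, second = encode_xsrf_token(secret), encode_xsrf_token(secret)
    print(first)
    print(second)  # different bytes on the wire, same secret underneath
    print(check_xsrf(first, second), check_xsrf(first, encode_xsrf_token(secret, 1)))
```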
Other changes
~~~~~~~~~~~~~
* ``tornado.platform.asyncio`` is now compatible with ``trollius`` version 0.3.
added 'as' form to render_placeholder templatetag to save the result in context
added changeable strings for "?edit", "?edit_off" and "?build" urls
utils.page_resolver has been optimized
the get_page_from_path() api has been changed
fixed manage.py cms uninstall plugin for table-patched plugins
added support for python 3.4
docs updated
publish on apphook subpages no longer redirects to the apphook root
- Slovak translation (@jbub).
- Deleting a user no longer deletes the associated revisions (@daaray).
- Improving handling of inline models in admin integration (@blueyed).
- Improving error messages for proxy model registration (@blueyed).
- Improvements to using migrations with custom user model (@aivins).
- Removing sys.exit() in deleterevisions management command, allowing it to be used internally by Django projects (@tongwang).
- Fixing some backwards-compatible admin deprecation warnings (Thomas Schreiber).
- Fixing tests if RevisionMiddleware is used as a decorator in the parent project (@jmoldow).
- Derived models, such as those generated by deferred querysets, now work.
- Removed deprecated low-level API methods.
2.2.5 (2014-06-05)
------------------
Enhancements
- new meta tag to tell IE to use the highest mode available
- updated Dutch, Finnish, German, and Polish translations
Bug fixes
- avoid crashing when we forward an email with no Subject header
- we no longer try to include attachments when replying to a mail
- fixed ActiveSync repetitive events issues with "Weekly" and "Monthly" ones
- fixed ActiveSync text/plain parts re-encoding issues for Outlook
2.2.4 (2014-05-29)
------------------
New features
- new print option in Calendar module
- now able to save unknown recipient emails to address book on send (#1496)
Enhancements
- Sieve folder encoding is now configurable (#2622)
- SOGo version is now displayed in preferences window (#2612)
- report Sieve error when saving preferences (#1046)
- added the SOGoMaximumSyncWindowSize system default to overwrite the
maximum number of items returned during an ActiveSync sync operation
- updated datepicker
- addressbooks properties are now accessible from a popup window
- extended events and tasks searches
- updated Czech, French, Hungarian, Polish, Russian, Slovak, Spanish (Argentina), and Spanish (Spain) translations
- added more synced contact properties when using ActiveSync (#2775)
- now possible to configure the default subscribed resource name using SOGoSubscriptionFolderFormat
- now handle server-side folder updates using ActiveSync (#2688)
- updated CKEditor to version 4.4.1
Bug fixes
- fixed saved HTML content of draft when attaching a file
- fixed text nodes of HTML content handler by encoding HTML entities
- fixed iCal7 delegation issue with the "inbox" folder (#2489)
- fixed birth date validity checks (#1636)
- fixed URL handling (#2616)
- improved folder rename operations using ActiveSync (#2700)
- fixed SmartReply/Forward when ReplaceMime was omitted (#2680)
- fixed wrong generation of weekly repetitive events with ActiveSync (#2654)
- fixed incorrect XML data conversion with ActiveSync (#2695)
- fixed display of events having a category with HTML entities (#2703)
- fixed display of images in CSS background (#2437)
- fixed limitation of Sieve script size (#2745)
- fixed sync-token generation when no change was returned (#2492)
- fixed the IMAP copy/move operation between subfolders in different accounts
- fixed synchronization of seen/unseen status of msgs in Webmail (#2715)
- fixed focus of popup windows open through a contextual menu with Firefox on Windows 7
- fixed missing characters in shared folder names over ActiveSync (#2709)
- fixed reply and forward mail templates for Brazilian Portuguese (#2738)
- fixed newline in signature when forwarding a message as attachment in HTML mode (#2787)
- fixed restoration of options (priority & return receipt) when editing a draft (#193)
- fixed update of participation status via CalDAV (#2786)
2.2.3 (2014-04-03)
------------------
Enhancements
- updated Dutch, Hungarian, Russian and Spanish (Argentina) translations
- initial support for ActiveSync event reminders (#2681)
- updated CKEditor to version 4.3.4
Bug fixes
- fixed possible exception when retrieving the default event reminder value on 64bit architectures (#2678)
- fixed calling unescapeHTML on null variables to avoid JavaScript exceptions in Contacts module
- fixed detection of IMAP flags support on the client side (#2664)
- fixed the ActiveSync issue marking all mails as read when downloading them
- fixed ActiveSync's move operations not working for multiple selections (#2691)
- fixed email validation regexp to allow gTLDs
- improved all-day events support for ActiveSync (#2686)
2.2.2 (2014-03-21)
------------------
Enhancements
- updated French, Finnish, German and Spanish (Spain) translations
- added sanitization support for Outlook/ActiveSync to circumvent Outlook bugs (#2667)
- updated CKEditor to version 4.3.3
- updated jQuery File Upload to version 9.5.7
Bug fixes
- fixed possible exception when retrieving the default event reminder value on 64bit architectures (#2647, #2648)
- disable file paste support in mail editor (#2641)
- fixed copying/moving messages to a mail folder beginning with a digit (#2658)
- fixed unseen count for folders beginning with a digit and used in Sieve filters (#2652)
- fixed decoding of HTML entities in reminder alerts (#2659)
- fixed check for resource conflict when creating an event in the resource's calendar (#2541)
- fixed construction of mail folders tree
- fixed parsing of ORG attribute in cards (#2662)
- disabled ActiveSync provisioning for now (#2663)
- fixed messages move in Outlook which would create duplicates (#2650)
- fixed translations for OtherUsersFolderName and SharedFoldersName folders (#2657)
- fixed handling of accented characters when filtering contacts (#2656)
- fixed classification icon of events (#2651)
- fixed ActiveSync's SendMail with client version <= 12.1 (#2669)
4.1.3
Known Issues
1. The makefiles for building mod_wsgi on Windows are currently
broken and need updating. As most new changes relate to mod_wsgi
daemon mode, which is not supported under Windows, you should keep
using the last available binary for version 3.X on Windows instead.
Bugs Fixed
1. The setup.py file wasn't always detecting the Python library
version suffix properly when setting it up to be linked into the
resulting mod_wsgi.so. This would cause an error message at link
time of:
4.1.2
Bugs Fixed
1. The integration for Django management command was looking for
the wrong name for the admin script to start mod_wsgi express.
2. The code which connected to the mod_wsgi daemon process was
passing an incorrect size into the connect() call for the size of
the address structure. On some Linux systems this would cause an
error similar to:
(22)Invalid argument: mod_wsgi (pid=22944): Unable to connect to
\
WSGI daemon process 'localhost:8000' on \
'/tmp/mod_wsgi-localhost:8000:12145/wsgi.22942.0.1.sock'
This issue was only introduced in 4.1.0 and does not affect older
versions.
3. The deadlock detection thread could try and acquire the Python
GIL after the Python interpreter had been destroyed on Python
shutdown resulting in the process crashing. This issue cannot be
completely eliminated, but the deadlock thread will now at least
check whether the flag indicating process shutdown is happening
has been set before trying to acquire the Python GIL.
4.1.1
Bugs Fixed
1. Compilation would fail on Apache 2.4 due to a change in the
Apache API to determine the name of the MPM being used.
4.1.0
Bugs Fixed
1. If a UNIX signal was received by a daemon mode process while it was still
being initialised, signalling that it should shut down, the process
could crash rather than shut down properly, because the signal pipe was
not registered prior to registering the signal handler.
2. Python doesn't initialise codecs in sub interpreters automatically,
which in some cases could cause code running in a WSGI script to fail
due to the lack of an encoding for Unicode strings when converting them.
The error message in this case was:
LookupError: no codec search functions registered: can't find
encoding
The 'ascii' encoding is now forcibly loaded when initialising sub
interpreters to get Python to initialise codecs.
3. Fixed reference counting bug under Python 3 in SSL var_lookup()
function which can be used from an auth handler to look up SSL
variables.
4. The WWW-Authenticate headers returned from a WSGI application
when run under daemon mode are now always preserved as is.
Because an internal Apache routine was previously used, way back
in time the values of multiple WWW-Authenticate headers would be
merged when there was more than one. This would cause an issue with
some browsers.
A workaround was subsequently implemented above the Apache routine
to break apart the merged header to create separate ones again;
however, if the value of a header validly had a ',' in it, this
would cause the header value to be broken apart where it wasn't
meant to. This could cause issues with some types of WWW-Authenticate
headers.
Features Removed
1. No longer support the use of mod_python in conjunction with
mod_wsgi. When this is attempted an error is forced and Apache will
not be able to start. An error message is logged in main Apache
error log.
2. No longer support the use of Apache 1.3. Minimum requirement is
now Apache 2.0.
Features Changed
1. Use of the kernel sendfile() function by wsgi.file_wrapper is now
off by default. This was originally always on for embedded mode
and completely disabled for daemon mode. Use of this feature can
be enabled for either mode using the WSGIEnableSendfile directive,
setting it to On to enable it.
The default is now off because kernel sendfile() is not always able
to work on all file objects. Some instances where it will not work
are described for the Apache EnableSendfile directive.
http://httpd.apache.org/docs/2.2/mod/core.html#enablesendfile
Although Apache has use of sendfile() enabled by default for static
files, they are moving to having it off by default in future versions
of Apache. This change is being made because of the problems which
arise and users not knowing how to debug and solve them.
mod_wsgi is thus also erring on the side of caution and having it off
by default, while allowing more knowledgeable users to enable it where
they know they are always using file objects which will work with sendfile().
2. The HTTPS variable is no longer set within the WSGI environment.
The authoritative indicator of whether an SSL connection is used is
wsgi.url_scheme and a WSGI compliant application should check for
wsgi.url_scheme. The only reason that HTTPS was supplied at all
was because early Django versions supporting the WSGI interface weren't
correctly using wsgi.url_scheme. Instead they were expecting the
HTTPS variable to exist.
This change will cause non conformant WSGI applications to finally
break. This possibly includes some Django versions prior to Django
version 1.0.
Note that you can still set HTTPS in Apache configuration using
the SetEnv or SetEnvIf directive, or via a rewrite rule. In that
case, that will override what wsgi.url_scheme is set to and once
wsgi.url_scheme is set appropriately, the HTTPS variable will be
removed from the set of variables passed through to the WSGI
environment.
3. The wsgi.version variable has been reverted to 1.0 to conform
to the WSGI PEP 3333 specification. It was originally set to 1.1
on the expectation that the revised specification would use 1.1, but that
didn't come to be.
4. The inactivity-timeout option to WSGIDaemonProcess now only
results in the daemon process being restarted after the idle timeout
period where there are no active requests. Previously it would also
interrupt a long running request. See the new request-timeout option
for a way of interrupting long running, potentially blocked requests
and restarting the process.
5. If the home option is used with WSGIDaemonProcess, in addition
to that directory being made the current working directory for the
process, an empty string will be added to the start of the Python
module search path. This causes Python to look in the current
working directory for Python modules when they are being imported.
This behaviour brings things into line with what happens when
running the Python interpreter from the command line. You must
though be using the home option for this to come into play.
Do note that if your application then changes the working directory,
it will start looking in the new current working directory and not
that which is specified by the home option. This again mirrors what
the normal Python command line interpreter does.
New Features
1. Add supplementary-groups option to WSGIDaemonProcess to allow
group membership to be overridden, with the specified comma separated list
of groups used instead.
2. Add a graceful-timeout option to WSGIDaemonProcess. This option
is applied in a number of circumstances.
When maximum-requests and this option are used together, then when
the maximum number of requests is reached, rather than shutting down
immediately and potentially interrupting active requests that don't
finish within the shutdown timeout, a separate graceful shutdown period
can be specified. If all requests are completed within this time frame
then the process will shut down immediately, otherwise the normal forced
shutdown kicks in.
In some respects this is just allowing a separate shutdown timeout
in cases where requests could be interrupted, so as to avoid that if
possible.
When cpu-time-limit and this option are used together, then when the CPU
time limit is reached, rather than shutting down immediately and
potentially interrupting active requests that don't finish within the
shutdown timeout, a separate graceful shutdown period can be specified.
3. Add a potentially graceful process restart option for daemon
processes when sent a graceful restart signal. The signal is usually
SIGUSR1 but is platform dependent, as the same signal is used as Apache
would use. If the graceful-timeout option has been provided to
WSGIDaemonProcess, then the process will attempt a graceful shutdown
first based on that timeout, otherwise the normal shutdown procedure is
used as if it had received a SIGTERM.
4. Add memory-limit option to WSGIDaemonProcess to allow memory
usage of daemon processes to be restricted. This will have no effect
on some platforms as RLIMIT_AS/RLIMIT_DATA with setrlimit() isn't
always implemented. For example MacOS X and older Linux kernel
versions do not implement this feature. You will need to test
whether this feature works or not before depending on it.
5. Add virtual-memory-limit option to WSGIDaemonProcess to allow
virtual memory usage of daemon processes to be restricted. This
will have no effect on some platforms as RLIMIT_VMEM with setrlimit()
isn't always implemented. You will need to test whether this feature
works or not before depending on it.
6. Access, authentication and authorisation hooks now have additional
keys in the environ dictionary for mod_ssl.is_https and
mod_ssl.var_lookup. These equate to callable functions provided by
mod_ssl for determining if the client connection to Apache used
SSL and what the values of variables specified in the SSL certificates,
server or client, are. These are only available if Apache 2.0 or
later is being used.
7. For Python 2.6 and above, the WSGIDontWriteBytecode directive
can be used at global scope in Apache configuration to disable
writing of all byte code files, ie., .pyc, by the Python interpreter
when it imports Python code files. To disable writing of byte code
files, set directive to On.
Note that this doesn't prevent existing byte code files on disk
being used in preference to the corresponding Python code files.
Thus you should first remove .pyc files from web application
directories if relying on this option to ensure that .py file is
always used.
8. Add request-timeout option to WSGIDaemonProcess to allow a
separate timeout to be applied on how long a request is allowed to
run for before the daemon process is automatically restarted to
interrupt the request.
This is to counter the possibility that a request may become blocked
on some backend service, thereby using up available request threads
and preventing other requests from being handled.
In the case of a single threaded process, then the timeout will
happen at the specified time duration from the start of the request
being handled.
Applying such a timeout in the case of a multithreaded process is
more problematic as doing a restart when a single request exceeds
the timeout could unduly interfere with requests which have just
commenced.
In the case of a multi threaded process, what is instead done is
to take the total of the current running time of all requests and
divide that by the number of threads handling requests in that
process. When this average time exceeds the time specified, then
the process will be restarted.
This strategy for a multithreaded process means that individual
requests can actually run longer than the specified timeout and a
restart will only be performed when the overall capacity of the
processes appears to be getting consumed by a number of concurrent
long running requests, or when a specific request has been blocked
for an excessively long time.
The intent of this is to allow the process to still keep handling
requests and only perform a restart when the available capacity of
the process to handle more requests looks to be potentially on the
decline.
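The restart rule from item 8 above, as an added example and not mod_wsgi's own code; the RequestTimeoutMonitor class and its method names are assumptions, and the usage at the bottom shows why one slow request in a 15-thread process does not by itself force a restart.

```python
class RequestTimeoutMonitor:
    """Restart decision for a daemon process under the request-timeout option.

    Tracks the start time of each active request. The process should be
    restarted when the summed running time of all active requests, divided
    by the number of request threads, exceeds `timeout`. With a single
    thread this collapses to the running time of the one active request.
    """

    def __init__(self, timeout: float, threads: int):
        if timeout <= 0 or threads <= 0:
            raise ValueError("timeout and threads must be positive")
        self.timeout = float(timeout)
        self.threads = threads
        self._active = {}  # request id -> start time (seconds)

    def begin(self, request_id, now: float) -> None:
        """Record that a thread started handling `request_id` at time `now`."""
        if request_id not in self._active and len(self._active) >= self.threads:
            raise RuntimeError("more active requests than request threads")
        self._active[request_id] = now

    def end(self, request_id) -> None:
        """Record that the request finished (or its thread gave up on it)."""
        self._active.pop(request_id, None)

    def active(self) -> int:
        """Number of requests currently being handled."""
        return len(self._active)

    def average_running_time(self, now: float) -> float:
        """Total running time of active requests spread over all threads."""
        total = sum(now - started for started in self._active.values())
        return total / self.threads

    def should_restart(self, now: float) -> bool:
        """True once the per-thread average strictly exceeds the timeout."""
        return bool(self._active) and self.average_running_time(now) > self.timeout


if __name__ == "__main__":
    # Constructed scenario: request-timeout=60 on a 15-thread process.
    m = RequestTimeoutMonitor(timeout=60, threads=15)
    m.begin("slow", now=0)
    print("one 300 s request:", m.should_restart(now=300))      # False, avg 20 s
    print("one 901 s request:", m.should_restart(now=901))      # True, avg > 60 s
    for i in range(14):
        m.begin(i, now=0)
    print("fifteen 61 s requests:", m.should_restart(now=61))   # True
```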
9. Add connect-timeout option to WSGIDaemonProcess to allow a
timeout to be specified on how long the Apache child worker processes
should wait on being able to obtain a connection to the mod_wsgi
daemon process.
As UNIX domain sockets are used, connections should always succeed,
however there have been some incidents seen which could only be
explained by the operating system hanging on the initial connect
call without being added to the daemon process socket listener
queue. As such the timeout has been added. The timeout defaults to
15 seconds.
This timeout also now dictates how long the Apache child worker
process will attempt to get a connection to the daemon process when
the connection is refused due to the daemon socket listener queue
being full. Previously how long connection attempts were tried was
based on an internal retry count rather than a configurable timeout.
10. Add socket-timeout option to WSGIDaemonProcess to allow the
timeout on individual read/writes on the socket connection between
the Apache child worker and the daemon process to be specified
separately to the Apache Timeout directive.
If this option is not specified, it will default to the value of
the Apache Timeout directive.
11. Add queue-timeout option to WSGIDaemonProcess to allow a request
to be aborted if it never got handed off to a mod_wsgi daemon
process within the specified time. When this occurs a '503 Service
Unavailable' response will be returned.
This is to allow one to control what to do when backlogging of
requests occurs. If the daemon process is overloaded and getting
behind, then it is more than likely that a user will have given up
on the request anyway if they have to wait too long. This option
allows you to specify that a request that was queued up waiting
for too long is discarded, allowing any transient backlog to be
quickly discarded and not simply cause the daemon process to become
even more backlogged.
12. Add listen-backlog option to WSGIDaemonProcess to allow the
daemon process socket listener backlog size to be specified. By
default this limit is 100, although this is actually a hint, as
different operating systems can have different limits on the maximum
value or otherwise treat it in special ways.
13. Add WSGIPythonHashSeed directive to allow Python behaviour
related to initial hash seed to be overridden when the interpreter
supports it.
This is equivalent to setting the PYTHONHASHSEED environment variable
and should be set to either random or a number in the
range [0; 4294967295].
14. Implemented a new streamlined way of installing mod_wsgi as a
Python package using a setup.py file or from PyPi. This includes
a mod_wsgi-express script that can then be used to start up
Apache/mod_wsgi with an auto generated configuration on port 8000.
This makes it easy to run up Apache for development without
interfering with the main Apache on the system and without having
to worry about configuring Apache. Command line options can be used
to override behaviour.
Once the mod_wsgi package has been installed into your Python
installation, you can run:
mod_wsgi-express start-server
Then open your browser on the listed URL. This will verify that
everything is working. Enter CTRL-C to exit the server and shut it
down.
You can now point it at a specific WSGI application script file:
mod_wsgi-express start-server wsgi.py
For options run:
mod_wsgi-express start-server --help
If you already have another web server running on port 8000, you
can override the port to be used using the --port option:
mod_wsgi-express start-server wsgi.py --port 8001
15. Implemented a Django application plugin to add a runmodwsgi
command to the Django management command script. This allows the
automatic run up of the new mod_wsgi express script, with it hosting
the Django web site the plugin was added to.
To enable, once the mod_wsgi package has been installed into your
Python installation, add mod_wsgi.server to the INSTALLED_APPS
setting in your Django settings file.
After having run the collectstatic Django management command, you
can then run:
python manage.py runmodwsgi
For options run:
python manage.py runmodwsgi --help
To enable automatic code reloading in a development setting, use
the option:
python manage.py runmodwsgi --reload-on-changes
16. The maximum size that a response header/value can be that is
returned from a WSGI application under daemon mode can now be
configured. The default size has also now been increased from 8192
bytes to 32768 bytes. The name of the option to WSGIDaemonProcess
to set the buffer size used is header-buffer-size.
Security Issues
Local privilege escalation when using daemon mode. (CVE-2014-0240)
The issue is believed to affect Linux systems running kernel versions
>= 2.6.0 and < 3.1.0.
The issue affects all versions of mod_wsgi up to and including
version 3.4.
The source of the issue derives from mod_wsgi not correctly handling
Linux specific error codes from setuid(), which differ from what
would be expected to be returned by UNIX systems conforming to the
Open Group UNIX specification for setuid().
http://man7.org/linux/man-pages/man2/setuid.2.html
http://pubs.opengroup.org/onlinepubs/009695399/functions/setuid.html
This difference in behaviour between Linux and the UNIX specification
was believed to have been removed in version 3.1.0 of the Linux
kernel.
https://groups.google.com/forum/?fromgroups=#!topic/linux.kernel/u6cKf4D1D-k
The issue would allow a user, where Apache is initially being
started as the root user and where code is run under mod_wsgi
daemon mode as an unprivileged user, to manipulate the number of
processes run by that user to affect the outcome of setuid() when
daemon mode processes are forked and so gain escalated privileges
for the user's code.
Due to the nature of the issue, if you provide a service or allow
untrusted users to run Python web applications you do not control
the code for, and do so using daemon mode of mod_wsgi, you should
update mod_wsgi as soon as possible.
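A privilege-drop routine of the kind the advisory above calls for, as an added example and not mod_wsgi's code. It treats every setuid()/setgid() failure as fatal (Linux reports EAGAIN when the target uid is at its process limit, which POSIX does not list) and then verifies the real, effective and saved ids. It assumes Linux (getresuid/getresgid); the `sysapi` parameter and `fake_sysapi` helper exist only to exercise the failure paths without root.

```python
import errno
import os
import types


def drop_privileges(uid: int, gid: int, sysapi=os):
    """Switch the process to (uid, gid) and prove that it actually happened.

    Returns (True, "ok") on success or (False, reason) on failure. A caller
    that receives False must terminate the process: carrying on would run
    the application code with the privileges it was supposed to shed, which
    is the outcome described for CVE-2014-0240. (In C the equivalent
    mistake is ignoring the -1 return value of setuid().)

    `sysapi` defaults to the real os module; it is a parameter only so the
    failure branches can be demonstrated without root.
    """
    try:
        # Groups first: once the uid is unprivileged, setgid() would fail.
        sysapi.setgid(gid)
        sysapi.setuid(uid)
    except OSError as exc:
        if exc.errno == errno.EAGAIN:
            # Linux returns EAGAIN when the target uid already has RLIMIT_NPROC
            # processes; POSIX lists only EINVAL and EPERM for setuid(). The
            # target user can drive their own process count up, so this
            # failure is attacker-influenced and must be fatal, never a retry.
            return False, "setuid/setgid failed with EAGAIN (RLIMIT_NPROC reached?)"
        return False, "setuid/setgid failed: %s" % os.strerror(exc.errno)

    # Do not trust the return code alone: confirm that real, effective and
    # saved ids all changed. A saved uid of 0 would allow a later setuid(0).
    uids, gids = sysapi.getresuid(), sysapi.getresgid()
    if uids != (uid, uid, uid):
        return False, "uid not fully dropped: %r" % (uids,)
    if gids != (gid, gid, gid):
        return False, "gid not fully dropped: %r" % (gids,)
    return True, "ok"


def fake_sysapi(fail_with=None, uids=(1000, 1000, 1000), gids=(1000, 1000, 1000)):
    """Constructed stand-in for `os` used to demonstrate the failure branches.

    `fail_with` is an errno name such as "EAGAIN"; `uids`/`gids` are what the
    fake getresuid()/getresgid() report after the switch.
    """
    def setuid(_uid):
        if fail_with is not None:
            code = getattr(errno, fail_with)
            raise OSError(code, os.strerror(code))
    return types.SimpleNamespace(setuid=setuid, setgid=lambda _gid: None,
                                 getresuid=lambda: uids, getresgid=lambda: gids)


def drop_to_own_ids():
    """Real call against the current process: switching to the ids it already
    holds is permitted for any user, so this succeeds without root."""
    return drop_privileges(os.getuid(), os.getgid())


if __name__ == "__main__":
    print(drop_to_own_ids())
    print(drop_privileges(1000, 1000, sysapi=fake_sysapi(fail_with="EAGAIN")))
    print(drop_privileges(1000, 1000, sysapi=fake_sysapi(uids=(0, 0, 0))))
```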
Bugs Fixed
1. Python 3 installations can add a suffix to the Python library.
So instead of libpythonX.Y.so it can be libpythonX.Ym.so.
2. When using daemon mode, if an uncaught exception occurred when
handling a request, when the response was proxied back via the Apache
child process, an internal value for the HTTP status line was not
cleared correctly. This resulted in an HTTP status line in the response
to the client of '200 Error' rather than '500 Internal Server Error'.
Note that this only affected the status line and not the actual
HTTP status. The status would still be 500 and the client would
still interpret it as a failed request.
3. Null out Apache scoreboard handle in daemon processes for Apache
2.4 to avoid process crash when lingering close cleanup occurs.
4. Workaround broken MacOS X XCode Toolchain references in Apache
apxs build configuration tool and operating system libtool script.
This means it is no longer necessary to manually go into:
Applications/Xcode.app/Contents/Developer/Toolchains
and manually add symlinks to define the true location of the compiler
tools.
5. Restore ability to compile mod_wsgi source code under Apache
1.3.
6. Fix checks for whether the ITK MPM is used and whether ITK MPM
specific actions should be taken around the ownership of the mod_wsgi
daemon process listener socket.
7. Fix issue where when using Python 3.4, mod_wsgi daemon processes
would actually crash when the processes were being shutdown.
8. Made traditional library linking the default on MacOS X. If
needing framework style linking for the Python framework, then use
the --enable-framework option. The existing --disable-framework
has now been removed given that the default action has been swapped
around.
New Features
1. For Linux 2.4 and later, enable ability of daemon processes to
dump core files when Apache CoreDumpDirectory directive used.
2. Attempt to log whether daemon process exited normally or was
killed off by an unexpected signal.
* Fix CVE-2014-0119
Changelog:
Tomcat 7.0.54 (violetagg)
Catalina
fix Fix custom UTF-8 decoder so that a byte of value 0xC1 is always rejected immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8 decoder tests to account for UTF-8 decoding improvements in Java 8. The custom UTF-8 decoder is still required due to bugs in the UTF-8 decoder provided by Java. Java 8's decoder is better than Java 7's but it is still buggy. (markt)
fix 56027: Add more options for managing FIPS mode in the AprLifecycleListener. (schultz/kkolinko)
fix 56321: When a WAR is modified, undeploy the web application before deleting any expanded directory as the undeploy process may refer to classes that need to be loaded from the expanded directory. If the expanded directory is deleted first, any attempt to load a new class during undeploy will fail. (markt)
fix 56339: Avoid an infinite loop if an application calls session.invalidate() from the session destroyed event for that session. (markt)
update 56365: Simplify file name pattern matching code in StandardJarScanner. Ignore leading and trailing whitespace and empty strings when configuring patterns. Improve documentation. (kkolinko)
fix 56369: Ensure that removing an MBean notification listener reverts all the operations performed when adding an MBean notification listener. (markt)
add 56382: Information about finished deployment and its execution time is added to the log files. Patch is provided by Danila Galimov. (violetagg)
add 56383: Properties for disabling server information and error report are added to the org.apache.catalina.valves.ErrorReportValve. Based on the patch provided by Nick Bunn. (violetagg/kkolinko)
fix Only create XML parsing objects if required and fix associated potential memory leak in the default Servlet. (markt)
fix Modify generic exception handling so that StackOverflowError is not treated as a fatal error and can be handled and/or logged as required. (markt)
fix 56409: Avoid StackOverflowError on non-Windows systems if a file named \ is encountered when scanning for TLDs. (markt)
add 56430: Extend checks for suspicious URL patterns to include patterns of the form *.a.b which are not valid patterns for extension mappings. (markt)
add Extend XML factory, parser etc. memory leak protection to cover some additional locations where, theoretically, a memory leak could occur. (markt)
fix Ensure that a TLD parser obtained from the cache has the correct value of blockExternal. (markt)
fix 56441: Raise the visibility of exceptions thrown when a problem is encountered calling a getter or setter on a component attribute. The logging level is raised from debug to warning. (markt)
fix 56451: Make resources accessed via a context alias accessible via JNDI in the same way standard resources are available. (markt)
add 56463: Property for disabling server information is added to the DefaultServlet. Server information is presented in the response sent to the client when directory listings are enabled. (violetagg)
add Add the org.apache.naming package to the packages requiring code to have the defineClassInPackage permission when running under a security manager. (markt)
add Add the org.apache.naming.resources package to the packages requiring code to have the accessClassInPackage permission when running under a security manager. (markt)
fix Make the naming context tokens for containers more robust. Require RuntimePermission when introducing a new token. (markt/kkolinko)
fix 56472: Allow NamingContextListener to clean up on stop if its start failed. (kkolinko)
add 56492: Avoid eclipse debugger pausing on uncaught exceptions when tomcat renews its threads. (slaurent)
fix Minor fixes to ThreadLocalLeakPreventionListener. Do not trigger threads renewal for failed contexts. Do not ignore threadRenewalDelay setting. Improve documentation. (kkolinko)
fix Correct regression introduced in r797162 that broke authentication of users when using the JAASMemoryLoginModule. (markt)
fix 56501: HttpServletRequest.getContextPath() should return the undecoded context path used by the user agent. (markt)
fix 56523: When using SPNEGO authentication, log the exceptions associated with failed user logins at debug level rather than error level. (markt)
fix 56536: Ensure that HttpSessionBindingListener.valueUnbound() uses the correct class loader when the SingleSignOn valve is used. (markt)
Coyote
add 56399: Assert that both Coyote and Catalina request objects have been properly recycled. (kkolinko)
fix 56416: Correct documentation for default value of socket linger for the AJP and HTTP connectors. (markt)
Jasper
fix 56334: Fix a regression in the handling of back-slash escaping introduced by the fix for 55735. (markt/kkolinko)
fix 56425: Improve method matching for EL expressions. When looking for matching methods, an exact match between parameter types is preferred followed by an assignable match followed by a coercible match. (markt)
fix Correct the handling of back-slash escaping in the EL parser and no longer require that \$ or \# must be followed by { in order for the back-slash escaping to take effect. (markt)
fix 56529: Avoid NoSuchElementException while handling attributes with empty string value in custom tags. Patch provided by Hariprasad Manchi. (violetagg)
Cluster
fix Remove cluster and replicationValve from cluster manager template. These instances are not necessary in the template. (kfujino)
fix Add support for cross context session replication to org.apache.catalina.ha.session.BackupManager. (kfujino)
fix Remove the unnecessary cross context check. It does not matter whether the context that is referenced by other context is set to crossContext=true. The context that refers to the different context must be set to crossContext=true. (kfujino)
code Move to org.apache.catalina.ha.session.ClusterManagerBase common logics of org.apache.catalina.ha.session.BackupManager and org.apache.catalina.ha.session.DeltaManager. (kfujino)
code Simplify the code of o.a.c.ha.tcp.SimpleTcpCluster. In order to add or remove cluster valve to Container, use pipeline instead of IntrospectionUtils. (kfujino)
fix There is no need to set the cluster instance when SimpleTcpCluster.unregisterClusterValve is called. Set null instead of the cluster instance for cleanup. (kfujino)
code Backport refactoring of AbstractReplicatedMap to implement Map rather than extend ConcurrentHashMap to enable Tomcat 7 to be built with Java 8. (markt)
WebSocket
fix 56343: Avoid an NPE if Tomcat's Java WebSocket 1.0 implementation is used with the Java WebSocket 1.0 API JAR from the reference implementation. (markt)
fix Increase the default maximum size of the executor used by the WebSocket implementation for call backs associated with asynchronous writes from 10 to 200. (markt)
add Add a warning if the thread group created for WebSocket asynchronous write call backs can not be destroyed when the web application is stopped. (markt)
fix Ensure that threads created to support WebSocket clients are stopped when no longer required. This will happen automatically for WebSocket client connections initiated by web applications but stand alone clients must call WsWebSocketContainer.destroy(). (markt)
fix 56449: When creating a new session, add the message handlers to the session before calling Endpoint.onOpen() so the message handlers are in place should the onOpen() method trigger the sending of any messages. (markt)
fix 56458: Report WebSocket sessions that are created over secure connections as secure rather than as not secure. (markt)
fix Stop threads used for secure WebSocket client connections when they are no longer required and give them better names for easier debugging while they are running. (markt)
Web applications
fix Add Support for copyXML attribute of Host to Host Manager. (kfujino)
fix Ensure that the "name" request parameter is used as the application base of the host if the "webapps" request parameter is not set when adding a host in the HostManager Application. (kfujino)
fix Correct documentation on Windows service options, aligning it with Apache Commons Daemon documentation. (kkolinko)
update 55215: Improve log4j configuration example. Clarify access logging documentation. Based on patches provided by Brian Burch. (kkolinko)
update 55383: Backport improved HTML markup for tables and code fragments from Tomcat 8 documentation. (kkolinko)
fix 56418: Ensure that the Manager web application does not report success for a web application deployment that fails. (slaurent)
fix Fix target and rel attributes on links in documentation. They were lost during XSLT transformation. (kkolinko)
update Improve valves documentation. Split valves into groups. (kkolinko)
Other
fix Align DisplayName of Tomcat installed by service.bat with the one installed by the *.exe installer. Print a warning if neither a server nor a client JVM is found by service.bat. (kkolinko)
update 56363: Update to version 1.1.30 of Tomcat Native library. (schultz)
update Update package renamed Apache Commons BCEL to r1593495 to pick up some additional changes for Java 7 support and some code clean up. (markt)
add In tests: allow to configure directory where JUnit reports and access log are written to. (kkolinko)
MacOS X < 10.6 had an undocumented behavior concerning execve(2)
inside a threaded process. If a process tried to call execve(2) and
had more than one active thread, the kernel returned ENOTSUP. So we
have to either fork(2) or vfork(2) before calling execve(2) to make
sure the caller is single-threaded as otherwise the application fails
to restart itself.
Upstream changes:
5.04 2014-06-03
- Added expect_close attribute to Mojo::Content.
- Improved support for broken responses to CONNECT requests.
5.03 2014-06-02
- Fixed bug where Mojo::DOM::HTML could not handle certain broken tags.
5.02 2014-05-31
- Added multi-name support to cookie and signed_cookie methods in
Mojolicious::Controller.
- Added multi-name support to cookie and upload methods in Mojo::Message.
- Improved Mojolicious::Command::generate::plugin to use better directory
names.
- Fixed bug where Mojo::DOM::HTML could not handle tags with lots of
attributes.
5.01 2014-05-30
- Fixed continuation line handling in Mojo::Headers.
5.0 2014-05-29
- Code name "Tiger Face", this is a major release.
- Changed heuristics for number detection in Mojo::JSON to better line up
with user expectations.
- Changed lock and unlock callbacks in Mojo::IOLoop to not receive an
invocant.
- Changed return value of path_for method in Mojolicious::Routes::Match.
- Changed return value and arguments of error method in Mojo::Message.
- Removed deprecated support for "X-Forwarded-HTTPS".
- Removed return values from wait method in Mojo::IOLoop::Delay.
- Removed list context support from header method in Mojo::Headers.
- Removed generate_port method from Mojo::IOLoop.
- Replaced reserved stash value partial with render_to_string method.
- Replaced format method in Mojo::Log with an attribute.
- Replaced check_file method in Mojo::Server::Morbo with check method.
- Added with_compression method to Mojo::Transaction::WebSocket.
- Added catch method to Mojo::EventEmitter.
- Added append method to Mojo::Log.
- Updated jQuery to version 2.1.1.
- Improved Mojo::IOLoop::Delay to automatically check if the event loop is
already running.
- Improved Mojo::Parameters to consistently accept arrays.
- Improved Mojo::Collection to perform actual boolean checks. (marcus)
- Fixed Mojo::DOM::HTML to handle slashes in unquoted attribute values
correctly.
- Fixed Mojo::IOLoop::Server to work correctly with newer versions of
IO::Socket::SSL. (noxxi)
- Fixed rendering bug where rewritten arguments could not be localized.
- Fixed verification bug in Mojo::IOLoop::Server.
- Fixed path generation bug in Mojolicious::Routes::Match.
- Fixed warnings in Mojo::IOLoop::Delay.
4.99 2014-05-12
- Added support for performing blocking and non-blocking requests at the
same time with Mojo::UserAgent.
- Added nb_url method to Mojo::UserAgent::Server.
- Improved Mojo::IOLoop::Server and Mojo::Server::Daemon to be able to
listen on random ports.
* Commands that take pathspecs on the command line misbehaved when
the pathspec is given as an absolute pathname (which is a
practice not particularly encouraged) that points at a symbolic
link in the working tree.
* An earlier fix to the shell prompt script (in contrib/) for using
the PROMPT_COMMAND interface did not correctly check if the extra
code path needs to trigger, causing the branch name not to appear
when 'promptvars' option is disabled in bash or PROMPT_SUBST is
unset in zsh.
A Python library to aid in implementing HTTP Digest Authentication.
This is the python 3.x-only version of the package. See www/py-python-digest
for the python 2.x version.
A Python library to aid in implementing HTTP Digest Authentication.
This is the python 2.x-only version of the package. See www/py-python3-digest
for the python 3.x version.
This module provides basic functions for parsing mime-type names and matching them
against a list of media-ranges.
This module provides basic functions for handling mime-types. It can handle
matching mime-types against a list of media-ranges. See section 14.1 of the HTTP
specification [RFC 2616] for a complete explanation:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.1
Contents:
* parse_mime_type(): Parses a mime-type into its component parts.
* parse_media_range(): Media-ranges are mime-types with wild-cards and a "q"
quality parameter.
* quality(): Determines the quality ("q") of a mime-type when compared against
a list of media-ranges.
* quality_parsed(): Just like quality() except the second parameter must be
pre-parsed.
* best_match(): Choose the mime-type with the highest quality ("q") from a list
of candidates.
explicit request a while back. (But use the current version.)
PR 48845.
I don't remember the PR number for the original request but it can be
tracked down if necessary.
Upstream changes:
1.22.7
== Security ==
* (bug 65501) SECURITY: Don't parse usernames as wikitext on
Special:PasswordReset.
== Bugfixes in 1.22.7 ==
* (bug 36356) Add space between two feed links.
* (bug 63269) Email notifications were not correctly handling the
[[MediaWiki:Helppage]] message being set to a full URL. This is a regression
from the 1.22.5 point release, which made the default value for it a URL.
If you customized [[MediaWiki:Enotif body]] (the text of email notifications),
you'll need to edit it locally to include the URL via the new variable
$HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise
you don't have to do anything.
* Add missing uploadstash.us_props for PostgreSQL.
* (bug 56047) Fixed stream wrapper in PhpHttpRequest.
CGI::Fast is a subclass of the CGI object created by CGI.pm. It is
specialized to work with the FCGI module, which greatly speeds up
CGI scripts by turning them into persistently running server
processes. Scripts that perform time-consuming initialization
processes, such as loading large modules or opening persistent
database connections, will see large performance improvements.
Version 4.01 May 27, 2014
[DOCUMENTATION]
- CGI.pm hasn't been removed from core *just* yet, but will be soon:
http://perl5.git.perl.org/perl.git/commitdiff/e9fa5a80
Version 4.00 May 22, 2014
[INTERNALS]
- CGI::Fast split out into its own distribution, related files and tests removed
- developer test added for building with perlbrew
[DOCUMENTATION]
- Update perldoc to explain that CGI.pm has been removed from perl core
- Make =head2 perldoc less shouty (RT #91140)
- Tickets migrated from RT to github issues (both CGI and CGI.pm distributions)
- Repointing bugtracker at newly forked github repo and note that Lee Johnson
is the current maintainer.
- Bump version to 4.00 for clear boundary of above changes
Version 3.65 Feb 11, 2014
[INTERNALS]
- Update Makefile to refine where CGI.pm gets installed
(Thanks to bingo, rjbs: https://github.com/markstos/CGI.pm/pull/30)
Version 3.64 Nov 23, 2013
[BUG FIXES]
- Avoid warning about "undefined variable" in user_agent in some cases (RT#72882)
[INTERNALS]
- Avoid warning about "uninitialized value" when calling user_agent() in some cases. (RT#72882, perl@max-maurer.de)
- Update minimum required version in Makefile.PL to 5.8.1. It had already been
updated to 5.8.1 in the CGI.pm module in 3.53.
- Fix POD errors reported by newer pod2man (Thanks to jmdh)
- Typo fixes, (dsteinbrunner).
- use deprecate.pm on perls 5.19.0 and later. (rjbs).
[DOCUMENTATION]
- Update CGI::Cookie docs to reflect that HttpOnly is widely supported now.
Though there is no description in CHANGELOG.md, data for an example web site
(Music Academy) was removed from the distribution.
Version 3.3.1 (2014-05-30)
--------------------------
### Fixed
Grant access to static files inside the `vendor` folder.
### Fixed
Do not make the `FormRadioButton` options an array (see #7060).
### Fixed
Support adding ACE and TinyMCE in subpalettes (see #7056).
### Fixed
Only use the DropZone uploader where Ajax uploads can be processed (see #7046).
### Fixed
Make the viewport field 255 characters long (see #7050).
### Fixed
Restore the "submit_container" class in the `FormSubmit` widget (see #7055).
### Fixed
Correctly generate the CSS classes of the `FormSelectMenu` widget (see #7045).
### Fixed
Use a more precise UUID detection in the `FilesModel` class (see #7054).
### Fixed
Use `pack()` instead of `hex2bin()` to be compatible with PHP 5.3 (see #7010).
The preprocessor macro XP_MACOSX is misused everywhere. They tend to
say "#if defined(XP_MACOSX)" to actually mean
"#if defined(MOZ_WIDGET_COCOA)". It's okay to equate XP_MACOSX with
XP_DARWIN but equating it with MOZ_WIDGET_COCOA is just wrong. As a
result, the cairo-gtk2 build on Darwin is completely broken and needs
heavy patching. Ideally they should be fixed individually but that
will be extremely hard work, so don't define XP_MACOSX for now.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
Contao 3.3 is a new stable release of Contao Open Source CMS.
Some new features from Contao 3.2:
* Added a markdown content element.
* Added the insert tag flags "urlencode" and "rawurlencode".
* Add a flexible back end theme.
* Add DropZone-based file uploader.
* Add permissions to import and export themes.
* Allow overriding the default templates of module, content element
and form field.
* Add version control for editable files.
* Add template inheritance and template insertion.
* Make the title tag configurable in the page layout.
* Mark the beginning and end of each template in debug mode.
* Add support of SCSS/LESS files as external style sheets to page layout.
* Make the file system synchronization available on the command line.
URL parser: IPv6 zone identifiers are now supported
CURLOPT_PROXYHEADER: set headers for proxy-only
CURLOPT_HEADEROPT: added
curl: add --proxy-header
sasl: Added support for DIGEST-MD5 via Windows SSPI
sasl: Added DIGEST-MD5 qop-option validation in native challenge handling
imap: Expanded mailbox SEARCH support to use URL query strings
imap: Extended FETCH support to include PARTIAL URL specifier
nss: implement non-blocking SSL handshake
build: Reworked Visual Studio project files
poll: enable poll on darwin13
mk-ca-bundle: added -p
libtests: add a wait_ms() function
Upstream changes:
Moodle 2.5.6 release notes
Release date: 12 May, 2014
Here is the full list of fixed issues in 2.5.6.
Functional changes
MDL-43985 - Checkbox added to control sending of feedback when grading Assignment (backport of MDL-33600)
Security issues
MSA-14-0014 Cross-site request forgery possible in Assignment
MSA-14-0015 Web service token expiry issue for MoodleMobile
MSA-14-0016 Anonymous student identity revealed in Assignment
MSA-14-0017 File access issue in HTML block
MSA-14-0019 Reflected XSS in URL downloader repository
Fixes and improvements
MDL-45119 - When student opens assignment feedback PDF no error messages are shown
MDL-41551 - Block drag-drop fixed for Clean theme on My Home page
MDL-44936 - CSS chunking is now more reliable on IE
MDL-45154 - Warnings and errors in user profile page fixed
MDL-43721 - Poor performance on Assignment grading page fixed
Version 3.2.10 (2014-05-21)
---------------------------
### Fixed
Correctly urlencode folder names in the file manager (see #6925).
### Update
Update MooTools to version 1.5.0 (see #6924).
### Fixed
Allow for up to 13 characters in `Validator::isEmail()` (see #6950).
### Fixed
Only fall back to the default option if there is no POST data (see #6899).
### Fixed
Do not override the event start time in `Events::addEvent()` (see #6701).
### Fixed
Correctly detect binary fields during theme import (see #6852).
### Fixed
Do not urldecode twice in `DC_Folder` (see #6840).
### Fixed
Standardize the fallback behavior of the downloads/gallery element (see #6662).
### Fixed
Correctly hide duplicated elements in the module wizard (see #6826).
### Fixed
Fix the mediabox "imgBackground" option (see #6866).
### Fixed
Strip double quotes in the options wizard (see #6919).
### Fixed
Strip the insert tag flags before passing the tag name to the hooks (see #6860).
### Fixed
Catch Swift exceptions when sending form data via e-mail (see #6941).
### Update
Update the back end date picker to version 2.2.0.
### Update
Update ACE to version 1.1.3.
### Fixed
Check for reserved article aliases before validating the alias name (see #6978).
### Fixed
Store the UUID of uploaded files in the session (see #6986).
### Fixed
Only assume a moved file or folder for new resources (see #6907).
### Fixed
Correctly strip the file extension in the `File` class (see #6968).
### Fixed
Remove the menu when `Swipe.kill()` is executed (see #6861).
### Fixed
Consider the protocol when embedding YouTube videos (see #6900).
These releases address a caching issue which might lead to cache poisoning and an incorrect validation of safe redirect targets. Since these issues will affect the majority of users we strongly encourage everyone to upgrade.
User-visible changes:
- Client-side bugfixes:
* log: use proper peg revision over DAV (r1568872)
* upgrade: allow upgrading from 1.7 with exclusive locks (r1572102 et al)
* proplist: resolve inconsistent inherited property results (r1575270 et al)
* increase minimal timestamp sleep from 1ms to 10ms (r1581305 et al)
* merge: automatic merge confused by subtree merge (issue 4481)
* propget: report proper error on invalid revision for url (r1586255)
* commit: fix an assertion when committing a deleted descendant
(r1571747, r1571787, r1571795)
* merge: resolve segfault when '--force' merges a directory delete
(r1577812, r1577813, r1579429)
* resolve: prevent interactive conflict resolution when nothing has been
done to resolve the conflict (r1577294)
* update: fix locks lost from wc with pre-1.6.17 servers (issue 4412)
* merge: honor the 'preserved-conflict-file-exts' setting (r1577151)
* list: fix '--verbose' against older servers (r1591111)
* unlock: fix ability to remove locks with timeouts (r1579588)
* copy: fix 'svn copy URL WC' on relocated working copies
(r1580626, r1580650)
* export: allow file externals to be exported (issue 4427)
* move: fix working copy db inconsistency in certain scenarios (issue 4437)
* commit: fix an issue where mixed revision copy with non copy descendants
that shadow a not present node couldn't be committed (r1518942 et al)
* delete: properly remove move_to info when the node in its original
location is removed (r1538812 et al)
* status: fix an issue where output would vary based on whether the target
was the node itself or its parent (r1544597 et al)
- Server-side bugfixes:
* ensure proper access synchronization in fsfs on Windows (r1568953 et al)
* svnadmin dump: don't let invalid mergeinfo stop dump (r1574868 et al)
* svnserve: resolve performance regression caused by iprops (r1578853 et al)
* reduce size of memory buffer when reading config files (r1581296)
* remove dead transaction if commit was blocked by hook (r1583977)
* svnrdump load: fix crash when svn:* normalization (issue 4490)
* fix memcached support (issue 4470)
* svndumpfilter: fix order of node record headers (r1578670 et al)
* mod_dav_svn: blacklist building with broken versions of httpd; 2.2.25,
2.4.5 and 2.4.6 (r1545835)
* mod_dav_svn: allow generic DAV clients to refresh locks (issue 3515)
* mod_dav_svn: detect out of dateness correctly during commit (issue 4480)
Developer-visible changes:
- General:
* improve consistency checks of DAV inherited property requests (r1498000)
* fix occasional failure in autoprop_tests.py (r1567752)
* avoid duplicate sqlite analyze information rows (r1571214)
* add Mavericks to our sysinfo output (r1573088)
* bump copyright years to 2014 (r1555403)
* unbreak test suite when running as root (r1583580)
* resolve buffer overflow in testcode (r1481782)
* fix libmagic detection with custom LDFLAGS (r1577200)
* fix an out of scope variable use in merge (r1587946)
* javahl: fix crash from resolve callback throwing an exception (r1586439)
* ruby: fix two memory lifetime bugs (r1586052, r1586467)
* fix a missing null byte when handling old pre-1.4 deltas (r1587968)
* fix building with APR 0.9.x (r1585499)
* make svn_ra_get_locks() and svn_ra_get_lock() report not locked nodes
with a NULL svn_lock_t *, as documented (r1578273, r1578311, r1578326)
* fix tests for compiler flags
Changes:
- A smoother media editing experience
- Improved visual editing - speed, accessibility, and mobile support
- Edit images easily - quicker access to crop and rotation tools, scale images
directly in the editor
- Drag and drop your images right onto the editor
- Image gallery previews right in the editor
- Showcase music and clips with simple audio and video playlists
- Live widget and header image previews in the Customizer
- Stunning new theme browser
Version 3.9.1 fixes 34 bugs from 3.9.
More details on http://codex.wordpress.org/Version_3.9 and
http://codex.wordpress.org/Version_3.9.1
No changelog provided.
* bug fixes, documentation improvements
* better sub-manager option handling
Incompatible changes:
* command.handle() is now simply command()
* short help is '-?'. '-h' is used for --host too often.
* Server options '-d' and '-r' are no longer toggles for debugging/reloading.
Instead, '-d' forces debugging on and '-D' forces it off,
no matter what the default said.
* The command.prompt_* compatibility methods have been removed.
(They were already heavily deprecated.)
2014-04-18 LWP-Protocol-https 6.06
Mike Schilli (3):
Merge pull request #12 from drieux/subjectAltName
Merge pull request #9 from chorny/master
Updated libwww requirement to 6.06 to fix failing t/proxy.t test cases.
Gisle Aas (2):
Getopt::Long isn't actually used
Merge pull request #7 from noxxi/master
Alexandr Ciornii (1):
better diagnostics in case of failures in apache.t
Karen Etheridge (1):
Merge pull request #8 from cpansprout/patch-1
Steffen Ullrich (1):
correct behavior for https_proxy, this goes together with change to
libwww-perl cb80c2ddb7, new method _upgrade_sock in LWP::Protocol::https
cpansprout (1):
Typo fix: envirionment =~ s/io/o/
drieux (1):
support for subjectAltName
2014-04-16 Release 6.06
Ville Skyttä (3):
Merge pull request #44 from dsteinbrunner/master
Spelling fixes.
Merge pull request #55 from oalders/master
Karen Etheridge (2):
Merge pull request #38 from mbeijen/typo-sting
Merge pull request #43 from dsteinbrunner/master
David Steinbrunner (2):
Spelling corrections
Olaf Alders (1):
Typo fixes.
Steffen Ullrich (1):
correct behavior for https_proxy,
e.g. don't send plain https:// requests to proxy, but instead establish
CONNECT tunnel and then send requests inside tunnel.
This change does together with a change in LWP::Protocol::https.
The change supports LWP::Protocol::https with the default
IO::Socket::SSL backend, but also with Net::SSL. Also:
- proxy authorization is supported (http://user:pass@host:port as proxy
URL, Net::SSL still needs special HTTPS_PROXY_* environment variables,
as before)
- CONNECT request does not need to be the first request inside the
tunnel (not with Net::SSL)
- conn_cache is read and written inside request(), instead of writing in
request() and reading in _new_socket(). If a https tunnel is
established the cache_key no longer depends only on proxy host,port
but also on the tunnel endpoint
- CONNECT is a proxy request and must always use Proxy-Authorization,
not Authorization header
turugina (1):
fix: auth-header of Digest auth did not conform to
RFC 2617 when WWW-Authenticate has 'qop' parameter.
Gisle Aas (1):
SSL libs might trigger ENOTTY on read
Michiel Beijen (1):
Small typo.
Security fixes
The signed-value format used by RequestHandler.set_secure_cookie and
RequestHandler.get_secure_cookie has changed to be more secure. This is a
disruptive change. The secure_cookie functions take new version parameters
to support transitions between cookie formats.
The new cookie format fixes a vulnerability that may be present in
applications that use multiple cookies where the name of one cookie is a
prefix of the name of another.
To minimize disruption, cookies in the older format will be accepted by
default until they expire. Applications that may be vulnerable can reject
all cookies in the older format by passing min_version=2 to
RequestHandler.get_secure_cookie.
Thanks to Joost Pol of Certified Secure for reporting this issue.
Backwards-compatibility notes
Signed cookies issued by RequestHandler.set_secure_cookie in Tornado 3.2.1
cannot be read by older releases. If you need to run 3.2.1 in parallel with
older releases, you can pass version=1 to RequestHandler.set_secure_cookie
to issue cookies that are backwards-compatible (but have a known weakness,
so this option should only be used for a transitional period).
Other changes
The C extension used to speed up the websocket module now compiles
correctly on Windows with MSVC and 64-bit mode. The fallback to the
pure-Python alternative now works correctly on Mac OS X machines with no C
compiler installed.
Changelog:
Fixed
29.0.1 - pdf.js printing white page (1003707)
Fixed
29.0.1 - Tabs not visible with dark themes under Windows 8.1 (907373)
Fixed
29.0.1 - Session Restore failed with a corrupted sessionstore.js file (1001167)
Fixed
29.0.1 - Seer disabled by default (1005958)
## Rails 3.2.18 (May 6, 2014) ##
* Only accept actions without File::SEPARATOR in the name.
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
*Rafael Mendonça França*
Drupal 7.28, 2014-05-08
-----------------------
- Fixed a regression introduced in Drupal 7.27 that caused JavaScript to break
on older browsers (such as Internet Explorer 8 and earlier) when Ajax was
used.
- Increased the timeout used by the Update Manager module when it fetches data
from drupal.org (from 5 seconds to 30 seconds), to work around a problem
which causes incomplete information about security updates to be presented to
site administrators. This fix may lead to a performance slowdown on the
Update Manager administration pages, when installing Drupal distributions,
and (for sites that use the automated cron feature) on occasional page loads
by site visitors.
- Fixed the behavior of the token system's "[node:summary]" token when the body
field does not have a manual summary.
- Changed the behavior of db_query_temporary() so that it works on SELECT
queries even when they have leading comments/whitespace. A side effect of
this fix is that db_query_temporary() will now fail with an error if it is
ever used on non-SELECT queries.
- Added a "node_admin_filter" tag to the database query used to build the list
of nodes on the content administration page, to make it easier to alter.
- Made the cron queue system log any exceptions that are thrown while an item
in the queue is being processed, rather than stopping the entire PHP request.
- Improved screen reader support by adding an aria-live HTML attribute to file
upload fields when there is an error uploading the file (minor markup
change).
- Made the pager on the Tracker module listing pages show the same number of
items as other pagers throughout Drupal core (minor UI change).
- Fixed a bug which caused caches not to be properly cleared when a file entity
was saved or deleted.
- Added several missing countries to the default list returned by
country_get_list() (string change).
- Replaced the term "weight" with "influence" in the content ranking settings
for search, and added help text for administrators (string change).
- Fixed untranslatable text strings in the administrative interface for the
"Crop" effect provided by the Image module (minor string change).
- Fixed a bug in the Taxonomy module update function introduced in Drupal 7.26
that caused memory and CPU problems on sites with very large numbers of
unpublished nodes.
- Numerous small bug fixes.
- Numerous API documentation improvements.
- Additional automated test coverage.
* "git p4" dealing with changes in binary files was broken by a
change in the 1.9 release.
* The shell prompt script (in contrib/), when using the PROMPT_COMMAND
interface, used an unsafe construct when showing the branch name in
$PS1.
* "git rebase" used a POSIX shell construct FreeBSD /bin/sh does not
work well with.
* Some more Unicode codepoints defined in Unicode 6.3 as having
zero width have been taught to our display column counting logic.
* Some tests used shell constructs that did not work well on
FreeBSD.
The aws tools were linked to libssl without rpath. If libssl is not
located in a standard library search path, the rtld will not be able
to find it (as seen on Joyent dev area).
This change links the libssl runpath to the tools.
The configuration for the locations of libz and libssl were both wrong,
and they were corrected with their respective BUILDLINK_PREFIX.
In addition, regardless of where libssl is located, the standard location
(/usr/include) was searched instead of relative to the library. This
required a patch to the GPR build in order to pass -I<loc> to the
compilation of C files.
The unnecessary removal of empty directories was removed as SunOS find
does not support the -empty switch.
Tested on Joyent dev area where both libz and libssl are not at /usr/lib.
- fix a potential execution of undesired code via reverse()
- avoid leaking the CSRF token via caching of anonymous requests
- fix missing explicit typecasts for MySQL
Collection.
Gunicorn 'Green Unicorn' is a Python WSGI HTTP Server for UNIX. It's a
pre-fork worker model ported from Ruby's Unicorn project. The Gunicorn
server is broadly compatible with various web frameworks, simply
implemented, light on server resource usage, and fairly speedy.
Changelog:
Fixed in Firefox ESR 24.5
MFSA 2014-46 Use-after-free in nsHostResolve
MFSA 2014-44 Use-after-free in imgLoader while resizing images
MFSA 2014-43 Cross-site scripting (XSS) using history navigations
MFSA 2014-42 Privilege escalation through Web Notification API
MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
MFSA 2014-37 Out of bounds read while decoding JPG images
MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer
MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)
* Logformat annotation fixes
* Resolve 'dying from an unhandled exception: c'
* Fix order dependency between cache_dir and maximum_object_size
* Bug 4051: fix inverted test on CONNECT payload existence
- Change CSS to adjust calendar position.
- Add Czech language file.
- Add Ukrainian translation file.
- Add CustomHeader to allow custom definition of the logo and title.
See squidanalyzer.conf or documentation for more explanation and
example.
- Replace logrotate example that was too simplistic.
- Update documentation about -P option.
- Prevent the script from running multiple instances by using a pid file. This
patch adds a new command line option -P to change the default pid file
(/tmp/squid-analyzer.pid).
- Remove useless command to delete special files because those files are
not installed by make install.
- Fix spec file to build RPM.
- Fix usage to show $DEFAULT_CONFIGFILE that may not always be the
right place following the installation.
- Remove squid requirement from RPM spec file.
- Add Spanish language file.
- Remove ^M when reading translation files.
- Add new weekly reports.
- Add build and storage of weekly statistics.
- Fix CSS to reduce font size used in the calendar and increase size
of the header.
- Add WeekDay translation string.
- Remove link on week, the week view is not available yet.
- Add week day and week number to the calendar.
- Fix bug where statistics from the last parsed day were counted twice
in month and year statistics.
- Add file etc/included to limit entries to matching users, networks
or IP addresses.
- Show values of all datasets when the mouse is over the graph.
- Update pt_BR.txt language file.
- Update flotr2 to most recent version. Replace bars in graphs with
line to have mouse tracking on each dataset. Change line graphs
colors and reformat label shown on mouse over graph data.
- Remove special hidden character from documentation that prevented
pod2man from working.
- Add TCP DENIED report in cache statistics.
- Fix missing semi-colon after graph width definition. Add missing
graph on mime type.
- Add Russian translation.
- Fix German lang file about new second level domain label.
- Update translation files with new Second_domain_graph_hits_title
and Second_domain_graph_bytes_title variables.
- Add ordering of pie legend following percentage.
- Change trackFormatter so that mouse over the pie-chart color shows
the domain/TLD name also with the value.
- Add advice about parsing access.log after logrotate.
- Fix some more issues on top second level report.
The CherryPy team is proud to announce the release of CherryPy
3.3.0!
After a long stable life, CherryPy 3.2 is now superseded by CherryPy
3.3. In addition to several bugs fixed, the latest release also
includes a few improvements, detailed in the Release Notes.
Beginning with this release, the CherryPy maintainers will seek to
make more frequent updates and follow semver versioning. The more
frequent releases will allow improvements and bug fixes to quickly
percolate and get frequent feedback. The semver scheme will allow
package maintainers to manage their expectations when upgrading.
We hope these changes to the release cycle will spur innovation
and reinvigorate the project.
Given that changes in this 3.3.0 release include changes going back
several years, please do upgrade with caution. If you encounter
any issues, please report those to the issue tracker.
Wishing you Voodoo-free HTTP, The CherryPy team
* Fix issue 125: no reverse lookup during Negotiate authentication for proxies.
* Fix a crash caused by incorrect reuse of the ssltunnel CONNECT request
* Cancel request if response parsing failed + authn callback set
* Update the expired certificates in the test suite.
Fixed an issue where logout doesn't refresh once the user logs out;
Updated the toolbar menu item to "Logout [name of user]" when available;
Updated the Page: Advanced Settings form to automatically show/hide the application instance name field when appropriate and to separate language-dependent fields from language-independent ones;
Fixed sitemaps to no longer list pages which only redirect;
Fixes for the plugin clipboard to behave correctly;
Updates to the fix-mptt management command;
Various fixes to target the top frame when clicking links in the sideframe;
Fixed a number of refresh issues;
Various documentation updates.
Shortly after last week's security releases were issued, we received reports of a potential regression in using reverse() with views created by functools.partial. We were able to confirm the bug, and test and commit a fix for it.
Upstream changes:
0.1024 2013-10-12 11:35:35 PDT
- Fix a bug where exit_guard is not correctly decremented when writing header failed (maedama) #37
0.1023 2013-06-15 01:51:22 PDT
- Move the bin directory (moznion) #35
0.1022 2013-06-12 12:36:16 PDT
- convert to use Milla
- Fix dependency for LWP
0.1021 Fri Oct 19 15:09:17 PDT 2012
- Repackage with the latest Module::Install
0.1020 Mon Feb 20 16:31:44 PST 2012
- Improve SERVER_PORT when binding multiple ports
- Documentation fixes (Pedro Melo)
- Suppress 400 if client disconnected (athomason)
- Don't restrict parsing the request body to PUT and POST requests (Moritz Onken)
- Fixed broken POST data processing (und3f, hidekiy)
Upstream changes:
4.97 2014-04-30
- Deprecated support for "X-Forwarded-HTTPS" in favor of
"X-Forwarded-Proto".
- Added multi-name support to param method in Mojo::Parameters.
4.96 2014-04-28
- Improved Mojo::IOLoop to use Mojo::IOLoop::Delay more consistently.
4.95 2014-04-27
- Improved Mojo::IOLoop::Delay with circular reference protection.
- Improved Mojo::IOLoop::Delay to allow argument splicing.
- Improved Mojo::IOLoop::Server to reuse cipher list from IO::Socket::SSL.
- Fixed memory leak in Mojo::UserAgent::Server.
4.94 2014-04-20
- Added reverse_proxy attribute to Mojo::Server::Daemon.
- Added reverse_proxy attribute to Mojo::Message::Request.
- Added prefork and upgrade_timeout attributes to Mojo::Server::Hypnotoad.
- Added configure method to Mojo::Server::Hypnotoad.
- Relaxed name handling in Mojo::Headers a little.
- Fixed small bug in online tests.
This is a simple Flask extension that configures your Flask application to
redirect all incoming requests to https. Redirects only occur when app.debug is
False.
Upstream changes:
MediaWiki 1.22.6
This is a security release of the MediaWiki 1.22 branch.
Changes since 1.22.5
(bug 63251) SECURITY: Escape sortKey in pageInfo.
MediaWiki 1.22.5
This is a security and maintenance release of the MediaWiki 1.22 branch.
Changes since 1.22.4
(bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
(bug 62467) Set a title for the context during import on the cli.
Fix custom local MediaWiki:Helppage values.
mediawiki.js: Fix documentation breakage.
(bug 58153) Make MySQLi work with non standard port.
(bug 53887) Reintroduced a link to help pages in the default sidebar, that any sysop can customize by editing MediaWiki:Sidebar locally. The link now points to a mediawiki.org page which is guaranteed to exist. Nothing needs to be done on your end, but remember to adjust MediaWiki:Sidebar for the needs of your wikis. Everyone can help with the shared documentation by translating: https://www.mediawiki.org/wiki/Special:Translate/agg-Help_pages .
(bug 53888) Corrected a regression in 1.22 which introduced red links on the login page. If you previously installed 1.22.x and have created a local page to make the red link blue, write its title as in MediaWiki:helplogin-url if you didn't already. Otherwise, you don't need to do anything, but you can translate the help page at https://www.mediawiki.org/wiki/Help:Logging_in
Upstream changes:
0.140001 2014-05-01 10:49:25CEST+0200 Europe/Amsterdam
[ BUG FIXES ]
* Bugfix for extracting multiple cookies within a request.
(Cymon, Russell Jenkins)
* Require minimum version of Plack to make sure we can add the Head
middleware. Not exactly a bug, but not a feature. (Sawyer X)
[ DOCUMENTATION ]
* Correct reference to HTTP::Server::Simple::PSGI. (Russell Jenkins)
0.140000 2014-04-28 23:14:31CEST+0200 Europe/Amsterdam
[ ENHANCEMENTS ]
* Replace Config role with better ConfigReader role.
(Mickey Nasriachi, Stefan Hornburg, Sawyer X)
* Move App-related attributes (engines) to App instead of config role.
(Mickey Nasriachi, Stefan Hornburg, Sawyer X)
* Untangle Runner-Server (removing Server entirely).
(Mickey Nasriachi, Stefan Hornburg, Sawyer X)
* Replace HTTP::Server::Simple::PSGI with HTTP::Server::PSGI.
(Mickey Nasriachi, Stefan Hornburg, Sawyer X)
* GH #527: Build request cookie objects from request headers, not env.
(Russell Jenkins)
* GH #569: Transform cookie using the HTTP_COOKIE header, per PSGI spec.
(Russell Jenkins)
* GH #559, #544: Use Plack middleware for HEAD request content removal.
(Russell Jenkins)
* GH #513, #483: Deserialize body content for DELETE requests.
(Russell Jenkins, Yanick Champoux, Sawyer X)
0.13 2014-04-13 19:19:44CEST+0200 Europe/Amsterdam
[ ENHANCEMENTS ]
* GH #562: Change YAML::Any to YAML (Steven Humphrey, Russell Jenkins).
[ BUG FIXES ]
* GH #524: Double encoding for YAML sessions.
* GH #557: Switch to using YAML::Old.
* GH #548: Deserializer test failure.
The new gprbuild configuration files must have a slight difference
because it can no longer work with the standard buildlink. Passing
an additional directory in the pass will fix it though.
* Restore html5 audio playback under NetBSD
Changelog:
New
Significant new customization mode makes it easy to personalize your Web experience to access the features you use the most (learn more)
New
A new, easy to access menu sits in the right hand corner of Firefox and includes popular browser controls
New
Sleek new tabs provide an overall smoother look and fade into the background when not active
New
An interactive onboarding tour to guide users through the new Firefox changes
New
The ability to set up Firefox Sync by creating a Firefox account (learn more)
New
Gamepad API finalized and enabled (learn more)
New
HTTPS used for Yahoo Searches performed in en-US locale
New
Malay [ma] locale added
Changed
Clicking on a W3C Web Notification will switch to the originating tab
Developer
'box-sizing' (dropping the -moz- prefix) implemented (learn more)
Developer
Console object available in Web Workers (learn more)
Developer
Promises enabled by default (learn more)
Developer
SharedWorker enabled by default
Developer
<input type="number"> implemented and enabled
Developer
<input type="color"> implemented and enabled
Developer
Enabled ECMAScript Internationalization API
Developer
Add-on bar has been removed, content moved to navigation bar
Developer
Implemented URLSearchParams from the URL specification (see MDN for details )
Fixed
Various security fixes
Fixed in Firefox 29
MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript
MFSA 2014-46 Use-after-free in nsHostResolve
MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates
MFSA 2014-44 Use-after-free in imgLoader while resizing images
MFSA 2014-43 Cross-site scripting (XSS) using history navigations
MFSA 2014-42 Privilege escalation through Web Notification API
MFSA 2014-41 Out-of-bounds write in Cairo
MFSA 2014-40 Firefox for Android addressbar suppression
MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video
MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
MFSA 2014-37 Out of bounds read while decoding JPG images
MFSA 2014-36 Web Audio memory corruption issues
MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer
MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)
As seen on FreeBSD 8, aws doesn't build with the shared runtime option
with the upcoming gcc-aux version 4.9.0. Disable the option completely.
The option may return when AWS is updated to the latest version.
features from the previous development branch (1.5.x) - including various
SSL improvements, SPDY 3.1 support, cache revalidation with conditional
requests, auth request module and more. Resolves CVE-2013-4547.
files/nginx.sh now has a configtest command for lazy admins (me) who don't
want to remember command line options. CHANGELOG:
Changes with nginx 1.5.13 08 Apr 2014
*) Change: improved hash table handling; the default values of the
"variables_hash_max_size" and "types_hash_bucket_size" were changed
to 1024 and 64 respectively.
*) Feature: the ngx_http_mp4_module now supports the "end" argument.
*) Feature: byte ranges support in the ngx_http_mp4_module and while
saving responses to cache.
*) Bugfix: alerts "ngx_slab_alloc() failed: no memory" no longer logged
when using shared memory in the "ssl_session_cache" directive and in
the ngx_http_limit_req_module.
*) Bugfix: the "underscores_in_headers" directive did not allow
underscore as a first character of a header.
*) Bugfix: cache manager might hog CPU on exit in nginx/Windows.
*) Bugfix: nginx/Windows terminated abnormally if the
"ssl_session_cache" directive was used with the "shared" parameter.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.5.12 18 Mar 2014
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_spdy_module, potentially resulting in arbitrary code
execution (CVE-2014-0133).
*) Feature: the "proxy_protocol" parameters of the "listen" and
"real_ip_header" directives, the $proxy_protocol_addr variable.
*) Bugfix: in the "fastcgi_next_upstream" directive.
Changes with nginx 1.5.11 04 Mar 2014
*) Security: memory corruption might occur in a worker process on 32-bit
platforms while handling a specially crafted request by
ngx_http_spdy_module, potentially resulting in arbitrary code
execution (CVE-2014-0088); the bug had appeared in 1.5.10.
*) Feature: the $ssl_session_reused variable.
*) Bugfix: the "client_max_body_size" directive might not work when
reading a request body using chunked transfer encoding; the bug had
appeared in 1.3.9.
*) Bugfix: a segmentation fault might occur in a worker process when
proxying WebSocket connections.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used on 32-bit platforms; the bug had
appeared in 1.5.10.
*) Bugfix: the $upstream_status variable might contain wrong data if the
"proxy_cache_use_stale" or "proxy_cache_revalidate" directives were
used.
*) Bugfix: a segmentation fault might occur in a worker process if
errors with code 400 were redirected to a named location using the
"error_page" directive.
*) Bugfix: nginx/Windows could not be built with Visual Studio 2013.
Changes with nginx 1.5.10 04 Feb 2014
*) Feature: the ngx_http_spdy_module now uses SPDY 3.1 protocol.
*) Feature: the ngx_http_mp4_module now skips tracks too short for a
seek requested.
*) Bugfix: a segmentation fault might occur in a worker process if the
$ssl_session_id variable was used in logs; the bug had appeared in
1.5.9.
*) Bugfix: the $date_local and $date_gmt variables used wrong format
outside of the ngx_http_ssi_filter_module.
*) Bugfix: client connections might be immediately closed if deferred
accept was used; the bug had appeared in 1.3.15.
*) Bugfix: alerts "getsockopt(TCP_FASTOPEN) ... failed" appeared in logs
during binary upgrade on Linux; the bug had appeared in 1.5.8.
Changes with nginx 1.5.9 22 Jan 2014
*) Change: now nginx expects escaped URIs in "X-Accel-Redirect" headers.
*) Feature: the "ssl_buffer_size" directive.
*) Feature: the "limit_rate" directive can now be used to rate limit
responses sent in SPDY connections.
*) Feature: the "spdy_chunk_size" directive.
*) Feature: the "ssl_session_tickets" directive.
*) Bugfix: the $ssl_session_id variable contained full session
serialized instead of just a session id.
*) Bugfix: nginx incorrectly handled escaped "?" character in the
"include" SSI command.
*) Bugfix: the ngx_http_dav_module did not unescape destination URI of
the COPY and MOVE methods.
*) Bugfix: resolver did not understand domain names with a trailing dot.
*) Bugfix: alerts "zero size buf in output" might appear in logs while
proxying; the bug had appeared in 1.3.9.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used.
*) Bugfix: proxied WebSocket connections might hang right after
handshake if the select, poll, or /dev/poll methods were used.
*) Bugfix: the "xclient" directive of the mail proxy module incorrectly
handled IPv6 client addresses.
Changes with nginx 1.5.8 17 Dec 2013
*) Feature: IPv6 support in resolver.
*) Feature: the "listen" directive supports the "fastopen" parameter.
*) Feature: SSL support in the ngx_http_uwsgi_module.
*) Feature: vim syntax highlighting scripts were added to contrib.
*) Bugfix: a timeout might occur while reading client request body in an
SSL connection using chunked transfer encoding.
*) Bugfix: the "master_process" directive did not work correctly in
nginx/Windows.
*) Bugfix: the "setfib" parameter of the "listen" directive might not
work.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.5.7 19 Nov 2013
*) Security: a character following an unescaped space in a request line
was handled incorrectly (CVE-2013-4547); the bug had appeared in
0.8.41.
*) Change: a logging level of auth_basic errors about no user/password
provided has been lowered from "error" to "info".
*) Feature: the "proxy_cache_revalidate", "fastcgi_cache_revalidate",
"scgi_cache_revalidate", and "uwsgi_cache_revalidate" directives.
*) Feature: the "ssl_session_ticket_key" directive.
*) Bugfix: the directive "add_header Cache-Control ''" added a
"Cache-Control" response header line with an empty value.
*) Bugfix: the "satisfy any" directive might return 403 error instead of
401 if auth_request and auth_basic directives were used.
*) Bugfix: the "accept_filter" and "deferred" parameters of the "listen"
directive were ignored for listen sockets created during binary
upgrade.
*) Bugfix: some data received from a backend with unbuffered proxy
might not be sent to a client immediately if "gzip" or "gunzip"
directives were used.
*) Bugfix: in error handling in ngx_http_gunzip_filter_module.
*) Bugfix: responses might hang if the ngx_http_spdy_module was used
with the "auth_request" directive.
*) Bugfix: memory leak in nginx/Windows.
Changes with nginx 1.5.6 01 Oct 2013
*) Feature: the "fastcgi_buffering" directive.
*) Feature: the "proxy_ssl_protocols" and "proxy_ssl_ciphers"
directives.
*) Feature: optimization of SSL handshakes when using long certificate
chains.
*) Feature: the mail proxy supports SMTP pipelining.
*) Bugfix: in the ngx_http_auth_basic_module when using "$apr1$"
password encryption method.
*) Bugfix: in MacOSX, Cygwin, and nginx/Windows incorrect location might
be used to process a request if locations were given using characters
in different cases.
*) Bugfix: automatic redirect with appended trailing slash for proxied
locations might not work.
*) Bugfix: in the mail proxy server.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.5.5 17 Sep 2013
*) Change: now nginx assumes HTTP/1.0 by default if it is not able to
detect protocol reliably.
*) Feature: the "disable_symlinks" directive now uses O_PATH on Linux.
*) Feature: now nginx uses EPOLLRDHUP events to detect premature
connection close by clients if the "epoll" method is used.
*) Bugfix: in the "valid_referers" directive if the "server_names"
parameter was used.
*) Bugfix: the $request_time variable did not work in nginx/Windows.
*) Bugfix: in the "image_filter" directive.
*) Bugfix: OpenSSL 1.0.1f compatibility.
Changes with nginx 1.5.4 27 Aug 2013
*) Change: the "js" extension MIME type has been changed to
"application/javascript"; default value of the "charset_types"
directive was changed accordingly.
*) Change: now the "image_filter" directive with the "size" parameter
returns responses with the "application/json" MIME type.
*) Feature: the ngx_http_auth_request_module.
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if the "try_files" directive was used with an empty
parameter.
*) Bugfix: memory leak if relative paths were specified using variables
in the "root" or "auth_basic_user_file" directives.
*) Bugfix: the "valid_referers" directive incorrectly executed regular
expressions if a "Referer" header started with "https://".
*) Bugfix: responses might hang if subrequests were used and an SSL
handshake error happened during subrequest processing.
*) Bugfix: in the ngx_http_autoindex_module.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.5.3 30 Jul 2013
*) Change in internal API: now u->length defaults to -1 if working with
backends in unbuffered mode.
*) Change: now after receiving an incomplete response from a backend
server nginx tries to send an available part of the response to a
client, and then closes client connection.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used with the "client_body_in_file_only"
directive.
*) Bugfix: the "so_keepalive" parameter of the "listen" directive might
be handled incorrectly on DragonFlyBSD.
*) Bugfix: in the ngx_http_xslt_filter_module.
*) Bugfix: in the ngx_http_sub_filter_module.
Changes with nginx 1.5.2 02 Jul 2013
*) Feature: now several "error_log" directives can be used.
*) Bugfix: the $r->header_in() embedded perl method did not return value
of the "Cookie" and "X-Forwarded-For" request header lines; the bug
had appeared in 1.3.14.
*) Bugfix: in the ngx_http_spdy_module.
*) Bugfix: nginx could not be built on Linux with x32 ABI.
Changes with nginx 1.5.1 04 Jun 2013
*) Feature: the "ssi_last_modified", "sub_filter_last_modified", and
"xslt_last_modified" directives.
*) Feature: the "http_403" parameter of the "proxy_next_upstream",
"fastcgi_next_upstream", "scgi_next_upstream", and
"uwsgi_next_upstream" directives.
*) Feature: the "allow" and "deny" directives now support unix domain
sockets.
*) Bugfix: nginx could not be built with the ngx_mail_ssl_module, but
without ngx_http_ssl_module; the bug had appeared in 1.3.14.
*) Bugfix: in the "proxy_set_body" directive.
*) Bugfix: in the "lingering_time" directive.
*) Bugfix: the "fail_timeout" parameter of the "server" directive in the
"upstream" context might not work if "max_fails" parameter was used;
the bug had appeared in 1.3.0.
*) Bugfix: a segmentation fault might occur in a worker process if the
"ssl_stapling" directive was used.
*) Bugfix: in the mail proxy server.
*) Bugfix: nginx/Windows might stop accepting connections if several
worker processes were used.
Changes with nginx 1.5.0 07 May 2013
*) Security: a stack-based buffer overflow might occur in a worker
process while handling a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2013-2028); the bug had
appeared in 1.3.9.
1.0.8
-----
Highlights:
* Cleaned up documentation, many thanks to Petrus Janse van Rensburg.
* More flexible menu system, ability to add links to menus
* Human-readable filter URLs
* Callable filter `options`
* `EmailField` filter
* Simple accessibility fixes
* `InlineFormField` now accepts `widget_args` and `form_rules` arguments
* Support for newer wtforms versions
* `form_rules` property that affects both create and edit forms
* Lots of bugfixes
Version 0.13 2014-04-21
```````````````````````
- Port to Python >= 3.3 (requiring Python 2.6/2.7 for 2.x).
- Fixed bug with using per-memoize timeouts greater than the default timeout
- Added better support for per-instance memoization.
- Various bug fixes
uWSGI 2.0.4
Bugfixes
fixed "cmime" routing var (Steve Stagg)
allow duplicate headers in http parsers
faster on_demand Emperor management
fixed UWSGI_ADDITIONAL_SOURCES build option
merge duplicated headers when SPDY is enabled
fixed segfault for unnamed loggers
-need-app works in lazy-apps mode
fixed fatal hooks management
New features
The experimental asyncio loop engine (CPython >= 3.4)
asyncio (also known as 'tulip') is the new infrastructure for writing non-blocking/async/callback-based code with Python 3.
This plugin (experimental) allows you to use asyncio as the uWSGI loop engine
Docs: http://uwsgi-docs.readthedocs.org/en/latest/asyncio.html
httprouter advanced timeout management
The http router got two new specific timeouts:
-http-headers-timeout <n> ; defines the timeout while waiting for http headers
-http-connect-timeout <n> ; defines the timeout when connecting to backend instances
They should help the sysadmin in improving security and availability.
allow disabling cache warnings in -cache2
The 'ignore_full' keyval option has been added to cache2. This will disable warnings when a cache is full.
purge LRU cache feature by Yu Zhao (getcwd)
This new mode allows you to configure a cache to automatically expire least recently used (LRU) items when it is full.
Just add purge_lru=1 to your cache2 directive
support embedded config on FreeBSD
You can now embed config on FreeBSD systems:
http://uwsgi-docs.readthedocs.org/en/latest/Embed.html#step-2-embedding-the-config-file
rpc hook
Two new hooks have been added:
'rpc' -> call the specified rpc function (fails on error)
'rpcretry' -> call the specified rpc function (retry on error)
setmodifier1 and setmodifier2 routing actions
Having to load the 'uwsgi' routing plugin just for setting modifiers was really annoying. These two routing actions (embedded in the core) allow you to dynamically set modifiers.
no_headers option for static router
The keyval based static routing action can now avoid rewriting response headers (useful for X-Sendfile); just add no_headers=1 to your keyval options.
uWSGI 2.0.3
Bugfixes
fixed spooler 'at' key usage
fixed a memory and fd leak with on-demand Emperor sockets
on __APPLE__ use LOG_NOTICE for syslog plugin
fixed mongrel2 support
hack for avoiding libmongoclient to crash on broken cursor
log alarm is now a uwsgi_log_verbose() wrapper
fixed tuntap router memory corruption
Set ECDHE curve independently from DHE parameters (Hynek Schlawack)
do not wait for a whole Emperor cycle before checking for each waitpid
fix a regression with caller() not indicating the starting *.psgi program (Ævar Arnfjörð Bjarmason)
New features
Emperor SIGWINCH and SIGURG
The Emperor now responds to two new signals:
SIGWINCH: force an emperor rescan of vassals
SIGURG: cleanup the Emperor states (for now it only clears its blacklist)
Building plugins on-the-fly from git repositories
You can now build plugins stored on git servers:
uwsgi --build-plugin https://github.com/unbit/uwsgi-bonjour
or
UWSGI_EMBED_PLUGINS="bonjour=https://github.com/unbit/uwsgi-bonjour" pip install uwsgi
uwsgi.add_var(key, value)
You can now set request variables directly from your app, for better integration with the internal routing subsystem:
    # PSGI app: set a request variable that the routing subsystem can read
    my $app = sub {
        uwsgi::add_var("newvar", "newvalue");
        return [200, ['Content-Type' => 'text/html'], ["Hello"]];
    };
uwsgi --http-socket :9090 --psgi hello.pl --response-route-run "log:\${newvar}"
add_var has been implemented in the CPython and Perl plugins
'disableheaders' routing action
This new action disables the sending of response headers, independently of the current request state.
Smarter Emperor on bad conditions
Now the Emperor completely destroys internal vassal-related structures when it is impossible to correctly kill a broken vassal (both for inconsistent Emperor state or for internal system problems)
This release contains a lot of bug fixes, many detected by scan.coverity.com (and more to come). The main reason for the release is a fix for an SQL injection (and path traversal) bug triggered by specially crafted (and invalid) Host: headers.
These releases address an unexpected code-execution issue, a caching issue which can expose CSRF tokens and a MySQL typecasting issue. While these issues present limited risk and may not affect all Django users, we encourage all users to evaluate their own risk and upgrade as soon as possible.
Collection.
HTTP library with thread-safe connection pooling, file post, and more.
Highlights
* Re-use the same socket connection for multiple requests (HTTPConnectionPool
and HTTPSConnectionPool) (with optional client-side certificate
verification).
* File posting (encode_multipart_formdata).
* Built-in redirection and retries (optional).
* Supports gzip and deflate decoding.
* Thread-safe and sanity-safe.
* Works with AppEngine, gevent, and eventlib.
* Tested on Python 2.6+ and Python 3.2+, 100% unit test coverage.
* Small and easy to understand codebase perfect for extending and building
upon. For a more comprehensive solution, have a look at Requests which is
also powered by urllib3.
It contains 9 bugfixes and 5 security fixes:
* Potential authentication cookie forgery. CVE-2014-0166.
* Privilege escalation: prevent contributors from publishing posts. CVE-2014-0165.
* (Hardening) Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
* (Hardening) Fix a low-impact SQL injection by trusted users.
* (Hardening) Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.
Upstream changes:
4.93 2014-04-13
- Fixed bug where Mojolicious::Static would not use the correct default MIME
type.
4.92 2014-04-08
- Removed deprecated use of hash references for optgroup generation with
select_field helper.
- Improved dumper helper to escape unprintable characters.
- Fixed small handler detection bug in Mojolicious::Renderer.
Upstream changes:
1.3123 2014-04-12
[ BUG FIXES ]
* Test was skipping wrong number of tests if JSON was absent.
1.3122 10.04.2014
[ DOCUMENTATION ]
* GH #995: Documentation improvements. (Colin Kuskie)
[ BUG FIXES ]
* Serializer::Mutable now considers 'Accept' before 'Content-Type'.
(GH#996, Bernhard Reutner-Fischer)
* Serializer::Mutable now correctly deals with content-types
with charsets. (GH#996, Bernhard Reutner-Fischer)
* Without Clone(), Dancer::Error::dumper() could clobber
values in deep structures. (GH#1006, fix by asergei)
* 'session_name' in Dancer::Session::Abstract couldn't be
redefined. (GH#1004, patch by Lee Carmichael)
[ MISC ]
* Unused function 'path_no_verify' removed. (GH#998,
reported by mjemmeson)
* Better support for multiple source generators.
* Update method used to check for modification dates of source and thumbnail
images. Thanks Ben Roberts.
* Better thumbnail_high_resolution handling, including the ability to switch on
and off explicitly with a ``HIGH_RESOLUTION`` thumbnail option.
* Added configuration option to specify the infix used for high resolution
image handling.
* Optional postprocessor for image optimization. Thanks Jacob Rief!
* More remote storages optimization
* Thumbnail dimensions can now optionally be cached. Thanks David Novakovic.
* New ``zoom`` option to generate a thumbnail of a source image with a
percentage clipped off each side.
* New ``background`` source processor that can add a border color to ensure
scaled images fit within the exact dimensions given.
Fixture loading issues fixed
A regression in 0.8.3 meant that fixtures referring to models outside of the app they were in, and some other references to custom user models, were broken. This should now be fixed.
While here,
* move dependency on wget to TOOLS,
* simplify configuration file handling
dillo-3.0.4 [April 09, 2014]
+- OPTGROUP and INS elements.
- Some HTML5 elements, etc.
- Added show_ui_tooltip preference (BUG#1140).
Patches: corvid
+- Make embedding into other applications more reliable (BUG#1127).
- Add search from address bar.
- Share CSS user agent stylesheet between pages.
Patches: Johannes Hofmann
+- Better scaling (down) of images, even with consideration of gamma
correction.
- Fixed (possibly security) problem of FltkImgBuf caused by integer overflow
(BUG#1129).
- Some linebreaking fixes, and optimization for non-justified text, including
new preference stretchability_factor.
- Added white_bg_replacement preference.
- Implemented background images (except 'background-attachment'), added
load_background_images preference, as well as a new entry in the tools menu.
Patches: Sebastian Geerken
+- Fix a set of bugs reported by Oulu Univ. Secure Programming Group
(HTML parsing, URL resolution, GIF processing, etc.)
- Improved/fixed handling of HEAD, TITLE, TEXTAREA and form inputs.
- Made show_url dillorc option work again (BUG#1128)
Patches: Jorge Arellano Cid
+- Fix compiling on Hurd.
Patch: Pino Toscano
+- Avoid Dpid children becoming zombies.
Patch: Jorge Arellano, J. Gaffney
+- HTML5 WBR element.
- Fix compiling on IRIX with MIPSpro compiler.
Patches: corvid, Sebastian Geerken
Upstream changes:
0.12 2014-04-07 22:42:12 Europe/Amsterdam
[ ENHANCEMENTS ]
* GH#518: Bump jQuery to 1.10.2 (Grzegorz Różniecki).
* GH#535: Support OPTIONS and PATCH requests in Server::Standalone.
(Russell Jenkins)
* GH#553: Dancer2 CLI: specify directory to write app skeleton
(Jean Stebens)
* GH#543: Additional HTTP Methods for Ajax plugin (Jean Stebens).
[ DOCUMENTATION ]
* RT#91428: POD encoding set to UTF-8 in main .pm (Gregor Herrmann).
* GH#517: Miscellaneous documentation fixes (Cesare Gargano).
* GH#518: "Getting started" demo page fixes (Grzegorz Różniecki).
* GH#522: s/PerlHandler/PerlResponseHandler/ in Apache2 sample configuration
(Grzegorz Różniecki)
* GH#521: Remove duplicated POD and clean up list details (Shlomi Fish)
* GH#526: Cleanup POD formating and code snippets in manual.
(Grzegorz Różniecki)
[ BUG FIXES ]
* GH#528,529: Force PSGI server in dispatch scripts for CGI or fcgi
deployments (Erik Smit, Alberto Simões)
* GH#550,GH#551: Update all headers in Handler::File
(Sawyer X, Stefan @racke Hornburg)
* GH#540: Fix hook execution when default scalar was used in hook code.
(baynes, Russell Jenkins)
* GH#552: Rework test suite to use Plack::Test
(Sawyer X, Stefan @racke Hornburg)
* GH#560: Return values of hooks do not alter response content.
(Jean Stebens)
* Fix CVE-2014-0050 and CVE-2013-4590,
Changelog:
Tomcat 7.0.53 (violetagg)
Catalina
add Make it easier for applications embedding and/or extending Tomcat to modify the javaseClassLoader attribute of the WebappClassLoader. (markt)
fix Improve the robustness of web application undeployment based on some code analysis triggered by the report for 54315. (markt)
fix 56219: Improve merging process for web.xml files to take account of the elements and attributes supported by the Servlet version of the merged file. (markt)
fix 56190: The response should be closed (i.e. no further output is permitted) when a call to AsyncContext.complete() takes effect. (markt)
fix 56236: Enable Tomcat to work with alternative Servlet and JSP API JARs that package the XML schemas in such a way as to require a dependency on the JSP API before enabling validation for web.xml. Tomcat has no such dependency. (markt)
fix 56246: Fix NullPointerException in MemoryRealm when authenticating an unknown user. (markt)
fix 56248: Allow the deployer to update an existing WAR file without undeploying the existing application if the update flag is set. This allows any existing custom context.xml for the application to be retained. To update an application and remove any existing context.xml simply undeploy the old version of the application before deploying the new version. (markt)
fix Redefine the globalXsltFile initialisation parameter of the DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent user supplied XSLTs used by the DefaultServlet from defining external entities. (markt)
add Add a work around for validating XML documents (often TLDs) that use just the file name to refer to the JavaEE schema on which they are based. (markt)
fix 56293: Cache resources loaded by the class loader from /META-INF/services/ for better performance for repeated look ups. (markt)
Coyote
fix 53119: Make sure the NIO AJP output buffer is cleared on any error to prevent any possible overflow if it is written to again before the connection is closed. This extends the original fix for the APR/native output buffer to the NIO connector. (kkolinko)
fix 56172: Avoid possible request corruption when using the AJP NIO connector and a request is sent using more than one AJP message. Patch provided by Amund Elstad. (markt)
fix 56213: Reduce garbage collection when the NIO connector is under heavy load. (markt)
fix Improve processing of the chunk size from chunked headers. Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster. (markt/kkolinko)
fix Fix possible overflow when parsing long values from a byte array. (markt)
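The two Coyote entries above are about the same hazard: the hex chunk size of a chunked request body is accumulated digit by digit, and without a bound check a long run of digits silently wraps the accumulator, so a chunk the client declared as enormous is treated as small (or zero) and the parser loses track of where the body ends. The following is an added C rendering of that parse with the check done before the shift; it is not Tomcat's code (which is Java), and the function names, the INT32 limit and the sample chunk-size lines are assumptions for this example.

```c
#include <stdint.h>
#include <string.h>

/* Parse the chunk-size line of an HTTP/1.1 chunked body, e.g. "1a;ext=v\r\n".
   Returns the size, or -1 on malformed input or a value above INT32_MAX.
   Added example modelled on the changelog entries; not Tomcat's implementation. */
long parseChunkSize(const char *line)
{
    const int32_t limit = INT32_MAX;
    int32_t result = 0;
    int digits = 0;
    const char *p = line;

    for (;; p++) {
        int v;
        if (*p >= '0' && *p <= '9')      v = *p - '0';
        else if (*p >= 'a' && *p <= 'f') v = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F') v = *p - 'A' + 10;
        else break;
        /* Bound check BEFORE shifting: result*16 + v must still fit in the limit.
           (limit >> 4) is the largest value that survives one more hex digit. */
        if (result > (limit >> 4) || (result == (limit >> 4) && v > (limit & 0xF)))
            return -1;
        result = (result << 4) | v;       /* shift instead of multiply, as in the fix */
        digits++;
    }
    if (digits == 0) return -1;           /* no hex digits at all */
    if (*p == ';') {                      /* chunk extension: skip to end of line */
        while (*p && *p != '\r') p++;
    }
    if (p[0] != '\r' || p[1] != '\n') return -1;
    return result;
}

/* The unchecked variant, kept only to show what the fix prevents: a 32-bit
   accumulator wraps, so nine hex digits can come out as 0. */
uint32_t parseChunkSizeWrapping(const char *line)
{
    uint32_t result = 0;
    for (const char *p = line; ; p++) {
        int v;
        if (*p >= '0' && *p <= '9')      v = *p - '0';
        else if (*p >= 'a' && *p <= 'f') v = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F') v = *p - 'A' + 10;
        else break;
        result = (result << 4) | (uint32_t)v;   /* wraps silently past 0xFFFFFFFF */
    }
    return result;
}
```

A rejected size should be answered with a 400 and the connection closed rather than clamped, since a peer that sends an impossible chunk size is either broken or probing the parser.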
Jasper
fix 54475: Add Java 8 support to SMAP generation for JSPs. Patch by Robbie Gibson. (markt)
fix 55483: Improve handling of overloaded methods and constructors in expression language implementation. (markt)
fix 56208: Restore the validateXml option to Jasper that was previously renamed validateTld. Both options are now supported. validateXml controls the validation of web.xml files when Jasper parses them and validateTld controls the validation of *.tld files when Jasper parses them. (markt)
fix 56223: Throw an IllegalStateException if a call is made to ServletContext.setInitParameter() after the ServletContext has been initialized. (markt)
fix 56265: Do not escape values of dynamic tag attributes containing EL expressions. (kkolinko)
fix Make the default compiler source and target versions for JSPs Java 6 since Tomcat 7 requires Java 6 as a minimum. (markt)
update 56283: Update to the Eclipse JDT Compiler P20140317-1600 which adds support for Java 8 syntax to JSPs. Add support for value "1.8" for the compilerSourceVM and compilerTargetVM options. (markt)
WebSocket
fix Avoid a possible deadlock when one thread is shutting down a connection while another thread is trying to write to it. (markt)
fix Call onError if an exception is thrown calling onClose when closing a session. (remm)
Web applications
code In the documentation: add support for several documentation tags from Tomcat 8. Such as <version-major/>. (kkolinko)
add 56093: Add the SSL Valve to the documentation web application. (markt)
fix 56217: Improve readability by using left alignment for the table cell containing the request information on the Manager application status page. (markt)
fix Fixed java.lang.NegativeArraySizeException when using "Expire sessions" command in the manager web application on a context where the session timeout is disabled. (kfujino)
fix Add support for LAST_ACCESS_AT_START system property to Manager web application. (kfujino)
fix Add definition of org.apache.catalina.ant.FindLeaksTask. (kfujino)
fix 56273: If the Manager web application does not perform an operation because the web application is already being serviced, report an error rather than reporting success. (markt)
fix 56304: Add a note to the documentation about not using WebSocket with BIO HTTP in production. (markt)
Other
fix 56143: Improve service.bat so that it can be launched from a non-UAC console. This includes using a single call to tomcat7.exe to install the Windows service rather than three calls, and using command line arguments instead of environment variables to pass the settings. (markt/kkolinko)
fix Fix regression in 7.0.52: when using service.bat install to install the service the values for --StdOutput, --StdError options were passed as blank instead of "auto". (kkolinko)
fix Align options between service.bat and exe Windows installer. For service.bat the changes are in --Classpath, --DisplayName, --StartPath, --StopPath. For exe installer the changes are in --JvmMs, --JvmMx options, which are now 128 Mb and 256 Mb respectively instead of being empty. Explicitly specify --LogPath path when uninstalling Windows service, avoiding default value for that option. (kkolinko)
code Simplify Windows *.bat files: remove %OS% checks, as java 6 does not run on ancient non-NT operating systems. (kkolinko)
fix 56137: Explicitly use the BIO connector in the SSL example in server.xml so it doesn't break if APR is enabled. (markt)
fix 56139: Avoid a web application class loader leak in some unit tests when running on Windows. (markt)
fix Correct build script to avoid building JARs with empty packages. (markt)
add Allow to limit JUnit test run to a number of selected test case methods. (kkolinko)
fix 56189: Remove unused file cpappend.bat from the distribution. (markt)
Tomcat 7.0.52 (violetagg) released 2014-02-17
Catalina
fix Generate a valid root element for the effective web.xml for a web application for all supported versions of web.xml. (markt)
Coyote
code Pull up SocketWrapper to AbstractProcessor. (markt)
fix In some circumstances asynchronous requests could time out too soon. (markt)
Tomcat 7.0.51 (violetagg) not released
Catalina
fix 55287: ServletContainerInitializer defined in the container may not be found. (markt/jboynes)
fix 55855: Provide a per Context option (containerSciFilter) to exclude container SCIs. (markt)
fix 55937: When deploying applications, treat a context path of /ROOT as equivalent to /. (markt)
fix 55943: Improve the implementation of the class loader check that prevents web applications from trying to override J2SE implementation classes. As part of this fix, refactor the way a null parent class loader is handled which enables a number of null checks and object creation calls to be removed. (markt)
fix 55958: Differentiate between foo.war the WAR file and foo.war the directory. (markt)
fix 55960: Improve the single sign on (SSO) unit tests. Patch provided by Brian Burch. (markt)
fix 55974: Retain order when reporting errors and warnings while parsing XML configuration files. (markt)
fix 56013: Fix issue with SPNEGO authentication when using IBM JREs. IBM JREs only understand the option of infinite lifetime for Kerberos credentials. Based on a patch provided by Arunav Sanyal. (markt)
fix 56016: When loading resources for XML schema validation, take account of the possibility that servlet-api.jar and jsp-api.jar may not be loaded by the same class loader. Patch by Juan Carlos Estibariz. (markt)
fix 56025: When creating a WebSocket connection, always call ServerEndpointConfig.Configurator.getNegotiatedSubprotocol() and always create the EndPoint instance after calling ServerEndpointConfig.Configurator.modifyHandshake(). (markt)
fix 56032: Ensure that the WebSocket connection is closed after an IO error or an interrupt while sending a WebSocket message. (markt)
fix 56042: If a request in async mode has an error but has already been dispatched don't generate an error page in the ErrorReportValve so the dispatch target can handle it. (markt)
fix Add missing javax.annotation.sql.* classes to annotations-api.jar. (markt)
fix The type of the logger attribute of the Context MBean should be org.apache.juli.logging.Log, not org.apache.commons.logging.Log. (kfujino)
fix 56082: Fix a concurrency bug in JULI's LogManager implementation. (markt)
fix 56096: When the attribute rmiBindAddress of the JMX Remote Lifecycle Listener is specified, its value will be used when constructing the address of a JMX API connector server. Patch is provided by Jim Talbut. (violetagg)
fix When an environment entry with the same name is defined both in the web deployment descriptor and via annotation, the one specified in the web deployment descriptor takes priority. (violetagg)
fix Change default value of xmlBlockExternal attribute of Context. It is true now. (kkolinko)
Coyote
fix Avoid possible NPE if a content type is specified without a character set. (markt)
fix 55956: Make the forwarded remote IP address available to the Connectors via a request attribute. (markt)
fix 55976: Fix sendfile support for the HTTP NIO connector. (markt)
fix 55996: Ensure Async requests timeout correctly when using the NIO HTTP connector. (markt)
add 56021: Make it possible to use the Windows-MY key store with the BIO and NIO connectors for SSL configuration. It requires a keystoreFile="" keystoreType="Windows-My" to be set on the connector. Based on a patch provided by Asanka. (markt)
Jasper
fix Correct a regression in the XML refactoring that meant that errors in TLD files were swallowed. (markt)
fix 55671: Correct typo in the log message for a wrong value of genStringAsCharArray init-param of JspServlet. This parameter had a different name in Tomcat 6. (kkolinko)
fix 55973: Fix processing of XML schemas when validation is enabled in Jasper. (kkolinko)
fix 56010: Don't throw an IllegalArgumentException when JspFactory.getPageContext is used with JspWriter.DEFAULT_BUFFER. Based on a patch by Eugene Chung. (markt)
fix 56012: When using the extends attribute of the page directive do not import the super class if it is in an unnamed package as imports from unnamed packages are now explicitly illegal. (markt)
fix 56029: A regression in the fix for 55198 meant that when EL containing a ternary expression was used in an attribute a compilation error would occur for some expressions. (markt)
fix Correct several errors in jspxml Schema and DTD. (kkolinko)
fix Change default value of the blockExternal attribute of JspC task. The default value is true. Add support for -no-blockExternal switch when JspC is run as a standalone application. (kkolinko)
Cluster
code Simplify the code of o.a.c.ha.tcp.SimpleTcpCluster.createManager(String). Remove unnecessary class cast. (kfujino)
WebSocket
fix Do not return an empty string for the Sec-WebSocket-Protocol HTTP header when no sub-protocol has been requested or no sub-protocol could be agreed as RFC6455 requires that no Sec-WebSocket-Protocol header is returned in this case. (markt)
Web applications
fix Add index.xhtml to the welcome files list for the examples web application. (kkolinko)
fix Clarify that the connectionTimeout may also be used as the read timeout when reading a request body (if any) in the documentation web application. (markt)
fix Clarify the behaviour of the maxConnections attribute for a connector in the documentation web application. (markt)
fix 55888: Update the documentation web application to make it clearer that a Container may define no more than one Realm. (markt)
fix 55956: Where available, display the forwarded remote IP address on the status page of the Manager web application. (markt)
fix Correct links to the Tomcat mailing lists in the ROOT web application. (kkolinko)
fix In Manager web application improve handling of file upload errors. Display a message instead of error 500 page. Simplify parts handling code, as it is known that Tomcat takes care of them when recycling a request. (kkolinko)
Extras
fix 55166, 56045: Copy the XML schemas used for validation that are packaged in jsp-api.jar to servlet-api.jar so that an embedded Tomcat instance can start without Jasper being available. This also enables validation to work without Jasper being available. (markt/kkolinko)
fix 56039: Enable the JmxRemoteLifecycleListener to work over SSL. Patch by esengstrom. (markt)
Other
fix 55743: Enable the stop script to work when the shutdown port is disabled and a PID file is defined. This is only available on platforms that use catalina.sh. (markt)
fix 55986: When forcing Tomcat to stop via kill -9 $CATALINA_PID, the catalina.sh script could incorrectly report that Tomcat had not yet completely stopped when it had. Based on a patch by jess. (markt)
fix Package correct license and notice files with embedded JARs. (markt)
code Remove svn keywords (such as $Id) from source files and documentation. (kkolinko)
fix Fix CVE-2014-0050, a denial of service with a malicious, malformed Content-Type header and multipart request processing. Fixed by merging latest code (r1565163) from Commons FileUpload. (markt)
fix 56115: Expose the httpusecaches property of Ant's get task as some users may need to change the default. Based on a suggestion by Anthony. (markt)
Tomcat 7.0.50 (violetagg) released 2014-01-08
Catalina
fix Handle the case where a context.xml file is added to a web application deployed from a directory. Previously the file was ignored until Tomcat was restarted. Now (assuming automatic deployment is enabled) it will trigger a redeploy of the web application. (markt)
fix Fix string comparison in HostConfig.setContextClass(). (kkolinko)
code Streamline handling of WebSocket messages when no handler is configured for the message currently being received. (markt)
fix Handle the case where a WebSocket annotation configures a message size limit larger than the default permitted by Tomcat. (markt)
fix 55855: This is a partial fix that bypasses the relatively expensive check for a WebSocket upgrade request if no WebSocket endpoints have been registered. (markt)
fix 55905: Prevent a NPE when web.xml references a taglib file that does not exist. Provide better error message. (violetagg)
Coyote
fix When using the BIO connector with an internal executor, do not display a warning that the executor has not shutdown as the default configuration for BIO connectors is not to wait. This is because threads in keep-alive connections cannot be interrupted and therefore the warning was nearly always displayed. (markt)
Jasper
fix JspC uses servlet context initialization parameters to pass configuration so ensure that the servlet context used supports initialization parameters. (markt)
Cluster
fix In AbstractReplicatedMap#finalize, remove rpcChannel from the channel listeners of the group channel before sending the MapMessage.MSG_STOP message. This prevents a node that sent MapMessage.MSG_STOP during a normal shutdown from being added to the member map again by the heartbeat thread's ping in the node that received the message. (kfujino)
fix Add time stamp to GET_ALL_SESSIONS message. (kfujino)
Web applications
fix Fix the sample configuration of StaticMembershipInterceptor in order to prevent warning log. uniqueId must be 16 bytes. (kfujino)
Extras
update Update dependencies that are used to build tomcat-juli extras component. Apache Avalon Framework is updated to version 4.1.5, Apache Log4J to version 1.2.17. (rjung)
Tomcat 7.0.49 (violetagg) not released
Catalina
fix Correct a regression in the new XML local resolver that triggered false failures when XML validation was configured. (markt)
fix Prevent a NPE when destroying HTTP upgrade handler for WebSocket connections. (violetagg)
Tomcat 7.0.48 (violetagg) not released
Catalina
add 51294: Add support for unpacking WARs located outside of the Host's appBase in to the appBase. (markt)
fix 55656: Configure the Digester to use the server class loader when parsing server.xml rather than the class loader that loaded StandardServer. Patch provided by Roberto Benedetti. (markt)
fix 55664: Correctly handle JSR 356 WebSocket Encoder, Decoder and MessageHandler implementations that use a generic type such as Encoder.Text<List<String>>. Includes a test case by Niki Dokovski. (markt)
fix Correctly handle WebSocket Encoders, Decoders and MessageHandlers that use arrays of generic types. (markt)
fix 55681: Ensure that the WebSocket session is made available to MessageHandler method calls. (markt)
fix Updated servlet spec version and documentation section-number reported when JAR files are rejected for containing a trigger class (e.g. javax.servlet.Servlet). (schultz)
add Modify the WebSocket handshake process so that the user properties Map exposed by the ServerEndpointConfig during the call to Configurator.modifyHandshake() is unique to the connection rather than shared by all connections associated with the Endpoint. This allows for easier configuration of per connection properties from within modifyHandshake(). (markt)
fix 55684: Log a warning but continue if the memory leak detection code is unable to access all threads to check for possible memory leaks when a web application is stopped. (markt)
fix Define the web-fragment.xml in tomcat7-websocket.jar as a Servlet 3.0 web fragment rather than as a Servlet 3.1 web fragment. (markt)
fix 55715: Add a per web application executor to the WebSocket implementation and use it for calling SendHandler.onResult() when there is a chance that the current thread also initiated the write. (markt)
fix Prevent file descriptor leaks and ensure that files are closed when configuring the web application. (violetagg)
fix Fixed the name of the provider-configuration file located in tomcat7-websocket.jar!/META-INF/services that exposes information for javax.websocket.server.ServerEndpointConfig$Configurator implementation. (violetagg)
fix 55760: Remove the unnecessary setting of the javax.security.auth.useSubjectCredsOnly system property in the SpnegoAuthenticator as in addition to it being unnecessary, it causes problems with using SPNEGO with IBM JDKs. Patch provided by Arunav Sanyal. (markt)
fix 55772: Ensure that the request and response are recycled after an error during asynchronous processing. Includes a test case based on code contributed by Todd West. (markt)
fix 55778: Add an option to the JNDI Realm to control the QOP used for the connection to the LDAP server after authentication when using SPNEGO with delegated credentials. This value is used to set the javax.security.sasl.qop environment property for the LDAP connection. (markt)
fix 55798: Log an error if the MemoryUserDatabase is unable to find the specified user database file. (markt)
fix 55799: Correctly enforce the restriction in JSR356 that no more than one data message may be sent to a remote WebSocket endpoint at a time. (markt)
fix When Catalina parses TLD files, always use a namespace aware parser to be consistent with how Jasper parses TLD files. The tldNamespaceAware attribute of the Context is now ignored. (markt)
fix Deprecate the tldNamespaceAware Context attribute as TLDs are always parsed with a namespace aware parser. (markt)
fix Correct a logic error that meant that unpackWARs was ignored and the WAR was always expanded if a WAR failed to deploy. (markt)
add Add support for defining copyXML on a per Context basis. (markt)
fix Define the expected behaviour of the automatic deployment and align the implementation to that definition. (markt)
add When running under a security manager, change the default value of the Host's deployXML attribute to false. (markt)
add If a Host is configured with a value of false for deployXML, a web application has an embedded descriptor at META-INF/context.xml and no explicit descriptor has been defined for this application, do not allow the application to start. The reason for this is that the embedded descriptor may contain configuration necessary for secure operation such as a RemoteAddrValve. (markt)
fix Prevent an NPE in the WebSocket ServerContainer when processing an HTTP session end event. (markt)
add 55801: Add the ability to set a custom SSLContext to use for client wss connections. Patch provided by Maciej Lypik. (markt)
fix 55804: If the GSSCredential for the cached Principal expires when using SPNEGO authentication, force a re-authentication. (markt)
add 55811: If the main web.xml contains an empty absolute-ordering element and validation of web.xml is not enabled, skip parsing any web-fragment.xml files as the result is never used. (markt)
fix 55839: Extend support for digest prefixes {MD5}, {SHA} and {SSHA} to all Realms rather than just the JNDIRealm. (markt)
fix 55842: Ensure that if a larger than default response buffer is configured that the full buffer is used when a Servlet outputs via a Writer. (markt)
fix 55851: Further fixes to enable SPNEGO authentication to work with IBM JDKs. Based on a patch by Arunav Sanyal. (markt)
add Fix CVE-2013-4590: Add an option to the Context to control the blocking of XML external entities when parsing XML configuration files and enable this blocking by default when a security manager is used. The block is implemented via a custom resolver to enable the logging of any blocked entities. (markt)
Coyote
code Implement a number of small refactorings to the APR/native handler for upgraded HTTP connections. (markt)
fix Fix an issue with upgraded HTTP connections over HTTPS (e.g. secure WebSocket) when using the APR/native connector that resulted in the unexpected closure of the connection. (markt)
fix Ensure that the application class loader is used when calling the ReadListener and WriteListener methods when using non-blocking IO. A side effect of not doing this was that JNDI was not available when processing WebSocket events. (markt)
add Make the time that the internal executor (if used) waits for request processing threads to terminate before continuing with the connector stop process configurable. (markt)
fix 55749: Improve the error message when SSLEngine is disabled in the AprLifecycleListener and SSL is configured for an APR/native connector. (markt)
add If a request that includes an Expect: 100-continue header receives anything other than a 2xx response, close the connection. This protects against misbehaving clients that may not send the request body in that case and send the next request instead. (markt)
fix Improve the parsing of trailing headers in HTTP requests. (markt)
Jasper
fix 55735: Fix a regression caused by the fix to 55198. When processing JSP documents, attributes in XML elements that are template content should have their text xml-escaped, but output of EL expressions in them should not be escaped. (markt)
fix 55807: The JSP compiler used a last modified time of -1 for TLDs in JARs expanded in to WEB-INF/classes (IDEs often do this expansion) when creating the dependency list for JSPs that used that TLD. This meant JSPs using that TLD were recompiled on every access. (markt)
Cluster
add Add log message that initialization of AbstractReplicatedMap has been completed. (kfujino)
fix The logger of AbstractReplicatedMap should be non-static in order to enable logging for each application. A side effect of this change is that MapMessage#getKey() and getValue() now throw a RuntimeException instead of returning null and logging an error. (kfujino)
code Simplify the code of DeltaManager#startInternal(). Reduce unnecessary nesting for acquisition of cluster instance. (kfujino)
fix Remove unnecessary attributes of stateTransferCreateSendTime and receiverQueue from cluster manager template. These attributes should not be defined as a template. (kfujino)
fix Fix MBean attribute definition of stateTransfered. The method name is not isStateTransfered() but getStateTransfered(). (kfujino)
fix Correct stop failure log of cluster. Failure cause is not only Valve. (kfujino)
fix Remove unnecessary sleep when sending session blocks on session sync phase. (kfujino)
fix Expose stateTimestampDrop of org.apache.catalina.ha.session.DeltaManager via JMX. (kfujino)
fix When the ping times out, make sure that the memberDisappeared method is not called for members that have already been removed. (kfujino)
add Add log message of session relocation when member disappeared. (kfujino)
fix If a ping message fails, prevent normal members that have not failed from being wrongly detected as timed out. (kfujino)
Web applications
add Add some documentation on the SSL configuration options for WebSocket clients. (markt)
add Add to cluster document a description of notifyLifecycleListenerOnFailure and heartbeatBackgroundEnabled. (kfujino)
fix Update the documentation with information for WebSocket 1.0 specification and javadoc. (violetagg)
fix 55703: Clarify the role of the singleton attribute for JNDI resource factories. (markt)
fix 55746: Add documentation on the allRolesMode to the CombinedRealm and LockOutRealm. Patch by Cédric Couralet. (markt)
add Expand the information on web applications that ship as part of Tomcat in the security how-to section of the documentation web application. (markt)
fix Expand the description of the WebSocket buffers in the documentation web application to clarify their purpose. (markt)
add Correct the documentation for Cluster manager. (kfujino)
add Add information on how to configure integrated Windows authentication when Tomcat is running on a non-Windows host. (markt)
Extras
update Update commons-logging to version 1.1.3. (rjung)
Other
add 52323: Add support for the Cobertura code coverage tool when running the unit tests. Based on a patch by mhasko. (markt/kkolinko)
update Update sample Eclipse IDE project. Explicitly use a Java 6 SE JDK. Exclude JSR356 WebSocket classes from build path, as they cannot be compiled with Java 6. (kkolinko)
update Update the Eclipse compiler to 4.3.1. (kkolinko/markt)
* In main(), when parsing form input fails, the CGI script exits without
producing any output whatsoever. Wouldn't it be better to actually
emit an error status, instead of expecting the server to do something
sane with a script that produces no output?
* In mpRead(), a check is done to ensure the requested length is not
greater than the amount of data still available, and to adjust it
if necessary. However, this check is currently done _after_ reading
data from the putback buffer, in which process len is decremented by
the amount of putback data read, but mpp->offset is not correspondingly
incremented (this happens later). As a result, the check uses too
small a value for len, and so fails to stop reading soon enough if
the requested length is greater than what is available _and_ there
was any data in the putback buffer.
The fix is to move the check to the beginning of mpRead()
* Further, if a read request is satisfied _entirely_ from the putback
buffer, mpp->offset is not updated at all, resulting in a similar
problem. The solution is to update mpp->offset in the "else if (got)"
case.
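The two mpRead() items above describe one invariant: the amount still readable is the declared content length minus the bytes already delivered, and putting bytes back must un-count them so the clamp sees them again. The following added C example, which is not cgic's code, models the reader with an in-memory body standing in for stdin and applies both fixes: the clamp runs before the putback buffer is drained, and offset is advanced in the all-from-putback case too. The struct layout, the helper names (mpInit, mpPutBack, mpSelfCheck) and the constructed body are assumptions for this example; only the field names offset and putback follow the text.

```c
#include <stddef.h>
#include <string.h>

#define MP_PUTBACK_SIZE 64

/* Constructed model of the multipart reader state; an assumption for this
   example, not cgic's own struct. */
typedef struct {
    const char *body;      /* in-memory stand-in for the request body on stdin */
    size_t contentLength;  /* the declared CONTENT_LENGTH */
    size_t streamPos;      /* bytes physically consumed from body */
    size_t offset;         /* bytes delivered to callers, net of putbacks */
    char putback[MP_PUTBACK_SIZE];
    size_t readPos, writePos;
} mpStream;

void mpInit(mpStream *mpp, const char *body, size_t contentLength)
{
    memset(mpp, 0, sizeof *mpp);
    mpp->body = body;
    mpp->contentLength = contentLength;
}

/* Hand bytes back after over-reading at a boundary. offset is un-advanced so
   the availability check in mpRead() counts them as readable again. */
void mpPutBack(mpStream *mpp, const char *data, size_t len)
{
    memcpy(mpp->putback + mpp->writePos, data, len);
    mpp->writePos += len;
    mpp->offset -= len;
}

/* Read up to len bytes into buffer; returns bytes delivered, 0 once the
   declared length is exhausted. The clamp runs FIRST, before any putback
   data is taken, and offset advances by everything delivered. */
size_t mpRead(mpStream *mpp, char *buffer, size_t len)
{
    size_t got = 0;
    size_t available = mpp->contentLength - mpp->offset;  /* stream left + putback */
    if (len > available) len = available;

    while (len && mpp->readPos != mpp->writePos) {        /* drain putback */
        *buffer++ = mpp->putback[mpp->readPos++];
        len--;
        got++;
    }
    if (mpp->readPos == mpp->writePos) mpp->readPos = mpp->writePos = 0;

    if (len) {                                            /* stand-in for fread() */
        size_t fromStream = mpp->contentLength - mpp->streamPos;
        if (fromStream > len) fromStream = len;
        memcpy(buffer, mpp->body + mpp->streamPos, fromStream);
        mpp->streamPos += fromStream;
        got += fromStream;
    }
    mpp->offset += got;       /* also in the "satisfied entirely from putback" case */
    return got;
}

/* Walks the scenarios from the notes. Returns 0 on success or the number of
   the first step that misbehaves. */
int mpSelfCheck(void)
{
    /* Constructed body: 8 declared bytes followed by 3 bytes that must never be read. */
    const char *body = "abcdefghXYZ";
    mpStream s;
    char buf[16];

    mpInit(&s, body, 8);
    if (mpRead(&s, buf, 5) != 5 || memcmp(buf, "abcde", 5) != 0) return 1;
    mpPutBack(&s, "de", 2);                                   /* offset 5 -> 3 */
    if (s.offset != 3) return 2;
    /* 2 bytes from putback plus 1 from the stream; offset must land on 6 */
    if (mpRead(&s, buf, 3) != 3 || memcmp(buf, "def", 3) != 0 || s.offset != 6) return 3;
    mpPutBack(&s, "f", 1);                                    /* offset 6 -> 5 */
    /* satisfied entirely from putback: offset must still advance to 6 */
    if (mpRead(&s, buf, 1) != 1 || buf[0] != 'f' || s.offset != 6) return 4;
    /* an over-long request is clamped to the 2 declared bytes that remain */
    if (mpRead(&s, buf, sizeof buf) != 2 || memcmp(buf, "gh", 2) != 0) return 5;
    if (mpRead(&s, buf, sizeof buf) != 0 || s.offset != 8) return 6;
    return 0;
}
```

With the clamp placed after the putback drain, as the notes describe, step 3 would compute the remaining length from a stale offset and step 5 could reach into the bytes past the declared length.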
* In cgiParsePostMultipartInput(), if the Content-Disposition of a part
is not "form-data", afterNextBoundary() is not called before beginning
to process the next part. As a result, parsing of the next part headers
begins with the body of the unwanted part. It is necessary in this case
to call afterNextBoundary() before continuing with the next cycle.
* In handling out-of-memory conditions in afterNextBoundary(), *outP is
set to '\0'. While this is technically legal ('\0' is "an integral
constant expression with the value 0"), it looks funny.
* In cgiCookieString(), a change was introduced in v2.02 which purports
to prevent an overrun in cases where cgiCookie is exactly equal to
the requested cookie name. In fact, the problem can also occur if
the requested name occurs with no values at the end of cgiCookie.
Further, the change from v2.02 does not fix the problem, because it
compares the _pointers_ p and n to NULL, which they will never equal,
rather than comparing the pointers they point at to NUL.
* Also in cgiCookieString(), there is a comment suggesting that the main
loop never terminates except with a return. This is not the case.
For example, it will terminate if the requested cookie is not found
and the cgiCookie string ends in a semicolon.
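The two cgiCookieString() items above come down to checking the character under the pointer rather than the pointer itself, and to accepting that the loop can end without a match. The following is an added C lookup that is not cgic's code; the function names and the sample HTTP_COOKIE strings in the comments are assumptions for this example. It handles the cases the notes list: a cookie string that is exactly the requested name, a requested name at the end with no value, and a string that ends in a semicolon.

```c
#include <stddef.h>
#include <string.h>

/* Look up a cookie by exact name in an HTTP_COOKIE string such as "a=1; b=2".
   Copies the value (possibly empty) into value and returns 1, or returns 0 if
   the name is absent. Every scan advances only while *p is non-NUL, so a name
   that ends the string with no value, or a string consisting only of the name,
   cannot run past the terminator. */
int cgiCookieLookup(const char *cookies, const char *name,
                    char *value, size_t valueSpace)
{
    size_t nameLen = strlen(name);
    const char *p = cookies;

    if (valueSpace == 0) return 0;
    value[0] = '\0';
    while (*p) {
        /* skip separators and padding between cookies */
        while (*p == ';' || *p == ' ' || *p == '\t') p++;
        if (!*p) break;                        /* string ended in ';' or blanks: no match */
        const char *nameStart = p;
        while (*p && *p != '=' && *p != ';') p++;
        size_t thisLen = (size_t)(p - nameStart);
        int match = (thisLen == nameLen && memcmp(nameStart, name, nameLen) == 0);
        const char *valueStart = p;
        if (*p == '=') valueStart = ++p;       /* a bare "name" has an empty value */
        while (*p && *p != ';') p++;           /* compare *p to NUL, never p to NULL */
        if (match) {
            size_t valueLen = (size_t)(p - valueStart);
            if (valueLen >= valueSpace) valueLen = valueSpace - 1;  /* truncate, never overrun */
            memcpy(value, valueStart, valueLen);
            value[valueLen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Convenience wrapper over a static buffer; returns NULL when the cookie is absent. */
const char *cgiCookieGet(const char *cookies, const char *name)
{
    static char value[256];
    return cgiCookieLookup(cookies, name, value, sizeof value) ? value : NULL;
}
```

Note that "session=x; sess=y" queried for "sess" must return "y", which is why the name is compared by length and bytes rather than by prefix.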
* Why did days[] (formerly daysOfWeek[]) and months[] become non-static?
This pollutes the namespace of programs using CGIC.
* In cgiReadEnvironment(), when reading in the contents of an uploaded
file, it is possible that a temporary file is successfully created
but then cannot be opened. In this case, no attempt is made to remove
the temporary file.
* Further, when a form entry does _not_ include an uploaded file,
e->tfileName is set to malloc'd but uninitialized memory. It should
be set to an empty string, by setting e->tfileName[0] to zero after
the 1-byte buffer is allocated.
Version 3.2.9 (2014-04-07)
--------------------------
### Fixed
Fixed a critical vulnerability of the install tool (see #6855).
### Fixed
Filter disabled groups in the registration module in the front end (see #6757).
### Fixed
Work around a bug in SimplePie with the "skip items" option (see #6107).
### Fixed
Fix the Swipe "continuous" option if there are exactly two slides (see #6812).
### Fixed
Apply `addslashes()` to strings in the `Config` class (see #6808).
### Fixed
Do not empty all fallback fields in sorting mode 4 (see #6498).
### Fixed
Do not allow template names to be longer than the DB fields (see #6819).
### Fixed
Correctly set the start time of a multi-day event (see #6802).
### Fixed
Correctly handle OR queries in the listing module (see #6344).
### Fixed
Use a monospaced font for the plain text newsletter preview (see #6790).
### Fixed
Adjust the `vScrollTo()` offset if the paste hint is visible (see #6478).
Upstream changes:
4.91 2014-03-29
- Added daemonize method to Mojo::Server.
- Added ensure_pid_file method to Mojo::Server::Prefork.
- Removed deprecated secret method from Mojolicious.
- Improved performance of Mojolicious::Plugin::EPRenderer and
Mojolicious::Plugin::EPLRenderer.
- Improved Mojo::Reactor::Poll portability with POLLPRI support.
4.90 2014-03-16
- Removed deprecated to_rel method from Mojo::URL.
- Updated IO::Socket::SSL requirement to 1.84 due to breaking changes in
IO::Socket::SSL.
- Improved documentation browser with more accessible links and readable
inline code.
- Fixed textarea and title parsing bugs in Mojo::DOM::HTML.
4.89 2014-03-13
- Added support for template variants.
- Improved built-in templates with unobtrusive menu bar.
- Fixed bug in Mojo::DOM::HTML where non-self-closing elements were not
handled correctly.
- Fixed bug in Mojo::DOM::HTML where <image> was not treated as an alias for
<img>.
4.88 2014-03-09
- Added build_controller method to Mojolicious.
- Added match method to Mojolicious::Routes.
- Improved Mojo::Server::Daemon to handle setuid/setgid errors more
gracefully.
- Improved Mojo::Server::Prefork to handle lock file errors more gracefully.
- Improved exception page to show better context information for templates.
- Fixed comment on last line bug in Mojo::Template.
4.87 2014-03-04
- Improved Mojo::ByteStream to allow more method chaining.
- Fixed RFC 7159 support in Mojo::JSON.
- Fixed RFC 7159 compliance bugs in Mojo::Transaction::WebSocket and
Test::Mojo.
- Fixed Unicode bugs in Test::Mojo.
4.86 2014-03-03
- Improved Mojo::IOLoop::Delay to allow more method chaining.
- Improved WebSocket and long poll performance.
4.85 2014-02-26
- Added next_tick method to Mojo::IOLoop and Mojo::Reactor.
- Added host_port and path_query methods to Mojo::URL.
- Added is_handshake method to Mojo::Message::Request.
- Improved Mojo::Reactor::EV responsiveness.
- Fixed IDNA support for CONNECT requests.
- Fixed "0" value bug in Mojo::Message::Request.
4.84 2014-02-22
- Added remaining attribute to Mojo::IOLoop::Delay.
- Added data and pass methods to Mojo::IOLoop::Delay.
- Improved Mojo::Exception context detection to better line up with user
expectations.
Version 0.9.5
-------------
Released 2014/03/21
- ``csrf_token`` for all template types `#112`_.
- Make FileRequired a subclass of InputRequired `#108`_.
Version 0.2.10
--------------
Released on March 9th, 2014
- Generalized `request_loader` introduced; ability to log users in via
customized callback over request.
- Fixes request context dependency by explicitly checking `has_request_context`.
- Fixes remember me issues since lazy user loading changes.
WTForms-reCaptcha is a convenient field for WTForms that transparently handles
reCaptcha display and validation via corresponding widget and validator classes.
Fixed in 7.36.0 - March 26 2014
Release contains security-related bug fixes
Changes:
ntlm: Added support for NTLMv2
tool: Added support for URL specific options
openssl: add ALPN support
gtls: add ALPN support
nss: add ALPN and NPN support
added CURLOPT_EXPECT_100_TIMEOUT_MS
tool: add --no-alpn and --no-npn
added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN
winssl: enable TLSv1.1 and TLSv1.2 by default
winssl: TLSv1.2 disables certificate signatures using MD5 hash
winssl: enable hostname verification of IP address using SAN or CN
darwinssl: Don't omit CN verification when an IP address is used
http2: build with current nghttp2 version
polarssl: dropped support for PolarSSL < 1.3.0
openssl: info message with SSL version used
Bugfixes:
SECURITY ADVISORY: wrong re-use of connections
SECURITY ADVISORY: IP address wildcard certificate validation
SECURITY ADVISORY: not verifying certs for TLS to IP address / Darwinssl
SECURITY ADVISORY: not verifying certs for TLS to IP address / Winssl
nss: allow to use ECC ciphers if NSS implements them
netrc: Fixed a memory leak in an OOM condition
ftp: fixed a memory leak on wildcard error path
pipeline: Fixed a NULL pointer dereference on OOM
nss: prefer highest available TLS version
100-continue: fix timeout condition
ssh: Fixed a NULL pointer dereference on OOM condition
formpost: use semicolon in multipart/mixed
--help: add missing --tlsv1.x options
formdata: Fixed memory leak on OOM condition
ConnectionExists: reusing possible HTTP+NTLM connections better
mingw32: fix compilation
chunked decoder: track overflows correctly
curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0
dict: fix memory leak in OOM exit path
valgrind: added suppression on optimized code
curl: output protocol headers using binary mode
tool: Added URL index to password prompt for multiple operations
ConnectionExists: re-use non-NTLM connections better
axtls: call ssl_read repeatedly
multi: make MAXCONNECTS default 4 x number of easy handles function
configure: Fix the --disable-crypto-auth option
multi: ignore SIGPIPE internally
curl.1: update the description of --tlsv1
SFTP: skip reading the dir when NOBODY=1
easy: Fixed a memory leak on OOM condition
tool: Fixed incorrect return code when setting HTTP request fails
configure: Tiny fix to honor POSIX
tool: Do not output libcurl source for the information only parameters
Rework Open Watcom make files to use standard Wmake features
x509asn: moved out Curl_verifyhost from NSS builds
configure: call it GSS-API
hostcheck: Curl_cert_hostcheck is not used by NSS builds
multi_runsingle: move timestamp into INIT
remote_port: allow connect to port 0
parse_remote_port: error out on illegal port numbers better
ssh: Pass errors from libssh2_sftp_read up the stack
docs: remove documentation on setting up krb4 support
polarssl: build fixes to work with PolarSSL 1.3.x
polarssl: fix possible handshake timeout issue in multi
nss: allow to enable/disable cipher-suites better
ssh: prevent a logic error that could result in an infinite loop
http2: free resources on disconnect
polarssl: avoid extra newlines in debug messages
rtsp: parse "Session:" header properly
trynextip: don't store 'ai' on failed connects
Curl_cert_hostcheck: strip trailing dots in host name and wildcard
* Change enigmail build mechanism
Changelog:
2.25:
SeaMonkey-specific changes
Newsgroup names can now be entered using autocompletion.
See the changes page for a more complete overview.
Mozilla platform changes
The Gamepad API has been finalized and enabled (learn more).
VP9 video decoding has been implemented.
Support for Opus in WebM was added.
Volume control for HTML5 audio/video has been added.
Mac OS X Notification Center support has been added for web notifications.
Support for spdy/2 has been removed.
Support for multi-line flexbox in layout has been added.
Support for the MathML 2.0 mathvariant attribute has been added.
Background thread hang reporting has been added.
<input type=color> has been implemented and enabled.
Fixed several stability issues.
Fixed in SeaMonkey 2.25
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore
MFSA 2014-22 WebGL content injection from one domain to rendering in another
MFSA 2014-20 onbeforeunload and Javascript navigation DOS
MFSA 2014-19 Spoofing attack on WebRTC permission prompt
MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
2.24:
SeaMonkey-specific changes
The DoNotTrack and Prompt on Sanitize preferences are now kept in sync.
A pref (mailnews.p7m_external) has been added to allow users to choose an alternate application/pkcs7-mime handling.
Support for Atom Threading Extensions (RFC 4685) has been added.
Migrating profiles from Thunderbird supports the new signons file format now (support for the old format has been dropped).
Autocomplete drop-downs (e.g. used on the Location Bar and Open Location dialog) now show favicons for their entries.
The account name is now displayed in the status bar for all messages when checking mail.
IMAP alert messages now show the server of the corresponding mail account.
Newsgroup names are now searched for all search strings combined (AND-search) on the subscribe dialog.
See the changes page for a more complete overview.
Mozilla platform changes
Removed support for importing logins from the legacy signons.txt format, including the Base64 conversion (bug 717490).
Enabled support for TLS 1.2 (RFC 5246) by default (bug 861266).
Added support for the SPDY 3.1 protocol.
Added ability to reset style sheets using all:unset.
Added support for scrolled fieldsets (overflow property support, bug 261037).
Implemented allow-popups directive for iframe sandbox, enabling increased security (bug 766282).
Unprefixed CSS cursor keywords -moz-grab and -moz-grabbing (bug 880672).
Added support for ES6 generators in SpiderMonkey (blog post).
Implemented support for mathematical function Math.hypot() in ES6 (bug 896264).
Added dashed line support on Canvas (bug 768067).
Fixed Azure/Skia content rendering on Linux (bug 740200).
Fixed several stability issues.
Fixed in SeaMonkey 2.24
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-11 Crash when using web workers with asm.js
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image processing
MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy
MFSA 2014-05 Information disclosure with *FromPoint on iframes
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-03 UI selection timeout missing on download prompts
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
Changelog
=========
Since 2.5.1-rc
----------------
bugfix: can't view object link in notification when an email does not have a subject.
Since 2.5.1-beta
----------------
bugfix: cannot add milestones in templates
bugfix: when adding template, after adding milestone cannot select it when adding a task
Since 2.5.0.6
----------------
bugfix: Template view broken by single quote in property name.
bugfix: when editing a template that has milestones, its tasks are not visible.
bugfix: don't show members that cannot be used in member selector.
Since 2.5.0.5
----------------
bugfix: Tasks grouping by dimension fixed.
Since 2.5.0.4
----------------
performance: Issue when loading persons dim.
bugfix: Imap folders are not saved when editing an email account.
bugfix: Cannot unclassify mails from classify form.
bugfix: Emessage not shown when inputting dates with incorrect format.
bugfix: Add start date to task view.
bugfix: Get tasks by range query does not include logged user's timezone.
bugfix: In the full task edit form, assignees are not displayed correctly.
bugfix: Issue with the "include myself" option in document notifications.
bugfix: Set db charset when reconnecting in abstract db adapter.
Since 2.5.0.3
----------------
bugfix: Add attachments column in queued_emails in upgrade scripts.
bugfix: Set db charset when reconnecting in abstract db adapter.
Since 2.5.0.2
----------------
bugfix: Render member selectors with preloaded member info.
bugfix: Order by name doesn't work on object list.
bugfix: People widget only display users.
Since 2.5.0.1
----------------
bugfix: on mysql 5.6 have_innodb variable is deprecated
Since 2.5
----------------
feature: Allow to configure dashboard widget position and order for each user.
feature: Allow to configure default dashboard widget position and order for all users.
feature: Comments dashboard widget.
feature: Email dashboard widget.
feature: choose to filter calendar widget or not.
feature: choose the user to filter the tasks widget.
bugfix: when adding a timeslot by clock on tasks, update the percent complete.
bugfix: if a file doesn't have a revision when classifying, create one.
bugfix: several minor fixes of undefined variables, missing langs, etc.
bugfix: when disabling or reactivating users from company view, users list is not reloaded.
bugfix: member selector displayed wrong data
bugfix: on task add/edit view, assignee combo displayed wrong data
bugfix: subscribers and invited people were not shown correctly
bugfix: encoding when receiving emails
bugfix: when editing a classified timeslot, its context was not shown
bugfix: in file upload, the name is not changed if a new name is entered
bugfix: missing langs and sql changes for email user config options
Since 2.5-rc
----------------
bugfix: general search form submitted by enter key doesn't work in Google Chrome
bugfix: links are now saved as such when using WYSIWYG
bugfix: primary-breadcrumb show exact context
bugfix: mysql transaction problem when sending emails without using a cronjob
bugfix: when making a new installation, users were not shown by default
Since 2.5-beta
----------------
bugfix: if a file doesn't have a revision, when classifying an email create one.
bugfix: when adding a timeslot by clock on tasks, task progress bar was not updated correctly.
bugfix: fixed custom reports using boolean conditions in false.
bugfix: problems with paging on the overview list.
bugfix: on activity widget, when clicking on a member, change dimension.
* Applied patch #9 (Crash when more than one authplugin are selected)
by Frederic Bourgeois
* Added feature to allow Facebook mock ajax (request #6) by Jason Spiro
* Added contrib dir
* Added a new html & css validated html template in contrib (request #3).
By Chris Peschke
* Converted iso-8859 message files to utf-8 (bug #86). Suggested
by Fred Ulisses Maranhao
* Fixed Error reading Content-Length (bug #84). By Carlos Soto
* Fixed compilation error on BSD due to lack of string.h when using
memcpy() (bug #75). By Alexander Hornung
* Fixed exceptioniplist case sensitivity (bug #11). By Mark J Hewitt
* Fixed accept-encoding support for new tokens (bug #13). By userquin
* Applied patch 3438750 (GCC 4.4 and 4.6 compatibility) by Mathieu PARENT
* Applied patch 3438749 (French translation update) by Mathieu PARENT
* Applied patch 3418297 (Set proxy timeout in dansguardian.conf)
by Frederic Bourgeois
* Applied patch 3419088 (login/password in URL is dropped) by Mathieu PARENT
* Applied patch 3419089 ("Expect" header should be dropped) by Mathieu PARENT
* Applied patch 3438751 (Fix queue handling in OptionContainer)
by Mathieu PARENT
* Applied patch 3515167 (Fix digest identification) by Frederic Bourgeois
* Fixed GCC warnings
* LFS review in String.cpp (requires different arch review yet)
Previous release notes seem to be lost - the build structure changed, and:
Both the main configuration file and the filter group configuration
file(s) have changed since the last stable release. If you try
to re-use the configuration from an existing copy of 2.8.0.6 or
earlier, the daemon will not start. On the other hand, list
files (phrase lists, domain lists, etc.) have not changed format,
and should largely "just work". There have been improvements to
the default list files, though, so again it is recommended that
you start from the new version and re-do any customisations.
*) SECURITY: CVE-2014-0098 (cve.mitre.org)
Clean up cookie logging with fewer redundant string parsing passes.
Log only cookies with a value assignment. Prevents segfaults when
logging truncated cookies.
*) SECURITY: CVE-2013-6438 (cve.mitre.org)
mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests
*) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
TE/CL conflicts.
*) mod_proxy_http: Core dumped under high load. PR 50335.
*) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
*) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
is equivalent to <ProxyMatch wildcard-url>.
*) mod_ldap: Fix a potential memory leak or corruption.
*) mod_ssl: Do not perform SNI / Host header comparison in case of a
forward proxy request.
*) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows.