Django 1.5.5 fixes a couple of security-related bugs and several other bugs in the 1.5 series.
Readdressed denial-of-service via password hashers
Django 1.5.4 imposed a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large passwords. In Django 1.5.5, we've reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.
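As an added illustration (not Django's own code) of why the 1.5.5 change removes the need for the length limit: a PBKDF2-HMAC that re-keys the HMAC every round re-hashes an over-long password on every iteration, while preparing the two HMAC states once makes the per-round cost independent of password length. Both variants below are checked against hashlib.pbkdf2_hmac; the salt, function names and sizes are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

def _pbkdf2_core(prf, salt, iterations, dklen, hlen):
    """Generic PBKDF2 loop (RFC 2898); prf(msg) returns an hlen-byte MAC under the password."""
    out = b""
    for block in range(1, -(-dklen // hlen) + 1):
        u = prf(salt + struct.pack(">I", block))
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            acc ^= int.from_bytes(u, "big")
        out += acc.to_bytes(hlen, "big")
    return out[:dklen]

def pbkdf2_rekey(password, salt, iterations, dklen=32, digest=hashlib.sha256):
    """Pre-1.5.5 style: a fresh HMAC per iteration, so a password longer than the
    hash block size is hashed down to digest size on every single round."""
    hlen = digest().digest_size
    return _pbkdf2_core(lambda m: hmac.new(password, m, digest).digest(),
                        salt, iterations, dklen, hlen)

def pbkdf2_precomputed(password, salt, iterations, dklen=32, digest=hashlib.sha256):
    """1.5.5 style: HMAC key setup (including hashing an over-long password) runs once;
    each round only copies the prepared inner/outer hash states."""
    hlen, bsize = digest().digest_size, digest().block_size
    if len(password) > bsize:               # RFC 2104: long keys are hashed first
        password = digest(password).digest()
    password = password.ljust(bsize, b"\x00")
    inner = digest(bytes(b ^ 0x36 for b in password))   # H(K ^ ipad || ...)
    outer = digest(bytes(b ^ 0x5C for b in password))   # H(K ^ opad || ...)
    def prf(m):
        i = inner.copy(); i.update(m)
        o = outer.copy(); o.update(i.digest())
        return o.digest()
    return _pbkdf2_core(prf, salt, iterations, dklen, hlen)

def both_match_stdlib(password, salt=b"constructed-salt", iterations=1000):
    """True when both hand-written variants agree with the standard library."""
    ref = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    return (pbkdf2_rekey(password, salt, iterations) == ref
            and pbkdf2_precomputed(password, salt, iterations) == ref)

if __name__ == "__main__":
    # Constructed sizes: an ordinary password versus a 64 KiB bogus one.
    for size in (8, 1 << 16):
        for fn in (pbkdf2_rekey, pbkdf2_precomputed):
            t0 = time.perf_counter()
            fn(b"p" * size, b"constructed-salt", 2000)
            print(f"{fn.__name__:20s} {size:6d}-byte password: {time.perf_counter() - t0:.3f}s")
```

Running the block shows the re-keying variant slowing down roughly in proportion to password length, while the precomputed variant stays flat.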
Properly rotate CSRF token on login
This behaviour, introduced as a security hardening measure in Django 1.5.2, did not work properly and is now fixed.
Bugfixes
Fixed a data corruption bug with datetime_safe.datetime.combine.
Fixed a Python 3 incompatibility in django.utils.text.unescape_entities().
Fixed a couple of data corruption issues with QuerySet edge cases under Oracle and MySQL.
Fixed crashes when using combinations of annotate(), select_related(), and only().
Upstream changes:
0.322 2013-10-28 08:00:35 America/New_York
require a newer Getopt::Long to avoid --version conflicts
0.321 2013-10-26 07:44:19 America/New_York
avoiding getting [undef] in argument list in Simple apps
add --version support via version command (thanks, Jakob Voss!)
Upstream changes:
0.15 Sun Oct 27 21:59:43 EDT 2013
- hide internal packages from PAUSE
- point repo/bugtracker at GitHub
0.14 Sun Oct 27 21:59:43 EDT 2013
- typo fixes (dsteinbrunner)
- repackage to drop MYMETA files
- stop using 'use_ok' in tests
For FreeBSD:
* Fix careless mistake of patch to configure.
For MirBSD (and possibly OpenBSD):
* Don't pass empty string (before semicolon) to sed(1).
* Correct suffix for libruby's shared library.
No PKGREVISION bump since this is simply a fix for a build problem.
pkgsrc changes:
- remove obsolete post-3.2.2 fixes
- adjust patches per changes in original files
Changes from doc/en/ReleaseNote:
ver 3.3.0
* Support framebuffer on NetBSD/x68k. (Thanks to NetBSD/x68k developers)
* Support Android. (Experimental)
* Update the colormap instead of searching the closest color when
OSC 4 ; c ; spec changes RGB of the color number on framebuffer.
* Support OSC ? 80 h (disable sixel scrolling).
* Support U+XXXX-XXXX key in 'font' configuration file.
* Add "unicode_noconv_areas" (a.k.a --ucsnoconv) option.
* Add "allow_scp" (a.k.a --scp) option.
* Remove SWITCH_OSC52. (Use "proto:allow_osc52=switch" instead.)
* OSC 5383 requests challenge sequence.
* Bug fixes:
#70 (Thanks to Thomas Wolff)
Fix the bug which disabled redrawing the margin area on framebuffer.
Fix the bug of the transparent color of sixel graphics on win32.
OSC 4 has an effect on RGB of the window background color.
Send a sixel next line character (-) following a sixel dump.
Fix the bug which disabled Mod+XXX shortcut key settings on win32.
Fix the bug which erased the end character of each line in scrolling if DECSLRM
set the right margin at the right end.
Fix the bug of DL/IL which scrolled the screen instead of inserting or deleting
lines from the cursor position.
Fix keypad '5' key (VK_CLEAR) on win32.
Fix the bug of ignoring the next character after sixel graphics data.
Fix the bug which makes the window smaller than necessary in resizing.
Support wsdisplay of the BBGGRR format on NetBSD/OpenBSD. (Thanks to @oshimyja san)
0.9 (2013-10-25)
webassets now supports Python 3, and drops support for Python 2.5.
- Filter for Closure Soy templates (Michael Su).
- less filter can output source maps (Riccardo Forina).
- Support .pyc only deployments (Mike C. Fletcher).
- Jade template filter (Roshambo).
- YAMLLoader improvements (incl. Cédric Reginster).
- The gzip filter was removed.
goffice 0.10.8:
Jean:
* Do not destroy axes after adding a plot using a restricted set. [#708292]
* Don't crash when there are no x values for a moving average smoothing.
[#708562]
* Never redefine GtkJustification, use GoJustification instead. [#709007]
Morten:
* Build fixes.
* Win32 work.
* Fix font selector crash. [#709438]
* Noteworthy changes in release 2.15 (2013-10-26) [stable]
** Bug fixes
grep's \s and \S failed to work with multi-byte white space characters.
For example, \s would fail to match a non-breaking space, and this
would print nothing: printf '\xc2\xa0' | LC_ALL=en_US.UTF-8 grep '\s'
A related bug is that \S would mistakenly match an invalid multibyte
character. For example, the following would match:
printf '\x82\n' | LC_ALL=en_US.UTF-8 grep '^\S$'
[bug present since grep-2.6]
grep -i would segfault on systems using UTF-16-based wchar_t (Cygwin)
when converting an input string containing certain 4-byte UTF-8
sequences to lower case. The conversions to wchar_t and back to
a UTF-8 multibyte string did not take surrogate pairs into account.
[bug present since at least grep-2.6, though the segfault is new with 2.13]
grep -E would segfault when given a regexp like '([^.]*[M]){1,2}'
for any multibyte character M. [bug introduced in grep-2.6, which would
segfault, but 2.7 and 2.8 had no problem, and 2.9 through 2.14 would
hit a failed assertion.]
grep -F would get stuck in an infinite loop when given a search string
that is an invalid byte sequence in the current locale and that matches
the bytes of the input twice on a line. Now grep fails with exit status 1.
grep -P could misbehave. While multi-byte mode is only supported by PCRE
with UTF-8 locales, grep did not activate it. This would cause failures
to match multibyte characters against some regular expressions, especially
those including the '.' or '\p' metacharacters.
** New features
grep -P can now use a just-in-time compiler to greatly speed up matches.
This feature is transparent to the user; no flag is required to enable
it. It is only available if the corresponding support in the PCRE
library is detected when grep is compiled.
Add an option to disable burying of reviews.
Added a "bury card" option to the review screen, and changed the
shortcut to bury a note to "=".
Added a new is:buried search, and is:suspend no longer shows buried
cards.
Added a new cid:<card id> search to search for a particular card
by its ID, and IDs are now shown in the Card Info screen.
Don't mark cards as modified when automatically burying, which
could potentially cause issues.
Increase sync timeout
When Anki detects the clock is wrong, it now shows how far it is
off.
Fix an issue working around a broken trash folder on Windows.
Fix problems double clicking on files to import when path contains
non-latin text, thanks to wlhuang.
Display a more informative error when the user's temp folder
permissions are wrong.
When double-clicking on a backup file to restore, skip the sync on
startup.
Log some scheduling operations to make it easier to debug issues.
* Version 3.2.5 (released 2013-10-23)
** libgnutls: Documentation and build-time fixes.
** libgnutls: Allow the generation of DH groups of less than 700 bits.
** libgnutls: Added several combinations of ciphersuites with SHA256 and SHA384 as MAC,
as well as Camellia with GCM.
** libdane: Added interfaces to allow initialization of dane_query_t from
external DNS resolutions, and to allow direct verification of a certificate
chain against a dane_query_t. Contributed by Christian Grothoff.
** libdane: Fixed a buffer overflow in dane_query_tlsa(). This could be
triggered by a DNS server supplying more than 4 DANE records. Report and fix
by Christian Grothoff.
** srptool: Fixed index command line option. Patch by Attila Molnar.
** gnutls-cli: Added support for inline commands, using the
--inline-commands-prefix and --inline-commands options. Patch by Raj Raman.
** certtool: pathlen constraint is now read correctly. Reported by
Christoph Seitz.
** API and ABI modifications:
gnutls_certificate_get_crt_raw: Added
dane_verify_crt_raw: Added
dane_raw_tlsa: Added
* Version 3.2.4 (released 2013-08-31)
** libgnutls: Fixes when session tickets and session DB are used.
Report and initial patch by Stefan Buehler.
** libgnutls: Added the RSA-PSK key exchange. Patch by by Frank Morgner,
based on previous patch by Bardenheuer GmbH and Bundesdruckerei GmbH.
** libgnutls: Added ciphersuites that use ARCFOUR with ECDHE. Patch
by Stefan Buehler.
** libgnutls: Added the PFS priority string option.
** libgnutls: Gnulib included files are strictly LGPLv2.
** libgnutls: Corrected gnutls_certificate_server_set_request().
Reported by Petr Pisar.
** API and ABI modifications:
gnutls_record_set_timeout: Exported
Changes since 1.0.6:
* Python 3 compatibility fixes
* Redis CLI
* Dropped Flask-WTF dependency
* Upgraded to Select2 3.4.0
* Additional unit tests
* Separate loggers for each Flask-Admin component
* New, much more configurable datetime picker
* Spanish translation
* Form rendering rules
* Models: AJAX drop-down population for related models
* Models: Filter options can be translated
* Models: on_model_change now accepts a third parameter, is_created
* Models: New configuration property form_extra_columns
* Models: Proper child field error highlighting
* Models: Save and continue button for edit views
* Models: FileUploadField and ImageUploadField
* Models: If Flask is running in debug mode, rethrow all exceptions
* Models: Backrefs are now displayed by default
* Models: If there are no models in the list view, a message will be displayed
* MongoEngine: GridFS support for file and image uploads
* MongoEngine: Backend supports form_overrides, choices and other field
configuration properties
* MongoEngine: URLField and EmailField are now searchable
* MongoEngine: Embedded document configuration
* SQLAlchemy: Backend was renamed as flask.ext.admin.contrib.sqla
* SQLAlchemy: Automatic join for many-to-many relations
* SQLAlchemy: Fixed ambiguous primary key when building complex search query
in SQLAlchemy backend
* SQLAlchemy: Use joinedload for related model instead of subqueryload for
performance reasons
* SQLAlchemy: Improved inline model handling logic
* SQLAlchemy: Initial multi-pk support for inherited models
* SQLAlchemy: BigInt filtering support
(No changelog for 0.9.3 supplied, but includes maintainer change.)
Version 0.9.2
-------------
Released 2013/9/11
- Upgrade wtforms to 1.0.5.
- No lazy string for i18n `#77`_.
- No DateInput widget in html5 `#81`_.
- PUT and PATCH for CSRF `#86`_.
.. _`#77`: https://github.com/lepture/flask-wtf/issues/77
.. _`#81`: https://github.com/lepture/flask-wtf/issues/81
.. _`#86`: https://github.com/lepture/flask-wtf/issues/86
Version 0.9.1
-------------
Released 2013/8/21
This is a patch version for backward compatibility with Flask<0.10 `#82`_.
.. _`#82`: https://github.com/lepture/flask-wtf/issues/82
Version 0.9.0
-------------
Released 2013/8/15
- Add i18n support (issue #65)
- Use default html5 widgets and fields provided by wtforms
- Python 3.3+ support
- Redesign form, replace SessionSecureForm
- CSRF protection solution
- Drop wtforms imports
- Fix recaptcha i18n support
- Fix recaptcha validator for python 3
- More test cases, it's 90%+ coverage now
- Redesign documentation
Version 1.0.5
-------------
Released September 10, 2013
- Fix a bug in validators which causes translations to happen once then
clobber any future translations.
- ext.sqlalchemy / ext.appengine: minor cleanups / deprecation.
- Allow blank string and the string 'false' to be considered false values
for BooleanField (configurable). This is technically a breaking change,
but it is not likely to affect the majority of users adversely.
- ext.i18n form allows passing LANGUAGES to the constructor.