(CVE-2010-0308 is http://www.squid-cache.org/Advisories/SQUID-2010_1.txt.)
Changes to squid-2.7.STABLE9 (15 March 2010)
- 2.7.STABLE8 failed to compile with OpenSSL 0.9.8 on some systems
- failure to detect certain system libraries on some systems
resulting in compilation errors
Changes to squid-2.7.STABLE8 (10 March 2010)
- Bug #2458: reply_body_max_size incorrectly documented
- Bug #2858: Segment violation in HTCP
- Bug #2773: Segfault in RFC2069 Digest authentication
- 64-bit filesize issue in squidclient if trying to post a file > 2GB
- Improve %nn parser to better deal with certain odd %nn sequences
- Segmentation fault if failed to open cache.log
- Bug #2819: const correctness errors in dns_internal.c
- Handle DNS header-only packets as invalid. (CVE-2010-0308)
- Windows port: Updated mswin_ad_group native helper to version 2.1
- Cosmetic change to keep GCC happy
- Bug #2678 - storeurl_rewrite does not play nicely with vary
- Bug #2861 - only-if-cached request blocks if it collapsed into
another request
- Use libcap functions instead of raw kernel interface
- No need to sync the store on -k rotate, but instead it needs to be
done in reconfigure
- const correctness in OpenSSL initialization
- Rework the http digest auth parser
* SourceFormat Enforcement
* Replace most USE_IPV6 with run-time support probing
* Translations: sync with 3.HEAD language updates
* Split-Stack enable DNS and http(s)_port sockets.
* Bug: --with-valgrind-debug failures ignored
* Fixed comm.cc:377: "fd_table[fd].halfClosedReader != NULL" assertion
* Kludge: try to detect system acinclude path, to fix libtool brokenness.
* Bug: search scope for digest_ldap_auth didn't work
* Update libtool autoconf macros to libtool2 style
* Correction documentation of QoS disable-preserve-miss
* Remove .so from SASL build checks
* Bug: AIX support: c only c++ style comments test case
* Bug: AIX support: check libm for log()
* Do not stop accepting just because we got COMM_NOMESSAGE.
* Bug: AIX support: uchar is already define (more)
* Bug: AIX support: uchar is already define
* Bug: crash handling NULL write callback
* Correct Joomla DB auth handling
* Fixed memory leak related to retried requests.
* Prevent memory leaks when cloning Range requests.
* Fixed memory leaks related to Range requests.
Changes 3.1.5:
* Bug: Fix context leak in HttpStateData::processReplyHeader
* Bug: raw-IPv6 address URL with append_domain broken
* Bug: does not send indirect X-Client-Ip in ICAP respmod
* Fix free memory corruption and off-by-one error when comparing SNMP OIDs
* Restart DNS retransmission count when restarting the query as an A lookup
* Bug: HTTP responses with no Date, L-M or Expires can now be cached
* Maintenance: Formater skip libltdl dirs
* SourceFormat Enforcement
* Bug: Fails to detect chunked encoding if not given in all lower case
* Port from 2.7: max_filedescriptor config option
* persistent_connection_after_error is meant to be on by default
* kFreeBSD does not have linux headers. Wrap properly.
* Maintenance: Use system MD5 instead of hard-coded python paths
* Bug: ICAP tokens not logged when using multiple access
* SourceFormat Enforcement
* OpenBSD: Fix build mem.cc warning: converting of negative value
- SECURITY: CVE-2010-1452 (cve.mitre.org)
mod_dav, mod_cache: Fix Handling of requests without a path segment.
PR: 49246 [Mark Drayton, Jeff Trawick]
- SECURITY: CVE-2010-2068 (cve.mitre.org)
mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung]
- core: Filter init functions are now run strictly once per request
before handler invocation. The init functions are no longer run
for connection filters. PR 49328. [Joe Orton]
- mod_filter: enable it to act on non-200 responses.
PR 48377 [Nick Kew]
- mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
title page only) when any mod_ldap directives were used in VirtualHost
context. [Eric Covener]
- mod_ssl: Fix segfault at startup if proxy client certs are shared
across multiple vhosts. PR 39915. [Joe Orton]
- mod_proxy_http: Log the port of the remote server in various messages.
PR 48812. [Igor Galić <i galic brainsware org>]
- apxs: Fix -A and -a options to ignore whitespace in httpd.conf
[Philip M. Gollucci]
- mod_dir: add FallbackResource directive, to enable admin to specify
an action to happen when a URL maps to no file, without resorting
to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]
- mod_rewrite: Allow to set environment variables without explicitly
giving a value. [Rainer Jung]
While here, set LICENSE=mit.
1.7.4
-----
* Fix XSS bug (security issue) with not found handlers for
:class:`paste.urlparser.StaticURLParser` and
:class:`paste.urlmap.URLMap`. If you ask for a path with
``/--><script>...`` that will be inserted in the error page and can
execute Javascript. Reported by Tim Wintle.
* Replaced :func:`paste.util.mimeparse.desired_match`
1.7.3.1
-------
* Removed directory name from 404 errors in
:class:`paste.urlparser.StaticURLParser`.
* Fixed packaging to include Javascript and images for
:mod:`paste.evalexception`
1.7.3
-----
* I got a fever and the only prescription is more :mod:`paste.cowbell`!
* Fix :mod:`paste.httpserver` on Python 2.6.
* Fix :mod:`paste.auth.cookie`, which would insert newlines for long
cookies.
* :mod:`paste.util.mimeparse` parses a single ``*`` in Accept headers
(sent by IE 6).
* Fix some problems with the ``wdg_validate`` middleware.
* Improvements to :mod:`paste.auth.auth_tkt`: add httponly support,
don't always aggressively set cookies without the
``wildcard_cookie`` option. Also on logout, make cookies expire.
* In :class:`paste.proxy.Proxy` handle Content-Length of -1.
* In :mod:`paste.httpexceptions` avoid some unicode errors.
* In :mod:`paste.httpserver` handle ``.read()`` from 100 Continue
properly (because of a typo it was doing a readline).
* Update ``paste.util.mimeparse`` from `upstream
<http://code.google.com/p/mimeparse/>`_.
Pkgsrc changes:
- adjust dependencies
Upstream changes:
1.30 Wed Jun 9 12:23:48 CDT 2010
------------------------------------
[ENHANCEMENTS]
autolint used to only work on get_ok() calls. Now it works with
post_ok(), submit_form_ok(), follow_link_ok() and click_ok().
Added $mech->text_contains(), $mech->text_like() and $mech->text_unlike()
methods. These check the text of an HTML page separate from the
HTML markup. Thanks to Ashley Pond V.
1.28 Tue Apr 13 00:44:27 CDT 2010
------------------------------------
[FIXED]
t/put_ok.t finally passes.
1.26 Mon Apr 5 00:54:46 CDT 2010
------------------------------------
[FIXED]
Description of error in $mech->content_unlike() was wrong.
Now requires Test::LongString 0.12.
t/put_ok.t now passes, but with a handful of warnings. Help in figuring
out why would be appreciated.
[INTERNALS]
Hoisted common code out of get_ok, post_ok, etc.
[DOCUMENTATION]
Updated copyright and licensing information.
0.10.0 is from 2009; this package was at 0.3.0 (0.4.0 was released in
2005). Upstream does not provide changelogs or NEWS. This update
should be considered equivalent to removing the old package and
importing a new one.
* img: Add a margin around images displayed by this directive.
* comments: Added commentmoderation directive for easy linking to the
comment moderation queue.
* aggregate: Write timestamp next aggregation can happen to
.ikiwiki/aggregatetime, to allow for more sophisticated cron jobs.
* Add --changesetup mode that allows easily changing options in a
setup file.
* openid: Fix handling of utf-8 nicknames.
* Clarified what the filter hook should be passed: Only the raw,
complete text of a page. Not a snippet, or data read in from an
unrelated file.
* template: Do not pass filled in template through filter hook.
Avoids causing breakage in po plugin.
* color, comments, conditional, cutpaste, more, sidebar, toggle: Also
avoid unnecessary calls to filter hook.
* po: needstranslation() pagespec can have a percent specified.
* Drop Cache-Control must-revalidate (Firefox 3.5.10 does not seem to have
the caching problem that was added to work around). Closes: #588623
* Made much more robust in cases where multiple source files produce
conflicting files/directories in the destdir.
* Updated French translation from Philippe Batailler. Closes: #589423
* po: Fix selflink display on translated pages. (intrigeri)
* Avoid showing 'Add a comment' link at the bottom of the comment post form.
changes:
added the --proto and --proto-redir options
new configure option --enable-threaded-resolver
improve TELNET ability with libcurl
added support for PolarSSL
added support for FTP wildcard matching and downloads
added support for RTMP
added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and CURLINFO_LOCAL_PORT
Upstream changes:
1.45 Wed Jun 16 21:15:26 CEST 2010
- fix a bug where the handle would go away directly after a successful
connect (analyzed and patch by Maxim Dounin).
- due to popular demand, introduce the Redirect pseudo response header.
- document URL pseudo-header better.
- explain how to implement DNS caching.
Upstream changes:
1.64 Thu Jul 1 10:41:00 CDT 2010
========================================
[THINGS THAT MAY BREAK YOUR CODE]
If you've been accessing $mech->{forms} or $mech->{form} values
directly, instead of going through the $mech->forms or $mech->current_form
accessors, respectively, then this version of Mech will break your
code.
[ENHANCEMENTS]
Parsing of forms has been delayed until they're actually needed.
If you don't use forms on a page, you'll no longer waste time and memory
parsing them.
$mech->title now caches the title of the page after parsing the
page to find it.
mech-dump now takes a --cookie-file parameter for keeping cookies
between calls.
[DOCUMENTATION]
Typo fixes.