Squidview is an interactive console program which monitors and displays
squid logs in a nice fashion, and may then go deeper with searching and
reporting functions.
This includes security fixes.
Upstream changes:
-----------------
Tue Dec 3 21:25:56 CET 2013
Security fix: do not read past 0-terminator when unescaping
strings (thanks to Florian Weimer for reporting).
Releasing 0.9.32. -CG
Tue Dec 3 21:05:38 CET 2013
Signaling n times for shutdown works, but for resume we need to
wake up the correct daemon. Even if we signal n times in that
case also, there's no guarantee that some daemon can't run
through its select loop more than once before the daemon we want
to wake up gets a chance to read. Thus we need a signal pipe
per thread in the thread pool IF MHD_suspend_connection is used.
This introduces a new flag MHD_USE_SUSPEND_RESUME to add those
additional pipes and only allow MHD_suspend_connection to be
used in conjunction with this flag.
Also, as MHD_resume_connection() will be called on a non-daemon
thread, but none of the queue insert/delete calls are thread safe,
we need to be concerned about (a) corrupting the queue, and (b)
having to add mutex protection around every access to the queues,
including loops through timer queues, etc. This wasn't a problem
before adding resume; even suspend should be safe since it happens
in a callback from the daemon.
I think it's easier to (a) have MHD_suspend_connection() move the
connection to a suspended queue, (b) have MHD_resume_connection()
mark the connection as resuming, and then (c) do all the actual
queue manipulations in MHD_select (poll, epoll, etc.) to move the
resumed connections back to their normal queues, in response to
the wake up. The changes are simpler & cleaner. There is a cost to
the basic select loop that is avoided by making suspend/resume a
startup option. The per-worker pipes can then also be enabled only
with that option set. -MH
Fri Nov 29 20:17:03 CET 2013
Eliminating theoretical stack overflow by limiting length
of URIs in authentication headers to 32k (only applicable
if the application explicitly raised the memory limits,
and only applies to MHD_digest_auth_check). Issue was
reported by Florian Weimer. -CG
Tue Nov 26 01:26:15 CET 2013
Fix race on shutdown signal with thread pool on non-Linux
systems by signalling n times for n threads. -CG
Sun Nov 24 13:41:15 CET 2013
Introduce state to mark connections in suspended state (with
epoll); add missing locking operations in MHD_suspend_connection.
Fix definition of MHD_TLS_CONNECTION_INIT. -MH/JC
Wed Oct 30 09:34:20 CET 2013
Fixing issue in PostProcessor when getting partial boundary
at the beginning, expanding test suite. -CG
Sun Oct 27 15:19:44 CET 2013
Implementing faster processing of upload data in multipart
encoding (thanks to performance analysis by Adam Homolya). -CG
Thu Oct 24 10:40:03 CEST 2013
Adding support for connection flow control via
MHD_suspend_connection and MHD_resume_connection. -CG
Version 0.6.5
-----------------
Released on December 5, 2013
- Change warning from UserWarning to DeprecationWarning so it is
ignored by default
Version 0.6.4
-----------------
Released on December 5, 2013
- Only pass `parents` argument if a command's `create_parser`
accepts it. Workaround for #71
Changes with nginx 1.4.4 19 Nov 2013
*) Security: a character following an unescaped space in a request line
was handled incorrectly (CVE-2013-4547); the bug had appeared in
0.8.41.
Thanks to Ivan Fratric of the Google Security Team.
Changes with nginx 1.4.3 08 Oct 2013
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used with the "client_body_in_file_only"
directive.
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if the "try_files" directive was used with an empty
parameter.
*) Bugfix: the $request_time variable did not work in nginx/Windows.
*) Bugfix: in the ngx_http_auth_basic_module when using "$apr1$"
password encryption method.
Thanks to Markus Linnala.
*) Bugfix: in the ngx_http_autoindex_module.
*) Bugfix: in the mail proxy server.
Changes with nginx 1.5.7 19 Nov 2013
*) Security: a character following an unescaped space in a request line
was handled incorrectly (CVE-2013-4547); the bug had appeared in
0.8.41.
Thanks to Ivan Fratric of the Google Security Team.
*) Change: a logging level of auth_basic errors about no user/password
provided has been lowered from "error" to "info".
*) Feature: the "proxy_cache_revalidate", "fastcgi_cache_revalidate",
"scgi_cache_revalidate", and "uwsgi_cache_revalidate" directives.
*) Feature: the "ssl_session_ticket_key" directive.
Thanks to Piotr Sikora.
*) Bugfix: the directive "add_header Cache-Control ''" added a
"Cache-Control" response header line with an empty value.
*) Bugfix: the "satisfy any" directive might return 403 error instead of
401 if auth_request and auth_basic directives were used.
Thanks to Jan Marc Hoffmann.
*) Bugfix: the "accept_filter" and "deferred" parameters of the "listen"
directive were ignored for listen sockets created during binary
upgrade.
Thanks to Piotr Sikora.
*) Bugfix: some data received from a backend with unbuffered proxy
might not be sent to a client immediately if "gzip" or "gunzip"
directives were used.
Thanks to Yichun Zhang.
*) Bugfix: in error handling in ngx_http_gunzip_filter_module.
*) Bugfix: responses might hang if the ngx_http_spdy_module was used
with the "auth_request" directive.
*) Bugfix: memory leak in nginx/Windows.
Changes with nginx 1.5.6 01 Oct 2013
*) Feature: the "fastcgi_buffering" directive.
*) Feature: the "proxy_ssl_protocols" and "proxy_ssl_ciphers"
directives.
Thanks to Piotr Sikora.
*) Feature: optimization of SSL handshakes when using long certificate
chains.
*) Feature: the mail proxy supports SMTP pipelining.
*) Bugfix: in the ngx_http_auth_basic_module when using "$apr1$"
password encryption method.
Thanks to Markus Linnala.
*) Bugfix: in MacOSX, Cygwin, and nginx/Windows incorrect location might
be used to process a request if locations were given using characters
in different cases.
*) Bugfix: automatic redirect with appended trailing slash for proxied
locations might not work.
*) Bugfix: in the mail proxy server.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.5.5 17 Sep 2013
*) Change: now nginx assumes HTTP/1.0 by default if it is not able to
detect protocol reliably.
*) Feature: the "disable_symlinks" directive now uses O_PATH on Linux.
*) Feature: now nginx uses EPOLLRDHUP events to detect premature
connection close by clients if the "epoll" method is used.
*) Bugfix: in the "valid_referers" directive if the "server_names"
parameter was used.
*) Bugfix: the $request_time variable did not work in nginx/Windows.
*) Bugfix: in the "image_filter" directive.
Thanks to Lanshun Zhou.
*) Bugfix: OpenSSL 1.0.1f compatibility.
Thanks to Piotr Sikora.
Changes with nginx 1.5.4 27 Aug 2013
*) Change: the "js" extension MIME type has been changed to
"application/javascript"; default value of the "charset_types"
directive was changed accordingly.
*) Change: now the "image_filter" directive with the "size" parameter
returns responses with the "application/json" MIME type.
*) Feature: the ngx_http_auth_request_module.
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if the "try_files" directive was used with an empty
parameter.
*) Bugfix: memory leak if relative paths were specified using variables
in the "root" or "auth_basic_user_file" directives.
*) Bugfix: the "valid_referers" directive incorrectly executed regular
expressions if a "Referer" header started with "https://".
Thanks to Liangbin Li.
*) Bugfix: responses might hang if subrequests were used and an SSL
handshake error happened during subrequest processing.
Thanks to Aviram Cohen.
*) Bugfix: in the ngx_http_autoindex_module.
*) Bugfix: in the ngx_http_spdy_module.
* Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
* Stop using i18n's built in HTML error handling. Fixes: CVE-2013-4491
* Escape the unit value provided to number_to_currency Fixes CVE-2013-6415
* Only use valid mime type symbols as cache keys CVE-2013-6414
* Fix more of rev.12660
* Protect aclIsProxyAuth() debugging from NULL names (via NULL AclMatchedName).
* Bug 3972: Segfault when getting the deny info page ID after a reconfigure
* Fix mistake in porting rev.12660
* Bug 3782: Digest authentication not obeying nonce_max_count
* Bug 3970: max_filedescriptors disabled due to missing setrlimit
* Bug 3967: ipc/Kid.cc compilation failure: 'time' was not declared in this scope
* Re-compute Range response content offset after an FTP response was adapted.
* Source Maintenance: re-add snapshot script to branch
* Bug 3960: Dead Peers Are Not Revived
* Windows: Fix aclocal "is already registered" errors
* Windows: Ensure array index is an integer in C code
* Bug 3956: xstrndup: tried to dup a NULL pointer
* Make HTTP header parser obey relaxed_header_parser
* SourceFormat Enforcement
* Replace blocking sleep(3) and close UDS socket on failures.
* Bug 3936: error-details.txt parse error
* Bug 3906: Filedescriptor leaks in SNMP
This release fixes several bugs and adds two new pie charts about the most used top second level domains. It is also possible to do DNS lookups of IP addresses inside SquidAnalyzer; see the new UseClientDNSName configuration directive. This can dramatically slow down squid-analyzer's performance, but you can adjust the DNS lookup timeout to avoid waiting on slow DNS servers; see the new DNSLookupTimeout configuration directive.
- Update and fix first and second top level domain name.
- Add new directive DNSLookupTimeout to change the default timeout for
DNS lookup. Add 0.0001 second timeout when SquidAnalyzer looks for a DNS
name and can't find a name server.
- Add pie chart of top second level domains.
- Fix some HTML tag issues and table ordering on Top domain hits and Top
url hits.
- Update INSTALL file to remove GD::Graph requirements.
- Change underscore used to replace space in user name by the special
string _SPC_ so that underscore will not be wrongly replaced on HTML
output.
- Fix pt_BR translation with charset to utf-8 and a few words with
accentuation fix.
- Allow IP addresses on user names to be replaced by their DNS name, this
feature is activated by a new directive: UseClientDNSName.
- Add missing description of --no-year-stat option to documentation and
squid-analyzer usage.
4.58 2013-11-19
- Improved IIS and WebSphere compatibility of Mojo::Message::Request.
- Improved Mojo::Collection to allow join without arguments.
- Improved Mojo::DOM::HTML performance.
- Fixed recursion bug in Mojo::Reactor::EV where timers could run more than
once.
- Fixed a few "0" value bugs in Mojo::DOM::HTML.
Changelog:
Changes with Apache 2.4.7
*) APR 1.5.0 or later is now required for the event MPM.
*) slotmem_shm: Error detection. [Jim Jagielski]
*) event: Use skiplist data structure. [Jim Jagielski]
*) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication
and align w/ trunk. [Jim Jagielski]
*) Fix potential rejection of valid MaxMemFree and ThreadStackSize
directives. [Mike Rumph <mike.rumph oracle.com>]
*) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
An individual envvar with an encoded length of more than 16K will be
omitted. [Jeff Trawick]
*) mod_proxy_fcgi: Handle reading protocol data that is split between
packets. [Jeff Trawick]
*) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
allowing custom parameters to be configured via SSLCertificateFile,
and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
Unless custom parameters are configured, the standardized parameters
are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
*) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
*) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
keys, and unconditionally disable aNULL, eNULL and EXP ciphers
(not overridable via SSLCipherSuite). [Kaspar Brand]
*) Add experimental cmake-based build system for Windows. [Jeff Trawick,
Tom Donovan]
*) event MPM: Fix possible crashes (third party modules accessing c->sbh)
or occasional missed mod_status updates for some keepalive requests
under load. [Eric Covener]
*) mod_authn_socache: Support optional initialization arguments for
socache providers. [Chris Darroch]
*) mod_session: Reset the max-age on session save. Bug 47476. [Alexey
Varlamov <alexey.v.varlamov gmail com>]
*) mod_session: After parsing the value of the header specified by the
SessionHeader directive, remove the value from the response. Bug 55279.
[Graham Leggett]
*) mod_headers: Allow for format specifiers in the substitution string
when using Header edit. [Daniel Ruggeri]
*) mod_dav: dav_resource->uri is treated as unencoded. This was an
unnecessary ABI change introduced in 2.4.6. Bug 55397.
*) mod_dav: Don't require lock tokens for COPY source. Bug 55306.
*) core: Don't truncate output when sending is interrupted by a signal,
such as from an exiting CGI process. Bug 55643. [Jeff Trawick]
*) WinNT MPM: Exit the child if the parent process crashes or is terminated.
[Oracle Corporation]
*) Windows: Correct failure to discard stderr in some error log
configurations. (Error message AH00093) [Jeff Trawick]
*) mod_session_crypto: Allow using exec: calls to obtain session
encryption key. [Daniel Ruggeri]
*) core: Add missing Reason-Phrase in HTTP response headers.
Bug 54946. [Rainer Jung]
*) mod_rewrite: Make rewrite websocket-aware to allow proxying.
Bug 55598. [Chris Harris <chris.harris kitware com>]
*) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]
*) ab: Add wait time, fix processing time, and output write errors only if
they occurred. [Christophe Jaillet]
*) worker MPM: Don't forcibly kill worker threads if the child process is
exiting gracefully. [Oracle Corporation]
*) core: apachectl -S prints wildcard name-based virtual hosts twice.
Bug 54948 [Eric Covener]
*) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to
allow migration of passwords from digest to basic authentication.
[Chris Darroch]
*) ab: Add a new -l parameter in order not to check the length of the responses.
This can be useful with dynamic pages.
Bug 9945, Bug 27888, Bug 42040 [<ccikrs1 cranbrook edu>]
*) Suppress formatting of startup messages written to the console when
ErrorLogFormat is used. [Jeff Trawick]
*) mod_auth_digest: Be more specific when the realm mismatches because the
realm has not been specified. [Graham Leggett]
*) mod_proxy: Add a note in the balancer manager stating whether changes
will or will not be persisted and whether settings are inherited.
[Daniel Ruggeri, Jim Jagielski]
*) mod_cache: Avoid a crash with strcmp() when the hostname is not provided.
[Graham Leggett]
*) core: Add util_fcgi.h and associated definitions and support
routines for FastCGI, based largely on mod_proxy_fcgi.
[Jeff Trawick]
*) mod_headers: Add 'Header note header-name note-name' for copying a response
headers value into a note. [Eric Covener]
*) mod_headers: Add 'setifempty' command to Header and RequestHeader.
[Eric Covener]
*) mod_logio: new format-specifier %S (sum) which is the sum of received
and sent byte counts.
Bug 54015 [Christophe Jaillet]
*) mod_deflate: Improve error detection when decompressing request bodies
with trailing garbage: handle case where trailing bytes are in
the same bucket. [Rainer Jung]
*) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663
from ERROR to DEBUG, since these modules do not know what mod_authz_core
is doing with their AUTHZ_DENIED return value. [Eric Covener]
*) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener]
*) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener]
*) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP
SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK
default, sans rebind authentication callback.
[Jan Kaluza <kaluze AT redhat.com>]
*) core: Log a message at TRACE1 when the client aborts a connection.
[Eric Covener]
*) WinNT MPM: Don't crash during child process initialization if the
Listen protocol is unrecognized. [Jeff Trawick]
*) modules: Fix some compiler warnings. [Guenter Knauf]
*) Sync 2.4 and trunk
- Avoid some memory allocation and work when TRACE1 is not activated
- fix typo in include guard
- indent
- No need to lower the string before removing the path, it is just a waste of time...
- Save a few cycles
[Christophe Jaillet <christophe.jaillet wanadoo.fr>]
*) mod_filter: Add "change=no" as a proto-flag to FilterProtocol
to remove a providers initial flags set at registration time.
[Eric Covener]
*) core, mod_ssl: Enable the ability for a module to reverse the sense of
a poll event from a read to a write or vice versa. This is a step on
the way to allow mod_ssl taking full advantage of the event MPM.
[Graham Leggett]
*) Makefile.win: Install proper pcre DLL file during debug build install.
Bug 55235. [Ben Reser <ben reser org>]
*) mod_ldap: Fix a potential memory leak or corruption. Bug 54936.
[Zhenbo Xu <zhenbo1987 gmail com>]
*) ab: Fix potential buffer overflows when processing the T and X
command-line options. Bug 55360.
[Mike Rumph <mike.rumph oracle.com>]
*) fcgistarter: Specify SO_REUSEADDR to allow starting a server
with old connections in TIME_WAIT. [Jeff Trawick]
*) core: Add open_htaccess hook which, in conjunction with dirwalk_stat
and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be
used without patches to httpd core. [Stefan Fritsch]
*) support/htdbm: fix processing of -t command line switch. Regression
introduced in 2.4.4
Bug 55264 [Jo Rhett <jrhett netconsonance com>]
[Apache 2.3.0-dev includes those bug fixes and changes with the
Apache 2.2.xx tree as documented, and except as noted, below.]
Changes with Apache 2.2.x and later:
*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
Changes with Apache 2.0.x and later:
*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
* pkgsrc change: drop optional php-tidy package requirement from MESSAGE.
Version 3.2.1 (2013-11-29)
--------------------------
### Updated
Updated TinyMCE to version 3.5.10 to fix the IE11 issues (see #6479).
### Fixed
Optionally override the repository tables when importing a template (see #6470).
### Fixed
Only do the UUID conversion once even if the `Database\Updater` helper methods
are called multiple times (see #6481).
### Fixed
Correctly toggle the mobile/desktop view (see #6227).
### Fixed
Correctly detect UUIDs in the "file" insert tag (see #6472).
### Fixed
Correctly assign images to FAQs (see #6465).
### Fixed
Improved the speed and memory footprint of the news archive menu (see #6463).
### Fixed
Removed `CalendarEventsModel::findBoundaries()` (see #6467).
Changelog:
The Apache Tomcat Project is proud to announce the release of version 7.0.47 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.42. The notable changes include:
Back-port the JSR-356 Java WebSocket 1.0 implementation from Apache Tomcat 8. Note that use of this functionality requires Java 7.
Deprecate the Apache Tomcat proprietary WebSocket API in favour of the new JSR-356 implementation.
Add a drawing board example to the WebSocket examples.
The minimum required APR/native library version required if the APR/native connector is used is now 1.1.29.
Upstream changes:
0.038 2013-11-18 12:56:26 America/New_York
[FIXED]
- Fixed a bug where authentication parameters in the URL would override
an existing Authorization header
0.037 2013-10-28 13:26:21 America/New_York
[FIXED]
- Basic authentication in the URL is now unescaped before being encoded
into the authentication header
[DOCUMENTED]
- Added HTTP::Tiny::UA to SEE ALSO and suggested it as the appropriate
place for new features
0.036 2013-09-25 12:10:06 America/New_York
[FIXED]
- Compile test could hang on Windows
[PREREQS]
- Dropped configure_requires for ExtUtils::MakeMaker to 6.17
[META]
- Updated support files
0.035 2013-09-10 12:29:28 America/New_York
[CHANGED]
- Encoded form data from 'post_form' preserves term order if data is
provided as an array reference. (They are still sorted for consistency
if provided as a hash reference.)
* Add mozilla-chatzilla option for chatzilla (and some JavaScript
development tools, I cannot separate them.)
Changelog:
Fixed in SeaMonkey 2.22.1
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
* Fix MESSAGE for sqlite3
Changelog:
Version 5.0.13 Nov 8th 2013
SECURITY: Fix a possible security bypass on admin page under certain circumstances and MariaDB
Correctly update database schema during app update
Fix automatic login rejection error message
Several Oracle fixes
Fixing serverroot/webroot calculation
Adding detection for aborted uploads for chunked uploads
Fixing directory handling that end with a space
Fixing home storage handling
Allow to share a file/folder as public link also if one of it parents was already shared as link
Fix search in shared folders
Fix check for uploads into Shared folder
Several Shared folder handling fixes
Prefer theme PNGs over core SVGs
Fall back to default log file if specified logfile doesn't exist
Several IE fixes
Fix LDAP login for certain circumstances
Fixed chunk size calculation for encrypted files
Fix recursive delete for smb
Fix using touch for creating files for smb
Support OCS Share API
Fix updating ETAGs
Don't write user passwords into logfile
Enable configuration of timezones for logfile timestamps
Cleanup share database table for files that no longer exist
Adding privilege check on move and rename operations
Contao Open Source CMS.
Contao is an Open Source Content Management Framework developed by Leo Feyer
and distributed under the LGPL license (see GPL.txt and LGPL.txt for more
information). It was formerly known as TYPOlight Open Source CMS.
Its open architecture allows everybody to extend the system to fit his
needs. Contao specializes in accessible websites and is accessible
itself (front end and back end), rendering valid HTML5 or XHTML pages.
Changelog:
FIXED
Update branches that use 4.10 RTM to 4.10.2 RTM (see 935568)
FIXED
Update Mozilla to NSS 3.15.3 (new alternative NSS branch) to pick up a few fixes (see 935959)
FIXED
Some UI strings in Firefox 24.1.0 ESR l10n builds are in English (see 932310)
Changelog:
FIXED
25.0.1: New security fixes can be found here
FIXED
25.0.1: Pages sometimes wouldn't load without first moving the cursor
Fixed in Firefox 25.0.1
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
Version 2.11.13 (2013-11-19)
----------------------------
### Fixed
Sort the list of available modules (see #6391).
### Fixed
Decode entities in passwords (see #6252).
### Fixed
Replace insert tags in the details view of the listing module (see #6120).
Upstream changes:
Highlights
MDL-41252 - Accessibility improvements to course page.
MDL-34209 - Moving sections by drag and drop reorders sections correctly.
MDL-29987 - Embedded PDF files behave correctly.
Functional changes
MDL-42069 - Option to sort by last name in Quiz grading report.
MDL-38267 - Submit button is not shown after cut-off date in Assignment.
MDL-22669 - When restoring a larger course over a smaller one, the number of sections is maintained.
MDL-42666 and MDL-42668 - The Box.net repository and Box.net portfolio have been updated to use Box.net API v2. Moodle sites which have used the Box.net repository previously need to run the Box.net-alias-to-copy-conversion tool as soon as possible. Also, HTTPS is now required for sites to access Box.net. See Box.net APIv1 migration for details.
API changes
MDL-41861, MDL-41882, MDL-41853,... - Generator tools have been backported.
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-32862 - Links to 1.9 resource types work after upgrade to 2.2 followed by backup and restore.
MDL-40903 - Persistent cache is now split into logical parts.
MDL-41942 - Courses in categories no longer become invisible due to caching problem.
MDL-41352 - Mymobile theme no longer producing JavaScript error on course pages.
MDL-37528 - Block drag-and-drop issue resolved.
MDL-42542 - The Portfolio cron job is now working.
MDL-42619 - Error deleting a course link from the community block is fixed.
MDL-37877 - Automated backup failure is now reported.
Changelog:
Fixed in Firefox ESR 17.0.10
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
Among others, this changes using crypto:sha() to crypto:hash() for Erlang
that is new enough.
Bugfixes in pam, sendfile, generation of mime_types.erl
Other changes in the area of Webdav, sendfile, embedded mode, rebar
support, ssl options.
Optimization in ssi code.
Simplified default project and app templates
Improved transaction management
Persistent database connections
Discovery of tests in any test module
Time zone aware aggregation
Support for savepoints in SQLite
BinaryField model field
GeoDjango form widgets
check management command added for verifying compatibility
Model.save() algorithm changed
Minor features
Upstream changes:
4.57 2013-11-11
- Improved compatibility with IO::Socket::SSL 1.957.
- Fixed error event bug in Mojo::IOLoop::Delay.
4.56 2013-11-09
- Fixed backspace escaping bug in Mojo::JSON. (ig3)
4.55 2013-11-07
- Fixed Windows bug in "daemon.t".
4.54 2013-11-07
- Added parts attribute to Mojo::Home.
- Fixed keep alive connection timeout bug in Mojo::UserAgent.
- Fixed support for links within a page in Mojolicious::Plugin::PODRenderer.
- Fixed home detection bug in Mojo.
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability. WordPress is both free and
priceless at the same time.
This package is the Japanese localized version of WordPress.
It includes the Japanese locale file and some extensions/modifications for
websites written by Japanese people, and for websites located in Japan.
digiKam 3.5.0 - Release date: 2013-09-29
NEW FEATURES:
General : new RAW cameras supported : Ricoh GR, Panasonic LF1,
Canon EOS 70D, Sony RX100II, Sony RX1R, Olympus E-P5.
BUGFIXES FROM KDE BUGZILLA (alias B.K.O | http://bugs.kde.org):
001 ==> Removing tags limited to 250 selected pictures.
002 ==> Kipi-plugins cannot be deselected or digiKam not reading digikamrc.
003 ==> undo/redo does not take effect in the image.
004 ==> Feature request: Setting in digiKam to only detect faces, not
trying to recognize them automatically.
005 ==> digiKam crashed when validating face tag with button.
Changes:
Version 3.7:
* Background Updates
- Automatic updates for maintenance and security updates.
- Daily updates for developers using nightly builds.
* Stronger Password Meter
- New password meter to encourage users to choose stronger passwords.
* Improved Search
- More relevant search results.
* Better Global Support
- Localized versions will receive faster and more complete translations.
- Background updates will include translations
More info on http://codex.wordpress.org/Version_3.7
Version 3.7.1:
- Images with captions no longer appear broken in the visual editor.
- Allow some sites running on old or poorly configured servers to continue to check for updates from WordPress.org.
- Avoid fatal errors with certain plugins that were incorrectly calling some WordPress functions too early.
- Fix hierarchical sorting in get_pages(), exclusions in wp_list_categories(), and in_category() when called with empty values.
- Fix a warning that may occur in certain setups while performing a search, and a few other notices.
More info on http://codex.wordpress.org/Version_3.7.1
Version 3.1.5 (2013-11-08)
--------------------------
### Fixed
Correctly handle shorthand byte values (see #6345).
### Fixed
Also update the sitemap if a news/event feed is updated (see #5727).
### Fixed
Correctly sort by date in the listing module (see #5609).
### Fixed
Correctly handle the autologin key if a member is duplicated (see #5945).
### Fixed
Correctly export pages as PDF (see #6317).
* Add forgotten patch for NetBSD's cpuset(3), fix build
* Use __fstat50 etc instead of fstat on NetBSD. Based on martin@'s patch
for firefox 27.0.
Restore session is recovered on NetBSD/amd64.
* kerberos_ldap_group: fix LDAP string duplication
* Avoid "hot idle": A series of rapid select() calls with zero timeout.
* Bug 3887: tcp_outgoing_tos not working for IPv6
* Fix cbdata 'error: expression result unused' errors
* Have testRock use cachemgr stubs
* Bug 3836: Fix issues with automake 1.13 and later and make check (extra)
* Bug 3836: Fix issues with automake 1.13 and later and make check
* Append Connection:close to OPTIONS requests when icap_persistent_connections is off.
* Add cache_miss_revalidate
* Bug 3480: StoreEntry::kickProducer() segfaults in store_client::copy()
* Fix CBDATA_CLASS2 macro definition
* libntlmauth: Fix string field truncation
* ntlm_fake_auth: pass DOMAIN data to Squid in original case
* Fix SQUID_CC_CHECK_ARGUMENT autoconf macro
* Polish: better WARNING when workers directive is ignored on reconfigure.
* Use IPv6 localhost nameserver on DNS configuration errors
* Bug 3923: cbdata and undefined behavior due to dynamic runtime enumeration
* Polish: report bytes received when bad content-length detected by quick-abort
* Bug 3918: Squid 3.3.9 Self Test Failures on Mac OS X 10.8
* Bug 3929: request_header_add not working for tunnel requests
* Fix pinning hierarchy log information
* Close idle client connections associated with closed idle pinned connections.
Changelog:
SeaMonkey-specific changes
Sorting messages by date can now be configured to look at the thread root instead of the newest message in it (pref: mailnews.sort_threads_by_root).
Plugins doorhangers now allow to activate different plugin types independently.
The proxy popup is now also available from the MailNews main window.
A new Recipients column has been added that shows all recipients (To, CC, BCC).
The default HTML5 audio/video player controls allow to change the playback rate now.
A "Validate this page" entry has been added to Tools/Web Development.
The Firefox devtools debugger can now be used to debug SeaMonkey remotely.
See the changes page for a more complete overview.
Mozilla platform changes
Web Audio support has been added.
CSS3 background-attachment:local support to control background scrolling has been implemented.
Many new ES6 functions have been implemented.
iframe document content can now be specified inline.
Fixed several stability issues.
Fixed in SeaMonkey 2.22
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
* Disable if test "A" = "A"; then fi test
Syntax error on SmartOS
* build is fine on SmartOS, hopefully other SunOS,
but I cannot confirm functionality now
* Remove DragonFly from SkThreadUtils_pthread_linux.cpp condition.
DragonFly has no cpuset(3) or CPU_SET(3) macros/functions.
It has usched_set(2), but I cannot implement with them.
Use SkThreadUtils_pthread_other.cpp instead.
Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems.
It is fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up
windows.
Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.
This package tracks 24 extended support release branch.
* Enable pulseaudio by default, OSS support is dropped, and ALSA support
on NetBSD does not work properly for me
* Enable GStreamer support for non-webm and non-theora video support
* Create alsa option, and enabled on Linux by default
Changelog:
NEW
Web Audio support
NEW
The find bar is no longer shared between tabs
CHANGED
If away from Firefox for months, you now will be offered the option to reset it to its default state while preserving your essential information
CHANGED
Resetting Firefox no longer clears your browsing session
DEVELOPER
CSS3 background-attachment:local support to control background scrolling
DEVELOPER
Many new ES6 functions implemented
HTML5
iframe document content can now be specified inline
FIXED
Blank or missing page thumbnails when opening a new tab
FIXED
Security fixes can be found here
Fixed in Firefox 25
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-99 Security bypass of PDF.js checks using iframes
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
User-visible changes:
- Client- and server-side bugfixes:
* fix assertion on urls of the form 'file://./'
* stop linking against psapi.dll on Windows
* translation updates for Swedish
- Client-side bugfixes:
* revert: fix problems reverting moves
* update: fix assertion when file external access is denied
* merge: reduce network connections for automatic merge
* merge: fix path corruption during reintegration
* mergeinfo: fix crash
* ra_serf: verify the result of xml parsing
* ra_serf: improve error messages during commit
* ra_local: fix error with repository in Windows drive root
* fix crash on windows when piped command is interrupted
* fix crash in the crash handler on windows
* fix assertion when upgrading old working copies
- Server-side bugfixes:
* hotcopy: cleanup unpacked revprops with '--incremental'
* fix OOM on concurrent requests at threaded server start
* fsfs: improve error message when unsupported fsfs format found
* fix memory problem in 3rd party FS module loader
Developer-visible changes:
- General:
* allow compiling against serf 1.3 and later on Windows
- Bindings:
* javahl: canonicalize path for streamFileContent method
Fixed a bug in fixture loading signals handling
Fixed a bug in placeholder's primary key thousand formatting
Test fixes
Fixed use of cached content in the show_placeholder's preview mode
Fixed issues in cookie handling
Fixed minor unicode issues
Fixed a missing argument in ModelAdmin
Fixed a bug in WymEditor handling
Fixed bugs in migrations
Fixed bug in language fallback
Minor documentation fixes
* An issue with SQLite and default values that caused some migrations to fail has been fixed.
* South now recognises more Django MSSQL backends, and no longer fails to alter ForeignKeys that are in composite indexes.
* A small issue with the app cache on Django 1.6 has been fixed.
* The schemamigration and datamigration commands can now be properly inherited and their templates easily changed.
Upstream changes:
4.53 2013-10-30
- Fixed a few unsubscribe and error event bugs in Mojo::EventEmitter.
4.52 2013-10-29
- Improved Mojo::EventEmitter to allow unhandled error events to be fatal.
(powerman, sri)
4.51 2013-10-28
- Added tag_with_error helper to Mojolicious::Plugin::TagHelpers.
- Improved .ep template performance significantly, the number of helpers no
longer has any effect. (jberger, sri)
- Improved form_for performance.
- Improved built-in templates with documentation search.
- Fixed template inheritance bug in include helper.
- Fixed a few multipart form handling bugs.
mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes 2465, thx peex)
fix handling of If-Modified-Since if If-None-Match is present (don’t return 412 for date parsing errors);
follow current draft for HTTP/1.1, which tells us to ignore If-Modified-Since if we have matching etags.
[mod_fastcgi,log] support multi line logging (fixes 2252)
call ERR_clear_error only for ssl connections in CON_STATE_ERROR
reject non ASCII characters in HTTP header names
[mod_auth] use crypt() on encrypted password instead of extracting salt first (fixes 2483)
[mod_auth] add htpasswd -s (SHA1) support if openssl is used (needs openssl for SHA1). This doesn’t use any salt, md5 with salt is probably better.
[mod_auth] fix base64_decode (2484)
fix some bugs found with canalyze (fixes 2484, thx Zhenbo Xu)
fix undefined stuff found with clang
[cmake] Use TARGET_LINK_LIBRARIES instead of LINK_FLAGS for library dependencies, also add Wl,-as-needed to extra warnings (fixes 2448)
[mod_auth] fix invalid read in digest qop=auth-int handling (fixes 2478)
[auto* build] simplify autogen.sh, handle automake 1.13 test running (fixes 2490)
[mod_userdir] add userdir.active option, “enabled” by default
[core] return 501 Not Implemented in static file mode for all methods except GET/POST/HEAD/OPTIONS
[core] recognize more http methods to forward to backends (fixes 2346)
[ssl] use DH only if openssl supports it (fixes 2479)
[network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes 2470)
[ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes 2501)
[ssl] accept ssl renegotiations if they are not disabled (fixes 2491)
[ssl] add option ssl.empty-fragments, defaulting to disabled (fixes 2492)
[auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes 2495)
[auth] new method “extern” to use already present REMOTE_USER (from magnet, ssl, …) (fixes 2436)
[core] remove requirement that default doc-root has to exist, there are reasonable scenarios not requiring static files at all
[core] check whether server.chroot exists
[mod_simple_vhost] fix cache; skip module if simple-vhost.server-root is empty (thx rm for reporting)
[mod_accesslog] add accesslog.syslog-level option (fixes 2480)
[core] allow files to be used as document-root (fixes 2475)
[core] set signal handlers before forking child processes in modules/plugins_call_set_defaults (fixes 2502)
Django 1.5.5 fixes a couple security-related bugs and several other bugs in the 1.5 series.
Readdressed denial-of-service via password hashers
Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large passwords. In Django 1.5.5, we’ve reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.
Properly rotate CSRF token on login
This behaviour introduced as a security hardening measure in Django 1.5.2 did not work properly and is now fixed.
Bugfixes
Fixed a data corruption bug with datetime_safe.datetime.combine.
Fixed a Python 3 incompatibility in django.utils.text.unescape_entities().
Fixed a couple data corruption issues with QuerySet edge cases under Oracle and MySQL.
Fixed crashes when using combinations of annotate(), select_related(), and only()
0.9 (2013-10-25)
webassets now supports Python 3, and drops support for Python 2.5.
- Filter for Closure Soy templates (Michael Su).
- less filter can output source maps (Riccardo Forina).
- Support .pyc only deployments (Mike C. Fletcher).
- Jade template filter (Roshambo).
- YAMLLoader improvements (incl. Cédric Reginster).
- The gzip filter was removed.
Changes since 1.0.6:
* Python 3 compatibility fixes
* Redis CLI
* Dropped Flask-WTF dependency
* Upgraded to Select2 3.4.0
* Additional unit tests
* Separate loggers for each Flask-Admin component
* New, much more configurable datetime picker
* Spanish translation
* Form rendering rules
* Models: AJAX drop-down population for related models
* Models: Filter options can be translated
* Models: on_model_change now accepts third parameter is_created
* Models: New configuration property form_extra_columns
* Models: Proper child field error highlighting
* Models: Save and continue button for edit views
* Models: FileUploadField and ImageUploadField
* Models: If Flask is running in debug mode, rethrow all exceptions
* Models: Backrefs are now displayed by default
* Models: If there are no models in the list view, message will be displayed
* MongoEngine: GridFS support for file and image uploads
* MongoEngine: Backend supports form_overrides, choices and other field
configuration properties
* MongoEngine: URLField and EmailField are now searchable
* MongoEngine: Embedded document configuration
* SQLAlchemy: Backend was renamed as flask.ext.admin.contrib.sqla
* SQLAlchemy: Automatic join for many-to-many relations
* SQLAlchemy: Fixed ambiguous primary key when building complex search query
in SQLAlchemy backend
* SQLAlchemy: Use joinedload for related model instead of subqueryload for
performance reasons
* SQLAlchemy: Improved inline model handling logic
* SQLAlchemy: Initial multi-pk support for inherited models
* SQLAlchemy: BigInt filtering support
(No changelog for 0.9.3 supplied, but includes maintainer change.)
Version 0.9.2
-------------
Released 2013/9/11
- Upgrade wtforms to 1.0.5.
- No lazy string for i18n `#77`_.
- No DateInput widget in html5 `#81`_.
- PUT and PATCH for CSRF `#86`_.
.. _`#77`: https://github.com/lepture/flask-wtf/issues/77
.. _`#81`: https://github.com/lepture/flask-wtf/issues/81
.. _`#86`: https://github.com/lepture/flask-wtf/issues/86
Version 0.9.1
-------------
Released 2013/8/21
This is a patch version for backward compatibility for Flask<0.10 `#82`_.
.. _`#82`: https://github.com/lepture/flask-wtf/issues/82
Version 0.9.0
-------------
Released 2013/8/15
- Add i18n support (issue #65)
- Use default html5 widgets and fields provided by wtforms
- Python 3.3+ support
- Redesign form, replace SessionSecureForm
- CSRF protection solution
- Drop wtforms imports
- Fix recaptcha i18n support
- Fix recaptcha validator for python 3
- More test cases, it's 90%+ coverage now
- Redesign documentation
Version 1.0.5
-------------
Released September 10, 2013
- Fix a bug in validators which causes translations to happen once then
clobber any future translations.
- ext.sqlalchemy / ext.appengine: minor cleanups / deprecation.
- Allow blank string and the string 'false' to be considered false values
for BooleanField (configurable). This is technically a breaking change,
but it is not likely to affect the majority of users adversely.
- ext.i18n form allows passing LANGUAGES to the constructor.
Add LICENSE
Upstream changes:
0.11 2013-10-11 15:11:59 Europe/London
0.10 2013-09-27 15:05:03 Europe/London
- RT3008 Changed examples to be XSS free
- RT19063, RT25477 fixed handling of self closing tags,
for example '<hr />'
- * attribute rule can be a regexp
- callbacks in rules to check or adjust attributes with
custom code (RT15747)
Update DEPENDS
Upstream changes:
0.09010 2012-10-05
- Internal changes - all Repeatable/nested_name munging is moved out of
HTML::FormFu::Element::Repeatable into individual constraints
0.09009 2012-09-29
- Make sure object can('checked') before calling checked() (colinnewell)
- Updated Repeatable control to update id_field on DBIC::Unique if present
- Added support for arbitrary elements within Multi blocks so that they
don't need to support methods like _striing_field and label etc.
- ComboBox new get_select_field_nested_name(), get_text_field_nested_name()
accessors.
- Fieldset new legend_attributes() method.
- New form_error_message_class() method.
- Constraint 'when' callback now receives $constraint as 2nd argument.
0.09007 2012-01-23
- bump MooseX::Attribute::Chained version
0.09006 2012-01-23
- fixed deprecation warnings of MX::Attribute::Chained (bricas)
- Added placeholder attributes for types Text and Textarea with L10N support.
- Added L10N support for 'prefix' attributes for types Date and DateTime.
- Added 'attributes' support to types Date and DateTime.
Upstream changes:
4.50 2013-10-22
- Deprecated Mojo::UserAgent::app in favor of
Mojo::UserAgent::Server::app.
- Deprecated Mojo::UserAgent::app_url in favor of
Mojo::UserAgent::Server::url.
- Deprecated Mojo::UserAgent::detect_proxy in favor of
Mojo::UserAgent::Proxy::detect.
- Deprecated Mojo::UserAgent::http_proxy in favor of
Mojo::UserAgent::Proxy::http.
- Deprecated Mojo::UserAgent::https_proxy in favor of
Mojo::UserAgent::Proxy::https.
- Deprecated Mojo::UserAgent::no_proxy in favor of
Mojo::UserAgent::Proxy::not.
- Deprecated Mojo::UserAgent::need_proxy in favor of
Mojo::UserAgent::Proxy::is_needed.
- Deprecated Mojo::UserAgent::name in favor of
Mojo::UserAgent::Transactor::name.
- Added modules Mojo::UserAgent::Proxy and Mojo::UserAgent::Server.
- Added proxy and server attributes to Mojo::UserAgent.
- Removed deprecated attrs method from Mojo::DOM.
- Improved Mojo::Message to allow max_message_size check to be disabled.
- Fixed small assignment bug in content helper.
Upstream changes:
1.3119 26.10.2013
[ ENHANCEMENTS ]
* GH #965: Serializer also serialize content for DELETE.
(reported by Achim Adam)
[ BUG FIXES ]
* GH #959: hash randomization could cause .pl MIME to vary and test
to fail. (Olof Johansson)
* GH #961: fix bug in require_environment's logic. (reported by
sapphirecat)
[ DOCUMENTATION ]
* GH #962: Improvements of the Dancer::Test docs. (Tom Hukins)
= 1.4.4 / 2013-10-21
* Allow setting layout to false specifically for a single rendering engine.
(Matt Wildig)
* Allow using wildcard in argument passed to `request.accept?`. (wilkie)
* Treat missing Accept header like wild card. (Patricio Mac Adden)
* Improve tests and documentation. (Darío Javier Cravero, Armen P., michelc,
Patricio Mac Adden, Matt Wildig, Vipul A M, utenmiki, George Timoschenko,
Diogo Scudelletti)
* Fix Ruby warnings. (Vipul A M, Patricio Mac Adden)
* Improve self-hosted server started by `run!` method or in classic mode.
(Tobias Bühlmann)
* Reduce objects allocated per request. (Vipul A M)
* Drop unused, undocumented options hash from Sinatra.new. (George Timoschenko)
* Keep Content-Length header when response is a `Rack::File` or when streaming.
(Patricio Mac Adden, George Timoschenko)
* Use reel if it's the only server available besides webrick. (Tobias Bühlmann)
* Add `disable :traps` so setting up signal traps for self hosted server can be
skipped. (George Timoschenko)
* The `status` option passed to `send_file` may now be a string. (George
Timoschenko)
* Reduce file size of dev mode images for 404 and 500 pages. (Francis Go)
* Fixing build issues on OS X with CLOCK_MONOTONIC not being implemented on OS X.
* Make libmicrohttpd play nicely with upcoming libgcrypt 1.6.0.
* Improved configure checks for cURL.
* Signal connection termination as OK (and not as ERROR) if the
stream was terminated by the callback returning
MHD_CONTENT_READER_END_OF_STREAM. Also, release response
mutex before calling the termination callback, to avoid
possible deadlock if the client destroys the response in
the termination callback (due to non-recursiveness of the lock).
* Adding #define MHD_HTTP_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN.
* Also pass MHD connection handle in URI log callback.
* Improved check for proper OpenSSL version for libmicrospdy.
* Set IPV6_V6ONLY socket option correctly when IPv6 is
enabled (MHD_USE_IPv6) but not dual stack (MHD_USE_DUAL_STACK).
Upstream changes:
2013-08-22 Dave Cross <dave@dave.org.uk> - RELEASE_3.04
========================================================
Dave Cross <dave@dave.org.uk> (17):
* Finish removing all references to SnipURL.pm.
* Bump to version 2.05 for release.
* Removed support for shorl.pm (now in WWW::Shorten::Shorl distribution).
* Bumped version number. Removed shorl files from MANIFEST.
* Added Config::Auto to list of dependencies (it's used by the shorten
program). Bumped version for release.
* Default to using a service that we currently support.
* Added MYMETA.yml to MANIFEST.SKIP.
* Be far more intelligent about the code that allows the user to choose
which service to use.
* Bump version number for release.
* Better examples of using bin/shorten
* Added a WWW::Shorten::UserAgent object which dies if it receives an HTTP
error response.
* Added documentation.
* Added META.json to MANIFEST.
* Licensing clean-up.
* Removed prototypes (and the ampersands in the tests that circumvented
them)
* Bump version number for release.
* Moved Pod tests into xt. (Pod coverage currently fails on some files. See
https://rt.cpan.org/Ticket/Display.html?id=87634 for details.)
Dave Cross <dave@angel.mag-sol.com> (1):
* Removed support for NotLong and OneShortLink (separate distributions to
follow soon). Bumped to version 2.06.
Dave Cross <dave@dacross.(none)> (1):
* Removed version number so it's picked up from lib/WWW/Shorten.pm
yappo <yappo@shibuya.pl> (1):
* shorl.com changed the request method (POST to GET)
Router::Simple is a simple router class. Its main purpose is to serve as a
dispatcher for web applications. Router::Simple can match against PSGI $env
directly, which means it's easy to use with PSGI supporting web frameworks.
Upstream changes:
4.49 2013-10-17
- Added tls_ciphers option to Mojo::IOLoop::Server::listen.
- Added ciphers parameter to Mojo::Server::Daemon::listen.
- Removed experimental status from Mojolicious::Validator.
- Removed experimental status from Mojolicious::Validator::Validation.
- Removed experimental status from validation method in
Mojolicious::Controller.
- Removed experimental status from validator attribute in Mojolicious.
- Removed experimental status from validation helper in
Mojolicious::Plugin::DefaultHelpers.
- Fixed parameter bug in Mojolicious::Validator::Validation.
4.48 2013-10-16
- Fixed support for Net::SSLeay 1.55.
* Some old versions of bash do not grok some constructs like
'printf -v varname' which the prompt and completion code started
to use recently. The completion and prompt scripts have been
adjusted to work better with these old versions of bash.
* In FreeBSD's and NetBSD's "sh", a return in a dot script in a
function returns from the function, not only in the dot script,
breaking "git rebase" on these platforms (regression introduced
in 1.8.4-rc1).
* "git rebase -i" and other scripted commands were feeding a
random, data dependent error message to 'echo' and expecting it
to come out literally.
* Setting the "submodule.<name>.path" variable to the empty
"true" caused the configuration parser to segfault.
* Output from "git log --full-diff -- <pathspec>" looked strange
because comparison was done with the previous ancestor that
touched the specified <pathspec>, causing the patches for paths
outside the pathspec to show more than the single commit has
changed.
* The auto-tag-following code in "git fetch" tries to reuse the
same transport twice when the serving end does not cooperate and
does not give tags that point to commits that are asked for as
part of the primary transfer. Unfortunately, Git-aware transport
helper interface is not designed to be used more than once, hence
this did not work over smart-http transfer. Fixed.
* Send a large request to read(2)/write(2) as a smaller but still
reasonably large chunks, which would improve the latency when the
operation needs to be killed and incidentally works around broken
64-bit systems that cannot take a 2GB write or read in one go.
* A ".mailmap" file that ends with an incomplete line, when read
from a blob, was not handled properly.
* The recent "short-cut clone connectivity check" topic broke a
shallow repository when a fetch operation tries to auto-follow
tags.
* When send-email comes up with an error message to die with upon
failure to start an SSL session, it tried to read the error
string from a wrong place.
* A call to xread() was used without a loop to cope with short
read in the codepath to stream large blobs to a pack.
* On platforms with fgetc() and friends defined as macros, the
configuration parser did not compile.
* New versions of MediaWiki introduced a new API for returning
more than 500 results in response to a query, which would cause
the MediaWiki remote helper to go into an infinite loop.
* Subversion's serf access method (the only one available in
Subversion 1.8) for http and https URLs in skelta mode tells its
caller to open multiple files at a time, which made "git svn
fetch" complain that "Temp file with moniker 'svn_delta' already
in use" instead of fetching.
Also contains a handful of trivial code clean-ups, documentation
updates, updates to the test suite, etc.
## Rails 3.2.15 (Oct 16, 2013) ##
* Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for
spoofing attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are
set.
Fixes #12410
Backports #10844
*Tamir Duberstein*
* Fix the assert_recognizes test method so that it works when there are
constraints on the querystring.
Issue/Pull Request #9368
Backport #5219
*Brian Hahn*
* Fix to render partial by context(#11605).
*Kassio Borges*
* Fix `ActionDispatch::Assertions::ResponseAssertions#assert_redirected_to`
does not show user-supplied message.
Issue: when `assert_redirected_to` fails due to the response redirect not
matching the expected redirect the user-supplied message (second parameter)
is not shown. This message is only shown if the response is not a redirect.
*Alexey Chernenkov*
pax -rw, the destination directory must exist. pax in NetBSD creates it if
not, pax in MirBSD complains. I read through all pkgsrc Makefiles that use
pax and added an entry to INSTALLATION_DIRS, or an INSTALL_DATA_DIR
invocation.
I did not test all the changes but they should be fairly safe. If you notice
any breakage because of this change, please contact me.
* test code for testing the event based API
* CURLM_ADDED_ALREADY: new error code
* test TFTP server: support "writedelay" within
* krb4 support has been removed
* imap/pop3/smtp: added basic SASL XOAUTH2 support
* darwinssl: add support for PKCS12 files for client authentication
* darwinssl: enable BEAST workaround on iOS 7 & later
* Pass password to OpenSSL engine by user interface
* c-ares: Add support for various DNS binding options
* cookies: add expiration
* curl: added --oauth2-bearer option
Version 3.1.4 (2013-10-14)
--------------------------
### Fixed
Do not show the debug bar in the modal dialog (see #6302).
### Fixed
Ignore the "maxlength" setting in certain form fields (see #6283).
### Fixed
Correctly show the "toggle page status" icon (see #6282).
### Removed
Removed the TinyMCE spell checker (see #6247).
### Updated
Updated TCPDF to version 3.0.38 (see #6268).
### Fixed
Correctly render the pages breadcrumb menu for non-admin users (see #6067).
### Fixed
Correctly handle the accordion fields during the version 3.1 update (see #6229).
### Fixed
Correctly handle special characters in page aliases (see #6232).
Upstream changes:
4.47 2013-10-15
- Added dumper function to Mojo::Util.
- Improved compatibility with IO::Socket::SSL 1.955.
- Improved IIS compatibility of Mojo::Server::CGI.
4.46 2013-10-11
- Changed default name for generated applications from MyMojoliciousApp to
MyApp.
- Improved performance of route matching in Mojolicious::Routes::Pattern.
- Improved HTML Living Standard compliance of Mojo::DOM::HTML.
Update DEPENDS
Add LICENSE
Upstream changes:
2.20 Fri Apr 6 00:49:51 CDT 2012
[ENHANCEMENTS]
Sometimes creating HTML::Lint-compliant HTML just isn't possible.
Now, you can now turn individual errors on and off in your HTML
via comment directives, like so:
<!-- html-lint elem-img-sizes-missing: off, attr-unknown: off -->
And if you have a batch of code that's hopeless:
<!-- html-lint all: off -->
Added check for unknown entities, such as "&foo;".
Added check for unclosed entities, such as "&" without the
closing semicolon.
Added a check for a bare ampersand that should be written as &amp;
Version 0.7
http://svn.edgewall.org/repos/genshi/tags/0.7.0/
(Jan 27 2013, from branches/stable/0.7.x)
* Add support for Python 3.1, 3.2 and 3.3 (via 2to3) and for PyPy. The
majority of the coding was done in a sprint run by the Cape Town Python
Users Group with financial assistance from the Python Software Foundation.
* Default input and output encodings changed from UTF-8 to None (i.e. unicode
strings).
* Skip Mako benchmarks if Mako isn't installed (rather than failing
completely).
Version 0.6.1
http://svn.edgewall.org/repos/genshi/tags/0.6.1/
(Jan 27 2013, from branches/stable/0.6.x)
* Security fix to enhance sanitizing of CSS in style attributes. Genshi's
`HTMLSanitizer` disallows style attributes by default (this remains
unchanged) and warns against such attacks in its documentation, but
the provided CSS sanitizing is now less lacking (see #455).
* Fix for error in how `HTMLFormFiller` would handle `textarea` elements if
no value was supplied for them.
* The `HTMLFormFiller` now correctly handles check boxes and radio buttons
with an empty `value` attribute.
* Template `Context` objects now have a `.copy` method.
* Added a simple `tox.ini` file for using tox to test against multiple
versions of Python.
* Fix for bug in `QName` comparison (see #413).
* Fix for bug in handling of trailing events in match template matches
(see #399).
* Fix i18n namespace declaration in documentation (see #400).
* Fix for bug in caching of events in serializers by no longer caching
`(TEXT, Markup)` events (see #429).
* Fix handling of `None` by `Markup.escape` in `_speedups.c` (see #439).
* Fix handling of internal state by match templates (relevant when multiple
templates match the same part of the stream, see #370).
* Fix handling of multiple events between or on either side of start and end
tags in translated messages (see #404).
* Fix test failures caused by changes in HTMLParser in Python 2.7 (see #501).
* Fix infinite loop in interpolation lexing that was introduced by a change
in Python 2.7's tokenizer (see #540).
* Fix handling of processing instructions without data (see #368).
* Updated MANIFEST.in so as not to rely on build from Subversion 1.6.
Changelog
=========
Since 2.3.2
----------------
bugfix: When creating members, do not assign permissions for all executives (or superior users) if member has a parent.
Since 2.3.2-rc2
----------------
bugfix: Cannot filter overview by tag.
bugfix: Tasks tooltip in calendar views shows description as html.
bugfix: Permissions issue when editing and subscribing for non-admins for not classified objects.
Since 2.3.2-rc
----------------
bugfix: Show can_manage_billing permission.
bugfix: Missing lang on javascript langs.
bugfix: Javascript plugin langs are not loaded.
bugfix: When requesting completed tasks for calendar month view, it does not filter by dates and calendar hangs if there are too many tasks.
bugfix: Administration / dimensions does not show members for dimensions that don't define permissions.
bugfix: Permissions fix when email module is not installed.
bugfix: Company object type name fixed.
bugfix: Try to reconnect to database if not connected when executing a query (if connection is lost while performing other tasks).
bugfix: When users cannot see other user's tasks they can view them using the search.
bugfix: Group permissions not applied in assigned to combo (when adding or editing tasks).
bugfix: Minor bugfixes in 1.7 -> 2.x upgrade.
bugfix: Activity widget: logs for members (workspaces, etc.) were not displayed.
bugfix: General search sql query improved.
bugfix: Don't include context in the user edited notification.
bugfix: Don't show worked hours if user doesn't have permissions for it.
bugfix: Don't send archived mails.
feature: Only administrators can change system permissions.
feature: Users can change permissions of users of the same type (only dimension member permissions).
feature: Set permissions to executive, manager and admins when creating a new member.
Since 2.3.2-beta
----------------
bugfix: Archiving a submember does not archive its objects.
bugfix: Error 500 when adding group.
bugfix: Installer fixes.
bugfix: Modified the insert in read objects for emails.
bugfix: Minor bugfixes in document listing.
bugfix: Sql error when $selected_columns is an empty array in ContentDataObjects::listing() function
bugfix: root permissions not set when installing new feng office.
bugfix: Person report fixed when displaying email field.
bugfix: contacts are always created when sending mails.
bugfix: Tasks list milestone grouping fixed.
performance: Search query improved.
performance: Insert/delete into sharing table 500 objects x query when saving user permissions.
=== RELEASE 2.8 ===
Sat Sep 14 22:42:15 CEST 2013 mikulas:
Fixed a memory leak if TIFF download was interrupted
Sat Aug 24 17:59:01 cet 2013 mikulas:
DOS DJGPP port
Sun Jul 14 23:35:49 CEST 2013 mikulas:
Do not save lines starting with space to URL history on the disk
(idea by Volker Schatz)
Sun Jul 14 23:35:28 CEST 2013 Volker Schatz <linksbrowser@volkerschatz.com>
Do not misreport Date header value as last-modified date
in the info box popping up on "=".
New graphics glyphs
Wed May 15 00:44:53 CEST 2013 Samuli Suominen <ssuominen@gentoo.org>:
Fixed file 045e.png. It was not compatible with libpng-1.6
Wed May 15 00:43:27 CEST 2013 mikulas:
Test integers addition for overflow. This fixes possible crashes due to
overflows, they could possibly be security-sensitive.
Sat Apr 6 19:00:07 CEST 2013 mikulas:
Fixed a bug in Xwindow driver when images larger than 65536
pixels were used
Fixed some integer overflows when scaling images larger than 65536
pixels
Wed Jan 2 02:07:43 CET 2013 mikulas:
OpenVMS port
Wed Dec 12 04:52:33 MET 2012 mikulas:
Fixed invalid pointer comparison (comparing if NULL is smaller
than non-NULL pointer) that could result in failures with certain
compilers
Wed Nov 7 22:43:45 CET 2012 mikulas:
Fixed IPv6 detection on OpenBSD
Sat Sep 22 03:01:58 CEST 2012 mikulas:
Fixed an internal error in decompressed file cache if Links
was running out of memory and was freeing cached data
Wed Sep 19 22:40:04 MET 2012 mikulas:
An option that allows the user not to save URL history
Sat Sep 1 18:26:50 CEST 2012 mikulas:
An option to send do not track request
Thu Aug 16 04:19:58 CEST 2012 mikulas:
Reduced CPU consumption when downloading big files
Tue Aug 14 21:52:43 CEST 2012 mikulas:
Fixed a crash if the user selects "Save as" and the document has no
header (the bug was introduced in Links 2.7pre1)
Tue Aug 14 21:01:39 CEST 2012 mikulas:
Parse FTP directories on VMS FTP server
Mon Aug 13 21:39:09 CEST 2012 mikulas:
Use a blocking pipe when communicating with the dns process, it
fixes a possible error when system pipe buffer is too small
Mon Aug 6 23:31:44 CEST 2012 mikulas:
Workaround for bugs on GNU Hurd
Sat Jul 28 01:21:18 CEST 2012 mikulas:
data: url
Fri Jul 20 19:00:30 MET 2012 mikulas:
Accept color in #xxx format (besides usual #xxxxxx)
Tue Jul 10 22:45:19 CEST 2012 mikulas:
Fixed an infinite retry loop when the server terminates connection
prematurely
Sun Jul 8 20:23:43 CEST 2012 mikulas:
Fixed some races in the framebuffer driver that could result in
display corruption if the user is switching virtual consoles too
quickly
Thu Jul 5 22:35:57 CEST 2012 mikulas:
Don't save URLs with password to history file on a disk
Sat Jun 30 17:32:11 CEST 2012 mikulas:
Fixed a rare bug where image alpha channel was not applied correctly
Upstream downgraded their shlib major version (at least on NetBSD).
Since there are so few packages in pkgsrc depending on it, follow suit.
Recursive revbump coming next.
Serf 1.3.2 [2013-10-04, from /tags/1.3.2, r????]
Fix issue 130: HTTP headers should be treated case-insensitively
Fix issue 126: Compilation breaks with Codewarrior compiler
Fix crash during cleanup of SSL buckets in apr_terminate() (r2145)
Fix Windows build: Also export functions with capital letters in .def file
Fix host header when url contains a username or password (r2170)
Ensure less TCP package fragmentation on Windows (r2145)
Handle authentication for responses to HEAD requests (r2178,-9)
Improve serf_get: add option to add request headers, allow url with query,
allow HEAD requests (r2143,r2175,-6)
Improve RFC conformance: don't expect body for certain responses (r2011,-2)
Do not invoke progress callback when no data was received (r2144)
And more test suite fixes and build warning cleanups
SCons-related fixes:
Fix build when GSSAPI not in default include path (2155)
Fix OpenBSD build: always map all LIBPATH entries into RPATH (r2156)
Checksum generation in Windows shared libraries for release builds (2162)
Mac OS X: Use MAJOR version only in dylib install name (r2161)
Use both MAJOR and MINOR version for the shared library name (2163)
Fix the .pc file when installing serf in a non-default LIBDIR (r2191)
Upstream changes:
1.3118 01.09.2013
[ ENHANCEMENTS ]
* GH #946: new 'require_environment' setting. (Jesse van Herk)
* GH #952: don't set defaults for Template subclasses for
Dancer::Template::TemplateToolkit. (Rick Myers)
* GH #945: add function 'template_or_serialize' to
Dancer::Serializer::Mutable. (Yanick Champoux)
[ BUG FIXES ]
* GH #655: clarify logger error message. (Yanick Champoux,
reported by Gabor Szabo)
* GH #951: fix quoting of TemplateToolkit start_tag/stop_tag.
(Rick Myers)
* GH #940: carry over the session when we forward().
(Yanick Champoux, reported by sciurius)
* GH #954: don't die on autoflush for older perls.
(Yanick Champoux, reported by metateck and David Golden)
* GH #950: Dancer::Test functions now populate REQUEST_URI.
(Yanick Champoux, reported by Sören Kornetzki)
[ DOCUMENTATION ]
* GH #942: simplify the Apache deployment docs for cgi/fcgi.
(bug report by Scott Penrose)
[ MISC ]
* GH #949: fixes a few errors in the serializer testsuite.
(Franck Cuny)
Upstream changes:
4.42 2013-09-30
- Added EXPERIMENTAL form validation support.
- Added EXPERIMENTAL modules Mojolicious::Validator and
Mojolicious::Validator::Validation.
- Added EXPERIMENTAL validation method to Mojolicious::Controller.
- Added EXPERIMENTAL validator attribute to Mojolicious.
- Added EXPERIMENTAL label_for and validation helpers to
Mojolicious::Plugin::DefaultHelpers.
4.41 2013-09-22
- Improved documentation browser to be a little more RESTful.
- Fixed flatten to work with older versions of Perl. (jamadam)
4.40 2013-09-21
- Added text method to Mojo::Message.
- Added siblings method to Mojo::DOM.
- Added flatten method to Mojo::Collection.
- Improved documentation browser with source links.
- Fixed smart whitespace trimming bug in Mojo::DOM.
- Fixed table parsing bug in Mojo::DOM::HTML.
- Fixed bug in Mojolicious::Types where the txt MIME type did not specify a
charset.
4.39 2013-09-17
- Improved HTML5.1 compliance of Mojo::DOM::HTML.
4.38 2013-09-16
- Added is_binary method to Mojo::Loader.
- Fixed support for binary files in inflate command.
- Fixed stylesheet helper not to enforce a media attribute.
Version 3.1.3 (2013-09-24)
--------------------------
### Fixed
Do not redirect to protected pages after logout (see #6210).
### Fixed
Consider the additional arguments in `Frontend::jumpToOrReload()` (see #5734).
### Fixed
Prevent article aliases from using reserved names (see #6066).
### Fixed
Correctly update the RSS feeds if a news item or event changes (see #6102).
### Fixed
Correctly link to news and calendar feeds via insert tag (see #6164).
### Fixed
Make the CSS ID available in the custom navigation module (see #6129).
### Fixed
Do not cache the "toggle_view" insert tag (see #6172).
### Fixed
Unset the primary key if a model is deleted (see #6162).
### Fixed
Support `tel:` and `sms:` upon IDNA conversion (see #6148).
### Fixed
Apply the width and height to the audio player as well (see #6114).
### Fixed
Do not exit after a template has been output (see #5570).
### Changed
Drop the database query cache (see #6070). This renders `executeUncached()` and
`executeCached()` deprecated. Use `execute()` instead.
### Fixed
Handle all possible errors when uploading files (see #5934).
Changelog:
SeaMonkey-specific changes
Implemented an option to thread messages received by date.
Allowed deletion of news posts by default.
Implemented optional taskbar preview-per-tab.
Added support (permission prompt) for desktop notifications.
Added Isn't operator for searching by Priority.
See the changes page for a more complete overview.
Mozilla platform changes
Support for new scrollbar style on Mac OS X 10.7 and newer.
Accessibility related improvements on using pinned tabs (bug 577727).
Major SVG rendering improvements around Image tiling and scaling (bug 600207).
Removed support for sherlock files that are loaded from application or profile directory.
Support for W3C touch events disabled (bug 888304).
Fixed several stability issues.
Fixed in SeaMonkey 2.21
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
Changelog:
FIXED
Security fixes can be found here
Fixed in Firefox ESR 17.0.9
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
MFSA 2013-65 Buffer underflow when generating CRMF requests
Bugfixes
[SSPCPP-543] - AttributeExtractor fails to deal with multiple Logos
[SSPCPP-547] - Encoding problem with Metadata Attribute Extractor
[SSPCPP-549] - Shibboleth SP 2.5.1 breaks Apache 2.4.3's error pages
[SSPCPP-550] - Problems with native.log file rotation
[SSPCPP-551] - DiscoFeed Content-Type header lacks charset
[SSPCPP-552] - Solaris TCP Listener code is broken
[SSPCPP-568] - Unattended install pegs the CPU and never completes
[SSPCPP-569] - native log files not closed at/before CGI exec
[SSPCPP-570] - mod_shib takes over valid-user for entire server
[SSPCPP-573] - ShibDisable on breaks basic auth valid user
[SSPCPP-575] - Source build w/memcached and/or fastcgi support fails
[SSPCPP-579] - Internal stack overflow in log4shib
Improvements
[SSPCPP-493] - Default allow access to Shibboleth.sso by default in shibd.conf
[SSPCPP-501] - Make metagen ingest a list of hostnames from a file
2.5.1:
Bugfixes
[SSPCPP-409] - Shibboleth2.xml - undefined InProcess/OutOfProcess means no shibd.log/native.log
[SSPCPP-490] - CLang build issue with stream operator overload
[SSPCPP-492] - SP Release 2.5.0 does not compile with xml-security-c versions prior to 1.7.0
[SSPCPP-495] - Warning Shibboleth.PropertySet : load() skipping duplicate property set:
[SSPCPP-499] - Fresh Installation on Windows XP fails after service daemon fails to start
[SSPCPP-500] - configure fails against Apache 2.4
[SSPCPP-502] - Apache 2.4 post_read hook isn't run on subrequests, breaks module
[SSPCPP-504] - ScopedAttributeDecoder fails on non-ascii chars?
[SSPCPP-505] - shibd on Windows missing a version option
[SSPCPP-507] - Insert record failed Violation of PRIMARY KEY constraint with ODBC plugin
[SSPCPP-510] - Installer scripts (particularly the uninstall ones) should fail safe
[SSPCPP-514] - FCGI responder stdin buffer missing termination
[SSPCPP-516] - apache24.config missing from makefile target
[SSPCPP-518] - Incorrect requireLogoutWith redirection if the original URL has query string
[SSPCPP-519] - Shorthand SSO/Logout syntax not working with policyId setting
[SSPCPP-521] - Schemas are not being edited on Windows Installation
[SSPCPP-522] - Transform resolver echoes source string when match fails
[SSPCPP-526] - Transaction log crashes on SOAP-based logout
[SSPCPP-527] - Add ignoreNoPassive attribute to SSO element
[SSPCPP-540] - ISAPI header detection code is prone to false alarms
Improvements
[SSPCPP-402] - Support front-channel SLO without cookies
[SSPCPP-447] - Extension of consistentAddress for IPv6
[SSPCPP-501] - Make metagen ingest a list of hostnames from a file
[SSPCPP-517] - Windows SP installer should not always roll back when shibd fails to start
New Feature
[SSPCPP-515] - Make /Status handler report SessionCache
2.5.0:
Bugfixes
[SSPCPP-344] - Version strings in various spots are wired at compile time
[SSPCPP-345] - Split "package-level" and "user-level" settings in shib.conf to limit effect of RPM upgrades.
[SSPCPP-365] - Support for binary attributes in resolver
[SSPCPP-382] - Correct date format in Expires headers
[SSPCPP-383] - Tag entityID not usable in error templates
[SSPCPP-387] - Cryptographic nameID is longer than key length that memcache can handle
[SSPCPP-391] - Generation of keys for relay state is not strongly random
[SSPCPP-392] - Valgrind detects memory leaks
[SSPCPP-393] - Setting session timeout="0" creates infinite loop between SP and IDP
[SSPCPP-400] - NameID lookup for logout ignores logical SP boundaries
[SSPCPP-401] - IIS App Pool Crash
[SSPCPP-406] - Should check for cross platform previous versions?
[SSPCPP-408] - ECP flow fails for Session configured inside of ApplicationOverride
[SSPCPP-411] - openSUSE 12.1 erases /var/run at each reboot, so shibd fails to start
[SSPCPP-413] - Schema catalogs should be set after XMLTooling init.
[SSPCPP-416] - IIS breaks with error "isapi_shib: Attempted to insert duplicate storage key." Server restart required to fix
[SSPCPP-417] - redirectErrors configuration attribute does not handle relative URLs
[SSPCPP-419] - ExtensibleAttribute internal marshalling doesn't handle attribute naming correctly
[SSPCPP-423] - After upgrading SP to Alpha SP 2.5 RPM from previous version of SP, shibd does not start.
[SSPCPP-431] - Change links of https://spaces.inetrnet2.edu to wiki.shibboleth.net
[SSPCPP-438] - Artifact resolver code doesn't use EndpointIndex in 2.0 artifacts
[SSPCPP-439] - Auto-generated ACS endpoints improperly tracked by index
[SSPCPP-443] - SP not signing ECP AuthnRequests
[SSPCPP-444] - Multiple shib_state cookies get set -> server chokes on header field size
[SSPCPP-445] - RequestInitiator metadata generated in a case where it shouldn't be
[SSPCPP-448] - setting relayState to use ODBC storage service results in attempted redirects to an invalid URL
[SSPCPP-449] - RequestMap not normalizing hostname for comparison
[SSPCPP-459] - redirectLimit parser typo
[SSPCPP-460] - A spelling error in the configure file
[SSPCPP-461] - caching DiscoFeed fails b/c cache directory does not exist
[SSPCPP-465] - CLONE - Tag entityID not usable in error templates
[SSPCPP-467] - Cross-contamination from conflicting @relayState settings
[SSPCPP-468] - Aliases support in XML Attribute Extractor no longer working in 2.5.0 Beta 1
[SSPCPP-487] - relayStateLimitWhitelist parameter is being changed inadvertently by limitRelayState method
[SSPCPP-488] - No way to get client address set for ExternalAuth sessions
[SSPCPP-489] - Windows installer (tries to) install a 64 bit path into IIS
[SSPCPP-498] - Hardcoded path in XMLTooling is invalid on localized WinXP/2003
Improvements
[SSPCPP-319] - Augment XMLAccessControl for time based access control.
[SSPCPP-326] - Abbreviated IPv6 address format and CIDR support for acl
[SSPCPP-332] - Session cache slows down if large numbers of sessions with a single NameID are created
[SSPCPP-335] - Handle query strings on POST and avoid unintended POST data consumption
[SSPCPP-352] - Expose RelayState limiter as a public API and revisit default setting
[SSPCPP-353] - Package the SP to run as non-root user
[SSPCPP-361] - Session handler with better parseable and accessible (X)HTML code
[SSPCPP-362] - add 'metadata last refresh' to SP's status page
[SSPCPP-366] - generated metadata should include cryptographic algorithms
[SSPCPP-375] - Add httpOnly to cookieProps in the shibboleth2.xml config
[SSPCPP-376] - Add a post-filtering hashing feature to shorten long attributes, namely ePTIDs
[SSPCPP-394] - Support multiple authn context references in requests
[SSPCPP-399] - Simple Aggregation plugin should allow "prefixing" of attributes or dedicated extractors
[SSPCPP-403] - Facilitate signing Logout messages
[SSPCPP-404] - Log entry for failed consistentAddress="true" check
[SSPCPP-405] - CRIT Shibboleth.Application : no MetadataProvider available should be a warning not CRIT
[SSPCPP-407] - Improve logging on invalid XML in shibboleth2.xml configuration file
[SSPCPP-418] - Incorporating Boost libraries into code base
[SSPCPP-420] - Memcache build on RH6 and error handling fixes
[SSPCPP-425] - ShibAccessControl Relative Paths to user web content
[SSPCPP-436] - Log on DEBUG when a shibsession cookie is being cleared because no corresponding session is found by Shibboleth
[SSPCPP-446] - Try moving child_init hooks in Apache 2.x modules to post_config
[SSPCPP-458] - Unprecise error message when wrong certificate is used for SAML2 encryption
[SSPCPP-464] - Provide Logging to Recommend Production Settings
[SSPCPP-470] - Identify deprecated features or suboptimal settings and add warnings
[SSPCPP-472] - AttributeExtractor: remove leading/trailing whitespace created by formatter
New Features
[SSPCPP-245] - Support for attribute requirements in the SP
[SSPCPP-339] - Extraction of contacts and other built-in metadata information
[SSPCPP-341] - AttributeResolver plugin(s) for regexp or template-based transformation of values
[SSPCPP-342] - Metadata / Attribute filtering based on EntityAttributes
[SSPCPP-343] - Add support for capturing AuthenticatingAuthority
[SSPCPP-349] - Parseable audit logs for SP
[SSPCPP-389] - Add option to shibd to set uid and gid at startup
[SSPCPP-390] - Multiple language versions for the same attribute
[SSPCPP-396] - Simplify logout support for Native SP
[SSPCPP-410] - add support for the 'policy' query string parameter
[SSPCPP-421] - Extraction of consent attribute from SAML 2 responses
[SSPCPP-430] - Apache 2.4 support
[SSPCPP-437] - Add artifact binding for resolving artifacts via file system
[SSPCPP-440] - Loopback handler to exchange an assertion for a session
[SSPCPP-469] - Logout request extension to specify no response
[SSPCPP-471] - Shorthand settings for manipulating cookie properties
[SSPCPP-486] - Add automatic algorithm blacklist