The updated patches:
- fix the suppressing of messages when testing or disabled in configuration;
- import what should be a better fix when piping messages to sendmail(1).
Bumps PKGREVISION.
8.9.16 (2021-05-26)
Maintenance and security release of the Drupal 8 series.
This release fixes a security vulnerability. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal core - Moderately critical - Cross Site Scripting -
SA-CORE-2021-003
No other fixes are included.
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.
8.9.15 (2021-05-05)
This is a patch (bugfix) release of Drupal 8 and is ready for use on
production sites. Learn more about Drupal 8.
Drupal 8.9 is the final minor release of the 8.x series. It is a long-term
support (LTS) version, and will receive security coverage until November
2021. It provides the same public API as Drupal 9.0 aside from deprecated
code and dependency changes. (Learn more about Drupal 9.) Note that
features will only be added to Drupal 9 minor releases, so plan to adopt
Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and
later.
If you are upgrading to this release from 8.8.x, read the Drupal 8.9.0
release notes before you upgrade.
Known issues
Search the issue queue for known issues.
Important changes
The default glossary view did not previously include a filter to exclude
unpublished content. This view now includes such a filter by default, and
an update function is provided with this release to add a status filter to
the view on existing installations which do not have it.
Dependency updates
The composer/composer development dependency has been updated from 1.10.6 to
1.10.22.
Archive_Tar has been updated to 1.4.13 for security hardening.
Drupal core's development dependency on the Nightwatch npm package has been
increased from 1.2.1 to 1.6.3 and all locked versions of dependencies have
been updated to address security issues in these dependencies.
The minimum version of node.js for 8.9.x development has been increased to
version 10.
Underscore.js has been updated to 1.13.1
There is one issue due to newer rust not allowing RUSTC_BOOTSTRAP any longer,
fixed by setting magic variables in the build environment,
and another issue where something (not sure what) defines "CLEANUP" to
nothing. Add a patch that works around the latter.
0.19.2 (2021-05-25 23:13 UTC)
This release fixes compatibility with GC.compact on Ruby 3.x when using
ListenStats on Linux. The listener stats functionality is rarely used and
does not affect most users who just have raindrops installed for shared
atomic counters.
5.3.2 (2021-05-21)
Bugfixes
* Gracefully handle Rack not accepting CLI options (#2630, #2626)
* Fix sigterm misbehavior (#2629)
* Improvements to keepalive-connection shedding (#2628)
5.3.1 (2021-05-11)
Security
* Close keepalive connections after the maximum number of fast inlined
requests (CVE-2021-29509) (#2625)
5.3.0 (2021-05-07)
Features
* Add support for Linux's abstract sockets (#2564, #2526)
* Add debug to worker timeout and startup (#2559, #2528)
* Print warning when running one-worker cluster (#2565, #2534)
* Don't close systemd activated socket on pumactl restart (#2563, #2504)
Bugfixes
* systemd - fix event firing (#2591, #2572)
* Immediately unlink temporary files (#2613)
* Improve parsing of HTTP_HOST header (#2605, #2584)
* Handle fatal error that has no backtrace (#2607, #2552)
* Fix timing out requests too early (#2606, #2574)
* Handle segfault in Ruby 2.6.6 on thread-locals (#2567, #2566)
* Server#closed_socket? - parameter may be a MiniSSL::Socket (#2596)
* Define UNPACK_TCP_STATE_FROM_TCP_INFO in the right place (#2588, #2556)
* request.rb - fix chunked assembly for ascii incompatible encodings, add
test (#2585, #2583)
Performance
* Reset peerip only if remote_addr_header is set (#2609)
* Reduce puma_parser struct size (#2590)
Refactor
* Refactor drain on shutdown (#2600)
* Micro optimisations in wait_for_less_busy_worker feature (#2579)
* Lots of test fixes
0.15.1 (2021-04-25)
* FIX Adds readline as a dep (@nesquena)
* FIX#2229 Fix polish translations (@tiwi)
* FIX#2234 Avoid mocha warning in tests (@olleolleolle)
* FIX#2235 Update thor to a more recent version (@basex)
2.8.1 (2021-05-09)
Fix
* Gracefully handle parsing errors that contain an invalid byte sequence.
Previously, if libxml2 registered a parsing error that itself contained
invalid encoding, an exception might be raised. (#553)
2.8.0 (2021-04-01)
Requirements
* Mechanize now requires Ruby 2.5 or newer.
* Move from ntlm-http to rubyntlm gem. (#495, #574)
New Features
* Page::Link#uri now handles non-ASCII hrefs. (#569) @terryyin
* FileConnection supports Windows drive letters (#483)
* Credential headers 'Authorization' and 'Cookie' are deleted on
cross-origin redirects. (#538) @kyoshidajp
* ContentDispositionParser handles ISO8601 date headers, to be robust with
websites that ignore RFC2183. (#554) @reitermarkus
Bug fix
* POST headers 'Content-Length', 'Content-MD5', and 'Content-Type' are
deleted in a case-insensitive manner on redirects. Previously these
headers were treated as case-sensitive.
There are a few notes with some releases but not others. Please refer to the
commit log
<https://github.com/gjtorikian/html-proofer/compare/v3.15.2...v3.19.1> for
details.
3.19.1 (2021-04-18)
3.19.0 (2021-04-11)
* Support hydra config on CLI #632
3.18.8 (2021-03-04)
3.18.7 (2021-03-04)
3.18.6 (2021-02-21)
3.18.5 (2021-01-02)
3.18.4 (2021-01-02)
3.18.3 (2020-12-29)
3.18.2 (2020-12-17)
3.18.1 (2020-12-16)
3.17.2 (2020-11-23)
3.17.1 (2020-11-22)
3.17.0 (2020-11-14)
3.16.0 (2020-09-10)
* Add support for before_request: #577
3.15.3 (2020-04-20)
Changes with nginx 1.21.0
*) Security: 1-byte memory overwrite might occur during DNS server
response processing if the "resolver" directive was used, allowing an
attacker who is able to forge UDP packets from the DNS server to
cause worker process crash or, potentially, arbitrary code execution
(CVE-2021-23017).
*) Feature: variables support in the "proxy_ssl_certificate",
"proxy_ssl_certificate_key", "grpc_ssl_certificate",
"grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and
"uwsgi_ssl_certificate_key" directives.
*) Feature: the "max_errors" directive in the mail proxy module.
*) Feature: the mail proxy module supports POP3 and IMAP pipelining.
*) Feature: the "fastopen" parameter of the "listen" directive in the
stream module.
Thanks to Anbang Wen.
*) Bugfix: special characters were not escaped during automatic redirect
with appended trailing slash.
*) Bugfix: connections with clients in the mail proxy module might be
closed unexpectedly when using SMTP pipelining.
Changes with nginx 1.20.1
*) Security: 1-byte memory overwrite might occur during DNS server
response processing if the "resolver" directive was used, allowing an
attacker who is able to forge UDP packets from the DNS server to
cause worker process crash or, potentially, arbitrary code execution
(CVE-2021-23017).
nginx-rtmp-module v1.2.2:
Fixed segfaults.
Changelog:
Version 21.0.2 May 20 2021
Changes
* L10n: Add word user in FederatedShareProvider.php (server#26508)
* Increase subnet matcher (server#26514)
* Limit size of properties to 2048 characters (server#26525)
* Fix accessibility issues on log in screen (server#26535)
* Fix constraint violation detection in QB Mapper (server#26587)
* Bump ssri from 6.0.1 to 6.0.2 (server#26604)
* Add force option to app install command (server#26607)
* Update root.crl due to revoked news.crt (server#26616)
* Do not allow adding file drop shares to your own cloud (server#26621)
* Fix empty password check for mail shares (server#26625)
* Require read permissions for federated shares (server#26636)
* Ensure redis returns bool for hasKey (server#26639)
* Make lookup search explicit (server#26641)
* Update psalm baseline (server#26653)
* Fix broken Expiration test (server#26667)
* Do not stop directory listing when ACL is blocking access (server#26677)
* Mention MariaDB in MySQL support warning (server#26685)
* Make Testcase class compatible with phpunit-9.5 (server#26690)
* Explicitly check hex2bin input (server#26694)
* Remove undefined parameter, add description (server#26702)
* Fix Oracle by testing on Ubuntu 20.04 until oci8.so is available for ??
(server#26703)
* Update icewind/smb to 3.4.1 (server#26704)
* Bump @nextcloud/dialogs from 3.1.1 to 3.1.2 (server#26733)
* Private cannot be final (server#26752)
* Fix installer deprecation warnings for PHP 8 (server#26759)
* Validate the website field input to be a valid URL (server#26760)
* Respect the error level when logging (server#26766)
* Improve federated permission handling (server#26770)
* No longer add trusted servers on federated share creation (server#26778)
* Fix ratelimit template (server#26789)
* LDAP: do not bother to search after the last page (server#26797)
* Fail when creating new files with an empty path (server#26808)
* Only return display name as editable when the user backend allows it
(server#26815)
* Do not try to contact lookup server if not needed (server#26823)
* Only perform login check during ownership transfer for encryption
(server#26863)
* Fix creating vcards with multiple string values (server#26865)
* L10n: Spelling unification (server#26881)
* Remove self setting checking which can not be set anymore (activity#574)
* Ensure link names are unique for accessibility, thanks @nickvergessen, fix
#575 (activity#578)
* Use PNG images in daily activity summary emails (activity#584)
* Fix accessibility issues in PDF pt. II (example-files#18)
* Fix admin notification api (notifications#929)
* Only push delete-push to devices that also got the notification
(notifications#938)
* Move counting storage statistics to the background (serverinfo#298)
* Hide squashfs and overlay-FS from the overview (serverinfo#304)
* Add download button in actions menu (viewer#849)
* Limit scope of the icon white overwrite (viewer#858)
* Fixes for naughty filenames (viewer#869)
Changes:
-add article_parse_command
-use raw hex code when defining the default theme (setting color to "white"
can be different depending on the terminal's theme)
-fix bugs
-remove multiline from the regex parsing markdown URL (to avoid possible parsing errors)
ChangeLog:
- man page: codemadness is the primary server. make logo brandless (not 2f30)
- README: improve a bit the usage examples
- do not simplify the history by first-parent
- tiny comment change
- add function to print a single line, ignoring \r and \n
- add meta viewport on stagit-index too
The Flask-Sendmail extension provides a simple interface to your system's
sendmail client from within your Flask application and gives you ability to send
messages from your views and scripts.
curl and libcurl 7.77.0
This release includes the following changes:
o configure: make the TLS library choice(s) explicit [3]
o curl: ignore options asking for SSLv2 or SSLv3 [10]
o hsts: enable by default [8]
o SSL: support in-memory CA certs for some backends [85]
o vtls: refuse setting any SSL version [9]
This release includes the following bugfixes:
o CVE-2021-22297: schannel cipher selection surprise [132]
o CVE-2021-22298: TELNET stack contents disclosure [131]
o CVE-2021-22901: TLS session caching disaster [130]
o AmigaOS: add functions definitions for SHA256 [126]
o build: fix compilation for Windows UWP platform [82]
o c-hyper: don't write to set.writeheader if null [67]
o c-hyper: fix handling of zero-byte chunk from hyper [39]
o c-hyper: handle body on HYPER_TASK_EMPTY [104]
o checksrc: complain on == NULL or != 0 checks in conditions [20]
o CI/cirrus: add shared and static Windows release builds [102]
o cmake: add CURL_ENABLE_EXPORT_TARGET option [133]
o cmake: check for getppid and utimes [87]
o cmake: detect CURL_SA_FAMILY_T [124]
o cmake: fix two invokes result in different curl_config.h [123]
o cmake: make libcurl output filename configurable [41]
o cmake: Use multithreaded compilation on VS 2008+ [122]
o config: remove now-unused macros [107]
o configure: if asked for, fail if ldap is not found [109]
o configure: provide --with-openssl, deprecate --with-ssl [15]
o conn: add 'attach' to protocol handler, make libssh2 use it [119]
o connect: use CURL_SA_FAMILY_T for portability [34]
o ConnectionExists: respect requests for h1 connections better
o cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies [1]
o curl-wolfssl.m4: without custom include path, assume /usr/include [116]
o curl: include libmetalink version in --version output [111]
o Curl_http_header: check for colon when matching Persistent-Auth [51]
o Curl_http_input_auth: require valid separator after negotiation type [52]
o Curl_input_digest: require space after Digest [50]
o curl_mprintf.3: add description [73]
o curl_setup: provide the shutdown flags wider [33]
o curl_url_set.3: add memory management information [38]
o CURLcode: add CURLE_SSL_CLIENTCERT [47]
o CURLOPT_CAPATH.3: defaults to a path, not NULL [103]
o CURLOPT_IPRESOLVE: preventing wrong IP version from being used [125]
o CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data [40]
o data_pending: check only SECONDARY socket for FTP(S) transfers [117]
o docs/TheArtOfHttpScripting: fix markdown links [129]
o docs: camelcase it like GitHub everywhere [62]
o docs: cookies from HTTP headers need domain set [121]
o docs: fix typo in fail-with-body doc [63]
o docs: improve INTERNALS.md regarding getsock cb [105]
o docs: replace dots with dashes in markdown enums [101]
o easy: ignore sigpipe in curl_easy_send [69]
o FILEFORMAT: mention sectransp as a feature [89]
o GIT-INFO: suggest using autoreconf instead of buildconf [96]
o github: add a workflow with libssh2 on macOS using cmake [81]
o github: inhibit deprecated declarations for clang on macOS [118]
o GnuTLS: don't allow TLS 1.3 for versions that don't support it [77]
o gnutls: make setting only the MAX TLS allowed version work [83]
o gskit: fix CURL_DISABLE_PROXY build [57]
o gskit: fix undefined reference to 'conn' [58]
o hostip.h: remove declaration of unimplemented function [108]
o hostip: remove the debug code for LocalHost [113]
o http2: call the handle-closed function correctly on closed stream [37]
o http2: fix a resource leak in push_promise() [54]
o http2: fix resource leaks in set_transfer_url() [55]
o http2: make sure pause is done on HTTP [120]
o http2: move the stream error field to the per-transfer storage [36]
o http2: skip immediate parsing of payload following protocol switch [90]
o http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade [91]
o HTTP3.md: fix nghttp2's HTTP/3 server port [21]
o HTTP3.md: make the ngtcp2 build use the quictls fork [98]
o http: deal with partial CONNECT sends [97]
o http: fix the check for 'Authorization' with Bearer [53]
o http: limit the initial send amount to used upload buffer size [99]
o http: reset the header buffer when sending the request [61]
o http: use offsets inst of integer literals for header parsing [95]
o INSTALL: add IBM i specific quirks [75]
o krb5/name_to_level: replace checkprefix with curl_strequal [49]
o krb5: don't use 'static' to store PBSZ size response [23]
o krb5: remove the unused 'overhead' function [35]
o lib/hostip6.c: make NAT64 address synthesis on macOS work [135]
o lib1564.c: enable last wakeup test part on Windows [26]
o lib: fix 0-length Curl_client_write calls [60]
o lib: fix some misuse of curlx_convert_UTF8_to_tchar [64]
o libcurl-security.3: be careful of setuid [66]
o libcurl-security.3: don't try to filter IPv4 hosts based on the URL [71]
o libcurl.3: mention the URL API [76]
o libssh2: fix Value stored to 'sshp' is never read [13]
o libssh2: ignore timeout during disconnect [45]
o libssh: fix "empty expression statement has no effect" warnings [7]
o libtest: remove lib530.c [88]
o m4: add security frameworks on Mac when compiling rustls [31]
o multi: don't close connection HTTP_1_1_REQUIRED
o multi: fix slow write/upload performance on Windows [27]
o multi: reduce Win32 API calls to improve performance [28]
o ngtcp2: fix the cb_acked_stream_data_offset proto [46]
o NSS: add ciphers to map [30]
o NSS: make colons, commas and spaces valid separators in cipher list [106]
o nss_set_blocking: avoid static for sock_opt [72]
o ntlm: precaution against super huge type2 offsets [65]
o openldap: protect SSL-specific code with proper #ifdef [12]
o openldap: replace ldap_ prefix on private functions [84]
o openssl: fix build error with OpenSSL < 1.0.2 [4]
o openssl: remove unneeded cast for CertOpenSystemStore() [93]
o os400: additional support for options metadata [24]
o progress: fix scan-build-11 warnings [92]
o progress: reset limit_size variables at transfer start [114]
o progress: when possible, calculate transfer speeds with microseconds [48]
o README.md: delete Codacy UTM parameters [5]
o Revert "Revert 'multi: implement wait using winsock events'" [26]
o rustls: only return CURLE_AGAIN when TLS session is fully drained [2]
o rustls: use ALPN [56]
o sasl: use 'unsigned short' to store mechanism [112]
o schannel: Disable auto credentials; add an option to enable it [18]
o schannel: Support strong crypto option [44]
o sectransp: allow cipher name to be specified [29]
o sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer [136]
o sigpipe: ignore SIGPIPE when using wolfSSL as well [70]
o sockfilt: avoid getting stuck waiting for writable socket [80]
o sockfilt: fix invalid increment of handles index variable nfd [79]
o sws: #ifdef S_IFSOCK use [32]
o sws: allow HTTP requests up to 2MB in size [100]
o test server: take care of siginterrupt() deprecation [25]
o test2100: make it run with and require IPv6 [127]
o tests/disable-scan.pl: also scan all m4 files [17]
o tests/getpart: generate output URL encoded for better diffs [128]
o tests: ignore case of chunked hex numbers in tests [86]
o tls: add USE_HTTP2 define [59]
o tool_getparam: handle failure of curlx_convert_tchar_to_UTF8() [78]
o tool_getparam: replace (in-place) '%20' by '+' according to RFC1866 [14]
o tool_operate: don't discard failed parallel transfer result [16]
o tool_writeout: fix the HTTP_CODE json output [11]
o travis: disable the failing libssh build [94]
o URL-SYNTAX: update IDNA section for WHATWG spec changes [74]
o urlapi: "normalize" numerical IPv4 host names [6]
o vauth: factor base64 conversions out of authentication procedures [22]
o version: add gsasl_version to curl_version_info_data [43]
o version: add OpenLDAP version in the output [110]
o vtls: deduplicate some DISABLE_PROXY ifdefs [19]
o vtls: reset ssl use flag upon negotiation failure [42]
o wolfssl: handle SSL_write() returns 0 for error [68]
o wolfssl: remove SSLv3 support leftovers [115]
1.0
Added support for Django 3.2
Drop support for Python-2.7, 3.4 and 3.5.
Drop support for Django-1.10, 1.11, 2.0 and 2.1.
Add Python-3.9 to the testing matrix.
Refactor code base to clean Python-3 syntax.
2.3
- Dropped testing for Django 1.11, 2.0 and 2.1.
- Added support for Django 3.1 and Python 3.9.
- Added support for Django 3.2.
- Dropped support for Django 3.0.
- Dropped support for Python 3.5.
1.4.0
* Add Python 3.9 support.
* Remove Python 3.5 support.
* Add Django 3.2 support.
* Remove Django 1.11 and 3.0 support.
* Add Danish translation.
* Fix crashing that could occur with ``similar_objects`` in multi-inheritance contexts.
* Add support for custom fields on through table models with `through_defaults` for ``TaggedManager.add`` and ``TaggedManager.set``.
2.1.0
Dropped support for Django 1.11, 2.0, and 2.1.
Added the delete_stale_comments management command.
Added db_index to object_pk and is_removed fields.
Altered object_pk from TextField to CharField(max_length=64) so that the field can be indexed on MySQL, too. Warning: if you attach comments to objects whose primary key is serialized to more than 64 characters, you should provide a custom Comment model (more about that in the documentation) with an appropriate object_pk field.
Confirmed support for Python 3.9.
Added support for Django 3.2.
2.4.0
Caddy v2.4.0 is our first stable release of 2021, ushering in over 110 patches
including new features and bug fixes. Thank you to the many contributors who
helped make this possible!
Highlights:
- Secure remote management. You can now enable secure remote access to Caddy's
admin API! It uses TLS mutual authentication, and you can even define
permissions for different users.
- Config pull at start. Caddy can be configured to load a different config at
startup. This is useful if your config is federated through a separate system
that doesn't have the ability to push configs to Caddy. This feature is
modular, so configurations can be loaded different ways!
- Server identity management. Caddy can automatically manage its own server
identity certificate, which can be used when negotiating TLS connections with
peers. This is required when enabling the secure admin API.
- Self-upgrade command. The new caddy upgrade command will replace the current
Caddy binary with an upgraded one from our website, with all the same modules
installed, including third-party plugins that are registered on our site! (We
can use this code to add/remove modules later, too.)
- Configure other apps from the HTTP Caddyfile. The global options block of the
Caddyfile now allows configuration of Caddy apps other than HTTP (for
example, dynamic_dns to keep DNS records pointed at your server with a dynamic
IP address).
- Caddyfile fmt lint check. When running with a Caddyfile, Caddy will emit a
warning if the Caddyfile is not formatted with caddy fmt.
- New abort directive. The abort directive is a special case of the
static_response HTTP handler that prevents an HTTP response by aborting the
handler chain immediately and forcefully closing the connection.
- New error directive. The error directive returns internal error values in the
HTTP handler chain, as if an HTTP error had occurred, causing your error
routes to be invoked.
- Configure response interception from Caddyfile. The reverse_proxy is capable
of intercepting responses from the backend, and now this is exposed in the
Caddyfile with handle_response.
- Better caddy list-modules output. Now modules are organized by standard and
non-standard modules, so you can easily see if a Caddy build has been
customized.
- Configure logging from Caddyfile. The process logs can now be configured from
the global options of the Caddyfile.
- Better content negotiation. The file server can now be configured to serve
precompressed sidecar files, and content encoding preferences are better
configured and honored.
- Dark mode in directory listings. The file server's "browse" file listings now
have a dark mode.
- Removed the logfmt log encoder. It was broken anyways, and its deprecation
has been warned in previous releases.
- Deprecated common_log format. It will be removed in a future release.
- Deprecated health_path in reverse_proxy directive. It has been replaced with
health_uri and will be removed in the future.
- Numerous bug fixes and improvements. Thanks for the detailed, helpful bug
reports! We appreciate your collaboration in making Caddy better.
2.4.1
A small patch release that contains a few noncritical but pleasant fixes
(unless you're using /id/ endpoints in the admin API; then you should
definitely get this update).
Longboard: The easy way to surf*.
Features:
-provide a request body on the command line
-options: h1, curl and hyper for the surf* http backend
-provide a file system path to a file to use as the request body
*surf is a fast and friendly HTTP client framework for async Rust, it's
completely modular, and built directly for async/await.
3.6.5:
Fix extend edge case going endlessly
Fix source-maps and how we count unicode characters
Fix seed generator if std::random_device fails
Fix url() containing exclamation mark causing an error
Fix Offset initialization when end was not given
Fix obvious backporting error in pseudo extend
Fix obvious identical subexpressions in op_color_number
Fix edge case regarding unit-less number equality as object keys
Revert compound re-ordering for non extended selectors
Prevent compiler warning about unnecessary copy
Replace Travis CI with GitHub Actions
Application changes:
-remove q,w,e,r default shortcuts/functionalities used to filter stories by
past date
-add support for defining custom shortcut to navigate between different
StoryView with filters
Codebase changes:
-implement support for defining custom keymap.
-minor improvements, bug fixes
-add Derive(Debug) for most of the defined structs
-move src/view/utils.rs to src/utils.rs
-refactor HelpView to allow non-static description for a key shortcut
3.1.3
Changes:
Fix: Django 3.2, Run tests against Django 3.2
Fix: Django 3.2, Handle warnings for default_app_config
Fix: sqldiff, Fix for missing field/index in model case
Django 3.2.3 fixes several bugs in 3.2.2.
Bugfixes
Prepared for mysqlclient > 2.0.3 support.
Fixed a regression in Django 3.2 that caused the incorrect filtering of querysets combined with the | operator.
Fixed a regression in Django 3.2.1 where saving FileField would raise a SuspiciousFileOperation even when a custom upload_to returns a valid file path.
Django 3.2.2 fixes a security issue and a bug in 3.2.1.
CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn’t vulnerable because HttpResponse prohibits newlines in HTTP headers.
Moreover, the URLField form field which uses URLValidator silently removes newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your data only existed if you are using this validator outside of the form fields.
This issue was introduced by the bpo-43882 fix.
Django 2.2.23 fixes a regression in 2.2.21.
Bugfixes
Fixed a regression in Django 2.2.21 where saving FileField would raise a SuspiciousFileOperation even when a custom upload_to returns a valid file path
Django 2.2.22 fixes a security issue in 2.2.21.
CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn’t vulnerable because HttpResponse prohibits newlines in HTTP headers.
Moreover, the URLField form field which uses URLValidator silently removes newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your data only existed if you are using this validator outside of the form fields.
This issue was introduced by the bpo-43882 fix.
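An added example (not Django's code) of the failure mode described for CVE-2021-32052: a validator that trusts only what `urlsplit()` reports accepts input with embedded tabs or newlines, while checking the raw string first rejects it. All function names and sample values below are constructed for illustration.

```python
from urllib.parse import urlsplit

# Characters the release note names: tabs and newlines (CR and LF).
UNSAFE_CHARS = frozenset("\t\r\n")


def parsed_ok(value: str) -> bool:
    """Validator that looks only at what urlsplit() reports.

    On Python 3.9.5+ (bpo-43882) urlsplit() strips tabs and newlines before
    parsing, so the parsed parts look clean even when the raw string is not.
    """
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme in {"http", "https"} and bool(parts.netloc)


def strict_ok(value: str) -> bool:
    """Check the raw string first, then the parsed parts."""
    if UNSAFE_CHARS.intersection(value):
        return False
    return parsed_ok(value)


def location_header(value: str, validator) -> str:
    """Hypothetical hand-rolled header writer that trusts its validator."""
    if not validator(value):
        raise ValueError("URL rejected by validator")
    return "Location: " + value + "\r\n"


def header_lines(raw: str) -> list:
    """Split raw header text on CRLF, as a receiving HTTP parser would."""
    return [line for line in raw.split("\r\n") if line]


def find_tainted(stored_values):
    """Audit stored values: accepted by parsing, but unsafe in raw form."""
    return [v for v in stored_values if parsed_ok(v) and not strict_ok(v)]


# Constructed sample values, not taken from the page.
CLEAN = "https://example.com/next"
WITH_NEWLINE = "https://example.com/next\r\nX-Constructed: 1"
WITH_TAB = "https://exa\tmple.com/"

if __name__ == "__main__":
    for sample in (CLEAN, WITH_NEWLINE, WITH_TAB):
        print(repr(sample), "parsed_ok:", parsed_ok(sample),
              "strict_ok:", strict_ok(sample))
    # The parse-only validator lets one value become two header lines.
    print(header_lines(location_header(WITH_NEWLINE, parsed_ok)))
    # Values worth re-checking in data validated outside of form fields.
    print(find_tainted([CLEAN, WITH_NEWLINE, WITH_TAB]))
```

`find_tainted` is the kind of check to run over URLs that were validated outside of form fields while an affected version was in use.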
as well as adding options for other SSL libraries, disabling options
explicitly should cause less problems when the OS contains libraries used
by the options.
pkgsrc changes:
- Remove patches applied upstream
Changes:
2.32.1
------
- Support building against the Musl C library.
- Support building against ICU version 69 or newer.
- Improve handling of Media Capture devices.
- Improve WebAudio playback.
- Improve video orientation handling.
- Improve seeking support for MSE playback.
- Improve flush support in EME decryptors.
- Fix HTTP status codes for requests done through a custom URI handler.
- Fix the Bubblewrap sandbox in certain 32-bit systems.
- Fix inconsistencies between the WebKitWebView.is-muted property state
and values returned by webkit_web_view_is_playing_audio().
- Fix the build with ENABLE_VIDEO=OFF.
- Fix wrong timestamps for long-lived cookies.
- Fix UI process crash when failing to load favicons.
- Fix several crashes and rendering issues.
- Translation updates: Swedish.
2.4.0 (2021-05-11)
Features
alertcenter: update the api (cbf5364)
analyticsadmin: update the api (bfa2f1c)
androidenterprise: update the api (44a6719)
androidpublisher: update the api (44a6719)
artifactregistry: update the api (44a6719)
bigquery: update the api (bfa2f1c)
chromepolicy: update the api (44a6719)
content: update the api (c0b883a)
datacatalog: update the api (e58efe8)
dataproc: update the api (cbf5364)
dialogflow: update the api (44a6719)
dns: update the api (c0b883a)
documentai: update the api (bfa2f1c)
file: update the api (cbf5364)
file: update the api (44a6719)
firebasestorage: update the api (27f691d)
gameservices: update the api (bfa2f1c)
gkehub: update the api (44a6719)
lifesciences: update the api (44a6719)
monitoring: update the api (bfa2f1c)
mybusinessaccountmanagement: update the api (bfa2f1c)
networkmanagement: update the api (bfa2f1c)
oslogin: update the api (bfa2f1c)
pubsublite: update the api (bfa2f1c)
recommender: update the api (bfa2f1c)
retail: update the api (cbf5364)
servicedirectory: update the api (44a6719)
servicemanagement: update the api (c0b883a)
servicenetworking: update the api (bfa2f1c)
translate: update the api (c0b883a)
Bug Fixes
preventing accessing predefined discovery URLs when override is provided
Changelog:
Version 21.0.1 April 9 2021
Changes
* Always renew apppasswords on login (server#25571)
* Improve mention matches (server#25573)
* Disable trashbin during the moveFromStorage fallback (server#25877)
* Clear multiselect after selection in share panel (server#25918)
* Activity: show if files are hidden or not (server#25935)
* Sharebymail: set expiration on creation (server#25937)
* Catch notfound and forbidden exception in smb::getmetadata (server#25943)
* Skip empty obsolete owner when adding to own NC (server#25955)
* Fix admin password strengthify tooltip (server#25962)
* Add missing waits and asserts in acceptance tests (server#25993)
* Hide expiration date field for remote shares (server#26026)
* Remove trash items from other trash backends when deleting all
(server#26039)
* Fix SCSS compiler deprecated function usages (server#26042)
* Provisioning API to IBootstrap (server#26044)
* Cache baseurl in url generator (server#26051)
* Allow autocomplete based on phone sync (server#26056)
* Only clear share password model when actually saved (server#26058)
* Add appconfig to always show the unique label of a sharee (server#26062)
* Only clear known users when we had at least one phonebook entry
(server#26081)
* Chunk the array of phone numbers (server#26084)
* Limit constructing of result objects in file search (server#26087)
* Apply object store copy optimization when 'cross storage' copy is wit...
(server#26090)
* Add getID function to the simplefile implementation (server#26119)
* Allow overwriting isAuthenticated (server#26122)
* Send share notification instead of erroring on duplicate share
(server#26124)
* Log exceptions when creating share (server#26128)
* Do cachejail search filtering in sql (server#26133)
* Return the fileid from `copyFromCache` and use it instead of doing an extra
query (server#26146)
* Dont allow creating users with __groupfolders as uid (server#26151)
* Use correct exception type hint in catch statement (server#26162)
* Fix default missing initial state for templates (server#26166)
* Remove explicit fclose from S3->writeStream (server#26167)
* Adds ldap user:reset command (server#26175)
* Improve search results when only phonebook-matches can be autocompleted
(server#26177)
* Fix valid storages removed when cleaning remote storages (server#26192)
* Update user share must use correct expiration validation (server#26204)
* Expand 'path is already shared' error message (server#26211)
* Add (hidden) option to always show smb root as writable (server#26215)
* Removed unnecessary padding (server#26227)
* L10n: Add words user and because in ShareByMailProvider.php (server#26238)
* Fix non LGC glyphs in avatars and txt file previews (server#26249)
* Handle limit offset and sorting in files search (server#26257)
* Update icewind/smb to 3.4.0 (server#26263)
* Catch invalid cache source storage path (server#26271)
* Fix casing of core test folder, bring back missing tests (server#26276)
* L10n: Separate ellipsis (server#26279)
* Show better error messages when a file with a forbidden path is encountered
(server#26291)
* Fix l10n (server#26298)
* Log when a storage is marked as unavailable (server#26301)
* Delete old birthday calendar object when moving contact to another ad...
(server#26307)
* Add a prefix index to filecache.path (server#26326)
* Avatar privacy and new scope (server#26352)
* Fix broken Calendar Event Invite email icons in Gmail by using PNGs instead
of SVGs (server#26357)
* Update cipher defaults (server#26363)
* Fix wording for phone number integration (server#26366)
* Remove notifications when retesting profile field input (server#26371)
* Do not attempt to read 0 bytes when manually iterating over a non-seekable
file (server#26376)
* Fix(translation): replace static error message (server#26377)
* Only mark migrations as installed after execution (server#26379)
* Gracefully handle deleteFromSelf when share is already gone (server#26382)
* Also check the default phone region when the number has no country code
(server#26391)
* Allow apps to write/update account data (server#26398)
* Log and continue when failing to update encryption keys during for
individual files (server#26400)
* Make ILDAPProviderFactory usable when there is no ldap setup (server#26402)
* Remove leftover debug @NoCSRFRequired introduced with #26198 (server#26404)
* Get the parent directory before creating a file from a template (server#
26406)
* Bump y18n from 4.0.0 to 4.0.1 (server#26413)
* [3rdparty]phpseclib-2.0.31 (server#26447)
* Revert "add a prefix index to filecache.path" (server#26451)
* 21.0.1 final (server#26453)
* Show icon-phone when setting is set to private instead of local (server#
26459)
* Bump phpseclib/phpseclib from 2.0.30 to 2.0.31 (3rdparty#643)
* Fix 'Daily activity summary' email subject translation (activity#562)
* Fix notifying own activities (activity#566)
* Send the footer with the defined language (activity#570)
* Make sure we only load the public script on public pages (files_pdfviewer#
340)
* Extend reasons for email address (firstrunwizard#503)
* Only send desktop notifications in one tab (notifications#911)
* Fix Photos not shown in large browser windows #630 (photos#689)
* Add vue-virtual-grid to babel (photos#710)
* Match any non-whitespace character in filesystem type pattern (serverinfo#
280)
* Fix Internal Server Error @ /settings/admin/serverinfo in 21.0.0
(serverinfo#287)
* Disable cypress recording for now (text#1504)
* Use write permission when possible (text#1512)
* Fix clicking links with color annotations (text#1516)
* Update CLI tests to PHP 7.4 to 8.0 (updater#346)
* Disable UI when web updater is disabled in config.php (updater#351)
* Remove obsolete pipeline php72-master (updater#355)
* Update used version of box (updater#359)
* Do not allow to keep maintenance mode active in web updater (updater#363)
* Fix fullscreen (viewer#842)
v0.83.1
This is a bug-fix release with one important fix.
langs/i18n: Fix warning regression in i18n ececd1b1 @bep #8492
v0.83.0
Templates
Remove the FuzzMarkdownify func for now 5656a908 @bep
Output
Make the shortcode template lookup for output formats stable 0d86a32d @bep #7774
Only output mediaType once in docshelper JSON 7b4ade56 @bep #8379
Other
Regenerate docs helper a9b52b41 @bep
Regenerate CLI docs b073a1c9 @bep
Remove all dates from gendoc 4227cc1b @bep
Update getkin/kin-openapi v0.60.0 => v0.61. 3cc4fdd6 @bep
Update github.com/evanw/esbuild v0.11.14 => v0.11.16 78c1a6a7 @bep
Remove .Site.Authors from embedded templates f6745ad3 @jmooring #4458
Don't treat a NotFound response for Delete as a fatal error. f523e9f0 @vangent
Switch to deb packages of nodejs and python3-pygments 63cd05ce @anthonyfok
Install bin/node from node/14/stable 902535ef @anthonyfok
bump github.com/getkin/kin-openapi from 0.55.0 to 0.60.0 70aebba0 @dependabot[bot]
bump github.com/evanw/esbuild from 0.11.13 to 0.11.14 3e3b7d44 @dependabot[bot]
Update to Chroma v0.9.1 048418ba @caarlos0
Improve plural handling of floats eebde0c2 @bep #8464
bump github.com/evanw/esbuild from 0.11.12 to 0.11.13 65c502cc @dependabot[bot]
Revise the plural implementation 537c905e @bep #8454 #7822
Update to "base: core20" 243951eb @anthonyfok
bump github.com/frankban/quicktest from 1.11.3 to 1.12.0 fe2ee028 @dependabot[bot]
bump google.golang.org/api from 0.44.0 to 0.45.0 316d65cd @dependabot[bot]
bump github.com/aws/aws-sdk-go from 1.37.11 to 1.38.23 b95229ab @dependabot[bot]
Correct function name in comment 0551df09 @xhit
Upgraded github.com/evanw/esbuild v0.11.0 => v0.11.12 057e5a22 @bep
Regen docs helper fd96f65a @bep
bump github.com/tdewolff/minify/v2 from 2.9.15 to 2.9.16 d3a64708 @dependabot[bot]
bump golang.org/x/text from 0.3.5 to 0.3.6 3b56244f @dependabot[bot]
Remove some unreachable code f5d3d635 @bep
bump github.com/getkin/kin-openapi from 0.39.0 to 0.55.0 0d3c42da @dependabot[bot]
Some performance tweaks for the HTML elements collector ef34dd8f @bep
Exclude comment and doctype elements from writeStats bc80022e @dirkolbrich #8396 #8417
Merge branch 'release-0.82.1' 2bb9496c @bep
bump github.com/yuin/goldmark from 1.3.2 to 1.3.5 3ddffd06 @jmooring #8377
Remove duplicate references from release notes 6fc52d18 @jmooring #8360
bump github.com/spf13/afero from 1.5.1 to 1.6.0 73c3ae81 @dependabot[bot]
bump github.com/pelletier/go-toml from 1.8.1 to 1.9.0 7ca118fd @dependabot[bot]
Add webp image encoding support 33d5f805 @bep #5924
bump google.golang.org/api from 0.40.0 to 0.44.0 509d39fa @dependabot[bot]
bump github.com/nicksnyder/go-i18n/v2 from 2.1.1 to 2.1.2 7725c41d @dependabot[bot]
bump github.com/rogpeppe/go-internal from 1.6.2 to 1.8.0 5d36d801 @dependabot[bot]
Remove extraneous space from figure shortcode 9b34d42b @jmooring #8401
bump github.com/magefile/mage from 1.10.0 to 1.11.0 c2d8f87c @dependabot[bot]
bump github.com/google/go-cmp from 0.5.4 to 0.5.5 cbc24661 @dependabot[bot]
Disable broken pretty relative links feature fa432b17 @niklasfasching
Update go-org to v1.5.0 0cd55c66 @niklasfasching
bump github.com/jdkato/prose from 1.2.0 to 1.2.1 0d5cf256 @dependabot[bot]
bump github.com/spf13/cobra from 1.1.1 to 1.1.3 36527576 @dependabot[bot]
Add complete dependency list in "hugo env -v" 9b83f45b @bep #8400
Add hugo.IsExtended 7fdd2b95 @bep #8399
Also test minified HTML in the element collector 3d5dbdcb @bep #7567
Skip script, pre and textarea content when looking for HTML elements 8a308944 @bep #7567
Add slice syntax to sections permalinks config 2dc222ce @bep #8363
Upgrade github.com/evanw/esbuild v0.9.6 => v0.11.0 4d22ad58 @bep
Fixes
Templates
Fix where on type mismatches e4dc9a82 @bep #8353
Output
Regression in media type suffix lookup 6e9d2bf0 @bep #8406
Regression in media type suffix lookup e73f7a77 @bep #8406
Other
Fix multiple unknown language codes 7eb80a9e @bep #7838
Fix permalinks pattern detection for some of the sections variants c13d3687 @bep #8363
Fix Params case handling in where with slices of structs (e.g. Pages) bca40cf0 @bep #7009
Fix typo in docshelper.go 7c7974b7 @jmooring #8380
Try to fix the fuzz build 5e2f1289 @bep
v0.82.1
This is a bug-fix release with one important fix.
Regression in media type suffix lookup 6e9d2bf0 @bep #8406
v0.82.0
Enhancements
Templates
Add method mappings for strings.Contains, strings.ContainsAny 7f853003 @bep
Output
Make Type comparable ba1d0051 @bep #8317 #8324
Add a basic benchmark 4d24e2a3 @bep
Other
Regenerate docs helper 86b4fd35 @bep
Regen CLI docs 195d108d @bep
Simplify some config loading code df8bb881 @bep
Update github.com/evanw/esbuild v0.9.0 => v0.9.6 57d8d208 @bep
Apply OS env overrides twice fc06e850 @bep
Attributes for code fences should be placed after the lang indicator only b725253f @bep #8313
Bump github.com/tdewolff/minify/v2 v2.9.15 35dedf15 @bep #8332
More explicit support link to discourse 137d2dab @davidsneighbour
Update to esbuild v0.9.0 1b1dcf58 @bep
Allow more spacing characters in strings 0a2ab3f8 @moorereason #8079 #8079
Rename a test 35bfb662 @bep
Add a debug helper 6d21559f @bep
Add support for Google Analytics v4 ba16a14c @djatwood
Bump go.mod to Go 1.16 782c79ae @bep #8294 #8210
Upgrade golang version for Dockerfile 5afcae7e @systemkern
Update CONTRIBUTING.md 60469f42 @bep
Handle attribute lists in code fences aed7df62 @bep #8278
Allow markdown attribute lists to be used in title render hooks cd0c5d7e @bep #8270
bump github.com/kyokomi/emoji/v2 from 2.2.7 to 2.2.8 88a85dce @dependabot[bot]
Fixes
Output
Fix output format handling for render hooks 18074d0c @bep #8176
Other
Fix OS env override for nested config param only available in theme 7ed56c69 @bep #8346
Fix new theme command description 24c716ca @rootkea
Fix handling of utf8 runes in nullString() f6612d8b @moorereason
Fixes #7698. 01dd7c16 @gzagatti
Fix autocomplete docs c8f45d1d @bep
v0.81.0
Make the build green again fe77f743 @bep
Regenerate internal templates c6080655 @bep
Update date logic of opengraph and schema internal templates ffd9dac4 @djatwood
Synch Go templates fork with Go 1.16dev cf3e077d @bep
Exclude pages without Permalink from sitemap 4867cd1d @Jaza
Add default user-agent header for getJSON requests 35def0ae @peacecwz
remove 1mb limit for readFile. ee9c1367 @avdva
Do not return errors in substr for out-of-bounds cases 8a26ab0b @moorereason #8113
Add missing test scenario for strings.Substr 788e50ad @moorereason
Regen CLI docs 9e99950c @bep
Regen docs helper 1b364b00 @bep
Run go mod tidy 88b93a09 @bep
Add arm64 to Darwinextended build and add vendorInfo 29fb456c @bep #8003
Update Travis, GitHub, CircleCI and Snap to Go 1.16 (only) 718fba7d @bep
Pull in latest Go 1.16 template source e77b2e3a @bep
Add breaking tests for "map read and map write in templates" b5485aea @bep #7293
Pull in latest Go template source ccb822eb @bep
Expand template newline testcase to commands 21e9eb18 @bep
Add a test case for Go 1.16 template action newlines ae57ba6a @bep
Update github.com/tdewolff/minify/v2 v2.6.2 => v2.9.13 66beac99 @bep #8258
bump github.com/frankban/quicktest from 1.11.2 to 1.11.3 968dd7a7 @dependabot[bot]
bump github.com/getkin/kin-openapi from 0.32.0 to 0.39.0 38f29e81 @dependabot[bot]
bump github.com/aws/aws-sdk-go from 1.36.33 to 1.37.11 cd87813a @dependabot[bot]
bump github.com/sanity-io/litter from 1.3.0 to 1.5.0 4e815b06 @dependabot[bot]
bump github.com/olekukonko/tablewriter from 0.0.4 to 0.0.5 652a59d3 @dependabot[bot]
Update to esbuild v0.8.46 84f0ec7f @bep
Add config option modules.vendorClosest bdfbcf6f @bep #8235 #8242
bump google.golang.org/api from 0.26.0 to 0.40.0 a9b0fea6 @dependabot[bot]
Change version string format and add VendorInfo to help with issue triaging e8df0977 @anthonyfok
Allow absolute paths for any modules resolved via project replacement 3a5ee0d2 @bep #8240
Throw an error running hugo mod vendor on mountless module 4ffaeaf1 @bep
Add PowerShell completion support 5f621df2 @anthonyfok #8122
Refer to mage instead of make in comment regarding commitHash 7118f89c @anthonyfok
Add attributes support for blocks (tables etc.) 2681633d @bep #7548
Update to Goldmark v1.3.2 1b247282 @bep #8143
Update to Dart Sass Protocol beta6 441b11be @bep
Write to stdout by default d36fd5b3 @benmezger
Remove powershell support a7c515e1 @benmezger
Add zsh, fish and powershell completion support 216b00f3 @benmezger #4296
Enable NPM tests on Windows 14494379 @bep #8196
Update to esbuild v0.8.39 440fdb0e @bep #8189
Trim whitespace in elements written to hugo_stats.json b2a48dce @pmatiash #7958
bump github.com/aws/aws-sdk-go from 1.35.0 to 1.36.33 2f9dadae @dependabot[bot]
Remove mention of a file size limit for readFile ed3071b7 @avdva
Add Inject config option 32b86076 @bep #8164
Add Shims option e19a046c @bep #8165
bump github.com/spf13/afero from 1.4.1 to 1.5.1 07ad283f @eclipseo
Add external source map support to js.Build and Babel 2c8b5d91 @richtera #8132
Run go mod tidy 4d2b6fc4 @bep
Update go-org to v1.4.0 212e5e55 @niklasfasching
Adjust log level 4fdec67b @bep
Add temporary patch to fix template data race 9650e568 @bep #7293
Fix race condition in text template baseof 241b7483 @moorereason
Fix metrics hint tracking 0004a733 @moorereason #8125
Fix potential path issue on Windows b60e9279 @bep
Fix some humanize issues bf55afd7 @susiwen8 #7912
Fix handling of legacy attribute config e6dd3128 @bep #7548
Support translation files with suffix *.yml 92c6c404 @bep #8212
Fix nilpointer in js.Build error handling a1fe552f @bep #8162
Priority is a pure-Python implementation of the priority logic for HTTP/2, set
out in RFC 7540 Section 5.3 (Stream Priority). This logic allows for clients
to express a preference for how the server allocates its (limited) resources to
the many outstanding HTTP requests that may be running over a single HTTP/2
connection.
This release fixes these security issues from the prior release.
* SQUID-2020:11 HTTP Request Smuggling
(CVE-2020-25097)
* SQUID-2021:1 Denial of Service in URN processing
(CVE-2021-28651)
* SQUID-2021:2 Denial of Service in HTTP Response Processing
(CVE-2021-28662)
* SQUID-2021:3 Denial of Service issue in Cache Manager
(CVE-2021-28652)
* SQUID-2021:4 Multiple issues in HTTP Range header
(CVE-2021-31806, CVE-2021-31807, CVE-2021-31808)
* SQUID-2021:5 Denial of Service in HTTP Response Processing
(CVE pending allocation)
Changes in squid-4.15 (10 May 2021):
- Bug 5112: Excessively loud chunked reply parsing error reporting
- Bug 5106: Broken cache manager URL parsing
- Bug 5104: Memory leak in RFC 2169 response parsing
- Bug 3556: "FD ... is not an open socket" for accept() problems
- Profiling: CPU timing implemented for MAC non-x86
- Fix HttpHeaderStats definition to include hoErrorDetail
- Fix Squid-to-client write_timeout triggers client_lifetime timeout
- Limit HeaderLookupTable_t::lookup() to BadHdr and specific IDs
- Handle more Range requests
- Handle more partial responses
- Stop processing a response if the Store entry is gone
- ... and some portability fixes
- ... and some documentation updates
9.0.1
Fixed issues with the packaging of the 9.0 release.
9.0
Note
Version 9.0 moves or deprecates several APIs.
Aliases provide backwards compatibility for all previously public APIs.
:class:`~datastructures.Headers` and :exc:`~datastructures.MultipleValuesError` were moved from websockets.http to :mod:`websockets.datastructures`. If you're using them, you should adjust the import path.
The client, server, protocol, and auth modules were moved from the websockets package to websockets.legacy sub-package, as part of an upcoming refactoring. Despite the name, they're still fully supported. The refactoring should be a transparent upgrade for most uses when it's available. The legacy implementation will be preserved according to the backwards-compatibility policy.
The framing, handshake, headers, http, and uri modules in the websockets package are deprecated. These modules provided low-level APIs for reuse by other WebSocket implementations, but that never happened. Keeping these APIs public makes it more difficult to improve websockets for no actual benefit.
Added compatibility with Python 3.9.
Added support for IRIs in addition to URIs.
Added close codes 1012, 1013, and 1014.
Raised an error when passing a :class:`dict` to :meth:`~legacy.protocol.WebSocketCommonProtocol.send`.
Fixed sending fragmented, compressed messages.
Fixed Host header sent when connecting to an IPv6 address.
Fixed creating a client or a server with an existing Unix socket.
Aligned maximum cookie size with popular web browsers.
Ensured cancellation always propagates, even on Python versions where :exc:`~asyncio.CancelledError` inherits :exc:`Exception`.
Improved error reporting.
7.2 (10 May 2021)
Allow the character field to work with custom country codes that are not 2 characters (such as "GB-WLS").
Fix compatibility with django-migrations-ignore-attrs library.
7.1 (17 March 2021)
Allow customising the str_attr of Country objects returned from a CountryField via a new countries_str_attr keyword argument (thanks C. Quentin).
Add pyuca as an extra dependency, so that it can be installed like pip install django-countries[pyuca].
Add Django 3.2 support.
7.0 (5 December 2020)
Add name_only as an option to the Django Rest Framework serializer field (thanks Miguel Marques).
Add in Python typing.
Add Python 3.9, Django 3.1, and Django Rest Framework 3.12 support.
Drop Python 3.5 support.
Improve IOC code functionality, allowing them to be overridden in COUNTRIES_OVERRIDE using the complex dictionary format.
6.1.3 (18 August 2020)
Update flag of Mauritania.
Add flag for Kosovo (under its temporary code of XK).
6.1.2 (26 March 2020)
Fix Python 3.5 syntax error (no f-strings just yet...).
6.1.1 (26 March 2020)
Change ISO country import so that "Falkland Islands [Malvinas]" => "Falkland Islands (Malvinas)".
6.1 (20 March 2020)
Add a GraphQL object type for a django Country object.
6.0 (28 February 2020)
Make DRF CountryField respect blank=False. This is a backwards incompatible change since blank input will now return a validation error (unless blank is explicitly set to True).
Fix COUNTRIES_OVERRIDE when using the complex dictionary format and a single name.
Add bandit to the test suite for basic security analysis.
Drop Python 2.7 and Python 3.4 support.
Add Rest Framework 3.10 and 3.11 to the test matrix, remove 3.8.
Fix a memory leak when using PyUCA. Thanks Meiyer (aka interDist)!
5.5 (11 September 2019)
Django 3.0 compatibility.
Plugin system for extending the Country object.
5.4 (11 August 2019)
Renamed Macedonia -> North Macedonia.
Fix an outlying makemigrations error.
Pulled in new translations which were provided but missing from previous version.
Fixed Simplified Chinese translation (needed to be locale/zh_Hans).
Introduce an optional complex format for COUNTRIES_ONLY and COUNTRIES_OVERRIDE to allow for multiple names for a country, a custom three character code, and a custom numeric country code.
5.3.3 (16 February 2019)
Add test coverage for Django Rest Framework 3.9.
5.3.2 (27 August 2018)
Tests for Django 2.1 and Django Rest Framework 3.8.
5.3.1 (12 June 2018)
Fix dumpdata and loaddata for CountryField(multiple=True).
5.3 (20 April 2018)
Iterating a Countries object now returns named tuples. This makes things nicer when using {% get_countries %} or using the country list elsewhere in your code.
While there, add the option to generate and include the documentation in the
package (disabled by default).
No PKGREVISION bump as the build simply broke with doxygen available, and the
new option is disabled by default.
Real changes are in www/ruby-actionpack61 only.
## Rails 6.1.3.2 (May 05, 2021) ##
* Prevent open redirects by correctly escaping the host allow list
CVE-2021-22903
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
Real changes are in www/ruby-actionpack60 only.
## Rails 6.0.3.7 (May 05, 2021) ##
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
0.17.0
Changed
- Require `HTTPX` 0.18.0 and implement the new transport API.
- Removed ASGI and WSGI transports from httpcore patch list.
- Don't pre-read mocked async response streams.
Fixed
- Fixed syntax highlighting in docs, thanks @florimondmanca.
- Type check `route.return_value`, thanks @tzing.
- Fixed a typo in the docs, thanks @lewoudar.
Added
- Added support for adding/removing patch targets.
- Added test session for python 3.10.
- Added RESPX Mock Swallowtail to README.
0.18.1 (29th April, 2021)
Changed
* Update brotli support to use the `brotlicffi` package
* Ensure that `Request(..., stream=...)` does not auto-generate any headers on the request instance.
Fixed
* Pass through `timeout=...` in top-level httpx.stream() function.
* Map httpcore transport close exceptions to httpx exceptions.
0.18.0 (27th April, 2021)
The 0.18.x release series formalises our low-level Transport API, introducing the base classes `httpx.BaseTransport` and `httpx.AsyncBaseTransport`.
See the "[Writing custom transports](https://www.python-httpx.org/advanced/#writing-custom-transports)" documentation and the [`httpx.BaseTransport.handle_request()`](397aad98fd/httpx/_transports/base.py (L77-L147)) docstring for more complete details on implementing custom transports.
Pull request 1522 includes a checklist of differences from the previous `httpcore` transport API, for developers implementing custom transports.
The following API changes have been issuing deprecation warnings since 0.17.0 onwards, and are now fully deprecated...
* You should now use httpx.codes consistently instead of httpx.StatusCodes.
* Use limits=... instead of pool_limits=....
* Use proxies={"http://": ...} instead of proxies={"http": ...} for scheme-specific mounting.
Changed
* Transport instances now inherit from `httpx.BaseTransport` or `httpx.AsyncBaseTransport`,
and should implement either the `handle_request` method or `handle_async_request` method.
* The `response.ext` property and `Response(ext=...)` argument are now named `extensions`.
* The recommendation to not use `data=<bytes|str|bytes (a)iterator>` in favour of `content=<bytes|str|bytes (a)iterator>` has now been escalated to a deprecation warning.
* Drop `Response(on_close=...)` from API, since it was a bit of leaking implementation detail.
* When using a client instance, cookies should always be set on the client, rather than on a per-request basis. We prefer enforcing a stricter API here because it provides clearer expectations around cookie persistence, particularly when redirects occur.
* The runtime exception `httpx.ResponseClosed` is now named `httpx.StreamClosed`.
* The `httpx.QueryParams` model now presents an immutable interface. There is a discussion on [the design and motivation here](https://github.com/encode/httpx/discussions/1599). Use `client.params = client.params.merge(...)` instead of `client.params.update(...)`. The basic query manipulation methods are `query.set(...)`, `query.add(...)`, and `query.remove()`.
Added
* The `Request` and `Response` classes can now be serialized using pickle.
* Handle `data={"key": [None|int|float|bool]}` cases.
* Support `httpx.URL(**kwargs)`, for example `httpx.URL(scheme="https", host="www.example.com", path="/")`, or `httpx.URL("https://www.example.com/", username="tom@gmail.com", password="123 456")`.
* Support `url.copy_with(params=...)`.
* Add `url.params` parameter, returning an immutable `QueryParams` instance.
* Support query manipulation methods on the URL class. These are `url.copy_set_param()`, `url.copy_add_param()`, `url.copy_remove_param()`, `url.copy_merge_params()`.
* The `httpx.URL` class now performs port normalization, so `:80` ports are stripped from `http` URLs and `:443` ports are stripped from `https` URLs.
* The `URL.host` property returns unicode strings for internationalized domain names. The `URL.raw_host` property returns byte strings with IDNA escaping applied.
Fixed
* Fix Content-Length for cases of `files=...` where unicode string is used as the file content.
* Fix some cases of merging relative URLs against `Client(base_url=...)`.
* The `request.content` attribute is now always available except for streaming content, which requires an explicit `.read()`.
0.13.3 (May 6th, 2021)
Added
- Support HTTP/2 prior knowledge, using `httpcore.SyncConnectionPool(http1=False)`.
Fixed
- Handle cases where environment does not provide `select.poll` support.
0.13.2 (April 29th, 2021)
Added
- Improve error message for specific case of `RemoteProtocolError` where server disconnects without sending a response.
0.13.1 (April 28th, 2021)
Fixed
- More resilient testing for closed connections.
- Don't raise exceptions on ungraceful connection closes.
0.13.0 (April 21st, 2021)
The 0.13 release updates the core API in order to match the HTTPX Transport API,
introduced in HTTPX 0.18 onwards.
An example of making requests with the new interface is:
```python
import httpcore

# Open a connection pool and issue a single GET using the 0.13 transport-style API.
with httpcore.SyncConnectionPool() as http:
    status_code, headers, stream, extensions = http.handle_request(
        method=b'GET',
        url=(b'https', b'example.org', 443, b'/'),
        headers=[(b'host', b'example.org'), (b'user-agent', b'httpcore')],
        stream=httpcore.ByteStream(b''),
        extensions={}
    )
    body = stream.read()
    print(status_code, body)
```
Changed
- The `.request()` method is now `handle_request()`.
- The `.arequest()` method is now `.handle_async_request()`.
- The `headers` argument is no longer optional.
- The `stream` argument is no longer optional.
- The `ext` argument is now named `extensions`, and is no longer optional.
- The `"reason"` extension keyword is now named `"reason_phrase"`.
- The `"reason_phrase"` and `"http_version"` extensions now use byte strings for their values.
- The `httpcore.PlainByteStream()` class becomes `httpcore.ByteStream()`.
Added
- Streams now support a `.read()` interface.
Fixed
- Task cancelation no longer leaks connections from the connection pool.
1.5.0 - 2021-05-07
------------------
- Fix bug where a valid IRI is mishandled by ``urlparse`` and
``ParseResultBytes``.
- Add :meth:`~rfc3986.builder.URIBuilder.extend_path`,
:meth:`~rfc3986.builder.URIBuilder.extend_query_with`,
:meth:`~rfc3986.builder.URIBuilder.geturl` to
:class:`~rfc3986.builder.URIBuilder`.
2.2.0
=====
- Fixed compatibility with django-timezone-field>=4.1.0
- Fixed deprecation warnings: 'assertEquals' in tests.
- Fixed SolarSchedule event choices i18n support.
- Updated 'es' .po file metadata
- Update 'fr' .po file metadata
- New schema migrations for SolarSchedule events choices changes in models.
2.1.0
=====
- Fix string representation of CrontabSchedule, so it matches UNIX CRON expression format
- If no schedule is selected in PeriodicTask form, raise a non-field error instead of an error bounded to the `interval` field
- Fix some Spanish translations
- Log "Writing entries..." message as DEBUG instead of INFO
- Use CELERY_TIMEZONE setting as `CrontabSchedule.timezone` default instead of UTC
- Fix bug in ClockedSchedule that made the schedule stuck after a clocked task was executed. The `enabled` field of ClockedSchedule has been dropped
- Drop support for Python < 3.6
- Add support for Celery 5 and Django 3.1
2.0.0
=====
- Added support for Django 3.0
- Dropped support for Django < 2.2 and Python < 3.5
1.6.0
=====
- Fixed invalid long_description
- Exposed read-only field PeriodicTask.last_run_at in Django admin
- Added docker config to ease development
- Added schedule validation on save
- Added French translation
- Fixed case where last_run_at = None and CELERY_TIMEZONE != TIME_ZONE
1.5.0
=====
- Fixed delay returned when a task has a start_time in the future.
- PeriodicTaskAdmin: Declare some filtering, for usability
- fix _default_now is_aware bug
- Adds support for message headers for periodic tasks
- make last_run_at tz aware before passing to celery
4.1.2 (2021-03-17)
Avoid NonExistentTimeError during DST transition
4.1.1 (2020-11-28)
Don't import rest_framework from package root
4.1 (2020-11-28)
Add Django REST Framework serializer field
Add new choices_display kwarg with supported values WITH_GMT_OFFSET and STANDARD
Deprecate display_GMT_offset kwarg
4.0 (2019-12-03)
Add support for django 3.0, python 3.8
Drop support for django 1.11, 2.0, 2.1, python 2.7, 3.4
3.1 (2019-10-02)
Officially support django 2.2 (already worked)
Add option to display TZ offsets in form field
Changelog:
Version 78.10.1, first offered to ESR channel users on May 4, 2021
Fixed
* Resolved an issue caused by a recent Widevine plugin update which prevented
some purchased video content from playing correctly (bug 1705138)
* Security fix
Security fixes:
#CVE-2021-29951: Mozilla Maintenance Service could have been started or stopped
by domain users
Flask-Static-Digest is a Flask extension that will help make your
static files production ready with very minimal effort on your part.
It does this by md5 tagging and gzipping your static files after
running a `flask digest compile` command that this extension adds
to your Flask app.
Changelog:
Version 88.0.1, first offered to Release channel users on May 5, 2021
-------------------------------------------------------------------------------
Fixed
* Resolved an issue caused by a recent Widevine plugin update which prevented
some purchased video content from playing correctly (bug 1705138)
* Fixed corruption of videos playing on Twitter or WebRTC calls on some Gen6
Intel graphics chipsets (bug 1708937)
* Fixed menulists in Preferences being unreadable for users with High
Contrast Mode enabled (bug 1706496)
* Various stability and security fixes.
Security fixes:
#CVE-2021-29953: Universal Cross-Site Scripting
#CVE-2021-29952: Race condition in Web Render Components