What's new in Sudo 1.7.7
* I/O logging is now supported for commands run in background mode
(using sudo's -b flag).
* Group ownership of the sudoers file is now only enforced when
the file mode on sudoers allows group readability or writability.
* Visudo now checks the contents of an alias and warns about cycles
when the alias is expanded.
* If the user specifies a group via sudo's -g option that matches
the target user's group in the password database, it is now
allowed even if no groups are present in the Runas_Spec.
* "sudo -i command" now works correctly with bash version
2.0 and higher. Previously, the .bash_profile would not be
sourced prior to running the command unless bash was built with
NON_INTERACTIVE_LOGIN_SHELLS defined.
* Multi-factor authentication is now supported on AIX.
* Added support for non-RFC 4517 compliant LDAP servers that require
that seconds be present in a timestamp, such as Tivoli Directory Server.
* If the group vector is to be preserved, the PATH search for the
command is now done with the user's original group vector.
* For LDAP-based sudoers, the "runas_default" sudoOption now works
properly in a sudoRole that contains a sudoCommand.
* Spaces in command line arguments for "sudo -s" and "sudo -i" are
now escaped with a backslash when checking the sudoers file.
[0.21]
- When using the tie() fallback ensure we do not obliterate a
foreign tie()
- Better document how to disable the tie() fallback
[0.20_01] (the "mst made me do it" release)
- Only invoke the deleted sub stashing if we run under a debugger
(avoid runtime penalty of Sub::Name/Sub::Identify)
- Spellfixes (RT#54388)
- When B::Hooks::EndOfScope is not available, switch to a simple
tie() of %^H. While it can not 100% replace B::H::EOS, it does
everything n::c needs
[0.20]
- Bump Package::Stash dependency to 0.22 to pull in a bugfix in
Package::Stash::XS 0.19.
[0.19]
- Port to the new Package::Stash 0.18 API and depend on it.
- Don't rely on package::stash's remove_package_symbol implementation
(doy).
Revision history for Perl extension Net::Amazon:
0.60 (08/01/2011)
(cb) Fix the page and max_pages parameter to correctly fetch the specified
number of pages, and start at the correct offset. Reported as rt 69201.
(cb) Add a method to get similar products. Patch submitted by Jennifer.
(cb) Push from cpanservice: Small dist maintenance. Please use latest
ExtUtils::MakeMaker for release.
For some reason the "Checking for work-directory references" test
didn't catch the fact that ${DESTDIR}${LIBDIR} was being compiled
into the main binary as its library search path.
Noted by moof.
PKGREVISION -> 7
The official list of changes is shown below. However, this release also
switches to use GNU Autoconf and Automake, yet this is not shown in the
list of changes. This fact obsoletes our previous local changes, although
new portability problems might arise.
CHANGES FROM 1.4 TO 1.5, 09 July 2011
* Support xterm mouse modes 1002 and 1003.
* Change from a per-session stack of buffers to one global stack. This renders
copy-buffer useless and makes buffer-limit now a server option.
* Fix most-recently-used choice by not resetting the activity timer for
unattached sessions every second.
* Add a -P option to new-window and split-window to print the new window or
pane index in target form (useful to pass it into other commands).
* Handle a # at the end of a replacement string (such as status-left)
correctly.
* Support for UTF-8 mouse input (\033[1005h) which was added in xterm 262.
If the new mouse-utf8 option is on, UTF-8 mouse input is enabled for all
UTF-8 terminals. The option defaults to on if LANG etc are set in the same
manner as the utf8 option.
* Support for HP-UX.
* Accept colours of the hex form #ffffff and translate to the nearest from the
xterm(1) 256-colour set.
* Clear the non-blocking IO flag (O_NONBLOCK) on the stdio file descriptors
before closing them (fixes things like "tmux ls && cat").
* Use TMPDIR if set.
* Fix next and previous session functions to actually work.
* Support -x and -y for new-session to specify the initial size of the window
if created detached with -d.
* Make bind-key accept characters with the top-bit-set and print them as octal.
* Set $TMUX without the session when background jobs are run.
* Simplify the way jobs work and drop the persist type, so all jobs are
fire-and-forget.
* Accept tcgetattr/tcsetattr(3) failure, fixes problems with fatal() if the
terminal disappears while locked.
* Add a -P option to detach to HUP the client's parent process (usually causing
it to exit as well).
* Support passing through escape sequences to the underlying terminal by using
DCS with a "tmux;" prefix.
* Prevent tiled producing a corrupt layout when only one column is needed.
* Give each pane created in a tmux server a unique id (starting from 0), put it
in the TMUX_PANE environment variable and accept it as a target.
* Allow a start and end line to be specified for capture-pane which may be
negative to capture part of the history.
* Add -a and -s options to lsp to list all panes in the server or session
respectively. Likewise add -s to lsw.
* Change -t on display-message to be target-pane for the #[A-Z] replacements
and add -c as target-client.
* The attach-session command now prefers the most recently used unattached
session.
* Add -s option to detach-client to detach all clients attached to a session.
* Add -t to list-clients.
* Change window with mouse wheel over status line if mouse-select-window is on.
* When mode-mouse is on, automatically enter copy mode when the mouse is
dragged or the mouse wheel is used. Also exit copy mode when the mouse wheel
is scrolled off the bottom.
* Provide #h character pair for short hostname (no domain).
* Don't use strnvis(3) for the title as it breaks UTF-8.
* Use the tsl and fsl terminfo(5) capabilities to update terminal title and
automatically fill them in on terminals with the XT capability (which means
their title setting is xterm-compatible).
* Add a new option, mouse-resize-pane. When on, panes may be resized by
dragging their borders.
* Fix crash by resetting last pane on {break,swap}-pane across windows.
* Add three new copy-mode commands - select-line, copy-line, copy-end-of-line.
* Support setting the xterm clipboard when copying from copy mode using the
xterm escape sequence for the purpose (if xterm is configured to allow it).
* Support xterm(1) cursor colour change sequences through terminfo(5) Cc
(set) and Cr (reset) extensions.
* Support DECSCUSR sequence to set the cursor style with two new terminfo(5)
extensions, Cs and Csr.
* Make the command-prompt custom prompts recognize the status-left option
character pairs.
* Add a respawn-pane command.
* Add a couple of extra xterm-style keys that gnome terminal provides.
* Allow the initial context on prompts to be set with the new -I option to
command-prompt. Include the current window and session name in the prompt
when renaming and add a new key binding ($) for rename session.
* Option bell-on-alert added to trigger the terminal bell when there is an
alert.
* Change the list-keys format so that it shows the keys using actual tmux
commands which should be able to be directly copied into the config file.
* Show full targets for lsp/lsw -a.
* Make confirm-before prompt customizable with -p option like command-prompt
and add the character pairs #W and #P to the default kill-{pane,window}
prompts.
* Avoid sending data to suspended/locked clients.
* Small memory leaks in error paths plugged.
* Vi mode improvements.
Rails 3.0.10
* Magic encoding comment added to schema.rb files
* schema.rb is written as UTF-8 by default.
* Ensuring an established connection when running `rake db:schema:dump`
* Association conditions will not clobber join conditions.
* Destroying a record will destroy the HABTM record before destroying
itself. GH #402.
* Make `ActiveRecord::Batches#find_each` to not return `self`.
* Update `table_exists?` in PG to always use the current search_path or
schema if explicitly set.
Rails 3.0.10
* Fixes an issue where cache sweepers with only after filters would
have no controller object, it would raise undefined method
controller_name for nil [jeroenj]
* Ensure status codes are logged when exceptions are raised.
* Subclasses of OutputBuffer are respected.
* Fixed ActionView::FormOptionsHelper#select with :multiple => false
* Avoid extra call to Cache#read in case of a fragment cache hit
2.3.14:
Security Fix:
1. The code in Ruby on Rails 2.3 which sets the response content type
performs insufficient sanitization of the values provided. This
means that applications which let the user provide an arbitrary
Content-Type header for the response are vulnerable to response
splitting attacks.
2. The strip_tags helper in Ruby on Rails is designed to remove all
HTML tags from a string. By using specially crafted values an
attacker can confuse the parser and cause HTML tags to be injected
into the response. This can be exploited to inject arbitrary
javascript into the rendered page.
Future releases of Ruby on Rails are likely to replace the current
HTML tokenizer with one provided by libxml to reduce the likelihood
of errors such as these in the future. In the meantime users can
install the loofah gem[1] which should enhance both the performance
and reliability of the HTML sanitization helpers.
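The response splitting item above, worked through as an added example (this is not code from Rails 2.3.14 and not its fix): a header built from an attacker-controlled Content-Type, beside a validated version. The media-type grammar is an approximation of the RFC 2045 token/parameter syntax written for this example, and the payload is constructed.

```ruby
# Added example, not code from Rails 2.3.14: why an attacker-controlled
# Content-Type must be validated before it is written as a response header,
# and one way to do that. The media-type grammar below is an approximation
# of the RFC 2045 token/parameter syntax written for this example.

# Constructed attacker input: a valid-looking media type followed by CRLF,
# an injected header, a blank line, and an injected body.
SPLIT_PAYLOAD = "text/html\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>"

# Vulnerable: the value is interpolated verbatim into the header block, so the
# CRLF sequences inside it end the Content-Type header early and the rest is
# parsed by the client as further headers and a body (response splitting).
def vulnerable_content_type_header(value)
  "Content-Type: #{value}\r\n"
end

# Hardened: accept only a syntactically valid media type (type/subtype with
# optional ";name=value" parameters) and otherwise fall back to a safe default.
# CR and LF are not token characters, so a split payload can never match.
TOKEN = /[!$%&'*+\-.^_`|~#0-9A-Za-z]+/
MEDIA_TYPE = %r{\A#{TOKEN}/#{TOKEN}(?:\s*;\s*#{TOKEN}=(?:#{TOKEN}|"[^"\r\n]*"))*\z}

def safe_content_type(value, default = "text/plain")
  value = value.to_s
  value =~ MEDIA_TYPE ? value : default
end

def hardened_content_type_header(value)
  "Content-Type: #{safe_content_type(value)}\r\n"
end

# Helper used to show the effect: the header lines a client would see.
def header_lines(header_block)
  header_block.split("\r\n").reject(&:empty?)
end

if __FILE__ == $0
  puts header_lines(vulnerable_content_type_header(SPLIT_PAYLOAD)).inspect
  puts header_lines(hardened_content_type_header(SPLIT_PAYLOAD)).inspect
end
```

Rejecting rather than stripping is deliberate: a value that fails the grammar is not a content type the application meant to send, and falling back to a fixed default avoids having to reason about what a partially cleaned string will do in every client.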
2.3.14:
Security fix:
The quote_table_name method in the ActiveRecord adapters for Ruby on
Rails was initially created solely for the purpose of escaping
reserved words encountered in table names. However over time 3rd
party libraries, and rails itself, grew to rely on those functions as
a way to sanitize potentially malicious user input. As a result these
functions need to be hardened to manage malicious input rather than
assuming they're being passed benign values generated by rails itself.
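The quote_table_name hardening above, shown as an added example (this is not ActiveRecord's implementation): an identifier quoter that is only safe for framework-generated names, beside one that allow-lists and escapes. MySQL-style backtick quoting and "schema.table" names split on "." are assumptions of the example; the hostile name is constructed.

```ruby
# Added example, not ActiveRecord's quote_table_name: an identifier quoter
# that is only safe for framework-generated names beside one hardened against
# hostile input. MySQL-style backtick quoting with "schema.table" names split
# on "." is assumed for the demonstration.

# Constructed hostile "table name": closes the quoted identifier, injects a
# statement, then reopens the quote so the result still looks balanced.
HOSTILE_NAME = "users` WHERE 1=1; DROP TABLE users; -- `"

# Naive: assumes each part is a benign identifier, so an embedded backtick
# terminates the quoting early and everything after it runs as SQL.
def naive_quote_table_name(name)
  name.to_s.split(".").map { |part| "`#{part}`" }.join(".")
end

class UnsafeIdentifier < ArgumentError; end

# Plain SQL identifier: letter or underscore, then letters, digits, _ or $.
IDENTIFIER = /\A[A-Za-z_][A-Za-z0-9_$]*\z/

# Hardened: allow-list each part as a plain identifier (strict mode) and,
# as defence in depth, double every backtick so it cannot close the quote
# (MySQL's escaping rule for quoted identifiers).
def hardened_quote_table_name(name, strict: true)
  parts = name.to_s.split(".", -1)
  parts.each do |part|
    raise UnsafeIdentifier, "refusing to quote #{part.inspect}" if strict && part !~ IDENTIFIER
  end
  parts.map { |part| "`#{part.gsub("`", "``")}`" }.join(".")
end

# Helper used to show the effect: remove every well-formed quoted identifier
# and return whatever SQL text is left outside the quotes.
def unquoted_sql(sql)
  sql.gsub(/`(?:[^`]|``)*`/, "").strip
end

if __FILE__ == $0
  puts unquoted_sql(naive_quote_table_name(HOSTILE_NAME)).inspect
  puts unquoted_sql(hardened_quote_table_name(HOSTILE_NAME, strict: false)).inspect
end
```

The strict allow-list is the real control: an identifier quoter that accepts arbitrary strings has to get escaping exactly right for every adapter, whereas refusing anything that is not a plain identifier fails closed before the value reaches the database.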
2.3.14:
Security fix affecting Ruby 1.8.x (Ruby 1.9.x is not affected):
Ruby on Rails has provided a high performance replacement for
ERB::Util.h since version 2.0.0. Due to a bug in the Ruby 1.8 Regular
Expression code this replacement version will fail to escape certain
malformed unicode strings. This malformed output will then be
interpreted as HTML by some browsers on some operating systems.
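An added example for the escaping item above (this is not Rails' ERB::Util.h replacement and does not reproduce the Ruby 1.8 regex bug): an HTML escaper that walks characters instead of running a regular expression over multibyte text, and that replaces invalid byte sequences before escaping so malformed input cannot pass through unescaped. The inputs are constructed; String#scrub requires Ruby 2.1 or later.

```ruby
# Added example, not Rails' ERB::Util.h replacement: an HTML escaper that does
# not rely on a regular expression walking multibyte text, and that refuses to
# pass invalid byte sequences through unescaped. The failure mode described
# above depends on Ruby 1.8's regex engine and is not reproduced here; the
# constructed inputs only show how this variant treats malformed input.

HTML_ESCAPE = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;" }

# Escape one character at a time. Invalid UTF-8 is replaced with U+FFFD first
# (String#scrub, Ruby 2.1+) so a malformed sequence can never reach the output
# as raw bytes that a browser might reinterpret as markup.
def escape_html(str)
  s = str.to_s.dup.force_encoding(Encoding::UTF_8)
  s = s.scrub("\uFFFD") unless s.valid_encoding?
  s.each_char.map { |c| HTML_ESCAPE.fetch(c, c) }.join
end

# Constructed inputs: ordinary markup, and a truncated multibyte sequence
# (a lone UTF-8 lead byte) immediately followed by a tag.
PLAIN_MARKUP = "<script>alert('x')</script>"
MALFORMED = "\xC3<b>".dup.force_encoding(Encoding::UTF_8)

if __FILE__ == $0
  puts escape_html(PLAIN_MARKUP)
  puts escape_html(MALFORMED).inspect
end
```

Checking valid_encoding? before escaping is the practical takeaway: whatever escaper is in use, text whose encoding is already broken should be repaired or rejected before it is treated as characters at all.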
Major changes in this release:
* Added sequential version numbering
* Added an optional configure script - the Makefile still works
for most systems.
* Improvements to the "annotate" algorithm: only search
primary ancestors and ignore branches.
* Update the "scrub" command to remove traces of login-groups
and subrepositories.
* Added the --type option to the "fossil tag find" command.
* In contexts where only a check-in makes sense, resolve
branch and tag names to checkins only, never events or other
artifacts.
* Improved display of file renames on a diff. A rebuild is
required to take full advantage of this change.
* Update the built-in SQLite to version 3.7.7.