3.0.8 is a stable release which includes many significant enhancements and
new features, and the usual squashed bugs. The most prominent new
features are the ability to "tag" headers and apply actions based on those
tags, making Privoxy much more flexibile, and Privoxy can now act as an
"intercepting" proxy.
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
Of note:
important: Data integrity CVE-2007-6286
important: Information disclosure CVE-2007-5461
low: Elevated privileges CVE-2007-5342
low: Session hi-jacking CVE-2007-5333
Are all fixed in this release.
- Revive support for system without NetBSD style rc/rc.d.
- Always pass command_args and squid_flags to squid command.
This should fix the PR pkg/38036 by Wolfgang Stukenbrock.
Bump PKGREVISION.
changes:
- Works with Firefox 1.5.x and xulrunner 1.8.x
- Compiles with xulrunner 1.9, but a lot of functionality is disabled due
to being no longer exposed by xulrunner (or not working)
- MyPortal
- User stylesheets
- Remembering passwords
- http authentication
- Support for external mailers which don't understand mailto: urls is
completely removed. Pretty much all modern mailers support them now.
see GIT history.
Made option elinks-fastmem the default, as it's significantly faster
and I don't trust their wrappers of malloc(), etc. al. anyway.
Version 0.12 supports boehm-gc, which will probably become the default.
If 0.12 isn't released fairly soon, I'll see about backporting support.
Also add elinks-html-highlight as a default, as there's really no
reason not to.
* 208700 by pwolanin. Fix bad backport of #194579. Modified to use Form API.
* 118569 by bevan: document how should one set RewriteBase, if under a VirtualDocumentRoot. Backport by Bart Jansens.
* Patch 115606 by Junyor, thesaint_02: added support for PHP 5.2's 'recoverable fatal errors'.
* 209409 by Heine, webernet, dww: more accurate register globals value checking
=== RELEASE 2.1pre33 ===
Thu Jan 31 21:11:40 MET 2008 mikulas:
Fixed memory leak when there was an error in decompression
Thu Dec 27 23:37:03 MET 2007 mikulas:
Support few more keycodes on ANSI terminal (PAGE UP, PAGE DOWN and few
F* keys)
Wed Dec 26 03:43:35 cet 2007 mikulas:
Disable smb:// URLs on OS/2, fork+threads can cause crashes in EMX
Besides, there's no usable smb client program anyway
Tue Dec 25 01:44:28 MET 2007 mikulas (sponsored by Dondor Ltd.):
A .nsi file to make Windows installer with Nullsoft scriptable install
Mon Dec 24 01:44:11 MET 2007 mikulas:
Fixed a bug that strings with spaces could not be passed from command
line
Mon Dec 24 00:43:57 MET 2007 mikulas:
Socks 4A support (so that Links can be used with tor without
intermediate proxy)
Thu Dec 20 05:40:22 cet 2007 mikulas:
The previous Windows fix broke opening new windows on OS/2
include:
+ Add full DESTDIR support.
+ Split out package options into a separate options.mk file.
* Fix some cgi header processing
* Add simple Range: header processing
security/libssh2 package.
Changes:
o --data-urlencode
o CURLOPT_PROXY_TRANSFER_MODE
o --no-keepalive - now curl does connections with keep-alive enabled by
default
o --socks4a added (proxy type CURLPROXY_SOCKS4A for libcurl)
o --socks5-hostname added (CURLPROXY_SOCKS5_HOSTNAME for libcurl)
o curl_easy_pause()
o CURLOPT_SEEKFUNCTION and CURLOPT_SEEKDATA
o --keepalive-time
o curl --help output was re-ordered
This release includes the following bugfixes:
o curl-config --features and --protocols show the correct output when built
with NSS, and also when SCP, SFTP and libz are not available
o free problem in the curl tool for users with empty home dir
o curl.h version 7.17.1 problem when building C++ apps with MSVC
o SFTP and SCP use persistent connections
o segfault on bad URL
o variable wrapping when using absolutely huge send buffer sizes
o variable wrapping when using debug callback and the HTTP request wasn't sent
in one go
o SSL connections with NSS done with the multi-interface
o setting a share no longer activates cookies
o Negotiate now works on auth and proxy simultanouesly
o support HTTP Digest nonces up to 1023 letters
o resumed ftp upload no longer requires the read callback to return full
buffers
o no longer default-appends ;type= on FTP URLs thru proxies
o SSL session id caching
o POST with callback over proxy requiring NTLM or Digest
o Expect: 100-continue flaw on re-used connection with POSTs
o build fix for MSVC 9.0 (VS2008)
o Windows curl builds failed file truncation when retry downloading
o SSL session ID cache memory leak
o bad connection re-use check with environment variable-activated proxy use
o --libcurl now generates a return statement as well
o socklen_t is no longer used in the public includes
o time zone offsets from -1400 to +1400 are now accepted by the date parser
o allows more spaces in WWW/Proxy-Authenticate: headers
o curl-config --libs skips /usr/lib64
o range support for file:// transfers
o libcurl hang with huge POST request and request-body read from callback
o removed extra newlines from many error messages
o improved pipelining
o improved OOM handling for data url encoded HTTP POSTs when read from a file
o test suite could pick wrong tool(s) if more than one existed in the PATH
o curl_multi_fdset() failed to return socket while doing CONNECT over proxy
o curl_multi_remove_handle() on a handle that is in used for a pipeline now
break that pipeline
o CURLOPT_COOKIELIST memory leaks
o progress meter/callback during http proxy CONNECT requests
o auth for http proxy when the proxy closes connection after first response
Changes with Apache 1.3.41
*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox]
Changes with Apache 1.3.40 (not released)
*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
[Joe Orton]
*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
With Apache 1.3, the denial of service vulnerability applies only
to the Windows and NetWare platforms.
[Jeff Trawick]
*) More efficient implementation of the CVE-2007-3304 PID table
patch. This fixes issues with excessive memory usage by the
parent process if long-running and with a high number of child
process forks during that timeframe. Also fixes bogus "Bad pid"
errors. [Jim Jagielski, Jeff Trawick]
Changes with Apache 1.3.39
*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection". Reported by Stefan Esser. [Joe Orton]
*) SECURITY: CVE-2007-3304 (cve.mitre.org)
Ensure that the parent process cannot be forced to kill non-child
processes by checking scoreboard PID data with parent process
privately stored PID data. [Jim Jagielski]
*) mime.types: Many updates to sync with IANA registry and common
unregistered types that the owners refuse to register. Admins
are encouraged to update their installed mime.types file.
pr: 35550, 37798, 39317, 31483 [Roy T. Fielding]
There was no Apache 1.3.38
"ncurses" option. "wide-curses" now just toggles whether we use
wide or narrow curses, which is a much simpler knob for users.
Bump the PKGREVISION to 5.
Changes Since Opera 9.25:
Security
--------
Fixed an issue where simulated text inputs could trick users into uploading
arbitrary files, as reported by Mozilla. See our advisory.
Image properties can no longer be used to execute scripts, as reported by
Max Leonov. See our advisory.
Fixed an issue where the representation of DOM attribute values could allow
cross site scripting, as reported by Arnaud.lb. See our advisory.
Miscellaneous
-------------
Fixed a stability issue found in Opera 9.0 to 9.25, when Opera connects
securely to Windows Server 2008 or other servers supporting the TLS
Certificate Status extension.
Additional stability fixes.
Quanta Plus
* Insert literal character entities if possible.
* List the plugin in the Open With context menu.
* Fix crashes when using XDebug.
* Do not keep an empty, Untitled document opened when opening new files.
* Fix crash when closing a plugin and no other document is opened.
* Make HTML forms work in the internal preview.
* Fix deadlock in CSS editor when the propery contains ":".
Kommander
* Support executing of widget slots.
* Add execute method for PushButton.
* Add possibility to pass parameters for ScriptObject.
* Add "return" command to get back the result of a ScriptObject.
* Add "createWidget" function for on-the-fly widget creation.
* Add "widgetExists" function.
* Add "execBackground" function.
* Add "connect/disconnect" function for on-the-fly signal/slot connection.
* Add indexed array functions
* Make "a="Label1"; a.setText("foo")" work.
* Add "TreeWidget.selectedIndexes".
* Add "Table.setCellWidget/cellWidget".
* Add "Table.selection" to get back the selection coordinates.
* New widgets: "AboutDialog, DatePicker, PopupMenu, ToolBox"
* Use the new parser by default for new dialogs.
* Support shebang ("#!/path_to/kmdr-executor") in the beginning of the
.kmdr files. Running .kmdr files is possible directly if you make
them executable.
* Warn if a dialog file is not executable.
* Store Kommander version in the "VERSION/_VERSION" global variable.
* Add experimental Kommander KPart (Kommander dialogs can be embedded in
other KDE applications).
* Make "input_color" and "@Input.color" accept a default color argument.
* Make "TreeWidget.selection" work in multi selection mode.
* Make "TreeWidget.setSelection" show the selected item.
* Make "CheckBox.setChecked" accept as argument false, "false", true,
"true", 0 (meaning false), everything else meaning "true".
* Optionally quote the strings inserted via the function browser.
* Use combobox for booleans in the function browser.
* Use multiline insert box in function browser.
* Add highlighting for the new parser.
* Make possible to open more associated editors at once.
* Make it possible to run external script in a ScriptObject.
* "execute" DCOP call returns a string.
* The editor does not save the dialog on running.
* Create backup files every 5 minutes.
* Rework the plugin system.
* Set new functions only available to new parser such as createWidget
to not be shown in the function browser if the old parser is run.
* Show all available functions in the function browser.
* Insert the functions using the syntax of the new parser if #!kommander
is specified in the associated text.
* Return the result of a division in floating form if the result is not
an integer.
* Update the handbook.
* Install examples that are easily reachable from the editor.
* Fix "exit" command.
* Make "dcopid, pid, parentPid" work in the new parser.
* Fix problem with losing the parser type status in the editor when
working with multiple dialogs.
* "@Array.fromString" should append the new elements to the array, just
like it did before and how "array_fromString" does.
* Fix @eval for addition/substraction and handle division by zero.
* Process code written in external script using the old parser.
* Fix many cases when the code was executed altough it was in a codepath
that should not be executed.
* Fixed the bug in the input text dialog where entering a default value
returned the caption.
* Fix the for loop parsing if end < start.
Change log
* Various tests were enhanced to increase our test coverage
* Implement unlocking for content which does not use portal_factory
and for LinguaPlone translations.
* Add a method to cleanup persistent schemas from content objects
which were created by the 'update schema' feature from older
Archetypes releases. This is available through the ZMI.
* Correct removing of all roles from a group. This fixes This fixes 6994.
* Correct generation of session cookies for long userids. This fixes
problems with OpenID2 accounts.
* Correct handling of unicode arguments for
acl_users.enumerateUsers. This fixes zope-pas bug 189627.
* Kupu updates:
o Correct full screen mode. This fixes 7473.
o Correct intenal link insertion for IE. This fixes 7494.
o Correct stripping out of anchor to top of current page. This fixes 7680.
o The 'Home' link nows goes to the content root instead of the
Plone root. This fixes 7713.
o 'Link using UIDs' broke indexing of richt text fields with
non-ASCII characters. This fixes 7728.
o Update the flags and languages list. This fixes 7441.
o Revert internal change in language selector code in the
plone.app.i18n release from Plone 3.0.5 in the language
selector widget which broke LinguaPlone.
o Fix lock timeout which was set by default to 12 minutes, it is
now set to maxtimeout (71582788 minutes). This fixes 7358.
o Fix TypeError when an anonymous user locks content. This fixes 7246.
Updated packages
* archetypes.kss 1.2.6
* plone.app.i18n 1.0.3
* plone.app.controlpanel 1.0.4
* plone.app.linkintegrity 1.0.5
* plone.app.vocabularies 1.0.3
* plone.locking 1.0.5
* plone.session 1.2
* Archetypes 1.5.6
* CMF 2.1.1
* CMFPlone 3.0.6
* PloneLanguageTool 2.0.2
* PlonePAS 3.2
* PloneTranslations 3.0.11
* PluggableAuthService 1.5.3
* kupu 1.4.8
Based on PR 38029, remove redundant PLIST and markd as DESTDIR ready.
I18N::AcceptLanguage matches language preference to available languages
per rules defined in RFC 2616, section 14.4: HTTP/1.1 - Header Field
Definitions - Accept-Language.
No package using "contrib" sub directory now and it is redundant.
If such a package exists on a platform, should use MOZ_DIR individually instead.
This change also fixes fetch problem of www/firefox-bin when MASTER_SITE_MOZILLA
is not defined in /etc/mk.conf.
Active Resource (ARes) connects business objects and Representational
State Transfer (REST) web services. It implements object-relational
mapping for REST webservices to provide transparent proxying
capabilities between a client (ActiveResource) and a RESTful service.
Security fixes in this version:
MFSA 2008-10 URL token stealing via stylesheet redirect
MFSA 2008-09 Mishandling of locally-saved plain text files
MFSA 2008-06 Web browsing history and forward navigation stealing
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 Multiple file input focus stealing vulnerabilities
MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
For more info, see http://www.seamonkey-project.org/releases/seamonkey1.1.8/
Security fixes in this version:
MFSA 2008-11 Web forgery overwrite with div overlay
MFSA 2008-10 URL token stealing via stylesheet redirect
MFSA 2008-09 Mishandling of locally-saved plain text files
MFSA 2008-08 File action dialog tampering
MFSA 2008-06 Web browsing history and forward navigation stealing
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-04 Stored password corruption
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 Multiple file input focus stealing vulnerabilities
MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.12/releasenotes/
HOMEPAGE for more information. While here, switch to using lang/ossp-js
package instead of lang/spidermonkey. Goodbye, nspr dependency!
Javascript support seems more stable.
Mark option 'spidermonkey' deprecated in favor of option 'javascript'.
This is a Perl implementation of the reCAPTCHA Mailhide API. It can
generate URLs or even directly usable HTML code for using the reCAPTCHA
Mailhide web service, which provides a way of asking people to solve a
reCAPTCHA before they can view your email address.
This is a Perl implementation of the reCAPTCHA API.
From the recaptcha.net web site:
reCAPTCHA improves the process of digitizing books by sending words that
cannot be read by computers to the Web in the form of CAPTCHAs for
humans to decipher. More specifically, each word that cannot be read
correctly by OCR is placed on an image and used as a CAPTCHA. This is
possible because most OCR programs alert you when a word cannot be read
correctly.
HTML::Tiny is a simple, dependency free Perl module for generating HTML
(and XML). It concentrates on generating syntactically correct XHTML using
a simple Perl notation.
Changes with Apache 2.0.63
*) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
to /Device/Nul as the server is starting up, mirroring unix MPM's.
PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe]
*) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
by recreating the bucket allocator each time the trans pool is cleared.
PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>]
Changes with Apache 2.0.62 (not released)
*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox, Joe Orton]
*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
[Joe Orton]
*) Introduce the ProxyFtpDirCharset directive, allowing the administrator
to identify a default, or specific servers or paths which list their
contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
*) log.c: Ensure Win32 resurrects its lost robust logger processes.
[William Rowe]
*) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean
shutdown of the server when the MaxClients is higher then 257,
in a more responsive manner [Mladen Turk, William Rowe]
*) Add explicit charset to the output of various modules to work around
possible cross-site scripting flaws affecting web browsers that do not
derive the response character set as required by RFC2616. One of these
reported by SecurityReason [Joe Orton]
*) http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings. [Jeff Trawick]
*) http_protocol: Escape request method in 413 error reporting.
Determined to be not generally exploitable, but a flaw in any case.
PR 44014 [Victor Stinner <victor.stinner inl.fr>]
there, not in post-patch.
There's no need to use xargs -0: Solaris doesn't know that option, POSIX
doesn't require it, and all the filenames are sane anyway.
error and the behavior of NetBSD on 64-bit machines. All three bugs
(including the Linux documentation problem) have been reported upstream
and will be fixed there.
=== RELEASE 2.1pre32 ===
Thu Dec 13 04:44:01 MET 2007 mikulas:
Do not display links to alternate stylesheets
Tue Dec 11 06:37:56 MET 2007 mikulas:
Use Content-Disposition as a suggestion for downloaded file name
Sun Dec 9 04:52:37 MET 2007 mikulas:
Fixed write to freed memory resulting in misbehavior of radio buttons
and a possible crash
Wed Dec 5 23:26:55 MET 2007 mikulas:
Make it run without Cygwin environment (only with Cygwin DLLs)
Workaround for flaws in Cygwin Unix emulation:
SIGWINCH is sometimes lost
Signal handlers write to a pipe and it should wake select() up,
sometimes, it doesn't
exec("command.com") crashes Windows 98 when some sockets are
open
Wed Dec 5 18:05:00 MET 2007 mikulas:
Do not search for compressed-file extension (.gz, .bz2) in URLs
containing '?', '&' or ';' --- they are likely scripts and they should
provide information about compression in the header.
Tue Dec 4 04:09:51 MET 2007 mikulas:
When the document was truncated to zero size on reload and no data were
received, links didn't invalidate formatted document cache
Wed Nov 7 00:20:12 MET 2007 mikulas:
Accept capital 'X' as a hex number mark in html entities
Fri Nov 2 19:53:01 MET 2007 mikulas:
Do not print links to stylesheet to the document
Fri Nov 2 19:52:22 MET 2007 mikulas:
Slightly improve parsing of ftp --- when the line contains "<DIR>", we
can assume that it is a directory
Tue Oct 30 21:22:27 cet 2007 mikulas:
Previous release didn't compile on OS/2 due to missing SIGCONT
Changes to squid-2.6.STABLE18 (10 Jan 2008)
- Fix 2 assertion failures related to the fix for SQUID-2007:2
- GPL license cleanup to GPLv2 or later. One file in edir_digest_auth
was GPLv2 only, now replaced with a GPLv2 or later licensed vesion.
- Minor cleanups to make certain 64-bit platforms happier
- Several Digest authentication bugs fixed wich was causing random
authenitcation popups or failures.
- --with-valgrind-debug updated for valgrind-3.3.0.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcement:
SA-2008-005 - Drupal core - Cross site request forgery
SA-2008-006 - Drupal core - Cross site scripting (UTF8)
SA-2008-007 - Drupal core - Cross site scripting (register_globals)
In addition to this security vulnerability, the following bugs have been fixed since the 5.5 release:
173858 by Gábor Hojtsy: skip UTF-8 BOM when importing locale files
179164 by Heine: sort modules by name on the module admin page
199640 by webernet: (usability) add option to select no taxonomy term in multiselect forms, not to rely on browser trickery
199084 by chx: better conformance with ISO date formats in our xmlrpc code
173459 by Dave Cohen. Backport of #78487 by FredCK, forngren and bjaspan: document support in url() and l() and proper active class support for .
89218 by Gábor Hojtsy. Properly initialize a counter variable and fix poll editing.
64388 by Gábor Hojtsy. Add missing db_rewrite_sql(); not a security issue since it is a count() query.
200338 by m3avrck and quicksketch: fix transparent GIF resizing
194652 by Heine: specify explicit accept-charset for forms to avoid browser guessing
182410 by greggles: HTTP Basic authentication username and password was parsed in drupal_http_request() but then not used in the request
- Patch 201894 by David Rothstein: fixed typo in user output.
180126 by mmoreno, drewish and scor: add realpath() call to file_save_data(), so Windows will create temporary files properly
115689 by chx: new content types should not overwrite old ones. Backport by Pancho.
203727 by Arancaytar. More effectively use hook API.
204855 by webernet. Add missing * in documentation.
168315 by schuyler1d: previous active database name was not consistently returned in db_set_active()
- Patch 199955 by saxofaan: file_upload_max_size() returns results in bytes, not in mega bytes.
194579 patch by pwolanin: clear filter cache when allowed HTML tags configuration changes in an input format
#166433 by Ralf Stamm. Use correct menu item type for revsion confirm pages.
58806 by fwalch and wicksteedc. Do not override MENU_VISIBLE_IF_HAS_CHILDREN on editing.
Partial backport of 112715 to fix 124641.
Changes from 5.4 -> 5.5
Fixed missing missing brackets in a query in the user module.
Fixed taxonomy feed bug introduced by SA-2007-031
o Changes from 3.0.4
* Update translations.
* If you are using the fullscreenmode.js script, you can now pass
in a minimal=1 argument in the URL to make a page start out in
the minimal mode.
* Fix problems with non-savepoint capable connections (such as SQL
connections) involved in folder_delete, folder_publish of
folder_rename actions.
* Hiding page history, page navigation, and busy icon (spinner) in
print CSS. This relates to 7402 and 7433.
* Fix persistant translation service creation code. This corrects
broken translations on initial Zope start. This fixes 7470.
* Visual editor improvements:
o Style whitelist and class blacklist now work when there is
only one entry in the list.
o Span tags with no attributes after filtering are removed.
* Make the content rule configuration page fully
translatable. This fixes 6886.
* Update the object-not-found error page to search for
alternatives within the navigation root instead of the entire
site.
* Fix translation for default item in display content menu for
situations. This fixes 7281.
* Fix absolute_url() for content rules add views, content rules
traversal adapters, portlet add views, portlet assignment
mappings and portlet assignments.
* Fix handling of RSS feeds which do not include an update
timestamp for feed entries. This fixes 7515.
* Change KSS saveField to not require value explicitply but take
it from the request if not specifies. This makes it possible to
use saveField-kssSubmitForm: currentForm(); which is needed for
multi-valued form variables.
* Fix handling of the portal type criteria for collections. This
fixes 7467.
* Update the delete-confirmation page for objects that are
references elsewhere to order all referencing items in
alphabetical order.
* Fix handling of types where allow_discussion is set as a class
attribute which could lead to an AttributeError when changing
the discussion settings. This fixes 761.
* Extend the Archetypes widget API to inform widgets when
processing the form in the validation phase. This fixes 760.
* Correct zope.i18n.translate calls in Archetypes: should use the
request, not the instance itself as the context. This fixes
translation problems seen in Plone 3.0.4.
* Do not create an empty <ul> in the personal actions bar if there
are no items in it. This fixes an XHTML syntax error.
* Fix the languages method of the language selector to include the
native language name.
* Fix invalid context argument passed into the translation
machinery in the workflow state vocabulary. This fixes 7492.
* Fix potential acquisition problem in five.localsitemanager when
assigning values to the utilities registry of the component
registry.
* Raise a ValueError when the Zope3 translation utilities get
passed in an invalid context argument. Translations in Zope3
work against the request alone and while the keyword is called
context it was too easily confused with a contentish context.
o Updated packages
* Archetypes 1.5.5
* ATContentTypes 1.2.4
* CMFPlone 3.0.5
* GenericSetup 1.3.3
* kupu 1.4.7
* PlacelessTranslationService 1.4.8
* PloneTranslations 3.0.10
* archetypes.kss 1.2.5
* plone.app.contentmenu 1.0.5
* plone.app.contentrules 1.0.5
* plone.app.i18n 1.0.1
* plone.app.kss 1.2.5
* plone.app.linkintegrity 1.0.4
* plone.app.portlets 1.0.5
* plone.app.redirector 1.0.5
* plone.app.vocabulary 1.0.2
* plone.app.layout 1.0.5
* plone.contentrules 1.0.5
* five.localsitemanager 0.3
*) Change: now the ngx_http_userid_module adds start time microseconds
to the cookie field contains a pid value.
*) Change: now the uname(2) is used on Linux instead of procfs.
Thanks to Ilya Novikov.
*) Feature: the "If-Range" request header line support.
Thanks to Alexander V. Inyukhin.
*) Bugfix: in HTTPS mode requests might fail with the "bad write retry"
error; bug appeared in 0.5.13.
*) Bugfix: the STARTTLS in SMTP mode did not work.
Thanks to Oleg Motienko.
*) Bugfix: large_client_header_buffers did not freed before going to
keep-alive state.
Thanks to Olexander Shtepa.
*) Bugfix: the "limit_rate" directive did not allow to use full
throughput, even if limit value was very high.
*) Bugfix: the $status variable was equal to 0 if a proxied server
returned response in HTTP/0.9 version.
*) Bugfix: if the "?" character was in a "error_page" directive, then
it was escaped in a proxied request; bug appeared in 0.5.32.
to list here; one may check the log at <http://repo.or.cz/w/elinks.git>
(see the elinks-0.11 branch). There should be a 0.11.4 release out
fairly soon.
While here, add two patches (from debian maintainer): one to ensure that
its gettext doesn't look for files in ../po/, and the other to disable
transparency by default.
Bump revision.
*) Change: now the full request line instead of URI only is written to
error_log.
*) Feature: Cygwin compatibility.
Thanks to Vladimir Kutakov.
*) Feature: the "merge_slashes" directive.
*) Feature: the "gzip_vary" directive.
*) Feature: the "server_tokens" directive.
*) Feature: the "access_log" directive may be used inside the
"limit_except" block.
*) Bugfix: if the $server_protocol was used in FastCGI parameters and a
request line length was near to the "client_header_buffer_size"
directive value, then nginx issued an alert "fastcgi: the request
record is too big".
*) Bugfix: if a plain text HTTP/0.9 version request was made to HTTPS
server, then nginx returned usual response.
*) Bugfix: URL double escaping in a redirect of the "msie_refresh"
directive; bug appeared in 0.5.28.
*) Bugfix: a segmentation fault might occur in worker process if
subrequests were used.
*) Bugfix: the big responses may be transferred truncated if SSL and
gzip were used.
*) Bugfix: compatibility with mget.
*) Bugfix: nginx did not unescape URI in the "include" SSI command.
*) Bugfix: the segmentation fault was occurred on start or while
reconfiguration if variable was used in the "charset" or
"source_charset" directives.
*) Bugfix: nginx returned the 400 response on requests like
"GET http://www.domain.com HTTP/1.0".
Thanks to James Oakley.
*) Bugfix: a segmentation fault occurred in worker process if
$date_local and $date_gmt were used outside the
ngx_http_ssi_filter_module.
*) Bugfix: a segmentation fault might occur in worker process if debug
log was enabled.
Thanks to Andrei Nigmatulin.
*) Bugfix: ngx_http_memcached_module did not set
$upstream_response_time.
Thanks to Maxim Dounin.
*) Bugfix: a worker process may got caught in an endless loop, if the
memcached was used.
- Remove -quiet option from CONFIGURE_ARGS. This cause verbose output
but it prevent detect errors.
- use INSTALLATION_DIRS.
- Use ../zope/Makefile.common. and common files from ../zope/files.
- Don't install unused runzope.bat.in template file.
- take maintainership.
- Add missing sitecustomize.py{,c} in PLIST.
Bump PKGREVISION.
- Remove -quiet option from CONFIGURE_ARGS. This cause verbose output
but it prevent detect errors.
- use INSTALLATION_DIRS.
- Use ../zope/Makefile.common. and common files from ../zope/files.
- Don't install unused runzope.bat.in template file.
- take maintainership.
Bump PKGREVISION.
This is a bugfix release that tries to fix three issues:
- The reappearing of already downloaded items
(caused by an incorrect cache handling)
- The continuous growth of the sqlite DB file
(caused by comments not being removed along with their parent items).
- The general performance problem with search folders.
Improved fix for MOPB-02-2007.
Fixed an integer overflow inside chunk_split(). Identified by Gerhard Wagner.
Fixed integer overlow in str[c]spn().
Fixed regression in glob when open_basedir is on introduced by 41655 fix.
Fixed money_format() not to accept multiple %i or %n tokens.
Addded "max_input_nesting_level" php.ini option to limit nesting level of input variables. Fix for MOPB-03-2007.
Fixed INFILE LOCAL option handling with MySQL - now not allowed when open_basedir or safe_mode is active.
Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378).
Fixed bug 43010 (Fixed regression in imagearc with two equivelent angles).
Fixed bug 41765 (Recode crashes/does not work on amd64).
Fixed bug 41630 (segfault when an invalid color index is present in the image data).
Fixed bug 41628 (PHP settings leak between Virtual Hosts in Apache 1.3).
Fixed bug 38798 (OpenSSL init corrected in php5 but not in php4).
Skip an interpreter check for a python script (as the
REPLACE_PERL is ignored because no python dependency yet).
(Add a TODO for later: add an option for reStructuredText
support to depend on python-docutils.)
Bump PKGREVISION.
Noticed in bulk builds. Fixed this during freeze so it will be
built by some bulk builders and available with the upcoming quarterly
branch packages. This is a leaf package.
Changes in v9.25:
Security
* Fixed an issue where plug-ins could be used to allow cross domain
scripting, as reported by David Bloom. Details will be disclosed
at a later date.
* Fixed an issue with TLS certificates that could be used to execute
arbitrary code, as reported by Alexander Klink (Cynops GmbH).
Details will be disclosed at a later date.
* Rich text editing can no longer be used to allow cross domain
scripting, as reported by David Bloom. See our advisory.
* Prevented bitmaps from revealing random data from memory, as
reported by Gynvael Coldwind. Details will be disclosed at a
later date.
Miscellaneous
* Fixed a problem where malformed BMP files could cause Opera to
temporarily freeze.
For pkgsrc use, put back opera-distinfo target (to easily re-generate
checksums for supported platforms)
Done during 2007Q4 freeze because the old distfile is no longer available.
New audio/video options
* H.264/HE-AAC codec support
Improved Performance
* Multi-core support
* Multi-threaded video decoding
* Image scaling
* Flash Player cache
* Flash Media Server buffering
Universal Reach
* Full screen mode for Linux
* Accessibility support for the plugin
* Mac Os X Leopard support
Fixed in this version:
* On Linux, modal dialogs displayed by Flash Player stay in front of browser windows but do not prevent interaction with the browser as they should. (191331)
* On certain SUSE 9.2 installations using the standalone player only, trying to Open a browser from the standalone player with SeaMonkey open will cause the player to hang. (193383)
* On Linux, networking operations in the standalone player are currently slow. (193158)
* On Linux, when the mouse is hovering over Flash content, keyboard input is not sent to the browser. (194265)
* Full-screen mode is not supported in the Opera Browser on Macintosh systems. (189140)
* Full-screen mode is now supported on Linux.
* The plugin version of Flash Player does not fire flash.events.Event.RENDER when wmode is set as transparent. (198515)
* Full-screen can be used when wmode is set (202290)
* Passing large amounts of XML through External Interface is significantly faster (206828)
* ExternalInterface now works with HTML objects that contain dots within the object name (199614)
There are three types Mozilla mirrors.
(http://www.mozilla.org/mirroring.html)
* mozilla-current
contains only the current version of Firefox and Thunderbird
* mozilla-release
contains Firefox, Thunderbird, and Sunbird releases
* mozilla-all
complete archive
Define following variables for mozilla master sites:
MASTER_SITE_MOZILLA_ALL = mozilla-all
MASTER_SITE_MOZILLA = mozilla-release
and change some packages to use appropriate variable.
Update contents of MASTER_SITE_MOZILLA with master and primary mirrors
taken from http://www.mozilla.org/mirrors.html and add some sample definitions.
- Change the order of including files in Makefile to use REPLACE_PYTHON
properly.
- Remove shebang line from a library file which would never be executed
directly.
pkgsrc changes:
- Honor squidGuard's name.
- Use PKGINSTALL frame work.
- More integration to squid; common configuration and logging directories.
Now depends on squid package.
- Switch to use db4; it might be selectable by option.
- Install some examples of configuration.
Todo:
- LDAP support option.
- Installing documents.
- DESTDIR support.
Release 1.3
2007-09-19 Included configurable logging. New configure option --nolog
suppress all runtime logmessages. Start and stop is still logged.
Default behaviour is now to log the non debug messages except
when the runtime option -d is supplied to squidGuard. May need
some more finetuning in later versions. (bug 11)
Made some slight changes to the outdated FAQ file.
2007-09-13 Modified auth code to work with and without ldap (choosing
subroutine rfc1738_unescape or sgFindUser in sg.y.in)
2007-08-20 Corrected include statement in sg.h.in.
2007-07-16 Added patch by Marc Clayton to include a progressbar to the
build of the database files (bug 6).
2007-07-01 Added patch by Eric Harrison to enable full sed compliance
to rewrite statements (bug 7).
2007-06-02 Corrected missing evaluation of configure parameters for
logdir, dbhome and config file (bug 11).
2007-05-25 Added patch from satish to block urls entries that include
hostnames (bug 4).
2007-05-20 Fixed broken regex evaluation (bug 12)
Fixed a compile problem on some systems (bug 10).
2007-05-10 Corrected an issue with the fix for the double
slash vulnerability (incorrectly found double
slashes) (bug 1).
Release 1.2.1
2007-04-10 Fixed multiple slash bypass vulnerabilty.
2007-03-17 Fixed some bugs in squidGuard-simple.cgi and added a
German version of it.
2007-03-16 Fixed encoding bypass vulnerabilty.
2007-03-16 Updated y.tab.c.bison and y.tab.h.bison to the recent
version.
2007-02-02 Fixed bug in user authentication.
2007-01-20 Fixed some typos which broke compilation on Sun Solaris
when using the Sun CC compiler.
2007-01-12 Corrected unproper evaluated if-clause, which broke the
BerkeleyDB 2 compatibility.
Fixed minor typo in samples/Makefile.in.
2006-12-29 Replaced the sleepycat links from the configure program with
the oracle links.
Corrected typo in Makefile.in.
2006-12-16 Removed a stupid bug from the Makefile in the docs directory.
2006-12-10 Removed references to squidguard.org in Makefile.in in the
Doc directory (squidguard.org is down).
Added ISSUES.txt file about known problem with the current
code (any information that is missing and should go in there
is gladly welcomed).
2006-06-17 Release now supports LDAP queries for authentication:
Added Chris Frey's ldap patches and fixes (03, 05, 06,
07 and 10; Patches from:
http://www.netdirect.ca/software/category.php?cat=SquidGuard).
The LDAP feature can be included during the configure run
by setting --with-ldap. Per default ldap support will not
be compiled in.
Added a fix provided by Francesco Ranieri to solve an issue
with the (un)escaping of the authentication "domain%5cusername".
Patch Release 1.2.0p3
2005-12-09 Modfied configure Skript to allow to specify the name of
the useraccount the squid cache is using.
Modified Makefile.in that during the installation the
necessary squidGuard directories are created if they are
not existing. Additionally a default configuration file
will be copied to the default location for squidGuard unless
an old one is found there.
Patch Release 1.2.0p2
2005-10-13 Added Adam Gorski's bugfix to correct a a null pointer access
bug in logging.
Added Chris Freys bugfix a bug where it won't search the url
db if the domain db is empty.
Added Chris Frey's buffer overflow checks (except for commenting
out the part from line 446 to 470 in sgDb.c).
(Patches from:
http://www.netdirect.ca/software/category.php?cat=SquidGuard)
Patch Release 1.2.0p1
2005-10-11 Added support for Berkeley DB 4.x
- Move some common parameter to Makefile.common; squid's user, group and
data directory.
- Add LOGDIR to Makefile.common.
These changes have no functional change but make it possible for
squidGuard package to share parameters.
MailHost is Zope-integrated feature to send mail from Web applications,
but can not send Japanese mail correctly.
This "jaMailHost" product will solve this problem.
This package is based on new zope's framework.
Plone is a ready-to-run content management system that is built on the
powerful and free Zope application server. Plone is easy to set up,
extremely flexible, and provides you with a system for managing web
content that is ideal for project groups, communities, web sites,
extranets and intranets.
Plone 3 runs on Zope 2.10.x and has many improved features from Plone 2.5.
1. Inline editing
2. Working Copy support
3. Link and reference integrity checking
4. Automatic locking and unlocking
5. Easy collaboration and sharing
6. Versioning, history and reverting content
7. Upgraded visual HTML editor
8. Powerful workflow capabilities
9. Flexible authentication back-end
10. Full-text indexing of Word and PDF documents
11. Collections
12. Presentation mode for content
13. Support for the search engine Sitemap protocol
14. Support for multiple mark-up formats
15. Wiki support
16. Automatic previous/next navigation
17. Rules engine for content
18. Auto-generated tables of contents
19. Portlets engine
20. Professional support, development, hosting & training
This package based on new zope's framework and finally replace
zope25-CMFPlone pacakge.
Plone is a ready-to-run content management system that is built on the
powerful and free Zope application server. Plone is easy to set up,
extremely flexible, and provides you with a system for managing web
content that is ideal for project groups, communities, web sites,
extranets and intranets.
Plone 2.5.5 runs on Zope 2.9.x.
Zope is an exciting new object-based, open source web application
platform. It allows you to build powerful and dynamic web applications
easily. Zope comes with source code and is friendly to developers as
well as users.
Zope 2.10.x is needed to run Plone 3.
Zope 2.9.8 (2007/07/05)
Bugs fixed
- updated to ZODB 3.6.3
- updated to Zope 3.2.3 codebase
- Collector #1306: Missing acquisition context on local roles screen.
- The REQUEST no longer accepts holds after it has been closed.
- Collector #2153: Supporting unquoted cookies with spaces.
- Collector #2295: Comments in PythonScripts could lead to syntax
errors
- Collector #2307: ObjectCopiedEvent not dispatched to sublocations.
- Fixed ZClass test breakage due to non-pickleability of
'zope.interface.Implements'
N.B.: updated 'zope.interface' package to Zope 3.2 branch;
should be pinned to a tag or a release before releasing
2.9.8).
- Collector #2260: fixed a bug in Examples.zexp
- Collector #2321: Skip trusted proxies when extracting the client IP
address from the request.
- Collector #2318: Allow override of zopectl's control socket in
zope.conf
- Collector #2316: correctly unpack DateTimeIndex dates when browsing the
index.
- Collector #1866: a 304 HTTP status should not have a content length.
- Collector #2300: delimit *all* HTTP Response headers with CRLF.
Zope 2.9.7 (2007/03/25)
Bugs fixed
- Protected various security mutators with a new postonly decorator.
The decorator limits method publishing to POST requests only, and
is a backport from Zope 2.11's requestmethod decorator factory.
- Collector #2298: webdav.Resource.COPY and webdav.Resource.MOVE did
not send the expected copy/move events.
- Collector #2296: Fixed import of ZClass products, broken by removal
of BBB support for pasting objects whose meta_type info was
permission-free.
- Collector #2294: Protected DOS-able ControlPanel methods with the
same 'requestmethod' wrapper.
- Collector #2294: Protected various security mutators with a new
'postonly' decorator. The decorator limits method publishing to
POST requests only, and is a backport from Zope 2.11's requestmethod
decorator factory.
- Collector #2288: @ and + should not be quoted when forming
request URLs in BaseRequest and HTTPRequest
- Undeprectated 'zLOG' package, which is going to remain a
backward-compatibility shim for the Python logger.
- Collector #2263: 'field2ulines' did not convert empty string
correctly.
- Reverted backward-incompatible fix for Collector #2191.
- added Python 2.4.4 as optimal Python version to 'configure'
Zope 2.9.6 (2006-11-22)
Bugs fixed
- Collector #2191: extended DateTime parser for better support
to the ISO8601 specification.
- Reworking of _cached_result in Shared.DC.ZRDB.DA.DA:
- fixed KeyError reported in Collector #2212
- fixed two memory leaks that occurred under high load
- fixed broken cache keys for people using the obscure
Shared.DC.ZRDB.DA.DA.connection_hook
- fixed incorrect cache ordering resulting in newer results
being dumped when the cache became too large.
- Collector #2237: 'make' doesn't tell you to run 'make inplace'
before running 'make instance'.
- Collector #2235: A number of ZCatalog methods were doing boolean
evaluation of objects that implemented __len__ instead of checking
them against None. Replaced a number of "if not obj" with
"if obj is None".
- Collector #2218: fixed wrong logger argument in OFS/Cache.py
- Collector #2205: fixed wrong logger argument in ZRDB/Connection.py
- Collector #2208: rewriting/setting the 'charset' part of the
content-type HTTP header will be done only for 'text/*'
- Collector #2206: Set PYTHONPATH to include existing PYTHONPATH
in skel/bin/zopectl.in and skel/bin/runzope.in
Zope 2.9.5 (2006/10/03)
Bugs fixed
- Call setDefaultSkin on new requests created as the result of
ConflictError retries.
- Collector #2189: Fix logging of errors during product refresh.
- Collector #2185: Log username for FCGI requests.
- Collector #2152: Fixed MailHost documentation; simple_send does not
process or validate its arguments in any way.
- Collector #2175: ZTUtils.make_hidden_input did not escape double-quotes.
- Collector #1907: Moved 'alt' property from File to Image.
- Collector #1983: Specifying session-resolution-seconds >= 1200 caused
Zope startup to fail.
- Collector #2169: webdav.Resource.COPY did not send ObjectClonedEvent.
- Updated Five to bugfix release 1.3.7.
- Collector #2157: Expose name of broken class in SystemError raised
from '__getstate__' of a broken instance.
- Usage of 'urljoin' in 'webdav.davcmds' could lead to wrongly
constructed urls.
- Collector #2155: Fix wrong parameter being passed to
logger's error() method, with tests.
- Collector #2178: Fix ZopeTestCase doctest support for layers
- included Zope 3.2.2
Fix bug whereby mod_wsgi daemon process could hang when a request with
content greater than UNIX socket buffer size, was directed at a WSGI
application resource handler which in turn returned a response, greater
than UNIX socket buffer size, without first consuming the request content.
- Drop POST from the allowed list; this mistake has been here since 2003,
but it doesn't really matter as POST on a Subversion repository is an
invalid operation anyway.
Changes:
* Fix :cookie_only to correctly avoid session fixation attacks (CVE-2007-6077)
* Fix regression where the association would not construct new finder
SQL on sav e causing bogus queries for "WHERE owner_id = NULL" even
after owner was saved.
- new maintainer
- PKG_DESTDIR_SUPPORT
- ok by joerg
Changelog:
1.29 21 Aug 2007 - Documentation fix to performance hints section.
No functional changes.
1.28 18 Aug 2007 - Improved mod_perl2 handling (patch courtesy of Jeremy Nixon).
Added a ':no_subprocess_env' flag to suppress populating
the %ENV environment hash. Added a 'subprocess_env'
static class method to allow smooth co-existance of
ModPerl2 scripts that use ':no_subprocess_env' with ModPerl2
scripts that do not on the same server.
1.27 25 May 2007 - Added example of a command line 'wrapper' script and
of using environment variables as an alternate way
to test scripts via the command line. Added example
for use with FastCGI. Changed behavior for unsupported
HTTP methods. The module used to 'croak' for unsupported
methods, it now 'carp's instead and treats as a 'GET'
(behavior change at suggestion of Roman Mashirov to support
FastCGI better).
1.26 06 Apr 2007 - Added decoding of Javascript/EMCAScript style unicode
escaped (%uxxxx form) parameter data (both to the main
'param' method and to the 'url_decode'/'url_encode' methods)
at the suggestion of Michael Kröll (the core code for
this additional functionality is derived from CGI.pm).
Fixed META.yml problems introduced with 1.25.
Changed POD/POD Coverage tests to only execute if specifically requested
Added examples directory and scripts
1.25 20 Apr 2006 - Added 'allow_hybrid_post_get' class method. Tweaked file permissions.
Added regression tests for hybrid forms.
1.24 23 Sep 2005 - Added 'Carp' to install requirements. Extended build tests.
Fixed multi-part form decoding bug in handling of degenerate MIME
boundaries. Added fatal errors for mis-calling of param_mime
and param_filename methods.
1.23 18.Sep 2005 - Made Test::More optional in build tests. No functional changes.
1.22 13.Sep 2005 - Changed POD tests to be more friendly to CPANTS.
1.21 11.Sep 2005 - Fixed pod coverage test for compatibility with Perl 5.005.
1.20 11.Sep 2005 - Fixed issue causing mod_perl to issue
'Use of uninitialized value.' warnings.
Extended build tests.
1.19 10.Sep 2005 - Fixed POD Coverage test error.
1.18 08.Sep 2005 - Adjusted prerequiste modules lists. Tweaked code for 'strict'.
Extended regression tests to cover more of the code.
1.17 04 Sep 2005 - More tweaks to regression tests to work around MS-Windows
problems with binary file handles under Perl 5.6.1.
Added 'Build.PL' support back in. Added POD tests.
Minor documentation tweaks.
- new maintainer
- PKG_DESTDIR_SUPPORT
- ok by joerg
Changelog:
4.06 Wed Apr 12, 2006
(No code changes)
- Updated tests to work with status codes emitted before and after CGI.pm 3.16.
The requirement for CGI.pm 3.16 or newer has been relaxed, so any version
of CGI.pm will do. (Rhesa)
4.05 Wed Mar 1, 2006
(No code changes)
- Updated tests for redirects to check for 'Found', not 'Moved'.
This correctly matches the standard, and was changed in CGI.pm 3.16.
As a result, we now require CGI.pm 3.16 for consistent results.
* SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled
In addition to this security vulnerability, the following bugs have been fixed since the 5.2 release:
* 178478 by scor: typo in text displyed when the DB is installed but not accessible
* Patch 122759 by Robrecht: fixed broken query in upgrade path.
* 55277 by catch and JirkaRybka: when flat comment view is used, order comments by cid (ie. original submission order) instead of timestamp (ie. last editing time order) to avoid comments jumping around when being edited
* Patch 181063 by chx and bjaspan: fixed problem with drupal_bootstrap() not booting to the proper level.
* 184668 by hazexp, Remove unnecessary ';'
* Patch 182728 by Darren Oh: improved PHPdoc of db_rewrite_sql().
* 93425 by bjaspan: remove pre-Drupal 4.6 era destination handling cruft carried over in comment module
* 154388 (backport of 172262) by JirkaRybka. Better globals handling in install system, so the choosen profile and language are remembered.
* 171117 by JirkaRybka: set access time for admin created or edited accounts so they are exempt from the spam protection we have for accounts never logged in
* Patch 168829 by Neil Drumm: fixed link in documentation.
* 165924 by odious. Use accurate count query for user list.
* 187601 by Bart Jansens. Use correct HTTP status codes for redirects.
* 180109 by JirkaRybka: overcome browser quirk to detect when no taxonomy term was selected
* 134984 by mikesmullin. Fix x2 coordinate for rendering gradients.
Remove patch -- make changes using SUBST_SED framework.
Add imagemagick as an option (not on by default).
Add perl:run for USE_TOOLS.
Add another script to REPLACE_PERL.
Get rid of most of post-install target and let the ikiwiki Makefile
do the installation.
Too many changes from CHANGELOG to list. Here are the most recent:
ikiwiki (2.15) unstable; urgency=low
* Add a new ikiwiki-makerepo program, that automates setting up a repo
and importing existing content for svn, git, and mercurial. This makes
the setup process much simpler.
* Reorganised git documentation.
* Actually install the ikiwiki-update-wikilist program.
* Improve workaround for perl bug #376329. Rather than double-encoding,
which has been reported to cause encoding problems (though I haven't
reproduced them), just catch a failure of markdown, and retry.
(The crazy perl bug magically disappears on the retry.)
Closes: #449379
* Add umask configuration option. Closes: #443329
-- Joey Hess <joeyh@debian.org> Sat, 01 Dec 2007 11:44:01 -0500
ikiwiki (2.14) unstable; urgency=high
* Let CC be used to control what compiler is used to build wrappers.
* Use 'cc' instead of gcc as the default compiler.
* Security fix: Ensure that there are no symlinks anywhere in the path
to the top of the srcdir. In certian unusual configurations, an attacker
who could commit to one of the parent directories of the srcdir could
use a symlink attack to cause ikiwiki to publish files elsewhere in the
filesystem. More details at <http://ikiwiki.info/security/#index29h2>
-- Joey Hess <joeyh@debian.org> Mon, 26 Nov 2007 15:26:06 -0500
Add apache SVN revision 574884 to fix garbage characters in Server header
http://issues.apache.org/bugzilla/show_bug.cgi?id=43334
When it hits, this issue can completely screw up returned pages if the
Server header gets embedded newlines
Security fixes in this version:
MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard
For more info, see http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.1.7/
Changes to squid-2.6.STABLE17 (26 Nov 2007)
- Fix compile error with old GCC 2.x or other ANSI-C compilers before
C99
- Mention the login= cache_peer option in release notes
- Fix bad cache_peer example in squid.conf
- Bug #2086: Fix a compile-time memory corruption error causing cf_gen
to fail
- Bug #2048: Clarify high_memory_warning usage
- Reject DNS responses which result in no data
- Fix version number in configuration manual
- Move cache and request/reply_header_max_size to their proper
sections
- Bug #2088: sbrk statistics broken when process size >2GB
- Move logopen() much earlier to have fatal startup errors sent to the
proper syslog facility
- Fix HTTP/0.9 responses
- Correct bad example config for tos_outgoing_tos
- Fix grammar in description of mail_program squid.conf option
- Ignore Content-Length in chunked responses instead of rejecting the
response as invalid
- Documented that http_port no longer have a default
- Cleanup of cache digest documentation
- Make aufs store rebuilding back off a little if I/O load too high
- Bug #2100: Respect DNS ttl=0
- Update udp_(incoming|outgoing)_address documentation to reflect
current bahaviour.
- Update HTCP documentation
- Document the overlapping helper request format
- Change priority of proxy auth and extacl provided username in
login=*:pass
- pack header entries on cache updates
- Make squid_db_auth reopen the database connection on each query by
default
- Improve helper debug ouput, including the channel number
- Update cachePeerEntry MIB description to mention what is used as
index key
- Import squid_radius_auth for authenticating to RADIUS
GPM (which we do not support) and its lovely signal handler.
See my comment in main.c for more information. This fixes the extremely
annoying behavior I've been noticing on NetBSD-current where links seems to
send a SIGSTP to any jobs attempting to use its terminal after it received
a SIGSTP.
Bump rev.