* Security fix for ASP.NET (XSP / mod_mono) source code disclosure
(CVE-2010-4225)
* Backport ParallelFx improvements from master (jlaval)
* Fix state check for short-circuiting with SupportRecursion in
ReaderWriterLockSlim #655361 (jlaval)
* Increment Count even on single-processor in SpinWait.
Fix #624849. (jlaval)
* Update ThreadLocal to use default(T) for initialization with
parameterless ctor. Fix #658689. (jlaval)
This release has essentially security fixes, covering the following
CVEs:
CVE-2010-4198 CVE-2010-4197 CVE-2010-4204 CVE-2010-4206
CVE-2010-1791 CVE-2010-3812 CVE-2010-3813
(plus 2 patches from upstream which fix crashes)
* tag: Do not include tagbase in rss/atom category tags. (Giuseppe Bilotta)
* tag: Improve display of tags with a slash in their names.
(Giuseppe Bilotta)
* Fix redirect to use a full url. Was broken (in theory) by baseurl
changes in last release.
* Fix `<base>` output by cgi to have a full url again, broken by last
release.
* Fix permalinks to recentchanges items and comments, broken by last
release.
* Export three cgi env vars needed for CGI->url to work. Fixed
openid breakage from last release.
* Removed `IkiWiki::misctemplate()` function. Any plugins using
it should use `IkiWiki::cgitemplate()` instead.
Version 2.9.3 (2011-01-06)
--------------------------
- Fixed: custom templates were not always shown in "override all" mode (#2725)
- Fixed: protect the X_FORWARDED_FOR header against XSS attacks (#2751)
- Fixed: preserve the selector fields in the personal data module (#2609)
- Fixed: skip mounted folders in the file manager if they do not exist (#2708)
- Fixed: the quick navigation modules failed to work when aliases were
disabled (#2718)
- Fixed some minor issues
Jan 2, 2011 (1.7.1sr1)
------------
This release addresses the following security issue:
Aung Khant of the YGN Ethical Hacker Group reported an XSS in the admin's
configuration panel.
* Better support for serving the same site on multiple urls. (Such as
a http and a https url, or a ipv4 and an ipv6 url.)
(Thanks, smcv)
* API: urlto without a defined second parameter now generates an url
that starts with "/" (when possible; eg when the site's url and cgiurl
are on the same domain).
* Now when users log in via https, ikiwiki sends a secure cookie, that can
only be used over https. If the user switches to using http, they will
need to re-login. (smcv)
* inline: Display feed buttons for nested inlines, linking to the inlined
page's feed. (Giuseppe Bilotta)
* goldtype: New theme, based on blueview, contributed by Lars Wirzenius.
* po: do not override homepage title when it was overridden. (intrigeri)
* Set HTML::Template's parent_global_vars option to allow using parameters
like title_overridden that do not appear on the template. (intrigeri)
(See https://rt.cpan.org/Public/Bug/Display.html?id=64158)
* inline: Force an absolute page location when the inline postform is used.
* editpage, comment: Clean up title when editing or creating a page or
comment.
* teximg: Use `[` and `]` instead of not recommended `$$`. (Paul Menzel)
Closes: #596084
* monotone: Improve version parsing to support patch and development
versions of the monotone binary. (tommyd3mdi)
* highlight: Support highlight 3.2+svn19 (note that released version 3.2
is not supported). Closes: #605779 (David Bremner)
* Add a second parameter to the rcs_diff hook, and avoid bloating memory
reading in enormous commits.
* git: Fix bug involving attempting to web revert a commit that included
changes to attachments.
Updating during the freeze for bugfixes to this leaf package.
ChangeLog:
* Fix XSS vulnerabilities in the KSES library: Don't be case sensitive to
attribute names. Handle padded entities when checking for bad protocols.
Normalize entities before checking for bad protocols in esc_url().
fix essential problem when a header contains multiple encoded strings
with different charset.
* Suppress some error of undefined variables.
* pkgsrc change: change ${FD_DIR}/tmp from SPECIAL_PERMS to OWN_DIRS_PERMS.
Bump PKGREVISION.
For full changes, please refer to http://wiki.typo3.org/wiki/TYPO3_4.4.6.
2010-12-28 Benjamin Mack <benni@typo3.org>
* Release of TYPO3 4.4.6
2010-12-28 Benjamin Mack <benni@typo3.org>
* Revert change #16614 (rev. 9684): common.js resets TYPO3 namespace /
Fixed regression #16831: 'Ext' is undefinded, Line: 81, js/common.js
2010-12-26 Tobias Liebig <mail_typo3@etobi.de>
* Fixed bug #16661: include TSRef changes for t3editor code completion
(thanks to Christian Kartnig)
2010-12-23 Jigal van Hemert <jigal@xs4all.nl>
* Fixed bug #16825: Fatal error in lang.php (thanks to Georg Ringer)
2010-12-21 Francois Suter <francois.suter@typo3.org>
* Fixed bug #16786: Versioning: Generating preview link not working
(thanks to Frederic Gaus)
2010-12-21 Stanislas Rolland <typo3@sjbr.ca>
* Fixed bug #16760: RTE transformation removes all span tags on save
after upgrade TYPO3 4.4.5
2010-12-20 Tolleiv Nietsch <typo3@tolleiv.de>
* Fixed bug #16134: TYPO3 doesn't always fix permissions for new files
2010-12-19 Steffen Gebert <steffen@steffen-gebert.de>
* Fixed bug #16777: Test failure in t3lib_extmgmTest if tests are
located in typo3_src/tests/ instead of tests/ (Thanks to Oliver
Klee)
* Fixed bug #16790: Typo in topbar CSS
2010-12-17 Susanne Moog <typo3@susanne-moog.de>
* Fixed bug #5186: fixed rendering of multi-column image rows (thanks
to Michael Bürgi)
2010-12-17 Steffen Kamper <steffen@typo3.org>
* Fixed bug #14500: Bug: Unit test failures in
t3lib_matchCondition_backend_testcase (Thanks to Oliver Klee)
2010-12-17 Francois Suter <francois.suter@typo3.org>
* Fixed bug #16470: Scheduler fails to calculateNextValue a turn of
the year (thanks to Tobias Hövelborn and Christian Kuhn)
2010-12-17 Ingo Renner <ingo@typo3.org>
* Fixed issue #16764: Insufficient information about which class is
failing to implement interfaces in tslib_cObj->start()
- Fix a bug in the admin interface that could leak information to
users with staff privileges bypassing lookup arguments in the query
string.
- Fix a bug for running the test suite in a multi-db setup
- Deprecated django.contrib.gis.tests.run_gis_tests()
by Christopher M. Fuhrman.
MASTER_SITES don't work with ftp(1), thus commented out.
Version 1.0.12 (released 02-Jun-2010)
* fix exception caused by trying to HTML-escape non-string data (issue #454)
Version 1.0.11 (released 29-Mar-2010)
* security fix: escape user-provided search_re input to avoid XSS attack
alternative from mk/jpeg.buildlink3.mk
This allows selection of an alternative jpeg library (namely the x86 MMX,
SSE, SSE2 accelerated libjpeg-turbo) via JPEG_DEFAULT=libjpeg-turbo, and
follows the current standard model for alternatives (fam, motif, fuse etc).
The mechanical edits were applied via the following script:
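    #!/bin/sh
    # Walk every category/package directory.
    for d in */*; do
        [ -d "$d" ] || continue
        for i in "$d/"Makefile* "$d/"*.mk; do
            # Skip backups and glob patterns that matched nothing.
            case "$i" in *.orig|*"*"*) continue;; esac
            out="$d/x"
            # Point at the new buildlink3 file and the new prefix variable.
            sed -e 's;graphics/jpeg/buildlink3\.mk;mk/jpeg.buildlink3.mk;g' \
                -e 's;BUILDLINK_PREFIX\.jpeg;JPEGBASE;g' \
                < "$i" > "$out"
            # Keep the result only if something changed; save the original.
            if cmp -s "$i" "$out"; then
                rm -f "$out"
            else
                echo "Edited $i"
                mv -f "$i" "$i.orig" && mv "$out" "$i"
            fi
        done
    done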
Changes:
* Added --noconfigure switch to testcurl.pl
* Added --xattr option
* Added CURLOPT_RESOLVE and --resolve
* Added CURLAUTH_ONLY
* Added version-check.pl to the examples dir
Bugfixes:
* check for libcurl features for some command line options
* Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
* http_chunks: remove debug output
* URL-parsing: consider ? a divider
* SSH: avoid using the libssh2_ prefix
* SSH: use libssh2_session_handshake() to work on win64
* ftp: prevent server from hanging on closed data connection
when stopping a transfer before the end of the full transfer
(ranges)
* LDAP: detect non-binary attributes properly
* ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
* gnutls->handshake: improved timeout handling
* security: Pass the right parameter to init
* krb5: Use GSS_ERROR to check for error
* TFTP: resend the correct data
* configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected
* GnuTLS: now detects socket errors on Windows
* symbols-in-versions: updated en masse
* added a couple examples that were missing from the tar ball
* Curl_send/recv_plain: return errno on failure
* Curl_wait_for_resolv (for c-ares): correct timeout
* ossl_connect_common: detect connection re-use
* configure: Prevent link errors with --librtmp
* openldap: use remote port in URL passed to ldap_init_fd()
* url: provide dead_connection flag in Curl_handler::disconnect
* lots of compiler warning fixes
* ssh: fix a download resume point calculation
* fix getinfo CURLINFO_LOCAL* for reused connections
* multi: the returned running handles counter could turn negative
* multi: only ever consider pipelining for connections doing HTTP(S)
1.2.2 2010-10-25 10:15 UTC
Changelog:
QA release
Bug #17696 Patch in order to allow minimization of JS code
Bug #7324 Problem using together with XMLRPC
Bug #13665 phpcs errors
Request #14941 Improve PHPCS results (javascript, tabs vs spaces)
Bug #15292 Unit test failure -Fatal error: Call to undefined method Tree::setup()
Request #15957 images dont "work" on dark(er) backgrounds
Doc Bug #16718 sample simple example fails
3.1.6 2010-11-30
- make slam_defense a little more optimistic, allow a thread/process to write
to cache in a loop
- ensure realpaths hit the realpath_cache, in no-stat mode
- prevent memory starvation, nuke all caches when expunging just one doesn't
work
- fix uploadprogress keylength issues (NUL is part of keylen, pecl bug #20016)
3.1.5 2010-11-02
- Reduce usage of CG(open_files) (mkoppanen at php dot net)
- Add support for php-trunk, new op code, new internals string format,
etc. (Dmitry)
- apc_debug are not compiler-valid NOPs for non-debug builds
- Fixed relative paths resolution when ./foo/a.php or ../foo/a.php (or similar
path) are used. 'foo/a.php' path behaviors remain unchanged
- Fixed a possible memory corruption, when partial path cannot be resolved by
expand_filepath()
- Fixed notices in apc.php (Tomasz Krawczyk)
- Fixed Bug #17978: standardize user keys to include NULs in
identifier_len. Z_STRLEN_P() doesn't, so add to it.
- Fixed bug #16966, apc produces tons of warnings "Unable to allocate memory
for pool".
- Added --enable-apc-debug configuration argument to enable debugging (Kalle)
- Added support for internal debugging on Windows (Kalle)
- ZTS optimizations (Kalle)
3.1.4 2010-08-05
- Windows builds may now have filehits and memory protection if enabled
(Kalle)
- Renamed the memory protection configure option to --enable-apc-memprotect
(Kalle, Shire)
- ZTS fixes and optimizations (Kalle, Felipe)
- Win32 stat support (Pierre, Kalle)
- Added support for interned strings, run-time caches and Zend Engine 2.4
(Dmitry)
- Added apc_exists() (Rasmus)
- Fixed potential XSS in apc.php (Pierre, Matt Chapman)
- Fixed pecl bug #17597 (keys with embedded NUL) (Gopal)
- Fixed pecl bug #17650 (Fix goto jump offsets) (Gopal)
- Fixed pecl bug #17527 (Standardized error reporting) (Gopal, Paul Dragoonis)
- Fixed pecl bug #17089 (Scrub the constant table of all inherited members
before caching) (Gopal)
- Fixed pecl bug #16860 (files can be included more than once even when
include/require_once are used) (Pierre)
- Fixed pecl bug #16717 (apc_fetch dies after 1 hour, regardless of ttl
settings) (Kalle)
- Fixed pecl bug #17597 (apc user cache keys with embedded NULs) (Gopal)
- Fixed pecl bug #13583 (apc upload progress fixes) (Gopal)
commit 3017ed62f47ce14a959e2d315c434d4980cf4243
Author: Jakub Narebski <jnareb@gmail.com>
Date: Wed Dec 15 00:34:01 2010 +0100
gitweb: Introduce esc_attr to escape attributes of HTML elements
It is needed only to escape attributes of handcrafted HTML elements,
and not those generated using CGI.pm subroutines / methods for HTML
generation.
While at it, add esc_url and esc_html where needed, and prefer to use
CGI.pm HTML generating methods than handcrafted HTML code. Most of
those are probably unnecessary (could be exploited only by person with
write access to gitweb config, or at least access to the repository).
This fixes CVE-2010-3906
Reported-by: Emanuele Gentili <e.gentili@tigersecurity.it>
Helped-by: John 'Warthog9' Hawley <warthog9@kernel.org>
Helped-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
and lesser changes:
3017ed6 gitweb: Introduce esc_attr to escape attributes of HTML elements
d48b284 perl: bump the required Perl version to 5.8 from 5.6.[21]
d8a9480 gitweb: Don't die_error in git_tag after already printing headers
22e5e58 Typos in code comments, an error message, documentation
497d9c3 gitweb: clarify search results page when no matching commit found
0b45010 gitweb: Fix typo in run() subroutine
7f425db gitweb: allow configurations that change with each request
61bf126 gitweb: move highlight config out of guess_file_syntax()
109988f gitweb: fix esc_url
869d588 gitweb: Move evaluate_gitweb_config out of run_request
7064994 gitweb/Makefile: fix typo in gitweb.min.css rule
5ed2ec1 gitweb: Return or exit after done serving request
ad709ea gitweb: Fix typo in hash key name in %opts in git_header_html
45aa989 gitweb: Run in FastCGI mode if gitweb script has .fcgi extension
18d0532 gitweb: Move static files into seperate subdirectory
04794fd gitweb: Use @diff_opts while using format-patch
a0446e7 gitweb: Add support for FastCGI, using CGI::Fast
c2394fe gitweb: Put all per-connection code in run() subroutine
592ea41 gitweb: Refactor syntax highlighting support
b331fe5 gitweb: Syntax highlighting support
152d943 gitweb: Create install target for gitweb in Makefile
8515392 gitweb: Improve installation instructions in gitweb/INSTALL
ee1d8ee gitweb: Silence 'Variable VAR may be unavailable' warnings
efb2d0c gitweb: Move generating page title to separate subroutine
7a59745 gitweb: Add custom error handler using die_error
c42b00c gitweb: Use nonlocal jump instead of 'exit' in die_error
377bee3 gitweb: href(..., -path_info => 0|1)
8de096b gitweb: simplify gitweb.min.* generation and clean-up rules
e391859 gitweb: update INSTALL to use shorter make target
a8ab675 gitweb: add documentation to INSTALL regarding gitweb.js
bb4bbf7 Gitweb: add autoconfigure support for minifiers
0e6ce21 Gitweb: add support for minifying gitweb.css
890a13a Sync with 1.7.0.4
7a49c25 gitweb: git_get_project_config requires only $git_dir, not also $projec
9be3614 gitweb: Fix project-specific feature override behavior
964ad92 gitweb multiple project roots documentation
1df4876 gitweb: Protect escaping functions against calling on undef
453541f gitweb: esc_html (short) error message in die_error
e6e592d gitweb: Die if there are parsing errors in config file
57017b3 gitweb: Simplify (and fix) chop_str
aa14013 gitweb: Add optional extra parameter to die_error, for extended explanaion
1ee4b4e gitweb: add a "string" variant of print_sort_th
0cf207f gitweb: add a "string" variant of print_local_time
24d4afc gitweb: Check that $site_header etc. are defined before using them
62331ef gitweb: Makefile improvements
b62a1a9 gitweb: Load checking
b2c2e4c gitweb.js: Workaround for IE8 bug
- update patch provided by V.Seifert
ChangeLog:
- #494462 by z.stolar: modify robots.txt to give search engine crawlers
permission to index content in /sites/*, such as images uploaded to the
site
- #481142 by JohnAlbin, sociotech: theme settings forms were not
inherited by sub-themes
- #764548 by Dave Reid, sun: backport hiding of hidden modules on the
modules page, so if projects include hidden modules for testing, those
will not confuse users
- #687674 by jefnguo, rdrh555: fix minor code documentation typo in
menu.inc
- #881540 by bjaspan: make syslog identity configurable on the user
interface (instead of hardwired to 'drupal')
- #280930 by pillarsdotnet, oadaeh, David_Rothstein: fall back on an
empty array if hook_schema is not defined for a module
- #956320: clean up documentation for menu_set_active_trail
- #903016 by daniels220: path argument was not documented on the arg()
function
- #618280 by daniels220: minor fix to drupal_add_css() documentation to
have correct path example
- #926440 by daniels220: document search_form() return value properly
- #716348 by grendzy, hefox: document that drupal_get_path(),
drupal_load() and drupal_get_filename() can be used with 'profile' as
well
- #767408 by hunmonk: copy semaphore site creation to
update_fix_d6_requirements() to solve issues upgrading from any version
of Drupal 5
- #948520 by jhodgdon, mvc: fix formatting in Schema API documentation
lists
- #931304 by subnet_rx, webkenny: backport support for newly popular
tel: protocol in filter_xss_bad_protocols()
- #937508 by amateescu: document the return value of arg() better
- #505730 by alexanderpas, jhodgdon: document return value of
valid_email_address() better
- #930784 by Jay Matwichuk, daniels220: fix argument name in code
documentation for db_add_field()
- #225950 by mgriego, daniels220, jhodgdon: improve documentation on
theme_image()
- #698248 by andypost: fix notice in cache.inc when $user->cache is not
defined
- #872374 by sender: user_load() can take a uid not just an array;
document that properly
- #942718 by joachim: document where drupal_get_form() arguments end up in
form arrays
- #895858 by dstol: fix documentation of possible $item values in
menu_link_save()
- #379348 by dstol: refine documentation on node_submit()
- #403034 by Andreas Wolf, roderik: node_assign_owner_action() should use
node_get_types('name', ...) to get the name of the node type
- #829968 by AlexisWilke, andypost: fix drupal_lookup_path() to always
return FALSE if the source was not found, not just for the 2nd call
onwards
- #245990 by David_Rothstein, Pedro Lozano, andypost: do not follow any
redirections in system_check_http_request() since we only need data on
whether HTTP requests worked at all
- #366768 by druppi, hass, plach, GiorgosK: do not link to unpublished
translation nodes, even if user would have access to them (once
published)
- #764234 by yan_nick, Zoltan Balogh and myself: backport width of user
filter labels in admin forms; better fit for some translations
- #971400 by myself, pp: backport change of language source URLs from
Drupal 7
- #809616 by catch, hswong3i: fix notice in menu rebuild
- #973242 by pp: log type name not properly translated in dblog.module
- #147000 by pwolanin, mikeytown2, et. al.: avoid multiple, parallel
rebuildings of module and theme data
- #969252 by Dave Reid: save hook_help implementation in upload.module for
admin/settings/uploads
- #993834 by adamgerbert, nenne: fix documentation of return value in
do_search
- #991944 by Jacine: theme_locale_admin_manage_screen() doesn't exist
- #841134 by daniels220, jhodgdon: file_save_upload() documentation
corrections
- #287647 by bjaspan, lilou, mikejoconnor, cafuego, Déja: cast invalid
hook_schema() results into arrays at all times
- #917670 by mr.baileys, rdrh555: fix documentation for drupal_alter()
- #357785 by arnoldc, gravalsyr, miro_dietiker, plach: retain the tnid
value for new nodes saved, so the node object reflects the database
- #422218 by salvis, jeremiah.snapp: fix a case in forum module where non
forum tids might get picked as the forum topic tid
- #488166 by EmanueleQuinto, Damien Tournoud, jhodgdon: search relevance
calculation fails if last_comment_timestamp is NULL
- #881132 by HLopes, Garrett Albright: CSS files with non-UTF-8
characters broke CSS optimization
- #772678 by sun, jpmckinney, Berdir, markus_petrux: no way to specify
default collation, entirely depended on database configuration (which
might be inappropriate)
- #212130 by salvis, boydjd, Steven, grendzy, Damien Tournoud: more
complete support for unicode entities, to account for previously missing
entities in decode_entities()
- #307636 by zbricoleur, sreynen, quicksketch: fix file identification bug
with image file processing on Microsoft IIS
- Roll back #147000, prevented Drupal from being installed.
- #986682 by pkiraly: improve code documentation for db_table_exists() and
db_column_exists()
Fixing http://secunia.com/advisories/42355/.
-------
v3.3.11
-------
[mms] SECURITY: Fix XSS when viewing details of a vCard (Bug #9357).
[jan] Fix exporting recurrence exceptions to vCalendar 1.0.
[jan] Skip event status synchronization with Outlook, which is broken.
[jan] Don't send SIF data to recent Funambol clients, unless requested.
[jan] Log all queries and errors by the history library.
MFSA 2010-84 XSS hazard in multiple character encodings
MFSA 2010-83 Location bar SSL spoofing using network error page
MFSA 2010-82 Incomplete fix for CVE-2010-0179
MFSA 2010-81 Integer overflow vulnerability in NewIdArray
MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta
refresh
MFSA 2010-78 Add support for OTS font sanitizer
MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
MFSA 2010-76 Chrome privilege escalation with window.open and <isindex> element
MFSA 2010-75 Buffer overflow while line breaking after document.write with
long string
MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)
Also:
Fixes for a number of non-security-relevant crashes, increasing the
stability of the whole platform and the Mail & Newsgroups part of SeaMonkey
Fixes issues in the XML-RPC remote publishing interface which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish or delete posts.
Update Czech, Danish, French, Croatian, Italian, Japanese, Kurdish,
Dutch, Russian, Swedish and Turkish language files.
Also re-enable Lithuanian now.
Catch up to Contao 2.9.2.
Includes new startup scripts.
Summary of changes from 2.1.3 to 2.1.4
* A bug in the binary heap layout caused inflated object counts, this has been fixed.
* Much more comprehensive documentation.
* A DNS director that uses DNS lookups for choosing which backend to route requests to has been added.
* The client director now uses the variable client.identity for choosing which backend to send a given request to.
* String representation of now, making it easier to add Expires headers
* Portability fixes for Solaris.
* Various bug fixes.
Summary of changes from 2.1.2 to 2.1.3
* The scalability of critbit, the default hashing method, has been improved.
* A bug in varnishd would in some cases confuse varnishncsa leading to lost or wrong log lines.
* Some bugs in the handling of Range requests have been fixed. This only matters if you enable Range support.
* Add «log» command to VCL which will log to the Varnish log.
Summary of changes from 2.1.1 to 2.1.2
* When adding Range support in 2.1.1 an error was introduced. Garbage was appended to some objects. This affected some load balancers - but clients seemed not to be affected.
Summary of changes from 2.1.0 to 2.1.1
* Experimental support for the Range header, must be enabled with the http_range_support parameter.
* A bug in workspace rollback prevented ESI from working correctly in all situations. This is now fixed.
* A race condition and a deadlock in the critbit hasher have been fixed.
* HEAD requests are no longer converted to GET requests for pass and pipe.
* Support for completely obliterating objects including all variants («nuke»). See http://varnish-cache.org/changeset/4668 for details
Summary of changes from 2.0.6 to 2.1.0
Varnish 2.1.0 has just been released. It contains lots of changes relative to 2.0.6, the most important ones being:
* Experimental support for persistent cache
* The regular expression engine is now PCRE
* Saint mode, where we can serve a cached object if the backend is down or otherwise faulty.
* A more scalable hashing method called critbit
* Increased scalability, removing a limitation of maximum 64k connections
* obj_workspace is removed, this is now scaled automatically
* Hashing and client IP based directors
Note: The release has some syntax changes in VCL, please read the full changelog
* Fix moderate security issue where a malicious Author-level user could gain further access to the site.
* Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
* Fix canonical redirection for permalinks containing %category% with nested categories and paging.
* Fix occasional irrelevant error messages on plugin activation.
* Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin.
* Clarify the license in the readme
* Multisite: Fix the delete_user meta capability
* Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins
* Multisite: Fix ms-files.php content type headers when requesting a URL with a query string
* Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs
While here, set license.
* meta: Fix calling of htmlscrubber to pass the page parameter. The
change of the htmlscrubber to look at page rather than destpage
caused htmlscrubber_skip to not work for meta directives.
=== RELEASE 2.3pre1 ===
Sun Aug 16 06:17:03 MET 2009 mikulas:
Accept cookies for domains with two parts, such as xxxx.yy, where
"xxxx" has at least 4 chars. This likely won't be generic domain such
as "co.tw", so accepting the cookie is safe.
Sun May 17 22:29:43 MET DST 2009 mikulas:
Support encryption with NSS (GPL fanatics don't like OpenSSL, grrr)
Sun May 17 18:51:07 cet 2009 mikulas:
Ignore textarea that is not inside form (for Google)
Sun Jan 18 19:27:56 CET 2009 mikulas:
Avoid quadratic complexity when parsing long forms
Thu Jan 1 14:04:38 CET 2009 mikulas:
UTF-8 text mode terminal support
Sun Sep 14 01:02:06 MET 2008 mikulas:
Decode '%' in downloaded file names
Tue Sep 9 23:13:20 MET 2008 mikulas:
Do not add another '?' or '&' if already present at the end of form
submit URL
Sun Aug 24 17:19:32 MET 2008 Christian Biere <christianbiere@gmx.de>:
magnet: URL support
Wed Aug 20 23:03:10 cet 2008 mikulas:
More strict check for invalid GIF header
(catches some misgenerated images that reported too big size and
overflowed the memory allocator)
Sun Aug 17 23:30:34 MET 2008 mikulas:
Check for too big images
Wed Aug 13 00:24:41 CEST 2008 mikulas:
Fixed occasional drawing after VT switch on framebuffer
Mon Aug 4 18:53:52 cet 2008 mikulas:
Don't submit disabled form entries (this is compatible with
Mozilla/MSIE; Netscape and Lynx do submit them)
Sun Aug 3 02:40:58 MET 2008 mikulas:
Handle restart with servers that send 206 but don't send Content-Range