Changelog:
FIXED
Security fixes can be found here
Fixed in Firefox ESR 17.0.9
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
MFSA 2013-65 Buffer underflow when generating CRMF requests
Bugfixes
[SSPCPP-543] - AttributeExtractor fails to deal with multiple Logos
[SSPCPP-547] - Encoding problem with Metadata Attribute Extractor
[SSPCPP-549] - Shibboleth SP 2.5.1 breaks Apache 2.4.3's error pages
[SSPCPP-550] - Problems with native.log file rotation
[SSPCPP-551] - DiscoFeed Content-Type header lacks charset
[SSPCPP-552] - Solaris TCP Listener code is broken
[SSPCPP-568] - Unattended install pegs the CPU and never completes
[SSPCPP-569] - native log files not closed at/before CGI exec
[SSPCPP-570] - mod_shib takes over valid-user for entire server
[SSPCPP-573] - ShibDisable on breaks basic auth valid user
[SSPCPP-575] - Source build w/memcached and/or fastcgi support fails
[SSPCPP-579] - Internal stack overflow in log4shib
Improvements
[SSPCPP-493] - Default allow access to Shibboleth.sso by default in shibd.conf
[SSPCPP-501] - Make metagen ingest a list of hostnames from a file
2.5.1:
Bugfixes
[SSPCPP-409] - Shibboleth2.xml - undefined InProcess/OutOfProcess means no shibd.log/native.log
[SSPCPP-490] - CLang build issue with stream operator overload
[SSPCPP-492] - SP Release 2.5.0 does not compile with xml-security-c versions prior to 1.7.0
[SSPCPP-495] - Warning Shibboleth.PropertySet : load() skipping duplicate property set:
[SSPCPP-499] - Fresh Installation on Windows XP fails after service daemon fails to start
[SSPCPP-500] - configure fails against Apache 2.4
[SSPCPP-502] - Apache 2.4 post_read hook isn't run on subrequests, breaks module
[SSPCPP-504] - ScopedAttributeDecoder fails on non-ascii chars?
[SSPCPP-505] - shibd on Windows missing a version option
[SSPCPP-507] - Insert record failed Violation of PRIMARY KEY constraint with ODBC plugin
[SSPCPP-510] - Installer scripts (particularly the uninstall ones) should fail safe
[SSPCPP-514] - FCGI responder stdin buffer missing termination
[SSPCPP-516] - apache24.config missing from makefile target
[SSPCPP-518] - Incorrect requireLogoutWith redirection if the original URL has query string
[SSPCPP-519] - Shorthand SSO/Logout syntax not working with policyId setting
[SSPCPP-521] - Schemas are not being edited on Windows Installation
[SSPCPP-522] - Transform resolver echoes source string when match fails
[SSPCPP-526] - Transaction log crashes on SOAP-based logout
[SSPCPP-527] - Add ignoreNoPassive attribute to SSO element
[SSPCPP-540] - ISAPI header detection code is prone to false alarms
Improvements
[SSPCPP-402] - Support front-channel SLO without cookies
[SSPCPP-447] - Extension of consistentAddress for IPv6
[SSPCPP-501] - Make metagen ingest a list of hostnames from a file
[SSPCPP-517] - Windows SP installer should not always roll back when shibd fails to start
New Feature
[SSPCPP-515] - Make /Status handler report SessionCache
2.5.0:
Bugfixes
[SSPCPP-344] - Version strings in various spots are wired at compile time
[SSPCPP-345] - Split "package-level" and "user-level" settings in shib.conf to limit effect of RPM upgrades.
[SSPCPP-365] - Support for binary attributes in resolver
[SSPCPP-382] - Correct date format in Expires headers
[SSPCPP-383] - Tag entityID not usable in error templates
[SSPCPP-387] - Cryptographic nameID is longer than key length that memcache can handle
[SSPCPP-391] - Generation of keys for relay state is not strongly random
[SSPCPP-392] - Valgrind detects memory leaks
[SSPCPP-393] - Setting session timeout="0" creates infinite loop between SP and IDP
[SSPCPP-400] - NameID lookup for logout ignores logical SP boundaries
[SSPCPP-401] - IIS App Pool Crash
[SSPCPP-406] - Should check for cross platform previous versions?
[SSPCPP-408] - ECP flow fails for Session configured inside of ApplicationOverride
[SSPCPP-411] - openSUSE 12.1 erases /var/run at each reboot, so shibd fails to start
[SSPCPP-413] - Schema catalogs should be set after XMLTooling init.
[SSPCPP-416] - IIS breaks with error "isapi_shib: Attempted to insert duplicate storage key." Server restart required to fix
[SSPCPP-417] - redirectErrors configuration attribute does not handle relative URLs
[SSPCPP-419] - ExtensibleAttribute internal marshalling doesn't handle attribute naming correctly
[SSPCPP-423] - After upgrading SP to Alpha SP 2.5 RPM from previous version of SP, shibd does not start.
[SSPCPP-431] - Change links of https://spaces.inetrnet2.edu to wiki.shibboleth.net
[SSPCPP-438] - Artifact resolver code doesn't use EndpointIndex in 2.0 artifacts
[SSPCPP-439] - Auto-generated ACS endpoints improperly tracked by index
[SSPCPP-443] - SP not signing ECP AuthnRequests
[SSPCPP-444] - Multiple shib_state cookies get set -> server chokes on header field size
[SSPCPP-445] - RequestInitiator metadata generated in a case where it shouldn't be
[SSPCPP-448] - setting relayState to use ODBC storage service results in attempted redirects to an invalid URL
[SSPCPP-449] - RequestMap not normalizing hostname for comparison
[SSPCPP-459] - redirectLimit parser typo
[SSPCPP-460] - A spelling error in the configure file
[SSPCPP-461] - caching DiscoFeed fails b/c cache directory does not exist
[SSPCPP-465] - CLONE - Tag entityID not usable in error templates
[SSPCPP-467] - Cross-contamination from conflicting @relayState settings
[SSPCPP-468] - Aliases support in XML Attribute Extractor no longer working in 2.5.0 Beta 1
[SSPCPP-487] - relayStateLimitWhitelist parameter is being changed inadvertently by limitRelayState method
[SSPCPP-488] - No way to get client address set for ExternalAuth sessions
[SSPCPP-489] - Windows installer (tries to) install a 64 bit path into IIS
[SSPCPP-498] - Hardcoded path in XMLTooling is invalid on localized WinXP/2003
Improvements
[SSPCPP-319] - Augment XMLAccessControl for time based access control.
[SSPCPP-326] - Abbreviated IPv6 address format and CIDR support for acl
[SSPCPP-332] - Session cache slows down if large numbers of sessions with a single NameID are created
[SSPCPP-335] - Handle query strings on POST and avoid unintended POST data consumption
[SSPCPP-352] - Expose RelayState limiter as a public API and revisit default setting
[SSPCPP-353] - Package the SP to run as non-root user
[SSPCPP-361] - Session handler with better parseable and accessible (X)HTML code
[SSPCPP-362] - add 'metadata last refresh' to SP's status page
[SSPCPP-366] - generated metadata should include cryptographic algorithms
[SSPCPP-375] - Add httpOnly to cookieProps in the shibboleth2.xml config
[SSPCPP-376] - Add a post-filtering hashing feature to shorten long attributes, namely ePTIDs
[SSPCPP-394] - Support multiple authn context references in requests
[SSPCPP-399] - Simple Aggregation plugin should allow "prefixing" of attributes or dedicated extractors
[SSPCPP-403] - Facilitate signing Logout messages
[SSPCPP-404] - Log entry for failed consistentAddress="true" check
[SSPCPP-405] - CRIT Shibboleth.Application : no MetadataProvider available should be a warning not CRIT
[SSPCPP-407] - Improve logging on invalid XML in shibboleth2.xml configuration file
[SSPCPP-418] - Incorporating Boost libraries into code base
[SSPCPP-420] - Memcache build on RH6 and error handling fixes
[SSPCPP-425] - ShibAccessControl Relative Paths to user web content
[SSPCPP-436] - Log on DEBUG when a shibsession cookie is being cleared because no corresponding session is found by Shibboleth
[SSPCPP-446] - Try moving child_init hooks in Apache 2.x modules to post_config
[SSPCPP-458] - Unprecise error message when wrong certificate is used for SAML2 encryption
[SSPCPP-464] - Provide Logging to Recommend Production Settings
[SSPCPP-470] - Identify deprecated features or suboptimal settings and add warnings
[SSPCPP-472] - AttributeExtractor: remove leading/trailing whitespace created by formatter
New Features
[SSPCPP-245] - Support for attribute requirements in the SP
[SSPCPP-339] - Extraction of contacts and other built-in metadata information
[SSPCPP-341] - AttributeResolver plugin(s) for regexp or template-based transformation of values
[SSPCPP-342] - Metadata / Attribute filtering based on EntityAttributes
[SSPCPP-343] - Add support for capturing AuthenticatingAuthority
[SSPCPP-349] - Parseable audit logs for SP
[SSPCPP-389] - Add option to shibd to set uid and gid at startup
[SSPCPP-390] - Multiple language versions for the same attribute
[SSPCPP-396] - Simplify logout support for Native SP
[SSPCPP-410] - add support for the 'policy' query string parameter
[SSPCPP-421] - Extraction of consent attribute from SAML 2 responses
[SSPCPP-430] - Apache 2.4 support
[SSPCPP-437] - Add artifact binding for resolving artifacts via file system
[SSPCPP-440] - Loopback handler to exchange an assertion for a session
[SSPCPP-469] - Logout request extension to specify no response
[SSPCPP-471] - Shorthand settings for manipulating cookie properties
[SSPCPP-486] - Add automatic algorithm blacklist
* Merge some patches via FreeBSD ports.
* Tested on NetBSD/amd64 6.99.23 and DragonFly/amd64 3.4.1.
* Use system hunspell dictionaries.
* DuckDuckGo search window.
* Enable system icu support.
Changelog:
NEW
Support for new scrollbar style in Mac OS X 10.7 and newer
NEW
Implemented Close tabs to the right
NEW
Social: Ability to tear-off chat windows to view separately by simply dragging them out
CHANGED
Accessibility related improvements on using pinned tabs (see 577727)
CHANGED
Removed support for Revocation Lists feature (see 867465)
CHANGED
Performance improvements on New Tab Page loads (see 791670)
DEVELOPER
Major SVG rendering improvements around Image tiling and scaling (see 600207)
DEVELOPER
Improved and unified Browser console for enhanced debugging experience, replacing existing Error console
DEVELOPER
Removed support for sherlock files that are loaded from application or profile directory
FIXED
Replace fixed-ratio audio resampler in webrtc.org capture code with Speex resampler and eliminate pseudo-44000Hz rate (see 886886)
FIXED
24.0: Security fixes can be found here
Fixed in Firefox 24
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-87 Shared object library loading from writable location
MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-84 Same-origin bypass through symbolic links
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately.
0.11.3 (July 29th 2013)
* FIX#1297 Added missing comma to spec_helper.rb generation (@lmorduch)
* FIX#1298 DataMapper auto_migrate/auto_upgrade the default repository
(@Ortuna)
* FIX#1276 Merged range_field_tag.* templates into form_tag.* (@Ortuna)
* FIX#1247 Ensure requiring active_record (@udzura)
* FIX#1307 Lock nokogiri to 1.5.10 (@Ortuna)
* FIX#1307 fixed haml_tag so it doesn't explode with undefined method
(@Ortuna)
* FIX#1314 Do not add authenticity token to GET form (@Ortuna)
* FIX#1320 Some auto-detection for authenticity_token & form_tag (@Ortuna)
* FIX#1319 "&" should be escaped to "&amp;" (@tmtm)
* NEW #1321 Added some additional HTML boolean attributes. (@namusyaka)
* FIX#1325 Locking down active support to less than 4.0 (@Ortuna)
* NEW #1326 Add ability for cache_key to be a block (@Ortuna)
* FIX#1318 Make caption arg in submit-tag helper optional even when options
args are supplied (@dayflower)
* FIX#1313 Implemented create and drop tasks for Sequel (@dariocravero)
* FIX#1250 Prevent logging of health-check requests at log level over :debug
(@tyabe)
* FIX#1244 mat method do not working in admin views (@silentvick)
* FIX#1226 Allow users to override admin templates on a file by file basis
(@xavriley)
* FIX#1054 Implemented disabled attribute for select_tag form helper
(@dariocravero)
* FIX#1328 Added test cases for #1188 (@Ortuna)
* FIX#1186 Reverted DataMapper's explicit String to Integer
castings. (@dariocravero)
* FIX#1330 Update Twitter Bootstrap and Font-Awesome (@WaYdotNET)
* FIX#1335 Make instances of he | himself | his | him all be gender
neutral. (@didlix)
* FIX#1334 Error into admin section (@WaYdotNET)
* FIX#1336 File.read is better than "open" (@namusyaka)
* FIX#1294 Use :grouped_options of select_tag (@namusyaka)
* FIX#1337 don't use block for content_tag in #select_tag (@namusyaka)
* FIX#751 introduce #absolute_url for generating absolute urls (@ujifgc)
* FIX#827 refactor padrino-cache expiration (@ujifgc)
* FIX#1327 introduce :namespace option to abstract form builder (@sshaw)
* FIX#1341 Fix module name including dashes in project generator (@tyabe)
* FIX#1261 introduce case insensitive authentication by email (@ujifgc)
* FIX skip padrino-cache with mongo on rbx engine (@ujifgc)
* FIX#1195 Generator errors without git already set-up (@ujifgc)
* FIX#1349 Redo tests for cache (@Ortuna)
* FIX#1353 Add test cases for select_tag (@namusyaka)
* FIX#1354 compatibility with 1.8.7 (@namusyaka)
* FIX#1355 Automatically add multipart option to form_for if include
file_field (@tyabe)
* FIX#1356 Breadcrumb#del does not work when name type is Str (@namusyaka)
* FIX Receive multipart option (@tyabe)
* NEW #1358 Add test file for breadcrumbs. (@namusyaka)
* FIX#1361 prioritized routes are working again (@namusyaka)
* FIX#1257 Add a test to show use case for routing priority (@jeffutter)
* FIX#1365 padrino rake mi:create_indexes task looks at subdirs (@natsumesou)
* FIX#1367 bad placement output of button_to (@namusyaka)
=== raindrops 0.12.0 - compatibility fixes / 2013-09-02 10:33 UTC
This release fixes builds on systems where compilers target i386
(and not later x86 systems). There are also minor improvements for
Ruby 2.1.0dev and Rubinius.
Eric Wong (5):
doc: add email address to generated doc/site
README: update regarding Ruby support status
extconf: try harder for gcc atomics in i386-configured systems
linux_inet_diag: improve compatibility with newer GCs
test_watcher: fix for Ruby trunk r40195 and later
=== raindrops 0.11.0 - minor fixes improvements / 2013-04-20 23:10 UTC
Eric Wong (7):
raindrops: favor configured processor count over online count
watcher: set Content-Type via assignment
Linux::TCP_Info: implement #get! instance method
linux_inet_diag: avoid unnecessary sockaddr initialization
.gitignore: add .rbx
switch back to gemspec development dependencies
linux_inet_diag: better align listener_stats struct
Lawrence Pit (1):
Watcher: Use relative paths in HTML links
3.2.10
* Use the Sass logger infrastructure for @debug directives.
* When printing a Sass error into a CSS comment, escape */ so the comment
doesn't end prematurely.
* Preserve the ! in /*! ... */-style comments.
* Fix a bug where selectors were being incorrectly trimmed when using @extend.
* Fix a bug where sass --unix-newlines and sass-convert --in-place are not
working on Windows (thanks SATO Kentaro).
3.2.9
* Fix a bug where @extends would occasionally cause a selector to be generated
with the incorrect specificity.
* Avoid loading listen v1.0, even if it's installed as a Gem (see issue 719).
* Update the bundled version of listen to 0.7.3.
* Automatically avoid the IE7 content: counter bug.
3.2.8
* Fix some edge cases where redundant selectors were emitted when using @extend.
* Fix a bug where comma-separated lists with interpolation could lose elements.
* Fix a bug in sass-convert where lists being passed as arguments to functions
or mixins would lose their surrounding parentheses.
* Fix a bug in sass-convert where null wasn't being converted correctly.
* Fix a bug where multiple spaces in a string literal would sometimes be
folded together.
* sass and sass-convert won't create an empty file before writing to it. This
fixes a flash of unstyled content when using LiveReload and similar tools.
* Fix a case where a corrupted cache could produce fatal errors on some
versions of Ruby.
* Fix a case where a mixin loop error would be incorrectly reported when using
@content.
=== unicorn 4.6.3 - fix --no-default-middleware option / 2013-06-21 08:01 UTC
Thanks to Micah Chalmer for this fix. There are also minor
documentation updates and internal cleanups.
== 1.5.1 Straight Razor
* Fix issue when running as another user/group without a PID file.
* Allow overriding Connection & Server response headers.
* Update vlad example [Mathieu Lemoine]
* Keep connections in a Hash to speedup deletion [slivu]
* Force kill using already known pid. Prevents "thin stop" from leaving
a process that removed its pid file, but is still running (e.g. hung
on some at_exit callback) [Michal Kwiatkowski]
=== 2.9 / 2013-07-24
* Minor enhancement
* Added max_requests to avoid ECONNRESET for a server that allows a limited
number of requests on a connection. Pull request #42 by James Tucker.
* Request failures are now raised with the backtrace of the original
exception. This gives better insight into the reason for the failure.
See #41 by Andrew Cholakian.
* OpenSSL is no longer required. If OpenSSL is not available an exception
will be raised when attempting to access HTTPS resources. Feature request
by André Arko
* Bug fixes
* Explain the proper way of sending parameters depending upon the request
method. Issue #35 by André Arko.
* Handle Errno::ETIMEDOUT by retrying the request. Issue #36 by André Arko.
* Requests retried by ruby 2.x are no longer retried by net-http-persistent.
* Finish the connection if an otherwise unhandled exception happens during a
request. Bug #46 by Mark Oude Veldhuis.
* detect_idle_timeout now assumes a StandardError indicates the idle timeout
has been found. Bug #43 by James Tucker.
=== 1.4 / 2013-07-23
* Minor enhancements
* Relaxed parser to accept quoted algorithm to work with Linksys SPA922.
Pull request #8 by Ismail Hanli, Issue #5 by bearded
=== 1.3 / 2012-03-28
* Minor enhancements
* The cnonce is regenerated for every request to improve security.
* SecureRandom is used to generate the cnonce instead of Kernel#rand
* Bug fix
* cnonce and nonce-count are no longer sent when qop was not provided per
RFC 2617 section 3.2.2.
changelog
===========
Version 0.5.1 (June 25, 2013)
-----------------------------
* Ensure compatibility across distros by detecting if `python2` is available
Version 0.5.0 (Apr 13, 2013)
-----------------------------
* Use #rstrip to fix table mode bug
Version 0.4.2 (Feb 25, 2013)
-----------------------------
* Add new lexers, including custom lexers
HTTP::Cookie is a ruby library to handle HTTP cookies in a way both
compliant with RFCs and compatible with today's major browsers.
It was originally a part of the
[Mechanize](https://github.com/sparklemotion/mechanize) library,
separated as an independent library in the hope of serving as a common
component that is reusable from any HTTP related piece of software.
The following is an incomplete list of its features:
* Its behavior is highly compatible with that of today's major web
browsers.
* It is based on and conforms to RFC 6265 (the latest standard for the
HTTP cookie mechanism) to a high extent, with real world conventions
deeply in mind.
* It takes eTLD (effective TLD, also known as "Public Suffix") into
account just as major browsers do, to reject cookies with an eTLD
domain like "org", "co.jp", or "appspot.com". This feature is
brought to you by the domain_name gem.
* The number of cookies and the size are properly capped so that a
cookie store does not get flooded.
* It supports the legacy Netscape cookies.txt format for
serialization, maximizing the interoperability with other
implementations.
* It supports the cookies.sqlite format adopted by Mozilla Firefox for
backend store database which can be shared among multiple program
instances.
* It is relatively easy to add a new serialization format or a backend
store because of its modular API.
= 2.1
=== 19th Aug, 2010 (whyday)
* Helpers#R now calls to_param on any object it passes in
* Fix route generation issue with routes including "." (#22)
* Improved tests
* Improved 1.9 support
* Camping::Server is now built upon Rack::Server
* Add support for ERB, Haml etc through Tilt
* Introducing Camping.options and Camping#set
* Camping::Server only loads ActiveRecord when needed
4.37 2013-09-13
- Improved design of built-in templates.
4.36 2013-09-12
- Added match method to Mojo::DOM.
- Added match method to Mojo::DOM::CSS.
- Improved ancestors and children methods in Mojo::DOM to support all CSS
selectors.
- Improved syntax highlighting in documentation browser.
- Improved compatibility with different object systems.
4.35 2013-09-10
- Added origin attribute to Mojo::Cookie::Response.
- Fixed RFC 6265 compliance bugs in Mojo::Cookie::Request,
Mojo::Cookie::Response and Mojo::UserAgent::CookieJar.
4.34 2013-09-08
- Fixed portability bug in SO_REUSEPORT tests.
Changelog:
Version 5.0.11 Sep 10th 2013
Fixing upload in shared folders with create privileges
Making ldap more robust in certain situations
Handing quota violation earlier to make the desktop clients more robust
Several quota fixes
Fix issues with certain file names like 0 or false
Disable smb in files_External on windows servers
Enable user to decrypt files again after encryption app was disabled
Improved Encryption messages
Add a searchByMime call to API
Fix multiselects for Firefox on Mac in groups management
Reduce the number of ldap connections
Show a “password incorrect” notice when used shared password is wrong
Switch to the completely new Google Drive SDK.
Scanner: additional tests for reusing etags during scanning
Fix accessing files that are newly created by setting the right mime type
Several Calendar bugfixes
Fixed “Show on Map” in Contacts
A lot of Contacts fixes
Several “Tasks” fixes
This Apache LDAP authentication/authorization module tries to solve
the following problems that other such modules may not solve in all cases:
* Map the short form of the distinguished name of a certificate and its
issuer obtained from the environment of mod_ssl to a user distinguished
name in an LDAP directory.
* Check the age of a password in an LDAP directory, denying authorization
in case the password is too old.
* Authorize a user based on roles or an arbitrary LDAP filter expression.
* Authorize a user based on whether he owns a file or belongs to the group
owning a file.