1.4.3 (2020-02-02)
------------------
Security Fixes
~~~~~~~~~~~~~~
- In Waitress version 1.4.2 a new regular expression was added to validate the
headers that Waitress receives to make sure that it matches RFC7230.
Unfortunately the regular expression was written in a way that, on invalid
input, leads to catastrophic backtracking, which allows for a Denial of
Service with CPU usage going to 100%.
This was reported by Fil Zembowicz to the Pylons Project. Please see
https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
for more information.
1.4.2 (2020-01-02)
------------------
Security Fixes
~~~~~~~~~~~~~~
- This is a follow-up to the fix introduced in 1.4.1 to tighten up the way
Waitress strips whitespace from header values. This makes sure Waitress won't
accidentally treat non-printable characters as whitespace and lead to a
potential HTTP request smuggling/splitting security issue.
Thanks to ZeddYu Lu for the extra test cases.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
CVE-ID: CVE-2019-16789
Bugfixes
~~~~~~~~
- Updated the regex used to validate header-field content to match the errata
that was published for RFC7230.
See: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189
1.4.1 (2019-12-24)
------------------
Security Fixes
~~~~~~~~~~~~~~
- Waitress did not properly validate that the HTTP headers it received were
properly formed, thereby potentially allowing a front-end server to treat a
request differently from Waitress. This could lead to HTTP request
smuggling/splitting.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
CVE-ID: CVE-2019-16789
1.4.0 (2019-12-20)
------------------
Bugfixes
~~~~~~~~
- Waitress used to slam the door shut on HTTP pipelined requests without
setting the ``Connection: close`` header as appropriate in the response. This
is of course not very friendly. Waitress now explicitly sets the header when
responding with an internally generated error such as 400 Bad Request or 500
Internal Server Error to notify the remote client that it will be closing the
connection after the response is sent.
- Waitress no longer allows any spaces to exist between the header field-name
and the colon. While Waitress did not strip the space and thereby was not
vulnerable to any potential header field-name confusion, it should have sent
back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273
Security Fixes
~~~~~~~~~~~~~~
- Waitress implemented a "MAY" part of the RFC7230
(https://tools.ietf.org/html/rfc7230#section-3.5) which states:
Although the line terminator for the start-line and header fields is
the sequence CRLF, a recipient MAY recognize a single LF as a line
terminator and ignore any preceding CR.
Unfortunately if a front-end server does not parse header fields with an LF
the same way as it does those with a CRLF it can lead to the front-end and
the back-end server parsing the same HTTP message in two different ways. This
can lead to a potential for HTTP request smuggling/splitting whereby Waitress
may see two requests while the front-end server only sees a single HTTP
message.
For more information I can highly recommend the blog post by ZeddYu Lu
https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p
CVE-ID: CVE-2019-16785
- Waitress used to treat LF the same as CRLF in ``Transfer-Encoding: chunked``
requests. While the maintainer doesn't believe this could lead to a security
issue, this is no longer supported, and all chunks are now validated to be
properly framed with CRLF as required by RFC7230.
- Waitress now validates that the ``Transfer-Encoding`` header contains only
transfer codings that it is able to decode. At the moment the only supported
value is ``chunked``.
That means that if the following header is sent:
``Transfer-Encoding: gzip, chunked``
Waitress will send back a 501 Not Implemented with an error message stating
as such, as while Waitress supports ``chunked`` encoding it does not support
``gzip`` and it is unable to pass that to the underlying WSGI environment
correctly.
Waitress DOES NOT implement support for ``Transfer-Encoding: identity``;
even though ``identity`` was valid in RFC2616, it was removed in RFC7230.
Please update your clients to remove the ``Transfer-Encoding`` header if the
only transfer coding is ``identity`` or update your client to use
``Transfer-Encoding: chunked`` instead of ``Transfer-Encoding: identity,
chunked``.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
CVE-ID: CVE-2019-16786
- While validating the ``Transfer-Encoding`` header, Waitress now properly
handles line-folded ``Transfer-Encoding`` headers or those that contain
multiple comma-separated values. This closes a potential issue where a
front-end server may treat the request as being a chunked request (and thus
ignore the Content-Length) while Waitress used the Content-Length, as it was
looking for the single value ``chunked`` and did not support comma-separated
values.
- Waitress used to explicitly set the Content-Length header to 0 if it was
unable to parse it as an integer (for example if the Content-Length header
was sent twice (and thus folded together), or was invalid) thereby allowing
for a potential request to be split and treated as two requests by HTTP
pipelining support in Waitress. If Waitress is now unable to parse the
Content-Length header, a 400 Bad Request is sent back to the client.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6
upstream changes:
-----------------
2020-04-04 Florian Schlichting <fsfs@debian.org>
* LSID logins were removed from AWL, drop related bits in davical
2019-12-06 Florian Schlichting <fsfs@debian.org>
* use foreach() instead of deprecated each() (fixes #190)
* HTTP_REFERER will usually be unset for caldav requests, prevent "Undefined index" warnings
2.0 (2019-12-20)
Jump to 2.0 to leave alpha versioning and start doing semver.
No actual breaking changes.
- Make the `sass` and `scss` filters compatible with the reference
compiler
- Add new `sass_ruby` and `scss_ruby` filters to use the deprecated
Ruby Sass compiler
- Update and improve a number of filters.
- Add a SRI feature (Arvid Norlander).
3.0.6:
Fixed a regression in Django 3.0 that caused a crash when filtering a Subquery() annotation of a queryset containing a single related field against a SimpleLazyObject.
These PLIST files have been autogenerated by mk/haskell.mk using
HS_UPDATE_PLIST=yes during a bulk build. They will help to track changes
to the packages. The Haskell packages didn't have PLIST files because
their paths contained package hashes. These hashes are now determined by
mk/haskell.mk, which makes it easy to generate easy to read PLIST files.
Version 2.3.1
-------------
Released 2020-04-22
- All modules in ``wtforms.ext`` show a deprecation warning on import.
They will be removed in version 3.0.
- Fixed a bug when :class:`~fields.SelectField` choices is ``None``.
:issue:`572, 585`
- Restored ``HTMLString`` and ``escape_html`` as aliases for
MarkupSafe functions. Their use shows a ``DeprecationWarning``.
:issue:`581`, :pr:`583`
- ``Form.validate`` takes an ``extra_validators`` parameter, mapping
field names to lists of extra validator functions. This matches
``BaseForm.validate``. :pr:`584`
- Update locale catalogs.
Version 2.3.0
-------------
Released 2020-04-21
- Drop support for Python 2.6, 3.3, and 3.4.
- :class:`~fields.SelectField` uses ``list()`` to construct a new list
of choices. :pr:`475`
- Permitted underscores in ``HostnameValidation``. :pr:`463`
- :class:`~validators.URL` validator now allows query parameters in
the URL. :issue:`523`, :pr:`524`
- Updated ``false_values`` param in ``BooleanField`` docs.
:issue:`483`, :pr:`485`
- Fixed broken format string in Arabic translation :pr:`471`
- Updated French and Japanese translations. :pr:`506, 514`
- Updated Ukrainian translation. :pr:`433`
- ``FieldList`` error list keeps entries in order for easier
identification of which fields had errors. :issue:`257`, :pr:`407`
- :class:`~validators.Length` gives a more helpful error message when
``min`` and ``max`` are the same value. :pr:`266`
- :class:`~fields.SelectField` no longer coerces ``None`` to
``"None"`` allowing use of ``"None"`` as an option. :issue:`289`,
:pr:`288`
- The :class:`~widgets.TextArea` widget prepends a ``\r\n`` newline
when rendering to account for browsers stripping an initial line for
display. This does not affect the value. :issue:`238`, :pr:`395`
- HTML5 :class:`~fields.html5.IntegerField` and
:class:`~fields.html5.RangeInput` don't render the ``step="1"``
attribute by default. :pr:`343`
- ``aria_`` args are rendered the same way as ``data_`` args, by
converting underscores to hyphens. ``aria_describedby="name-help"``
becomes ``aria-describedby="name-help"``. :issue:`239`, :pr:`389`
- Added a ``check_validators`` method to :class:`~fields.Field` which
checks if the given validators are both callable, and not classes.
:pr:`298, 410`
- ``form.errors`` is not cached and will update if an error is
appended to a field after access. :pr:`568`
- :class:`~wtforms.validators.NumberRange` correctly handle NaN
values. :issue:`505`, :pr:`548`
- :class:`~fields.IntegerField` checks input type when processing
data. :pr:`451`
- Added a parameter to :class:`~fields.SelectField` to skip choice
validation. :issue:`434`, :pr:`493`
- Choices which name and data are the same do not need to use tuples.
:pr:`526`
- Added more documentation on HTML5 fields. :pr:`326, 409`
- HTML is escaped using MarkupSafe instead of the previous internal
implementation. :func:`~widgets.core.escape_html` is removed,
replaced by :func:`markupsafe.escape`.
:class:`~widgets.core.HTMLString` is removed, replaced by
:class:`markupsafe.Markup`. :pr:`400`
- Fixed broken IPv6 validator, validation now uses the ``ipaddress``
package. :issue:`385`, :pr:`403`
- :class:`~fields.core.Label` text is escaped before rendering.
:issue:`315`, :pr:`375`
- Email validation is now handled by an optional library,
``email_validator``. :pr:`429`
Version 0.5.0
-------------
Released on February 9th, 2020
- New custom test client: `flask_login.FlaskLoginClient`.
You can use this to write clearer automated tests. 431
- Prefix authenticated user_id, remember, and remember_seconds in Flask Session
with underscores to prevent accidental usage in application code. 470
- Simplify user loading. 378
- Various documentation improvements. 393, 394, 397, 417
- Set session ID when setting next. 403
- Clear session identifier on logout. 404
- Ensure use of a safe and up-to-date version of Flask.
- Drop support of Python versions: 2.6, 3.3, 3.4 450
Changelog:
Fixed
Fixed a bug causing some add-ons such as Amazon Assistant to see multiple
onConnect events, impairing functionality (bug 1635637)
Fixed a crash on 32-bit Windows systems with some nVidia drivers
installed (bug 1635823)
Security Vulnerabilities fixed in Firefox ESR 68.8
#CVE-2020-12387: Use-after-free during worker shutdown
#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
#CVE-2020-12389: Sandbox escape with improperly separated process types
#CVE-2020-6831: Buffer overflow in SCTP chunk input validation
#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
Upstream changes:
1.40 2020-02-27 17:00:00
- Note: There may be some additional fixes not listed below. It's been
a while since this has been released and I noted several commits in
git. Did my best to list but apologies if I missed your patch.
- Use absolute path for do $file in t/generated_app.t
- Add . to @INC in Makefile.PL
- Catalyst::Restarter::Forking: clear watcher in child process
- Typo fixes. RT#87103
- Catalyst::Restarter::Forking: clear watcher in child process.
RT#119830
Upstream changes:
6.07 2020-02-21 03:50:52Z
- Restore =head1 NAME section to pod for HTML::Form
6.06 2020-02-20 14:48:37Z
- Change the behaviour of find_input in list context (GH#21) (E. Choroba)
- Pod tweaks (GH#17) (Olaf Alders)
- Add list context examples for find_input() (GH#20) (Olaf Alders)
- Modernize some tests (GH#18) (Olaf Alders)
Upstream changes:
Moodle 3.8.2 release notes
Release date: 9 March 2020
Here is the full list of fixed issues in 3.8.2.
General fixes and improvements
MDL-67175 - Chrome 80 support
MDL-57755 - Notifications automatically marked as read when messaging deactivated
MDL-67132 - LTI Adv grades do not roll up in course total
MDL-67414 - PostgreSQL 12.x support
MDL-67894 - Database error when sorting responses by "Groups"
MDL-67204 - Assignment calendar events with "alwaysshowdescription" get updated on every task run because of not updated "lastcron" field
MDL-65952 - mod_scorm automatically checks "passed" and "completed" completion options
MDL-67690 - Course Overview doesn't remember Starred filter state
MDL-63316 - Give back the default sort behaviour (lastname) in the participant table
MDL-49103 - Badge baking uses tEXt instead of iTXt
MDL-64531 - Delete quiz JSON error if question category deleted
MDL-67532 - Create Badge Page -- language defaults to 'Afar'
MDL-67817 - Update time zones listed in the language strings
MDL-67675 - Cannot cut and paste if H5P button is added to the Atto toolbar
MDL-60126 - Competency user data is not being erased when user gets deleted
MDL-67842 - Cannot remove the idnumber from a question
MDL-67674 - Performance: Course category tree cache can get built in parallel
MDL-66024 - tool_uploadcourse: fullname/shortname fields don't get length checked while uploading
MDL-51225 - Q&A forum recent activity reveals posts
MDL-67486 - Minimize how long we hold the global cron lock for
MDL-67721 - No 'View grade' button for single simple discussion forum
MDL-65884 - "Activity names auto-linking" filter and activity name like "-" (hyphen) breaks course content visualization
MDL-67471 - mark_notification_read fails if messaging disabled
MDL-66721 - Add an activity or resource menu "add" button appears below the fold
MDL-67364 - TinyMCE editor font sizes are too small in Classic theme (and other child themes)
MDL-67891 - Uninstalling Cohort roles tool can break site upgrade
MDL-67511 - Toast wrapper can interfere with Forum grading buttons
MDL-63424 - Required field indicator missing from Assign submission page
MDL-66875 - Calendar - Navigating months - URL doesn't work
MDL-66858 - <header> HTML5 tag is filtered out by Atto editor
MDL-66220 - Q&A forum allows students to reply to posts they cannot see
MDL-67830 - Error being logged when navigating from gradebook to quiz
MDL-67746 - Cleanup of task logs fails with big number of records to be deleted
MDL-66897 - 'The grades were not saved...' should not be displayed as a success message
MDL-67142 - Long quiz names break deletion ad hoc task when questions are backed up
MDL-67312 - Events without subscriptions can lock users out of their sites
MDL-66108 - Error "You cannot make a category of one of its own subcategories."
MDL-67644 - Allow to disable identity providers via Moodle app feature settings
MDL-67806 - Allow to disable Dark Mode via Moodle app feature settings
MDL-67237 - Option to disable "H5P Offline" feature in the app
MDL-67980 - Sort ad-hoc tasks by "nextruntime"
MDL-65573 - Splitting a discussion creates discussion record with an incorrect first post author
MDL-67732 - Respect the capability for displaying the fullname
MDL-64686 - "Search courses" layout should look good on all screen sizes
MDL-67942 - Quiz: report delete_selected_attempts notice when a user has multiple enrolments
MDL-67424 - Errors showing for Forums in Complete Report for students
Accessibility improvements
MDL-67969 - Calendar: View event details: Accessibility issues
MDL-67899 - Emoji picker button does not have a description
MDL-67876 - Forms with client-side validation should always scroll to the invalid element when you try to submit
MDL-67865 - Broken ARIA reference in the user menu
MDL-67863 - Ensure keyboard focus order is efficient and logical
MDL-67862 - Empty h3 tag in message deletion dialogue
MDL-67684 - Cache data contained in nested ul
MDL-67577 - Accessibility: Wrong tabindex order in top navbar (message+notification)
MDL-61390 - Forum: Heading structure on Search results page
MDL-61389 - Forum: "Discuss this topic" accessibility
MDL-59817 - Atto Accessibility Checker not catching accessibility issues in Firefox
MDL-35971 - Forum discussion table has no summary
Security fixes and improvements
Security fixes
MSA-20-0002 Grade history report does not respect Separate groups mode in the course settings
MSA-20-0003 IP addresses can be spoofed using X-Forwarded-For
MSA-20-0004 Admin PHP unit webrunner tool requires additional input escaping
Moodle 3.8.1 release notes
Release date: 13 January 2020
Here is the full list of fixed issues in 3.8.1.
Fixes and improvements
MDL-67327 - Switching "JavaScript Cache" on crashes first.js
MDL-48024 - Plugins should be able to provide data generators for Behat
MDL-65956 - A teacher trying to remove a submission without having the relevant capability encounters an error
MDL-67410 - Ajax call to enroll potential users is too slow
MDL-66581 - Password reset email doesn't fill in $a->link when auth_method is LDAP
MDL-67392 - Forum information about timed discussion doesn't handle correctly "displaystartdate" and "displayenddate" containing quotes
MDL-67285 - Filepicker does not work in the modal forms - unable to click on input texts
MDL-66503 - Scorm player is really narrow in new window on classic theme
MDL-66871 - Moodle calendar is not able to import .ics files with repeated events anymore
MDL-67042 - Block overview course filter displays hidden custom fields
MDL-65735 - Activity completion report - clicking initial should reset page number
MDL-67152 - Current day not displayed by default when using the calendar day view
MDL-67458 - Fatal error if cohort_role_sync task is run when an assigned role no longer exists
MDL-67359 - Relocate the Notifications area in the grader interface
MDL-67300 - Calendar: Inconsistent behaviour of managegroupentries capability
MDL-67277 - Discussion list shows subjects in bold
MDL-67154 - Quiz print version should not split questions over two pages
MDL-66708 - LTI 1.3 private key reset on each tool edit
MDL-64695 - tool_dataprivacy doesn't filter multilang tags within $SITE->fullname
MDL-67233 - Choices with only open dates in the future do not appear on timeline
MDL-67336 - Forum inline reply option is applying filters before saving content in the DB
MDL-67596 - Cron / adhoc task runners ramp up slowly for no reason
Security fixes
MSA-20-0001 Stored XSS in message conversation overview
Upstream changes:
5.90126 - 2020-01-19
- fix for broken distribution
5.90125 - 2020-01-18
- Support samesite flag for cookies (mitchjacksontech++)
- utility method on Catalyst::Action 'equals'
- new predicate methods 'has_request' and 'has_response'. Useful in
plugins that might run bits before a request is finalized.
Upstream changes:
0.24 2020-01-30 13:59:56 UTC
- use better packages/subnames for coderefs
- add all CONTRIBUTORS to POD
- add test for working alarm signal in CGIs
0.23 2020-01-17 10:31:33 UTC
- fix race condition in temp dir creation (jr-dimedis) #24
Add p5-JSON as BUILD_DEPENDS for test
Upstream changes:
1.3513 2020-01-29 21:00:41+00:00 Europe/London
[BUG FIXES]
- Fix test failures since YAML.pm 1.30 (GH #1208)
- More test failures with proxy env var set (GH #1204)
3.6.4:
Fix parenthesization for selector schema and real parents
Add deprecation warning for global variable creation
Ensure correct output order of compound selectors
Handle loaded source code as shared objects
New custom memory allocator - disabled for now
Add back C-API getters for plugin paths
Fix abspath handling on windows without directory
Fix various edge case crashes
Fix segfault on directive ruleset
Fix heap-buffer-overflow in lexer
Fix stack-overflow in parser
Fix memory leak in parser
Fix memory leak in evaluation
Fix memory handling edge case
Fix some null pointer access crashes
Preparations for ongoing refactoring
Changelog:
SeaMonkey 2.53.2 contains (among other changes) the following major changes relative to SeaMonkey 2.53.1:
Scrollbars have been switched over to the native gtk3 theme in bug 1625754. If your theme does not show scrollbar buttons and you would like to see them try editing ~/.config/gtk-3.0/gtk.css and adding the following:
* {
-GtkScrollbar-has-backward-stepper: 1;
-GtkScrollbar-has-forward-stepper: 1;
}
The download progress dialog has been fixed and is now showing the correct status for downloads. Some downloads may not show the transferred count. This problem is under investigation.
SeaMonkey is now translated and available in Finnish and Georgian.
Because of website compatibility issues and privacy concerns the Lightning version is no longer appended to the user agent string and has been removed from the preferences dialog.
Advanced Layers has been activated on Windows. This should boost performance on some websites. If you experience graphics problems please disable it by setting the pref "layers.mlgpu.enabled" to false.
Whether the native app chooser is used in Linux is now controlled via a preference setting in the Helper Applications preference pane.
In the Modern theme, popup notifications have improved styling and column headers now display sort direction arrows.
The column picker and folder view have been reinstated for the bookmarks panel.
Introduced the ability to close all tabs to the right of the current tab.
Whether mailnews tabs open in the background is controlled by a separate preference to browser tabs via General Settings section of main Mail & Newsgroups preference pane.
Fixed an issue with the recipient being missing when using Reply to Sender and Group button in Newsgroup discussions.
SeaMonkey now prevents address books from having duplicate names.
SeaMonkey 2.53.2 contains (among other changes) the following major changes relative to SeaMonkey 2.49.5:
The Bookmarks Manager has switched its name to Library, and now also includes the History list. When invoking History, the Library will be shown with the History list selected. The extensive modifications were needed because of Mozilla Gecko platform API changes.
Download Manager has been migrated to a new API. Although it looks pretty much the same as before, the search option is missing and some other minor details work differently. The previous downloads history is removed during the upgrade.
The layout panel was added to the CSS Grid tools.
TLS 1.3 is the default SSL version now.
The only NPAPI plugin which will work with SeaMonkey 2.53.2 is Flash. Support for other NPAPI plugins like Java and Silverlight has been removed.
SeaMonkey now uses a new API for formatting regional data like time and date. The default is to use the application locale of the current SeaMonkey build. If you use a language pack or a different OS formatting this is usually not desired. You can change the formatting from the application locale to the regional settings locale (OS) in the preferences dialog under "Appearance".
SeaMonkey 2.53.2 uses the same backend as Firefox and contains the relevant Firefox 60.3 security fixes.