- With OpenSSL 0.9.7, prevent session resumption during a
renegotiation to force the client to negotiate a new (and
acceptable to mod_ssl) cipher suite. Additionally, ensure
that a correct cipher suite has been negotiated afterwards
(CAN-2004-0885).
- Fixed more printf(3) style format string bugs (not security
related) which could crash the server if mod_ssl's trace
or debug log level is enabled.
cp -r copies symlinks as symlinks (which caused
files to be missing in install).
Hopefully, this is portable. I tested under NetBSD and with coreutils.
And I brought this up on tech-pkg in July.
* fixed crash occurring in autosave after paste
* expose api version in pkgconfig file
* more line breaking touches
* fixed embedded widgets not shown problem
Unfortunately, guile{,14}/buildlink3.mk directly includes it, and I don't
know which dependencies actually need libltdl, so it was a recursive bump.
Hopefully this recursive inclusion can be ripped out of
guile{,14}/buildlink3.mk at some point and bubble down to dependencies that
actually use libltdl, avoiding this headache in the future....
Bug fixes
* Add a list of printers to the print dialog. Fix printing
in several recent distributions. (Marco)
* Remove duplicate AC_PROG_INTLTOOL (Christian) [#155028]
* Fix a crash when rebuilding bookmarks menu (Christian) [#154805]
This includes a security problem with SNMP support, which is enabled by default.
<http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities>
* pkgsrc changes:
- Don't use PKGNAME within DIST_SUBDIR. Instead, use a date-based DIST_STAMP.
This change prevents the extra DIST_SUBDIR change asked for by kim@.
- Remove setproctitle(3) hack for dnsserver helper program since use of
dnsserver itself is problematic with the huge size of the squid process.
* Changes to squid-2.5.STABLE7 (11 Oct 2004)
- [Medium] No objects cached in ufs cache_dir type in some
configurations. Issue introduced in 2.5.STABLE6 by the patch for
Bug #676. (Bug #1011)
- [Minor] LDAP helpers update to correct LDAP connection management
and add support for literal password compare instead of binding
- [Minor] A large number of queued DNS lookups for the same domain
(Bug #852)
- [Cosmetic] request_header_max_size configuration partly ignored
(Bug #899)
- [Minor] Partial hit results in TCP_HIT, not TCP_MISS. (Bug #1001)
- [Cosmetic] HEAD requests may return stale information (Bug #1012)
- [Cosmetic] Warn if cache_dir ufs can not create files. (Bug #918)
- [Minor] case insensitive authentication (Bug #431)
- [Cosmetic] Add delay pools information to active_requests. (Bug
#882)
- [Minor] Apparent memory leak in client_db (Bug #833)
- [Minor] NTLM authentication truncated causing failures. (Bug
#1016)
- [Cosmetic] Grammatical corrections in squid.conf.default
- [Cosmetic] Unknown %X errorpage codes incorrectly quoted. (Bug
#1030)
- [Medium] Segfaults and other strange crashes when using heap
policies. (Bug #1009)
- [Minor] Supplementary group memberships not set (Bug #1021)
- [Cosmetic] ERR_TOO_BIG Portuguese translation
- [Minor] external_acl does not handle newlines (Bug #1038)
- [Major] NTLM authentication denial of service when using msnt_auth
or fake_auth (Bug #1045)
- [Medium] Memory leaks when using NTLM authentication without
challenge reuse. (Bug #994)
- [Minor] Temporary NTLM memory leak with challenge reuse enabled
(Bug #910)
- [Minor] assertion failed: "n_ufs_dirs <=
Config.cacheSwap.n_configured". (Bug #1053)
- [Minor] Segfault in authenticateDigestHandleReply. (Bug #1031)
- [Minor] acl time fails to parse multiple time specifications
(Bug #1060)
- [Minor] cachemgr config dumps mixed up Range and Request-Range
headers in http_header_access & replace directives. (Bug #1056)
- [Minor] Content-Disposition added as a well known header (Bug #961)
- [Cosmetic] Don't warn about arp acls not being supported on FreeBSD
(Bug #1074)
- [Cosmetic] Limit internal send/receive buffer sizes (Bug #1075)
- [Medium] New acl types to match arbitrary HTTP headers. In addition
the http_header_access & replace directives now support arbitrary
headers and not only the well known ones. (Bug #961)
- [Cosmetic] ncsa_auth now accepts Windows formatted password files
(Bug #1078)
- [Cosmetic] Support the --program-prefix/suffix options or other
configure program name transforms (Bug #1019)
- [Minor] Fix race condition in CONNECT and also handle aborts of
CONNECT requests in a more graceful manner. (Bug #859)
- [Minor] New balance_on_multiple_ip directive to work around certain
broken load balancers and optimized ipcache on reload requests
(Bug #1058)
- [Medium] New reply_header_max_size directive (Bug #874)
- [Minor] Suspected instability on aborted PUT/POST requests (Bug #1089)
- [Security] SNMP Denial of Service fix (CAN-2004-0918)
Changes:
* Quanta Plus
o VPL: enable VPL on KDE 3.3.x
o show (again) the full filename in a tooltip
o don't crash if the preview widget is closed with a JavaScript command
from the code itself
o possible crash on startup fixed
o don't try to autofill a closing tag for non-xml tags
o when opening a Quanta 3.2 project set the upload status of the files
to "When Modified" not to "Never"
o when adding files to a project, use the upload status of the parent
directory for the newly added file
o fix the Save As.. behavior (it defaulted to some strange directories,
depending on the active treeview, selected directory, etc.)
o update the modified status text/icon when using Save All
o always find the right action to edit, even if there are more actions
with the same user visible name
o don't change the template description if writing to the .dirinfo file
fails (usually for global templates)
o fix creation of new template directories (template type was stored
incorrectly)
o display the user-readable template type in every dialog
o fix the Konqueror launch in meinproc.kmdr
o fix open dialog in checkxml.kmdr: use the folder selection dialog
to select folders
o improvement: don't show the project toolbar when no project is loaded
o improvement: support loading of more than one toolbar at a time
o improvement: don't ask for toolbar saving if the toolbar names were
modified by Quanta to add (1), (2), etc. at the end
o improvement: disable the Quanta Template page in properties if you
don't have writing rights to the directory
o improvement: show the user-readable template description for every
template file, not just the directories.
o improvement: don't allow changing the template type in the properties
of a file as it's valid per-directory.
* Kommander
o output from ExecButton wasn't sent to standard output
* KLinkStatus
o enable the hide toolbar menu item in the toolbar context menu (and
don't crash with KDE 3.3.0 when you right click on the toolbar)
under ${PREFIX} instead of being an absolute path.
So fix the references using RCD_SCRIPTS_EXAMPLEDIR to be
${PREFIX}/${RCD_SCRIPTS_EXAMPLEDIR}.
This should have no changes to use before.
Please note that the MESSAGE files in most cases are wrong in the
first place. We have automated mechanisms and could have an automated
message for explaining rc.d script usage. (This is something to do!)
Also, work around a horrible interaction with the gzip in NetBSD
2.0 (at least RC4). If gzip is used in a pipeline the tarfile
fails to extract (PR bin/27228)
Changes since 5.0.27:
General
fix 30239: Updated IIS how-to to link to Wiki page with
instructions for IIS 5 and IIS 6 configurations. (yoavs)
fix 30238: Replaced isapi_redirector.dll with isapi_redirect.dll
in installation script for consistency. (yoavs)
fix 29584: Enhanced and clarified JNDI documentation.
(yoavs)
fix 30245: Corrected Connector documentation to list
"address" as a common attribute. (yoavs)
fix 29826: Modified setclasspath.bat exit code to 1.
(yoavs)
update Updated status page, mostly rewritten. (yoavs)
update Updated Jakarta-Commons dependencies: BeanUtils to 1.7.0,
Collections to 3.1. (yoavs)
update Removed classic compiler directives from Ant build, as we
use modern anyways. (yoavs)
update Modified RELEASE-PLAN-5.0.html to indicate status given
start of work on Tomcat 5.next. (yoavs)
update Added command lines utilities version.sh, version.bat to
let you know what version is installed. (funkman)
Catalina
fix 30602: Subject is not available during the first call
to the servlet which uses basic authentication.
(jfarcand)
fix 29831: Added support for Boolean property to
BeanFactory. (yoavs)
fix 28875: Made ErrorReportValve use UTF-8 encoding by
default. (yoavs)
fix 30325: Only set CATALINA_HOME if not already set (in
bin/catalina.sh). (yoavs)
fix 30144: Made SSIServlet check resource MimeType before
using text/html and UTF-8 default. (yoavs)
fix 29406: Made JAASRealm configurable as to whether it
should use the context ClassLoader or the default
ClassLoader by adding a useContextClassLoader boolean
attribute. (yoavs)
fix If ServletResponse.getWriter() is called and no char
encoding has been specified, set response char encoding to
default (ISO-8859-1) so that it is reflected in
getContentType() and Content-Type header, as required by
the Servlet Spec (Bugtraq 6152759) (luehe)
fix 29869: Better JMX/JSR77 support in StandardContext and
StandardWrapper. (remm)
update Fixed broken link to JK documentation from AJP Connector
reference page. (yoavs)
fix 30587: Typo in ExtendedAccessLogValve. (yoavs)
fix 30561: Broken restart of NamingService. (yoavs)
fix 29668: NPE in HostConfig, directory created for
deployed WAR instead of xml file. (yoavs)
fix 30179: Improved Bootstrap catalina.properties
handling. (yoavs)
fix 30762: Servlet#destroy was called before
contextDestroyed. (yoavs)
fix 30650: Added explicit comments on session equals()
implementation. (yoavs)
Coyote
fix 30770: Check that the browser actually sent a user-agent
header before using it. (billbarker)
fix Default charset not included in Content-Type response header
if no char encoding was specified (see Bugtraq 6152759).
(luehe)
Jasper
fix 29971: Commented out page directive is parsed. (luehe)
fix 30067: 'Scripting elements are disallowed here' exception
behind scriptless tag. (luehe)
fix 30073: NPE when compiling .jspx with broken xml format in
jspcmode. (luehe)
fix 30291: Smap for a tag should not include its body.
(kinman)
fix 30289: Incorrect Smap for multiple line java expression.
(kinman)
Cluster
Webapps
fix 29779: Admin/Examples SetCharacterEncodingFilter wrong
package. (yoavs)
fix 30354: manager-howto.xml used wrong Ant task. (yoavs)
- Works with Mozilla 1.4 through 1.8a2 and trunk
- Support printing with Xprint
- Get rid of the startup script; you need to update your scripts
if you have been using galeon-bin directly
- Add saved files in recent-files list for easy access
- Add support for vfolders of bookmarks.
- Restore the 'Reload Frame' context menu item
- Add progress dialog when printing.
- Don't copy the history of the old tab, when creating an
unrelated new tab
- Support the new GNOME 2.8 mime type system
- lots of other bug fixes
Also include fix for http://bugzilla.gnome.org/show_bug.cgi?id=153693
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
Added 35 share/httpd/manual entries to PLIST. Most are .ko.euc-kr,
.ko, ja.euc-jp, and .ja files.
I don't know when these were added.
Bump PKGREVISION because now package has several more files.
Also added comment to www/apache2/Makefile.common to remind to
update checksum in devel/apr also.
No actual devel/apr changes seen.
Also removed www/apache2/patches/patch-ab because it is identical to
fix for security in new version.
Changes with Apache 2.0.52
*) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]
*) Fix the global mutex crash when the global mutex is never allocated
due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
*) Fix a segfault in the LDAP cache when it is configured switched
off. [Jess Holle <jessh ptc.com>]
*) SECURITY: CAN-2004-0811 (cve.mitre.org)
Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication. PR 31315. [Rici Lake <rici ricilake.net>]
*) Fix the handling of URIs containing %2F when AllowEncodedSlashes
is enabled. Previously, such urls would still be rejected.
[Jeff Trawick, Bill Stoddard]
*) mod_mem_cache: Fixed race condition causing segfault because of memory being
freed twice, or reused after being freed.
[J. Clar, W. Stoddard, G. Ames]
*) Add -l option to rotatelogs to let it use local time rather than
UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
*) mod_log_config: Fix a bug which prevented request completion time
from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
processing. PR 29696. [Alois Treindl <alois astro.ch>]
Changes since 4.3.8:
* fixes to GPC input processing
* bundled GD extension synced with 2.0.28, re-introducing write support
for GIF (patent expiration worldwide)
* Implemented periodic PCRE compiled regexp cache cleanup, to avoid memory
exhaustion
* Fixed strip_tags() to correctly handle '\0' characters.
* Rewritten UNIX and Windows install help files.
* Fixed a file-descriptor leak with phpinfo() and other 'special' URLs.
* Fixed possible crash inside php_shutdown_config().
* Fixed isset crashes on arrays.
* Fixed imagecreatefromstring() crashes with external GD library.
* Fixed fgetcsv() parsing of strings ending with escaped enclosures.
* Fixed overflow in array_slice(), array_splice(), substr(), substr_replace(),
strspn(), strcspn().
* Fixed '\0' in Authenticate header passed via safe_mode.
* Allow bundled GD to compile against freetype 2.1.2.
All in all this release fixes over 50 bugs that have been discovered
and resolved since the 4.3.8 release.
privoxy actually doesn't require the userid to exist at all. Simply whack
the validity checks from configure.in, move PKG_USERS/PKG_GROUPS to the
main privoxy package, and all works fine.
(Similar to the modifications originally needed for Mailman, but in that
case, the numeric user IDs were also embedded in the binaries. Fortunately,
that is not the case here.)
* Fixes:
- Fix a bug which prevented the user from logging into the server (Todd).
- Fix a crash when editing preferences (#151940) (Todd).
- Plug a memory leak when loading user pictures (Todd).
- Clarify auto-format tooltip (#151388) (Todd).
- Include date information in Drivel's draft format (Davyd).
* Translations:
- Added Japanese translation (Satoru Satoh).
- Added Punjabi translation (Amanpreet Singh Alam).
- Updated Czech translation (Miloslav Trmac).
- Updated Canadian English translation (Adam Weinberger).
- Updated Brazilian Portuguese translation (Estêvão Samuel Procópio).
- Updated Albanian translation (Laurent Dhima).
- Updated Dutch translation (Elros Cyriatan).
- Updated British translation (David Lodge).