Most notably this version includes fixes for
http://secunia.com/advisories/20365/
and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-0903
The fix for the latter was provided in PR pkg/33616 by Cedric
Devillers, cedric dot devillers at script dottt univ-paris7 dot fr,
and is not part of the upstream version 4.1.20.
* Changes since last packaged version (4.1.19)
(see http://dev.mysql.com/doc/refman/4.1/en/news-4-1-20.html for more details):
This is a security fix release for the previous production release
family. This release includes the security fix described later in
this section and a few other changes to resolve build problems,
relative to the last official MySQL release (4.1.19).
Bugs fixed:
- Security fix: An SQL-injection security hole has been found in
multi-byte encoding processing. The bug was in the server, incorrectly
parsing the string escaped with the mysql_real_escape_string() C
API function. (CVE-2006-2753, Bug#8378)
This vulnerability was discovered and reported by Josh Berkus
<josh@postgresql.org> and Tom Lane <tgl@sss.pgh.pa.us> as part of
the inter-project security collaboration of the OSDB consortium.
- The patch for Bug#8303 broke the fix for Bug#8378 and was undone.
(In string literals with an escape character (\) followed by a
multi-byte character that has a second byte of (\), the literal
was not interpreted correctly. The next byte now is escaped, not
the entire multi-byte character. This means it is a strict reverse of
the mysql_real_escape_string() function.)
- The client libraries had not been compiled for position-independent
code on Solaris-SPARC and AMD x86_64 platforms. (Bug#13159, Bug#14202,
Bug#18091)
- Running myisampack followed by myisamchk with the --unpack option
would corrupt the auto_increment key. (Bug#12633)
0.27 release. Minor bug fixes and enhancements, plus ssh
support.
Major new features:
- Monotone can now push/pull/synchronize over arbitrary
bidirectional streams, not just raw TCP.
- File-to-file synchronization is enabled out of the box,
e.g.:
$ mtn -d db1.mtn sync file:/path/to/db2.mtn
- SSH synchronization is enabled out of the box, e.g.:
$ mtn -d local.mtn sync ssh://njs@venge.net/home/njs/remote.mtn
Note that this requires mtn be installed on the remote
computer, and locks the remote database while running; it
is not ideal for groups accessing a shared database.
- New protocols can be defined with Lua hooks -- for
example, someone could in principle make "$ mtn sync
xmpp://njs@jabber.org" do something interesting.
- See section "Other Transports" under "Advanced Uses" in the
for more details.
Minor new features:
- Selectors now support escaping, e.g., b:foo\/bar can be used
to refer to a branch with name "foo/bar" (normally / is a
metacharacter that separates multiple selectors).
- Visual C++ can now build monotone on Windows. (Mostly
important because it allows better Windows debugging.)
- --quiet now turns tickers off, and does not turn warnings
off. New option --reallyquiet disables warnings as well.
- New command 'automate common_ancestors'.
- 'ls branches' now takes a pattern, e.g.:
$ mtn ls branches "*contrib*"
Speed improvements:
- Bug in select() loop fixed, server should no longer pause in
processing other clients while busy with one, but multiplex
fairly.
- The database has a new write buffer which gives significant
speed improvements in initial pulls by cancelling redundant
database writes.
- There's been a fair bit of performance tuning all around.
Bug fixes:
- Merge tools that exit in failure are now detected.
- Better reporting of operating system errors on Win32.
- Passphrases stored in ~/.monotonerc are no longer written to
the log file. (Passphrases entered at the terminal were
never written to the log file.)
- Fix sql injection bugs in selectors, making it safe to
expose selectors in web interfaces etc.
- Files marked with the mtn:execute attr now respect umask.
- 'automate' commands on Win32 now disable newline translation
on their output; this is especially important for 'automate
stdio'.
- 'db check' now calls the sqlite "PRAGMA integrity_check", to
validate the integrity of things like sqlite indices.
- 'mtn annotate nonexistent-file' now gives a proper error
message, instead of an assertion error.
- 'mtn revert --missing' now works correctly when run in a
subdirectory.
- 'automate inventory' no longer fails when _MTN/work contains
patch stanzas.
Other:
- Many, many internal code cleanups
- Including changes to somewhat reduce the size of the
binary
- New tutorial on using packets added to the manual
- Updated translations, improved error messages, etc.
Reliability considerations:
- In the two months since 0.26 was released, zero serious bugs
have been reported in the new code.
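
Added example, not part of the release notes above and not monotone's own code: a sketch of the two selector items in the 0.27 notes, splitting a selector string on unescaped "/" (so b:foo\/bar names branch "foo/bar") and passing the values to sqlite as bound parameters instead of splicing them into SQL. The revs table, the column mapping, the AND combination and the rejection of untyped parts are assumptions made for the example.

```python
import sqlite3

# Hypothetical mapping from selector type to column; not monotone's schema.
COLUMNS = {"a": "author", "b": "branch", "t": "tag"}

def split_selectors(text):
    # Split on unescaped '/'; a backslash makes the next character literal.
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "/":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def parse(text):
    # Return [(type, value), ...]; unknown or missing types are rejected.
    out = []
    for part in split_selectors(text):
        kind, sep, value = part.partition(":")
        if sep != ":" or kind not in COLUMNS:
            raise ValueError("bad selector: %r" % part)
        out.append((kind, value))
    return out

def select_revisions(db, text):
    # Column names come from the fixed COLUMNS table; values are bound with '?'.
    pairs = parse(text)
    where = " AND ".join("%s = ?" % COLUMNS[kind] for kind, _ in pairs)
    sql = "SELECT id FROM revs WHERE " + where + " ORDER BY id"
    return [row[0] for row in db.execute(sql, [value for _, value in pairs])]

def demo_db():
    # Constructed sample data for the example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE revs (id TEXT, author TEXT, branch TEXT, tag TEXT)")
    db.executemany("INSERT INTO revs VALUES (?, ?, ?, ?)", [
        ("r1", "njs", "foo/bar", "v1"),
        ("r2", "njs", "foo", "v2"),
        ("r3", "alice", "foo/bar", "v3"),
    ])
    return db
```

Because only the column name (taken from a fixed table) reaches the SQL text, a selector value containing quotes is compared as data and matches nothing.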