Changes:
* BREAKING
* Fix deadline on update issue or PR via API (#8698)
* Hide some user information via API if user doesn't have enough permission (#8655) (#8657)
* Remove legacy handling of drone token (#8191)
* Change repo search to use exact match for topic search. (#7941)
* Add pagination for admin api get orgs and fix only list public orgs bug (#7742)
* Implement the ability to change the ssh port to match what is in the gitea config (#7286)
* SECURITY
* Fix issue with user.fullname (#8903)
* Ignore mentions for users with no access (#8395)
* Be more strict with git arguments (#7715)
* Extract the username and password from the mirror url (#7651)
* reserve .well-known username (#7637)
* FEATURE
* Org/Members: display 2FA members states + optimize sql requests (#7621)
* SetDefaultBranch on pushing to empty repository (#7610)
* Adds side-by-side diff for images (#6784)
* API method to list all commits of a repository (#6408)
* Password Complexity Checks (#6230)
* Add option to initialize repository with labels (#6061)
* Add additional password hash algorithms (#6023)
* BUGFIXES
* Allow to merge if file path contains " or \ (#8629) (#8771)
* On windows set core.longpaths true (#8776) (#8786)
* Fix 500 when edit hook (#8782) (#8789)
* Fix Checkbox at RepoSettings Protected Branch (#8799) (#8801)
* Fix SSH2 conditional in key parsing code (#8806) (#8810)
* Fix commit expand button to not go to commit link (#8745) (#8825)
* Fix new user form for non-local users (#8826) (#8828)
* Fix to close opened io resources as soon as not needed (#8839) (#8846)
* Fix edit content button on migrated issue content (#8877) (#8884)
* Fix require external registration password (#8885) (#8890)
* Fix password complexity check on registration (#8887) (#8888)
* Update Github Migration Tests (#8896) (#8938) (#8945)
* Enable punctuations ending mentions (#8889) (#8894)
* Add Close() method to gogitRepository (#8901) (#8956)
* Hotfix for review actions and notifications (#8965)
* Expose db.SetMaxOpenConns and allow non MySQL dbs to set conn pool params (#8528) (#8618)
* Fix milestone close timestamp (#8728) (#8730)
* Fix 500 when getting user as unauthenticated user (#8653) (#8663)
* Fix 'New Issue Missing Milestone Comment' (#8678) (#8681)
* Use AppSubUrl for more redirections (#8647) (#8651)
* Add SubURL to redirect path (#8632) (#8634)
* Fix template error on account page (#8562) (#8622)
* Allow externalID to be UUID (#8551) (#8624)
* Prevent removal of non-empty emoji panel following selection of duplicate (#8609) (#8623)
* Update heatmap fixtures to restore tests (#8615) (#8616)
* Ensure that diff stats can scroll independently of the diff (#8581) (#8621)
* Webhook: set Content-Type for application/x-www-form-urlencoded (#8600)
* Fix #8582 by handling empty repos (#8587) (#8594)
* Fix bug on pull requests when transfer head repository (#8564) (#8569)
* Add missed close in ServeBlobLFS (#8527) (#8542)
* Ensure that GitRepo is set on Empty repositories (#8539) (#8541)
* Fix migrate mirror 500 bug (#8526) (#8530)
* Fix password complexity regex for special characters (#8524)
* Prevent .code-view from overriding font on icon fonts (#8614) (#8627)
* Allow more than 255 characters for tokens in external_login_user table (#8554)
* Fix errors in create org UI regarding team access permission (#8506)
* Fix bug on FindExternalUsersByProvider (#8504)
* Create .ssh dir as necessary (#8486)
* IsBranchExist: return false if provided name is empty (#8485)
* Making openssh listen on SSH_LISTEN_PORT not SSH_PORT (#8477)
* Add check for empty set when dropping indexes during migration (#8471)
* LFS files are relative to LFS content path, ensure that when deleting they are made relative to this (#8455)
* Ensure Request Body Readers are closed in LFS server (#8454)
* Fix template bug on mirror repository setting page (#8438)
* Fix migration v96 to keep issue attachments (#8435)
* Update strk.kbt.io/projects/go/libravatar to latest (#8429)
* Singular form for files that has only one line (#8416)
* Check for either escaped or unescaped wiki filenames (#8408)
* Allow users with explicit read access to give approvals (#8382)
* Fix editor commit to new branch if PR disabled (#8375)
* readd .markdown class to all markup renderers (#8357)
* Upgrade xorm to v0.7.9 to fix some bugs (#8354)
* Fix column name ambiguity in GetUserIssueStats() (#8347)
* Change general form binding to gogs form (#8334)
* Fix pull request commit status in user dashboard list (#8321)
* Fix repo_admin_change_team_access always checked in org settings (#8319)
* Update to github.com/lafriks/xormstore@v1.3.0 (#8317)
* Show correct commit status in PR list (#8316)
* Bugfix for image compare and minor improvements to image compare (#8289)
* Update xorm (#8286)
* Fix API for edit and delete release attachment (#8285)
* Fix nil object access in some conditions when parsing cross references (#8281)
* Fix label count (#8267)
* Only show teams access for organization repositories on collaboration setting page (#8265)
* Test more reserved usernames (#8263)
* Rewrite reference processing code in preparation for opening/closing from comment references (#8261)
* Fix assets key on release webhook (#8253)
* Allow registration when button is hidden (#8237)
* Fix release API URL generation (#8234)
* Fix milestone num_issues (#8221)
* MS Teams webhook misses commit messages (#8209)
* Fix data race (#8204)
* Fix team user api (#8172)
* Fix pull merge 500 error caused by git-fetch breaking behaviors (#8161)
* Make show private icon when repo avatar set (#8144)
* Add reviewers as participants (#8121)
* Fix Go 1.13 private repository go get issue (#8112)
* feat: highlight issue references with : (#8101)
* Make AllowedUsers configurable in sshd_config (#8094)
* Strict name matching for Repository.GetTagID() (#8074)
* Avoid ambiguity of branch/directory names for the git-diff-tree command (#8066)
* Add change title notification for issues (#8061)
* [ssh] fix the config specification in the authorized_keys template (#8031)
* Fix reading git notes from nested trees (#8026)
* Fixes synchronize tags to releases for repository - makes sure we are only getting tag refs (#7990)
* Fix adding default Telegram webhook (#7972)
* Run CORS handler first for /api routes (#7967)
* Abort synchronization from LDAP source if there is some error. (#7960)
* Fix wrong sender when send slack webhook (#7918)
* Fix bug when migrating a private repository (#7917)
* Evaluate emojis in commit messages in list view (#7906)
* Fix upload file type check (#7890)
* lfs/lock: round locked_at timestamp to second (#7872)
* fix non existent milestone with 500 error instead of 404 (#7867)
* gpg/bugfix: Use .ExpiredUnix.IsZero to display green color of forever valid gpg key (#7846)
* Fix duplicate call of webhook (#7821)
* Enable switching to a different source branch when PR already exists (#7819)
* Convert files to utf-8 for indexing (#7814)
* Do not fetch all refs in pull-request compare (#7797)
* Fix multiple bugs with statuses endpoints at API (#7785)
* Restore functionality for early gits (#7775)
* Fix Slack webhook fork message (#7774)
* Rewrite existing repo units if setting is not included in api body (#7763)
* Fix rename failed when rewrite public keys (#7761)
* Fix approvals counting (#7757)
* Add migration step to remove old repo_indexer_status orphaned records (#7746)
* Fix repo_index_status lingering when deleting a repository (#7734)
* Remove camel case tokenization from repo indexer (#7733)
* Fix milestone completeness calculation when migrating (#7725)
* Regression: Include "executable" files in the index, as they are not necessarily … (#7718)
* Fixes indexed repos keeping outdated indexes when files grow too large (#7712)
* Skip non-regular files (e.g. submodules) on repo indexing (#7711)
* Fix dropTableColumns sqlite implementation (#7710)
* Update gopkg.in/src-d/go-git.v4 to v4.13.1 (#7705)
* improve branches list performance and fix protected branch icon when no-login (#7695)
* Correct wrong datetime format for git (#7689)
* Move add to hook queue for created repo to outside xorm session. (#7675)
* suggestion to use range .Branches (#7674)
* Fix bug on migrating milestone from github (#7665)
* hide delete/restore button on archived repos (#7658)
* css: use flex to fix floating paginate (#7656)
* Fix syntax highlight initialization (#7617)
* Fix panic on push at - Merging pull request causes 500 error (#7615)
* Make PKCS8, PEM and SSH2 keys work (#7600)
* Fix mistake in arc-green.less split-diff css code. (#7587)
* Handle ErrUserProhibitLogin in http git (#7586)
* Fix bug create/edit wiki pages when code master branch protected (#7580)
* Fixes Malformed URLs in API git/commits response (#7565)
* Fix file header overflow in file and blame views (#7562)
* Improve SSH key parser to handle newlines in keys (#7522)
* Fix empty commits now showing in repo overview (#7521)
* Fix repository's pull request count error (#7518)
* Fix markdown invoke sequence (#7513)
* Remove duplicated webhook trigger (#7511)
* Update User.NumRepos atomically in createRepository (#7493)
* Fix settings page of repo you aren't admin print error - Settings pages giving UnitType error message (#7482)
* Fix redirection after file edit - Handles all redirects for Web UI File CRUD (#7478)
* cmd/serv: actually exit after fatal errors (#7458)
* Fix an issue with some pages throwing 'not defined' js exceptions (#7450)
* fix Dropzone.js integration (#7445)
* Fix regex for issues in commit messages (#7444)
* Diff: Fix indentation on unhighlighted code (#7435)
* Only show "New Pull Request" button if repo allows pulls (#7426)
* Upgrade macaron/captcha to fix random error problem (#7407)
* create class for inline positioned lists (#7393)
* Fetch refs for successful testing for tag (#7388)
* add missing template variable on organisation settings (#7385)
* fix post parameter - on issue list - unset assignee (#7380)
* fix/define autochecked checkboxes on issue list in firefox (#7320)
* only return head: null if source branch was deleted (#6705)
* ENHANCEMENT
* Add nofollow to sign in links (#8509)
* vendor: update mvdan.cc/xurls/v2 to v2.1.0 (#8495)
* Update milestone issues numbers when save milestone and other code improvements (#8411)
* Add extra user information when migrating release (#8331)
* Require overall success if no context is given for status check (#8318)
* Transaction-aware retry create issue to cope with duplicate keys (#8307)
* Change link on issue milestone (#8246)
* Always return local url for users avatar (#8245)
* Move some milestone functions to a standalone package (#8213)
* Move create issue comment to comments package (#8212)
* Disable max height property of comment textarea (#8203)
* Add 'Mentioning you' group to /issues page (#8201)
* oauth2 with remote Gitea (#8149)
* Reference issues from pull requests and other issues (#8137)
* Fix webhooks to use proxy from environment (#8116)
* Add merged commit id on pull view when it's merged (#8062)
* Add teams to repo on collaboration page. (#8045)
* Update swagger to 0.20.1 (#8010)
* Make link last commit messages in repository home page and commit tables (#8006)
* Add API endpoint for accessing repo topics (#7963)
* Include description in repository search (#7942)
* Use gitea forked macaron (#7933)
* Fix pull creation with empty changes (#7920)
* Allow token as authorization for accessing attachments (#7909)
* Retry create issue to cope with duplicate keys (#7898)
* Move git diff codes from models to services/gitdiff (#7889)
* migrate gplus to google oauth2 provider (#7885)
* Remove unique filter from repo indexer analyzer. (#7878)
* Detect delimiter in CSV rendering (#7869)
* Import topics during migration (#7851)
* Move CreateReview to modules/pull (#7841)
* vendor: update pdf.js to v2.1.266 (#7834)
* Support SSH_LISTEN_PORT env var in docker app.ini template (#7829)
* Add Ability for User to Customize Email Notification Frequency (#7813)
* Move database settings from models to setting (#7806)
* Display ui time with customize time location (#7792)
* Implement webhook branch filter (#7791)
* Restrict repository indexing by glob match (#7767)
* Api: advanced settings for repository (external wiki, issue tracker etc.) (#7756)
* Update migrated repositories' issues/comments/prs poster id if user has a github external user saved (#7751)
* deps: Upgrade gopkg.in/editorconfig/editorconfig-core-go.v1 (#7749)
* Apply emoji on commit graph page (#7743)
* Add a lot of extension to language mappings for syntax highlights (#7741)
* Add SQL execution on log and indexes on table repository and comment (#7740)
* Set DB connection error level to error (#7724)
* Check commit message hashes before making links (#7713)
* remove unnecessary fmt on generate bindata (#7706)
* Fix specific highlighting (CMakeLists.txt ...) (#7686)
* Add file status on API (#7671)
* Add support for DEFAULT_ORG_MEMBER_VISIBLE (#7669)
* Provide links in commit summaries in commits table/view list (#7659)
* Change length of some repository's columns (#7652)
* Move commit repo action from models to repofiles package (#7645)
* fix wrong email when use gitea as OAuth2 provider (#7640)
* [Branch View] add download button (#7604)
* Update to xorm@v0.7.4 (#7596)
* use 403 instead of 401 for ErrUserProhibitLogin (#7591)
* Removed unnecessary conversions (#7557)
* Un-lambda base.FileSize (#7556)
* Added missing error checks in tests (#7554)
* Move create release from models to a standalone package (#7539)
* Make default branch name link to default branch (#7519)
* Added total count of contributions to heatmap (#7517)
* Move mirror to a standalone package from models (#7486)
* Move models.PushUpdate to repofiles.PushUpdate (#7485)
* Include thread related headers in issue/comment mail (#7484)
* Refuse merge until all required status checks success (#7481)
* convert all js var to let/const (#7464)
* Only create branches for opened pull requests when migrating from github (#7463)
* jQuery 3 (#7425)
* Add notification placeholder (#7409)
* Search Commits via Commit Hash (#7400)
* Move status table to cron package (#7370)
* wiki - page revisions list (#7369)
* Display original author and URL information when showing migrated issues/comments (#7352)
* Refactor filetype is not allowed errors (#7309)
* switch to use gliderlabs/ssh for builtin server (#7250)
* Remove setting dependency on modules/session (#7237)
* Move all mail related codes from models to services/mailer (#7200)
* Support git.PATH entry in app.ini (#6772)
* Support setting cookie domain (#6288)
* Move migrating repository from frontend to backend (#6200)
* Delete releases attachments if release is deleted (#6068)
* TRANSLATION
* Latvian translation for home page (#8468)
* Add home template italian translation (#8352)
* fix misprint (#7452)
* BUILD
* use go 1.13 (#8088)
* MISC
* add file line count info on UI (#8396)
* Make issues page left menu 100% width and add reponame as title attribute (#8359)
* [arc-green] white on hover for active menu items (#8344)
* Move ref (branch or tag) location on issue list page (#8157)
* apply emoji on dashboard issue list labels (#8156)
* 1148: Take up the full width when viewing the diff in split view. (#8114)
* Display description of 'make this repo private' as help text, not as tooltip (#8097)
* Fixes deformed emoji in pull request reviews (#8047)
* Add strike to old header on comment (#8046)
* Add tooltip for the visibility checkbox in /repo/create (#8025)
* Update github.com/lafriks/xormstore and tidy up mod.go (#8020)
* keep blame view buttons sequence consistent with normal view when view a file (#8007)
* Use "Pull Request" instead of "Merge Request" (#8003)
* Move line number to :before attr to hide from search on browser (#8002)
* Changed black color to white for (read) number label on issue list page (#8000)
* [Branch View] show "New Pull Request" Button only if possible (#7977)
* Fix hook problem by only setting the git environment variables if we are passed them (#7854)
* Prevent Commit Status and Message From Overflowing On Branch Page (#7800)
* Fix global search result CSS, misc CSS tweaks (#7789)
* Tweak label border CSS (#7739)
* Fix create menu item widths (#7708)
* [Branch View] Delete duplicate protection symbol (#7624)
* [Branch View] Delete Table Header (#7622)
* [Branch View] icons to buttons (#7602)
* update js dependencies (#7462)
* Add Extra Info to Branches Page (#7461)
* Bump lodash from 4.17.11 to 4.17.14 (#7459)
* wiki history improvements (#7391)
* ui fixes - compare view and archived repo issues (#7345)
* dark theme scrollbars (#7269)
* wiki - editor - add buttons 'inline code', 'empty checkbox', 'checked checkbox' (#7243)
* Fix Statuses API only shows first 10 statuses: Add paging and extend API GetCommitStatuses (#7141)
2.0.0
- Discontinue the lib and migrate to https://github.com/model-bakers/model_bakery
- Use default value for unknown field types
- Enable seq method to be imported directly from model_mommy
- Stick to Django's roadmap (https://www.djangoproject.com/download/)
- Add validation to `_fill_optional` parameter
- Add new `_from_manager` parameter to `make` method
- Clean up obsolete imports
- Save object instances when handling one to many relations
3.10.3
Include API version in OpenAPI schema generation, defaulting to empty string.
Add pagination properties to OpenAPI response schemas.
Add missing "description" property to OpenAPI response schemas.
Only include "required" for non-empty cases in OpenAPI schemas.
Fix response schemas for "DELETE" case in OpenAPI schemas.
Use an array type for list view response schemas.
Use consistent lowerInitialCamelCase style in OpenAPI operation IDs.
Fix minLength/maxLength/minItems/maxItems properties in OpenAPI schemas.
Only call FileField.url once in serialization, for improved performance.
Fix an edge case where throttling calculations could error after a configuration change.
3.10.2
Various OpenAPI schema fixes.
Ability to specify urlconf in include_docs_urls.
3.10.1
Don't include autocomplete fields on TokenAuth admin, since it forces constraints on custom user models & admin.
Require uritemplate for OpenAPI schema generation, but not coreapi.
3.10.0
Switch to OpenAPI schema generation.
Drop Python 2 support.
Add generateschema --generator_class CLI option
Updated PyYaml dependency for OpenAPI schema generation to pyyaml>=5.1
Resolve DeprecationWarning with markdown.
Use user.get_username in templates, in preference to user.username.
Fix for cursor pagination issue that could occur after object deletions.
Fix for nullable fields with source="*"
Always apply all throttle classes during throttling checks.
Updates to jQuery and Markdown dependencies.
Don't strict disallow redundant SerializerMethodField field name arguments.
Don't render extra actions in browsable API if not authenticated.
Strip null characters from search parameters.
This package now depends on py-pallets-sphinx-themes>=1.2.2nb1, since
the latter added a new dependency for its basic functioning (and 1.2.2
pre-revbump was broken).
2019-11-07 Kovid Goyal
* 0.4.4 release
* URLs passed into mechanize now automatically have URL unsafe characters
percent encoded. This is necessary because newer versions of python
disallow processing of URLs with unsafe characters. Note that this means
values returned by get_full_url(), get_selector() etc will be percent encoded.
Version 7.43.0.3 [requires libcurl-7.19.0 or better] - 2019-06-17
-----------------------------------------------------------------
* Fixed use with libcurl 7.65+ when FTP support is disabled.
* Added support for mbedTLS (patch by Josef Schlehofer).
* Fixed string processing on Python 3 (patch by Dmitriy Taychenachev).
* Added CURLOPT_TCP_FASTOPEN and CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
(patch by Khavish Anshudass Bhundoo).
* Repaired inability to install PycURL when libcurl is using an SSL
backend other than the ones PycURL explicitly recognizes and
handles (OpenSSL, LibreSSL, BoringSSL, GnuTLS, NSS).
The requirement for setup.py to detect an SSL backend if libcurl
is configured to use SSL, added in 7.43.0.2, has been changed
to a warning to allow this.
=== RELEASE 2.20.2 ===
Wed Sep 18 18:39:07 CEST 2019 mikulas:
If the user runs links on a framebuffer and switches to a different
framebuffer, links would incorrectly respond to mouse clicks.
2.0.11 October 5, 2019
Fix t/modules/apache_resource.t failures [Steve Hay]
Fix [CVE-2011-2767] Arbitrary Perl code execution in the context of the user
account via a user-owned .htaccess. Patch from bugs.debian.org #644169. [Jan
Ingvoldstad <jani+debian-2011+@ifi.uio.no>]
Fix potential test suite hangs due to pipelined response deadlocks. Patch
from rt.cpan.org #82409. [Zefram <zefram@fysh.org>]
Fix t/compat/request.t failures [Steve Hay]
Fix use-after-free segfault in ap_server_config_defines seen on start-up on
OpenBSD. [Found/fixed by Sam Vaughan/Joe Orton]
Fix build with Perls earlier than 5.13.6. [Rainer Jung
<rainer.jung@kippdata.de>]
Fix filter/in_bbs_inject_header.t test failure with Apache 2.4.25+. [Stefan
Fritsch <sf@sfritsch.de>]
Fix apache/read.t test failure with Apache 2.4.25+. [Niko Tyni
<ntyni@debian.org>]
v4.1.4
* Make tests more deterministic and easier to run outside of ``tox``.
* Fix Fedora packaging `issue <https://github.com/evansd/whitenoise/issues/225>`_.
* Use `Black <https://github.com/psf/black>`_ to format all code.
v4.1.3
* Fix handling of zero-valued mtimes which can occur when running on some
filesystems.
* Fix potential path traversal attack while running in autorefresh mode on
Windows.
3.7.0:
Bugfixes
* Monkeypatch pytest to not use ``TestCase.debug`` with unittests, instead
of patching it into Django.
* Work around pytest crashing due to ``pytest.fail`` being used from within the
DB blocker, and pytest trying to display an object representation involving
DB access. pytest-django uses a ``RuntimeError`` now instead.
1.25.7:
* Preserve ``chunked`` parameter on retries
* Allow unset ``SERVER_SOFTWARE`` in App Engine
* Fix issue where URL fragment was sent within the request target.
* Fix issue where an empty query section in a URL would fail to parse.
* Remove TLS 1.3 support in SecureTransport due to Apple removing support
pkgsrc changes: added -lsendfile to SunOS build to make it work.
Release notes:
New in version 1.30:
Enlarged request read buffer to 50KB.
Fix security bug that let remote users read arbitrary files. (CVE-2018-18778)
New in version 1.29:
Allow CGI to handle HTTP methods besides GET/HEAD/POST.
New in version 1.28:
Fix to buffer overrun bug in htpasswd. Reported by Alessio Santoru as CVE-2017-17663.
Some fixes to keep connections from getting stuck forever in FIN_WAIT_2 state.
5.62.0
KDE WebKit
Use ECMAddQtDesignerPlugin instead of private copy
5.63.0
KJS
Added startsWith(), endsWith() and includes() JS String functions
Fixed Date.prototype.toJSON() called on non-Date objects
5.64.0
KHTML
Extend KHtmlView::print() to use a predefined QPrinter instance
KJS
Better message for String.prototype.repeat(count) range errors
Simplify parsing of numeric literals
Parse JS binary literals
Detect truncated hex and octal literals
Support new standard way of specifying octal literals
Collection of regression tests taken from khtmltests repository
Privoxy 3.0.27 stable scales better in multi-user environments
and brings a couple of tuning directives.
Privoxy 3.0.28 stable fixes two regressions introduced in 3.0.27.
--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.28
--------------------------------------------------------------------
- Bug fixes for regressions in 3.0.27:
- Fixed misplaced parentheses.
Reported by David Binderman.
- Changed two regression tests to depend on config directive
enable-remote-toggle instead of FEATURE_TOGGLE.
--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.27
--------------------------------------------------------------------
- General improvements:
- Add a receive-buffer-size directive which can be used to
set the size of the previously statically allocated buffer
in handle_established_connection().
Increasing the buffer size increases Privoxy's memory usage but
can lower the number of context switches and thereby reduce the
CPU usage and potentially increase the throughput.
This is mostly relevant for fast network connections and
large downloads that don't require filtering.
Sponsored by: Robert Klemme
- Add a listen-backlog directive which specifies the backlog
value passed to listen().
Sponsored by: Robert Klemme
- Add an enable-accept-filter directive which allows to
toggle accept filter support at run time when compiled
with FEATURE_ACCEPT_FILTER support.
It makes testing more convenient and now that it's
optional we can emit an error message if enabling
the accept filter fails.
Sponsored by: Robert Klemme
- Add a delay-response{} action.
This is useful to tar pit JavaScript requests that
are endlessly retried in case of blocks. It can also
be used to simulate a slow Internet connection.
Sponsored by: Robert Klemme
- Add a 'trusted-cgi-referrer' directive.
It allows to configure another page or site that can be used
to reach sensitive CGI resources.
Sponsored by: Robert Klemme
- Add a --fuzz mode which exposes Privoxy internals to input
from files or stdout.
Mainly tested with American Fuzzy Lop. For details see:
https://www.fabiankeil.de/talks/fuzzing-on-freebsd/
This work was partially funded with donations and done
as part of the Privoxy month in 2015.
- Consistently use the U(ngreedy) flag in the 'img-reorder' filter.
- listen_loop(): Reuse a single thread attribute object
The object doesn't change and creating a new one for
every thread is a waste of (CPU) time.
Sponsored by: Robert Klemme
- Free csp resources in the thread that belongs to the csp instead
of the main thread which has enough on its plate already.
Sponsored by: Robert Klemme
- Improve 'socket timeout reached' message.
Log the timeout that was triggered and downgrade the
log level to LOG_LEVEL_CONNECT to reduce the log noise
with common debug settings.
The timeout isn't necessarily the result of an error and
usually merely indicates that Privoxy's socket timeout
is lower than the relevant timeouts used by client and
server.
Sponsored by: Robert Klemme
- Explicitly taint the server socket in case of CONNECT requests.
This doesn't fix any known problems, but makes
some log messages less confusing.
- Let write_pid_file() terminate if the pid file can't be opened.
Logging the issue at info level is unlikely to help.
- log_error(): Reduce the mutex-protected area by not using a
heap-allocated buffer that is shared between all threads.
This increases performance and reduces the latency with
verbose debug settings and multiple concurrent connections.
Sponsored by: Robert Klemme
- Let zalloc() use calloc() if it's available.
In some situations using calloc() can be faster than
malloc() + memset() and it should never be slower.
In the real world the impact of this change is not
expected to be noticeable.
Sponsored by: Robert Klemme
- Never use select() when poll() is available.
On most platforms select() is limited by FD_SETSIZE while
poll() is not. This was a scaling issue for multi-user setups.
Using poll() has no downside other than the usual risk
that code modifications may introduce new bugs that have
yet to be found and fixed.
At least in theory this commit could also reduce the latency
when there are lots of connections and select() would use
"bit fields in arrays of integers" to store file descriptors.
Another side effect is that Privoxy no longer has to stop
monitoring the client sockets when pipelined requests are
waiting but can't be read yet.
This code keeps the select()-based code behind ifdefs for
now but hopefully it can be removed soonish to make the
code more readable.
Sponsored by: Robert Klemme
- Add a 'reproducible-tarball-dist' target.
It's currently separate from the "tarball-dist" target
because it requires a tar implementation with mtree spec
support.
It's far from being perfect and does not enforce a
reproducible mode, but it's better than nothing.
- Use arc4random() if it's available.
While Privoxy doesn't need high quality pseudo-random numbers
there's no reason not to use them when we can and this silences
a warning emitted by code checkers that can't tell whether or not
the quality matters.
- Show the FEATURE_EXTERNAL_FILTERS status on the status page.
Better late than never. Previously a couple of tests weren't
executed as Privoxy-Regression-Test couldn't detect that the
FEATURE_EXTERNAL_FILTERS dependency was satisfied.
- Ditch FEATURE_IMAGE_DETECT_MSIE.
It's an obsolete workaround we inherited from Junkbuster
and was already disabled by default.
Users that feel the urge to work around issues with
image requests coming from an Internet Explorer version
from more than 15 years ago can still do this using tags.
- Consistently use strdup_or_die() instead of strdup() in
cases where allocation failures aren't expected.
Using strdup_or_die() allows to remove a couple of explicit
error checks which slightly reduces the size of the binary.
- Insert a refresh tag into the /client-tags CGI page when
serving it while a client-specific tag is temporarily enabled.
This makes it less likely that the user ends up
looking at tag state that is out of date.
- Use absolute URLs in the client-tag forms.
It's more consistent with the rest of the CGI page
URLs and makes it more convenient to copy the forms
to external pages.
- cgi_error_disabled(): Use status code 403 and an appropriate response line
- Use a dedicated CGI handler to deal with tag-toggle requests
As a result the /client-tags page is now safe to reach without
trusted Referer header which makes bookmarking or linking to
it more convenient.
Finally, refreshing the /client-tags page to show the
current state can no longer unintentionally repeat the
previous toggle request.
- Don't add a "Connection" header for CONNECT requests.
Explicitly sending "Connection: close" is not necessary and
apparently it causes problems with some forwarding proxies
that will close the connection prematurely.
Reported by Marc Thomas.
- Fix compiler warnings.
- Bug fixes:
- rfc2553_connect_to(): Properly detect and log when poll()
reached the time out. Previously this was logged as:
Could not connect to [...]: No error: 0.
which isn't very helpful.
Sponsored by: Robert Klemme
- add_tag_for_client(): Set time_to_live properly.
Previously the time_to_live was always set for the first tag.
Attempts to temporarily enable a tag would result in enabling
it permanently unless no tag was enabled already.
- Revert r1.165 which didn't perform as advertised.
While the idea was to use "https:// when creating links
for the user manual on the website", the actual effect
was to use "https://" when Privoxy was supposed to serve
the user manual itself.
Reported by Yossi Zahn on Privoxy-devel@.
- socks5_connect(): Fail in case of unsupported address types.
Previously they would not be detected right away and
Privoxy would fail later on with an error message that
didn't make it obvious that the problem was socks-related.
So far, no such problems have actually been reported.
- socks5_connect(): Properly deal with socks replies that
contain IPv6 addresses.
Previously parts of the reply were left unread and
later on treated as invalid HTTP response data.
Fixes #904 reported by Danny Goossen who also provided
the initial version of this patch.
- Action file improvements:
- Unblock 'msdn.microsoft.com/'.
It (presumably) isn't used to serve the kind of ads Privoxy should
block by default but happens to serve lots of pages with URLs that
are likely to result in false positives.
Reported by bugreporter1694 in AF#939.
- Disable gif deanimation for requests tagged with CSS-REQUEST.
The action will ignore content that isn't considered text
anyway and explicitly disabling it makes this more obvious
if "action" debugging (debug 65536) is enabled while
"gif deanimation" debugging (debug 256) isn't.
- Explicitly disable HTML filters for requests with CSS-REQUEST tag.
The filters are unlikely to break CSS files but executing
them without (intentionally) getting any hits is a waste of
cpu time and makes the log more noisy when running with
"debug 64".
- Unblock 'adventofcode.com/'.
Reported by Clint Adams in Debian bug #848211.
Fixes Roland's AF#937.
- Unblock 'adlibris.com'.
Reported by Wyrex in #935
- Unblock .golang.org/
- Add fast-redirects exception for '.youtube.com/.*origin=http'
- Privoxy-Log-Parser:
- Don't gather host and resource statistics if they aren't requested.
While the performance impact seems negligible this significantly
reduces the memory usage if there are lots of requests.
- Bump version as the behaviour (slightly) changed.
- Count connection failures as well in statistics mode.
Sponsored by: Robert Klemme
- Count connection timeouts as well in statistics mode.
Sponsored by: Robert Klemme
- Fix an 'uninitialized value' warning when generating
statistics for a log file without response headers.
While privoxy-log-parser was supposed to detect this already,
the check was flawed and the message the user didn't see was
somewhat confusing anyway.
Now the message is less confusing, more helpful and actually printed.
Reported by: Robert Klemme
- Documentation improvements:
- Refer to the git sources instead of CVS.
- Use GNU/Linux when referring to the OS instead of the kernel.
- Add FAQ entry for what to do if editing the config file is access denied.
- Add brief HTTP/2 FAQ.
- Add a small fuzzing section to the developer documentation.
- Add a client-header-tagger{client-ip-address} example.
- Stop suggesting that Privoxy is an anonymizing proxy.
The term could lead to Privoxy users overestimating
what it can do on its own (without Tor).
- Make it more obvious that SPI accepts Paypal, too.
Currently most donations are made through the Paypal account
managed by Zwiebelfreunde e.V. and a more even distribution
would be useful.
- Suggest to log applying actions as well when reproducing problems.
- Explicitly mention that Privoxy binaries are built by individuals
on their own systems. Buyer beware!
- Mention the release feed on the homepage.
- Remove a mysterious comment with a GNU FDL link as it isn't
useful and could confuse license scanners.
In May 2002 it was briefly claimed that "this document" was covered
by the GNU FDL. The commit message (r1.5) doesn't explain the motivation
or whether all copyright holders were actually asked and agreed to the
declared license change.
It's thus hard to tell whether or not the license change was legit,
but luckily two days later the "doc license" was "put" "back to GPL"
anyway (r1.6).
At the same time the offending comment with a link to the FDL
(not the GPL) was added for no obvious reason.
Now it's gone again.
- Regression tests:
- Bump for-privoxy-version to 3.0.27 as we now rely on untrusted
CGI request being rejected with status code 403 (instead of 200).
- Update test for /send-stylesheet and add another one
- Templates:
- Consistently use https:// when linking to the Privoxy website.
- Remove SourceForge references in Copyright header.
- Remove a couple of SourceForge references in a comment.
While at it, fix the grammar.
- Move the site-specific documentation block before the generic one.
While most Privoxy installations don't have a site-specific
documentation block, in cases where it exists it's likely to
be more relevant than the generic one.
Showing it first makes it less likely that users stop reading
before they reach it, especially on pages that don't fit on
the screen.
- Build system improvements:
- Prefer openjade to jade. On some systems Jade produces
HTML with unescaped ampersands in URLs.
- Prefer OpenSP to SP to be consistent.
- Have Docbook generated HTML files be straight ASCII.
Dealing with a mixture of ISO-8859 and UTF-8 files is problematic.
- Echo the filename to stderr for 'make dok-tidy'.
Make it a bit easier to find errors in docbook generated HTML.
- Warn when still using select().
- Warn when compiling without calloc().
- Make it more obvious that the --with-fdsetsize configure switch
is pointless if poll() is available.
- Remove support for AmigaOS.
- Update windows build system to use supported software.
The cygwin gcc -mno-cygwin option is no longer supported, so
convert the windows build system to use the cygwin cross-compiler
to build "native" code.
- Add --enable-static-linking option for configure
does the same thing as LDFLAGS=-static; ./configure
but nicer than mixing evars and configure options.
4.2
- Fix for old versions of libcurl (build was broken in 4.1 on RHEL / CentOS).
- Add hostname to timeout errors (#190)
4.1
- Fixed typechecking code for new internal macro names in libcurl 7.66
- Rewrite typechecking to work better with clang and old libcurl (#192)
- has_internet() now checks for connectivity via a proxy server if one is detected
- Windows: respect the CURL_SSL_BACKEND variable for people that want to use OpenSSL.
- Windows: respect CURL_CA_BUNDLE if (and only if) CURL_SSL_BACKEND == openssl
- curl_download now writes to a temporary file, which is renamed to the destfile
upon success. This prevents corrupt files when a download fails or is interrupted.
- Automatically set forbid_reuse = TRUE in curl_echo() handles
- Update symbol table to 7.66.0
1.5.4:
Fix display of inline x-editable boolean fields on list view
Add support for several SQLAlchemy-Utils data types
Support searching on SQLAlchemy hybrid properties
Extra URL parameters are now propagated to the next page when searching / filtering
Add enum34 dependency when running on legacy Python version
Update Mapbox API v1 URL format
Update jQuery and moment dependencies in templates
Fixed a datepicker issue, where only dates up to 2015 were showing up
Updated Pillow dependency version
5.6.1:
Significant Changes
RegExRemove applies to all cells
RegExRemove preprocessor now removes cells regardless of cell outputs. Before this only cells that had outputs were filtered.
Comprehensive notes
New Features
- Add support for alt tags for jpeg and png images
- Allow HTML header anchor text to be HTML
- Change RegExRemove to remove code cells with output
- Added cell tag data attributes to HTML exporter
Fixing Problems
- Update svg2pdf.py to search the PATH for inkscape
- Fix latex dependencies installation command for Ubuntu systems
Testing, Docs, and Builds
- Added Circle CI builds for documentation
- Fix typo in argument name in docstring (TagRemovePreprocessor)
- Changelog typo fix
- Updated API page for TagRemovePreprocessor and TemplateExporter
- Added remove_input_tag traitlet to the docstring
Changes:
2.26.2
======
- Improve performance of querying system fallback fonts.
- Don't use prgname in dbus-proxy socket path.
- Fix thread-safety issues in image decoders.
- Fix the build with WebDriver disabled.
- Disable accelerated compositing when we fail to initialize the EGL
display under Wayland.
- Fill the objects category in emoji picker.
- Fix several crashes and rendering issues.
Go-mux implements a request router and dispatcher for matching
incoming requests to their respective handler.
The name mux stands for "HTTP request multiplexer". Like the standard
http.ServeMux, mux.Router matches incoming requests against a list of
registered routes and calls a handler for the route that matches the
URL or other conditions. The main features are:
It implements the http.Handler interface so it is compatible with the
standard http.ServeMux.
Requests can be matched based on URL host, path, path prefix, schemes,
header and query values, HTTP methods or using custom matchers.
URL hosts, paths and query values can have variables with an optional
regular expression.
Registered URLs can be built, or "reversed", which helps maintaining
references to resources.
Routes can be used as subrouters: nested routes are only tested if the
parent route matches. This is useful to define groups of routes that
share common conditions like a host, a path prefix or other repeated
attributes. As a bonus, this optimizes request matching.
Changes:
7.67.0
------
This release includes the following changes:
o curl: added --no-progress-meter
o setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
o urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
This release includes the following bugfixes:
o BINDINGS: five new bindings added
o CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
o CURLOPT_TIMEOUT.3: remove the mention of "minutes"
o ESNI: initial build/setup support
o FTP: FTPFILE_NOCWD: avoid redundant CWDs
o FTP: allow "rubbish" prepended to the SIZE response
o FTP: remove trailing slash from path for LIST/MLSD
o FTP: skip CWD to entry dir when target is absolute
o FTP: url-decode path before evaluation
o HTTP3.md: move -p for mkdir, remove -j for make
o HTTP3: fix invalid use of sendto for connected UDP socket
o HTTP3: fix ngtcp2 Windows build
o HTTP3: fix prefix parameter for ngtcp2 build
o HTTP3: fix typo somehere1 > somewhere1
o HTTP3: show an --alt-svc using example too
o INSTALL: add missing space for configure commands
o INSTALL: add vcpkg installation instructions
o README: minor grammar fix
o altsvc: accept quoted ma and persist values
o altsvc: both backends run h3-23 now
o appveyor: Add MSVC ARM64 build
o appveyor: Use two parallel compilation on appveyor with CMake
o appveyor: add --disable-proxy autotools build
o appveyor: add 32-bit MinGW-w64 build
o appveyor: add a winbuild
o appveyor: add a winbuild that uses VS2017
o appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017
o appveyor: publish artifacts on appveyor
o appveyor: upgrade VS2017 to VS2019
o asyn-thread: make use of Curl_socketpair() where available
o asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
o build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
o checksrc: fix uninitialized variable warning
o chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
o cirrus: Increase the git clone depth
o cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
o cirrus: switch off blackhole status on the freebsd CI machines
o cleanups: 21 various PVS-Studio warnings
o configure: only say ipv6 enabled when the variable is set
o configure: remove all cyassl references
o conn-reuse: requests wanting NTLM can reuse non-NTLM connections
o connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
o connect: silence sign-compare warning
o cookie: avoid harmless use after free
o cookie: pass in the correct cookie amount to qsort()
o cookies: change argument type for Curl_flush_cookies
o cookies: using a share with cookies shouldn't enable the cookie engine
o copyrights: update copyright notices to 2019
o curl: create easy handles on-demand and not ahead of time
o curl: ensure HTTP 429 triggers --retry
o curl: exit the create_transfers loop on errors
o curl: fix memory leaked by parse_metalink()
o curl: load large files with -d @ much faster
o docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
o docs: added multi-event.c example
o docs: disambiguate CURLUPART_HOST is for host name (ie no port)
o docs: note on failed handles not being counted by curl_multi_perform
o doh: allow only http and https in debug mode
o doh: avoid truncating DNS QTYPE to lower octet
o doh: clean up dangling DOH memory on easy close
o doh: fix (harmless) buffer overrun
o doh: fix undefined behaviour and open up for gcc and clang optimization
o doh: return early if there is no time left
o examples/sslbackend: fix -Wchar-subscripts warning
o examples: remove the "this exact code has not been verified"
o git: add tests/server/disabled to .gitignore
o gnutls: make gnutls_bye() not wait for response on shutdown
o http2: expire a timeout at end of stream
o http2: prevent dup'ed handles to send dummy PRIORITY frames
o http2: relax verification of :authority in push promise requests
o http2_recv: a closed stream trumps pause state
o http: lowercase headernames for HTTP/2 and HTTP/3
o ldap: Stop using wide char version of ldapp_err2string
o ldap: fix OOM error on missing query string
o mbedtls: add error message for cert validity starting in the future
o mime: when disabled, avoid C99 macro
o ngtcp2: adapt to API change
o ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
o ngtcp2: remove fprintf() calls
o openssl: close_notify on the FTP data connection doesn't mean closure
o openssl: fix compiler warning with LibreSSL
o openssl: use strerror on SSL_ERROR_SYSCALL
o os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
o parsedate: fix date parsing disabled builds
o quiche: don't close connection at end of stream
o quiche: persist connection details (fixes -I with --http3)
o quiche: set 'drain' when returning without having drained the queues
o quiche: update HTTP/3 config creation to new API
o redirect: handle redirects to absolute URLs containing spaces
o runtests: get textaware info from curl instead of perl
o schannel: reverse the order of certinfo insertions
o schannel_verify: Fix concurrent openings of CA file
o security: silence conversion warning
o setopt: handle ALTSVC set to NULL
o setopt: make it easier to add new enum values
o setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
o smb: check for full size message before reading message details
o smbserver: fix Python 3 compatibility
o socks: Fix destination host shown on SOCKS5 error
o test1162: disable MSYS2's POSIX path conversion
o test1591: fix spelling of http feature
o tests: add `connect to non-listen` keywords
o tests: fix narrowing conversion warnings
o tests: fix the test 3001 cert failures
o tests: makes tests succeed when using --disable-proxy
o tests: use %FILE_PWD for file:// URLs
o tests: use port 2 instead of 60000 for a safer non-listening port
o tool_operate: Fix retry sleep time shown to user when Retry-After
o travis: Add an ARM64 build
o url: Curl_free_request_state() should also free doh handles
o url: don't set appconnect time for non-ssl/non-ssh connections
o url: fix the NULL hostname compiler warning
o url: normalize CURLINFO_EFFECTIVE_URL
o url: only reuse TLS connections with matching pinning
o urlapi: avoid index underflow for short ipv6 hostnames
o urlapi: fix URL encoding when setting a full URL
o urlapi: fix unused variable warning
o urlapi: question mark within fragment is still fragment
o urldata: use 'bool' for the bit type on MSVC compilers
o vtls: Fix comment typo about macosx-version-min compiler flag
o vtls: fix narrowing conversion warnings
o winbuild/MakefileBuild.vc: Add vssh
o winbuild/MakefileBuild.vc: Fix line endings
o winbuild: Add manifest to curl.exe for proper OS version detection
o winbuild: add ENABLE_UNICODE option
Changelog:
Security fixes:
#CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
#CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
#CVE-2019-11758: Potentially exploitable crash due to 360 Total Security
#CVE-2019-11759: Stack buffer overflow in HKDF output
#CVE-2019-11760: Stack buffer overflow in WebRTC networking
#CVE-2019-11761: Unintended access to a privileged JSONView object
#CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation
#CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
#CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
5.5:
Django 3.0 compatibility.
Plugin system for extending the Country object.
5.4:
Renamed Macedonia -> North Macedonia.
Fix an outlying makemigrations error.
Pulled in new translations which were provided but missing from previous version.
Fixed Simplified Chinese translation (needed to be locale/zh_Hans).
Introduce an optional complex format for COUNTRIES_ONLY and COUNTRIES_OVERRIDE to allow for multiple names for a country, a custom three character code, and a custom numeric country code.
3.1.1:
Support the value file:// for origins, which is accidentally sent by some versions of Chrome on Android.
3.1.0:
Drop Python 2 support, only Python 3.5-3.7 is supported now.
Fix all links for move from github.com/ottoyiu/django-cors-headers to github.com/adamchainz/django-cors-headers.
Version 2.0.12:
- Fix too broad suppression of ``unused-argument`` warnings for functions and
methods where the first argument is named ``request``. Now issues warnings
for the rest of the arguments if they are unused.
- Pass arguments of ``scripts/test.sh`` to ``test_func/pytest`` to ease
development.
- Document behavior when ForeignKey fields are referenced as strings.
Django 2.2.7:
Fixed a crash when using a contains, contained_by, has_key, has_keys, or has_any_keys lookup on JSONField, if the right or left hand side of an expression is a key transform.
Prevented migrate --plan from showing that RunPython operations are irreversible when reverse_code callables don’t have docstrings or when showing a forward migration plan.
Fixed migrations crash on PostgreSQL when adding an Index with fields ordering and opclasses.
Restored the ability to override get_FOO_display().
Django 1.11.26:
Fixed a crash when using a contains, contained_by, has_key, has_keys, or has_any_keys lookup on JSONField, if the right or left hand side of an expression is a key transform.
3.6.3:
This release fixes issues introduced with 3.6.2 and the extend backport.
Also fixes an issue with memory lifespan of error_src on the C-API.
Additionally some edge case crashes have also been addressed.
Changelog
Fix compound extend warning
Fix extend being stuck in endless loop
Fix various edge-case segfault crashes
Extend error_src lifetime on c-api context
Fix memory leak in permutation function
Preserve indentation in nested mode
pkgsrc changes:
* Fix the script that initializes the PostgreSQL database. Patch for AWL
directory was broken. Add '-U @PGUSER@' to psql command because it
is the default database administrator out of the box.
* Bump revision.
* Try to use pkgsrc clang/clang++ explicitly
Changelog:
Fixed
Fix for an issue that caused some websites or page elements using dynamic JavaScript to fail to load. (Bug 1592136)
Update OpenH264 video plugin for macOS 10.15 users (Bug 1587543)
Title bar no longer shows in full screen view (Bug 1588747)
Changed
OpenH264 video codec version bump for macOS 10.15 users (Bug 1587543)
Changes:
* BREAKING
* Hide some user information via API if user doesn't have enough permission (#8655) (#8658)
* BUGFIXES
* Fix milestone close timestamp (#8728) (#8731)
* Fix deadline on update issue or PR via API (#8699)
* Fix 'New Issue Missing Milestone Comment' (#8678) (#8682)
* Fix 500 when getting user as unauthenticated user (#8653) (#8662)
* Use AppSubUrl for more redirections (#8647) (#8652)
* Add SubURL to redirect path (#8632) (#8634) (#8640)
* Fix #8582 by handling empty repos (#8587) (#8593)
* Fix bug on pull requests when transfer head repository (#8571)
* Add missed close in ServeBlobLFS (#8527) (#8543)
* Return false if provided branch name is empty for IsBranchExist (#8485) (#8492)
* Create .ssh dir as necessary (#8369) (#8486) (#8489)
* Restore functionality for early gits (#7775) (#8476)
* Add check for empty set when dropping indexes during migration (#8475)
* Ensure Request Body Readers are closed in LFS server (#8454) (#8459)
* Ensure that LFS files are relative to the LFS content path (#8455) (#8458)
* SECURITY
* Ignore mentions for users with no access (#8395) (#8484)
* TESTING
* Update heatmap fixtures to restore tests (#8615) (#8617)
Logswan 2.1.1 (2019-10-30)
- Check if system has seccomp in CMakeLists.txt
- Use the HAVE_SECCOMP macro to check whether or not to enable seccomp
- Define and use a GEOIP2DB macro to specify GeoLite2 database name
- Add a switch (-d) to allow specifying path to a GeoIP2 database file
- Define and use a LOGSWAN_SYSCALL_ALLOW macro to make code more readable
- Adding missing #include guard in seccomp.h header file
- Use __NR_ instead of SYS_ prefix in LOGSWAN_SYSCALL_ALLOW
- Fix the build on aarch64 Linux, where the open() syscall does not exist
- Add error checking for both prctl() calls
19.10.1
new: updated docker image scripts
new: add WAMP serializer in use to SessionDetails
fix: partial support for xb buyers/sellers in pypy
fix: remove dependency on "ethereum" package (part of pypy support)
ChangeLog:
Logswan 2.1.0 (2019-10-23)
- Add FALLTHROUGH comments where appropriate
- Add support for parsing HTTP/3 requests
- Add initial seccomp support on Linux, tested on musl and glibc systems
* Offline build is incomplete. However I cannot finish the fix.
Changelog:
New
More privacy protections from Enhanced Tracking Protection:
Social tracking protection, which blocks cross-site tracking cookies from sites like Facebook, Twitter, and LinkedIn, is now a standard feature of Enhanced Tracking Protection.
The Privacy Protections report shows an overview, with details, of the trackers Firefox has blocked. It provides consolidated reports from Monitor and Lockwise.
More security protections from Firefox Lockwise, our digital identity and password management tool:
Lockwise for desktop lets you create, update, and delete your logins and passwords to sync across all your devices, including the Lockwise mobile apps and Firefox mobile browsers.
Integrated breach alerts from Firefox Monitor, to alert you when saved logins and passwords are compromised in online data breaches.
Complex password generation, to help you create and save strong passwords for new online accounts.
Improvements to core engine components, for better browsing on more sites
A faster Javascript Baseline Interpreter to handle the modern web’s
large codebases and improve page load performance by as much as 8
percent.
WebRender rolled out to more Firefox for Windows users, now available by default on Windows desktops with integrated Intel graphics cards and resolution of 1920x1200 or less for improved graphics rendering.
Compositor improvements in Firefox for macOS that reduce power
consumption, speed up page load by as much as 22 percent, and reduce
resource use for video by up to 37 percent.
More browser features to help you get the most out of Firefox products and services
A stand-alone Firefox account menu for easy access to Firefox services like Monitor and Send.
A message panel accessed from the gift icon in the toolbar that offers a quick overview of new releases and key features.
When a website uses your geolocation, an indicator is shown in the
address bar.
Fixed
Various security fixes
Changed
Built-in Firefox pages now follow the system dark mode preference
Aliased theme properties have been removed, which may affect some themes
Passwords can now be imported from Chrome on macOS in addition to existing support for Windows
Readability is now greatly improved on under- or overlined texts, including links. The lines will now be interrupted instead of crossing over a glyph.
Improved privacy and security indicators
A new crossed-out lock icon will indicate sites delivered via
insecure HTTP
The formerly green lock icon is now grey
The Extended Validation (EV) indicator has been moved to the identity
popup that appears when clicking the lock icon
Security fixes:
#CVE-2018-6156: Heap buffer overflow in FEC processing in WebRTC
#CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
#CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
#CVE-2019-11759: Stack buffer overflow in HKDF output
#CVE-2019-11760: Stack buffer overflow in WebRTC networking
#CVE-2019-11761: Unintended access to a privileged JSONView object
#CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation
#CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
#CVE-2019-11765: Incorrect permissions could be granted to a website
#CVE-2019-17000: CSP bypass using object tag with data: URI
#CVE-2019-17001: CSP bypass using object tag when script-src 'none' is specified
#CVE-2019-17002: upgrade-insecure-requests was not being honored for links dragged and dropped
#CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
Changelog:
Sat 26 Oct 2019 06:53:05 PM CEST
Fix regression where MHD would fail to return an empty response
when used with HTTPS.
Releasing libmicrohttpd 0.9.68. -CG/TR
Fri 25 Oct 2019 02:31:59 PM CEST
Introduce MHD_RF_INSANITY_HEADER_CONTENT_LENGTH. -CG
This code is somewhat poorly documented, and highly experimental.
It's the result of a quick bit of hacking to get MetaCPAN::API working
faster via the WWW::Mechanize::Cached module ( and gaining cache
persistence via CHI )
It works so far for this purpose.
At present, only "get" and "request" are implemented, and all other
calls fall through to a native HTTP::Tiny.
Changes with nginx 1.17.5:
*) Feature: now nginx uses ioctl(FIONREAD), if available, to avoid
reading from a fast connection for a long time.
*) Bugfix: incomplete escaped characters at the end of the request URI
were ignored.
*) Bugfix: "/." and "/.." at the end of the request URI were not
normalized.
*) Bugfix: in the "merge_slashes" directive.
*) Bugfix: in the "ignore_invalid_headers" directive.
Thanks to Alan Kemp.
*) Bugfix: nginx could not be built with MinGW-w64 gcc 8.1 or newer.
Changes:
5.2.4:
Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
Props to Weston Ruter for finding a way to create a stored XSS to inject Javascript into style tags.
Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.
5.2.3:
#38415: New Custom Link menu item has a wrong fallback label
#45739: Block Editor: $editor_styles bug.
#45935: A URL in do_block_editor_incompatible_meta_box function does not have classic-editor__forget parameter
#46757: Media Trash: The Bulk Media options when in the Trash shouldn’t provide two primary buttons
#46758: Media Trash: Primary button(s) should be on the left
#46899: Ensure that tables generated by the Settings API have no semantics
#47079: Incorrect version for excerpt_allowed_blocks filter
#47113: Media views: dismiss notice button is invisible
#47145: Feature Image dialog does not follow the dialog pattern
#47190: Twenty Seventeen: Native audio and video embeds have no focus state.
#47340: Twenty Nineteen: Revise Latest Posts block styles to support post content options.
#47386: Fix headings hierarchy in the legacy Custom Background and Custom Header pages
#47390: Improve accessibility of forms elements within some “form-table” forms
#47414: Twenty Seventeen: Button block preview has extra spacing within button
#47458: Fix tab sequence order in the Media attachment browser
#47489: Emoji are substituted in preformatted blocks
#47502: Media modal bottom toolbar cuts-off content in Internet Explorer 11
#47538: Minor Verbiage Update – Switch ‘developer time’ for ‘a developer’
#47543: Twenty Seventeen: buttons don’t change color on hover and focus
#47561: Plugin: View details popup layout issue
#47603: My account toggle on admin bar not visible at high zoom levels
#47604: Undefined variable: locked in wp-admin/edit-form-blocks.php
#47687: Use alt tags for gallery images in editor
#47688: Color hex code in color picker displayed in RTL instead of LTR on RTL install (take 2)
#47693: customizer Color picker should get closed when click on color picker area.
#47723: Adding a custom link in nav-menus.php doesn’t trim whitespace
#47758: Font sizes on installation screen are too small
#47835: PHP requirement always set to null for plugins
#47888: Adding a custom link in menu via Customize doesn’t trim whitespace.
Security Fixes
Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.
## 2.3.1 / 2019-10-22
### Security
Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171
## 2.3.0 / unreleased
### Features
* Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
* Expand set of allowed CSS functions. [related to #122]
* Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
* Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
* Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
* Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)
### Bug fixes
* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)
### Deprecations / Name Changes
The following method and constants are hereby deprecated, and will be completely removed in a future release:
* Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
* Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
* Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.
Nifty Site Manager ("nsm") is a cross-platform framework for managing
and generating websites. Some of its features are:
- it can manage and generate static and dynamic websites.
- it has support for pre/post build/serve scripts to integrate with
cURL, databases, SASS, Grunt, GraphQL, Python Web Server, Live
Server/Reload, and more.
- there is multithreading support
- it is language agnostic, you can use any language you want
(markdown, LATEX, html, xml, css, javascript, php, MySQL, etc)
- it integrates flawlessly with various Javascript and PHP frameworks
- it integrates with Git to clone from and push to various platforms
including AWS, BitBucket, GitHub, GitLab, Netlify, surge.sh, ZEIT Now, etc
- it has a templating system
(upstream)
ChangeLog has too many lines, sorry to omit
(pkgsrc)
- Some VARIABLES introduced to ease further version update
- following two patches dropped
(patch-w3mhack.el)
Compile mew-shimbun.el and mew-w3m.el when
emacs-w3m-mew option is set.
(patch-aclocal.m4)
Don't quote ${EGREP}, it may be set to "grep -E".
- (pkglint) LOCALBASE -> PREFIX
Upstream changes (from NEWS):
== Ruby-GNOME 3.4.1: 2019-10-16
This is a follow-up release of 3.4.0.
=== Changes
==== Ruby/GDK3
* Improvements
* Added support for (({String})) and (({Symbol})) as (({Gdk::Color})).
[GitHub#1286][Reported by rubyFeedback]
* Added support for (({String})) and (({Symbol})) as (({Gdk::RGBA})).
==== Ruby/GObjectIntrospection
* Improvements
* Added support for (({GBytes **})).
=== Thanks
* rubyFeedback
- Switch from FLTK 1.1 to FLTK 1.3 (tested to work with FLTK 1.4 too)
======================
# Changes in HTMLDOC v1.9.7
- Refactored the PRE rendering code to work around compiler optimization bugs
(Issue #349)
- Added support for links with targets (Issue #351)
- Fixed a table rowspan + valign bug (Issue #360)
# Changes in HTMLDOC v1.9.6
- Added support for data URIs (Issue #340)
- HTMLDOC no longer includes a PDF table of contents when converting a single
web page (Issue #344)
- Updated the markdown support with external links, additional inline markup,
and hard line breaks.
- Links in markdown text no longer render with a leading space as part of the
link (Issue #346)
- Fixed a buffer underflow bug discovered by AddressSanitizer.
- Fixed a bug in UTF-8 support (Issue #348)
- PDF output now includes the base language of the input document(s)
(Issue #350)
- Optimized the loading of font widths (Issue #354)
- Optimized PDF page resources (Issue #356)
- Optimized the base memory used for font widths (Issue #357)
- Added proper `&shy;` support (Issue #361)
- Title files can now be markdown.
# Changes in HTMLDOC v1.9.5
- The GUI did not support EPUB output.
- Empty markdown table cells were not rendered in PDF or PostScript output.
- The automatically-generated title page now supports both "docnumber" and
"version" metadata.
- Added support for dc:subject and dc:language metadata in EPUB output from the
HTML keywords and lang values.
- Added support for the subject and language metadata in markdown input.
- Fixed a buffer underflow bug (Issue #338)
- `htmldoc --help` now reports whether HTTPS URLs are supported (Issue #339)
- Fixed an issue with HTML title pages and EPUB output.
# Changes in HTMLDOC v1.9.4
- Inline fixed-width text is no longer reduced in size automatically
(Issue #309)
- Optimized initialization of font width data (Issue #334)
# Changes in HTMLDOC v1.9.3
- Fixed formatting bugs with aligned images (Issue #322, Issue #324)
- Fixed support for three digit "#RGB" color values (Issue #323)
- Fixed character set support for markdown metadata.
- Updated libpng to v1.6.34 (Issue #326)
- The makefiles did not use the CPPFLAGS value (Issue #328)
# Changes in HTMLDOC v1.9.2
- Added Markdown table support.
- Fixed parsing of TBODY, TFOOT, and THEAD elements in HTML files.
# Changes in HTMLDOC v1.9.1
- Fixed monospace font size issue (Issue #309)
- Added support for reproducible builds (Issue #310)
- Added limited support for the HTML 4.0 SPAN element (Issue #311)
- Added (extremely limited) UTF-8 support for input files (Issue #314)
- Fixed buffer underflow for (invalid) short HTML comments (Issue #316)
- Now indent PRE text, by popular request.
- EPUB output now makes sure that `<element property>` is written as
`<element property="property">`.
- Now support both NAME and ID for table-of-contents targets.
# Changes in HTMLDOC v1.9
- Added support for repeating a single header row for tables that span multiple
pages (Issue #16)
- Added support for embedding the current filename/URL in the header or footer
(Issue #50)
- Added EPUB support (Issue #301)
- Added Markdown support (Issue #302)
- Fixed a regression in header/footer image scaling (Issue #303)
- Documentation updates (Issue #305)
- Compiler fixes (Issue #304, Issue #306)
- Fixed a bug when running HTMLDOC as a macOS application.
- Updated the bundled libpng to v1.6.29.
# Changes in HTMLDOC v1.8.30
- Updated documentation to reflect new project page on Github.
- Dropped old CDE and IRIX desktop integration files.
- Cleaned up the GUI and adopted new default text editors for Linux and macOS.
- PAGE BREAK comments at the end of a file in web page mode would lose the
first page (Issue #251)
- Fixed the scaling of header/footer images to limit them to the height of the
header or footer (Issue #273)
- Fixed an issue with the top-level makefile not exiting with an error as
needed (Issue #282)
- Fixed a URL referencing bug when the same hostname but a different port was
used (Issue #290)
- Fixed build issue on macOS (Issue #291)
- Fixed handling of indexed+alpha PNG images (Issue #295)
# Changes in HTMLDOC v1.8.29
- Updated local PNG library to version 1.6.20.
- Updated local JPEG library to version 9b.
- Dropped support for OpenSSL.
- Added configure script support for libjpeg-turbo.
- Updated HTTP code to latest CUPS/ippsample sources.
- Duplex PDF output incorrectly forced an even number of pages
- The table of contents showed the wrong page numbers after headings containing
the "_HD_OMIT_TOC" attribute.
- Fixed reported build issues
- The configure script's --enable-local* options did not work.
# Changes in HTMLDOC v1.8.28
- Updated local zlib to version 1.2.8.
- Updated local PNG library to version 1.6.8.
- Updated local JPEG library to version 9.
- Updated default PDF version to 1.4.
- SECURITY: Fixed three buffer overflow issues when reading AFM files and
parsing page sizes.
- Fixed incompatibility with Fortify's version of strcpy, which does not work
properly with variable-length arrays
- Fixed compilation against PNG library 1.5 or later
- Fixed documentation errors
- Marked Zapf-Dingbats as a standard font
- Fixed GPL license text in GUI
- Fixed a table formatting problem when a column has multiple colspan values
- Fixed parsing of HTML comments
- Fixed potential out-of-bounds read in table-of-contents rendering code
- Fixed handling of image URLs with ampersands in them
- Fixed top/bottom margins for logo and header/footer images
- Fixed image alignment bug
- Fixed X11 build problem
- patch-ab/patch-ac/patch-ad/patch-ae/patch-htmldoc_htmlsep.cxx removed
Already merged upstream
- INSTALL_MAKE_FLAGS removed from Makefile
No longer required (autotools do the right things)
- OpenSSL option removed
OpenSSL support was dropped in version 1.8.29
Always use GnuTLS for "ssl" option
Changelog:
Thu 17 Oct 2019 04:50:52 PM CEST
Integrate 0-byte send() method for uncorking for old FreeBSD/OS X
systems into new mhd_send.c logic for uncorking.
Releasing libmicrohttpd 0.9.67. -CG
Fri 18 Aug 2019 00:00:00 PM UTC
Fixes and optimizations for the setsockopt handling:
* Added: MHD_UPGRADE_ACTION_CORK_ON and MHD_UPGRADE_ACTION_CORK_OFF
to enum MHD_UpgradeAction (turn corking on/off on the underlying
socket).
* Use calls and flags native to the system for corking and
other operations, tested with performance improvements on
FreeBSD, Debian Linux, NetBSD, and cygwin. In particular,
this adds selective usage of MSG_MORE, NODELAY, TCP_NOPUSH,
TCP_CORK. -ng0
Fri 09 Aug 2019 10:07:27 AM CEST
Copy compiler and linker hardening flags from GNUnet (updating
configure.ac). -CG
3.6.2:
Improve pseudo selector handling
Code improvements
Fix various functions arguments
Fix "call" for $function
Check weight argument on invert call
Improve makefile to use dylib extension on MacOS
Fix bug in scale-color with positive saturation
Minor API documentation improvements
Fix selector isInvisible logic
Fix evaluation of unary expressions in loops
Fix attribute selector equality with modifiers
* BUGFIXES
* Highlight issue references (#8101) (#8404)
* Fix bug when migrating a private repository #7917 (#8403)
* Change general form binding to gogs form (#8334) (#8402)
* Fix editor commit to new branch if PR disabled (#8375) (#8401)
* Fix milestone num_issues (#8221) (#8400)
* Allow users with explicit read access to give approvals (#8398)
* Fix commit status in PR #8316 and PR #8321 (#8339)
* Fix API for edit and delete release attachment (#8290)
* Fix assets on release webhook (#8283)
* Fix release API URL generation (#8239)
* Allow registration when button is hidden (#8238)
* MS Teams webhook misses commit messages (backport v1.9) (#8225)
* Fix data race (#8206)
* Fix pull merge 500 error caused by git-fetch breaking behaviors (#8194)
* Fix the SSH config specification in the authorized_keys template (#8193)
* Fix reading git notes from nested trees (#8189)
* Fix team user api (#8172) (#8188)
* Add reviewers as participants (#8124)
* BUILD
* Use vendored go-swagger (#8087) (#8165)
* Fix version-validation for GO 1.13 (go-macaron/cors) (#8389)
* MISC
* Make show private icon when repo avatar set (#8144) (#8175)
3.2.2
* Avoid some reference cycles through tracebacks in httpserver.py
3.2.1
* Handle io.UnsupportedOperation from socket.tell()
3.2.0
* Ensure unicode URLs work in TestApp.
* Make LimitedLengthFile file return empty bytes.
* Protect against accidental close in FieldStorage.
3.1.1
* TestApp.encode_multipart handles bytes filenames and params.
3.1.0
* Allow anything that can read() for a file-like response, not just
a ``file`` instance.
Changes with nginx 1.17.4
*) Change: better detection of incorrect client behavior in HTTP/2.
*) Change: in handling of not fully read client request body when
returning errors in HTTP/2.
*) Bugfix: the "worker_shutdown_timeout" directive might not work when
using HTTP/2.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 and the "proxy_request_buffering" directive.
*) Bugfix: the ECONNABORTED error log level was "crit" instead of
"error" on Windows when using SSL.
*) Bugfix: nginx ignored extra data when using chunked transfer
encoding.
*) Bugfix: nginx always returned the 500 error if the "return" directive
was used and an error occurred during reading client request body.
*) Bugfix: in memory allocation error handling.
Changelog:
Fixed
Fixed download errors for Windows 10 users with Parental Controls enabled (bug 1586228)
Fixed Yahoo mail users being prompted to download files when clicking on emails (bug 1582848)
4.8.1:
* When the html.parser or html5lib parsers are in use, Beautiful Soup
will, by default, record the position in the original document where
each tag was encountered. This includes line number (Tag.sourceline)
and position within a line (Tag.sourcepos). Based on code by Chris
Mayo.
* When instantiating a BeautifulSoup object, it's now possible to
provide a dictionary ('element_classes') of the classes you'd like to be
instantiated instead of Tag, NavigableString, etc.
* Fixed the definition of the default XML namespace when using
lxml 4.4. Patch by Isaac Muse.
* Fixed a crash when pretty-printing tags that were not created
during initial parsing.
* Copying a Tag preserves information that was originally obtained from
the TreeBuilder used to build the original Tag.
* Raise an explanatory exception when the underlying parser
completely rejects the incoming markup.
* Avoid a crash when trying to detect the declared encoding of a
Unicode document.
* Avoid a crash when unpickling certain parse trees generated
using html5lib on Python 3.
3.24.0:
Adds the ability to add custom data to the JWT headers via the headers kwarg when making new tokens or via the jwt_manager.additional_headers_loader decorator. These headers can be accessed in your endpoints via the get_raw_jwt_header function.
Version 0.16.0
Deprecate most top-level attributes provided by the werkzeug module in favor of direct imports. The deprecated imports will be removed in version 1.0.
For example, instead of import werkzeug; werkzeug.url_quote, do from werkzeug.urls import url_quote. A deprecation warning will show the correct import to use. werkzeug.exceptions and werkzeug.routing should also be imported instead of accessed, but for technical reasons can’t show a warning.
Upstream changes (from NEWS):
== Ruby-GNOME 3.4.0: 2019-10-10
This is a bug fix release of 3.3.9.
=== Changes
==== Ruby/ATK
* Fixes
* Fixed a typo.
[GitHub#1302][Reported by kojix2]
=== Thanks
* kojix2
== Ruby-GNOME 3.3.9: 2019-10-10
This is a full GLib 2.62.0 support release.
=== Changes
==== Ruby/GLib2
* Improvements
* Deprecated (({GLib::Param::PRIVATE})). Use
(({GLib::Param::STATIC_NAME})) instead.
* Deprecated (({GLib::Param#private?})). Use
(({GLib::Param#static_name?})) instead.
* Added new flags:
* (({GLib::Param::STATIC_NICK}))
* (({GLib::Param::STATIC_BLURB}))
* (({GLib::Param::EXPLICIT_NOTIFY}))
* (({GLib::Param::DEPRECATED}))
* Added new predicates:
* (({GLib::Param#static_nick?}))
* (({GLib::Param#static_blurb?}))
* (({GLib::Param#explicit_notify?}))
* (({GLib::Param#deprecated?}))
* Deprecated (({ruby_gnome2_version})) in `mkmf-gnome`. Use
(({ruby_gnome_version})) instead.
* Added (({rbgobj_gtype_from_ruby()})).
* Added (({rbg_is_object()})).
* Added (({rbg_is_value()})).
* Added (({rbg_is_bytes()})).
* Removed needless const from the return value of
(({rbg_rval2strv()})).
* Removed needless const from the return value of
(({rbg_rval2strv_accept_nil()})).
* Added (({rbg_rval2filenamev()})).
* Added (({rbg_rval2filenamev_accept_nil()})).
* Stopped to define (({GType})) for (({GPollFD})).
==== Ruby/GObjectIntrospection
* Improvements
* Added support for conversion from (({GLib::Bytes})) to
(({[gint8]})) and (({[guint8]})).
* Added more information to inspected result.
==== Ruby/GIO2
* Improvements
* Added support for GLib 2.62.0 or later.
[GitHub#1296][Reported by Mamoru TASAKA]
==== Ruby/GTK3
* Improvements
* Added (({Gtk::TreeModelSort.new})).
[GitHub#1298][Reported by LutzLue]
==== Ruby/GStreamer
* Improvements
* Removed all custom callbacks.
* (({Gst::TagList#each})): Changed to yield tag name and tag
values.
=== Thanks
* LutzLue
* Mamoru TASAKA
Core versioning support in *.info.yml files since 8.7.7
Drupal 8.7.7 introduces a new core_version_requirement key to
*.info.yml files, allowing contributed modules to specify specific
versions for Drupal core compatibility, as well as to indicate that they
are compatible with both Drupal 8 and the forthcoming Drupal 9 release.
See the change record for more details.
Dependency updates
* Several JavaScript dependencies have been updated to resolve
publicly disclosed security issues:
+ nightwatch has been updated to version 1.2.1
+ chromedriver has been updated to version 75.1.0
+ stylelint-no-browser-hacks has been updated to 1.2.1
* Due to a compatibility issue between zend-diactoros 1.8.5 and
psr-http-message-bridge versions prior to 1.1.2, Drupal core's
composer.json has increased the minimum requirement for
psr-http-message-bridge from 1.0 to 1.1.2. This should not affect
sites using the tarball packaged by Drupal.org (which already
supplied version 1.1.2 of the component in Drupal 8.7.7), but may
lead to a dependency update for certain sites maintained with
Composer.
Full release notes available at:
https://www.drupal.org/project/drupal/releases/8.7.8
3.6.2:
Features
- Made exceptions pickleable. Also changed the repr of some exceptions.
- Use Iterable type hint instead of Sequence for Application *middleware*
parameter.
Bugfixes
- Reset the sock_read timeout each time data is received for an
aiohttp.ClientResponse.
- Fix handling of expired cookies so they are not stored in CookieJar.
- Fix misleading message in the string representation of ClientConnectorError;
self.ssl == None means default SSL context, not SSL disabled
- Don't clobber HTTP status when using FileResponse.
Improved Documentation
- Added minimal required logging configuration to logging documentation.
- Update docs to reflect proxy support.
- Fix typo in code example in testing docs.
2.3.0:
* Adjusted ``AsgiHandler`` HTTP body handling to use a spooled temporary file,
rather than reading the whole request body into memory.
As a result, ``AsgiRequest.__init__()`` is adjusted to expect a file-like
``stream``, rather than the whole ``body`` as bytes. Test cases instantiating
requests directly will likely need to be updated to wrap the provided body
in, e.g., `io.BytesIO`.
3.2.2:
Added helpful syntax errors when someone tries to run Beautiful Soup 3
code under Python 3. Added a detailed deprecation warning with
instructions for everyone else.
1.9.4
- **FIX**: :checked rule was too strict with option elements. The specification for :checked does not require an
option element to be under a select element.
- **FIX**: Fix level 4 :lang() wildcard match handling with singletons. Implicit wildcard matching should not
match any singleton. Explicit wildcard matching (* in the language range: *-US) is allowed to match singletons.
Changes:
Use octal mode for -M (patch by dfjoerg)
Add -b backlog option (fixes #2422, patch by aschmitz)
Restrict Unix socket file ownership by default to ug=rw
Add example apparmor spawn-fcgi abstraction
Use autoreconf instead of calling tools manually
Add more flags to extra-warning flags
Check return values of setuid, setgid, setgroups, initgroups, write
Check whether compiler supports wanted CFLAGS (fixes #2235)
Fix resource leaks in failure cases (found with coverity)
Changelog:
A quick overview of what is new:
Remote Wipe allows users and administrators to forcibly clean files from remote devices, for example in case they are stolen.
Nextcloud Text, our new distraction-free, collaborative rich text editor
Improvements to secure view like enforceable watermarks enable virtual data room use
Setup two-factor authentication after first login, admins can create one-time login tokens in the web UI and delegate this to group admins
secure mailbox in Outlook Add-in
LDAP write support makes it possible to manage users from Nextcloud
S3 versioning support, IBM Spectrum Scale integration and Global Scale with Collabora Online
Changelog:
4.0.0
Major Enhancements
Drop ruby 2.3 (#7454)
Drop support for Ruby 2.1 and 2.2 (#6560)
Drop support for older versions of Rouge (#6978)
Drop support for pygments as syntax-highlighter (#7118)
Drop support for Redcarpet (#6987)
Drop support for rdiscount (#6988)
Drop support for jekyll-watch-1.4.0 and older (#7287)
Incorporate relative_url filter in link tag (#6727)
Upgrade kramdown dependency to v2.x (#7492)
Upgrade jekyll-sass-converter to v2.x - Sassc + sourcemaps (#7778)
Upgrade i18n to v1.x (#6931)
Add Jekyll::Cache class to handle caching on disk (#7169)
Cache converted markdown (#7159)
Cache: Do not dump undumpable objects (#7190)
Cache matched defaults sets for given parameters (#6888)
Ignore cache directory (#7184)
Add Site#in_cache_dir helper method (#7160)
Remove 'cache_dir' during jekyll clean (#7158)
Cache parsed Liquid templates in memory (#7136)
Only read layouts from source_dir or theme_dir (#6788)
Allow custom sorting of collection documents (#7427)
Always exclude certain paths from being processed (#7188)
Remove Jekyll::Utils#strip_heredoc in favor of a Ruby > 2.3 built in (#7584)
Incorporate relative_url within post_url tag (#7589)
Remove patch to modify config for kramdown (#7699)
Minor Enhancements
Enhance --blank scaffolding (#7310)
Use jekyll-compose if installed (#6932)
Disable Liquid via front matter (#6824)
Configure cache_dir (#7232)
ISO week date drops (#5981)
Fix custom 404 page for GitHub pages (#7132)
Load config file from within current theme-gem (#7304)
Suggest re-running command with --trace on fail (#6551)
Support for binary operators in where_exp filter (#6998)
Automatically load _config.toml (#7299)
Add vendor folder to a newly installed site's .gitignore (#6968)
Output Jekyll Version while debugging (#7173)
Memoize computing excerpt's relative_path (#6951)
Skip processing posts that can not be read (#7302)
Memoize the return value of Site#documents (#7273)
Cache globbed paths in front matter defaults (#7345)
Cache computed item property (#7301)
Cleanup Markdown converter (#7519)
Do not process Liquid in post excerpt when disabled in front matter (#7146)
Liquefied link tag (#6269)
Update item_property to return numbers as numbers instead of strings (#6608)
Use .markdown extension for page templates (#7126)
Add support for *.xhtml files (#6854)
Allow i18n v0.9.5 and higher (#7044)
Ignore permission error of /proc/version (#7267)
Strip extra slashes via Jekyll.sanitized_path (#7182)
Site template: remove default config for markdown (#7285)
Add a custom inspect string for StaticFile objects (#7422)
Remind user to include gem in the Gemfile on error (#7476)
Search Front matter defaults for Page objects with relative_path (#7261)
Lock use of tzinfo gem to v1.x (#7521, #7562)
Utilize absolute paths of user-provided file paths (#7450)
Detect nil and empty values in objects with where filter (#7580)
Initialize mutations for Drops only if necessary (#7657)
Reduce Array allocations via Jekyll::Cleaner (#7659)
Encode and unencode urls only as required (#7654)
Reduce string allocations with better alternatives (#7643)
Reduce allocations from Jekyll::Document instances (#7625)
Add type attribute to Document instances (#7406)
Reduce allocations from where-filter (#7653)
Memoize SiteDrop#documents to reduce allocations (#7697)
Add PathManager class to cache interim paths (#7732)
Remove warnings and fixes for deprecated config (#7440)
Delegate --profile tabulation to terminal-table (#7627)
Bug Fixes
Security: fix include bypass of EntryFilter#filter symlink check (#7226)
Theme gems: ensure directories aren't symlinks (#7419)
Add call to unused method validate_options in commands/serve.rb (#7122)
Check if scope applies to type before given path (#7263)
Document two methods, simplify one of the methods (#7270)
Check key in collections only if it isn't "posts" (#7277)
Interpolate Jekyll::Page subclass on inspection (#7203)
Measure the no. of times a template gets rendered (#7316)
Reduce array traversal in Jekyll::Reader (#7157)
Re-implement handling Liquid blocks in excerpts (#7250)
Documents should be able to render their date (#7404)
Fix Interpreter warning from Jekyll::Renderer (#7448)
Loggers should accept both numbers and symbols (#6967)
Replace regex arg to :gsub with a string arg (#7189)
Dont write static files from unrendered collection (#7410)
Excerpt handling of custom and intermediate tags (#7382)
Change future post loglevel to warn to help user narrow down issues (#7527)
Handle files with trailing dots in their basename (#7315)
Fix unnecessary allocations via StaticFileReader (#7572)
Don't check if site URL is absolute if it is nil (#7498)
Avoid unnecessary duplication of pages array (#7272)
Memoize Site#post_attr_hash (#7276)
Memoize Document#excerpt_separator (#7569)
Optimize Document::DATE_FILENAME_MATCHER to match valid filenames (#7292)
Escape valid special chars in a site's path name (#7568)
Replace name in Page#inspect with relative_path (#7434)
Log a warning when the slug is empty (#7357)
Push Markdown link refs to excerpt only as required (#7577)
Fix broken include_relative usage in excerpt (#7633)
Initialize and reset glob_cache only as necessary (#7658)
Revert memoizing Site#docs_to_write and #documents (#7684)
Backport #7684 for v3.8.x: Revert memoizing Site#docs_to_write and refactor #documents (#7689)
Backport #7213 and #7633 for v3.8.x: Fix broken include_relative usage in excerpt (#7690)
Don't read symlinks in site.include in safe mode (#7711)
Replace String#=~ with String#match? (#7723)
Update log output for an invalid theme directory (#7679)
Remove configuration of theme sass files from Core (#7290)
Actually conditionally include liquid-c (#7792)
Test number_like regex on stringified property (#7788)
Development Fixes
Upgrade liquid-c to v4.0 (#7375)
Bump RuboCop to v0.71.0 (#7687)
Target Ruby 2.4 syntax (#7583)
Fix: RuboCop offenses (#7769)
Use communicative method parameters (#7566)
Scan assert_equal methods and rectify any offenses with a custom RuboCop cop (#7130)
CI: Test with Ruby 2.6 (#7438)
CI: Test with Ruby 2.6 on AppVeyor (#7518)
CI: Update RuboCop config (#7050)
CI: Add a script to profile docs (#7540)
CI(Appveyor): shallow clone with 5 last commits (#7312)
CI: Test with oldest and latest Ruby only (#7412)
CI: Update excludes for CodeClimate Analyses (#7365)
CI: Lock Travis to Bundler-1.16.2 (#7144)
CI: Bump tested version of JRuby to 9.2.7.0 (#7612)
CI: Do not install docs on updating gems on Travis (#7706)
Update gemspec (#7425)
deps: relax version constraint on classifier-reborn gem (#7471)
deps: update yajl-ruby (#7278)
deps: bump yajl-ruby to v1.4.0 (#6976)
Create symlink only if target is accessible (#7429)
Switch to :install_if for wdm gem (#7372)
Add cucumber feature to test include_relative tag (#7213)
Small benchmark refactoring (#7211)
Fix incorrectly passed arguments to assert_equal (#7134)
fix up refute_equal call (#7133)
Fix RuboCop offences in test files (#7128)
Use assert_include (#7093)
Remember to release docs gem (#7066)
Useless privates removed (#6768)
Load Rouge for TestKramdown (#7007)
Update instructions for releasing docs Gem (#6975)
We are not using Ruby 2.2 anymore (#6977)
Remove unnecessary Jekyll::Page constant (#6770)
Remove unused error class (#6511)
Add a Cucumber feature for post_url tag (#7586)
Generate a "TOTAL" row for build-profile table (#7614)
Refactor Jekyll::Cache (#7532)
Store list of expected extnames in a constant (#7638)
Profile allocations from a build session (#7646)
Update small typo in contributing.md (#7671)
Remove override to Jekyll::Document#respond_to? (#7695)
Update TestTags in sync with Rouge v3.4 (#7709)
Use regexp to filter special entries (#7702)
Reduce Array objects generated from utility method (#7749)
Update mime.types (#7756)
Replace redundant Array#map with Array#each (#7761)
Reduce allocations by using #each_with_object (#7758)
Memoize fallback_data for Drop (#7728)
Use String#end_with? to check if entry is a backup (#7701)
Documentation
Refactor docs (#7205)
Add a link to Giraffe Academy's tutorial (#7325)
Do not advise users to install Jekyll outside of Bundler (#6927)
Remove documentation for using Redcarpet (#6990)
Install Docs that Work on MacOS 10.14 (#7561)
Add Installation Instructions for Ubuntu (#6925)
Don't prompt for sudo when installing with Ubuntu WSL (#6781)
Installation instructions for Fedora (#7198)
Update Windows install docs (#6926)
List all standard liquid filters (#7333)
List all static files variables (#7002)
Improve how to include Rouge stylesheets (#7752)
Mention CommonMark plugins (#7418)
Add TSV to list of supported _data files. (#7168)
How to deploy using pre-push git hook (#7179)
Hosting with AWS Amplify (#7510)
CircleCI deployment through CircleCI v2 (#7024)
GitHub Pages: use themes from other repos (#7112)
Document page.dir and page.name (#7373)
Document custom tag blocks (#7359)
Document converter methods (#7289)
Document {{ page.collection }} (#7430)
Document Jekyll Filters with YAML data (#7335)
Document where Jekyll looks for layouts in a site (#7564)
plugin: liquid tag jekyll-flickr (#6946)
plugin: jekyll-target-blank (#7046)
plugin: json-get. (#7086)
plugin: jekyll-info (#7091)
plugin: jekyll-xml-source (#7114)
plugin: jekyll-firstimage filter (#7127)
plugin: CAT (#7011)
Resources: Statictastic (#7593)
Resources: Bonsai Search (#7543)
Resources: Formspark (#7601)
Resources: Jekpack (#7598)
Resources: formX (#7536)
Resources: 99inbound's Jekyll post (#7348)
Resources: CloudSh (#7497)
Community: DEV Community's Jekyll tag (#7139)
Showcase: developer.spotify.com (#7217)
Showcase: Isomer (#7300)
Add version number for group_by_exp doc (#6956)
Updated nginx configuration for custom-404-page documentation (#6994)
Clarify definition of 'draft' (#7037)
_drafts need to be contained within the custom collection directory (#6985)
Updated to supported version (#7031)
Add Hints for some Improved Travis Config in Doc (#7049)
Update travis-ci.md to point out "this is an example Gemfile" (#7089)
Instructions to view theme’s files under Linux (#7095)
Use a real theme in the example (#7125)
Update docs about post creation (#7138)
Initialize upgrading doc for v4.0 (#7140)
Add version badge for date filters with ordinal (#7162)
Corrected sample usage of postfiles (#7181)
Resolve "Unable to locate package ruby2.4" error (#7196)
Correct stylesheet url in tutorial step 7 (#7210)
Removes quotes from markdown for assets (#7223)
Clarified front matter requirement (#7234)
Explicit location of where to create blog.html (#7241)
Reference the build command options that allows multiple config files (#7266)
Add more issue template(s) and pull request template (#7269)
Suggest sites use OpenSSL instead of GnuTLS for their site's CI (#7010)
Fix broken Contributors link in README.markdown (#7200)
Add title tag to item in RSS template (#7282)
Add link tag to item in RSS template (#7291)
Remove redundant instruction comment (#7342)
Textile is only supported through a converter plugin (#7003)
Add recursive navigation tutorial (#7720)
Remove installation instructions with Homebrew (#7381)
Fix dead link and misleading prose (#7383)
Fix content management section (#7385)
Apply ruby official guide documents (#7393)
Fix group_by_exp filter example (#7394)
Remove alt attribute from a tags (#7407)
Fix BASH code-block in ubuntu.md (#7420)
zlib is missing (#7428)
Fixed unnecessary articles and pronouns (#7466)
Store SSL key and cert in site source (#7473)
Fix typo in tutorial for converting existing site (#7524)
Check if var exists before include tag (#7530)
Clarify docs on collections regarding the need for front matter (#7538)
Fix incorrect Windows path in themes.md (#7525)
Addresses bundle not found. (#7351)
Update the contribution docs for draft pull requests (#7619)
Data file section adds TSV (#7640)
Indicate where the _sass folder is by default (#7644)
Docs: add version tags to new placeholders (#5981) for permalinks (#7647)
Solve "GitHub Page build failure" in 10-deployment.md (#7648)
fix link to Site Source config (#7708)
Introduce frontmatter in step 2 (#7704)
Add @ashmaroli to Core Team listing (#7398)
Link to Tidelift in site's footer (#7377)
Link to OpenCollective backing (#7378)
Link to sponsor listing in README (#7405)
Adjust team page listings (#7395)
Updates to CODE OF CONDUCT (v1.4.0) (#7105)
More inclusive writing (#7283)
Update Ruby version used in Travis-CI example (#7783)
Documentation for binary operators in where_exp (#7786)
Adding SmartForms as Forms service (#7794)
Site Enhancements
Better Performance (#7388)
Add some minor improvements to image loading in Showcase page (#7214)
Simplify assigning classname to docs' aside-links (#7609)
Simplify couple of includes in the docs site (#7607)
Avoid generating empty classnames (#7610)
Minimize rendering count (#7343)
Release
Release post for v4.0.0 beta1 (#7716)
Release post for v4.0.0.pre.alpha1 (#7574)
Release post for v3.8.0 (#6849)
Release post for v3.6.3, v3.7.4 and v3.8.4 (#7259)
Post: v4.0 development (#6934)
Changelog:
2.0.1
Bug Fixes
Do not register hooks for documents of type :pages (#94)
Append theme's sass path after all sanitizations (#96)
2.0.0
Major Enhancements
Migrate to sassc gem (#75)
Use and test sassc-2.1.0 pre-releases and beyond (#86)
Drop support for Ruby 2.3 (#90)
Minor Enhancements
Generate Sass Sourcemaps (#79)
Configure Sass to load from theme-gem if possible (#80)
SyntaxError line and filename are set by SassC (#85)
Memoize #jekyll_sass_configuration (#82)
Development Fixes
Target Ruby 2.3 (#70)
Lint with rubocop-jekyll (#73)
Clear out RuboCop TODO (#87)
Cache stateless regexes in class constants (#83)
Add appveyor.yml (#76)
Bug Fixes
Fix rendering of sourcemap page (#89)
2.0.0.pre.beta
Major Enhancements
Migrate to sassc gem (#75)
Drop support for Ruby 2.3 (#90)
Minor Enhancements
Generate Sass Sourcemaps (#79)
Configure Sass to load from theme-gem if possible (#80)
SyntaxError line and filename are set by SassC (#85)
Memoize #jekyll_sass_configuration (#82)
Development Fixes
Target Ruby 2.3 (#70)
Lint with rubocop-jekyll (#73)
Clear out RuboCop TODO (#87)
Cache stateless regexes in class constants (#83)
Add appveyor.yml (#76)
Changelog:
2.6.1
Development Fixes
Test against Jekyll 4.x (#336)
2.6.0
Minor Enhancements
Twitter Image and Title (#330)
Bug Fixes
Do not cache the drop payload for SeoTag (#306)
Update url of schema website (#296)
Development Fixes
Relax version constraint on Bundler (#325)
chore(ci): Add Ruby 2.6, drop Ruby 2.3 (#326)
chore (ci): remove deprecated sudo: false in .travis.yml (#333)
Lint Ruby code with rubocop-jekyll gem (#302)
chore(deps): bump rubocop-jekyll to v0.4 (#320)
chore(deps): bump rubocop-jekyll to v0.3 (#316)
Correct RuboCop offenses in spec files (#319)
Documentation
Rectify error in Usage documentation (#328)
Changelog:
0.12.1
Bug Fixes
Re-introduce Ruby 2.3 support and test Jekyll 3.7+ (#272)
0.12.0
Allow Jekyll v4 (still alpha)
Development Fixes
style: fix offenses in specs (#248)
dev: update CI and style settings (#258)
Enable testing for Windows platform (#265)
Changelog:
Tomcat 9.0.26 (markt)
Other
Fix: Re-tagged to ensure that the source file for the changelog did not contain an XML byte order mark. (markt)
not released Tomcat 9.0.25 (markt)
Catalina
Fix: Avoid a possible InvalidPathException when obtaining a URI for a configuration file. (markt)
Fix: 63684: Wrapper never passed to RealmBase.hasRole() for given security constraints. (michaelo)
Fix: 63740: Ensure configuration files are loaded correctly when a Host is configured with an xmlBase. Patch provided by uk4sx. (markt)
Fix: Avoid a potential NullPointerException on Service stop if a Service is embedded directly (i.e. with no Server) in an application and JNDI is enabled. Patch provided by S. Ali Tokmen. (markt)
Add: Add a new PropertySource implementation, EnvironmentPropertySource, that can be used to do property replacement in configuration files with environment variables. Based on a pull request provided by Thomas Meyer. (markt)
Coyote
Fix: 63682: Fix a potential hang when using the asynchronous Servlet API to write the response body and the stream and/or connection window reaches 0 bytes in size. (markt)
Fix: 63690: Use the average of the current and previous sizes when calculating overhead for HTTP/2 DATA and WINDOW_UPDATE frames to avoid false positives as a result of client side buffering behaviour that causes a small percentage of non-final DATA frames to be smaller than expected. (markt)
Fix: 63706: Avoid NPE accessing https port with plaintext. (remm)
Fix: Correct typos in the names of the configuration attributes overheadDataThreshold and overheadWindowUpdateThreshold. (markt)
Fix: If the HTTP/2 connection requires an initial window size larger than the default, send a WINDOW_UPDATE to increase the flow control window for the connection so that the initial size of the flow control window for the connection is consistent with the increased value. (markt)
Fix: 63710: When using HTTP/2, ensure that a content-length header is not set for those responses with status codes that do not permit one. (markt)
Fix: 63737: Correct various issues when parsing the accept-encoding header to determine if gzip encoding is supported including only parsing the first header found. (markt)
Jasper
Fix: 63724: Correct a regression introduced in 9.0.21 that broke compilation of JSPs in some configurations. (markt)
Web applications
Fix: Correct the source code links on the index page for the ROOT web application to point to Git rather than Subversion. (markt)
Fix: Fix various issues with the Javadoc generated for the documentation web application to enable release builds to be built with Java 10 onwards. (markt)
Fix: 63733: Remove the documentation for the "Additional Components" since they have been removed / merged into the core Tomcat distribution for 9.0.5 onwards. (markt)
Fix: 63739: Correct the invalid Automatic-Module-Name manifest entries for the Tomcat provided JARs included in the Tomcat embedded distribution. (markt)
Fix: Fix a large number of Javadoc and documentation typos. Patch provided by KangZhiDong. (markt)
Fix: Spelling and formatting corrections for the cluster how-to. Pull request provided by Bill Mitchell. (markt)
Other
Add: Expand the coverage and quality of the French translations provided with Apache Tomcat. (remm)
Add: Expand the coverage and quality of the Simplified Chinese translations provided with Apache Tomcat. Includes contributions by leeyazhou and 康智冬. (markt)
Fix: 62140: Additional usage documentation in comments for catalina.[bat|sh]. (markt)
Fix: Fix JSSE_OPTS quoting in catalina.bat. Contributed by Peter Uhnak. (fschumacher)
Update: 63625: Update to Commons Daemon 1.2.1. This corrects several regressions in Commons Daemon 1.2.1, most notably the Windows Service crashing on start when using 32-bit JVMs. (markt)
Fix: 63689: Correct a regression in the fix for 63285 that meant that when installing a service, the service display name was not set. (markt)
Fix: When performing a silent install with the Windows Installer, ensure that the registry entries are added to the 64-bit registry when using a 64-bit JVM. (markt)
Fix: Remove unused i18n messages and associated translations. Patch provided by KangZhiDong. (markt)
Add: Expand the coverage and quality of the Korean translations provided with Apache Tomcat. (woonsan)
2019-08-17 Tomcat 9.0.24 (markt)
Coyote
Code: Remove the code in the sendfile poller that ensured smaller pollsets were used with older, no longer supported versions of Windows that could not support larger pollsets. (markt)
not released Tomcat 9.0.23 (markt)
Catalina
Update: 63627: Implement more fine-grained handling in RealmBase.authenticate(GSSContext, boolean). (michaelo)
Add: 62496: Add option to write auth information (remote user/auth type) to response headers. (michaelo)
Add: 57665: Add support for the X-Forwarded-Host header to the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63550: Only try the alternateURL in the JNDIRealm if one has been specified. (markt)
Add: 63556: Mark request as forwarded in RemoteIpValve and RemoteIpFilter (michaelo)
Fix: If an unhandled exception occurs on an asynchronous thread started via AsyncContext.start(Runnable), process it using the standard error page mechanism. (markt)
Fix: Discard large byte buffers allocated using setBufferSize when recycling the request. (remm)
Fix: 63579: Correct parsing of malformed OPTIONS requests and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)
Fix: 63608: Align the implementation of the negative match feature for patterns used with the RewriteValve with the description in the documentation. (markt)
Fix: Avoid a NullPointerException in the CrawlerSessionManagerValve if no ROOT Context is deployed and a request does not map to any of the other deployed Contexts. Patch provided by Jop Zinkweg. (markt)
Fix: 63636: Context.findRoleMapping() never called in StandardWrapper.findSecurityReference(). (michaelo)
Coyote
Code: Refactor the APR poller to always use a single pollset now that the Windows operating systems that required multiple smaller pollsets to be used are no longer supported. (markt)
Fix: 63524: Improve the handling of PEM file based keys and certificates that do not include a full certificate chain when configuring the internal, in-memory key store. Improve the handling of PKCS#1 formatted private keys when configuring the internal, in-memory key store. (markt)
Update: Add callback when finishing the set properties rule in the digester. (remm)
Fix: 63570: Fix regression retrieving local address with the NIO connector. Submitted by Aditya Kadakia. (remm)
Fix: 63568: Avoid error when trying to set tcpNoDelay on socket types that do not support it, which can occur when using the NIO inherited channel capability. Submitted by František Kučera. (remm)
Fix: Correct parsing of invalid host names that contain bytes in the range 128 to 255 and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)
Fix: 63571: Allow users to configure infinite TLS session caches and/or timeouts. (markt)
Fix: 63578: Improve handling of invalid requests so that 400 responses are returned to the client rather than 500 responses. (markt)
Fix: Fix h2spec test suite failure. It is an error if a Huffman encoded string literal contains the EOS symbol. (jfclere)
Add: Connections that fail the TLS handshake will now appear in the access logs with a 400 status code. (markt)
Fix: Timeouts for HTTP/2 connections were not always correctly handled leaving some connections open for longer than expected. (markt)
Fix: 63650: Refactor initialisation for JSSE based TLS connectors to enable custom JSSE providers that provide custom cipher suites to be used. (markt)
Add: Expand the HTTP/2 excessive overhead protection to cover various forms of abusive client behaviour and close the connection if any such behaviour is detected. (markt)
Fix: Fix a crash on shutdown with the APR/native connector when a blocking I/O operation was still in progress when the connector stopped. (markt)
Cluster
Fix: Avoid failing Kubernetes membership (and preventing startup) if the stream cannot be opened, to get the same behavior as the DNS based membership. The namespace is still a failure on startup but it is easy to provide. (remm)
Fix: Avoid non fatal NPEs with Tribes when JMX is not available. (remm)
Fix: Make Kube environment optional for Kube memberships, for easier testing and Graal training. A warn log will occur if the environment is not present. (remm)
Web applications
Fix: 63597: Update the custom 404 error page for the Host Manager to take account of previous refactoring so that the page is used for 404 errors rather than falling back to the default error page. (markt)
Other
Fix: JNDI support for GraalVM native images. (remm)
Fix: JSP runtime library support for GraalVM native images. (remm)
Fix: java.util.logging configuration for GraalVM native images. (remm)
Update: Update Checkstyle to 8.22. (markt)
Update: 62696: The digital signature for the Windows installer now uses SHA-256 for hashes. (markt)
Update: 63310: Update to Commons Daemon 1.2.0. This provides improved support for Java 11. This also changes the user configured by the Windows installer for the Windows service from Local System to the lower privileged Local Service. (markt)
Fix: 55969: Tighten up the security of the Apache Tomcat installation created by the Windows installer. Change the default shutdown port used by the Windows installer from 8005 to -1 (disabled). Limit access to the chosen installation directory to local administrators, Local System and Local Service. (markt)
Add: Expand the coverage and quality of the French translations provided with Apache Tomcat. (remm)
Add: 63285: Add an option to service.bat so that when installing a Windows service, the name of the executables used by the Windows service may be changed to match the service name. This makes the installation behaviour consistent with the Windows installer. The original executable names will be restored when the Windows service is removed. The renaming can be enabled by using the new --rename option after the service name. (markt)
Fix: 63567: Restore the passing of $LOGGING_MANAGER to the jvm in catalina.sh when calling stop. (markt)
Fix: Correct broken OSGi data in JAR file manifests. (markt)
Fix: Add "embed" to the Bundle-Name and Bundle-Symbolic-Name for the Tomcat embedded WebSocket JAR to align the naming with the other embedded JARs and to differentiate it from the standard WebSocket JAR that does not include the API classes. (markt)
Fix: 63555: Add Automatic-Module-Name entries for each of the Tomcat provided JARs included in the Tomcat embedded distribution. (markt)
Update: Update dependency on bnd to 4.2.0. (markt)
Update: Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to pick up the fix for CODEC-134. (markt)
Update: Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to pick up the changes Commons Pool2 2.7.0. (markt)
Update: Update the internal fork of Commons DBCP2 to 87d9e3a (2018-08-01) to pick up the changes Commons DBCP2 2.7.0 and DBCP-555. (markt)
Update: 63648: Update the test TLS keys and certificates used in the test suite to replace the keys and certificates that are about to expire. (markt)
Changelog:
Fixed
Fixed a crash when editing files on Office 365 websites (bug 1579858)
Fixed detection of the Windows 10 Parental Controls feature being enabled (bug 1584613)
Fixed a Linux-only crash when changing the playback speed while watching YouTube videos (bug 1582222)
3.6.1:
Features
- Compatibility with Python 3.8.
Bugfixes
- correct some exception string format
- Emit a warning when ``ssl.OP_NO_COMPRESSION`` is
unavailable because the runtime is built against
an outdated OpenSSL.
- Update multidict requirement to >= 4.5
Improved Documentation
- Provide pytest-aiohttp namespace for pytest fixtures in docs.
Upstream changes:
5.9010 - 2019-04-25
- updated stale urls
- numerous typo fixes
- many pod syntax fixes
- other pod syntax cleanup
- added references to the RT issues queue, mailing list, and irc channel
Update DEPENDS
Upstream changes:
0.37 - 2019-04-28
- fix Makefile.PL when current directory not in @INC (perl 5.26+)
- convert from Module::Install to Distar for release tooling
- Drop unneeded prerequisite on YAML
c-icap-modules-0.5.3 changes
- Add support for ClamAV 0.101.x
- Bug fix: use url-decoded string as filename on viralator mode
c-icap-modules-0.5.2 changes
- virus_scan: Add the counter AV_SCAN_FAILURES to count scan engine failures
- virus_scan: fix error handling when PassOnError is set to on
- virus_scan: Report correctly the X-Violations-Found header and the virus_scan:viruses-list attribute.
- url_check: Fix misplaced space in added headers using the HttpHeaderReplace and HttpHeaderAdd* rules
c-icap-modules-0.4.5 changes
- Fixes to compile with the c-icap-0.5.x releases
c-icap-0.5.5 changes
- c-icap may crash with a SIGBUS while using mmap to map files to memory.
- Fix multiple brotli decoding bugs
- c-icap-client does not send the ";ieof" preview termination sequence when it sends zero-sized files
c-icap-0.5.4 changes
- Bug fix: IPv6 address can not be used on Port configuration parameter
- Mark as deprecated the tls-method TlsPort option
- Bug fix: c-icap fails to decompress zero-sized files compressed with brotli
c-icap-0.5.2 changes
- Document the forceUnload=off option for Service/Module configuration parameter
- Bug fix: c-icap crashes when converting ci_simple_file_t to a memory object
- ci_headers_value* functions should remove spaces at the beginning of the returned value
c-icap-0.5.1 changes
The 0.5.1 release has the following new major features:
* TLS/SSL support. This feature sponsored by Ergon Informatik AG.
* A non-blocking ICAP client API. This feature sponsored by Ergon Informatik AG.
* Allow 204 response on preview handler even if the ICAP client does not support preview.
* New API functions.
Major bugs fixed:
* c-icap crashes on shutdown or on reconfigure, because of unloaded c++ dynamic libraries. The new release accepts the forceUnload=off parameter to Module and Service configuration parameters to force c-icap to not actually unload dynamic libraries on reconfigure, or shutdown.
New configuration parameters:
* FakeAllow204
* TlsPort
* TlsPassphrase
2.2.3
Changes:
- Fix: admin widgets, fix import of static template tag (part 2)
2.2.2
Changes:
- Fix: autoslugfield, find unique method overrideable
- Fix: notes, do not replace dot in template dirs
- Fix: admin widgets, fix import of static template tag
- Improvement: print_user_for_session, use session backend
- Improvement: sqlcreate, postgis support
- Improvement: graph_models, permit combination of includes and excludes
- Improvement: Adds missing GIS engine to DEFAULT_MYSQL_ENGINES
- Improvement: sqldiff, use lowercase field names in MySQL
- Improvement: sqldiff, mysql code could duplicate AUTO_INCREMENT and UNSIGNED statements
1.25.6:
* Fix issue where tilde (``~``) characters were incorrectly
percent-encoded in the path.
1.25.5:
* Add mitigation for BPO-37428 affecting Python <3.7.4 and OpenSSL 1.1.1+ which
caused certificate verification to be enabled when using ``cert_reqs=CERT_NONE``.
1.25.4:
* Propagate Retry-After header settings to subsequent retries.
* Fix edge case where Retry-After header was still respected even when
explicitly opted out of.
* Remove dependency on ``rfc3986`` for URL parsing.
* Fix issue where URLs containing invalid characters within ``Url.auth`` would
raise an exception instead of percent-encoding those characters.
* Add support for ``HTTPResponse.auto_close = False`` which makes HTTP responses
work well with BufferedReaders and other ``io`` module features.
* Percent-encode invalid characters in URL for ``HTTPConnectionPool.request()``
Changelog:
Tomcat 8.5.46 (markt)
Catalina
Fix: 63684: Wrapper never passed to RealmBase.hasRole() for given security constraints. (michaelo)
Fix: Avoid a potential NullPointerException on Service stop if a Service is embedded directly (i.e. with no Server) in an application and JNDI is enabled. Patch provided by S. Ali Tokmen. (markt)
Add: Add a new PropertySource implementation, EnvironmentPropertySource, that can be used to do property replacement in configuration files with environment variables. Based on a pull request provided by Thomas Meyer. (markt)
Coyote
Fix: 63682: Fix a potential hang when using the asynchronous Servlet API to write the response body and the stream and/or connection window reaches 0 bytes in size. (markt)
Fix: 63690: Use the average of the current and previous sizes when calculating overhead for HTTP/2 DATA and WINDOW_UPDATE frames to avoid false positives as a result of client side buffering behaviour that causes a small percentage of non-final DATA frames to be smaller than expected. (markt)
Fix: 63706: Avoid NPE accessing https port with plaintext. (remm)
Fix: Correct typos in the names of the configuration attributes overheadDataThreshold and overheadWindowUpdateThreshold. (markt)
Fix: If the HTTP/2 connection requires an initial window size larger than the default, send a WINDOW_UPDATE to increase the flow control window for the connection so that the initial size of the flow control window for the connection is consistent with the increased value. (markt)
Fix: 63710: When using HTTP/2, ensure that a content-length header is not set for those responses with status codes that do not permit one. (markt)
Fix: 63737: Correct various issues when parsing the accept-encoding header to determine if gzip encoding is supported including only parsing the first header found. (markt)
Web applications
Fix: Correct the source code links on the index page for the ROOT web application to point to Git rather than Subversion. (markt)
Fix: Fix various issues with the Javadoc generated for the documentation web application to enable release builds to be built with Java 10 onwards. (markt)
Fix: Fix a large number of Javadoc and documentation typos. Patch provided by KangZhiDong. (markt)
Fix: Spelling and formatting corrections for the cluster how-to. Pull request provided by Bill Mitchell. (markt)
Other
Fix: Back-port various corrections and improvements to the English versions of the i18n messages. (markt)
Add: Include the available German translations in the standard Tomcat distribution. Back-port additions and updates to the German i18n messages. (markt)
Fix: Back-port various corrections and improvements to the Spanish i18n messages. (markt)
Fix: Back-port various corrections and improvements to the French i18n messages. (markt)
Fix: Back-port various corrections and improvements to the Japanese i18n messages. (markt)
Fix: Back-port various corrections and improvements to the Russian i18n messages. (markt)
Add: Add Korean translations to the standard Tomcat distribution. (markt)
Add: Add Simplified Chinese translations to the standard Tomcat distribution. (markt)
Fix: 62140: Additional usage documentation in comments for catalina.[bat|sh]. (markt)
Fix: Fix JSSE_OPTS quoting in catalina.bat. Contributed by Peter Uhnak. (fschumacher)
Update: 63625: Update to Commons Daemon 1.2.1. This corrects several regressions in Commons Daemon 1.2.1, most notably the Windows Service crashing on start when using 32-bit JVMs. (markt)
Fix: 63689: Correct a regression in the fix for 63285 that meant that when installing a service, the service display name was not set. (markt)
Fix: When performing a silent install with the Windows Installer, ensure that the registry entries are added to the 64-bit registry when using a 64-bit JVM. (markt)
Fix: Remove unused i18n messages and associated translations. Patch provided by KangZhiDong. (markt)
2019-08-21 Tomcat 8.5.45 (markt)
Coyote
Code: Remove the code in the sendfile poller that ensured smaller pollsets were used with older, no longer supported versions of Windows that could not support larger pollsets. (markt)
not released Tomcat 8.5.44 (markt)
Catalina
Add: 62258: Don't trigger the standard error page mechanism when the error has caused the connection to the client to be closed as no-one will ever see the error page. (markt)
Update: 63627: Implement more fine-grained handling in RealmBase.authenticate(GSSContext, boolean). (michaelo)
Add: 62496: Add option to write auth information (remote user/auth type) to response headers. (michaelo)
Add: 51497: Add an option, ipv6Canonical, to the AccessLogValve that causes IPv6 addresses to be output in canonical form defined by RFC 5952. (ognjen/markt)
Add: 57665: Add support for the X-Forwarded-Host header to the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63550: Only try the alternateURL in the JNDIRealm if one has been specified. (markt)
Add: 63556: Mark request as forwarded in RemoteIpValve and RemoteIpFilter (michaelo)
Fix: If an unhandled exception occurs on an asynchronous thread started via AsyncContext.start(Runnable), process it using the standard error page mechanism. (markt)
Fix: Discard large byte buffers allocated using setBufferSize when recycling the request. (remm)
Fix: 63579: Correct parsing of malformed OPTIONS requests and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)
Fix: Correct version information in X-Powered-By header. (markt)
Fix: 63608: Align the implementation of the negative match feature for patterns used with the RewriteVx: Avoid a NullPointerException in the CrawlerSessionManagerValve if no ROOT Context is deployed and a request does not map to any of the other deployed Contexts. Patch provided by Jop Zinkweg. (markt)
Fix: 63636: Context.findRoleMapping() never called 3524: Improve the handling of PEM file based keys and certificates that do not include a full certificate chain when configuring the internal, in-memory key store. Improve the handling of PKCS#1 formatted private keys when configuring the internal, in-memying to set tcpNoDelay on socket types that do not support it, which can occur when using the NIO inherited channel capability. Submitted by František Kučera. (remm)
Fix: Correct parsing of invalid host names that contain bytes in the range 128 to 255 or that results in a 500 response. (markt)
Fix: 63571: Allow users to configure infinite TLS session caches and/or timeouts. (markt)
Fix: 63578: Improve handling of invalid requests so that 400 responses are returned to the client rather than 500 respon an error if a Huffman encoded string literal contains the EOS symbol. (jfclere)
Add: Connections that fail the TLS handshake will now appear in the access logs with a 400 status code. (markt)
Fix: Timeouts for HTTP/2 connections were not always correctnger than expected. (markt)
Add: Expand the HTTP/2 excessive overhead protection to cover various forms of abusive client behaviour and close the connection if any such behaviour is detected. (markt)
Fix: Fix a crash on shutdown with the APR/native connress when the connector stopped. (markt)
Web applications
Fix: 63597: Update the custom 404 error page for the Host Manager to take account of previous refactoring so that the page is used for 404 errors rather than falling back to the default error pagebat so that when installing a Windows service, by default, it changes the name of the executables used by the Windows service to match the service name. This makes the installation behaviour consistent with the Windows installer. The original executable nhe renaming can be disabled by using the new --no-rename option after the service name. (markt)
Update: Switch from Checkstyle to the JRE6 backport and update to version 8.22. This allows Tomcat 8.5 to use the newer Checkstyle releases while still buildi digital signature for the Windows installer now uses SHA-256 for hashes. (markt)
Update: 63310: Update to Commons Daemon 1.2.0. This provides improved support for Java 11. This also changes the user configured by the Windows installer for the Windows seer privileged Local Service. (markt)
Fix: 55969: Tighten up the security of the Apache Tomcat installation created by the Windows installer. Change the default shutdown port used by the Windows installer from 8005 to -1 (disabled). Limit access to the cho local administrators, Local System and Local Service. (markt)
Add: 63285: Add an option to service.bat so that when installing a Windows service, the name of the executables used by the Windows service may be changed to match the service name. This maksistent with the Windows installer. The original executable names will be restored when the Windows service is removed. The renaming can be enabled by using the new --rename option after the service name. (markt)
Fix: 63567: Restore the passing of $LOGGIsh when calling stop. (markt)
Update: Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to pick up the fix for CODEC-134. (markt)
Update: Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to pick up the changes Commons Poe the internal fork of Commons DBCP2 to 87d9e3a (2018-08-01) to pick up the changes Commons DBCP2 2.7.0 and DBCP-555. (markt)
Update: 63648: Update the test TLS keys and certificates used in the test suite to replace the keys and certificates that are about to expire. (markt)
Django 2.2.6:
Fixed migrations crash on SQLite when altering a model containing partial indexes.
Fixed a regression in Django 2.2.4 that caused a crash when filtering with a Subquery() annotation of a queryset containing JSONField or HStoreField.
- Removes obsolete patches no longer applicable to 1.29.0.
- Adds a patch to support building cliqz from clang base in NetBSD.
- No longer uses gcc in the build process.
Changes since 1.28.2:
Merge with Firefox 69.0.1
Committed during freeze as it's a security fix to a leaf package. ok maya@