* Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
* Stop using i18n's built in HTML error handling. Fixes: CVE-2013-4491
* Escape the unit value provided to number_to_currency Fixes CVE-2013-6415
* Only use valid mime type symbols as cache keys CVE-2013-6414
* Fix more of rev.12660
* Protect aclIsProxyAuth() debugging from NULL names (via NULL AclMatchedName).
* Bug 3972: Segfault when getting the deny info page ID after a reconfigure
* Fix mistake in porting rev.12660
* Bug 3782: Digest authentication not obeying nonce_max_count
* Bug 3970: max_filedescriptors disabled due to missing setrlimit
* Bug 3967: ipc/Kid.cc compilation failure: 'time' was not declared in this scope
* Re-compute Range response content offset after an FTP response was adapted.
* Source Maintenance: re-add snapshot script to branch
* Bug 3960: Dead Peers Are Not Revived
* Windows: Fix aclocal "is already registered" errors
* Windows: Ensure array index is an integer in C code
* Bug 3956: xstrndup: tried to dup a NULL pointer
* Make HTTP header parser obey relaxed_header_parser
* SourceFormat Enforcement
* Replace blocking sleep(3) and close UDS socket on failures.
* Bug 3936: error-details.txt parse error
* Bug 3906: Filedescriptor leaks in SNMP
This release fixes several bugs and adds two new pie charts about the most use top second level domains. It is also possible to do DNS lookup of Ip addresses inside SquidAnalyzer, see UseClientDNSName new configuration directive. This can slow down dramatically the squid-analyzer performances but you can adjust the DNS lookup timeout to prevent waiting slow DNS server, see DNSLookupTimeout new configuration directive.
- Update and fix first and second top level domain name.
- Add new directive DNSLookupTimeout to change the default timeout for
DNS lookup. Add 0.0001 second timeout when SquidAnalyzer look for a DNS
name and can't find a name server.
- Add pie chart of top second level domains.
- Fix some HTML tag issues and table ordering on Top domain hits and Top
url hits.
- Update INSTALL file to remove GD::Graph requirements.
- Change underscore used to replace space in user name by the special
string _SPC_ so that underscore will not be wrongly replaced on HTML
output.
- Fix pt_BR translation with charset to utf-8 and a few words with
accentuation fix.
- Allow Ip addresses on user names to be replaced by their DNS name, this
feature is activated by a new directive: UseClientDNSName.
- Add missing description of --no-year-stat option to documentation and
squid-analyzer usage.
4.58 2013-11-19
- Improved IIS and WebSphere compatibility of Mojo::Message::Request.
- Improved Mojo::Collection to allow join without arguments.
- Improved Mojo::DOM::HTML performance.
- Fixed recursion bug in Mojo::Reactor::EV where timers could run more than
once.
- Fixed a few "0" value bugs in Mojo::DOM::HTML.
Changelog:
Changes with Apache 2.4.7
*) APR 1.5.0 or later is now required for the event MPM.
*) slotmem_shm: Error detection. [Jim Jagielski]
*) event: Use skiplist data structure. [Jim Jagielski]
*) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication
and align w/ trunk. [Jim Jagielski]
*) Fix potential rejection of valid MaxMemFree and ThreadStackSize
directives. [Mike Rumph <mike.rumph oracle.com>]
*) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
An individual envvar with an encoded length of more than 16K will be
omitted. [Jeff Trawick]
*) mod_proxy_fcgi: Handle reading protocol data that is split between
packets. [Jeff Trawick]
*) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
allowing custom parameters to be configured via SSLCertificateFile,
and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
Unless custom parameters are configured, the standardized parameters
are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
*) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
*) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
keys, and unconditionally disable aNULL, eNULL and EXP ciphers
(not overridable via SSLCipherSuite). [Kaspar Brand]
*) Add experimental cmake-based build system for Windows. [Jeff Trawick,
Tom Donovan]
*) event MPM: Fix possible crashes (third party modules accessing c->sbh)
or occasional missed mod_status updates for some keepalive requests
under load. [Eric Covener]
*) mod_authn_socache: Support optional initialization arguments for
socache providers. [Chris Darroch]
*) mod_session: Reset the max-age on session save. Bug 47476. [Alexey
Varlamov <alexey.v.varlamov gmail com>]
*) mod_session: After parsing the value of the header specified by the
SessionHeader directive, remove the value from the response. Bug 55279.
[Graham Leggett]
*) mod_headers: Allow for format specifiers in the substitution string
when using Header edit. [Daniel Ruggeri]
*) mod_dav: dav_resource->uri is treated as unencoded. This was an
unnecessary ABI changed introduced in 2.4.6. Bug 55397.
*) mod_dav: Don't require lock tokens for COPY source. Bug 55306.
*) core: Don't truncate output when sending is interrupted by a signal,
such as from an exiting CGI process. Bug 55643. [Jeff Trawick]
*) WinNT MPM: Exit the child if the parent process crashes or is terminated.
[Oracle Corporation]
*) Windows: Correct failure to discard stderr in some error log
configurations. (Error message AH00093) [Jeff Trawick]
*) mod_session_crypto: Allow using exec: calls to obtain session
encryption key. [Daniel Ruggeri]
*) core: Add missing Reason-Phrase in HTTP response headers.
Bug 54946. [Rainer Jung]
*) mod_rewrite: Make rewrite websocket-aware to allow proxying.
Bug 55598. [Chris Harris <chris.harris kitware com>]
*) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]
*) ab: Add wait time, fix processing time, and output write errors only if
they occured. [Christophe Jaillet]
*) worker MPM: Don't forcibly kill worker threads if the child process is
exiting gracefully. [Oracle Corporation]
*) core: apachectl -S prints wildcard name-based virtual hosts twice.
Bug 54948 [Eric Covener]
*) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to
allow migration of passwords from digest to basic authentication.
[Chris Darroch]
*) ab: Add a new -l parameter in order not to check the length of the responses.
This can be usefull with dynamic pages.
Bug 9945, Bug 27888, Bug 42040 [<ccikrs1 cranbrook edu>]
*) Suppress formatting of startup messages written to the console when
ErrorLogFormat is used. [Jeff Trawick]
*) mod_auth_digest: Be more specific when the realm mismatches because the
realm has not been specified. [Graham Leggett]
*) mod_proxy: Add a note in the balancer manager stating whether changes
will or will not be persisted and whether settings are inherited.
[Daniel Ruggeri, Jim Jagielski]
*) mod_cache: Avoid a crash with strcmp() when the hostname is not provided.
[Graham Leggett]
*) core: Add util_fcgi.h and associated definitions and support
routines for FastCGI, based largely on mod_proxy_fcgi.
[Jeff Trawick]
*) mod_headers: Add 'Header note header-name note-name' for copying a response
headers value into a note. [Eric Covener]
*) mod_headers: Add 'setifempty' command to Header and RequestHeader.
[Eric Covener]
*) mod_logio: new format-specifier %S (sum) which is the sum of received
and sent byte counts.
Bug 54015 [Christophe Jaillet]
*) mod_deflate: Improve error detection when decompressing request bodies
with trailing garbage: handle case where trailing bytes are in
the same bucket. [Rainer Jung]
*) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663
from ERROR to DEBUG, since these modules do not know what mod_authz_core
is doing with their AUTHZ_DENIED return value. [Eric Covener]
*) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener]
*) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener]
*) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP
SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK
default, sans rebind authentication callback.
[Jan Kaluza <kaluze AT redhat.com>]
*) core: Log a message at TRACE1 when the client aborts a connection.
[Eric Covener]
*) WinNT MPM: Don't crash during child process initialization if the
Listen protocol is unrecognized. [Jeff Trawick]
*) modules: Fix some compiler warnings. [Guenter Knauf]
*) Sync 2.4 and trunk
- Avoid some memory allocation and work when TRACE1 is not activated
- fix typo in include guard
- indent
- No need to lower the string before removing the path, it is just a waste of time...
- Save a few cycles
[Christophe Jaillet <christophe.jaillet wanadoo.fr>]
*) mod_filter: Add "change=no" as a proto-flag to FilterProtocol
to remove a providers initial flags set at registration time.
[Eric Covener]
*) core, mod_ssl: Enable the ability for a module to reverse the sense of
a poll event from a read to a write or vice versa. This is a step on
the way to allow mod_ssl taking full advantage of the event MPM.
[Graham Leggett]
*) Makefile.win: Install proper pcre DLL file during debug build install.
Bug 55235. [Ben Reser <ben reser org>]
*) mod_ldap: Fix a potential memory leak or corruption. Bug 54936.
[Zhenbo Xu <zhenbo1987 gmail com>]
*) ab: Fix potential buffer overflows when processing the T and X
command-line options. Bug 55360.
[Mike Rumph <mike.rumph oracle.com>]
*) fcgistarter: Specify SO_REUSEADDR to allow starting a server
with old connections in TIME_WAIT. [Jeff Trawick]
*) core: Add open_htaccess hook which, in conjunction with dirwalk_stat
and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be
used without patches to httpd core. [Stefan Fritsch]
*) support/htdbm: fix processing of -t command line switch. Regression
introduced in 2.4.4
Bug 55264 [Jo Rhett <jrhett netconsonance com>]
[Apache 2.3.0-dev includes those bug fixes and changes with the
Apache 2.2.xx tree as documented, and except as noted, below.]
Changes with Apache 2.2.x and later:
*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
Changes with Apache 2.0.x and later:
*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
* pkgsrc change: drop optional php-tidy package requirement from MESSAGE.
Version 3.2.1 (2013-11-29)
--------------------------
### Updated
Updated TinyMCE to version 3.5.10 to fix the IE11 issues (see #6479).
### Fixed
Optionally override the repository tables when importing a template (see #6470).
### Fixed
Only do the UUID conversion once even if the `Database\Updater` helper methods
are called multiple times (see #6481).
### Fixed
Correctly toggle the mobile/desktop view (see #6227).
### Fixed
Correctly detect UUIDs in the "file" insert tag (see #6472).
### Fixed
Correctly assign images to FAQs (see #6465).
### Fixed
Improved the speed and memory footprint of the news archive menu (see #6463).
### Fixed
Removed `CalendarEventsModel::findBoundaries()` (see #6467).
Changelog:
The Apache Tomcat Project is proud to announce the release of version 7.0.47 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.42. The notable changes include:
Back-port the JSR-356 Java WebSocket 1.0 implementation from Apache Tomcat 8. Note that use of this functionality requires Java 7.
Deprecate the Apache Tomcat proprietary WebSocket API in favour of the new JSR-356 implementation.
Add a drawing board example to the WebSocket examples.
The minimum required APR/native library version required if the APR/native connector is used is now 1.1.29.
Upstream changes:
0.038 2013-11-18 12:56:26 America/New_York
[FIXED]
- Fixed a bug where authentication parameters in the URL would override
an existing Authorization header
0.037 2013-10-28 13:26:21 America/New_York
[FIXED]
- Basic authentication in the URL is now unescaped before being encoded
into the authentication header
[DOCUMENTED]
- Added HTTP::Tiny::UA to SEE ALSO and suggested it as the appropriate
place for new features
0.036 2013-09-25 12:10:06 America/New_York
[FIXED]
- Compile test could hang on Windows
[PREREQS]
- Dropped configure_requires for ExtUtils::MakeMaker to 6.17
[META]
- Updated support files
0.035 2013-09-10 12:29:28 America/New_York
[CHANGED]
- Encoded from data from 'post_form' preserves term order if data is
provided as an array reference. (They are still sorted for consistency
if provided as a hash reference.)
* Add mozilla-chatzilla option for chatzilla (and some JavaScript
development tools, I cannot separate them.)
Changelog:
Fixed in SeaMonkey 2.22.1
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
* Fix MESSAGE for sqlite3
Changelog:
Version 5.0.13 Nov 8th 2013
SECURITY: Fix a possible security bypass on admin page under certain circumstances and MariaDB
Correctly update database schema during app update
Fix automatic login rejecion error message
Several Oracle fixes
Fixing serverroot/webroot calculation
Adding detection for aborted uploads for chunked uploads
Fixing directory handling that end with a space
Fixing home storage handling
Allow to share a file/folder as public link also if one of it parents was already shared as link
Fix search in shared folders
Fix check for uploads into Shared folder
Several Shared folder handling fixes
Prefere them PNGs over core SVGs
Fall back to default log file of specified logfile doesn't exist
Several IE fixes
Fix LDAP login for certain circumstances
Fixed chunk size calculation for encrypted files
Fix recursive delete for smb
Fix using touch for creating files for smb
Support OCS Share API
Fix updating ETAGs
Don't write user passwords into logfile
Enable configuration of timezones for logfile timestamps
Cleanup share database table for files that no longer exist
Adding privilege check on move and rename operations
Contao Open Source CMS.
Contao is an Open Source Content Management Framework developed by Leo Feyer
and distributed under the LGPL license (see GPL.txt and LGPL.txt for more
information). It was formerly known as TYPOlight Open Source CMS.
Its open architecture allows everybody to extend the system to fit his
needs. Contao specializes in accessible websites and is accessbile
itself (front end and back end), rendering valid HTML5 or XHTML pages.
Changelog:
FIXED
Update branches that use 4.10 RTM to 4.10.2 RTM (see 935568)
FIXED
Update Mozilla to NSS 3.15.3 (new alternative NSS branch) to pick up a few fixes (see 935959)
FIXED
Some UI strings in Firefox 24.1.0 ESR l10n builds are in English (see 932310)
Changelog:
FIXED
25.0.1: New security fixes can be found here
FIXED
25.0.1: Pages sometimes wouldn't load without first moving the cursor
Fixed in Firefox 25.0.1
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
Version 2.11.13 (2013-11-19)
----------------------------
### Fixed
Sort the list of available modules (see #6391).
### Fixed
Decode entities in passwords (see #6252).
### Fixed
Replace insert tags in the details view of the listing module (see #6120).
Upstream changes:
Highlights
MDL-41252 - Accessibility improvements to course page.
MDL-34209 - Moving sections by drag and drop reorders sections correctly.
MDL-29987 - Embedded PDF files behave correctly.
Functional changes
MDL-42069 - Option to sort by last name in Quiz grading report.
MDL-38267 - Submit button is not shown after cut-off date in Assignment.
MDL-22669 - When restoring a larger course over a smaller one, the number of sections is maintained.
MDL-42666 and MDL-42668 - The Box.net repository and Box.net portfolio have been updated to use Box.net API v2. Moodle sites which have used the Box.net repository previously need to run the Box.net-alias-to-copy-conversion tool as soon as possible. Also, HTTPS is now required for sites to access Box.net. See Box.net APIv1 migration for details.
API changes
MDL-41861, MDL-41882, MDL-41853,... - Generator tools have been backported.
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-32862 - Links to 1.9 resource types work after upgrade to 2.2 followed by backup and restore.
MDL-40903 - Persistent cache is now split into logical parts.
MDL-41942 - Courses in categories no longer become invisible due to caching problem.
MDL-41352 - Mymobile theme no longer producing JavaScript error on course pages.
MDL-37528 - Block drag-and-drop issue resolved.
MDL-42542 - The Portfolio cron job is now working.
MDL-42619 - Error deleting a course link from the community block is fixed.
MDL-37877 - Automated backup failure is now reported.
