0.11 (2015-08-21)
- Add libsass filter (Mantas, sirex).
- Add SlimitIt filter (Michael Fladischer).
- Prevent filters from crashing if the input file is empty (empty string
passed).
- A number of smaller improvements.
1.3.0 (2015-08-23)
------------------
* New feature: Edit models in the list view in a popup
* New feature: Read-only model details view
* Fixed XSS in column_editable_list values
* Improved navigation consistency in model create and edit views
* Ability to choose page size in model list view
* Updated client-side dependencies (jQuery, Select2, etc)
* Updated documentation and examples
* Updated translations
* Bug fixes
* Denial-of-service possibility in logout() view by filling session store.
* Bugfixes:
- Added the ability to serialize values from the newly added UUIDField.
- Added a system check warning if the old TEMPLATE_* settings are defined in addition to the new TEMPLATES setting.
- Fixed QuerySet.raw() so InvalidQuery is not raised when using the db_column name of a ForeignKey field with primary_key=True.
- Prevented an exception in TestCase.setUpTestData() from leaking the transaction.
- Fixed has_changed() method in contrib.postgres.forms.HStoreField.
- Fixed the recording of squashed migrations when running the migrate command.
- Moved the unsaved model instance assignment data loss check to Model.save() to allow easier usage of in-memory models.
- Prevented varchar_patterns_ops and text_patterns_ops indexes for ArrayField.
Upstream changes:
6.17 2015-08-21
- Improved slurp method in Mojo::Asset::File to only use one file descriptor.
6.16 2015-08-19
- Improved check_box, radio_button and select_field tag helpers to handle the
attributes "checked" and "selected" correctly.
- Improved performance of slurp function in Mojo::Util slightly.
6.15 2015-08-13
- Removed deprecated build_body and build_headers methods from Mojo::Content.
- Improved Mojo::Transaction::HTTP performance slightly.
- Fixed warnings in Mojo::DOM.
WebKit is an open source web browser engine. WebKit is also the name of
the Mac OS X system framework version of the engine that's used by
Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML
and JavaScript code began as a branch of the KHTML and KJS libraries
from KDE.
This is the GTK3+ port of the engine.
Upstream changes, ref.
https://www.mozilla.org/en-US/firefox/38.2.0/releasenotes/
* Firefox may crash during mp4 video playback
* Significant memory leak with GreaseMonkey add-on
* crash [@ RtlEnterCriticalSection | MessageLoop::PostTask_Helper]
on browser shutdown
* Browser UI becomes unresponsive state when using Unity Web Player Plugin
* ESRs will not build on hppa platform
* crash in mozilla::layers::SyncObjectD3D11::FinalizeFrame()
and a smattering of security fixes:
* 2015-92 Use-after-free in XMLHttpRequest with shared workers
* 2015-90 Vulnerabilities found through code inspection
* 2015-89 Buffer overflows on Libvpx when decoding WebM video
* 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
* 2015-87 Crash when using shared memory in JavaScript
* 2015-85 Out-of-bounds write with Updater and malicious MAR file
* 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service
with hard links
* 2015-83 Overflow issues in libstagefright
* 2015-82 Redefinition of non-configurable JavaScript object properties
* 2015-80 Out-of-bounds read with malformed MP3 file
* 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
* Disable OSS support explicitly under NetBSD.
Changelog:
New: Enabled API allowing Windows 10 users to open settings dialog (1193196)
Fixed: mozalloc.lib was missing from the xulrunner package (1168291)
Fixed: Fix a startup crash with some combination of hardware and drivers (1160295)
Curl and libcurl 7.44.0
Public curl releases: 148
Command line options: 176
curl_easy_setopt() options: 219
Public functions in libcurl: 58
Contributors: 1291
This release includes the following changes:
o http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA [6]
o examples: added http2-serverpush.c [7]
o http2: added curl_pushheader_byname() and curl_pushheader_bynum()
o docs: added CODE_OF_CONDUCT.md [8]
o curl: Add --ssl-no-revoke to disable certificate revocation checks [5]
o libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS [9]
o makefile: Added support for VC14
o build: Added Visual Studio 2015 (VC14) project files
o build: Added wolfSSL configurations to VC10+ project files [18]
This release includes the following bugfixes:
o FTP: fix HTTP CONNECT logic regression [1]
o openssl: Fix build with openssl < ~ 0.9.8f
o openssl: fix build with BoringSSL
o curl_easy_setopt.3: option order doesn't matter
o openssl: fix use of uninitialized buffer [2]
o RTSP: removed dead code
o Makefile.m32: add support for CURL_LDFLAG_EXTRAS
o curl: always provide negotiate/kerberos options
o cookie: Fix bug in export if any-domain cookie is present
o curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
o INSTALL: Advise use of non-native SSL for Windows <= XP
o tool_help: fix --tlsv1 help text to use >= for TLSv1
o HTTP: POSTFIELDSIZE set after added to multi handle [3]
o SSL-PROBLEMS: mention WinSSL problems in WinXP
o setup-vms.h: Symbol case fixups
o SSL: Pinned public key hash support
o libtest: call PR_Cleanup() on exit if NSPR is used
o ntlm_wb: Fix theoretical memory leak
o runtests: Allow for spaces in curl custom path
o http2: add stream != NULL checks for reliability
o schannel: Replace deprecated GetVersion with VerifyVersionInfo
o http2: verify success of strchr() in http2_send()
o configure: add --disable-rt option
o openssl: work around MSVC warning
o HTTP: ignore "Content-Encoding: compress"
o configure: check if OpenSSL linking wants -ldl
o build-openssl.bat: Show syntax if required args are missing
o test1902: attempt to make the test more reliable
o libcurl-thread.3: Consolidate thread safety info
o maketgz: Fixed some VC makefiles missing from the release tarball
o libcurl-multi.3: mention curl_multi_wait [10]
o ABI doc: use secure URL
o http: move HTTP/2 cleanup code off http_disconnect() [11]
o libcurl-thread.3: Warn memory functions must be thread safe [12]
o curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs [13]
o docs: formpost needs the full size at start of upload [14]
o curl_gssapi: remove 'const' to fix compiler warnings
o SSH: three state machine fixups [15]
o libcurl.3: fix a single typo [16]
o generate.bat: Only clean prerequisite files when in ALL mode
o curl_slist_append.3: add error checking to the example
o buildconf.bat: Added support for file clean-up via -clean
o generate.bat: Use buildconf.bat for prerequisite file clean-up
o NTLM: handle auth for only a single request [17]
o curl_multi_remove_handle.3: fix formatting [19]
o checksrc.bat: Fixed error when [directory] isn't a curl source directory
o checksrc.bat: Fixed error when missing *.c and *.h files
o CURLOPT_RESOLVE.3: Note removal support was added in 7.42 [20]
o test46: update cookie expire time
o SFTP: fix range request off-by-one in size check [21]
o CMake: fix GSSAPI builds [22]
o build: refer to fixed libidn versions [4]
o http2: discard frames with no SessionHandle [23]
o curl_easy_recv.3: fix formatting
o libcurl-tutorial.3: fix formatting [24]
o curl_formget.3: correct return code [25]
Due to a change in packaging the docs themes are currently excluded from
the pypi distribution, breaking the -docs package. Issue ``#761`` should
address this upstream; we'll be using GitHub as the master site for the
time being.
Version 0.10.4
--------------
(bugfix release, released on March 26th 2015)
- Re-release of 0.10.3 with packaging artifacts manually removed.
Version 0.10.3
--------------
(bugfix release, released on March 26th 2015)
- Re-release of 0.10.2 without packaging artifacts.
Version 0.10.2
--------------
(bugfix release, released on March 26th 2015)
- Fixed issue where ``empty`` could break third-party libraries that relied on
keyword arguments (pull request ``#675``)
- Improved ``Rule.empty`` by providing a ``get_empty_kwargs`` to allow setting
custom kwargs without having to override entire ``empty`` method. (pull
request ``#675``)
- Fixed ``extra_files`` parameter for reloader to not cause startup
to crash when included in server params
- Using `MultiDict` when building URLs is now not supported again. The behavior
introduced several regressions.
- Fix performance problems with stat-reloader (pull request ``#715``).
Version 0.10.1
--------------
(bugfix release, released on February 3rd 2015)
- Fixed regression with multiple query values for URLs (pull request ``#667``).
- Fix issues with eventlet's monkeypatching and the builtin server (pull
request ``#663``).
Version 0.10
------------
Released on January 30th 2015, codename Bagger.
- Changed the error handling of and improved testsuite for the caches in
``contrib.cache``.
- Fixed a bug on Python 3 when creating adhoc ssl contexts, due to `sys.maxint`
not being defined.
- Fixed a bug on Python 3, that caused
:func:`~werkzeug.serving.make_ssl_devcert` to fail with an exception.
- Added exceptions for 504 and 505.
- Added support for ChromeOS detection.
- Added UUID converter to the routing system.
- Added message that explains how to quit the server.
- Fixed a bug on Python 2, that caused ``len`` for
:class:`werkzeug.datastructures.CombinedMultiDict` to crash.
- Added support for stdlib pbkdf2 hmac if a compatible digest
is found.
- Ported testsuite to use ``py.test``.
- Minor optimizations to various middlewares (pull requests ``#496`` and
``#571``).
- Use stdlib ``ssl`` module instead of ``OpenSSL`` for the builtin server
(issue ``#434``). This means that OpenSSL contexts are not supported anymore,
but instead ``ssl.SSLContext`` from the stdlib.
- Allow protocol-relative URLs when building external URLs.
- Fixed Atom syndication to print time zone offset for tz-aware datetime
objects (pull request ``#254``).
- Improved reloader to track added files and to recover from broken
sys.modules setups with syntax errors in packages.
- ``cache.RedisCache`` now supports arbitrary ``**kwargs`` for the redis
object.
- ``werkzeug.test.Client`` now uses the original request method when resolving
307 redirects (pull request ``#556``).
- ``werkzeug.datastructures.MIMEAccept`` now properly deals with mimetype
parameters (pull request ``#205``).
- ``werkzeug.datastructures.Accept`` now handles a quality of ``0`` as
intolerable, as per RFC 2616 (pull request ``#536``).
- ``werkzeug.urls.url_fix`` now properly encodes hostnames with ``idna``
encoding (issue ``#559``). It also doesn't crash on malformed URLs anymore
(issue ``#582``).
- ``werkzeug.routing.MapAdapter.match`` now recognizes the difference between
the path ``/`` and an empty one (issue ``#360``).
- The interactive debugger now tries to decode non-ascii filenames (issue
``#469``).
- Increased default key size of generated SSL certificates to 1024 bits (issue
``#611``).
- Added support for specifying a ``Response`` subclass to use when calling
:func:`~werkzeug.utils.redirect`\ .
- ``werkzeug.test.EnvironBuilder`` now doesn't use the request method anymore
to guess the content type, and purely relies on the ``form``, ``files`` and
``input_stream`` properties (issue ``#620``).
- Added Symbian to the user agent platform list.
- Fixed make_conditional to respect automatically_set_content_length
- Unset ``Content-Length`` when writing to response.stream (issue ``#451``)
- ``wrappers.Request.method`` is now always uppercase, eliminating
inconsistencies of the WSGI environment (issue ``#647``).
- ``routing.Rule.empty`` now works correctly with subclasses of ``Rule`` (pull
request ``#645``).
- Made map updating safe in light of concurrent updates.
- Allow multiple values for the same field for url building (issue ``#658``).
Version 0.9.7
-------------
(bugfix release, release date to be decided)
- Fix unicode problems in ``werkzeug.debug.tbtools``.
- Fix Python 3-compatibility problems in ``werkzeug.posixemulation``.
- Backport fix of fatal typo for ``ImmutableList`` (issue ``#492``).
- Make creation of the cache dir for ``FileSystemCache`` atomic (issue
``#468``).
- Use native strings for memcached keys to work with Python 3 client (issue
``#539``).
- Fix charset detection for ``werkzeug.debug.tbtools.Frame`` objects (issues
``#547`` and ``#532``).
- Fix ``AttributeError`` masking in ``werkzeug.utils.import_string`` (issue
``#182``).
- Explicitly shut down server (issue ``#519``).
- Fix timeouts greater than 2592000 being misinterpreted as UNIX timestamps in
``werkzeug.contrib.cache.MemcachedCache`` (issue ``#533``).
- Fix bug where ``werkzeug.exceptions.abort`` would raise an arbitrary subclass
of the expected class (issue ``#422``).
- Fix broken ``jsrouting`` (due to removal of ``werkzeug.templates``)
- ``werkzeug.urls.url_fix`` now doesn't crash on malformed URLs anymore, but
returns them unmodified. This is a cheap workaround for ``#582``, the proper
fix is included in version 0.10.
- The repr of ``werkzeug.wrappers.Request`` doesn't crash on non-ASCII-values
anymore (pull request ``#466``).
- Fix bug in ``cache.RedisCache`` when combined with ``redis.StrictRedis``
object (pull request ``#583``).
- The ``qop`` parameter for ``WWW-Authenticate`` headers is now always quoted,
as required by RFC 2617 (issue ``#633``).
- Fix bug in ``werkzeug.contrib.cache.SimpleCache`` with Python 3 where add/set
may throw an exception when pruning old entries from the cache (pull request
``#651``).
ok bsiegert@, wiz@
Changes:
=================
WebKitGTK+ 2.8.5
=================
What's new in WebKitGTK+ 2.8.5?
- Fix the window size reported when the web view isn't realized yet. This fixes the layout of
some websites when opening new tabs in the browser and anchor links when opened in new tabs too.
- Prevent clipboard contents from being lost when web process finishes.
- Always allow font matching for strong aliases.
- Move GStreamer missing plugins installer to the UI process.
- Fix a crash when spell checker returns no guesses.
- Fix a crash when SoupSession is destroyed in exit handler.
- Fix a crash closing a page when default context menu is open.
- Several crashes and rendering issues fixed.
- Translation updates: Swedish.
1.2.0
-----
* Codebase was migrated to Flask-Admin GitHub organization
* Automatically inject Flask-WTF CSRF token to internal Flask-Admin forms
* MapBox v4 support for GeoAlchemy
* Updated translations with help of CrowdIn
* Show warning if field was ignored in form rendering rules
* Simple AppEngine backend
* Optional support for Font Awesome in templates and menus
* Bug fixes
Version 0.12
------------
Released 2015/07/09
- Abstract protect_csrf() into a separate method
- Update reCAPTCHA configuration
- Fix reCAPTCHA error handle
User-visible changes:
- General:
* make all commands provide brief description in help output (r1522518)
* flush stdout before exiting to avoid information being lost (r1543868)
- Major new features:
* fsfs: new format 7 with more efficient on-disk layout (r1547045 et al)
* resolve: improve interactive conflict resolution menus
* blame: support showing prospective as well as previous changes
* info: support printing of individual values with --show-item (r1662620)
* svn auth: new subcommand to manage cached credentials and certs
* svnserve: cache config and authz to lower resource usage and be able to
serve large numbers of connections with a limited number of threads
* membuffer: quadruple the maximum cacheable directory size (r1545948 et al)
* new filesystem fsx (faster, smaller); experimental - see release notes
- Minor new features and improvements:
See http://svn.apache.org/repos/asf/subversion/tags/1.9.0/CHANGES
Upstream changes:
6.14 2015-07-12
- Improved app generator command not to create a log directory.
6.13 2015-07-08
- Added support for validating file uploads.
- Added upload check to Mojolicious::Validator.
- Improved error messages for broken applications in Mojo::Server. (mst)
- Improved subscribers method in Mojo::EventEmitter to allow subscribers to be
modified more easily.
Upstream changes:
0.056 2015-05-19 06:00:40-04:00 America/New_York
- No changes from 0.055
0.055 2015-05-07 18:13:41-04:00 America/New_York (TRIAL RELEASE)
[ADDED]
- Added 'can_ssl' method to detect SSL support before trying and
failing with a fatal exception.
- Added support for 308 redirects
[FIXED]
- When specifying a custom CA file, if that file is missing or
unreadable, HTTP::Tiny will no longer fall back to a default CA
[DOCUMENTED]
- Noted units are bytes for max_size
0.054 2015-01-27 07:18:19-05:00 America/New_York
[ADDED]
- Added more fallback paths to find CA files (thanks golang)
[DOCUMENTED]
- Fixed a typo
Upstream changes:
== Security fixes ==
* Internal review discovered that Special:DeletedContributions did not properly
protect the IP of autoblocked users. This fix makes the functionality of
Special:DeletedContributions consistent with Special:Contributions and
Special:BlockList.
<https://phabricator.wikimedia.org/T106893>
* Internal review discovered that watchlist anti-csrf tokens were not being
compared in constant time, which could allow various timing attacks. This could
allow an attacker to modify a user's watchlist via csrf.
<https://phabricator.wikimedia.org/T94116>
* John Menerick reported that MediaWiki's thumb.php failed to sanitize various
error messages, resulting in xss.
<https://phabricator.wikimedia.org/T97391>
Additionally, the following extensions have been updated to fix security
issues:
* Extension:SemanticForms - MediaWiki user Grunny discovered multiple reflected
xss vectors in SemanticForms. Further internal review discovered and fixed
other reflected and stored xss vectors.
<https://phabricator.wikimedia.org/T103391>
<https://phabricator.wikimedia.org/T103765>
<https://phabricator.wikimedia.org/T103761>
* Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal
review discovered that the contrib directory for GeSHi was re-included in
MediaWiki 1.25. Some scripts could potentially be used for DoS, and
DAU Huy Ngoc discovered an xss vector. All contrib scripts have been
removed.
<https://phabricator.wikimedia.org/T108198>
* Extension:TimedMediaHandler - User:McZusatz reported that resetting
transcodes deleted the transcode without creating a new one, which could be
used for vandalism or potentially DoS.
<https://phabricator.wikimedia.org/T100211>
* Extension:Quiz - Internal review discovered that Quiz did not properly escape
regex metacharacters in a user controlled regular expression, enabling a DoS
vector.
<https://phabricator.wikimedia.org/T97083>
* Extension:Widgets - MediaWiki developer Majr reported a potential HTML
injection (xss) vector.
<https://phabricator.wikimedia.org/T88964>
== Bug Fixes in 1.25.2 ==
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to
false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when
$wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has
a "manifest_version" property for 1.26 compatibility will no longer
trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as
page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly
named variable. Add an additional check that an index is defined.
Changelog:
New: Support for Windows 10
New: Added protection against unwanted software downloads
New: User can receive suggested tiles in the new tab page based on categories Firefox matches to browsing history (en-US only).
New: Hello allows adding a link to conversations to provide context on what the conversation will be about
New: New style for add-on manager based on the in-content preferences style
New: Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only)
New: Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked
Changed: Add-on extensions that are not signed by Mozilla will display a warning
Changed: NPAPI Plug-in performance improved via asynchronous initialization
Changed: Smoother animation and scrolling with hardware vsync (Windows only)
Changed: JPEG images use less memory when scaled and can be painted faster
Changed: Sub-resources can no longer request HTTP authentication, thus protecting users from inadvertently disclosing login data
HTML5: IndexedDB transactions are now non-durable by default
HTML5: Implemented AudioBufferSourceNode.detune to modulate playback rate in cents, a logarithmic unit of measure used for musical intervals
Developer: Improved Performance tools in the developer tools: Waterfall view, Call Tree view and a Flame Chart view
Developer: New rules view tooltip in the Inspector to tweak CSS Filter values
Developer: Console API messages from SharedWorker and ServiceWorker are now displayed in web console
Developer: New page ruler highlighting tool that displays lightweight horizontal and vertical rules on a page
Developer: Inspector now searches across all content frames in a page
Fixed: Kannada text does not display properly in built-in pdf viewer
Fixed: Various security fixes
Known Issues
unresolved: If Firefox is restarted from an add-on install notification, on-going private browsing downloads might be canceled without warning (1185294)
Fixed in Firefox 40
2015-92 Use-after-free in XMLHttpRequest with shared workers
2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
2015-90 Vulnerabilities found through code inspection
2015-89 Buffer overflows on Libvpx when decoding WebM video
2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
2015-87 Crash when using shared memory in JavaScript
2015-86 Feed protocol with POST bypasses mixed content protections
2015-85 Out-of-bounds write with Updater and malicious MAR file
2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
2015-83 Overflow issues in libstagefright
2015-82 Redefinition of non-configurable JavaScript object properties
2015-81 Use-after-free in MediaStream playback
2015-80 Out-of-bounds read with malformed MP3 file
2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
Upstream changes:
-----------------
19.3.0 / 2015/03/06
Core
fix: :issue:`978` make sure a listener is inheritable
add check_config class method to workers
fix: :issue:`983` fix select timeout in sync worker with multiple connections
allows workers to access the reloader. close :issue:`984`
raise TypeError instead of AssertionError
Logging
make Logger.loglevel a class attribute
Documentation
fix: :issue:`988` fix syntax errors in examples/gunicorn_rc
19.2.1 / 2015/02/4
Logging
expose loglevel in the Logger class
AsyncIO worker (gaiohttp)
fix :issue:`977` fix initial crash
Documentation
document security mailing-list in the contributing page.
Fixes Mozilla Foundation Security Advisory 2015-78:
Same origin violation and local file stealing via PDF reader
* Fixes CVE-2015-4495 - It's possible to read local files or
perform privilege escalation by using a native setter, bug 1178058.
* Remove PlayPreview registration from PDF viewer, bug 1179262.
ref. https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/