Upstream changes:
Moodle 3.2.1 release notes
Release date: 9 January 2017
Here is the full list of fixed issues in 3.2.1.
Fixes and improvements
MDL-55906 - Assignment grading table reset button should clear persistent settings
MDL-57222 - Marking workflow and grading must still save for hidden Assignment
MDL-56810 - Fixed error converting submissions for annotation when student is unenrolled from course
MDL-55062 - Upload users admin tool incorrectly updates authentication method for existing users when not included in CSV
MDL-56912 - Feedback: Allow to submit empty not required multichoice questions
MDL-53044 - Completely prevent login with expired passwords
MDL-57213 - Boost - Fixed bug when my courses were not displayed at all with $CFG->navshowmycoursecategories on
Security issues
MSA-17-0001 System file inclusion when adding own preset file in Boost theme
MSA-17-0002 Incorrect sanitation of attributes in forums
MSA-17-0003 PHPMailer vulnerability in no-reply address
MSA-17-0004 XSS in assignment submission page
Upstream changes:
7.20 2017-01-18
- Fixed a bug in Mojo::File where the make_path method would die even if no
error occurred.
- Fixed warnings in Mojo::IOLoop::TLS.
7.19 2017-01-14
- Added module Mojo::IOLoop::TLS.
- Added can_nnr and can_socks methods to Mojo::IOLoop::Client.
7.18 2017-01-11
- Fixed support for relative %INC paths in Mojo::Home.
- Fixed a bug in Mojo::URL where invalid fragment strings could be generated.
7.17 2017-01-11
- Fixed Windows bugs in Mojo::File. (kmx)
7.16 2017-01-10
- Fixed Windows bugs in Mojo::File. (kmx)
7.15 2017-01-09
- Deprecated Mojo::ByteStream::slurp and Mojo::Util::slurp in favor of
Mojo::File::slurp.
- Deprecated Mojo::ByteStream::spurt and Mojo::Util::spurt in favor of
Mojo::File::spurt.
- Deprecated Mojo::Util::files in favor of Mojo::File::list_tree.
- Deprecated Mojo::Home::lib_dir, Mojo::Home::parse, Mojo::Home::parts in
favor of new features inherited from the Mojo::File base class.
- Added module Mojo::File.
- Improved Mojo::Home to be a subclass of Mojo::File.
- Improved mojo_lib_dir and rel_file methods in Mojo::Home to return
Mojo::Home objects.
- Improved rel_file methods in Mojolicious::Command to return Mojo::File
objects.
- Improved every_param and param methods in Mojolicious::Validator::Validation
to use the current topic.
Version 3.5.23 (2017-01-17)
---------------------------
### Fixed
Handle non-numeric values when calculating the image margin (see #8617).
### Fixed
Correctly generate the download elements in the back end (see #8620).
Version 3.5.22 (2017-01-16)
---------------------------
### Fixed
Prevent an endless redirect loop if the page alias is "/" (see #8560).
### Fixed
Correctly parse German dates with two digit years in MooTools (see #8593).
### Fixed
Correctly add new resources to the user/group permissions (see #8583).
### Fixed
Trigger the auto-submit function in the date picker (see #8603).
### Fixed
Call the load callback when loading page/file picker nodes (see #7702).
2.3.19 (2017-01-09)
-------------------
Enhancements
- [core] added handling of BYSETPOS for BYDAY in recurrence rules
- [core] improved IMIP handling from Exchange/Outlook clients
- [web] update jQuery to version 1.12.4 and jQuery UI to version 1.11.4
- [web] added SOGoMaximumMessageSizeLimit to limit webmail message size
- [web] added photo support for LDIF import (#1084)
- [web] updated CKEditor to version 4.6.1
Bug fixes
- [core] honor blocking wrong login attempts within time interval (#2850)
- [core] use source's domain when none defined and trying to match users (#3523)
- [core] properly honor the "include in freebusy" setting (#3354)
- [core] fix events in floating time during CalDAV's PUT operation (#2865)
- [core] handle rounds in sha512-crypt password hashes
- [web] return login page for unknown users (#2135)
- [web] append ics file extension when importing events (#2308)
- [web] set a max-height so we can scroll in the attendees list (#3666)
- [web] set a max-height so we can scroll in the attachments list (#3413)
- [web] handle URI in vCard photos (#2683)
- [web] handle semicolon in values during LDIF import (#1760)
- [eas] properly escape all GAL responses (#3923)
- [eas] properly skip folders we don't want to synchronize (#3943)
- [eas] fixed 30 mins freebusy offset with S Planner
- [eas] now correctly handles reminders on tasks (#3964)
- [eas] do not decode from hex the event's UID (#3965)
- [eas] add support for "other addresses" (#3966)
- [eas] provide correct response status when sending too big mails (#3956)
2.3.18 (2016-11-28)
-------------------
New features
- [eas] relaxed permission requirements for subscription synchronizations (#3118 and #3180)
Enhancements
- [core] added sha256-crypt and sha512-crypt password support
- [core] updated time zones to version 2016h
- [eas] initial support for recurring tasks EAS
- [eas] now support replied/forwarded flags using EAS (#3796)
- [eas] now also search on senders when using EAS Search ops
- [web] updated CKEditor to version 4.6.0
Bug fixes
- [core] fixed condition in weekly recurrence calculator
- [core] always send IMIP messages using UTF-8
- [web] fixed support for recurrent tasks
- [web] improved validation of mail account delegators
- [web] allow edition of a mailbox rights when user can administer mailbox
- [web] restore attributes when rewriting base64-encoded img tags (#3814)
2.3.17 (2016-10-20)
-------------------
Enhancements
- [web] allow custom email address to be one of the user's profile (#3551)
- [web] the left column of the attendees editor is resizable (not supported in IE) (#1479, #3667)
Bug fixes
- [eas] make sure we don't sleep for too long when EAS processes need interruption
- [eas] fixed recurring events with timezones for EAS (#3822)
- [eas] improve handling of email folders without a parent
- [eas] never send IMIP reply when the "initiator" is Outlook 2013/2016
- [core] only consider SMTP addresses for AD's proxyAddresses (#3842)
2.3.16 (2016-09-28)
-------------------
New features
- [eas] initial support for server-side mailbox search operations
Enhancements
- [eas] propagate message submission errors to EAS clients (#3774)
- [web] updated CKEditor to version 4.5.11
- [web] added Serbian (sr) translation - thanks to Bogdanović Bojan
Bug fixes
- [web] correctly set percent-complete for tasks from the list view (#3197)
- [core] fixed caching expiration of ACLs assigned to LDAP groups (#2867)
- [core] we now search in all domain sources for Apple Calendar
- [core] properly handle groups in Apple Calendar's delegation
- [core] make sure new cards always have a UID (#3819)
2.3.15 (2016-09-14)
------------------
Enhancements
- [web] don't allow a recurrence rule to end before the first occurrence
Bug fixes
- [eas] properly generate the BusyStatus for normal events
- [eas] properly escape all email and address fields
- [eas] properly generate yearly rrule
- [core] strip protocol value from proxyAddresses attribute (#3182)
- [web] handle binary content transfer encoding when displaying mails
0.12.1 (2017-01-08)
- Fix compatibility with Jinja 2.9.
- When globbing, include files in alphabetical order (Sam Douglas).
- Remove duplicate files from bundles (Sam Douglas).
- Support for PyInstaller (Ilya Kreymer).
- Fix the sass filter (Dan Callaghan).
0.12 (2016-08-18)
- Babel filter (JDeuce).
- NodeSASS filter (Luke Benstead).
- Autoprefixer 6 filter (Eugeniy Kuznetsov).
- Many other small changes and improvements by various contributors.
*) SECURITY: CVE-2016-8743 (cve.mitre.org)
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies.
*) Validate HTTP response header grammar defined by RFC7230, resulting
in a 500 error in the event that invalid response header contents are
detected when serving the response, to avoid response splitting and cache
pollution by malicious clients, upstream servers or faulty modules.
*) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
*) core: Avoid a possible truncation of the faulty header included in the
HTML response when LimitRequestFieldSize is reached.
*) core: Enforce LimitRequestFieldSize after multiple headers with the same
name have been merged.
*) core: Drop Content-Length header and message-body from HTTP 204 responses.
*) core: Permit unencoded ';' characters to appear in proxy requests and
Location: response headers. Corresponds to modern browser behavior.
*) core: ap_rgetline_core now pulls from r->proto_input_filters.
*) core: Correctly parse an IPv6 literal host specification in an absolute
URL in the request line.
*) core: New directive RegisterHttpMethod for registering non-standard
HTTP methods.
*) core: Limit to ten the number of tolerated empty lines between request.
*) core: reject NULLs in request line or request headers.
*) mod_proxy: Use the correct server name for SNI in case the backend
SSL connection itself is established via a proxy server.
*) Fix potential rejection of valid MaxMemFree and ThreadStackSize
directives.
*) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
*) mod_proxy: Correctly consider error response codes by the backend when
processing failonstatus.
*) mod_proxy: Play/restore the TLS-SNI on new backend connections which
had to be issued because the remote closed the previous/reusable one
during idle (keep-alive) time.
*) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
*) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to
use a different scoreboard slot than the original one.
*) mod_proxy: Fix a race condition that caused a failed worker to be retried
before the retry period is over.
*) mod_proxy: don't recycle backend announced "Connection: close" connections
to avoid reusing it should the close be effective after some new request
is ready to be sent.
*) mod_mem_cache: Fix concurrent removal of stale entries which could lead
to a crash.
*) mime.types: add common extension "m4a" for MPEG 4 Audio.
*) mod_substitute: Allow to configure the patterns merge order with the new
SubstituteInheritBefore on|off directive.
*) mod_mem_cache: Don't cache incomplete responses when the client
connection is aborted before the body is fully read.
*) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
*) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
v1.6.1
Version 1.6.1
Bugfix release
- Fixed a bug where using google-auth with scoped credentials would fail. (#328)
v1.6.0
Version 1.6.0
Release to drop support for Python 2.6 and add support for google-auth.
- Support for Python 2.6 has been dropped. (#319)
- The credentials argument to discovery.build and discovery.build_from_document
can be either oauth2client credentials or google-auth credentials. (#319)
- discovery.build and discovery.build_from_document now unambiguously use the
http argument to make all requests, including the request for the discovery
document. (#319)
- The http and credentials arguments to discovery.build and
discovery.build_from_document are now mutually exclusive, eliminating a
buggy edge case. (#319)
- If neither http or credentials is specified to discovery.build and
discovery.build_from_document, then Application Default Credentials will
be used. The library prefers google-auth for this if it is available, but
can also use oauth2client's implementation. (#319)
- Fixed resumable upload failure when receiving a 308 response. (#312)
- Clarified the support versions of Python 3. (#316)
6.12 2017-01-04 23:32:54-05:00 America/Toronto
- Fix prereqs
6.11 2017-01-04 15:05:57-05:00 America/Toronto
- Updated the Changes file
- When using Net::SSL, pending data was potentially ignored GH PR#7 (Jean-Louis Martineau)
6.10-DEV 2016-12-30
- Added LICENSE
- Added 'use warnings' to everywhere that lacked it
- Drop all use of Test.pm
- Removed unneeded uses of 'use vars'
- Switch live tests to use Google.
- Fix RT#112313 - Hang in my_readline() when keep-alive => 1 and $reponse_size % 1024 == 0
* [mod_cgi] skip local-redir handling if to self (fixes #2779, #2108)
* [mod_webdav] fix crash when plugin_ctx cleaned up (fixes #2780)
* [mod_fastcgi] detect child exit, restart proactively
* [mod_scgi] detect child exit, restart proactively
* [TLS] ssl.read-ahead = "disable" for low mem (fixes #2778)
pkgsrc changes:
- Rename non-standard "memcache" option to "memcached" (retaining
compatibility for the old option for a while)
Date: 2016-02-17
Bugfixes
Permit changing existing value on a ToOneField to None. (Closes #1449)
v0.13.2
Date: 2016-02-14
Bugfixes
Fix in Resource.save_related: related_obj can be empty in patch requests (introduced in #1378). (Fixes #1436)
Fixed bug that prevented filtering on related resources. apply_filters hook now used in obj_get. (Fixes #1435, Fixes #1443)
Use build_filters in obj_get. (Fixes #1444)
Updated DjangoAuthorization to disallow read unless a user has change permission. (#1407, PR #1409)
Authorization classes now handle usernames containing spaces. Closes #966.
Cleaned up old, unneeded code. (closes PR #1433)
Reuse Django test Client.patch(). (@SeanHayes, closes #1442)
Just a typo fix in the testing docs (by @bezidejni, closes #810)
Removed references to patterns() (by @SeanHayes, closes #1437)
Removed deprecated methods Resource.apply_authorization_limits and Authorization.apply_limits from code and documentation. (by @SeanHayes, closes #1383, #1045, #1284, #837)
Updates docs/cookbook.rst to make sure it's clear which url to import. (by @yuvadm, closes #716)
Updated docs/tutorial.rst. Without "null=True, blank=True" parameters in Slugfield, expecting "automatic slug generation" in save method is pointless. (by @orges, closes #753)
Cleaned up Riak docs. (by @SeanHayes, closes #275)
Include import statement for trailing_slash. (by @ljosa, closes #770)
Fix docs: Meta.filtering is actually a dict. (by @georgedorn, closes #807)
Fix load data command. (by @blite, closes #357, #358)
Related schemas no longer raise error when not URL accessible. (Fixes PR #1439)
Avoid modifying Field instances during request/response cycle. (closes #1415)
Removing the Manager dependency in ToManyField.dehydrate(). (Closes #537)
v0.13.1
Date: 2016-01-25
Bugfixes
Prevent muting non-tastypie's exceptions (#1297, PR #1404)
Gracefully handle UnsupportFormat exception (#1154, PR #1417)
Add related schema urls (#782, PR #1309)
Repr value must be str in Py2 (#1421, PR #1422)
Fixed assertHttpAccepted (PR #1416)
v0.13.0
Date: 2016-01-12
Dropped Django 1.5-1.6 support, added Django 1.9.
Bugfixes
Various performance improvements (#1330, #1335, #1337, #1363)
More descriptive error messages (#1201)
Throttled requests now include Retry-After header. (#1204)
In DecimalField.hydrate, catch decimal.InvalidOperation and raise ApiFieldError (#862)
Add 'primary_key' Field To Schema (#1141)
ContentTypes: Remove 'return' in __init__; remove redundant parentheses (#1090)
Allow callable strings for ToOneField.attribute (#1193)
Ensure Tastypie doesn't return extra data it received (#1169)
Fixed tastypie's losing received microseconds. (#1126)
Data leakage fix (#1203)
Ignore extra related data (#1336)
Suppress Content-Type header on HTTP 204 (see #111) (#1054)
Allow creation of related resources that have an 'items' related_name (supersedes #1000) (#1340)
Serializers: remove unimplemented to_html/from_html (#1343)
If GEOS is not installed then exclude geos related calls. (#1348)
Fixed Resource.deserialize() to honor format parameter (#1354, #1356, #1358)
Raise ValueError when trying to register a Resource class instead of a Resource instance. (#1361)
Fix hydrating/saving of related resources. (#1363)
Use Tastypie DateField for DateField on the model. (SHA: b248e7f)
ApiFieldError on empty non-null field (#1208)
Full schema (all schemas in a single request) (#1207)
Added verbose_name to API schema. (#1370)
Fixes Reverse One to One Relationships (Replaces #568) (#1378)
Fixed "GIS importerror vs improperlyconfigured" (#1384)
Fixed bug which occurs when detail_uri_name field has a default value (Issue #1323) (#1387)
Fixed disabling cache using timeout=0, fixes #1213, #1212 (#1399)
Removed Django 1.5-1.6 support, added 1.9 support. (#1400)
stop using django.conf.urls.patterns (#1402)
Fix for saving related items when resource_uri is provided but other unique data is not. (#1394) (#1410)
v0.12.2
Date: 2015-07-16
Dropped Python 2.6 support, added Django 1.8.
Bugfixes
Dropped support for Python 2.6
Added support for Django 1.8
Fix stale data caused by prefetch_related cache (SHA: b78661d)
* passwordauth: prevent authentication bypass via multiple name
parameters (CVE-2017-0356, OVE-20170111-0001)
* passwordauth: avoid userinfo forgery via repeated email parameter
(also in the scope of CVE-2017-0356)
* CGI, attachment, passwordauth: harden against repeated parameters
(not believed to have been a vulnerability)
* remove: make it clearer that repeated page parameter is OK here
* t/passwordauth.t: new automated test for passwordauth
[ Amitai Schleier ]
* wrappers: Correctly escape quotes in git_wrapper_background_command
[ Simon McVittie ]
* git: use an explicit function parameter for the directory to work
in. Previously, we used global state that was not restored correctly
on catching exceptions, causing an unintended log message
"cannot chdir to .../ikiwiki-temp-working: No such file or directory"
with versions >= 3.20161229 when an attempt to revert a change fails
or is disallowed
* git: don't run "git rev-list ... -- -- ..." which would select the
wrong commits if a file named literally "--" is present in the
repository
* check_canchange: log "bad file name whatever", not literal string
"bad file name %s"
* t/git-cgi.t: fix a race condition that made the test fail
intermittently
* t/git-cgi.t: be more careful to provide a syntactically valid
author/committer name and email, hopefully fixing this test on
ci.debian.net
* templates, comments, passwordauth: use rel=nofollow microformat
for dynamic URLs
* templates: use rel=nofollow microformat for comment authors
* news: use Debian security tracker instead of MITRE for security
references. Thanks, anarcat
* Set package format to 3.0 (native)
* d/copyright: re-order to put more specific stanzas later, to get the
intended interpretation
* d/source/lintian-overrides: override obsolete-url-in-packaging for
OpenID Selector, which does not seem to have any more current URL
(and in any case our version is a fork)
* docwiki.setup: exclude TourBusStop from offline documentation.
It does not make much sense there.
* d/ikiwiki.lintian-overrides: override script-not-executable warnings
* d/ikiwiki.lintian-overrides: silence false positive spelling warning
for Moin Moin
* d/ikiwiki.doc-base: register the documentation with doc-base
* d/control: set libmagickcore-6.q16-3-extra as preferred
build-dependency, with virtual package libmagickcore-extra as an
alternative, to help autopkgtest to do the right thing
Major changes:
New Default Theme - Twenty Seventeen
- It is an ambitious theme designed for business websites that focuses on a
creative home page and an easy site setup experience for users.
* multiple sections on the front page, selected in the Customizer.
* a striking asymmetrical grid.
* custom color schemes, built on top of a monochromatic foundation, and
adjustable via a hue picker.
* different headline placement for pages, changeable in the Customizer, via
theme options.
* a great experience in many languages, thanks to language-specific font stacks.
* SVG icons (a first for a default theme).
* support for custom logo, custom header image and many post formats.
* the use of new functions in Core for making child theming easier.
Note: Twenty Seventeen only works on 4.7 and above. It uses the new
video header and starter content features, each launched in 4.7.
REST API Content Endpoints
* API endpoints for WordPress content. WordPress 4.7 comes with REST API
endpoints for posts, comments, terms, users, meta, and settings. Content
endpoints provide machine-readable external access to your WordPress site
with a clear, standards-driven interface, paving the way for new and
innovative methods of interacting with your site.
[FIXES]
The linting method html_lint_ok() was not calling the HTML::Lint API
correctly, so may have missed some HTML errors at the end of a page.
This also applies to get, post, etc if you have the autolint argument on.
7.14 2017-01-04
- Deprecated Mojo::Home::list_files in favor of Mojo::Util::files.
- Deprecated Mojo::Home::rel_dir in favor of Mojo::Home::rel_file.
- Deprecated Mojolicious::Command::rel_dir in favor of
Mojolicious::Command::rel_file.
- Fixed a bug in Mojo::IOLoop::Subprocess where the pipe used for IPC could
disappear because of a timeout.
This release fixes several bugs in nghttpx proxy server. Since v1.18.0 release, dynamic DNS feature has been added to nghttpx. This release fixes these DNS related bugs. User reported that nghttpx exited with assertion error in libev code when DNS was enabled. After investigating it, it turned out that this bug had existed well before DNS was added, but enabling DNS helped to trigger the bug.
Bugfixes
* Fixed a crash in the debug view if request.user can’t be retrieved, such as if the database is unavailable.
* Fixed occasional missing plural forms in JavaScriptCatalog.
* Fixed a regression in the timesince and timeuntil filters that caused incorrect results for dates in a leap year.
* Fixed a regression where collectstatic overwrote newer files in remote storages.
------------------------------
- 1.4.44
* [mod_scgi] fix segfault (fixes #2762)
* [mod_authn_gssapi] fix memory leak
* [config] warn if mod_authn_ldap,mysql not listed
* [mod_magnet] fix magnet_cgi_set() set of env vars (fixes #2763)
* [mod_cgi] FreeBSD 9.3/MacOSX does not have pipe2() (fixes #2765)
* [mod_extforward] fix crash on invalid IP (fixes #2766)
* [mod_fastcgi] fix segfault if all backends down (fixes #2768)
* [mod_cgi] fix out of sockets error for POST to CGI (fixes #2771)
* [mod_auth] compile fix for Mac OS X XCode (fixes #2772)
* [mod_authn_gssapi] better resource cleanup
* [core] compile fix for Mac OS X 10.6 (old) (fixes #2773)
* fix race in dynamic handler configs (reentrancy) (fixes #2774)
* [mod_authn_mysql] close mysql_conn in cleanup
* [mod_webdav] compile fix when locking not enabled
* load mod_auth & mod_authn_file in sample/test.conf
* comment out auth.backend.ldap.* in tests/*.conf
* [mod_fastcgi,mod_scgi] warn if invalid "bin-path"
* RAND_pseudo_bytes() is deprecated in openssl 1.1.0
* openssl 1.1.0 init and cleanup
* [mod_cgi] remove direct calls to network_backend*
* [build] build network_*.c into lighttpd executable
* suggest inclusion of mod_geoip... before mod_ssi.
* set systemd settings similar to lighttpd2
* [doc] remove reference to Linux rt-signals
* [mod_authn_gssapi] fix missing error ret, coverity
* [core] rename li_rand() to li_rand_pseudo_bytes()
* remove #include "stream.h" where not used
* [mod_cml] include lua headers before base.h
* [core] combine duplicated connection reset code
* [mod_ssi] produce content in subrequest hook
* [core] remove srv->entropy[]
* [core] defer li_rand_init() until first use
* [core] permit connection-level state in modules
* [mod_dirlisting] render dirlisting as HTML (fixes #2767)
* [mod_proxy] replace HTTP Host sent to backend (fixes #2770)
* [mod_ssi] basic recursive SSI include virtual (fixes #536)
* [mod_ssi] implement, ignore <!--#comment ... -->
* [core] consolidate duplicated read-to-close code
* [core] fix segfault when parsing a bad config file
* [core] support Transfer-Encoding: chunked req body (fixes #2156)
* [autobuild] set NO_RDYNAMIC=yes for midipix
* [mod_proxy] proxy.balance = "sticky" option (fixes #2117)
* [mod_secdownload] warn if SHA used w/o SSL crypto
* [build] compile fixes for AIX
* [build] check for pipe2() at configure time
* [mod_evhost] fix an incorrect error trace
* [tests] mark tests/docroot/www/*.pl scripts a+x
* [mod_cgi] fall back to pipe() if pipe2() fails
* fix SCons fullstatic build with glibc pthreads
* [TLS] openssl 1.1.0 makes SSL_OP_NO_SSLv2 no-op
(pkgsrc changes)
- Add Selection on PLIST depending on options
Changelog:
Security vulnerabilities fixed in Firefox ESR 45.6
#CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
#CVE-2016-9895: CSP bypass using marquee tag
#CVE-2016-9897: Memory corruption in libGLES
#CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
#CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
#CVE-2016-9904: Cross-origin information leak in shared atoms
#CVE-2016-9905: Crash in EnumerateSubDocuments
#CVE-2016-9901: Data from Pocket server improperly sanitized before execution
#CVE-2016-9902: Pocket extension does not validate the origin of events
#CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
Upstream changes:
Version 0.12
------------
Released on December 21st 2016, codename Punsch.
- the cli command now responds to `--version`.
- Mimetype guessing and ETag generation for file-like objects in ``send_file``
has been removed, as per issue ``#104``. See pull request ``#1849``.
- Mimetype guessing in ``send_file`` now fails loudly and doesn't fall back to
``application/octet-stream``. See pull request ``#1988``.
- Make ``flask.safe_join`` able to join multiple paths like ``os.path.join``
(pull request ``#1730``).
- Revert a behavior change that made the dev server crash instead of returning
an Internal Server Error (pull request ``#2006``).
- Correctly invoke response handlers for both regular request dispatching as
well as error handlers.
- Disable logger propagation by default for the app logger.
- Add support for range requests in ``send_file``.
- ``app.test_client`` includes preset default environment, which can now be
directly set, instead of per ``client.get``.
Version 0.11.2
--------------
Bugfix release, unreleased
- Fix crash when running under PyPy3, see pull request ``#1814``.
Version 0.11.1
--------------
Bugfix release, released on June 7th 2016.
- Fixed a bug that prevented ``FLASK_APP=foobar/__init__.py`` from working. See
pull request ``#1872``.
lib: Accept and ignore content-length: 0 in 204 response for now
build: Use pkg-config to detect libxml2
build: Require c-ares to compile applications under src
build: Add Windows CI via AppVeyor (Patch from Alexis La Goutte)
examples: Delete tiny-nghttpd
nghttpx: Retry h1 backend request if first write fails (GH-757)
nghttpx: Keep reading after backend write failed (GH-756)
nghttpx: Add frontend-keep-alive-timeout option (GH-755)
nghttpx: New error log format (GH-749)
nghttpx: Fix bug that fetch-ocsp-response does not work with OpenSSL 1.1.0 (GH-742)
nghttpx: Backend API call allows non-numeric host with dns parameter (GH-731)
nghttpx: Lookup backend host name dynamically (GH-721)
nghttpx: Accept and ignore content-length: 0 in 204 response for now (GH-735)
nghttpx: Wait for child process to exit
Upstream changes:
7.13 2016-12-23
- Deprecated Mojo::Message::Response::is_status_class in favor of new is_*
methods.
- Added result method to Mojo::Transaction.
- Added is_client_error, is_error, is_info, is_redirect, is_server_error and
is_success methods to Mojo::Message::Response.
- Fixed bug where Morbo could not handle broken symlinks. (Grinnz)
7.12 2016-12-18
- Added button_to and csrf_button_to helpers to
Mojolicious::Plugin::TagHelpers.
- Removed experimental status from Mojo::IOLoop::Subprocess.
- Removed experimental status from subprocess method in Mojo::IOLoop.
Upstream changes:
5.90114 - 2016-12-19
- Fixed regression introduced in the last version (5.90113) which caused
application to hang when the action private name contained a string
like 'foo/bar..html'. If you are running 5.90113 you should consider this
a required update.
- Tweaked travis CI script.
5.90113 - 2016-12-15
- Fixed issue with $controller->action_for when targeting an action in
a namespace nested inside the current controller and the current controller
is a 'root' controller.
- Enhanced $controller->action_for so that you can reference the 'parent'
controller via relative path (eg ->action_for('../foo')).
- Backcompat fix for people that made the mistake of doing $c->{stash}
- Sort controllers in setup_actions so cross-controller precedence is
consistent.
Upstream changes:
0.204002 2016-12-21 15:40:02-06:00 America/Chicago
[ BUG FIXES ]
* GH #975: Fix "public_dir" configuration to work, just like
DANCER_PUBLIC. (Sawyer X)
[ ENHANCEMENTS ]
* You can now call '$self->find_plugin(...)' within a plugin
in order to find a plugin, in order to use its DSL in your
custom plugin. (Sawyer X)
[ DOCUMENTATION ]
* GH #1282: Typo in Cookbook. (Kurt Edmiston)
* GH #1214: Update Migration document. (Sawyer X)
* GH #1286: Clarify hook behavior when disabling layout (biafra)
* GH #1280: Update documentation to use specific parameter
keywords (Hunter McMillen)
Upstream changes:
2.26 Thu Dec 29 22:36:54 CST 2016
Stable release. No changes from previous release.
2.25_02 Tue Dec 27 14:34:22 CST 2016
[FIXES]
html_fragment_ok() was not properly excluding document-level errors.
It was effectively the same as html_ok().
2.25_01 Fri Dec 23 22:36:17 CST 2016
[ENHANCEMENTS]
Added two new types of errors to let you know you're using the
API incorrectly. You should be parsing files like this:
    my $lint = HTML::Lint->new;
    $lint->newfile( $filename );
    $lint->parse( $line );
    $lint->eof();
    my @errors = $lint->errors();
If you neglect to call ->parse or ->eof, you'll get an error returned
in the list of errors from ->errors().
[FIXES]
Test::HTML::Lint::html_fragment_ok() was not properly calling ->eof.