additional Administration Interface. You can use it to build up a
database with an inventory for your company (computers, software,
printers, etc).
Its enhanced functionality makes daily life for administrators easier.
Besides an inventory, it provides a trouble-ticket system, job
tracking with mail notification, and methods to build a database with
basic information about your network-topology.
<http://glpi-project.org/>
Features:
* Supports both Client and HTTP Server.
* Supports both Server WebSockets and Client WebSockets out-of-the-box.
* Web-server has Middlewares, Signals and pluggable routing.
### 4.4.1 (2017-07-12)
* Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
* Correctly handle subpalettes in "edit multiple" mode (see #946).
* Correctly show the DCA picker in the site structure (see #906).
* Correctly update the style sheets if a format definition is
enabled/disabled (see #893).
* Always show the "show from" and "show until" fields (see #908).
* Correctly set the "overwriteMeta" field during the database update (see
contao/core-bundle#888).
Version 3.5.28 (2017-07-12)
---------------------------
### Fixed
Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
### Fixed
Improve the accessibility of the CAPTCHA widget (see #8709).
### Fixed
Fixed the iOS scrolling bug in the simple modal script (see #8708).
### Fixed
Correctly cache the unique keys in the SQL cache (see #8712).
*) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
global variable when using Lua 5.2 or later. This was exported as a
side effect from luaL_register, which is no longer supported as of
Lua 5.2 which deprecates pollution of the global namespace.
*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
The server will continue to run, but HTTP/2 will no longer be negotiated.
*) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
default ProxyFCGIBackendType, fixing a regression with PHP-FPM.
*) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
*) mod_http2: Simplify ready queue, less memory and better performance. Update
mod_http2 version to 1.10.7.
*) Allow single-char field names inadvertently disallowed in 2.4.25.
*) htpasswd / htdigest: Do not apply the strict permissions of the temporary
passwd file to a possibly existing passwd file.
*) core: Avoid duplicate HEAD in Allow header.
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
*) Allow single-char field names inadvertantly disallowed in 2.2.32.
Changes with Apache 2.2.33 (not released)
*) SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
*) SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
*) SECURITY: CVE-2017-7679 (cve.mitre.org)
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.
*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
Caddy is a HTTP/2 web server with automatic HTTPS.
Caddy was born out of the need for a "batteries-included" web server
that runs anywhere and doesn't have to take its configuration with it.
Caddy took inspiration from spark, nginx, lighttpd, Websocketd and
Vagrant, which provides a pleasant mixture of features from each of
them.
that application, without starting up an HTTP server.
This provides convenient full-stack testing of applications written with any
WSGI-compatible framework.
Upstream changes:
Here is the full list of fixed issues in 3.3.1.
Contents
1 Highlights
2 Security issues
3 Fixes and improvements
4 For developers
5 See also
Highlights
MDL-58136 - Show only "in progress" courses in the My courses list in Booost flat navigation
MDL-56046 - Fixed bug when downloading Quiz statistics report and other multiple-sheet reports
MDL-58646, MDL-59122 - Number of performance improvements in Boost cache rebuilding
MDL-58310, MDL-59312, MDL-58103 - Correctly display AJAX errors and ignore interrupted requests caused by page unload (occasional "undefined" popup)
MDL-44961 - When restoring course with rolling start date never change log dates
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-46322 - Assignment: Only enrolled users may be assigned as markers, if admins/managers can view course but are not enrolled they will not be assigned
MDL-58907 - Course overview: Remember last view mode (Timeline/Courses), add a setting for a default mode
MDL-58729 - Performance impovement in MySQL collation change script (follow up for Full UTF-8 Support in MySQL)
MDL-57957 - Assignment: Fixed bug with feedback files not being shown to students if assignment has no grading
MDL-57021 - Use normal password form field during sign up, adding new user and enrolling in a course
MDL-49988 - Wiki: line breaks in HTML source code should not affect page layout
MDL-58811 - Quiz: fixed bug preventing quiz duplication if questions have file links in their texts
For developers
MDL-58911 - Change of behavior when writing unittests for the dashboard events - now callback from module are executed in unittests same way they would be executed on the dashboard
Features
- Python 3.6 is now officially supported in Waitress
Bugfixes
- Add a work-around for libc issue on Linux not following the documented
standards. If getnameinfo() fails because of DNS not being available it
should return the IP address instead of the reverse DNS entry, however
instead getnameinfo() raises. We catch this, and ask getnameinfo()
for the same information again, explicitly asking for IP address instead of
reverse DNS hostname.
-----
* 26: Change six requirement to >=1.4.0
* 28: Py3k fixes
* 29: paste.wsgilib.add_close: Add __next__ method to support using `add_close` objects as iterators on Python 3.
* 30: tox.ini: Add py35 to envlist
* 31: Enable testing with pypy
* 33: tox.ini: Measure test coveraage
these packages pull in GCC_REQD+=4.9 via mozilla-common.mk, and
are very widely used (I suspect only www/firefox actually needs it)
this will take care of most of the fallout from major bumping
pkgsrc-gcc-libstdc++ to 7 on netbsd. these are the most widely
used packages setting GCC_REQD>4.8.
based on the work done by the amazing folks at magicstack.
On top of being Flask-like, Sanic supports async request handlers. This means
you can use the new shiny async/await syntax from Python 3.5, making your code
non-blocking and speedy.
User-visible changes:
- Client-side bugfixes:
* cp/mv: improve error message when target is an unversioned dir
* merge: reduce memory usage with large amounts of mergeinfo
- Server-side bugfixes:
* 'svnadmin freeze': document the purpose more clearly
* dump: fix segfault when a revision has no revprops
* fsfs: improve error message upon failure to open rep-cache
* fsfs: never attempt to share directory representations
* fsfs: make consistency independent of hash algorithms
This change makes Subversion resilient to collision attacks, including
SHA-1 collision attacks such as <http://shattered.io/>. See also our
documentation at <https://subversion.apache.org/faq#shattered-sha1> and
<https://subversion.apache.org/docs/release-notes/1.9#shattered-sha1>.
- Client-side and server-side bugfixes:
* work around an APR bug related to file truncation
- Bindings bugfixes:
* javahl: follow redirects when opening a connection
Developer-visible changes:
- General:
* win_tests.py: make the --bin option work, rather than abort
(regression introduced in 1.9.2)
* windows: support building with 'zlibstat.lib' in install-layout
- API changes:
(none)
1.85 2017-06-28 22:06:00Z
========================================
[FIXED]
- use 127.0.0.1 instead of 'localhost' in a test to avoid the test hanging
due to ipv6 issues (GH#31)
- Remove private logic for taint checking (Dave Doyle)
- Fix Pod (simbabque)
- Bump Test::More prereq to get working subtest support (Karen Etheridge)
- Fix intermittent failures of taint.t (GH#108) (Kivanc Yazan)
- Fix kwalitee issues (GH#107) (Kivanc Yazan)
[ENHANCEMENTS]
- Print section titles if mech-dump --all is invoked (GH#81) (Сергей
Романов)
- Add cookbook docs on dumping a req without sending it (#115) (Grigor
Karavardanyan)
- Document that submit only submits current form (GH#114) (nawglan)
- Add Travis testing on Perl 5.26 (Karen Etheridge)
- Remove obsolete and unincremented $VERSIONs in test modules (Karen
Etheridge)
Changelog:
52.2.1
Printing text does not work on Windows when Direct2D is disabled (Bug 1318845)
52.2.0
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7778: Vulnerabilities in the Graphite 2 library
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
#CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
#CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.252.2.0
52.1.2
FIx hangs when using a proxy with NTLM authentication (bug 1360574)
Changelog:
Fixed
Fix a display issue of tab title (bug 1357656)
Fix a display issue of opening new tab (bug 1371995)
Fix a display issue when opening multiple tabs (bug 1371962)
Fix a tab display issue when downloading files (bug 1373109)
Fix a PDF printing issue (bug 1366744)
Fix a Netflix issue on Linux (bug 1375708)
Documentation
We have received several patches to fix grammer and typos.
The broken out-of-tree build has been also fixed.
nghttp
We fixed the bug that HTTP Upgrade fails if HTTP response does not have reason-phrase.
nghttpx
The default minimum TLS version is now TLSv1.2. This is because the default cipher list only contains cipher suites which are compatible with it.
