Emergency fix for a major bug that messes up the cluster view page.
Fixed upstream in the next release, but there is another regression
in the latest release that still needs to be identified before upgrading.
Remove www/contao45 package since Contao 4.5 were not distributed as
release tar files since version 4.5.11. And it is EOL by release of
Contao 4.6 after 28th Aug 2018.
And Contao 4.6 is also only available via Contao Manager. Please refer
<https://contao.org/download.html> in detail.
Remove www/contao44 package since Contao 4.4 were not distributed as
release tar files since version 4.4.21.
Instead, Contao 4.4 is available via Contao Manager. Please refer
<https://contao.org/download.html> in detail.
Version 3.5.36 (2018-09-18)
---------------------------
### Fixed
Prevent arbitrary code execution through .phar files (see CVE-2018-17057).
### Fixed
Correctly reset the autologin data upon logout (#8868).
### Fixed
Remove support for deprecated user password hashes (see #8889).
Tornado 5.1.1:
Bug fixes
Fixed an case in which the Future returned by RequestHandler.finish could fail to resolve.
The TwitterMixin.authenticate_redirect method works again.
Improved error handling in the tornado.auth module, fixing hanging requests when a network or other error occurs.
Upstream changes:
Moodle 3.5.2 release notes
Releases > Moodle 3.5.2 release notes
Release date: 10 September 2018
Here is the full list of fixed issues in 3.5.2.
Contents
1 Highlights
2 Fixes and improvements
3 Security issues
4 See also
Highlights
MDL-61652 - Configuration as to who can download SAR data
MDL-62026 - Privacy officer can mark general enquiries as complete
MDL-62660 - Option to set a data request expiry time
MDL-57741 - Launch URL for Publish as LTI tool
MDL-57977 - Global search allows searching for users by alternate name
Fixes and improvements
MDL-60826 - Memory exhaustion error when trying to add/edit calendar event as admin
MDL-60874 - Clearer search results in user enrolment
MDL-62782 - Users with the capability mod/assign:viewgrades can also view uploaded feedback files
MDL-62849 - Filemanager: cannot manage files when there are folders
MDL-62534 - Empty course sections deleted when upgrading
MDL-62600 - Admin is misinformed that there are no data requests
MDL-61351 - Shibboleth logout does not handle file sessions correctly
MDL-62996 - Missing upgrade.php file on tool_dataprivacy may cause errors when upgrading from 3.3 or 3.4
MDL-62643 - Online text assignment submissions generate a blank HTML document for grading when no text is entered
MDL-61515 - The current core php-css-parser prefixing library does not support sass syntax "@supports"
MDL-61424 - When token is rejected from moodle.net provide option to unregister
MDL-59847 - Behaviour when city/country are hiddenfields and identityfields at the same time
MDL-62965 - User profile fields missing on signup page
MDL-62889 - Multiple fixes when redirecting to a URL after clicking on a notification
MDL-62989 - Data requests are listed by date requested for users
MDL-62896 - Some non-core plugins are missing their Additional label on the Plugin data registry page
MDL-62993 - External tool Message in Membership Service not in an Array
MDL-62969 - External tool LtiLinkMemberships URL is invalid
MDL-62581 - Boost Course restore screen styling improvements
MDL-62769 - "Statistics for question positions" graph shows last shown variant, not stats for overall question
MDL-62341 - 'Go back to previous page' link on All policies page
MDL-62746 - Boost core_tag modals content layout improvements
MDL-45389 - Forum index page alignment improvements
MDL-61707 - Pre-signup (minor check) session is not deleted upon signup
MDL-62852 - All policies page lists policy type and audience
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Changelog:
#CVE-2018-12377: Use-after-free in refresh driver timers
#CVE-2018-12378: Use-after-free in IndexedDB
#CVE-2018-12379: Out-of-bounds write with malicious MAR file
#CVE-2017-16541: Proxy bypass using automount and autofs
#CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation
#CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
Git 2.19 Release Notes
Updates since v2.18
-------------------
UI, Workflows & Features
* "git diff" compares the index and the working tree. For paths
added with intent-to-add bit, the command shows the full contents
of them as added, but the paths themselves were not marked as new
files. They are now shown as new by default.
"git apply" learned the "--intent-to-add" option so that an
otherwise working-tree-only application of a patch will add new
paths to the index marked with the "intent-to-add" bit.
* "git grep" learned the "--column" option that gives not just the
line number but the column number of the hit.
* The "-l" option in "git branch -l" is an unfortunate short-hand for
"--create-reflog", but many users, both old and new, somehow expect
it to be something else, perhaps "--list". This step warns when "-l"
is used as a short-hand for "--create-reflog" and warns about the
future repurposing of the it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message "git send-email" sends
out by default was 8bit, which can cause trouble when there is an
overlong line to bust RFC 5322/2822 limit. A new option 'auto' to
automatically switch to quoted-printable when there is such a line
in the payload has been introduced and is made the default.
* "git checkout" and "git worktree add" learned to honor
checkout.defaultRemote when auto-vivifying a local branch out of a
remote tracking branch in a repository with multiple remotes that
have tracking branches that share the same names.
(merge 8d7b558bae ab/checkout-default-remote later to maint).
* "git grep" learned the "--only-matching" option.
* "git rebase --rebase-merges" mode now handles octopus merges as
well.
* Add a server-side knob to skip commits in exponential/fibbonacci
stride in an attempt to cover wider swath of history with a smaller
number of iterations, potentially accepting a larger packfile
transfer, instead of going back one commit a time during common
ancestor discovery during the "git fetch" transaction.
(merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added,
primarily to help server installations that want to ignore the
replace mechanism altogether.
* Teach "git tag -s" etc. a few configuration variables (gpg.format
that can be set to "openpgp" or "x509", and gpg.<format>.program
that is used to specify what program to use to deal with the format)
to allow x.509 certs with CMS via "gpgsm" to be used instead of
openpgp via "gnupg".
* Many more strings are prepared for l10n.
* "git p4 submit" learns to ask its own pre-submit hook if it should
continue with submitting.
* The test performed at the receiving end of "git push" to prevent
bad objects from entering repository can be customized via
receive.fsck.* configuration variables; we now have gained a
counterpart to do the same on the "git fetch" side, with
fetch.fsck.* configuration variables.
* "git pull --rebase=interactive" learned "i" as a short-hand for
"interactive".
* "git instaweb" has been adjusted to run better with newer Apache on
RedHat based distros.
* "git range-diff" is a reimplementation of "git tbdiff" that lets us
compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at
the beginning of incoming lines on the receiving end.
* "git branch --list" learned to take the default sort order from the
'branch.sort' configuration variable, just like "git tag --list"
pays attention to 'tag.sort'.
* "git worktree" command learned "--quiet" option to make it less
verbose.
Performance, Internal Implementation, Development Support etc.
* The bulk of "git submodule foreach" has been rewritten in C.
* The in-core "commit" object had an all-purpose "void *util" field,
which was tricky to use especially in library-ish part of the
code. All of the existing uses of the field has been migrated to a
more dedicated "commit-slab" mechanism and the field is eliminated.
* A less often used command "git show-index" has been modernized.
(merge fb3010c31f jk/show-index later to maint).
* The conversion to pass "the_repository" and then "a_repository"
throughout the object access API continues.
* Continuing with the idea to programatically enumerate various
pieces of data required for command line completion, teach the
codebase to report the list of configuration variables
subcommands care about to help complete them.
* Separate "rebase -p" codepath out of "rebase -i" implementation to
slim down the latter and make it easier to manage.
* Make refspec parsing codepath more robust.
* Some flaky tests have been fixed.
* Continuing with the idea to programmatically enumerate various
pieces of data required for command line completion, the codebase
has been taught to enumerate options prefixed with "--no-" to
negate them.
* Build and test procedure for netrc credential helper (in contrib/)
has been updated.
* Remove unused function definitions and declarations from ewah
bitmap subsystem.
* Code preparation to make "git p4" closer to be usable with Python 3.
* Tighten the API to make it harder to misuse in-tree .gitmodules
file, even though it shares the same syntax with configuration
files, to read random configuration items from it.
* "git fast-import" has been updated to avoid attempting to create
delta against a zero-byte-long string, which is pointless.
* The codebase has been updated to compile cleanly with -pedantic
option.
(merge 2b647a05d7 bb/pedantic later to maint).
* The character display width table has been updated to match the
latest Unicode standard.
(merge 570951eea2 bb/unicode-11-width later to maint).
* test-lint now looks for broken use of "VAR=VAL shell_func" in test
scripts.
* Conversion from uchar[40] to struct object_id continues.
* Recent "security fix" to pay attention to contents of ".gitmodules"
while accepting "git push" was a bit overly strict than necessary,
which has been adjusted.
* "git fsck" learns to make sure the optional commit-graph file is in
a sane state.
* "git diff --color-moved" feature has further been tweaked.
* Code restructuring and a small fix to transport protocol v2 during
fetching.
* Parsing of -L[<N>][,[<M>]] parameters "git blame" and "git log"
take has been tweaked.
* lookup_commit_reference() and friends have been updated to find
in-core object for a specific in-core repository instance.
* Various glitches in the heuristics of merge-recursive strategy have
been documented in new tests.
* "git fetch" learned a new option "--negotiation-tip" to limit the
set of commits it tells the other end as "have", to reduce wasted
bandwidth and cycles, which would be helpful when the receiving
repository has a lot of refs that have little to do with the
history at the remote it is fetching from.
* For a large tree, the index needs to hold many cache entries
allocated on heap. These cache entries are now allocated out of a
dedicated memory pool to amortize malloc(3) overhead.
* Tests to cover various conflicting cases have been added for
merge-recursive.
* Tests to cover conflict cases that involve submodules have been
added for merge-recursive.
* Look for broken "&&" chains that are hidden in subshell, many of
which have been found and corrected.
* The singleton commit-graph in-core instance is made per in-core
repository instance.
* "make DEVELOPER=1 DEVOPTS=pedantic" allows developers to compile
with -pedantic option, which may catch more problematic program
constructs and potential bugs.
* Preparatory code to later add json output for telemetry data has
been added.
* Update the way we use Coccinelle to find out-of-style code that
need to be modernised.
* It is too easy to misuse system API functions such as strcat();
these selected functions are now forbidden in this codebase and
will cause a compilation failure.
* Add a script (in contrib/) to help users of VSCode work better with
our codebase.
* The Travis CI scripts were taught to ship back the test data from
failed tests.
(merge aea8879a6a sg/travis-retrieve-trash-upon-failure later to maint).
* The parse-options machinery learned to refrain from enclosing
placeholder string inside a "<bra" and "ket>" pair automatically
without PARSE_OPT_LITERAL_ARGHELP. Existing help text for option
arguments that are not formatted correctly have been identified and
fixed.
(merge 5f0df44cd7 rs/parse-opt-lithelp later to maint).
* Noiseword "extern" has been removed from function decls in the
header files.
* A few atoms like %(objecttype) and %(objectsize) in the format
specifier of "for-each-ref --format=<format>" can be filled without
getting the full contents of the object, but just with the object
header. These cases have been optimized by calling
oid_object_info() API (instead of reading and inspecting the data).
* The end result of documentation update has been made to be
inspected more easily to help developers.
* The API to iterate over all objects learned to optionally list
objects in the order they appear in packfiles, which helps locality
of access if the caller accesses these objects while as objects are
enumerated.
* Improve built-in facility to catch broken &&-chain in the tests.
* The more library-ish parts of the codebase learned to work on the
in-core index-state instance that is passed in by their callers,
instead of always working on the singleton "the_index" instance.
* A test prerequisite defined by various test scripts with slightly
different semantics has been consolidated into a single copy and
made into a lazily defined one.
(merge 6ec633059a wc/make-funnynames-shared-lazy-prereq later to maint).
* After a partial clone, repeated fetches from promisor remote would
have accumulated many packfiles marked with .promisor bit without
getting them coalesced into fewer packfiles, hurting performance.
"git repack" now learned to repack them.
* Partially revert the support for multiple hash functions to regain
hash comparison performance; we'd think of a way to do this better
in the next cycle.
* "git help --config" (which is used in command line completion)
missed the configuration variables not described in the main
config.txt file but are described in another file that is included
by it, which has been corrected.
* The test linter code has learned that the end of here-doc mark
"EOF" can be quoted in a double-quote pair, not just in a
single-quote pair.
6.0:
Warning
Version 6.0 introduces the :class:~http.Headers class for managing HTTP headers and changes several public APIs:
:meth:~server.WebSocketServerProtocol.process_request now receives a :class:~http.Headers instead of a :class:~http.client.HTTPMessage in the request_headers argument.
The :attr:~protocol.WebSocketCommonProtocol.request_headers and :attr:~protocol.WebSocketCommonProtocol.response_headers attributes of :class:~protocol.WebSocketCommonProtocol are :class:~http.Headers instead of :class:~http.client.HTTPMessage.
The :attr:~protocol.WebSocketCommonProtocol.raw_request_headers and :attr:~protocol.WebSocketCommonProtocol.raw_response_headers attributes of :class:~protocol.WebSocketCommonProtocol are removed. Use :meth:~http.Headers.raw_items instead.
Functions defined in the :mod:~handshake module now receive :class:~http.Headers in argument instead of get_header or set_header functions. This affects libraries that rely on low-level APIs.
Functions defined in the :mod:~http module now return HTTP headers as :class:~http.Headers instead of lists of (name, value) pairs.
Note that :class:~http.Headers and :class:~http.client.HTTPMessage provide similar APIs.
Also:
Added compatibility with Python 3.7.
3.4.4:
Fix installation from sources when compiling toolkit is not available
3.4.3:
Add app.pre_frozen state to properly handle startup signals in sub-applications.
6.9.0:
[Core] Switched from culprit to transaction for automatic transaction reporting.
[CI] Removed py3.3 from build
[Django] resolved an issue where the log integration would override the user.
v6.5.2
- Fix import of :py:mod:cheroot.ssl.pyopenssl by refactoring and separating
:py:mod:cheroot.makefile's stream wrappers.
- Add initial tests for SSL layer with use of :py:mod:trustme
Changelog:
New
Firefox Home (the default New Tab) now allows users to display up to
4 rows of top sites, Pocket stories, and highlights
"Reopen in Container" tab menu option appears for users with Containers
that lets them choose to reopen a tab in a different container
In advance of removing all trust for Symantec-issued certificates in
Firefox 63, a preference was added that allows users to distrust
certificates issued by Symantec. To use this preference, go to
about:config in the address bar and set the preference
"security.pki.distrust_ca_policy" to 2.
Added FreeBSD support for WebAuthn
Improved graphics rendering for Windows users without accelerated hardware
using Parallel-Off-Main-Thread Painting
Support for CSS Shapes, allowing for richer web page layouts. This goes
hand in hand with a brand new Shape Path Editor in the CSS inspector.
CSS Variable Fonts (OpenType Font Variations) support, which makes it
possible to create beautiful typography with a single font file
Updates for enterprise environments:
AutoConfig is sandboxed to the documented API by default. You
can disable the sandbox by setting the preference
general.config.sandbox_enabled to false. Our long term plan is to
remove the ability to turn off the sandboxing. If you need to
continue to use more complex AutoConfig scripts, you will need to use
Firefox Extended Support Release (ESR).
Added Canadian English (en-CA) locale
Changed
Removed the description field for bookmarks. Users who have stored
descriptions using the field may wish to export these descriptions
as html or json files, as they will be removed in a future release.
Dark theme is automatically enabled in macOS 10.14 dark mode
Changed the default setting to Enforce (3) for the
security.pki.name_matching_mode preference
Adobe Flash applets now run in a more secure mode using process
sandboxing on macOS. Learn how this may affect features here.
Users disconnecting from Sync are now offered the option to wipe
their Firefox profile data (including bookmarks, passwords, history,
cookies, and site data) from their desktop computer
Changed how WebRTC handles screen sharing: When screen-sharing a window,
the window will be brought to front
Developer
Three-pane Inspector in Developer Tools separates the rules into its own
panel
This release includes the following bugfixes:
o security advisory (CVE-2018-14618): NTLM password overflow via integer overflow [73]
o CURLINFO_SIZE_UPLOAD: fix missing counter update [46]
o CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
o CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse [72]
o Curl_getoff_all_pipelines: improved for multiplexed [3]
o DEPRECATE: remove release date from 7.62.0
o HTTP: Don't attempt to needlessly decompress redirect body [30]
o INTERNALS: require GnuTLS >= 2.11.3 [62]
o README.md: add LGTM.com code quality grade for C/C++ [42]
o SSLCERTS: improve the openssl command line
o Silence GCC 8 cast-function-type warnings [47]
o ares: check for NULL in completed-callback [3]
o asyn-thread: Remove unused macro [40]
o auth: only pick CURLAUTH_BEARER if we *have* a Bearer token [15]
o auth: pick Bearer authentication whenever a token is available [15]
o cmake: CMake config files are defining CURL_STATICLIB for static builds [54]
o cmake: Respect BUILD_SHARED_LIBS [35]
o cmake: Update scripts to use consistent style [9]
o cmake: bumped minimum version to 3.4 [34]
o cmake: link curl to the OpenSSL targets instead of lib absolute paths [34]
o configure: conditionally enable pedantic-errors [64]
o configure: fix for -lpthread detection with OpenSSL and pkg-config [38]
o conn: remove the boolean 'inuse' field [3]
o content_encoding: accept up to 4 unknown trailer bytes after raw deflate data [5]
o cookie tests: treat files as text
o cookies: support creation-time attribute for cookies [75]
o curl: Fix segfault when -H @headerfile is empty [23]
o curl: add http code 408 to transient list for --retry [78]
o curl: fix time-of-check, time-of-use race in dir creation [71]
o curl: use Content-Disposition before the "URL end" for -OJ [29]
o curl: warn the user if a given file name looks like an option [56]
o curl_threads: silence bad-function-cast warning [69]
o darwinssl: add support for ALPN negotiation [7]
o docs/CURLOPT_URL: fix indentation [20]
o docs/CURLOPT_WRITEFUNCTION: size is always 1 [19]
o docs/SECURITY-PROCESS: mention bounty, drop pre-notify
o docs/examples: add hiperfifo example using linux epoll/timerfd [21]
o docs: add disallow-username-in-url.d and haproxy-protocol.d to dist [50]
o docs: clarify NO_PROXY env variable functionality [70]
o docs: improved the manual pages of some callbacks [48]
o docs: mention NULL is fine input to several functions [43]
o formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT [40]
o gopher: Do not translate `?' to `%09' [67]
o header output: switch off all styles, not just unbold [8]
o hostip: fix unused variable warning
o http2: Use correct format identifier for stream_id [77]
o http2: abort the send_callback if not setup yet [63]
o http2: avoid set_stream_user_data() before stream is assigned [61]
o http2: check nghttp2_session_set_stream_user_data return code [55]
o http2: clear the drain counter in Curl_http2_done [27]
o http2: make sure to send after RST_STREAM [58]
o http2: separate easy handle from connections better [12]
o http: fix for tiny "HTTP/0.9" response [51]
o http_proxy: Remove unused macro SELECT_TIMEOUT [40]
o lib/Makefile: only do symbol hiding if told to [32]
o lib1502: fix memory leak in torture test [44]
o lib1522: fix curl_easy_setopt argument type
o libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation [66]
o mime: check Curl_rand_hex's return code [22]
o multi: always do the COMPLETED procedure/state [3]
o openssl: assume engine support in 1.0.0 or later [2]
o openssl: fix debug messages [39]
o projects: Improve Windows perl detection in batch scripts [49]
o retry: return error if rewind was necessary but didn't happen [28]
o reuse_conn(): memory leak - free old_conn->options [17]
o schannel: client certificate store opening fix [68]
o schannel: enable CALG_TLS1PRF for w32api >= 5.1
o schannel: fix MinGW compile break [1]
o sftp: don't send post-qoute sequence when retrying a connection [79]
o smb: fix memory leak on early failure [26]
o smb: fix memory-leak in URL parse error path [4]
o smb_getsock: always wait for write socket too [11]
o ssh-libssh: fix infinite connect loop on invalid private key [53]
o ssh-libssh: reduce excessive verbose output about pubkey auth [53]
o ssh-libssh: use FALLTHROUGH to silence gcc8 [76]
o ssl: set engine implicitly when a PKCS#11 URI is provided [36]
o sws: handle EINTR when calling select() [24]
o system_win32: fix version checking [16]
o telnet: Remove unused macros TELOPTS and TELCMDS [40]
o test1143: disable MSYS2's POSIX path conversion [10]
o test1148: disable if decimal separator is not point [65]
o test1307: (fnmatch testing) disabled [31]
o test1422: add required file feature [6]
o test1531: Add timeout [41]
o test1540: Remove unused macro TEST_HANG_TIMEOUT [40]
o test214: disable MSYS2's POSIX path conversion for URL
o test320: treat curl320.out file as binary [14]
o tests/http_pipe.py: Use /usr/bin/env to find python
o tests: Don't use Windows path %PWD for SSH tests [74]
o tests: fixes for Windows line endlings [13]
o tool_operate: Fix setting proxy TLS 1.3 ciphers
o travis: build darwinssl on macos 10.12 to fix linker errors [33]
o travis: execute "set -eo pipefail" for coverage build [45]
o travis: run a 'make checksrc' too [25]
o travis: update to GCC-8 [52]
o travis: verify that man pages can be regenerated [50]
o upload: allocate upload buffer on-demand [60]
o upload: change default UPLOAD_BUFSIZE to 64KB [60]
o urldata: remove unused pipe_broke struct field [57]
o vtls: reinstantiate engine on duplicated handles [59]
o windows: implement send buffer tuning [37]
o wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random [18]
From the changelog:
10.0.9 - 2018-07-17
Added
Added account module middleware to be able to plug in logic after authentication - #31883#31933
occ user:list now takes a list of attributes to display - #31115
Added Symfony events for user preference changes - #31266
Added Symfony events for public links shared by email - #31632
Added Symfony events for accept and reject for local shares - #31702
Added support for Imprint and Privacy Policy URLs in web UI and email footers - #31666#31699#31730#31766
Added HTML template for lost password email - #31144
Received local shares can now trigger a notification to accept or reject them, also visible in "Shared with you" section - #31613#31886
Rejected shares can now be accepted again in the "Shared with you" section - #31613
Provide original exception via logging events - #31623
Share autocomplete now displays useful tooltip when typing less characters - #31729
Added public Webdav API for versions using a new "meta" DAV endpoint - #31729#29637#31805#31801
Added support for retrieving file previews using Webdav endpoint - #29319#30192#31748#31788#31862#31865
Added versioning support for primary object store - #29607#31285#31595
Changed
Updated ca-bundle.crt - #31734
Bump symfony to 3.4.8 and other pending minor bumps - #31221
Bump karma from 2.0.0 to 2.0.2 in /build - #31253
Bump karma-jasmine from 1.1.1 to 1.1.2 in /build - #31378
Bump karma-coverage from 1.1.1 to 1.1.2 in /build - #31380
Bump zendframework/zend-inputfilter from 2.8.1 to 2.8.2 - #31431
Bump icewind/smb from 1.1.0 to 3.0.0 in /apps/files_external/3rdparty - #31521
Bump symfony 3.4.9 to 3.4.11 - #31571
Update jsdoc requirement to ~3.5.5 - #30036
Removed example theme which now lives in the theme-example repository - #31447
A user who is a member of multiple groups is now excluded from sharing if at least one of their group is configured for exclusion - #31737#31822
Changed back default minimum search characters to 2 for share autocomplete due to confusion - #31729
Files app UI now uses new versions API through the "meta" DAV endpoint - #29607
Removed
Removed old private ajax API for previews, deprecated by DAV endpoint support - #30254
Bookmarks certificate was removed - #31878
Fixed
Adjustments for the notifications messages of the sharing apps - #31947
Disable jquery globalEval - #31972
Work around Edge browser memory leak in web UI chunked upload - #31884
Don't fail if ISqlMigration doesn't return anything - #31779
Fixed restoring of versions for single file shares - #31681
Group admins are not able to create groups any more using provisioning API - #31738
Fix Oracle for queries using ILIKE operator - #31466
Improve user-sync command help description - #31691
Fix deletion and restoration of files in trashbin in some partial selection scenarios - #31700
Do not load the code of disabled theme apps - #31478
Fix encrypt-all and decrypt-all commands to keep shares when encrypting - #31600#31590
Proceed with encrypt-all command by enabling user-keys if no mode is selected by user - #31612
Validate maximum length of a username - #31664
Save timezone as given during login - #31493
Fix checksum computation to not apply on read-write streams to avoid potential mismatch results - #31619
Exclude uploads directory from read-only cache mask, fixes guest app chunked uploads - #31596
Properly normalize paths for event, no &$magic needed - #31689
Use the correct user id in login related Symfony events - #31605
Fix public link dialog issue when collaborative tags app is disabled - #31581
Fix updating public link share in transfer ownership command - #31176#31953
Do not set the password again if it hasn't changed - #31370
Use correct l10n to translate 'password was changed' email - #31553
Improve text in settings/personal App Password - #31539
Fix default language code example - #31448
Fix double slash in versioning file copy events - #31452
Split public password enforced capabilities based on a config - #31499
Fix bogus exceptions related to missing DAV nodes after deletion - #31479
Fix enabling of users by group admins in the web UI - #31489
Fix AccountMapper to return an object or throw an exception - #31445
Proper handling of exceptions in UserManager - #31446
Properly cache non-existing user in UserManager - #31446
Update verify checksums console output to flow more naturally - #31449
Subadmin shouldn't be able to add users to their groups via API - #31337
Catch duplicate inserts in token table - #31460#31794#32041
Fix overflowing public share names in the share panel - #31369
Fix occ user:sync to sync quota from preferences after upgrade if backend provided no quota - #31360
Fix for Redis dev editions - #31282
Fix mail debug message recipient field - #31227
Prevent infinite loop in case of error in "log" event handler - #31247
Fix HTTP status code when uploading virus-infected files - #31260
Add back robots.txt in the release - #31248
- lib: Tweak nghttp2_session_set_stream_user_data
- lib: Fix handling of SETTINGS_MAX_CONCURRENT_STREAMS.
- lib: Implement ORIGIN frame
- asio: support definition of local endpoint for cleartext client
session
- integration: Remove remaining SPDY code from the integration tests.
- nghttpx: Fix worker process crash with neverbleed write error
- nghttpx: Support per-backend mruby script
- nghttpx: Fix stream reset if data from client is arrived before dconn
is attached
2.1.1:
Bugfixes
Fixed a race condition in QuerySet.update_or_create() that could result in data loss
Fixed a regression where QueryDict.urlencode() crashed if the dictionary contains a non-string value
Fixed a regression in Django 2.0 where using manage.py test --keepdb fails on PostgreSQL if the database exists and the user doesn’t have permission to create databases
Fixed a regression in Django 2.0 where combining Q objects with __in lookups and lists crashed
Fixed translation failure of DurationField’s “overflow” error message
Fixed a regression where the admin change form crashed if the user doesn’t have the ‘add’ permission to a model that uses TabularInline
Fixed a regression where a related_query_name reverse accessor wasn’t set up when a GenericRelation is declared on an abstract base model
Fixed the test client’s JSON serialization of a request data dictionary for structured content type suffixes
Made the admin change view redirect to the changelist view after a POST if the user has the ‘view’ permission
Fixed admin change view crash for view-only users if the form has an extra form field
Fixed a regression in Django 2.0.5 where QuerySet.values() or values_list() after combining querysets with extra() with union(), difference(), or intersection() crashed due to mismatching columns
Fixed crash if InlineModelAdmin.has_add_permission() doesn’t accept the obj argument
v18.0.0
* Drop support for Python 2.7. CherryPy 17 will
remain an LTS release for bug and security fixes.
* Drop support for Python 3.4.
v17.4.0
* When setting Response Body, reject Unicode
values, making behavior on Python 2 same as on Python 3.
* Other inconsequential refactorings.
v6.5.1:
Improve UNIX socket fs access mode in :py:meth:cheroot.server.HTTPServer.prepare on a file socket when starting to listen to it.
v6.5.0
Add support for validating client certificates.
7.94 2018-08-27
- Added EXPERIMENTAL content_type and file_type methods to Mojolicious::Types.
- Fixed a bug where the reply->file helper would not try to set a Content-Type
header.
- Fixed a bug where the render method in Mojolicious::Controller would not
always use Mojolicious::Types to find the correct Content-Type value.
2.24 Thu Aug 30 03:23:03 CEST 2018
- bring cookie management more in line with RFC 6265; implement idn
matching for cookie domains.
- update cookie_jar version to 2, invalidate existing cookie jars.
- preserve original cookie domain attribute.
- also expire old cookie jars in cookie parser, just in case.
- further improve relative redirection code.
- comment out code that tried to detect possible bugs with persistent
connection caching, but since it never triggered, it's probably
working fine :)
- do not call on_body callback on a response that AE::HTTP will recurse
on internally (reported by Антон Онуфриев and Ruslan Zakirov).
Changes:
3.8
---
NetSurf 3.8 features some page layout improvements, stability and
security improvements, and some minor additional features. We
recommend all users upgrade to NetSurf 3.8.
What's new in Tornado 5.1
Deprecation notice
- Tornado 6.0 will drop support for Python 2.7 and 3.4. The minimum
supported Python version will be 3.5.2.
- The tornado.stack_context module is deprecated and will be removed
in Tornado 6.0. The reason for this is that it is not feasible to
provide this module's semantics in the presence of async def
native coroutines. .ExceptionStackContext is mainly obsolete
thanks to coroutines. .StackContext lacks a direct replacement
although the new contextvars package (in the Python standard
library beginning in Python 3.7) may be an alternative.
- Callback-oriented code often relies on .ExceptionStackContext to
handle errors and prevent leaked connections. In order to avoid the
risk of silently introducing subtle leaks (and to consolidate all of
Tornado's interfaces behind the coroutine pattern), callback
arguments throughout the package are deprecated and will be removed
in version 6.0. All functions that had a callback argument
removed now return a .Future which should be used instead.
- Where possible, deprecation warnings are emitted when any of these
deprecated interfaces is used. However, Python does not display
deprecation warnings by default. To prepare your application for
Tornado 6.0, run Python with the -Wd argument or set the
environment variable PYTHONWARNINGS to d. If your
application runs on Python 3 without deprecation warnings, it should
be able to move to Tornado 6.0 without disruption.
tornado.auth
- .OAuthMixin._oauth_get_user_future may now be a native coroutine.
- All callback arguments in this package are deprecated and will
be removed in 6.0. Use the coroutine interfaces instead.
- The OAuthMixin._oauth_get_user method is deprecated and will be removed in
6.0. Override ~.OAuthMixin._oauth_get_user_future instead.
tornado.autoreload
- The command-line autoreload wrapper is now preserved if an internal
autoreload fires.
- The command-line wrapper no longer starts duplicated processes on windows
when combined with internal autoreload.
tornado.concurrent
- .run_on_executor now returns .Future objects that are compatible
with await.
- The callback argument to .run_on_executor is deprecated and will
be removed in 6.0.
- .return_future is deprecated and will be removed in 6.0.
tornado.gen
- Some older portions of this module are deprecated and will be removed
in 6.0. This includes .engine, .YieldPoint, .Callback,
.Wait, .WaitAll, .MultiYieldPoint, and .Task.
- Functions decorated with @gen.coroutine will no longer accept
callback arguments in 6.0.
tornado.httpclient
- The behavior of raise_error=False is changing in 6.0. Currently
it suppresses all errors; in 6.0 it will only suppress the errors
raised due to completed responses with non-200 status codes.
- The callback argument to .AsyncHTTPClient.fetch is deprecated
and will be removed in 6.0.
- tornado.httpclient.HTTPError has been renamed to
.HTTPClientError to avoid ambiguity in code that also has to deal
with tornado.web.HTTPError. The old name remains as an alias.
- tornado.curl_httpclient now supports non-ASCII characters in
username and password arguments.
- .HTTPResponse.request_time now behaves consistently across
simple_httpclient and curl_httpclient, excluding time spent
in the max_clients queue in both cases (previously this time was
included in simple_httpclient but excluded in
curl_httpclient). In both cases the time is now computed using
a monotonic clock where available.
- .HTTPResponse now has a start_time attribute recording a
wall-clock (time.time) timestamp at which the request started
(after leaving the max_clients queue if applicable).
tornado.httputil
- .parse_multipart_form_data now recognizes non-ASCII filenames in
RFC 2231/5987 (filename*=) format.
- .HTTPServerRequest.write is deprecated and will be removed in 6.0. Use
the methods of request.connection instead.
- Malformed HTTP headers are now logged less noisily.
tornado.ioloop
- .PeriodicCallback now supports a jitter argument to randomly
vary the timeout.
- .IOLoop.set_blocking_signal_threshold,
~.IOLoop.set_blocking_log_threshold, ~.IOLoop.log_stack,
and .IOLoop.handle_callback_exception are deprecated and will
be removed in 6.0.
- Fixed a KeyError in .IOLoop.close when .IOLoop objects are
being opened and closed in multiple threads.
tornado.iostream
- All callback arguments in this module are deprecated except for
.BaseIOStream.set_close_callback. They will be removed in 6.0.
- streaming_callback arguments to .BaseIOStream.read_bytes and
.BaseIOStream.read_until_close are deprecated and will be removed
in 6.0.
tornado.netutil
- Improved compatibility with GNU Hurd.
tornado.options
- tornado.options.parse_config_file now allows setting options to
strings (which will be parsed the same way as
tornado.options.parse_command_line) in addition to the specified
type for the option.
tornado.platform.twisted
- .TornadoReactor and .TwistedIOLoop are deprecated and will be
removed in 6.0. Instead, Tornado will always use the asyncio event loop
and twisted can be configured to do so as well.
tornado.stack_context
- The tornado.stack_context module is deprecated and will be removed
in 6.0.
tornado.testing
- .AsyncHTTPTestCase.fetch now takes a raise_error argument.
This argument has the same semantics as .AsyncHTTPClient.fetch,
but defaults to false because tests often need to deal with non-200
responses (and for backwards-compatibility).
- The .AsyncTestCase.stop and .AsyncTestCase.wait methods are
deprecated.
tornado.web
- New method .RequestHandler.detach can be used from methods
that are not decorated with @asynchronous (the decorator
was required to use self.request.connection.detach().
- .RequestHandler.finish and .RequestHandler.render now return
Futures that can be used to wait for the last part of the
response to be sent to the client.
- .FallbackHandler now calls on_finish for the benefit of
subclasses that may have overridden it.
- The .asynchronous decorator is deprecated and will be removed in 6.0.
- The callback argument to .RequestHandler.flush is deprecated
and will be removed in 6.0.
tornado.websocket
- When compression is enabled, memory limits now apply to the
post-decompression size of the data, protecting against DoS attacks.
- .websocket_connect now supports subprotocols.
- .WebSocketHandler and .WebSocketClientConnection now have
selected_subprotocol attributes to see the subprotocol in use.
- The .WebSocketHandler.select_subprotocol method is now called with
an empty list instead of a list containing an empty string if no
subprotocols were requested by the client.
- .WebSocketHandler.open may now be a coroutine.
- The data argument to .WebSocketHandler.ping is now optional.
- Client-side websocket connections no longer buffer more than one
message in memory at a time.
- Exception logging now uses .RequestHandler.log_exception.
tornado.wsgi
- .WSGIApplication and .WSGIAdapter are deprecated and will be removed
in Tornado 6.0.
