ChangeLog since 2.0.0
2.0.2a (2012-11-15)
-------------------
Enhancements
- improved user rights editor in calendar module
- disable alarms for newly subscribed calendars
Bug fixes
- fixed typos in Spanish (Spain) translation
- fixed display of raw source for tasks
- fixed title display of cards with a photo
- fixed null address in reply-to header of messages
- fixed scrolling for calendar/addressbooks lists
- fixed display of invitations on BlackBerry devices
- fixed sogo-tool rename-user for MySQL database
- fixed corrupted attachments in Webmail
- fixed parsing of URLs that can throw an exception
- fixed password encoding in user sources
2.0.2 (2012-10-24)
------------------
New features
- added support for SMTP AUTH
- sogo configuration can now be set in /etc/sogo/sogo.conf
- added support for GNU TLS
Enhancements
- speed up of the parsing of IMAP traffic
- minor speed up of the web interface
- speed up the scrolling of the message list in the mail module
- speed up the deletion of large amounts of entries in the contacts module
- updated the timezone files to the 2012.g edition
- openchange backend: miscellaneous speed up of the synchronization
operations
- open file descriptors are now closed when the process starts
Bug fixes
- the parameters included in the url of remote calendars are now taken into
account
- fixed an issue occurring with timezone definitions providing multiple entries
- openchange backend: miscellaneous crashes during certain Outlook
operations, which have appeared in version 2.0.0, have been fixed
- fixed issues occurring on OpenBSD and potentially other BSD flavours
2.0.1 (2012-10-10)
-------------------
Enhancements
- deletion of contacts is now performed in batch, which speeds up the
operation for large numbers of items
- scalability enhancements in the OpenChange backend that enable the first
synchronization of mailboxes in a more reasonable time and using less
memory
- the task list is now sortable
Bug Fixes
- improved support of IE 9
* Patches are synced with xulrunner-17.0, and regen patches
* Update Mozilla Lightning to 1.9
Changelog:
SeaMonkey-specific changes
None (see changes page for minor changes).
Mozilla platform changes
OS X 10.6 is now the minimum supported Mac version.
JavaScript Maps and Sets are now iterable.
SVG FillPaint and StrokePaint have been implemented.
The sandbox attribute has been implemented for iframes, enabling increased security.
Fixed several stability issues.
Security fixes
Fixed in SeaMonkey 2.14
MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
MFSA 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2012-103 Frames can shadow top.location
MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset
MFSA 2012-100 Improper security filtering for cross-origin wrappers
MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
MFSA 2012-96 Memory corruption in str_unescape
MFSA 2012-94 Crash when combining SVG text on path with CSS
MFSA 2012-93 evalInSandbox location context incorrectly applied
MFSA 2012-92 Buffer overflow while rendering GIF images
MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)
* Add --enable-pulseaudio configure option (functionality is not tested)
Changelog:
NEW
First revision of the Social API and support for Facebook Messenger
NEW
Click-to-play blocklisting implemented to prevent vulnerable plugin versions from running without the user's permission (see blog post)
CHANGED
Updated Awesome Bar experience with larger icons
CHANGED
Mac OS X 10.5 is no longer supported
DEVELOPER
JavaScript Maps and Sets are now iterable
DEVELOPER
SVG FillPaint and StrokePaint implemented
DEVELOPER
Improvements that make the Web Console, Debugger and Developer Toolbar faster and easier to use
DEVELOPER
New Markup panel in the Page Inspector allows easy editing of the DOM
HTML5
Sandbox attribute for iframes implemented, enabling increased security
FIXED
Over twenty performance improvements, including fixes around the New Tab page
FIXED
Pointer lock doesn't work in web apps (769150)
FIXED
Page scrolling on sites with fixed headers (780345)
As discussed on pkgsrc-users, x11/ftlk (1.1) is no longer maintained,
and 1.3 is believed to be almost entirely compatible.
Patch from Tim Larson, who has build-tested these packages on
NetBSD/amd64.
TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
2012-11-08 54eab24 [RELEASE] Release of TYPO3 4.7.6 (TYPO3 Release Team)
2012-11-08 f5d3162 #42696 [SECURITY] Fix SQL injection and XSS in record history (Oliver Hader)
2012-11-08 07c3d63 #42774 [SECURITY] XSS in TCA Tree (Oliver Hader)
2012-11-08 7b916d0 #42776 [SECURITY] Fix potential XSS in t3lib_BEfunc::getFuncCheck (Helmut Hummel)
2012-11-08 389452e [TASK] Raise submodule pointer (TYPO3 Release Team)
2012-11-07 3f2929d #39677 [BUGFIX] No sorting in TypoScript Object Browser when browsing (Nicole Cordes)
2012-11-02 b69dc9d #42281 [BUGFIX] Translated non-published page in workspace breaks live workspace (Oliver Hader)
2012-11-02 9330ab6 #38024 [BUGFIX] Illegal string offsets in t3lib_stdgraphic (Wouter Wolters)
2012-11-01 8098997 [TASK] Use correct branch for travis integration build (Helmut Hummel)
2012-11-01 24f4a8d #37578 [BUGFIX] PHP 5.4 warning in CLI context in switch back user (Christian Kuhn)
2012-10-31 dc73a91 #39662 [BUGFIX] RTE: Link class not always set in Firefox (Stanislas Rolland)
2012-10-31 ba8ead7 #42046 [BUGFIX] Restore display of mount points path (Francois Suter)
2012-10-29 fbd5057 #40733 [BUGFIX] Wrong call to TSFE in FrontendEditing (Steffen Ritter)
2012-10-29 4bf3cca #42054 [BUGFIX] PHP warning: open_basedir restriction (Xavier Perseguers)
2012-10-28 19f0cbb #42454 [BUGFIX] Fix usage of fileadminDir (Helmut Hummel)
2012-10-27 dd20440 #42444 [TASK] Fix generation of ext_emconf.php (Wouter Wolters)
2012-10-22 ce6ab74 #41980 [TASK] Clean-up EXT: aboutmodules, adapt to "TYPO3 CMS" (Felix Kopp)
2012-10-22 3440228 #38699 [BUGFIX] t3lib_div::unlink_tempfile does not always work on Windows (Stanislas Rolland)
2012-10-22 689f1fb #33504 [BUGFIX] New form wizard not loading in IE8 (Sebastian Schawohl)
2012-10-19 74c10e0 [BUGFIX] Unit test for saltedpasswords fail (Xavier Perseguers)
2012-10-18 bfb12db #36087 [BUGFIX] RTE: Link to disabled page doesn't show in FE, link icon does (Stanislas Rolland)
2012-10-18 9d621aa #29685 [BUGFIX] RTE: Words containing umlauts not added to personal dictionary (Stanislas Rolland)
2012-10-17 bd4645c #38406 [BUGFIX] Extension Import not working with postgresql and DBAL (Ernesto Baschny)
TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
2012-11-08 948f241 [RELEASE] Release of TYPO3 4.6.14 (TYPO3 Release Team)
2012-11-08 c150b27 #42696 [SECURITY] Fix SQL injection and XSS in record history (Oliver Hader)
2012-11-08 b02026d #42774 [SECURITY] XSS in TCA Tree (Oliver Hader)
2012-11-08 f22dc79 #42776 [SECURITY] Fix potential XSS in t3lib_BEfunc::getFuncCheck (Helmut Hummel)
2012-11-08 72153cc [TASK] Raise submodule pointer (TYPO3 Release Team)
2012-11-07 3ea5e0b #39677 [BUGFIX] No sorting in TypoScript Object Browser when browsing (Nicole Cordes)
2012-11-02 5de1807 #42281 [BUGFIX] Translated non-published page in workspace breaks live workspace (Oliver Hader)
2012-11-02 93bb671 #38024 [BUGFIX] Illegal string offsets in t3lib_stdgraphic (Wouter Wolters)
2012-11-01 84cb9b6 #37578 [BUGFIX] PHP 5.4 warning in CLI context in switch back user (Christian Kuhn)
2012-10-29 76d0b9c #28248 [BUGFIX] t3lib_div: adjust substUrlsInPlainText to also work on URLs at end of sentence (Robert Heel)
2012-10-29 3ff27f4 #40733 [BUGFIX] Wrong call to TSFE in FrontendEditing (Steffen Ritter)
2012-10-29 9767b86 #42054 [BUGFIX] PHP warning: open_basedir restriction (Xavier Perseguers)
2012-10-27 7381250 #42444 [TASK] Fix generation of ext_emconf.php (Wouter Wolters)
2012-10-22 ccebb50 #38699 [BUGFIX] t3lib_div::unlink_tempfile does not always work on Windows (Stanislas Rolland)
2012-10-22 2a0929b #33504 [BUGFIX] New form wizard not loading in IE8 (Sebastian Schawohl)
2012-10-19 b32e08c [BUGFIX] Fix case of tests folder (Xavier Perseguers)
2012-10-19 22bef48 [BUGFIX] Unit test for saltedpasswords fail (Xavier Perseguers)
2012-10-18 9ed2c6f #36087 [BUGFIX] RTE: Link to disabled page doesn't show in FE, link icon does (Stanislas Rolland)
2012-10-18 2e48486 #29685 [BUGFIX] RTE: Words containing umlauts not added to personal dictionary (Stanislas Rolland)
2012-10-17 a3a7417 #38406 [BUGFIX] Extension Import not working with postgresql and DBAL (Ernesto Baschny)
2012-10-17 a5fc128 #25021 [BUGFIX] Creating new pages via drag'n'drop respects page TS (Philipp Kitzberger)
Security fix for TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core.
2012-11-08 c211c0e [RELEASE] Release of TYPO3 4.5.21 (TYPO3 Release Team)
2012-11-08 5245e09 #42696 [SECURITY] Fix SQL injection and XSS in record history (Oliver Hader)
2012-11-08 ab335bc #42774 [SECURITY] XSS in TCA Tree (Oliver Hader)
2012-11-08 a768d97 #42776 [SECURITY] Fix potential XSS in t3lib_BEfunc::getFuncCheck (Helmut Hummel)
2012-11-08 ba187e5 [TASK] Raise submodule pointer (TYPO3 Release Team)
2012-11-07 b4f7658 #39677 [BUGFIX] No sorting in TypoScript Object Browser when browsing (Nicole Cordes)
2012-11-02 dba123b #42281 [BUGFIX] Translated non-published page in workspace breaks live workspace (Oliver Hader)
2012-11-02 fc6f82f #38024 [BUGFIX] Illegal string offsets in t3lib_stdgraphic (Wouter Wolters)
2012-11-01 ded3a6e #37578 [BUGFIX] PHP 5.4 warning in CLI context in switch back user (Christian Kuhn)
2012-10-29 c05e759 #28248 [BUGFIX] t3lib_div: adjust substUrlsInPlainText to also work on URLs at end of sentence (Robert Heel)
2012-10-29 d4c539d #40733 [BUGFIX] Wrong call to TSFE in FrontendEditing (Steffen Ritter)
2012-10-27 7b28c0e #42444 [TASK] Fix generation of ext_emconf.php (Wouter Wolters)
2012-10-22 7f0696f #38699 [BUGFIX] t3lib_div::unlink_tempfile does not always work on Windows (Stanislas Rolland)
2012-10-22 f50483d #27020 [BUGFIX] TCEForms.Suggest wizard in IRRE records (Nicole Cordes)
2012-10-19 b77171c [BUGFIX] Fix case of tests folder (Xavier Perseguers)
2012-10-19 2490737 [BUGFIX] Unit test for saltedpasswords fail (Xavier Perseguers)
2012-10-18 9a14bcf #36087 [BUGFIX] RTE: Link to disabled page doesn't show in FE, link icon does (Stanislas Rolland)
2012-10-18 f8fc399 #29685 [BUGFIX] RTE: Words containing umlauts not added to personal dictionary (Stanislas Rolland)
2012-10-17 17b1d65 #38406 [BUGFIX] Extension Import not working with postgresql and DBAL (Ernesto Baschny)
Drupal 7.17, 2012-11-07
-----------------------
- Changed the default value of the '404_fast_html' variable to have a DOCTYPE
declaration.
- Made it possible to use associative arrays for the 'items' variable in
theme_item_list().
- Fixed a bug which prevented required form elements without a title from being
given an "error" class when the form fails validation.
- Prevented duplicate HTML IDs from appearing when two forms are displayed on
the same page and one of them is submitted with invalid data (minor markup
change).
- Fixed a bug which prevented Drupal 6 to Drupal 7 upgrades on sites which had
stale data in the Upload module's database tables.
- Fixed a bug in the States API which prevented certain types of form elements
from being disabled when requested.
- Allowed aggregator feed items with author names longer than 255 characters to
have a truncated version saved to the database (rather than causing a fatal
error).
- Allowed aggregator feed items to have URLs longer than 255 characters
(schema change which results in several columns in the Aggregator module's
database tables changing from VARCHAR to TEXT fields).
- Added hook_taxonomy_term_view() and standardized the process for rendering
taxonomy terms to invoke hook_entity_view() and otherwise make it consistent
with other entities (API change: http://drupal.org/node/1808870).
- Added hook_entity_view_mode_alter() to allow modules to change entity view
modes on display (API addition: http://drupal.org/node/1833086).
- Fixed a bug which made database queries running a "LIKE" query on blob fields
fail on PostgreSQL databases. This caused errors during the Drupal 6 to
Drupal 7 upgrade.
- Changed the hook_menu() entry for Drupal's rss.xml page to prevent extra path
components from being accidentally passed to the page callback function (data
structure change).
- Removed a non-standard "name" attribute from Drupal's default Content-Type
header for file downloads.
- Fixed the theme settings form to properly clean up submitted values in
$form_state['values'] when the form is submitted (data structure change).
- Fixed an inconsistency by removing the colon from the end of the label on
multi-valued form fields (minor string change).
- Added support for 'weight' in hook_field_widget_info() to allow modules to
control the order in which widgets are displayed in the Field UI.
- Updated various tables in the OpenID and Book modules to use the default
"empty table" text pattern (string change).
- Added proxy server support to drupal_http_request().
- Added "lang" attributes to language links, to better support screen readers.
- Fixed double occurrence of a "ul" HTML tag on secondary local tasks in the
Seven theme (markup change).
- Fixed bugs which caused taxonomy vocabulary and shortcut set titles to be
double-escaped. The fix replaces the taxonomy vocabulary overview page and
"Edit shortcuts" menu items' title callback entries in hook_menu() with new
functions that do not escape HTML characters (data structure change).
- Modified the Update manager module to allow drupal.org to collect usage
statistics for individual modules and themes, rather than only for entire
projects.
- Modified the node listing database query on Drupal's default front page to
add table aliases for better query altering (this is a data structure change
affecting code which implements hook_query_alter() on this query).
- Improved the translatability of the "Field type(s) in use" message on the
modules page (admin-facing string change).
- Fixed a regression which caused a "call to undefined function
drupal_find_base_themes()" fatal error under rare circumstances.
- Numerous API documentation improvements.
- Additional automated test coverage.
Contao Open Source CMS 3.0.0 is a new major release since Contao (as
TYPOlight) was publicly released.
Major changes from 2.11.
* Use PHP namespace and more flexible to extend.
* Improve performance with mapper class loader.
* Better support for mobile devices and responsive design
* Database supported file management and handling of file's meta data.
* jQuery support coexist with MooTools.
* Directories in URL path.
* HTML5 based audio/video player (also YouTube).
* Improve ease to use.
* Display of what has changed.
* Complete fix for CSRF.
Changelog:
Version 4.0.8 Oct 10th 2012
Show Login Button when user and password are autocompleted
Sanitize LDAP base, user and groups
Security: Fix for insufficiently Random Values (CVE-2008-4107)
Security: Fixed multiple XSS vulnerabilities (CVE-2012-5056)
Security: Fixed a HTTP header injection (CVE-2012-5057)
Security: Fixed an Auth bypass in /lib/base.php (CVE-2012-5336)
a) lang/see support was removed (see below)
b) lang/spidermonkey and wip/spidermonkey185 aren't recognized
ELinks 0.12pre6
---------------
Security fix:
* bug 1124, CVE-2012-4545: Do not delegate GSSAPI credentials in HTTP
Negotiate or GSS-Negotiate authentication. Reported by Marko Myllynen.
(ELinks 0.12pre1 was the first release that supported GSSAPI; earlier
releases are not vulnerable.)
Fixed crashes and hangs:
* critical bug 943: Don't let user JavaScripts call any methods of
``elinks.action'' in tabs that do not have the focus. If a tab was
closed with ``elinks.action.tab_close'' while it had pop-up windows,
ELinks could crash; as a precaution, don't allow other actions
either. (ELinks 0.12pre1 was the first release that supported
``elinks.action''.)
* critical bug 1083: Avoid an infinite loop when trying to decompress
malformed data. Caused by the bug 1068 fix in ELinks 0.12pre3.
* Fix a possible crash or information disclosure on big-endian 64-bit
systems using HTTP Negotiate or GSS-Negotiate authentication.
Incompatibilities:
* Dropped support for SEE. (ELinks 0.12pre1 was the first release
that supported SEE.)
* Guile 2.0.0 (released on 2011-02-16) changed its license to
LGPLv3-or-later, which is not compatible with the GPLv2 that covers
ELinks. Also, Guile has deprecated many of the functions that
ELinks calls.
Other changes:
* major bug 764: Correctly initialize options on big-endian 64-bit
systems.
* bug 983: Give preference to the Content-Type specified in the HTTP
header over that specified via the HTML meta tag.
* bug 1084: Allow option names containing '+' and '*' in the option
manager.
* bug 1112: Map most numeric character references &#128; ... &#159;
to graphical characters also when the output charset is UTF-8.
(ELinks 0.12pre1 was the first release that supported UTF-8 as the
terminal charset, and ELinks 0.12pre5 was the first release that
supported UTF-8 as the dump charset.)
* minor bug 1113: Fix a small memory leak if a mailcap file is malformed.
* minor bug 1114: Decode SGML entities and NCRs only once in link/@title
and other attributes.
* build: Fix several warnings reported by GCC 4.7.1. Harmless at
runtime but could break the build if configured --enable-debug.
(This version does not fix all such warnings.)
Enhancements:
- support for include directive
- added support for HTTPS backends
- support for SNI via multiple Cert directives (thanks to Joe Gooch)
Bug fixes:
- fixed problem with long input lines in http.c
- keep sessions for disabled back-ends, continue using them until the time-out
- fixed memory leak in session removal
- fix for possible request smuggling by using multiple headers
- changed long to long long for support of requests larger than 2GB
0.17
handle /(de)?objectify_text/ for <script> extraction
(Stanislaw Pusep)
0.16
commit 07b40205fd03564d476eff7675e9f19196939f2f
Author: Oleg G <verdrehung@gmail.com>
Date: Sat Mar 31 13:26:11 2012 +0700
added few methods to support Web::Query
5.03 2012-09-22
Release by Christopher J. Madsen
[THINGS THAT MAY BREAK YOUR CODE OR TESTS]
* as_HTML no longer indents <textarea> (Tomohiro Hosaka) (RT #70385)
[FIXES]
* as_trimmed_text did not accept '0' for extra_chars
[DOCUMENTATION]
* Explain that as_text never adds whitespace (RT #66498)
* Explain what extra_chars can contain for as_trimmed_text.
Upstream changes:
2012-10-21 HTTP-Message 6.06
Gisle Aas (2):
More forgiving test on croak message [RT#80302]
Added test for multipart parsing
Mark Overmeer (1):
Multipart end boundary doesn't need to match a complete line [RT#79239]
_______________________________________________________________________________
2012-10-20 HTTP-Message 6.05
Gisle Aas (5):
Updated ignores
No need to prevent visiting field values starting with '_'
Report the correct croak caller for delegated methods
Disallow empty field names or field names containing ':'
Make the extra std_case entries local to each header
_______________________________________________________________________________
2012-09-30 HTTP-Message 6.04
Gisle Aas (5):
Updated repository URL
Avoid undef warning for empty content
Teach $m->content_charset about JSON
Use the canonical charset name for UTF-16LE (and friends)
Add option to override the "(no content)" marker of $m->dump
Christopher J. Madsen (2):
Use IO::HTML for <meta> encoding sniffing
mime_name was introduced in Encode 2.21
Tom Hukins (1):
Remove an unneeded "require"
Ville Skyttä (1):
Spelling fixes.
chromatic (1):
Sanitized PERL_HTTP_URI_CLASS environment variable.
Martin H. Sluka (1):
Add test from RT#77466
Father Chrysostomos (1):
Fix doc grammo [RT#75831]
Changelog
=========
Since 2.2-rc
----------------
bugfix: calendar monthly view performance upgrades.
bugfix: translation tool for plugins fixed.
bugfix: email html signature puts br tags when composing email.
bugfix: Person email modification does not work.
bugfix: Prevent double task completion (when double clicking on complete link).
bugfix: Fixed company edit link from people tree.
Since 2.2-beta
----------------
bugfix: several fixes in custom reports display.
bugfix: custom reports csv/pdf export always show status column.
bugfix: dashboard activity widget does not control permissions correctly.
bugfix: dashboard activity widget shows username instead of person complete name.
bugfix: subworkspace creation does not inherit color.
bugfix: email autoclassification does not classify attachments.
bugfix: email view shows wrong "To" value when "To" field is empty or undefined.
bugfix: unclassified mails allows to subscribe other users.
bugfix: error when forwarding another user's account emails with attachments.
bugfix: several fixes in email classification functions.
bugfix: company comments are not displayed.
bugfix: dashboard's tasks widget breaks right widgets when scrolling (only in chrome).
bugfix: permissions check in Administration/Dimensions.
bugfix: css is being printed in csv exported reports.
bugfix: error subscribing users when instantiating templates with milestones and subtasks.
bugfix: don't use $this in static functions.
bugfix: archiving and unarchiving members is not done in a transaction.
bugfix: permissions in dimension member selectors.
bugfix: cannot set task's due date to 12:30 PM, always sets the same time but AM.
bugfix: tasks drag and drop loses some attributes.
usability: mouseover highlight on member properties/restrictions tables.
Since 2.1
----------------
bugfix: several fixes in repetitive tasks.
bugfix: quick add of tasks does not subscribe creator.
bugfix: google calendar import fixed.
bugfix: fixed event deletion.
bugfix: fixed email account sharing.
bugfix: fixed AM/PM issue when selecting task's dates.
bugfix: special characters in workspace when adding from quick add.
bugfix: error 500 in workspaces dashboard.
bugfix: error when searching emails by "From" field in advanced search.
bugfix: 1.7 -> 2.x upgrade fixed subtasks.
bugfix: permissions in user's card.
bugfix: task's drag and drop edition bugfixes.
bugfix: task's quick add does not keep the task name when switching to complete edition.
bugfix: several LDAP integration fixes.
bugfix: fixed contact phones display in list.
bugfix: config option descriptions added.
bugfix: user email is not required.
bugfix: milestone selector does not show all available milestones.
bugfix: person email cannot be edited.
bugfix: disabled users are shown in subscribers and invited people.
bugfix: permission groups upgrade does not set type.
bugfix: Javascript problems in IE.
bugfix: issues with breadcrumbs with special characters.
bugfix: VCard import/export fixed.
bugfix: cannot delete workspace with apostrophe.
bugfix: fixed "enters" issue in tasks description wysiwyg editor.
bugfix: File copy makes two copies.
bugfix: permissions fixed for submembers.
bugfix: when updating a file, does not subscribe the updater user.
bugfix: milestones display different dates in milestone view and task list.
bugfix: "assigned to" filter in tasks does not work properly.
bugfix: cannot archive dimension members.
bugfix: cannot archive several tasks at once.
feature: activity widget.
feature: new workspace and tag selectors.
feature: add timeslot entries to application_logs.
feature: complete parent tasks asks to complete child tasks.
usability: sort email panel by "to" column.
usability: changes in advanced search for email fields.
usability: can change imported calendar names.
usability: email with attachments classification process upgraded.
usability: linked objects selector can filter by workspace and tags.
system: CKEditor updated.
system: translation module upgraded - translate plugins files.
system: German, Russian and French languages upgraded.
Release notes
Maintenance and security release of the Drupal 7 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the security announcement:
SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and
Information disclosure
No other fixes are included.
* monochrome: New theme, contributed by Jon Dowland.
* rst: Ported to python 3, while still also being valid python 2.
Thanks, W. Trevor King
* Try to avoid a situation in which so many ikiwiki cgi wrapper programs
are running, all waiting on some long-running thing like a site rebuild,
that it prevents the web server from doing anything else. The current
approach only avoids this problem for GET requests; if multiple cgi's
run GETs on a site at the same time, one will display a "please wait"
page for a configurable number of seconds, which then redirects to retry.
To enable this protection, set cgi_overload_delay to the number of
seconds to wait. This is not enabled by default.
* Add back a 1em margin between archivepage divs.
* recentchangesdiff: Correct broken template that resulted in duplicate
diff icons being displayed, and bloated the recentchanges page with
inline diffs when the configuration should have not allowed them.
mj_turner and jihbed.
A comprehensive Python HTTP client library that supports many features left out
of other HTTP libraries.
Features:
o HTTP and HTTPS
o Keep-Alive
o Authentication
o Caching
o All Methods
o Redirects
o Compression
o Lost update support
o Unit Tested
Changelog:
Fixed in Firefox ESR 10.0.9
MFSA 2012-89 defaultValue security checks not applied
Fixed in Firefox ESR 10.0.8
MFSA 2012-87 Use-after-free in the IME State Manager
MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer
MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
MFSA 2012-84 Spoofing and script injection through location.hash
MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
MFSA 2012-82 top object and location property accessible by plugins
MFSA 2012-81 GetProperty function can bypass security checks
MFSA 2012-79 DOS and crash with full screen and history navigation
MFSA 2012-77 Some DOMWindowUtils methods bypass security checks
MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)
MFSA 2012-59 Location object can be shadowed using Object.defineProperty
* Update enigmail to 1.4.5
* Update Mozilla Lightning to 1.8
Changelog:
SeaMonkey-specific changes
None.
Mozilla platform changes
JavaScript responsiveness has been improved through incremental garbage collection.
CSS3 Animations, Transitions, Transforms and Gradients have been unprefixed.
MD5 is no longer supported as a hash algorithm in digital signatures.
The Opus codec is now supported by default.
The reverse CSS3 animation direction has been implemented.
Per tab reporting is now available in about:memory.
Fixed several stability issues.
Changelog:
FIXED
16.0.1: Vulnerability outlined here
https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
NEW
Firefox on Mac OS X now has preliminary VoiceOver support turned on by default
NEW
Initial web app support (Windows/Mac/Linux)
NEW
Acholi and Kazakh localizations added
CHANGED
Improvements around JavaScript responsiveness through incremental garbage collection
DEVELOPER
New Developer Toolbar with buttons for quick access to tools, error count for the Web Console, and a new command line for quick keyboard access
DEVELOPER
CSS3 Animations, Transitions, Transforms and Gradients unprefixed in Firefox 16
DEVELOPER
Recently opened files list in Scratchpad implemented
FIXED
Debugger breakpoints do not catch on page reload (783393)
FIXED
No longer supporting MD5 as a hash algorithm in digital signatures (650355)
FIXED
Opus support by default (772341)
FIXED
Reverse animation direction has been implemented (655920)
FIXED
Per tab reporting in about:memory (687724)
FIXED
User Agent strings for pre-release Firefox versions now show only major version (728831)
SSH: added agent based authentication
ftp: active conn, allow application to set sockopt after accept() call with CURLSOCKTYPE_ACCEPT
multi: add curl_multi_wait()
metalink: Added support for Microsoft Windows CryptoAPI
md5: Added support for Microsoft Windows CryptoAPI
parse_proxy: treat "socks://x" as a socks4 proxy
socks: Added support for IPv6 connections through SOCKSv5 proxy
Bugfixes:
WSAPoll disabled on Windows builds due to its bugs
segfault on request retries
curl-config: parentheses fix
VC build: add define for openssl
globbing: fix segfault when >9 globs were used
fixed a few clang-analyzer warnings
metalink: change code order to build with gnutls-nettle
gtls: fix build failure by including nettle-specific headers
change preferred HTTP auth on a handle previously used for another auth
file: use fdopen() to avoid race condition
Added DWANT_IDN_PROTOTYPES define for MSVC too
verbose: fixed (nil) output of hostnames in re-used connections
metalink: Un-broke the build when building --with-darwinssl
curl man page cleanup
Avoid leak of local device string when reusing connection
Curl_socket_check: fix return code for timeout
nss: do not print misleading NSS error codes
configure: remove the --enable/disable-nonblocking options
darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions
NTLM: re-use existing connection better
schannel crash on multi and easy handle cleanup
SOCKS: truly disable it if CURL_DISABLE_PROXY is defined
mk-ca-bundle: detect start of trust section better
gnutls: do not fail on non-fatal handshake errors
SMTP: only send SIZE if supported
ftpserver: respond with a 250 to SMTP EHLO
ssh: do not crash if MD5 fingerprint is not provided by libssh2
winbuild: Added support for building with SPNEGO enabled
metalink: Fixed validation of binary files containing EOF
setup.h: fixed for MS VC10 build
cmake: use standard findxxx modules for cmake v2.8+
HTTP_ONLY: disable more protocols
Curl_reconnect_request: clear pointer on failure
https.c example: remember to call curl_global_init()
metalink: Filter resource URLs by type
multi interface: CURLOPT_LOW_SPEED_* fix during rate limitation
curl_schannel: Removed buffer limit and optimized buffer strategy
---------------------
* When "git am" is fed an input that has multiple "Content-type: ..."
header, it did not grok charset= attribute correctly.
* Even during a conflicted merge, "git blame $path" always meant to
blame uncommitted changes to the "working tree" version; make it
more useful by showing cleanly merged parts as coming from the other
branch that is being merged.
* "git blame MAKEFILE" run in a history that has "Makefile" but not
"MAKEFILE" should say "No such file MAKEFILE in HEAD", but got
confused on a case insensitive filesystem and failed to do so.
* "git fetch --all", when passed "--no-tags", did not honor the
"--no-tags" option while fetching from individual remotes (the same
issue existed with "--tags", but combination "--all --tags" makes
much less sense than "--all --no-tags").
* "git log/diff/format-patch --stat" showed the "N line(s) added"
comment in user's locale and caused careless submitters to send
patches with such a line in them to projects whose project language
is not their language, mildly irritating others. Localization to
the line has been disabled for now.
* "git log --all-match --grep=A --grep=B" ought to show commits that
mention both A and B, but when these three options are used with
--author or --committer, it showed commits that mention either A or
B (or both) instead.
* The subcommand to remove the definition of a remote in "git remote"
was named "rm" even though all other subcommands were spelled out.
Introduce "git remote remove" to remove confusion, and keep "rm" as
a backward compatible synonym.
Also contains a handful of documentation updates.
Changelog:
The Apache Tomcat Project is proud to announce the release of version 7.0.30
of Apache Tomcat. This release contains numerous bug fixes and improvements
compared to version 7.0.29. The notable changes include:
* Significantly reduced memory footprint during web application start while
Servlet 3.0 annotation and SCI scanning is in progress.
* Adds support for scanning of classes that use Java 7 specific byte code
for Servlet 3.0 annotation and SCI scanning.
* Improvements to DIGEST and FORM authentication.
Full details of these changes, and all the other changes, are available in the
changelog at http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
2.0.7 June 5, 2012
Fix breakage caused by removal of PL_uid et al from perl 5.16.0. Patch from
rt.cpan.org #77129. [Zefram]
2.0.6 April 24, 2012
Preserve 5.8 compatibility surrounding use of MUTABLE_CV [Adam Prime]
Move code after declarations to keep MSVC++ compiler happy. [Steve Hay]
Adopt modperl_pcw.c changes from httpd24 branch. [Torsten Foertsch]
Pool cleanup functions must not longjmp. Catch these exceptions and turn
them into warnings. [Torsten Foertsch]
Fix a race condition in our tipool management.
See http://www.gossamer-threads.com/lists/modperl/dev/104026
Patch submitted by: SalusaSecondus <salusa@nationstates.net>
Reviewed by: Torsten Foertsch
Ensure that MP_APXS is set when building on Win32 with MP_AP_PREFIX,
otherwise the bundled Reload and SizeLimit builds will fail to find a
properly configured Test environment.
[Steve Hay]
Fix a few REFCNT bugs.
Patch submitted by: Niko Tyni <ntyni@debian.org>
Reviewed by: Torsten Foertsch
Correct the initialization of the build config in ModPerl::MM. The global
variable was only being set once on loading the module, which was before
Apache2::BuildConfig.pm had been written, leading to cwd and MP_LIBNAME
being unset when writing the Reload and SizeLimit makefiles.
[Steve Hay]
Discover apr-2-config from Apache 2.4 onwards. [Gozer]
Apache 2.4 and onwards doesn't require linking the MPM module directly in
the httpd binary anymore. APXS lost the MPM_NAME query, so we can't assume
a given MPM anymore. Introduce a fake MPM 'dynamic' to represent this.
[Torsten Foertsch, Gozer]
Perl 5.14 brought a few changes in Perl_sv_dup() that made a threaded apache
segfault while cloning interpreters.
[Torsten Foertsch]
PerlIOApache_flush() and mpxs_Apache2__RequestRec_rflush() now no longer throw
exceptions when modperl_wbucket_flush() fails if the failure was just a reset
connection or an aborted connection. The failure is simply logged to the error
log instead. This should fix cases of httpd.exe crashing when users press the
Stop button in their web browsers.
[Steve Hay]
Fixed a few issues that came up with LWP 6.00:
- t/response/TestAPI/request_rec.pm assumes HTTP/1.0 but LWP 6 uses 1.1
- t/api/err_headers_out.t fails due to a bug somewhere in LWP 6
- t/filter/TestFilter/out_str_reverse.pm sends the wrong content-length header
[Torsten Foertsch]
Bugfix: Apache2::ServerUtil::get_server{description,banner,version} cannot
be declared as perl constants or they won't reflect added version components
if Apache2::ServerUtil is loaded before the PostConfig phase. Now, they
are ordinary perl functions. [Torsten Foertsch]
Check for the right ExtUtils::Embed version during build [Torsten Foertsch]
Take a lesson from rt.cpan.org #66085 and pass LD_LIBRARY_PATH if mod_env
is present. Should prevent test failures on some platforms.
[Fred Moyer]
Version 2.11.6 (2012-09-26)
---------------------------
### Fixed
Correctly handle root pages in `Controller::getPageDetails()` (see #4610).
### Fixed
Consider the page language when forwarding (see #4841).
### Fixed
URL encode the enclosure URLs in RSS/Atom feeds (see #4839).
### Fixed
Also create empty templates folders if a theme is imported (see #4793).
### Fixed
Decode Punycode domains when used via insert tag (see #4753).
### Fixed
Correctly handle open tags in `String::substrHtml()` (see #4773).
### Fixed
Correctly handle units when importing style sheets (see #4721).
### Fixed
The mediabox plugin did not play Vimeo videos (see #4770).
### Fixed
Correctly align stylect menus in the form generator in the back end (see #4557).
### Fixed
Add a link if a news item or event points to an internal page (see #4671).
### Fixed
Wrap the MooTools fallback into CDATA tags on XHTML pages (see #4680).
### Fixed
Do not add a default value to textareas (see #4722).
### Fixed
Do not override the comments array in case login is required to comment,
otherwise no comments will be shown (see #4064).
* Include contao/Makefile.common from contao/Makefile.example.
* Add some code fragments toward Contao 3.0 support.
* Add CT_VERBASE to use COMMENT.
* Use CT_FILES for Contao's files directory name.
This module provides an extension to HTML::Template which allows
expressions in the template syntax. This is purely an addition -
all the normal HTML::Template options, syntax and behaviors will
still work.
* Fix security bug
Changelog:
Tar ball is not shipped with changelog...
5.6.0.1 Version History
Behavioral Improvements
Page Type names are sanitized better when created in the dashboard.
Multilingual controls in dashboard now display languages in their native language (for easier understanding. thanks patrickheck)
Better display when removing groups or users and having them show up in advanced permissions list.
Fixing bug where composer pages weren't being added to the bottom of the list. Fixing bug where moved pages weren't getting a rescanned display order
Fixing missing dashboard icons for Stacks and Block Types
Bug Fixes
Fixed inability to use Layout Presets
Fixed bug where blocks couldn't be copied out to child pages from page type defaults on upgraded sites.
Fixed form block bug where you'd be unable to enter an email address in the form block for notification.
Fixed: http://www.concrete5.org/developers/bugs/5-6-0/getthemepath-prints-absolute-paths/
Blocks and packages can now insert header items into the 404 page correctly.
fixed: http://www.concrete5.org/developers/bugs/5-6-0/page-type-icons-incorrect-when-included-in-composer/
Fixed "Out of range value for column 'uLastIP'" error that would occur with certain IP addresses.
Bulk SEO Tool now shows DIR_REL constant within the URL slug properly.
Group sets now appear on the dashboard home page.
Fixed JavaScript error leading to aborted installation when installation routines have apostrophes in them (primarily for translated versions of concrete5.)
Theme assets no longer have two slashes in the URLs.
Fixed: http://www.concrete5.org/developers/bugs/5-6-0/fatal-error-call-to-a-member-function-isglobalarea-on-a-non-obje/ by hiding permissions options on the frontend (use the stacks interface instead.)
Fixed: http://www.concrete5.org/developers/bugs/5-6-0/global-area-update-issue-when-using-preview-my-edits/
Date Navigation block now honors the Pretty URLs settings.
Fixed: http://www.concrete5.org/developers/bugs/5-6-0/advanced-permissions-dont-work-after-translation/
Fixed: page_types/ directory was incorrectly excluded from overrides detection.
fixing 'Call to a member function getProxyBlock() on a non-object in /core/libraries/block_view.php on line 39' when calling an action URL on a non-object block
Developer Updates
Validation helpers didn't extend the core helpers properly. This has been fixed.
Clear override cache on adding a single page.
Refreshing overrides cache when installing a block type (fixes Designer Content add-on not working with the overrides cache turned on).
5.6.0 Release Notes
Feature Updates
Completely updated permissions system, including:
More granular permission control that maps directly to common concrete5 tasks.
Ability to control which users or groups CAN'T do something, as opposed to only allow those who CAN do something.
Ability to grant a permission to only those users in a particular combination of groups.
Ability to control which users and groups can add which types of block site-wide and in simple permissions mode.
Restrict permissions to various roles, including "uploader of the file", "page owner", etc...
Shortcut for enabling guest view access on blocks.
Group Sets can group groups together for organizational purposes, permissions.
Fine-grained, granular controls on content types, permission types.
New user permissions to control who can edit which users, assign which groups, etc...
Complete new extendable workflow system, including basic workflow and waiting for me. Improved, normalized and rewrote a lot of old code for things like pending page actions to bring them into the workflow system.
Improved interface work, including bootstrap 2 integration.
Improved Mobile Support
Mobile theme switcher now integrated into core
Improved mobile performance of header on mobile devices.
Improved dashboard on mobile devices; fully responsive dashboard across all devices.
You can now choose an individual block or an entire stack when adding a stack on the front-end.
Added bulk actions to the user search
New SEO Manager in Dashboard > System & Settings gives you one place to modify SEO properties for your entire site.
Made page theme a versionable property.
Make page type a versionable property.
Ability to reorder block types globally (thanks jordanlev!)
You can now copy and paste a stack on the front-end.
Page URL Slugs now use the URLify library instead of our own solution (which wasn't as consistent or effective.)
Additional Features and Behavioral Improvements
When implicitly checking pages out (editing properties in sitemap, etc...) they will be checked back in when the dialog is closed. (New in 5.6.0b2)
Added an Add Group button to Groups page.
Rich text editor in dashboard now uses site theme for styles.
Color picker UI more consistent with 5.5 (thanks arcanepain.)
Add new page window no longer cut off on small monitors.
Search Block - Added page selector when posting search results to another page.
Form Block
added date and date time field types that allow a user to use a date/time picker to choose values.
Email field now has ability to be set as the default reply-to so administrators can reply directly to the form submitter.
No more jumpiness on editing.
Added theme to Page Search.
Removed HTML diff python library (since it didn't work very well). Replaced with tab-based compare that lets you compare more than two versions.
Off-server requests can now be made with a proxy server, found in System & Settings (thanks garagan!)
Added copy to the version dialog box. Improved version dialog box appearance.
Improved quick nav experience, reworked dashboard dropdown to use favorites for adding. Favorites show up in the dashboard dropdown.
You can now select Gravatar as a fallback user avatar (thanks danklassen!) in the profiles section of the dashboard.
Add page can happen with submit.
More consistent sitemap/search overlay, with various searches only loaded when needed. Tabs remember last selected sitemap/search option.
Miscellaneous string translation and Internationalization improvements (thanks thuic)
Added getSearchableContent method to rss viewer block so its content will show up in search results (thanks 12345j)
Built-in countries and state/provinces helpers now use Zend_Locale for easier management, more consistency and localization.
Added URL Slug in Composer.
Maintenance mode now lets you perform some sitemap and page operations while the site is down.
Zend_Translate can now be stored at a different path to fix Zend_Translate bug with period in directory. Added TRANSLATE_OPTIONS that can be specified in config/site.php (thanks ahukkanen).
Added user to the Log entries screen (thanks klompie!)
Internationalization improvement: Zend_Date now included. Dates are now localized into the proper language (thanks patrickheck). DateHelper::date() manages localization.
Block limits set in templates are now updated in realtime without a page refresh (thanks bhcarpenter)
Now you can clear your page search index from the "Search Index" page in the dashboard (which will let you fully reindex it through the reindex pages job.)
Form block: Adding the ability to set an email address as the reply-to address when replying to the email (thanks danklassen.)
Blog RSS feed now includes categories (thanks stonier)
Complete rewrite of sitemap.xml generation job to improve performance, no longer show deleted pages, add new constants for sitemap starting point, default change frequency and priority (thanks mlocati.)
Nicer alignment on Next/Previous block (thanks thirdender.)
Using realpath() instead of ../ to fix some base_dir errors, make things nicer.
More consistent ordering of log entries when they happen in rapid succession (thanks Johnthefish).
Cleaned up javascript in the google map block (thanks Remo).
Edit in Composer now available in page search.
Installing in a particular language no longer sets that language as the default in config/site.php (which would render no other languages selectable.)
Added cookie check to installation preflight.
Added last IP to user detail screen in dashboard.
Forbidden shows up if user can't view a page but is logged in (thanks mnkras).
Performance Improvements
Added environment library to cache overrides for better performance. Overrides cache setting now available from the Cache System and Settings page.
New autod support for better performance with on-demand class loading.
Removing nivo slider from the core for better compatibility with third party sliders and smaller file sizes; removing cropzoom from ccm.app.js for smaller file sizes.
Rewrote portions used with large blogs (New in 5.6b2)
Additional Bug Fixes
Additional pagination now works in large sitemaps from the front-end (New in 5.6.0b2)
Flat view pagination looks nicer (New in 5.6.0b2)
On some hosts, manual checking for concrete5 f were being added to the file manager.
Improved reliability when using composer with advanced permissions.
Bug Fix: events sort by priority (thanks arcanepain)
Fixed replace field in Firefox (width)
Tags and select options will only show usag-2-1/automatically-inclusion-of-additional-page-path-when-updating-ca/
data urls should work as background images in customizable stylesheets.
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/registration-errors-when-no-user-attributes-are-selected-to-show/ (New in 5.6.0b2)
Fixed: http://www.concrete5.org/developers/bugs/5-4-2-2/wrong-path-to-block-template-when-embedded-a-block-element-in-th/
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/url-replacement-in-theme-css-only-replaces-first-url-in-each-lin/#discussionpost
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/user-edit-multiple-of-the-same-group-can-be-added-to-a-user-caus/#discussionpost
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/dashboard-page-search-menu-overridden-if-working-with-overlay-fi/
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/page-attributes-attributes-list-stealing-kepresses-for-up-and-do/
Fixing potential SQL vulnerability in Autonav Preview pane.
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/cant-use-and-in-select-attribute-values/ (thanks arcanepain)
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/customize-result-in-user-search-retains-deleted-attribute-column/
Checking for invalid cookie length when starting a session.
RSS Displayer block now only cached for one hour.
http://www.concrete5.org/developers/bugs/5-5-2-1/bug-in-page-search-table/ (Fixed in 5.6.0b2)
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/jobs-play-button-url-contains-the-wrong-parameter-to-run-a-singl/
Fixed bug where editing an initial version of a page wouldn't create a new version of the page, until the second edit.
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/numbers-in-version-comments-still-arent-increased-correctly/ (thanks remo)
Fixed bug checking for captcha options form in the wrong place.
Fixed bug where custom style elements on blocks in stacks wouldn't show up in page (thanks acliss19xx)
Minor XSS fixes in edit mode.
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/object-doesnt-support-property-or-method-stoppropagation-in-ie8/
Fixed bug in FileList (which would show up in Slideshow blocks or anywhere that would filter by set) where selecting a file set and then deleting it would cause a SQL error (thanks remo)
Included updated SWFUpload to fix XSS issue.
Fixed bug where file set display order would appear random if files were in multiple sets.
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/deleting-composer-publish-location-page-results-mysql-1064-error/
Fix bug where defining LOCALE in config/site.php and then trying to save multilingual settings could override the default locale with a null locale.
Fixed potential SQL problems when an admin tried to pass nefarious parameters through to the file manager, page search, or metadata/version editing.
No longer will you get the "checking for updates" spinner infinitely when in maintenance mode.
Forms/External Forms/Other Items that have been copied and pasted into another page will now work from that page.
Forms can now be edited properly when pasted from a clipboard.
More reliable permissions checking on dashboard dropdown for news, add functionality and system & settings (thanks arcanepain)
Progress status during installation should now be displayed in proper language.
Fixed pagination in blog index thumbnail (page list custom template.)
FIXED: If images or files were used in content block instances in content importer an error would be thrown.
Environment info no longer incorrectly reports all max_execution_time settings at 5.
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/insert-link-to-page-with-ie8/
replaced m/d/y with DATE_APP_GENERIC_MDY to jquery date pickers in date time helper (thx melat0nin)
Security Fix: Closed Redirect Loophole on Form block
Attempting to resolve this: http://www.concrete5.org/developers/bugs/5-5-2-1/fatal-error-call-to-a-member-function-getblocktypehandle/#discussionpost
Proper 404 headers should be sent when browsing to a method that doesn't exist under a single page.
Fixed some bugs and finicky behavior with search paging in file manager, page search, other search.
When editing page properties while checking out a page, approval fields will now be shown post update (rather than forcing you to refresh the page or exit edit mode and then approve the page.)
Fixed bug in block move() method that would copy all blocks from an area... (thanks herent)
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/error-on-package-uninstall/ (New in 5.6.0b2)
Fixed: Copy to clipboard from editable area then pasting to global area causes fatal error (New in 5.6.0b2)
Fixed: http://www.concrete5.org/developers/bugs/5-5-2-1/default-date_archive-block-controller-caches-its-active-state/ (New in 5.6.0b2)
Developer Updates
You can now pass an optional third parameter to the css() and javascript() functions which will be checked for uniqueness. This array contains 'handle' and 'version' and can be used to force only the right libraries loading at the right time (thanks jordanlev).
Added support for BASE_URL_SSL constant.
If a __call method is present in a controller, it will be used for any tasks that don't exist (thanks remo).
Packaged themes can now be overridden in the root themes directory. This is true for included elements (using inc()) and page types/single pages.
You can now add elements/dashboard/install_post.php to your package and it will be displayed in a dialog post install.
Updated auto-nav templates to be much nicer to edit.
Moved jQuery.Cookie library into ccm.app.js
Including t2() function for plural localization/translation (thanks mlocati.)
New Events
on_composer_publish
on_composer_save_draft
on_composer_delete_draft
on_block_load (New in 5.6b2)
Better block validation error messages on installation (thanks jordanlev)
Updated simplepie RSS and ATOM parsing library to 1.3 (thanks ahukkanen)
Added closures support to events for PHP 5.3 and greater (just specify an anonymous function).
Here are some of the new features and improvements of Feng Office 2.1 over
version 2.0 final release:
* New notification format
* Advanced search
* Notes and Tasks WYSIWYG
* Tasks quick edit is back and improved
* Google Docs compatibility
* Improved Google Calendar integration
* Archive Dimension Members is back
* Easier to delete Dimension Members (is back)
* Overview "View as list" is back
* IMAP sent e-mail sync is back
* Improved templates
* Improvements when linking objects
* More data on the task list: good for management
* Indexing of .odt and .fodt
* File extension prevention upload
* Lots of improvements to the Gantt Chart module (Professional Edition)
* Task dependencies (Professional Edition)
* One task for many people
## 2.1.2 (06 September 2012)
- Updated to latest jquery-ujs
- required radio bugfix
- Updated to jQuery 1.8.1
## 2.1.1 (18 August 2012)
- Updated to latest jquery-ujs
- ajax:aborted:file bugfixes
## 2.1.0 (16 August 2012)
- Updated to latest jquery-ujs
- jQuery 1.8.0 compatibility
- Updated to jQuery 1.8.0
- Updated to jQuery UI 1.8.23
## 2.0.3 (16 August 2012)
- Updated to latest jquery-ujs
- created `rails:attachBindings` to allow for customization of $.rails
object settings
- created `ajax:send` event to provide access to jqXHR object from ajax
requests
- added support for `data-with-credentials`
== 1.4.1 Chromeo Fix
* Fix error when sending USR1 signal and no log file is supplied.
== 1.4.0 Chromeo
* kill -USR1 $PID for log rotation [catwell].
* Fix HUP signal being reset after daemonization [atotic].
* Fix error with nil addresses in Connection#socket_address.
== 1.3.2 Low-bar Squat
* Remove mack and halcyon Rack adapters from automatic detection.
= 1.3.3 / 2012-08-19
* Improved documentation. (burningTyger, Konstantin Haase, Gabriel Andretta,
Anurag Priyam, michelc)
* No longer modify the load path. (Konstantin Haase)
* When keeping a stream open, set up callback/errback correctly to deal with
clients closing the connection. (Konstantin Haase)
* Fix bug where having a query param and a URL param by the same name would
concatenate the two values. (Konstantin Haase)
* Prevent duplicated log output when application is already wrapped in a
`Rack::CommonLogger`. (Konstantin Haase)
* Fix issue where `Rack::Link` and Rails were preventing indefinite streaming.
(Konstantin Haase)
* No longer cause warnings when running Ruby with `-w`. (Konstantin Haase)
* HEAD requests on static files no longer report a Content-Length of 0, but
instead the proper length. (Konstantin Haase)
* When protecting against CSRF attacks, drop the session instead of refusing
the request. (Konstantin Haase)
=== raindrops 0.10.0 - minor feature updates / 2012-06-19 08:30 UTC
Improvements to the Unix domain socket handling and small
bugfixes throughout.
Support for the "unix_diag" facility in Linux 3.3+ is planned
but not yet implemented (patches to raindrops@librelist.org
appreciated)
Brian Corrigan (1):
resolve symlinks to Unix domain sockets
Eric Wong (6):
unix_listener_stats follows and remembers symlinks
middleware/proxy: favor __send__ for method dispatch
unix: show zero-value stats for idle listeners
test_watcher: fix incorrect request/date comparison
watcher: sort index of listener listing
watcher: do not require Rack::Head for HEAD response
See "git log v0.9.0..v0.10.0" for full details
# Liquid Version History
## 2.4.0 / 2012-08-03
* Performance improvements
* Allow filters in `assign`
* Add `modulo` filter
* Ruby 1.8, 1.9, and Rubinius compatibility fixes
* Add support for `quoted['references']` in `tablerow`
* Add support for Enumerable to `tablerow`
* `strip_html` filter removes html comments
0.12.2 (06/24/2012)
* [Vertical Rhythm Module] Removed the $ie-font-ratio constant in favor of a
more clear $browser-default-font-size constant.
* [Vertical Rhythm Module] The establish-baseline mixin now styles the <html>
element instead of the <body> element. This makes the vertical rhythm module
work better with rem based measurements.
* [CSS3] Added 3D transform support for Mozilla, IE, and Opera.
* [CSS3] Added -ms support for css3 columns. Add support for the columns
shorthand property.
* [CSS3] Added -ms and -webkit support for CSS Regions.
* [CSS3] Added mixins for column-break properties to the columns module.
* [CSS3] Added a css3/hyphenation module for the word-break and hyphens
properties.
* [CSS3] Made the API more consistent across the different mixins in the
transitions module.
* [CSS3] The text-shadow mixin now supports the spread parameter and it is
used to progressively enhance browsers that support it.
* [CSS3] Add a mixin for the unofficial filter property.
* [CSS3] Removed the -ms prefix for gradients and transforms. Microsoft took
so long to release them, that the spec was approved first.
* [CLI] Added a -I option for adding sass import paths via the CLI during
compilation and project set up.
* [Configuration] For better ruby and rails integration, the add_import_path
command now accepts Sass::Importer objects and Ruby Pathname objects.
* Reverted the hide-text mixin to the -9999 method. If you prefer the Kellum
method then you need to set $hide-text-direction to right in your
stylesheets.
* $legacy-support-for-mozilla can be set to false to disable output for
Firefox 3.6 or earlier.
* Cleaned up the inline-block mixin to have less output and make the
vertical-alignment of that mixin configurable or even turned off.
* Output of SVG and original webkit gradients is now omitted when using the
degree-based linear gradient syntax.
* Added a --fonts-dir configuration flag for the compass command line.
* Added tint() and shade() color helper functions, for better
lightening/darkening of colors.
* Set the standard :css_filename option for sass. This enables relative path
calculations for assets referred to by the stylesheet.
* Remove the Sass middleware if it gets accidentally loaded.
Changes with Apache 2.2.23
*) SECURITY: CVE-2012-0883 (cve.mitre.org)
envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs. [Stefan Fritsch]
*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]
*) mod_ldap: Treat the "server unavailable" condition as a transient
error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]
*) core: Add filesystem paths to access denied / access failed messages.
[Eric Covener]
*) core: Fix error handling in ap_scan_script_header_err_brigade() if there
is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]
*) core: Prevent "httpd -k restart" from killing server in presence of
config error. [Joe Orton]
*) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
[Kaspar Brand, William Rowe]
*) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
PR 53104. [Greg Ames]
*) Unix MPMs: Fix small memory leak in parent process if connect()
failed when waking up children. [Joe Orton]
*) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
[Peter Pramberger <peter pramberger.at>, Jim Jagielski]
*) Added SSLProxyMachineCertificateChainFile directive so the proxy client
can select the proper client certificate when using a chain and the
remote server only lists the root CA as allowed.
*) mpm_event, mpm_worker: Remain active amidst prevalent child process
resource shortages. [Jeff Trawick]
*) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
*) mod_rewrite: Fix the RewriteEngine directive to work within a
location. Previously, once RewriteEngine was switched on globally,
it was impossible to switch off. [Graham Leggett]
*) mod_proxy_balancer: Restore balancing after a failed worker has
recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]
*) mod_dumpio: Properly handle errors from subsequent input filters.
PR 52914. [Stefan Fritsch]
*) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
process resource shortages. [Jeff Trawick]
*) mpm_prefork: Reduce spawn rate after a child process exits due to
unexpected poll or accept failure. [Jeff Trawick]
*) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
from logging bogus data in case of errors. [Stefan Fritsch]
*) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
response is a 206 Partial Content. This stops a reverse proxied partial
response from becoming cached, and then being served in subsequent
responses. PR 49113. [Graham Leggett]
*) configure: Fix usage with external apr and apu in non-default paths
and recent gcc versions >= 4.6. [Jean-Frederic Clere]
*) core: Fix building against PCRE 8.30 by switching from the obsolete
pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
*) mod_proxy: Add the forcerecovery balancer parameter that determines if
recovery for balancer workers is enforced. [Ruediger Pluem]
- Improved Mojo::EventEmitter to warn about failed error events.
- Improved resilience of Mojo::IOLoop exception handling.
- Improved tests.
- Fixed small CGI bug.
3.40 2012-09-11
- Improved tests.
- Fixed Perl 5.10.1 compatibility.
- Fixed FindBin support in Mojolicious applications.
- Fixed a few multipart bugs.
3.39 2012-09-10
- Improved Mojo::URL and Mojo::Parameters performance.
- Improved documentation.
- Improved tests.
- Fixed support for query parameters in Mojolicious::Plugin::Charset.
3.38 2012-09-07
- Added xor_encode method to Mojo::ByteStream.
- Added xor_encode function to Mojo::Util.
- Improved documentation.
- Fixed small xor_encode bug. (dod, crab)
3.37 2012-09-04
- Added finish method to Mojo::Message.
- Updated jQuery to version 1.8.1.
- Improved documentation.
- Improved tests.
- Fixed Mojo::Transaction to propagate connection close to Mojo::Message.
- Fixed small state bug in Mojo::Transaction.
3.36 2012-08-30
- Improved documentation.
- Improved tests.
- Fixed small multipart bug.
3.35 2012-08-28
- Deprecated Mojolicious::Controller->render_content in favor of content
helper.
- Improved Mojolicious::Plugin::Config to accept mode specific config files
without a normal config file. (alexbyk, sri)
- Improved documentation.
- Improved tests.
3.34 2012-08-24
- Improved documentation.
3.33 2012-08-23
- Improved Mojo::DOM::HTML to handle bad charsets more gracefully.
- Improved documentation.
- Improved tests.
3.32 2012-08-20
- Added event sequentialization support to delay method in Mojo::IOLoop.
(judofyr, marcus, sri)
- Added support for expiration session value to Mojolicious::Sessions.
- Added steps method to Mojo::IOLoop::Delay. (judofyr, marcus, sri)
- Added tap method to Mojo::Base.
- Added squish method to Mojo::ByteStream.
- Added squish function to Mojo::Util.
- Improved documentation.
- Improved tests.
- Fixed json_has method in Test::Mojo.
- Fixed bug in Mojo::Log that prevented some message events from being
emitted.
- Fixed get command to allow ":" character in header values.
- Fixed small class_to_file bug.
- Fixed a few small namespace handling bugs.
Changelog:
FIXED Sites visited while in Private Browsing mode could be found through manual browser cache inspection (787743)
NEW Silent, background updates
NEW Support for SPDY networking protocol v3
NEW WebGL enhancements, including compressed textures for better performance
NEW Localization in Maithili (see all available locales)
CHANGED Optimized memory usage for add-ons
DEVELOPER JavaScript debugger integrated into developer tools
DEVELOPER New layout view added to Inspector
DEVELOPER High precision event timer implemented
DEVELOPER The CSS word-break property has been implemented.
DEVELOPER New responsive design tool allows web developers to switch between desktop and mobile views of sites
HTML5 Native support for the Opus audio codec added
HTML5 The <audio> and <video> elements now support the played attribute
HTML5 The <source> element now supports the media attribute
FIXED Focus rings keep growing when repeatedly tabbing through elements (720987)
Upstream changes:
1.0003 Wed Aug 29 13:44:53 PDT 2012
[BUG FIXES]
- Fix Basic authentication error in case password contains a colon #319
- Fix AccessLog middleware in platforms where %z strftime is not supported #318
- Escape $_ in Plack::Request path method due to a possible URI::Escape bug
1.0002 Mon Aug 13 17:04:25 PDT 2012
[NEW FEATURES]
- Added --no-default-middleware option to plackup #290
[BUG FIXES]
- Use C locale for AccessLog strftime #313
- Escape Plack::Request URI path using RFC 3986 definition (ssmccoy)
[IMPROVEMENTS]
- Documentation improvements (ether, Tom Heady)
- Skip displaying ".." in Plack::App::Directory #277
- Document load_class() doesn't validate user input. #285
1.0001 Thu Jul 26 16:24:13 PDT 2012
[INCOMPATIBLE CHANGES]
- Deleted lots of code, methods and warnings that have been deprecated since 0.99
(which should have been done in the 1.0000 release)
[DEVELOPERS]
- Added bootstrap script to install devel dependencies
[IMPROVEMENTS]
- Fixed version numbers in some of the modules that have their own $VERSION
1.0000 Thu Jul 19 18:59:18 PDT 2012
- This be 1.0! (Same as 0.9991)
0.9991 Thu Jul 19 17:27:52 PDT 2012
[NEW FEATURES]
- Added IIS7 fix middleware (t0m)
0.9990 Wed Jul 18 11:12:07 PDT 2012
[INCOMPATIBLE CHANGES]
- Plack::Request changes the way it parses QUERY_STRING for valueless keys such as
"?a&b=1". Now "a" becomes part of query_parameters with empty string as its value (yannk)
[IMPROVEMENTS]
- Support max-age options in Plack::Response cookies (remorse)
- Pass correct protocol from HTTP::Server::PSGI to display https URL correctly (siracusa)
- Copy Authorization header from FastCGI handler (ray1729)
- Stop special casing COOKIE environment variable in Plack::Request headers (doy)
0.9989 Thu Jun 21 13:39:11 PDT 2012
[IMPROVEMENTS]
- Support streaming in Head middleware (wreis)
- Document middleware prefixing (Jon Swartz)
- Make Basic authentication detection case insensitive per RFC (Mark Fowler)
- Added backlog option to FCGI handler (xaicron)
0.9988 Fri May 11 12:25:09 CEST 2012
[BUG FIXES]
- Fixes HTTP_HOST in HTTP::Message::PSGI #287 (doy)
0.9987 Thu May 10 07:06:32 CEST 2012
[IMPROVEMENTS]
- Support streaming in AccessLog::Timed (Peter Makholm)
- Support streaming in ErrorDocument
- Removed UTF8 hack in HTTP::Message::PSGI. Depends on URI.pm 1.59 (wreis)
- Set Host headers correctly in HTTP::Message::PSGI #177
- Added documentation on supported %-flags in AccessLog (ether)
- Skip unnecessary tests on non-developer environment
0.9986 Mon Mar 12 11:26:59 PDT 2012
[IMPROVEMENTS]
- Use I/O handles to FCGI::Request instead of global STDIN, STDOUT etc. (chansen)
- Improved FastCGI docs (osfameron)
- Cascade app now returns the last response code (aristotle)
upstream changes:
Version 3.60 Aug 15th, 2012
[BUG FIXES]
- In some cases, when unescapeHTML() hit something it didn't recognize with an ampersand
and semicolon, it would throw away the semicolon and ampersand. It now does a better job
of preserving content it doesn't recognize. Thanks to CEBJYRE@cpan.org (RT#75595)
- Remove trailing newline after <form> tag inserted by startform and start_form. It can
cause rendering problems in some cases. Thanks to SJOHNSTON@cpan.org (RT#67719)
- Workaround "Insecure Dependency" warning generated by some versions of Perl (RT#53733).
Thanks to degatcpan@ntlworld.com, klchu@lbl.gov and Anonymous Monk
[DOCUMENTATION]
- Clarify that when -status is used, the human-readable phrase should be included, per RFC 2616.
Thanks to SREZIC@cpan.org (RT#76691).
[INTERNALS]
- More tests for header(), thanks to Ryo Anazawa.
- t/url.t has been fixed on VMS. Thanks to cberry@cpan.org (RT#72380)
- MANIFEST patched so that t/multipart_init.t is included again. Thanks to shay@cpan.org (RT#76189)
Version 3.59 Dec 29th, 2011
[BUG FIXES]
- We no longer read from STDIN when the Content-Length is not set, preventing
requests with no Content-Length from freezing in some cases. This is consistent
with the CGI RFC 3875, and is also consistent with CGI::Simple. However, the old
behavior may have been expected by some command-line uses of CGI.pm.
Thanks to Philip Potter and Yanick Champoux. See RT#52469 for details:
https://rt.cpan.org/Public/Bug/Display.html?id=52469
[INTERNALS]
- remove tmpdirs more aggressively. Thanks to rjbs (RT#73288)
- use Text::ParseWords instead of ancient shellwords.pl. Thanks to AlexBio.
- remove use of define(@arr). Thanks to rjbs.
- spelling fixes. Thanks to Gregor Herrmann and Alessandro Ghedini.
- fix test count and warning in t/fast.t. Thanks to Yanick.
Changes:
* Fixes some issues in the admin area where some older browsers (IE7, in
particular) may slow down, lag, or freeze.
* Fixes an issue where a theme may not preview correctly, or its screenshot may
not be displayed.
* Fixes the use of multiple trackback URLs in a post.
* Prevents improperly sized images from being uploaded as headers from the
customizer.
* Ensures proper error messages can be shown to PHP4 installs. (WordPress
requires PHP 5.2.4 or later.)
* Fixes handling of oEmbed providers that only return XML responses.
* Addresses pagination problems with some category permalink structures.
* Adds more fields to be returned from the XML-RPC wp.getPost method.
* Avoids errors when updating automatically from very old versions of WordPress
(pre-3.0).
* Fixes problems with the visual editor when working with captions.
Additionally: Version 3.4.2 fixes a few security issues and contains some
security hardening. These issues were discovered and addressed by the WordPress
security team:
* Fix unfiltered HTML capabilities in multisite.
* Fix possible privilege escalation in the Atom Publishing Protocol endpoint.
* Allow operations on network plugins only through the network admin.
* Hardening: Simplify error messages when uploads fail.
* Hardening: Validate a parameter passed to wp_get_object_terms().
* Update Mozilla Lightning to 1.7
* Update Enigmail to 1.4.4 (functionality is not tested yet; should
be updated)
* Regen patches
Changelog:
SeaMonkey-specific changes
None.
Mozilla platform changes
Added support for SPDY networking protocol v3.
Implemented WebGL enhancements, including compressed textures for better performance.
Optimized memory usage for add-ons.
Implemented the CSS word-break property.
Implemented high precision event timer.
HTML5: Added native support for the Opus audio codec.
HTML5: Added support for the source element media attribute.
HTML5: Added support for the audio element and video element played attribute.
Fixed several stability issues.
Fixed in SeaMonkey 2.12
MFSA 2012-70 Location object security checks bypassed by chrome code
MFSA 2012-69 Incorrect site SSL certificate data display
MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html
MFSA 2012-65 Out-of-bounds read in format-number in XSLT
MFSA 2012-64 Graphite 2 memory corruption
MFSA 2012-63 SVG buffer overflow and use-after-free issues
MFSA 2012-62 WebGL use-after-free and memory corruption
MFSA 2012-61 Memory corruption with bitmap format images with negative height
MFSA 2012-59 Location object can be shadowed using Object.defineProperty
MFSA 2012-58 Use-after-free issues found using Address Sanitizer
MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
Changes with mod_fcgid 2.3.7
*) Introduce FcgidWin32PreventOrphans directive on Windows to use OS
Job Control Objects to terminate all running fcgi's when the worker
process has been abruptly terminated. PR: 51078
[Thangaraj AntonyCrouse <thangaraj gmail.com>]
*) Periodically clean out the brigades which are pulling in the request
body for handoff to the fcgid child. PR: 51749
[Dominic Benson <dominic.benson thirdlight.com>]
*) Resolve crash during graceful restarts. PR 50309
[Mario Brandt <JBlond gmail.com>]
*) Solve latency/congestion of resolving effective user file access rights
when no such info is desired, for config related filename stats.
PR: 51020 [Thangaraj AntonyCrouse <thangaraj gmail.com>, William Rowe]
*) Fix regression in 2.3.6 which broke process controls when using vhost-
specific configuration. [Jeff Trawick]
*) Account for first process in class in the spawn score. [Jeff Trawick]
Releasing libmicrohttpd 0.9.22. -CG
Adding configure option to allow selecting support for basic
and digest authentication separately (#2525). -CG
Fixing URI argument parsing when string contained keys without
equals sign (i.e. '&bar&') in the middle of the argument (#2531).
Also replacing 'strstr' with more efficient 'strchr' when
possible. -CG
Use "int" instead of "enum X" in 'va_arg' calls to be nice to
compilers that use 'short' (i.e. 8 or 16 bit) enums but pass
enums still as "int" in varargs. (See discussion on mailinglist). -CG/MV
Reduce default size in post processor buffer (for small systems;
performance impact on large systems should be minimal). -CG/MV
It is a security update, fix CVE-2012-4377 CVE-2012-4378 CVE-2012-4379
CVE-2012-4380 CVE-2012-4381 CVE-2012-4382.
Upstream changes:
Changes since 1.19.1
(bug 39700) File: link to non-existing file can inject html
(bug 39823) Hidden block text leaking to admins
(bug 39184) LDAP password leakage
(bug 39180) Disallow framing of api results
(bug 37587) Enforce language codes to be html safe
(bug 39824) Check global blocks on account creation
Fixes and Stability Enhancements since Opera 12.01
* General and User Interface
* Several general fixes and stability improvements
* Resolved an issue with Speed Dial thumbnails when automatic scaling is enabled
Security
* Fixed an issue where truncated dialogs may be used to trick users; see our advisory:
http://www.opera.com/support/kb/view/1028/
Upstream changes:
0.022 2012-06-01 23:31:40 America/New_York
[ADDED]
- Supports local_address option to set local socket interface
[Chris Nehren, David Golden]
0.021 2012-05-15 22:38:57 America/New_York
[TESTING]
- Skip live SSL testing if $ENV{http_proxy} is set
0.020 2012-05-14 15:24:37 America/New_York
[TESTING]
- Capture prerequisite versions under AUTOMATED_TESTING to help
chase down some failures from CPAN Testers
0.019 2012-05-14 07:14:00 America/New_York
[ADDED]
- Require IO::Socket::SSL 1.56 (which added SSL_hostname support) when
doing HTTPS. [Mike Doherty]
[TESTING]
- Provide better diagnostic output in t/210_live_ssl.t [Mike
Doherty]
0.018 2012-04-18 09:39:50 America/New_York
[ADDED]
- Add verify_SSL option to do more secure SSL operations, incl.
attempting to validate against a CA bundle (Mozilla::CA
recommended, but will attempt to find some OS bundles). Also
add SSL_opts, which passes through IO::Socket::SSL's SSL_*
options to control SSL verification. (GH #6, #9) [Mike Doherty]
- Response hashref includes final URL (including any redirections)
[Lukas Eklund]
0.017 2012-02-22 21:57:37 EST5EDT
[DOCUMENTATION]
- Clarified how max_size exceptions work [rt.cpan.org #75142]
- Clarify that 2XX is success for most methods (except mirror
where 304 is also success) [rt.cpan.org #75141]
Upstream changes:
1.3100 25.08.2012
[ BUG FIXES ]
* GH #816: Improve wording when failed to load engine. (Sawyer X)
* GH #817: Fix CODE reference uncloned using Clone::clone.
(David Precious, Sawyer X)
[ ENHANCEMENTS ]
* GH #755: HTTP::Headers accepted by dancer_response. (Roberto Patriarca)
[ DOCUMENTATION ]
* GH #818: Use "MyWeb::App" instead of "mywebapp" in examples. (pdl)
1.3099 11.08.2012
[ BUG FIXES ]
* GH #683: Fix uninitialized warnings. (Sawyer X)
* GH #700: Take into account the app name in route caching. (Perlover)
* GH #775: Clone variables for templates.
(Reported by Wanradt Koell, fixed by David Precious, Sawyer X)
* GH #776: get should default to get/head even if it's inside any.
(Fayland Lam)
* GH #788: Make sure ID key in sessions are clobbered. (kocoureasy)
* Fix uninitialized variables in config file path. (Sawyer X)
* GH #809: Require all necessary modules in Dancer::Config.
(John Wittkoski)
[ ENHANCEMENTS ]
* GH #799: New test function: response_redirect_location_is. (Martin Schut)
* send_file now accepts an IO::Scalar. (David Precious)
* Clean up $VERSION. (Damien Krotkine)
[ DOCUMENTATION ]
* GH #784: Synopsis fix in Dancer::Error. (Alex C)
* Document session_domain in Dancer::Config. (David Precious)
* Pod fixes in abstract session. (David Precious)
* Synopsis fix in Dancer::Test. (Stefan Hornburg <Racke>)
1.3098 28.07.2012
[ ENHANCEMENTS ]
* New keyword 'plugin_args' exported by Dancer::Plugin to provide
a consistent way with Dancer 2 to obtain arguments from a plugin
keyword. (Alberto Simões).
* Add 'execute_hook' and deprecate 'execute_hooks' for homogeneity
with Dancer 2.
* send_file will do the right thing if given an IO::Scalar object
(David Precious, prompted by Ilya Chesnokov).
[ DOCUMENTATION ]
* Fix escaping on some docs (Stefan Hornburg @racke).
* Use patches from https://bugzilla.mozilla.org/show_bug.cgi?id=753046
* Fix firefox.sh
Changelog:
NEW Preliminary native PDF support (Aurora/Beta only)
NEW Support for SPDY networking protocol v3
NEW WebGL enhancements, including compressed textures for better performance
CHANGED Optimized memory usage for add-ons
DEVELOPER JavaScript debugger integrated into developer tools
DEVELOPER New layout view added to Inspector
DEVELOPER The CSS word-break property has been implemented.
DEVELOPER High precision event timer implemented
DEVELOPER New responsive design tool allows web developers to switch between desktop and mobile views of sites
HTML5 Native support for the Opus audio codec added
HTML5 The <source> element now supports the media attribute
HTML5 The <audio> and <video> elements now support the played attribute
* recentchangesdiff: When diffurl is not set, provide inline diffs
in the recentchanges page, with visibility toggleable via javascript.
Thanks, Antoine Beaupré
* Split CFLAGS into words when building wrapper. Closes: #682237
* osm: Avoid calling urlto before generated files are registered.
Thanks, Philippe Gauthier and Antoine Beaupré
* osm: Add osm_openlayers_url configuration setting.
Thanks, Genevieve
* osm: osm_layers can be used to configure the layers displayed on the map.
Thanks, Antoine Beaupré
* comments: Remove ipv6 address specific code.
changes:
- Fix several security issues with accessibility support.
- Finishing merging NPAPI plugin support for Windows.
- Turn off the deletion UI during editing, as it caused issues with some sites.
* Introducing Django 1.4 support, dropped support for Django 1.2
* Lazy page tree loading in admin
* Toolbar isolation
* Plugin cancel button fixed
* Tests refactor
* Moving text plugins to different placeholders no longer loses inline plugins
* Minor improvements
comprehensive version control facilities.
Features
* Roll back to any point in a model's history - an unlimited undo facility!
* Recover deleted models - never lose data again!
* Admin integration for maximum usability.
* Group related changes into revisions that can be rolled back in a single
transaction.
* Automatically save a new version whenever your model changes using Django's
flexible signalling framework.
* Automate your revision management with easy-to-use middleware.
django-reversion can be easily added to your existing Django project with
an absolute minimum of code changes.
* Fix security problems.
* Build three Multi-Processing Model shared libraries,
and select default model with option
* Retire mod_cgi.so module, use mod_cgid.so; Add MESSAGE
Changelog:
Changes with Apache 2.4.3
*) SECURITY: CVE-2012-3502 (cve.mitre.org)
mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
connection closing which could lead to privacy issues due
to a response mixup. PR 53727. [Rainer Jung]
*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
*) mod_authnz_ldap: Don't try a potentially expensive nested groups
search before exhausting all AuthLDAPGroupAttribute checks on the
current group. PR 52464 [Eric Covener]
*) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
authorization provider in lua. [Stefan Fritsch]
*) core: Be less strict when checking whether Content-Type is set to
"application/x-www-form-urlencoded" when parsing POST data,
or we risk losing data with an appended charset. PR 53698
[Petter Berntsen <petterb gmail.com>]
*) httpd.conf: Added configuration directives to set a bad_DNT environment
variable based on User-Agent and to remove the DNT header field from
incoming requests when a match occurs. This currently has the effect of
removing DNT from requests by MSIE 10.0 because it deliberately violates
the current specification of DNT semantics for HTTP. [Roy T. Fielding]
*) mod_socache_shmcb: Fix bus error due to a misalignment
in some 32 bit builds, especially on Solaris Sparc.
PR 53040. [Rainer Jung]
*) mod_cache: Set content type in case we return stale content.
[Ruediger Pluem]
*) Windows: Fix SSL failures on windows with AcceptFilter https none.
PR 52476. [Jeff Trawick]
*) ab: Fix read failure when targeting SSL server. [Jeff Trawick]
*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- mod_auth_digest: shared memory file
[Jeff Trawick]
*) htpasswd: Use correct file mode for checking if file is writable.
PR 45923. [Stefan Fritsch]
*) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
<mi apache aldan algebra com>]
*) mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
*) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
client_ip to match conn_rec. [Stefan Fritsch]
*) mod_lua: Change prototype of vm_construct, to work around gcc bug which
causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]
*) mpm_event: Don't count connections in lingering close state when
calculating how many additional connections may be accepted.
[Stefan Fritsch]
*) mod_ssl: If exiting during initialization because of a fatal error,
log a message to the main error log pointing to the appropriate
virtual host error log. [Stefan Fritsch]
*) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
*) mod_proxy_balancer: Restore balancing after a failed worker has
recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]
*) mod_setenvif: Compile some global regex only once during startup.
This should save some memory, especially with .htaccess.
[Stefan Fritsch]
*) core: Add the port number to the vhost's name in the scoreboard.
[Stefan Fritsch]
*) mod_proxy: Fix ProxyPassReverse for balancer configurations.
PR 45434. [Joe Orton]
*) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
[Daniel Gruno]
*) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
[Stefan Fritsch]
*) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
implementation. [Ruediger Pluem, Joe Orton]
*) mod_proxy: Check hostname from request URI against ProxyBlock list,
not forward proxy, if ProxyRemote* is configured. [Joe Orton]
*) mod_proxy_connect: Avoid DNS lookup on hostname from request URI
if ProxyRemote* is configured. PR 43697. [Joe Orton]
*) mpm_event, mpm_worker: Remain active amidst prevalent child process
resource shortages. [Jeff Trawick]
*) Add "strict" and "warnings" pragmas to Perl scripts. [Rich Bowen]
*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
mutexes (Mutex)
[Jim Jagielski]
*) ab: Fix bind() errors. [Joe Orton]
*) mpm_event: Don't do a blocking write when starting a lingering close
from the listener thread. PR 52229. [Stefan Fritsch]
*) mod_so: If a filename without slashes is specified for LoadFile or
LoadModule and the file cannot be found in the server root directory,
try to use the standard dlopen() search path. [Stefan Fritsch]
*) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
after child process resource shortages. [Jeff Trawick]
*) mpm_prefork: Reduce spawn rate after a child process exits due to
unexpected poll or accept failure. [Jeff Trawick]
*) core: Log value of Status header line in script responses rather
than the fixed header name. [Chris Darroch]
*) mpm_ssl: Fix handling of empty response from OCSP server.
[Jim Meyering <meyering redhat.com>, Joe Orton]
*) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]
*) mod_authz_core: If an expression in "Require expr" returns denied and
references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
[Stefan Fritsch]
*) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch]
*) mod_deflate: Skip compression if compression is enabled at SSL level.
[Stefan Fritsch]
*) core: Add missing HTTP status codes registered with IANA.
[Julian Reschke <julian.reschke gmx.de>, Rainer Jung]
*) mod_ldap: Treat the "server unavailable" condition as a transient
error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]
*) core: Fix spurious "not allowed here" error returned when the Options
directive is used in .htaccess and "AllowOverride Options" (with no
specific options restricted) is configured. PR 53444. [Eric Covener]
*) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
PR 53048. [Stefan Fritsch]
*) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
PR 53104. [Greg Ames]
*) mod_ext_filter: Fix error_log spam when input filters are configured.
[Joe Orton]
*) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]
*) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
*) mod_proxy: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_info: Display all registered providers. [Stefan Fritsch]
*) mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]
*) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
unset. PR 53265. [Stefan Fritsch]
*) log_server_status: Bring Perl style forward to the present, use
standard modules, update for new format of server-status output.
PR 45424. [Richard Bowen, Dave Brondsema, and others]
*) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
[Joe Orton, André Malo]
*) core: Prevent "httpd -k restart" from killing server in presence of
config error. [Joe Orton]
*) mod_proxy_fcgi: If there is an error reading the headers from the
backend, send an error to the client. PR 52879. [Stefan Fritsch]
If selected, the existing apache-mpm-event, apache-mpm-prefork and
apache-mpm-worker options determine which will be loaded in the default
config file.
Note: if worker is in the mix, the build will simply never build mod_cgi,
regardless of which MPM is the default.
Upstream changes:
0.9507 Fri Dec 9 09:44:49 EET 2011
- patch for XSS vulnerability in HTML::Template::Pro
thanks to Shigeki Morimoto shigeki.morimoto mixi.co.jp
0.9508 Mon Dec 26 16:13:37 EET 2011
- use unicode quoting in XSS vulnerability patch (more portable)
thanks to Shigeki Morimoto shigeki.morimoto mixi.co.jp
0.9509 Tue Feb 28 21:15:28 EET 2012
- more verbose messages for tag stack underflow
== Changes
= Changes in 2.2.7 =
August 14, 2012 - version 2.2.7
* Bug fixes
* Fix arity incompatibility introduced in 2.2.6. It broke Webmock.
Thanks Andrew France for the report!
= Changes in 2.2.6 =
August 14, 2012 - version 2.2.6
* Bug fixes
* Make get_content not raise a BadResponseError for perfectly good
responses like 304 Not Modified. Thanks to Florian Hars.
* Add 'Content-Type: application/x-www-form-urlencoded' for the PUT
request that has urlencoded entity-body.
* Features
* Add HTTPClient::IncludeClient by Jonathan Rochkind, a mix-in for easily
adding a thread-safe lazily initialized class-level HTTPClient object
to your class.
* Proxy DigestAuth support. Thanks to Alexander Kotov and Florian Hars.
* Accept an array of strings (and IO-likes) as a query value
e.g. `{ x: 'a', y: [1,2,3] }` is encoded into `"x=a&y=1&y=2&y=3"`.
Thanks to Akinori MUSHA.
* Allow body for DELETE method.
* Allow :follow_redirect => true for HEAD request.
* Fill request parameters request_method, request_uri and request_query
as part of response Message::Header.
- Fixed bug (apc_bin_dump doesn't swizzle bucket arKey in HashTable)
(Laruence)
- Fixed bug #62825 (php crashed OR return PHP Fatal error when used
apc_bin_dump after apc_store) (Laruence)
- Fixed bug due to Conditional "jump or move depends on uninitialised
value(s)" in apc_op_ZEND_INCLUDE_OR_EVAL and apc_bin_dump (Laruence)
- Fixed bug #62802 (Crash when use apc_bin_dump/load) (Laruence)
- Fixed bug #62757 (php-fpm crashed when used apc_bin_dumpfile with
apc.serializer) (Laruence)
- Fixed bug #62765 (apc_bin_dumpfile report Fatal error when there is "goto"
in function) (Laruence)
- Fixed bug #61133 (segfault in tests/apc_bin_002.phpt) (Laruence)
- Fixed handling of userspace stream wrappers simulating file
inclusion/requiring (Anatoliy, Rasmus)
- Fixed bug #62699 trait aliases and precedences handling (Anatoliy)
- Added cli built-in server tests (Anatoliy)
- Fixed filter regex freeing on request shutdown (Anatoliy)
- Fixed interned strings storage freeing on module shutdown (Anatoliy)
- Fixed bug #61742 preload_path does not work due to incorrect string length
(Anatoliy)
- Fixed several memory leaks in APCIterator (Anatoliy)
- Fixed potential overflows in bin dumps (Anatoliy)