pkgsrc changes:
- Switch to use go-module.mk (per upstream)
Changes:
1.2.1
-----
- Changed
- Add `-input-shell` flag
1.2.0
-----
- New
- Added 405 Method Not Allowed to list of status codes matched by default.
- New CLI flag `-rate` to set maximum rate of requests per second.
The adjustment is dynamic.
- New CLI flag `-config` to define a configuration file with preconfigured
settings for the job.
- Ffuf now reads a default configuration file `$HOME/.ffufrc` upon startup.
Options set in this file are overwritten by the ones provided on CLI.
- Change banner logging to stderr instead of stdout.
- New CLI flag `-or` to avoid creating result files if we didn't get any.
- New CLI flag `-input-shell` to set the shell to be used by `input-cmd`
- Changed
- Pre-flight errors are now displayed also after the usage text to prevent
the need to scroll through backlog.
- Cancelling via SIGINT (Ctrl-C) is now more responsive
- Fixed issue where a thread would hang due to TCP errors
- Fixed the issue where the option -ac was overwriting existing filters.
Now auto-calibration will add them where needed.
- The `-w` flag now accepts comma delimited values in the form of
`file1:W1,file2:W2`.
- Links in the HTML report are now clickable
- Fixed panic during wordlist flag parsing in Windows systems.
* Fix sqlite3 case.
Changelog:
10.6.0:
Summary
Bugfix - Cleaning up autocapitalize="off" in files: #15399
Bugfix - Google Drive file modifications should not create duplicate files: #25826
Bugfix - Fix exit codes of security:certificates commands: #35364
Bugfix - Translate public link sharing email subject: #37321
Bugfix - Only allow http/https protocol on CORS: #38101
Bugfix - Fix problem with the market app installing an app using OpenIDConnect: #37715
Bugfix - Fix expiring a wrong share entry problem: #37729
Bugfix - Fix decoding of calendars uri: #37750
Bugfix - Add openid client secret to the sensitive values list: #37782
Bugfix - Show all shares in the "shared with you" section: #37786
Bugfix - Reshares using files:transfer-ownership cannot be transferred: #4121
Bugfix - "Passwords do not match" message was not being translated: #37826
Bugfix - Fix federated share accepting problem which occurs with some apps enabled: #37719
Bugfix - Allow federated share name up to 255 character: #36730
Bugfix - Fix application id used for sharing settings translation: #37846
Bugfix - Add metrics shared secret to the sensitive values list: #37848
Bugfix - Fix list of apps returned by OCS Provisioning API apps endpoint: #37884
Bugfix - Add very minimal empty ODF files: #37896
Bugfix - Checksums will be kept when a file is uploaded or a version is created: #37934
Bugfix - Fix invisible notification container blocking mouse events: #37941
Bugfix - Fix display of public link shares in case avatars are disabled: #37945
Bugfix - Clean the user's preferences only if they exist during user sync: #37947
Bugfix - OCS and Public WebDAV Apis should handle LoginException: #112
Bugfix - Properly exit and log during error in user sync command: #37951
Bugfix - Add a configurable number of retries on unsuccessful mountpoint move: #37956
Bugfix - Fix icon alignment when avatars are disabled: #37964
Bugfix - Fix file target in the accept share API call: #37973
Bugfix - Fix for Google Docs not syncing with error "server reported no size": #37997
Bugfix - Do not emit "share.failedpasswordcheck" events for authenticated links: #138
Bugfix - Fix request token check for ocs requests: #38019
Bugfix - Fix logging when loading an apps fails: #38037
Bugfix - Properly handle StorageNotAvailableException in share external: #38042
Bugfix - Avoid retrieving user root iteratively in share controller: #4107
Bugfix - Pick the translations from templates included from other apps: #38072
Bugfix - Override browser Accept-Language header in ajax requests: #38073
Bugfix - Prevent server error when loading invalid/corrupt translations: #37799
Bugfix - SSL check when adding a public link to your ownCloud: #4241
Bugfix - Fix translations of some strings in settings: #38119
Change - Update deepdiver/zipstreamer (1.1.1 => 2.0.0): #37159
Change - Update sabre dependencies: #37684
Change - Update google/apiclient from 2.5.0 to 2.6.0 and related dependencies: #37687
Change - Update symfony/polyfill (1.17.0 => 1.18.0): #37694
Change - Update icewind/smb from 3.2.5 to 3.2.6 in files_external: #37712
Change - Add settings checkbox to enable manual file locking: #37720
Change - Update Symfony components to 4.4.11: #37727
Change - Update league/flysystem (1.0.69 => 1.0.70): #37730
Change - Make core/signature.json and core/skeleton/ inaccessible: #37734
Change - Update google/apiclient from 2.6.0 to 2.7.0 and related dependencies: #37739
Change - Add values to the invalid uid list: #37765
Change - Update doctrine/event-manager (1.1.0 => 1.1.1): #37768
Change - Update symfony/polyfill (1.18.0 => 1.18.1): #37772
Change - Update egulias/email-validator (2.1.18 => 2.1.19): #37790
Change - Update opis/closure (3.5.5 => 3.5.6): #37804
Change - Add system config to load a different license implementation: #37827
Change - Update laminas/laminas-zendframework-bridge (1.0.4 => 1.1.0): #37843
Change - Use a debug log level if a share download is aborted: #37856
Change - Add command to troubleshoot transfer ownership runs for issues: #37950
Change - Update Symfony components to 4.4.12: #37862
Change - Update doctrine/dbal (2.10.2 => 2.10.3): #37870
Change - Update Symfony components to 4.4.13: #37876
Change - Update opis/closure (3.5.6 => 3.5.7): #37892
Change - Update egulias/email-validator (2.1.19 => 2.1.20): #37892
Change - Update phpseclib/phpseclib (2.0.28 => 2.0.29): #37893
Change - Update icewind/smb from 3.2.6 to 3.2.7 in files_external: #37894
Change - Update doctrine/dbal (2.10.3 => 2.10.4): #37904
Change - Update symfony/translation-contracts (v1.1.9 => v1.1.10): #37904
Change - Reduce the log level of locked exceptions: #37907
Change - Update google/apiclient from 2.7.0 to 2.7.1 and related dependencies: #37912
Change - Update sabre/event (5.1.0 => 5.1.1): #37921
Change - Update laminas/laminas-zendframework-bridge (1.1.0 => 1.1.1): #37921
Change - New defaults for phoenix app switcher icon and label: #37923
Change - Update pear/archive_tar (1.4.9 => 1.4.10): #37926
Change - Update egulias/email-validator (2.1.20 => 2.1.21): #37926
Change - Update egulias/email-validator (2.1.21 => 2.1.22): #37949
Change - Update Symfony components to 4.4.14: #37949
Change - DropOldTables repair job won't show a progress bar: #37953
Change - Update sabre dependencies: #37975
Change - Update Symfony components to 4.4.15: #37975
Change - Update opis/closure (3.5.7 => 3.6.0): #38004
Change - Update symfony/polyfill (1.18.1 => 1.19.0): #38032
Change - Update symfony/polyfill (1.19.0 => 1.20.0): #38033
Change - Update google/apiclient from 2.7.1 to 2.8.0 and related dependencies: #38043
Change - Update dg/composer-cleaner (v2.1 => v2.2): #38044
Change - Update Symfony components to 4.4.16: #38046
Change - Update egulias/email-validator (2.1.22 => 2.1.23): #38061
Change - Update sabre/vobject (4.3.2 => 4.3.3): #38091
Change - Update opis/closure (3.6.0 => 3.6.1): #38091
Change - Update sabre/dav (4.1.2 => 4.1.3): #38092
Change - Update egulias/email-validator (2.1.23 => 2.1.24): #38116
Change - Update pear/archive_tar (1.4.10 => 1.4.11): #38137
C on disabling encryption: #35980
Enhancement - Add support for date expiration on remote shares: #37548
Enhancement - Support pre-signed urls: #37634
Enhancement - Add capability for the favorite files feature: #37673
Enhancement - Add Support for SGI Image Previews: #37758
Enhancement - Allow getting the share list filtered by share type via API: #38000
Enhancement - GetShare API request's "subfiles" parameter allows new interactions: #38053
Enhancement - Add new method in the PHP API interface: #38054
Older changelog is too long to include here.
changes in bozohttpd 20210227:
o new support for content types: .tar.bz2, .tar.xz, .tar.lz,
.tar.zst, .tbz2, .txz, .tlz, .zipx, .xz, .zst, .sz, .lz, .lzma,
.lzo, .7z, .lzo, .cab, .dmg, .jar, and .rar. should fix
netbsd PR#56026:
MIME type of .tar.xz file on ny{cdn,ftp}.NetBSD.org is invalid
changes in bozohttpd 20210211:
o fix various NULL derefs from malformed headers. mostly from
<emily@ingalls.rocks>.
o fix memory leaks in library interface: add bozo_cleanup().
lariza is an experimental web browser and the author's personal
playground. There are no "safety guards" and no "great awesome wow
usability" crap. It's meant to be a fast browser that does just
that: Browse the web.
When started as a service, gitea logs directly to the console, in
addition to its own log files. This change redirects the standard output
to /dev/null.
Bumps PKGREVISION.
Rather than letting openssl perform default validation, curl passes in
an explicit request to... use the certificates in the default
location. In cases where SSLCERTBUNDLE is defined (because the system
uses a bundle instead of the traditional directory of trust anchors),
pass that to curl's configure.
As proposed on tech-pkg by Thomas Orgis, without objections.
Django 2.2.19 fixes a security issue in 2.2.18.
CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()
Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.
Django 3.1.7 fixes a security issue and a bug in 3.1.6.
CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()
Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.
Bugfixes
Fixed a regression in Django 3.1 that caused RuntimeError instead of connection errors when using only the 'postgres' database
3.0.3 (2020-12-28)
------------------
* Fixed a bug in Channels 3.0 where the legacy ``channels.http.AsgiHandler``
would not correctly isolate per-request scopes.
This is a security release for CVE-2020-35681. Please see the `Version 3.0.3
release notes
<https://channels.readthedocs.io/en/latest/releases/3.0.3.html>`_ for full
details.
3.0.2 (2020-11-9)
-----------------
* Fixes a bug in Channels 3.0 where ``StaticFilesWrapper`` was not updated to
the ASGI 3 single-callable interface.
* Users of the ``runworker`` command should ensure to update ``asgiref`` to
version 3.3.1 or later.
3.0.1 (2020-11-4)
-----------------
* Fixes a bug in Channels 3.0 where ``SessionMiddleware`` would not correctly
isolate per-instance scopes.
3.0.0 (2020-10-30)
------------------
Updated to ASGI v3, and added support for Django 3.0+.
This is a major version change requiring updates to consumers and middleware.
Please see the full `Version 3.0.0 release notes
<https://channels.readthedocs.io/en/latest/releases/3.0.0.html>`_ for details.
3.0.1 (2020-11-12)
* Fixed a bug where ``asyncio.CancelledError`` was not correctly handled on
Python 3.8+, resulting in incorrect protocol application cleanup.
3.0.0 (2020-10-28)
* Updates internals to use ASGI v3 throughout. ``asgiref.compatibility`` is
used for older applications.
* Consequently, the `--asgi-protocol` command-line option is removed.
* HTTP request bodies are now read, and passed to the application, in chunks.
* Added support for Python 3.9.
* Dropped support for Python 3.5.
0.17.0
Added
Add httpx.MockTransport(), allowing to mock out a transport using pre-determined responses.
Add httpx.HTTPTransport() and httpx.AsyncHTTPTransport() default transports.
Add mount API support, using httpx.Client(mounts=...).
Add chunk_size parameter to iter_raw(), iter_bytes(), iter_text().
Add keepalive_expiry parameter to httpx.Limits() configuration.
Add repr to httpx.Cookies to display available cookies.
Add support for params=<tuple> (previously only params=<list> was supported).
Fixed
Add missing raw_path to ASGI scope.
Tweak create_ssl_context defaults to use trust_env=True.
Properly URL-escape WSGI PATH_INFO.
Properly set default ports in WSGI transport.
Properly encode slashes when using base_url.
Properly map exceptions in request.aclose().
Rails 6.1.3 (February 17, 2021)
[ActionPack]
* Re-define routes when not set correctly via inheritance.
*John Hawthorn*
[ActiveRecord]
* Fix the MySQL adapter to always set the right collation and charset
to the connection session.
*Rafael Mendonça França*
* Fix MySQL adapter handling of time objects when prepared statements
are enabled.
*Rafael Mendonça França*
* Fix scoping in enum fields using conditions that would generate
an IN clause.
*Ryuta Kamizono*
* Skip optimised #exist? query when #include? is called on a relation
with a having clause
Relations that have aliased select values AND a having clause that
references an aliased select value would generate an error when
#include? was called, due to an optimisation that would generate
call #exists? on the relation instead, which effectively alters
the select values of the query (and thus removes the aliased select
values), but leaves the having clause intact. Because the having
clause is then referencing an aliased column that is no longer
present in the simplified query, an ActiveRecord::InvalidStatement
error was raised.
A sample query affected by this problem:
    Author.select('COUNT(*) as total_posts', 'authors.*')
          .joins(:posts)
          .group(:id)
          .having('total_posts > 2')
          .include?(Author.first)
This change adds an additional check to the condition that skips the
simplified #exists? query, which simply checks for the presence of
a having clause.
Fixes #41417
*Michael Smart*
* Increment postgres prepared statement counter before making a
prepared statement, so if the statement is aborted without Rails
knowledge (e.g., if app gets kill -9d during long-running query or
due to Rack::Timeout), app won't end up in perpetual crash state for
being inconsistent with Postgres.
*wbharding*, *Martin Tepper*
Changes:
5.6.2:
This maintenance release features 5 bug fixes. These bugs affect WordPress version 5.6.1.
WordPress Core changes on Trac:
- #52440: Prevent the "Leave site" browser alert in Classic Editor when post title, excerpt, or post content fields are missing.
- #52018: Avoid a fatal error in PHP 8.0 when the "zip" PHP extension is disabled.
Block editor changes from GitHub and Trac:
- #52396: Image options are not visible in pop up when the clicking replace button from Image block.
- #52449: Can't change font size the 5.6.1 paragraph block.
- GH-26583: Restore block preview within the block inserter.
5.6.1:
This maintenance release features 20 bug fixes as well as 7 issues fixed on the block editor. These bugs affect WordPress version 5.6.
WordPress Core changes on Trac:
- #51056: Fetch_feed parsing of permalinks triggers simplepie preg_match warnings
- #52327: Requested updates to the PHP Update Alert
- #51940: The schema for the taxonomy property of a term in the REST API should not include all taxonomies
- #51980: App Passwords: ‘Add New Application Password’ submit button is hidden on mobile devices in ‘User Profile’ page
- #51995: WordPress 5.6: Classic editor menu is not sticky
- #52003: Undefined index: PHP_AUTH_PW /wp-includes/user.php on line 469
- #52013: Duplicate wp_authorize_application_password_form actions
- #52030: Media metaboxes return fatal error if no author metadata present
- #52038: Issue in WooCommerce with wp_editor() after update to WP 5.6
- #52046: The Distraction Free Writing setting on the old Edit Post screen may be reset after page reload
- #52065: Media gallery: ‘Align’ and ‘Link To’ fields missing from ‘Insert from URL’
- #52066: Application Passwords are unusable in combination with password protected /wp-admin
- #52075: Word Count on Classic Editor doesn’t update in real time on Firefox unless saved
- #52097: Site Health Loopback Test doesn’t send admin cookies
- #52135: False positive on `WP_Site_Health_Auto_Updates`
- #52196: wp_get_attachment_metadata() is broken if no first argument is passed in.
- #52205: REST API: Plugins Controller single plugin route fatal errors on multisite
- #52299: Exported user data can be listed with directory listing
- #52351: missing echo function for translate method
- #52391: Gutenberg Updates for 5.6.1
Block editor changes from GitHub:
- #27970: Fix editor crash when registering a block pattern without categories
- #27733: Embed block: Add html and reusable support back
- #27727: Add aria labels to box control component inputs/button
- #27627: HTML Block: Fix editor styles
- #27526: Core Data: Normalize _fields value for use in stableKey
- #26705: Fix: Font size picker does not correctly handles big font sizes.
- #26432: Edit Site: prevent inserter overscroll
Changelog:
Version 21.0.0 February 22 2021
Changes
The biggest improvements we introduce with Nextcloud 21 are:
* High Performance Back-end for Nextcloud Files: reduces server load from
desktop clients and web interface polling by 90% while delivering instant
notifications to users.
* And a wide range of performance improvements all over on top, decreasing
loading times of pages and reducing load on the server
* Collaborative features: new Whiteboard, author colours in Text and
Document Templates to increase team productivity
* Nextcloud Talk: debuts message status indicators, a raise hand feature, a
group conversation description and more!
* A range of Groupware improvements like drag'n'drop and nicer threading in
Mail and syncing social media avatars in Contacts.
- Fixed build issue due to initial declarations only allowed in C99 mode
(e.g., CentOS7).
- Added 'Caddy' to the list of pre-defined log formats.
- Added command line option '--no-strict-status' to disable status validation.
- Added native support to parse JSON logs.
- Added the ability to process timestamps in milliseconds using '%*'.
- Ensure TUI/CSV/HTML reports are able to output 'uint64_t' data.
- Ensure we allow UI render if the rate at which data is being read is
greater than '8192' req/s.
- Ensure we don't re-render Term/HTML output if no data was read/piped.
- Fixed build configure to work on NetBSD.
- Fixed issue where it would send data via socket each second when managed
by systemd.
- Fixed issue where parser was unable to parse syslog date with padding.
- Fixed issue where some items under browsers.list were not tab separated.
- Fixed issue where the format parser was unable to properly parse logs
delimited by a pipe.
- Fixed issue where T.X. Amount metrics were not shown when data was piped.
- Fixed issue where XFF parser could swallow an additional field.
- Fixed memory leak when using '%x' as date/time specifier.
- Replaced select(2) with poll(2) as it is more efficient and a lot faster
than select(2).
- Updated Swedish i18n.
- Added the ability to set how often goaccess will parse data and output to
the HTML report via '--html-refresh=<secs>'.
- Changed how TLS is parsed so the Cipher uses a separate specifier.
It now uses '%K' for the TLS version and '%k' for the Cipher.
- Fixed issue where real-time output would double count a rotated log. This
was due to the change of inode upon rotating the log.
- Updated man page to reflect proper way of 'tail -f' a remote access log.
- Added the ability to show 'Encryption Settings' such as 'TLSv1.2' and
Cipher Suites on its own panel.
- Added the ability to show 'MIME Types' such as 'application/javascript' on
its own panel.
- Ensure the HTML report defaults to widescreen if viewport is larger than
'2560px'.
- Fixed inability to properly process multiple logs in real-time.
- Fixed issue where named PIPEs were not properly seeded upon generating
filename.
- Fixed issue where served time metrics were not shown when data was piped.
- Removed unnecessary padding from SVG charts. Improves readability on mobile.
- Added additional browsers and bots to the main list.
- Added 'Android 11' to the list of OSs.
- Added 'macOS 11.0 Big Sur' to the list of OSs.
- Added 'average' to each panel overall metrics.
- Added '.dmg', '.xz', and '.zst' to the static list.
- Added extra check to ensure restoring from disk verifies the content of the
log against previous runs.
- Added Russian translation (i18n).
- Added Ukrainian translation (i18n).
- Added support for HTTP status code '308'.
- Added the ability for 'get_home ()' to return NULL on error, instead of
terminating the process. Great if using through systemd.
- Added the ability to read lowercase predefined log formats. For instance,
'--log-format=COMBINED' or '--log-format=combined'.
- Changed how FIFOs are created and avoid using predictable filenames under
'/tmp'.
- Changed '--ignore-referer' to use whole referrer instead of referring site.
- Ensure Cache Status can be parsed without sensitivity to case.
- Ensure restored data enforces '--keep-last' if used by truncating
accordingly.
- Fixed a few memory leaks when restoring from disk.
- Fixed blank time distribution panel when using timestamps.
- Fixed build issue due to lack of 'mmap' on 'Win'/'Cygwin'/'MinGW'.
- Fixed crash in mouse enabled mode.
- Fixed double free on data restore.
- Fixed inability to keep processing a log when using '--keep-last'.
- Fixed inability to properly parse truncated logs.
- Fixed inability to properly count certain requests when restoring from
disk.
- Fixed issue where it would not parse subsequent requests coming from stdin (tail).
- Fixed issue where log truncation could prevent accurate number counting.
- Fixed issue where parsed date range was not rendered with '--date-spec'.
- Fixed issue where parser would stop regardless of a valid '--num-test' value.
- Fixed issue where restoring from disk would increment 'MAX.TS'.
- Fixed possible incremental issue when log rotation occurs.
- Fixed possible XSS when getting real-time data into the HTML report.
- Fixed potential memory leak when failing to get root node.
- Fixed real-time hits count issue for certain scenarios.
- Fixed segfault in 'Docker' due to a bad allocation when generating FIFOs.
- Fixed 'Unknown' Operating Systems with 'W3C' format.
- Removed unnecessary include from parser.c so it builds in macOS.
- Updated each panel overall UI to be more streamlined.
- Updated French translation.
- Updated German translation.
- Updated Spanish translation.
- Updated sigsegv handler.
upstream changes:
-----------------
Release notes for Grafana 7.4.3
Bug fixes
o AdHocVariables: Fixes crash when values are stored as numbers. #31382,
@hugohaggmark
o DashboardLinks: Fix an issue where the dashboard links were causing a full
page reload. #31334, @torkelo
o Elasticsearch: Fix query initialization logic & query transformation from
Prometheus/Loki. #31322, @Elfo404
o QueryEditor: Fix disabling queries in dashboards. #31336, @gabor
o Streaming: Fix an issue with the time series panel and streaming data
source when scrolling back from being out of view. #31431, @torkelo
o Table: Fix an issue regarding the fixed min and auto max values in bar
gauge cell. #31316, @torkelo
Release notes for Grafana 7.4.2
Features and enhancements
o Explore: Do not show non queryable data sources in data source picker.
#31144, @torkelo
o Snapshots: Do not allow an anonymous user to create snapshots. #31263,
@marefr
Bug fixes
o CloudWatch: Ensure empty query row errors are not passed to the panel.
#31172, @sunker
o DashboardLinks: Fix the links that always cause a full page to reload.
#31178, @torkelo
o DashboardListPanel: Fix issue with folder picker always showing All and
using old form styles. #31160, @torkelo
o IPv6: Support host address configured with enclosing square brackets.
#31226, @aknuds1
o Permissions: Fix team and role permissions on folders/dashboards not
displayed for non Grafana Admin users. #31132, @AgnesToulet
o Postgres: Fix timeGroup macro converts long intervals to invalid numbers
when TimescaleDB is enabled. #31179, @kurokochin
o Prometheus: Fix enabling of disabled queries when editing in dashboard.
#31055, @ivanahuckova
o QueryEditors: Fix an issue that happens after moving queries then editing
would update other queries. #31193, @torkelo
o SqlDataSources: Fix the Show Generated SQL button in query editors. #31236,
@torkelo
o StatPanels: Fix an issue where the palette color scheme is not cleared when
loading panel. #31126, @torkelo
o Variables: Add the default option back for the data source variable.
#31208, @hugohaggmark
o Variables: Fix missing empty elements from regex filters. #31156,
@hugohaggmark
Release notes for Grafana 7.4.1
Features and enhancements
o Influx: Make max series limit configurable and show the limiting message if
applied. #31025, @aocenas
o Make value mappings correctly interpret numeric-like strings. #30893,
@dprokop
o Variables: Adds queryparam formatting option. #30858, @hugohaggmark
Bug fixes
o Alerting: Fixes so notification channels are properly deleted. #31040,
@hugohaggmark
o BarGauge: Improvements to value sizing and table inner width calculations.
#30990, @torkelo
o DashboardLinks: Fixes crash when link has no title. #31008, @hugohaggmark
o Elasticsearch: Fix alias field value not being shown in query editor.
#30992, @Elfo404
o Elasticsearch: Fix log row context errors. #31088, @Elfo404
o Elasticsearch: Show Size setting for raw_data metric. #30980, @Elfo404
o Graph: Fixes so graph is shown for non numeric time values. #30972,
@hugohaggmark
o Logging: Ignore ‘file already closed’ error when closing file. #31119,
@aknuds1
o Plugins: Fix plugin signature validation for manifest v2 on Windows.
#31045, @wbrowne
o TextPanel: Fixes so panel title is updated when variables change. #30884,
@hugohaggmark
o Transforms: Fixes Outer join issue with duplicate field names not getting
the same unique field names as before. #31121, @torkelo
3.7.4 (2021-02-25)
Bugfixes
(SECURITY BUG) Started preventing open redirects in the aiohttp.web.normalize_path_middleware middleware. For more details, see https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg.
Thanks to Beast Glatisant for finding the first instance of this issue and Jelmer Vernooij for reporting and tracking it down in aiohttp.
Fix interpretation difference of the pure-Python and the Cython-based HTTP parsers construct a yarl.URL object for HTTP request-target.
Before this fix, the Python parser would turn the URI's absolute-path for //some-path into / while the Cython code preserved it as //some-path. Now, both do the latter.
1.8.7
Bugfix
- Decoding deflate-encoded responses now supports data which is packed in
a zlib container as it is supposed to be. The old, non-standard behaviour
is still supported.
Security Vulnerabilities fixed in Firefox ESR 78.8
#CVE-2021-23969: Content Security Policy violation report could have
contained the destination of a redirect
#CVE-2021-23968: Content Security Policy violation report could have
contained the destination of a redirect
#CVE-2021-23973: MediaError message property could have leaked
information about cross-origin resources
#CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR
78.8
Changelog:
New
* Firefox now supports simultaneously watching multiple videos in
Picture-in-Picture.
* Today, Firefox introduces Total Cookie Protection to Strict Mode. In Total
Cookie Protection, every website gets its own "cookie jar," preventing
cookies from being used to track you from site to site.
* We've improved our Print functionality with a cleaner design and better
integration with your computer's printer settings.
* For Firefox users in Canada, credit card management and auto-fill are now
enabled.
* Notable performance and stability improvements are achieved by moving
canvas drawing and WebGL drawing to the GPU process.
Fixed
* Reader mode now works with local HTML pages.
* Using screen reader quick navigation to move to editable text controls no
longer incorrectly reaches non-editable cells in some grids such as on
messenger.com.
* The Orca screen reader's mouse review feature now works correctly after
switching tabs in Firefox.
* Screen readers no longer report column headers incorrectly in tables
containing cells spanning multiple columns.
* Links in Reader View now have more color contrast.
* Various security fixes.
Changed
* On Linux and Android, the protection to mitigate the stack clash attack has
been activated.
* From Firefox 86 onward, DTLS 1.0 is no longer supported for establishing
WebRTC's PeerConnections. All WebRTC services need to support DTLS 1.2 from
now on as the minimum version.
* Consolidated all video decoding in the new RDD process which results in a
more secure Firefox.
Enterprise
* Various bug fixes and new policies have been implemented in the latest
version of Firefox. You can see more details in the Firefox for Enterprise
86 Release Notes.
Developer
* Developer Information
* CSS image-set() function in CSS is now enabled, allowing for responsive
images in CSS.
* Inactive CSS tool is now showing a warning when margin or padding is set on
internal table elements.
* Developer Tools Toolbox is now showing a number of errors on the current
page. This is a quick way to surface information to a developer that
something is wrong with their page. Clicking on the red exclamation icon
navigates the user to the Console panel.
Security fixes:
#CVE-2021-23969: Content Security Policy violation report could have contained
the destination of a redirect
#CVE-2021-23970: Multithreaded WASM triggered assertions validating separation
of script domains
#CVE-2021-23968: Content Security Policy violation report could have contained
the destination of a redirect
#CVE-2021-23974: noscript elements could have led to an HTML Sanitizer bypass
#CVE-2021-23971: A website's Referrer-Policy could have been overridden,
potentially resulting in the full URL being sent as a Referrer
#CVE-2021-23976: Local spoofing of web manifests for arbitrary pages in Firefox
for Android
#CVE-2021-23977: Malicious application could read sensitive data from Firefox
for Android's application directories
#CVE-2021-23972: HTTP Auth phishing warning was omitted when a redirect is
cached
#CVE-2021-23975: about:memory Measure function caused an incorrect pointer
operation
#CVE-2021-23973: MediaError message property could have leaked information
about cross-origin resources
#CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
#CVE-2021-23979: Memory safety bugs fixed in Firefox 86
Version 20.12.2
Dependencies
Fix uvloop to 0.14 because 0.15 drops Python 3.6 support
Remove old chardet requirement, add in hard multidict requirement
Logswan 2.1.10 (2021-02-15)
- Only call MMDB_close if the GeoIP option was enabled. This fixes a
crash on program exit on OpenBSD when running without the GeoIP
option enabled.
Changelog:
Changes
Catch NotFoundException when querying quota (server#25315)
[CalDAV] Validate notified emails (server#25324)
Fix/app fetcher php compat comparison (server#25347)
Show the actual error on share requests (server#25352)
Fix parameter provided as string not array (server#25366)
The objectid is a string (server#25374)
20.0.7 final (server#25387)
Properly handle SMB ACL blocking scanning a directory (server#25421)
Don't break completely when creating the digest fail for one user (activity#556)
Only attempt to use a secure view if hide download is actually set (files_pdfviewer#296)
Fix opening PDF files with special characters in their name (files_pdfviewer#298)
Fix PDF viewer failing on Edge (not based on Chromium) (files_pdfviewer#299)
Cannot unfold plain text notifications (notifications#846)
Remove EPUB mimetype (text#1391)
Logswan 2.1.9 (2021-02-15)
- Stop forcing FORTIFY_SOURCE=2, it should be package builders decision
- Add link to Homebrew package in the README
- Remove unused countryId variable
- Remove dead increments for argc and argv
- Rename variables to get rid of all camelCase occurrences
- Remove the measuring Logswan memory usage section from the README
- Try to harmonize usage information everywhere
- Rename the displayUsage() function to usage()
- Rename all the parse*() functions to use snake_case
- Get rid of global variables, move all declarations to main()
Subversion 1.14.1.
This is a stable bugfix and security release of the Apache Subversion
open source version control system.
THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
CVE-2020-17525
"Remote unauthenticated denial-of-service in Subversion mod_authz_svn"
The full security advisory for CVE-2020-17525 is available at:
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
A brief summary of this advisory follows:
Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile
option and a client sends a request for a non-existing repository URL.
This can lead to disruption for users of the service.
We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
of the Subversion mod_dav_svn server.
As a workaround, the use of in-repository authz rules files with
the AuthzSVNReposRelativeAccessFile can be avoided by switching
to an alternative configuration which fetches an authz rules file
from the server's filesystem, rather than from an SVN repository.
Ruby on Rails is a full-stack web framework optimized for programmer
happiness and sustainable productivity. It encourages beautiful code
by favoring convention over configuration.
This is for Ruby on Rails 6.1.
Action Cable - Integrated WebSockets for Rails
Action Cable seamlessly integrates WebSockets with the rest of your Rails
application. It allows for real-time features to be written in Ruby in the
same style and form as the rest of your Rails application, while still being
performant and scalable. It's a full-stack offering that provides both a
client-side JavaScript framework and a server-side Ruby framework. You have
access to your full domain model written with Active Record or your ORM of
choice.
This is for Ruby on Rails 6.1.
Action Pack is a framework for handling and responding to web requests. It
provides mechanisms for *routing* (mapping request URLs to actions), defining
*controllers* that implement actions, and generating responses by rendering
*views*, which are templates of various formats. In short, Action Pack
provides the view and controller layers in the MVC paradigm.
This is for Ruby on Rails 6.1.
5.2.1 (2021-02-05)
Bugfixes
* Fix TCP cork/uncork operations to work with ssl clients ([#2550])
* Require rack/common_logger explicitly if :verbose is true ([#2547])
* MiniSSL::Socket#write - use data.byteslice(wrote..-1) ([#2543])
* Set @env[CONTENT_LENGTH] value as string. ([#2549])