Add missing DEPENDS.
Upstream changes:
0.150000 2014-08-17 01:35:16CEST+0200 Europe/Amsterdam
[ DOCUMENTATION ]
* GH #657: Update multi-app example in cookbook to include route
merging. (Bas Bloemsaat)
* GH #643: Improve session factory docs by mentioning Dancer2::Config.
(Andy Jack)
[ BUG FIXES ]
* Postponed hooks are no longer sent to all Apps.
(Sawyer X, Mickey Nasriachi)
* 404 File Not Found Application reworked to stay up to date with
postponed hooks merging in multiple apps. (Russell Jenkins)
* GH #610, #662: Removed two circular references memory leaks!
(Russell Jenkins)
* GH #633: Log an error when a hook dies. (DavsX)
[ ENHANCEMENT ]
* Allow setting apps in the psgi_app() call by name or regex.
(Sawyer X)
* GH #651: silly typo in clearer method name (DavsX).
0.149000_02 2014-08-10 13:50:39CEST+0200 Europe/Amsterdam
[ ENHANCEMENT ]
* GH #641: Adding a shim layer to prevent available hooks (and
thus plugins) from breaking.
* Each App can now define its own configuration. The Runner's
application-specific configure has been untangled.
(Russell @veryrusty Jenkins, Sawyer X, Mickey Nasriachi)
* Multiple Dancer App support. You can now create an App-specific
PSGI application using MyApp->psgi_app.
(Russell @veryrusty Jenkins, Sawyer X, Mickey Nasriachi)
* Add routes and hooks to an existing app on import.
(Russell @veryrusty Jenkins, Stevan Humphrey, Stefan racke
Hornburg, Jean Stebens, Chunzi, Sawyer X, Mickey Nasriachi)
* Allow DSL class to be specified in configuration file.
(Stevan Humphrey)
* forward() now returns a new request which then just runs
the dispatching loop again. (Sawyer X, Mickey Nasriachi)
[ BUG FIXES ]
* GH #336: Set log level correctly.
(Andrew Solomon, Pedro Bruno)
* GH #627, #607: Remove potential context issues with returning
undef explicitly. (Javier Rojas)
* GH #646: Fix whitespacing for tests. (DavsX)
0.149000_01 2014-07-23 21:31:21CEST+0200 Europe/Amsterdam
*************************** NOTICE ***************************
* This is a very major upgrade *
* We untangled the context, DSL implementation a bit *
* Please check your code, including your plugins, thoroughly *
* Thank you *
[ ENHANCEMENTS ]
* GH #589: Removing Dancer2::Core::Context global context variable.
Finally in.
(Sawyer X, Mickey Nasriachi, Russell @veryrusty Jenkins)
[ BUG FIXES ]
* GH #606, #605: Fix for setting public directory.
(Ivan Kocienski, Russell Jenkins, Stefan @racke Hornburg)
* GH #618, #620: Fix jQuery link generated by CLI skeleton.
(Micha Wojciechowski)
* GH #589: Major memory leak fix by removal of Dancer2::Core::Context.
[ ENHANCEMENTS ]
* GH #620: Bump jQuery to 1.11.1. (Micha Wojciechowski)
LWP::Protocol::PSGI is a module to hijack any code that uses
LWP::UserAgent underneath such that any HTTP or HTTPS requests can be
routed to your own PSGI application.
Major changes:
General
- Featured image previews now support .bmp files
- Featured Image meta box is now hidden for contributors lacking upload
capabilities
- New supported oEmbed providers: CollegeHumor, Issuu, Mixcloud, YouTube
playlists, TED talks
- Install WordPress in your language
- Streamlined Language management right from the dashboard
Posts
- Display embed previews for audio/visual URLs in Visual editor content
box.
- Page scrolling now scrolls post content box.
- Edit Post/Page menu bar sticks to top of content box when scrolling
(Visual and Text editor).
- Color picker was re-added to the Visual editor
Media
- Add Media Grid view option (default) for Media Library
- Add "Bulk Select" button to Media Grid view to delete multiple items
- Add oEmbed support for TED talks, Mixcloud, CollegeHumor.com, Issuu
- Expand oEmbed support to include YouTube playlist URLs and Polldaddy’s
short URL format
- Remove Viddler oEmbed support
- Update SlideShare oEmbed regex
- Improved media experience on small screen sizes (embedded videos now
responsive)
- Native video and audio shortcodes now support Flash playback looping
Comments
- Comments in trash can now be marked as spam.
Plugins
- Display plugins list as grid, with thumbnails, on Add New screen.
- Add popup window with plugin details (displays info from plugin's
directory page).
- Add "Beta Testing" tab to Plugins screen for new features-as-plugins.
Accessibility
- Improved keyboard accessibility in the Add Media panel
- Improved screen-reader support for Customizer sections
- Makes links in help tabs keyboard accessible
- Improvements for screen-readers when managing widgets in the
Customizer
Install Process
- Add language select menu as first Installation screen (skipped for
localized installs)
Multisite
- mp4 file extension was added to allowed upload file types
Multiple access.log files can be processed at the same time.
Multiprocess mode can be activated using the -j N command line option.
New ExcludedMimes configuration directive to exclude from statistics a comma separated list of mime-type or using regex like text/.*.
New ExcludedMethods configuration directive to exclude from statistics a comma separated list of HTTP methods (GET,POST,CONNECT,...).
New translation available: pl_PL
Upstream changes:
5.39 2014-09-07
- Improved decamelize performance.
- Fixed bug in Mojo::Template where newline characters could get lost.
5.38 2014-09-05
- Improved routes command to use new terminology for flags.
- Fixed bug in Mojo::Util where tablify could not handle empty columns.
Upstream changes:
1.3129 2014-09-09
[BUG FIXES]
- Dzil conversion left 'dancer' script behind. (GH#1066)
[STATISTICS]
- code churn: 17 files changed, 1425 insertions(+), 1432 deletions(-)
1.3128 2014-09-09
[BUG FIXES]
- Remove test dependency for Person and Person::Child. (GH#1063)
1.3127 2014-09-08
[BUG FIXES]
- Test was using deprecated 'import_warnings'. (GH#1045, mokko)
- Fix default test names for headers and redirection test methods.
(GH#1048, odyniec)
- DANCER_SERVER_TOKENS and DANCER_SESSION_INFO are now
DANCER_NO_SERVER_TOKENS and DANCER_NO_SESSION_INFO. And working. :-)
(GH#1014, Yanick Champoux)
- 'any' wasn't understanding 'del' (only 'delete'). (GH#1044, Yanick
Champoux)
[DISTRIBUTION]
- Now using Dist::Zilla as package manager.
[DOCUMENTATION]
- Correct POD formatting for HTTP methods in introduction.pod. (GH#1047,
Lx)
[ENHANCEMENTS]
- environment configs are now merged with the global config, versus the
previous behavior that was overriding the whole config segments.
(GH#1016, Yanick Champoux)
- Dancer::Handler::Debug now accepts env variables from the command-line.
(GH#1056, Yanick Champoux)
- Accessing values abstracted as methods in Dancer::Session. (GH#1000,
John Wittkoski)
uWSGI 2.0.7
===========
Changelog [20140905]
Bugfixes
********
- fixed counters in statsd plugin (Joshua C. Forest)
- fixed caching in php plugin (Andrew Bevitt)
- fixed management of system users starting with a number
- fixed request body readline using memmove instead of memcpy (Andrew Wason)
- ignore "user" namespace in setns (still a source of problems)
- fixed Python3 rpc bytes/string mess (result: we support both)
- do not destroy the Emperor on failed mount hooks
- fixed symbol lookup error in the Mono plugin on OS X (Ventero)
- fixed fastcgi and scgi protocols error when out of buffer happens
- fixed solaris/smartos I/O management
- fixed 2 memory leaks in the rpc subsystem (Riccardo Magliocchetti)
- fixed rados plugin PUT method (Martin Mlynář)
- fixed multiple python mountpoints with multiple threads in cow mode
- stats UNIX socket is now deleted by vacuum
- fixed off-by-one corruption in cache LRU mode
- force single-cpu build in cygwin (Guido Notari)
New Features and improvements
*****************************
allow calling the spooler from every cpython context
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
At Europython 2014, Ultrabug (a uWSGI contributor and packager) asked for the possibility to spool tasks directly from a greenlet.
Done.
store_delete cache2 option
^^^^^^^^^^^^^^^^^^^^^^^^^^
Author: goir
The store_delete flag of the --cache2 option allows you to force the cache engine to automatically remove an invalid
backing store file.
file logger rotation
^^^^^^^^^^^^^^^^^^^^
Author: Riccardo Magliocchetti
The `file` logger has been extended to allow the use of rotation (the same system used by the non-pluggable --logto):
0324e5965c
vassals plugin hooks
^^^^^^^^^^^^^^^^^^^^
The plugin has been extended with two new hooks: vassal and vassal_before_exec.
Both allow you to customize a vassal soon after its process has been generated.
The first third-party plugin using it is the 'apparmor' one:
https://github.com/unbit/uwsgi-apparmor
allowing you to apply an apparmor profile to a vassal
Broodlord improvements
^^^^^^^^^^^^^^^^^^^^^^
The broodlord subsystem has been improved with a new option: --vassal-sos that automatically asks for reinforcement when all of the workers of an instance are busy.
In addition to this a sysadmin can now manually ask for reinforcement by sending the 'B' command to the master fifo of an instance.
*) SECURITY: CVE-2014-0117 (cve.mitre.org)
mod_proxy: Fix crash in Connection header handling which
allowed a denial of service attack against a reverse proxy
with a threaded MPM.
*) SECURITY: CVE-2014-3523 (cve.mitre.org)
Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
installations). Workaround: AcceptFilter <protocol> {none|connect}
*) SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow.
*) SECURITY: CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to avoid
denial of service via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst.
*) SECURITY: CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077).
*) mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer").
*) mod_proxy_ajp: Forward local IP address as a custom request attribute
like we already do for the remote port.
*) core: Include any error notes set by modules in the canned error
response for 403 errors.
*) mod_ssl: Set an error note for requests rejected due to
SSLStrictSNIVHostCheck.
*) mod_ssl: Fix issue with redirects to error documents when handling
SNI errors.
*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys.
*) mod_dav: Fix improper encoding in PROPFIND responses.
*) WinNT MPM: Improve error handling for termination events in child.
*) mod_proxy: When ping/pong is configured for a worker, don't send or
forward "100 Continue" (interim) response to the client if it does
not expect one.
*) mod_ldap: Be more conservative with the last-used time for
LDAPConnectionPoolTTL.
*) mod_ldap: LDAP connections used for authn were not respecting
LDAPConnectionPoolTTL.
*) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
*) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
or occasional missed mod_status updates under load.
*) mod_authnz_ldap: Support primitive LDAP servers that do not accept
filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
filter "none" to be specified in AuthLDAPURL.
*) mod_deflate: Fix inflation of files larger than 4GB.
*) mod_deflate: Handle Zlib header and validation bytes received in multiple
chunks.
*) mod_proxy: Allow reverse-proxy to be set via explicit handler.
*) ab: support custom HTTP method with -m argument.
*) mod_proxy_balancer: Correctly encode user provided data in management
interface.
*) mod_proxy_fcgi: Support iobuffersize parameter.
*) mod_auth_form: Add a debug message when the fields on a form are not
recognised.
*) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
response.
*) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
scheme.
*) mod_socache_shmcb: Correct counting of expirations for status display.
Expirations happening during retrieval were not counted.
*) mod_cache: Retry unconditional request with the full URL (including the
query-string) when the origin server's 304 response does not match the
conditions used to revalidate the stale entry.
*) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
variables as a result of AliasMatch.
*) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
*) mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme():
Support default SCGI port (4000).
*) mod_cache: Fix AH00784 errors on Windows when the CacheLock directive
is enabled.
*) mod_expires: don't add Expires header to error responses (4xx/5xx),
be they generated or forwarded.
*) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
(regression in 2.4.9 release)
*) mod_authn_socache: Fix crash at startup in certain configurations.
*) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
programs to the form used in releases up to 2.4.7, and emulate
a backwards-compatible behavior for existing setups.
*) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
OCSP requests should use a nonce to be checked against the responder's
one.
*) mod_ssl: "SSLEngine off" will now override a Listen-based default
and does disable mod_ssl for the vhost.
*) mod_lua: Enforce the max post size allowed via r:parsebody()
*) mod_lua: Use binary comparison to find boundaries for multipart
objects, as to not terminate our search prematurely when hitting
a NULL byte.
*) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
versions before 0.9.8h and not specifying an SSLCertificateChainFile
(regression introduced with 2.4.8).
*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts,
and limit startup warnings to cases where an OpenSSL version
without TLS extension support is used.
*) mod_proxy_html: Avoid some possible memory access violation in case of
specially crafted files, when the ProxyHTMLMeta directive is turned on.
*) mod_auth_form: Make sure the optional functions are loaded even when
the AuthFormProvider isn't specified.
*) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
(and logging garbled file names).
*) mod_ssl: fix merging of global and vhost-level settings with the
SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
directives.
*) mod_headers: Allow the "value" parameter of Header and RequestHeader to
contain an ap_expr expression if prefixed with "expr=".
*) rotatelogs: Avoid creation of zombie processes when -p is used on
Unix platforms.
*) mod_authnz_fcgi: New module to enable FastCGI authorizer
applications to authenticate and/or authorize clients.
*) mod_proxy: Do not try to parse the regular expressions passed by
ProxyPassMatch as URL as they do not follow their syntax.
*) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
under the Event MPM.
*) mod_proxy_fcgi: Fix sending of response without some HTTP headers
that might be set by filters.
*) mod_proxy_html: Do not delete the wrong data from HTML code when a
"http-equiv" meta tag specifies a Content-Type behind any other
"http-equiv" meta tag.
*) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
differs.
*) Add suspend_connection and resume_connection hooks to notify modules
when the thread/connection relationship changes. (Should be implemented
for any third-party async MPMs.)
*) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
hangups from websockets origin servers.
*) mod_proxy_wstunnel: Don't pool backend websockets connections,
because we need to handshake every time.
*) mod_lua: Redesign how request record table access behaves,
in order to utilize the request record from within these tables.
*) mod_lua: Add r:wspeek for peeking at WebSocket frames.
*) mod_lua: Log an error when the initial parsing of a Lua file fails.
*) mod_lua: Reformat and escape script error output.
*) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
from causing response splitting.
*) mod_lua: Disallow newlines in table values inside the request_rec,
to prevent HTTP Response Splitting via tainted headers.
*) mod_lua: Remove the non-working early/late arguments for
LuaHookCheckUserID.
*) mod_lua: Change IVM storage to use shm
*) mod_lua: More verbose error logging when a handler function cannot be
found.
Changes to GoAccess 0.8.4 - Monday, September 08, 2014
* Added ability to handle nginx non-standard status code 444 as 404.
`--444-as-404`
* Added and updated operating systems, and browsers.
* Added excluded IP hits count to the general statistics panel on all reports.
* Added HTTP nonstandard code '444' to the status code list.
* Added the ability to count client errors (4xx) to the unique visitors count.
Now by default it omits client errors (4xx) from being added to the unique
visitors count as they are probably not welcomed visitors. 4xx errors are
always counted in panels other than visitors, OS & browsers.
`--4xx-to-unique-count`
* Removed request status field restriction. This allows parsing logs that contain
only a valid date, IPv4/6 and host.
* Fixed issue when excluding IPv4/v6 ranges.
* Fixed compile error due to missing include <sys/types.h> for type off_t
(gcc 4.1).
Changes to GoAccess 0.8.3 - Monday, July 28, 2014
* Fixed SEGFAULT when parsing a CLF log format and using --ignore-crawlers.
* Fixed parsing conflict between some Opera browsers and Chrome.
* Fixed parsing of several feed readers that are Firefox/Safari-based.
* Fixed Steam detection.
* Added Huawei to the browser's list and removed it from the OS's list.
Changes to GoAccess 0.8.2 - Monday, July 20, 2014
* Added ability to parse dates containing whitespaces in between,
e.g., Jul 15 20:13:59 (syslog format).
* Added a variety of browsers, game systems, feed readers, and podcasts.
* Added a '-V --version' command line option.
* Added missing up/down arrows to the help section.
* Added the ability to ignore crawlers using the '--ignore-crawlers' option.
* Added the ability to ignore multiple IPv4/v6 and IP ranges.
* Added the PATCH method according to RFC 5789.
* Fixed GeoLocation percent issue for the JSON, CSV and HTML outputs.
* Fixed memory leak when excluding one or multiple IPs.
Changes to GoAccess 0.8.1 - Monday, June 16, 2014
* Added ability to add/remove static files by extension through the config
file.
* Added ability to print backtrace on segmentation fault.
* Escaped JSON strings correctly according to [RFC4627].
* Fixed encoding issue when extracting keyphrases for some HTTP referers.
* Fixed issue where HTML bar graphs were not shown due to numeric locale.
* Fixed issue with URIs containing "\r?\n" thus breaking the corresponding
output.
* Make sure request string is URL decoded on all outputs.
* v2.04
Minor documentation fixes and explanation of the proposed split into
legacy/trunk branches. No code changes from 2.03_02.
* v2.03_02
The uploads have had a minor change which may solve the windows size
difference failures. More diagnostics were added to the failures if it
does not.
* v2.03_01
The test multi-part upload data in the test suite has been fixed to have
the correct (CRLF) line terminators. These tests should now pass for
Microsoft users.
The documentation has been amended to reflect the change of maintainer.
* v2.03 - May 25, 2014
Maintainer change: Pete Houston has taken over maintenance from Smylers.
A test suite has been created.
BUG FIX: Cleared up some uninitialised value warnings emitted when query
strings are missing an entire key-value pair eg: "&foo=bar" (issue
38448).
BUG FIX: If the user calls parse_form_data as a class method without a
query string, the method now gives up early and silently
(issue 6180).
BUG FIX: In form-data uploads, the boundary string was not properly
escaped and therefore would not match when it contained
metacharacters (issue 29053).
BUG FIX: The content type for url-encoded forms now matches on the MIME
type only, so additional charset fields are allowed (issues 16236,
34827 and 41666).
BUG FIX: Leading/trailing whitespace is now stripped from cookie names
and values.
BUG FIX: Cookies now no longer need to be separated by whitespace.
Commas can now be used as separators too. (issue 32329).
BUG FIX: The semicolon is now a permitted delimiter in the query string
along with the ampersand (issue 8212).
Version 0.77 -- 2014-08-05
o re-release to remove build artifacts that should not have been shipped
Version 0.76 -- 2014-08-05
o On Android, set TMPDIR before calling configure (RT#97680, Brian Fraser)
Version 0.75 -- 2014-07-17
o deprecated APIs removed (chansen)
o broken PP implementation removed (chansen)
o retooled distribution so FCGI.pm and FCGI.xs exist as-is, rather than
being generated by FCGI.PL and FCGI.XL (chansen)
Upstream changes:
RELEASE 0.12
New SimpleTemplate parser implementation
* Support for multi-line code blocks (<% ... %>).
* The keywords include and rebase are functions now and can accept variable template names.
The new BaseRequest.route() property returns the Route that originally matched the request.
Removed the BaseRequest.MAX_PARAMS limit. The hash collision bug in CPython's dict() implementation was fixed over a year ago. If you are still using Python 2.5 in production, consider upgrading or at least make sure that you get security fixes from your distributor.
New ConfigDict API (see Configuration (DRAFT))
This module generates tokens to help protect against a website attack
known as Cross-Site Request Forgery (CSRF, also known as XSRF). CSRF
is an attack where an attacker fools a browser into making a request to
a web server for which that browser will automatically include some
form of credentials (cookies, cached HTTP Basic authentication, etc.),
thus abusing the web server's trust in the user for malicious use.
The most common CSRF mitigation is sending a special, hard-to-guess
token with every request, and then require that any request that is
not idempotent (i.e., has side effects) must be accompanied with such
a token. This mitigation depends critically on the fact that while an
attacker can easily make the victim's browser make a request, the
browser security model (same-origin policy, or SOP for short) prevents
third-party sites from reading the results of that request.
Upstream changes:
5.37 2014-09-03
- Improved Mojo::Template performance slightly.
- Fixed .ep template bug where the stash value "c" could no longer be used.
5.36 2014-09-02
- Improved Mojo::Template performance.
5.35 2014-08-30
- Improved monkey_patch to be able to name generated functions.
5.34 2014-08-29
- Added original_remote_address attribute to Mojo::Transaction.
- Fixed bug where Mojolicious::Commands would change @ARGV when loaded.
=================
WebKitGTK+ 2.4.5
=================
What's new in WebKitGTK+ 2.4.5?
- Do not freeze the UI process while scanning plugins if there's a
GTK+ 3 plugin installed.
- Fix a crash when drag and drop to a WebKitWebView.
- Fix a crash when navigating away from a web page containing an ogg
video.
- Fix slow motion rendering problem in GStreamer media backend due
to integer rounding.
- Make sure the plugins cache is always used even if the cache
directory doesn’t exist.
- Fix toggle buttons rendering with recent GTK+ versions.
- Do not use GtkWindow:resize-grip-visible with recent GTK+
versions.
- Add support for little-endian PowerPC64.
Version 3.3.5 (2014-08-27)
--------------------------
### Fixed
Do not output an empty `label` tag (see #7249).
### Fixed
Allow floating point numbers in "number" input fields (see #7257).
### Fixed
Do not adjust the start time of past events (see #7121).
### Fixed
Reset the image margins if it exceeds the maximum image size (see #7245).
### Fixed
Reset `$blnPreventSaving` when a model is cloned (see #7243).
### Fixed
Do not reload after storing `CURRENT_ID` in the session (see #7240).
### Fixed
Correctly validate the page number of the versions menu (see #7235).
### Fixed
Handle underscores in the Google+ vanity name (see #7241).
### Fixed
Correctly handle the `rem` unit when importing style sheets (see #7220).
### Fixed
Fix two issues with the extension repository theme.
Version 3.2.14 (2014-08-27)
---------------------------
### Fixed
Allow floating point numbers in "number" input fields (see #7257).
### Fixed
Do not adjust the start time of past events (see #7121).
### Fixed
Reset the image margins if it exceeds the maximum image size (see #7245).
### Fixed
Reset `$blnPreventSaving` when a model is cloned (see #7243).
### Fixed
Do not reload after storing `CURRENT_ID` in the session (see #7240).
### Fixed
Correctly validate the page number of the versions menu (see #7235).
### Fixed
Handle underscores in the Google+ vanity name (see #7241).
### Fixed
Correctly handle the `rem` unit when importing style sheets (see #7220).
### Fixed
Fix two issues with the extension repository theme.
kerberos_ldap_group: Fix 'error during setup of Kerberos credential cache'
Ignore Range headers with unidentifiable byte-range values
Use v3 for fake certificate if we add _any_ certificate extension.
Fix regression in rev.13156
Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formatting codes
Enable compile-time override for MAXTCPLISTENPORTS
ntlm_sspi_auth: fix various build errors
negotiate_wrapper: vfork is not portable
Windows: fix iphlpapi.h include case-sensitivity
Windows: correct libsspwin32 API for SSP_LogonUser()
negotiate_sspi_auth: Portability fixes for MinGW
ext_lm_group_acl: portability fixes for MinGW
SourceFormat Enforcement
Bug 4080: worker hangs when client identd is not responding
Bug 3966: Add KeyEncipherment when ssl-bump substitutes RSA for EC.
Reduce cache_effective_user was leaking $HOME memory
Upstream changes:
5.33 2014-08-24
- Improved Mojo::Date to be able to handle higher precision times.
- Improved Mojo::ByteStream performance.
5.32 2014-08-21
- Added to_datetime method to Mojo::Date.
- Improved Mojo::Date to support RFC 3339.
5.31 2014-08-19
- Improved Mojolicious::Static to allow custom content types.
- Improved url_for performance.
5.30 2014-08-17
- Improved Mojolicious::Static to only handle GET and HEAD requests.
- Improved Mojo::URL performance.
- Improved url_for performance slightly.
- Fixed bug where DATA sections sometimes got corrupted after forking, which
caused applications to fail randomly.
- Fixed Mojo::IOLoop::Client to use a timeout for every connection.
5.29 2014-08-16
- Added helpers method to Mojolicious::Controller.
- Improved performance of .ep templates slightly.
- Fixed "0" value bug in Mojolicious::Plugin::EPRenderer.
We had 2 previously undetected regressions in 3.0.4. These are now fixed.
One small new feature also snuck into this release: apphooks and plugin registration now work as decorators.
If you are running 3.0.4 please upgrade.
- reversion.register() can now be used as a class decorator
- Danish translation
- Improvements to Travis CI integration
- Simplified Chinese translation
- Minor bugfixes and documentation improvement
Security fixes:
* Issue: reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
* Issue: file upload denial of service (CVE-2014-0481)
* Issue: RemoteUserMiddleware session hijacking (CVE-2014-0482)
* Issue: data leakage via querystring manipulation in admin (CVE-2014-0483)
kamelderouiche.
WebOb provides wrappers around the WSGI request environment, and an
object to help create WSGI responses.
The objects map much of the specified behavior of HTTP, including
header parsing and accessors for other standard parts of the
environment
WebDriver is a tool for writing automated tests of websites. It aims to mimic
the behaviour of a real user, and as such interacts with the HTML of the
application.
* Add google back to openid selector. Apparently this has gotten a stay
of execution until April 2015. (It may continue to work until 2017.)
* highlight: Add compatibility with highlight 3.18, while still supporting
3.9+. Closes: #757679
Thanks, David Bremner
* highlight: Add support for multiple language definition directories
Closes: #757680
Thanks, David Bremner
pkgsrc changes:
* Add ikiwiki-highlight option that pulls in textproc/p5-highlight,
for syntax highlighting code blocks (or entire source files).
The build will now fall back to pure-python mode if the C
extension fails to build for any reason (previously it would
fall back for some errors but not others).
IOLoop.call_at and IOLoop.call_later now always return a timeout
handle for use with IOLoop.remove_timeout.
If any callback of a PeriodicCallback or IOStream returns a
Future, any error raised in that future will now be logged
(similar to the behavior of IOLoop.add_callback).
Fixed an exception in client-side websocket connections when
the connection is closed.
simple_httpclient once again correctly handles 204 status codes with no content-length header.
Fixed a regression in simple_httpclient that would result in
timeouts for certain kinds of errors.
Changes:
* Fixes a possible denial of service issue in PHP’s XML processing, reported by
Nir Goldshlager of the Salesforce.com Product Security Team. Fixed by Michael
Adams and Andrew Nacin of the WordPress security team and David Rothstein of
the Drupal security team.
* Fixes a possible but unlikely code execution when processing widgets
(WordPress is not affected by default), discovered by Alex Concha of the
WordPress security team.
* Prevents information disclosure via XML entity attacks in the external GetID3
library, reported by Ivan Novikov of ONSec.
* Adds protections against brute attacks against CSRF tokens, reported by David
Tomaschik of the Google Security Team.
* Contains some additional security hardening, like preventing cross-site
scripting that could be triggered only by administrators.
Changes with nginx 1.7.4 05 Aug 2014
*) Security: pipelined commands were not discarded after STARTTLS
command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
Thanks to Chris Boulton.
*) Change: URI escaping now uses uppercase hexadecimal digits.
Thanks to Piotr Sikora.
*) Feature: now nginx can be built with BoringSSL and LibreSSL.
Thanks to Piotr Sikora.
*) Bugfix: requests might hang if resolver was used and a DNS server
returned a malformed response; the bug had appeared in 1.5.8.
*) Bugfix: in the ngx_http_spdy_module.
Thanks to Piotr Sikora.
*) Bugfix: the $uri variable might contain garbage when returning errors
with code 400.
Thanks to Sergey Bobrov.
*) Bugfix: in error handling in the "proxy_store" directive and the
ngx_http_dav_module.
Thanks to Feng Gu.
*) Bugfix: a segmentation fault might occur if logging of errors to
syslog was used; the bug had appeared in 1.7.1.
*) Bugfix: the $geoip_latitude, $geoip_longitude, $geoip_dma_code, and
$geoip_area_code variables might not work.
Thanks to Yichun Zhang.
*) Bugfix: in memory allocation error handling.
Thanks to Tatsuhiko Kubo and Piotr Sikora.
Changes with nginx 1.7.3 08 Jul 2014
*) Feature: weak entity tags are now preserved on response
modifications, and strong ones are changed to weak.
*) Feature: cache revalidation now uses If-None-Match header if
possible.
*) Feature: the "ssl_password_file" directive.
*) Bugfix: the If-None-Match request header line was ignored if there
was no Last-Modified header in a response returned from cache.
*) Bugfix: "peer closed connection in SSL handshake" messages were
logged at "info" level instead of "error" while connecting to
backends.
*) Bugfix: in the ngx_http_dav_module module in nginx/Windows.
*) Bugfix: SPDY connections might be closed prematurely if caching was
used.
Changes with nginx 1.7.2 17 Jun 2014
*) Feature: the "hash" directive inside the "upstream" block.
*) Feature: defragmentation of free shared memory blocks.
Thanks to Wandenberg Peixoto and Yichun Zhang.
*) Bugfix: a segmentation fault might occur in a worker process if the
default value of the "access_log" directive was used; the bug had
appeared in 1.7.0.
Thanks to Piotr Sikora.
*) Bugfix: trailing slash was mistakenly removed from the last parameter
of the "try_files" directive.
*) Bugfix: nginx could not be built on OS X in some cases.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.7.1 27 May 2014
*) Feature: the "$upstream_cookie_..." variables.
*) Feature: the $ssl_client_fingerprint variable.
*) Feature: the "error_log" and "access_log" directives now support
logging to syslog.
*) Feature: the mail proxy now logs client port on connect.
*) Bugfix: memory leak if the "ssl_stapling" directive was used.
Thanks to Filipe da Silva.
*) Bugfix: the "alias" directive used inside a location given by a
regular expression worked incorrectly if the "if" or "limit_except"
directives were used.
*) Bugfix: the "charset" directive did not set a charset to encoded
backend responses.
*) Bugfix: a "proxy_pass" directive without URI part might use original
request after the $args variable was set.
Thanks to Yichun Zhang.
*) Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug
had appeared in 1.5.6.
Thanks to Svyatoslav Nikolsky.
*) Bugfix: if sub_filter and SSI were used together, then responses
might be transferred incorrectly.
*) Bugfix: nginx could not be built with the --with-file-aio option on
Linux/aarch64.
Changes with nginx 1.7.0 24 Apr 2014
*) Feature: backend SSL certificate verification.
*) Feature: support for SNI while working with SSL backends.
*) Feature: the $ssl_server_name variable.
*) Feature: the "if" parameter of the "access_log" directive.
Changes with nginx 1.5.13 08 Apr 2014
*) Change: improved hash table handling; the default values of the
"variables_hash_max_size" and "types_hash_bucket_size" were changed
to 1024 and 64 respectively.
*) Feature: the ngx_http_mp4_module now supports the "end" argument.
*) Feature: byte ranges support in the ngx_http_mp4_module and while
saving responses to cache.
*) Bugfix: alerts "ngx_slab_alloc() failed: no memory" no longer logged
when using shared memory in the "ssl_session_cache" directive and in
the ngx_http_limit_req_module.
*) Bugfix: the "underscores_in_headers" directive did not allow
underscore as a first character of a header.
Thanks to Piotr Sikora.
*) Bugfix: cache manager might hog CPU on exit in nginx/Windows.
*) Bugfix: nginx/Windows terminated abnormally if the
"ssl_session_cache" directive was used with the "shared" parameter.
*) Bugfix: in the ngx_http_spdy_module.
Update DEPENDS
Upstream changes:
2014-07-24 Release 6.08
Mike Schilli (1):
Requiring Net::HTTP 6.07 to fix IPv6 support
(RT#75618 and https://github.com/libwww-perl/net-http/pull/10)
Jason A Fesler (2):
When the hostname is an IPv6 literal, encapsulate it with [brackets]
before calling Net::HTTP [rt.cpan.org #29468]
Extra steps to make sure that the host address that has a ":" contains
only characters appropriate for an IPv6 address.
John Wittkoski (1):
Fix doc typo for cookie_jar
_______________________________________________________________________________
2014-07-01 Release 6.07
Mike Schilli (5):
Removed Data::Dump references in test suite and dependency in Makefile.PL
Added MANIFEST.SKIP to enable "make manifest".
release script now checks for MacOS to avoid incompatible tarballs
Bumped version number to 6.07
Fixed gnu-incompatible tarball problem ([rt.cpan.org #94844])
Upstream changes:
2014-07-23 Net-HTTP 6.07
Jason Fesler (1):
Opportunistically use IO::Socket::IP or IO::Socket::INET6.
Properly parse IPv6 literal addresses with optional port numbers. [RT#75618]
Upstream changes:
0.13 2014-08-09T22:48:53Z
- Added URI::postgresxc and URI::pgxc, which simply inherit from
URI::pg.
- Added URI::ldapdb, which represents LDAP databases. Patch from Brian
T. Wightman.
Upstream changes:
0.10 2014-06-23
- CPAN Testers looking good after previous developer release.
- Added github repo to pod
0.09_01 2014-06-13
- If you've got caching enabled, and get a 304 response (Not Modified)
with content (from the cache), then is_success() returns true.
Suggested in RT#75665
- Caching now done under the original url rather than the sanitised
version of it. Bug report and patch from Mario Domgoergen RT#39820
- Switched to Dist::Zilla
- Reformatted Changes as per CPAN::Changes::Spec
Upstream changes:
20140709 Wed Jul 9 16:28:37 PDT 2014
New Features
* The "git" scheme is supported. (Schwern)
* svn, ssh and svn+ssh schemes are supported. [rt.cpan.org 57490] (Schwern)
* Added a --schemeless option to urifind. (Schwern)
Bug Fixes
* http:// is no longer matched [rt.cpan.org 63283] (Schwern)
Backwards Incompatibilities
* Previously, URIs stringified to their canonical version. Now
they stringify as written. This results in less loss of
information. For example, "Blah HTTP:://FOO.COM" previously
would stringify as "http://foo.com/" and now it will stringify
as "HTTP://FOO.COM". To restore the old behavior you can call
$uri->canonical. (Schwern)
Distribution Changes
* No longer using URI::URL. (Schwern)
* Now requires URI 1.60 for Unicode support. (Schwern)
20140702 Wed Jul 2 13:41:47 PDT 2014
New Features
* IDNA (aka Unicode) domains are now supported. [github 3] (GwenDragon)
* The list of TLDs for schemeless matching has been updated. [github 3] (GwenDragon)
Bug Fixes
* Handle balanced [], {} and quotes in addition to (). [rt.cpan.org 85053] (Schwern)
* Don't mangle IPv6 URLs. [rt.cpan.org 85053] (Schwern)
* Schemeless is more accurate about two letter TLDs. [github 3] (GwenDragon)
Distribution Changes
* Switched the issue tracker to Github. (Schwern)
Upstream changes:
2014-07-13 Karen Etheridge <ether@cpan.org>
Release 1.64
Eric Brine:
- better fix for RT#96941, that also works around utf8 bugs on older perls
2014-07-13 Karen Etheridge <ether@cpan.org>
Release 1.63
Karen Etheridge:
- mark utf8-related test failures on older perls caused by recent string
parsing changes as TODO (RT#97177, RT#96941)
2014-07-12 Karen Etheridge <ether@cpan.org>
Release 1.62
Karen Etheridge (2):
- use strict and warnings in all modules, tests and scripts
- remove all remaining uses of "use vars"
Eric Brine:
- fixed new "\C is deprecated in regex" warning in 5.21.2 (RT#96941)
2014-07-01 Karen Etheridge <ether@cpan.org>
Release 1.61
David Schmidt:
Fix test failure if local hostname is 'foo' [RT#75519]
Gisle Aas (2):
New 'has_recognized_scheme' interface [RT#71204]
Interfaces that return a single value now return undef rather than an
empty list in list context
Slaven Rezic:
Fix bad regex when parsing hostnames
Piotr Roszatycki:
Preferentially use $ENV{TMPDIR} for temporary test files over /tmp
(fixes tests on Android)
Upstream changes:
5.28 2014-08-13
- Improved performance of nested helpers and helpers in templates
significantly.
- Improved Mojo::JSON to generate smaller JSON by not escaping the "/"
character.
5.27 2014-08-11
- Added support for nested helpers.
- Added get_helper method to Mojolicious::Renderer.
- Added n function to ojo.
- Fixed bug in Mojolicious::Routes::Match where placeholder values got
merged too early.
pkgsrc changes:
---------------
- Cleanups
Upstream changes:
-----------------
Complete changelog in share/doc/py-gunicorn/2014-news.rst.
19.1
====
Bugfix release.
19.0
====
Gunicorn 19.0 is a major release with new features and fixes. This
version improves a lot the usage of Gunicorn with python 3 by adding two
new workers to it: `gthread` a fully threaded async worker using futures
and `gaiohttp` a worker using asyncio.
Breaking Changes
~~~~~~~~~~~~~~~~
Switch QUIT and TERM signals
++++++++++++++++++++++++++++
With this change, when gunicorn receives a QUIT all the workers are
killed immediately and exit and TERM is used for the graceful shutdown.
Note: the old behaviour was based on the NGINX but the new one is more
correct according to the following doc:
https://www.gnu.org/software/libc/manual/html_node/Termination-Signals.html
also it is complying with the way the signals are sent by heroku:
https://devcenter.heroku.com/articles/python-faq#what-constraints-exist-when-developing-applications-on-heroku
Deprecations
+++++++++++++
`run_gunicorn`, `gunicorn_django` and `gunicorn_paster` are now
completely deprecated and will be removed in the next release. Use the
`gunicorn` command instead.
Upstream changes:
5.26 2014-08-09
- Improved WebSocket performance.
- Fixed proxy exception handling bug in Mojo::UserAgent.
- Fixed bug where Mojo::Transaction::WebSocket would build incorrect frames
if the FIN bit was not set.
5.25 2014-08-07
- Added reduce method to Mojo::Collection. (sri, batman)
- Added if_none_match method to Mojo::Headers.
- Added is_fresh method to Mojolicious::Static.
- Added is_fresh helper to Mojolicious::Plugin::DefaultHelpers.
- Improved Mojolicious to use MyApp::Controller namespace by default and
encourage its use in the documentation.
- Improved sort method in Mojo::Collection to use $a and $b. (batman)
- Improved Mojolicious::Static to support ETag and If-None-Match headers.
- Improved documentation browser CSS.
- Fixed escaping bugs in Mojo::DOM::CSS.
Drupal 7.31, 2014-08-06
----------------------
- Fixed security issues (denial of service). See SA-CORE-2014-004.
Drupal 7.30, 2014-07-24
-----------------------
- Fixed a regression introduced in Drupal 7.29 that caused files or images
attached to taxonomy terms to be deleted when the taxonomy term was edited
and resaved (and other related bugs with contributed and custom modules).
- Added a warning on the permissions page to recommend restricting access to
the "View site reports" permission to trusted administrators. See
DRUPAL-PSA-2014-002.
- Numerous API documentation improvements.
- Additional automated test coverage.
Changelog [20140701]
Bugfixes
fixed a memory leak with subscription system
fixed shortcut for ssl-socket
fixed apache2 mod_proxy_uwsgi (it is now considered stable with all mpm engines)
fixed SCRIPT_NAME and PATH_TRANSLATED generation in php plugin
remove the old FIFO socket from the event queue when recreating it
New features
The new Rados plugins
The rados plugin has been improved and stabilized, and now it is considered usable in production.
Async modes and multithreading correctly works, and support for uploading objects (via PUT) and creating new pools (MKCOL) has been added.
Expect webdav support in uWSGI 2.1
Docs have been updated: http://uwsgi-docs.readthedocs.org/en/latest/Rados.html
-if-hostname
This is a configuration logic for including options only when the specified hostname matches:
[uwsgi]
if-hostname = node1.local
socket = /tmp/socket1.socket
endif =
if-hostname = node2.local
socket = /var/run/foo.socket
endif =
Apache2 mod_proxy_uwsgi stabilization
After literally years of bug reports, and corrupted data, the mod_proxy_uwsgi is now stable, and on modern apache2 releases it supports unix sockets too.
Updated docs: http://uwsgi-docs.readthedocs.org/en/latest/Apache.html#mod-proxy-uwsgi
uwsgi[rsize] routing var
this routing var (meaningful only in the 'final' chain) exposes the response size of the request
the callint scheme
This scheme allows you to generate blob from functions exposed by your uWSGI instance:
[uwsgi]
uid = @(callint://get_my_uid)
gid = @(callint://get_my_gid)
-fastrouter-fallback-on-no-key
The corerouters fallback procedure requires a valid key (domain name) has been requested. This option forces the various routers to trigger the fallback procedure even if a key has not been found.
php 5.5 opcode caching via -php-sapi-name
For mysterious reasons the opcode caching of php5.5 is not enabled in the embed sapi. This option (set it to 'apache' if you want) allows you to fake the opcode caching engine forcing it to enable itself.
Improved chain-reloading
Thanks to Marko Tiikkaja the chain reloading procedure correctly works in cheaper modes and it is more verbose.
added 'chdir' keyval to -attach-daemon2
You can now set where attached daemons need to chdir()
*) Security: pipelined commands were not discarded after STARTTLS
command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
*) Bugfix: the $uri variable might contain garbage when returning errors
with code 400.
*) Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug
had appeared in 1.5.6.
^^^^^^^^^^^^^^^^^^^
- Added support for URLType of SQLAlchemy-Utils
0.12.7 (2014-07-21)
^^^^^^^^^^^^^^^^^^^
- Fix ModelFieldList handling of simultaneous deletes and updates
^^^^^^^^^^^^^^^^^^
- Fixed base_form option in SplitDateTimeField getting lost if form is initialized more than once.
0.9.4 (2014-07-29)
^^^^^^^^^^^^^^^^^^
- Added base_form option to SplitDateTimeField
The following changes are not fully backwards compatible:
3.2.0.1
-------
* JQuery major version switched from 2 to 1. Detailed information on this change can be found in the :ref:`FAQ <jquery-faq>`.
Upstream changes:
1.0031 2014-08-01 13:19:14 PDT
[SECURITY]
- Plack::App::File would previously strip trailing slashes off
provided paths. This in combination with the common pattern
of serving files with Plack::Middleware::Static could allow
an attacker to bypass a whitelist of generated files (avar) #446
[IMPROVEMENTS]
- Let HTTP::Message::PSGI warn in case of invalid PSGI response (wchristian) #437
- Update documentation on how response_cb works with writer (doy)
- Make AccessLog work on non-POSIX environment (dex4er) #442
- Plack::App::WrapCGI no longer warns under 5.19.9 (frew)
- Avoid Rosetta Flash attack in JSONP middleware (nichtich) #464
- Fix Plack::Util::inline_object to make it work with can() as a class method
[NEW FEATURES]
- Add $req->query_string shortcut to access QUERY_STRING in PSGI environment
Leonardo Taccari in wip.
Changes:
=================
WebKitGTK+ 2.4.4
=================
What's new in WebKitGTK+ 2.4.4?
- Fix annoying popup shown when visiting 8tracks.com.
- Expose links rendered as blocks to accessibility.
- Make text inside "span" block in "a" block accessible.
- Implement windowed plugins visibility.
- Fix the GObject introspection annotations of webkit_web_resource_get_data_finish().
- Fix a crash in TSymbolTableLevel::~TSymbolTableLevel when WebKit
is built with GCC 4.9.
- Fix a crash when playing a video in facebook.
- Several user agent changes to fix Google Maps and a few other issues.
- Allow to include WebKitVersion.h from web extensions API too.
- Fix web process leak when closing pages with network process enabled.
- Fix the build with --disable-webgl --disable-accelerated-compositing.
=================
WebKitGTK+ 2.4.3
=================
What's new in WebKitGTK+ 2.4.3?
- Fix video playback rate used when resuming in GStreamer media backend.
- Use GstMetaVideo as announced by WebKitVideoSink to fix some
decoders and filters that rely on buffer's meta rather than in the
caps structures.
- Do not pass a valid pointer as redirected-response parameter to
WebKitWebPage::send-request signal when not redirecting.
- Add missing files to the build required for building in Windows.
=================
WebKitGTK+ 2.4.2
=================
What's new in WebKitGTK+ 2.4.2?
- Correctly handle TLS errors in case of a server redirection.
- Fix a crash when submitting a form.
- Fix several JavaScriptCore crashes when browsing facebook.
- Fix a crash when closing a page with windowed plugins.
- Fix a crash after getting web view context property with g_object_get.
- Fix a new[] delete[] mismatch in SocketStreamHandleSoup.
=================
WebKitGTK+ 2.4.1
=================
What's new in WebKitGTK+ 2.4.1?
- Add CORS support for media elements to GStreamer media backend.
- Fix wrong flags used in fcntl call that failed in FreeBSD.
- Correctly handle HTTP authentication for cross-origin requests.
- Correctly handle cookies for cross-origin requests.
- Fix a crash in the plugin process with some plugins that redefine
NPN functions.
- Fix accelerated video when the video format has an alpha component.
- Fix sites using geolocation after reloading when using Geoclue2.
- Append Safari version to UserAgent to fix redirections in
www.globalforestwatch.org.
=================
WebKitGTK+ 2.4.0
=================
What's new in WebKitGTK+ 2.4.0?
- Fix infinite loop in WebProcess due to a race condition that can
happen when the socket event source is cancelled.
- Fix more runtime critical warnings about main loop sources not found
when trying to remove them.
- Lower the timeout used when waiting for the ShoulTerminate reply
in the WebProcess to release unused processes earlier.
- Fix the build for non X11 platforms.
=================
WebKitGTK+ 2.3.92
=================
What's new in WebKitGTK+ 2.3.92?
- Add support for Geoclue2.
- Always finalize the soup session object when the networking
process finishes.
- Make sure the web process doesn't finish if there's an ongoing
print operation.
- Fix runtime critical warnings about main loop sources not found
when trying to remove them.
- Fixed several crashes in JavaScriptCore when visiting facebook.
- Improve CSS properties performance.
- Fix web process leak when the WebView is leaked by the application.
- Fix the build when using vala bindings due to UI and web process
main headers included together.
=================
WebKitGTK+ 2.3.91
=================
What's new in WebKitGTK+ 2.3.91?
- Use a persistent cache for plugins metadata to avoid blocking the
UI while scanning plugins during page loads.
- Make the web inspector always load in multiprocess mode.
- Add a pkg-config file for WebKit2 web process extensions API.
- Fix the generation of g_return macros for GObject DOM bindings in
some cases where non pointer parameters were handled as pointers.
- Enable DFG_JIT on FreeBSD.
- Use system default compiler instead of gcc when building DOM
generated sources.
- Several build fixes for FreeBSD.
- Fix the build with wayland support enabled.
=================
WebKitGTK+ 2.3.90
=================
What's new in WebKitGTK+ 2.3.90?
- Add initial touch support to WebKit2.
- Add API to create a WebKitWebView related to another one to share
the same Web Process.
- Create the inspector view using the same web process as the
inspected page.
- Fix wrong mix of fcntl commands and flags in WebKit2.
- Fix marshaller used in WebKitWebPage::document-loaded signal.
- Fix a crash in GStreamer media backend when playback rate is too high.
- Fix the build on FreeBSD.
=================
WebKitGTK+ 2.3.5
=================
What's new in WebKitGTK+ 2.3.5?
- Add API to allow setting a multiple web process model.
- Add API to pass initialization user data from the UI process to
the web extensions.
- Implement languages support with network process.
- Implement custom URI schemes with network process.
- Disable MemoryCache when the DOCUMENT_VIEWER cache model is set.
- Expose aria-describedby with ATK_RELATION_DESCRIBED_BY.
- Fix a bug that prevented from entering fullscreen again in HTML5
videos after fullscreen was left with ESC.
- Set playback rate when pipeline is not ready in GStreamer media backend.
- Fix a lockup when playing Icecast radio in GStreamer media backend.
- Fix a web process crash when a download is cancelled.
- Fix several crashes when printing via JavaScript.
=================
WebKitGTK+ 2.3.4
=================
What's new in WebKitGTK+ 2.3.4?
- Add API to WebKitResponsePolicyDecision to check if the MIME type
can be shown.
- Enable fullscreen API by default.
- Fix handling of HTTP certificates with the network process enabled.
- Fix downloads with the network process enabled.
- Fix handling of cookies when network process is enabled.
- Remove the partial file downloaded when the download operation
fails or is cancelled.
- Make WebKitWebPage::send-request signal work after a redirect.
- Add xdg.origin.url extended attribute to downloads in WebKit2.
- Fix WebGL with GLES.
- Translation updates: Dutch, Brazilian Portuguese.
=================
WebKitGTK+ 2.3.3
=================
What's new in WebKitGTK+ 2.3.3?
- Initial Network Process support disabled by default.
- CSS regions are now enabled by default.
- Support right-side attachment of the inspector in WebKit2.
- Add spatial navigation setting to WebKit2 GTK+ API.
- Add media source setting to both WebKit1 and WebKit2.
- Support custom types for drag and drop data.
- Avoid extra copy when drawing images in cairo backend.
- Fix scrolling in combo boxes when the dropdown menu is larger than
the screen.
- Render AC layers also when using GTK+ 2 in WebKit1.
- Fix return value of webkit_web_view_get_view_source_mode() in
WebKit1.
- Emit stream-start, caps and segment events in webkitwebaudiosrc
element.
- Fix seeking on media content provided by servers not supporting
range requests.
- Fix a crash when using media source in GStreamer media backend.
- Fix an X11 error when the backing store surface is destroyed.
- Expose splitter elements with ATK_ROLE_SEPARATOR to accessibility.
- Expose accessibility objects WAI-ARIA landmark roles.
- Expose accessibility objects with ATK_ROLE_ARTICLE.
- Expose accessibility objects with ATK_ROLE_CHECK_MENU_ITEM.
- Remove support for GStreamer 0.10.
- Memory leak due to incorrect use of gst_tag_list_merge in
TextCombinerGStreamer.
- Translation updates: Brazilian Portuguese.
=================
WebKitGTK+ 2.3.2
=================
What's new in WebKitGTK+ 2.3.2?
- Add enable-media-stream setting to WebKit2 GTK+ API.
- Fix a crash when load fails due to SSL errors in WebKit2.
- Fix a crash when printing via JavaScript in WebKit2.
- Add support audio and video tracks to GStreamer media backend.
- Properly expose video and audio elements to accessibility.
- Fix invalid cairo matrix when drawing too small surfaces.
- Avoid extra copy when drawing images using cairo.
- Do not omit playback rate when seeking in GStreamer media backend.
- Several build fixes on non-linux platforms.
=================
WebKitGTK+ 2.3.1
=================
What's new in WebKitGTK+ 2.3.1?
- Add WebKit2 API for TLS errors.
- Make EventTarget interface introspectable in GObject DOM bindings.
- Expose WheelEvent in the GObject DOM bindings API.
- Generate API documentation for GObject DOM bindings.
- Respect image orientation by default.
- Enable text edition undo/redo operations support in WebKit2.
- Add support for blob URLs to GStreamer media backend.
- Add support for subtitles.
- Allow running the web process with an arbitrary prefix command in
debug builds.
- Expose image links properly to accessibility.
- Expose title and alternative text for links in image maps to
accessibility.
- Cancel the current active WebKitAuthenticationRequest on load
fail.
- Fix several memory leaks.
=================
WebKitGTK+ 2.1.4
=================
What's new in WebKitGTK+ 2.1.4?
- Add WebKitWebView::authenticate signal to WebKit2 GTK API.
- Expose KeyboardEvent in GObject DOM bindings.
- Implement attributesOfChildren() for AccessibilityUIElement.
- Implement allAttributes() for AccessibilityUIElement.
- Fix issues with edge cases when getting offsets for a text range
in AtkText.
- Remote inspector server now notifies about errors when loading
resources.
- Disable HTTP request "Accept-Encoding:" header field on gstreamer
source element to avoid receiving the wrong size when retrieving
data.
- Fix the final position when receiving several seek calls in a row,
in GStreamer media backend.
- When rendering accelerated video, upload onto the texture only the
buffer to be painted.
- Fix response property definition of WebKitResponsePolicyDecision.
- Fix a crash in WebKit1 when the WebView is created and destroyed
too fast.
- Fix a crash in UI process when the web process crashes.
- Fix a crash in WebKit2 when a context menu item is selected after
the page has been closed.
- Fix a crash when getting the editor command for a key event
initiated by the web inspector.
- Fix the build when building with GTK+ 2.
- Fix several memory leaks.
=================
WebKitGTK+ 2.1.3
=================
What's new in WebKitGTK+ 2.1.3?
- Add support for preload="metadata" to GStreamer media backend.
- Do not expose '\n' for wrapped lines with ATK_TEXT_BOUNDARY_CHAR.
- Fix potential race condition in GStreamer media backend when
getting the video sink caps.
- Fix performance issues rendering a page with animations.
- Several fixes and improvements in GStreamer video accelerated
compositing support.
- Adjust internal size on GStreamer HTTP source element when
receiving data if necessary.
- Actually disable the memory cache when DOCUMENT_VIEWER cache model
is used in WebKit1.
- Fix runtime critical warning in WebKit2 when unloading a module
that failed to load.
- Fix several memory leaks.
=================
WebKitGTK+ 2.1.2
=================
What's new in WebKitGTK+ 2.1.2?
- Set the subresources load priority using new libsoup API available
in 2.43.
- Do not use X11 WidgetBackingStore implementation in Wayland.
- Support using GLContext from multiple threads.
- Make sure gstreamer source element is thread-safe.
- Prevent race condition when pad caps is set on gstreamer player.
- Invalidate the ProcessLauncher when the process is terminated
before it has finished launching
- Use custom cairo code instead of Pango API for highlighting
misspelled words.
- Respect PKG_CONFIG env variable when generating gtk-doc.
- Fix a crash due to an assert in gstreamer backend when seeking.
- Fix memory leak when web process is terminated.
- Translation updates: Telugu, Hindi, Kannada, Odia.
=================
WebKitGTK+ 2.1.1
=================
What's new in WebKitGTK+ 2.1.1?
- Add webkit_uri_scheme_request_finish_error to WebKit2 GTK+ API.
- Add a setting to control whether or not accelerated 2D canvas is
enabled in WebKit2.
- Add a setting to WebKit2 to allow sending console log messages to
stdout.
- Always use EGL to create the GL context when running on Wayland.
- Fix rendering of WebKitWebView child widgets with recent GTK+.
- Notify the web process in WebKitURISchemeRequest when we fail to read
from the user InputStream.
- Fixed race conditions closing the socket descriptor when the web
process crashes.
- Add video accelerated compositing support to the GStreamer backend.
- Add support for audio/speex MIME type to the GStreamer backend.
- Fix seek after video finished in GStreamer backend.
- Initialize WebKitWebPlugin path to prevent double-free in WebKit1.
- Fix several GObject introspection warnings.
- Fixed several memory leaks.
WebKit is an open source web browser engine. WebKit is also the name of
the Mac OS X system framework version of the engine that's used by
Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML
and JavaScript code began as a branch of the KHTML and KJS libraries
from KDE.
This is the GTK3+ port of major version 1 of the engine.
for v2 of the package.
WebKit is an open source web browser engine. WebKit is also the name of
the Mac OS X system framework version of the engine that's used by
Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML
and JavaScript code began as a branch of the KHTML and KJS libraries
from KDE.
This is the GTK2+ port of major version 1 of the engine.
5.24 2014-08-02
- Improved url_escape performance slightly.
- Fixed memory leak in Mojo::IOLoop::Client.
- Fixed bug where ojo would sometimes die silently.
5.23 2014-07-31
- Improved router performance.
- Improved routes command to show format regular expression separately.
- Fixed partial route bug in Mojolicious::Routes::Match.
- Fixed format detection bug in Mojolicious::Routes::Pattern.
5.22 2014-07-30
- Added SOCKS5 support to Mojo::UserAgent.
- Added socks_address, socks_pass, socks_port and socks_user options to
Mojo::IOLoop::Client::connect.
- Improved documentation browser CSS.
Upstream changes:
MediaWiki 1.22.9
This is a security and maintenance release of the MediaWiki 1.22 branch.
Changes since 1.22.8
(bug 68187) SECURITY: Prepend jsonp callback with comment.
(bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript, instead of relying on the URL in the link that has been clicked.
(bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
(bug 59147) The img_metadata field was not being decoded from bytea into text.
Version 3.3.4 (2014-07-29)
--------------------------
### Fixed
Restore permission to delete root pages for admin users (see #7135).
### Fixed
Pass the file IDs instead of their UUIDs to the file picker (see #7139).
### Fixed
Correctly handle double quotes in comments (see #7102).
### Fixed
Ignore hidden files when building the internal cache (see #7098).
### Fixed
Correctly pass the insert ID of the undo record (see #6234).
### Fixed
Update the vendor libraries (fixes various issues).
Version 3.2.13 (2014-07-29)
---------------------------
### Fixed
Use `DOMDocument::loadXML()` instead of `DOMDocument::load()` (see 7192).
### Fixed
Specify the font size in `rem` for modern browsers (see #7209).
### Fixed
Make sure the default language file is loaded in the DCA extractor (see #7202).
### Fixed
Do not add unpublished FAQs to the XML sitemap (see #7210).
### Fixed
Preserve new lines when replacing simple tokens (see #7178).
### Fixed
Always prevent saving if `PageModel::loadDetails()` is executed (see #7199).
### Fixed
Use `===` to compare password hashes (see #7175).
### Fixed
Correctly mark GET parameters as used (see #7185).
### Fixed
Correctly apply the "disabled" attribute to input unit fields (see #7147).
### Fixed
Correctly check the permission to edit multiple files (see #7157).
### Fixed
Correctly handle other MySQL character sets (see #7140).
### Fixed
Correctly recognize Opera Mobile in the `Environment` class (see #5869).
### Fixed
Fix the grid offset for articles (see #7166).
### Fixed
Restore the basic entities in the source editor (see #7170).
### Fixed
Correctly build the breadcrumb trail in the style sheets module (see #7132).
### Fixed
Do not associate the "use SSL" option with sitemaps only (see #7163).
### Fixed
URL encode the pipe character in the Google web font URL (see #7120).
### Fixed
Handle double quotes in the title attribute of the `<link>` element (see #7124).
### Fixed
Use the `save_callback` when generating multiple aliases (see #7114).
### Update
Update SwiftMailer to version 5.2.1 (see #7110).
### Fixed
Correctly handle double quotes in comments (see #7102).
### Fixed
Ignore hidden files when building the internal cache (see #7098).
### Fixed
Correctly pass the insert ID of the undo record (see #6234).
Upstream changes:
2.21 Mon Jun 9 01:35:54 CEST 2014
- correctly keep body when redirecting POSTs, instead of
deleting them.
2.2 Mon Jun 9 01:31:46 CEST 2014
- connection header was malformed (patch by Raphael Geissert).
- add lots of known idempotent methods from httpbis.
- implement relative location headers (rfc 7231), with fallback on URI.
- add support for status code 308 from rfc 7238.
- recommend URI.
Upstream changes:
0.3.1 Version
-----------------
* Add qqmail mail server backend support, thanks to Yubin Wang <harry198344 AT gmail.com>
* Add `yes` option, remove `--force` of makeapp,makeproject command
* Remove `has_options` attribute in Command class
* Fix `include` bug in ini
* Fix condition test bug of orm.get()
* Add `sqlshell` command
* Add `having` and `join` support to ORM
* Add whole database dump and load support #33
* Add NotFound to __all__ of orm
* Fix recorder bug
0.3 Version
-----------------
* Fix pyini "key=" for raw output bug
* Fix objcache for Lazy field bug, it'll refresh first if found Lazy field
* Fix executing orm command raise Exception not be thrown bug
* Refactor multidb support
* Change UserWarn to DeprecationWarning
* Fix syncdb for different table name between `Model.__tablename__` and settings bug
* Remove `get_cached()` and add `cache` parameter to `Model.get()`
* Add `get_local_cache()` and `clear_local_cache()` in order to be compatible
with SimpleFrame implementation
* ORM `Property.to_str()` will return string but not unicode for CHAR and VARCHAR.
* Simplify server_default, if integer given, it'll be converted to `text(n)`
* `ManyResult.all()` can receive a `cache` parameter
* Improve `dump()` and `load()`, add PickleType , ManyToMany support
* Refactor objcache app implementation and add `exclude` config option
* Remove primary_key detect, because multi primary_key columns can make composite primary key,
add partition support for mysql
* add None patch process, you can set '', 'empty', 'exception'.
* move uliweb/orm/middle*.py to uliweb/contrib/orm
* move uliweb/i18n/middle_i18n.py to uliweb/contrib/i18n
* move storage from core to utils directory
* improve count process
* Fix Reference and ManyToMany dump and load bug
* Add `is_in_web()` function, so you can test if current frame is in web execution
* Add `--gevent` support to call command
* Add `any` to Model, Result, ManyResult
* Add `clear_prefix()` to redis_cli APP, this feature need redis 2.6+ version
* Add version check to redis_cli APP, default is disabled
* Add `clear_table()` to objcache APP
* Add 'id' parameter to `get()` and `get_object()` and `get_cached_object()` functions,
so that if the ID can't be found in cache, condition (old parameter) will be used.
And when id and condition given both, only when id is not integer or valid expression
condition will be used. So in most cases, you don't need pass condition.
* If not set url option for session of database type, it'll automatically use ORM settings if exists
* Add settings and local_settings env variables support
* Fix count bug
* Change orm requirement.txt, add uliweb-alembic package
* generic app add avalon and mmgrid support
* Model.put() is now deprecated, you should use save
* `generic.py` add version support when saving, and add `save` callback parameter.
0.2.6 Version
-----------------
* Add warning output for Reference class parameter of relation properties definition.
* Fix manual and total process bug in ListView and SelectListView
* Fix rawsql bug
* Add `get_object()` support in Generic ListView
* Fix `get_cached()` bug
* Fix process_files in generic add and edit functions bug
* Add `import readline` before enter shell environment
* change occ name to version
* Improve autocomplete in shell command
* Fix manytomany cached value is not used when do the save, because of not stored
in `_old_values`
* If you've already define primary key in Model, then it'll not create id property
for you, just like:
```
user_id = Field(int, primary_key=True, autoincrement=True)
```
* Fix sqldot bug and improve sqlhtml generation
* Enable colored log output by default.
* Add recorder app, you can use it to record the visit url, and test it later
0.2.5 Version
-----------------
* Fix config template and add `uwsgi` shell support
* Add environment variables support in `settings.ini`. For example, there is a
`MYSQL_PORT` defined in environment, so you can define something in settings.ini:
```
[DEFAULT]
port = $MYSQL_PORT
port_str = '${MYSQL_PORT}'
```
`$MYSQL_PORT` is the same as `${MYSQL_PORT}`. Just when the variable follows
identifier, so `${}` can easily separate between them.
* Add `STATIC_COMBINE_CONFIG` configuration, you can toggle static combination with it.
Default is False. The configuration is:
```
[STATIC_COMBINE_CONFIG]
enabled = False
```
* Fix objcache app bug, if not fields defined in settings, it'll use all columns of table
* Add `get_table` function to `functions`, you can use it to get table object. Used
in `uliweb.contrib.tables` app.
* Add `local_cache` to local in SimpleFrame, and it can be used to store require relative
cache values, and it'll be empty after each require process.
* Improve `get_object()` function in ORM, add `use_local` parameter, so the cached
value will be checked in `local_cache` first, and also save it in local_cache when
get a value from cache or database.
* Improve objcache config format, you can also define table like this:
```
user = {'fields':['username'], 'expire':expire_time, 'key':callable(instance)|key_field}
#or
user = ['username', 'nickname']
#or
user =
```
If no fields defined, it'll use all fields of Model. And if expire is 0 or
not defined, it'll not expired at all.
`key` will be used to replace `id`, if you want another key value, and it
can be also a callable object, it'll receive an instance of Model parameter,
so you can create any key value as you want.
* Add Optimistic Concurrency Control support for ORM, so you should define `version`
Field first in Model, then when you save the object, you should use:
```
obj.save(occ=True)
```
If there is already other operation saved the record, it'll raise a `SaveError`
Exception by default, because the version has been changed. You can also pass:
* `occ_fieldname` used to define the version fieldname, default is `version`
* `occ_exception` used to enable raising an Exception, default is `True`, if you
set it `False` it'll return False, but not raise an Exception.
0.2.4 Version
-----------------
* Fix ORM is not compatible with SQLAlchemy 0.9.1.
* add `__contains__` to functions, so you can test if an API is already defined, just
use:
```
'flash' in functions
```
* Refactor generic.py, remove `functions.flash` and `functions.get_fileserving` dependencies by default.
* Fix `yield` support in view function, you can also use it in gevent environment.
* Fix `rawsql()` bug for different database engine
* Fix `jsonp()` dumps Chinese characters bug
* Add `trim_path()` function to `utils/common.py`, it can trim a file path to
limited length, for example:
```
>>> a = '/project/apps/default/settings.ini'
>>> trim_path(a, 30)
'.../apps/default/settings.ini'
```
Default limited length is 30.
* Add ORM connection information output when given `-v` option in command line. And
the password will be replaced with `'*'`.
* Add multiple apps support for `makeapp` command.
* Refactor `save_file()` process, add `headers` and `convertors` parameter.
* Fix `call_view()` invoke `wrap_result` bug. Missing pass `handler` parameter to wrap_result.
Upstream changes:
5.21 2014-07-27
- Improved handling of Pod::Simple::XHTML 3.09 dependency.
- Improved documentation browser CSS.
5.20 2014-07-27
- Fixed a few bugs in Mojolicious::Plugin::PODRenderer by switching from
Pod::Simple::HTML to Pod::Simple::XHTML.
- Fixed Perl 5.18.x compatibility.
5.19 2014-07-26
- Improved support for Unicode anchors in Mojolicious::Plugin::PODRenderer.
- Fixed is_readable scalability problems in Mojo::Reactor.
5.18 2014-07-25
- Improved is_readable performance in Mojo::Reactor.
5.17 2014-07-24
- Welcome to the Mojolicious core team Jan Henning Thorsen.
- Added val method to Mojo::DOM. (batman, sri)
- Improved Mojo::Collection performance.
- Fixed support for Unicode anchors in Mojolicious::Plugin::PODRenderer.
5.16 2014-07-21
- Improved Mojo::Asset::File to allow appending data to existing files.
(iakuf, sri)
Upstream changes:
1.3126 2014-07-14
[ BUG FIXES ]
* Bunch of files were not in the MANIFEST.
1.3125 2014-07-12
[ ENHANCEMENT ]
* Skip bad cookie definitions. (GH#1036, Manuel Weiss)
* 'dancer' script warns and die if trying to create
an app with the same name of an existing module.
(GH#1038, Racke)
* In Dancer::Logger::Abstract, default host
name to '-' if not available. (GH#1029, John Wittkoski)
* Add Dancer::Serializer::JSONP. (GH#1035, David Zurborg)
[ DOCUMENTATION ]
* Improve the wording of the params() section in Dancer.
(GH#1025, Warren Young)
* Explain how to access config in Dancer::Config's POD.
(GH#1026, Gabor Szabo)
* Cookbook typo fix. (GH#1031, Florian Sojer)
1.3124 2014-05-09
[ ENHANCEMENTS ]
* Also check X-Forwarded-Proto. (GH#1015, Andy Jones)
* Update bundle jQuery to v1.11.0. (GH#1018, Michal Wojciechowski)
* Add session support to the skeleton config. (GH#1008. Gabor Szabo)
[ BUG FIXES ]
* Remove print statement in Dancer::ModuleLoad::require.
(GH#1021, John Wittkoski)
* Test was failing if JSON module was absent.
(GH#1022, Yanick Champoux)
* Allow for routes evaluating to false ('0', '', etc).
(GH#1020, Yanick Champoux)
[DOCUMENTATION]
* Specify defaults in POD. (GH#1023, isync)
* Fix doc for params(). (GH#1025, reported by Warren Young)
[ MISC ]
* Update mailing list url in README. (GH#1017, Racke)
* Markdownify the README. (GH#986, Chris Seymour)
packaged for wip by pho.
The HTTP package supports client-side web programming in Haskell. It lets
you set up HTTP connections, transmitting requests and processing the
responses coming back, all from within the comforts of Haskell. It's
dependent on the network package to operate, but other than that, the
implementation is all written in Haskell.
A basic API for issuing single HTTP requests + receiving responses is
provided. On top of that, a session-level abstraction is also on offer (the
BrowserAction monad); it takes care of handling the management of
persistent connections, proxies, state (cookies) and authentication
credentials required to handle multi-step interactions with a web server.
The representation of the bytes flowing across is extensible via the use of
a type class, letting you pick the representation of requests and responses
that best fits your use. Some pre-packaged, common instances are provided
for you (ByteString, String).
Changelog:
New: Add the search field to the new tab page
New: Support of Prefer:Safe http header for parental control
New: mozilla::pkix as default certificate verifier
New: Block malware from downloaded files
New: Partial implementation of the OpenType MATH table (section 6.3.6) see documentation about mathematical fonts and the MathML Torture Test for details
New: audio/video .ogg and .pdf files handled by Firefox if no application specified (Windows only)
New: Upper Sorbian [hsb] locale added
Changed: Removal of the CAPS infrastructure for specifying site-specific permissions (via capability.policy.* preferences). Most notably, attempts to use this functionality to grant access to the clipboard will no longer work. The sole exception is the checkloaduri permission, which may still be used as before to allow sites to load file:// URIs.
HTML5: WebVTT implemented and enabled
HTML5: CSS3 variables implemented
Developer: Developer Tools: Add-on Debugger
Developer: Developer Tools: Canvas Debugger
Developer: New Array built-in: Array.prototype.fill()
Developer: New Object built-in: Object.setPrototypeOf()
Developer: CSP 1.1 nonce-source and hash-source enabled by default
Developer: Developer Tools: Eyedropper tool added to the color picker
Developer: Developer Tools: Editable Box Model
Developer: Developer Tools: Code Editor improvements
Developer: Developer Tools: Console stack traces
Developer: Developer Tools: Copy as cURL
Developer: Developer Tools: Styled console logs
Developer: navigator.sendBeacon enabled by default
Developer: Dialogs spawned from the onbeforeunload event no longer block access to the rest of the browser
Fixed: Search for partially selected link text from context menu (985824)
Fixed: Various security fixes
Fixed in Firefox 31
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-60 Toolbar dialog customization event spoofing
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)
- SECURITY: CVE-2014-0117 (cve.mitre.org)
mod_proxy: Fix crash in Connection header handling which
allowed a denial of service attack against a reverse proxy
with a threaded MPM. [Ben Reser]
- SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow. [Joe Orton, Eric Covener]
- SECURITY: CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to avoid
denial of service via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
- SECURITY: CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
[Rainer Jung, Eric Covener, Yann Ylavic]
- mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077). [Rainer Jung]
- mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer"). Bug 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
- mod_proxy_ajp: Forward local IP address as a custom request attribute
like we already do for the remote port. [Rainer Jung]
- core: Include any error notes set by modules in the canned error
response for 403 errors. [Jeff Trawick]
- mod_ssl: Set an error note for requests rejected due to
SSLStrictSNIVHostCheck. [Jeff Trawick]
- mod_ssl: Fix issue with redirects to error documents when handling
SNI errors. [Jeff Trawick]
- mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys. [Ruediger Pluem,
Joe Orton]
- mod_dav: Fix improper encoding in PROPFIND responses. Bug 56480.
[Ben Reser]
- WinNT MPM: Improve error handling for termination events in child.
[Jeff Trawick]
- mod_proxy: When ping/pong is configured for a worker, don't send or
forward "100 Continue" (interim) response to the client if it does
not expect one. [Yann Ylavic]
- mod_ldap: Be more conservative with the last-used time for
LDAPConnectionPoolTTL. Bug 54587 [Eric Covener]
- mod_ldap: LDAP connections used for authn were not respecting
LDAPConnectionPoolTTL. Bug 54587 [Eric Covener]
- mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
[Jeff Trawick]
- event MPM: Fix possible crashes (third-party modules accessing c->sbh)
or occasional missed mod_status updates under load. Bug 56639.
[Edward Lu <Chaosed0 gmail com>]
- mod_authnz_ldap: Support primitive LDAP servers that do not accept
filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
filter "none" to be specified in AuthLDAPURL. [Eric Covener]
- mod_deflate: Fix inflation of files larger than 4GB. Bug 56062.
[Lukas Bezdicka <social v3.sk>]
- mod_deflate: Handle Zlib header and validation bytes received in multiple
chunks. Bug 46146. [Yann Ylavic]
- mod_proxy: Allow reverse-proxy to be set via explicit handler.
[ryo takatsuki <ryotakatsuki gmail com>]
- ab: support custom HTTP method with -m argument. Bug 56604.
[Roman Jurkov <winfinit gmail.com>]
- mod_proxy_balancer: Correctly encode user provided data in management
interface. Bug 56532 [Maksymilian, <max cert.cx>]
- mod_proxy_fcgi: Support iobuffersize parameter. [Jeff Trawick]
- mod_auth_form: Add a debug message when the fields on a form are not
recognised. [Graham Leggett]
- mod_cache: Preserve non-cacheable headers forwarded from an origin 304
response. Bug 55547. [Yann Ylavic]
- mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
scheme. Bug 55320. [Alex Liu <alex.leo.ca gmail.com>]
- mod_socache_shmcb: Correct counting of expirations for status display.
Expirations happening during retrieval were not counted. [Rainer Jung]
- mod_cache: Retry unconditional request with the full URL (including the
query-string) when the origin server's 304 response does not match the
conditions used to revalidate the stale entry. [Yann Ylavic].
- mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
variables as a result of AliasMatch. [Eric Covener]
- mod_cache: Don't add cached/revalidated entity headers to a 304 response.
Bug 55547. [Yann Ylavic]
- mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme():
Support default SCGI port (4000). [Jeff Trawick]
- mod_expires: don't add Expires header to error responses (4xx/5xx),
be they generated or forwarded. Bug 55669. [Yann Ylavic]
- mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
(regression in 2.4.9 release) [Jeff Trawick]
- mod_authn_socache: Fix crash at startup in certain configurations.
Bug 56371. (regression in 2.4.7) [Jan Kaluza]
- mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
programs to the form used in releases up to 2.4.7, and emulate
a backwards-compatible behavior for existing setups. [Kaspar Brand]
- mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
OCSP requests should use a nonce to be checked against the responder's
one. Bug 56233. [Yann Ylavic, Kaspar Brand]
- mod_ssl: "SSLEngine off" will now override a Listen-based default
and does disable mod_ssl for the vhost. [Joe Orton]
- mod_lua: Enforce the max post size allowed via r:parsebody()
[Daniel Gruno]
- mod_lua: Use binary comparison to find boundaries for multipart
objects, as to not terminate our search prematurely when hitting
a NULL byte. [Daniel Gruno]
- mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
versions before 0.9.8h and not specifying an SSLCertificateChainFile
(regression introduced with 2.4.8). Bug 56410. [Kaspar Brand]
- mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts,
and limit startup warnings to cases where an OpenSSL version
without TLS extension support is used. Bug 56241. [Kaspar Brand]
- mod_proxy_html: Avoid some possible memory access violation in case of
specially crafted files, when the ProxyHTMLMeta directive is turned on.
Follow up of Bug 56287 [Christophe Jaillet]
- mod_auth_form: Make sure the optional functions are loaded even when
the AuthFormProvider isn't specified. [Graham Leggett]
- mod_ssl: avoid processing bogus SSLCertificateKeyFile values
(and logging garbled file names). Bug 56306. [Kaspar Brand]
- mod_ssl: fix merging of global and vhost-level settings with the
SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
directives. Bug 56353. [Kaspar Brand]
- mod_headers: Allow the "value" parameter of Header and RequestHeader to
contain an ap_expr expression if prefixed with "expr=". [Eric Covener]
- rotatelogs: Avoid creation of zombie processes when -p is used on
Unix platforms. [Joe Orton]
- mod_authnz_fcgi: New module to enable FastCGI authorizer
applications to authenticate and/or authorize clients.
[Jeff Trawick]
- mod_proxy: Do not try to parse the regular expressions passed by
ProxyPassMatch as URL as they do not follow their syntax.
Bug 56074. [Ruediger Pluem]
- mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
under the Event MPM. Bug 56216. [Frank Meier <frank meier ergon ch>]
- mod_proxy_fcgi: Fix sending of response without some HTTP headers
that might be set by filters. [Jim Riggs <jim riggs.me>]
- mod_proxy_html: Do not delete the wrong data from HTML code when a
"http-equiv" meta tag specifies a Content-Type behind any other
"http-equiv" meta tag. Bug 56287 [Micha Lenk <micha lenk info>]
- mod_proxy: Don't reuse a SSL backend connection whose requested SNI
differs. Bug 55782. [Yann Ylavic]
- Add suspend_connection and resume_connection hooks to notify modules
when the thread/connection relationship changes. (Should be implemented
for any third-party async MPMs.) [Jeff Trawick]
- mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
hangups from websockets origin servers. Bug 56299
[Yann Ylavic, Edward Lu <Chaosed0 gmail com>, Eric Covener]
- mod_proxy_wstunnel: Don't pool backend websockets connections,
because we need to handshake every time. Bug 55890.
[Eric Covener]
- mod_lua: Redesign how request record table access behaves,
in order to utilize the request record from within these tables.
[Daniel Gruno]
- mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]
- mod_lua: Log an error when the initial parsing of a Lua file fails.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]
- mod_lua: Reformat and escape script error output.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]
- mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
from causing response splitting.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]
- mod_lua: Disallow newlines in table values inside the request_rec,
to prevent HTTP Response Splitting via tainted headers.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]
- mod_lua: Remove the non-working early/late arguments for
LuaHookCheckUserID. [Daniel Gruno]
- mod_lua: Change IVM storage to use shm [Daniel Gruno]
- mod_lua: More verbose error logging when a handler function cannot be
found. [Daniel Gruno]
Highlights
The tornado.web.stream_request_body decorator allows large
files to be uploaded with limited memory usage.
Coroutines are now faster and are used extensively throughout
Tornado itself. More methods now return Futures, including most
IOStream methods and RequestHandler.flush.
Many user-overridden methods are now allowed to return a Future
for flow control.
HTTP-related code is now shared between the tornado.httpserver,
tornado.simple_httpclient and tornado.wsgi modules, making
support for features such as chunked and gzip encoding more
consistent. HTTPServer now uses new delegate interfaces defined
in tornado.httputil in addition to its old single-callback
interface.
New module tornado.tcpclient creates TCP connections with
non-blocking DNS, SSL handshaking, and support for IPv6.
Backwards-compatibility notes
tornado.concurrent.Future is no longer thread-safe; use
concurrent.futures.Future when thread-safety is needed.
Tornado now depends on the certifi package instead of bundling
its own copy of the Mozilla CA list. This will be installed
automatically when using pip or easy_install.
This version includes the changes to the secure cookie format
first introduced in version 3.2.1, and the xsrf token change
in version 3.2.2. If you are upgrading from an earlier version,
see those versions' release notes.
WebSocket connections from other origin sites are now rejected
by default. To accept cross-origin websocket connections,
override the new method WebSocketHandler.check_origin.
WebSocketHandler no longer supports the old draft 76 protocol
(this mainly affects Safari 5.x browsers). Applications should
use non-websocket workarounds for these browsers.
Authors of alternative IOLoop implementations should see the
changes to IOLoop.add_handler in this release.
The RequestHandler.async_callback and WebSocketHandler.async_callback
wrapper functions have been removed; they have been obsolete
for a long time due to stack contexts (and more recently
coroutines).
curl_httpclient now requires a minimum of libcurl version 7.21.1
and pycurl 7.18.2.
Support for RequestHandler.get_error_html has been removed;
override RequestHandler.write_error instead.
Changes:
bits.close: introduce connection close tracking
darwinssl: Add support for --cacert
polarssl: add ALPN support
docs: Added new option man pages
Bugfixes:
build: Fixed incorrect reference to curl_setup.h in Visual Studio files
build: Use $(TargetDir) and $(TargetName) macros for .pdb and .lib output
curl.1: clarify that -u can't specify a user with colon
openssl: Fix uninitialized variable use in NPN callback
curl_easy_reset: reset the URL
curl_version_info.3: returns a pointer to a static struct
url-parser: only use if_nametoindex if detected by configure
select: with winsock, avoid passing unsupported arguments to select()
gnutls: don't use deprecated type names anymore
gnutls: allow building with nghttp2 but without ALPN support
tests: Fix portability issue with the tftpd server
curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN
curl_sasl: extended native DIGEST-MD5 cnonce to be a 32-byte hex string
random: use Curl_rand() for proper random data
Curl_ossl_init: call OPENSSL_config for initing engines
config-win32.h: Updated for VC12
winbuild: Don't USE_WINSSL when WITH_SSL is being used
getinfo: HTTP CONNECT code not reset between transfers
Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
http2: avoid segfault when using the plain-text http2
conncache: move the connection counter to the cache struct
http2: better return code error checking
curlbuild: fix GCC build on SPARC systems without configure script
tool_metalink: Support polarssl as digest provider
curl.h: reverse the enum/define setup for old symbols
curl.h: moved two really old deprecated symbols
curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
buildconf: do not search tools in current directory.
OS400: make it compilable again. Make RPG binding up to date
nss: do not abort on connection failure (failing tests 305 and 404)
nss: make the fallback to SSLv3 work again
tool: prevent valgrind from reporting possibly lost memory (nss only)
progress callback: skip last callback update on errors
nss: fix a memory leak when CURLOPT_CRLFILE is used
compiler warnings: potentially uninitialized variables
url.c: Fixed memory leak on OOM
gnutls: ignore invalid certificate dates with VERIFYPEER disabled
gnutls: fix SRP support with versions of GnuTLS from 2.99.0
gnutls: fixed a couple of uninitialized variable references
gnutls: fixed compilation against versions < 2.12.0
build: Fixed overridden compiler PDB settings in VC7 to VC12
ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
netrc: don't abort if home dir cannot be found
netrc: fixed thread safety problem by using getpwuid_r if available
cookie: avoid mutex deadlock
configure: respect host tool prefix for krb5-config
gnutls: handle IP address in cert name check
Added an api to change the context menus of plugins and placeholders from plugins;
Apphooks better respect the page permissions;
Fixed how permissions are checked for static placeholder;
Fixed page permissions for decorated views;
Fallback language fixes for pages;
Button fixes in the modal window;
Improved the ability to subclass the RenderPlugin template tag;
Fixes 'hover' effect on menus for deeper submenus;
Added the ability to mark (Sub)Menu's 'active';
Improvements to the create_page API to support multi-site configs;
Reduced queries on placeholder.clear by 60%;
Auto-detect django-suit instead of using explicit setting;
Implemented transaction.atomic in django 1.4/1.5 way;
Added an automatic dynamic template directory for page templates;
Internal support for using custom forms;
- Integrated Caching Template Library originally developed by Joe Mucchiello [Tom]
- Support for themes to specify a default theme. Default themes template and css
files will be used unless they are included in the new theme directory [Tom]
- Added configurable caching support for blocks (regular and gldefault),
staticpages and articles [Tom]
- Speed increases by caching topic tree structure [Tom]
- What's Related article block now includes all Topics. Can set length of titles
[Tom]
- Articles now list what Topics they are filed under. [Tom]
- New related_topics autotag. It displays all topics an item belongs to. [Tom]
- New related_items autotag. It displays all other related items based on what
topics the defined item belongs to [Tom]
- Updated Command & Control layout. Plugins can now be organized into groups. [Tom]
- New OAuth login methods supported (Google, Microsoft, Yahoo). OAuth supported
now includes 1.0, 1.0a, and 2.0 (depends on what the provider supports) [Tom]
- Javascript and css can now be loaded in a specified order. [Tom]
- Numerous fixes for multi-language support [Tom]
- Added CKEditor 4.3.2 as the default advanced editor for Geeklog [Dengen]
- New article render which fixes entities etc... from showing up where they
shouldn't [Dengen]
- New Advanced Editor System that allows developers to easily add new
javascript editors [Dengen]
- Article, Staticpages Poll and Topic IDs can now be 128 characters long [Tom]
- User Login page now can be accessed directly without first displaying a login
error message [Tom]
- Fixed deadlock issues with the session table [Tom]
- Updated Hebrew language files, provided by LWC
- jQuery can now be included in the header [Tom]
- Updated to jQuery 1.10.2 and jQuery UI to 1.10.3 [Tom]
- Added a Filemanager [Kenji ITO]
- Added timepicker jQuery control [Dengen]
Upstream changes:
2.7.1
Highlights
MDL-41383 - File picker works when zooming in and out of browser
MDL-45580 - PDF Annotations working with multiple attempts
Functional changes
MDL-43274 - Course logs can no longer be deleted when course is reset
API changes
MDL-44871 - Behat tests written for Atto functionalities
MDL-43669 - Configuration option added so that mail can be sent from noreply address exclusively
UI changes
MDL-45599 - The term 'add-on' is changed to 'plugin'
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-44124 - iCal import recurrence rules working consistently
MDL-45579 - Duplicate group enrolment keys for the same course are no longer allowed
MDL-45682 - Can now insert images using Chrome
HTTPie is a command line HTTP client. Its goal is to make CLI interaction with
web services as human-friendly as possible. It provides a simple http command
that allows for sending arbitrary HTTP requests using a simple and natural
syntax, and displays colorized responses. HTTPie can be used for testing,
debugging, and generally interacting with HTTP servers.
Upstream changes:
5.13 2014-07-13
- Added json_like, json_message_like, json_message_unlike and json_unlike
methods to Test::Mojo.
- Improved HTML5.1 compliance of Mojo::DOM::HTML.
- Fixed bug where Mojo::UserAgent would keep too many connections alive.
- Fixed Mojo::Reactor::Poll bug where watchers were active after they have
been removed. (jberger)
5.12 2014-07-04
- Fixed a few multipart form handling bugs.
- Fixed AUTOLOAD bug in Mojo::Collection where it would behave differently
than calling pluck directly.
5.11 2014-07-02
- Moved reverse_proxy attribute from Mojo::Server::Daemon to Mojo::Server.
- Added delay and inactivity_timeout helpers to
Mojolicious::Plugin::DefaultHelpers.
- Improved error method in Mojolicious::Validator::Validation to return
field names when called without arguments.
- Fixed "0" value bug in Mojo::UserAgent::Transactor.
5.10 2014-06-28
- Added cleanup attribute to Mojo::Server::Prefork.
- Improved Mojo::Server::Prefork to keep sending heartbeat messages when
stopping gracefully.
- Fixed small bug where Mojo::Server::Daemon was too eager to reconfigure
Mojo::IOLoop.
- Fixed small bug where Hypnotoad would clean up process id and lock files
too early.
5.09 2014-06-24
- Improved .ep templates to make the current controller available as $c.
5.08 2014-06-17
- Added reset method to Mojo::IOLoop.
- Added reset method to Mojo::Reactor.
- Added reset method to Mojo::Reactor::Poll.
5.07 2014-06-13
- Fixed RFC 7230 compliance bugs in Mojo::Headers.
5.06 2014-06-11
- Added deserialize and serialize attributes to Mojolicious::Sessions.
- Improved redirect_to to behave more like url_for.
- Fixed bug in Mojo::UserAgent where HTTP/1.0 connections were sometimes
kept alive.
5.05 2014-06-08
- Fixed parsing of header fields with single character names in
Mojo::Headers. (crab)
Add missing DEPENDS
Upstream changes:
0.143000 2014-07-05 21:39:28CEST+0200 Europe/Amsterdam
[ BUG FIXES ]
* GH #538, #539: Coerce propagated exceptions to strings within Error object.
(Steven Humphrey)
* GH #531: Generate valid HTML when show_errors is true from Error objects.
(Steven Humphrey)
* GH #603: Update skeleton test to use Plack::Test. (Sawyer X)
[ ENHANCEMENTS ]
* Provide psgi_app in top-level Dancer.pm to make it easier to change it.
(Sawyer X)
0.142000 2014-06-24 15:16:42CEST+0200 Europe/Amsterdam
[ BUG FIXES ]
* GH #550, #555: Allow the content type to be set when using send_file
as per the documentation. (Russell Jenkins, Steven Humphrey)
[ ENHANCEMENTS ]
* GH #512, #520, #602: Pass all settings into JSON serializer engine.
(Jakob Voss, Russell Jenkins)
* GH #532: Serialize runtime errors such as those produced by die if a
serializer exists. (Steven Humphrey)
0.141000 2014-06-08 22:27:03CEST+0200 Europe/Amsterdam
* No functional changes.
0.140900_01 2014-06-07 23:32:56IDT+0300 Asia/Jerusalem
[ BUG FIXES ]
* GH #447: Setting the apphandler now triggers the Dancer Runner
configuration change, which works. (Sawyer X)
* GH #578: Remove the default engine configurations. (Sawyer X)
* GH #567: Check for proper module names in loading engines. Might help
with taint mode. (Sawyer X)
* GH #585, #595: Return 405 Method Not Allowed instead of 500.
(Omar M. Othman)
* GH #570, #579: Ensure keywords pass, send_error and send_file
exit immediately when executed. (Russell Jenkins)
[ ENHANCEMENTS ]
* GH #587: Serializer::Mutable alive! (Pedro Bruno)
[ DOCUMENTATION ]
* Fix doc for params(). Ported from Dancer#1025 (Stefan Hornburg)
## Rails 3.2.19 (Jul 2, 2014) ##
* Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
`options[:raise]`.
This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
*Shota Fukumori (sora_h)*
Universal Ruby library to handle WebSocket protocol. It focuses on providing
abstraction layer over WebSocket API instead of providing server or client
functionality.
Currently, WebSocket Ruby supports all existing drafts of WebSocket, which
include:
* hixie-75
* hixie-76
* all hybi drafts (00-13)
* RFC 6455
Quote from http://www.providentcrm.com/news/sugarcrm-6-5-17-patch-list/.
1. Module scanner now blocks two additional functions:
simplexml_load_file and simplexml_load_string
2. JS Security Fix in Emails -- changing AJAX call from GET to POST.
3. XML Handling -- Additional error handling and libxml_disable_entity_loader
is now set to true.
4. Users module -- Additional checking on un-authorised access to other users
profile, plus Bugfix for password field.
Docs: external_acl_type documentation lies for cache=n option
Non https connections on SSL-bump enabled port may get stuck
Do not leak implicit ACLs during reconfigure.
Assure that when LruMap::memLimit_ is set to 0 no entries stored on LruMap
Portability: use 64-bit for X-Cache-Age header
Windows: fix various libip build issues
Windows: rename TcpLogger::connect
Windows: rename ConnOpener::connect
Change order of BSD-specific network includes so that they are properly picked up
Do not leak ex_data for SSL state that survived reconfigure.
Do not register the same Cache Manager action more than once
Fix leaked TcpAcceptor job on reconfiguration
Fix leak of ACLs related to adaptation access rules
Bug 4056: assertion MemPools[type] from netdbExchangeStart()
Bug 4065: round-robin neighbor selection with unequal weights
Bug 4050: Segfault in CommSelectEngine::checkEvents on helper response
Fix segfault setting up server SSL connection
Regression: segfault logging with %tg format specifier
SourceFormat Enforcement
Changelog:
1.11 12/21/2013
Minor parser bugfixes
Fix upgrading from older tt-rss versions
Minor performance improvements
Other bugfixes
API: fix labels not applying because API call expected labels in wrong format
1.12 03/21/2014
Parser / misc bugfixes
Default theme update
Traditional Chinese (zh_TW) translation
Various comics plugins merged into af_comics
* I gave up subdirectory installation with nginx... (MESSAGES)
Changelog:
Version 6.0.4 June 23rd 2014
Fixed a security issue (Will be disclosed two weeks after this release)
Several LDAP fixes and improvements
Add deprecated warning to load function
File scanner fixes
Heart beat fixes
Encryption fixes for some corner cases
Fix conflict dialog translations
Fix button text overflow
Fix search with Oracle
Php upload errors are written to log
OCS status code fixes
Add PostgreSQL version warning
Version 6.0.3 April 29rd 2014
Several security fixes. (Will be disclosed 2 weeks after the release)
Appframework extensions to improve the compatibility with 3rdparty apps
LDAP performance improvements
Fix updating of email addresses from LDAP
Fix WebDAV timestamp format handling
Disable internet connection check if a proxy is configured
Fix a potential file chunking problem on a server that is running out of storage
Do not expire file chunks while checking their existence
Fix loading of authentication apps in any case
Performance improvements by reducing the number of chmod operations.
Make the trusted domain upgrade feature more robust.
Don't allow creating a "Shared" folder.
Fixed "select all" + download on public page
Fix share as link with email multiple users
Reset time of last update feed polling to fix the updater
Share API fixes
Admin option for public upload with encryption enabled
Fix CIFS with home shares
Detect a missing "data" directory mount
Fix the filesize calculation of encrypted files
Fixes in the OpenStack support
Fixes in the SWIFT support
Don't block PHP sessions during download
Fix sharing oc addressbooks
Several ownCloud Documents improvements and fixes
Several smaller bugfixes
Tomcat 6.0.41
=============
Jasper
------
fix 56529: Avoid NoSuchElementException while handling attributes
with empty string value in custom tags. Based on a patch
provided by Hariprasad Manchi. (violetagg/kkolinko)
Tomcat 6.0.40 not released
============================
Catalina
--------
fix 56027: Add more options for managing FIPS mode in the
AprLifecycleListener. (schultz/kkolinko)
fix 56082: Fix a concurrency bug in JULI's LogManager
implementation. (markt)
fix 56236: Enable Tomcat to work with alternative Servlet and
JSP API JARs that package the XML schemas in such a way as
to require a dependency on the JSP API before enabling
validation for web.xml. Tomcat has no such dependency. (markt)
fix Change the default value of the xmlBlockExternal attribute
of Context elements. It is now true. (kkolinko)
fix Don't log to standard out in SSLValve. (kkolinko/markt)
code Use StringBuilder in DefaultServlet. (kkolinko)
fix 56275: Allow web applications to be stopped cleanly even
if filters throw exceptions when their destroy() method is
called. (markt/kkolinko)
fix Redefine the globalXsltFile initialisation parameter of the
DefaultServlet as relative to CATALINA_BASE/conf or
CATALINA_HOME/conf. Prevent user supplied XSLTs used by the
DefaultServlet from defining external entities. (markt)
fix Add a work around for validating XML documents (often TLDs)
that use just the file name to refer to the JavaEE
schema on which they are based. (kkolinko)
fix 56369: Ensure that removing an MBean notification listener
reverts all the operations performed when adding an MBean
notification listener. (markt)
fix Only create XML parsing objects if required and fix associated
potential memory leak in the default Servlet. (markt)
fix Ensure that a TLD parser obtained from the cache has the
correct value of blockExternal. (markt/kkolinko)
add Extend XML factory, parser etc. memory leak protection to
cover some additional locations where, theoretically, a
memory leak could occur. (markt)
add Add the org.apache.naming package to the packages requiring
code to have the defineClassInPackage permission when running
under a security manager. (markt)
add Add the org.apache.naming.resources package to the packages
requiring code to have the accessClassInPackage permission
when running under a security manager. (markt)
fix Make the naming context tokens for containers more robust.
Require RuntimePermission when introducing a new token.
(markt/kkolinko)
Coyote
------
fix Improve processing of chunk size from chunked headers.
Avoid overflow and use a bit shift instead of a multiplication
as it is marginally faster. (markt/kkolinko)
fix Fix possible overflow when parsing long values from a byte
array. (markt)
update 56363: Update to version 1.1.30 of Tomcat Native library.
The minimum required version of this library for APR connector
is now 1.1.30. (kkolinko)
Jasper
------
fix Change the default behaviour of JspC to block XML external
entities by default. (kkolinko)
fix Restore the validateXml option to Jasper that was previously
renamed validateTld. Both options are now supported.
validateXml controls the validation of web.xml files when
Jasper parses them and validateTld controls the validation
of *.tld files when Jasper parses them. (markt)
fix 54475: Add Java 8 support to SMAP generation for JSPs.
Patch by Robbie Gibson. (markt)
fix 56010: Don't throw an IllegalArgumentException when
JspFactory.getPageContext is used with JspWriter.DEFAULT_BUFFER.
Based on a patch by Eugene Chung. (markt)
fix 56265: Do not escape values of dynamic tag attributes
containing EL expressions. (kkolinko)
fix 56283: Add support for running Tomcat 6 with ecj-P20140317-1600.jar
(as drop-in replacement for ecj-4.3.1.jar). Add support for
value "1.8" for the compilerSourceVM and compilerTargetVM
options. Note that ecj-P20140317-1600.jar can only be used
when running with Java 6 or later. The "1.8" options make
sense only when running with Java 8 (or later). (kkolinko)
fix 56334: Fix a regression in the handling of back-slash escaping
introduced by the fix for 55735. (markt/kkolinko)
fix Correct the handling of back-slash escaping in the EL parser
and no longer require that \$ or \# must be followed by { in
order for the back-slash escaping to take effect. (markt)
Cluster
-------
code Refactor AbstractReplicatedMap and related classes to enable
Tomcat 6 to be compiled using Java 8. (markt)
Web applications
----------------
add 56093: Documentation for SSLValve. (markt/kkolinko)
fix Correct documentation on Windows service options, aligning
it with Apache Commons Daemon documentation. (kkolinko)
add Add support for version-major, version-major-minor tags in
documentation XSLT, to simplify documentation backports. (kkolinko)
fix Fix target and rel attributes on links in documentation.
They were lost during XSLT transformation. (kkolinko)
Other
-----
code Remove svn keywords (such as $Id) from source files and
documentation. (kkolinko)
update Improvements to the Windows installer, to align it with
installing the service with service.bat. Use explicit memory
sizes (--JvmMs 128 Mb and --JvmMx 256 Mb). Specify log
directory path when installing, so that the log file is
written to the Tomcat logs directory, instead of
"%SystemRoot%\System32\LogFiles\Apache". (kkolinko)
update 49993, 56143: Improve service.bat script. Allow it to be
launched from non-UAC console. The UAC prompt will be shown
only once. Now there is no need to run the command shell
with elevated privileges. Improve check for JAVA_HOME and
add support for JRE_HOME. Warn if neither "client" nor
"server" JVM is found. Align classpath, display name and
other options with the exe installer. Make command names
case-insensitive. Update documentation. (kkolinko)
This is a security update and approved by wiz@.
Upstream changes:
Changes since 1.22.7
(bug 65839) SECURITY: Prevent external resources in SVG files.
(bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.
Changelog:
SeaMonkey-specific changes
The delimiter for forwarded messages can now be configured.
An option to not strip signatures on reply has been added to prevent top signatures from deleting the body.
Add to Searchbar (search-engine autodiscovery) was implemented.
The location bar tooltip now shows the complete current URL in case it is displayed only partially.
See the changes page for a more complete overview.
Mozilla platform changes
The Gamepad API has been finalized and enabled (learn more).
navigator.plugins is no longer enumerable, for user privacy.
ECMAScript Internationalization API has been enabled.
'box-sizing' (dropping the -moz- prefix) has been implemented.
SharedWorker is now enabled by default.
CSS3 variables have been implemented.
Console object is now available in Web Workers.
Promises have been enabled by default.
<input type="number"> has been implemented and enabled.
<input type="color"> has been implemented and enabled.
Fixed several stability issues.
Fixed in SeaMonkey 2.26.1
MFSA 2014-54 Buffer overflow in Gamepad API
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-51 Use-after-free in Event Listener Manager
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
Fixed in SeaMonkey 2.26
MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript
MFSA 2014-46 Use-after-free in nsHostResolve
MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates
MFSA 2014-44 Use-after-free in imgLoader while resizing images
MFSA 2014-43 Cross-site scripting (XSS) using history navigations
MFSA 2014-42 Privilege escalation through Web Notification API
MFSA 2014-41 Out-of-bounds write in Cairo
MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video
MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
MFSA 2014-37 Out of bounds read while decoding JPG images
MFSA 2014-36 Web Audio memory corruption issues
MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)
* Finnish translation is added and Latvian translation is removed.
* Example website (Music Academy) is removed from core distribution.
It is still available on Contao Extension Repository.
Version 3.2.12 (2014-06-18)
---------------------------
### Fixed
Replace insert tags in external redirect targets (see #6765).
### Fixed
Also apply the font settings to the ACE element (see #7103).
### Fixed
Show the placeholder image in the "edit file" dialog if the original image
exceeds the maximum dimensions supported by the GD library (see #7032).
### Fixed
Preserve whitespace before `<textarea>` tags when minifying code (see #7087).
### Fixed
Restore the PHP 5.3 compatibility of the listing module (see #7078).
### Fixed
Do not offer to drop tables or fields if the safe mode is active (see #7085).
### Fixed
Correctly detect binary fields during theme export (see #7079).
Version 3.3.3 (2014-06-18)
--------------------------
### Fixed
Convert insert tags before assigning the page title to the template (see #7097).
### Fixed
Correctly render images in TinyMCE in the newsletter module (see #7089).
usable with modern gcc.
Since the full "debug" version will behave differently to the standard
version (as it enables all the mozilla internal consistency checks, and
also drops compiler optimization), it is not very useful when trying to
debug crashes that could be compiler bugs, or mozilla low level bugs -
so provide a new option "debug-info" that creates a debuggable, but
fully optimized version.
The result is best run from the pkgobj dir via the
work/build/dist/bin/run-mozilla script with options "-g ./firefox".
No changes to the default pkg generated.
=============
Version 4.2.4
=============
Version 4.2.4 of mod_wsgi can be obtained from:
https://github.com/GrahamDumpleton/mod_wsgi/archive/4.2.4.tar.gz
Bugs Fixed
----------
1. Fixed one off error in applying limit to the number of supplementary
groups allowed for a daemon process group. The result could be that if
more groups than the operating system allowed were specified to the option
``supplementary-groups``, then memory corruption or a process crash could
occur.
2. Improved error handling in setting up the current working directory and
group access rights for a process when creating a daemon process group. The
change means that if any error occurs that the daemon process group will be
restarted rather than allow it to keep running with an incorrect working
directory or group access rights.
New Features
------------
1. Added the ``--setup-only`` option to mod_wsgi express so that it is
possible to create the configuration when using the Django management command
``runmodwsgi`` without actually starting the server.
=============
Version 4.2.3
=============
Version 4.2.3 of mod_wsgi can be obtained from:
https://github.com/GrahamDumpleton/mod_wsgi/archive/4.2.3.tar.gz
Bugs Fixed
----------
1. The feature for starting mod_wsgi express using the Django management
command ``runmodwsgi`` was broken by the 4.2.2 release.
=============
Version 4.2.2
=============
Version 4.2.2 of mod_wsgi can be obtained from:
https://github.com/GrahamDumpleton/mod_wsgi/archive/4.2.2.tar.gz
Bugs Fixed
----------
1. The ``envvars`` file was being overwritten even if it existed and had
been modified.
New Features
------------
1. Output the location of the ``envvars`` file when using the
``setup-server`` command for ``mod_wsgi-express`` or if using the
``start-server`` command and the ``--envars-script`` option was being used.
2. Output the location of the ``apachectl`` script when using the
``setup-server`` command for ``mod_wsgi-express``.
=============
Version 4.2.1
=============
Version 4.2.1 of mod_wsgi can be obtained from:
https://github.com/GrahamDumpleton/mod_wsgi/archive/4.2.1.tar.gz
Bugs Fixed
----------
1. The auto generated configuration would not work with an Apache
installation where core Apache modules were statically compiled into Apache
rather than being dynamically loaded.
=============
Version 4.2.0
=============
Version 4.2.0 of mod_wsgi can be obtained from:
https://github.com/GrahamDumpleton/mod_wsgi/archive/4.2.0.tar.gz
New Features
------------
1. Added ``mod_wsgi.server_metrics()`` function which provides access to a
dictionary of data derived from the Apache worker scoreboard. In effect this
provides access to the same information that is used to create the Apache
server status page.
Note that if ``mod_status`` is not loaded into Apache, or the compile time
configuration of Apache prohibits the scoreboard from being available, this
function will return ``None``.
Also be aware that only partial information about worker status, and no
information about requests, will be returned if the ``ExtendedStatus``
directive is not also set to ``On``.
Although ``mod_status`` needs to be loaded, it is not necessary to enable
any URL to expose the server status page.
2. Added support for a platform plugin for New Relic to ``mod_wsgi-express``
which will report server status information up to New Relic if the
``--with-newrelic`` option is supplied when running mod_wsgi express.
That same option also enables the New Relic Python agent. If you only want
one or the other, you can instead use the ``--with-newrelic-agent`` and
``--with-newrelic-platform`` options.
The feature of ``mod_wsgi-express`` for reporting data up to the New Relic
Platform is dependent upon the separate ``mod_wsgi-metrics`` package being
installed.
Serf 1.3.6 [2014-06-09, from /tags/1.3.6, rxxxx]
Revert r2319 from serf 1.3.5: this change was making serf call handle_response
multiple times in case of an error response, leading to unexpected behavior.
Bugfixes
fixed support for repeated headers in lua plugin
fixed support for embedding config in OpenBSD and NetBSD
various fixes in the curl-based plugins
fixed milliseconds-based waits
fixed sharedarea poller
fixed stats server json escaper
fixed fastcgi parser and implemented eof management
improved fast on-demand mode
exclude avg_rt computation for static files
fixed variables support in uwsgi internal router
fixed websockets + keepalive ordering
disable SIGPIPE management in coroutines-based loop-engines
fixed 64bit sharedarea management in 32bit systems
honour chmod/chown-socket in fd0 mode
hack for avoiding Safari iOS to make mess with keepalive
fixed log setup when both --logto and --log2
fixed mule_get_msg EAGAIN
signal_pidfile returns the right error code
fixed asyncio on OSX
New features
graceful reload of mule processes
SIGHUP is now sent to mules instead of directly killing them. You are free to trap/catch the signal in the code. If a mule does not die in the allowed "mercy time" (--mule-reload-mercy, default 60 seconds), SIGKILL will be sent.
return routing action
The new action will allow users to write simplified "break" clause.
For example, "return:403" is equivalent to "break:403 Forbidden", with response body "Forbidden".
The response body is quite useful for telling end users what goes wrong.
--emperor-no-blacklist
this new option completely disables the blacklisting Emperor subsystem
Icecast2 protocol helpers
One of the upcoming unbit.com projects is a uWSGI based audio/video streaming server.
The plugin (should be released during europython 2014) already supports the Icecast2 protocol.
A bunch of patches have been added to the http router to support the icecast2 protocol.
For example the --http-manage-source option allows the HTTP router to honour SOURCE method requests, automatically placing them in raw mode.
--metrics-no-cores, --stats-no-cores, --stats-no-metrics
When you have hundreds (or thousands) of async cores, exposing metrics of them could be really slow.
Three new options have been added allowing you to disable the generation of core-related metrics and (eventually) their usage in the stats server.
sharedarea improvements
The sharedarea api continues to improve. Latest patches include support for mmapping device directly from the command line.
A funny way for testing it, is mapping the raspberrypi BCM2835 memory, the following example allows you to read the rpi system timer
uwsgi --sharedarea file=/dev/mem,offset=0x20003000,size=4096 ...
now you can read the 64bit value from the first (zero-based) sharedarea:
# read 64bit from 0x20003004
timer = uwsgi.sharedarea_read64(0, 0x04)
obviously, pay attention when accessing rpi memory, an error could crash the whole system !!!
UWSGI_GO_CHEAP_CODE
This exit code (15) can be raised by a worker to tell the master to not respawn it
PROXY1 support for the http router
The option --http-enable-proxy-protocol allows the HTTP router to understand PROXY1 protocol requests (like the ones made by haproxy or amazon elb)
reset_after_push for metrics
This metric attribute ensures that the metric value is reset to 0 (or its hardcoded initial_value) every time the metric is pushed to some external system (like carbon, or statsd)
setremoteaddr
This routing action allows you to completely override the REMOTE_ADDR detected by protocol handlers:
[uwsgi]
; treat all requests as local
route-run = setremoteaddr:127.0.0.1
the resolve option
There are uWSGI options (or plugins) that do not automatically resolve dns names to ip addresses. This option allows you to map a placeholder to the dns resolution of a string:
[uwsgi]
; place the dns resolution of 'example.com' in the 'myserver' placeholder
resolve = myserver=example.com
subscribe2 = server=%(myserver),key=foobar
Changelog:
Fixed in Firefox ESR 24.6
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
Changes to GoAccess 0.8 - Tuesday, May 20, 2014
* Added APT-HTTP to the list of browsers.
* Added data persistence and ability to load data from disk.
* Added IE11 to the list of browsers.
* Added IEMobile to the list of browsers.
* Added multiple command line options.
* Added Nagios check_http to the list of browsers.
* Added parsing progress metrics - total requests / requests per second.
* Added the ability to parse a GeoLiteCity.dat to get the city given an IPv4.
* Change the way the configuration file is parsed. This will parse all
configuration options under ~/.goaccessrc or the specified config file and will
feed getopt_long with the extracted key/value pairs. This also allows the
ability to have comments on the config file which won't be overwritten.
* Ensure autoconf determines the location of ncurses headers.
* Fixed issue where geo_location_data was NULL.
* Fixed issue where GoAccess did not run without a tty allocated to it.
* Fixed potential memory leak on --log-file realpath().
* Fixed Solaris build errors.
* Implemented an on-memory hash database using Tokyo Cabinet. This implementation
allows GoAccess not to rely on GLib's hash table if one is needed.
* Implemented large file support using an on-disk B+ Tree database. This
implementation allows GoAccess not to hold everything in memory but instead it
uses an on-disk B+ Tree database.
* Trimmed leading and trailing whitespaces from keyphrases module.
Version 1.7.3
-------------
Released June 10th 2014
- Fixed a bug where redirection to `SECURITY_POST_LOGIN_VIEW` was not
respected
- Fixed string encoding in various places to be friendly to unicode
- Now using `werkzeug.security.safe_str_cmp` to check tokens
- Removed user information from JSON output on `/reset` responses
- Added Python 3.4 support
Version 0.9.6
-------------
(bugfix release, released on June 7th 2014)
- Added a safe conversion for IRI to URI conversion and use that
internally to work around issues with spec violations for
protocols such as ``itms-service``.
Version 0.9.5
-------------
(bugfix release, released on June 7th 2014)
- Forward charset argument from request objects to the environ
builder.
- Fixed error handling for missing boundaries in multipart data.
- Fixed session creation on systems without ``os.urandom()``.
- Fixed pluses in dictionary keys not being properly URL encoded.
- Fixed a problem with deepcopy not working for multi dicts.
- Fixed a double quoting issue on redirects.
- Fixed a problem with unicode keys appearing in headers on 2.x.
- Fixed a bug with unicode strings in the test builder.
- Fixed a unicode bug on Python 3 in the WSGI profiler.
- Fixed an issue with the safe string compare function on
Python 2.7.7 and Python 3.4.
Fixes the problem where thread safety was not consistent in
the php, ap-php and php-* extension packages, and makes ap-php
adhere to the maintainer-zts option. Bump PKGREVISION.
* debug build is broken
Changelog:
New: Sidebars button in browser chrome enables faster access to social, bookmark, & history sidebars
New: Mac OS X command-E sets find term to selected text
New: Support for GStreamer 1.0
Changed: Disallow calling WebIDL constructors as functions on the web
Developer: With the exception of those bundled inside an extension or ones that are whitelisted, plugins will no longer be activated by default (see blog post)
Developer: Fixes to box-shadow and other visual overflow (see bug 480888)
Developer: Mute and volume available per window when using WebAudio
Developer: background-blend-mode enabled by default
Developer: Use of line-height allowed for <input type="reset|button|submit">
Developer: ES6 array and generator comprehensions implemented (read docs for more details)
Developer: Error stack now contains column number
Developer: Support for alpha option in canvas context options (feature description)
Fixed: Ignore autocomplete="off" when offering to save passwords via the password manager (see 956906)
Fixed: TypedArrays don't support new named properties (see 695438)
Fixed: Various security fixes
Fixed in Firefox 30
MFSA 2014-54 Buffer overflow in Gamepad API
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-51 Use-after-free in Event Listener Manager
MFSA 2014-50 Clickjacking through cursor invisibility after Flash interaction
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
- caching framework may expose private data and/or allow cache poisoning
- stricter checking for valid URLs when redirecting based on user input,
e.g. on the login page
Version 3.3.2 (2014-06-04)
--------------------------
### Fixed
Add the media query to the style sheets in debug mode (see #7070).
### Fixed
Disable the debug mode in the extension creator (see #7068).
### Fixed
Convert image source insert tags in the back end preview (see #7065).
### Fixed
Render all root nodes in the page and file picker (see #6844).
### Fixed
Add the "scssphp-compass" library to support Compass functions.
### Fixed
Support adding multiple TinyMCE instances to the same page (see #7061).
Version 3.2.11 (2014-06-04)
---------------------------
### Fixed
Make `$this->locationLabel` available in the event list (see #7030).
### Fixed
Correctly set the root page title (see #7023).
### Fixed
Only show the sort hint if there is more than one element (see #6935).
### Fixed
Try to raise the PHP limits upon file synchronization (see #7035).
Security fixes
~~~~~~~~~~~~~~
* The XSRF token is now encoded with a random mask on each request.
This makes it safe to include in compressed pages without being
vulnerable to the `BREACH attack <http://breachattack.com>`_.
This applies to most applications that use both the ``xsrf_cookies``
and ``gzip`` options (or have gzip applied by a proxy).
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* If Tornado 3.2.2 is run at the same time as older versions on the same
domain, there is some potential for issues with the differing cookie
versions. The `.Application` setting ``xsrf_cookie_version=1`` can
be used for a transitional period to generate the older cookie format
on newer servers.
Other changes
~~~~~~~~~~~~~
* ``tornado.platform.asyncio`` is now compatible with ``trollius`` version 0.3.
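The per-request masking described in the Tornado security notes above, as an added Python example that is not Tornado's own code: the secret token stays constant, but every response carries it XORed with a fresh random mask, so the bytes that end up in a compressed page differ each time. The function names, the `mask.masked` hex layout and the full-length mask are assumptions made for this illustration.

```python
import binascii
import hmac
import os
from typing import Optional

TOKEN_LEN = 16  # bytes of randomness in the secret token (size assumed for this example)


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def mask_token(raw_token: bytes) -> str:
    """Return a fresh encoding of the same secret token.

    A new random mask is drawn on every call, so the encoded value that is
    written into a form field or cookie never repeats between responses.
    """
    mask = os.urandom(len(raw_token))
    masked = _xor(mask, raw_token)
    return (binascii.hexlify(mask) + b"." + binascii.hexlify(masked)).decode("ascii")


def unmask_token(encoded: str) -> Optional[bytes]:
    """Recover the secret token, or return None if the value is malformed."""
    try:
        mask_hex, masked_hex = encoded.split(".")
        mask = binascii.unhexlify(mask_hex)
        masked = binascii.unhexlify(masked_hex)
    except (ValueError, AttributeError):
        # Wrong number of fields, bad hex, or a non-string value.
        return None
    if not mask or len(mask) != len(masked):
        return None
    return _xor(mask, masked)


def check_xsrf(cookie_value: str, submitted_value: str) -> bool:
    """Compare the unmasked tokens, not the encoded strings.

    The two encodings are expected to differ; only the underlying secret
    must match. The comparison is constant-time.
    """
    expected = unmask_token(cookie_value)
    supplied = unmask_token(submitted_value)
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    secret = os.urandom(TOKEN_LEN)   # constructed sample secret
    cookie = mask_token(secret)
    for _ in range(3):
        field = mask_token(secret)   # different text on every response
        print(field, check_xsrf(cookie, field))
```

The server must compare the unmasked values: a check that compares the encoded cookie and form strings directly would reject every legitimate request once masking is on.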
added 'as' form to render_placeholder templatetag to save the result in context
added changeable strings for "?edit", "?edit_off" and "?build" urls
utils.page_resolver has been optimized
the get_page_from_path() api has been changed
fixed manage.py cms uninstall plugin for table-patched plugins
added support for python 3.4
docs updated
publish on apphook subpages no longer redirects to the apphook root
- Slovak translation (@jbub).
- Deleting a user no longer deletes the associated revisions (@daaray).
- Improving handling of inline models in admin integration (@blueyed).
- Improving error messages for proxy model registration (@blueyed).
- Improvements to using migrations with custom user model (@aivins).
- Removing sys.exit() in deleterevisions management command, allowing it to be used internally by Django projects (@tongwang).
- Fixing some backwards-compatible admin deprecation warnings (Thomas Schreiber).
- Fixing tests if RevisionMiddleware is used as a decorator in the parent project (@jmoldow).
- Derived models, such as those generated by deferred querysets, now work.
- Removed deprecated low-level API methods.
2.2.5 (2014-06-05)
------------------
Enhancements
- new meta tag to tell IE to use the highest mode available
- updated Dutch, Finnish, German, and Polish translations
Bug fixes
- avoid crashing when we forward an email with no Subject header
- we no longer try to include attachments when replying to a mail
- fixed ActiveSync repetitive events issues with "Weekly" and "Monthly" ones
- fixed ActiveSync text/plain parts re-encoding issues for Outlook
2.2.4 (2014-05-29)
------------------
New features
- new print option in Calendar module
- now able to save unknown recipient emails to address book on send (#1496)
Enhancements
- Sieve folder encoding is now configurable (#2622)
- SOGo version is now displayed in preferences window (#2612)
- report Sieve error when saving preferences (#1046)
- added the SOGoMaximumSyncWindowSize system default to overwrite the
maximum number of items returned during an ActiveSync sync operation
- updated datepicker
- addressbooks properties are now accessible from a popup window
- extended events and tasks searches
- updated Czech, French, Hungarian, Polish, Russian, Slovak, Spanish (Argentina), and Spanish (Spain) translations
- added more synced contact properties when using ActiveSync (#2775)
- now possible to configure the default subscribed resource name using SOGoSubscriptionFolderFormat
- now handle server-side folder updates using ActiveSync (#2688)
- updated CKEditor to version 4.4.1
Bug fixes
- fixed saved HTML content of draft when attaching a file
- fixed text nodes of HTML content handler by encoding HTML entities
- fixed iCal7 delegation issue with the "inbox" folder (#2489)
- fixed birth date validity checks (#1636)
- fixed URL handling (#2616)
- improved folder rename operations using ActiveSync (#2700)
- fixed SmartReply/Forward when ReplaceMime was omitted (#2680)
- fixed wrong generation of weekly repetitive events with ActiveSync (#2654)
- fixed incorrect XML data conversion with ActiveSync (#2695)
- fixed display of events having a category with HTML entities (#2703)
- fixed display of images in CSS background (#2437)
- fixed limitation of Sieve script size (#2745)
- fixed sync-token generation when no change was returned (#2492)
- fixed the IMAP copy/move operation between subfolders in different accounts
- fixed synchronization of seen/unseen status of msgs in Webmail (#2715)
- fixed focus of popup windows open through a contextual menu with Firefox on Windows 7
- fixed missing characters in shared folder names over ActiveSync (#2709)
- fixed reply and forward mail templates for Brazilian Portuguese (#2738)
- fixed newline in signature when forwarding a message as attachment in HTML mode (#2787)
- fixed restoration of options (priority & return receipt) when editing a draft (#193)
- fixed update of participation status via CalDAV (#2786)
2.2.3 (2014-04-03)
------------------
Enhancements
- updated Dutch, Hungarian, Russian and Spanish (Argentina) translations
- initial support for ActiveSync event reminders support (#2681)
- updated CKEditor to version 4.3.4
Bug fixes
- fixed possible exception when retrieving the default event reminder value on 64bit architectures (#2678)
- fixed calling unescapeHTML on null variables to avoid JavaScript exceptions in Contacts module
- fixed detection of IMAP flags support on the client side (#2664)
- fixed the ActiveSync issue marking all mails as read when downloading them
- fixed ActiveSync's move operations not working for multiple selections (#2691)
- fixed email validation regexp to allow gTLDs
- improved all-day events support for ActiveSync (#2686)
2.2.2 (2014-03-21)
------------------
Enhancements
- updated French, Finnish, German and Spanish (Spain) translations
- added sanitization support for Outlook/ActiveSync to circumvent Outlook bugs (#2667)
- updated CKEditor to version 4.3.3
- updated jQuery File Upload to version 9.5.7
Bug fixes
- fixed possible exception when retrieving the default event reminder value on 64bit architectures (#2647, #2648)
- disable file paste support in mail editor (#2641)
- fixed copying/moving messages to a mail folder beginning with a digit (#2658)
- fixed unseen count for folders beginning with a digit and used in Sieve filters (#2652)
- fixed decoding of HTML entities in reminder alerts (#2659)
- fixed check for resource conflict when creating an event in the resource's calendar (#2541)
- fixed construction of mail folders tree
- fixed parsing of ORG attribute in cards (#2662)
- disabled ActiveSync provisioning for now (#2663)
- fixed messages move in Outlook which would create duplicates (#2650)
- fixed translations for OtherUsersFolderName and SharedFoldersName folders (#2657)
- fixed handling of accentuated characters when filtering contacts (#2656)
- fixed classification icon of events (#2651)
- fixed ActiveSync's SendMail with client version <= 12.1 (#2669)
4.1.3
Known Issues
1. The makefiles for building mod_wsgi on Windows are currently
broken and need updating. As most new changes relate to mod_wsgi
daemon mode, which is not supported under Windows, you should keep
using the last available binary for version 3.X on Windows instead.
Bugs Fixed
1. The setup.py file wasn't always detecting the Python library
version suffix properly when setting it up to be linked into the
resulting mod_wsgi.so. This would cause an error message at link
time of:
4.1.2
Bugs Fixed
1. The integration for Django management command was looking for
the wrong name for the admin script to start mod_wsgi express.
2. The code which connected to the mod_wsgi daemon process was
passing an incorrect size into the connect() call for the size of
the address structure. On some Linux systems this would cause an
error similar to:
(22)Invalid argument: mod_wsgi (pid=22944): Unable to connect to \
WSGI daemon process 'localhost:8000' on \
'/tmp/mod_wsgi-localhost:8000:12145/wsgi.22942.0.1.sock'
This issue was only introduced in 4.1.0 and does not affect older
versions.
3. The deadlock detection thread could try and acquire the Python
GIL after the Python interpreter had been destroyed on Python
shutdown resulting in the process crashing. This issue cannot be
completely eliminated, but the deadlock thread will now at least
check whether the flag indicating process shutdown is happening
has been set before trying to acquire the Python GIL.
4.1.1
Bugs Fixed
1. Compilation would fail on Apache 2.4 due to a change in the
Apache API to determine the name of the MPM being used.
4.1.0
Bugs Fixed
1. If a UNIX signal was received by a daemon mode process while still
being initialised to signal that it should be shutdown, the process
could crash rather than shutdown properly due to not registering
the signal pipe prior to registering signal handler.
2. Python doesn't initialise codecs in sub interpreters automatically
which in some cases could cause code running in WSGI script to fail
due to lack of encoding for Unicode strings when converting them.
The error message in this case was:
LookupError: no codec search functions registered: can't find
encoding
The "ascii" encoding is now forcibly loaded when initialising sub
interpreters to get Python to initialise codecs.
3. Fixed reference counting bug under Python 3 in SSL var_lookup()
function which can be used from an auth handler to look up SSL
variables.
4. The WWW-Authenticate headers returned from a WSGI application
when run under daemon mode are now always preserved as is.
Because of previously using an internal routine of Apache, way back
in time the values of multiple WWW-Authenticate headers would be
merged when there was more than one. This would cause an issue with
some browsers.
A workaround was subsequently implemented above the Apache routine
to break apart the merged header to create separate ones again,
however, if the value of a header validly had a "," in it, this
would cause the header value to be broken apart where it wasn't
meant to. This could cause issues with some type of WWW-Authenticate
headers.
Features Removed
1. No longer support the use of mod_python in conjunction with
mod_wsgi. When this is attempted an error is forced and Apache will
not be able to start. An error message is logged in main Apache
error log.
2. No longer support the use of Apache 1.3. Minimum requirement is
now Apache 2.0.
Features Changed
1. Use of kernel sendfile() function by wsgi.file_wrapper is now
off by default. This was originally always on for embedded mode
and completely disabled for daemon mode. Use of this feature can
be enabled for either mode using WSGIEnableSendfile directive,
setting it to On to enable it.
The default is now off because kernel sendfile() is not always able
to work on all file objects. Some instances where it will not work
are described for the Apache EnableSendfile directive.
http://httpd.apache.org/docs/2.2/mod/core.html#enablesendfile
Although Apache has use of sendfile() enabled by default for static
files, they are moving to having it off by default in a future version
of Apache. This change is being made because of the problems which
arise and users not knowing how to debug it and solve it.
Thus mod_wsgi is also erring on the side of caution and having it off
by default, but allowing more knowledgeable users to enable it where
they know they are always using file objects which will work with
sendfile().
2. The HTTPS variable is no longer set within the WSGI environment.
The authoritative indicator of whether a SSL connection is used is
wsgi.url_scheme and a WSGI compliant application should check for
wsgi.url_scheme. The only reason that HTTPS was supplied at all
was because early Django versions supporting WSGI interface weren't
correctly using wsgi.url_scheme. Instead they were expecting to
see HTTPS to exist.
This change will cause non conformant WSGI applications to finally
break. This possibly includes some Django versions prior to Django
version 1.0.
Note that you can still set HTTPS in Apache configuration using
the SetEnv or SetEnvIf directive, or via a rewrite rule. In that
case, that will override what wsgi.url_scheme is set to and once
wsgi.url_scheme is set appropriately, the HTTPS variable will be
removed from the set of variables passed through to the WSGI
environment.
3. The wsgi.version variable has been reverted to 1.0 to conform
to the WSGI PEP 3333 specification. It was originally set to 1.1
on expectation that revised specification would use 1.1 but that
didn't come to be.
4. The inactivity-timeout option to WSGIDaemonProcess now only
results in the daemon process being restarted after the idle timeout
period where there are no active requests. Previously it would also
interrupt a long running request. See the new request-timeout option
for a way of interrupting long running, potentially blocked requests
and restarting the process.
5. If the home option is used with WSGIDaemonProcess, in addition
to that directory being made the current working directory for the
process, an empty string will be added to the start of the Python
module search path. This causes Python to look in the current
working directory for Python modules when they are being imported.
This behaviour brings things into line with what happens when
running the Python interpreter from the command line. You must
though be using the home option for this to come into play.
Do note that if your application then changes the working directory,
it will start looking in the new current working directory and not
that which is specified by the home option. This again mirrors what
the normal Python command line interpreter does.
New Features
1. Add supplementary-groups option to WSGIDaemonProcess to allow
group membership to be overridden and a specified comma separated
list of groups used instead.
2. Add a graceful-timeout option to WSGIDaemonProcess. This option
is applied in a number of circumstances.
When maximum-requests and this option are used together, when
maximum requests is reached, rather than immediately shutdown,
potentially interrupting active requests if they don't finish within
the shutdown timeout, can specify a separate graceful shutdown period.
If all requests are completed within this time frame then will
shutdown immediately, otherwise normal forced shutdown kicks in.
In some respects this is just allowing a separate shutdown timeout
on cases where requests could be interrupted and could avoid it if
possible.
When cpu-time-limit and this option are used together, when CPU
time limit reached, rather than immediately shutdown, potentially
interrupting active requests if they don't finish within the shutdown
timeout, can specify a separate graceful shutdown period.
3. Add potentially graceful process restart option for daemon
processes when sent a graceful restart signal. Signal is usually
SIGUSR1 but is platform dependent as using same signal as Apache
would use. If the graceful-timeout option had been provided to
WSGIDaemonProcess, then the process will attempt graceful shutdown
first based on that timeout, otherwise normal shutdown procedure
used as if received a SIGTERM.
4. Add memory-limit option to WSGIDaemonProcess to allow memory
usage of daemon processes to be restricted. This will have no effect
on some platforms as RLIMIT_AS/RLIMIT_DATA with setrlimit() isn't
always implemented. For example MacOS X and older Linux kernel
versions do not implement this feature. You will need to test
whether this feature works or not before depending on it.
5. Add virtual-memory-limit option to WSGIDaemonProcess to allow
virtual memory usage of daemon processes to be restricted. This
will have no effect on some platforms as RLIMIT_VMEM with setrlimit()
isn't always implemented. You will need to test whether this feature
works or not before depending on it.
6. Access, authentication and authorisation hooks now have additional
keys in the environ dictionary for mod_ssl.is_https and
mod_ssl.var_lookup. These equate to callable functions provided by
mod_ssl for determining if the client connection to Apache used
SSL and what the values of variables specified in the SSL certificates,
server or client, are. These are only available if Apache 2.0 or
later is being used.
7. For Python 2.6 and above, the WSGIDontWriteBytecode directive
can be used at global scope in Apache configuration to disable
writing of all byte code files, ie., .pyc, by the Python interpreter
when it imports Python code files. To disable writing of byte code
files, set directive to On.
Note that this doesn't prevent existing byte code files on disk
being used in preference to the corresponding Python code files.
Thus you should first remove .pyc files from web application
directories if relying on this option to ensure that .py file is
always used.
8. Add request-timeout option to WSGIDaemonProcess to allow a
separate timeout to be applied on how long a request is allowed to
run for before the daemon process is automatically restarted to
interrupt the request.
This is to counter the possibility that a request may become blocked
on some backend service, thereby using up available requests threads
and preventing other requests to be handled.
In the case of a single threaded process, then the timeout will
happen at the specified time duration from the start of the request
being handled.
Applying such a timeout in the case of a multithreaded process is
more problematic as doing a restart when a single request exceeds
the timeout could unduly interfere with requests which just
commenced.
In the case of a multi threaded process, what is instead done is
to take the total of the current running time of all requests and
divide that by the number of threads handling requests in that
process. When this average time exceeds the time specified, then
the process will be restarted.
This strategy for a multithreaded process means that individual
requests can actually run longer than the specified timeout and a
restart will only be performed when the overall capacity of the
processes appears to be getting consumed by a number of concurrent
long running requests, or when a specific request has been blocked
for an excessively long time.
The intent of this is to allow the process to still keep handling
requests and only perform a restart when the available capacity of
the process to handle more requests looks to be potentially on the
decline.
9. Add connect-timeout option to WSGIDaemonProcess to allow a
timeout to be specified on how long the Apache child worker processes
should wait on being able to obtain a connection to the mod_wsgi
daemon process.
As UNIX domain sockets are used, connections should always succeed,
however there have been some incidences seen which could only be
explained by the operating system hanging on the initial connect
call without being added to the daemon process socket listener
queue. As such the timeout has been added. The timeout defaults to
15 seconds.
This timeout also now dictates how long the Apache child worker
process will attempt to get a connection to the daemon process when
the connection is refused due to the daemon socket listener queue
being full. Previously how long connection attempts were tried was
based on an internal retry count rather than a configurable timeout.
10. Add socket-timeout option to WSGIDaemonProcess to allow the
timeout on individual read/writes on the socket connection between
the Apache child worker and the daemon process to be specified
separately to the Apache Timeout directive.
If this option is not specified, it will default to the value of
the Apache Timeout directive.
11. Add queue-timeout option to WSGIDaemonProcess to allow a request
to be aborted if it never got handed off to a mod_wsgi daemon
process within the specified time. When this occurs a "503 Service
Unavailable" response will be returned.
This is to allow one to control what to do when backlogging of
requests occurs. If the daemon process is overloaded and getting
behind, then it is more than likely that a user will have given up
on the request anyway if they have to wait too long. This option
allows you to specify that a request that was queued up waiting
for too long is discarded, allowing any transient backlog to be
quickly discarded and not simply cause the daemon process to become
even more backlogged.
12. Add listen-backlog option to WSGIDaemonProcess to allow the
daemon process socket listener backlog size to be specified. By
default this limit is 100, although this is actually a hint, as
different operating systems can have different limits on the maximum
value or otherwise treat it in special ways.
13. Add WSGIPythonHashSeed directive to allow Python behaviour
related to initial hash seed to be overridden when the interpreter
supports it.
This is equivalent to setting the PYTHONHASHSEED environment variable
and should be set to either random or a number in the range
[0; 4294967295].
14. Implemented a new streamlined way of installing mod_wsgi as a
Python package using a setup.py file or from PyPI. This includes
a mod_wsgi-express script that can then be used to start up
Apache/mod_wsgi with an auto generated configuration on port 8000.
This makes it easy to run up Apache for development without
interfering with the main Apache on the system and without having
to worry about configuring Apache. Command line options can be used
to override behaviour.
Once the mod_wsgi package has been installed into your Python
installation, you can run:
mod_wsgi-express start-server
Then open your browser on the listed URL. This will verify that
everything is working. Enter CTRL-C to exit the server and shut it
down.
You can now point it at a specific WSGI application script file:
mod_wsgi-express start-server wsgi.py
For options run:
mod_wsgi-express start-server --help
If you already have another web server running on port 8000, you
can override the port to be used using the --port option:
mod_wsgi-express start-server wsgi.py --port 8001
15. Implemented a Django application plugin to add a runmodwsgi
command to the Django management command script. This allows the
automatic run up of the new mod_wsgi express script, with it hosting
the Django web site the plugin was added to.
To enable, once the mod_wsgi package has been installed into your
Python installation, add mod_wsgi.server to the INSTALLED_APPS
setting in your Django settings file.
After having run the collectstatic Django management command, you
can then run:
python manage.py runmodwsgi
For options run:
python manage.py runmodwsgi --help
To enable automatic code reloading in a development setting, use
the option:
python manage.py runmodwsgi --reload-on-changes
16. The maximum size that a response header/value can be that is
returned from a WSGI application under daemon mode can now be
configured. The default size has also now been increased from 8192
bytes to 32768 bytes. The name of the option to WSGIDaemonProcess
to set the buffer size used is header-buffer-size.
Security Issues
Local privilege escalation when using daemon mode. (CVE-2014-0240)
The issue is believed to affect Linux systems running kernel versions
>= 2.6.0 and < 3.1.0.
The issue affects all versions of mod_wsgi up to and including
version 3.4.
The source of the issue derives from mod_wsgi not correctly handling
Linux specific error codes from setuid(), which differ to what
would be expected to be returned by UNIX systems conforming to the
Open Group UNIX specification for setuid().
http://man7.org/linux/man-pages/man2/setuid.2.html
http://pubs.opengroup.org/onlinepubs/009695399/functions/setuid.html
This difference in behaviour between Linux and the UNIX specification
was believed to have been removed in version 3.1.0 of the Linux
kernel.
https://groups.google.com/forum/?fromgroups=#!topic/linux.kernel/u6cKf4D1D-k
The issue would allow a user, where Apache is initially being
started as the root user and where running code under mod_wsgi
daemon mode as an unprivileged user, to manipulate the number of
processes run by that user to affect the outcome of setuid() when
daemon mode processes are forked and so gain escalated privileges
for the user's code.
Due to the nature of the issue, if you provide a service or allow
untrusted users to run Python web applications you do not control
the code for, and do so using daemon mode of mod_wsgi, you should
update mod_wsgi as soon as possible.
Bugs Fixed
1. Python 3 installations can add a suffix to the Python library.
So instead of libpythonX.Y.so it can be libpythonX.Ym.so.
2. When using daemon mode, if an uncaught exception occurred when
handling a request, when response was proxied back via the Apache
child process, an internal value for the HTTP status line was not
cleared correctly. This was resulting in a HTTP status in response
to client of "200 Error" rather than "500 Internal Server Error".
Note that this only affected the status line and not the actual
HTTP status. The status would still be 500 and the client would
still interpret it as a failed request.
3. Null out Apache scoreboard handle in daemon processes for Apache
2.4 to avoid process crash when lingering close cleanup occurs.
4. Workaround broken MacOS X XCode Toolchain references in Apache
apxs build configuration tool and operating system libtool script.
This means it is no longer necessary to manually go into:
Applications/Xcode.app/Contents/Developer/Toolchains
and manually add symlinks to define the true location of the compiler
tools.
5. Restore ability to compile mod_wsgi source code under Apache
1.3.
6. Fix checks for whether the ITK MPM is used and whether ITK MPM
specific actions should be taken around the ownership of the mod_wsgi
daemon process listener socket.
7. Fix issue where when using Python 3.4, mod_wsgi daemon processes
would actually crash when the processes were being shutdown.
8. Made traditional library linking the default on MacOS X. If
needing framework style linking for the Python framework, then use
the --enable-framework option. The existing --disable-framework
has now been removed given that the default action has been swapped
around.
New Features
1. For Linux 2.4 and later, enable ability of daemon processes to
dump core files when Apache CoreDumpDirectory directive used.
2. Attempt to log whether daemon process exited normally or was
killed off by an unexpected signal.