Upstream changes:
Nextcloud 16 is smarter than ever, with machine learning to detect suspicious
logins and offering clever recommendations. Group Folders now sport access control
lists so system administrators can easily manage who has access to what in
organization-wide shares. We also introduce Projects, a way to easily relate
and find related information like files, chats or tasks.
As this is a major release, the changelog is very long.
Please visit: https://nextcloud.com/changelog/
5.7.8
- Fix regression in restarting kernels in 5.7.5.
The restart handler would return before restart was completed.
- Further improve compatibility with tornado 6 with improved
checks for when websockets are closed.
- Fix regression in 5.7.6 on Windows where .js files could have the wrong mime-type.
- Fix Open Redirect vulnerability (CVE-2019-10255)
where certain malicious URLs could redirect from the Jupyter login page
to a malicious site after a successful login.
5.7.7 contained only a partial fix for this issue.
Version 2.0.8:
- Support recursive (self) ForeignKey relations.
Version 2.0.7:
- Fixed AstroidImportError for DecimalField.
- Add load_configuration() in pylint_django/__init__.py.
- Support ForeignKey relations with to keyword.
Version 0.15.2
- Rule code generation uses a filename that coverage will ignore.
The previous value, "generated", was causing coverage to fail.
- The test client removes the cookie header if there are no persisted
cookies. This fixes an issue introduced in 0.15.0 where the cookies
from the original request were used for redirects, causing functions
such as logout to fail.
- The test client copies the environ before passing it to the app, to
prevent in-place modifications from affecting redirect requests.
- The "werkzeug" logger only adds a handler if there is no handler
configured for its level in the logging chain. This avoids double
logging if other code configures logging first.
Version 0.15.1
- :class:~exceptions.Unauthorized takes description as the first
argument, restoring previous behavior. The new www_authenticate
argument is listed second.
Version 0.15.0
- Building URLs is ~7x faster. Each :class:~routing.Rule compiles
an optimized function for building itself.
- :meth:MapAdapter.build() <routing.MapAdapter.build> can be passed
a :class:~datastructures.MultiDict to represent multiple values
for a key. It already did this when passing a dict with a list
value.
- path_info defaults to '/' for
:meth:Map.bind() <routing.Map.bind>.
(:pr:1316)
- Change RequestRedirect code from 301 to 308, preserving the verb
and request body (form data) during redirect.
- int and float converters in URL rules will handle negative
values if passed the signed=True parameter. For example,
/jump/<int(signed=True):count>.
- Location autocorrection in :func:Response.get_wsgi_headers()
<wrappers.BaseResponse.get_wsgi_headers> is relative to the current
path rather than the root path.
(:pr:1315)
- 412 responses once again include entity headers and an error message
in the body. They were originally omitted when implementing
If-Match
- The Content-Length header is removed for 1xx and 204 responses. This
fixes a previous change where no body would be sent, but the header
would still be present. The new behavior matches RFC 7230.
- :class:~exceptions.Unauthorized takes a www_authenticate
parameter to set the WWW-Authenticate header for the response,
which is technically required for a valid 401 response.
- Add support for status code 424 :exc:~exceptions.FailedDependency.
- :func:http.parse_cookie ignores empty segments rather than
producing a cookie with no key or value.
- :func:~http.parse_authorization_header (and
:class:~datastructures.Authorization,
:attr:~wrappers.Request.authorization) treats the authorization
header as UTF-8. On Python 2, basic auth username and password are
unicode.
- :func:~http.parse_options_header understands :rfc:2231 parameter
continuations.
- :func:~urls.uri_to_iri does not unquote ASCII characters in the
unreserved class, such as space, and leaves invalid bytes quoted
when decoding. :func:~urls.iri_to_uri does not quote reserved
characters. See :rfc:3987 for these character classes.
- get_content_type appends a charset for any mimetype that ends
with +xml, not just those that start with application/.
Known text types such as application/javascript are also given
charsets.
- Clean up werkzeug.security module, remove outdated hashlib
support.
- In :func:~security.generate_password_hash, PBKDF2 uses 150000
iterations by default, increased from 50000.
- :class:~wsgi.ClosingIterator calls close on the wrapped
*iterable*, not the internal iterator. This doesn't affect objects
where __iter__ returned self. For other objects, the method
was not called before.
- Bytes may be used as keys in :class:~datastructures.Headers, they
will be decoded as Latin-1 like values are.
- :class:~datastructures.Range validates that list of range tuples
passed to it would produce a valid Range header.
- :class:~datastructures.FileStorage looks up attributes on
stream._file if they don't exist on stream, working around
an issue where :func:tempfile.SpooledTemporaryFile didn't
implement all of :class:io.IOBase. See
https://github.com/python/cpython/pull/3249.
- :class:CombinedMultiDict.copy() <datastructures.CombinedMultiDict>
returns a shallow mutable copy as a
:class:~datastructures.MultiDict. The copy no longer reflects
changes to the combined dicts, but is more generally useful.
- The version of jQuery used by the debugger is updated to 3.3.1.
- The debugger correctly renders long markupsafe.Markup instances.
- The debugger can serve resources when Werkzeug is installed as a
zip file. DebuggedApplication.get_resource uses
pkgutil.get_data.
- The debugger and server log support Python 3's chained exceptions.
- The interactive debugger highlights frames that come from user code
to make them easy to pick out in a long stack trace. Note that if an
env was created with virtualenv instead of venv, the debugger may
incorrectly classify some frames.
- Clicking the error message at the top of the interactive debugger
will jump down to the bottom of the traceback.
- When generating a PIN, the debugger will ignore a KeyError
raised when the current UID doesn't have an associated username,
which can happen in Docker.
- :class:~exceptions.BadRequestKeyError adds the KeyError
message to the description, making it clearer what caused the 400
error. Frameworks like Flask can omit this information in production
by setting e.args = ().
- If a nested ImportError occurs from :func:~utils.import_string
the traceback mentions the nested import. Removes an untested code
path for handling "modules not yet set up by the parent."
- Triggering a reload while using a tool such as PDB no longer hides
input.
- The reloader will not prepend the Python executable to the command
line if the Python file is marked executable. This allows the
reloader to work on NixOS.
- Fix an issue where sys.path would change between reloads when
running with python -m app. The reloader can detect that a
module was run with "-m" and reconstructs that instead of the file
path in sys.argv when reloading.
- The dev server can bind to a Unix socket by passing a hostname like
unix://app.socket.
- Server uses IPPROTO_TCP constant instead of SOL_TCP for
Jython compatibility.
- When using an adhoc SSL cert with :func:~serving.run_simple, the
cert is shown as self-signed rather than signed by an invalid
authority.
- The development server logs the unquoted IRI rather than the raw
request line, to make it easier to work with Unicode in request
paths during development.
- The development server recognizes ConnectionError on Python 3 to
silence client disconnects, and does not silence other OSErrors
that may have been raised inside the application.
- The environ keys REQUEST_URI and RAW_URI contain the raw
path before it was percent-decoded. This is non-standard, but many
WSGI servers add them. Middleware could replace PATH_INFO with
this to route based on the raw value.
- :class:~test.EnvironBuilder doesn't set CONTENT_TYPE or
CONTENT_LENGTH in the environ if they aren't set. Previously
these used default values if they weren't set. Now it's possible to
distinguish between empty and unset values.
- The test client raises a ValueError if a query string argument
would overwrite a query string in the path.
- :class:test.EnvironBuilder and :class:test.Client take a
json argument instead of manually passing data and
content_type. This is serialized using the
:meth:test.EnvironBuilder.json_dumps method.
- :class:test.Client redirect handling is rewritten.
- The redirect environ is copied from the initial request environ.
- Script root and path are correctly distinguished when
redirecting to a path under the root.
- The HEAD method is not changed to GET.
- 307 and 308 codes preserve the method and body. All others
ignore the body and related headers.
- Headers are passed to the new request for all codes, following
what browsers do.
- :class:test.EnvironBuilder sets the content type and length
headers in addition to the WSGI keys when detecting them from
the data.
- Intermediate response bodies are iterated over even when
buffered=False to ensure iterator middleware can run cleanup
code safely. Only the last response is not buffered.
- :class:~test.EnvironBuilder, :class:~datastructures.FileStorage,
and :func:wsgi.get_input_stream no longer share a global
_empty_stream instance. This improves test isolation by
preventing cases where closing the stream in one request would
affect other usages.
- The default :attr:SecureCookie.serialization_method
<contrib.securecookie.SecureCookie.serialization_method> will
change from :mod:pickle to :mod:json in 1.0. To upgrade existing
tokens, override :meth:~contrib.securecookie.SecureCookie.unquote
to try pickle if json fails.
- CGIRootFix no longer modifies PATH_INFO for very old
versions of Lighttpd. LighttpdCGIRootFix was renamed to
CGIRootFix in 0.9. Both are deprecated and will be removed in
version 1.0.
- :class:werkzeug.wrappers.json.JSONMixin has been replaced with
Flask's implementation. Check the docs for the full API.
- The :doc:contrib modules </contrib/index> are deprecated and will
either be moved into werkzeug core or removed completely in
version 1.0. Some modules that already issued deprecation warnings
have been removed. Be sure to run or test your code with
python -W default::DeprecationWarning to catch any deprecated
code you're using.
- LintMiddleware has moved to :mod:werkzeug.middleware.lint.
- ProfilerMiddleware has moved to
:mod:werkzeug.middleware.profiler.
- ProxyFix has moved to :mod:werkzeug.middleware.proxy_fix.
- JSONRequestMixin has moved to :mod:werkzeug.wrappers.json.
- cache has been extracted into a separate project,
cachelib <https://github.com/pallets/cachelib>_. The version
in Werkzeug is deprecated.
- securecookie and sessions have been extracted into a
separate project,
secure-cookie <https://github.com/pallets/secure-cookie>_. The
version in Werkzeug is deprecated.
- Everything in fixers, except ProxyFix, is deprecated.
- Everything in wrappers, except JSONMixin, is deprecated.
- atom is deprecated. This did not fit in with the rest of
Werkzeug, and is better served by a dedicated library in the
community.
- jsrouting is removed. Set URLs when rendering templates
or JSON responses instead.
- limiter is removed. Its specific use is handled by Werkzeug
directly, but stream limiting is better handled by the WSGI
server in general.
- testtools is removed. It did not offer significant benefit
over the default test client.
- iterio is deprecated.
- :func:wsgi.get_host no longer looks at X-Forwarded-For. Use
:class:~middleware.proxy_fix.ProxyFix to handle that.
- :class:~middleware.proxy_fix.ProxyFix is refactored to support
more headers, multiple values, and more secure configuration.
- Each header supports multiple values. The trusted number of
proxies is configured separately for each header. The
num_proxies argument is deprecated.
- Sets SERVER_NAME and SERVER_PORT based on
X-Forwarded-Host.
- Sets SERVER_PORT and modifies HTTP_HOST based on
X-Forwarded-Port.
- Sets SCRIPT_NAME based on X-Forwarded-Prefix.
- The original WSGI environment values are stored in the
werkzeug.proxy_fix.orig key, a dict. The individual keys
werkzeug.proxy_fix.orig_remote_addr,
werkzeug.proxy_fix.orig_wsgi_url_scheme, and
werkzeug.proxy_fix.orig_http_host are deprecated.
- Middleware from werkzeug.wsgi has moved to separate modules
under werkzeug.middleware, along with the middleware moved from
werkzeug.contrib. The old werkzeug.wsgi imports are
deprecated and will be removed in version 1.0.
- werkzeug.wsgi.DispatcherMiddleware has moved to
:class:werkzeug.middleware.dispatcher.DispatcherMiddleware.
- werkzeug.wsgi.ProxyMiddleware has moved to
:class:werkzeug.middleware.http_proxy.ProxyMiddleware.
- werkzeug.wsgi.SharedDataMiddleware has moved to
:class:werkzeug.middleware.shared_data.SharedDataMiddleware.
- :class:~middleware.http_proxy.ProxyMiddleware proxies the query
string.
- The filenames generated by
:class:~middleware.profiler.ProfilerMiddleware can be customized.
- The werkzeug.wrappers module has been converted to a package,
and its various classes have been organized into separate modules.
Any previously documented classes, understood to be the existing
public API, are still importable from werkzeug.wrappers, or may
be imported from their specific modules.
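Added example, not part of the Werkzeug changelog and not Werkzeug's own code: a standard-library sketch of the per-header trust counts described in the ProxyFix entry above, limited to X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host. The function names, the x_for/x_proto/x_host keyword names and the sample environ are assumptions of this sketch.

```python
# Sketch of "the trusted number of proxies is configured separately for each
# header". Standard library only; names and sample data are constructed here.

# keyword name -> (environ key of the forwarded header, environ key it overrides)
FORWARDED = {
    "x_for": ("HTTP_X_FORWARDED_FOR", "REMOTE_ADDR"),
    "x_proto": ("HTTP_X_FORWARDED_PROTO", "wsgi.url_scheme"),
    "x_host": ("HTTP_X_FORWARDED_HOST", "HTTP_HOST"),
}


def trusted_value(header_value, trusted):
    """Return the value written by the outermost trusted proxy, or None.

    Every proxy appends to the right of the comma-separated list, so with
    `trusted` proxies in front of the app only the last `trusted` values were
    written by infrastructure the operator controls. Anything further left
    came from the client and must not be used.
    """
    if not trusted or not header_value:
        return None  # header not trusted at all, or not present
    values = [v.strip() for v in header_value.split(",") if v.strip()]
    if len(values) < trusted:
        return None  # fewer hops than configured: keep the original value
    return values[-trusted]


def apply_forwarded(environ, **trust):
    """Return a copy of a WSGI environ rewritten from trusted headers only."""
    unknown = set(trust) - set(FORWARDED)
    if unknown:
        raise TypeError("unknown trust setting(s): %s" % ", ".join(sorted(unknown)))
    fixed = dict(environ)
    # Keep the pre-rewrite values in one dict, as the changelog describes for
    # the werkzeug.proxy_fix.orig key (the inner key names are this sketch's).
    fixed["werkzeug.proxy_fix.orig"] = {
        target: environ.get(target) for _, target in FORWARDED.values()
    }
    for name, (header, target) in FORWARDED.items():
        value = trusted_value(environ.get(header), trust.get(name, 0))
        if value is not None:
            fixed[target] = value
    return fixed


# Constructed request as seen by the app behind ONE reverse proxy. The client
# supplied its own X-Forwarded-For and X-Forwarded-Host; the proxy appended
# the real peer address and set X-Forwarded-Proto, but does not set the host.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "10.0.0.5",  # address of the proxy itself
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "app.internal:8000",
    "HTTP_X_FORWARDED_FOR": "127.0.0.1, 203.0.113.7",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "spoofed.example",
}

if __name__ == "__main__":
    # Matches the deployment: one hop trusted for address and scheme, host untrusted.
    correct = apply_forwarded(SAMPLE_ENVIRON, x_for=1, x_proto=1)
    print(correct["REMOTE_ADDR"], correct["wsgi.url_scheme"], correct["HTTP_HOST"])
    # Over-trusting by one hop picks up the client-supplied address instead.
    print(apply_forwarded(SAMPLE_ENVIRON, x_for=2)["REMOTE_ADDR"])
```

Setting a trust count higher than the real number of proxies, or trusting a header the proxy does not set, is what lets a client-supplied value through; the count for each header should equal the number of proxies that actually write it.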
1.25:
* Require and validate certificates by default when using HTTPS.
* Upgraded urllib3.utils.parse_url() to be RFC 3986 compliant.
* Added support for key_password for HTTPSConnectionPool to use
encrypted key_file without creating your own SSLContext object.
* Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport SSLContext
implementations.
* Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft.
* Fixed issue where OpenSSL would block if an encrypted client private key was
given and no password was given. Instead an SSLError is raised.
* Added support for Brotli content encoding. It is enabled automatically if
brotlipy package is installed which can be requested with
urllib3[brotli] extra.
* Drop ciphers using DSS key exchange from default TLS cipher suites.
Improve default ciphers when using SecureTransport.
* Implemented a more efficient HTTPResponse.__iter__() method.
Changes from 1.7.5:
SECURITY
Prevent remote code execution vulnerability with mirror repo URL settings (#6593) (#6594)
Resolve 2FA bypass on API (#6676) (#6674)
Prevent the creation of empty sessions for non-logged in users (#6690) (#6677)
BREAKING
Add "ghost" and "notifications" to list of reserved user names. (#6208)
Change sqlite DB path default to data directory (#6198)
Adds MustChangePassword to user create/edit API (#6193)
Disable redirect for i18n (#5910)
Releases API paging (#5831)
Allow Macaron to be set to log through to gitea.log (#5667)
Don't close issues via commits on non-default branch (#5622)
FEATURE
Add regenerate secret feature for oauth2 (#6291)
Expose issue stopwatch toggling via API (#5970)
Add other session providers (#5963)
Pull request conflict files detection (#5951)
Integrate OAuth2 Provider (#5378)
Implement "conversation lock" for issue comments (#5073)
Feature: Archive repos (#5009)
Discord Oauth2 support (#4476)
Allow to set organization visibility (public, internal, private) (#1763)
Added URL mapping for Release attachments like on github.com (#1707)
ENHANCEMENT
Add support for client basic auth for exchanging access tokens (#6293)
Add ability to sort issues by due date (#6206) (#6244)
Style tweaks to issue selection (#6196)
Increase Username and Orgname MaxSize 35 -> 40 (#6178)
Coverage profile with multiple packages (#6167)
Split setting.go to multiple files (#6154)
Allow labels to contain emoji (#6063)
Disable git fsck for mirrored repos by default (#6018)
Add default time out for git operations (#6015)
Split setting.go as multiple files (#6014)
Make dashboard navbar and footer full-width (#6013)
Add lang specific font stacks for CJK (#6007)
Fix header menu misalignment (#6002)
Enhance closed PR and Issue status in the list (#6000)
Make navbar full width (#5998)
Add option to close issues via commit on a non master branch (#5992)
Support n as a line highlight prefix (#5987)
Search for org repos (#3031) (#5986)
Minor UI tweaks (#5980)
Use native golang SSH library but ssh-keygen when enable built-in SSH server to remove dependent on that command lines (#5976)
Dashboard tweaks (#5974)
Fixes for repo topic editor (#5971)
Display the branch name in the commit view (#5950)
handle milestone events for issues and PR (#5947)
Add label names as filter in issue search api (#5946)
Repo header tweaks (#5945)
Better support for long repo names (#5932)
Fix wrapping long code lines (#5927)
Change GPG Validation colors and remove inline CSS (#5404) (#5896)
Fix "pulls.blocked_by_approvals" text (#5879)
Rename reject to 'request changes' (#5858)
Move input fields to add members to a team and repos to a team (#5853)
Config option to disable automatic repo watching (#5852)
New Issue ?body= query (#5851)
Add API to list tags (#5850)
Pagination for git tree API (#5838)
Add InternalTokenURI to load InternalToken from an external file (#5812)
Allow markdown files to read from the LFS (#5787)
Add the ability to use multiple labels as filters (#5786)
Adjust log settings when a user is not found. (#5771)
Log IP of failed ssh connection (#5766)
Moved defaults in defaults.go to setting.go (#5764)
Make DB connect more robust (#5738)
Add Default Pull Request Title (#5735)
Refactor repo.isBare to repo.isEmpty #5629 (#5714)
Add flag to skip repository dumping (#5695)
Prioritize "readme.md" (#5691)
Improve "Fork button" for guests by showing a pop up asking them to log in before forking (#5690)
Allow for user specific themes (#5668)
Display branch name in delete branch confirmation modal. (#5654)
New API routes added (#5594)
Refactor notification for indexer (#5111)
Refactor mail notification (#5110)
Show email if the authenticated user owns the profile page being requested for (#4981)
Optimize pulls merging (#4921)
Sort Repositories widget by most recently updated (#3963) (#4599)
Allow markdown table to scroll (#4401)
Automatically clear stopwatch on merging a PR (#4327)
Add the Owner Name to differentiate when merging (#3807)
Add title attributes to all items in the repo list viewer (#6258) (#6650)
BUGFIXES
Fix dropdown icon padding (#6651) (#6654)
Fix wrong GPG expire date (#6643) (#6644)
Fix forking an empty repository (#6637) (#6653)
Remove call to EscapePound .Link as it is already escaped (#6656) (#6666)
Properly escape on the redirect from the web editor (#6657) (#6667)
Allow resend of confirmation email when logged in (#6482) (#6486)
Fix mail notification when close/reopen issue (#6581) (#6588)
Change API commit summary to full message (#6591) (#6592)
Add option to disable refresh token invalidation (#6584) (#6587)
Fix bug user search API pagesize didn't obey ExplorePagingNum (#6579) (#6586)
Fix new repo alignment (#6583) (#6585)
Prevent server 500 on compare branches with no common history (#6555) (#6558)
Properly escape release attachment URL (#6512) (#6523)
Hacky fix for alignment of the create-organization dialog (#6455) (#6462)
Disable benchmarking during tag events on DroneIO (#6365) (#6366)
Make sure units of a team are returned (#6379) (#6381)
Don't Unescape redirect_to cookie value (#6399) (#6401)
Fix dump table name error and add some test for dump database (#6394) (#6402)
Fix migration v82 to ignore unsynced tags between database and git data; Add missing is_archived column on repository table (#6387) (#6403)
Display correct error for invalid mirror interval (#6414) (#6429)
Clean up ref name rules (#6437) (#6439)
Fix Hook & HookList in Swagger (#6432) (#6440)
Change order that PostProcess Processors are run (#6445) (#6447)
Clean up various use of escape/unescape functions for URL generation (#6334)
Return 409 when creating repo if it already exists. (#6330)
Add same changes from issues page to milestone->issues page (#6328)
Fix ParsePatch function to work with quoted diff --git strings (#6323)
Fix reported issue in repo description (#6306)
Use url.PathEscape to escape the branchname (#6304)
Add robots.txt as reserved username (#6272)
Replace linkRegex with xurls library (#6261)
Remove visitLinksForShortLinks features (#6257)
Add unit types to repo action URL to correctly show 404 when archived (#6247)
Check organization visibility before everything else (#6234) (#6235)
Prevent double-close of issues (#6233)
Override xorm type mapping for U2F counter (#6232)
Add isAdmin to user API response (#6231)
Update git vendor to fix wrong release commit id and add migrations (#6224)
Fix fork button (#6223)
Fix renames over redirects (#6216)
Fix display dashboard even if require to change password (#6214)
Create a repo redirect when transferring ownership (#6210) (#6211)
Fix issue update race condition (#6194)
Fix bug when migrate repository 500 when repo is existed (#6188)
Fix scrollbar always present on page body (#6177)
Fix bug when set indexer as db and add tests (#6173)
Modify linkRegex to require http|https (#6171)
Fix bug user could change private repository to public when force private enabled. (#6156)
Fix admin list user/org API (#6143)
Make repo creation for API similar to UI (#6142)
Make document body a flexbox (#6139)
Refactor issue indexer, add some testing and fix a bug (#6131)
Load Issue attributes for API call (#6122)
Fix bug when update owner team then visit team's repo return 404 (#6119)
Fix heatmap and repository menu display in Internet Explorer 9+ (#6117)
Show private organization for admin, fix #6111 (#6112)
Fix prohibit login check on authorization (#6106)
Move to ldap.v3 to fix #5928 (#6105)
Remove use MakeAssigneeList in webhooks to fix deadlock (#6102)
Allow display of LFS stored Readme.md on directory page (#6073) (#6099)
Make sure labels are actually returned (#6053)
Fix panic: template: repo/issue/list:210: unexpected "=" in operand (#6041)
After deleting a repo on admin panel, UI should remember the last sort type (#6033)
Default create repository on organisation on its dashboard (#6026)
Swagger: Remove spaces in MergePullRequestOption enum (#6016)
Fix metrics auth token detection (#6006)
Fix repo header issues (#5995)
Fix bug when deleting a linked account will removed all (#5989)
Make organization dropdown scrollable when using mouse wheel (#5988)
Fix empty ssh key importing in ldap (#5984)
Admin config page mailertype setting option update (#5973)
Fix redirect loop during forced password change (#5965)
Show user who created the repository instead of the organisation in action feed (#5948)
Remove all CommitStatus when a repo is deleted (#5940)
Fix ssh deploy and user key constraints (#1357) (#5939)
Fix log output (#5938)
Set PusherName and PusherID to owner on deploy key to fix pushing with deploy keys (#5935)
Fix compare button (#5929)
Fix bug when read public repo lfs file (#5912)
Only allow local login if password is non-empty (#5906)
Recover panic in orgmode.Render if bad orgfile (#4982) (#5903)
Provide better panic handling (#5902)
Respect value of REQUIRE_SIGNIN_VIEW (#5901)
Show a 404 not a 500 if a repo does not exist (#5900)
Ensure repo is loaded in mailer (Completely fix #5891) (#5895)
Ensure issue.Poster is loaded in mailIssueCommentToParticipants (#5891)
Correct footer height if screen-width is too small (fixes #5878) (#5889)
In gitea serv switch off console logger to fix #5866 (#5887)
Don't allow pull requests to be created on an archived repository (#5883)
Support reviews on a deleted file path (#5880)
Fix compare button on upstream repo leading to 404 (#5877)
Fix null pointer on not logged in attempt to Sudo (#5872)
Fix new release creation API to allow empty target (#5870)
Fix an error while adding a dependency via UI. (#5862)
Fix failing migration v67 (#5849)
Fix delete correct temp directory (#5839)
Make sure .git/info is created before generating .git/info/sparse-che… (#5825)
Fix topics saving internal error and disable for archived repos (#5821)
Fix TLS errors when using acme/autocert for local connections (#5820)
When creating new repository fsck option should be enabled (#5817)
Request for public keys only if LDAP attribute is set (#5816)
Fix serving of raw wiki files other than .md (#5814)
Fix migration 78 error mssql (#5791)
Disallow empty titles (#5785)
Fix the v78 migration script (#5776)
Ensure valid git author names passed in signatures (#5774)
Fix wrong assumption where a user is always said to have unassigned (her)himself (#5769)
Upgrade go-sql-driver/mysql to fix invalid connection error (#5748)
Fixing PostgreSQL dump creation (#5747)
Add proper CORS preflight origin validation (#5740)
Disable auto-migrate in docker container (#5730)
In basic auth check for tokens before call UserSignIn (#5725)
Pooled and buffered gzip implementation (#5722)
Ensure that sessions are passed into queries that could use the database to prevent deadlocks (#5718)
Keep file permissions during database migration (#5707)
Use correct value for "MSpan Structures Obtained" #4742 (#5706)
Refactor editor upload, update and delete to use git plumbing and add LFS support (#5702)
Update xorm to fix issue #5659 and #5651 (#5680)
Fix public will not be reused as public key after deleting as deploy key (#5671)
When redirecting, clean the path (#5669)
Don't list an issue on its own dependency list UI. (#5658)
Fix commit page showing status for current default branch (#5649) (#5650)
Only count users own actions for heatmap contributions (#5647)
Fix sqlite deadlock when assigning to a PR (#5640)
Refactor issue indexer (#5363)
TESTING
Run benchmark at tag to track performances (#6035)
Add test environment for MySQL8 (#5234)
BUILD
Use go 1.12 for tests and deprecate go 1.9 (#6186)
Makefile changes for Windows and easier development (#6103)
Update bleve dependency to latest master revision (#6100)
Switch to more recent build of xgo (#6070)
Add autoprefixer to css build (#6029)
Update the version of less (#6010)
Make log mailer for testing (#5893)
DOCS
Add more tests and docs for issue indexer, add db indexer type for searching from database (#6144)
update default value of --must-change-password cli flag (#6032)
Update and expand information about building Gitea (#6019)
Update U2F Section of app.ini.sample (#5994)
Update swagger for release API pagination (#5841)
Added docs for the tree api (#5834)
MISC
Add single commit API support (#5843)
Add missing GET teams endpoints (#5382)
Migrate database if app.ini found (#5290)
Changes from 1.7.4:
SECURITY
Prevent remote code execution vulnerability with mirror repo URL settings (#6593) (#6595)
BUGFIXES
Allow resend of confirmation email when logged in (#6482) (#6487)
Cliqz develops novel Internet browsers that incorporate features
such as search and anti-tracking. Cliqz desktop browser is based
on Mozilla Firefox.
Cliqz pre-installs the Cliqz add-on, which causes search terms to
be sent to Cliqz as the default search engine. In addition the
HTTPS Everywhere addon is installed, and an addon to manage consent.
1.24.2:
* Don't load system certificates by default when any other ca_certs, ca_certs_dir or
ssl_context parameters are specified.
* Remove Authorization header regardless of case when redirecting to cross-site.
* Add support for IPv6 addresses in subjectAltName section of certificates.
3.1.2:
* New thread_critical argument to Local to tell it to not inherit contexts
across threads/tasks.
* Local now inherits across any number of sync_to_async to async_to_sync calls
nested inside each other
3.1.1:
* Local now cleans up storage of old threads and tasks to prevent a memory leak.
3.1.0:
* Added asgiref.local module to provide threading.local drop-in replacement.
3.0.0:
* Updated to match new ASGI 3.0 spec
* Compatibility library added that allows adapting ASGI 2 apps into ASGI 3 apps
losslessly
Changes with nginx 1.15.12:
*) Bugfix: a segmentation fault might occur in a worker process if
variables were used in the "ssl_certificate" or "ssl_certificate_key"
directives and OCSP stapling was enabled.
Changes with nginx 1.15.11:
*) Bugfix: in the "ssl_stapling_file" directive on Windows.
lib
This release fixes the bug that on_header callback is still called after stream is closed.
third-party
http-parser is upgraded to v2.9.1.
nghttpx
This release fixes the bug that authority and path altered by per-pattern mruby script can affect backend selection on retry.
It also fixes the bug that HTTP/1.1 chunked request stalls.
Now nghttpx does not log authorization request header field value with -LINFO.
Now nghttpx can be built with modern LibreSSL.
* 5.2.2.2 fixes these security problems:
CVE-2019-5418
CVE-2019-5419
CVE-2019-5420
## Rails 5.2.3 (March 27, 2019) ##
* Allow using combine the Cache Control `public` and `no-cache` headers.
Before this change, even if `public` was specified for Cache Control header,
it was excluded when `no-cache` was included. This fixed to keep `public`
header as is.
Fixes #34780.
*Yuji Yaginuma*
* Allow `nil` params for `ActionController::TestCase`.
*Ryo Nakamura*
## Rails 5.2.2.1 (March 11, 2019) ##
* No changes.
## Rails 5.2.3 (March 27, 2019) ##
* Prevent non-primary mouse keys from triggering Rails UJS click handlers.
Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
```
<%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
```
Fixes #34541
*Wolfgang Hobmaier*
## Rails 5.2.2.1 (March 11, 2019) ##
* No changes.
- Security: prevent external redirections
- Fix some performance issues
- Fix various issues on plugins loading (cache conflict, bad locales)
- Fix display of documents in tickets
- Fix display of user's pictures
- Fix loss of some relations and SQL errors when transferring items
- Feature: add Historical tab on config page
- And many more!
The full changelog is available:
https://github.com/glpi-project/glpi/milestone/32?closed=1
Sync WEBKIT_JIT_MACHINE_PLATFORMS (platforms where `webkit-jit'
option is suggested) is enabled by default with
Source/cmake/WebKitFeatures.cmake.
While here also disable ENABLE_C_LOOP when ENABLE_JIT is enabled
(the two options are incompatible).
Should workaround PR pkg/54109.
(No PKGREVISION bump since it should only fix platforms where since
update of webkit-gtk 2.24.0 were broken.)
Changelog:
Fixed
Address bar on tablets running Windows 10 now behaves correctly (Bug 1498973)
Performance issues with some HTML5 games (Bug 1537609)
Fixed a bug with keypress events in IBM cloud applications (Bug 1538970)
Fix for keypress events in some Microsoft cloud applications (Bug 1539618)
Changed
Updated Baidu search plugin
pkgsrc change: use SUBST_VARS.
Version 3.5.39 (2019-04-09)
---------------------------
### Fixed
Invalidate the user sessions if a password changes (see CVE-2019-10641).
Changes:
WebKitGTK 2.24.1
=================
- Do not allow changes in active URI before provisional load starts for non-API requests.
- Stop the threaded compositor when the page is not visible or layer tree state is frozen.
- Use WebKit HTTP source element again for adaptive streaming fragments downloading.
- Properly handle empty resources in webkit_web_resource_get_data().
- Add quirk to ensure outlook.live.com uses the modern UI.
- Fix methods returning GObject or boxed types in JavaScriptCore GLib API.
- Ensure callback data is passed to functions and constructors with no parameters in JavaScriptCore GLib API.
- Fix rendering of complex text when the font uses x,y origins.
- Fix sound loop with Google Hangouts and WhatsApp notifications.
- Fix the build with GStreamer 1.12.5 and GST GL enabled.
- Detect SSE2 at compile time.
- Fix several crashes and rendering issues.
- Security fixes: CVE-2019-6251.
Version 1.7.0:
**This is the last version supporting Python 2!**
- Added a feature called 'response_filter' which enables one to only
cache views depending on the response code.
- A DeprecationWarning got turned into a TypeError.
Version 1.6.0:
- The delete_many function is now able to ignore any errors and continue
deleting the cache. However, in order to preserve backwards compatibility,
the default mode is to abort the deletion process. In order to use the new
deletion mode, one has to flip the config setting CACHE_IGNORE_ERRORS to
True. This was and still is only relevant for the **filesystem** and
**simple** cache backends.
- Re-added the gaememcached CACHE_TYPE for improved backwards compatibility.
- Documentation improvements
pkgsrc changes:
- Add fontconfig and freetype2 dependencies to links-gui in order to adjust
per-upstream defaults
Changes:
2.19
----
- Disable high-DPI scaling on Windows
- Links makes it possible to specify scaling of text and images in the
dialog windows, so this should preferably be used instead of
system-level scaling
- Fixed a crash on invalid IDN URL, such as http://test,ï.com/
(found by lsxvdqe@gmail.com)
- Make it possible to select other fonts, using fontconfig and freetype
- Show certificate authority in the "Document info" box
- Use international error messages
- The -dump switch didn't report an error if write to stdout failed
0.14.0:
* Bugfix clarify subprotocol type as str not bytes.
* Support HTTP/2 WebSockets. This requires a HTTP/2 parser (not
included), with hyper-h2 recommended. It renames
handshake_extensions and hence is a breaking change.
* Bugfix badly formatted type hints.
* Bugfix minor issues identified by type checking.
0.13.0:
* Introduce a send method on the connection which accepts the new
events. This requires the following usage changes, ::
connection.accept(subprotocol=subprotocol) -> connection.send(AcceptConnection(subprotocol=subprotocol))
connection.send_data(data) -> connection.send(Message(payload=payload))
connection.close(code) -> connection.send(CloseConnection(code=code))
connection.ping() -> connection.send(Ping())
connection.pong() -> connection.send(Pong())
* The Event structure is altered to allow for events to be sent and
received, this requires the following name changes in existing code, ::
ConnectionRequested -> Request
ConnectionEstablished -> AcceptConnection
ConnectionClosed -> CloseConnection
DataReceived -> Message
TextReceived -> TextMessage
BytesReceived -> BytesMessage
PingReceived -> Ping
PongReceived -> Pong
* Introduce RejectConnection and RejectData events to be used by a
server connection to reject rather than accept a connection or by a
client connection to emit the rejection response. The RejectData
event represents the rejection response body, if present.
* Add an extra_headers field to the AcceptConnection event in order to
customise the acceptance response in server mode or to emit this
information in client mode.
* Switch from Fail events being returned to RemoteProtocolErrors being
raised.
* Switch from ValueErrors to LocalProtocolErrors being raised when
an action is taken that is incompatible with the connection state or
websocket standard.
* Enforce version checking in SERVER mode, only 13 is supported.
* Add an event_hint to RemoteProtocolErrors to hint at how to respond
to issues.
* Switch from a bytes_to_send method to the send method
returning the bytes to send directly. Responses to Ping and Close
messages must now be sent (via send), with the Ping and
CloseConnection events gaining a response method. This
allows ::
if isinstance(event, Ping):
bytes_to_send = connection.send(event.response())
* Separate the handshake from the active connection handling. This
allows the handshake and connection to be separately used. By
default though WSConnection does both.
* receive_bytes is renamed to receive_data and
WSConnection should be imported from wsproto rather than
wsproto.connection.
0.12.0:
* Support h11 ~0.8.1.
* Support Python 3.7.
* Make the close-handshake more explicit, by sending a close frame on
receipt of a close frame.
* Bugfix fix deflate after a non-compressible message.
* Bugfix connection header acceptance, by accepting Connection header
values that are comma separated lists.
19.3.1
Changes:
* Add support for zero-length and RFC 5987 encoded filename for multipart/form-data requests.
* The type of expires attribute of sanic.cookies.Cookie is now enforced to be of type datetime.
* Add support for the stream parameter of sanic.Sanic.add_route() available to sanic.Blueprint.add_route().
* Accept negative values for route parameters with type int or number.
* Deprecated the use of sanic.request.Request.raw_args - it has a fundamental flaw in which it drops repeated query string parameters. Added sanic.request.Request.query_args as a replacement for the original use-case.
* Remove an unwanted None check in Request class repr implementation. This changes the default repr of a Request from <Request> to <Request: None />
* Added 2 new parameters to sanic.app.Sanic.create_server:
return_asyncio_server - whether to return an asyncio.Server.
asyncio_server_kwargs - kwargs to pass to loop.create_server for the event loop that sanic is using.
This is a breaking change.
* Added a set of test cases that test and benchmark route resolution.
* The type of the "max-age" value in a sanic.cookies.Cookie is now enforced to be an integer. Non-integer values are replaced with 0.
* Added the endpoint attribute to an incoming request, containing the name of the handler function.
* Improved request streaming. request.stream is now a bounded-size buffer instead of an unbounded queue. Callers must now call await request.stream.read() instead of await request.stream.get() to read each portion of the body.
This is a breaking change.
Fixes:
* Sanic was prefetching time.time() and updating it once per second to avoid excessive time.time() calls. The implementation was observed to cause memory leaks in some cases. The benefit of the prefetch appeared to be negligible, so this has been removed. Fixes
* Fix a bug in the auto-reloader when the process was launched as a module i.e. python -m init0.mod1 where the sanic server is started in init0/mod1.py with debug enabled and imports another module in init0.
* Allow sanic test client to bind to a random port by specifying port=None when constructing a SanicTestClient
* Added the ability to specify middleware on a blueprint group, so that all routes produced from the blueprints in the group have the middleware applied.
* Allow the use of the SANIC_ACCESS_LOG environment variable to enable/disable the access log when not explicitly passed to app.run(). This allows the access log to be disabled for example when running via gunicorn.
Developer infrastructure:
* Update project PyPI credentials
* fix linter issue causing travis build failures
* Fix python version in doc build
* Upgrade setuptools version and use native docutils in doc build
* Upgrade pytest, and fix caplog unit tests
Typos and Documentation:
* Fix typo at the exception documentation
* fix typo in Asyncio example
* Documentation typo
* Fix grammar in README.md
* Added "databases" to the extensions list
* Add sanic-zipkin to extensions list
* Removed link to deleted repo, Sanic-OAuth, from the extensions list
* 18.12 changelog
* Add example of amending request object
* Update README
* Update README
* Update README, including new logo
* fix minor type and pip install instruction mismatch
* Documentation Enhancements
Upstream changes:
2.15 2019-03-29
[FIX]
- ensure upload hooks are passed to CGI.pm constructor
(GH #19, thanks to ikegami)
2.14 2019-03-26
[DOCUMENTATION]
- Add a link to the "you probably shouldn't use CGI.pm" docs
Upstream changes:
1.3512 2019-03-31 20:10:08+01:00 Europe/London
Promoting previous trial release 1.3511 to stable.
1.3511 2019-03-29 11:16:08+00:00 Europe/London (TRIAL RELEASE)
[BUG FIXES]
- More session cookie handling fun - avoid causing test failures in dependencies
in some cases (e.g. RT #128911 and others)
[ENHANCEMENTS]
- hold session in SharedData, to avoid reading the session contents every time
anything is requested, could be a performance win
1.3510 2019-03-19 14:42:26+00:00 Europe/London
Promoting previous trial release 1.3501 to stable.
Fix #1204 - more proxy-related test failure fun
1.3501 2019-03-14 19:19:49+00:00 Europe/London (TRIAL RELEASE)
[BUG FIXES]
Fix "too late to set cookie" errors if you access a session within an after hook
after using send_file().
1.9.0:
NEW: Allow :contains() to accept a list of text to search for.
NEW: Add new escape function for escaping CSS identifiers.
NEW: Deprecate comments and icomments functions in the API to ensure Soup Sieve focuses only in CSS selectors. comments and icomments will most likely be removed in 2.0.
NEW: Add Python 3.8 support.
FIX: Don't install test files when installing the soupsieve package.
FIX: Improve efficiency of :contains() comparison.
FIX: Null characters should translate to the Unicode REPLACEMENT CHARACTER (U+FFFD) according to the specification. This applies to CSS escaped NULL characters as well.
FIX: Escaped EOF should translate to U+FFFD outside of CSS strings. In a string, they should just be ignored, but as there is no case where we could resolve such a string and still have a valid selector, string handling remains the same.
Changes with Apache 2.4.39
*) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
connection is recycled/reused to avoid a possible crash with some SSLProxy
configurations in <Location> or <Proxy> context.
*) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
*) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
*) mod_socache_redis: Support for Redis as socache storage provider.
*) core: new configuration option 'MergeSlashes on|off' that controls handling of
multiple, consecutive slash ('/') characters in the path component of the request URL.
*) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
*) mod_http2: new configuration directive: `H2Padding numbits` to control
padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
controlling the range of padding bytes added to a frame. The actual number
added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
frames equally. The default continues to be 0, e.g. no padding.
*) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
has no more need for it. Optional functions are still declared but no longer implemented.
While previous mod_proxy_http2 will work with this, it is recommended to run the matching
versions of both modules.
*) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
resolve bug 63170. The proxy module does now a single h2 request on the (reused)
connection and returns.
*) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
to trigger immediate shutdown of backend connections. This is now always signalled
by mod_http2 when the session is being released.
proxy_http2 now only sends a PING frame to the backend when there is not already one
in flight.
*) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
loop when encountering certain errors on the backend connection.
*) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per
Location/Directory, e.g. disabling PUSH for a specific set of resources.
*) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
*) http: Fix possible empty response with mod_ratelimit for HEAD requests.
*) mod_cache_socache: Avoid reallocations and be safe with outgoing data
lifetime.
*) MPMs unix: bind the bucket number of each child to its slot number, for a
more efficient per bucket maintenance.
*) mod_auth_digest: Fix a race condition. Authentication with valid
credentials could be refused in case of concurrent accesses from
different users.
*) mod_http2: enable re-use of slave connections again. Fixed slave connection
keepalives counter.
*) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
*) mod_proxy_wstunnel: Fix websocket proxy over UDS.
*) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
configuration (SSLFIPS on) and not active by default in OpenSSL.
Changelog:
Fixed
Fixed Web compatibility issues with Office 365, iCloud and IBM
WebMail caused by recent changes to the handling of keyboard
events (Bug 1538966)
Crash fixes (bug 1521370, bug 1539118)
Changes:
3.4.0
=====
Added
-----
* Allow to show video in fullscreen, without statusbar and inputbox, if requested.
* Added option `--no-maximize` to not start with maximized window #483.
* New setting `prevent-newwindow` to enforce opening links into same window
even if they are crafted by `target="_blank"` or using `window.open(...)` #544.
Changed
-------
* Increased min required webkit version to 2.20.x.
* Use man page date instead of build date to make reproducible builds.
* URLs shown on statusbar and title are now shown as punycode if they contain
homographs.
Fixed
-----
* Fix out-of-bounds buffer access in parse_command (Thanks to Sören Tempel) #529.
* Fixed none shown hint labels by Content-Security-Policy headers #531.
* Fixed segfault on JavaScript `window.close()` call #537.
* Fixed no char inserted in input mode after timeout and imap/inoremap
candidate #546.
pkgsrc changes:
- No longer install MANUAL, it is no longer available
- Remove patch-lib_hostcheck.c, <netinet/in.h> is already included few
lines before
- Take MAINTAINERSHIP
Changes:
7.64.1
======
This release includes the following changes:
o alt-svc: experimental support added [74]
o configure: add --with-amissl [84]
This release includes the following bugfixes:
o AppVeyor: add MinGW-w64 and classic Mingw builds [55]
o AppVeyor: switch VS 2015 builds to VS 2017 image [49]
o CURLU: fix NULL dereference when used over proxy [73]
o Curl_easy: remove req.maxfd - never used! [58]
o Curl_now: figure out windows version in win32_init: [11]
o Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning [20]
o DoH: inherit some SSL options from user's easy handle [80]
o Secure Transport: no more "darwinssl" [56]
o Secure Transport: tvOS 11 is required for ALPN support [94]
o cirrus: Added FreeBSD builds using Cirrus CI
o cleanup: make local functions static [5]
o cli tool: do not use mime.h private structures [27]
o cmdline-opts/proxytunnel.d: the option tunnels all protocols [83]
o configure: add additional libraries to check for LDAP support [45]
o configure: remove the unused fdopen macro [40]
o configure: show features as well in the final summary [15]
o conncache: use conn->data to know if a transfer owns it [95]
o connection: never reuse CONNECT_ONLY connections [35]
o connection_check: restore original conn->data after the check [14]
o connection_check: set ->data to the transfer doing the check [3]
o cookie: Add support for cookie prefixes [29]
o cookies: dotless names can set cookies again [81]
o cookies: fix NULL dereference if flushing cookies with no CookieInfo set [47]
o curl.1: --user and --proxy-user are hidden from ps output [86]
o curl.1: mark the argument to --cookie as <data|filename> [87]
o curl.h: use __has_declspec_attribute for shared builds [52]
o curl: display --version features sorted alphabetically [51]
o curl: fix FreeBSD compiler warning in the --xattr code [2]
o curl: remove MANUAL from -M output [38]
o curl_easy_duphandle.3: clarify that a duped handle has no shares [64]
o curl_multi_remove_handle.3: use at any time, just not from within callbacks
o curl_url.3: this API is not experimental anymore
o dns: release sharelock as soon as possible [1]
o docs: update max-redirs.d phrasing [59]
o easy: fix win32 init to work without CURL_GLOBAL_WIN32 [30]
o examples/10-at-a-time.c: improve readability and simplify
o examples/cacertinmem.c: use multiple certificates for loading CA-chain [54]
o examples/crawler: Fix the Accept-Encoding setting
o examples/ephiperfifo.c: various fixes [63]
o examples/externalsocket: add missing close socket calls [78]
o examples/http2-download: cleaned up
o examples/http2-serverpush: add some sensible error checks [31]
o examples/http2-upload: cleaned up
o examples/httpcustomheader: Value stored to 'res' is never read
o examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
o examples/sftpuploadresume: Value stored to 'result' is never read
o examples: only include <curl/curl.h> [70]
o examples: remove recursive calls to curl_multi_socket_action [42]
o examples: remove superfluous null-pointer checks
o file: fix "Checking if unsigned variable 'readcount' is less than zero." [90]
o fnmatch: disable if FTP is disabled [25]
o gnutls: remove call to deprecated gnutls_compression_get_name [66]
o gopher: remove check for path == NULL [69]
o gssapi: fix deprecated header warnings [16]
o hostip: make create_hostcache_id avoid alloc + free [4]
o http2: multi_connchanged() moved from multi.c, only used for h2 [21]
o http2: verify :authority in push promise requests [37]
o http: make adding a blank header thread-safe [33]
o http: send payload when (proxy) authentication is done [89]
o http: set state.infilesize when sending multipart formposts [57]
o makefile: make checksrc and hugefile commands "silent" [85]
o mbedtls: make it build even if MBEDTLS_VERSION_C isn't set [24]
o mbedtls: release sessionid resources on error [28]
o memdebug: log pointer before freeing its data [91]
o memdebug: make debug-specific functions use curl_dbg_ prefix [82]
o mime: put the boundary buffer into the curl_mime struct [18]
o multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME [43]
o multi: remove verbose "Expire in" ... messages [23]
o multi: removed unused code for request retries [79]
o multi: support verbose conncache closure handle [72]
o negotiate: fix for HTTP POST with Negotiate [88]
o openssl: add support for TLS ASYNC state [46]
o openssl: if cert type is ENG and no key specified, key is ENG too [93]
o pretransfer: don't strlen() POSTFIELDS set for GET requests [22]
o rand: Fix a mismatch between comments in source and header [32]
o runtests: detect "schannel" as an alias for "winssl" [50]
o schannel: be quiet - remove verbose output [19]
o schannel: close TLS before removing conn from cache [10]
o schannel: support CALG_ECDH_EPHEM algorithm [44]
o scripts/completion.pl: also generate fish completion file [67]
o singlesocket: fix the 'sincebefore' placement [36]
o source: fix two 'nread' may be used uninitialized warnings [68]
o ssh: fix Condition '!status' is always true [60]
o ssh: loop the state machine if not done and not blocking [71]
o strerror: make the strerror function use local buffers [48]
o system_win32: move win32_init here from easy.c [65]
o test578: make it read data from the correct test
o tests: Fixed XML validation errors in some test files
o tests: add stderr comparison to the test suite [26]
o tests: fix multiple may be used uninitialized warnings
o threaded-resolver: shutdown the resolver thread without error message [61]
o tool_cb_wrt: fix writing to Windows null device NUL [96]
o tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr [84]
o tool_operate: build on AmigaOS [84]
o tool_operate: fix typecheck warning [9]
o transfer.c: do not compute length of undefined hex buffer
o travis: add build using gnutls [75]
o travis: add scan-build [13]
o travis: bump the used wolfSSL version to 4.0.0 [92]
o travis: enable valgrind for the iconv tests [12]
o travis: use updated compiler versions: clang 7 and gcc 8 [77]
o unit1307: require FTP support [17]
o unit1651: survive curl_easy_init() fails
o url/idnconvert: remove scan for <= 32 ascii values [6]
o url: change conn shutdown order to ensure SOCKETFUNCTION callbacks [39]
o urlapi: reduce variable scope, remove unreachable 'break' [7]
o urldata: convert bools to bitfields and move to end [53]
o urldata: simplify bytecounters [62]
o urlglob: Argument with 'nonnull' attribute passed null
o version.c: silent scan-build even when librtmp is not enabled
o vtls: rename some of the SSL functions [84]
o wolfssl: stop custom-adding curves [41]
o x509asn1: "Dereference of null pointer"
o x509asn1: cleanup and unify code layout [34]
o zsh.pl: escape ':' character [8]
o zsh.pl: update regex to better match curl -h output [8]
Changes with nginx 1.15.10:
*) Change: when using a hostname in the "listen" directive nginx now
creates listening sockets for all addresses the hostname resolves to
(previously, only the first address was used).
*) Feature: port ranges in the "listen" directive.
*) Feature: loading of SSL certificates and secret keys from variables.
*) Workaround: the $ssl_server_name variable might be empty when using
OpenSSL 1.1.1.
*) Bugfix: nginx/Windows could not be built with Visual Studio 2015 or
newer; the bug had appeared in 1.15.9.
nginx-nchan:
1.2.5:
fix: using multiplexed channels with Redis in backup mode may result in worker crash
fix: nchan_publisher_channel_id could not be set exclusively in a publisher location
fix: Google pagespeed module compatibility
fix: nchan prevents nginx from starting if no http {} block is configured
1.2.4:
fix: Redis cluster info with zero-length hostname may result in worker crash
fix: build problems with included hiredis lib in FreeBSD
feature: nchan_redis_namespace and nchan_redis_ping_interval now work in upstream blocks
fix: websocket publisher did not publish channel events
fix: Redis namespace was limited to 8 bytes
Changelog:
The APR/Native connector now supports both OpenSSL and JSSE
TLS configuration syntax (NIO and NIO2 already support this)
Various improvements to NIO2
Various fixes for HTTP/2 push requests
Changelog:
The APR/Native connector now supports both OpenSSL and JSSE
TLS configuration syntax (NIO and NIO2 already support this)
Various improvements to NIO2
Various fixes for HTTP/2 push requests
Refactor error handling so that errors that occur early in
request processing are handled by the application's error
handling where the application can be identified
Changelog:
Update the packaged version of the Tomcat Native Library to 1.2.21
to pick up the latest Windows binaries built with APR 1.6.5 and
OpenSSL 1.1.1a and to pick up the memory leak fixes when using
NIO/NIO2 with OpenSSL.
Mostly based on work by tuxillo in pkgsrc-wip with some changes and additions
by me.
Gitea is a community managed fork of Gogs, lightweight code hosting solution
written in Go and published under the MIT license.
Changelog:
60.6.1
#CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information
#CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations
60.6.0
#CVE-2019-9790: Use-after-free when removing in-use DOM elements
#CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey
#CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
#CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
#CVE-2019-9794: Command line arguments not discarded during execution
#CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
#CVE-2019-9801: Windows programs that are not 'URL Handlers' are exposed to web content
#CVE-2018-18506: Proxy Auto-Configuration file can define localhost access to be proxied
#CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
Enterprise
In the network connections settings, sites added to the "No proxy for" list will now honor that setting regardless of any other specified proxy settings
Changelog:
Changes
Show autocompletion as soon as "@" is typed (server#13961)
Trim filename in webfrontend for windows compatibility (server#13978)
Clean code and fix drop zone shadow (server#13982)
Show original path in trashbin (server#14029)
Update icewind/smb to 3.0.1 (server#14068)
Fix: Check if `$this->params['user']` is an array (server#14085)
[Security] Bump lodash from 4.17.10 to 4.17.11 in /apps/updatenotification (server#14093)
[Security] Bump lodash from 4.17.10 to 4.17.11 in /apps/accessibility (server#14094)
[Security] Bump lodash from 4.17.10 to 4.17.11 in /apps/oauth2 (server#14095)
Make sure the relative path is always a string (server#14101)
Fix the throttler whitelist bitmask (server#14151)
[Security] Bump handlebars from 4.0.12 to 4.1.0 in /build (server#14187)
Fix recent files (server#14195)
Update CRL to contain revoked files_external_dropbox, passman & payback (server#14201)
Ensure attribute names are lower cased (server#14203)
Fix small glitches in update notification page (server#14207)
Fix expiration date changing (server#14212)
Fix trashbin restore translation (server#14213)
Remove trailing spaces from localized strings (server#14225)
Fixing phpdoc in FullTextSearch/Model/ISearchResult (server#14268)
Fix empty file uploads to S3 (and other streaming storages) (server#14273)
Do not do redirect handling when logging out (server#14275)
Catch Request exception in testRemoteUrl (server#14277)
Correctly determine the owner in case of shared external storages (server#14283)
Fix header label visibility on open menu (server#14287)
Prefix $path for filename for internal file cache (server#14288)
Set false as default for requirePNG (server#14292)
Use proper scroll container when dragging files (server#14301)
Fix OC.getCurrentUser() on guest pages (server#14308)
Fix ocm end-point discovery (server#14312)
Apply theme to 2FA button (server#14331)
Fix "Undefined index: user_uid" on login page (server#14339)
Fix unsafe array access (server#14340)
Always query lookup server in GS mode (server#14368)
Use latest ca-bundle.crt from https://curl.haxx.se/docs/caextract.html (server#14371)
Try to support 7.3 for DAV (3rdparty#213)
Backport/stable15/streams 0.7.1 (3rdparty#244)
Don't add empty entries to the objects array (activity#347)
Ensure parameters are always an array (activity#350)
Bye, Scrutinizer! (notifications#293)
Changelog:
Security fixes:
#CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information
#CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations
5.7.6
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability,
where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server.
The fix involves setting the X-Content-Type-Options: nosniff
header, and applying CSRF checks previously on all non-GET
API requests to GET requests to API endpoints and the /files/ endpoint.
The attacking page is able to access some contents of files when using Internet Explorer through script errors,
but this has not been demonstrated with other browsers.
A CVE has been requested for this vulnerability.
5.7.5
- Fix compatibility with tornado 6
- Fix opening integer filedescriptor during startup on Python 2
- Fix compatibility with asynchronous KernelManager.restart_kernel methods
5.4.1:
New Features
- Expose pygments styles
- Tornado 6.0 support -- Convert proxy handler from callback to coroutine
- Add option to overwrite the highlight_code filter
Fixing Problems
- Mathjax.tpl fix for rendering Latex in html
- Backwards compatibility for empty kernel names
Testing, Docs, and Builds
- DOC: Add missing language specification to code-block
* Drupal core - Cross-Site Scripting - SA-CORE-2019-004
Under certain circumstances the File module/subsystem allows a
malicious user to upload a file that can trigger a cross-site
scripting (XSS) vulnerability.
* Drupal core - Cross-Site Scripting - SA-CORE-2019-004
Under certain circumstances the File module/subsystem allows a
malicious user to upload a file that can trigger a cross-site
scripting (XSS) vulnerability.
Upstream changes:
== Ruby-GNOME2 3.3.6: 2019-03-21
This is a follow-up release of 3.3.5.
=== Changes
==== Ruby/GIO2
* Improvements
* (({Gio::File#read})): Added support for block.
* (({Gio::File.open})): Added support for (({Pathname})).
* (({Gio::InputStream.open})): Added support for block.
==== Ruby/CairoGObject
* Fixes
* Fixed a bug that old cairo may be used.
==== Ruby/GObjectIntrospection
* Fixes
* Fixed a bug that 64bit integer conversion may be failed for
large integer.
* Fixed typos.
Changelog:
New
Firefox now prevents websites from automatically playing sound. You can add individual sites to an exceptions list or turn blocking off. To learn more about block autoplay, which will be rolled out gradually to all users, visit the Mozilla blog.
Improved search experience:
Find a specific webpage faster when you have a lot of tabs open: You can now search within all of your open tabs from the tab overflow menu
Easier search via a redesigned new tab in Private Windows
Smoother scrolling: Scroll anchoring keeps content from jumping as images and ads load at the top of the page
Improved performance and better user experience for extensions:
Extensions now store their settings in a Firefox database, rather than individual JSON files, making every site you visit faster
A redesigned keyboard shortcuts section in about:addons makes it easier to view and adjust default shortcuts
Redesigned certificate error pages help you better understand and resolve issues, including identification of certificate issuers for anti-virus software
Added basic support for macOS Touch Bar
Experimenting with an improved Pocket experience in New Tab with different layouts and more topical content
Improved performance and reduced crash rates by doubling web content loading processes from 4 to 8
Easier, passwordless security: Added support for Windows Hello on Windows 10, allowing you to use your face, fingerprint, or external security keys for website authentication
Fixed
The Dark and Light Firefox themes now override the system setting for title bar accent color on Windows 10
Linux users: Resolved an issue that caused Firefox to freeze when downloading files
Various security fixes
Changed
System title bar is hidden by default to match Gnome guideline for Linux users
Developer
DevTools Inspector is now fully usable when the Debugger is paused
Lowered priority of setTimeout and setInterval during page load to improve overall page load performance
Fixed: <button> element is no longer special cased in event dispatch, per latest specifications
Security fixes:
Not available yet.
Upstream changes:
8.6.12
The third-party Twig library, which powers Drupal 8's theme system, recently released new versions (Twig 1.38.0 and 1.38.1) that introduced a fatal error for Drupal 8 sites using Composer. Drupal 8.6.11 was released yesterday with an update to Twig 1.38.2 in order to resolve that error. However, this update also led to a different regression for certain Drupal 8 themes that use Twig {% embed %} tags. This release hotfixes Drupal 8 to resolve that regression. No other changes are included.
8.6.11
This release resolves two critical issues affecting Drupal 8 site updates:
The third-party Twig library, which powers Drupal 8's theme system, recently released a new minor version (1.38.0) that introduced a fatal error when used with Drupal 8. As a result, Drupal 8 sites managed with Composer encountered this fatal error when updating Twig to version 1.38.0 or 1.38.1. This release updates Drupal to require Twig 1.38.2, which resolves the fatal error.
The recent releases for SA-CORE-2019-003 introduced a serialized data integrity issue affecting some contributed and custom modules, including the Default Content and Paragraphs modules. This release resolves the issue for affected sites.
Additionally, this release resolves an administrator-only access bypass with the Layout Builder module. Previously, users who didn't have access to view individual entities were still granted access to configure the layout for that entity (if per-entity layout configuration was enabled) and therefore could view its content. This implicit access has been removed. Site owners should ensure that all content editor roles have access to view the content for which they are configuring the layout.
pkgsrc changes:
- Remove patch-Source_JavaScriptCore_assembler_MacroAssemblerARM.cpp: logic
changed upstream and there is no longer a function that checks for a VFP.
Changes:
2.24.0
------
- Added support for content filtering.
- Variation fonts support.
- Full emoji rendering support.
- Added navigation and pinch zoom gestures for touchpads.
- Support for JPEG2000 images (please note that in pkgsrc at the
moment it is disabled to avoid a dependency on openjpeg)
- Script dialogs are now modal to the current web view only.
- New API to convert URI to format for display.
19.2.1
fix: set announced roles on appsession object
new: lower log noise on ApplicationErrors
new: allow explicit passing of tx endpoint and reactor
new: add attribute to forward applicationrunner to applicationsession via componentconfig
v1.37.0:
build
CMake build explicitly sets install location when building shared library.
nghttpx
This release fixes possible backend stall when header and request body are sent in their own packets.
The backend option gets weight parameter to influence backend selection.
This release fixes compile error with BoringSSL.
Upstream changes:
Moodle 3.6.3 release notes
Release date: 11 March 2019
Here is the full list of fixed issues in 3.6.3.
Fixes and improvements
MDL-63892 - Last post date and time shown correctly on forum page
MDL-64609 - Gradebook regrading no longer gets stuck
MDL-43428 - Quiz now displays the correct time left when quiz close date before time limit
MDL-62345 - Site home and Dashboard now have different data-key attributes when the home page is set to site
MDL-61405 - All assignment 'View annotated PDF' buttons work
MDL-64632 - Invalid response value detected messaging error fix
MDL-63103 - Server files performance improvement for sites with lots of activities and files
MDL-64528 - Activities can no longer be marked as complete when the context is frozen
MDL-63677 - Users no longer redirected back to a policy agreement when creating a new account
MDL-55135 - View competency framework no longer required for viewing competencies in a course
MDL-62454 - Numerical question units are displayed on the same line
MDL-64553 - Notifications table has index for the useridfrom column
MDL-64521 - Participants page performance improvement for courses with ~50k users and 10 groups
MDL-48338 - A single simple discussion forum now scrolls to new posts
MDL-60972 - Deleting course sections now also delete files used in the section description
MDL-64652 - Data export performance improvement
MDL-63674 - RTL languages correctly aligned in messaging interface
MDL-64171 - Course image scaled down when no course summary
MDL-64240 - Forum post word count correctly reflects the size of posts
MDL-62680 - Accessibility improvement for quiz question feedback
MDL-64679 - Option to clear prediction for analytics trained models
MDL-62963 - Clearer button background in Boost
MDL-64640 - Deleting of feedback question and deleting of user tour step no longer give a 404 error
MDL-64856 - Glossary 'Actions menu' icon no longer disappears when browsing
MDL-64730 - External tool 0 points score now correctly recorded as zero in the gradebook
MDL-64464 - Drag and drop question types now allow use of mixed languages
MDL-62143 - Boost navigation bar accessibility improvements
MDL-64561 - Install database CLI script now shows help even if Moodle is already installed
MDL-64134 - Messaging search simpler UI when search returns no results
MDL-64385 - 'Allowed email domains' setting is now case insensitive
MDL-63628 - Download assignment submission files via keyboard accessibility fix
MDL-64469 - Question bank category edit link usability improvement
MDL-63378 - Boost theme menu links contrast accessibility fix
MDL-64143 - Messaging contacts are now shown in bold
MDL-64144 - Messaging search results now shown with date rather than time stamp
MDL-64971 - get_with_capability_join, get_users_by_capability, assign/unassign_capability now check the capability exists
1.9.1:
* WARNING: This is most probably the last version supporting Python 2.
* Added testing for Python 3.7.
* Confirmed support for Django 2.2 (no code changes required).
* Updated translations.
Upstream changes:
== Ruby-GNOME2 3.3.5: 2019-03-10
This is a follow-up release of 3.3.4.
=== Changes
==== Ruby/GObjectIntrospection
* Improvements
* Ignored no (({GType})) interface.
Upstream changes:
== Ruby-GNOME2 3.3.4: 2019-03-09
This is a real release to support GLib 2.60.
=== Changes
==== Ruby/GObjectIntrospection
* Improvements
* Ignored no (({GType})) interface.
== Ruby-GNOME2 3.3.3: 2019-03-09
This is a release to support GLib 2.60.
=== Changes
==== Ruby/GLib2
* Improvements
* Made tests more robust.
[GitHub#1272][Reported by Jeremy Bicha]
* Required pkg-config 1.3.5 or later.
* Added support for GLib 2.60.
* Windows: Removed support for static compilation.
* Fixes
* (({GLib::PollFD#fd=})): Fixed wrong conversion.
==== Ruby/GObjectIntrospection
* Improvements
* Improved auto (({#==}))/(({#!=})) implementations.
They return (({true}))/(({false})) for invalid argument instead
of raising an error.
==== Ruby/GTK2
* Improvements
* Made tests more robust.
[GitHub#1275][Reported by Jeremy Bicha]
==== Ruby/RSVG2
* Improvements
* Made tests more robust.
[GitHub#1273][Reported by Mamoru TASAKA]
==== Ruby/Poppler
* Improvements
* (({Poppler::Document.new(data:)})):
Added support for (({Encoding.default_internal})).
* (({Poppler::Document.new})):
Added support for (({#to_path})) objects as path.
=== Thanks
* Jeremy Bicha
* Mamoru TASAKA
* upstream (curl) ChangeLog:
This release includes the following changes:
* cookies: leave secure cookies alone
* hostip: support wildcard hosts
* http: Implement trailing headers for chunked transfers
* http: added options for allowing HTTP/0.9 responses
* timeval: Use high resolution timestamps on Windows
This release includes the following bugfixes:
* CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
* CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
* CVE-2019-3823: SMTP end-of-response out-of-bounds read
* FAQ: remove mention of sourceforge for github
* OS400: handle memory error in list conversion
* OS400: upgrade ILE/RPG binding.
* README: add codacy code quality badge
* Revert http_negotiate: do not close connection
* THANKS: added several missing names from year <= 2000
* build: make 'tidy' target work for metalink builds
* cmake: added checks for variadic macros
* cmake: updated check for HAVE_POLL_FINE to match autotools
* cmake: use lowercase for function name like the rest of the code
* configure: detect xlclang separately from clang
* configure: fix recv/send/select detection on Android
* configure: rewrite --enable-code-coverage
* conncache_unlock: avoid indirection by changing input argument type
* cookie: fix comment typo
* cookies: allow secure override when done over HTTPS
* cookies: extend domain checks to non psl builds
* cookies: skip custom cookies when redirecting cross-site
* curl --xattr: strip credentials from any URL that is stored
* curl -J: refuse to append to the destination file
* curl/urlapi.h: include "curl.h" first
* curl_multi_remove_handle() don't block terminating c-ares requests
* darwinssl: accept setting max-tls with default min-tls
* disconnect: separate connections and easy handles better
* disconnect: set conn->data for protocol disconnect
* docs/version.d: mention MultiSSL
* docs: fix the --tls-max description
* docs: use $(INSTALL_DATA) to install man page
* docs: use meaningless port number in CURLOPT_LOCALPORT example
* gopher: always include the entire gopher-path in request
* http2: clear pause stream id if it gets closed
* if2ip: remove unused function Curl_if_is_interface_name
* libssh: do not let libssh create socket
* libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
* libssh: free sftp_canonicalize_path() data correctly
* libtest/stub_gssapi: use "real" snprintf
* mbedtls: use VERIFYHOST
* multi: multiplexing improvements
* multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
* ntlm: fix NTLMv2 compliance
* ntlm_sspi: add support for channel binding
* openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
* openssl: fix the SSL_get_tlsext_status_ocsp_resp call
* openvms: fix OpenSSL discovery on VAX
* openvms: fix typos in documentation
* os400: add a missing closing bracket
* os400: fix extra parameter syntax error
* pingpong: change default response timeout to 120 seconds
* pingpong: ignore regular timeout in disconnect phase
* printf: fix format specifiers
* runtests.pl: Fix perl call to include srcdir
* schannel: fix compiler warning
* schannel: preserve original certificate path parameter
* schannel: stop calling it "winssl"
* sigpipe: if mbedTLS is used, ignore SIGPIPE
* smb: fix incorrect path in request if connection reused
* ssh: log the libssh2 error message when ssh session startup fails
* test1558: verify CURLINFO_PROTOCOL on file:// transfer
* test1561: improve test name
* test1653: make it survive torture tests
* tests: allow tests to pass by 2037-02-12
* tests: move objnames-* from lib into tests
* timediff: fix math for unsigned time_t
* timeval: Disable MSVC Analyzer GetTickCount warning
* tool_cb_prg: avoid integer overflow
* travis: added cmake build for osx
* urlapi: Fix port parsing of eol colon
* urlapi: distinguish possibly empty query
* urlapi: fix parsing ipv6 with zone index
* urldata: rename easy_conn to just conn
* winbuild: conditionally use /DZLIB_WINAPI
* wolfssl: fix memory-leak in threaded use
* spnego_sspi: add support for channel binding
0.7.1:
Add support for Python 3.5, 3.6 and 3.7.
Move to GitHub and Travis CI.
Add support for iterator arguments to _speedups Markup.join implementation so that it matches
the Python implementation.
Add HTML5 input placeholder attribute to list of translatable attributes.
Add missing boolean attributes to XHTML and HTML serializers.
Fix infinite recursion in template inlining.
Support slash escaped of CRLF newlines.
Disable the speedups C extension on CPython >= 3.3 since Genshi doesn't support the new Unicode
C API yet.
Fix handling of case where a translation has text after a closing tag.
Fix assert with side-effect in xi:fallback directive processing
3.9.2:
Routers: invalidate _urls cache on register()
Deferred schema renderer creation to avoid requiring pyyaml.
Added 'request_forms' block to base.html
Fixed SchemaView to reset renderer on exception.
Update Django Guardian dependency.
Ensured support for Django 2.2.
Made templates compatible with session-based CSRF.
Adjusted field validators to accept non-list iterables.
Added SearchFilter.get_search_fields() hook.
Fix DeprecationWarning when accessing collections.abc classes via collections
Allowed Q objects in limit_choices_to introspection.
Added lazy evaluation to composed permissions.
Add negation ~ operator to permissions composition
Avoided calling distinct on annotated fields in SearchFilter.
Introduced RemovedInDRF…Warning classes to simplify deprecations.
## 4.3.3
- update jquery to 3.3.1
## 4.3.2
- update jquery to 3.3.0
- Add possibility to test HTML: all, attribute prefix, attribute contains,
attribute ends with, child, and class selectors
- Fix matching multiple calls for the same selector/function exception
## 4.3.1
- update jquery to 3.2.1
## 4.3.0
- update jquery to 3.2.0
- Add possibility to test HTML attribute selectors
## 4.2.2
- update jquery to 3.1.1
## 4.2.1
- update jquery to 3.1.0
## 4.2.0
- Support jQuery 3.x
- Update jquery-ujs to 1.2.2
- Update jQuery to 1.12.4 and 2.2.4
## 4.1.1
- Update jQuery to 1.12.1 and 2.2.1
- Update jquery-ujs to 1.2.1
## 4.1.0
- Update jQuery to 1.12.0 and 2.2.0
- Update jquery-ujs to 1.2.0
## 4.0.5
- Specify that Ruby version 1.9.3+ is required
- Test on Ruby 2.2
- Update jquery-ujs from 1.0.4 to 1.1.0
## 4.0.4
- Fix CSP bypass vulnerability. CVE-2015-1840
## 4.0.1
- Fix RubyGems permission problem.
## 4.0.0
- Minimum dependency set to Rails 4.2
- Updated to jquery-ujs 1.0.2
- Support jQuery 1.x and 2.x
Add ruby-coffee-rails package version 4.2.2 which is supported by Ruby on
Rails 4.2 and later.
CoffeeScript adapter for the Rails asset pipeline. Also adds support to use
CoffeeScript to respond to JavaScript requests (use `.coffee` views).
Add ruby-rails52 version 5.2.2 package.
Ruby on Rails is a full-stack web framework optimized for programmer
happiness and sustainable productivity. It encourages beautiful code
by favoring convention over configuration.
This is for Ruby on Rails 5.2.
Add ruby-actioncable52 version 5.2.2 package.
# Action Cable – Integrated WebSockets for Rails
Action Cable seamlessly integrates WebSockets with the rest of your Rails
application. It allows for real-time features to be written in Ruby in the
same style and form as the rest of your Rails application, while still being
performant and scalable. It's a full-stack offering that provides both a
client-side JavaScript framework and a server-side Ruby framework. You have
access to your full domain model written with Active Record or your ORM of
choice.
This is for Ruby on Rails 5.2.
Add ruby-actionpack52 version 5.2.2 package.
Action Pack is a framework for handling and responding to web requests. It
provides mechanisms for *routing* (mapping request URLs to actions), defining
*controllers* that implement actions, and generating responses by rendering
*views*, which are templates of various formats. In short, Action Pack
provides the view and controller layers in the MVC paradigm.
This is for Ruby on Rails 5.2.
Add ruby-actionview52 version 5.2.2 package.
Action View provides simple, battle-tested conventions and helpers for
building web pages.
This is for Ruby on Rails 5.2.
Changes:
8.0
---
Javascript changes confirmation and prompts use dialogs again
Bug fixes in Urlbar completion and focus handling as well as Adblock filtering
Headerbar enabled by default only under Budgie, GNOME and Patreon
Re-introduced support for `--inactivity-reset`, `-e Fullscreen` and `-e ZoomIn`
Initial support for cross-browser web extensions (not exposed in the GUI yet)
Builds deps: Glib lowered to 2.46.2, Json-Glib and libarchive are now required
Link to the bug tracker from the About dialog
Correct handling of external URIs such as apt:
Fixed installation path for appdata and plugins
Support for building Midori on Android with Gradle
Better internal distinction of errors from visiting pages
Zoom indicators in the page menu and statusbar features extension
pkgsrc changes:
- Remove patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp, it was applied in
2.22.7
Changes:
2.22.7
======
- Fix rendering of glyphs in Hebrew (and possibly other languages) when
Unicode NFC normalization is used.
- Fix several crashes and race conditions.
Changelog:
Changes with nginx 1.15.9 26 Feb 2019
*) Feature: variables support in the "ssl_certificate" and
"ssl_certificate_key" directives.
*) Feature: the "poll" method is now available on Windows when using
Windows Vista or newer.
*) Bugfix: if the "select" method was used on Windows and an error
occurred while establishing a backend connection, nginx waited for
the connection establishment timeout to expire.
*) Bugfix: the "proxy_upload_rate" and "proxy_download_rate" directives
in the stream module worked incorrectly when proxying UDP datagrams.
* aggregate: Use LWPx::ParanoidAgent if available.
Previously blogspam, openid and pinger used this module if available,
but aggregate did not. This prevents server-side request forgery or
local file disclosure, and mitigates denial of service when slow
"tarpit" URLs are accessed.
(CVE-2019-9187)
* blogspam, openid, pinger: Use a HTTP proxy if configured, even if
LWPx::ParanoidAgent is installed.
Previously, only aggregate would obey proxy configuration. If a proxy
is used, the proxy (not ikiwiki) is responsible for preventing attacks
like CVE-2019-9187.
* aggregate, blogspam, openid, pinger: Do not access non-http, non-https
URLs.
Previously, these plugins would have allowed non-HTTP-based requests if
LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
file disclosure, and preventing other rarely-used URI schemes like
gopher mitigates request forgery attacks.
* aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
recommended.
These plugins can request attacker-controlled URLs in some site
configurations.
* blogspam: Document LWPx::ParanoidAgent as desirable.
This plugin doesn't request attacker-controlled URLs, so it's
non-critical here.
* blogspam, openid, pinger: Consistently use cookiejar if configured.
Previously, these plugins would only obey this configuration if
LWPx::ParanoidAgent was not installed, but this appears to have been
unintended.
* po: Always filter .po files.
The po plugin in previous ikiwiki releases made the second and
subsequent filter call per (page, destpage) pair into a no-op,
apparently in an attempt to prevent *recursive* filtering (which as
far as we can tell can't happen anyway), with the undesired effect
of interpreting the raw .po file as page content (e.g. Markdown)
if it was inlined into the same page twice, which is apparently
something that tails.org does. Simplify this by deleting the code
that prevented repeated filtering. Thanks, intrigeri
(Closes: #911356)
Version 2.0.6:
- Updating dependency version of pylint-plugin-utils as pylint 2.3 release
was not compatible
- Improvements to tox.ini
- Add support for new load_configuration hook of pylint
- 'urlpatterns' no longer reported as an invalid constant name
uWSGI 2.0.18:
Fixed support for Python 3.7
Allow to use autoport (socket :0) with custom socket backlog
pyuwsgi ported to python3
pyuwsgi packages fixes
pyuwsginossl build configuration for building pyuwsgi without ssl support
Fix unix socket inheritance after reload on FreeBSD
Fix crashes with --wsgi-env-behavior=holy
Fix invalid free in python plugin
Fix compilation warnings with gcc-8
Fix spooler python references
Don’t generate build warnings in systemd_logger
Fix segmentation fault during worker shutdown
This includes patches for third_party/rust/libc 2.43, which requires a
hack to overwrite checksum fields in .cargo-checksum.json. These will
become unnecessary if libc >= 2.45 is imported.
For aarch64,
- python locks up randomly when "make configure"; see lib/54017:
http://gnats.netbsd.org/54017
- nodejs randomly(?) crashes sometimes.
However, if you are lucky enough ;-), you will have a working binary.
Bump revision.
0.55.0
- Add response headers in WebSocketBadStatusException
- Manually assigning WebSocket-Version
- SSL socket handling fix
- Let setup.py use the same license as LICENSE file
- Ensure that "timeout" is passed down, when calling WebSocket.connect()
- Retry connect on "Interrupted system call"
Version 1.5.0:
- Add support for a Redis Sentinel Cluster.
- Parameterize the hash function so alternatives can be used.
- Include the deprecated werkzeug.contrib.cache module in Flask-Caching.
Drupal 8.6.10 (2019-02-20)
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the security announcement and notes below:
* Drupal core - Remote code execution - SA-CORE-2019-003
Sites on 8.5.x or earlier should update immediately to Drupal 8.5.11 instead,
and plan to update to the latest 8.6.x release before May 2019 (when 8.7.0 is
released and 8.5.x security coverage ends).
Important update information
For site owners
* In addition to the above fix, this release includes the fix for #3031740:
Updating to 8.6.8 or 8.6.9 with Drush 8 causes data loss via
update_fix_compatibility() to prevent Drush 8 issues for sites updating
directly from an earlier security release.
* update.php must be run after updating to ensure changes from the patch take
effect.
* No changes have been made to the .htaccess, web.config, robots.txt or
default settings.php files in this release, so upgrading custom versions of
those files is not necessary if your site is already on the previous
release.
For module developers
Some contributed module tests may need to be updated if they extend core's
test suite, due to a minor API change in a test base class.
3.4.25 (7 July 2017)
* Fix a bug where * wouldn't always be eliminated during selector unification.
Deprecations -- Must Read!
* Extending compound selectors such as .a.b is deprecated. This never followed
the stated semantics of extend: elements that match the extending selector
are styled as though they match the extended selector.
* When you write h1 {@extend .a.b}, this should mean that all h1 elements are
styled as though they match .a.b -- that is, as though they have class="a b",
which means they'd match both .a and .b separately. But instead we extend
only selectors that contain both .a and .b, which is incorrect.
* Color arithmetic is deprecated. Channel-by-channel arithmetic doesn't
correspond closely to intuitive understandings of color. Sass's suite of
color functions are a much cleaner and more comprehensible way of
manipulating colors dynamically.
* The reference combinator, /foo/, is deprecated since it hasn't been in the
CSS specification for some time.
* The old-style :name value property syntax is deprecated. This syntax is not
widely used, and is unnecessarily different from CSS.
3.7.3 (4 January 2019)
* Emit escaped tab characters in identifiers as \9 rather than a backslash followed by a literal tab.
3.7.2 (8 November 2018)
* Fix more escaped-whitespace edge cases.
3.7.1 (7 November 2018)
* Properly handle escaped whitespace and other unusual characters.
3.7.0 (6 November 2018)
* Add support for CSS's min() and max() math functions. A min() and max() call will continue to be parsed as a Sass function if it involves any Sass-specific features like variables or function calls, but if it's valid plain CSS (optionally with interpolation) it will be emitted as plain CSS instead.
See the proposal for details.
* Add support for range-format media features like (10px < width < 100px). See the proposal for details.
* Normalize escape codes in identifiers so that, for example, éclair and \E9clair are parsed to the same value. See the proposal for details.
Backwards Incompatibilities -- Must Read!
* Percentages passed as $alpha arguments to rgba() and hsla() are now interpreted according to the spec, and all other units are disallowed.
3.6.0 (19 September 2018)
* Add support for importing an _index.scss or _index.sass file when importing a directory.
Backwards Incompatibilities -- Must Read!
* Tokens such as #abcd that are ambiguous between ID strings and hex colors with an alpha channel are now parsed as colors.
3.5.7 (18 July 2018)
* Add a post-install message indicating that Ruby Sass is deprecated.
* Properly emit an error when an empty block is passed to a mixin that doesn't use @content.
3.5.6 (22 March 2018)
* Allow ! in custom property values.
* var() may now be passed in place of multiple arguments to rgb(), rgba(), hsl() and hsla().
* Don't crash on custom properties that aren't followed by semicolons.
* Don't crash when normalizing numbers with complex units.
* Don't crash on $x % 0.
3.5.5 (4 January 2018)
* Emit a warning when && is used, since it's probably not what the user means.
* Add a suggested replacement for extended compound selectors.
* Fix a bug where an unparseable selector produced an unuseful error.
3.5.4 (15 December 2017)
* round() now returns the correct results for negative numbers that should round down.
* Avoid thread-unsafely modifying $stderr.
3.5.3 (26 October 2017)
* Generate correct source maps for map literals.
3.5.2 (4 October 2017)
* Properly parse CSS variables that begin with interpolation (for example, --#{$foo}: ...).
3.5.1 (13 July 2017)
* Avoid conflicts with the listen gem.
3.5.0 (12 July 2017)
* Default to ten digits of numeric precision.
* Combine ids and :root when unifying selectors with @extend and selector functions.
* It's no longer an error to @extend a selector that exists in the stylesheet, but for which unification fails.
* Add a $weight parameter to invert().
* The last argument in an argument list can now have a trailing comma.
* Allow var() to be passed to rgb(), rgba(), hsl(), and hsla().
* Add support for the ::slotted() pseudo-element.
* Add support for CSS's grid template areas and named lines. We support this syntax through a new type of list called a "bracketed list". Bracketed lists can be created by wrapping a list with square brackets. For example: [this is bracketed] and [this, is, also, bracketed]. Bracketed lists will output their square brackets when used as a CSS value. Bracketed lists may be either space-separated or comma-separated. The is-bracketed() function, when passed a list will return a boolean indicating whether that list will output with brackets. The join() function now accepts a $bracketed parameter that controls whether the returned list has brackets.
* A new function content-exists() will return true when called within a mixin that was passed content for use by the @content directive.
* Passing a string to call($function-name, $args...) indicating which function to invoke is now deprecated. Instead pass a function reference returned from get-function($function-name). This allows function name resolution to be performed in the correct lexical context and then invoked in a different context. This is required so that the module-based resolver in Sass 4.0 will invoke the correct function when calling across module boundaries. Developers of frameworks that use call should not do the function lookup for callers of their framework; this is likely to result in a situation where the framework cannot resolve the function in 4.0.
* Values that can be interpreted as hex colors with alpha channels and also as ID values, such as #abcd, now emit deprecation warnings in preparation for being parsed differently in Sass 3.6. They were previously parsed as strings, and in 3.6 they will be parsed as colors instead.
* Pseudo selectors that take arguments now allow any [<declaration-value>][declaration-value] production in their argument list. This will provide better forwards-compatibility for future CSS syntax.
* Pseudo selectors that take selectors as arguments will no longer always be eliminated if they contain placeholder selectors that aren't extended. Instead, they'll be reduced to valid CSS selectors if possible.
* Generated transparent colors will now be emitted as rgba(0, 0, 0, 0) rather than transparent. This works around a bug wherein IE incorrectly handles the latter format.
* The indented syntax now allows different indentation to be used for different lines, as long as they define a consistent tree structure.
Backwards Incompatibilities -- Must Read!
* The way CSS variables are handled has changed to better correspond to the CSS spec. They no longer allow arbitrary SassScript in their values; instead, almost all text in the property values will be passed through unchanged to CSS. The only exception is #{}, which will inject a SassScript value as before.
Add ruby-sass-rails package version 5.0.7 which covers Ruby on Rails 4.2
and later.
Sass adapter for the Rails asset pipeline.
This gem provides official integration for Ruby on Rails projects with the
Sass stylesheet language.
This fork of guard/listen provides a stable API for users of the ruby Sass CLI.
Listen
The Listen gem listens to file modifications and notifies you about the changes.
Features
* OS-optimized adapters on MRI for Mac OS X 10.6+, Linux, \*BSD and Windows,
[more info](#listen-adapters) below.
* Detects file modification, addition and removal.
* You can watch multiple directories.
* Regexp-patterns for ignoring paths for more accuracy and speed
* Increased change detection accuracy on OS X HFS and VFAT volumes.
* Tested on MRI Ruby environments (2.0+ only) via
[Travis CI](https://travis-ci.org/guard/listen).
Note explicit dependency on libwebp >= 1.0.1. (libwebp itself doesn't
merit a general bump in its buildlink3.mk file, since according to its
change log, there are no incompatibilities added.) No PKGREVISION bump,
since either this previously built with the newer version of libwebp in
the current pkgsrc tree, or it failed to meet the dependency.
Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq
and CompareStrictEq nodes. https://bugs.webkit.org/show_bug.cgi?id=194800
<rdar://problem/48183773>
Reviewed by Yusuke Suzuki.
Fix doesGC() for the following nodes:
CompareEq:
CompareLess:
CompareLessEq:
CompareGreater:
CompareGreaterEq:
CompareStrictEq:
Only return false (i.e. does not GC) for child node use kinds that have
been vetted to not do anything that can GC. For all other use kinds
(including StringUse and BigIntUse), we return true (i.e. does GC).
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
This was published alongside exploit code claiming it is remote
code execution, but I don't understand what the exploit is doing.
bump PKGREVISION
Changelog:
15.0.4
Changes
Make external storages browsable again in the web UI (server#14076)
15.0.3
Changes
Upload new files in objectstore to a .part path first (server#13036)
Broker: add timezone to CANCEL messages (server#13384)
Add strengthify.min files (server#13546)
Fix click app names (server#13575)
Principals can be principal/user/ or principal/ from lega… (server#13582)
Correctly handle displaynames returned from the sharee API (server#13585)
Don't close input stream when writing in encrypted file (server#13588)
Bump pear/archive_tar to 1.4.5 (server#13598)
Fix integer background job id type error (server#13609)
Fix user settings label translation (server#13611)
Fix app navigation flickering on hover (server#13625)
Update URL for federation (server#13636)
Fix colorizeSvg with transformations that contain a comma (,) (server#13653)
Use warning background color & primary text color for setting warnings (server#13665)
Fix template parameter (server#13670)
Cache tokens when using swift's v2 authentication (server#13740)
Cleanup shared lock if changing to exclusive lock failed (server#13744)
Honor remember_login_cookie_lifetime (server#13758)
Fix integration of social sharing into the link popover menu (server#13761)
Respect user locale in natural sort comparator (server#13762)
Call proper function when fetching link shares in the breadcrumb view (server#13769)
Add acceptance tests for moving and copying files (server#13771)
Show proper default locale (server#13781)
Ignore non existing users when retrieving details of group members (server#13792)
Remove .css fileending from accessibility user css route (server#13793)
Add icon to restore activity (server#13794)
Fix long comment in dark theme (server#13804)
Bump bower from 1.8.4 to 1.8.8 in /build (server#13821)
Fix for high contrast theme (server#13852)
Always use multipart uploader for s3 uploads (server#13882)
Fix paged search with multiple bases (LDAP) (server#13884)
Fix dropping a folder on a folder row (server#13887)
Fix updating the password of a link share when passwords are enforced (server#13900)
Add fallback for trashbin original location (server#13904)
Allow shared versions again in legacy backend (server#13905)
Improve data directory write checking for NFS mounts (server#13906)
Clean pending 2FA authentication on password reset (server#13915)
Forward error message from password policy (server#13918)
Remove warning in case of external storage error (server#13920)
Handle mail send error gracefully (server#13930)
Bump pear/archive_tar from 1.4.3 to 1.4.5 (3rdparty#214)
Move to SCSS and fix app icon for dark theme (activity#338)
Fill screen in fullscreen mode for public videos. Fixes #77 (files_videoplayer#79)
Use target="_blank" and rel="noreferrer noopener" (firstrunwizard#105)
Fix notification documentation to reflect recent changes (notifications#258)
Changelog:
Enhancements
Templates
Adjust tests ddc6d4e3 @bep #5643
Prevent getJSON and getCSV fetch failure from aborting build 6a2bfcbe @anthonyfok #5643
Core
Expand TestPageWithEmoji to cover '+', '-' and '_' too 2a9060a8 @anthonyfok #5635
Restore 0.48 slash handling in taxonomies 40ffb048 @bep #5571
Other
Use official semver even for main releases fab41f42 @bep #5639
Add test for --configDir 59d87044 @bep #5662
Ignore unknown config files in config dir 3244cb3b @bep #5646
Store supported config formats in a variable d9282cf9 @tryzniak
Bump to Go 1.11.5 8ed2a1ca @bep #5654
Update Afero e8596139 @bep #5650
Accept hyphen and plus sign in emoji detection 3038464e @anthonyfok #5635
Support numeric sort in ByParam 26f75edb @tryzniak #5305
Make hugo server -t work again db3c49d0 @tryzniak #5569 #5061 #4868
Add configFile(s) back to the watch list after RENAME event too e3cb8e6c @anthonyfok #5205
Remove historical rssURI config 55251aa8 @mywaiting
Use subtests with server_test.go 843fcd19 @tryzniak
Move resource interfaces into its own package ce8a09a4 @bep
Move resource processors into sub-packages 669ada43 @bep
Update _index.md 50745122 @vrMarc
Update go.sum 0584432b @bep
Update Chroma cc351958 @bep #4993
Make docshelper run again c24f3ae2 @bep #5568
Fixes
Templates
Fix reflect 9e4f9e0b @moorereason #5564
Other
Fix some inline shortcode issues c52045bb @bep #5645 #5653
Fix OpenGraph image fallback to site params 526b5b1c @statik
Fix Params case handling in the new site global e1a66c73 @bep #5615
cache/namedmemcache: Fix data race 3f3187de @bep
Changelog:
Fixed
Fixed accidental requests to addons.mozilla.org when an addon recommendation doorhanger is shown (bug 1526387)
Improved playback of interactive Netflix videos (bug 1524500)
Fixed color management not working on macOS (bug 1506495)
Fixed incorrect sizing of the "Clear Recent History" window in some situations (bug 1523696)
Fixed audio & video delays while making WebRTC calls (bug 1521577 & bug 1523817)
Fixed video sizing problems during some WebRTC calls (bug 1520200)
Fixed looping CONNECT requests when using WebSockets over HTTP/2 from behind a proxy server (bug 1523427)
Fixed the "Enter" key not working on password entry fields for certain Linux distributions (bug 1523635)
Various stability and security fixes.
Security fixes:
#CVE-2018-18356: Use-after-free in Skia
#CVE-2019-5785: Integer overflow in Skia
#CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext
1.8.0
NEW: Add custom selector support.
FIX: Small tweak to CSS identifier pattern to ensure it matches the CSS specification exactly. Specifically, you can't have an identifier of only -.
FIX: CSS string patterns should allow escaping newlines to span strings across multiple lines.
FIX: Newline regular expression for CSS newlines should treat \r\n as a single character, especially in cases such as string escapes: \\\r\n.
FIX: Allow -- as a valid identifier or identifier start.
FIX: Bad CSS syntax now raises a SelectorSyntaxError, which is still currently derived from SyntaxError, but will most likely be derived from Exception in the future.
v1.0.0:
Update included self-signed cert to include IP address in SAN. Full version bump because this could be a breaking change for those depending on the certificate missing the IP address in the SAN (as it seems the requests test suite does)
Only use @pytest.fixture decorator once
Fix a few README typos
6.10.0
[Core] Fixed stackframes in some situations being in inverse order.
[Flask] Fix wrong exception handling logic (accidentally relied on Flask internals).
[Core] No longer send NaN local vars as non-standard JSON.
0.11.4 (February 15, 2019)
* New -json-to-caddyfile and -caddyfile-to-json flags
* Fix leaking logging goroutine on SIGUSR1
* basicauth: Error is logged when authentication fails
* proxy: Fix bug by re-adding pre-existing trailing slashes
* tls: Fix bug related to certificate storage path
0.11.3 (February 5, 2019)
* New {server_port} placeholder
* New third-party plugin: extauth
* New flags -log-roll-mb and -log-roll-compress
* basicauth: Bypass for OPTIONS method
* errors/log: Ability to disable log rolling
* proxy: New subdirective 'ca_certificates'
* staticfiles: Require GET method to serve static files
* tls: Fixes to self-signed certs, IP certs, email prompts, & more
* SOLVED REGRESSIONS: #2356, #2414
* A number of other important fixes and improvements
0.11.2 (January 16, 2019)
* Extracted automagic TLS code into CertMagic library
* Add support for new clustering plugins
* New placeholder: '{when_iso_local}'
* New third-party plugins: s3browser, filebrowser
* Removed third-party plugins: jekyll, hugo
* bind: Support multiple interface values
* import: Can now be used within directive blocks
* proxy: Status 499 when clients close connection early
* templates: No longer emit ETag and Last-Modified headers
* tls: Support for the ACME TLS-ALPN-01 challenge
* KNOWN/UNRESOLVED REGRESSIONS: #2356, #2414
* Several bug fixes and minor improvements
0.11.0
This release has been about 6 months in the making! Featuring an integrated
telemetry client, you can now view stats about your Caddy instance and
contribute to Internet research. Telemetry is entirely optional. Read the blog
post and telemetry docs for more information, and check out our global stats!
You can also look up details about your own instances there.
Full change list:
* Built with Go 1.10.2
* Integrated optional telemetry client
* proxy: Fixed file descriptor leak
0.10.14
* tls: Fix error handling bug when obtaining certificates
0.10.13
Caddy 0.10.13 is a minor release that fixes security flaws in TLS client
authentication and On-Demand TLS. It is recommended that everyone relying on
these capabilities upgrade. This release also has bug fixes for the Caddyfile
parser (caught by fuzzing) and handling errors when a certificate could not be
obtained via ACME.
Do not use this version, it cannot obtain certificates due to a bug. Version
0.10.14 fixed this.
Change list:
* New third-party plugin: supervisor
* Updated QUIC
* proxy: Fix transparent pass-thru of X-Forwarded-For
* proxy: Configurable timeout to upstream
* rewrite: Now supports regular expressions on single-line
* tls: StrictHostMatching mode to prevent client auth bypass
* tls: Disable client auth when using QUIC
* tls: Require same client auth cert pools per hostname
* tls: Prevent On-Demand TLS directory traversal
* tls: Fix empty files when using ACME fails to obtain cert
* Fixed test broken by 1.1.1.1 resolving
* Improved Caddyfile parser robustness by fuzzing
0.10.12
This release brings ACMEv2 and wildcard certificate support!
Read the release announcement blog post for details. There's some things in
there you should know, including a description of how some really cool features
work.
Thanks to everyone who contributed to this release!
Change list:
* Switch to Let's Encrypt ACMEv2 production endpoint
* Support for automated wildcard certificates
* Support distributed solving of HTTP-01 challenge
* New {labelN}, {tls_cipher}, and {tls_version} placeholders
* Curly braces can now be escaped when not used as placeholders
* New third-party plugin: geoip
* Updated QUIC
* fastcgi: Add SSL_CIPHER and SSL_PROTOCOL environment variables
* log: New 'except' subdirective to exempt paths from logging
* startup/shutdown: Removed in favor of 'on'
* tls: Default minimum version is TLS 1.2
* tls: Revert to fallback cert if no cert matches SNI
* tls: New 'wildcard' subdirective to force automated wildcard cert
* Several significant bug fixes and improvements!
2.0.33:
- Fixed 210. Allow to reset select multiple with field.value = []
- Support for PYTHONOPTIMIZE=2, fix tests on PYTHONOPTIMIZE=1, 2
- Fixed 196. Fix deprecation warnings for collections to use
collections.abc for Iterable on Python 3.
2.1.7:
* HTTP request body size limit is now enforced
* database_sync_to_async now closes old connections before it runs code
* Auth middleware closes old connections before it runs
2.2.5:
* WebSocket handshakes are now affected by the websocket connect timeout, so
you can limit them from the command line.
* Server name can now be set using --server-name
1.2:
Reformatted the code using Black.
Added equality of JS() objects to avoid adding the same script more than once in the same configuration.
Determine the static callable at module import time, not each time a static path is generated.
Customized the repr() of JS() objects.
Added Python 3.7 and Django 2.2 to the test matrix.
2.1.7:
Bugfixes
Corrected packaging error from 2.1.6
2.1.6:
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() – used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters – received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().
To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
Bugfixes
Made the obj argument of InlineModelAdmin.has_add_permission() optional to restore backwards compatibility with third-party code that doesn’t provide it
1.11.20:
Bugfixes
Corrected packaging error from 1.11.19
1.11.19:
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() – used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters – received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().
To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
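The guard described in the CVE-2019-6975 notes (both the 2.1.6 and 1.11.19 entries), as an added Python sketch that is not Django's own code. The names `digit_cost`, `fixed_point_length`, `safe_format` and `DIGIT_CUTOFF` are hypothetical, and measuring "more than 200 digits" as coefficient digits plus absolute exponent is an assumption of this sketch.

```python
from decimal import Decimal

# Cutoff taken from the release note: more than 200 digits -> scientific notation.
DIGIT_CUTOFF = 200


def digit_cost(number: Decimal) -> int:
    """Estimate how many digit characters '{:f}' would emit for `number`.

    Assumption of this sketch: cost = coefficient digits + |exponent|,
    read from the tuple form so no large string is ever built.
    """
    _sign, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def fixed_point_length(number: Decimal) -> int:
    """Length of the unguarded fixed-point rendering (the pre-fix behaviour)."""
    return len("{:f}".format(number))


def safe_format(number: Decimal) -> str:
    """Render `number`, switching to scientific notation past the cutoff."""
    # NaN and Infinity carry a non-numeric exponent marker in as_tuple(),
    # so they must be handled before digit_cost() is called.
    if not number.is_finite():
        return str(number)
    if digit_cost(number) > DIGIT_CUTOFF:
        # Output size now depends on the number of coefficient digits only,
        # not on the magnitude of the exponent.
        return "{:e}".format(number)
    return "{:f}".format(number)


if __name__ == "__main__":
    # Constructed sample inputs: a few bytes of text each.
    samples = ["1234.50", "1E+199", "1E+200", "1E+5000", "1E-5000", "NaN"]
    for text in samples:
        value = Decimal(text)
        unguarded = fixed_point_length(value) if value.is_finite() else "-"
        guarded = safe_format(value)
        print(f"{text:>10}  unguarded_len={unguarded!s:>5}  "
              f"guarded_len={len(guarded):>4}  guarded={guarded[:24]}")
```

The short input `1E+5000` expands to thousands of characters under plain `'{:f}'` formatting, and the expansion grows linearly with the exponent, which is why the check has to run on the tuple form before any formatting happens.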
pkgsrc changes:
- Set USE_GCC_RUNTIME to depend on gcc6-libs when pkgsrc gcc is used
(XXX: Not tested and not clear if currently mk/compiler/gcc.mk DTRT
XXX: regarding (if not, that's probably why firefox/mozilla-common.mk
XXX: abuses USE_PKGSRC_GCC_RUNTIME!))
Changes:
WebKitGTK+ 2.22.6
=================
- Make kinetic scrolling slow down smoothly when reaching the ends of
pages, instead of abruptly, to better match the GTK+ behaviour.
- Fix Web inspector magnifier under Wayland.
- Fix garbled rendering of some websites (e.g. YouTube) while scrolling
under X11.
- Fix several crashes, race conditions, and rendering issues.
Upstream changes:
Major changes since 7.63:
Issue #3018637 by emilymoi, das-peter: [regression] Unset the 'host' header in drupal_http_request() during redirect
Compatibility fixes for PHP 7.3 (#3020771)
Compatibility fixes for MySQL 5.7 (#2981248)
All changes since 7.63:
#1430934 by johnish@gmail.com, DamienMcKenna, Berdir, malcomio, Dane Powell, zerolab, er.pushpinderrana, akosipax, njbarrett, Fabianx, alesr, David_Rothstein, littledynamo, das-peter: Notice: Undefined index: display_field in file_field_widget_value() (line 582 of /module/file/file.field.inc)
#1470656 by Damien Tournoud, joseph.olstad, Pol, Fabianx, catch: Registry rebuild should not parse the same file twice in the same request
#3028364 by Pol, Fabianx: Update function _registry_update() and move module_implements() and _registry_check_code() calls out of the try/catch
#3018637 by emilymoi, das-peter: [regression] Unset the 'host' header in drupal_http_request() during redirect
#3026529 by alexpott: 7.x does not have Phar protection and Phar tests are failing on Drupal 7
#2482549 by Pol, marcelovani, ndf, drupal@guusvandewal.nl, TR, jenlampton, kaidjohnson, ufku, MiSc, David_Rothstein, RobLoach, pablo.guerino, afoster, geerlingguy, SebCorbin, joelpittet, JohnAlbin: Fix up commit - convert short array styles to long.
#3023066 by Pol, mfb: [PHP 7.3] Fix BootstrapMiscTestCase::testCheckMemoryLimit() notice
#2482549 by Pol, marcelovani, ndf, drupal@guusvandewal.nl, jenlampton, ufku, kaidjohnson, MiSc, David_Rothstein, RobLoach, SebCorbin, geerlingguy, pablo.guerino, JohnAlbin, joelpittet, afoster: Ignore node_module folder in core to use Drupal with npm/grunt/nodejs
#3020771 by Ayesh, Pol, sjerdo: [PHP 7.3] strpos explicit string needle warnings
#2981248 by mfb, LFP6, msti: MySQL 5.7 incompatibility in system upgrade 7061
Remove the patch that is included upstream
Upstream changes:
8.6.7:
This is a hotfix release for a regression affecting some Drush installations that was introduced by the fix for SA-CORE-2019-002. No other fixes are included.
8.6.8:
Changes since 8.6.7
#2975539 by mondrake, alexpott, marcoscano, desierto: Changing machine name of image style leads to WSOD when loading widgets that used the old name
#2859315 by quietone, heddn, jhodgdon: SQL error from profile_fields when migrating d6 (or d7) to d8 without Profile module
#2443165 by davidwbarratt, amateescu, HOG, kostyashupenko, yched, Berdir, andypost, alexpott, tstoeckler, xjm: Drupal\Core\Entity\EntityInterface\ContentEntityStorageBase::doCreate() assumes that the bundle is a string
#2849074 by decafdennis, alexpott, zuuperman, AdamPS, sagesolutions, tucho, xjm: SiteConfigureForm overrides value from install profile
#3007716 by Sam152, kevin.dutra, jhedstrom, larowlan: Security update introduces breaking changes to content moderation
#2215857 by michielnugter, Lendude, gmercer, tim.plunkett, cferthorney, marabak, olli, ericmulder1980, TwoD, sanduhrs, stella, dww, nod_: Behaviors get attached to removed forms
#3017812 by ibustos, joachim: Language selector is immune to hook_entity_field_access in entity forms
#2900883 by larskhansen, GaëlG, kalyansamanta, Chi, tim.plunkett, Gábor Hojtsy, joachim: Wrong documentation of Drupal\Component\Plugin\Derivative\DeriverInterface::getDerivativeDefinitions()
#3027595 by amateescu, pmelab: Incorrect blacklist condition in WorkspaceManager
#2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, lauriii, catch, cilefen, Cottser: [regression] Table Drag handles no longer respond to up/down arrow keys
Revert "Issue #2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, @catch, @cilefen, @Cottser, @lauriii: [regression] Table Drag handles no longer respond to up/down arrow keys"
#2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, @catch, @cilefen, @Cottser, @lauriii: [regression] Table Drag handles no longer respond to up/down arrow keys
#2937073 by tim.plunkett, Saviktor, tedbow: Improve robustness of FieldBlockTest
#2973713 by quietone, Adita, etecjdo, apmsooner, mikeryan, gnuschichten, tstoeckler: cache_key source plugin configuration not documented
#2949555 by quietone, ankitjain28may: Correct the documentation on method UserMigrationClassTest
#3025685 by quietone: Add error msg to assertions in MigrateSourceTestBase
#3026840 by izus: Fix plural typo in workspaces field
#3024452 by kfritsche, hchonov, alexpott: DatabaseStorageExpirable:setWithExpireIfNotExists is not respecting expired
#2999908 by penyaskito: View more link in recipe cards is not fully translated
#3028819 by alwaysworking: Update username
#2916021 by d.olaresko, wengerk, Chi, xjm, dawehner, idebr: Update "Running tests" section in core.api.php
#2953995 by kjay, starshaped, rachel_norfolk, Vidushi Mehta, cferthorney, HAL 9000, Eli-T, markconroy, steveparks: Update the Umami Vegan Chocolate Brownie recipe
#3028608 by danharper, Eli-T, markconroy, Not Real: Umami - favicon
#2940027 by jmsosso: Add change record to @deprecated for AccountInterface
#2995150 by msankhala, tim.plunkett: Command examples in core/tests/README.md are confusing and not executable
#3024184 by seanB, andrewmacpherson, Kristen Pol: Make the tabbing order match the visual reading order in MediaLibraryWidget
#2668416 by Krzysztof Domański, wheatpenny, Lendude, alexpott: Wrong assert in NodeTitleTest
#2981870 by Lendude, alexpott: Duplicate BrokenSetUpTest for BrowserTestBase
#2809513 by Lendude, brentgees: Convert AJAX part of \Drupal\responsive_image\Tests\ResponsiveImageFieldUiTest to JavascriptTestBase and the rest to BrowserTestBase
#3027574 by tuutti: SqlContentEntityStorage no longer update entities with certain (id) fields
#3026043 by Berdir: ConfigEntityBase::__sleep() serializes plugin instances if they were not previously initialized
#3021395 by quietone, alexpott: MigrateDrupalTestBase::migrateContent(['translations') does not migrate translations
Revert "Issue #3003238 by Sam152, amateescu, Berdir: EntityStorageException: Default revision can not be deleted in content_moderation_entity_revision_delete()"
#2987418 by quietone, Kristen Pol: Rename MigrateUpgrade tests
#3003238 by Sam152, amateescu, Berdir: EntityStorageException: Default revision can not be deleted in content_moderation_entity_revision_delete()
#3026470 by alexpott, jrockowitz, Joseph Zhao: ArchiveTar is throwing fatal error
Merged 8.6.7.
Merged 8.6.6.
#3015992 by Krzysztof Domański, alexpott, larowlan: Not affecting spacing in PhpTransliterationTest
#2998769 by kiamlaluno, quietone, kkalaskar: @see directive used in the wrong place outputs the wrong HTML markup
#3000677 by catch, Shane Birley, featherbelly, alexpott, larowlan: Fatal error after upgrade to 8.6x [due to regression in extension system]
#2955457 by pfrenssen, Chewie, unrealauk, alexpott, Pol: ConfigFactory static cache gets polluted with data from config overrides
#3020142 by mglaman, tim.plunkett: Test module no_transitions_css has invalid hook_page_attachments
#3007973 by tim.plunkett, lukasss, xopoc, bnjmnm, stompersly: Layout builder prevents the rendering of extra fields (like Links) on pages not using Layout Builder
#3024259 by Pol, alexpott: [PHP 7.3] Fix EnvironmentTest::providerTestCheckMemoryLimit() notice
#3023747 by mikelutz, heddn: D6 profile migrations assume stubs, which fail
#2978922 by brathbone, philipnorton42, msankhala, hardikpandya, alexpott, siliconmeadow: Improve batch_process() documentation
#2845975 by quietone, Jo Fitzgerald, aleevas, maxocub, Gábor Hojtsy: Migrate Drupal 6 user profile field value option translations
#2701829 by alexpott, andypost, Soul88, Graber, Eduardo Morales, dawehner, pingwin4eg, catch, Berdir, jibran, httang12: Extension objects should not implement \Serializable
#2693727 by mikelutz, sanduhrs, CalebD, ajlib, Lendude, tstoeckler, catch: Limiting options for exposed Language filters causes errors and doesn't work for special languages
8.6.9:
Changes since 8.6.8:
#2215857 followup by gaydamaka, timmillwood, alexpott, lauriii: Regression on Internet Explorer 11
#3031128 by alexpott, TrevorBradley, indigoxela, catch, cilefen, larowlan, jibran: Update from 8.6.7 to 8.6.8 warnings - Drupal\Core\Extension\Extension has no unserializer
Revert "Issue #2924201 by tim.plunkett, tedbow, larowlan, xjm, jibran, Kristen Pol: Resolve random failure in LayoutBuilderTest so that it can be added to HEAD"
#2924201 by tim.plunkett, tedbow, larowlan, xjm, jibran, Kristen Pol: Resolve random failure in LayoutBuilderTest so that it can be added to HEAD
Update DEPENDS
Upstream changes:
v2.5.0 2019-02-08 22:18:11Z
- Strip some control characters from links (GH#34) (Olaf Alders)
- Enable empty_element_tags in HTML::Parser (GH#35) (Olaf Alders)
v2.4.1 2019-02-05 14:13:16Z
- Bump version of Type::Tiny to 1.002001. (GH#33) (Olaf Alders). Issue
reported by Slaven Rezić (GH#32).
v2.4.0 2019-02-05 02:51:05Z
- Process text until it returns the same value twice. (GH#31) (Olaf
Alders). Issue raised in (GH#29) by Juraj Major.
- Add max_parser_loops attribute
* graph: Add an optional "file" parameter
* emailauth: When email can't be sent, show the error message
* osm: Don't raise errors if tags don't have attached icons
* cgi: Avoid C compiler warnings for waitpid() on NetBSD
* Hide popup template content from documentation (Closes: #898836)
* meta: Make [[!meta date]] show an error if dates are invalid or
Date::Parse can't be loaded
* inline: Cope with non-ASCII `rootpage` parameter.
Thanks, Feng Shu
* table: Cope with non-ASCII content in CSV format tables.
Thanks, Feng Shu
* trail: Allow unescaped punctuation in `pagenames` parameter
* comments: Hide "add comment" link from print stylesheet.
Thanks, Antoine Beaupré
* recentchangesdiff, relativedate, toggle:
Import JavaScript at the end of the page content, not the beginning,
so that the browser can render content as soon as possible.
Thanks, Antoine Beaupré
* inline: Add basic test coverage for [[!inline rootpage]]
* table: Add basic test coverage
* po: Add enough test coverage to reproduce Debian #911356
* comments: Improve test coverage
* tests: Exercise Unicode more
* aggregate: Fix aggregation of posts without a title.
Thanks, Alexandre Oliva
* poll: Added postlink and posttrail options for better multi-page polls.
* Fix permalink to comments.
curl and libcurl 7.64.0
This release includes the following changes:
* cookies: leave secure cookies alone
* hostip: support wildcard hosts
* http: Implement trailing headers for chunked transfers
* http: added options for allowing HTTP/0.9 responses
* timeval: Use high resolution timestamps on Windows
This release includes the following bugfixes:
* CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
* CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
* CVE-2019-3823: SMTP end-of-response out-of-bounds read
* FAQ: remove mention of sourceforge for github
* OS400: handle memory error in list conversion
* OS400: upgrade ILE/RPG binding.
* README: add codacy code quality badge
* Revert http_negotiate: do not close connection
* THANKS: added several missing names from year <= 2000
* build: make 'tidy' target work for metalink builds
* cmake: added checks for variadic macros
* cmake: updated check for HAVE_POLL_FINE to match autotools
* cmake: use lowercase for function name like the rest of the code
* configure: detect xlclang separately from clang
* configure: fix recv/send/select detection on Android
* configure: rewrite --enable-code-coverage
* conncache_unlock: avoid indirection by changing input argument type
* cookie: fix comment typo
* cookies: allow secure override when done over HTTPS
* cookies: extend domain checks to non psl builds
* cookies: skip custom cookies when redirecting cross-site
* curl --xattr: strip credentials from any URL that is stored
* curl -J: refuse to append to the destination file
* curl/urlapi.h: include "curl.h" first
* curl_multi_remove_handle() don't block terminating c-ares requests
* darwinssl: accept setting max-tls with default min-tls
* disconnect: separate connections and easy handles better
* disconnect: set conn->data for protocol disconnect
* docs/version.d: mention MultiSSL
* docs: fix the --tls-max description
* docs: use $(INSTALL_DATA) to install man page
* docs: use meaningless port number in CURLOPT_LOCALPORT example
* gopher: always include the entire gopher-path in request
* http2: clear pause stream id if it gets closed
* if2ip: remove unused function Curl_if_is_interface_name
* libssh: do not let libssh create socket
* libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
* libssh: free sftp_canonicalize_path() data correctly
* libtest/stub_gssapi: use "real" snprintf
* mbedtls: use VERIFYHOST
* multi: multiplexing improvements
* multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
* ntlm: fix NTLMv2 compliance
* ntlm_sspi: add support for channel binding
* openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
* openssl: fix the SSL_get_tlsext_status_ocsp_resp call
* openvms: fix OpenSSL discovery on VAX
* openvms: fix typos in documentation
* os400: add a missing closing bracket
* os400: fix extra parameter syntax error
* pingpong: change default response timeout to 120 seconds
* pingpong: ignore regular timeout in disconnect phase
* printf: fix format specifiers
* runtests.pl: Fix perl call to include srcdir
* schannel: fix compiler warning
* schannel: preserve original certificate path parameter
* schannel: stop calling it "winssl"
* sigpipe: if mbedTLS is used, ignore SIGPIPE
* smb: fix incorrect path in request if connection reused
* ssh: log the libssh2 error message when ssh session startup fails
* test1558: verify CURLINFO_PROTOCOL on file:// transfer
* test1561: improve test name
* test1653: make it survive torture tests
* tests: allow tests to pass by 2037-02-12
* tests: move objnames-* from lib into tests
* timediff: fix math for unsigned time_t
* timeval: Disable MSVC Analyzer GetTickCount warning
* tool_cb_prg: avoid integer overflow
* travis: added cmake build for osx
* urlapi: Fix port parsing of eol colon
* urlapi: distinguish possibly empty query
* urlapi: fix parsing ipv6 with zone index
* urldata: rename easy_conn to just conn
* winbuild: conditionally use /DZLIB_WINAPI
* wolfssl: fix memory-leak in threaded use
* spnego_sspi: add support for channel binding
Closes NetBSD/pkgsrc#42.
5.1.16
- Fix build on OSX.
5.1.15
- Restore apc.serializer=php as the default, as the "default" serializer
still/again has issues.
- Fix possible issues in persistence of arrays with the "default" serializer.
- Attempt to reduce shared memory fragmentation.
5.1.14
- Fixed GH #347: Disable slam defense by default.
- Fix potential issue with destruction of locks. This does not affect Linux,
but might affect Windows and BSD.
- Use mutex instead of rwlock for shared memory allocator (if pthreads mutex
available).
- Require only read-lock for apcu_cas(), by using atomic compare-and-swap.
5.1.13
- Reimplement persistence logic using precise allocation rather than memory
pools. This reduces memory usage of cache entries, especially for small
values, and improves performance of persisting and unpersisting values.
- Fixed GH #335: Stampede protection is broken.
- Fixed GH #328: Segfault in apcu_key_info() if APCu is disabled.
- Generally make the behavior of functions if APCu is disabled more consistent.
- Fixed PHP bug #72980: Empty strings are now consistently allowed as cache
keys.
- Optimized apcu_key_info() and apcu_cache_info() by using interned strings.
- Fix build against PHP master (PHP 7.4).
- Many changes to internal C APIs.
5.1.12
- gh#307: Fix 'Timout' sort option (apc.php).
- gh#308: Keep search parameter on cache entry detail link (apc.php).
- Fix --enable-apcu-clear-signal support.
- Show entries with expired global TTL in APCuIterator.
- Respect TTL when calculating APCuIterator totals.
- The per-entry TTL now always takes precedence over the global TTL.
- The global TTL is now always relative to the access time.
- apcu_inc() and apcu_dec() no longer update hard-expired entries. Instead a
new entry is created.
- Added optional $ttl argument to apcu_inc() and apcu_dec(), used when creating
a new entry.
- PHP bug #76145: Fix use of APCu inside Serializer::(un)serialize().
- gh#304: If apcu_cas() is used on a non-existing entry, don't insert it.
- gh#295: Improve APCuIterator performance by using PCRE JIT and preallocating
key strings.
- Reduce the memory overhead of cache entries.
- Prevent potential memory corruption in the cache slam defense implementation.
- Ensure cache entry references are released on bailout during unserialization.
- Make support for atomic operations a hard requirement for building APCu.
- Check write-lock acquisition for failure, to help debugging deadlock
situations.
- Make sure apcu_inc/dec are atomic when working on a non-existing entry.
- Many changes to internal C APIs.
5.1.11
- fix gh#246 apcu_entry hangs
- fix gh#259 deadlock in apcu_store
- fix gh#281 undefined variable in apc.php
- fix handling of fatal errors in apcu_entry
- check string lengths when looking up keys
- many internal C APIs changed
* pkgsrc change: add "USE_LANGUAGES= # none" line.
2.1.0 (2018-10-04)
Spring has sprung so let's make a new release
New features:
* Rack::PostBodyContentTypeParser -- you can now pass a block to the
middleware to override the default "parse me some JSON" behaviour.
Thanks to Kris Dekeyser (@Kris-LEBIS) for the patch.
* Ruby 2.5 support -- we're now running the test suite through Ruby 2.5.1, as
well as the latest patch releases of all other Ruby releases supported by
rack-contrib (back to 2.2, the same as Rack itself). The only "interesting"
change here is that some Rack::Profiler printers no longer work, which is
not our fault, but rather a problem with ruby-prof.
Bug fixes:
* Remove a deprecation warning about has_rdoc. Thanks to Luciano Sousa
(@lucianosousa) for the patch.
* pkgsrc change: add "USE_LANGUAGES= # none" line.
Update to 1.6.11 which fixes security problems of CVE-2018-16471.
(CVE-2018-16470 is only for rack 2.0.x.)
Flask-RESTPlus is an extension for Flask that adds support for
quickly building REST APIs. Flask-RESTPlus encourages best practices
with minimal setup. If you are familiar with Flask, Flask-RESTPlus
should be easy to pick up. It provides a coherent collection of
decorators and tools to describe your API and expose its documentation
properly using Swagger.
libgnurl is a fork of libcurl. The goal for libgnurl is to support
only HTTP and HTTPS (and only HTTP 1.x) with a single crypto backend
(GnuTLS) to ensure a small footprint and uniform experience for
developers regardless of how libcurl was compiled.
This software is mainly used by GNUnet. The modifications to curl
are kept to the bare minimum, intended to track upstream closely.
gnurl is not a replacement for curl, so different paths are used.
This is a hotfix release for a regression affecting some Drush
installations that was introduced by the fix for SA-CORE-2019-002. No
other fixes are included.
Scrapy 1.6.0:
Highlights:
* better Windows support;
* Python 3.7 compatibility;
* big documentation improvements, including a switch
from .extract_first() + .extract() API to .get() + .getall()
API;
* feed exports, FilePipeline and MediaPipeline improvements;
* better extensibility: :signal:item_error and
:signal:request_reached_downloader signals; from_crawler support
for feed exporters, feed storages and dupefilters.
* scrapy.contracts fixes and new features;
* telnet console security improvements, first released as a
backport in :ref:release-1.5.2;
* clean-up of the deprecated code;
* various bug fixes, small new features and usability improvements across
the codebase.
2.1.5
Changes:
New: ipdb, pdb and wdb filters
Fix: ForeignKeySearchInput, error with widget render(...) parameters on Django 2.1
Fix: pipchecker, unsupported format string passed to NoneType.format error
Tests: bunch of new test cases
Changelog:
New
Enhanced tracking protection: Simplified content blocking settings give users standard, strict, and custom options to control online trackers. A redesigned content blocking section in the site information panel (viewed by expanding the small “i” icon in the address bar) shows what Firefox detects and blocks on each website you visit. To learn more about content blocking, visit the Mozilla Blog.
A better experience for multilingual users: An updated Language section in Preferences allows users to install multiple language packs and order language preferences for Firefox and websites, without having to download locale-specific versions.
Support for Handoff on macOS: Continue browsing across devices. Pick up where you left off with iOS (via Firefox or Safari) on Firefox on Mac.
A better video streaming experience for Windows users: Firefox now supports the next-generation, royalty-free video compression technology called AV1. Read about Mozilla’s contribution to this new open standard.
Improved performance and web compatibility, with support for the WebP image format: WebP brings the same image quality as existing formats at smaller file sizes, which saves bandwidth and speeds up page load.
Fixed
Various security fixes.
Changed
Enhanced security for macOS, Linux, and Android users via stronger stack smashing protection which is now enabled by default for all platforms. "Stack smashing" is a common security attack in which malicious actors corrupt or take control of a vulnerable program.
Firefox will now warn you when closing a window (regardless of whether you have automatic session restore enabled for restart).
Easier performance management: The revamped Task Manager page found at about:performance now reports memory usage for tabs and add-ons.
Improved the pop-up blocker to prevent multiple pop-up windows from being opened by websites at the same time.
Security fixes:
Not available yet.
1.2.1:
Bugfixes
- When given an IPv6 address in X-Forwarded-For or Forwarded for=
waitress was placing the IP address in REMOTE_ADDR with brackets:
[2001:db8::0], this does not match the requirements in the CGI spec which
REMOTE_ADDR was lifted from. Waitress will now place the bare IPv6
address in REMOTE_ADDR: 2001:db8::0.