Changelog:
115.6.0:
* Security fixes.
Mozilla Foundation Security Advisory 2023-54
#CVE-2023-6856: Heap-buffer-overflow affecting WebGL DrawElementsInstanced
method with Mesa VM driver
#CVE-2023-6865: Potential exposure of uninitialized data in
EncryptingOutputStream
#CVE-2023-6857: Symlinks may resolve to smaller than expected buffers
#CVE-2023-6858: Heap buffer overflow in nsTextFragment
#CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer
#CVE-2023-6860: Potential sandbox escape due to VideoBridge lack of texture
validation
#CVE-2023-6867: Clickjacking permission prompts using the popup transition
#CVE-2023-6861: Heap buffer overflow affected nsWindow::PickerOpen(void) in
headless mode
#CVE-2023-6862: Use-after-free in nsDNSService
#CVE-2023-6863: Undefined behavior in ShutdownObserver()
#CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and
Thunderbird 115.6
Changelog:
121.0.1:
Fixed
* Fixed unexpected line wrapping in some CJK contexts caused by changes in
ideographic space handling. (Bug 1870973)
* Fixed a hang when loading sites containing column-based layouts under some
circumstances. (Bug 1867784)
* Fixed missing rounded corners for videos playing over another video. (Bug
1869994)
* Fixed Firefox not closing properly and other applications being unable to
use a USB security key after being previously used during a Firefox
session. (Bug 1863135)
0.25.0 - 2023-12-17
Added
Support the WebSocket Denial Response ASGI extension
Fixed
Allow explicit hidden file paths on --reload-include
Properly annotate uvicorn.run()
0.24.0.post1 - 2023-11-06
Fixed
Revert mkdocs-material from 9.1.21 to 9.2.6
0.24.0 - 2023-11-04
Added
Support Python 3.12
Allow setting app via environment variable UVICORN_APP
0.23.2 - 2023-07-31
Fixed
Maintain the same behavior of websockets from 10.4 on 11.0
0.23.1 - 2023-07-18
Fixed
Add typing_extensions for Python 3.10 and lower
0.23.0 - 2023-07-10
Added
Add --ws-max-queue parameter WebSockets
Removed
Drop support for Python 3.7
Remove asgiref as typing dependency
Fixed
Set scope["scheme"] to ws or wss instead of http or https on ProxyHeadersMiddleware for WebSockets
Changed
Raise ImportError on circular import
Use logger.getEffectiveLevel() instead of logger.level to check if log level is TRACE
0.22.0 - 2023-04-28
Added
Add --timeout-graceful-shutdown parameter
Handle SIGBREAK on Windows
Fixed
Shutdown event is now being triggered on Windows when using hot reload
--reload-delay is effectively used on the watchfiles reloader
0.21.1 - 2023-03-16
Fixed
Reset lifespan state on each request
0.21.0 - 2023-03-09
Added
Introduce lifespan state
Allow headers to be sent as iterables on H11 implementation
Improve discoverability when --port=0 is used
Changed
Avoid importing h11 and pyyaml when not needed to improve import time
Replace current native WSGIMiddleware implementation by a2wsgi
Change default --app-dir from "." (dot) to "" (empty string)
Fixed
Send code 1012 on shutdown for WebSockets
Use surrogateescape to encode headers on websockets implementation
Fix warning message on reload failure
0.20.0 - 2022-11-20
Added
Check if handshake is completed before sending frame on wsproto shutdown
Add default headers to WebSockets implementations
Warn user when reload and workers flag are used together
Fixed
Use correct WebSocket error codes on close
Send disconnect event on connection lost for wsproto
Add SIGQUIT handler to UvicornWorker
Fix crash on exist with "--uds" if socket doesn't exist
Annotate CONFIG_KWARGS in UvicornWorker class
Removed
Remove conditional on RemoteProtocolError.event_hint on wsproto
Remove unused handle_no_connect on wsproto implementation
7.14.0
Enhancements made
- Convert `coalescese_streams` function to `CoalesceStreamsPreprocessor`
Maintenance and upkeep improvements
- chore: update pre-commit hooks
- Fix webpdf test on Python 3.12
- Clean up import
7.13.1
Bugs fixed
- Restore removed import
7.13.0
Enhancements made
- Add table, td, tr to allowed list of tags
Maintenance and upkeep improvements
- Remove twitter links that cause linkcheck to fail
- Update ruff config
- chore: update pre-commit hooks
Sync replace-moz.build.awk with firefox{102,} so that X11 desktop
capture works.
(Re)Fix PR pkg/56955.
(While here define PKGREVISION only once.)
PKGREVISION++
1.877.0 (2024-01-03)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.876.0 (2023-12-28)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.875.0 (2023-12-27)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.874.0 (2023-12-26)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.873.0 (2023-12-22)
* Feature - Added support for enumerating regions for Aws::NetworkMonitor.
1.872.0 (2023-12-21)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.871.0 (2023-12-20)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.870.0 (2023-12-19)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.869.0 (2023-12-18)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
Upstream changes:
Changes for version 4.60 - 2023-11-01
TESTING
move t/changes.t to xt/ as is now broken by the recent rewrite of Test::CPAN::Changes (GH #260)
aioquic is a library for the QUIC network protocol in Python. It
features a minimal TLS 1.3 implementation, a QUIC stack and an HTTP/3
stack.
QUIC was standardised in RFC 9000 and HTTP/3 in RFC 9114
aioquic is regularly tested for interoperability against other QUIC
implementations.
pylsqpack is a wrapper around the ls-qpack library. It provides Python
Decoder and Encoder objects to read or write HTTP/3 headers compressed
with QPACK.
Version 23.12.0
Features
* Start and restart arbitrary processes
* Cleaner process management in shutdown
* Suppress task cancel traceback on open websocket
* Listener and signal prioritization
* Reduce memory consumption
* Accept bare cookies
* Add websocket.handler.<before/after/exception> signals
* Add changed files to reload trigger listeners
* Allow for simple signals
* Improve functionality and consistency of Sanic.event()
* Allow range requests for a single byte
* Better Request.scheme for websocket requests
* Convert Sanic Request to a Websockets Request for handshake
* Add a REPL to the sanic CLI
* Add Python 3.12 support
* Better exception on multiprocessing context conflicts
Bugfixes
* Fix MOTD display for extra data
4.0.0 (2022-10-15)
------------------
Channels 4 is the next major version of the Channels package. Together with the
matching Daphne v4 and channels-redis v4 releases, it updates dependencies,
fixes issues, and removes outdated code. It so provides the foundation for
Channels development going forward.
In most cases, you can update now by updating ``channels``, ``daphne``, and
``channels-redis`` as appropriate, with ``pip``, and by adding ``daphne`` at
the top of your ``INSTALLED_APPS`` setting.
First ``pip``::

    pip install -U 'channels[daphne]' channels-redis

Then in your Django settings file::

    INSTALLED_APPS = [
        "daphne",
        ...
    ]

Again, this is a major version change. Amongst other changes, large amounts of
the Django-wrapping code deprecated in Channels v3 has now been removed, in
favour of Django's own ASGI handling, and the ``runserver`` command has been
moved into the Daphne package.
4.0.0 (2022-10-07)
------------------
Major versioning targeting use with Channels 4.0 and beyond. Except where
noted should remain usable with Channels v3 projects, but updating Channels to the latest version is recommended.
* Added a ``runserver`` command to run an ASGI Django development server.
Added ``"daphne"`` to the ``INSTALLED_APPS`` setting, before
``"django.contrib.staticfiles"`` to enable:
    INSTALLED_APPS = [
        "daphne",
        ...
    ]
This replaces the Channels implementation of ``runserver``, which is removed
in Channels 4.0.
* Made the ``DaphneProcess`` tests helper class compatible with the ``spawn``
process start method, which is used on macOS and Windows.
Note that requires Channels v4 if using with ``ChannelsLiveServerTestCase``.
* Dropped support for Python 3.6.
* Updated dependencies to the latest versions.
Previously a range of Twisted versions have been supported. Recent Twisted
releases (22.2, 22.4) have issued security fixes, so those are now the
minimum supported version. Given the stability of Twisted, supporting a
range of versions does not represent a good use of maintainer time. Going
forward the latest Twisted version will be required.
* Set ``daphne`` as default ``Server`` header.
This can be configured with the ``--server-name`` CLI argument.
Added the new ``--no-server-name`` CLI argument to disable the ``Server``
header, which is equivalent to ``--server-name=`` (an empty name).
* Added ``--log-fmt`` CLI argument.
* Added support for ``ASGI_THREADS`` environment variable, setting the maximum
number of workers used by a ``SyncToAsync`` thread-pool executor.
Set e.g. ``ASGI_THREADS=4 daphne ...`` when running to limit the number of
workers.
* Removed deprecated ``--ws_protocols`` CLI option.
Version 1.5.1 - Security Release
This is a minor security release to fix a potential DoS for applications that allow the use of symmetric keys with pbkdf2.
What's Changed
Fix X22519 import/export from PEM
Read the Docs now requires a config file
chore: refactor for removing pdb symbols
Fix potential DoS issue with p2c header
6.72 2023-07-17 22:01:19Z
- Don't mangle protocol scheme and don't require it to be valid if
implementor is already known (GH#436) (mwgamera)
6.71 2023-06-20 19:44:19Z
- Use rather than require Module::Load (GH#435) (Olaf Alders)
6.11 2023-07-09 15:10:30Z
- Remove Authority section from dist.ini (GH#64) (Olaf Alders)
- Add very basic diagnostic information via test (GH#73) (Olaf Alders)
- CVE-2014-3230 - don't disable verification if only hostnames should not
(GH#14) (Steffen Ullrich)
- Make explicit requirement of Mozilla::CA obsolete (GH#72) (Steffen
Ullrich and Olaf Alders)
- Remove _in_san and _cn_match. Empty out the _check_sock hook (GH#71)
(Chase Whitener)
- Use warnings (GH#69) (Pete Houston)
0.26.0 (20th December, 2023)
Added
* The `proxy` argument was added. You should use the `proxy` argument instead of the deprecated `proxies`, or use `mounts=` for more complex configurations.
Deprecated
* The `proxies` argument is now deprecated. It will still continue to work, but it will be removed in the future.
Fixed
* Fix cases of double escaping of URL path components. Allow / as a safe character in the query portion.
* Handle `NO_PROXY` envvar cases when a fully qualified URL is supplied as the value.
* Allow URLs where username or password contains unescaped '@'.
* Ensure ASGI `raw_path` does not include URL query component.
* Ensure `Response.iter_text()` cannot yield empty strings.
3.3.5
Remove unnecessary ChangeList queries to speed up export via Admin UI
Respect color scheme override
Update FAQ to cover skipping rows with validation errors
0.116
There are two notable changes in this release. For one, we have changed the
default location of the cacheDir (where Hugo stores all its file caches).
Having the cache stored in a /tmp folder has had its issues, especially for
the module cache and especially on MacOS. The current new default should be
better and more stable. See Configure CacheDir for more info.
Also in this release: The where template func finally supports regular
expressions with the new like operator.
0.117
This is a release on the small side, but especially the new
Page.RenderShortcodes method is so useful, especially for bigger sites, that
we decided to get it out sooner rather than later. This method renders all the
shortcodes in the content, preserving the surrounding markup (e.g. Markdown)
as is. See the Hugo Documentation for more information.
0.118
Hugo 0.118.0 now builds with Go 1.21. This version also comes with:
- Proper CJK support in Markdown
- A revamped implementation of hugo new site and hugo new theme.
0.119
This release comes with a dependency refresh and some useful image processing
improvements:
- A new general-purpose Process method and filter.
- A new Opacity filter.
Process supports all of the existing scaling operations, but it can also be
used to do simple format conversions (e.g. from JPG to PNG).
0.120
This is a full dependency refresh and a couple of new cool features:
A new Padding image filter, and a new debug.Timer template func. The new
debug.Timer is useful for finding performance bottlenecks in templates.
If you then run hugo --logLevel info you should see timer info logged at the
end of the build. You can have as many timers as you want and if you don't
stop them, they will be stopped at the end of build.
Hugo now also builds release binaries for Solaris now that a long-living issue
in the upstream fsnotify library has been fixed.
0.121
There are some minor new features in this release, but it's mostly a release
with bug fixes and dependency updates. One notable dependency update is libwebp
v1.3.2 which comes with a security fix for the Webp decoder (CVE-2023-4863).
Hugo only uses the encoder (we use Go's native Webp decoder) so we're not
affected by this, but we have been contacted by some corporate Hugo users
who are eager to have a clean security report.
kin-openapi v0.122.0 has some minor breaking API changes which, from Hugo's
side of it, can be adapted by using the new .Map accessors if you get an
error.
* CXXFLAGS has all CFLAGS values. Remove duplicated CXXFLAGS.
Changelog:
121.0
New
* Firefox now prompts Windows users to install the Microsoft AV1 Video
Extension to enable hardware decoding support for the AV1 video codec from
about:support if not already installed.
* Firefox now supports Voice Control commands on macOS systems.
* On Linux, Firefox now defaults to the Wayland compositor when available
instead of XWayland. This brings support for touchpad & touchscreen
gestures, swipe-to-nav, per-monitor DPI settings, better graphics
performance, and more.
Note that due to Wayland protocol limitations, Picture-in-Picture windows
require an extra user interaction (generally right-click on the window) or
a shell / desktop-environment tweak. See bug 1621261 for related discussion
and tracking, this post for a KDE configuration, and this extension for
GNOME. It is also a known issue that windows are not correctly placed when
restoring a previous session on launch.
* Firefox can now force links to always be underlined. This option can be
enabled in the Browsing section of the Firefox Settings menu.
* The PDF viewer now includes a floating button to simplify deleting
drawings, text, and images added in PDFs.
Fixed
* Various security fixes.
* Ubuntu Firefox Snap builds did not default to Wayland compositing on some
systems as expected when Firefox 121 was first released. This is now fixed
and updated builds can be installed with the Ubuntu Software Updater.
Security fixes:
Mozilla Foundation Security Advisory 2023-56
#CVE-2023-6856: Heap-buffer-overflow affecting WebGL DrawElementsInstanced
method with Mesa VM driver
#CVE-2023-6135: NSS susceptible to "Minerva" attack
#CVE-2023-6865: Potential exposure of uninitialized data in
EncryptingOutputStream
#CVE-2023-6857: Symlinks may resolve to smaller than expected buffers
#CVE-2023-6858: Heap buffer overflow in nsTextFragment
#CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer
#CVE-2023-6866: TypedArrays lack sufficient exception handling
#CVE-2023-6860: Potential sandbox escape due to VideoBridge lack of texture
validation
#CVE-2023-6867: Clickjacking permission prompts using the popup transition
#CVE-2023-6861: Heap buffer overflow affected nsWindow::PickerOpen(void) in
headless mode
#CVE-2023-6868: WebPush requests on Firefox for Android did not require VAPID
key
#CVE-2023-6869: Content can paint outside of sandboxed iframe
#CVE-2023-6870: Android Toast notifications may obscure fullscreen event
notifications
#CVE-2023-6871: Lack of protocol handler warning in some instances
#CVE-2023-6872: Browsing history leaked to syslogs via GNOME
#CVE-2023-6863: Undefined behavior in ShutdownObserver()
#CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and
Thunderbird 115.6
#CVE-2023-6873: Memory safety bugs fixed in Firefox 121