* ikiwiki-mass-rebuild: Fix tty hijacking vulnerability by using su.
(Once su's related bug #628843 is fixed.) Thanks, Ludwig Nussel.
(CVE-2011-1408)
* search: Update search page when page.tmpl or searchquery.tmpl are locally
modified.
* Danish translation update. Closes: #625721
* Danish underlay translation update. Closes: #625765
(Thanks, Jonas Smedegaard)
* Support YAML::XS by not passing decoded unicode to Load. Closes: #625713
* openid, aggregate, pinger: Use Net::INET6Glue if available to
support making ipv6 connections. (Note that if LWPx::ParanoidAgent
is installed, it defeats this for openid.)
* Add additional directive quoting styles, to better support nested
directives. Both triple-single-quote and heredoc quotes can be used.
(Thanks, Timo Paulssen)
* Changed license of madduck's python plugins from GPL-2 to BSD-2-clause.
* po: support language codes in the form of 'es_AR', and 'arn'. (intrigeri)
Closes: #627844
* po: Make po4a warn, not error on a malformed document. (intrigeri)
* Support the Hiawatha web server which sets HTTPS=off rather than not
setting it. (There does not seem to be a standard here.)
pkgsrc changes:
* Adjust local modifications to improve our upstream chances.
* Quell pkglint.
* Indent consistently.
Version 1.6.17
(01 Jun 2011, from /branches/1.6.x)
http://svn.apache.org/repos/asf/subversion/tags/1.6.17
User-visible changes:
* improve checkout speed on Windows (issue #3719)
* make 'blame -g' more efficient on with large mergeinfo (r1094692)
* avoid some invalid handle exceptions on Windows (r1095654)
* preserve log message with a non-zero editor exit (r1072084)
* fix FSFS cache performance on 64-bit platforms (r1103665)
* make svn cleanup tolerate obstructed directories (r1091881)
* fix deadlock in multithreaded servers serving FSFS repositories (r1104093)
* detect very occasional corruption and abort commit (issue #3845)
* fixed: file externals cause non-inheritable mergeinfo (issue #3843)
* fixed: file externals cause mixed-revision working copies (issue #3816)
* fix crash in mod_dav_svn with GETs of baselined resources (r1104126)
See CVE-2011-1752, and descriptive advisory at
http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
* fixed: write-through proxy could direcly commit to slave (r917523)
* detect a particular corruption condition in FSFS (r1100213)
* improve error message when clients refer to unkown revisions (r939000)
* bugfixes and optimizations to the DAV mirroring code (r878607)
* fixed: locked and deleted file causes tree conflict (issue #3525)
* fixed: update touches locked file with svn:keywords property (issue #3471)
* fix svnsync handling of directory copyfrom (issue #3641)
* fix 'log -g' excessive duplicate output (issue #3650)
* fix svnsync copyfrom handling bug with BDB (r1036429)
* server-side validation of svn:mergeinfo syntax during commit (issue #3895)
* fix remotely triggerable mod_dav_svn DoS
See CVE-2011-1783, and descriptive advisory at
http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
* fix potential leak of authz-protected file contents
See CVE-2011-1921, and descriptive advisory at
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt
Developer-visible changes:
* fix reporting FS-level post-commit processing errors (r1104098)
* fix JVM recognition on OS X Snow Leopard (10.6) (r1028084)
* allow building on Windows with recent Expat (r1074572)
== Changes
= Changes in 2.2.1 =
Jun 2, 2011 - version 2.2.1
* Bug fixes
* For Lighttpd + PUT/POST support, do not send a request using chunked
encoding when IO respond to :size, File for example.
- There is no need to send query with Transfer-Encoding: chuncked when
IO respond to :size.
- Lighttpd does not support PUT, POST with Transfer-Encoding: chuncked.
You will see that the lighty respond with 200 OK, but there is a file
whose size is zero.
LIMITATION:
timeout occurs certainly when you send very large file and
@send_timeout is default since HTTPClient::Session#query() assumes
that *all* write are finished in @send_timeout sec not each write.
WORKAROUND:
increment @send_timeout and @receive_timeout or set @send_timeout and
@receive_timeout to 0 not to be timeout.
This fix is by TANABE Ken-ichi <nabeken@tknetworks.org>. Thanks!
* Allow empty http_proxy ENV variable. Just treat it the same as if it's
nil/unset. This fix is by Ash Berlin <ash_github@firemirror.com>.
Thanks!
* Check EOF while reading chunked response and close the session. It
raised NoMethodError.
* Changes
* Updated trusted CA certificates file (cacert.p7s and cacert_sha1.p7s).
CA certs are imported from
'Java(TM) SE Runtime Environment (build 1.6.0_25-b06)'.
* Changed default chunk size from 4K to 16K. It's used for reading size
at a time.
Drupal 6.22, 2011-05-25
----------------------
- Made Drupal 6 work better with IIS and Internet Explorer.
- Fixed .po file imports to work better with custom textgroups.
- Improved code documentation at various places.
- Fixed a variety of other bugs.
mirrored by NetBSD.org, had completely hosed file permissions; plus,
it differed in size (but not version) from the distfile available from
the sourceforge project site.
Since the latter actually works, I updated the checksum to use it.
* Various security hardening by Alexander Concha.
* Taxonomy query hardening by John Lamansky.
* Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
* Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
* Improves file upload security on hosts with dangerous security settings.
* Cleans up old WordPress import files if the import does not finish.
* Introduce "clickjacking" protection in modern browsers on admin and login pages.
Jekyll is a simple, blog aware, static site generator. It takes a
template directory (representing the raw form of a website), runs it
through Textile or Markdown and Liquid converters, and spits out a
complete, static website suitable for serving with Apache or your
favorite web server. This is also the engine behind GitHub Pages,
which you can use to host your project's page or blog right here
from GitHub.
Upstream changes:
Version 3.54, Apr 28, 2011
No code changes
[INTERNALS]
- Address test failures in t/tmpdir.t, thanks to Niko Tyni.
Some tests here are failing on some platforms and have been marked as TODO.
Version 3.53, Apr 25, 2011
[NEW FEATURES]
- The DELETE HTTP verb is now supported.
(RT#52614, James Robson, Eduardo Ari#o de la Rubia)
[INTERNALS]
- Correct t/tmpdir.t MANIFEST entry. (RT#64949)
- Update minimum required Perl version to be Perl 5.8.1, which
has been out since 2003. This allows us to drop some hacks
and exceptions (Mark Stosberg)
Version 3.52, Jan 24, 2011
[DOCUMENTATION]
- The documentation for multi-line header handling was been updated to reflect
the changes in 3.51. (Mark Stosberg, ntyni@iki.fi)
[INTERNALS]
- Add missing t/tmpfile.t file. (RT#64949)
- Fix warning in t/cookie.t (RT#64570, Chris Williams, Rainer Tammer, Mark Stosberg)
- Fixed logic bug in t/multipart_init.t (RT#64261, Niko Tyni)
Version 3.51, Jan 5, 2011
[NEW FEATURES]
- A new option to set $CGI::Carp::TO_BROWSER = 0, allows you to explicitly
exclude a particular scope from triggering printing to the browser when
fatatlsToBrowser is set. (RT#62783, Thanks to papowell)
- The <script> tag now supports the "charset" attribute.
(RT#62907, Thanks to Fabrice Metge)
- In CGI::Cookie, "Max-Age" is now supported for better spec compliance.
(Mark Stosberg)
[BUG FIXES]
- Setting charset() now works for all content types, not just "text/*".
(RT#57945, Thanks to Yanick and Gerv.)
- support for user temporary directories ($HOME/tmp) was commented out
in 2.61 but the documentation wasn't updated (Peter Gervai, Niko Tyni)
- setting $CGITempFile::TMPDIRECTORY before loading CGI.pm has been
working but undocumented since 3.12 (which listed it in Changes as
$CGI::TMPDIRECTORY) (Peter Gervai, Niko Tyni)
- unfortunately the previous change broke the runtime check for looking
for a new temporary directory if the current one suddenly became
unwritable (Peter Gervai, Niko Tyni)
- A bug was fixed in CGI::Carp triggered by certain death cases in
the BEGIN phase of parent classes.
(RT#57224, Thanks to UNERA, Yanick Champoux, Mark Stosberg)
- CGI::Cookie->new() now follows the documentation and returns undef
if the -name and -value args aren't provided. This new behavior is also
consistent with the docs and code of CGI::Simple::Cookie. (Mark Stosberg)
- CGI::Cookie->parse() now trims leading and trailing whitespace from cookie
elements as intended. The change also makes this part of the parsing
identical to CGI::Simple::Cookie (Mark Stosberg)
- Temp file handling was improved (RT#62762)
[SECURITY]
- Further improvements have been made to guard against newline injections
in headers. (Thanks to Max Kanat-Alexander, Yanick Champoux, Mark Stosberg)
[PERFORMANCE]
- Make EBCDIC a compile-time constant so there's zero overhead (and less
compiled code) in subroutines that test for it. (Tim Bunce)
- If you just want to use CGI::Cookie, CGI.pm will no longer be loaded
unless you call the bake() method, which requires it. (Mark Stosberg)
[DOCUMENTATION]
- quit referring to the <link> tag as being "rarely used". (Victor Sanders)
- typo and whitespace fixes (RT#62785, thanks to scop@cpan.org)
- The -dtd argument to start_html() is now documented
(RT#60473, Thanks to giecrilj and steve@fisharerojo.org)
- CGI::Carp doc are updated to reflect that it can work with mod_perl 2.0.
- when creating a temporary file in the directory fails, the error message
could indicate the root of the problem better (Peter Gervai, Niko Tyni)
[INTERNALS]
- Re-fixing https test in http.t. (RT#54768, thanks to SPROUT)
- param_fetch no longer triggers a warning when called with no arguments (ysth, Mark Stosberg)
Version 3.50, Nov 8, 2010
[SECURITY]
1. The MIME boundary in multipart_init is now random.
Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg
2. Further improvements to handling of newlines embedded in header values.
An exception is thrown if header values contain invalid newlines.
Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
Lincoln Stein, Fr#d#ric Buclin and Mark Stosberg
[DOCUMENTATION]
1. Correcting/clarifying documentation for param_fetch(). Thanks to
Ren#e B#cker. (RT#59132)
[INTERNALS]
1. Fixing https test in http.t. (RT#54768)
2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple.
- Revert ABI breakage in 2.2.18 caused by the function signature change
of ap_unescape_url_keep2f(). This release restores the signature from
2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
[Eric Covener]
Version 2.9.5 (2011-05-18)
--------------------------
- Updated: updated TCPDF to version 5.9.061 (#2929)
- Added: IE9 compatibility
- Added: added the Swedish editArea translation (#3016)
- Fixed: the code editor did not show up in the file manager (#2922)
- Fixed: the RSS reader did not parse HTML code correctly (#2918)
- Fixed: not all option callbacks worked correctly in override multiple mode (#2976)
- Fixed: the textarea widget did not support the readonly attribute (#2997)
- Fixed: the personal data modules did not handle checkbox fields (#3063)
- Fixed some minor issues
This package was submited as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß
-------------------------------------
HTTP::OAI is a stub module.
HTTP::OAI::Harvester is the harvesting front-end in the OAI-PERL library.
To harvest from an OAI-PMH compliant repository create an HTTP::OAI::Harvester
object using the baseURL option and then call OAI-PMH methods to request data
from the repository. To handle version 1.0/1.1 repositories automatically you
must request Identify() first.
It is recommended that you request an Identify from the Repository and use the
repository() method to update the Identify object used by the harvester.
When making OAI requests the underlying HTTP::OAI::UserAgent module will take
care of automatic redirection (http code 302) and retry-after (http code 503).
OAI-PMH flow control (i.e. resumption tokens) is handled transparently by
HTTP::OAI::Response.
This package was submited as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß
-------------------------------------
Original HTML::Template is written by Sam Tregar, sam@tregar.com with
contributions of many people mentioned there. Their efforts caused
HTML::Template to be mature html tempate engine which separate perl code and
html design. Yet powerful, HTML::Template is slow, especially if mod_perl isn't
available or in case of disk usage and memory limitations.
HTML::Template::Pro is a fast lightweight C/Perl+XS reimplementation of
HTML::Template (as of 2.9) and HTML::Template::Expr (as of 0.0.7). It is not
intended to be a complete replacement, but to be a fast implementation of
HTML::Template if you don't need quering, the extended facility of
HTML::Template. Designed for heavy upload, resource limitations, abcence of
mod_perl.
HTML::Template::Pro has complete support of filters and HTML::Template::Expr's
tag EXPR="<expression>", including user-defined functions and construction
<TMPL_INCLUDE EXPR="...">.
This package was submited as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß
-------------------------------------
This library can be used by CGI::Session to serialize session data.
It uses YAML, or the faster C implementation, YAML::Syck if it is available.
YAML serializers exist not just for Perl but also other dynamic languages,
such as PHP, Python, and Ruby, so storing session data in this format makes it
easy to share session data across different languages.
YAML is made to be friendly for humans to parse as well as other computer
languages. It creates a format that is easier to read than the default
serializer.
This package was submited as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß
-------------------------------------
CGI::Session::Driver::memcached is CGI::Session driver for memcached.
3.1.9 (stable)
- Fix regression introduced in 3.1.8 (#22687)
3.1.8 (stable)
- Windows read-write locks support on Windows XP or later and Windows
Win7 or later (use php_apc-xp.dll or php_apc-win7.dll)
- Fix variable type check in user cache update
- Make warnings that user cannot do anything about debug messages
- Fixed bug #21400 (Minor memory leak in MINFO)
- Fixed bug #18890: Ensure that --enable-apc-debug=no disables debug mode.
- Fixed bug #19459: check for expiry while looping through the iterator slots
3.1.7 (beta)
- pthread read-write locks support
- apc.serializer hooks, export apc_serializer.h as an API
- Fix regression bug #20529: Look up files in CWD
- Pool allocator fixes for large allocations
- trunk compat fixes (Kalle)
- ZTS fixes (Pierre, Hirokawa)
- Readability and warning fixes (Pierre, Kalle)
Zope 2.11.8 (2011/02/04)
Bugs fixed
- Prevent publication of acquired attributes, where the acquired
object does not have a docstring.
https://bugs.launchpad.net/zope2/+bug/713253/
Zope 2.11.7 (2010/09/01)
Bugs Fixed
- Prevent uncaught exceptions from killing ZServer worker threads.
https://bugs.launchpad.net/zope2/+bug/627988
- Ensure that mailhosts which share a queue directory do not double-
deliver mails, by sharing the thread which processes emails for
that directory. https://bugs.launchpad.net/zope2/+bug/574286
- Process "evil" JSON cookies which contain double quotes in violation
of RFC 2965 / 2616. https://bugs.launchpad.net/zope2/+bug/563229
- Ensure that Acquistion wrapper classes always have a ``__getnewargs__``
method, even if it is not provided by the underlying ExtensionClass.
- Fix the ``tp_name`` of the ImplicitAcquisitionWrapper and
ExplicitAcquisitionWrapper to match their Python visible names and thus
have a correct ``__name__``.
- Expand the ``tp_name`` of Acquisition's extension types to hold the
fully qualified name. This ensures classes have their ``__module__``
set correctly.
- Updated 'pytz' external to point to '2010b' version.
- Protect ZCTextIndex's clear method against storing Acquisition wrappers.
- LP #195761: fixed ZMI XML export / import.
- MailHost should fall back to HELO when EHLO fails.
Zope 2.11.6 (2010/01/12)
Bugs Fixed
- LP #491224: proper escaping of rendered error message
- Also look for ZEXP imports within the clienthome directory. This
provides a place to put imports that won't be clobbered by buildout
in a buildout-based Zope instance.
- LP #143444: add labels to checkboxes / radio buttons on import
/ export form.
- Fixed improper handling of IF_MODIFIED_SINCE header
inside Five/browser/resource.py
Zope 2.11.5 (2009/12/22)
Bugs Fixed
- LP #490514: preserve tainting when calling into DTML from ZPT.
- LP #360761 (backported from Acquisition trunk): fix iteration proxy
to pass `self` acquisition-wrapped into `__iter__` and `__getitem__`.
- LP #414757 (backported from Zope trunk): don't emit a IEndRequestEvent
when clearing a cloned request.
- updated to ZODB 3.8.4
Zope 2.11.4 (2009/08/06)
Restructuring
- Moved exception MountedStorageError from ZODB.POSExceptions
to Products.TemporaryFolder.mount (now its only client).
- LP #253362: Moved Zope2-specific module, ZODB/Mount.py, to
Products/TemporaryFolder/mount.py (its only client is
Products/TemporaryFolder/TemporaryFolder.py).
- Removed spurious import-time dependencies from
Products/ZODBMountPoint/MountedObject.py.
Bugs Fixed
- Fixed vulnerabilities in the ZEO network protocol
affecting ZEO storage servers.
Zope 2.11.3 (2009/05/04)
Features added
- SiteErrorLog now includes the entry id in the information copied to
the event log. This allowes you to correlate a user error report with
the event log after a restart, or let's you find the REQUEST
information in the SiteErrorLog when looking at a traceback in the
event log.
Restructuring
- Updated to match all new versions from the yet-unreleased Zope 3.4.1
release (`http://svn.zope.org/zope.release/branches/3.4/
releases/controlled-packages.cfg?rev=99659`).
- Updated to include all new versions from the final Zope 3.4.0 release
(http://download.zope.org/zope3.4/3.4.0/).
- Added 'InitializeClass' alias in 'App.class_init' to ease migration.
In Zope 2.12 it will be recommended to import 'InitializeClass' from
'App.class_init' instead of 'Globals'.
- Moved 'ApplicationDefaultPermissions' from 'App.class_init' to
'AccessControl.Permissions', in order to break an import cycle
in third-party code which avoids imports from 'Globals.' Left
the class importable from its old location without deprecation.
- configure script: setting ZOPE_VERS to '2.11'
- Products.PluginIndexes.PathIndex: backported doc fixes /
optimizations from trunk (and ExtendedPathIndex).
- Updated 'pytz' from '2007f' to '2008i'.
- Moved svn:externals for 'mechanize', 'ClientPath', and 'pytz' to
versions managed outside the Zope3 trunk.
- Testing.ZopeTestCase: Remove quota argument from DemoStorage calls in
preparation for ZODB 3.9.
Bugs Fixed
- Launchpad #373299: Removed bogus string exception in OFS.CopySupport.
- ZPublisher response.setBody: don't append Accept-Encoding to Vary
header if it is already present - this can make cache configuration
difficult. (merged 99493)
- Launchpad #267834: proper separation of HTTP header fields
using CRLF as requested by RFC 2616. (merged 90980, 92625)
- Launchpad #348223: optimize catalog query by breaking out early from
loop over indexes if the result set is already empty.
- "Permission tab": correct wrong form parameter for
the user-permission report
- Launchpad #290254, DateTime/DateTime.py:
added '__setstate__' to cope with old pickles missing a '_micros'
attribute; Python's pickling support was creating a new instance,
*with* a '_micros' attribute, but not clearing that attribute before
updating the instance dict with the unpickled state.
- Launchpad #332168, Shared/DC/RDBMS/Connection.py:
do not expose DB connection strings through exceptions
- Launchpad #324876: tighened regex for detecting the charset
from a meta-equiv header
- Launchpad #174705: ensure that the error info object exposed to a
'tal:on_error' handler has attributes visible to restricted code.
- Acquisition wrappers now correctly proxy __iter__.
Zope 2.10.13 (2011/02/04)
Bugs fixed
- Prevent publication of acquired attributes, where the acquired
object does not have a docstring.
https://bugs.launchpad.net/zope2/+bug/713253/
Zope 2.10.12 (2010/09/01)
Bugs fixed
- Prevent uncaught exceptions from killing ZServer worker threads.
https://bugs.launchpad.net/zope2/+bug/627988
- Updated 'pytz' external to point to '2010b' version (not via Zope3).
- Protect ZCTextIndex's clear method against storing Acquisition wrappers.
- LP #195761: fixed ZMI XML export / import and restored it to the UI.
Zope 2.10.11 (2010/01/12)
Bugs fixed
- LP #491224: proper escaping of rendered error message
- Also look for ZEXP imports within the clienthome directory. This
provides a place to put imports that won't be clobbered by buildout
in a buildout-based Zope instance.
- LP #143444: add labels to checkboxes / radio buttons on
import / export form.
- fixed improper usage of the IF_MODIFIED_SINCE header inside
Five/browser/resource.py (updated to Five 1.5.9)
Zope 2.10.10 (2009/12/22)
Features added
- Testing/custom_zodb.py: added support use a different storage other
than DemoStorage. A dedicated FileStorage can be mount by setting the
$TEST_FILESTORAGE environment variable to a custom Data.fs file. A
ZEO server can be configured using the $TEST_ZEO_HOST and
$TEST_ZEO_PORT environment variables. This new functionality allows us
to use the standard Zope testrunner for writing and running tests
against existing Zope installations.
Bugs fixed
- LP #490514: preserve tainting when calling into DTML from ZPT.
- LP #360761 (backported from Acquisition trunk): fix iteration proxy
to pass `self` acquisition-wrapped into `__iter__` and `__getitem__`.
- LP #414757 (backported from Zope trunk): don't emit a IEndRequestEvent
when clearing a cloned request.
Zope 2.10.9 (2009/08/06)
Restructuring
- Moved exception MountedStorageError from ZODB.POSExceptions
to Products.TemporaryFolder.mount (now its only client).
- LP #253362: Moved Zope2-specific module, ZODB/Mount.py, to
Products/TemporaryFolder/mount.py (its only client is
Products/TemporaryFolder/TemporaryFolder.py).
- Removed spurious import-time dependencies from
Products/ZODBMountPoint/MountedObject.py.
Bugs fixed
- Fixed vulnerabilities in the ZEO network protocol
affecting ZEO storage servers.
Zope 2.10.8 (2009/05/04)
Features added
- SiteErrorLog now includes the entry id in the information copied to
the event log. This allowes you to correlate a user error report with
the event log after a restart, or let's you find the REQUEST
information in the SiteErrorLog when looking at a traceback in the
event log.
Restructuring
- Added 'InitializeClass' alias in 'App.class_init' to ease migration.
In Zope 2.12 it will be recommended to import 'InitializeClass' from
'App.class_init' instead of 'Globals'.
- Moved 'ApplicationDefaultPermissions' from 'App.class_init' to
'AccessControl.Permissions', in order to break an import cycle
in third-party code which avoids imports from 'Globals.' Left
the class importable from its old location without deprecation.
Bugs fixed
- Launchpad #373299: Removed bogus string exception in OFS.CopySupport.
- ZPublisher response.setBody: don't append Accept-Encoding to Vary
header if it is already present - this can make cache configuration
difficult. (merged 99493)
- Launchpad #267834: proper separation of HTTP header fields
using CRLF as requested by RFC 2616. (merged 90980, 92625)
- Launchpad #348223: optimize catalog query by breaking out early from
loop over indexes if the result set is already empty.
- Launchpad ##332168: Connection.py: do not expose DB connection strings
through exceptions
- LP/#143873: Fixed problems when no HTTP_ACCEPT_CHARSET is in the
request. This required an update of zope.publisher to 3.3.3.
- LP/#324876: tighened regex for detecting the charset
from a meta-equiv header
- Acquisition wrappers now correctly proxy __iter__.
- Products.PluginIndexes.PathIndex: backported doc fixes /
optimizations from trunk (and ExtendedPathIndex).
- Launchpad #174705: ensure that the error info object exposed to a
'tal:on_error' handler has attributes visible to restricted code.
