6.16 2017-01-12
- Moved LWP::Protocol::GHTTP into its own dist and removed from here (PR#81)
- Updated test suite to use strict/warnings and Test::More (PR#88)
- Additional tests for UserAgent coverage (PR#79)
- Cleaned up documentation formatting and fixed several typos (PR#87, PR#93)
- Stop promoting use of HTTP::Cookies and instead use HTTP::CookieJar::LWP (PR#102)
- Added some new documentation to UserAgent and tutorial (PR#68)
- Allow default header to carry over when using ->post() in UA (PR#100)
Changelog:
Version 11.0.1 January 16 2017
Changes
Server
Safari CSPv3 support is sub-par (server/2699)
Fix legacy DAV endpoint (server/2685)
Use unmasked permissions in shared scanner (server/2696)
Do not connect to database before creating it (server/2703)
Fix todo list activity filter (server/2746)
Changed anchor in settings page (server/2805)
Also check in cron for old php version (server/2809)
Add DAV repair step to fix calendar data (server/2807)
Only log as info when we can not create a new DB user (server/2750)
Fix wording for apps mgmt buttons (server/2751)
Use a form so firefox doesn't try to save the space as a password (server/2804)
Fix overwriting parameter (server/2825)
Applied security hardening in SwiftMailer (core/2882)
Don't set Content-Disposition header if one already exists (server/2949)
Don't link to the oC forum (server/2988)
Set redirect_url on 2FA challenge page (server/2981)
Don't write a certificate bundle if the shipped ca bundle is empty (server/2994)
Remove group restrictions when those are not allowed anymore (server/2980)
Activity
Update docs and samples (activity/92)
Make sure the preview URLs are absolute (activity/91)
User_SAML
Update SAML library (user_saml/64)
Make the JS work with sudo mode (user_saml/71)
Enabled strict mode (user_saml/75)
files_retention
Delete job if tag not found (files_retention/18)
Also included is a precautionary update for a recent SwiftMailer security issue.
Version 0.11.15
---------------
Released on December 30th 2016.
- Bugfix for the bugfix in the previous release.
Version 0.11.14
---------------
Released on December 30th 2016.
- Check if platform can fork before importing ``ForkingMixIn``, raise exception
when creating ``ForkingWSGIServer`` on such a platform, see PR ``#999``.
Version 0.11.13
---------------
Released on December 26th 2016.
- Correct fix for the reloader issue on certain Windows installations.
Version 0.11.12
---------------
Released on December 26th 2016.
- Fix more bugs in multidicts regarding empty lists. See ``#1000``.
- Add some docstrings to some `EnvironBuilder` properties that were previously
unintentionally missing.
- Added a workaround for the reloader on windows.
Version 0.11.11
---------------
Released on August 31st 2016.
- Fix JSONRequestMixin for Python3. See #731
- Fix broken string handling in test client when passing integers. See #852
- Fix a bug in ``parse_options_header`` where an invalid content type
starting with comma or semi-colon would result in an invalid return value,
see issue ``#995``.
- Fix a bug in multidicts when passing empty lists as values, see issue
``#979``.
- Fix a security issue that allows XSS on the Werkzeug debugger. See ``#1001``.
Flask-Webpack ties Webpack and Flask together. It exposes a few
global template tags so that you can work with assets in your jinja
templates and it works with any wsgi server.
Since upstream still maintains the 2-series it is kept in www/SOGo.
Version 3, introduced in early 2016, has a modern, fully responsive Web
frontend. Both versions share a common implementation of the communication
protocols supported in SOGo and SOPE: LDAP, IMAP, SQL, CardDAV, CalDAV, and
Microsoft Enterprise ActiveSync.
DESCR:
SOGo is a fully supported and trusted groupware server with a focus
on scalability and open standards. SOGo is released under the GNU
GPL/LGPL v2 and above.
SOGo provides a rich AJAX-based Web interface and supports multiple
native clients through the use of standard protocols such as CalDAV,
CardDAV and GroupDAV.
SOGo is the missing component of your infrastructure; it sits in
the middle of your servers to offer your users a uniform and
complete interface to access their information. It has been deployed
in production environments where thousands of users are involved.
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
Version 3.5.24 (2017-01-19)
---------------------------
### Fixed
Correctly handle SVGZ files in the file manager (also fixes #8624).
### Fixed
Revert the download element changes (see #8620).
* Correctly handle nested public folders when symlinking a folder.
* Correctly handle SVGZ files in the file manager (see contao/core#8624).
* Prevent an endless redirect loop if the page alias is "/" (see contao/core#8560).
* Correctly parse German dates with two digit years in MooTools (see contao/core#8593).
* Correctly add new resources to the user/group permissions (see contao/core#8583).
* Trigger the auto-submit function in the date picker (see contao/core#8603).
* Call the load callback when loading page/file picker nodes (see contao/core#7702).
Upstream changes:
Moodle 3.2.1 release notes
Release date: 9 January 2017
Here is the full list of fixed issues in 3.2.1.
Fixes and improvements
MDL-55906 - Assignment grading table reset button should clear persistent settings
MDL-57222 - Marking workflow and grading must still save for hidden Assignment
MDL-56810 - Fixed error converting submissions for annotation when student is unenrolled from course
MDL-55062 - Upload users admin tool incorrectly updates authentication method for existing users when not included in CSV
MDL-56912 - Feedback: Allow to submit empty not required multichoice questions
MDL-53044 - Completely prevent login with expired passwords
MDL-57213 - Boost - Fixed bug when my courses were not displayed at all with $CFG->navshowmycoursecategories on
Security issues
MSA-17-0001 System file inclusion when adding own preset file in Boost theme
MSA-17-0002 Incorrect sanitation of attributes in forums
MSA-17-0003 PHPMailer vulnerability in no-reply address
MSA-17-0004 XSS in assignment submission page
Upstream changes:
7.20 2017-01-18
- Fixed a bug in Mojo::File where the make_path method would die even if no
error occurred.
- Fixed warnings in Mojo::IOLoop::TLS.
7.19 2017-01-14
- Added module Mojo::IOLoop::TLS.
- Added can_nnr and can_socks methods to Mojo::IOLoop::Client.
7.18 2017-01-11
- Fixed support for relative %INC paths in Mojo::Home.
- Fixed a bug in Mojo::URL where invalid fragment strings could be generated.
7.17 2017-01-11
- Fixed Windows bugs in Mojo::File. (kmx)
7.16 2017-01-10
- Fixed Windows bugs in Mojo::File. (kmx)
7.15 2017-01-09
- Deprecated Mojo::ByteStream::slurp and Mojo::Util::slurp in favor of
Mojo::File::slurp.
- Deprecated Mojo::ByteStream::spurt and Mojo::Util::spurt in favor of
Mojo::File::spurt.
- Deprecated Mojo::Util::files in favor of Mojo::File::list_tree.
- Deprecated Mojo::Home::lib_dir, Mojo::Home::parse, Mojo::Home::parts in
favor of new features inherited from the Mojo::File base class.
- Added module Mojo::File.
- Improved Mojo::Home to be a subclass of Mojo::File.
- Improved mojo_lib_dir and rel_file methods in Mojo::Home to return
Mojo::Home objects.
- Improved rel_file methods in Mojolicious::Command to return Mojo::File
objects.
- Improved every_param and param methods in Mojolicious::Validator::Validation
to use the current topic.
Version 3.5.23 (2017-01-17)
---------------------------
### Fixed
Handle non-numeric values when calculating the image margin (see #8617).
### Fixed
Correctly generate the download elements in the back end (see #8620).
Version 3.5.22 (2017-01-16)
---------------------------
### Fixed
Prevent an endless redirect loop if the page alias is "/" (see #8560).
### Fixed
Correctly parse German dates with two digit years in MooTools (see #8593).
### Fixed
Correctly add new resources to the user/group permissions (see #8583).
### Fixed
Trigger the auto-submit function in the date picker (see #8603).
### Fixed
Call the load callback when loading page/file picker nodes (see #7702).
2.3.19 (2017-01-09)
-------------------
Enhancements
- [core] added handling of BYSETPOS for BYDAY in recurrence rules
- [core] improved IMIP handling from Exchange/Outlook clients
- [web] update jQuery to version 1.12.4 and jQuery UI to version 1.11.4
- [web] added SOGoMaximumMessageSizeLimit to limit webmail message size
- [web] added photo support for LDIF import (#1084)
- [web] updated CKEditor to version 4.6.1
Bug fixes
- [core] honor blocking wrong login attempts within time interval (#2850)
- [core] use source's domain when none defined and trying to match users (#3523)
- [core] properly honor the "include in freebusy" setting (#3354)
- [core] fix events in floating time during CalDAV's PUT operation (#2865)
- [core] handle rounds in sha512-crypt password hashes
- [web] return login page for unknown users (#2135)
- [web] append ics file extension when importing events (#2308)
- [web] set a max-height so we can scroll in the attendees list (#3666)
- [web] set a max-height so we can scroll in the attachments list (#3413)
- [web] handle URI in vCard photos (#2683)
- [web] handle semicolon in values during LDIF import (#1760)
- [eas] properly escape all GAL responses (#3923)
- [eas] properly skip folders we don't want to synchronize (#3943)
- [eas] fixed 30 mins freebusy offset with S Planner
- [eas] now correctly handles reminders on tasks (#3964)
- [eas] do not decode from hex the event's UID (#3965)
- [eas] add support for "other addresses" (#3966)
- [eas] provide correct response status when sending too big mails (#3956)
2.3.18 (2016-11-28)
-------------------
New features
- [eas] relaxed permission requirements for subscription synchronizations (#3118 and #3180)
Enhancements
- [core] added sha256-crypt and sha512-crypt password support
- [core] updated time zones to version 2016h
- [eas] initial support for recurring tasks EAS
- [eas] now support replied/forwarded flags using EAS (#3796)
- [eas] now also search on senders when using EAS Search ops
- [web] updated CKEditor to version 4.6.0
Bug fixes
- [core] fixed condition in weekly recurrence calculator
- [core] always send IMIP messages using UTF-8
- [web] fixed support for recurrent tasks
- [web] improved validation of mail account delegators
- [web] allow edition of a mailbox rights when user can administer mailbox
- [web] restore attributes when rewriting base64-encoded img tags (#3814)
2.3.17 (2016-10-20)
-------------------
Enhancements
- [web] allow custom email address to be one of the user's profile (#3551)
- [web] the left column of the attendees editor is resizable (not supported in IE) (#1479, #3667)
Bug fixes
- [eas] make sure we don't sleep for too long when EAS processes need interruption
- [eas] fixed recurring events with timezones for EAS (#3822)
- [eas] improve handling of email folders without a parent
- [eas] never send IMIP reply when the "initiator" is Outlook 2013/2016
- [core] only consider SMTP addresses for AD's proxyAddresses (#3842)
2.3.16 (2016-09-28)
-------------------
New features
- [eas] initial support for server-side mailbox search operations
Enhancements
- [eas] propagate message submission errors to EAS clients (#3774)
- [web] updated CKEditor to version 4.5.11
- [web] added Serbian (sr) translation - thanks to Bogdanović Bojan
Bug fixes
- [web] correctly set percent-complete for tasks from the list view (#3197)
- [core] fixed caching expiration of ACLs assigned to LDAP groups (#2867)
- [core] we now search in all domain sources for Apple Calendar
- [core] properly handle groups in Apple Calendar's delegation
- [core] make sure new cards always have a UID (#3819)
2.3.15 (2016-09-14)
------------------
Enhancements
- [web] don't allow a recurrence rule to end before the first occurrence
Bug fixes
- [eas] properly generate the BusyStatus for normal events
- [eas] properly escape all email and address fields
- [eas] properly generate yearly rrule
- [core] strip protocol value from proxyAddresses attribute (#3182)
- [web] handle binary content transfer encoding when displaying mails
0.12.1 (2017-01-08)
- Fix compatibility with Jinja 2.9.
- When globbing, include files in alphabetical order (Sam Douglas).
- Remove duplicate files from bundles (Sam Douglas).
- Support for PyInstaller (Ilya Kreymer).
- Fix the sass filter (Dan Callaghan).
0.12 (2016-08-18)
- Babel filter (JDeuce).
- NodeSASS filter (Luke Benstead).
- Autoprefixer 6 filter (Eugeniy Kuznetsov).
- Many other small changes and improvements by various contributors.
*) SECURITY: CVE-2016-8743 (cve.mitre.org)
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies.
*) Validate HTTP response header grammar defined by RFC7230, resulting
in a 500 error in the event that invalid response header contents are
detected when serving the response, to avoid response splitting and cache
pollution by malicious clients, upstream servers or faulty modules.
*) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
*) core: Avoid a possible truncation of the faulty header included in the
HTML response when LimitRequestFieldSize is reached.
*) core: Enforce LimitRequestFieldSize after multiple headers with the same
name have been merged.
*) core: Drop Content-Length header and message-body from HTTP 204 responses.
*) core: Permit unencoded ';' characters to appear in proxy requests and
Location: response headers. Corresponds to modern browser behavior.
*) core: ap_rgetline_core now pulls from r->proto_input_filters.
*) core: Correctly parse an IPv6 literal host specification in an absolute
URL in the request line.
*) core: New directive RegisterHttpMethod for registering non-standard
HTTP methods.
*) core: Limit to ten the number of tolerated empty lines between requests.
*) core: reject NULLs in request line or request headers.
*) mod_proxy: Use the correct server name for SNI in case the backend
SSL connection itself is established via a proxy server.
*) Fix potential rejection of valid MaxMemFree and ThreadStackSize
directives.
*) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
*) mod_proxy: Correctly consider error response codes by the backend when
processing failonstatus.
*) mod_proxy: Play/restore the TLS-SNI on new backend connections which
had to be issued because the remote closed the previous/reusable one
during idle (keep-alive) time.
*) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
*) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to
use a different scoreboard slot than the original one.
*) mod_proxy: Fix a race condition that caused a failed worker to be retried
before the retry period is over.
*) mod_proxy: don't recycle backend announced "Connection: close" connections
to avoid reusing it should the close be effective after some new request
is ready to be sent.
*) mod_mem_cache: Fix concurrent removal of stale entries which could lead
to a crash.
*) mime.types: add common extension "m4a" for MPEG 4 Audio.
*) mod_substitute: Allow to configure the patterns merge order with the new
SubstituteInheritBefore on|off directive.
*) mod_mem_cache: Don't cache incomplete responses when the client
connection is aborted before the body is fully read.
*) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
*) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
v1.6.1
Version 1.6.1
Bugfix release
- Fixed a bug where using google-auth with scoped credentials would fail. (#328)
v1.6.0
Version 1.6.0
Release to drop support for Python 2.6 and add support for google-auth.
- Support for Python 2.6 has been dropped. (#319)
- The credentials argument to discovery.build and discovery.build_from_document
can be either oauth2client credentials or google-auth credentials. (#319)
- discovery.build and discovery.build_from_document now unambiguously use the
http argument to make all requests, including the request for the discovery
document. (#319)
- The http and credentials arguments to discovery.build and
discovery.build_from_document are now mutually exclusive, eliminating a
buggy edge case. (#319)
- If neither http or credentials is specified to discovery.build and
discovery.build_from_document, then Application Default Credentials will
be used. The library prefers google-auth for this if it is available, but
can also use oauth2client's implementation. (#319)
- Fixed resumable upload failure when receiving a 308 response. (#312)
- Clarified the support versions of Python 3. (#316)
6.12 2017-01-04 23:32:54-05:00 America/Toronto
- Fix prereqs
6.11 2017-01-04 15:05:57-05:00 America/Toronto
- Updated the Changes file
- When using Net::SSL, pending data was potentially ignored GH PR#7 (Jean-Louis Martineau)
6.10-DEV 2016-12-30
- Added LICENSE
- Added 'use warnings' to everywhere that lacked it
- Drop all use of Test.pm
- Removed unneeded uses of 'use vars'
- Switch live tests to use Google.
- Fix RT#112313 - Hang in my_readline() when keep-alive => 1 and $reponse_size % 1024 == 0
* [mod_cgi] skip local-redir handling if to self (fixes #2779, #2108)
* [mod_webdav] fix crash when plugin_ctx cleaned up (fixes #2780)
* [mod_fastcgi] detect child exit, restart proactively
* [mod_scgi] detect child exit, restart proactively
* [TLS] ssl.read-ahead = "disable" for low mem (fixes #2778)
pkgsrc changes:
- Rename non-standard "memcache" option to "memcached" (retaining
compatibility for the old option for a while)
Date: 2016-02-17
Bugfixes
Permit changing existing value on a ToOneField to None. (Closes #1449)
v0.13.2
Date: 2016-02-14
Bugfixes
Fix in Resource.save_related: related_obj can be empty in patch requests (introduced in #1378). (Fixes #1436)
Fixed bug that prevented filtering on related resources. apply_filters hook now used in obj_get. (Fixes #1435, Fixes #1443)
Use build_filters in obj_get. (Fixes #1444)
Updated DjangoAuthorization to disallow read unless a user has change permission. (#1407, PR #1409)
Authorization classes now handle usernames containing spaces. Closes #966.
Cleaned up old, unneeded code. (closes PR #1433)
Reuse Django test Client.patch(). (@SeanHayes, closes #1442)
Just a typo fix in the testing docs (by @bezidejni, closes #810)
Removed references to patterns() (by @SeanHayes, closes #1437)
Removed deprecated methods Resource.apply_authorization_limits and Authorization.apply_limits from code and documentation. (by @SeanHayes, closes #1383, #1045, #1284, #837)
Updates docs/cookbook.rst to make sure it's clear which url to import. (by @yuvadm, closes #716)
Updated docs/tutorial.rst. Without "null=True, blank=True" parameters in Slugfield, expecting "automatic slug generation" in save method is pointless. (by @orges, closes #753)
Cleaned up Riak docs. (by @SeanHayes, closes #275)
Include import statement for trailing_slash. (by @ljosa, closes #770)
Fix docs: Meta.filtering is actually a dict. (by @georgedorn, closes #807)
Fix load data command. (by @blite, closes #357, #358)
Related schemas no longer raise error when not URL accessible. (Fixes PR #1439)
Avoid modifying Field instances during request/response cycle. (closes #1415)
Removing the Manager dependency in ToManyField.dehydrate(). (Closes #537)
v0.13.1
Date: 2016-01-25
Bugfixes
Prevent muting non-tastypie's exceptions (#1297, PR #1404)
Gracefully handle UnsupportFormat exception (#1154, PR #1417)
Add related schema urls (#782, PR #1309)
Repr value must be str in Py2 (#1421, PR #1422)
Fixed assertHttpAccepted (PR #1416)
v0.13.0
Date: 2016-01-12
Dropped Django 1.5-1.6 support, added Django 1.9.
Bugfixes
Various performance improvements (#1330, #1335, #1337, #1363)
More descriptive error messages (#1201)
Throttled requests now include Retry-After header. (#1204)
In DecimalField.hydrate, catch decimal.InvalidOperation and raise ApiFieldError (#862)
Add 'primary_key' Field To Schema (#1141)
ContentTypes: Remove 'return' in __init__; remove redundant parentheses (#1090)
Allow callable strings for ToOneField.attribute (#1193)
Ensure Tastypie doesn't return extra data it received (#1169)
In DecimalField.hydrate, catch decimal.InvalidOperation and raise ApiFieldError (#862)
Fixed tastypie's losing received microseconds. (#1126)
Data leakage fix (#1203)
Ignore extra related data (#1336)
Suppress Content-Type header on HTTP 204 (see #111) (#1054)
Allow creation of related resources that have an 'items' related_name (supersedes #1000) (#1340)
Serializers: remove unimplemented to_html/from_html (#1343)
If GEOS is not installed then exclude geos related calls. (#1348)
Fixed Resource.deserialize() to honor format parameter (#1354#1356, #1358)
Raise ValueError when trying to register a Resource class instead of a Resource instance. (#1361)
Fix hydrating/saving of related resources. (#1363)
Use Tastypie DateField for DateField on the model. (SHA: b248e7f)
ApiFieldError on empty non-null field (#1208)
Full schema (all schemas in a single request) (#1207)
Added verbose_name to API schema. (#1370)
Fixes Reverse One to One Relationships (Replaces #568) (#1378)
Fixed "GIS importerror vs improperlyconfigured" (#1384)
Fixed bug which occurs when detail_uri_name field has a default value (Issue #1323) (#1387)
Fixed disabling cache using timeout=0, fixes #1213, #1212 (#1399)
Removed Django 1.5-1.6 support, added 1.9 support. (#1400)
stop using django.conf.urls.patterns (#1402)
Fix for saving related items when resource_uri is provided but other unique data is not. (#1394) (#1410)
v0.12.2
Date: 2015-07-16
Dropped Python 2.6 support, added Django 1.8.
Bugfixes
Dropped support for Python 2.6
Added support for Django 1.8
Fix stale data caused by prefetch_related cache (SHA: b78661d)
* passwordauth: prevent authentication bypass via multiple name
parameters (CVE-2017-0356, OVE-20170111-0001)
* passwordauth: avoid userinfo forgery via repeated email parameter
(also in the scope of CVE-2017-0356)
* CGI, attachment, passwordauth: harden against repeated parameters
(not believed to have been a vulnerability)
* remove: make it clearer that repeated page parameter is OK here
* t/passwordauth.t: new automated test for passwordauth
[ Amitai Schleier ]
* wrappers: Correctly escape quotes in git_wrapper_background_command
[ Simon McVittie ]
* git: use an explicit function parameter for the directory to work
in. Previously, we used global state that was not restored correctly
on catching exceptions, causing an unintended log message
"cannot chdir to .../ikiwiki-temp-working: No such file or directory"
with versions >= 3.20161229 when an attempt to revert a change fails
or is disallowed
* git: don't run "git rev-list ... -- -- ..." which would select the
wrong commits if a file named literally "--" is present in the
repository
* check_canchange: log "bad file name whatever", not literal string
"bad file name %s"
* t/git-cgi.t: fix a race condition that made the test fail
intermittently
* t/git-cgi.t: be more careful to provide a syntactically valid
author/committer name and email, hopefully fixing this test on
ci.debian.net
* templates, comments, passwordauth: use rel=nofollow microformat
for dynamic URLs
* templates: use rel=nofollow microformat for comment authors
* news: use Debian security tracker instead of MITRE for security
references. Thanks, anarcat
* Set package format to 3.0 (native)
* d/copyright: re-order to put more specific stanzas later, to get the
intended interpretation
* d/source/lintian-overrides: override obsolete-url-in-packaging for
OpenID Selector, which does not seem to have any more current URL
(and in any case our version is a fork)
* docwiki.setup: exclude TourBusStop from offline documentation.
It does not make much sense there.
* d/ikiwiki.lintian-overrides: override script-not-executable warnings
* d/ikiwiki.lintian-overrides: silence false positive spelling warning
for Moin Moin
* d/ikiwiki.doc-base: register the documentation with doc-base
* d/control: set libmagickcore-6.q16-3-extra as preferred
build-dependency, with virtual package libmagickcore-extra as an
alternative, to help autopkgtest to do the right thing
Major changes:
New Default Theme - Twenty Seventeen
- It is an ambitious theme designed for business websites that focuses on a
creative home page and an easy site setup experience for users.
* multiple sections on the front page, selected in the Customizer.
* a striking asymmetrical grid.
* custom color schemes, built on top of a monochromatic foundation, and
adjustable via a hue picker.
* different headline placement for pages, changeable in the Customizer, via
theme options.
* a great experience in many languages, thanks to language-specific font stacks.
* SVG icons (a first for a default theme).
* support for custom logo, custom header image and many post formats.
* the use of new functions in Core for making child theming easier.
Note: Twenty Seventeen only works on 4.7 and above. It uses the new
video header and starter content features, each launched in 4.7.
REST API Content Endpoints
* API endpoints for WordPress content. WordPress 4.7 comes with REST API
endpoints for posts, comments, terms, users, meta, and settings. Content
endpoints provide machine-readable external access to your WordPress site
with a clear, standards-driven interface, paving the way for new and
innovative methods of interacting with your site.
[FIXES]
The linting method html_lint_ok() was not calling the HTML::Lint API
correctly, so may have missed some HTML errors at the end of a page.
This also applies to get, post, etc if you have the autolint argument on.
7.14 2017-01-04
- Deprecated Mojo::Home::list_files in favor of Mojo::Util::files.
- Deprecated Mojo::Home::rel_dir in favor of Mojo::Home::rel_file.
- Deprecated Mojolicious::Command::rel_dir in favor of
Mojolicious::Command::rel_file.
- Fixed a bug in Mojo::IOLoop::Subprocess where the pipe used for IPC could
disappear because of a timeout.
This release fixes several bugs in nghttpx proxy server. Since v1.18.0 release, dynamic DNS feature has been added to nghttpx. This release fixes these DNS related bugs. User reported that nghttpx exited with assertion error in libev code when DNS was enabled. After investigating it, it turned out that this bug had existed well before DNS was added, but enabling DNS helped to trigger the bug.
Bugfixes
* Fixed a crash in the debug view if request.user can’t be retrieved, such as if the database is unavailable.
* Fixed occasional missing plural forms in JavaScriptCatalog.
* Fixed a regression in the timesince and timeuntil filters that caused incorrect results for dates in a leap year.
* Fixed a regression where collectstatic overwrote newer files in remote storages.
------------------------------
- 1.4.44
* [mod_scgi] fix segfault (fixes #2762)
* [mod_authn_gssapi] fix memory leak
* [config] warn if mod_authn_ldap,mysql not listed
* [mod_magnet] fix magnet_cgi_set() set of env vars (fixes #2763)
* [mod_cgi] FreeBSD 9.3/MacOSX does not have pipe2() (fixes #2765)
* [mod_extforward] fix crash on invalid IP (fixes #2766)
* [mod_fastcgi] fix segfault if all backends down (fixes #2768)
* [mod_cgi] fix out of sockets error for POST to CGI (fixes #2771)
* [mod_auth] compile fix for Mac OS X XCode (fixes #2772)
* [mod_authn_gssapi] better resource cleanup
* [core] compile fix for Mac OS X 10.6 (old) (fixes #2773)
* fix race in dynamic handler configs (reentrancy) (fixes #2774)
* [mod_authn_mysql] close mysql_conn in cleanup
* [mod_webdav] compile fix when locking not enabled
* load mod_auth & mod_authn_file in sample/test.conf
* comment out auth.backend.ldap.* in tests/*.conf
* [mod_fastcgi,mod_scgi] warn if invalid "bin-path"
* RAND_pseudo_bytes() is deprecated in openssl 1.1.0
* openssl 1.1.0 init and cleanup
* [mod_cgi] remove direct calls to network_backend*
* [build] build network_*.c into lighttpd executable
* suggest inclusion of mod_geoip... before mod_ssi.
* set systemd settings similar to lighttpd2
* [doc] remove reference to Linux rt-signals
* [mod_authn_gssapi] fix missing error ret, coverity
* [core] rename li_rand() to li_rand_pseudo_bytes()
* remove #include "stream.h" where not used
* [mod_cml] include lua headers before base.h
* [core] combine duplicated connection reset code
* [mod_ssi] produce content in subrequest hook
* [core] remove srv->entropy[]
* [core] defer li_rand_init() until first use
* [core] permit connection-level state in modules
* [mod_dirlisting] render dirlisting as HTML (fixes #2767)
* [mod_proxy] replace HTTP Host sent to backend (fixes #2770)
* [mod_ssi] basic recursive SSI include virtual (fixes #536)
* [mod_ssi] implement, ignore <!--#comment ... -->
* [core] consolidate duplicated read-to-close code
* [core] fix segfault when parsing a bad config file
* [core] support Transfer-Encoding: chunked req body (fixes #2156)
* [autobuild] set NO_RDYNAMIC=yes for midipix
* [mod_proxy] proxy.balance = "sticky" option (fixes #2117)
* [mod_secdownload] warn if SHA used w/o SSL crypto
* [build] compile fixes for AIX
* [build] check for pipe2() at configure time
* [mod_evhost] fix an incorrect error trace
* [tests] mark tests/docroot/www/*.pl scripts a+x
* [mod_cgi] fall back to pipe() if pipe2() fails
* fix SCons fullstatic build with glibc pthreads
* [TLS] openssl 1.1.0 makes SSL_OP_NO_SSLv2 no-op
(pkgsrc changes)
- Add Selection on PLIST depending on options
Changelog:
Security vulnerabilities fixed in Firefox ESR 45.6
CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
CVE-2016-9895: CSP bypass using marquee tag
CVE-2016-9897: Memory corruption in libGLES
CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
CVE-2016-9904: Cross-origin information leak in shared atoms
CVE-2016-9905: Crash in EnumerateSubDocuments
CVE-2016-9901: Data from Pocket server improperly sanitized before execution
CVE-2016-9902: Pocket extension does not validate the origin of events
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
Upstream changes:
Version 0.12
------------
Released on December 21st 2016, codename Punsch.
- the cli command now responds to `--version`.
- Mimetype guessing and ETag generation for file-like objects in ``send_file``
has been removed, as per issue ``#104``. See pull request ``#1849``.
- Mimetype guessing in ``send_file`` now fails loudly and doesn't fall back to
``application/octet-stream``. See pull request ``#1988``.
- Make ``flask.safe_join`` able to join multiple paths like ``os.path.join``
(pull request ``#1730``).
- Revert a behavior change that made the dev server crash instead of returning
an Internal Server Error (pull request ``#2006``).
- Correctly invoke response handlers for both regular request dispatching as
well as error handlers.
- Disable logger propagation by default for the app logger.
- Add support for range requests in ``send_file``.
- ``app.test_client`` includes preset default environment, which can now be
directly set, instead of per ``client.get``.
Version 0.11.2
--------------
Bugfix release, unreleased
- Fix crash when running under PyPy3, see pull request ``#1814``.
Version 0.11.1
--------------
Bugfix release, released on June 7th 2016.
- Fixed a bug that prevented ``FLASK_APP=foobar/__init__.py`` from working. See
pull request ``#1872``.
lib: Accept and ignore content-length: 0 in 204 response for now
build: Use pkg-config to detect libxml2
build: Require c-ares to compile applications under src
build: Add Windows CI via AppVeyor (Patch from Alexis La Goutte)
examples: Delete tiny-nghttpd
nghttpx: Retry h1 backend request if first write fails (GH-757)
nghttpx: Keep reading after backend write failed (GH-756)
nghttpx: Add frontend-keep-alive-timeout option (GH-755)
nghttpx: New error log format (GH-749)
nghttpx: Fix bug that fetch-ocsp-response does not work with OpenSSL 1.1.0 (GH-742)
nghttpx: Backend API call allows non-numeric host with dns parameter (GH-731)
nghttpx: Lookup backend host name dynamically (GH-721)
nghttpx: Accept and ignore content-length: 0 in 204 response for now (GH-735)
nghttpx: Wait for child process to exit
Upstream changes:
7.13 2016-12-23
- Deprecated Mojo::Message::Response::is_status_class in favor of new is_*
methods.
- Added result method to Mojo::Transaction.
- Added is_client_error, is_error, is_info, is_redirect, is_server_error and
is_success methods to Mojo::Message::Response.
- Fixed bug where Morbo could not handle broken symlinks. (Grinnz)
7.12 2016-12-18
- Added button_to and csrf_button_to helpers to
Mojolicious::Plugin::TagHelpers.
- Removed experimental status from Mojo::IOLoop::Subprocess.
- Removed experimental status from subprocess method in Mojo::IOLoop.
Upstream changes:
5.90114 - 2016-12-19
- Fixed regression introduced in the last version (5.90113) which caused
application to hang when the action private name contained a string
like 'foo/bar..html'. If you are running 5.90113 you should consider this
a required update.
- Tweaked travis CI script.
5.90113 - 2016-12-15
- Fixed issue with $controller->action_for when targeting an action in
a namespace nested inside the current controller and the current controller
is a 'root' controller.
- Enhanced $controller->action_for so that you can reference the 'parent'
controller via relative path (eg ->action_for('../foo')).
- Backcompat fix for people that made the mistake of doing $c->{stash}
- Sort controllers in setup_actions so cross-controller precedence is
consistent.
Upstream changes:
0.204002 2016-12-21 15:40:02-06:00 America/Chicago
[ BUG FIXES ]
* GH #975: Fix "public_dir" configuration to work, just like
DANCER_PUBLIC. (Sawyer X)
[ ENHANCEMENTS ]
* You can now call '$self->find_plugin(...)' within a plugin
in order to find a plugin, in order to use its DSL in your
custom plugin. (Sawyer X)
[ DOCUMENTATION ]
* GH #1282: Typo in Cookbook. (Kurt Edmiston)
* GH #1214: Update Migration document. (Sawyer X)
* GH #1286: Clarify hook behavior when disabling layout (biafra)
* GH #1280: Update documentation to use specific parameter
keywords (Hunter McMillen)
Upstream changes:
2.26 Thu Dec 29 22:36:54 CST 2016
Stable release. No changes from previous release.
2.25_02 Tue Dec 27 14:34:22 CST 2016
[FIXES]
html_fragment_ok() was not properly excluding document-level errors.
It was effectively the same as html_ok().
2.25_01 Fri Dec 23 22:36:17 CST 2016
[ENHANCEMENTS]
Added two new types of errors to let you know you're using the
API incorrectly. You should be parsing files like this:
    my $lint = HTML::Lint->new;
    $lint->newfile( $filename );
    $lint->parse( $line );
    $lint->eof();
    my @errors = $lint->errors();
If you neglect to call ->parse or ->eof, you'll get an error returned
in the list of errors from ->errors().
[FIXES]
Test::HTML::Lint::html_fragment_ok() was not properly calling ->eof.
Changelog:
Tomcat 8.0.39 (violetagg)
Catalina
Fix: When creating a new Connector via JMX, ensure that both HTTP/1.1 and AJP/1.3 connectors can be created. (markt)
Fix: Include the Context name in the log message when an item cannot be added to the cache. (markt)
Fix: Exclude JAR files in /WEB-INF/lib from the static resource cache. (markt)
Fix: When calling getResourceAsStream() on a directory, ensure that null is returned. (markt)
Fix: 60161: Allow creating subcategories of the container logger, and use it for the rewrite valve. (remm)
Fix: Correctly test for control characters when reading the provided shutdown password. (markt)
Fix: When configuring the JMX remote listener, specify the allowed types for the credentials. (markt)
Coyote
Fix: Correct the HTTP header parser so that DEL is not treated as a valid token character. (markt)
Fix: 60319: When using an Executor, disconnect it from the Connector attributes maxThreads, minSpareThreads and threadPriority to enable the configuration settings to be consistently reported. These Connector attributes will be reported as -1 when an Executor is in use. The values used by the executor may be set and obtained via the Executor. (markt)
Fix: If an I/O error occurs during async processing on a non-container thread, ensure that the onError() event is triggered. (markt)
Fix: Improve detection of I/O errors during async processing on non-container threads and trigger async error handling when they are detected. (markt)
Add: Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)
Web applications
Fix: Correct a typo in HTTP Connector How-To. Issue reported via comments.apache.org. (violetagg)
Fix: Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
Fix: Correct a typo in CGI How-To. Issue reported via comments.apache.org. (violetagg)
Tribes
Fix: When the proxy node sends a backup retrieve message, ensure that the channelSendOptions that has been set is used rather than the default channelSendOptions. (kfujino)
Other
Update: Update the ECJ compiler to version 4.5.1. (markt)
Fix: Remove classes from tomcat-util-scan.jar that are duplicates of those in tomcat-util.jar. (markt)
2016-10-10 Tomcat 8.0.38 (markt)
Catalina
Add: 59961: Add an option to the StandardJarScanner to control whether or not JAR Manifests are scanned for additional class path entries. (markt)
Fix: 60013: Refactor the previous fix to align the behaviour of the Rewrite Valve with mod_rewrite. As part of this, provide an implementation for the B and NE flags and improve the handling for the QSA flag. Includes multiple test cases by Santhana Preethi and a patch by Tiago Oliveira. (markt)
Fix: 60087: Refactor the web resources handling to use the Tomcat specific war:file:... URL protocol to refer to WAR files and their contents rather than the standard jar:file:... form since some components of the JRE, such as JAR verification, give unexpected results when the standard form is used. A side-effect of the refactoring is that when using packed WARs, it is now possible to reference a WAR and/or specific JARs within a WAR in the security policy file used when running under a SecurityManager. (markt)
Fix: 60116: Fix a problem with the rewrite valve that caused back references evaluated in conditions to be forced to lower case when using the NC flag. (markt)
Fix: Ensure Digester.useContextClassLoader is considered in case the class loader is used. (violetagg)
Fix: 60117: Ensure that the name of LogLevel is localized when using OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
Fix: 60146: Improve performance for resource retrieval by making calls to WebResource.getInputStream() trigger caching if the resource is small enough. Patch provided by mohitchugh. (markt)
Add: 60151: Improve the exception error messages when a ResourceLink fails to specify the type, specifies an unknown type or specifies the wrong type. (markt)
Fix: 60167: Ignore empty lines in /etc/passwd files when using the PasswdUserDatabase. (markt)
Fix: 60170: Exclude the compressed test file index.html.br from RAT analysis. Patch provided by Gavin McDonald. (markt)
Fix: When starting web resources, ensure that class resources are only started once. (markt)
Fix: Improve the access checks for linked global resources to handle the case where the current class loader is a child of the web application class loader. (markt)
Fix: 60199: Log a warning if deserialization issues prevent a session attribute from being loaded. (markt)
Coyote
Fix: Correctly handle a call to AsyncContext.complete() from a non-container thread when non-blocking I/O is being used. (markt)
Add: Refactor the code that implements the requirement that a call to complete() or dispatch() made from a non-container thread before the container initiated thread that called startAsync() completes must be delayed until the container initiated thread has completed. Rather than implementing this by blocking the non-container thread, extend the internal state machine to track this. This removes the possibility that blocking the non-container thread could trigger a deadlock. (markt)
Fix: 60123: Avoid potential threading issues that could cause excessively large values to be returned for the processing time of a current request. (markt)
Fix: 60174: Log instances of HeadersTooLargeException during request processing. (markt)
Jasper
Fix: 60101: Remove preloading of the class that was deleted. (violetagg)
Web applications
Add: Expand the documentation for the nested elements within a Resources element to clarify the behaviour of different configuration options with respect to the order in which resources are searched. (markt)
Add: Add an example of using the classesToInitialize attribute of the JreMemoryLeakPreventionListener to the documentation web application. Based on a patch by Cris Berneburg. (markt)
Fix: 60192: Correct a typo in the status output of the Manager application. Patch provided by Radhakrishna Pemmasani. (markt)
jdbc-pool
Fix: Notify jmx when returning the connection that has been marked suspect. (kfujino)
Fix: Ensure that the POOL_EMPTY notification has been added to the jmx notification types. (kfujino)
Fix: 60099: Ensure that all method arguments are used as a cache key when using StatementCache. (kfujino)
Fix: 60139: Correct Javadocs for PoolConfiguration.getValidationInterval and setValidationInterval. Reported by Phillip Webb. (kfujino)
Other
Fix: Update the download location for Objenesis. (violetagg)
Fix: 60164: Replace log4j-core*.jar with log4j-web*.jar since it is log4j-web*.jar that contains the ServletContainerInitializer. (markt)
Add: Add documentation to the bin/catalina.bat script to remind users that environment variables don't affect the configuration of Tomcat when run as a Windows Service. Based upon a documentation patch by James H.H. Lampert. (schultz)
Update: Update the packaged version of the Tomcat Native Library to 1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)
2016-09-05 Tomcat 8.0.37 (markt)
Catalina
Fix: 57705: Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch by Graham Leggett. (markt)
Add: 59399: Add a new option to the Realm implementations that ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to be controlled per Realm. (markt)
Update: Change the default of the sessionCookiePathUsesTrailingSlash attribute of the Context element to false since the problems caused when a Servlet is mapped to /* are more significant than the security risk of not enabling this option by default. (markt)
Fix: Do not attempt to start web resources during a web application's initialisation phase since the web application is not fully configured at that point and the web resources may not be correctly configured. (markt)
Fix: 59708: Modify the LockOutRealm logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero. (markt)
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: 59813: Ensure that circular relations of the Class-Path attribute from JAR manifests will be processed correctly. (violetagg)
Fix: Ensure that reading the singleThreadModel attribute of a StandardWrapper via JMX does not trigger initialisation of the associated servlet. With some frameworks this can trigger an unexpected initialisation thread and if initialisation is not thread-safe the initialisation can then fail. (markt)
Fix: Compatibility with rewrite from httpd for non existing headers. (jfclere)
Fix: By default, treat paths used to obtain a request dispatcher as encoded. This behaviour can be changed per web application via the dispatchersUseEncodedPaths attribute of the Context. (markt)
Fix: 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. (fschumacher)
Fix: 59859: Fix resource leak in WebDAV servlet. Based on patch by Coty Sutherland. (fschumacher)
Add: Provide a mechanism that enables the container to check if a component (typically a web application) has been granted a given permission when running under a SecurityManager without the current execution stack having to have passed through the component. Use this new mechanism to extend SecurityManager protection to the system property replacement feature of the digester. (markt)
Add: When retrieving an object via a ResourceLink, ensure that the object obtained is of the expected type. (markt)
Fix: 59824: Mark the RewriteValve as supporting async processing by default. (markt)
Fix: 59862: Allow nested jar files scanning to be filtered with the system property tomcat.util.scan.StandardJarScanFilter.jarsToSkip. Patch is provided by Terence Bandoian. (violetagg)
Fix: 59866: When scanning WEB-INF/classes for annotations, don't scan the contents of WEB-INF/classes/META-INF (if present) since classes will never be loaded from that location. (markt)
Fix: 59888: Correctly handle tabs and spaces in quoted version one cookies when using the Rfc6265CookieProcessor. (markt)
Fix: 59912: Fix an edge case in input stream handling where an IOException could be thrown when reading a POST body. (markt)
Fix: 59960: Fix Javadoc so it builds with Java 8. Patch by Coty Sutherland. (markt)
Fix: 59966: Do not start the web application if the error page configuration in web.xml is invalid. (markt)
Fix: Switch the CGI servlet to the standard logging mechanism and remove support for the debug attribute. (markt)
Fix: Changes to the allowLinking attribute of a StandardRoot instance now invalidate the cache if caching is enabled. (markt)
Add: Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can be used to mitigate any future, similar issues. (markt)
Add: When adding and removing ResourceLinks dynamically, ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be. (markt)
Fix: 60008: When processing CORS requests, treat any origin with a URI scheme of file as a valid origin. (markt)
Fix: Improve handling of exceptions during Lifecycle events triggered by a state transition. The exception is now caught and the component is now placed into the FAILED state. (markt)
Fix: 60013: Fix encoding issues when using the RewriteValve with UTF-8 query strings or UTF-8 redirect URLs. (markt)
Fix: 60022: Improve handling when a WAR file and/or the associated exploded directory are symlinked into the appBase. (markt)
Fix: Fix a file descriptor leak when reading the global web.xml. (markt)
Fix: Consistently decode URL patterns provided via web.xml using the encoding of the web.xml file where specified or UTF-8 where no explicit encoding is specified. (markt)
Fix: Make timing attacks against the Realm implementations harder. (schultz)
Coyote
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: Extend synchronization for NIO2 writes to avoid ConcurrentModificationException observed during testing. (markt)
Fix: 59904: Add a limit (default 200) for the number of cookies allowed per request. Based on a patch by gehui. (markt)
Fix: 59925: Correct regression in r1628368 and ensure that HTTP separators are handled as configured in the LegacyCookieProcessor. Patch provided by Kyohei Nakamura. (markt)
Fix: OpenSSL now disables 3DES by default so reflect this when using OpenSSL syntax to select ciphers. (markt)
Jasper
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: Improve the error handling for custom tags to ensure that the tag is returned to the pool or released and destroyed once used. (markt)
Fix: 60032: Fix handling of method calls that use varargs within EL value expressions. (markt)
Fix: Ignore engineOptionsClass and scratchdir when running under a security manager. (markt)
Fix: Fixed StringIndexOutOfBoundsException. Based on a patch provided by wuwen via Github. (violetagg)
WebSocket
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: 59908: Ensure that a reason phrase is included in the close message if a session is closed due to a timeout. (markt)
Web Applications
Fix: Do not log an additional case of IOExceptions in the error handler for the Drawboard WebSocket example when the root cause is the client disconnecting since the logs add no value. (markt)
Fix: 59642: Mention the localDataSource in the DataSourceRealm section of the Realm How-To. (markt)
Fix: Follow-up to the fix for 59399. Ensure that the new attribute transportGuaranteeRedirectStatus is documented for all Realms. Also document the NullRealm and when it is automatically created for an Engine. (markt)
Fix: Fix the description of maxAge attribute in jdbc-pool doc. This attribute works both when a connection is returned and when a connection is borrowed. (kfujino)
Fix: 59774: Correct the prefix values in the documented examples for configuring the AccessLogValve. Patch provided by Mike Noordermeer. (markt)
Fix: 59868: Clarify the documentation for the Manager web application to make clearer that the host name and IP address in the server section are the primary host name and IP address. (markt)
Fix: MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. Patch provided by Radoslav Husar. (violetagg)
Fix: Update NIO Connector configuration documentation with information about socket.directSslBuffer. (violetagg)
Fix: 60034: Correct a typo in the Manager How-To page of the documentation web application. (markt)
Tribes
Add: Add log message when the ping has timed-out. (kfujino)
Fix: If the ping message has been received at the AbstractReplicatedMap#leftOver method, ensure that notify the member is alive than ignore it. (kfujino)
jdbc-pool
Fix: Fix the duplicated connection release when connection verification failed. (kfujino)
Fix: Ensure that the abandoned connection that has already been released is not removed. (kfujino)
Fix: In order to avoid the unintended skip of PoolCleaner, remove the check code of the execution interval in the task that has been scheduled. (kfujino)
Fix: 59850: Ensure that the ResultSet is closed when enabling the StatementCache interceptor. (kfujino)
Fix: 59923: Reduce the default value of validationInterval in order to avoid the potential issue that continues to return an invalid connection after database restart. (kfujino)
Fix: Ensure that the ResultSet is returned as Proxy object when enabling the StatementDecoratorInterceptor. (kfujino)
Fix: 60043: Ensure that the suspectTimeout works without removing connection when the removeAbandoned is disabled. (kfujino)
Fix: Add log message of when returning the connection that has been marked suspect. (kfujino)
Fix: Correct Javadoc for ConnectionPool.suspect(). Based on a patch by Yahya Cahyadi. (markt)
Other
Update: 59276: Update optional Checkstyle library to 6.17. (kkolinko)
Add: Use the mirror network rather than the ASF master site to download the current ASF dependencies. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.8 to pick up the latest fixes and make 1.2.8 the minimum recommended version. (markt)
Fix: 59899: Update Tomcat's copy of the Java Persistence annotations to include the changes made in 2.1 / JavaEE 7. (markt)
Fix: Fixed typos in mbeans-descriptors.xml files. (violetagg)
Update: Update the internal fork of Commons BCEL to r1757132 to align with the BCEL 6 release. (markt)
Update: Update the internal fork of Commons DBCP2 to r1757164 to pick up a couple of bug fixes. (markt)
Update: Update the internal fork of Commons Codec to r1757174. Code formatting changes only. (markt)
Update: Update the internal fork of Commons FileUpload to afdedc9. This pulls in a fix to improve the performance with large multipart boundaries. (markt)
Changelog:
What's New in SeaMonkey 2.46
SeaMonkey 2.46 contains (among other changes) the following major changes relative to SeaMonkey 2.40:
SeaMonkey-specific changes
HTML5 fullscreen video (e.g. on YouTube) now works fine.
===== 6.1 (2016-12-20) =====
* Remove redundant dependency on calendar
* Permit client routing to "./"
* -y parameter for eliom-distillery (do not ask)
* Eliom_client: do not execute onload after OCaml services
* Permit suffix params in Eliom_service.create_attached_post
===== 6.0 (2016-12-08) =====
* Improve Eliom_service and Eliom_registration APIs using GADTs
* Implement client-side services, useful for mobile apps. This includes
** client-side service registration (Eliom_registration)
** client-side service routing (Eliom_client.change_page_uri)
* Transition to PPX internally
* Compatibility with
** OCaml 4.03.0 and 4.04.0
** Js_of_ocaml 2.8.2 and newer
** TyXML 4.0 and newer
* Various bugfixes and improvements
* PostgreSQL Ocsipersist backend
* Compatibility with TyXML 4.0.x
* Export OpenSSL options through configuration file
* Various small fixes and improvements
* Raise the minimum SwiftMailer version.
* Remove some left-over settings labels.
* Go back to using the stable channel of Composer now that version 1.3 has
been released.
* Reduce the filter menu width if preceded by the submit panel.
* Security: force CGI::FormBuilder->field to scalar context where
necessary, avoiding unintended function argument injection
analogous to CVE-2014-1572. In ikiwiki this could be used to
forge commit metadata, but thankfully nothing more serious.
(CVE-2016-9646)
* Security: try revert operations in a temporary working tree before
approving them. Previously, automatic rename detection could result in
a revert writing outside the wiki srcdir or altering a file that the
reverting user should not be able to alter, an authorization bypass.
(CVE-2016-10026 represents the original vulnerability.)
The incomplete fix released in 3.20161219 was not effective for git
versions prior to 2.8.0rc0.
(CVE-2016-9645 represents that incomplete solution.)
* Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including
CVE-2016-10026
- Build-depend on libipc-run-perl for better build-time test coverage
* Add missing ikiwiki.setup for the manual test for CVE-2016-10026
* git: don't issue a warning if the rcsinfo CGI parameter is undefined
* git: do not fail to commit changes with a recent git version
and an anonymous committer
2.2 (2016-12-21)
++++++++++++++++
- Made some changes to the UTS 46 data that should allow Jython to get around
64kb Java class limits. (Thanks, John A. Booth and Marcin Płonka.)
- In Python 2.6, skip two tests that rely on data not present in that
Python version's unicodedata module.
- Use relative imports to help downstream users.
### 4.3.1 (2016-12-22)
* Preserve uppercase characters in custom sections IDs (see #639).
* Always show the section title instead of its ID (see #640).
* Correctly handle DropZone file uploads (see #637).
* Fix the markup of the CSV importers (see #645).
* Correctly symlink the logs directory under Windows (see #634).
Fixed in 7.52.1
Bugfixes:
CVE-2016-9594: uninitialized random
lib557: fix checksrc warnings
lib: fix MSVC compiler warnings
lib557.c: use a shorter MAXIMIZE representation
tests: run checksrc on debug builds
Version 7.52.0 (20 Dec 2016)
Changes:
nss: map CURL_SSLVERSION_DEFAULT to NSS default
vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
curl: introduce the --tlsv1.3 option to force TLS 1.3
curl: Add --retry-connrefused
proxy: Support HTTPS proxy and SOCKS+HTTP(s)
add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
curl: add --fail-early
Bugfixes:
CVE-2016-9586: printf floating point buffer overflow
CVE-2016-9952: Win CE schannel cert wildcard matches too much
CVE-2016-9953: Win CE schannel cert name out of buffer read
msvc: removed a straggling reference to strequal.c
winbuild: remove strcase.obj from curl build
examples: bugfixed multi-uv.c
configure: verify that compiler groks -Werror=partial-availability
mbedtls: fix build with mbedtls versions < 2.4.0
dist: add unit test CMakeLists.txt to the tarball
curl -w: added more decimal digits to timing counters
easy: Initialize info variables on easy init and duphandle
cmake: disable poll for macOS
http2: Don't send header fields prohibited by HTTP/2 spec
ssh: check md5 fingerprints case insensitively (regression)
openssl: initial TLS 1.3 adaptions
curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
printf: fix ".*f" handling
examples/fileupload.c: fclose the file as well
SPNEGO: Fix memory leak when authentication fails
realloc: use Curl_saferealloc to avoid common mistakes
openssl: make sure to fail in the unlikely event that PRNG seeding fails
URL-parser: for file://[host]/ URLs, the [host] must be localhost
timeval: prefer time_t to hold seconds instead of long
Curl_rand: fixed and moved to rand.c
glob: fix [a-c] globbing regression
darwinssl: fix SSL client certificate not found on MacOS Sierra
curl.1: Clarify --dump-header only writes received headers
http2: Fix address sanitizer memcpy warning
http2: Use huge HTTP/2 windows
connects: Don't mix unix domain sockets with regular ones
url: Fix conn reuse for local ports and interfaces
x509: Limit ASN.1 structure sizes to 256K
checksrc: add more checks
winbuild: add config option ENABLE_NGHTTP2
http2: check nghttp2_session_set_local_window_size exists
http2: Fix crashes when parent stream gets aborted
CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries
URL parser: reject non-numerical port numbers
CONNECT: reject TE or CL in 2xx responses
CONNECT: read responses one byte at a time
curl: support zero-length argument strings in config files
openssl: don't use OpenSSL's ERR_PACK
curl.1: generated with the new man page system
curl_easy_recv: Improve documentation and example program
Curl_getconnectinfo: avoid checking if the connection is closed
CIPHERS.md: attempt to document TLS cipher names
[ Joey Hess ]
* inline: Prevent creating a file named ".mdwn" when the
postform is submitted with an empty title.
[ Simon McVittie ]
* Security: tell `git revert` not to follow renames. If it does, then
renaming a file can result in a revert writing outside the wiki srcdir
or altering a file that the reverting user should not be able to alter,
an authorization bypass. Thanks, intrigeri
* cgitemplate: remove some dead code. Thanks, blipvert
* Restrict CSS matches against header class to not break
Pandoc tables with header rows. Thanks, karsk
* Make pagestats output more deterministic. Thanks, intrigeri
Version 3.5.20 (2016-12-19)
---------------------------
### Fixed
Correctly show running repeated events in the event list (see #8588).
### Fixed
Improve the PHP 7.1 compatibility.
### Fixed
Keep the root nodes order in the page selector (see #8577).
### Fixed
Do not output invalid option values in widget error messages (see #8594).
Thanks to Pascal Gerundt for finding and reporting the issue.
### Fixed
Correctly parse English dates in MooTools (see #8573).
This release fixes several security problems, some of them are already
handled in pkgsrc. Please refer to the CHANGES file for details.
*) SECURITY: CVE-2016-8740 (cve.mitre.org)
mod_http2: Mitigate DoS memory exhaustion via endless
CONTINUATION frames.
[Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
University, Stefan Eissing]
*) SECURITY: CVE-2016-5387 (cve.mitre.org)
core: Mitigate [f]cgi "httpoxy" issues.
[Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
*) SECURITY: CVE-2016-2161 (cve.mitre.org)
mod_auth_digest: Prevent segfaults during client entry allocation when
the shared memory space is exhausted.
[Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]
*) SECURITY: CVE-2016-0736 (cve.mitre.org)
mod_session_crypto: Authenticate the session data/cookie with a
MAC (SipHash) to prevent deciphering or tampering with a padding
oracle attack. [Yann Ylavic, Colm MacCarthaigh]
*) SECURITY: CVE-2016-8743 (cve.mitre.org)
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
Update DEPENDS (upstream dropped php-5.3 support)
Upstream changes:
Version 9.1.3 Dec 13 2016
[major] UI: File list now works properly with many hidden entries - core/#26518
[major] Transfer ownership fails in some sharing scenario - core/#26523
[major] Transfer ownership fails if external storage with user-specified password - core/#26530
[major] Transfer ownership fails with file shares with invalid permissions - core/#26541
[major] Transfer ownership must skip trashed shares - core/#26525
[major] Versions on external storage never expire - core/#24161
[major] Properly convert public upload OCS params - core/#26691
[major] Properly load object store apps at install time when required in config - core/#26299
[major] Fix issue in sharing API that can happen with Galera Cluster - core/#26700
[major] Cannot delete file in share link from global external storage - core/#25618
[major] Fix issue where first run wizard made web UI unusable in IE11 - core/#26438
[major] Cannot upload to federated share when only create/update permission given - core/#26173
[major] Auth header in new DAV endpoint can break with Windows Webdav - core/#26412
[minor] Transfer ownership don't bail out on error - core/#26524
[minor] Don't scan received shares in OCC files scan or background jobs - core/#26590
[minor] Remove useless warning in log when accessing public shares - core/#25455
[minor] Fix disappearance of share info when clicking favorite star - core/#26241
[minor] Don't bother fetching preview images if previews disabled in config.php - core/#26705
Version 9.1.2 Nov 8 2016
Core: Adjusted documentation link to issue template - core/#26087
Core: Display feedback in users page when changing password - core/#25532
Core: Fix mime type detection in hidden directories - core/#26133
Core: Change forum URL to central - core/#25644
Core: Fix share array format passed to "post_unshareFromSelf" hook - core/#26390
Core: Release mount info memory after running background jobs - core/#26223
Core: Improve users page performance by not sorting after every add - core/#26234
Core: Escape special chars in some queries - core/#25429
Core: Redirect to two factor challenge page when only a single provider exists - core/#26134
Core: Fix bogus PasswordLoginForbidden DAV error when logging in as non-existing user - core/#26123
Core: Change the minimum log level to FATAL - core/#26131
Core: Fix issue with "(2)" appearing on shares when querying avatar with wrong casing - core/#26271
Core: Enabling an app now also analyzes dependencies at this time instead of only at install - core/#26295
Core: Reuse cached app info to avoid high load on some environments - core/#25603
Core: Show warning instead of exception when trying to run ownCloud on Windows - core/#26208
Core: Fix misleading SSL/TLS SMTP email configuration - core/#26447
Core: Fix malformed attribute in files app page - core/#26480
DAV: Improve chunk assembly performance for new DAV endpoint - core/#26062
DAV: New chunking now returns Etag and OC-Etag on the final MOVE - core/#25682
DAV: Do not print exception messages in HTML - core/#26460
DAV: Sanitize length headers when validating quota - core/#26366
Files: Allow uploading empty files in the web UI - core/#19116
Files: Properly translate file summary in lists - core/#26221
Files: Exclude more invalid chars in path - core/#26461
Sharing: Let the share owner increase permissions - core/#25542
Federation: Fix sharing with remote user names containing spaces - core/#25955
Federation: Save some memory in sync job by releasing mount info after each user - core/#26204
Federation: Fix federated address book syncing by using the correct background job name - core/#26202
CalDAV: Add Schedule and IMip plugins when receiving webdav v1 api calendar calls - core/#23600
CardDAV: Unset photo before setting a new one - core/#26242
CardDAV: Fix for birthday entries - core/#25636
CardDAV: Limit image export mime types - core/#26459
Updater: Fix web UI update in some environments - updater/#378
Updater: Retrigger integrity check after update - updater/#405
User_LDAP: Added OCC command to update group mappings - user_ldap/#14
User_LDAP: Fix issue with "(2)" appearing on shares when refreshing users in some scenarios - core/#25718
User_external: Double verify the SMB response - apps/#2198
Firstrunwizard: Only display the wizard when in files app - firstrunwizard/#52
Gallery: Do not display technical error messages - gallery/#707
Changes to squid-3.5.23 (16 Dec 2016):
- Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs
- Bug 4620: NetBSD build error with --enable-ipf-transparent
- Bug 4567: Strange IPv6 shown in access.log
- Bug 4406: SIGSEV in TunnelStateData::handleConnectResponse() during reconfigure and restart
- Bug 4174 partial: fix Write.cc:41 "!ccb->active()" assertion.
- Bug 4169: HIT marked as MISS when If-None-Match does not match
- Bug 4007: Hang on DNS query with dead-end CNAME
- Bug 4004 partial: Fix segfault via Ftp::Client::readControlReply
- Bug 3940 partial: hostHeaderVerify failures MISS when they should be HIT
- Bug 3533: Cache still valid after HTTP/1.1 303 See Other
- Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
- Bug 3290: authenticate_ttl not working for digest authentication
- Bug 2258: bypassing cache but not destroying cache entry
- HTTP/1.1: make Vary:* objects cacheable
- HTTP/1.1: Add registered codes entry for new 103 (Early Hints) status code
- Support IPv6 NAT with PF for NetBSD and FreeBSD
- TLS: Make key= before cert= an error instead of quietly hiding the issue
- ... and some debug updates
- ... and some build fixes
- ... and several documentation updates
Changelog:
#CVE-2016-9894: Buffer overflow in SkiaGL
#CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
#CVE-2016-9895: CSP bypass using marquee tag
#CVE-2016-9896: Use-after-free with WebVR
#CVE-2016-9897: Memory corruption in libGLES
#CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
#CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
#CVE-2016-9904: Cross-origin information leak in shared atoms
#CVE-2016-9901: Data from Pocket server improperly sanitized before execution
#CVE-2016-9902: Pocket extension does not validate the origin of events
#CVE-2016-9903: XSS injection vulnerability in add-ons SDK
#CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
#CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
use the extension .so, not ${RUBY_DLEXT}, because the files in case
are from the distribution package and therefore have a fixed extension
unrelated to the extension used on the local system. Fixes the
package build on Mac OS X.
Upstream changes:
2.24 Wed Dec 7 22:20:13 CST 2016
Official release. No changes from 2.23_01.
2.23_01 Tue Dec 6 22:48:56 CST 2016
[ENHANCEMENTS]
Added detection of unknown HTML entities, like "known &unclosed
&entities are not found". Also fixes the case where HTML::Lint
gets confused by an entity like "&sup2;" which it thought was an
unterminated "&sup;" entity. Thanks, Klaus S. Madsen.
[FIXES]
Errors of the type doc-tag-required did not come out in any defined
order. They are now sorted by tag name. This was discovered
because hash randomization caused tests to fail on Perl 5.18 and
above. Thanks, Slaven Rezic, Andrew Main and Lisa Hare.
Handle some warnings that get thrown if certain values are undef.
Thanks, Yves Lavoie.
Handle characters that are not handled by HTML::Entities. (GitHub
issue #13) Thanks, Tim Landscheidt.
[INTERNALS]
Add a test to verify a fixed bug. Thanks to Lance Wicks as part of
the CPAN Pull Request Challenge.
Version 4.15, 2016/04/19
------------------------
+ Update for a new, new way to handle animated gifs
* Big fixes for plugins social/facebook-comments and social/facebook-like
Version 4.14, 2015/03/02
------------------------
* Small change for galbum (-crf -v)
Over the last couple years we've worked very closely with the Ruby Sass team to
reach Sass 3.4 compatibility.
It's become clear that we need to draw a line in the sand with how exactly
we can match Sass 3.4, especially in the face of changes in Sass 3.5.
With this release the LibSass team is marking the completion of active
development on Sass 3.4 compatibility. From today we'll focus our efforts on
Sass 3.5 compatibility, first prioritising CSS compatibility features like
support for CSS custom property and CSS grids.
**Backwards incompatible changes**
- clean: The list of ``ALLOWED_PROTOCOLS`` now defaults to http, https and
mailto. Previously it was a long list of protocols something like ed2k, ftp,
http, https, irc, mailto, news, gopher, nntp, telnet, webcal, xmpp, callto,
feed, urn, aim, rsync, tag, ssh, sftp, rtsp, afs, data.
**Changes**
- clean: Added ``protocols`` to arguments list to let you override the list of
allowed protocols. Thank you, Andreas Malecki!
- linkify: Fix a bug involving periods at the end of an email address. Thank you,
Lorenz Schori!
- linkify: Fix linkification of non-ascii ports. Thank you, Alexandre Macabies!
- linkify: Fix linkify inappropriately removing node tails when dropping nodes.
- Fixed a test that failed periodically.
- Switched from nose to py.test.
- Add test matrix for all supported Python and html5lib versions.
- Limit to html5lib ``>=0.999,!=0.9999,!=0.99999,<0.99999999`` because 0.9999
and 0.99999 are busted.
- Add support for ``python setup.py test``.
Many of these definitely do not depend on readline.
So there must be a different underlying problem, and that
should be tracked down instead of papering over it.
Changes:
o accommodate for differing dependencies:
+ graphics/gifsicle as a bug workaround
+ devel/flim (this was an implicit dependency through devel/semi)
- devel/{apel,semi}, editors/mule-ucs contained in xemacs-packages
o conditional PLIST changes for differing installation paths
Tested with xemacs 21.4 and emacs 22
Upstream changes:
0.18 2016-10-03T04:36:04Z
- Use a better tempdir, fix some documentation, and make json test more readable #4 (Thank you karenetheridge)
Add missing DEPENDS
Upstream changes:
0.19 2016-11-08 08:08:16 Europe/Copenhagen
- The standard is not clear on this, and some servers don't allow them, but it seems that DELETE can take a request body.
- Added serializer_options so it's possible to instantiate the serializer w/ parameters
- Fixed "Use of uninitialized value in concatenation (.) or string" warning when $self->server is not initialized
- Changes for rt #118413. Thanks to abraxxa
http_headers return a combined hashref of http_headers and persistent_headers
new method, clear_all_headers
Upstream changes:
7.11 2016-11-30
- Added EXPERIMENTAL close_idle_connections method to Mojo::Server::Daemon.
- Improved one_tick method in Mojo::IOLoop to protect from recursion, similar
to the start method.
- Improved log attribute in Mojolicious to make it easier to override default
settings. (jberger)
- Fixed bug in Mojo::Server::Prefork where workers would accept keep-alive
requests after a graceful shutdown had already been initiated.
- Fixed bugs in Mojo::Util and Mojo::Asset::File where incomplete writes would
not be recognized as errors. (bobkare, sri)
Upstream changes:
Major features
Highlights
MDL-55071, MDL-55074 - New "Boost" Bootstrap 4 theme, usability improvements of the navigation
MDL-54682 - Messaging UI improvements
MDL-52777 - User tours - walkthroughs/instructional overlays for first time user on page
MDL-38158 - Pluggable media players in Moodle; Video.JS player
MDL-55324 - Easier embedding videos in audios in Atto editor with poster, subtitles and other attributes
MDL-54987 - New chart API and library
Mobile app
MDL-53870 - Support for offline quizzes in the Mobile app
MDL-53777 - Include support for login via the browser in the new Moodle Mobile admin tool
MDL-55059 - Support Smart App Banners for iOS
MDL-56607 - Move mobile settings to top-level admin
External tool (LTI)
MDL-49609 - Add LTI Content Item support
MDL-47113 - Open LTI Tools in new Window, add link when popup is blocked
MDL-53832 - LTI v2.0 support
Assignment
MDL-38105 - Allow negative score for rubric and change default grade calculation method
MDL-29795 - Assignment deadline overrides for an individual or group
MDL-54872 - Sort blind marked assignment by blind ID instead of userid
Quiz
MDL-48629 - Change the separator for matching correct answer feedback
MDL-3782 - Allow multiple answers in cloze MULTICHOICE question type
MDL-55200 - Show coordinates in ddmarker questions to simplify dropzone creation
MDL-27072 - Quiz reports now work on very large courses, rather than running out of memory
Choice
MDL-18592 - Allow teacher to make choices for students
MDL-11369 - Show choice deadline in the course calendar
MDL-55140 - Allow to specify open and close dates separately
MDL-37946 - When choice display is set horizontal or vertical apply it to both options and results display
Forum
MDL-18599 - Upon restore, association of "owner" of single simple discussion forum type defaults to user completing restore. Solution: hide author of the first post
MDL-37669 - Forum: Make "Mark as read on notification" a user preference
MDL-55982 - Add support for automatic locking of an individual forum discussion after a period of inactivity
Other activity modules
MDL-55327 - Lesson: option to duplicate pages
MDL-55868 - Book: various usability improvements
MDL-56100 - Folder: Display in recent activity block
MDL-54945 - Workshop: integrate with portfolio API
MDL-48944 - Survey: activity completion condition on survey completion
MDL-44712 - SCORM: improve Multi-SCO completion handling in activity completion
MDL-55158 - Database activity: add start and end dates to the calendar
MDL-14448, MDL-55464, MDL-55254, MDL-55251, MDL-49029 - Add standard capability "mod/xxxxx:view" to Lesson, Label, Database, Chat and Choice activities
MDL-55866 - Remember editor disabled setting on a per-activity setting
Global search
MDL-54794 - Add users to global search
MDL-54973 - Add messages to global search
MDL-55127 - Add database entries to global search
MDL-53222 - Revise admin settings/report for global search for improved usability
Other improvements
MDL-30179 - Allow teacher to toggle to/from "user view" in the User report in the gradebook (some items may be hidden for students but not teachers)
MDL-53048 - New "password" fields that are not auto-filled by password managers
MDL-55767 - Competency frameworks import
MDL-29110 - Specify welcome email sender in enrol_self, or send emails from system noreply address
MDL-22078 - Store "End date" for each course to be used in reports and analytics
MDL-53399 - 'Activity chooser off/on' option moved to user preferences
MDL-54751 - Introduce asynchronous module deletion so that recycle bin backup does not slow down editing process for the teacher
MDL-55981 - By default non-editing teacher should not be able to access all groups (roles in upgraded sites are not changed)
MDL-31356 - IMS Enterprise enrol plugin added features
MDL-43230 - Support revoking awarded badges
MDL-50286 - Allow to filter report_log by origin : Logs clogged up with events listed as origin cli
MDL-51749 - Add Ability to Export Calendar for user or group events
MDL-50888 - Antivirus: Implement ClamAV virus scanning using unix sockets.
MDL-54617 - Always show count of online users in the online users block
MDL-54680 - Offer cartridges in LTI provider
For administrators
Please read carefully: Possible issues that may affect you in Moodle 3.2
MDL-44467 - Return-Path should use no-reply address instead of support email; use only no-reply email or allowed domains in "From" header
MDL-48468 - Add a Redis cache store to Moodle core
MDL-39117 - Add a APCu cache store to Moodle core
MDL-54947 - Update PostgreSQL binary (bytea) handling and improve connection performance
MDL-48766 - Support IPv6 in IP lookup tool
MDL-55124 - Support for connection pooler (pgbouncer) in PostgreSQL connection
MDL-55916 - Maintenance mode should serve a http 503 instead of a 200
MDL-54606 - Sessions: Add support for Redis as a session_class_handler
MDL-53366 - Antivirus clamav: Remove "Quarantine directory" settings parameter.
MDL-55791 - Add capability to allow certain users through Maintenance mode
Plugins removal
If you are using any of the following you need to download and install the plugins or otherwise they will be removed following 3.2 upgrade:
MDL-55837 - Themes Base and Canvas - these themes can not be used by themselves but they may be used as parent themes
MDL-49533 - Repository Alfresco for Alfresco 4.2 and below, see Alfresco repository documentation
MDL-55927 - Authentication method Radius. This plugin uses mcrypt library and is not compatible with PHP 7.1
MDL-38158 - Media players Flowplayer, Windows media player, RealPlayer, Quicktime - these media players were present in Moodle 3.1 but removed in 3.2. They need to be installed in media/player directory
Web services
MDL-31465 - Incorporate user suspension into web services
MDL-45639 - Web Service for SSO (auto-login from the app to the site)
MDL-55923 - Improve the behavior of deleted tokens on password reset
MDL-55928 - New Web Service gradereport_user_get_grade_items
MDL-55100 - New Web Service core_course_get_courses_by_field
For developers
MDL-55071, MDL-55074 - New "Boost" Bootstrap 4 theme, block and navigation changes (see Boost_Navigation and Themes)
MDL-38158 - Introduction of Media players plugin type (see Media players)
MDL-50937 - JQuery updated to version 3.1 (see jQuery)
MDL-54987 - New chart API and library (see Charts_API)
MDL-55727 - AMD modal module introduced (see AMD Modal documentation)
MDL-52127 - Linting for Javascript with ESLint (see Linting Javascript)
MDL-55058 - Linting for CSS with stylelint (see Linting CSS)
MDL-48114 - Moodle can now be downloaded via composer (see Composer)
MDL-55091 - phpunit has been upgraded to 5.x
MDL-55072 - Behat now supports different themes. (See Running_acceptance_test)
MDL-55048 - Grunt and npm build dependencies now require node version 4 or above
MDL-31243 - New get_with_capability_sql function for retrieving SQL for finding users with capability in the given context
MDL-49599 - Boxnet v1 API is now deprecated
MDL-53306 - New authentication plugin method added which is called before user login
MDL-47162 - Course ID is now required in message events
MDL-55141 - Debugging option added for scheduled tasks from CLI (see Scheduled tasks documentation)
MDL-54941 - Add filesize as a new field returned in all the Web Services returning file information
MDL-56082 - Expose external authentication methods (loginpage_idp_list) in login block (see Authentication plugins)
Contao is an Open Source Content Management Framework developed by Leo Feyer
and distributed under the LGPL license (see GPL.txt and LGPL.txt for more
information). It was formerly known as TYPOlight Open Source CMS.
Its open architecture allows everybody to extend the system to fit his
needs. Contao specializes in accessible websites and is accessible
itself (front end and back end), rendering valid HTML5 or XHTML pages.
Contao 4.3 is the fourth minor release of Contao 4, which has an API
incompatible with Contao 3.
* Contao is now a Symfony bundle.
* Contao 4 does not use .htaccess files for protecting directories.
* DocumentRoot is the "web" subdirectory.
* XHTML support has gone, HTML5 only.
* Schema.org markup support.
Additionally, these new features from 4.2.
* Flexible custom layout sections
* Save and duplicate
* Running events
* Template for form
* Image meta data
* HTTP/2 support
* Handling preview of protected elements
* And more...
new packages. Most of which are the remaining modules of the Tryton
platform which weren't packaged. The others are dependencies of the new
modules. This was tested on FreeBSD and is based in large part on Richard
Palo's (richard@) work. This is the most recent release of the Tryton
platform, version 4.2. There's a very large list of changes from the 3.8
series we have in pkgsrc. If you're interested, those functional changes
can be found here:
http://www.tryton.org/posts/new-tryton-release-42.html
http://www.tryton.org/posts/new-tryton-release-40.html
Solves:
/usr/libexec/binutils225/elf/ld.gold: error: cannot find -lreadline
The missing specification is obvious on DragonFly because there's
no publicly accessible version of readline in base.
Changelog:
45.5.1:
#CVE-2016-9079: Use-after-free in SVG Animation
45.5.0:
#CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
#CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink
#CVE-2016-5294: Arbitrary target directory for result files of update process
#CVE-2016-5297: Incorrect argument length checking in JavaScript
#CVE-2016-9064: Add-ons update must verify IDs match between current and new versions
#CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
#CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
#CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
#CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
* Change default audio support to ALSA.
You can use OSS or pulseaudio via ALSA plugin package.
Changelog:
50.0.2:
Fixed in Firefox 50.0.2
#CVE-2016-9079: Use-after-free in SVG Animation
50.0.1:
Fixed
*Firefox crashes with 3rd party Chinese IME when using IME text
Security vulnerabilities fixed in Firefox 50.0.1:
#CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect
50.0:
New
*Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
*Improved performance for SDK extensions or extensions using the SDK module loader
*Added download protection for a large number of executable file types on Windows, Mac and Linux
*Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
*Added Guarani (gn) locale
*Added option to Find in page that allows users to limit search to whole words only
*Updates to keyboard shortcuts
*Set a preference to have Ctrl+Tab cycle through tabs in recently used order
*View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)
Fixed
*Login cookies are now saved for sites with a high number of cookies (Bug 1264192)
*Various security fixes
*Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
Changed
*The link to check for plugin security updates has been removed from the addon manager as Firefox automatically checks for plugin updates
*Blocked versions of libavcodec older than 54.35.1
*Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
Developer
*Changes for web developers
Security vulnerabilities fixed in Firefox 50:
#CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
#CVE-2016-5292: URL parsing causes crash
#CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink
#CVE-2016-5294: Arbitrary target directory for result files of update process
#CVE-2016-5297: Incorrect argument length checking in JavaScript
#CVE-2016-9064: Add-ons update must verify IDs match between current and new versions
#CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
#CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
#CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
#CVE-2016-9068: heap-use-after-free in nsRefreshDriver
#CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
#CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
#CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
#CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
#CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
#CVE-2016-5298: SSL indicator can mislead the user about the real URL visited
#CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
API key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
#CVE-2016-9062: Private browsing browser traces (Android) in browser.db and wal file
#CVE-2016-9070: Sidebar bookmark can have reference to chrome window
#CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
#CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
#CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s
#CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in Expat
#CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
#CVE-2016-5289: Memory safety bugs fixed in Firefox 50
#CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
Upstream changes:
== MediaWiki 1.28 ==
=== Changes since 1.28.0-rc1 ===
* (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
errors.
* (T148956) Only apply wgDBschema to postgres/mssql.
* (T145991) Introduce separate log action for deleting pages on move.
* (T141474) (T110464) Bypass login page if no user input is required.
=== Changes since 1.28.0-rc0 ===
* (T142210) The changes to move the parser "NewPP limit report" from a HTML
comment to a machine-readable JavaScript config option 'wgPageParseReport'
have been undone. They caused the human-readable limit report to be shown
incompletely or not at all. ParserOutput::setLimitReportData() and
getLimitReportData() behave as they did in MediaWiki 1.27 again.
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
the text of subheadings on a category page when creating it. This wasn't
working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
canonical pretty URL when a non-pretty URL is used. It resulted in redirect
loops in some clients and in some server configurations. This undoes a change
made in MediaWiki 1.26.
* (T149759) manifest_version: 2 was removed.
=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
made by MediaWiki via a proxy. Relying on the http_proxy environment
variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing
access to session data, which includes the session user and the session
user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret
is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for
local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
signifies local uploads. A value of `[]` (empty array) now means that
no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used
for Esperanto language character conversion. You are now recommended to use
input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
https://www.mediawiki.org/beacon with basic information about the local
MediaWiki installation. This data includes, for example, the type of system,
PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users ('user')
instead of just administrators ('sysop'). Documentation for this feature is
available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying the value
of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
a tracking category will be added to help identify usage and make it easier to migrate
away from. If you depend upon magic link functionality, it is requested that you comment
on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
in upcoming Content-Security-Policy feature's reporting.
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
upload. Unlike 'UploadVerifyFile' it provides information about upload comment
and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their
maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
a 'numeric' collation is also available. If migrating from another
collation, you will need to run the updateCollation.php maintenance script.
* Two new codes have been added to #time parser function: "xit" for days in current
month, and "xiz" for days passed in the year, both in Iranian calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
appropriate for sending multi-valued parameters. This defaults to true when
the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica databases,
MediaWiki will wait for the replica databases to synchronize with the master database
while it renders the HTML output. However, if the output is a redirect to another wiki
on the wiki farm with a different domain, MediaWiki will instead alter the redirect
URL to include a ?cpPosTime parameter that triggers the database synchronization when
the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
'show' parameters to existing API query modules.
=== External library changes in 1.28 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.1.5 to v4.5.8
* Updated composer/semver from v1.4.1 to v1.4.2
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1
=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T139670) Move 'UserGetRights' call before application of
Session::getAllowedUserRights()
=== Action API changes in 1.28 ===
* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
the value of $wgMaxArticleSize.
* Property 'modulemessages' from action=parse&prop=modules was removed
(deprecated since 1.26).
* The following response properties from action=login, deprecated in 1.27, are
now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
to properly manage session state.
* Submitting the lgtoken and lgpassword parameters in the query string to
action=login is now deprecated and outputs a warning. They should be submitted
in the POST body instead.
* Submitting sensitive authentication request parameters to action=clientlogin,
action=createaccount, action=linkaccount, and action=changeauthenticationdata
in the query string is now deprecated and outputs a warning. They should be
submitted in the POST body instead.
* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
instead of the pipe character. This will be useful if some of the multiple
values need to contain pipes, e.g. for action=options.
* The API will now warn if input is not NFC-normalized Unicode or if it
contains invalid characters.
* The 'normalized' list output by action=query and other modules that use
ApiPageSet may contain entries where the 'from' value is percent-encoded as
the raw value cannot be represented in a valid API response. These are
indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
* (T28680) action=paraminfo can now return info about all submodules of a
module without listing them all explicitly.
* (T146770) It is now possible to assert that the current user is a specific
named user, using the 'assertuser' parameter.
* (T141963) Added a 'known' property when missing-but-known titles (e.g. from
the 'TitleIsAlwaysKnown' hook) are output in various modules.
=== Action API internal changes in 1.28 ===
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with ApiParse and ApiExpandTemplates.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* ApiBase::getResultData() was removed (deprecated since 1.25)
* ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
* ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
* ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
* ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
* ApiFormatBase::setHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
* ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
* ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
* ApiMain::setHelp() was removed (deprecated since 1.25)
* ApiResult::beginContinuation() was removed (deprecated since 1.25)
* ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
* ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
* ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::endContinuation() was removed (deprecated since 1.25)
* ApiResult::getData() was removed (deprecated since 1.25)
* ApiResult::getIsRawMode() was removed (deprecated since 1.25)
* ApiResult::setContent() was removed (deprecated since 1.25)
* ApiResult::setContinueParam() was removed (deprecated since 1.25)
* ApiResult::setElement() was removed (deprecated since 1.25)
* ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
* ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
* ApiResult::setParsedLimit() was removed (deprecated since 1.25)
* ApiResult::setRawMode() was removed (deprecated since 1.25)
* ApiResult::size() was removed (deprecated since 1.25)
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
'show' parameters to existing API query modules. A query module can enable
these hooks by passing an array for $hookData to ApiQueryBase::select() and
by calling ApiQueryBase->processRow() before adding a row's data to the
result.
=== Languages updated in 1.28 ===
MediaWiki supports over 375 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
* (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
Saiddzone Saimawnkham, Saosukham, and Sengwan.
* Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
* (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.
=== Other changes in 1.28 ===
* (T128697) Improved handling of large diffs.
* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
use or update a custom session provider if needed.
* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
* SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
* The 'UserLoginComplete' hook has a new parameter to differentiate between actual
login and visiting the login page while already logged in.
* ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
* $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
* Linker::link() and Linker::linkKnown() were deprecated; please instead use
MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
respectively. See docs/hooks.txt for the specific changes needed for those hooks.
* Linker::formatSize() was deprecated. Use Language::formatSize() directly.
* Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
  * Skin::commentBlock() (use Linker::commentBlock() instead)
  * Skin::generateRollback() (use Linker::generateRollback() instead)
  * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
  * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
  * Skin::userLink() (use Linker::userLink() instead)
  * Skin::userToolLinks() (use Linker::userToolLinks() instead)
* Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
disabled.
* DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
* UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
Use ...->stashFile()->getFileKey() instead.
* "Public domain" was removed as a wiki license option from the installer, in
favour of CC-0.
* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
on requests needed by primary providers even if all primaries need them.
Primary providers are discouraged from returning multiple REQUIRED requests.
* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
will no longer be automatically infused. You should call `OO.ui.infuse()`
on them yourself from your JavaScript code.
* parserTests.php has moved to tests/parser/parserTests.php
* The command line options specific to parser tests have been removed from
phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
Instead of --keep-uploads, use the same option to parserTests.php, but you
must specify a directory with --upload-dir.
* The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
* IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
migrate to using the same functions on a ProxyLookup instance, obtainable from
MediaWikiServices.
* The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
ShowRawCssJs hooks will now emit deprecation warnings if used.
* (T68404) CSS3 attr() function with url type is no longer allowed
in inline styles.
* Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass
instead.
== Compatibility ==
MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
HHVM 3.6.5 or later.
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.28 has several database changes since 1.27, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).
If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.
If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions.
For notes on 1.27.x and older releases, see HISTORY.
== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.
Changes to GoAccess 1.1.1 - Wednesday, November 23, 2016
- Added data metric's "unique" count on each panel to the JSON/HTML outputs.
- Changed D3 bar charts to use .rangeBands and avoid extra outer padding.
- Fixed mouseover offset position issue on D3 bar charts.
- Fixed possible heap overflow when an invalid status code was parsed and
processed. This also ensures that only valid HTTP status codes (>= 100 and
<= 599) are parsed.
- Fixed sluggish D3 chart re-rendering by changing how x-axis labels are
displayed in the HTML report.
* Fixed a regression when static placeholder was uneditable if it was present
on the page multiple times
* Removed globally unique constraint for Apphook configs.
* Fixed a bug when keyboard shortcuts were triggered when form fields were
focused
* Fixed a bug when ``shift + space`` shortcut wouldn't correctly highlight a
plugin in the structure board
* Fixed a bug when plugins that have top-level svg element would break
structure board
* Fixed a bug where output from the ``show_admin_menu_for_pages`` template tag
was escaped in Django 1.9
* Fixed a bug where plugins would be rendered as editable if toolbar was shown
but user was not in edit mode.
* Fixed css reset issue with shortcuts modal
Bugfixes
* Quoted the Oracle test user’s password in queries to fix the “ORA-00922: missing or invalid option” error when the password starts with a number or special character.
* Fixed incorrect app_label / model_name arguments for allow_migrate() in makemigrations migration consistency checks.
* Made Model.delete(keep_parents=True) preserve parent reverse relationships in multi-table inheritance.
* Fixed a QuerySet.update() crash on SQLite when updating a DateTimeField with an F() expression and a timedelta.
* Prevented LocaleMiddleware from redirecting on URLs that should return 404 when using prefix_default_language=False.
* Prevented an unnecessary index from being created on an InnoDB ForeignKey when the field was added after the model was created.
Remove manual CONFLICTS, pkg_add does this automatically.
=== RELEASE 2.14 ===
Thu Nov 3 19:45:34 CET 2016 mikulas:
Enable DECC$EFS_CHARSET on OpenVMS, so that we can browse files and
directories with extended names
Wed Nov 2 20:35:31 CET 2016 mikulas:
Limit keepalive of ciphers with 64-bit block size to mitigate
the SWEET32 attack
Wed Nov 2 19:14:33 CET 2016 mikulas:
Disable SSL compression to avoid the CRIME attack
Fri Oct 28 22:52:49 CEST 2016 mikulas:
On Windows, add an entry to programs in control panel, that allows
uninstalling Links
Fri Oct 28 21:25:28 CEST 2016 mikulas:
Report home directory in the "Version" window
Sat Oct 22 13:17:04 CEST 2016 mikulas:
On Windows, preload font data in a background thread, to minimize a
stall when viewing SVG image for the first time.
Sat Oct 8 17:14:59 CEST 2016 mikulas:
Improved tor hardening - when the user toggles the "Only Proxies" option
(i.e. when connecting to tor), we reset certain other options to their
default values, so that it is not possible to identify user behind tor
based on the selected options.
Thu Oct 6 14:39:26 CEST 2016 mikulas:
Use keys 'P' and 'L' to scroll up and down
Thu Sep 29 23:40:34 CEST 2016 Juhani Haverinen <juhani.haverinen@gmail.com>:
Fix a memory leak when copying the current url to clipboard
(the bug was introduced in Links 2.13)
Sat Sep 3 20:02:26 CEST 2016 mikulas:
Fix crash when the user pressed Ctrl-G on a form field
(the bug was introduced in Links 2.13)
Fri Aug 19 22:35:54 CEST 2016 mikulas:
Workaround for a bug in librsvg that makes mathematics on Wikipedia
unreadable
Fri Aug 19 19:05:55 CEST 2016 mikulas:
Support fourth and fifth mouse button in gpm and framebuffer
Thu Aug 18 19:34:47 CEST 2016 mikulas:
Fixed bugs when downgrading SSL connection while https proxy or socks
proxy is used
Tue Aug 16 18:53:53 CEST 2016 mikulas:
Security bug fixed: Don't load or render the content of
"407 Proxy Authentication Required" reply when using https proxy.
This avoids the FalseCONNECT attack.
Also, don't allow 401 and 407 responses to set cookies.
Wed Jul 27 21:38:37 CEST 2016 mikulas:
Pop openssl error stack on every error - make sure that SSL errors on
one connection do not affect other connections
Sun Jul 17 21:10:12 CEST 2016 mikulas:
Use libc tree functions from <search.h> for searching the cache
Thu Jul 7 19:39:15 CEST 2016 mikulas:
Set the GD_NOAUTO flag for the directfb driver, so that this driver is
never selected automatically. The directfb subsystem is buggy, it can
corrupt graphics or even cause system crash, so select this driver only
if the user explicitly requests it with '-driver directfb'
Upstream changes:
7.10 2016-11-01
- Added getopt function to Mojo::Util.
7.09 2016-10-22
- Added every_header method to Mojo::Headers.
- Fixed redirect bug in Mojo::UserAgent::Transactor.
- Fixed a few proxy bugs in Mojo::UserAgent.
libnghttp2
* In this release, libnghttp2 by default disallows content-length header field in 1xx, 204, or 200 to a CONNECT request as described in RFC 7230.
libnghttp2_asio
* Previously, server-side on_close callback was not called when connection was closed while streams were still alive. Now on_close callback is called for active streams on connection close.
build
* Remo E provided a patch to include MSVC version resource in cmake Windows build.
nghttpx
* We fixed the bug that sometimes made nghttpx crash if --backend-http-proxy-uri was used.
* We fixed the bug that one HTTP header field from HTTP/1.1 backend was split into multiple fields in some situations.
* We fixed the bug that zero-length POST was not forwarded to HTTP/1.1 backend, causing deadlock.
* We removed optional reason phrase from SPDY response header fields. This is OK since reason phrase is optional.
* To align with the changes made in libnghttp2 that disallow content-length in 1xx, 204, or 200 to a CONNECT request, we did the same thing to HTTP/1.1 backend. We also disallow transfer-encoding in those status codes.
* dalf provided a patch to fix compile failure with BoringSSL.
nghttpd, nghttpx, and libnghttp2_asio
* We fixed the bug that mandatory SP after status code was missing in HTTP/1.1 status line.