0.7.3
Fix: If model admin declares list_display_links = None, no link is autogenerated for the detail view.
0.7.2
Fully adopted and tested with Django-2.2
0.5.0:
Add csp compliance through django-csp
Fix problem with locale
0.4.0:
Changed name lookup field {field}__gte -> {field}__range__gte
Changed name lookup field {field}__lte -> {field}__range__lte
1.0.3:
* Fixed CVE-2019-10751 — the way the output filename is generated for
--download requests without --output resulting in a redirect has
been changed to only consider the initial URL as the base for the generated
filename, and not the final one. This fixes a potential security issue under
the following scenario:
1. A --download request with no explicit --output is made (e.g.,
$ http -d example.org/file.txt), instructing httpie to
generate the output filename (https://httpie.org/doc#downloaded-file-name)
from the Content-Disposition response, or from the URL if the header
is not provided.
2. The server handling the request has been modified by an attacker and
instead of the expected response the URL returns a redirect to another
URL, e.g., attacker.example.org/.bash_profile, whose response does
not provide a Content-Disposition header (i.e., the base for the
generated filename becomes .bash_profile instead of file.txt).
3. Your current directory doesn’t already contain .bash_profile
(i.e., no unique suffix is added to the generated filename).
4. You don’t notice the potentially unexpected output filename
as reported by httpie in the console output
(e.g., Downloading 100.00 B to ".bash_profile").
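The filename selection described in the CVE-2019-10751 entry, as an added example that is not httpie's own code. All function names and the `use_final_url` switch are hypothetical, the URLs are the ones from the scenario above, and stripping leading dots from a Content-Disposition name is an extra hardening assumption not taken from the changelog.

```python
import os
import re
from urllib.parse import urlsplit


def filename_from_content_disposition(header):
    """Return a bare filename from a Content-Disposition value, or None."""
    match = re.search(r'filename="?([^";]+)"?', header or "", re.IGNORECASE)
    if not match:
        return None
    # Assumption (added hardening): drop directory parts and leading dots so
    # a server-supplied name cannot pick a path or a hidden file.
    name = os.path.basename(match.group(1).strip()).lstrip(".")
    return name or None


def filename_from_url(url):
    """Use the last path segment of the URL, or 'index' if there is none."""
    name = os.path.basename(urlsplit(url).path.rstrip("/"))
    return name or "index"


def unique_filename(name, existing):
    """Append -1, -2, ... until the name does not collide with `existing`."""
    if name not in existing:
        return name
    n = 1
    while f"{name}-{n}" in existing:
        n += 1
    return f"{name}-{n}"


def download_filename(initial_url, final_url, content_disposition,
                      existing, use_final_url=False):
    """Pick the output name for a download that may have been redirected.

    use_final_url=True reproduces the pre-fix behaviour (name taken from the
    redirect target); the default uses only the URL the user typed.
    """
    name = filename_from_content_disposition(content_disposition)
    if name is None:
        base = final_url if use_final_url else initial_url
        name = filename_from_url(base)
    return unique_filename(name, existing)


if __name__ == "__main__":
    # Constructed sample: the redirect from the scenario, empty directory.
    initial = "http://example.org/file.txt"
    final = "http://attacker.example.org/.bash_profile"
    print("pre-fix :", download_filename(initial, final, None, set(), True))
    print("post-fix:", download_filename(initial, final, None, set()))
```
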
Version 1.1.27 (released 06-Jun-2019)
* suppress stack traces (with option to show) (#140)
* distinguish text/binary/image files by icons (#166, #175)
* colorize alternating file content lines (#167)
* link to the instance root from the ViewVC logo (#168)
* display directory and root counts, too (#169)
* fix double fault error in standalone.py (#157)
* support timezone offsets with minutes piece (#176)
Version 0.7.3
* Add support for PEP 570 (positional-only keyword parameters) changes to CodeType
in Python 3.8.
Version 0.7.2
* Add support for Python 3.8.
0.13.0:
Add new Wildcard fields
Fix ABC deprecation warnings
Fix @api.expect(..., validate=False) decorators for an :class:`Api` where validate=True is set on the constructor
Ensure basePath is always a path
Hide Namespaces with all hidden Resources from Swagger documentation
Per route Swagger documentation for multiple routes on a Resource
Changelog:
Changes
Always set the display name for user shares (server#16254)
Prevent undefined offset 0 in findByUserIdOrMail (server#16325)
Use HTTP1.1 to read S3 objects (server#16330)
Bump lodash.mergewith from 4.6.1 to 4.6.2 (server#16338)
Bump lodash.merge from 4.6.1 to 4.6.2 (server#16341)
Bump lodash from 4.17.11 to 4.17.13 (server#16352)
Addsubtag should push to array (server#16405)
Add catch for RuntimeException (server#16414)
Only prevent disabling encryption via the API (server#16425)
Do not keep searching for recent (server#16432)
Update operationprogressbar.js (server#16437)
Fix File#putContents(string) on ObjectStorage (server#16444)
Pass $configargs to openssl_pkey_export (server#16500)
Nested recursion breaking max nested level for parent comment calculation (server#16524)
Allow hidden smb shares (server#16527)
Allow to provide supported calendar component set internally as a string (server#16536)
Lock SCSS so we only run 1 job at a time (server#16541)
Fix max contrast retrieval to limit minimum color for relative time (server#16543)
Suppresses disclosing the userid for LDAP users in the welcome mail (server#16561)
Use a pattern to identify sensitive config keys (server#16562)
Do not log locked files (server#16564)
Log email shares in admin_audit log (server#16566)
Change send to sent (server#16567)
Do not log all locked exceptions (server#16578)
Check the if we can actually access the storage cache for recent files (server#16598)
Set proper defaults for v-tooltip usages (server#16607)
Fix/xss/on favorite file (server#16610)
Log circles and remote shares in admin_audit (server#16627)
Make sure we only fetch the file by id for the actual owner (server#16630)
Remove unnecessary code block in share recommendations, fixed undefined var error (server#16633)
Files_external: proper user context for sharing (server#16637)
Properly return an int in the getId function of the cache (server#16689)
Fix enable/disable user audit message (server#16691)
Delay sending event from app init to when they are needed (server#16695)
Fix download button shown in public share page with hidden downloads (files_pdfviewer#145)
Change name from 'Text editor' to 'Plain text editor' to prevent confusion with 'Text' (files_texteditor#169)
Run drone for webpack build (files_texteditor#176)
Bump lodash from 4.17.11 to 4.17.14 (files_videoplayer#135)
Bump lodash.mergewith from 4.6.1 to 4.6.2 (firstrunwizard#199)
Bump lodash.merge from 4.6.1 to 4.6.2 (firstrunwizard#200)
Bump lodash from 4.17.11 to 4.17.14 (firstrunwizard#202)
Bump fstream from 1.0.11 to 1.0.12 (firstrunwizard#205)
Bump lodash from 4.17.11 to 4.17.13 (notifications#376)
Trim the subject before encrypting the subject (notifications#384)
Align the notification subject vertically to the icon (notifications#390)
Fix notification body text alignment and text contrast (notifications#391)
Fix mention and actions layout (notifications#392)
Bump lodash.mergewith from 4.6.1 to 4.6.2 (recommendations#105)
Bump lodash from 4.17.11 to 4.17.14 (recommendations#107)
Bump tar from 2.2.1 to 2.2.2 (recommendations#120)
Bump cypress-image-snapshot from 3.0.1 to 3.0.2 (viewer#102)
Bump babel-loader from 8.0.5 to 8.0.6 (viewer#103)
Bump cypress-file-upload from 3.1.1 to 3.1.2 (viewer#104)
Bump @babel/preset-env from 7.4.4 to 7.4.5 (viewer#109)
Bump eslint-plugin-node from 9.0.1 to 9.1.0 (viewer#116)
Bump cypress-testing-library from 3.0.1 to 4.0.0 (viewer#119)
Bump nextcloud-vue from 0.11.3 to 0.11.4 (viewer#121)
Bump webpack-cli from 3.3.2 to 3.3.3 (viewer#127)
Bump file-loader from 3.0.1 to 4.0.0 (viewer#130)
Bump cypress-image-snapshot from 3.1.0 to 3.1.1 (viewer#131)
Bump webpack from 4.33.0 to 4.34.0 (viewer#135)
Bump cypress-file-upload from 3.1.2 to 3.1.3 (viewer#137)
Bump webpack-cli from 3.3.3 to 3.3.4 (viewer#138)
Bump nextcloud-server from 0.15.9 to 0.15.10 (viewer#139)
Bump webpack from 4.34.0 to 4.35.0 (viewer#144)
Bump eslint-plugin-vue from 5.2.2 to 5.2.3 (viewer#152)
Bump webpack-cli from 3.3.4 to 3.3.5 (viewer#153)
Bump eslint-plugin-promise from 4.1.1 to 4.2.1 (viewer#154)
Bump url-loader from 2.0.0 to 2.0.1 (viewer#155)
Bump eslint-plugin-import from 2.17.3 to 2.18.0 (viewer#156)
Bump eslint-loader from 2.1.2 to 2.2.1 (viewer#165)
Bump webpack from 4.35.2 to 4.35.3 (viewer#176)
Bump stylelint-scss from 3.8.0 to 3.9.1 (viewer#178)
Bump eslint-plugin-import from 2.18.0 to 2.18.2 (viewer#182)
Bump webpack-cli from 3.3.5 to 3.3.6 (viewer#187)
Bump vue-loader from 15.7.0 to 15.7.1 (viewer#188)
Bump webpack from 4.35.3 to 4.36.1 (viewer#189)
Bump webpack from 4.36.1 to 4.38.0 (viewer#194)
Bump url-loader from 2.0.1 to 2.1.0 (viewer#196)
Bump lodash from 4.17.11 to 4.17.15 (viewer#201)
Bump webpack from 4.38.0 to 4.39.0 (viewer#202)
Bump webpack from 4.39.0 to 4.39.1 (viewer#204)
Detect and switch fullscreen (viewer#47)
Update version on master (viewer#66)
Test actions (viewer#67)
Revert "Test actions" (viewer#68)
Bump nextcloud-vue from 0.9.5 to 0.10.0 (viewer#69)
Bump eslint-plugin-import from 2.16.0 to 2.17.2 (viewer#70)
Bump eslint-import-resolver-webpack from 0.11.0 to 0.11.1 (viewer#71)
Bump webpack from 4.29.6 to 4.30.0 (viewer#72)
Fix/loading/race condition (viewer#73)
Bump webpack-cli from 3.3.1 to 3.3.2 (viewer#90)
Bump eslint-plugin-node from 8.0.1 to 9.0.1 (viewer#92)
Bump webpack from 4.30.0 to 4.31.0 (viewer#96)
- Added ability to store accumulated processing time into DB_GEN_STATS tcb
file via '--accumulated-time' command line option.
- Added additional Apache status codes to the list.
- Added a few feed readers to the list.
- Added 'Android 8 Oreo' to the list of OSs.
- Added 'Android Pie 9' to the list of OSs.
- Added --anonymize-ip command line option to anonymize ip addresses.
- Added --browsers-file command line option to load a list of crawlers from a
text file.
- Added byte unit (PiB) to C formatter and refactored code.
- Added byte unit (PiB) to JS formatter.
- Added Chinese translation (i18n).
- Added French translation (i18n).
- Added '%h' date specifier to the allowed date character specifiers.
- Added "HeadlessChrome" to the list of browsers.
- Added --hide-referer command line option to hide referers from report.
- Added HTTP status code 429 (TOO MANY REQUESTS).
- Added IGNORE_LEVEL_PANEL and IGNORE_LEVEL_REQ definitions.
- Added --ignore-referer-report command line option to hide referers from
output.
- Added Japanese translation (i18n).
- Added macOS 10.14 Mojave to the list of OSs.
- Added "Mastodon" user-agent to the list of crawlers/unix-like.
- Added new fontawesome icons and use angle arrows in HTML paging.
- Added new purple theme to HTML report and default to it.
- Added --no-parsing-spinner command line option to switch off parsing
spinner.
- Added .ogv and ogg static file extension (ogg video, Ogg Vorbis audio).
- Added OS X version numbers when outputting with --real-os.
- Added parsing mechanism in an attempt to capture more bots and to include
unspecified bots/crawlers.
- Added --pidfile command line option to the default config file.
- Added Spanish translation (i18n).
- Added SSL support for Docker goaccess build.
- Added support to the WebSocket server for openssl-1.1*.
- Added the ability to show/hide a chart per panel in the HTML report.
- Added transparency to the navigation bar of the HTML report.
- Added "WhatsApp" user-agent to the list of crawlers.
- Changed default db folder so it adds the process id (PID). --db-path is
required now when using --load-from-disk.
- Changed Dockerfile to build from the current source.
- Changed 'hits' to be right-aligned on TUI.
- Changed to use faster slide animations on HTML report.
- Changed wording from 'Bandwidth' to the proper term 'Tx. Amount'.
- Ensure database filenames used by btree are less predictable.
- Ensure HTML templates, CSS and JS files are minified when outputting
report.
- Ensure key phrases from Google are added even when https is used.
- Ensure live report updates data & charts if tab/document has focus.
- Ensure multiple 'Yandex' crawlers are properly parsed.
- Ensure Safari has priority over most crawlers except the ones that are
known to have it.
- Ensure the request protocol on its own is properly parsed.
- Ensure the right number of tests are performed against the given log.
- Ensure user configuration is parsed first when available.
- Ensure wss:// is used when connecting via HTTPS.
- Ensure XFF parser takes into account escaped braces.
- Fixed a regression where fifo-in/out would fail with ENXIO.
- Fixed a regression where it would return EXIT_FAILURE on an empty log.
- Fixed a (ssh) pipeline problem with fgetline()/fgets() when there is a race
for data on stdin.
- Fixed broken X-Forwarded-For (XFF) %~ specifier in certain parsing cases.
- Fixed conf.filenames duplication problem if logs are via pipe.
- Fixed float percent value on JSON/HTML output for locales using decimal comma.
- Fixed issue where it was not possible to establish a Web Socket connection
when attempting to parse and extract HTTP method.
- Fixed issue where log formats with pipe delimiter were not properly parsed.
- Fixed memory leak after config file path has been set (housekeeping).
- Fixed memory leak when adding host to holder introduced in c052d1ea.
- Fixed possible memory leak when hiding specific referrers.
- Fixed several JS jshint warnings.
- Fixed sudo installs on TravisCI.
- Fixed UNDEFINED time range in HTML report when VISITORS panel was ignored.
- Fixed unnecessary closing span tags from template.
- Fixed use-after-free when two color items were found on color_list.
Kore is an easy to use web application framework for writing scalable
web APIs in C.
Its main goals are security, scalability and allowing rapid development
and deployment of such APIs. Because of this Kore is an ideal candidate
for building robust, scalable and secure web things.
OK kamil@
6.0.1
- Attempt to re-establish websocket connection to Gateway
- Add missing react-dom js to package data
6.0
This is the first major release of the Jupyter Notebook since version 5.0 (March 2017).
We encourage users to start trying JupyterLab, which has just announced its 1.0 release in preparation
for a future transition.
- Remove Python 2.x support in favor of Python 3.5 and higher.
- Multiple accessibility enhancements and bug-fixes.
- Multiple translation enhancements and bug-fixes.
- Remove deprecated ANSI CSS styles.
- Native support to forward requests to Jupyter Gateway(s) (Embedded NB2KG).
- Use JavaScript to redirect users to notebook homepage.
- Enhanced SSL/TLS security by using PROTOCOL_TLS which selects the highest ssl/tls
protocol version available that both the client and server support. When PROTOCOL_TLS
is not available use PROTOCOL_SSLv23.
- Add ?no_track_activity=1 argument to allow API requests
to not be registered as activity (e.g. API calls by external activity monitors).
- Kernels shutting down due to an idle timeout is no longer considered
an activity-updating event.
- Further improve compatibility with tornado 6 with improved
checks for when websockets are closed.
- Launch the browser with a local file which redirects to the server address including
the authentication token. This prevents another logged-in user from stealing the token
from command line arguments and authenticating to the server.
The single-use token previously used to mitigate this has been removed.
Thanks to Dr. Owain Kenway for suggesting the local file approach.
- Respect nbconvert entrypoints as sources for exporters
- Update CodeMirror to 5.37, which includes f-string syntax for Python 3.6.
- Update jquery-ui to 1.12
- Execute cells by clicking icon in input prompt.
- New "Save as" menu option.
- When serving on a loopback interface, protect against DNS rebinding by
checking the Host header from the browser.
This check can be disabled if necessary by setting
NotebookApp.allow_remote_access.
(Disabled by default while we work out some Mac issues in :ghissue:3754).
- Add kernel_info_timeout traitlet to enable restarting slow kernels.
- Add custom_display_host config option to override displayed URL.
- Add /metrics endpoint for Prometheus Metrics.
- Optimize large file uploads.
- Allow access control headers to be overridden in jupyter_notebook_config.py to support
greater CORS and proxy configuration flexibility.
- Add support for terminals on windows.
- Add a "restart and run all" button to the toolbar.
- Frontend/extension-config: allow default json files in a .d directory.
- Allow setting token via jupyter_token env.
- Cull idle kernels using --MappingKernelManager.cull_idle_timeout.
- Allow read-only notebooks to be trusted.
- Convert JS tests to Selenium.
Security Fixes included in previous minor releases of Jupyter Notebook and also included in version 6.0.
- Fix Open Redirect vulnerability (CVE-2019-10255)
where certain malicious URLs could redirect from the Jupyter login page
to a malicious site after a successful login.
- Contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019-9644),
where files at a known URL could be included in a page from an unauthorized website if
the user is logged into a Jupyter server. The fix involves setting the
X-Content-Type-Options: nosniff header, and applying CSRF checks previously on all
non-GET API requests to GET requests to API endpoints and the /files/ endpoint.
- Check Host header to more securely protect localhost deployments from DNS rebinding.
This is a pre-emptive measure, not fixing a known vulnerability.
Use .NotebookApp.allow_remote_access and .NotebookApp.local_hostnames to configure
access.
- Upgrade bootstrap to 3.4, fixing an XSS vulnerability, which has been
assigned CVE-2018-14041 (https://nvd.nist.gov/vuln/detail/CVE-2018-14041).
- Contains a security fix preventing malicious directory names
from being able to execute javascript.
- Contains a security fix preventing nbconvert endpoints from executing javascript with
access to the server API. CVE request pending.
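The Host header check against DNS rebinding mentioned in the notes above, as an added example that is not Jupyter's own code. In a rebinding attempt the browser connects to the loopback address but still sends the attacker's hostname in Host, which is what the check keys on. The function names are hypothetical; the `allow_remote_access` and `local_hostnames` parameters are only modelled on the NotebookApp options named in the notes.

```python
import ipaddress


def split_host(host_header):
    """Return the hostname part of a Host header, without port or brackets."""
    host = host_header.strip()
    if host.startswith("["):
        # Bracketed IPv6 literal, e.g. [::1]:8888
        end = host.find("]")
        return host[1:end] if end != -1 else None
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name          # hostname or IPv4 followed by :port
    return host              # no port present


def host_allowed(host_header, served_on_loopback=True,
                 allow_remote_access=False, local_hostnames=("localhost",)):
    """Decide whether a request's Host header is acceptable.

    The check only applies when the server listens on a loopback interface
    and remote access has not been explicitly allowed.
    """
    if allow_remote_access or not served_on_loopback:
        return True
    if not host_header:
        return False
    host = split_host(host_header)
    if not host:
        return False
    try:
        # Literal loopback addresses (127.0.0.0/8, ::1) are always local.
        if ipaddress.ip_address(host).is_loopback:
            return True
    except ValueError:
        pass  # not an IP literal, fall through to the hostname allow-list
    return host.lower().rstrip(".") in local_hostnames


if __name__ == "__main__":
    # Constructed sample Host values.
    for value in ("localhost:8888", "127.0.0.1:8888", "[::1]:8888",
                  "rebind.attacker.example:8888"):
        print(f"{value:32} -> {host_allowed(value)}")
```
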
Scrapy 1.7.3:
Enforce lxml 4.3.5 or lower for Python 3.4 (issue 3912, issue 3918).
Scrapy 1.7.2:
Fix Python 2 support (issue 3889, issue 3893, issue 3896).
Scrapy 1.7.1:
Re-packaging of Scrapy 1.7.0, which was missing some changes in PyPI.
Scrapy 1.7.0:
Highlights:
Improvements for crawls targeting multiple domains
A cleaner way to pass arguments to callbacks
A new class for JSON requests
Improvements for rule-based spiders
New features for feed exports
Backward-incompatible changes
429 is now part of the RETRY_HTTP_CODES setting by default
This change is backward incompatible. If you don’t want to retry 429, you must override RETRY_HTTP_CODES accordingly.
Crawler, CrawlerRunner.crawl and CrawlerRunner.create_crawler no longer accept a Spider subclass instance, they only accept a Spider subclass now.
Spider subclass instances were never meant to work, and they were not working as one would expect: instead of using the passed Spider subclass instance, their from_crawler method was called to generate a new instance.
Non-default values for the SCHEDULER_PRIORITY_QUEUE setting may stop working. Scheduler priority queue classes now need to handle Request objects instead of arbitrary Python data structures.
New features
A new scheduler priority queue, scrapy.pqueues.DownloaderAwarePriorityQueue, may be enabled for a significant scheduling improvement on crawls targeting multiple web domains, at the cost of no CONCURRENT_REQUESTS_PER_IP support (issue 3520)
A new Request.cb_kwargs attribute provides a cleaner way to pass keyword arguments to callback methods (issue 1138, issue 3563)
A new JSONRequest class offers a more convenient way to build JSON requests (issue 3504, issue 3505)
A process_request callback passed to the Rule constructor now receives the Response object that originated the request as its second argument (issue 3682)
A new restrict_text parameter for the LinkExtractor constructor allows filtering links by linking text (issue 3622, issue 3635)
A new FEED_STORAGE_S3_ACL setting allows defining a custom ACL for feeds exported to Amazon S3 (issue 3607)
A new FEED_STORAGE_FTP_ACTIVE setting allows using FTP’s active connection mode for feeds exported to FTP servers (issue 3829)
A new METAREFRESH_IGNORE_TAGS setting allows overriding which HTML tags are ignored when searching a response for HTML meta tags that trigger a redirect (issue 1422, issue 3768)
A new redirect_reasons request meta key exposes the reason (status code, meta refresh) behind every followed redirect (issue 3581, issue 3687)
The SCRAPY_CHECK variable is now set to the true string during runs of the check command, which allows detecting contract check runs from code (issue 3704, issue 3739)
A new Item.deepcopy() method makes it easier to deep-copy items (issue 1493, issue 3671)
CoreStats also logs elapsed_time_seconds now (issue 3638)
Exceptions from ItemLoader input and output processors are now more verbose (issue 3836, issue 3840)
Crawler, CrawlerRunner.crawl and CrawlerRunner.create_crawler now fail gracefully if they receive a Spider subclass instance instead of the subclass itself (issue 2283, issue 3610, issue 3872)
Bug fixes
process_spider_exception() is now also invoked for generators (issue 220, issue 2061)
System exceptions like KeyboardInterrupt are no longer caught (issue 3726)
ItemLoader.load_item() no longer makes later calls to ItemLoader.get_output_value() or ItemLoader.load_item() return empty data (issue 3804, issue 3819)
The images pipeline (ImagesPipeline) no longer ignores these Amazon S3 settings: AWS_ENDPOINT_URL, AWS_REGION_NAME, AWS_USE_SSL, AWS_VERIFY (issue 3625)
Fixed a memory leak in MediaPipeline affecting, for example, non-200 responses and exceptions from custom middlewares (issue 3813)
Requests with private callbacks are now correctly unserialized from disk (issue 3790)
FormRequest.from_response() now handles invalid methods like major web browsers
DIST_SUBDIR no longer contains version suffix to prevent distfiles clutter.
Changes since 1.28.1:
* DB-2245: merge with Firefox 68.0.2
* DB-2245: Update to 1.28.2
* DB-2250: fixed about dialog license link
* DB-2247: fix texts on Profile Downgrade dialog
* DB-2246: fallback to textValue as url value
5.6.0:
Significant Changes
Jupyter Client Pin
The jupyter_client dependency is now pinned to >5.3.1. This is done to support the Parallel NBConvert below, and future versions may require interface changes from that version.
Parallel NBConvert
NBConvert --execute can now be run in parallel via threads, multiprocessing, or async patterns! This means you can now parallelize nbconvert via a bash loop, or a python concurrency pattern and it should be able to execute those notebooks in parallel.
Kernels have varying support for safe concurrent execution. The ipython kernel (ipykernel version 1.5.2 and higher) should be safe to run concurrently using Python 3. However, the Python 2 ipykernel does not always provide safe concurrent execution and sometimes fails with a socket bind exception. Unlike ipykernel which is maintained by the project, other community-maintained kernels may have varying support for concurrent execution, and these kernels were not tested heavily.
Issues for nbconvert can be viewed here:
.. note: We'll keep an eye for issues related to this new capability and try to quickly patch any discovered issues post release. The improvement required touching three projects with separate releases, so if you do find an issue try upgrading dependencies and listing your dependencies for your environment when reporting.
Execute Loop Rewrite
This release completely rewrote the execution loop responsible for monitoring kernel messages until cell execution is completed. This removes an error where kernel messages could be dropped if too many were posted too quickly. Furthermore, the change means that messages are not buffered. Now, messages can be logged immediately rather than waiting for the cell to terminate.
Comprehensive notes
New Features
- Make a default global location for custom user templates
- Parallel execution improvements
- Added store_history option to preprocess_cell and run_cell
- Simplify the function signature for preprocess()
- Set flag to not always stop kernel execution on errors
- setup_preprocessor passes kwargs to start_new_kernel
Fixing Problems
- Very fast stream outputs no longer drop some messages
- LaTeX errors now properly raise exceptions
- Improve template whitespacing
- Fixes for character in LaTeX exports and filters
- Mistune pinned in preparation for 2.0 release
- Require mock only on Python 2
- Fix selection of mimetype when converting to HTML
- Correct a few typos
- Update export_from_notebook names
- Dedenting html in ExtractOutputPreprocessor
- Fix backwards incompatibility with markdown2html
- Fixed html image tagging
- Remove unnecessary css
Testing, Docs, and Builds
- Pip-install nbconvert on readthedocs.org
- Fix various doc build issues
- Add issue templates
- Added instructions for bumping the version forward when releasing
- Fix Testing on Windows
- Refactored test_run_notebooks
- Fixed documentation typos
1.9.3
- **FIX**: [attr!=value] pattern was mistakenly using :not([attr|=value]) logic instead of :not([attr=value]).
- **FIX**: Remove undocumented _QUIRKS mode flag. Beautiful Soup was meant to use it to help with transition to Soup
Sieve, but never released with it. Help with transition at this point is no longer needed.
Git 2.23 Release Notes
======================
Updates since v2.22
-------------------
Backward compatibility note
* The "--base" option of "format-patch" computed the patch-ids for
prerequisite patches in an unstable way, which has been updated to
compute in a way that is compatible with "git patch-id --stable".
* The "git log" command by default behaves as if the --mailmap option
was given.
UI, Workflows & Features
* The "git fast-export/import" pair has been taught to handle commits
with log messages in encoding other than UTF-8 better.
* In recent versions of Git, per-worktree refs are exposed in
refs/worktrees/<wtname>/ hierarchy, which means that worktree names
must be a valid refname component. The code now sanitizes the names
given to worktrees, to make sure these refs are well-formed.
* "git merge" learned "--quit" option that cleans up the in-progress
merge while leaving the working tree and the index still in a mess.
* "git format-patch" learns a configuration to set the default for
its --notes=<ref> option.
* The code to show args with potential typo that cannot be
interpreted as a commit-ish has been improved.
* "git clone --recurse-submodules" learned to set up the submodules
to ignore commit object names recorded in the superproject gitlink
and instead use the commits that happen to be at the tip of the
remote-tracking branches from the get-go, by passing the new
"--remote-submodules" option.
* The pattern "git diff/grep" use to extract funcname and words
boundary for Matlab has been extended to cover Octave, which is more
or less equivalent.
* "git help git" was hard to discover (well, at least for some
people).
* The pattern "git diff/grep" use to extract funcname and words
boundary for Rust has been added.
* "git status" can be told a non-standard default value for the
"--[no-]ahead-behind" option with a new configuration variable
status.aheadBehind.
* "git fetch" and "git pull" reports when a fetch results in
non-fast-forward updates to let the user notice unusual situation.
The commands learned "--no-show-forced-updates" option to disable
this safety feature.
* Two new commands "git switch" and "git restore" are introduced to
split "checking out a branch to work on advancing its history" and
"checking out paths out of the index and/or a tree-ish to work on
advancing the current history" out of the single "git checkout"
command.
* "git branch --list" learned to always output the detached HEAD as
the first item (when the HEAD is detached, of course), regardless
of the locale.
* The conditional inclusion mechanism learned to base the choice on
the branch the HEAD currently is on.
* "git rev-list --objects" learned the "--no-object-names" option to
squelch the path to the object that is used as a grouping hint for
pack-objects.
* A new tag.gpgSign configuration variable turns "git tag -a" into
"git tag -s".
* "git multi-pack-index" learned expire and repack subcommands.
* "git blame" learned to "ignore" commits in the history, whose
effects (as well as their presence) get ignored.
* "git cherry-pick/revert" learned a new "--skip" action.
* The tips of refs from the alternate object store can be used as
starting point for reachability computation now.
* Extra blank lines in "git status" output have been reduced.
* The commits in a repository can be described by multiple
commit-graph files now, which allows the commit-graph files to be
updated incrementally.
* "git range-diff" output has been tweaked for easier identification
of which part of what file the patch shown is about.
Performance, Internal Implementation, Development Support etc.
* Update supporting parts of "git rebase" to remove code that should
no longer be used.
* Developer support to emulate unsatisfied prerequisites in tests to
ensure that the remainder of the tests still succeeds when tests
with prerequisites are skipped.
* "git update-server-info" learned not to rewrite the file with the
same contents.
* The way of specifying the path to find dynamic libraries at runtime
has been simplified. The old default to pass -R/path/to/dir has been
replaced with the new default to pass -Wl,-rpath,/path/to/dir,
which is the more recent GCC uses. Those who need to build with an
old GCC can still use "CC_LD_DYNPATH=-R"
* Prepare use of reachability index in topological walker that works
on a range (A..B).
* A new tutorial targeting specifically aspiring git-core
developers has been added.
* Auto-detect how to tell HP-UX aCC where to use dynamically linked
libraries from at runtime.
* "git mergetool" and its tests now spawn fewer subprocesses.
* Dev support update to help tracing out tests.
* Support to build with MSVC has been updated.
* "git fetch" that grabs from a group of remotes learned to run the
auto-gc only once at the very end.
* A handful of Windows build patches have been upstreamed.
* The code to read state files used by the sequencer machinery for
"git status" has been made more robust against a corrupt or stale
state files.
* "git for-each-ref" with multiple patterns have been optimized.
* The tree-walk API learned to pass an in-core repository
instance throughout more codepaths.
* When one step in multi step cherry-pick or revert is reset or
committed, the command line prompt script failed to notice the
current status, which has been improved.
* Many GIT_TEST_* environment variables control various aspects of
how our tests are run, but a few followed "non-empty is true, empty
or unset is false" while others followed the usual "there are a few
ways to spell true, like yes, on, etc., and also ways to spell
false, like no, off, etc." convention.
* Adjust the dir-iterator API and apply it to the local clone
optimization codepath.
* We have been trying out a few language features outside c89; the
coding guidelines document did not talk about them and instead had
a blanket ban against them.
* A test helper has been introduced to optimize preparation of test
repositories with many simple commits, and a handful of test
scripts have been updated to use it.
Fixes since v2.22
-----------------
* A relative pathname given to "git init --template=<path> <repo>"
ought to be relative to the directory "git init" gets invoked in,
but it instead was made relative to the repository, which has been
corrected.
* "git worktree add" used to fail when another worktree connected to
the same repository was corrupt, which has been corrected.
* The ownership rule for the file descriptor to fast-import remote
backend was mixed up, leading to an unrelated file descriptor getting
closed, which has been fixed.
* A "merge -c" instruction during "git rebase --rebase-merges" should
give the user a chance to edit the log message, even when there is
otherwise no need to create a new merge and replace the existing
one (i.e. fast-forward instead), but did not. Which has been
corrected.
* Code cleanup and futureproof.
* More parameter validation.
* "git update-server-info" used to leave stale packfiles in its
output, which has been corrected.
* The server side support for "git fetch" used to show incorrect
value for the HEAD symbolic ref when the namespace feature is in
use, which has been corrected.
* "git am -i --resolved" segfaulted after trying to see a commit as
if it were a tree, which has been corrected.
* "git bundle verify" needs to see if prerequisite objects exist in
the receiving repository, but the command did not check if we are
in a repository upfront, which has been corrected.
* "git merge --squash" is designed to update the working tree and the
index without creating the commit, and this cannot be countermanded
by adding the "--commit" option; the command now refuses to work
when both options are given.
* The data collected by fsmonitor was not properly written back to
the on-disk index file, breaking t7519 tests occasionally, which
has been corrected.
* Update to Unicode 12.1 width table.
* The command line to invoke a "git cat-file" command from inside
"git p4" was not properly quoted to protect a caret and running a
broken command on Windows, which has been corrected.
* "git request-pull" learned to warn when the ref we ask them to pull
from in the local repository and in the published repository are
different.
* When creating a partial clone, the object filtering criteria is
recorded for the origin of the clone, but this incorrectly used a
hardcoded name "origin" to name that remote; it has been corrected
to honor the "--origin <name>" option.
* "git fetch" into a lazy clone forgot to fetch base objects that are
necessary to complete delta in a thin packfile, which has been
corrected.
* The filter_data used in the list-objects-filter (which manages a
lazily sparse clone repository) did not use the dynamic array API
correctly---'nr' is supposed to point at one past the last element
of the array in use. This has been corrected.
* The description about slashes in gitignore patterns (used to
indicate things like "anchored to this level only" and "only
matches directories") has been revamped.
* The URL decoding code has been updated to avoid going past the end
of the string while parsing %-<hex>-<hex> sequence.
* The list of for-each like macros used by clang-format has been
updated.
* "git branch --list" learned to show branches that are checked out
in other worktrees connected to the same repository prefixed with
'+', similar to the way the currently checked out branch is shown
with '*' in front.
(merge 6e9381469e nb/branch-show-other-worktrees-head later to maint).
* Code restructuring during 2.20 period broke fetching tags via
"import" based transports.
* The commit-graph file is now part of the "files that the runtime
may keep open file descriptors on, all of which would need to be
closed when done with the object store", and the file descriptor to
an existing commit-graph file now is closed before "gc" finalizes a
new instance to replace it.
* "git checkout -p" needs to selectively apply a patch in reverse,
which did not work well.
* Code clean-up to avoid signed integer wraparounds during binary search.
* "git interpret-trailers" always treated '#' as the comment
character, regardless of core.commentChar setting, which has been
corrected.
* "git stash show 23" used to work, but no more after getting
rewritten in C; this regression has been corrected.
* "git rebase --abort" used to leave refs/rewritten/ when concluding
"git rebase -r", which has been corrected.
* An incorrect list of options was cached after command line
completion failed (e.g. trying to complete a command that requires
a repository outside one), which has been corrected.
* The code to parse scaled numbers out of configuration files has
been made more robust and also easier to follow.
* The codepath to compute delta islands used to spew progress output
without giving the callers any way to squelch it, which has been
fixed.
* Protocol capabilities that go over wire should never be translated,
but it was incorrectly marked for translation, which has been
corrected. The output of protocol capabilities for debugging has
been tweaked a bit.
* Use "Erase in Line" CSI sequence that is already used in the editor
support to clear cruft in the progress output.
* "git submodule foreach" did not protect command line options passed
to the command to be run in each submodule correctly, when the
"--recursive" option was in use.
* The configuration variable rebase.rescheduleFailedExec should be
effective only while running an interactive rebase and should not
affect anything when running a non-interactive one, which was not
the case. This has been corrected.
* The "git clone" documentation refers to command line options in its
description in the short form; they have been replaced with long
forms to make them more recognisable.
* Generation of pack bitmaps is now disabled when .keep files exist,
as these are mutually exclusive features.
(merge 7328482253 ew/repack-with-bitmaps-by-default later to maint).
* "git rm" to resolve a conflicted path leaked an internal message
"needs merge" before actually removing the path, which was
confusing. This has been corrected.
* "git stash --keep-index" did not work correctly on paths that have
been removed, which has been fixed.
(merge b932f6a5e8 tg/stash-keep-index-with-removed-paths later to maint).
* Window 7 update ;-)
* A codepath that reads from GPG for signed object verification read
past the end of allocated buffer, which has been fixed.
* "git clean" silently skipped a path when it cannot lstat() it; now
it gives a warning.
* "git push --atomic" that goes over the transport-helper (namely,
the smart http transport) failed to prevent refs to be pushed when
it can locally tell that one of the ref updates will fail without
having to consult the other end, which has been corrected.
* The internal diff machinery can be made to read out of bounds while
looking for --function-context line in a corner case, which has been
corrected.
(merge b777f3fd61 jk/xdiff-clamp-funcname-context-index later to maint).
* Other code cleanup, docfix, build fix, etc.
(merge fbec05c210 cc/test-oidmap later to maint).
(merge 7a06fb038c jk/no-system-includes-in-dot-c later to maint).
(merge 81ed2b405c cb/xdiff-no-system-includes-in-dot-c later to maint).
(merge d61e6ce1dd sg/fsck-config-in-doc later to maint).
Changes:
* BREAKING
* Add pagination for admin api get orgs and fix only list public orgs bug (#7742) (#7752)
* SECURITY
* Be more strict with git arguments (#7715) (#7762)
* Release built with go 1.12.8 to fix security fixes in golang std lib, ref: https://groups.google.com/forum/#!topic/golang-nuts/fCQWxqxP8aA
* BUGFIXES
* Fix local runs of ssh-requiring integration tests (#7855) (#7857)
* Fix hook problem (#7856) (#7754)
* Use .ExpiredUnix.IsZero to display green color of forever valid gpg key (#7850) (#7846)
* Do not fetch all refs (#7797) (#7837)
* Fix duplicate call of webhook (#7824) (#7821)
* Enable switching to a different source branch when PR already exists (#7823)
* Rewrite existing repo units if setting is not included in api body (#7811)
* Prevent Commit Status and Message From Overflowing On Branch Page (#7800) (#7808)
* API: fix multiple bugs with statuses endpoints (Backport #7785) (#7807)
* Fix Slack webhook fork message (1.9 release backport) (#7783)
* Fix approvals counting (#7757) (#7777)
* Fix rename failed when rewrite public keys (#7761) (#7769)
* Fix dropTableColumns sqlite implementation (#7710) (#7765)
* Fix repo_index_status lingering when deleting a repository (#7738)
* Fix milestone completeness calculation when migrating (#7725) (#7732)
* Fixes indexed repos keeping outdated indexes when files grow too large (#7731)
* Skip non-regular files (e.g. submodules) on repo indexing (#7717)
* Improve branches list performance and fix protected branch icon when no-login (#7695) (#7704)
* Correct wrong datetime format for git (#7689) (#7690)
Pkgsrc changelog :
* Some files do not exist anymore, so they were removed from installation
* Fixed compilation issue about signals
Some of the upstream changes :
* an HTML parser : pages are now parsed for additional elements (images,
js...) that are also requested ;
* improved memory management ;
* logging to a file is now disabled by default ;
* colored output can be disabled in the config file ;
* implement disable cache option.
Full changelog available here :
https://github.com/JoeDog/siege/blob/v4.0.4/ChangeLog
Changes:
0.3
---
- Improve documentation and add man pages for all tools
- Several tscrape_update improvements (making it more robust/verbose about
possible errors)
Upstream changes (from NEWS):
== Ruby-GNOME2 3.3.7: 2019-08-17
This is the bug fix release of 3.3.6.
=== Changes
==== Ruby/Pango
* Improvements
* (({Pango::AttrList#each})): Added.
* (({Pango::AttrType})): Added support for (({PANGO_ATTR_FONT_DESC})).
==== Ruby/GObjectIntrospection
* Improvements
* Added support for (({GHashTable<utf8, enum>})).
* Added support for GObject Introspection 1.60.0.
==== Ruby/Pango
* Improvements
* Added support for Pango 1.44.
[GitHub#1288][Reported by Toshiaki Asai]
==== Ruby/GTK3
* Fixes
* Fixed document markup.
[GitHub#1280][GitHub#1281][GitHub#1282][Patch by İsmail Arılık]
==== Ruby/WNCK3
* Added.
[GitHub#1284][Reported by Christopher L. Ramsey]
==== Ruby/libsecret
* Added.
=== Thanks
* İsmail Arılık
* Christopher L. Ramsey
* Toshiaki Asai
ChangeLog:
Logswan 2.0.4 (2019-08-16)
- Adding #include guard in compat header file
- Add an example log file and regenerate output example
- Add dependencies installation instructions for NetBSD and FreeBSD
- Add final dots for options descriptions
- Add final dot when printing results summary
- Use EXIT_SUCCESS and EXIT_FAILURE macros for return values
- Add a trailing newline when printing JSON output
OK kamil@
Changelog:
Fixed
Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar (bug 1560228)
Allow fonts to be loaded via file:// URLs when opening a page locally (bug 1565942)
Printing emails from the Outlook web app no longer prints only the header and footer (bug 1567105)
Fixed a bug causing some images not to be displayed on reload, including on Google Maps (bug 1565542)
Fixed an error when starting external applications configured as URI handlers (bug 1567614)
Security fixes
CVE-2019-11733: Stored passwords in 'Saved Logins' can be copied without master password entry
Changelog:
* make the warning in buildconf more clear, month
after noting that the hardfailure was not necessary.
* comment nroff parts of configure script, build +
check + release without groff tested successfully on NetBSD 9.99.4
* Dependencies: python-3 is now supported (should be in curl
as well) for the tests. If python is required at all for
the tests needs to be looked at more closely. groff/nroff dropped.
The usual curl Changelog applies, consult https://curl.haxx.se for the
ChangeLog.
Changes with nginx 1.17.3
*) Security: when using HTTP/2 a client might cause excessive memory
consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
CVE-2019-9516).
*) Bugfix: "zero size buf" alerts might appear in logs when using
gzipping; the bug had appeared in 1.17.2.
*) Bugfix: a segmentation fault might occur in a worker process if the
"resolver" directive was used in SMTP proxy.
Changes with nginx 1.17.2
*) Change: minimum supported zlib version is 1.2.0.4.
Thanks to Ilya Leoshkevich.
*) Change: the $r->internal_redirect() embedded perl method now expects
escaped URIs.
*) Feature: it is now possible to switch to a named location using the
$r->internal_redirect() embedded perl method.
*) Bugfix: in error handling in embedded perl.
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if hash bucket size larger than 64 kilobytes was used
in the configuration.
*) Bugfix: nginx might hog CPU during unbuffered proxying and when
proxying WebSocket connections if the select, poll, or /dev/poll
methods were used.
*) Bugfix: in the ngx_http_xslt_filter_module.
*) Bugfix: in the ngx_http_ssi_filter_module.
Changes with nginx 1.17.1
*) Feature: the "limit_req_dry_run" directive.
*) Feature: when using the "hash" directive inside the "upstream" block
an empty hash key now triggers round-robin balancing.
Thanks to Niklas Keller.
*) Bugfix: a segmentation fault might occur in a worker process if
caching was used along with the "image_filter" directive, and errors
with code 415 were redirected with the "error_page" directive; the
bug had appeared in 1.11.10.
*) Bugfix: a segmentation fault might occur in a worker process if
embedded perl was used; the bug had appeared in 1.7.3.
Changes with nginx 1.16.1
*) Security: when using HTTP/2 a client might cause excessive memory
consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
CVE-2019-9516).
Changes with Apache 2.4.41
*) SECURITY: CVE-2019-10081 (cve.mitre.org)
mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
could lead to an overwrite of memory in the pushing request's pool,
leading to crashes. The memory copied is that of the configured push
link header values, not data supplied by the client.
*) SECURITY: CVE-2019-9517 (cve.mitre.org)
mod_http2: a malicious client could perform a DoS attack by flooding
a connection with requests and basically never reading responses
on the TCP connection. Depending on h2 worker dimensioning, it was
possible to block those with relatively few connections.
*) SECURITY: CVE-2019-10098 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
*) SECURITY: CVE-2019-10092 (cve.mitre.org)
Remove HTML-escaped URLs from canned error responses to prevent misleading
text/links being displayed via crafted links.
*) SECURITY: CVE-2019-10097 (cve.mitre.org)
mod_remoteip: Fix stack buffer overflow and NULL pointer dereference
when reading the PROXY protocol header.
*) SECURITY: CVE-2019-10082 (cve.mitre.org)
mod_http2: Using fuzzed network input, the http/2 session
handling could be made to read memory after being freed,
during connection shutdown.
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users.
*) mod_session: Introduce SessionExpiryUpdateInterval which allows to
configure the session/cookie expiry's update interval.
*) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
*) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
configured for a domain managed by mod_md.
nghttp2 v1.39.2
This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.
Fix CVE-2019-9511 and CVE-2019-9513
Add nghttp2_option_set_max_outbound_ack API function
nghttpx: Fix request stall
v1.7.11
Implementation Changes
- Pass library and Python version in x-goog-api-client header
Documentation
- Fix typo in filename used in 'docs/auth.md'
Changelog:
Thu 01 Aug 2019 01:23:36 PM CEST
Releasing libmicrohttpd 0.9.66. -CG
Thu 01 Aug 2019 12:53:49 AM CEST
Fix issue with discarding unhandled upload data discovered
by Florian Dold. -CG
Mon 29 Jul 2019 08:01:50 PM CEST
Fix hanging situation with large transmission over upgraded
(i.e. Web socket) connection with epoll() and HTTPS enabled
(as reported by Viet on the mailing list). -CG
Thu 25 Jul 2019 02:40:12 PM CEST
Fixing regression introduced in cc5032b85 (bit mask matching
of the header kinds in MHD_lookup_connection_value()), as
reported by Jose Bollo on the mailing list. -CG/JB
Tue Jul 16 19:56:14 CEST 2019
Add MHD_OPTION_HTTPS_CERT_CALLBACK2 to allow OCSP stapling
and MHD_FEATURE_HTTPS_CERT_CALLBACK2 to check for. -TR
1.5.2:
* Selector.remove_namespaces received a significant performance improvement
* The value of data within the printable representation of a selector
(repr(selector)) now ends in ... when truncated, to make the
truncation obvious.
* Minor documentation improvements.
1.21.0:
- Add the encoding and path_encoding parameters to
:func:w3lib.url.safe_download_url
- :func:w3lib.url.safe_url_string now also removes tabs and new lines
- :func:w3lib.html.remove_comments now also removes truncated comments
- :func:w3lib.html.remove_tags_with_content no longer removes tags which
start with the same text as one of the specified tags
- Recommend pytest instead of nose to run tests
Perform common useful JavaScript operations in Shiny apps that will
greatly improve your apps without having to know any JavaScript.
Examples include: hiding an element, disabling an input, resetting an
input back to its original value, delaying code execution by a few
seconds, and many more useful functions for both the end user and the
developer. 'shinyjs' can also be used to easily call your own custom
JavaScript functions from R.
Makes it incredibly easy to build interactive web applications with R.
Automatic "reactive" binding between inputs and outputs and extensive
prebuilt widgets make it possible to build beautiful, responsive, and
powerful applications with minimal effort.
Provides low-level socket and protocol support for handling HTTP and
WebSocket requests directly from within R. It is primarily intended as
a building block for other packages, rather than making it
particularly easy to create complete web applications using httpuv
alone. httpuv is built on top of the libuv and http-parser C
libraries, both of which were developed by Joyent, Inc. (See LICENSE
file for libuv and http-parser license information.)
Useful tools for working with HTTP organised by HTTP verbs (GET(),
POST(), etc). Configuration functions make it easy to control
additional request components (authenticate(), add_headers() and so
on).
The canonical form [1] of an R package Makefile includes the
following:
- The first stanza includes R_PKGNAME, R_PKGVER, PKGREVISION (as
needed), and CATEGORIES.
- HOMEPAGE is not present but defined in math/R/Makefile.extension to
refer to the CRAN web page describing the package. Other relevant
web pages are often linked from there via the URL field.
This updates all current R packages to this form, which will make
regular updates _much_ easier, especially using pkgtools/R2pkg.
[1] http://mail-index.netbsd.org/tech-pkg/2019/08/02/msg021711.html
3.2.1:
* sys.exc_info() is now propagated across thread boundaries
3.2.0:
* New "thread_sensitive" argument to SyncToAsync allows for pinning of code into
the same thread as other thread_sensitive code.
* Test collection on Python 3.7 fixed
Django 2.2.4:
* CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator
* CVE-2019-14233: Denial-of-service possibility in strip_tags()
* CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField
* CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()
* Fixed a regression in Django 2.2 when ordering a QuerySet.union(), intersection(), or difference() by a field type present more than once results in the wrong ordering being used
* Fixed a migration crash on PostgreSQL when adding a check constraint with a contains lookup on DateRangeField or DateTimeRangeField, if the right hand side of an expression is the same type
* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path contains null characters ('\x00')
* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation directory cannot be resolved
Django 1.11.23:
* CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator
* CVE-2019-14233: Denial-of-service possibility in strip_tags()
* CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField
* CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()
Version 0.15.5
- Fix a TypeError due to changes to ast.Module in Python 3.8.
- Fix a C assertion failure in debug builds of some Python 2.7
releases.
- :class:~exceptions.BadRequestKeyError adds the KeyError
message to the description if e.show_exception is set to
True. This is a more secure default than the original 0.15.0
behavior and makes it easier to control without losing information.
- Upgrade the debugger to jQuery 3.4.1.
- Work around an issue in some external debuggers that caused the
reloader to fail.
- Work around an issue where the reloader couldn't introspect a
setuptools script installed as an egg.
- The reloader will use sys.executable even if the script is
marked executable, reverting a behavior intended for NixOS
introduced in 0.15. The reloader should no longer cause
OSError: [Errno 8] Exec format error.
- SharedDataMiddleware safely handles paths with Windows drive
names.
3.21.0
Require flask 1.0 or greater
Move docs to pallets-sphinx-themes
Add a new JWT_DECODE_ISSUER option for use with other JWT providers
Gracefully handle errors for malformed tokens
BREAKING
* Better logging (#6038) (#6095)
SECURITY
* Shadow the password on cache and session config on admin panel (#7300)
* Fix markdown invoke sequence (#7513) (#7560)
* Reserve .well-known username (#7638)
* Do not leak secrets via timing side channel (#7364)
* Ensure that decryption of cookie actually succeeds (#7363)
FEATURE
* Content API for Creating, Updating, Deleting Files (#6314)
* Enable tls-alpn-01: Use certmanager provided TLSConfig for LetsEncrypt (#7229)
* Add command to convert mysql database from utf8 to utf8mb4 (#7144)
* Fixes #2738 - Adds the /git/tags API endpoint (#7138)
* Compare branches, commits and tags with each other (#6991)
* Show Pull Request button or status of latest PR in branch list (#6990)
* Repository avatars (#6986)
* Show git-notes (#6984)
* Add commit statuses reports on pull request view (#6845)
* Number of commits ahead/behind in branch overview (#6695)
* Add CLI commands to manage LDAP authentication source (#6681)
* Add support for MS Teams webhooks (#6632)
* OAuth2 Grant UI (#6625)
* Add SUBJECT_PREFIX mailer config option (#6605)
* Include custom configuration file in dump (#6516)
* Add API for manipulating Git hooks (#6436)
* Improve migrations to support migrating milestones/labels/issues/comments/pullrequests (#6290)
* Add option to blame files (#5721)
* Implement Default Webhooks (#4299)
* Telegram webhook (#4227)
BUGFIXES
* Send webhook after commit when creating issue with assignees (#7681) (#7684)
* Upgrade macaron/captcha to fix random error problem (#7407) (#7683)
* Move add to hook queue for created repo to outside xorm session. (#7682) (#7675)
* Show protection symbol if needed on default branch (#7660) (#7668)
* Hide delete/restore button on archived repos (#7660)
* Fix bug on migrating milestone from github (#7665) (#7666)
* Use flex to fix floating paginate (#7656) (#7662)
* Change length of some repository's columns (#7652) (#7655)
* Fix wrong email when use gitea as OAuth2 provider (#7640) (#7647)
* Fix syntax highlight initialization (#7617) (#7626)
* Fix bug create/edit wiki pages when code master branch protected (#7580) (#7623)
* Fix panic on push at #7611 (#7615) (#7618)
* Handle ErrUserProhibitLogin in http git (#7586, #7591) (#7590)
* Fix color of split-diff view in dark theme (#7587) (#7589)
* Fix file header overflow in file and blame views (#7562) (#7579)
* Malformed URLs in API git/commits response (#7565) (#7567)
* Fix empty commits now showing in repo overview (#7521) (#7563)
* Fix repository's pull request count error (#7518) (#7524)
* Remove duplicated webhook trigger (#7511) (#7516)
* Handles all redirects for Web UI File CRUD (#7478) (#7507)
* Fix regex for issues in commit messages (#7444) (#7466)
* cmd/serv: actually exit after fatal errors (#7458) (#7460)
* Fix an issue with some pages throwing 'not defined' js exceptions #7450 (#7453)
* Fix Dropzone.js integration (#7445) (#7448)
* Create class for inline positioned lists (#7439) (#7393)
* Diff: Fix indentation on unhighlighted code (#7435) (#7443)
* jQuery 3 (#7442) (#7425)
* Only show "New Pull Request" button if repo allows pulls (#7426) (#7432)
* Fix vendor references (#7394) (#7396)
* Only return head: null if source branch was deleted (#6705) (#7376)
* Add missing template variable on organisation settings (#7386) (#7385)
* Fix post parameter on issue list which had unset assignee (#7380) (#7383)
* Fix migration tests due to issue 7 being resolved (#7375) (#7381)
* Correctly adjust mirror url (#6593)
* Handle early git version's lack of get-url (#7065)
* Fix icon position in issue view (#7354)
* Cut timeline length with last element on issue view (#7355)
* Fix mirror repository webhooks (#7366)
* Fix api route for hooks (#7346)
* Fix bug conflict between SyncReleasesWithTags and InsertReleases (#7337)
* Fix pull view ui merge section (#7335)
* Fix 7303 - remove unnecessary buttons on archived repos (#7326)
* Fix topic bar to allow prefixes (#7325)
* Fixes #7152 - Allow create/update/delete message to be empty, use default message (#7324)
* Fixes #7238 - Annotated tag commit ID incorrect (#7321)
* Dark theme fixes (#7319)
* Gitea own dark codemirror theme (#7317)
* Fixes #7292 - API File Contents bug (#7301)
* Fix API link header (#7298)
* Fix extra newlines when copying from diff in Firefox (#7288)
* Make diff line-marker non-selectable (#7279)
* Fix Submodule detection in subdir (#7275)
* Fix error log when loading issues caused by a xorm bug (#7271)
* Add .fa icon margin like .octicon (#7258)
* Fix hljs unintentionally highlighting commit links (#7244)
* Only check and config git on web subcommand but not others (#7236)
* Fix migration panic when Head.User is not exist (#7226)
* Only warn on errors in deleting LFS orphaned files during repo deletion (#7213)
* Fix duplicated file on pull request conflicted files (#7211)
* Allow colon between fixing word and issue (#7207)
* Fix overflow issues in repo (#7190)
* API error cleanup (#7186)
* Add error for fork already existing (#7185)
* Fixes diff on merged pull requests (#7171)
* If milestone id is zero don't get it from database (#7169)
* Fix pusher name via ssh push (#7167)
* Fix database lock when use random repository fallback image (#7166)
* Various fixes for issue mail notifications (#7165)
* Allow archived repos to be (un)starred and (un)watched (#7163)
* Fix GCArgs load from ini (#7156)
* Detect noreply email address as user (#7133)
* Avoid arbitrary format strings upon calling fail() function (#7112)
* Validate External Tracker URL Format (#7089)
* Repository avatar fallback configuration (#7087)
* Fix #732: Add LFS objects to base repository on merging (#7082)
* Install page - Handle invalid administrator username better (#7060)
* Workaround for posting single comments in split diff view (#7052)
* Fix possible mysql invalid connection error (#7051)
* Fix charset was not saved after installation finished (#7048)
* Handle insecure and ports in go get (#7041)
* Avoid bad database state after failed migration (#7040)
* Fix wrong init dependency on markup extensions (#7038)
* Fix default for allowing new organization creation for new users (#7017)
* Fix content download and /verify LFS handler expecting wrong content-type (#7015)
* Fix missing repo description when migrating (#7000)
* Fix LFS Locks over SSH (#6999)
* Do not attempt to return blob on submodule (#6996)
* Fix U2F for Chrome >= 74 (#6980)
* Fix index produces problem when issues/pulls deleted (#6973)
* Allow collaborators to view repo owned by private org (#6965)
* Stop running hooks on pr merge (#6963)
* Run hooks on merge/edit and cope with protected branches (#6961)
* Webhook Logs show proper HTTP Method, and allow change HTTP method in form (#6953)
* Stop colorizing log files by default (#6949)
* Rotate serv.log, http.log and hook logs and stop stacktracing in these (#6935)
* Fix plain text overflow line wrap (#6915)
* Fix input size for dependency select (#6913)
* Change drone token name to let users know to use oauth2 (#6912)
* Fix syntax highlight in blame view #6895 (#6909)
* Use AppURL for Oauth user link (#6894)
* Fixes #6881 - API users search fix (#6882)
* Fix 404 when send pull request some situation (#6871)
* Enforce osusergo build tag for releases (#6862)
* Fix 500 when reviewer is deleted with integration tests (#6856)
* Fix v85.go (#6851)
* Make dropTableColumns drop columns on sqlite and constraints on all (#6849)
* Fix double-generation of scratch token (#6832) (#6833)
* When mirroring we should set the remote to mirror (#6824)
* Fix the v78 migration "Drop is_bare" on MSSQL #6707 (#6823)
* Change verbose flag in dump command to avoid colliding with global version flag (#6822)
* Fix #6813: Allow git.GetTree to take both commit and tree names (#6816)
* Remove seen map from getLastCommitForPaths (#6807)
* Show scrollbar only when needed (#6802)
* Restore IsWindows variable assignment (#6722) (#6790)
* Service worker js is a missing comma (#6788)
* Fix team edit API panic (#6780)
* Set user search base field optional in LDAP (simple auth) edit page (#6779)
* Ignore already existing public keys after ldap sync (#6766)
* Fix pulls broken when fork repository deleted (#6754)
* Fix missing return (#6751)
* Fix new team 500 (#6749)
* OAuth2 token can be used in basic auth (#6747)
* Fix org visibility bug when git cloning (#6743)
* Fix bug when sort repos on org home page login with non-admin (#6741)
* Stricter domain name pattern in email regex (#6739)
* Fix admin template error (#6737)
* Drop is_bare IDX only when it exists for MySQL and MariaDB (#6736)
* UI: Detect and restore encoding and BOM in content (#6727)
* Load issue attributes when editing an issue with API (#6723)
* Fix team members API (#6714)
* Unfortunately MemProvider Init does not actually Init properly (#6692)
* Fix partial reversion of #6657 caused by #6314 (#6685)
* Prevent creating empty sessions (#6677)
* Fixes #6659 - Swagger schemes selection default to page's protocol (#6660)
* Update highlight.js to 9.15.6 (#6658)
* Properly escape on the redirect from the web editor (#6657)
* Fix #6655 - Don't EscapePound .Link as it is already escaped (#6656)
* Use ctx.metas for SHA hash links (#6645)
* Fix wrong GPG expire date (#6643)
* upgrade version of lib/pq to v1.1.0 (#6640)
* Fix forking an empty repository (#6637)
* Fix issuer of OTP URI should be URI-encoded. (#6634)
* Return a UserList from /api/v1/admin/users (#6629)
* Add json tags for oauth2 form (#6627)
* Remove extra slash from twitter card (#6619)
* remove bash requirement in makefile (#6617)
* Fix Open Graph og:image link (#6612)
* Fix cross-compile builds (#6609)
* Change commit summary to full message in API (#6591)
* Fix bug user search API pagesize didn't obey ExplorePagingNum (#6579)
* Prevent server 500 on compare branches with no common history (#6555)
* Properly escape release attachment URL (#6512)
* Delete local branch when repo branch is deleted (#6497)
* Fix bug when user login and want to resend register confirmation email (#6482)
* Fix upload attachments (#6481)
* Avoid multi-clicks in oauth2 login (#6467)
* Hacky fix for alignment of the create-organization dialog (#6455)
* Change order that PostProcess Processors are run (#6445)
* Clean up ref name rules (#6437)
* Fix Hook & HookList in Swagger (#6432)
* Fixed unitTypeCode not being used in accessLevelUnit (#6419)
* Display correct error for invalid mirror interval (#6414)
* Don't Unescape redirect_to cookie value (#6399)
* Fix dump table name error and add some test for dump database (#6394)
* Fix migrations 82 to ignore unsynced tags between database and git data and missing is_archived on repository table (#6387)
* Make sure units of a team are returned (#6379)
* Fix bug manifest.json will not request with cookie so that session will created every request (#6372)
* Disable benchmarking during tag events on DroneIO (#6365)
* Comments list performance optimization (#5305)
ENHANCEMENT
* Update Drone docker generation to standard format (#7480) (#7496) (#7504)
* Add API Endpoint for Repo Edit (#7006)
* Add state param to milestone listing API (#7131)
* Make captcha and password optional for external accounts (#6606)
* Detect migrating batch size (#7353)
* Fix 7255 - wrap long texts on user profile info (#7333)
* Use commit graph files for listing pages (#7314)
* Add git command line commitgraph support global default true when git version >= 2.18 (#7313)
* Add LFS_START_SERVER option to control git-lfs support (#7281)
* Dark theme markdown fixes (#7260)
* Update go-git to v4.12.0 (#7249)
* Show lfs config on admin panel (#7220)
* Disable same user check for internal SSH (#7215)
* Add LastLogin to the User API (#7196)
* Add missing description of label on API (#7159)
* Use go method to calculate ssh key fingerprint (#7128)
* Enable Rust highlighting (#7125)
* Refactor submodule URL parsing (#7100)
* Change issue mail title. (#7064)
* Use batch insert on migrating repository to make the process faster (#7050)
* Improve github downloader on migrations (#7049)
* When git version >= 2.18, git command could run with git wire protocol version 2 param if enabled (#7047)
* Fix Erlang and Elixir highlight mappings (#7044)
* API Org Visibility (#7028)
* Improve handling of non-square avatars (#7025)
* Bugfix: Align comment label and actions to the right (#7024)
* Change UpdateRepoIndex api to include watchers (#7012)
* Move serv hook functionality & drop GitLogger (#6993)
* Add support of utf8mb4 for mysql (#6992)
* Make webhook http connections reusable (#6976)
* Move xorm logger bridge from log to models so that log module could be a standalone package (#6944)
* Refactor models.NewRepoContext to extract git related codes to modules/git (#6941)
* Remove macaron dependent on models (#6940)
* Add less linter via npx (#6936)
* Remove macaron dependent on modules/log (#6933)
* Remove macaron dependent on models/mail.go (#6931)
* Clean less files (#6921)
* Fix code overflow (#6914)
* Style orgs list in user profile (#6911)
* Improve description of branch protection (fix #6886) (#6906)
* Move sdk structs to modules/structs (#6905)
* update sdk to latest (#6903)
* Escape the commit message on issues update and title in telegram hook (#6901)
* SearchRepositoryByName improvements and unification (#6897)
* Change the color of issues/pulls list, merged is purple and closed is red (#6874)
* Refactor table width to have more info shown in file list (#6867)
* Monitor all git commands; move blame to git package and replace git as a variable (#6864)
* Fix config ui error about cache ttl (#6861)
* Improve localization of git activity stats (#6848)
* Generate access token in admin cli (#6847)
* Update github.com/urfave/cli to version 1.2.0 (#6838)
* Rename LFS_JWT_SECRET cli option to include OAUTH2 as well (#6826)
* internal/ssh: ignore env command totally (#6825)
* Allow Recaptcha service url to be configured (#6820)
* update github.com/mcuadros/go-version to v0.0.0-20190308113854-92cdf37c5b75 (#6815)
* Use modules/git for git commands (#6775)
* Add GET requests to webhook (#6771)
* Move PushUpdate dependency from models to repofiles (#6763)
* Tweak tab text and icon colors (#6760)
* Ignore non-standard refs in git push (#6758)
* Disable web preview for telegram webhook (#6719)
* Show full name if DEFAULT_SHOW_FULL_NAME setting enabled (#6710)
* Reorder file actions (#6706)
* README WordPress the code is overflowing #6679 (#6696)
* Improve issue reference on commit (#6694)
* Handle redirects for git clone commands (#6688)
* Fix one performance/correctness regression in #6478 found on Rails repository. (#6686)
* API OTP Context (#6674)
* Remove local clones & make hooks run on merge/edit/upload (#6672)
* Bump github.com/stretchr/testify from 1.2.2 to 1.3.0 (#6663)
* Bump gopkg.in/src-d/go-git.v4 from 4.8.0 to 4.10.0 (#6662)
* Fix dropdown icon padding (#6651)
* Add more title attributes on shortened names (#6647)
* Update UI for topics labels on projects (#6639)
* Trace Logging on Permission Denied & ColorFormat (#6618)
* Add .gpg url (match github behaviour) (#6610)
* Support for custom GITEA_CUSTOM env var in docker (#6608)
* Show "delete branch" button on closed pull requests (#6570) (#6601)
* Add option to disable refresh token invalidation (#6584)
* Fix new repo dropdown alignment (#6583)
* Fix mail notification when close/reopen issue (#6581)
* Pre-calculate the absolute path of git (#6575)
* Minor CSS cleanup for the navbar (#6553)
* Render SHA1 links as code blocks (#6546)
* Add username flag in create-user command (#6534)
* Unifies pagination template usage (#6531) (#6533)
* Fixes pagination width on mobile view (#5711) (#6532)
* Improve SHA1 link detection (#6526)
* Fixes #6446 - Sort team members and team's repositories (#6525)
* Use stricter boundaries for auto-link detection (#6522)
* Use regular line-height on frontpage entries (#6518)
* Fixes #6514 - New Pull Request on files and pulls pages the same (#6515)
* Make distinction between DisplayName and Username in email templates (#6495)
* Add X-Auto-Response-Suppress header to outgoing messages (#6492)
* Cleaned permission checks for API -> site admin can now do anything (#6483)
* Support search operators for commits search (#6479)
* Improve listing performance by using go-git (#6478)
* Fix repo sub_menu font color in arc-green (#6477)
* Show last commit status in pull request lists (#6465)
* Add signatures to webhooks (#6428)
* Optimize all images in public/img (#6427)
* Add golangci (#6418)
* Make "Ghost" not link to 404 page (#6410)
* Include more variables on admin/config page (#6378)
* Markdown: enable some more extensions (#6362)
* Include repo name in page title tag (#6343)
* Show locale string on timestamp (#6324)
* Handle CORS requests (#6289)
* Improve issue autolinks (#6273)
* Migration Tweaks (#6260)
* Add title attributes to all items in the repo list viewer (#6258)
* Issue indexer queue redis support (#6218)
* Add bio field for user (#6113)
* Make the version within makefile overwriteable (#6080)
* Updates to API 404 responses (#6077)
* Use Go1.11 module (#5743)
* UX + Security current user password reset (#5042)
* Refactor: append, build variable and type switch (#4940)
* Git statistics in Activity tab (#4724)
* Drop the bits argument when generating an ed25519 key (#6504)
TESTING
* Exclude pull_request from fetch-tags step, fixes #7108 (#7120)
* Refactor and improve git test (#7086)
* Fix TestSearchRepo by waiting till indexing is done (#7004)
* Add mssql migration tests (needs #6823) (#6852)
* Add tests for Org API (#6731)
* Context.ServerError and NotFound should log from their caller (#6550)
TRANSLATION
* Add french specific rule for translating plural texts (#6846)
BUILD
* Update mssql driver to last working version 20180314172330-6a30f4e59a44 (#7306)
* Alpine 3.10 (#7256)
* Use vfsgen instead of go-bindata (#7080)
* remove and disable package-lock (#6969)
* add make targets for js and css, add js linter (#6952)
* Added tags pull step to drone config to show correct version hashes i… (#6836)
* Make CustomPath, CustomConf and AppWorkPath configurable at build (#6631)
* chore: update drone format to 1.0 (#6602)
* Fix race in integration testlogger (#6556)
* Quieter Integration Tests (#6513)
* Drop the docker Makefile from the image (#6507)
* Add make version on gitea version (#6485)
* Fix #6468 - Uses space match and adds newline for all sed flavors (#6473)
* Move code.gitea.io/git to code.gitea.io/gitea/modules/git (#6364)
* Update npm dependencies and various tweaks (#7344)
* Fix updated drone file (#7336)
* Add 'npm' and 'npm-update' make targets and lockfile (#7246)
DOCS
* Add work path CLI option (#6922)
* Fix logging documentation (#6904)
* Some logging documentation (#6498)
* Fix link to Hacking on Gitea on From-Source doc page (#6471)
* Fix typos in docs command-line examples (#6466)
* Added docker example for backup (#5846)
Version 1.7.10
Bugfix release
Implementation Changes
- Decode service to utf-8
- Use print() function in both Python2 and Python 3
- Make http.MediaFileUpload close its file descriptor
- Never make 'body' required
Documentation
- Add compatibility check badges to README
- Regenerate docs
- Create index file for dynamically generated docs
- Add docs folder with guides from developers.google.com
Internal / Testing Changes
- Fix http.py, lint errors, unit test
- tox.ini: Look for Python syntax errors and undefined names
Changes:
9.0
---
- Use OpenGraph images for Speed Dial shortcuts
- Better support for Javascript popups
- (Re)store pinned tabs in the session
- Re-introduce the Trust (certificate) button
- Avoid key input recursion causing high CPU
- Close Tab/ Other context menu items
- Paste and Proceed option in the urlbar
- Better urlbar suggestion escaping
- Web extensions: Support for a sidebar action (experimental)
- Merge app and page menu into one
- Better focus handling of re-opened and background tabs
- Show volume icon for tabs playing music
Changes:
3.5.0
=====
Vimb 3.5.0 is out now with following changes.
Added
-----
* Add external download command #543 #348.
* Added ephemeral mode by new option `--incognito` #562.
Changed
-------
* Hinting shows the currently focused element's URI in the statusbar.
* Show error if printing with `:hardcopy` fails #564.
Fixed
-----
* Fixed compilation if source is not in a git repo (Thanks to Patrick Steinhardt).
* Fixed partial hidden hint labels on top of screen.
* Fix segfault on open in new tab from context menu #556.
* Fix "... (null)" shown in title during url sanitization.
Removed
-------
* Setting `private-browsing` was removed in favor of `--incognito` option.
Thanks to the contributors for their work!
Changelog:
Fixed
Fixed missing Full Screen button when watching videos in full
screen mode on HBO GO (bug 1562837)
Fixed a bug causing incorrect messages to appear for some
locales when sites try to request the use of the Storage Access
API (bug 1558503)
Users in Russian regions may have their default search engine
changed (bug 1565315)
Built-in search engines in some locales do not function correctly
(bug 1565779)
Added
Introduces strictFileInteractability capability
Added new endpoint GET /session/{session id}/moz/screenshot/full
Added new --marionette-host <HOSTNAME> flag
Added new endpoint POST /session/{session_id}/window/new
Changed
Allow file uploads to hidden <input type=file> elements
Allow use of an indefinite script timeout for the Set Timeouts
command, thanks to reimu.
Fixed
Corrected Content-Type of response header to utf-8 to fix
an HTTP/1.1 compatibility bug.
Relaxed the deserialization of timeouts parameters to allow unknown
fields for the Set Timeouts command.
Fixed a regression in the Take Element Screenshot to not screenshot
the viewport, but the requested element.
4.8.0:
This release focuses on making it easier to customize Beautiful Soup's
input mechanism (the TreeBuilder) and output mechanism (the Formatter).
* You can customize the TreeBuilder object by passing keyword
arguments into the BeautifulSoup constructor. Those keyword
arguments will be passed along into the TreeBuilder constructor.
The main reason to do this right now is to change which
attributes are treated as multi-valued attributes (the way 'class'
is treated by default). You can do this with the
'multi_valued_attributes' argument.
* The role of Formatter objects has been greatly expanded. The Formatter
class now controls the following:
- The function to call to perform entity substitution. (This was
previously Formatter's only job.)
- Which tags should be treated as containing CDATA and have their
contents exempt from entity substitution.
- The order in which a tag's attributes are output.
- Whether or not to put a '/' inside a void element, e.g. '<br/>' vs '<br>'
All preexisting code should work as before.
* Added a new method to the API, Tag.smooth(), which consolidates
multiple adjacent NavigableString elements.
* &apos; (which is valid in XML, XHTML, and HTML 5, but not HTML 4) is always
recognized as a named entity and converted to a single quote.
2.2.1
Changes:
Fix: tests, support for newer versions of pytest
Fix: tests, disable test with drf dependency for older python versions
2.2.0
Changes:
Fix: removing wrongly released text_tags template
Fix: graph_models, support for Python <3.6
Improvement: ForeignKeySearchInput, wrap media files in static()
Improvement: UniqField, added tests
Improvement: dumpscript, fix orm_item_locator to use dateutil
Improvement: graph_models, added argument to change arrow_shape
Changes:
7.65.2
------
This release includes the following bugfixes:
o CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
o CMake: Convert errant elseif() to else()
o CMake: Fix finding Brotli on case-sensitive file systems
o CURLMOPT_SOCKETFUNCTION.3: clarified
o CURLMOPT_SOCKETFUNCTION.3: fix typo
o CURLOPT_CAINFO.3: polished wording
o CURLOPT_HEADEROPT.3: Fix example
o CURLOPT_RANGE.3: Caution against using it for HTTP PUT
o CURLOPT_SEEKDATA.3: fix variable name
o DEPRECATE: fixup versions and spelling
o bindlocal: detect and avoid IP version mismatches in bind()
o build: fix Codacy warnings
o buildconf.bat: fix header filename
o c-ares: honor port numbers in CURLOPT_DNS_SERVERS
o config-os400: add getpeername and getsockname defines
o configure: --disable-progress-meter
o configure: fix --disable-code-coverage
o configure: fix typo '--disable-http-uath'
o configure: more --disable switches to toggle off individual features
o configure: remove CURL_DISABLE_TLS_SRP
o conn_maxage: move the check to prune_dead_connections()
o curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
o curl_multi_wait.3: escape backslash in example
o docs: Explain behavior change in --tlsv1. options since 7.54
o docs: Fix links to OpenSSL docs
o docs: fix string suggesting HTTP/2 is not the default
o examples/fopen: fix comparison
o examples/htmltitle: use C++ casts between pointer types
o headers: Remove no longer exported functions
o http2: call done_sending on end of upload
o http2: don't call stream-close on already closed streams
o http2: remove CURL_DISABLE_TYPECHECK define
o http: allow overriding timecond with custom header
o http: clarify header buffer size calculation
o krb5: fix compiler warning
o lib: Use UTF-8 encoding in comments
o libcurl-tutorial.3: Fix small typo (mutipart -> multipart)
o libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
o multi: enable multiplexing by default (again)
o multi: fix the transfer hashes in the socket hash entries
o multi: make sure 'data' can present in several sockhash entries
o netrc: Return the correct error code when out of memory
o nss: don't set unused parameter
o nss: inspect returnvalue of token check
o nss: only cache valid CRL entries
o nss: support using libnss on macOS
o openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
o openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
o openssl: fix pubkey/signature algorithm detection in certinfo
o openssl: remove outdated comment
o os400: make vsetopt() non-static as Curl_vsetopt() for os400 support
o quote.d: asterisk prefix works for SFTP as well
o runtests: keep logfiles around by default
o runtests: report single test time + total duration
o smb: Use the correct error code for access denied on file open
o sws: remove unused variables
o system_win32: fix clang warning
o system_win32: fix typo
o test1165: verify that CURL_DISABLE_ symbols are in sync
o test1521: adapt to SLISTPOINT
o test1523: test CURLOPT_LOW_SPEED_LIMIT
o test153: fix content-length to avoid occasional hang
o test188/189: fix Content-Length
o tests: have runtests figure out disabled features
o tests: support non-localhost HOSTIP for dict/smb servers
o tests: update fixed IP for hostip/clientip split
o tool_cb_prg: Fix integer overflow in progress bar
o travis: disable threaded resolver for coverage build
o travis: enable alt-svc for coverage build
o travis: enable brotli for all xenial jobs
o travis: enable libssh2 for coverage build
o travis: enable warnings-as-errors for coverage build
o travis: update scan-build job to xenial
o typecheck: CURLOPT_CONNECT_TO takes an slist too
o typecheck: add 3 missing strings and a callback data pointer
o unit1654: cleanup on memory failure
o unpause: trigger a timeout for event-based transfers
o url: Fix CURLOPT_MAXAGE_CONN time comparison
o win32: make DLL loading a no-op for UWP
o winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG
o winbuild: use WITH_PREFIX if given
o wolfssl: refer to it as wolfSSL only
5.2:
- Site Health
- PHP Error Protection
- Accessibility Updates
- New Dashboard Icons
- Plugin Compatibility Checks
- Privacy Updates
- New Body Hook
- Building JavaScript
5.2.1:
- 47180: An issue typing in the block editor while using a RTL language
has been fixed.
- 47186: A bug causing 32-bit systems to run out of memory when using
sodium_compat was fixed.
- 47189: The "Update your plugins" link in Site Health now links to the
correct page in multisite installs.
- 47185: An issue in wp_delete_file_from_directory() where files were
not deleting on Windows systems has been fixed.
- 47205: A bug was fixed where spaces could not be added in the Classic
Editor after pressing shift+enter.
- 47265: 2 fatal errors on the error protection page when a PHP error
was encountered in a drop-in (such as advanced-cache.php) were fixed.
- 47244: wp_targeted_link_rel() has been improved to prevent instances
where single and double quotation marks were incorrectly staggered.
- 47169: PHP/MySQL minimum version requirement checks now return proper
error codes when requirements are not met in test environments.
- 47177: The backwards compatibility of get_search_form() was improved.
- 47297: The accuracy of the HTTP requests test in Site Health was improved.
- 47229: TinyMCE has been updated to version 4.9.4.
- 47323: Prevents a fatal error that occurs when upgrading to 5.2.1 from
WordPress < 5.2.
- 47304: Fixes a regression that can affect the accuracy of
<lastBuildDate> in feeds.
- 47312: Changes the string used on the About page for 5.2.1 to one that
is already translated.
5.2.2:
- 45094: Dashboard elements don't always have clear focus states, tab order
- 46289: RTL Bug – wrong navigation arrows in media modal
- 46749: Extra border is displaying at bottom of Help section in Firefox
(Responsive : 778 * 841)
- 46881: Site Health: improve the header elements horizontal centering
- 46957: Site Health: Make site health page access be filterable
- 46960: Site Health: Table design issue in small devices (iphone 5/SE).
- 46997: Theme update links show in Customizer and don't work
- 47070: Recovery Mode Exit button not visible in responsive view
- 47158: Merge similar strings introduced in WP 5.2
- 47227: I18n: Merge similar translation strings – site health tabs
- 47475: I18n: Merge similar strings and fix typo
- 47429: Editor: Update packages for WordPress 5.2.2
- 47457: Fix the mediaelements player controls bar sizing
Changelog:
Tomcat 9.0.22 (markt)
Catalina
Fix: Improve parsing of Range request headers. (markt)
Fix: Range headers that specify a range unit Tomcat does not recognise should be ignored rather than triggering a 416 response. Based on a pull request by zhanhb. (markt)
Fix: When comparing a date from a If-Range header, an exact match is required. Based on a pull request by zhanhb. (markt)
Fix: Add an option to the default servlet to disable processing of PUT requests with Content-Range headers as partial PUTs. The default behaviour (processing as partial PUT) is unchanged. Based on a pull request by zhanhb. (markt)
Fix: Improve parsing of Content-Range headers. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
Coyote
Fix: Remove a source of potential deadlocks when using HTTP/2 when the Connector is configured with useAsyncIO as true. (markt)
Fix: 63523: Restore SSLUtilBase methods as protected to preserve compatibility. (remm)
Fix: Fix typo in UTF-32LE charset name. Patch by zhanhb via Github. (fschumacher)
Fix: Once a URI is identified as invalid don't attempt to process it further. Based on a PR by Alex Repert. (markt)
Fix: Fix to avoid the possibility of long poll times for individual pollers when using multiple pollers with APR. (markt)
Fix: Refactor the fix for 63205 so it only applies when using PKCS12 keystores as regressions have been reported with some other keystore types. (markt)
Jasper
Add: Include file names if SMAP processor is unable to delete or rename a class file during SMAP generation. (markt)
Update: Update to the Eclipse JDT compiler 4.12. (markt)
WebSocket
Fix: 63521: As required by the WebSocket specification, if a POJO that is deployed as a result of the SCI scan for annotated POJOs is subsequently deployed via the programmatic API ignore the programmatic deployment. (markt)
Other
Fix: Switch the check for terminal availability to test for stdin as using stdout does not work when output is piped to another process. Patch provided by Radosław Józwik. (markt)
Add: Add user buildable optional modules for easier CDI 2 and JAX-RS support. Also include a new documentation page describing how to use it. (remm)
2019-06-07 Tomcat 9.0.21 (markt)
Catalina
Add: 57287: Add file sorting to DefaultServlet (schultz)
Fix: Fix --no-jmx flag processing, which was called after registry initialization. (remm)
Fix: Ensure that a default request character encoding set on a ServletContext is used when calling ServletRequest#getReader(). (markt)
Fix: Make a best efforts attempt to clean-up if a request fails during processing due to an OutOfMemoryException. (markt)
Fix: Improve the BoM detection for static files handled by the default servlet for the rarely used UTF-32 encodings. Identified by Coverity Scan. (markt)
Fix: Ensure that the default servlet reads the entire global XSLT file if one is defined. Identified by Coverity Scan. (markt)
Fix: Avoid potential NullPointerException when generating an HTTP Allow header. Identified by Coverity Scan. (markt)
Code: Add Context.createInstanceManager() for easier framework integration. (remm)
Code: Add utility org.apache.catalina.core.FrameworkListener to allow replicating adding a Listener to context.xml in a programmatic way. (remm)
Code: Move Container.ADD_CHILD_EVENT to before the child container start, and Container.REMOVE_CHILD_EVENT to before removal of the child from the internal child collection. (remm)
Add: Remove any fragment included in the target path used to obtain a RequestDispatcher. The requested target path is logged as a warning since this is an application error. (markt)
Coyote
Fix: NIO poller seems to create some unwanted concurrency, causing rare CI test failures. Add sync when processing async operation to avoid this. (remm)
Fix: Fix concurrency issue that led to incorrect HTTP/2 connection timeout. (remm/markt)
Fix: Avoid useless exception wrapping in async IO. (remm)
Fix: 63412: Security manager failure when using the async IO API from a webapp. (remm)
Fix: Remove acceptorThreadCount Connector attribute, one accept thread is sufficient. As documented, value 2 was the only other sensible value, but without an impact beyond certain microbenchmarks. (remm)
Fix: Avoid possible NPEs on connector stop. (remm)
Update: Remove pollerThreadCount Connector attribute for NIO, one poller thread is sufficient. (remm)
Add: Add async IO for APR connector for consistency, but disable it by default due to low performance. (remm)
Fix: Avoid blocking write of internal buffer when using async IO. (remm)
Code: Refactor async IO implementation to the SocketWrapperBase. (remm)
Update: Refactor SocketWrapperBase close using an atomic boolean and a doClose method that subclasses will implement, with a guarantee that it will be run only once. (remm)
Fix: Decouple the socket wrapper, which is not recycled, from the NIOx channel after close, and replace it with a dummy static object. (remm)
Fix: Clear buffers on socket wrapper close. (remm)
Fix: NIO2 failed to properly close sockets on connector stop. (remm)
Update: Reduce the default for maxConcurrentStreams on the Http2Protocol from 200 to 100 to align with typical defaults for HTTP/2 implementations. (markt)
Update: Reduce the default HTTP/2 header list size from 4GB to 32kB to align with typical HTTP/2 implementations. (markt)
Add: Add support for same-site cookie attribute. Patch provided by John Kelly. (markt)
Fix: Drop legacy NIO double socket close (close channel, then close socket). (remm)
Fix: Fix HTTP/2 end of stream concurrency with async. (remm)
Fix: Correct a bug in the stream flushing code that could lead to multiple threads processing the stream concurrently which in turn could cause errors processing the stream. (markt)
Cluster
Fix: 62841: Refactor the DeltaRequest serialization to reduce the window during which the DeltaSession is locked and to remove a potential cause of deadlocks during serialization. (markt)
Fix: 63441: Further streamline the processing of session creation messages in the DeltaManager to reduce the possibility of a session update message being processed before the session has been created. (markt)
WebSocket
Add: Expand the explanation of how deprecated TLS configuration attributes are converted to the new TLS configuration style. (markt)
Tribes
Fix: Treat NoRouteToHostException the same way as SocketTimeoutException when checking the health of group membaven packaging. (remm)
Fix: 63403: Fix TestHttp2InitialConnection test failures when running with a non-English locale. (kkolinko)
Fix: Add Graal JreCompat, and use it to disable JMX and URL stream handlers. (remm)
Add: Expand the coverage and quality of the Simplified Chinese translations provided with Apache Tomcat. Includes contributions by 諵. (markt)
Fix: Use the test command to check for terminal availability rather than the tty command since the tty based te
Fix: Fix some edge cases where the docBase was not being set using a canonical path which in turn meant resource URLs were not being constructed as expected. (markt)
Fix: Fix a potential resource leak when executing CGI scripts from a WAR file. Identified by Coverity scan. (markt)
Fix: Fix a potential concurrency issue in the StringCache identified by Coverity scan. (markt)
Fix: Fix a potential concurrency issue in the main Sendfile thread of the APR connector. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when running a web application from a WAR file. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on some exception paths in the DataSourceRealm. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on an exception path when parsing JSP files. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when a JNDI lookup returns an object of an incompatible class. Identified by Coverity scan. (markt)
Code: Refactor ManagerServlet to avoid loading classes when filtering JNDI resources for resources of a specified type. (markt)
Fix: 63324: Refactor the CrawlerSessionManagerValve so that the object placed in the session is compatible with session serialization with mem-cached. Patch provided by Martin Lemanski. (markt)
Add: 63358: Expand the throwOnFailure support in the Connector to include the adding of a Connector to a running Service. (markt)
Add: 63361: Add a new method (Registry.disableRegistry()) that can be used to disable JMX registration of Tomcat components providing it is called before the first component is registered. (markt)
Fix: Avoid OutOfMemoryErrors and ArrayIndexOutOfBoundsExceptions when accessing large files via the default servlet when resource caching has been disabled. (markt)
Fix: Avoid a NullPointerException when a Context is defined in server.xml with a docBase but not the optional path. (markt)
Fix: 63333: Override the isAvailable() method in the JAASRealm so that only login failures caused by invalid credentials trigger account lock out when the LockOutRealm is in use. Patch provided by jchobantonov. (markt)
Fix: Add --no-jmx flag to allow disabling JMX in startup.Tomcat.main. (remm)
Coyote
Fix: The useAsyncIO boolean attribute on the Connector element value now defaults to true. (remm)
Fix: Possible HTTP/2 connection leak issue when using async with NIO. (remm)
Fix: Fix socket close discrepancies for NIO, now the wrapper close is used everywhere except for socket accept problems. (remm)
Fix: Implement poller timeout when using async IO with NIO. (remm)
Fix: Avoid creating and using object caches when they are disabled. (remm)
Fix: When running on newer JREs that don't support SSLv2Hello, don't warn that it is not available unless explicitly configured. (markt)
Fix: Change default value of pollerThreadCount of NIO to 1. (remm)
Fix: Associate BlockPoller thread name with its NIO connector for better readability. (remm)
Fix: The async HTTP/2 frame parser should tolerate concurrency so clearing shared buffers before attempting a read is not possible. (remm)
Update: Update the HTTP/2 connection preface and initial frame reading to be asynchronous instead of blocking IO. (remm)
Code: Refactor Hostname validation to improve performance. Patch provided by Uwe Hees. (markt)
Update: Add additional NIO2 style read and write methods closer to core NIO2, for possible use with an asynchronous workflow like CompletableFuture. (remm)
Fix: Expand HTTP/2 timeout handling to include connection window exhaustion on write. This is the fix for CVE-2019-10072. (markt)
Jasper
Fix: 63359: Ensure that the type conversions used when converting from strings for jsp:setProperty actions are correctly implemented as per section JSP.1.14.2.1 of the JSP 2.3 specification. (markt)
Other
Fix: 63335: Ensure that stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character. (markt)
Fix: 63370: Message files (LocalStrings_*.properties) of the examples webapp not converted to ascii. (woonsan)
Add: Expand the coverage and quality of the French translations provided with Apache Tomcat. (remm)
Add: Expand the coverage and quality of the Japanese translations provided with Apache Tomcat. Includes contributions by motohashi.yuki. (markt)
Add: Expand the coverage and quality of the Czech translations provided with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
Fix: When using the OneLineFormatter, don't print a blank line in the log after printing a stack trace. (markt)
Update: Update the internal fork of Apache Commons FileUpload to 41e4047 (2019-04-24) pick up some enhancements. (markt)
Update: Update the internal fork of Apache Commons DBCP 2 to dcdbc72 (2019-04-24) to pick up some clean-up and enhancements. (markt)
Update: Update the internal fork of Apache Commons Pool 2 to 0664f4d (2019-04-30) to pick up some enhancements and bug fixes. (markt)
2019-04-13 Tomcat 9.0.19 (markt)
Catalina
Fix: Fix wrong JMX registration regression in 9.0.18. (remm)
Coyote
Update: Add vectoring for NIO in the base and SSL channels. (remm)
Add: Add asynchronous IO from NIO2 to the NIO connector, with support for the async IO implementations for HTTP/2 and Websockets. The useAsyncIO boolean attribute on the Connector element allows enabling use of the asynchronous IO API. (remm)
Other
Fix: Ensure that the correct files are included in the source distribution for javacc based parsers depending on whether jjtree is used or not. (markt)
Fix: Ensure that text files in the source distribution have the correct line endings for the target platform. (markt)
not released Tomcat 9.0.18 (markt)
Catalina
Fix: 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader attribute of the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63235: Refactor Charset cache to reduce start time. (markt)
Fix: 63249: Use a consistent log level (WARN) when logging the failure to register or deregister a JMX Bean. (markt)
Fix: 63249: Use a consistent log level (ERROR) when logging the LifecycleException associated with the failure to start or stop a component. (markt)
Fix: When the SSI directive fsize is used with an invalid target, return a file size of - rather than 1k. (markt)
Fix: 63251: Implement a work-around for a known JRE bug (JDK-8194653) that may cause a dead-lock when Tomcat starts. (markt)
Fix: 63275: When using a RequestDispatcher ensure that HttpServletRequest.getContextPath() returns an encoded path in the dispatched request. (markt)
Update: Add optional listeners for Server/Listener, as a slight variant of a standard listener. The difference is that loading is not fatal when it fails. This would allow adding example configuration to the standard server.xml if deemed useful. Storeconfig will not attempt to persist the new listener. (remm)
Fix: 63286: Document the differences in behaviour between the LogFormat directive in httpd and the pattern attribute in the AccessLogValve for %D and %T. (markt)
Fix: 63287: Make logging levels more consistent for similar issues of similar severity. (markt)
Fix: 63311: Add support for https URLs to the local resolver within Tomcat used to resolve standard XML DTDs and schemas when Tomcat is configured to validate XML configuration files such as web.xml. (markt)
Fix: Encode the output of the SSI printenv command. This is the fix for CVE-2019-0221. (markt)
Code: Use constants for SSI encoding values. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the encoded form of the individual command line arguments to those values allowed by RFC 3875. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsEncoded. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the decoded form of the individual command line arguments to known safe values when running on Windows. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for CVE-2019-0232. (markt)
Coyote
Fix: Fix bad interaction between NIO2 async read API and the regular read. (remm)
Fix: Refactor NIO2 write pending strategy for the classic IO API. (remm)
Fix: Restore original maxConnections default for NIO2 as the underlying close issues have been fixed. (remm)
Fix: Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
Fix: When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and instead dropped the connection. (markt)
Fix: Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 that prevented the use of PKCS#8 private keys with OpenSSL based connectors. (markt)
Fix: Fix NIO2 SSL edge cases. (remm)
Fix: When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any query string present in the original HTTP/1.1 request is passed to the HTTP/2 request processing. (markt)
Fix: When Tomcat writes a final response without reading all of an HTTP/2 request, reset the stream to inform the client that the remaining request body is not required. (markt)
Jasper
Add: Add support for specifying Java 11 (with the value 11) as the compiler source and/or compiler target for JSP compilation. (markt)
Add: Add support for specifying Java 12 (with the value 12) and Java 13 (with the value 13) as the compiler source and/or compiler target for JSP compilation. If used with an ECJ version that does not support these values, a warning will be logged and the latest supported version will be used. Based on a patch by Thomas Collignon. (markt)
Web applications
Fix: 63184: Expand the SSI documentation to provide more information on the supported directives and their attributes. Patch provided by nightwatchcyber. (markt)
Add: Add a note to the documentation about the risk of DoS with poorly written regular expressions and the RewriteValve. Patch provided by salgattas. (markt)
jdbc-pool
Fix: Improved maxAge handling. Add support for age check on idle connections. A connection that has expired is reconnected rather than closed. Patch provided by toby1984. (kfujino)
Fix: 63320: Ensure that StatementCache caches statements that include arrays in arguments. (kfujino)
Other
Update: Update to the Eclipse JDT compiler 4.10. (markt)
Add: Expand the coverage and quality of the Spanish translations provided with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta. (markt)
Add: Expand the coverage and quality of the Czech translations provided with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
Add: Expand the coverage and quality of the Chinese translations provided with Apache Tomcat. Includes contributions by winsonzhao and wjt. (markt)
Add: Expand the coverage and quality of the Russian translations provided with Apache Tomcat. (kkolinko)
Add: Expand the coverage and quality of the Japanese translations provided with Apache Tomcat. (kfujino)
Add: Expand the coverage and quality of the Korean translations provided with Apache Tomcat. (woonsan)
Add: Expand the coverage and quality of the German translations provided with Apache Tomcat. (fschumacher)
Add: Expand the coverage and quality of the French translations provided with Apache Tomcat. (remm)
Changelog:
Tomcat 8.5.43 (markt)
Catalina
Update: Modify the Default and WebDAV Servlets so that a 405 status code is returned for PUT and DELETE requests when disabled via the readonly initialisation parameter.
Fix: Align the contents of the Allow header with the response code for the Default and WebDAV Servlets. For any given resource a method that returns a 405 status code will not be listed in the Allow header and a method listed in the Allow header will not return a 405 status code. (markt)
Fix: When using WebDAV to copy a file resource to a destination that requires a collection to be overwritten, ensure that the operation succeeds rather than fails (with a 500 response). This enables Tomcat to pass two additional tests from the Litmus WebDAV test suite. (markt)
Fix: 49464: Improve the Default Servlet's handling of static files when the file encoding is not compatible with the required response encoding. (markt)
Fix: Fix typo in UTF-32LE charset name. Patch by zhanhb via GitHub. (fschumacher)
Add: 58590: Add the ability for a UserDatabase to monitor the backing XML file for changes and reload the source file if a change in the last modified time is detected. This is enabled by default meaning that changes to $CATALINA_BASE/conf/tomcat-users.xml will now take effect a short time after the file is saved. (markt)
Fix: Improve parsing of Range request headers. (markt)
Fix: Range headers that specify a range unit Tomcat does not recognise should be ignored rather than triggering a 416 response. Based on a pull request by zhanhb. (markt)
Fix: When comparing a date from a If-Range header, an exact match is required. Based on a pull request by zhanhb. (markt)
Fix: Add an option to the default servlet to disable processing of PUT requests with Content-Range headers as partial PUTs. The default behaviour (processing as partial PUT) is unchanged. Based on a pull request by zhanhb. (markt)
Fix: Improve parsing of Content-Range headers. (markt)
Fix: Ensure that the HEAD response is consistent with the GET response when HttpServlet is relied upon to generate the HEAD response and the GET response uses chunking. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
Coyote
Fix: Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or later. (markt)
Fix: Once a URI is identified as invalid don't attempt to process it further. Based on a PR by Alex Repert. (markt)
Fix: Fix to avoid the possibility of long poll times for individual pollers when using multiple pollers with APR. (markt)
Fix: Refactor the fix for 63205 so it only applies when using PKCS12 keystores as regressions have been reported with some other keystore types. (markt)
Jasper
Add: Include file names in error messages if SMAP processor is unable to delete or rename a class file during SMAP generation. (markt)
WebSocket
Fix: 63521: As required by the WebSocket specification, if a POJO that is deployed as a result of the SCI scan for annotated POJOs is subsequently deployed via the programmatic API ignore the programmatic deployment. (markt)
Other
Code: Switch i18n message files to use UTF-8 and convert to ASCII at build time. (markt)
Fix: 63523: Restore SSLUtilBase methods as protected to preserve compatibility. (remm)
Fix: Switch the check for terminal availability to test for stdin as using stdout does not work when output is piped to another process. Patch provided by Radosław Józwik. (markt)
2019-06-07 Tomcat 8.5.42 (markt)
Catalina
Add: 57287: Add file sorting to DefaultServlet (schultz)
Fix: Ensure that the default servlet reads the entire global XSLT file if one is defined. Identified by Coverity Scan. (markt)
Fix: Avoid potential NullPointerException when generating an HTTP Allow header. Identified by Coverity Scan. (markt)
Add: Remove any fragment included in the target path used to obtain a RequestDispatcher. The requested target path is logged as a warning since this is an application error. (markt)
Coyote
Update: Add additional NIO2 style read and write methods closer to core NIO2, for possible use with an asynchronous workflow like CompletableFuture. (remm)
Fix: Avoid useless exception wrapping in async IO. (remm)
Fix: 63412: Security manager failure when using the async IO API from a webapp. (remm)
Fix: Fix concurrency issue that led to incorrect HTTP/2 connection timeout. (remm/markt)
Update: Reduce the default for maxConcurrentStreams on the Http2Protocol from 200 to 100 to align with typical defaults for HTTP/2 implementations. (markt)
Update: Reduce the default HTTP/2 header list size from 4GB to 32kB to align with typical HTTP/2 implementations. (markt)
Add: Add support for same-site cookie attribute. Patch provided by John Kelly. (markt)
Fix: Correct a bug in the stream flushing code that could lead to multiple threads processing the stream concurrently which in turn could cause errors processing the stream. (markt)
Cluster
Fix: 62841: Refactor the DeltaRequest serialization to reduce the window during which the DeltaSession is locked and to remove a potential cause of deadlocks during serialization. (markt)
Fix: 63441: Further streamline the processing of session creation messages in the DeltaManager to reduce the possibility of a session update message being processed before the session has been created. (markt)
Tribes
Fix: Treat NoRouteToHostException the same way as SocketTimeoutException when checking the health of group members. This avoids a SEVERE log message every time the check is performed when the host associated with a group member is not powered on. (markt)
Other
Update: Switch from FindBugs to SpotBugs. (fschumacher)and to check for terminal availability rather than the tty command since the tty based test fails on non-English locales. (markt)
2019-05-13 Tomcat 8.5.41 (markt)
Catalina
Fix: Fix a potential resource leak when executing CGI scripts from a WAR fileread of the APR connector. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when running a web application from a WAR file. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on some exception paths in ttified by Coverity scan. (markt)
Fix: Fix a potential resource leak when a JNDI lookup returns an object of an incompatible class. Identified by Coverity scan. (markt)
Code: Refactor ManagerServlet to avoid loading classes when filtering JNDI rescaching has been disabled. (markt)
Fix: Avoid a NullPointerException when a Context is defined in server.xml with a docBase but not the optional path. (markt)
Fix: 63324: Refactor the CrawlerSessionManagerValve so that the object placed in the sesials trigger account lock out when the LockOutRealm is in use. Patch provided by jchobantonov. (markt)
Coyote
Fix: When running on newer JREs that don't support SSLv2Hello, don't warn that it is not available unless explicitly configured. (markt)
Code: Refactor Hostname validation to improve performance. Patch provided by Uwe Hees. (markt)
Fix: Expand HTTP/2 timeout handling to include connection window exhaustion on write. This is the fix for CVE-2019-10072. (markt)
Other
Fix: 63335: Ensure that stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character. (markt)
Fix: When using the OneLineFormatter, don't print a blank line in the log after printing a stack trace. (markt)
Update: Update the internal fork of Apache Commons DBCP 2 to dcdbc72 (2019-04-24) to pick up some clean-up and enhancements less the JDBC 4.2 related changes that require Java 8. (markt)
Update: Update the internal fork of Apache Commons Pool 2 to 0664f4d (2019-04-30) to pick up some enhancements and bug fixes. (markt)
Update: Update the internal fork of Apache Commons FileUpload to 41e4047 (2019-04-24) to pick up some enhancements. (markt)
2019-04-12 Tomcat 8.5.40 (markt)
Catalina
Fix: 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader attribute of the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63235: Refactor Charset cache to reduce start time. (markt)
Fix: 63249: Use a consistent log level (WARN) when logging the failure to register or deregister a JMX Bean. (markt)
Fix: 63249: Use a consistent log level (ERROR) when logging the LifecycleException associated with the failure to start or stop a component. (markt)
Fix: When the SSI directive fsize is used with an invalid target, return a file size of - rather than 1k. (markt)
Fix: 63251: Implement a work-around for a known JRE bug (JDK-8194653) that may cause a dead-lock when Tomcat starts. (markt)
Fix: 63275: When using a RequestDispatcher ensure that HttpServletRequest.getContextPath() returns an encoded path in the dispatched request. (markt)
Fix: 63286: Document the differences in behaviour between the LogFormat directive in httpd and the pattern attribute in the AccessLogValve for %D and %T. (markt)
Fix: 63311: Add support for https URLs to the local resolver within Tomcat used to resolve standard XML DTDs and schemas when Tomcat is configured to validate XML configuration files such as web.xml. (markt)
Fix: Encode the output of the SSI printenv command. This is the fix for CVE-2019-0221. (markt)
Code: Use constants for SSI encoding values. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the encoded form of the individual command line arguments to those values allowed by RFC 3875. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsEncoded. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the decoded form of the individual command line arguments to known safe values when running on Windows. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for CVE-2019-0232. (markt)
Update: Change the default for the enableCmdLineArguments parameter of the CGI servlet from true to false as additional hardening against CVE-2019-0232. (markt)
Coyote
Fix: Fix bad interaction between NIO2 async read API and the regular read. (remm)
Fix: Refactor NIO2 write pending strategy for the classic IO API. (remm)
Fix: Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
Fix: When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and instead dropped the connection. (markt)
Fix: Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 that prevented the use of PKCS#8 private keys with OpenSSL based connectors. (markt)
Fix: When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any query string present in the original HTTP/1.1 request is passed to the HTTP/2 request processing. (markt)
Fix: When Tomcat writes a final response without reading all of an HTTP/2 request, reset the stream to inform the client that the remaining request body is not required. (markt)
Fix: 63312: Correct a regression in the error page handling that prevented error pages from issuing redirects or taking other action that required the response status code to be changed. (markt)
Jasper
Add: Add support for specifying Java 11 (with the value 11) as the compiler source and/or compiler target for JSP compilation. (markt)
Add: Add support for specifying Java 12 (with the value 12) and Java 13 (with the value 13) as the compiler source and/or compiler target for JSP compilation. If used with an ECJ version that does not support these values, a warning will be logged and the latest supported version will be used. Based on a patch by Thomas Collignon. (markt)
WebSocket
Fix: Improve the handling of exceptions during TLS handshakes for the WebSocket client. (markt)
Web applications
Fix: 63184: Expand the SSI documentation to provide more information on the supported directives and their attributes. Patch provided by nightwatchcyber. (markt)
Add: Add a note to the documentation about the risk of DoS with poorly written regular expressions and the RewriteValve. Patch provided by salgattas. (markt)
jdbc-pool
Fix: 63320: Ensure that StatementCache caches statements that include arrays in arguments. (kfujino)
From ng0 via pkgsrc-wip.
Fri Jul 05 2019 22:30:40 MSK
Releasing libmicrohttpd 0.9.65. -EG
Sun Jun 23 2019 21:27:43 MSK
Many fixes and improvements for connection-specific memory pool:
* Added asserts;
* Added testing of reallocation;
* Reallocation code rewritten to avoid extra allocation, when
possible to reuse already allocated memory;
* Large memory pools aligned to system page size;
* Large memory pools on W32 are cleared more securely after use,
optimised usage of system memory.
Better handled connection's memory shortage situations:
* error response could be sent to client even if all buffer space
was used;
* if buffer space become low when receiving, do not allocate last
buffer space and use small receive blocks instead.
Improved sending speed by using all available buffer space for
sending. -EG
Sun Jun 09 2019 20:27:04 MSK
Releasing libmicrohttpd 0.9.64. -EG
Sun Jun 09 2019 20:03:16 MSK
Updated HTTP headers, methods and status codes from registries,
Added scripts to import new headers, methods and status codes from
registries,
Minor doxygen comment fix,
Added missing MSVS project files to tarball.
Reordered includes in microhttpd.h -EG
Mon 03 Jun 2019 11:45:52 PM CEST
Apply MHD_-prefix to hash functions, even if they are not in the
officially exported API. -CG/DB
Sun Jun 02 01:52:11 MSK 2019
Support usage of SOCK_NOSIGPIPE on Solaris 11.4 and NetBSD 7+,
finally avoid SIGPIPE on Solaris. -EG
Sat Jun 01 22:51:50 MSK 2019
Do not report errors if AF_UNIX socket is used on *BSD. -EG
Thu May 30 23:32:09 MSK 2019
Improved detection of 'getsockname()' in configure.
Avoided using 'getsockname()' in code if not detected. -EG
Sun May 26 23:32:49 MSK 2019
Fixed some tests on W32. -EG
Sun May 26 23:05:42 MSK 2019
Better detection of sockaddr member in configure, fixed build on *BSD,
Fixed compiler warnings,
Updated and fixed libcurl tests. -EG
Tue May 21 22:12:43 MSK 2019
Fixed doxygen comments,
Avoid dropping 'const' qualifier in macros,
Fixed some compiler warnings,
Properly support automatic port detections on some platforms,
Added checks for too long TLS parameters strings. -EG
Tue May 21 17:52:48 MSK 2019
Spelling fixes. -EG
Mon May 20 15:39:35 MSK 2019
Compiler warning fixes. -EG/CG
Fixed example for non-64bits platforms. -EG
Wed May 15 23:51:49 MSK 2019
Optimized and improved processing speed by using precalculated and
already calculated lengths of strings. -EG
Wed May 15 14:54:00 MSK 2019
Fixed build from source on GNU Hurd. -EG
Mon May 6 11:58:00 MSK 2019
Updated README and COPYING files. MHD remains LGPLv2.1-licensed. -EG
Fri May 3 20:08:00 MSK 2019
Store connection's keys and values with sizes;
Speedup keys search by comparing key length first;
Added functions for working with keys and values with binary zeros;
Fixed test_postprocessor_amp to fail on problems. -EG
Wed May 1 16:40:00 MSK 2019
Reverted change of MHD_KeyValueIterator, implemented MHD_KeyValueIteratorN
with sizes for connection's key and value to get keys and values
with binary zeros. -EG
Mon 29 Apr 2019 01:26:39 AM BRT
Fixed signed/unsigned comparison in example http_chunked_compression.c. -SC/TR
Sun Apr 21 16:40:00 MSK 2019
Improved compatibility with MSVC compilers;
Fixed MHD compilation by Clang/LLVM in VS;
Used MSVC intrinsics for bit rotations and bytes swap;
Added project files for VS2019. -EG
Fri Apr 19 23:00:00 MSK 2019
Rewritten SHA-256 calculations from scratch to avoid changing LGPL version;
Added usage of GCC/Clang built-ins for bytes swap to significantly improve
speed of MD5 and SHA-256 calculation on platforms with known endianness.
Added test for SHA-256 calculations. -EG
Wed Apr 17 20:52:00 MSK 2019
Refactoring of mhd5.c: optimized, dead code removed;
Faster MD5 calculation on little endian platforms;
Bit manipulations moved to separate header file.
Added tests for MD5 calculations. -EG
Mon 15 Apr 2019 05:33:52 PM CEST
Add MHD_USE_POST_HANDSHAKE_AUTH_SUPPORT and
MHD_USE_INSECURE_TLS_EARLY_DATA flags. -CG
Thu Apr 11 11:37:00 MSK 2019
Fixed MSVC 'Release' builds;
Fixed usage of MSVC's assert. -EG
Wed Apr 10 14:31:00 MSK 2019
Improved shell compatibility for 'bootstrap', removed bash-ism.
Added wrapper script 'autogen.sh'. -EG
Mon 08 Apr 2019 03:06:05 PM CEST
Fix close() checks as suggested by MK on the mailinglist
(#3926). -MK/CG
Wed 20 Mar 2019 10:20:24 AM CET
Adding additional "value_length" argument to MHD_KeyValueIterator
callback to support binary zeros in values. This is done in a
backwards-compatible way, but may require adding a cast to existing
code to avoid a compiler warning. -CG
Sun Feb 10 21:00:37 BRT 2019
Added example for how to compress a chunked HTTP response. -SC
Sun 10 Feb 2019 05:03:44 PM CET
Releasing libmicrohttpd 0.9.63. -CG
Sat 09 Feb 2019 01:51:02 PM CET
Extended test_get to test URI logging and query string parsing
to avoid regression fixed in previous patch in the future. -CG
Thu Feb 7 16:16:12 CET 2019
Preliminary patch for the raw query string issue, to be tested. -CG
Tue Jan 8 02:57:21 BRT 2019
Added minimal example for how to compress HTTP response. -SC
Wed Dec 19 00:06:03 CET 2018
Check for GNUTLS_E_AGAIN instead of GNUTLS_E_INTERRUPTED when
giving up on a TLS connection. -LM/CG
Thu Dec 13 22:48:14 CET 2018
Fix connection timeout logic if in thread-per-connection mode the
working thread takes longer than the timeout to queue the response. -CG
Tue Dec 11 09:58:32 CET 2018
Add logic to avoid VLA arrays with compilers that do not support them. -CG
Sat Dec 8 23:15:53 CET 2018
Fixed missing WSA_FLAG_OVERLAPPED which can cause W32 to block on
socket races when using threadpool. (See very detailed description
of the issue in the libmicrohttpd mailinglist post of today.) -JM
Sat Dec 8 22:53:56 CET 2018
Added test for RFC 7616 and documented new API.
Releasing libmicrohttpd 0.9.62. -CG
Sat Dec 8 17:34:58 CET 2018
Adding support for RFC 7616, experimental, needs
testing and documentation still! -CG
Fri Dec 7 12:37:17 CET 2018
Add option to build MHD without any threads
and MHD_FEATURE_THREADS to test for it. -CG
Thu Dec 6 13:25:08 BRT 2018
Renamed all occurrences from _model(s)_ to _mode(s)_. -SC
Thu Dec 6 12:50:11 BRT 2018
Optimized the function MHD_create_response_from_callback() for
Windows by increasing its internal buffer size and allowed to customize
it via macro MHD_FD_BLOCK_SIZE. -SC
Thu Dec 6 02:11:15 BRT 2018
Referenced the gnutls_load_file() function in the HTTPs examples. -SC
Wed Dec 5 18:08:59 CET 2018
Fix regression causing URLs to be unescaped twice. -CG
Sun Nov 18 13:08:11 CET 2018
Parse arguments with (properly) escaped URLs correctly.
(making things work with recent cURL changes, #5473).
Replace sprintf with snprintf in testcases.
Releasing libmicrohttpd 0.9.61. -CG
Wed Nov 14 14:01:21 CET 2018
Fix build issue with GnuTLS < 3.0. -CG
Mon Nov 12 19:50:43 CET 2018
Fix #5473 (test case failure due to change in libcurl). -eworm
Thu Nov 8 14:53:27 CET 2018
Add MHD_create_response_from_buffer_with_free_callback. -CG
Tue Nov 6 19:43:47 CET 2018
Upgrading to gettext 0.19.8.
Releasing libmicrohttpd 0.9.60. -CG
Thu Nov 1 16:29:59 CET 2018
Enable using epoll() without listen socket. -JB
Sat Oct 20 12:44:16 CEST 2018
In thread-per-connection mode, signal main thread for
thread termination for instant clean-up and application
notification about closed connections. -CG
Tue Oct 16 20:43:41 CEST 2018
Add MHD_RF_HTTP_VERSION_1_0_RESPONSE option to make MHD
act more like an HTTP/1.0 server. -GH
Fri Oct 5 18:44:45 CEST 2018
MHD_add_response_header() now prevents applications from
setting a "Transfer-Encoding" header to values other than
"identity" or "chunked" as other transfer encodings are
not supported by MHD. (Note that usually MHD will pick the
transfer encoding correctly automatically, but applications
can use the header to force a particular behavior.)
Fixing #5411 (never set Content-length if Transfer-Encoding
is given). -CG
Sat Jul 14 11:42:15 CEST 2018
Add MHD_OPTION_GNUTLS_PSK_CRED_HANDLER to allow use of PSK with
TLS connections. -CG/TM
Sat Jul 14 11:03:37 CEST 2018
Integrate patch for checking digest authentication based on
a digest, allowing servers to store passwords only hashed.
Adding new function MHD_digest_auth_check_digest(). -CG/DB
Sat Mar 10 12:15:35 CET 2018
Upgrade to gettext-0.19.8.1. Switching to more canonical
gettext integration. -CG
Fri Mar 2 21:44:24 CET 2018
Ensure MHD_RequestCompletedCallback is always called from
the correct thread (even on shutdown and for upgraded connections). -CG
Tue Feb 27 23:27:02 CET 2018
Ensure MHD_RequestCompletedCallback is also called for
upgraded connections. -CG
Fri Feb 16 03:09:33 CET 2018
Fixing #5278 as suggested by reporter. -CG/texec
Thu Feb 1 10:12:22 CET 2018
Releasing GNU libmicrohttpd 0.9.59. -CG
Thu Feb 1 08:39:50 CET 2018
Fix masking operation. -CG/silvioprog
Mon Jan 29 17:33:54 CET 2018
Fix deadlock when failing to prepare chunked response
(#5260). -CG/ghaderer
Thu Jan 4 12:24:33 CET 2018
Fix __clang_major__ related warnings for non-clang
compilers reported by Tim on the mailinglist. -CG
Mon Dec 11 17:11:00 MSK 2017
Fixed tests on platforms with huge number of CPUs.
Doxygen configuration was updated.
Various doxygen fixes. -EG
Mon Dec 07 21:08:00 MSK 2017
Releasing GNU libmicrohttpd 0.9.58. -EG
Mon Dec 07 16:01:00 MSK 2017
Fixed HTTPS tests on modern platforms. -EG
Mon Dec 04 15:43:00 MSK 2017
Minor documentation installation fixes. -EG
Mon Nov 27 22:58:38 CET 2017
Tolerate AF_UNIX when trying to determine our binding port
from socket. Use `sockaddr_storage` instead of trying to
guess the sockaddr type before calling getsockname(). -CG
Version 1.1.1
The flask.json_available flag was added back for compatibility with some extensions. It will raise a deprecation warning when used, and will be removed in version 2.0.0.
Version 1.1.0
Bump minimum Werkzeug version to >= 0.15.
Drop support for Python 3.4.
Error handlers for InternalServerError or 500 will always be passed an instance of InternalServerError. If they are invoked due to an unhandled exception, that original exception is now available as e.original_exception rather than being passed directly to the handler. The same is true if the handler is for the base HTTPException. This makes error handler behavior more consistent.
Flask.finalize_request() is called for all unhandled exceptions even if there is no 500 error handler.
Flask.logger takes the same name as Flask.name (the value passed as Flask(import_name)). This reverts 1.0’s behavior of always logging to "flask.app", in order to support multiple apps in the same process. A warning will be shown if old configuration is detected that needs to be moved.
flask.RequestContext.copy() includes the current session object in the request context copy. This prevents session pointing to an out-of-date object.
Using built-in RequestContext, unprintable Unicode characters in Host header will result in a HTTP 400 response and not HTTP 500 as previously.
send_file() supports PathLike objects as described in PEP 0519, to support pathlib in Python 3.
send_file() supports BytesIO partial content.
open_resource() accepts the “rt” file mode. This still does the same thing as “r”.
The MethodView.methods attribute set in a base class is used by subclasses.
Flask.jinja_options is a dict instead of an ImmutableDict to allow easier configuration. Changes must still be made before creating the environment.
Flask’s JSONMixin for the request and response wrappers was moved into Werkzeug. Use Werkzeug’s version with Flask-specific support. This bumps the Werkzeug dependency to >= 0.15.
The flask command entry point is simplified to take advantage of Werkzeug 0.15’s better reloader support. This bumps the Werkzeug dependency to >= 0.15.
Support static_url_path that ends with a forward slash.
Support empty static_folder without requiring setting an empty static_url_path as well.
jsonify() supports dataclasses.dataclass objects.
Allow customizing the Flask.url_map_class used for routing.
The development server port can be set to 0, which tells the OS to pick an available port.
The return value from cli.load_dotenv() is more consistent with the documentation. It will return False if python-dotenv is not installed, or if the given path isn’t a file.
Signaling support has a stub for the connect_via method when the Blinker library is not installed.
Add an --extra-files option to the flask run CLI command to specify extra files that will trigger the reloader on change.
Allow returning a dictionary from a view function. Similar to how returning a string will produce a text/html response, returning a dict will call jsonify to produce an application/json response.
Blueprints have a cli Click group like app.cli. CLI commands registered with a blueprint will be available as a group under the flask command.
When using the test client as a context manager (with client:), all preserved request contexts are popped when the block exits, ensuring nested contexts are cleaned up correctly.
Show a better error message when the view return type is not supported.
flask.testing.make_test_environ_builder() has been deprecated in favour of a new class flask.testing.EnvironBuilder.
The flask run command no longer fails if Python is not built with SSL support. Using the --cert option will show an appropriate error message.
URL matching now occurs after the request context is pushed, rather than when it’s created. This allows custom URL converters to access the app and request contexts, such as to query a database for an id.
Changelog:
16.0.3
Changes
Do not fail hard on new user mail error (server#16189)
Fix redirect after rescanFailedIntegrityCheck to "Overview" page (server#16244)
Fix permissions for drag-n-drop uploads (server#16249)
Try to delete the cypress folder of the viewer app (server#16297)
Send browser notifications again (notifications#373)
16.0.2
Changes
Update ca bundle (server#15553)
Update ca bundle checker (server#15554)
User management/subadmin: rephrase ambiguous error message (server#15575)
Update shipped.json to include privacy and recommendations (server#15592)
Show supported apps in app management (server#15593)
Update CRL due to revoked cookbook.crt (server#15628)
Only show sharing section if it has content (server#15649)
Remove quota feedback if no link set (server#15666)
Allow redis cluster to use password (server#15686)
Don't run repair step for every individual user, outsource that to background job (server#15718)
Check the actual status code for 204 and 304 (server#15724)
[Security] Bump tar from 2.2.1 to 2.2.2 (server#15728)
Don't notify admins if no potentially over exposing links found (server#15745)
Also allow dragging below the file list (server#15754)
Change text color in search box in darktheme, ref #15598 (server#15768)
Check for free space on touch (server#15772)
Search files by id in shared storages last (server#15799)
Hide newFile menu if quota is set to 0B (server#15856)
Add core/js/dist/ to l10nignore (server#15948)
Add LDAP integr. test for receiving share candidates with group limitation (server#15984)
Remove auto focus of share input field on dialog open, fix #15261 (server#16010)
(LDAP) API: return one base properly when multiple are configured (server#16015)
Handle storage exceptions when trying to set mtime (server#16038)
Fix LDAP Wizard forgetting groups on select with search (server#16051)
Revert "Fix userid casting in notifications" (server#16068)
Fix appid argument for integrity:check-app (server#16080)
Fix full text search for groupfolders (server#16082)
Fall back to black for non-color values (server#16089)
Check if uploading to lookup server is enabled before verifying (server#16091)
Allow apps to store longer messages in the comments API (server#16105)
Invalidates user when plugin reported deletion success (server#16112)
Fix download link included in public share page with hidden download (server#16125)
Better check reshare permissions (server#16127)
Verify that paths are valid for recursive local move (server#16128)
Don't allow to disable encryption via the API (server#16133)
Do not show an internet connectivity warning if internet access is dis… (server#16146)
Update Nextcloud version in docs link (server#16157)
Allow apps to overwrite the maximum length when reading from database (server#16177)
RefreshWebcalJob: replace ugly Regex with standard php utils (server#16201)
Better check reshare permissions part2 (server#16211)
Fix "unshare group share from self" activity (activity#380)
Fix load of character maps (files_pdfviewer#141)
[Security] Bump axios from 0.18.0 to 0.18.1 (firstrunwizard#192)
Correctly show errors when setting the password (gallery#529)
Blacklist using .noimage (gallery#533)
Update dependabot deps in stable16 (notifications#359)
Increase size of icon bubble for more visibility (notifications#368)
Add app description to readme and appinfo (privacy#133)
Catch and filter share that can't be found (recommendations#79)
[Security] Bump axios from 0.18.0 to 0.18.1 (recommendations#92)
[Security] Bump tar from 2.2.1 to 2.2.2 (viewer#113)
[Security] Bump axios from 0.18.0 to 0.19.0 (viewer#117)
Changelog:
New
Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars.
Improved extension security and discovery:
New reporting feature in about:addons allows you to report security and performance issues with extensions and themes.
Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension.
Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. "Recommended" badges for these extensions also appear on AMO. More extensions will be added over time.
Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences.
WebRender will roll out to Windows 10 users with AMD graphics cards.
Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed.
Fixed
Various security fixes
Local files can no longer access other files in the same directory.
Security fixes:
#CVE-2019-9811: Sandbox escape via installation of malicious language pack
#CVE-2019-11711: Script injection within domain through inner window reuse
#CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
#CVE-2019-11713: Use-after-free with HTTP/2 cached stream
#CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread
#CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault
#CVE-2019-11715: HTML parsing error can contribute to content XSS
#CVE-2019-11716: globalThis not enumerable until accessed
#CVE-2019-11717: Caret character improperly escaped in origins
#CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML
#CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
#CVE-2019-11720: Character encoding XSS vulnerability
#CVE-2019-11721: Domain spoofing through unicode latin 'kra' character
#CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin
#CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries
#CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions
#CVE-2019-11725: Websocket resources bypass safebrowsing protections
#CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3
#CVE-2019-11728: Port scanning through Alt-Svc header
#CVE-2019-11710: Memory safety bugs fixed in Firefox 68
#CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
19.7.1
fix: implement client side payload exceed max size; improve max size exceeded handling
fix: detect when our transport is "already" closed at connect time
fix: XBR examples
3.1.3:
* async_timeout has been removed as a dependency, so there are now no required
dependencies.
* The WSGI adapter now sets REMOTE_ADDR from the ASGI client.
1.9.2
- **FIX**: Shortcut last descendant calculation if possible for performance.
- **FIX**: Fix issue where `Doctype` strings can be mistaken for a normal text node in some cases.
- **FIX**: A top level tag is not a `:root` tag if it has sibling text nodes or tag nodes. This is an issue that mostly manifests when using `html.parser` as the parser will allow multiple root nodes.
1.3.0:
Deprecations
- The send_bytes adjustment now defaults to 1 and is deprecated
pending removal in a future release.
Features
- Add a new outbuf_high_watermark adjustment which is used to apply
backpressure on the app_iter to avoid letting it spin faster than data
can be written to the socket. This stabilizes responses that iterate quickly
with a lot of data.
- Stop early and close the app_iter when attempting to write to a closed
socket due to a client disconnect. This should notify a long-lived streaming
response when a client hangs up.
- Adjust the flush to output SO_SNDBUF bytes instead of whatever was
set in the send_bytes adjustment. send_bytes now only controls how
much waitress will buffer internally before flushing to the kernel, whereas
previously it used to also throttle how much data was sent to the kernel.
This change enables a streaming app_iter containing small chunks to
still be flushed efficiently.
Bugfixes
- Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will
no longer set the version to the string value "None". See
- When a client closes a socket unexpectedly there was potential for memory
leaks in which data was written to the buffers after they were closed,
causing them to reopen.
- Fix the queue depth warnings to only show when all threads are busy.
- Trigger the app_iter to close as part of shutdown. This will only be
noticeable for users of the internal server api. In more typical operations
the server will die before benefiting from these changes.
- Fix a bug in which a streaming app_iter may never cleanup data that has
already been sent. This would cause buffers in waitress to grow without
bounds. These buffers now properly rotate and release their data.
- Fix a bug in which non-seekable subclasses of io.IOBase would trigger
an exception when passed to the wsgi.file_wrapper callback.
Version 4.6.7:
Bugs Fixed
Fix Windows build errors due to Python 3.7+ not providing empty function stubs for PyOS_AfterFork_Child() and PyOS_AfterFork_Parent().
Version 4.6.6:
Bugs Fixed
Fix compilation failures when using Python 3.8.
Features Changed
When running mod_wsgi-express it will do a search for the location of bash and sh when defining the shell to use for the generated apachectl. The shell used can be overridden using --shell-executable option. This is to get around issue with FreeBSD not having /bin/bash.
New Features
The Apache request ID is accessible in request events as request_id.
The per request data dictionary accessible using mod_wsgi.request_data() is now also accessible in events as request_data.
- (security) Prevent execution of XSS on rich text,
- (security) Prevent xss attack on user picture,
- Fix performance issues when using entities,
- New "Prevent take into account" action on tickets business rules,
- New "Status" criterion on tickets business rules,
- Change and problem tasks can now be marked as private,
The full changelog is available under
<https://github.com/glpi-project/glpi/milestone/36?closed=1>
pkgsrc changes:
- Remove not needed dependency to gnutls and add missing dependency to
libtasn1 (previously indirectly picked up via gnutls)
- Remove patch-Source_WebCore_platform_graphics_gstreamer_MediaPlayerPrivateGStreamerBase.cpp,
fix is now present in 2.24.3.
- Remove a no more needed hunk in
patch-Source_JavaScriptCore_assembler_ARM64Assembler.h.
Changes:
2.24.3
======
- Deprecate WebSQL APIs.
- Make Previous/Next gesture work in RTL mode.
- Fix content disappearing when using CSS transforms.
- Fix rendering artifacts in youtube volume button.
- Fix trapezoid artifact in github comment box.
- Fix video pause that sometimes caused to skip to finish.
- Fix volume level changes when playing a video.
- Fix HLS streams being slow to start.
- Fix some radio streams that could not be played.
- Fix the build with older versions of GStreamer.
- Fix the build with video and audio disabled.
- Fix several crashes and rendering issues.
- Translation updates: Brazilian Portuguese.
Django 2.2.3
Fix CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Fixed a regression in Django 2.2 where Avg, StdDev, and Variance crash with filter argument
Fixed a regression in Django 2.2.2 where auto-reloader crashes with AttributeError, e.g. when using ipdb
Cohttp is an OCaml library for creating HTTP daemons. It has a portable
HTTP parser, and implementations using various asynchronous programming
libraries. It's needed as a dependency for some ocaml-git options.
It's unmaintained by upstream for most of this decade (even then, this
is an old version), and broken in bulk builds since at least last year.
Discussed on pkgsrc-users@.
Upstream changelog:
MediaWiki 1.32.2
This is a security and maintenance release of the MediaWiki 1.32 branch.
Changes since MediaWiki 1.32.1
(T204423) Backport support for hyphenated DB names in JobQueueGroup.
(T216968) Return pageid as int in both list=iwbacklinks and list=langbacklinks.
(T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL.
(T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags.
(T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when $wgBlockDisablesLogin is true.
(T216029) Chrome redirects to Special:BadTitle after editing a section with a non-Latin name on a page with non-Latin characters in title.
Unbreak language related maintenance scripts that use StaticArrayWriter.
(T219728) Added support for new Japanese era name "Reiwa".
(T25227) SECURITY: action=logout now requires to be posted and have a csrf token.
Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
(T221045) Remove orphaned code from ConfigRepository.
(T222385) resourceloader: Use AND instead of OR for upsert conds in saveFileDependencies().
(T224374) Fix message parameters so that the message that says SQLite is out of date makes sense.
(T200471) Prevent LBFactorySimple breaking ExternalStorage, when trying to connect to external server with local database name.
(T197279) SECURITY: Fix reauth in Special:ChangeEmail.
(T208881) SECURITY: blacklist CSS var().
(T209794) SECURITY: rate-limit and prevent blocked users from changing email.
(T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
(T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
(T222036, T222038) SECURITY: Add permission check for user is permitted to view the log type.
(T221739) SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358.
stagit generates HTML pages for a Git repository, and supports the following
features:
- Log of all commits from HEAD.
- Log and diffstat per commit.
- Show file tree with linkable line numbers.
- Show references: local branches and tags.
- Detect README and LICENSE file from HEAD and link it as a webpage.
- Detect submodules (.gitmodules file) from HEAD and link it as a webpage.
- Atom feed log (atom.xml).
- Make index page for multiple repositories with stagit-index.
- After generating the pages (relatively slow) serving the files is very fast,
simple and requires little resources (because the content is static), only
a HTTP file server is required.
- Usable with text-browsers such as dillo, links, lynx and w3m.
OK kamil@, leot@
Bugfixes
Always set userID on LFS authentication (#7224) (Part of #6993)
Fix LFS Locks over SSH (#6999) (#7223)
Fix duplicated file on pull request conflicted files (#7211) (#7214)
Detect noreply email address as user (#7133) (#7195)
Don't get milestone from DB if ID is zero (#7169) (#7174)
Allow archived repos to be (un)starred and (un)watched (#7163) (#7168)
Fix GCArgs load from ini (#7156) (#7157)
Fix possible mysql invalid connection error (#7051) (#7071)
Handle invalid administrator username on install page (#7060) (#7063)
Fix default for allowing new organization creation for new users (#7017) (#7034)
SearchRepositoryByName improvements and unification (#6897) (#7002)
Fix u2f registrationlist ToRegistrations() method (#6980) (#6982)
Allow collaborators to view repo owned by private org (#6965) (#6968)
Use AppURL for Oauth user link (#6894) (#6925)
Escape the commit message on issues update (#6901) (#6902)
Fix regression for API users search (#6882) (#6885)
Handle early git version's lack of get-url (#7065) (#7076)
Fix wrong init dependency on markup extensions (#7038) (#7074)
2.1.9
Changes:
- Fix: show_urls, fix for traceback on multi language sites
- Improvement: reset_db, fix typos in help test
2.1.8
Changes:
- New: HexValidator, validate hex strings
- Improvement: reset_db, move settings to `django_settings.settings` which makes it easier to override.
- Improvement: AutoSlugField, extend support for custom slugify function
- Fix: runprofileserver, fix autoreloader for newer Django versions
Flask-JWT-Extended not only adds support for using JSON Web Tokens (JWT) to
Flask for protecting views, but also many helpful (and optional) features built
in to make working with JSON Web Tokens easier. These include:
* Support for adding custom claims to JSON Web Tokens
* Custom claims validation on received tokens
* Creating tokens from complex objects or complex object from received tokens
* Refresh tokens
* Token freshness and separate view decorators to only allow fresh tokens
* Token revoking/blacklisting
* Storing tokens in cookies and CSRF protection
Flask API is a drop-in replacement for Flask that provides an implementation of
browsable APIs similar to what Django REST framework provides. It gives you
properly content negotiated-responses and smart request parsing.
3.6.1:
travis: add gcc-8 to CI
[build] enable concurrent compilation
Remove the link to ast_factory.hpp from Visual C++ project files
[build] add support of Visual Studio 2017 and 2019 to the Visual C++ project file
Makefile: Fix STATIC_LIBSTDCPP support
Remove abspath from native Makefile
Read files using for better portability
Add comparison operators for SharedImpl, fix bugs
VS2013 noexcept workaround
5.5.0:
New Features
- IPyWidget Support
- A new ClearMetadata Preprocessor is available
- Support for pandoc 2
- New, and better, latex template
Fixing Problems
- Refactored execute preprocessor to have a process_message function
- Fixed OOM kernel failures hanging
- Fixed latex export for svg data in python 3
- Enabled configuration to be shared to exporters from script exporter
- Make latex errors less verbose
- Typo in template syntax
- Improved attachments +fix supporting non-unique names
- PDFExporter "output_mimetype" traitlet is no longer 'text/latex'
- FIX: respect wait for clear_output
- address deprecation warning in cgi.escape
- Correct inaccurate description of available LaTeX template
- Fixed kernel death detection for executions with timeouts
- Fixed export names for various templates
Deprecations
- Dropped support for python 3.4
- Removed deprecated export_by_name
Testing, Docs, and Builds
- Added tests for each branch in execute's run_cell method
- Mention formats in --to options more clearly
- Adds ascii output type to command line docs page, mention image folder output
- Simplify setup.py
- Use utf-8 encoding in execute_api example
- Upgrade pytest on Travis
- Fix LaTeX base template name in docs
- Updated release instructions based on 5.4 release walk-through
- Fixed broken link to jinja docs
This replaces the OSS backend with something that passes the unit tests,
supports additional channels, and supports recording. It will be included
with future versions of Firefox.
Tested with:
* YouTube audio-video sync test
* about:support device detection
* WebRTC microphone recording (using an USB microphone)
Note: you can select an audio backend using the about:config variable
media.cubeb.backend. This can be set to options such as sun/pulse/oss.
Let me know if you still need to use the oss backend. It's very
incomplete, buggy, and FreeBSD has already removed it - ideally we
should eventually.
Bump PKGREVISION.
This replaces the OSS backend with something that passes the unit tests,
supports additional channels, and supports recording. It will be included
with future versions of Firefox.
Tested with:
* YouTube audio-video sync test
* about:support device detection
* WebRTC microphone recording (using an USB microphone)
While here, fix WebRTC builds.
Note: you can select an audio backend using the about:config variable
media.cubeb.backend. This can be set to options such as sun/pulse/oss.
Let me know if you still need to use the oss backend. It's very
incomplete, buggy, and FreeBSD has already removed it - ideally we
should eventually.
Bump PKGREVISION.
cubeb_sun replaces cubeb_oss, adding support for additional channels
on NetBSD, passing tests, and recording support (more useful on firefox
where WebRTC works)
upstream's official builds use gtk3 over gtk2 and doing so enables
support for hidpi displays.
me and several others have been using this for the past ~week, see
https://github.com/kinetiknz/cubeb/pull/510
bump PKGREVISION.
v1.39.1:
nghttpx
This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend.
v1.39.0:
lib
libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.
third-party
mruby has been upgraded to 2.0.1.
asio
libnghttp2-asio now supports boost-1.70.
src
http-parser has been replaced with llhttp.
nghttpx
nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.
This release fixes the bug that the log level does not change to the default value on configuration reload if log-level option is missing in new configuration.
Changelog:
Fixed
Fix JavaScript error ("TypeError: data is null in PrivacyFilter.jsm")
in console which may significantly degrade sessionstore
reliability and performance (bug 1553413)
Proxy authentication dialog box repeatedly pops up asking to
authenticate after upgrading to Firefox 67 (bug 1548804)
Pearson MyCloud breaks if FIDO U2F is not Chrome's implementation
(bug 1551282)
Starting in safe mode on Linux or macOS causes Firefox to think
on the subsequent launch that the profile is too recent to be
used with this version of Firefox (bug 1556612)
Linux distribution users can't easily install/use additional/different
languages using the built-in preferences UI (bug 1554744)
Developer tools users can't copy the href/src content from
various HTML tags via the context menu in the Inspector markup
view (bug 1552275)
Custom home page is broken with clearing data on shutdown
settings applied (bug 1554167)
Performance-regression for eclipse RAP based applications (bug
1555962)
macOS 10.15 crash fix (bug 1556076)
Can't start two downloads in parallel via <a download> anymore
(bug 1542912)
o extend timeout facility to ssl and stop servers hanging forever
if the client never sends anything. reported by Steffen in netbsd
PR#50655.
o don't display special files in the directory index. they aren't
served, but links to them are generated.
o fix CGI '+' parameter handling, some error checking, and a double
free. from rajeev_v_pillai@yahoo.com
o more directory indexing clean up. from rajeev_v_pillai@yahoo.com
upgrade notes from 1.0 to 1.2.x:
Obsolete Plugins
Trac has added functionality equivalent to the following plugins:
AdminEnumListPlugin
DateFieldPlugin: see the time custom field type
GroupBasedRedirectionPlugin: the default handler can be set as a user preference.
LinenoMacro: see WikiProcessors#AvailableProcessors
NeverNotifyUpdaterPlugin: see notification subscribers
QueryUiAssistPlugin: see TracQuery#Filters.
TicketCreationStatusPlugin: see #NewWorkflowActions
The plugins should be removed when upgrading Trac to 1.2.
New workflow actions
The ticket creation step is controlled with a workflow action. The default workflow has create and create_and_assign actions. The create action will always be added when upgrading the database. The create_and_assign action will be added if the workflow has an assigned state. You may want to edit your workflow after upgrading the database to customize the actions available on the New Ticket page.
New permissions policy for read-only wiki pages
Since 1.1.2 the read-only attribute of wiki pages is enabled and enforced only when ReadonlyWikiPolicy is in the list of active permission policies. If [trac] permission_policies has the default value DefaultPermissionPolicy, LegacyAttachmentPolicy, then ReadonlyWikiPolicy should be automatically appended to the list when upgrading the environment:
[trac]
permission_policies = ReadonlyWikiPolicy,
 DefaultPermissionPolicy,
 LegacyAttachmentPolicy
If other permission policies are enabled, trac.ini will need to have ReadonlyWikiPolicy appended to the list of active permission_policies. See TracFineGrainedPermissions#ReadonlyWikiPolicy for additional details on the proper ordering.
0.10.1:
Enhancements:
Add support for Python wheels
Fixes:
Switch imports from deprecated flask.ext.* to flask_* syntax
0.10.0:
Enhancements:
Added new "Routes" panel displaying URL routing rules
"Versions" panel displays versions of all installed packages
SQLAlchemy displays necessary setup steps to set up query recording
Support reformatting SQL queries if sqlparse library is available
Enable sorting SQLAlchemy queries
Support inserting toolbar on HTML5 pages without </body> tag
Log a warning if unable to insert the toolbar
Fixes:
Ensure numeric sorting of profiler "Calls" column
3.0.8:
DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
The mod_brotli module provides the BROTLI_COMPRESS output filter that
allows output from your server to be compressed using the brotli
compression format before being sent to the client over the network.
Upstream changes:
6.04 2019-04-02 13:09:45Z
- Remove circular dependency on LWP::RobotUA introduced in 6.02 (GH#29)
(Olaf Alders)
6.03 2019-04-01 20:56:38Z
- Remove circular dependency with LWP::UserAgent introduced in 6.02 (GH#27)
(Olaf Alders)
6.02 2019-04-01 16:03:37Z
- Added a .mailmap to properly keep up with contributors to the dist.
- Revised the changelog to follow current format styles
- Change port number in test (GH#5) (Perlover)
Changes since 1.26.5:
Cliqz Browser release 1.27.0 includes all changes of Firefox's latest version
67.0. A "What's new" page informs you about important new features and you can
now easily check add-on permissions.
New features
* Annoying auto-play content is now by default turned off
* By default any new extension you add to Cliqz won't run in Forget mode
unless you specifically allow it
* Cliqz is now also available for enterprise environment
* Added the possibility to Manage Extension Shortcuts from the settings on
“Manage your extensions” page
Improvements
* Cliqz got updated to Firefox 67.0 with various improvements and fixes
* To make sure you are even more protected, we added certificate checking for
System Addons folder (which is distributed with the browser) to prevent
potential malicious attacks
Fixes
* We fixed the issue with lost German translation on About:preferences#privacy
page
* You can now import all your data from Chrome to Cliqz with ease (if you wish,
also cookies)
Changes with nginx 1.17.0:
*) Feature: variables support in the "limit_rate" and "limit_rate_after"
directives.
*) Feature: variables support in the "proxy_upload_rate" and
"proxy_download_rate" directives in the stream module.
*) Change: minimum supported OpenSSL version is 0.9.8.
*) Change: now the postpone filter is always built.
*) Bugfix: the "include" directive did not work inside the "if" and
"limit_except" blocks.
*) Bugfix: in byte ranges processing.
6.2.2:
Features / Enhancements
Security: Prevent CSV formula injection attack when exporting data.
Bug Fixes
CloudWatch: Fixes error when hiding/disabling queries.
Database: Fixed slow permission query in folder/dashboard search.
Explore: Fixed updating time range before running queries.
Plugins: Fixed plugin config page navigation when using subpath.
6.2.1:
Features / Enhancements
CLI: Add command to migrate all datasources to use encrypted password fields.
Gauge/BarGauge: Improvements to auto value font size.
Bug Fixes
Auth Proxy: Resolve database is locked errors.
Database: Retry transaction if sqlite returns database is locked error.
Explore: Fixes so clicking in a Prometheus Table the query is filtered by clicked value.
Singlestat: Fixes issue with value placement and line wraps.
Tech: Update jQuery to 3.4.1 to fix issue on iOS 10 based browsers as well as Chrome 53.x.
6.2.0:
Bug Fixes
BarGauge: Fix for negative min values.
Gauge/BarGauge: Fix for issues editing min & max options.
Search: Make only folder name only open search with current folder filter.
AzureMonitor: Revert to clearing chained dropdowns.
Breaking Changes
Plugins: Data source plugins that process hidden queries need to add a “hiddenQueries: true” attribute in plugin.json.
Changes:
7.65.1
------
This release includes the following bugfixes:
o CURLOPT_LOW_SPEED_* repaired
o NTLM: reset proxy "multipass" state when CONNECT request is done
o PolarSSL: deprecate support step 1. Removed from configure
o appveyor: add Visual Studio solution build
o cmake: check for if_nametoindex()
o cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
o config-win32: add support for if_nametoindex and getsockname
o conncache: Remove the DEBUGASSERT on length check
o conncache: make "bundles" per host name when doing proxy tunnels
o curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
o curl_share_setopt.3: improve wording
o dump-header.d: spell out that no headers == empty file
o example/http2-download: fix format specifier
o examples: cleanups and compiler warning fixes
o http2: Stop drain from being permanently set
o http: don't parse body-related headers in bodyless responses
o md4: build correctly with openssl without MD4
o md4: include the mbedtls config.h to get the MD4 info
o multi: track users of a socket better
o nss: allow to specify TLS 1.3 ciphers if supported by NSS
o parse_proxy: make sure portptr is initialized
o parse_proxy: use the IPv6 zone id if given
o sectransp: handle errSSLPeerAuthCompleted from SSLRead()
o singlesocket: use separate variable for inner loop
o ssl: Update outdated "openssl-only" comments for supported backends
o tests: add HAProxy keywords
o tests: add support to test against OpenSSH for Windows
o tests: make test 1420 and 1406 work with rtsp-disabled libcurl
o tls13-docs: mention it is only for OpenSSL >= 1.1.1
o tool_parse_cfg: Avoid 2 fopen() for WIN32
o tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
o url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
o url: fix bad feature-disable #ifdef
o url: use correct port in ConnectionExists()
o winbuild: Use two space indentation
Changelog:
In this version, Firefox helps you get better acquainted with our
family of products and services through a new experience that
includes a set of web pages and in-browser notifications. All
Firefox products and services have powerful privacy protection
built in; joining Firefox provides users with additional features
and capabilities. These experiences will highlight these benefits.
The new experience will roll out for English (en-US, en-GB, en-CA),
French (fr) and German (de) browser users today, expanding to other
languages in the coming weeks.
With the new experience, there will be an opportunity for users
to opt in for test-driving upcoming products during registration.
For new users, this release will come with Enhanced Tracking
Protection (ETP), stronger privacy protections on by default as
“Standard” in the Privacy & Security setting. Firefox Enhanced
Tracking Protection will now automatically block third-party tracking
cookies that appear on the Disconnect list. Firefox will continue
to block third-party tracking loads in private windows, as it has
done since version 42.
For existing users, while ETP will be rolling out by default
in the coming months, you can turn this feature on today under
Preferences, select Privacy & Security to select the Custom
menu, and under the Content Blocking section, mark the Cookies
checkbox and choose “Third-party trackers” in the Cookies pull
down menu.
3.5.0:
Features
* Run tests in the same order as Django
* Use verbosity=0 with disabled migrations
Bugfixes
* django_db_setup: warn instead of crash with teardown errors
Misc
* tests: fix test_sqlite_database_renamed
* tests/conftest.py: move import of db_helpers
* Cleanup/improve coverage, mainly with tests
* Slightly revisit unittest handling
2.2.2:
CVE-2019-12308: AdminURLFieldWidget XSS
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
2.2.1:
Bugfixes
Fixed a regression in Django 2.1 that caused the incorrect quoting of database user password when using dbshell on Oracle
Added compatibility for psycopg2 2.8
Fixed a regression in Django 2.2 that caused a crash when loading the template for the technical 500 debug page
Fixed crash of ordering argument in ArrayAgg and StringAgg when it contains an expression with params
Fixed a regression in Django 2.2 that caused a single instance fast-delete to not set the primary key to None
Prevented makemigrations from generating infinite migrations for check constraints and partial indexes when condition contains a range object
Reverted an optimization in Django 2.2
Fixed a regression in Django 2.2 where Paginator crashes if object_list is a queryset ordered or aggregated over a nested JSONField key transform
Fixed a regression in Django 2.2 where IntegerField validation of database limits crashes if limit_value attribute in a custom validator is callable
Fixed a regression in Django 2.2 where SearchVector generates SQL that is not indexable
Fixed a regression in Django 2.2 that caused an exception to be raised when a custom error handler could not be imported
Relaxed the system check added in Django 2.2 for the admin app’s dependencies to reallow use of SessionMiddleware subclasses, rather than requiring django.contrib.sessions to be in INSTALLED_APPS
Increased the default timeout when using Watchman to 5 seconds to prevent falling back to StatReloader on larger projects and made it customizable via the DJANGO_WATCHMAN_TIMEOUT environment variable
Fixed a regression in Django 2.2 that caused a crash when migrating permissions for proxy models if the target permissions already existed. For example, when a permission had been created manually or a model had been migrated from concrete to proxy
Fixed a regression in Django 2.2 that caused a crash of runserver when URLConf modules raised exceptions
Fixed a regression in Django 2.2 where changes were not reliably detected by auto-reloader when using StatReloader
Fixed a migration crash on Oracle and PostgreSQL when adding a check constraint with a contains, startswith, or endswith lookup (or their case-insensitive variant)
Fixed a migration crash on Oracle and SQLite when adding a check constraint with condition contains | (OR) operator
Django 2.2.2 release notes
Django 2.2 release notes
2.2:
This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019.
As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:
* HttpRequest.headers to allow simple access to a request’s headers.
* Database-level constraints on models.
* Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.
Django 1.11.21 release notes
CVE-2019-12308: AdminURLFieldWidget XSS
The clickable “Current URL” link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides.
HTML::Template::Compiled is a template system which can be used for HTML::Template
templates with almost the same API. It offers more flexible template delimiters,
additional tags and features, and by compiling the template into perl code it can
run significantly faster in persistent environments such as FastCGI or mod_perl.
The goal is to offer more features for flexibility but keep the basic syntax
as easy as it is.
configure.log from bulkbuild shows following:
| ERROR: nasm 2.13 or greater is required for AV1 support. Either install nasm or add --disable-av1 to your configure options.
| *** Error code 1
v0.9.0:
Bug fixes:
* Allow a broader range of characters in header values. This violates
the RFC, but is apparently required for compatibility with
real-world code, like Google Analytics cookies
* Validate incoming and outgoing request paths for invalid
characters. This prevents a variety of potential security issues
that have affected other HTTP clients.
* Force status codes to be integers, thereby allowing stdlib
HTTPStatus IntEnums to be used when constructing responses
Other changes:
* Make all sentinel values inspectable by IDEs, and split
SEND_BODY_DONE into SEND_BODY, and DONE
* Drop support for Python 3.3.
* LocalProtocolError raised in start_next_cycle now shows states for
more informative errors
19.0.0
A query parameter-centric release, with two enhancements:
"equals sign" characters in query parameter values are no longer escaped.
URL.remove() now accepts value and limit parameters, allowing for removal of specific name-value pairs, as well as limiting the number of removals.
19.5.1
fix: authextra merging
fix: set default retry_delay_jitter
new: add rawsocket + twisted example
new: WebSocket testing support, via Agent-style interface
new: decorator for on_connectfailure
fix: delayed call leakage
new: CLI client
fix: set up TLS over proxy properly
new: expose ser modules
fix: base64 encodings, add hex encoding
new: onConnecting callback (with TransportDetails and ConnectingRequest). Note: if you've implemented a pure IWebSocketChannel without inheriting from Autobahn base classes, you'll need to add an onConnecting() method that just does return None.
copy tsutsui's commit to firefox:
fix wrong latency unit in stream_init() function.
Based on a patch in PR pkg/54206 from Y.Sugahara.
Bump PKGREVISION.
pkgsrc changes:
Replace use of legacy GeoIP library with libmaxminddb.
Uses a different module.
Changes:
Highlights
behavior change: strict URL parsing and normalization (configurable)
behavior change: mod_webdav now rejects partial PUT (configurable)
mod_auth: HTTP Auth Digest algorithm=SHA-256
mod_webdav: major rewrite: robustness, performance, RFC compliance
mod_maxminddb: new; obsoletes discontinued mod_geoip
Changes from 1.4.53
[mod_evhost] handle IPv6 literal addr; add tests
[core] separate server_main_loop() func, mark hot
[core] mark startup/shutdown funcs cold
[core] some server_main_loop() cleanup
[core] fdevent_process()
[core] srv->max_fds_lowat and srv->max_fds_hiwat
[core] remove server.h
[mod_staticfile] search ext array if not empty
[core] store joblist pointer on stack
[core] quickly clear request buffer for reuse
[core] helper funcs for connection_state_machine()
[core] perf: optimize connection_read_header()
[core] parse request in connection_read_header()
[core] log_request_header_on_error in one place
[core] copy request only if might need for logging
[core] make parse_request,request.request same buf
[core] prefer buffer_caseless_compare()
[core] pass req hdrs buffer to http_request_parse
[core] replace con->response.keep_alive
[core] mark log_error_write*() funcs cold
[core] http_request_parse() mark error paths cold
[core] lift code out of request line parse loop
[core] get_http_method_key() match by strlen first
[core] RFC7230 HTTP-version parse
[mod_accesslog] attempt to reconstruct req line
[multiple] minor: remove duplicated conditions
[mod_deflate] honor request for x-gzip, x-bzip2
[mod_auth] minor: adjust config validation
[core] discard oversized trailers
[core] no keep-alive if POLLRDHUP,empty read queue
[core] fix gw_backend spelling of directive in err
[multiple] reduce code dup in list resizing
[core] con->is_ssl_sock
[core] connection_handle_write() updates con state
[core] skip plugins_call_cleanup if not init’ed
[core] simpler loops to run plugin hooks
[core] fix mixed use of srv->split_vals array (fixes #2932)
[core] dispatch events from within event framework
[core] don’t call fd event handlers more than once, they might already be gone (fixes segfault)
[core] poll: fdarray uses fd as index, not fde_ndx
[core] map FDEVENT_* to OS system event frameworks
[core] prefer memchr() over strchr()
[core] use openssl to read,discard request body
[mod_openssl] inherit cipherlist from global scope
[mod_openssl] default: ssl.cipher-list = "HIGH"
[mod_proxy] pass Content-Length to backend if > 0
[core] config option to allow GET w/ request body
[core] some fdevent code streamlining
[core] remove fde_ndx member outside fdevents
[core] remove redundant check for allow_http11
[mod_openssl] use 16k static buffer instead of 64k
[core] pull server load checks out of main loop
[core] isolate fdevent processing
[core] release empty chunk buf when nothing read
[core] perf: pass (fdnode *) to epoll and kqueue
[core] modify config parser to handle multiple }
[core] pass (fdnode *) for registered fdevent fd
[mod_auth] http_auth_digest_hex2bin()
[mod_auth] http_auth_info_t digest abstraction
[mod_auth] pass http_auth_require_t for 401 Unauth
[core] no SOCK_NONBLOCK on QNX 7.0
[mod_auth] HTTP Auth Digest algorithm=SHA-256
[core] silence coverity warning
[mod_magnet] fix invalid script return-type crash (fixes #2938)
[build] remove -Wdeclaration-after-statement
[core] pass conf.follow_symlink in more places
[core] fix assertion with server.error-handler (fixes #2941)
[core] extend dir redirection to take HTTP status
[doc] minor adjust create-mime.conf.pl regex match (#2942)
[core] __attribute__((fallthrough)) for GCC 7.0
[core] fdevent_mkstemp_append() (shared)
[core] off_t upload_temp_file_size
[core] clear FDEVENT_RDHUP if no POLLRDHUP
[mod_wstunnel] fix ping-interval for big-endian (fixes #2944)
[core] fix abort in http-parseopts (fixes #2945)
[core] remove repeated slashes in http-parseopts
[core] fix 1.4.52 regression in mem use with POST (fixes #2948)
[multiple] cleaner calloc use in SETDEFAULTS_FUNC
[core] add const to some etag prototypes
[core] __attribute__((format ...))
[core] struct log_error_st for error logging
[core] log_error, log_perror using printf-like fmt
[core] new worker_init hook to follow parent fork
[core] replace open() with fdevent_open_cloexec()
[mod_webdav] major rewrite (fixes #1818)
[core] 200 for OPTIONS /non-existent/path HTTP/1.1 (fixes #2939)
[mod_webdav] surround Lock-Token with "<...>"
[mod_webdav] fix uuid detection macro
[mod_webdav] fix misbehavior on blank nodes in PROPPATCH
[mod_webdav] clean up resources after do{}while(0)
[mod_webdav] check If-Match, If-Unmodified-Since (#1818)
[mod_webdav] deprecated unsafe partial PUT compat
[mod_webdav] provide ETag in more responses
[mod_webdav] platform portability fixes
[mod_webdav] disable elftc_copyfile() on FreeBSD
[mod_webdav] special-case If: ()
[mod_webdav] check If-None-Match (#1818)
[stat_cache] separate func for symlink policy chk
[stat_cache] separate symlink pol from data struct
[stat_cache] store entries without trailing slash
[stat_cache] pass age param for stat cache cleanup
[stat_cache] remove splaytree ins/del debug code
[stat_cache] FAM: reduce string copying
[stat_cache] FAM: check FAMNextEvent() return code
[stat_cache] FAM: use entry hash index as userdata
[stat_cache] FAM: improve handling modified file
[stat_cache] FAM: ignore follow-symlink config
[stat_cache] FAM: check hash collision before add
[stat_cache] FAM: ignore event with no valid match
[stat_cache] FAM: funcs to invalidate entries
[stat_cache] interfaces to invalidate entries
[mod_webdav] update stat_cache after file mod
[core] use high precision stat timestamp in etag
[scons] adjustment for static build under CentOS
[core] emit trace using path before clearing path
[core] http_chunk_append_file_fd()
[multiple] open target file earlier in some cases
[stat_cache] no longer stat() and open() for stat
[stat_cache] FAM: improve monitoring, cache 16 sec
[stat_cache] FAM: separate routine for FDEVENT_IN
[stat_cache] FAM: whitespace-only change
[mod_webdav] quiet coverity warnings
[doc] highlight relevance of module load order (fixes #2946)
[core] behavior change: stricter URL normalization
[stat_cache] fix compilation error for cmake
[cmake] help cmake on FreeBSD find sys/event.h
[scons] help scons on FreeBSD find sys/event.h
[build] detect FreeBSD elftc_copyfile()
[mod_openssl] use SSL_CTX_set_client_hello_cb()
[core] support weak etags with If-None-Match
[core] store log_state_handling flag on stack
[core] check if splay_tree NULL before invalidate
[mod_webdav] workaround Microsoft-WebDAV-MiniRedir
[mod_webdav] doc Microsoft-WebDAV-MiniRedir bugs
[mod_webdav] invalidate parent dir in stat_cache
[doc] systemd socket activation config example
[core] chunkqueue perf: code reuse
[core] chunkqueue perf: specialized buffer.h funcs
[core] chunkqueue perf: skip opening 0-length file
[core] chunkqueue perf: read small files into mem
[core] buffer_reset() should not be passed NULL
[tests] has_feature() helper func
[tests] skip mod-secdownload HMAC-SHA1,HMAC-SHA256
[core] use high precision stat timestamp on OS X
[mod_magnet] expose server addr (local IP) to lua
[core] adjust http_chunk read() retry loop
[mod_maxminddb] MaxMind GeoIP2 support
[mod_authn_ldap] ldap_set_option LDAP_OPT_RESTART (fixes #2940)
Changelog:
Version 1.12.0
(12 Apr 2019, from /branches/1.12.x)
https://svn.apache.org/repos/asf/subversion/tags/1.12.0
User-visible changes:
- Major new features:
- Minor new features and improvements:
* 'move vs. move' merge conflicts can now be resolved (r1846851, r1851913)
* 'svn --version --verbose' shows loaded libraries on Linux (r1843774)
* 'svnrdump' can read/write a file instead of stdin/stdout (r1844906)
* 'svn list' tries to not truncate the author's name (r1847384 et al.)
* 'svn list' can show sizes in base-2 unit suffixes (r1847384 et al.)
* 'svn info' shows the size of files in the repository (r1847441 et al.)
* 'svn cleanup' can remove read-only directories (#4806, r1854072 et al.)
- Client-side bugfixes:
* Repos-to-WC copy with --parents works with absent target (r1843888)
* Repos-to-WC copy from foreign repo with peg/operative revs (#4785)
- Server-side bugfixes:
* Ignore empty group definitions in authz files (#4802, r1851687)
- Client-side and server-side bugfixes:
- Other tool improvements and bugfixes:
* svnauthz: warn about empty groups in authz files (#4803, r1851823)
* Storing passwords in plain text on disk is disabled by default (r1845377)
Developer-visible changes:
- General:
* Updated the required libtool version to 2.x (r1845716)
* get-deps.sh: Remove references to Googlemock and Googletest (r1849200)
* All C++ code is compiled in C++11 mode by default (r1849202)
- Bindings:
* JavaHL: Fixed potential core dump in ISVNClient.diff (r1845408)
* JavaHL: Let clients decode file contents from ISVNClient.blame (r1851333)
Version 1.11.1
(11 Jan 2019, from /branches/1.11.x)
http://svn.apache.org/repos/asf/subversion/tags/1.11.1
User-visible changes:
- Minor new features and improvements:
* Conflict resolver support for added vs unversioned file (r1845577)
* Conflict resolver support for unversioned directories (r1846299)
* Improve help for 'svn add' and the '-N' option (r1842814 et al.)
* Improve display of Mac OS name in 'svn --version --verbose' (r1842334)
- Client-side bugfixes:
* Fix: repos-to-WC copy with --parents doesn't create dirs (#4768)
* Fix: foreign repo copy with peg/operative revisions (#4785)
* Fix: foreign repo copy of file adding mergeinfo (#4792)
* Fix: assertion failure using -rPREV on a working copy at r0 (#4532)
* Fix: tree conflict message ends a sentence with a colon (#4717)
- Server-side bugfixes:
* Fix CVE-2018-11803: malicious SVN clients can crash mod_dav_svn
* Fix: unexpected SVN_ERR_FS_NOT_DIRECTORY errors (#4791)
* Fix: mod_dav_svn's SVNUseUTF8 had no effect in some setups (r1844882)
* Fix crash in mod_http2 (#4782)
- Other tool improvements and bugfixes:
* svndumpfilter: Clarify error messages by including node path (r1845261)
- Bindings bugfixes:
* JavaHL: Fix crash in client code when using external diff (r1845408)
Developer-visible changes:
- General:
* Fix build on systems without python in $PATH (r1845555)
* Fix compiler warnings about indentation (r1845556 et al.)
- API changes:
(none)
Version 1.11.0
(30 Oct 2018, from /branches/1.11.x)
http://svn.apache.org/repos/asf/subversion/tags/1.11.0
User-visible changes:
- Major new features:
* Shelving is no longer based on patch files (experimental) (issue #3625)
* Checkpointing (experimental) (issue #3626)
* Viewspec output command (experimental) (issue #4753)
- Minor new features and improvements:
* Improvements to tree conflict resolution (issue #4694, #4766 ...)
* 'patch' can now read non-pretty-printed svn:mergeinfo diffs (r1822151)
* Better error when http:// URL is not a Subversion repository (r1825302)
* Add 'schedule' and 'depth' items to 'svn info --show-item' (r1827032)
* Allow the client cert password to be saved (r1836762)
- Client-side bugfixes:
* Fix a crash in a repo:WC summary diff of a local copy (r1835218)
* Fix double diff headers (r1836746)
* Tree conflict resolver: avoid endless scan in some cases (r1839662)
- Server-side bugfixes:
* svnadmin dump shouldn't canonicalize svn:date (issue #4767)
* 'svnadmin verify --keep-going --quiet' shows an error summary (r1837790)
* Let 'svnadmin recover' prune the rep-cache even if disabled (r1838813)
- Client-side and server-side bugfixes:
* Fix pattern-matching of top level path in listing with search (r1830599)
* Allow commands like 'svn ci --file X' to work when X is a FIFO (r1836306)
- Other tool improvements and bugfixes:
* tools/client-side/bash_completion: Add '--password-from-stdin' (r1820045)
Developer-visible changes:
- General:
* new tool: tools/dist/edit-N-log-messages (r1819207)
* tools/dev/unix-build/Makefile.svn: various fixes
* Expose the diff option 'pretty_print_mergeinfo' in APIs (r1822014)
* In 'revert' APIs, choose whether to delete schedule-add nodes (r1822534)
- Bindings:
* Fix Python binding fs.FileDiff behaviour with python-future (r1823802)
* Fix Python unit test, fs.SubversionFSTestCase, on Windows (r1824410)
* Bump minimum JDK version required for JavaHL to 1.8 (r1831895)
* Enable building against Java 10 (r1841180 et al)
* Fix a potential crash in JavaHL (issue #4764)
From Piotr Meyer, thank you.
Changelog:
changed:
Font and date adjustments to accommodate the new Reiwa era in Japan
fixed:
#CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
#CVE-2019-9816: Type confusion with object groups and UnboxedObjects
#CVE-2019-9817: Stealing of cross-domain images using canvas
#CVE-2019-9818: Use-after-free in crash generation server
#CVE-2019-9819: Compartment mismatch with fetch API
#CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
#CVE-2019-11691: Use-after-free in XMLHttpRequest
#CVE-2019-11692: Use-after-free removing listeners in the event listener manager
#CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
#CVE-2019-7317: Use-after-free in png_image_free of libpng library
#CVE-2019-9797: Cross-origin theft of images with createImageBitmap
#CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext
#CVE-2019-11694: Uninitialized memory leakage in Windows sandbox
#CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
#CVE-2019-5798: Out-of-bounds read in Skia
#CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
1.25.3:
* Change HTTPSConnection to load system CA certificates
when ca_certs, ca_cert_dir, and ssl_context are
unspecified.
* Upgrade bundled rfc3986 to v1.3.2.
bindings (at least on NetBSD and OS X, as built from pkgsrc). This
leaves us falling through to getConfDir(), which has been gone
rather longer.
From highlight git, it appears searchFile() and getFiletypesConfPath()
both originated in the 3.14 release. The latter is still available in
3.51, and returns the same result searchFile() used to. Switch to it.
(From upstream git 4d06df9583e6c4145f8c6fc2fd51d7894c0b85ce.)
Bump PKGREVISION.
Upstream changes:
Major features
Forum
MDL-22077 - Private reply option
MDL-65033 - Ability to star discussions
MDL-64956 - In-page forum post reply
MDL-65032 - Ability to lock discussions manually
MDL-65069 - Ability to create discussions without changing page
MDL-64820 - Forum display updated to use templates
MDL-65071 - List of discussions is sortable
MDL-65034 - Accessibility improvements to forum discussions
MDL-65394 - Forum rendering speed improvements
MDL-46881 - Forum scheduled task (cron) has been refactored into several smaller cron tasks
Messaging
MDL-65015 - HTML in messages is cleaned according to site/role "trusttext" configuration
MDL-64715 - Personal space in messaging drawer for draft messages etc.
MDL-64495 - New settings page for messaging-related settings
MDL-63620 - Group conversations can be created from both the auto-create groups edit page and the import groups tool
MDL-63915 - Old messaging user interface removed and replaced with a new widget
MDL-64773 - Messaging conversations can be muted
MDL-65132 - New capability for deleting messages for all users within group conversations
MDL-64017 - Message processors can identify and handle group messages
MDL-64703 - Updated interface on the messaging index page
MDL-64137 - Searches highlight text that matches the search term
MDL-65114 - Timestamps in the main conversation list include days and years
MDL-64093 - New admin setting to set the site default for using enter key to send messages
MDL-60680 - Improved push notifications
Themes
MDL-58428 - All Boost templates moved to core
MDL-64505 - Classic theme introduced to core
MDL-64506 - Bootstrapbase and related themes (Clean/More) removed from core
MDL-65449 - Themes can override the course pattern used on the dashboard
LTI
MDL-62599 - LTI 1.3 support introduced
Open Badges
MDL-63262 - Support added for Open Badges 2.0 platforms
MDL-63876 - Moodle competencies can be linked to criteria for badges in Open Badges 2.0
Dashboard and Course Overview
MDL-63794 - Course categories can be displayed on courses in the course overview block
MDL-64855 - New admin setting to control the output of the course category in the myoverview block
MDL-64376 - Scrolling improved in the recently accessed courses block
MDL-64903 - Course filters are logically grouped in the myoverview block
MDL-64898 - The completion progress bar is no longer displayed for teachers in the myoverview block
Learning Analytics
MDL-61667 - Improvements to the install/uninstall procedure the Analytics API offers to plugins
MDL-64783 - New “upcoming activities due” model added
MDL-65582 - The "upcoming activities due" model is enabled by default
MDL-64786 - Users can overwrite default model names
MDL-64693 - New target added for course competencies achievement
MDL-64636 - New target added for course completion
MDL-65176 - New target added for students at risk of not getting the minimum grade to pass a course
MDL-64954 - A "More info" link provides more information about different core analytics elements
MDL-64777 - Default models can be restored
MDL-64787 - Analytics models can be evaluated using a trained machine learning backend
MDL-60944 - Models can be created, deleted, imported and exported
MDL-64779 - Ability to choose whether to include trained model weights in an export
MDL-65175 - When evaluating a model, the time-splitting method can be set using the web interface
MDL-65177 - It is possible to set the frequency of insight generation for models based on assumptions (e.g. the "upcoming activities due" model)
MDL-60936 - "Enabled time-splitting methods" analytics setting converted to a list of default time-splitting methods for a model's evaluation
Usability improvements
MDL-5311 - Choices can be cleared for single-answer multiple-choice questions
MDL-43385 - Print output of books has been improved
MDL-28505 - Course backup and restore can be performed asynchronously
MDL-61537 - Ability to rotate pages when annotating PDFs in assignment feedback
MDL-63773 - Assignment settings form hides irrelevant options instead of disabling them
MDL-64552 - Moodle forms inside the admin top level directory hide irrelevant options instead of disabling them
MDL-64557 - Moodle forms inside the course directory hide irrelevant options instead of disabling them
MDL-60474 - The student selection tool in the grading interface reflects the sorting order of the grading table
MDL-39261 - File support added to lesson essay questions
MDL-60913 - Global search results can be split into tabs by category
MDL-50793 - Teachers can see hidden pages in book activities
MDL-60059 - Workshop activity action events support drag and drop in the calendar
MDL-62142 - Accessibility improvements for Boost course landing page
Other Highlights
Functional changes
MDL-31355 - Forum due dates are added to the calendar
MDL-36088 - Adding/modifying questions to/in the question bank is logged
MDL-49673 - Assignment has an option to not display the grader to students
MDL-31852 - HTML tags allowed in the title of Lesson "content pages"
MDL-64377 - Ability to delete assignment file submissions
MDL-64243 - Nextcloud serves "offline" files consistent with other integrations (e.g. OneDrive and Google Docs)
MDL-53346 - User competencies in courses show the linked learning plans
MDL-62223 - Improved submission statements for assignments
MDL-52828 - Competencies can be graded when grading an activity
MDL-65154 - Course competencies page shows students which competencies are linked to an activity
MDL-64414 - "AND" and "OR" are available in if-conditions for grade calculations
For administrators
MDL-10965 - There is a new capability available to view the list of non-hidden courses
MDL-57898 - New custom field types plugin and course custom fields functionality
MDL-49399 - Output can be captured during cron and task runs
MDL-62869 - Global search can be configured to include all visible courses
MDL-64322 - New data privacy capability to restrict submission of deletion requests for other users
MDL-63569 - A constant can be added to the subject of all emails
MDL-62907 - The standard log table 'other' field can be set to store in JSON format
MDL-64281 - Frame embedding is always allowed for requests coming from the Moodle app
MDL-61164 - Tasks using legacy cron functionality moved to scheduled tasks
MDL-57900 - Added fields to provide site metadata to support learning analytics
MDL-63623 - Plugins can be uninstalled via command line
MDL-64323 - Additional fields are included in user searches when making new data requests on behalf of a user
MDL-64347 - Improved processing of scheduled and ad-hoc tasks
MDL-65142 - Tables can be downloaded in PDF format (new dataformat)
MDL-64314 - Insights notification enable web notifications by default
MDL-65138 - Course sharing to Moodle.net is disabled by default (configured via a new setting)
MDL-64454 - Site administration page warns if cron does not run frequently
MDL-62728 - The language packs page displays a warning when locales are not fully supported
MDL-64071 - Improved diagnostics when testing LDAP settings
MDL-64823 - Disabling mobile plugins works as expected
MDL-44484 - Theme field available in the bulk upload users tool
MDL-64477 - Learning analytics usage data is included with site usage data
MDL-64337 - Mobile app enabled sites prompt users that do not use the app to download it in notification emails
MDL-64339 - User names provided in the comments report are hyperlinked to the user's profile
For developers
MDL-54592 - MongoDB cache store upgraded to use PHP 7 compatible library
MDL-63977 - Behat testing available for mobile app features and plugins
MDL-63986 - Behat testing added for the messaging drawer
MDL-64449 - New debug feature to expose code issues with session locks
MDL-52167 - Core functionality added to enable site administration settings to be hidden if dependent on another disabled setting
MDL-63366 - Ability to specify filters for unit testing coverage
MDL-65130 - Improved unit testing coverage generation by only respecting the @covers annotation
MDL-60470 - New "after_require_login" hook introduced
MDL-65204 - Phpunit upgraded to version 7.5.x
MDL-64348 - Improved AJAX template fetching
MDL-59986 - External database enrolment sync moved to a scheduled task
MDL-63880 - Some templates common in dashboard blocks have been moved to increase reusability
MDL-64587 - New option in the XMLDB editor to add the mandatory persistent fields
MDL-64324 - ID collisions are avoided when forms are loaded from AJAX
MDL-64684 - When JavaScript caching is disabled, jQuery and RequireJS are no longer minified
New web services
MDL-64252 - New SCORM web service to return user capabilities
MDL-64656 - New web service to return the tag associated with an element
MDL-64655 - New forum web service to return user access information
MDL-64642 - New web service to call multiple external functions
Version 0.15.4
- Fix a SyntaxError on Python 2.7.5. (:issue:1544)
Version 0.15.3
- Properly handle multi-line header folding in development server in
Python 2.7. (:issue:1080)
- Restore the response argument to :exc:~exceptions.Unauthorized.
(:pr:1527)
- :exc:~exceptions.Unauthorized doesn't add the WWW-Authenticate
header if www_authenticate is not given. (:issue:1516)
- The default URL converter correctly encodes bytes to string rather
than representing them with b''. (:issue:1502)
- Fix the filename format string in
:class:~middleware.profiler.ProfilerMiddleware to correctly handle
float values. (:issue:1511)
- Update :class:~middleware.lint.LintMiddleware to work on Python 3.
(:issue:1510)
- The debugger detects cycles in chained exceptions and does not time
out in that case. (:issue:1536)
- When running the development server in Docker, the debugger security
pin is now unique per container.
Changelog:
New
Firefox 67 demonstrates improved performance thanks to a number of changes such as:
Lowering priority of setTimeout during page load
Delayed component initialization until after start up
Painting sooner during page load but less often
Suspending unused tabs
Learn more about our approach to performance in 67 in the Mozilla blog.
Users can block known cryptominers and fingerprinters in the Custom settings of their Content Blocking preferences.
Keyboard accessibility has improved in the latest version of Firefox. Toolbar and toolbar overflow menu are both fully keyboard accessible: keyboard users can now access add-ons, the downloads panel, the overflow, Page actions and Firefox menus, and much more.
Private Browsing sees both usability and security improvements:
Save passwords in private browsing mode
Choose which extensions to exclude from private tabs
A myriad of new features help make Firefox easier to use:
We’ve added a toolbar menu for your Firefox Account to provide more transparency for when you are synced, sharing data across devices and with Firefox. Personalize the appearance of the menu with your own avatar
Tabs can now be pinned from the Page Actions menu in the address bar
Firefox will highlight useful features (like Pin Tabs) when users are most likely to benefit from them.
Easier access to your list of saved logins from the main menu and login autocomplete. Learn about all the ways you can manage your passwords in Firefox.
The Import Data from Another Browser feature is now also available from the File menu
Users will be able to run different Firefox installs side by side by default so that you can run the beta and release versions simultaneously
Firefox will now protect you against running older versions of the browser which can lead to data corruption and stability issues
Firefox is upgrading to the newer, higher performance, AV1 decoder known as ‘dav1d’
WebRender is gradually enabled by default on Windows 10 desktops with NVIDIA graphics cards
Mozilla’s highest performing JavaScript compiler now supports ARM64 Windows devices.
Enable FIDO U2F API, and permit registrations for Google Accounts
Some users will see experiments with an improved Pocket experience in Firefox Home with different layouts and more topical content.
Fixed
Various security fixes
#CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
#CVE-2019-9816: Type confusion with object groups and UnboxedObjects
#CVE-2019-9817: Stealing of cross-domain images using canvas
#CVE-2019-9818: Use-after-free in crash generation server
#CVE-2019-9819: Compartment mismatch with fetch API
#CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
#CVE-2019-9821: Use-after-free in AssertWorkerThread
#CVE-2019-11691: Use-after-free in XMLHttpRequest
#CVE-2019-11692: Use-after-free removing listeners in the event listener manager
#CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
#CVE-2019-7317: Use-after-free in png_image_free of libpng library
#CVE-2019-11694: Uninitialized memory leakage in Windows sandbox
#CVE-2019-11695: Custom cursor can render over user interface outside of web content
#CVE-2019-11t .JNLP files are not recognized as executable files for download prompts
#CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions
#CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
… resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site.
#CVE-2019-11700: res: protocol can be used to open known local files
#CVE-2019-11699: Incorrect domain name highlighting during page navigation
#CVE-2019-11701: webcal: protocol default handler loads vulnerable web page
#CVE-2019-9814: Memory safety bugs fixed in Firefox 67
#CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
1. Added a missing build dependency, devel/yasm.
2. Fixed build failures when compiling with rust>=1.33 by disabling the
--enable-rust-simd flag for now. (borrowed from ryoon@'s fix from
www/firefox)
3. Bumped the rust dependency minimum version to 1.31.
4. Bump PKGREVISION
pkgsrc changes:
- Remove patch-configure test(1) `==' -> `=' hunk applied upstream
Changes:
7.65.0
------
This release includes the following changes:
o CURLOPT_DNS_USE_GLOBAL_CACHE: removed
o CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
o pipelining: removed
This release includes the following bugfixes:
o CVE-2019-5435: Integer overflows in curl_url_set
o CVE-2019-5436: tftp: use the current blksize for recvfrom()
o --config: clarify that initial : and = might need quoting
o AppVeyor: enable testing for WinSSL build
o CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
o CURLOPT_ADDRESS_SCOPE: fix range check and more
o CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later
o CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
o CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
o CURL_MAX_INPUT_LENGTH: largest acceptable string input size
o Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
o INTERNALS: Add code highlighting
o OS400/ccsidcurl: replace use of Curl_vsetopt
o OpenSSL: Report -fips in version if OpenSSL is built with FIPS
o README.md: fix no-consecutive-blank-lines Codacy warning
o VC15 project: remove MinimalRebuild
o VS projects: use Unicode for VC10+
o WRITEFUNCTION: add missing set_in_callback around callback
o altsvc: Fix building with cookies disabled
o auth: Rename the various authentication clean up functions
o base64: build conditionally if there are users
o build-openssl.bat: Fixed support for OpenSSL v1.1.0+
o build: fix "clarify calculation precedence" warnings
o checksrc.bat: ignore snprintf warnings in docs/examples
o cirrus: Customize the disabled tests per FreeBSD version
o cleanup: remove FIXME and TODO comments
o cmake: avoid linking executable for some tests with cmake 3.6+
o cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
o cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
o cmake: set SSL_BACKENDS
o configure: avoid unportable `==' test(1) operator
o configure: error out if OpenSSL wasn't detected when asked for
o configure: fix default location for fish completions
o cookie: Guard against possible NULL ptr deref
o curl: make code work with protocol-disabled libcurl
o curl: report error for "--no-" on non-boolean options
o curl_easy_getinfo.3: fix minor formatting mistake
o curlver.h: use parenthesis in CURL_VERSION_BITS macro
o docs/BUG-BOUNTY: bug bounty time
o docs/INSTALL: fix broken link
o docs/RELEASE-PROCEDURE: link to live iCalendar
o documentation: Fix several typos
o doh: acknowledge CURL_DISABLE_DOH
o doh: disable DOH for the cases it doesn't work
o examples: remove unused variables
o ftplistparser: fix LGTM alert "Empty block without comment"
o hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
o http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
o http: acknowledge CURL_DISABLE_HTTP_AUTH
o http: mark bundle as not for multiuse on < HTTP/2 response
o http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
o http_negotiate: do not treat failure of gss_init_sec_context() as fatal
o http_ntlm: Corrected the name of the include guard
o http_ntlm_wb: Handle auth for only a single request
o http_ntlm_wb: Return the correct error on receiving an empty auth message
o lib509: add missing include for strdup
o lib557: initialize variables
o makedebug: Fix ERRORLEVEL detection after running where.exe
o mbedtls: enable use of EC keys
o mime: acknowledge CURL_DISABLE_MIME
o multi: improved HTTP_1_1_REQUIRED handling
o netrc: acknowledge CURL_DISABLE_NETRC
o nss: allow fifos and character devices for certificates
o nss: provide more specific error messages on failed init
o ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
o ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
o openssl: mark connection for close on TLS close_notify
o openvms: Remove pre-processor for SecureTransport
o openvms: Remove pre-processors for Windows
o parse_proxy: use the URL parser API
o parsedate: disabled on CURL_DISABLE_PARSEDATE
o pingpong: disable more when no pingpong protocols are enabled
o polarssl_threadlock: remove conditionally unused code
o progress: acknowledge CURL_DISABLE_PROGRESS_METER
o proxy: acknowledge DISABLE_PROXY more
o resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
o revert "multi: support verbose conncache closure handle"
o sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
o sasl: only enable if there's a protocol enabled using it
o scripts: fix typos
o singleipconnect: show port in the verbose "Trying ..." message
o smtp: fix compiler warning
o socks5: user name and passwords must be shorter than 256
o socks: fix error message
o socksd: new SOCKS 4+5 server for tests
o spnego_gssapi: fix return code on gss_init_sec_context() failure
o ssh-libssh: remove unused variable
o ssh: define USE_SSH if SSH is enabled (any backend)
o ssh: move variable declaration to where it's used
o test1002: correct the name
o test2100: Fix typos in test description
o tests/server/util: fix Windows Unicode build
o tests: Run global cleanup at end of tests
o tests: make Impacket (SMB server) Python 3 compatible
o tool_cb_wrt: fix bad-function-cast warning
o tool_formparse: remove redundant assignment
o tool_help: Warn if curl and libcurl versions do not match
o tool_help: include <strings.h> for strcasecmp
o transfer: fix LGTM alert "Comparison is always true"
o travis: add an osx http-only build
o travis: allow builds on branches named "ci"
o travis: install dependencies only when needed
o travis: update some builds to Xenial
o travis: updated mesalink builds
o url: always clone the CURLOPT_CURLU handle
o url: convert the zone id from a IPv6 URL to correct scope id
o urlapi: add CURLUPART_ZONEID to set and get
o urlapi: increase supported scheme length to 40 bytes
o urlapi: require a non-zero host name length when parsing URL
o urlapi: stricter CURLUPART_PORT parsing
o urlapi: strip off zone id from numerical IPv6 addresses
o urlapi: urlencode characters above 0x7f correctly
o vauth/cleartext: update the PLAIN login to match RFC 4616
o vauth/oauth2: Fix OAUTHBEARER token generation
o vauth: Fix incorrect function description for Curl_auth_user_contains_domain
o vtls: fix potential ssl_buffer stack overflow
o wildcard: disable from build when FTP isn't present
o winbuild: Support MultiSSL builds
o xattr: skip unittest on unsupported platforms
v6.5.5
- :issue:99 via :pr:186: Sockets now collect statistics (bytes
read and written) on Python 3 same as Python 2.
- :cp-issue:1618 via :pr:180: Ignore OpenSSL's 1.1+ Error 0
under any Python while wrapping a socket.
6.1.6:
Features / Enhancements
Security: Bump jQuery to 3.4.0
Bug Fixes
Playlist: Fix loading dashboards by tag.
6.1.5:
Security: Urgent security patch release.
6.1.4:
Bug Fixes
DataPanel: Added missing built-in interval variables to scopedVars.
Explore: Adds maxDataPoints to data source query options.
Explore: Fixes so intervals are recalculated on run query.
Heatmap: Fix for empty graph when panel is too narrow.
Heatmap: Fixed auto decimals when bucket name is not number.
QueryInspector: Now shows error responses again.
6.1.3:
Bug Fixes
Graph: Fixed auto decimals in legend values for some units like ms and s.
Graph: Fixed png rendering with legend to the right.
Singlestat: Use decimals when manually specified.
UI Switch: Fix broken UI switches. Fixes Default Data Source switch, Explore Logs switches, Gauge option switches.
6.1.2:
Bug Fixes
Graph: Fixed series legend color for hidden series.
Graph: Fixed tooltip highlight on white theme.
Styles: Fixed menu hover highlight border.
Singlestat Panel: Correctly use the override decimals.
6.1.1:
Bug Fixes
Alerting: Notification channel http api fixes.
Graphite: Editing graphite query function now works again.
Playlist: Kiosk & auto fit panels modes are working normally again.
QueryEditors: Toggle edit mode now always works on slower computers.
6.1.0:
Bug Fixes
CloudWatch: Fix for dimension value list when changing dimension key.
Graphite: Editing function arguments now works again.
InfluxDB: Fix tag names with periods in alert evaluation.
PngRendering: Fix for panel height & title centering.
Templating: Fix for editing query variables.
Changelog:
This is a bug-fix release with one important fix. There have been
reports about infrequent paginator crashes when running the Hugo
server since 0.55.0. The reason has been narrowed down to that of
parallel rebuilds. This isn't a new thing, but the changes in 0.55.0
made it extra important to serialize the page initialization. This
release fixes that by protecting the Build method with a lock when
running in server mode. 95ce2a40 @bep #5885 #5968