This version of Apache is principally a bug and security fix release.
The following potential security flaws are addressed:
- CVE-2008-2364: mod_proxy_http: Better handling of excessive interim
responses from origin server to prevent potential denial of service and
high memory usage. Reported by Ryujiro Shibuya.
- CVE-2007-6420: mod_proxy_balancer: Prevent CSRF attacks against the
balancer-manager interface.
pkgsrc related notes:
- CVE-2008-2364 was already fixed in "pkgsrc"
- CVE-2007-6420 doesn't affect the package in the default configuration
because the "proxy_balancer" isn't enabled.
* Escape item names in the object browser.
* Select db before queries in MySQL SessionHandler.
* Format messages sent through MIME_Mail in flowed text format.
* Fixes for SQL shares with split read/write databases, and various fixes for hierarchical shares.
* Workaround broken IE behavior when downloading files with 8-bit filenames.
* Fix storing of unlocked preferences set by hooks.
* Allow Horde memcache driver to use UNIX sockets.
* Fix parsing of addresses in headers when the RFC 2047-encoded personal part of the address contains address list delimiters.
* Fix generation of unique keys in configuration for machines too fast for microtime().
* Added group driver for Kolab.
* Added IMAP based preferences driver for Kolab.
* Fix missing timestamp variable in Horde SQL cache driver.
* Fix over-zealous preference caching when preferences are requested for a different user.
* Fix issue in Horde_Image that caused errors when performing certain image operations immediately after an image had been cropped when using the ImageMagick driver.
The full list of changes (from version 3.2) can be viewed here:
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.392&r2=1.515.2.413&ty=h
reported by Stuart Shelton in PR pkg/38252,
I also think that the PRIVOXY_GROUP thing was a false report caused
by some pkgsrc framework glitch -- the value passed to "configure"
is correct for me (check "config.status").
* Correct registration of the Sarissa javascript library: current KSS uses it
as well. Fixes bug 8141.
* Correct handling of external links in the portal section tabs. Fixes bug 7155.
* Correct display of sub-collections. Fixes bug 8159.
* Use a custom permission for collection portlets so users can use it on their
dashboard.
* Fix handling of unicode versioning comments. Fixes bug 7400.
* Update translations.
* Do not allow backquotes in URLs but replace them with a dash.
* Make CSS classes for the navigation tree more consistent.
* KSS updates:
o kss.demo is no longer required.
o Improve support for Safari 3.1.
o Correct logging of doubly registered actions.
* Update the quick installer tool:
o Log ImportErrors in installation methods instead of silently ignoring
them.
o Sort products by title instead of id. This fixes bug 8012.
o Fix installation/upgrade of products which had pre-Plone 3.0/CMF 21
style actions.
* Update the kupu visual editor:
o Add a hint for Deliverance so it will not style kupu pages.
o Fix Plone bugs 7779, 7958, 7990, 8003, 8009, 8014, 8039, 8080, and
8129.
* Update Zope:
o Bug 142350: Display description for properties as row title, if present.
o Bug 143813: zopectl now exits non-zero when child processes fail.
o Bug 164783: Indexes were migrated on initial creation of a ZODB.
o Bug 173658: Removed dead code in OFS.Traversable's
unrestrictedTraverse (apparent NameError).
o Bug 198274: "empty" ZopePageTemplates could not be unpickled.
o Bug 200007: DateTime(anotherDateTime) now preserves the timezone.
o Bug 213311: Handle "unsubscriptable object" errors during publishing
traversal.
o zope.security: upgrade to version 3.3.3, which contains a backport
of a huge performance bugfix from the 3.4 branch.
The ikiwiki amazon_s3 plugin injects wiki pages into Amazon S3
allowing ikiwiki to be used without a dedicated web server.
This option just adds a dependency on the required Perl module.
Note the plugin is installed regardless (just like the svn and img
support are installed without the options bringing in dependencies).
See http://ikiwiki.info/news/ for complete list of changes.
Major changes include:
- "fixes an important security hole"
- new plugins: amazon_s3, pingee, pinger
patch-aa removed, fixed now.
"gtkmozembed" is deprecated and not shipped with firefox 3.0+
Some packages that need firefox (like www/epiphany?) can be configured
to use libxul instead.
For those packages that support it, it might be a good idea to add a
firefox3 option when we get closer to firefox 3 launch day.
enhancements:
* Stable synchronization support through integrated SyncML server.
* A new Alarm system that can send email alarms, generate popup or inline
notifications, and play sounds for events in any Horde application.
* Support for separate read and write databases, and improved usability
when the database is unavailable.
* Improved performance, through caching and native SQL drivers for shares,
groups, and permissions; faster DataTree queries, and smarter use of
session data.
* The administrator can disable users' ability to change permissions on
their Shares.
* Two slick new themes, Tango Blue and Silver Surfer.
* WCAG 1.0 Priority 2/Section 508 accessibility guidelines compliance.
* Full Kolab webclient support.
* Improved JavaScript code including more caching, JSON support, new
spell checking and color picking widgets, replacing htmlarea with xinha,
and dynamic portal updates.
* Help is now searchable and has a tree view for easy organization and
exploration of help topics.
* Wider memcache support and easier memcache configuration, including
connection pooling and multiple memcache servers.
* A more complete WebDAV server.
* "Drop-in" configuration support for applications through
config/registry.d/.
* Many additional hooks, for performing actions on preference value
changes, and after loading an application.
* and much, much more.
patches to add it). Drop pax from the default USE_TOOLS list.
Make bsdtar the default for those places that wanted gtar to extract
long links etc, as bsdtar can be built of the tree.
=== RELEASE 2.1pre36 ===
Tue May 13 04:04:47 MET 2008 mikulas:
Fixed crash that was introduced with Sun May 4 20:13:21 MET 2008 fix
Mon May 12 23:26:51 MET 2008 mikulas:
Blacklist another broken HTTP/1.1 server - Apache Sausalito
Fri May 9 04:06:47 MET 2008 mikulas:
Take downloaded file name from Content-Type; name argument, if it exists
Also, get encoding information from Content-Type/Content-Disposition
filename
=== RELEASE 2.1pre35 ===
Mon May 5 20:06:19 MET 2008 mikulas:
The fix from Sun May 4 20:13:21 MET 2008 broke loading of animated gifs
=== RELEASE 2.1pre34 ===
Sun May 4 21:18:15 MET 2008 mikulas:
Allow displaying large images in xwindow (that do not fit into xserver
memory)
Sun May 4 20:13:21 MET 2008 mikulas:
Fixed image was sometimes not redrawn, when connection was interrupted
in the middle and resumed
Sun May 4 17:52:29 MET 2008 Ben Secrest <blsecres@gmail.com>:
Don't change Xwindow class
Wed Apr 16 03:10:02 cet 2008 Didier Mequignon <didiermequignon@wanadoo.fr>:
Updated French translation
Wed Mar 26 20:50:32 MET 2008 mikulas:
Fixed crash in text mode with small window height and bookmarks
Sat Mar 22 22:01:15 MET 2008 mikulas:
Accept </> as an empty tag
Thu Mar 20 22:47:09 CET 2008 mikulas:
Accept alternate description attributes for image buttons
Thu Mar 20 04:36:45 MET 2008 mikulas:
Fixed the bug that when displaying source, some html entities were
erroneously translated
Thu Mar 20 04:30:52 MET 2008 mikulas:
Added fallback for ‑ entity
Thu Mar 13 22:43:48 CET 2008 mikulas:
Allow multiple WWW-Authenticate headers
While here, add DESTDIR support and further adapt the sample config file to the default settings.
* Version 0.6.3 (30 March 2008)
- Fixed a possible race condition concerning the check for the
right symlink owner.
- Added checks for the owner of the parent directories.
* Version 0.6.2 (19 November 2006)
- Made mod_suphp compatible with Apache 2.2
- Modified SmartPtr implementation (hopefully) fixing
double free problem
- Fixed problem that caused the process to block
when more than 4096 were written to stderr
- Implemented userdir support
- Fixed problem with PATH_INFO and PHP scripts
* Version 0.6.1 (26 November 2005)
- Changed usage of STL to gain better compatibility with old GCC versions
(credits to Jeremy Chadwick for finding the relevant code)
- Fixed typos in mod_suphp.c (Apache 1.3)
(credits to Johan Ekenberg for finding these typos)
- Fixed potential buffer overflow in function suphp_bucket_read() in
src/apache2/mod_suphp.c
- Fix problems with scripts sending "Last-Modified" headers
- Extended autoconf script to look for an installation of APR
and to use its includedir when building mod_suphp for Apache 2
- Added support for chroot() call before execution of script
Zope 2.10.6 (2008/05/10)
Bugs fixed
Launchpad #142350: Display description for properties as row title, if present.
Launchpad #200007: DateTime(anotherDateTime) now preserves the timezone.
Launchpad #213311: Handle "unsubscriptable object" errors during publishing traversal.
Launchpad #143813: zopectl now exits non-zero when child processes fail.
Launchpad #173658: Removed dead code in OFS.Traversable's unrestrictedTraverse (apparent NameError).
Launchpad #198274: "empty" ZopePageTemplates could not be unpickled.
zope.security: switched to use standalone 3.3.3 version, which contains a backport of a huge performance bugfix from the 3.4 branch.
Launchpad #164783: Indexes were migrated on initial creation of a ZODB.
Zope 2.9.9 (2008/05/10)
Bugs fixed
Launchpad #142350: Display description for properties as row title, if present.
Launchpad #200007: DateTime(anotherDateTime) now preserves the timezone.
Launchpad #143813: zopectl now exits non-zero when child processes fail.
Launchpad #143748: remove broken use of logging module in Products.Five.fiveconfigure.handleBrokenProduct. Fixed by upgrading to Products.Five 1.3.11.
Launchpad #147201: treat container-class in zope.conf as a string, making it possible to use types from extra products directories.
Collector #2287: form :record objects did not implement enough of the mapping protocol.
Collector #2346: username logging in FCGI crashed the server
Collector #2332: SessionDataManager: don't swallow ConflictErrors
Collector #146408: fixed broken logger call in Transience.py
- re-supported DnD to bookmark folder in toolbar.
- Print copied string in Statusbar when CopyInUserFormat action is executed.
- Make it work with xulrunner 1.9.
- Resupported thumbnails.
- New German translation.
- RSS with CDATA is now parsed correctly.
- Fixed a crash when preference dialog is opened.
- HyperEstraier ANDNOT support.
- Various GTK/glib related bugfixes.
:Q operator in CONFIGURE_ARGS removed as suggested by rillig and pkglint.
Stop lying and drop maintainership of these packages. I have not
maintained them for a very long time already, so leave room for
fresh blood to take over them.
Upgrade to 2.44. Many changes. Here are a couple of them:
* The security fix in the last release had buggy handling of data:image,
now fixed. Closes: #465110 (CVE-2008-0808, CVE-2008-0809)
* htmlscrubber security fix: Block javascript in uris.
Adds new tool: ikiwiki-transition
No longer installs rst and externaldemo plugins.
Add patch based on bugs I found -- both fixes are now upstream.
HTML::StripScript
===========
This module strips scripting constructs out of HTML, leaving as much
non-scripting markup in place as possible. This allows web applications
to display HTML originating from an untrusted source without introducing
XSS (cross site scripting) vulnerabilities.
- assume that Python 2.4 and 2.5 are compatible and allow checking for
fallout.
- remove PYTHON_VERSIONS_COMPATIBLE that are obsoleted by the 2.3+
default. Modify the others to deal with the removals.
1.30 November 26, 2007
Added t_write_test_lib for temporary testing packages
[Fred Moyer <fred@redhotpenguin.com>]
Fix syntax error in generated PHP files t/conf/*.php.in
[Philippe M. Chiasson]
Add bwshare.so to the list of modules to not inherit b/c
it rate limits requests to less than that of a test suite.
PR: 25548
[imacat <imacat@mail.imacat.idv.tw>]
Add EXTRA_CFLAGS to c-module building if defined in the environment
[Geoffrey Young]
1.20 Wed Mar 12 23:56:11 CDT 2008
-----------------------------------
[FIXES]
stuff_inputs() used to do nothing. Now it works.
http://code.google.com/p/www-mechanize/issues/detail?id=9
Fixed punctuation in some error messages.
Fixed compatibility with WWW::Mechanize 1.36.
1.18 Thu Dec 6 10:12:14 CST 2007
------------------------------------
[ENHANCEMENTS]
Added default descriptions for most test assertions.
[FIXES]
HTML::Lint is now properly optional.
Added delays in all the tests that use HTTP::Server::Simple to give
it time to correctly fire up.
1.16 Mon Oct 29 15:34:21 CDT 2007
------------------------------------
[ENHANCEMENTS]
Added $mech->post_ok(). Thanks, Greg Sheard.
Added $mech->submit_form_ok(). Thanks, Mark Stosberg.
Added $mech->html_lint_ok()
[FIXES]
Fixed some bugs that were causing test failures.
1.14 Fri May 11 16:22:02 CDT 2007
------------------------------------
[FIXES]
Fixes test failures. Thanks to Mark Blackman for RT #26602:
The module tests currently spawn a server (based on
HTTP::Server::Simple::CGI) which is killed when a __DIE__
signal is received, normally only when the invoking
perl dies. However, as perlvar makes clear, the __DIE__
signal is received when eval blocks die as well. The
new version (1.22) of WWW::Mechanize now calls
HTTP::Message::decoded_content which calls Encode.pm
which has an eval block that requires Encode::ConfigLocal
which is usually not present, so the eval dies and the
HTTP server is killed as soon as the $mech object tries
to do a 'get'. It's simple to use a system variable,
$^S to find out if the __DIE__ signal is being called
for an eval so we ignore that case with the patch
attached.
The stuff_inputs() function now actually works.
[DOCUMENTATION]
* Made the synopsis show that T:W:M doesn't take the tests=>$x
like other Test::* modules. It'd be nice if it did, though.
0.31 Sun Mar 16 20:51:04 EDT 2008
* Test suite parallelization fixes. Thanks to Slaven Rezic
0.30 Tue Mar 11 12:14:24 EDT 2008
* Minor doc fix from Paul Miller.
* Fixing doc style from "$this" to "$self" like any self-respecting perl code
0.29 Fri Feb 15 11:43:29 EST 2008
* new example section from almut on perlmonks
0.28 Tue Jan 15 09:33:58 EST 2008
* New restartability support from Mark Stosberg
After reviewing the code in HTTP::Server::Simple,
Catalyst::Engine::HTTP and HTTP::Server::Brick, I found and
implemented an updated signal handling approach that I like and
understand, and actually works.
The current code restarted immediately if a SIGHUP came in, no
matter what was happening, including if a request was in process of
being fulfilled.
The new code works more like "apachectl graceful". It waits for the
current request cycle to finish, and then restarts the server.
This code has to be integrated in the core, but it's just about
the same amount of signal handling code that was there... it just
works better. It's also written in such a way I think subclass/mixin
authors could rewrite just these parts if they wanted.
Also, it looks like a Net::Server based sub-class would already be
doing its own thing with SIGHUP handling, and should continue to
be unaffected.
1.86 2008-02-01 by Alexandr Ciornii
- Default number of semaphores for *BSD is 8 in Apache::Session::Lock::Semaphore
1.85_01 2008-01-24 by Alexandr Ciornii
- typos corrected (caught by Gerald Fox)
- more tests and diag in 99semaphore.t
- no warning "disconnect invalidates 2 active statement" in
Apache::Session::Lock::MySQL by Tony Cook (RT#32148)
1.85 2007-12-20 by Alexandr Ciornii, Perl 20th birthday version
- mention Catalyst::Plugin::Session, Session
1.84_01 2007-11-26 by Alexandr Ciornii (alexchorny AT gmail.com)
- Added Apache::Session::Lock::Semaphore::remove to remove semaphore
- 99flex.t will remove semaphore (RT#30440)
- 99flex.t should work on 5.6.1 again (no chdir now)
- 99flex.t will clean all temporary files (RT#30209)
- pod.t included in MANIFEST
- cleaner tests
1.84 2007-10-02 by Alexandr Ciornii (alexchorny AT gmail.com)
- Added constant.pm to the list of prerequisites
- Jeffrey W. Baker, Casey West, Alexandr Ciornii, Oliver Maul agreed to
change license of all files to Perl license
Alexandr Ciornii agrees to relicense to Artistic 2.0 in future if needed.
- 99flex.t will be skipped on *bsd and Solaris
1.83_01 2007-08-03 by Alexandr Ciornii
- better handling of Storable errors by Rick Delaney (RT#27476)
1.83=1.82_05 2007-05-25
1.82_05 2007-05-14 by Alexandr Ciornii
- skipping part of 99flex.t on NetBSD
1.82_04 2007-04-27 by Alexandr Ciornii
- More diagnostics in Apache::Session::Lock::Semaphore::acquire_write_lock,
acquire_read_lock
- Did not increment modules versions in previous versions of distribution
- Apache::Session::Lock::Semaphore can work with private semaphore
- 99flex.t will use private semaphore
- 99dbfile.t, 99dbfilestore.t - added undef (for RT#6216)
1.82_03 2007-03-12 by Alexandr Ciornii
- Apache::Session::Lock::File checks flock success (RT#6936)
- Apache::Session::Lock::File will not change to shared lock if write
lock is in effect and read lock is requested (RT#7072)
- 99dbfile.t, 99dbfilestore.t - added untie (for RT#6216)
- Apache::Session::Lock::Semaphore will check for $Config{d_semget} and
cygserver
1.82_02 2007-03-11 by Alexandr Ciornii
- 99semaphore.t, 99flex.t will be skipped if $Config{d_semget}==undef,
patch by Slaven Rezic
- Removed redundant code in 99filelock.t
- Removed unnecessary skip in 99nulllock.t
- Added file 'Contributing.txt'
- Apache::Session - mention CGI::Session
- Request in Makefile.PL
1.82_01 2007-03-10 by Alexandr Ciornii
- Applied part of patch of SREZIC (Slaven Rezic), RT#3670,
more diagnostics on failing file operations (Apache::Session::Lock::File,
Apache::Session::Store::DB_File, Apache::Session::Store::File)
- RT#1251, ModUniqueId.pm, ModUsertrack.pm - small error in Carp usage,
by Slaven Rezic
- 99flex.t will be skipped on perls earlier than 5.8 (RT#16539)
- Requires Storable (core from 5.7.3), as it is almost useless without it
2.0.4 April 16, 2008
Fix $r->location corruption under certain conditions
[Gozer]
Fix a crash when spawning Perl threads under Perl 5.10
[Gozer]
Fix erratic behaviour when filters were used with Perl 5.10
[Gozer]
Fix problems with redefinitions of perl_free as free and perl_malloc
as malloc on Win32, as described at
http://marc.info/?l=apache-modperl&m=119896407510526&w=2
[Tom Donovan]
Fix a crash when running a sub-request from within a filter where
mod_perl was not the content handler. [Gozer]
Refactor tests to use keepalives instead of same_interp [Gozer, Phred]
Apache2::Reload has been moved to an externally maintained
CPAN distribution [Fred Moyer <fred@redhotpenguin.com>]
PerlCleanupHandler are now registered with a subpool of $r->pool,
instead of $r->pool itself, ensuring they run _before_ any other
$r->pool cleanups [Torsten Foertsch]
Fix a bug that would prevent pnotes from being cleaned up properly
at the end of the request [Torsten Foertsch]
On Win32, embed the manifest file, if present, in mod_perl.so,
so as to work with VC 8 [Steve Hay, Randy Kobes]
Expose apr_thread_rwlock_t with the APR::ThreadRWLock module
[Torsten Foertsch]
Don't waste an extra interpreter anymore under threaded MPMs when using a
modperl handler [Torsten Foertsch]
Fix a bug that could cause a crash when using $r->push_handlers() multiple
times for a phase that has no configured handlers [Torsten Foertsch]
Catch up with some httpd API changes
2.2.4:
The full server version information is now included in the error log at
startup as well as server status reports, irrespective of the setting
of the ServerTokens directive. ap_get_server_version() is now
deprecated, and is replaced by ap_get_server_banner() and
ap_get_server_description(). [Jeff Trawick]
2.3.0:
ap_get_server_version() has been removed. Third-party modules must
now use ap_get_server_banner() or ap_get_server_description().
[Gozer]
fixed Apache2::compat Apache2::ServerUtil::server_root() resolution
issues [Joshua Hoblitt]
*) SECURITY: CVE-2007-1349 (cve.mitre.org)
fix unescaped variable interpolation in regular expression
[Randal L. Schwartz <merlyn@stonehenge.com>, Fred Moyer <fred@redhotpenguin.com>]
Make $r->the_request() writeable
[Fred Moyer <fred@redhotpenguin.com>]
fix ModPerl::RegistryCooker::read_script to handle all possible
errors, previously there was a case where Apache2::Const::OK was
returned on an error. [Eivind Eklund <eeklund@gmail.com>]
a minor compilation warning resolved in modperl_handler_new_from_sv
[Stas]
a minor compilation warning resolved in modperl_gtop_size_string
[Stas]
Prevent direct use of _deprecated_ Apache2::ReadConfig in
<Perl> sections with httpd Alias directives from
incorrectly generating
'The Alias directive in xxxxx at line y will probably never match'
messages.
[Philip M. Gollucci <pgollucci@p6m78g.com>]
Prevent Apache2::PerlSections::symdump() from returning invalid
httpd.conf snippets like 'Alias undef'
[Philip M. Gollucci <pgollucci@p6m78g.com>]
Require B-Size 0.9 for Apache2::Status which fixes
Can't call method "script_name" on an undefined value
[Philip M. Gollucci <pgollucci@p6m78g.com>]
-march=pentium4 or anything with an = in it in CCFLAGS or @ARGV
that gets passed to xs/APR/APR/Makefile.PL broke the @ARGV
parsing. I.E. FreeBSD port builds when users had CPUTYPE
set in /etc/make.conf.
[Philip M. Gollucci <pgollucci@p6m7g8.com>]
Fixes to get bleed-ithread (5.9.5+) to compile again.
[Philip M. Gollucci <pgollucci@p6m7g8.com>]
2008-04-16 Gisle Aas <gisle@ActiveState.com>
Release 5.812
Gisle Aas (6):
Typo fix.
Simplified Net::HTTP::Methods constructor call.
Croak if Net::HTTP constructor called with no argument.
Avoid calling $self->peerport to figure out what the port is.
5.811 breaks SSL requests [RT#35090]
Make test suite compatible with perl-5.6.1.
Toru Yamaguchi (1):
Wrong treatment of qop value in Digest Authentication [RT#35055]
2008-04-14 Gisle Aas <gisle@ActiveState.com>
Release 5.811
Gisle Aas (6):
Avoid "used only once" warning for $Config::Config.
Make HTTP::Request::Common::PUT set Content-Length header [RT#34772]
Added the add_content_utf8 method to HTTP::Message.
Typo fix.
Retry syscalls when they fail with EINTR or EAGAIN [RT#34093,32356]
Allow HTTP::Content content that can be downgraded to bytes.
Gavin Peters (1):
HTML::Form does not recognise multiple select items with same name [RT#18993]
Mark Stosberg (1):
Document how HTTP::Status codes correspond to the classification functions [RT#20819]
Robert Stone (1):
Allow 100, 204, 304 responses to have content [RT#17907]
sasao (1):
HTTP::Request::Common::POST suppressed filename="0" in Content-Disposition [RT#18887]
2008-04-08 Gisle Aas <gisle@ActiveState.com>
Release 5.810
Gisle Aas (10):
Small documentation issues [RT#31346]
Explain $netloc argument to $ua->credentials [RT#31969]
Make lwp-request honour option -b while dumping links [RT#31347]
Ignore params for date convenience methods [RT#30579]
Get rid of all the old CVS $Keyword:...$ templates. Set $VERSION to 5.810.
Update Copyright year.
Drop some sample URLs that were failing.
Complement the HTTP::Status codes [RT#29619]
Don't allow HTTP::Message content to be set to Unicode strings.
Refactor test for Encode.pm
Ville Skytta (3):
Spelling fixes [RT#33272]
Trigger HTML::HeadParser for XHTML [RT#33271]
Escape status line in error_as_HTML, convert to lowercase [RT#33270]
Alexey Tourbin (2):
Typo fix [RT#33843]
Protocol/file.pm: postpone load of URI::Escape and HTML::Entities [RT#33842]
Daniel Hedlund (1):
HTML::Form Module and <button> element clicks
Adam Kennedy (1):
HTTP::Cookies handle malformed empty Set-Cookie badly [RT#29401]
Jacob J (1):
[HTTP::Request::Common] Does not handle filenames containing " [RT#30538]
Rolf Grossmann (1):
Allow malformed chars in $mess->decoded_content [RT#17368]
FWILES (1):
Croak if LWP::UserAgent is constructed with hash ref as argument [RT#28597]
Adam Sjogren (1):
Disabled, checked radiobutton being submitted [RT#33512]
DAVIDRW (1):
warn if TextInput's maxlength exceeded [RT#32239]
www/htmldoc
www/htmldoc-x11
The latter is now just www/htmldoc built with a specific set of options.
Changes include:
+ Add options.mk that supports a new option:
htmldoc-gui Build with GUI support
+ Remove Makefile.common and move all logic into htmldoc/Makefile and
htmldoc/options.mk.
+ Add full DESTDIR support.
+ Bump the PKGREVISION for htmldoc and htmldoc-x11 to 7. Both packages
now track and use the same PKGREVISION number.
it any longer.
Fixes build problem in evolution:
> ===> Creating toolchain wrappers for evolution-2.22.1
> ERROR: libgnomeprintui is not installed; can't buildlink files.
Bump BUILDLINK_ABI_DEPENDS.gtkhtml314 for dependency change.
* [bug] Rescue all types of errors when processing request
* [bug] Use Swiftiply backend when -y option is specified
* Allow passing port as a string in Server.new
* Define deferred?(env) in your Rack application to set if a request
is handled in a thread (return true) or not (return false).
Based on patch provided by Zafer Aydogan via private mail.
This update to 2.6.1 contains all patches from the Debian package:
- various bug fixes
- uploading under the temporary name `weex.tmp' with the RenameOK option
- support for FTP proxy server that requires challenge/response
- The i386 RPM was compiled on RedHat 9
- You should be able to "rpmbuild --rebuild" the SRPM on older RedHat releases
or other RPM based distros.
pkgsrc changes:
* project now on sourceforge
* no need for the patch to fix localedir (patch-ac)
* need msgfmt to build
* need gettext-lib
* add DESTDIR support
Version 3.35
1. Resync with bleadperl, primarily fixing a bug in parsing semicolons in uploaded filenames.
Version 3.34
1. Handle Unicode %uXXXX escapes properly -- patch from DANKOGAI@cpan.org
2. Fix url() method to not choke on path names that contain regex characters.
Version 3.33
1. Remove uninit variable warning when calling url(-relative=>1)
2. Fix uninit variable warnings for two lc calls
3. Fixed failure of tempfile upload due to sprintf() taint failure in perl 5.10
Version 3.32
1. Patch from Miguel Santinho to prevent sending premature headers under mod_perl 2.0
Version 3.31
1. Patch from Xavier Robin so that CGI::Carp issues a 500 Status code rather than a 200 status code.
2. Patch from Alexander Klink to select correct temporary directory in OSX Leopard so that upload works.
3. Possibly fixed "wrapped pack" error on 5.10 and higher.
Version 3.30
1. Patch from Mike Barry to handle POSTDATA in the same way as PUT.
2. Patch from Rafael Garcia-Suarez to correctly reencode unicode values as byte values.
pkgsrc changes: replace MAKE_FLAGS+= INCLUDES="-I${LOCALBASE}/include/httpd"
with MAKE_FLAGS+= INCLUDES="-I${BUILDLINK_PREFIX.apache}/include/httpd"
Version 2.2 (Jul 31st 2007)
1. Support configuration "PassHeader"
Thank Hans Christian Saustrup for the suggestion.
2. Support apr_shm_remove() in httpd.2.0.X
Thank Hans Christian Saustrup for bug report.
3. Support configuration "TimeScore"
Thank Tim Jensen for the patch.
4. Support new configurations "MaxRequestInMem" and "MaxRequestLen"
If the length of the HTTP request is longer than "MaxRequestInMem", it will be stored in a tmp file.
If the length of the HTTP request is longer than "MaxRequestLen", it will return an internal server error.
Thank Gabriel Barazer(gabriel at oxeva.fr) for the bug report.
Thank Steffen(info at apachelounge.com) for the help on this issue.
5. Fix minor sanity check bug
Thank Yuya Tanaka for bug report
UNIX&Win32 source: mod_fcgid.2.2.tar.gz
Version 2.1 (Feb 15th 2007)
1. Add missing config.m4 and Makefile.in for static linking
Thank Mark Drago for notice
2. FCGIWrapper disallowed in .htaccess
Thank Balinares for patch
3. Bug fix. Authoritative flag reversed
Thank Chris Darroch for the patch
4. Support arguments in FCGIWrapper
Thank Andre Nathan for suggestion and great help on testing it.
5. Support new config "SharememPath", which specifies the location of share memory path.
6. Check running user is root or not, while suexec is enabled.
Thank Chris Holleman for the bug report.
7. Bug fix. Should not pass respond to auth checkers.
Thank Szabolcs Hock for bug report.
Version 1.5.9 released
2008-02-17, 08:58 GMT
2008-01-25
- Added Ukrainian translation (Anton Lytvynenko)
2008-01-09
- Include Debian patch #403812, FTBFS on GNU/kFreeBSD
- Mark unread now toggles read status, Debian bug #394312
Version 1.5.8 released
2008-01-09, 08:15 GMT
1.5.8 has made it... somehow. Well actually this is just a small change
which adds two new translations and build fixes as well as moving the
manpages to share/ hierarchy.
In other words, I have lost track of the changes. ;)
I'm currently going through the Debian bugtracker and integrating most of
what's piled up there.
merb-sequel to 1. In that commit, the dependency was bumped at the
package level, but gems also track dependencies independently of
pkgsrc, so patch the Rakefile to:
+ Bump the dependency on sequel to 1.4.0.
+ Remove the dependency on sequel_model, which was merged into the
main sequel package as of version 1.4.0.
* When creating or editing a blog post or page, the preview is displayed above
the edit form rather than below it.
* Spaces in blog post URLs are replaced with - rather than _ (this change will
only affect new posts; existing post URLs will not be changed).
* Blog posts provide Atom feeds for recent comments.
* Tag pages provide Atom feeds for posts with that tag.
* Blog posts are marked up using the hAtom microformat.
* Thoth auto-generates an XML sitemap at http://yourblog.com/sitemap (set
site.enable_sitemap to false to disable).
* Comment URLs are built using the name of the post the comment is attached to
rather than the id.
* Fixed a bug that prevented Atom and RSS feeds from being cached when
server-side caching was enabled.
* Fixed entry titles in Atom feeds claiming to be type="html" when in fact
they weren't.
* Fixed a bug that sometimes caused flash messages to be cached with the
output of an action and re-displayed until the cached action expired.
* Fix server crash when header too large.
* Add --require (-r) option to require a library before executing your
script.
* Rename --rackup short option to -R, warn and load as rackup when file
ends with .ru.
* List supported adapters in command usage.
* Add file adapter to built-in adapter, serve static files in current
directory.
* Allow disabling signal handling in Server with :signals => false
* Make Server.new arguments more flexible, can now specify any of host,
port, app or hash options.
* Add --backend option to specify which backend to use.
* Serve static file only on GET and HEAD requests in Rails adapter.
* Add threaded option to run server in threaded mode; calling the
application in a thread allowing for concurrency in the Rack adapter.
* Guess which adapter to use from directory (chdir option) or use
specified one in 'adapter' option.
databases/ruby-sequel as of version 1.4.0.
+ Update dependencies for www/thoth and www/merb-sequel to reflect
removal of ruby-sequel-model -- use ruby-sequel instead. Bump the
PKGREVISION for these two packages.
This release fixes security vulnerabilities and also changes APIs. Sites are urged to upgrade immediately after reading the security announcement:
* SA-2008-026 - Drupal core - Drupal core - Access bypass
In addition to this security vulnerability, the following bugs have been fixed since the 6.0 release:
* #228120 by jvandyk: typo in documentation in comment.tpl.php
* #226480 by gpk: fix wording on when node access rebuild button is displayed in node_configure()
* #229817 by mcarrera: l() attributes were not properly specified in theme.inc's theme_username()
* #234403 by alienbrain: PHP.net documents we should use CRLF in mail headers, so do that
* #226555 by jvandyk, Rok Zlender: fix notice level error in xmlrpc.inc
* #204415 by chx: actually use 'administer content types' permission for node type editing instead of 'administer nodes'
* #234699 by hass: theme_link() did not mark frontpage links active properly
* #237717 by hass: missing t() in system_clear_cache_submit()
* #232037 by pwolanin: (performance) block regions should only be populated when called for, not in all cases (fixes performance expectation on 403/404 pages)
* #226728 by chx: (performance) temporary cache table entries were not flushed, causing cache_menu and cache_form to grow big
* #231587 by pwolanin, killes: (performance) use two level cache in menus, instead of storing very large amounts of data multiple times
* #239196 by jvandyk and myself: missing status check on nodes in search indexing counter
* rolling back #234403 by Bevan and damz: we should keep using LF in mail headers, without CR, CRLF causes problems
* #238564 by scor: two missing t() calls in update.module
* #241629 by solotandem: dblog module left one more row in, when cleaning up in cron
* #244597 by kbahey: remove cruft from user_login(), that added extra message to the form was never used or displayed
2.5 years of various changes and improvements.
pkgsrc changes:
Use libtool to provide a shared library; fixes wip/kdewebdev4 on amd64.
Generate API documentation from the provided files using doxygen.
Standardize path to installed documentation.
1.34 Mon Dec 10 00:30:39 CST 2007
========================================
[FIXES]
Many fixes to make the test suite more portable.
1.32 Tue Oct 30 12:02:17 CDT 2007
========================================
[ENHANCEMENTS]
Added dump methods to mirror mech-dump:
* $mech->dump_images()
* $mech->dump_links()
* $mech->dump_forms()
* $mech->dump_all()
Sanity checks in the WWW::Mechanize::Image constructor. Every Image
must have a "url" and "tag" field passed in to it.
1.31_02 Thu Oct 25 11:48:29 CDT 2007
========================================
[ENHANCEMENTS]
Added class, class_regex, id and id_regex limiters to find_link()
and find_all_links(). Thanks to Adriano Ferreira.
1.31_01 Mon Sep 17 23:38:03 CDT 2007
========================================
[FIXES]
Mech tests now pass even if your DNS server gives A records for
anything (like OpenDNS). Thanks, Miyagawa!
Searching for the <base href> is now case-insensitive. A better
solution would be to actually parse the HTML.
[ENHANCEMENTS]
mech-dump now handles --user and --password arguments for sites
that require authentication.
CGI::Ajax is an object-oriented module that provides a unique
mechanism for using perl code asynchronously from javascript-
enhanced HTML pages. CGI::Ajax unburdens the user from having to
write extensive javascript, except for associating an exported
method with a document-defined event (such as onClick, onKeyUp,
etc). CGI::Ajax also mixes well with HTML containing more complex
javascript.
Security
* Fixed an issue where newsfeed prompts could cause Opera to execute
arbitrary code, as reported by Michal Zalewski. See our advisory.
http://www.opera.com/support/search/view/881/
* Solved an issue where resized canvas patterns could cause Opera to
execute arbitrary code, as reported by Michal Zalewski. See our
advisory. http://www.opera.com/support/search/view/882/
* Improved keyboard handling of password inputs, as reported by Trystan S.
Miscellaneous
* Fixed a BitTorrent transfer stability issue.
* Resolved stability issues with the Acid 3 test.
* Additional stability fixes.
New features/improvements:
- Full support for -day option. To build different report for each day
- Added virtualenamequot tag
- Added option NotPageList
- Added .jobs and .mobi domains
Fixes:
- Minor bug in awstats_configure.pl
Other/Documentation:
- Updated some language files.
- Updated browsers database.
Drupal is software that allows an individual or a community of users to easily
publish, manage and organize a great variety of content on a website. Tens of
thousands of people and organizations have used Drupal to set up scores of
different kinds of web sites, including
* community web portals and discussion sites
* corporate web sites/intranet portals
* personal web sites
* aficionado sites
* e-commerce applications
* resource directories
Drupal includes features to enable:
* content management systems
* blogs
* collaborative authoring environments
* forums
* newsletters
* picture galleries
* file uploads and download
Webby is a static website generator tool. Rake tasks are used to
convert erb, textile, markdown, etc. formatted files into HTML suitable
for publication to a web server.
Thoth is a blog engine written in Ruby and based on Ramaze and Sequel.
Its simple, elegant architecture, minimalist featureset, and extensible
codebase make it both fast and easy to customize.
Thin is a very simple web server written in Ruby. It's single-threaded,
which means it can only serve one request at a time. This simplicity
affords increased speed and decreased memory usage for single-threaded
frameworks like Rails.
Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.
include:
+ Install as a Ruby gem.
* Fixed a bug when fetching files and not pages.
* WWW::Mechanize#get now takes hash arguments for uri parameters.
* Handling gzipped responses with no Content-Length header
* Fixed a bug with EOF errors in net/http. [#17570]
* Handling 0 length gzipped responses. [#17471]
* Changed parser to lazily parse links
* Lazily parsing document
* Updating UTF-8 support for urls
* Adding AREA tags to the links list.
* WWW::Mechanize#follow_meta_refresh will allow you to automatically follow
meta refresh tags. [#10032]
* Adding x-gzip to accepted content-encoding.
* Added Digest Authentication support.
* Many bug fixes.
Ramaze is a simple, light and modular open-source web-framework written
in Ruby. It provides several easy to understand and fully documented
abstractions useful for the daily work of a pragmatic web developer.
This package is a Mongrel plugin to help start/stop/restart multiple
mongrel servers to use behind a load balancer like Apache 2.2
(mod_proxy_balancer), Lighttpd, Pound, Pen or Balance. This plugin
adds an option to specify a number of Mongrel servers to launch, a
range of ports, and a configuration file for the cluster.
+ Remove dependencies on cgi_multipart_eof_fix and fastthread because
newer versions of Ruby required by pkgsrc don't need it. Also remove
signatures from the gem as these have been modified by pkgsrc.
v1.0.2. Signed gem; many minor bugfixes and patches.
v1.0.3. Fix user-switching bug.
v1.0.4. Backport fixes for versioning inconsistency, mongrel_rails bug,
and DirHandler bug.
v1.1. Pure Ruby URIClassifier. More modular architecture.
JRuby support.
v1.1.1. Fix mongrel_rails restart bug; fix bug with Rack status codes.
v1.1.2. Fix worker termination bug; fix JRuby 1.0.3 load order issue;
fix require issue on systems without Rubygems.
v1.1.3. Fix security flaw of DirHandler
v1.1.4. Fix camping handler. Correct treatment of @throttle parameter.
This package contains a plugin for the Merb framework that provides
Merb::PartController, which is a lightweight way to share logic and
templates amongst controllers.
This package contains a plugin for the Merb framework that exposes two
new controller methods which allow one to simply and flexibly filter
the parameters available within the controller.
This package contains merb-more, which provides the full set of
functionality for Merb outside of the merb-core classes. Adding merb-more
gives you the Full Stack -- take what you need; leave what you don't.
Merb_has_flash is a plugin for the Merb framework that provides Rails-style
flash.
The ``flash'' provides a way to pass temporary objects between actions.
Anything you place in the flash will be exposed to the very next action
and then cleared out. This is a great way of doing notices and alerts,
such as a create action that sets
flash[:notice] = "Successfully created"
before redirecting to a display action that can then expose the flash
to its template.
merb-core is the heart of the merb MVC framework. It has the rack
abstraction along with the dispatcher, router, controller and view
layers. You can make very fast, small footprint services and apps with
just merb-core.
This package contains a plugin for the Merb framework that provides
support for handling assets and asset bundling.
The key to making a fast web application is to reduce both the amount
of data transferred and the number of client-server interactions. While
having many small, modular JavaScript or stylesheet files aids in the
development process, your web application will benefit from bundling
those assets in the production environment.
An asset bundle is a set of asset files which are combined into a single
file. This reduces the number of requests required to render a page,
and can reduce the amount of data transfer required if you're using gzip
encoding.
Like Ruby on Rails, Merb is an MVC framework. Unlike Rails, Merb is
ORM-agnostic, JavaScript library agnostic, and template language
agnostic, preferring plugins that add in support for a particular
feature rather than trying to produce a monolithic library with
everything in the core. In fact, this is a guiding principle of the
project, which has led to third-party support for the ActiveRecord,
DataMapper, and Sequel ORMs.
In addition, it means that the core code in Merb is kept simple and
well organised. This has multiple benefits. It means it's faster
for one thing. It's also easier to understand, maintain and extend.
Heel is a mongrel based web server to quickly and easily serve up the
contents of a directory as webpages. Beyond just serving up webpages
heel uses an ERB template and famfamfam icons to create useful index
pages. And to make things even easier it launches your browser for
you so no cut and paste necessary.
+ Install as a Ruby gem.
- Ruby on Rails 2.0 support.
- Add new command-line property '--docwrite={true|false}' to
Erubis::Ejavascript. If this property is true then
'document.write(_buf.join(""));' is used as postamble and if it is
false then '_buf.join("")' is used.
- When using Erubis::Eruby#evaluate(), changing local variables in
templates affected variables accessible with TOPLEVEL_BINDING.
This means that changing variables in templates could change
variables in the main program. This was a bug and is now fixed so
that variables in the main program are not affected.
- Preprocessing is supported by Ruby on Rails helper.
- Erubis::Eruby#evaluate() (or Erubis::RubyEvaluator#evaluate()) now
creates Proc object from @src and eval it.
- Erubis::Eruby#def_method() is supported. This method defines ruby
code as instance method or singleton method.
- Erubis::XmlHelper.url_escape() and u() which is alias of url_escape()
are added.
Camping is a web framework which consistently stays at less than 4kb
of code. You can probably view the complete source code on a single
page. But, you know, it's so small that, if you think about it, what
can it really do?
The idea here is to store a complete fledgling web application in a
single file like many small CGIs. But to organize it as a
Model-View-Controller application like Rails does. You can then easily
move it to Rails once you've got it going.
Set user with DANSGUARDIAN_USER and DANSGUARDIAN_GROUP and ensure log dirs
are created with correct permissions.
Use OWN_DIRS to create languages and phraselists directories instead of our
own pre-install target - this fixes binary packages.
Bump PKGREVISION to 2
Changes to squid-2.6.STABLE19 (19 Mar 2008)
- Fix tcp_outgoing_address example config to match its description
- Bug #2198: assertion failed sc != NULL when using peer monitor
function
- Fix missing default disk store type into QUICKSTART example.
- Bugzilla #761 : Handle recursive completion operations in diskd.
- documentation bugfix for tcp_outgoing_tos directive
- Sort cache list in wccpv2 to ensure a consistent hash allocation
across all services
- Updated Ukrainian error pages
- Compile error in squid_kerb_auth under Mac OS X 10.5.2
- squid_radius_auth failed to process more than 256 requests
- Clarified description of 'cache_vary' directive
- Make range_offset_limit 0 disable local range processing as
documented, even if the first range starts at 0
Security fixes in this version:
MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
MFSA 2008-18 Java socket connection to any local port via LiveConnect
MFSA 2008-17 Privacy issue with SSL Client Authentication
MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
For more info, see http://www.seamonkey-project.org/releases/seamonkey1.1.9/
Security fixes in this version:
MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
MFSA 2008-18 Java socket connection to any local port via LiveConnect
MFSA 2008-17 Privacy issue with SSL Client Authentication
MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.13/releasenotes/
This module takes a list of CSS files and concatenates them, making sure
to honor any valid @import statements included in the files.
Approved-by: cube
Major new features:
* quickly working standalone mode (similar to DesktopEdition)
* xapian index search (including attachments of supported mimetypes)
* WikiSynchronisation
* moin can receive email now
* wiki parser: easier link and transclusion markup (and new macro
markup)
* new parsers for: creole wiki markup, html (safe), diffs
* discussion pages
* inline comments
* hierarchical ACLs (see HelpOnAccessControlLists)
* new anti-spam feature: TextChas
* SisterSites support
* new xmlrpc methods, easier auth, multicall support
* Improved params for [[target|label|params]]:
* AdvancedSearch: make multiple categories/languages/mimetype selections
possible
* Added a configuration directive to only do one bind to the LDAP
server.
+ many bugfixes, including at least one XSS fix.
Sun Mar 9 19:24:26 GMT 2008 - surfraw 2.2.1
* New elvi:
+ lsm - Search the Linux Software Map.
+ sunonesearch - Search Sun's One Search (replaces sunsolve).
* Fixed elvi: cddb, cnn, debcontents, deblists, debpackages, freedb,
fsfdir, genpkg, and yubnub (thanks for the latter to Nathaniel Heinrichs).
* Removed elvis: sunsolve (replaced by sunonesearch).
* amazon, ebay, translate: expanded language/country list.
* Added new configuration variable SURFRAW_lang.
Elvi that support specifying language or country
will use this as a default. If used, it should be set
to an ISO 2-letter country code (eg uk, de, ca).
Thanks to Simon Ernst for the idea.
* Fixed quoting single quotes in URLs (thanks to Alexander
Becher for the patch).
urlgrabber is a pure python package that drastically simplifies
the fetching of files. It is designed to be used in programs that
need common (but not necessarily simple) url-fetching features.
It is extremely simple to drop into an existing program and provides
a clean interface to protocol-independent file-access. Best of all,
urlgrabber takes care of all those pesky file-fetching details,
and lets you focus on whatever it is that your program is written
to do!
3.0.8 is a stable release which includes many significant enhancements and
new features, and the usual squashed bugs. The most prominent new
features are the ability to "tag" headers and apply actions based on those
tags, making Privoxy much more flexible, and Privoxy can now act as an
"intercepting" proxy.
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
Of note:
important: Data integrity CVE-2007-6286
important: Information disclosure CVE-2007-5461
low: Elevated privileges CVE-2007-5342
low: Session hi-jacking CVE-2007-5333
Are all fixed in this release.
- Revive support for system without NetBSD style rc/rc.d.
- Always pass command_args and squid_flags to squid command.
This should fix the PR pkg/38036 by Wolfgang Stukenbrock.
Bump PKGREVISION.
changes:
- Works with Firefox 1.5.x and xulrunner 1.8.x
- Compiles with xulrunner 1.9, but a lot of functionality is disabled due
to being no longer exposed by xulrunner (or not working)
- MyPortal
- User stylesheets
- Remembering passwords
- http authentication
- Support for external mailers which don't understand mailto: urls is
completely removed. Pretty much all modern mailers support them now.
see GIT history.
Made option elinks-fastmem the default, as it's significantly faster
and I don't trust their wrappers of malloc(), et al. anyway.
Version 0.12 supports boehm-gc, which will probably become the default.
If 0.12 isn't released fairly soon, I'll see about backporting support.
Also add elinks-html-highlight as a default, as there's really no
reason not to.
* 208700 by pwolanin. Fix bad backport of #194579. Modified to use Form API.
* 118569 by bevan: document how should one set RewriteBase, if under a VirtualDocumentRoot. Backport by Bart Jansens.
* Patch 115606 by Junyor, thesaint_02: added support for PHP 5.2's 'recoverable fatal errors'.
* 209409 by Heine, webernet, dww: more accurate register globals value checking