## Rails 3.1.8 (Aug 9, 2012)
* There is an XSS vulnerability in the `strip_tags` helper in Ruby on Rails:
  the helper doesn't correctly handle malformed HTML. As a result an attacker
  can execute arbitrary JavaScript through the use of specially crafted
  malformed HTML.
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
* When a "prompt" value is supplied to the `select_tag` helper, the "prompt"
  value is not escaped. If untrusted data is not escaped and is supplied as
  the prompt value, there is a potential for XSS attacks.
  Vulnerable code will look something like this:

      select_tag("name", options, :prompt => UNTRUSTED_INPUT)
*Santiago Pastorino*
## Rails 3.0.17 (Aug 9, 2012)
* There is an XSS vulnerability in the `strip_tags` helper in Ruby on Rails:
  the helper doesn't correctly handle malformed HTML. As a result an attacker
  can execute arbitrary JavaScript through the use of specially crafted
  malformed HTML.
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
* When a "prompt" value is supplied to the `select_tag` helper, the "prompt"
  value is not escaped. If untrusted data is not escaped and is supplied as
  the prompt value, there is a potential for XSS attacks.
  Vulnerable code will look something like this:

      select_tag("name", options, :prompt => UNTRUSTED_INPUT)
*Santiago Pastorino*
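The `select_tag` prompt issue in both the 3.1.8 and 3.0.17 entries above comes down to interpolating the prompt into the `<option>` markup verbatim. The following is an added example, not Rails code: a constructed stand-in for the unescaped helper beside a hardened form that runs the prompt through `ERB::Util.html_escape`, plus a check that tells whether the untrusted prompt's markup survived into the rendered output.

```ruby
require "erb"

# Constructed stand-in for the pre-fix behaviour (not the Rails source):
# the prompt is interpolated into the markup without escaping.
def select_tag_unescaped(name, options_html, prompt)
  "<select name=\"#{name}\" id=\"#{name}\">" \
    "<option value=\"\">#{prompt}</option>#{options_html}</select>"
end

# Hardened form: the prompt (and the developer-supplied name, for good
# measure) pass through html_escape before being interpolated, which is
# what the fix amounts to. Escaping turns < > & " ' into entities, so the
# prompt is rendered as text and cannot open a new element.
def select_tag_escaped(name, options_html, prompt)
  safe_name = ERB::Util.html_escape(name)
  safe_prompt = ERB::Util.html_escape(prompt)
  "<select name=\"#{safe_name}\" id=\"#{safe_name}\">" \
    "<option value=\"\">#{safe_prompt}</option>#{options_html}</select>"
end

# Returns true when an untrusted value containing markup characters appears
# verbatim in the rendered HTML, i.e. when escaping was skipped.
def prompt_markup_leaks?(rendered, untrusted)
  return false unless untrusted =~ /[<>"']/
  rendered.include?(untrusted)
end

# Constructed sample data: trusted option markup and an untrusted prompt
# that carries HTML tags (the shape of the UNTRUSTED_INPUT above).
OPTIONS = '<option value="1">One</option>'.freeze
UNTRUSTED_INPUT = "Pick <b>me</b>".freeze

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{select_tag_unescaped('name', OPTIONS, UNTRUSTED_INPUT)}"
  puts "escaped:   #{select_tag_escaped('name', OPTIONS, UNTRUSTED_INPUT)}"
end
```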
The Marionette Collective, a.k.a. mcollective, is a framework for building
server orchestration or parallel job execution systems.
Mcollective's primary use is to programmatically execute actions on clusters of
servers. In this regard it operates in the same space as tools like Func,
Fabric or Capistrano.
By not relying on central inventories and tools like SSH, it's not simply a
fancy SSH "for loop". MCollective uses modern tools like Publish Subscribe
Middleware and modern philosophies like real-time discovery of network
resources using metadata rather than hostnames, delivering a very scalable and
very fast parallel execution environment.
The focus is on catering to the needs of enterprises and large deployments.
Pluggable Authentication, Authorization and Auditing capabilities set it apart
from other tools in this space.
Bison 2.6.x+ handles the yydebug functionality differently by predefining
YYDEBUG. The yacc logic is not expecting YYDEBUG to be defined without
a value, so it breaks on an "#if YYDEBUG" macro in a few places.
In order to make this work with pre-2.6 bison as well as current versions,
hard-code the inclusion of debug symbols. It doesn't hurt anything and
it fixes the package.
* Drop gmake from USE_TOOLS, bmake is sufficient
* Support NetBSD-current's libexecinfo
* Switch to gtk3
Fotoxx change log
=================
2012.08.01 v.12.08
+ Menus now show a popup description if the mouse dwells on a menu item.
+ Auto-synchronization (indexing of new image files) was made optional.
If disabled, metadata edit and search functions are also disabled.
These can be restored at any time by synchronizing the image files.
+ The size of a printed image (in centimeters) can be set in advance.
+ A 1-click sepia coloring was added (aged photo effect).
+ If Linux standard trash and desktop trash folder both fail (possible
with some distros) give the option to simply delete the image file.
+ Painting and scrolling the gallery window was made faster.
+ Navigating the gallery window to other directories was simplified.
+ A gallery from an image search or collection can be discarded and
replaced with a directory gallery using a toolbar button.
+ Bugfix: Edit Collections: keep the gallery window scroll position
stable when adding or removing images from a collection.
+ Bugfix: If the initial gallery window is list view (no thumbnails),
then the gallery window displayed only a blank window.
+ Bugfix: Crash if a retouch function is "painted" with the mouse and
the function is canceled before any change is made.
+ Bugfix: Show RGB [clear] button cleared image tags but not the dialog.
+ Web site was changed from squarespace.kornelix.com to kornelix.com.
2012.07.05 v.12.07.1
+ Bugfix: World map loses the mouse connection and becomes unresponsive
after a left mouse click/drag is used to zoom/pan the map image.
2012.07.03 v.12.07
+ Tabs are now used to switch between the image and gallery windows.
+ List Geotag Groups by country, country/city, or country/city/date.
Nearby dates can be grouped together. Click a listed group to get the
corresponding thumbnail image gallery, view or edit images from there.
+ Click a location on a world map, get the corresponding image gallery.
+ Several small UI improvements in geotag edit and report functions.
+ Bugfix: edit collection: removing images was sometimes not possible if
some images still in the collection had been deleted from disk.
+ Bugfix: memory leak if successive images are viewed in rapid sequence.
+ Bugfix: Art > Dots treatment was destroyed when saved to a file.
+ Bugfix: crash in Open Recent File if the first file had been deleted.
2012.06.17 v.12.06.2
+ The Spanish and Galician translations were updated.
+ Bugfix: crash following use of Batch Add Geotags function.
+ Bugfix: stop unwanted gallery window from appearing when the control
key is used to link mouse actions to the main window.
2012.06.01 v.12.06.1
+ Bugfix: version check for exiftool failed for locales having a comma
decimal point instead of a period (e.g. 8,60 instead of 8.60).
2012.06.01 v.12.06
+ The Spanish and Galician translations were updated (as of v.12.05).
+ Package exiftool version 8.60 or later is now a requirement.
(this translates into Ubuntu 11.10 or later)
+ New: List geotag groups (city, country, date, image count), click on a
group to show a thumbnail gallery, click thumbnails to view or edit.
+ Added and revised geotag locations were separated from the download set,
to make them easier to keep when changing computers or Linux releases.
+ Geotag search for "null" can be used to find images with no geotags
(also within other search criteria such as date).
+ New: Voodoo retouch function improves most images with one click.
+ Thumbnail files are now .jpeg instead of .png. Initialization after a
new install is about 40% faster, and thumbnails are 1/3 as large.
+ There are now three thumbnail options: no thumbnails, thumbnails in the
image directories (as before), or use a designated thumbnail directory.
+ Flatten Brightness: prevent "color bands" in monotone bright areas.
+ Rotate function user interface was improved and made more responsive.
+ Keyboard shortcuts can be revised and new ones added by the user.
+ Stop popup messages from getting hidden behind other windows.
+ Block "save to file" if an edit dialog is active (unpredictable result).
+ Edit history log was moved from EXIF:EditStatus to EXIF:ImageHistory
because this is the de facto standard.
+ Metadata reports were changed to use EXIF tag names instead of tag
descriptions. These are needed to directly edit metadata.
+ Slide Show: added continuous loop option (last goes back to first).
+ Trim: new option to start automatically for each new file opened
(work through a batch of new photos more quickly).
+ Trim: new convenience button to do rotate and return to trim.
+ The [prev] and [next] buttons pre-load the next file ahead of need.
This can speed-up sequential viewing of images on a slow computer.
+ F11 toggles main window to full-screen (no menu/toolbar) and back.
+ Bugfix: geotag retrieval failure with photos from some cameras.
+ Bugfix: Keyboard shortcut T (for Trim) caused a crash.
2012.04.21 v.12.05
+ Geotagging and reporting was added. Geotags may be entered using city
names, with substring matching. Click the wanted city from multiple
candidates. Multiple images can be processed rapidly. Batch processing
is also available. Search images by city [country] or within radius of
a given location. Output is a gallery of clickable thumbnails. Select
locations to assign or search from a world map. Database has 3000+
cities and others can be added as needed from a web geocoding service.
+ Search Images function was simplified. Searching by date, rating, tags,
comments, caption, filename, geotags, and any other metadata is in one
GUI with buttons to select the unusual options.
+ Bugfix: captions and comments with embedded quotes were causing some
metadata edits to fail (do nothing).
+ Bugfix: stop GUI lockup if window is resized by user while panorama or
other composite function is still computing.
+ Bugfix: stop paranoia if an image directory is read-only and thumbnail
subdirectory cannot be created - just leave out the thumbnails.
+ Bugfix: GUI was too difficult to view and edit the same collection.
2012.04.01 v.12.04
+ Select Area by color tones is almost 2x faster with less flicker.
+ New: Erase an object by overpainting with selected background.
+ New: Vignette Tool: change brightness or color in a radial pattern.
+ Art > Tiles: an optional 3D depth effect was added.
+ Edit Pixels: do area edge blending same as other edit functions.
+ Gamma Curve: buttons [++] etc. added as in brightness/color curves.
+ Select Area: "tweak" mode added: nudge an edge line using the mouse.
+ White Balance: slider added to adjust the impact from 0 to 100%.
+ Gallery window navigation was made a little more flexible.
+ First time startup: initial thumbnail creation and image file indexing
is 2x faster (2000+ images/min. on a strong PC with 4 cpu cores).
+ New: Help > Log File: view the current (live) log file.
+ Memory allocation failure: no crash, exit with a reasonable message.
+ Bugfix: rare crash when a concurrent edit function completes.
2012.03.14 v.12.03.2
+ Bugfix: Select Area / Finish: crash in cairo. This is apparently a new
bug in gtk3/cairo which affects some distros (but not current Ubuntu).
Fotoxx was changed to avoid the problem: remove calls to gdk_flush().
This can make Fotoxx appear to "freeze" during Select Area / Finish.
2012.03.04 v.12.03.1
+ Bugfix: Select Area: cancel button did not kill the Finish process.
+ Bugfix: Retouching a zoomed image caused temp. change in aspect ratio.
2012.03.01 v.12.03
+ Mouse-driven area select and edit functions respond much faster.
+ The internal image format was changed from int-16 to float-32 per
RGB color. This simplified the code and made some edit functions
slightly faster. There is no visual image impact. The main memory
needed to edit a 20 megapixel image has grown to about 800 MB.
+ The exiftool program is started as a server process and left running.
This eliminates a significant startup delay for every image opened.
+ Indexing of new files at startup was made much faster: typically
1-2 seconds on a strong PC if only a few new images are found.
+ A toolbar button is used to change the mouse-drawing color for select
and edit functions. Similar buttons on many dialogs were removed.
+ The pixel edit function was made easier and faster to use.
+ An edited file can be saved in the additional formats .bmp and .ico.
+ Setting the zoom ratio was simplified: each 2x zoom is 1-3 clicks.
+ Create Blank Image: the file type can be .jpg, .tif, .png, or .bmp.
+ The E-mail function was removed because Thunderbird and Evolution do
not work (or no longer work) with the "standard" xdg-email protocol
for attachments. Use Tools > Batch Convert to select images, export,
and reduce size (if wanted) for attaching to e-mail or uploading.
+ Bugfix: If the top image directory was set to /home/<user>, thousands
of unwanted files in /home/<user>/.thumbnails/* were being indexed.
+ Bugfix: Stack/Noise image alignment was poor if there was significant
camera movement between photos.
+ Bugfix: Progress monitoring for some functions was very inaccurate.
+ Bugfix: some .gif files produced empty thumbnail images.
+ Bugfix: file synchronization at startup was sometimes wasting time
with unnecessary updates.
2012.02.01 v.12.02
+ Fotoxx was converted to use GTK3 and Cairo. It will no longer build
or install on older Linux releases lacking these libraries.
+ Multiple (up to 10) top image directories are now supported.
+ The gallery thumbnail size is saved and restored across sessions.
+ Bugfix: crash if an image present 2+ times in a collection is removed.
+ Bugfix: crash in slide show "jaws" transition.
+ RPM packages are built using Fedora and rpmbuild instead of alien.
2012.01.04 v.12.01.2
+ Italian user guide was updated.
+ Swedish translation was updated.
Some of the libreoffice unit tests, for example system fonts, require
additional and currently unidentified dependencies to run. As a
result, Libreoffice will build outside a clean environment but fails
to build in pbulk chroot or Tinderbox.
With this new patch, libreoffice builds cleanly in Tinderbox.
The modified patch probably makes no difference but it's kept because
the configuration is known to build in a clean environment.
Some platforms will automatically convert DOS endings to unix endings
during the extraction of a zip file. Those that do this can't use
patches with DOS endings, so revert the last commit.
Instead, copy textproc/FlightCrew package's method:
For each file that will be patched, strip any DOS endings found after
extraction. If they've already been stripped out, that's fine. It
guarantees that every platform will strip the target files at least
once, allowing all of them to use Unix line-ending patches.
Version 2.1a is not compatible with zlib 1.26+. Luckily this problem
was fixed in version 2.2. Three patches were removed, and a few were
tweaked.
src/linux.c and src/win.c now have dos line endings. I used the
technique seen in textproc/FlightCrew to convert these to unix
endings after extraction. That should allow this package to build
on all platforms where zip handling of line ending differs.
Also defined GPLv3 license.
Several files needed the <cstring> include for functions like memset.
Additionally, Tinderbox caught this error:
=== Checking filesystem state after all packages deleted
================================================================
list of extra files and directories in / (not present on clean system
but present after everything was deinstalled)
34217227226 0 lrwxr-xr-x 1 root wheel 65 Aug 12 00:13
usr/local/bin/openmsx ->
/work/emulators/openmsx/work/.destdir/usr/pkg/openmsx/bin/openmsx
The package was installing a symbolic link from /usr/local/bin to the
destdir! Luckily this feature is switchable with a variable. Fixed.
* Update MASTER_SITES
* Cannot connect to HOMEPAGE
* Update license, and remove RESTRICTED
* For example, ~/.termcap is needed, because this package uses Term::Cap
Changelog:
* Add a commandline option
* Change termcap handling
Based on the excellent TagLib C++ library, which is fast, full-featured
and mature. In contrast to other bindings, this one wraps the full C++ API,
not only the minimal C API. This means that all tag data can be accessed,
e.g. cover art of ID3v2 or custom fields of Ogg Vorbis comments.
* Convert to use FIND_PREFIX mechanism instead of LOCALBASE
* Set LICENSE
Changelog:
VERSION 1.3.1 (Aug 31 2008)
------------------------------------------------------------------------------
- Fix help message mixup in lines between -c and -t.
- Add more specific error messages for not currently implemented potential
per backup point options, like cmd_preexec.
- Allow named pipe as logfile - suggested by Patrice Levesque.
- Include rsnapshot-copy script written by Matt McCutchen.
- Allow `backticks` in include_conf.
- Apply fix-sync_first-rollback.diff patch from Matt McCutchen (02 Apr 2008).
- hopefully fix bug with link_dest not being used on second and later backups
when you have link_dest 1 and sync_first 1. (Ignore $sync_dir_was_present)
- Patch from Adam Greenbaum to allow passing of ssh arguments correctly.
- David Grant added rsync_numtries to rsnapshot.conf.
- Applied Ben Low's Linux LVM patch.
- Added stop_on_stale_lockfile, thanks to Henning Moll.
- Michael Ashley's fix for filter/space problems on the rsync command line.
- Remove trailing whitespace from command names in rsnapshot.conf.
- Warn about extra spaces between tab and argument.
- Added multi-line config options, thanks to Dieter Bloms.
- The 'interval' config option is now called 'retain'.
- chdir to avoid an obscure bug in some versions of GNU rm.
- Changed use_lazy_deletes option to use _delete.$$ directories.
- Added note about -H and hard links to docs for rsync_short_args.
- Include rsnapshot-diff.1 in rpm.
- Fix bug with rsnapshot sync the first time (when .sync does not exist)
trying to copy hourly.0 to .sync, even if hourly.0 doesn't exist.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413439
VERSION 1.3.0 (Oct 21 2006)
------------------------------------------------------------------------------
- Add files rsnapreport.pl Upgrading_from_1.1 rsnapshot-HOWTO.en.html to rpm.
- fix a bug with removing interval.delete (with use_lazy_deletes).
- rsnapshot detects the global ssh_args option being set multiple times,
and gives a config error suggesting the per-backup ssh_args instead.
- Move Upgrading section of INSTALL to docs/Upgrading_from_1.1.
- Incorporate patch from Alan Batie to fix bugs with include_conf.
- check for quoting on $rsync_long_args rather than just splitting on space.
- Change rsnapshot.conf default to have lockfile enabled.
- Check for stale lock files (PID not currently running).
- explicitly add mode 0644 to sysopen() to create lockfile
- give warning if write() or close() return 0 when writing/closing lockfile
- Make prev_max_interval "not present (yet), nothing to copy" message
when rotating interval.0 more visible (level 3 instead of level 4).
- Add man page for rsnapshot-diff (generated from perldoc).
- Updates to rsnapshot man pages (via perldoc).
- Use =item in AUTHORS section
- move mis-placed =back
- document stale lock file detection
- strongly recommend using a lock file
- add a chmod to example backup script
- change crontab example for weekly from 4 "weekly"s per month to 1 per week
- expand on why higher intervals are done first via cron.
- Change space to tab after #cmd_rsnapshot_diff in rsnapshot.conf.default.in.
- In rpm patch, set cmd_rsnapshot_diff to /usr/bin/rsnapshot-diff.
- Set the test scripts t/*.t.in to run from the source directory
and create directory t/support/files/a if necessary.
- Trim comments in README about gnu cp versions > 5.3 since rsnapshot
strips trailing slashes for gnu cp with rsnapshot 1.2.9 and later.
- Add pointers to HOWTO and utils/rsnapreport.pl in README.
- More examples (eg: timestamp backup_script) in rsnapshot.conf.default.in.
- Change "Perhaps this is not GNU cp?" error message.
Changelog:
2.1.1
- Tiny bug fix to make sure that the help file is in the right language.
2.1.0
- Dragging and dropping files from Windows Explorer, Thunar, etc.,
now works (at least for me, on Windows 7 and Xubuntu).
- Updated Czech translation from Pavel Fric.
- French translation from Pierre-Alain Bandinelli.
- German translation (and many suggestions) from Rainer Krachten.
- Translations should "just work"; i.e., if you use a French locale then
the user interface and help text should appear in French. However, you
can force DiffPDF to use any language it supports by using the
--language command line option (e.g., --language=fr). If an
unsupported locale or --language option is used, DiffPDF will fall
back to English.
- Now support -h as a synonym for --help.
- Initial path defaults to home directory instead of DiffPDF's
installation directory.
- Improved the Options dialog's layout.
- A subtle bugfix to the --words command line option.
- Fixed a crash: clicking to set a margin when there're no PDFs loaded
now safely does nothing.
2.0.0
- Can now have comparisons exclude text that's outside user-specified
margins. This feature was sponsored by a company that prefers to
remain anonymous.
- Save As can now save images as well as PDFs.
- Minor bug fixes and improvements.
- Command line help (--help) will no longer work on Windows. This is to
avoid a spurious console window appearing. I've put the output in the
online help though.
- Improved dock window handling so that docks can now be stacked on top
of each other (useful for small screens).
dhbitty is a small public key encryption program written in C. It
uses elliptic curve Diffie-Hellman in the form of Curve25519 to
establish a shared secret between two users, and uses that secret to
symmetrically encrypt and authenticate messages.
There are no private key files; only passphrases. Never lose that
pesky thing again.
Both the sender and the receiver can decrypt a message. In fact,
there is no distinction between sender and receiver. Both passphrases
must be strong.
There is no signing. A similarly useful form of authentication occurs
using only DH. dhbitty attempts to be as simple as possible. It is
not optimized, but achieves a comfortable speed for most uses. It
does not use floating point numbers, or integers longer than 32 bits.
It does not contain more algorithms than are needed.
Example
This is how Alice generates her public key with dhbitty:
$ dhbitty generate alice_public_key.txt
username:passphrase (this is visible!): alice:Keyfiles be damned!
Done.
Bob will do the same thing:
$ dhbitty generate bob_public_key.txt
username:passphrase (this is visible!): bob:Bob's Spectacular Passphrase
Done.
Alice will publish her alice_public_key.txt, and Bob will publish his bob_public_key.txt. They can now access each other's
public keys. (But they should be careful that Eve cannot surreptitiously replace either public key with her own!)
Alice wants to send files to Bob. She packages them into a .tar archive (or any other type of archive with timestamps), along
with her message. Then she uses dhbitty:
$ dhbitty encrypt bob_public_key.txt files_to_bob.tar files_to_bob.tar.dhbt
username:passphrase (this is visible!): alice:Keyfiles be damned!
Done.
Alice sends files_to_bob.tar.dhbt to Bob. Bob will use dhbitty to decrypt this archive:
$ dhbitty decrypt files_to_bob.tar.dhbt files_to_bob.tar
username:passphrase (this is visible!): bob:Bob's Spectacular Passphrase
This is the public key of file's secondary owner:
0002f02b318c307bac07f3148a33c975cea04b79a870f0a5c7771cd38cc1986e
Done.
Bob can verify that the public key dhbitty just gave him indeed is Alice's public key. He unpacks the now-decrypted archive to
access the files Alice sent to him.
In practice, Alice and Bob should use a system like diceware to pick passphrases, in order to be confident of their strength.
Seven words picked using diceware is a good choice.
Sigil is delivered in a zip file, and the files have DOS line endings.
The patches had unix line endings, and at least on some platforms
including NetBSD 5, this resulted in rejected hunks.
All three patches repacked, now contain DOS line endings and work fine.