### 4.4.1 (2017-07-12)
* Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
* Correctly handle subpalettes in "edit multiple" mode (see #946).
* Correctly show the DCA picker in the site structure (see #906).
* Correctly update the style sheets if a format definition is
enabled/disabled (see #893).
* Always show the "show from" and "show until" fields (see #908).
* Correctly set the "overwriteMeta" field during the database update (see
contao/core-bundle#888).
Version 3.5.28 (2017-07-12)
---------------------------
### Fixed
Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
### Fixed
Improve the accessibility of the CAPTCHA widget (see #8709).
### Fixed
Fixed the iOS scrolling bug in the simple modal script (see #8708).
### Fixed
Correctly cache the unique keys in the SQL cache (see #8712).
*) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
global variable when using Lua 5.2 or later. This was exported as a
side effect from luaL_register, which is no longer supported as of
Lua 5.2 which deprecates pollution of the global namespace.
*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
The server will continue to run, but HTTP/2 will no longer be negotiated.
*) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
default ProxyFCGIBackendType, fixing a regression with PHP-FPM.
*) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
*) mod_http2: Simplify ready queue, less memory and better performance. Update
mod_http2 version to 1.10.7.
*) Allow single-char field names inadvertently disallowed in 2.4.25.
*) htpasswd / htdigest: Do not apply the strict permissions of the temporary
passwd file to a possibly existing passwd file.
*) core: Avoid duplicate HEAD in Allow header.
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
*) Allow single-char field names inadvertantly disallowed in 2.2.32.
Changes with Apache 2.2.33 (not released)
*) SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
*) SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
*) SECURITY: CVE-2017-7679 (cve.mitre.org)
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.
*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
Caddy is a HTTP/2 web server with automatic HTTPS.
Caddy was born out of the need for a "batteries-included" web server
that runs anywhere and doesn't have to take its configuration with it.
Caddy took inspiration from spark, nginx, lighttpd, Websocketd and
Vagrant, which provides a pleasant mixture of features from each of
them.
that application, without starting up an HTTP server.
This provides convenient full-stack testing of applications written with any
WSGI-compatible framework.
Upstream changes:
Here is the full list of fixed issues in 3.3.1.
Contents
1 Highlights
2 Security issues
3 Fixes and improvements
4 For developers
5 See also
Highlights
MDL-58136 - Show only "in progress" courses in the My courses list in Booost flat navigation
MDL-56046 - Fixed bug when downloading Quiz statistics report and other multiple-sheet reports
MDL-58646, MDL-59122 - Number of performance improvements in Boost cache rebuilding
MDL-58310, MDL-59312, MDL-58103 - Correctly display AJAX errors and ignore interrupted requests caused by page unload (occasional "undefined" popup)
MDL-44961 - When restoring course with rolling start date never change log dates
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-46322 - Assignment: Only enrolled users may be assigned as markers, if admins/managers can view course but are not enrolled they will not be assigned
MDL-58907 - Course overview: Remember last view mode (Timeline/Courses), add a setting for a default mode
MDL-58729 - Performance impovement in MySQL collation change script (follow up for Full UTF-8 Support in MySQL)
MDL-57957 - Assignment: Fixed bug with feedback files not being shown to students if assignment has no grading
MDL-57021 - Use normal password form field during sign up, adding new user and enrolling in a course
MDL-49988 - Wiki: line breaks in HTML source code should not affect page layout
MDL-58811 - Quiz: fixed bug preventing quiz duplication if questions have file links in their texts
For developers
MDL-58911 - Change of behavior when writing unittests for the dashboard events - now callback from module are executed in unittests same way they would be executed on the dashboard
Features
- Python 3.6 is now officially supported in Waitress
Bugfixes
- Add a work-around for libc issue on Linux not following the documented
standards. If getnameinfo() fails because of DNS not being available it
should return the IP address instead of the reverse DNS entry, however
instead getnameinfo() raises. We catch this, and ask getnameinfo()
for the same information again, explicitly asking for IP address instead of
reverse DNS hostname.
-----
* 26: Change six requirement to >=1.4.0
* 28: Py3k fixes
* 29: paste.wsgilib.add_close: Add __next__ method to support using `add_close` objects as iterators on Python 3.
* 30: tox.ini: Add py35 to envlist
* 31: Enable testing with pypy
* 33: tox.ini: Measure test coveraage
these packages pull in GCC_REQD+=4.9 via mozilla-common.mk, and
are very widely used (I suspect only www/firefox actually needs it)
this will take care of most of the fallout from major bumping
pkgsrc-gcc-libstdc++ to 7 on netbsd. these are the most widely
used packages setting GCC_REQD>4.8.
based on the work done by the amazing folks at magicstack.
On top of being Flask-like, Sanic supports async request handlers. This means
you can use the new shiny async/await syntax from Python 3.5, making your code
non-blocking and speedy.
User-visible changes:
- Client-side bugfixes:
* cp/mv: improve error message when target is an unversioned dir
* merge: reduce memory usage with large amounts of mergeinfo
- Server-side bugfixes:
* 'svnadmin freeze': document the purpose more clearly
* dump: fix segfault when a revision has no revprops
* fsfs: improve error message upon failure to open rep-cache
* fsfs: never attempt to share directory representations
* fsfs: make consistency independent of hash algorithms
This change makes Subversion resilient to collision attacks, including
SHA-1 collision attacks such as <http://shattered.io/>. See also our
documentation at <https://subversion.apache.org/faq#shattered-sha1> and
<https://subversion.apache.org/docs/release-notes/1.9#shattered-sha1>.
- Client-side and server-side bugfixes:
* work around an APR bug related to file truncation
- Bindings bugfixes:
* javahl: follow redirects when opening a connection
Developer-visible changes:
- General:
* win_tests.py: make the --bin option work, rather than abort
(regression introduced in 1.9.2)
* windows: support building with 'zlibstat.lib' in install-layout
- API changes:
(none)
1.85 2017-06-28 22:06:00Z
========================================
[FIXED]
- use 127.0.0.1 instead of 'localhost' in a test to avoid the test hanging
due to ipv6 issues (GH#31)
- Remove private logic for taint checking (Dave Doyle)
- Fix Pod (simbabque)
- Bump Test::More prereq to get working subtest support (Karen Etheridge)
- Fix intermittent failures of taint.t (GH#108) (Kivanc Yazan)
- Fix kwalitee issues (GH#107) (Kivanc Yazan)
[ENHANCEMENTS]
- Print section titles if mech-dump --all is invoked (GH#81) (Сергей
Романов)
- Add cookbook docs on dumping a req without sending it (#115) (Grigor
Karavardanyan)
- Document that submit only submits current form (GH#114) (nawglan)
- Add Travis testing on Perl 5.26 (Karen Etheridge)
- Remove obsolete and unincremented $VERSIONs in test modules (Karen
Etheridge)
Changelog:
52.2.1
Printing text does not work on Windows when Direct2D is disabled (Bug 1318845)
52.2.0
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7778: Vulnerabilities in the Graphite 2 library
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
#CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
#CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.252.2.0
52.1.2
FIx hangs when using a proxy with NTLM authentication (bug 1360574)
Changelog:
Fixed
Fix a display issue of tab title (bug 1357656)
Fix a display issue of opening new tab (bug 1371995)
Fix a display issue when opening multiple tabs (bug 1371962)
Fix a tab display issue when downloading files (bug 1373109)
Fix a PDF printing issue (bug 1366744)
Fix a Netflix issue on Linux (bug 1375708)
Documentation
We have received several patches to fix grammer and typos.
The broken out-of-tree build has been also fixed.
nghttp
We fixed the bug that HTTP Upgrade fails if HTTP response does not have reason-phrase.
nghttpx
The default minimum TLS version is now TLSv1.2. This is because the default cipher list only contains cipher suites which are compatible with it.
Bugfixes
Removed an incorrect deprecation warning about a missing renderer argument if a Widget.render() method accepts **kwargs.
Fixed a regression causing Model.__init__() to crash if a field has an instance only descriptor.
Fixed an incorrect DisallowedModelAdminLookup exception when using a nested reverse relation in list_filter.
Fixed admin’s FieldListFilter.get_queryset() crash on invalid input.
Fixed invalid HTML for a required AdminFileWidget.
Fixed model initialization to set the name of class-based model indexes for models that only inherit models.Model.
Fixed crash in admin’s inlines when a model has an inherited non-editable primary key.
Fixed QuerySet.union(), intersection(), and difference() when combining with an EmptyQuerySet.
Prevented Paginator’s unordered object list warning from evaluating a QuerySet.
Fixed the value of redirect_field_name in LoginView’s template context. It’s now an empty string (as it is for the original function-based login() view) if the corresponding parameter isn’t sent in a request (in particular, when the login page is accessed directly).
Prevented attribute values in the django/forms/widgets/attrs.html template from being localized so that numeric attributes (e.g. max and min) of NumberInput work correctly.
Removed casting of the option value to a string in the template context of the CheckboxSelectMultiple, NullBooleanSelect, RadioSelect, SelectMultiple, and Select widgets. In Django 1.11.1, casting was added in Python to avoid localization of numeric values in Django templates, but this made some use cases more difficult. Casting is now done in the template using the |stringformat:'s' filter.
Prevented a primary key alteration from adding a foreign key constraint if db_constraint=False.
Fixed UnboundLocalError crash in RenameField with nonexistent field.
Fixed a regression preventing a model field’s limit_choices_to from being evaluated when a ModelForm is instantiated.
* t/git-cgi.t: Wait 1 second before doing a revert that should work.
This hopefully fixes a race condition in which the test failed
around 6% of the time. (Closes: 862494)
* Guard against set-but-empty REMOTE_USER CGI variable on
misconfigured nginx servers, and in general treat sessions with
a set-but-empty name as if they were not signed in.
* When the CGI fails, print the error to stderr, not "Died"
* mdwn: Don't mangle <style> into <elyts> under some circumstances
* mdwn: Enable footnotes by default when using the default Discount
implementation. A new mdwn_footnotes option can be used to disable
footnotes in MultiMarkdown and Discount.
* mdwn: Don't enable alphabetically labelled ordered lists by
default when using the default Discount implementation. A new
mdwn_alpha_list option can be used to restore the old
interpretation.
* osm: Convert savestate hook into a changes hook. savestate is not
the right place to write wiki content, and in particular this
breaks websetup if osm's dependencies are not installed, even
if the osm plugin is not actually enabled. (Closes: #719913)
* toc: if the heading is of the form <h1 id="...">, use that for
the link in the table of contents (but continue to generate
<a name="index42"></a> in case someone was relying on it)
* color: Do not leak markup into contexts that take only the plain
text, such as toc
* meta: Document [[!meta name="foo" content="bar"]]
Python. It implements RFC 6455 with a focus on correctness and simplicity.
It passes the Autobahn Testsuite.
Built on top of Python's asynchronous I/O support introduced in PEP 3156,
it provides an API based on coroutines, making it easy to write highly
concurrent applications.
HTTP, task offloading and other asynchrony support to your code, using familiar
Django design patterns and a flexible underlying framework that lets you not
only customize behaviours but also write support for your own protocols and
needs.
to power Django Channels.
It supports automatic negotiation of protocols; there's no need for URL
prefixing to determine WebSocket endpoints versus HTTP endpoints.
new: allow components to pass WebSocket/RawSocket options
fix: register/subscribe decorators support different URI syntax from what session.register and session.subscribe support
new: allow for standard Crossbar a.c..d style pattern URIs to be used with Pattern
new: dynamic authorizer example
new: configurable log level in ApplicationRunner.run for asyncio
fix: forward reason of hard dropping WebSocket connection in wasNotCleanReason
Changes are too many to write here, please refer
<https://github.com/jekyll/jekyll/releases> in detail.
* Upgrade to Liquid v4.
* Add support for TSV (Tab-Separated Values data) files.
* Add a template for custom 404 page.
* Documentation improvements.
## 4.0.0
### Changed
* Render an opaque internal error by default for non-Liquid::Error (#835) [Dylan Thacker-Smith]
* Ruby 2.0 support dropped (#832) [Dylan Thacker-Smith]
* Add to_number Drop method to allow custom drops to work with number filters (#731)
* Add strict_variables and strict_filters options to detect undefined references (#691)
* Improve loop performance (#681) [Florian Weingarten]
* Rename Drop method `before_method` to `liquid_method_missing` (#661) [Thierry Joyal]
* Add url_decode filter to invert url_encode (#645) [Larry Archer]
* Add global_filter to apply a filter to all output (#610) [Loren Hale]
* Add compact filter (#600) [Carson Reinke]
* Rename deprecated "has_key?" and "has_interrupt?" methods (#593) [Florian Weingarten]
* Include template name with line numbers in render errors (574) [Dylan Thacker-Smith]
* Add sort_natural filter (#554) [Martin Hanzel]
* Add forloop.parentloop as a reference to the parent loop (#520) [Justin Li]
* Block parsing moved to BlockBody class (#458) [Dylan Thacker-Smith]
* Add concat filter to concatenate arrays (#429) [Diogo Beato]
* Ruby 1.9 support dropped (#491) [Justin Li]
* Liquid::Template.file_system's read_template_file method is no longer passed the context. (#441) [James Reid-Smith]
* Remove support for `liquid_methods`
* Liquid::Template.register_filter raises when the module overrides registered public methods as private or protected (#705) [Gaurav Chande]
### Fixed
* Fix map filter when value is a Proc (#672) [Guillaume Malette]
* Fix truncate filter when value is not a string (#672) [Guillaume Malette]
* Fix behaviour of escape filter when input is nil (#665) [Tanel Jakobsoo]
* Fix sort filter behaviour with empty array input (#652) [Marcel Cary]
* Fix test failure under certain timezones (#631) [Dylan Thacker-Smith]
* Fix bug in uniq filter (#595) [Florian Weingarten]
* Fix bug when "blank" and "empty" are used as variable names (#592) [Florian Weingarten]
* Fix condition parse order in strict mode (#569) [Justin Li]
* Fix naming of the "context variable" when dynamically including a template (#559) [Justin Li]
* Gracefully accept empty strings in the date filter (#555) [Loren Hale]
* Fix capturing into variables with a hyphen in the name (#505) [Florian Weingarten]
* Fix case sensitivity regression in date standard filter (#499) [Kelley Reynolds]
* Disallow filters with no variable in strict mode (#475) [Justin Li]
* Disallow variable names in the strict parser that are not valid in the lax parser (#463) [Justin Li]
* Fix BlockBody#warnings taking exponential time to compute (#486) [Justin Li]
Bugfixes
- CONTINUATION frames sent on closed streams previously caused stream errors
of type STREAM_CLOSED. RFC 7540 § 6.10 requires that these be connection
errors of type PROTOCOL_ERROR, and so this release changes to match that
behaviour.
- Remote peers incrementing their inbound connection window beyond the maximum
allowed value now cause stream-level errors, rather than connection-level
errors, allowing connections to stay up longer.
- h2 now rejects receiving and sending request header blocks that are missing
any of the mandatory pseudo-header fields (:path, :scheme, and :method).
- h2 now rejects receiving and sending request header blocks that have an empty
:path pseudo-header value.
- h2 now rejects receiving and sending request header blocks that contain
response-only pseudo-headers, and vice versa.
- h2 now correct respects user-initiated changes to the HEADER_TABLE_SIZE
local setting, and ensures that if users shrink or increase the header
table size it is policed appropriately.
6.13 2017-06-20 01:07:03Z
- Non-TRIAL release of changes found in 6.12
6.12 2017-06-15 18:03:50Z (TRIAL RELEASE)
- If an object is passed to HTTP::Request, it must provide a canonical()
method (Olaf Alders)
- Make sure status messages don't die by checking the status exists before
checking the value range (Kent Fredric, GH #39)
- Add a .mailmap file to clean up the contributors list
- Avoid inconsistent setting of content to undef (Jerome Eteve)
- Simplify the way some methods are created (Tom Hukins)
- Remove some indirect object notation (Chase Whitener)
- Fix example in Pod (Tobias Leich)
- Add support for HTTP PATCH method (Mickey Nasriachi)
*) HTTP/2 support no longer tagged as "experimental" but is instead considered
fully production ready.
*) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
the session in continuous check for state changes that never happen.
*) mod_mime: Fix error checking for quoted pairs.
*) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
protocols.
*) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
a possible crash if a signal is caught during (graceful) restart.
*) core: Deprecate ap_get_basic_auth_pw() and add
ap_get_basic_auth_components().
*) mod_rewrite: When a substitution is a fully qualified URL, and the
scheme/host/port matches the current virtual host, stop interpreting the
path component as a local path just because the first component of the
path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
to revert to previous behavior.
*) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
platforms.
*) ab: enable option processing for setting a custom HTTP method also for
non-SSL builds.
*) core: EBCDIC fixes for interim responses with additional headers.
*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error().
*) mod_env: when processing a 'SetEnv' directive, warn if the environment
variable name includes a '='. It is likely a configuration error.
*) Evaluate nested If/ElseIf/Else configuration blocks.
*) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
allow spaces in backreferences to be encoded as %20 instead of '+'.
*) mod_rewrite: Add the possibility to limit the escaping to specific
characters in backreferences by listing them in the B flag.
*) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
systems.
*) mod_http2: fail requests without ERROR log in case we need to read interim
responses and see only garbage. This can happen if proxied servers send
data where none should be, e.g. a body for a HEAD request.
more...
Contao 4.4 is fourth minor release of Contao 4 and it is LTS (Long Term
Support) release until June 2021.
Additionally, these new features from 4.3.
* Improved backend theme
* Improved element preview
* Detect version conflicts
* Improved handling of image meta data
* Details view contains path addition to their UUIDs
* Honeypot anti-spam
* Allowed member groups
* Import options for some form fields
* DCA picker
* Filter pages and articles
* Search files
* Contao Manager support
* Fixed a bug in which cancelling the publishing dialog wasn't respected.
* Fixed a bug causing post-login redirection to an incorrect URL on single-language sites.
* Changed the signature for internal ``cms.plugin_base.CMSPluginBase`` methods ``get_child_classes``
and ``get_parent_classes`` to take an optional ``instance`` parameter.
* Fixed an error when retrieving placeholder label from configuration.
* Fixed a bug which caused certain translations to display double-escaped text in the page
list admin view.
* Adjusted the toolbar JavaScript template to escape values coming from the request.
* Added Dropdown class to toolbar items
* Replaced all custom markup on the ``admin/cms/page/includes/fieldset.html`` template
with an ``{% include %}`` call to Django's built-in ``fieldset.html`` template.
* Fixed a bug which prevented a page from being marked as dirty when a placeholder was cleared.
* Fixed an IntegrityError raised when publishing a page with no public version and whose publisher
state was pending.
* Fixed an issue with JavaScript not being able to determine correct path to the async bundle
* Fixed a ``DoesNotExist`` database error raised when moving a page marked as published, but whose public
translation did not exist.
* Fixed a bug in which the menu rendered nodes using the site session variable (set in the admin),
instead of the current request site.
* Fixed a race condition bug in which the database cache keys were deleted without syncing with the
cache server, and as a result old menu items would continue to be displayed.
* Fixed a 404 raised when using the ``Delete`` button for a Page or Title extension on Django >= 1.9
* Added "How to serve multiple languages" section to documentation
* Fixed a performance issue with nested pages when using the ``inherit`` flag on the ``{% placeholder %}`` tag.
* Removed the internal ``reset_to_public`` page method in favour of the ``revert_to_live`` method.
* Fixed a bug in which the placeholder cache was not consistently cleared when a page was published.
* Enhanced the plugin menu to not show plugins the user does not have permission to add.
* Fixed a regression which prevented users from setting a redirect to the homepage.
Add a CountryFieldMixin Django Rest Framework serializer mixin that automatically picks the right field type for a CountryField (both single and multi-choice).
Validation for Django Rest Framework field (thanks Simon Meers).
Allow case-insensitive .by_name() matching (thanks again, Simon).
Ensure a multiple-choice CountryField.max_length is enough to hold all countries.
Fix inefficient pickling of countries (thanks Craig de Stigter for the report and tests).
Stop adding a blank choice when dealing with a multi-choice CountryField.
Tests now cover multiple Django Rest Framework versions (back to 3.3).
Version 4.6.1
Fix invalid reStructuredText in CHANGES.
Add test targets, all tests pass for me.
Sun May 28 23:26:00 MSK 2017
Releasing GNU libmicrohttpd 0.9.55. -EG
Sun May 21 18:48:00 MSK 2017
Fixed build with disabled "UPGRADE".
Fixed possible null-dereference in HTTPS test.
Fixed compiler warning in process_request_body(), minor optimizations.
Do not allow suspend of "upgraded" connections.
Fixed returned value for MHD_CONNECTION_INFO_CONNECTION_SUSPENDED.
Fixed removal from timeout lists of non-existing connections in
cleanup_connection().
Fixed double locking of mutex. -EG
Sun May 14 15:05:00 MSK 2017
Fixed resuming connections and closing upgraded connections in select()
mode with thread-per-connection. -EG
Sun May 14 14:49:00 MSK 2017
Removed extra call to resume connections in MHD_run().
Handle resumed connection without delay in epoll mode.
Update states of resumed connection after resume in thread-per-connection
mode.
Fixed resuming connections and closing upgraded connections in poll()
mode with thread-per-connection. -EG
Thu May 11 22:37:00 MSK 2017
Faster start really processing data in resumed connections. -EG
Thu May 11 14:24:00 MSK 2017
Do not add any "Connection" headers for "upgrade" connections. -EG
Wed May 10 23:09:00 MSK 2017
Resume resuming connection before other processing in external polling
mode. -EG
Tue May 9 23:16:00 MSK 2017
Fixed: Do not add "Connection: Keep-Alive" header for "upgrade"
connections. -EG
Tue May 9 21:01:00 MSK 2017
Fixed: check all "Connection" headers of request for "Close" and "Upgrade"
tokens instead of using only first "Connection" header with full string
match. -EG
Tue May 9 12:28:00 MSK 2017
Revert: continue match footers in MHD_get_response_header() for backward
compatibility. -EG
Mon May 8 19:30:00 MSK 2017
Fixed: use case-insensitive matching for header name in
MHD_get_response_header(), match only headers (not footers). -EG
Fri May 5 20:57:00 MSK 2017
Fixed null dereference when connection has "Upgrade" request and
connection is not upgraded. -JB/EG
Better handle Keep-Alive/Close. -EG
7.33 2017-06-05
- Added EXPERIMENTAL support for :matches pseudo-class and :not pseudo-class
with compount selectors to Mojo::DOM::CSS.
- Fixed a few form element value extraction bugs in Mojo::DOM.
- Fixed version command to use the new MetaCPAN API, since the old one got
shut down.
7.32 2017-05-28
- Added -f option to get command.
- Improved get command with support for passing request data by redirecting
STDIN.
- Fixed memory leak in Mojo::IOLoop::Client that sometimes prevented the
connect timeout from working correctly for TLS handshakes.
* If your 54.0 is unstable, please disable e10s with
browser.tabs.remote.autostart.2=false (this works at least for me)
Changelog:
New
Simplified the download button and download status panel
Added support for multiple content processes (e10s-multi)
Added Burmese (my) locale
Fixed
Various security fixes
Changed
Moved the mobile bookmarks folder to the main bookmarks menu for easier access
Security fixes:
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7778: Vulnerabilities in the Graphite 2 library
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7759: Android intent URLs can cause navigation to local file system
#CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
#CVE-2017-7762: Addressbar spoofing in Reader mode
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
#CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
#CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
#CVE-2017-7770: Addressbar spoofing with JavaScript events and fullscreen mode
#CVE-2017-5471: Memory safety bugs fixed in Firefox 54
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
