1.40 Sep 6 2016
Specify licence (Apache 2.0) in META.yml. [Steve Hay, CPAN RT#111359]
Fix broken POD. [Steve Hay]
Switch argument order in "openssl gendsa". [rjung]
Add (limited) checks for *_SAN_*_n and *_DN_Email variables. [kbrand]
Update key sizes and message digest to what is common in 2015. [kbrand]
nghttp2 v1.26.0
* docs: Fix some typos in the nghttpx how-to
* build: Update Dockerfile.android
* build: Refactoring include directories for build as CMake subdirectory (add_subdirectory(nghttp2))
* nghttpx: Fix OCSP related error when building with BoringSSL
* h2load: Fix bug that timing script stalls with -m1
* h2load: Reservoir sampling
* h2load: Add timing-based load-testing in h2load
The software Makefiles try to install example configuration files
directly into $(sysconfdir), which is set during the configure
stage to ${PKG_SYSCONFDIR} == ${PREFIX}/etc/siege. However, pkgsrc
standards require that the example configuration files be installed
into ${PREFIX}/share/examples/siege ( ${EGDIR} ).
Pass sysconfdir=${EGDIR} to the bmake(1) process during the install
stage so that the Makefile recipe will install the example files
into the correct location.
Remove the "install" substitution class that was trying to do the
same thing but which fails if ${PKG_SYSCONFBASE} != ${PREFIX}/etc.
Bump the PKGREVISION due to changes in the installed files if the
package is built with default settings. Fix discussed with nils@
in private correspondence.
Security issues:
- $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco.
- A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
- A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
- A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
- An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
- A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
- A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).
And 6 other fixes:
* Emoji
- #41584 - Upgrade Twemoji to 2.5.0
- #41852 - Fix UN flag test by returning the correct value.
*I18N
- #41794 - Support numbers in locales during installation
* Security
- #13377 - Add more sanitization in _cleanup_header_comment
*Widgets
- #41596 - New Text Widget recognizes HTML but does not render it in the front end
- #41622 - Text widget can show DOMDocument::loadHTML() warnings in admin when is_legacy_widget method is called
More on https://codex.wordpress.org/Version_4.8.2
release announce:
Contao 4.4.5 is available 18.09.2017 10:28 by Leo Feyer
Contao version 4.4.5 is available. The bugfix release fixes several issues
including a problem with the install tool and a problem with SVG images in
Internet Explorer. In addition, the back end theme has been adjusted again
and some of the previous changes have been revised.
0.12.2 (2017/08/04)
* Fixes race condition issue with rubygems.org
0.12.1 (2017/08/03)
* Fixes support for Oj < 3.3.3 (#163)
* Adds support for parser_options on MultiXML and SafeYAML parsers
0.12.0 (2017/07/28)
* Replace rash with rash_alt (#136)
* Allow write_options to be specified for FaradayMiddleware::Caching (#155)
* Add support for passing options to JSON.parse (#156)
* Parse YAML safely (#157)
* Handle responses with missing Location header (#159)
* Removes support for ruby < 1.9.3 (#162)
17.9.2
new: allow setting correlation URI and anchor flag in WAMP messages from user code
fix: WebSocket proxy connect on Python 3 (unicode vs bytes bug)
## 1.4.1 / 2017-06-21
* Don't ask .empty? until it's a String. (#38)
* rename Liquid 4 `has_key?` to `key?` to add compatibility for liquid 4 (#41)
* Test against Ruby 2.1 to 2.4 (#45)
3.5.2 (2017/8/18)
* Backport #6281 for v3.5.x: Fix Drop#key? so it can handle a nil argument (#6288)
* Backport #6280 for v3.5.x: Guard against type error in absolute_url (#6287)
* Backport #6266 for v3.5.x: Memoize the return value of Document#url (#6301)
* Backport #6273 for v3.5.x: delegate StaticFile#to_json to StaticFile#to_liquid (#6302)
* Backport #6226 for v3.5.x: Reader#read_directories: guard against an entry not being a directory (#6304)
* Backport #6247 for v3.5.x: kramdown: symbolize keys in-place (#6303)
3.5.1 (2017/7/18)
Minor Enhancements
* Use Warn for deprecation messages (#6192)
* site template: Use plugins key instead of gems (#6045)
Bug Fixes
* Backward compatiblize URLFilters module (#6163)
* Static files contain front matter default keys when to_liquid'd (#6162)
* Always normalize the result of the relative_url filter (#6185)
Documentation
* Update reference to trouble with OS X/macOS (#6139)
* added BibSonomy plugin (#6143)
* add plugins for multiple page pagination (#6055)
* Update minimum Ruby version in installation.md (#6164)
* [docs] Add information about finding a collection in site.collections (#6165)
* Add {%raw%} to Liquid example on site (#6179)
* Added improved Pug plugin - removed 404 Jade plugin (#6174)
* Linking the link (#6210)
* Small correction in documentation for includes (#6193)
* Fix docs site page margin (#6214)
Development Fixes
* Add jekyll doctor to GitHub Issue Template (#6169)
* Test with Ruby 2.4.1-1 on AppVeyor (#6176)
* set minimum requirement for jekyll-feed (#6184)
1.6.0 (2017/09/01)
* Rack::PostBodyContentTypeParser: if the middleware is told a POST body is
JSON, but it doesn't parse as JSON, then... it's not really JSON, and the
request is now rejected with a 400 response. Thanks to Yukihiko SAWANOBORI
(@sawanoboly) for the fix.
1.5.0 (2017/07/19)
After an extended hiatus, rack-contrib maintenance is back on track. This
is a tidy-up release, merging things that have sat around for far too long.
* git-version-bump has now been moved to being a development dependency,
thanks to Tobias Haagen Michaelsen.
* Rack::AcceptLocale can be restricted to a set of enforced locales, thanks to
Paco Guzman.
* Rack::NotFound's path argument is now optional, thanks to Ed Morley.
* Rack::BounceFavicon now has a description and tests, thanks to Steven
Wilkin.
* The automated Travis CI suite now tests all supported Ruby versions up to
2.4, which necessitated a few small changes.
### 0.9.1
o Added ssl_version options `TLSv1_1`, `TLSv1_2`, `TLSv1_3` for explicitly
forcing the SSL version
* requires the appropriate versions of libCURL and OpenSSL installed to
support these new options
* reference: https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
o Added a new `:http_version` option with `HTTPv1_1` and `HTTPv2_0` values to
explicitly set the HTTP version of HTTP/1.1 or HTTP/2.0
* requires the appropriate versions of libCURL and OpenSSL installed to
support these new options
* reference: https://curl.haxx.se/libcurl/c/CURLOPT_HTTP_VERSION.html
o Updates the gem release procedure for more convenience, using the updated
Rubygems.org tasks
o Update a few minor dependencies and documentation to be Ruby
2.4.1-compatible, add 2.4.1. to Travis CI matrix
o Add `Session#download_byte_limit` for limiting the permitted download size.
This can be very useful in dealing with untrusted download sources, which
might attempt to send very large responses that would overwhelm the
receiving client.
o Add `Patron.libcurl_version_exact` which returns a triplet of major, minor
and patch libCURL version numbers. This can be used for more fine-grained
matching when using some more esoteric Curl features which might not
necessarily be available on libCURL Patron has been linked against.
**Mustermann 1.0.1** (2017-08-26)
#### Docs
* Updating readme to list Ruby 2.2 as minimum
* Fix rendering of HTML table
* Update summary and description in gemspec file.
#### Fixes
* avoid infinite loop by removing comments when receiving extended regexp
* avoid unintended conflict of namespace
* use Regexp#source instead of Regexp#inspect
0.13.1 (2017/8/18)
* Fixes an incompatibility with Addressable::URI being used as uri_parser
0.13.0 (2017/8/15)
* Dynamically reloads the proxy when performing a request on an absolute
domain (#701)
* Prefer #hostname over #host. (#714)
* Adapter support for Net::HTTP::Persistent v3.0.0 (#619)
* Fixes an edge-case issue with response headers parsing (missing HTTP header)
(#719)
0.12.2 (2017/07/21)
* Parse headers from aggregated proxy requests/responses (#681)
* Guard against invalid middleware configuration with warning (#685)
* Do not use :insecure option by default in Patron (#691)
* Fixes an issue with HTTPClient not raising a Faraday::ConnectionFailed
(#702)
* Fixes YAML serialization/deserialization for Faraday::Utils::Headers (#690)
* Fixes an issue with Options having a nil value (#694)
* Fixes an issue with Faraday.default_connection not using
Faraday.default_connection_options (#698)
* Fixes an issue with Options.merge! and Faraday instrumentation middleware
(#710)
Upstream changes:
Here is the full list of fixed issues in 3.3.2.
Highlights
MDL-59492 - Gray out hidden courses in the new course overview block
MDL-57412 - Setting "Always link course sections" should apply consistently in Boost and Clean/More
MDL-58196 - "Require grade to pass" in quiz completion settings must be checked only with "Require grade", otherwise it does not work and causes confusions
MDL-57698 - Bug fix: Backup and restore cause deadlock with sqlsrv driver
Fixes and improvements
MDL-55912 - Assignment: when blind marking is enabled, students should receive teacher participant number in the email and not their own
MDL-54607 - Calendar export should not export events without duration as full-day events, i.e. assignment due dates have time component that was lost during export
MDL-59490 - Bug fix: LTI does not work when activity has a long name
MDL-55937 - Assignment: fixed error when viewing attachments of team submission
MDL-59511, MDL-59746, MDL-59539, MDL-59869 - Multiple fixes in OAuth 2 services (Google, OwnCloud, Nextcloud, etc)
MDL-35290 - My private files should continue working even if some files in filesystem are currently unreadable
MDL-57259 - Fixed bug that caused multiple debugging messages in error.log when teachers use assignment grading
MDL-56646 - Assignment: changing maximum grade of the module could result in negative grades in assignment which were pushed as "0" to the gradebook. This bug was fixed and will not happen in the future. However, according to Moodle policy, no existing grades were changed. Teachers will see the warning that there are erroneous grades and will be able to fix all of them with one click
MDL-54965 - Database module: fixed SQL error when you edit an entry after having added a new picture/file field
MDL-46495 - When uploading courses the setting "Completion tracking" should be set to the site default
MDL-59262 - Courses made via course request or "Upload course" tool should respect default course sections
MDL-59442 - Some third party modules had very big icons in the Default activity completion page
MDL-38129 - Grade export of user profile fields can now work with uppercase letters in the fields names
MDL-59317 - Performance improvements on the messages page
MDL-57246 - Trying to view a forum without the capability may lead you to a broken page.
MDL-59287 - Generate calendar event for "Expected completed on" for all modules.
MDL-55364 - Forum headers alignment on narrow screens
MDL-57649 - Lesson: Fixed bug deleting files unrelated to the pages being deleted
MDL-59195 - Assignments: when switching role to student teacher should be able to view group submissions
MDL-59068 - Lesson: Restore the behaviour of "No, I just want to go on to the next question"
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version
=== raindrops 0.19.0 - Rack 2.x middleware compatibility / 2017-08-09 23:52 UTC
This release fixes Rack 2.x compatibility for the few users of
Raindrops::Middleware
<https://bogomips.org/raindrops/Raindrops/Middleware.html>.
Thanks to Dmytro Shteflyuk for this release.
No need to upgrade unless you use Raindrops::Middleware with
Rack 2.x.
There's also a few minor, inconsequential cleanups.
Dmytro Shteflyuk (1):
Properly override respond_to? in Raindrops::Middleware::Proxy
Eric Wong (2):
Ruby thread compatibility updates
tcp_info: remove unnecessary extconf.h include
# Version 2.15.1
Release date: 2017-08-04
### Fixed
* `attach_file` with no extension/MIME type when using the `:rack_test` driver
[Thomas Walpole]
# Version 2.15.0
Release date: 2017-08-04
### Added
* `sibling` and `ancestor` finders added [Thomas Walpole]
* Added ability to pass options to registered servers when setting
* Added basic built-in driver registrations `:selenium_chrome` and
`:selenium_chrome_headless` [Thomas Walpole]
* Add `and_then` to Capybara RSpec matchers which behaves like the previous
`and` compounder. [Thomas Walpole]
* Compound RSpec expectations with Capybara matchers now run both matchers
inside a retry loop rather than waiting for one to pass/fail before
checking the second. Will make `#or` more performant and confirm both
conditions are true "simultaneously" for `and`. [Thomas Walpole] If you
still want the
* Default filter values are now included in error descriptions [Thomas Walpole]
* Add `Session#refresh` [Thomas Walpole]
* Loosened restrictions on where `Session#within_window` can be called from
[Thomas Walpole]
* Switched from `mime-types` dependency to `mini_mime` [Jason Frey]
