* Add complete French basewiki and underlays translation from the
Debian French l10n team, including Philippe Batailler, Alexandre
Dupas, and Steve Petruzzello.
* Expand banned_users; it can now include PageSpecs, which allows
banning by IP address.
* underlay: Also allow configuring additional directories to search
for template files in.
* Fix parsing web commits from ipv6 addresses.
* Add genwrapper hook, that can be used to add code into the C wrapper.
* cvs: Yeah, ikiwiki even supports CVS now. Plugin contributed by
Amitai Schlair.
* Updated Czech translation from Miroslav Kure. Closes: #546223
* rsync: New plugin that allows pushing the destdir to a remote host
via rsync or similar. Thanks, Amitai Schlair.
* auto.setup, auto-blog.setup: Fix sanitization of entered wikiname.
Closes: #547378
Updated during the freeze because it's a leaf package and the bugfixes
and feature additions are desirable (if I may say so myself).
Upstream changes:
2009-09-21 Release 5.832
Ville Skyttä (6):
Fix net test suite.
Comment spelling fixes.
Fix links to old Netscape cookie specification.
Documentation spelling fixes.
Improve max line length exceeded/read error messages.
Do not warn about seemingly wellformed but unrecognized robots.txt lines.
Gisle Aas (1):
$mess->content_charset would fail for empty content
mschilli (1):
Further restrict what variables env_proxy() processes
pkgsrc changes:
- Adjusting dependencies
Upstream changes:
5.80013 2009-09-17 11:07:04
Bug fixes:
- Preserve immutable_options when temporarily making a class mutable in
Catalyst::ClassData as this is needed by new Class::MOP.
This could have potentially caused issues when using the deprecated runtime
plugins feature in an application with plugins which define their own new
method.
- Require new Moose version and new versions of various dependencies
to avoid warnings from newest Moose release.
Documentation:
- Rework the $c->go documentation to make it more clear.
- Additional documentation in Catalyst::Upgrading covering more deprecation
warnings.
Refactoring / cleanups:
- Action methods in the application class are deprecated and applications
using them will now generate a warning at startup.
- The -short option has been removed from catalyst.pl, stopping new
applications from being generated using the ::[MVC]:: naming scheme as
this is deprecated and generates warnings. RT#49771
pkgsrc changes: add LICENSE.
Changes to squid-2.7.STABLE7 (17 September 2009)
- Bug #2661 - Solaris /dev/poll support broken with EINVAL
- Clarify external_acl_type %{Header} documentation slightly
- Bug #2482: Remove mem_obj->old_entry in async code to avoid deep ctx
errors
- GCC-4.x cleanups
- Bug #2605: Don't call setsid() on helper childs when running in
daemon mode
- Windows port: Fix PSAPI.DLL usage, is always available on Windows NT
and later
- Windows port: Added support for Windows 7, Windows Server 2008 R2
and later
- Bug #2602: increase MAX_URL to 8192
- The debug mode option '-d' was not documented in LDAP helpers usage
message
- Windows port: Added a note about installation on Windows Vista and
later
- Bug #2642: Remove duplicate peerMonitorInit() on reconfigure
- Bug #2515: Final chunk parsing errors on FreeBSD6+
- Bug #2647: Reprioritise override-* and stale-while-revalidate
- Windows port: Fix improper access permissions to registry and DNS
parsing from registry
- Windows port: Fix getservbyname() usage abuse.
- Bug #2672: cacheMemMaxSize 32-bit overflow during snmpwalk
- Bug #2691: store_url memory leak
- Accept PUT/POST requests without an entity-body
- Plug request_t + HttpStateData memory leak on PUT/POST requests with
early response
- Bug #2710: squid_kerb_auth non-terminated string
- Bug #2369: squid traffic counter 32-bit overflow
- Bug #2080: wbinfo_group.pl - false positive under certain conditions
- Bug #2739: DNS resolver option ndots can't be parsed from
resolv.conf
- Windows port: fix mswin_negotiate_auth.exe crash when executing a
LocalCall authentication with verbose debug enabled
- Add 0.0.0.0 as a to_localhost address
- Windows port: Update mswin_check_ad_group to version 2.0
- Windows port: There is no "-P" command line option into
mswin_check_ad_group helper.
- Correct Valgrind mempool protection
- Bug #2451: Correct length handling on 304 responses
- Bug #2541: Hang in 100% CPU loop while extracting header details
using a delimiter other than comma (external_acl_type,
access_log_format, external_refresh_check)
- Bug #2768 - squid_ldap_group -K argument parsing error
PERL5_MODULE_TYPE makes this package install successfully with
USE_DESTDIR=yes. This fixes installation on NetBSD 3.1 and should also
fix the problem reported in Hasso Tepper's bulk build for DragonFly from
2009-09-11.
Set correct MAINTAINER (I did not create/import this package).
pkgsrc changes:
- Adjusting license definition
Upstream changes:
0.604 (09.14.2009) - John Siracusa <siracusa@gmail.com>
* Fixed a bug that caused html() to fail when called on a form that
contained a compound field. (Reported by Will Hawes)
* Make sure custom validator is called from DateTime fields.
o Add some pkgsrc patches to improve Content-Type header output.
Geeklog 1.6.0sr2
This release addresses the following security issue:
* Unauthorized file uploads were possible through FCKeditor.
Uploaded files still had to go through FCKeditor's filter, so it was not
possible to upload scripts (and the integrity of the Geeklog site as such
was not in danger). There were, however, reports that this was used to host
malware.
This update prevents use of the upload feature when FCKeditor is disabled
and disables it for anonymous users. It also doesn't allow uploading of
archive files any more. Furthermore, you need some sort of "edit"
permission now to be able to upload files through FCKeditor (this is meant
as an interim measure - we will probably introduce a separate "upload"
permission in future Geeklog versions).
Other fixes:
* Fixed installation using InnoDB tables.
* Fixed a (non-exploitable) SQL error when auto-updating a story's
commentcode field.
* Fixed a wrong function name in the Links plugin.
Geeklog 1.6.0sr1
This release addresses the following security issues:
1. Gerendi Sandor Attila reported an XSS in the forms to email a user and to
email a story to a friend.
2. The "Mail Story to a Friend" function didn't check story permissions, so
that it was possible to email a story even if you didn't have the
permissions to view it on the site.
Other fixes:
* Fixed an SQL error when submitting a story and the story submission queue
was off.
* Fixed calls to a nonexistent function COM_outputMessageAndAbort.
Geeklog 1.6.0
Results from the Summer of Code
This release incorporates the following projects implemented during the
2008 Google Summer of Code:
* Site migration support and easier plugin installation, by Matt West
* Improved search, by Sami Barakat
* Comment moderation and editable comments, by Jared Wenerd
Other changes
* The minimum PHP version required by Geeklog is now PHP 4.3.0. Given that
the PHP team ended support for PHP 4 in August 2008, you should be looking
into upgrading to PHP 5 anyway.
* Includes FCKeditor 2.6.4.1
* Includes a new plugin, XMLSitemap, that automatically generates a XML
sitemap file, as supported by all major search engines. Plugin written and
provided by mystral-kk.
* Several new plugin API functions have been added and existing functions
have been extended.
* The included documentation has been moved to docs/english to allow for
translations. Links to the documentation from within Geeklog will link to
existing translations for the current language automatically (or fall back
to the English documentation if no suitable translation can be found).
* There were a variety of theme changes to support new functionality and fix
inconsistencies in the layout.
This release also includes a number of patches and improvements made by
students applying for participation in the Google Summer of Code 2009. Thank
you!
* Interface changes:
o none, API and ABI backwards-compatible with 0.28.x and 0.27.x
* New interfaces and features:
o added NTLM auth support for Unix builds (Kai Sommerfeld,
Daniel Stenberg)
o ne_auth.h: added NE_AUTH_GSSAPI and NE_AUTH_NTLM auth protocol codes
o added ne_acl3744.h, updated WebDAV ACL support (Henrik Holst)
o added built-in SOCKS v4/v4a/v5 support: ne_socket.h:ne_sock_proxy(),
and ne_session.h:ne_session_socks_proxy()
o added support for system-default proxies: ne_session_system_proxy(),
implemented using libproxy where available
o ne_session.h: added NE_SESSFLAG_EXPECT100 session flag,
SSL verification failure bits extended by NE_SSL_BADCHAIN and
NE_SSL_REVOKED, better handling of failures within the cert chain
(thanks to Ludwig Nussel)
o ne_socket.h: ne_sock_writev() (Julien Reichel), ne_sock_set_error(),
ne_iaddr_raw(), ne_iaddr_parse()
o ne_string.h: ne_buffer_qappend(), ne_strnqdup()
* Deprecated interfaces:
o ne_acl.h is obsoleted by ne_acl3744.h (but is still present)
o obsolete feature "NE_FEATURE_SOCKS" now never marked present
* Other changes:
o fix handling of "stale" flag in RFC2069-style Digest auth challenge
o ne_free() implemented as a function on Win32 (thanks to Helge Hess)
o symbol versioning used for new symbols, where supported
o ensure SSL connections are closed cleanly with OpenSSL
o fix build with OpenSSL 1.0 beta
o updated Polish (pl) translation (Arfrever Frehtes Taifersar Arahesis)
* SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat;
could allow a Denial of Service attack by a malicious server.
* SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in a
certificate subject name; could allow an undetected MITM attack against
an SSL server if a trusted CA issues such a cert.
Tested by Daniel Horecki with SVN client.
pkgsrc changes:
- Adjusting dependencies
Upstream changes:
0.04 Sat, 12 Sep 2009 06:13:20 +0900
* Depend on PadWalker (Closes RT#49551).
0.03 Sat, 05 Sep 2009 09:42:43 +0200
* Port to Devel::Cycle. We're now able to report a broader range of leaks.
pkgsrc changes:
- Module::Pluggable is in version 3.6 included in Perl 5.10.0
--> using this one as dependency
Upstream changes:
Thu 27 Aug 02:21:09 BST 2009 - Release 0.77
Allow dispatching to Catalyst Actions, for use with ActionClasses
etc - fREW
Fix test if CATALYST_DEBUG environment variable is set
pkgsrc changes:
- Updating dependencies
- use bundled Module::Install (AuthorTests)
Upstream changes:
0.10015 Tue Sep 1 01:40:36 BST 2009
- Remove (undeclared) dependency on Class::Data::Inheritable (RT#49086)
- Remove dependency on Test::MockObject
- Fix repository metadata in META.yml / Makefile.PL
- Make POD tests author side only.
0.10014 Tue Aug 25 15:42:57 BST 2009
- Don't always supply an "id" column in the authinfo passed to the store
class in ::Credential::Remote. This means that it works better with
the DBIC store. (t0m)
- Make auth_realms method ensure authentication is initialized
before calling methods which get created during auth initialization.
Fixes back compat cases where auth store is in the plugin list
before the authentication plugin. (t0m)
pkgsrc changes:
- Adjusting dependencies
Upstream changes:
5.80012 2009-09-09 19:09:09
Bug fixes:
- Fix t/optional_http-server.t test.
- Fix t/optional_http-server-restart.t test.
- Fix duplicate components being loaded at setup time, each component is
now loaded at most once + tests.
- Fix backward compatibility - hash key configured actions are stored in
is returned to 'actions'.
- Fix get_action_methods returning duplicate methods when a method is both
decorated with method attributes and set as an action in config.
Refactoring / cleanups:
- Reduce minimum supported perl version from 5.8.6 to 5.8.4 as there are
many people still running/testing this version with no known issues.
Tests:
- Make the optional_http_server.t test an author only test which must be
run by authors to stop it being broken again.
- Fix recursion warnings in the test suites.
5.80011 2009-08-23 13:48:15
Bug fixes:
- Remove leftovers of the restarter engine. The removed code caused test
failures, which weren't apparent for anyone still having an old version
installed in @INC.
5.80010 2009-08-21 23:32:15
Bug fixes:
- Fix and add tests for a regression introduced by 5.80008.
Catalyst::Engine is now able to send out data from filehandles larger
than the default chunksize of 64k again.
5.80009 2009-08-21 22:21:08
Bug fixes:
- Fix and add tests for generating inner packages inside the COMPONENT
method, and those packages being correctly registered as components.
This fixes Catalyst::Model::DBIC among others.
5.80008 2009-08-21 17:47:30
Bug fixes:
- Fix replace_constructor warning to actually work if you make your
application class immutable without that option.
- Depend on Module::Pluggable 3.9 to prevent a bug wherein components
in inner packages might not be registered. This especially affected
tests.
- Catalyst::Engine::FastCGI - relax the check for versions of Microsoft
IIS. Provides compatibility with Windows 2008 R2 as well as
(hopefully) future versions.
- In tests which depend on the values of environment variables,
localise the environment, then delete only relevant environment
variables (RT#48555)
- Fix issue with Engine::HTTP not sending headers properly in some cases
(RT#48623)
- Make Catalyst::Engine write at least once when finalizing the response
body from a filehandle, even if the write is empty. This avoids fail
when trying to send out an empty response body from a filehandle.
- Catalyst::Engine::HTTP - Accept a fully qualified absolute URI in the
Request-URI of the Request-Line
Refactoring / cleanups:
- Deleted the Restarter engine and its Watcher code. Use the
new Catalyst::Restarter in a recent Catalyst::Devel instead.
- New unit test for Catalyst::Action 'unit_core_action.t'
- Bump minimum supported perl version from 5.8.1 to 5.8.6 as there are
known issues with 5.8.3.
- Debug output uses dynamic column sizing to create more readable output
when using a larger $ENV{COLUMNS} setting. (groditi)
New features:
- Added private_path method for Catalyst::Action
- Allow uri_for($controller_instance) which will produce a URI
for the controller namespace
- Break setup_components into two more parts: locate_components and
expand_component_module (rjbs)
- Allow Components to return anon classes from their COMPONENT method
correctly, and have action registration work on Controllers returned
as such by adding a catalyst_component_name accessor for all components
which returns the component instance's name to be used when building
actions etc.
- Adding X-Forwarded-Port to allow the frontend proxy to dictate the
frontend port (jshirley)
- Added Catalyst::Stats->created accessor for the time at the start of
the request.
Documentation:
- Fix POD to refer to ->config(key => $val), rather than
->config->{key} = $val, as the latter form is deprecated.
- Clearer docs for the 'uri_for' method.
- Fix POD referring to CGI::Cookie. We're using CGI::Simple::Cookie.
(Forrest Cahoon)
pkgsrc changes:
- Correcting license definition
Upstream changes:
0.26 Mon Aug 24 16:11:37 PDT 2009
- Work around not to expose Catalyst specific stash variables
(Chris Prather)
pkgsrc changes:
- Correcting license definition
- prevent Module::Install::AutoInstall from installing
Upstream changes:
0.30 2009-09-12 23:47:00
- Doc fixes:
+ Expand ::V:: to ::View:: (RT #45792)
+ Expand ::C:: to ::Controller:: and use $c->view('TT')
where appropriate (bricas)
+ Add note about use CGI in a template making Catalyst hang
(Gunnar Strand)
- "use warnings" in Catalyst::View::TT and output from the TT helper
- Expand TTSite documentation (RT #33838)
- Added a test for direct rendering of a template from a view object,
without a request.
- Added support for running render with an undef context.
pkgsrc changes:
- Adjusting license definition
Upstream changes:
0.18 Sat, 22 Aug 2009 21:17:52 +0200
- Make it work with Catalyst::Runtime 5.80010.
- Fix warnings in the test suite.
as full release.
And add updated fckeditor for Geeklog.
These updates should fix known security problems, Secunia SA36372.
Jul 30, 2009 (1.5.2sr5)
------------
This release addresses the following security issues:
- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
email a story to a friend.
- The "Mail Story to a Friend" function didn't check story permissions, so that
it was possible to email a story even if you didn't have the permissions to
view it on the site.
Upstream changes:
Version 3.47
Re-release of 3.46, which did not contain a proper MANIFEST
Version 3.46
[BUG FIXES]
1. In CGI::Pretty, we no longer add line breaks after tags we claim not to format. Thanks to rrt, Bob Kuo and
Mark Stosberg. (RT#42114).
2. unescapeHTML() no longer falsely recognizes certain text as entities. Thanks to Pete Gamanche, Mark Stosberg
and Bob Kuo. (RT#39122)
3. checkbox_group() now correctly includes a space before the "checked" attribute.
Thanks to Andrew Speer and Bob Kuo. (RT#36583)
4. Fix case-sensitivity in http() and https() according to docs. Make https()
return list of keys in list context. Thanks to riQyRoe and Rhesa Rozendaal. (RT#12909)
5. XHTML is now automatically disabled for HTML 4, as well as HTML 2 and HTML 3. Thanks to
Dan Harkless and Yanick Champoux. (RT#27907)
6. Pre-compiling 'end_form' with ':form' switch now works. Thanks to ryochin and Yanick Champoux. (RT#41530)
7. Empty name/values pairs are now properly saved and restored from filehandles. Thanks to rlucas and
Rhesa Rozendaal (RT#13158)
8. Some differences between startform() and start_form() have been fixed. Thanks to Slaven Rezic and
Shawn Corey. (RT#22046)
9. url_param() has been updated to be more consistent with the documentation and param().
Thanks to Britton Kerin and Yanick Champoux. (RT#43587)
10. hidden() now correctly supports multiple default values.
Thanks to david@dierauer.net and Russell Jenkins. (RT#20436)
11. Calling CGI->new() no longer clobbers the value of $_ in the current scope.
Thanks to Alexey Tourbin, Bob Kuo and Mark Stosberg. (RT#25131)
12. UTF-8 params should not get double-decoded now.
Thanks to Yves, Bodo, Burak Gürsoy, and Michael Schout. (RT#19913)
13. We now give objects passed to CGI::Carp::die a chance to be stringified.
Thanks to teek and Yanick Champoux (RT#41530)
14. Turning off autoEscape() now only affects the behavior of built-in HTML
generation functions. Explicit calls to escapeHTML() always escape HTML regardless
of the setting. Thanks to vindex, Bob Kuo and Mark Stosberg (RT#40748)
15. In CGI::Fast, preferences set via pragmas are now preserved.
Thanks to heinst and Mark Stosberg (RT#32119)
[DOCUMENTATION]
1. remote_addr() is now documented. Thanks to Yanick Champoux. (RT#38884)
2. In CGI::Pretty, the list of tags left unformatted was updated to match the code. Thanks to Mark Stosberg. (RT#42114)
3. In CGI::Pretty, performance concerns are now documented. Thanks to Jochen, Rhesa Rozendaal and Mark Stosberg (RT#13223)
4. A number of outdated Netscape references have been removed. Thanks to Mark Stosberg.
5. The documentation has been purged of examples of using indirect object notation. Thanks to Mark Stosberg.
6. Some POD formatting was fixed. Thanks to Dave Mitchell (RT#48935).
7. Docs and examples were updated to highlight start_form instead of startform.
Thanks to Slaven Rezic.
8. Note that CGI::Carp::carpout() doesn't work with in-memory filehandles.
Thanks to rhubbell and Mark Stosberg.
9. The documentation for the -newstyle_urls is now less confusing.
Thanks to Ryan Tate and Mark Stosberg (RT#49454)
[INTERNALS]
1. Quit bundling an ancient copy of Test::More and using a custom 'lib' path for the tests. Instead, Test::More
is now a dependency. Thanks to Ansgar and Mark Stosberg (RT#48811)
2. Automated tests for hidden() have been added, thanks to Russel Jenkins and Mark Stosberg (RT#20436)
3. t/util.t has been updated to use Test::More instead of a home-grown test function. Thanks to Bob Kuo.
=============================
1.17 [20Aug2009]
---------------
- Add bug links in revision informations (Alexandre Garnier, #314052)
- Make sure that binary files aren't annotated. (Martin Albisetti,
#258848)
- Loggerhead now serves bzr branches over HTTP and exposes the URL
to branch them. Addresses bug #240577. (Jonathan Lange)
- Leading blank lines in commit messages no longer result in an
empty summary. (Colin Watson)
- Added optional syntax highlighting to annotate view using
python-pygments. Partially addresses bug #306631. (Peter Bui)
- Convert newlines in commit messages to HTML line breaks for
annotate and changelog views. Addresses bug #273688. (Peter
Bui)
- serve-branches now errors if run behind a proxy without
paste.deploy installed. (Michael Hudson)
- Loggerhead should now handle file and directory names that need
URL escaping without crashing.
- The start-loggerhead script properly sets the wsgi.url_scheme
from the server.webpath option. (neror, #260547)
- The revision page defaults to unified style again, and can
convert to a side-by-side view using JavaScript. (Michael Hudson)
- Clean up and improve performance of the annotate view. (Michael
Hudson)
- Finish converting JavaScript from MooTools to YUI 3. (Michael
Hudson)
- Improve compatibility with IE 6. (Michael Hudson)
- Leading blank lines in commit messages no longer result in an
empty summary. (Colin Watson)
- Clip long lines in side-by-side diff view. (Michael Hudson,
#334837)
- The user-confusing "next" and "previous" links now read "older"
and "newer" respectively. (Michael Hudson, #297930)
- The annotate view now contains line number anchors. (Michael
Hudson)
- Fix inventory pages using "//" in links. (Michael Hudson, #329668)
- Fix problems viewing files and directories containing spaces and
other funny characters. (Peter Bui)
- Changelog messages are now displayed with newlines preserved.
(Peter Bui, #273688)
- Offer a link to see the full file diffs for a file path. (Michael
Hudson, #333797)
- Fix annotate error caused by Pygments stripping trailing
whitespace. (Michael Hudson, #338762)
- Loggerhead can be installed as a Bazaar plugin and run by
'bzr serve --http'. (Martin Pool)
- Load parts of the changelog and revision pages via XMLHttpRequest
to improve performance. This adds a dependency on simplejson or
json. Partially addresses bug #253950. (Michael Hudson)
- Various improvements to the animation JavaScript. (Michael Hudson)
- Fix HTML content of source files being displayed unescaped when
Pygments was unavailable. (Michael Hudson, #344970)
- Fix serve-branches's path argument. (Michael Hudson, #353230)
- serve-branches now has an option, --use-cdn, to load YUI from
Yahoo!'s CDN. (Matt Nordhoff)
- Fix certain race conditions for loading bzr-search. (Robert
Collins, #334250)
- Fix errors when using serve-branches --log-folder or --user-dirs.
(It was calling config.get_option() incorrectly.) (Matt Nordhoff,
bug #361238)
- Move some caching from RAM to the disk, and other caching and
memory usage improvements. (Michael Hudson)
- Add a --cache-dir option to serve-branches to choose where to
place the SQL cache, and only create one temporary SQL dir per
process. (Matt Nordhoff, #358322)
- Replace homebrew memory profiling code with Dozer. (Paul Hummer)
- Use the branch's public_branch as the default suggested URL to
branch from (Matt Nordhoff, #369767)
- Fix a file descriptor leak (Matt Nordhoff, #370845)
- Use transport API internally, so it is possible to specify a remote
URL to serve-branches. (Jelmer Vernooij, #371787)
- Fix internal server errors when using start-loggerhead. (Matt
Nordhoff, #375948)
- Fix annotating non-UTF-8 files when Pygments is disabled. (Matt
Nordhoff, #376957)
- Fix 'bzr serve --http' errors. (Matt Nordhoff, #377551)
- Added the option to hide branches by setting http_serve = False
in locations.conf (Martin Albisetti)
- Fix serving branches over HTTP. (Matt Nordhoff, Jelmer Vernooij,
#380026)
- Install loggerhead as a bzr plugin by default (Jelmer Vernooij)
- Fix logging 404 Not Found responses (Matt Nordhoff, #381029)
- Bumped minimum bzrlib version to 1.13 (Martin Albisetti)
- Make sure the Atom feeds (nearly) validate. (Matt Nordhoff, #247162)
- Support serving branches over HTTP using the smart server protocol.
(Jelmer Vernooij, #306853)
- Serving branch data was broken when --allow-writes was *not*
passed. (Michael Hudson, #388730)
- http_serve config values are interpreted more forgivingly.
(Michael Hudson)
- When specifying a remote url to serve-branches, do not share
connections between threads. (Michael Hudson, #390972)
- http_serve values from locations.conf are now applied to
non-branch .bzr data (e.g shared repositories). (Michael Hudson)
- tags are now displayed. (Cris Boylan, Alexandre Garnier, Michael
Hudson, #246739)
- Display Loggerhead's version number at the bottom of the page, and
add a <meta> generator tag also including the version numbers of
its dependencies. (Matt Nordhoff, #370155)
Changes to squid-3.0.STABLE19 (06 Sep 2009):
- Bug 2745: Invalid Response error on small reads
- Bug 2739: DNS resolver option ndots can't be parsed from resolv.conf
- Bug 2734: some compile errors on Solaris
- Bug 2648: stateful helpers stuck in reserved if client disconnects while helper busy
- Bug 2541: Hang in 100% CPU loop while extracting header details using a delimiter other than comma
- Bug 2362: Remove support for deferred state in stateful helpers
- Add 0.0.0.0 as a to_localhost address
- Docs: Improve chroot directive documentation slightly
- Fixup libxml2 include magics, was failing when a configure cache was used
- ... and some minor testing improvements.
Version 2.7.3 (2009-09-06)
--------------------------
- Added dynamic spellchecker languages to TinyMCE
- Added pseudo entities [{] and [}] to output insert tags
- Fixed issue with breadcrumb menu not handling redirect pages
- Fixed issue with incorrect row count in forms with hidden fields
- Fixed issue with empty rows in memberlists without username (#929)
- Fixed issue with event feeds containing foreign entries (#866)
- Fixed issue with certain multi-day events not being calculated correctly (#855)
- Fixed issue with empty keywords being added to the meta keywords tag (#540)
- Fixed issue with navigation icons not being disabled in the template editor (#761)
- Fixed issue with insert tag "user" not formatting its output (#957)
- Fixed issue with backlinks not being exempt from the search index (#896)
- Fixed issue with special characters in file names not being decoded properly (#877)
- Fixed issue with default user and group not being applied (#888)
- Fixed issue with missing "readonly" attribute of text field widgets (#901)
- Fixed issue with group login page overriding option "last page visited" (#916)
- Fixed issue with thumbnails of large images exceeding the memory limit (#922)
- Fixed issue with subscriptions being activated upon registration (#881)
- Fixed a few issues with the style sheet importer (#838)
- Fixed various spelling issues (#942)
- Fixed a few minor issues
It seems that one typo was fixed in
application/controllers/ToolController.class.php.
Introduce DIST_SUBDIR and bump PKGREVISION. Should fix PR pkg/41999.
Changelog
=========
Since 1.5.2
-----------
- bugfix: Cannot create companies with normal user without the
"Can manage contacts" permission
- bugfix: Auto-upgrade feedback fixed.
- bugfix: Fixed a problem when classifying email (attachments were added
as new versions of existing files).
- bugfix: Allow email addresses with single quote
- bugfix: Changed several "substr" for "utf8_substr" to avoid errors like
"null" on dashboard.
- bugfix: Added a default address when sending email reminders.
Fixes problems when sending reminders.
- bugfix: Fixed some display issues with the "Close" button in objects' view.
- bugfix: Fixed a problem that would cause the Overview to be loaded
on every tab when clicking the "All" workspace.
- bugfix: Custom properties were not being kept when editing an object.
- bugfix: If a user is subscribed to an object and loses permissions to it
it will not receive notifications any more.
- bugfix: Error 500 when deleting a user.
- bugfix: Email body was not shown for html emails when ROOT_URL was relative.
- bugfix: Create user from contact was not allowed if user was linked
to a trashed contact, fix: contact is restored.
- bugfix: Task drag & drop does not allow drag from a workspace to another.
- bugfix: Saving workspace while rendering permissions was allowed, and
no permissions were saved.
- bugfix: When creating new workspace, user checkboxes did not
check/uncheck all permissions.
- bugfix: Internal server error when deleting user with its personal workspace.
- bugfix: Instantiating template without parameters was going back
instead of reloading.
- bugfix: Calendar views were not showing milestones assigned to everybody
when filtering by "my calendar".
- bugfix: In IE when expanding subtask list, the tasks below them did not
move aside.
- bugfix: Some mail contents were not included in reply or forward body.
- bugfix: Instantiating repeating tasks with subtasks did not put
correct status to some subtasks.
- bugfix: isToday function was not returning the correct value sometimes.
- bugfix: Csv export: when a field contains "," export is wrong, field
must be enclosed with quotes.
- bugfix: Importing more than one contact with no email address overwrites
the previous one.
- bugfix: Contacts are not linked to companies when importing from csv.
- bugfix: Subscribers and invitation lists were not showing users who have
group permissions but no individual permissions.
- bugfix: If an error occurs when sending a queued email the email is now
not deleted.
- bugfix: Mindmap viewer overlaps object linker.
- bugfix: The "include subworkspaces" checkbox for the iCal feed was
being ignored.
- usability: The user is warned when searching for short strings.
Bug Fixes
1. Change to workaround problem where correct version of Python
framework isn't being found at run time and instead uses the standard
system one, which may be the wrong version. Change is for those Python
versions on MacOS X which include a .a in Python config directory,
which should be symlinked to framework, link against the .a
instead. For some reason, doing this results in framework then being
picked up from the correct location.
This problem may well have only started cropping up at some point due
to a MacOS X Leopard patch update as has been noticed that Python
frameworks installed previously stopped being found properly when
mod_wsgi was subsequently recompiled against them. Something may
therefore have changed in compiler tools suite.
For more details see:
http://code.google.com/p/modwsgi/issues/detail?id=28
2. Remove isatty from Log object used for stdout/stderr. It should
have been a function and not an attribute. Even so, isatty() is not
meant to be supplied by a file like object if it is associated with a
file descriptor. Thus, packages which want to use isatty() are
supposed to check for its existence before calling it. Thus it wasn't
ever mod_wsgi that was wrong in not supplying this, but the packages
which were trying to use it.
For more details see:
http://code.google.com/p/modwsgi/issues/detail?id=146
* Included last fixes for 1.4 final.
* Some cleanup and fine work: added information about "-b" parameter to the
help output. Added "!" to the list of allowed characters in urls.
* Added a switch to turn on the progress bar.
* Bug fixes.
* Added MySQL support for authentication.
* [ Joey Hess ]
* po: Detect if nowrapi18n can't be passed to po4a, and warn about
the old version, but continue. Closes: #541205
* inline: Avoid use of my $_ as it fails with older perls.
Closes: #541215
* Add discussionpage configuration setting.
* Several optimisations, including speedups to orphans and brokenlinks
calculation.
* meta, img: Fix bugs in dependency code. (smcv)
* Allow building ikiwiki on systems w/o po4a --
building of the translated underlays will be skipped in this case.
* Add basic styling of po plugin's languages list.
* inline: Display an error if feedpages is specified and fails to match
due to a problem such as created_before being told to check against
a page that does not exist.
* Remove deprecated ikiwiki/blog and ikiwiki/preprocessordirective
pages from the basewiki.
* Updated French program translation from Philippe Batailler.
Closes: #542036
* po: Fixed to run rcs_add relative to srcdir.
* Italian program translation from Luca Bruno.
* Fix example blog's tags/life to not have a broken PageSpec.
Closes: #543510
* Optimize the dependencies list. This also fixes a bug
that could cause repeated refreshes of the wiki to grow
increasingly larger dependency lists, and get increasingly
slower. (smcv)
* Rebuild wikis on upgrade to this version to fix bloat caused
by the dependency bug.
* Further optimisation of dependency handling by adding a special
case for simple page dependencies. (smcv)
* htmltidy: Return an error message if tidy fails. Closes: #543722
* po: Fix name of translated toplevel index page. (intrigeri)
* po: Fix display of links from a translated page to itself (intrigeri)
* Add Czech basewiki translation from Miroslav Kure.
* po: fix interdiction to create pages of type po (intrigeri)
* po: favor the type of linking page's masterpage on page creation
(intrigeri)
* img: Don't generate new version of image if it is scaled to be
larger in either dimension.
* [ Josh Triplett ]
* teximg: Replace the insufficient blacklist with the built-in security
mechanisms of TeX. (CVE-2009-2944)
In order to fix a performance bug, all wikis need to be rebuilt on
upgrade to this version. If you listed your wiki in /etc/ikiwiki/wikilist,
use ikiwiki-mass-rebuild to force a rebuild.
While here,
* add user-destdir support
* convert dynamic PLIST to static one
* share/doc/html was deprecated, install in share/doc directly
* Remove restriction to python23, and change PKGNAME to allow creating
python variant packages.
This release addresses a vulnerability in mod_python's publisher handler
whereby a carefully crafted URL would expose objects that should not be
visible, leading to an information leak. The Common Vulnerabilities and
Exposures project (http://cve.mitre.org/) has assigned the name CAN-2005-0088
to this issue.
Users of the publisher handler are urged to upgrade as soon as possible.
left disabled by default. Correct me if I'm wrong but it feels like
most pkgsrc users don't use gnome. If someone can comment on the
benefits of these dependencies in the GNOME environment, speak up.
This Action handles doing automatic method dispatching for REST
requests. It takes a normal Catalyst action, and changes the dispatch
to append an underscore and method name.
For example, in the synopsis above, calling GET on "/foo" would
result in the foo_GET method being dispatched.
If a method is requested that is not implemented, this action will
return a status 405 (Method Not Found). It will populate the "Allow"
header with the list of implemented request methods. You can override
this behavior by implementing a custom 405 handler like so:
    sub foo_not_implemented {
        # ... handle not implemented methods ...
    }
If you do not provide an _OPTIONS subroutine, we will automatically
respond with a 200 OK. The "Allow" header will be populated with
the list of implemented request methods.
It is likely that you really want to look at Catalyst::Controller::REST,
which brings this class together with automatic Serialization of
requests and responses.
This module provides a simple one-subroutine "named parameters"
style interface for creating URIs. Underneath the hood it uses
URI.pm, though because of the simplified interface it may not
support all possible options for all types of URIs.
It was created for the common case where you simply want to have
a simple interface for creating syntactically correct URIs from
known components (like a path and query string). Doing this using
the native URI.pm interface is rather tedious, requiring a number
of method calls, which is particularly ugly when done inside a
templating system such as Mason or TT2.
Since 1.5.1
-----------
- bugfix: Tags permissions rollbacked. It caused errors in some mysql settings.
- bugfix: Document editor toolbar not shown correctly.
- bugfix: Invited users to an event weren't being shown when editing the event.
- bugfix: When subscribing users to an object through the object's view, the
users were not being notified.
- bugfix: When editing an object, selected subscribers were reset after
changing the object's workspace.
- bugfix: When instantiating a milestone template its subtasks were not added
to the same workspace.
- bugfix: Fixed performance issues when changing a workspace's parent on the
GUI.
- bugfix: Notes listing showed creator as last updater.
- bugfix: Cron events view wasn't converting times to user's timezone.
- bugfix: When filtering email by tag some extra email was shown.
- bugfix: Creating a template in IE wouldn't let you edit its properties.
- bugfix: Dragging a task in the calendar would throw an error.
- bugfix: "Can't open file" error when classifying email.
- bugfix: Linked objects listing was missing the drag handle.
- bugfix: Workspaces for classified Emails were not being shown on dashboard
viewed as list.
- bugfix: Error when deleting trashed emails from cron.
- bugfix: Error when instantiating templates with parameters assigned to a
project.
- bugfix: Instantiated template objects were not assigned to the current
workspace.
- langs: Added missing langs for tasks report fields.
- langs: Updated langs.
pkgsrc changes:
- Adding license
Upstream changes since 4.21:
4.31 Wed Jul 29, 2009
[FEATURES]
- html_tmpl_class() now allows setting an alternate HTML::Template class
at run time. This makes it easy to set the class to be
'HTML::Template::Dumper' for debugging. You can then see and precisely
test the Perl data structure that would be sent to your template, taking
into account the template tokens that are actually set there. (Mark Stosberg)
[DOCUMENTATION]
- More typo fixes (Lyle)
to 0.13
pkgsrc changes:
- Adjusting dependencies
Upstream changes:
0.13 2009-08-19
- Remove Test::MockObject from the test suite as prone to failing on
some platforms and perl versions due to its UNIVERSAL:: package
dependencies.
- Remove Class::Accessor::Fast and replace with Moose. This allows
us to not have a ->new method, This is more correct for Plugins
and also means that Catalyst is not forced to invoke the scary
replace_constructor at scope end handling.
pkgsrc changes:
- Adjusting dependencies according to META.yml
Upstream changes:
0.26 2009-08-19
- Remove Test::MockObject from the test suite as prone to failing on
some platforms and perl versions due to its UNIVERSAL:: package
dependencies.
pkgsrc changes:
- Adding license
- Removing dependency to CORE module Digest::MD5
Upstream changes:
2.05 - Thu May 14 18:37:07 PDT 2009
- Fixed bug in _get_cipher_type() where it was not memoizing the
Crypt::CBC objects.
- Fixed https://rt.cpan.org/Ticket/Display.html?id=45207
Hash keys for configuration values were wrong in several places.
- Improved test coverage a little.
pkgsrc changes:
- Adjusting dependencies (remove core module from extra dependencies)
- Adding license
Upstream changes:
1.07: 2009-08-05
- Skip the whole test when it can't bind to the specified private IP
(Tatsuhiko Miyagawa)
- Fix the way to get LWP error when it's set to X-Died instead of $@
(Zbigniew Lukasiak)
1.06: 2009-07-17
- explicitly load deprecated module LWP::Debug, now that it's not
loaded by default. (Tatsuhiko Miyagawa <miyagawa@gmail.com>)
1.05: 2009-06-21
- patch from Alessio Signorini <alessio.signorini@spryte.it> to
quiet a warning that could be triggered
1.04: 2008-10-30
- fix tests to no longer rely on my DNS servers, which had since migrated
to EasyDNS which doesn't allow the types of malicious records I was
testing for. instead, switch to a mock object resolver.
(Brad Fitzpatrick, brad@danga.com)
pkgsrc changes:
- Adding license (perl license)
Upstream changes:
0.40 Mon Aug 17 22:01:07 EDT 2009
* After a fork, we need to reset the random seed lest we have
duplicated random numbers in both forks.
0.39 Mon Aug 17 09:41:05 EDT 2009
* Added signature tests
0.38_04 Wed Aug 12 20:15:14 EDT 2009
Another pass at the Win32 fixes from KMX
0.38_03 Sat Apr 11 18:47:29 EDT 2009
* Subject: [rt.cpan.org #44961] [PATCH] xdg reports select() is problematic on win32
0.38_02 Fri Apr 10 20:57:19 EDT 2009
* Specify an HTTP version for our GETs should get escaping to work
0.38_01 Mon Mar 2 18:11:46 EST 2009
* http://rt.cpan.org/Ticket/Attachment/568795/286902/ from confound++ for
http://rt.cpan.org/Public/Bug/Display.html?id=28122
Upstream changes:
0.24 Tue Jul 21 21:28:02 CEST 2009
[ENHANCEMENTS]
- When a short-circuit response was sent, the next response
would not be filtered at all. This has been fixed.
[FIXES]
- yet another fix for t/23connect, proposed by Marek Rouchal
(closed RT ticket #38995) [test skipped for now]
- HTTP::Headers::Util's split_header_words() returns lower case
tokens/keys since October 6, 2008. Fix by Maurice Aubrey.
(closed RT tickets #43249, #43622)
Upstream changes:
1.60 Mon Aug 17 00:41:39 CDT 2009
========================================
No new features. Exists only to skip tests that always fail on
Windows.
Fixed up some minor documentation problems.
pkgsrc changes:
- Adjusting license (now we have ${PERL5_LICENSE})
Upstream changes:
0.25 2009-0708
- Add a change_session_id method which can be called after
authentication to change the user's session cookie whilst preserving
their session data. This can be used to provide protection from
Session Fixation attacks. (kmx)
pkgsrc changes:
- Require Catalyst 5.8 in general
Upstream changes:
0.27 Thu Aug 13 2009
- Require Catalyst 5.8 for tests that use ctx_request() (RT #48651)
0.26 Mon Aug 10 2009
- Fix test to not need "parent" (RT #48547)
- Do not localize %ENV, rather, remove potentially conflicting
k-v pairs (RT #48557)
0.25 Fri Aug 07 2009
- Fix get_config_local_suffix and get_config_path when finding values
from ENV vars (RT #47937)
pkgsrc changes:
- Updating MASTER_SITES
- Adding license (perl license)
- Adjusting dependencies
Upstream changes:
0.05 7 August 2009
- Fix a minor documentation problem. Reported by Eric Prestemon.
(Closes RT#48487)
- Switch from Class::C3 to MRO::Compat.
0.04 16 July 2009
- If no arguments are supplied, then construct new objects with {}
by default, rather than undef, as Moose classes fail if given undef.
pkgsrc changes:
- Adjust dependencies according to META.yml
Upstream changes:
0.08 2009-07-29 23:39:30
- Require Module::Pluggable 3.9 to avoid test failures.
- More verbose error when traits cannot be found, including full search path.
0.07 2009-07-26 15:11:55
- fix incompatibility with perl 5.8
0.06 2009-07-20 21:44:13
- configurable trait merging support
0.05 2009-07-17 23:46:43
- Correctly pass the application class into component constructors
0.04 2009-07-16 13:01:02
- updated algorithm to handle CatalystX:: namespaced things
Changes:
* implemented KrbServiceName Any to deal with multiple keytab entries for
various browsers
* implemented KrbLocalUserMapping i.e. to strip @REALM from username for
further use
* implemented already_succeeded function to avoid hammering the KDC with
same auth requests in single connection
* fixed threading issues
* improved configure and Makefile scripts (mainly for BSD users)
* fixed minor issues
Upstream changes:
2009-08-14 Release 1.40 - Gisle Aas <gisle@ActiveState.com>
Even stricter test for working DNS, 2nd try.
2009-08-13 Release 1.39 - Gisle Aas <gisle@ActiveState.com>
Even stricter test for working DNS, hopefully this gets rid of the rest of
the heuristics.t failures.
Upstream changes:
2009-08-13 Release 3.62
Ville Skyttä (4):
HTTP::Header doc typo fix.
Do not bother tracking style or script, they're ignored.
Bring HTML 5 head elements up to date with WD-html5-20090423.
Improve HeadParser performance.
Gisle Aas (1):
Doc patch: Make it clearer what the return value from ->parse is
Upstream changes:
Version 3.45
[BUG FIXES]
1. Prevent warnings about "uninitialized values" for REQUEST_URI, HTTP_USER_AGENT and other environment variables.
Patches by Callum Gibson, heiko and Mark Stosberg. (RT#24684, RT#29065)
2. Avoid death in some cases when running under Taint mode on Windows.
Patch by Peter Hancock (RT#43796)
3. Allow 0 to be used as a default value in popup_menu(). This was broken starting in 3.37.
Thanks to Haze, who was the first to report this and supply a patch, and pfschill, who pinpointed
when the bug was introduced. A regression test for this was also added. (RT#37908)
4. Allow "+" as a valid character in file names, which fixes temp file creation on OS X Leopard.
Thanks to Andy Armstrong, and alech for patches. (RT#30504)
5. Set binmode() on the Netware platform, thanks to Guenter Knauf (RT#27455)
6. Don't allow a CGI::Carp error handler to die recursively. Print a warning and exit instead.
Thanks to Marc Chantreux. (RT#45956)
7. The Dump() method now is fixed to escape HTML properly. Thanks to Mark Stosberg (RT#21341)
8. Support for <optgroup> with scrolling_list() now works the same way as it does for popup_menu().
Thanks to Stuart Johnston (RT#30097)
9. CGI::Pretty now works properly when $" is set to ''. Thanks to Jim Keenan (RT#12401)
10. Fix crash when used in combination with PerlEx::DBI. Thanks to Burak Gürsoy (RT#19902)
[DOCUMENTATION]
1. Several typos were fixed, Thanks to ambs. (RT#41105)
2. A typo related to the nosticky pragma was fixed, thanks to Britton Kerin. (RT#43220)
3. examples/nph-clock.cgi is now more portable, by calling localtime() rather than `/bin/date`,
thanks to Guenter Knauf. (RT#27456).
4. In CGI::Carp, the SEE ALSO section was cleaned up, thanks to Slaven Rezic. (RT#32769)
5. The docs for redirect() were updated to reflect that most headers are
ignored during redirection. Thanks to Mark Stosberg (RT#44911)
[INTERNALS]
1. New t/unescapeHTML.t test script has been added. It includes a TODO test for a pre-existing
bug which could use a patch. Thanks to Pete Gamache and Mark Stosberg (RT#39122)
2. New test scripts have been added for user_agent(), popup_menu() and query_string(), scrolling_list() and Dump()
Thanks to Mark Stosberg and Stuart Johnston. (RT#37908, RT#43006, RT#21341, RT#30097)
3. CGI::Carp and CGI::Util have been updated to have non-developer version numbers.
Thanks to Slaven Rezic. (RT#48425)
4. CGI::Switch and CGI::Apache now properly set their VERSION in their own name space.
Thanks to Alexey Tourbin (RT#11941,RT#11942)
for SVN::WEB (www/p5-SVN-WEB).
Template::Plugin::Subst acts as a filter and a virtual method to carry out
regular expression substitutions with back references on text and variables
in the Template Toolkit.
version 0.01 as dependency of SVN::WEB (www/p5-SVN-WEB).
Template::Plugin::Clickable::Email converts any e-mail addresses found in
the filtered text in to HTML mailto: links.
version 20090319 as dependency for scheduled import of
www/p5-Template-Plugin-Clickable.
URI::Find does one thing: Finds URIs and URLs in plain text. It finds
them quickly and it finds them all (or what URI::URL considers a URI to
be.) It only finds URIs which include a scheme (http:// or the like),
for something a bit less strict have a look at included
URI::Find::Schemeless.
=== 1.2.4 ===
Jan 22, 2009 (revision 603)
- Added a new AtomPubClient class (and supporting classes) which begins a
foundation on which support for version two of the Google Data protocol
will be built.
- OAuth methods can now specify the desired OAuth server with the default
being the Google Accounts end point (thanks Dag Brattli!).
- Improved support for unicode strings in XML element class attributes and
text nodes (thanks again to Dag).
- Fixed constructors for Service classes which inherit from GDataService
to ensure that all parameters are passed up to the superclass
constructor (thanks Guillaume Ryder!).
- Added a 'contact_list' property to ContactsService to simplify API usage
for shared contacts (thanks Guillaume once again).
- For Google Contacts, added a GetFeedUri method to help users generating
feed URIs (Guillaume for a hat-trick).
- New unit tests to ensure that the ordering of entry objects within a feed
is preserved when converting to and from XML.
=== 1.2.3 ===
Dec 3, 2008 (revision 585)
- Added support for OAuth (thanks to Kunal Shah!). Your client can now obtain
an authorization token using the OAuth protocol.
- Added support for Secure AuthSub (thanks Eric Bidelman!). Your client can
digitally sign requests using RSA allowing Google service to verify that
the request came from your application.
- Added a new module for parsing XML which will be used in future versions to
support version of the Google Data APIs protocol. This new library handles
versioning of XML schemas.
- The Google Contacts API sample now pages through results.
- Added phone number rel types used in the Google Contacts API.
- The YouTube service module will use cElementTree if it is available.
Improves XML parsing speed.
- Fixed typo in gdata.geo, changed longtitude to longitude but kept an alias
for backwards compatibility.
- Fixed Blogger's GetBlogId regular expressions to extract the ID from
multiple kinds of entries.
- Fixed type check in atom.http to allow unicode URL strings.
- Added webmastertools test to the packaged download which fixed failures
when running all data tests.
- Improved compatibility of unit tests with Python2.3.
- Added copies of tlslite and dependencies to support secure AuthSub and
OAuth.
- Changed the default host for Google Apps API requests to
apps-apis.google.com.
=== 1.2.2 ===
Oct 15, 2008 (revision 556)
- Added support for the following APIs:
Google Apps Email Migration API
Google Apps Email Settings API
Google Webmaster Tools Data API
Some modules for the above are not yet fully tested, so please file an
issue if you notice something is not working as expected.
- Restored support for gdata.http_request_handler when using App Engine to
preserve backwards compatibility.
- Simplified auth token management by adding a current_token member to
service classes. Also added settings to control when the token_store
is updated when using SetXToken() methods. The token_store will only be
queried if there is no current_token.
- Fixed issue with requests to HTTPS URLs in which an AuthSub token was seen
as invalid because the request contained the default port number (443).
The library no longer includes the port in the Host header if it is using
the default.
- Resolved issues with YouTube token scopes.
- Fixed issue which appeared when the Calendar API issues a redirect to a
PUT request. The library now correctly retries with a PUT (instead of
a POST).
- Added workaround for differences in how the App Engine SDK handles
redirects.
- Fixed typo in gdata.EntryLink declaration.
- Fixed invalid host errors seen when using some HTTP proxies.
Version 7.19.6 (12 August 2009)
Daniel Stenberg (12 Aug 2009)
- Carsten Lange reported a bug and provided a patch for TFTP upload and the
sending of the TSIZE option. I don't like fixing bugs just hours before
a release, but since it was broken and the patch fixes this for him I decided
to get it in anyway.
Daniel Stenberg (11 Aug 2009)
- Peter Sylvester made the HTTPS test server use specific certificates for
each test, so that the test suite can now be used to actually test the
verification of cert names etc. This made an error show up in the OpenSSL-
specific code where it would attempt to match the CN field even if a
subjectAltName exists that doesn't match. This is now fixed and verified
in test 311.
- Benbuck Nason posted the bug report #2835196
(http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler
warnings when mixing ints and bools.
Daniel Fandrich (10 Aug 2009)
- Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow.
Daniel Fandrich (9 Aug 2009)
- Fixed some memory leaks in the command-line tool that caused most of the
torture tests to fail.
Daniel Stenberg (2 Aug 2009)
- Curt Bogmine reported a problem with SNI enabled on a particular server. We
should introduce an option to disable SNI, but as we're in feature freeze
now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
option for SNI, or are we simply not using it?
Daniel Stenberg (1 Aug 2009)
- Scott Cantor posted the bug report #2829955
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
verification flaw found and exploited by Moxie Marlinspike. The presentation
he did at Black Hat is available here:
https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
Apparently at least one CA allowed a subjectAltName or CN that contain a
zero byte, and thus clients that assumed they would never have zero bytes
were exploited to OK a certificate that didn't actually match the site. Like
if the name in the cert was "example.com\0theatualsite.com", libcurl would
happily verify that cert for example.com.
libcurl now better uses the length of the extracted name, not using the zero
termination for getting the string length.
This fix was only made and needed in the OpenSSL interfacing code.
- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present
only in some OpenSSL installs - like on Windows) isn't thread-safe and we
agreed that moving it to the global_init() function is a decent way to deal
with this situation.
- Alexander Beedie provided the patch for a noproxy problem: If I have set
CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually
could still end up using a proxy if a proxy environment variable was set.
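Two entries above concern certificate name checking: the 11 Aug entry (matching the CN even though a non-matching subjectAltName exists) and the 1 Aug entry (names containing a zero byte). The following C program is an added example, not libcurl's code; the struct layout, function names and sample names are assumptions constructed for illustration, and wildcard matching is left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A name as extracted from a certificate: bytes plus an explicit length,
   because the encoded string may contain zero bytes. */
struct cert_name { const char *data; size_t len; };

/* Hypothetical model of the identity fields of one certificate. */
struct cert_identity {
  const struct cert_name *alt_names; /* subjectAltName dNSName entries */
  size_t num_alt_names;
  struct cert_name common_name;      /* subject CN */
};

enum { VERIFY_OK = 0, VERIFY_MISMATCH = 1 };
typedef int (*match_fn)(const struct cert_name *name, const char *host);

/* ASCII case-insensitive comparison of exactly n bytes. */
static int ascii_ieq(const char *a, const char *b, size_t n)
{
  size_t i;
  for(i = 0; i < n; i++)
    if(tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
      return 0;
  return 1;
}

/* Flawed form: the length comes from zero termination, so everything after
   an embedded zero byte is silently ignored. The sample data below is
   zero-terminated, so strlen() is safe here. */
static int name_matches_cstring(const struct cert_name *name, const char *host)
{
  size_t n = strlen(name->data);
  return n == strlen(host) && ascii_ieq(name->data, host, n);
}

/* Corrected form: use the extracted length and reject embedded zero bytes. */
static int name_matches_checked(const struct cert_name *name, const char *host)
{
  size_t hostlen = strlen(host);
  if(name->len == 0 || memchr(name->data, '\0', name->len) != NULL)
    return 0;
  return name->len == hostlen && ascii_ieq(name->data, host, hostlen);
}

/* With always_try_cn = 0 the CN is consulted only if the certificate has no
   subjectAltName entries at all. always_try_cn = 1 models the behaviour the
   11 Aug entry describes as an error. */
static int verify_host(const struct cert_identity *id, const char *host,
                       match_fn match, int always_try_cn)
{
  size_t i;
  for(i = 0; i < id->num_alt_names; i++)
    if(match(&id->alt_names[i], host))
      return VERIFY_OK;
  if(id->num_alt_names > 0 && !always_try_cn)
    return VERIFY_MISMATCH;
  return match(&id->common_name, host) ? VERIFY_OK : VERIFY_MISMATCH;
}

/* Constructed sample data. sizeof - 1 keeps the bytes after the zero byte. */
#define NAME(s) { s, sizeof(s) - 1 }
static const struct cert_identity nul_cert =
  { NULL, 0, NAME("example.com\0other.example") };
static const struct cert_name san_names[] = { NAME("www.example.com") };
static const struct cert_identity san_cert =
  { san_names, 1, NAME("cn.example") };

int main(void)
{
  printf("zero-byte CN, strlen-based match:  %d\n",
         verify_host(&nul_cert, "example.com", name_matches_cstring, 0));
  printf("zero-byte CN, length-aware match:  %d\n",
         verify_host(&nul_cert, "example.com", name_matches_checked, 0));
  printf("SAN present, CN fallback allowed:  %d\n",
         verify_host(&san_cert, "cn.example", name_matches_checked, 1));
  printf("SAN present, CN fallback disabled: %d\n",
         verify_host(&san_cert, "cn.example", name_matches_checked, 0));
  return 0;
}
```

A result of 0 is VERIFY_OK and 1 is VERIFY_MISMATCH; the first and third calls show the two flawed behaviours accepting a certificate that the corrected logic rejects.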
Daniel Stenberg (27 Jul 2009)
- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and
CURLOPT_PREQUOTE) now accept a preceding asterisk before the command to
send when using FTP, as a sign that libcurl shall simply ignore the response
from the server instead of treating it as an error. Not treating a 400+ FTP
response code as an error means that failed commands will not abort the
chain of commands, nor will they cause the connection to get disconnected.
Daniel Stenberg (26 Jul 2009)
- Johan van Selst posted bug report #2825989
(http://curl.haxx.se/bug/view.cgi?id=2825989) pointing out that
OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and
provided the solution too: to use OpenSSL_add_all_algorithms() in addition
to the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in
OpenSSL 0.9.5
Daniel Stenberg (23 Jul 2009)
- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA.
They introduce known_host support for SSH keys to libcurl. See docs for
details. Note that this feature depends on a new enough libssh2 version, to
be supported in libssh2 1.2 and later (or current git repo at this time).
Michal Marek (22 Jul 2009)
- David Binderman found a memory and fd leak in lib/gtls.c:load_file()
(https://bugzilla.novell.com/523919). When looking at the code, I found that
also the ptr pointer can leak.
Kamil Dudka (20 Jul 2009)
- Claes Jakobsson improved the support for client certificates handling in
NSS-powered libcurl. Now the client certificates can be selected
automatically by a NSS built-in hook. Additionally pre-login to all PKCS11
slots is no more performed. It used to cause problems with HW tokens.
- Fixed reference counting for NSS client certificates. Now the PEM reader
module should be always properly unloaded on Curl_nss_cleanup(). If the
unload fails though, libcurl will try to reuse the already loaded instance.
Daniel Fandrich (15 Jul 2009)
- Added nonblock.c to the non-automake makefiles (note that the dependencies
in the Watcom makefiles aren't quite correct).
Michal Marek (15 Jul 2009)
- Changed the description of CURLINFO_OS_ERRNO to make it clear that the
errno is not reset on success.
Guenter Knauf (14 Jul 2009)
- renamed generated config.h to curl_config.h to avoid any future clashes
with config.h from other projects.
Daniel Stenberg (9 Jul 2009)
- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for
setting a file descriptor non-blocking. Used by the functionality Eric
himself brought on June 15th.
Daniel Stenberg (8 Jul 2009)
- Constantine Sapuntzakis posted bug report #2813123
(http://curl.haxx.se/bug/view.cgi?id=2813123) and a patch that fixes the
problem:
Url A is accessed using auth. Url A redirects to Url B (on a different
server). Url B reuses a persistent connection. Url B has auth, even though
it's on a different server.
Note: if Url B does not reuse a persistent connection, auth is not sent.
reason:
data->state.first_host is not initialized because Curl_http_connect is not
called when a connection is reused.
Solution:
move initialization of data->state.first_host to Curl_http. No code before
Curl_http uses data->state.first_host anyway.
Guenter Knauf (4 Jul 2009)
- Markus Koetter provided a patch to avoid getnameinfo() usage which broke a
couple of both IPv4 and IPv6 autobuilds.
Daniel Stenberg (29 Jun 2009)
- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port
range if given colon-separated after the host name/address part. Like
"192.168.0.1:2000-10000"
- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I
don't know how they got wrong in the first place, but using this output
format makes it possible to quite easily separate the string into an array
of multiple items.
Daniel Fandrich (16 June 2009)
- Added a few more compiler warning options for gcc.
Daniel Stenberg (16 Jun 2009)
- Reuven Wachtfogel made curl -o - properly produce a binary output on windows
(no newline translations). Use -B/--use-ascii if you rather get the ascii
approach.
Michal Marek (16 Jun 2009)
- When doing non-anonymous ftp via http proxies and the password is not
provided in the url, add it there (squid needs this).
Daniel Stenberg (15 Jun 2009)
- Eric Wong's patch:
This allows curl(1) to be used as a client-side tunnel for arbitrary stream
protocols by abusing chunked transfer encoding in both the HTTP request and
HTTP response. This requires server support for sending a response while a
request is still being read, of course.
If attempting to read from stdin returns EAGAIN, then we pause our sender.
This leaves curl to attempt to read from the socket while reading from stdin
(and thus sending) is paused.
This change was needed to allow successfully tunneling the git protocol over
HTTP (--no-buffer is needed, as well).
Patrick Monnerat (15 Jun 2009)
- Replaced use of standard C library rand()/srand() by our own pseudo-random
number generator.
Yang Tse (11 Jun 2009)
- I adapted testcurl script to allow building test harness programs when
cross-compiling for a *-*-mingw* host.
Daniel Stenberg (10 Jun 2009)
- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings and
contributed a range of patches to fix them.
Yang Tse (10 Jun 2009)
- I introduced configure script option --enable-curldebug which now allows
the decoupled enabling or disabling of the curl debug memory tracking
feature from the --enable-debug option which no longer controls this.
curl --version will list 'Debug' feature for debug enabled builds, and
will list 'TrackMemory' feature for curl debug memory tracking capable
builds. These features are independent and can be controlled when running
the configure script. When --enable-debug is given both features will be
enabled, unless some restriction prevents memory tracking from being used.
Internally, definition of preprocessor symbol DEBUGBUILD restricts code
which is only compiled for debug enabled builds. And symbol CURLDEBUG is
used to differentiate code which is _only_ used for memory tracking.
Yang Tse (9 Jun 2009)
- Daniel Steinberg pointed out that Curl_FormInit() in formdata.c was not
initializing the fread callback pointer and this triggered a compiler
warning, also provided a friendly suggestion on how to fix it.
Daniel Stenberg (8 Jun 2009)
- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
issue with client certs that caused issues like segfaults.
http://curl.haxx.se/mail/lib-2009-05/0316.html
- Triggered by bug report #2798852 and the patch in there, I fixed configure
to detect gnutls build options with pkg-config only and not libgnutls-config
anymore since GnuTLS has stopped distributing that tool. If an explicit path
is given to configure, we will instead guess on how to link and use that
lib. I did not use the patch from the bug report.
Yang Tse (8 Jun 2009)
- Igor Novoseltsev adjusted Makefile.vxworks to get sources and headers
included from Makefile.inc, and provided docs\INSTALL VxWorks section.
- I removed buildconf.bat from release and daily snapshot archives. This
file is only for CVS tree checkout builds.
Daniel Stenberg (8 Jun 2009)
- Eric Wong fixed --no-buffer to actually switch off output buffering. Been
broken since 7.19.0
Bill Hoffman (6 Jun 2009)
- Added some cmake docs and fixed socklen_t in the build.
Yang Tse (5 Jun 2009)
- John E. Malmberg provided VMS specific patch: "This fixes an existing bug
in urlglob.c where it was not converting the Curl Unix exit code to a VMS
DCL compatible exit code. This fix required the enhancement described next.
This also adds an enhancement to main.c so that when curl is run under a
Unix shell like Bash on VMS, it will return the standard Unix exit codes
and messages." And another patch for docs/examples.
I introduced os-specific.c and os-specific.h for use in curl tool code
and adjusted John E. Malmberg's patch placement to use these new files
as an effort to prevent main.c from growing ad infinitum. Code already
existing in main.c which is OS specific should be moved into these files.
Daniel Stenberg (4 June 2009)
- Setting the Content-Length: header from your app when you do a POST or PUT
is almost always a VERY BAD IDEA. Yet there are still apps out there doing
this, and now recently it triggered a bug/side-effect in libcurl as when
libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
knows it will just get a 401/407 back. If the app then replaced the
Content-Length header, it caused the server to wait for input that libcurl
wouldn't send. Aaron Oneal reported this problem in bug report #2799008
(http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
Yang Tse (4 Jun 2009)
- Igor Novoseltsev provided patches and information, that after some
adjustments to better fit curl's way of doing things, have resulted
in the possibility of building libcurl for VxWorks.
Daniel Fandrich (2 June 2009)
- Checked in a Google Android make file. To use it, you must first
create a config.h file by running configure in the Android environment,
which doesn't seem to be easy to do. If no easy way can be found, a
static config-android.h may need to be created and checked in to the
libcurl source tree.
Daniel Stenberg (1 June 2009)
- Claes Jakobsson fixed the configure script to better find and use NSS
without pkg-config.
Yang Tse (1 Jun 2009)
- John E. Malmberg provided a VMS specific clean-up for curl.h, and pointed
out that the configure script was failing to detect the timeval struct on
VMS when building with _XOPEN_SOURCE_EXTENDED undefined due to definition
taking place in socket.h instead of time.h. I have adjusted configure
script to also include this header when checking struct timeval.
Daniel Stenberg (27 May 2009)
- Frank McGeough provided a small OpenSSL #include fix to make libcurl compile
fine with Nokia 5th edition 1.0 SDK for Symbian.
- Andre Guibert de Bruet found a call to a OpenSSL function that didn't check
for a failure properly.
- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear
the auth credentials back in 7.19.0 and earlier while now you have to set ""
to get the same effect. His patch brings back the ability to use NULL.
- Claes Jakobsson fixed libcurl-NSS to build fine even without the
PK11_CreateGenericObject() function.
Daniel Stenberg (25 May 2009)
- bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed
out that the cookie parser would leak memory when it parses cookies that are
received with domain, path etc set multiple times in the same header. While
such a cookie is questionable, they occur in the wild and libcurl no longer
leaks memory for them. I added such a header to test case 8.
Daniel Fandrich (22 May 2009)
- Removed some obsolete digest code that caused a valgrind error in test 551.
Daniel Fandrich (20 May 2009)
- Added "non-existing host" test keywords to make it easy to skip those
tests on machines that have broken DNS configurations (such as
those configured to use OpenDNS).
Daniel Stenberg (19 May 2009)
- Kamil Dudka brought the patch from the Redhat bug entry
https://bugzilla.redhat.com/show_bug.cgi?id=427966 which was libcurl closing
a bad file descriptor when closing down the FTP data connection. Caolan
McNamara seems to be the original author of it.
* Add new hooks: canremove, canrename, rename. (intrigeri)
* rename: Refactor subpage rename handling code into rename hook.
(intrigeri)
* po: New plugin, supporting translation of wiki pages using po
files. (intrigeri)
* Add build machinery to build po files to translate the underlay wikis,
* Add further build machinery to generate translated underlays from
the po file, for use by wikis whose primary language is not English.
* Add Danish basewiki translation by Jonas Smedegaard.
* img: Fix adding of dependency from page to the image.
* pagestats: add among parameter, which only counts links from
specified pages (smcv)
* pagestats: when making a tag cloud, don't emit links where the
tag is unused (smcv)
* map: Avoid emitting an unclosed ul element if the map is empty.
(harishcm)
* inline: Add pagenames parameter that can be used to list a set
of pages to inline, in a specific order, without using a PageSpec.
(smcv)
* Add getsource plugin (Will, smcv)
Note that the new po plugin won't work until textproc/po4a is updated
to at least 0.34. Any takers?
* Fix for downloads of files with Internet Explorer with SSL enabled.
* Mark session as disabled as soon as logout starts, in case the IdP
doesn't respond.
* Bugfix for session lifetime. Take the session lifetime from the
SessionNotOnOrAfter attribute if it is present.
- mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report
warnings compiling mod_ssl against OpenSSL to the httpd developers.
[Guenter Knauf]
- mod_cgid: Do not add an empty argument when calling the CGI script.
Bug 46380 [Ruediger Pluem]
- Fix potential segfaults with use of the legacy ap_rputs() etc
interfaces, in cases where an output filter fails. Bug 36780.
[Joe Orton]
support Catalyst Developers using pkgsrc a bit better.
It's easy to create memory leaks in Catalyst applications and often they're
hard to find. This module tries to help you find them by automatically
checking for common causes of leaks.
Right now, only one cause for leaks is looked for: putting a closure, that
closes over the Catalyst context (often called $ctx or $c), onto the stash,
without weakening the reference first. More checks might be implemented in
the future.
This module is intended for debugging only. I suggest to not enable it in a
production environment.
pkgsrc changes:
- Adding license information
Upstream changes:
$Revision: 0.6 $ $Date: 2009/07/28 21:25:25 $
! lib/HTTP/Response/Encoding.pm t/01-file.t
Addressed RT#47033:
new libwww-perl-5.827 release from 15.06.2009 breaks all tests
(Tested both on lwp5.826 and lwp5.830)
http://rt.cpan.org/Ticket/Display.html?47033
pkgsrc changes:
- Adjusting license information according to module Pod
Upstream changes:
Version 3.44
1. Patch from Kurt Jaeger to allow HTTP PUT even if the content length is unknown.
2. Patch from Pavel merdin to fix a problem for one of the FireFox addons.
3. Fixed issue in mod_perl & fastCGI environment of cookies returned from
CGI->cookie() leaking from one session to another.
New features (some are compile-time options):
* add session save/restore feature
o bind ^X to toggle view of page showing session information
o add binding for ^U to previous-document (outside of
line-editing).
o documented command-line options and configuration data
for this feature.
o document -child_relaxed option in Lynx Users Guide.
* add -passive-ftp option.
* add -child_relaxed option.
* add "read_timeout" to lynx.cfg, and -read_timeout option to
command-line
* add -show_cfg option.
* add LYNX_HELPFILE environment variable to allow override of
location of the help-file
* add NO_PAUSE setting to lynx.cfg, .lynxrc and Options menu
* implement a LONG_LIST equivalent for ftp, configurable as
FTP_FORMAT
* add XWINDOWS / NON_XWINDOWS environment-variable field to
DOWNLOAD, etc., in lynx.cfg to specify whether a downloader
(printer, etc) is enabled when the X display variable is set
* configure script improvements
o add --with-mime-libdir option to set MIME_LIBDIR in
userdefs.h file
o add --with-destdir configure option to set a default
value for the DESTDIR variable in makefiles, and modified
makefiles to ensure that setting DESTDIR in the top-level
makefile propagates to lower levels
o add --enable-local-docs option to link doc-directory
from help-page
o add --enable-ascii-ctypes option to enable EXP_ASCII_CTYPES
Other enhancements:
* improve SSL support:
o improve X.509 certificate validation. This is tested
for OpenSSL, ifdef'd to not break gnutls. Changes:
+ peer certificate is cached, no need to call
SSL_get_peer_certificate() twice
+ support foo.domain:port and [ip.add.re.ss] and
[ip.add.re.ss]:port and [i:p:v:6:ad:dr:es:s] and
[i:p:v:6:ad:dr:es:s]:port
+ add support for checking X.509v3 SubjectAltName
extensions (of type DNS - tested - and IP - untested)
when the X.509 commonName check fails.
+ when displaying a list of failed CNs, change
format from foo:bar:baz to
CN{foo}:CN{bar}:CN{baz}:SAN{DNS=foo}:SAN{IP=1.2.3.4}
so that we know where what comes from (in "Your
recent statusline messages")
+ if the peer certificate can *NOT* be verified,
output a message to the log as well
+ fix a possible use of an uninitialised value
ssl_all_cns
+ output certificate issuer to the logs as well
(so that you can, before entering your online
banking PIN, see if the certificate has been issued
not only _to_ your bank but also _from_ a place
you trust, in case /etc/ssl/certs/ contains a lot
of Root CA certs)
o add support for the X.509 extension subjectAltName
using GNUTLS.
o log SSL/TLS (HTTPS connection) X.509 certificate issuer
information into the "recent statusline messages"
(accessible via the backspace key)
o add TLS SNI support for the OpenSSL configuration
o modify CF_SSL configure macro to check for -ldl needed
for recent OpenSSL versions
o modify CF_SSL configure macro to build with MSYS for
MinGW configuration
o extend configure macros CF_SSL and CF_GNUTLS to check
for pkg-config, using that for the default if the
corresponding openssl or gnutls packages are installed.
o add configure --with-nss-compat option, for building
with NSS library's OpenSSL-compatible interface
o add SSL_CERT_FILE to lynx.cfg
o rewrite strcasecomp_asterisk() to support wildcards as
in RFC 2818
o add --enable-gnutls-compat configure option and associated
files to configure with GNU TLS without its gnutls-openssl
library, whose newer versions are available only under
a restrictive license.
o fix src/tidy_tls.c X509_get_issuer_name to actually
take the issuer DN of the present certificate and not
hope that it is the same as taking the subject DN of the
"next" certificate which may or may not exist.
* improve HTML interpretation:
o update Lynx's tables of HTML attributes to cover (except
for events) the keywords from HTML 4.01
o use RFC-822 encoding for filenames passed via file-upload
forms.
o provide navigation to script-buttons, to make them more
visible, showing their name
o add "Bad HTML messages" to Options menu, letting the
user disable the warning message, write the detailed
messages to the LYNXMESSAGES: status buffer.
o remove "Bad HTML" warning for buttons outside a form,
since those can be inline, according to the HTML 4 DTD
o correct check for default type of HTML BUTTON, which
is "submit". The code treated this as "button".
o implement "readonly" attribute for TEXTAREA and TEXT
fields
o accommodate (in)compatibility "feature" in HTML5 draft
which replaces ISO-8859-1 with Windows-1252, as indicated
here.
o add support for HTML5 rel=author in link.
o modify SGML_write() to check for UCS-2 BOMs, to provide
support for UCS-2 pages.
o modify SGML_write() to check for UTF-8 BOM, using that
as a hint to set the default document charset to UTF-8.
o parse xml processing-instruction to turn on UTF-8
decoding, as well as disable upper/lower case transforming
in source view.
o parse doctype for xhtml, to tell when empty tags such
as "<textarea />" can be discarded
o translate named entities, etc., for "content" field of
refresh-URL.
o add switch -xhtml-parsing and lynx.cfg XHTML_PARSING
setting to control whether the extensions for XHTML 1.0
are used.
o modify Lynx's DTD information to allow it to display
form-related tags that are inline, even without being in
a form as indicated in
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
for %inline.forms and %misc.inline.
* improvements to character sets and display:
o improve drawing of menus for multibyte characters by
changing the way the number of fill-characters is computed
in LYpaddstr
o fix some uses of gettext in options menu and info page
where a translated string might contain angle-brackets
or ampersand
o modify popup for externals added in 2.8.4dev.20 to
number the entries if keypad mode is set to one of the
numbered forms
o ie multibyte editing of text-fields.
* improvements to color-style:
o bug-fixes only
* improve interaction with user:
o remove check for -dump option from HTHandleAuthInfo(),
allowing Lynx to -dump or -source NNTP urls
o change the phase during which "-help" option is processed,
to allow it to reflect the configured values of the options
in the help-message
o check if there is piped-in data when starting without
"-" or "-stdin" options, warn about the ignored input
data in that case.
o add ncurses scroll-wheel support, which requires the
extended-mouse configure option of ncurses.
o modify initial active link in download-page to be the
first download action rather than the "help" link whided
in Novice mode.
o make the size of LYNXMESSAGES configurable in lynx.cfg
with STATUS_BUFFER_SIZE
* improve interaction with other programs:
o discard anchor's post_data field in HTLoadDocument()
if Lynx is about to reload a do. That would happen if
the result of the form includes a link back to the form.
Removing the data causes Lynx to prompt the user, e.g.,
Resubmit POST content to
http://localhost/cgi-bin/lynxtest.pl ? (y/n)
to offer the user the choice between revisiting form
or re-POST'ing the data that was on the form
o pass a newline after the start of PRE-section in
HTGopher.c to force the first newline between records to
be seen and cause the lines to split
o add POSITIONAL_EDITOR setting to configure editors
which accept a "+line" parameter
o modify external editing of TEXTAREA to not do
tab-conversion.
o modify behavior of "-nonumbers" option for -dump so it
can be combined with -listonly to obtain a list of the
URLs without reference numbers.
o implement "chunked" transfer-encoding to work with
servers that ignore the version number in HTTP get's
o add an Options menu checkbox to tell if Lynx should
send a user-agent string. Unless the useragent restriction
is set, the default for this checkbox is off, so that
Lynx will not send the string. The corresponding setting,
send_useragent, may be saved to ~/.lynxrc, but normally
is not.
o change default for configure --enable-ascii-ctypes to
true.
o modify exit code when doing a "-dump" to exit with
error if the server returned an error status for the
page.
* improve cookie support:
o modify cookie-writing to not write if no cookies were
read from the file and none are available.
o adapt/extend parsdate.y from tin to improve parsing of
cookie expiration times.
* improvements to debug/traces:
o change initialization of trace file, handling this during
the first part of argument parsing along with -help and
-version, to show steps done for initialization of
presentors, etc
* improvements to scripting/logging:
o bug-fixes only
* other improvements:
o build/install "en" po file so that GNU gettext LANGUAGE
environment variable can find the corresponding English
message file.
o if iconv_open() using transliteration fails, retry
without the transliteration feature.
o improve change for UCSetBoxChars() from 2.8.6dev.16
for EXP_CHARTRANS_AUTOSWITCH which assumed that the
line-drawing character set was always different from the
display character set. If both are US_ASCII for example,
ASCII lines would be drawn, which is not good
o modify scanning of floats from lynx.cfg to allow Lynx
to read POSIX values in non-POSIX locales
o replace BROKEN_PROFTPD and BROKEN_WU_FTPD logic with
configurable list of strings in lynx.cfg, i.e.,
BROKEN_FTP_RETR and BROKEN_FTP_EPSV, and add "spftp/" to
the predefined values for the former.
o modify to handle a special case where the content-type
is given as one of the compressed types, to check if the
address (after stripping the file suffix for that
compression) has a suffix that lynx could present. For
example:
http://foo/bar.html.gz
would display the uncompressed "bar.html" rather than
offering to download the file. This also allows one to
add SUFFIX commands to lynx.cfg to display the
corresponding plain files. For example:
SUFFIX:CHANGES.*:text/plain:8bit
SUFFIX:CHANGES:text/plain:8bit
for
http://foo/CHANGES.tmp.gz
http://foo/CHANGES.gz
o fix ipv6 literal command-line parsing.
o setup locale before writing version-message.
New/improved sample files:
* add sample scripts for configuring MinGW version using Cygwin.
New ports:
* none
(it seems to run everywhere, but there are a few possibilities)
Improvements to existing ports:
* UNIX:
o add definition for _FILE_OFFSET_BITS in CF_LARGEFILE,
needed for Solaris 64-bit compiles.
o modify UCdomap.c to work with Solaris iconv and handle
additional encodings:
+ if "TRANSLIT" feature (an extension of glibc)
does not succeed, retry the call to iconv_open
without "TRANSLIT"
+ add check for any MIME name beginning "iso8859",
mapping to "iso-8859"
+ recognize "eucjp" MIME name as alias for "euc-jp"
+ recognize "pck" MIME name as alias for "shift_jis"
+ recognize "ansi-1251" MIME name as alias for "windows-1251"
o modify parsdate.y to convert between EBCDIC/ASCII to work on z/OS
* Linux:
o bug-fixes only
Improvements for maintainability and testing:
* modify definitions in LYStructs.h for union to cast to a
void* rather than a long, to help with 64-bit ports
* fix some mismatched BOOL vs BOOLEAN from compiler warnings
due to dev.13 change to LYStructs.h
* change a few options such as --enable-locale-charset option
to non-experimental
* free leaks of LYLeaks.c, to make it simpler to check it with
a second tool such as valgrind.
* use off_t rather than long for representing file sizes, e.g.,
when used to print progress messages
* use dtd_util to replace most of HTMLDTD.h and HTMLDTD.c with
source generated from the existing tables in those files
* rename variable defined by CF_PATHSP to PATH_SEPARATOR, use
this consistently to ease use in later autoconf versions
As well as security-related changes:
* modify prompt in LYLoadCGI() from 2.8.6dev.15 to always prompt
user (from FEDORA-2008-9597), and modify compiled-in configuration
default for consistency with other lynx.cfg settings to require
that lynx.cfg be set to permit use of lynxcgi scripts.
* modify logic for reading PERSONAL_EXTENSION_MAP and
PERSONAL_MAILCAP to ensure that they are files that are controlled
only by the user. The default values for these allow lynx to
read configuration information from the user's current directory
at lynx's startup.
* ensure that PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP are
absolute pathnames, performing tilde expansion as needed.
Pathnames that are not given in absolute form will be sought
under the user's home directory as if they began with "~/".
* ensure that the configured values for GLOBAL_EXTENSION_MAP
and GLOBAL_MAILCAP are absolute pathnames.
And finally:
* A lot of bug fixes
* A lot of documentation changes.
* A lot of dead code removed
pkgsrc changes:
- Add dependency to textproc/p5-Pod-POM for Template::Plugin::Pod and
graphics/p5-Image-Info for Template::Plugin::Image
Upstream changes:
#-----------------------------------------------------------------------
# Version 2.22 - 21st July 2009
#------------------------------------------------------------------------
* Changed pod coverage and kwalitee tests to only run when release
testing.
#-----------------------------------------------------------------------
# Version 2.21_02 - 4th July 2009
#------------------------------------------------------------------------
* Added UTF8 support to the XS Stash.
https://rt.cpan.org/Ticket/Display.html?id=45842
* Fixed the truncate filter to handle lengths shorter than the '...'
string being appended on the end.
https://rt.cpan.org/Ticket/Display.html?id=45617
* Fixed a bug in the parser/grammar to make NEXT/LAST work correctly
inside nested loops.
https://rt.cpan.org/Ticket/Display.html?id=40887
* Fixed a bug in Template::Plugin::Filter that was causing the weakened
$self reference in a dynamic filter closure to be garbage collected
too soon. (NOTE: this has probably un-fixed a previous bug)
https://rt.cpan.org/Ticket/Display.html?id=46691
* Applied patch to allow list.sort to sort on multiple fields.
https://rt.cpan.org/Ticket/Display.html?id=40637
#-----------------------------------------------------------------------
# Version 2.21_01 - 4th July 2009
#------------------------------------------------------------------------
* Removed Template::Plugin::Autoformat and t/autoform.t. They're now
available as a separate distribution.
* Fixed some Win32 test failures and XS Stash compilation problems.
There's a SEGV in glib2 and the backtrace doesn't have any browser
engine references in it so I'm inclined to believe this package was
broken by a glib2/gtk2 update.
XXX: Some stock icons appear to not work, is there a missing GNOME
dependency here?
2.0.7 "Surprise!"
- Works with Firefox 2/3 and Xulrunner 1.8/1.9
- Restored support for http authentication by Mike Hommey <mh@glandium.org>
- Restored support for remembering passwords.
- Partially restored support for user stylesheets.
- Effect is global rather than per page but UI doesn't reflect this.
2.0.6 "Pining for the Fjords"
- Works with Firefox 2 and 3 and xulrunner 1.8 and 1.9
- Thanks to Alexander Sack <asac@ubuntu.com> and Loïc Minier <lool#dooz.org>
for the xulrunner 1.9 patches.
- With Firefox 3/xulrunner 1.9, functionality remains crippled as
documented in the 2.0.5 release notes.
- Support for older versions of Mozilla has been removed.
You can use 2.0.5 to build against them if you need to.
- GConf pref added to suppress close confirmation for web forms.
- SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects. Bug 39605.
[Joe Orton, Ruediger Pluem]
- SECURITY: CVE-2009-1195 (cve.mitre.org)
Prevent the "Includes" Option from being enabled in an .htaccess
file if the AllowOverride restrictions do not permit it.
[Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
Ruediger Pluem, Jeff Trawick]
- SECURITY: CVE-2009-1890 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_proxy in a
reverse proxy configuration, where a remote attacker can force a
proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
- SECURITY: CVE-2009-1191 (cve.mitre.org)
mod_proxy_ajp: Avoid delivering content from a previous request which
failed to send a request body. Bug 46949 [Ruediger Pluem]
- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
The bundled copy of the APR-util library has been updated, fixing three
different security issues which may affect particular configurations
and third-party modules.
- mod_include: fix potential segfault when handling back references
on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
- mod_alias: check sanity in Redirect arguments.
Bug 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
- mod_proxy_http: fix Host: header for literal IPv6 addresses.
Bug 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
- mod_rewrite: Remove locking for writing to the rewritelog.
Bug 46942
- mod_alias: Ensure Redirect emits HTTP-compliant URLs.
Bug 44020
- mod_proxy_http: fix case sensitivity checking transfer encoding
Bug 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
- mod_rewrite: Fix the error string returned by RewriteRule.
RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
argument of RewriteRule was not started with "[" or not ended with "]".
Bug 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
- mod_proxy: Complete ProxyPassReverse to handle balancer URL's. Given;
BalancerMember balancer://alias http://example.com/foo
ProxyPassReverse /bash balancer://alias/bar
backend url http://example.com/foo/bar/that is now translated /bash/that
[William Rowe]
- New piped log syntax: Use "||process args" to launch the given process
without invoking the shell/command interpreter. Use "|$command line"
(the default behavior of "|command line" in 2.2) to invoke using shell,
consuming an additional shell process for the lifetime of the logging
pipe program but granting additional process invocation flexibility.
[William Rowe]
- mod_ssl: Add server name indication support (RFC 4366) and better
support for name based virtual hosts with SSL. Bug 34607
[Peter Sylvester <peter.sylvester edelweb.fr>,
Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
Ruediger Pluem]
- mod_negotiation: Escape paths of filenames in 406 responses to avoid
HTML injections and HTTP response splitting. Bug 46837.
[Geoff Keating <geoffk apple.com>]
- mod_include: Prevent a case of SSI timefmt-smashing with filter chains
including multiple INCLUDES filters. Bug 39369 [Joe Orton]
- mod_rewrite: When evaluating a proxy rule in directory context, do
escape the filename by default. Bug 46428 [Joe Orton]
- mod_proxy_ajp: Check more strictly that the backend follows the AJP
protocol. [Mladen Turk]
- mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
to enable stricter checking of remote server certificates.
[Ruediger Pluem]
- mod_substitute: Fix a memory leak. Bug 44948
[Dan Poirier <poirier pobox.com>]
- mod_proxy_ajp: Forward remote port information by default.
[Rainer Jung]
- mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
directive to correctly remove headers before storing them.
[Lars Eilebrecht]
- mod_deflate: revert changes in 2.2.8 that caused an invalid
etag to be emitted for on-the-fly gzip content-encoding.
Bug 39727 will require larger fixes and this fix was far more
harmful than the original code. Bug 45023. [Roy T. Fielding]
- mod_disk_cache: The module now turns off sendfile support if
'EnableSendfile off' is defined globally. Bug 41218.
[Lars Eilebrecht, Issac Goldstand]
- prefork: Fix child process hang during graceful restart/stop in
configurations with multiple listening sockets. Bug 42829. [Joe Orton,
Jeff Trawick]
- mod_ssl: Add SSLRenegBufferSize directive to allow changing the
size of the buffer used for the request-body where necessary
during a per-dir renegotiation. Bug 39243. [Joe Orton]
- mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
way that per-directory rewrites append the previous notion of PATH_INFO
to each substitution before evaluating subsequent rules.
Bug 38642 [Eric Covener]
- mod_authnz_ldap: Reduce number of initialization debug messages and make
information more clear. Bug 46342 [Dan Poirier]
- mod_cache: Introduce 'no-cache' per-request environment variable
to prevent the saving of an otherwise cacheable response.
[Eric Covener]
- core: Translate the status line to ASCII on EBCDIC platforms in
ap_send_interim_response() and for locally generated "100 Continue"
responses. [Eric Covener]
- CGI: return 504 (Gateway timeout) rather than 500 when a script
times out before returning status line/headers.
Bug 42190 [Nick Kew]
- prefork: Log an error instead of segfaulting when child startup fails
due to pollset creation failures. Bug 46467. [Jeff Trawick]
- mod_ext_filter: fix error handling when the filter prog fails to start,
and introduce an onfail configuration option to abort
All the security problems mentioned above had already been fixed in
"pkgsrc" via patches. Thanks a lot to Adam Ciarcinski for letting me
know that new version had finally been released.
+ Preserve navigation history with new tabs
+ Implement clearing private data when quitting
+ Ellipsize and show close icons in the tab panel
+ Allow hiding panel operating controls
+ Integrate Tools with the compact menu
+ Fix User scripts, User styles and Plugins panel
+ Remove the bookmarkbar popup
+ Add New Tab to the tab context menu
+ Implement minimizing tabs
OpenGoo 1.5.1 has just been released. Several bugs from version 1.5
were fixed for this release, including:
- Tags permissions. Now a user can only see tags applied to objects
that the user can view.
- Some milestones were showing in wrong workspaces.
- Custom properties defined in Administration are now searchable.
- Memory exhausted error when rendering repetitive tasks with an old
date in the calendar.
- Fatal error when copying a milestone.
- Fatal error "undefined function saveFileAttributes" when uploading a file.
- Fixed the permissions control when editing a workspace's permissions.
- Fixed a small rendering problem with invited users in event edition.
- Fixed error when sending emails to empty recipients.
- Fixed default user preferences' rendered value.
- Fixed a rendering problem in comments and descriptions that would skip
a character before an email address or link.
- Tags query was using a hardcoded 'og_' table prefix.
- Translate OpenGoo tool now includes subfolders of language folders.
Checklang also improved.
- Files of type audio/mp3 are now correctly identified as MP3.
- Updated langs.
Changes since version 3.1.0.12:
- Bug 2723 regression: enable PURGE requests if PURGE method ACL is present.
- Fix one more internal profiler error
- Language Updates: Italian, Russian
- Language Updates: Add many more aliases
- Add Copyright document for errors/ content
- ... all bug fixes from 3.0.STABLE18
- ... and several code polishing cleanups
Firefox 3.5 is based on the Gecko 1.9.1 rendering platform.
Firefox 3.5 offers many changes over the previous version, supporting new web
technologies, improving performance and ease of use.
Some of the notable features are:
* Support for the HTML5 <video> and <audio> elements
* Improved tools for controlling your private data
* Better web application performance using the new TraceMonkey JavaScript engine
* The ability to share your location with websites using Location Aware Browsing
* Support for native JSON, and web worker threads.
* Improvements to the Gecko layout engine, including speculative parsing for
faster content rendering.
* Support for new web technologies such as: downloadable fonts, CSS media
queries, new transformations and properties, JavaScript query selectors,
HTML5 local storage and offline application storage, <canvas> text,
ICC profiles, and SVG transforms.
It contains some critical problem of 3.0.17 and really fix security
problem according to updated SQUID-2009_2.txt.
Changes to squid-3.0.STABLE18 (04 Aug 2009):
- Bug 2728: regression: assertion failed: !eof
- Bug 2732: reply_body_max_size smaller than error page loops
infinitely until out of memory
- Bug 2725: pconn failure if domain or client_address are unset
- Bug 2648: reserved helpers not shut down after reconfigure/rotate
- Bug 2462: make check should tell when cppunit is missing
- Remove excess messages about headers < minimum size
- Support Libtool 2.2.6
(I opted for removing and re-importing instead of a plain update due to
extensive patch rototil)
We may encounter minor turbulence as dependent packages are sorted out.
Thank you for flying pkgsrc-current.
Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended.
MFSA 2009-44 Location bar and SSL indicator spoofing via window.open() on
invalid URL
MFSA 2009-43 Heap overflow in certificate regexp parsing
MFSA 2009-42 Compromise of SSL-protected communication