Changelog:
16.0.3
Changes
Do not fail hard on new user mail error (server#16189)
Fix redirect after rescanFailedIntegrityCheck to "Overview" page (server#16244)
Fix permissions for drag-n-drop uploads (server#16249)
Try to delete the cypress folder of the viewer app (server#16297)
Send browser notifications again (notifications#373)
16.0.2
Changes
Update ca bundle (server#15553)
Update ca bundle checker (server#15554)
User management/subadmin: rephrase ambiguous error message (server#15575)
Update shipped.json to include privacy and recommendations (server#15592)
Show supported apps in app management (server#15593)
Update CRL due to revoked cookbook.crt (server#15628)
Only show sharing section if it has content (server#15649)
Remove quota feedback if no link set (server#15666)
Allow redis cluster to use password (server#15686)
Don't run repair step for every individual user, outsource that to background job (server#15718)
Check the actual status code for 204 and 304 (server#15724)
[Security] Bump tar from 2.2.1 to 2.2.2 (server#15728)
Don't notify admins if no potentially over exposing links found (server#15745)
Also allow dragging below the file list (server#15754)
Change text color in search box in darktheme, ref #15598 (server#15768)
Check for free space on touch (server#15772)
Search files by id in shared storages last (server#15799)
Hide newFile menu if quota is set to 0B (server#15856)
Add core/js/dist/ to l10nignore (server#15948)
Add LDAP integr. test for receiving share candidates with group limitation (server#15984)
Remove auto focus of share input field on dialog open, fix#15261 (server#16010)
(LDAP) API: return one base properly when multiple are configured (server#16015)
Handle storage exceptions when trying to set mtime (server#16038)
Fix LDAP Wizard forgetting groups on select with search (server#16051)
Revert "Fix userid casting in notifications" (server#16068)
Fix appid argument for integrity:check-app (server#16080)
Fix full text search for groupfolders (server#16082)
Fall back to black for non-color values (server#16089)
Check if uploading to lookup server is enabled before verifying (server#16091)
Allow apps to store longer messages in the comments API (server#16105)
Invalidates user when plugin reported deletion success (server#16112)
Fix download link included in public share page with hidden download (server#16125)
Better check reshare permissions (server#16127)
Verify that paths are valid for recursive local move (server#16128)
Don't allow to disable encryption via the API (server#16133)
Do not show an internet connectivity warning if internet access is dis… (server#16146)
Update Nextcloud version in docs link (server#16157)
Allow apps to overwrite the maximum length when reading from database (server#16177)
RefreshWebcalJob: replace ugly Regex with standard php utils (server#16201)
Better check reshare permissions part2 (server#16211)
Fix "unshare group share from self" activity (activity#380)
Fix load of character maps (files_pdfviewer#141)
[Security] Bump axios from 0.18.0 to 0.18.1 (firstrunwizard#192)
Correctly show errors when setting the password (gallery#529)
Blacklist using .noimage (gallery#533)
Update dependabot deps in stable16 (notifications#359)
Increase size of icon bubble for more visibility (notifications#368)
Add app description to readme and appinfo (privacy#133)
Catch and filter share that can't be found (recommendations#79)
[Security] Bump axios from 0.18.0 to 0.18.1 (recommendations#92)
[Security] Bump tar from 2.2.1 to 2.2.2 (viewer#113)
[Security] Bump axios from 0.18.0 to 0.19.0 (viewer#117)
Changelog:
New
Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars.
Improved extension security and discovery:
New reporting feature in about:addons allows you to report security and performance issues with extensions and themes.
Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension.
Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. "Recommended" badges for these extensions also appear on AMO. More extensions will be added over time.
Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences.
WebRender will roll out to Windows 10 users with AMD graphics cards.
Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed.
Fixed
Various security fixes
Local files can no longer access other files in the same directory.
Security fixes:
#CVE-2019-9811: Sandbox escape via installation of malicious language pack
#CVE-2019-11711: Script injection within domain through inner window reuse
#CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
#CVE-2019-11713: Use-after-free with HTTP/2 cached stream
#CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread
#CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault
#CVE-2019-11715: HTML parsing error can contribute to content XSS
#CVE-2019-11716: globalThis not enumerable until accessed
#CVE-2019-11717: Caret character improperly escaped in origins
#CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML
#CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
#CVE-2019-11720: Character encoding XSS vulnerability
#CVE-2019-11721: Domain spoofing through unicode latin 'kra' character
#CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin
#CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries
#CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions
#CVE-2019-11725: Websocket resources bypass safebrowsing protections
#CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3
#CVE-2019-11728: Port scanning through Alt-Svc header
#CVE-2019-11710: Memory safety bugs fixed in Firefox 68
#CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
19.7.1
fix: implement client side payload exceed max size; improve max size exceeded handling
fix: detect when our transport is "already" closed at connect time
fix: XBR examples
3.1.3:
* async_timeout has been removed as a dependency, so there are now no required
dependencies.
* The WSGI adapter now sets REMOTE_ADDR from the ASGI client.
1.9.2
- **FIX**: Shortcut last descendant calculation if possible for performance.
- **FIX**: Fix issue where `Doctype` strings can be mistaken for a normal text node in some cases.
- **FIX**: A top level tag is not a `:root` tag if it has sibling text nodes or tag nodes. This is an issue that mostly manifests when using `html.parser` as the parser will allow multiple root nodes.
1.3.0:
Deprecations
- The send_bytes adjustment now defaults to 1 and is deprecated
pending removal in a future release.
Features
- Add a new outbuf_high_watermark adjustment which is used to apply
backpressure on the app_iter to avoid letting it spin faster than data
can be written to the socket. This stabilizes responses that iterate quickly
with a lot of data.
- Stop early and close the app_iter when attempting to write to a closed
socket due to a client disconnect. This should notify a long-lived streaming
response when a client hangs up.
- Adjust the flush to output SO_SNDBUF bytes instead of whatever was
set in the send_bytes adjustment. send_bytes now only controls how
much waitress will buffer internally before flushing to the kernel, whereas
previously it used to also throttle how much data was sent to the kernel.
This change enables a streaming app_iter containing small chunks to
still be flushed efficiently.
Bugfixes
- Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will
no longer set the version to the string value "None". See
- When a client closes a socket unexpectedly there was potential for memory
leaks in which data was written to the buffers after they were closed,
causing them to reopen.
- Fix the queue depth warnings to only show when all threads are busy.
- Trigger the app_iter to close as part of shutdown. This will only be
noticeable for users of the internal server api. In more typical operations
the server will die before benefiting from these changes.
- Fix a bug in which a streaming app_iter may never cleanup data that has
already been sent. This would cause buffers in waitress to grow without
bounds. These buffers now properly rotate and release their data.
- Fix a bug in which non-seekable subclasses of io.IOBase would trigger
an exception when passed to the wsgi.file_wrapper callback.
Version 4.6.7:
Bugs Fixed
Fix Windows build errors due to Python 3.7+ not providing empty function stubs for PyOS_AfterFork_Child() and PyOS_AfterFork_Parent().
Version 4.6.6:
Bugs Fixed
Fix compilation failures when using Python 3.8.
Features Changed
When running mod_wsgi-express it will do a search for the location of bash and sh when defining the shell to use for the generated apachectl. The shell used can be overridden using --shell-executable option. This is to get around issue with FreeBSD not having /bin/bash.
New Features
The Apache request ID is accessible in request events as request_id.
The per request data dictionary accessible using mod_wsgi.request_data() is now also accessible in events as request_data.
- (security) Prevent execution of XSS on rich text,
- (security) Prevent xss attack on user picture,
- Fix performance issues when using entities,
- New "Prevent take into account" action on tickets business rules,
- New "Status" criterion on tickets business rules,
- Change and problem tasks can now be marked as private,
The full changelog is available under
<https://github.com/glpi-project/glpi/milestone/36?closed=1>
pkgsrc changes:
- Remove not needed dependency to gnutls and add missing dependency to
libtasn1 (previously indirectly picked up via gnutls)
- Remove patch-Source_WebCore_platform_graphics_gstreamer_MediaPlayerPrivateGStreamerBase.cpp,
fix is now present in 2.24.3.
- Remove a no more needed hunk in
patch-Source_JavaScriptCore_assembler_ARM64Assembler.h.
Changes:
2.24.3
======
- Deprecate WebSQL APIs.
- Make Previous/Next gesture work in RTL mode.
- Fix content disappearing when using CSS transforms.
- Fix rendering artifacts in youtube volume button.
- Fix trapezoid artifact in github comment box.
- Fix video pause that sometimes caused to skip to finish.
- Fix volume level changes when playing a video.
- Fix HLS streams being slow to start.
- Fix some radio streams that could not be played.
- Fix the build with older versions of GStreamer.
- Fix the build with video and audio disabled.
- Fix several crashes and rendering issues.
- Translation updates: Brazilian Portuguese.
Django 2.2.3
Fix CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Fixed a regression in Django 2.2 where Avg, StdDev, and Variance crash with filter argument
Fixed a regression in Django 2.2.2 where auto-reloader crashes with AttributeError, e.g. when using ipdb
Cohttp is an OCaml library for creating HTTP daemons. It has a portable
HTTP parser, and implementations using various asynchronous programming
libraries. It's needed as a dependency for some ocaml-git options.
It's unmaintained by upstream for most of this decade (even then, this
is an old version), and broken in bulk builds since at least last year.
Discussed on pkgsrc-users@.