It is a security update; it fixes CVE-2012-4377, CVE-2012-4378, CVE-2012-4379,
CVE-2012-4380, CVE-2012-4381 and CVE-2012-4382.
Upstream changes:
Changes since 1.19.1
(bug 39700) File: link to non-existing file can inject html
(bug 39823) Hidden block text leaking to admins
(bug 39184) LDAP password leakage
(bug 39180) Disallow framing of api results
(bug 37587) Enforce language codes to be html safe
(bug 39824) Check global blocks on account creation
Fixes and Stability Enhancements since Opera 12.01
* General and User Interface
  * Several general fixes and stability improvements
  * Resolved an issue with Speed Dial thumbnails when automatic scaling is enabled
* Security
  * Fixed an issue where truncated dialogs may be used to trick users; see our advisory:
    http://www.opera.com/support/kb/view/1028/
Upstream changes:
0.022 2012-06-01 23:31:40 America/New_York
[ADDED]
- Supports local_address option to set local socket interface
[Chris Nehren, David Golden]
0.021 2012-05-15 22:38:57 America/New_York
[TESTING]
- Skip live SSL testing if $ENV{http_proxy} is set
0.020 2012-05-14 15:24:37 America/New_York
[TESTING]
- Capture prerequisite versions under AUTOMATED_TESTING to help
chase down some failures from CPAN Testers
0.019 2012-05-14 07:14:00 America/New_York
[ADDED]
- Require IO::Socket::SSL 1.56 (which added SSL_hostname support) when
doing HTTPS. [Mike Doherty]
[TESTING]
- Provide better diagnostic output in t/210_live_ssl.t [Mike
Doherty]
0.018 2012-04-18 09:39:50 America/New_York
[ADDED]
- Add verify_SSL option to do more secure SSL operations, incl.
attempting to validate against a CA bundle (Mozilla::CA
recommended, but will attempt to find some OS bundles). Also
add SSL_opts, which passes through IO::Socket::SSL's SSL_*
options to control SSL verification. (GH #6, #9) [Mike Doherty]
- Response hashref includes final URL (including any redirections)
[Lukas Eklund]
0.017 2012-02-22 21:57:37 EST5EDT
[DOCUMENTATION]
- Clarified how max_size exceptions work [rt.cpan.org #75142]
- Clarify that 2XX is success for most methods (except mirror
where 304 is also success) [rt.cpan.org #75141]
Upstream changes:
1.3100 25.08.2012
[ BUG FIXES ]
* GH #816: Improve wording when an engine fails to load. (Sawyer X)
* GH #817: Fix CODE reference uncloned using Clone::clone.
(David Precious, Sawyer X)
[ ENHANCEMENTS ]
* GH #755: HTTP::Headers accepted by dancer_response. (Roberto Patriarca)
[ DOCUMENTATION ]
* GH #818: Use "MyWeb::App" instead of "mywebapp" in examples. (pdl)
1.3099 11.08.2012
[ BUG FIXES ]
* GH #683: Fix uninitialized warnings. (Sawyer X)
* GH #700: Take into account the app name in route caching. (Perlover)
* GH #775: Clone variables for templates.
(Reported by Wanradt Koell, fixed by David Precious, Sawyer X)
* GH #776: get should default to get/head even when it's inside any.
(Fayland Lam)
* GH #788: Make sure the ID key in sessions is clobbered. (kocoureasy)
* Fix uninitialized variables in config file path. (Sawyer X)
* GH #809: Require all necessary modules in Dancer::Config.
(John Wittkoski)
[ ENHANCEMENTS ]
* GH #799: New test function: response_redirect_location_is. (Martin Schut)
* send_file now accepts an IO::Scalar. (David Precious)
* Clean up $VERSION. (Damien Krotkine)
[ DOCUMENTATION ]
* GH #784: Synopsis fix in Dancer::Error. (Alex C)
* Document session_domain in Dancer::Config. (David Precious)
* Pod fixes in abstract session. (David Precious)
* Synopsis fix in Dancer::Test. (Stefan Hornburg <Racke>)
1.3098 28.07.2012
[ ENHANCEMENTS ]
* New keyword 'plugin_args' exported by Dancer::Plugin to provide
a consistent way with Dancer 2 to obtain arguments from a plugin
keyword. (Alberto Simões).
* Add 'execute_hook' and deprecate 'execute_hooks' for homogeneity
with Dancer 2.
* send_file will do the right thing if given an IO::Scalar object
(David Precious, prompted by Ilya Chesnokov).
[ DOCUMENTATION ]
* Fix escaping on some docs (Stefan Hornburg @racke).
* Use patches from https://bugzilla.mozilla.org/show_bug.cgi?id=753046
* Fix firefox.sh
Changelog:
NEW Preliminary native PDF support (Aurora/Beta only)
NEW Support for SPDY networking protocol v3
NEW WebGL enhancements, including compressed textures for better performance
CHANGED Optimized memory usage for add-ons
DEVELOPER JavaScript debugger integrated into developer tools
DEVELOPER New layout view added to Inspector
DEVELOPER The CSS word-break property has been implemented.
DEVELOPER High precision event timer implemented
DEVELOPER New responsive design tool allows web developers to switch between desktop and mobile views of sites
HTML5 Native support for the Opus audio codec added
HTML5 The <source> element now supports the media attribute
HTML5 The <audio> and <video> elements now support the played attribute
* recentchangesdiff: When diffurl is not set, provide inline diffs
in the recentchanges page, with visibility toggleable via javascript.
Thanks, Antoine Beaupré
* Split CFLAGS into words when building wrapper. Closes: #682237
* osm: Avoid calling urlto before generated files are registered.
Thanks, Philippe Gauthier and Antoine Beaupré
* osm: Add osm_openlayers_url configuration setting.
Thanks, Genevieve
* osm: osm_layers can be used to configure the layers displayed on the map.
Thanks, Antoine Beaupré
* comments: Remove ipv6 address specific code.
changes:
- Fix several security issues with accessibility support.
- Finished merging NPAPI plugin support for Windows.
- Turn off the deletion UI during editing, as it caused issues with some sites.
* Introducing Django 1.4 support, dropped support for Django 1.2
* Lazy page tree loading in admin
* Toolbar isolation
* Plugin cancel button fixed
* Tests refactor
* Moving text plugins to different placeholders no longer loses inline plugins
* Minor improvements
comprehensive version control facilities.
Features
* Roll back to any point in a model's history - an unlimited undo facility!
* Recover deleted models - never lose data again!
* Admin integration for maximum usability.
* Group related changes into revisions that can be rolled back in a single
transaction.
* Automatically save a new version whenever your model changes using Django's
flexible signalling framework.
* Automate your revision management with easy-to-use middleware.
django-reversion can be easily added to your existing Django project with
an absolute minimum of code changes.
* Fix security problems.
* Build three Multi-Processing Model shared libraries,
and select default model with option
* Retire mod_cgi.so module, use mod_cgid.so; Add MESSAGE
Changelog:
Changes with Apache 2.4.3
*) SECURITY: CVE-2012-3502 (cve.mitre.org)
mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
connection closing which could lead to privacy issues due
to a response mixup. PR 53727. [Rainer Jung]
*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
*) mod_authnz_ldap: Don't try a potentially expensive nested groups
search before exhausting all AuthLDAPGroupAttribute checks on the
current group. PR 52464 [Eric Covener]
*) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
authorization provider in lua. [Stefan Fritsch]
*) core: Be less strict when checking whether Content-Type is set to
"application/x-www-form-urlencoded" when parsing POST data,
or we risk losing data with an appended charset. PR 53698
[Petter Berntsen <petterb gmail.com>]
*) httpd.conf: Added configuration directives to set a bad_DNT environment
variable based on User-Agent and to remove the DNT header field from
incoming requests when a match occurs. This currently has the effect of
removing DNT from requests by MSIE 10.0 because it deliberately violates
the current specification of DNT semantics for HTTP. [Roy T. Fielding]
*) mod_socache_shmcb: Fix bus error due to a misalignment
in some 32 bit builds, especially on Solaris Sparc.
PR 53040. [Rainer Jung]
*) mod_cache: Set content type in case we return stale content.
[Ruediger Pluem]
*) Windows: Fix SSL failures on windows with AcceptFilter https none.
PR 52476. [Jeff Trawick]
*) ab: Fix read failure when targeting SSL server. [Jeff Trawick]
*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- mod_auth_digest: shared memory file
[Jeff Trawick]
*) htpasswd: Use correct file mode for checking if file is writable.
PR 45923. [Stefan Fritsch]
*) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
<mi apache aldan algebra com>]
*) mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
*) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
client_ip to match conn_rec. [Stefan Fritsch]
*) mod_lua: Change prototype of vm_construct, to work around gcc bug which
causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]
*) mpm_event: Don't count connections in lingering close state when
calculating how many additional connections may be accepted.
[Stefan Fritsch]
*) mod_ssl: If exiting during initialization because of a fatal error,
log a message to the main error log pointing to the appropriate
virtual host error log. [Stefan Fritsch]
*) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
*) mod_proxy_balancer: Restore balancing after a failed worker has
recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]
*) mod_setenvif: Compile some global regex only once during startup.
This should save some memory, especially with .htaccess.
[Stefan Fritsch]
*) core: Add the port number to the vhost's name in the scoreboard.
[Stefan Fritsch]
*) mod_proxy: Fix ProxyPassReverse for balancer configurations.
PR 45434. [Joe Orton]
*) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
[Daniel Gruno]
*) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
[Stefan Fritsch]
*) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
implementation. [Ruediger Pluem, Joe Orton]
*) mod_proxy: Check hostname from request URI against ProxyBlock list,
not forward proxy, if ProxyRemote* is configured. [Joe Orton]
*) mod_proxy_connect: Avoid DNS lookup on hostname from request URI
if ProxyRemote* is configured. PR 43697. [Joe Orton]
*) mpm_event, mpm_worker: Remain active amidst prevalent child process
resource shortages. [Jeff Trawick]
*) Add "strict" and "warnings" pragmas to Perl scripts. [Rich Bowen]
*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
mutexes (Mutex)
[Jim Jagielski]
*) ab: Fix bind() errors. [Joe Orton]
*) mpm_event: Don't do a blocking write when starting a lingering close
from the listener thread. PR 52229. [Stefan Fritsch]
*) mod_so: If a filename without slashes is specified for LoadFile or
LoadModule and the file cannot be found in the server root directory,
try to use the standard dlopen() search path. [Stefan Fritsch]
*) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
after child process resource shortages. [Jeff Trawick]
*) mpm_prefork: Reduce spawn rate after a child process exits due to
unexpected poll or accept failure. [Jeff Trawick]
*) core: Log value of Status header line in script responses rather
than the fixed header name. [Chris Darroch]
*) mod_ssl: Fix handling of empty response from OCSP server.
[Jim Meyering <meyering redhat.com>, Joe Orton]
*) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]
*) mod_authz_core: If an expression in "Require expr" returns denied and
references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
[Stefan Fritsch]
*) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch]
*) mod_deflate: Skip compression if compression is enabled at SSL level.
[Stefan Fritsch]
*) core: Add missing HTTP status codes registered with IANA.
[Julian Reschke <julian.reschke gmx.de>, Rainer Jung]
*) mod_ldap: Treat the "server unavailable" condition as a transient
error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]
*) core: Fix spurious "not allowed here" error returned when the Options
directive is used in .htaccess and "AllowOverride Options" (with no
specific options restricted) is configured. PR 53444. [Eric Covener]
*) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
PR 53048. [Stefan Fritsch]
*) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
PR 53104. [Greg Ames]
*) mod_ext_filter: Fix error_log spam when input filters are configured.
[Joe Orton]
*) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]
*) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
*) mod_proxy: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_info: Display all registered providers. [Stefan Fritsch]
*) mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]
*) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
unset. PR 53265. [Stefan Fritsch]
*) log_server_status: Bring Perl style forward to the present, use
standard modules, update for new format of server-status output.
PR 45424. [Richard Bowen, Dave Brondsema, and others]
*) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
[Joe Orton, André Malo]
*) core: Prevent "httpd -k restart" from killing server in presence of
config error. [Joe Orton]
*) mod_proxy_fcgi: If there is an error reading the headers from the
backend, send an error to the client. PR 52879. [Stefan Fritsch]
If selected, the existing apache-mpm-event, apache-mpm-prefork and
apache-mpm-worker options determine which will be loaded in the default
config file.
Note: if worker is in the mix, the build will simply never build mod_cgi,
regardless of which MPM is the default.
Upstream changes:
0.9507 Fri Dec 9 09:44:49 EET 2011
- patch for XSS vulnerability in HTML::Template::Pro
thanks to Shigeki Morimoto shigeki.morimoto mixi.co.jp
0.9508 Mon Dec 26 16:13:37 EET 2011
- use unicode quoting in XSS vulnerability patch (more portable)
thanks to Shigeki Morimoto shigeki.morimoto mixi.co.jp
0.9509 Tue Feb 28 21:15:28 EET 2012
- more verbose messages for tag stack underflow
== Changes
= Changes in 2.2.7 =
August 14, 2012 - version 2.2.7
* Bug fixes
* Fix arity incompatibility introduced in 2.2.6. It broke Webmock.
Thanks Andrew France for the report!
= Changes in 2.2.6 =
August 14, 2012 - version 2.2.6
* Bug fixes
* Make get_content not raise a BadResponseError for perfectly good
responses like 304 Not Modified. Thanks to Florian Hars.
* Add 'Content-Type: application/x-www-form-urlencoded' for the PUT
request that has urlencoded entity-body.
* Features
* Add HTTPClient::IncludeClient by Jonathan Rochkind, a mix-in for easily
adding a thread-safe lazily initialized class-level HTTPClient object
to your class.
* Proxy DigestAuth support. Thanks to Alexander Kotov and Florian Hars.
* Accept an array of strings (and IO-likes) as a query value
e.g. `{ x: 'a', y: [1,2,3] }` is encoded into `"x=a&y=1&y=2&y=3"`.
Thanks to Akinori MUSHA.
* Allow body for DELETE method.
* Allow :follow_redirect => true for HEAD request.
* Fill request parameters request_method, request_uri and request_query
as part of response Message::Header.
- Fixed bug (apc_bin_dump doesn't swizzle bucket arKey in HashTable)
(Laruence)
- Fixed bug #62825 (php crashed OR return PHP Fatal error when used
apc_bin_dump after apc_store) (Laruence)
- Fixed bug due to Conditional "jump or move depends on uninitialised
value(s)" in apc_op_ZEND_INCLUDE_OR_EVAL and apc_bin_dump (Laruence)
- Fixed bug #62802 (Crash when use apc_bin_dump/load) (Laruence)
- Fixed bug #62757 (php-fpm crashed when used apc_bin_dumpfile with
apc.serializer) (Laruence)
- Fixed bug #62765 (apc_bin_dumpfile report Fatal error when there is "goto"
in function) (Laruence)
- Fixed bug #61133 (segfault in tests/apc_bin_002.phpt) (Laruence)
- Fixed handling of userspace stream wrappers simulating file
inclusion/requiring (Anatoliy, Rasmus)
- Fixed bug #62699 trait aliases and precedences handling (Anatoliy)
- Added cli built-in server tests (Anatoliy)
- Fixed filter regex freeing on request shutdown (Anatoliy)
- Fixed interned strings storage freeing on module shutdown (Anatoliy)
- Fixed bug #61742 preload_path does not work due to incorrect string length
(Anatoliy)
- Fixed several memory leaks in APCIterator (Anatoliy)
- Fixed potential overflows in bin dumps (Anatoliy)
1.1.1:
There are no database changes in this release
Bug Fixes
Unassigned variable warning in Principal.php calling BuildDeadPropertyXML
Notification of deletes when hide_older_than is set
Fixes to URL encoding of some CalDAV/CardDAV properties
Fix to Basic Auth handling in admin UI
Fix CalDAV client library to handle multiple 'Allow' headers in OPTIONS response
Fix ldap driver to handle numeric usernames correctly.
Add handling for allprop and omission of prop tag in calendar-query, calendar-multiget and addressbook-query
Fix parsing of relative alarm times where the event has a timezone
Correct detection of suhosin.server_strip status (from Christoph Anton Mitterer via debian bug #656392).
Other minor bugfixes.
Other Changes
Add support for ldap mapping of multiple fields to one DAViCal field (from Sylvain BURGER)
Generally improved support for a wider range of DAV/CalDAV/CardDAV properties in calendar-query, calendar-multiget and addressbook-query
1.1.0:
Database Upgrade
There are several changes to in-database functions.
Bug Fixes
Obscure password in LDAP debug log messages
Fix bugs parsing some RFC5545 duration values
Fix handling of ?mode=append when uploading calendar data.
Various fixes to external BIND support.
Fix some errors in content-type detection & handling.
Correct round-trip handling of arbitrary XML in dead properties.
Fix bugs in editing of existing grants.
Other Changes
Support for WebDAV Synchronisation is updated to match the final RFC.
Support If-Modified-Since header.
Merge iSchedule support from Rob Ostenson.
Add support for initialising an addressbook from a file of VCARDs
Add support for 'Prefer' and 'Brief' headers.
Reduce logging noise from 401 and 404 responses.
Some query performance improvements.
When someone is delegated 'write' by a principal they can now maintain that principal's details in the Admin UI.
New default_collections setting which replaces home_calendar_name and home_addressbook_name (these are deprecated)
Eliom is an OCaml library for the webserver Ocsigen that allows
for the creation of dynamic webpages. In this way, a website is
not written as a separate set of pages, but as one integral OCaml
module.
Release notes say "no security fix" but it really fixes SA49131:
<http://secunia.com/advisories/49131/>.
Release notes
Maintenance release of the Drupal 7 series. Includes bugfixes and small
API/feature improvements only (no major new functionality); significant new
features are only being added to the forthcoming Drupal 8.0 release.
No security fixes are included in this release.
Besides documentation fixes, no changes have been made to the .htaccess,
robots.txt or settings.php files in this release, so upgrading custom versions
of those files is not necessary. Known issues:
#1708722: Call to undefined function drupal_find_base_themes() in
drupal-7.15/includes/module.inc on line 184: Under rare circumstances
which are still under investigation (most likely, sites with a sub-theme
enabled and a module enabled that calls certain code early in Drupal's
page request), upgrading to Drupal 7.15 may lead to a fatal error. A
patch to fix this is available.
http://drupal.org/node/1708292
## Rails 3.2.8 (Aug 9, 2012) ##
* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
helper doesn't correctly handle malformed html. As a result an attacker can
execute arbitrary javascript through the use of specially crafted malformed
html.
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
* When a "prompt" value is supplied to the `select_tag` helper, the "prompt"
value is not escaped.
If untrusted data is not escaped, and is supplied as the prompt value, there
is a potential for XSS attacks.
Vulnerable code will look something like this:
select_tag("name", options, :prompt => UNTRUSTED_INPUT)
*Santiago Pastorino*
## Rails 3.1.8 (Aug 9, 2012) ##
* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
helper doesn't correctly handle malformed html. As a result an attacker can
execute arbitrary javascript through the use of specially crafted malformed
html.
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
* When a "prompt" value is supplied to the `select_tag` helper, the
"prompt" value is not escaped.
If untrusted data is not escaped, and is supplied as the prompt value,
there is a potential for XSS attacks.
Vulnerable code will look something like this:
select_tag("name", options, :prompt => UNTRUSTED_INPUT)
*Santiago Pastorino*
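The unescaped-prompt problem described in both the 3.2.8 and 3.1.8 entries above, as an added illustration that is not Rails code: a minimal select-builder written in plain Ruby, with the pattern that interpolates the prompt verbatim beside a hardened form that escapes it with `ERB::Util.html_escape` from the standard library. The builder function names, the check helper and the sample prompt are assumptions constructed for the demonstration; the pre-rendered options string is treated as trusted markup.

```ruby
require "erb" # ERB::Util.html_escape ships with the Ruby standard library

# Constructed sample input: a "prompt" carrying attacker-controlled markup,
# standing in for the UNTRUSTED_INPUT of the advisory text.
UNTRUSTED_PROMPT = %q(Choose</option></select><script>alert(1)</script>)

# Constructed, trusted option markup (assumed already rendered by safe code).
OPTIONS_HTML = %q(<option value="1">One</option><option value="2">Two</option>)

# Stand-in for the vulnerable pattern (hypothetical helper): the prompt text is
# interpolated into the markup as-is, so any tags inside it become part of the
# document instead of being displayed as text.
def select_tag_unescaped(name, options_html, prompt)
  %(<select name="#{name}"><option value="">#{prompt}</option>#{options_html}</select>)
end

# Hardened stand-in: the prompt (and the name attribute) are HTML-escaped before
# interpolation, so '<', '>', '&' and quotes are rendered literally.
def select_tag_escaped(name, options_html, prompt)
  safe_name = ERB::Util.html_escape(name)
  safe_prompt = ERB::Util.html_escape(prompt)
  %(<select name="#{safe_name}"><option value="">#{safe_prompt}</option>#{options_html}</select>)
end

# A quick check a reviewer can run over rendered output: is a raw <script
# tag still present after rendering?
def contains_raw_script?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{select_tag_unescaped('name', OPTIONS_HTML, UNTRUSTED_PROMPT)}"
  puts "escaped:   #{select_tag_escaped('name', OPTIONS_HTML, UNTRUSTED_PROMPT)}"
end
```

Running the script prints the two renderings; the escaped one shows the prompt as `Choose&lt;/option&gt;&lt;/select&gt;&lt;script&gt;alert(1)&lt;/script&gt;`, which a browser displays as text. The point carried over from the advisory is that escaping belongs inside the helper, where every caller gets it, rather than relying on each call site to pre-escape the value.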