= 1.3.2 / 2011-12-30
* Don't automatically add `Rack::CommonLogger` if `Rack::Server` is adding it,
too. (Konstantin Haase)
* Setting `logging` to `nil` will avoid setting up `Rack::NullLogger`.
(Konstantin Haase)
* Route specific params are now available in the block passed to #stream.
(Konstantin Haase)
* Fix bug where rendering a second template in the same request, after the
first one raised an exception, skipped the default layout. (Nathan Baum)
* Fix bug where parameter escaping got enabled when disabling a different
protection. (Konstantin Haase)
* Fix regression: Filters without a pattern may now again manipulate the params
hash. (Konstantin Haase)
* Added examples directory. (Konstantin Haase)
* Improved documentation. (Gabriel Andretta, Markus Prinz, Erick Zetta, Just
Lest, Adam Vaughan, Aleksander Dąbrowski)
* Improved MagLev support. (Tim Felgentreff)
Changes:
* Show warnings for JsonCsrtf attacks.
* do not enable parameter escaping by default, fixes#8.
* Use more specific namespace declaration in Rack::Builder configuration.
* NotimpelentedError typo fix
* add test that makes sure passingin on :track option works. related to #6.
* deal with PATH_INFO being nil, fixes#7.
* do not track HTTP_VERSION, fixes#6.
1.10:
* Fix display of trust errors.
1.09:
* Remove dir_test hack and add a way for vcs tests to run perl code,
using this for the same optimisation. Fixes support for git-svn
etc. Closes: #652317
1.08:
* Fix vcs test code. Closes: #651976
1.07
* Added support for vcsh, enable with: include = cat /usr/share/mr/vcsh
Thanks, Richard Hartmann
* Block tty control codes in untrusted mr config files.
* Correct printing of line numbers when includes are used. Closes: #650952
* The previous fix for chaining to absolute paths broke chaining
to relative paths with more than one path segment. Thanks, Adam
Spiers
* Support _append to add on to the existing value of a parameter.
Thanks, Adam Spiers
* Optimizations. Commands like "mr list" run up to 5 times faster.
* Fix shell escaping of parameters passed to mr commands. Closes: #644672
* Added --force option that disables repository skipping.
* Repositories using skip = lazy will not be checked out by "mr
update" or "mr checkout" unless --force is used.
prompt string, which I assume is there on purpose. Unfortunately, it
seems that when run through modern gcc's cpp, as at least Dragonfly's
current X resources processing pipeline apparently does, cpp treats
this as backslash-newline and splices on the next line, which causes
everything to go wahooni-shaped.
As a hack/workaround, insert a blank line after this line, so if the
next line does get spliced on it won't break things.
Reported by Artem Falcon.
contains fixes for PR#45785.
Version 1.4.27:
- Always use the internal MD5 functions for the built-in CRAM-MD5
implementation; never use the ones from OpenSSL. This fixes problems with
configurations that use OpenSSL and do not use GNU SASL. Thanks to Gleydson
Soares and Moritz Wilhelmy for providing information and for testing the fix.
- Fix a compiler warning with current OpenSSL versions.
Bug fixes:
* Erlang/OTP compatibility
- Support Erlang/OTP R15B regexp and drivers (EJAB-1521)
- Fix modules update in R14B04 and higher
- Fix modules update of stripped beams (EJAB-1520)
* XMPP Core
- Fix presence problem in C2S after first unavailable (EJAB-1466)
- Fix bug on S2S shaper when TLS is used
- Prevent overload of incoming S2S connections
* XEPs
- BOSH: Get rid of useless mnesia transaction (EJAB-1502)
- MUC: Don't reveal invitee resource when room informs invitor
- Privacy: Activate "Blocked Contacts" to current c2s connection (EJAB-1519)
- Privacy: Always allow packets from user's server and bare jid (EJAB-1441)
- Pubsub: Add hooks for node creation/deletion (EJAB-1470)
- Shared Rosters: support groupname@vhost in Displayed Groups (EJAB-506)
- Vcard: Fix error when lowercasing some search results (EJAB-1490)
These patches enable optimizations that allow video play w/o stuttering.
Other i386 and x86_64 platforms need the same optimizations, so this is
only a partial fix of the PR.
DragonFly has diverged from FreeBSD to the point where NSPR will
not build LibreOffice on DragonFly due to being configured as DragonFly.
These patches split out DragonFly as its own platform, and should not
affect other platforms.
OpenSSL CHANGES
_______________
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
for preparing the fix. (CVE-2011-4108)
[Robin Seggelmann, Michael Tuexen]
*) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
[Ben Laurie, Kasper <ekasper@google.com>]
*) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
[Adam Langley (Google)]
*) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
[Adam Langley (Google)]
*) Prevent malformed RFC3779 data triggering an assertion failure.
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
[Rob Austein <sra@hactrn.net>]
*) Fix ssl_ciph.c set-up race.
[Adam Langley (Google)]
*) Fix spurious failures in ecdsatest.c.
[Emilia Käóper (Google)]
*) Fix the BIO_f_buffer() implementation (which was mixing different
interpretations of the '..._len' fields).
[Adam Langley (Google)]
*) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
threads won't reuse the same blinding coefficients.
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
lock to call BN_BLINDING_invert_ex, and avoids one use of
BN_BLINDING_update for each BN_BLINDING structure (previously,
the last update always remained unused).
[Emilia Käóper (Google)]
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH.
[Adam Langley (Google)]
*) Fix x509_name_ex_d2i memory leak on bad inputs.
[Bodo Moeller]
*) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]
*) Fix bug in string printing code: if *any* escaping is enabled we must
escape the escape character (backslash) or the resulting string is
ambiguous.
[Steve Henson]
Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
*) Disable code workaround for ancient and obsolete Netscape browsers
and servers: an attacker can use it in a ciphersuite downgrade attack.
Thanks to Martin Rex for discovering this bug. CVE-2010-4180
[Steve Henson]
*) Fixed J-PAKE implementation error, originally discovered by
Sebastien Martini, further info and confirmation from Stefan
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
[Ben Laurie]
