msharov released this Oct 2, 2021
* Make the UI more compact.
* Simplify HTML detagging and rewrapping.
* Store feed cache content detagged.
* New translation for Serbian.
* Support ncurses without widechars.
* Quit normally on non-fatal signals.
* Stop using libiconv because only UTF8 is supported.
* Remove the need to configure html_entities.
* Ignore atom link tags where rel != alternate.
* Fix saving of changes to smart feeds.
0.4.7 release
* Fix the ~ character being percent escaped when sending URLs to servers. See RFC 3986.
0.4.6 release
* Python 3.10 compatibility
* Fix a bug in the regex used to parse www-authenticate headers that could lead to Denial-of-Service
Changelog:
New
* Firefox now supports the new AVIF image format, which is based on the
modern and royalty free AV1 video codec. It offers significant bandwidth
savings for sites compared to existing image formats. It also supports
transparency and other advanced features.
* Firefox PDF viewer now supports filling more forms (XFA-based forms, used
by multiple governments and banks). Learn more.
* When available system memory is critically low, Firefox on Windows will
automatically unload tabs based on their last access time, memory usage,
and other attributes. This should help reduce Firefox out-of-memory
crashes. Switching to an unloaded tab automatically reloads it.
* To prevent session loss for macOS users who are running Firefox from a
mounted .dmg file, they'll now be prompted to finish installation. This
permission prompt only appears the first time these users run Firefox on
their computer.
* Firefox now blocks downloads that rely on insecure connections, protecting
against potentially malicious or unsafe downloads. Learn more and see where
to find downloads in Firefox.
* Improved web compatibility for privacy protections with SmartBlock 3.0.
Learn more
* Introducing a new referrer tracking protection in Strict Tracking
Protection and Private Browsing. Learn more
* Introducing Firefox Suggest, a faster way to navigate the web. Learn more
about the experience and locale-specific features.
Fixed
* The VoiceOver screen reader now correctly reports checkable items in
accessible tree controls as checked or unchecked.
* The Orca screen reader now works correctly with Firefox, no longer
requiring users to switch to another application after starting Firefox.
* Various security fixes
Changed
* TLS ciphersuites that use 3DES have been disabled. Such ciphersuites can
only be enabled when deprecated versions of TLS are also enabled. Learn
more.
* The download panel now follows the Firefox visual styles.
Enterprise
* Various bug fixes and new policies have been implemented in the latest
version of Firefox. See more details in the Firefox for Enterprise 93
Release Notes.
Developer
* Developer Information
Web Platform
* The UI for <input type="datetime-local"> has been implemented.
Security fixes:
#CVE-2021-38496: Use-after-free in MessageTask
#CVE-2021-38497: Validation message could have been overlaid on another origin
#CVE-2021-38498: Use-after-free of nsLanguageAtomService object
#CVE-2021-32810: Data race in crossbeam-deque
#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and
Firefox ESR 91.2
#CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
#CVE-2021-38499: Memory safety bugs fixed in Firefox 93
1.0.2
Fix regression introduced in 1.0.1, adding double item rows on SortableInlineAdminMixin and TabularInline.
1.0.1
Fix CSS classes change introduced in Django-2.1.
Prepared to run on Django-4.0.
Ditch Travis-CI in favor of GitHub Actions.
- Added EXPERIMENTAL support for top-level await to Mojo::Promise.
- Updated Future::AsyncAwait requirement to 0.52 for new features and
bug fixes.
- Improved *_attr and *_text methods in Test::Mojo to return undef
instead of empty string for values that do not exist. (tim-2)
- Fixed Mojo::DOM not to auto-close tags in <svg> and <math>
blocks. (mkende)
- Added trace log level to Mojo::Log.
- Changed default log level in Mojo::Log from "debug" to "trace" and
moved all built-in "debug" log messages to the level "trace". That
will allow for the "debug" level to be used exclusively for user
defined log messages.
- Switched from HMAC-SHA1 to HMAC-SHA256 for signed cookies. Note that
this means that all sessions will be reset.
- Improved signed cookie based sessions to pad short values, to make it
harder to brute force attack the application secret. (jberger)
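The two signed-cookie entries above describe one mechanism: the session is serialised, padded to a minimum length, and authenticated with HMAC-SHA256, and a verifier that no longer accepts the old MAC is why every existing session is invalidated. The Python below is an added illustration written for this digest, not Mojolicious code; the `payload--hexmac` layout, the `MIN_PAYLOAD_LEN` value and the function names are assumptions, and the secret list models rotation (newest first) rather than any particular Mojolicious API.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Assumed pad target; the entry above does not state the value Mojolicious uses.
MIN_PAYLOAD_LEN = 1024


def sign_cookie(session: dict, secret: bytes) -> str:
    """Serialise, pad, base64-encode and sign with HMAC-SHA256.
    Layout is 'payload--hexmac'; standard base64 never contains '-', so
    the separator is unambiguous. Padding is plain spaces, which the JSON
    parser ignores, so short sessions no longer yield very short MAC inputs."""
    payload = json.dumps(session, separators=(",", ":")).encode()
    if len(payload) < MIN_PAYLOAD_LEN:
        payload = payload.ljust(MIN_PAYLOAD_LEN)
    body = base64.b64encode(payload).decode()
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}--{mac}"


def verify_cookie(cookie: str, secrets: List[bytes]) -> Optional[dict]:
    """Return the session if the MAC verifies under any of `secrets`
    (newest first, so cookies issued under an older secret still work
    during a rotation), otherwise None. Nothing is decoded before the
    MAC has been checked."""
    body, sep, mac = cookie.rpartition("--")
    if not sep:
        return None
    for secret in secrets:
        expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):  # constant-time comparison
            try:
                return json.loads(base64.b64decode(body, validate=True))
            except (ValueError, UnicodeDecodeError):
                return None
    return None


if __name__ == "__main__":
    # Constructed secret and session for a stand-alone run.
    key = b"constructed-secret"
    cookie = sign_cookie({"user": "alice"}, key)
    print(len(cookie), verify_cookie(cookie, [key]))
```

A cookie signed with HMAC-SHA1 fails `verify_cookie` because the digest length and value differ, which is the "all sessions will be reset" effect; the same code path is what makes an honest secret rotation painless, as long as the previous secret stays in the list until old cookies have expired.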
- Remove Font Awesome from distribution.
- This release contains fixes for security issues, everybody
should upgrade!
[ENHANCEMENTS]
Use ok() instead of cmp_ok() inside of lacks_uncapped_inputs().
This output makes more sense.
lacks_uncapped_inputs() now has a default message if one isn't supplied.
[FIXES]
Fixed the subtest name inside of C<lacks_ids_ok>.
Fixed the minimum version of Carp::Assert::More in Makefile.PL.
Changes in release 0.32.1:
* Fix configure CFLAGS handling in Kerberos detection.
* Various spelling fixes.
Changes in release 0.32.0:
* Interface changes:
- API and ABI backwards-compatible with 0.27.x and later
- NE_AUTH_DIGEST now only enables RFC 2617/7616 auth by default;
to enable weaker RFC 2069 Digest, use NE_AUTH_LEGACY_DIGEST
(treated as a security enhancement, not an API/ABI break)
* Interface clarifications:
- ne_auth.h: use of non-ASCII usernames with the ne_auth_creds
callback type is now rejected for Digest auth since the
encoding is not specified. ne_add_auth() can be used instead.
- ne_request.h: the ne_create_request_fn callback is passed the
request-target using RFC 7230 terminology
* New interfaces and features:
- ne_string.h: added ne_strhash(), ne_vstrhash(), ne_strparam()
- ne_auth.h: added RFC 7616 (Digest authentication) support,
including userhash=, username*= and SHA-2 algorithms
(SHA-2 requires GnuTLS/OpenSSL). added NE_AUTH_LEGACY_DIGEST
- ne_auth.h: added ne_add_auth() unified auth callback interface,
accepts (only) UTF-8 usernames, uses a larger password buffer,
and has different/improved attempt counter semantics.
- RFC 7617 scoping rules are now applied for Basic authentication.
- ne_ssl.h: added ne_ssl_cert_hdigest()
- ne_socket.h: added ne_sock_shutdown()
- sendmsg()/send() are used with the MSG_NOSIGNAL flag to write to
sockets on Unix, rather than write()/writev(), avoiding SIGPIPE
- explicit_bzero() is used where available to clear credentials
* Bug fixes:
- fixed TLS connection shutdown handling for OpenSSL 3
- fix various Coverity and cppcheck warnings (Sebastian Reschke)
- Kerberos library detection uses pkg-config where possible.
- fix some configure checks on Win32 (Christopher Degawa)
- fix some configure errors on MacOS (Ryan Schmidt)
Security Vulnerabilities fixed in Firefox ESR 91.2
#CVE-2021-38496: Use-after-free in MessageTask
#CVE-2021-38497: Validation message could have been overlaid on another
origin
#CVE-2021-38498: Use-after-free of nsLanguageAtomService object
#CVE-2021-32810: Data race in crossbeam-deque
#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
4.1.0 (2021-10-05)
------------------
API Changes (Backward-Compatible)
- Support for Python 3.9 has been added.
- Support for Python 3.10 has been added.
- New example for a Python socket HTTP/2 client.
- New `OutputLogger` for use with ``h2.config.logger``. This is only provided
for convenience and not part of the stable API.
Bugfixes
- Header validation now rejects empty header names with a ProtocolError. While
hpack decodes such header blocks without issues, they violate the
HTTP semantics.
- Fix TE header name in error message.
Changes with Apache 2.4.51
*) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
fix of CVE-2021-41773) (cve.mitre.org)
It was found that the fix for CVE-2021-41773 in Apache HTTP
Server 2.4.50 was insufficient. An attacker could use a path
traversal attack to map URLs to files outside the directories
configured by Alias-like directives.
If files outside of these directories are not protected by the
usual default configuration "require all denied", these requests
can succeed. If CGI scripts are also enabled for these aliased
paths, this could allow for remote code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
earlier versions.
*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
unused AP_NORMALIZE_DROP_PARAMETERS flag.
Changes with Apache 2.4.50
*) SECURITY: CVE-2021-41773: Path traversal and file disclosure
vulnerability in Apache HTTP Server 2.4.49 (cve.mitre.org)
A flaw was found in a change made to path normalization in
Apache HTTP Server 2.4.49. An attacker could use a path
traversal attack to map URLs to files outside the expected
document root.
If files outside of the document root are not protected by
"require all denied" these requests can succeed. Additionally
this flaw could leak the source of interpreted files like CGI
scripts.
This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
Credits: This issue was reported by Ash Daulton along with the
cPanel Security Team
*) SECURITY: CVE-2021-41524: null pointer dereference in h2 fuzzing
(cve.mitre.org)
While fuzzing the 2.4.49 httpd, a new null pointer dereference
was detected during HTTP/2 request processing,
allowing an external source to DoS the server. This requires a
specially crafted request.
The vulnerability was recently introduced in version 2.4.49. No
exploit is known to the project.
Credits: Apache httpd team would like to thank LI ZHI XIN from
NSFocus Security Team for reporting this issue.
*) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
the uri-path when it's preceded by a dot.
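The CVE-2021-41773/CVE-2021-42013 entries and the AP_NORMALIZE_DECODE_UNRESERVED item just above come down to an ordering rule: percent-decode the RFC 3986 unreserved octets (letters, digits, `-`, `.`, `_`, `~`) first, then remove dot segments, and only then map the result onto an Alias target, rejecting anything that would climb above the root. The Python below is an added illustration written for this digest, not httpd code; `normalize`, `map_alias` and the `/icons` alias are hypothetical, and the check on the final filesystem path is a second, independent guard rather than a substitute for `require all denied`.

```python
import posixpath
import re
from typing import Optional

# RFC 3986 section 2.3: these octets mean the same encoded or decoded, so a
# normaliser must decode them before it looks for '.' and '..' segments.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_unreserved(path: str) -> str:
    """Decode only unreserved percent-escapes (%2E -> '.', %7E -> '~').
    Reserved ones such as %2F stay encoded, so decoding can never create a
    new '/' segment boundary."""
    def repl(m: "re.Match") -> str:
        ch = chr(int(m.group(0)[1:], 16))
        return ch if ch in UNRESERVED else m.group(0)
    return _PCT.sub(repl, path)


def remove_dot_segments(path: str) -> Optional[str]:
    """Resolve '.' and '..' segments of an absolute path (RFC 3986 5.2.4).
    Returns None when '..' would climb above '/', which a server should
    reject outright rather than silently clamp to the root."""
    if not path.startswith("/"):
        return None
    stack = []
    for seg in path.split("/")[1:]:
        if seg == ".":
            continue
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def normalize(path: str) -> Optional[str]:
    """Correct order: decode unreserved octets, then remove dot segments.
    Removing dot segments first would let '.%2E' survive as an ordinary
    segment and turn into '..' whenever a later handler decodes it."""
    return remove_dot_segments(decode_unreserved(path))


def map_alias(url_path: str, alias_prefix: str, alias_dir: str) -> Optional[str]:
    """Map a request path under alias_prefix onto a file below alias_dir.
    Hypothetical stand-in for an Alias directive; returns None when the
    request is not under the alias or would resolve outside alias_dir."""
    norm = normalize(url_path)
    if norm is None:
        return None
    if norm != alias_prefix and not norm.startswith(alias_prefix + "/"):
        return None
    rel = norm[len(alias_prefix):].lstrip("/")
    target = posixpath.normpath(posixpath.join(alias_dir, rel))
    if target != alias_dir and not target.startswith(alias_dir + "/"):
        return None  # second guard: never serve anything outside the target
    return target


if __name__ == "__main__":
    # Constructed requests against a hypothetical alias /icons -> /srv/www/icons
    for req in ["/icons/a.png", "/icons/./b%2Epng", "/icons/.%2e/other", "/%2e%2e/x"]:
        print(req, "->", map_alias(req, "/icons", "/srv/www/icons"))
```

The same unreserved set is the reason the 0.4.7 entry earlier in this digest stops percent-escaping `~`: a client that sends `%7E` and one that sends `~` are asking for the same resource, and a server normaliser has to treat them identically.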
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This allows scripts that distribute
information in a cluster to abort early without bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
*) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
had no hostname ("unix:/...").
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
run into an assertion which terminated (and restarted) the child process where
the task was running. Eventually, all OCSP responses were collected, but not
in the way that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
*) mod_rewrite: Fix UDS ("unix:") scheme for
*) event mpm: Correctly count active child processes in parent process if
child process dies due to MaxConnectionsPerChild.
*) mod_http2: when a server is restarted gracefully, any idle h2 worker
threads are shut down immediately.
Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
Also brings in all other, never separately proposed code changes so
that the http2 sources are cleanly synced.
*) mod_dav: Correctly handle errors returned by dav providers on REPORT
requests.
*) core: do not install core input/output filters on secondary
connections.
*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
and use it to prevent that failures in running the pre_connection
hook cause crashes afterwards.
*) mod_speling: Add CheckBasenameMatch.
Django 3.2.8 fixes two bugs in 3.2.7.
Bugfixes
Fixed a bug in Django 3.2 that caused incorrect links on read-only fields in the admin.
Fixed a regression in Django 3.2 that caused incorrect selection of items across all pages when actions were placed both on the top and bottom of the admin change-list view.
Highlights
* improve performance, reduce memory use, bugfixes
* HTTP/2 smoother and lower memory use (in general)
* HTTP/2 tuning to better handle aggressive client initial requests
* reduce memory footprint; workaround poor glibc behavior; jemalloc is better
* mod_magnet lua performance improvements
* mod_dirlisting performance improvements and new caching option
* memory constraints for extreme edge cases in mod_dirlisting, mod_ssi, mod_webdav
* connect(), write(), read() time limits on backends (separate from client timeouts)
* lighttpd restarts if large discontinuity in time occurs (embedded systems)
* RFC7233 Range support for all non-streaming responses, not only static files
-Change buildsystem to use a ./configure script
-badwolf.1: Add tip to list dictionaries in enchant
-badwolf.h: Add WEBKIT_CHECK_VERSION
-Switch from libsoup-2.4 to glib's GUri
-badwolf.1: Fix gtk-doc css-properties URL
Changelog:
92.0.1
Fixed
* Fixes an issue where audio playback was not working on some Linux systems (
bug 1730499)
* Fixes issues with the findbar close button on different operating systems (
bug 1728368)
92.0
New
* More secure connections: Firefox can now automatically upgrade to HTTPS
using HTTPS RR as Alt-Svc headers.
* Full-range color levels are now supported for video playback on many
systems.
* Mac users can now access the macOS share options from the Firefox File
menu.
* Support for images containing ICC v4 profiles is enabled on macOS.
Fixed
* Firefox performance with screen readers and other accessibility tools is no
longer severely degraded if Mozilla Thunderbird is installed or updated
after Firefox.
* macOS VoiceOver now correctly reports buttons and links marked as
"expanded" using the aria-expanded attribute.
* An open alert in a tab no longer causes performance issues in other tabs
using the same process.
* Various security fixes
Changed
* Canonical is now building the official Firefox snap. It's also now
available on two additional architectures, ARMhf and ARM64.
* The bookmark toolbar menus on macOS now follow Firefox visual styles.
* Certificate error pages have been redesigned for a better user experience.
* Continuing work to restructure Firefox's JavaScript memory management to
be more performant and use less memory.
Nghttp2 v1.45.1
build
This release fixes a packaging issue: some configuration files were missing from the tar archives.
Nghttp2 v1.45.0
lib
Stricter checks for the :method and :path pseudo header fields are introduced.
build
nghttp2 applications can be compiled with OpenSSL v3.0.0.
Fix warning about systemd when cmake is used.
Added build options to enable HTTP/3 and eBPF.
nghttpx
The experimental HTTP/3 support has been added.
“dnf” (= “do not forward”) parameter is added to backend option.
h2load
The experimental HTTP/3 support has been added.
SSLKEYLOGFILE environment variable support has been added.
1.26.7
------
* Fixed a bug with HTTPS hostname verification involving IP addresses and lack
of SNI.
* Fixed a bug where IPv6 braces weren't stripped during certificate hostname
matching.
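Both 1.26.7 entries concern the host string a client compares against the server certificate: an IPv6 literal must lose its URL brackets before comparison, an IP literal matches only IP Address SANs (compared as addresses, not text) and must not be sent as SNI, and DNS names get the usual single-label wildcard rule. The Python below is an added illustration for this digest, not urllib3's own hostname-matching code; the SAN tuple shape follows what `ssl.SSLSocket.getpeercert()` returns, and the function names are hypothetical.

```python
import ipaddress
from typing import Optional, Sequence, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# subjectAltName entries as ssl.SSLSocket.getpeercert() presents them:
# ('DNS', 'example.com') or ('IP Address', '2001:db8::1')
SAN = Sequence[Tuple[str, str]]


def split_host(host: str) -> Tuple[str, Optional[IPAddr]]:
    """Strip URL-literal brackets ('[::1]' -> '::1') and try to parse the
    result as an address. Returns (bare_host, address_or_None)."""
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        return bare, ipaddress.ip_address(bare)
    except ValueError:
        return bare, None


def sni_for(host: str) -> Optional[str]:
    """RFC 6066 forbids IP literals in server_name, so send no SNI for them;
    the certificate check then has to rely on IP Address SANs."""
    bare, ip = split_host(host)
    return None if ip is not None else bare


def _dns_match(pattern: str, hostname: str) -> bool:
    """Exact case-insensitive match, or a single left-most '*' label with at
    least two fixed labels after it (*.example.com, not *.com)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        pl, hl = p.split("."), h.split(".")
        return len(pl) >= 3 and len(pl) == len(hl) and pl[1:] == hl[1:]
    return False


def match_cert(host: str, san: SAN) -> bool:
    """Verify the host part of a URL against a certificate's SANs. IP literals
    match only 'IP Address' entries, compared as parsed addresses so textual
    variants of one IPv6 address agree; names match only 'DNS' entries."""
    bare, ip = split_host(host)
    if ip is not None:
        for kind, value in san:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # a malformed SAN entry never matches anything
        return False
    return any(kind == "DNS" and _dns_match(value, bare) for kind, value in san)


if __name__ == "__main__":
    # Constructed SAN list for a stand-alone run.
    san = [("DNS", "*.example.com"), ("IP Address", "2001:db8::1")]
    for host in ["www.example.com", "[2001:db8::1]", "2001:db8::1", "[::1]"]:
        print(host, "sni=", sni_for(host), "match=", match_cert(host, san))
```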
Changes:
2.34.0
------
- Add support for HTTP/2 when building with libsoup3.
- Add support for CSS Scroll Snap.
- Add support for date and datetime-local input elements.
- Add support for display capture.
- Add support for ICC color management.
- Add support for the color-scheme CSS property.
- Add support for link preconnect when building with libsoup3.
- Add support for client side certificates when building with libsoup3.
- Add multi-track support to MSE media backend.
- Add new API to handle web process unresponsiveness.
- Add API to disable CORS on a web view for particular domains.
- Add new API to access/modify capture devices states.
- Add new API to configure the memory pressure handler.