0.9.6
------
- Plugins were creatd in toolbar even if they were asked not to in pop up
windows, fixed.
- Fixed Window Orphan and New Window popups so that they don't display
menubars and other uwanted contents.
- Implemented ContentHandler so that we dont see Mozilla's ugly File picker
which did not work for save even! - Now we display our own file picker and
then redirect for mozilla download for those users who opt to use Mozilla's
own MIME info/downloading or direct to user's own downloader.
0.9.5
-----
- Plugin compile was broken, fixed.
- Changed a plugin function (skipstone_load_url) to (skipstone_load_url_cb)
to distinguish from skipstone's internal message.
- Distribution cleanups.
XXX We really should make this package compile with recent firefox/seamonkey
versions, otherwise it will soon become unusable (with mozilla no longer
being maintained). I had a patch to make it compile with Firefox 1.0.x,
but it no longer works for Firefox 1.5.x.
A WikiWikiWeb is a collaborative hypertext environment, with an
emphasis on easy access to and modification of information. MoinMoin
is a Python WikiClone that allows you to easily set up your own wiki,
only requiring a Python installation.
Changes:
* Improved stability
* Several security fixes (see below)
* A bug was introduced in SeaMonkey 1.0.2 that sometimes caused the URL bar to
stop working properly when switching tabs. This has been fixed. (Bug 332874)
* If you have more bookmarks on your personal toolbar than there is space for,
the ">>" overflow icon will now display more reliably (Bug 338803)
* If you choose to update SeaMonkey when it notifies you that an update is
available, the update page will load in a more useful browser window (with
navigation buttons and toolbars) (Bug 334903)
Security fixes:
MFSA 2006-56 chrome: scheme loading remote content
MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
MFSA 2006-53 UniversalBrowserRead privilege escalation
MFSA 2006-52 PAC privilege escalation using Function.prototype.call
MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()"
MFSA 2006-50 JavaScript engine vulnerabilities
MFSA 2006-49 Heap buffer overwrite on malformed VCard
MFSA 2006-48 JavaScript new Function race condition
MFSA 2006-47 Native DOM methods can be hijacked across domains
MFSA 2006-46 Memory corruption with simultaneous events
MFSA 2006-45 Javascript navigator Object Vulnerability
MFSA 2006-44 Code execution through deleted frame reference
For a detailed ChangeLog, see:
http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.0.3/changelog.html
Changes with Apache 1.3.37
*) SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
[Mark Cox]
security problems with 1.5.0.4. No functional changes at all in the
package -- this is purely a security update.
See CERT advisory TA06-208A (last revised July 27) for details.
to version 2.0.59. Changes since *2.0.58:
- SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
If ${FILESDIR}/getsite.sh exists, then use it to determine the fetch
URL for each of the distfiles for the package. Otherwise, use
SITE_<file> and MASTER_SITES, in order, to determine the URL for each
distfile.
If the script path differs from ${FILESDIR}/getsite.sh, then set
DYNAMIC_SITE_SCRIPT to the full path to that script.
Remove the need to set DYNAMIC_MASTER_SITES explicitly in the package
Makefile for:
graphics/ns-cult3d
wm/sawfish-themes
www/apache-tomcat55
www/jakarta-tomcat4
www/jakarta-tomcat5
pkgsrc release engineering team.
- Keep current directory with DEINSTALL and INSTALL script.
- remove extra processing with POST-DEINSTALL action from DEINSTALL script.
- Suggest use of additional graphic package.
- Add APACHE_GROUP to BUILD_DEFS.
- install ${GEEKLOG_EXAMPLESDIR}/createdb.php with INSTALL_SCRIPT.
Bump PKGREVISION.
since they always need a C compiler, even when the source code is
completely in C++.
For some other packages, stated in the comment that a C compiler is
really not needed.
2006-04-28 Gisle Aas
Release 3.54
Yaakov Belch discovered yet another issue with <script> parsing.
Enabling of 'empty_element_tags' got the parser confused
if it found such a tag for elements that are normally parsed
in literal mode. Of these <script src="..."/> is the only
one likely to be found in documents.
<http://rt.cpan.org//Ticket/Display.html?id=18965>
2006-04-27 Gisle Aas
Release 3.53
When ignore_element was enabled it got confused if the
corresponding tags did not nest properly; the end tag
was treated it as if it was a start tag.
Found and fixed by Yaakov Belch
<http://rt.cpan.org/Ticket/Display.html?id=18936>
2006-04-26 Gisle Aas
Release 3.52
Make sure the 'start_document' fires exactly once for
each document parsed. For earlier releases it did not
fire at all for empty documents and could fire multiple
times if parse was called with empty chunks.
Documentation tweaks and typo fixes.
2006-03-22 Gisle Aas
Release 3.51
Named entities outside the Latin-1 range are now only expanded
when properly terminated with ";". This makes HTML::Parser
compatible with Firefox/Konqueror/MSIE when it comes to how these
entities are expanded in attribute values. Firefox does expand
unterminated non-Latin-1 entities in plain text, so here
HTML::Parser only stays compatible with Konqueror/MSIE.
Fixes <http://rt.cpan.org/Ticket/Display.html?id=17962>.
Fixed some documentation typos spotted by william at knowmad.com.
<http://rt.cpan.org/Ticket/Display.html?id=18062>
Changes with Apache 1.3.36
*) Reverted SVN rev #396294 due to unwanted regression.
The new feature introduced in 1.3.35 (Allow usage of the
"Include" configuration directive within previously "Include"d
files) has been removed in the meantime.
(http://svn.apache.org/viewcvs?rev=396294&view=rev)
Changes with Apache 1.3.35
*) SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
[Mark Cox]
*) core: Allow usage of the "Include" configuration directive within
previously "Include"d files. [Colm MacCarthaigh]
*) HTML-escape the Expect error message. Not classed as security as
an attacker has no way to influence the Expect header a victim will
send to a target site. Reported by Thiago Zaninotti [Mark Cox]
*) mod_cgi: Remove block on OPTIONS method so that scripts can
respond to OPTIONS directly rather than via server default.
[Roy Fielding] PR 15242
had actually been ignoring LTCONFIG_OVERRIDE anyway and just using
the default LIBTOOL_OVERRIDE to replace libtool scripts in packages.
This just formalizes the fact that LTCONFIG_OVERRIDE is not used
meaningfully by pkgsrc.
version: 0.18
date: Wed Mar 8 02:06:47 PST 2006
changes:
- Made Test.Base stuff its own module. Now Jemplate relies on that module.
- Christian Hansen added a simple daemon for running tests.
- Cees Hek added all hash virtual methods (except `import` which caused
major grief)
- Cees monkeyed around in the Stash lookup code
- Yann K implemented the `replace` filter
- Ingy made `foo.bar()` always call a method `bar`.
- Ingy completely refactored Test.Base and then proceeded to refactor the
Jemplate test suite in kind.
- gugod pulled over some uri escaping code from Kwiki
- chansen tweaked the daemon to honor caching rules
- Cory Bennett fixed some bug having to do with a Javascript String object.
- Cees fixed the defaults for the `indent` and `truncate` filters.
- Stephen Howard reported that Jemplate was not localising the stash for
the INCLUDE directive, and he even supplied a patch, but Ingy had
already made the fix.
- Ingy played with the Stash lookup code and hopefully got it just perfect.
- Ingy added support for the DEFAULT directive.
- Lots more tests in this release.
It fixes cross-site-scripting security problem.
Geeklog 1.4.0sr5
JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
