Eliom is an OCaml library for the webserver Ocsigen that allows
for the creation of dynamic webpages. In this way, a website is
not written as a separate set of pages, but as one integral OCaml
module.
Release notes says "no security fix" but it really fixes SA49131:
<http://secunia.com/advisories/49131/>.
Release notes
Maintenance release of the Drupal 7 series. Includes bugfixes and small
API/feature improvements only (no major new functionality); significant new
features are only being added to the forthcoming Drupal 8.0 release.
No security fixes are included in this release.
Besides documentation fixes, no changes have been made to the .htaccess,
robots.txt or settings.php files in this release, so upgrading custom versions
of those files is not necessary. Known issues:
#1708722: Call to undefined function drupal_find_base_themes() in
drupal-7.15/includes/module.inc on line 184: Under rare circumstances
which are still under investigation (most likely, sites with a sub-theme
enabled and a module enabled that calls certain code early in Drupal's
page request), upgrading to Drupal 7.15 may lead to a fatal error. A
patch to fix this is available.
http://drupal.org/node/1708292
## Rails 3.2.8 (Aug 9, 2012) ##
* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
helper doesn't correctly handle malformed html. As a result an attacker can
execute arbitrary javascript through the use of specially crafted malformed
html.
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
* When a "prompt" value is supplied to the `select_tag` helper, the "prompt"
value is not escaped.
If untrusted data is not escaped, and is supplied as the prompt value, there
is a potential for XSS attacks.
Vulnerable code will look something like this:
select_tag("name", options, :prompt => UNTRUSTED_INPUT)
*Santiago Pastorino*
## Rails 3.1.8 (Aug 9, 2012)
* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
helper doesn't correctly handle malformed html. As a result an attacker can
execute arbitrary javascript through the use of specially crafted malformed
html.
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
* When a "prompt" value is supplied to the `select_tag` helper, the
"prompt" value is not escaped.
If untrusted data is not escaped, and is supplied as the prompt value,
there is a potential for XSS attacks.
Vulnerable code will look something like this:
select_tag("name", options, :prompt => UNTRUSTED_INPUT)
*Santiago Pastorino*
## Rails 3.0.17 (Aug 9, 2012)
* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
helper doesn't correctly handle malformed html. As a result an attacker can
execute arbitrary javascript through the use of specially crafted malformed
html.
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
* When a "prompt" value is supplied to the `select_tag` helper, the "prompt"
value is not escaped. If untrusted data is not escaped, and is supplied as
the prompt value, there is a potential for XSS attacks.
Vulnerable code will look something like this:
select_tag("name", options, :prompt => UNTRUSTED_INPUT)
*Santiago Pastorino*
*) Feature: the Clang compiler support.
*) Bugfix: extra listening sockets might be created.
Thanks to Roman Odaisky.
*) Bugfix: nginx/Windows might hog CPU if a worker process failed to
start.
Thanks to Ricardo Villalobos Guevara.
*) Bugfix: the "proxy_pass_header", "fastcgi_pass_header",
"scgi_pass_header", "uwsgi_pass_header", "proxy_hide_header",
"fastcgi_hide_header", "scgi_hide_header", and "uwsgi_hide_header"
directives might be inherited incorrectly.
*) Bugfix: trailing dot in a source value was not ignored if the "map"
directive was used with the "hostnames" parameter.
*) Bugfix: incorrect location might be used to process a request if a
URI was changed via a "rewrite" directive before an internal redirect
to a named location.
*) Bugfix: a segmentation fault might occur in a worker process if the
"try_files" directive was used; the bug had appeared in 1.1.19.
*) Bugfix: response might be truncated if there were more than IOV_MAX
buffers used.
*) Bugfix: in the "crop" parameter of the "image_filter" directive.
Thanks to Maxim Bublis.
Changes with nginx 1.1.19 12 Apr 2012
*) Security: specially crafted mp4 file might allow to overwrite memory
locations in a worker process if the ngx_http_mp4_module was used,
potentially resulting in arbitrary code execution (CVE-2012-2089).
Thanks to Matthew Daley.
*) Bugfix: nginx/Windows might be terminated abnormally.
Thanks to Vincent Lee.
*) Bugfix: nginx hogged CPU if all servers in an upstream were marked as
"backup".
*) Bugfix: the "allow" and "deny" directives might be inherited
incorrectly if they were used with IPv6 addresses.
*) Bugfix: the "modern_browser" and "ancient_browser" directives might
be inherited incorrectly.
*) Bugfix: timeouts might be handled incorrectly on Solaris/SPARC.
*) Bugfix: in the ngx_http_mp4_module.
Changes with nginx 1.1.18 28 Mar 2012
*) Change: keepalive connections are no longer disabled for Safari by
default.
*) Feature: the $connection_requests variable.
*) Feature: $tcpinfo_rtt, $tcpinfo_rttvar, $tcpinfo_snd_cwnd and
$tcpinfo_rcv_space variables.
*) Feature: the "worker_cpu_affinity" directive now works on FreeBSD.
*) Feature: the "xslt_param" and "xslt_string_param" directives.
Thanks to Samuel Behan.
*) Bugfix: in configure tests.
Thanks to Piotr Sikora.
*) Bugfix: in the ngx_http_xslt_filter_module.
*) Bugfix: nginx could not be built on Debian GNU/Hurd.
Changes with nginx 1.1.17 15 Mar 2012
*) Security: content of previously freed memory might be sent to a
client if backend returned specially crafted response.
Thanks to Matthew Daley.
*) Bugfix: in the embedded perl module if used from SSI.
Thanks to Matthew Daley.
*) Bugfix: in the ngx_http_uwsgi_module.
Changes with nginx 1.1.16 29 Feb 2012
*) Change: the simultaneous subrequest limit has been raised to 200.
*) Feature: the "from" parameter of the "disable_symlinks" directive.
*) Feature: the "return" and "error_page" directives can now be used to
return 307 redirections.
*) Bugfix: a segmentation fault might occur in a worker process if the
"resolver" directive was used and there was no "error_log" directive
specified at global level.
Thanks to Roman Arutyunyan.
*) Bugfix: a segmentation fault might occur in a worker process if the
"proxy_http_version 1.1" or "fastcgi_keep_conn on" directives were
used.
*) Bugfix: memory leaks.
Thanks to Lanshun Zhou.
*) Bugfix: in the "disable_symlinks" directive.
*) Bugfix: on ZFS filesystem disk cache size might be calculated
incorrectly; the bug had appeared in 1.0.1.
*) Bugfix: nginx could not be built by the icc 12.1 compiler.
*) Bugfix: nginx could not be built by gcc on Solaris; the bug had
appeared in 1.1.15.
Changes with nginx 1.1.15 15 Feb 2012
*) Feature: the "disable_symlinks" directive.
*) Feature: the "proxy_cookie_domain" and "proxy_cookie_path"
directives.
*) Bugfix: nginx might log incorrect error "upstream prematurely closed
connection" instead of correct "upstream sent too big header" one.
Thanks to Feibo Li.
*) Bugfix: nginx could not be built with the ngx_http_perl_module if the
--with-openssl option was used.
*) Bugfix: the number of internal redirects to named locations was not
limited.
*) Bugfix: calling $r->flush() multiple times might cause errors in the
ngx_http_gzip_filter_module.
*) Bugfix: temporary files might be not removed if the "proxy_store"
directive was used with SSI includes.
*) Bugfix: in some cases non-cacheable variables (such as the $args
variable) returned old empty cached value.
*) Bugfix: a segmentation fault might occur in a worker process if too
many SSI subrequests were issued simultaneously; the bug had appeared
in 0.7.25.
Changes with nginx 1.1.14 30 Jan 2012
*) Feature: multiple "limit_req" limits may be used simultaneously.
*) Bugfix: in error handling while connecting to a backend.
Thanks to Piotr Sikora.
*) Bugfix: in AIO error handling on FreeBSD.
*) Bugfix: in the OpenSSL library initialization.
*) Bugfix: the "proxy_redirect" directives might be inherited
incorrectly.
*) Bugfix: memory leak during reconfiguration if the "pcre_jit"
directive was used.
Changes with nginx 1.1.13 16 Jan 2012
*) Feature: the "TLSv1.1" and "TLSv1.2" parameters of the
"ssl_protocols" directive.
*) Bugfix: the "limit_req" directive parameters were not inherited
correctly; the bug had appeared in 1.1.12.
*) Bugfix: the "proxy_redirect" directive incorrectly processed
"Refresh" header if regular expression were used.
*) Bugfix: the "proxy_cache_use_stale" directive with "error" parameter
did not return answer from cache if there were no live upstreams.
*) Bugfix: the "worker_cpu_affinity" directive might not work.
*) Bugfix: nginx could not be built on Solaris; the bug had appeared in
1.1.12.
*) Bugfix: in the ngx_http_mp4_module.
Changes with nginx 1.1.12 26 Dec 2011
*) Change: a "proxy_pass" directive without URI part now uses changed
URI after redirection with the "error_page" directive.
Thanks to Lanshun Zhou.
*) Feature: the "proxy/fastcgi/scgi/uwsgi_cache_lock",
"proxy/fastcgi/scgi/uwsgi_cache_lock_timeout" directives.
*) Feature: the "pcre_jit" directive.
*) Feature: the "if" SSI command supports captures in regular
expressions.
*) Bugfix: the "if" SSI command did not work inside the "block" command.
*) Bugfix: the "limit_conn_log_level" and "limit_req_log_level"
directives might not work.
*) Bugfix: the "limit_rate" directive did not allow to use full
throughput, even if limit value was very high.
*) Bugfix: the "sendfile_max_chunk" directive did not work, if the
"limit_rate" directive was used.
*) Bugfix: a "proxy_pass" directive without URI part always used
original request URI if variables were used.
*) Bugfix: a "proxy_pass" directive without URI part might use original
request after redirection with the "try_files" directive.
Thanks to Lanshun Zhou.
*) Bugfix: in the ngx_http_scgi_module.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: nginx could not be built on Solaris; the bug had appeared in
1.1.9.
Changes with nginx 1.1.11 12 Dec 2011
*) Feature: the "so_keepalive" parameter of the "listen" directive.
Thanks to Vsevolod Stakhov.
*) Feature: the "if_not_empty" parameter of the
"fastcgi/scgi/uwsgi_param" directives.
*) Feature: the $https variable.
*) Feature: the "proxy_redirect" directive supports variables in the
first parameter.
*) Feature: the "proxy_redirect" directive supports regular expressions.
*) Bugfix: the $sent_http_cache_control variable might contain a wrong
value if the "expires" directive was used.
Thanks to Yichun Zhang.
*) Bugfix: the "read_ahead" directive might not work combined with
"try_files" and "open_file_cache".
*) Bugfix: a segmentation fault might occur in a worker process if small
time was used in the "inactive" parameter of the "proxy_cache_path"
directive.
*) Bugfix: responses from cache might hang.
Changes with nginx 1.1.10 30 Nov 2011
*) Bugfix: a segmentation fault occured in a worker process if AIO was
used on Linux; the bug had appeared in 1.1.9.
Changes with nginx 1.1.9 28 Nov 2011
*) Change: now double quotes are encoded in an "echo" SSI-command
output.
Thanks to Zaur Abasmirzoev.
*) Feature: the "valid" parameter of the "resolver" directive. By
default TTL returned by a DNS server is used.
Thanks to Kirill A. Korinskiy.
*) Bugfix: nginx might hang after a worker process abnormal termination.
*) Bugfix: a segmentation fault might occur in a worker process if SNI
was used; the bug had appeared in 1.1.2.
*) Bugfix: in the "keepalive_disable" directive; the bug had appeared in
1.1.8.
Thanks to Alexander Usov.
*) Bugfix: SIGWINCH signal did not work after first binary upgrade; the
bug had appeared in 1.1.1.
*) Bugfix: backend responses with length not matching "Content-Length"
header line are no longer cached.
*) Bugfix: in the "scgi_param" directive, if complex parameters were
used.
*) Bugfix: in the "epoll" event method.
Thanks to Yichun Zhang.
*) Bugfix: in the ngx_http_flv_module.
Thanks to Piotr Sikora.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: IPv6 addresses are now handled properly in a request line and
in a "Host" request header line.
*) Bugfix: "add_header" and "expires" directives did not work if a
request was proxied and response status code was 206.
*) Bugfix: nginx could not be built on FreeBSD 10.
*) Bugfix: nginx could not be built on AIX.
Changes with nginx 1.1.8 14 Nov 2011
*) Change: the ngx_http_limit_zone_module was renamed to the
ngx_http_limit_conn_module.
*) Change: the "limit_zone" directive was superseded by the
"limit_conn_zone" directive with a new syntax.
*) Feature: support for multiple "limit_conn" limits on the same level.
*) Feature: the "image_filter_sharpen" directive.
*) Bugfix: a segmentation fault might occur in a worker process if
resolver got a big DNS response.
Thanks to Ben Hawkes.
*) Bugfix: in cache key calculation if internal MD5 implementation was
used; the bug had appeared in 1.0.4.
*) Bugfix: the "If-Modified-Since", "If-Range", etc. client request
header lines might be passed to backend while caching; or not passed
without caching if caching was enabled in another part of the
configuration.
*) Bugfix: the module ngx_http_mp4_module sent incorrect
"Content-Length" response header line if the "start" argument was
used.
Thanks to Piotr Sikora.
Changes with nginx 1.1.7 31 Oct 2011
*) Feature: support of several DNS servers in the "resolver" directive.
Thanks to Kirill A. Korinskiy.
*) Bugfix: a segmentation fault occurred on start or during
reconfiguration if the "ssl" directive was used at http level and
there was no "ssl_certificate" defined.
*) Bugfix: reduced memory consumption while proxying big files if they
were buffered to disk.
*) Bugfix: a segmentation fault might occur in a worker process if
"proxy_http_version 1.1" directive was used.
*) Bugfix: in the "expires @time" directive.
Changes with nginx 1.1.6 17 Oct 2011
*) Change in internal API: now module context data are cleared while
internal redirect to named location.
Requested by Yichun Zhang.
*) Change: if a server in an upstream failed, only one request will be
sent to it after fail_timeout; the server will be considered alive if
it will successfully respond to the request.
*) Change: now the 0x7F-0x1F characters are escaped as \xXX in an
access_log.
*) Feature: "proxy/fastcgi/scgi/uwsgi_ignore_headers" directives support
the following additional values: X-Accel-Limit-Rate,
X-Accel-Buffering, X-Accel-Charset.
*) Feature: decrease of memory consumption if SSL is used.
*) Bugfix: some UTF-8 characters were processed incorrectly.
Thanks to Alexey Kuts.
*) Bugfix: the ngx_http_rewrite_module directives specified at "server"
level were executed twice if no matching locations were defined.
*) Bugfix: a socket leak might occurred if "aio sendfile" was used.
*) Bugfix: connections with fast clients might be closed after
send_timeout if file AIO was used.
*) Bugfix: in the ngx_http_autoindex_module.
*) Bugfix: the module ngx_http_mp4_module did not support seeking on
32-bit platforms.
Changes with nginx 1.1.5 05 Oct 2011
*) Feature: the "uwsgi_buffering" and "scgi_buffering" directives.
Thanks to Peter Smit.
*) Bugfix: non-cacheable responses might be cached if
"proxy_cache_bypass" directive was used.
Thanks to John Ferlito.
*) Bugfix: in HTTP/1.1 support in the ngx_http_proxy_module.
*) Bugfix: cached responses with an empty body were returned
incorrectly; the bug had appeared in 0.8.31.
*) Bugfix: 201 responses of the ngx_http_dav_module were incorrect; the
bug had appeared in 0.8.32.
*) Bugfix: in the "return" directive.
*) Bugfix: the "ssl_session_cache builtin" directive caused segmentation
fault; the bug had appeared in 1.1.1.
Changes with nginx 1.1.4 20 Sep 2011
*) Feature: the ngx_http_upstream_keepalive module.
*) Feature: the "proxy_http_version" directive.
*) Feature: the "fastcgi_keep_conn" directive.
*) Feature: the "worker_aio_requests" directive.
*) Bugfix: if nginx was built --with-file-aio it could not be run on
Linux kernel which did not support AIO.
*) Bugfix: in Linux AIO error processing.
Thanks to Hagai Avrahami.
*) Bugfix: reduced memory consumption for long-lived requests.
*) Bugfix: the module ngx_http_mp4_module did not support 64-bit MP4
"co64" atom.
Changes with nginx 1.1.3 14 Sep 2011
*) Feature: the module ngx_http_mp4_module.
*) Bugfix: in Linux AIO combined with open_file_cache.
*) Bugfix: open_file_cache did not update file info on retest if file
was not atomically changed.
*) Bugfix: nginx could not be built on MacOSX 10.7.
Changes with nginx 1.1.2 05 Sep 2011
*) Change: now if total size of all ranges is greater than source
response size, then nginx disables ranges and returns just the source
response.
*) Feature: the "max_ranges" directive.
*) Bugfix: the "ssl_verify_client", "ssl_verify_depth", and
"ssl_prefer_server_ciphers" directives might work incorrectly if SNI
was used.
*) Bugfix: in the "proxy/fastcgi/scgi/uwsgi_ignore_client_abort"
directives.
Changes with nginx 1.1.1 22 Aug 2011
*) Change: now cache loader processes either as many files as specified
by "loader_files" parameter or works no longer than time specified by
the "loader_threshold" parameter during each iteration.
*) Change: now SIGWINCH signal works only in daemon mode.
*) Feature: now shared zones and caches use POSIX semaphores on Solaris.
Thanks to Den Ivanov.
*) Feature: accept filters are now supported on NetBSD.
*) Bugfix: nginx could not be built on Linux 3.0.
*) Bugfix: nginx did not use gzipping in some cases; the bug had
appeared in 1.1.0.
*) Bugfix: request body might be processed incorrectly if client used
pipelining.
*) Bugfix: in the "request_body_in_single_buf" directive.
*) Bugfix: in "proxy_set_body" and "proxy_pass_request_body" directives
if SSL connection to backend was used.
*) Bugfix: nginx hogged CPU if all servers in an upstream were marked as
"down".
*) Bugfix: a segmentation fault might occur during reconfiguration if
ssl_session_cache was defined but not used in previous configuration.
*) Bugfix: a segmentation fault might occur in a worker process if many
backup servers were used in an upstream.
*) Bugfix: a segmentation fault might occur in a worker process if
"fastcgi/scgi/uwsgi_param" directives were used with values starting
with "HTTP_"; the bug had appeared in 0.8.40.
Changes with nginx 1.1.0 01 Aug 2011
*) Feature: cache loader run time decrease.
*) Feature: "loader_files", "loader_sleep", and "loader_threshold"
options of the "proxy/fastcgi/scgi/uwsgi_cache_path" directives.
*) Feature: loading time decrease of configuration with large number of
HTTPS sites.
*) Feature: now nginx supports ECDHE key exchange ciphers.
Thanks to Adrian Kotelba.
*) Feature: the "lingering_close" directive.
Thanks to Maxim Dounin.
*) Bugfix: in closing connection for pipelined requests.
Thanks to Maxim Dounin.
*) Bugfix: nginx did not disable gzipping if client sent "gzip;q=0" in
"Accept-Encoding" request header line.
*) Bugfix: in timeout in unbuffered proxied mode.
Thanks to Maxim Dounin.
*) Bugfix: memory leaks when a "proxy_pass" directive contains variables
and proxies to an HTTPS backend.
Thanks to Maxim Dounin.
*) Bugfix: in parameter validaiton of a "proxy_pass" directive with
variables.
Thanks to Lanshun Zhou.
*) Bugfix: SSL did not work on QNX.
Thanks to Maxim Dounin.
*) Bugfix: SSL modules could not be built by gcc 4.6 without
--with-debug option.
- Fixed support of LOG / ALLOW targets
- LOG target for rules and actions
- brings security improvements (HTTP Auth in nx_extract and file disclosure
fixed in nx_extract)
No revbump as this does not affect nginx package itself.
into www/p5-LWPx-TimedHTTP.
This module performs an HTTP request exactly the same as LWP does normally
except for the fact that it times each stage of the request and then inserts
the results as header.
- Added extract_start_line method to Mojo::Message, Mojo::Message::Request
and Mojo::Message::Response.
- Added get_start_line_chunk method to Mojo::Message::Request and
Mojo::Message::Request.
- Improved end method in Mojo::IOLoop::Delay to return the number of
remaining events.
- Improved documentation.
- Improved tests.
3.19 2012-08-03
- Improved documentation.
- Improved tests.
- Fixed dynamic content generation bug in Mojo::Message.
- Fixed bug that prevented multiple anchors with the same name in
Mojolicious::Plugin::PODRenderer.
3.18 2012-08-02
- Improved documentation.
- Improved tests.
- Fixed chunked transfer encoding bug in Mojo::Content.
3.17 2012-08-01
- Improved documentation.
- Improved tests.
- Fixed bug in after_static_dispatch hook that prevented custom responses.
- Fixed bug that prevented conditions from generating responses.
3.16 2012-07-31
- Improved documentation.
- Fixed small memory leak in Mojolicious::Plugin::TagHelpers.
3.15 2012-07-28
- Improved Mojo::Base to load IO::Handle.
- Improved documentation.
3.14 2012-07-27
- Improved documentation.
3.13 2012-07-24
- Added multi name support to param method in Mojolicious::Controller.
- Added remove method to Mojo::DOM.
- Improved RFC 3986 compliance of Mojo::Parameters.
- Improved Mojolicious::Plugin::Config log messages. (jberger)
- Improved documentation.
- Improved tests.
- Fixed selector bug in dom method of Mojo::Message.
- Fixed small charset bug in get command.
3.12 2012-07-20
- Deprecated Mojo::Home->app_class.
- Deprecated Mojo::IOLoop->client_class.
- Deprecated Mojo::IOLoop->server_class.
- Deprecated Mojo::IOLoop->stream_class.
- Deprecated Mojo::Message->dom_class.
- Deprecated Mojo::Message->json_class.
- Added json method to Mojo::UserAgent::Transactor.
- Added build_json_tx and post_json methods to Mojo::UserAgent.
- Added post_json_ok method to Test::Mojo.
- Added n function to ojo.
- Improved text_field helper to always set the type attribute. (marty, sri)
- Improved documentation.
- Improved tests.
- Fixed file and content type detection bugs in Mojolicious::Static.
(marty, sri)
3.11 2012-07-19
- Added or method to Test::Mojo. (moritz, sri)
- Added file and serve_asset methods to Mojolicious::Static.
- Improved default descriptions for many methods in Test::Mojo.
- Improved Mojo::Cache performance. (nic)
- Improved documentation.
- Improved tests.
- Fixed a few small encoding bugs in Test::Mojo.
3.10 2012-07-17
- Improved tests.
- Fixed small bug in Mojo::Asset::File.
3.09 2012-07-16
- Added spurt function to Mojo::Util.
- Added spurt method to Mojo::ByteStream.
- Improved documentation.
- Improved tests.
3.08 2012-07-14
- Fixed small Mojo::Template bug.
3.07 2012-07-13
- Improved template error messages for generator commands and config files.
- Improved documentation.
- Improved tests.
- Fixed small bug in Mojolicious::Plugin::EPRenderer that prevented code to
be added to templates.
- Fixed small bug in Mojolicious::Plugin::JSONConfig that prevented code to
be added to config files.
3.06 2012-07-11
- Added tls_verify option to Mojo::IOLoop::Server->listen. (scottw)
- Added verify parameter to Mojo::Server::Daemon->listen. (scottw)
- Improved documentation.
- Improved tests.
- Fixed small bug in Mojo::UserAgent that prevented port reuse.
3.05 2012-07-08
- Reduced default graceful_timeout from 30 to 20 seconds in
Mojo::Server::Hypnotoad.
- Improved documentation.
- Improved tests.
- Fixed small initialization bug in Mojo::IOLoop::Stream.
3.04 2012-07-07
- Improved Mojo::IOLoop performance by reducing stream timeout precision
from 0.025 to 0.5 seconds.
3.03 2012-07-06
- Improved load balancing between Hypnotoad worker processes.
- Improved Hypnotoad log messages.
- Improved documentation.
- Improved tests.
- Fixed default format handling bug in render_exception and
render_not_found.
- Fixed small namespace detection bug in Mojo::DOM.
- Fixed small session reset bug in Test::Mojo.
3.02 2012-07-03
- Added pluck and uniq methods to Mojo::Collection.
- Added regular expression support to first and grep methods in
Mojo::Collection.
- Improved documentation.
- Improved tests.
- Fixed JSON Pointer escaping.
- Fixed small text and attribute extraction bugs in Mojo::DOM.
- Fixed small inconsistency between routes and static dispatchers.
Opera 12.01 is a recommended upgrade offering security and stability enhancements.
Fixes and Stability Enhancements since Opera 12.00
General and User Interface
* Several general fixes and stability improvements
* Website thumbnail memory usage improvements
* Address bar inline auto-completion no longer prefers shortest domain
* Corrected an error that could occur after removing the plugin wrapper
* Resolved an issue where favicons were squeezed too much when many tabs were
open
Display and Scripting
* Resolved an error with XHR transfers where content-type was incorrectly
determined
* Improved handling of object literals with numeric duplicate properties
* Changed behavior of nested/chained comma expressions: now expressing and
compiling them as a list rather than a tree
* Aligned behavior of the #caller property on function code objects in
ECMAScript 5 strict mode with the specification
* Fixed an issue where input type=month would return an incorrect value in its
valueAsDate property
* Resolved an issue with JSON.stringify() that could occur on cached number
conversion
* Fixed a problem with redefining special properties using
Object.defineProperty()
Network and Site-Specific
* Fixed an issue where loading would stop at "Document 100%" but the page
would still be loading
* tuenti.com: Corrected behavior when long content was displayed
* https://twitter.com: Fixed an issue with secure transaction errors
* Fixed an issue with Google Maps Labs that occured when compiling top-level
loops inside strict evals
* Corrected a problem that could occur with DISQUS
* Fixed a crash occurring on Lenovo's "Shop now" page
* Corrected issues when calling window.console.log via a variable at watch4you
* Resolved an issue with Yahoo! chat
Mail, News, Chat
* Resolved an issue where under certain conditions the mail panel would
continuously scroll up
* Fixed a crash occurring when loading mail databases on startup
Security
* Re-fixed an issue where certain URL constructs could allow arbitrary code
execution, as reported by Andrey Stroganov; see our advisory
http://www.opera.com/support/kb/view/1016/
* Fixed an issue where certain characters in HTML could incorrectly be
ignored, which could facilitate XSS attacks; see our advisory
http://www.opera.com/support/kb/view/1026/
* Fixed another issue where small windows could be used to trick users into
executing downloads as reported by Jordi Chancel; see our advisory
http://www.opera.com/support/kb/view/1027/
* Fixed an issue where an element's HTML content could be incorrectly
returned without escaping, bypassing some HTML sanitizers; see our advisory
http://www.opera.com/support/kb/view/1025/
* Fixed a low severity issue, details will be disclosed at a later date
Changes from 1.4.30
- [ssl] fix segfault in counting renegotiations for openssl versions
without TLSEXT/SNI (thx carpii for reporting)
- Move fdevent subsystem includes to implementation files to reduce
conflicts (fixes#2373)
- [mod_compress] fix handling if etags are disabled but cache-dir
is set - may lead to double response
- disable mmap by default (fixes#2391)
- buffer_caseless_compare: always convert letters to lowercase to get
transitive results, fixing array lookups (fixes#2405)
- Fix handling of empty header list entries in http_request_split_value,
fixing invalid read in valgrind (fixes#2413)
- Fix access log escaping of " and \\ (fixes#1551)
- [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649,
RFC 2617) (fixes#2410)
- [auth] Add "AUTH_TYPE" environment (for * cgi), remove fastcgi specific
workaround, add fastcgi test case (fixes#889)
- [mod_*cgi,mod_accesslog] Fix splitting :port with ipv6 (fixes#2333,
thx simoncpu)
- Detect multiple -f options: show error message instead of assert
(fixes#2416)
- [mod_extforward] Support ipv6 addresses (fixes#1889)
- [mod_redirect] Support url.redirect-code option (fixes#2247)
- Fix --enable-mmap handling in configure.ac
Changes from 1.4.29
- Always use our 'own' md5 implementation, fixes linking issues on MacOS
(fixes#2331)
- Limit amount of bytes we send in one go; fixes stalling in one connection
and timeouts on slow systems.
- [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled
- Add static-file.disable-pathinfo option to prevent handling of urls like
.../secret.php/image.jpg as static file
- Don't overwrite 401 (auth required) with 501 (unknown method) (fixes#2341)
- Fix mod_status bug: always showed "0/0" in the "Read" column for uploads
(fixes#2351)
- [mod_auth] Fix signedness error in http_auth (fixes#2370, CVE-2011-4362)
- [ssl] count renegotiations to prevent client renegotiations
- [ssl] add option to honor server cipher order (fixes#2364, BEAST attack)
- [core] accept dots in ipv6 addresses in host header (fixes#2359)
- [ssl] fix ssl connection aborts if files are larger than
the MAX_WRITE_LIMIT (256kb)
- [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes#2324)
## Rails 3.2.7 (unreleased) ##
* Do not convert digest auth strings to symbols. CVE-2012-3424
* Bump Journey requirements to 1.0.4
* Add support for optional root segments containing slashes
* Fixed bug creating invalid HTML in select options
* Show in log correct wrapped keys
* Fix NumberHelper options wrapping to prevent verbatim blocks being rendered
instead of line continuations.
* ActionController::Metal doesn't have logger method, check it and then
delegate
* ActionController::Caching depends on RackDelegation and
AbstractController::Callbacks
Thu Jul 19 21:48:42 CEST 2012
Releasing libmicrohttpd 0.9.21. -CG
Thu Jul 19 11:34:50 CEST 2012
Consistently use 'panic' function instead of ever directly
calling 'abort ()'. Eliminating unused mutex in SSL mode.
Removing check in testcases that fails depending on which
version of gnuTLS is involved. -CG
Tue Jul 17 23:50:43 CEST 2012
Stylistic code clean up. Allowing lookup up of trailing values
without keys using "MHD_lookup_connection_value" with a key of NULL
(thus achieving consistency with the existing iterator API). -CG
Tue Jul 17 22:37:05 CEST 2012
Adding experimental (!) code for MHD operation without listen socket. -CG
Tue Jul 17 22:15:57 CEST 2012
Making sendfile test pass again on non-W32 systems. -CG
Mon Jul 9 13:43:35 CEST 2012
Misc changes to allow testcases to pass on W32. -LRN
Sun Jul 8 15:05:31 CEST 2012
Misc changes to fix build on W32. -LRN
Fri Jun 22 11:31:25 CEST 2012
Make sure sockets opened by MHD are non-inheritable by default (#2414). -CG
Tue Jun 19 19:44:53 CEST 2012
Change various uses of time(NULL) to new MHD_monotonic_time() function to
make timeouts immune to the system real time clock changing. -MC
Tue Jun 12 21:35:00 CEST 2012
Adding 451 status code. -CG
- Compatibility fix with new c-icap 0.2.1 release that prevent
squidclamav service to be initialized.
- Fix issue with new c-icap 0.2.1 release that generate an error
error each time squidclamav return CI_MOD_204 in end of data
handler function.
Approved by: obache@
Upstream changes:
Highlights
MDL-28557 Group event now appears to teachers, managers and administrators
MDL-33398 MDL-27368 Cron works when course completion is enabled
Functional changes
MDL-24401 Lesson string changes
MDL-33401 Managers can add blocks at the site level
Security issues
MSA-12-0042 File access issue in blocks
MSA-12-0043 Early information access issue in forum
MSA-12-0044 Capability check issue in forum subscriptions
MSA-12-0045 Injection potential in admin for repositories
MSA-12-0046 Insecure protocol redirection in LDAP authentication
MSA-12-0047 SQL injection potential in Feedback module
MSA-12-0048 Possible XSS in cohort administration
MSA-12-0049 Group restricted activity displayed to all users
MSA-12-0050 Potential DOS attack through database activity
Fixes and improvements
MDL-32866 Filemanager in private files now saves changes
MDL-33583 "Keep all" automated backups now works
MDL-33607 Add new wiki page no longer reports error writing to database
MDL-33603 Database activity entries are linked correctly
MDL-26892 Question images not lost during upgrade
MDL-29924 Glossary attachments appear in filter popups
